Volkswagen establishes new cyber security company called CyMotive Technologies.

Last week, on the 14th of September, Volkswagen announced that it had formed a new corporation called CyMotive Technologies with the goal of helping to ensure that smart cars and self-driving cars can be protected from attacks by hackers, who could otherwise potentially threaten the lives of both the passengers of the car and the surrounding pedestrians.

This company is co-owned by Yuval Diskin, ex-head of Israel’s Shin Bet Intelligence Agency, along with two of his colleagues. Diskin has been a consultant in the cyber security community since he left Shin Bet in 2011, also apparently having worked with Volkswagen for about half a decade before CyMotive was launched.

This is no doubt in response to concerns about safety in a more connected vehicle. As more and more systems become electronic and hackable, the worry about what a hacker can do to a vehicle remotely has also increased. This need for security will only increase as we start to see companies making self-driving cars, which if hacked could be a massive danger to those on the road.

As it stands, CyMotive will work only with Volkswagen, though perhaps over time it might either offer its services to other automotive companies or inspire similar firms to be developed.

Original Article: http://www.reuters.com/article/us-volkswagen-cyber-israel-idUSKCN11K1DA

-jes5746

iPhone Passcode Hack

Just a few days ago, Dr Sergei Skorobogatov, who works at the University of Cambridge laboratory, was able to develop a method to crack an unknown PIN code on an iPhone 5c. He did it by removing the NAND chip, which is the main memory of the phone, studying how it communicated with the phone and successfully cloning it.

The purpose of this is to allow for an unlimited number of passcode attempts, as usually an iPhone will lock up after a few incorrect tries. This directly contradicts a claim by the FBI that this method (called NAND mirroring) would not work during the time they were attempting to access San Bernardino gunman Syed Rizwan Farook’s iPhone 5c.

Dr Skorobogatov made a YouTube video demonstrating his method of removing and replacing the NAND chip and the successful reset of the passcode lockout counter.

Using this method, he was able to crack a 4-digit code in about 40 hours, and a 6-digit code could take hundreds of hours. In order to crack newer phones, Dr Skorobogatov said more information was needed about how Apple stored data in memory and he would need a more sophisticated set-up to extract the memory chip.

Apple has not responded to this yet.

Link to original article: http://www.bbc.com/news/technology-37407047

Bromium and Microsoft: Is Micro-Virtualization the Next Step in Cyber Security?

Virtual machines have been used in the computing community for years to isolate programs and processes that could be harmful. This ensures that the hardware is fully isolated and cannot be harmed by malicious code. A company called Bromium has taken this concept and created what they call “Micro-Virtualization”, a process of taking programs and running them in their own environment, so nothing they do can affect the hardware directly. This creates a computer that essentially acts as a controller, isolating itself from the actual processes it's running to remain uninfected from any attack. However, running this as a 3rd party component of a server or workstation operating system might lead to a slowdown in load times and efficiency.

Taking on this problem, Bromium has created a partnership with Microsoft, integrating parts of their system directly into the operating system, rather than having it run on top of it. This would make the ‘hand off’ of programs from hardware to VM seamless, as well as make sure there are no faults in configuring how the program works.

Photo Courtesy of blogs.bromium.com

So how does it work? The largest component of Bromium is a system that they call the ‘Microvisor’, which is the name of the Micro-Virtualization implementation that they came up with in Windows 10. By doing this, they claim that any program that is run is perfectly safe, as it eliminates the dangers of ‘Zero Day’ exploits, un-patchable programs, and unpatched programs in the system. The company also claims that the hardware and the system will be ‘invulnerable’.

The other side of the integration is ‘LAVA’, which is their answer to how forensics can be conducted within the Microvisor system that they developed. It works by letting the attack develop in the Micro-Virtualization, and then reporting it to the administrators on the network, giving the full details of the attempted attack as it unfolds in a safe environment. This can help administrators learn how the attacks work in real time, as well as help them develop ways to counter them, or even trace them back without the threat of the virus spreading.

While this system seems secure as it is, no system is ever 100 percent secure. While the Microvisor system runs low in the operating system, it still is not at the kernel level, and thus could theoretically be bypassed. However, the author does believe that this system might be the best step forward in the Cyber Security world, as it catches vulnerabilities in a virtual net so they can be easily managed and dealt with as they arise.

-Will Eatherly

Sources:

http://blogs.bromium.com/2015/07/13/bromium-partners-to-bring-micro-virtualization-to-windows-10/

http://learn.bromium.com/microsoft-partnership.html

http://www.bromium.com/

Samsung Knox for Android Unsafe to Use, Researcher Says

The Samsung Knox login screen on a Galaxy S4 smartphone. Credit: Laptop Magazine.

In October of 2014, a German security researcher said that the pre-installed Samsung Knox has security problems and isn’t safe to use due to some obvious security holes.

Samsung touts its Knox software as a safe partition for business professionals who are looking to comply with their company’s security policies. Samsung further claims that Knox is a “Comprehensive device management solution ideal for enterprises looking to secure their mobile data, while respecting employees’ privacy.” Samsung Knox is supposed to be as secure as its namesake, Fort Knox.

Samsung Knox is supposed to be a competitor for applications like BYOD Divide, which set up a separate partition on Android devices that provides a work space separate from personal space. This allows a company’s IT team to remotely manage company data without interfering with an employee’s personal apps and data. This also consolidates the number of devices an employee has to carry and saves company cash in that the company doesn’t have to purchase devices for employees to use for company business.

When users set up Knox on their device, they choose a PIN in case they forget their password. The PIN that is used during the setup process is stored locally on the device in clear text in the pin.xml file. When a user taps the “Password forgotten?” button and enters their PIN, the Knox app will provide the first and last characters, along with the number of characters in their password. The password is also stored locally on the device, as what looks like an AES-encrypted string (AES is a symmetric encryption algorithm). The decryption program is also stored locally on the device and can be converted to a jar file to be reverse engineered.

Samsung Knox uses the Android ID together with a hardcoded string and mixes them for the encryption key.  Since Knox doesn’t use randomly generated numbers to make the encryption key, attackers can easily find out the Android ID number and use it to generate the encryption key thereby giving them the means to decrypt the locally stored password.

Samsung has since responded to these concerns in an official statement as follows:

“KNOX does save the encryption key required to auto-mount the container’s file system in TrustZone. However, unlike what is implied in the blog, the access to this key is strongly controlled. Only trusted system processes can retrieve it, and KNOX Trusted Boot will lock down the container key store in the event of a system compromise.”

After these concerns were brought forward, Samsung deprecated Knox Personal and replaced it with My KNOX; however, it is still pre-installed on older Samsung devices.

https://www.samsungknox.com/en

http://www.tomsguide.com/us/samsung-knox-security-flaw,news-19828.html

http://mobilesecurityares.blogspot.com/2014/10/why-samsung-knox-isnt-really-fort-knox.html

https://www.samsungknox.com/en/blog/response-blog-post-samsung-knox

Bill Edwards
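
The key-derivation weakness described in the Samsung Knox post above, next to a hardened alternative, as an added example that is not from the post or from Samsung's code. The SHA-256 mixing step, `APP_CONSTANT`, `SAMPLE_ANDROID_ID` and all function names are assumptions or constructed values; the hardened half uses a random salt with PBKDF2 and stores only a verifier instead of the password.

```python
import hashlib
import hmac
import os

# Constructed placeholders, not values taken from any real device or app.
APP_CONSTANT = b"constructed-hardcoded-string"
SAMPLE_ANDROID_ID = "0123456789abcdef"


def weak_key(android_id: str) -> bytes:
    """Pattern from the post: key = mix(Android ID, hardcoded string).

    SHA-256 over the concatenation is an assumed stand-in for the mixing.
    Both inputs are readable from the device or the app package, so the key
    protects nothing that is stored next to them.
    """
    return hashlib.sha256(android_id.encode() + APP_CONSTANT).digest()


def enroll(password: str, iterations: int = 100_000) -> dict:
    """Hardened form: random per-enrollment salt and a slow KDF over the secret.

    Only the salt, iteration count and a verifier are stored; the password
    itself is never written to disk, encrypted or otherwise.
    """
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    verifier = hmac.new(key, b"password-check", hashlib.sha256).digest()
    return {"salt": salt, "iterations": iterations, "verifier": verifier}


def check_password(record: dict, candidate: str) -> bool:
    """Re-derive the key from the candidate and compare in constant time."""
    key = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), record["salt"], record["iterations"]
    )
    expected = hmac.new(key, b"password-check", hashlib.sha256).digest()
    return hmac.compare_digest(expected, record["verifier"])
```
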

Vulnerability Found in Blackphone’s SilentText App

The first phone from Silent Circle, Blackphone, touts itself as “the world’s first enterprise privacy platform” and is relying on the fact that people are willing to pay a premium for privacy. This is still a niche market, but Blackphone is betting on that niche having the finances to afford a security-conscious option.

Despite Blackphone being a company with security at the forefront of their mission, a type confusion vulnerability was found in their text application, Silent Text. The vulnerability works whether the Silent Text application is installed on one of the company’s Blackphone devices or on another device. The vulnerability could be exploited to do anything from simply eavesdropping by decrypting messages to actually executing malicious code.

The vulnerability was found and reported by Mark Dowd, an Azimuth Security consultant. It was first reported after giving Blackphone time to patch the vulnerability. While the application is no longer susceptible to this attack, it is unknown whether malicious parties were privy to the issue in time to take advantage of it.

In order to exploit the vulnerability, all that was needed was the target’s Silent Circle ID or their phone number. The type confusion occurs when the application is performing the JSON deserialization of the incoming Silent Circle Instant Messaging Protocol (SCIMP) message. This type confusion can be exploited to corrupt a pointer, which can then be used to execute the attacker’s desired payload.

While the actual vulnerability was patched over a month ago, the disclosure is still of interest, as Silent Circle has recently acquired their partner’s stake in the project as well as an additional $50 million in funding. It remains to be seen whether the market will support the company’s mission, but the announcement of additional funding seems promising and it appears that their model for bug disclosure is working.

Article on the vulnerability:
http://arstechnica.com/security/2015/01/bug-in-ultra-secure-blackphone-let-attackers-decrypt-texts-stalk-users/
For more information on the specifics of the vulnerability:
http://blog.azimuthsecurity.com/2015/01/blackpwn-blackphone-silenttext-type.html
Information on the acquisition:
http://www.cnet.com/news/silent-circle-buys-out-secure-blackphone-hardware-partner/

-Arthur Lunn