IT Support and Hardware for Clinics
News, Information and Updates on Hardware and IT Tools to help improve your Medical practice

This USB Drive Can Nuke A Computer

Do not ever use a random USB flash drive. There are plenty of software exploits that can ruin your computer or your life. And this flash drive can physically destroy your computer by blasting the USB controller with a surge of negative voltage. Think Wile E. Coyote and an ACME Human Cannon. BOOM!

The basic idea of the USB drive is quite simple. When we connect it up to the USB port, an inverting DC/DC converter runs and charges capacitors to -110V. When the voltage is reached, the DC/DC is switched off. At the same time, the field transistor opens. It is used to apply the -110V to signal lines of the USB interface. When the voltage on capacitors increases to -7V, the transistor closes and the DC/DC starts. The loop runs till everything possible is broken down. Those familiar with the electronics have already guessed why we use negative voltage here. I'll explain to others that negative voltage is easier to commutate, as we need the N-channel field transistor, which, unlike the P-channel one, can have larger current for the same dimensions.

Put simply, the components inside the USB drive draw and store a large amount of power. When a certain level is reached, it returns that power to the source, which is either a dedicated USB controller or the CPU itself. This is bad news bears. The amount of power returned overloads the circuits, rendering them useless. Since a lot of USB controllers are built directly into the main processor... bye bye computer.

Scary. Thankfully the creator hasn’t released the schematic for the drive.

There are enough USB exploits floating around to warrant caution. Some install malware or backdoor software without the user's knowledge, and now there is at least one that will actually destroy your computer. It's straight out of a Colin Farrell spy movie and a fantastic argument for Apple's vision of the future.

Via Paulo Félix
Lenovo Website Hijacked

The website of Lenovo, the world's largest PC manufacturer, was hacked on Feb. 25 and visitors were directed to an attacker-controlled page. The hacking group Lizard Squad, which has claimed credit for the attack via Twitter, also appears to have intercepted some Lenovo e-mails.

"Lenovo has been the victim of a cyber-attack," spokeswoman Wendy Fung told Information Security Media Group on Feb. 26. "One effect of this attack was to redirect traffic from the Lenovo website. We are also actively investigating other aspects. We are responding and have already restored certain functionality to our public-facing website.

"We regret any inconvenience that our users may have if they are not able to access parts of our site at this time," Fung added. "We are actively reviewing our network security and will take appropriate steps to bolster our site and to protect the integrity of our users' information and experience. We are also working proactively with third parties to address this attack and we will provide additional information as it becomes available."

Lenovo appeared to have restored complete access to its public website by the evening of Feb. 25.

The attack follows revelations that Lenovo, in recent months, had been preinstalling Superfish on many of its consumer devices. Superfish is adware that information security experts warn could be abused by attackers to intercept consumers' communications.

In response to those reports, Lenovo has apologized and released utilities consumers can use to expunge Superfish from their systems. Lenovo has also worked with McAfee, Microsoft and Trend Micro to have the Superfish software classified as malware and targeted for removal by their anti-virus engines, which Lenovo says will remotely wipe the adware from many systems.

Lizard Squad has recently claimed credit for a number of attacks, including the January disruption of the Malaysian Airline website, as well as the 2014 Christmas Day disruption of the Sony PlayStation and Microsoft Xbox Live networks.

Hacking Lenovo's DNS

The website disruption began Feb. 25 at about 4 p.m. ET, with visitors to the site being redirected to another site that was labeled as being "the new and improved rebranded Lenovo website," accompanied by a slideshow of bored-looking teenagers looking at webcams, as the song "Breaking Free" - from the movie "High School Musical" - played in the background, technology publication The Verge first reported.

"We're breaking free! Soarin', flyin', there's not a star in heaven that we can't reach!" Lizard Squad tweeted at 4:19 p.m. ET via its @LizardCircle account, referencing the lyrics from the "High School Musical" song.

Security experts say Lizard Squad appears to have hijacked the website by compromising its domain registrar, Web Commerce Communications Limited. The attackers were then able to alter the DNS settings, ultimately transferring them to servers run by the distributed denial-of-service attack defense service CloudFlare.

"To all asking: Lenovo was NOT a CF customer; their domain was hijacked & transferred to us," CloudFlare principal security researcher Marc Rogers tweeted on Feb. 25. "We are working with them to restore service."

The choice of CloudFlare was no doubt an ironic move, given that Lizard Squad says its attacks are meant to advertise its own DDoS service, Lizard Stresser.

Domain Registrar Offline

Following the attack, the registrar's website has been unavailable, resolving to a "service temporarily unavailable" error message. Contacted on Feb. 26, a member of the registrar's customer support team, based in Kuala Lumpur, Malaysia, declined to comment on the reported attack, or on whether the website outage was intentional, for example if the registrar is attempting to conduct a digital forensics investigation and remediate affected systems following the apparent hack attack.

If Lizard Squad obtained access to the registrar's internal systems, then it could have transferred the website to any address of its choosing. Bolstering that theory, Lizard Squad has published what it claims to be an authorization key - also known as an auth code or EPP key - that it stole from the registrar. Such keys are used to authorize the transfer of domains between registrars.

Lenovo E-Mail Theft?

Lizard Squad has also published two e-mails that had apparently been sent to employees at Lenovo - with a Lenovo e-mail address - on Feb. 25, during the time when the hacking group appeared to have been in control of the DNS settings. One e-mail cited The Verge report that the website had been hacked as of 4 p.m. ET, and that Lizard Squad appeared to be responsible.

Another published e-mail referred to a Lenovo Yoga laptop that was "bricked" when a customer attempted to run Lenovo's update to remove the Superfish application and root certificate that it was preinstalling on many of its consumer devices (see Lenovo Drops Superfish Adware). "FYI - the process to remove the Superfish software from the Yoga 11 has resulted in a failed device. Can we get him a new one?" the internal e-mail reads.

Lenovo's Fung declined to comment on whether those e-mails were genuine. But Lizard Squad says via Twitter: "We'll comb the Lenovo dump for more interesting things later."

Follows Google Vietnam Hack

The Lenovo website hack follows Lizard Squad claiming credit for the recent disruption of Google Vietnam, which was reportedly also registered with the same registrar. For several hours on Feb. 23, visitors to that Google website were reportedly redirected to a website that showed a man taking a "selfie" in the mirror with his iPhone, underneath the words "Hacked by Lizard Squad," The Wall Street Journal reports.

Google says that its systems were not breached by the attack, and said its domain name registrar was responsible. "For a short period today, some people had trouble connecting to, or were being directed to a different website," a Google spokesman told The Wall Street Journal. "We've been in contact with the organization responsible for managing this domain name and the issue should be resolved."

The Root of the Problem: How to Prevent Security Breaches

Anthem, the second largest health insurance company in the U.S., announced a massive data breach on Feb. 5. An estimated 80 million customers and employees of multiple health plans were affected, the Wall Street Journal reported.

It’s déjà vu.

In addition to big name breaches over the past year including Target, Home Depot, and JP Morgan, almost half of U.S. companies have experienced a security breach of some sort in the past year, according to a report published by the Ponemon Institute in September 2014. What’s more, a report from the Identity Theft Resource Center found a record number of security attacks in the U.S. in 2014.

The report also found that health and medical companies are becoming bigger targets, accounting for 42.5 percent of reported breaches last year. And in healthcare attacks, the stakes are higher.

In the Anthem breach, hackers accessed names, birthdays, addresses, social security numbers, email addresses, and employment information, the company disclosed in a statement. It’s a recipe for identity theft disaster.

Although there is currently no evidence that any medical or financial information was exposed, and the company quickly notified the public after discovering the attack, the breach highlights a serious problem in the IT industry.

What’s Causing the Data Security Problem?

IT security specialists and engineers with sophisticated skills are needed to prevent and defend against sophisticated cyberattacks. But tech talent with these skills is hard to find.

In 2013, 2,500 job postings for information security analysts were open in New York City alone, according to a report from JPMorgan Chase & Co.

In healthcare specifically, the problem is complicated by a few factors:

Competition. In healthcare IT, the competition for top security specialists is fierce. As electronic medical records are adopted by more and more health systems, hospitals, and companies, more security talent is needed to protect sensitive patient information.

Budget issues. As a result of the growing need for talent and the short supply of qualified professionals, salaries for security engineers are skyrocketing, and many healthcare organizations can’t afford to hire experts.

Outdated technology. Healthcare organizations are more susceptible to these attacks as they are usually years behind other industries in their adoption of new technology and software.

What Can Be Done to Avoid These Breaches?

To fix the data breach problem, companies can take a few steps to better hire for and invest in their IT department:

Invest in education. Part of the problem stems from a disconnect in how IT firms hire talent. Many employers value experience over education, and young, promising professionals are ignored for positions that require advanced skills.

Building stronger partnerships between employers and colleges and universities can help to better train the next generation of security experts. These relationships can foster expanded internship programs and training opportunities to groom young professionals and connect them with the employers who need them.

Investing in additional training, professional development, and workshops for existing staff can also help to boost security. To stay ahead of hackers, specialists need to be up-to-date on the latest technology and software.

Think globally. Hiring tech talent outside of the U.S. can also help to solve the security talent crisis. Thinking globally widens the talent pool and could lower the price of top talent. The recruiting process will take more time and effort and securing a visa might be difficult, but the end result could be worth it.

Hackers will always be out there, adapting to the newest, most complex technology and software. To prevent data breaches, we need to start at the root of the problem. Invest in security and your IT team and emphasize the importance of education. We’re going to need as many talented professionals as we can get.

What do you think? How can the industry fix the data breach problem?

Via Paulo Félix
Bitcoin exchange loses $5 million in security breach

Bitstamp has just suspended its Bitcoin exchange services, because some of its operational wallets have been compromised. And, while it's nowhere near the scale of the Mt. Gox debacle (850,000 Bitcoins gone), the company says hackers still made off with 19,000 BTC, or roughly $5 million. The service clarifies on its website (which now shows a splash page) that the stolen money came from its online wallets only and that the "overwhelming majority" of its reserves are stored safely offline. According to ZDNet, the service had $96.9 million stored in offline storage in May 2014, but the amount might have gone down due to fluctuating Bitcoin values.

Bitstamp says it will honor any transaction made before January 5th, 4AM Eastern, but it warns users (in bold and all caps) not to transfer anything to "previously issued bitcoin deposit addresses" anymore as those transactions cannot be honored. It also promises to go back to business in a few days once it's done moving to a more secure server.

Some users believe this page lists the illegal transactions that crippled Bitstamp, since they're worth 18,868 BTC in all and were made over the weekend. But we still don't know what exactly went down, especially since no group of hackers has stepped forward to claim the security breach. Seeing as authorities still don't have a clear picture of the Mt. Gox fiasco in 2014, we might have to wait a long while before we find out what happened to Bitstamp.

Obama Imposes Sanctions on North Korea for Hack

Holding North Korea responsible for the cyber-attack on Sony Pictures Entertainment, President Obama imposed sanctions on 10 individuals and three entities associated with the North Korean government.

The president ordered on Jan. 2 the seizing of property held by the individuals and organizations in the United States, a mostly symbolic action because few, if any, assets of those designated in the order are likely located in the U.S.

The organizations facing sanctions include the Reconnaissance General Bureau, North Korea's primary intelligence agency; Korea Mining Development Training Corp., or KOMID, North Korea's primary arms dealer; and Korea Tangun Trading Corp., the North Korean agency primarily responsible for the procurement of commodities and technologies to support its defense research and development programs.

"Our response to North Korea's attack against Sony Pictures Entertainment will be proportional, and will take place at a time and in a manner of our choosing," a White House statement says. "Today's actions are the first aspect of our response."

Further Isolating North Korea

The executive order authorizes Treasury Secretary Jack Lew to impose the sanctions. Lew, in a statement, says the sanctions are driven by the government's commitment to hold North Korea accountable for its destructive and destabilizing conduct.

"Even as the FBI continues its investigation into the cyber-attack against Sony Pictures Entertainment, these steps underscore that we will employ a broad set of tools to defend U.S. businesses and citizens, and to respond to attempts to undermine our values or threaten the national security of the United States," Lew says. "The actions taken today ... will further isolate key North Korean entities and disrupt the activities of close to a dozen critical North Korean operatives. We will continue to use this broad and powerful tool to expose the activities of North Korean government officials and entities."

An administration official told The New York Times that these sanctions are a first step to punish the North Koreans for the Sony breach. "The administration felt that it had to do something to stay on point," the official said. "This is certainly not the end for them."

Sony Hacking Scandal -- Execs Convinced It's an Inside Job

Sony execs are now convinced someone who worked for the studio is behind the massive hacking ... because no one from the outside could so precisely target the compromising information.

Multiple sources connected to the studio tell TMZ ... the strong, prevailing view is that the North Koreans are probably involved, but they used someone with intimate knowledge of the Sony email system to laser in on the most embarrassing information.

We're told the people at Sony who are investigating believe the hackers had intimate knowledge of mail systems and their configurations. They also believe the hackers have knowledge of the internal media distribution systems and the internal IT systems, including human resources and payroll.

Several people suggested a possible link between the hackers and Sony layoffs, which included a large number of IT employees.

Via Roger Smith, Paulo Félix
Roger Smith's curator insight, December 17, 2014 4:43 PM

Insider job or very precise social engineering; either way, not understanding the threat is the biggest problem for an organisation.

Mcol's curator insight, December 19, 2014 9:46 AM

Example of SONY!

Another Data Breach, Another Dollar For Identity Management Startups

As security breaches are reported for one major corporation after another, venture investors are writing bigger checks than ever in an attempt to buy some peace of mind.

From Target’s data breach that put a damper on last year’s holiday season to Bebe’s payment card data breach reported last week, we’ve seen countless examples of access management gone wrong. It’s become apparent that the present identity management solutions are just not cutting it, and investors are fully aware.

According to CrunchBase data, identity management startups have seen $350 million in venture dollars raised this year across 45 rounds — a big step up from last year’s $178 million raised over the same number of deals.

Q2 saw a major investment push as some of the first massive deals in the space were recorded for startups like Okta, Centrify, and Dashlane.

“Every time there’s a breach at one of these companies, we’ve seen enormous damages as a result,” says David Cowan of Bessemer Venture Partners, a frequent investor in the identity and security space.

“For businesses like Kmart and JP Morgan, these breaches cost them hundreds of millions of dollars,” says Cowan, and for users, “they’re able to steal your password from a website that you think is irrelevant to your life, and it turns out that’s the same password to your bank account and your Dropbox.”

Cowan is on the board at Dashlane, a password manager and secure digital wallet for consumers. Dashlane’s recent $22 million Series B is one of the larger rounds seen by a consumer-focused identity management application. To date, the majority of venture dollars have gone into companies like Centrify or Okta that provide multi-platform access management solutions for enterprise customers.

“When companies controlled all their systems on premise, everybody had a username and a password into those systems,” explains Robin Vasan of Mayfield Fund, an early Centrify backer, “but now with mobile devices and SaaS applications, those systems are no longer in control.”

“Identity management has seen such a resurgence of interest because enterprises are realizing that an employee of theirs goes and buys a new mobile device or is using a laptop from home and is accessing cloud applications, and those resources are no longer under the control of the enterprise,” says Vasan.

Centrify and others are tackling this issue by providing enterprises with secure identity management and single sign-on services that allow employees to access cloud-based applications across multiple devices.

Venture funding front-runner Okta will let you into all related apps with a single login, and five-year-old Dashlane will remember all of your passwords for you. But recently startups like Nymi and EyeVerify have closed sizable deals to replace passwords completely with biometric technology.

“People lump in together the identity management, access management, permissions and authentications — and we’re all about decoupling that,” says Nymi founder Karl Martin. “There’s a simple philosophy around privacy — a system should only know as much about you as it needs to for that application.”

Nymi seeks to accomplish this through a wristband that identifies a user by their unique electrocardiogram signal and acts as a gateway to provide easy authentication for a number of applications.

“Biometrics are a very useful tool for identity management, but the danger there is that you’re collecting a massive database of biometrics, and that has many implications for security and privacy,” says Martin. It’s a legitimate concern — the idea of handing over more personal data to protect the data that’s already out there seems a bit backward at first.

But Nymi isn’t collecting or storing any of this data. “It’s not verifying who you are, just that you’re the same person that showed up before,” says Martin of the Nymi band. “We’re not actually managing your identity — that should be application specific, and you shouldn’t have all of your information in one place.”

Nymi has locked down a variety of partnerships, from password manager PasswordBox to MasterCard, and is in the process of closing more deals to become something like the single sign on for the world.

“I don’t think anybody has a sense that we have actually good solutions in operation now, there’s absolutely a need for new technology,” says Martin. “On the one side it’s kind of crazy what we’re doing, but on the other side, do you imagine ten years from now that we’ll still be using passwords?”

New Approach to DDOS Protection

Attacks are larger, adversaries more diverse, and damage is broader. These are characteristics of today's distributed-denial-of-service attacks, and organizations need a new approach to protection, says Verisign's Ramakant Pandrangi.

Pandrangi, VP of Technology at Verisign, has studied DDoS attacks, and he's concerned about recent trends.

"Large volumetric DDoS attacks are becoming more common," Pandrangi says. "And as that happens, on-premise solutions will not be able to handle these types of attacks."

What's needed, then, is an entirely new approach to protecting against DDoS. Pandrangi advocates what he calls an open/hybrid approach that relies on on-premise solutions to mitigate attacks locally, while leveraging cloud-based services when attacks are likely to overwhelm the defenses. At the core of this new approach is an open platform that allows multiple vendors to act in concert on the customer's behalf.

"This [approach], we believe, will allow businesses to have a wide range of options without the limitations of having vendor lock-in," he says.

Ramping Up Automobile Cybersecurity

In late 2014, signs emerged that the automobile industry was taking the first steps toward addressing cybersecurity and privacy risks.

For instance, General Motors hired its first chief product cybersecurity officer, and the automobile industry set up an automobile Information Sharing and Analysis Center to collect and share information about cyber-related threats and vulnerabilities in motor vehicle electronics.

Heading into 2015, efforts to mitigate cybersecurity and privacy risks affecting automobiles continue to gain traction. Recently, Senator Edward Markey, D-Mass., issued a report detailing various automobile security and privacy vulnerabilities. Then, on Feb. 11, Markey confirmed that he, along with Senator Richard Blumenthal, D-Conn., will introduce legislation that would direct the National Highway Traffic Safety Administration and the Federal Trade Commission to establish federal standards for improving the security of vehicles and protecting drivers' privacy.

"We need the electronic equivalent of seat belts and airbags to keep drivers and their information safe in the 21st century," Markey says.

The senators' efforts come after auto manufacturer BMW recently addressed a potential security gap affecting data transmissions to and from the company's connected vehicles via the mobile phone network.

But while early steps are being taken by the industry to get on top of the risks, progress around securing automobiles may not come as quickly as some would hope. "Sure, proof of concept exploits are there - and they are real - but there is not even a semblance of exploitation by the criminals in the wild," says Anton Chuvakin, research vice president for security and risk management at Gartner.

"We do have a chance to prepare for this now by starting early with car and other device security," he says. "However, the history of information security teaches us that we probably won't. Today the threat is mostly 'not' real, but all signs point that it will become real."

Key Risks

Chris Valasek, director of vehicle security research at IOActive, a computer security services firm, has researched cyber vulnerabilities in automobiles through funding from the Cyber Fast Track initiative from the Defense Advanced Research Projects Agency, or DARPA.

Based on his research, Valasek says hackers could gain access to a vehicle's systems and potentially take private information, such as GPS coordinates or the driver's username and password for various in-car applications. Also, cybercriminals potentially could obtain control of computers within the car that operate certain features, such as cruise control, Valasek says.

"[Through our research], we showed that if you're on the car's computer network, you could send messages to completely stop the car and immobilize it," he says. "If an attacker found a way to break in remotely - through Bluetooth, cellular or an application - and was able to be on the right portion of the car's network, they could stop the car, disengage brakes or steer the steering wheel."

Down the road, automakers also need to worry about the potential cyberthreats concerning so-called "autonomous" or driverless vehicles now in development, says Stephen Wu, an attorney at the Silicon Valley Law Group, who has been researching the legal concerns regarding autonomous driving. "If cars crash because of information security vulnerabilities, it could lead to liability for the manufacturers," he says. "They need not only be concerned about safety, but also the governance of information security, privacy and the management of information that's being generated and communicated by cars."

Security Gaps Remain

The recent report from Senator Markey is based on a survey of 16 major automobile manufacturers about how vehicles may be vulnerable to hackers and how driver information is collected and protected.

Among the findings:

  • Nearly 100 percent of vehicles on the market include wireless technologies that could pose vulnerabilities to hacking or privacy intrusions;
  • Most automobile manufacturers were unaware of or unable to report on past hacking incidents;
  • Security measures to prevent remote access to vehicle electronics are inconsistent and haphazard across the different manufacturers;
  • Only two automobile manufacturers were able to describe any capabilities to diagnose or meaningfully respond to an infiltration in real time, and most said they rely on technologies that cannot be used for this purpose at all.

Valasek at IOActive says the biggest takeaway from the report is how most of the manufacturers couldn't answer many questions. "This means that not only are they behind on their security efforts, but probably don't have a good idea of the attack landscape or where to start," he says.


The new legislation proposed by Markey would include three key requirements:

  • All wireless access points in cars must be protected against hacking attacks and evaluated using penetration testing;
  • All collected information must be appropriately secured and encrypted to prevent unwanted access; and
  • The manufacturer or third-party feature provider must be able to detect, report and respond to real-time hacking events.

To address privacy issues, Markey is seeking a transparency requirement that drivers be made explicitly aware of data collection, transmission and use. He also wants consumers to have the ability to choose whether data is collected, without having to disable navigation. And he's seeking prohibition of the use of personal driving information for advertising or marketing purposes.

"In essence, the proposed legislation codifies what have been best practices in privacy and security for years," says Scot Ganow, a privacy and security attorney at the law firm Faruki Ireland and Cox PLL.

But that doesn't mean the proposed law won't face challenges similar to those that have arisen in previous failed attempts to adopt federal data breach legislation, Ganow says. "As with all laws seeking to regulate commerce and, in particular, the flow of information, the struggle will exist over balancing appropriate regulation while not choking innovation and corporate independence."

Proactive Approach

As the security and privacy landscape around automobiles continues to take shape, manufacturers can start taking the necessary steps to get ahead of the challenge before it becomes a real problem.

Right now, hacking a vehicle is still very hard and very expensive, Valasek says. "That's not to say that won't change in the future. But you want to start implementing security measures before there is an actual problem."

Valasek argues that manufacturers "will have to accept that security is required as part of the process and not an after-thought. Only then can we truly talk about mitigating risks."

In addition, automakers should hire more cybersecurity experts and attempt to integrate security into the automotive software development lifecycle, says Ben Johnson, chief security strategist at Bit9 + Carbon Black, an endpoint security firm. "Immediately, I would be hiring penetration-testers and security consultants to do as much assessment and analysis of the existing systems as possible," he says.

It may also be in the best interest of the automobile industry - and consumers - if manufacturers adopt a model similar to PCI-DSS, the independently developed standards in the payments card industry, says Andreas Mai, director for smart connected vehicles at Cisco. "If an independent body devised a list of security features and controls that a vehicle and its computer systems should have, and the body audited vehicles for adherence, even if it was voluntary, like Consumer Reports, it would at least provide consumers with the notion someone has looked at security and provide a baseline level of confidence," he says.

Secunoid's curator insight, February 19, 2015 1:52 PM

The next frontier to keep an eye out for from a security perspective: automobiles.

Sandesh's curator insight, March 23, 2015 9:55 AM

They have introduced cybersecurity which is attached with the audio player!

930 Million Android Devices at Risk?

Information security experts are calling on Google to rethink its patch priorities after it confirmed that it will no longer update a critical component that runs on Android 4.3 "Jelly Bean" and older devices. As a result, 61 percent of all Android smart phones and tablets - or about 930 million devices - will be running a version of Android that contains known vulnerabilities that an attacker could remotely exploit to seize control of the device or steal the data it stores, according to data security firm Rapid7.

At issue are the versions of WebView, which is used by Android to render Web pages, that are present in pre-Android 4.4 devices. Rapid7 researchers say that after finding and reporting a newly discovered vulnerability in older versions of WebView to Google's team, Google responded that it was not going to issue a related patch.

Google says that if it receives a patch for older versions of WebView from a third party, it will distribute it to anyone who develops Android distributions. But Google says it no longer plans to create and distribute its own patches for such flaws. "If the affected version [of WebView] is before 4.4 [KitKat], we generally do not develop the patches ourselves but do notify partners of the issue," Google's e-mail to Rapid7 says. "If patches are provided with the report [from a third party] or put into AOSP [Android Open Source Project] we are happy to provide them to partners as well."

But Rapid7, citing data published by market researchers Gartner and Strategy Analytics, says Google's policy will leave the estimated 930 million mobile devices that run pre-KitKat versions of Google's open source Android operating system at risk, because they will be stuck running outdated - and vulnerable - versions of WebView. Device manufacturers could, theoretically, issue related patches themselves, but to date they have not done so.

A Google spokeswoman declined to comment on Rapid7's report.

Numerous hardware and software developers stop issuing updates for their products after they have been on the market for a specified period of time. But today, only 37 percent of in-use Android devices run version 4.4 of the operating system - introduced in November 2013 - and just 1.5 percent run the most recent version 5 - code-named Lollipop - according to market research firm Net Market Share.

In other words, 61 percent of still-in-use Android devices won't be receiving WebView updates from Google, and thus could be at risk from "mass-market exploits" designed to seize control of millions of devices at once, says Tod Beardsley, who's the technical lead for the Metasploit open source penetration testing framework, which is maintained by Rapid7.

"This is great news for penetration testers, of course; picking company data off of Android phones is going to be drop-dead easy," Beardsley says in a blog post. "Unfortunately, this is great news for criminals," because it gives them potential new ways to penetrate devices, implant malware, steal data or intercept communications.

Beardsley says that in the past year, two researchers have discovered nearly a dozen exploits in WebView - most of which affect versions of the component that run on Android 4.3 "Jelly Bean" and earlier devices - and that Metasploit currently ships with 11 exploits for known WebView flaws.

Newer WebView Auto-Updates

WebView is a widely used Android component. Indeed, Google's developer guide encourages Android developers to use WebView "to deliver a Web application - or just a Web page - as a part of a client application." Google's developer documentation further outlines a number of scenarios in which it might be employed, ranging from retrieving an end-user agreement or user guide from inside an app, to accessing any type of information that requires an Internet connection, such as retrieving e-mails.

When Google introduced Android 4.4 KitKat, it debuted a new, stand-alone WebView component, based on its Chromium open source project, that was decoupled from the Android operating system. "The new WebView includes an updated version of the V8 JavaScript engine and support for modern Web standards that were missing in the old WebView," Google's developer documentation states.

From a security standpoint, the big-impact change was the ability - now found in all modern browsers - for WebView to be automatically updated by Google. In other words, thanks to Google uncoupling WebView from the innards of the Android operating system, WebView updates can be piped directly to all users of Android 4.4 and newer, just as Google does with any other app that's available via the Play Store and Google Play services, news site Android Police reports.

Here is why that change is good: Many Android devices run a version of the operating system that's customized by whichever OEM produces the device. As a result, every time Google releases an Android operating system update, the OEM has to test the update, then create a customized version for its devices. Thanks to the newer version of WebView, however, Google can now directly update that component on all Android 4.4 and newer devices, without the OEM having to build the patch into their version of Android and then distribute it to their users.
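The practical consequence for app developers is that the WebView an app embeds may be either the OS-bundled component that no longer receives fixes (pre-4.4) or the separately updated Chromium-based one (4.4 and later). As an added example, not code from the article or from Google, the helper below uses the public Android SDK to tell the two apart and to scale back what a legacy WebView is allowed to do; the class name, the `harden` method and the HTTPS host allow-list are assumptions made for illustration.

```java
import android.net.Uri;
import android.os.Build;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;

/**
 * Added example (hypothetical helper, not part of any project): decides how
 * much trust an app places in the platform WebView depending on whether it is
 * the OS-bundled component (pre-4.4) or the auto-updated one (4.4+).
 */
public final class LegacyWebViewGuard {

    private LegacyWebViewGuard() {}

    /** True when the device still runs the OS-bundled WebView that Google no longer patches. */
    public static boolean isLegacyWebView() {
        return Build.VERSION.SDK_INT < Build.VERSION_CODES.KITKAT;
    }

    /**
     * Applies a conservative WebSettings profile. Local file and content URL
     * access stay off on every version; JavaScript is enabled only when the
     * caller asks for it AND the renderer can still receive security updates.
     */
    public static void harden(WebView view, boolean wantJavaScript) {
        WebSettings s = view.getSettings();
        s.setAllowFileAccess(false);
        s.setAllowContentAccess(false);
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN) {
            // These two settings exist from API 16 onwards.
            s.setAllowFileAccessFromFileURLs(false);
            s.setAllowUniversalAccessFromFileURLs(false);
        }
        s.setJavaScriptEnabled(wantJavaScript && !isLegacyWebView());

        // Cancel any navigation that is not on the app's own HTTPS allow-list.
        view.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView v, String url) {
                return !isAllowed(url); // returning true tells WebView not to load it
            }
        });
    }

    /** Assumed allow-list: HTTPS only, and only the host the app itself serves content from. */
    static boolean isAllowed(String url) {
        Uri u = Uri.parse(url);
        return "https".equals(u.getScheme()) && "app.example.com".equals(u.getHost());
    }
}
```

Gating on `SDK_INT` does not make an old WebView safe; it only keeps the app from handing that unpatched renderer the features (script execution, file URL access, arbitrary navigation) that turn a rendering bug into data theft. On legacy devices, sensitive screens are better built with native views than with any WebView at all.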

Android Is Open Source

But the question of whether it's right for Google to cease updating older versions of WebView, an important component that still runs on nearly 1 billion Android devices, remains. Rapid7's Beardsley notes that Android is technically an open source project, and that OEMs could, in theory, obtain patches for newly discovered flaws in older versions of WebView from third parties. But he says that to date, the OEMs that do patch Android have relied on updates issued directly from Google. "The update chain for Android already requires the handset manufacturers and service carriers to sign off on updates that are originated from Google, and I cannot imagine this process will be improved once Google itself has opted out of the patching business," he says. "After all, is AT&T or Motorola really more likely to incorporate a patch that comes from some guy on the Internet?"

Some OEMs have a relatively good track record at keeping customers' Android devices updated with the latest security fixes. But others rarely - if ever - release security patches for devices.

With Google ceasing to update a core component of Android that runs on pre-4.4 versions, the risks to users will only increase, Beardsley warns. "Please reconsider, Google," he says. "As a software developer, I know that supporting old versions of my software is a huge hassle. I empathize with their decision to cut legacy software loose. However, a billion people don't rely on old versions of my software to manage and safeguard the most personal details of their lives."

Cybersecurity: A Congressional Priority

The 114th Congress, with solid Republican majorities in both the House and Senate, convenes this week at a time of growing public awareness of security breaches, especially the cyber-attack last year on Sony Pictures Entertainment.

And that means the new Congress is likely to soon take up legislation to promote the sharing of cyberthreat information between business and the government in an effort to help foil breaches.

"It isn't becoming a political issue in the sense that it is partisan. It is, however, becoming political in the sense that the general public is becoming increasingly concerned with the security of the systems they depend on," says Paul Rosenzweig, a former Department of Homeland Security policymaker who serves as a senior adviser to The Chertoff Group, a risk consultancy. "That concern will drive the debate."

President Obama also is putting pressure on Congress to enact laws to make cyberspace safer, especially legislation to encourage the sharing of cyberthreat information. After the cyber-attack on Sony Pictures Entertainment, Obama used his year-end press conference on Dec. 19 to call on Congress to pass threat-sharing legislation.

"One of the things in the new year that I hope Congress is prepared to work with us on is strong cybersecurity laws that allow for information-sharing across private sector platforms, as well as the public sector, so that we are incorporating best practices and preventing these attacks from happening in the first place," he said.

Will Squabbling Continue?

In the past two Congresses, Obama and House lawmakers bickered over the wording of cyberthreat sharing legislation, with the White House twice threatening to veto legislation that passed the House of Representatives with bipartisan support. The Senate, controlled by Democrats until this week, never took up its version of the legislation.

The White House and Congress differed on how to ensure the protection of individuals' privacy as well as their civil liberties. In its veto threat, the administration said the legislation passed by the House last year failed to require businesses to take reasonable steps to remove irrelevant personal information when sending cybersecurity data to the government or private-sector entities. "Given some issues that the privacy community has raised, we need to take that into account as we ... work on the bill," a senior administration official said last year in discussing the legislation.

Other differences between the administration and Congress centered on how cyberthreat information is shared with intelligence agencies. Privacy groups worry that the National Security Agency and other intelligence organizations could misuse the data to threaten Americans' privacy and civil liberties.

The administration also contended that legislation in the last Congress extended liability protections too broadly. Businesses say they need the legislation to prevent lawsuits that could result from disclosing how they protected - or inadequately safeguarded - their digital assets. But the administration expressed concern that the bills before Congress could allow businesses to exploit those protections to thwart lawsuits that have nothing to do with cybersecurity.

Compromise in the Air

Can the White House and Congress compromise? Several experts say they believe both sides are motivated to find a middle ground.

"It takes 60 votes in the Senate to move a bill," Rosenzweig says. "After Sony, I am skeptical that there are 41 votes to block information sharing legislation."

Dan Lohrmann, the former Michigan state chief information security officer who has long kept an eye on Washington cybersecurity developments, expects members of Congress to act on the issue this year. "They want to be shown as doing something constructive before something worse happens than the recent attacks on Sony," he says. "Cyber may offer the better hope [for compromise] as compared to immigration [reform] or debt reduction."

Lohrmann, now chief strategist and chief security officer at security awareness training firm Security Mentor, points out that many lawmakers - including Republican Sen. John McCain of Arizona and Democratic Rep. Jim Langevin of Rhode Island, co-chairman of the House cybersecurity caucus - have called on Congress to act quickly on cyberthreat information sharing legislation.

But to reach a compromise, the White House and Congress must first agree on a definition of privacy, says Gene Spafford, who as executive director of Purdue University's Center for Education and Research in Information Assurance and Security follows cybersecurity legislative developments.

"There is no broad policy on privacy, and there needs to be," Spafford says. "We need clear lines on privacy protection from companies giving up too much information, to government agencies collecting too much. Companies and agencies should be liable for poor practices and for over-sharing or exposure. The fair information privacy principles are a good start for defining reasonable limits to what is collected and shared."

Three Factors to Mull

To get a bill enacted, Spafford says, lawmakers need to address the three factors influencing the conversation around cyberthreat information sharing legislation: national security, privacy and undue burdening of business with new requirements. "Depending on who you talk to, the balance of these three is different," he says. "Without some better understanding of consequences and compromise, action will not be uniformly accepted."

Larry Clinton, president of the Internet Security Alliance, a trade group that backed the House legislation, warns against expecting the adoption of a new cyberthreat information sharing law to have a substantial impact on data breaches. "Are we overhyping the information sharing legislation and giving the impression that this bill would solve, or even make a significant dent, in the cybersecurity problem?" he asks.

Clinton, for instance, says he doubts that a cyberthreat information sharing law would have helped to prevent the Sony breach. "Most of the benefit of information sharing would be to help entities [stop] second attacks that use similar methods," he says. "I haven't heard anyone in the government come forward and say they had information that would have helped Sony stop the attack. ... To think we are going to address this problem by passing one narrow bill, even a good one, is woefully mistaken."

The new Congress also is expected to take up legislation to nationalize data breach notification. Business leaders say they need one national statute because of the burden their companies face in complying with 47 different state laws. Many lawmakers and the Obama administration favor a national law, but the big challenge facing Congress is deciding on key provisions, such as what constitutes a breach worthy of notification and when businesses should notify individuals and law enforcement of a breach. As the multitude of state statutes shows, there's no consensus on the provisions to be incorporated in a data breach notification law.

The Hackers' Shocking, Pointless Defeat of 'The Interview'

The latest, strangest turn in the Sony hack saga, an ongoing sequence of cyber-attacks seemingly motivated by Seth Rogen and James Franco's "assassination of Kim Jong-un" comedy The Interview, has a film studio taking a seemingly unprecedented step: letting movie theaters pull the movie entirely in the wake of terrorist threats. The film was due for release on Christmas Day and now may not be shown in any theater—certainly not the major chains (AMC, Regal, Cinemark, Cineplex) that most Americans attend. It's a shocking turn, especially since it's motivated by extremely vague threats ("The world will be full of fear…remember the 11th of September 2001…we recommend you to keep yourself distant from the places at that time.").

In one obvious sense, then, the terrorists have won. But if their goal really was to prevent people from seeing Kim Jong Un’s fictional assassination, then it may turn out to be a pointless victory.

It remains to be seen how this situation will play out exactly—but it’s easy to guess. Within hours of The Interview getting yanked from theaters, news hit that Sony is apparently considering a premium online release for the film. That seems like the most logical step—both from a profit standpoint and a safety one. Sony stands to lose millions in this whole affair, not to mention whatever penalties they might owe the film’s creative personnel, so any money that could be recouped on VOD would help offset that. It also makes a certain sense that theaters are acting in unison on this—as vague as the threat might be, it would take just one incident to create enormous liability for them. The New York Times pointed out that shopping malls, in which many theaters reside, helped lobby for the decision to avoid screening The Interview.

The Interview could very well benefit, in a cruel and unusual sort of way, from all this bizarre publicity.

Still, many are pointing out the scary precedent of Sony bowing to unspecified threats, especially when the Department of Homeland Security said the threats were not credible. Say someone disagrees with the premise of an upcoming film—one that deals with a hot-button issue like abortion or race, for example. If a terror threat gets called in, would theaters be compelled to make the same decision they made here? Though the Sony hackers have displayed their might in a sense—by ripping hundreds of terabytes of information from its private servers to publicly embarrass the company—they haven’t demonstrated the capability to make good on the more horrifying threat they made Tuesday.

The Internet has enabled the hackers’ power, but it has also neutered them: The Interview will almost certainly be seen, whether in theaters or not. In 1990, a similar situation would have doomed a film to utter obscurity. Even in 2001, the Arnold Schwarzenegger action vehicle Collateral Damage, which was due for release on October 5, 2001 and was pushed to the next February because it depicted a bomb attack in the U.S., was basically forgotten outside of that pop-culture history footnote. But because of on-demand technology, The Interview could very well benefit, in a cruel and unusual sort of way, from all this bizarre publicity. Were the situation not so financially harmful and publicly embarrassing for Sony, it’d be easy to conspiratorially regard it as some kind of high-concept publicity stunt to convince us of The Interview’s political bravery.

Still, who knows if that will translate into online viewings—or what Sony will even charge for the privilege of watching it in one’s own home, free of a terrorist threat. That’s how precedent-setting this is: Nothing like this has ever happened before. Three years ago Universal weighed releasing its comedy Tower Heist on VOD three weeks after it hit theaters, at $60 a pop, to generate public interest. Theaters threatened to boycott and the decision was scrapped. We lived in strange times then—but stranger times now.

Paul Gill's curator insight, December 25, 2014 3:37 PM

Dear Kim Jong-un and everyone else - Merry Christmas - um, regarding The Interview - What was the Point?!

Experts Question Sony Hack-Back Story

Information security experts are questioning the accuracy of a news report that claims Sony Pictures Entertainment is attempting to "hack back" to disrupt distribution of stolen Sony files.

The report on the news website Re/code, which is affiliated with CNBC, cites two anonymous sources saying that "the company is using hundreds of computers in Asia to execute what's known as a denial-of-service attack on sites where its pilfered data is available."

Multiple information security experts, however, have questioned that account. "I highly doubt Sony is doing this," Tom Chapman, director of the security operations group at computer security firm EdgeWave, tells Information Security Media Group. "And I highly doubt this would work. As for the legality, [it's] probably highly illegal."

What Sony might be doing, however, some experts speculate, is attempting to disrupt BitTorrent networks on which the stolen files are currently circulating by sending the "peers" that are attempting to download the file to sites where only bogus versions of those files are being stored. "Screwing with torrents is as old as torrents, and even if it were 'hacking,' which it isn't, it isn't hitting the attackers," says Jack Daniel, a strategist at vulnerability detection vendor Tenable Network Security.

Sony has failed to respond to repeated requests for comment on the hack attack against it.

Attackers Threaten Further Releases

Meanwhile, a group calling itself Guardians of Peace, or G.O.P., which claimed credit for the Sony attack, is continuing to release more of the "tens of terabytes" it claims to have stolen.

In an e-mail sent to Information Security Media Group on Dec. 11, someone claiming to be part of G.O.P. included links to multiple sites that contain a message from the group that includes links to download a sixth batch of leaked data, which attackers claim includes the Outlook mailbox for Sony's general counsel, Leah Weil, who joined the company in 1996. That leak follows the reported release of the Outlook mailbox for Sony Pictures Chairman Amy Pascal.

G.O.P.'s latest message includes a warning to all of Sony's employees. "We still have huge amount of sensitive information to be released including your personal details and mailboxes," it says. "Make the company cancel the release of the movie of terrorism, or you have to be blamed for it," it adds, apparently referring to Sony's forthcoming comedy The Interview, which according to leaked e-mails features Kim Jong-un's head exploding after he gets hit with a shell fired from a tank, Reuters reports.

Sony's Breach Costs Mount

Sony information that's already been leaked to date - beyond high-quality copies of five unreleased films - has included exhaustive lists of Sony's passwords for social media networks, as well as private details for 47,000 employees.

As more and more such information - including Social Security numbers and other personally identifiable information on current and former employees - becomes public, and the related risk of identity theft increases, some commentators have been asking just how much Sony is going to have to pay to repair the damage.

Of course, that question can't yet be definitively answered. Full details of the Sony attack have yet to come to light, and the full ramifications of the data breach - including whether it might drive big-name stars, directors and writers to competing studios - probably won't be known for at least another six months, Jim Lewis, senior fellow at the Center for Strategic and International Studies, tells Reuters. "Usually, people get over it, but it does have a short-term effect," he says.

Still, Lewis believes that Sony's related breach costs could hit $100 million, although he notes that the costs would be higher had Sony lost customer data, as happened in the April 2011 attack that compromised the personal information of 77 million PlayStation network and Qriocity customers, triggering a U.K. fine and a U.S. class action lawsuit that Sony ultimately settled.
