Posts Tagged ‘encrypted’

Thursday, September 19, 2013 @ 05:09 PM gHale

After reports of hacking attempts, Brazilian oil giant Petrobras wants to stay ahead on security by increasing its spending on IT infrastructure this year and for at least the following four years.

Maria das Graças Silva Foster, president of Petrobras, said at a public hearing in the Brazilian Senate the company will invest $1.8 billion (R$4 billion) in 2013 and $9.6 billion (R$21.2 billion) between 2013 and 2017 on information technology and telecommunications.

“This is a policy that is so important it has been personally approved by the board of directors,” said Graça Foster. “The management of our goods, people, information and the wealth we create is of crucial importance.”

During the joint hearing with the Parliamentary Commission for the Espionage Inquiry and the Economic Affairs and Foreign Relations committees in the Senate, she said the company constantly monitors and protects its information. As one case in point, she cited the number of emails that are blocked preemptively.

“Between August 09 and September 09 we received 195.9 million emails,” she said. “Of these, 16.5 million arrived at their destination.”

Regarding press reports that the U.S. National Security Agency (NSA) targeted Petrobras for espionage, the president said no violation of Petrobras systems had been recorded, but the presence of the company’s name in the reports has created “discomfort.”

“Systems used by Petrobras are among the most advanced on the market,” she said, emphasizing “investment in information security should be set to follow technological developments.”

Graça Foster said Petrobras has an integrated data processing center with restricted access, and the company’s strategic information does not go through the Internet.

“The company’s knowledge is held at the data processing center. Critical information is stored in an encrypted closed system. Access to the center is controlled with biometrics, weighing and monitoring with cameras,” she said. Despite working with partner companies and suppliers, only Petrobras holds all the information, and only the company is allowed to read it, she said. Additionally, Petrobras has contracts that provide for confidentiality.

Strict security procedures include requiring scientists and staff to avoid transferring the most critical data, such as seismic studies of the company’s oil reserves, over the Internet.

Wednesday, May 1, 2013 @ 05:05 PM gHale

RuggedCom released a new version of the Rugged Operating System (ROS) v3.12 which fixes security issues found in previous versions.

ROS Update v3.12 has been produced to mitigate these issues and can be obtained from the RuggedCom Customer Support Team.

Coming on the heels of the disclosure of the vulnerabilities, RuggedCom said the effort needed to implement the improvements in functionality, reliability and security was considerably greater than originally estimated, as was the complexity of the required changes. That is why RuggedCom decided to package this upgrade version of ROS as a major release, designated ROS 3.12.

The new version adds new features, including:
• Advanced security for default keys: The ROS main firmware binary contains renewed default SSH keys and SSL certificates for SSH and SSL management access. These objects are encrypted using strong cryptography and otherwise obfuscated within the binary file.
• New SSL certificates and SSH keys can now be generated by ROS or uploaded by the administrator: ROS can generate SSL certificates and SSH keys by itself. Alternatively, the administrator can upload SSL certificates and SSH keys at any time, as required.
• Guest and operator users can be disabled: By configuring the user name as an empty string, the default user with the ROS guest or operator access role/privileges is disabled.
• Support for multi-homed, dual-port IEDs: Port security enhancements for multi-homed IEDs.

Given the extent and complexity of the changes, it is not possible to back-port these upgrades to previous versions of ROS, officials said. Users who want the security updates will have to download and standardize on ROS 3.12.

As reported back in September, there was a hard-coded RSA SSL private key within RuggedCom’s Rugged Operating System (ROS). The vulnerability, along with proof-of-concept (PoC) exploit code, was first disclosed by security researcher Justin W. Clarke of Cylance Inc. According to that report, the remotely exploitable vulnerability could let an attacker decrypt SSL traffic between an end user and a RuggedCom network device, resulting in a loss of system integrity.

After ICS-CERT notified the company of the vulnerability, further analysis by RuggedCom found similar holes in the ROX (ROX I and ROX II) operating system firmware and the RuggedMax operating system firmware. A fix for the identified vulnerability in ROX is available. For the SSH service of RuggedMax, an interim mitigation is also available.

The following products suffer from the issue:
• Devices using the ROS releases before and including ROS Main v3.11.0.
• ROX I OS firmware used by RX1000 and RX1100 series products. ROX I versions before and including ROX v1.14.5 are affected.
• ROX II OS firmware used by RX5000 and RX1500 series products. ROX II versions before and including ROX v2.3.0 are affected.
• RuggedMax Operating System Firmware used by the Win7000 and Win7200 base station units and the Win5100 and Win5200 subscriber (CPE) devices. All versions of the firmware released before and including 4.2.1.4621.22.

Clarke previously reported an attacker can recover the RSA private key used for SSL communication between a client/user and a RuggedCom switch running ROS. An attacker could use the key to decrypt management traffic and craft malicious communication to a RuggedCom network device.
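A defender-side firmware acceptance check for the class of flaw described above, added here as an example (it is not RuggedCom’s or ICS-CERT’s code): it scans a firmware image for PEM-encoded private keys, distinguishes plaintext from passphrase-protected blocks, and fingerprints each one so the same key turning up in two images (a shared default) can be spotted. The sample image and the key bytes in it are constructed and are not a real key.

```python
import base64
import hashlib
import re

# One PEM block: group 1 is the label, group 2 any "Name: value" header lines
# (Proc-Type/DEK-Info mark a passphrase-protected key), group 3 the base64 body.
PEM_RE = re.compile(
    rb"-----BEGIN ((?:RSA |EC |ENCRYPTED |)PRIVATE KEY)-----\r?\n"
    rb"((?:[A-Za-z-]+: [^\r\n]*\r?\n)*(?:\r?\n)?)"
    rb"([A-Za-z0-9+/=\r\n]+?)"
    rb"-----END \1-----"
)

def scan_firmware(image: bytes) -> list:
    """Return one finding per PEM private key found in a firmware image."""
    findings = []
    for m in PEM_RE.finditer(image):
        label = m.group(1).decode()
        encrypted = label.startswith("ENCRYPTED") or b"ENCRYPTED" in m.group(2)
        try:
            body = base64.b64decode(re.sub(rb"\s", b"", m.group(3)), validate=True)
        except ValueError:
            continue  # text that merely looks like PEM but does not decode
        # An unencrypted key is DER and always starts with a SEQUENCE tag (0x30);
        # a passphrase-protected body is ciphertext, so that check does not apply.
        if not encrypted and (not body or body[0] != 0x30):
            continue
        findings.append({
            "offset": m.start(),
            "label": label,
            "encrypted": encrypted,
            # Equal fingerprints across two images mean a shared (default) key.
            "fingerprint": hashlib.sha256(body).hexdigest(),
        })
    return findings

def has_plaintext_private_key(image: bytes) -> bool:
    """Acceptance check: fail an image that ships any unprotected private key."""
    return any(not f["encrypted"] for f in scan_firmware(image))

# Constructed sample image: filler bytes around a dummy block whose body is a
# DER SEQUENCE header plus a few bytes. It is NOT a real key.
DUMMY_DER = bytes([0x30, 0x82, 0x00, 0x06, 0x02, 0x01, 0x00, 0x02, 0x01, 0x03])
DUMMY_PEM = (b"-----BEGIN RSA PRIVATE KEY-----\n" + base64.encodebytes(DUMMY_DER)
             + b"-----END RSA PRIVATE KEY-----\n")
SAMPLE_IMAGE = b"\x00" * 64 + b"constructed firmware blob\n" + DUMMY_PEM + b"\xff" * 64
CLEAN_IMAGE = b"\x00" * 64 + b"constructed firmware blob\n" + b"\xff" * 64

if __name__ == "__main__":
    for f in scan_firmware(SAMPLE_IMAGE):
        print(f"offset {f['offset']}: {f['label']} "
              f"({'encrypted' if f['encrypted'] else 'PLAINTEXT'}) sha256={f['fingerprint']}")
    print("plaintext key present:", has_plaintext_private_key(SAMPLE_IMAGE))
```

Run against every image a vendor ships; a non-empty plaintext result on a release image is grounds to reject it, and matching fingerprints across releases or devices mean the key is not per-device.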

Wednesday, December 12, 2012 @ 04:12 PM gHale

Wednesday, December 5, 2012 @ 03:12 PM gHale

Security issues within the mobile device realm continue to be a problem. This time there was an attack on Facebook’s Instagram photo-sharing service that could allow a hacker to seize control of a victim’s account.

The attack, developed by security researcher Carlos Reventlov, revolves around a vulnerability within Instagram. He notified Instagram of the problem Nov. 11, but the company has not fixed the issue so far.

The vulnerability is in version 3.1.2 of Instagram’s iPhone application, released Oct. 23.

Reventlov found that while some sensitive activities, such as logging in and editing profile data, are encrypted in transit to Instagram, other data is sent in plain text. He tested the two attacks on an iPhone 4 running iOS 6, where he first found the problem.

“When the victim starts the Instagram app, a plain-text cookie is sent to the Instagram server,” Reventlov said. “Once the attacker gets the cookie he is able to craft special HTTP requests for getting data and deleting photos.”

An attacker can intercept the plain-text cookie with a man-in-the-middle attack as long as the hacker is on the same LAN (local area network) as the victim. Once he grabs the cookie, the hacker can delete or download photos, or access the photos of another person who is friends with the victim.

The Danish security company Secunia verified the attack and issued an advisory.

Reventlov continued to study the potential of the vulnerability and found the cookie issue could also allow the hacker to take over the victim’s account. Again, the attacker has to be on the same LAN as the victim.

The compromise uses a method called ARP (Address Resolution Protocol) spoofing, where the web traffic of the victim’s mobile device is channeled through the attacker’s computer. Reventlov said it is then possible to intercept the plain-text cookie.

By using another tool to modify the headers of a web browser during transmission to Instagram’s servers, it is possible to sign in as the victim and change the victim’s email address, resulting in a compromised account. The fix for Instagram is easy: The site should always use HTTPS for API requests that carry sensitive data, Reventlov said.

“I’ve found that many iPhone apps are vulnerable to such things but not too many are high-profile apps like Instagram,” Reventlov said.
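As an added example (not Reventlov’s or Secunia’s code), a check a mobile-app reviewer can run over a captured session to catch the pattern described above: a session cookie or credential travelling over plain http after an HTTPS login, and Set-Cookie headers without the Secure attribute, which is what lets a client send the cookie in cleartext in the first place. Hosts, paths and cookie values are constructed.

```python
from urllib.parse import urlsplit

# Header names that carry a session or credential. Sent over plain http, any of
# these is exactly what a same-LAN eavesdropper needs to replay the session.
SENSITIVE_HEADERS = {"cookie", "authorization"}

def cleartext_credential_leaks(requests):
    """Return (host, path, header names) for each http:// request that carries
    a session cookie or credential. `requests` is a list of (url, headers)."""
    findings = []
    for url, headers in requests:
        parts = urlsplit(url)
        if parts.scheme.lower() != "http":
            continue  # TLS-protected; not readable by a passive eavesdropper
        leaked = sorted(h for h in headers if h.lower() in SENSITIVE_HEADERS)
        if leaked:
            findings.append((parts.netloc, parts.path, leaked))
    return findings

def cookies_missing_secure(set_cookie_headers):
    """Names of cookies set without the Secure attribute: the client will also
    send them on cleartext requests, which is the root cause described above."""
    missing = []
    for header in set_cookie_headers:
        attrs = [a.strip() for a in header.split(";")]
        name = attrs[0].split("=", 1)[0]
        if not any(a.lower() == "secure" for a in attrs[1:]):
            missing.append(name)
    return missing

# Constructed capture of an app session (hosts and cookie values are made up):
# login goes over HTTPS, but the same session cookie is reused over plain http.
CAPTURE = [
    ("https://api.example.test/accounts/login/", {"Cookie": "sessionid=abc123"}),
    ("http://api.example.test/feed/timeline/", {"Cookie": "sessionid=abc123"}),
    ("http://cdn.example.test/photos/42.jpg", {"User-Agent": "app/3.1.2"}),
]
RESPONSE_COOKIES = [
    "sessionid=abc123; Path=/; HttpOnly",
    "csrftoken=xyz; Path=/; Secure",
]

if __name__ == "__main__":
    for host, path, hdrs in cleartext_credential_leaks(CAPTURE):
        print(f"cleartext {', '.join(hdrs)} sent to http://{host}{path}")
    print("cookies lacking Secure:", cookies_missing_secure(RESPONSE_COOKIES))
```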

Tuesday, November 20, 2012 @ 02:11 PM gHale

Facebook will begin turning on secure browsing for its millions of users in North America, which will make HTTPS the default connection option for all sessions and will give users a baseline level of security and help prevent some common attacks.

While at first this may seem more consumer-oriented than focused on manufacturing automation, with more manufacturers using social media as an e-commerce tool and an arrow in their marketing quiver, this could add one more layer of defense.

Facebook users have had the option of turning on HTTPS since early 2011 when the company reacted to attention surrounding the Firesheep attacks. However, the technology was not the default protection and users had to manually make the change in order to get the better protection of HTTPS. When users have to take that extra step, they often just go with the default settings.

Now, users will have to manually turn HTTPS off if they don’t want it, a reversal that is a major change, especially for Facebook’s massive user base, which has become a major target for attackers.

Facebook is under constant attack by hackers. One of the common techniques used to compromise users is a man-in-the-middle attack, through which attackers intercept traffic between a client and the server it should be going to. This type of attack is much easier when that traffic remains unencrypted and attackers really don’t need to do much in order to get it.

HTTPS encrypts the connection between the user’s machine and the server on the other end, obscuring it from attackers, even if they are able to sniff the traffic on the wire or on a wireless connection. The technology is by no means “the silver bullet” for Web-based attacks, but it can slow down or cut out some basic types of attacks.

Using HTTPS also won’t protect you if there is malware on your machine that’s capable of logging keystrokes. But it is an important change for Facebook, which has become not just a social network but also an e-commerce platform.

Thursday, March 22, 2012 @ 03:03 PM gHale

Google’s encrypted search service will be the default option for Mozilla’s Firefox browser.

The modification is not in the stable version of Firefox yet, but users who download the daily beta builds can access it now.

The switch to using HTTPS for search by default is a major step for Mozilla in terms of protecting the privacy of users’ search queries and results. Google has offered an option for encrypted search and has made secure search the default for users logged in to their Google accounts since last October. Google has not made that option the default for its own Chrome browser.

With the change in Firefox, users of Mozilla’s browser now have an extra layer of protection for their search queries, something that is becoming increasingly important in the age of surveillance, targeted ads and data sales.

“Google’s October 2011 decision to start proactively scrubbing search queries from the referrer header was a great first step, but a small percentage of Google’s search users benefited. Now that Mozilla is switching to HTTPS search, hundreds of millions of Firefox users will have their privacy protected, by default,” privacy and security researcher Chris Soghoian said.

“The only surprising aspect to this otherwise great bit of good news is that the first major browser to use HTTPS search is Firefox and not Chrome. I reasonably assumed that as soon as Google’s pro-privacy engineers and lawyers won the internal battle over those in the company sympathetic to needs of the SEO community, that Google’s flagship browser would have been the first to ship HTTPS by default.”

Google has not said publicly when it plans to enable HTTPS search by default for Chrome users, but with the move by Mozilla, it seems likely Google will do it soon.

“We would welcome Firefox giving their users the option to use encrypted search. However, at this time we don’t feel that our encrypted search offers the features and speed that our users expect and so we wouldn’t want it to be the default. We are working towards making encrypted search as fast and complete as unencrypted search, but we’re not there yet,” said Google’s Adam Langley.

Mozilla has not said when the change to HTTPS Google searches will show up in the stable channel of Firefox.

Tuesday, April 13, 2010 @ 04:04 PM gHale

Flash drive makers SanDisk Corp. and Verbatim Corp. have joined Kingston Technology Inc. in warning customers about a potential security threat posed by a flaw in the hardware-based AES 256-bit encryption on their USB flash drives.

The hole could allow unauthorized access to encrypted data on a USB flash drive by circumventing the password authorization software on a host computer.
