Belgian researchers have discovered a major weakness in the security protocol WPA2 – used to protect the vast majority of Wi-Fi connections.
Mathy Vanhoef, a security expert at KU Leuven University in Belgium, discovered the flaw and published details to highlight the problems. ‘Attackers can use this novel attack technique to read information that was previously assumed to be safely encrypted,’ he said. ‘This can be used to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on.’
Depending on the network configuration, it is also possible to inject and manipulate data. An attacker may well be able to inject ransomware or other malware into websites.
Britain’s National Cyber Security Centre is looking into the matter. ‘Research has been published into potential global weaknesses to Wi-Fi systems. The attacker would have to be physically close to the target and the potential weaknesses would not compromise connections to secure websites, such as Wi-Fi safety, device management and browser security.’
www.the guardian/technews.co.uk (17th October 18)
If you have a device that uses public Wi-Fi, you are at a higher risk. Shopping centres, airports, hotels, public transport, coffee shops, and restaurants all see hundreds of people connecting to the same Wi-Fi access points. It is a prime hunting ground for anyone trying to intercept personal information.
The advice is to avoid public Wi-Fi at the moment whilst vendors work on patches to allow all devices to be updated. Hackers will develop software quickly to take advantage of any vulnerabilities. Therefore, updating all devices is a must.
If you have any questions about the state of the security of your devices, or indeed if you have any concerns in general, please call and talk to one of our team. We will be happy to advise and help in any way we can. (adecsmaple – 024 7699 5930)
Many carmakers are adopting ‘over the air’ (OTA) software for their increasingly connected and autonomous cars. Does this mean that there is an increase in the risk of hacker hijackers?
Two years ago, hackers showed that they could remotely take control of a Chrysler Jeep. Earlier this year, Tesla boss Elon Musk warned about the dangers of hackers potentially taking control of thousands of driverless cars. Speaking at a National Governors Association meeting, he said, ‘I think one of the biggest concerns for autonomous vehicles is somebody achieving a fleet-wide hack. In principle, if someone was to hack all the autonomous Teslas they could send them all to Rhode Island as a prank. That would be the end of Tesla, and there would be a lot of angry people in Rhode Island.’
Mr Musk was quick to insist that a kill switch would ensure that the driver was able to gain control of the car and cut any links to the servers.
As cars become more sophisticated, incorporating features such as lane keeping, automatic braking and self parking, their systems are connected to the internet and the amount of software needed to control these systems is increasing. Also, it is much easier to use online updates – rather than repair-shop visits – for both automakers and customers.
OTA updates give manufacturers the ability to respond quickly as problems arise. Chrysler was criticised for sending out USB sticks with updates to patch the Jeep. Critics pointed out that criminals could easily intercept the USB sticks and infect them with malware.
Research consultancy IHS Markit estimates that by 2022, 160 million vehicles globally will have the capability to upgrade their onboard computer systems over the air.
‘Ultimately, as cars have become more connected, it does potentially create a bigger target and hackers have always altered their techniques as technology changes,’ said Robert Moran, an expert in car connectivity and security at NXP Semiconductors. ‘The fact that we can provide over-the-air updates is a security feature in itself, as it gives us the ability to respond and make changes.’
Consumer trust is crucial, so security is paramount.
www.bbc.co.uk./technews (6th October)
Microsoft appears to have abandoned its smartphone operating system ambitions after Joe Belfiore (chief of the company’s Windows 10) sent a tweet stating that developing new features and hardware for the Mobile version of the OS was no longer a focus. He added that he had also switched to Android himself.
Mr Belfiore said that Microsoft would support the many companies that had adopted the platform in terms of bug fixes, security updates, etc.
Windows 10 Mobile tried to attract users by letting them run the same ‘universal apps’ on both their PCs and handsets, but the concept failed to catch on. It has been reported that there wasn’t a wide range of devices running Windows 10 Mobile thus making it unattractive to retailers or operators. Consumers had reported that the operating system didn’t provide as good an experience as Android or iOS.
Mr Belfiore posted that Microsoft had tried “very hard” to incentivise other companies to release universal apps – even writing their software for them in some cases – but the number of users had been too low for most to bother.
bbc.co.uk/technews (10th October 2017)
Equifax has revealed the extent of a security breach that occurred earlier this year. It is thought that 2.5 million more Americans than previously thought may have had information compromised in the huge cyber security breach at the firm. This means that a total of 145.5 million customers were affected.
Critics say that the company failed to take proper steps to guard information – such as Social Security numbers, birth dates and addresses – and waited too long to inform the public.
Equifax disclosed the attack last month, estimating that around 400,000 Britons and 100,000 Canadians may also have had data compromised.
Richard Smith, former boss of Equifax, is to testify in Congress about the attack. He apologised ahead of the hearing for the firm’s failing and urged the US to adopt new standards for customer credit information. Mr Smith said that the attack made him believe that consumers should have sole control over when their credit information may be accessed.
Mr Smith also offered a timeline of events of the incident:
- The first attack occurred in May, with hackers taking advantage of a software vulnerability that Equifax was warned about in March and did not address
- An intrusion was identified on the 29th July
- An investigation ordered by the company revealed the enormity of the attack by mid-August
Mr Smith said Equifax faced a huge task to prepare to respond to customers. The firm was overwhelmed by calls after the breach became public and faced problems with the website it created to address customer complaints.
Equifax holds data on more than 820 million consumers as well as information on 91 million businesses.
www.bbc.co.uk/technews (2nd October)
Alphabet’s Google has struck a $1.1bn (£822m) deal with Taiwan’s HTC to expand its smartphone business. Google will not take a stake in the firm, but will acquire a team of people who develop Pixel smartphones for the US company and receive a non-exclusive license for HTC’s intellectual property. According to HTC, half of its smartphone research and development team – about 2000 people – will go to Google.
HTC was once a major player in the smartphone market but has struggled to compete with the likes of Apple and Samsung. Google expects the deal to close by early 2018 – provided it gets the all clear from regulators. This deal marks a move by Google to boost its hardware capabilities.
HTC makes Vive, the VR headset favoured by Google, as the alternative Oculus Rift is owned by Facebook. Vive is reportedly outselling Oculus Rift by a margin of nearly two to one, albeit with modest numbers, but is recognised by many as the superior system.
www.bbc.co.uk/technews (21st September)
More than 2 million users of anti-malware tool CCleaner installed a version of the software that had been hacked to include malware. Piriform, the developer of CCleaner now owned by security firm Avast, says its download servers were compromised at some point between 15th August, when it released version v5.33.6162 of the software, and the 12th of September, when it updated the servers with a new version.
In that period, a Trojan was loaded into the download package which sent ‘non-sensitive data’ from infected users’ computers back to a server located in America. The data, according to Piriform, included ‘computer name’, IP address, list of installed software, list of active software, list of network adapters.
As well as the data leak, however, the infection also resulted in a ‘second stage payload’ being installed on to the infected computer – another piece of malware, which Piriform says was never executed.
The company says 2.27m users were infected, but added that ‘we believe that these users are safe now as our investigation indicates we were able to disarm the threat before it was able to do any harm.’
Compromising downloads of trusted software is an increasingly common route by which malware authors infect devices. The method is known as a ‘supply chain’ attack. It works because the attackers are relying on the trust relationship between a manufacturer or supplier and a customer.
www.theguardian.com/uk/technology (19th September)