Security professionals have said for years that the only way to make a computer truly secure is for it to not be connected to any other computers, a method called airgapping. Then, any attack would have to happen physically, with the attacker actually entering the room and accessing the computer that way, which is incredibly unlikely. In the case of computers containing highly sensitive information, additional, physical security can always be added in the form of security guards, cameras, and so on.
Researchers at Georgia Institute of Technology have uncovered a vulnerability in all computers, however, which can be exploited regardless of an air gap. It’s a vulnerability which you’d never suspect, and it’s one that’s hard to fight against. All CPUs emit electromagnetic signals when they are performing tasks, and the first thing these researchers discovered was that binary ones and zeroes emit different levels. The second thing they discovered is that electromagnetic radiation is also emitted by the voltage fluctuations and that it can be read from up to six meters away. These signals, by the way, are known as side-channels, and they are well-documented in the cryptography field.
The Least Traditional Attack You’ve Ever Seen
Side channels are a powerful class of attacks that circumvent traditional security protections and access controls. Unlike traditional attacks that exploit vulnerabilities in what the system does, side channel attacks allow information to be obtained by observing how the system does it, reads their white paper.
The researchers, whose names are Robert Callan, Alenka Zajic, and Milos Prvulovic, have developed software which allows them to overcome the two main problems of this type of attack: multiple weak signals and determining what is of interest and what is not, such as keystrokes. In this video, Milos demonstrates that the keystrokes can be decoded in real time from across the room.
The white paper tries very hard to impress the importance of this vulnerability. An attacker who knows what they are looking for can do a great deal of damage using technology like this. They note that a vulnerability rating has been proposed recently, but that the proposal doesn’t do much in the way of providing developers of future technologies with a roadmap of improvement.
The current state of the art is the recently proposed Side-Channel Vulnerability Factor (SVF), which measures how the side channel signal correlates with high-level execution patterns (e.g. program phase transitions). While this metric allows overall assessment of the “leakiness” of a particular system and application over a given side channel, it provides limited insight to 1) computer architects about which architectural and microarchitectural features are the strongest leakers, and to 2) software developers about how to reduce the side channel leakiness of their code.
Nothing New Under the Sun
Elsewhere, in Israel, a similar process has been developed for except it runs on a cell phone, called the AirHopper. This was done back in October to challenge a policy of letting people bring their mobile phones on secure sites as long as they locked them up in a locker before beginning work. The Israeli researchers proved that they could get data from computers that were connected to no standard network by using side-channels.
With the foundations laid for this sort of compromise, one can only assume that it will be developed by governments and bad actors alike in order to further spy on communications of everyday people as well as gain access to incredibly sensitive data.
Farraday Cage Remedy
Conceivably, rooms containing computers or the computer cases themselves could be augmented with Farraday cages that would prevent this sort of close-range monitoring because the signals wouldn’t make it past the cage. Doing this on your home PC might seem overkill now. But as the technique gains wider usage and the technology which enables it is improved, a revival of wardriving could happen in highly populated areas, this time with the intention of stealing passwords and other sensitive data. One thing is for sure: the future of computer security will have to account for this new, universal vulnerability in some way.
Images from Shutterstock.
Coders Safeguard Vulnerable Ethereum Wallets Following Security Breach
Ethereum suffered large-scale security breaches last week after anonymous hackers targeted vulnerable wallets in the network, resulting in the loss of tens of millions of dollars. However, it didn’t take long for a volunteer group of coders to “rescue” the funds in 500 at-risk wallets before the same attackers could get to them too.
White Hat Group Takes Charge
The so-called White Hat Group showed initiative by “rescuing” the funds using the same techniques the thieves employed to compromise $32 million USD worth of ether from three multi-signature wallets. As of Monday, the White Hat Group of ethical hackers was in possession of $86 million worth of ether and an additional $122 million in tokens.
Tokens are digital assets that are sold during an Initial Coin Offering (ICO) fundraising event. They have proven to be extremely popular.
Tens of millions of dollars worth of ether and tokens have already been returned to their owners. The White Hat Group says it will issue full refunds by the end of July.
Blockchain-based trading platform Coindash was also breached last week, resulting in the loss of more than $7 million worth of ether.
Security Breaches Nothing New in Crypto World
For all its benefits, cryptocurrency has been vulnerable to several high-profile security breaches. Last summer, Hong Kong-based Bitfinex was the target of a major attack that resulted in the theft of around $70 million worth of bitcoins. In response, the exchange announced a controversial plans to “socialize” its losses among all users. Each Bitfinex trader was docked 36% as a result.
Bitcoin prices declined sharply following the attack, stopping what had been a blistering summer of gains.
Ethereum Enterprise Alliance
For anyone doubting the potential of the ether, take a look at the list of companies participating in the Enterprise Ethereum Alliance (EEA). The EEA is a forum that connects Fortune 500 companies, startups and academics with ethereum subject matter experts. The EEA is made up of multinational banks and some of the world’s biggest technology companies.
The forum has made cyber security a top priority, according to a May 22 press release. In the release, companies like Infosys, Mitsubishi UFJ Financial Group, Synechron and others expressed their intent to contribute to the future of ethereum’s security.
New Form of Ransomware Uses Social Media to Customize Demands
A new form of ransomware is reported to have been found that uses a person’s social media and computer files to customize a demand, according to cybersecurity researchers at Proofpoint.
Called ‘Ransoc’ by the researchers because of its connection to social media, they found that the malware was scanning local media filenames and running several routines by interacting with Skype, LinkedIn, and Facebook profiles, infecting the system through Internet Explorer on Windows and Safari on OS X.
What’s interesting about this new type of ransomware is the fact that unlike ransomware such as Locky, which encrypts a person’s files before demanding payment, Ransoc customizes its demands to its victims.
After scanning a person’s computer files and social media to find potentially incriminating evidence, it then sends a penalty notice, threatening victims with court action if the amount isn’t paid.
As it doesn’t encrypt a person’s files, the ransomware relies on a victim’s fear to pay the money straight away.
According to Proofpoint, though, this type of penalty notice threat was widespread during 2012 and 2014; however, since then the focus has been on crypto ransomware and other malware as a way of scamming victims out of their money.
Interestingly, enough, the team at Proofpoint discovered that the penalty notice only appeared if the malware was able to locate incriminating evidence on the computer. If, however, the file name was manually changed no penalty notice was triggered.
Not only that, but the team found that instead of demanding the payment in bitcoin, which is what the vast amount of cybercriminals using malware demand, this one demanded payment with a credit card. Unlike bitcoin, which gives criminals anonymity, the use of a credit card means that law enforcement can potentially trace the money back to the criminals a lot easier.
The fact that this method is used could suggest that the cybercriminals are happy in the belief that the victims have too much to hide to seek out help from the police. To encourage payment, though, the ransom note states that the money will be sent back to the victim if they are not caught again in 180 days.
It’s safe to say that repayment never happens.
All, it seems, is not lost.
According to Proofpoint, the Ransoc only employs a registry autorun key to persist, so rebooting in Safe Mode should allow users to remove the malware.
Featured image from Shutterstock.
Are Children Losing Their Childhood to Smart Toys?
Smart toys are on the rise, but while they may have the ability to enhance a child’s play, do they also pose a threat by spying on what children are doing?
In an article from the New Scientist, the issue of privacy is looked into. More specifically, the privacy of children.
Nowadays, it seems it’s no longer a case of simply playing with Ken and Barbie as the imagination of a child takes over. As the article reports, various companies have been looking into how they can capture the imagination of children. One play item, in particular, is the Barbie Hello Dreamhouse and Hello Barbie.
Created by the American toy-company Mattel, Inc., Barbie has been in existence since 1959. Designed by businesswoman Ruth Handler, Barbie has maintained its popularity with children up to the present day for nearly 60 years.
But, in a bid to keep up with technological advances in the 21st century, Mattel, Inc., has created the Barbie Hello Dreamhouse, a pink-and-white smart house for the world’s most popular doll. Apparently, the Hello Barbie is reported to be able to talk to a child on a number of topics ranging – as the New Scientist states – ‘from fashion and family to dreams and paddleboarding.’
Nothing wrong with that, you might think.
Except for the fact that when a child presses Barbie’s buckle to talk to her, every word the child makes is then transmitted to a Mattel-owned server farm where it is analyzed so that a suitable reply can be sent back to the child.
Sending Details to Third Parties
Shockingly, the information that was being stored was also being sent on to third parties, which, naturally, ensued a backlash.
According to Josh Golin, executive director of the Campaign for a Commercial-Free Childhood (CCFC), who launched a social media campaign #HellNoBarbie, he said that:
It just struck us as such as invasion of children’s privacy.
Open to Hackers
Children, in their innocence, don’t realize that what they are telling their dolls may now be listened to by others. This can also include hackers.
Even though toys may seem above anything else, they can just as easily become a target for hackers too.
In 2015, Chinese company VTech was targeted by hackers. Reports stated that nearly five million parents and more than 200,000 children had their information stolen after a hacker breached the servers of the toy company.
As such privacy activists have objected not only because of the concern from others listening in or the vulnerability that toys can pose, but also because it can take away the nature of a child’s play.
Taking Away the Child’s Imagination
Of course, if you walk into someone’s house, the chances are that you will find a vast array of smart technology around. Consider digital assistants such as Siri, Alexa, and Allo to name a few.
Toys, however, don’t need to be smart, do they?
After all, when it comes to child’s play that’s when a child learns how to figure out skills while playing out a fantasy world that only they see in their eyes. By playing with toys that are already preprogramed with answers seems to only hinder a child’s play rather than broaden it.
Featured image from Shutterstock.
- Ripple Spikes 50% as Bitcoin Lifts Smaller Altcoin...
- Technical Analysis: Bitcoin Grinds Higher as Recor...
- Trade Recommendation: Siacoin
- Trade Recommendation: ETC/BTC Pair Bottoming Out
- What’s Behind the Cryptosurge
- Trade Recommendation: Syscoin
- A Career in Crypto: How to Work in the World’s Fas...
- Crypto Market Reaches Historic Milestone as Ether, Ripple Surge December 14, 2017
- Technical Analysis: Volatility on the Rise Again, as Ripple and Ethereum Hit Targets December 13, 2017
- Federal Reserve Hikes Interest Rates for Third Time This Year, Keep 2018 Policy Outlook Unchanged December 13, 2017
- Trump’s Proposed Tax Changes Could Impact Cryptocurrency Investors December 13, 2017
- Trade Recommendation: Syscoin December 13, 2017
- Trade Recommendation: Ride the Next Rally of Bitcoin December 13, 2017
- Ethereum Just Broke $700 for the First Time December 13, 2017
- Trade Recommendation: ETC/BTC Pair Bottoming Out December 13, 2017
- Trade Recommendation: USDJPY December 13, 2017
- What’s Behind the Cryptosurge December 13, 2017
A part of CCN
Analysis4 days ago
Long-Term Cryptocurrency Analysis: Look Out Below?
Recommendations5 days ago
Trade Recommendation: Litecoin
Analysis1 week ago
$100 Litecoin Looks Poised for Greater Upside
Cryptocurrencies1 week ago
Trade Recommendation: Neo
Cryptocurrencies4 days ago
Trade Recommendation: Zcash
Cryptocurrencies1 day ago
Trade Recommendation: Bitcoin Cash
Cryptocurrencies5 days ago
Trade Recommendation: Stellar
Cryptocurrencies5 days ago
Trade Recommendation: Ethereum Classic