Popular office phones vulnerable to eavesdropping

Popular office phones vulnerable to eavesdropping hack, Columbia university researchers say

High-tech telephones common on many workplace desks can be hacked and turned into eavesdropping devices, researchers at Columbia University have discovered. The exploit targets the Cisco Unified IP Phone 7900 series, which feature color LCDs and internet connectivity. Discovered by doctoral candidate Ang Cui and computer science professor Salvatore Stolfo — both from Columbia University — the hack can be applied to phones so long as the perpetrator has physical access to the device. Cui showed that the hack can easily be injected through the phone’s local serial port. Not only can the exploit allow the perpetrator to monitor any phone calls made from the device, but it can also turn on the phone’s microphone, allowing the perpetrator to hear anything within reach of the phone, as well as stream that audio over a network.

Read on in the reposted article below to see how safe the office communications we rely on really are, and how a hack turns a regular office phone into a bugging device, making all our workplace fears come true.

[Image: Columbia University] This small gadget can be attached to a single Cisco IP phone and turn an entire company’s network into a sophisticated bugging device within seconds, researchers say.
High-tech telephones common on many workplace desks in the U.S. can be hacked and turned into eavesdropping devices, researchers at Columbia University have discovered.
The hack, demonstrated for NBC News, allows the researchers to turn on a telephone’s microphone and listen in on conversations from anywhere around the globe. The only requirement, they say, is an Internet connection.
Doctoral candidate Ang Cui and Columbia Professor Sal Stolfo, who discovered the flaw while working on a grant from the U.S. Defense Department, say they can remotely order a hacked telephone to do anything they want and use software to hide their tracks. For example, they said they could turn on a webcam on a phone equipped with one or instruct the phone’s LED light to stay dark when the phone’s microphone has been turned on, so an eavesdropping subject wouldn’t be alerted that their phone has been hacked.
The flaw involves software running on Cisco’s popular Internet Protocol telephones. Cisco acknowledged the flaw in a statement to NBC News, but wouldn’t say how many of its phones were impacted. In a blog post earlier this year, the company — the leading IP phone maker, with about one-third of the market — said it had just surpassed 50 million in phone sales. 
In a vulnerability announcement sent to paying customers in December, Cisco listed 15 phone models impacted by the problem. 
“You can imagine the implications of this,” Stolfo said of the vulnerability. “Anything that is said behind closed doors isn’t private, no matter how sensitive the conversation is. There is no privacy. How can you conduct business like that?”
Cisco’s statement indicated that the company is working on a fix, and the firm told NBC News that it planned to issue a security bulletin next week. But Stolfo said he is “very worried about the speed with which Cisco is handling this.”
In a demonstration of the phone hack at the Chaos Communications Conference Dec. 29 in Germany, Cui showed examples of Cisco phones being used in government and military applications, though he noted there is no way to know if those phones were vulnerable to the attack.
“On the dark side, these phones are sold worldwide,” Stolfo said. “Any government that would like to peer into the private lives of citizens could use this. This is a great opportunity to create a low-cost surveillance system that is already deployed. It’s a monitoring infrastructure that’s free, when you turn these into listening posts.”
The research was conducted under a grant from the Defense Advanced Research Projects Agency (DARPA), an arm of the Defense Department devoted to computer security, and conducted at the Computer Science Department of Columbia University’s School of Engineering and Applied Science. The same lab caused a global stir in 2011 when it published a hack of Hewlett Packard printers.
“We consider this to be much more dangerous than the printer hack,” Stolfo said, “because of what you can do with the phone.”
In a demonstration conducted last week for NBC News, Cui showed how a small device pre-loaded with software and plugged into a port on the Cisco phone could rewrite the IP phone’s software within seconds. In the scenario he described, a would-be hacker would need access to a phone for only a few moments – a phone on a secretary’s desk, for example – to conduct the attack.
The Columbia lab focuses on so-called “embedded devices” — computer chips in non-PC gadgets, such as televisions, thermostats or telephones. Increasingly, all these gadgets are networked and connected to the Internet, and therefore can be hacked remotely.
“These phones are really general purpose computers jammed into a plastic case that makes you think it’s a phone,” Cui said. “Just because it doesn’t have a keyboard doesn’t make it less of a computer.”
Cisco’s IP phones — and other models that use the same chipset — are open to attack because they routinely connect to a central server looking for updated instructions, according to Cui. That creates an avenue for a hacker to insert rogue code, he said.
The phones run a proprietary adaptation of the popular Unix operating system called CNU, but any programmer familiar with Unix could write code for the phone and tell it to perform any function, Cui said.
“The phones are listening to a network waiting for a command. They are actively saying, ‘Does anybody have any code for me to run?’” said Stolfo.
In an initial statement to NBC News, Cisco said that all Cisco IP phones “feature a hard-wired light that will alert the user whenever the microphone is active,” meaning it would warn users that their phone’s microphone had been turned on. But the Columbia researchers dispute that, and showed NBC News a hacked phone on which there was no sign that the microphone had been activated while they were eavesdropping on a conversation.
“There is no hard-wired light,” Cui said. “Everything is controlled by the software.”
After viewing Cui’s demonstration in Germany, Cisco issued an updated statement to NBC News backing away from its disagreement on the LED light issue, saying it “wasn’t directly relevant.”
But the researchers and Cisco still disagree about potential methods of attack.
Cisco said hackers would generally need physical access to a telephone in order to begin an attack, with rare exceptions.
“(Remote attack would require) the combination of authenticated remote access and non-default device settings,” Cisco said. “No default account exists for remote authentication and devices configured for remote access must use administrator-configured credentials.”
Stolfo said, however, that a hacker would need physical access to only a single phone on the network — a receptionist’s phone, for example, or a phone at the home of a remote worker — to gain access to a company’s entire phone network.
But he also maintained that there are multiple scenarios that would allow for a remote attack.
Escalation would be one way: An outsider could trick a worker into clicking on a virus-laden email attachment, infect the worker’s computer and then use that computer to attack a phone from inside a company’s network, he said. But the researchers say other flaws exist that would allow the phone to be attacked directly from outside the company.
“It also works the other way,” Cui added. “You could attack the network, and then attack a single person’s phone. Say, the CEO, at home.”
Officials at DARPA said they couldn’t comment on specific research, but praised Columbia’s work generally.
“DARPA’s program is concerned … with exploring what kinds of vulnerabilities are present in current systems so that we can determine architectural principles that will rule out such vulnerabilities in future systems,” Dr. Howard Shrobe, DARPA Program Manager, said in a statement. “Computers often are at the core of many devices that most people do not think of as computers (e.g. phones, printers, power meters, cars and airplanes, for example) but which inherited the vulnerabilities of their embedded computer components. These devices have enormous impact in our everyday lives and in our critical infrastructures and are therefore a core concern.”
Stolfo said it was critical to come forward with the Cisco flaw now because the company isn’t working fast enough to fix it.
“What we’re doing is trying to alert the manufacturer to not provide the opportunity to hackers to break into our phones,” he said. “What we’re asking them to do is like asking automakers to put seatbelts into cars to save lives.” 
The researchers have not released their attack code, so would-be criminals cannot simply copy their work and attack Cisco phone systems today, and there is no evidence that a hacker has exploited this vulnerability in the real world. They do believe others will successfully — and independently — duplicate their research, however, placing Cisco in a race with hackers, and Cui thinks it’s possible that has already happened.
“I’d be surprised if someone else hasn’t already done this,” Cui said.

BYOD: Make it Secure!

BYOD challenges can be handled through the right policies

Bring your own device (BYOD) is a revolution happening at the user end, and it has taken the infrastructure out of the control of information managers. While the debate goes on over whether BYOD policies save organizations money or cost them, it is slowly emerging that these policies increase complexity while decreasing direct control over information resources. Information security suddenly becomes a prime challenge: the devices are now owned by individuals and used for personal purposes, so segregating work information from personal information and keeping it private poses difficult practical problems. A robust BYOD policy coupled with an effective strategy can, to a reasonable extent, help restore control and ensure a smooth transition to the inevitable BYOD revolution.

A strong information security framework and supporting policy guidelines are absolutely critical to ensure a smooth transition. The issue becomes more critical in the absence of clear regulation and requires an ironclad policy that is enforced rigorously. Items that a BYOD policy is typically expected to cover are: clearly defined information classification; access rules for personal devices; user profiling; lockdown of device security settings and the OS; protection against device loss and data recovery methods; provisions for remote wipe and remote application management; the right to confiscate and search devices; and the right to dictate which applications are allowed and prohibited. For example, IBM banned access to Apple’s Siri application as well as access to Dropbox for company-managed devices.

In the extremely nebulous legal landscape, these policies must be cleared through the legal team to make sure that the language is adequate and that it will work in all applicable jurisdictions. From a legal perspective, it is mandatory to review all licenses for cloud-based applications to ensure that data is handled responsibly in those environments. Review of these agreements should follow the same review and approval process that would normally be used when considering outsourcing partnerships.

The security framework needs to answer questions such as: heavyweight or lightweight security; security at the server level or the client level; security at the device level, application level or information level; and so on. Other issues that cannot be overlooked include bandwidth, software licenses, data plans, etc. Similarly, users’ concerns about having their devices confiscated and their personal information accessed need to be addressed. Providing a method to secure copies of personal information, as well as a way to protect other pieces of private information (e.g., non-work text messages, email and instant message logs), will go a long way toward easing those concerns.

Issues arising from people using unmanaged devices (e.g. a user who does not wish to participate in the officially sanctioned BYOD programme) may represent an even greater risk to businesses than those from people willingly agreeing to follow the rules.

While analysts and experts caution organizations on the importance of having a strong BYOD policy in place, the fact is that many organizations do not pay enough attention to this key point and simply add a few lines to their existing wireless policy in an attempt to cover their bases. While it is highly recommended that the BYOD strategy be in line with the corporate mobility strategy, just tweaking the mobility policy to accommodate BYOD is not enough. A separate policy that covers all possible aspects of BYOD is a basic necessity.

A policy is only as good as the people who follow it. Implementing a pilot and revisiting policy guidelines helps in understanding the ever-evolving challenges. Further, policy-making needs to be treated as an evolving process and not a one-time exercise to meet routine compliance or adherence to company policies. It is also important to back policies with technical controls such as mobile application management (MAM) and mobile device management (MDM) applications. Where possible, enforcing device encryption and passwords will help reduce the associated technical risks. Strengthening access management requirements, such as by mandating two-step or two-factor authentication, can further reduce the risk of a lost device immediately leading to a data breach.

US banks under cyber attack!

Security researchers at McAfee labs believe Project Blitzkrieg, a plan to use malware to steal money from 30 banks in the U.S., is a real threat not to be taken lightly. The security company released a report about the project that was originally announced in September on a Russian forum. A cyber-criminal by the handle “vorVzakone” originally posted the intent to hack into 30 banks across the U.S. and steal information and money using a trojan. A trojan is a type of malware that secretly enters a computer system by pretending to be something innocuous.

McAfee says that the forum post originally called for developer help and said the trojan would be launched within a few weeks. Timing for the attacks has not been confirmed, though a number of banks were recently hit with distributed denial of service (DDoS) attacks that took down their websites. DDoS attacks work by flooding a system’s servers with traffic, causing them to overload and shut down. This kind of attack does not itself give the attackers access to the inside of the system, but it is sometimes used as a diversion tactic while the attackers silently gain illegal access to the servers.

“McAfee Labs believes that Project Blitzkrieg is a credible threat to the financial industry and appears to be moving forward as planned. Not only did we find evidence validating the existence of an early pilot campaign operated by vorVzakone and his group using the Trojan Prinimalka that infected at a minimum 300 to 500 victims across the United States, but we were also able to track additional campaigns as a result of the forum posting,” said McAfee Labs threat researcher Ryan Sherstobitoff in the report.

McAfee believes the trojan in use here is called Prinimalka, a piece of malware originally built in 2008. VorVzakone’s forum post also said that the trojan had already stolen $5 million from unknown institutions. (Read more at http://venturebeat.com/2012/12/13/us-bank-threats/#miGWuyOSziGXZhGm.99)

On the other hand, since September, U.S. banks have been battling, with mixed success, distributed denial of service (DDoS) attacks from a self-proclaimed hacktivist group called Izz ad-Din al-Qassam Cyber Fighters. Despite its claims of being a grassroots operation, U.S. government officials and security experts say the group is a cover for Iran.

“There is no doubt within the U.S. government that Iran is behind these attacks,” James A. Lewis, a former official in the State and Commerce Departments and a computer security expert at the Center for Strategic and International Studies, told The New York Times.

Mr. Lewis said the amount of traffic flooding American banking sites was “multiple times” the amount that Russia directed at Estonia in a monthlong online assault in 2007 that nearly crippled the Baltic nation.

American officials have not offered any technical evidence to back up their claims, but computer security experts say the recent attacks showed a level of sophistication far beyond that of amateur hackers. Also, the hackers chose to pursue disruption, not money: another earmark of state-sponsored attacks, the experts said.

“The scale, the scope and the effectiveness of these attacks have been unprecedented,” said Carl Herberger, vice president of security solutions at Radware, a security firm that has been investigating the attacks on behalf of banks and cloud service providers. “There have never been this many financial institutions under this much duress.”

Since September, intruders have caused major disruptions to the online banking sites of Bank of America, Citigroup, Wells Fargo, U.S. Bancorp, PNC, Capital One, Fifth Third Bank, BB&T and HSBC.

They employed DDoS attacks, or distributed denial of service attacks, so named because the attackers deny customers service by directing large volumes of traffic at a site until it collapses. No bank accounts were breached and no customers’ money was taken.

By using data centers, the attackers are simply keeping up with the times. Companies and consumers are increasingly conducting their business over large-scale “clouds” of hundreds, even thousands, of networked computer servers.

These clouds are run by Amazon and Google, but also by many smaller players who commonly rent them to other companies. It appears the hackers remotely hijacked some of these clouds and used the computing power to take down American banking sites.

“There’s a sense now that attackers are crafting their own private clouds,” either by creating networks of individual machines or by stealing resources wholesale from poorly maintained corporate clouds, said John Kindervag, an analyst at Forrester Research. How, exactly, attackers are hijacking data centers is still a mystery. Making matters more complex, they have simultaneously introduced another weapon: encrypted DDoS attacks.

Banks encrypt customers’ online transactions for security, but the encryption process consumes system resources. By flooding banking sites with encryption requests, attackers can further slow or cripple sites with fewer requests. A hacker group calling itself Izz ad-Din al-Qassam Cyber Fighters has claimed in online posts that it was responsible for the attacks.