Saturday, August 20, 2016

Tabula Rosa Systems Blog of 8/20/2016 - Your passwords can easily be spied on if you use a wireless keyboard

Using a wireless keyboard? Your passwords can easily be spied on 
27 JULY 2016 • 10:51AM www.telegraph.co.uk
People using low-cost wireless keyboards are at risk of having their passwords read, according to researchers.
Eight major keyboard brands accounting for millions of devices in use across the world were shown to have a security hole that could let hackers up to 100m away read every letter a victim types. 
The attack, called KeySniffer, could allow hackers to eavesdrop card details, passwords, usernames and answers to security questions, among other sensitive documents. 
"When we purchase a wireless keyboard we reasonably expect that the manufacturer has designed and built security into the core of the product," said Marc Newlin, a researcher at Bastille, the internet of things security company that discovered the flaw. 
[Image: Marc Newlin stands in front of the dozen keyboards Bastille tested in the research. Credit: Bastille]
Researchers tested wireless keyboards from a dozen manufacturers and found that eight were susceptible, including models from Toshiba and HP that don't use Bluetooth to connect to a computer, but instead communicate through unencrypted radio signals. 
The attack uses equipment that costs less than $100 (£76) and intercepts the signal between the keyboard and its USB receiver. Unlike Bluetooth keyboards, there are no industry standards for those that use radio signals, meaning manufacturers can make their own choices about security. 
As well as being able to eavesdrop on what a victim is typing, the hack could also let an attacker remotely type onto the affected computer. 
A spokesman from Kensington, one of the two vulnerable brands that have issued statements, said: "We are happy to report that, to our knowledge, no security incidents have been reported to us since this product launched.
"We have taken all necessary measures to close any security gaps and ensure the privacy of users." The company released an update to its Kensington Pro Fit Wireless Desktop Set K72324 that introduced encryption to the keyboard. 
The other brand to respond, General Electric, said it was aware of the issue and "will work directly with its customers of this product to address any issues or concerns". 
[Image: The $12 "crazy radio" dongle that Bastille used to test keyboards in previous research. Credit: Bastille]
The researchers at Bastille previously found that hackers could remotely control more than a billion keyboards using a $12 USB radio antenna. The hack affected keyboards from big name brands including Logitech, Dell, Microsoft, HP, Amazon and Lenovo, according to Bastille.
Separate research revealed a similar attack using a radio amplifier could unlock dozens of car models, including Ford's Galaxy, Audi's A3, Toyota's Rav4, Volkswagen's Golf GTD and Nissan's Leaf.
In France, three quarters of cars stolen in the first four months of 2015 were done so using this kind of interception, according to Traquer, the French leader in detecting and recovering stolen vehicles.
How can I protect myself?
Unfortunately there is no simple fix for the security hole. If you own one of the affected keyboards you should contact the manufacturer, who is responsible for building defences for such attacks and providing updates to their products' software. 
David Emm, principal security researcher at Kaspersky Lab, said: "It's vital that manufacturers of such devices consider security at the design stage.
"If you are considering buying a wireless keyboard (or other wireless device), check that it includes security features that will safeguard any data you send or receive; and if you’re unsure, buy a wired device instead."
Is my keyboard affected?
The full list of affected devices among those the researchers tested is: 
· EagleTec K104

The company said: "This should not be considered an exhaustive list of all vulnerable keyboards. There may be other brands and models that are vulnerable to this, or other attacks." 
===========================================

Another Special Announcement - Tune in to my radio interview,  on Rider University's station, www.1077thebronc.com I discuss my recent book, above on "Your Career Is Calling", hosted by Wanda Ellett.   

In addition to this blog, Netiquette IQ has a website with great assets which are being added to on a regular basis. I have authored the premiere book on Netiquette, “Netiquette IQ - A Comprehensive Guide to Improve, Enhance and Add Power to Your Email". My new book, “You’re Hired! Super Charge Your Email Skills in 60 Minutes. . . And Get That Job!” has just been published and will be followed by a trilogy of books on Netiquette for young people. You can view my profile, reviews of the book and content excerpts at:

 www.amazon.com/author/paulbabicki

In addition to this blog, I maintain a radio show on BlogtalkRadio and an online newsletter via paper.li. I have established Netiquette discussion groups with Linkedin and Yahoo. I am also a member of the International Business Etiquette and Protocol Group and Minding Manners among others. I regularly consult for the Gerson Lehrman Group, a worldwide network of subject matter experts, and I have been contributing to the blogs Everything Email and emailmonday. My work has appeared in numerous publications and I have presented to groups such as The Breakfast Club of NJ and PSG of Mercer County, NJ.


I am the president of Tabula Rosa Systems, a “best of breed” reseller of products for communications, email, network management software, security products and professional services.  Also, I am the president of Netiquette IQ. We are currently developing an email IQ rating system, Netiquette IQ, which promotes the fundamentals outlined in my book.

Over the past twenty-five years, I have enjoyed a dynamic and successful career and have attained an extensive background in IT and electronic communications by selling and marketing within the information technology marketplace. Anyone who would like to review the book and have it posted on my blog or website, please contact me at paul@netiquetteiq.com.
=============================================================

Friday, August 19, 2016

Tabula Rosa Systems Blog Of 8/19/2016 - The Murkiest Denizens Of The Dark Net

www.thetelegraph.com
The murkiest denizens of the dark net - and how to escape their grasp
2 AUGUST 2016 • 3:23PM

[Image: ... in drugs and stolen data on the Dark Net is growing]
Earlier this week it was revealed that the 18-year-old man who murdered nine and injured 35 in Munich did so with a Glock 9mm handgun which he bought from a dark net market. The dark net, technically called ‘Tor Hidden Services’, is a network of hidden sites which are difficult to censor and accessed with an anonymous web browser. Its uses are many and varied. Whistleblowers and political activists rely on its privacy enhancing features, but so do (probably more) criminals: the most popular and common use of the dark net is its two dozen or so anonymous markets, which look and feel like Amazon, and where more or less anything can be bought and sold, including a Glock 9mm.
For all the understandable worry about the weapons trade (Angela Merkel herself has promised a crackdown on the dark net), there are not that many known cases of firearms being traded there: this may have been the first time a murder weapon was acquired this way. True, there are plenty for sale, but it’s difficult for a journalist to know if it’s legitimate or a scam designed to make off with some gullible buyer’s bitcoin. (I was once asked by a foreign television show to buy an AK-47 live on air, which I politely declined).
[Image: A Glock 9mm for sale on a Dark Net market - is it a scam or a genuine offer? Credit: AlphaBay]
By contrast, drugs sales on the dark net markets are large and growing – according to the annual Global Drug Survey in June, 10 per cent of drug takers have got drugs from there – because they are easy to mail in the post, possession won’t always land you in jail, and there are hundreds of vendors selling all sorts of exotic drugs, which makes for a very competitive, consumer-centric market place.
Guns are more difficult to mail, more expensive, and illegal possession a more serious crime. It’s a far smaller trade, which means the competition and choice which characterises the drugs market doesn’t exist. That in turn makes scams (or law enforcement sting operations) more likely. The dark net sale of weapons will likely continue to grow, but remain small – at least relative to the offline trade.
The same cannot be said of the escalating online trade in stolen data. The BBC's Victoria Derbyshire show revealed last week that O2 customer data was being sold on a dark net market. An ethical hacker - someone who hacks into systems and then suggests how to fix the weakness - from the company Insinia Security spotted a vendor claiming to have access to thousands of users' O2 accounts. Yours for just $4.50 per user (which is pretty expensive in fact - but the vendor was offering a "buy 5 and get 2 free" deal).
[Image: 7 hacked O2 accounts for the price of 5]
It wasn’t actually O2’s fault. It looks like those user names and passwords were stolen from the gaming website XSplit three years ago. Because we’re all pretty lazy, hackers tried them on different websites, including O2. When they matched, hackers then accessed that user’s O2 account and pulled out dates of birth, phone numbers and so on. This game of snap is known as ‘credential stuffing’.
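The credential-stuffing pattern described above has a recognisable shape in a site's own login logs: one source trying many different usernames in a short time, mostly failing, with a handful of successes where the reused password still matched. The following is an added example (not from the Telegraph article, Insinia Security, O2 or XSplit) that scores login events per source address to surface that pattern and list the accounts that need a forced password reset. The log format, the IP addresses, the usernames and the thresholds are all constructed assumptions for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <source IP> <username> <result>".
# 203.0.113.7 walks a leaked credential list (many different usernames, two
# of which still work); 198.51.100.9 is one user mistyping their own password.
SAMPLE_LOG = """\
2016-07-25T10:00:01 203.0.113.7 alice FAIL
2016-07-25T10:00:02 203.0.113.7 bob FAIL
2016-07-25T10:00:02 203.0.113.7 carol OK
2016-07-25T10:00:03 203.0.113.7 dave FAIL
2016-07-25T10:00:03 203.0.113.7 erin FAIL
2016-07-25T10:00:04 203.0.113.7 frank FAIL
2016-07-25T10:00:05 203.0.113.7 grace OK
2016-07-25T10:00:05 203.0.113.7 heidi FAIL
2016-07-25T10:00:06 203.0.113.7 ivan FAIL
2016-07-25T10:00:07 203.0.113.7 judy FAIL
2016-07-25T10:05:00 198.51.100.9 alice FAIL
2016-07-25T10:05:20 198.51.100.9 alice FAIL
2016-07-25T10:05:40 198.51.100.9 alice OK
"""


def parse_line(line):
    """Split one log line into (timestamp, ip, username, succeeded)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "OK"


def detect_credential_stuffing(log_text, window=timedelta(minutes=5),
                               min_distinct_users=8, max_success_ratio=0.5):
    """Flag source IPs that, inside one sliding time window, tried at least
    min_distinct_users different usernames with mostly failures.  A single
    username tried many times is a brute-force guess, not stuffing, and is
    deliberately not flagged here.  The thresholds are assumptions."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, ok = parse_line(line)
            by_ip[ip].append((ts, user, ok))

    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        best = None
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until the span fits in `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            users = {user for _, user, _ in span}
            successes = [user for _, user, ok in span if ok]
            if (len(users) >= min_distinct_users
                    and len(successes) / len(span) <= max_success_ratio
                    and (best is None or len(users) > best["distinct_users"])):
                best = {
                    "attempts": len(span),
                    "distinct_users": len(users),
                    # Successful logins inside a stuffing run are the accounts
                    # whose reused password matched: these need a forced reset.
                    "compromised_users": sorted(set(successes)),
                }
        if best is not None:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, summary in detect_credential_stuffing(SAMPLE_LOG).items():
        print(ip, summary)
```

On the constructed log the detector flags 203.0.113.7 (ten usernames in six seconds, two of them accepted) and ignores 198.51.100.9, which only retried one account. The "compromised_users" list is the actionable output: those are the customers whose password was reused from an older breach and should be reset and moved to two-step authentication, which is the same advice the hacked account holder quoted below arrives at.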
You have been warned - the trade in stolen data is going to get worse before it gets better. It’s a highly professional industry. In the last few months alone the following have been reported:
That TalkTalk hack from a while back? Also being sold on a dark net market for £1.62 per record.
All of us leave personal data scattered all over the web, and in the right hands it’s worth something. (There’s a handy site to check if you’ve been hacked without knowing, www.haveibeenpwned.com). Take that stolen O2 data. A less ethical hacker could try to “credential stuff” from Amazon, or Gumtree, lock a user out of their account, and start making deliveries to a new address. One victim of the XSplit hack found cars for sale on his eBay account. More sophisticated uses include identity theft, and credit card fraud.
"I was away from home when eBay contacted me to say there was some suspicious activity... I checked and it looked like there were cars for sale on my account. I am considering using a password manager and two-step authentication, although nothing is foolproof." - Hasnain Shaw, hacked O2 account holder
This stuff is sold in staggering volumes; and there are secondary and tertiary markets where stolen data is repackaged and resold like dodgy mortgage bonds. It doesn’t even need to be put in a parcel. The O2 data, for example, is just delivered via email.
As I’ve argued elsewhere, these dark markets are efficient, creative, and professionally run. When they’re shut down, as sometimes happens, they tend to pop up again, even more secure.
New services and scams show up all the time, and will continue to. One of the fastest growing trades on dark net sites – insiders reckon it’s worth millions of dollars a year – is ransomware. A user’s computer is infected with malware which encrypts the entire hard drive.
[Image: Ransomware - a new invasive service on offer from the Dark Web]
That user is then asked to pay a ransom fee to get it unlocked again. This is for sale as a service on the dark net for just $39. You send it out into the wild, see what you catch, and then extort money. It’s awful stuff, but a very creative way to make money.
A decade ago, you needed some technical know-how to make money from being a criminal computer hacker. The barriers to entry are lowering. You can just hire someone to do it for you, or download software, or buy stolen data and start credential stuffing.
"The bad guys, through the use of the Internet, have shrunk the world." - FBI director James Comey
Estimates of the cost of cybercrime to UK firms and individuals vary wildly, although it’s certainly billions of pounds a year. Most of that’s not on the dark net of course, but I reckon a growing proportion of it is. Ironically, the answer might be there too. You know what dark net data vendors definitely do not do? Re-use the same password for every account and click links they don’t trust.
What’s more, last week another dark net service was launched, using the privacy and security this network offers to host your “smart home” services – your fridge, toaster, heater – which are increasingly becoming internet enabled and spewing out more data about you. The point? To stop hackers being able to access your personal data.

