Tag Archives: Security

Breach Brief: White House computer network hacked

The Obama Administration has revealed that hackers recently breached an unclassified computer network used by the President’s senior staff.

What happened? First reported by the New York Times, officials said the cyberattack “did not appear to be aimed at destruction of either data or hardware, or to take over other systems at the White House. That strongly suggests that the hackers’ intention was either to probe and map the unclassified White House system, find entry points where they connect to other system or conduct fairly standard espionage.”

What information was breached? According to the Washington Post, “The breach was discovered two to three weeks ago… Some staffers were asked to change their passwords. Intranet or VPN access was shut off for awhile, but the email system, apart from some minor delays, was never down.”

Who’s behind it? Sources say the attack was consistent with that of a state-sponsored effort. The Post notes that a number of security firms have identified cyber-espionage campaigns by Russian hackers thought to be working for the government. Targets have included NATO, the Ukrainian government and U.S. defense contractors.

What they’re saying: “In the course of assessing recent threats, we identified activity of concern on the unclassified Executive Office of the President network. We took immediate measures to evaluate and mitigate the activity… Unfortunately, some of that resulted in the disruption of regular services to users. But people were on it and are dealing with it… Our computers and systems have not been damaged, though some elements of the unclassified network have been affected. The temporary outages and loss of connectivity for our users is solely the result of measures we have taken to defend our networks.”

With the number of breaches on the rise and security at our core, learn how Atmel has you covered.

Got AES? Got security?

Currently in wide use, AES is a great algorithm that has been implemented in a number of hardware and software systems. It has been carefully studied by legions of cryptanalysts, so it’s often assumed that a system which includes AES is secure. But that assumption isn’t always true – in this post, let’s explore three situations that could cause problems.

Like all cryptographic systems and algorithms, AES depends on a key. If an attacker can get the key, he or she can impersonate the authentic party, decrypt all the network messages and generally eliminate every aspect of the system security. However, few systems have a place to store keys that is truly isolated from attack. With connected systems increasingly common, software bugs like Heartbleed can expose keys that you thought you had carefully protected. If you’re not familiar with Heartbleed, see this great panel from XKCD which does a nice job of explaining it.

Like all cryptographic algorithms, there are many variations to the way in which AES can be used. Lots of systems have been cracked because an improper mode, protocol or procedure was used. The illustration below shows a mode of AES which is the right answer in some cases — but definitely not this one!

The last point is a bit trickier. When encrypting something with AES, most modes require an Initialization Vector (IV). The IV should never be repeated, and in some modes it must be random. There are two problems with a repeated IV: (1) if the attacker could discover the plain text of the first message, he could determine the contents of the second; and (2) if the same message is sent with the same IV, the ciphertext will be the same both times, which could be vital information all by itself.
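The two repeated-IV problems above, shown for a counter (CTR) style mode, where problem (1) appears in its most direct form. This is an added example, not part of the original post: SHA-256 in counter mode stands in for AES because the Python standard library has no AES, and the key, messages and function names are constructed for illustration.

```python
# Added example, not from the original post. SHA-256 in counter mode stands in
# for AES-CTR (assumption: the standard library has no AES); the effect of a
# repeated IV shown here comes from the mode, not from the block cipher.
import hashlib
import secrets


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """CTR-style keystream: one 32-byte block per counter value."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + iv + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Stream-mode encryption; decryption is the same operation."""
    return xor(plaintext, keystream(key, iv, len(plaintext)))


def recover_second(c1: bytes, p1: bytes, c2: bytes) -> bytes:
    """Problem (1): c1 XOR p1 is the keystream, and a repeated IV means the
    same keystream also covers c2. No key is needed."""
    return xor(c2, xor(c1, p1))


def demo() -> dict:
    key = secrets.token_bytes(32)
    p1 = b"UNLOCK DOOR 0001"   # constructed sample messages, 16 bytes each
    p2 = b"SET PIN TO 4821."

    # Weak: every message is encrypted under the same all-zero IV.
    fixed_iv = bytes(16)
    c1 = encrypt(key, fixed_iv, p1)
    c2 = encrypt(key, fixed_iv, p2)
    leaked = recover_second(c1, p1, c2)
    repeat_visible = encrypt(key, fixed_iv, p1) == c1   # problem (2)

    # Corrected: a fresh IV from the OS CSPRNG for every message.
    d1 = encrypt(key, secrets.token_bytes(16), p1)
    d2 = encrypt(key, secrets.token_bytes(16), p2)
    d1_again = encrypt(key, secrets.token_bytes(16), p1)
    return {
        "leaked_with_fixed_iv": leaked,
        "repeat_visible_with_fixed_iv": repeat_visible,
        "leaked_with_fresh_iv": recover_second(d1, p1, d2),
        "repeat_visible_with_fresh_iv": d1_again == d1,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```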

Problem is that it’s hard to generate a random number. One famous random number generator used the hash of an image of lava lamps – for some years an online site (lavarand) was supported by Silicon Graphics to provide online numbers.

Assuming you don’t have lava lamps and a camera in your system, you might be tempted to use ‘random’ keystrokes, noise on a signal wire, the current time to the ms, or some similar thing. Problem is, while the resulting numbers appear to be random there are often a limited number of choices. Given how fast modern computers execute, an attacker can try literally millions of possibilities in a few seconds and guess your random number!
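To put a number on "a limited number of choices", the added example below (not from the original post) derives an IV from a clock-seeded generator, counts the candidate seeds within a few seconds of a known time, and sets that beside an IV from the operating system's random source. The timestamps and function names are constructed for illustration.

```python
# Added example, not from the original post. All timestamps are constructed.
import math
import random
import secrets


def weak_iv(timestamp_ms: int) -> bytes:
    """The tempting shortcut: seed a general-purpose PRNG with the clock."""
    rng = random.Random(timestamp_ms)
    return bytes(rng.getrandbits(8) for _ in range(16))


def strong_iv() -> bytes:
    """16 bytes from the operating system's CSPRNG."""
    return secrets.token_bytes(16)


def search_space(window_seconds: int) -> int:
    """Millisecond seeds within +/- window_seconds of a roughly known time."""
    return 2 * window_seconds * 1000 + 1


def entropy_bits(window_seconds: int) -> float:
    """Upper bound on the unpredictability of a clock-seeded IV, in bits."""
    return math.log2(search_space(window_seconds))


def find_seed(observed_iv: bytes, approx_ms: int, window_seconds: int):
    """Audit helper: walk every candidate seed in the window.
    Returns (seed, tries) on a match, or (None, tries) if none matches."""
    half = window_seconds * 1000
    tries = 0
    for ts in range(approx_ms - half, approx_ms + half + 1):
        tries += 1
        if weak_iv(ts) == observed_iv:
            return ts, tries
    return None, tries


def demo() -> dict:
    approx = 1414800000000        # constructed: roughly when the message was sent
    actual = approx + 1234        # constructed: the exact ms used as the seed
    seed, tries = find_seed(weak_iv(actual), approx, 5)
    none_found, all_tries = find_seed(strong_iv(), approx, 5)
    return {
        "candidates": search_space(5),
        "bits_clock_seeded": round(entropy_bits(5), 1),
        "bits_os_csprng": 128,
        "seed_found": seed == actual,
        "tries_needed": tries,
        "csprng_iv_matched_a_seed": none_found is not None,
        "csprng_tries": all_tries,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

A 16-byte value looks equally random in both cases; the difference is that the clock-seeded one has about 13 bits of unpredictability in this window instead of 128.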

Many designers rely on dedicated hardware cryptographic devices to help resolve this issue. Generally speaking, they offer solutions to the three points mentioned above:

  • Strong protection for cryptographic keys that is not subject to bugs, malware or other aggressive attacks;
  • Proper use of modes and protocols for the operations performed within the devices; and,
  • High quality random number generators that rely on random physical phenomena and which are rigorously tested

Guess what? Atmel’s CryptoAuthentication devices offer all three in a low-cost small package. Start designing security in your next product with a free CryptoAuthentication tool.

Report: Cyber breaches put 18.5 million Californians’ data at risk

The recent string of major data breaches — including the likes of Target, Home Depot, P.F. Chang’s and Neiman Marcus — has spurred a 600% increase in the number of California residents’ records compromised by cyber criminals over the last year, the latest California Data Breach Report revealed.

According to the study, a total of 167 breaches were reported in 2013 – where 18.5 million personal records were compromised – an increase of 28% from 2012 where just 2.5 million records were stolen. To put things in perspective, that’s nearly half of the state’s population (38 million).

These figures experienced a large uptick following recent incidents involving Target and LivingSocial, which together accounted for 7.5 million of the breached records. Out of the incidents reported in 2013, over half (53%) of them are attributed to malware and hacking.

“Malware and hacking breaches made up 93% of all compromised records (over 17 million records). The LivingSocial and Target breaches accounted for the bulk of those records. In April, the online marketplace LivingSocial reported a cyber attack on their systems that compromised the names, email addresses, some birth dates and passwords of over 50 million customers, including 7.5 million Californians. In December, Target reported a hacking and malware insertion into its network that resulted in the theft of the names and payment card data of 41 million customers, including 7.5 million Californians,” the report noted.

Even by factoring out both Target and LivingSocial, the amount of Californian records illegally accessed last year rose 35% to 3.5 million.

“Data breaches pose a serious threat to the privacy, finances and personal security of California consumers. The fight against these kind of cyber crimes requires the use of innovative strategies by government and the private sector to protect our state’s consumers and businesses,” California Attorney General Kamala Harris said in a statement.

While California residents aren’t any more susceptible to data hijacking than others, the state law requires businesses and agencies to notify customers of any breach involving more than 500 accounts. This law led to the creation of the California Data Breach Report.

The last 12 months weren’t a fluke either. In fact, “These data breaches are going to continue and will probably get worse with the short term,” emphasized Jim Penrose, former chief of the Operational Discovery Center at the National Security Agency.

Aside from payment cards, for which the Attorney General urged companies to adopt stronger encryption and safeguard technologies, one of the most vulnerable sectors is the healthcare industry. Not only are a number of medical devices coming under siege by hackers, stolen health records are also plaguing the industry. Moreover, cyber thieves accessing unprivileged information can even be more harmful than other stolen data as it can be used for identity theft and fraud over a longer duration.

In 2012-2013, the majority of breaches in the healthcare sector (70%) were caused by lost or stolen hardware or portable media containing unencrypted data, in contrast to just 19% of such breaches in other sectors.

“By now, the problem should be obvious to anyone who is paying attention — data of any kind is vulnerable to attack by a wide variety of antagonists from hacker groups and cyber-criminals to electronic armies, techno-vandals and other unscrupulous organizations and people. The reason is simple. Yes, you guessed it: It is because data = money. To make it worse, because of the web of interconnections between people, companies, things, institutions and everything else, everyone and everything digital is exposed,” explained Bill Boldt, Atmel’s resident security expert.

To safeguard information and devices, authentication is increasingly becoming paramount. Thinking about forgoing security in a design simply because that device isn’t connected to a network or doesn’t possess a wireless interface? As the latest incidents highlight, think again. The days of truly isolated systems are long gone and every design requires security. As a result, the first step in implementing a secure system is to store the system secret keys in a place where malware and bugs can’t get to them – a hardware security device like CryptoAuthentication. If a secret key is not secret, then there is no such thing as security.

Want to read more? Download the entire report here.

Infographic: 2014’s top data breaches (so far)

Dating back to last December, a string of major data breaches have affected nearly every sector, including a number of today’s most notable brands. This infographic from DataBreachToday highlights some of the most significant breaches, based on what each publicly disclosed around the incident.

As is evident from the surge in cyber crime, the world has become a serious hackathon with real consequences; and, unfortunately, it is likely that it’ll only get worse with the rise of mobile communications, cloud computing, and the growth of autonomous computing devices and the Internet of Things.

So, what can be done about these growing threats against secure data? Here’s how to ensure trust in our constantly-connected world.

And, it appears that the general public is now cognizant of these threats, casting its doubts on the security of their data. With the growing number of breaches and vulnerabilities, a recent Gallup poll has revealed that Americans are more likely to worry about hackers accessing and stealing their personal information than any other crime, including burglary and murder. Specifically, 69% of these respondents claimed they frequently or occasionally fret over the notion of having their credit card information stolen by cyber criminals. These worries are justified, too. Over 25% of all Americans have experienced some form of card information theft, making it the most frequently cited crime on the infographic from Forbes below.

Secure your hardware, software and IoT devices

As is evident from a recent infographic published by Forbes, people are finally cognizant of the urgent need for security. It’s clearer than ever that hacking has become a real problem over the web and into electronic devices. With the emergence of the Internet of Things (IoT), we consistently find ourselves connecting these gadgets and gizmos to the web. As a result, security becomes a key issue throughout the entire chain.

Analog Aficionado Paul Rako recently had the chance to catch up with Bill Boldt, Atmel’s resident security expert, to explore the latest threats and trends in security as well as how Atmel can help secure products across the spectrum. Not in the reading mood? There’s a pretty sweet playlist of all the footage from the 1:1 interview here.

In the first segment of the interview, Boldt discusses how an engineer or designer can use Atmel’s CryptoAuthentication chips to ensure that the accessories to a particular product are genuine. Here, the security expert talks about using symmetrical authentication to certify that only a drill manufacturer’s batteries will work on its own drill.

If you recall, Boldt provided an in-depth exploration into this same demo, which can be found here. Though securing hardware is great, if you wanted, you could make this symmetrical authentication protect any kind of plug-in or device, even if it is not electronic. In fact, this safeguard is used on things ranging from ink cartridges to e-cigarettes; moreover, medical device manufacturers love this technology since it protects them from liability from knockoff products.

This can help secure products with add-ons or attachments, but an even greater value for hardware security comes when you use these chips to make sure that your device has not had its code or operating system hijacked. Since the interface between the microcontroller and the crypto chip is only sending a random number from the micro, and the one-time result from the crypto chip in response, snooping on the SPI port will not help you crack the code. Now, your microcontroller firmware can query the chip and ensure that it indeed gets the proper result — if someone attacks the firmware and puts their own code, it won’t execute since it cannot get past the protected part of the chip code that has to get a valid response from the crypto chip.

You can extend this to secure downloads as well. As long as your code requires the downloaded segment to query and respond to the tiny crypto chip, only your code will work since only you know the secret key programmed into the chip.
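The random-number-and-one-time-response exchange described above, sketched as an added example that is not part of the original post or Atmel's code. HMAC-SHA256 is an assumed stand-in for the chip's keyed operation, and the class names and key are constructed for illustration; the last case shows why the challenge must be fresh every time.

```python
# Added example, not from the original post or from Atmel. HMAC-SHA256 is an
# assumption standing in for the chip's keyed response; all names are made up.
import hashlib
import hmac
import secrets


class CryptoChip:
    """Accessory side (the battery): holds the key, only ever emits responses."""

    def __init__(self, secret_key: bytes):
        self._key = secret_key

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class Host:
    """Microcontroller side (the drill): issues a random challenge and checks
    the response against the same shared secret."""

    def __init__(self, secret_key: bytes):
        self._key = secret_key

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(32)   # fresh and unpredictable per attempt

    def verify(self, challenge: bytes, response: bytes) -> bool:
        expected = hmac.new(self._key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)  # constant-time compare


class FixedChallengeHost(Host):
    """Flawed variant: reuses one challenge, so one recorded response is
    enough to pass every later check."""

    def new_challenge(self) -> bytes:
        return bytes(32)


class ReplayClone:
    """Keyless clone that can only repeat a response recorded off the bus."""

    def __init__(self, recorded_response: bytes):
        self._recorded = recorded_response

    def respond(self, challenge: bytes) -> bytes:
        return self._recorded


def authenticate(host, accessory) -> bool:
    challenge = host.new_challenge()
    return host.verify(challenge, accessory.respond(challenge))


def demo() -> dict:
    key = secrets.token_bytes(32)        # constructed shared secret
    drill, battery = Host(key), CryptoChip(key)
    # What a bus snooper records during one genuine exchange:
    seen_response = battery.respond(drill.new_challenge())
    lazy_drill = FixedChallengeHost(key)
    lazy_seen = battery.respond(lazy_drill.new_challenge())
    return {
        "genuine_battery": authenticate(drill, battery),
        "wrong_key": authenticate(drill, CryptoChip(secrets.token_bytes(32))),
        "replay_vs_random_challenge": authenticate(drill, ReplayClone(seen_response)),
        "replay_vs_fixed_challenge": authenticate(lazy_drill, ReplayClone(lazy_seen)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```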

“As a hardware engineer, I am just as fascinated by the cool packages we use as well as all the math and firmware algorithms,” says Rako.

In the subsequent video of the interview, Boldt describes the packaging for the crypto chips, in addition to a unique three-pad package manufactured by Atmel that does not need to be mounted on a circuit board at all.

During the segment, Boldt also delves deeper into some security scenarios for the IoT, including some great analogies. Furthermore, the security guru reminds viewers that these Atmel CryptoAuthentication chips will work with any company’s microcontroller, not just Atmel’s.

One thing you hear bandied about in security is the difference between symmetric and asymmetric. The aforementioned drill demo was symmetric, since both the drill and the battery had the secret key programmed into the MCU and the crypto chip, respectively. Here, Boldt expands on the topic and how Atmel does all the hard math so you don’t have to worry about it.

Concluding his interview with Rako, Boldt addresses the fact that you can use the crypto chip not only in a drill, but in the charger as well to guarantee that only your OEM charger will charge your OEM batteries. The resident security expert wraps up by noting that people can counterfeit those holograms on a product’s box, but they can’t hack hardware security chips.

Interested in learning more? Explore hardware-based security solutions for every system design here. Look to secure the full stack? You can receive a FREE Atmel CryptoAuthentication™ development tool. For more in-depth analysis from Bill Boldt, you can browse through his archive on Bits & Pieces.

U.S. agencies investigate medical devices for cyber flaws

According to a recent report from Reuters, the U.S. Department of Homeland Security is currently investigating nearly two dozen cases of suspected cybersecurity vulnerabilities in medical devices and hospital equipment that officials fear could be exploited by hackers.

(Source: Getty Images)

The vulnerable products include implantable heart devices and drug infusion pumps, thus leaving members of the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) concerned these flaws could be used to induce heart attacks and drug overdoses, among other things.

Without naming companies, the ICS-CERT team announced last year that a vast assortment of these medical devices contain backdoors making them quite susceptible to potential life-threatening hacks. These hard-coded password flaws affected roughly 300 medical devices — ranging from ventilators and patient monitors to surgical and anesthesia devices — across approximately 40 vendors.

(Source: Shutterstock)

“The senior DHS official said the agency is working with manufacturers to identify and repair software coding bugs and other vulnerabilities that hackers can potentially use to expose confidential data or attack hospital equipment,” Reuters stated.

While there are still no known deaths as a result of such malicious behavior, officials claim that it certainly isn’t “out of the realm of possibilities,” comparing similar incidents to those seen on TV like the show Homeland. In this Showtime Network spy drama, a fictional U.S. vice president is killed via cyber attack on his pacemaker. Coincidentally enough, former Vice President Dick Cheney has revealed that he once feared a similar attack and, to prevent such a thing from happening, disabled the wireless connectivity of his pacemaker.

Reuters points out that security officers are increasing their vigilance around cyber threats and that medical facilities throughout the country have beefed up their networks to protect from intruders. Furthermore, the report notes that security vulnerabilities in medical devices are exposed so manufacturers can fix them, and that there was no need for patients to panic. Nevertheless, as one can imagine, this still leaves many uneasy.

As scenarios such as these continue to emerge, it is becoming increasingly clear that embedded system insecurity affects everyone and every company, not just those in the healthcare world. Products can be cloned, software copied, systems tampered with and spied on, and many other things that can lead to revenue loss, increased liability, and diminished brand equity… or in this case, injury or death. Worry no more! Thanks to ultra-secure defense mechanisms and security at its core, Atmel devices can protect firmware, software, and hardware products from future threats. Register for a chance to receive a free CryptoAuthentication tool kit here!

Breach Brief: Staples says probing possible data breach

Staples is investigating a possible breach of payment card data, making it the latest U.S. retailer to become a victim of a cyberattack.

What happened? Security blogger Brian Krebs reported that multiple banks have identified a pattern of credit and debit card fraud suggesting that several of the office chain’s locations in the northeast are currently dealing with a data breach. Experts believe the cyber criminals are using a form of the same malicious software, Backoff, used in the Target, Home Depot and Dairy Queen attacks, among a number of others.

What information was breached? According to more than a half-dozen banks, it appears likely that thieves have succeeded in stealing customer card data from seven Staples stores in Pennsylvania, at least three in New York City, and another in New Jersey.

What they’re saying: Staples has issued a statement saying that they are “in the process of investigating a potential issue involving credit card data and have contacted law enforcement… We take the protection of customer information very seriously, and are working to resolve the situation. If Staples discovers an issue, it is important to note that customers are not responsible for any fraudulent activity on their credit cards that is reported on [in] a timely basis.” 

With the number of breaches on the rise and security at our core, learn how Atmel has you covered.

This $150 3D-printed device can crack a safe

While we like to believe that safes are, in fact, safe, the Australian duo of Luke Jahnke and Jay Davis have developed an inexpensive gadget to demonstrate the mechanism’s security vulnerabilities.

The pair of security professionals recently revealed a $150 safe-cracker devised from a custom [Atmel based] Arduino, 3D-printed components, and salvaged electronics including a step motor (previously used in stage lighting) for rotation control. According to The Register, the device can be affixed on top of a combination lock and then used to stage brute force attacks against two combination locks used in high-security environments like ATMs. This technique involves autodialing as many different combinations as possible until the lock is breached.

The current prototype, which was recently on display at the Ruxcon Security Conference in Melbourne, can crack any group lock combination in less than four days using automatic brute force attacks that run through all possible combinations. However, if the pre-loaded combos are loaded onto an SD card that is then inserted into the Arduino board, the researchers claim that it can finish the job in just minutes.

“A lot of these locks have about 10 default combinations which never ever get changed and they would be the ones you would want to try out first,” Davis explained.

Watch the prototype in action in this video report.

Shouldn’t security be a standard?

Security matters now more than ever, so why isn’t security a standard feature in all digital systems? Luckily, there is a standard for security and it is literally standards-based. It is called TPM. TPM, which stands for Trusted Platform Module, can be thought of as a microcontroller that can take a punch, and come back for more.

“You guys give up, or are you thirsty for more?”

The TPM is a small integrated circuit with an on-board microcontroller, secure hardware-based private key generation and storage, and other cryptographic functions (e.g. digital signatures, key exchange, etc.), and is a superb way to secure email, secure web access, and protect local data. It is becoming very clear just how damaging loss of personal data can be. Just ask Target stores, Home Depot, Brazilian banks, Healthcare.gov, JP Morgan, and the estimated billions of victims of the Russian “CyberVor” gang of hackers. (What the hack! You can also follow along with the latest breaches here.) The world has become a serious hackathon with real consequences; and, unfortunately, it will just get worse with the increase of mobile communications, cloud computing, and the growth of autonomous computing devices and the Internet of Things.

What can be done about growing threats against secure data?

The TPM is a perfect fit for overall security. So, just how does the TPM increase security? There are four main capabilities:

  1. Furnish platform integrity
  2. Perform authentication (asymmetric)
  3. Implement secure communication
  4. Ensure IP protection

These capabilities have been designed into TPM devices according to the guidance of an industry consortium called the Trusted Computing Group (TCG), whose members include many of the 800-pound gorillas of the computing, networking, software, semiconductor, security, automotive, and consumer industries. These companies include Intel, Dell, Microsoft, among many others. The heft of these entities is one of the vectors that is driving the strength of TPM’s protections, creation of TPM devices, and ultimately accelerating TPM’s adoption. The TPM provides security in hardware, which beats software based security every time. And that matters, a lot.

TPM Functions

Atmel TPM devices come complete with cryptographic algorithms for RSA (with 512, 1024, and 2048 bit keys), SHA-1, HMAC, AES, and Random Number Generator (RNG). We won’t go into the mathematical details here, but note that Atmel’s TPM has been Federal Information Processing Standards (FIPS) 140-2 certified, which attests to its high level of robustness. And, that is a big deal. These algorithms, built right into Atmel TPMs, together with supporting software serve to accomplish multiple security functions in a single device.

Each TPM comes with a unique key called an endorsement key that can also be used as part of a certificate chain to prevent counterfeiting. With over 100 commands, the Atmel TPM can execute a variety of actions such as key generation and authorization checks. It also provides data encryption, storage, signing, and binding just to name a few.

An important way that TPMs protect against physical attacks is by a shielded area that securely stores private keys and data, and is not vulnerable to the types of attacks to which software key storage is subjected.

But the question really is, “What can the TPM do for you?” The TPM is instrumental in systems that implement “Root of Trust” (i.e. data integrity and authentication) schemes.

Root of trust schemes use hashing functions as the BIOS boots to ensure that there have been no unwanted changes to the BIOS code since the previous boot. The hashing can continue up the chain into the OS. If the hash (i.e. digest) does not match the expected result, then the system can limit access, or even shut down to prevent malicious code from executing. This is the method used in Microsoft’s Bitlocker approach on PCs, for example. The TPM can help to easily encrypt an entire hard drive, which can then only be unlocked for decryption by the key that is present on the TPM or by a backup key held in a secure location.
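The hash chain described above, as an added example that is not part of the original post. It uses the TPM 1.2 "extend" rule over SHA-1 (one of the algorithms listed earlier) for a platform register; the boot stage contents, the disk key and the seal()/unseal() helpers are constructed to model the idea and are not a real TPM interface.

```python
# Added example, not from the original post. Boot components and the sealed
# secret are constructed; seal()/unseal() model the idea, not a real TPM API.
import hashlib
import hmac

PCR_SIZE = 20  # SHA-1 digest length, as used by TPM 1.2 registers


def extend(pcr: bytes, component: bytes) -> bytes:
    """TPM 1.2 extend: PCR_new = SHA-1(PCR_old || SHA-1(component)).
    The register can only be extended, never set to a chosen value."""
    measurement = hashlib.sha1(component).digest()
    return hashlib.sha1(pcr + measurement).digest()


def measure_chain(components) -> bytes:
    """Measure each boot stage in order, starting from an all-zero register."""
    pcr = bytes(PCR_SIZE)
    for component in components:
        pcr = extend(pcr, component)
    return pcr


def seal(secret: bytes, expected_pcr: bytes) -> dict:
    """Bind a secret (e.g. a disk key) to the register value of a known-good boot."""
    return {"pcr": expected_pcr, "secret": secret}


def unseal(blob: dict, current_pcr: bytes):
    """Release the secret only if this boot measured to the expected value."""
    if hmac.compare_digest(blob["pcr"], current_pcr):
        return blob["secret"]
    return None


def demo() -> dict:
    good = [b"BIOS v1.0", b"bootloader v2.3", b"kernel v3.17"]        # constructed
    tampered = [b"BIOS v1.0", b"bootloader v2.3 + extra code", b"kernel v3.17"]
    reordered = [good[1], good[0], good[2]]

    expected = measure_chain(good)
    blob = seal(b"constructed-disk-key", expected)
    return {
        "same_boot_matches": measure_chain(good) == expected,
        "tampered_stage_matches": measure_chain(tampered) == expected,
        "reordered_stages_match": measure_chain(reordered) == expected,
        "key_on_good_boot": unseal(blob, measure_chain(good)),
        "key_on_tampered_boot": unseal(blob, measure_chain(tampered)),
        "pcr_hex": expected.hex(),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Because every stage is folded into the running digest, a change in any earlier stage alters the final value no matter what the later stages contain.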

Additionally, the TPM is a great resource in the embedded world where home automation, access points, consumer, medical, and automotive systems are required. As technology continues to grow to a wide spectrum of powerful and varying platforms, the TPM’s role will also increase to provide the necessary security to protect these applications.

Interested in learning more about Atmel TPM? Head here. To read about this topic a bit further, feel free to browse through the Bits & Pieces archive.

This blog was contributed by Ronnie Thomas, Atmel Software Engineer.

Breach Brief: Hundreds of Dropbox accounts leaked after third-party hack

A thread recently surfaced on Reddit that contained links to files containing hundreds of Dropbox usernames and passwords in plain text. At this point, its origins remain unclear. Supposedly, hackers are threatening a major breach in Dropbox security, claiming to have stolen the log-in credentials of nearly 7 million users. If their Bitcoin ransom is paid, the cyber criminals are promising to release more password details.

How many victims? The log-in details for 400 email addresses, each one starting with the letter B, have been labeled as a “first teaser… just to get things going.” In what may appear to be part of a much larger-scale Dropbox hack, the hackers claim to have accessed details from 6,937,081 individual accounts.

What information was breached? It remains uncertain as to how the account details were accessed and of course, whether or not they are actually valid. However, the hackers are believed to be in possession of various user photos, videos and other files.

When did it happen? An entry on Pastebin was posted on October 13 at 4:10pm CDT with a link to the list of emails and matching plain text passwords.

What they’re saying: Dropbox has issued a statement on its blog emphasizing that the passwords were stolen from “unrelated services.”

Recent news articles claiming that Dropbox was hacked aren’t true. Your stuff is safe. The usernames and passwords referenced in these articles were stolen from unrelated services, not Dropbox. Attackers then used these stolen credentials to try to log in to sites across the internet, including Dropbox. We have measures in place to detect suspicious login activity and we automatically reset passwords when it happens.

Attacks like these are one of the reasons why we strongly encourage users not to reuse passwords across services. For an added layer of security, we always recommend enabling two-step certification to your account.

Regardless of its legitimacy, this incident highlights an increasingly common way hackers gain access to identity credentials, such as usernames, passwords and other personal information. With the number of breaches on the rise and security at our core, learn how Atmel has you covered.