ICYMI: Polish airlines, Samsung, VoIP, LinkedIn bounty, Verify limitations
ICYMI: LOT Polish Airlines DDoS attack; Samsung keyboard vulnerability; poor VoIP server security; LinkedIn bug bounty programme; Verify programme has severe privacy/security problems.
LOT Polish Airlines
This week's In Case You Missed It looks at a Polish airline grounded by a DDoS attack, a Samsung keyboard vulnerability that exposes mobile flaws, poor VoIP server security slammed, LinkedIn's 'invitation-only' bug bounty programme paying out £41K, and the Verify programme having "severe privacy and security problems".
Thousands of passengers were grounded in Warsaw, Poland following what was later revealed to be a DDoS attack on the computer networks of LOT Polish Airlines.
The airline posted a message on its Facebook page around 7pm Sunday night saying it had “encountered IT attack that affected our ground operation systems”. The attack prevented it from being able to create flight plans with the result that outbound flights from Warsaw were unable to depart. Ten international and domestic flights were cancelled, with others delayed.
Justin Clarke, director at Gotham Digital Science and chapter leader of London OWASP, told SCMagazineUK.com, “This is a great example of where key infrastructure systems could be attacked and have a far wider effect.”
Gavin Reid, vice president of threat intelligence at Lancope, told SC: “What we are seeing here in this attack is right at the tipping point where cyber-attacks meet physical. This tipping point once crossed will forever change the seriousness of how society views hacking.”
Researchers at NowSecure uncovered a vulnerability in the stock keyboard that is pre-installed on 600 million Samsung devices, including the new Galaxy S6, that can apparently enable a remote arbitrary code execution attack.
Researcher Ryan Welton says the SwiftKey IME keyboard update mechanism can be manipulated by a remote attacker who is able to control the user's network traffic, and who can then execute code as a privileged system user on the target phone.
The keyboard cannot be disabled or uninstalled, and even if not used as the default keyboard the vulnerability can still be exploited. In his blog entry detailing the vulnerability, Welton explains, "The attack vector for this vulnerability requires an attacker capable of modifying upstream traffic." Any attacker would need to perform a man-in-the-middle (MiTM) attack to get at someone's phone, so wide-scale targeting of the “600 million vulnerable Samsung users” that other articles mention does not seem feasible.
Routing voice and multimedia content over the Internet exposes an organisation's telecoms system to the same risks faced by internet servers and web-connected corporate networks. Consequently, Voice over IP attacks are on the rise due to the proliferation of online tools and software which can target these services.
They can be highly profitable, as successful attackers gain access to telephone lines from which they can make calls to foreign countries and premium rate phone services. Long-distance services can be sold on to phone shops while attackers can make up to £1 a minute by calling premium rate numbers which they control.
Security consultancy Nettitude has released a report, based on its experience monitoring servers for its clients, which found that attacks on VoIP services, carried out by targeting Session Initiation Protocol (SIP) servers, represented 67 percent of all attacks it recorded against UK-based servers; 80 percent of those attacks took place out of office hours.
SQL servers – which represented the second-most attacked category – accounted for only four percent of attacks.
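As an added illustration, not part of the original article or of Nettitude's report, the following Python triage script runs over constructed log lines, splits failed-login events by targeted service and by office hours, and lists sources hammering a SIP server with failed registrations. The log format, the 09:00-17:59 Monday-to-Friday office-hours window and the alert threshold are assumptions.

```python
"""Triage constructed server-attack log lines by targeted service and time of day."""
from collections import Counter
from datetime import datetime

# Constructed sample lines (not real data): timestamp, service, source IP, event.
LOG_LINES = [
    "2015-06-21T02:14:07 sip 198.51.100.7 REGISTER auth-failed user=1001",
    "2015-06-21T02:14:08 sip 198.51.100.7 REGISTER auth-failed user=1002",
    "2015-06-21T02:14:09 sip 198.51.100.7 REGISTER auth-failed user=1003",
    "2015-06-21T10:30:11 sip 203.0.113.9 INVITE auth-failed user=admin",
    "2015-06-22T23:05:42 mssql 203.0.113.22 login-failed user=sa",
    "2015-06-22T11:00:00 sip 198.51.100.7 REGISTER auth-failed user=1004",
]

OFFICE_HOURS = range(9, 18)  # assumption: 09:00-17:59 local time, Monday to Friday


def parse(line):
    """Split one log line into its timestamp, service, source and event fields."""
    ts, service, src, rest = line.split(" ", 3)
    return {"ts": datetime.fromisoformat(ts), "service": service, "src": src, "event": rest}


def out_of_hours(ts):
    """True on weekends or outside the assumed office-hours window."""
    return ts.weekday() >= 5 or ts.hour not in OFFICE_HOURS


def summarise(lines):
    """Share of events per targeted service, and share that fall out of office hours."""
    events = [parse(line) for line in lines]
    by_service = Counter(e["service"] for e in events)
    ooh = sum(out_of_hours(e["ts"]) for e in events)
    return {
        "share_by_service": {s: n / len(events) for s, n in by_service.items()},
        "out_of_hours_share": ooh / len(events),
    }


def noisy_sources(lines, threshold=3):
    """Sources with at least `threshold` failed SIP attempts (registration brute force)."""
    counts = Counter(e["src"] for e in (parse(line) for line in lines)
                     if e["service"] == "sip" and "auth-failed" in e["event"])
    return sorted(src for src, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    print(summarise(LOG_LINES))
    print("brute-force candidates:", noisy_sources(LOG_LINES))
```

Feeding real SIP registrar or firewall logs into `parse` only needs the field order adapted; the out-of-hours split is what makes the overnight pattern in the report visible in your own data.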
LinkedIn's director of information security has confirmed that the company has joined the ranks of other major companies with bug bounty programmes, including Twitter, Dropbox and Facebook – a fact that remained under wraps for months, as the initiative is an “invitation-only” programme.
In a blog post Cory Scott revealed that LinkedIn's private bug bounty programme was formalised in October 2014, and has since resulted in more than £41,000 in bounties for researchers who reported more than 65 'actionable bugs' to the company. Having seen that the “vast majority” of bug reports submitted to the company “were not actionable or meaningful,” LinkedIn decided to create a private bug bounty programme.
The UK government has been forced to deny allegations that its identity assurance service, Gov.uk Verify, is littered with security problems and could be used to spy on citizens.
According to a research paper titled Toward Mending Two Nation-Scale Brokered Identification Systems, the service has "severe privacy and security problems" and a major flaw within its architecture that could be used to undertake mass surveillance.
Notably, the hub can link interactions of the same user across different service providers and has visibility over private identifiable information of citizens. "In case of malicious compromise it is also able to undetectably impersonate users," the report said.
The hub acts as a go-between for government departments, identity providers and citizens. The government hit back saying: “Gov.uk Verify does not allow for mass surveillance. It does not have any other connection with or ability to monitor people or their data.”