From Heart Attack to Hack Attack: Hackers Can Now Control Pacemakers

Medical technology has allowed for vast improvements in the way that conditions are treated. For example, the pacemaker allows some people with heart conditions to live longer and more comfortably. However, a European research team has concluded that even pacemakers are susceptible to being hacked, with deadly results.

The researchers described the dangers of implantable cardioverter defibrillators from a hacking standpoint. Many modern pacemakers have the ability to communicate with other devices. While this capability is designed as a benefit to the patient, allowing the devices to be examined without an invasive surgical procedure, it can have dire consequences if hacked. If the patient is away from the doctor’s office within two hours, the pacemaker can still receive signals from other devices, thus making it vulnerable to a cyber attack.

Hackers can send a signal to the pacemaker that keeps the device from returning to “sleep mode,” which is what makes it vulnerable to exploitation. By analyzing the signals sent to the tested devices, researchers could spot various ways that a hacker would use this exploit. The results varied from draining the battery’s life to stealing personal data that may be stored on it. In other words, the hacker can make the patient’s life rather difficult by either turning off the device, or stealing data and using it to steal their identity. Hackers could even activate the pacemaker’s resuscitation shock without need, jolting the heart and making things difficult for the victim.

There are at least 10 different types of lifesaving devices that are vulnerable to this simple exploit. In fact, the hacker doesn’t necessarily need to know anything about the device itself. These devices are so vulnerable because the manufacturers did not believe that pacemakers were clear targets for cybercriminals. This led them to release the devices without the IT security necessary to prevent these targeted attacks. The lesson learned: “Nobody will consider pacemakers a target” is no excuse to use lackluster security.

Keep in mind that this study was conducted by researchers, rather than hackers. Still, have you ever considered the fact that your organization could be at serious risk? Some SMBs are under the impression that their small size means that they aren’t a target. However, most hacking incidents aren’t targeted events, and are instead massive campaigns meant to infect anything and anyone who happens to click on the wrong link. Furthermore, all businesses have some data that’s worth stealing, like employee records and financial credentials, and it needs to be protected properly.

If you want to maximize your company’s security, give NuTech Services a call at 810.230.9455.

This Hacker Messed With the Wrong Transportation Agency

While San Francisco residents might not be happy that they’ll again have to pay fares to ride the city’s rail system, the reason they again have to do so is understandable. Plus, it provides an excellent example of the importance of maintaining a backup and using complex passwords.

A hacker or group of hackers, operating under the moniker Andy Saolis, managed to halt the collection of fares by the San Francisco Municipal Transportation Agency (or Muni) by hacking their station computer system and introducing a strain of ransomware into it. As a result, Muni employees were unable to access their workstations and some of the agency’s systems were disabled.

However, the hacker claimed to have accomplished more, as ticketing kiosks across the city would only display “you hacked. ALL data encrypted.” The ransom demand for the decryption key was approximately $73,000 in Bitcoin. Despite the hacker’s apparent confidence in their accomplishment, Muni elected to not pay the ransom, deciding instead to restore their systems from a backup and allowing cybersecurity experts to strike back against the hacker, not just once, but twice.

Two independent vigilante hackers managed to access the email account of “Andy Saolis” to collect information that helped to stop the attack, both by correctly guessing the answer to the account’s security question. It would seem that the hacker(s) known as Andy Saolis had been active for a while, but had never before targeted anything other than private companies, which very well may have led to their downfall.

Once the attack was thwarted it came to light that seemingly no data, including that from Muni’s customer payment systems, had been accessed, despite the attack affecting 25 percent of Muni’s network. Saolis, unsurprisingly, gave a considerably different account online.

Claiming to have stolen data from the payment kiosks, as well as 30 gigabytes of data from Muni’s system on their employees, customers, and technical matters, Saolis wasn’t shy about casting himself (or themselves) in the light of the vigilante against an unjust system.

According to an email sent through Russian service Yandex.com, “They give Your Money and everyday Rich more! But they don’t Pay for IT Security and using very old system’s !”

Shortly after the attack ended, security experts, who had gained access to the hacker’s servers, were also able to establish that the emailer was based in Iran.

Though Muni never had to pay a ransom for their data, this attack wasn’t cheap, costing them the combined total of the free rides they granted to commuters as their systems were compromised. However, this total would certainly be less than the actual cost of the Bitcoin ransom, and so a good general rule to follow is to never give in to a hacker’s possibly insincere demands.

On the topic of the hacker, whose password was guessed by two separate strangers, how weak must this password have been? While nobody should ever complain about a hacker being foiled, it goes to show how a complete stranger could find their way into your accounts if you aren’t being careful.

This case is far from over, as the Federal Bureau of Investigation and the U.S. Department of Homeland Security are still investigating the matter, which provides proof that public systems are still unable to be fully trusted.

There is a lot for SMBs to learn from this story. How confident are you in your IT security? If you feel it’s time for a security audit in order to determine how protected your business is from all kinds of threats, reach out to NuTech Services at 810.230.9455.

 

What Volkswagen is Doing to Prevent Hackers From Controlling Your Car

Today’s cars are equipped with more complicated computer systems that allow users access to cutting-edge technology and services. Due to the increasing number of cyber attacks on computerized cars, Volkswagen has chosen to team up with three Israeli cybersecurity experts to equip advanced vehicles with the proper security solutions.

Although ownership and investments made by both parties haven’t been made public yet, the new partnership has adopted the name Cymotive, and its goal is clear. Its chairman, Yuval Diskin, formerly sat at the helm of the Israeli Security Services, and said: “Together with Volkswagen we are building a top-notch team of cyber security experts. We are aware of the significant technological challenges that will face us in the next years in dealing with the cyber security threats facing the connected car and the development of the autonomous car.”

It’s dangerous to assume that a hacker can’t get to you in your own car. Bluetooth connectivity and computerized dashboards have given criminals brand new ways to infiltrate connected cars. Researchers have recently discovered a way for an intruder to hack into Volkswagen vehicles using nothing but an inexpensive radio kit. This flaw affects vehicles sold since 2000, so there’s huge potential for this to cause trouble for millions of owners.

Volkswagen is far from being the only car manufacturer that produces systems that are at risk. Check out this YouTube video where two seasoned hackers use a laptop to control a Jeep Cherokee. They connected the laptop to the controller area network (or CAN bus) and were able to take complete control of the vehicle’s brakes. While this is a local hack, it could very well become a threat that could be controlled remotely.

Though the video seems proof enough that this trend is a problem, when the researchers submitted their findings to Fiat Chrysler Automobiles, the manufacturer of the Jeep brand, the company swiftly dismissed them as invalid and inappropriate, claiming that sharing “how-to information” could put the public at risk. The company further claimed that the attack required considerable technical knowledge to use, and that the flaws had already been addressed.

Granted, hackers are always trying to find new vulnerabilities and exploits to test their mettle against. Whether it’s a vehicle computer or a corporate workstation, you can bet that in the near future hackers will find ways to infiltrate and exploit them. This race won’t end anytime soon, so it looks like hackers and cyber security professionals will be trapped in an endless cycle of hack or be hacked.

Will your next automotive purchase include a computerized system, or would you rather keep it simple? Let us know in the comments.

It Only Takes 8 Seconds for a Hacker to Open Your Garage Door

Hackers have proven to be a crafty and suspicious lot, and can take advantage of even the most benign technology to infiltrate networks. However, we don’t often associate them with objects in the physical world. Now, even something as simple as a decade-old communications device can be used to open the right garage doors.

The device in question was built from a discontinued toy from 2007 called the IM ME. Manufactured by Mattel, it’s a device that was advertised as a secure wireless instant messaging system, sort of like an archaic mobile phone that allows for texting. It stores an address book of other users of the IM ME system, and allows for communications between devices so long as the device had an Internet connection. Looking at it now, you wouldn’t be surprised to hear that it’s no longer supported or even remotely useful these days, especially since smartphones are so much more dynamic and effective for communication.

Last year, it was discovered that this toy could be altered to hack into any garage door that’s equipped with an insecure fixed code transmitted from a remote, rather than one that uses a “rolling code” that’s constantly changing with every button press. The flaw was discovered and exploited by Samy Kamkar, who works as an independent developer and technology consultant. He reportedly built the device out of the IM ME, adding only an antenna and a simple open-source hardware attachment.

Kamkar explains that his device, which he dubs the OpenSesame, works in a different fashion from what are known as “code grabbers.” Ordinarily, code grabbers are devices that capture the code from the garage door button when it’s pressed, and can then reuse the code at a later time. This requires the presence of the hacker when the button is pressed. OpenSesame can accomplish this without being anywhere near the user, which makes it significantly more versatile and dangerous.

The most dangerous part of this hacking experiment is the fact that any hacker can walk up to a vulnerable garage door and have it open in around eight seconds. As reported by WIRED:

Using a straightforward cracking technique, it still would have taken Kamkar’s program 29 minutes to try every possible code. But Kamkar improved his attack by taking out wait periods between code guesses, removing redundant transmissions, and finally using a clever optimization that transmitted overlapped codes, what’s known as a De Bruijn sequence. With all those tweaks, he was able to reduce the attack time from 1,771 seconds to a mere eight seconds.

If you want to know how OpenSesame works, you can watch this video. If you’re unsure of whether or not your garage door is vulnerable to this particular issue, you can watch this video released by Kamkar:

This just goes to show how dangerous and unpredictable some of the things on the Internet of Things can be. With so many devices capable of communicating with each other through near-field and Bluetooth communications, in a worst-case scenario, it becomes a liability that can quickly spiral out of control. Concepts like these should make your business question if it’s prepared to handle the dangers that are approaching in the form of unregulated Internet of Things devices. Considering how much your business stands to lose, you shouldn’t be putting your organization at this kind of risk.

We can give your business’s network a quality assessment to ensure that it’s not vulnerable to other Internet of Things devices and emerging technologies. To learn more, give us a call at 810.230.9455.

Social Engineering: Not All Hackers Target Technology

The nature of hacking is to take advantage of weak points and exploit them for some kind of profit. This is usually seen in flaws or vulnerabilities found within the code of a program or operating system, but these flaws can be psychological, too. Hackers are increasingly taking advantage of a concept known as “social engineering” to fool users into handing over sensitive information that can be used against them.

Social engineering hacks are performed against unsuspecting individuals who might be privy to sensitive information within a corporation. These people often have fewer technical skills and might be more vulnerable to exploitation than others. These attacks often seek out information like passwords, usernames, dates of birth, and other sensitive credentials. The more skilled social engineering hacker can replicate sites to infect systems with malware, or even initiate infected downloads.

The most notorious social engineering method of hacking is called phishing, when emails are sent to a user under the guise of a seemingly harmless institution, like a bank. These messages usually ask the victim to confirm login credentials and other information in a manner that looks legitimate.

Spear phishing attacks are some of the most dangerous hacks out there. These types of phishing threats target specific users with personalized messages that are designed to coerce them into giving up personal or financial information. There have even been accounts reported of hackers posing as the media in order to get access to secure information.

According to HowToGeek.com, this method isn’t limited to being used remotely. Social engineering hackers can also get up close and personal with their attempts:

An attacker could walk into a business, inform the secretary that they’re a repair person, new employee, or fire inspector in an authoritative and convincing tone, and then roam the halls and potentially steal confidential data or plant bugs to perform corporate espionage. This trick depends on the attacker presenting themselves as someone they’re not. If a secretary, doorman, or whoever else is in charge doesn’t ask too many questions or look too closely, the trick will be successful.

How Can You Protect Yourself?
Ultimately, it comes down to educating yourself and your staff on how to identify a social engineering hack from the real deal. Here’s how you can minimize your chances of playing into the hands of a phishing scam.

  • Always be suspicious. Strange messages and phone calls are more than enough reason to be suspicious of the sender. If this is the case, it’s important that you don’t respond until you can confirm the identity of the sender. Contact the organization with the number or email address you have on record to ensure that you’re not being scammed. Some pointers to look for are misspelled words or strange links.
  • Avoid links in emails to websites that gather sensitive information. It’s possible that these links lead to fake sites that are designed to steal your credentials. If you suspect this is the case, try logging into the official site by navigating to it outside of your email. You can spot subtle differences in the URL which give it away.
  • Make sure spam and phishing filters are enabled in your email and browser. Some browsers have built-in protection from known phishing sites which should always stay active. One particularly powerful solution is NuTech Services’s Unified Threat Management (UTM) solution. This solution equips your business with everything it needs to keep outside threats from getting into your network, including spam filtering and web content blocking.
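
The URL check from the list above can be automated. The following is an added example, not part of the original article: it compares the host in an emailed link against sites you already have on record and flags the "subtle differences" a phishing link relies on. The trusted host names and sample links are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed list of sites the user really has accounts with (assumption).
TRUSTED_HOSTS = ("examplebank.com", "example-payroll.com")

def _edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_link(url, trusted=TRUSTED_HOSTS):
    """Return (verdict, reason) for a link found in an email."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    if parts.scheme != "https" or not host:
        return "suspicious", "not an https link with a host name"
    if "@" in parts.netloc:
        # Text before '@' is only a user name; the real host comes after it.
        return "suspicious", "userinfo before '@' hides the real host"
    if host in trusted or any(host.endswith("." + t) for t in trusted):
        return "trusted", "host matches a site on record"
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        return "suspicious", "internationalized host may imitate Latin letters"
    for t in trusted:
        brand = t.split(".")[0]
        if brand in host:
            # Trusted name reused as a subdomain or padded with extra words.
            return "suspicious", f"contains '{brand}' but is not {t}"
        if _edit_distance(host, t) <= 2:
            return "suspicious", f"within two edits of {t}"
    return "unknown", "host is not on record; visit the site directly instead"

if __name__ == "__main__":
    # Constructed sample links, one per trick the checker looks for.
    for link in (
        "https://www.examplebank.com/login",
        "https://examp1ebank.com/login",
        "https://examplebank.com.account-verify.example/",
        "https://examplebank.com@login.example/",
        "https://news.example.net/",
    ):
        print(link, "->", classify_link(link))
```

A "trusted" verdict only means the host name matches; it says nothing about whether the message itself is genuine, so the advice to confirm the sender through a contact you have on record still applies.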

When it comes down to it, the only way to maximize your business’s security from phishing attacks is to make sure your team knows how to identify and handle them. For more information on how to keep yourself safe from all manner of threats, give NuTech Services a call at 810.230.9455.

Biohacking: Integration of Smart Technology with the Human Body

Wearable technology is still emerging, but a much different type of smart tech is coming soon. At the Kaspersky Labs Security Analyst Summit, the question of whether or not embedding technology in the human body is a viable concept was discussed in detail. This is supposedly the future of smart technology.

Hannes Sjoblad, a member of a Swedish group called BioNyfiken (warning: unless you speak Swedish, you might have trouble on this website), has implanted NFC (Near Field Communication) chips into his own hands in an attempt to back what he calls “biohacking.” This is the process of embedding technology into the human body to perform certain functions. This technology is still in development, but if it’s successful, we can expect to see “cyborg-like” results.

Sound too weird to be true? It’s a squeamish trend that’s happening all around the world. For proof, here’s a real video of YouTuber Mike James getting an xNT NFC chip implanted into his hand (skip the video if you don’t like needles).

According to ZDNet, over 300 Swedish citizens have volunteered to have these NFC chips implanted in their hands, specifically between the thumb and the forefinger. This project began as a crowdfunding campaign on Indiegogo, and has quickly turned into a topic of interest. Sjoblad himself uses this chip for a number of things. He says he can use it to unlock his house doors, bike lock, and even for his shop memberships and business cards. How’s that for smart technology?

Sjoblad was quick to defend his organization’s ideas by explaining that cyborgs “are already among us,” in the form of people with pacemakers, insulin pumps, and other medical technologies. He also explains that this technology is rapidly becoming more affordable as time goes on, not unlike other technologies like computers and smartphones. In terms of privacy, we already have smartphones that are capable of sharing personal data; therefore, these NFC chips shouldn’t be a cause for concern.

Sjoblad hopes that embedded NFC chips will improve the way that humans perform day-to-day activities normally achieved through use of smartphones, without having to use the device itself. Devices “clutter up” these daily routines and complicate things. Even wearables are considered “clutter.” Sjoblad’s goal is to eliminate these devices and simplify tasks using his NFC chips.

You can imagine the possibilities for this type of technology in the future. One of the most notable possibilities is two-factor authentication. Imagine keeping your computer locked until you and your unique NFC chip are within range. Or, imagine accessing a bank account without fear that someone else has access to it. Whether or not this type of technology will become readily available for the public is another topic altogether, but there’s a very real possibility that this kind of authentication can change the way we use our technology.

What are your thoughts on turning NFC chips and the human body itself into an authentication tool? Let us know in the comments.

Bonus technology: Want to take advantage of NFC tech without the use of needles? Try the NFC Ring.