Hackers hit PR Newswire, data shows up alongside recently stolen Adobe code

Today, Krebs on Security reported that publicity service PR Newswire was hacked in March 2013. But more interestingly, this hijacked data has surfaced on the same Internet servers where stolen Adobe Systems source code and customer data was recently found.

The location of this lifted PR Newswire data suggests that the same black hats may be behind both hacks. Brian Krebs confirmed the data (usernames and encrypted passwords) with PR Newswire, and the company will start contacting customers about password changes today. PR Newswire told Krebs its investigation into the data is still in progress, but early indications are that the breach affected customers in Europe, the Middle East, Africa, and India in particular.

Krebs and collaborator Alex Holden, chief information security officer at Hold Security LLC, found no evidence of abuse with the stolen data at this time. However, the duo notes that PR Newswire's clientele could be potentially very lucrative targets for hackers to use to manipulate financial markets.

Read 1 remaining paragraphs | Comments


Researchers uncover holes that open power stations to hacking

A pair of researchers have uncovered more than two dozen vulnerabilities in products used in critical infrastructure systems that would allow attackers to crash or hijack the servers controlling electric substations and water systems.

The vulnerabilities include some that would allow an attacker to crash or send a master server into an infinite loop, preventing operators from monitoring or controlling operations. Others would allow remote code-injection into a server, providing an opportunity for an attacker to open and close breakers at substations and cause power outages.

“Every substation is controlled by the master, which is controlled by the operator,” says researcher Chris Sistrunk who, along with Adam Crain, found vulnerabilities in the products of more than 20 vendors. “If you have control of the master, you have control of the whole system, and you can turn on and off power at will.”

Read 22 remaining paragraphs | Comments


Apple Releases Security Update for Java on OS X

Original release date: October 16, 2013

Apple has released a security update for Java on Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7 or later, OS X Lion Server v10.7 or later, and OS X Mountain Lion 10.8 or later to address multiple vulnerabilities. These vulnerabilities may allow an attacker to execute arbitrary code with the privileges of the current user.

US-CERT encourages users and administrators to review Apple Support Article HT5982 and follow best-practice security policies to determine which updates should be applied.


This product is provided subject to this Notification and this Privacy & Use policy.

Self-Assembling Robots May Herald Dawn of Evil Toasters


If Hollywood is to be believed, we will all one day be living in a future filled with robots, or less likely, zombies. Robots are everywhere in our predicted future. A common theme on the silver screen is the artificial intelligence mastermind attempting to take over the world. Another is of robots transforming into alternate shapes or robots with the ability to self-repair. Sadly, we are not yet at the stage where cars can transform into fighting robots while doing a front flip in slow motion to a heavy rock soundtrack, but we are getting closer. Researchers at MIT recently presented their exciting new creations, M-Blocks, signalling a new stage of self assembling robots.

The MIT modular robot cubes can rearrange themselves using internal flywheels, which generate impulse movements used to propel the units in the desired direction, and use magnets for alignment. The bots can even generate enough energy to create a strong enough momentum to enable them to jump from once place to another. The cubes can be assembled into rudimentary shapes, but alas cannot transform into a giant fighting robot as this is not the intended goal. The researchers’ wish for the future is to have each module act autonomously – the current prototypes are controlled externally, receiving their commands through radio transmissions.

For me, as a security researcher, this obviously raises questions surrounding the security implications of such modular robots. Don’t worry; I’m not talking about a Skynet taking over the world scenario here. Since they’re only prototypes at the moment, thinking about what could and could not be done with future versions would be purely speculative. However, one of the challenges I see is ensuring that rogue modules can be identified. Just imagine if you have a malicious robot block that, once introduced to the hive, confuses all the others and causes any structure that they were building before to disintegrate. Building up trust in a network of untrusted nodes is a difficult problem to solve. On the other hand, you might need to introduce new cubes, which ideally would get integrated seamlessly.

Current versions of the self-assembling modular robots, where you have a central control unit that transmits and receives commands, can be compared to the Internet of Things (IoT). The IoT, which you could simplify as a group of non-traditional devices connected to the Internet, is an interesting area with huge potential. One of the most tangible areas of the IoT is smart household devices, some of which are already sold today. The vacuum cleaning robots available in stores today may not be self-assembling but nevertheless they are robots.

There has already been quite a lot of interest from the security industry in the IoT. More and more security conferences start to feature talks on the topic. For example, Daniel Buentello presented at this year’s DerbyCon on how he completely took over a remote controlled power switch. While switching the lights on and off might not seem very scary, opening up windows and doors is more alarming. And this is only the tip of the iceberg of possibility. Fridge appliances doing portscans or mood lights that infect other lamps with malware are all realistic scenarios. Someday your neighbour may be able to compromise your toaster remotely in order to tell your HiFi system to switch off the music. Having malicious code running on such home devices can be difficult to detect and difficult to remove, as most devices are not built with high security in mind.

We at Symantec are following the development in this area closely to ensure that everyone stays secure in the future connected world. Of course, we hope that we won’t see scenarios where your fridge teams up with your coffee machine to DDoS your toaster any time in the immediate future, because that would really be a bad start to anyone’s day.