Security trends for 2014

Year 2014 will be a year of cybersecurity after the NSA revelations made in 2013: The headline news is that the NSA has surreptitiously “burrowed its way into nearly all the security architecture” sold by the world’s largest computer networking companies. A lot of people were shocked how NSA monitored and hacked almost everything in Internet. There will still be NSA aftershocks after new material comes out and different parties react to them (and news sources write about them). U.S. cloud services have been put into question for good reason. There will be a lot of NSA spying litigation. Those spying issues will also fuel some haktivism (it has already started to happen).

Security Professionals: Top Cyber Threat Predictions for 2014 article lists the following predictions that seem to pretty propable: Cybersecurity Regulatory Efforts Will Spark Greater Need for Harmonization, Service-Impacting Interruptions for Online Services Will Persist, We Will See an Increase in Cybercrime Activity Related to the World Cup, Rise of Regional Cloud Services, Dev-Ops Security Integration Fast Becoming Critical, Cybercrime that Leverages Unsupported Software will Increase, Increase in Social Engineering and Ransomware will Impact More People.

Ubiquitous mobile computing is all around us, which will lead to increased risks and concerns about social network privacy. Social networks have quickly become the key organizing principle of Internet communication and collaboration. Android anti-virus apps CAN’T kill nasties on sight like normal AV.

2013 was a very hacked year when there was many cases where information on millions or tens of millions of users were stolen from companies. It’s likely that we will see much more of the same in 2014, the way people use passwords and how the on-line services are built have not changed much in one year.

crystalball

Gartner predicts that through 2014, improved JavaScript performance will begin to push HTML5 and the browser as a mainstream enterprise application development environment. I expect that HTML5 related security issues are increased due the fact that the technology being used more in 2014.

Over 50% of net traffic to web sited made by bots! More Than Half of Internet Traffic Is Just Bots article says that security and cloud service provider Incapsula analyzed and found out that more than 60 percent of internet traffic is computer generated, compared to less than 40 percent of traffic that is driven by human clicks. 31% of Bots Are Still Malicious. SEO link building has always a major motivation for automated link spamming, but it is decreasing due the fact that Google was able to discourage it. There are more advanced hacking and automatic vulnerability searching.

DDoS attacks are evolving from volumetric Layer 3-4 attacks to much more sophisticated and dangerous Layer 7 multi-vector threats.

There will be still many SCADA security issues in 2014. Even though traditional SCADA vulnerabilities have become easier to find, the increased connectivity brought with IoT will cause new issues. And there will still be very many controls systems openly accessible from the Internet for practically everybody who knows how to do that. There was a large number of SCADA systems found open in Internet in the beginning of 2013, and the numbers have not considerably dropped during the year. I expect that very many of those systems are still too open in the end of 2014.

The Internet is expanding into enterprise assets and consumer items such as cars and televisions. The Internet of Things (IoT) will evolve into the Web of Things, increasing the coordination between things in the real world and their counterparts on the Web. There will be many security issues to solve and as the system become more widely used more security issues on them will be found in them.

Cloud security will be talked about. Hopefully there will be some clear-up on the terminology on that area, because cloud security can mean a lot of things like the term cloud computing. Cloud security could mean how secure your cloud provider is, a service that runs on cloud filtering what comes through it (for example e-mails, web traffic), it could mean to product protecting some service running on cloud, or it could be a traditional anti-virus service that connects to cloud to advance it’s operation (for example update in real-time, verify unknown programs based on data on cloud). Research firm Gartner forecasts that cloud security sales will increase dramatically in the next few years. Cloud Security sales have increased over the past year by 2.1 billion to $ 3.1 billion in 2015.

Marketers try to put “cloud” term to security product brochures as much as they can. Cloud made ​​from the traditional information security sound old-fashioned because companies are under pressure to move services to the cloud. Also, mobile devices and information security dispersed users to set new standards. OpenDNS ‘s CTO Dan Hubbard says that “Because of the data and equipment run in the cloud users with the cloud is the best way to protect them.” The Snowden Effect will also bring this year of PRIVATE cloud talk on table for security reasons because U.S. cloud services have been put into question for good reason.

In Finland a new Cyber Security Center started in the beginning of 2014. Security articles and warnings from it will be published at kyberturvallisuuskeskus.fi.

Late addition: Crypto-currencies like Bitcoin and similar are on the rise. Early adopters already use them already actively. Those crypto-currencies have many security related issues related to them. The values of the crypto-currencies vary quite much, and easily the value drops considerably when they get so used that different governments try to limit using them. Bitcoin is increasingly used as ramsonware payment method. Bitcoins have been stolen lately quite much (and I expect that to increase when usage increases), and those are stolen from users, on-line wallets and from exchanges. When more money is involved, more bad guys try to get into to get some of it. Sometimes bad guys do not try to steal your money, bit use resources you pay (your own PC, your server capacity, etc.) to generate money for them without you knowing about it. If you plan to use those crypto-currencies be careful to understand what you are doing with them, there is a real possibility that you can loose your money and there is no way that lost money can be recovered.

3,382 Comments

  1. Tomi Engdahl says:

    German minister photo fingerprint ‘theft’ seemed far too EASY, wail securobods
    Security industry fear after apparent digit sig nickery
    http://www.theregister.co.uk/2014/12/30/hacking_fingerprints_get_a_hires_pic_and_commercial_software/

    Claims that fingerprints can be cloned from pictures are being taken seriously by security experts, who argue that any possible hack underlines the fragility of the biometric technique.

    Hacker Jan “Starbug” Krisller cloned the thumbprint of the German Defence Minister Ursula von der Leyen after photographing her hand at a press conference.

    During a presentation at the annual Chaos Computer Club hacker conference in Hamburg, Krisller explained how he used commercial fingerprint software from Verifinger to map out the contours of the minister’s thumbprint from the hi-res image taken using a telephoto lens.

    Krisller previous credits include successfully defeating Apple’s TouchID fingerprint lock.

    Using a “raised ink” printing process, it’s possible to print an image on a very thin plastic surface, such as the skin of a balloon. By wearing the balloon skin over a finger, anyone can then assume the identity associated with the lifted fingerprint.

    The type of hack is possible because fingerprint biometrics are deliberately tuned to minimise false negatives – something that tends to make standalone fingerprint techniques unreliable

    “Fingerprint biometrics means keeping your fingers secret,”

    Reply
  2. Tomi Engdahl says:

    Zero-day hacking group resorts to UNICORN SMUT-SLINGING
    Playboy ploy not beneath APT3

    Sysadmins who have not yet patched their Windows boxes against the 18-year-old “unicorn-like” OLE bug disclosed last month could expect a deluge of spear phishing smut from a group once confined to lofty targeted zero-day attacks.

    The talented APT3 group was behind widespread zero-day attacks code-named Clandestine Fox earlier this year and was now targeting recently patched Windows vulnerabilities, according to FireEye researchers.

    That group had begun spewing spear-phishing emails targeting two vulnerabilities (CVE-2014-6332, CVE-2014-4113) disclosed this month and in October respectively.

    “The use of CVE-2014-6332 is notable, as it demonstrates that multiple classes of actors, both criminal and APT alike, have now incorporated this exploit into their toolkits,” they said in an advisory.

    Reply
  3. Tomi Engdahl says:

    Can’t stop Home Depot-style card pwning, but suppliers will feel PCI regulation pain
    Third parties must comply to new standard
    http://www.theregister.co.uk/2014/12/17/pci_revamp_after_target_home_depot_breach/

    Reply
  4. Tomi Engdahl says:

    Facebook cosies up to ESET for malware detection
    Is this the world’s largest comparative test?
    http://www.theregister.co.uk/2014/12/04/facebook_cosies_up_to_eset_for_malware_detection/

    Facebook, which earlier this year started partnering with F-Secure and Trend Micro for malware detection, has added Slovak vendor ESET to its suite of security products.

    F-Secure and Trend both pointed Facebook users at their free online scans if devices behaved in a way that suggested infection.

    Facebook similarly says the tie-ups will help it keep malicious links and harmful sites out of News Feeds and Messages.

    Reply
  5. Tomi Engdahl says:

    Early Bitcoin Adopters Facing Extortion Threats
    http://yro.slashdot.org/story/14/12/30/1328216/early-bitcoin-adopters-facing-extortion-threats

    An Extortionist Has Been Making Life Hell for Bitcoin’s Earliest Adopters
    http://www.wired.com/2014/12/finney-swat/

    The Finneys were the victims of a “swatting,” a nasty online hoax where the perpetrator calls up emergency dispatch using a spoofed telephone number and pretends to have committed a heinous crime in the hopes of provoking an armed police response to the victim’s home

    For a year, the caller had been demanding that the Finneys pay an extortion fee of 1,000 bitcoin—worth more than $400,000 at the time

    When someone calling himself Satoshi Nakamoto first proposed the idea of bitcoin back in 2008, his ideas went largely unnoticed. But Hal Finney paid attention. He quickly became one of the world’s first bitcoin users. That early enthusiasm proved lucrative for Hal Finney, allowing him to join the digital currency’s network and “mine” many bitcoins during the early days. The stash helped the Finneys cover Hal’s medical expenses, but it also came at a price.

    Hal Finney died in August, and his wife Fran says he spent his final months being harassed by the online extortionist.

    Roger Ver, another early bitcoin adopter, believes he was victimized by the same person the week before the Finney family was swatted.

    Reply
  6. Tomi Engdahl says:

    Armouring up online: Duncan Campbell’s chief techie talks crypto with El Reg
    Truecrypt, PGP, GPG – but NEVER Skype
    http://www.theregister.co.uk/2014/12/19/crypto_toolkit_1/

    At the point I joined the team for ICU’s Offshore Leaks project, Duncan had just finished winning an internal battle about the use of PGP. Specifically, convincing everyone NOT to use it.

    If you have a big team project and nobody apart from one or two crypto-fans have ever used PGP before, the feel-good factor that might be gained from being all techno-futuristic will be very rapidly overshadowed by the feel-bad problem of not managing to get any work done.

    Duncan wisely pointed out that the threat model for the project did not include governments – as we understood it, they had already received the same data we were working with and reporting on. So, there was no need to go to Defcon 1 in order to try to keep them out. A slow and convoluted manual PGP-and-email arrangement was replaced with a dedicated private forum system (provided by team member Sebastian Mondial) which was invite-only and delivered over SSL – but not specifically trying to be secure against government-level adversaries.

    Local storage: Truecrypt

    Truecrypt can encrypt an entire physical drive (HDD, USB flash stick, whatever you like), or you can create a “container file” of a fixed size to hold the data you want to store securely. When you run Truecrypt, enter your password and mount your encrypted volume, it shows up as a new drive on whatever drive letter you choose.

    Of course, Truecrypt can’t help you if the files you have stored inside its robust cryptographic storage are also present in C:\Windows\Temp, or available for forensic recovery after you move them into your Truecrypt container. If you are worried about that, you can get TC to encrypt your boot partition so you have to enter your password to even get Windows to begin booting. Of course, that’s still vulnerable if someone snatches your booted-and-unlocked laptop from your grasp.

    Despite the recent scares, many people are still comfortable with using the previous (7.1a) release of the massively popular encrypted storage application. Now that the dust has settled a little, I am too.

    Securing email with PGP/GPG

    While you certainly can use Truecrypt to send files to someone else, that would require you to either pre-arrange a shared password in advance, or have some other already-secure channel to transmit it to them.

    That’s where the clever maths of Public Key Cryptography comes in.

    The de facto standard for this is OpenPGP, descended from the original Pretty Good Privacy created by Phil Zimmermann. The Free Software toolset GPG (GNU Privacy Guard) is the most commonly used implementation.

    There are a number of possible configurations available for GPG, depending on if you would rather use it as a plugin to a local email client or use it entirely as a stand-alone app. My personal preference is to use the Enigmail plugin for the Mozilla Thunderbird mail client, whereas a more-manual approach which requires less changes to your general way of working (not needing you to use a different email client) would be to use the Gnu Privacy Assistant (GPA) standalone app from the GPG4Win bundle.

    There are also Chrome extensions which implement OpenPGP in client-side Javascript inside your browser

    OpenPGP doesn’t have that top-down “CA-style” validation of public keys. Rather, users can sign their friends’ or colleagues’ public keys to assert that they have checked that the specific key really belongs to the proper person.

    The most common approach at the moment is to publish your Public Key directly on your own website.

    The key-signing side of OpenPGP is pretty un-fun

    Don’t even think about using Skype for anything sensitive. There is no meaningful encryption or security provided any more. It is completely open to interception by the agencies.

    Reply
  7. Tomi Engdahl says:

    UK banks prepare for Apple Pay ‘invasion’, look to slap on bonking protection
    Financial bodies air concerns over ‘privacy’, ‘data security’
    http://www.theregister.co.uk/2014/12/30/uk_banks_fearing_apple_pay_invasion_but_can_nfc_be_stopped/

    Apple’s attempt to launch its NFC payment solution in the UK could be thwarted by some financial institutions’ concerns over privacy and security issues surrounding Cupertino’s “invasion” of the banking industry.

    The system, which has been developed with the credit card companies, has been tried by two million iPhone 6 users in the US.

    However, The Telegraph reports that UK adoption has been slowed by banks concerns over privacy, saying “some executives fear Apple Pay and the data it delivers to Apple could serve as a beachhead for an invasion of the banking industry”.

    Maybe they have looked at what Apple has done to the music and mobile phone industries and drawn conclusions from that. A battle between banks and Apple would certainly be interesting to watch.

    Airing concerns about security, money laundering and financing of terrorism is a standard tactic employed by the banks when they want to slow the adoption of a new technology.

    Reply
  8. Tomi Engdahl says:

    Fake Android The Interview app actually banking Trojan
    20K credulous victims hit by South Korea targeting nasty
    http://www.theregister.co.uk/2014/12/29/interview_banking_trojan/

    Malware-slingers have latched onto the torrent of publicity spawned by the controversial film The Interview by stitching together a fake Android app actually designed to swipe online banking credentials.

    The banking Trojan is programmed to target customers of a number of Korean banks, as well as Citi Bank. Approximately 20,000 devices appear to have been infected to date, based on bank account data from infected Android devices relayed back to a Chinese mail server and intercepted by security researchers.

    Reply
  9. Tomi Engdahl says:

    DON’T PANIC! Latest Anonymous data dump looks old hat
    13,000 leaked accounts are likely stale data, expert claims
    http://www.theregister.co.uk/2014/12/29/dont_panic_large_anonymous_data_dump_looks_like_its_old_hat/

    On the day after Christmas, Anonymous dumped out 13,000 credit card numbers and account details for a host of popular websites, but an analysis of the package by security experts shows that most of the data has been available online for ages.

    The dump was carried out “for the lulz,” according to an Anonymous Twitter account. It contained passwords for Amazon, Walmart, and Hulu Plus, in addition to other software, dating, and pornography sites. Some credit card data was also included in the (now deleted) posting.

    Reply
  10. Tomi Engdahl says:

    Kim Dotcom vows to KILL SKYPE with encrypted MegaChat
    Claims new service will end NSA mass surveillance
    http://www.theregister.co.uk/2014/12/30/kim_dotcom_megachat/

    Megaupload maestro Kim Dotcom says he will soon unveil an encrypted video calling and chat service that he claims will mark “the end of NSA mass surveillance.”

    In a series of tweets, Dotcom said the service, to be called MegaChat, will also doom Skype, the current king of online calling, which is thought to have been cooperating with US government snoops since at least 2011.

    “No US based online service provider can be trusted with your data,” the rotund refugee proclaimed. “Skype has no choice. They must provide the US Government with backdoors.”

    Dotcom said MegaChat will be browser-based – preempting Microsoft’s plan to bake Skype into IE – and will also include the ability to conduct high-speed file transfers with end-to-end encryption.

    One small problem with all of this: Dotcom launched the Mega file-sharing service in early 2013 with similar claims that it offered impenetrable browser-based encryption. But it only took a few days for security researcher Steve “Sc00bzt” Thomas to come up with a tool to steal passwords from encrypted Mega confirmation links, and no less than crypto expert Moxie Marlinspike called Mega’s approach to security “inept.”

    Reply
  11. Tomi Engdahl says:

    London teen pleads guilty to Spamhaus DDoS
    Sentence will be passed in January next year
    http://www.theregister.co.uk/2014/12/17/london_teen_pleads_guilty_to_spamhaus_ddos/

    A 17 year-old Londoner has pleaded guilty to a series of denial-of-service attacks against internet exchanges and the Spamhaus anti-spam service last year.

    The teenager was arrested and prosecuted following a series of DDoS attacks aimed at Spamhaus and content distribution network CloudFlare that ultimately affected the operation of internet exchanges.

    Hackers used DNS reflection to amplify the DDoS attack. Peak traffic volumes exceeded 300 Gbps, marking the assault out as the biggest DDoSes ever.

    the attack failed to break the internet’s backbone

    it’s unlikely that the 17 year-old acted alone

    Reply
  12. Tomi Engdahl says:

    The NSA Uses the Same Chat Protocol As Hackers
    http://yro.slashdot.org/story/14/12/29/2120259/the-nsa-uses-the-same-chat-protocol-as-hackers

    NSA documents obtained by Edward Snowden and reported on by Der Spiegel on Sunday reveal that the agency communicates internally with Jabber, an open source messaging service used by hackers and activists trying to skirt the NSA’s internet surveillance dragnet.

    The NSA Uses the Same Chat Protocol as Hackers and Activists
    http://motherboard.vice.com/read/the-nsa-uses-the-same-chat-protocol-as-hackers-and-activists

    But what is Jabber, exactly?
    “Jabber” is a nebulous term

    All are considered implementations of XMPP.

    XMPP is an open protocol, which makes XMPP chat services popular among activists and hackers who view open source chat platforms as more secure and resistant to surveillance attempts than messaging services that run on a central server. The latter group includes Google Hangouts, which was criticized after Google announced its move from XMPP last year.

    Encryption can be built into XMPP-based services, making them the go-to for many privacy-conscious internet users. Off-the-Record Messaging (OTR) is an encryption protocol used by many XMPP-based messaging clients, and provides plausible deniability to conversants in addition to encrypting messages themselves.

    The XMPP community as a whole has been moving towards mandatory encryption for clients, and this year Peter Saint-Andre—who runs jabber.org—published an online manifesto urging developers to build encryption into their systems and to refuse unencrypted connections. The manifesto has garnered the support of high-profile XMPP advocates including Jabber’s original author, Jeremie Miller.

    Reply
  13. Tomi Engdahl says:

    William Turton / The Daily Dot:
    Hacker group Lizard Squad launches DDoS service with prices ranging from $6 to $500, says recent PSN and Xbox Live attacks were marketing scheme

    Lizard Squad’s Xbox Live, PSN attacks were a ‘marketing scheme’ for new DDoS service
    http://www.dailydot.com/crime/lizard-squad-lizard-stresser-ddos-service-psn-xbox-live-sony-microsoft/

    The devastating Christmas Day attacks against the gaming networks of Sony and Microsoft were a marketing scheme for a commercial cyberattack service, according to the hackers claiming responsibility for the attacks.

    Known as Lizard Squad, the hacker collective says it shut down the PlayStation Network (PSN) and Xbox Live network on Dec. 25 using a distributed denial-of-service (DDoS) attack, a common technique that overloads servers with data requests. The powerful attacks rendered the networks unusable for days, infuriating gamers around the world and causing yet-untold losses of revenue.

    Now, members of Lizard Squad say the group is selling the DDoS service they used against Sony and Microsoft to anyone willing to pay.

    The service, dubbed Lizard Stresser, launched early Tuesday morning

    Customers can use the service against any target they wish

    A DDoS attack sends a huge amount of traffic to a server or computer network, swamping its capacity. The overload of “fake” traffic means legitimate users can’t connect, rendering the network temporarily unusable. While DDoS attacks may be considered a form of protest, they have been interpreted as a violation of the Computer Fraud and Abuse Act.

    It’s worth noting that DDoS attacks don’t require actual hacking the traditional sense. “A DDoS attack does not involve breaking into someone else’s computer in any way. It doesn’t expose user data, doesn’t destroy files,” noted hacker Gregg Housh wrote in the Kernel earlier this year. “It’s like a hundred crazy couponers blocking every lane in the grocery store: It’s obnoxious but not damaging anything.”

    Their purchase page says that the Lizard Stresser service offers attacks with an “average” load of 5 terabits per second (Tbps)—the total amount of fake traffic with which all customers can bombard their targets.

    Within three hours of launch, 25 customers have already purchased Lizard Squad’s services, according to dragon. Lizard Squad hopes that they will be able to keep this service online for a “minimum of one year.”

    The cost of attacks range anywhere from $6 to $500, paid for with Bitcoin, the difficult-to-trace cryptocurrency. The most expensive tier offers 30,000 seconds of attack (a little more than 20 days), and costs just $130 per month. For $500, customers can launch unlimited attacks.

    Reply
  14. Tomi Engdahl says:

    Over 80 Percent of Dark-Web Visits Relate to Pedophilia, Study Finds
    http://www.wired.com/2014/12/80-percent-dark-web-visits-relate-pedophilia-study-finds/

    The mysterious corner of the Internet known as the Dark Web is designed to defy all attempts to identify its inhabitants. But one group of researchers has attempted to shed new light on what those users are doing under the cover of anonymity. Their findings indicate that an overwhelming majority of their traffic is driven by the Dark Web’s darkest activity: the sexual abuse of children.

    At the Chaos Computer Congress in Hamburg, Germany today, University of Portsmouth computer science researcher Gareth Owen will present the results of a six-month probe of the web’s collection of Tor hidden services, which include the stealthy websites that make up the largest chunk of the Dark Web. The study paints an ugly portrait of that Internet underground: drug forums and contraband markets are the largest single category of sites hidden under Tor’s protection, but traffic to them is dwarfed by visits to child abuse sites.

    The researchers’ disturbing statistics could raise doubts among even the staunchest defenders of the Dark Web as a haven for privacy. “Before we did this study, it was certainly my view that the dark net is a good thing,” says Owen. “But it’s hampering the rights of children and creating a place where pedophiles can act with impunity.”

    “It came as a huge shock to us. I don’t think anyone imagined it was on this scale.”

    Tor executive director Roger Dingledine followed up in a statement to WIRED pointing out that Tor hidden services represent only 2 percent of total traffic over Tor’s anonymizing network. He defended Tor hidden services’ privacy features. “There are important uses for hidden services, such as when human rights activists use them to access Facebook or to blog anonymously,” he wrote, referring to Facebook’s launch of its own hidden service in October. “These uses for hidden services are new and have great potential.”

    The researchers found that a majority of Tor hidden service traffic—the traffic to the 40 most visited sites, in fact—were actually communications from “botnet” computers infected with malware seeking instructions from a hacker-controlled server running Tor. Most of those malware control servers were offline, remnants of defunct malware schemes like the Skynet botnet whose alleged operator was arrested last year.

    The study also found that the vast majority of Tor hidden services persist online for only a matter of days or weeks.

    In his Chaos Computer Congress talk, Owen also plans to present methods that could be used to block access to certain Tor hidden services.

    The study could nonetheless lead to difficult questions for the Tor support community.

    Reply
  15. Tomi Engdahl says:

    NVIDIA Breached
    http://it.slashdot.org/story/14/12/30/1828233/nvidia-breached

    Another day, another corporate network intrusion. NVIDIA has reportedly been breached in the first week of December, with the attack compromising personal information of the employees. There is no indication that other data has been compromised.

    NVIDIA Corporate Network Breached
    http://www.forbes.com/sites/davelewis/2014/12/29/nvidia-corporate-network-breached/

    Over the winter holidays people were concerning themselves with family gatherings, the exchange of presents and even some reading on the soap opera that has blossomed from the Sony Pictures breach. To say the least it has been a very busy couple of weeks. Then, on Monday December 22nd news came of a breach of the NVIDIA NVDA -0.92% corporate network.

    An email outlining the breach was sent to NVIDIA employees on Wednesday December 17th from the privacy office informing them that a breach had occurred and that their individual information had been compromised.

    Here are the key points summarized:

    Review bank statements and credit card statements for unauthorized activity
    Call the police if you think you’re an ID theft victim
    Be alert to phishing emails
    “Regularly change your passwords on both company and personal accounts. Avoid using the same password for more than one account“

    Points three and four stood out as this leads me to believe that this was the root of the issue and possibly how the breach was able to transpire via a phishing email coupled with a reused password.

    Reply
  16. Tomi Engdahl says:

    Security Research At the Hague, Netherlands: Mobile Network and Internet Threats
    http://mobile.slashdot.org/story/14/12/31/0346209/security-research-at-the-hague-netherlands-mobile-network-and-internet-threats

    The Hague Security Delta (HSD) is the official title of a collaborative effort between Netherlands businesses, their federal government and multiple research institutions, to identify emerging security threats, share best practices, and foster collaboration between industry, governments, and universities. One of the most pressing issues they’re tackling is that of mobile network and internet security. One point that the Netherlands’ officials made repeatedly is that the country is essentially the “digital gateway” to Europe. This might seem like hubris but once you look at the arrangement of undersea cables between the U.S. and Europe, it makes a lot more sense.

    Security Research At The Hague: The Mobile Malware Threat
    http://hothardware.com/reviews/security-research-at-the-hague-the-mobile-malware-threat

    The Hague is the name of the government seat of the Netherlands (and yes, the article is capitalized). The Hague Security Delta (HSD) is the official title of a collaborative effort between Netherlands businesses, the government, and multiple research institutions to identify emerging security threats, share best practices, and foster collaboration between industry, governments, and universities.

    One of the most interesting topics that came up during our visit was the issue of mobile network security, particularly now that Edward Snowden has let the cat somewhat out of the bag.

    One point that the Netherlands’ officials made repeatedly during our conversation is that the company is the “digital gateway” to Europe. In other contexts, this might seem like hubris — but once you look at the arrangement of undersea cables between the US and Europe, it makes a lot more sense.

    The Netherlands is far from the only transatlantic connection hub between the US and Europe, but it certainly accounts for a significant chunk of total cable capacity.

    Reply
  17. Tomi Engdahl says:

    One of the largest single threat vectors, it turns out, is the spread of third-party app stores. For all its flaws, Apple’s own App Store has guidelines that have largely kept such problems to a minimum. Google Play suffers a relatively small number of problems, and according to the Dutch, Windows Phone actually has fewer intrinsic flaws than either of the other two platforms. Yes, that means Windows Phone may actually be the most secure platform you can buy today.
    Read more at http://hothardware.com/reviews/security-research-at-the-hague-the-mobile-malware-threat?page=2#tqAoDykrQ2UrV3Sj.99

    Reply
  18. Tomi Engdahl says:

    Over 78% of All PHP Installs Are Insecure
    http://developers.slashdot.org/story/14/12/31/002253/over-78-of-all-php-installs-are-insecure

    Anthony Ferrara, a developer advocate at Google, has published a blog post with some statistics showing the sorry state of affairs for website security involving PHP.

    PHP Install Statistics
    http://blog.ircmaxell.com/2014/12/php-install-statistics.html

    So, what’s the breakdown?

    Platform % Installs That Are Secure
    PERL 82.27%
    Python 77.59%
    Nginx 64.48%
    Apache 61.96%
    WordPress 60.45%
    Drupal 45.23%
    PHP 25.94%

    Well, for purposes of this analysis, we’ll call versions that have no known vulnerabilities (more recent than the most recent security release) secure.

    This Is Pathetic
    This is absolutely and unequivocally pathetic. This means that over 78% of all PHP installs have at least one known security vulnerability. Pathetic.

    Check your installed versions. Push for people to update. Don’t accept “if it works, don’t fix it.”… You have the power to change this, so change it.

    Security is everyone’s problem. What matters is how you deal with it.

    Reply
  19. Tomi Engdahl says:

    Being A Responsible Developer
    http://blog.ircmaxell.com/2014/12/being-responsible-developer.html

    The general consensus was that as an ideology, only supporting latest versions is correct. From a practical standpoint though they said that it’s unrealistic. That there are tons of legacy systems out there that are running just fine and can’t justify the cost of upgrading. So they shouldn’t have to upgrade “for ideological reasons”.

    It can be expensive to maintain software, especially old and outdated software. If it’s running, why not just let it run? After all, if you don’t have problems with it, why bother touching it (if it ain’t broke, don’t fix it).

    This point of view disturbs me deeply.

    The Connection
    Why do we unit test our code? Is it to find bugs? No. In fact, there are far far more effective ways of finding bugs.

    Automated testing is only about 30-40% effective at finding defects. Formal code review alone is far more effective than automated tests at detecting defects (at least according to studies).

    So why do we write automated tests?

    There are two main reasons:

    To drive the design of our applications (TDD).

    To prevent regressions.

    So if we practice TDD, we write the tests to help us design components and ensure that they work as intended (defects aside). Then we keep those tests to ensure that regressions don’t enter the system down the line.

    Testing is one way to make code maintainable. The better the tests are (note, the test quality, not the coverage), the more confidence you’ll have that your change won’t break things and the faster and easier it will be to maintain the codebase.

    Security Is A Maintainability Concern
    No non-trivial application that is ever built is 100% secure. Tradeoffs are made, mistakes are made and new research uncovers new vulnerabilities every day.

    Think about that for a second. That means that every single piece of non-trivial software that was ever written will have a security vulnerability it in today. It may not be known, but it exists.

    The question comes, what do you do when those vulnerabilities become known? Do you update? Or do you ignore it? Do you pretend it’s not broken, because your specific website hasn’t been hacked (yet, that you know of)?

    If It Ain’t Broke Don’t Fix It
    The problem is that it is broken. All software is. The fallacy isn’t that upgrading is “fixing something that works fine today”, the fallacy is that it’s working fine in the first place.

    You can choose to ignore the break, or you can make an “informed” decision that the break isn’t worth fixing, but don’t pretend it’s working fine.

    Reply
  20. Tomi Engdahl says:

    Office MACROS PERIL! Age-old VBScript tactic is BACK in biz attack
    ‘Office macro exploits only cool thing Visual Basic used for,’ quips securobod
    http://www.theregister.co.uk/2014/12/31/vbscript_office_macros_peril/

    The dangers of allowing Office macros have been underlined by a newly discovered attack against European and Israeli companies.

    Malicious Office macros were used as the launchpad of the so-called RocketKitten attacks presented at this year’s Chaos Communication Congress hacking conference (stream here, relevant material starts around 20 minutes in). The technique is nothing new and still effective – even though it has been around for years and is straightforward to block.

    Visual Basic for Applications (VBA) is one of the easiest methods to deliver malware nasties: simply by dropping malicious code into an Office doc as a macro and attaching to an email. The victim would be lured by a plausible pretext into opening an Office file attachment delivered to them by email.

    Reply
  21. Tomi Engdahl says:

    Bloomberg:
    FBI investigating whether US financial institutions enlisted hackers to disable Iranian servers used to attack bank websites

    FBI Investigating Whether Companies Are Engaged in Revenge Hacking
    http://www.bloomberg.com/news/2014-12-30/fbi-probes-if-banks-hacked-back-as-firms-mull-offensives.html

    The hacked are itching to hack back.

    So say a dozen security specialists and former law-enforcement officials, who described an intensifying and largely unspoken sense of unease inside many companies after the recent breach of Sony Corp. (6758)’s networks.

    U.S. officials have shown little appetite to intervene as banks, retailers, casinos, power companies and manufacturers have been targeted by foreign-based hackers. Private-sector companies doing business in the U.S. have few clear options for striking back on their own.

    That has led a growing number of companies to push the limits of existing law to consider ways to break into hackers’ networks to retrieve stolen data or even knock computers offline to stop attacks, the cybersecurity professionals said in interviews. Some companies are enlisting cybersecurity firms, many with military or government security ties, to walk them through options for disrupting hacker operations or peering into foreign networks to find out what intellectual property hackers may have stolen.

    Reply
  22. Tomi Engdahl says:

    William Turton / The Daily Dot:
    Hacker group Lizard Squad launches DDoS service with prices ranging from $6 to $500, says recent PSN and Xbox Live attacks were marketing scheme — L
    http://www.dailydot.com/crime/lizard-squad-lizard-stresser-ddos-service-psn-xbox-live-sony-microsoft/

    Reply
  23. Tomi Engdahl says:

    Sony insider — not North Korea — likely involved in hack, experts say
    December 30, 2014
    http://www.latimes.com/entertainment/envelope/cotown/la-et-ct-sony-hack-inside-job-not-north-korea-20141231-story.html

    Federal authorities insist that the North Korean government is behind the cyberattack on Sony Pictures Entertainment.

    Cybersecurity experts? Many are not convinced.

    From the time the hack became public Nov. 24, many of these experts have voiced their suspicions that a disgruntled Sony Pictures insider was involved.

    Respected voices in the online security and anti-hacking community say the evidence presented publicly by the FBI is not enough to draw firm conclusions.

    They argue that the connections between the Sony hack and the North Korean government amount to circumstantial evidence. Further, they say the level of the breach indicates an intimate knowledge of Sony’s computer systems that could have come from someone on the inside.

    “We can’t find any indication that North Korea either ordered, masterminded or funded this attack,” Kurt Stammberger, a senior vice president at Norse, said in an interview with The Times.

    President Obama this month said North Korea was behind the Sony attack and pledged a “proportional” response. North Korea’s Internet suffered outages in the days following the announcement. The U.S. hasn’t taken responsibility for the outages, but North Korea has blamed Obama.

    But analysts said attribution in cyberattacks is difficult, and hackers are skilled in obfuscation and misdirection to avoid getting caught. Also, software-wiping technology used by the so-called Guardians of Peace group against Sony is widely available to hackers and can be easily purchased. Many were surprised that the FBI made its announcement so quickly.

    “You don’t want to jump to conclusions in a cyberattack,” said Rob Sloan, head of cybercontent and data at Dow Jones. “Attributing attacks is really a non-scientific art.”

    Even skeptics who doubt the attack was state-sponsored said the FBI may have more convincing evidence that it has chosen to keep secret.

    Reply
  24. Tomi Engdahl says:

    Moreover, because of the way that antivirus programs are sandboxed on a phone or tablet, it’s exceedingly difficult to do anything about them.
    Read more at http://hothardware.com/reviews/security-research-at-the-hague-the-mobile-malware-threat?page=2#dQAIOTr9SLF7HtiH.99

    Reply
  25. Tomi Engdahl says:

    U.K. police allegedly arrest Lizard Squad hacker
    http://www.dailydot.com/crime/lizard-squad-vinnie-omari-arrested/

    A member of the hacker group that claimed responsibility for the Christmas Day shutdown of Sony and Microsoft’s gaming networks has been arrested.

    Vinnie Omari, a 22-year-old member of the group Lizard Squad, was arrested on Monday after British law enforcement agents from the South East Regional Organized Crime Unit raided his home. Omari confirmed the raid with the Daily Dot, and provided a photo of the search warrant he received.

    “They took everything,” Omari told the Daily Dot in an email. “Xbox one, phones, laptops, computer USBs, etc.”

    A press release from the Thames Valley Police confirms that a 22-year-old man was arrested Monday “on suspicion of fraud by false representation and Computer Misuse Act offense.”

    Lizard Squad took credit for the Dec. 25 distributed denial-of-service (DDoS) attacks against the PlayStation Network and Xbox Live.

    Reply
  26. Tomi Engdahl says:

    Jon Southurst / CoinDesk:
    Japanese police suspect 99% of bitcoins missing from Mt. Gox are due to internal system manipulation, not hack

    Missing Mt Gox Bitcoins Likely an Inside Job, Say Japanese Police
    http://www.coindesk.com/missing-mt-gox-bitcoins-inside-job-japanese-police/

    Reply
  27. Tomi Engdahl says:

    Jeff Grubb / VentureBeat:
    Sony to give PlayStation Network members 10% off one transaction in PlayStation Store to make up for outage; qualifying PSN Plus subscribers get five days extra

    http://venturebeat.com/2015/01/01/heres-how-sony-is-going-to-make-up-for-the-psn-outage/

    Reply
  28. rfid card case wallet says:

    I initially had the Aluma Wallet nevertheless filled it to complete and broke it which i
    discovered these together with what a great price. The primary
    purpose I did not provide five stars is really simply because the Aluma wallet holds somewhat bigger card
    then these handbags. Something wider an ordinary bank card will not easily fit into
    this wallet. Which I involve some cards that are only a little wider an ordinary bank card.

    Reply
  29. Maude says:

    Its so frustrating to see the amount of professionals
    and SEO gurus who don’t know anything
    Added to Digg, someone will like it

    Reply
  30. technology blogs says:

    That doesn’t mean there aren’t downsides, though. I think
    you havce a really good viewpoint however and I like the angle you came from
    on this.

    Reply

Leave a Comment

Your email address will not be published. Required fields are marked *

*

*