Security trends for 2014

Year 2014 will be a year of cybersecurity after the NSA revelations made in 2013. The headline news was that the NSA has surreptitiously “burrowed its way into nearly all the security architecture” sold by the world’s largest computer networking companies. A lot of people were shocked by how the NSA monitored and hacked almost everything on the Internet. There will still be NSA aftershocks as new material comes out and different parties react to it (and news sources write about it). U.S. cloud services have been put into question for good reason. There will be a lot of NSA spying litigation. Those spying issues will also fuel some hacktivism (it has already started to happen).

The Security Professionals: Top Cyber Threat Predictions for 2014 article lists the following predictions, which seem pretty probable: Cybersecurity Regulatory Efforts Will Spark Greater Need for Harmonization, Service-Impacting Interruptions for Online Services Will Persist, We Will See an Increase in Cybercrime Activity Related to the World Cup, Rise of Regional Cloud Services, Dev-Ops Security Integration Fast Becoming Critical, Cybercrime that Leverages Unsupported Software will Increase, Increase in Social Engineering and Ransomware will Impact More People.

Ubiquitous mobile computing is all around us, which will lead to increased risks and concerns about social network privacy. Social networks have quickly become the key organizing principle of Internet communication and collaboration. Android anti-virus apps CAN’T kill nasties on sight like normal AV.

2013 was a very hacked year, with many cases where information on millions or tens of millions of users was stolen from companies. It’s likely that we will see much more of the same in 2014, as the way people use passwords and the way on-line services are built have not changed much in one year.


Gartner predicts that through 2014, improved JavaScript performance will begin to push HTML5 and the browser as a mainstream enterprise application development environment. I expect HTML5-related security issues to increase because the technology will be used more in 2014.

Over 50% of net traffic to web sites is made by bots! The More Than Half of Internet Traffic Is Just Bots article says that security and cloud service provider Incapsula analyzed traffic and found that more than 60 percent of internet traffic is computer generated, compared to less than 40 percent driven by human clicks. 31% of bots are still malicious. SEO link building has always been a major motivation for automated link spamming, but it is decreasing because Google has been able to discourage it. There is more advanced hacking and automatic vulnerability searching.

DDoS attacks are evolving from volumetric Layer 3-4 attacks to much more sophisticated and dangerous Layer 7 multi-vector threats.

There will still be many SCADA security issues in 2014. Even though traditional SCADA vulnerabilities have become easier to find, the increased connectivity brought by IoT will cause new issues. And there will still be very many control systems openly accessible from the Internet to practically anybody who knows how to find them. A large number of SCADA systems were found open on the Internet in the beginning of 2013, and the numbers have not dropped considerably during the year. I expect that very many of those systems will still be too open at the end of 2014.

The Internet is expanding into enterprise assets and consumer items such as cars and televisions. The Internet of Things (IoT) will evolve into the Web of Things, increasing the coordination between things in the real world and their counterparts on the Web. There will be many security issues to solve, and as these systems become more widely used, more security issues will be found in them.

Cloud security will be talked about. Hopefully there will be some clearing-up of the terminology in that area, because cloud security can mean a lot of things, just like the term cloud computing. Cloud security could mean how secure your cloud provider is, a service that runs in the cloud filtering what comes through it (for example e-mails or web traffic), a product protecting some service running in the cloud, or a traditional anti-virus service that connects to the cloud to improve its operation (for example to update in real time, or to verify unknown programs based on data in the cloud). Research firm Gartner forecasts that cloud security sales will increase dramatically in the next few years. Cloud security sales have increased by $2.1 billion over the past year, to $3.1 billion in 2015.

Marketers try to put the term “cloud” into security product brochures as much as they can. The cloud makes traditional information security sound old-fashioned, because companies are under pressure to move services to the cloud. Also, mobile devices and dispersed users set new standards for information security. OpenDNS’s CTO Dan Hubbard says that “Because the data and equipment run in the cloud, protecting users from the cloud is the best way to protect them.” The Snowden effect will also bring PRIVATE cloud talk to the table this year for security reasons, because U.S. cloud services have been put into question for good reason.

In Finland a new Cyber Security Center started in the beginning of 2014. Security articles and warnings from it will be published at kyberturvallisuuskeskus.fi.

Late addition: Crypto-currencies like Bitcoin and similar are on the rise. Early adopters already use them actively. Those crypto-currencies have many security issues related to them. The values of the crypto-currencies vary quite a lot, and the value easily drops considerably when they become so widely used that different governments try to limit their use. Bitcoin is increasingly used as a ransomware payment method. Bitcoins have been stolen quite a lot lately (and I expect that to increase as usage increases); they are stolen from users, from on-line wallets and from exchanges. When more money is involved, more bad guys try to get in to take some of it. Sometimes bad guys do not try to steal your money, but use resources you pay for (your own PC, your server capacity, etc.) to generate money for them without you knowing about it. If you plan to use those crypto-currencies, be careful to understand what you are doing with them; there is a real possibility that you can lose your money, and there is no way that lost money can be recovered.

3,382 Comments

  1. Tomi Engdahl says:

    We’re listening: Additional steps to protect your privacy
    http://blogs.technet.com/b/microsoft_on_the_issues/archive/2014/03/28/we-re-listening-additional-steps-to-protect-your-privacy.aspx

    Effective immediately, if we receive information indicating that someone is using our services to traffic in stolen intellectual or physical property from Microsoft, we will not inspect a customer’s private content ourselves. Instead, we will refer the matter to law enforcement if further action is required.

    Reply
  2. Tomi Engdahl says:

    Big Yellow loses its head… again: Symantec, we need to talk
    Enormo security firm needs to get serious about acquisitions
    http://www.channelregister.co.uk/2014/03/24/comment_on_symantec/

    Symantec recently fired Steve Bennett, its second CEO in two years.

    Profits up but revenue down. Clearly financial engineering and cost-cutting is not the answer to the “How will we raise revenues?” question the board is asking.

    At the time we wrote: “Salem, we think, got the bullet for failing to conquer the mobile security market, his handling of the Backup Exec outrage, and … humdrum financial performance.”

    Symantec largely operates within its installed base comfort zone, making minor tweaks to existing products to preserve their revenue streams, and seemingly afraid of doing anything to disturb those revenue streams.

    Reply
  3. Tomi Engdahl says:

    NSA performed warrantless searches on Americans’ calls and emails – Clapper
    http://www.theguardian.com/world/2014/apr/01/nsa-surveillance-loophole-americans-data

    NSA used ‘back door’ to search Americans’ communications
    Director of national intelligence confirms use of new legal rule
    Data collected under ‘Prism’ and ‘Upstream’ programs

    Reply
  4. Tomi Engdahl says:

    NSA chief’s legacy is shaped by big data, for better and worse
    Gen. Keith Alexander, who just retired as NSA director, achieved ‘absolutely invaluable’ results with digital spying but failed to anticipate how the public would feel about privacy.

    http://www.latimes.com/nation/la-na-alexander-nsa-20140331,0,6256842.story#ixzz2xht8O7Qe

    Reply
  5. Tomi Engdahl says:

    SmartTV, dumb vuln: Philips hard-codes Miracast passwords
    Best not browse smut on this TV
    http://www.theregister.co.uk/2014/04/02/smarttv_dumb_vuln_philips_hardcodes_miracast_passwords/

    Demonstrating once again that consumer electronics companies don’t understand security, ReVuln has turned up a hard-coded password in Philips “smart” televisions.

    Shown off in the video below, the vulnerability is simplicity itself: the WiFi Miracast feature is switched on by default, has a fixed password (“Miracast”, for heaven’s sake), no PIN, and doesn’t request permission for new WiFi connections.

    Reply
  6. Tomi Engdahl says:

    Letter Tells of U.S. Searches for Emails and Calls
    http://www.nytimes.com/2014/04/02/us/politics/letter-puts-focus-on-us-searches-for-americans-emails-and-calls.html?_r=1

    United States intelligence analysts have searched for Americans’ emails and phone calls within the repository of communications that the government collects without a warrant, according to a letter from James R. Clapper Jr., the director of national intelligence, to Senator Ron Wyden, Democrat of Oregon.

    The March 28 letter was not the first official confirmation that both the National Security Agency and the C.I.A. had carried out such searches.

    “It is now clear to the public that the list of ongoing intrusive surveillance practices by the N.S.A. includes not only bulk collection of Americans’ phone records, but also warrantless searches of the content of Americans’ personal communications,”

    Reply
  7. Tomi Engdahl says:

    Password bug let me see shoppers’ credit cards in eBay ProStores, claims infosec bod
    Online bazaar fixes store account hijack flaw, we’re told
    http://www.theregister.co.uk/2014/04/01/ebay_stores_vuln/

    “In short, it was possible to change the password of another administrator, then you could log in as that user with full administrative access to the store,”

    Reply
  8. Tomi Engdahl says:

    UK regulators: We will be CHECKING UP on banks’ IT systems
    ‘Major outages… completely unacceptable’ – FCA
    http://www.theregister.co.uk/2014/04/02/bank_it_systems_review_regulators/

    “The aim is to assess how well firms manage their own exposure to risks, to what extent IT risks are discussed at board level, and whether boards have the skills and expertise to challenge executive decisions,” the FCA said.

    Woods said that major IT outages are “completely unacceptable” and that they present a “threat to financial stability”.

    Reply
  9. Tomi Engdahl says:

    European Cybercrime Centre at Europol warns about Windows XP security risks
    https://www.europol.europa.eu/content/european-cybercrime-centre-europol-warns-about-windows-xp-security-risks

    The European Cybercrime Centre (EC3) at Europol warns about security risks related to the end of Windows XP support. After 8 April 2014, Windows will stop supporting its Windows XP operating system. This means that from that day forward, security vulnerabilities will not be fixed, leaving computers potentially vulnerable to attacks. Since Windows XP is still the second most popular operating system in use, the number of potential victims is cause for serious concern. Therefore, the EC3 advises Windows XP users to upgrade or change their operating system before 8 April.

    According to Troels Oerting, Head of EC3, the April deadline will work as a red flag for hackers. “People have to realise that if they connect to the Internet with a Windows XP machine after 8 April, they will become easy targets for hackers. This goes for individuals as well as for companies and government services. If you realise you can no longer lock your front door, you call a locksmith to change it. This is the same.”

    Reply
  10. Tomi Engdahl says:

    NSA had deeper hooks in RSA than first thought
    Back doors, man
    http://www.theinquirer.net/inquirer/news/2337440/nsa-had-deeper-hooks-in-rsa-than-first-thought

    SECURITY FIRM RSA has been accused of compromising its integrity for the US National Security Agency (NSA) for the second time, each time giving the NSA access to place backdoors in its software.

    RSA repeated what it did with the Dual Elliptic Curve encryption algorithm in the “Extended Random” extension for secure websites.

    “We trusted them because they are charged with security for the US government and US critical infrastructure.”

    Reply
  11. Tomi Engdahl says:

    Hack of Boxee.tv exposes password data, messages for 158,000 users
    Huge file circulating online contains e-mail addresses, full message histories.
    http://arstechnica.com/security/2014/04/hack-of-boxee-tv-exposes-password-data-messages-for-158000-users/

    Hackers posted names, e-mail addresses, message histories, and partially protected login credentials for more than 158,000 forum users of Boxee.tv, the Web-based television service that was acquired by Samsung last year, researchers said.

    McIntyre said he acquired a copy of the enormous MySQL database last week and found entries known to belong to some of his company’s clients in it.

    Reply
  12. Tomi Engdahl says:

    Alleged Silk Road Creator’s Lawyer Denies Bitcoin Is ‘Monetary Instrument,’ Moves To Drop All Charges
    http://www.forbes.com/sites/andygreenberg/2014/04/01/alleged-silk-road-creators-lawyer-denies-bitcoin-is-monetary-instrument-moves-to-drop-all-charges/

    The trial of Ross Ulbricht, the alleged creator of the Silk Road Bitcoin-based black market for drugs, hasn’t yet begun, but it’s already raising hairy legal questions. First on the docket: Is Bitcoin even money?

    Reply
  13. Tomi Engdahl says:

    Dimwit hackers use security camera DVRs as SUPER-SLOW Bitcoin-mining rig
    ‘Seriously, this is just wasting electricity’ huffs securo boffin
    http://www.theregister.co.uk/2014/04/02/dvr_botnet_mines_bitcoins/

    Miscreants are using hacked digital video recorders in a somewhat misguided attempt to mine cryptocurrency BitCoins.

    Hackers have created custom code to infect devices normally used for recording footage from security cameras. After getting in, likely by taking advantage of weak default passwords, a common security mistake with embedded devices, the ne’er-do-wells plant malicious code. This malware scans for vulnerable Synology Disk Stations as well as attempting to mine BitCoins.

    “The malware is an ARM binary, indicating that it is targeting devices, not your typical x86 Linux server,”

    Reply
  14. Tomi Engdahl says:

    Win32/Sality newest component: a router’s primary DNS changer named Win32/RBrute
    http://www.welivesecurity.com/2014/04/02/win32sality-newest-component-a-routers-primary-dns-changer-named-win32rbrute/

    Win32/Sality is a family of malware that has been using a peer-to-peer botnet since at least 2003. It is a file infector and a trojan downloader, the latter of which is mainly used to send spam, although it has been used for different purposes such as faking advertising network traffic, distributed denial of service or VoIP account cracking.

    Lately, a new component has now appeared with some novel characteristics: the ability to change a residential broadband gateway router’s primary DNS address

    Win32/RBrute.A tries to find the administration web pages for routers by downloading a list of IP addresses from its C&C server to scan and then reporting back its findings. At the time of our investigation, Win32/RBrute.A targeted the following routers

    If a web page is found, the C&C sends a short list of about ten passwords to the bot and instructs it to perform a brute force password guess attack against the router. If the bot is able to log in to the router, it will then proceed to change the router’s primary DNS server settings.

    Reply
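
Detection logic for the behaviour described in the comment above (a burst of failed router admin logins from one source, a success, then a change of the primary DNS server), written as an added example for this post and not taken from the ESET write-up. The log line format, the addresses (documentation ranges) and the timestamps are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed router admin-interface log lines (not from any real device).
# The first source fails four times, logs in, then rewrites the primary DNS;
# the second source is a normal administrator session.
SAMPLE_LOG = """\
2014-04-02T10:00:01 src=198.51.100.7 path=/login status=401
2014-04-02T10:00:02 src=198.51.100.7 path=/login status=401
2014-04-02T10:00:03 src=198.51.100.7 path=/login status=401
2014-04-02T10:00:04 src=198.51.100.7 path=/login status=401
2014-04-02T10:00:05 src=198.51.100.7 path=/login status=200
2014-04-02T10:00:06 src=198.51.100.7 path=/dns status=200 primary_dns=203.0.113.9
2014-04-02T10:30:00 src=192.168.1.20 path=/login status=200
2014-04-02T10:30:30 src=192.168.1.20 path=/status status=200
"""

LINE_RE = re.compile(
    r"^(\S+) src=(\S+) path=(\S+) status=(\d{3})(?: primary_dns=(\S+))?$"
)


def parse(log):
    """Turn the constructed log text into event dicts; unparseable lines are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, src, path, status, dns = m.groups()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "src": src,
            "path": path,
            "status": int(status),
            "dns": dns,
        })
    return events


def detect_rbrute_pattern(events, min_failures=3, window_seconds=60):
    """Flag a source that fails login at least min_failures times inside
    window_seconds, then succeeds, then changes the primary DNS server.
    A plain successful login followed by a DNS change is not flagged, so a
    legitimate administrator does not trip the rule."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        failures = []        # timestamps of recent failed logins
        guessed_in = False   # True once a success follows a failure burst
        for e in evs:
            # Drop failures that fell out of the sliding window.
            failures = [t for t in failures
                        if (e["ts"] - t).total_seconds() <= window_seconds]
            if e["path"] == "/login" and e["status"] == 401:
                failures.append(e["ts"])
            elif e["path"] == "/login" and e["status"] == 200:
                guessed_in = len(failures) >= min_failures
            elif e["path"] == "/dns" and e["status"] == 200 and e["dns"] and guessed_in:
                alerts.append({
                    "src": src,
                    "new_primary_dns": e["dns"],
                    "failed_attempts": len(failures),
                    "at": e["ts"].isoformat(),
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_rbrute_pattern(parse(SAMPLE_LOG)):
        print(alert)
```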
  15. Tomi Engdahl says:

    Tesla’s Model S can be located, unlocked, and burglarized with a simple hack
    http://www.extremetech.com/extreme/179556-teslas-model-s-can-be-located-unlocked-and-burglarized-with-a-simple-hack

    While Tesla’s Model S might be physically the safest car on the road, once it’s parked up by the curb, it’s not very secure at all. That’s according to a security researcher, who says the Model S is very vulnerable to some rudimentary hacking techniques, allowing a would-be thief to remotely locate your car, unlock its doors, and then steal all your stuff. Fortunately, the researcher hasn’t yet found a way of starting a Model S without the key fob, but given how security always eventually falls to hackers, it’s just a matter of time.

    The use of just a password is known as single-factor authentication, and it’s an absolute no-no in the security industry if you’re protecting absolutely anything of value. To add insult to injury, Tesla only enforces a minimum password length of six characters with at least one number — a perilously weak password scheme, especially when combined with the fact that the Tesla website doesn’t appear to limit incorrect login attempts.

    Single-factor authentication is also very weak to phishing, malware, people using the same password on multiple services, email account compromises (“yes, I forgot my Tesla password, please email me the reset link…”).

    Beyond those rather easy hacks, Dhajani also took a brief look at the security of the Model S’s on-board computer and networking subsystems. He used a WiFi sniffer to see which IP addresses the Model S connects to (for the remote unlock and other telemetry features).

    Reply
  16. Tomi Engdahl says:

    FTC Halts Massive Tech Support Scams
    http://www.ftc.gov/news-events/press-releases/2012/10/ftc-halts-massive-tech-support-scams

    Tens of Thousands of Consumers Allegedly Tricked Into Paying for Removal of Bogus Viruses and Non-Existent Spyware, and Allowing Scammers to Remotely Access their Computers

    “The FTC has been aggressive – and successful – in its pursuit of tech support scams,” said FTC Chairman Jon Leibowitz. “And the tech support scam artists we are talking about today have taken scareware to a whole other level of virtual mayhem.”

    The FTC charged that the operations – mostly based in India – target English-speaking consumers in the United States, Canada, Australia, Ireland, New Zealand, and the U.K. According to the FTC, five of the six used telemarketing boiler rooms to call consumers. The sixth lured consumers by placing ads with Google which appeared when consumers searched for their computer company’s tech support telephone number.

    Reply
  17. Tomi Engdahl says:

    F-Secure: greater danger than an aging XP for small businesses

    An F-Secure survey showed that small and medium-sized enterprises have a lot to do regarding the information security of the variety of software they use.

    Security company F-Secure commissioned international research in November; the results show that an estimated 40 per cent of small and medium-sized businesses use outdated software. This refers to programs that do not have the latest security updates.

    Yet nearly all respondents considered it important to update the software. Companies with fewer than 50 employees spend on average three hours a week on updates, while enterprises with more than 250 employees spend more than 15 hours a week on updates.

    A large proportion of the respondents had too few resources for taking care of updates.

    - The general misconception is that the problem is the operating system. However, this is not the case, because operating systems are maintained and updated relatively well. The real problem is applications in corporate and private use – most commonly Java, Flash, Adobe Reader, and web browsers with many plugins. Few users know what software is installed, not to mention the security risks they pose

    Source: Digitoday
    http://www.digitoday.fi/tietoturva/2014/04/03/f-secure-vanhenevaa-xpta-suurempi-vaara-uhkaa-pienyrityksia/20144749/66?rss=6

    Reply
  18. Tomi Engdahl says:

    Interesting thoughts:

    How Microsoft can keep Win XP alive – and WHY: A real-world example
    Redmond needs to discover the mathematics of trust
    http://www.theregister.co.uk/2014/04/02/the_mathematics_of_trust/

    How Microsoft chose to handle the Windows XP end-of-life is a great starting point for a discussion about the ethics and obligations of high-tech companies.

    To understand what kinds of decisions destroyed my faith, let’s examine Microsoft’s handling of XP end-of-life: the decision to discontinue support, security patches and other updates from April 8, 2014.

    Of the 57 clients I work with, 43 of them are in positions where they simply cannot upgrade all their Windows XP systems in use. The choices for them are “run an insecure operating system” or “go out of business.” There are countless businesses around the world facing similar issues; indeed, Windows XP still accounts for more than 20 per cent of all detected Windows computers connected to the internet.

    Microsoft can offer affordable security to these companies. It chooses not to.

    I have been told by people I trust to know such things that it should take no more than 25 full-time programmers to provide ongoing patching support for Windows XP. Let’s double that number to 50 just to be on the safe side.

    Based on the above we get 50 x $500,000 x 2 = $50m as the cost of ongoing yearly Windows XP support for Microsoft.

    If all 2 million XP boxes that have a good reason to be XP boxes pay the cost of a Windows Professional license every three years, in order to obtain ongoing support, Microsoft would bring in $130m a year.

    Such a move would start to rebuild trust. The total cost of support for XP is a minor marketing expense.

    Reply
  19. Tomi Engdahl says:

    Ad tracking: Is anything being done?
    http://www.computerworld.com/s/article/9247217/Ad_tracking_Is_anything_being_done_

    With online tracking on the rise and Do Not Track efforts moving ahead slowly, users and browser vendors have been taking matters into their own hands.

    Efforts in the W3C working group are continuing, but Zaneis thinks the most likely scenario is that the industry will work with “a few key players” to develop a policy that’s an extension of a self-regulatory program developed by the Digital Advertising Alliance (DAA), an industry consortium.

    A Do Not Track policy with all parties as signatories would be a good first step toward addressing these issues across all platforms, and Brookman remains optimistic that a negotiated agreement still can be hammered out.

    Zaneis says advertisers won’t be coerced into an agreement. “The $40 billion U.S. ad industry will not be strong-armed by advocates into agreeing to a standard that does nothing to further privacy or allow the Internet to prosper,”

    Reply
  20. Tomi Engdahl says:

    More businesses trust the cloud … despite Snowden concerns
    http://www.cloudpro.co.uk/cloud-essentials/cloud-security/3951/more-businesses-trust-the-cloud-despite-snowden-concerns

    A survey tries to spread fear about the cloud even though more of us trust it. Why all the FUD?

    The Edward Snowden ‘NSA snooping’ revelations are a story that just keeps on giving.

    The Lieberman survey, conducted with the help of 280 IT security professionals at the 2014 RSA conference in San Francisco, revealed that “government surveillance is driving a third of organisations away from the cloud … with the majority preferring to store sensitive data on premise rather than in the cloud because of fear of government snooping”.

    I can understand the headline figure of 80 percent of respondents preferring to keep ‘more sensitive data’ within the network boundaries – we here at Cloud Pro have been covering the 80/20 rule and data classification in the cloud as a result

    The research suggests that “fear of government snooping discourages 33 per cent of IT professionals from the cloud”

    “When Lieberman Software undertook the same survey in November, 2012” it admitted “48 per cent of respondents were discouraged from using the cloud because of fear of government snooping”.

    a survey of 1,000+ global business leaders suggests some 90 per cent have changed the way they use the cloud and a third are moving data to locations where they know it will be safe

    The Guardian describes what is happening as something of a paradigm shift in IT purchasing, where geography is as important as price and quality.

    Reply
  21. Tomi Engdahl says:

    European Cybersecurity to standardise under ETSI
    http://www.edn-europe.com/en/european-cybersecurity-to-standardise-under-etsi.html?cmp_id=7&news_id=10003751&vID=44#.Uz1R3FdM0il

    The European Telecommunications Standards Institute (ETSI) has opened a new technical committee on Cybersecurity to address the growing demands for standards in this field.

    Reply
  22. Tomi Engdahl says:

    Did you believe your data traffic was protected?

    In Finland, the mobile operators do not encrypt LTE network traffic from the base station onward. The telecommunications sector standardization organization 3GPP does not require traffic encryption in the LTE specification.

    In Germany, for example, all operators encrypt traffic; in the USA and Russia part of the operators are turning to encryption, mainly because of massive organized crime networks.

    Getting access to the base station premises is not that much of a thing, if you want to get in there. The station’s traffic passes over an Ethernet cable.

    Source: Tietokone
    http://www.tietokone.fi/artikkeli/uutiset/uskoitko_dataliikenteesi_olevan_suojassa_suomessa_4g_liikenne_kulkee_salaamattomana

    Reply
  23. Tomi Engdahl says:

    Facebook paid 330 security researchers $1.5M in 2013; adds Instagram, Parse, Atlas, Onavo to Bug Bounty program
    http://thenextweb.com/facebook/2014/04/03/facebook-paid-330-security-researchers-1-5-million-2013-part-bug-bounty-program/

    In total, Facebook received 14,763 submissions in 2013 (each one reviewed individually by a security engineer)

    Of those, only 687 (just 4.65 percent) were valid and eligible to receive rewards. The average reward was $2,204, and Facebook said the majority of bugs were discovered in “non-core properties,” such as websites operated by companies it has acquired.

    Furthermore, just 6 percent of those eligible bugs were categorized as high severity. Facebook says its median response time for these critical issues was just six hours, from reading the first submission to implementing an initial fix, and it’s going to keep trying to lower that number going forward.

    Reply
  24. Tomi Engdahl says:

    How to respond to a data breach
    GAO: Data breaches have more than doubled since 2009, how should government, companies respond?
    http://www.networkworld.com/news/2014/040214-data-breach-280311.html?page=1

    Establish a data breach response team
    Train employees on roles and responsibilities for breach
    Prepare reports on suspected data breaches and submit them to appropriate internal and external entities
    Assess harm
    Offer assistance to affected individuals (if appropriate)
    Analyze breach response and identify lessons learned

    Reply
  25. Tomi Engdahl says:

    Bitcoin crackdown in China halts bank transfers for two exchanges
    China’s central bank is forcing the closure of banking accounts operated by the exchanges
    http://www.itworld.com/internet/412901/bitcoin-crackdown-china-halts-bank-transfers-two-exchanges

    Reply
  26. Tomi Engdahl says:

    French firms: You want us to compile DATABASES… of our SECRET information?
    New law increases cyber attack risks, biz fumes to govt
    http://www.theregister.co.uk/2014/04/04/french_firms_to_gov_you_want_us_to_compile_a_database_of_secret_information/

    Businesses in France are being asked to compile a database of commercially sensitive information that will potentially attract increased interest from cyber criminals.

    Changes to employment laws in the country will require businesses with more than 50 employees to create a database for worker representatives to be able to access. The database must contain information such as details of business assets, employee salaries and forecasts outlining the strategic direction of the company.

    The reform raises a general issue regarding the protection of confidential business information. Practically, it will be the first time that such a comprehensive central database of confidential information will be created and made available to such a large group of people, many of which may never have accessed such information so easily and had access to such a full picture about a company.

    The most worrying part of this change is related to the security of the database. Although the database will be accessible solely to members of work councils, it may be stored on a company’s intranet or on a network which could be accessible remotely.

    Reply
  27. Tomi Engdahl says:

    EMC intros data protection-as-a-service: You shall D-PAAS
    Firm faces up to virtual reality
    http://www.theregister.co.uk/2014/04/04/emc_boosts_data_protection/

    As the world is moving towards software-defined data centres with infrastructure components virtualised and delivered as a service, data protection appears to be going the same way.

    EMC has gone and boosted its offerings to do just this.

    The company says it is adding “new integrations with primary and protection storage platforms, and with hypervisors and enterprise applications, while extending support for cloud environments and delivering new technologies that enable data protection-as-a-service delivery.”

    Reply
  28. Tomi Engdahl says:

    SQL Injection Fools Speed Traps and Clears Your Record
    http://hackaday.com/2014/04/04/sql-injection-fools-speed-traps-and-clears-your-record/

    Typical speed camera traps have built-in OCR software that is used to recognize license plates. A clever hacker decided to see if he could defeat the system by using SQL Injection…

    SQL Injection in the Wild
    http://blog.ioactive.com/2013/03/sql-injection-in-wild.html

    In fact the OWASP Top-10 list of Web threats lists SQL Injection in first place.

    More often than not, when security professionals discuss SQL Injection threats and attack vectors, they focus upon the Web application context.

    While the image above is amusing, I’ve encountered similar problems before when physical tracking systems integrate with digital backend processes – opening the door to embarrassing and fraudulent events.

    Unlike the process of hunting for SQL Injection vulnerabilities within Internet accessible Web applications, you can’t just point an automated vulnerability scanner at the application and have at it. Assessing the security of complex physical monitoring systems is generally not a trivial task and requires some innovative approaches.

    Reply
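
A worked illustration of the point in the comment above, written for this post and not taken from the Hackaday or IOActive articles: the same fine-register lookup done the way a careless OCR-to-database integration does it, next to a hardened version that validates the OCR output against a plate grammar and binds it as a parameter. The register contents, the plate format rule and the crafted plate text are constructed assumptions.

```python
import re
import sqlite3

# Plate grammar assumed for this example: 1 to 7 upper-case letters or digits.
# Real registration formats differ per country; this is a constructed rule.
PLATE_RE = re.compile(r"^[A-Z0-9]{1,7}$")


def build_fine_register():
    """Constructed sample fine register: plate -> outstanding fine amount."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE fines (plate TEXT NOT NULL, amount INTEGER NOT NULL)")
    conn.executemany(
        "INSERT INTO fines VALUES (?, ?)",
        [("ABC123", 120), ("XYZ789", 80), ("KLM456", 200)],
    )
    conn.commit()
    return conn


def lookup_fines_vulnerable(conn, ocr_plate):
    """The weak backend path: the text the camera's OCR produced is pasted
    straight into the SQL statement, so whatever the plate says runs as SQL."""
    sql = "SELECT plate, amount FROM fines WHERE plate = '%s'" % ocr_plate
    return conn.execute(sql).fetchall()


def lookup_fines_hardened(conn, ocr_plate, rejected=None):
    """The hardened path: the OCR output must match the plate grammar, and it
    is passed as a bound parameter so the database only ever compares it as
    data. Rejected inputs are recorded so analysts can see tampering attempts."""
    if not PLATE_RE.fullmatch(ocr_plate):
        if rejected is not None:
            rejected.append(ocr_plate)
        raise ValueError("rejected OCR output: %r" % ocr_plate)
    return conn.execute(
        "SELECT plate, amount FROM fines WHERE plate = ?", (ocr_plate,)
    ).fetchall()


def demo():
    """Run both paths on a normal plate and on a plate crafted to read as SQL."""
    conn = build_fine_register()
    crafted = "' OR '1'='1"   # constructed: OCR text that turns the WHERE clause into a tautology
    rejected = []
    results = {
        "vulnerable_normal": lookup_fines_vulnerable(conn, "ABC123"),
        # With the crafted plate the vulnerable query returns every row in the register.
        "vulnerable_crafted": lookup_fines_vulnerable(conn, crafted),
        "hardened_normal": lookup_fines_hardened(conn, "ABC123", rejected),
    }
    try:
        lookup_fines_hardened(conn, crafted, rejected)
        results["hardened_crafted"] = "accepted"
    except ValueError:
        results["hardened_crafted"] = "rejected"
    results["rejected_log"] = rejected
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```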
  29. Tomi Engdahl says:

    Hacker holds key to free flights
    http://www.itnews.com.au/News/381803,hacker-holds-key-to-free-flights.aspx

    A security boffin claims to have developed a method to score free flights across Europe by generating fake boarding passes designed for Apple’s Passbook app.

    The feat, the efficacy of which cannot be verified directly by SC Magazine, has stumped Europe’s aviation authority. The boarding gate scanners should reconcile a passenger’s ticket with the airline’s departure database to ensure only legitimate passengers board.

    Reply
  30. Tomi Engdahl says:

    Five-year-old finds Xbox password backdoor, hacks dad’s Live account
    Boy, they’re starting young these days
    http://www.theregister.co.uk/2014/04/04/five_year_olds_xbox_live_password_hack/

    A five-year-old lad has humbled Microsoft’s security team by finding and exploiting a password bug in his Xbox to log into his father’s Xbox Live account.

    navigating to a password verification screen, and filling the password box with space characters before hitting the submit button. After that, the door was open.

    Reply
  31. Tomi Engdahl says:

    Triathlete injured as drone filming race falls to ground
    http://www.abc.net.au/news/2014-04-07/triathlete-injured-as-drone-filming-race-drops-to-ground/5371658

    Reports that a drone hit an athlete competing in a triathlon in Western Australia’s Mid West

    Mr Abrams said an initial investigation had indicated that someone nearby “channel hopped” the device, taking control away from the operator.

    Channel hopping is a form of hacking which can render the drone uncontrollable to the original operator.

    Mr Abrams said it was a deliberate act and it would be difficult to determine who was responsible.

    Comment from http://tech.slashdot.org/story/14/04/07/0248230/uav-operator-blames-hacking-for-malfunction-that-injured-triathlete

    Something went wrong, he throws up the “it wasn’t me it must be those evil hackers” defence rather than accepting the blame for putting his device together poorly or letting it go out of range. There would be no way of knowing for sure if another device took control during the incident (because who would build that in to a home made UAV), so he *may* be telling the truth

    Reply
  32. Tomi Engdahl says:

    Not Just Apple: GnuTLS Bug Means Security Flaw For Major Linux Distros
    http://linux.slashdot.org/story/14/04/06/1322236/not-just-apple-gnutls-bug-means-security-flaw-for-major-linux-distros

    According to an article at Ars Technica, a major security bug faces Linux users, akin to the one recently found in Apple’s iOS (and which Apple has since fixed).

    Critical crypto bug leaves Linux, hundreds of apps open to eavesdropping
    This GnuTLS bug is worse than the big Apple “goto fail” bug patched last week.
    http://arstechnica.com/security/2014/03/critical-crypto-bug-leaves-linux-hundreds-of-apps-open-to-eavesdropping/

    Hundreds of open source packages, including the Red Hat, Ubuntu, and Debian distributions of Linux, are susceptible to attacks that circumvent the most widely used technology to prevent eavesdropping on the Internet, thanks to an extremely critical vulnerability in a widely used cryptographic code library.

    The bug in the GnuTLS library makes it trivial for attackers to bypass secure sockets layer (SSL) and Transport Layer Security (TLS) protections available on websites that depend on the open source package. Initial estimates included in Internet discussions such as this one indicate that more than 200 different operating systems or applications rely on GnuTLS to implement crucial SSL and TLS operations.

    Reply
  33. Tomi Engdahl says:

    Comment from http://linux.slashdot.org/story/14/04/06/1322236/not-just-apple-gnutls-bug-means-security-flaw-for-major-linux-distros

    Debian was fixed on the 3rd of March which is the date of the Debian Security Advisory [debian.org],

    The impact of this bug does not compare to the goto fail bug. Most Linux distributions use OpenSSL for TLS. Even if a program links to GnuTLS, it may not use GnuTLS for certificate validation, and if it doesn’t, then it’s not affected by this bug (one example is Google Chrome).

    2) Hardly anything uses the GNU TLS library, and for the same reason people have been advising against Apple’s rewrite of security libraries: because it’s better to use something that’s had over a decade of development and review and is widely deployed across a series of platforms;

    There are two distinct parts of SSL/TLS: encryption and authentication. In this case it’s only the authentication portion that has an issue, not the encryption portion. There are several places in which GnuTLS is used for encryption but not authentication, such as MTA (email) transfers over TLS (at least most of the time).

    As for why GnuTLS exists, AFAIK it’s mainly because of licensing issues — compiling a GPLv2+ program against OpenSSL gets into licensing troubles, so there needed to be a GPL compatible alternative.

    Reply
  34. Tomi Engdahl says:

    Microsoft spells out new rules for exiling .EXEs
    Adware classification regime won’t tolerate privacy probes or auto-installs
    http://www.theregister.co.uk/2014/04/07/microsoft_puts_adware_in_the_crosshairs_again/

    Microsoft has updated the methodology it uses to define adware, a move designed to make it clearer just what the company considers worthy for removal by its malware tools.

    Reply
  35. Tomi Engdahl says:

    Experian subsidiary faces MEGA-PROBE for ‘selling consumer data to fraudster’
    US attorneys general roll up sleeves, snap on gloves
    http://www.theregister.co.uk/2014/04/07/id_theft_website_probe_experian/

    Vietnamese national Hieu Minh Ngo allegedly used information obtained through Experian subsidiary Court Ventures to run two identity fraud-enabling websites, Superget.info and Findget.me.

    The credit reference agency “acknowledge[d] the concern consumers may have about this illegal access”.

    Reply
    • Tomi Engdahl says:

      Tesla in ‘Ethernet port carries data’ SCANDAL
      Musk sticks ‘hands off’ signs on console data
      http://www.theregister.co.uk/2014/04/06/tesla_in_ethernet_port_carries_data_scandal/

      A Tesla enthusiast has sparked a thousand variations on headlines saying “Tesla hacked” by working out that in-car network traffic is visible on a port designed for service access to the network.

      The thread on the Tesla Motors Club forum begins in March, and reveals various traffic types that are visible on the network segment that connects the centre console (192.168.0.100), the navigation screen (192.168.0.101) and a gateway device (192.168.0.102).

      The system is revealed to be running a version of Ubuntu and an oldish version of the mini-httpd Web server.

      Reply
  36. Tomi Engdahl says:

    The Fifth Protocol
    http://startupboy.com/2014/04/01/the-fifth-protocol/

    Cryptocurrencies will create a fifth protocol layer powering the next generation of the Internet.

    Humans don’t *need* math-based cryptocurrencies when dealing with other humans. We walk slowly, talk slowly, and buy big things. Credit cards, cash, wires, checks – the world seems fine.

    Machines, on the other hand, are far chattier and quicker to exchange information. The Four Layers of the Internet Protocol Suite are constantly communicating. The Link Layer puts packets on a wire. The Internet Layer routes them across networks. The Transport Layer persists communication across a given conversation. And the Application Layer delivers entire documents and applications.

    This chatty, anonymous network treats resources as “too cheap to meter.” It’s a giant grid that transfers data but doesn’t transfer value. DDoS attacks, email spam, and flooded VPNs result. Names and identities are controlled by overlords – ICANN, DNS Servers, Facebook, Twitter, and Certificate “Authorities.”

    Cryptocurrencies like Bitcoin are already trustless – any machine can accept it from any other, securely. They are (nearly) free. They are global.

    Reply
  37. Tomi Engdahl says:

    Snowden leaks made us look twice at cloud suppliers – biz bods
    Survey: Corporates putting cloud firms under closer scrutiny
    http://www.theregister.co.uk/2014/04/01/survey_snowden_leaks_impact_business_cloud_computing/

    Businesses are conducting more due diligence on cloud suppliers and demanding more localised storage of their data in the wake of reports about US surveillance activities, according to a new survey.

    The survey also revealed raised concerns about data protection among businesses.

    “Nearly three-quarters (72 per cent) of ICT decision-makers polled said they would revisit every cloud and hosting arrangement to ensure data protection, if they had the necessary time and resources,” NTT Communications’ report said.

    “The Snowden revelations have also made ICT decision-makers more aware of the need to have detailed knowledge of data protection rules. 84 per cent of ICT decision-makers globally believed they need training on data protection laws and security rules in the territories their businesses operate,”

    Reply
  38. Tomi Engdahl says:

    ACLU launches user-friendly database of every Snowden doc
    Search all now-public NSA surveillance docs at your leisure
    http://www.theregister.co.uk/2014/04/05/aclu_launches_userfriendly_database_of_every_snowden_doc/

    The American Civil Liberties Union (ACLU) has launched a searchable online database that contains all of the documents obtained by Edward Snowden and made public since last June.

    “These documents stand as primary source evidence of our government’s interpretation of its authority to engage in sweeping surveillance activities at home and abroad, and how it carries out that surveillance,” Emily Weinrebe of the ACLU’s National Security project wrote on Thursday.

    Reply
  39. Tomi Engdahl says:

    How advertising cookies let observers follow you across the web
    http://www.theverge.com/2014/4/4/5581884/how-advertising-cookies-let-observers-follow-you-across-the-web

    Back in December, documents revealed the NSA had been using Google’s ad-tracking cookies to follow browsers across the web, effectively coopting ad networks into surveillance networks. A new paper from computer scientists at Princeton breaks down exactly how easy it is, even without the resources and access of the NSA. The researchers were able to reconstruct as much as 90% of a user’s web activity just from monitoring traffic to ad-trackers like Google’s DoubleClick. Crucially, the researchers didn’t need any special access to the ad data. They just sat back and watched public traffic across the network.

    Reply
  40. Tomi Engdahl says:

    Symantec scratches head over balance sheet, calls in JPMorgan
    Bankers drafted in to stave off activist investor threat – reports
    http://www.theregister.co.uk/2014/04/07/symantec_looking_for_strategic_options/

    Reports say Symantec, struggling to reverse a revenue slowdown, has called in JPMorgan Chase & Co. to look at its options and help fend off activist shareholders.

    Symantec is a $6.7bn/year revenue company that is struggling to lift its earnings. The last quarterly report made that abundantly clear.

    Reply
  41. Tomi Engdahl says:

    Slashdot Asks: Will You Need the Windows XP Black Market?
    http://ask.slashdot.org/story/14/04/06/2112255/slashdot-asks-will-you-need-the-windows-xp-black-market

    “Anytime you have such market imbalance, there is opportunity.”
    “How big will the Windows XP patch market be?”

    Reply
  42. Tomi Engdahl says:

    USA opposes ‘Schengen cloud’ Eurocentric routing plan
    All routes should transit America, apparently
    http://www.theregister.co.uk/2014/04/07/keeping_data_away_from_the_us_not_on_ustr/

    The US Trade Representative is warning Europe not to proceed with the idea of EU data network services that don’t cross the Atlantic.

    The idea of a European “walled garden” emerged in February amid rising anger over revelations that the NSA wants to listen to the whole world – and that its sweeps included snooping on German Chancellor Angela Merkel’s own BlackBerry.

    Reply
  43. Tomi Engdahl says:

    Introducing the ACLU’s NSA Documents Database
    https://www.aclu.org/blog/national-security/introducing-aclus-nsa-documents-database

    This tool will be an up-to-date, complete collection of previously secret NSA documents made public since last June. The database is designed to be easily searchable – by title, category, or content – so that the public, researchers, and journalists can readily home in on the information they are looking for.

    The NSA Archive
    https://www.aclu.org/nsa-documents-search

    Reply
  44. Tomi Engdahl says:

    Microsoft to Block Unwanted Adware July 1
    http://threatpost.com/microsoft-to-block-unwanted-adware-july-1/105256

    Microsoft has announced this summer it will change the way it classifies adware by beginning to block unwanted and intrusive advertisements from users.

    New objective criteria drafted up by the company stipulate that by July 1 internet ads must have a visible close button and must clearly state who’s behind them, or they’ll be branded as adware.

    Currently when Microsoft’s security products detect a program is operating suspiciously, the program is allowed to run, and the user is alerted and then given a recommended option to proceed. On July 1 when adware is found, Microsoft will stop the program entirely, notify the user and give them the option to restore it if they want.

    Reply
  45. Tomi Engdahl says:

    Adware: A new approach
    http://blogs.technet.com/b/mmpc/archive/2014/04/03/adware-a-new-approach.aspx

    Programs that promote a product or service outside of their own program can interfere with your computing experience. You should have clear choice and control when installing programs that open advertisements.

    The advertisements that are opened by these programs must:

    Include an obvious way to close the ad.
    Include the name of the program that created the ad.

    The program that creates these advertisements must:

    Provide a standard uninstall method for the program using the same name as shown in the ads it produces.

    It is important that both developers and our customers understand these criteria.

    Many programs use advertising as a form of payment for the program and that is also an acceptable practice.

    It is important for the user to know that these ads are being shown by a specific program and would not be there if it was not for this program. To tell the user that your program is making the ads, you need to make it clearly known in the advertisement.

    The final part of giving a user choice and control is giving them a way to uninstall the program that is making the ads.

    Reply
