Security trends for 2014

2014 will be a year of cybersecurity, following the NSA revelations of 2013. The headline news was that the NSA had surreptitiously “burrowed its way into nearly all the security architecture” sold by the world’s largest computer networking companies, and a lot of people were shocked by how much of the Internet the NSA monitored and hacked. There will still be NSA aftershocks as new material comes out and different parties react to it (and news sources write about it). U.S. cloud services have been called into question for good reason, there will be a lot of NSA spying litigation, and those spying issues will also fuel some hacktivism (it has already started to happen).

The Security Professionals: Top Cyber Threat Predictions for 2014 article lists the following predictions, which seem fairly probable: cybersecurity regulatory efforts will spark a greater need for harmonization; service-impacting interruptions of online services will persist; we will see an increase in cybercrime activity related to the World Cup; regional cloud services will rise; Dev-Ops security integration is fast becoming critical; cybercrime that leverages unsupported software will increase; and an increase in social engineering and ransomware will impact more people.

Ubiquitous mobile computing is all around us, which will lead to increased risks and concerns about social network privacy. Social networks have quickly become the key organizing principle of Internet communication and collaboration. Mobile malware protection also lags behind the desktop: Android anti-virus apps can’t kill nasties on sight like normal AV does, because an app on Android cannot remove another app without the user’s consent.

2013 was a very hacked year, with many cases where information on millions or tens of millions of users was stolen from companies. It is likely that we will see much more of the same in 2014: the way people use passwords and the way on-line services are built have not changed much in one year.


Gartner predicts that through 2014, improved JavaScript performance will begin to push HTML5 and the browser as a mainstream enterprise application development environment. I expect HTML5-related security issues to increase simply because the technology will be used more in 2014.

Over 50% of net traffic to web sites is made by bots! The More Than Half of Internet Traffic Is Just Bots article reports that security and cloud service provider Incapsula analyzed its traffic and found that more than 60 percent of Internet traffic is computer generated, compared to less than 40 percent driven by human clicks, and that 31% of bots are still malicious. SEO link building has always been a major motivation for automated link spamming, but it is decreasing because Google has been able to discourage it. What is increasing instead is more advanced hacking and automated vulnerability scanning.

DDoS attacks are evolving from volumetric Layer 3-4 attacks to much more sophisticated and dangerous Layer 7 multi-vector threats.

There will still be many SCADA security issues in 2014. Even though traditional SCADA vulnerabilities have become easier to find, the increased connectivity brought by IoT will cause new issues. And there will still be very many control systems openly accessible from the Internet to practically anybody who knows how to look for them. A large number of SCADA systems were found open on the Internet in the beginning of 2013, and the numbers have not dropped considerably during the year. I expect that very many of those systems will still be too open at the end of 2014.

The Internet is expanding into enterprise assets and consumer items such as cars and televisions. The Internet of Things (IoT) will evolve into the Web of Things, increasing the coordination between things in the real world and their counterparts on the Web. There will be many security issues to solve, and as these systems become more widely used, more security issues will be found in them.

Cloud security will be talked about. Hopefully there will be some clean-up of the terminology in that area, because “cloud security” can mean a lot of things, just like the term “cloud computing”. Cloud security could mean how secure your cloud provider is; a service that runs in the cloud and filters what passes through it (for example e-mails or web traffic); a product protecting some service running in the cloud; or a traditional anti-virus product that connects to the cloud to improve its operation (for example to update in real time, or to verify unknown programs against data in the cloud). Research firm Gartner forecasts that cloud security sales will increase dramatically in the next few years, from about $2.1 billion in 2013 to $3.1 billion in 2015.

Marketers put the term “cloud” into security product brochures as much as they can. The cloud has made traditional information security sound old-fashioned, because companies are under pressure to move services to the cloud; mobile devices and dispersed users also set new requirements for information security. OpenDNS’s CTO Dan Hubbard says that “because the data and devices run in the cloud, the cloud is the best way to protect the users.” The Snowden Effect will also bring PRIVATE cloud talk to the table this year for security reasons, because U.S. cloud services have been put into question for good reason.

In Finland a new Cyber Security Center started in the beginning of 2014. Security articles and warnings from it will be published at kyberturvallisuuskeskus.fi.

Late addition: crypto-currencies like Bitcoin and similar are on the rise, and early adopters already use them actively. Those crypto-currencies have many security issues related to them. Their values vary quite a lot, and the value easily drops considerably when they become so widely used that different governments try to limit their use. Bitcoin is increasingly used as a ransomware payment method. Bitcoins have been stolen quite a lot lately (and I expect that to increase as usage increases), from users, from on-line wallets and from exchanges. When more money is involved, more bad guys try to get in to take some of it. Sometimes the bad guys do not try to steal your money but use resources you pay for (your own PC, your server capacity, etc.) to generate money for them without you knowing about it. If you plan to use crypto-currencies, be careful to understand what you are doing with them: there is a real possibility that you can lose your money, and there is no way that lost money can be recovered.

3,382 Comments

  1. Tomi Engdahl says:

    SpyFiles 4
    https://wikileaks.org/spyfiles4/

    Today, 15 September 2014, WikiLeaks releases previously unseen copies of weaponised German surveillance malware used by intelligence agencies around the world to spy on journalists, political dissidents and others.

    FinFisher (formerly part of the UK based Gamma Group International until late 2013) is a German company that produces and sells computer intrusion systems, software exploits and remote monitoring systems that are capable of intercepting communications and data from OS X, Windows and Linux computers as well as Android, iOS, BlackBerry, Symbian and Windows Mobile devices. FinFisher first came to public attention in December 2011 when WikiLeaks published documents detailing their products and business in the first SpyFiles release.

    Since the first SpyFiles release, researchers published reports that identified the presence of FinFisher products in countries around the world and documented its use against journalists, activists and political dissidents.

    “FinFisher continues to operate brazenly from Germany selling weaponised surveillance malware to some of the most abusive regimes in the world.”

    “This full data release will help the technical community build tools to protect people from FinFisher including by tracking down its command and control centers.”

    WikiLeaks is also publishing previously unreleased copies of the FinFisher FinSpy PC spyware for Windows. This software is designed to be covertly installed on a Windows computer and silently intercept files and communications, such as Skype calls, emails, video and audio through the webcam and microphone.

    WikiLeaks conservatively estimates FinFisher’s revenue from these sales to amount to around €50,000,000.

  2. Tomi Engdahl says:

    WikiLeaks posts the software governments use to spy on dissidents
    http://www.engadget.com/2014/09/15/wikileaks-posts-finfisher-software/

    WikiLeaks’ all-or-nothing approach to revealing shady government activity just took a new (if decidedly risky) turn. Julian Assange and crew have posted FinFisher and FinSpy PC, the intrusion software that Australia, Italy, Pakistan and other countries use to break into and spy on people’s devices, no matter what platform they’re running. The leak site hopes that privacy-minded developers will use the code to improve security and prevent governments from easily cracking down on dissidents

    The strategy may pay off, although there is a worry that unscrupulous downloaders may use the code for more sinister purposes.

  3. Tomi Engdahl says:

    With Tech Taking Over in Schools, Worries Rise
    http://www.nytimes.com/2014/09/15/technology/with-tech-taking-over-in-schools-worries-rise.html?_r=0

    At a New York state elementary school, teachers can use a behavior-monitoring app to compile information on which children have positive attitudes and which act out. In Georgia, some high school cafeterias are using a biometric identification system to let students pay for lunch by scanning the palms of their hands at the checkout line. And across the country, school sports teams are using social media sites for athletes to exchange contact information and game locations.

    Technology companies are collecting a vast amount of data about students, touching every corner of their educational lives — with few controls on how those details are used.

    Now California is poised to become the first state to comprehensively restrict how such information is exploited by the growing education technology industry.

    Legislators in the state passed a law last month prohibiting educational sites, apps and cloud services used by schools from selling or disclosing personal information about students from kindergarten through high school; from using the children’s data to market to them; and from compiling dossiers on them. The law is a response to growing parental concern that sensitive information about children — like data about learning disabilities, disciplinary problems or family trauma — might be disseminated and disclosed, potentially hampering college or career prospects. Although other states have enacted limited restrictions on such data, California’s law is the most wide-ranging.

  4. Tomi Engdahl says:

    The FBI just finished building its facial recognition system
    http://www.theverge.com/2014/9/15/6152185/the-fbi-just-finished-building-its-facial-recognition-system

    The FBI’s Next Generation Identification (NGI) system is now fully operational

    the Interstate Photo System, or IPS. IPS will serve as “an image-searching capability of photographs associated with criminal identities,” according to the release.

    The facial recognition system has come under fire from privacy groups for mixing traditional mug shot photos with non-criminal faces pulled from employment records and background check databases.

  5. Tomi Engdahl says:

    PayPal takes a swipe at Apple Pay security over iCloud celebrity photo leaks
    http://9to5mac.com/2014/09/15/paypal-takes-a-swipe-at-apple-pay-security-over-icloud-celebrity-photo-leaks/

    PayPal appears to be calling out Apple and its newly announced mobile payment service Apple Pay with an ad appearing in The New York Times print edition (via Pando Daily), indirectly reminding people of last month’s disastrous iCloud photo leak, when a list of celebrities found their personal photos in intimate situations published on the web. The ad reads “We the people want our money safer than our selfies,” but PayPal isn’t without its own security issues in the past.

    Apple already has over 500 million iTunes accounts, most with credit cards, the company says, and iCloud features like iCloud Keychain manage and utilize credit card data for auto-completing credit card information.

  6. Tomi Engdahl says:

    NSW Police named as FinFisher spyware user
    http://www.itnews.com.au/News/392090,nsw-police-named-as-finfisher-spyware-user.aspx

    The NSW Police force has been named as a user of the FinFisher malware and spyware toolkit used by governments worldwide to capture user data, as part of a Wikileaks data release of the product today.

    Wikileaks first published documents relating to the German spyware in late 2011. FinFisher is sold to law enforcement agencies across the world.

    The FinFisher collection of tools is made by British-German conglomerate Gamma Group International, and its use is considered controversial as oppressive regimes have deployed it against political dissidents and non-criminal targets.

    FinFisher control nodes were last year revealed to be located in eleven countries including Australia, but no local law enforcement agencies have admitted to using the spyware.

    Wikileaks today named the NSW Police force as a user of the spyware. The licenses are valued at A$2.6 million, according to Wikileaks.

    The activist group said it estimated FinFisher’s entire global revenue to be worth around A$72 million.

    “FinFisher continues to operate brazenly from Germany, selling weaponised surveillance malware to some of the most abusive regimes in the world,” Wikileaks leader Julian Assange said in a statement. “The Merkel government pretends to be concerned about privacy, but its actions speak otherwise.

    FinFisher owner Gamma International last month reportedly suffered a data breach after an anonymous hacker claimed to have compromised the company’s network.
    The hacker posted links to a torrent file online.

  7. Tomi Engdahl says:

    Rejoice, Blighty! UK is the TOP of the WHOLE WORLD … for PHISHING
    Thanks, gullible chumps – now everyone knows we’re a soft touch
    http://www.theregister.co.uk/2014/09/16/study_finds_uk_worlds_top_phishing_spot/

    British punters are being served three times as many phishing links to trojans and exploit kits than the US, and five times more than the Germans, according to a ProofPoint study.

    The security researchers say that while the English were being served more malicious links, Germans were hit with the greatest amount of unsolicited spam.

    The scams aimed to lift British wallets through banking trojans and phishing emails mimicking organisations like the Royal Bank of Scotland.

    “On average an unsolicited email sitting in the inbox of a user in the UK is more than five times more likely to contain a malicious URL than for a user in Germany,”

  8. Tomi Engdahl says:

    Oi, Tim Cook. Apple Watch. I DARE you to tell me, IN PERSON, that it’s secure
    State attorney demands Apple CEO bows the knee to him
    http://www.theregister.co.uk/2014/09/16/apple_watch_state_attorney_demands_personal_privacy_pledge_tim_cook/

    Apple is facing tough privacy questions as it gears up for the release of its new Apple Watch, with one US state attorney demanding a meeting with Tim Cook.

    The security of personal information is top of the agenda at the moment, after hackers broke into Apple’s iCloud and leaked a load of celebs’ naughty nudie pics.

    Apple’s wrist computer will gather all manner of info on users’ personal activity and potentially their movements, as it boasts a host of health and navigation apps.

    “When new technologies emerge in consumer markets they inevitably lead to new questions, including questions about privacy,”

  9. Tomi Engdahl says:

    Hackers-for-hire raided 300 banks, corporates for TWELVE YEARS
    Phony cracker biz looked legit
    http://www.theregister.co.uk/2014/09/16/hackersforhire_raided_300_banks_corporates_for_twelve_years/

    A band of hackers for hire have raided some 300 banks, corporations and governments undetected for 12 years, possibly the longest campaign of its kind.

    The German hackers registered 800 front businesses in the UK to target and fully compromise organisations in Germany, Switzerland, and Austria at the request of customers.

    “… the damage to the organisations who have been victims in terms of loss of valuable data, income or the exposure of information related to employees and customers is immeasurable”

    It was unknown if anti-virus was not run at compromised organisations, failed to detect the threat or could not due to the malware being encrypted or otherwise obfuscated.

    SPECIAL REPORT – ‘HARKONNEN OPERATION’ CYBER-ESPIONAGE
    http://cybertinel.com/wp-content/uploads/2014/09/HARKONNEN-OPERATION-CYBER-ESPIONAGE.pdf

    From 2002 the German cybercrime network performed numerous targeted penetrations of over 300 organizations, including tier one commercial companies, government institutions, research laboratories and critical infrastructure facilities in the German speaking countries. The attackers planted Trojans in specific workstations in the organizations, gained access to sensitive confidential documents and information and silently exfiltrated them to the organizations who ordered the attack.

    The British relatively tolerant requirements for purchasing SSL security certificates were exploited by the network to create pseudo-legitimate Internet service names and to use them to camouflage their fraudulent activity.

    Although it appears to be huge, it is impossible at this time to assess the actual damage caused by ‘Harkonnen Operation’ as most of its activity is not disclosed.

    Hundreds of domain names, IP addresses and Wildcard certificates were acquired on behalf of these front companies at an estimated expense of $150,000 to camouflage fraudulent activity as legitimate services.

    COUNTERMEASURES TAKEN

    Disinfecting the contaminated workstation using CYBERTINEL
    Deep HD investigation to reveal what documents and data were exposed

    CONCLUSIONS
    Legacy firewalls, antivirus and other cyber defense systems cannot completely protect organizations against zero day and targeted attacks.
    Digital espionage activity has a very low profile and communication trace. It can reside and function undiscovered for a very long time
    No organization, public or private, is safe from commercial, industrial or national threats

  10. Tomi Engdahl says:

    USB stick is more dangerous than ever

    USB stick malware is a small phenomenon alongside other cyber attacks. But the phenomenon has become more dangerous than ever.

    A few years ago contaminated USB sticks were a threat that led many industrial companies to disable the USB ports of their computers.

    The fear was not misplaced. According to current knowledge, Iran’s nuclear program was also disrupted exactly this way, with the Stuxnet program delivered on a USB memory stick.

    The risk is increased by the fact that USB attacks have evolved. You no longer need to open an infected document or rely on Autorun.

    One of the most treacherous attack methods is contaminating the sticks handed out at trade fairs: an attacker takes a few sample sticks, changes their contents as he likes and brings the sticks back to wait for the next visitor to pick them up.

    Modern USB attacks are effective because you can no longer protect yourself against them by turning Autorun off or by refraining from opening PDF or Office files on the drive.

    - USB is the most flexible technology, which allows a wide range of attacks, Nuopponen says.

    A USB flash drive can be programmed to first appear, for some time, in the usual way as an external mass storage device, but later to change into a microphone or a keyboard. A stick acting as a keyboard can be pre-programmed with keyboard shortcuts that open a command prompt and, through it, load a program onto the computer that takes over the device.

    - If an infected drive gets into the machine, the game is lost.

    The only sure way to protect yourself is to use sticks whose origin you know.

    Source: http://www.itviikko.fi/tietoturva/2014/09/16/usb-tikku-on-vaarallisempi-kuin-koskaan/201412828/7?rss=8

  11. Tomi Engdahl says:

    Cisco sprinkles Sourcefire goodies on ASA firewalls
    FirePOWER can be licensed into existing kit
    http://www.theregister.co.uk/2014/09/17/cisco_sprinkles_sourcefire_goodies_on_asa_firewalls/

    Cisco has taken the next step in wrapping the technology it acquired along with Sourcefire, by putting its Adaptive Security Appliance (ASA) next-gen firewalls and the FirePOWER technology into the blender and giving it a good spin.

    The idea is to run up a combination of firewall, application control, intrusion prevention and malware protection, for either new customers (buying the Cisco ASA 5500 Series firewall with FirePOWER services) or as a licence buy for existing 5500-X or 5585-X.

    “there’s a huge installed base of ASAs that can be software upgraded with this.”

    That’s because rule-tuning is one of the hard jobs in running an IPS, he explained: “We’re collecting information about the environment – we compare signatures, IP reputation, malware signatures, and we can compare that to the environment in which we’re sitting.

    “If we see a Windows attack against a system that we know is running a vulnerable version, then we create an impact flag we attach to the event to tell you which to focus on first, rather than the mass of events that you see in IPS.

    In regulated environments like banks’ networks, Stitt noted, rule maintenance is a big thing: there will be teams devoted to writing, maintaining and auditing security rules, and making sure that obsolete rules are eliminated.

    The ASA/FirePOWER combination is also designed to leverage Cisco’s OpenAppID, which the company decided to open source earlier this year so that third parties could add their own application signatures into the system.

  12. Tomi Engdahl says:

    Got your NUDE SELFIES in the cloud? Two-factor auth’s your best bet for securing them
    Infosec made simple: 2FA, its good points and bad points
    http://www.theregister.co.uk/2014/09/16/in_defence_of_two_factor_authentication/

    Bill Gates in 2004 predicted the death of the password over time. “They just don’t meet the challenge for anything you really want to secure,” Gates said.

    Ten years on, passwords haven’t gone anywhere and as the recent nude-celeb-pics-on-iCloud proved, the medium is still not up to muster yet is in widespread use in scenarios that didn’t even exist when Gates was talking.

    At this point, the naked celebs story looks like it was a case of human error – setting passwords that were relatively easy to break – as much as the technology itself being breakable.

    In the wake of password breaches it becomes a scramble to remember which passwords you used on what sites. Humans are not programmed to remember super complex passwords of gibberish!

    Rather than blame the users, one could look at the length of password and argue that reuse is understandable, if not excusable.

    “There has to be an easier way?” I hear you scream. Yes, there is.

    Two-factor authentication (TFA) was shoved into the spotlight by the naked-celebs story not least because Apple claimed iCloud already employed this technique, as we noted here, though, don’t let that put you off TFA – Apple wasn’t being entirely straightforward about the need for TFA on its cloud.

    The fact remains, TFA remains a strong option for securing your web activities.

    Simply put, TFA is based around the premise of using something you know – a password – and something you own – like a smartphone or the hardware token that some banks provide to users to gain access. TFA is perhaps the simplest method of attacking the password problem.

    There are several variations to choose from.

    TFA is also widely used to secure VPN access and the devices inside a network going over the internet. On the individual level for securing mildly important stuff such as e-mail, Google and Microsoft provide TFA for a number of their service

    So, which web-based services support TFA? Sadly, the answer is not many. Usage tends to be grouped into a few enterprises based around high risk or high cost, or both.

    For the provider there’s the cost of purchasing and licensing tokens, distributing tokens and – in the case of some banks – readers for smart card, pin-pad and biometric entry, and support costs of enrolling customers into schemes and then providing support to those signed up.

    The cost factor is being tackled and a lot of cloud and infrastructure providers are starting to furnish users with hardware or downloadable soft tokens. Yubikey, for example, is offering inexpensive keys that can be reprogrammed to support any TFA scheme.

    Don’t confuse TFA with an infosec magic bullet

    But hold on. TFA may make you more secure but it doesn’t mitigate all the risk. Hackers have breached several banks TFA schemes. Admittedly this is done by means other than direct manipulation of the token as well as compromising of smart phones used as soft token

    There are other issues, too.

    TFA is not a guarantee against having your data slurped. Hackers have at least three techniques that can sidestep TFA.

    There’s “man in the middle” – with hackers putting up fake sites that raid the real site once the user has signed in – “man in the browser”, infecting the client’s browser with malware and then injecting HTML into a web page that captures information from the browser’s memory – and there are Trojans, where the hacker piggybacks into a user’s account from an authenticated session.

  13. Tomi Engdahl says:

    Credit card cutting flaw could have killed EVERY AD on Twitter
    Party-pooper gets $2800 for ad-busting bug
    http://www.theregister.co.uk/2014/09/17/credit_card_cutting_flaw_could_have_killed_every_ad_on_twitter/

    Twitter has patched a flaw in its service that allowed unauthorised users to delete every credit card from all accounts, potentially relieving the company of its advertising revenue, security researcher Ahmed Aboul-Ela says.

    The attacks worked through a direct object reference vulnerability and involved the manipulation of number sequences in URLs.

    “The impact of the vulnerability was very critical because all that is needed to delete credit cards is the credit card identifier which consists only of six numbers such as ’220152′,”

    “So imagine a black hat hacker who could write a simple Python code and use a simple for loop on six numbers – he could delete all credit cards from all Twitter accounts which will result in halting all Twitter ads campaigns and will incur big financial loss for Twitter.”

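The flaw in the comment above is an insecure direct object reference: the delete endpoint trusted a guessable six-digit card identifier and never asked whether the caller owned it. As an added example that is not Twitter’s code or the researcher’s proof of concept, the block below models that handler in miniature, runs the “simple for loop” from the quote against it, and puts the corrected handler beside it. The store, the account names and the card identifiers are constructed for the illustration.

```python
"""Added example: the IDOR pattern from the Twitter report, vulnerable and
fixed, with the enumeration loop run against both.

Everything here (accounts, card ids, handler names) is constructed for
the illustration and is not Twitter's code.
"""
from dataclasses import dataclass, field


class Forbidden(Exception):
    pass


@dataclass
class CardStore:
    owners: dict = field(default_factory=dict)  # card_id -> owning account

    def add(self, card_id: int, account: str) -> None:
        self.owners[card_id] = account

    def delete_card_vulnerable(self, caller: str, card_id: int) -> bool:
        """Deletes any card whose id the caller supplies.

        The only thing checked is that the id exists; the caller's identity
        is ignored, which is the direct-object-reference bug in the article.
        """
        return self.owners.pop(card_id, None) is not None

    def delete_card_fixed(self, caller: str, card_id: int) -> bool:
        """Deletes a card only if it belongs to the caller.

        Missing and foreign ids get the same answer, so a caller cannot use
        the endpoint to learn which six-digit ids are live.
        """
        if self.owners.get(card_id) != caller:
            raise Forbidden("card not found or not yours")
        del self.owners[card_id]
        return True


def enumerate_delete(store: CardStore, caller: str, handler, id_range) -> int:
    """The 'simple for loop on six numbers' from the quote.

    Returns how many cards the caller managed to delete.
    """
    deleted = 0
    for card_id in id_range:
        try:
            if handler(caller, card_id):
                deleted += 1
        except Forbidden:
            continue
    return deleted


def build_demo_store() -> CardStore:
    """Constructed data: three accounts, four cards with sequential ids."""
    store = CardStore()
    store.add(220152, "alice")
    store.add(220153, "bob")
    store.add(220154, "bob")
    store.add(220155, "carol")
    return store


def run_attack(fixed: bool) -> int:
    """Attacker 'mallory' sweeps ids 220150..220159 against one handler.

    The full 000000..999999 sweep is the same loop with a wider range; it
    is kept small so the demo finishes instantly.
    """
    store = build_demo_store()
    handler = store.delete_card_fixed if fixed else store.delete_card_vulnerable
    return enumerate_delete(store, "mallory", handler, range(220150, 220160))


if __name__ == "__main__":
    print("vulnerable handler, cards deleted by attacker:", run_attack(fixed=False))
    print("fixed handler, cards deleted by attacker:     ", run_attack(fixed=True))
```

The ownership check is the whole fix; using random, unguessable identifiers on top of it raises the cost of enumeration but does not replace the authorization check, because an identifier leaked in a URL or log would again be enough.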
  14. Tomi Engdahl says:

    Snowden, Dotcom, throw bombs into NZ election campaign
    http://www.theregister.co.uk/2014/09/15/snowden_dotcom_throw_bombs_into_nz_election_campaign/

    Edward Snowden and Kim Dotcom have joined hands and waded into New Zealand politics ahead of the nation’s forthcoming election, by alleging prime minister John Key has told fibs about his government’s involvement with the NSA’s nasties.

    Snowden has released a new missive in which he claims that the many tools with which he worked at the NSA well and truly covered New Zealand.

  15. Tomi Engdahl says:

    Codenamed “Moments”, Facebook Has Built An App For Super-Private Sharing
    http://techcrunch.com/2014/09/16/facebook-moments/

    Facebook has failed repeatedly to get us to use complicated lists and privacy settings to share intimate moments with just our closest friends and family. It’s clumsy and confusing doing that with the same composer for blasting News Feed updates to everyone. But now Facebook is polishing off a new app codenamed “Moments” designed to make this micro-sharing much simpler, multiple sources tell TechCrunch, including one who has seen a live internal version of the app.

  16. Tomi Engdahl says:

    Data Center Security Startup vArmour Emerges from Stealth
    http://www.datacenterknowledge.com/archives/2014/09/16/data-center-security-startup-varmour-emerges-stealth/

    Data center security startup vArmour has come out of stealth.

    vArmour says traditional security perimeters have disappeared in the cloud world. While compute, storage and networking have become virtualized, security remains locked in legacy, hardware-centric perimeter models that cannot scale to meet modern business requirements and systems architecture.

    The company said its solution provides visibility, control and threat defense across physical, virtual and cloud applications and can easily scale with the infrastructure.

    The increasing use of virtualization has benefited IT with cost savings and agility, but it has also caused new avenues for attack that rest outside traditional local-based perimeter security models. Advanced attackers exploit these critical gaps in visibility and control inside the data center.

    Virtualization and cloud have changed the nature of traffic flows themselves – 83 percent of traffic now travels “east-west” within the data center, never seen by the traditional perimeter. Attackers often compromise low-profile assets as their initial way into the system.

    vArmour says it helps an enterprise understand the nature of an attack’s progression across the entire network, showing intent and path, as well as “patient zero,” the initial point of compromise.

  17. Tomi Engdahl says:

    Two-factor verification for iCloud.com is back following recent hacks
    http://9to5mac.com/2014/09/16/two-factor-verification-for-icloud-com-is-back-following-recent-hacks/

    Back in June, Apple rolled out a two-factor authentication system for the iCloud.com suite of web apps. The feature quickly disappeared, but today, users are noticing that it has returned. The feature requires users to verify their identity via a ping to an SMS text number or a device connected to their particular iCloud login ID. This adds an extra layer of protection so that even if another person knows your iCloud password, they will still need one of your iOS devices or SMS-connected cell phones to access Mail, Contacts, Calendar, Notes, Reminders, and iWork on the web.

  18. Tomi Engdahl says:

    Why Is It Taking So Long To Secure Internet Routing?
    http://tech.slashdot.org/story/14/09/17/0016241/why-is-it-taking-so-long-to-secure-internet-routing

    We live in an imperfect world where routing-security incidents can still slip past deployed security defenses, and no single routing-security solution can prevent every attack. Research suggests, however, that the combination of RPKI (Resource Public Key Infrastructure) with prefix filtering could significantly improve routing security.

    Routing security incidents can still slip past deployed security defenses.
    http://queue.acm.org/detail.cfm?id=2668966

    BGP (Border Gateway Protocol) is the glue that sticks the Internet together, enabling data communications between large networks operated by different organizations. BGP makes Internet communications global by setting up routes for traffic between organizations

    While BGP plays a crucial role in Internet communications, it remains surprisingly vulnerable to attack. The past few years have seen a range of routing incidents that highlight the fragility of routing with BGP. They range from a simple misconfiguration at a small Indonesian ISP that took Google offline in parts of Asia [32], to a case of BGP-based censorship that leaked out of Pakistan Telecom and took YouTube offline for most of the Internet [2], to a routing error that caused a large fraction of the world’s Internet traffic to be routed through China Telecom [6], to highly targeted traffic interception by networks in Iceland and Belarus.

    People have been aware of BGP’s security issues for almost two decades and have proposed a number of solutions.

    Why is it taking so long to secure BGP?

    The answer to this question lies in the fact that BGP is a global protocol, running across organizational and national borders. As such, it lacks a single centralized authority that can mandate the deployment of a security solution; instead, every organization can autonomously decide which routing security solutions it will deploy in its own network. Thus, the deployment becomes a coordination game among thousands of independently operated networks. This is further complicated by the fact that many security solutions do not work well unless a large number of networks deploy them.

    Reply
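    The comment above describes RPKI combined with prefix filtering as the most promising route-security combination. The following is an added worked example (not code from the ACM article, the Slashdot post, or any router vendor) showing how the two layers complement each other: a static inbound prefix filter catches leaks and over-specific announcements, and RFC 6811-style Route Origin Validation against ROAs catches origin hijacks that a permissive filter lets through. The ROAs, announcements and per-peer prefix lists are constructed sample data using documentation prefixes (RFC 5737) and documentation ASNs (RFC 5398).

```python
"""Route Origin Validation against RPKI ROAs combined with a prefix filter.

Added illustration, not code from the ACM article or the Slashdot post. The
ROAs, announcements and per-peer prefix lists are constructed sample data
using documentation prefixes (RFC 5737) and documentation ASNs (RFC 5398)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    """A Route Origin Authorization: origin_asn may announce prefix and any
    more-specific prefix up to max_length."""
    prefix: str
    max_length: int
    origin_asn: int


def rov_state(prefix, origin_asn, roas):
    """RFC 6811 validation state for one announcement: 'valid', 'invalid' or
    'not-found'.  Only ROAs that cover the announced prefix are consulted."""
    net = ipaddress.ip_network(prefix, strict=False)
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        if net.version == roa_net.version and net.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return "not-found"          # no ROA covers it: RPKI says nothing either way
    for roa in covering:
        if roa.origin_asn == origin_asn and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"                # covered, but wrong origin or too long


# Address space that should never be announced on the public Internet.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def prefix_filter(prefix, peer_allowed):
    """Static inbound filter applied before RPKI: returns (accept, reason).
    IPv4 only; the peer's allowed list is what that peer is expected to send."""
    net = ipaddress.ip_network(prefix, strict=False)
    if net.version != 4:
        return False, "ipv4-only-filter"
    if net.prefixlen == 0:
        return False, "default-route"
    if net.prefixlen > 24:
        return False, "too-specific"     # /25 and longer are not globally routed
    if any(net.subnet_of(b) for b in BOGONS):
        return False, "bogon"
    if not any(net.subnet_of(ipaddress.ip_network(a)) for a in peer_allowed):
        return False, "not-in-peer-prefix-list"
    return True, "ok"


def evaluate(announcements, roas, peer_prefix_lists):
    """Run each (peer_asn, prefix, origin_asn) announcement through the filter
    and then through ROV; returns a list of (prefix, origin_asn, decision)."""
    decisions = []
    for peer_asn, prefix, origin_asn in announcements:
        accepted, reason = prefix_filter(prefix, peer_prefix_lists.get(peer_asn, []))
        if not accepted:
            decisions.append((prefix, origin_asn, "rejected:" + reason))
            continue
        state = rov_state(prefix, origin_asn, roas)
        if state == "invalid":
            decisions.append((prefix, origin_asn, "rejected:rov-invalid"))
        else:
            decisions.append((prefix, origin_asn, "accepted:" + state))
    return decisions


def run_sample():
    """Constructed scenario: AS64496 owns 192.0.2.0/24 (ROA); AS64500 is a
    customer allowed to send only that prefix; AS64501 is a transit peer with
    a permissive prefix list, so RPKI is the only thing that catches its hijack."""
    roas = [ROA("192.0.2.0/24", 24, 64496)]
    peer_prefix_lists = {64500: ["192.0.2.0/24"], 64501: ["0.0.0.0/0"]}
    announcements = [
        (64500, "192.0.2.0/24", 64496),      # legitimate route via the customer
        (64500, "192.0.2.0/25", 64500),      # more-specific: stopped by the filter
        (64500, "198.51.100.0/24", 64500),   # not the customer's address space
        (64501, "192.0.2.0/24", 64501),      # origin hijack through a transit peer
        (64501, "203.0.113.0/24", 64502),    # no ROA: accepted, but unverified
        (64501, "10.0.0.0/8", 64502),        # private space leaked
        (64501, "0.0.0.0/0", 64502),         # default route leaked
    ]
    return evaluate(announcements, roas, peer_prefix_lists)


if __name__ == "__main__":
    for prefix, origin, decision in run_sample():
        print(f"{prefix:18} AS{origin}  {decision}")
```

    The "not-found" outcome is the coordination problem the comment describes: a prefix without a ROA is accepted unverified, so RPKI only pays off once enough networks publish ROAs and enough others drop "invalid" routes.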
  19. Tomi Engdahl says:

    Tim Cook on why Apple is better at protecting privacy: “You’re not our product”
    http://venturebeat.com/2014/09/16/tim-cook-on-why-apple-is-better-at-protecting-privacy-youre-not-our-product/

    Apple’s Tim Cook made a not-so-subtle swipe last week at Internet companies that make their money by collecting “gobs of data.”

    In a wide-ranging interview with Charlie Rose after Apple’s product showcase, Cook laid out the case for why Apple is unique in protecting privacy. His whole rant is worth quoting in full:

    Our business is not based on having information about you. You’re not our product. Our product are these [points to iPhone], and this watch, and Macs, and so forth. And so we run a very different company.

    I think everyone has to ask, how do companies make their money? Follow the money. And if they’re making money mainly by collecting gobs of personal data, I think you have a right to be worried. And you should really understand what’s happening to that data, and the companies — I think — should be very transparent.

    Noticeably absent from Rose’s questions were how Apple plans to help consumers protect themselves. The celebrity nude photo leak was likely due to poor password protections and the fact that hackers were allowed to make multiple attempts to access an account.

    Reply
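    Two of the comments above touch the same account-protection gap from different sides: comment 17 describes Apple's two-factor check for the iCloud web apps, and the paragraph above notes that the photo leak was helped by unlimited login attempts. The following is an added example (not Apple's code or anything from the quoted articles) of how a service closes both gaps: failed password guesses are counted per account and trigger a lockout whose length doubles with each further failure, and a successful password only unlocks a second step where a short-lived code, delivered out of band, must be entered with its own small guess budget. The user store, the delivery callback and the fake clock are constructed for the demonstration; a real deployment would back them with persistent storage and an SMS or push channel.

```python
"""Login throttling plus a second-factor step.  Added example with constructed
sample data; the deliver callback stands in for an SMS or push channel."""
import hashlib
import hmac
import os
import secrets
import time


class LoginGuard:
    MAX_FAILURES = 5      # password failures tolerated before a lockout
    BASE_LOCK = 60.0      # first lockout in seconds; doubles with each further failure
    CODE_TTL = 300.0      # lifetime of a second-factor code in seconds
    CODE_TRIES = 3        # guesses allowed per issued code

    def __init__(self, deliver, clock=time.time):
        self.deliver = deliver      # callback (username, code): the out-of-band channel
        self.clock = clock
        self.users = {}             # username -> (salt, pbkdf2 hash)
        self.failures = {}          # username -> (failure count, locked_until)
        self.pending = {}           # username -> (code, expires_at, guesses_left)

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, username, password):
        salt = os.urandom(16)
        self.users[username] = (salt, self._hash(password, salt))

    def _record_failure(self, username, now):
        count, locked_until = self.failures.get(username, (0, 0.0))
        count += 1
        if count >= self.MAX_FAILURES:
            locked_until = now + self.BASE_LOCK * 2 ** (count - self.MAX_FAILURES)
        self.failures[username] = (count, locked_until)

    def locked_for(self, username):
        """Seconds remaining on the account's lockout, 0 if it is not locked."""
        _, locked_until = self.failures.get(username, (0, 0.0))
        return max(0.0, locked_until - self.clock())

    def check_password(self, username, password):
        """First factor.  Returns 'locked', 'bad' or 'needs-second-factor'."""
        now = self.clock()
        if self.locked_for(username) > 0:
            return "locked"
        rec = self.users.get(username)
        # Hash even for unknown accounts so timing does not reveal which usernames exist.
        salt, stored = rec if rec else (b"\0" * 16, b"\0" * 32)
        matched = hmac.compare_digest(self._hash(password, salt), stored) and rec is not None
        if not matched:
            self._record_failure(username, now)
            return "bad"
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.pending[username] = (code, now + self.CODE_TTL, self.CODE_TRIES)
        self.deliver(username, code)
        return "needs-second-factor"

    def verify_code(self, username, code):
        """Second factor.  Returns 'locked', 'expired', 'bad' or 'ok'."""
        now = self.clock()
        if self.locked_for(username) > 0:
            return "locked"
        entry = self.pending.get(username)
        if entry is None or now > entry[1]:
            self.pending.pop(username, None)
            return "expired"
        expected, expires_at, guesses_left = entry
        if hmac.compare_digest(expected.encode(), code.encode()):
            self.pending.pop(username, None)
            self.failures.pop(username, None)       # a full login clears the budget
            return "ok"
        guesses_left -= 1
        if guesses_left <= 0:
            self.pending.pop(username, None)        # code burned; password step again
        else:
            self.pending[username] = (expected, expires_at, guesses_left)
        self._record_failure(username, now)         # code guesses count like passwords
        return "bad"


class _FakeClock:
    """Constructed clock so the scenario in demo() is deterministic."""
    def __init__(self, start=1000.0):
        self.now = start

    def __call__(self):
        return self.now


def demo():
    """Walk through lockout, doubling, second factor, code budget and expiry."""
    clock = _FakeClock()
    sent = []                                   # codes the fake channel delivered
    guard = LoginGuard(deliver=lambda user, code: sent.append(code), clock=clock)
    guard.register("alice", "correct horse battery staple")
    out = {"guesses": [guard.check_password("alice", "password%d" % i) for i in range(5)]}
    out["locked"] = guard.check_password("alice", "correct horse battery staple")
    out["first_lock"] = guard.locked_for("alice")
    clock.now += 61
    guard.check_password("alice", "password5")                  # sixth failure
    out["second_lock"] = guard.locked_for("alice")
    clock.now += 121
    out["password_ok"] = guard.check_password("alice", "correct horse battery staple")
    out["code_ok"] = guard.verify_code("alice", sent[-1])
    out["cleared"] = guard.locked_for("alice") == 0 and "alice" not in guard.failures
    guard.register("bob", "hunter2")
    guard.check_password("bob", "hunter2")
    wrong = "000000" if sent[-1] != "000000" else "999999"
    out["bad_codes"] = [guard.verify_code("bob", wrong) for _ in range(3)]
    out["code_burned"] = guard.verify_code("bob", sent[-1])
    guard.check_password("bob", "hunter2")                      # fresh code issued
    clock.now += 301
    out["expired"] = guard.verify_code("bob", sent[-1])
    out["unknown_user"] = guard.check_password("nobody", "anything")
    return out
```

    The failure budget is shared between password and code guesses on purpose: a six-digit code is far weaker than a password, so an attacker who has the password must not get unlimited tries at the code either.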
  20. Tomi Engdahl says:

    NSA Director Says Agency Is Still Trying To Figure Out Cyber Operations
    http://yro.slashdot.org/story/14/09/17/0019201/nsa-director-says-agency-is-still-trying-to-figure-out-cyber-operations

    New NSA Director Mike Rogers emphasized a need to establish behavioral norms for cyber war. “We’re still trying to work our way through distinguishing the difference between criminal hacking and an act of war,”

    NSA director Rogers urges cyber-resiliency
    https://threatpost.com/nsa-director-rogers-urges-cyber-resiliency/108292

    In his keynote address at the Billington Cybersecurity Summit, NSA Director and Commander of U.S. Cyber Command, Admiral Mike Rogers, explained that the Defense Department and corporate information security teams must focus on cyber-resiliency rather than total network protection.

    In no other arena, Rogers argued, is it acceptable to totally shut down operations in the face of an attack. However, somehow this is something of a norm when it comes to network defense.

    “Resiliency is the ability to sustain damage but ultimately succeed,” Rogers said. “Resiliency is all about accepting that I will sustain a certain amount of damage.”

    “How do you continue to achieve goals in the face of constant penetration attempts?” he asked. Part of the problem here, he said, is that most organizations pour resources and capital into the idea that the majority of time should be spent protecting networks. Rogers said organizations must accept the hard reality that intruders will gain access to systems, and operative plans must be made in advance to ensure networks and business operations remain intact during incident response.

    “You must train like you fight, and you don’t wait until the first day of combat to plan your fight,” Rogers said.

    He highlighted five broad areas of focus:

    The first is building resilient systems from the ground up, because security cannot be bolted on.

    Also, in order to create true situational awareness, organizations need to have a clear picture of what is going on within their networks, what normal looks like and what abnormal looks like, because, he said, it is impossible to protect what you cannot see.

    His third point is to increase partnerships and information sharing by creating a framework through which organizations can begin to establish these partnerships and use them to work toward goals. “Cyber-defense has largely been a pick-up game, and I don’t think that is going to get us anywhere,”

    His fourth point related to a shift in the perception of the NSA, which is widely seen as an offensive force, to a source of defensive expertise.

    His fifth point related to the creation of a workforce that can promote cyber-resilience, and by 2016, the government plans to have that workforce of some 6,200 people in place. Rogers made it clear that the Department of Defense is working through the relatively new theater of cyber-threats just the same as everyone else. Cyber-security, he explained, is new for everyone.

    Adversaries see the investment in network penetration as a valuable one whether it’s advanced persistent threat groups or criminals seeking credit card data. Billions of dollars made and lost here, the admiral explained.

    “This is not a small problem. It’s not going away. Technology will not catch up. This is foundational to the future. I need your help,” he said.

    Reply
  21. Tomi Engdahl says:

    Justice Department Proposal Would Massively Expand FBI Extraterritorial Surveillance
    http://justsecurity.org/15018/justice-department-proposal-massive-expand-fbi-extraterritorial-surveillance/

    A Department of Justice proposal to amend Rule 41 of the Federal Rules of Criminal Procedure would make it easier for domestic law enforcement to hack into computers of people attempting to protect their anonymity on the Internet. The DOJ has explicitly stated that the amendment is not meant to give courts the power to issue warrants that authorize searches in foreign countries—but the practical reality of the underlying technology means doing so is almost unavoidable.

    The result? Possibly the broadest expansion of extraterritorial surveillance power since the FBI’s inception.

    The FBI brand of hacking: Network Investigative Techniques.

    Broadly, the term “Network Investigative Techniques,” (NIT) describes a method of surveillance that entails “hacking,” or the remote access of a computer to install malicious software without the knowledge or permission of the owner/operator. Once installed, malware controls the target computer.

    The right Network Investigative Technique can cause a computer to perform any task the computer is capable of—covertly upload files, photographs and stored e-mails to an FBI controlled server, use a computer’s camera or microphone to gather images and sound at any time the FBI chooses, or even take over computers which associate with the target (e.g. by accessing a website hosted on a server the FBI secretly controls and has programmed to infect any computer that accesses it).

    Network Investigative Techniques are especially handy in the pursuit of targets on the anonymous Internet

    Reply
  22. Tomi Engdahl says:

    Federal CIOs Must Reframe Security Around Data, Access
    http://www.cio.com/article/2606005/government-use-of-it/federal-cios-must-reframe-security-around-data-access.html

    An ambitious government IT push toward cloud, mobile and shared services stokes concerns about security challenges from insider threats and disappearing network boundaries.

    In an era of cloud computing, increasing mobility and federal agencies outsourcing more functions to IT contractors, the traditional lines delineating a network perimeter have blurred beyond

    “I think best practices have to completely shift,” Gus Hunt, operating partner at the private equity firm LLR Partners and the former CTO at the CIA, said this week at a government IT conference.

    “We’ve entered into this world where there is no boundary,” Hunt says. “The approaches which have gone at this in the past – of trying to protect the perimeter – are the ones that are actually failing in this case, because the perimeter doesn’t exist and what constitutes an insider is also itself constantly changing.”

    “In the past, we’ve been very kind of control-oriented and threat-oriented, rather than being much more outcomes and risk-based in thinking,” says Ari Schwartz, senior director for cybersecurity programs at the White House National Security Council.

    Within the government, the IT community is juggling multiple priorities and initiatives. In addition to the heightened focus on security, agencies are developing policies to mobilize their workforces and are being pushed into closer collaboration with service providers in the private sector.

    “In the old days, you used to be able to know who your employees are, and those were the insiders,” she says.

    Looking ahead to 2020, when observers agree that the government will only become more reliant on third-party service providers, Seale sees more of a management challenge on the horizon than the simplification that vendors promise.

    From a security perspective, Hunt urges IT leaders to focus on building controls that govern access to data. “That’s what people are after,” he says, calling data “the most critical commodity” within agencies.

    Reply
  23. Tomi Engdahl says:

    Five German Telecom Companies Hacked by The NSA and The GCHQ, Der Spiegel Says
    http://www.cubiclane.com/2014/09/14/five-german-telecom-companies-hacked-nsa-gchq-der-spiegel-says-20509

    We knew already that Germany was a prime target for electronic espionage orchestrated by the American National Security Agency (NSA) and its British equivalent, the Government Communications Headquarters (GCHQ). According to the German Magazine, Der Spiegel, based on documents provided by Edward Snowden, 500 million communications (telephone, email, SMS) were being intercepted every month before the scandal broke out.

    Der Spiegel ensures that the NSA and the GCHQ have clandestine access to the networks of at least five German companies: Deutsche Telekom, Netcologne, Stellar, and Cetel IABG. These companies, in fact, operate much of the German telecommunications infrastructure.

    Der Spiegel explains that the British intelligence services take for “targets” the employees of these companies, and have the passwords of the servers of their customers.

    The information collected is used to power an NSA program called “Treasure Map”, which was already revealed by the New York Times in 2013. This interactive map operates in real time and is fueled with tons of data collected through various channels.

    According to Der Spiegel, the NSA and the GCHQ manage not only to map the major nodes of the network, but also many of the devices that connect to it (computers, phones, tablets).

    The companies affected have reacted furiously to the revelation of this information. “Such cyber-attacks are strictly prohibited by German law,”

    Reply
  24. Tomi Engdahl says:

    Facebook Powers More Than Half Of All Social Logins
    http://www.seatid.com/facebook-powers-more-than-half-of-all-social-logins/

    Social Login AKA Social Sign-in is a convenient and fast way to sign in to websites and applications without the lengthy sign-up procedures of filling out annoying, multiple question forms and setting up yet another password.

    Among desktop users, Facebook is the absolute market leader, powering more than 51 percent of all social logins in North America. Google+ is the second most popular service with 31 percent in North America.

    Trailing Facebook and Google+ are Yahoo with 15 percent and Twitter with 3 percent.

    Among mobile users, Facebook has a larger lead, with 62 percent of logins, followed by Google+ with 26 percent, Twitter with 6 percent and Yahoo with 4 percent.

    Reply
  25. Tomi Engdahl says:

    Comcast Wi-Fi serving self-promotional ads via JavaScript injection
    The practice raises security, net neutrality issues as FCC mulls Internet reforms.
    http://arstechnica.com/tech-policy/2014/09/why-comcasts-javascript-ad-injections-threaten-security-net-neutrality/

    Reply
  26. Tomi Engdahl says:

    ‘Broken code’ costs Yelp half a mil in child privacy dust-up with FTC
    Busted age block in app is no excuse, says US watchdog
    http://www.theregister.co.uk/2014/09/17/ftc_yelp_tinyco_settlement_childrens_data/

    The US Federal Trade Commission (FTC) has fined Yelp after accusing the reviews website of inappropriately gathering personal data on children.

    The FTC said Yelp and games maker TinyCo each allowed under-13s to register accounts without the explicit permission from their parents. The watchdog accused the pair of violating the US Children’s Online Privacy Protection Act (COPPA) that forbids the collection of kids’ personal information without parental consent.

    In Yelp’s case, the FTC said pre-teens could create profiles and submit reviews thanks to broken age verification code in the mobile app. As a result, youngsters were not detected and blocked from the service, and the company ended up storing data on underage users.

    As a result, Yelp has agreed to pay a “civil penalty” of $450,000 as an out-of-court settlement, while TinyCo will pay $300,000. As part of the deal, the companies will neither admit nor deny any of the charges

    The FTC said it hopes the penalties will underscore to other developers the importance of not just paying lip service to parental permission requirements, but also making sure their verification tools are functioning as intended.

    Reply
  27. Tomi Engdahl says:

    No, minister Turnbull, IP addresses aren’t part of routine billing data collection
    Meta-splaining Malcolm’s metadata misstep
    http://www.theregister.co.uk/2014/08/11/no_minister_turnbull_ip_addresses_arent_part_of_routine_billing_data_collection/

    Australia’s government is still trying to explain exactly what its metadata retention regime will capture

    On Friday, Turnbull joined the list of government ministers who have made contradictory statements about metadata collection, saying that IP addresses will and won’t be included in the metadata collection regime.

    “What I can confirm is that the law enforcement agencies, and therefore the government is not seeking that the telcos … retain any information that they are not not currently retaining. In particular they are not seeking that the telcos retain details of your Web browsing history, which sites you go to, which IP addresses you connect with” (emphasis added).

    Partly, Clark said, it depends on whether a user is on a fixed or mobile connection.

    “When it’s a mobile network connecting to a mobile device – a GSM-based system where you’re using 3G or 4G or LTE protocols – there’s pretty good binding between the IP address and the handset,

    Reply
  28. Tomi Engdahl says:

    Critical Adobe Reader and Acrobat patches FINALLY make it out
    Eight vulns healed, including XSS and DoS paths
    http://www.theregister.co.uk/2014/09/17/adobe_reader_delayed_patch_released/

    Mac and Windows users of Adobe Reader XI (11.0.08) and earlier versions should update to version 11.0.09.

    Adobe Reader X (10.1.11) users who can’t upgrade are being offered a patched version of the earlier release, version 10.1.12.

    Sysadmins should note that applying the patches will involve a system restart.

    that’s a nasty cocktail so it’s no surprise that Adobe delayed Reader and Acrobat patches

    Reply
  29. Tomi Engdahl says:

    Egypt launches deep-packet inspection system with help from an American company
    http://www.theverge.com/2014/9/17/6350191/egypt-launches-deep-packet-inspection-with-help-from-an-american

    Deep-packet inspection is one of the most invasive things a country can do to its internet. Employed by repressive regimes from Russia to Bahrain, it lets governments look into the content of web traffic as it moves over the network, allowing them to censor websites in real time and conduct detailed surveillance of citizens’ activities on the web. They also require sophisticated equipment, usually provided by a western company. As a result, DPI installations are usually kept secret for as long as possible.

    But sometimes, they can’t. A Buzzfeed report seems to have caught the Egyptian government in the act, confirming that the country is currently installing a new DPI system with a company called See Egypt, a sister company to the American Blue Coat. Blue Coat got in trouble a few years ago for selling a similar system to Syria.

    The Egyptian system is capable of monitoring conversations on most chat apps, including Skype, WhatsApp, and Viber, as well as direct messages sent over Twitter.

    Reply
  30. Tomi Engdahl says:

    Chinese government hackers penetrated fed contractor systems 20 times, Senate probe reveals
    September 17, 2014 | By Dibya Sarkar
    http://www.fiercegovernmentit.com/story/chinese-govenrment-hackers-penetrated-fed-contractor-systems-20-times-senat/2014-09-17

    In one year alone, hackers working for the Chinese government penetrated computer networks of U.S. Transportation Command contractors at least 20 times, the Senate Armed Services Committee revealed Sept. 17 after a year-long investigation.

    The committee said TRANSCOM, which assists in mobilizing and deploying U.S. troops and equipment worldwide, was only aware of two of those intrusions.

    Specifically, the investigation examined a 12-month period starting June 1, 2012. The committee said there were 50 intrusions or other cyber events into contractors’ systems, of which at least 20 were described as advanced persistent threats typically associated with governments. All intrusions were attributed to China, the release said.

    “These peacetime intrusions into the networks of key defense contractors are more evidence of China’s aggressive actions in cyberspace,” Sen. Carl Levin (D-Mich.), who chairs the committee, said in a statement. “Our findings are a warning that we must do much more to protect strategically significant systems from attack and to share information about intrusions when they do occur.”

    Reply
  31. Tomi Engdahl says:

    Technology That Knows Who You Are: The Nymi Wristband
    http://www.eetimes.com/author.asp?section_id=36&doc_id=1323946&

    One of the most critical ingredients in creating a connected world is making sure that our technology knows who we are. Once our smart car, our smart TV, and even our smart toaster confirm our identity, they can provide more meaningful experiences, like the perfect in-car temperature, our favorite TV channel, or how light or dark we like our toast. Right now, we mostly use passwords and PINs to help our technology tell us apart from others, but these mechanisms are frustrating and cumbersome, and they definitely don’t feel very futuristic. One wristband, the Nymi, is about to change all that.

    The Nymi is a wristband that uses your cardiac rhythm or your unique heartbeat to identify who you are and then relays your identity to any connected thing via Bluetooth. Since the Nymi is something you wear, it offers persistent identity once you are authenticated, which means that you only need to confirm your identity once, rather than every time you want to get access to something.

    Bionym, the company behind the Nymi, is getting ready to ship its first batch of wristbands out in the fall of this year to those that have pre-ordered.

    Bionym is also focusing on building apps for the Nymi on every platform, including iOS, Android, PC, and Mac.

    “Identity is not just about security but also about different profiles and different behaviors that depend on a person’s preferences,”

    Reply
  32. Tomi Engdahl says:

    BitTorrent’s Encrypted P2P Chat App Bleep Opens To The Public, Adds Mac, Android Clients
    http://techcrunch.com/2014/09/17/bittorrents-encrypted-p2p-chat-app-bleep-open-to-the-public-adds-mac-android-clients/

    In the rush of new services for consumers that are concerned about their data privacy, make room for another messaging app. Peer-to-peer file distribution service BitTorrent is today announcing the public availability of Bleep — its encrypted P2P chat app for voice calls and texts that is still in alpha — with Mac and Android apps now available to download, in addition to the existing Windows app that was already part of the invite-only, closed alpha.

    BitTorrent — once more notorious for enabling piracy, now running in less turbulent waters as it courts advertisers and big-name partners — has been one of the more outspoken internet companies on the issue of data privacy these days in the wake of the NSA snooping revelations. Bleep is a product of that position.

    “Cloud-based services store personal information and private moments on servers, making them vulnerable to attacks,”writes Jaehee Lee, a product manager overseeing Bleep, in a blog post. “Privacy should not be up for debate. And privacy should not be hard to achieve.”

    One way that Bleep achieves this is through a server-less architecture (which is built around a distributed hash table, or DHT)

    Another is in how consumers can interface with the app: you can sign into the service using your email or mobile number, or you can access your client in incognito mode — “no Personally Identifiable Information is necessary.”

    On the subject of Bleep monetization, BitTorrent tells me that “There are several possibilities, including the potential to license the engine we built for Bleep. But for the time being the focus is on building the best possible serverless communications app possible. In typical Silicon Valley fashion, we’ll evaluate monetization models down the line.”

    Reply
  33. Tomi Engdahl says:

    Apple will no longer unlock most iPhones, iPads for police, even with search warrants
    http://www.washingtonpost.com/business/technology/2014/09/17/2612af58-3ed2-11e4-b03f-de718edeb92f_story.html

    Apple said Wednesday night that it is making it impossible for the company to turn over data from most iPhones or iPads to police — even when they have a search warrant — taking a hard new line as tech companies attempt to blunt allegations that they have too readily participated in government efforts to collect user information.

    The move, announced with the publication of a new privacy policy tied to the release of Apple’s latest mobile operating system, iOS 8, amounts to an engineering solution to a legal quandary: Rather than comply with binding court orders, Apple has reworked its latest encryption in a way that prevents the company — or anyone but the device’s owner — from gaining access to the vast troves of user data typically stored on smartphones or tablet computers.

    The key is the encryption that Apple mobile devices automatically put in place when a user selects a passcode, making it difficult for anyone who lacks that passcode to access the information within, including photos, e-mails and recordings. Apple once maintained the ability to unlock some content on devices for legally binding police requests but will no longer do so for iOS 8, it said in the new privacy policy.

    Apple will still have the ability — and the legal responsibility — to turn over user data stored elsewhere, such as in its iCloud service, which typically includes backups of photos, videos, e-mail communications, music collections and more. Users who want to prevent all forms of police access to their information will have to adjust settings in a way that blocks data from flowing to iCloud.

    Apple’s new privacy policy comes less than five months after the Supreme Court ruled that police in most circumstances need a search warrant to collect information stored on phones.

    Tim Cook reiterates commitment to user privacy and security in letter on Apple website, launches new security page
    http://9to5mac.com/2014/09/17/tim-cook-reiterates-commitment-to-user-privacy-and-security-in-letter-on-apple-website-launches-new-security-page/

    The executive also reiterated previous claims that neither he nor any part of the company has collaborated with governments to provide access to user information, noting again that Apple does not read users’ email, iMessages, and other communications. He also pointed out that there is no “profile” being created about user browsing habits or other data points that often interest advertisers.

    The company also added a new “built-in security” page to its website which explains all of the measures put in place to keep user data private. It includes information about the security protecting iMessage, FaceTime, iCloud, Safari, Maps, Siri, Mail, the App Store, the new Health application, HomeKit, Spotlight, and the upcoming Apple Pay system.

    We’ve built privacy into the things you use every day.
    http://www.apple.com/privacy/privacy-built-in/

    The moment you begin using an Apple product or service, strong privacy measures are already at work protecting your information. We build extensive safeguards into our apps and the operating systems they run on.

    Apple’s health privacy pitch hits Hill
    http://www.politico.com/story/2014/09/apples-health-privacy-pitch-hits-hill-111033.html

    A week after Apple rolled out new products that track users’ health and fitness, the company dispatched its executives to Capitol Hill to address emerging privacy and security concerns.

    Apple’s latest innovations, from its updated iPhone 6 to the Apple Watch, offer users the ability to monitor their heartbeats, count their steps and more. But those tools have piqued Washington’s interest because of the sheer amount of data Apple might be able to collect and tap — fears the company tried to assuage with a presentation in the nation’s capital on Tuesday.

    The meeting marks a rare overture for Apple, a company that’s beginning to engage Washington more directly under CEO Tim Cook.

    Apple unveiled the iPhone 6 and Apple Watch last week, along with the Apple Pay mobile payments system. But Apple’s foray into health tracking — and the company’s tool for managing that data, HealthKit — particularly has registered on regulators’ radars.

    “When new technologies emerge in consumer markets, they inevitably lead to new questions, including questions about privacy,”

    A message from Tim Cook about Apple’s commitment to your privacy.
    http://www.apple.com/privacy/

    Security and privacy are fundamental to the design of all our hardware, software, and services, including iCloud and new services like Apple Pay. And we continue to make improvements. Two-step verification, which we encourage all our customers to use, in addition to protecting your Apple ID account information, now also protects all of the data you store and keep up to date with iCloud.

    We believe in telling you up front exactly what’s going to happen to your personal information and asking for your permission before you share it with us. And if you change your mind later, we make it easy to stop sharing with us. Every Apple product is designed around those principles. When we do ask to use your data, it’s to provide you with a better user experience.

    Our business model is very straightforward: We sell great products. We don’t build a profile based on your email content or web browsing habits to sell to advertisers. We don’t “monetize” the information you store on your iPhone or in iCloud. And we don’t read your email or your messages to get information to market to you. Our software and services are designed to make our devices better. Plain and simple.

    One very small part of our business does serve advertisers, and that’s iAd.

    Reply
  34. Tomi Engdahl says:

    Apple turns Activation Lock on by default in iOS 8 to appease regulators calling for kill switch
    http://9to5mac.com/2014/09/17/apple-turns-activation-lock-on-by-default-in-ios-8-to-appease-regulators-calling-for-kill-switch/

    Apple is reportedly turning its Activation Lock theft deterrent feature on by default in iOS 8 as it moves to please politicians attempting to require smartphone makers to implement a remote “kill switch” to disable stolen devices. The news comes from Attorney General Eric Schneiderman and San Francisco District Attorney George Gascón, who praised Apple’s decision in a statement today.

    Apple first introduced the feature, which requires an Apple ID and password to reactivate a stolen phone after being remotely erased/wiped by the owner through Apple’s Find my iPhone app, alongside iOS 7 last year. Apple previously asked users setting up a new device to optionally enable Find My iPhone, which includes the Activation Lock feature.

    Reply
  35. Tomi Engdahl says:

    So the Chinese web shop conveys Finns’ usernames
    Helsingin Sanomat acquired a University of Helsinki username and password from China’s biggest online store, Taobao

    Millions of really useful and licit products are sold there, but strange and illegal products are sold as well. For example, stolen usernames and passwords for computer systems.

    Helsingin Sanomat found out that you can buy user rights on Taobao, at least to the University’s information systems. Some of the millions of Taobao merchants advertise their service, that they can not buy access to academic research databases. Sellers’ websites mention the universities whose library usernames are available. One seller’s list, for example, lists Swedish, Danish, and several American universities.

    The test showed that a full username and password for the University of Helsinki services could be obtained from the Chinese online store for about 19 euro. According to the University’s security expert Kenneth Kahr, the university has known that hackers generally seek their way into the user IDs of all potential organizations (companies, agencies etc.) and possibly sell them. Kahr says that it is impossible to say how the username HS acquired ended up being sold on Taobao. Often, hackers try to get usernames by means such as malware or phishing.

    The number of sellers on Taobao is higher than the Finnish national population, so the selection is wide. Taobao has about nine million sellers, of which about three million are active, said Alibaba Group’s President and CEO Jack Ma publicly last October.

    Source: http://www.hs.fi/kotimaa/N%C3%A4in+kiinalainen+nettikauppa+v%C3%A4litt%C3%A4%C3%A4+suomalaisten+k%C3%A4ytt%C3%A4j%C3%A4tunnuksia/a1305874890487

    Reply
  36. Tomi Engdahl says:

    The Information Society Programme in my memories

    At the end of 2006 the Prime Minister’s Office published the National Information Society Strategy 2007-2015.

    The seamless integration of information and communication technology into Finnish society was seen as a key factor of production in the future.

    What, then, was not anticipated?

    Turbulence in the global economy, in the business world in general, and in particular in the activities of Finnish companies.

    Cyber-threats have materialized from curiosities into serious factors shaping the information society. Talking about security no longer means spam protection and defence against random hacker activity, but something completely different.

    Source: http://www.tivi.fi/cio/blogit/CIO_100_blogi/tietoyhteiskuntaohjelma+muistoissani/a1012225

    Reply
  37. Tomi Engdahl says:

    Q2 2014: Malicious actors switch tactics to build, deploy and conceal powerful botnets
    Server-side botnets prey on web vulnerabilities, reflection attacks continue to let attackers do more with less
    http://www.prolexic.com/campaigns/2014/q2-2014-attack-report/gad-rem.html?cvosrc=Retargeting.GoogleRetargeting.AR-Q2-2014&gclid=CNuCufqO68ACFWfqcgodFRQAug

    From April to June 2014, DDoS attack activity remained near the first quarter’s record-setting levels. Compared to Q2 a year ago, average bandwidth was up 72 percent, and peak bandwidth increased 241 percent, while attack duration was only half as long.

    The powerful attacks in Q2 were largely fueled by reflection-based attacks that misuse common Internet protocols on open and vulnerable servers and server-side botnets that take advantage of web vulnerabilities in instances of Linux, Windows, and content management systems (CMSs) such as WordPress, Joomla and their plugins. With server-based attacks, malicious actors can cause more damage with fewer resources.

    Reply
  38. Tomi Engdahl says:

    A look at Point of Sale RAM scraper malware and how it works
    http://nakedsecurity.sophos.com/2013/07/16/a-look-at-point-of-sale-ram-scraper-malware-and-how-it-works/

    A special kind of malware has been hitting the headlines recently – that which attacks the RAM of Point of Sale (PoS) systems.

    Although it’s been getting quite a bit of publicity recently, we actually first identified it as a threat back in December 2009 and wrote about it in an article on Naked Security entitled Will RAM scraping loosen the sky and make it fall?.

    Answering that question today, it just might!

    Reply
  39. Tomi Engdahl says:

    Target Breach: 8 Facts On Memory-Scraping Malware
    Target confirmed that malware compromised its point-of-sale systems. How does such malware work, and how can businesses prevent infections?
    http://www.darkreading.com/attacks-and-breaches/target-breach-8-facts-on-memory-scraping-malware/d/d-id/1113440?page_number=1

    What is memory-scraping malware, and how can it be stopped?

    Malware that attacks the RAM inside point-of-sale (POS) devices — the fancy name for digital cash registers used by everyone from retailers and restaurants to hoteliers and hospitals — leapt into the spotlight this week after it was tied to the recent breach of Target, and by extension, breaches involving Neiman Marcus and other as-yet-unnamed retailers.

    In the wake of Target’s admission, here’s what businesses and their customers should know about RAM-scraping malware and how to stop it.

    1. Memory-scraping malware isn’t new. Memory-scraping attacks date from at least 2011,

    2. POS malware routes around encryption. Memory-scraping malware is typically designed to target Track 1 and Track 2 data — including a cardholder’s name, card number, expiration date, and the card’s three-digit security code (a.k.a. CVV or CVC) — at the place where it’s most vulnerable to being intercepted: in memory, where it’s in plaintext format.

    “There is that opportunity to steal the credit card information when it is in memory, perhaps even before your payment has even been authorized, and the data hasn’t even been written to the hard drive yet,” said Cluley. “In some ways, it’s understandable that the bad guys did this because the Payment Card Industry Data Security Standards — PCI DSS — tell retailers that if you write this [card] information to a hard disk or any other type of media it has to be strongly encrypted so nothing can grab it, and if you transmit it must be strongly encrypted, so nothing can intercept it in transit.”

    3. Security wrinkle: plaintext realities. Unfortunately, it’s not feasible to encrypt data in POS system memory. “No matter how strong your encryption is, if the system needs to process data or process the code, everything needs to be decrypted in memory,”

    4. US-CERT hint: Dexter, Stardust RAM malware. What particular type of malware was used to attack Target or Neiman Marcus?

    5. Likely attack vectors. How do attackers infect POS systems with malware? To answer that question, it helps to understand that POS devices are network-connected, and thus any system that touches that network might be an infiltration point. Likewise, unsecured wireless networks may also give attackers an entry point.

    That’s why POS devices are vulnerable to phishing attacks, as long as attackers can get their malware to jump from an infected PC to POS devices.

    6. POS malware is easy to hide. If attackers gain access to the production network to which POS devices are connected, detecting or intercepting related malware-dropping attacks aimed at those POS devices may be quite difficult.

    7. POS network must be secured. How can retailers block attacks that aim to sneak malware onto POS devices? The US-CERT warning recommends these six best-practices: use strong passwords to access POS devices, keep POS software up to date, use firewalls to isolate the POS production network from other networks or the Internet, employ antivirus tools, limit access to the Internet from the production network, and disable all remote access to POS systems.

    8. Can POS device security be verified?
    “It suggests that Target may have dropped the ball somewhat, not only in terms of verifying those devices but verifying that the image on those devices hasn’t changed,”

    Reply
  40. Tomi Engdahl says:

    2014 US IT Salary Survey: Security
    http://reports.informationweek.com/abstract/166/12507/Professional-Development-and-Salary-Data/2014-US-IT-Salary-Survey:-Security.html?cid=smartbox_techweb_analytics_7.300005621

    Some stats:

    >> 70% of staffers say outsourcing has had no impact on their career paths.

    >> 50% of managers say they’re challenged intellectually with the projects they are working on.

    >> 18% of staffers say they’re very satisfied with their jobs.

    >> 17% of managers received raises of more than 10% in the past year.

    Reply
  41. Tomi Engdahl says:

    Context Hacks Into Canon IoT Printer to Run Doom
    http://www.informationsecuritybuzz.com/context-hacks-canon-iot-printer-run-doom/

    Researchers at Context Information Security have successfully managed to remotely access the web interface on a Canon Pixma printer and modify firmware from the Internet to run the classic 90s computer game Doom.

    The researchers also used up ink by printing out hundreds of copies of random documents. Had they had more sinister implications, they could have easily uploaded an infected image file to the printer that they then could have used to spy on what documents were being printed and establish a gateway into the printer’s network.

    The techniques used to compromise the printer were recently presented at 44Con in London by Mike Jordon, head of research at Context. An article and video detailing the findings can be found here: http://www.contextis.co.uk/resources/blog/hacking-canon-pixma-printers-doomed-encryption/.

    “This latest example further demonstrates the insecurities posed by the emerging Internet of Things as vendors rush to connect their devices,” said Context’s Mike Jordon. “The printer’s web interface did not require user authentication, allowing anyone to connect to it. But the real issue is with the firmware update process. If you can trigger a firmware update, you can also change the web proxy settings and the DNS server; if you can change these, then you can redirect where the printer goes to check for a new firmware update and install custom code – in our case, a copy of Doom.”

    Context sampled 9,000 of the 32,000 IPs that the web site Shodan (http://www.shodanhq.com) indicated may have a vulnerable printer. Out of these IPs, 1,822 responded, and 122 indicated that they may have a firmware version that could be compromised (around 6%). “Even if the printer is not connected directly to the Internet behind a NAT on a user’s home network or on an office intranet, for example, it is still vulnerable to remote attack,” adds Jordon.

    Context recommends that wireless printers or any other potential IoT devices remain unconnected to the Internet. “We are not aware of anyone actively using this type of attack for malicious purposes. Hopefully by raising awareness, we can encourage vendors to increase the security of this new generation of devices,” says Jordon. “And of course it is important to always apply the latest available firmware.”

    Reply
  42. Tomi Engdahl says:

    Hacking Canon Pixma Printers – Doomed Encryption
    http://www.contextis.co.uk/resources/blog/hacking-canon-pixma-printers-doomed-encryption/

    This blog post is another in the series demonstrating current insecurities in devices categorised as the ‘Internet of Things’. This instalment will reveal how the firmware on Canon Pixma printers (used in the home and by SMEs) can be modified from the Internet to run custom code. Canon Pixma wireless printers have a web interface that shows information about the printer, for example the ink levels, which allows for test pages to be printed and for the firmware to be checked for updates.

    Context recommends that you do not put your wireless printers on the Internet, or any other ‘Internet of Things’ device.

    Reply
  43. Tomi Engdahl says:

    Next Android To Enable Local Encryption By Default Too, Says Google
    http://it.slashdot.org/story/14/09/18/2127243/next-android-to-enable-local-encryption-by-default-too-says-google

    The same day that Apple announced that iOS 8 will encrypt device data with a local code that is not shared with Apple, Google has pointed out that Android already offers the same feature as a user option and that the next version will enable it by default.

    Newest Androids will join iPhones in offering default encryption, blocking police
    http://www.washingtonpost.com/blogs/the-switch/wp/2014/09/18/newest-androids-will-join-iphones-in-offering-default-encryption-blocking-police/?hpid=z1&wp_login_redirect=0

    The next generation of Google’s Android operating system, due for release next month, will encrypt data by default for the first time, the company said Thursday, raising yet another barrier to police gaining access to the troves of personal data typically kept on smartphones.

    Android has offered optional encryption on some devices since 2011, but security experts say few users have known how to turn on the feature. Now Google is designing the activation procedures for new Android devices so that encryption happens automatically; only somebody who enters a device’s password will be able to see the pictures, videos and communications stored on those smartphones.

    “For over three years Android has offered encryption, and keys are not stored off of the device, so they cannot be shared with law enforcement,” said company spokeswoman Niki Christoff. “As part of our next Android release, encryption will be enabled by default out of the box, so you won’t even have to think about turning it on.”

    Reply
  44. Tomi Engdahl says:

    Russian botnet suspects cuffed over romantic MMS spyware allegs
    Avast! Belay that ‘RomanticVK’ order – there be MONSTERS
    http://www.theregister.co.uk/2014/09/19/mobile_botnet_arrests_russia/

    Russian cops have arrested two mobile botnet cybercrime suspects as part of an ongoing investigation that’s reckoned to be the first of its kind in Russia.

    The unnamed duo, aged 25 and 24 and both resident in Arkhangelsk (a city in the north of European Russia) were arrested as part of an investigation into attempts to defraud customers of Sberbank using Android-based malware.

    Reply
  45. Tomi Engdahl says:

    Google Apple grapple brings crypto cop block to Android
    Belike tears of joy to this old seadog’s eyes, lad
    http://www.theregister.co.uk/2014/09/19/google_apple_grapple_brings_crypto_cop_block_to_android/

    Google has told The Washington Post it will introduce default encryption into its new Android fondleslabs in a bid to foil police forensics (and maybe to copy or catch up with Apple).

    The security enhancement follows Apple’s release of iOS 8, which introduced broader encryption, and will ensure Google-powered devices will be equally attractive to those who value their privacy.

    Apple’s new privacy policy will make it hard to access user data because the fruity company does not hold the users’ encryption key, “unlike competitors.”

    “Unlike our competitors, Apple cannot bypass your passcode and therefore cannot access this data.

    “So it’s not technically feasible for us to respond to government warrants for the extraction of this data from devices in their possession running iOS 8.”

    Apple’s stance may, however, not be technically correct, if forensics expert Jonathan Zdziarski is right: he’s written that Apple’s new arrangements offer “plausible deniability” but leave data like emails and photos open to access by police forensic tools.

    “The move … amounts to an engineering solution to a legal quandary: Rather than comply with binding court orders, Apple has reworked its latest encryption in a way that prevents the company — or anyone but the device’s owner — from gaining access to the vast troves of user data typically stored on smartphones or tablet computers,” Zdziarski has blogged.

    “Apple wants you to be able access your photos and other information from your desktop while the phone is locked – for ease of use. This, unfortunately, also opens up the capability for law enforcement to also use this mechanism to dump”

    Reply
  46. Tomi Engdahl says:

    Ten years on, TEN PER CENT of retailers aren’t obeying CAN-SPAM
    Unscrupulous marketers are, guess what, still being gits
    http://www.theregister.co.uk/2014/09/18/can_spam_incompliance/

    One in 10 of the world’s largest online retailers are still violating the CAN-SPAM Act, a full 10 years after the US anti-spam legislation went into effect.

    The retailers who violated CAN-SPAM did so by either a) failing to honor an unsubscribe request within 10 business days or b) failing to have a functional unsubscribe link within their emails.

    The Online Trust Alliance (OTA) is not naming any of the retailers who failed CAN-SPAM, “because the organization aims to recognize industry leaders, as opposed to publicly shaming companies,” according to a spokesman.

    Both laws help to protect consumers from abuse by establishing mandatory standards for the dissemination of commercial email.

    Reply
  47. Tomi Engdahl says:

    How Apple Made Your iPhone 6 Much Less Likely To Be Stolen
    http://www.forbes.com/sites/ellenhuet/2014/09/18/iphone-6-default-kill-switc/

    To you, your new iPhone 6 looks like a gleaming sheet of technological magic — but to a thief, it looks like a shiny, worthless brick.

    That’s because every iPhone 6 and iPhone 6 Plus comes with Activation Lock — Apple’s “kill switch” — on by default. Every phone, if stolen, can be wiped remotely and “bricked,” which makes it worth almost nothing to thieves, who usually want to re-sell stolen phones quickly for profit.

    Apple introduced Activation Lock with the iOS 7 release a year ago, so many current phones already have it turned on. But the feature is opt-in, and too many iPhone users still haven’t turned it on. Even today, thieves still have a good chance of striking gold — except with the newest models.

    “The iPhone 6 is going to be a less attractive device for thieves,”

    Reply
  48. Tomi Engdahl says:

    Newest Androids will join iPhones in offering default encryption, blocking police
    http://www.washingtonpost.com/blogs/the-switch/wp/2014/09/18/newest-androids-will-join-iphones-in-offering-default-encryption-blocking-police/

    The next generation of Google’s Android operating system, due for release next month, will encrypt data by default for the first time, the company said Thursday, raising yet another barrier to police gaining access to the troves of personal data typically kept on smartphones.

    Reply
  49. Tomi Engdahl says:

    Home Depot: 56M Cards Impacted, Malware Contained
    http://krebsonsecurity.com/2014/09/home-depot-56m-cards-impacted-malware-contained/

    Home Depot said today that cyber criminals armed with custom-built malware stole an estimated 56 million debit and credit card numbers from its customers between April and September 2014. That disclosure officially makes the incident the largest retail card breach on record.

    The disclosure, the first real information about the damage from a data breach that was initially disclosed on this site Sept. 2, also sought to assure customers that the malware used in the breach has been eliminated from its U.S. and Canadian store networks.

    “To protect customer data until the malware was eliminated, any terminals identified with malware were taken out of service, and the company quickly put in place other security enhancements,” the company said via press release (PDF). “The hackers’ method of entry has been closed off, the malware has been eliminated from the company’s systems, and the company has rolled out enhanced encryption of payment data to all U.S. stores.”

    That “enhanced payment protection,” the company said, involves new payment security protection “that locks down payment data through enhanced encryption, which takes raw payment card information and scrambles it to make it unreadable and virtually useless to hackers.”

    “Home Depot’s new encryption technology, provided by Voltage Security, Inc., has been tested and validated by two independent IT security firms,” the statement continues.

    The Target breach lasted roughly three weeks, but it exposed some 40 million debit and credit cards because hackers switched on their card-stealing malware during the busiest shopping season of the year.

    Reply
  50. Tomi Engdahl says:

    In-depth: How CloudFlare promises SSL security—without the key
    CEO shares technical details about changing the way encrypted sessions operate.
    http://arstechnica.com/information-technology/2014/09/in-depth-how-cloudflares-new-web-service-promises-security-without-the-key/

    Content delivery network and Web security company CloudFlare has made a name for itself by fending off denial-of-service attacks against its customers large and small. Today, it’s launching a new service aimed at winning over the most paranoid of corporate customers. The service is a first step toward doing for network security what Amazon Web Services and other public cloud services have done for application services—replacing on-premises hardware with virtualized services spread across the Internet.

    Called Keyless SSL, the new service allows organizations to use CloudFlare’s network of 28 data centers around the world to defend against distributed denial of service attacks on their websites without having to turn over private encryption keys. Keyless SSL breaks the encryption “handshake” at the beginning of a Transport Layer Security (TLS) Web session, passing part of the data back to the organization’s data center for encryption. It then negotiates the session with the returned data and acts as a gateway for authenticated sessions—while still being able to screen out malicious traffic such as denial of service attacks.

    In an interview with Ars, CloudFlare CEO Matthew Prince said that the technology behind Keyless SSL could help security-minded organizations embrace other cloud services while keeping a tighter rein on them. “If you decide you’re going to use cloud services today, how you set policy across all of these is impossible,” he said. “Now that we can do this, fast forward a year, and we can do things like data loss prevention, intrusion detection… all these things are just bytes in the stream, and we’re already looking at them.”

    The development of Keyless SSL began about two years ago, on the heels of a series of massive denial of service attacks against major financial institutions alleged to have been launched from Iran.

    The banks weren’t able to use existing content delivery networks and other cloud technology to protect themselves either, because of the regulatory environment. “They said, ‘We can’t trust our SSL keys with a third party, because if they lose one of those keys, it’s an event we have to report to the Federal Reserve,’”

    Prince and his team had nothing to offer the banks at the time. “These guys need us, but there’s no vault we can ever build that they’ll trust us with their SSL keys,” he said. So CloudFlare system engineers Piotr Sikora and Nick Sullivan started working on ways to allow the banks to hold onto their private keys. The answer was to change what happens with the SSL handshake itself.

    Once that’s complete, the CloudFlare data center is able to manage the session with the client, caching the session key and using it to encrypt cached, static content from the organization’s website back to the client. Requests for dynamic data are passed through to the back-end servers on the organization’s server, and responses are passed through (encrypted) to the client Web browser.

    CloudFlare’s data centers can spread out requests for a single session across all the servers in each data center through CloudFlare’s key store, an in-memory database of hashed session IDs and tickets.

    Prince said that CloudFlare already has a “handful of beta customers, which include some of the top 10 financial institutions,” up and running on Keyless SSL.

    Reply
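To make the split handshake described in that comment concrete, here is an added toy model (not CloudFlare’s code, nor from the Ars article): the edge terminates an RSA-key-exchange TLS session but must forward the encrypted premaster secret to an origin-side key server, the only party holding the private key. Textbook RSA without padding, a 512-bit demo key and an HMAC stand-in for the TLS PRF are assumptions made to keep the example self-contained.

```python
import hashlib
import hmac
import math
import os
import random

def _is_probable_prime(n, rounds=20):
    """Miller-Rabin for odd n > 3; adequate for a throwaway demo key only."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand

class OriginKeyServer:
    """Runs in the customer's own data centre and is the only holder of d."""
    def __init__(self, bits=512):
        self.e, self.requests = 65537, 0
        while True:  # retry until e is invertible modulo phi(n)
            p, q = _random_prime(bits), _random_prime(bits)
            phi = (p - 1) * (q - 1)
            if math.gcd(self.e, phi) == 1:
                break
        self.n, self._d = p * q, pow(self.e, -1, phi)

    def decrypt_premaster(self, ciphertext):
        """The single private-key operation the edge has to ask the origin for."""
        self.requests += 1
        return pow(ciphertext, self._d, self.n).to_bytes(48, "big")

def derive_session_key(premaster, client_random, server_random):
    """Stand-in for the TLS PRF: both ends compute it, neither needs d."""
    return hmac.new(premaster, client_random + server_random, hashlib.sha256).digest()

class EdgeServer:
    """The CDN terminator: holds session keys and plaintext, never the private key."""
    def __init__(self, key_server):
        self.key_server, self.server_random = key_server, os.urandom(32)
        self.session_keys = {}  # the in-memory "key store": session id -> key

    def client_key_exchange(self, client_random, encrypted_premaster):
        premaster = self.key_server.decrypt_premaster(encrypted_premaster)
        session_id = hashlib.sha256(client_random + self.server_random).digest()[:16]
        self.session_keys[session_id] = derive_session_key(premaster, client_random, self.server_random)
        return session_id

def run_keyless_handshake():
    """Returns (client and edge agree on key, origin round-trips, edge holds d)."""
    origin = OriginKeyServer()
    edge = EdgeServer(origin)
    client_random, premaster = os.urandom(32), os.urandom(48)  # 384 bits < n
    ciphertext = pow(int.from_bytes(premaster, "big"), origin.e, origin.n)
    session_id = edge.client_key_exchange(client_random, ciphertext)
    client_key = derive_session_key(premaster, client_random, edge.server_random)
    return client_key == edge.session_keys[session_id], origin.requests, hasattr(edge, "_d")
```

With an ECDHE cipher suite the same split applies, except that the origin key server signs the ServerKeyExchange instead of decrypting a premaster secret; either way the edge only ever sees per-session material.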
