Security trends for 2014

Year 2014 will be a year of cybersecurity after the NSA revelations made in 2013: the headline news is that the NSA has surreptitiously “burrowed its way into nearly all the security architecture” sold by the world’s largest computer networking companies. A lot of people were shocked at how the NSA monitored and hacked almost everything on the Internet. There will still be NSA aftershocks as new material comes out and different parties react to it (and news sources write about it). U.S. cloud services have been put into question for good reason. There will be a lot of NSA spying litigation. Those spying issues will also fuel some hacktivism (it has already started to happen).

The Security Professionals: Top Cyber Threat Predictions for 2014 article lists the following predictions, which seem pretty probable: Cybersecurity Regulatory Efforts Will Spark Greater Need for Harmonization, Service-Impacting Interruptions for Online Services Will Persist, We Will See an Increase in Cybercrime Activity Related to the World Cup, Rise of Regional Cloud Services, Dev-Ops Security Integration Fast Becoming Critical, Cybercrime that Leverages Unsupported Software will Increase, Increase in Social Engineering and Ransomware will Impact More People.

Ubiquitous mobile computing is all around us, which will lead to increased risks and concerns about social network privacy. Social networks have quickly become the key organizing principle of Internet communication and collaboration. Android anti-virus apps CAN’T kill nasties on sight like normal AV.

2013 was a very hacked year, with many cases where information on millions or tens of millions of users was stolen from companies. It’s likely that we will see much more of the same in 2014, since the way people use passwords and the way on-line services are built have not changed much in one year.


Gartner predicts that through 2014, improved JavaScript performance will begin to push HTML5 and the browser as a mainstream enterprise application development environment. I expect HTML5 related security issues to increase due to the fact that the technology will be used more in 2014.

Over 50% of net traffic to web sites is made by bots! The More Than Half of Internet Traffic Is Just Bots article says that security and cloud service provider Incapsula analyzed traffic and found that more than 60 percent of internet traffic is computer generated, compared to less than 40 percent of traffic that is driven by human clicks. 31% of bots are still malicious. SEO link building has always been a major motivation for automated link spamming, but it is decreasing due to the fact that Google was able to discourage it. There is more advanced hacking and automatic vulnerability searching.

DDoS attacks are evolving from volumetric Layer 3-4 attacks to much more sophisticated and dangerous Layer 7 multi-vector threats.

There will still be many SCADA security issues in 2014. Even though traditional SCADA vulnerabilities have become easier to find, the increased connectivity brought by IoT will cause new issues. And there will still be very many control systems openly accessible from the Internet to practically everybody who knows how to find them. A large number of SCADA systems were found open on the Internet at the beginning of 2013, and the numbers have not dropped considerably during the year. I expect that very many of those systems will still be too open at the end of 2014.

The Internet is expanding into enterprise assets and consumer items such as cars and televisions. The Internet of Things (IoT) will evolve into the Web of Things, increasing the coordination between things in the real world and their counterparts on the Web. There will be many security issues to solve, and as these systems become more widely used, more security issues will be found in them.

Cloud security will be talked about. Hopefully there will be some clean-up of the terminology in that area, because cloud security can mean a lot of things, like the term cloud computing. Cloud security could mean how secure your cloud provider is, a service that runs in the cloud filtering what comes through it (for example e-mails, web traffic), a product protecting some service running in the cloud, or a traditional anti-virus service that connects to the cloud to enhance its operation (for example to update in real time, or to verify unknown programs based on data in the cloud). Research firm Gartner forecasts that cloud security sales will increase dramatically in the next few years. Cloud security sales have increased over the past year by 2.1 billion to $3.1 billion in 2015.

Marketers try to put the “cloud” term into security product brochures as much as they can. Cloud makes traditional information security sound old-fashioned because companies are under pressure to move services to the cloud. Also, mobile devices and dispersed users set new standards for information security. OpenDNS’s CTO Dan Hubbard says that “Because the data and equipment run in the cloud, the cloud is the best way to protect users.” The Snowden Effect will also bring PRIVATE cloud talk to the table this year for security reasons, because U.S. cloud services have been put into question for good reason.

In Finland a new Cyber Security Center started at the beginning of 2014. Security articles and warnings from it will be published at kyberturvallisuuskeskus.fi.

Late addition: Crypto-currencies like Bitcoin and similar are on the rise. Early adopters already use them actively. Those crypto-currencies have many security related issues. The values of the crypto-currencies vary quite a lot, and the value easily drops considerably when they get so widely used that different governments try to limit their use. Bitcoin is increasingly used as a ransomware payment method. Bitcoins have been stolen quite a lot lately (and I expect that to increase when usage increases), from users, on-line wallets and exchanges. When more money is involved, more bad guys try to get in to get some of it. Sometimes bad guys do not try to steal your money, but use resources you pay for (your own PC, your server capacity, etc.) to generate money for them without you knowing about it. If you plan to use those crypto-currencies, be careful to understand what you are doing with them; there is a real possibility that you can lose your money, and there is no way that lost money can be recovered.

3,382 Comments

  1. Tomi Engdahl says:

    iPhone 4 phones in the mobile browser at risk
    24/09/2014 at 16:55

    Security updates are no longer available for Apple iPhone 4 phones. A vulnerability has been found in the phone’s browser which an attacker is able to use to take control of the phone.

    Apple iPhone 4 phones may no longer get the most recent operating system. The latest operating system available for this model is iOS 7, whose Safari mobile browser has the vulnerability, and a method for using it is also freely available.

    This case highlights the problem of using obsolete equipment. Outdated devices and operating systems no longer get patches. Thus, the equipment remains permanently exposed to new abuse techniques: matching vulnerabilities can be used indefinitely.

    Source: https://www.viestintavirasto.fi/tietoturva/tietoturvanyt/2014/09/ttn201409241655.html

    Reply
  2. Tomi Engdahl says:

    Unix/Linux Bash: Critical security hole uncovered
    http://www.zdnet.com/unixlinux-bash-critical-security-hole-uncovered-7000034021/

    Summary: The popular Linux and Unix shell has a serious security problem that means real trouble for many web servers. Fortunately, a patch — as source code — is available.

    Bash, aka the Bourne-Again Shell, has a newly discovered security hole. And, for many Unix or Linux Web servers, it’s a major problem.

    The flaw involves how Bash evaluates environment variables. With specifically crafted variables, a hacker could use this hole to execute shell commands. This, in turn, could render a server vulnerable to ever greater assaults.

    “Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue.”

    The root of the problem is that Bash is frequently used as the system shell. Thus, if an application calls a Bash shell command via web HTTP or a Common-Gateway Interface (CGI) in a way that allows a user to insert data, the web server could be hacked. As Andy Ellis, the Chief Security Officer of Akamai Technologies, wrote: “This vulnerability may affect many applications that evaluate user input, and call other applications via a shell.”

    That could be a lot of web applications — including many of yours.

    So what can you do? First you should sanitize the web applications’ inputs. If you’ve already done this against such common attacks as cross-site scripting (XSS) or SQL injection, you’ll already have some protection.

    After that, I’d follow Akamai’s recommendation and switch “away from using Bash to another shell.” But keep in mind that the alternative shell will not use exactly the same syntax and it may not have all the same features. This means if you try this fix, some of your web applications are likely to start acting up.

    OpenSSH is also vulnerable via the use of AcceptEnv variables, TERM, and SSH_ORIGINAL_COMMAND. However, since to access those you already need to be in an authenticated session, you’re relatively safe. That said, you’d still be safer if you blocked non-administrative users from using OpenSSH until the underlying Bash problem is patched.

    Reply
  3. Tomi Engdahl says:

    Bash bug as big as Heartbleed
    By Robert Graham
    http://blog.erratasec.com/2014/09/bash-bug-as-big-as-heartbleed.html#.VCPp-xZsUik

    Today’s bash bug is as big a deal as Heartbleed. That’s for many reasons

    The first reason is that the bug interacts with other software in unexpected ways.

    An enormous percentage of software interacts with the shell in some fashion. Thus, we’ll never be able to catalogue all the software out there that is vulnerable to the bash bug. This is similar to the OpenSSL bug: OpenSSL is included in a bajillion software packages, so we were never able to fully quantify exactly how much software is vulnerable.

    Internet-of-things devices like video cameras are especially vulnerable because a lot of their software is built from web-enabled bash scripts. Thus, not only are they less likely to be patched, they are more likely to expose the vulnerability to the outside world.

    Unlike Heartbleed, which only affected a specific version of OpenSSL, this bash bug has been around for a long, long time. That means there are lots of old devices on the network vulnerable to this bug. The number of systems needing to be patched, but which won’t be, is much larger than Heartbleed.

    Bash ‘shellshock’ bug is wormable
    http://blog.erratasec.com/2014/09/bash-shellshock-bug-is-wormable.html#.VCPp_hZsUik

    Early results from my scan: there’s about 3000 systems vulnerable just on port 80, just on the root “/” URL, without Host field. That doesn’t sound like a lot, but that’s not where the bug lives.

    Firstly, only about 1 in 50 webservers respond correctly without the proper Host field. Scanning with the correct domain names would lead to a lot more results — about 50 times more.

    Secondly, it’s things like CGI scripts that are vulnerable, deep within a website (like CPanel’s /cgi-sys/defaultwebpage.cgi). Getting just the root page is the thing least likely to be vulnerable.

    Thirdly, it’s embedded webservers on odd ports that are the real danger. Scanning for more ports would give a couple times more results.

    Fourthly, it’s not just web, but other services that are vulnerable, such as the DHCP service reported in the initial advisory.

    Consequently, even though my light scan found only 3000 results, this thing is clearly wormable, and can easily worm past firewalls and infect lots of systems.

    Reply
  4. Tomi Engdahl says:

    Bash specially-crafted environment variables code injection attack
    https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/

    Bash or the Bourne again shell, is a UNIX like shell, which is perhaps one of the most installed utilities on any Linux system. From its creation in 1980, bash has evolved from a simple terminal based command interpreter to many other fancy uses.

    Coming back to the topic, the vulnerability arises from the fact that you can create environment variables with specially-crafted values before calling the bash shell. These variables can contain code, which gets executed as soon as the shell is invoked. The name of these crafted variables does not matter, only their contents. As a result, this vulnerability is exposed in many contexts, for example:

    ForceCommand is used in sshd configs to provide limited command execution capabilities for remote users. This flaw can be used to bypass that and provide arbitrary command execution. Some Git and Subversion deployments use such restricted shells. Regular use of OpenSSH is not affected because users already have shell access.
    Apache server using mod_cgi or mod_cgid are affected if CGI scripts are either written in bash, or spawn subshells. Such subshells are implicitly used by system/popen in C, by os.system/os.popen in Python, system/exec in PHP (when run in CGI mode), and open/system in Perl if a shell is used (which depends on the command string).
    PHP scripts executed with mod_php are not affected even if they spawn subshells.
    DHCP clients invoke shell scripts to configure the system, with values taken from a potentially malicious server. This would allow arbitrary commands to be run, typically as root, on the DHCP client machine.
    Various daemons and SUID/privileged programs may execute shell scripts with environment variable values set / influenced by the user, which would allow for arbitrary commands to be run.
    Any other application which is hooked onto a shell or runs a shell script as using bash as the interpreter. Shell scripts which do not export variables are not vulnerable to this issue, even if they process untrusted content and store it in (unexported) shell variables and open subshells.

    Reply
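    The Red Hat list above points at the CGI case: the web server copies request headers into HTTP_* environment variables, and anything that then spawns a shell (system/popen in C, os.system/os.popen in Python) hands those values to bash. The following is an added example, not code from the Red Hat post or from this blog, showing the application-side defence: drop any environment value that starts with the function-export marker “() {” before spawning a child, and spawn via an argument list rather than through a shell. The sample environment, the variable names and the helper names (scrub_env, run_without_shell, child_sees_user_agent) are constructed for the example; patching bash remains the real fix, and this is defence in depth for the window before the patch lands.

```python
import re
import subprocess
import sys

# Unpatched bash treated any exported variable whose value began with "() {"
# as a function definition and kept executing what followed the closing brace.
# The regex is deliberately a little more tolerant than bash itself was.
FUNC_EXPORT_RE = re.compile(r'^\s*\(\)\s*\{')

# Constructed CGI-style environment (assumption for this example): a web
# server exports request headers as HTTP_* variables, so an attacker controls
# their values. The User-Agent below is the probe string from the advisory.
SAMPLE_CGI_ENV = {
    "PATH": "/usr/bin:/bin",
    "REQUEST_METHOD": "GET",
    "HTTP_HOST": "www.example.com",
    "HTTP_USER_AGENT": "() { :;}; echo vulnerable",
}


def scrub_env(env):
    """Return (clean_env, dropped_names): copies of env without any value that
    looks like a bash function export. Allow-listing only the variables the
    child actually needs is stricter still and preferable where practical."""
    clean, dropped = {}, []
    for name, value in env.items():
        if FUNC_EXPORT_RE.match(value):
            dropped.append(name)
        else:
            clean[name] = value
    return clean, dropped


def run_without_shell(argv, env):
    """Spawn argv directly (no /bin/sh -c, so no shell parses the command
    line) with a scrubbed environment, and return the child's stdout.

    The vulnerable pattern this replaces is os.system("logger " + value):
    os.system goes through /bin/sh, which on many systems is bash, and the
    exported HTTP_* variables reach it untouched."""
    clean, _dropped = scrub_env(env)
    result = subprocess.run(argv, env=clean, capture_output=True,
                            text=True, check=False, timeout=30)
    return result.stdout.strip()


def child_sees_user_agent(env=SAMPLE_CGI_ENV):
    """Demonstration: spawn a Python child and report what it sees in
    HTTP_USER_AGENT. After scrubbing, the answer is 'absent'."""
    argv = [sys.executable, "-c",
            "import os; print(os.environ.get('HTTP_USER_AGENT', 'absent'))"]
    return run_without_shell(argv, env)


if __name__ == "__main__":
    clean, dropped = scrub_env(SAMPLE_CGI_ENV)
    print("dropped:", dropped)
    print("child sees HTTP_USER_AGENT:", child_sees_user_agent())
```

    Scrubbing matters even when no shell is invoked directly, because the child may itself be a bash script or may spawn one; the no-shell spawn and the scrubbed environment address two different links in the chain the Red Hat post describes.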
  5. Tomi Engdahl says:

    Unix/Linux Bash: Critical security hole uncovered

    Of course, the real fix will be to replace the broken Bash with a new, secure one. As of the morning of September 24, Bash’s developers have patched all current versions of Bash, from 3.0 to 4.3. At this time, only Debian and Red Hat appear to have packaged patches ready to go.

    Source: http://www.zdnet.com/unixlinux-bash-critical-security-hole-uncovered-7000034021/

    Reply
  6. Tomi Engdahl says:

    AWS to Reboot a Substantial Number of EC2 Instances
    http://www.rightscale.com/blog/rightscale-news/aws-reboot-substantial-number-ec2-instances

    Today Amazon Web Services (AWS) notified its customers that it will be rolling out an urgent patch to hosts causing a maintenance reboot of EC2 instances over the next several days starting on September 26, 2014, at 2:00 UTC/GMT (September 25, 2014, at 7:00 PM PDT) and ending on September 30, 2014, at 23:59 UTC/GMT (September 30, 2014, at 4:59 PM PDT).

    Reply
  7. Tomi Engdahl says:

    In-App Browsers Considered Harmful
    http://furbo.org/2014/09/24/in-app-browsers-considered-harmful/

    How many apps on your iPhone or iPad have a built-in browser?

    A few things to note about what you’re seeing:

    The information at the top of the screen is generated by the app, not the web page. This information could easily be uploaded to remote server.
    This is not phishing: the site shown is the actual Twitter website. This technique can be applied to any site that has a input form. All the attacker needs to know can easily be obtained by viewing the public facing HTML on the site.
    The app is stealing your username and password by watching what you type on the site. There’s nothing the site owner can do about this, since the web view has control over JavaScript that runs in the browser.
    The site content is also modified: the text on the button label is normally “Sign in” and has been changed to “SUCK IT UP”. It seemed appropriate.
    This technique works in iOS 7 and 8 (and probably earlier versions, but I didn’t have an easy way to test them.)

    Reply
  8. Tomi Engdahl says:

    Apple knew of iCloud security hole 6 months before Celebgate
    http://www.dailydot.com/technology/apple-icloud-brute-force-attack-march/

    Apple knew as early as March 2014 of a security hole that left the personal data of iCloud users vulnerable, according to leaked emails between the company and a noted security researcher.

    The emails, obtained earlier this month by the Daily Dot and reviewed by multiple security experts, show Ibrahim Balic, a London-based software developer, informing Apple of a method he’d discovered for infiltrating iCloud accounts.

    The strength of Apple’s security came under fire earlier this month after hundreds of celebrity nude photos, allegedly stolen from iCloud servers, flooded the Internet. While the exploit Balic says he reported to Apple shares a stark resemblance to the exploit allegedly used in the so-called “Celebgate” hack, it is currently unclear if they are the same vulnerability.

    Reply
  9. Tomi Engdahl says:

    Australian Senate Introduces Laws To Allow Total Internet Surveillance
    http://yro.slashdot.org/story/14/09/24/2241240/australian-senate-introduces-laws-to-allow-total-internet-surveillance

    New laws due to be passed in Australia allow intelligence agency ASIO to spy on domestic internet traffic like never before. The Sydney Morning Herald reports: “Spy agency ASIO will be given the power to monitor the entire Australian internet”

    New laws could give ASIO a warrant for the entire internet, jail journalists and whistleblowers
    http://www.smh.com.au/digital-life/consumer-security/new-laws-could-give-asio-a-warrant-for-the-entire-internet-jail-journalists-and-whistleblowers-20140923-10kzjz.html

    Spy agency ASIO will be given the power to monitor the entire Australian internet and journalists’ ability to write about national security will be curtailed when new legislation – expected to pass in the Senate as early as Wednesday – becomes law, academics, media organisations, lawyers, the Greens party and rights groups fear.

    The new laws – the first of many national security reforms – began being debated in the Senate on Tuesday and had previously been sent to a committee for public consultation.

    They say the recommendations do not address grave concerns they hold about the bill giving ASIO the power to monitor the entire internet with just one warrant and restricting what journalists write.

    “A network can essentially be anything from three computers on a Wi-Fi modem to potentially an entire corporate network or an entire internet service provider network or at the extreme end the whole internet,”

    “I accept that [agencies] should be able to access [a university or another organisation's computer] network but it should be strictly limited to those parts of the network to gain the intelligence on a particular [target],”

    Reply
  10. Tomi Engdahl says:

    Ask Slashdot: How To Keep Student’s Passwords Secure?
    http://ask.slashdot.org/story/14/09/25/0249243/ask-slashdot-how-to-keep-students-passwords-secure

    My son’s school is moving more and more online and is even assigning Chromebooks or iPads to students (depending on the grade). In some cases they may have books, but the books stay home and they have user names and passwords to the various text book sites. They also have user names/passwords to several other school resources. Most all the sites are 3rd party. So each child may have many user names (various formats) and passwords. They emphasized how these elementary kids needed to keep their passwords safe and not share them with other kids. However when asked about the kids remembering all the user names and passwords the school said they are going to have the kids write them down in a notebook.

    Comments:

    Just make sure they understand to keep the notebook safe. Ideally, they would write them down in a diary or the like, that contains other private information, but at least here only girls usually have these.

    How about we do away with passwords and have the kids get mandatory, government issued, RFID chips embedded under their skin. Problem solved!

    Reply
  11. Tomi Engdahl says:

    PayPal Announces Bitcoin Support
    by Jarred Walton on September 23, 2014 8:03 PM EST
    http://www.anandtech.com/show/8566/paypal-announces-bitcoin-support

    It’s been a long time in coming, but PayPal announced in a blog post today that they have partnered with BitPay, Coinbase, and GoCoin to allow merchants to accept Bitcoin. This comes just a few weeks after the announcement that businesses working with Braintree would be able to accept Bitcoin, and this is a more direct use of Bitcoin.

    Reply
  12. Tomi Engdahl says:

    Remote exploit vulnerability in bash CVE-2014-6271
    http://www.csoonline.com/article/2687265/application-security/remote-exploit-in-bash-cve-2014-6271.html

    A remotely exploitable vulnerability has been discovered by Stephane Chazelas in bash on Linux and it is unpleasant. The vulnerability has the CVE identifier CVE-2014-6271 and has been given the name Shellshock by some. This affects Debian as well as other Linux distributions. You will need to patch ASAP.

    The major attack vectors that have been identified in this case are HTTP requests and CGI scripts.

    Akamai has validated the existence of the vulnerability in bash, and confirmed its presence in bash for an extended period of time. We have also verified that this vulnerability is exposed in ssh—but only to authenticated sessions.

    If you have a username in your authorization header this could also be an attack vector.

    Another attack surface is OpenSSH through the use of AcceptEnv variables. As well through TERM and SSH_ORIGINAL_COMMAND. An environmental variable with an arbitrary name can carry a nefarious function which can enable network exploitation. This is fire bad.

    The race is on. Will you be able to patch before Metasploit has a working exploit?

    “As you might have guessed, we’re busy at work putting together a Metasploit module that demonstrates the bash bug (CVE-2014-6271), as is the rest of the world of open source security contributors. I expect to see a first version today.”

    That said, it’s difficult to write one “bash bug” exploit — this is the sort of exploit that will be lurking around in all various and sundry sorts of software, both local and remote.

    Reply
  13. Tomi Engdahl says:

    How do I recompile Bash to avoid the remote exploit CVE-2014-6271 and CVE-2014-7169?
    http://apple.stackexchange.com/questions/146849/how-do-i-recompile-bash-to-avoid-the-remote-exploit-cve-2014-6271-and-cve-2014-7

    Note: this exploit is really nasty, because it doesn’t require a username or password to trigger it. Even log parsing messages that are running bash may be susceptible to stray log messages in HTTP, for example. Fix this ASAP …

    Switching to zsh only helps if you also removed bash and sh from your system. The shell you personally use is unimportant, it’s that bash and sh are used by all kinds of processes to do shell expansion from software, leaving your system open to an exploit attempt.

    Reply
  14. Tomi Engdahl says:

    Update: Bug in Bash shell creates big security hole on anything with *nix in it
    Could allow attackers to execute code on Linux, Unix, and Mac OS X.
    http://arstechnica.com/security/2014/09/bug-in-bash-shell-creates-big-security-hole-on-anything-with-nix-in-it/

    Update: The Bash vulnerability, now dubbed by some as “Shellshock”, has been reportedly found in use by an active exploit against web servers. Additionally, the initial patch for the vulnerability was incomplete and still allows for attacks to succeed, according to a new CERT alert. See Ars’ latest report for further details.

    The vulnerability affects versions 1.14 through 4.3 of GNU Bash. Patches have been issued by many of the major Linux distribution vendors for affected versions, including:

    Red Hat Enterprise Linux (versions 4 through 7) and the Fedora distribution
    CentOS (versions 5 through 7)
    Ubuntu 10.04 LTS, 12.04 LTS, and 14.04 LTS
    Debian

    National Cyber Awareness System
    Vulnerability Summary for CVE-2014-6271
    http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271

    There is an easy test to determine if a Linux or Unix system is vulnerable. To check your system, from a command line, type:

    env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

    If the system is vulnerable, the output will be:

    vulnerable
    this is a test

    Reply
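    As an added example (not from the Ars Technica report, the NVD entry, or this blog), the following Python wraps the local env test quoted above so it returns a value instead of relying on eyeballing output, and adds a scan of web-server access logs for the same function-export marker in the User-Agent and Referer fields, which are the request headers most commonly copied into a CGI environment. The log lines are constructed for the example, the IP addresses are from documentation ranges, and the function names (bash_vulnerable, find_probes) are the example’s own.

```python
import os
import re
import subprocess

# Local check, equivalent to the env test in the advisory: a crafted variable
# x is exported to a fresh bash. A vulnerable bash runs the code after the
# function body and prints "vulnerable" before the real command's output.
def bash_vulnerable(bash="bash"):
    """True if bash imports trailing code from a crafted variable, False if
    not, None if no bash binary is available to test."""
    env = {"PATH": os.environ.get("PATH", "/usr/bin:/bin"),
           "x": "() { :;}; echo vulnerable"}
    try:
        result = subprocess.run([bash, "-c", "echo this is a test"], env=env,
                                capture_output=True, text=True, timeout=10)
    except FileNotFoundError:
        return None
    return "vulnerable" in result.stdout.splitlines()


# Apache/nginx "combined" log format. The quoted Referer and User-Agent
# fields are attacker-controlled headers that mod_cgi exports as HTTP_REFERER
# and HTTP_USER_AGENT, which is why probes put the payload there.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')

# The marker bash looked for when importing a function from the environment.
PROBE_RE = re.compile(r'\(\)\s*\{')

# Constructed sample log (assumption for this example): one probe in the
# User-Agent, one normal request, one probe in the Referer.
SAMPLE_LOG = """\
203.0.113.5 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 512 "-" "() { :;}; echo vulnerable"
198.51.100.7 - - [25/Sep/2014:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.5 - - [25/Sep/2014:10:01:09 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 512 "() { :;}; echo vulnerable" "curl/7.37.0"
"""


def find_probes(lines):
    """Return one finding per header field that carries the marker, with the
    line number, source address, field name and requested path."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = COMBINED_RE.match(line)
        if not m:
            continue  # unparsable line; a production scanner would count these
        parts = m.group("request").split()
        path = parts[1] if len(parts) > 1 else m.group("request")
        for field in ("ua", "referer"):
            if PROBE_RE.search(m.group(field)):
                hits.append({"line": lineno, "ip": m.group("ip"),
                             "field": field, "path": path})
    return hits


if __name__ == "__main__":
    print("local bash vulnerable:", bash_vulnerable())
    for hit in find_probes(SAMPLE_LOG.splitlines()):
        print(hit)
```

    A hit in the log does not mean the request succeeded; it means someone tried, and the requested path tells you which CGI endpoints were being aimed at and therefore which hosts to verify with the local check first. Headers other than User-Agent and Referer are usually not logged, so a log-only scan under-counts; the local check is the authoritative answer for a given host.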
  15. Tomi Engdahl says:

    Bash bug fallout: Shell Shocked yet? You will be … when this becomes a worm
    Much carnage to come, warn experts
    http://www.theregister.co.uk/2014/09/25/shell_shocked_not_yet/

    Much of the impact of the Shell Shocked vulnerability is unknown and will surface in the coming months as researchers, admins and attackers (natch) find new avenues of exploitation.

    The vulnerability, coined Shell Shocked by researcher Robert Graham, existed in the Bash command interpreter up to version 4.3 and affected scores of servers, home computers and embedded devices.

    “I think this bug opens up a variety of interesting niche exploitation scenarios, depending on what an attacker is trying to get into,” Drazen said, noting that there were “a lot worse things out there with a lot lower barriers to exploitation”.

    He said admins should consult patches already released from vendors.

    The number of affected systems that a given enterprise could be running was largely unknown at present, and Wise said administrators should ask their vendors to investigate the impact and address any exposures.

    Researcher Robert Graham has so far dug up 3,000 vulnerable systems by scanning port 80 on the root URL, and said the bug was “clearly wormable”.

    BASH Shellshock vulnerability – Update
    https://community.qualys.com/blogs/laws-of-vulnerabilities/2014/09/24/bash-shellshock-vulnerability

    Reply
  16. Tomi Engdahl says:

    Everything you need to know about the Shellshock Bash bug
    http://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html

    Remember Heartbleed? If you believe the hype today, Shellshock is in that league and with an equally awesome name albeit bereft of a cool logo (someone in the marketing department of these vulns needs to get on that). But in all seriousness, it does have the potential to be a biggie and as I did with Heartbleed,

    Bash ‘shellshock’ scan of the Internet
    http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html#.VCRs6FdQO9J

    Reply
  17. Tomi Engdahl says:

    Shellshock Bash Vulnerability Online Checkers Available
    http://news.softpedia.com/news/Shellshock-Bash-Vulnerability-Online-Checkers-Available-459967.shtml

    As the Shellshock bug (CVE-2014-6271) in the Bash command interpreter used by Linux and Unix systems is serious business, multiple online tools have been created specifically for testing web servers against the vulnerability.

    Test your website for Shellshock
    (CVE-2014-6271)

    Enter a URL or a hostname to test the server for
    CVE-2014-6271/CVE-2014-7169.
    http://bashsmash.ccsir.org/

    Reply
  18. Tomi Engdahl says:

    Why You Could Be At Risk From Shellshock, A New Security Flaw Found In Linux
    http://www.forbes.com/sites/jameslyne/2014/09/25/shellshocked-vulnerability-why-you-are-at-risk-and-heartbleed-3-0b/

    There has recently been a deluge of serious defects in the public eye that have allowed attackers to exploit all manner of devices–Heartbleed being the most prominent of late. Now another bug has surfaced and it is pretty ‘point and click’ simple to attack. You should act now.

    Most people invest heavily in Windows patching and are utterly awful at patching Linux. Your Linux systems need to apply this patch, so check with your IT guys that this has been done. Some systems are naturally immune (geeky bit: for example Debian based systems using Dash instead of Bash) but you should check just in case.

    More importantly this is ANOTHER great excuse to go and find all those Linux systems you are using you don’t know you have in your business.

    CVE-2014-6271 / Shellshock & How to handle all the shells! ;)
    http://www.clevcode.org/cve-2014-6271-shellshock/

    Reply
  19. Tomi Engdahl says:

    FBI boss slams Google, Apple for phone, tab encryption that puts people ‘above law’
    Wants snooping access to protect kids and catch terrorists
    http://www.theregister.co.uk/2014/09/25/fbi_boss_slams_google_apple_for_encryption_that_puts_users_above_law/

    FBI Director James Comey has complained to journalists that Apple and Google’s use of encryption on phones and tablets makes it impossible for cops and g-men to collar crooks.

    “There will come a day – well it comes every day in this business – when it will matter a great, great deal to the lives of people of all kinds that we be able to with judicial authorization gain access to a kidnapper’s or a terrorist or a criminal’s device,” he apparently told a press conference.

    “What concerns me about this is companies marketing something expressly to allow people to place themselves above the law.”

    And, on iOS 8, not all data is encrypted on the gadgets, and some information can still be extracted if the g-men really want it, security expert Jonathan Zdziarski says.

    Reply
  20. Tomi Engdahl says:

    FBI: Your real SECURITY TERROR? An ANGRY INSIDE MAN
    Hackers? Pah! It’s that sysadmin who has had enough
    http://www.theregister.co.uk/2014/09/25/insider_threat_growing_warn_feds/

    Disgruntled workers are causing more problems for their employers, the FBI warns.

    Employees, ex-workers or contractors with a grudge against their former paymasters are abusing cloud storage sites or remote access to enterprise networks to steal trade secrets, customer lists or other sensitive information.

    Insider threats have, of course, been a problem in business for decades. But the internet had brought a new dimension to the problem by making it far easier to destroy data or swipe customer records.

    Physical records that used to occupy racks of shelves can now be contained on a single USB stick.

    The FBI said it has investigated multiple incidents involving disgruntled or former employees who’ve attempted to extort their employer after disabling content management systems or conducted distributed denial-of-service (DoS) attacks.

    In other cases, the theft of proprietary information was facilitated through the use of cloud storage websites like Dropbox and personal email accounts. In many cases, terminated employees had continued access to the computer networks through the installation of unauthorised remote desktop protocol software,

    Reply
  21. Tomi Engdahl says:

    Shellshock Bash bug patch is buggy: ‘Millions of systems’ still at risk
    But don’t delay – update your gear now to avoid early attacks hitting the web
    http://www.theregister.co.uk/2014/09/25/shellshock_bash_worm_type_fears/

    A patch for the severe Shellshock security vulnerability in Bash is incomplete – as hackers exploit the hole to compromise computers.

    The flaw affects the GNU Bourne Again Shell – better known as Bash – which is a command interpreter used by many Linux and Unix operating systems – including Apple’s OS X.

    It allows miscreants to remotely execute arbitrary code on systems ranging from web servers, routers, servers and Macs to various embedded devices that use Bash, and anything else that uses the flawed open-source shell.

    The Bash flaw – designated CVE-2014-6271 – is being exploited in the wild against web servers, which are the most obvious targets but not by any means the only machines at risk.

    Reply
  22. Tomi Engdahl says:

    Euro chiefs: Hi Google. Here’s how to REALLY protect everyone’s privacy. Hello? Hello?
    is this thing on? Anyone there?
    http://www.theregister.co.uk/2014/09/25/google_eu_working_party_privacy/

    Google cannot expect its users to read the web giant’s rewritten Terms of Service to know how their privacy is being handled. That’s according to Europe’s data protection chiefs in a letter to Google supremo Larry Page on Tuesday.

    In 2012, Google decided to merge the different privacy rules of 60 of its services including Google Search, YouTube, Gmail, Picasa, Google Drive, Google Docs and Google Maps into a single policy. The working party said this means that “almost ALL European internet users were affected.”

    The move prompted several EU data protection authorities to take action against the advertising goliath.

    According to the party’s guidelines, this policy must be immediately visible and accessible via one click, without scrolling, from each service landing page. It must provide clear, unambiguous and comprehensive information regarding the data processing.

    It must give users an address so that individuals can exercise their rights against the company. “This specifically includes the obligation to clearly identify Google as data controller on the YouTube service,” the Euro bigwigs said.

    “Google should avoid indistinct language such as ‘we can’ or ‘we may’, but rather say ‘if you use services A and B, we will’,” continues the text.

    The group suggests making it easier for users to manage and control the use of their personal data.

    The watchdogs said these are only guidelines, and there may be other means by which Google could achieve compliance.

    Reply
  23. Tomi Engdahl says:

    Russia Asks Facebook, Google, Twitter to Comply With Law on Data Storage
    http://www.themoscowtimes.com/news/article/russia-demands-facebook-google-and-twitter-comply-with-law-on-data-storage/507852.html

    Russia’s media watchdog has sent notifications to Google, Facebook and Twitter, demanding they register as “organizers of information distribution” under a law that experts say paves the way for banning the few remaining platforms of free speech in the country.

    Maxim Ksenzov, deputy chief of the Roskomnadzor watchdog, said his agency would “force [the three Internet companies] one way or the other to obey the law,” the Izvestia newspaper reported Friday.

    In accordance with the law, websites and online services registered as “organizers of information distribution” are required to keep information about their Russian users on servers located inside the country.

    Reply
  24. Tomi Engdahl says:

    More details on how iOS 8’s MAC address randomization feature works (and when it doesn’t)
    http://9to5mac.com/2014/09/26/more-details-on-how-ios-8s-mac-address-randomization-feature-works-and-when-it-doesnt/

    A new two-part study by AirTight Networks into how well this security feature works has turned up some interesting results, including several conditions that will stop the phone from randomizing a MAC address. Part one of the study breaks down what exactly needs to happen in order to start this function…

    Apple’s website (seen above) states that to trigger this function, the user should be “out running errands with your phone in your pocket.” As implied by that sentence, the device needs to be locked to start randomizing its MAC address. This was confirmed by the AirTight study, which found that about two minutes after the device’s screen was locked, it would start searching for a familiar Wi-Fi network using a random address. Every time the device wakes up and goes back to sleep, a new MAC address is generated.

    There is another stipulation that must be met before this feature will kick in, however, and it’s one that most users aren’t going to meet. In order to start using randomized MAC addresses, location services must be disabled.

    When they put SIM cards into these units and activated a cellular data connection, they found that MAC address randomization was completely disabled no matter what other criteria were met.

    You read that correctly: activating cellular data (3G/4G/LTE) on your iPhone (which you need to get iMessages, push notifications, emails, and more when not on Wi-Fi) seems to be deactivating one of the key features touted on Apple’s own privacy page. Apparently Apple believes that you should disable your cellular data connection when “out running errands with your phone in your pocket.”

    Reply
  25. Tomi Engdahl says:

    Free applications have been nice to try but they have risks

    This was the conclusion when Fraunhofer Institute researchers examined 4600 free iPhone applications. The results show that the security of 60 percent of the free apps was so bad that they are not suitable for a work phone.

    A quarter of the applications contained critical security holes. Every fifth application sent data from the phone to companies which had nothing to do with the operation of the application itself.

    According to the Fraunhofer researchers, many free applications show no sign of any attention having been paid to information security. The test was now for iOS apps, but for Android applications the situation is at least as dangerous.

    Source: http://etn.fi/index.php?option=com_content&view=article&id=1835:ilmaissovellukset-vaarallisia-tyopuhelimeen&catid=13&Itemid=101

    Reply
  26. Tomi Engdahl says:

    Facebook Will Use Facebook Data to Sell Ads on Sites That Aren’t Facebook
    http://recode.net/2014/09/28/facebook-will-facebook-data-to-sell-ads-on-sites-that-arent-facebook/

    Investors and analysts spent years clamoring for Facebook to start up an ad network, and earlier this year it obliged them.

    And now Facebook is rolling out another one.

    Caveat — this isn’t an ad network in a formal sense. But it’s going to be viewed as one, because in the big picture, it does the thing people outside Facebook wanted an ad network to do: It lets advertisers buy ads, via Facebook, on properties Facebook doesn’t own.

    Reply
  27. Tomi Engdahl says:

    Still more vulnerabilities in bash? Shellshock becomes whack-a-mole
    Latest patch fixed one test case, but more vulnerabilities remain, say experts.
    http://arstechnica.com/security/2014/09/still-more-vulnerabilities-in-bash-shellshock-becomes-whack-a-mole/

    Here’s how the Shellshock vulnerability works, in a nutshell: an attacker sends a request to a Web server (or Git, a DHCP client, or anything else affected) that uses bash internally to interact with the operating system. This request includes data stored in an environmental variable.

    Environmental variables are like a clipboard for operating systems, storing information used to help it and software running on it know where to look for certain files or what configuration to start with. But in this case, the data is malformed so as to trick bash into treating it as a command, and that command is executed as part of what would normally be a benign set of script. This ability to trick bash is the shellshock bug. As a result, the attacker can run programs with the same level of access as the part of the system launching a bash shell. And in the case of a web server, that’s practically the same level of access as an administrator, giving the attacker a way to gain full control of the targeted system.

    Reply
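The mechanism described above (a header value that bash mistakes for a function definition followed by a command) leaves a recognisable trace in web server logs. The following is an added example, not code from the Ars Technica article: a small detector that parses constructed Apache combined-format log lines (hypothetical traffic, documentation IP ranges) and flags any request, referer or user-agent field that begins with bash's function-import marker `() {`. The bash check itself requires the value to start with exactly that prefix, so a benign string that merely contains the characters further along is not flagged.

```python
import re
from typing import Dict, List, Optional

# Constructed sample lines in Apache "combined" log format (hypothetical traffic,
# not taken from the article). Servers that pass request headers to CGI scripts
# export them as environment variables, which is how a header value reaches bash.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Sep/2014:10:00:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.9 - - [25/Sep/2014:10:00:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo shellshock-probe"
198.51.100.4 - - [25/Sep/2014:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 1024 "() { :;}; /bin/true" "curl/7.35.0"
198.51.100.5 - - [25/Sep/2014:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (compatible; test () { probe)"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Vulnerable bash only imports a function from an environment variable whose
# value starts with exactly "() {". The detector is deliberately a little
# broader (optional whitespace) so that trivially padded variants are caught too.
FUNCTION_IMPORT_MARKER = re.compile(r"^\s*\(\)\s*\{")

# Header-derived fields that commonly end up in CGI environment variables.
HEADER_FIELDS = ("request", "referer", "ua")


def scan_line(line: str) -> Optional[Dict[str, object]]:
    """Return a finding for one log line, or None if it is clean or unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    hits = [f for f in HEADER_FIELDS if FUNCTION_IMPORT_MARKER.search(m.group(f))]
    if not hits:
        return None
    return {
        "ip": m.group("ip"),
        "timestamp": m.group("ts"),
        "fields": hits,
        "status": int(m.group("status")),
    }


def scan_log(text: str) -> List[Dict[str, object]]:
    """Scan a whole log text and collect the findings in file order."""
    return [f for f in map(scan_line, text.splitlines()) if f is not None]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

A finding with a 200 status against a CGI path means the endpoint answered the probe, so the host itself should be checked for a patched bash and for unexpected child processes of the web server, not just the log.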
  28. Tomi Engdahl says:

    Kevin Mitnick, Once the World’s Most Wanted Hacker, Is Now Selling Zero-Day Exploits
    http://www.wired.com/2014/09/kevin-mitnick-selling-zero-day-exploits/

    As a young man, Kevin Mitnick became the world’s most notorious black hat hacker, breaking into the networks of companies like IBM, Nokia, Motorola, and other targets. After a stint in prison, he reinvented himself as a white hat hacker, selling his skills as a penetration tester and security consultant.

    With his latest business venture, Mitnick has switched hats again: This time to an ambiguous shade of gray.

    Late last week, Mitnick revealed a new branch of his security consultancy business he calls Mitnick’s Absolute Zero Day Exploit Exchange. Since its quiet inception six months ago, he says the service has offered to sell corporate and government clients high-end “zero-day” exploits, hacking tools that take advantage of secret bugs in software for which no patch yet exists. Mitnick says he’s offering exploits developed both by his own in-house researchers and by outside hackers, guaranteed to be exclusive and priced at no less than $100,000 each, including his own fee.

    And what will his clients do with those exploits? “When we have a client that wants a zero-day vulnerability for whatever reason, we don’t ask, and in fact they wouldn’t tell us,” Mitnick tells WIRED in an interview. “Researchers find them, they sell them to us for X, we sell them to clients for Y and make the margin in between.”

    Mitnick declined to name any of his customers, and wouldn’t say how many, if any, exploits his exchange has brokered so far.

    As the zero day market has come to light over the last several years, freelance hackers’ sale of potential surveillance tools to government agencies has become a hotly debated ethical quandary in the security community. The notion of Kevin Mitnick selling those tools could be particularly eyebrow-raising

    Enabling targeted surveillance also clashes with Mitnick’s new image as a privacy advocate; His forthcoming book titled “The Art of Invisibility” promises to teach readers “cloaking and countermeasures” against “Big Brother and big data.”

    “It’s like an Amazon wish list of exploits.”

    Reply
  29. Tomi Engdahl says:

    THE ART OF INVISIBILITY
    Coming Soon!
    https://www.mitnicksecurity.com/shopping/books-by-kevin-mitnick

    The world’s most famous hacker reveals the secrets on how citizens and consumers can stay connected and on the grid safely and securely by using cloaking and counter-measures in today’s age of Big Brother and big data.

    Reply
  30. Tomi Engdahl says:

    SIEMs like a good idea: How to manage security in real time
    http://www.theregister.co.uk/2014/09/29/siems_like_a_good_idea_how_to_manage_security_in_real_time/

    Register now for this webcast that explains how security information and event management (SIEM) can work, what it does, and how to fit it into your existing security environment.

    You face more and more dangerous threats every day – drive-by infections, APTs and executive targeted phishing, to name just three. At the same time, the potential attack surface of IT systems is growing rapidly: your VMs, your cloud and your users’ mobile devices are all at risk. You have probably spent a large part of 2014 developing external-facing web applications. How do you secure them all?

    Reg readers tell us they have multiple tools handling security, making it impossible to get an idea of security in real time. Operating best-effort security isn’t enough, but security information and event management, touted as the answer to this, has so far been complicated to set up and hard to interpret.

    Has this changed? Is SIEM the future of enterprise security and, if so, what will that future look like?

    Reply
  31. Tomi Engdahl says:

    Piracy Police Chief Calls For State Interference To Stop Internet “Anarchy”
    http://news.slashdot.org/story/14/09/28/2213237/piracy-police-chief-calls-for-state-interference-to-stop-internet-anarchy

    The City of London Police’s Intellectual Property Crime Unit (PIPCU) is determined to continue its anti-piracy efforts in the years to come. However, the unit’s head, Andy Fyfe, also believes that the government may have to tighten the rules on the Internet to stop people from breaking the law.

    Piracy Police Chief Calls For State Interference to Stop Internet Anarchy
    By Ernesto
    on September 28, 2014
    http://torrentfreak.com/piracy-police-chief-calls-for-state-interference-to-stop-internet-anarchy-140928/

    Since last year City of London Police’s Intellectual Property Crime Unit have been working with copyright holders to tackle online piracy. The police have already booked some successes but according to PIPCU head Andy Fyfe, more state interference may be needed to stop Internet anarchy.

    Reply
  32. Tomi Engdahl says:

    Facebook’s Atlas: the Platform For Advertisers To Track Your Movements
    http://yro.slashdot.org/story/14/09/29/1150248/facebooks-atlas-the-platform-for-advertisers-to-track-your-movements

    In its most direct challenge to Google yet, Facebook plans to sell ads targeted to its 1.3 billion users when they are elsewhere on the Web. The company is rolling out an updated version of Atlas that will direct ads to people on websites and mobile apps.

    Reply
  33. Tomi Engdahl says:

    Meet Facebook’s Atlas: The platform for advertisers to track your movements
    http://www.zdnet.com/meet-facebooks-atlas-the-platform-for-advertisers-to-track-your-movements-7000034140/

    Summary: Facebook’s revamped advertising platform, Atlas, allows marketers to track your patterns, preferences and purchase decisions across the Web.

    Atlas, Facebook’s advertising platform, is now open for business following an overhaul from the ground up.

    First acquired from Microsoft last year by the social media giant, Atlas was reportedly in the middle of a revamp following Facebook’s acquisition. However, it seems the platform has been completely rewritten for use on the social media website, according to a company blog post.

    “Atlas delivers people-based marketing, helping marketers reach real people across devices, platforms and publishers,” Atlas says. “By doing this, marketers can easily solve the cross-device problem through targeting, serving and measuring across devices. And, Atlas can now connect online campaigns to actual offline sales, ultimately proving the real impact that digital campaigns have in driving incremental reach and new sales.”

    Reply
  34. Tomi Engdahl says:

    What It’s Like To Use North Korea’s Internet
    http://www.fastcolabs.com/3036049/what-its-like-to-use-north-koreas-internet

    Even the country’s 2 million mobile phone subscribers can’t see outside the borders of Kwangmyong and Koryolink 3G.

    “For the average North Korean, the Internet doesn’t exist,” Martyn Williams tells Co.Labs. He’s spent decades studying the country, and is now a John S. Knight Journalism Fellow at Stanford University and the editor of the North Korea Tech blog.

    Instead of access to the Internet, Williams tells me, the country has an intranet–an internal collection of networked servers and computers that is only accessible from inside North Korea’s borders. The name of this intranet is Kwangmyong, which roughly translates into “Bright” in English.

    Kwangmyong is a free service to the country’s inhabitants–even though less than 10% of the population is believed to have ever accessed it.

    Reply
  35. Tomi Engdahl says:

    Zero Day Weekly: Bash bug Shellshock, jQuery, Amazon’s messy EC2 reboot
    http://www.zdnet.com/zero-day-weekly-bash-bug-shellshock-jquery-amazons-messy-ec2-reboot-7000034079/

    Summary: A collection of notable security news items for the week ending September 26, 2014. Covers enterprise, controversies, reports and more.

    Red alert for enterprise: The Bash “shellshock” bug affecting Linux and Mac is both serious and dangerous. The 20-year-old bug was discovered this week in Bourne-Again Shell (Bash), which according to US CERT affects nearly all Linux (including Debian, Ubuntu) and Mac OS X deployments.

    Amazon Inc. isn’t soothing customers anxious about cloud security: This week Amazon revealed it has to reboot its EC2 instances to patch a Xen bug.

    A jQuery.com Malware Attack Put Privileged Enterprise IT Accounts at Risk not once, but twice in one week.

    The new Apple iPhone 6 Touch ID (fingerprint) sensor was hacked this week by the same researcher who hacked the iPhone 5S Touch ID first released last year

    TripAdvisor subsidiary Viator was hit by a massive data breach that exposed payment card details, account credentials, usernames and passwords of its customers, affecting approximately 1.4 million accounts.

    Microsoft Inc. launched its Online Services Bug Bounty Program, including Office 365 and with rewards starting at $500.

    IBM Security Intelligence reported that Tinba Malware is Reloaded and Attacking Banks Around the World, publishing a slew of details and interesting findings.

    Reply
  36. Tomi Engdahl says:

    Fraud shop OVERSTOCKED with stolen credit cards
    Supply, meet demand: prices crash
    http://www.theregister.co.uk/2014/09/29/fraud_shop_overstocked_with_stolen_credit_cards/

    Infamous carding store Rescator.cc is so chock-full of stolen credit cards from recent high-profile breaches that it’s gutting its prices due to overstocking.

    The fire sale makes a mockery of the security in place at some of the world’s biggest retailers, many of which have in recent months been invaded by hackers who have made off with many millions of customer credit cards.

    Stolen cards were released on the site in tranches under names such as American Sanctions and European Sanctions which could be purchased in batches and filtered by geography to reduce the chance that a buyer’s subsequent fraudulent transactions would be detected.

    Reply
  37. Tomi Engdahl says:

    Medical Records Worth More To Hackers Than Credit Cards
    http://yro.slashdot.org/story/14/09/29/1620231/medical-records-worth-more-to-hackers-than-credit-cards

    Reuters reports that your medical information including names, birth dates, policy numbers, diagnosis codes and billing information is worth 10 times more than your credit card number on the black market. Fraudsters use this data to create fake IDs to buy medical equipment or drugs that can be resold, or they combine a patient number with a false provider number and file made-up claims with insurers, according to experts who have investigated cyber attacks on healthcare organizations. Medical identity theft is often not immediately identified by a patient or their provider, giving criminals years to milk such credentials.

    Your medical record is worth more to hackers than your credit card
    http://www.reuters.com/article/2014/09/24/us-cybersecurity-hospitals-idUSKCN0HJ21I20140924

    Your medical information is worth 10 times more than your credit card number on the black market.

    Last month, the FBI warned healthcare providers to guard against cyber attacks after one of the largest U.S. hospital operators, Community Health Systems Inc, said Chinese hackers had broken into its computer network and stolen the personal information of 4.5 million patients.

    Security experts say cyber criminals are increasingly targeting the $3 trillion U.S. healthcare industry, which has many companies still reliant on aging computer systems that do not use the latest security features.

    “As attackers discover new methods to make money, the healthcare industry is becoming a much riper target because of the ability to sell large batches of personal data for profit,

    Reply
  38. Tomi Engdahl says:

    Yet another case of malvertising on The Pirate Bay
    https://blog.malwarebytes.org/exploits-2/2014/09/malvertising-on-the-pirate-bay/

    The Pirate Bay is famous for its tumultuous relationship with copyright advocates and law enforcement. And yet, despite police raids and numerous trials, the torrent site is still going strong with a new infrastructure

    From a security standpoint, The Pirate Bay has been involved in notorious malvertising attacks, most likely resulting in a large number of infections given the site’s high traffic.

    BlueCoat and Malekal blogged about this before and what we caught in our honeypots today is not in fact all that different.

    At the end of the day, we are not too surprised about this malvertising attack. A site that (over)uses advertisements (and especially salacious ones) is navigating dangerous waters.

    The problem with The Pirate Bay is that it generates a lot of traffic which means a lot of potential infections, something traffers (bad guys who resell traffic) and exploit kit operators salivate about.

    Reply
  39. Tomi Engdahl says:

    Interesting idea:

    Mining Bitcoins with Pencil and Paper
    http://hackaday.com/2014/09/29/mining-bitcoins-with-pencil-and-paper/

    Right now there are thousands of computers connected to the Internet, dutifully calculating SHA-256 hashes and sending their results to other peers on the Bitcoin network. There’s a tremendous amount of computing power in this network, but [Ken] is doing it with a pencil and paper. Doing the math by hand isn’t exactly hard, but it does take an extraordinary amount of time; [Ken] can calculate about two-thirds of a hash per day.

    The SHA-256 hash function used for Bitcoin isn’t really that hard to work out by hand.

    Completing one round of a SHA-256 hash took [Ken] sixteen minutes and forty-five seconds. There are sixty-four steps in calculating the hash, which means a single hash would take about 18 hours to complete. Since Bitcoin uses a double SHA-256 algorithm, doing the calculations on a complete bitcoin block and submitting them to the network manually would take the better part of two days. If you’re only doing this as your daily 9-5, this is an entire week’s worth of work.

    Reply
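To make the arithmetic in the post concrete, here is an added example (not [Ken]'s or Hackaday's code): a from-scratch SHA-256 in Python whose compression function is the 64-round loop the post counts, plus the double-SHA-256 that Bitcoin applies to an 80-byte block header. The round constants are derived from the cube and square roots of the first primes rather than hard-coded, so their "nothing up my sleeve" origin is visible, and every digest is cross-checked against `hashlib`. The block header used is a constructed placeholder, not a real Bitcoin block, and the timing helper assumes the 16 minute 45 second per-round figure from the post.

```python
import hashlib
import math
import struct
from typing import List

MASK = 0xFFFFFFFF


def _primes(count: int) -> List[int]:
    """First `count` primes by trial division."""
    found: List[int] = []
    n = 2
    while len(found) < count:
        if all(n % p for p in found if p * p <= n):
            found.append(n)
        n += 1
    return found


def _icbrt(n: int) -> int:
    """Floor of the integer cube root by bisection (exact, no float rounding)."""
    lo, hi = 0, 1 << (n.bit_length() // 3 + 2)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** 3 <= n:
            lo = mid
        else:
            hi = mid - 1
    return lo


# K = fractional bits of the cube roots of the first 64 primes,
# H0 = fractional bits of the square roots of the first 8 primes (32 bits each).
K = [_icbrt(p << 96) & MASK for p in _primes(64)]
H0 = [math.isqrt(p << 64) & MASK for p in _primes(8)]


def _rotr(x: int, n: int) -> int:
    return ((x >> n) | (x << (32 - n))) & MASK


def compress(state: List[int], block: bytes) -> List[int]:
    """One SHA-256 compression: the 64 rounds over a 512-bit block that the post times."""
    w = list(struct.unpack(">16L", block))
    for t in range(16, 64):  # message schedule expansion
        s0 = _rotr(w[t - 15], 7) ^ _rotr(w[t - 15], 18) ^ (w[t - 15] >> 3)
        s1 = _rotr(w[t - 2], 17) ^ _rotr(w[t - 2], 19) ^ (w[t - 2] >> 10)
        w.append((w[t - 16] + s0 + w[t - 7] + s1) & MASK)
    a, b, c, d, e, f, g, h = state
    for t in range(64):  # the 64 steps [Ken] works through by hand
        big_s1 = _rotr(e, 6) ^ _rotr(e, 11) ^ _rotr(e, 25)
        ch = (e & f) ^ (~e & g)
        t1 = (h + big_s1 + ch + K[t] + w[t]) & MASK
        big_s0 = _rotr(a, 2) ^ _rotr(a, 13) ^ _rotr(a, 22)
        maj = (a & b) ^ (a & c) ^ (b & c)
        t2 = (big_s0 + maj) & MASK
        h, g, f, e, d, c, b, a = g, f, e, (d + t1) & MASK, c, b, a, (t1 + t2) & MASK
    return [(s + v) & MASK for s, v in zip(state, (a, b, c, d, e, f, g, h))]


def _pad(data: bytes) -> bytes:
    """Append 0x80, zero bytes and the 64-bit big-endian bit length up to a multiple of 64 bytes."""
    return data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack(">Q", len(data) * 8)


def sha256(data: bytes) -> bytes:
    state = list(H0)
    padded = _pad(data)
    for off in range(0, len(padded), 64):
        state = compress(state, padded[off:off + 64])
    return struct.pack(">8L", *state)


def sha256_hex(data: bytes) -> str:
    return sha256(data).hex()


def double_sha256(data: bytes) -> bytes:
    """Bitcoin's block hash is SHA-256 applied twice."""
    return sha256(sha256(data))


def compression_rounds(message_len: int) -> int:
    """Total 64-step rounds needed to double-SHA-256 a message of this length."""
    first = len(_pad(b"\x00" * message_len)) // 64   # blocks for the message itself
    second = len(_pad(b"\x00" * 32)) // 64           # one block for the 32-byte inner digest
    return 64 * (first + second)


def hand_hashing_hours(message_len: int, seconds_per_round: float = 16 * 60 + 45) -> float:
    """Hours of pencil-and-paper work at the post's 16m45s per round (assumed constant)."""
    return compression_rounds(message_len) * seconds_per_round / 3600


def matches_hashlib(data: bytes) -> bool:
    """Cross-check both the single and the double hash against the standard library."""
    ref = hashlib.sha256(data).digest()
    return sha256(data) == ref and double_sha256(data) == hashlib.sha256(ref).digest()


# Constructed 80-byte header (version, prev hash, merkle root, time, bits, nonce);
# placeholder values, not a real Bitcoin block.
SAMPLE_HEADER = struct.pack("<L32s32sLLL", 1, b"\x00" * 32, b"\x11" * 32, 1411776000, 0x1D00FFFF, 2083236893)


def block_hash_hex(header: bytes) -> str:
    """Bitcoin displays block hashes byte-reversed (little-endian)."""
    return double_sha256(header)[::-1].hex()


if __name__ == "__main__":
    print(sha256_hex(b"abc"))
    print(block_hash_hex(SAMPLE_HEADER), "after", compression_rounds(80), "rounds")
    print(f"about {hand_hashing_hours(80):.1f} hours by hand")
```

An 80-byte header pads to two 512-bit blocks and the inner 32-byte digest to one more, so a block hash costs three compressions, 192 rounds in all; at the post's pace that is roughly 54 hours, which matches its "better part of two days".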
  40. Tomi Engdahl says:

    CloudFlare Announces Free SSL Support For All Customers
    http://tech.slashdot.org/story/14/09/29/2252214/cloudflare-announces-free-ssl-support-for-all-customers

    CloudFlare, a cloud service that sits between websites and the internet to provide a CDN, DDOS and other attack prevention, speed optimization, and other services announced today that SSL will now be supported for all customers, including free customers. This will add SSL support to approximately 2 million previously unprotected websites. Previously SSL was only available to customers paying at least $20/month for a “Pro” plan or higher.

    Browsers connect to CloudFlare’s servers and receive a certificate provided by CloudFlare. CloudFlare then connects to the website’s server to retrieve the content, serving as a sort of reverse proxy. Different security levels allow CloudFlare to connect to the website host using no encryption, a self-signed certificate, or a verified certificate, depending on the administrator’s preferences.

    Introducing Universal SSL
    https://blog.cloudflare.com/introducing-universal-ssl/

    The team at CloudFlare is excited to announce the release of Universal SSL™. Beginning today, we will support SSL connections to every CloudFlare customer, including the 2 million sites that have signed up for the free version of our service.

    For new customers who sign up for CloudFlare’s free plan, after we get through provisioning existing customers, it will take up to 24 hours to activate Universal SSL. As always, SSL for paid plans will be provisioned instantly upon signup.

    For all customers, we will now automatically provision a SSL certificate on CloudFlare’s network that will accept HTTPS connections for a customer’s domain and subdomains.

    For a site that did not have SSL before, we will default to our Flexible SSL mode, which means traffic from browsers to CloudFlare will be encrypted, but traffic from CloudFlare to a site’s origin server will not. We strongly recommend site owners install a certificate on their web servers so we can encrypt traffic to the origin.

    Reply
  41. Tomi Engdahl says:

    FBI Plans To Open Up Malware Analysis Tool To Outside Researchers
    http://tech.slashdot.org/story/14/09/30/0313255/fbi-plans-to-open-up-malware-analysis-tool-to-outside-researchers

    The FBI has developed an internal malware-analysis tool, somewhat akin to the systems used by antimalware companies, and plans to open the system up to external security researchers, academics and others. The system is known as Malware Investigator and is designed to allow FBI agents and other authorized law enforcement users to upload suspicious files. Once a file is uploaded, the system runs it through a cluster of antimalware engines, somewhat akin to the way that Virus Total handles submissions, and returns a wide variety of information about the file.

    Right now, Malware Investigator is able to analyze Windows executables, PDFs and other common file types.

    FBI to Open Up Malware Investigator Portal to External Researchers
    https://threatpost.com/fbi-to-open-up-malware-investigator-portal-to-external-researchers/108590

    Reply
  42. Tomi Engdahl says:

    Payment security vastly improved when you DON’T ENTER your BANK DETAILS
    Entering randomly generated ‘tokens’ makes it safer – report
    http://www.theregister.co.uk/2014/09/30/payments_security_vastly_improved_by_tokenisation_according_to_report/

    Developments around “tokenisation” should help to “instil confidence in a payments environment challenged by more frequent data breaches” and fraud, according to a report released by the Federal Reserve Bank of Boston.

    The June 2014 report from the US Federal Reserve’s Mobile Payments Industry Workgroup (MPIW), which was released on 24 September (16-page/320KB PDF), defined tokenisation as the process of “randomly generating substitute value to replace sensitive information”.

    The report said: “When used for financial transactions, tokens replace payment credentials, such as bank account and credit/debit card numbers. The ability to remove actual payment credentials from the transaction flow can improve the security of the payment and is a key benefit of tokenisation.”

    However, the report said some “hurdles” remain before tokenisation receives broad adoption by industry, “particularly around standards and coordination of the different solutions”.

    According to the report, “the key goal of tokenisation” is to protect the 13 to 19-digit primary account number (PAN) embossed on a plastic bank or credit card and encoded on the card’s magnetic strip. “The PAN identifies the card issuer in the first six digits, known as the bank identification number (BIN), as well as the individual cardholder account (generally the final four digits), and includes a check digit for authentication.”

    Tokenisation “eliminates the need for merchants to store the full PAN on their network systems for exception processing or to resolve disputes”

    Reply
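The report's description of the PAN (six-digit BIN, account digits, Luhn check digit) and of tokenisation as substituting a random value for it can be shown end to end. The following is an added example and is this example's own design, not the MPIW report's or any payment network's scheme: Luhn validation, splitting a PAN into the parts the report names, PCI-style masking, and a minimal in-memory token vault. The token keeps the PAN's length and last four digits so that downstream systems can store it unchanged, carries no real BIN, and is generated so that it fails the Luhn check and therefore cannot be mistaken for a card number. The test card numbers used are the standard publicly known test PANs, not real accounts.

```python
import secrets
from typing import Dict

DIGITS = "0123456789"


def luhn_valid(pan: str) -> bool:
    """Luhn check: the 'check digit for authentication' the report mentions."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled, digit-summed
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def pan_parts(pan: str) -> Dict[str, str]:
    """Split a PAN into the pieces the report names: BIN, account tail, check digit."""
    if not luhn_valid(pan):
        raise ValueError("not a well-formed PAN")
    return {"bin": pan[:6], "last4": pan[-4:], "check_digit": pan[-1]}


def mask_pan(pan: str) -> str:
    """Display form keeping only the first six and last four, which PCI DSS allows to be shown."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Minimal in-memory tokenisation vault (this example's own design).

    Only the vault, inside the protected environment, can map a token back to
    the PAN; merchants store and display the token and never see the full PAN.
    """

    def __init__(self) -> None:
        self._pan_to_token: Dict[str, str] = {}
        self._token_to_pan: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("refusing to tokenize a malformed PAN")
        if pan in self._pan_to_token:  # stable token per PAN, so repeat customers match
            return self._pan_to_token[pan]
        while True:
            body = "".join(secrets.choice(DIGITS) for _ in range(len(pan) - 4))
            token = body + pan[-4:]  # same length and last four as the PAN
            # Reject collisions and anything that would pass as a real card number.
            if token != pan and token not in self._token_to_pan and not luhn_valid(token):
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Exception processing and dispute resolution happen here, not at the merchant."""
        return self._token_to_pan[token]


if __name__ == "__main__":
    vault = TokenVault()
    pan = "4111111111111111"  # public test PAN
    token = vault.tokenize(pan)
    print(pan_parts(pan), mask_pan(pan), token, vault.detokenize(token) == pan)
```

Because the token alone never passes Luhn and never maps back to a PAN outside the vault, a breach of a merchant database that holds only tokens yields nothing a fraudster can present to an issuer, which is the "remove actual payment credentials from the transaction flow" benefit the report describes.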
  43. Tomi Engdahl says:

    Analyzing Trends in the Silk Road 2.0
    http://lau.im/articles/analyzing-silk-road-2-0-part-1/

    Last Friday, one of the top articles on hacker news was called Breaking the Silk Road’s Captcha

    I won’t tell you that I know what I’m doing

    This is simply a collection of observations from someone who knows pretty much nothing about the drug world.

    Reply
  44. Tomi Engdahl says:

    China blocked access to photo service Instagram on Sunday.

    Facebook-owned Instagram has been one of the few American social media services permitted in China. Chinese users reported on Sunday, local time, that access to the service was denied.

    The Chinese authorities have not commented on the matter. The most likely reason for the censorship is Hong Kong’s democracy protests. Police broke up the demonstrations with tear gas on Sunday. Pictures of the events spread across the network quickly.

    On Monday, China’s largest search engine Baidu blocked the results of the searches.

    Source: http://www.tivi.fi/uutisia/kiina+blokkasi+instagramin+mielenosoitusten+vuoksi/a1015451

    Reply
  45. Tomi Engdahl says:

    Could your credit score soon be based on your FACEBOOK FRIENDS? Expert predicts future of banking will rely on social networks
    http://www.dailymail.co.uk/sciencetech/article-2773349/Could-credit-score-soon-based-FACEBOOK-FRIENDS-Expert-predicts-future-banking-rely-social-networks.html

    The predictions were made by financial tech expert Gi Fernando
    He claimed that credit scores could soon be based on Facebook friends
    Banks could also move into coffee shops and supermarkets
    Payment technology will become wireless and be based on biometric data
    And Mr Fernando claims this could happen within the next decade

    Reply
  46. Tomi Engdahl says:

    Security company F-Secure held two experiments in central London in which it wanted to illustrate the dangers of Wi-Fi technology.

    The experiment showed how easily almost anyone can set up a wireless LAN in a public place and start downloading personal information from the mobile devices of passing people.

    Source: http://www.iltalehti.fi/iltvdigi/201409300113118_v4.shtml

    Reply
  47. Tomi Engdahl says:

    New web service prevents spies from easily intercepting your data
    http://www.engadget.com/2014/09/29/okturtles/?ncid=rss_truncated

    The encryption that protects your email and social updates is far from flawless — it’s relatively easy for spies to intercept your data using spoofs and hacked servers. If Greg Slepak has his way, though, there will soon be a safer way to send your info. His okTurtles project uses blockchains (the transaction databases you see in virtual currencies like Bitcoin) to let you communicate over the web without the risk of a man-in-the-middle attack.

    The underlying technology (DNSChain) is already available, but you’ll have to wait a while for something that’s easy to use

    A blockchain-based DNS + HTTP server that fixes HTTPS security, and more!
    https://github.com/okTurtles/dnschain
    http://okturtles.com

    Reply
  48. Tomi Engdahl says:

    These three products were approved for the protection of Finnish data

    The Finnish Communications Regulatory Authority’s Kyberturvallisuuskeskus promotes product safety by evaluating the security of digital products. It announced the acceptance of three products for protecting classified national authority information against unlawful disclosure.

    This year Deltagon Sec@GW, Blancco 5 and Samsung Knox have passed the national approval process. They can be used in official communications in the future under certain conditions.

    The Deltagon Sec@GW e-mail solution can be used for e-mail encryption at protection level IV.
    Blancco 5 data erasure is valid for security levels I-IV (ST I to IV).
    The Samsung Knox extension for Android 4.4.2 is suitable for protection level IV (ST IV).

    Source: http://www.tivi.fi/kaikki_uutiset/nama+kolme+tuotetta+hyvaksyttiin+suomalaistietojen+suojaksi/a1015747

    Reply
  49. Tomi Engdahl says:

    89 percent of companies expect their systems to crash

    An international survey commissioned by Suse shows that companies are going to invest in the reliability of their IT infrastructure in the next 12 months. Three out of four of the information management professionals surveyed considered it an important goal of IT infrastructure that the systems for the most important workloads do not need shutdowns and do not crash.

    The survey revealed that reality is not expected to follow these wishes: as many as 89 per cent of respondents believe their most critical workloads will encounter controlled and uncontrolled shutdowns.

    The fear is not unfounded, as 80 per cent of the respondents have experienced uncontrolled shutdowns, on average more than twice a year. Technical faults are by far the main cause of uncontrolled downtime.

    “Shutdowns and crashes of information systems and workloads have a negative impact on companies of all sizes operating in all industries. CIOs and IT experts acknowledge the need to significantly reduce the duration of shutdowns of major systems. They have to work with hardware and software suppliers who are able to provide sufficiently reliable solutions and technologies, ”

    51 per cent of respondents say they have made provision for high availability clustering to reduce uncontrolled shutdowns.

    Source: http://www.tivi.fi/kaikki_uutiset/89+prosenttia+yrityksista+odottaa+jarjestelmiensa+kaatuvan/a1015713

    Reply
  50. Tomi Engdahl says:

    Zero Day Weekly: Bash bug Shellshock, jQuery, Amazon’s messy EC2 reboot
    http://www.zdnet.com/zero-day-weekly-bash-bug-shellshock-jquery-amazons-messy-ec2-reboot-7000034079/

    Summary: A collection of notable security news items for the week ending September 26, 2014. Covers enterprise, controversies, reports and more.

    Reply
