Security trends for 2014

Year 2014 will be a year of cybersecurity after the NSA revelations made in 2013: The headline news is that the NSA has surreptitiously “burrowed its way into nearly all the security architecture” sold by the world’s largest computer networking companies. A lot of people were shocked by how the NSA monitored and hacked almost everything on the Internet. There will still be NSA aftershocks as new material comes out and different parties react to it (and news sources write about it). U.S. cloud services have been put into question for good reason. There will be a lot of NSA spying litigation. Those spying issues will also fuel some hacktivism (it has already started to happen).

Security Professionals: Top Cyber Threat Predictions for 2014 article lists the following predictions that seem pretty probable: Cybersecurity Regulatory Efforts Will Spark Greater Need for Harmonization, Service-Impacting Interruptions for Online Services Will Persist, We Will See an Increase in Cybercrime Activity Related to the World Cup, Rise of Regional Cloud Services, Dev-Ops Security Integration Fast Becoming Critical, Cybercrime that Leverages Unsupported Software will Increase, Increase in Social Engineering and Ransomware will Impact More People.

Ubiquitous mobile computing is all around us, which will lead to increased risks and concerns about social network privacy. Social networks have quickly become the key organizing principle of Internet communication and collaboration. Android anti-virus apps CAN’T kill nasties on sight like normal AV.

2013 was a very hacked year, with many cases where information on millions or tens of millions of users was stolen from companies. It’s likely that we will see much more of the same in 2014, as the way people use passwords and the way on-line services are built have not changed much in one year.


Gartner predicts that through 2014, improved JavaScript performance will begin to push HTML5 and the browser as a mainstream enterprise application development environment. I expect HTML5-related security issues to increase because the technology will be used more in 2014.

Over 50% of net traffic to web sites is made by bots! The More Than Half of Internet Traffic Is Just Bots article says that security and cloud service provider Incapsula analyzed traffic and found out that more than 60 percent of internet traffic is computer generated, compared to less than 40 percent of traffic that is driven by human clicks. 31% of bots are still malicious. SEO link building has always been a major motivation for automated link spamming, but it is decreasing because Google was able to discourage it. There is more advanced hacking and automatic vulnerability searching.

DDoS attacks are evolving from volumetric Layer 3-4 attacks to much more sophisticated and dangerous Layer 7 multi-vector threats.

There will still be many SCADA security issues in 2014. Even though traditional SCADA vulnerabilities have become easier to find, the increased connectivity brought by IoT will cause new issues. And there will still be very many control systems openly accessible from the Internet to practically everybody who knows how to look for them. A large number of SCADA systems were found open on the Internet in the beginning of 2013, and the numbers have not dropped considerably during the year. I expect that very many of those systems will still be too open at the end of 2014.

The Internet is expanding into enterprise assets and consumer items such as cars and televisions. The Internet of Things (IoT) will evolve into the Web of Things, increasing the coordination between things in the real world and their counterparts on the Web. There will be many security issues to solve, and as these systems become more widely used, more security issues will be found in them.

Cloud security will be talked about. Hopefully there will be some clean-up of the terminology in that area, because, like the term cloud computing, cloud security can mean a lot of things. Cloud security could mean how secure your cloud provider is, a service that runs in the cloud filtering what comes through it (for example e-mails, web traffic), a product protecting some service running in the cloud, or a traditional anti-virus service that connects to the cloud to advance its operation (for example to update in real time, or to verify unknown programs based on data in the cloud). Research firm Gartner forecasts that cloud security sales will increase dramatically in the next few years. Cloud security sales have increased over the past year by 2.1 billion to $3.1 billion in 2015.

Marketers try to put the “cloud” term into security product brochures as much as they can. The cloud has made traditional information security sound old-fashioned, because companies are under pressure to move services to the cloud. Also, mobile devices and dispersed users set new standards for information security. OpenDNS’s CTO Dan Hubbard says that “Because the data and equipment run in the cloud, the cloud is the best way to protect users.” The Snowden Effect will also bring PRIVATE cloud talk to the table this year for security reasons, because U.S. cloud services have been put into question for good reason.

In Finland a new Cyber Security Center started in the beginning of 2014. Security articles and warnings from it will be published at kyberturvallisuuskeskus.fi.

Late addition: Crypto-currencies like Bitcoin and similar are on the rise. Early adopters already use them actively. Those crypto-currencies have many security issues related to them. The values of the crypto-currencies vary a lot, and the value easily drops considerably when they get so used that different governments try to limit using them. Bitcoin is increasingly used as a ransomware payment method. Bitcoins have been stolen quite a lot lately (and I expect that to increase when usage increases), and they are stolen from users, from on-line wallets and from exchanges. When more money is involved, more bad guys try to get in to get some of it. Sometimes bad guys do not try to steal your money, but use resources you pay for (your own PC, your server capacity, etc.) to generate money for them without you knowing about it. If you plan to use those crypto-currencies, be careful to understand what you are doing with them; there is a real possibility that you can lose your money, and there is no way that lost money can be recovered.

3,382 Comments

  1. Tomi Engdahl says:

    The NO-NAME vuln: w g e t mess patched without a fancy brand
    Directory overwrite bug threatens all *nix boxen
    http://www.theregister.co.uk/2014/10/30/no_poodle_for_you_wget_vuln_patched_without_fancy_brand/

    Reply
  2. Tomi Engdahl says:

    Mozilla releases geolocating WiFi sniffer for Android
    As if the civilians who never change access point passwords will ever opt out of this one
    http://www.theregister.co.uk/2014/10/30/mozilla_releases_geolocating_wifi_sniffer_for_android/

    Mozilla has released a new app, Stumbler, that “collects GPS data for our location service” by detecting WiFi access points and mobile phone cells towers, then “uses these wireless network locations to provide geolocation services for Firefox OS devices and other open source projects.”

    That sort of data collection has, of course, proven very controversial in the past as Google and Apple can attest after long legal battles.

    Mozilla Stumbler
    https://play.google.com/store/apps/details?id=org.mozilla.mozstumbler

    Mozilla is a nonprofit project and global community building a better internet. Mozilla Stumbler is an open-source wireless network scanner that collects GPS data for the Mozilla Location Service, our crowd-sourced location database. As you move around, the app “stumbles” upon new Wi-Fi networks and cell towers. The Mozilla Location Service combines these wireless network measurements to provide geolocation services for Firefox OS devices and other open source projects.

    Reply
  3. Tomi Engdahl says:

    This is, in IT bosses’ view, the biggest mobile security risk

    According to a recent Mobile Security Report survey, the biggest security risks can be found inside the business. 87 percent of respondents believe that the biggest mobile security risk is careless staff, says the security company Check Point in a statement.

    Also, employees’ own devices raise concern. The survey found that 95 percent of IT staff responsible for enterprises and organizations struggle with security problems caused by the use of employees’ own mobile devices for work (BYOD).

    Mobile security is forecast to fail to a larger extent. 82 per cent of respondents expect mobile security in their organization to fail more frequently in the next year. In addition, almost all (98 per cent) are concerned about the impact of those incidents. Most are concerned about the possibility that company data is stolen or lost.

    Android devices are considered at higher risk. 64 per cent of the respondents thought that Android devices are the weakest link in terms of security; the benchmarks were Apple, Windows Mobile and BlackBerry devices. Last year the figure was 49 per cent.

    Source: http://www.tivi.fi/kaikki_uutiset/tama+on+itpomojen+mielesta+mobiilin+suurin+tietoturvariski/a1024458

    More details: http://www.checkpoint.com/capsule/

    Reply
  4. Tomi Engdahl says:

    Facebook open-sources OSquery, a security tool to monitor OS processes, network connections

    Facebook, Google, and the Rise of Open Source Security Software
    http://www.wired.com/2014/10/facebook-builder-osquery/

    Facebook chief security officer Joe Sullivan says that people like Mike Arpaia are hard to find.

    Arpaia is a security engineer, but he’s not the kind who spends his days trying to break into computer software, hoping he can beat miscreants to the punch. As Sullivan describes him, he’s a “builder”—someone who creates new tools capable of better protecting our computer software—and that’s unusual. “You go to the security conferences, and it’s all about breaking things,” Sullivan says. “It’s not about building things.”

    Facebook hired Arpaia in January, and in the nine months since, he and a small team of other engineers built a tool called OSquery, which aims to identify attacks on the thousands of machines used across the company

    On today’s internet, as Sullivan explains, you can’t buy your way to good security. If you run a large online operation like Facebook, you need more than just off-the-shelf hardware and software to protect the thing. “You can’t just install three appliances and go back to work,” he says. Today’s online operations are so complex, you’re forced to build your own security tools, tailoring software to your particular setup. In open sourcing OSquery, Facebook aims to help others do that—and in the process, help itself. Outside companies can use the tool—as some already do, according to Arpaia—but they can also help Facebook improve it.

    The move is part of a larger effort by the web’s biggest names to not only build their own security software, but also open source it. In the past, companies were reluctant to open source their tools for reasons of, well, security. And many still are still reluctant.

    “The notion that obscurity means security is not always true,”

    OSquery is a tool that lets you more easily identify what’s running on a machine’s operating system and what has recently changed—at the lowest level. Basically, it exposes the operating system as a relational database, so that you can use standard SQL queries to identify running processes, loaded kernel modules, open network connections, and more. “When a computer is hacked, some fundamental state has changed,” Arpaia says. “OSquery allows you to really easily, in almost natural language, ask the computer what its state is.”

    Reply
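The comment above describes OSquery's model of exposing operating-system state as relational tables that can be queried with SQL. The following is an added illustration of that idea, not code from the original post or from the OSquery project: it loads constructed sample rows into an in-memory SQLite database whose tables are loosely modelled on OSquery's `processes` and `listening_ports` tables (the column names and the `on_disk` semantics are my assumption of the OSquery schema), then runs two defender-style queries: one that flags listening processes whose executable is gone from disk or runs from a scratch directory, and one that diffs two snapshots to show what changed.

```python
import sqlite3

# Constructed sample data (not real hosts). Columns mirror a subset of
# osquery's `processes` (pid, name, path, parent, on_disk) and
# `listening_ports` (pid, port, protocol, address) tables; this layout is
# an assumption for the example, not the project's authoritative schema.
SAMPLE_PROCESSES = [
    (1,    "systemd", "/usr/lib/systemd/systemd", 0, 1),
    (812,  "sshd",    "/usr/sbin/sshd",           1, 1),
    (1337, "kworker", "/tmp/.x/kworker",          1, 0),  # binary deleted after start
    (2201, "nginx",   "/usr/sbin/nginx",          1, 1),
]
SAMPLE_LISTENING_PORTS = [
    (812,  22,   "tcp", "0.0.0.0"),
    (1337, 4444, "tcp", "0.0.0.0"),
    (2201, 443,  "tcp", "0.0.0.0"),
]
# An earlier snapshot of the same host, constructed so that one listener is new.
PREVIOUS_LISTENING_PORTS = [
    (812,  22,  "tcp", "0.0.0.0"),
    (2201, 443, "tcp", "0.0.0.0"),
]

# "Ask the computer what its state is": a join over process and socket state.
SUSPICIOUS_LISTENERS_SQL = """
SELECT p.pid, p.name, p.path, lp.port
FROM processes AS p
JOIN listening_ports AS lp ON lp.pid = p.pid
WHERE p.on_disk = 0          -- executable no longer exists on disk
   OR p.path LIKE '/tmp/%'   -- or it runs from a world-writable scratch dir
ORDER BY p.pid;
"""

# "What has recently changed": set difference between two snapshots.
NEW_LISTENERS_SQL = """
SELECT pid, port, protocol, address FROM listening_ports
EXCEPT
SELECT pid, port, protocol, address FROM listening_ports_prev
ORDER BY pid;
"""


def build_state_db(processes, listening_ports, previous_listening_ports):
    """Load the sample rows into an in-memory relational view of host state."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE processes (pid INTEGER, name TEXT, path TEXT,"
                 " parent INTEGER, on_disk INTEGER)")
    conn.execute("CREATE TABLE listening_ports (pid INTEGER, port INTEGER,"
                 " protocol TEXT, address TEXT)")
    conn.execute("CREATE TABLE listening_ports_prev (pid INTEGER, port INTEGER,"
                 " protocol TEXT, address TEXT)")
    conn.executemany("INSERT INTO processes VALUES (?,?,?,?,?)", processes)
    conn.executemany("INSERT INTO listening_ports VALUES (?,?,?,?)", listening_ports)
    conn.executemany("INSERT INTO listening_ports_prev VALUES (?,?,?,?)",
                     previous_listening_ports)
    return conn


def suspicious_listeners(conn):
    """Listening processes whose binary is missing or lives under /tmp."""
    return conn.execute(SUSPICIOUS_LISTENERS_SQL).fetchall()


def new_listeners(conn):
    """Listening sockets present now that were absent in the previous snapshot."""
    return conn.execute(NEW_LISTENERS_SQL).fetchall()


if __name__ == "__main__":
    db = build_state_db(SAMPLE_PROCESSES, SAMPLE_LISTENING_PORTS,
                        PREVIOUS_LISTENING_PORTS)
    for row in suspicious_listeners(db):
        print("suspicious listener:", row)
    for row in new_listeners(db):
        print("new since last snapshot:", row)
```

On a real host the same two queries would be run against OSquery's own tables on a schedule, with the result rows shipped to a log pipeline; the value is in the join and the snapshot diff, which is exactly the "state has changed" question the comment quotes.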
  5. Tomi Engdahl says:

    Wal-Mart’s Answer To Apple Pay Has Already Been Hacked
    http://www.businessinsider.com/currentc-hacked-2014-10?op=1

    Here’s a bad sign for CurrentC, the fledgling mobile payment system in development by a consortium of retailers.

    CurrentC is sending emails to people who signed up for the beta version of the app warning them “that unauthorized third parties obtained the e-mail addresses of some of you.”

    It doesn’t sound as if it’s the worst breach in the world, but it’s definitely not good for CurrentC, which is just getting started.

    Reply
  6. Tomi Engdahl says:

    Attack campaign infects industrial control systems with BlackEnergy malware
    http://www.pcworld.com/article/2840612/attack-campaign-infects-industrial-control-systems-with-blackenergy-malware.html

    Since 2011 a group of attackers has been targeting companies that operate industrial control systems with a backdoor program called BlackEnergy.

    “Multiple companies working with ICS-CERT have identified the malware on Internet-connected human-machine interfaces (HMIs),” the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), a division of the U.S. Department of Homeland Security, said in a security advisory Tuesday.

    ICS-CERT has not identified cases where the BlackEnergy malware was used to damage, modify or disrupt the processes controlled by the compromised HMIs and it’s not clear if attackers used those HMIs to gain deeper access into the industrial control systems.

    The organization believes the BlackEnergy attackers targeted deployments of HMI products from three different vendors: General Electric’s Cimplicity HMI, Siemens’ SIMATIC WinCC and BroadWin’s WebAccess—also distributed by Advantech.

    Cimplicity HMI installations were compromised through a vulnerability that GE issued a patch for in December 2013. However, ICS-CERT believes this group of attackers has been exploiting the vulnerability since at least January 2012.

    ICS-CERT has not yet established the attack vectors for the SIMATIC WinCC and the Advantech/BroadWin WebAccess HMIs, but have reason to believe customers of these products have been targeted as well.

    GE issued an alert about the BlackEnergy campaign on its security website. “We recommend customers who have GE CIMPLICITY products installed follow security practices and install the latest patches,” the company said.

    Security researchers have predicted malware attacks against SCADA systems ever since the Stuxnet cybersabotage worm was discovered in 2010. Those predictions materialized this year: BlackEnergy is the second malware program found in the past several months that’s directly associated with attacks against industrial control systems.

    Reply
  7. Tomi Engdahl says:

    Carders offer malware with the human touch to defeat fraud detection
    Huge credit card heists mean crims want to cash out – fast
    http://www.theregister.co.uk/2014/10/30/carders_flog_bankbeating_fraud_funnel/

    A new cybercrime tool promises to use credit card numbers in a more human way that is less likely to attract the attention of fraud-detection systems, and therefore be more lucrative for those who seek to profit from events like the Target breach.

    The “Voxis Platform” is billed as “advanced cash out software” that promises to help carders earn “astronomical amounts” of cash by faking human interaction with different payment gateways, authors bragged in an ad posted around underground forums and to Bitcoin payments site Satoshibox.

    The operator of the Voxis Team crime group, an entity known as Bl4ckS14y3r, has claimed the platform can funnel cash through 32 payment gateways without human interaction and automatically create fake customer profiles to make the transfers less suspicious.

    Reply
  8. Tomi Engdahl says:

    UK smart meters arrive in 2020. Hackers have ALREADY found a flaw
    Energy summit bods warned of free energy bonanza
    http://www.theregister.co.uk/2014/10/30/smart_meter_hackable_for_free_electricity_say_security_reserachers/

    British consumers could easily hack the controversial new smart meters the government plans to introduce, allowing them to illegally slash their energy bills, cyber-security experts have warned.

    The caution came as top Whitehall apparatchiks met with energy industry leaders today to discuss plans that will see the devices installed in every British home by 2020.

    Smart meters are supposed to provide more accurate bills by constantly monitoring energy use and sending this information to utility providers in real time.

    But cyber security experts have warned that these devices can be easily hacked to send false information.

    “Smart meters could be hacked to under-report consumption and this should act as warning to the British programme,”

    The UK has set out guidelines aimed at beefing up the security of smart meters, but this might not be enough to stop determined hackers finding a way to bypass protections.

    “Cyber criminals and cyber terrorists are improving their capabilities very quickly,” Rivas-Vásquez continued.

    Previous energy innovations have been attractive to criminals.

    Criminals were also quick to hack top-up cards for prepaid electricity meters when they were introduced in the noughties, in some cases going door to door to sell cheaper, illegal energy credit to customers.

    Reply
  9. Tomi Engdahl says:

    Planning to fly? Pour out your shampoo, toss your scissors, RENAME TERRORIST WI-FI!
    FAA fails to see humor in ‘Al-Quida’ hotspot jokes
    http://www.theregister.co.uk/2014/10/27/going_on_a_flight_pour_out_your_shampoo_toss_your_scissors_rename_your_terrorist_wifi/

    A US airline delayed a flight on Sunday evening after an unidentified person somewhere in or around Los Angeles International Airport picked a rather unfortunate name for a Wi-Fi hotspot.

    American Airlines Flight 136 from Los Angeles to London was grounded for nearly a day after a passenger spotted a Wi-Fi network named “Al-Quida Free Terror Nettwork” (sic).

    As security analyst Graham Cluley noted, however, if someone was intending to disrupt air travel, they were rather effective in this case.

    “One thing is clear. If a real terrorist wanted to disrupt an air flight they don’t have to go to the effort of sneaking in explosives or phoning in a bomb threat,” Cluley wrote. “They can just create a Wi-Fi hotspot with a suspicious-looking name.”

    Staff are cautioned to react strongly to each and every threat, and jokes – even those buried within Wi-Fi networks – get taken seriously by the Transportation Security Administration, airlines, and airport officials.

    Reply
  10. Tomi Engdahl says:

    The Hackaday Prize: Interview With A ChipWhisperer
    http://hackaday.com/2014/10/29/the-hackaday-prize-interview-with-a-chipwhisperer/

    How seriously are the backdoors the Chipwhisperer opens taken
    in the industry? Are we looking at a huge problem with on-chip
    security out there, simply because the tools to investigate
    them have been really expensive?

    For people who care about security because they directly have money to lose
    (think chip & pin credit cards, satellite set-top boxes, etc.) they’ve taken
    these problems seriously for a long time. But the majority of embedded
    systems work doesn’t fall into that category, and it’s those products which
    end up vulnerable. Part of the issue is the design engineers either don’t
    know about these attacks. Or the engineers trust the vendors they are buying
    from, which sell the crypto libraries, hardware accelerators, or stand-alone
    chips as completely bullet-proof systems.

    The problem may not be one of fundamental deficiencies in the design of
    the crypto, but more the users (i.e. design engineers) don’t fully
    understand how “secure” the specific implementation of the crypto is.

    If you could give 100 words of advice to embedded designers
    implementing encryption, what would you tell them?

    Crypto is not a check-box. Every implementation will be vulnerable, your
    question is how secure do I need this to be? If someone is able to determine
    the secret key in one device, does this mean they are now able to gain
    access to all similar devices? The problems exposed by side-channel analysis
    are often made worse by classic mistakes, such as re-using keying material
    across multiple devices to make deployment easier, but when the devices
    don’t actually require a shared key (think firmware images).

    What was the reaction from different communities? What was the
    response from security researchers versus the general public?
    Are you surprised at how popular your project was?

    The biggest reaction has been from embedded engineers, as they have often
    been sold on ‘secure because math’ during their design process. They are
    using AES-256 for example and assume that means someone attacking the system
    would need to physically decap the chip, reset fuse bits, and then read out
    Flash memory to get the key. They’d never seen practical demonstrations of
    side-channel attacks, only vaguely heard about it.

    I am surprised how popular the project was outside of this sphere though! A
    lot more people are involved in side-channel power analysis than I first
    realized, which is great to learn.

    Reply
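The interview above warns that a key recovered from one device by side-channel analysis should not unlock every other unit, and that sharing one symmetric key across a fleet is a classic mistake. The following is an added example written for this page, not code from the ChipWhisperer project or the interviewee: it implements HKDF (RFC 5869, HMAC-SHA-256) from the Python standard library, checks it against the RFC's first test vector, and uses it to derive a distinct key per device serial number and per purpose, so that a MAC tag produced under one device's key does not verify under another's. The product name, salt string and serial numbers are constructed placeholders.

```python
import hashlib
import hmac

HASH_LEN = hashlib.sha256().digest_size  # 32 bytes


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 extract step: PRK = HMAC(salt, IKM); empty salt means HashLen zeros."""
    return hmac.new(salt or b"\x00" * HASH_LEN, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 expand step: T(i) = HMAC(PRK, T(i-1) | info | i), concatenated."""
    if length > 255 * HASH_LEN:
        raise ValueError("requested length too long for HKDF")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf(salt: bytes, ikm: bytes, info: bytes, length: int) -> bytes:
    return hkdf_expand(hkdf_extract(salt, ikm), info, length)


def rfc5869_test_vector_ok() -> bool:
    """Self-check against RFC 5869 test case 1 (SHA-256)."""
    ikm = bytes.fromhex("0b" * 22)
    salt = bytes.fromhex("000102030405060708090a0b0c")
    info = bytes.fromhex("f0f1f2f3f4f5f6f7f8f9")
    expected = bytes.fromhex(
        "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf"
        "34007208d5b887185865")
    return hkdf(salt, ikm, info, 42) == expected


# Constructed placeholders: a product-line master secret that only the
# provisioning system holds, and a fixed salt that names the product/version.
PRODUCT_SALT = b"example-product-v1-salt"


def device_key(master_secret: bytes, device_serial: str, purpose: str) -> bytes:
    """Derive a 256-bit key unique to (device, purpose).

    Only the derived key is ever written into a unit, so extracting it from
    one unit (by power analysis or any other means) reveals nothing about the
    master secret or about any other unit's key. Different purposes (e.g.
    "session-mac" vs "storage") get independent keys on the same device.
    """
    info = b"example-product-v1|" + device_serial.encode() + b"|" + purpose.encode()
    return hkdf(PRODUCT_SALT, master_secret, info, 32)


def mac_tag(key: bytes, message: bytes) -> bytes:
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_tag(key: bytes, message: bytes, tag: bytes) -> bool:
    # Constant-time comparison avoids turning the check itself into a timing oracle.
    return hmac.compare_digest(mac_tag(key, message), tag)


if __name__ == "__main__":
    master = bytes.fromhex("00" * 16 + "ff" * 16)  # constructed master secret
    k_a = device_key(master, "SN-000001", "session-mac")
    k_b = device_key(master, "SN-000002", "session-mac")
    tag = mac_tag(k_a, b"telemetry frame 42")
    print("RFC vector ok:", rfc5869_test_vector_ok())
    print("device A verifies own tag:", verify_tag(k_a, b"telemetry frame 42", tag))
    print("device B verifies A's tag:", verify_tag(k_b, b"telemetry frame 42", tag))
```

The derivation covers the symmetric-key half of the interviewee's point. For the firmware-image case mentioned in the interview, where devices need only to check that an image is genuine, a public-key signature verified with a key that is not secret at all is the right tool, and no shared secret needs to be in the device in the first place.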
  11. Tomi Engdahl says:

    Samaritans app monitors Twitter feeds for suicide warnings
    http://www.bbc.com/news/technology-29801214

    The Samaritans charity has launched a new app which will notify Twitter users if people they follow on the site appear to be suicidal.

    Samaritans Radar uses an algorithm to identify key words and phrases which indicate distress.

    They include “tired of being alone”, “hate myself”, “depressed”, “help me” and “need someone to talk to.”

    Users who have signed up for the scheme will receive an email alert if someone they follow tweets these statements.

    The app asks whether the tweets are cause for concern.

    Reply
  12. Tomi Engdahl says:

    Drupal Warns Users of Mass, Automated Attacks On Critical Flaw
    http://it.slashdot.org/story/14/10/30/1338246/drupal-warns-users-of-mass-automated-attacks-on-critical-flaw

    The maintainers of the Drupal content management system are warning users that any site owners who haven’t patched a critical vulnerability in Drupal Core disclosed earlier this month should consider their sites to be compromised.

    Reply
  13. Tomi Engdahl says:

    BIGGEST THREAT to Europe’s cybersecurity? Hint: not hackers
    Largest EVER Europe-wide cybersecurity exercise
    http://www.theregister.co.uk/2014/10/30/the_threats_to_europes_cybersecurity_arent_what_you_think_they_are/

    Forget cyber-espionage, cyber-warfare and cyber-terrorism. The biggest threat to Europe’s infrastructure cybersecurity are power outages and poor communication.

    On Thursday, ENISA (European Network and Information Security Agency) held its biggest ever cybersecurity exercise involving more than 200 organisations and 400 cyber-security professionals from 29 European countries.

    The bi-annual event* simulates a lifelike attack, modelled on real events, to test the reaction of national Computer Emergency Response Teams (CERTS), government ministries, telco companies, energy companies, financial institutions and internet service providers.

    But Steve Purser, Head of Operations at ENISA explained: “The biggest threats we really see are not attacks, but hardware and software failures.”

    Purser says he’s confident that they are testing the right things. “I speak at a lot of events and there are a lot of glib comments from people saying we need to share more data. But actually we need to share LESS data. We live in an age of data pollution and we need to discuss the right things at the right level.”

    The distributed exercise, involving several exercise centres across Europe working with a central exercise control centre, is designed to test EU cooperation and escalation procedures. The exercise will also test out the EU-Standard Operational Procedures, a set of guidelines to share operational information on cyber crisis.

    Last year global web-based attacks increased by almost a quarter and the total number of data breaches was 61 per cent higher than 2012 according to Symantec’s Intelligence Report.

    Each of the eight top data breaches resulted in the loss of tens of millions of data records while 552 million identities were exposed. Meanwhile, ENISA’s Threat Landscape report says that threat agents have increased the sophistication of their attacks and their tools and multiple countries have developed capabilities that can be used to infiltrate all kinds of targets, governmental and private.

    Professor Udo Helmbrecht, executive director of ENISA, commented: “Five years ago there were no procedures to drive cooperation during a cyber-crisis between EU Member States. Today we have the procedures in place collectively to mitigate a cyber-crisis on European level. The outcome of today’s exercise will tell us where we stand and identify the next steps to take in order to keep improving.”

    *Cyber Europe actually takes place in three phases throughout the year: technical – which involves the incident detection, investigation, mitigation and information exchanges (completed in April); operational/tactical – dealing with alerting, crisis assessment, cooperation, coordination, tactical analysis, advice and information exchanges at operational level (today and early 2015); and strategic, which examines decision making, political impact and public affairs. Thursday’s activities form the main part of the whole exercise.

    ENISA promises that the exercise will not affect critical information infrastructures, systems, or services.

    Reply
  14. Tomi Engdahl says:

    Cyber security implementation for ICT and security staff

    1. Instruct, train and educate, and justify bans
    2. Determine what may be done remotely and at home, and by what means
    3. Define guidelines for handling classified information
    4. Define guidelines for the user and password policy, train and educate, and require employees to use it
    5. Make sure that the terminal’s security features are enabled
    6. Make sure that software is updated automatically and is up to date
    7. Instruct on using social media as well as apps
    8. Be prepared for problems – who helps?

    Source: http://www.tivi.fi/blogit/turvasatama/kyberturvallisuuden+toteuttamisen+huoneentaulu+ict+ja+tietoturvahenkilostolle/a1024492

    More material: http://ict-tuki.fi/tietoturva/

    Reply
  15. Tomi Engdahl says:

    Hacking Team Manuals: Sobering Reminder That Privacy is Elusive
    http://yro.slashdot.org/story/14/10/30/1531224/hacking-team-manuals-sobering-reminder-that-privacy-is-elusive

    Advocatus Diaboli writes with a selection from The Intercept describing instructions for commercial spyware sold by Italian security firm Hacking Team.

    The manuals describe Hacking Team’s software for government technicians and analysts, showing how it can activate cameras, exfiltrate emails, record Skype calls, log typing, and collect passwords on targeted devices.

    Secret Manuals Show the Spyware Sold to Despots and Cops Worldwide
    https://firstlook.org/theintercept/2014/10/30/hacking-team/

    When Apple and Google unveiled new encryption schemes last month, law enforcement officials complained that they wouldn’t be able to unlock evidence on criminals’ digital devices. What they didn’t say is that there are already methods to bypass encryption, thanks to off-the-shelf digital implants readily available to the smallest national agencies and the largest city police forces — easy-to-use software that takes over and monitors digital devices in real time, according to documents obtained by The Intercept.

    We’re publishing in full, for the first time, manuals explaining the prominent commercial implant software “Remote Control System,” manufactured by the Italian company Hacking Team. Despite FBI director James Comey’s dire warnings about the impact of widespread data scrambling — “criminals and terrorists would like nothing more,” he declared — Hacking Team explicitly promises on its website that its software can “defeat encryption.”

    The manuals describe Hacking Team’s software for government technicians and analysts, showing how it can activate cameras, exfiltrate emails, record Skype calls, log typing, and collect passwords on targeted devices. They also catalog a range of pre-bottled techniques for infecting those devices using wifi networks, USB sticks, streaming video, and email attachments to deliver viral installers. With a few clicks of a mouse, even a lightly trained technician can build a software agent that can infect and monitor a device, then upload captured data at unobtrusive times using a stealthy network of proxy servers, all without leaving a trace. That, at least, is what Hacking Team’s manuals claim as the company tries to distinguish its offerings in the global marketplace for government hacking software.

    Reply
  16. Tomi Engdahl says:

    Ed Snowden Taught Me To Smuggle Secrets Past Incredible Danger. Now I Teach You.
    https://firstlook.org/theintercept/2014/10/28/smuggling-snowden-secrets/

    It might seem strange to use Twitter, a public platform, to convey crucial information, but in some circumstances it makes perfect sense. Doing a man-in-the-middle attack against encrypted email without getting caught is significantly simpler than performing an attack on a public platform that anyone in the world might notice. If NSA had hacked my Twitter account and posted the wrong fingerprint, there’s a good chance I, or one of my followers, would notice and start looking into it.

    Snowden signed off from my life, or so I thought, with a final request: He asked that I help Greenwald get encrypted. He said it was an important task, though he didn’t tell me why.

    Tails, the secure system Poitras asked me to get for Greenwald, is serious business. It’s a hardened operating system designed for people who need to be anonymous, and not a lot of people use it.

    After the dust settled, I sat down to write a simple tutorial for using the open source tools that allowed me, Poitras, Greenwald, and Snowden to communicate securely, and I ended up with a 30-page whitepaper called Encryption Works: How to Protect Your Privacy in the Age of NSA Surveillance. I took the name from Snowden’s now-famous quote: “Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on. Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it.”

    Encryption Works: How to Protect Your Privacy in the Age of NSA Surveillance
    https://freedom.press/encryption-works

    Reply
  17. Tomi Engdahl says:

    A Better Anonabox with the Beaglebone Black
    http://hackaday.com/2014/10/31/a-better-anonabox-with-the-beaglebone-black/

    A few weeks ago, Anonabox, the ill-conceived router with custom firmware that would protect you from ‘hackers’ and ‘legitimate governments’ drew the ire of tech media. It was discovered that this was simply an off-the-shelf router with an installation of OpenWrt, and the single common thread in the controversy was that, ‘anyone can build that. This guy isn’t doing anything new.’

    Finally, someone who didn’t have the terrible idea of grabbing another off the shelf router and putting it up on Kickstarter is doing just that. [Adam] didn’t like the shortcomings of the Anonabox and looked at the best practices of staying anonymous online. He created a Tor dongle in response to this with a Beaglebone Black.

    Tor Dongle | October 2014
    Or using a BeagleBone Black as a secure Tor gateway for your computer
    http://adammelton.com/tor_dongle.php

    Reply
  18. Tomi Engdahl says:

    Google To Disable Fallback To SSL 3.0 In Chrome 39 and Remove In Chrome 40
    http://tech.slashdot.org/story/14/10/30/220221/google-to-disable-fallback-to-ssl-30-in-chrome-39-and-remove-in-chrome-40

    Google today announced plans to disable fallback to version 3 of the SSL protocol in Chrome 39, and remove SSL 3.0 completely in Chrome 40. The decision follows the company’s disclosure of a serious security vulnerability in SSL 3.0 on October 14,

    Reply
  19. Tomi Engdahl says:

    Manhunt Underway For “Possibly Armed” Kinox Pirate Site Operators
    on October 31, 2014
    Breaking
    http://torrentfreak.com/manhunt-underway-for-possibly-armed-kinox-bitshare-and-freakshare-operators-141031/

    In a surprise move, police in Germany have launched a public manhunt for two men behind several large file-sharing sites. Alongside the unusual step of naming and publishing mugshots of the men, police are warning the public that they are violent and possibly armed.

    Just a few days ago news broke that police in Germany had carried out raids in several areas of the country.

    According to police he is one of the founders of the “criminal organization” behind Kinox, FreakShare and BitShare
    Kastriot also has alleged connections to a range of other sites including stream4k.to, shared.sx, mygully.com and boerse.sx.

    Reply
  20. Tomi Engdahl says:

    Swedish Regulator Orders Last “Hold-Out” ISP To Retain Customer Data
    http://yro.slashdot.org/story/14/10/31/0120233/swedish-regulator-orders-last-hold-out-isp-to-retain-customer-data

    Despite the death of the EU Data Retention Directive in April, and despite the country having taken six years to even begin to obey the ruling, the Swedish government, via its telecoms regulator, has forced ISPs to continue retaining customer data for law enforcement purposes.

    While providers all over Europe have rejoiced in not being obliged any longer to provide infrastructure to retain six months of data per customer, Sweden and the United Kingdom alone have insisted on retaining the ruling

    Swedish regulator orders ISP to retain customer data despite death of EU directive
    http://thestack.com/bahnhof-swedish-isp-ordered-to-retain-customer-data-291014

    Reply
  21. Tomi Engdahl says:

    Millions of websites hit by Drupal hack attack
    http://www.bbc.com/news/technology-29846539

    Up to 12 million websites may have been compromised by attackers who took advantage of a bug in the widely used Drupal software.

    The sites use Drupal to manage web content and images, text and video.

    Drupal has issued a security warning saying users who did not apply a patch for a recently discovered bug should “assume” they have been hacked.

    It said automated attacks took advantage of the bug and can let attackers take control of a site.

    “Attackers may have copied all data out of your site and could use it maliciously,” said the notice. “There may be no trace of the attack.” It also provided a link to advice that would help sites recover from being compromised.

    Mark Stockley, an analyst at security firm Sophos, said the warning was “shocking”.

    The bug in version 7 of the Drupal software put attackers in a privileged position, he wrote. Their access could be used to take control of a server or seed a site with malware to trap visitors, he said.

    He estimated that up to 5.1% of the billion or so sites on the web use Drupal 7 to manage their content, meaning the number of sites needing patching could be as high as 12 million.

    “Many site owners will never have received the announcement and many that did will have been asleep,” he said. “What Drupal badly needs but doesn’t have is an automatic updater that rolls out security updates by default.”

    Your Drupal site got hacked. Now what?
    https://www.drupal.org/node/2365547

    This information is useful should your Drupal site get compromised. Please report any details to the security team at [email protected]. The security team is unable to help with individual sites, but does like to keep track of compromised sites to see patterns.

    Reply
  22. Tomi Engdahl says:

    Visualizing hex dumps with Unicode emoji
    http://www.windytan.com/2014/10/visualizing-hex-bytes-with-unicode-emoji.html

    Memorizing SSH public key fingerprints can be difficult; they’re just long random numbers displayed in base 16. There are some terminal-friendly solutions, like OpenSSH’s randomart.

    I like to map the individual bytes into characters in the Miscellaneous Symbols and Pictographs block

    Reply
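
The windytan post above maps fingerprint bytes onto pictographs so two fingerprints can be compared at a glance, which is also the out-of-band check comment 16 describes (a key fingerprint posted publicly versus the one shown by the software). The following is an added example, not the post's own code; the fingerprint values in it are constructed, not real keys.

```python
# Added example (not the windytan post's own code): render OpenSSH key fingerprints
# as emoji by mapping each byte to one code point in the Unicode
# "Miscellaneous Symbols and Pictographs" block (U+1F300..U+1F5FF), and compare
# two fingerprints byte by byte.
import base64
import re

EMOJI_BASE = 0x1F300  # first code point of the block; bytes 0x00..0xFF fit inside it


def fingerprint_bytes(fp: str) -> bytes:
    """Parse the fingerprint formats OpenSSH prints.

    Accepts 'MD5:aa:bb:...', a bare 'aa:bb:...' hex string, or 'SHA256:<base64>'
    (OpenSSH omits the base64 padding, so it is restored here).
    """
    if fp.startswith("SHA256:"):
        b64 = fp[len("SHA256:"):]
        return base64.b64decode(b64 + "=" * (-len(b64) % 4))
    if fp.startswith("MD5:"):
        fp = fp[len("MD5:"):]
    if re.fullmatch(r"[0-9a-fA-F]{2}(?::[0-9a-fA-F]{2})+", fp):
        return bytes.fromhex(fp.replace(":", ""))
    raise ValueError(f"unrecognised fingerprint format: {fp!r}")


def to_emoji(data: bytes) -> str:
    """One pictograph per byte; the mapping is a bijection, so nothing is lost."""
    return "".join(chr(EMOJI_BASE + b) for b in data)


def from_emoji(text: str) -> bytes:
    """Inverse mapping; rejects characters outside the 256 code points used."""
    values = [ord(ch) - EMOJI_BASE for ch in text]
    if any(not 0 <= v < 256 for v in values):
        raise ValueError("character outside the fingerprint alphabet")
    return bytes(values)


def emoji_fingerprint(fp: str) -> str:
    return to_emoji(fingerprint_bytes(fp))


def mismatched_positions(fp_a: str, fp_b: str) -> list:
    """Byte positions where two fingerprints disagree (e.g. the one the server
    presented and the one posted out of band); an empty list means they match."""
    a, b = fingerprint_bytes(fp_a), fingerprint_bytes(fp_b)
    if len(a) != len(b):
        raise ValueError("fingerprints are of different hash types")
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


if __name__ == "__main__":
    # Constructed sample values, not real keys; they differ only in the last byte.
    shown = "MD5:16:27:ac:a5:76:28:2d:36:63:1b:56:4d:eb:df:a6:48"
    posted = "MD5:16:27:ac:a5:76:28:2d:36:63:1b:56:4d:eb:df:a6:49"
    print(emoji_fingerprint(shown))
    print(emoji_fingerprint(posted))
    print("differs at byte positions:", mismatched_positions(shown, posted))
```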
  23. Tomi Engdahl says:

    Facebook can be used through the Tor network – but does it make any sense?
    Facebook can also be used over Tor connections. The social media service has opened up a trial Tor-network address for use.
    But can Tor users, who need the ultimate in security, trust Facebook and that it does not give user data to the authorities?

    Making Connections to Facebook more Secure
    https://www.facebook.com/notes/protect-the-graph/making-connections-to-facebook-more-secure/1526085754298237

    It’s important to us at Facebook to provide methods for people to use our site securely. People connect to Facebook in many different ways, which is why we have implemented HTTPS across our service, and Perfect Forward Secrecy, HSTS, and other technologies which help give people more confidence that they are connected securely to Facebook.

    That doesn’t mean we can’t improve yet further.

    Consider Tor: Tor challenges some assumptions of Facebook’s security mechanisms

    - for example its design means that from the perspective of our systems a person who appears to be connecting from Australia at one moment may the next appear to be in Sweden or Canada. In other contexts such behaviour might suggest that a hacked account is being accessed through a “botnet”, but for Tor this is normal.

    Considerations like these have not always been reflected in Facebook’s security infrastructure, which has sometimes led to unnecessary hurdles for people who connect to Facebook using Tor. To make their experience more consistent with our goals of accessibility and security, we have begun an experiment which makes Facebook available directly over Tor network at the following URL:

    https://facebookcorewwwi.onion/

    [ NOTE: link will only work in Tor-enabled browsers ]

    Reply
  24. Tomi Engdahl says:

    Popular Science site shrugs off malicious code infection
    No warning, no response… at least it killed the code
    http://www.theregister.co.uk/2014/10/31/popsci_drive_by_download_risk/

    Security firm Websense warns that visiting the site exposed surfers to the RIG exploit kit. The malicious code was removed on Wednesday, but a number of surfers may still be harbouring infections after being sprayed with malicious code earlier this week.

    RIG is a hacker tool that uses client-side software exploits to push malware payloads onto the Windows PCs of visiting surfers. The RIG Exploit Kit features exploit code for various vulnerable plug-ins such as Java, Flash and Silverlight, according to Websense.

    The hacker tool, which first surfaced in April, has been linked with the distribution of the particularly nasty CryptoWall ransomware.

    Reply
  25. Tomi Engdahl says:

    Free government-penned crypto can swipe identities
    Beware of Australians bearing gifts
    http://www.theregister.co.uk/2014/10/31/privacy_flaws_found_in_fed_govts_560k_crypto/

    The PLAID (Protocol for Lightweight Authentication of Identity) cryptography kit appears to be insecure.

    PLAID is a homebrew cryptography system designed by Centrelink – the Australian government agency that shovels out tens of billions a year in welfare payments. The system has been considered for use by US government agencies.

    The software offers a means of contactless authentication using smart cards and is designed not to leak identities to scammers with dodgy card readers.

    The newly-disclosed flaws allow an attacker to fuzz cards in order to generate error messages. Attackers armed with a bushel of error messages could identify individual identity numbers.

    It was to the undoubtable glee of Human Services being considered for adoption across US Government agencies in a move that could bring down the cost of PLAID systems.

    Reply
  26. Tomi Engdahl says:

    Reverse Engineering the D-Link WPS Pin Algorithm
    http://hackaday.com/2014/10/31/reverse-engineering-the-d-link-wps-pin-algorithm/

    A router with WPS requires a PIN to allow other devices to connect, and this PIN should be unique to every router and not derived from other easily accessible data found on the router. When [Craig] took a look at the firmware of a D-Link DIR-810L 802.11ac router, he found exactly the opposite; the WPS PIN was easily decipherable because it was generated entirely from the router’s MAC address and could be reverse engineered by sniffing WiFi.

    [Craig] has an incomplete list of routers that are confirmed affected on his site, along with a list of confirmed unaffected routers.

    Reversing D-Link’s WPS Pin Algorithm
    http://www.devttys0.com/2014/10/reversing-d-links-wps-pin-algorithm/

    Reply
  27. Tomi Engdahl says:

    Dual-mode Avalanche and RF Random Number Generator
    http://hackaday.com/2014/10/31/dual-mode-avalanche-and-rf-random-number-generator/

    [Paul] designed a new open-hardware RNG (random number generator) that includes two sources of entropy in a small package. The first source of entropy is a typical avalanche diode circuit, which is formed by a pair of transistors. This circuit creates high-speed random pulses which are sampled by the onboard microcontroller.

    What makes this design unique is a second entropy source: a CC2531 RF receiver. The RF receiver continuously skips around channels in the 2.5 GHz band and measures the RF signal level. The least-significant bit of the signal level is captured and used as a source of entropy.

    The OneRNG uses the USB-CDC profile, so it shows up as a virtual serial port in most modern operating systems.

    Reply
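
Raw bits from a sampled source such as the RF signal-level LSB above are rarely perfectly unbiased, so the host side of such a design usually conditions them. The following is an added example, not part of [Paul]'s OneRNG design or firmware: the two sources are modelled as constructed, deliberately biased bit streams, and the code measures their bias, XOR-combines them and removes the residual bias with von Neumann's extractor.

```python
# Added example, not OneRNG code. Models the avalanche sampler and the RF
# signal-level LSB as constructed biased sources and shows how to measure,
# combine and debias them before the bits are used as entropy.
import random


def lsb_bits(samples):
    """Keep the least-significant bit of each signal-level reading (as the board does)."""
    return [s & 1 for s in samples]


def bias(bits):
    """Fraction of ones; 0.5 is ideal. Raises on empty input rather than dividing by zero."""
    if not bits:
        raise ValueError("no bits")
    return sum(bits) / len(bits)


def von_neumann(bits):
    """Von Neumann extractor: look at non-overlapping pairs, emit the first bit of
    each 01/10 pair, discard 00 and 11. Unbiased output if the input bits are
    independent with constant bias, at the cost of discarding most of them."""
    return [bits[i] for i in range(0, len(bits) - 1, 2) if bits[i] != bits[i + 1]]


def xor_combine(a, b):
    """Bitwise XOR of two streams (truncated to the shorter). For independent
    streams the deviation from 1/2 of the result is 2*e_a*e_b (piling-up lemma),
    so it is never larger than the smaller of the two deviations."""
    return [x ^ y for x, y in zip(a, b)]


def pack_bits(bits):
    """Pack bits MSB-first into bytes, dropping an incomplete trailing byte."""
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits) - 7, 8))


def simulated_source(seed, p_one, n, levels=256):
    """Constructed stand-in for a sampled entropy source: n readings in
    0..levels-1 whose least-significant bit is 1 with probability p_one."""
    rng = random.Random(seed)
    return [(rng.randrange(levels) & ~1) | (1 if rng.random() < p_one else 0)
            for _ in range(n)]


if __name__ == "__main__":
    n = 20000
    rf = lsb_bits(simulated_source(1, 0.70, n))          # skewed RSSI LSBs
    avalanche = lsb_bits(simulated_source(2, 0.55, n))   # slightly skewed diode pulses
    print(f"raw RF bias        {bias(rf):.3f}")
    print(f"raw avalanche bias {bias(avalanche):.3f}")
    combined = xor_combine(rf, avalanche)
    print(f"XOR combined       {bias(combined):.3f}")   # about 0.48: 2*0.2*0.05 below 1/2
    cleaned = von_neumann(combined)
    print(f"after von Neumann  {bias(cleaned):.3f}  ({len(cleaned)} bits kept of {n})")
    print(pack_bits(cleaned)[:8].hex())
```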
  28. Tomi Engdahl says:

    Facebook now available through Tor browsers at an onion address, SSL still enabled — Why Facebook Just Launched Its Own ‘Dark Web’ Site — Facebook has never had much of a reputation for letting users hide their identities online. But now the world’s least anonymous website has just joined the Web’s most anonymous network.

    Why Facebook Just Launched Its Own ‘Dark Web’ Site
    http://www.wired.com/2014/10/facebook-tor-dark-site/

    Facebook has never had much of a reputation for letting users hide their identities online. But now the world’s least anonymous website has just joined the Web’s most anonymous network.

    In a first-of-its-kind move for a Silicon Valley giant, Facebook on Friday launched a Tor hidden service, a version of its website that runs the anonymity software Tor. That new site, which can only be accessed by users running the Tor software, bounces users’ connections through three extra encrypted hops to random computers around the Internet, making it far harder for any network spy observing that traffic to trace their origin.

    Reply
  29. Tomi Engdahl says:

    Will He Ever Return? Head Of Google’s Web Spam Team Matt Cutts Extends Leave Into 2015
    14 year veteran of Google says web spam fighting has been running fine since he took leave in July
    http://searchengineland.com/will-matt-cutts-return-extends-leave-207159

    The head of Google’s web spam team, Matt Cutts, says that his leave from the company has gone so well that he’ll be continuing it through 2015.

    Since his time on leave, various Google engineers and webmaster trends analysts have filled the role of being public faces to SEOs and publishers. None of them have emerged as the strong “rockstar” type of figure that Cutts has been for a decade. But it’s hard to say whether that has helped or hurt Google.

    Reply
  30. Tomi Engdahl says:

    Secret Manuals Show the Spyware Sold to Despots and Cops Worldwide
    https://firstlook.org/theintercept/2014/10/30/hacking-team/

    When Apple and Google unveiled new encryption schemes last month, law enforcement officials complained that they wouldn’t be able to unlock evidence on criminals’ digital devices. What they didn’t say is that there are already methods to bypass encryption, thanks to off-the-shelf digital implants readily available to the smallest national agencies and the largest city police forces — easy-to-use software that takes over and monitors digital devices in real time, according to documents obtained by The Intercept.

    Reply
  31. Tomi Engdahl says:

    Ed Snowden Taught Me To Smuggle Secrets Past Incredible Danger. Now I Teach You.
    https://firstlook.org/theintercept/2014/10/28/smuggling-snowden-secrets/

    Reply
  32. Tomi Engdahl says:

    Pirate Bay co-founder JAILED for three years after massive CSC HACK ATTACK
    Guilty of illegally accessing government servers in Denmark
    http://www.theregister.co.uk/2014/11/01/pirate_bay_cofounder_gottfrid_svartholm_warg_jailed_for_three_and_a_half_years/

    The Pirate Bay co-founder Gottfrid Svartholm Warg was banged up for three and a half years on Friday.

    The jail term comes after the 30-year-old was found guilty of hacking charges by a court in Denmark on Thursday.

    Warg and an unnamed, 21-year-old accomplice hacked into the mainframe of American tech outfit CSC, which was hosting European government organisations between February and August 2012.

    They then proceeded to illegally access police email accounts, searched the European border control database and downloaded millions of social security numbers belonging to Danish citizens

    Reply
  33. Tomi Engdahl says:

    A Private Social Network for Cell Phones
    Users can share information, but the network only sees encrypted data.
    http://www.technologyreview.com/news/419503/a-private-social-network-for-cell-phones/

    Researchers at Microsoft have developed mobile social networking software that lets users share personal information with friends but not the network itself.

    “When you share a photo or other information with a friend on [a site like] Flickr, their servers are also able to read that information,” explains Iqbal Mohomed, a researcher at Microsoft Research Silicon Valley, who developed the new network, called Contrail, with several colleagues. “With Contrail, the central location doesn’t ever know my information, or what particular users care about–it just sees encrypted stuff to pass on.”

    When a Contrail user updates his information on the network, by adding a new photo, for example, the image file is sent to a server operating within the network’s cloud, just as with a conventional social network. But it is encrypted and appended with a list that specifies which other users are allowed to see the file. When those users’ devices check in with the social network, they download the data and decrypt it to reveal the photo.

    Contrail requires users to opt-in if they want to receive information from friends. When a person wants to receive a particular kind of update from a contact, a “filter” is sent to that friend’s device.

    Once decrypted, the filter ensures that every time he shares a photo tagged “family,” an encrypted version is sent to the cloud with a header directing it to the cell phone belonging to his mother (as well as anyone else who has installed a similar filter on his device). Encryption hides the mother’s preferences from the cloud, as well as the photos themselves. Each user has a cryptographic key on his or her device for every friend that is used to encrypt and decrypt shared information.

    Reply
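
The Contrail flow described above, as an added example that is not Microsoft Research's code: every pair of friends shares a key that lives only on their two devices (the initial key exchange is assumed to happen out of band), the cloud routes opaque blobs by a cleartext header naming sender and recipient, and filters travel encrypted so the cloud never learns who is interested in what. The cipher is a stand-in built from HMAC-SHA256 so the example runs on the standard library; a real deployment would use an authenticated cipher such as AES-GCM.

```python
# Added example, not Contrail code: per-friend keys, an encrypted filter, and a
# cloud that only ever stores ciphertext. Cipher = HMAC-SHA256 keystream plus
# encrypt-then-MAC tag, a stand-in for a real authenticated cipher.
import hashlib
import hmac
import os
from collections import defaultdict


def _keystream(key, nonce, n):
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]

def encrypt(key, plaintext):
    """nonce || ciphertext || tag (encrypt-then-MAC with HMAC-SHA256)."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong key or tampered blob")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class Cloud:
    """The network's server: it only ever sees (sender, recipient, opaque blob)."""
    def __init__(self):
        self.queues = defaultdict(list)
    def post(self, sender, recipient, blob):
        self.queues[recipient].append((sender, blob))
    def fetch(self, user):
        items, self.queues[user] = self.queues[user], []
        return items


class Device:
    def __init__(self, name):
        self.name = name
        self.keys = {}                   # friend -> shared key, never sent to the cloud
        self.filters = defaultdict(set)  # friend -> tags that friend asked to receive
        self.received = []               # (sender, tag, payload) after decryption

    def befriend(self, other):
        """Assumed out-of-band key agreement: both devices end up with the same key."""
        k = os.urandom(32)
        self.keys[other.name] = k
        other.keys[self.name] = k

    def _send(self, cloud, friend, kind, tag, payload):
        msg = kind + bytes([len(tag)]) + tag.encode() + payload
        cloud.post(self.name, friend, encrypt(self.keys[friend], msg))

    def subscribe(self, cloud, friend, tag):
        """Install a filter on `friend`'s device asking for everything tagged `tag`."""
        self._send(cloud, friend, b"F", tag, b"")

    def share(self, cloud, tag, payload):
        """Encrypt once per friend whose filter matches; returns the recipients."""
        recipients = sorted(f for f, tags in self.filters.items() if tag in tags)
        for f in recipients:
            self._send(cloud, f, b"D", tag, payload)
        return recipients

    def check_in(self, cloud):
        """Fetch, decrypt with the per-friend key, then apply filters or store data."""
        for sender, blob in cloud.fetch(self.name):
            try:
                msg = decrypt(self.keys[sender], blob)   # strangers or bad tags: drop
            except (KeyError, ValueError):
                continue
            kind, tag_len = msg[:1], msg[1]
            tag, payload = msg[2:2 + tag_len].decode(), msg[2 + tag_len:]
            if kind == b"F":
                self.filters[sender].add(tag)
            elif kind == b"D":
                self.received.append((sender, tag, payload))
        return list(self.received)


def demo():
    """Constructed run: mother asks for the son's 'family' photos; cloud sees only blobs."""
    cloud, son, mother = Cloud(), Device("son"), Device("mother")
    son.befriend(mother)
    son.befriend(Device("friend"))                 # a friend who installed no filter
    mother.subscribe(cloud, "son", "family")
    son.check_in(cloud)                            # son's device installs the filter
    sent_to = son.share(cloud, "family", b"photo: picnic")
    son.share(cloud, "work", b"photo: office")     # nobody subscribed to 'work'
    leaked = any(b"picnic" in blob for _, blob in cloud.queues["mother"])
    return sent_to, mother.check_in(cloud), leaked
```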
  34. Tomi Engdahl says:

    How Micah Lee securely connected Edward Snowden with Laura Poitras and Glenn Greenwald —

    Ed Snowden Taught Me To Smuggle Secrets Past Incredible Danger. Now I Teach You.
    https://firstlook.org/theintercept/2014/10/28/smuggling-snowden-secrets/

    Reply
  35. Tomi Engdahl says:

    Rootpipe — Critical Mac OS X Yosemite Vulnerability Allows Root Access Without Password
    Monday, November 03, 2014 Mohit Kumar
    http://thehackernews.com/2014/11/rootpipe-critical-mac-os-x-yosemite.html

    A Swedish security researcher has discovered a critical vulnerability in Apple’s OS X Yosemite that gives hackers the ability to escalate administrative privileges on a compromised machine, and allows them to gain the highest level of access on a machine, known as root access.

    The vulnerability, dubbed as “Rootpipe”, was uncovered by Swedish white-hat hacker Emil Kvarnhammar, who is holding on the full details about the privilege escalation bug until January 2015, as Apple needs some time to prepare a security patch.

    Once exploited, hackers could install malicious software or make other changes to your computer without any need of a password.

    Kvarnhammar contacted Apple about the issue but he initially didn’t get any response, and Apple silently asked him for more details. When he provided the details, Apple asked TrueSec not to disclose until next January.

    Reply
  36. Tomi Engdahl says:

    Security company: WordPress 4.0 is not safe

    Security company Klikki blames Helsingin Sanomat and the Communications Agency for irresponsible reporting on a new WordPress vulnerability.

    Security company Klikki: WordPress version 4.0 is not completely safe either, even though that is the public impression, so to speak. According to the company, all commonly used versions are vulnerable. The hole allows a third party to enter program code into WordPress blog posts and pages.

    WordPress administrators should be prepared to update their servers this week. Klikki is preparing a news release and a plug-in that protects against the vulnerability for site owners who for some reason cannot upgrade to the latest version.

    Supported WordPress versions 3.7 to 3.9 have had no publicly known vulnerabilities in months (the May vulnerabilities have been corrected, and they are of minor importance compared to the 4.0 problems)

    Sources:
    http://www.tivi.fi/kaikki_uutiset/tietoturvayhtio+wordpress+40+ei+olekaan+turvallinen/a1025723
    http://klikki.fi/adv/wordpress_ennakko-fi.html

    Reply
  37. Tomi Engdahl says:

    Google Releases Nogotofail Tool to Test Network Security
    http://threatpost.com/google-releases-nogotofail-tool-to-test-network-security/109143

    The last year has produced a rogues’ gallery of vulnerabilities in transport layer security implementations and new attacks on the key protocols, from Heartbleed to the Apple gotofail flaw to the recent POODLE attack. To help developers and security researchers identify applications that are vulnerable to known SSL/TLS attacks and configuration problems, Google is releasing a tool that checks for these problems.

    The tool, called nogotofail, allows developers to set up an infrastructure through which they can run known attacks against the target application. It has the ability to execute various attacks that require man-in-the-middle position, which is one of the key components of many of the known attacks on SSL/TLS, including POODLE, BEAST and others.

    Reply
  38. Tomi Engdahl says:

    Israeli ex-spies want to help you defend your CAR from cybercrooks
    Who needs a lock pick when you’ve got an electronic key?
    http://www.theregister.co.uk/2014/11/05/israeli_car_security_start_up/

    Security shortcomings in new cars could nurture a new branch of the infosec industry in much the same way that Windows’ security failings gave rise to the antivirus industry 20 or so years ago, auto-security pioneers hope.

    Former members of Unit 8200, the signals intelligence unit of the Israel Defense Forces, have banded together to create a start-up developing technology and services designed to protect connected cars from next generation hackers.

    Car thieves are already taking advantage of electronic car entry and ignition systems to steal cars. Recent reports suggest that insurers are refusing cover for keyless Range Rovers in London following the rise of targeted attacks on keyless cars.

    But there’s also a more subtle and less immediate hacker threat.

    Connected cars lay the groundwork for the introduction of new features, such as navigation by points of interest, music and video streaming, and also remote control of the vehicle via products and services such as GM’s OnStar and BMW’s ConnectedDrive.

    All of this extra internet-connected technology increases the number of ways malicious parties might be able to hack potentially vulnerable vehicles.

    Once inside, an attacker can utilise the vehicle’s internal communication bus and take control of additional modules inside the vehicle, including safety-critical systems like the ABS and engine ECUs (electronic computing units, the embedded computing systems in cars), according to Argus.

    Reply
  39. Tomi Engdahl says:

    Smartphone App To Be Used As Hotel Room Keys
    http://tech.slashdot.org/story/14/11/03/1811234/smartphone-app-to-be-used-as-hotel-room-keys

    Starwood Hotels and Resorts has become the first chain to let guests unlock doors with their phones at 10 Aloft, Element and W hotels. They hope to expand the program to 140 more properties in those brands by the middle of next year.

    “The technology’s developer says that it uses its own encrypted secure channel to ensure thieves cannot abuse the innovation.”

    Smartphone app to be used as hotel room keys
    http://www.bbc.com/news/technology-29869249

    The technology’s developer says that it uses its own encrypted secure channel to ensure thieves cannot abuse the innovation.

    But one expert had reservations.

    “Nothing is 100% secure, and once this technology is in widespread use it will make a very tasty target for hackers,” said Prof Alan Woodward from the University of Surrey’s department of computing.

    “It may be more secure than a standard hotel swipe card lock but use of strong security features such as AES encryption and ‘rotating keys’ does not mean someone won’t find an alternate way in.”

    “I don’t know why companies think they can do encryption better than a vetted standards body with significant peer review,” Joshua Wright told the BBC.

    Reply
  40. Tomi Engdahl says:

    ‘You have no right to see me NAKED!’ Suddenly, everyone wakes up at the Google-EU face-off
    Web ad giant’s ‘PR roadshow’ finishes in Brussels
    http://www.theregister.co.uk/2014/11/05/right_to_be_forgotten_eu_panel/

    “You have no right to see me naked!” Paul Nemitz, the European Commission’s director of fundamental rights, told Google this week. “A world in which everybody can see everybody naked is wrong.”

    He was speaking during the finale of the US giant’s “right to be forgotten” roadshow – a string of summits organized by the search monster’s advisory council to discuss privacy versus the public’s right to know in Europe.

    Eventually, the council will draw up non-binding, non-legally enforceable guidelines for Google when implementing the European Court of Justice’s May ruling that a search engine is a “data processor” under EU law – and as such is subject to certain rules regarding privacy.

    What has been widely touted as a right-to-be-forgotten is in fact a right-to-be-removed from search results associated with your name under certain circumstances – a long way from a right to be forgotten. For instance, the information to be de-indexed has to be “outdated” before the search site should comply with a takedown request.

    But that hasn’t stopped more than 150,000 people demanding Google “forgets” links to embarrassing web articles about them.

    Reply
  41. Tomi Engdahl says:

    Data center virtualization driving next-generation firewall adoption, finds study
    http://www.cablinginstall.com/articles/2014/10/abi-datacenter-virtualization-firewalls.html

    Next-generation firewalls (NGFW) have emerged as the security solution of choice for many virtualized data centers, as they provide a security architecture that can protect, scale, and evolve with virtualization needs. ABI Research believes that there is a niche market for NGFW for virtualized data centers, valued at US$375,000 in 2014.

    “NGFWs deliver much more granular control than traditional firewalls by being application and user aware, which in turn ensures better security without impacting user productivity,”

    According to ABI’s latest study, data centers have evolved significantly to keep pace with growing business demands. Operators in these centers are under immense pressure to roll out new applications and services faster than ever before. As a result, organizations are consolidating data centers and adopting technologies like virtualization, software-defined networking (SDN), and cloud computing. Virtualization enables organizations to utilize their data center hardware infrastructure effectively, leading to reduction in costs, and improvements in operational efficiencies. As traditional data centers evolve to virtualized and cloud computing environments, they pose significant new security challenges that need to be addressed.

    ABI says that its latest research indicates that a majority of organizations are still using the same tools for their virtualized environments — such as antivirus and firewalls — as they did for their in-house physical machine set-ups. However, existing security solutions in the data center fail to address the dynamic nature of the virtualized environment, and cannot track policies to virtual machine creation or movement.

    Reply
  42. Tomi Engdahl says:

    IoT cybersecurity: is EDA ready to deliver?
    http://www.design-reuse.com/news/35745/iot-cybersecurity-is-eda-ready-to-deliver.html

    “There is so much buzz around Cloud computing, IoT and Cybersecurity nowadays that just by attending all the conferences and talks on these three topics, you could never have to go back to your office”, jokingly said Rhines.

    “In fact, all three topics share a common concern, security” he noted, “and while the cloud is exposing us more, IoT magnifies both the amount of data and the number of data collection sites”, he added, inferring that each new node potentially offers a new entry point to hackers.

    IoT cybersecurity: is EDA ready to deliver?
    http://www.design-reuse.com/news/exit/?id=35745&url=http%3A%2F%2Fwww.electronics-eetimes.com%2Fen%2Fiot-cybersecurity-is-eda-ready-to-deliver.html%3Fnews_id%3D222922773%26cmp_id%3D7

    During a brief stint in Paris to visit customers and before hosting Mentor Graphics’ Integrated Electrical Solutions Forum (IESF Europe) in Munich, CEO Wally Rhines delivered a keynote speech to share his views on Internet-of-Things (IoT) cybersecurity and what could be the role of EDA, at the root of every design.

    It is true that security breaches regularly make the news, from credit card databases to Facebook or iCloud accounts to medical records. That also includes virus exploits compromising industrial or military assets, the Stuxnet being the most famous one.

    In fact, nowadays most security breaches are software-based, when an application can be compromised and data collected, either through social engineering, malware and viruses or Trojans.

    Counter-measures for such attacks range from basic antivirus scanning software, to embedded hypervisors to hardware-bound secure applications tying their execution to uniquely identifiable hardware (for example an embedded secure element or even better, a Physically Unclonable Function derived from intrinsic hardware properties).

    “But the threats extend way beyond software and some hackers will put a lot of effort into compromising a system’s security at silicon-level”, continued Rhines.

    Well-documented examples include side-channel attacks for which counter measures include hardened IP to resist attacks and make key extraction more difficult. At board-level, counterfeit chips have also been widely reported, some are pure fake or cloned or even recycled parts de-soldered from eWaste, but you could also find additional chips spying on the board’s transactions.

    “There is emerging customer demand for silicon authentication and sooner or later, some customers will say ‘I am not buying your chip if it can’t be traced’”, said Rhines.

    “Authentication is good but is not enough”, Rhines added, “what you need is a comprehensive design for security”.

    Rhines sees there a new sector of activity for EDA, where companies like his will have to play a bigger role, with more IP emulation and verification strategies to ensure that the chip not only does what it is supposed to do, but does nothing that it is not supposed to do.

    Some solutions he proposes include on-chip odometers that can address recycling threats (counting power cycles or memory accesses), activation IP that guarantees the IP-rights holder control over the chip operation, or dedicated co-processors for run-time Trojan detection. The latter delivered as IP could prevent undeclared communications or detect peripherals with a hidden functionality.

    “You have to trust someone!”

    Reply
  43. Tomi Engdahl says:

    Security scorecard finds messaging apps need more development
    EFF experts find only a handful of apps that meet basic security standards.
    http://arstechnica.com/security/2014/11/scorecard-finds-messaging-apps-need-more-development/

    Only six out of 39 messaging applications have the features needed to guarantee the security of communications sent over the Internet, according to an analysis by the Electronic Frontier Foundation (EFF).

    The results of the analysis, published as a scorecard on Tuesday, found that popular messaging apps—such as Facebook Chat, Apple’s FaceTime and iMessage, Microsoft’s Skype, and Yahoo Messenger—failed to meet all seven criteria, such as whether the application implements perfect forward secrecy and whether the source code had been audited for security. The group did the analysis as part of its campaign to promote the development of secure and usable cryptography, which is necessary in a world where government surveillance has become more common, Peter Eckersley, EFF’s technology projects director, told Ars.

    The study is intended to help direct companies who are actively developing secure-communication software, he said.

    Reply
  44. Tomi Engdahl says:

    Secure Messaging Scorecard
    Which apps and tools actually keep your messages safe?
    https://www.eff.org/secure-messaging-scorecard

    Reply
  45. Tomi Engdahl says:

    Facebook users are being informed more and more about the scams and manipulation spreading on the service, but even though cybercriminals get busted, the same old tools still work on users, finds a report by security company Bitdefender.

    The two-year, exceptionally massive study analyzed 850,000 hoaxes. The company notes that there is a clear connection between lack of education and susceptibility to scams. But this does not explain everything.

    By far the most widely used scam was the so-called “guess who looked at your profile” scam. It accounted for 45.5 per cent of all operations; its genius lies in exploiting people’s curiosity.
    This trick works particularly well even on users knowledgeable about the hazards of Facebook scams.

    The second most widely used scam method is promises of free Facebook features or extra features that give the user additional visibility for their profile.

    Free product marketing scam ads are the third most common scam method.

    Traditional gossip-related scams come fourth.

    The fifth most popular method is videos depicting atrocities.

    Source: http://www.tivi.fi/kaikki_uutiset/facebookkayttajat+eivat+viisastu+ndash+nama+5+vedatysta+toimivat+vuodesta+toiseen/a1026323

    Reply
  46. Tomi Engdahl says:

    Watchdog bites hotel booking site: Over 3k card details slurped
    SQL flaw ‘oldest trick in the book’ – ICO
    http://www.theregister.co.uk/2014/11/05/hotel_booking_website_fined_over_breach_that_exposed_credit_card_details/

    Hotel booking website Worldview Limited has been fined £7,500 over a security breach involving its website that allowed hackers to swipe the full payment card details of some 3,814 customers.

Sensitive data was accessed after the unidentified attacker exploited a SQL injection flaw in Worldview's website to access the firm's customer database. Although customers' payment details had been encrypted, the means to decrypt the information — the decryption key — was stored with the data, according to a subsequent investigation by privacy watchdogs at the Information Commissioner's Office (ICO).

    Reply
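The two failures the ICO describes above (an injectable query, and a decryption key kept in the same database as the data it protects) are easy to reproduce side by side. The following is an added example, not code from Worldview or from the article: it builds a throwaway in-memory SQLite database with constructed sample rows and a hypothetical `settings` table holding the card key, then runs the same two injection payloads against a string-concatenated lookup and a parameterised one. The table names, column names and key value are assumptions made for the demonstration.

```python
import sqlite3

# Constructed sample data for the demonstration (not the breached database).
SAMPLE_CUSTOMERS = [
    ("alice", "alice@example.com", "enc:7b2f91c0"),  # card numbers held "encrypted"
    ("bob", "bob@example.com", "enc:91c0e3a4"),
    ("carol", "carol@example.com", "enc:e3a47b2f"),
]
# The mistake the ICO called out: the key that unlocks the card data lives
# in the same database, so any read primitive reaches it too (hypothetical key).
SAMPLE_SETTINGS = [("card_key", "hypothetical-aes-key-0123456789abcdef")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT, email TEXT, card_number TEXT)")
    conn.execute("CREATE TABLE settings (name TEXT, value TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_CUSTOMERS)
    conn.executemany("INSERT INTO settings VALUES (?, ?)", SAMPLE_SETTINGS)
    return conn


def lookup_vulnerable(conn, username):
    """String-concatenated query: attacker input is parsed as SQL syntax."""
    sql = ("SELECT username, email, card_number FROM customers "
           "WHERE username = '" + username + "'")
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Parameterised query: input is bound as a value and never parsed as SQL."""
    sql = "SELECT username, email, card_number FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Two classic payloads: a tautology that dumps every customer row, and a
# UNION that reads a different table (the key table) through the same query.
# The trailing "--" comments out the closing quote the application appends.
TAUTOLOGY = "' OR '1'='1"
UNION_KEY = "' UNION SELECT name, value, '' FROM settings --"


def demo():
    """Run both lookups with a normal value and with both payloads."""
    conn = make_db()
    return {
        "vulnerable_normal": lookup_vulnerable(conn, "alice"),
        "vulnerable_dump_all": lookup_vulnerable(conn, TAUTOLOGY),
        "vulnerable_steal_key": lookup_vulnerable(conn, UNION_KEY),
        "safe_normal": lookup_safe(conn, "alice"),
        "safe_dump_all": lookup_safe(conn, TAUTOLOGY),
        "safe_steal_key": lookup_safe(conn, UNION_KEY),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {len(rows)} row(s) -> {rows}")
```

Against the concatenated query the tautology returns all three customers and the UNION returns the key row, so the "encrypted" card numbers are worth exactly nothing; against the bound query both payloads are just unusual usernames and return no rows. Parameterisation closes the injection, but the key still belongs outside the database (an HSM, a KMS, or at minimum a separate store the web tier reads at startup) so that a future read primitive does not hand over both halves again.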
  47. Tomi Engdahl says:

    Home Depot Customers’ Cards Found For Sale in Online Black Market
    http://www.tripwire.com/state-of-security/top-security-stories/home-depot-customers-cards-found-for-sale-in-online-black-market/

    As of now, Krebs estimates the breach may impact all 2,200 Home Depot stores across the United States with several banks stating the breach could extend back to late April or early May 2014.

    Krebs added that the perpetrators of this attack may be the same group of hackers responsible for the previous breaches at P.F. Chang’s, Sally Beauty and the massive Target breach.

    Tripwire security researcher Ken Westin explained in a blog post how criminals can generate significant profit through the sale of stolen credit cards in the online black market.

    “The price for valid credit cards can be as high as $100 per card depending on the amount of information available with the card, such as the type of card and its known limits,” said Westin.

    Fraudsters often use the stolen card information to purchase pre-paid gift cards from other retailers, such as Amazon, then purchase high-value goods that can later be re-sold for profit.

    Unfortunately, Home Depot is not alone. Recently, Dairy Queen, The UPS Store and Supervalu came forward to announce all had been impacted by malicious malware stealing sensitive customer information.

    Reply
  48. Tomi Engdahl says:

    News & Analysis
    CTOs Wrestle With Mobile Security
    http://www.eetimes.com/document.asp?doc_id=1324495&

    Security is a top concern for business users, according to research conducted for Dell and a panel of chief technical officers at Dell World here.

    Company founder Michael Dell set the tone, referring to the survey of 2,000 midsized organizations:

    Security is the No. 1 inhibitor to cloud, mobility, and big data adoption. Most organizations are not prepared to deal with security risks, and only one in four organizations have plans for security breaches. It’s not just about securing the technology. People play a very big role in addressing those risks and creating solutions that keep those devices secure.

    Forty-four percent of respondents said they’re not adopting technology because of security concerns

    Wisdom: Are we still in a world where you would classify someone as a mobile worker and a non-mobile worker?

    Ferguson: I think mobile is an overly narrow [term]. Mobile means three things: the person, the device, and the data… [We] should not be focusing on mobility of the person only, but mobility of data.

    Wisdom: How has the electronic medical records industry looked at security, what are the challenges you faced, and what are your major strategies?

    Dr. Christopher Ray, CTO of Medical Information Records and developer of Anesthesia OS: We wanted to create an application where we can untether and unwire the experience an anesthesiologist has. When we created this application we had to understand how the user will use the application… We’re going to have to use best-practices in encryption and data in motion, but also stack that with very, very smart solutions to manage containers.

    Wisdom: We know from third-party research that 83% of organizations are supporting tablets in some way. Almost 100% support smartphones, and 77% support more than one operating system. What [respondents] didn’t say was [whether] they saw increased sales and reduction of non-work time [due to use of mobile systems]. Our customers believe in productivity, but they’re not thinking about technology as a core business strategy for changing the way they do business.

    Thrikutam: Most have used mobile or some kind of digital technologies around customer engagement, and I think it’s reached a point of sophistication. A shift is happening — users expect a lot more intuitive, easy-to-use applications, but CIOs have 25- to 30-year-old applications running the guts of the business. Dell offers a modernization service to help take that old legacy platform and, instead of rewriting the whole system, use tools to automate the process.

    Reply
