Year 2014 will be a year of cybersecurity after the NSA revelations made in 2013: The headline news is that the NSA has surreptitiously “burrowed its way into nearly all the security architecture” sold by the world’s largest computer networking companies. A lot of people were shocked how NSA monitored and hacked almost everything in Internet. There will still be NSA aftershocks after new material comes out and different parties react to them (and news sources write about them). U.S. cloud services have been put into question for good reason. There will be a lot of NSA spying litigation. Those spying issues will also fuel some haktivism (it has already started to happen).
Security Professionals: Top Cyber Threat Predictions for 2014 article lists the following predictions that seem to pretty propable: Cybersecurity Regulatory Efforts Will Spark Greater Need for Harmonization, Service-Impacting Interruptions for Online Services Will Persist, We Will See an Increase in Cybercrime Activity Related to the World Cup, Rise of Regional Cloud Services, Dev-Ops Security Integration Fast Becoming Critical, Cybercrime that Leverages Unsupported Software will Increase, Increase in Social Engineering and Ransomware will Impact More People.
Ubiquitous mobile computing is all around us, which will lead to increased risks and concerns about social network privacy. Social networks have quickly become the key organizing principle of Internet communication and collaboration. Android anti-virus apps CAN’T kill nasties on sight like normal AV.
2013 was a very hacked year when there was many cases where information on millions or tens of millions of users were stolen from companies. It’s likely that we will see much more of the same in 2014, the way people use passwords and how the on-line services are built have not changed much in one year.
Gartner predicts that through 2014, improved JavaScript performance will begin to push HTML5 and the browser as a mainstream enterprise application development environment. I expect that HTML5 related security issues are increased due the fact that the technology being used more in 2014.
Over 50% of net traffic to web sited made by bots! More Than Half of Internet Traffic Is Just Bots article says that security and cloud service provider Incapsula analyzed and found out that more than 60 percent of internet traffic is computer generated, compared to less than 40 percent of traffic that is driven by human clicks. 31% of Bots Are Still Malicious. SEO link building has always a major motivation for automated link spamming, but it is decreasing due the fact that Google was able to discourage it. There are more advanced hacking and automatic vulnerability searching.
DDoS attacks are evolving from volumetric Layer 3-4 attacks to much more sophisticated and dangerous Layer 7 multi-vector threats.
There will be still many SCADA security issues in 2014. Even though traditional SCADA vulnerabilities have become easier to find, the increased connectivity brought with IoT will cause new issues. And there will still be very many controls systems openly accessible from the Internet for practically everybody who knows how to do that. There was a large number of SCADA systems found open in Internet in the beginning of 2013, and the numbers have not considerably dropped during the year. I expect that very many of those systems are still too open in the end of 2014.
The Internet is expanding into enterprise assets and consumer items such as cars and televisions. The Internet of Things (IoT) will evolve into the Web of Things, increasing the coordination between things in the real world and their counterparts on the Web. There will be many security issues to solve and as the system become more widely used more security issues on them will be found in them.
Cloud security will be talked about. Hopefully there will be some clear-up on the terminology on that area, because cloud security can mean a lot of things like the term cloud computing. Cloud security could mean how secure your cloud provider is, a service that runs on cloud filtering what comes through it (for example e-mails, web traffic), it could mean to product protecting some service running on cloud, or it could be a traditional anti-virus service that connects to cloud to advance it’s operation (for example update in real-time, verify unknown programs based on data on cloud). Research firm Gartner forecasts that cloud security sales will increase dramatically in the next few years. Cloud Security sales have increased over the past year by 2.1 billion to $ 3.1 billion in 2015.
Marketers try to put “cloud” term to security product brochures as much as they can. Cloud made from the traditional information security sound old-fashioned because companies are under pressure to move services to the cloud. Also, mobile devices and information security dispersed users to set new standards. OpenDNS ‘s CTO Dan Hubbard says that “Because of the data and equipment run in the cloud users with the cloud is the best way to protect them.” The Snowden Effect will also bring this year of PRIVATE cloud talk on table for security reasons because U.S. cloud services have been put into question for good reason.
In Finland a new Cyber Security Center started in the beginning of 2014. Security articles and warnings from it will be published at kyberturvallisuuskeskus.fi.
Late addition: Crypto-currencies like Bitcoin and similar are on the rise. Early adopters already use them already actively. Those crypto-currencies have many security related issues related to them. The values of the crypto-currencies vary quite much, and easily the value drops considerably when they get so used that different governments try to limit using them. Bitcoin is increasingly used as ramsonware payment method. Bitcoins have been stolen lately quite much (and I expect that to increase when usage increases), and those are stolen from users, on-line wallets and from exchanges. When more money is involved, more bad guys try to get into to get some of it. Sometimes bad guys do not try to steal your money, bit use resources you pay (your own PC, your server capacity, etc.) to generate money for them without you knowing about it. If you plan to use those crypto-currencies be careful to understand what you are doing with them, there is a real possibility that you can loose your money and there is no way that lost money can be recovered.
3,382 Comments
Tomi Engdahl says:
Indicators of Compromise for Malware Used by Sony Hackers
https://www.securityweek.com/indicators-compromise-malware-used-sony-hackers
Just hours after the FBI and President Obama called out North Korea as being responsible for the destructive cyber attack against Sony Pictures, US-CERT issued an alert describing the primary malware used by the attackers, along with indicators of compromise.
While not mentioning Sony by name in its advisory, instead referring to the victim as a “major entertainment company,” US-CERT said that the attackers used a Server Message Block (SMB) Worm Tool to conduct the attacks.
According to the advisory, the SMB Worm Tool is equipped with five componments, including a Listening Implant, Lightweight Backdoor, Proxy Tool, Destructive Hard Drive Tool, and Destructive Target Cleaning Tool.
The advisory also provides a summary of the C2 IP addresses, Snort signatures for the various components, host based Indicators, potential YARA signatures to detect malware binaries on host machines, and recommended security practices and tactical mitigations.
Tomi Engdahl says:
Transforming Security Into an Enabler: The Validated Best of Breed Certification Paradigm
https://www.securityweek.com/transforming-security-enabler-validated-best-breed-certification-paradigm
Security drives many of these software issues. Security requirements for information assurance, risk management, and certification and accreditation constrain Government organizations with respect to software allowed on Government networks. On one level, this is nothing more than managing the supply chain to prudently mitigate security risks to systems and networks. Unfortunately, these security measures often become procedural impediments and disablers, preventing Government programs from implementing optimal solutions.
The intent of these requirements is uniformly good, but problems arise as they are distilled into a myriad of risk management policies and directives. This results in a security environment where many excellent, and often cost effective, software components are unavailable for Government use. In many cases these components are proven commercial products (both proprietary and open source) that simply lack the right certification or accreditation pedigree. A brief look at one of the most important security certification standards, the “Common Criteria for Information Technology Security Evaluation” (Common Criteria), helps to illustrate the point.
Tomi Engdahl says:
Layered Security – It’s Not Just for Networks
https://www.securityweek.com/layered-security-its-not-just-networks
At this time of year, many of us like to surprise our family, friends, and colleagues with gifts that aren’t what they appear to be. A ring wrapped in the box your microwave came in. A sweater in a package weighted down with a few bricks. Or maybe a new suitcase that actually contains tickets for a trip. You get the picture – using deception for a pleasant surprise.
These various types of attacks are successful because they are well-disguised, blend different techniques, and constantly evolve. That’s what we as defenders need to do with our defenses – use a security architecture that supports a combination of defenses in ways attackers don’t expect and that continuously evolves protections to keep up with dynamic attacks. As security professionals we’re all familiar with the concept of defense-in-depth and multi-layered protection. Traditionally these approaches have been focused on the network, but they can and should be applied to email gateways as well.
Email is the preferred channel for business communications and thus continues to be a vector of choice for attackers.
Tomi Engdahl says:
Entry Point of JPMorgan Data Breach Is Identified
http://dealbook.nytimes.com/2014/12/22/entry-point-of-jpmorgan-data-breach-is-identified/?_r=0
The computer breach at JPMorgan Chase this summer — the largest intrusion of an American bank to date — might have been thwarted if the bank had installed a simple security fix to an overlooked server in its vast network, said people who have been briefed on internal and outside investigations into the attack.
Big corporations like JPMorgan spend millions — $250 million in the bank’s case — on computer security every year to guard against increasingly sophisticated attacks like the one on Sony Pictures. But the weak spot at JPMorgan appears to have been a very basic one, the people said. They did not want to be identified publicly because the investigation into the attack is incomplete.
The attack against the bank began last spring, after hackers stole the login credentials for a JPMorgan employee, these people said. Still, the attack could have been stopped there.
Most big banks use a double authentication scheme, known as two-factor authentication, which requires a second one-time password to gain access to a protected system. But JPMorgan’s security team had apparently neglected to upgrade one of its network servers with the dual password scheme, the people briefed on the matter said. That left the bank vulnerable to intrusion.
The oversight is now the focus of an internal review at JPMorgan that seeks to identify whether there are any other unguarded holes in the bank’s vast network
JPMorgan discovered the hackers inside its systems in August, after first finding that the same group of hackers had breached a website for a charitable race that the bank sponsors.
The revelation that a simple flaw was at issue may help explain why several other financial institutions that were targets of the same hackers were not ultimately affected nearly as much as JPMorgan Chase was. To date, only two other institutions have suffered some kind of intrusion, but those breaches were said to be relatively minor by people briefed on the attacks.
It is not clear why the vulnerability in the bank’s network had gone unaddressed previously.
A large part of the problem, security experts say, is that it has become nearly impossible for banks of JPMorgan’s size to secure their networks, particularly as they integrate the networks of companies they acquire with their own. This has been a particular headache at JPMorgan, where it is still not uncommon for the name “Bank One” — a lender JPMorgan merged with a decade ago — to pop up in a web URL.
About two weeks ago, JPMorgan’s legal department sent an email to a number of its technology and cybersecurity employees reminding them not to “destroy or delete” any relevant documents about the breach, as well as about a smaller intrusion one year ago that affected 465,000 customers who used the bank’s prepaid cash cards.
Companies customarily send out these “hold” notices when they receive subpoenas or request for documents from regulators and law enforcement agencies.
Tomi Engdahl says:
China condemns cyberattacks, but says no proof North Korea hacked Sony
http://www.reuters.com/article/2014/12/22/us-sony-cybersecurity-idUSKBN0K006U20141222
China said on Monday it opposed all forms of cyberattacks but there was no proof that North Korea was responsible for the hacking of Sony Pictures, as the United States has said.
China is North Korea’s only major ally, and would be central to any U.S. efforts to crack down on the isolated state. But the United States has also accused China of cyber spying in the past and a U.S. official has said the attack on Sony could have used Chinese servers to mask its origin.
South Korea, which is still technically at war with North Korea, said computer systems at its nuclear plant operator had been hacked and non-critical data stolen, but there was no risk to nuclear installations or reactors.
Tomi Engdahl says:
Microsoft Acquires Active Directory Security Startup Aorato
http://www.securityweek.com/microsoft-acquires-active-directory-security-startup-aorato
Microsoft has acquired Israeli cyber security startup Aorato, a company focused on protecting Active Directory deployments.
The Herzelia, Israel-based company makes an “Directory Services Application Firewall” (DAF) which analyzes Active Directory-related traffic to detect attacks.
Offered as a virtual or physical appliance, DAF utilizes port mirroring and integrates alongside Active Directory without affecting an existing network topology.
“With this acquisition, we will cease selling our Directory Services Application Firewall (DAF) product,” Aorato said in a post to its website Thursday. “As part of Microsoft, we will share more on the future direction and packaging of these capabilities at a later time.”
“Companies need new, intelligent solutions to help them adapt and defend themselves inside the network, not just at its edge,” Numoto continued.
“Aorato’s sophisticated technology uses machine learning to detect suspicious activity on a company’s network. It understands what normal behavior is and then identifies anomalies, so a company can quickly see suspicious behavior and take appropriate measures to help protect itself. Key to Aorato’s approach is the Organizational Security Graph, a living, continuously-updated view of all of the people and machines accessing an organization’s Windows Server Active Directory (AD).”
Tomi Engdahl says:
Social media has become dangerous?
Man allegedly burns down woman’s house for rejecting his Facebook friend request
http://www.dailydot.com/crime/facebook-friend-request-arson/?fb=dd
Getting used to the word “no” is an important part of being an adult
Tomi Engdahl says:
List of cyber attacks and data breaches in 2014
http://www.itgovernance.co.uk/blog/list-of-the-hacks-and-breaches-in-2014/?utm_source=social&utm_medium=reddit
look back on some of the more prominent hacks and data breaches of 2014
Tomi Engdahl says:
Neglected Server Provided Entry for JPMorgan Hackers
http://dealbook.nytimes.com/2014/12/22/entry-point-of-jpmorgan-data-breach-is-identified/?ref=technology&_r=2
The computer breach at JPMorgan Chase this summer — the largest intrusion of an American bank to date — might have been thwarted if the bank had installed a simple security fix to an overlooked server in its vast network, said people who have been briefed on internal and outside investigations into the attack.
Tomi Engdahl says:
Steven Sinofsky / Learning by Shipping:
Sony breach highlights need to move away from insecure legacy OS architecture to mobile apps and cloud services — Why Sony’s Breach Matters — This past year has seen more wide-spread, massive-scale, and damaging computer system breaches than any time in history.
Why Sony’s Breach Matters
http://blog.learningbyshipping.com/2014/12/21/why-sonys-breach-matters/
This past year has seen more wide-spread, massive-scale, and damaging computer system breaches than any time in history. The Sony breach is just the latest—not the first or most creative or even the most destructive computer system breach. It matters because it is a defining moment and turning point to significant and disruptive changes to enterprise and business computing.
The dramatic nature of today’s breaches impacts the enterprise computing infrastructure at both the endpoint and server infrastructure points. This is a good news and bad news situation.
The bad news is that we have likely reached the limits as to how much the existing infrastructure can be protected. One should not dismiss the Sony breach because of their simplistic security architecture (a file Personal passwords.xls with passwords in it is entertaining but not the real issue). The bad news continues with the reality of the FBI assertion of the role of a nation state in the attack or at the very least a level of sophistication that exceeded that of a multi-national corporation.
The good news is that several billion people are already actively using cloud services and mobile devices. With these new approaches to computing, we have new mechanisms for security and the next generation of enterprise computing. Unlike previous transitions, we already have the next generation handy and a cleaner start available. It is important to consider that no one was “training” on using a smartphone—no courses, no videos, no tutorials. People are just using phones and tablets to do work. That’s a strong foundation.
All of us today are familiar with the patchwork of a security architecture that we experience on a daily basis. From multiple passwords, firewalls, VPN, anti-virus software, admin permissions, inability to install software, and more we experience the speed-bumps put in place to thwart future attacks through some vector. To put things in context, it seemed worthwhile to talk about a couple of these speed-bumps. With this context we can then see why we’ve reached a defining moment.
You have to keep in mind that back then most PCs weren’t connected to each other by networking, even in the workplace. The way you got a virus was by someone giving you a program via floppy (or downloading via 300b from a BBS) that was infected.
With the advent of Windows and email, businesses had a good run of both improved productivity and a world pretty much free of viruses. With Windows more and more businesses had begun to deploy Microsoft Word as well as to connect employees with email. Emailing documents around came to replace floppy disks.
My personal view is that there is no longer an ability to add more speed-bumps and even if there was it would not address the changing environment. The road is covered with bumps and cones, but it is still there. The modern enterprise PC and Server infrastructures have been infiltrated with tools, processes, and settings to reduce the risk in today’s environment. Unfortunately in the process they have become so complex and hard to manage that few can really know these systems. Those using these systems are rapidly moving to phones and tablets just to avoid the complexity, unpredictability, and performance challenges faced in even basic work.
One could make a list a mile long of the specific issues faced with computing today. One could debate whether System A is more or less susceptible than System B. The reality is whether you’re talking Windows, OS X, Linux on desktop or client, they are for all practical purposes equivalent: an Intel-based OS architected in the 1980’s and with capabilities packaged at the user level for that era.
Surface area of knobs and dials for end-users or IT. For 20 years, software was defined by how it could be broadly tweaked, deeply customized, or personalized at every level.
Risk of execution engines. The history of computing is one of placing execution engines inside every program. Macro languages, runtimes, and more—execution engine on top of programs/execution engines. Macros or custom “code” defines the generation. Apps all had the ability to call custom code and to tap directly into native OS services. Having some sort of execution engine and ability to communicate across running programs was not just a feature but a business and competitive necessity.
Vector of social. Technology can only go so far. As with everything, there’s always a solid role for humans to make mistakes or to be tricked into making mistakes. Who wouldn’t open a document that says “Don’t open”? With a hundred passwords, who wouldn’t write them down somewhere? Who wouldn’t open an email from a close college friend? Who wants the inconvenience of using SMS to sign on to a service? Why wouldn’t you use the USB memory stick given to you at a Global Summit of world leaders or connect to the WiFi at an international business class hotel? There are many things where taking humans out of the equation is going to make the world safer and better (cars, planes, manufacturing) to free up resources for other endeavors. Using computing to communicate, collaborate, and create, however, is not on a path to be human-free.
It is a good idea to go through and put in more speed bumps and triple check that your IT house is in order. It is unfortunate that most IT professionals will be doing so this holiday season. That is the job and work that needs to be done. This is a short term salve.
When the dust settles we need a new approach. We need the equivalent of breaking a bunch of existing solutions in order to get to a better place.
All is not lost however. We are on the verge of a new generation of computing that was designed from the ground up to be more secure, more robust, more manageable, more usable, and simply better. To be clear, this is absolutely positively not a new state of zero risk. We are simply moving the barriers to a new road. This new road will level the playing field and begin a new war with bad actors. That’s just how this goes. We can’t rid the world of bad actors but we can disrupt them for a while.
New OS and App architectures. Today’s modern operating systems designed for mobile running on ARM decidedly resets some of the most basic attack vectors. We can all bemoan app store (or app store approval) or app sandboxing.
Cloud services designed for API access of data. The cloud is so much more than hosting existing servers and server products. In fact, hosting an existing server app or OS is essentially a speed-bump and not a significant win for security. Moving existing servers to be VMs in a public or “private” cloud adds a complexity for you and a minimal bump for bad actors.
Modern cloud-native products designed from the ground up have a whole different view of extensibility and customization from the start. Rather than hooks and execution engines, the focus is on data and API customization. The surface area is much less from the very start.
Cloud native companies and products. When engineers moved to writing Windows programs from DOS programs whole brain patterns needed to be rewired. This same thing is true when you move from client and server apps to mobile and cloud services. You simply do everything in a different way. This different way happens to be designed from the start with a whole different approach to security and isolation.
New authentication and infrastructure models. Imagine a world of ubiquitous two factor authentication and password changing verified by SMS to a device with location awareness and potentially biometrics and even simple PINs. That’s the default today, not some mechanism requiring a dongle, VPN, and a 10 minute logon script. Imagine a world where firewalls are crafted based on software that knows the reachability of apps and nodes and not on 10’s of thousands of rules managed by hand and essentially untouchable even during a breach.
Every major change in business computing that came about because of a major breach or disruption of services caused a difficult or even painful transition to a new normal. At each step business processes and workflow were broken. People complained. IT was squeezed. But after the disruption the work began to develop new approaches.
Tomi Engdahl says:
Exploits Circulating for Remote Code Execution Flaws in NTP Protocol
http://threatpost.com/exploits-circulating-for-remote-code-execution-flaws-in-ntp-protocol/110001
Researchers at Google have uncovered several serious vulnerabilities in the Network Time Protocol and experts warn that there are exploits publicly available for some of the bugs.
The vulnerabilities are present in all versions of NTP prior to 4.2.8 and include several buffer overflows that are remotely exploitable
Attackers have taken advantage of a weakness in NTP to amplify DDoS attacks.
“The reason has to do with the amplification factor,” said Arbor Networks solutions architect Gary Sockrider in April. “With NTP reflection attacks, you get 1000 times the amplification; 1000 times the size of the query is reflected back. There’s more cause for alarm with NTP attacks because attackers get a better response rate.”
The flaws disclosed today in NTP are more worrisome. They put servers running older versions of the protocol at risk of remote code execution.
The advisory from NTP.org says that a single packet is enough to exploit any of the buffer overflow vulnerabilities.
Tomi Engdahl says:
Xbox and PlayStation online services crash
http://www.bbc.com/news/uk-30602609
Xbox and PlayStation online services have been suffering technical problems, amid claims a hacking group has disabled their services.
Microsoft and Sony – the companies which make the games consoles – have told customers they are aware of issues affecting their online services.
A hacking group called Lizard Squad is claiming to have caused the problems.
“He says it’s been his worst Christmas ever.”
“I think Xbox should compensate us all.”
Hacked? Xbox and Playstation Networks Both Go Down for Christmas
http://www.nbcnews.com/tech/tech-news/hacked-xbox-playstation-networks-both-go-down-christmas-n274821
Thousands of people reported Christmas Day problems on the Xbox Live and Playstation gaming networks, as a band of hackers took gleeful credit. The networks, which allow users of the popular consoles to play the video games with a wider online community, first crashed on Wednesday evening and the problems persisted into Christmas Day, enraging many users — but especially those powering-up new machines from Santa Claus.
A hacker group called “Lizard Squad” claimed responsibility, saying on Twitter that it toppled both networks with so-called distributed denial of service attacks. The tactic involves overwhelming Sony and Microsoft’s servers with unexpected — and bogus — user traffic. “Jingle bells jingle bells xbox got ran,” the group wrote on Twitter Thursday, adding a similar line about Sony. “oh my fun it is to troll of you morons … hey!”
Tomi Engdahl says:
PlayStation and Xbox hacked by Lizard Squad
http://www.independent.co.uk/news/world/americas/playstation-and-xbox-hacked-by-lizard-squad-9945230.html
Christmas was far from perfect for thousands of people who woke up with new Xbox Live and PlayStation games, only to discover the networks had been hacked.
Reports said untold thousands of people were prevented from accessing the networks after a hack by a group, or individual, which called itself the Lizard Squad.
On Thursday afternoon, the makers of both games acknowledged on social media that they were facing problems.
PlayStation is owned by Sony, the same company that released The Interview on Thursday.
Xbox is owned by Microsoft, one of the companies which agreed to stream the film
Tomi Engdahl says:
Hackers allegedly behind Xbox and PlayStation network shutdown set sights on Tor
http://www.theverge.com/2014/12/26/7451293/lizard-squad-hackers-set-sights-on-tor-network
The group that allegedly took down Microsoft and Sony’s gaming networks now says it’s set its sights on a new target. Lizard Squad, which took credit for denial of service attacks that kept Xbox Live and PlayStation Network offline over Christmas, tweeted earlier today that it was going after the Tor encryption service.
Earlier today, Tor’s service was flooded with new relays — the routers that users’ data is passed between in order to make it untraceable — with the name LizardNSA. “Hi, do you guys still give away shirts for relay owners? We need about 3000,” Lizard Squad bragged on Twitter.
Kobeissi, who developed the chat client Cryptocat, pointed to metrics that showed “LizardNSA” relays made up a significant part of the network. “Currently there’s actually almost 10,000 relays, about 3,000 to 6,000 of those seem to be Lizard Squad’s,” he said over email. Theoretically, a group that controls enough of these nodes could track the traffic over them, compromising users’ anonymity. The tactic of creating malicious relays isn’t a new one; earlier this year, Tor reported that an unknown attacker had potentially captured some user data by setting up about 100 of them.
Tomi Engdahl says:
Abby Ohlheiser / Washington Post:
Xbox Live is back, but PlayStation Network is still down after Christmas outage for which Lizard Squad claimed responsibility —
http://www.washingtonpost.com/news/national/wp/2014/12/26/playstation-and-xboxs-networks-are-still-recovering-from-a-christmas-day-outage/
Tomi Engdahl says:
David Lerman / Bloomberg:
NSA reports show agency may have violated laws by unauthorized surveillance of Americans for over a decade
U.S. Spy Agency Reports Improper Surveillance of Americans
http://www.bloomberg.com/news/2014-12-24/spy-agency-to-release-reports-documenting-surveillance-errors.html
In Holiday Document Dump, NSA Declassifies Compliance Errors
http://techcrunch.com/2014/12/25/in-holiday-document-dump-nsa-declassifies-compliance-errors/
Tomi Engdahl says:
HIPAA – the US standard for electronic health care documentation – spends a lot of verbiage and bureaucratese on the security of electronic records, making a clear distinction between the use of records by health care worker and the disclosure of records by health care workers. Likewise, the Federal Information Security Management Act of 2002 makes the same distinction; records that should never be disclosed or transmitted should be used on systems that are disconnected from networks.
This distinction between use and disclosure or transmission is of course a farce; if you can display something on a screen, it can be transmitted. [Ian Latter] just gave a talk at Kiwicon that provides the tools to do just that.
[Ian] has designed a protocol and application that allows people to download files through a screen. By using TGXf, anyone can load a file stored locally on a computer, have the binary data displayed through QR codes, and record that data with a smartphone or tiny video camera. This video is then analyzed, the data is recovered, and the file is transmitted, defeating all security measures a sysadmin has in mind.
If this sounds like something torn from the pages of a yet-to-be-written [Cory Doctorow] YA novel, you’re probably not far off: nearly all official recommendations for security and privacy controls, including publications published by NIST, place a distinction between use of a file, and distribution or disclosure of a file. There is a marked difference between displaying information on a screen and sending it over a network. By transmitting binary data through a display, [Ian] has kicked that door down, turning every monitor and every employee into a security risk.
ThruGlassXfer (TGXf)
Anywhere that data can be visually rendered, technical risk will exist.
TGXf encodes binary data into packets that can be displayed on the screen of one computer and then captured (via camera) on another, where they are decoded and the data is stored on disk. By doing this, TGXf turns any display surface into an egress (outbound) binary data transfer interface.
ThruKeyboardXfer (TKXf)
Anywhere that data can be entered, technical risk will exist.
As a part of the development process for TKXf, a TKXf-like transfer was created by encoding a binary payload and storing it on a programmable keyboard (the Arduino platform with USB HID keyboard capability) which sends this payload as a script (currently BASH or PERL) that is typed into the target system. When run, this script exports the original binary payload.
Sources:
http://hackaday.com/2014/12/14/downloading-data-through-the-display/
http://thruglassxfer.com/
Tomi Engdahl says:
And 2014′s Worst Currency Was…Bitcoin
http://www.bloombergview.com/articles/2014-12-23/and-2014s-worst-currency-wasbitcoin
Bitcoin claims to provide Web buccaneers with a secure store of value free from the risk of government confiscation or interventionist devaluation, making it the currency of choice for old-fashioned money-launderers and modern-day snake-oil salesmen.
At a current value of about $326, Bitcoin isn’t dead, yet it may be mortally wounded.
Tomi Engdahl says:
PSN is still down for some as Sony gets service back online
http://venturebeat.com/2014/12/28/psn-is-still-down-for-some-as-sony-gets-service-back-online/
Sony says that its online service is back up and running, but many people are still having issues playing games.
Last night, PlayStation Network started booting back up for many people after an outage that lasted for several days kept gamers offline. PSN, which enables you to play with friends online, is now working for PlayStation 4, PlayStation 3, and PlayStation Vita. But Sony admits that some people may still run into problems as the PSN servers return to full operational status. PSN went down on Christmas Day as the result of an alleged cyberattack.
Tomi Engdahl says:
Iran expands ‘smart’ Internet censorship
http://www.reuters.com/article/2014/12/26/us-iran-internet-censorship-idUSKBN0K40SE20141226
Iran is to expand what it calls “smart filtering” of the Internet, a policy of censoring undesirable content on websites without banning them completely, as it used to, the government said on Friday.
The Islamic Republic has some of the strictest controls on Internet access in the world, but its blocks on U.S.-based social media such as Facebook, Twitter and YouTube are routinely bypassed by tech-savvy Iranians using virtual private networks (VPNs).
Tomi Engdahl says:
Ask Hackaday: Stopping The Stingray
http://hackaday.com/2014/12/23/ask-hackaday-stopping-the-stingray/
Most probably had no idea that the police truck was equipped with Stingray technology. It forces your cell phone to connect to it as opposed to the nearest cell tower, allowing authorities to listen in on your conversations and track individual phones by moving and measuring the difference in signal strength. The hacking group Anonymous released some audio of a conversation between two officers and a command center
So here’s the question: Can it be fooled? Can you spoof the spoofer? Can you tell the difference between a signal from a Stingray versus a cell tower?
Tomi Engdahl says:
German steel mill suffered massive damage when the hackers were able to tamper with the production network of the blast furnace at the controls.
The matter was reported in the recently published German security agency BSI’s report
The attack was carried out by means of targeted phishing. It will be sent for the e-mail that appears to come from inside the company. When the production system was achieved by means of an access, the individual components or entire systems continuously stopped crashing.
This in turn was followed by the fact that one of the mill blast furnaces not been extinguished in a controlled manner, which caused “massive damage” to the factory.
Source: http://www.tivi.fi/kaikki_uutiset/kyberhyokkays+aiheutti+terastehtaalle+massiiviset+tuhot/a1038606
German security agency BSI’s report
https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2014.pdf?__blob=publicationFile
Tomi Engdahl says:
Spiegel Online:
Snowden documents reveal the NSA routinely intercepted SSL/TLS traffic, decrypted VPN connections, struggled with PGP, Truecrypt, Tor, CSpace, OTR, ZRTP in 2012 — Inside the NSA’s War on Internet Security — US and British intelligence agencies undertake every effort imaginable to crack …
Prying Eyes: Inside the NSA’s War on Internet Security
http://www.spiegel.de/international/germany/inside-the-nsa-s-war-on-internet-security-a-1010361.html
US and British intelligence agencies undertake every effort imaginable to crack all types of encrypted Internet communication. The cloud, it seems, is full of holes. The good news: New Snowden documents show that some forms of encryption still cause problems for the NSA.
One example is the encryption featured in Skype, a program used by some 300 million users to conduct Internet video chat that is touted as secure. It isn’t really. “Sustained Skype collection began in Feb 2011,” reads a National Security Agency (NSA) training document from the archive of whistleblower Edward Snowden. Less than half a year later, in the fall, the code crackers declared their mission accomplished. Since then, data from Skype has been accessible to the NSA’s snoops. Software giant Microsoft, which acquired Skype in 2011, said in a statement: “We will not provide governments with direct or unfettered access to customer data or encryption keys.” The NSA had been monitoring Skype even before that, but since February 2011, the service has been under order from the secret US Foreign Intelligence Surveillance Court (FISC), to not only supply information to the NSA but also to make itself accessible as a source of data for the agency.
The “sustained Skype collection” is a further step taken by the authority in the arms race between intelligence agencies seeking to deny users of their privacy and those wanting to ensure they are protected.
For the NSA, encrypted communication — or what all other Internet users would call secure communication — is “a threat”.
The Snowden documents reveal the encryption programs the NSA has succeeded in cracking, but, importantly, also the ones that are still likely to be secure. Although the documents are around two years old, experts consider it unlikely the agency’s digital spies have made much progress in cracking these technologies. “Properly implemented strong crypto systems are one of the few things that you can rely on,” Snowden said in June 2013, after fleeing to Hong Kong.
The digitization of society in the past several decades has been accompanied by the broad deployment of cryptography, which is no longer the exclusive realm of secret agents.
“for the past decade, NSA has led an aggressive, multipronged effort to break widely used Internet encryption technologies,” and “vast amounts of encrypted Internet data which have up till now been discarded are now exploitable.” Decryption, it turns out, works retroactively – once a system is broken, the agencies can look back in time in their databases and read stuff they could not read before.
Monitoring a document’s path through the Internet is classified as “trivial.” Recording Facebook chats is considered a “minor” task, while the level of difficulty involved in decrypting emails sent through Moscow-based Internet service provider “mail.ru” is considered “moderate.” Still, all three of those classifications don’t appear to pose any significant problems for the NSA.
Things first become troublesome at the fourth level. The presentation states that the NSA encounters “major” problems in its attempts to decrypt messages sent through heavily encrypted email service providers like Zoho or in monitoring users of the Tor network*, which was developed for surfing the web anonymously.
The NSA also has “major” problems with Truecrypt, a program for encrypting files on computers. Truecrypt’s developers stopped their work on the program last May, prompting speculation about pressures from government agencies. A protocol called Off-the-Record (OTR) for encrypting instant messaging in an end-to-end encryption process also seems to cause the NSA major problems. Both are programs whose source code can be viewed, modified, shared and used by anyone. Experts agree it is far more difficult for intelligence agencies to manipulate open source software programs than many of the closed systems developed by companies like Apple and Microsoft. Since anyone can view free and open source software, it becomes difficult to insert secret back doors without it being noticed.
Things become “catastrophic” for the NSA at level five – when, for example, a subject uses a combination of Tor, another anonymization service, the instant messaging system CSpace and a system for Internet telephony (voice over IP) called ZRTP. This type of combination results in a “near-total loss/lack of insight to target communications, presence,” the NSA document states.
ZRTP, which is used to securely encrypt conversations and text chats on mobile phones, is used in free and open source programs like RedPhone and Signal. “It’s satisfying to know that the NSA considers encrypted communication from our apps to be truly opaque,” says RedPhone developer Moxie Marlinspike.
One document shows that the Five Eyes intelligence services sometimes use PGP themselves. The fact is that hackers obsessed with privacy and the US authorities have a lot more in common than one might initially believe. The Tor Project*, was originally developed with the support of the US Naval Research Laboratory.
One example is virtual private networks (VPN), which are often used by companies and institutions operating from multiple offices and locations. A VPN theoretically creates a secure tunnel between two points on the Internet.
When it comes to the level of privacy offered here, virtual is the right word, too. This is because the NSA operates a large-scale VPN exploitation project to crack large numbers of connections, allowing it to intercept the data exchanged inside the VPN — including, for example, the Greek government’s use of VPNs.
Tomi Engdahl says:
Intro to the VPN Exploitation Process mentioning the protocols attacked – PPTP, IPSEC, SSL, SSH)
http://www.spiegel.de/media/media-35515.pdf
Tomi Engdahl says:
Dan Massoglia / The Atlantic Online:
Few US laws protect against the abuse of remote access tools used to spy on laptop users
The Webcam Hacking Epidemic
It’d be easy for policy makers to correct gaps in protections against remote access tools used to spy on individuals. So why haven’t they?
http://www.theatlantic.com/technology/archive/2014/12/the-webcam-hacking-epidemic/383998/?single_page=true
The problem, for the public, is that we know next to nothing about what is “lawfully authorized” law enforcement hacking.
It’s hard to know how many RATs are out there because of their covert nature.
Online, at places like HackForums.net, individuals, often men, trade and sell access to strangers’ computers, often women, gained via RAT. The jargon that ratters use underscores the power dynamic—ratted computers are called “slaves.”
The National Security Agency, too, is involved. The agency has budgeted tens of millions of dollars for an aggressive effort to scale its hacking operations and “own the net,” a proposition that, as The Intercept reported, envisions indiscriminately infecting millions with malware that has the capability for remote video surveillance by webcam. The Department of Justice, for its part, expended considerable effort in 2014 making vague arguments in support of expansions in Federal Bureau of Investigation ability to use malware, like RATs, for domestic law enforcement.
Despite repeated violations of privacy via webcam hacking, legal protections against RATs in the United States leave many behind. Theoretically available state-level protections vary widely from place to place, and federal law, as a privacy backstop, is inadequate.
There are counter-intuitive interpretations of aging electronic privacy statute passed before webcams were invented and a federal hacking law that offers a private individual the right to sue but imposes requirements on this right that exclude most victims of ratters. In the case of the government’s use of RATs against the public, the process is comically and characteristically opaque.
On a constitutional and procedural level, we should require that law enforcement hacking include automatic transparency, ban government webcam hacking, and be exacting in applying the Fourth Amendment’s warrant requirements. Together, with political will and popular support behind them, change in these areas would empower the public to better respond to ratters—whether individuals or government agents—and improve the privacy of millions.
It would be impossible to ensure that even arguably appropriate uses of surveillance malware would not equal inappropriate and unlawful access.
Tomi Engdahl says:
The Slow Death of ‘Do Not Track’
http://www.nytimes.com/2014/12/27/opinion/the-slow-death-of-do-not-track.html
FOUR years ago, the Federal Trade Commission announced, with fanfare, a plan to let American consumers decide whether to let companies track their online browsing and buying habits. The plan would let users opt out of the collection of data about their habits through a setting in their web browsers, without having to decide on a site-by-site basis.
The idea, known as “Do Not Track,” and modeled on the popular “Do Not Call” rule that protects consumers from unwanted telemarketing calls, is simple. But the details are anything but.
Although many digital advertising companies agreed to the idea in principle, the debate over the definition, scope and application of “Do Not Track” has been raging for several years.
Now, finally, an industry working group is expected to propose detailed rules governing how the privacy switch should work.
If regulators go along, the rules would allow the largest Internet giants to continue scooping up data about users on their own sites and on other sites that include their plug-ins, such as Facebook’s “Like” button or an embedded YouTube video. This giant loophole would make “Do Not Track” meaningless.
How did we get into this mess?
For starters, the Federal Trade Commission doesn’t seem to fully understand the nature of the Internet.
The regulatory process is the wrong way to address this fundamental tension. If the government wants to shift the Internet economy away from a “barter” system (exchanging personal data for free services) toward a subscription-based system, Congress should take charge.
Even worse, the Federal Trade Commission has abandoned responsibility, all but throwing up its hands. Instead of leading the effort to write good rules, based on the broadest public participation, the commission has basically surrendered control of the process to the industry panel, the “tracking protection working group” of the World Wide Web Consortium, or W3C.
Continue reading the main story Continue reading the main story
Continue reading the main story
The outcome could be worse than doing nothing at all.
The Federal Trade Commission shouldn’t help pick winners and losers through a murky process that has devolved into an effort to protect the positions of Internet giants.
Tomi Engdahl says:
Mark Gilbert / Bloomberg View:
Bitcoin was the worst-performing currency of 2014, dropping more than 56% to under $330
http://www.bloombergview.com/articles/2014-12-23/and-2014s-worst-currency-wasbitcoin
Tomi Engdahl says:
Updated: Twitter recovered from login woes
http://www.geekwire.com/2014/problem-logging-twitter-youre-not-alone/
There have been widespread reports of the Twitter app for Android failing to work, along with third-party clients
Update: Twitter’s service is back to normal following a five hour period this evening when users were unable to log in. Our full story follows below.
Tomi Engdahl says:
U.S. Social-Media Giants Are Resisting Russia Censors
Facebook, Twitter, Google Wrestle With Kremlin Orders to Erase Content
http://www.wsj.com/articles/u-s-tech-firms-face-showdown-with-russian-censors-1419620113
Facebook Inc., Twitter Inc. and Google Inc. have started resisting Russian government orders to remove information about a rally next month in support of opposition leader Alexei Navalny, raising the prospect of a showdown over the Kremlin’s efforts to control online information.
In response to a request from Russian prosecutors, Roskomnadzor, the country’s communications regulator, began issuing block orders for Russia just hours after the Moscow rally was publicized on social media late last week, officials said.
Tomi Engdahl says:
Michelle Moghtader / Reuters:
Iran to expand Internet “smart filtering” to censor content without banning entire websites
Iran expands ‘smart’ Internet censorship
http://www.reuters.com/article/2014/12/26/us-iran-internet-censorship-idUSKBN0K40SE20141226
Iran is to expand what it calls “smart filtering” of the Internet, a policy of censoring undesirable content on websites without banning them completely, as it used to, the government said on Friday.
The policy appears to follow President Hassan Rouhani’s push to loosen some social restrictions, but it was not clear if it would mean more or less Internet freedom. Iranians on Twitter expressed concern that, as part of the new policy, the government would try to block VPN access to such sites.
“Implementing the smart filtering plan, we are trying to block the criminal and unethical contents of the Internet sites, while the public will be able to use the general contents of those sites,” Vaezi told a news conference.
The policy would be fully in place by June 2015, he said.
Tomi Engdahl says:
Sony fingers DDoS attackers for ruining PlayStation’s Xmas
Malefactors turned festivities into a turkey for online gamers
http://www.theregister.co.uk/2014/12/28/sony_blames_playstation_outage_on_ddos_attack/
Sony has blamed distributed-denial-of-service (DDoS) attackers for causing PlayStation’s network to go titsup on Christmas Day.
The Japanese company struggled for nearly three days to restore services, following an assault on its PSN login system.
Microsoft’s Xbox Live also suffered a DDoS attack on 25 December. But that service recovered not long after rotund file-sharing baron Kim Dotcom apparently convinced the wrongdoers to stop disrupting the services.
Tomi Engdahl says:
Inside the EYE of the TORnado: From Navy spooks to Silk Road
It’s hard enough to peel the onion, are you hard enough to eat the core?
http://www.theregister.co.uk/2014/10/29/history_of_tor/
Tomi Engdahl says:
NSA’s Christmas Eve confession: We unlawfully spied on you for 12 years, soz
NSA’s Christmas Eve confession: We unlawfully spied on you for 12 years, soz
Agency cynically dumps blunder dossier at 1:30pm on Dec 24
http://www.theregister.co.uk/2014/12/26/nsa_doc_dump_shows_staff_routinely_spying_where_they_shouldnt_for_12_years/
Slipping out unpleasant news at awkward times is a well-known PR practice – but the NSA has excelled itself by publishing on Christmas Eve internal reports detailing its unlawful surveillance.
The agency dumped the docs online shortly after lunchtime on December 24, when most journalists are either heading home to their families or already drunk.
The files have been heavily censored, but still manage to show that, either by accident or design, NSA staff routinely engaged in illegal surveillance with almost no comeback from management.
Tomi Engdahl says:
European data law: UK.gov TRASHES ‘unambiguous consent’ plans
Don’t be such a silly-billy, Brussels
http://www.theregister.co.uk/2014/12/29/uk_trashes_consent_plans_in_eu_data_protection_reforms/
The UK government has raised objections to current EU proposals that would require businesses seeking to rely on “consent” as the lawful basis for processing personal data to ensure that that consent has been unambiguously given “for one or more specific purposes”.
It said those proposals are “unjustified” and called on EU law makers to instead turn to the definition of consent under existing EU data protection rules instead for setting the legal standard businesses would need to achieve for consent under the draft new General Data Protection Regulation.
Under the 1995 Data Protection Directive, set to be replaced by the Regulation, individuals’ consent is defined as “any freely given specific and informed indication of … wishes by which the data subject signifies his agreement to personal data relating to him being processed”.
However, organisations wishing to rely on individuals’ consent to process their data are obliged to ensure that “the data subject has unambiguously given his consent”.
However, even the proposals for consent to personal data processing to be unambiguous represent a climb-down from earlier plans EU ministers were considering. Under the previous proposals, businesses relying on consent would have been required to ensure that the consent was “explicit”.
Under those plans, explicit consent would in general be needed where businesses wished to process special categories of personal data, such as health data or information on individuals’ ethnic origin or political beliefs. There would, though, be limited circumstances in which this kind of data could be processed without consent altogether, according to the Council document.
Officials from the 28 EU countries that make up the Council have reached provisional agreement on some areas of the proposed Regulation, but a major sticking point remains on how data protection should be regulated across national borders in the EU under the new regime.
Tomi Engdahl says:
This is known about North Korea cyber army
North Korea cyber operations are lead by an intelligence officer RGB (under North Korea’s National Defense Committee control).
RGB has worked for many years the traditional espionage and secret operations involved. It has formed two cyber divisions: Unit 121 and Agency 91.
The Office 91 is reportedly the North Korean hacker headquarters operations, although most of the attacks happen unit 121, which acts as outside North Korea. Unit 121 has offices abroad, especially near the North Korean border, in Chinese cities.
Also Korean Workers’ Party, there are numerous cyber units: Unit 35 is responsible for cyber agent education and care for the internal cyber research and operations.
North Korea’s educational system emphasizes the importance of mathematics. Brightest students have access to computers, which they can practice their programming. The most talented can go to educational institutions, which have separate computer departments (Kim Il-sung University, Kim Chaekin University of Technology and the University Mirim). Students practice of general programming techniques and choose the specialization. After graduation, they may go abroad, where they can participate in hacker forums and develop malware. It is estimated that in North Korea in recent years has trained 2000-600 students, that form the cyber army.
North Korea attacking uses computers around the world. Their owners often do not have any idea that there is malicious software that is used to sabotage. Attacks are thought to begin foreign outpost, located in Russia, China and India. When an intrusion occurs, the author traces is often very difficult to reach. North Korea has in recent years been accused of several attacks.
Source: http://www.tivi.fi/kaikki_uutiset/tama+tiedetaan+pohjoiskorean+kybersotajoukoista/a1038616
Tomi Engdahl says:
Manage security in real time
SIEMs like a good idea
http://whitepapers.theregister.co.uk/paper/view/3440/
You face more, and more dangerous threats every day – drive-by infections, APTs, executive targeted phishing to name three. At the same time, the potential attack surface of IT systems are growing rapidly: your VMs, your cloud, your users’ mobile devices are all at risk. You have probably spent a large part of 2014 developing external-facing web applications. How do you secure them all?
Reg readers tell us they have multiple tools handling security, making it impossible to get an idea of security in real time. Operating best-effort security isn’t enough, but Security Information and event Management (SIEM), touted as the answer to this, has so far been complicated to set up and hard to interpret.
Is SIEM the future of enterprise security and, if so, what will that future look like?
Tomi Engdahl says:
Towards the Perfect Coin Flip: The NIST Randomness Beacon
http://hackaday.com/2014/12/19/nist-randomness-beacon/
Since early evening on September 5th, 2013 the US National Institute of Standards and Technology (NIST) has been publishing a 512-bit, full-entropy random number every minute of every day. What’s more, each number is cryptographically signed so that you can easily verify that it was generated by the NIST. A date stamp is included in the process, so that you can tell when the random values were created. And finally, all of the values are linked to the previous value in a chain so that you can detect if any of the past numbers in the series have been altered after the next number is published. This is quite an extensive list of features for a list of random values
But first, before those of you who’ve got crypto on the brain start thinking crazy thoughts, note that the NIST has a banner stating the obvious in all caps: “WARNING: DO NOT USE BEACON GENERATED VALUES AS SECRET CRYPTOGRAPHIC KEYS.” Why not? Cryptographically speaking, they’re phenomenal random numbers; they’re just not secret at all! In contrast, they’re publicly available to everyone and archived for all time. The aim of the Randomness Beacon is to provide a random number standard, not to generate secrets. This distinction between secrecy and randomness is important in order to realize what the NIST is up to
Because the Beacon’s Output Value is the product of a few hashing steps, it’s also almost impossible that I could influence the value ahead of time even if I had an insider at the NIST.
To pick a restaurant, we agree to look at the NIST’s webpage at 7:00 pm and if the first digit is even, we go Thai. If it’s odd, we go Italian. We both agree that this is fair because the 7:00 pm result isn’t published until 7:00 pm.
More esoterically, one could use the Randomness Beacon to prove that something is newer than a certain date by including a recent Beacon entry. As of this writing, the values for December 31, 2014 are all still up in the air, so I can’t possibly write one of them down yet. But from Jan 1, 2015 and on, it’s trivial to do so. So if I get a bunch of t-shirts made with the midnight value from December 31, it’s absolutely verifiable that I got them made in the new year. In short, you could use the Beacon as a not-older-than dating scheme.
Now let’s say that you don’t trust the NIST. That’s OK, because by design you don’t need to.
If you want to make the outcome even more difficult to manipulate, you could use two values from the Beacon and XOR or hash them together to create the final random value. Because the outputs are chained, changing any value in the past introduces a changed Previous Output value which would have to be propagated forward to the current observation.
It’s virtually impossible to manipulate the Output Value, and even if your adversary could, they’d have to tailor a publicly-announced value to target you specifically.
On the NIST’s webpage, there’s a teaser for a future implementation that will provide guaranteed non-deterministic randomness.
So in short, the NIST Randomness Beacon is designed to be the perfect coin flip. It’s a public source of random values that’s totally unpredictable, but also ex-post verifiable and extremely difficult to manipulate.
Tomi Engdahl says:
Lizard Squad wipes out gaming networks at Christmas time
Won’t somebody think of the children?
http://www.theinquirer.net/inquirer/news/2388185/lizard-squad-wipes-out-gaming-networks-at-christmas-time
NOTORIOUS HACK GROUP THE Lizard Squad has continued its long campaign of gaming related mayhem by standing in front of Christmas consoles and not letting a lot of people play their brand new machines and games.
The Squad, which we have met often, had the main gaming networks in its sights, the XBox and PSN systems, at the start of the brief holiday season, and for a couple of days more.
The Lizard Squad was honest and clear in its intentions and it gave good warning of its holidays plans.
Gamers were left shut out of the Playstation and Xbox Live experience for a good chunk of Christmas day and looked to stay that way until an unlikely hero stepped in with an offer.
Kim Dotcom, a well-known fan of the videogame, approached the group offering it the prize of a number of passes for a secure online environment. This was accepted, and it was expected to be the end of things. However, issues have persisted.
“The video game industry has been experiencing high levels of traffic designed to disrupt connectivity and online gameplay. ”
http://blog.us.playstation.com/2014/12/27/playstation-network-update-3/
Tomi Engdahl says:
Sony PlayStation Network Back Up Now, Supposedly
http://games.slashdot.org/story/14/12/28/1717257/sony-playstation-network-back-up-now-supposedly
Sony’s PlayStation Network, brought down in a Christmas Day hacking attack, now seems to be back online. Of course, Sony also said the same thing on Saturday, but outages and problems lingered.
Sony: PlayStation Network is back online now, really
http://www.itworld.com/article/2863815/sony-playstation-network-is-back-online-now-really.html
“PlayStation Network and some other gaming services were attacked over the holidays with artificially high levels of traffic designed to disrupt connectivity and online gameplay. This may have prevented your access to the network and its services over the last few days,” wrote Catherine Jensen, Vice President of Consumer Experience at Sony Computer Entertainment America
Jensen also apologized to the many disappointed gamers who received Sony consoles on Christmas. “If you received a PlayStation console over the holidays and have been unable to log onto the network, know that this problem is temporary and is not caused by your game console.”
Microsoft’s Xbox Live also suffered a disruption on Christmas Day, but it was back up and running on Friday, although some individual applications are still down
Tomi Engdahl says:
Ask Slashdot: Dealing With Companies With Poor SSL Practices?
http://ask.slashdot.org/story/14/12/28/1822238/ask-slashdot-dealing-with-companies-with-poor-ssl-practices
Despite recent highly-publicized hacking incidents making the news, companies continue to practice poor cyber-security. I signed-up to buy something from [an online vendor] and upon completing signup through HTTPS, was sent my username and password in plain-text through e-mail. This company has done everything in its power to avoid being contacted for its poor technical practices
Comments:
There really isn’t much you can do about companies like this, except shop elsewhere. Sooner or later, they will have a breach, and the “security researchers” will have your credit card data.
Please don’t hide whom it is that I might accidentally do business with. Nothing is going to change just sending them an email, they may even go after you for doing so. However you may stop others from being suckered when their poor security becomes everyone else’s problem. It’s not their problem, it’s going to be everyone else’s.
Use an online review tool. Like say google. Then put your grievance there. They do not want to know, well just put your sticker up then move on and do not deal with them anymore. It is not your problem to fix.
Yes there are *many* things on the internet that are broken. Yes you will find people who go ‘oppps my bad’ and fix it. You will also find many who *do not care*. They never will. You cant fix stupid.
Your issue is apparently with them sending your password by email. This has nothing to do with SSL. Having a password stored in an inbox is bad for security reasons that have for the most part little to do with secure transport.
So we added a third-party login mechanism (FB, Google+, Yahoo, LinkedIn). This significantly reduced the number of calls about forgotten passwords (or more accurately, those calls were probably shifted to FB/Google/Yahoo/LinkedIn) but created another fuck-up option: people who create their account using their FB login, but then come back the next week and try to login without using the FB login button, trying instead to login with their email address and a password (which is probably their FB email and password anyways). Less people called to complain about forgotten passwords, instead they created even more accounts. There are people in the system with 4-5 logins, including FB, Google+ and 2-3 different email addresses.
So to fix this we added the “get connected” feature. Basically it’s a page after the initial login where people can open a session to all their social networks and provide all their frequent email addresses. This way they can login with any of these. This helped a lot.
But still there was a lot of complaints about password reset links not working
Tomi Engdahl says:
‘Great Firewall’ FINGERED after Gmail block hits China – report
Chinese clients? Better pick another webmail
http://www.theregister.co.uk/2014/12/29/gmail_blocked_in_china/
Large numbers of Google’s Gmail web addresses were blocked in China over the weekend.
The disruption occurred on Friday, according to reports from GreatFire.org, a China-based freedom of speech group.
One Gmail user complained on Twitter yesterday that domestic suppliers could not send emails to Gmail accounts and described the block as “way too harsh,” according to Google Translate.
“I think the government is just trying to further eliminate Google’s presence in China and even weaken its market overseas,” a member of GreatFire.org told Reuters news service.
Tomi Engdahl says:
Sony FINGERS DDoS attackers for ruining PlayStation’s Xmas
Malefactors turned festivities into a turkey for online gamers
http://www.theregister.co.uk/2014/12/28/sony_blames_playstation_outage_on_ddos_attack/
Sony has blamed distributed-denial-of-service (DDoS) attackers for causing PlayStation’s network to go titsup on Christmas Day.
The Japanese firm struggled for nearly three days to restore services, following an assault on its PSN login system.
Microsoft’s Xbox Live also suffered a DDoS attack on 25 December. But that service recovered not long after rotund file-sharing baron Kim Dotcom apparently convinced the wrongdoers to stop disrupting the services.
Tomi Engdahl says:
Titsup Twitter: We’ve swatted the bug that caused the outage
Is it 2015 yet?
http://www.theregister.co.uk/2014/12/29/twitter_outage/
Twitter reported a partial outage yesterday, which it said had been due to a bug in its “front end code”.
The outage is thought to be due to a bug which led Twitter’s servers to believe it was 2015.
Tomi Engdahl says:
Tor de farce: NSA fails to decrypt anonymised network
Turn that frown upside down and do the happy dance
http://www.theregister.co.uk/2014/12/29/nsa_gchq_internet_security_pet_hates/
A new round of NSA documents snatched by master blabbermouth Edward Snowden appeared online late on Sunday, revealing spooks’ internet security pet hates.
The latest dump of PDFs published by Der Spiegel appeared to show what the Five Eyes surveillance buddies – the USA, the UK, Australia, Canada and New Zealand – see as obstacles posed by internet security protocols.
It reveals that spooks at Britain’s eavesdropping nerve centre GCHQ believed that they could unmask Tor
The g-men concluded that “wider testing” was needed to get a better handle on the “false positive rate”. It recommended that Brit spooks should try to deanonymise JTRIG TOR usage as a first step.
Another GCHQ slide summarised (PDF) why the anonymised network was such a nuisance to government snoopers.
“Very naughty people use Tor”, it said, before adding “Hidden Services hide the fact web content even exists!”, “Near impossible to figure out who is talking to who”, and “It’s complicated”.
Elsewhere, the documents revealed plenty of fear and loathing about attempts to decrypt the likes of PGP (still secure), AES (under attack but no definitive proof that it was compromised by spooks) and OTR (secure, but the software implementing it was found to be buggy and exploitable).
Shared secret keys or passwords needed to be obtained before the VPN and SSL protocols could be decrypted.
Tomi Engdahl says:
Prying Eyes: Inside the NSA’s War on Internet Security
http://www.spiegel.de/international/germany/inside-the-nsa-s-war-on-internet-security-a-1010361.html
US and British intelligence agencies undertake every effort imaginable to crack all types of encrypted Internet communication. The cloud, it seems, is full of holes. The good news: New Snowden documents show that some forms of encryption still cause problems for the NSA.
Tomi Engdahl says:
When algorithms ATTACK: Facebook sez soz for tacky ‘Year in Review’ FAIL
It’s been really sh*tty, thanks for being a part of it!
http://www.theregister.co.uk/2014/12/28/facebook_year_in_review_apology/
Facebook has apologised to a bloke who moaned about the free-content ad network’s recent “Year in Review” feature, after the firm’s clumsy algorithms tastelessly inserted painful, personal highlights from 2014.
The latest creepy function offered by the Mark Zuckerberg-run company offered a cheap-looking clip art album for users to share with others on the site.
Netizens who didn’t customise the selection of photos before posting them on Facebook discovered a little too late that they were, in some instances, sharing depressing highlights from the past 12 months.
Tomi Engdahl says:
Brian Krebs / Krebs on Security:
Hacker gang siphons more than $15M from Eastern European banks with targeted phishing, malware
Gang Hacked ATMs from Inside Banks
http://krebsonsecurity.com/2014/12/gang-hacked-atms-from-inside-banks/
An organized gang of hackers from Russia and Ukraine has broken into internal networks at dozens of financial institutions and installed malicious software that allowed the gang to drain bank ATMs of cash. While none of the victim institutions were in the United States or Western Europe, experts say the stealthy methods used by the attackers in these heists would likely work across a broad range of western banks.
Most cybercrime targets consumers and businesses, stealing account information such as passwords and other data that lets thieves cash out hijacked bank accounts, as well as credit and debit cards. But this gang specializes in hacking into banks directly, and then working out ingenious ways to funnel cash directly from the financial institution itself.
A number of the gang’s members are believed to be tied to a group of Eastern European hackers accused of stealing more than USD $2 million from Russian banks using a powerful, custom-made banking trojan known as Carberp.
Once inside a financial institution, the criminals typically abused that access to launch even more convincing spear-phishing attacks against other banks. They also gained access to isolated bank network segments that handled ATM transactions, downloading malicious programs made to work specifically with Wincor ATMs
It was bad enough that this group is believed to have hacked into more than 50 Russian banks, but nasty messages encoded into the malware tools employed by the thieves suggest they hold utter contempt for their targets.
While they appear to have developed a penchant for stealing directly from banks, these crooks aren’t above going after easy money: Sources tell KrebsOnSecurity that this group of hackers is thought to be the same criminal gang responsible for several credit and debit card breaches at major retailers across the United States, including women’s clothier Bebe Stores Inc., western wear store Sheplers, and office supply store Staples Inc.
Tomi Engdahl says:
Who Is Watching You?
Companies and institutions track us almost indiscriminately. Is this the world we want to live in?
By Julia Angwin
https://medium.com/backchannel/who-is-watching-you-7296eeb036c1
Who is watching you? This was once a question asked only by kings, presidents, and public figures trying to dodge the paparazzi and criminals trying to evade the law. The rest of us had few occasions to worry about being tracked.
But today the anxious question — “who’s watching?” — is relevant to everyone regardless of his or her fame or criminal persuasion. Any of us can be watched at almost any time, whether it is by a Google Street View car taking a picture of our house, or an advertiser following us as we browse the Web, or the National Security Agency logging our phone calls.
Dragnets that scoop up information indiscriminately about everyone in their path used to be rare; police had to set up roadblocks, or retailers had to install and monitor video cameras. But technology has enabled a new era of supercharged dragnets that can gather vast amounts of personal data with little human effort.
These dragnets are extending into ever more private corners of the world.
Tomi Engdahl says:
Chaos Computer Club claims it can reproduce fingerprints from people’s public photos
http://venturebeat.com/2014/12/28/chaos-computer-club-claims-it-can-reproduce-fingerprints-from-peoples-public-photos/
Chaos Computer Club, Europe’s largest association of hackers, claims it can reproduce your fingerprints from a couple of photos that show your fingers. At the 31st annual Chaos Computer Club convention in Hamburg, Germany, Jan Krissler, also known by his alias “Starbug,” explained how he copied the thumbprint of German Defense Minister Ursula von der Leyen.
We’ve seen before how fingerprints can be copied from a person who touched any object with a polished surface (like a glass or a smartphone). Krissler meanwhile showed how these biometrical attributes can be snatched without having to first obtain the physical objects.
Instead, he explained how fingerprints can be snatched from persons at public events by simply using a “standard photo camera.” Because these fingerprints can be used for biometric authentication, Starbug believes that after his talk, “politicians will presumably wear gloves when talking in public.”
Krissler said he used commercially available software called VeriFinger to pull off the feat. The main source was a close-up picture of von der Leyen’s thumb, obtained during a news conference in October, along with photographs taken from different angles to get an image of the complete fingerprint.
Tomi Engdahl says:
Denial of Service as a service?
The infamous Lizard Squad motives were revealed? Began to sell denial of service attacks
Players Playstation and Xbox networks of overthrowing angered Lizard Squad Group has set up a web page, which are sold through denial of service attacks.
Lizard Squad wanted publicity: Apparently, this was in addition to this marketing event.
Source: http://www.tivi.fi/kaikki_uutiset/pahamaineisen+liskoryhman+motiivit+paljastuivat+alkoivat+myyda+palvelunestohyokkayksia/a1039362