Security trends for 2015

Year 2014 is coming to an end, so it is time to look forward to what to expect from 2015 in cyber security.

Cyber security will get harder year by year. Year 2014 was much worse than 2013. The Heartbleed, Bash (Shellshock), and POODLE vulnerabilities were just the beginning of what to expect in 2015. I expect that 2014 was easy compared to what 2015 will be. 2015 will prove to be a challenging year for IT security professionals. Attacks can happen anywhere and at any time, and they don’t have to be major attacks by nation states. They could come from inside or outside.

According to Gartner and SecurityWeek, total information security spending will grow a further 8.2 percent in 2015 to reach $76.9 billion. Unfortunately, security investments are not keeping up with IT enhancements that are continuously widening our attack surface and making systems more vulnerable. As computer software has become the backbone of modern civilization, “hacktivists”, organized cyber criminals, state-sponsored cyber attackers, and terrorist organizations try to exploit design flaws and weaknesses in applications in order to embarrass corporations and government agencies, and to commit fraud.

Despite the high profile CryptoLocker takedown, ransomware scams remain an all-too-real threat. Crooks are developing more sophisticated encryption schemes to support their fraud.

The steady flow of software security issues will keep making headlines in 2015. Serious security flaws will be found in both open source and proprietary software.

Many people are looking for a good process to develop secure software, because after-the-fact band-aiding is not a sustainable approach. If the same methods continue to be used to develop software, with tests added retrospectively, there will only be a very modest reduction in the flow of problems. Processes for developing reliable and secure networking software exist, but they have yet to be broadly applied. Traditional software development methods continue to result in high failure rates. Why create insecure security?

Year 2014 was a year of cybersecurity discussion following the NSA revelations made in 2013. There were lots of articles related to the published material. Not everything has yet been published, so I expect further details of the NSA revelations to be published in 2015 as well, along with new information leaks on how governmental security organizations spy on us all.

It seems like year 2014 has almost been “The Year of PoS Breaches.” Can We Learn from Big Breaches? At least companies will also face more stringent regulations: the new Payment Card Industry Data Security Standard 3.0 (PCI 3.0) will be mandatory for all businesses that store, process or transmit payment card information beginning 1 January 2015. The revamped standard includes requirements aimed at third party providers. The changes follow a string of high profile breaches. I expect that those new requirements will not result in any quick change to the situation. As breach reports keep coming constantly, consumers are officially starting to get breach fatigue, and banks are bringing breached companies to court to pay for the damages caused to them.

Public and private organizations are facing an increasing frequency and sophistication of cyber-attacks and security breaches – many of which are only discovered after the fact. McAfee Labs’ 2015 Threats Predictions report is an eye-opening read which forecasts increased levels of crime, espionage and warfare operations. Cybercriminals are expected to use more sophisticated methods to remain hidden on a victim’s network, carrying out long-term theft of data without detection.

The article Get Ready For The Hack Attack That Drives A Big Company Out Of Business predicts that 2015 will be the year that some company goes out of business because it didn’t plan adequately for an attack. In the past, the most sophisticated hacks against companies were carried out by big nation-states or criminal organizations. In 2014 the Sony Pictures hack happened and showed that the motives of sophisticated hackers have changed from self-gain to destruction. Many company officers are only now becoming aware of the threat (boards of directors and C-level officers have traditionally been focused on other threats). A computerized attack can cause a lot of damage to a well prepared company, and can turn a not so well prepared company into a complete disaster it can’t recover from. The Sony attack opens new doors of risk in the area of corporate extortion.

As the Internet of Things becomes more and more used, it will be hacked more and more. Thus the security of the Internet of Things will be talked about more and more. IoT is one field where cyber security flaws can kill. The European Police Office (Europol) said governments are ill-equipped to counter the menace of “injury and possible deaths” spurred by hacking attacks on critical safety equipment. There are many potential dangers in transportation: many new cars are Internet connected and potentially vulnerable, SCADA Systems in Railways are Vulnerable to Attack, and Airline bosses ignore cyber security concerns at their peril. Whether it is an unintentional cyber incident or a deliberate attack, security continues to be a vital part of the automation industry and it will remain, with safety, a growing area of concern for manufacturers in the coming years. Security awareness is on the rise throughout the industry. Security is becoming a business enabler that can provide manufacturers more than just an insurance policy.

Soon almost every network will have IoT hacking in it. IDC predicts that within two years 90 per cent of global IT networks will have met IoT data theft. In a report, cybersecurity firm Fortinet expects greater threats from “denial of service attacks on assembly line, factory, industrial control systems, and healthcare and building management…resulting in revenue losses and reputation damages for organizations globally.” This opens new doors of risk in the areas of corporate extortion, altering of corporate business operations, and the extension of cyberattacks to include physical threats of harm to civilians.

Cyber warfare is becoming more and more attractive to small nations and terrorist groups. Enabled by Internet connectivity, cyber war provides more bang for the buck than investment in conventional weapons. It is cheaper for, and far more accessible to, these small nation-states than conventional weapons. It allows these countries to pull off attacks with less risk of getting caught and with fewer repercussions when they are caught. There are many reasons why a nation-state or non-nation entity would pursue a cyber war program, and today many countries large and small invest in cyber warfare. Recent cyber attacks suggest that fewer resources are required to wage an attack than to defend against one. As the whole world gets connected, it provides exactly the details that make these attacks possible. In the not-too-distant future, warfare with traditional weaponry may take a backseat to potentially more destructive tactics: computer code attacking the companies and infrastructures, including electric grids and oil and gas pipelines, that society relies on.

It was estimated that the first online murder would happen in 2014. As far as I know, it did not happen in 2014. I think it is likely that an online murder can happen in 2015. The tools for it are available. Cyber-murder can happen without us knowing about it.

Mobile devices will be one of the focal points for cyber-attackers in 2015, as they present relatively easy, low-risk points of entry that can be monitored remotely for passwords, account numbers, and personal identification data. There are also still application stores where publishing malicious applications is relatively easy. Within the next year advanced mobile exploit kits will become available.

Mobile devices will start to play a part in denial of service attacks. Vietnam, India and Indonesia will be the distributed denial of service volcanoes of next year due to the proliferation of pwned mobiles.

Year 2014 brought encryption to mainstream smart phones (new encryption features from Apple Inc. and Google Inc.). In 2015 government organizations will try to tackle a very modern problem: password-protected encrypted cellphones. It will be a fight over surveillance as everyone starts to implement encryption.

Long predicted but always seeming to be “just around the corner,” mobile payments may finally have arrived. The underlying technologies of the coming mobile payment revolution – and alternative solutions – have been emerging for some time. Technologies playing a supporting role in this shift include encryption advances, digital currencies, biometrics, NFC, Bluetooth, QR codes, and even the use of sound wave data transfer. There will also be products marketed to prevent the different kinds of potential threats the new technologies can cause.

There is a never-ending battle between good and evil in the cyber world. Various types of attacks are successful because they are well-disguised, blend different techniques, and constantly evolve. You need Layered Security – It’s Not Just for Networks. Use a layered security architecture that supports a combination of defenses in ways attackers don’t expect and that continuously evolves protections to keep up with dynamic attacks. Traditionally these approaches have been focused on the network, but they can and should be applied to other parts of the IT system as well (start from email gateways). Email is the preferred channel for business communications and thus continues to be a vector of choice for attackers.

Threat Information Sharing Will Become Necessary for Survival. Security controls (SANS critical controls, ISO/IEC 27002, NIST Cybersecurity Framework, and the Cloud Controls Matrix) are safeguards that counteract or minimize security risks relating to digital property. The more you can automate a control, the better off you will be. Moving towards an adaptive and automated way of applying intelligence based on behavior and heuristics is clearly a step in the right direction, enabling a more actionable and relevant set of controls. Threat intelligence coming from a variety of sources (security companies, the government and the open source community) is needed. Key to success is publishing intelligence in a variety of data structures (STIX, TAXII and other standard industry formats) to best describe threats in a way that can be aggregated and understood by others.

More and more organizations are moving applications and data to IaaS/PaaS environments. Many enterprise IT departments have reason for concern: industry experts agree that moving sensitive data into the hands of third-party cloud providers expands and complicates the risk landscape in which companies operate every day. You need to understand cloud database security basics and more.

Today major players are embracing end-to-end encryption, so that about 50% of web traffic is carried over HTTPS. HTTPS-everywhere will get a boost in 2015 as a new certificate authority backed by big names on the internet, including Mozilla, Cisco and Akamai, plans to offer SSL certs at no charge starting summer 2015. This move will make it even easier for people to run encrypted, secure HTTPS websites.

Google is proposing to warn people that their data is at risk every time they visit websites that do not use HTTPS. If implemented, the change would mean that a warning would pop up when people visited a site that used only HTTP, to notify them that such a connection “provides no data security”. In the short term, the biggest headache is likely to be faced by website operators, who will feel forced to migrate unencrypted HTTP websites to encrypted HTTPS.

You can’t trust that normal web security technologies will guarantee safety. Your HTTPS security will be manipulated more than before. End-to-end HTTPS is generally a good security addition for end users, but it does not solve all the problems. The increased use of HTTPS has made the life of IT departments harder, because normal firewalls can’t look at what is inside encrypted HTTPS packets, so they can’t block potential security threats that are carried within HTTPS. There are some special corporate firewall arrangements that can intercept HTTPS traffic (they perform a kind of man-in-the-middle attack that decrypts and re-encrypts the packets on the way). So SSL communications can be intercepted and broken.
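An intercepting corporate firewall re-signs the site's certificate with its own internal CA, so the quickest way for a user or admin to tell whether HTTPS is being intercepted is to look at who actually issued the certificate the client received. The Python below is an added example, not code from the original post; the expected CA names and the sample certificate dictionaries (in the shape that `ssl.getpeercert()` returns) are constructed for illustration, and `inspect_host` is only needed when you want to run the same check against a live server.

```python
import hashlib
import socket
import ssl

# Constructed for this example: organization names of the CAs you expect to
# see issuing certificates for the site you are checking. In practice record
# the issuer observed from a network you trust, or pin a fingerprint.
EXPECTED_ISSUER_ORGS = {"Example Public CA"}


def flatten_name(name):
    """Turn the nested tuple form ssl.getpeercert() uses for 'subject' and
    'issuer' (tuple of RDNs, each a tuple of (attribute, value) pairs) into
    a plain dict of attribute -> value."""
    out = {}
    for rdn in name:
        for attr, value in rdn:
            out[attr] = value
    return out


def classify_certificate(cert, expected_orgs=EXPECTED_ISSUER_ORGS):
    """Return (verdict, issuer) for a certificate dict in the shape returned
    by ssl.SSLSocket.getpeercert(). An interception proxy replaces the
    public CA with the company's own CA, which is what we look for."""
    issuer = flatten_name(cert.get("issuer", ()))
    org = issuer.get("organizationName", "")
    cn = issuer.get("commonName", "")
    if org in expected_orgs:
        return "expected-issuer", org
    return "unexpected-issuer", org or cn


def fingerprint_der(der_bytes):
    """SHA-256 fingerprint of the DER-encoded certificate, the same value a
    browser shows in its certificate viewer, usable for pinning."""
    return hashlib.sha256(der_bytes).hexdigest()


def inspect_host(host, port=443, timeout=5.0):
    """Connect using the system trust store and classify the certificate we
    receive. A corporate interception CA installed on this machine validates
    cleanly, which is exactly why a plain handshake is not enough."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            der = tls.getpeercert(binary_form=True)
    verdict, issuer = classify_certificate(cert)
    return verdict, issuer, fingerprint_der(der)


# Constructed sample: a certificate for example.com as re-signed by a
# hypothetical internal TLS inspection CA (what an intercepted client sees).
SAMPLE_INTERCEPTED_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "issuer": (
        (("organizationName", "Example Corp IT"),),
        (("commonName", "Example Corp TLS Inspection CA"),),
    ),
    "subjectAltName": (("DNS", "example.com"),),
}

# Constructed sample: the same site's certificate as issued by a public CA.
SAMPLE_PUBLIC_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "issuer": (
        (("organizationName", "Example Public CA"),),
        (("commonName", "Example Public CA R1"),),
    ),
    "subjectAltName": (("DNS", "example.com"),),
}

if __name__ == "__main__":
    for label, cert in (("intercepted", SAMPLE_INTERCEPTED_CERT),
                        ("public", SAMPLE_PUBLIC_CERT)):
        print(label, classify_certificate(cert))
```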


3,110 Comments

  1. Tomi Engdahl says:

    Mobile device screens recorded using the Certifi-gate vulnerability
    Shouldn’t even be possible on thingies not jailbroke
    http://www.theregister.co.uk/2015/08/25/certifi_gate_vulnerability_exploited/

    Vulnerable plug-ins have been installed on hundreds of thousands of Android devices, allowing screens to be recorded, according to data from the scanning tool which discovered that the so-called Certifi-gate vulnerability is already being exploited in the wild.

    The Certifi-gate vulnerability was disclosed by security researchers at Check Point during the Black Hat conference in Las Vegas earlier this month.

    The Check Point team also released a scanner app that checks Android devices for the vulnerability. Users have the option to share scan results with Check Point.

    The Certifi-gate scanner app has nearly 100,000 downloads on Google Play, and Check Point has received over 30,000 anonymous scan results from users. These anonymous stats have allowed Check Point to assess the level of exposure to the vulnerability across different devices and vendors.

    More than 40 per cent of all the scan samples showed devices were vulnerable to Certifi-gate.

    And 16 per cent of samples showed a vulnerable plug-in was installed on the device, allowing any malicious application to take full control of the device by exploiting the installed plug-in.

    Certifi-gate Found in the Wild on Google Play
    http://blog.checkpoint.com/2015/08/25/certifigate-statistics-exploitation-mitigation/

    Three weeks ago, Check Point publicly disclosed Certifi-gate, a new vulnerability on Android. Using anonymous data collected from the Certifi-gate scanner, an app that tells users if their devices are vulnerable, Check Point uncovered some startling new information:

    An instance of Certifi-gate was found running in the wild in an app on Google Play
    At least 3 devices sending anonymous scan results were actively being exploited
    15.84% of devices anonymously reported having a vulnerable plugin installed
    Devices made by LG were the most vulnerable, followed by Samsung and HTC

    Recordable Activator, an app developed by UK-based Invisibility Ltd., and which has between 100,000 and 500,000 downloads on Google Play, exploited the Certifi-gate vulnerability successfully on three devices evaluated by our Certifi-gate scanner app.

    Recordable is the easy way to create high-quality screen recordings on Android.

    Is simple to install and easy to use
    Does not require root

    To achieve this functionality, “EASY screen recorder NO ROOT” and its subcomponent Recordable Activator installs a vulnerable version of the TeamViewer plug-in on-demand. Because the plug-in is signed by various device manufacturers, it’s considered trusted by Android and is granted system-level permissions.

    From this point, Recordable Activator exploits the authentication vulnerability and connects with the plug-in to record the device screen.

    From our research team’s perspective, the developer did a poor job of protecting the interaction with subcomponents.

    Reply
  2. Tomi Engdahl says:

    BYOD? More like CYOD as companies still set the parameters
    The agony of the appearance of superficial choice
    http://www.theregister.co.uk/2015/08/25/byod_myth_cyod_choice_corporate/

    Companies are rapidly expanding the volume of mobile devices used by their employees. The number of devices enrolled in business grew by 72 per cent during the whole of last year, compared with 2013.

    Moreover, a Good Technology survey in the first quarter of 2015 found 72 per cent of those devices ran iOS, 26 per cent Android, and one per cent Windows.

    Apple’s share among tablets is 81 per cent, and Android 15 per cent. Samsung dominates Android activations – so much so, that 28 of the top 30 devices in Q1 were Apple or Samsung.

    Yes, the employee-driven device strategy seems to be here.

    And yet … this is not the Bring Your Own Device (BYOD) nirvana vendors are trying to sell. Rather employees are being allowed to choose from a tight list of approved devices (Choose Your Own Device).

    Devices making the CYOD list are those proven to work safely with the company’s security, mobile device management and mobile application management systems.

    A survey (in US, Canada, UK, Germany and Australia) by Check Point from last year found that as many as 75 per cent of companies allow personal devices to connect to corporate networks, but a (considerably larger survey in UK, France and Germany) by IDC also from late last year suggests that only a minority of European companies have such a policy.

    Firms might not be buying BYOD but employees are – perhaps they are the real target for tech vendors. It’s employees who want to use the best device for work and who are prepared to pay for it. Forrester reckons 73 per cent of employees are happy with the technology they have at home, while just 59 per cent were happy with the tech at work; 30 per cent said they were willing to invest their own money in a tablet, if given the choice.

    Reply
  3. Tomi Engdahl says:

    Jonathan Mayer / Web Policy:
    AT&T hotspot at Dulles Airport tampers with HTTP traffic to inject third-party ads from WiFi monetization firm RaGaPa — AT&T Hotspots: Now with Advertising Injection

    AT&T Hotspots: Now with Advertising Injection
    http://webpolicy.org/2015/08/25/att-hotspots-now-with-advertising-injection/

    While traveling through Dulles Airport last week, I noticed an Internet oddity. The nearby AT&T hotspot was fairly fast—that was a pleasant surprise.

    But the web had sprouted ads. Lots of them, in places they didn’t belong.

    Some ad-supported websites, like the Wall Street Journal, were also emblazoned with extra marketing material.

    Curious, and waiting on a delayed flight, I started poking through web source. It took little time to spot the culprit: AT&T’s wifi hotspot was tampering with HTTP traffic.

    The ad injection platform appears to be a service from RaGaPa, a small startup. Their video pitch features “MONETIZE YOUR NETWORK” over cascading dollar signs.

    When an HTML page loads over HTTP, the hotspot makes three edits. (HTTPS traffic is immune, since it’s end-to-end secure.)

    Those scripts, in turn, import advertising content from additional third-party providers.

    AT&T has an (understandable) incentive to seek consumer-side income from its free wifi service, but this model of advertising injection is particularly unsavory. Among other drawbacks: It exposes much of the user’s browsing activity to an undisclosed and untrusted business. It clutters the user’s web browsing experience. It tarnishes carefully crafted online brands and content, especially because the ads are not clearly marked as part of the hotspot service. And it introduces security and breakage risks, since website developers generally don’t plan for extra scripts and layout elements.

    Recent experience with advertisement injection is telling. When a Marriott property was spotted deploying similar technology, it immediately reversed course. The handful of U.S. ISPs that have dabbled in advertising injection appear to have backed off. Earlier this year, Google conducted a comprehensive study of advertising injection, and yanked nearly 200 misleading extensions from the Chrome Web Store. The closest common practice, to my knowledge, is injecting hotspot status indicators—and that’s also proven extraordinarily controversial.

    The legality of hotspot advertising injection is a messy subject. There are a number of colorable arguments

    Reply
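The injection described in the post above adds script and iframe elements to pages served over plain HTTP, so a site operator or a traveller can detect it by comparing the page as received on the hotspot with a reference copy fetched over HTTPS or a trusted network, or by flagging any loaded script whose host is not the site's own or one of its known partners. The Python below is an added example, not code from Jonathan Mayer's post; the sample pages and all hostnames in them are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class ScriptCollector(HTMLParser):
    """Collect the src of every <script> and <iframe>, the elements an
    injecting middlebox adds to pull in third-party advertising."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            src = dict(attrs).get("src")
            if src:
                self.sources.append((tag, src))


def collect_sources(html):
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.sources


def host_of(url, page_host):
    """Hostname of a script URL; relative URLs belong to the page's host.
    Protocol-relative URLs ('//host/path') are resolved by urlsplit."""
    return urlsplit(url).hostname or page_host


def find_injected(html, page_host, allowed_hosts=()):
    """Allowlist check: return (tag, src) pairs loaded from a host that is
    neither the page's own host nor one of the site's known partners."""
    allowed = {page_host, *allowed_hosts}
    return [(tag, src) for tag, src in collect_sources(html)
            if host_of(src, page_host) not in allowed]


def new_sources(reference_html, observed_html):
    """Reference check: return sources present in the page as observed on
    the suspect network but absent from a copy fetched over a trusted path.
    This needs no knowledge of the site's partners."""
    baseline = set(collect_sources(reference_html))
    return [s for s in collect_sources(observed_html) if s not in baseline]


# Constructed sample: the page as the site actually serves it.
SAMPLE_REFERENCE = """<html><head>
<script src="/js/app.js"></script>
<script src="https://cdn.news.example/lib.js"></script>
<script src="https://ads.partner.example/tag.js"></script>
</head><body><p>Article text</p></body></html>"""

# Constructed sample: the same page with two elements added in transit.
SAMPLE_OBSERVED = """<html><head>
<script src="/js/app.js"></script>
<script src="https://cdn.news.example/lib.js"></script>
<script src="https://ads.partner.example/tag.js"></script>
<script src="http://hotspot-ads.example/inject.js"></script>
</head><body><p>Article text</p>
<iframe src="//hotspot-ads.example/banner"></iframe>
</body></html>"""

SITE_HOST = "news.example"
SITE_PARTNERS = {"cdn.news.example", "ads.partner.example"}

if __name__ == "__main__":
    print("allowlist:", find_injected(SAMPLE_OBSERVED, SITE_HOST, SITE_PARTNERS))
    print("reference:", new_sources(SAMPLE_REFERENCE, SAMPLE_OBSERVED))
```

Both checks are moot for pages served over HTTPS, which the post notes the hotspot cannot modify; that remains the actual fix for site operators.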
  4. Tomi Engdahl says:

    Hollywood Finally Gets Hacking Right with Mr. Robot
    http://hackaday.com/2015/08/24/hollywood-finally-gets-hacking-right-with-mr-robot/

    a new show on the USA network, Mr. Robot. The synopsis for the show was “Mr. Robot is a psychological thriller that follows a young programmer who works as a cyber-security engineer by day and a vigilante hacker by night.” Yeah, that sounds like another Hollywood crapfes

    Show creator [Sam Esmail] isn’t a hacker himself, but he is tech savvy enough to see how poorly hacking has been portrayed on TV and in the movies. He knew he could do it better. The solution was good consultants

    This is an accurate description of some of the exploits which have been demonstrated on the tor network.

    The hacking isn’t all software either. Everyone’s favorite Linux single board computer is featured prominently in the first season. We can’t knock a show where a character looks at another and says “Ok, we all know what a Raspberry Pi is, what’s your point?”

    Social engineering is also a recurring theme. We see everything from the old “dropped USB stick in the parking lot” attack, to a character thoroughly destroying the self confidence of a corporate drone as a method to get to his superiors.

    Reply
  5. Tomi Engdahl says:

    M. Alex Johnson / NBC News:
    Ashley Madison faces at least five lawsuits seeking class action status: one asks for $500M in damages, others have anonymous plaintiffs and unspecified damages

    Ashley Madison Faces Multiple Suits Seeking More Than a Half-Billion Dollars
    http://www.nbcnews.com/news/us-news/ashley-madison-faces-multiple-suits-seeking-more-half-billion-dollars-n415281

    At least five lawsuits seeking class-action status have been filed over the hack of cheat-on-your-spouse website Ashley Madison, seeking more than a half-billion dollars, according to North American court records.

    None of the suits has yet been certified as a class action covering the reported 37 million members of Ashley Madison, whom they characterize as having suffered humiliation and harassment over the reported publication of delicate personal information — including credit card data and, in some cases, photos and sexual fantasies — by hackers calling themselves Impact Team.

    The suit alleges an internal company file included in the hack lays out multiple “technical issues that could lead to a data breach occurring, as well the legal problems that may come with that.”

    According to the suit, the document specifically notes that customer data were at risk of being exposed by phishing — in which an employee is conned into revealing protected information — and by an attack called SQL injection, in which malicious requests are entered into a database to force it to dump its data.

    The suit also says at least two other Ashley Madison employees filed similar memos warning of weaknesses “allowing hackers access to our user data.”

    Reply
  6. Tomi Engdahl says:

    Cyber Insecurity
    http://www.eetimes.com/author.asp?section_id=216&doc_id=1327456&

    In these uncertain times, designers have to consider security at every point in the system, because each system is only as secure as its weakest link.

    We are certainly living in interesting times. Over the years I’ve read a lot of science fiction stories that depicted various flavors of the future, many of which involved the concept of cyber security and nefarious strangers trying to access one’s data.

    Generally speaking, this sort of thing really didn’t affect most of us until relatively recently in the scheme of things. How things have changed. Now it seems that we hear about data breaches on an almost daily basis, many of which can put their victims at risk of identity theft.

    In 2013, for example, we discovered that hackers had managed to steal the credit and debit card information (including names, addresses, and phone numbers) associated with more than 70 million customers.

    Meanwhile, in 2014, I was informed that hackers had managed to access tens of millions of records from my health insurance company.

    I heard a report on the National Public Radio (NPR) that hackers have just posted the data they stole from a company/website called Ashley Madison.

    Apparently, the data released by the hackers includes the names, addresses, and phone numbers associated with the users of the site. Also, I hear that ~15,000 of these records have .mil or .gov email addresses

    The real problem is that we still don’t seem to take security seriously. In the case of my health insurance company, for example, we came to discover that they had taken such minimalist precautions as to make one shake one’s head in disbelief.

    And things are only going to get worse, which means that the designers of today’s electronic, computer, and embedded systems have to consider security at every point in the system — from the leaf nodes at the edge of the Internet of Things (IoT) to the mega servers in the cloud — because each system is only as secure as its weakest link.

    “But where can we learn about this stuff?” you cry.

    Reply
  7. Tomi Engdahl says:

    Are you using the cloud as your time capsule?
    http://www.edn.com/electronics-blogs/power-points/4440207/Are-you-using-the-cloud-as-your-time-capsule–?_mc=NL_EDN_EDT_EDN_today_20150825&cid=NL_EDN_EDT_EDN_today_20150825&elq=ad8531cbe6f444cf8cf1a5098f9843ee&elqCampaignId=24508&elqaid=27702&elqat=1&elqTrackId=20a6250d8f4843b7a527faff710e5e3a

    The electronics industry is not immune to marketing hype or optimism, of course. Right now, our three hot buttons are “IoT,” the “cloud,” and “big data.” When you are not sure what to say, just work one or more of these three phrases into your pitch or response and you should be all set, at least for a while.

    While I understand the potential market and even end-application benefits of IoT – although not to the “it will be bigger than everything and solve every problem known” level of hype that IoT-related opportunities are made out to be – I am much more ambivalent about the cloud and, to a lesser degree, big data. I am not really sure why an application which is touted as cloud-based (such as CAD, CAE, CAM FAE, or Spice design/modeling tools) is inherently superior to one which is not, especially if the non-cloud application supports connectivity and file sharing.

    It might seem that storing your precious family photos, videos, and other data in the cloud would eliminate or at least minimize these potential problems, but then I thought about it for a while. If you use a cloud-based storage service, there are many things that can happen:

    The cloud service can go bankrupt and the contents can disappear; you may be notified about this, or perhaps not, or the notification is sent to a defunct email address that no one knows to check
    Others in your family may lose track of which cloud service you are using
    In years to come, someone will forget/not know about paying the service-storage fee
    The sign-on ID and password may be “lost” at your end (even if you have them written down, will people know where to find where you have written it?); some cloud services make it very hard to re-gain access to an account if you don’t have the log-in information (if it’s part of an inherited estate, a court directive may be needed)
    The stored formats may no longer be readable. (Who can say that PDFs, JPEG, Word, and other formats will be decodable in decades to come?)

    I know that many of these concerns are not new or unique to the cloud, of course. There are many credible reports of important corporate and scientific data from pre-cloud era which are now lost or unreadable.

    Reply
  8. Tomi Engdahl says:

    Why Nobody Should Ever Search The Ashley Madison Data
    Genuine advice from one who has researched this purely for work reasons
    http://www.theregister.co.uk/2015/08/26/why_nobody_should_ever_search_the_ashley_madison_data/

    Analysis Some readers of the Register – or perhaps their spouses or significant others, or their bosses or colleagues or other people who may think they want to know if someone is “trustworthy” – may have heard that it is now possible to search online for evidence that a person may have been using the website Ashley Madison. Some users of that site may have been hypothetically considering possibly having an extramarital or otherwise illicit affair, though the mere fact of a person being registered with the site does not, of course, indicate any such thing.

    Here are the points that all of my readers need to consider before taking such a step.
    1. Your Computer Will Almost Certainly Get Infected With A Virus If You Do
    2. Just Searching The Data Could Add Your Name To An Online List Of Likely Ashley Madison Users
    3. The Mere Fact That Someone’s Details Are In The Ashley Madison Data Means Absolutely Nothing At All
    4. It Is Morally Wrong To Even Look At The Ashley Madison Data. If You Have Looked At It You Are The Truly Evil One – Far Worse Than An Adulterer – And Nobody Should Or Will Care What You Say Or Think

    Quite simply this. By looking at the Ashley Madison data you will almost certainly see other people named apart from your partner, who probably isn’t even in there or if he is, it’s for completely innocent reasons.

    Even if it turns out that your partner has done something wrong, you have now done something much more wrong in the course of finding that out.

    So don’t look – it’s that simple. You can trust me on this.

    Reply
  9. Tomi Engdahl says:

    The Onion Router is being cut up and making security pros cry
    IBM tells business to pull the plug, Agora pulls shutters on interesting goods mart
    http://www.theregister.co.uk/2015/08/26/big_blue_biz_better_block_tor/

    IBM is warning corporates to start blocking TOR services from their networks, citing rising use of the encrypted network to deliver payloads like ransomware.

    The advice comes in the company’s latest X-Force research team report (PDF).

    IBM claims there were around 180,000 malicious traffic “events” in the USA between January 1 and May 10 this year, with 150,000 in the Netherlands, and more than 50,000 in each of Romania, France, Luxembourg and Uruguay.

    While the rise of ransomware is worrying, the biggest attacks emanating from TOR exit nodes are familiar old favourites: SQL injection, vulnerability scanning, and denial-of-service.

    TOR is also providing an infrastructure for command-and-control networks, the report states.

    “A likely explanation is that these attacks are not after money — they’re attempts to steal intellectual property and/or spy on company operations”, the report says.

    X-Force threat researcher John Kuhn also told Darkreading attackers are looking for information about manufacturers’ SCADA networks.

    Reply
  10. Tomi Engdahl says:

    GitHub wobbles under DDOS attack
    What’s that big spike on site performance graph?
    http://www.theregister.co.uk/2015/08/26/github_wobbles_under_ddos_attack/

    GitHub is under a distributed-denial-of-service attack being perpetrated by unknown actors.

    The service’s status page reported “a brief capacity overload” early on Tuesday. The site’s assessment of the incident was later upgraded to a DDOS and at the time of writing the site is at code yellow.

    Reply
  11. Tomi Engdahl says:

    Apple devices a big risk for companies

    The security company Centrify has investigated how much, and how, Apple devices are used in American companies. The results are alarming. iPads, iPhones and MacBooks are used for processing company data even if the devices do not support the required security standards and protocols.

    The study results show that 45 per cent of employees use Apple devices. Of these, 63 per cent are the employees’ own devices. 51 per cent of all Apple devices were protected only by a PIN code, without stronger protection.

    Of the Mac computers, 59 per cent were used to handle confidential company data, and 65 per cent of the Macs were used for processing confidential customer data. Half of the iPhones had been given access to business applications; for iPads the corresponding figure was 58 per cent.

    Centrify’s point was that despite the enormous popularity of Apple devices, not enough resources are spent on protecting them properly. Only 17 per cent of the surveyed employees’ Apple devices were equipped with a company-supplied password manager.

    Source: http://etn.fi/index.php?option=com_content&view=article&id=3237:applen-laitteet-iso-riski-yrityksille&catid=13&Itemid=101

    Reply
  12. Tomi Engdahl says:

    BitTorrent patched against flaw that allowed crippling DoS attacks
    Vulnerability in open BitTorrent protocol amplified attacks as much as 120 times.
    http://arstechnica.com/security/2015/08/bittorrent-patched-against-flaw-that-allowed-crippling-dos-attacks/

    The maintainers of the open BitTorrent protocol for file sharing have fixed a vulnerability that allowed lone attackers with only modest resources to take down large sites using a new form of denial-of-service attack.

    The technique was disclosed two weeks ago in a research paper submitted to the 9th Usenix Workshop on Offensive Technologies. By sending vulnerable BitTorrent applications maliciously modified data, attackers could force them to flood a third-party target with data that was 50 to 120 times bigger than the original request. By replacing the attacker’s IP address in the malicious user datagram protocol request with the spoofed address of the target, the attacker could cause the data flood to hit the victim’s computer.

    Reply
  13. Tomi Engdahl says:

    Google tells iOS 9 app devs: Switch off HTTPS if you want that sweet sweet ad money from us
    Apple’s encrypt-everything rule gets in the way of plain HTTP
    http://www.theregister.co.uk/2015/08/27/google_apple_ads/

    Google has told iOS 9 app developers to disable Apple’s enforcement of HTTPS-only connections – or their in-app Google ads won’t show up on up-to-date iPhones and iPads.

    Apple has added what it calls App Transport Security (ATS) to iOS 9 and OS X 10.11, which ensures software only uses encrypted connections when talking to servers and other systems over the network.

    It’s supposed to make sure programmers always protect people from eavesdroppers and man-in-the-middle tampering: when an app sends someone’s personal data over the internet to the app maker’s backend servers, the information should be safeguarded by encryption. But this enforcement can be switched off on a per-application basis.

    Apps can be built using the Google Mobile Ads software development kit to show adverts on-screen, and earn developers cash. By not showing these ads, the programmers lose out on vital revenue.

    On Wednesday, Google admitted that it’s still shifting a ton of adverts over unencrypted HTTP connections

    Reply
  14. Tomi Engdahl says:

    Want security? Next-gen startups show how old practices don’t cut it
    Stop hackers from walking on the eggshells protecting your datacenter
    http://www.theregister.co.uk/2015/08/22/next_generation_security_startups_emerge/

    Sysadmin Blog In case you hadn’t noticed, IT security sucks. There is a chronic lack of people trained in IT security, people who will listen to IT security, and even a lack of agreement on how best to go about IT security. Fortunately, a new generation of startups are helping to tackle the issues.

    No matter how good a sysadmin you think you are, your network will eventually be compromised. This is a huge problem, because “eggshell security” is still the dominant security model in most data centers.

    Eggshell security is the traditional model of having a hardened outer layer of edge defences and a network that is essentially wide open, once the attacker has made it past the perimeter defences.

    Administrative account and password reuse is rampant, few systems behind the outer defences have proper firewalls, security auditing is practically nonexistent, and file shares that are open to any user are everywhere.

    I am aware of medical insurance companies running thousands of servers with databases of critical subscriber information without anti-malware protection, let alone proper intrusion detection. Retailers with SQL databases filled with millions of credit cards that don’t require even the most basic authentication. Law firms with file servers whose entire contents can be deleted by the first person who plugs a notebook into an Ethernet jack on the wall.

    Eggshell computing is a fantastically stupid concept, yet our entire industry is addicted to it. We focus on “the bad guys” battering down the WAN with port scans and spam. We ignore the insider threats from people downloading malware, being malicious, or even just Oopsie McFumbleFingers YOLOing the delete key.

    This has to change.

    There are four pillars to Modern IT security: prevention, detection, mitigation, and incident response.

    Reply
  15. Tomi Engdahl says:

    Indian State shuts off mobile internet to stop rumours fuelling riots
    Activist calls for calm on WhatsApp amid protests for minority rights
    http://www.theregister.co.uk/2015/08/28/indian_state_shuts_off_mobile_internet_to_stop_rumours_fuelling_riots/

    An activist’s call for the Indian State of Gujarat to restrict access to WhatsApp and mobile internet has been heeded by local authorities, in the hope that restricting communications will quell violence. Authorities complied with that request.

    Mobile internet access remains unavailable across parts of Gujarat at the time of writing and paramilitary forces have been deployed to maintain calm.

    Reply
  16. Tomi Engdahl says:

    Google makes it official: Chrome will freeze Flash ads on sight from Sept 1
    If your ads aren’t on web giant’s network, they better be HTML5 – or they’re dead to Chrome
    http://www.theregister.co.uk/2015/08/28/google_says_flash_ads_out_september/

    Google is making good on its promise to strangle Adobe Flash’s ability to auto-play in Chrome.

    The web giant has set September 1, 2015 as the date from which non-important Flash files will be click-to-play in the browser by default – effectively freezing out “many” Flash ads in the process.

    Netizens can right-click over the security-challenged plugin and select “Run this” if they want to unfreeze an ad. Otherwise, the Flash files will remain suspended in a grey box, unable to cause any harm nor any annoyance.

    Click-to-play … Run if you wish

    Back in June, Google warned that, in cooperation with Adobe, it would change the way Flash material is shown on websites.

    Basically, “essential” Flash content (such as embedded video players) are allowed to automatically run, while non-essential Flash content, much of that being advertisements, will be automatically paused.

    Reply
  17. Tomi Engdahl says:

    Google Tells Developers How to Get Around Apple’s New Security Rules So They Can Keep Selling Ads
    http://recode.net/2015/08/27/google-tells-developers-how-to-get-around-apples-new-security-rules-so-they-can-keep-selling-ads/

    Apple says it cares a lot about privacy. Just ask Tim Cook.

    Hence, its new iOS 9 operating system will boast a new feature, called App Transport Security, or ATS, which is supposed to require iPhone app developers to use an advanced security protocol. The idea is to keep the operating system lock tight.

    Google says it cares a lot about privacy, too. And it says Apple is doing the right thing.

    But Google also says that not every app developer and mobile publisher will be able to work with Apple’s new standards, at least not yet. So, when those app publishers that aren’t running the protocol meet Apple’s new encryption, their mobile ads won’t run. No ads, less revenue.

    On Wednesday, Google gave publishers a pointer. It published the five lines of code to disable Apple’s encryption, offering them a “short-term fix” before they get up to speed with the security rules that both Apple and Google are pushing. (It should be noted: Disabling the protocol doesn’t appear to violate Apple’s rules.)

    Reply
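    As an added illustration (not Google’s published snippet and not Apple’s documentation), the two ways an app’s Info.plist can relax App Transport Security: the blanket NSAllowsArbitraryLoads switch that turns enforcement off for every connection, beside the narrower per-domain exception that keeps HTTPS enforcement everywhere else. The host name is a constructed placeholder, and the two fragments are alternatives, not meant to be used together.

```xml
<!-- Alternative 1 (weak): disables ATS for every host the app talks to.
     Any plain-HTTP request, including ones carrying the user's own data,
     is now allowed, not just the ad traffic the exception was meant for. -->
<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
</dict>

<!-- Alternative 2 (narrower): keep ATS on globally and exempt only the one
     host that cannot yet serve HTTPS. ads.example.invalid is a constructed
     placeholder, not a real ad server. -->
<key>NSAppTransportSecurity</key>
<dict>
    <key>NSExceptionDomains</key>
    <dict>
        <key>ads.example.invalid</key>
        <dict>
            <!-- permit http:// to this host only -->
            <key>NSExceptionAllowsInsecureHTTPLoads</key>
            <true/>
            <!-- also cover hosts under it, e.g. cdn.ads.example.invalid -->
            <key>NSIncludesSubdomains</key>
            <true/>
        </dict>
    </dict>
</dict>
```

    Either fragment sits inside the top-level dict of Info.plist; when reviewing an app, a bare NSAllowsArbitraryLoads set to true is the setting to flag, since it removes the protection for every backend the app contacts.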
  18. Tomi Engdahl says:

    Cops decide to collect less license plate data after 80GB drive got full
    Police department unilaterally decides to impose six-month retention policy.
    http://arstechnica.com/tech-policy/2015/08/cops-decide-to-collect-less-license-plate-data-after-80gb-drive-got-full/

    Weeks after Ars published a feature on the scope of license plate reader use, the Oakland Police Department unilaterally and quietly decided to impose a data retention limit of six months.

    Prior to April 2015, there had been no formal limit, which meant that the police were keeping data going as far back as December 2010.

    That puts the OPD in line with other jurisdictions, including the Drug Enforcement Administration, which decided in 2012 that it would reduce its license plate reader (LPR, or ALPR) retention period from two years to six months. The Silicon Valley city of Menlo Park only retains for 30 days, by comparison.

    According to Sgt. Dave Burke, who is in charge of the city’s LPR system, this change was not in response to Ars’ article, but rather was made primarily because the LPR computer—a Windows XP computer with an 80GB hard drive—was full and apparently “kept crashing.”

    “We had no money in the budget to buy an additional server,” he told Ars.

    “Trying to do this outside of a budget cycle [is difficult],”

    Reply
  19. Tomi Engdahl says:

    FBI ordered more cell phone trackers in wake of Hurricane Katrina
    Post-storm, procuring cell site simulators became “essential”
    https://www.muckrock.com/news/archives/2015/aug/27/stingray-katrina/

    Hurricane Katrina killed hundreds of people along the Gulf Coast, displaced thousands more, and exposed critical deficiencies in our country’s disaster response mechanisms. The historic storm also revealed gaps in the FBI’s inventory of cell phone trackers, making additional equipment purchases “essential,” by the agency’s assessment.

    The FBI has declined to elaborate which particular lessons it gleaned from Katrina as far as cell phone tracking. But the agency’s Wireless Intercept and Tracking Team (WITT) cited the hurricane’s damage to justify additional procurements of cell phone tracking equipment.

    After local first responders — including New Orleans Police Department and the Louisiana State Police — were “decimated” by the hurricane, the FBI and other federal law enforcement deployed hundreds of agents to assist in search and rescue and to address widespread looting. Subsequent assessments criticized that the federal response was uncoordinated, but the FBI entered the fray in force. The bureau dispatched tactical teams, medical personnel and senior management alike.

    Reply
  20. Tomi Engdahl says:

    Malware menaces poison ads as Google, Yahoo! look away
    Booming attack vector offers mass malware distribution, stealthy targeting
    http://www.theregister.co.uk/2015/08/27/malvertising_feature/

    Online advertising has become an increasingly potent threat to end-user security on the internet. More hackers than ever are targeting the internet’s money engine, using it as a powerful attack vector to hide exploits and compromise huge numbers of victims.

    Malvertising, as poisoned ads are known, is as deadly as it is diverse. Hackers are able to poison advertisements with the world’s most capable exploit kits, then pay to have it served on a large number of prominent websites. Up to half of users exposed to the very worst forms of malvertising fall victim, yet tracking the attacks is often tricky. Advertisements are dynamic and served only to certain users, on certain websites, in certain conditions, making attacks difficult to study.

    Ads as an attack vector was identified in 2007 when security responders began receiving reports of malware hitting user machines as victims viewed online advertisements

    Since then malvertising has exploded. This year it increased by more than 260 percent on the previous year, with some 450,000 malicious ads reported in the first six months alone, according to numbers by RiskIQ. Last year, security firm Cyphort found a 300 percent increase in malvertising. In 2013, the Online Trust Alliance logged a more than 200 percent increase in malvertising incidents compared to 2012, serving some 12.4 billion malvertisement impressions.

    It is a scourge that, according to malvertising research, will inflict up to US$1 billion in damages this year, making the threat difficult to overstate.

    The threat, coupled with privacy concerns, is driving users to block ads. PageFair statistics indicate some 198 million users operate ad blocking software, up by 41 percent globally since last year, and digging a $22 billion hole in the online ad industry.

    “Malvertising is one of the biggest vectors for mass compromise out there,”

    Malvertising set to wreak one BEELLION dollars in damage this year
    On the upside, the ROI is amazing if you’ve an appetite for risky investments
    http://www.theregister.co.uk/2015/08/13/june_worst_malvertising_month/

    Records have fallen as malvertising clocked its most prolific month in history, making it one of the biggest threats to endpoint security.

    If the scourge continues, criminals will have inflicted a billion dollars in damages by the end of the year from a paltry US$12,000 investment, according to researchers at security firm Invincea.

    It says the attacks represent 2.1 million malicious advertisements purchased by maldoers.

    “June was by far the worst month on record for malvertising – likely due to the multiple Flash zero-day exploits that were integrated into exploit kits used to host fraudulent ads that month”, the report says.

    “At an industry average price of approximately US$2.90 per thousand online ads, malicious actors were able to inflict more than half a billion dollars of damage for a mere US$6,000 in advertising spend.

    Reply
  21. Tomi Engdahl says:

    A Project to Guarantee Better Security for Open-Source Projects
    http://www.linuxjournal.com/content/project-guarantee-better-security-open-source-projects

    With many open-source projects built on top of others, a security weakness in a common piece of infrastructure can have far-reaching consequences. As OpenSSL’s Heartbleed security hole demonstrated, these vulnerabilities can appear in even the most trusted packages.

    Open-source developers, however, can take steps to help catch these vulnerabilities before software is released. Secure development practices can catch many issues before they become full-blown problems. But, how can you tell which open-source projects are following these practices? The Core Infrastructure Initiative has launched a new “Best Practice Badge Program” this week to provide a solution by awarding digital badges to open-source projects that are developed using secure development practices.

    The Core Infrastructure Initiative is a non-profit project set up by the Linux Foundation. It organizes funding for vital open-source projects. The Initiative has the financial support of many large enterprises who rely on these open-source projects, including Amazon, Google, IBM and Cisco.

    The Initiative focuses its attention on projects that form the backbone of different software stacks and are widely used. The OpenSSL project is a clear example. This software is used in many different operating systems and Web applications, so the potential fallout from any security flaws is vast.

    Although it’s just over a year old, it already is making a big difference to these essential packages. By funding essential security audits and development work, the Initiative has eliminated a large number of bugs and exploitable errors.

    The badge program is the latest of the group’s initiatives, which include:

    Education.
    A broad census to help identify the projects that most need assistance.
    Tooling to develop tools that open-source projects can use to improve their development processes.

    Reply
  22. Tomi Engdahl says:

    UK police triples use of ad-hijacking tech on alleged piracy websites
    Highly targeted approach is welcome, but lack of judicial oversight an issue.
    http://arstechnica.co.uk/tech-policy/2015/08/uk-police-triples-use-of-ad-hijacking-tech-on-alleged-piracy-websites/

    The City of London Police has stepped up its ad-hijacking program, trebling the number of alleged piracy websites that it targets. The program, called Operation Creative, replaces conventional revenue-driving ads with anti-piracy warnings. Last year, the City of London Police targeted 74 websites; this year, according to information obtained by TorrentFreak with a Freedom of Information request, the number of sites is up to 251.

    Operation Creative was launched in 2013 with the aim of reducing the advertising carried by sites offering unauthorised copies of copyrighted works. In a recent press release, the City of London’s Police Intellectual Property Crime Unit (PIPCU) claimed that since the start of the scheme, “there has been a 73% decrease in advertising from the UK’s top ad spending companies on copyright infringing websites.”

    A key element of the system is the Infringing Website List, which provides the digital advertising sector with “an up-to-date list of copyright infringing sites, identified by the creative industries, evidenced and verified by PIPCU, so that advertisers, agencies and other intermediaries can cease advert placement on these illegal websites.”

    Reply
  23. Tomi Engdahl says:

    Spooks, plod and security industry join to chase bank hacker
    Perp known as ‘DD4BC’ has some serious heat on his or her tail, with worse to come
    http://www.theregister.co.uk/2015/08/28/irate_security_posse_intel_spooks_in_ddos_hushed_hacker_hunt/

    A group of security boffins have joined police and intelligence spooks in a clandestine mission to identify those behind distributed denial of service (DDoS) extortion attacks against major banks.

    An attacker using the handle DD4BC (DDoS for Bitcoins) is launching large DDoS attacks against banks and other big business in the UK, Europe, the US, and Australia and New Zealand demanding Bitcoin payment for the assaults to end.

    The details of the secretive group, which boasts skills in actor attribution, are being kept under wraps to avoid tipping off the criminal who is thought to be a lone wolf.

    Its work, says Roland Dobbins of Arbor Network’s security engineering and response team, will likely precipitate an official intelligence investigation should the extortionist continue to launch DDoS attacks against big banks.

    “There is a very, very active posse who are trying to identify the actor and intelligence agencies in some jurisdictions are after DD4BC,”

    The DDOS attacks are made through for-hire online booter or stresser services that are shooting relatively new Simple Service Discovery Protocol (SSDP) traffic which causes vulnerable embedded devices like smart TVs to fire requests at a target.

    Reply
  24. Tomi Engdahl says:

    NCA arrests six Lizard Squad users after gaming firms, retailers targeted
    Officers also visiting 50 addresses for a quiet word
    http://www.theregister.co.uk/2015/08/28/nca_arrest_six_lizards/

    The National Crime Agency has arrested six users of a Lizard Squad DDoS attack tool, which had been used against a national newspaper, a school, gaming companies, and a number of online retailers.

    Those arrested are suspected of maliciously deploying Lizard Stresser, which allows users to pay to take websites offline for up to eight hours. All six bought the tool using alternative payment services, such as Bitcoin, it is alleged.

    Reply
  25. Tomi Engdahl says:

    Germany to set up ‘Bundescloud’
    http://www.euractiv.com/sections/infosociety/germany-set-bundescloud-316939

    New German rules for government cloud computing means official data can only be processed in Germany. The restrictions are a strike against US-based cloud providers such as Amazon and Google.

    German IT officials agreed on terms for public sector cloud use on Tuesday (18 August).

    “Cloud providers have to sign a non-disclosure agreement, according to which these data aren’t allowed to end up in foreign disclosure obligations and access abilities that can be used against cloud providers outside the Federal Republic of Germany,” the rules specify.

    The caveat about cloud providers that are beholden to foreign disclosure obligations alludes to the American tech companies that have been legally required to share client information with US intelligence agencies.

    The document also limits German government offices to only using clouds certified by the government’s IT security office BSI, or by equally strict standards.

    Germany is planning a “Bundescloud” to host government data as part of a larger move to slim down several government ministry IT services.

    The new rules on government cloud use only affect national agencies, but the Federal Ministry of the Interior is nudging the private sector to follow its lead.

    But Germany’s new rules get to the heart of the cloud industry’s Achilles heel: Almost 40% of European companies using clouds named security as the main factor limiting their use, according to Eurostat’s most recent reading of attitudes towards clouds.

    Reply
  26. Tomi Engdahl says:

    German Intelligence Traded Citizen Data For NSA Surveillance Software
    http://yro.slashdot.org/story/15/08/28/1222202/german-intelligence-traded-citizen-data-for-nsa-surveillance-software

    Germany’s domestic intelligence agency, the BfV, was so impressed with the NSA’s surveillance software that they were willing to “share all data relevant to the NSA’s mission” in order to get it. “The data in question is regularly part of the approved surveillance measures carried out by the BfV. In contrast, for example, to the Bundesnachrichtendienst (BND), Germany’s foreign intelligence agency, the BfV does not use a dragnet to collect huge volumes of data from the Internet. Rather, it is only allowed to monitor individual suspects in Germany — and only after a special parliamentary commission has granted approval. …

    A Dubious Deal with the NSA
    http://www.zeit.de/digital/datenschutz/2015-08/xkeyscore-nsa-domestic-intelligence-agency

    Internal documents show that Germany’s domestic intelligence agency, the BfV, received the coveted software program XKeyscore from the NSA – and promised data from Germany in return. By Kai Biermann and Yassin Musharbash

    Reply
  27. Tomi Engdahl says:

    Ins0mnia Flaw Turns iOS Apps Into Security Nightmare
    http://www.tomsguide.com/us/apple-ios-ins0mnia-flaw,news-21517.html

    Many iOS users know that you quit an app by double-clicking the home button and swiping the app window up, but it turns out there’s a vulnerability that renders that process useless. The Ins0mnia flaw breaks the standard three-minute limit for background activity that iOS imposes on apps you’re not using anymore.

    That background-activity limit is important to user security, as it stops apps from gaining permanent access to device features like the camera, microphone or GPS tracking.

    If an app were to exploit the Ins0mnia bug, it would trick the iPhone or iPad into thinking the app is being debugged. That loophole stops the iDevice from suspending the app based around the background activity time limit, and lets it still run in the background even if the user swipes it up off the screen in the task-switcher interface.

    Apple iOS flaw Ins0mnia hides malicious apps which run forever
    The security vulnerability allows malicious apps to run in the background with no timeout.
    http://www.zdnet.com/article/apple-ios-flaw-ins0mnia-hides-malicious-apps-which-run-forever/

    A security flaw which permitted malicious applications to run in the background of iOS devices for an unlimited amount of time has been patched by Apple.

    The vulnerability, dubbed Ins0mnia by FireEye researchers, allowed iOS applications to continue to run in the background of an Apple device even when the process was terminated by the user and no longer visible in the task switcher — bypassing Apple background restrictions and timeout protocols.

    If the owner of the iPad or iPhone uses the iOS task switcher, they can view a list of recently opened apps. When an app is closed down, the software will be pushed into the background — and is subject to the same time limit restrictions — or the user can choose to completely close the app by removing it from the list.

    However, the Ins0mnia vulnerability allows applications to bypass these Apple-imposed controls. The exploit fools the device into believing the system is being debugged, and therefore the system suspends any timeout features relating to the malicious app.

    Apple has been informed of the vulnerability and patched the problem in iOS version 8.4.1, released earlier this month.

    A recent security breach which took place on the iOS platform left 220,000 iCloud users vulnerable to spying and remote hijacking.

    Reply
  28. Tomi Engdahl says:

    Ins0mnia: Unlimited Background Time and Covert Execution on Non-Jailbroken iOS Devices
    https://www.fireeye.com/blog/threat-research/2015/08/ins0mnia_unlimited.html

    The attack consisted of fooling the iDevice into believing that the iOS application was being debugged. This prevented the system from suspending the application when the permitted background duration expired.

    To fool iOS, a malicious application could leverage ptrace, and utilize the ptrace code that handled the PT_TRACE_ME request to set the flag P_LTRACED and gracefully return 0. By setting the P_LTRACED flag, the application prevented the assertiond process from suspending the malicious application. Note that PT_TRACE_ME was a request made by the traced process to declare that it expected to be traced by its parent.

    If an app exploited this vulnerability and the user removed the app from task switcher, the application would continue to run in the background, while the user believed the application had been completely shut down.

    Reply
  29. Tomi Engdahl says:

    Mark Bergen / Re/code:
    Google to app developers: iOS 9 privacy feature that forces HTTPS can break ads, so add an exception to allow ads to be delivered over HTTP

    Google Tells Developers How to Get Around Apple’s New Security Rules So They Can Keep Selling Ads
    http://recode.net/2015/08/27/google-tells-developers-how-to-get-around-apples-new-security-rules-so-they-can-keep-selling-ads/

    Reply
  30. Tomi Engdahl says:

    Are you using the cloud as your time capsule?
    http://www.edn.com/electronics-blogs/power-points/4440207/Are-you-using-the-cloud-as-your-time-capsule–?_mc=NL_EDN_EDT_EDN_today_20150825&cid=NL_EDN_EDT_EDN_today_20150825&elq=ad8531cbe6f444cf8cf1a5098f9843ee&elqCampaignId=24508&elqaid=27702&elqat=1&elqTrackId=20a6250d8f4843b7a527faff710e5e3a

    The electronics industry is not immune to marketing hype or optimism, of course. Right now, our three hot buttons are “IoT,” the “cloud,” and “big data.” When you are not sure what to say, just work one or more of these three phrases into your pitch or response and you should be all set, at least for a while.

    I am not really sure why an application which is touted as cloud-based (such as CAD, CAE, CAM FAE, or Spice design/modeling tools) is inherently superior to one which is not, especially if the non-cloud application supports connectivity and file sharing

    It might seem that storing your precious family photos, videos, and other data in the cloud would eliminate or at least minimize these potential problems, but then I thought about it for a while. If you use a cloud-based storage service, there are many things that can happen:

    The cloud service can go bankrupt and the contents can disappear; you may be notified about this, or perhaps not, or the notification is sent to a defunct email address that no one knows to check
    Others in your family may lose track of which cloud service you are using
    In years to come, someone will forget/not know about paying the service-storage fee
    The sign-on ID and password may be “lost” at your end (even if you have them written down, will people know where to find where you have written it?); some cloud services make it very hard to re-gain access to an account if you don’t have the log-in information (if it’s part of an inherited estate, a court directive may be needed)
    The stored formats may no longer be readable. (Who can say that PDFs, JPEG, Word, and other formats will be decodable in decades to come?)

    I know that many of these concerns are not new or unique to the cloud, of course. There are many credible reports of important corporate and scientific data from pre-cloud era which are now lost or unreadable.

    The film industry, which places great dollar value on their archives, understands the problem and risk. Although filming and editing have largely gone digital, and even theater projection is going that way at a rapid rate (80% are now digital), they still store archival copies of movies on high-quality analog film, in climate-controlled vaults.

    What’s your take on the cloud as the answer to viable, retrievable long-term storage?

    Comment:
    Recommend that whatever you put in the cloud consider the data as temporal and you have no problem if it is gone – ie. vapourware. I have a concern about the risk of putting personal data in the cloud given the number of security issues that occur with various IT systems.

    Reply
  31. Tomi Engdahl says:

    Microsoft intensifies data collection on Windows 7 and 8 systems
    http://www.ghacks.net/2015/08/28/microsoft-intensifies-data-collection-on-windows-7-and-8-systems/

    Microsoft has been criticized by privacy advocates in regards to the data hunger of its Windows 10 operating system. The operating system slurps data like there is no tomorrow, especially when systems are set up using the express settings.

    Experienced users may disable telemetry and data collection partially during setup, and then some more afterwards using the Registry or Group Policy.

    What makes this problematic however is the fact that it is nearly impossible to stop all of the data collecting that is taking place.

    While users may disable some, for instance by using privacy tools (of which there are plenty), others cannot be disabled or stopped that easily, for instance because of hardcoded host and IP address information that bypass the Hosts file of the operating system.

    Windows 7 and 8 users have been plagued by “upgrade preparation” updates but left alone otherwise up until recently when it comes to this new level of data collecting.

    Reply
  32. Tomi Engdahl says:

    Company in shambles, marriages ruined. My work here is done, says Ashley Madison CEO
    Noel Biderman quits hacked biz
    http://www.theregister.co.uk/2015/08/28/noel_biderman_quits_ashley_madison/

    Noel Biderman has quit as chief exec of Avid Life Media, the parent of adultery website Ashley Madison. If you can’t think why, or don’t know what Ashley Madison is by now, then you must have been living under a rock for the past month – and we’d be grateful if you could let us join you.

    After hackers ransacked the Ashley Madison website, and leaked databases containing 36 million accounts plus source code and Biderman’s company emails, all hell has broken loose – from lawsuits against Avid Life Media to suicides linked to the outing of its love-rat users. It even turned out not that many women were using the Tinder-for-cheaters biz, and paying $19 to delete your account on the site left all sorts of personal information intact.

    “Effective today, Noel Biderman, in mutual agreement with the company, is stepping down as Chief Executive Officer of Avid Life Media, and is no longer with the company,”

    Reply
  33. Tomi Engdahl says:

    Ashley Madison boss steps down amid high-profile hacking scandal
    http://www.theinquirer.net/inquirer/news/2418367/hackers-breach-cheaters-website-ashleymadison-in-data-debrief-encounter

    The statement reads: “Effective today, Noel Biderman, in mutual agreement with the company, is stepping down as Chief Executive Officer of Avid Life Media Inc. (ALM) and is no longer with the company. Until the appointment of a new CEO, the company will be led by the existing senior management team.

    “We are actively adjusting to the attack on our business and members’ privacy by criminals. We will continue to provide access to our unique platforms for our worldwide members.

    “We are actively cooperating with international law enforcement in an effort to bring those responsible for the theft of proprietary member and business information to justice.”

    Ashley Madison continues to investigate the hack, and earlier this week confirmed that it had lined up the FBI and the Royal Canadian Mounted Police to help it seek out and identify the hackers that are causing it consternation.

    Ashley Madison is facing a class action lawsuit that accuses the company of not doing enough to protect personal and private information.

    The class action case, from two Canadian law firms, argues that the hook-up station failed users by not protecting their information and not deleting it after a fee had been paid to ensure its deletion. The suit seeks $578m in damages.

    “They are outraged that AshleyMadison.com failed to protect its users’ information,” attorney Ted Charney told the paper. “In many cases, the users paid an additional fee for the website to remove all of their user data, only to discover that the information was left intact and exposed.”

    You know what’s happening at Ashley Madison. It’s all below anyway. Things look bleak for people who looked for no-strings hookups but did not consider that they were putting a lot of their information onto the internet and its web servers. Searchable databases of users have been released and, yep, people are searching them.

    found 14,000 government officials

    “With such diversity of individuals, whose information was compromised through the Ashley Madison hack, you have to wonder what the lasting impact of this breach can be,”

    “What are the implications to the companies these individuals work for? Will these individuals give in to blackmail to betray their employer, save their marriage or relationship? What can this data, plus the information from breaches like OPM, be used for to compromise our national security or trade secrets? These are all questions employers should be asking themselves.”

    “People will always be a risk to any company’s security strategy. When I was a penetration tester, I always relied on other people to gain access into an environment,”

    “I would commonly drop USB drives in parking lots, relying on someone to pick it up and plug it into their workstation just to see, out of curiosity, what was on the drive. Nine out of 10 times this would grant me access into the customer’s environment.”

    “The hackers stated that, if Ashley Madison didn’t shut down, it would expose the databases and information hacked from the popular online cheating site. Today it appears that promise came true and Ashley Madison did not buckle or shut down,”

    The implications of the hack on the infidelity website are already bad. It puts personal information in harm’s way and it puts philandering lotharios at risk of sour moods and awkward evenings, never mind divorce courts and the resulting legal fees.

    The fallout, messy and grubby as it is, is pretty fascinating, however, and shows that, wherever you go in the world, you have a strong chance of being approached for a no-strings – unless that is your thing – night in a hotel room with an otherwise legally attached stranger.

    “Contrary to current media reports, and based on accusations posted online by a cyber criminal, the paid delete option offered by AshleyMadison.com does in fact remove all information related to a member’s profile and communications activity,” it said in a statement.

    The security industry has reacted to news of the leak with warnings about the risks of losing data and exposing personal preferences, something that might be keenly felt in some of the Ashley Madison community.

    “Data is the new currency and the breach at Ashley Madison shows attackers are not only looking to steal consumer information for profit but to hold companies hostage,” said Eric Chiu, president and co-founder of cloud security company HyTrust.

    “Dating sites have lots of very personal information, including contact information, dates of birth and sexual preferences.

    “This information can be used to steal additional information and ultimately the person’s identity, and to embarrass or hold individuals to ransom, especially given that many will want to keep this information secret from colleagues or spouses.”

    Reply
  34. Tomi Engdahl says:

    Dark website Agora closes over Tor vulnerability suspicions
    http://www.scmagazine.com/dark-website-agora-closes-over-tor-vulnerability-suspicions/article/435278/

    Agora, one of the largest online black market sites, halted operations after concerns arose that vulnerabilities in Tor’s hidden services could lead to its servers being located.

    The concerns stem from a Massachusetts Institute of Technology (MIT) study, released last month, detailing how certain attacks could expose servers, according to published reports.

    “We have recently been discovering suspicious activity around our servers which led us to believe that some of the attacks described in the research could be going on,” Agora’s administrators said in a message originally posted to Agora’s dark web home and then reposted to Reddit.

    Reply
  35. Tomi Engdahl says:

    Drum roll, please …. Results are in for the collective noun for security vulns
    It’s a fix! A security fix!
    http://www.theregister.co.uk/2015/08/28/security_vulns_collective_noun/

    To recap: the recent rash of Android vulnerabilities has made it clear that a new collective noun for such flaws, and possibly a separate one for security bugs in general, was required. We can talk about a pack of lies and a wad of notes, but there’s no collective noun for vulnerabilities, for shame.

    Aside from showing what a contrarian lot Reg commentards are, the poll showed a general tiredness with the overused term of cyber, which got kicked into the long grass.

    Sticking with one or two terms might get tired (or worse, boring) really quickly, so we’re offering all seven of those that did well in the poll as options for collective nouns. Greedy? Maybe.

    Hatstand: 258 votes
    Windows: 161 votes
    Plague: 148 votes
    Panic: 145 votes
    Nest: 135 votes
    Scourge: 126 votes
    Overflow: 122 votes

    Reply
  36. Tomi Engdahl says:

    Even when told not to, Windows 10 just can’t stop talking to Microsoft
    It’s no wonder that privacy activists are up in arms
    http://arstechnica.co.uk/information-technology/2015/08/even-when-told-not-to-windows-10-just-cant-stop-talking-to-microsoft/

    Reply
  37. Tomi Engdahl says:

    Jailbreaking pirates popped in world’s largest iCloud raid
    Cheaters, tweakers, hackers and crackers torn up by nasty Cydia bundle.
    http://www.theregister.co.uk/2015/08/31/keyraider_apple/

    The largest Apple credential raid in history has seen nearly a quarter of a million accounts compromised by malware targeting app pirates.

    The hack spree affecting at least 225,000 valid Apple accounts is hitting targeting jailbroken iThings in which users break Cupertino’s strict device security device controls.

    Jailbreaking is popular but actively smothered by Apple which releases updates to squash necessary exploits. The modification is performed in order to tap into additional tweaks through the alternative Cydia store, and by some wanting to pirate apps.

    “We believe this to be the largest known Apple account theft caused by malware,” Xiao says.

    “The malware hooks system processes through MobileSubstrate, and steals Apple account usernames, passwords and device GUID by intercepting iTunes traffic on the device.

    “The purpose of this attack was to make it possible for users of two iOS jailbreak tweaks to download applications from the official App Store and make in-app purchases without actually paying.”

    Reply
  38. Tomi Engdahl says:

    The Coming Terrorist Threat From Autonomous Vehicles
    http://yro.slashdot.org/story/15/08/30/1539258/the-coming-terrorist-threat-from-autonomous-vehicles

    Alex Rubalcava writes that autonomous vehicles are the greatest force multiplier to emerge in decades for criminals and terrorists and open the door for new types of crime not possible today. According to Rubalcava, the biggest barrier to carrying out terrorist plans until now has been the risk of getting caught or killed by law enforcement so that only depraved hatred, or religious fervor has been able to motivate someone to take on those risks as part of a plan to harm other people. “A future Timothy McVeigh will not need to drive a truck full of fertilizer to the place he intends to detonate it,” writes Rubalcava. “A burner email account, a prepaid debit card purchased with cash, and an account, tied to that burner email, with an AV car service will get him a long way to being able to place explosives near crowds, without ever being there himself.”

    According to Rubalcava the reaction to the first car bombing using an AV is going to be massive, and it’s going to be stupid. There will be calls for the government to issue a stop to all AV operations, much in the same way that the FAA made the unprecedented order to ground 4,000-plus planes across the nation after 9/11.

    A Roadmap for a World Without Drivers
    https://medium.com/@alexrubalcava/a-roadmap-for-a-world-without-drivers-573aede0c968

    Reply
  39. Tomi Engdahl says:

    Linux Foundation releases PARANOID internal infosec guide
    Workstation security tips for system administrators.
    http://www.theregister.co.uk/2015/08/31/harden_like_linux_foundation/

    Linux Foundation project director Konstantin Ryabitsev has publicly released the penguinistas’ internal hardening requirements to help sysadmins and other paranoid tech bods and system administrators secure their workstations.

    The baseline hardening recommendations are designed to balance security and convenience for its many remote admins, rather than being a full-blown security document.

    The document is designed to be adapted to individual admins’ requirements, and contains explanations justifying security paranoia.

    Severity levels range from low to critical, and escalate to “paranoid” for those willing to operate in blacked-out faraday cages under more inconvenient but secure conditions.

    “You may read this document and think it is way too paranoid, while someone else may think this barely scratches the surface.

    “Security is just like driving on the highway – anyone going slower than you is an idiot, while anyone driving faster than you is a crazy person.”

    Linux workstation security checklist
    https://github.com/lfit/itpol/blob/master/linux-workstation-security.md

    Reply
  40. Tomi Engdahl says:

    Ellen Nakashima / Washington Post:
    Anonymous administration officials say US may issue sanctions against Chinese companies and individuals who have benefited from cyber theft of US trade secrets

    U.S. developing sanctions against China over cyberthefts
    https://www.washingtonpost.com/world/national-security/administration-developing-sanctions-against-china-over-cyberespionage/2015/08/30/9b2910aa-480b-11e5-8ab4-c73967a143d3_story.html

    The Obama administration is developing a package of unprecedented economic sanctions against Chinese companies and individuals who have benefited from their government’s cybertheft of valuable U.S. trade secrets.

    The U.S. government has not yet decided whether to issue these sanctions, but a final call is expected soon — perhaps even within the next two weeks.

    Issuing sanctions would represent a significant expansion in the administration’s public response to the rising wave of cyber-economic espionage initiated by Chinese hackers, who officials say have stolen everything from nuclear power plant designs to search engine source code to confidential negotiating positions of energy companies.

    The White House declined to comment on specific sanctions, but a senior administration official, speaking generally, said: “As the president said when signing the executive order enabling the use of economic sanctions against malicious cyber actors, the administration is pursuing a comprehensive strategy to confront such actors. That strategy includes diplomatic engagement, trade policy tools, law enforcement mechanisms, and imposing sanctions on individuals or entities that engage in certain significant, malicious cyber-enabled activities. The administration has taken and continues to introduce steps to protect our networks and our citizens in cyberspace, and we are assessing all of our options to respond to these threats in a manner and timeframe of our choosing.”

    China is not the only country that hacks computer networks for trade secrets to aid its economy, but it is by far the most active, officials say. Just last month, the FBI said that economic espionage cases surged 53 percent in the past year, and that China accounted for most of that.

    The expected sanctions move will send two signals, a second administration official said. “It sends a signal to Beijing that the administration is going to start fighting back on economic espionage, and it sends a signal to the private sector that we’re on your team. It tells China, enough is enough.”

    Reply
  41. Tomi Engdahl says:

    Dan Goodin / Ars Technica:
    Former FireEye intern pleads guilty to developing Dendroid spyware for Android; sentencing scheduled for Dec. 2

    Former security intern admits developing super-stealthy Android spyware
    Dendroid cost $300, made it easy to take pictures and record audio and video.
    http://arstechnica.com/security/2015/08/former-security-intern-admits-developing-super-stealthy-android-spyware/

    A former intern at security firm FireEye has admitted in federal court that he designed a malicious software tool that allowed attackers to take control of other Android phones so they could spy on their owners.

    Morgan Culbertson, 20, pleaded guilty to federal charges involving Dendroid, a software tool that provided everything needed to develop highly stealthy apps that among other things took pictures using the phone’s camera, recorded audio and video, downloaded photos, and recorded calls. According to this 2014 blog post from Android security firm Lookout, at least one app built with Dendroid found its way into the official Google Play market, in part thanks to code that helped it evade detection by Bouncer, Google’s anti-malware screening system.

    Culbertson, who last month was one of 70 people arrested in an international law enforcement sting targeting the Darkode online crime forum, said in a LinkedIn profile that he spent four months at FireEye.

    Reply
  42. Tomi Engdahl says:

    Parker Higgins / Electronic Frontier Foundation:
    Aborted Wikipedia ban in Russia and GitHub ban in China show how HTTPS encryption can limit censorship as governments are reluctant to block the entire sites

    Russia’s Wikipedia Ban Buckles Under HTTPS Encryption
    https://www.eff.org/deeplinks/2015/08/russias-wikipedia-ban-buckles-under-https-encryption

    Dueling forces of encryption and government censorship came to a head in Russia this week in the form of an order to block Wikipedia. One Wikipedia article in particular (about charas hashish) was deemed to run afoul of the country’s restrictions on content related to drugs. This is just the latest in a deeply troubling campaign of censorship—but because the Wikimedia Foundation uses HTTPS-encrypted connections for all of its sites, the government was left with only the option of ordering the entire site blocked, or leaving the offending page accessible.

    That’s because HTTPS encryption protects not just the contents of the communications between browsers and the web sites they’re visiting, but also the specific pages on those sites—in other words, everything “after the slash” in a URL.

    Contrast that to when you visit an unencrypted site, like a New York Times article: that connection can be monitored by your ISP, the network operator (like your employer, if you’re on a work network), or even others on the same wireless connection. There are obvious privacy implications here—after all, that’s a lot of people who can look over your shoulder—but also, if you combine that eavesdropping ability with a governmental power to mandate blocks, the result is censorship that can be very granular. Visits to a particular page can be identified and blocked; even keywords in the text of a web page can trigger censorship.

    That leads to the argument that granular censorship is preferable in certain cases, because more material is allowed to stay up and accessible. A major counter-argument to that point has long been that blocking large chunks of the Internet is more disruptive, and not as easily enforced, and so less likely to happen at all. Extreme censorship measures are more visible: they encourage residents in those countries to note the existence of censorship, and learn about and adopt censorship circumvention technologies, which are in many cases also more secure against government snooping, and nudges governments away from blocking altogether.

    This isn’t the first time censorship efforts have been dialed back in the face of HTTPS leading to governments conspicuously overblocking. The government of China briefly suspended access to Github over a handful of software repositories, but relented in the face of public pushback. Similarly, the government of Iran has only occasionally blocked Google services, despite its now-discontinued Reader serving as a proxy for unfiltered news from the open web.

    Reply
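The EFF piece above turns on one mechanical point: over plain HTTP an on-path observer (ISP, employer network, filtering middlebox) reads the whole URL and the page text, so a filter can match one page or one keyword; over HTTPS only the hostname leaks (via the DNS lookup and the TLS SNI extension), so a filter can only match the host and must block the whole site. The following Python model of that visibility is an added example, not code from the EFF post or from the Wikimedia Foundation; the hostnames, paths and filter rules in it are constructed for illustration.

```python
"""Added example (not part of the original post): which parts of a web request
a passive on-path observer can read, and how that limits filter granularity.

Plain HTTP: hostname, path, query string and page text are all visible.
HTTPS: only the hostname leaks (DNS and TLS SNI); path and body are encrypted.
All hostnames, paths and rules below are constructed for illustration."""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Observed:
    """What a passive observer on the network path can read for one request."""
    host: str
    path: Optional[str]       # None when hidden by TLS
    query: Optional[str]      # None when hidden by TLS
    body_text: Optional[str]  # response text; None when hidden by TLS


def observe(url: str, response_text: str = "") -> Observed:
    """Model the plaintext an on-path observer sees for a request to `url`."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme == "https":
        # The hostname still leaks through the DNS lookup and the SNI field of
        # the TLS ClientHello; everything "after the slash" is encrypted.
        return Observed(host=host, path=None, query=None, body_text=None)
    if parts.scheme == "http":
        return Observed(host=host, path=parts.path or "/",
                        query=parts.query, body_text=response_text)
    raise ValueError(f"unsupported scheme: {parts.scheme!r}")


@dataclass(frozen=True)
class FilterRule:
    """A block rule as a network filter might express it (constructed)."""
    host: str
    path_prefix: Optional[str] = None  # None: no path condition
    keyword: Optional[str] = None      # None: no page-text condition


def matches(rule: FilterRule, seen: Observed) -> Optional[str]:
    """Return 'site' (whole-host rule fires), 'page' (granular rule fires),
    or None (rule cannot fire on what the observer can actually see)."""
    if seen.host != rule.host:
        return None
    if rule.path_prefix is None and rule.keyword is None:
        return "site"  # host-only rule: blocks the entire site
    if rule.path_prefix is not None:
        if seen.path is None or not seen.path.startswith(rule.path_prefix):
            return None  # path hidden by TLS, or a different page
    if rule.keyword is not None:
        if seen.body_text is None or rule.keyword not in seen.body_text:
            return None  # body hidden by TLS, or keyword absent
    return "page"


if __name__ == "__main__":
    rule = FilterRule("www.example.org", path_prefix="/wiki/Example_article")
    for url in ("http://www.example.org/wiki/Example_article",
                "https://www.example.org/wiki/Example_article"):
        print(url, "->", matches(rule, observe(url, "page text")))
```

Run as a script, the same page-level rule fires on the HTTP URL and cannot fire on the HTTPS URL; the only rule that still fires there is the host-only one, which is exactly the all-or-nothing choice the post describes.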
  43. Tomi Engdahl says:

    Andy Greenberg / Wired:
    Why It’s Hard to Sue the NSA: You Have to Prove It Spied on You — Here’s a big problem with secret spying programs in the US: To dismantle them with a lawsuit, someone has to prove that their privacy rights were infringed. And that proof is almost always a secret.

    Why It’s Hard to Sue the NSA: You Have to Prove It Spied on You
    http://www.wired.com/2015/08/hard-sue-nsa-prove-spied/

    Here’s a big problem with secret spying programs in the US: To dismantle them with a lawsuit, someone has to prove that their privacy rights were infringed. And that proof is almost always a secret.

    ‘The problem is that you can’t get a court to answer the question of whether a government’s activities are illegal until you prove something that the government won’t allow you to prove.’

    Reply
  44. Tomi Engdahl says:

    Elias Groll / Foreign Policy:
    How journalist Brian Krebs used publicly available information to possibly identify the Ashley Madison hacker — The Curious Case of @deuszu, the Ashley Madison Hack, and an American Journalist — As word has trickled out on the Internet of the massive breach of adultery website Ashley Madison …

    The Curious Case of @deuszu, the Ashley Madison Hack, and an American Journalist
    http://foreignpolicy.com/2015/08/27/the-curious-case-of-deuszu-the-ashley-madison-hack-and-an-american-journalist/

    On July 19, journalist Brian Krebs revealed that Ashley Madison’s servers had been hacked. That report was based on a link to a cache of Ashley Madison data he was provided by the Impact Team, the group claiming to be behind the hack. Shortly after his story posted, @deuszu tweeted the same link. And when the Impact Team posted Ashley Madison’s user data, @deuszu beat the news cycle again, scooping tech outlets Wired and Ars Technica.

    Zu’s ability to advance news of the hack has led Krebs, arguably today’s most prominent chronicler of cybercrime, to a simple conclusion: The person or people behind the @deuszu Twitter account either carried out the Ashley Madison hack or know those who did. “Here’s a person who has the inside track of what the Ashley Madison hackers have been doing,”

    In a case that has exposed the most privately held secrets of millions of people, Krebs’s investigation is notable for its total reliance on open-source material. If Zu is in fact connected to the breach, he has been astoundingly arrogant in the amount of information he has posted online, given the ease with which it has been collected by Krebs.

    The investigation itself is a fascinating case study in how morsels of online information can be pieced together to make a basically convincing case that a social media profile and those who have access to it are connected to a hacking affair that has captivated the world.

    It’s not the first time Krebs has carried out such an investigation. Following the widespread theft of credit card data from Target, Krebs identified the Ukrainian hacker Andrew Hodirevski as one of the people responsible for selling the stolen credit card information on the Internet underground.

    “One thing that I find with these malicious or criminal hackers is that they just can’t help themselves,” Krebs said, referring to their proclivity for broadcasting information about their exploits. “They have tremendous egos, and they end up digging their own graves.”

    Krebs isn’t claiming to have solved this case. “These are my observations. Are they 100 percent right? I’m sure they’re not,” he said. “Is there a pattern here that deserves more scrutiny? Yes.”

    The Ashley Madison hack has generated intense public interest and is fairly unprecedented in the recent history of massive data breaches. Stealing credit cards or social security numbers can certainly be damaging, but exposing a spouse’s desire to have an affair is a far more personal matter. Reports have surfaced of hackers trying to blackmail those whose account information has been leaked. There are even reports of suicides connected to the breach.

    Reply
  45. Tomi Engdahl says:

    Hacker Killed by Drone Was Islamic State’s ‘Secret Weapon’
    Targeting of Islamic State’s electronics expert shows how digital warfare has upset balance of power on modern battlefield
    http://www.wsj.com/article_email/hacker-killed-by-drone-was-secret-weapon-1440718560-lMyQjAxMTE1NjIxODMyMzg2Wj

    Mr. Hussain was killed by a U.S. drone strike on Tuesday while he was in a car in Raqqa, Syria, U.S. officials said. That he was targeted directly shows the extent to which digital warfare has upset the balance of power on the modern battlefield.

    Islamic State didn’t build a large cyber force like the U.S.’s National Security Agency or China’s People’s Liberation Army. Instead, it had people like Mr. Hussain, a convicted hacker whose suite of inexpensive digital tools threatened to wreak havoc on even the world’s most-powerful country. Islamic State communications described him as one of the group’s secret weapons, said one person who has seen them.

    “If you don’t have anybody who is kind of fluent in computer operations, you’ve got a problem,” said Michael Sulmeyer, a former cyberpolicy expert for the Pentagon now at the Belfer Center for Science and International Affairs at Harvard University’s John F. Kennedy School of Government. “The ballgame is pretty much the coder or the individual.”

    Reply
  46. Tomi Engdahl says:

    University student pleads guilty, faces 10 years for Android malware
    http://purplesim.com/index.php/2015/08/31/university-student-pleads-guilty-faces-10-years-for-android-malware/

    Morgan C. Culbertson, a student from Carnegie Mellon University, on Tuesday admitted in federal court to designing and attempting to promote malware that allowed users to take control of other people’s Android smartphones/tablets.

    “I’m sorry to the people to whom my software may have compromised their privacy,” Mr. Culbertson stated in pleading guilty to conspiracy to damage protected computer systems.

    He informed U.S. District Judge Maurice Cohill Jr. that he was pleading guilty because “I committed the crime” and promised that in the future he would use his expertise to protect computer users.

    Assistant U.S. Attorney James Kitchen mentioned that in 2013 Mr. Culbertson, who called himself “Android” online, conspired with another man, “Mike” from the Netherlands, to design a product known as Dendroid and sell it on Darkode, an underground web-based market for criminals and hackers.

    Reply
  47. Tomi Engdahl says:

    ‘Ultrasecure’ metal phone to launch December 18
    http://www.cnet.com/news/ultrasecure-metal-phone-to-launch-december-18/

    The Turing phone, which promises total hacker protection, goes on pre-order in September and ships in time for the holidays.

    Turing Robotic Industries isn’t the first company to attempt to build a super secure smartphone that will keep even the most agile hackers out, but it’s determined to try.

    On Thursday, the California-based company announced that three variations of its Turing Phone will ship on December 18, with pre-orders beginning September 24 for two special-edition models.

    Turing has named Foxconn, which also makes Apple’s iPhones among other brands, as its manufacturer.

    Turing Robotic Industries is just one phone brand of many new upstarts that are trying to break into the punishing world of smartphone sales, amid a general slowdown in the industry. Focusing on security is one way the brand hopes to differentiate itself from better-known mainstream companies like Samsung and LG, and in doing so gain a community following.

    http://www.turingphone.com/

    Reply
  48. Tomi Engdahl says:

    Sensory brings mobile device security through combined voice and face detection
    http://www.zdnet.com/article/sensory-brings-mobile-device-security-through-combined-voice-and-face-detection/?ftag=YHR05c7fba

    Need two-factor, biometric authentication for apps and data on mobile devices? Sensory’s TrulySecure was just certified by the FIDO Alliance as safe and secure.

    Need to keep data away from prying eyes on your smartphone or tablet? Sensory wants to help. The company announced on Thursday that its TrulySecure biometric authentication method combining both voice and facial recognition is certified by the Fast Identification Online, or FIDO, Alliance.

    Instead of relying on just one or the other biometric check, TrulySecure can work in tandem with both. A device’s camera is used to verify your visual identity while your spoken word — saying a previously captured unlock command — is used to unlock an app.

    Sensory says you can choose to rely on one or the other biometric authentication measures for apps that don’t require more robust security. Or you can beef things up by requiring both actions to open a single app.

    The choice to use a single authentication factor is useful for faster access to apps and data. And the nice part is that it can be left up to the user. Of course, when you need two-factor authentication, TrulySecure provides that option as well.

    Sensory says its security software is smart enough to detect the difference between a picture of someone compared to the actual person in front of the device camera; important since it can be easy to snap a pic of someone as a security workaround.

    Reply
  49. Tomi Engdahl says:

    Yael Grauer / Wired:
    A look at some of the real-life apps and tools used in Mr. Robot, a TV drama about hacking

    A Peek Inside Mr. Robot’s Toolbox
    http://www.wired.com/2015/08/peek-inside-mr-robots-toolbox/

    “We’re in a culture where you have access to everybody. You can text your grandmother. You can look up your high school friends on Facebook. You literally have no excuse to not be able to connect to people but yes, you can still feel loneliness.” In fact, our all-pervasive access to social media and mobile communication can actually exacerbate that loneliness, making people feel more isolated despite being more connected than ever.

    It’s within this potent cocktail of frustration and idealism that Fsociety, the show’s hacktivist collective, hopes to make its mark. “Hackers really do have these sort of extreme ideas and opinions about capitalism and the corruption of capitalism… that sort of bravado they have is kind of a badge of honor,”

    That kind of paranoia—Esmail’s included—may be irrational to some extent, but that doesn’t make it any less palpable. Esmail believes society and technology play into these fears. “[Governments and corporations] really do have the tools to follow you. They really do have the tools to monitor you, if they wanted to, so the mere fact that it exists just kind of amps that paranoia,” he says.

    DeepSound
    He used DeepSound, an audio converter tool, to hide all of the files on everyone he’s hacked—as well as his own old family photos—within WAV and FLAC audio files.

    ProtonMail
    If you assumed Elliot would run his own server or be an early adopter of Pond, episode 8’s revelation that he has a ProtonMail account may have come as a surprise. ProtonMail is a browser-based email service incorporated in Switzerland created by researchers who met at a CERN research facility.
    “One of the benefits of ProtonMail is that it’s end-to-end encryption, and it’s in a way that even the owners of ProtonMail can’t see your content, and there’s no IP logging,”

    Raspberry Pi
    A Raspberry Pi is that tiny and delightfully inexpensive computer that helps you learn programming and build your own digital toys. Turns out, it can also be used to gain remote access to HVAC systems.

    Tastic RFID Thief
    Mobley was armed with Bishop Fox’s Tastic RFID Thief, a long-range radio frequency identification (RFID) reader that saves your score on a microSD card as a text file so you can clone the badge later.

    RSA SecurID
    RSA SecurID’s two-factor authentication adds a layer of security to a company’s protected resources by requiring users to not only enter their RSA SecurID pin, but a one-time password generated within the app—which lasts only 60 seconds.

    Kali Linux
    Kali Linux, BackTrack Linux’s successor, is a Debian-based version of Linux that’s specifically built for penetration testing and security auditing and is used in multiple episodes of Mr. Robot. It’s free, open source, and pre-installed with hundreds of pen testing programs, so it’s perfect for cracking Wi-Fi passwords, bypassing anti-virus software, and testing security vulnerabilities on your network. Many of the tools used in Mr. Robot are utilized within Kali.

    John the Ripper
    Its primary purpose is to detect weak Unix passwords, but it can crack weak passwords with several thousand (or even several million) attempts per second. John the Ripper is available within the Kali Linux platform.

    Metasploit and Meterpreter
    Metasploit is an exploit development and delivery system that allows users to create and execute exploits, typically for penetration testing.
    Meterpreter is just one of several hundred payloads that can be used within Metasploit.

    Social-Engineer Toolkit
    TrustedSec’s Social-Engineer Toolkit is an open-source pen testing framework designed specifically for simulating social engineering attacks, such as phishing, spear phishing, credential harvesting, and more.

    FlexiSPY
    monitoring software on a lover’s Android phone. After gaining root privilege by using SuperSU, he installs FlexiSPY, a tool that lets you monitor other people’s device activities with an online portal.

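The RSA SecurID description above (PIN plus a short-lived one-time code) is the one mechanism in this comment worth seeing as code. The following is an added example, not code from the article, from Mr. Robot or from RSA: it implements the open RFC 4226/6238 HOTP/TOTP algorithms as a stand-in, since the actual SecurID token algorithm is proprietary and differs, and it shows the server-side check a verifier should perform: both factors compared in constant time, a small clock-skew window, and replay protection so a captured code cannot be reused inside its 60-second lifetime. The `TwoFactorVerifier` class, the demo secret, the PIN and the timestamps are all constructed for this example.

```python
"""RFC 4226 HOTP / RFC 6238 TOTP with a SecurID-style PIN + 60-second code check.

Added example; the real RSA SecurID token algorithm is proprietary and is NOT
what is implemented here. Secret, PIN and timestamps below are constructed.
"""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 60, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP where the counter is the number of elapsed time steps."""
    return hotp(secret, int(unix_time) // step, digits)


class TwoFactorVerifier:
    """Server-side verification of PIN + one-time code (hypothetical class name)."""

    def __init__(self, secret: bytes, pin: str, step: int = 60, digits: int = 6, window: int = 1):
        self._secret = secret
        self._pin = pin  # a production system would store a salted hash, never the PIN itself
        self.step = step
        self.digits = digits
        self.window = window            # accepted clock skew, in time steps, either side
        self._last_counter = -1         # highest time step already redeemed (replay protection)

    def verify(self, pin: str, code: str, unix_time: int) -> bool:
        # Evaluate both factors without short-circuiting on the PIN, so a bad PIN and a
        # bad code take the same code path and leak nothing through timing.
        pin_ok = hmac.compare_digest(pin.encode(), self._pin.encode())
        counter = int(unix_time) // self.step
        matched = None
        for delta in range(-self.window, self.window + 1):
            candidate = counter + delta
            expected = hotp(self._secret, candidate, self.digits)
            # a code is only good once: reject any step at or below the last redeemed one
            if hmac.compare_digest(expected, code) and candidate > self._last_counter:
                matched = candidate
        ok = pin_ok and matched is not None
        if ok:
            self._last_counter = matched
        return ok


if __name__ == "__main__":
    secret = b"constructed-demo-secret-for-example"   # constructed, not a real seed
    verifier = TwoFactorVerifier(secret, pin="1234")
    now = 1_700_000_000
    code = totp(secret, now)
    print("code for this 60s step:", code)
    print("first use accepted:", verifier.verify("1234", code, now))
    print("replay rejected:   ", not verifier.verify("1234", code, now))
```

The RFC 6238 reference vectors (seed `12345678901234567890`, 30-second step, 8 digits) can be used to confirm the `totp` function before wiring it to anything; the 60-second step and 6-digit default in this example only mirror the SecurID description in the comment.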
  50. Tomi Engdahl says:

    Over 225,000 Apple accounts compromised via iOS malware
    http://www.net-security.org/malware_news.php?id=3089

    Researchers from Palo Alto Networks and China-based WeipTech have unearthed a scheme that resulted in the largest known Apple account theft caused by malware. All in all, some 225,000 valid Apple accounts have been compromised.

    The theft is executed via variants of the KeyRaider iOS malware, which targets jailbroken iOS devices. Most of the victims are Chinese – the malware is distributed through third-party Cydia repositories in China – but users in other countries have also been affected (European countries, the US, Australia, South Korea, and so on).

    “The malware hooks system processes through MobileSubstrate, and steals Apple account usernames, passwords and device GUID by intercepting iTunes traffic on the device,” Palo Alto researcher Claud Xiao explained. “KeyRaider steals Apple push notification service certificates and private keys, steals and shares App Store purchasing information, and disables local and remote unlocking functionalities on iPhones and iPads.”
