Security trends for 2015

The year 2014 is coming to an end, so it is time to look ahead at what to expect from 2015 in cyber security.

Cyber security will get harder year by year. Year 2014 was much worse than 2013. Heartbleed, Bash, and POODLE vulnerabilities were just the beginning of what to expect in 2015. I expect that year 2014 was easy compared to what year 2015 will be. 2015 will prove to be a challenging year for IT security professionals. Attacks can happen anywhere and anytime and they don’t have to be major attacks by nation states. They could come from inside or outside.

According to Gartner and SecurityWeek, total information security spending will grow a further 8.2 percent in 2015 to reach $76.9 billion. Unfortunately, security investments are not keeping up with IT enhancements that are continuously widening our attack surface and making systems more vulnerable. As computer software has become the backbone of modern civilization, “hacktivists”, organized cyber criminals, state-sponsored cyber attackers, and terrorist organizations try to exploit design flaws and weaknesses in the applications in order to embarrass corporations and government agencies, and commit fraud.

Despite the high profile CryptoLocker takedown, ransomware scams remain an all-too-real threat. Crooks are developing more sophisticated encryption schemes to support their fraud.

A steady flow of software security issues will keep making headlines in 2015 as well. Serious security flaws will be found in both open source and proprietary software.

There are many people looking for a good process to develop secure software, because after-the-fact band-aiding is not a sustainable approach. If the same methods continue to be used to develop the software, retrospectively adding tests, then there will only be a very modest reduction in the flow of problems. Processes exist but have yet to be broadly applied for developing reliable and secure networking software. Traditional methods used to develop software continue to result in high failure rates. Why create insecure security?

Year 2014 was a year of cybersecurity after the NSA revelations made in 2013. There were lots of articles related to the material published. Not everything has been published yet, so I expect some new details of the NSA revelations to be published in 2015 as well, and with them new information leaks on how governmental security organizations spy on us all.

It seems like year 2014 has almost been “The Year of PoS Breaches.” Can We Learn from Big Breaches? At least companies will also face more stringent regulations: The new Payment Card Industry Data Security Standard 3.0 (PCI 3.0) will be mandatory for all businesses that store, process or transmit payment card information beginning 1 January 2015. The revamped standard includes requirements aimed at third party providers. The changes follow a string of high profile breaches. I expect that those new requirements will not result in any quick change to the situation. As more and more breach reports keep coming up, consumers are officially starting to get breach fatigue, and banks are taking breached companies to court to pay for the damages caused to them.

Public and private organizations are facing an increasing frequency and sophistication of cyber-attacks and security breaches – many of which are only discovered after the fact. McAfee Labs’ 2015 Threats Predictions report is an eye-opening read which forecasts increased levels of crime, espionage and warfare operations.  Cybercriminals are expected to use more sophisticated methods to remain hidden on a victim’s network, carrying out long-term theft of data without detection.

The article “Get Ready For The Hack Attack That Drives A Big Company Out Of Business” predicts that 2015 will be the year that some company goes out of business because it didn’t plan adequately for an attack. In the past, the most sophisticated hacks against companies were carried out by big nation-states or criminal organizations. In 2014 the Sony Pictures hack happened and showed that the motives of sophisticated hackers have changed from self-gain to destruction. Many company officers are only now becoming aware of the threat (boards of directors and C-level officers have traditionally been focused on other threats). A computerized attack can cause a lot of damage to a well prepared company, and can turn into a complete disaster from which a not so well prepared company can’t recover. The Sony attack opens new doors of risk in the area of corporate extortion.

As the Internet of Things becomes more widely used, it will be hacked more. Thus the security of the Internet of Things will be talked about more and more. IoT is one field where cyber security flaws can kill. The European Police Office (Europol) said governments are ill-equipped to counter the menace of “injury and possible deaths” spurred by hacking attacks on critical safety equipment. There are many potential dangers in transportation: many new cars are Internet connected and potentially vulnerable, SCADA systems in railways are vulnerable to attack, and airline bosses ignore cyber security concerns at their peril. Whether it is an unintentional cyber incident or a deliberate attack, security continues to be a vital part of the automation industry and it will remain, with safety, a growing area of concern for manufacturers in the coming years. Security awareness is on the rise throughout the industry. Security is becoming a business enabler that can provide manufacturers more than just an insurance policy.

Soon, almost every network will have IoT hacking in it. IDC predicts that within two years 90 per cent of global IT networks will have met IoT data theft. In a report, cybersecurity firm Fortinet expects greater threats from “denial of service attacks on assembly line, factory, industrial control systems, and healthcare and building management…resulting in revenue losses and reputation damages for organizations globally.” This opens new doors of risks in the areas of corporate extortion, altering of corporate business operations, and the extension of cyberattacks to include physical threats of harm to civilians.

Cyber warfare is becoming more and more attractive to small nations and terrorist groups. Enabled by Internet connectivity, cyber war provides more bang for the buck than investment in conventional weapons. It is cheaper for, and far more accessible to, these small nation-states than conventional weapons. It allows these countries to pull off attacks without as much risk of getting caught and without the repercussions when they are caught. There are many reasons why a nation-state or non-nation entity would pursue a cyber war program, and today many countries large and small invest in cyber warfare. Recent cyber attacks suggest that fewer resources are required to wage an attack than to defend against one. As the whole world gets connected, it just provides the details that make these attacks possible. In the not-too-distant future, warfare with traditional weaponry may take a backseat to potentially more destructive tactics: computer code attacking the companies and infrastructures, including electric grids and oil and gas pipelines, that society relies on.

It was estimated that the first online murder would happen in 2014. It did not seem to happen in 2014 as far as I know. I think it is likely that an online murder can happen in 2015. There are tools available for this to happen. Cyber-murder can happen without us knowing about it.

Mobile devices will be one of the focal points for cyber-attackers in 2015, as they present relatively easy, low-risk points of entry that can be monitored remotely for passwords, account numbers, and personal identification data. Sure, it is still relatively easy to publish malicious applications to application stores. Within the next year advanced mobile exploit kits will become available.

Mobile devices will start to play a part in denial of service attacks. Vietnam, India and Indonesia will be the distributed denial of service volcanoes of next year due to the proliferation of pwned mobiles.

Year 2014 brought encryption to mainstream smartphones (new encryption features from Apple Inc. and Google Inc.). In 2015 government organizations will try to tackle a very modern problem: password-protected encrypted cellphones. It will be a fight over surveillance as everyone starts to implement encryption.

Long predicted but always seeming to be “just around the corner,” mobile payments may finally have arrived. The underlying technologies of the coming mobile payment revolution, and alternative solutions, have been emerging for some time. Technologies playing a supporting role in this shift include encryption advances, digital currencies, biometrics, NFC, Bluetooth, QR codes, and even the use of sound wave data transfer. There will also be products marketed to prevent the different kinds of potential threats the new technologies can cause.

There is a never-ending battle between good and evil in the cyber world. Various types of attacks are successful because they are well-disguised, blend different techniques, and constantly evolve. You need Layered Security – It’s Not Just for Networks. Use a layered security architecture that supports a combination of defenses in ways attackers don’t expect and that continuously evolves protections to keep up with dynamic attacks. Traditionally these approaches have been focused on the network, but they can and should be applied to other parts of the IT system as well (start from email gateways). Email is the preferred channel for business communications and thus continues to be a vector of choice for attackers.

Threat Information Sharing Will Become Necessary for Survival. Security controls (SANS critical controls, ISO/IEC 27002, NIST Cybersecurity Framework, and the Cloud Controls Matrix) are safeguards that counteract or minimize security risks relating to digital property. The more you can automate a control, the better off you will be. Moving towards an adaptive and automated way of applying intelligence based on behavior and heuristics is clearly a step in the right direction to enable a more actionable and relevant set of controls. Threat intelligence coming from a variety of sources (security companies, the government and the open source community) is needed. Key to the success is publishing intelligence in a variety of data structures (STIX, TAXII and other standard industry formats) to best describe threats in a way that can be aggregated and understood by others.

More and more organizations are moving applications and data to IaaS/PaaS environments. Many enterprise IT departments have reason for concern: industry experts agree that moving sensitive data into the hands of third-party cloud providers expands and complicates the risk landscape in which companies operate every day. You need to understand cloud database security basics and more.

Today major players are embracing end-to-end encryption, so that about 50% of web traffic is carried by HTTPS. HTTPS-everywhere will get a boost in 2015 as a new certificate authority backed by big names on the internet, including Mozilla, Cisco and Akamai, plans to offer SSL certs at no charge starting summer 2015. This move will make it even easier for people to run encrypted, secure HTTPS websites.

Google is proposing to warn people their data is at risk every time they visit websites that do not use the “HTTPS” system. If implemented, the change would mean that a warning would pop-up when people visited a site that used only HTTP to notify them that such a connection “provides no data security”. In the short term, the biggest headache is likely to be faced by website operators who will feel forced to migrate unencrypted HTTP websites to encrypted HTTPS.

You can’t trust that normal web security technologies will guarantee safety. Your HTTPS security will be more manipulated than before. End-to-end HTTPS is generally a good security addition for end users, but it does not solve all the problems. The increased use of HTTPS has made the life of IT departments harder, because normal firewalls can’t look at what is inside encrypted HTTPS packets, so they can’t block potential security threats that are carried within HTTPS packets. There are some special corporate firewall arrangements that can intercept HTTPS traffic (they perform a kind of man-in-the-middle attack that decrypts and re-encrypts the packets on the way). So SSL communications can be intercepted and broken.

 

3,110 Comments

  1. Tomi Engdahl says:

    When Security Experts Gather to Talk Consensus, Chaos Ensues
    http://www.wired.com/2015/10/security-experts-gather-talk-consensus-chaos-ensues/

    Security researchers and vendors have long been locked in a debate over how to disclose security vulnerabilities, and there’s little on which the two sides agree. Apparently this extends even to the question of whether they should meet to hash out their disagreements.

    “The DMCA has already created a chilling effect on some research,” one participant, who asked to remain anonymous, said. “The Wassenaar agreement is [also] a problem. This is the Commerce Department. What makes you think they won’t take [information gathered from this meeting] to Congress [to get legislation passed]?”

    Reply
  2. Tomi Engdahl says:

    Dan Goodin / Ars Technica:
    Experts warned Patreon of major website flaw 5 days before breach: development error also committed on thousands of other sites allows remote code execution

    Patreon was warned of serious website flaw 5 days before it was hacked
    Even worse: Thousands of other sites are making the same facepalm-worthy mistake.
    http://arstechnica.com/security/2015/10/patreon-was-warned-of-serious-website-flaw-5-days-before-it-was-hacked/

    Five days before Patreon.com officials said their donations website was plundered by hackers, researchers at a third-party security firm notified them that a serious programming error could lead to disastrous results. The researchers now believe the vulnerability was the entry point for attackers who went on to publish almost 15 gigabytes’ worth of source code, user password data, and private messages.

    The error was nothing short of facepalm material. Patreon developers allowed a Web application tool known as the Werkzeug utility library to run on its production servers. Specifically, according to researchers at Swedish security firm Detectify, one or more of Patreon’s live Web apps—that is, the same Web apps real users relied on when visiting the real site—was running Werkzeug debugging functions. A simple query on the Shodan search service brought the goof to the attention of Detectify researchers, who in turn notified Patreon officials on September 23. Adding to their concern, the same Shodan search shows thousands of other websites making the same game-over mistake.

    Reply
  3. Tomi Engdahl says:

    Brian X. Chen / New York Times:
    Tests of top 50 news sites with three ad-blockers on iPhone show significant decrease in load times for many sites, modest increase in battery life

    Putting Mobile Ad Blockers to the Test
    http://www.nytimes.com/2015/10/01/technology/personaltech/ad-blockers-mobile-iphone-browsers.html?_r=0

    To block ads or not to block ads on your mobile device? That’s the philosophical dilemma facing consumers since Apple added support for ad blockers to its iPhone operating system a couple of weeks ago.

    To help answer the question, we decided to put multiple ad blockers to the test. Over the course of four days, we used several ad-blocking apps on our iPhones and measured how much the programs cut down on web page data sizes and improved loading times, and also how much they increased the smartphone’s battery life.

    We will get to the results in a minute, after a quick primer on the ethical debate surrounding ad blocking. While such technology has existed for years — it has long been available on PC browsers — ad blockers are new for iPhones and iPads. Using the blockers is easy: You download one of the programs from the App Store and then set your Safari web browser to enable the blocking. Ads are choked off inside the browser when you load mobile websites, but the blockers do not stop ads from appearing in apps.

    If anything, ad blockers increase transparency into the different paths that publishers take when integrating ads into their websites. Some publishers appear to carefully consider how ads affect the performance of your device, while others either do not care or lack the resources to do so.

    As for me, the test results spurred me to keep Purify enabled on my iPhone. While I’m browsing, the app lets me easily denote a website whose ads I want to allow to be shown, an action known as “whitelisting.”

    That means the websites I enjoy visiting that have slimmer ads — like TheGuardian.com, and, ahem, NYTimes.com — will be whitelisted. But sites saddled with ads that belong in digital fat camp will remain blocked for the sake of my data plan.

    Reply
  4. Tomi Engdahl says:

    ATM Skimmer Gang Firebombed Antivirus Firm
    http://krebsonsecurity.com/2015/09/atm-skimmer-gang-firebombed-antivirus-firm/

    It’s notable whenever cybercrime spills over into real-world, physical attacks. This is the story of a Russian security firm whose operations were pelted with Molotov cocktail attacks after exposing an organized crime gang that developed and sold malicious software to steal cash from ATMs.

    The threats began not long after December 18, 2013, when Russian antivirus firm Dr.Web posted a writeup about a new Trojan horse program designed to steal card data from infected ATMs. Dr.Web received an email warning the company to delete all references to the ATM malware from its site.

    The anonymous party, which self-identified as the “International Carders Syndicate,” said Dr.Web’s ATM Shield product designed to guard cash machines from known malware “threatens activity of Syndicate with multi-million dollar profit.”

    The threat continued:

    “Hundreds of criminal organizations throughout the world can lose their earnings. You have a WEEK to delete all references about ATM Skimmer from your web resource. Otherwise syndicate will stop cash-out transactions and send criminal for your programmers’ heads. The end of Doctor Web will be tragic.”

    In an interview with KrebsOnSecurity, Dr.Web CEO Boris Sharov said the company did not comply with the demands. On March 9, 2014, someone threw a Molotov cocktail at the office of a third-party company that was distributing Dr.Web’s ATM Shield product. Shortly after that, someone attacked the same office again.

    After a third attack on the St. Petersburg office, a suspect who was seen running away from the scene of the attack was arrested but later released because no witnesses came forward to confirm he was the one who threw the bomb.

    Sharov said Dr.Web analysts believe the group that threatened the attacks were not cyber thieves themselves but instead an organized group of programmers that had sold — but not yet delivered — a crimeware product to multiple gangs that specialize in cashing out hacked ATM cards.

    “We think this group got very nervous by the fact that we had published exactly what they’d done, and it was very untimely for them, they were really desperate,”

    Reply
  5. Tomi Engdahl says:

    Bidding for Breaches, Redefining Targeted Attacks
    http://krebsonsecurity.com/2015/09/bidding-for-breaches-redefining-targeted-attacks/

    A growing community of private and highly-vetted cybercrime forums is redefining the very meaning of “targeted attacks.” These bid-and-ask forums match crooks who are looking for access to specific data, resources or systems within major corporations with hired muscle who are up to the task or who already have access to those resources.

    A good example of this until recently could be found at a secretive online forum called “Enigma,” a now-defunct community that was built as kind of eBay for data breach targets. Vetted users on Enigma were either bidders or buyers — posting requests for data from or access to specific corporate targets, or answering such requests with a bid to provide the requested data. The forum, operating on the open Web for months until recently, was apparently scuttled when the forum administrators (rightly) feared that the community had been infiltrated by spies.

    “On Enigma, members post a bid and call on people to attack certain targets or that they are looking for certain databases for which they are willing to pay,” Jolles said. “And people are answering it and offering their merchandise.”

    Those bids can take many forms, Jolles said, from requests to commit a specific cyberattack to bids for access to certain Web servers or internal corporate networks.

    “I even saw bids regarding names of people who could serve as insiders,” she said. “Lists of people who might be susceptible to being recruited or extorted.”

    BLURRING GEOGRAPHIC BOUNDARIES

    In some respects, the above-mentioned forums — as exclusive as they appear to be — are a logical extension of cybercrime forum activity that has been maturing for more than a decade.

    As I wrote in my book, Spam Nation: The Inside Story of Organized Cyber Crime — From Global Epidemic to Your Front Door, “crime forums almost universally help lower the barriers to entry for would-be cybercriminals. Crime forums offer crooks with disparate skills a place to market and test their services and wares, and in turn to buy ill-gotten goods and services from others.”

    Reply
  6. Tomi Engdahl says:

    Dan Goodin / Ars Technica:

    Experts warned Patreon of major website flaw 5 days before breach: a development error also committed on thousands of other sites allows remote code execution — Patreon was warned of serious website flaw 5 days before it was hacked — Even worse: Thousands of other sites are making the same facepalm-worthy mistake.

    Patreon was warned of serious website flaw 5 days before it was hacked
    Even worse: Thousands of other sites are making the same facepalm-worthy mistake.
    http://arstechnica.com/security/2015/10/patreon-was-warned-of-serious-website-flaw-5-days-before-it-was-hacked/

    Results of a Shodan search performed on September 11 made it clear Patreon was vulnerable to code-execution attacks.

    The error was nothing short of facepalm material. Patreon developers allowed a Web application tool known as the Werkzeug utility library to run on a public-facing subdomain. Specifically, according to researchers at Swedish security firm Detectify, one or more of Patreon’s live Web apps on zach.patreon.com was running Werkzeug debugging functions. A simple query on the Shodan search service brought the goof to the attention of Detectify researchers, who in turn notified Patreon officials on September 23. Adding to their concern, the same Shodan search shows thousands of other websites making the same game-over mistake.

    Reply
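A defender-side check for the mistake described in the two Patreon comments above (Werkzeug debugging functions left enabled on a live web app), added here as an example; it is not code from the quoted articles, Detectify or Patreon. The function name and both sample entrypoint files are constructed for illustration, and the check only catches literal `True` values in Python source.

```python
import ast

# Keyword arguments that switch on the Werkzeug debugger / interactive console:
# Flask.run(debug=...), werkzeug.serving.run_simple(use_debugger=..., use_evalex=...)
DEBUG_KEYWORDS = {"debug", "use_debugger", "use_evalex"}


def _is_true(node):
    """True when the AST node is the literal constant True."""
    return isinstance(node, ast.Constant) and node.value is True


def _call_name(func):
    """Rightmost name of a call target, e.g. app.run -> 'run'."""
    if isinstance(func, ast.Attribute):
        return func.attr
    if isinstance(func, ast.Name):
        return func.id
    return ""


def _subscript_key(node):
    """String key of a subscript such as config["DEBUG"], else None."""
    sl = node.slice
    if sl.__class__.__name__ == "Index":  # Python 3.8 and older
        sl = sl.value
    return sl.value if isinstance(sl, ast.Constant) else None


def find_debugger_enablement(source, filename="<entrypoint>"):
    """Return sorted (line, reason) findings for code that enables the debugger."""
    findings = []
    for node in ast.walk(ast.parse(source, filename=filename)):
        if isinstance(node, ast.Call):
            name = _call_name(node.func)
            if name == "DebuggedApplication":
                # Wrapping the WSGI app in the debugger middleware is a finding
                # on its own, whatever arguments it is given.
                findings.append((node.lineno, "app wrapped in DebuggedApplication"))
                continue
            for kw in node.keywords:
                if kw.arg in DEBUG_KEYWORDS and _is_true(kw.value):
                    findings.append((node.lineno, f"{name}({kw.arg}=True)"))
        elif isinstance(node, ast.Assign) and _is_true(node.value):
            for target in node.targets:
                if isinstance(target, ast.Attribute) and target.attr == "debug":
                    findings.append((node.lineno, "attribute debug set to True"))
                elif (isinstance(target, ast.Subscript)
                      and _subscript_key(target) == "DEBUG"):
                    findings.append((node.lineno, 'config["DEBUG"] set to True'))
    return sorted(findings)


# Constructed sample: an entrypoint that would ship the debugger to production.
SAMPLE_PRODUCTION_ENTRYPOINT = '''\
from flask import Flask
from werkzeug.debug import DebuggedApplication

app = Flask(__name__)
app.config["DEBUG"] = True
app.wsgi_app = DebuggedApplication(app.wsgi_app, evalex=True)

if __name__ == "__main__":
    app.run(host="0.0.0.0", debug=True)
'''

# Constructed sample: the same app with the debugger left out.
SAMPLE_HARDENED_ENTRYPOINT = '''\
from flask import Flask

app = Flask(__name__)
app.config["DEBUG"] = False
# Served by a production WSGI server; no app.run(debug=...) here.
'''

if __name__ == "__main__":
    for line, reason in find_debugger_enablement(SAMPLE_PRODUCTION_ENTRYPOINT):
        print(f"line {line}: {reason}")
```

Run as a pre-deploy or CI step over the application's entrypoint and configuration modules, a non-empty result is a reason to fail the build.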
  7. Tomi Engdahl says:

    Jai Vijayan / darkREADING:
    Researchers find curious Linux.Wifatch malware on tens of thousands of routers and IoT devices that appears to be securing infected systems

    And Now A Malware Tool That Has Your Back
    http://www.darkreading.com/vulnerabilities---threats/and-now-a-malware-tool-that-has-your-back/d/d-id/1322451

    In an unusual development, white hat malware is being used to secure thousands of infected systems, not to attack them, Symantec says.
    Security researchers at Symantec have been tracking a malware tool that, for a change, most victims wouldn’t actually mind having infect their systems–or almost, anyway.

    The threat dubbed Linux.Wifatch compromises home routers and other Internet-connected consumer devices. But unlike other malware, this one does not steal data, snoop silently on victims, or engage in other similar malicious activity.

    Instead, the author or authors of the malware appear to be using it to actually secure infected devices. Symantec believes the malware has infected tens of thousands of routers and other IoT systems around the world. Yet, in the two months that the security vendor has been tracking Linux.Wifatch it has not seen the malware tool being used maliciously even once.

    Wifatch has one module that attempts to detect and remediate any other malware infections that might be present on a device that it has infected. “Some of the threats it tries to remove are well known families of malware targeting embedded devices,” Ballano wrote.

    Another module appears designed specifically to protect Dahua DVR and CCTV systems. The module allows Wifatch to set the configuration of the device so as to cause it to reboot every week, presumably as a way to get rid of any malware that might be present or running on the system.

    Most Wifatch infections that Symantec has observed have been over Telnet connections to IoT devices with weak credentials, according to the vendor.

    In keeping with its vigilante role, once Wifatch infects a device it tries to prevent other malicious attackers from doing the same by shutting down the Telnet service. It also connects to a peer-to-peer network to receive periodic updates.

    Wifatch is mostly written in Perl and targets IoT devices based on ARM, MIPS and SH4 architectures. The hitherto white hat malware tool ships with a separate static Perl interpreter for each targeted architecture.

    “Whether the author’s intentions are to use their creation for the good of other IoT users—vigilante style—or whether their intentions are more malicious remains to be seen,” the researcher said.

    Router infections can be hard for end users to detect. However, it is possible to get rid of Wifatch on an infected device simply by rebooting it. Users should also consider updating their device software and changing default passwords on home routers and IoT devices, Ballano said.

    Reply
  8. Tomi Engdahl says:

    Security
    Russian hacker, nabbed in Spain, cops 4+ years for Citadel botnet
    Should have stayed under the skirt of Mother Russia. Just a thought
    http://www.theregister.co.uk/2015/09/30/rainerfox_sentenced/

    Dimitry Belorossov – a Russian cyber-criminal who used the Citadel banking trojan – has been sentenced to four years and six months in a US prison after pleading guilty to conspiring to commit computer fraud.

    Belorossov, who was known by criminal associates as Rainerfox, was alleged to have operated a Citadel command and control server.

    The Russian controlled over 7,000 victim computers, stated an initial court document, which declared his sentencing was scheduled for 27 May.

    “As malware and hacking toolkits continue to victimise computer users around the world, we will step up our efforts to focus internationally on the criminals who develop these programs,” stated Horn.

    Belorossov, 22, will have to pay roughly $320,000 in restitution to his victims, and will spend three years under supervised release following his four and a half years in prison. A large number of the court documents from USA vs Dimitry Belorossov remain sealed.

    Reply
  9. Tomi Engdahl says:

    Malware Investigator
    http://malwareinvestigator.gov/

    Malware Investigator is a tool that provides users the ability to submit suspected malware files and within as little as an hour, receive detailed technical information about what the malware does and what it may be targeting.

    Through Malware Investigator, the FBI will lead a collaborative effort with members of the law enforcement community, academia, and the private sector, to protect businesses deemed critical to the nation’s infrastructure. Malware Investigator will provide its users a trusted venue in which to investigate, analyze, study, and collaborate about malware threats.

    Why it’s Important: Impact!

    Malware is the chief instrument of cyber attacks today. Following the exponential growth of malware variants in the past ten years, organizations dedicated to reducing cyber incidents must have a means to quickly understand the functionality and characteristics of suspicious files, and also have the ability to collaborate these results with others. Whether it be for law enforcement officers pursuing cyber criminals, IT professionals seeking to mitigate attacks, or researchers understanding the cyber threat landscape, Malware Investigator provides its users with a powerful system to help accomplish these goals.

    Reply
  10. Tomi Engdahl says:

    GitHub Launches Support For U2F Security Keys
    http://techcrunch.com/2015/10/01/github-launches-support-for-u2f-security-keys/

    Today at its first user conference, GitHub Universe, GitHub announced that it’s launching support for FIDO Universal 2nd Factor (U2F) security keys from companies like Yubico and others. These physical USB keys automatically generate a second-factor code for you when you plug them in, so you no longer have to enter a six-digit code from Google Authenticator, Authy and similar apps.

    Two-factor authentication makes it very hard for attackers to launch a phishing or man-in-the-middle attack against you, but they can’t completely eradicate this threat either. Using a U2F security key adds another layer of protection, because the key won’t exchange information with any other site but the one you already authorized when you first set it up. This only works with Google Chrome, though, because other browsers don’t feature built-in U2F support yet.

    GitHub already supported two-factor authentication through apps like Authenticator and over SMS. The company’s VP of security Shawn Davenport told me that about 300,000 of GitHub’s 11 million users currently use two-factor authentication. To increase this number — and jumpstart the adoption of security keys on GitHub — the company has partnered with Yubico, and it’s allowing the first 5,000 buyers to purchase keys for $5 and is offering a 20 percent discount for those who miss the cutoff.

    Reply
  11. Tomi Engdahl says:

    ‘I’m disappointed’: Zoe Quinn Speaks Out on UN Cyberviolence Report
    http://motherboard.vice.com/read/im-disappointed-zoe-quinn-speaks-out-on-un-cyberviolence-report?trk_source=popular

    On September 24th, video game developer Zoe Quinn and cultural critic Anita Sarkeesian, both targets of Gamergate, testified in front of the United Nations about online harassment. The same day, the United Nations Broadband Commission released the report “Cyber Violence Against Women and Girls,” which instantly sparked controversy for its claims that video games cause violence, among other things.

    So do anti-harassment activists think video games cause violence?

    “Overall, I’m disappointed in it,” Quinn said to me in an email about the report. “It’s an important subject that deserves to be addressed but how it’s addressed matters just as much, if not more. Unfortunately, it feels like the issues with the report might have ultimately kneecapped an otherwise potentially useful resource.”

    The report has come under fire for its troublingly broad purview as well as its reliance on dubious sources to make controversial claims—one of which is the claim that violent video games and movies cause violence.

    UN report cites research about how video games are turning kids into “killing zombies”

    The quoted phrase “killing zombies” is sourced from this extremely questionable article from 2000 that links school shootings to video games.

    The links between video games and violence are deeply controversial, and the science behind such claims—even when framed within less ridiculous articles—is very much contested.

    “Sex trafficking, sex work, and pornography should not have been included in a report about online abuse,” Harper told me. “It was a distraction from other valid concerns that should have been covered more thoroughly.”

    “I’m grateful that the UN is taking notice of the very real problems of online abuse, and I was thankful to see stories from all across the globe as well,” Quinn told me. “More data that looks at online abuse as it manifests in different ways is always a good thing. However, it’s unfortunate that the report has so many problems between needlessly bringing in video games as a scapegoat… and trying to cram a huge, complex issue like sex trafficking into general online abuse issues.”

    Reply
  12. Tomi Engdahl says:

    Data breach affected 4.6 million customers – company knew nothing

    When a network service is breached, its operators should openly tell what happened, so that customers can take measures to protect their data. This is what, for example, the financial service Patreon did after it was broken into on Monday. Within a short time, all of its customers had been sent a message about the incident. But things do not always go so smoothly. One such case is Scottrade, a US provider of investment services.

    Scottrade leaked information into the hands of cyber criminals for several months at the end of 2013 and the beginning of 2014. The leak affected 4.6 million of the company’s clients – many of whom were playing with big sums of money.

    In its statement to the media, Scottrade said that it was unaware of the break-in until the authorities contacted it in August. The company waited until October before telling customers anything, because, in its own words, the firm wanted to complete its investigation.

    Source: http://www.tivi.fi/Kaikki_uutiset/tietomurto-koski-4-6-miljoonaa-asiakasta-firma-ei-tiennyt-mitaan-6001984

    Reply
  13. Tomi Engdahl says:

    Experian-T-Mobile US hack: ‘We trusted them, now that trust is broken’
    Who guards the cyber-guards?
    http://www.theregister.co.uk/2015/10/02/experian_t_mobile_breach_analysis/

    The IT security breach that spilt the personal details of an estimated 15 million T-Mobile US phone contract applicants has thrown a new spotlight on the risks of breaches at third-party companies.

    T-Mobile’s own systems weren’t compromised. Rather, the source of the leak was Experian, the company that processed the carrier’s credit applications.

    Experian reckons the data lifted from its computers included names, addresses, and dates of birth that were stored unencrypted. No payment card or banking information was leaked. But the hacked databases also included encrypted fields containing such information as “Social Security number and ID number (such as driver’s license or passport number), and additional information used in T-Mobile’s own credit assessment” – and “encrypted” may actually be too strong a word.

    “Experian has determined that this encryption may have been compromised. We are working with Experian to take protective steps for all of these consumers as quickly as possible,” T-Mobile US chief exec John Legere said in a letter to customers.

    The leak was an “isolated incident over a limited period of time,” according to Experian – where “limited period” should be taken to mean several years. Unidentified hackers obtained access to a server that contained personal information for consumers who applied for T-Mobile USA postpaid services between September 1, 2013 and September 16, 2015. Law enforcement agencies have been notified.

    Reply
  14. Tomi Engdahl says:

    Hackers hid Carphone Warehouse breach with DDoS smokescreen – report
    Crims aim to cause just enough chaos to get in and out
    http://www.theregister.co.uk/2015/08/11/carphone_warehouse_ddos_before_giant_data_breach/

    Hackers reportedly swamped Carphone Warehouse with junk traffic as a smokescreen, before breaking into systems and stealing the personal details of 2.4m customers.

    Up to 90,000 customers may also have had their encrypted credit card details accessed, the UK-based mobile phone reseller admitted at the weekend. Customers with accounts at OneStopPhoneShop.com, e2save.com and mobiles.co.uk are understood to have been potentially affected by the data breach.

    An unnamed source with knowledge of the attack on Carphone Warehouse told the Daily Telegraph that its online systems were getting swamped with junk traffic in the run-up to the discovery of the breach last Wednesday (August 5).

    Cyber-crooks run DDoS attacks while carrying out more significant data breaches, either to keep security response staff too busy to follow up alerts that can provide an early warning sign of intrusion, or to trick them into relaxing security controls such as firewall rules.

    Reply
  15. Tomi Engdahl says:

    UK gets the Ashley Madison fear: Data privacy moans on the up
    No one needs to know about my gardening mag habit
    http://www.theregister.co.uk/2015/10/05/uk_data_privacy_complaint_rise/

    Consumer complaints about the way personal data is handled increased by 30 per cent from 2013 to 2014, according to figures from Pinsent Masons, acquired via several Freedom of Information requests to the Information Commissioners Office (ICO).

    Pinsent Masons said the increase in consumer complaints highlights increasing levels of public unease over how big business and other organisations store personal information.

    High profile attacks on corporations such as Sony and Target, and the recent damaging attack on infidelity site Ashley Madison, have raised public awareness about how personal data is treated, the law firm claims.

    “Information security isn’t a new issue; businesses have always had a responsibility to protect customer data. But as consumers are increasingly finding themselves left exposed as a result of cyber attacks, concern is clearly growing,” said Luke Scanlon, technology lawyer at the firm.

    “The chances are that they wouldn’t be making these complaints without having been directly impacted in some way,” he added.

    Businesses can be fined up to £500,000 by the ICO under the Data Protection Act if the regulator finds that the company has failed to take appropriate measures to protect customer information.

    “We’re definitely seeing the cyber-attack threat moving up the corporate food chain to being a C-suite issue. Nobody wants to be the one who gets hit, and many bluechips are now role-playing what happens in that scenario,”

    Around 90 per cent of large organisations and 74 per cent of small businesses experienced information security breaches in the past year, according to a UK government-commissioned survey published in June 2015. However, it is not currently mandatory to report data breaches.

    Reply
  16. Tomi Engdahl says:

    Amazon boards windows against leet key-stealing neighbours
    Want security? No no no don’t go co-lo.
    http://www.theregister.co.uk/2015/10/02/amazon_boards_windows_against_leet_keystealing_neighbours/

    Amazon has patched a vulnerability that could have let users steal the RSA keys of other co-located customers.

    The complex attack – getting to CPU code cache isn’t trivial – would, if successful, give an attacker a whole 2048-bit key used in other Elastic Compute Cloud instances.

    Worcester Polytechnic Institute researchers reported the flaw to Amazon and described the work in the paper “Seriously, get off my cloud! Cross-VM RSA Key Recovery in a Public Cloud” [pdf].

    They say their “full-fledged” attack exploits new subtle leaks and attack vectors and is a further reminder of the need to better isolate cloud instances.

    “The cross-VM leakage is present in public clouds and can become a practical attack vector for both co-location detection and data theft,” they say.

    “Therefore, users have a responsibility to use latest improved software for their critical cryptographic operations.”

    Public cloud providers should enact placement policies for public cloud to reduce the attack vectors, and use smarter cache management policies at hardware and software levels.

    Seriously, get off my cloud!
    Cross-VM RSA Key Recovery in a Public Cloud
    https://eprint.iacr.org/2015/898.pdf

    Reply
  17. Tomi Engdahl says:

    Nuclear power plant bosses not too cyber-security savvy – report
    No ‘executive-level awareness’ + legacy issues = quite worrying
    http://www.theregister.co.uk/2015/10/05/nuclear_plants_cyber_denial_man_in_the_middle/

    The nuclear industry is ignorant of its cybersecurity shortcomings, claimed a report released today, and despite understanding the consequences of an interruption to power generation and the related issues, cyber efforts to prevent such incidents are lacking.

    Nuclear plants don’t understand their cyber vulnerability, stated the Chatham House report, which found industrial, cultural and technical challenges affecting facilities worldwide. It specifically pointed to a “lack of executive-level awareness”.

    The study was conducted over an 18-month period and involved 30 interviews with “experts from several different countries, including the US, UK, Canada, France, Germany, Japan, Ukraine and Russia.”

    Among its more frightening discoveries is that the notion “nuclear facilities are ‘air gapped’” is a “myth”, as “the commercial benefits of internet connectivity mean[s] that nuclear facilities” are increasingly networked.

    Cybersecurity problems facing the industry largely result from legacy issues. As most industrial control systems at nuclear facilities were developed in the 1960s and 1970s (“when computing was in its infancy”) cybersecurity was not a consideration in their design.

    “One example of the ‘insecure by design’ nature of industrial control systems is the lack of authentication and verification,” found the report. This obedience leaves nuclear facilities’ control systems “particularly vulnerable to man-in-the-middle attacks that alter the communication between two devices”.

    The report (PDF) details seven “known cyber security incidents at nuclear facilities” between 1992 and 2014:

    At Ignalina nuclear power plant (1992) in Lithuania, a technician intentionally introduced a virus into the industrial control system, which he claimed was “to highlight cyber security vulnerabilities”.
    The Davis-Besse nuclear power plant (2003) in Ohio was infected by the Slammer worm which disabled a safety monitoring system for almost five hours.
    The Browns Ferry nuclear power plant (2006) in Alabama experienced a malfunction of both the reactor recirculation pumps and the condensate demineraliser controller (a type of PLC).
    The Hatch nuclear power plant (2008) was shut down as an unintended consequence of a contractor’s software update.
    An unnamed Russian nuclear power plant (circa 2010) was revealed by Eugene Kaspersky to have been “badly infected by Stuxnet”.
    South Korea’s Korea Hydro and Nuclear Power Co. commercial network (2014) was breached, and information was stolen. The attack was subsequently attributed to North Korea.
    Natanz nuclear facility and Bushehr nuclear power plant (2010)

    The most well-known incident dated back to 2010, when a worm was found to be burrowing into industrial Supervisory Control And Data Acquisition (SCADA) systems on a global level.
    Dubbed Stuxnet, the worm was programmed to remain dormant unless it detected the particular hardware fingerprint of an industrial software system manufactured by Siemens.

    “The point is that risk is probability times consequence. And even though the probability might be low, the consequence of a cyber incident at a nuclear plant is extremely high.”

    Cyber Security at Civil Nuclear Facilities: Understanding the Risks
    https://www.chathamhouse.org/publication/cyber-security-civil-nuclear-facilities-understanding-risks

    Reply
  18. Tomi Engdahl says:

    Experian hack: T-Mobile customer data is already on sale on the dark web
    OK, maybe it is time to press the panic button
    http://www.theinquirer.net/inquirer/news/2428677/experian-hack-puts-15-million-t-mobile-punters-at-risk

    DATA HACKED FROM EXPERIAN is already on sale on the dark web and is available for grabbing by bad actors, phishers, malware writers and ID thieves.

    Security firm Trustev is credited with the dark web discovery, although it is very possible that the underworld got to it first. Trustev and the internet are calling the dump a fullz, which means that it contains a lot of personal information.

    T-Mobile customers make up a chunk of the potentially affected 15 million victims.

    “The data included some personally identifiable information for approximately 15 million consumers in the US, including those who applied for T-Mobile USA postpaid services or device financing from 1 September 2013 through 16 September 2015, based on Experian’s investigation to date.”

    Affected punters are being contacted and will be offered credit services, including two years of credit monitoring (although this may have lost some of its shine), and some identity protection services through its own ProtectMyID service.

    Experian recommended that these services are embraced.

    Reply
  19. Tomi Engdahl says:

    Hacked Mattel Toy Can Open Garage Doors in Seconds
    Security researcher Samy Kamkar can crack some garage door codes using a hacked Mattel children’s toy called IM-ME.
    http://www.securitysales.com/article/hacked_mattel_toy_can_open_garage_doors_in_seconds

    LOS ANGELES — A security researcher has revealed that a hacked Mattel children’s toy can become a universal garage door opener.

    Some garages are protected by a code that is equivalent to a two-character security password, WIRED reports.

    Kamkar built Open Sesame from a discontinued Mattel toy called the IM-ME, a little pocket computer that let kids chat with nearby friends. Kamkar was able to hack the device using an open source hardware attachment and a cheap antenna.

    An ordinary garage-door opener cycling through all the 4,096 combinations could take at least 29 minutes, according to Kamkar. However, the hacking tools developed for the IM-me allowed him to get that time down to less than 10 seconds, Tom’s Guide reports.

    Kamkar first used the device at his newly built Los Angeles-based condo, where he discovered that his own garage door was vulnerable to Open Sesame’s attack

    Hacked Child’s Toy Opens Your Garage Door in Seconds
    http://www.tomsguide.com/us/garage-door-hack-childs-toy,news-21060.html

    As if you couldn’t tell from the fun Samy Kamkar has had hacking Master Lock combinations, he doesn’t like being told that something is off-limits. That unstoppable quest for new frontiers has now led Kamkar to your garage door, which he might be able to open with a child’s toy before you’ve finished reading this sentence. Or, in more technical terms, in under 10 seconds.

    Not only can Kamkar — a Los Angeles-based independent hacker, developer and consultant — open any garage door that uses a hard-wired, fixed-code password, but his only weapon is the aforementioned children’s toy, a discontinued product called the IM-me that was marketed by Mattel to replicate texting on a single-use device for young girls.

    This Hacked Kids’ Toy Opens Garage Doors in Seconds
    http://www.wired.com/2015/06/hacked-kids-toy-opens-garage-doors-seconds/

    Americans’ garages, those sacred suburban havens of automobiles and expensive tools, are probably more important to us than many of our online accounts. But some garages are only protected by a code whose security is equivalent to a two-character password. And security researcher Samy Kamkar can crack that laughable safeguard in seconds, with little more than a hacked child’s toy.

    OpenSesame
    http://samy.pl/opensesame/

    OpenSesame is a device that can wirelessly open virtually any fixed-code garage door in seconds, exploiting a new attack I’ve discovered on wireless fixed-pin devices. Using a child’s toy from Mattel.

    Source code: https://github.com/samyk/opensesame

    Vulnerable Vendors: The following vendors appear to directly sell (obviously) insecure products as of June 4, 2015:

    Nortek / Linear / Multi-Code, example product
    NSCD/North Shore Commercial Door, example product

    Previously Vulnerable Vendors: The following vendors have old models that are vulnerable, but current models appear secure from these attacks (or are no longer offered):

    Chamberlain
    Liftmaster
    Stanley
    Delta-3
    Moore-O-Matic

    Prevention: If you are using a gate or garage which uses “fixed codes”, to prevent this type of attack, ensure you upgrade to a system which clearly states that it’s using rolling codes, hopping codes, Security+ or Intellicode. These are not foolproof from attack, but do prevent the OpenSesame attack along with traditional brute forcing attacks.

    Reply
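The prevention advice in the OpenSesame excerpt above (move from fixed codes to rolling codes) can be seen in a small simulation; this is an added example, not code from the comment or from the OpenSesame project. The counter-plus-truncated-HMAC scheme, the class names and the key are assumptions chosen for illustration and are not the actual Security+ or Intellicode algorithms.

```python
"""Fixed-code vs rolling-code receivers (in-memory simulation, no radio I/O)."""
import hashlib
import hmac

FIXED_CODE_BITS = 12  # 2**12 = 4,096 combinations, the figure quoted above


def keyspace(bits: int) -> int:
    """Number of distinct values an n-bit fixed code can take."""
    return 2 ** bits


class FixedCodeReceiver:
    """Opens for one static code, so every valid frame is identical forever."""

    def __init__(self, code: int):
        self.code = code % keyspace(FIXED_CODE_BITS)

    def accept(self, frame: int) -> bool:
        return frame == self.code


def _tag(key: bytes, counter: int) -> bytes:
    """Truncated HMAC-SHA256 over the counter (assumed construction)."""
    mac = hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256)
    return mac.digest()[:8]


class RollingCodeRemote:
    """Hypothetical remote: each press sends a fresh (counter, tag) frame."""

    def __init__(self, key: bytes):
        self.key = key
        self.counter = 0

    def press(self):
        self.counter += 1
        return self.counter, _tag(self.key, self.counter)


class RollingCodeReceiver:
    """Hypothetical receiver: accepts only unseen counters with a valid tag."""

    WINDOW = 16  # tolerate presses made out of radio range

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0

    def accept(self, frame) -> bool:
        counter, tag = frame
        # Old or replayed counters, and counters too far ahead, are refused.
        if not (self.last_counter < counter <= self.last_counter + self.WINDOW):
            return False
        if not hmac.compare_digest(tag, _tag(self.key, counter)):
            return False
        self.last_counter = counter  # this frame can never be used again
        return True


def demo() -> dict:
    """Run both receivers over constructed frames and report the outcomes."""
    results = {"fixed_keyspace": keyspace(FIXED_CODE_BITS)}

    fixed = FixedCodeReceiver(0x5A3)  # constructed sample code
    captured = 0x5A3                  # a frame overheard once
    results["fixed_replay_accepted"] = fixed.accept(captured) and fixed.accept(captured)

    key = bytes(range(16))            # constructed sample key
    remote, receiver = RollingCodeRemote(key), RollingCodeReceiver(key)
    frame = remote.press()
    results["rolling_first_accepted"] = receiver.accept(frame)
    results["rolling_replay_accepted"] = receiver.accept(frame)

    remote.press()                    # two presses the receiver never hears
    remote.press()
    results["rolling_after_missed_presses"] = receiver.accept(remote.press())

    forged = (receiver.last_counter + 1, b"\x00" * 8)  # right counter, no key
    results["rolling_forged_tag_accepted"] = receiver.accept(forged)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```
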
  20. Tomi Engdahl says:

    New Malware Called YiSpecter Is Attacking iOS Devices in China And Taiwan
    http://techcrunch.com/2015/10/05/new-malware-called-yispecter-is-attacking-ios-devices-in-china-and-taiwan/

    Cybersecurity firm Palo Alto Networks has identified new malware, which it calls YiSpecter, that infects iOS devices by abusing private APIs. Most affected users live in China and Taiwan.

    Once it infects a phone, YiSpecter can install unwanted apps; replace legitimate apps with ones it has downloaded; force apps to display full-screen advertisements; change bookmarks and default search engines in Safari; and send user information back to its server. It also automatically reappears even after users manually delete it from their iOS devices.

    In the post, Palo Alto Networks’ security researcher Claud Xiao wrote that by abusing enterprise certificates and private APIs, YiSpecter is not only able to infect more devices, but “pushes the line barrier of iOS security back another step.”

    YiSpecter first spread by masquerading as an app that allows users to view free porn. It then infected more phones through hijacked traffic from Internet service providers, a Windows worm that first attacked QQ (an IM service by Tencent), and online communities where users install third-party apps in exchange for promotion fees from developers.

    Reply
  21. Tomi Engdahl says:

    Japan begins mega-rollout of 100 million+ national IDs
    … just months after leaking over a million pensioners’ data
    http://www.theregister.co.uk/2015/10/05/japanese_queasy_over_govs_national_id_rollout/

    The Japanese government has launched the nation’s first national identification system for social security and taxation purposes, despite widespread grumbling from its ageing population.

    Residents of Japan, including foreigners, are being assigned unique 12-digit numbers as of Monday under the new My Number identification system, reported the Japan Times.

    In addition, the My Number ID-system has provoked “serious concerns about invasions of privacy and the security of personal information.”

    Complaints were also raised about “the heavy burden the project will put on businesses” which “will be tasked with collecting the identification numbers of employees and part-time workers — not to mention their family dependents.”

    Concern regarding the centralisation of so much personal data comes on the heels of a massive data breach of Japan’s Pension Service which saw approximately 1.25m elderly citizens’ sensitive data exposed.

    Reply
  22. Tomi Engdahl says:

    Linux: 16 Security Packages Against Windows and Linux Malware Put to the Test
    https://www.av-test.org/en/news/news-single-view/linux-16-security-packages-against-windows-and-linux-malware-put-to-the-test/

    As Linux PCs are increasingly used to connect Windows PCs, they ought to use a security package as well. The lab at AV-TEST put 16 current security solutions to the test under Ubuntu – against Linux and Windows threats. The result is bitter for several products: for some, 85% of the Windows malware goes through unrecognized, and up to 75% of pure Linux malware remains undetected.

    The Linux world is largely considered a safe fortress against malware, including various types of trojans. But many Linux machines run in a network with Windows PCs. Roughly half of all Web servers, for instance, run with a Linux system. These in turn serve billions of users on the Web. That’s why Web servers are a tempting target to be used as a bridgehead for Windows malware threats.

    50 percent of all Web servers work with Linux

    A successful attack normally does not infect the system or the kernel. Rather, it focuses on the applications running on the Linux PC or Web server. They can be more easily hijacked or harnessed as a means to replicate. Major hacker attacks have already been carried out on Web servers via SQL injection or cross-site scripting. But desktop PCs with Linux are also an attractive target. After all, running applications with security gaps are found there as well, e.g. the Firefox browser or tools such as the Adobe Reader.

    Having infiltrated a system, malware seldom causes any damage under Linux, as it actually expects a Windows system. Infected files simply remain dormant, waiting for the opportunity to attack a Windows system. To do so, it is often sufficient to copy files from a Linux environment to Windows.

    Detection of Windows malware

    A total of eight out of 16 products detected between 99.7 and 99.9% of the 12,000 Windows attackers used in the test: Avast, F-Secure, Bitdefender, ESET, eScan, G Data, Kaspersky Lab (server version) and Sophos. Only the security package from Symantec achieved 100%.

    Noticeably weaker are the detection rates of McAfee with 85.1% and Comodo with 83%. Alarmingly feeble are the results of Dr. Web with 67.8%, F-Prot with 22.1% and ClamAV with only 15.3%!

    Detection of Linux malware

    More and more perfidious malware threats are also being developed for Linux and put into circulation. The lab unleashed on the systems 900 actually already known attackers for Linux. The result, however, looks significantly different than the detection rates under Windows. Only Kaspersky Endpoint Version achieved 100-percent detection under Linux. Following close behind with 99.7 percent was ESET – AVG still reached 99 percent

    Linux is secure – isn’t it?

    Most Linux users are convinced that they are using one of the most secure systems available. That statement is indeed true if you only look at the system and disregard everything else. Because it is occasional unsafe third-party applications or user errors that can turn Linux PCs or servers into virus cesspools. This is also confirmed by the latest study by Kaspersky for the first quarter of 2015: over 12,700 attacks were launched via botnets, using a Linux system as their basis, by contrast only 10,300 attacks came from botnets with a Windows system. What’s more, the life cycle of Linux-based botnets is much longer than those based on Windows. This is because it is much more difficult to ferret out and neutralize zombie networks such as these, as servers under Linux are seldom equipped with special protection solutions – unlike devices and servers under Windows.

    Reply
  23. Tomi Engdahl says:

    Antivirus tools miss almost 70 percent of malware within the first hour
    http://betanews.com/2015/02/12/antivirus-tools-miss-almost-70-percent-of-malware-within-the-first-hour/

    The report finds that within the first hour of submission, AV products missed nearly 70 percent of malware. Further, when rescanned to identify malware signatures, only 66 percent were identified after 24 hours, and after seven days the total was 72 percent. It took more than six months for AV products to create signatures for 100 percent of new malicious files.

    Reply
  24. Tomi Engdahl says:

    GCHQ’s SMURF ARMY can hack smartphones, says Snowden. Again.
    Uber-leaker tells BBC’s Panorama stuff he’s told others before
    http://www.theregister.co.uk/2015/10/06/gchqs_smurf_army_can_hack_smartphones_says_ed_snowden/

    Whistleblower Edward Snowden has given an interview to BBC investigative programme Panorama in which he’s added further detail on an array of tools named after the Smurfs* that allow UK intelligence agencies to hack smartphones.

    Privacy International has already aired much of what Snowden explained to Panorama, namely that a tool called “Nosey Smurf” turns on a phone’s microphone to use it for audio surveillance

    Reply
  25. Tomi Engdahl says:

    Search engine can find the VPN that NUCLEAR PLANT boss DIDN’T KNOW was there – report
    No ‘exec-level awareness’, warns research
    http://www.theregister.co.uk/2015/10/05/nuclear_plants_cyber_denial_man_in_the_middle/

    The nuclear industry is ignorant of its cybersecurity shortcomings, claimed a report released today, and despite understanding the consequences of an interruption to power generation and the related issues, cyber efforts to prevent such incidents are lacking.

    The report adds that search engines can “readily identify critical infrastructure components with” VPNs, some of which are power plants. It also adds that facility operators are “sometimes unaware of” them.

    Nuclear plants don’t understand their cyber vulnerability, stated the Chatham House report, which found industrial, cultural and technical challenges affecting facilities worldwide. It specifically pointed to a “lack of executive-level awareness”.

    Cybersecurity problems facing the industry largely result from legacy issues. As most industrial control systems at nuclear facilities were developed in the 1960s and 1970s (“when computing was in its infancy”) cybersecurity was not a consideration in their design.

    “One example of the ‘insecure by design’ nature of industrial control systems is the lack of authentication and verification,” found the report. This obedience leaves nuclear facilities’ control systems “particularly vulnerable to man-in-the-middle attacks that alter the communication between two devices”.

    Cyber Security at Civil Nuclear Facilities: Understanding the Risks
    https://www.chathamhouse.org/publication/cyber-security-civil-nuclear-facilities-understanding-risks

    Reply
  26. Tomi Engdahl says:

    European Court looks at Facebook, says Safe Harbour data-sharing is invalid
    Privacy groups agree
    http://www.theinquirer.net/inquirer/news/2429138/european-court-looks-at-facebook-says-safe-harbour-data-sharing-is-invalid

    SAFE HARBOUR IS INVALID, according to judges at the European Court of Justice, and nations can now resist the sharing of data with the US. This could cause problems for businesses, while improving things for the privacy aware.

    The ruling in the case, known in legal circles as Maximillian Schrems v Data Protection Commissioner (PDF), means that national regulators can deny and suspend data transfers to the US.

    This potentially means overtime for agents at the National Security Agency (NSA), but closer to home it may damage businesses that rely on and deal with data to survive.

    “In short, Schrems wants to prevent US intelligence agencies gaining access to his personal data by making it harder for US-based businesses to collect personal data about EU citizens,” explained Robert Lands, partner and head of intellectual property at law firm Howard Kennedy.

    “In the face of the Snowden revelations, it is clear that Safe Harbour is not worth the paper it’s written on. We need a new agreement that will protect EU citizens from mass surveillance by the NSA,” said Open Rights Group executive director Jim Killock.

    Mark Thompson, privacy practice leader at thinking outfit KPMG, added that companies will now have to turn to the local authorities for guidance on what to share and where.

    “Global companies will be looking towards regulators for a sensible solution in the near future. There is a risk that, if rules around data transfers aren’t handled pragmatically, this will result in a restriction on the flow of personal information across global organisations which could have a detrimental impact on their business models,” he said.

    Reply
  27. Tomi Engdahl says:

    Phone thieves to face harsher penalties for data theft
    Pictures and texts worth more than a mobe
    http://www.theregister.co.uk/2015/10/06/phone_thieves_to_face_harsher_penalties_for_data_theft/

    The Sentencing Council for England and Wales has issued new guidelines for judges ruling in theft cases and in the section on “general theft”

    The guidelines say that harm is assessed by reference to the financial loss that results from the theft and any significant additional harm suffered by the victim.

    The council believes that the loss of a phone that contains irreplaceable photographs or email, text or voice messages will come under the remit of emotional harm, and this will be reflected in tougher – albeit unspecified – sentences for those who steal phones.

    Reply
  28. Tomi Engdahl says:

    International Exploit Kit Angler Thwarted By Cisco Security Team
    http://yro.slashdot.org/story/15/10/06/1419235/international-exploit-kit-angler-thwarted-by-cisco-security-team

    Researchers at a Cisco security unit have successfully interrupted the spread of a massive international exploit kit which is commonly used in ransomware attacks.

    International exploit kit Angler thwarted by Cisco security team
    https://thestack.com/security/2015/10/06/international-exploit-kit-angler-thwarted-by-cisco-talos/

    Researchers at a Cisco security unit have successfully interrupted the spread of a massive international exploit kit which is commonly used in ransomware attacks, holding user data hostage and demanding payment for its release.

    The Talos security team were monitoring the notorious malware, Angler Exploit Kit, which they report is one of the most effective tools for stealing personal information, with a 40% infiltration rate.

    Reply
  29. Tomi Engdahl says:

    Amir Mizroch / Wall Street Journal:
    Silicon Valley companies make side agreements with EU to continue transferring data to US, build data centers in Europe to enable long-term compliance

    U.S. Tech Firms Look To Data Centers on European Soil
    http://blogs.wsj.com/digits/2015/10/06/u-s-tech-firms-look-to-data-centers-on-european-soil/

    Silicon Valley companies say they’ve been preparing for today’s European Court of Justice decision invalidating the U.S.-Europe Safe Harbor agreement on data transfers.

    Their lawyers have been working to come up with legal mechanisms to keep them in compliance with EU data protection laws. But they’ve also been spending billions building data storage and processing facilities on European soil, reducing the need to transfer data to the U.S. in the first place. That effort dovetails with an explosion of cloud based services that require more data centers.

    IDC estimates that in 2015, $8.2 billion will be spent in Europe on professional cloud services, an increase from only $560 million in 2010.

    “U.S. companies must look at local operations to process data,”

    Reply
  30. Tomi Engdahl says:

    Hacking Wireless Printers With Phones on Drones
    http://www.wired.com/2015/10/drones-robot-vacuums-can-spy-office-printer/

    You might think that working on a secured floor in a 30-story office tower puts you out of reach of Wi-Fi hackers out to steal your confidential documents.

    But researchers in Singapore have demonstrated how attackers using a drone plus a mobile phone could easily intercept documents sent to a seemingly inaccessible Wi-Fi printer. The method they devised is actually intended to help organizations determine cheaply and easily if they have vulnerable open Wi-Fi devices that can be accessed from the sky. But the same technique could also be used by corporate spies intent on economic espionage.

    For their demo they use a standard drone from the Chinese firm DJI and a Samsung phone. Their smartphone app searches for open printer SSIDs and company SSIDs. From the SSIDs, the app can identify the name of the company they’re scanning as well as the printer model. It then poses as the printer and forces any nearby computers to connect to it instead of the real printer. Once a document is intercepted, which takes just seconds, the app can send it to an attacker’s Dropbox account using the phone’s 3G or 4G connection, and also send it on to the real printer so a victim wouldn’t know the document had been intercepted.

    The attack zone is limited to 26 meters in radius. But with dedicated hardware, an attacker could generate a signal that is significantly stronger and extend that range further, Elovici notes. Any computer inside the attack zone will opt to connect to the fake printer over the real one, even if the real printer is closer in proximity to the rogue one.

    Reply
  31. Tomi Engdahl says:

    U.S. Tech Firms Look To Data Centers on European Soil
    http://blogs.wsj.com/digits/2015/10/06/u-s-tech-firms-look-to-data-centers-on-european-soil/

    Silicon Valley companies say they’ve been preparing for today’s European Court of Justice decision invalidating the U.S.-Europe Safe Harbor agreement on data transfers.

    Their lawyers have been working to come up with legal mechanisms to keep them in compliance with EU data protection laws. But they’ve also been spending billions building data storage and processing facilities on European soil, reducing the need to transfer data to the U.S. in the first place. That effort dovetails with an explosion of cloud based services that require more data centers.

    IDC estimates that in 2015, $8.2 billion will be spent in Europe on professional cloud services, an increase from only $560 million in 2010.

    Last year, Amazon opened a data center in Frankfurt, its first major data center in continental Europe, in part to show it complies with strict German data-privacy laws.

    Reply
  32. Tomi Engdahl says:

    IP camera makers pressure researcher to cancel security talk
    The presentation contained details of software flaws in major cameras
    http://www.pcworld.com/article/2989309/security/ip-camera-makers-pressure-researcher-to-cancel-security-talk.html#tk.rss_all

    An upcoming talk covering security problems in Internet-connected cameras has been canceled after opposition from some manufacturers.

    Gianni Gnesa was scheduled to give a presentation titled “Abusing Network Surveillance Cameras” on Oct. 14 at the Hack in the Box GSEC conference in Singapore.

    Internet-connected video cameras, or IP cameras, are widely used for security systems, offering the advantage that footage can be streamed anywhere remotely. But anything connected to the Internet poses risks if not properly secured.

    According to a writeup on the conference website, Gnesa planned to expose vulnerabilities in major surveillance cameras and show how an attacker could use them to stay undetected.

    But the writeup also says Gnesa decided to pull the talk after “legal pressure from the manufacturers affected.”

    Security researchers sometimes encounter resistance from technology vendors when they find vulnerabilities in their products.

    Occasionally, the situations escalate, with companies turning to their legal departments and the courts to block the release of sensitive information.

    Reply
  33. Tomi Engdahl says:

    Factory settings FAIL: Data easily recovered from eBayed smartphones, disks
    Gotta hand it to Apple and that encryption key, it really works
    http://www.theregister.co.uk/2015/10/07/data_wiping_analysis_ebay_disk/

    Data recovery experts have found a raft of personal information from used hard drives and mobile phones purchased from Amazon, eBay and Gazelle in the UK, US and Germany.

    The research, by Blancco Technology Group and Kroll Ontrack, once again shows that failure to erase data from discarded devices continues to be a problem, years after the issue first surfaced.

    Residual data was recovered from 35 per cent of the mobile phones analysed. This information included 2,153 emails and 10,838 texts. In more than half of the devices from which data was recovered, it was kit where the user had attempted to delete it, normally a restoration of factory settings.

    As most Reg readers will know this process does not actually overwrite or delete data and simply restores kit to its original state, meaning the information is still readily recoverable for those with access to specialised software.

    Some devices contained enough data to easily identify the original owner. Interestingly, no residual data was found on any of the Apple iOS devices analysed.

    “Apple devices use encrypted storage so deletion of the encryption key makes recovery impossible,” Henry explained. “But Android devices, on the other hand, do not use this method and rely upon a user overwriting data to erase it and prevent it from being recoverable.”

    Blancco/Kroll purchased a set of hard drives, and found that 75 per cent showed that a deletion attempt was made. One in four were resold without any deletion method applied. Files were successfully recovered from almost half (48 per cent) of the hard drives analysed.

    “Whether you’re an individual, a business or a government/state agency, failing to wipe information properly can have serious consequences,” Blancco’s Henry added.

    “One of the more glaring discoveries from our study is that most people attempt in some way or another to delete their data from electronic equipment. But while those deletion methods are common and seem reliable, they aren’t always effective at removing data permanently and they don’t comply with regulatory standards,”

    Reply
  34. Tomi Engdahl says:

    Now it’s the security industry’s turn to be burned by cloud
    Amazon ignites Web Applications Firewall to char security chaff
    http://www.theregister.co.uk/2015/10/07/amazon_throws_waf_to_sieve_security_chaff/

    Amazon has launched a web application firewall to help customers guard against common web exploits.

    The web attic touts the service as a means to ink custom rules to block attack patterns like SQL injection and cross-site scripting and offering the ability to quickly deploy application rules.

    Rules can be set based on IP address, HTTP headers, URI strings, and configured through the API or management console. The more rules set the higher the cost.

    Amazon Web Services man Jeff Barr offers a case study of how the WAF could work.

    “[Attackers] could run through a list of common or default usernames and passwords, or they could attempt to exploit a known system, language, or application vulnerability perhaps powered by SQL injection or cross-site request forgery as the next step,” Barr says.

    “Like it or not, these illegitimate requests are going to be flowing in 24 by 7.

    “Even if you keep your servers well-patched and do what you can to keep the attack surface as small as possible, there’s always room to add an additional layer of protection.”

    Amazon has slapped chicken feed service pricing on the WAF, asking for 60 cents per million hits, US$1 a rule, and $5 for each access control list.

    Reply
  35. Tomi Engdahl says:

    Remote code exec hijack hole found in Huawei 4G USB modems
    Ruskies sling malicious packet to trigger denial of service.
    http://www.theregister.co.uk/2015/10/07/remote_code_exec_hijack_hole_found_in_huawei_4g_usb_modems/

    Positive Technologies researchers Timur Yunusov and Kirill Nesterov have found since-patched remote execution and denial of service vulnerabilities in a popular Huawei 4G USB modem that can allow attackers to hijack connected computers.

    The Huawei E3272 USB modem sells from about US$120 on Amazon.

    Researchers say the vulnerabilities are exploitable through malicious packets sent to the device’s gateway, and thanks to cross-site scripting (XSS) and stack overflow holes.

    “By exploiting detected flaws, an intruder can gain rights on a remote modem, take control over the computer connected to the vulnerable modem, and obtain access to the subscriber’s account in the mobile operator’s portal,” the researchers say.

    Reply
  36. Tomi Engdahl says:

    Digital Europe, the umbrella organization representing the European information industry, warns that the Court of Justice of the European Union's decision to cancel the Safe Harbour agreement with the United States damages Europe's data-based economy.

    Digital Europe calls on EU and US decision-makers to establish a new, long-negotiated safe harbour agreement as soon as possible.

    Source: http://www.tivi.fi/Kaikki_uutiset/turvasatamapaatos-puhuttaa-teknologiateollisuudessa-tyointensiivinen-asia-6002687

    Safe Harbour scrapped – storing data in Europe would raise the prices of online services

    The European Court of Justice announced on Tuesday that the agreement allowing the transfer of information to the United States is not valid. The decision does not lead to immediate changes in online activity, but this is a major change, not just the contributions received, says Carsten Casper, research director at research house Gartner.

    “The decision changed the political climate. Now, it was decided that national officials will have greater autonomy in relation to data protection,” Casper tells Tivi.

    After the decision, the business will continue unchanged until further notice and retention of data in the United States will not cease immediately.

    The online service companies, it follows a situation where not enough that one is acting to ensure an EU-wide agreement, but the legality of the operation have to consider that EU-regulation model.

    Now the local authorities of the 28 member states will make their own policies on how information can be transferred to the United States.

    Carsten points out that at this stage the authorities leave to investigate the matter, when citizens make on alerts and want to know how their data is being processed. The study process takes time.

    The EU would like to standardize practices and it should be in a hurry to get officials to agree on a common line. If the EU does not act quickly, starting with Member States to make independent decisions on their own behalf as it deems best practices.

    For businesses, the invalidity of the Safe Harbour agreement does not automatically mean that data could not be kept in the United States. There are other contractual models that allow the transfer of private information. These are now being explored.

    The situation of beneficiaries of lawyers and operate hosting services in the EU, while some companies decide to increase the data recording portion of the country.

    Casper does not believe that the decision will increase the security of EU citizens. The NSA can still access the data if companies use alternative agreements and continue to retain data in the United States. He suspects that the intelligence services will also be able to spy on data held on servers in Europe.

    “Even though a weak legal protection went away and is replaced by another, the situation is unlikely to improve.”

    Help a situation possibly coming the other way: Currently being negotiated agreement that would allow EU citizens in prosecutions in the United States, a network giants home ground.

    Source: http://www.tivi.fi/Kaikki_uutiset/turvasatama-romuksi-tietojen-sailyttaminen-euroopassa-nostaisi-verkkopalvelujen-hintoja-6002630

    Reply
  37. Tomi Engdahl says:

    Amazon launches Inspector, a tool that automatically finds security and compliance issues
    http://venturebeat.com/2015/10/07/amazon-launches-inspector-a-tool-that-automatically-finds-security-compliance-issues/

    Amazon Web Services (AWS) today announced Amazon Inspector, a sort of bot service that looks for and identifies potential security and compliance vulnerabilities.

    Amazon Inspector is available in preview today. A blog post has more detail on the service.

    Amazon Inspector – Automated Security Assessment Service
    https://aws.amazon.com/blogs/aws/amazon-inspector-automated-security-assessment-service/

    The EC2 instances and other AWS resources that make up your application are identified by tags. When you create the assessment, you also define a duration (15 minutes, 1 / 8 / 12 hours, or 1 day).

    During the assessment, an Inspector Agent running on each of the EC2 instances that play host to the application monitors network, file system, and process activity. It also collects other information including details of communication with AWS services, use of secure channels, network traffic between instances, and so forth. This information provides Inspector with a complete picture of the application and its potential security or compliance issues.

    The initial launch of Inspector will include the following sets of rules:

    Common Vulnerabilities and Exposures
    Network Security Best Practices
    Authentication Best Practices
    Operating System Security Best Practices
    Application Security Best Practices
    PCI DSS 3.0 Assessment

    Reply
  38. Tomi Engdahl says:

    Centrify:
    What Experian and T-Mobile Didn’t Learn from the Target Hack — The Experian/T-Mobile hack demonstrates that corporations haven’t learned the lessons from the massive Target breach — there are simple rules for protecting identity and reducing the risk of data breaches.

    What Experian and T-Mobile Didn’t Learn from the Target Hack
    http://blog.centrify.com/experian-breach-insider-threats/

    Immediate thoughts were of unauthorized credit card transactions, canceled cards. Identity theft. Inconvenience and the sense of violation from a “trusted” 3rd party, Experian.

    I’m aware of vulnerability in most companies as a result of my current work in security software.

    Lessons from Target

    The Target data breach, outlined in this Krebs on security article is insightful and instructive for senior executives.

    A quick refresher: In 2013, retail giant Target exposed 40 million customer debit and credit cards in a highly-publicized breach. Lawsuits from banks and customer class-actions will be in the billions of dollars, and have the potential to bring the company down.

    Target’s external network defenses were and are strong. Verizon’s forensic team were unable to penetrate firewalls, but they were weak and unprotected on the inside. The source of the Target breach was malware, delivered in an email to a small Target business partner (Fazio Mechanical).

    Once inside Fazio, hackers stole Target’s VPN credentials. On the inside, hackers had easy access to internal systems. According to Verizon investigators, password policies were weak and unenforced. The hackers gained unauthenticated access and eventually, full access to the Target network.

    From a security practitioner perspective, managing security is complex. The security vendor landscape is fragmented and noisy. Hundreds of vendors pitch solutions for their piece of the puzzle. Meanwhile, every company is at risk from insider threats, even though they may be in compliance. Security consulting firm, Mandiant, noted that 100% of recent data breaches investigated involved stolen credentials.

    12 Simple Rules to Protect Identity and Reduce Risk of #databreach

    Adopt continuous compliance policy.
    Enforce security best practices.
    Segment networks and restrict access to sensitive information on a need-to-know basis.
    Restrict privilege — executives and administrators only get credentials for the systems they maintain.
    Enforce a single source of identity — everyone logs-in as themselves and are unable to change identity.
    Enforce strong password policies.
    Install single sign-on systems and process to prevent stale, unused and reused password vulnerabilities.
    Adopt multi-factor authentication, with a user’s mobile phone as the second factor.
    Protect data on mobile devices using MDM policies that enable remote lock and wipe.
    Secure remote access for 3rd parties and business partners without using a VPN.
    Record, watch, audit and alert on privileged user sessions.
    Prevent shared account administrator access to Root and corporate systems, except in break-glass situations.

    Reply
  39. Tomi Engdahl says:

    Washington Post:
    Obama administration decides not to seek legislation forcing companies to decrypt data for law enforcement, but doesn’t disavow a legislative mandate

    Obama administration opts not to force firms to decrypt data — for now
    https://www.washingtonpost.com/world/national-security/obama-administration-opts-not-to-force-firms-to-decrypt-data–for-now/2015/10/08/1d6a6012-6dca-11e5-aa5b-f78a98956699_story.html

    After months of deliberation, the Obama administration has made a long-awaited decision on the thorny issue of how to deal with encrypted communications: It will not — for now — call for legislation requiring companies to decode messages for law enforcement.

    Rather, the administration will continue trying to persuade companies that have moved to encrypt their customers’ data to create a way for the government to still peer into people’s data when needed for criminal or terrorism investigations.

    “The administration has decided not to seek a legislative remedy now, but it makes sense to continue the conversations with industry,” FBI Director James B. Comey said at a Senate hearing Thursday of the Homeland Security and Governmental Affairs Committee.

    Reply
  40. Tomi Engdahl says:

    Rene Ritchie / iMore:
    Apple removes “a few” apps that install root certificates, including in-app ad blocker Been Choice

    App Store removes root certificate-based ad blockers over privacy concerns
    http://www.imore.com/app-store-removes-root-certificate-based-ad-blockers-over-privacy-concerns

    Root certificate-based apps don’t just block ads, they deeply inspect all your traffic, even private and secure traffic.

    While Apple has provided a mechanism to create safe, private content blocking extensions for Safari on iPhone and iPad, recently apps like Been Choice have taken it a step further, installing root certificates in order to block ads inside apps as well. The problem with that type of blocking is that it intermediates secure connections and exposes all your private internet traffic to the blocker. Essentially, it’s a voluntary person-in-the-middle attack. For that reason, Apple is removing those apps from the App Store.

    Reply
  41. Tomi Engdahl says:

    Dan Goodin / Ars Technica:
    SHA1, one of Internet’s crucial cryptographic algorithms used in 28% of digital certificates, could break by year’s end

    SHA1 algorithm securing e-commerce and software could break by year’s end
    Researchers warn widely used algorithm should be retired sooner.
    http://arstechnica.com/security/2015/10/sha1-crypto-algorithm-securing-internet-could-break-by-years-end/

    SHA1, one of the Internet’s most crucial cryptographic algorithms, is so weak to a newly refined attack that it may be broken by real-world hackers in the next three months, an international team of researchers warned Thursday.

    SHA1 has long been considered theoretically broken, and all major browsers had already planned to stop accepting SHA1-based signatures starting in January 2017. Now, researchers with Centrum Wiskunde & Informatica in the Netherlands, Inria in France, and Nanyang Technological University in Singapore have released a paper that argues real-world attacks that compromise the algorithm will be possible well before the cut-off date. The results of real-world forgeries could be catastrophic since the researchers estimate SHA1 now underpins more than 28 percent of existing digital certificates.

    A series of attacks on MD5, a hashing algorithm that’s much more collision-prone than SHA1, provides a glimpse at the dire results of collision attacks

    Kicking the can

    Thursday’s research showing SHA1 is weaker than previously thought comes as browser developers and certificate authorities are considering a proposal that would extend the permitted issuance of the SHA1-based HTTPS certificates by 12 months, that is through the end of 2016 rather than no later than January of that year. The proposal argued that some large organizations currently find it hard to move to a more secure hashing algorithm for their digital certificates and need the additional year to make the transition.

    Reply
  42. Tomi Engdahl says:

    At Experian, Security Attrition Amid Acquisitions
    http://krebsonsecurity.com/2015/10/at-experian-security-attrition-amid-acquisitions/

    T-Mobile disclosed last week that some 15 million customers had their Social Security numbers and other personal data stolen thanks to a breach at Experian, the largest of the big American consumer credit bureaus. But this actually wasn’t the first time that a hacking incident at Experian exposed sensitive T-Mobile customer data, and that previous breach may hold important clues about what went wrong more recently.

    “What the board of directors at Experian wanted security-wise and the security capabilities on the ground were two completely different things,” Tate said. “Senior leadership there said they were pursuing a very aggressive growth-by-acquisition campaign. The acquisition team would have a very strict protocol on how they assess whether a business may be viable to buy, but the subsequent integration of the business into our core security architecture was just a black box of magic in terms of how it was to be implemented. And I’m not saying successful magic at all.”

    Another recent former security employee at Experian who agreed to talk on condition of anonymity said it was clear that the company’s board was not well-informed about the true state of security within the company’s various business units.

    Reply
  43. Tomi Engdahl says:

    Amazon Launches Web Application Firewall for AWS
    http://www.securityweek.com/amazon-launches-web-application-firewall-aws

    Amazon announced on Tuesday the availability of AWS WAF, a web application firewall that helps Amazon Web Services customers protect their apps from common exploits.

    AWS WAF, launched on the first day of Amazon’s AWS re:Invent 2015 conference, is designed to give users control over the type of traffic that is allowed or not allowed to reach their web applications. By defining Access Control Lists (ACLs), rules, and actions, users can block SQL injection, cross-site scripting (XSS) and other common attack patterns. Rules can also be created for each user’s specific application.

    The new security product also includes a full-featured API that can be used to automate the creation, deployment and maintenance of rules.

    Jeff Barr, chief evangelist for Amazon Web Services, published a blog post detailing the various AWS WAF concepts, including conditions, rules, web ACLs, and actions.

    Barr explained that conditions are designed for inspecting incoming requests. They can analyze the incoming IP address and various parameters of the request, such as URI, query string, HTTP header, and HTTP method.

    New – AWS WAF
    https://aws.amazon.com/blogs/aws/new-aws-waf/

    Reply
  44. Tomi Engdahl says:

    Microsoft Leaks User Account Identifiers in Clear Text
    http://www.securityweek.com/microsoft-leaks-user-account-identifiers-clear-text

    Users of Microsoft web applications such as Outlook or OneDrive don’t benefit from the level of privacy they may expect, a Chinese developer has discovered.

    According to the developer, who goes by the name of ramen-hero, Outlook.com, OneDrive, and Microsoft’s account pages incorporate a unique user identifier known as CID in URLs. Unique to each user, the CID is a 64-bit integer associated with each Microsoft account and is used in Microsoft APIs for user identification.

    The issue is that because the CID is included in the host name part of the URL, it can be viewed by anyone monitoring the DNS traffic or with access to the web traffic of a user. This numeric identifier appears each time a user accesses Outlook.com, OneDrive, or the Microsoft account page, even if the request is made over an HTTPS connection.

    Reply
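The exposure described in comment 44, as an added example (not code from the article, the developer or Microsoft): it splits each URL into the part a passive observer can read (the host name, which travels in the DNS query and the TLS SNI field) and the part TLS encrypts, then flags identifier-like tokens in each. The host names are constructed placeholders, and the token pattern (16 hex digits or a 15 to 20 digit decimal) is an assumption, since the page only says the CID is a 64-bit integer.

```python
import re
from urllib.parse import urlsplit

# Assumption: a 64-bit account identifier shows up as 16 hex digits or as a
# 15-20 digit decimal number. The page does not state the real encoding.
_ID = re.compile(r"(?<![0-9a-f])(?:[0-9a-f]{16}|\d{15,20})(?![0-9a-f])", re.I)

# Constructed sample URLs (example.com placeholders, not real service hosts).
SAMPLE_URLS = [
    "https://cid-0123456789abcdef.users.storage.example.com/self.aspx/Documents",
    "https://mail.example.com/owa/?cid=0123456789abcdef",
    "http://profile.example.com/u/1234567890123456789",
    "https://www.example.com/index.html",
]


def wire_view(url):
    """Split a URL into what a passive observer reads and what TLS hides.

    Assumes plain DNS and a clear-text SNI field, i.e. no encrypted DNS and
    no encrypted ClientHello.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    rest = parts.path + ("?" + parts.query if parts.query else "")
    if parts.scheme == "https":
        # Only the host name leaves the TLS tunnel; path and query stay inside.
        return {"observable": host, "encrypted": rest}
    # Plain HTTP: the whole request line is readable on the wire.
    return {"observable": host + rest, "encrypted": ""}


def audit(urls):
    """Return (url, token, where) for every identifier-like token found."""
    findings = []
    for url in urls:
        view = wire_view(url)
        for where in ("observable", "encrypted"):
            for match in _ID.finditer(view[where]):
                findings.append((url, match.group(0), where))
    return findings


def exposed_ids(urls):
    """Identifiers a network observer could collect and use to track a user."""
    return sorted({tok for _, tok, where in audit(urls) if where == "observable"})


if __name__ == "__main__":
    for url, token, where in audit(SAMPLE_URLS):
        print(f"{where:10} {token:20} {url}")
```

Moving the identifier out of the host name and into the path or a request header, as in the second sample URL, keeps it inside the encrypted channel.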
  45. Tomi Engdahl says:

    Cisco Introduces New Vulnerability Disclosure Format
    http://www.securityweek.com/cisco-introduces-new-vulnerability-disclosure-format

    Cisco has announced a new and more streamlined format for disclosing security vulnerabilities in an effort to make it easier for network administrators to prioritize their response.

    Based on feedback from customers, Cisco has made the security advisory listing page easier to navigate and it has simplified the process of searching for specific advisories.

    In addition to classifying vulnerabilities based on their CVSS, Cisco has introduced a Security Impact Rating (SIR) system that rates flaws as having critical, high, medium or low severity based on their CVSS score. The SIR has been made highly visible in each advisory.

    Reply
  46. Tomi Engdahl says:

    Iran-Based Hacking Crew Uses Fake LinkedIn Profiles In Espionage Attacks
    http://tech.slashdot.org/story/15/10/08/2345202/iran-based-hacking-crew-uses-fake-linkedin-profiles-in-espionage-attacks?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29

    The Iranian hacker group Cleaver has been directing a cyber spying campaign at bodies in the Middle East across a network of fake LinkedIn accounts

    Suspected Iran-Based Hacker Group Creates Network of Fake LinkedIn Profiles
    http://www.secureworks.com/cyber-threat-intelligence/threats/suspected-iran-based-hacker-group-creates-network-of-fake-linkedin-profiles/

    Summary

    While tracking a suspected Iran-based threat group known as Threat Group-2889[1] (TG-2889), Dell SecureWorks Counter Threat Unit™ (CTU) researchers uncovered a network of fake LinkedIn profiles. These convincing profiles form a self-referenced network of seemingly established LinkedIn users. CTU researchers assess with high confidence the purpose of this network is to target potential victims through social engineering. Most of the legitimate LinkedIn accounts associated with the fake accounts belong to individuals in the Middle East, and CTU researchers assess with medium confidence that these individuals are likely targets of TG-2889.

    Reply
  47. Tomi Engdahl says:

    Cisco VPN vulnerability could let enterprise passwords out the door
    Security research never sleeps
    By Dave Neal
    http://www.theinquirer.net/inquirer/news/2429777/cisco-vpn-vulnerability-could-let-enterprise-passwords-out-the-door

    A PROBLEM WITH CISCO VPN systems could be exposing enterprise passwords to the sort of people who use them for bad things.

    Yesterday we had Cisco warning about someone else’s problem, but today we have a company called Volexity volleying a shot in Cisco’s direction. Volexity said that it has found two exploitable vulnerabilities that can be used to drain details from databases. It reckons that this represents an upscaling in attacks, their means and their methods.

    Reply
  48. Tomi Engdahl says:

    Phil Zimmermann: Britain needs to be less culturally accepting of surveillance
    Encryption isn’t enough to protect us
    http://www.theinquirer.net/inquirer/news/2429633/phil-zimmerman-britain-needs-to-be-less-culturally-accepting-of-surveillance

    BRITONS MUST BE less “culturally accepting” of surveillance if they want to protect themselves from cyber snoops and government spies, according to Silent Circle founder Phil Zimmermann.

    Zimmermann, who created Pretty Good Privacy, one of the world’s most popular email encryption systems, said at IP Expo 2015 in London on Thursday that surveillance is getting “easier and easier” in the UK.

    The country needs technologies such as phone and email encryption, but it also needs “cultural tools” that prompt citizens to change their expectations and demands and to “push back” at surveillance, he said.

    “Britain is not an easy society to persuade to push back because you have surveillance cameras everywhere and there seems to be a cultural acceptance of this here, which I’ve never been able to understand,” said Zimmermann.

    “We can create technologies that help us a little bit to push back against surveillance, and that’s what I do because that’s something I know how to do, but you also have to push back in the public policy space to try to persuade governments – and all the governments in Europe, especially here – to not create an increasingly pervasive surveillance environment.”

    Reply
  49. Tomi Engdahl says:

    Sign Of the Times: Calif. Privacy Protections Signed Into Law
    http://yro.slashdot.org/story/15/10/08/232223/sign-of-the-times-calif-privacy-protections-signed-into-law?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29

    The EFF reports a spot of bright news from California: Governor Jerry Brown today signed into law the California Electronic Communications Privacy Act. CalECPA, says the organization, “protects Californians by requiring a warrant for digital records, including emails and texts, as well as a user’s geographical location. These protections apply not only to your devices, but to online services that store your data.”

    SB-178 Privacy: electronic communications: search warrant. (2015-2016)
    http://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201520160SB178

    Reply
