Security trends for 2015

Year 2014 is coming to an end, so it is time to look forward to what to expect from 2015 in cyber security.

Cyber security will get harder year by year. Year 2014 was much worse than 2013: Heartbleed, the Bash vulnerability and POODLE were just the beginning of what to expect in 2015. I expect that 2014 was easy compared to what 2015 will be. 2015 will prove to be a challenging year for IT security professionals. Attacks can happen anywhere and anytime, and they don’t have to be major attacks by nation states. They could come from inside or outside.

According to Gartner and SecurityWeek, total information security spending will grow a further 8.2 percent in 2015 to reach $76.9 billion. Unfortunately, security investments are not keeping up with IT enhancements that are continuously widening our attack surface and making systems more vulnerable. As computer software has become the backbone of modern civilization, “hacktivists”, organized cyber criminals, state-sponsored attackers, and terrorist organizations try to exploit design flaws and weaknesses in applications in order to embarrass corporations and government agencies and to commit fraud.

Despite the high-profile CryptoLocker takedown, ransomware scams remain an all-too-real threat. Crooks are developing more sophisticated encryption schemes to support their fraud.

The steady flow of software security issues will keep making headlines in 2015. Serious security flaws will be found in both open source and proprietary software.

Many people are looking for a good process to develop secure software, because after-the-fact band-aiding is not a sustainable approach. If the same methods continue to be used to develop software, with tests added retrospectively, there will be only a very modest reduction in the flow of problems. Processes for developing reliable and secure networking software exist but have yet to be broadly applied. Traditional methods used to develop software continue to result in high failure rates. Why create insecure security?

Year 2014 was a year of cybersecurity news following the NSA revelations made in 2013. There were lots of articles related to the published material. Not everything has been published yet, so I would expect new details of the NSA revelations to come out in 2015 as well. I also expect new information leaks on how governmental security organizations spy on us all.

It seems like 2014 has almost been “The Year of PoS Breaches.” Can We Learn from Big Breaches? At least companies will also face more stringent regulations: the new Payment Card Industry Data Security Standard 3.0 (PCI 3.0) will be mandatory for all businesses that store, process or transmit payment card information beginning 1 January 2015. The revamped standard includes requirements aimed at third-party providers. The changes follow a string of high-profile breaches. I expect that the new requirements will not result in any quick change to the situation. As more and more breach reports keep coming, consumers are officially starting to get breach fatigue, and banks are bringing breached companies to court to pay for the damages caused to them.

Public and private organizations are facing an increasing frequency and sophistication of cyber-attacks and security breaches, many of which are only discovered after the fact. McAfee Labs’ 2015 Threats Predictions report is an eye-opening read that forecasts increased levels of crime, espionage and warfare operations. Cybercriminals are expected to use more sophisticated methods to remain hidden on a victim’s network, carrying out long-term theft of data without detection.

The article Get Ready For The Hack Attack That Drives A Big Company Out Of Business predicts that 2015 will be the year that some company goes out of business because it didn’t plan adequately for an attack. In the past, the most sophisticated hacks against companies were carried out by big nation-states or criminal organizations. In 2014 the Sony Pictures hack showed that the motives of sophisticated hackers have changed from self-gain to destruction. Many company officers are only now becoming aware of the threat (boards of directors and C-level officers have traditionally been focused on other threats). A computerized attack can cause a lot of damage to a well-prepared company, and can turn a not-so-well-prepared company into a complete disaster from which it can’t recover. The Sony attack opens new doors of risk in the area of corporate extortion.

As the Internet of Things becomes more and more used, it will be hacked more and more, so the security of the Internet of Things will be talked about more and more. IoT is one field where cyber security flaws can kill. The European Police Office (Europol) said governments are ill-equipped to counter the menace of “injury and possible deaths” spurred by hacking attacks on critical safety equipment. There are many potential dangers in transportation: many new cars are Internet connected and potentially vulnerable, SCADA systems in railways are vulnerable to attack, and airline bosses ignore cyber security concerns at their peril. Whether it is an unintentional cyber incident or a deliberate attack, security continues to be a vital part of the automation industry, and together with safety it will remain a growing area of concern for manufacturers in the coming years. Security awareness is on the rise throughout the industry. Security is becoming a business enabler that can provide manufacturers more than just an insurance policy.

Soon almost every network will have IoT hacking in it. IDC predicts that within two years 90 per cent of global IT networks will have experienced IoT data theft. In a report, cybersecurity firm Fortinet expects greater threats from “denial of service attacks on assembly line, factory, industrial control systems, and healthcare and building management…resulting in revenue losses and reputation damages for organizations globally.” This opens new doors of risk in the areas of corporate extortion, altering of corporate business operations, and the extension of cyberattacks to include physical threats of harm to civilians.

Cyber warfare is becoming more and more attractive to small nations and terrorist groups. Enabled by Internet connectivity, cyber war provides more bang for the buck than investment in conventional weapons: it is cheaper and far more accessible to small nation-states than conventional weapons, and it allows these countries to pull off attacks with less risk of getting caught and fewer repercussions when they are caught. There are many reasons why a nation-state or non-nation entity would pursue a cyber war program, and today many countries large and small invest in cyber warfare. Recent cyber attacks suggest that fewer resources are required to wage an attack than to defend against one. As the whole world gets connected, it provides the details that make these attacks possible. In the not-too-distant future, warfare with traditional weaponry may take a backseat to potentially more destructive tactics: computer code attacking the companies and infrastructures, including electric grids and oil and gas pipelines, that society relies on.

It was estimated that the first online murder would happen in 2014. As far as I know, it did not happen in 2014. I think it is likely that an online murder can happen in 2015. The tools for this to happen are available. Cyber-murder can happen without us knowing about it.

Mobile devices will be one of the focal points for cyber-attackers in 2015, as they present relatively easy, low-risk points of entry that can be monitored remotely for passwords, account numbers, and personal identification data. It is still relatively easy to publish malicious applications in application stores. Within the next year advanced mobile exploit kits will become available.

Mobile devices will start to play a part in denial of service attacks. Vietnam, India and Indonesia will be the distributed denial of service volcanoes of next year due to the proliferation of pwned mobiles.

Year 2014 brought encryption to mainstream smartphones (new encryption features from Apple Inc. and Google Inc). In 2015 government organizations will try to tackle a very modern problem: password-protected encrypted cellphones. It will be a fight over surveillance as everyone starts to implement encryption.

Long predicted but always seeming to be “just around the corner,” mobile payments may finally have arrived. The underlying technologies of the coming mobile payment revolution, and alternative solutions, have been emerging for some time. Technologies playing a supporting role in this shift include encryption advances, digital currencies, biometrics, NFC, Bluetooth, QR codes, and even the use of sound wave data transfer. There will also be products marketed to prevent the different kinds of potential threats the new technologies can cause.

There is a never-ending battle between good and evil in the cyber world. Various types of attacks are successful because they are well-disguised, blend different techniques, and constantly evolve. You need layered security, and it’s not just for networks. Use a layered security architecture that supports a combination of defenses in ways attackers don’t expect and that continuously evolves protections to keep up with dynamic attacks. Traditionally these approaches have been focused on the network, but they can and should be applied to other parts of the IT system as well (start from email gateways). Email is the preferred channel for business communications and thus continues to be a vector of choice for attackers.

Threat information sharing will become necessary for survival. Security controls (SANS critical controls, ISO/IEC 27002, NIST Cybersecurity Framework, and the Cloud Controls Matrix) are safeguards that counteract or minimize security risks relating to digital property. The more you can automate a control, the better off you will be. Moving towards an adaptive and automated way of applying intelligence based on behavior and heuristics is clearly a step in the right direction, enabling a more actionable and relevant set of controls. Threat intelligence coming from a variety of sources (security companies, the government and the open source community) is needed. Key to success is publishing intelligence in standard data structures (STIX, TAXII and other industry formats) that describe threats in a way that can be aggregated and understood by others.

More and more organizations are moving applications and data to IaaS/PaaS environments. Many enterprise IT departments have reason for concern: industry experts agree that moving sensitive data into the hands of third-party cloud providers expands and complicates the risk landscape in which companies operate every day. You need to understand cloud database security basics and more.

Today major players are embracing end-to-end encryption, so that about 50% of web traffic is carried over HTTPS. HTTPS everywhere will get a boost in 2015, as a new certificate authority backed by big names on the Internet, including Mozilla, Cisco and Akamai, plans to offer SSL certificates at no charge starting summer 2015. This move will make it even easier for people to run encrypted, secure HTTPS websites.

Google is proposing to warn people that their data is at risk every time they visit websites that do not use HTTPS. If implemented, the change would mean that a warning would pop up when people visited a site that used only HTTP, notifying them that such a connection “provides no data security”. In the short term, the biggest headache is likely to be faced by website operators, who will feel forced to migrate unencrypted HTTP websites to encrypted HTTPS.

You can’t trust that normal web security technologies will guarantee safety. Your HTTPS security will be manipulated more than before. End-to-end HTTPS is generally a good security addition for end users, but it does not solve all the problems. The increased use of HTTPS has made the life of IT departments harder, because normal firewalls can’t look at what is inside encrypted HTTPS packets, so they can’t block potential security threats carried within them. There are special corporate firewall arrangements that can intercept HTTPS traffic (they perform a kind of man-in-the-middle that decrypts and re-encrypts the packets on the way). So SSL communications can be intercepted and broken.


3,110 Comments

  1. Tomi Engdahl says:

    Researchers Tie Regin Malware To NSA, Five Eyes Intel Agencies
    http://yro.slashdot.org/story/15/01/27/1339232/researchers-tie-regin-malware-to-nsa-five-eyes-intel-agencies

    Researchers at Kaspersky Lab have discovered shared code and functionality between the Regin malware platform and a similar platform described in a newly disclosed set of Edward Snowden documents 10 days ago by Germany’s Der Spiegel.

    Researchers Link Regin to Malware Disclosed in Recent Snowden Documents
    http://threatpost.com/researchers-link-regin-to-malware-disclosed-in-recent-snowden-documents/110667

    The link, found in a keylogger called QWERTY allegedly used by the so-called Five Eyes, leads them to conclude that the developers of each platform are either the same, or work closely together.

    The Der Spiegel article describes how the U.S National Security Agency, the U.K.’s GCHQ and the rest of the Five Eyes are allegedly developing offensive Internet-based capabilities to attack computer networks managing the critical infrastructure of its adversaries.

    The Regin malware platform was disclosed in late November by Kaspersky Lab and it was quickly labeled one of the most advanced espionage malware platforms ever studied, surpassing even Stuxnet and Flame in complexity. The platform is used to steal secrets from government agencies, research institutions, banks and can even be tweaked to attack GSM telecom network operators.

    Reply
  2. Tomi Engdahl says:

    Meat puppet security sucks… let machines find your flaws
    Darktrace: No, no, customers, you’ve got security all wrong
    http://www.theregister.co.uk/2015/01/27/darktrace_security_machine_learning/

    Commercial organisations have cash to burn on stopping hackers getting into the network, but relatively little to spend on dealing with a breach.

    This poses a challenge for Darktrace, a two-year-old organisation founded by former members of the intelligence community and backed by former Autonomy CEO Mike Lynch’s investment fund Invoke Capital.

    The company has built an Enterprise Immune System that it claims works in the same way as the human body, analysing traffic and detecting “anomalies” or foreign bodies from the inside.

    It does not prevent breaches from occurring but identifies those that are ongoing.

    “Threats are becoming more sophisticated, and heavily funded, so it’s not a matter of if but when [a breach will happen],” said Szukalski. “It doesn’t make sense [for end-user organisations] to keep building bigger walls.”

    “We are finding there’s great budget in customers for perimeter, malware and endpoint defences, but there isn’t always a budget for network defences from inside the network,” Szukalski told us.

    Reply
  3. Tomi Engdahl says:

    OS X 10.10.2 Includes Fix for ‘Thunderstrike’ Hardware Exploit Affecting Macs
    http://www.macrumors.com/2015/01/26/os-x-10-10-2-thunderstrike-exploit-fix/

    Apple is readying a fix in OS X 10.10.2 for the so-called “Thunderstrike” hardware exploit targeting Macs equipped with Thunderbolt ports, iMore has learned.

    “To secure against Thunderstrike, Apple had to change the code to not only prevent the Mac’s boot ROM from being replaced, but also to prevent it from being rolled back to a state where the attack would be possible again.”

    Thunderstrike is a serious vulnerability discovered earlier this year by security researcher Trammell Hudson, enabling an attacker to replace a Mac’s bootrom with malicious code without a user knowing. Since the malicious code is stored in a low level inaccessible to the user, the problem would remain even if the bootrom was replaced.

    The proof-of-concept attack is limited in scope, however, as an attacker would require physical access to the Mac or savvy social engineering skills in order to trick a user into attacking his or her Mac themselves.

    ‘Thunderstrike’ attack also fixed in OS X 10.10.2
    http://www.imore.com/thunderstrike-attack-also-fixed-os-x-10102

    In the meantime, no instances of Thunderstrike have been found in wild, and the attack requires either physical access to the targeted computer, or social engineering sufficient to trick the owner into “attacking” themselves.

    Reply
  4. Tomi Engdahl says:

    Using HID Tricks to Drop Malicious Files
    http://hackaday.com/2015/01/27/using-hid-tricks-to-drop-malicious-files/

    [Nikhil] has been experimenting with human interface devices (HID) in relation to security. We’ve seen in the past how HID can be exploited using inexpensive equipment. [Nikhil] has built his own simple device to drop malicious files onto target computers using HID technology.

    The system runs on a Teensy 3.0. You can trick a computer into believing the Teensy is a keyboard.

    [Nikhil’s] device uses a very simple trick to install files on a target machine. It simply opens up Powershell and runs a one-liner command. Generally, this command will create a file based on input received from a web site controlled by the attacker.

    Protecting from this type of attack can be difficult. Your primary option would be to strictly control USB devices, but this can be difficult to manage, especially in large organizations.

    Dropping infected/weaponized files using a Human Interface Device
    http://www.labofapenetrationtester.com/2015/01/dropping-weaponized-files-using-hid.html

    Reply
  5. Tomi Engdahl says:

    Integrating safety into connected medical devices
    http://www.edn.com/design/medical/4438452/Integrating-safety-into-connected-medical-devices?_mc=NL_EDN_EDT_EDN_today_20150127&cid=NL_EDN_EDT_EDN_today_20150127&elq=330b070af4fc43ddb78a63ef29f6f250&elqCampaignId=21359

    The growing use of electronics in medical equipment has led to new safety standards; these standards, combined with the increased security requirements brought about through increased connectivity, are placing new demands on developers of medical hardware and software. Providing justification for the safety of an unsecure connected device will be extremely difficult, as potential attacks via the network connection can directly impact the safety functions. This means that both safety and security aspects have to be rigorously considered for new designs.

    Over the last few years, microcontroller designers have introduced additional features specifically to help develop safety-related systems. These features are helping software developers tackle the challenges they are facing. For example, support for virtualization in the hardware can help developers use existing, proven code alongside newly developed software without compromising the safety of the overall system.

    The medical equipment industry has been adopting electronics based safety technologies with increasingly more complex designs.

    As systems become connected, either to share data or for remote operation in “telehealth” applications, the security elements of the designs become equally as important as the safety elements. It is impossible to have safety without security. The need for safe and secure devices has therefore resulted in a wide range of safety standards that have to be considered in the development of medical equipment.

    For medical devices and systems, comprehensive risk management is an integral part of ensuring patient safety.

    Integration of safe and secure software with regular applications

    The increasing need for both safety and security is changing the way systems are designed. One of the key considerations of safety design is separation and the need to separate system elements so that the failure or breach in one part of the system does not have a negative effect on another part of the system which may be running safety-related or secure functions.

    Previously, designers used separate processors or even separate system boards to keep safety-related software isolated from regular application software.

    Increasingly these critical and non-critical elements can be combined in a single chip using multiple processor cores, or even on a single core that supports the ability to maintain separation through partitions. Different partitions will be separated in terms of resources and timing. Partitioning also allows other software, that doesn’t need such stringent standard conformance, to be added to a design more easily and without increasing the hardware complexity.

    Virtualization is one key mechanism for increasing the separation between two or more software partitions executing on the same underlying hardware.

    The growth of the connected world is driving new demands on the development of safety-related medical systems. Combining the safety requirements from different medical standards and demonstrating high levels of security is a challenge.

    Reply
  6. Tomi Engdahl says:

    New Technology Detects Cyberattacks By Power Consumption
    http://www.eetimes.com/author.asp?section_id=36&doc_id=1325409&

    Startup’s “power fingerprinting” approach catches stealthy malware within milliseconds in DOE test.

    A security startup launching early next week uses trends in power consumption activity, rather than standard malware detection, to spot cyberattacks against power and manufacturing plants. The technology successfully spotted Stuxnet in an experimental network before the malware went into action.

    PFP Cybersecurity, which officially launches on Monday and was originally funded by DARPA, the Defense Department, and the Department of Homeland Security, basically establishes the baseline power consumption of ICS/SCADA equipment such as programmable logic controllers (PLCs), supervisory relays, or other devices and issues an alert when power consumption or RF radiation changes outside of their baseline usage occur. Such changes could be due to malware, as well as to hardware or system failures, for instance.

    Reply
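The detection idea in the article above (learn a device's normal power draw, alert when it moves outside that baseline) as an added, constructed example; this is not PFP Cybersecurity's own method, and the readings, the 4-sigma band and the three-sample persistence rule are assumptions chosen for the illustration.

```python
"""Baseline-and-deviation detector in the spirit of "power fingerprinting".

Learn the normal power envelope of a PLC from clean samples, then raise an
alert only when readings stay outside it for several consecutive samples,
so a single noisy reading is not an alarm.  All readings are constructed.
"""
from statistics import mean, pstdev
from typing import Optional, Sequence, Tuple

# Constructed: one-second power readings (watts) from a PLC running its
# normal scan cycle, jittering around 12 W.
BASELINE_SAMPLES = [12.0, 12.1, 11.9, 12.2, 12.0, 11.8, 12.1, 12.0, 11.9, 12.1,
                    12.0, 12.2, 11.9, 12.0, 12.1, 11.9, 12.0, 12.1, 12.0, 11.9]

# Constructed: one transient spike; a persistence rule should NOT alert on it.
SPIKE_STREAM = [12.0, 12.1, 13.0, 12.0, 11.9, 12.1]
# Constructed: sustained extra load, as unexpected code on the controller
# would cause; three consecutive readings above the band should alert.
ATTACK_STREAM = [12.0, 12.1, 12.6, 12.7, 12.8, 12.7]
# Constructed: the device's draw collapses.  The article notes that hardware
# failure trips the same kind of alert, here in the "below" direction.
DROPOUT_STREAM = [12.0, 0.3, 0.2, 0.1, 0.0]


class PowerBaseline:
    """Mean/spread model of normal consumption plus a persistence rule."""

    def __init__(self, samples: Sequence[float], k_sigma: float = 4.0,
                 min_run: int = 3) -> None:
        if len(samples) < 2:
            raise ValueError("need at least two baseline samples")
        self.mu = mean(samples)
        # Floor the spread so a perfectly flat baseline does not yield a
        # zero-width band that flags every later reading.
        self.sigma = max(pstdev(samples), 0.01)
        self.k_sigma = k_sigma
        self.min_run = min_run

    def band(self) -> Tuple[float, float]:
        """Lower and upper bounds of the 'normal' power envelope."""
        half = self.k_sigma * self.sigma
        return self.mu - half, self.mu + half

    def deviation(self, watts: float) -> Optional[str]:
        """'above', 'below', or None when the reading is inside the band."""
        lo, hi = self.band()
        if watts > hi:
            return "above"
        if watts < lo:
            return "below"
        return None

    def first_alert(self, stream: Sequence[float]) -> Optional[Tuple[int, str]]:
        """Index and direction of the first reading at which min_run
        consecutive readings have left the band on the same side."""
        run = 0
        direction: Optional[str] = None
        for i, watts in enumerate(stream):
            side = self.deviation(watts)
            if side is None or side != direction:
                run = 0  # a normal reading or a change of side restarts the count
            direction = side
            if side is not None:
                run += 1
                if run >= self.min_run:
                    return i, side
        return None


if __name__ == "__main__":
    model = PowerBaseline(BASELINE_SAMPLES)
    print("normal band (W):", model.band())
    for name, stream in (("spike", SPIKE_STREAM), ("attack", ATTACK_STREAM),
                         ("dropout", DROPOUT_STREAM)):
        print(name, "->", model.first_alert(stream))
```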
  7. Tomi Engdahl says:

    Lizard Squad Hack Adds to Malaysia Airlines’ Woes
    http://www.bloombergview.com/articles/2015-01-26/lizard-squad-hack-adds-to-malaysia-airlines-woes

    Around 10 AM local time on Monday morning, visitors to the Malaysia Airlines website were greeted with an image of one of the carrier’s jets flying above the clouds, and a not very funny message: “404 – Plane Not Found.” The tasteless allusion to the still missing Flight MH370 was signed “Cyber Caliphate” and accompanied by a thumping hip-hop tune; the tab marking the site was changed from “Malaysia Airlines” to “ISIS Will Prevail.”

    Despite appearances, there’s really only one certainty about this bizarre hack: ISIS had nothing to do with it.

    message: “HACKED BY LIZARD SQUAD – OFFICIAL CYBER CALIPHATE.”

    So why hack Malaysia Airlines? In a general sense airlines make rich targets for cyber vandals: they’re high-profile companies that depend on an aura of safety and security, so hackers who pull off an airline hack are rewarded with digital notoriety. Given that airlines are also repositories of customer data ranging from credit cards to passport numbers, there are potential financial rewards, as well. Indeed, the biggest surprise about the Malaysia Airlines attack is that — at a time when movie studios and retailers have been under sustained digital attack — somebody didn’t try to hack and deface a major global air carrier earlier.

    Malaysia Airlines certainly makes up for in notoriety derived from the twin tragedies that befell it in 2014 — flights MH370 and MH17. Those disasters permanently damaged the carrier’s reputation (mostly through no fault of the airline) and today’s hack only served to remind Malaysians, in particular, that their once-proud state-owned flagship has become the airline that simply can’t catch a break. For a hacker interested in garnering some attention, that’s an inviting target.

    There is, of course, one other possible reason that hackers targeted Malaysia Airlines: its website seems likely not to have been as secure as those maintained by other global carriers.

    Meanwhile, there’s increasing evidence that the hack was much more than vandalism. Lizard Squad claims to have found “loot” on Malaysia Airlines servers that it plans to eventually “dump” for public consumption.

    Will customers flock back to the Malaysia Airlines website once it’s back up? If it turns out that, despite the carrier’s denials, user data really was compromised, the impact on the airlines’ business could be serious. The airline that couldn’t catch a break will become the airline that couldn’t keep its customers’ personal information safe.

    Reply
  8. Tomi Engdahl says:

    GHOST security bug in Linux
    http://www.epanorama.net/newepa/2015/01/28/ghost-security-bug-in-linux/

    As I expected the flow of security bugs continues this year. Now the first serious open source bug has been disclosed this year, following last year’s Heartbleed bug in OpenSSL, the Shellshock bug in Bash and the POODLE bug related to the SSL v3 fallback issue.

    The GHOST vulnerability is a serious weakness in the Linux glibc library. Glibc or the GNU C Library is the most common and an open-source form of the C Standard Library, and part of Linux. The GHOST vulnerability allows attackers to remotely take complete control of the victim system without having any prior knowledge of system credentials. CVE-2015-0235 has been assigned to this issue.

    GHOST has been traced back to a buffer overflow flaw in the __nss_hostname_digits_dots() function of glibc, otherwise known as GNU C Library, a core part of nearly all Linux systems, according to Qualys’ Amol Sarwate. CVE 2015-023: Nasty bug in glibc gethostby* functions leads to possible wealth of remote code execution opportunities. The GHOST vulnerability is a serious weakness in the Linux glibc library as it allows attackers to remotely take complete control of the victim system without having any prior knowledge of system credentials. GHOST means attackers could take over Linux servers using something as innocent looking as an email. This comes on the heels of other major vulnerabilities with silly names such as Shellshock, Heartbleed, and POODLE.

    Reply
  9. Tomi Engdahl says:

    ‘Super-secure’ BlackPhone pwned by super-silly txt msg bug
    People always talk about your reputation … Just be good to free()
    http://www.theregister.co.uk/2015/01/27/trivial_hole_left_black_phones_open_to_plunder/

    Exclusive The maker of BlackPhone – a mobile marketed as offering unusually high levels of security – has patched a critical vulnerability that allows hackers to run malicious code on the handsets.

    Attackers need little more than a phone number to send a message that can compromise the devices via the Silent Text application.

    The impact of the flaw is troubling because BlackPhone attracts what hackers see as high-value victims: those willing to invest AU$765 (£415, $630) in a phone that claims to put security above form and features may well have valuable calls and texts to hide from eavesdroppers.

    “Successful exploitation can yield remote code execution with the privileges of the Silent Text application, which runs as a regular Android app, but with some additional system privileges required to perform its SMS-like functionality such as access to contacts, access to location information, the ability to write to external storage, and of course net access,” Dowd said, noting the bug took him about a week to find.

    Reply
  10. Tomi Engdahl says:

    Symantec data centre security software has security holes
    Stop face-palming and start patching – the fixes are out there
    http://www.theregister.co.uk/2015/01/23/symantec_patch_data_centre_security_holes/

    Security bod Stefan Viehböck has detailed holes in Symantec’s data centre security platforms that the company plugged this week because they allowed hackers to gain privilege access to management servers.

    The patches fix holes in the management server for Symantec Critical System Protection (SCSP) 5.2.9 and its predecessor Data Center Security: Server Advanced (SDCS:SA) 6.0.x and 6.0 MP1.

    SEC Consult researcher Stefan Viehböck who found the flaws said the products should not be used until a full security audit was conducted.

    “Attackers are able to completely compromise the SDCS:SA Server as they can gain access at the system and database level,” Viehböck wrote in an advisory.

    Reply
  11. Tomi Engdahl says:

    A critical vulnerability (CVE-2015-0311) exists in Adobe Flash Player 16.0.0.287 and earlier versions for Windows and Macintosh. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system. We are aware of reports that this vulnerability is being actively exploited in the wild via drive-by-download attacks against systems running Internet Explorer and Firefox on Windows 8.1 and below.

    UPDATE (January 24): Users who have enabled auto-update for the Flash Player desktop runtime will be receiving version 16.0.0.296 beginning on January 24. This version includes a fix for CVE-2015-0311.

    Source: http://helpx.adobe.com/security/products/flash-player/apsa15-01.html

    Reply
  12. Tomi Engdahl says:

    China blocks virtual private network use
    http://www.bbc.com/news/technology-30982198

    China has blocked several popular services that let citizens skirt state censorship systems.

    Three providers of Virtual Private Network (VPN) systems reported that updates to China’s firewall had hindered people using their services.

    The providers affected are Astrill, StrongVPN and Golden Frog.

    Many Chinese people use VPNs to visit websites outside the country that they would not be able to reach without the aid of such tools.

    Sites blocked in China include services operated by web giants such as Google, Facebook and Twitter.

    Chinese state media said the blocks had been imposed “for safety”. Reuters reported that a cybersecurity expert at a state-backed think tank said the upgrades to the nation’s firewall had been carried out to preserve China’s “cyberspace sovereignty”.

    The services that have been hit are almost exclusively used by individuals and are often accessed via mobile phones. China has not put any restrictions on the use of VPNs inside large corporations.

    StrongVPN said via its blog that it was “working diligently” to restore access to servers it had in China. I

    Reply
  13. Tomi Engdahl says:

    China the world’s largest spam source

    Security company Sophos has ranked the world’s largest spam-sending countries based on the amount of spam collected by its spam filters.

    Late last year most spam came from China, which rose for the first time to be the world’s largest spam-sending country.

    The USA, which in the past held the number one status as the leading spam country, has now dropped to second place.

    South Korea was third and Russia fourth.

    Source: http://www.digitoday.fi/data/2015/01/28/kiinasta-maailman-suurin-roskapostimaa–tiedatko-kuka-spammaa-eniten-per-asukas/20151149/66?rss=6

    Reply
  14. Tomi Engdahl says:

    Drone Maker Enforces No-Fly Zone Over DC, Hijacking Malware Demonstrated
    http://tech.slashdot.org/story/15/01/29/0145221/drone-maker-enforces-no-fly-zone-over-dc-hijacking-malware-demonstrated

    A recent incident at the White House showed that small aerial vehicles (drones) present a specific security problem. Rahul Sasi, a security engineer at Citrix R&D, created MalDrone, the first backdoor malware for the AR drone ARM Linux system to target Parrot AR Drones, but says it can be modified to target others as well. The malware can be silently installed on a drone, and be used to control the drone remotely and to conduct remote surveillance.

    Drone maker DJI will disable its units over Washington, DC, after White House crash
    Rookie pilots will get a little extra help determining what’s a no-fly zone
    http://www.theverge.com/2015/1/28/7927423/dji-drone-no-fly-white-house-d-c

    Following the crash of one of its Phantom drones at the White House on Monday and a response from President Obama that more regulation of drones was needed, Chinese drone maker DJI will reportedly be disabling its units from flying over the DC area. According to the FAA, it was already against federal regulations to fly in that region, not to mention the fact that the pilot told the Secret Service he was drinking.

    DJI previously stated to The Verge that it programmed its drones to stop flying when they reached a certain distance from airports. Using the GPS, DJI can track a drone’s position at all time and establish which zones are off limits.

    “DJI will release a mandatory firmware update for the Phantom 2, Phantom 2 Vision, and Phantom 2 Vision+ to help users comply with the FAA’s Notice to Airmen (NOTAM) 0/8326, which restricts unmanned flight around the Washington, DC metropolitan area,” the company wrote in a press release this morning. “The updated firmware (V3.10) will be released in coming days and adds a No-Fly Zone centered on downtown Washington, DC and extends for a 25 kilometer (15.5 mile) radius in all directions. Phantom pilots in this area will not be able to take off from or fly into this airspace.”

    Reply
  15. Tomi Engdahl says:

    Adobe’s Latest Zero-Day Exploit Repurposed, Targeting Adult Websites
    http://it.slashdot.org/story/15/01/28/1950215/adobes-latest-zero-day-exploit-repurposed-targeting-adult-websites

    Adobe issued a patch for bug CVE-2015-0311, one that exposes a user’s browser to become vulnerable to code injection, and the now infamous Angler EK (Exploit Kit). To fall victim to this kind of attack, all someone needs to do is visit a website with compromised Flash files, at which point the attacker can inject code and utilize Angler EK, which has proven to be an extremely popular tool over the past year. This particular version of Angler EK is different, however.

    According to FireEye, which has researched the CVE-2015-0311 vulnerability extensively, this exploit has reached people via banner ads on popular adult websites.

    Adobe’s Latest Zero-Day Exploit Repurposed, Going Viral Via Adult Websites
    Read more at http://hothardware.com/news/adobes-latest-zero-day-exploit-repurposed-going-viral-via-adult-websites#qt2q28LTK3pD6wYd.99

    To make sure you’re up-to-date, you can head on over to the official Flash player download page and check

    Reply
  16. Tomi Engdahl says:

    Anonymous No More: Your Coding Style Can Give You Away
    http://developers.slashdot.org/story/15/01/28/1937252/anonymous-no-more-your-coding-style-can-give-you-away

    Researchers from Drexel University, the University of Maryland, the University of Goettingen, and Princeton have developed a “code stylometry” that uses natural language processing and machine learning to determine the authors of source code based on coding style.

    CSI Computer Science: Your coding style can give you away
    http://www.itworld.com/article/2876179/csi-computer-science-your-coding-style-can-give-you-away.html

    New research shows that programmers have ways of writing code which are almost as unique as fingerprints

    Researchers from Drexel University, the University of Maryland, the University of Goettingen, and Princeton have developed a “code stylometry,” which uses natural language processing and machine learning to determine the authors of source code based on coding style. Their findings, which were recently published in the paper “De-anonymizing Programmers via Code Stylometry,” could be applicable to a wide range of situations where determining the true author of a piece of code is important. For example, it could be used to help identify the author of malicious source code and to help resolve plagiarism and copyright disputes.

    The authors based their code stylometry on traditional style features, such as layout (e.g., whitespace) and lexical attributes (e.g., counts of various types of tokens). Their real innovation, though, was in developing what they call “abstract syntax trees” which are similar to parse trees for sentences, and are derived from language-specific syntax and keywords. These trees capture a syntactic feature set which, the authors wrote, “was created to capture properties of coding style that are completely independent from writing style.” The upshot is that even if variable names, comments or spacing are changed, say in an effort to obfuscate, but the functionality is unaltered, the syntactic feature set won’t change.

    Here were some of their key findings:

    - Their code stylometry achieved 95% accuracy in identifying the author of anonymous code.
    - Accuracy rates weren’t statistically different when using an off-the-shelf C++ code obfuscator
    - Coding style is more well defined through solving harder problems. The identification accuracy rate improved when the training dataset was based on more difficult programming problems.

    In any case, though, be aware that your fingerprints are all over your code, for better or for worse.

    Reply
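
The layout-versus-syntax distinction above, as an added example that is not from the article or the cited paper: two constructed versions of the same Python function, one with renamed identifiers, stripped comments and changed indentation, give different layout and lexical features but identical abstract-syntax-tree (parent, child) node-type counts, while a structurally different program for the same task does not. Feature definitions are simplified stand-ins for the paper's feature set.

```python
"""Layout/lexical features vs. syntactic (AST) features of source code.

Added example, not from the article or the paper it cites. The feature
definitions are simplified stand-ins for the paper's feature set.
"""
import ast
from collections import Counter

# Constructed program and an "obfuscated" copy: identifiers renamed, the
# comment removed, indentation changed; behaviour unchanged.
ORIGINAL = '''
def find_max(values):
    # return the largest element, or None for an empty list
    best = None
    for v in values:
        if best is None or v > best:
            best = v
    return best
'''

OBFUSCATED = '''
def a(b):
  c=None
  for d in b:
    if c is None or d>c:
      c=d
  return c
'''

# Constructed program by a "different author": same task, different structure.
OTHER_AUTHOR = '''
def find_max(values):
    if not values:
        return None
    best = values[0]
    for v in values[1:]:
        best = v if v > best else best
    return best
'''


def layout_features(src: str) -> dict:
    """Layout and lexical features of the kind the paper lists:
    indentation, comment lines and identifier length."""
    lines = src.strip("\n").splitlines()
    names = [n.id for n in ast.walk(ast.parse(src)) if isinstance(n, ast.Name)]
    return {
        "avg_indent": sum(len(l) - len(l.lstrip(" ")) for l in lines) / len(lines),
        "comment_lines": sum(1 for l in lines if l.lstrip().startswith("#")),
        "avg_name_len": sum(len(n) for n in names) / len(names),
    }


def ast_bigrams(src: str) -> Counter:
    """Syntactic features: counts of (parent type, child type) pairs in the
    abstract syntax tree. Names, comments and whitespace do not appear."""
    counts: Counter = Counter()
    for parent in ast.walk(ast.parse(src)):
        for child in ast.iter_child_nodes(parent):
            counts[(type(parent).__name__, type(child).__name__)] += 1
    return counts


def cosine(a: Counter, b: Counter) -> float:
    """Cosine similarity between two feature count vectors (1.0 = identical)."""
    keys = set(a) | set(b)
    dot = sum(a[k] * b[k] for k in keys)
    norm_a = sum(v * v for v in a.values()) ** 0.5
    norm_b = sum(v * v for v in b.values()) ** 0.5
    return dot / (norm_a * norm_b)


if __name__ == "__main__":
    print("layout original:  ", layout_features(ORIGINAL))
    print("layout obfuscated:", layout_features(OBFUSCATED))
    print("AST similarity original/obfuscated:",
          cosine(ast_bigrams(ORIGINAL), ast_bigrams(OBFUSCATED)))
    print("AST similarity original/other author:",
          cosine(ast_bigrams(ORIGINAL), ast_bigrams(OTHER_AUTHOR)))
```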
  17. Tomi Engdahl says:

    Book Review: Designing and Building a Security Operations Center
    http://books.slashdot.org/story/15/01/28/180214/book-review-designing-and-building-a-security-operations-center

    Many organizations are overwhelmed by the onslaught of security data from disparate systems, platforms and applications. They have numerous point solutions (anti-virus, firewalls, IDS/IPS, ERP, access control, IdM, single sign-on, etc.) that can create millions of daily log messages. In addition to directed attacks becoming more frequent and sophisticated, there are regulatory compliance issues that place increasing burden on security, systems and network administrators. This creates a large amount of information and log data without a formal mechanism to deal with it. This has led to many organizations creating a security operations center (SOC). A SOC in its most basic form is the centralized team that deals with information security incidents and related issues. In Designing and Building a Security Operations Center, author David Nathans provides the basics on how that can be done.

    An effective SOC provides the benefit of speed of response time to a security incident. Be it a DDoS attack or malware which can spread throughout a corporate network in minutes, and potentially knock out the network, every second counts in identifying these attacks and negating them before they can cause additional damage. Having a responsive SOC can make all the difference in how a firm deals with these security issues.

    The book notes that the SOC is akin to an enterprise nervous system that can gather and normalize vast amounts of log and related data. This can provide continuous prevention, protection and detection by providing response capabilities against threats, remotely exploitable vulnerabilities and real-time incidents on the monitored network.

    When building a SOC, the choices are for the most part doing it yourself (DIY) or using an outsourced managed security service provider (MSSP).

    The truth is that many firms simply don’t have the staff and budget needed to support an internal SOC. They also don’t have the budget for an MSSP. With that, Mike Rothman of Securosis noted that these firms are “trapped on the hamster wheel of pain, reacting without sufficient visibility, but without time to invest in gaining that much-needed visibility into threats without diving deep into raw log files”.

    One important topic the book does not cover is around SIM/SIEM/SEM software. SIEM software can provide a firm with real-time analysis of security alerts generated by network and security hardware, software and other applications.

    Many benefits come from an effective SIEM tool being the backbone of the SOC. A SIEM tool consolidates all data and analyzes it intelligently and provides visualization into the environment. But selecting the appropriate SIEM and correctly deploying it is not a trivial endeavor.

    Book Review: Security Information and Event Management Implementation
    http://books.slashdot.org/story/11/02/23/1328243/book-review-security-information-and-event-management-implementation

    “With many different types of log and audit data, Security Information and Event Management (SIEM) attempts to fix that by aggregating, correlating and normalizing the log and audit data. The end result is a single screen that presents all of the disparate data into a common element. While great in theory, the devil is in the details; and there are plenty of details in deploying a SIEM on corporate networks. Security Information and Event Management Implementation provides a solid introduction, overview and analysis of what a SIEM (also known as SIM, SEM, SEIM and others) is, and what needs to go into it for an effective deployment and operation.”

    As a technology, SIEM provides real-time monitoring and historical reporting of information security events from networks, servers, systems, applications and more. Many firms have deployed SIEM as a method to address regulatory compliance reporting requirements, in addition to using it as a mechanism in which to build a robust information security operation, integrating the SIEM into their security management and incident response areas.

    With that, the good news is that the SIEM market is now at a mature state, with numerous vendors competing off each other. Combined with the level of SIEM adoption, it’s ready for prime time. But ensuring it works in prime time is heavily dependent upon the requirements definitions and planning.

    Reply
  18. Tomi Engdahl says:

    TopSec Mobile
    Tap-proof phone calls
    http://www.rohde-schwarz.fi/fi/tuotteet/IT-Security/End-To-End_Encryption/TopSec_Mobile.html

    The TopSec Mobile is a mobile encryption device for tap-proof end-to-end voice calls using smartphones, PCs, fixed-network phones and satellite terminals.

    Companies and government authorities use telephones and smartphones to share confidential information. However, voice calls, particularly on mobile devices, can be easily tapped and recorded. This is why official secrets and confidential company data must be protected by powerful encryption.

    It is an external encryption device that connects to smartphones, PCs and satellite terminals via Bluetooth®.

    Reply
  19. Tomi Engdahl says:

    Integrating safety into connected medical devices
    http://www.edn.com/design/medical/4438452/Integrating-safety-into-connected-medical-devices?elq=8b67645dc5ef4b4987c5da2404f8219e&elqCampaignId=21380

    The growing use of electronics in medical equipment has led to new safety standards; these standards, combined with the increased security requirements brought about through increased connectivity, are placing new demands on developers of medical hardware and software. Providing justification for the safety of an unsecure connected device will be extremely difficult, as potential attacks via the network connection can directly impact the safety functions. This means that both safety and security aspects have to be rigorously considered for new designs.

    Reply
  20. Tomi Engdahl says:

    Secure Because Math: Understanding Machine Learning-based Security Products
    https://www.blackhat.com/html/webcast/02192015-secure-because-math.html

    It seems that Machine Learning is the new hotness in Information Security. A huge number of security startups claim that their product will defend or detect more effectively than any other product “because math” and because of how they use “big data and stuff.”

    Indeed, math is powerful and large-scale machine learning is an important cornerstone of many of the information systems that we use today. However, not all algorithms and techniques are born equal. Machine Learning is a most powerful tool box, but not every tool can be applied to every problem and that’s where the pitfalls lie.

    Reply
  21. Tomi Engdahl says:

    Quantum Entanglement Now On-a-Chip
    Breakthrough 20 micron enables uncrackable encryption
    http://www.eetimes.com/document.asp?doc_id=1325446&

    Quantum computing promises to revolutionize future computers, enabling pint-sized hardware to outperform room-filling supercomputers, plus offers uncrackable encryption that foils all hackers no matter how skillful they are. The missing piece of the quantum puzzle was called “spooky action at a distance” by Einstein, namely a reliable source of entangled photons that mirror each other’s state no matter how far apart, on standard CMOS silicon chips.

    Now Italian scientists at the Università degli Studi di Pavia, in cooperation with the University of Glasgow and the University of Toronto, claim to have surmounted this last engineering hurdle.

    “The idea is that pumping laser light inside a tiny ring enhances the probability of two photons interacting. We therefore decided that this enhancement could be used, in particular, for the production of entangled photon pairs,” professor Daniele Bajoni at the Università degli Studi di Pavia told EE Times. “In previous works, we discovered that confining light inside a ring resonator greatly enhances the interaction between light and matter, but our new results were realized by design, not by chance.”

    “The most typical algorithm for quantum cryptography using entanglement is the so-called Eckert protocol. In essence two parties (generally named Alice and Bob) exchange a set of entangled photon pairs, let us say idler photons are sent to Alice and signal photons are sent to Bob. Alice performs certain measurements on her photons, obtaining random results (let us say 1100101). If Bob performs the correct measurements on his photons, because of the entanglement, he will get the same string of random bits as Alice. The two can then use this string of random bits to encrypt signals to be sent on normal channels,” Bajoni told us. “If someone eavesdrops the exchange of entangled photons between Alice and Bob, this action will change the properties of the photons, so that Alice and Bob can know if there is an eavesdropper: this makes the communication intrinsically secure.”

    Reply
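
The exchange Bajoni describes, as an added example that is not from the article or from his group: a classical Monte Carlo simulation of the entanglement-based key exchange in its simplified form that keeps only the rounds where Alice and Bob chose the same measurement basis (the BBM92 variant). It shows why an eavesdropper who measures and re-sends the photons is detectable: her measurements break the correlation, which appears as an error rate in the sifted bits. The detection threshold is an assumption for this toy model, and the full E91 Bell-inequality test is not implemented.

```python
"""Toy simulation of entanglement-based key exchange with eavesdropper detection.

Added example, not from the article or from Bajoni's group. Quantum behaviour
is replaced by the classical rule: both halves of a pair measured in the same
basis give the same random bit; measured in different bases, independent bits.
"""
import random

# Assumed threshold for this toy model: the sifted-key error rate above which
# Alice and Bob discard the exchange. An intercept-and-resend eavesdropper who
# reads every photon produces about 25% errors (see measure_pair).
QBER_THRESHOLD = 0.11


def measure_pair(rng, a_basis, b_basis, eavesdrop):
    """Return (alice_bit, bob_bit) for one entangled photon pair.

    Bases are 0 or 1. Alice measures first; afterwards Bob's photon behaves as
    if prepared with alice_bit in a_basis. If Eve is on the channel she
    measures it in a random basis and resends what she saw: half the time her
    basis is wrong, and then Bob's result is random even when his basis
    matches Alice's, giving a 1/2 * 1/2 = 25% error rate in the sifted key.
    """
    alice_bit = rng.randrange(2)
    state_basis, state_bit = a_basis, alice_bit
    if eavesdrop:
        e_basis = rng.randrange(2)
        e_bit = state_bit if e_basis == state_basis else rng.randrange(2)
        state_basis, state_bit = e_basis, e_bit  # photon Eve resends to Bob
    bob_bit = state_bit if b_basis == state_basis else rng.randrange(2)
    return alice_bit, bob_bit


def run_exchange(n_pairs, eavesdrop=False, seed=1):
    """Exchange n_pairs pairs, sift on matching bases over the public channel,
    and return (qber, sifted_length, alice_key)."""
    rng = random.Random(seed)
    alice_key, bob_key = [], []
    for _ in range(n_pairs):
        a_basis, b_basis = rng.randrange(2), rng.randrange(2)
        a_bit, b_bit = measure_pair(rng, a_basis, b_basis, eavesdrop)
        # Rounds with different bases carry no correlation and are discarded.
        if a_basis == b_basis:
            alice_key.append(a_bit)
            bob_key.append(b_bit)
    # In practice a sample of the sifted key is compared publicly to estimate
    # the error rate; here the whole key is compared for clarity.
    errors = sum(a != b for a, b in zip(alice_key, bob_key))
    qber = errors / len(alice_key) if alice_key else 0.0
    return qber, len(alice_key), alice_key


def eavesdropper_detected(qber):
    """Alice and Bob abort when the error rate exceeds the assumed threshold."""
    return qber > QBER_THRESHOLD


if __name__ == "__main__":
    for tapped in (False, True):
        qber, n, _ = run_exchange(4000, eavesdrop=tapped)
        print(f"eavesdrop={tapped}: sifted bits={n} QBER={qber:.3f} "
              f"detected={eavesdropper_detected(qber)}")
```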
  22. Tomi Engdahl says:

    Cybercriminals Encrypt Website Databases in “RansomWeb” Attacks
    http://www.securityweek.com/cybercriminals-encrypt-website-databases-%E2%80%9Cransomweb%E2%80%9D-attacks

    Malicious actors are encrypting website databases and holding them for ransom, Switzerland-based security firm High-Tech Bridge revealed on Wednesday.

    File encrypting ransomware has become highly problematic for both regular Internet users and organizations. However, researchers at High-Tech Bridge have spotted a new type of attack that threatens businesses.

    The technique, dubbed “RansomWeb,” targets sensitive information stored in website databases. These attacks require a lot of patience, but they can be highly profitable for cybercriminals.

    The attackers first compromise the targeted company’s Web application. Then, they modify server scripts so that data is encrypted on-the-fly before it’s inserted into the database. This encryption process happens over a long period of time to avoid raising any suspicion. Once the data is encrypted, victims are sent a ransom demand.

    In one operation observed by researchers, the attackers encrypted the database of a financial company over a six-month period. During this time, even the backups were overwritten with encrypted entries, making it difficult to recover the data.

    In this particular attack, only critical fields in the database were targeted by the cybercriminals, most likely in an effort to reduce the impact on the Web application’s performance.

    The encryption key is stored on a remote Web server accessible only via HTTPS. However, once the encryption process is completed, the key is removed from the server.

    “We are probably facing a new emerging threat for websites that may outshine defacements and DDoS attacks. RansomWeb attacks may cause unrepairable damage, they are very easy to cause and pretty difficult to prevent,” said Ilia Kolochenko, CEO of High-Tech Bridge. “Days when hackers were attacking websites for glory or fun are over, now financial profit drives them. The era of web blackmailing, racket and chantage is about to start.”

    Reply
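
A defender-side check for the pattern described above, as an added example that is not from the article or from High-Tech Bridge: since a tampered insert script stores ciphertext where a formatted value should be, a periodic plausibility scan of sensitive columns (format check plus per-character entropy) flags the encrypted fields, and the lowest affected row id helps pick a backup taken before the tampering started. The table, column names, formats, thresholds and rows are all constructed for the demonstration.

```python
"""Plausibility scan for silently encrypted database fields (RansomWeb pattern).

Added example, not from the article or High-Tech Bridge. Everything below
(table, expected formats, thresholds, rows) is constructed for illustration.
"""
import math
import re
from collections import Counter

# Constructed snapshot of a customers table. Rows 4 and 5 hold values the way a
# tampered insert script would store them: encoded ciphertext instead of an
# e-mail address and an IBAN-style account number.
LIVE_ROWS = [
    {"id": 1, "email": "alice@example.com", "account_no": "FI21 1234 5600 0007 85"},
    {"id": 2, "email": "bob@example.org", "account_no": "FI14 2234 5600 0009 28"},
    {"id": 3, "email": "carol@example.net", "account_no": "FI37 3234 5600 0001 11"},
    {"id": 4, "email": "u7Qd9XpL2mKfW0eR3sVb8YnTzA1cHo6J",
     "account_no": "P4gZ1kM8wQ2sLx9vC0bN5rT7yH3jD6fE"},
    {"id": 5, "email": "Rk8vN2qT6yB1xM4cJ9wL3hZ7pG0sD5aF",
     "account_no": "X3mV7bQ1nK9cR4tY2hW8zL5pS0gJ6dA"},
]

# Expected format per monitored column (constructed for the example).
EXPECTED = {
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$", re.I),
    "account_no": re.compile(r"^[A-Z]{2}\d{2}(?: ?\d{4}){3,7}(?: ?\d{1,4})?$"),
}

# Assumed threshold: encoded ciphertext has near-uniform character use, so its
# per-character entropy is far above that of names, addresses or numbers.
ENTROPY_THRESHOLD = 3.5  # bits per character


def shannon_entropy(value: str) -> float:
    """Per-character Shannon entropy of a string, in bits."""
    if not value:
        return 0.0
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())


def looks_encrypted(column: str, value) -> bool:
    """A value is suspicious when it breaks the column's format AND has the
    high entropy of encoded ciphertext; a merely malformed value is not."""
    pattern = EXPECTED.get(column)
    if pattern is None or not isinstance(value, str):
        return False
    return not pattern.match(value) and shannon_entropy(value) >= ENTROPY_THRESHOLD


def scan(rows) -> dict:
    """Return {column: fraction of suspicious values} for each monitored column."""
    report = {}
    for column in EXPECTED:
        values = [r[column] for r in rows if column in r]
        bad = sum(looks_encrypted(column, v) for v in values)
        report[column] = bad / len(values) if values else 0.0
    return report


def first_suspicious_id(rows, column: str):
    """Lowest id whose value looks encrypted, or None if the column is clean.
    A backup that predates this row is a candidate for clean recovery."""
    ids = sorted(r["id"] for r in rows if looks_encrypted(column, r.get(column)))
    return ids[0] if ids else None


def alert(report: dict, max_fraction: float = 0.0):
    """Columns whose suspicious fraction exceeds what is tolerated."""
    return sorted(c for c, f in report.items() if f > max_fraction)


if __name__ == "__main__":
    report = scan(LIVE_ROWS)
    print("suspicious fraction per column:", report)
    print("columns to alert on:", alert(report))
    for column in EXPECTED:
        print(f"first suspicious id in {column}:", first_suspicious_id(LIVE_ROWS, column))
```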
  23. Tomi Engdahl says:

    DDoS-For-Hire Services Market Leads to Boom in DDoS Attacks: Akamai
    http://www.securityweek.com/ddos-hire-services-market-leads-boom-ddos-attacks-akamai

    Cybercrime is an industry, and a growing market in that industry belongs to those ready to offer distributed denial-of-service attacks for a price, according to a new report from Akamai Technologies.

    In its Q4 2014 State of the Internet report, Akamai’s Prolexic Security Engineering and Research Team (PLXsert) blamed DDoS-for-hire services for the rise in reflection-based DDoS attacks. Nearly 40 percent of all DDoS attacks during the quarter used reflection techniques, which rely on Internet protocols that respond with more traffic than they receive and do not need an attacker to gain control over the server or the device.

    According to the report, the expansion of DDoS-for-hire services also promoted the use of multi-vector campaigns.

    There are several reasons why an attacker would choose to launch a multi-vector attack, explained John Summers, vice president of Akamai’s security business. For example, such attacks could be used to impact multiple components of an enterprise’s backend infrastructure simultaneously, or make an attack more difficult to block.

    “Running a modern web site means using multiple systems in coordination: DNS servers, web servers, application servers, login/authentication servers, identity directories, site search servers, content management systems and databases,” he told SecurityWeek. “Being able to bring down any one of these back end infrastructures can result in the entire site being disabled. Often it can be easier to bring down a site by focusing an attack on one of these backend systems. DNS servers, login systems and content management systems are frequent targets.”

    “Attackers often use multiple different kinds of attacks vectors so that blocking any one still allows the other attack vectors to pass through and continue to damage the site,” he added. “This is also why attackers frequently change attack vectors during an attack to continuously evade enterprise defenses.”

    The tactic is also used to distract from data theft or fraud attempts, he noted.

    Reply
  24. Tomi Engdahl says:

    Security Budgets Are Up – But Are We Spending Wisely?
    http://www.securityweek.com/security-budgets-are-are-we-spending-wisely

    In plain terms, 2014 sucked for information security. Mega-breaches at retailers, insider theft at banks, and human error at universities and hospitals. The silver lining may be the fact that senior managers are finally realizing their organizations have to do a better job of securing their networks, users, and data.

    Numerous studies over the past few months have shown that organizations are talking about security. Board directors want to know what is being done and senior executives are working with security managers to launch security initiatives. Many organizations are appointing their very first CISOs. In fact, several reports released this month paint a picture of executives increasingly being more aware and investing real budget dollars to improve their security defenses as a result.

    “Senior management gets a wake up call and realizes the need for a stronger cyber defense posture,” according to the report.

    The fact that information security will be getting a larger piece of the IT budget this year actually makes the findings of Trustwave’s “Security on the Shelf” report even more worrisome. A survey conducted by Osterman Research on the behalf of Trustwave found that many companies had already-paid-for software lying around unused, or had some protective features that weren’t being utilized. In the average organization, “only” 4.8 percent of security-related software was not being used at all, and 23.5 percent was working, but could be better, the report found. One company claimed 60 percent of its security software was shelfware.

    All that new spending, and the chances of the technology not being used at all is unnervingly high. The studies suggest that despite increased spending, organizations aren’t necessarily getting more security than previous years.

    Organizations in the survey said 19 percent of their security infrastructure was cloud based or managed services in 2014, and expect that figure to change to 28 percent in 2015.

    “The economics are simply too attractive to pass up,”

    Reply
  25. Tomi Engdahl says:

    Insider Threat Denial: The Driverless Car of the Enterprise
    http://www.securityweek.com/insider-threat-denial-driverless-car-enterprise

    Many modern attacks rely on insiders, whether they are malicious administrators with access often beyond their needs, or external attackers appropriating credentials without the user’s knowledge.

    If people are today’s weakest security link, then many organizations are being childish by being in denial about how adequately they are addressing the risk.

    Can’t we just get rid of the people?

    If you are a security professional, you probably have had dreams of eliminating the weak links. The likelihood of that happening is no better than getting robot cars in the very near future. Still, throwing technology at the problem is tempting, just like it’s tempting to believe that driverless cars are just around the corner.

    Professionals are cautious of over-reliance on automation

    Expecting that policies coupled with incomplete automated enforcement will sufficiently mitigate the insider risk is just as foolish as enabling the diversion of driver attention with inadequate automobile automation.

    But yes, people are still the problem

    The key element of Access Governance is the access certification process. On a regular basis (usually every 6-12 months), business managers are required to acknowledge whether their employees have an appropriate level of access to applications or not.

    This is a helpful detective control for access privileges that have outlived their necessity.

    Like the car with no steering wheel representing a dot out on the horizon, fully automated certifications are not going to replace manual certifications any time soon. But there are enhancements that can be made to augment certifications with information that will reduce the insider threat.

    The future approach needs to take into account two deficiencies:

    1. Business managers have limited bandwidth and attention for certifications.

    2. Even perfect certifications cannot account for rogue administrators or privileges that have been stolen by outsiders.

    To address these deficiencies, the future of Access Governance must provide two key capabilities:

    1. Better prioritization of access certifications informed by risk. If a business manager is asked only to review in-depth a few high-risk entitlements, they are more likely to take the action seriously.

    2. The 6-12 month certification mindset must be changed. Monitoring how insiders use their access, and alerting on abnormal behavior to trigger an ad-hoc certification, can result in better control.

    Reply
  26. Tomi Engdahl says:

    Andrew Jacobs / New York Times:
    China acknowledges targeting VPN services to foster the “healthy development” of the nation’s internet, says VPNs are illegal

    China Further Tightens Grip on the Internet
    http://www.nytimes.com/2015/01/30/world/asia/china-clamps-down-still-harder-on-internet-access.html?_r=0

    Gmail has become almost impossible to use here, and in recent weeks the authorities have gummed up Astrill, the software Ms. Jing and countless others depended on to circumvent the Internet restrictions that Western security analysts refer to as the Great Firewall.

    By interfering with Astrill and several other popular virtual private networks, or V.P.N.s, the government has complicated the lives of Chinese astronomers seeking the latest scientific data from abroad, graphic designers shopping for clip art on Shutterstock and students submitting online applications to American universities.

    But earlier this week, after a number of V.P.N. companies, including StrongVPN and Golden Frog, complained that the Chinese government had disrupted their services with unprecedented sophistication, a senior official for the first time acknowledged its hand in the attacks and implicitly promised more of the same.

    The move to disable some of the most widely used V.P.N.s has provoked a torrent of outrage among video artists, entrepreneurs and professors who complain that in its quest for so-called cybersovereignty — Beijing’s euphemism for online filtering — the Communist Party is stifling the innovation and productivity needed to revive the Chinese economy at a time of slowing growth.

    Multinational companies are also alarmed by the growing online constraints. Especially worrisome, they say, are new regulations that would force foreign technology and telecom companies to give the government “back doors” to their hardware and software and require them to store data within China.

    On Tuesday, however, a senior official at the Ministry of Industry and Information Technology acknowledged that the government was targeting V.P.N.s to foster the “healthy development” of the nation’s Internet and he announced that such software was essentially illegal in China. “The country needs new methods to tackle new problems,”

    Reply
  27. Tomi Engdahl says:

    Andy Greenberg / Wired:
    Prosecutors Trace $13.4M in Bitcoins From the Silk Road to Ulbricht’s Laptop — If anyone still believes that bitcoin is magically anonymous internet money, the US government just offered what may be the clearest demonstration yet that it’s not. A courtroom PowerPoint presentation traced hundreds …

    Prosecutors Trace $13.4M in Bitcoins From the Silk Road to Ulbricht’s Laptop
    http://www.wired.com/2015/01/prosecutors-trace-13-4-million-bitcoins-silk-road-ulbrichts-laptop/

    Reply
  28. Tomi Engdahl says:

    Natasha Lomas / TechCrunch:
    CyLon, Europe’s first cyber security incubator launches in London

    Europe Gets A Cyber Security Incubator
    http://techcrunch.com/2015/01/27/cylon/

    London’s — and Europe’s — crowded startup accelerator scene is getting a new addition. Not fintech-related, this time. Rather the focus is cyber security.

    The Cyber London (CyLon for short) 12-week program

    CyLon’s program will be managed by the Ignite accelerator, and is being run as a not-for-profit, financed by a variety of sponsors

    So this is about proximity to promising security startups to help with deal flow in the case of investors, and the chance to pick up future clients in the case of the legal and consultancy firms. Although Luff stressed there won’t be any limits placed on the startups in terms of who they can or can’t work with.

    CyLon also has an advisory board to help steer the program.

    The criteria for choosing teams to enter the CyLon business bootcamp are being left “quite broad”, according to Luff, to maximize interest and help establish the program. “We are defining this as ‘cyber and information security technologies or products’. That is quite deliberate because we want to encourage a good number of people to take an interest in the program and to apply,” he told TechCrunch.

    Security rising

    CyLon’s launch PR claims it as “Europe’s first business accelerator program and incubator space dedicated to developing and supporting cyber security startups”. Luff said the timing is right for this to happen because of how Internet security issues have generally been propelled up the agenda — for consumers and businesses alike.

    “Most people now are far more aware of this issue and its importance,”

    Why should security startups come to London? Being located within a global financial services hub is of course one potential draw, with banking companies obvious targets for selling encryption and other security tech innovations.

    U.K. government intelligence agencies also evidently have money to spend on security.

    However there are some strong cross-currents pushing in the opposite direction too, given those same U.K. intelligence agencies are conflating national security with dragnet digital surveillance. Last year the head of GCHQ warned publicly about the ‘dangers’ to national security posed by Internet companies’ use of secure communications — effectively making an appeal to them not to use end-to-end encryption.

    Reply
  29. Tomi Engdahl says:

    Intel Announces Broadwell vPro Processors: Wireless Docking and More
    by Stephen Barrett on January 29, 2015 7:00 AM EST
    http://www.anandtech.com/show/8943/intel-announces-broadwell-vpro-processors-wireless-docking-and-more

    While Intel formally announced availability of Broadwell-U processors at CES this year, vendors did not actually have any devices available for purchase containing Intel vPro technology. Today that changes, as Intel states the HP Elite x2 1011 and several devices from Fujitsu sporting 5th Generation Intel vPro processors are now available with more to arrive shortly. Businesses that rely on vPro’s management features are now able to purchase new laptops containing Intel’s Broadwell-U processors with vPro features.

    If you’re not familiar with vPro, this is primarily an out-of-band management technology that Intel builds into several of their products such as SSDs, NICs, WiFi cards, chipsets, and CPUs. Intel brands their out-of-band management as Intel Active Management Technology (AMT). While many business professionals experience IT management such as software updates and group policy enforcement, these are all at the OS level. Intel AMT provides IT tools at the hardware level, which means remote PCs can be accessed even when the OS is down or the power is off.

    For example, if a device is lost containing sensitive data, AMT could be used to access location services of the device, restrict access, or even erase data. Another neat feature of AMT is using an integrated VNC server, allowing remote monitoring of the Intel integrated graphics feed and even keyboard/mouse control. Going even further, Intel AMT can even redirect the boot process of a PC to an IT provided remote image.

    Over time, vPro has broadened to include more than just Intel AMT. Importantly, vPro also includes Intel Trusted Execution Technology (TXT), which works with a Trusted Platform Module (TPM) to secure a device against low level attacks and provide unique secure device identifiers to management systems. With Broadwell vPro processors, Intel is again expanding vPro to encompass more technology with Intel Wireless Docking and Intel Pro Wireless Display. It is important to note that these features are available to manufacturers using a vPro package from Intel, but each device may not implement them.

    Finally, Intel Identity Protection Technology (IPT) now supports multi-factor authentication. This provides IT with more options to specify which authentication factors can be used for enterprise applications, such as a paired Bluetooth device.

    Reply
  30. Tomi Engdahl says:

    FTC Urges Safeguards for ‘Internet of Things’
    http://www.securityweek.com/ftc-urges-safeguards-internet-things

    Washington – A US government consumer watchdog agency called Tuesday for better privacy and security to be built into the myriad of connected devices, for fitness, smart homes or other uses.

    The “Internet of Things” guidelines released by the US Federal Trade Commission stop short of a new regulatory effort but nonetheless provoked critics who said the agency is overstepping its authority.

    “Not only is deeply personal information at stake but as you have more and more devices it means there is more potential for exposure,” Ramirez told the “State of the Net” conference.

    “If you want these new technologies to flourish, you want to make sure consumers understand what is happening, understand what is being collected, with whom that information is being shared, how this information is being used.”

    The FTC last year studied 12 mobile fitness apps and found they shared data with 76 separate entities.

    The agency urged companies to “build security into their devices at the outset, rather than as an afterthought” and to conduct a privacy or security risk assessment.

    Reply
  31. Tomi Engdahl says:

    Danish Secunia publishes regular reports on the contents of PC users' machines in different countries. The good news for Finnish PC users is that information security is at the same level as elsewhere. The bad news is that security is really in a bad way.

    On average, the Finnish PC user has 70 programs on their computer, of which 41 per cent come from Microsoft. 7.9 percent of users surf the web with a machine whose operating system has not received critical security updates.

    Almost half, or 48 per cent, of the hazards threatening PCs are due to Microsoft's programs. Fortunately, Microsoft patches these holes through one mechanism (Windows Update).

    The bigger problem for the basic user is the 20 to 30 third-party programs, each of which has to be patched on its own, with a process that differs from one program to the next. As a result, nearly half, or 45 percent, of users are running an old version of Java with holes in it on their machine.

    Cyber criminals know that end users find updating programs, and even operating systems, difficult. As a result, a large part of the installed base is relatively easy to capture for misuse.

    Source: http://www.etn.fi/index.php?option=com_content&view=article&id=2349:raportti-antaa-synkan-kuvan-suomalaisesta-pc-kayttajasta&catid=13&Itemid=101

    Secunia PSI Country Report – Q4 2014: Finland
    http://secunia.com/?action=fetch&filename=PSI-Country-Report-%28FI%29-%282014Q4%29.pdf

    Reply
  32. Tomi Engdahl says:

    Verizon Wireless to Allow Complete Opt Out of Mobile ‘Supercookies’
    http://bits.blogs.nytimes.com/2015/01/30/verizon-wireless-to-allow-complete-opt-out-of-mobile-supercookies/?_r=0

    Verizon Wireless, which has been under fire by privacy advocates since late last year, has decided to make a major revision to its mobile ad-targeting program. Users who do not want to be tracked with an identifier that Verizon uses for ad-targeting purposes will soon be able to completely opt out, the company said on Friday.

    Reply
  33. Tomi Engdahl says:

    Antonia Massa / Bloomberg Business:
    Uber’s internal privacy review recommendations: add whistleblower hotline, improve training, customer data access, and privacy disclosure practices

    Uber to Improve Privacy Program After Stumble, Review Says
    http://www.bloomberg.com/news/articles/2015-01-30/uber-needs-to-improve-privacy-program-after-stumble-review-says

    Uber Technologies Inc. should expand its privacy program to improve disclosures, training and employee accountability, according to an internal review that the company commissioned after a customer-data controversy.

    The report caps a controversial episode for Uber. In November, a top executive of the San Francisco-based company, Emil Michael, suggested Uber was willing to spend a million dollars to look into journalists’ personal lives. The company also began an investigation into a manager who tracked a reporter’s whereabouts on Uber without her permission.

    The revelations caused a backlash. U.S. Senator Al Franken, a Minnesota Democrat who chairs the Senate subcommittee on privacy, technology and the law, sent Uber Chief Executive Officer Travis Kalanick letters questioning the company’s privacy policies, including which employees can access a tool called “God View” that shows customer information.

    The brouhaha was a black eye for Uber, which is the most valuable privately held U.S. technology company, with a valuation of $40 billion. The startup is rapidly raising money as it works to expand globally.

    In a blog post, Uber said it realizes that with its fast growth, “we haven’t always gotten it right.”

    Reply
  34. Tomi Engdahl says:

    Chinese Walls and Back Doors
    http://www.eetimes.com/author.asp?section_id=36&doc_id=1325473&

    Qualcomm and U.S. industry are the losers as China’s antitrust regulators help build a new wall around China’s semiconductor industry.

    The need to build Chinese walls in the semiconductor industry is taking on a completely new significance as China’s antitrust regulators start to flex their muscles.

    The implications affect global companies that aim to keep their foothold in China’s semiconductor market — which by 2012 became the world’s largest, accounting for 52 percent of total demand — that continues to lead industry growth.

    The key chipmakers impacted by China’s antitrust initiatives include Qualcomm of the US and MediaTek of Taiwan as well as emerging Chinese companies such as Semiconductor Manufacturing International Corp. (SMIC) and Spreadtrum Communications. The Chinese government, which has aimed to make semiconductors a pillar industry for years, is using antitrust issues to create a level playing field for domestic companies.

    The Wall Street Journal on January 27 reported that China’s central government has asked Spreadtrum to custom design “safe phone” processors for officials’ smartphones that in one to two years may replace chips from U.S. suppliers which Beijing suspects may contain back doors to aid foreign spying. To be sure, China may be justified in protecting itself from national security risks, following revelations about U.S. surveillance activities by former National Security Agency contractor Edward Snowden.

    China’s antitrust probe of Qualcomm may already be taking a toll on the world’s largest maker of smartphone chips, which today said it has cut expectations for sales and profit this year after losing semiconductor orders and facing stronger competition in China.

    Reply
  35. Tomi Engdahl says:

    IT professionals are very careless

    Intel Security commissioned a study from MSI Research that examined corporate IT professionals' behaviour on public, open Wi-Fi networks. The results show that one in three regularly connects a work laptop or smartphone to public networks.

    The results show, according to the researchers, that the image of data security painted in the workplace is very different from practice in leisure time.

    The results show that 78 per cent use their private devices in the workplace.

    79 percent use their work devices for private affairs unrelated to work, so the boundaries between the devices' uses have become virtually completely blurred.

    65 percent of those surveyed were of the opinion that it is the company's IT department's job to protect the private data on their computer.

    Gartner has estimated that within the next two years, half of the world's companies will have allowed the use of personal devices at work. This BYOD policy (Bring Your Own Device) is still at an early stage, and security issues, for example, are far from resolved.

    Source: http://www.etn.fi/index.php?option=com_content&view=article&id=2362:it-ammattilaisetkin-ovat-hyvin-huolimattomia&catid=13&Itemid=101

    Reply
  36. Tomi Engdahl says:

    Google Avoids Fine In UK But Will Change Its Privacy Policies
    http://news.slashdot.org/story/15/02/02/0215227/google-avoids-fine-in-uk-but-will-change-its-privacy-policies

    Google will alter UK privacy policies but avoids fine from ICO
    http://www.v3.co.uk/v3-uk/news/2392883/google-will-alter-uk-privacy-policies-but-avoids-fine-from-ico

    Google will change its privacy policies in the UK to make it clearer how the company’s services gather and use data on individuals, after a ruling by the Information Commissioner’s Office (ICO).

    The ICO has now announced that Google’s policies were too vague and has set out a list of requirements to which Google must adhere in addressing the regulator’s concerns.

    These have been agreed to by Kent Walker, general counsel at Google, in an undertaking with the ICO.

    These include making Google’s Privacy Policy easier to find, providing more information on data processing activities, such as the type and purpose of the collection, and clarifying individuals’ rights concerning what is done with this data.

    Google must also revise the Privacy Policy to “avoid indistinct language where possible”, and improve the training given to staff about notice and consent requirements for data gathering.

    Reply
  37. Tomi Engdahl says:

    John Bohannon / Science:
    Researchers correlate anonymized credit card transactions with as few as 3 pieces of outside data, like location info, to trace an individual’s transactions

    Credit card study blows holes in anonymity
    http://www.sciencemag.org/content/347/6221/468.full

    For social scientists, the age of big data carries big promises: a chance to mine demographic, financial, medical, and other vast data sets in fine detail to learn how we lead our lives. For privacy advocates, however, the prospect is alarming. They worry that the people represented in such data may not stay anonymous for long. A study of credit card data in this week’s issue of Science (p. 536) bears out those fears, showing that it takes only a tiny amount of personal information to de-anonymize people.

    The result, coming on top of earlier demonstrations that personal identities are easy to pry from anonymized data sets, indicates that such troves need new safeguards. “In light of the results, data custodians should carefully limit access to data,”

    But because each individual’s spending pattern is unique, the data have a very high “unicity.” That makes them ripe for what de Montjoye calls a “correlation attack.” To reveal a person’s identity, you just need to correlate the metadata with information about the person from an outside source.

    Just knowing an individual’s location on four occasions was enough to fingerprint 90% of the spenders. And knowing the amount spent on those occasions—the equivalent of a few receipts from someone’s trash—made it possible to de-anonymize nearly everyone and trace their entire transaction history with just three pieces of information per person.

    One way to protect against correlation attacks is to blur the data by binning certain variables. For example, rather than revealing the exact day or price of a transaction, the public version of the data set might reveal only the week in which it occurred or a price range within which it fell. Binning did not thwart de Montjoye’s correlation attack; instead, it only increased the amount of information needed to de-anonymize each person to the equivalent of a dozen receipts.

    Reply
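The "unicity" measurement described in the comment above, as an added illustration (not the study's data or code): a constructed synthetic transaction set is built, and for each person k of their own points are drawn and checked against everyone else, with and without the binning the article mentions. Population size, number of shops, days and price bands are assumptions chosen to make the effect visible.

```python
"""Unicity of a transaction dataset: the fraction of people who are the ONLY
match for k of their own (shop, day[, amount]) points. Added illustration on a
CONSTRUCTED synthetic dataset; all sizes are assumptions."""
import random
from collections import defaultdict


def make_dataset(n_people, n_shops, n_days, tx_per_person, seed):
    """Constructed transactions: each person gets random (shop, day, amount) records."""
    rng = random.Random(seed)
    return {
        pid: [(rng.randrange(n_shops), rng.randrange(n_days), rng.randrange(1, 200))
              for _ in range(tx_per_person)]
        for pid in range(n_people)
    }


def unicity(data, k, project, seed=0):
    """Fraction of people uniquely re-identified from k of their own points.

    `project` maps a raw transaction to what the released dataset would show,
    so the same function models both exact release and binned release. The
    sampled points depend only on `seed`, so projections can be compared on
    identical draws."""
    rng = random.Random(seed)
    index = defaultdict(set)          # released point -> people who have it
    for pid, txs in data.items():
        for tx in txs:
            index[project(tx)].add(pid)
    unique = 0
    for pid, txs in data.items():
        sample = rng.sample(txs, k)   # the "k receipts" an attacker might hold
        candidates = set.intersection(*(index[project(tx)] for tx in sample))
        if candidates == {pid}:
            unique += 1
    return unique / len(data)


# Three release policies for the same raw data
def shop_day(tx):
    return (tx[0], tx[1])


def shop_day_amount(tx):
    return (tx[0], tx[1], tx[2])


def binned(tx):
    """Coarsened release: week instead of day, 50-unit price band instead of price."""
    return (tx[0], tx[1] // 7, tx[2] // 50)


def run_experiment(k):
    """Unicity for the three release policies at a given k (assumed population)."""
    data = make_dataset(n_people=2000, n_shops=50, n_days=30, tx_per_person=30, seed=1)
    return {
        "shop+day": unicity(data, k, shop_day),
        "shop+day+amount": unicity(data, k, shop_day_amount),
        "binned": unicity(data, k, binned),
    }


if __name__ == "__main__":
    for k in (2, 3, 4):
        print(k, run_experiment(k))
```

Because the points are drawn identically for every policy, adding the amount can only shrink the candidate set, and binning can only grow it, which is the ordering the article reports: binning raises the number of points an attacker needs rather than removing the risk.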
  38. Tomi Engdahl says:

    Google says it paid white hat hackers a total of 1.5 million dollars last year for finding bugs in the company’s products. The bug hunting rewards are part of Google’s Security Rewards Program, initiated in 2010. More than 200 researchers received fees. The biggest single pot was 150 000 dollars.

    Project Zero and Google have in recent weeks given rise to resentment, particularly in Microsoft’s camp. Project Zero’s business model is that found vulnerabilities are made public 90 days after they have been discovered and the manufacturer of the product has been informed.

    Source: http://www.tivi.fi/Kaikki_uutiset/2015-02-02/Google-palkitsi-valkohattuhakkereita-15-miljoonalla-3214995.html

    Reply
  39. Tomi Engdahl says:

    Web Application Firewalls: Virtual Patching
    http://intellavis.com/blog/?p=947

    This post shows how a WAF can be used to remediate vulnerabilities without having to change the code.

    In an ideal world, the secure software development lifecycle (SSDLC) produces web applications free of security vulnerabilities. In the real world, there is need for a web application vulnerability management process to assess applications, find these flaws, and help drive them to remediation. Once identified, vulnerabilities in custom applications take time to fix. Essentially, we are taking development time away from creating new functionality to devote to fixing a security issue. This is a costly endeavor at best. At worst, the web application is a legacy application and the company does not have development resources devoted to it.

    Virtual Patching is “a security policy enforcement layer that prevents the exploitation of a known vulnerability.” This is one of the primary use cases for a web application firewall. The WAF analyzes transactions and intercepts attacks in transit, so the malicious traffic targeting the vulnerability never reaches the application. The application’s source code was not modified to fix the vulnerability, however the exploitation attempt was still unsuccessful.

    As part of security testing within the secure software development lifecycle and as general vulnerability management, dynamic application security testing (DAST) should be conducted against web applications.

    In a corporate environment with several applications being developed or many applications being tested within a vulnerability management program, more than one application testing tool could be testing a plethora of web applications. Aggregation and correlation of all of those findings helps the management of a program with a large scope.

    Reply
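The virtual patching idea from the comment above, as an added example (not code from the linked post or from any WAF product): a positive-security rule bound to a known-vulnerable endpoint is evaluated before the application sees the request. The endpoint paths, parameter policies, finding references and sample requests are all constructed.

```python
"""Virtual patch as a request filter: each rule says that for a given path a
parameter must fully match an allow-list pattern; anything else is stopped
in transit, so the unpatched application code is never reached. Added
illustration; paths, rules, ticket ids and requests are constructed."""
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit


@dataclass(frozen=True)
class VirtualPatch:
    path: str            # endpoint the finding applies to
    param: str           # parameter the finding concerns
    pattern: re.Pattern  # what a legitimate value looks like (allow-list)
    ticket: str          # hypothetical reference to the DAST finding


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


# Constructed rule set standing in for two hypothetical scanner findings.
PATCHES = (
    VirtualPatch("/account", "id", re.compile(r"[0-9]{1,10}"), "FINDING-001 (hypothetical)"),
    VirtualPatch("/search", "q", re.compile(r"[\w .-]{1,64}"), "FINDING-002 (hypothetical)"),
)


def apply_virtual_patches(path, params, patches=PATCHES):
    """Evaluate every rule for this path; the first violated rule blocks the request.

    `params` is the dict-of-lists shape parse_qs returns, so a parameter sent
    several times is checked on every occurrence."""
    for patch in patches:
        if patch.path != path or patch.param not in params:
            continue
        for value in params[patch.param]:
            if patch.pattern.fullmatch(value) is None:
                return Decision(False, f"blocked by {patch.ticket}: {patch.param} failed policy")
    return Decision(True, "passed")


def inspect(raw_request):
    """Split a 'path?query' request line, run the rules, return (path, Decision)."""
    parts = urlsplit(raw_request)
    params = parse_qs(parts.query, keep_blank_values=True)
    return parts.path, apply_virtual_patches(parts.path, params)


if __name__ == "__main__":
    # Constructed sample requests: ordinary traffic plus two out-of-policy values.
    for req in ("/account?id=42", "/account?id=42%27",
                "/search?q=wordpress+security", "/search?q=" + "a" * 65, "/about"):
        path, decision = inspect(req)
        print(f"{req[:40]:40} -> {decision.allowed} ({decision.reason})")
```

The rule is deliberately narrow: it encodes what the one vulnerable parameter is allowed to look like rather than trying to recognise attacks, which is why it can be written and deployed while the code fix waits in the backlog. Requests to paths without a rule pass through unchanged, so the patch cannot break unrelated functionality.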
  40. Tomi Engdahl says:

    How To Protect Your WordPress Website Against DDoS Attacks
    http://www.cloudways.com/blog/ddos-attacks-wordpress-security/

    Most probably you have heard about DDoS attacks if you have been in the online business for a while.

    During a DDoS attack, a target server or network receives requests from compromised systems.

    Application Level Attacks

    Also known as the Layer-7 DDoS attacks, these usually target the vulnerabilities in web applications by sending traffic to particular sections of a website. This also increases the bandwidth consumption, but Application Level DDoS attacks do not usually take down a website. However, they slow it down by a great deal.

    These attacks are much harder to detect as the traffic looks as if it is coming from real humans. These attacks usually utilize HTTP, DNS, and SMTP requests.

    Major types of Application Level DDoS attacks are:

    1. Request flooding attacks
    In this type of attack, the Application Layer receives a high amount of requests over HTTP and DNS.

    2. Asymmetric attacks
    In this type of attack, the Application Layer receives high-workload requests that consume server resources such as RAM and CPU.

    3. Repeated one-shot attacks
    These attacks target both Application and Network layers by sending high-workload requests on applications combined with TCP sessions.

    4. Application Exploit Attacks
    This kind of attack targets application vulnerabilities that take over or manipulate an application to cause a server or OS malfunction. The most common of them are SQL injection, cookie poisoning and cross-site scripting.

    Even the mighty fall prey to DDoS attacks

    With so many complexities and kinds of DDoS attacks, it has almost become impossible to completely safeguard your servers and applications.

    How to protect against DDoS attacks?

    There are precautionary steps and methods to lower the effects of DDoS attacks and in many cases, smaller DDoS attacks can be completely overridden.

    There are methods that can be employed at the network level to detect and block illegitimate traffic. Most modern networking hardware has specialized hardware accompanied by software that can detect and filter the traffic.

    Switches and routers
    These days, intelligent routers and switches are equipped with software capable of rate-limiting. Through this, the network hardware can identify bogus IPs that are sending illegitimate requests and block them from further eating away system and network resources. SYN flood attacks and attacks from “dark addresses” can be easily blocked by them.

    Intrusion Prevention Systems (IPS)
    There are systems that detect the behavior of DDoS attacks. These are offered by many security companies out there that have developed systems that detect legitimate and illegitimate traffic patterns and filter them.

    Scrubbing and Blackholing
    All the incoming traffic is passed through a “scrubbing center” before accessing a network or application. These are maintained by companies that provide DDoS mitigation services and therefore, they cost a lot. But, if you are victim of large DDoS attacks affecting your business, then you have no choice other than to invest in DDoS mitigation service.

    Fix vulnerabilities in your WordPress website: Take a stand against DDoS attacks
    I must admit that it pains me when I hear news like DDoS attackers exploit WordPress powered websites to carry out large DDoS attacks.
    However, the problem remains that WordPress is prone to vulnerabilities and some of the exploits are very easily utilized by DDoS attackers. One reason is that WordPress holds 20% of the CMS and therefore, it is an attractive target. However, a lot of the blame lies on WordPress website operators. Most users do not even know that their website is being used as a zombie to attack another website.

    1. Block XML-RPC functionality on WordPress
    2. Update your WordPress version REGULARLY
    3. Get in contact with your web host
    4. Using security plugins
    5. Suggestions by Security Analyst on Quora

    Reply
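The rate-limiting check described above (a client sending far more requests than a human would inside a short window), as an added example run over constructed access-log lines; it is not code from the linked article or from any router, IPS or WordPress plugin. The threshold, the window and the log lines are assumptions, and the IP addresses come from the documentation ranges.

```python
"""Sliding-window request-rate check over web server access log lines: the
decision logic a rate limiter applies to spot request flooding from single
clients. Added illustration; log lines, limit and window are constructed."""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Common Log Format prefix: client, identd, user, [timestamp], "request", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict with ip, aware timestamp, method and path, or None if unparseable."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "method": m["method"], "path": m["path"], "status": int(m["status"])}


def find_flooders(lines, limit=10, window_seconds=10):
    """Map client IP -> ISO time at which it first exceeded `limit` requests
    within any `window_seconds` span. Lines are processed in the order given;
    the window is tracked per client, so clients may be interleaved."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:   # expire requests older than the window
            q.popleft()
        if len(q) > limit and rec["ip"] not in flagged:
            flagged[rec["ip"]] = rec["ts"].isoformat()
    return flagged


def path_breakdown(lines, ip):
    """Which paths a given client hit; useful to see whether a flagged client
    is hammering one endpoint (the article singles out XML-RPC)."""
    return Counter(rec["path"] for rec in map(parse_line, lines)
                   if rec is not None and rec["ip"] == ip)


# Constructed sample log: one ordinary visitor and one client POSTing to
# /xmlrpc.php once a second for 12 seconds.
SAMPLE_LOG = [
    '203.0.113.5 - - [03/Feb/2015:10:00:00 +0000] "GET /index.php HTTP/1.1" 200 5120',
    '203.0.113.5 - - [03/Feb/2015:10:00:07 +0000] "GET /wp-content/style.css HTTP/1.1" 200 900',
    '203.0.113.5 - - [03/Feb/2015:10:00:31 +0000] "GET /about/ HTTP/1.1" 200 4100',
    'garbage line that the parser must skip',
] + [
    f'198.51.100.7 - - [03/Feb/2015:10:00:{s:02d} +0000] "POST /xmlrpc.php HTTP/1.1" 200 400'
    for s in range(12)
]

if __name__ == "__main__":
    flooders = find_flooders(SAMPLE_LOG)
    for ip, when in flooders.items():
        print(ip, "exceeded the limit at", when, dict(path_breakdown(SAMPLE_LOG, ip)))
```

The same per-client sliding window is what a switch, router or IPS applies in hardware; running it over logs after the fact is a cheap way to decide what limit a site's real traffic tolerates before turning enforcement on.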
  41. Tomi Engdahl says:

    DEA Planned To Monitor Cars Parked At Gun Shows Using License Plate Readers
    http://yro.slashdot.org/story/15/02/01/2117208/dea-planned-to-monitor-cars-parked-at-gun-shows-using-license-plate-readers

    According to the Wall Street Journal the proposal shows the challenges and risks facing the U.S. as it looks to new, potentially intrusive surveillance technology to help stop criminals. Many of the government’s recent efforts have scooped up data from innocent Americans, as well as those suspected of crimes, creating records that lawmakers and others say raise privacy concerns. “Automatic license plate readers must not be used to collect information on lawful activity — whether it be peacefully assembling for lawful purposes, or driving on the nation’s highways,” says the ACLU.

    Reply
  42. Tomi Engdahl says:

    Cybersecurity Concerns Seize Center Stage in Davos
    http://www.securityweek.com/cybersecurity-concerns-seize-center-stage-davos

    If there were any lingering doubts that cybersecurity is a geopolitical issue with global implications, such opinions were cast on the rocks by discussions this past week at the 2015 World Economic Forum in Davos, Switzerland.

    Coincidentally – perhaps – amid the palpable unease over cybersecurity concerns coursing through formal discussions and in the hallways, two alternative views of U.S. cybersecurity strategies were receiving notice. One was hopeful; the other doubtful. Both geopolitical.

    Hinote’s sense of urgency for the need of more effective cyber defense capabilities and policies resonated with similar sentiments echoing through the halls in Davos.

    According to Fortune, cybersecurity fears held the prospect of stopping companies from making important investments in technology. CISCO Systems CEO John Chambers, as head of a corporation which depends on security-driven technology spending, emphasized that “security was bad last year” and unfortunately “this year is going to get worse.” “You can never win,” said Robert Smith, chief executive of Vista Equity Partners, a private equity firm. “It’s a constant battle to just to stay even.”

    Other executives expressed concerns that they were expecting the volume of attacks to increase dramatically in the coming year while defenses remained largely ineffective. Mr. Smith added that “The security breaches we had in the last 12 months are going to pale in comparison to these we’re going to have in the next 12 months.”

    “However security gets done, it needs to get done” was a common sentiment of executives.

    Beyond concern over economic and reputational cyber-induced risks lay executives’ concerns of vulnerability of facilities such as power supplies and communications networks.

    A popular figure in Davos, cybersecurity guru and Kaspersky Labs head Eugene Kaspersky, a man who knows his way around global cyber threats, confirmed such fears, stating what most attendees perhaps didn’t want to hear: “The main threat scaring me is attacks on critical infrastructure.”

    Reply
  43. Tomi Engdahl says:

    19.5% of HTTPS sites trigger browser warning as they use SHA-1 signed certificates
    https://www.elie.net/blog/security/19.5-percent-of-https-sites-trigger-browser-warning-as-they-use-sha-1-signed-certificates

    19.5% of HTTPS-enabled sites in Alexa’s Top 1 Million trigger or will trigger a Chrome security warning because they use the now deprecated SHA-1 signature algorithm to sign their HTTPS certificates. Soon those sites will be flagged by all major browsers as insecure.

    Last year, browser vendors (Mozilla, Microsoft, Google) agreed to deprecate the use of SHA-1 to sign HTTPS certificates. The reached consensus is that certificates signed using SHA-1 should not be issued after January 1, 2016, or trusted after January 1, 2017. This deprecation was motivated by the growing concerns over SHA-1 security and the possibility of an attacker forging a rogue certificate to intercept HTTPS traffic.

    Each browser has defined its own timeline to deprecate SHA-1. Currently Chrome is the only browser (with Firefox following soon) that displays a warning for SHA-1 signed certificates.

    To ensure that your certificate is future proof and you won’t be classified as insecure, the next time you renew your certificate, make sure it has a SHA-256 signature. If you are unsure if your certificate is using SHA-256 or SHA-1, there are two simple ways to test: use SSLabs’ SSL Server Test to scan your site or simply visit your site with Chrome and look at the certificate.

    Reply
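The check the comment above recommends (is my certificate signed with SHA-1 or SHA-256?), as an added example written against the deprecation dates quoted there; it is not code from the linked post. It walks the DER structure with the standard library only, so it has no dependency on an SSL testing service. The two sample "certificates" are constructed: they have the outer Certificate shape with a stub tbsCertificate, so only the signatureAlgorithm field is meaningful, and the OID-to-name table covers the common RSA and ECDSA algorithm identifiers.

```python
"""Report an X.509 certificate's signature algorithm with a minimal DER walker
and apply the SHA-1 deprecation timeline. Added illustration; the samples
below are CONSTRUCTED certificate-shaped blobs, not real certificates."""
import base64
import datetime

# AlgorithmIdentifier OIDs -> (name, uses SHA-1 as the hash)
KNOWN_SIG_ALGS = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", True),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", False),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", False),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", True),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", False),
    "1.2.840.10045.4.3.3": ("ecdsa-with-SHA384", False),
}
# Dates from the browser vendors' agreement quoted in the post
ISSUANCE_CUTOFF = datetime.date(2016, 1, 1)
TRUST_CUTOFF = datetime.date(2017, 1, 1)


def read_tlv(data, offset):
    """Decode one DER tag-length-value at `offset`; return (tag, value, next_offset)."""
    tag, length = data[offset], data[offset + 1]
    offset += 2
    if length & 0x80:                       # long form: low bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(data[offset:offset + n], "big")
        offset += n
    return tag, data[offset:offset + length], offset + length


def decode_oid(body):
    """OBJECT IDENTIFIER content bytes -> dotted-decimal string."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:                      # base-128, high bit marks continuation
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def pem_to_der(cert):
    """Accept PEM (str or bytes) or raw DER bytes; return DER bytes."""
    if isinstance(cert, bytes) and not cert.startswith(b"-----"):
        return cert
    text = cert.decode() if isinstance(cert, bytes) else cert
    b64 = "".join(l for l in text.splitlines() if l and not l.startswith("-----"))
    return base64.b64decode(b64)


def signature_algorithm(cert):
    """Return (name, uses_sha1) for the outer signatureAlgorithm of a certificate."""
    der = pem_to_der(cert)
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    _, _tbs, off = read_tlv(body, 0)            # skip tbsCertificate
    _, alg_body, _ = read_tlv(body, off)        # AlgorithmIdentifier SEQUENCE
    oid_tag, oid_body, _ = read_tlv(alg_body, 0)
    if oid_tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    oid = decode_oid(oid_body)
    return KNOWN_SIG_ALGS.get(oid, (oid, False))


def assess(cert, issued=None):
    """Apply the post's timeline: SHA-1 certs issued on/after 2016-01-01 are
    rejected; earlier ones are flagged as deprecated and untrusted from 2017."""
    name, sha1 = signature_algorithm(cert)
    if not sha1:
        return f"ok: {name}"
    if issued is not None and issued >= ISSUANCE_CUTOFF:
        return f"reject: {name} issued on or after {ISSUANCE_CUTOFF}"
    return f"warn: {name} is deprecated and untrusted from {TRUST_CUTOFF}"


# --- constructed samples (only the signatureAlgorithm field is realistic) ---
def _tlv(tag, body):
    """Encode a DER TLV; used only to build the samples below."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _fake_cert(oid_bytes):
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))                        # stub tbsCertificate
    alg = _tlv(0x30, _tlv(0x06, oid_bytes) + _tlv(0x05, b""))    # OID + NULL params
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00" * 5))       # + stub BIT STRING


SHA1_CERT = _fake_cert(bytes.fromhex("2a864886f70d010105"))     # 1.2.840.113549.1.1.5
SHA256_CERT = _fake_cert(bytes.fromhex("2a864886f70d01010b"))   # 1.2.840.113549.1.1.11
SHA256_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SHA256_CERT)
              + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    for label, c in (("sha1", SHA1_CERT), ("sha256 der", SHA256_CERT), ("sha256 pem", SHA256_PEM)):
        print(label, assess(c, datetime.date(2015, 2, 3)))
```

On a real certificate the same walker works unchanged, because the signatureAlgorithm field is always the second element of the outer SEQUENCE; what the stub samples leave out is only the tbsCertificate contents, which this check never needs.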
  44. Tomi Engdahl says:

    How I Learned to Start Worrying and Fear the Commoditization of Threat Intelligence
    http://www.securityweek.com/how-i-learned-start-worrying-and-fear-commoditization-threat-intelligence

    Specifically, I kept thinking about the trend lately around so much cyber threat intelligence from so many solutions providers delivering feeds from so many similar sources. And, altogether more bothersome, how so many of the providers lately are partnering up with one another to offer access to so many of each others’ threat intelligence feeds inside their own platforms.

    Suddenly the movie started making more sense to me than the threat intelligence market. Then it hit me.

    Information theory is actually a branch of mathematics that attempts to explain the nature of communications data as it is transmitted, stored or received, as well as the variables that affect its transfer such as noise, the amount of data transmitted, number of distinct and different message sources, the type and size of channel it’s transmitted on, reliability and intelligibility.

    Seen this way, information can essentially be treated as mathematically-defined.

    Related to this, entropy is a measure of the information contained in a given message.

    let’s just say that entropy = boring, noisy, redundant old news.

    Again, you may be wondering how this relates to cyber threat intelligence specifically?

    To put it in plain terms, there are so many similar pieces of threat intelligence being transmitted so often (i.e. redundant) from so many similar sources at such an alarming rate as to make deriving any real, worthwhile meaning by the receiver of all these threat messages, well, highly unlikely. In other words, there’s so much of the same data being sent from so many of the same sources as to render it essentially useless for the consumer.

    “The larger the amounts of information processed or diffused, the more likely it is that information will degrade toward meaningless variety, like noise or information overload, or sterile uniformity…The more information is repeated and duplicated, the larger the scale of diffusion, the greater the speed of processing, the more opinion leaders and gatekeepers and networks, the more filtering of messages, the more kinds of media through which information is passed, the more decoding and encoding, and so on– the more degraded information might be.”

    Reply
  45. Tomi Engdahl says:

    Microsoft Releases Threat Information Sharing Framework
    http://www.securityweek.com/microsoft-releases-threat-information-sharing-framework

    Threat information-sharing is a phrase that gets thrown often, but there isn’t much agreement on how organizations should be working together or the methods they should be using. This week, Microsoft chimed in on the subject with a 25-page framework offering guidance on effective information sharing and the types of data that needs to be shared.

    For the most part, industry and government agree that information sharing is a good idea. The right information exchanged or shared at the right time can enable security professionals and decision makers to reduce risks, deflect attacks, mitigate exploits and enhance resiliency, Paul Nicholas, senior director of Trustworthy Computing at Microsoft, wrote on the Cyber Trust blog this week. “In this case, forewarned really can mean forearmed.”

    Some forms of information sharing already exist—the ISACs for various industries, including financial services, retail, and industrial control systems are just a few examples. Industry consortiums and groups have launched several sharing platforms, such as the one from MITRE. But some organizations remain wary about information-sharing for a myriad of reasons, including competitive concerns, liability worries, and reputation damage. Despite years of talking about it, there are still roadblocks to effective, widespread information sharing.

    Microsoft defined in the framework document all the parties which need to be involved in an information sharing exchange as well as the necessary types of information which should be included. Exchanges should include governments, private critical infrastructure firms, enterprises, information technology, security companies and security researchers.

    According to the framework, information sharing exchanges should discuss successful attacks, including what was stolen, the techniques used, intent, and impact, as well as potential future threats, exploitable vulnerabilities, and ways of mitigating bugs before patches are available. Organizations should exchange best practices, executive-level situational awareness, and strategic analysis of threats they face. Receiving organizations should use the information to its full potential to improve their security, Microsoft said.

    It’s also important to remember that information sharing is not going to always be between humans as information can be automatically passed between machines. “It is believed that such systems enable actors not only to identify information important to them more quickly, but also to automate mitigations to threats as they occur,” Nicholas wrote.

    In 2014, financial services organizations received 5,000 FS-ISAC cybersecurity alerts providing information on a variety of threats, attacks and other information, and approximately 100,000 technical indicators such as malicious IP addresses, websites, and malware components.

    “Effective information sharing is not an easy undertaking,” Microsoft’s Nicholas said. “It requires clear definitions and objectives rather than solely words of encouragement, or mandatory requirements.”

    A framework for cybersecurity information sharing and risk reduction
    https://www.microsoft.com/en-us/download/details.aspx?id=45516&WT.mc_id=rss_alldownloads_all

    Reply
  46. Tomi Engdahl says:

    Researcher Calls Out Microsoft Over Outlook For iOS Security
    http://www.securityweek.com/researcher-calls-out-microsoft-over-outlook-ios-security

    The recently launched Microsoft Outlook for iOS can be a “security nightmare” for companies, a researcher warned on Thursday.

    Outlook for iOS is based on code from Acompli, the mobile email company acquired by Microsoft two months ago. The application was announced by Microsoft on Thursday, along with the preview version of Outlook for Android and several Office apps for Android.

    René Winkelmeyer, head of development at Midpoints, has analyzed the iOS email app and discovered several security issues.

    Reply
  47. Tomi Engdahl says:

    Dyre Banking Trojan Uses Worm to Spread Via Microsoft Outlook
    http://www.securityweek.com/dyre-banking-trojan-uses-worm-spread-microsoft-outlook

    Researchers at Trend Micro have identified a new variant of the financial malware known as Dyre (Dyreza). The threat now targets a larger number of banks and uses some noteworthy propagation and evasion techniques.

    In the past months, cybercriminals used the Cutwail spambot to distribute Dyre. However, the new variant spotted by Trend Micro uses a more interesting propagation technique.

    It’s worth noting that the worm doesn’t send spam emails to the victim’s contacts. Instead it uses email addresses obtained from a command and control (C&C) server. Once the emails are sent, the worm deletes itself, the security firm said.

    Reply
  48. Tomi Engdahl says:

    David E. Sanger / New York Times:
    NSA analysts will be required to delete incidental information on Americans within one year, on foreigners within five — President Tweaks the Rules on Data Collection — WASHINGTON — A year after President Obama ordered modest changes in how the nation’s intelligence agencies collect …
    http://www.nytimes.com/2015/02/03/world/president-tweaks-the-rules-on-data-collection.html

    Reply
  49. Tomi Engdahl says:

    BBC:
    BMW patches flaw in ConnectedDrive-equipped vehicles that let researchers wirelessly open doors
    http://www.bbc.com/news/technology-31093065

    BMW has patched a security flaw that left 2.2 million cars, including Rolls Royce and Mini models, open to hackers.

    The flaw affected models fitted with BMW’s ConnectedDrive software, which uses an on-board Sim card.

    The software operated door locks, air conditioning and traffic updates but no driving firmware such as brakes or steering, BMW said.

    No cars have actually been hacked, but the flaw was identified by German motorist association ADAC.

    ADAC’s researchers found the cars would try to communicate via a spoofed phone network, leaving potential hackers able to control anything activated by the Sim.

    The patch, which would be applied automatically, included making data from the car encrypted via HTTPS (HyperText Transfer Protocol Secure) – the same security commonly used for online banking, BMW said.

    “On the one hand, data are encrypted with the HTTPS protocol, and on the other hand, the identity of the BMW Group server is checked by the vehicle before data are transmitted over the mobile phone network,” it said in a statement.

    “You would probably have hoped that BMW’s engineers would have thought about [using HTTPS] in the first place,”

    Reply
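    The BMW statement above boils down to two controls: the link is encrypted, and the vehicle checks the identity of the server before it sends anything, so a spoofed phone network that terminates the connection with its own certificate is rejected. The Go program below is an added illustration of that second control and is not BMW's or ADAC's code; the certificates, the host name "backend.example" and the loopback servers are all constructed inside the program. It stands up a genuine server and an impostor server that presents a different certificate for the same name, then connects with a client that pins the genuine certificate and with one that disables verification (the weak setting).

    ```go
    package main

    import (
    	"crypto/ecdsa"
    	"crypto/elliptic"
    	"crypto/rand"
    	"crypto/tls"
    	"crypto/x509"
    	"crypto/x509/pkix"
    	"fmt"
    	"math/big"
    	"net"
    	"time"
    )

    // newSelfSignedCert builds an in-memory certificate for host. Constructed for this
    // example only; a production backend would present a certificate from a trusted CA.
    func newSelfSignedCert(host string) (tls.Certificate, *x509.Certificate, error) {
    	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
    	if err != nil {
    		return tls.Certificate{}, nil, err
    	}
    	tmpl := &x509.Certificate{
    		SerialNumber: big.NewInt(1),
    		Subject:      pkix.Name{CommonName: host},
    		DNSNames:     []string{host},
    		NotBefore:    time.Now().Add(-time.Hour),
    		NotAfter:     time.Now().Add(time.Hour),
    		KeyUsage:     x509.KeyUsageDigitalSignature,
    		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
    	}
    	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
    	if err != nil {
    		return tls.Certificate{}, nil, err
    	}
    	leaf, err := x509.ParseCertificate(der)
    	if err != nil {
    		return tls.Certificate{}, nil, err
    	}
    	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf, nil
    }

    // startServer listens on loopback with cert and sends one line to each client.
    // The server-side handshake runs on the first Write, so a rejected client just errors here.
    func startServer(cert tls.Certificate) (net.Listener, error) {
    	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
    	if err != nil {
    		return nil, err
    	}
    	go func() {
    		for {
    			c, err := ln.Accept()
    			if err != nil {
    				return
    			}
    			go func(c net.Conn) {
    				defer c.Close()
    				c.Write([]byte("hello\n"))
    			}(c)
    		}
    	}()
    	return ln, nil
    }

    // connect dials addr with cfg; tls.DialWithDialer completes the handshake, so a
    // nil error means the client accepted the server's identity.
    func connect(addr string, cfg *tls.Config) error {
    	d := net.Dialer{Timeout: 2 * time.Second}
    	conn, err := tls.DialWithDialer(&d, "tcp", addr, cfg)
    	if err != nil {
    		return err
    	}
    	return conn.Close()
    }

    // Outcome records whether each client accepted the server it talked to.
    type Outcome struct {
    	PinnedGenuine  bool // pinned root, genuine server: expected true
    	PinnedImposter bool // pinned root, impostor with same name but other key: expected false
    	SkipVerify     bool // InsecureSkipVerify against the impostor: true, which is the weakness
    }

    // RunScenarios plays the three client/server combinations and returns the results.
    func RunScenarios() (Outcome, error) {
    	const host = "backend.example" // hypothetical backend name, not a real BMW host
    	genuine, genuineLeaf, err := newSelfSignedCert(host)
    	if err != nil {
    		return Outcome{}, err
    	}
    	imposter, _, err := newSelfSignedCert(host) // what a spoofed endpoint could present
    	if err != nil {
    		return Outcome{}, err
    	}
    	genuineSrv, err := startServer(genuine)
    	if err != nil {
    		return Outcome{}, err
    	}
    	defer genuineSrv.Close()
    	imposterSrv, err := startServer(imposter)
    	if err != nil {
    		return Outcome{}, err
    	}
    	defer imposterSrv.Close()

    	roots := x509.NewCertPool()
    	roots.AddCert(genuineLeaf) // the vehicle trusts only this identity
    	strict := &tls.Config{RootCAs: roots, ServerName: host, MinVersion: tls.VersionTLS12}
    	weak := &tls.Config{InsecureSkipVerify: true} // encrypts, but talks to anyone

    	return Outcome{
    		PinnedGenuine:  connect(genuineSrv.Addr().String(), strict) == nil,
    		PinnedImposter: connect(imposterSrv.Addr().String(), strict) == nil,
    		SkipVerify:     connect(imposterSrv.Addr().String(), weak) == nil,
    	}, nil
    }

    func main() {
    	out, err := RunScenarios()
    	if err != nil {
    		panic(err)
    	}
    	fmt.Printf("%+v\n", out)
    }
    ```

    The point the ADAC finding illustrates is the third row: a client that encrypts but skips identity verification is exactly as exposed to a spoofed network as one that sends in the clear, because the attacker's endpoint simply completes the handshake with its own certificate. Pinning a trusted root (or CA) and setting ServerName is what makes the vehicle refuse the impostor.
    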
  50. Tomi Engdahl says:

    Hackers on Blackhat: Hollywood finally gets internet right
    http://www.bbc.com/news/blogs-echochambers-30857751

    Director Michael Mann’s new film, Blackhat, centres around a convicted hacker who is released from prison to foil the schemes of a villainous rival wreaking havoc around the world.

    Given the recent highly visible lapses in cybersecurity, it’s the kind of subject matter that the viewing public might find compelling. It’s not surprising, however, if seasoned hands are a bit more sceptical. Hollywood has a less-than-stellar track record for presenting complex technology in a realistic manner, after all.

    “In movies, hacking tends to look like some elaborate digital art that lasts a handful of seconds,” writes Gizmodo’s Adam Clark Estes.

    So what’s the verdict on the film from hacking and cybersecurity communities? By most accounts, Blackhat hits pretty close to the mark.

    Real hacking is an arduous task that’s visually numbing, Estes says, and the film does a good job of reflecting this reality.

    “It looks like hacking because it’s everything that bad Hollywood hacking isn’t: simple white code on a black background, command line arguments, references to things like Tor, keyloggers, and phishing,” he writes. “It’s a little bit boring, too!”

    Google’s Parisa Tabriz – who served as a consultant for the film – tells Fusion’s Kashmir Hill: “It’s the most accurate information security film I’ve seen”.

    Of course, there are plenty of car chases and gunfights in Blackhat – this is still Hollywood after all.

    Blackhat, he says, could give rise to bad policy, as politicians react to cyber-threats by embracing President Barack Obama’s call for harsher criminal sentences for convicted hackers.

    Reply
