Security trends for 2015

Year 2014 is coming to an end, so it is time to look forward to what to expect from 2015 in cyber security.

Cyber security will get harder year by year. Year 2014 was much worse than 2013. The Heartbleed, Bash and POODLE vulnerabilities were just the beginning of what to expect in 2015. I expect that 2014 was easy compared to what 2015 will be. 2015 will prove to be a challenging year for IT security professionals. Attacks can happen anywhere and anytime, and they don’t have to be major attacks by nation states. They could come from inside or outside.

According to Gartner and SecurityWeek, total information security spending will grow a further 8.2 percent in 2015 to reach $76.9 billion. Unfortunately, security investments are not keeping up with IT enhancements that are continuously widening our attack surface and making systems more vulnerable. As computer software has become the backbone of modern civilization, “hacktivists”, organized cyber criminals, state-sponsored cyber attackers and terrorist organizations try to exploit design flaws and weaknesses in applications in order to embarrass corporations and government agencies, and to commit fraud.

Despite the high profile CryptoLocker takedown, ransomware scams remain an all-too-real threat. Crooks are developing more sophisticated encryption schemes to support their fraud.

The steady flow of software security issues will keep making headlines in 2015. Serious security flaws will be found in both open source and proprietary software.

There are many people looking for a good process to develop secure software, because after-the-fact band-aiding is not a sustainable approach. If the same methods continue to be used to develop the software, retrospectively adding tests, then there will only be a very modest reduction in the flow of problems. Processes exist but have yet to be broadly applied for developing reliable and secure networking software. Traditional methods used to develop software continue to result in high failure rates. Why create insecure security?

Year 2014 was a year of cybersecurity after the NSA revelations made in 2013. There were lots of articles related to the material published. Not everything has yet been published, so I would expect some new details of the NSA revelations to be published in 2015 as well. So I expect some new information leaks on how governmental security organizations spy on us all.

It seems like 2014 has almost been “The Year of PoS Breaches.” Can we learn from big breaches? At least companies will also face more stringent regulations: the new Payment Card Industry Data Security Standard 3.0 (PCI 3.0) will be mandatory for all businesses that store, process or transmit payment card information beginning 1 January 2015. The revamped standard includes requirements aimed at third party providers. The changes follow a string of high profile breaches. I expect that those new requirements will not result in any quick change to the situation. As more and more breach reports come up constantly, consumers are officially starting to get breach fatigue, and banks are bringing breached companies to court to pay for the damages caused to them.

Public and private organizations are facing an increasing frequency and sophistication of cyber-attacks and security breaches, many of which are only discovered after the fact. McAfee Labs’ 2015 Threats Predictions report is an eye-opening read that forecasts increased levels of crime, espionage and warfare operations. Cybercriminals are expected to use more sophisticated methods to remain hidden on a victim’s network, carrying out long-term theft of data without detection.

The article Get Ready For The Hack Attack That Drives A Big Company Out Of Business predicts that 2015 will be the year that some company goes out of business because it didn’t plan adequately for an attack. In the past, the most sophisticated hacks against companies were carried out by big nation-states or criminal organizations. In 2014 the Sony Pictures hack happened and showed that the motives of sophisticated hackers have changed from self-gain to destruction. Many company officers are only now becoming aware of the threat (boards of directors and C-level officers have traditionally been focused on other threats). A computerized attack can cause a lot of damage to a well prepared company, and can turn a not so well prepared company into a complete disaster it can’t recover from. The Sony attack opens new doors of risk in the area of corporate extortion.

As the Internet of Things becomes more and more used, it will be hacked more. Thus the security of the Internet of Things will be talked about more and more. IoT is one field where cyber security flaws can kill. The European Police Office (Europol) said governments are ill-equipped to counter the menace of “injury and possible deaths” spurred by hacking attacks on critical safety equipment. There are many potential dangers in transportation: many new cars are Internet connected and potentially vulnerable, SCADA systems in railways are vulnerable to attack, and airline bosses ignore cyber security concerns at their peril. Whether it is an unintentional cyber incident or a deliberate attack, security continues to be a vital part of the automation industry, and it will remain, with safety, a growing area of concern for manufacturers in the coming years. Security awareness is on the rise throughout the industry. Security is becoming a business enabler that can provide manufacturers more than just an insurance policy.

Soon, almost every network will have IoT hacking in it. IDC predicts that within two years 90 per cent of global IT networks will have met IoT data theft. In a report, cybersecurity firm Fortinet expects greater threats from “denial of service attacks on assembly line, factory, industrial control systems, and healthcare and building management…resulting in revenue losses and reputation damages for organizations globally.” This opens new doors of risk in the areas of corporate extortion, altering of corporate business operations, and the extension of cyberattacks to include physical threats of harm to civilians.

Cyber warfare is becoming more and more attractive to small nations and terrorist groups. Enabled by Internet connectivity, cyber war provides more bang for the buck than investment in conventional weapons. It is cheaper for and far more accessible to these small nation-states than conventional weapons. It allows these countries to pull off attacks without as much risk of getting caught and without the repercussions when they are caught. There are many reasons why a nation-state or non-nation entity would pursue a cyber war program, and today many countries large and small invest in cyber warfare. Recent cyber attacks suggest that fewer resources are required to wage an attack than to defend against one. As the whole world gets connected, it just provides the details that make these attacks possible. In the not-too-distant future, warfare with traditional weaponry may take a backseat to potentially more destructive tactics: computer code attacking the companies and infrastructures, including electric grids and oil and gas pipelines, that society relies on.

It was estimated that the first online murder would happen in 2014. It did not seem to happen in 2014 as far as I know. I think that it is likely that an online murder can happen in 2015. There are tools available for this to happen. Cyber-murder can happen without us knowing about it.

Mobile devices will be one of the focal points for cyber-attackers in 2015, as they present relatively easy, low-risk points of entry that can be monitored remotely for passwords, account numbers and personal identification data. Sure, it is still relatively easy to publish malicious applications in application stores. Within the next year advanced mobile exploit kits will become available.

Mobile devices will start to play a part in denial of service attacks. Vietnam, India and Indonesia will be the distributed denial of service volcanoes of next year due to the proliferation of pwned mobiles.

Year 2014 brought encryption to mainstream smartphones (new encryption features from Apple Inc. and Google Inc.). In 2015 government organizations will try to tackle a very modern problem: password-protected encrypted cellphones. It will be a fight over surveillance as everyone starts to implement encryption.

Long predicted but always seeming to be “just around the corner,” mobile payments may finally have arrived. The underlying technologies of the coming mobile payment revolution, and alternative solutions, have been emerging for some time. Technologies playing a supporting role in this shift include encryption advances, digital currencies, biometrics, NFC, Bluetooth, QR codes and even the use of sound wave data transfer. There will also be products marketed to prevent the different kinds of potential threats the new technologies can cause.

There is a never-ending battle between good and evil in the cyber world. Various types of attacks are successful because they are well-disguised, blend different techniques, and constantly evolve. You need layered security, and it’s not just for networks. Use a layered security architecture that supports a combination of defenses in ways attackers don’t expect and that continuously evolves protections to keep up with dynamic attacks. Traditionally these approaches have been focused on the network, but they can and should be applied to other parts of the IT system as well (start from email gateways). Email is the preferred channel for business communications and thus continues to be a vector of choice for attackers.

Threat information sharing will become necessary for survival. Security controls (SANS critical controls, ISO/IEC 27002, NIST Cybersecurity Framework and the Cloud Controls Matrix) are safeguards that counteract or minimize security risks relating to digital property. The more you can automate a control, the better off you will be. Moving towards an adaptive and automated way of applying intelligence based on behavior and heuristics is clearly a step in the right direction to enable a more actionable and relevant set of controls. Threat intelligence coming from a variety of sources (security companies, the government and the open source community) is needed. Key to success is publishing intelligence in a variety of data structures (STIX, TAXII and other standard industry formats) to best describe threats in a way that can be aggregated and understood by others.

More and more organizations are moving applications and data to IaaS/PaaS environments. Many enterprise IT departments have reason for concern: industry experts agree that moving sensitive data into the hands of third-party cloud providers expands and complicates the risk landscape in which companies operate every day. You need to understand cloud database security basics and more.

Today major players are embracing end-to-end encryption, so that about 50% of web traffic is carried over HTTPS. HTTPS-everywhere will get a boost in 2015 as a new certificate authority backed by big names on the internet, including Mozilla, Cisco and Akamai, plans to offer SSL certs at no charge starting summer 2015. This move will make it even easier for people to run encrypted, secure HTTPS websites.

Google is proposing to warn people that their data is at risk every time they visit websites that do not use HTTPS. If implemented, the change would mean that a warning would pop up when people visited a site that used only HTTP, to notify them that such a connection “provides no data security”. In the short term, the biggest headache is likely to be faced by website operators, who will feel forced to migrate unencrypted HTTP websites to encrypted HTTPS.

You can’t trust that normal web security technologies will guarantee safety. Your HTTPS security will be manipulated more than before. End-to-end HTTPS is generally a good security addition for end users, but it does not solve all the problems. The increased use of HTTPS has made the life of IT departments harder, because normal firewalls can’t look at what is inside encrypted HTTPS packets, so they can’t block potential security threats that are carried within HTTPS packets. There are some special corporate firewall arrangements that can intercept HTTPS traffic (they do a kind of man-in-the-middle attack that decrypts and re-encrypts the packets on the way). So SSL communications can be intercepted and broken.

 

3,110 Comments

  1. Tomi Engdahl says:

    Is Europe going to restrict teens from using Facebook?
    http://www.bbc.com/news/technology-35100328

    By the end of this week it could be illegal for any European child under 16 to use Facebook – or Snapchat or any messaging service – without the express consent of their parents. That, according to some interpretations, would be the result of a vote by an obscure committee to raise the digital age of consent from 13 to 16.

    Who knew there was a “digital age of consent”?

    I certainly didn’t but I am told it is built into the decisions that many online firms make about the age they will allow people to join. In the United States a law called Coppa (Children’s Online Privacy Protection Act) gives extra online protection to children under 13, and Europe has had a similar policy – which is why the likes of Facebook have not allowed children in until they become teenagers.

    A last minute amendment to Europe’s Data Protection Regulation, says this: “The processing of personal data of a child below the age of 16 years shall only be lawful if and to the extent that such consent is given or authorised by the holder of parental responsibility over the child.”

    Update:
    Dr Rachel O’Connell from the consultancy Trust Elevate suggests that new technologies could be used by social networks to detect under-16s and limit what was done with their data without blocking access outright.

    Reply
  2. Tomi Engdahl says:

    Kids under 16 could be ‘banned from the internet’ by EU lawmakers
    http://thenextweb.com/eu/2015/12/14/kids-under-16-could-be-banned-from-the-internet-by-eu-lawmakers/

    Parents could soon be made to approve their teenagers’ use of social media and chat apps if a last-minute change to data protection laws makes the cut in final discussions starting in the EU tomorrow.

    The law would make it illegal for companies to handle data from anyone aged 15 or under without parental consent, effectively stopping young people from using their favorite services, many of which currently use 13 as the lower age limit for their services.

    According to the FT, a number of big US tech companies have now “launched a frantic lobbying effort” to stop the amendment being passed.

    A petition against the move has also been launched by online safety campaigners, who say this decision would prevent under 16s using everything from social media platforms to online games, email and apps.

    EU politicians: Don’t ban teenagers from using the Internet
    https://www.change.org/p/eu-politicians-don-t-ban-teenagers-from-using-the-internet-13to16privacy

    Reply
  3. Tomi Engdahl says:

    VTech hack: 21-year-old man arrested after millions of children’s personal data breached
    http://www.ibtimes.co.uk/vtech-hack-21-year-old-man-arrested-after-millions-childrens-personal-data-breached-1533424

    A man has been arrested in connection with the alleged hacking of electronic toy manufacturer VTech. The 21-year-old was arrested in Bracknell, Berkshire, on suspicion of unauthorised access to computers to facilitate the commission of an offence and on suspicion of causing a computer to perform a function to secure/enable unauthorised access to a program/data, following the data breach in November.

    VTech Holdings Limited confirmed in November that an “unauthorised party” had accessed their customer data, which appeared on their Learning Lodge app store data base.

    The database contained general user profile information including name, email address, passwords, IP addresses and download history. A VTech spokesperson assured customers their credit card details were not breached.

    However, the profile details of more than six million children worldwide – including their name, gender and birthdate – were breached during the hack.

    Craig Jones, head of the Cyber Crime Unit at the South East Regional Organised Crime Unit (SEROCU), said: “Cyber criminality is affecting more and more business around the world and we continue to work with our partners to thoroughly investigate very complex cases.

    Reply
  4. Tomi Engdahl says:

    VTech is just one of a growing roster of firms that have suffered data breaches in recent months. Pub chain Wetherspoons and telecommunications firm TalkTalk both recently lost data in attacks.

    Source: http://www.bbc.com/news/technology-35100735

    Reply
  5. Tomi Engdahl says:

    Boeing 787 “Blacklisted” From Some Air Traffic Control Services
    http://tech.slashdot.org/story/15/12/15/1355234/boeing-787-blacklisted-from-some-air-traffic-control-services

    A software glitch causes the Boeing 787 to report its position incorrectly, which has led Australia and Canada to ‘blacklist’ the aircraft from using ADS-B, and until it is resolved the latest Boeing is treated as an aircraft without ADS-B capabilities.

    A bugfix is coming to restore ADS-B functionality.

    Two ATC agencies ‘blacklist’ 787 over position-data flaw
    https://www.flightglobal.com/news/articles/two-atc-agencies-blacklist-787-over-position-data-419916/

    Most of the Boeing 787s delivered to date contain a software defect that, in at least five identified aircraft, has erroneously reported their location to controllers, prompting two air traffic management agencies to put the Dreamliner on a “blacklist” for certain services.

    Although it denies the software defect creates a safety hazard, Boeing says a service bulletin with instructions for operators to correct the position reporting error will be released “imminently”.

    The blacklisting means the 787s are not allowed to use reduced separation procedures offered to other aircraft equipped with ADS-B.

    Both agencies launched separate investigations before discovering they had witnessed the same problem.

    In rare cases, after passing a planned turn upon crossing a waypoint, the data packets that arrived at the transponder would contain either the aircraft’s latitude or longitude, but not both. In those cases, the ADS-B transponder’s software would extrapolate the 787’s position based on the previous flight track before it made a planned turn at a waypoint.

    Reply
  6. Tomi Engdahl says:

    A Dating App For HIV-Positive People Leaked Sensitive Data
    http://www.buzzfeed.com/stephaniemlee/a-dating-app-for-hiv-positive-people-leaked-sensitive-data#.qcZDXaz59

    More than 5,000 members of Hzone may have had their personal information compromised thanks to an unsecured database.

    A security researcher has discovered that user data was until recently leaking from two health apps: Hzone, a dating app for HIV-positive singles, and iFit, a fitness app.

    The leaks, which were both repaired as of Monday, are believed to have left the personal information of Hzone and iFit users vulnerable since at least late November and last week, respectively, according to the cybersecurity blog DataBreaches.net, which first reported them.

    Two apps with health info found leaking: researcher. Part 2: Hzone
    http://www.databreaches.net/two-apps-with-health-info-found-leaking-researcher-part-2-hzone/

    Reply
  7. Tomi Engdahl says:

    Data Encryption in Sharp Focus After Deadly Attacks
    http://www.securityweek.com/data-encryption-sharp-focus-after-deadly-attacks

    With renewed focus on how encrypted messages can be used to plot terrorist attacks, President Barack Obama’s administration is stepping up pressure on the tech sector to help in the battle.

    Although issues around encryption have been ongoing for decades, the prickly topic has sprung to the fore in recent weeks following killing sprees in Paris and California.

    Over the past two years, more sophisticated encryption — notably for smartphones — has become widely available following revelations by former intelligence contractor Edward Snowden about vast US surveillance programs.

    But US administration officials as well as local law enforcement are making the case for better access to encrypted data, saying new smartphone and encryption technologies have made it more difficult to thwart “malicious actors.”

    “We want to strike the right balance. We want to make sure encryption is not used in a way that does allow for dark space for terrorist groups,” a White House statement said.

    Privacy remains a major counter-argument.

    Underlining those concerns, an online petition calling on the administration to avoid weakening encryption got more than 100,000 signatures, requiring a White House reply.

    Reply
  8. Tomi Engdahl says:

    Macro Malware Has Returned: Intel Security
    http://www.securityweek.com/macro-malware-has-returned-intel-security

    Macro malware, one of the most successful threats in the 1990s, has returned to focus in the form of persistent threats targeting organizations, Intel Security (formerly McAfee Labs) reports.

    Infecting machines through compromised Microsoft Word documents that spread through extensive spam email campaigns, malicious web pages, and drive-by downloads, macro malware has seen a great increase over the past few quarters, the McAfee Labs Threats Report: November 2015 reveals.

    With macro malware becoming popular once again, cybercriminals changed the distribution mechanism to ensure detection is more challenging. While previous campaigns lasted for days or weeks, perpetrators now engage into short lived campaigns, and also change the subject of emails and the carefully crafted attachments to ensure they are not detected and blocked.

    What’s more, the compromised files delivered as attachments often behave normally even after performing the malicious activity, which makes infections even more difficult to detect. The bad actors behind macro malware use this entry point to deploy even more malicious applications to the victim’s system, which usually results in more damage being dealt.

    Report can be downloaded at
    http://www.mcafee.com/us/resources/reports/rp-quarterly-threats-nov-2015.pdf

    Reply
  9. Tomi Engdahl says:

    35,000 MongoDB Instances Exposed Online
    http://www.securityweek.com/35000-mongodb-instances-exposed-online

    An increasing number of poorly configured MongoDB databases are exposed online, Shodan founder John Matherly revealed on Tuesday.

    In July, Matherly reported finding nearly 30,000 instances of the popular NoSQL database management system accessible over the Internet due to configuration issues. The databases identified using the computer search engine Shodan exposed roughly 600 terabytes of data.

    Researcher Chris Vickery reported on Monday that over the past two weeks he identified 25 million accounts exposed by leaky databases, including 13 million accounts associated with the controversial OS X security and optimization application MacKeeper and its developer, Kromtech Alliance.

    Openly accessible MongoDB instances are a well known issue caused not by a vulnerability in the database management system, but due to the way developers configure the system.

    Configuration Issue Exposes 30,000 MongoDB Instances: Researcher
    http://www.securityweek.com/configuration-issue-exposes-30000-mongodb-instances-researcher

    Matherly also noticed that a majority of the publicly accessible MongoDB instances are hosted in the cloud, particularly DigitalOcean, Amazon, Linode and OVH.

    “I’ve actually observed this trend across the board: cloud instances tend to be more vulnerable than the traditional datacenter hosting. My guess is that cloud images don’t get updated as often, which translates into people deploying old and insecure versions of software,” the expert said in a blog post.

    These poorly configured instances expose a total of 595.2TB of data. The ten most common database names identified as a result of the Shodan search are local, admin, db, test, config, mydb, video, hackedDB, storage, and trash.

    “Faceting on the database name reveals widespread installations that might’ve been misconfigured or otherwise exposed. There are a lot of instances that have some sort of administrative database, so the app that uses MongoDB probably has authentication but the database itself doesn’t,” said Matherly.

    This isn’t the first time researchers report finding MongoDB databases exposed on the Web. In February, students from the Saarland University in Germany revealed finding nearly 40,000 exposed instances.

    The experts noted at the time that many precompiled MongoDB packages are shipped with a default configuration that binds the service to the localhost (bind_ip is set to 127.0.0.1). However, since in many cases the database and the service using the database are running on different machines, developers remove the “bind_ip” flag to allow all network connections to the database.

    This allows access from outside the trusted network and if transfer encryption and proper access control are not set up, the database becomes exposed, researchers said.

    Reply
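An added example (my own script, not code from the page, SecurityWeek or MongoDB) that audits a mongod configuration file for the exposure pattern described in the comment above: the bind_ip setting removed or widened while authentication stays off. It parses only the legacy “key = value” mongod.conf format in which the bind_ip flag lives (the YAML format with net.bindIp and security.authorization is not handled), and both sample configs are constructed.

```python
"""Audit a legacy-format mongod.conf for the "bind_ip removed, no auth" exposure.

Constructed example; it is not MongoDB's own tooling. Only the legacy
"key = value" format is parsed. Exposure is defined as: the daemon listens
beyond the loopback interface AND authentication is not enabled.
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
WILDCARD = {"0.0.0.0", "::"}


def parse_legacy_conf(text):
    """Parse legacy mongod.conf text ("key = value" per line) into a dict.

    '#' comments and blank lines are ignored; a repeated key keeps its last value.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def _truthy(value):
    """Legacy boolean options accept true/1/yes; a missing key counts as false."""
    return value is not None and value.strip().lower() in {"true", "1", "yes"}


def audit_mongod_conf(text):
    """Return {"exposed": bool, "findings": [str, ...]} for a legacy config."""
    conf = parse_legacy_conf(text)
    findings = []

    bind = conf.get("bind_ip")
    if bind is None:
        # The default package config sets bind_ip = 127.0.0.1; deleting the line
        # makes mongod listen on every interface.
        listens_remote = True
        findings.append("bind_ip is absent: mongod listens on every interface")
    else:
        addrs = {a.strip() for a in bind.split(",") if a.strip()}
        if addrs & WILDCARD:
            listens_remote = True
            findings.append("bind_ip contains a wildcard address: "
                            + ", ".join(sorted(addrs & WILDCARD)))
        elif addrs <= LOOPBACK:
            listens_remote = False
        else:
            listens_remote = True
            findings.append("bind_ip listens on non-loopback address(es): "
                            + ", ".join(sorted(addrs - LOOPBACK)))

    # 'auth = true' enables access control; 'noauth = true' explicitly disables it.
    auth_on = _truthy(conf.get("auth")) and not _truthy(conf.get("noauth"))
    if not auth_on:
        findings.append("authentication is off (no 'auth = true', or 'noauth = true')")

    # Transport encryption is informational here: it does not change "exposed".
    if conf.get("sslMode", "").lower() != "requiressl":
        findings.append("transport encryption not required (sslMode != requireSSL)")

    return {"exposed": listens_remote and not auth_on, "findings": findings}


# Constructed sample: the shipped default with the bind_ip line removed so an
# application on another host can connect, and nothing put in its place.
WEAK_CONF = """\
# mongod.conf (constructed sample)
dbpath = /var/lib/mongodb
logpath = /var/log/mongodb/mongod.log
logappend = true
# bind_ip = 127.0.0.1   (removed so the app server can reach the database)
"""

# Constructed sample: reachable from the app network, but only with credentials
# and TLS. 10.0.0.5 is a placeholder private interface address.
HARDENED_CONF = """\
dbpath = /var/lib/mongodb
logpath = /var/log/mongodb/mongod.log
logappend = true
# loopback plus the private interface the application uses
bind_ip = 127.0.0.1,10.0.0.5
auth = true
sslMode = requireSSL
sslPEMKeyFile = /etc/ssl/mongod.pem
"""


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        result = audit_mongod_conf(conf)
        print(f"{name}: exposed={result['exposed']}")
        for finding in result["findings"]:
            print("  -", finding)
```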
  10. Tomi Engdahl says:

    Number of leaking MongoDB databases increasing: Shodan founder
    http://www.databreaches.net/number-of-leaking-mongodb-databases-increasing-shodan-founder/

    Yesterday’s news about a MongoDB database belonging to MacKeeper (Kromtech) leaking certainly got a lot of media attention. But now do read John Matherly’s comments on Shodan. Matherly, the founder of Shodan, notes that the number of available, unauthenticated instances of MongoDB has actually increased in the past few months. Of note, he explains that the increase is occurring despite MongoDB having changed their default settings.

    “Finally, I can’t stress enough that this problem is not unique to MongoDB: Redis, CouchDB, Cassandra and Riak are equally impacted by these sorts of misconfigurations.”

    Reply
  11. Tomi Engdahl says:

    Security holes in popular virus protection software

    Kaspersky, McAfee and AVG are known as popular security software suppliers. Therefore it is a bit ironic that security holes have been found in their software that allow taking control of the computer.

    Behind the revelation is the American security company enSilo.

    According to enSilo, the antivirus software market is worth $3.5 billion and the software has 400 million users. Therefore, potential security problems in such software can expose millions of users to a variety of problems.

    enSilo reported a problem with AVG, which was fixed in two days.
    Since then, vulnerabilities have been found in McAfee’s VirusScan Enterprise version 8.8 and in Kaspersky Total Security software in September.

    Source: http://etn.fi/index.php?option=com_content&view=article&id=3744:suosituissa-virustutkissa-reikia&catid=13&Itemid=101

    Reply
  12. Tomi Engdahl says:

    Thomas Fox-Brewster / Forbes:
    MacKeeper Leaks 13 Million Mac Owners’ Data, Leaves Passwords Open To Easy Cracking — Anti-virus provider MacKeeper is known for pushing the message Apple Mac owners need protection. It needed some extra protection of its own today, after a white hat hacker discovered …

    MacKeeper Leaks 13 Million Mac Owners’ Data, Leaves Passwords Open To Easy Cracking
    http://www.forbes.com/sites/thomasbrewster/2015/12/14/mackeeper-13-million-apple-mac-data-leak-passwords/

    Anti-virus provider MacKeeper is known for pushing the message Apple Mac owners need protection. It needed some extra protection of its own today, after a white hat hacker discovered a database containing 13 million customer records was accessible by just visiting a selection of IP addresses, no username or password required.

    Researcher Chris Vickery said he uncovered four IP addresses that took him straight to a MongoDB database, containing a range of personal information, including names, email addresses, usernames, password hashes, phone numbers, IP addresses, system information, as well as software licenses and activation codes. All Vickery had to do was look for openly accessible MongoDB databases on the Shodan search tool.

    Reply
  13. Tomi Engdahl says:

    ‘Do Not Track’ Bill Aims To Let Consumers Reject Online Tracking
    http://yro.slashdot.org/story/15/12/15/1950258/do-not-track-bill-aims-to-let-consumers-reject-online-tracking

    Today, Sens. Richard Blumenthal (CT) and Ed Markey (MA) are introducing the Do Not Track Online Act of 2015 (PDF), which would direct the Federal Trade Commission to create new regulations

    A newly introduced piece of federal legislation aims to give consumers more choices about when their browsing behavior is being tracked

    “Do Not Track” Bill Hopes To Let Consumers Just Say No To Online Tracking
    http://consumerist.com/2015/12/15/do-not-track-bill-hopes-to-let-consumers-just-say-no-to-online-tracking/

    Just about anywhere you go online, at least some of your actions are being tracked. Sometimes, it’s as simple and innocuous as measuring unique visits to a website. Other times, it’s more invasive — keeping track of the pages you browse to provide you more targeted advertising. A newly introduced piece of federal legislation aims to give consumers more choices about when their browsing behavior is being tracked.

    Today, Sens. Richard Blumenthal (CT) and Ed Markey (MA) are introducing the Do Not Track Online Act of 2015 [PDF], which would direct the Federal Trade Commission to create new regulations “regarding the collection and use of personal information obtained by tracking the online activity of an individual.”

    Reply
  14. Tomi Engdahl says:

    Anonymous hacks European Space Agency ‘for the lulz’
    http://www.neowin.net/news/anonymous-hacks-european-space-agency-for-the-lulz

    No government agency is safe, not even the ones which aren’t operating on Earth – that seems to be this week’s lesson from Anonymous, who seemingly decided to have fun at the European Space Agency’s expense.

    Hackers, working in the name of Anonymous, breached some of the agency’s subdomains with an SQL vulnerability that allowed them to access some databases. On top of the employee usernames and plain text passwords, the hackers also leaked the names, e-mails and passwords of some 8000 subscribers to the ESA domains.

    Unfortunately, there’s no clear reason for this attack with the hackers supposedly saying they had taken these actions “for the lulz”. The cyber-attack took place just as the ESA is preparing to launch a mission headed to the International Space Station.

    Anonymous has recently taken actions against ISIS, and Donald Trump in the name of human rights and freedom, so this attack against the ESA seems to be out of character.

    Reply
  15. Tomi Engdahl says:

    Stephanie M. Lee / BuzzFeed:
    Hzone, a dating app for those who are HIV-positive, leaked sensitive data of over 5K members and took five days to fix the issue after it was reported

    A HIV-Positive Dating App Leaked 5,000 Users’ Data
    http://www.buzzfeed.com/stephaniemlee/a-dating-app-for-hiv-positive-people-leaked-sensitive-data#.enVk6DyWB

    More than 5,000 members of Hzone may have had their personal information compromised thanks to an unsecured database.

    In the case of Hzone, such information included names, email addresses, birthdays, relationship statuses, number of children, sexual orientation, sexual experiences, and messages like this, according to DataBreaches.net: “Hi. I was diagnosed 3 years ago now. CD4 and Viral Load is relatively good. I’m therefore not on Meds yet. My 6-monthly blood tests are due in June. Planning to go in meds. I’m worried about the side effects. What kinds of side effect have you experienced? Xx.” As many as 5,000 users appeared in the breach.

    Meanwhile, more than 567,000 users were exposed in a data breach involving iFit, an app that syncs with wearable devices and exercise equipment like NordicTrack and Reebok. iFit can collect information like passwords, weight, gender, addresses, credit card data, and workout data (like your heart rate and date and time of your workout).

    Both Vickery and DataBreaches.net, whose publisher goes by “Dissent,” alerted Hzone’s developers to the leak. DataBreaches.net reported that Hzone did not secure the leak for five days after it was contacted Dec. 8, nor did it immediately respond to their inquiries. “The Hzone leak was particularly frustrating to both of us because although it was the smallest leak I reported, the data were so sensitive,” Dissent told BuzzFeed News in an email. “We simply could not get a response from them despite using their contact form on their web site (both of us tried) and despite email to their support email address, which generated a receipt that it was opened.”

    Reply
  16. Tomi Engdahl says:

    New data porting rules mustn’t overburden businesses with costs, says UK minister
    Costliness shouldn’t become ‘barrier to entry’
    http://www.theregister.co.uk/2015/12/16/data_portability_requirements_must_not_impose_too_great_a_cost_burden_on_businesses_says_uk_minister/

    Rules designed to enable consumers to move their data from one platform to another should not be so costly to comply with that they serve as a “barrier to entry” into markets, the UK’s parliamentary under-secretary of state for the Department for Business, Innovation has said.

    Baroness Neville-Rolfe said that the planned new General Data Protection Regulation (GDPR) is likely to give consumers “more control over how their data is to be used” but she raised concern about the impact data portability rules could have on “new ideas, innovation and competition”.

    “The technical feasibility and the cost to platforms of providing data in a suitable format obviously needs to be considered because if the costs are too high then that perversely becomes a barrier to entry,” Neville-Rolfe said in giving evidence to the UK parliament’s EU Internal Market Sub-Committee’s ongoing inquiry into online platforms.

    “If you can avoid regulation but have strong competition law which tackles the over-mighty when they get over-mighty but also allows a good degree of growth and new innovators that is often the best way,” Neville-Rolfe said.

    Reply
  17. Tomi Engdahl says:

    EU Rules Would Ban Kids Under 16 From Social Media
    http://yro.slashdot.org/story/15/12/16/0344208/eu-rules-would-ban-kids-under-16-from-social-media

    An anonymous reader sends word of new data protection rules up for vote in the European Parliament which would make it illegal for companies to handle the data of children aged 15 and younger. Currently, such data processing is prohibited only for kids 12 and under. This would affect European teenagers’ ability to use Facebook, Snapchat, Instagram, and many other social media services. This amendment has been opposed not only by the tech companies involved, but by many child safety experts as well.

    Is Europe really going to ban teenagers from Facebook and the internet?
    http://www.theguardian.com/technology/2015/dec/15/europe-ban-teenagers-facebook-internet-data-protection-under-16

    New European data protection rules would see companies require parental consent to handle data of those under 16, effectively blocking them from social media

    Reply
  18. Tomi Engdahl says:

    Windows’ authentication ‘flaw’ exposed in detail
    Researcher plays lyre, sends Kerberos to sleep
    http://www.theregister.co.uk/2015/12/15/devastating_flaw_in_windows_authentication/

    Updated: Security researcher “dfirblog” has forensically examined what he calls a “devastating” flaw in Windows’ Kerberos authentication system.

    The vulnerability cannot be fixed, and the only solution is to use Microsoft’s Credential Guard program to prevent passwords from being stored in memory, according to his extensive blog post.

    The flaw results from how the third-party authentication system creates secret keys: by using the password associated with a disabled username (krbtgt). That password is rarely changed, making it possible to bypass the authentication system altogether and allow an attacker to grant themselves admin privileges, as well as create secret passwords for existing users and new users that don’t exist.

    Although some of the entry points are time-limited – the system will seek to validate accounts after 20 minutes – because it is possible to create fake users without limit, it is possible to access a system incessantly.

    Kerberos is a default authentication protocol in Windows networks and authentication clients and servers. A flaw in the system noticed last year, for example, would enable an attacker to compromise an entire network, including installing programs and deleting data. This flaw appears to be very similar.

    Protecting Windows Network –
    http://dfir-blog.com/2015/12/13/protecting-windows-networks-kerberos-attacks/

    MEDIA NOTE:
    This is not a new flaw, just a good write-up! I don’t know why the media are reporting this as a new flaw.

    Reply
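Two defensive checks follow directly from the write-up above: the age of the krbtgt key bounds how long a forged ticket stays usable, and a service-ticket request naming an account that does not exist in the directory can only come from a forged ticket. The following is an added example, not code from dfirblog’s post or from Microsoft; the event records are constructed stand-ins for how a SIEM might normalise ticket requests, not the real Windows event format, and the account list is a constructed directory export. The `pwdLastSet` encoding (100 ns ticks since 1601) is the real Active Directory attribute format.

```python
"""Added example, not from dfirblog's post or from Microsoft: two defensive
checks that follow from the write-up. Event records and the account list are
constructed sample data, not the real Windows event format."""
from datetime import datetime, timedelta, timezone

# Seconds between the Windows FILETIME epoch (1601-01-01) and the UNIX epoch.
FILETIME_EPOCH_OFFSET = 11644473600


def filetime_to_datetime(filetime: int) -> datetime:
    """Convert an AD pwdLastSet value (100 ns ticks since 1601) to UTC."""
    seconds = filetime / 10_000_000 - FILETIME_EPOCH_OFFSET
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime, used to build sample values."""
    return int((dt.timestamp() + FILETIME_EPOCH_OFFSET) * 10_000_000)


def krbtgt_password_age_days(pwd_last_set: int, now: datetime) -> float:
    return (now - filetime_to_datetime(pwd_last_set)).total_seconds() / 86400


def krbtgt_needs_rotation(pwd_last_set: int, now: datetime,
                          max_age_days: int = 180) -> bool:
    """A forged TGT is accepted for as long as the krbtgt key it was signed
    with is still valid, so the key's age bounds the exposure window."""
    return krbtgt_password_age_days(pwd_last_set, now) > max_age_days


def tickets_for_unknown_accounts(events, known_accounts):
    """Service-ticket requests naming an account absent from the directory.
    The KDC never issues a genuine TGT for a non-existent principal, so such
    a request presents a forged ticket (the post notes the KDC only starts
    checking the account itself once the ticket is 20 minutes old)."""
    known = {a.lower() for a in known_accounts}
    return [e for e in events if e["account"].lower() not in known]


def tickets_exceeding_lifetime(events, max_lifetime: timedelta):
    """Tickets valid for longer than domain policy allows; forged tickets are
    typically minted with lifetimes of years rather than hours."""
    return [e for e in events if e["end"] - e["start"] > max_lifetime]


# Constructed sample data: a directory export and a few normalised events.
KNOWN_ACCOUNTS = ["alice", "bob", "svc-backup"]
T0 = datetime(2015, 12, 16, 9, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    {"account": "alice", "service": "cifs/fs01",
     "start": T0, "end": T0 + timedelta(hours=10)},
    {"account": "BOB", "service": "ldap/dc01",
     "start": T0, "end": T0 + timedelta(hours=10)},
    {"account": "notauser", "service": "cifs/fs01",
     "start": T0, "end": T0 + timedelta(days=3650)},
]

if __name__ == "__main__":
    stale_key = datetime_to_filetime(datetime(2014, 1, 1, tzinfo=timezone.utc))
    print("krbtgt key age (days):", round(krbtgt_password_age_days(stale_key, T0)))
    print("needs rotation:", krbtgt_needs_rotation(stale_key, T0))
    for e in tickets_for_unknown_accounts(SAMPLE_EVENTS, KNOWN_ACCOUNTS):
        print("ticket for unknown account:", e["account"], e["service"])
    for e in tickets_exceeding_lifetime(SAMPLE_EVENTS, timedelta(hours=10)):
        print("ticket lifetime exceeds policy:", e["account"])
```

In practice the `pwdLastSet` value comes from an LDAP query against the krbtgt object, and the event feed from the domain controllers’ audit log; the lifetime check needs a log source that exposes ticket start and end times, which is an assumption of this example.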
  19. Tomi Engdahl says:

    Vulnerability allowing attacks found in name server software – download the update

    Two vulnerabilities have been found in the name server software BIND. The Finnish Communications Regulatory Authority’s Kyberturvallisuuskeskus urges users to download the software update.

    The critical vulnerability may lead to a denial of service condition in the software.

    The software needs to be updated to version 9.9.8-P2 or 9.10.3-P2, Kyberturvallisuuskeskus advises.

    Source: http://www.tivi.fi/Kaikki_uutiset/nimipalvelinohjelmistosta-loytyi-hyokkayksen-mahdollistava-haavoittuvuus-lataa-paivitys-6239603

    More: https://www.viestintavirasto.fi/kyberturvallisuus/haavoittuvuudet/2015/haavoittuvuus-2015-121.html

    Reply
  20. Tomi Engdahl says:

    Finnish security company Nixu has entered into a cooperation agreement with Nokia Networks for the development and delivery of cyber security services for Nokia customers worldwide. For Nixu, the agreement plays a big role in the company’s pursuit of growth in international markets.

    Nixu CEO Petri Kairinen is, of course, pleased with the agreement. – The cooperation agreement signed with Nokia gives us an important international distribution channel. As a specialized expert we are present at several points in the security construction value chain and create added value for our customers. We have hard skills that are in demand internationally, Kairinen continued.

    Source: http://etn.fi/index.php?option=com_content&view=article&id=3759:nixun-kyberturvaa-nokian-verkkoasiakkaille&catid=13&Itemid=101

    Reply
  21. Tomi Engdahl says:

    Cyber security buck stops with me, says Dido Harding
    We wanted to tell customers sooner, but cops wouldn’t let us
    http://www.theregister.co.uk/2015/12/16/dido_harding_parliamentary_hearing/

    The chief executive of TalkTalk, Dido Harding, has told MPs that she alone is responsible for cyber security at the company, but that the operator does not yet know if the major hack it experienced in October was avoidable.

    The hack led to the personal details of more than 156,000 people being accessed by hackers and the company estimating £35m in losses related to the incident.

    Speaking to the Culture, Media and Sport Committee yesterday Harding said: “Cyber security is a board level issue, and I am responsible for it.”

    She said there was no specific line manager for cyber security as the responsibility cuts across multiple roles in the company.

    Asked if that meant sanctions ought to be imposed at board level, she replied that would depend if the loss of data was avoidable or not. “At this stage we just don’t know.”

    However, Harding failed to mention that just before the hack the company had been advertising for an information security officer.

    “Clearly there is a lot more we can and will do going forward. But we are far from alone in having cyber attacks,” she told MPs.

    She said the company had wanted to inform customers of the breach sooner, but had been advised by police not to do so. “One of the most difficult periods was the first 36 hours of the attack,” she said. The company had received a ransom demand and had informed the police. “The next day it was very clear there was a real risk material number of customers data stolen.”

    Reply
  22. Tomi Engdahl says:

    Nearly 1 in 5 health data breaches take years to spot, says Verizon
    And 90 per cent of all industries have lost people’s sensitive med info
    http://www.theregister.co.uk/2015/12/16/verizon_health_breaches_survey/

    Stolen medical information is a prevalent problem across multiple industries, according to a new study by Verizon.

    The issue is compounded because many organisations outside of the healthcare sector do not even realise they hold this type of data.

    Common sources of protected health information are employee records (including workers’ compensation claims) or information for health programs. These repositories are frequently poorly protected.

    Medical data loss is not just a problem for the healthcare sector. According to Verizon, 90 per cent of all industries have suffered a data breach that resulted in the loss of medical data, including: retail, finance, mining and educational sectors, amongst others.

    Verizon’s researchers analysed 931 incidents of confirmed protected health information breaches involving more than 392 million records. The global study covered 25 countries across North America, Europe and the Asia-Pacific region.

    One in five health record breaches involved privilege misuse. Staff not infrequently abused their privileges in order to snoop and look at medical records held on the same local area network or on a weakly secured database server on the corporate intranet.

    Loss of unencrypted devices is a major problem for the healthcare industry itself. Around a third (31.3 per cent) of incidents where human error was involved in one way or another in data breaches were down to lost devices.

    The one positive trend in this area over the last five years is that it’s taking less time for organisations to realise they have a problem. Even so, only 31 per cent of incidents are found within days: 31.25 per cent took months and 18.75 per cent took years to find.

    Reply
  23. Tomi Engdahl says:

    CISA Surveillance Bill Hidden Inside Last Night’s Budget Bill
    http://yro.slashdot.org/story/15/12/16/1844217/cisa-surveillance-bill-hidden-inside-last-nights-budget-bill

    An anonymous reader writes that the Cybersecurity Information Sharing Act (CISA) was inserted into the omnibus budget deal passed by the House of Representatives late last night. Engadget reports: “Last night’s budget bill wasn’t all about avoiding a government shutdown. Packed inside the 2,000-page bill announced by Speaker Paul Ryan (R-WI) is the full text of the controversial Cybersecurity Information Sharing Act (CISA) of 2015. ”

    Congress tucked CISA inside last night’s budget bill
    The controversial cybersecurity bill passed the Senate in October.
    http://www.engadget.com/2015/12/16/congress-tucked-cisa-in-budget-bill/

    Despite being labeled as cybersecurity legislation, critics of CISA argue that it’s a surveillance bill that would allow companies to share user info with the US government and other businesses. As TechDirt points out, this version of the bill stripped important protections that would’ve prevented directly sharing details with the NSA and required any personally identifying details to be removed before being shared. It also removes restrictions on how the government can use the data.

    Reply
  24. Tomi Engdahl says:

    PRESTON: The UK’s “Big Brother” Comprehensive National Database System
    http://news.slashdot.org/story/15/12/17/0128227/preston-the-uks-big-brother-comprehensive-national-database-system

    The investigative journalist Duncan Campbell has written an article at The Register claiming that the UK Government has been secretly creating a database of all telephone calls, financial and travel records for the last 15 years.

    Big Brother is born. And we find out 15 years too late to stop him
    Elected MPs were deliberately misled by Brit spy agencies
    http://www.theregister.co.uk/2015/12/16/big_brother_born_ntac_gchq_mi5_mass_surveillance_data_slurping/

    The “Big Brother” comprehensive national database system feared by many MPs has been built behind their backs over the last decade, and even has a name for its most intrusive component: a central London national phone and internet tapping centre called PRESTON.

    PRESTON, which collects about four million intercepted phone calls a year, has also recently been used to plant malware on iPhones, according to disclosures by former NSA contractor Edward Snowden. The phones were then targeted for MI5 “implants” (malware), authorised by a ministerial warrant.

    Located inside the riverside headquarters of the Security Service, MI5, in Thames House, PRESTON works alongside and links to massive databases holding telephone call records, internet use records, travel, financial, and other personal records held by the National Technical Assistance Centre (NTAC), a little known intelligence support agency set up by Tony Blair’s government in a 1999 plan to combat encryption and provide a national centre for internet surveillance and domestic codebreaking.

    The Home Office then commissioned and funded a technical plan to establish an interception network for the domestic internet, and allocated a £25m budget to get NTAC started.

    Reply
  25. Tomi Engdahl says:

    Facebook, Google and Twitter Agree To Delete Hate Speech In Germany
    http://tech.slashdot.org/story/15/12/16/1618232/facebook-google-and-twitter-agree-to-delete-hate-speech-in-germany

    Facebook, Google, and Twitter have agreed to remove hateful posts from their platforms within 24 hours in Germany, officials announced yesterday. The web companies committed to the move in a new agreement with German authorities, after coming under increased pressure to help curb racism online in the country.

    Facebook, Google, Twitter agree to delete hate speech in 24 hours: Germany
    http://www.reuters.com/article/us-germany-internet-idUSKBN0TY27R20151215

    Germany said on Tuesday that Facebook, Google and Twitter have agreed to delete hate speech from their websites within 24 hours, a new step in the fight against rising online racism following the refugee crisis.

    The government has been trying to get social platforms to crack down on the rise in anti-foreigner comments in German on the web as the country struggles to cope with an influx of more than 1 million refugees this year.

    The new agreement makes it easier for users and anti-racism groups to report hate speech to specialist teams at the three companies, German Justice Minister Heiko Maas said.

    “When the limits of free speech are trespassed, when it is about criminal expressions, sedition, incitement to carry out criminal offences that threaten people, such content has to be deleted from the net,” Maas said. “And we agree that as a rule this should be possible within 24 hours.”

    Germany last month launched an investigation into the European head of Facebook over its alleged failure to remove racist hate speech.

    Reply
  26. Tomi Engdahl says:

    Hayes Brown / BuzzFeed:
    Brazil imposes 48-hour block on WhatsApp for failing to cooperate in criminal investigation; rival app Telegram says it gained 1.5M+ users there in a day — Brazil Just Blocked WhatsApp Despite Almost Everyone In Brazil Using It — A court has blocked the app that 93% of Brazil’s internet users depend …

    Brazil Just Blocked WhatsApp Despite Almost Everyone In Brazil Using It
    http://www.buzzfeed.com/hayesbrown/brazil-just-blocked-whatsapp-despite-almost-everyone-in-braz#.stkbqnG59

    A court has blocked the app that 93% of Brazil’s internet users depend on for their communication needs.

    A court in Brazil has ordered telecommunications companies to block popular messaging service WhatsApp for 48 hours, citing a failure to respond properly to a criminal case.

    “Because WhatsApp did not respond to a court order of July 23, 2015, on August 7, 2015, the company was again notified, with there being a fixed penalty in case of non-compliance. As yet the company did not attend the court order, the prosecution requested the blocking of services for a period of 48 hours, based on the law […], which was granted by Judge Sandra Regina Nostre Marques,” the court said in a statement.

    Reply
  27. Tomi Engdahl says:

    A critical vulnerability that allows attackers to execute code has been found in the widely used open-source Zen Cart online shop software. Exploiting the hole does not require logging in, and it can be done remotely.

    Source: http://www.tivi.fi/Kaikki_uutiset/verkkokauppaohjelmistossa-kriittinen-haavoittuvuus-paivita-heti-6240274

    More: https://www.viestintavirasto.fi/kyberturvallisuus/haavoittuvuudet/2015/haavoittuvuus-2015-122.html

    Reply
  28. Tomi Engdahl says:

    Microsoft SmartScreen can now block zero-day attacks on Edge and IE
    Welcome to the evolution, apparently
    http://www.theinquirer.net/inquirer/news/2439678/microsoft-smartscreen-can-now-block-zero-day-attacks-on-edge-and-ie

    REDMOND COMPANY Microsoft has approached its customers with some boasts about SmartScreen and how much better it is at protecting people today than it was earlier this week.

    The firm said that the SmartScreen system has been a capable security option for some time, and has made its bones in protecting against phishing attacks and malware and that kind of thing. Microsoft does not hang about, though, and it has added to this apparently perfect specimen with protection against drive-by zero-day attacks.

    “SmartScreen has protected users from billions of web-based attacks in the last eight years. Over time, SmartScreen has expanded its scope from phishing attacks and socially engineered malware to include warnings for deceptive advertisements and scam support sites,” said the firm in a blogpost.

    Evolving Microsoft SmartScreen to protect you from drive-by attacks
    https://blogs.windows.com/msedgedev/2015/12/16/smartscreen-drive-by-improvements/

    Microsoft SmartScreen, integrated with Microsoft Edge, Internet Explorer, and the Windows operating system, has helped protect users from socially engineered attacks such as phishing and malware downloads since its initial release in Internet Explorer 7. With URL reputation checks and Application Reputation protection, SmartScreen has protected users from billions of web-based attacks in the last 8 years. Over time, SmartScreen has expanded its scope from phishing attacks and socially engineered malware to also include warnings for deceptive advertisements and support scam sites.

    Drive-by attacks are malicious web attacks that tend to start on trusted websites, targeting security vulnerabilities in commonly used software. What’s more, they often don’t require any user interaction – so there’s nothing to click, nothing to download – and infection is usually invisible.

    Reply
  29. Tomi Engdahl says:

    6 Men Admit to Running a Global $100M Software Piracy Ring
    http://www.wired.com/2015/12/6-men-admit-to-running-a-giant-100m-software-piracy-ring/

    If you bought an inexplicably cheap copy of Photoshop or Microsoft Office in the last few years, even from a site as reputable as Overstock.com or Amazon, you may have been an unwitting customer in a $100 million global piracy ring—one that’s now ended with guilty pleas from half a dozen men across nearly as many states.

    all six individuals charged in a six-year massive fraud scheme, which prosecutors say sold more than 170,000 copies of Adobe and Microsoft programs including Windows, Office, Photoshop, and Creative Suite, complete with valid registration codes and even physical certificates of authenticity

    “It appears to be one the biggest software piracy cases, if not the biggest, the department has ever handled,”

    In all, investigators say they’ve tracked $100 million in sales across the six defendants, including an estimated $30 million in profits.

    Homeland Security’s case began when customer complaints led the agency to 29-year-old Carey Lee Ross in Kansas City, Missouri. They discovered that Ross’ business, Software Slashers, was reselling tens of thousands of stolen Microsoft software registration codes obtained from a source in China.

    Investigators found that the loosely connected ring of software fraudsters were buying real, stolen registration codes, usually listed in an Excel spreadsheet or a Word document, along with counterfeit packaging, official-looking cards on which the stolen registration codes were printed, and faked or stolen certificates of authenticity that were placed on the software packages. In many cases, the same registration codes were resold several times to unwitting customers. If Microsoft or Adobe detected the code’s reuse and disabled the software, the seller would simply offer the customer a new stolen code.

    Exactly who in China, Singapore, or Germany supplied those pilfered registration keys isn’t clear

    Reply
  30. Tomi Engdahl says:

    Michael Mimoso / Threatpost:
    Juniper discovers backdoor in its NetScreen enterprise firewalls that allows decrypting VPN traffic, admin access, recommends patching immediately — Juniper Finds Backdoor that Decrypts VPN Traffic — Juniper Networks today has released an emergency patch that removes what it’s calling …

    Juniper Finds Backdoor that Decrypts VPN Traffic
    https://threatpost.com/juniper-finds-backdoor-that-decrypts-vpn-traffic/115663/

    Juniper Networks today has released an emergency patch that removes what it’s calling “unauthorized code” from ScreenOS that could allow attackers to decrypt VPN traffic from NetScreen devices.

    Juniper has not commented on the origin of the code it found. However, Juniper’s products were singled out, among others, in the National Security Agency’s product catalog developed by its ANT division.

    Reply
  31. Tomi Engdahl says:

    Diane Bartz / Reuters:
    ID theft monitoring company LifeLock to pay $100M fine for violating 2010 FTC settlement that required LifeLock protect customer data — LifeLock to pay $100 million to settle U.S. contempt charges: FTC — LifeLock Inc, which sells identity theft monitoring and fraud detection services …

    LifeLock to pay $100 million to settle U.S. contempt charges: FTC
    http://www.reuters.com/article/us-lifelock-ftc-idUSKBN0U026L20151217

    LifeLock Inc, which sells identity theft monitoring and fraud detection services, has agreed to pay $100 million to settle charges that it failed to properly protect its customers’ data, the Federal Trade Commission said on Thursday.

    The FTC had accused LifeLock, which is based in Tempe, Arizona, of violating a 2010 court order that required it to take steps to secure data properly and said that LifeLock falsely advertised that it protected that information, among other allegations.

    The company charges $9.99 per month to monitor a customers’ accounts to get an early warning of identity theft and to help them clean up the mess when identity theft occurs.

    LifeLock said in the court filing that it neither admitted nor denied the FTC’s allegations.

    Reply
  32. Tomi Engdahl says:

    Indexing HTTPS pages by default
    http://googlewebmastercentral.blogspot.fi/2015/12/indexing-https-pages-by-default.html

    At Google, user security has always been a top priority. Over the years, we’ve worked hard to promote a more secure web and to provide a better browsing experience for users. Gmail, Google search, and YouTube have had secure connections for some time, and we also started giving a slight ranking boost to HTTPS URLs in search results last year. Browsing the web should be a private experience between the user and the website, and must not be subject to eavesdropping, man-in-the-middle attacks, or data modification. This is why we’ve been strongly promoting HTTPS everywhere. As a natural continuation of this, today we’d like to announce that we’re adjusting our indexing system to look for more HTTPS pages. Specifically, we’ll start crawling HTTPS equivalents of HTTP pages, even when the former are not linked to from any page. When two URLs from the same domain appear to have the same content but are served over different protocol schemes, we’ll typically choose to index the HTTPS URL.

    Although our systems prefer the HTTPS version by default, you can also make this clearer for other search engines by redirecting your HTTP site to your HTTPS version and by implementing the HSTS header on your server.

    HTTP Strict Transport Security (HSTS)
    https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security

    Reply
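The two steps Google recommends above, redirecting HTTP to HTTPS and sending an HSTS header, are small to implement but easy to get subtly wrong: the header only takes effect when a browser receives it over HTTPS, a short `max-age` gives little protection, and `preload` submission requires `includeSubDomains` and a `max-age` of at least one year. The following is an added example, not Google’s code, showing both steps as a minimal WSGI application plus a checker that parses a `Strict-Transport-Security` value the way a reviewer would before enabling it. The hostname is a placeholder.

```python
"""Added example, not Google's code: HTTP-to-HTTPS redirect and HSTS header
as a minimal WSGI app, and a checker for Strict-Transport-Security values.
The host name used when none is supplied is a placeholder."""
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

ONE_YEAR = 31536000  # seconds; the minimum max-age hstspreload.org accepts


def https_redirect_target(url: str) -> Optional[str]:
    """The https:// twin of an http:// URL, or None if it is not http."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return None
    return urlunsplit(("https",) + tuple(parts[1:]))


def hsts_header(max_age: int = ONE_YEAR, include_subdomains: bool = True,
                preload: bool = False) -> str:
    value = f"max-age={max_age}"
    if include_subdomains:
        value += "; includeSubDomains"
    if preload:
        value += "; preload"
    return value


def parse_hsts(value: str) -> dict:
    """Split a header value into lower-cased directives (valueless ones -> True)."""
    directives = {}
    for item in value.split(";"):
        item = item.strip()
        if not item:
            continue
        name, _, val = item.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') or True
    return directives


def check_hsts(value: str, min_age: int = ONE_YEAR // 2) -> list:
    """Return review findings for a header value; an empty list is good."""
    d = parse_hsts(value)
    raw = d.get("max-age")
    age = int(raw) if isinstance(raw, str) and raw.isdigit() else None
    findings = []
    if age is None:
        findings.append("max-age missing or not a non-negative integer")
    elif age == 0:
        findings.append("max-age=0 tells browsers to forget the policy")
    elif age < min_age:
        findings.append(f"max-age {age} is below the recommended {min_age}")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains absent: subdomains stay downgradable")
    if "preload" in d and (age is None or age < ONE_YEAR
                           or "includesubdomains" not in d):
        findings.append("preload requires includeSubDomains and max-age >= 1 year")
    return findings


def wsgi_app(environ, start_response):
    """Redirect plain HTTP, and send HSTS only on HTTPS responses, since
    browsers ignore the header when it arrives over an insecure connection."""
    scheme = environ.get("wsgi.url_scheme", "http")
    host = environ.get("HTTP_HOST", "example.com")  # placeholder host
    path = environ.get("PATH_INFO", "/")
    if scheme != "https":
        start_response("301 Moved Permanently",
                       [("Location", f"https://{host}{path}")])
        return [b""]
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Strict-Transport-Security", hsts_header())])
    return [b"served over https\n"]


def respond(environ) -> tuple:
    """Drive wsgi_app without a server; returns (status, headers, body)."""
    captured = {}

    def start_response(status, headers):
        captured["status"], captured["headers"] = status, dict(headers)

    body = b"".join(wsgi_app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    print(respond({"wsgi.url_scheme": "http", "HTTP_HOST": "example.com",
                   "PATH_INFO": "/page"})[:2])
    print(check_hsts("max-age=300"))
```

The redirect and the header belong together: the redirect moves visitors onto HTTPS, and the header, once received there, stops the browser from making the next first request over plain HTTP at all.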
  33. Tomi Engdahl says:

    Elizabeth Dwoskin / Wall Street Journal:
    Stiff penalties and ambiguous wording of new EU data-protection law raise daunting prospects for US companies

    EU Data-Privacy Law Raises Daunting Prospects for U.S. Companies
    Sweeping digital-privacy regime runs counter to practices that have become commonplace in the U.S.
    http://www.wsj.com/article_email/eu-data-privacy-law-raises-daunting-prospects-for-u-s-companies-1450306033-lMyQjAxMTE1NTE4NjYxNTY3Wj

    The sweeping new digital-privacy regime that European Union officials agreed to on Tuesday runs counter to practices that have become commonplace in the U.S., according to several American corporations.

    The combination of stiff penalties and ambiguously worded provisions in the new EU-wide data-protection law, which would replace a patchwork of 28 national laws, raises daunting prospects for companies operating in Europe.

    U.S. companies in industries ranging from advertising to health-care have embraced the opportunity to analyze vast amounts of data collected from sensors, apps and other sources. The new law places substantial roadblocks in their way, companies say, by specifically targeting data mining and user profiling.

    “It’s going to be a game-changer,” Jack Yang, Chief Privacy Officer and Head of Data Use for Visa, Inc., said of the new European legislation during a San Francisco conference last week on how companies were responding to the law.

    “Legal uncertainty and big fines are a toxic cocktail,” said Allan Sørensen, a board member for IAB Europe, an advertising trade group.

    While some large U.S. firms have been lobbying behind the scenes, many are only starting to prepare.

    “I think people underestimate the impact it will have,” said Eduardo Ustaran, a London-based lawyer at Hogan Lovells, who works with U.S. tech companies.

    David Hoffman, global privacy officer of Intel Corp., said the chip maker was pleased to see the EU move to a greater degree of harmonization of its privacy and data-protection laws. “However, we are concerned about any sanctions regime that would include fines of up to 4% of global revenue,” he said. “Such high sanctions dis-incentivize business and investment.”

    EU Officials Reach Agreement on Text of New Privacy Law
    Deal on EU privacy law caps four years of haggling, lobbying
    http://www.wsj.com/articles/eu-officials-reach-agreement-on-text-of-new-privacy-law-1450209502

    Reply
  34. Tomi Engdahl says:

    Robo-advice alert issued in the US
    http://www.investmentweek.co.uk/investment-week/news/2408891/robo-advice-alert-issued-in-the-us?utm_source=taboola&utm_medium=referral&utm_content=idg-pcworld

    Financial regulators in the US are warning investors and advisers to beware the limitations of automated investment tools.

    Generic economic assumptions, framed questions and de-personalised recommendations that do not properly take into account changing circumstances or investment time horizons are among the concerns identified in an alert issued by the Securities and Exchange Commission and Financial Industry Regulatory Authority.

    Automated investment platforms are part of the ‘robo-advice’ sector in the US, though they are also being used by client-facing advisers as supplementary tools to guard against losing business to the traditional robo-advice giants, such as Betterment and Wealthfront.

    Reply
  35. Tomi Engdahl says:

    These hackers prefer a different approach: asking the victims to further spread their malware
    http://www.neowin.net/news/these-hackers-prefer-a-different-approach-asking-the-victims-to-further-spread-their-malware

    The world of hacking has always been a little volatile and wily, to say the least, but the creators behind a new piece of ransomware called Chimera have really outdone themselves, with a ‘referral’ program designed to further propagate their exploit.

    Like any piece of ransomware, Chimera infects your computer and locks you out of your files, pending a hefty ransom (in this case, 2.4 bitcoins or $865) to the team behind it. What makes this particular malware so deserving of its name as the multifaceted fire breathing monster that so terrified the ancient Greeks is its inclusion of multiple – and dare I say, innovative – means of not only further exploiting victims but also inducing them into its world of crime.

    First off, unlike most similar exploits, not only will Chimera lock you out of your files but – if a payment is not made within the pre-determined time – also release them online, for anyone to peruse at their leisure. There is, however, no evidence of anyone’s details being made public as of yet

    What really sets Chimera apart though – and proves the genius of the criminals behind it – is the accompanying ‘referral’ program. Embedded within the ransom demand is a link to the source code, allowing victims to connect with those behind the attack and “take advantage of…[their] affiliate program”. Those who are so inclined can transmit Chimera to others and earn as much as 50% of all returns. Why pay when you can be paid, I suppose? Making the affiliate program even more lucrative for the hackers is the fact that it adds an extra layer between any potential victims and the masterminds behind the scheme, distancing them from the crime and possibly even adding a ‘crowdsourcing’ aspect to the whole affair.

    Reply
  36. Tomi Engdahl says:

    EFF Launches Panopticlick 2.0
    http://yro.slashdot.org/story/15/12/18/1427201/eff-launches-panopticlick-20

    The EFF has launched Panopticlick 2.0. In addition to measuring whether your browser exposes unique — and therefore trackable — settings and configuration to websites, the site can now test if you have correctly configured ad- and tracker-blocking software.

    https://panopticlick.eff.org/#2

  37. cell phone price says:

    Hi there, I think your web site may be having browser compatibility issues. When I take a look at your site in Safari, it looks fine; however, if opening in I.E., it’s got some overlapping issues.

    I merely wanted to give you a quick heads up! Besides that, great blog!

  38. Tomi Engdahl says:

    Chris Velazco / Engadget:
    Cybersecurity Information Sharing Act enacted into law by President Obama after being passed as part of omnibus bill

    Budget bill heads to President Obama’s desk with CISA intact
    Spoiler alert: Obama won’t veto this one.
    http://www.engadget.com/2015/12/18/house-senate-pass-budget-with-cisa/

    Earlier today, the US House of Representatives passed a 2,000-page omnibus budget bill that contains the entirety of the controversial Cybersecurity Information Sharing Act. Just moments ago, the Senate passed it too. Now the bill is on its way to President Barack Obama’s desk, where he has the option to veto it… except he almost certainly won’t. The gargantuan document lays out a $1.15 trillion spending plan that has received solid (if not unanimous) support from both sides of the aisle and should prevent a government shutdown like the one we saw in 2013. But at what cost?

  39. Tomi Engdahl says:

    First on CNN: Newly discovered hack has U.S. fearing foreign infiltration
    http://edition.cnn.com/2015/12/18/politics/juniper-networks-us-government-security-hack/

    A major breach at computer network company Juniper Networks has U.S. officials worried that hackers working for a foreign government were able to spy on the encrypted communications of the U.S. government and private companies for the past three years.

    The FBI is investigating the breach, which involved hackers installing a back door on computer equipment, U.S. officials told CNN. Juniper disclosed the issue Thursday along with an emergency security patch that it urged customers to use to update their systems “with the highest priority.”

    The concern, U.S. officials said, is that sophisticated hackers who compromised the equipment could use their access to get into any company or government agency that used it.

    One U.S. official described it as akin to “stealing a master key to get into any government building.”

    The breach is believed to be the work of a foreign government, U.S. officials said, because of the sophistication involved.

    Secret Code Found in Juniper’s Firewalls Shows Risk of Government Backdoors
    http://www.wired.com/2015/12/juniper-networks-hidden-backdoors-show-the-risk-of-government-backdoors/

    Encryption backdoors have been a hot topic in the last few years—and the controversial issue got even hotter after the terrorist attacks in Paris and San Bernardino, when it dominated media headlines.

    On Thursday, tech giant Juniper Networks revealed in a startling announcement that it had found “unauthorized” code embedded in an operating system running on some of its firewalls.

    The code, which appears to have been in multiple versions of the company’s ScreenOS software going back to at least August 2012, would have allowed attackers to take complete control of Juniper NetScreen firewalls running the affected software. It also would allow attackers, if they had ample resources and skills, to separately decrypt encrypted traffic running through the Virtual Private Network, or VPN, on the firewalls.

    “During a recent internal code review, Juniper discovered unauthorized code in ScreenOS that could allow a knowledgeable attacker to gain administrative access to NetScreen devices and to decrypt VPN connections,” Bob Worrall, the company’s CIO, wrote in a post. “Once we identified these vulnerabilities, we launched an investigation into the matter, and worked to develop and issue patched releases for the latest versions of ScreenOS.”

    Juniper released patches for the software yesterday and advised customers to install them immediately, noting that firewalls using ScreenOS 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20 are vulnerable.

    This is a very good showcase for why backdoors are really something governments should not have in these types of devices, because at some point it will backfire.

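    As an added example (not code from the comment, from Juniper or from the quoted articles), the affected-version ranges quoted above turned into an inventory check: the script parses ScreenOS version strings numerically, so that a release like 6.3.0r9 is not mistaken for being "above" 6.3.0r20 by a string comparison, and triages a constructed inventory whose hostnames and versions are invented for this example.

```python
import re
from typing import Dict, List, Tuple

# Affected ScreenOS releases as stated in the excerpts above (inclusive ranges).
AFFECTED_RANGES: List[Tuple[str, str]] = [
    ("6.2.0r15", "6.2.0r18"),
    ("6.3.0r12", "6.3.0r20"),
]

# ScreenOS versions look like "6.3.0r12": major.minor.patch followed by an "r" release number.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)r(\d+)$")


def parse_screenos_version(text: str) -> Tuple[int, int, int, int]:
    """Turn '6.3.0r12' into (6, 3, 0, 12) so comparisons are numeric, not lexical."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a ScreenOS version string: {text!r}")
    major, minor, patch, release = (int(g) for g in m.groups())
    return (major, minor, patch, release)


def is_affected(version: str) -> bool:
    """True if the version falls inside one of the published affected ranges."""
    v = parse_screenos_version(version)
    for low, high in AFFECTED_RANGES:
        if parse_screenos_version(low) <= v <= parse_screenos_version(high):
            return True
    return False


def triage_inventory(csv_lines: List[str]) -> Dict[str, str]:
    """Classify each 'hostname,version' line as 'affected', 'not-affected' or 'unknown'."""
    result: Dict[str, str] = {}
    for line in csv_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and comment lines
        host, _, version = line.partition(",")
        try:
            result[host.strip()] = "affected" if is_affected(version) else "not-affected"
        except ValueError:
            result[host.strip()] = "unknown"  # unparseable version: check the device by hand
    return result


# Constructed sample inventory (hostnames and versions invented for this example).
SAMPLE_INVENTORY = [
    "# host,screenos_version",
    "fw-edge-1,6.3.0r12",   # first release of the 6.3.0 affected range
    "fw-edge-2,6.3.0r9",    # lexically greater than '6.3.0r20' but numerically below the range
    "fw-dc-1,6.2.0r18",     # last release of the 6.2.0 affected range
    "fw-dc-2,6.2.0r14",     # one release before the 6.2.0 range starts
    "fw-lab-1,6.3.0",       # missing release number: flagged for manual review
]

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```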
  40. Tomi Engdahl says:

    John Goglia / Forbes:
    FAA Finally Admits Names And Home Addresses In Drone Registry Will Be Publicly Available
    http://www.forbes.com/sites/johngoglia/2015/12/18/faa-finally-admits-names-and-home-addresses-in-drone-registry-will-be-publicly-available/

    The FAA finally confirmed this afternoon that model aircraft registrants’ names and home addresses will be public. In an email message, the FAA stated: “Until the drone registry system is modified, the FAA will not release names and address. When the drone registry system is modified to permit public searches of registration numbers, names and addresses will be revealed through those searches.”

    I’ve been trying to get to the bottom of whether names and home addresses of model aircraft or hobby drone owners – including children as young as 13 – will be made available by the FAA to the public once the FAA’s new unmanned aircraft registry goes live on Monday. It seems a simple enough question. But it took a while to get a straight answer.

  41. Tomi Engdahl says:

    Michael Mimoso / Threatpost:
    Facebook and security researcher clash over disclosure best practices and compensation over Instagram bug and researcher’s further systems probing — Facebook, Researcher Spar Over Instagram Vulnerabilities — A security researcher is in a bit of a scrum with Facebook over vulnerability disclosures …

    Facebook, Researcher Spar Over Instagram Vulnerabilities
    https://threatpost.com/facebook-researcher-spar-over-instagram-vulnerabilities/115658/

  42. Tomi Engdahl says:

    Reuters:
    US-listed Chinese security company Qihoo 360 to be taken private in a deal worth about $9.3B

    Chinese tech company Qihoo 360 latest to be taken private
    http://www.reuters.com/article/us-qihoo-360-m-a-idUSKBN0U118720151218

    Qihoo 360 Technology Co (QIHU.N) said it agreed to be acquired by a group of investors in a deal valued at about $9.3 billion, joining a long list of U.S.-listed Chinese technology companies being taken private this year.

  43. Tomi Engdahl says:

    Diane Bartz / Reuters:
    ID theft monitoring company LifeLock to pay $100M fine for violating 2010 FTC settlement that required LifeLock protect customer data

    LifeLock to pay $100 million to settle U.S. contempt charges: FTC
    http://www.reuters.com/article/us-lifelock-ftc-idUSKBN0U026L20151217

    LifeLock Inc, which sells identity theft monitoring and fraud detection services, has agreed to pay $100 million to settle charges that it failed to properly protect its customers’ data, the Federal Trade Commission said on Thursday.

    The FTC had accused LifeLock, which is based in Tempe, Arizona, of violating a 2010 court order that required it to take steps to secure data properly and said that LifeLock falsely advertised that it protected that information, among other allegations.

  44. Tomi Engdahl says:

    Issie Lapowsky / Wired:
    Obama: law enforcement monitors public social media posts as part of the visa review process

    Obama Says the Feds Vet Social Media Before Issuing Visas
    http://www.wired.com/2015/12/obama-says-the-feds-vet-social-media-before-issuing-visas/

    After the massacre at a San Bernardino, California, holiday party this month, a wave of speculation crested over whether one of the San Bernardino shooters had expressed outward signs on social media that she had been radicalized before being granted a US visa.

    Recently, Homeland Security Secretary Jeh Johnson said that there were “certain legal limits” on such social media probes, a comment that presidential candidate Carly Fiorina criticized on stage at the Republican debate this week.

    Today, during his year-end press conference, President Barack Obama attempted to clarify what social data is and isn’t included in the vetting process. “Our law enforcement and intelligence professionals are constantly monitoring public posts, and that’s part of the visa review process,” he said. What the government doesn’t have access to, he said, are the multitude of private email, chat, and text platforms that we all use on a daily basis.

    That’s why, he said, it’s important for the intelligence community and tech community to work together on ways to allow the government to access that data if it has a lead on a suspected terrorist.

    It was just a few years ago, he said, that “we were having a major debate about whether the government was becoming too much like Big Brother. Overall I think we’ve struck the right balance in protecting civil liberties and making sure US citizens’ privacies are preserved.”

  45. Tomi Engdahl says:

    Stingrays
    A Secret Catalogue of Government Gear for Spying on Your Cellphone
    https://theintercept.com/2015/12/17/a-secret-catalogue-of-government-gear-for-spying-on-your-cellphone/

    THE INTERCEPT HAS OBTAINED a secret, internal U.S. government catalogue of dozens of cellphone surveillance devices used by the military and by intelligence agencies. The document, thick with previously undisclosed information, also offers rare insight into the spying capabilities of federal law enforcement and local police inside the United States.

    The catalogue includes details on the Stingray, a well-known brand of surveillance gear, as well as Boeing “dirt boxes” and dozens of more obscure devices that can be mounted on vehicles, drones, and piloted aircraft. Some are designed to be used at static locations, while others can be discreetly carried by an individual. They have names like Cyberhawk, Yellowstone, Blackfin, Maximus, Cyclone, and Spartacus. Within the catalogue, the NSA is listed as the vendor of one device, while another was developed for use by the CIA, and another was developed for a special forces requirement. Nearly a third of the entries focus on equipment that seems to have never been described in public before.

    MANY OF THE DEVICES in the catalogue, including the Stingrays and dirt boxes, are cell-site simulators, which operate by mimicking the towers of major telecom companies like Verizon, AT&T, and T-Mobile.

    The Secret Surveillance Catalogue
    https://theintercept.com/surveillance-catalogue/
    Concerned about the militarization of law enforcement, a source within the intelligence community has provided The Intercept with a secret, internal U.S. government catalogue of dozens of cellphone surveillance devices used by the military and by intelligence agencies. Some of the devices are already in use by federal law enforcement and local police forces domestically, and civil liberties advocates believe others will eventually find their way into use inside the U.S. This product catalogue provides rare insight into the current spy capabilities of local law enforcement and offers a preview of the future of mass surveillance of mobile communications.

  46. Tomi Engdahl says:

    Sanders presidential campaign accuses Democrats of dirty data tricks
    IT security snafu leads to two tribes going to war
    http://www.theregister.co.uk/2015/12/19/sanders_accuses_dems_dirty_data_tricks/

    A hacking row is splitting the Democratic Party’s presidential campaign after an incident with the party’s database provider.

    Presidential hopeful Bernie Sanders has been cut off from access to the vital voter targeting database after one of his campaign staffers improperly entered the servers of the database’s host provider NGP VAN. The company hosts the campaign profiles for both Hillary Clinton and Sanders, and a 45-minute firewall failure allowed a staffer on the latter’s campaign team to view data from the Clinton’s campaign files.

    “We fired the staffer immediately and made certain that any information obtained was not utilized,” said Jeff Weaver, Bernie Sanders 2016 campaign manager, in a statement.

    “We are now speaking to other staffers who might have been involved and further disciplinary action may be taken. Clearly, while that information was made available to our campaign because of the incompetence of the vendor, it should not have been looked at. Period.”

  47. Tomi Engdahl says:

    New bill would require public companies to disclose cybersecurity credentials
    Congress to consider SEC filing add-on
    http://www.theregister.co.uk/2015/12/18/bill_for_public_cos_to_disclose_cybersecurity/

    A new bill introduced to Congress on Thursday would require US publicly listed companies to disclose who on their Board has cybersecurity expertise.

    If it passes, the Cybersecurity Disclosure Act of 2015 would oblige companies to add details of which, if any, of their directors know about online security in filing to the Securities and Exchange Commission (SEC).

    The idea is to prompt public companies to recognize their own failings in terms of protecting their data in the wake of a number of high-profile hacking cases and increasingly aggressive state-sponsored efforts to get at valuable commercial information.

    Just 11 per cent of public boards have a “high-level understanding of cybersecurity,” according to the National Association of Corporate Directors. According to the Los Angeles Times, two-thirds of public-company board members feel they are ill-prepared for a cyberattack. PricewaterhouseCoopers found that 30 per cent of boards surveyed never talk about cybersecurity at all.

    A survey of over 1,000 senior IT people by the Ponemon Institute found that 78 per cent of them had not been asked to brief their Board in the previous year, and 66 per cent of those surveyed said they didn’t think security was a strategic priority for their company.

  48. Tomi Engdahl says:

    ‘Hacked by China? Hack them back!’ rages US Congress report
    How dare they demand we do exactly what we demand of them! The foreign rotters
    http://www.theregister.co.uk/2015/11/19/hacked_by_china_hack_them_back_encourages_congressional_report/

    A report laid before the US Congress yesterday encouraged lawmakers to allow American companies responding to Chinese miscreants pilfering their data to hack those companies back to save their info.

    The US-China Economic and Security Review Commission was established by Congress “to report on the national security implications of the bilateral trade and economic relationship between the United States and the People’s Republic of China.”

  49. Tomi Engdahl says:

    Researcher claims Facebook tried to gag him over critical flaw
    Zuck’s CSO denies bullying charges, confirms bounty payout
    http://www.theregister.co.uk/2015/12/18/facebook_gagged_researcher_over_critical_flaw/

    A security researcher who found a critical flaw in Instagram is claiming that Facebook’s chief security officer Alex Stamos tried to get him fired over the discovery.

    Earlier this year Wes Wineberg, a contractor with enterprise security intelligence firm Synack, received a tip on IRC about an Instagram server with an open admin panel that could be vulnerable to a flaw in Ruby, since it was using an older version of the software.

    After finding a default security code for Ruby online he tried it out and got accepted, enabling remote code execution (RCE) that gave him access to some of the command line. After confirming the flaw was exploitable, he then wrote up a couple of bug reports and submitted them to the Facebook security team’s bug bounty program.

    Using the RCE flaw, he checked out the user accounts that were stored on the compromised server and found 60 from Facebook and Instagram employees. Sensibly, the account passwords were encrypted with bcrypt, but he ran them through John the Ripper, an open source password cracker capable of about 250 guesses a second.

    However, after a closer examination of a server configuration file, Wineberg found an Amazon Web Services key-pair. A scan revealed 82 different AWS S3 storage buckets associated with the key, but only one of them could be opened. In that he found a second key pair that opened up all 82 buckets.

    In there he found Instagram’s crown jewels. The buckets stored the source code for the firm’s servers, SSL certificates and private keys for Instagram.com, iOS and Android app signing keys, and email server credentials.

    “To say that I had gained access to basically all of Instagram’s secret key material would probably be a fair statement,” Wineberg said.

    “With the keys I obtained, I could now easily impersonate Instagram, or impersonate any valid user or staff member. While out of scope, I would have easily been able to gain full access to any user’s account, private pictures and data.”

    He filed a detailed report to Facebook indicating seven areas of weakness involved in the hack, and on December 1 sent it in. It was then that the shit hit the fan. Facebook’s CSO called Wineberg’s boss at Synack the same day for a little chat.

    Timing is everything

    This might sound like a case of corporate bullying, but the timeline of events is important here.

    Stamos said, and Wineberg agrees, that the bug report into the initial RCE flaw was confirmed and a payout of $2,500 was made. But when he submitted the flaw report on weak user passwords, Facebook rejected the flaw, and reminded Wineberg that he wasn’t supposed to be going quite so far in his research.

    “In the future we expect you will make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service during your research,” the email, sent on October 28, stated.

    Fixing the fracas

    In his Facebook post Stamos acknowledges many of Wineberg’s points, but states that the timeline that they both agree on does indicate that the researcher crossed an ethical line.

    “Those of us who spent time in the security community in the 1990s and 2000s remember the bad old days of bug reporting, when there was a constant drumbeat of stories of security researchers trying to responsibly improve security and software vendors responding to them with legal threats,” he said.

  50. Tomi Engdahl says:

    US Budget Bill Passes With CISA Surveillance Intact
    http://yro.slashdot.org/story/15/12/19/1415251/us-budget-bill-passes-with-cisa-surveillance-intact

    Early on Friday, the U.S. Senate approved the 2,000 page ‘omnibus’ budget bill that allocated $1.15 trillion in government funding. Later in the day, President Obama signed it into law. Because the budget bill was so important, many other pieces of unrelated legislation were tacked onto it, including the Cybersecurity Information Sharing Act, a bill notable for giving the government increased internet surveillance powers. Civil rights activists and tech experts largely consider it a “privacy disaster,” and several lawmakers voted against the budget bill solely for CISA’s inclusion.

    Obama Signs $1.8 Trillion Tax And Spending Bill Into Law
    http://www.npr.org/sections/thetwo-way/2015/12/18/460281572/congress-sends-1-8-trillion-tax-and-spending-bill-to-president-obama

    President Obama has signed a $1.1 trillion funding bill that will keep the federal government running until Sept. 30, 2016.
