Security trends for 2015

Year 2014 is coming to end, so it is time to look forward what to expect from year 2015 in cyber security.

Cyber security will get harder year y year. Year 2014 was much worse than 2013. Heartbleed, Bash, and POODLE vulnerabilities were just the beginning of what to expect in 2015. I expect that year 2014 was easy compared to what year 2015 will be. 2015 will prove to be a challenging year for IT security professional. Attacks can happen anywhere and anytime and they don’t have to be major attacks by nation states. They could come from inside or outside.

According to Gartner and Securityweek Total information security spending will grow a further 8.2 percent in 2015 to reach $76.9 billion. Unfortunately, security investments are not keeping up with IT enhancements that are continuously widening our attack surface and making systems more vulnerable. As computer software has become the backbone of modern civilization, “hacktivists”, organized cyber criminals, state-sponsored cyber attackers, and terrorist organizations try to exploit design flaws and weaknesses in the applications in order to embarrass corporations and government agencies, and commit fraud.

Despite the high profile CryptoLocker takedown, ransomware scams remain an all-too-real threat. Crooks are developing more sophisticated encryption schemes to support their fraud.

The steady flow of software security issues will be making headlines also in 2015. Serious security flaws will be found on both open seurce and proprietary software.

There are many people looking for a good process to develop secure software, because after-the-fact band-aiding is not a sustainable approach. If the same methods continue to be used to develop the software, retrospectively adding tests, then there will only be a very modest reduction in the flow of problems. Processes exist but have yet to be broadly applied for developing reliable and secure networking software. Traditional methods used to develop software continue to result in high failure rates. Why create insecure security?

Year 2014 was a year of cybersecurity after the NSA revelations made in 2013. There were lots of articles related to the material published. Not everything has yet been published, so I would expect some new NSA revelations details to be published also in 2015. So I expect some new information leaks on how govermential security organizations spy us all.

It seems like year 2014 has almost been “The Year of PoS Breaches.”  Can We Learn from Big Breaches? At least companies will also face more stringent regulations: The new Payment Card Industry Data Security Standard 3.0 (PCI 3.0) will be mandatory for all businesses that store, process or transmit payment card information beginning 1 January 2015. The revamped standard includes requirements aimed at third party providers. The changes follow a string of high profile breaches – companies will also face more stringent regulations: The new Payment Card Industry Data Security Standard 3.0 (PCI 3.0) will be mandatory for all businesses that store, process or transmit payment card information beginning 1 January 2015. The revamped standard includes requirements aimed at third party providers.  I expect that those new requirements do not result any quick change to the situation. As more and more breach reports have come up constantly, consumers officially are starting to get breach fatigue and banks are bringing breached companies to court to pay for damages caused to them.

Public and private organizations are facing an increasing frequency and sophistication of cyber-attacks and security breaches – many of which are only discovered after the fact. McAfee Labs’ 2015 Threats Predictions report is an eye-opening read which forecasts increased levels of crime, espionage and warfare operations.  Cybercriminals are expected to use more sophisticated methods to remain hidden on a victim’s network, carrying out long-term theft of data without detection.

Get Ready For The Hack Attack That Drives A Big Company Out Of Business article predicts that 2015 will be the year that some company goes out of business because they didn’t plan adequately for an attack. In the past, the most sophisticated hacks against companies were carried out by big nation-states or criminal organizations. In year 2014 the Sony Pictures hack happened and showed that motives of sophisticated hackers have changed from self-gain to destruction. Many company officers are only now becoming aware of the threat (boards of directors and C-level officers have traditionally been focused on other threats). A computerized attack can cause a lot of damage to a well prepared company, and can turn a not so well prepared company to a complete disaster it can’t recover. Sony attack opens new doors of risks in the areas of corporate extortion.

As Internet of Thigs becomes more and more used, it will be more hacked. Thus security of Internet of Things will be more and more talked about. IoT os one field where cyber security flaws can kill. The European Police Office (Europol) said governments are ill-equipped to counter the menace of “injury and possible deaths” spurred by hacking attacks on critical safety equipment. There are many potential dangers are in transportation: many new cars are Internet connected and potentially vulnerable, SCADA Systems in Railways Vulnerable to Attack and Airline bosses ignore cyber security concerns at their peril. Whether it is an unintentional cyber incident or a deliberate attack, security continues to be a vital part of the automation industry and it will remain, with safety, a growing area of concern for manufacturers in the coming years. Security awareness is on the rise throughout the industry. Security is becoming a business enabler that can provide manufacturers more than just an insurance policy.

Soon, almost every network will soon have IoT-hacking in it. IDC predicts that in two years from 90 per cent of the global IT networks have met IoT data theft. In a report, cybersecurity firm Fortinet expects greater threats from “denial of service attacks on assembly line, factory, industrial control systems, and healthcare and building management…resulting in revenue losses and reputation damages for organizations globally.” This opens new doors of risks in the areas of corporate extortion, altering of corporate business operations, and the extension of cyberattacks to include physical threats of harm to civilians.

Why cyber warfare is becoming more and more attractive to small nations and terrorist groups. Enabled by Internet connectivity, cyber war provides more bang for the buck than investment in conventional weapons. It is cheaper for and far more accessible to these small nation-states than conventional weapons . It allows these countries to pull off attacks without as much risk of getting caught and without the repercussions when they are caught. There are many reasons why a nation-state or non-nation entity would pursue a cyber war program, and today many countries large and small invest in cyber warfare. Recent cyber attacks suggest that fewer resources are required to wage an attack than to defend against one. As the whole world gets connected, it just provides the details that make these attacks possible. In the not-too-distant future, warfare with traditional weaponry may take a backseat to potentially more destructive tactics: computer code attacking the companies and infrastructures, including electric grids and oil and gas pipelines, that society relies on.

It was estimated that first online murder would happen in 2014. It did not seem to happen in 2014 as far as I know. I think that is likely that online murder can happen in 2015. There are tools available for this to happen. Cyber-murder it can happen without us knowing about it.

Mobile devices will be one of the focal points for cyber-attackers in 2015, as they present relatively easy, low-risk points of entry that can be monitored remotely for passwords, account numbers, and personal identification data. Sure, there are still relatively easy to publish malicious application stores. Within next year advanced mobile exploit kits will become available.

Mobile devices will start to play part in denial of service attacks. Vietnam, India and Indonesia will be the distributed denial of service volcanoes of next year due to the profieration of pwned mobiles.

Year 2014 brought encryption to mainstream smart phones (new encryption features from Apple Inc. and Google Inc). In year 2015 government organizations try to tackle a very modern problem: password-protected encrypted cellphones. It will be a fight on surveillance as everyone starts to implement encryption.

Long predicted but always seeming to be “just around the corner,” mobile payments may finally have arrived. The coming mobile payment revolution, the underlying technologies – and alternative solutions – have been emerging for some time. Technologies playing a supporting role in this shift include encryption advances, digital currencies, biometrics, NFC, Bluetooth, QR codes, and even the use of sound wave data transfer. There will also bea products mrketed to prevent different kind of potential threats the new technologies can cause.

There is a never-ending battle between good and evil in the cyber world. Various types of attacks are successful because they are well-disguised, blend different techniques, and constantly evolve. You need Layered Security – It’s Not Just for Networks. Use a layered security architecture that supports a combination of defenses in ways attackers don’t expect and that continuously evolves protections to keep up with dynamic attacks. Traditionally these approaches have been focused on the network, but they can and should be applied to other parts of IT system as well (start from email gateways). Email is the preferred channel for business communications and thus continues to be a vector of choice for attackers.

Threat Information Sharing Will Become Necessary for Survival. Security controls (SANS critical controls, ISO/IEC 27002, NIST Cybersecurity Framework, and the Cloud Controls Matrix) are safeguards and counteract or minimize security risks relating to digital property. The more you can automate a control, the better off you will be. We are in the way of Moving towards an adaptive and automated way of applying intelligence based on behavior and heuristics is clearly moving in the right direction to enable a more actionable and relevant set of controls. Threat intelligence coming from a variety of sources (security companies, the government and the open source community) is needed. Key to the success is publishing intelligence in a variety of data structures (STIX, TAXI and other standard industry formats) to best describe threats in a way that can be aggregated and understood by others.

More and more organizations are moving applications and data to IaaS/PaaS environments. Many enterprise IT departments have reason for concern: industry experts agree that moving sensitive data into the hands of third-party cloud providers expands and complicates the risk landscape in which companies operate every day. You need to understand cloud database security basics and more.

Today major players are embracing end-to-end encryption, so that about 50% of web traffic is carried by HTTPS. HTTPS-everywhere will get boost in 2015 as a new certificate authority backed by big names on the internet including Mozilla, Cisco and Akamai – plans to offer SSL certs at no charge starting summer 2015. This move will make it even more easier for people to run encrypted, secure HTTPS websites.

Google is proposing to warn people their data is at risk every time they visit websites that do not use the “HTTPS” system. If implemented, the change would mean that a warning would pop-up when people visited a site that used only HTTP to notify them that such a connection “provides no data security”. In the short term, the biggest headache is likely to be faced by website operators who will feel forced to migrate unencrypted HTTP websites to encrypted HTTPS.

You can’t trust that normal web security technologies will guarantee safety. Your HTTPS security will be more manipulated than before.  End to end HTTPS is generally good security addition to end users, but it does not solve all the problems. The increased use of HTTPS has made the life of IT departments harder, because normal firewalls can’s look what is inside encypted HTTPS packets, so they can’t block potential security treads that are carried within HTTPS packets. There are some special corporate firewall arrangements that can intercept HTTPS traffic (they do kind of man-in-the middle attack that decrypts and encryps the packets on the way). So SSL communications can be intercepted and broken.

 

3,101 Comments

  1. Tomi Engdahl says:

    ProPublica:
    FAQs on encryption: how terrorists use messaging apps, what big tech is doing, and what the government is proposing

    Fact-Checking the Debate on Encryption
    The existence of coded communications is a reality and the U.S. may not be able to do much about it.
    http://www.propublica.org/article/fact-checking-the-debate-on-encryption

    As politicians and counter-terrorism officials search for lessons from the recent attacks in Paris and San Bernardino, California, senior officials have called for limits on technology that sends encrypted messages.

    It’s a debate that has repeatedly recurred for more than a decade.In the 1990s, the Clinton Administration directed technology companies to store copies of their encryption keys with the government. That would have given the government a “backdoor” to allow law enforcement and intelligence agencies easy access to encrypted communications. That idea was dropped after sharp criticism from technologists and civil liberties advocates.

    More recently, intelligence officials in Europe and the United States have asserted that encryption hampers their ability to detect plots and trace perpetrators. But many have questioned whether it would be practical or wise to allow governments widespread power to read encrypted messages.

    Q: Are terrorists really using encrypted messages to plot attacks?

    A: There’s mounting evidence that terrorist groups are using encryption, but so does nearly everyone living in modern society. Encryption protects your bank information, prevents your password from being stolen when you log into a website, and allows all e-commerce transactions to take place securely.

    Intelligence officials have said that the planner of the Paris terrorist attacks used encryption technology, but police also found that one of the Paris terrorists was using an unencrypted cellphone.

    Q: Are Google, Apple, Facebook and Twitter thwarting law enforcement through their use of encryption?

    A: In the past few years, Silicon Valley tech companies have added layers of encryption to their cellphones and websites in an effort to assure users that their data is safe from both hackers and spies. That encryption has also made it harder for law enforcement officials to read what is transmitted by those devices.

    In congressional testimony this month, FBI Director James Comey said that encryption is now part of “terrorist tradecraft.”

    Q: But can’t the National Security Agency just crack any code it wants?

    A: It’s not clear how much encryption the NSA can break.

    Q: I heard that there is a “golden key” that unlocks all encryption. Is there such a thing?

    A: Not yet and it’s not clear it will ever exist. The U.S. government has been trying to figure out how to access encrypted data for decades. However, wiretapping a phone call is far easier than creating a backdoor into encryption technology.

    Q: Are there less complicated ways to give law enforcement and intelligence officials the access they say they need?

    A: The White House working group offered three additional ideas for “backdoors” into encryption. All required manufacturing or software changes by U.S. providers and all involved significant political or technical problems.

    Q: Will any of these backdoor schemes work?

    A: They all have flaws. A big one: Users could easily bypass all of the backdoor options by creating their own layers of encryption.

    Q: So what is the government proposing?

    A: The short answer is that the government has quietly dropped its requests for a backdoor.

    Reply
  2. Tomi Engdahl says:

    Kim Zetter / Wired:
    Secret Code Found in Juniper’s Firewalls Shows Risk of Government Backdoors — Encryption backdoors have been a hot topic in the last few years—and the controversial issue got even hotter after the terrorist attacks in Paris and San Bernardino, when it dominated media headlines.

    Secret Code Found in Juniper’s Firewalls Shows Risk of Government Backdoors
    http://www.wired.com/2015/12/juniper-networks-hidden-backdoors-show-the-risk-of-government-backdoors/

    CNN:
    FBI investigating breach at Juniper; US officials say attack likely to be state-sponsored; DHS assessing scope of compromised communications

    First on CNN: Newly discovered hack has U.S. fearing foreign infiltration
    http://edition.cnn.com/2015/12/18/politics/juniper-networks-us-government-security-hack/

    Washington (CNN)A major breach at computer network company Juniper Networks has U.S. officials worried that hackers working for a foreign government were able to spy on the encrypted communications of the U.S. government and private companies for the past three years.

    The FBI is investigating the breach, which involved hackers installing a back door on computer equipment, U.S. officials told CNN. Juniper disclosed the issue Thursday along with an emergency security patch that it urged customers to use to update their systems “with the highest priority.”

    Reply
  3. Tomi Engdahl says:

    mnot’s blog:
    IESG advances addition of HTTP status code 451 to allow sites to convey they can’t show content due to legal restrictions, in stance against online censorship — Why 451? — Today, the IESG approved publication of “An HTTP Status Code to Report Legal Obstacles”.

    Why 451?
    https://www.mnot.net/blog/2015/12/18/451

    Today, the IESG approved publication of “An HTTP Status Code to Report Legal Obstacles”. It’ll be an RFC after some work by the RFC Editor and a few more process bits, but effectively you can start using it now.

    Tim Bray brought this draft to the HTTP Working Group some time ago, because he (and many others) thought it was important to highlight online censorship; the 403 status code says “Forbidden”, but it doesn’t say “I can’t show you that for legal reasons.” Hence, 451 (which is also a great tip of the hat to Ray Bradbury).

    What 451 Can and Can’t Do

    By its nature, you can’t guarantee that all attempts to censor content will be conveniently labeled by the censor. Although 451 can be used both by network-based intermediaries (e.g., in a firewall) as well as on the origin Web server, I suspect it’s going to be used far more in the latter case, as Web sites like Github, Twitter, Facebook and Google are forced to censor content against their will in certain jurisdictions.

    Reply
  4. Tomi Engdahl says:

    Database Leak Exposes 3.3 Million Hello Kitty Fans
    http://it.slashdot.org/story/15/12/20/2226248/database-leak-exposes-33-million-hello-kitty-fans

    “A database for sanriotown.com, the official online community for Hello Kitty and other Sanrio characters, has been discovered online by researcher Chris Vickery,”

    The database houses 3.3 million accounts containing records including first and last names, email addresses, unsalted SHA-1 password hashes, password hint questions and their corresponding answers, along with other information.

    Database leak exposes 3.3 million Hello Kitty fans
    http://www.csoonline.com/article/3017171/security/database-leak-exposes-3-3-million-hello-kitty-fans.html

    A database for sanriotown.com, the official online community for Hello Kitty and other Sanrio characters, has been discovered online by researcher Chris Vickery. The database houses 3.3 million accounts and has ties to a number of other Hello Kitty portals.
    space rocket launch
    CSO salaries expected to sky rocket

    Recent report says CSO salaries could reach a quarter of a million dollars.
    Read Now

    Vickery contacted Salted Hash and Databreaches.net about the leaked data Saturday evening.

    Vickery also noted that accounts registered through the fan portals of the following websites were also impacted by this leak: hellokitty.com; hellokitty.com.sg; hellokitty.com.my; hellokitty.in.th; and mymelody.com.

    In addition to the primary sanriotown database, two additional backup servers containing mirrored data were also discovered. The earliest logged exposure of this data is November 22, 2015.

    While having sensitive details exposed is bad enough for adults, when the information relates to a child – it’s worse. If someone managed to compromise a child’s identity, the fraud might not be detected for years, because most parents don’t monitor their child’s credit record.

    Given the way things have been, considering all the data breaches in the last year or two, It might be a good idea to start doing so. Yearly credit reports are free, and victims of identity theft can obtain access to all necessary reports at not cost.

    Recovering from Identity Theft
    https://www.consumer.gov/articles/1016-recovering-identity-theft

    Reply
  5. Tomi Engdahl says:

    The CIA Secret to Cybersecurity That No One Seems to Get
    http://www.wired.com/2015/12/the-cia-secret-to-cybersecurity-that-no-one-seems-to-get/

    If you want to keep yourself up at night, spend some time reading about the latest developments in cybersecurity. Airplanes hacked, cars hacked, vulnerabilities in a breathtaking range of sensitive equipment from TSA locks to voting booths to medical devices.

    The big picture is even scarier. Former NSA Director Mike McConnell suspects China has hacked “every major corporation” in the US. Edward Snowden’s NSA leaks revealed the US government has its own national and international hacking to account for. And the Ponemon Institute says 110 million Americans saw their identities compromised in 2014. That’s one in two American adults.

    The system is broken. It isn’t keeping us, our companies, or our government safe. Worse yet, no one seems to know how to fix it.

    How Did We Get Here?

    One deceptive truth seems to drive much of the cybersecurity industry down a rabbit hole: If you keep bad actors and bad software out of your system, you have nothing to worry about.

    Malicious actors target “endpoints”—any device or sensor connected to a network—to break into that network. Network security seeks to protect those endpoints with firewalls, certificates, passwords, and the like, creating a secure perimeter to keep the whole system safe.

    This wasn’t difficult in the early days of the Internet and online threats. But today, most private networks have far too many endpoints to properly secure. In an age of “Bring Your Own Device,” the cloud, remote access, and the Internet of Things, there are too many vulnerabilities hackers can exploit. As Ajay Arora, CEO of file security company Vera, notes, there is no perimeter anymore. It’s a dream of the past.

    But the security paradigm remains focused on perimeter defense because, frankly, no one knows what else to do. To address threats, security experts should assume compromise – that hackers and malware already have breached their defenses, or soon will – and instead classify and mitigate threats.

    Reply
  6. Tomi Engdahl says:

    Hillary Clinton says for crypto ‘maybe the back door is the wrong door’
    Calls for ‘Manhattan Project’ to blow up animosity between tech industry and spookhauses
    http://www.theregister.co.uk/2015/12/20/hillary_clinton_says_for_crypto_maybe_the_back_door_is_the_wrong_door/

    Democratic presidential front-runner Hillary Clinton has waded deeper in to the debate on encryption with the observation that “maybe the back door is the wrong door”.

    Speaking at a debate for Democratic candidates, Clinton was asked if she would legislate “to give law enforcement a key to encrypted technology”.

    Clinton’s response was to say “I would hope that, given the extraordinary capacities that the tech community has and the legitimate needs and questions from law enforcement, that there could be a Manhattan-like project, something that would bring the government and the tech communities together to see they’re not adversaries, they’ve got to be partners.”

    She went on to say “maybe the back door is the wrong door, and I understand what Apple and others are saying about that.”

    That position weakens Clinton’s previous calls for weaker encryption, but just what other “doors” she referred to was not explained.

    Reply
  7. Tomi Engdahl says:

    VMware, Xen, issue urgent patches
    It’s going to be a virtual Christmas for virtualisation admins
    http://www.theregister.co.uk/2015/12/21/vmware_xen_issue_urgent_patches/

    Reply
  8. Tomi Engdahl says:

    Currency Exchange Website Accused of Cyber Terrorism By Venezuelan Government
    http://yro.slashdot.org/story/15/12/21/0440237/currency-exchange-website-accused-of-cyber-terrorism-by-venezuelan-government

    A U.S.-based website that covers the unofficial exchange rate between the U.S. dollar and the Bolivar, the Venezuelan currency, has been accused of cyber terrorism in a civil complaint. Venezuela, suffering from ever increasing inflation, maintains very tight controls on currency exchange, and accuses the website operators of racketeering and conspiracy.

    As Venezuelan economy collapses further, gov’t targets US-based currency news site
    Pres. Nicolas Maduro said he’d ask US to extradite “bandits” behind DolarToday.com.
    http://arstechnica.com/tech-policy/2015/12/to-halt-venezuelan-currency-news-site-central-bank-sues-in-us-court/

    The US-based website that publishes a daily unofficial exchange rate between American dollars and Venezuelan bolivares has recently filed a vigorous defense in a strange international lawsuit. The site, DolarToday, was sued in October 2015 by the Central Bank of Venezuela (CBV) in federal court in Delaware, where the site is based.

    In its bizarre and bombastic civil complaint, the US-based lawyer for the CBV argued that the three Venezuelan-American men who run the site are engaged in “cyber-terrorism” designed to create “the false impression that the Central Bank and the Republic are incapable of managing Venezuela’s economy.”

    The CBV formally accuses DolarToday of violating a major anti-racketeering and criminal conspiracy statute (RICO Act), false advertising, unjust enrichment, and strangely, breaching a Venezuelan civil statute that refers to “causing harm.” (Obviously, an American federal court is unlikely to adjudicate claims made under Venezuelan law.)

    Reply
  9. Tomi Engdahl says:

    Iranian hackers ‘targeted’ New York dam
    http://www.bbc.com/news/technology-35151492

    Iranian hackers penetrated the computers controlling a dam near New York, reveals the Wall Street Journal.

    The 2013 attack did no damage but revealed information about how computers running the flood control system worked, said the paper.

    Hackers working for nation states regularly hit national infrastructure targets, said a separate AP report.

    About 12 times in the last decade hackers have won high-level access to power networks, it said.

    Detailed plans

    Extensive information about the Bowman Avenue dam in Rye, New York state was taken by the hackers, experts familiar with the incident told the newspaper.

    An investigation pointed to Iran as the likely source of the attack and alerted US authorities to the significant cyber warfare capabilities of that nation, said the report The same group of hackers that attacked Bowman Avenue was also implicated in separate attacks on three US financial firms, it added.

    The US power network has also come under regular attack by “sophisticated foreign hackers” said AP in an extensive investigation.

    Many times security researchers had found evidence that hackers had won access to these sensitive systems. So far, all the attacks seemed intent on gathering detailed information, including engineering drawings, about networks and facilities.

    One extensive campaign gave hackers access to 82 separate plants spread across the US and Canada.

    The knowledge accumulated by the attackers has not been used to shut down the power plants or change the way they work

    Hackers could get at the power plants and other parts of national infrastructure because many of the systems were set up long before the need to protect them against remote attacks became apparent.

    Reply
  10. Tomi Engdahl says:

    New bill would require public companies to disclose cybersecurity credentials
    Congress to consider SEC filing add-on
    http://www.theregister.co.uk/2015/12/18/bill_for_public_cos_to_disclose_cybersecurity/

    A new bill introduced to Congress on Thursday would require US publicly listed companies to disclose who on their Board has cybersecurity expertise.

    If it passes, the Cybersecurity Disclosure Act of 2015 would oblige companies to add details of which, if any, of their directors know about online security in filing to the Securities and Exchange Commission (SEC).

    The idea is to prompt public companies to recognize their own failings in terms of protecting their data in the wake of a number of high-profile hacking cases and increasingly aggressive state-sponsored efforts to get at valuable commercial information.

    Reply
  11. Tomi Engdahl says:

    Donald Trump wants to shut off the Internet
    The Republican presidential candidate suggests that the US cut off Iraq and Syria from the Web.
    http://www.cnet.com/news/donald-trump-wants-to-shut-down-the-internet/

    If terrorists are using the Internet, then take the Internet away.

    That’s what Donald Trump, the front-runner to be the Republican nominee for president of the United States, suggested last night at the final debate of the year.

    Trump tempered the remark by saying the US should shut down the Web in ISIS-controlled Syria and Iraq, but his idea could still be a logistical nightmare.

    Regardless of the technical hurdles, experts say it’s also just a terrible idea.

    “Preventing entire populations from getting access to basic information would be a human-rights catastrophe, particularly for areas of the world that are already war-torn,” said Thomas Ristenpart, a computer science professor at Cornell Tech. The ability to find information with Internet connected smartphones is vital to refugees fleeing ISIS in Syria, for example.

    Reply
  12. Tomi Engdahl says:

    iOS banking apps security still not good enough, says researcher
    Repeat test throws up improved results from 2013 but problems remain
    http://www.theregister.co.uk/2015/12/18/ios_banking_app_audit/

    The security of mobile banking apps has improved over the last two years but there’s still scope for improvement.

    Ariel Sanchez, security consultant for IOActive, has revisited research into the topic first conducted two years ago to see if there’s been any improvement.

    Although security has increased over the two years, many apps still remain vulnerable.

    As before, the research covered 40 mobile banking apps for iOS in use around the world. Sanchez confined himself to looking for client side security weaknesses or vulnerabilities and didn’t include any server-side testing.

    His testing methodology is explained in much more detail in a blog post here. iOS does not name the apps or the banks who released the apps it tested.

    Five of the 40 audited apps failed to validate the authenticity of the SSL certificates presented, which makes them susceptible to Man-in-The-Middle (MiTM) attacks. And more than a third (35 per cent) of the apps contained non-SSL links throughout the application. This shortcoming would allow an attacker to intercept traffic and inject arbitrary JavaScript/HTML code in an attempt to create a fake login prompt or attempt similar scams.

    In addition 30 per cent of them failed to validate incoming data. leaving them potentially vulnerable to JavaScript injections.

    (In)secure iOS Mobile Banking Apps – 2015 Edition
    http://blog.ioactive.com/2015/12/by-ariel-sanchez-two-years-ago-idecided.html

    Reply
  13. Tomi Engdahl says:

    Microsoft updates Trusted Root Certificate Program to reinforce trust in the Internet
    https://blogs.technet.microsoft.com/mmpc/2015/12/17/microsoft-updates-trusted-root-certificate-program-to-reinforce-trust-in-the-internet/

    Certificate Authorities to be removed in January 2016

    Reply
  14. Tomi Engdahl says:

    Windows 10 now opens with iris

    Microsoft’s Windows 10 operating system is a new Windows Hello technology that allows devices that open without a password by fingerprint, face or iris form. Now the Swedish Tobiista has become the first iris recognition act in the company, which is the first movement of the eye next Windows 10 with a validated detection technology.

    Source: http://etn.fi/index.php?option=com_content&view=article&id=3779:windows-10-avautuu-nyt-iiriksella&catid=13&Itemid=101

    Reply
  15. Tomi Engdahl says:

    Quantum cryptography was long considered as unbreakable, but a few years ago Canadian researchers managed to crack the encryption.

    Now researchers at Linköping universities have also shown that hole can be found in quantum cryptography.

    The Swedish researchers say the energy-time encoding, which forms the basis of many quantum encryption technology, is vulnerable to attacks. The research has been published in the journal Science Advances.

    The energy-time encoding, based on the fact that the connection between the sender and the recipient are tested at the same time when the encryption key is created. Two photons sent to the link in opposite directions at the same time. At both ends of the interferometer is combined with a small phase change. This “disorder” allows data connection to both the pasta compared with each other.

    If photon burst is listened to, data composed of noise and this can reveal one quantum theorem – If the connection is secure, and the noise detected, the rest of the data can be used as an encryption key to protect the message.

    Larsson says that photon source can be replaced by a conventional light source, so that the listener can identify the key code sequence. Larsson article presents a number of methods by which this deficiency can be corrected through quantum cryptography.

    Quantum cryptography there are already commercial solutions, but apparently they are not already in commercial use.

    Source: http://etn.fi/index.php?option=com_content&view=article&id=3780:ruotsalaistutkijat-loysivat-aukon-kvanttisalauksesta&catid=13&Itemid=101

    Reply
  16. Tomi Engdahl says:

    Instagram Hack Reveals The Risks Of Bug Bounty Programs
    http://www.fastcompany.com/3054875/elasticity/instagram-hack-reveals-the-risks-of-bug-bounty-programs?partner=rss

    After a security researcher dove deep into its systems, Facebook says it plans to review its bug bounty guidelines.

    A security researcher who discovered vulnerabilities in an Instagram server apparently traded barbs this week with Instagram parent Facebook’s chief security officer over whether his explorations of the system’s weaknesses went beyond ethical limits.

    Researcher Wesley Wineberg said in a blog post that, despite efforts to work within a Facebook bug bounty program that allows outside security researchers to investigate holes in Facebook systems, the company threatened him with legal action and even contacted the CEO of a company where he does contract work.

    “If the company I worked for was not as understanding of security research I could have easily lost my job over this,” Wineberg wrote.

    In a Thursday post of his own, Facebook chief security officer Alex Stamos wrote that some action Wineberg took in downloading data accessible through the vulnerabilities “was not ethical behavior” and that contacting the company was essentially a last resort effort to make sure Wineberg didn’t release potentially sensitive data.

    “There was direct communication with Wes where we specifically asked him not to do this,” Stamos wrote in a follow-up comment. “Finding somebody responsible who could mediate was the least aggressive of several possible next steps.”

    Wineberg—who has apparently successfully participated in other companies’ bug bounty programs—wrote that he sought to comply with Facebook’s bug bounty policies, which require participants to “make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.”

    But Facebook says that his explorations into company systems and downloads of proprietary data went beyond the program’s rules.

    According to accounts by both Wineberg and Stamos, Wineberg initially discovered an Instagram server was running a Web-accessible administrative console with vulnerabilities that could let hackers run arbitrary commands on the machine. He reported the danger to Facebook, which ultimately offered him a $2,500 reward through the bounty program.

    “Up to this point, everything Wes had done was appropriate, ethical, and in the scope of our program,” wrote Stamos.

    After reporting the security hole, Wineberg, who wasn’t immediately available for comment, wrote that he used the access it provided to search for additional weaknesses in the system. He found credentials for a database on the server and used those credentials to download usernames and encrypted passwords for a Web-accessible administrative tool running on the machine.

    Reply
  17. Tomi Engdahl says:

    Private messaging
    For iPhone and Android
    https://whispersystems.org/

    Open Whisper Systems is both a large community of volunteer Open Source contributors, as well as a small team of dedicated grant-funded developers. Together, we’re working to advance the state of the art for secure communication, while simultaneously making it easy for everyone to use.

    Reply
  18. Tomi Engdahl says:

    Juniper’s Backdoor Password Disclosed, Likely Added In Late 2013
    http://it.slashdot.org/story/15/12/21/1257200/junipers-backdoor-password-disclosed-likely-added-in-late-2013

    In a blog post on Rapid7′s community portal Sunday, HD Moore posted some notes on the Juniper ScreenOS incident, notably that his team discovered the backdoor password that enables the Telnet and SSH bypass. Quoting: “Although most folks are more familiar with x86 than ARM, the ARM binaries are significantly easier to compare due to minimal changes in the compiler output. … Once the binary is loaded, it helps to identify and tag common functions. Searching for the text “strcmp” finds a static string that is referenced in the sub_ED7D94 function.”

    CVE-2015-7755: Juniper ScreenOS Authentication Backdoor
    Posted by hdmoore Employee in Information Security on Dec 20, 2015 6:00:44 PM
    https://community.rapid7.com/community/infosec/blog/2015/12/20/cve-2015-7755-juniper-screenos-authentication-backdoor

    On December 18th, 2015 Juniper issued an advisory indicating that they had discovered unauthorized code in the ScreenOS software that powers their Netscreen firewalls. This advisory covered two distinct issues; a backdoor in the VPN implementation that allows a passive eavesdropper to decrypt traffic and a second backdoor that allows an attacker to bypass authentication in the SSH and Telnet daemons. Shortly after Juniper posted the advisory, an employee of FoxIT stated that they were able to identify the backdoor password in six hours. A quick Shodan search identified approximately 26,000 internet-facing Netscreen devices with SSH open. Given the severity of this issue, we decided to investigate.

    Juniper’s advisory mentioned that versions 6.2.0r15 to 6.2.0r18 and 6.3.0r12 to 6.3.0r20 were affected.

    ScreenOS is not based on Linux or BSD, but runs as a single monolithic kernel. The SSG500 firmware uses the x86 architecture, while the SSG5 and SSG20 firmware uses the XScale (ARMB) architecture. The decompressed kernel can be loaded into IDA Pro for analysis. As part of the analysis effort, we have made decompressed binaries available in a GitHub repository

    Although most folks are more familiar with x86 than ARM, the ARM binaries are significantly easier to compare due to minimal changes in the compiler output.

    The argument to the strcmp call is <<< %s(un='%s') = %u, which is the backdoor password, and was presumably chosen so that it would be mistaken for one of the many other debug format strings in the code.

    The interesting thing about this backdoor is not the simplicity, but the timing. Juniper's advisory claimed that versions 6.2.0r15 to 6.2.0r18 and 6.3.0r12 to 6.3.0r20 were affected, but the authentication backdoor is not actually present in older versions of ScreenOS.

    Detecting the exploitation of this issue is non-trivial, but there are a couple things you can do. Juniper provided guidance on what the logs from a successful intrusion would look like

    Although an attacker could delete the logs once they gain access, any logs sent to a centralized logging server (or SIEM) would be captured, and could be used to trigger an alert.

    FoxIT has a created a set of Snort rules that can detect access with the backdoor password over Telnet and fire on any connection to a ScreenOS Telnet or SSH service

    Reply
  19. Tomi Engdahl says:

    Hello Kitty hack exposes 3.3 million users’ details, says infosec bod
    Users left exposed on community site
    http://www.theregister.co.uk/2015/12/21/hello_kitty_hack_exposes_33_million_users_details/

    Up to 3.3 million Hello Kitty users have had their personal data exposed due to a database breach at the brand’s online community SanrioTown.com, a security researcher has discovered.

    The sanriotown.com breach had been discovered online by researcher Chris Vickery who informed security blog Salted Hash.

    The exposed records include users’ names, birthdates, gender, nationality, email addresses, unsalted SHA-1 password hashes, and password hint questions.

    “While having sensitive details exposed is bad enough for adults, when the information relates to a child it’s far worse.

    “If someone managed to compromise a child’s identity, the fraud might not be detected for years because most parents don’t monitor their child’s credit record,” noted Salted Hash writer Steve Ragan

    Parents warned as Hello Kitty data breach leaks details of 3.3m user accounts
    http://www.theguardian.com/technology/2015/dec/21/hello-kitty-data-breach-leaks-details-3-3million-user-accounts
    SanrioTown, the online community for Hello Kitty fans, suffers leak of information including names, birth dates and email addresses

    The database was available online, where it was found by researcher Chris Vickery, who contacted security blog Salted Hash with the information over the weekend.

    It’s the second major leak of information from a child-focused product in a month. In late November, electronic toymaker VTech was hacked, with customer data for millions of children stolen. The VTech hack even saw the theft of photos taken by the company’s toys, as well as download histories, encrypted passwords and password retrieval questions.

    Reply
  20. Tomi Engdahl says:

    Hackers ‘stole a master key’ to U.S. government
    http://edition.cnn.com/videos/tv/2015/12/18/hackers-spied-on-us-government-message-lead-perez-live.cnn

    U.S. officials warn hackers may have accessed U.S. government communications. CNN’s Evan Perez explains the security breach is akin to “stealing a master key into government buildings.”

    Reply
  21. Tomi Engdahl says:

    Iranian hackers targeted New York dam, had a quick nosy around
    US has highest number of industrial-control systems online, says security bods
    http://www.theregister.co.uk/2015/12/21/iranian_hackers_target_new_york_dam/

    Iranian hackers penetrated the online control system of a New York dame in 2013, according to reports, and poked around inside the system.

    The Wall Street Journal reported that hackers gained access to the dam through a cellular modem, according to an unclassified Homeland Security summary of the case.

    Two sources said the summary refers to the Bowman Avenue Dam, a small facility 20 miles outside of New York. They said the hackers didn’t take control of the dam but probed the system, citing people familiar with the matter.

    The Department of Homeland Security has declined to comment on the incident.

    The analysts detected a machine that was crawling the internet for vulnerable US industrial-control systems. The hackers appeared to be focusing on certain internet addresses, according to the people.

    The US has the highest number of industrial-control systems connected to the internet in the world, with 57,000 systems, according to researchers at Shodan.

    Iranian Hackers Infiltrated New York Dam in 2013
    Cyberspies had access to control system of small structure near Rye in 2013, sparking concerns that reached to the White House
    http://www.wsj.com/articles/iranian-hackers-infiltrated-new-york-dam-in-2013-1450662559?mod=WSJ_TechWSJD_NeedToKnow

    Reply
  22. Tomi Engdahl says:

    Predictable: How AV flaw hit Microsoft’s Windows defences
    An ecosystem issue explained
    http://www.theregister.co.uk/2015/12/11/anti_virus_trips_up_windows_defences/

    Could it be that time spent by Microsoft on software security counts for naught?

    Possibly – based on the findings of an investigation by enSilo that found some of the best-known AV names are susceptible to new vulnerabilities.

    The results are alarming, suggesting an entire of ecosystem unwittingly opening a back door into systems for hackers and malware writers.

    But what exactly is the problem and what’s the cause? We reported the breaking story here, but what are the details?

    Well, the core problem stems from anti-virus products allocating a memory page write permissions at a fixed, predictable address.

    enSilo cottoned on to the problem at a customer site in March 2015, after it investigated a snag involving its data exfiltration prevention platform and security technology from AVG, also installed in the customer’s environment.

    An investigation by enSilo revealed a flaw in AVG Internet Security which effectively enabled a threat actor to exploit old vulnerabilities in a third party application (such as Acrobat Reader) in order to compromise the underlying Windows system. enSilo disclosed this issue to AVG, which promptly patched the vulnerability.

    According to enSilo the issue arise with various versions of particular anti-virus packages, as listed below:

    McAfee Virus scan Enterprise version 8.8. The security snag crops up in the Anti Malware + Add-on Modules, scan engine version (32 bit) 5700.7163, DAT version 7827.0000, Buffer Overflow and Access Protection DAT version 659. enSilo states this issue is yet to be resolved – a claim firmly denied by Intel Security, which said it patched the bug in late August.
    Kaspersky Total Security 2015 – 15.0.2.361 – kts15.0.2.361en_7342. Kaspersky silently fixed the issue with a patch dated 24 September, according to enSilo.
    AVG Internet Security 2015 build 5736 + Virus database 8919. AVG patched the bug on 12 March

    Reply
  23. Tomi Engdahl says:

    Are you the keymaster? Alternatives in a LogMeIn/LastPass universe
    Grumble release valve
    http://www.theregister.co.uk/2015/12/02/password_manager_get_out_options/

    LogMeIn’s purchase of LastPass password manager service was not well received by LastPass users. In fact that outrage was sufficient that LastPass quickly shut down comments on its blog. Why the outrage and who is LogMeIn?

    LogMeIn may be best known as the company that shut down its free remote desktop sharing service with a mere week’s warning in early 2014.

    For its part, LastPass says its business model is not changing and that the service will remain essentially as-is under its new owners.

    Unfortunately for LastPass fans, if you dig around the Internet Archive you can find similar statements from Delicious, Pownce, Bump and countless other small services that were purchased and later abandoned. LastPass may well be different, but since there’s a chance you might only have a week to find something new, now is a good time to start looking for alternatives.

    There are two broad categories of password managers. The cloud-based solutions like LastPass offer automatic syncing between devices, while others like KeePass reside on your local machine and you’re on your own for syncing (which can be done via Dropbox, OwnCloud, SpiderOak, Syncthing or any other you already use). The primary difference between the two approaches comes down to control of your data.

    Cloud-based sync services store your data on their servers. The best of these offer zero-knowledge storage, which is to say that your data is encrypted and decrypted only on your devices.

    If you’re looking for a drop-in cloud based replacement for LastPass, there are dozens available, but the big standout is Dashlane. It has everything you’re used to with LastPass – browser plugins, autofill, password strength indicator, secure notes.

    Dashlane offers a free tier if you just want to try it out, but the free version doesn’t sync between devices

    Another noteworthy possibility in the cloud-based category is Encryptr. Encryptr is free, open source (based on the Crypton project, itself an outgrowth of SpiderOak), and reasonably cross platform. It’s currently available for Android, Windows, Linux, and Mac OS X. An iOS version is in the works, but not yet available.

    The problem with Encryptr is that it currently lacks browser integration, which makes it a considerably less capable LastPass replacement.

    Other services worth investigating include the more enterprise-oriented Secret Server and AuthAnvil, as well as ZohoVault (which is offering a year of its business version for free to LastPass users). There’s also the biometric-based Sticky Password.

    The problem with replacing LastPass with another, similar cloud-based service is two-fold. First you may well find yourself back here again in a few years when the new service is sold and, second, the only real advantage is the built-in syncing. But chances are you’re already using some kind of sync service – be it SpiderOak, Dropbox, Owncloud, SyncThing, and so on – why not sync your passwords yourself?

    If you handle the syncing yourself, all you need to worry about is finding an application that can encrypt and decrypt your data on all your devices. Fortunately there are quite a few apps that can do that, most notably KeePass.

    Depending on your platform, KeePass may not be quite a simple as LastPass, but it does place everything directly under your control, which means you won’t have to worry about any web services shutting down or company being sold.

    Reply
  24. Tomi Engdahl says:

    Alex Hern / Guardian:
    Apple calls on UK government to scale back investigatory powers bill, says it would “weaken security for hundreds of millions of law-abiding customers” — Apple calls on UK government to scale back snooper’s charter — Tech company makes rare foray into British politics …

    Apple calls on UK government to scale back snooper’s charter
    http://www.theguardian.com/technology/2015/dec/21/apple-uk-government-snoopers-charter-investigatory-powers-bill

    Tech company makes rare foray into British politics in a submission to the committee on the investigatory powers bill

    Apple has called for changes to the UK government’s investigatory powers bill, over fears it would weaken the security of “personal data of millions of law-abiding citizens”.

    In a submission to the bill committee, released on Monday, the Californian technology firm expressed major concerns and called for wholesale changes before the bill is passed.

    “We believe it would be wrong to weaken security for hundreds of millions of law-abiding customers so that it will also be weaker for the very few who pose a threat,” Apple said. “In this rapidly evolving cyber-threat environment, companies should remain free to implement strong encryption to protect customers”

    The investigatory powers bill was presented to the House of Commons by the home secretary, Theresa May, in November and is currently at the committee stage.

    Apple highlighted the main areas of the bill that it wants to see changed. It told the committee that passages in the bill could give the government the power to demand Apple alters the way its messaging service, iMessage, works. The company said this would weaken encryption and enable the security services to eavesdrop on iMessage for the first time.

    In its submission, Apple said: “The creation of backdoors and intercept capabilities would weaken the protections built into Apple products and endanger all our customers. A key left under the doormat would not just be there for the good guys. The bad guys would find it too.”

    “It would place businesses like Apple – whose relationship with customers is in part built on a sense of trust about how data will be handled – in a very difficult position,” Apple says.

    It isn’t the first time Apple has spoken out against the IP bill. The week after it was released, the company’s chief executive, Tim Cook, told the Daily Telegraph that the law could have “very dire consequences”.

    He said: “We believe very strongly in end-to-end encryption and no back doors. We don’t think people want us to read their messages. We don’t feel we have the right to read their emails.

    “Any back door is a back door for everyone,” he added. “Everybody wants to crack down on terrorists. Everybody wants to be secure. The question is how. Opening a back door can have very dire consequences.”

    “The indiscriminate collection of mass data is going to have a massive cost.”

    Reply
  25. Tomi Engdahl says:

    Five new threat every second!

    Intel currently owned security company McAfee has introduced a recent report from the dangers of the network. The report is furious to read. The only way to remain out of reach of the attacks seem to stay out of the net. McAfee laboratory in the network for 327 new threat every minute. That is more than five in every second!

    Source: http://etn.fi/index.php?option=com_content&view=article&id=3784:viisi-uutta-uhkaa-joka-sekunti&catid=13&Itemid=101

    McAfee Labs
    Threats Report
    November 2015
    http://www.mcafee.com/hk/resources/reports/rp-quarterly-threats-nov-2015.pdf

    Reply
  26. Tomi Engdahl says:

    Javascript User Prohibitions Are Like Content DRM, But Even Less Effective
    http://it.slashdot.org/story/15/12/21/2249217/javascript-user-prohibitions-are-like-content-drm-but-even-less-effective

    It always puzzles me whenever I run across a post somewhere that uses Javascript to try to prevent me from copying and pasting text, or even viewing the source. These measures are simple enough to bypass just by disabling Javascript in my browser. It seems like these measures are very similar to the DRM publishers insist on slapping onto e-books and movie discs—easy to defeat, but they just keep throwing them on anyway because they might inconvenience a few people.

    Javascript user prohibitions are content DRM in microcosm—and even less effective
    http://www.teleread.com/chris-meadows/javascript-user-prohibitions-are-content-drm-in-microcosmand-even-less-effective/

    What’s more, when I hit Ctrl+U to try to view the source (as you can often get around copy-paste blocks by doing that), another little Javascript window popped up to tell me that was forbidden, too.

    That made me a little angry

    So I took about thirty seconds to look up how to do it, then I went into my Chrome settings and turned off Javascript. I still couldn’t copy and paste directly from the page, but viewing source worked just fine. A quick copy-and-paste of the relevant portion of the page source into Notepad, a little bit of clicking around and backspacing to get rid of the HTML formatting, and I could copy and paste it into the Hangouts window with no problem.

    What on earth moves someone to try to lock their words down to the point where you can’t copy and paste them out of an ordinary web page? It’s counterproductive.

    Furthermore, it’s ineffective. This isn’t a form of DRM where you need to crack encryption. All you need to do is tell your web browser, “Okay, stop doing what that web site tells you and do what I tell you instead.” Is trying to lock down content like that really doing to do anything more than annoy someone who knows their way around web browsers?

    And what kind of contempt does that show for your readers? Copying and pasting a relevant paragraph here and there is one of the primary ways people relate to content now.

    If you don’t want your words copied and shared, don’t post them in public on the Internet. If someone is going to copy your entire post and try to pass it off as their own, most of them will be savvy enough to do that whether you use Javascript or not.

    And when you get right down to it, this is effectively a parable for digital rights management in general. Yes, stripping the DRM from e-books is a little more complicated and involved, and it relies on someone out there being willing to do the grunt work for you of coding up a way to crack the digital lock. But once that code is out there, anyone willing to Google it and download it can do it, so any e-book you buy from Amazon or Barnes & Noble or even check out of your local library can be freed of its fetters just by dragging and dropping it into Calibre.

    The same holds true for movies. The DRM on DVDs was defeated long ago by DVDJon. Even the DRM on Blu-rays, which changes every so often, is re-cracked just as soon as it changes

    That doesn’t make it legal, and it certainly doesn’t make it morally right to redistribute those cracked copies via peer-to-peer. But illegal isn’t the same as infeasible—and prohibiting a user operation such as copying and pasting or viewing source doesn’t make it infeasible either.

    Incidentally, it’s against the law in the US and a number of other places to tell people how to bypass DRM. In theory, it could be illegal to tell people how to turn Javascript off, too—except that the US law only applies to effective protection measures. And while I’m not a lawyer myself, and there’s some debate over how effective DRM is in general, it seems unlikely that anyone could see a “protection measure” you bypass by simply turning Javascript off as being “effective” enough to come in for that kind of legal protection. Some people keep Javascript turned off in their browsers as a matter of course, and they wouldn’t even encounter the pop-ups or the lock out of viewing the source.

    Reply
  27. Tomi Engdahl says:

    A Proposal For Dealing With Terrorist Videos On the Internet
    http://tech.slashdot.org/story/15/12/22/0446218/a-proposal-for-dealing-with-terrorist-videos-on-the-internet

    Recent claims by some (mostly nontechnical) observers that it would be “simple” for services like YouTube to automatically block “terrorist” videos, in the manner that various major services currently detect child porn images are nonsensical. One major difference is that those still images are detected via data “fingerprinting” techniques that are relatively effective on known still images compared against a known database, but are relatively useless outside the realm of still images

    December 21, 2015
    A Proposal for Dealing with Terrorist Videos on the Internet
    http://lauren.vortex.com/archive/001139.html

    As part of the ongoing attempts by politicians around the world to falsely demonize the Internet as a fundamental cause of (or at least a willing partner in) the spread of radical terrorist ideologies, arguments have tended to focus along two parallel tracks.

    First is the notorious “We have to do something about evil encryption!” track. This is the dangerously loony “backdoors into encryption for law enforcement and intelligence agencies” argument, which would result in the bad guys having unbreakable crypto, while honest citizens would have their financial and other data made vastly more vulnerable to attacks by black hat hackers as never before.

    The other track in play relates to an area where there is much more room for reasoned discussion — the presence on the Net of vast numbers of terrorist-related videos, particularly the ones that directly promote violent attacks and other criminal acts.

    Make no mistake about it, there are no “magic wand” solutions to be found for this problem, but perhaps we can move the ball in a positive direction with some serious effort.

    Both policy and technical issues must be in focus.

    In the policy realm, all legitimate Web firms already have Terms of Service (ToS) of some sort, most of which (in one way or another) already prohibit videos that directly attempt to incite violent attacks or display actual acts

    When we move beyond such directly violent videos, the analysis becomes more difficult, because we may be looking at videos that discuss a range of philosophical aspects of radicalism

    Politicians tend to promote the broadest possible censorship laws that they can get away with, and so censorship tends to be a slippery slope that starts off narrowly and rapidly expands to other than the originally targeted types of speech.

    We must also keep in mind that censorship per se is solely a government power — they’re the ones with the prison cells and shackles to seriously enforce their edicts.

    The correct way to fight this class of videos is with our own information, of course. We should be actively explaining why (for example) ISIL/ISIS/IS/Islamic State/Daesh philosophies are the horrific lies of a monstrous death cult.

    Yes, we should be doing this effectively and successfully. And we could, if we put sufficient resources and talent behind such information efforts. Unfortunately, Western governments in particular have shown themselves to be utterly inept in this department to date.

    Have you seen any of the current ISIL recruitment videos? They’re colorful, fast-paced, energetic, and incredibly professional. Absolutely state of the art 21st century propaganda aimed at young people.

    By contrast, Western videos that attempt to push back against these groups seem more on the level of the boring health education slide shows we were shown in class back when I was in elementary school.

    Small wonder that we’re losing this information war. This is something we can fix right now, if we truly want to.

    The foundational issue is that immense amounts of video are being uploaded to services like YouTube (and now Facebook and others) at incredible rates that make any kind of human “previewing” of materials before publication entirely impractical, even if there were agreement (which there certainly is not) that such previewing was desirable or appropriate.

    Services like Google’s YouTube run a variety of increasingly sophisticated automated systems to scan for various content potentially violating their ToS, but these systems are not magical in nature, and a great deal of material slips through and can stay online for long periods.

    These facts tend to render nonsensical recent claims by some (mostly nontechnical) observers that it would be “simple” for services like YouTube to automatically block “terrorist” videos, in the manner that various major services currently detect child porn images.

    Reply
  28. Tomi Engdahl says:

    From http://lauren.vortex.com/archive/001139.html :

    As part of the ongoing attempts by politicians around the world to falsely demonize the Internet as a fundamental cause of (or at least a willing partner in) the spread of radical terrorist ideologies, arguments have tended to focus along two parallel tracks.

    First is the notorious “We have to do something about evil encryption!” track. This is the dangerously loony “backdoors into encryption for law enforcement and intelligence agencies” argument, which would result in the bad guys having unbreakable crypto, while honest citizens would have their financial and other data made vastly more vulnerable to attacks by black hat hackers as never before. That this argument is made by governments that have repeatedly proven themselves incapable of protecting citizens’ data in government databases makes this line of “reasoning” all the more laughable. More on this at:

    Why Governments Lie About Encryption Backdoors:
    http://lauren.vortex.com/archive/001137.html

    Reply
  29. Tomi Engdahl says:

    Google Joins Mozilla, Microsoft In Pushing For Early SHA-1 Crypto Cutoff
    http://tech.slashdot.org/story/15/12/22/023225/google-joins-mozilla-microsoft-in-pushing-for-early-sha-1-crypto-cutoff

    Due to recent research showing that SHA-1 is weaker than previously believed, Mozilla, Microsoft and now Google are all considering bringing the deadline forward by six months to July 1, 2016. Websites like Facebook and those protected by CloudFlare have implemented a SHA-1 fallback mechanism. Both companies have argued that there are millions of people in developing countries that still use browsers and operating systems that do not support SHA-2, the replacement function for SHA-1

    Reply
  30. Tomi Engdahl says:

    Oracle Settles Charges Regarding Fake Java Security Updates
    http://news.softpedia.com/news/oracle-settles-charges-regarding-fake-java-security-updates-497982.shtml

    Oracle representatives have agreed to come to a settlement with the Federal Trade Commission (FTC) in a four-year-old legal battle regarding falsely advertised Java security updates.

    Java, a popular piece of software with over 850 million users worldwide, is often used both online and for offline applications, such as games, chat apps, in browser plugins, and more.

    According to the FTC, in 2010, after Oracle acquired Java via the Sun purchase, the company promised and falsely delivered Java security updates.

    As an FTC investigation discovered, Oracle was delivering Java updates that only removed recent versions of Java SE but left behind extremely old releases, even if known to be extremely vulnerable.

    The FTC filed an official complaint, but officials said that Oracle continued with this insufficient and inefficient update process until August 2014.

    Reply
  31. Tomi Engdahl says:

    Hackers hit the kiddies and leak personal records of over three million Hello Kitty customers
    Hack exposed names, email addresses, passwords, birth dates and locations of those registered
    http://www.theinquirer.net/inquirer/news/2440013/hackers-hit-the-kiddies-and-leak-personal-records-of-over-three-million-hello-kitty-customers

    HACKERS HAVE YET AGAIN targeted the little ones in a data leak that has affected millions of Hello Kitty customers.

    Details of 3.3 million user records were hacked via website called Sanriotown.com, an online community for the popular Japanese character Hello Kitty, owned by Sanrio Co, a Japanese firm that designs, licenses and produces products based on pop-culture characters.

    The hack was uncovered by Chris Vickery, the vulnerability hunter who discovered the much-publicised hack at VTech, and exposed records including names, email addresses, passwords, birth dates and locations of those registered with the website.

    Reply
  32. Tomi Engdahl says:

    New Microsoft adware rules could stop another Superfish security scare
    http://www.theguardian.com/technology/2015/dec/22/new-microsoft-adware-rules-stop-superfish-security-scare

    From March, adware on Windows will have to be easily removable and not able to hijack users’ connections

    Microsoft will “detect and remove” insecure adware from Windows PCs in 2016, the company has announced.

    The move could prevent a repeat of Lenovo’s embarrassing self-inflicted security hole from March this year, by requiring that any advertising-based software only use a web browser’s official methods for installation, execution, disabling and removal.

    The target of Microsoft’s new policy, announced on Monday, is software like Superfish, the adware which Lenovo shipped pre-installed on its consumer laptops for a period in 2014 and 2015. That software hijacks a user’s connection, using a “man in the middle” technique, in order to display adverts, even on webpages which do not normally have them.

    Keeping browsing experience in users’ hands
    https://blogs.technet.microsoft.com/mmpc/2015/12/21/keeping-browsing-experience-in-users-hands/

    Reply
  33. Tomi Engdahl says:

    HIV Dating Company Accuses Researchers of Hacking Database
    http://yro.slashdot.org/story/15/12/22/1422216/hiv-dating-company-accuses-researchers-of-hacking-database

    Slashdot readers will recall the story posted last week about the misconfiguration of the MongoDB database that powers Hzone, a dating app for the HIV-positive, and the ensuing threat of HIV infection the company hurled at DataBreaches.net, who sent the notification

    But that’s not the end of the story. Among other twists and turns that point to a CEO who was in way over his head, in several emails to Dissent, the admin of DataBreaches.net, Hzone CEO Justin Robert accused Dissent of changing the Hzone user database. But follow-up emails suggest that the company couldn’t tell what was accessed or when, as Robert says Hzone doesn’t have ‘a strong tech team to maintain the site.’

    HIV dating company accuses researchers of hacking database
    http://www.csoonline.com/article/3017191/security/hiv-dating-company-accuses-researchers-of-hacking-database.html

    Hzone CEO calls the disclosure a condemnable act, accuses researcher and Databreaches.net of malicious hacking

    Justin Robert, the CEO of Hong Kong-based Hzone, has issued a statement regarding the public disclosure that his company’s app used a misconfigured database and exposed 5,000 users. But rather than answers, his statements and random accusations only lead to more questions.

    Sometime before November 29, the database that powers a dating app for HIV-positive singles (Hzone) was misconfigured and exposed to the web.

    The database housed personal information on more than 5,000 users including date of birth, relationship status, religion, country, biographical dating information (height, orientation, number of children, ethnicity, etc.), email address, IP details, password hash, and any messages posted.

    The researcher who discovered the database, Chris Vickery, turned to Databreaches.net for help getting the word out about the data breach and for assistance with contacting the company to address the issue.

    Once HZone responded to the notification emails, the first message threatened Dissent with HIV infection, though Robert later apologized for that, and later said it was a misunderstanding. Subsequent emails asked Dissent to keep quiet and not disclose the fact that Hzone users were exposed.

    In a statement, Hzone CEO, Justin Robert, says that the original notification emails went to the junk folder, which is why they were missed. However, according to his statements sent to the media – including Salted Hash – his company was working for a week to get the situation resolved.

    The statement also called those (including yours truly) in the media reporting on the data breach immoral, because we’re hyping the issue.

    However, it isn’t hype. The information in this database could cause real harm to the users exposed. Given that the company didn’t want the issue disclosed to begin with, the media were right to disclose the incident instead of allowing it to be covered up. If anything, the coverage might have helped alert users that they were – at one point – at risk. Based on his original statements, Robert didn’t have any intention of notifying them.

    Eventually, the company did place a notification on their homepage.

    “Hzone made a mistake in their security. If they had better contact information, they could have known sooner, secured the leak promptly, thanked the researcher, and moved forward after notifying their users. Instead, they have lashed out, made defamatory accusations, and issued threats.”

    Reply
  34. Tomi Engdahl says:

    How to log into any backdoored Juniper firewall – hard-coded password published
    Did the NSA knacker ScreenOS? Probably not
    http://www.theregister.co.uk/2015/12/21/security_code_to_backdoor_juniper_firewalls_revealed_in_firmware/

    The access-all-areas backdoor password hidden in some Juniper Networks’ Netscreen firewalls has been published.

    Last week it was revealed that some builds of the devices’ ScreenOS firmware suffer from two severe security weaknesses: one allows devices to be commandeered over SSH and Telnet, and the other allows encrypted VPN communications to be monitored by eavesdroppers.

    An analysis by security firm Rapid 7 of the firmware’s ARM code has uncovered more details on that first vulnerability – specifically, a hardcoded password that grants administrator access. And that password is: <<< %s(un='%s') = %u.

    regardless of the username given, it allows anyone to bypass authentication, and the password is hardwired into the operating system.

    The Rapid 7 team found more than 26,000 internet-facing Netscreen systems with SSH open.

    "This is interesting because although the first affected version was released in 2012, the authentication backdoor did not seem to get added until a release in late 2013 (either 6.3.0r15, 6.3.0r16, or 6.3.0r17)."

    That date is important because it potentially derails a rumor that has been floating around the internet over the weekend: that the backdoor was created as part of a top-secret NSA plan to hijack Juniper's kit for spying purposes.

    This rumor spread after people fished out an NSA document published by Der Spiegel in which the intelligence agency claimed to have full control over Juniper's Netscreen firewalls.

    But that slide was made in 2008. That's five years before this particular backdoor was added to ScreenOS. It's possible another backdoor was present in earlier builds, but no one has evidence of that.

    Also, the NSA slide focuses on implanting surveillance malware in a device, rather than compromising the firmware's source code to introduce a hidden skeleton key. The backdoor found by Rapid 7 seems too heavy-handed for the US spy agency.

    If anything, ScreenOS's use of the Dual EC DRBG random number generator in its encryption is more worrying, and points to potential NSA interference. That algorithm is the same engine that was championed by the NSA even as independent security researchers pointed out that it was seriously flawed.

    Reply
  35. Tomi Engdahl says:

    Google’s SHA-1 snuff plan is catching up with Microsoft, Mozilla
    Alphabet subsidiary names Jan 1st, 2017, but hopes it can move it to July 1, 2016
    http://www.theregister.co.uk/2015/12/22/googles_sha1_snuff_plan_is_catching_up_with_microsoft_mozilla/

    Google has outlined its approach to deprecating the compromised SHA-1 hash in its Chrome browser.

    Like the rest of the security world, Google believes the SHA-1 cipher just isn’t safe any more. That’s a reasonable position, because it’s been cracked without enormous effort. Mozilla, Microsoft and Facebook have all therefore proposed to stop using it and also make life hard for those relying on SHA-1 certificates.

    Google’s now explained its plan for SHA-1.

    The Alphabet subsidiary’s cunning plan starts with Chrome 48, due early in 2016 and tweaked so that it presents users with a warning if a site is signed with an SHA-1 certificate that:

    is signed with a SHA-1-based signature
    is issued on or after January 1, 2016
    chains to a public CA

    Subsequent versions of Chrome will display errors if SHA-1 certificates are employed.

    On or before January 1, 2017, “Chrome will completely stop supporting SHA-1 certificates.”

    Reply
  36. Tomi Engdahl says:

    Microsoft encrypts explanation of borked Windows 10 encryption
    Disk vault Bitlocker snubs self-encrypting drives – when’s the fix?
    http://www.theregister.co.uk/2015/12/04/windows_10_bitlocker/

    We know Microsoft can be pretty secretive about its spyware-as-a-service Windows 10, but Redmond has now taken its furtiveness to a whole new level.

    You may or may not know that its disk encryption tool Bitlocker has suddenly stopped working in the latest version of its operating system for a number of people.

    Bitlocker refuses to work if you try to enable it on a self-encrypting drive with the hardware-accelerated encryption switched on

    Reply
  37. Tomi Engdahl says:

    Cisco Systems Will Be Auditing Their Code For Backdoors
    http://it.slashdot.org/story/15/12/22/1558211/cisco-systems-will-be-auditing-their-code-for-backdoors

    In the wake of the discovery of two backdoors on Juniper’s NetScreen firewall devices, Cisco Systems has announced that they will be reviewing the software running on their devices, just in case. Anthony Grieco, a Senior Director of the Security and Trust Organization at Cisco, made sure to first point out that the popular networking equipment manufacturer has a “no backdoor” policy.

    Cisco Systems will be auditing their code for backdoors
    http://www.net-security.org/secworld.php?id=19266

    Reply
  38. Tomi Engdahl says:

    How to Think Like a Hacker and Act Like a Security Pro
    http://www.securityweek.com/how-think-hacker-and-act-security-pro

    A rite of passage for new parents is child-proofing—securing the home from threats to children. Most experts on the subject highly recommend that parents make their way around the house on their hands and knees in order to experience the environment from a child’s perspective. This may be the only way to see the threats that aren’t obvious from an adult’s point of view.

    The same is true when building security into an application. Obviously, there are lists of common vulnerabilities and other guidance in the form of best practices to consider. However, to really protect software you need to consider the hacker’s point of view of the application. You need to think like a hacker, but act like a security pro.

    hinking like a hacker is not just about the technical aspects of the hack. There are a few other things to think about:

    Think Like a Hacker

    • What’s the hacker’s motivation? What do they hope to gain?

    • Is the hacker targeting you specifically, or are they opportunistic and you just happen to have vulnerabilities that make you a target?

    • How will they attack?

    • When will they attack?

    For example, if you are a target of convenience, understand that hackers are more than happy to take the path of least resistance. This is why protecting against obvious, well-known attack vectors is critical. While there is a lot of mystery and intrigue around advanced persistent threats (APTs), hackers have no interest investing time and effort into building an APT when using simple, well-traveled attacks such as SQL injection will do the trick.

    Reply
  39. Tomi Engdahl says:

    Patient Data Breaches Affect 90% of Industries: Verizon
    http://www.securityweek.com/patient-data-breaches-affect-90-industries-verizon

    Patient data breaches affect 90% of industries, according to Verizon’s 2015 Protected Health Information Data Breach Report

    Stolen medical information is an issue that affects 18 out of 20 industries, making the problem more widespread than previously believed, Verizon’s 2015 Protected Health Information Data Breach Report reveals.

    Reply
  40. Tomi Engdahl says:

    PCI Council Extends Deadline to Migrate Off Vulnerable SSL Encryption
    http://www.securityweek.com/pci-council-extends-deadline-migrate-vulnerable-ssl-encryption

    The Payment Card Industry Security Standards Council (PCI SSC) has set a new deadline for when organizations that process payments should complete the migration off vulnerable SSL and early TSL encryption

    Initially set to June 2016, the migration date has been pushed back two years, to June 2018, the global forum for the development of payment card security standards announced (PDF), giving payment processing entities more time to fully implement the TLS 1.1 encryption or higher in their systems.

    PCI SSC included the initial deadline for the migration in the PCI Data Security Standard, version 3.1 (PCI DSS 3.1), which was published in April 2015. The Council also announced that the new deadline date will be included in the next version of the PCI Data Security Standard, which should be issued next year.

    Reply
  41. Tomi Engdahl says:

    Sarah Perez / TechCrunch:
    Google begins testing login system that uses phone notifications for authentication instead of passwords — Google Begins Testing Password-Free Logins — Google confirmed this morning it’s now testing a new way to sign into your Google account without having to type in a password.

    Google Begins Testing Password-Free Logins
    http://techcrunch.com/2015/12/22/google-begins-testing-password-free-logins/#.b5imzi:iDX2

    Google confirmed this morning it’s now testing a new way to sign into your Google account without having to type in a password. Instead, those who have been invited to try this new method of logging in authenticate by responding to a notification sent to their smartphone. The idea is similar to Yahoo’s recently launched “Account Key,” which also offers a password-free means of signing in involving a push notification sent to your phone that then opens an app where you approve the log-in.

    Passwords are often the weakest parts when it comes to securing users’ accounts, as many don’t use complex passwords or they reuse the same password across services. Two-factor authentication – like using a USB stick with a secret token or entering in a code sent via text method to your phone – can help to increase security, but many users also find this to be a hassle as it introduces an additional step to the login process.

    This new password-free login option, on the other hand, is about speeding up logins by offering a different way of signing in altogether.

    Reply
  42. Tomi Engdahl says:

    Joseph O’Sullivan / The Seattle Times:
    Washington Governor Jay Inslee says a programming glitch has caused as many as 3,200 inmates to be released early since 2002, by a median amount of 49 days

    Inslee: Error releases up to 3,200 inmates early
    http://www.seattletimes.com/seattle-news/politics/inslee-error-releases-inmates-early-since-2002/

    Gov. Jay Inslee announced Tuesday the Washington Department of Corrections has been making mistakes in calculating sentences since 2002, resulting in thousands of inmates leaving prison early. Corrections officials learned of a problem in 2012.

    For three years, state Department of Corrections staff knew a software-coding error was miscalculating prison sentences and allowing inmates to be released early. On Tuesday, Gov. Jay Inslee gave the damning tally: up to 3,200 prisoners set free too soon since 2002.

    Once the broader problem was discovered, a scheduled software fix got caught up in repeated IT delays, yet to be explained.

    “That this problem was allowed to continue to exist for 13 years is deeply disappointing,” Inslee said. “It is totally unacceptable, and frankly it is maddening.”

    Reply
  43. Tomi Engdahl says:

    Matthew Green / A Few Thoughts …:
    How hackers piggybacked on an existing backdoor in Juniper’s ScreenOS software to create a backdoor of their own — On the Juniper backdoor — You might have heard that a few days ago, Juniper Systems announced the discovery of “unauthorized code” in the ScreenOS software that underlies the NetScreen line of devices.

    On the Juniper backdoor
    http://blog.cryptographyengineering.com/2015/12/on-juniper-backdoor.html?m=1

    You might have heard that a few days ago, Juniper Systems announced the discovery of “unauthorized code” in the ScreenOS software that underlies the NetScreen line of devices. As a result of this discovery, the company announced a pair of separate vulnerabilities, CVE-2015-7755 and CVE-2015-7756 and urged their customers to patch immediately.

    The first of these CVEs (#7755) was an authentication vulnerability, caused by a malicious hardcoded password in SSH and Telnet. Rapid7 has an excellent writeup of the issue. This is a pretty fantastic vulnerability, if you measure by the impact on security of NetScreen users. But on the technological awesomeness scale it rates about a two out of ten, maybe a step above ‘hit the guy with a wrench’.

    The second vulnerability is a whole different animal. The advisory notes that CVE-7756 — which is independent of the first issue — “may allow a knowledgeable attacker who can monitor VPN traffic to decrypt that traffic.” This is the kind of vulnerability that makes applied cryptographers cry tears of joy.

    And while every reasonable person knows you can’t just drop “passive decryption vulnerability” and expect the world to go on with its business, this is exactly what Juniper tried to do. Since they weren’t talking about it, it fell to software experts to try to work out what was happening by looking carefully at firmware released by the company.

    Now I want to be clear that I was not one of those software experts. IDA scares the crap out of me. But I’m fortunate to know some of the right kind of people, like Steve Checkoway, who I was able to get on the job

    And yes, it was worth it. Because what Ralf and Steve et al. found is beyond belief. Ralf’s excellent post provides all of the technical details, and you should honest just stop reading now and go read that. But since you’re still here, the TL;DR is this:

    For the past several years, it appears that Juniper NetScreen devices have incorporated a potentially backdoored random number generator, based on the NSA’s Dual_EC_DRBG algorithm. At some point in 2012, the NetScreen code was further subverted by some unknown party, so that the very same backdoor could be used to eavesdrop on NetScreen connections. While this alteration was not authorized by Juniper, it’s important to note that the attacker made no major code changes to the encryption mechanism — they only changed parameters. This means that the systems were potentially vulnerable to other parties, even beforehand. Worse, the nature of this vulnerability is particularly insidious and generally messed up.

    The most famous (alleged) example of deliberate random number generator subversion was discovered in 2007 by Dan Shumow and Neils Ferguson from Microsoft, when they announced the possibility of a backdoor in a NIST standard called Dual_EC_DRBG.

    Dual EC relies on a special 32-byte constant called Q, which — if generated by a malicious attacker — can allow said attacker to predict future outputs of the RNG after seeing a mere 30 bytes of raw output from your generator.

    The NIST specification of Dual_EC comes with a default value for Q that was generated by the NSA.

    Although it was not widely publicized before this week, Juniper’s ScreenOS devices have used Dual EC for some time — probably since before Juniper acquired NetScreen Technologies.

    First, ScreenOS doesn’t use the NSA’s default Q. Instead, they use an alternative Q value that was generated by Juniper and/or NetScreen.

    Next, ScreenOS uses Dual EC in a strange, non-standard way.

    Thus Dual EC is safe only if you assume no tiny bug in the code could accidentally leak out 30 bytes or so of raw Dual EC output. If it did, this would make all subsequent seeding calls predictable, and thus render all numbers generated by the system predictable. In general, this would spell doom for the confidentiality of VPN connections.

    And unbelievably, amazingly, who coulda thunk it, it appears that such a bug does exist in many versions of ScreenOS, dating to both before and after the “unauthorized code” noted by Juniper.

    So if this was the authorized code, what the hell was the unauthorized code?

    The creepiest thing about CVE-2015-7756 is that there doesn’t seem to be any unauthorized code. Indeed, what’s changed in the modified versions is simply the value of the Q point. According to Ralf this point changed in 2012, presumably to a value that the hacker(s) generated themselves. This would likely have allowed these individuals to passively decrypt ScreenOS VPN sessions.

    In the more recent Juniper patch to fix the vulnerability, Q is simply set back to the the original Juniper/NetScreen value.

    To sum up, some hacker or group of hackers noticed an existing backdoor in the Juniper software, which may have been intentional or unintentional — you be the judge! They then piggybacked on top of it to build a backdoor of their own, something they were able to do because all of the hard work had already been done for them. The end result was a period in which someone — maybe a foreign government — was able to decrypt Juniper traffic in the U.S. and around the world.

    So why does this matter?

    For the past several months I’ve been running around with various groups of technologists, doing everything I can to convince important people that the sky is falling. Or rather, that the sky will fall if they act on some of the very bad, terrible ideas that are currently bouncing around Washington — namely, that our encryption systems should come equipped with “backdoors” intended to allow law enforcement and national security agencies to access our communications.

    One of the most serious concerns we raise during these meetings is the possibility that encryption backdoors could be subverted.

    Specifically, that a backdoor intended for law enforcement could somehow become a backdoor for people who we don’t trust to read our messages. Normally when we talk about this, we’re concerned about failures in storage of things like escrow keys. What this Juniper vulnerability illustrates is that the danger is much broader and more serious than that.

    The problem with cryptographic backdoors isn’t that they’re the only way that an attacker can break into our cryptographic systems. It’s merely that they’re one of the best. They take care of the hard work, the laying of plumbing and electrical wiring, so attackers can simply walk in and change the drapes.

    Reply
  44. Tomi Engdahl says:

    Kim Zetter / Wired:
    Experts’ findings suggest NSA is at least indirectly responsible for Juniper backdoor because of the weakness NSA embedded in the Dual_EC encryption algorithm

    Researchers Solve Juniper Backdoor Mystery; Signs Point to NSA
    http://www.wired.com/2015/12/researchers-solve-the-juniper-mystery-and-they-say-its-partially-the-nsas-fault/

    Reply
  45. Tomi Engdahl says:

    Juniper’s VPN security hole is proof that govt backdoors are bonkers
    If you let in the Feds, you’ll let in anyone
    http://www.theregister.co.uk/2015/12/23/juniper_analysis/

    Juniper’s security nightmare gets worse and worse as experts comb the ScreenOS firmware in its old NetScreen firewalls.

    Just before the weekend, the networking biz admitted there had been “unauthorized” changes to its software, allowing hackers to commandeer equipment and decrypt VPN traffic.

    In response, Rapid7 reverse engineered the code, and found a hardwired password that allows anyone to log into the boxes as an administrator via SSH or Telnet.

    Now an analysis of NetScreen’s encryption algorithms by Matthew Green, Ralf-Philipp Weinmann, and others, has found another major problem.

    “For the past several years, it appears that Juniper NetScreen devices have incorporated a potentially backdoored random number generator, based on the NSA’s Dual EC DRBG algorithm,” wrote Green, a cryptographer at Johns Hopkins University.

    “At some point in 2012, the NetScreen code was further subverted by some unknown party, so that the very same backdoor could be used to eavesdrop on NetScreen connections. While this alteration was not authorized by Juniper, it’s important to note that the attacker made no major code changes to the encryption mechanism – they only changed parameters.”

    The Dual EC DRBG random number generator was championed by the NSA, although researchers who studied the spec found that data encrypted using the generator could be decoded by clever eavesdroppers.

    Reply
  46. Tomi Engdahl says:

    Cisco cops to enterprise IOS XE vulnerability
    Patch published
    http://www.theregister.co.uk/2015/12/23/cisco_ios_xe_vuln/

    Cisco’s latest operating system update ships with a vulnerability that could let hackers seize control of network devices.

    The giant has admitted to the hole in its IOS XE release 16.1.1 that, if exploited, would let an attacker force a device to reload.

    IOS XE is Cisco’s operating system for routers, switches and appliances but 16.1.1 was only for the enterprise-class 3650/3850 stackable switches.

    The update shipped in early December.

    Reply
  47. Tomi Engdahl says:

    Ask Slashdot: How To Deal With a Persistent and Incessant Port Scanner?
    http://ask.slashdot.org/story/15/12/23/0310250/ask-slashdot-how-to-deal-with-a-persistent-and-incessant-port-scanner

    What would you do if your firewall was being persistently targeted by port scans from a specific group of machines from one particular company? I run a Sophos UTM9 software firewall appliance on my home network. Works great, and the free Home Use license provides a bunch of really nice features normally only found on commercial-grade gear. One of those is the ability to detect, block, and report port scans, and under normal circumstances I only get the occasional alert when some script kiddie comes a-knocking at my door.

    But in recent months I have been getting flooded with alerts of scans from one particular company. I initially reported it to my own ISP’s (RoadRunner’s) abuse desk, on the assumption that if they’re scanning me then they’re probably scanning a bunch of my neighbors as well, and any responsible ISP would probably want to block this BS, but all I ever got back was an automated acknowledgment and zero action. So I used DNS lookup and WHOIS to find their phone number, and spoke with someone there; it appears that they’re a small outfit, and I was assured that they had a good idea where it was coming from and that they would make it stop. Indeed, it did stop a few days later but then it was back again, unabated, after another week or so. So last week I called them again, and was once again assured of a resolution. No dice, the scans continue to pour in.

    I’ve already blocked their subnet at my firewall, but the UTM apparently does attack detection before filtering, so that didn’t stop the alerts.

    Start automatically bouncing every report to their abuse address? Sic Anonymous on them? Start calling them every time? I’m open to suggestions.

    Comments:

    Report it once, to their abuse address. If it continues (it did), block their IP-range. Problem solved (unless you have a lot of spare time and really WANT to waste time on this instead of reading a book or play computer games).

    So this time report it to appropriate authorities and if they don’t take your case make a public letter into their local newspaper asking them what they are up to.

    If you listen to the Security Now podcast, this sort of thing is all over the internet. It’s a nasty place out there and actors from anywhere and everywhere are always checking addresses for vulnerabilities, etc. I suspect we all get that sort of thing.

    Unless it is DDOS’ing you, why is it an issue?

    Problem with these commercial products is that they want to prove their usefulness be regularly raising alarms. And, they miss essential features like IP based whitelisting. Portscans and probes are to standard to be bothered about, just block and forget.

    Use a decent open source product like pfsense instead. I’ve had an appliance with pfsense for years and I forget it’s even there.

    Reply
  48. Tomi Engdahl says:

    Cisco probes self for Juniper-style backdoors, silently mouths: ‘We’re doing this for yooou’
    No holes in our code, we promise, but we’ll check anyway
    http://www.theregister.co.uk/2015/12/22/cisco_code_review/

    n the wake of the Juniper firewall backdoor scandal, Cisco is reviewing its source code to make sure there are no similar nasty surprises lurking within.

    “Our development practices specifically prohibit any intentional behaviors or product features designed to allow unauthorized device or network access, exposure of sensitive device information, or a bypass of security features or restrictions,” Cisco said in an advisory.

    “These include, but are not limited to undisclosed device access methods or ‘backdoors’, hardcoded or undocumented account credentials, covert communication channels, or undocumented traffic diversion.”

    Having said that, in light of the Juniper cluster-fsck, Cisco will, we’re told, conduct a thorough audit of its code to make sure no sneaky coder has been fiddling with its firmware to make its equipment less secure. This will include examining the source code, and hiring penetration testers to stage attacks and see if weaknesses can be found.

    The networking giant has committed to publishing the results of the research and will let customers know if any holes have been found, once patches are available.

    But there’s also the fact that Cisco is keen to preserve customer confidence. Ever since the Edward Snowden leaks, Cisco has seen sales take a hit, particularly in Asia, over fears that it’s a stooge for the NSA.

    Reply
  49. Tomi Engdahl says:

    Xen Project blunder blows own embargo with premature bug report
    Malicious guest could eat your virtual rigs from the inside
    http://www.theregister.co.uk/2015/12/23/xen_blunder_blows_own_embargo_with_premature_bug_report/

    The Xen Project has reported a new bug, XSA-169, that means “A malicious guest could cause repeated logging to the hypervisor console, leading to a Denial of Service attack.”

    The fix is simple – running only paravirtualised guests – but the bug is a big blunder for another reason.

    Xen is very widely used by big cloud operators, principally Amazon Web Services. Xen bugs are therefore very, very valuable to criminals because if they can learn of a vulnerability they have millions of targets to attack. The Xen Project therefore cooked up new rules designed specifically to ensure that big operators get a couple of weeks in which to sort things out before world+dog is told about the bug.

    Those processes weren’t followed for XSA-169, as the notice of the bug sheepishly admits “The fix for this bug was publicly posted on xen-devel, before it was appreciated that there was a security problem.

    Reply
  50. Tomi Engdahl says:

    Schools told to monitor pupils’ web use to prevent radicalisation
    http://www.bbc.com/news/uk-35157910

    Schools in England must set online filters and monitor pupils’ internet use under plans to protect them from radicalisation, education secretary Nicky Morgan said.

    Ministers are concerned young people could be targeted by extremists, possibly via school computers.

    Mrs Morgan said some pupils had been able to access information about so-called Islamic State at school.

    Teaching unions said schools would welcome greater clarity on the plans.

    The reforms, which have been published for consultation, follow several cases where school children either travelled, or attempted to travel, to Syria.

    Their head teacher has said there is no evidence they were radicalised at school as pupils cannot access social media on the academy’s computers.
    Image copyright Metropolitan Police

    Mrs Morgan said: “As a parent, I’ve seen just what an important role the internet can play in children’s education. But it can also bring risks, which is why we must do everything we can to help children stay safe online – at school and at home.”

    The proposed measures include showing young people how to use the internet responsibly and making sure parents and teachers are able to keep youngsters safe from exploitation and radicalisation, she added.

    The reforms will also address other issues such as cyberbullying and pornography, the Department for Education (DfE) said.

    Many schools already have systems in place to filter and monitor pupils’ online activity, but the new guidelines are designed to strengthen requirements to keep children safe and spot concerns quickly.

    The National Association of Head Teachers (NAHT) said schools are “doing many of these things anyway”, but they would welcome “greater clarity” on how to deploy appropriate filters and monitoring systems.

    Reply

Leave a Comment

Your email address will not be published. Required fields are marked *

*

*