Year 2014 is coming to end, so it is time to look forward what to expect from year 2015 in cyber security.
Cyber security will get harder year y year. Year 2014 was much worse than 2013. Heartbleed, Bash, and POODLE vulnerabilities were just the beginning of what to expect in 2015. I expect that year 2014 was easy compared to what year 2015 will be. 2015 will prove to be a challenging year for IT security professional. Attacks can happen anywhere and anytime and they don’t have to be major attacks by nation states. They could come from inside or outside.
According to Gartner and Securityweek Total information security spending will grow a further 8.2 percent in 2015 to reach $76.9 billion. Unfortunately, security investments are not keeping up with IT enhancements that are continuously widening our attack surface and making systems more vulnerable. As computer software has become the backbone of modern civilization, “hacktivists”, organized cyber criminals, state-sponsored cyber attackers, and terrorist organizations try to exploit design flaws and weaknesses in the applications in order to embarrass corporations and government agencies, and commit fraud.
The steady flow of software security issues will be making headlines also in 2015. Serious security flaws will be found on both open seurce and proprietary software.
There are many people looking for a good process to develop secure software, because after-the-fact band-aiding is not a sustainable approach. If the same methods continue to be used to develop the software, retrospectively adding tests, then there will only be a very modest reduction in the flow of problems. Processes exist but have yet to be broadly applied for developing reliable and secure networking software. Traditional methods used to develop software continue to result in high failure rates. Why create insecure security?
Year 2014 was a year of cybersecurity after the NSA revelations made in 2013. There were lots of articles related to the material published. Not everything has yet been published, so I would expect some new NSA revelations details to be published also in 2015. So I expect some new information leaks on how govermential security organizations spy us all.
It seems like year 2014 has almost been “The Year of PoS Breaches.” Can We Learn from Big Breaches? At least companies will also face more stringent regulations: The new Payment Card Industry Data Security Standard 3.0 (PCI 3.0) will be mandatory for all businesses that store, process or transmit payment card information beginning 1 January 2015. The revamped standard includes requirements aimed at third party providers. The changes follow a string of high profile breaches – companies will also face more stringent regulations: The new Payment Card Industry Data Security Standard 3.0 (PCI 3.0) will be mandatory for all businesses that store, process or transmit payment card information beginning 1 January 2015. The revamped standard includes requirements aimed at third party providers. I expect that those new requirements do not result any quick change to the situation. As more and more breach reports have come up constantly, consumers officially are starting to get breach fatigue and banks are bringing breached companies to court to pay for damages caused to them.
Public and private organizations are facing an increasing frequency and sophistication of cyber-attacks and security breaches – many of which are only discovered after the fact. McAfee Labs’ 2015 Threats Predictions report is an eye-opening read which forecasts increased levels of crime, espionage and warfare operations. Cybercriminals are expected to use more sophisticated methods to remain hidden on a victim’s network, carrying out long-term theft of data without detection.
Get Ready For The Hack Attack That Drives A Big Company Out Of Business article predicts that 2015 will be the year that some company goes out of business because they didn’t plan adequately for an attack. In the past, the most sophisticated hacks against companies were carried out by big nation-states or criminal organizations. In year 2014 the Sony Pictures hack happened and showed that motives of sophisticated hackers have changed from self-gain to destruction. Many company officers are only now becoming aware of the threat (boards of directors and C-level officers have traditionally been focused on other threats). A computerized attack can cause a lot of damage to a well prepared company, and can turn a not so well prepared company to a complete disaster it can’t recover. Sony attack opens new doors of risks in the areas of corporate extortion.
As Internet of Thigs becomes more and more used, it will be more hacked. Thus security of Internet of Things will be more and more talked about. IoT os one field where cyber security flaws can kill. The European Police Office (Europol) said governments are ill-equipped to counter the menace of “injury and possible deaths” spurred by hacking attacks on critical safety equipment. There are many potential dangers are in transportation: many new cars are Internet connected and potentially vulnerable, SCADA Systems in Railways Vulnerable to Attack and Airline bosses ignore cyber security concerns at their peril. Whether it is an unintentional cyber incident or a deliberate attack, security continues to be a vital part of the automation industry and it will remain, with safety, a growing area of concern for manufacturers in the coming years. Security awareness is on the rise throughout the industry. Security is becoming a business enabler that can provide manufacturers more than just an insurance policy.
Soon, almost every network will soon have IoT-hacking in it. IDC predicts that in two years from 90 per cent of the global IT networks have met IoT data theft. In a report, cybersecurity firm Fortinet expects greater threats from “denial of service attacks on assembly line, factory, industrial control systems, and healthcare and building management…resulting in revenue losses and reputation damages for organizations globally.” This opens new doors of risks in the areas of corporate extortion, altering of corporate business operations, and the extension of cyberattacks to include physical threats of harm to civilians.
Why cyber warfare is becoming more and more attractive to small nations and terrorist groups. Enabled by Internet connectivity, cyber war provides more bang for the buck than investment in conventional weapons. It is cheaper for and far more accessible to these small nation-states than conventional weapons . It allows these countries to pull off attacks without as much risk of getting caught and without the repercussions when they are caught. There are many reasons why a nation-state or non-nation entity would pursue a cyber war program, and today many countries large and small invest in cyber warfare. Recent cyber attacks suggest that fewer resources are required to wage an attack than to defend against one. As the whole world gets connected, it just provides the details that make these attacks possible. In the not-too-distant future, warfare with traditional weaponry may take a backseat to potentially more destructive tactics: computer code attacking the companies and infrastructures, including electric grids and oil and gas pipelines, that society relies on.
It was estimated that first online murder would happen in 2014. It did not seem to happen in 2014 as far as I know. I think that is likely that online murder can happen in 2015. There are tools available for this to happen. Cyber-murder it can happen without us knowing about it.
Mobile devices will be one of the focal points for cyber-attackers in 2015, as they present relatively easy, low-risk points of entry that can be monitored remotely for passwords, account numbers, and personal identification data. Sure, there are still relatively easy to publish malicious application stores. Within next year advanced mobile exploit kits will become available.
Mobile devices will start to play part in denial of service attacks. Vietnam, India and Indonesia will be the distributed denial of service volcanoes of next year due to the profieration of pwned mobiles.
Year 2014 brought encryption to mainstream smart phones (new encryption features from Apple Inc. and Google Inc). In year 2015 government organizations try to tackle a very modern problem: password-protected encrypted cellphones. It will be a fight on surveillance as everyone starts to implement encryption.
Long predicted but always seeming to be “just around the corner,” mobile payments may finally have arrived. The coming mobile payment revolution, the underlying technologies – and alternative solutions – have been emerging for some time. Technologies playing a supporting role in this shift include encryption advances, digital currencies, biometrics, NFC, Bluetooth, QR codes, and even the use of sound wave data transfer. There will also bea products mrketed to prevent different kind of potential threats the new technologies can cause.
There is a never-ending battle between good and evil in the cyber world. Various types of attacks are successful because they are well-disguised, blend different techniques, and constantly evolve. You need Layered Security – It’s Not Just for Networks. Use a layered security architecture that supports a combination of defenses in ways attackers don’t expect and that continuously evolves protections to keep up with dynamic attacks. Traditionally these approaches have been focused on the network, but they can and should be applied to other parts of IT system as well (start from email gateways). Email is the preferred channel for business communications and thus continues to be a vector of choice for attackers.
Threat Information Sharing Will Become Necessary for Survival. Security controls (SANS critical controls, ISO/IEC 27002, NIST Cybersecurity Framework, and the Cloud Controls Matrix) are safeguards and counteract or minimize security risks relating to digital property. The more you can automate a control, the better off you will be. We are in the way of Moving towards an adaptive and automated way of applying intelligence based on behavior and heuristics is clearly moving in the right direction to enable a more actionable and relevant set of controls. Threat intelligence coming from a variety of sources (security companies, the government and the open source community) is needed. Key to the success is publishing intelligence in a variety of data structures (STIX, TAXI and other standard industry formats) to best describe threats in a way that can be aggregated and understood by others.
More and more organizations are moving applications and data to IaaS/PaaS environments. Many enterprise IT departments have reason for concern: industry experts agree that moving sensitive data into the hands of third-party cloud providers expands and complicates the risk landscape in which companies operate every day. You need to understand cloud database security basics and more.
Today major players are embracing end-to-end encryption, so that about 50% of web traffic is carried by HTTPS. HTTPS-everywhere will get boost in 2015 as a new certificate authority – backed by big names on the internet including Mozilla, Cisco and Akamai – plans to offer SSL certs at no charge starting summer 2015. This move will make it even more easier for people to run encrypted, secure HTTPS websites.
Google is proposing to warn people their data is at risk every time they visit websites that do not use the “HTTPS” system. If implemented, the change would mean that a warning would pop-up when people visited a site that used only HTTP to notify them that such a connection “provides no data security”. In the short term, the biggest headache is likely to be faced by website operators who will feel forced to migrate unencrypted HTTP websites to encrypted HTTPS.
You can’t trust that normal web security technologies will guarantee safety. Your HTTPS security will be more manipulated than before. End to end HTTPS is generally good security addition to end users, but it does not solve all the problems. The increased use of HTTPS has made the life of IT departments harder, because normal firewalls can’s look what is inside encypted HTTPS packets, so they can’t block potential security treads that are carried within HTTPS packets. There are some special corporate firewall arrangements that can intercept HTTPS traffic (they do kind of man-in-the middle attack that decrypts and encryps the packets on the way). So SSL communications can be intercepted and broken.
3,110 Comments
Tomi Engdahl says:
If you installed this game from Google’s Play Store, your Android phone may be infected!
http://betanews.com/2015/12/21/if-you-installed-this-game-from-googles-play-store-your-android-phone-may-be-infected/
While many detractors of iOS point to Apple’s strict access to the App Store, others — like me — applaud it. While it might be harder to get an app approved for download in Apple’s store, it is arguably more secure. Conversely, Google’s Play Store can sometimes feel like the wild west. Sure, Apple’s process is not infallible either, but many consider it to be the gold standard. Apple’s stronger and more stringent screening process not only helps to block malicious apps, but weeds out low-quality offerings too. Overall, neither process is perfect.
Today, a startling discovery was made in the Google Play Store for Android. You see, a malicious app masquerading as a game made it past Google’s security screeners, putting millions of users at risk. Had anti-malware company Lookout not discovered it, there is no telling how many Android users could have installed it.
“Lookout discovered a solitaire app in Google Play’s gaming category that is actually a version of the malware family FruitSMS, which conducts premium SMS fraud and charges people for typically free services.”
Tomi Engdahl says:
Oracle ordered to admit on its website that it lost the plot on Java security
Database giant settles out of court with US regulator over ‘patch lies’
http://www.theregister.co.uk/2015/12/22/ftc_oracle_java/
Oracle bungled the security updates of its Java SE software so badly it must publish a groveling letter prominently on its website for the next two years.
After gobbling up Java along with Sun in 2010, Oracle’s software updates for Java SE would only affect the latest version installed. If you had multiple versions of Java SE on your system, only the latest would be replaced when installing or upgrading to a new release – leaving the old and insecure copies of Java SE on the system for hackers and malware to exploit. Vulnerabilities lurking in the outdated installations can be abused to hijack computers, steal passwords, and so on.
Why would you have multiple versions on one machine? Well, Oracle’s hopeless code would never remove old builds of Java SE from PCs: each update would leave the old vulnerable versions in place like ticking time bombs. According to US watchdog the FTC, Oracle knew in 2011 that its software was broken, as internal documents admitted the “Java update mechanism is not aggressive enough or simply not working.”
Oracle fixed its installer in August 2014 to cleanse systems of older copies of Java SE, but the FTC is still jolly cross with the California tech giant – particularly because Java SE has apparently been installed on more than 850 million PCs. The regulator sued the database goliath, accusing it of breaking consumer protection laws by lying about the security of its applications.
In a settlement announced on Monday, Oracle must provide a means for people to rid their systems of older builds of Java SE, or the corporation will face fines. It must also encourage antivirus makers Avast, AVG, ESET North America, Avira, McAfee, Symantec, and Trend Micro, and Firefox maker Mozilla, to put out security advisories about the Java SE cockup.
The IT titan must “notify consumers during the Java SE update process if they have outdated versions of the software on their computer, notify them of the risk of having the older software, and give them the option to uninstall it. In addition, the company will be required to provide broad notice to consumers via social media and their website about the settlement and how consumers can remove older versions of the software.”
Tomi Engdahl says:
Australian government urges holidaymakers to kill two-factor auth
Um, not sure you thought this one through
http://www.theregister.co.uk/2015/12/22/australian_government_twofactor_auth/
The Australian government is urging its citizens to turn off two-factor authentication while abroad.
The myGov website allows Australians to tap into a broad range of government services including tax payments, health insurance, child support, and so on. Since this tends to involve sensitive personal information, it’s wise to protect one’s account with two-factor authentication – such as a one-time code texted to a phone that needs to be given to the website while logging in.
There’s a fear that while citizens are overseas, they may not be able to reliably get these text messages (or be charged an extra fee to receive them) if they try to use myGov. So the advice is: turn off this protection when out the country, and turn it back on again when you return.
Except, of course, that rather misses the entire reason for two-factor authentication, and puts convenience above the actual security of your information.
What’s more, people are significantly more likely to be using online services in less secure settings when they are abroad, making the decision to remove a vital mechanism all the more likely that their accounts will be compromised.
In other words, this is really terrible advice.
The entire point of two-factor auth is to make it so that if someone manages to snatch a look at your username and password, they can’t automatically log into your account.
As such, the Australian government is doing is the exact opposite of what it should be doing, which is educating people about alternative ways to secure their accounts, rather than pushing the crazy message that security is about convenience and that you should simply drop it when it requires a little extra effort,
Tomi Engdahl says:
George Osborne fires starting gun on £20m coding comp wheeze
Institute of Coding will teach, er, secure coding. Got it?
http://www.theregister.co.uk/2015/11/19/uk_gov_institute_coding_comp/
Security vendors and training organisations have welcomed plans by the UK government to open a £20m competition along with a new “Institute of Coding”.
The proposals were floated during a speech by UK Chancellor George Osborne on cyber-security and the fight against terrorism at GCHQ on Tuesday, during which also he announced £1.9bn funding for cyber security and a new National Cyber Centre.
Paul Farrington, senior solutions architect at application security firm Veracode, commented: “Our world is run on software – medical devices, finance, IoT, access to knowledge via Internet, etc – so any foundational security training must include the ability to code securely.”
He continued: “The opportunity for young people to gain affirmative training in coding goes beyond just providing them with the ability to design and build, but will give them a greater understanding about the issues and responsibilities that developers face in ensuring that their code remains secure.”
Shortcomings in applications security – often caused by coders making well understood mistakes – are putting consumer and enterprise data at risk. Improving application security training for developers in crucial in closing these gaps.
“Coding vulnerabilities in web applications remain one of the most frequent patterns in confirmed breaches and account for up to 35 per cent of breaches in some industries,”
“The Institute will help in educating the next generation of coders by having security principles built into their training,”
Tomi Engdahl says:
32C3: Towards Trustworthy x86 Laptops
http://hackaday.com/2015/12/28/32c3-towards-trustworthy-x86-laptops/
Security assumes there is something we can trust; a computer encrypting something is assumed to be trustworthy, and the computer doing the decrypting is assumed to be trustworthy. This is the only logical mindset for anyone concerned about security – you don’t have to worry about all the routers handling your data on the Internet, eavesdroppers, or really anything else. Security breaks down when you can’t trust the computer doing the encryption. Such is the case today. We can’t trust our computers.
In a talk at this year’s Chaos Computer Congress, [Joanna Rutkowska] covered the last few decades of security on computers – Tor, OpenVPN, SSH, and the like. These are, by definition, meaningless if you cannot trust the operating system. Over the last few years, [Joanna] has been working on a solution to this in the Qubes OS project, but everything is built on silicon, and if you can’t trust the hardware, you can’t trust anything.
And so we come to an oft-forgotten aspect of computer security: the BIOS, UEFI, Intel’s Management Engine, VT-d, Boot Guard, and the mess of overly complex firmware found in a modern x86 system. This is what starts the chain of trust for the entire computer, and if a computer’s firmware is compromised it is safe to assume the entire computer is compromised.
Firmware is also devilishly hard to secure: attacks against write protecting a tiny Flash chip have been demonstrated. A Trusted Platform Module could compare the contents of a firmware, and unlock it if it is found to be secure. This has also been shown to be vulnerable to attack.
But Intel has an answer to everything, and to the house of cards for firmware security, Intel introduced their Management Engine. This is a small microcontroller running on every Intel CPU all the time that has access to RAM, WiFi, and everything else in a computer. It is security through obscurity, though.
Is there hope for a truly secure laptop? According to [Joanna], there is hope in simply not trusting the BIOS and other firmware. Trust therefore comes from a ‘trusted stick’ – a small memory stick that contains a Flash chip that verifies the firmware of a computer independently of the hardware in a computer.
Tomi Engdahl says:
Ben Blanchard / Reuters:
China passes controversial counter-terrorism law that requires tech companies hand over encryption keys and other sensitive information to government — China passes controversial counter-terrorism law — China’s parliament passed a controversial new anti-terrorism law on Sunday …
China passes controversial counter-terrorism law
http://www.reuters.com/article/us-china-security-idUSKBN0UA07220151228
China passed a controversial new anti-terrorism law on Sunday that requires technology firms to help decrypt information, but not install security “backdoors” as initially planned, and allows the military to venture overseas on counter-terror operations.
The law has attracted deep concern in Western capitals, not only because of worries it could violate human rights such as freedom of speech, but because of the cyber provisions. U.S. President Barack Obama has said that he had raised concerns about the law directly with Chinese President Xi Jinping.
While a provision in an initial draft that would require companies to keep servers and user data within China was removed from the final law, technology companies will still have to provide help with sensitive encryption information if law enforcement authorities demand it.
Tomi Engdahl says:
RT:
Turkish sites under intensifying, weeks long DDoS attacks that disrupted some banking services over the holidays; Anonymous claims responsibility — Turkish banks & government sites under ‘intense’ attacks on Christmas holidays — Turkey is suffering from a wave of cyber-attacks on financial …
Turkish banks & government sites under ‘intense’ attacks on Christmas holidays
https://www.rt.com/news/327119-turkey-banks-cyber-attacks/
Turkey is suffering from a wave of cyber-attacks on financial and government websites which intensified over Christmas, reportedly resulting in the temporary disruption of credit card transactions.
A video released this week and attributed to Anonymous vowed retribution for Ankara’s alleged ties with ISIS.
The attacks on Turkish servers have been persistent in recent weeks, but on Christmas day Turkish banks suffered a website outage and reportedly saw sporadic disruption to credit card transactions. Isbank, Garanti and Ziraat Bank were among the targets, local media reported.
“It is hard to determine where these attacks are coming from”
“The attacks are serious,” a spokesman for internet provider Turk Telekom, Onur Oz, told Reuters. “But the target is not Turk Telekom. Instead, banks and public institutions are under heavy attack.”
Tomi Engdahl says:
Nathaniel Popper / New York Times:
How Gary Alford, an IRS special agent assigned to work with the DEA, used Google search, old chat room logs, and more to track down Silk Road’s Ross Ulbricht — The Tax Sleuth Who Took Down a Drug Lord — Gary L. Alford was running on adrenaline when he arrived for work on a Monday in June 2013 …
The Tax Sleuth Who Took Down a Drug Lord
http://www.nytimes.com/2015/12/27/business/dealbook/the-unsung-tax-agent-who-put-a-face-on-the-silk-road.html?_r=0
Gary L. Alford was running on adrenaline when he arrived for work on a Monday in June 2013, at the Drug Enforcement Administration office in the Chelsea neighborhood of Manhattan. A tax investigator, he had spent much of the weekend in the living room of his New Jersey townhouse, scrolling through arcane chat rooms and old blog posts, reading on well after his fiancée had gone to sleep.
The work had given Mr. Alford what he believed was the answer to a mystery that had confounded investigators for nearly two years: the identity of the mastermind behind the online drug bazaar known as Silk Road — a criminal known only by his screen name, Dread Pirate Roberts.
While Silk Road by mid-2013 had grown into a juggernaut, selling $300,000 in heroin and other illegal goods each day, federal agents hadn’t been able to figure out the most basic detail: the identity of the person running the site.
It ultimately took Mr. Alford, 38, more than three months to gather enough evidence to prevail upon his colleagues to take his suspect seriously. After he convinced them, though, the man he identified, Ross W. Ulbricht, was arrested and Silk Road shuttered. The night of the arrest, Mr. Alford got an email from one of the other special agents at the center of the case: “Congrats Gary, you were right,” it said.
Tomi Engdahl says:
Joseph Cox / Motherboard:
North Korea’s homegrown Red Star OS computers watermark all documents and media files on inserted USB sticks, to track underground sharing
Inside North Korea’s Totalitarian Operating System
http://motherboard.vice.com/read/inside-north-koreas-totalitarian-operating-system
The goal of a totalitarian regime is to control everything in a country: information, resources, and power. In the 21st century, that even includes omnipotence over the code that the country’s computers use.
Enter RedStar OS: North Korea’s own Linux based operating system, designed to monitor its users and remain resilient to any attempts to modify or otherwise exert control over it. On Sunday at Chaos Communication Congress, a security, art, and politics conference held annually in Hamburg, Germany, researchers Niklaus Schiess and Florian Grunow presented their in-depth investigation of the third version of the operating system.
Schiess and Grunow wanted to document the inner workings of RedStar because its use of freely available software, and in particular Linux, goes against the principles of the open source movement.
“They are using something that is supposed to support free-speech,” Grunow said.
As for what it actually looks like, “it’s a fully featured desktop system,” Schiess told Motherboard. Under the hood, RedStar is based on Fedora 11
Tomi Engdahl says:
Jason Schreier / Kotaku:
Valve says caching issue that allowed Steam users to view pages of others has been fixed, believes no other unauthorized actions were allowed on accounts — Steam Goes Nuts, Offers Access To Other People’s Accounts — Steam faced something of a catastrophe this afternoon …
http://kotaku.com/steam-goes-nuts-offers-access-to-other-peoples-account-1749718979
Steam is back up and running without any known issues. As a result of a configuration change earlier today, a caching issue allowed some users to randomly see pages generated for other users for a period of less than an hour. This issue has since been resolved. We believe no unauthorized actions were allowed on accounts beyond the viewing of cached page information and no additional action is required by users.
Tomi Engdahl says:
Andy Greenberg / Wired:
Profile of Samy Kamkar, hacker behind MySpace Samy worm, Evercookie, and OwnStar, who now showcases his skills on his YouTube channel named Applied Hacking
The Greatest Hits of Samy Kamkar, YouTube’s Favorite Hacker
http://www.wired.com/2015/12/the-greatest-hits-of-samy-kamkar-youtubes-favorite-hacker/
In an age when hackers hire themselves out to organized crime schemes and sell secret intrusion techniques to spy agencies, Samy Kamkar takes a more fun-loving approach to dropping zero-day exploits: YouTube.
Kamkar is the one-man production team and star of a video series he calls Applied Hacking, a YouTube channel that has grown into a tour-de-force display of the 30-year-old coder’s prolific digital mischief. At his peak output, he teaches his more than 50,000 subscribers new security tricks on an almost weekly basis. No household item is safe from his curiosity: He’s tweaked a kid’s toy to open garage doors, 3D-printed a Masterlock-cracking robot, devised a fake charger that can sniff keystrokes, pranked a friend with a doorbell-ringing text message attack, and built a flying drone that can seek out and wirelessly hijack other victim drones.
“I just assume everything is vulnerable,” Kamkar says. “It’s a pretty safe bet.”
Tomi Engdahl says:
191 million voters’ personal info exposed by misconfigured database
http://www.databreaches.net/191-million-voters-personal-info-exposed-by-misconfigured-database/
191 Million US Voters’ Personal Info Exposed by Misconfigured Database
Monday, December 28, 2015 Swati Khandelwal
http://thehackernews.com/2015/12/us-voter-database-hacked.html
Tomi Engdahl says:
Misconfigured Database Exposes Details of 191 Million Voters
http://www.securityweek.com/misconfigured-database-exposes-details-191-million-voters
A misconfigured database whose owner has yet to be identified exposes the personal details of 191 million U.S. voters, researcher Chris Vickery has warned.
The database containing the records of more than 191 million individuals, totaling over 300 gigabytes of information, includes names, gender data, home addresses, mailing addresses, phone numbers, dates of birth, party affiliations, and other details dating back to 2000.Voter database found online
Vickery and others have searched the database for their own records and found that the details stored in it are accurate. Another concerning aspect is that the publicly accessible database also includes the records of police officers.
Fortunately, social security numbers and driver’s license numbers are not affected. However, the leaked information still poses serious security and privacy risks.
The researcher has identified dozens of leaky databases over the past month and he has done his best to contact impacted organizations. However, in this case, tracking down the operator of the database appears to be a difficult task.
Vickery has been assisted by DataBreaches.net and Steve Ragan of Salted Hash in trying to identify the entity responsible for the database, but they haven’t had any success and the database is still online. DataBreaches.net and Ragan have contacted a congressman’s political action committee (PAC) and several political data firms, including Political Data, L2 Political, Aristotle, NGP VAN and Catalist.
DataBreaches.net has reached out to both the FBI and the California Attorney General’s Office
Other Leaky Databases
Vickery has identified dozens of poorly configured database management systems that at one point exposed more than 30 million credentials. The list of leaky databases identified by the expert are associated with MacKeeper, Hello Kitty owner Sanrio, Alliance Health, Uncle Maddio’s Pizza Joint, OkHello, Slingo and many others.
Tomi Engdahl says:
Malware hit the big hotel chain Hyatt – all customers are invited to review payments
Hotel chain Hyatt has asked its customers to review their credit card bills after the company discovered a malicious program payments data handlers machines.
The chain has not provided other information in the burglary.
Hackers have apparently been able to get hold of your credit card information.
Hyatt has about 630 hotels in 52 different destinations
Source: http://www.tivi.fi/Kaikki_uutiset/haittaohjelma-iski-isoon-hotelliketjuun-kaikkia-asiakkaita-pyydetaan-tarkastamaan-maksut-6242038
Official note from Hyatt can be found at http://www.hyatt.com/protectingourcustomers/
Tomi Engdahl says:
Entire US voter registration record leaks (191 million)
https://www.reddit.com/r/privacy/comments/3yinij/entire_us_voter_registration_record_leaks_191/
I’m Chris Vickery. I know your phone number, address, date of birth, and more (if you’re registered to vote in the US).
I have recently downloaded voter registration records for 191 million Americans from a leaky database. I believe this is every registered voter in the entire country. To be very clear, this was not a hack.
The mysterious, insecure database is currently configured for public access. No password or other authentication is required at all. Anyone with an internet connection can grab all 300+ gigabytes.
Update: BIG ANNOUNCEMENT: I’m happy to confirm that the database is now offline! Thank you to whoever finally took if down!
Tomi Engdahl says:
Steve Ragan / CSO:
Names, dates of birth, addresses, phone numbers, voting history for 191M US voters exposed by misconfigured database whose owner remains unidentified — Database configuration issues expose 191 million voter records — Massive database exposed to public, major political data managers deny ownership
Database configuration issues expose 191 million voter records
http://www.csoonline.com/article/3018592/security/database-configuration-issues-expose-191-million-voter-records.html
Massive database exposed to public, major political data managers deny ownership
A misconfigured database has led to the disclosure of 191 million voter records. The database, discovered by researcher Chris Vickery, doesn’t seem to have an owner; it’s just sitting in the public – waiting to be discovered by anyone who happens to be looking.
he database was discovered by researcher Chris Vickery, who shared his findings with Databreaches.net. The two attempted to locate the owner of the database based on the records it housed and other details. However, their attempts didn’t pan out, so they came to Salted Hash for assistance.
“My immediate reaction was disbelief,” Vickery said.
“I needed to know if this was real, so I quickly located the Texas records and ran a search for my own name. I was outraged at the result. Sitting right in front of my eyes, in a strange, random database I had found on the Internet, were details that could lead anyone straight to me. How could someone with 191 million such records be so careless?”
The database contains a voter’s full name (first, middle, last), their home address, mailing address, a unique voter ID, state voter ID, gender, date of birth, date of registration, phone number, a yes/no field for if the number is on the national do-not-call list, political affiliation, and a detailed voting history since 2000. In addition, the database contains fields for voter prediction scores.
All voter information, except for a few elements protected by law in some states, is public record. For example, in Ohio, voter records are posted online. Other states make obtaining voter records a bit more challenging or outright expensive, but they’re still available. For the most part, voter data is restricted to non-commercial purposes.
The database discovered by Vickery doesn’t contain Social Security Numbers or driver license numbers, but it’s still a massive collection of data.
Again, most states or data brokers require that anyone obtaining voter data affirm that they’re not going to use it for commercial gain and that they’ll follow all related state laws.
Yet, because the information Vickery discovered is in a database available to anyone on the Internet who knows how to find it, it’s essentially unrestricted data.
“This file has all the basic information that a voter file would have on you: your address, date of birth, every election you did or didn’t vote in, and some basic demographic information. Campaigns use all of [this] information to target their messages more efficiently: to make sure they’re targeting not just the right people, but people who will actually end up voting. Most of this data is public record, with the caveat that it can only be used for campaign purposes,” explained Maclen Zilber, a Democratic political consultant with the firm Shallman Communications.
“Some major voting data companies will give each voter a rating of how likely they are to turn out and vote”
Who owns the database?
As for the firms contacted by Salted Hash, each of them denied that the database was theirs
data is housed as part of a Linux build
How was this database compiled?
To be perfectly clear, this story is not related to the Sanders / Clinton incident at all.
In fact, the Sanders and Clinton campaigns share the exact same DNC voter database. The information exposed was added by one campaign, and the glitch allowed the other campaign to see it.
What Vickery has discovered is worse, because the data he discovered isn’t a client score – it’s a complete voter record for 191 million registered voters. The problem is, no one seems to care that this database is out there and no one wants to claim ownership.
As it turns out, many state and county elections offices charge for access to voter data.
But did the data in the exposed voter database come from Nation Builder? Based on the database schema and formatting, yes, it did. The personal voter file given to me by Vickery is clearly from a Nation Builder data set.
In the U.S., few vendors maintain a national voter file.
Each vendor that deals with national voter files has their own distinct approach to creating unique identifiers for voters.
In my voter record, the voter ID and the field names point directly to Nation Builder as the source of the data that’s been exposed.
But is Nation Builder to blame? Not really…
So while Nation Builder denied any claim to the IP and the leaked database, it’s entirely possible they might know who developed it – but that would require an extensive records check. This is because a developer or campaign wishing to access the Nation Builder Election Center would need to register their contact details, such as name and email address.
However, Nation Builder is under no obligation to identify customers, and once the data has been obtained, they cannot control what happens to it. In short, while they provided the data that’s in my newly leaked voter record, they’re not liable in any way for it being exposed.
And to be clear, I don’t blame Nation Builder for my leaked record either, I blame the person(s) who developed the database and poorly configured its hosting. I’m just not sure who they are yet.
Based on the voter count and some of the records, the database appears to be from Nation Builder’s 2014 update
The concern is the potential for abuse. Stalking and the exposure of people who normally don’t share their personal information is certainly an issue.
There are other long term issues too. The personal information in this database, including political affiliation, date of birth, could be used to construct a targeted Phishing campaign.
Tomi Engdahl says:
Orin Kerr / Washington Post:
How the Cybersecurity Act of 2015 broadens the powers of network operators to conduct surveillance for the government
How does the Cybersecurity Act of 2015 change the Internet surveillance laws?
https://www.washingtonpost.com/news/volokh-conspiracy/wp/2015/12/24/how-does-the-cybersecurity-act-of-2015-change-the-internet-surveillance-laws/
The Omnibus Appropriations Act that President Obama signed into law last week has a provision called the Cybersecurity Act of 2015. The Cyber Act, as I’ll call it, includes sections about Internet monitoring that modify the Internet surveillance laws. This post details those changes, focusing on how the act broadens powers of network operators to conduct surveillance for cybersecurity purposes. The upshot: The Cyber Act expands those powers in significant ways, although how far isn’t entirely clear.
Tomi Engdahl says:
V8 Javascript Fixes (Horrible!) Random Number Generator
http://hackaday.com/2015/12/28/v8-javascript-fixes-horrible-random-number-generator/
According to this post on the official V8 Javascript blog, the pseudo-random number generator (PRNG) that V8 Javascript uses in Math.random() is horribly flawed and getting replaced with something a lot better. V8 is Google’s fast Javascript engine that they developed for Chrome, and it’s used in Node.js and basically everywhere. The fact that nobody has noticed something like this for the last six years is a little bit worrisome, but it’s been caught and fixed and it’s all going to be better soon.
Tomi Engdahl says:
Jeremy Seth Davis / SC Magazine:
Flawed Chrome extension forcibly installed by AVG antivirus software could have exposed browsing history and other personal data of 9M+ users
AVG’s Chrome extension exposes personal data of 9 million users
http://www.scmagazine.com/avgs-chrome-extension-exposes-personal-data-of-9-million-users/article/462119/
Google Project Zero researcher Tavis Ormandy discovered a vulnerability, since fixed, in AVG Web TuneUp, a Chrome extension that forcibly installs when users install the AVG antivirus software.
The extension, which has over 9 million active users, contains a serious flaw that exposes users’ browsing history, cookies, and personal data to attackers.
“This extension adds numerous JavaScript API’s to chrome, apparently so that they can hijack search settings and the new tab page,” wrote Ormandy in the bug report. “The installation process is quite complicated so that they can bypass the chrome malware checks, which specifically tries to stop abuse of the extension API.”
Tomi Engdahl says:
Wall Street Journal:
Sources: NSA continued to spy on some allies after Snowden leaks, also capturing communications with US lawmakers and Jewish groups
U.S. Spy Net on Israel Snares Congress
National Security Agency’s targeting of Israeli leaders also swept up the content of private conversations with U.S. lawmakers
http://www.wsj.com/article_email/u-s-spy-net-on-israel-snares-congress-1451425210-lMyQjAxMTA1MTI0OTgyNjk4Wj
President Barack Obama announced two years ago he would curtail eavesdropping on friendly heads of state after the world learned the reach of long-secret U.S. surveillance programs.
But behind the scenes, the White House decided to keep certain allies under close watch, current and former U.S. officials said. Topping the list was Israeli Prime Minister Benjamin Netanyahu.
The National Security Agency’s targeting of Israeli leaders and officials also swept up the contents of some of their private conversations with U.S. lawmakers and American-Jewish groups.
Stepped-up NSA eavesdropping revealed to the White House how Mr. Netanyahu and his advisers had leaked details of the U.S.-Iran negotiations
Before former NSA contractor Edward Snowden exposed much of the agency’s spying operations in 2013, there was little worry in the administration about the monitoring of friendly heads of state because it was such a closely held secret. After the revelations and a White House review, Mr. Obama announced in a January 2014 speech he would curb such eavesdropping.
In closed-door debate, the Obama administration weighed which allied leaders belonged on a so-called protected list, shielding them from NSA snooping.
Tomi Engdahl says:
Casey Newton / The Verge:
Twitter cracks down on harassment by rearranging paragraphs in its terms of service — In the wake of former CEO Dick Costolo admitting the company “suck[s] at dealing with abuse,” Twitter has devoted many blog posts to explaining how seriously it takes the issue.
Twitter cracks down on harassment by rearranging paragraphs in its terms of service
Spot the difference, if you can
http://www.theverge.com/2015/12/29/10684616/twitter-harassment-abuse-rules
Tomi Engdahl says:
Micah Lee / The Intercept:
Windows 10 disk encryption keys are uploaded to Microsoft; Home users can delete copy from account, only Pro and Enterprise users can opt out when re-encrypting — Recently Bought a Windows Computer? Microsoft Probably Has Your Encryption Key — One of the excellent features …
Recently Bought a Windows Computer? Microsoft Probably Has Your Encryption Key
https://theintercept.com/2015/12/28/recently-bought-a-windows-computer-microsoft-probably-has-your-encryption-key/
ONE OF THE EXCELLENT FEATURES of new Windows devices is that disk encryption is built-in and turned on by default, protecting your data in case your device is lost or stolen. But what is less well-known is that, if you are like most users and login to Windows 10 using your Microsoft account, your computer automatically uploaded a copy of your recovery key — which can be used to unlock your encrypted disk — to Microsoft’s servers, probably without your knowledge and without an option to opt out.
The fact that new Windows devices require users to backup their recovery key on Microsoft’s servers is remarkably similar to a key escrow system, but with an important difference. Users can choose to delete recovery keys from their Microsoft accounts
“The gold standard in disk encryption is end-to-end encryption, where only you can unlock your disk. This is what most companies use, and it seems to work well,” says Matthew Green, professor of cryptography at Johns Hopkins University. “There are certainly cases where it’s helpful to have a backup of your key or password. In those cases you might opt in to have a company store that information. But handing your keys to a company like Microsoft fundamentally changes the security properties of a disk encryption system.”
As soon as your recovery key leaves your computer, you have no way of knowing its fate. A hacker could have already hacked your Microsoft account and can make a copy of your recovery key before you have time to delete it. Or Microsoft itself could get hacked, or could have hired a rogue employee with access to user data. Or a law enforcement or spy agency could send Microsoft a request for all data in your account, which would legally compel it to hand over your recovery key, which it could do even if the first thing you do after setting up your computer is delete it.
As Green puts it, “Your computer is now only as secure as that database of keys held by Microsoft, which means it may be vulnerable to hackers, foreign governments, and people who can extort Microsoft employees.”
Of course, keeping a backup of your recovery key in your Microsoft account is genuinely useful for probably the majority of Windows users, which is why Microsoft designed the encryption scheme, known as “device encryption,” this way. If something goes wrong and your encrypted Windows computer breaks, you’re going to need this recovery key to gain access to any of your files. Microsoft would rather give their customers crippled disk encryption than risk their data.
“When a device goes into recovery mode, and the user doesn’t have access to the recovery key, the data on the drive will become permanently inaccessible. Based on the possibility of this outcome and a broad survey of customer feedback we chose to automatically backup the user recovery key,” a Microsoft spokesperson told me. “The recovery key requires physical access to the user device and is not useful without it.”
Tomi Engdahl says:
How Hollywood Caught the UK’s Most Prolific Movie Pirates
By Andy on December 27, 2015
https://torrentfreak.com/how-hollywood-caught-the-uks-most-prolific-movie-pirates-151227/
Last week the UK’s most prolific movie pirates were handed sentences totaling 17 years. With claims in court that the men went to great lengths to hide their identities, just how easy was it to catch them? Papers detailing the investigation obtained by TorrentFreak reveal that tracking the men down was a relatively simple affair.
Following a three year investigation by Hollywood-backed anti-piracy group the Federation Against Copyright Theft, last week five of the UK’s most prolific movie pirates were sentenced in the West Midlands.
The men were behind several interrelated movie release groups including RemixHD, 26K, UNiQUE, DTRG and HOPE/RESISTANCE.
“Over a number of years the groups illegally released online more than 2,500 films including Argo, the Avengers and Skyfall,” FACT said in a statement.
“The outreach of their criminality was vast. On just one website where the group shared their films there had been millions of downloads.”
TF has obtained papers detailing the FACT investigation and they reveal that unmasking the men was surprisingly easy.
Tomi Engdahl says:
European Payment Card Protocols Wide Open To Fraud
http://yro.slashdot.org/story/15/12/29/172235/european-payment-card-protocols-wide-open-to-fraud
Researchers have discovered serious security vulnerabilities in a pair of protocols used by software in some point-of-sale terminals, bugs that could lead to easy theft of money from customers or retailers. The vulnerabilities lie in two separate protocols that are used in PoS systems, mainly in Germany, but also in some other European countries.
Payment Card Protocols Wide Open to Fraud
https://www.onthewire.io/payment-card-protocols-wide-open-to-fraud/
Researchers have discovered serious security vulnerabilities in a pair of protocols used by software in some point-of-sale terminals, bugs that could lead to easy theft of money from customers or retailers.
The vulnerabilities lie in two separate protocols that are used in PoS systems, mainly in Germany, but also in some other European countries. Karsten Nohl, a prominent security researcher, and two colleagues, discovered that ZVT, an older protocol, contains a weakness that enables an attacker to read data from credit and debit cards under some circumstances. In order to exploit the vulnerability, an attacker would need to have a man-in-the-middle position on the target network, which isn’t usually a terribly high barrier for experienced attackers.
The attacker also would have the ability to steal a victim’s PIN from a vulnerable terminal, thanks to the use of an easy timing attack. Having the PIN, along with the ability to read the victim’s card data from the terminal, would allow an attacker to execute fraudulent transactions.
“This mechanism is protected by a cryptographic signature (MAC). The symmetric signature key, however, is sometimes stored in Hardware Security Modules (HSMs), of which some are vulnerable to a simple timing attack, which discloses valid signatures.”
Nohl and his colleagues also discovered a problem with the ISO 8583 protocol, which is used for communications between payment terminals and payment processors. One version of this protocol, known as Poseidon, has an authentication flaw related to the way the secret key is implemented in terminals. Many terminals use the same secret key, which makes it somewhat less-than-secret. The researchers discovered that they could manipulate data on a target terminal and get access to the merchant account for that terminal.
“Therefore, after changing a single number (Terminal ID) in any one terminal, that terminal provides access to the merchant account that Terminal ID belongs to. To make matters worse, Terminal IDs are printed on every payment receipt, allowing for simple fraud. Fraudsters can, among other things, refund money, or print SIM card top-up vouchers – all at the cost of the victim merchant,” the researchers wrote.
Tomi Engdahl says:
BlackHat US 2013 – Karsten Nohl – Rooting Sim Cards
https://www.youtube.com/watch?v=wBzb-Zx4rsI
Tomi Engdahl says:
32C3: Beyond Your Cable Modem
http://hackaday.com/2015/12/29/32c3-beyond-your-cable-modem/
[Alexander Graf] gave an absolutely hilarious talk at 32C3 about the security flaws he found in cable modems from two large German ISPs. The vulnerability was very serious, resulting in remote root terminals on essentially any affected cable modem, and the causes were trivial: unencrypted passwords in files that are sent over
While [Alexander] was very careful to point out that he’d disclosed all of these vulnerabilities to the two German cable ISPs that were affected, he notably praised one of them for its speedy response in patching up the holes. As for the other? “They’d better hurry up.” He also mentions that, although he’s not sure, he suspects that similar vulnerabilities are present in other countries. Oh dear.
A very interesting point in the talk is the way that [Alexander] chose to go about informing the cable ISPs. Instead of going to them directly and potentially landing himself in jail, he instead went to the press, and let his contacts at the press talk to the ISPs. This both shielded him from the potential initial heat and puts a bit of additional pressure on the ISPs to fix the vulnerability — when the story hits the front page, they would really like to be ahead of the problem.
Tomi Engdahl says:
32C3: Shopshifting — Breaking Credit Card Payment Systems
http://hackaday.com/2015/12/30/32c3-shopshifting-breaking-credit-card-payment-systems/
Credit card payment systems touch all of our lives, and because of this there’s a lot riding on the security of that technology. The best security research looks into a widely deployed system and finds the problems before the bad guys do. The most entertaining security presentations end up finding face-palmingly bad practices and having a good laugh along the way. The only way to top that off is with live demos. [Karsten Nohl], [Fabian Bräunlein], and [dexter] gave a talk on the security of credit-card payment systems at the 32nd annual Chaos Communications Congress (32C3) that covers all the bases.
While credit card systems themselves have been quite well-scrutinized, the many vendor payment networks that connect the individual terminals haven’t. The end result of this research is that it is possible to steal credit card PINs and remotely refund credits to different cards — even for purchases that have never been made.
The first hack fools someone into entering their credit card PIN into a terminal, and then logging it to a PC. With the stripe data and the PIN, the credit card is totally compromised. Normally, you shouldn’t be able to change this part of the terminal’s behavior, but they manage to figure out the terminal’s secret password that enables creating arbitrary menus, and the game is over.
This was possible because the terminal checks the validity of the password byte by byte. You could therefore look for times that the CPU took a couple more cycles to respond and determine that you had a correct byte. Iterate this eight times, and the eight-byte password is cracked.
The second hack is even more embarrassing. Armed with a password that [Fabian] found in a leaked document on the Internet, a terminal’s ID number (printed on every receipt), and a brute-forceable port address, they could initiate random purchases and refunds remotely.
Finally, and this is our favorite part, [dexter] goes through how he defeated the supposedly-secure hardware security machine (HSM) that holds the “secret” passwords on every card reader machine out there. The clever design stores the password in SRAM with a battery backup, and makes it very difficult to open the box without disconnecting the power, causing the bits to fade away.
just the right place to wedge a grounded needle under the shield
Is there a lesson in all this? Don’t store passwords on devices that you’re giving out to hundreds of thousands of stores.
Tomi Engdahl says:
Law enforcement versus Silicon Valley’s idle problem children
From Ashley Madison to hackable Jeeps
http://www.theregister.co.uk/2015/12/29/security_year_in_review/
Year in review Tensions have been building for a while on the back of revelations from NSA contractor turned whistleblower Edward Snowden but 2015 marked the outbreak of full-on hostilities between tech firms in Silicon Valley and Western governments.
Law enforcement and politicians on both sides of the Atlantic lined up to repeatedly complain that the web was “going dark” (a phrase first used by FBI chief James Comey) as the result of end-to-end encryption and that this was hampering the investigation of terrorism and other serious crimes.
The application of end-to-end encryption means that private encryption keys are held on devices and not by firms providing the services, so there is nothing for tech providers to hand over – even if they are served with a warrant.
Technologists such as Apple’s Tim Cook and cryptographers argue that governments are trying to weaken encryption. Any form of privileged access to government – ie, a backdoor – would inevitably weaken crypto-systems and make them more vulnerable to attacks by foreign governments’ intelligence agencies as well as criminals.
Tomi Engdahl says:
Watch infosec bods swipe PINs, magstripe data from card readers live on stage
http://www.theregister.co.uk/2015/12/30/payment_system_vulnerabilities/
Vulnerabilities in two widely deployed payment system protocols can be exploited to steal PINs, spoof transactions, and secretly reroute cash into other accounts.
The security shortcomings affect two protocols: ZVT, used by 80 per cent of German payment terminals, and Poseidon, a dialect of the global payment standard ISO 8583. The vulnerabilities were disclosed by ace researchers Karsten Nohl and Fabian Bräunlein at the 32nd Chaos Communications Congress, held this week in Germany.
ZVT is a protocol between cash registers and card readers, and Poseidon is used between the card readers and merchant banks. Neither require authentication, and ZVT is used over Ethernet – wired and wireless.
Through ARP spoofing, in which an attacker’s device masquerades as another system on a network, a crook can receive a copy of the card’s magstripe data sent from the card reader. Rather than go straight to the cashier’s machine, the data passes through the thief’s device, and can be used to clone new cards for fraud.
Clearly, the crim has to be on the same network as the reader and the register to pull this off. If a store uses an insecure wireless network to hook up readers and registers, the infiltration is all too easy; otherwise, it’ll have to be an inside job, or a case of physically tampering with shop equipment when no one’s looking.
Tomi Engdahl says:
Patch now! Flash-exploitin’ PC-hijackin’ attack spotted in the wild by Huawei bods
Adobe squeezes out one last batch of security fixes for 2015
http://www.theregister.co.uk/2015/12/28/adobe_flash_security_update/
Adobe has issued new versions of Flash to patch a load of security flaws – one of which is being exploited in the wild.
Curiously, that particular vulnerability (CVE-2015-8651) was reported to the Photoshop giant by Kai Wang and Hunter Gao of Huawei’s IT security department. Could the Chinese tech goliath have caught miscreants trying to exploit the bug to infect its systems? Adobe said the flaw is being used “in limited, targeted attacks.”
People should upgrade their installation of Flash – whether on Windows, OS X, Linux or Chrome OS – as soon as possible before criminals start exploiting more of the bugs. Adobe normally emits security updates on the second Tuesday of the month, but has decided get this one out to folks early.
If your Windows or Mac has Flash version 20.0.0.267 or 18.0.0.324 installed, then you are patched; likewise for version 20.0.0.267 for Google Chrome, 20.0.0.267 for Edge and Internet Explorer 11 on Windows 10; 20.0.0.267 for IE 10 and 11 on Windows 8.x; and 11.2.202.559 for Linux.
Tomi Engdahl says:
Commish: It’s amazing parliament agreed to track 22bn Brits’ car trips. Oh right – it didn’t
Spy camera boss raises questions over ANPR slurp
http://www.theregister.co.uk/2015/12/30/cops_anpr_database_hold_22bn_records/
The legality of a police Automatic Number Plate Recognition (ANPR) database has been called into question by the UK’s Surveillance Camera Commissioner. The National ANPR data centre now holds 22 billion car journeys, he said.
By 2015 it was estimated that the data centre was receiving around 30 million number plate “reads” each day, according to a report by Tony Porter.
The development of the National ANPR Strategy in England and Wales has led to a network of approximately 8,300 cameras connected into to a centralised police database, noted the report.
Each force retains a back office function and retains, in each instance, the obligation of Data Controller relating to that system.
In 2015, the Home Office earmarked £5m to support the development of the National ANPR Service, including cloud-based storage.
The Surveillance Camera Commissioner said in the report: “There is no statutory authority for the creation of the national ANPR database; its creation was never agreed by parliament; and no report on its operation has even been laid before parliament.”
Tomi Engdahl says:
AT&T Snaps Up Assets, Talent From Carrier iQ, Phone Monitoring Startup Goes Offline
http://techcrunch.com/2015/12/30/att-snaps-up-assets-talent-from-carrier-iq-as-phone-monitoring-startup-goes-offline/
Remember Carrier iQ? In the years before Edward Snowden’s revelations about the NSA, the name and its software became synonymous with creepy, unseen monitoring of everything that you do on a smartphone on behalf of carriers and phone makers — allegedly in the name of better user experience.
Now the company appears to be no longer.
TechCrunch has confirmed that AT&T has acquired certain software assets from Carrier iQ, along with some staff. The site itself — and the wider company, it seems — has gone offline.
“We’ve acquired the rights to Carrier iQ’s software, and some CIQ employees moved to AT&T,” an AT&T spokesperson tells us. AT&T signed on as a customer years ago to use the CIQ software across phones on its network to troubleshoot wireless quality for its customers, and the spokesperson went on to explain that this still the case.
Tomi Engdahl says:
Daniel Cooper / Engadget:
Samsung’s new Tizen-based TVs will have GAIA security with pin lock for credit card and other personal info, data encryption, built-in anti-malware system, more — Samsung says its new Tizen TVs will be harder to hack — Samsung has announced that its next generation of Tizen smart TVs will be a lot harder to crack than before.
Samsung says its new Tizen TVs will be harder to hack
After a year in which the weakness of smart TVs were exploited, Samsung goes on the offensive.
http://www.engadget.com/2015/12/30/samsung-tizen-tv-security/
Samsung has announced that its next generation of Tizen smart TVs will be a lot harder to crack than before. The firm has created Gaia, a security product for its 2016 range that promises to do for TV what Knox did for its smartphones. Some of the features promised include locking your credit card information with a smartphone-style pin, encrypting the data it sends out and a built-in anti-malware system. In addition, the TVs will ship with physical encryption chips to make it that much harder for others to access your microphone or, in some models, webcam.
Samsung’s betting big on the internet of things to help recover some of its lost profits, and wants the TV to sit at the heart of this strategy. It believes that people will want to activate their lights, heating and garage doors all from the comfort of their couch without having to take their eyes off The Big Bang Theory. If smart TVs get a reputation for being easy to hack, then Samsung’s models are hardly likely to be big sellers.
Tomi Engdahl says:
Wall Street Journal:
Sources: NSA continued to spy on some allies after Snowden leaks, also capturing communications with US lawmakers and Jewish groups
U.S. Spy Net on Israel Snares Congress
NSA’s targeting of Israeli leaders swept up the content of private conversations with U.S. lawmakers
http://www.wsj.com/article_email/u-s-spy-net-on-israel-snares-congress-1451425210-lMyQjAxMTA1MTI0OTgyNjk4Wj
Tomi Engdahl says:
Jason Schreier / Kotaku:
Valve Apologizes For Steam’s Christmas Malfunction, Says It Affected 34,000 Users — Valve has finally apologized for last week’s Steam Christmas disaster, explaining in a lengthy statement today that the issues stemmed from a Denial of Service attack and wound up exposing the information of around 34,000 users.
Valve Apologizes For Steam’s Christmas Malfunction, Says It Affected 34,000 Users
http://kotaku.com/valve-says-steams-christmas-malfunction-affected-about-1750324479
Valve has finally apologized for last week’s Steam Christmas disaster, explaining in a lengthy statement today that the issues stemmed from a Denial of Service attack and wound up exposing the information of around 34,000 users.
Valve said they’re still working to identify the affected users and will contact them once the process is complete.
On Friday afternoon, December 25, users on Steam found that the digital network had malfunctioned, causing other people’s account information to show up in the store and settings. This lasted around an hour before Valve shut down Steam and fixed the problem.
Today, Valve broke everything down, explaining that they’d been hit by multiple DoS attacks that have caused a wide variety of issues. In an attempt to thwart some of the attacks, Valve inadvertently caused a caching malfunction that exposed some users’ personal information.
“In response to this specific attack, caching rules managed by a Steam web caching partner were deployed in order to both minimize the impact on Steam Store servers and continue to route legitimate user traffic,” the company wrote. “During the second wave of this attack, a second caching configuration was deployed that incorrectly cached web traffic for authenticated users. This configuration error resulted in some users seeing Steam Store responses which were generated for other users.”
Tomi Engdahl says:
Tech Companies Face Criminal Charges If They Notify Users of UK Government Spying
http://news.slashdot.org/story/15/12/31/0339255/tech-companies-face-criminal-charges-if-they-notify-users-of-uk-government-spying
Last week, Yahoo became the latest company promising to alert users who it suspected were being targeted by state-sponsored attacks (excepting Microsoft, who made a similar announcement just today). Twitter, Facebook and Google had previously assured their users that they would be warned of any potential government spying. The UK, it seems, isn’t happy about this. They are pushing through a bill that will punish the leaders of any company that warns its users about British snooping with up to two years in prison.
Tech companies face criminal charges if they notify users of UK government spying
http://www.techspot.com/news/63292-tech-companies-face-criminal-charges-if-they-notify.html
Last week, it was reported that Yahoo had become the latest company that promised to alert users who it suspected were being spied on by state-sponsored actors. Twitter, Facebook and Google had previously assured their users that they would also warn them of any potential government spying. The UK, it seems, isn’t happy about this, and is pushing through a bill that will see the bosses of any company that warns its members that British agencies are monitoring them face up to two years in prison.
Specifically, UK ministers want to make it a criminal offence for tech firms to warn users of requests for access to their communication data made by security organizations such as MI5, MI6 and GCHQ (the Government Communications Headquarters).
Tomi Engdahl says:
NSA Cheerleaders Discover Value of Privacy Only When Their Own Is Violated
http://yro.slashdot.org/story/15/12/30/2351224/nsa-cheerleaders-discover-value-of-privacy-only-when-their-own-is-violated?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29
The Wall Street Journal reported yesterday that the NSA under President Obama targeted Israeli Prime Minister Benjamin Netanyahu and his top aides for surveillance. In the process, the agency ended up eavesdropping on “the contents of some of their private conversations with U.S. lawmakers and American-Jewish groups” about how to sabotage the Iran Deal. All sorts of people who spent many years cheering for and defending the NSA and its programs of mass surveillance are suddenly indignant now that they know the eavesdropping included them and their American and Israeli friends rather than just ordinary people. The long-time GOP chairman of the House Intelligence Committee and unyielding NSA defender Pete Hoekstra last night was truly indignant to learn of this surveillance.
Spying on Congress and Israel: NSA Cheerleaders Discover Value of Privacy Only When Their Own Is Violated
https://theintercept.com/2015/12/30/spying-on-congress-and-israel-nsa-cheerleaders-discover-value-of-privacy-only-when-their-own-is-violated/
The long-time GOP chairman of the House Intelligence Committee and unyielding NSA defender Pete Hoekstra last night was truly indignant to learn of this surveillance
But all that, of course, was before Hoekstra knew that he and his Israeli friends were swept up in the spying of which he was so fond. Now that he knows that it is his privacy and those of his comrades that has been invaded, he is no longer cavalier about it. In fact, he’s so furious that this long-time NSA cheerleader is actually calling for the criminal prosecution of the NSA and Obama officials for the crime of spying on him and his friends.
This pattern — whereby political officials who are vehement supporters of the Surveillance State transform overnight into crusading privacy advocates once they learn that they themselves have been spied on — is one that has repeated itself over and over. It has been seen many times as part of the Snowden revelations, but also well before that.
Tomi Engdahl says:
Lessig: Future Tech Will Help Privacy Catch Up With the Internet
http://yro.slashdot.org/story/15/12/30/239212/lessig-future-tech-will-help-privacy-catch-up-with-the-internet
In a new interview, Harvard law professor Lawrence Lessig shared his view of the future of privacy in this age of data breaches. “The average cost per user of a data breach is now $240 — think of businesses looking at that cost and saying, ‘What if I can find a way to not hold that data, but the value of that data?’ When we do that, our concept of privacy will be different. Our concept so far is that we should give people control over copies of data. In the future, we will not worry about copies of data, but using data.
Lawrence Lessig: Technology Will Create New Models for Privacy Regulation
http://blogs.wsj.com/cio/2015/12/30/lawrence-lessig-how-technology-policy-will-evolve/
There’s no consensus about how the use of personal information should be governed, in the U.S. or globally. What do you think the best international framework for regulating the use of data should be?
What is happening in the technology space will really change in the next three to five years. At MIT, the Enigma group basically makes it possible to use and maintain data without holding data. I am able to ping the server and it processes nothing beyond the data that I need to know … it will make sense for people to no longer hold data, accept in a very narrow sense.
The average cost per user of a data breach is now $240 … think of businesses looking at that cost and saying “What if I can find a way to not hold that data, but the value of that data?” When we do that, our concept of privacy will be different. Our concept so far is that we should give people control over copies of data. In the future, we will not worry about copies of data, but using data. The paradigm of required use will develop once we have really simple ways to hold data. If I were king, I would say it’s too early. Let’s muddle through the next few years. The costs are costly, but the current model of privacy will not make sense going forward.
If I ping a service, and it tells me someone is over 18, I don’t need to hold that fact. … The level of security I have to apply … [is not] the same [that] would be required if I was holding all of this data on my servers. This will radically change the burden of security that people will have.
I think the market will move strongly in that direction. Let the bank keep the money you have. You hold it once in awhile when you want to use it. That is the analogy here.
… I don’t hold data on how old you are, but I could of course capture that data once I ping the server. Then the law needs to control the actual uses of the data, make it possible for systems to insist on single-use purposes.
That … is what the future of privacy regulation looks like. I think the future will be one where I will be able to block (certain) data on a driver from being passed through to an insurance company.
The Snowden revelations triggered a lot of conversation about what the limits of mass government surveillance ought to be. Do you think that any further tightening of those limits is likely, or in order?
I don’t see the political will to really do anything about that. The Snowden revelations advanced hope that there would be this really excited response that would get government to impose really strict regulations. There was some posturing made, and it seemed like we were heading in that direction, but I don’t think we are going there. The NSA won’t be free to do everything, but especially now, we are not going to back away from the war on terror, no matter how idiotic this way of conducting this war is.
Now that the Safe Harbor agreement governing the exchange of data between the U.S. and Europe has been struck down by European courts, do you foresee a sustained push to rein in U.S. Internet businesses in Europe?
I am skeptical. They are going to make it seem that they are protecting privacy, but when push comes to shove, if certain services are not available to you because of privacy restrictions, you back out of restrictions. This is where I think new architecture is going to be so important.
Do you think that the concept of Net Neutrality, which advanced during the Obama administration, will survive coming challenges?
The thing that people will resist … the slogan says regulation should be more technology neutral. I am not sure I ever heard a more idiotic statement in my life. There is no neutrality here, just different modes …
Tomi Engdahl says:
Pavel Polityuk / Reuters:
Ukraine investigates malware attack on a power grid that may have caused a blackout in Ivano-Frankivsk region
Ukraine to probe suspected Russian cyber attack on grid
http://www.reuters.com/article/us-ukraine-crisis-malware-idUSKBN0UE0ZZ20151231?feedType=RSS&feedName=technologyNews
Ukraine will investigate a suspected cyber attack on its power grid, the energy ministry said on Thursday, an incident the country’s secret service has blamed on Russia.
A power company in western Ukraine, Prykarpattyaoblenergo, said on Dec. 23 that a swath of the area it serves had been left without energy, including the regional capital Ivano-Frankivsk, due to “interference” in the work of the system.
Tomi Engdahl says:
BBC:
Sources: BBC websites hit by DDoS attack, services disrupted for several hours — Web attack knocks BBC websites offline — All the BBC’s websites were unavailable early on Thursday morning because of a large web attack. — The problems began about 0700 GMT and meant visitors …
Web attack knocks BBC websites offline
http://www.bbc.com/news/technology-35204915
All the BBC’s websites were unavailable early on Thursday morning because of a large web attack.
The problems began about 0700 GMT and meant visitors to the site saw an error message rather than webpages.
Sources within the BBC said the sites were offline thanks to what is known as a “distributed denial of service” attack.
An earlier statement tweeted by the BBC laid the blame for problems on a “technical issue”.
Tomi Engdahl says:
A top-secret document revealed that UK spy agency GCHQ exploited vulnerabilities in Juniper firewalls. Dated February 2011, it also makes clear that the exploitation went on with the knowledge and apparent cooperation of the NSA. The security vulnerabilities in 13 different models of firewalls made by Juniper Networks were disclosed earlier in December and contained a backdoor disguised to look like debug code.
Source: http://arstechnica.co.uk/business/2015/12/europes-top-tech-news-december-2015/
More: https://theintercept.com/2015/12/23/juniper-firewalls-successfully-targeted-by-nsa-and-gchq/
Tomi Engdahl says:
BBC:
BlackBerry to keep operating in Pakistan after authorities drop demands to access users’ messages — Blackberry to keep operating in Pakistan — Blackberry is no longer going to shut down its operations in Pakistan as it has resolved a row concerning its users’ messages.
Blackberry to keep operating in Pakistan
http://www.bbc.com/news/technology-35204922
Blackberry is no longer going to shut down its operations in Pakistan as it has resolved a row concerning its users’ messages.
Tomi Engdahl says:
Joseph Cox / Motherboard:
Tor Project launching a bug bounty program with HackerOne, sponsored by Open Technology Fund — The Tor Project Is Starting a Bug Bounty Program — The Tor Project, the non-profit that maintains software for anonymity on the internet, will soon be offering a bug bounty program …
The Tor Project Is Starting a Bug Bounty Program
http://motherboard.vice.com/read/the-tor-project-is-starting-a-bug-bounty-program
The Tor Project, the non-profit that maintains software for anonymity on the internet, will soon be offering a bug bounty program, meaning those who find vulnerabilities in Tor applications could get paid for their efforts.
The announcement was made during the recurring “State of the Onion” talk at Chaos Communication Congress, an art, politics and security conference held annually in Hamburg, Germany.
Tomi Engdahl says:
The FBI Refused Our FOIA Request for Information About Its Attack on Tor
http://motherboard.vice.com/read/the-fbi-refused-our-foia-request-for-information-about-its-attack-on-tor?trk_source=recommended
The FBI and Carnegie Mellon University (CMU) really don’t want to talk about their relationship.
The FBI has decided to neither confirm nor deny the existence of any emails, documents, or contracts between the agency and university in response to a Freedom of Information Act (FOIA) request filed by Motherboard.
“Please be advised that it is the FBI’s policy to neither confirm nor deny the existence of any records which would tend to indicate or reveal whether an individual organization is supplying material or investigatory assistance to the FBI,” the response, dated November 19 2015 reads.
Tomi Engdahl says:
McAfee Security Manager lets anybody bypass managers’ security
‘Specially crafted username’ opens the keys to the kingdom of FAIL
http://www.theregister.co.uk/2015/12/07/mcafee_security_manager_lets_managers_bypass_security/
McAfee’s Enterprise Security Manager (ESM) needs patching, as smartly as you can manage, due to an administrator-level authentication bypass.
The advisory here says “a specially crafted username” can get past the Security Information & Event Management logins without authentication, and without a password, “if the ESM is configured to use Active Directory or LDAP”.
That gives the attacker access to NGCP – the default username created at first installation – without checking the password assigned to NGCP when it was created.
Designated CVE-2015-8024, the bug covers “McAfee Enterprise Security Manager (ESM), Enterprise Security Manager/Log Manager (ESMLM), and Enterprise Security Manager/Receiver (ESMREC) 9.3.x before 9.3.2MR19, 9.4.x before 9.4.2MR9, and 9.5.x before 9.5.0MR8, when configured to use Active Directory or LDAP authentication sources, allow remote attackers to bypass authentication by logging in with the username ‘NGCP|NGCP|NGCP;’ and any password”, the advisory states.
spy shop London says:
Hi to every one, as I am really keen of reading this
weblog’s post to be updated on a regular basis. It contains nice material.
doorman bouncer says:
Hi everyone, it’s my first visit att this site, and article is really fruityful in favor of
me, keep up posting such articles.
non lethal weapons says:
you’re in point of fact a excellent webmaster. The website loading speed
is incredible. It kind of feels that you are doing any distinctive trick.
Also, The contents are masterpiece. you have performed a wonderful activity on this subject!
ROADLUX says:
Hi! you have done a great job. your website is really a very informative. I really appreciate your website.
thanks for sharing.
Belkin Setup says:
yes you are right… Cyber security need to be more secure … because cyber crimes are increasing day by day … and with out security our country will suffer most … nice article ..full of interesting information…