Security trends for 2016

Here are my predictions for trends in information security and cyber security for year 2016.

Year 2015 was pretty bad for information security, and I would say that the trend is worrying. So I expect the year 2016 will have many information security challenges. If you want to keep yourself up at night, spend some time reading about the latest developments in cybersecurity. In 2015 airplanes were hacked, cars were hacked, and vulnerabilities were found in a breathtaking range of sensitive equipment from TSA locks to voting booths to medical devices. The big picture is even scarier. Former NSA Director Mike McConnell suspects China has hacked “every major corporation” in the US. Those problems will continue in 2016 and some new targets for attacks will be found. The system is broken. It isn’t keeping us, our companies, or our government safe. Worse yet, no one seems to know how to fix it.

Attacks through networks are becoming more common all the time. It will be hard to protect against targeted attacks. Hackers will not only customize malware, but they will increasingly use sophisticated phishing and social engineering tricks to gain access to sensitive data. Attackers usually cover their tracks carefully, and identifying who is behind an attack can be very difficult. Behind targeted attacks are usually professional criminals. Criminals do not respect geographical borders and hence attacks are spread evenly everywhere. Companies will struggle to absorb the security threats of combined PC and mobile devices in 2016.

 


EU information security decisions made in late 2015 will have an impact on what comes in 2016: the new EU data protection legislation package was approved, and the EU Court of Justice ruled that the Safe Harbor procedure is invalid. This means that transfers of personal data from EU countries to the United States under Safe Harbor are a violation of law – you need some other agreement for this. The situation will probably get clarified during 2016. Data protection legislation changes will lead to increased fines for the unprepared. Legal uncertainty and big fines are a toxic cocktail for some companies. The combination of stiff penalties and ambiguously worded provisions in the new EU-wide data protection law, which would replace a patchwork of 28 national laws, raises daunting prospects for companies operating in Europe.

After the huge number of user information leaks in 2015 from all kinds of Internet services, cloud companies will face the challenge of gaining trust in their security. You might have just dared to trust “the right cloud services”, since from the traditional information security point of view they seemed to have the main things in order, but the privacy issues these leaks raised change that.

New environments will bring new threats. New operating system versions mean that administrators and users are less familiar with the environments. IPv6 will get more widely used, and the security of IPv6 networks is different from IPv4. Organizations are moving to virtualized environments, which are complex and create network layers that can become an attack vector. Growing network virtualization functionality and programmability are both an opportunity and a threat to security. Cyber security research will be important in 2016 as 5G networks will be critical infrastructure, on top of which for example transport, industry, health and the new operators will set up their business around 2020.

The huge amount of information security information is becoming harder and harder to manage in 2016. A key problem with security revelations, as with all other news coverage, is the exponential growth of knowledge. There is a variety of news summaries produced on a daily basis, but they are not enough to get a good picture of what is happening. There are bigger and smaller news items, the impact of which is at times very difficult to assess. SMBs will become a bigger target for cybercriminals. Network and security professionals continue to be among the toughest IT talent to find and hire.

The old way of network security focused on perimeter defense is not enough in 2016. The old mantras “encrypt everything” and “secure the perimeter” are not enough. One deceptive truth seems to drive much of the cybersecurity industry down a rabbit hole: if you keep bad actors and bad software out of your system, you have nothing to worry about. It does not work like that anymore. As perimeter security gets stronger, malicious actors are looking for easier entry points to compromise an organisation through the breadth of its digital attack surface. Now malicious actors target “endpoints”—any device or sensor connected to a network—to break into that network. Traditional sandboxing will no longer protect against the growing malware landscape. Today, most private networks have far too many endpoints to properly secure. In an age of “Bring Your Own Device,” the cloud, remote access, and the Internet of Things, there are too many vulnerabilities hackers can exploit. Keep in mind that everything connected to the Internet can, and will, be hacked. To address those threats in 2016, security experts should assume compromise – that hackers and malware already have breached their defenses, or soon will – and instead classify and mitigate threats. In addition to the public key infrastructure lock-and-key system you will also need an integrity solution that acts like an alarm. To protect against advanced threats, security professionals will increase their reliance on centralized security management solutions. You need to have prioritization and response plans for various kinds of breaches – with a strong focus on integrity.
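As an added illustration (not from the original post) of the “integrity solution that acts like an alarm” mentioned above: a minimal file-integrity check in Python that records SHA-256 digests of a directory tree into a baseline, authenticates that baseline with an HMAC so whoever modified the files cannot quietly rewrite it too, and reports added, removed and changed files. The key value, the paths and the file contents are constructed for the demo; in real use the key stays off the monitored host.

```python
import hashlib
import hmac
import json
import os
import tempfile

# Constructed demo key. Keep the real one off the monitored host (e.g. on the
# monitoring server), otherwise an intruder can re-sign a baseline of their own.
BASELINE_KEY = b"demo-key-keep-this-off-the-monitored-host"


def file_digest(path):
    """SHA-256 of one file, read in chunks so large files are handled."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map every regular file under root (relative, '/'-separated) to its digest."""
    entries = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            entries[rel] = file_digest(full)
    return entries


def sign_baseline(entries, key=BASELINE_KEY):
    """Serialise the manifest canonically (sorted keys) and attach an HMAC tag."""
    body = json.dumps(entries, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"manifest": body.decode(), "tag": tag}


def load_baseline(signed, key=BASELINE_KEY):
    """Check the tag before trusting the manifest; a tampered baseline raises."""
    body = signed["manifest"].encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signed["tag"]):
        raise ValueError("baseline manifest failed integrity check")
    return json.loads(body)


def check_integrity(root, signed, key=BASELINE_KEY):
    """Compare the live tree with the signed baseline; any non-empty list is the alarm."""
    baseline = load_baseline(signed, key)
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in current
                           if p in baseline and current[p] != baseline[p]),
    }


def demo():
    """End-to-end run on a constructed temporary tree; returns the alarm report."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        with open(os.path.join(root, "etc", "app.conf"), "w") as f:
            f.write("listen = 127.0.0.1\n")
        with open(os.path.join(root, "service.py"), "w") as f:
            f.write("print('hello')\n")
        signed = sign_baseline(build_baseline(root))

        # Simulated changes after the baseline: config edited, new file dropped,
        # one file deleted. All three should be reported.
        with open(os.path.join(root, "etc", "app.conf"), "w") as f:
            f.write("listen = 0.0.0.0\n")
        with open(os.path.join(root, "cron.sh"), "w") as f:
            f.write("#!/bin/sh\n")
        os.remove(os.path.join(root, "service.py"))
        return check_integrity(root, signed)


def demo_tampered_baseline():
    """Editing the stored manifest without the key must trip the tag check."""
    signed = sign_baseline({"a.txt": "00"})
    signed["manifest"] = json.dumps({"a.txt": "ff"})
    try:
        load_baseline(signed)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```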

Tension between law enforcement and Silicon Valley will continue to be strong throughout 2016. In 2015 law enforcement and politicians on both sides of the Atlantic lined up to repeatedly complain that the web was “going dark” as the result of end-to-end encryption and that this was hampering the investigation of terrorism and other serious crimes. Technologists and cryptographers argue that governments are trying to weaken encryption by demanding some form of privileged access for government. It’s not clear how much encryption the NSA can break. With renewed focus on how encrypted messages can be used to plot terrorist attacks, President Barack Obama’s administration is stepping up pressure on the tech sector to help in the battle. Privacy remains a major counter-argument. It seems that governments lie about encryption backdoors. Encryption systems weakened by mandated backdoors would not be effective in fighting the terrorists that governments invoke as their reason for wanting those backdoors in the first place.

But this does not stop some government officials from demanding such a thing, with varying success in different countries. Another fact is that the existence of coded communications is a reality and the U.S. may not be able to do much about it, because nearly everyone living in modern society uses it: encryption protects your bank information, prevents your password from being stolen when you log into a website, and allows all e-commerce transactions to take place securely. Encryption weakened by mandated backdoors would put all of us at an enormous risk of exposure from data breaches and associated online risks. The truth in 2016 is that any form of privileged access for government – i.e. a backdoor – would inevitably weaken crypto-systems and make them more vulnerable to attacks by foreign governments’ intelligence agencies as well as criminals. Juniper’s VPN security hole is proof that government backdoors are bonkers. Encryption backdoors would be a gleeful win-win for terrorists and a horrific lose-lose for you – the bad guys having strong protections for their data, and the rest of us not. Poorly thought-out and crude surveillance techniques could have a devastating effect on a country’s internet security; for example, Kazakhstan will force its citizens to install internet backdoors by requiring all Internet users to install a state-issued root certificate by January 1, 2016.

Google, Mozilla and Microsoft are pushing for an early SHA-1 crypto cutoff that could happen in 2016 instead of the earlier planned January 1, 2017, due to recent research showing that SHA-1 is weaker than previously believed, because it has been cracked without enormous effort. Mozilla, Microsoft and now Google are all considering bringing the deadline forward by six months to July 1, 2016. SHA-2 is going to be used as the replacement function for SHA-1. Websites like Facebook and those protected by CloudFlare have implemented a SHA-1 fallback mechanism for those systems that do not support SHA-2. Chrome will start displaying errors if SHA-1 certificates are employed in early 2016 and will completely stop supporting SHA-1 certificates at the end of 2016.

The use of blockchain technology, a permissionless distributed database based on the bitcoin protocol that runs across a global network of independent computers, will spread beyond just the Bitcoin virtual currency. With bitcoin, the blockchain tracks the exchange of money. But it can also track the exchange of anything else that holds value, including stocks, bonds, and other financial securities. Overstock has already used the blockchain to issue private bonds. The Securities and Exchange Commission has approved a plan from online retailer Overstock.com to issue company stock via the Internet, signaling a significant shift in the way financial securities will be distributed and traded in the years to come. Overstock built its technology under the aegis of a subsidiary called TØ.com, and it plans to offer this “cryptosecurity” tech as a service to other businesses. Nasdaq OMX—the company behind the Nasdaq stock exchange—is using the blockchain to oversee the exchange of private stock. Also, several major companies from across both the technology and financial industries—including IBM, Intel, and Cisco as well as the London Stock Exchange Group and big-name banks JP Morgan, Wells Fargo, and State Street—have joined forces with the Linux Foundation to create an alternative to the blockchain.

The use of disk encryption will increase, and there are different ways to do it with different security levels. Microsoft has introduced Windows 10 disk encryption where the recovery keys are uploaded to Microsoft. This approach has some advantages and disadvantages. The gold standard in disk encryption is end-to-end encryption, where only you can unlock your disk. This is what most companies use, and it seems to work well. It protects data in case your device is lost or stolen. But what if you forget or lose your key? There are certainly cases where it’s helpful to have a backup of your key or password – so keeping a backup of your recovery key in your Microsoft account could be genuinely useful for probably the majority of users that don’t have high security needs. The disadvantage of this approach is that your computer is now only as secure as that database of keys held by Microsoft, which means it may be vulnerable to hackers, foreign governments, and people who can extort Microsoft employees.


Weak and leaked passwords are still a huge security problem in 2016. Passwords are often the weakest part when it comes to securing users’ accounts, as many don’t use complex passwords or they reuse the same password across services. Two-factor authentication – like using a USB stick with a secret token or entering a code sent via text message to your phone – can help to increase security, but many users also find this to be a hassle as it introduces an additional step to the login process.

Google has begun testing a login system that uses phone notifications for authentication instead of passwords: users authenticate by responding to a notification sent to their smartphone. The idea is similar to Yahoo’s recently launched “Account Key,” which also offers a password-free means of signing in involving a push notification sent to your phone that then opens an app where you approve the log-in.

The smartphone will become a more and more security-critical part of your life. “Increasingly, individuals and organisations are adopting password managers and multi-factor authentication technologies to plug some of the holes in password-based authentication. We foresee a world where practically everyone uses their smartphone as a multi-factor authentication element. In this world, the smartphone becomes your most valuable asset: something that enables you to unlock your life online and a target for attackers seeking to access your services.”

Expect that the number of mobile vulnerabilities will only grow in 2016. In 2016 we will see increasing numbers of cyber criminals using mobile applications to spread malware. Mobile presents an easy target for cyber criminals, because it is an attack surface that is open and extremely difficult to defend once an app has been released. Android threats will become more than just headline-grabbers. Will 2016 be the year iOS malware goes mainstream?


Critical infrastructures will be highly targeted in 2015. SCADA and ICS networks were not designed for security. Attacks against these systems have increased in recent years. I expect this trend to only get worse. There are still many companies that run their critical systems on Windows XP, as “there are some people who don’t have an option to change.” Many times the OS is running in automation and process control systems that run business and mission-critical systems, both in private sector and government enterprises. For example, the US Navy is using the obsolete operating system Microsoft Windows XP to run critical tasks. It all comes down to money and resources, but if someone is obliged to keep something running on an obsolete system, it’s completely the wrong approach to information security.

Cars were hacked at a record rate in 2015, and they will be hacked at least at the same rate in 2016. Modern cars feature more gadgetry and connected systems, and this makes vehicles just as vulnerable to today’s threats and attacks. I Am The Cavalry has published a Five Star Cyber Safety Framework to mitigate this threat in cars; hopefully car component makers study it.

IoT and smart devices are still at risk. The Internet of Things will continue to emerge, and businesses will need to think about how to protect their smart devices and prepare for the wider adoption of IoT. IoT platforms are not yet the weapon of choice for commercial malware authors – but businesses beware. Wearables won’t be safe either, as they are built using largely the same, too often vulnerable, technologies as other IoT systems. IoT security is still in its infancy in 2016.

Cyber criminals became more active in 2015, particularly with ransomware. The ransomware problem will continue to be big in 2016. Commercial malware authors will continue to invest heavily and exploit kits will continue to dominate on the web. Ransomware today is big business. Ransomware takes control of a computer and holds it hostage until the victim pays, usually in the digital currency Bitcoin. As a remedy against ransomware I recommend making sure that your IT support or service provider has a data backup and restore procedure that is operational, practiced and tested. You may need it in 2016 to get your data back without considering paying criminals. To date ransomware has hit Windows users hardest, although Android and MacOS users are now also facing similar extortion.

Ransomware will continue to dominate in 2016 and it is only a question of time before we see things beyond data being ransomed. We have already seen websites being held ransom with DDoS. Intel’s McAfee Labs also noted a huge spike in ransomware in early 2015, and worries about ransomware in the IoT space—including medical devices. And Kaspersky predicts the “nightmare of ransomware” to continue and “spread to new frontiers” in 2016. The article Ransomware Is Coming to Medical Devices tells that according to a report released recently by Forrester Research, the number one cybersecurity prediction for 2016 is: “We’ll see ransomware for a medical device or wearable.” “It’s definitely feasible from a technical standpoint.” Networked medical devices save lives. Despite the hacking risk, it’s an informed trade-off. Medical device ransomware would be a modern form of highway robbery with lives at stake.

2,232 Comments

  1. Tomi Engdahl says:

    Dissension Grows Inside Anonymous Because Of Political Propaganda
    https://news.slashdot.org/story/16/04/28/2259249/dissension-grows-inside-anonymous-because-of-political-propaganda

    Political tensions relating to the U.S. presidential race are creating turmoil inside the Anonymous hacker collective, muddling waters even more in a group that’s known for its lack of leadership and a common goal. The most recent Anonymous infighting relates to the actions of the group’s most famous news portal known as AnonHQ, who’s been showing downright public support for Bernie Sanders,

    Reply
  2. Tomi Engdahl says:

    Top Security Experts Say Anti-Encryption Bill Authors Are ‘Woefully Ignorant’
    https://yro.slashdot.org/story/16/04/28/1954255/top-security-experts-say-anti-encryption-bill-authors-are-woefully-ignorant

    In a Wall Street Journal editorial titled “Encryption Without Tears,” Sens. Richard Burr and Dianne Feinstein pushed back on widespread condemnation of their Compliance with Court Orders Act, which would require tech companies to provide authorities with user data in an “intelligible” format if served with a warrant. But security experts Bruce Schneier, Matthew Green, and others say the lawmakers entirely misunderstand the issue. “On a weekly basis we see gigabytes of that information dumped to the Internet,” Green told the Daily Dot. “This is the whole problem that encryption is intended to solve.” He added: “You can’t hold out the current flaws in the Internet as a justification for why the Internet shouldn’t be made secure.”

    Top security experts say senators behind anti-encryption bill are ‘woefully ignorant’
    http://www.dailydot.com/politics/encryption-security-argument-burr-feinstein-op-ed/

    The senators behind a controversial encryption bill defended their work in an op-ed on Wednesday night, but security experts pounced on their reasoning and said it was evidence of their technological illiteracy.

    In a Wall Street Journal editorial titled “Encryption Without Tears,” Sens. Richard Burr (R-N.C.) and Dianne Feinstein (D-Calif.) pushed back on widespread condemnation of their Compliance with Court Orders Act, which would require tech companies to provide authorities with user data in an “intelligible” format if served with a warrant.

    Silicon Valley companies, technologists, and civil-society groups have blasted the bill because it would effectively outlaw end-to-end encryption, which shields users’ communications so that even the companies cannot read them.

    The legislation is part of a decades-long battle between law-enforcement officials who say tech companies should only use breakable encryption and security experts who say unbreakable encryption is a vital tool for digital safety.

    Reply
  3. Tomi Engdahl says:

    GCHQ Has Disclosed Over 20 Vulnerabilities This Year, Including Ones in iOS
    http://motherboard.vice.com/read/gchq-vulnerabilities-mozilla-apple

    Earlier this week, it emerged that a section of Government Communications Headquarters (GCHQ), the UK’s signal intelligence agency, had disclosed a serious vulnerability in Firefox to Mozilla. Now, GCHQ has said it helped fix nearly two dozen individual vulnerabilities in the past few months, including in highly popular pieces of software like iOS.

    “So far in 2016 GCHQ/CESG has disclosed more than 20 vulnerabilities across a number of software products,”

    Reply
  4. Tomi Engdahl says:

    Another Day, Another Hack: Millions of User Accounts for Streaming App ’17′
    http://motherboard.vice.com/read/another-day-another-hack-millions-of-user-accounts-for-streaming-app-17?trk_source=recommended

    Quite literally, every day someone gets hacked. Whether that’s a telecommunications company having its customer data stolen, or another chain of businesses being ripped for all the credit cards it processes, today one hack just seems to melt into another.

    A hacker is advertising a cache of email addresses, poorly secured passwords, phone numbers, and other information from users of photo sharing and video streaming app ’17′, which is particularly popular in Asia.

    The data is being sold on The Real Deal, a dark web market that specialises in stolen information and computer exploits.

    The data was allegedly obtained via an app server, and not the company’s website, the hacker advertising the data told Motherboard in an encrypted chat.

    “Vuln[erability] and some shit security,”

    The passwords were hashed using the notoriously weak MD5 algorithm. Because of this, Motherboard was quickly able to obtain users’ full passwords by using simple online tools.

    In all, the hacker claims to have obtained information on 30 million users.

    Reply
  5. Tomi Engdahl says:

    The Intercept:
    US Director of National Intelligence James Clapper complains that Edward Snowden sped up spread of encryption by seven years

    Spy Chief Complains That Edward Snowden Sped Up Spread of Encryption by 7 Years
    https://theintercept.com/2016/04/25/spy-chief-complains-that-edward-snowden-sped-up-spread-of-encryption-by-7-years/

    THE DIRECTOR OF NATIONAL INTELLIGENCE on Monday blamed NSA whistleblower Edward Snowden for advancing the development of user-friendly, widely available strong encryption.

    The shortened timeline has had “a profound effect on our ability to collect, particularly against terrorists,” he said.

    When pressed by The Intercept to explain his figure, Clapper said it came from the National Security Agency. “The projected growth maturation and installation of commercially available encryption — what they had forecasted for seven years ahead, three years ago, was accelerated to now, because of the revelation of the leaks.”

    Asked if that was a good thing, leading to better protection for American consumers from the arms race of hackers constantly trying to penetrate software worldwide, Clapper answered no.

    “From our standpoint, it’s not … it’s not a good thing,” he said.

    Technologists have been tirelessly working to strengthen encryption for decades, not just the past few years.

    Reply
  6. Tomi Engdahl says:

    Hipster hackers cook up ‘artisan’ Squiblydoo attack
    Native OS tools, living off the land… it’s all very crunchy
    http://www.theregister.co.uk/2016/04/29/squiblydoo/

    Hackers have figured out how to bypass application whitelisting software by utilising tools that are built into Windows by default.

    Squiblydoo allows a user with normal privileges to download and execute a script hosted on a remote server. All of this is done with signed Microsoft binaries that are installed with the operating system.

    Carbon Black warns that Squiblydoo is geared towards evading detection and blocking mechanisms. The techniques evident in Squiblydoo continues a trend of attackers using native OS tools to conduct attacks, previously seen with malware written in PowerShell, it adds.

    Reply
  7. Tomi Engdahl says:

    Google AI gains access to 1.2m confidential NHS patient records
    Deal with Royal Free London to slurp info surprises and shocks
    http://www.theregister.co.uk/2016/04/29/google_given_access_to_reams_of_confidential_patient_information/

    Google has been given access to huge swathes of confidential patient information in the UK, raising fears yet again over how NHS managers view and handle data under their control.

    In an agreement uncovered by the New Scientist, Google and its DeepMind artificial intelligence wing have been granted access to current and historic patient data at three London hospitals run by the Royal Free NHS Trust, covering 1.6 million individuals.

    That would include any chronic illness people may be suffering from and the circumstances over why they were admitted – for example, if they have suffered a drug overdose. The agreement provides Google with access to data going back five years and is far more expansive than expected

    Reply
  8. Tomi Engdahl says:

    Man jailed for failing to decrypt hard drives
    http://www.bbc.com/news/technology-36159146

    A man has been held in prison for seven months after failing to decrypt two hard drives that investigators suspect contain indecent images of children.

    A court order says the man will remain jailed “until such time that he fully complies” with an order to unlock the password-protected devices.

    The US man, who has not been charged with possessing illegal images, is appealing against his detention.

    “He has never in his life been charged with a crime,” wrote his lawyer.

    The case highlights the US government’s ongoing battle with data encryption.

    The man, a former police sergeant, cannot be named for legal reasons.

    The investigators had been monitoring the online network Freenet and decided to search the man’s home, according to news site Ars Technica.

    Child sex abuse image suspect jailed indefinitely for refusing to decrypt hard drives
    Man to remain locked up “until such time that he fully complies” with court order.
    http://arstechnica.co.uk/tech-policy/2016/04/child-porn-suspect-jailed-for-7-months-for-refusing-to-decrypt-hard-drives/

    A Philadelphia man suspected of possessing child sexual abuse images has been in jail for seven months and counting after being found in contempt of a court order demanding that he decrypt two password-protected hard drives.

    The suspect, a former Philadelphia Police Department sergeant, has not been charged with any child sex abuse crimes. Instead, he remains indefinitely imprisoned in Philadelphia’s Federal Detention Center for refusing to unlock two drives encrypted with Apple’s FileVault software in a case that once again highlights the extent to which the authorities are going to crack encrypted devices. The man is to remain jailed “until such time that he fully complies” with the decryption order.

    The suspect’s attorney, Federal Public Defender Keith Donoghue, urged a federal appeals court on Tuesday to release his client immediately, pending the outcome of appeals. “Not only is he presently being held without charges, but he has never in his life been charged with a crime,”

    Reply
  9. Tomi Engdahl says:

    Fareed vs Edward Snowden on encryption
    http://edition.cnn.com/videos/tv/2016/04/29/exp-gps-snowden-debate-clip.cnn

    Fareed Zakaria, GPS
    A sneak peek of a spirited debate with the former NSA contractor on government access to encrypted devices, in light of Apple’s legal battle with the FBI.
    Source: CNN

    Reply
  10. Tomi Engdahl says:

    Craig Wright revealed as Bitcoin creator Satoshi Nakamoto
    http://www.bbc.com/news/technology-36168863

    Australian entrepreneur Craig Wright has publicly identified himself as Bitcoin creator Satoshi Nakamoto.

    His admission ends years of speculation about who came up with the original ideas underlying the digital cash system.

    Mr Wright has provided technical proof to back up his claim using coins known to be owned by Bitcoin’s creator.

    Prominent members of the Bitcoin community and its core development team have also confirmed Mr Wright’s claim.

    Mr Wright has revealed his identity to three media organisations – the BBC, the Economist and GQ.

    At the meeting with the BBC, Mr Wright digitally signed messages using cryptographic keys created during the early days of Bitcoin’s development. The keys are inextricably linked to blocks of bitcoins known to have been created or “mined” by Satoshi Nakamoto.

    Renowned cryptographer Hal Finney was one of the engineers who helped turn Mr Wright’s ideas into the Bitcoin protocol, he said.

    Reply
  11. Tomi Engdahl says:

    Hackers steal millions of Minecraft passwords
    http://www.bbc.com/news/technology-36168860

    Hackers have stolen login data for more than seven million members of the Minecraft site Lifeboat.

    Lifeboat lets members run servers for customised, multiplayer maps for the smartphone edition of Minecraft.

    There is evidence that the stolen information, including email addresses and passwords, is being offered on sites that trade in hacked data.

    Analysis suggests passwords were very weakly protected so attackers could easily work them out.

    “A large portion of those passwords would be reverted to plain text in a very short time,” he said in a blogpost about the breach.

    This often leads to other security problems, he said, because many people re-use passwords so finding out one can lead attackers to compromise accounts on other sites.

    Breach concealment is not a security strategy
    https://www.troyhunt.com/breach-concealment-is-not-a-security-strategy/

    Reply
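An added example (not from the post or from the commenters) showing why the unsalted MD5 storage described in comments 4 and 11 gives passwords up so quickly, beside a salted PBKDF2 scheme: identical passwords produce identical MD5 digests, so one precomputed table reverses them for every user at once, whereas a per-user random salt and a slow hash give every record a unique value that has to be recomputed individually. The usernames, passwords, wordlist and the `$`-separated record format are constructed for the demo.

```python
import hashlib
import hmac
import os

# Constructed sample accounts: two users chose the same weak password, which is
# exactly what large breach dumps look like.
USERS = {"alice": "password123", "bob": "password123", "carol": "correct horse"}

# Constructed stand-in for the "simple online tools": a tiny wordlist from which
# a digest->password table is built once and reused against every record.
COMMON_PASSWORDS = ["123456", "password123", "qwerty"]


def md5_record(password):
    """Unsalted MD5, the scheme criticised in the '17' and Lifeboat breaches."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_record(password, iterations=100_000):
    """Hardened storage: 16-byte random salt per user plus a slow, iterated hash.
    Record layout (ours, for the demo): algo$iterations$salt_hex$digest_hex."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "$".join(["pbkdf2_sha256", str(iterations), salt.hex(), digest.hex()])


def verify_pbkdf2(password, record):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def duplicate_hash_count(store):
    """Number of stored values that repeat. Unsalted MD5 exposes shared passwords
    before a single guess is made; salted records never repeat."""
    values = list(store.values())
    return len(values) - len(set(values))


def recover_from_table(md5_store, wordlist):
    """One digest->password table built from the wordlist reverses every matching
    unsalted MD5 record in the store. With per-user salts there is no single
    table to build, so this shortcut does not exist."""
    table = {md5_record(p): p for p in wordlist}
    return {user: table[h] for user, h in md5_store.items() if h in table}


def demo():
    """Store the constructed users both ways and report what each scheme reveals."""
    md5_store = {u: md5_record(p) for u, p in USERS.items()}
    pbkdf2_store = {u: pbkdf2_record(p) for u, p in USERS.items()}
    return {
        "md5_duplicates": duplicate_hash_count(md5_store),
        "pbkdf2_duplicates": duplicate_hash_count(pbkdf2_store),
        "md5_recovered": recover_from_table(md5_store, COMMON_PASSWORDS),
        "alice_login_ok": verify_pbkdf2("password123", pbkdf2_store["alice"]),
        "alice_wrong_rejected": not verify_pbkdf2("Password123", pbkdf2_store["alice"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```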
  12. Tomi Engdahl says:

    IoT security spending to reach $348m in 2016: Gartner
    http://www.zdnet.com/article/iot-security-spending-to-reach-348m-in-2016-gartner/

    Gartner predicts worldwide security spending on the Internet of Things will reach $348 million this year, a figure up 23.7 percent from 2015

    Reply
  13. Tomi Engdahl says:

    Snowden: Without encryption all stops

    Edward Snowden underlined the importance of encryption again on Sunday in the debate on CNN’s Fareed Zakaria. According to him, it is “the backbone of the whole network security”.

    “Encryption save lives. It will protect our property,” Snowden said.

    “Without it, the whole economy shuts down, the administration stops. Everything stops.”

    Encryption is a challenge, he says; it is plain math.

    In order for the government to ensure access to criminals’ devices, it would need to create a key that can end up in the hands of criminals.

    “We require people to leave the home keys under the doormat for the police, but, unfortunately, the same key can not find anyone else in person in the world”.

    Source: http://www.tivi.fi/Kaikki_uutiset/snowden-ilman-salausta-kaikki-pysahtyy-6546698

    Video: http://edition.cnn.com/videos/tv/2016/04/29/exp-gps-snowden-debate-clip.cnn

    Reply
  14. Tomi Engdahl says:

    TTIP Leaks
    http://www.ttip-leaks.org/

    Greenpeace Netherlands has released secret TTIP negotiation documents. We have done so to provide much needed transparency and trigger an informed debate on the treaty.

    Whether you care about environmental issues, animal welfare, labour rights or internet privacy, you should be concerned about what is in these leaked documents. They underline the strong objections civil society and millions of people around the world have voiced: TTIP is about a huge transfer of power from people to big business.

    Reply
  15. Tomi Engdahl says:

    Economist:
    Craig Wright could well be Bitcoin creator Satoshi Nakamoto, but nagging questions remain — Craig Steven Wright claims to be Satoshi Nakamoto. Is he? — Evaluating his claim will involve a multi-step paternity test — IMAGINE that the paternity of a particularly brilliant child is in doubt …

    Craig Steven Wright claims to be Satoshi Nakamoto. Is he?
    Evaluating his claim will involve a multi-step paternity test
    http://www.economist.com/news/briefings/21698061-craig-steven-wright-claims-be-satoshi-nakamoto-bitcoin

    Dan Kaminsky / Dan Kaminsky’s Blog:
    Craig Wright recycled a Satoshi-signed transaction from 2009, tried to pass it off as new — Validating Satoshi (Or Not) — SUMMARY: — Yes, this is a scam. Not maybe. Not possibly. — Wright is pretending he has Satoshi’s signature on Sartre’s writing.

    Validating Satoshi (Or Not)
    https://dankaminsky.com/2016/05/02/validating-satoshi-or-not/

    SUMMARY:

    Yes, this is a scam. Not maybe. Not possibly.
    Wright is pretending he has Satoshi’s signature on Sartre’s writing. That would mean he has the private key, and is likely to be Satoshi. What he actually has is Satoshi’s signature on parts of the public Blockchain, which of course means he doesn’t need the private key and he doesn’t need to be Satoshi. He just needs to make you think Satoshi signed something else besides the Blockchain.

    He probably would have gotten away with it if the signature itself wasn’t googlable by Redditors.

    Reply
  16. Tomi Engdahl says:

    Michigan electricity utility downed by ransomware attack
    Don’t click on the links, don’t click on the links, don’t …
    http://www.theregister.co.uk/2016/05/03/michigan_electricity_utility_downed_by_ransomware_attack/

    A water and electricity authority in the US State of Michigan has needed a week to recover from a ransomware attack that fortunately only hit its enterprise systems.

    Lansing’s BWL – Board of Water & Light – first noticed the successful phishing attack on its corporate systems on April 25, and has had to keep systems including phone servers locked down since then.

    Reply
  17. Tomi Engdahl says:

    Wi-Fi network named ‘mobile detonation device’ grounds plane
    Fears spark two-hour delay as nervous passengers disembark
    http://www.theregister.co.uk/2016/05/03/wifi_hotspot_named_mobile_detonation_device_grounds_plane/

    Australian airline QANTAS delayed a flight for two hours on Saturday after a passenger reported seeing a Wi-Fi network named “Mobile detonation device”.

    The passenger reported the network’s name to crew, who in turn reported it to the captain of the 737, which was due to fly from Melbourne to Perth.

    The captain demanded that the offending device be produced, an order that apparently had no result.

    Crew were eventually satisfied the SSID posed no threat and the plane made it to Perth without incident, albeit a couple of hours late.

    Reply
  18. Tomi Engdahl says:

    Greenpeace leaks TTIP texts, reveals strained negotiations
    Dispute settlement, environmental regulation still sticking points
    http://www.theregister.co.uk/2016/05/03/greenpeace_leaks_ttip_texts_reveals_strained_negotiations/

    The controversial EU-US Transatlantic Trade and Investment Partnership (TTIP) treaty text has been leaked to Greenpeace.

    The documents have been posted at http://www.ttip-leaks.org, and in the main they’ve been picked over for their impact on environmental regulation.

    On that topic, European commentators are hitting the roof, because it’s clear that the US wants dramatic reductions in the EU’s environmental protections. For example, any new European environmental or public health standards would have to go through the treaty process.

    Reply
  19. Tomi Engdahl says:

    Miniature car maker drops massive malware
    Unpatched Joomla possible entry point for Angler, Cryptxxx combo
    http://www.theregister.co.uk/2016/05/03/maisto/

    Popular die cast car manufacturer Maisto has been slinging the deadly Angler exploit kit which in turn installs the Cryptxxx ransomware on victim machines.

    The site appears to have been compromised through an outdated Joomla content management system in what is likely the pseudo-darkleech campaign reported by Sucuri. Malwarebytes researcher Jerome Segura says the attackers have moved from targeting Apache to Microsoft IIS servers.

    “Malicious code was injected directly into the homepage and bears the same pattern as the pseudo-darkleech campaign,” Segura says, before advising “… users should ensure that their computers are fully up-to-date and remove unnecessary or risky plugins such as Flash or Silverlight.”

    Kaspersky offers a tool to decrypt the ransomware for free after the researchers found exploitable vulnerabilities.

    The Angler exploit kit is one of the most dangerous and capable in the world.

    Kaspersky cracks CryptXXX, throws lifeline to ransomware victims
    Nasty bug tries to confuse you by glowing slow on external storage encryption
    http://www.theregister.co.uk/2016/04/27/cryptxxx_cracked/

    Reply
  20. Tomi Engdahl says:

    I am Craig Wright, inventor of Craig Wright
    I can prove I am the man who can prove he is the man who invented Bitcoin
    http://www.theregister.co.uk/2016/05/03/bitcoin_craig_wright/

    “If you are going through hell, keep going.” – Albert Einstein, 1991.

    I remember reading that quote on a motivational poster somewhere or other many years ago. I have carried it with me uncomfortably ever since. There’s no easy way to fold a poster into your pocket. I think I am now finally at peace with what old Bertie meant.

    If I am going through hell as Satoshi Nakamoto, keep going as Craig Wright.

    Yesterday, I told the world I planned to prove I am Satoshi Nakamoto, the inventor of Bitcoin. Many didn’t believe me. Therefore, today, I’m taking it one step further.

    I plan to prove that I am Craig Wright, the inventor of Craig Wright.

    Key verification

    Bitcoin is built on math. Satoshi Nakamoto is built on cryptography. Craig Wright is built on OpenSSL commands. And Craig Wright is built on something stronger.

    Well, I am not that Craig Wright.

    Nor am I the Craig Wright who published buggy bash scripts and command-line snippets to his blog for verification that simply don’t work – or quietly load files pointed to by an environment variable.

    Reply
  21. Tomi Engdahl says:

    Audiophile torrent site What.CD fully pwnable thanks to wrecked RNG
    Use of mt_rand means there’s free .flac for those who crack
    http://www.theregister.co.uk/2016/05/02/what_cd_security_flaw/

    WAHckon Users of popular audiophile torrent site What.CD can make themselves administrators to completely compromise the private music site and bypass its notorious download ratio limits.

    What.CD is the world’s most popular high quality music private torrent site that requires its users to pass an interview testing their knowledge of audio matters before they are granted an account. Users must maintain a high upload to download ratio to continue to download from the site.

    A Wellington, New Zealand-based independent security researcher known as ss23 (@ss2342) says the site is using the mt_rand insecure random number generator in its otherwise secure and well-crafted Gazelle open source content management system.

    He disclosed the vulnerability to the site administrators 12 months ago and was told it would be fixed soon.

    “I reported it a year ago, and they acknowledged it but said ‘don’t worry about it’.”

    He said it was the only exploit he found in the Gazelle content management system which was otherwise secure.

    Reply
  22. Tomi Engdahl says:

    MongoDB on breaches: Software is secure, but some users are idiots
    When will you lazy louts learn to configure your instances?
    http://www.theregister.co.uk/2016/05/03/mongodb_security_breaches_vp_speaks/

    You shouldn’t expect to see any end to data breaches caused by misconfigured instances of MongoDB soon, the company’s strategy veep has told The Register.

    MongoDB is a fairly popular document store in the database world, used by eBay, Foursquare, and The New York Times.

    It’s open source, available under the GNU APL v3.0 license, though a commercial version is available – alongside the regular array of support and services work – from the database’s eponymous developer, formerly known as 10gen.

    Late last month, 93 million Mexican voters’ personal details in an AWS-hosted MongoDB instance were exposed, as uncovered by security researcher Chris Vickery.

    That instance had been configured without any security settings, but so was another when information was stolen from the unsecured test server of a dating site for “beautiful people”, while yet another one, this time containing 13 million MacKeeper users’ information, was again found to be unsecured back in December.

    At the time, Shodan hacker John Matherly alleged that there was “a total of 595.2 TB of data exposed on the internet via publicly accessible MongoDB instances that don’t have any form of authentication.”

    Stirman confessed the number of data breaches occurring was “a little frustrating.”

    “It’s literally as simple as creating a username and password.”

    “Why would anyone ever not have security? I think it really is simply a matter of convenience,” Stirman stated.

    MongoDB’s open source version doesn’t ship pre-secure, which is not unusual among database software. It also runs with the default TCP port 27012, and security researchers have been able to search this port-space to find a large number of servers running in publicly accessible space on the internet that were completely open on the internet. While other databases have also been found to be regularly left open to the ‘net, Stirman said that MongoDB “is particularly popular.”

    “We have an ongoing series of campaigns to educate users and customers of best practices,” the strategy veep added. “We can’t force them to make these changes, but we can educate them.”

    Reply
  23. Tomi Engdahl says:

    NoScript and other popular Firefox add-ons open millions to new attack
    Unlike many browsers, Firefox doesn’t always isolate an add-on’s functions.
    http://arstechnica.com/security/2016/04/noscript-and-other-popular-firefox-add-ons-open-millions-to-new-attack/

    Reply
  24. Tomi Engdahl says:

    I Am Satoshi Nakamoto
    http://hackaday.com/2016/05/03/i-am-satoshi-nakamoto/

    OK, you got me. I’m not. Neither is Dorian Nakamoto, pictured above, and neither is this [Craig White] guy. Or at least, his supposed proof that he is “Satoshi” doesn’t stand up to scrutiny. Indeed, you can re-create it yourself and pretend to be “Satoshi” too.

    “Satoshi Nakamoto” is the person or group of people who invented Bitcoin, and who holds a decent fortune’s worth of the currency.

    If Dan “DNSSEC” Kaminsky can’t verify a signature, there’s a good chance it’s not the real deal.

    The really embarrassing part is that this [Craig White] character claimed to be Satoshi in December 2015.

    TP’s Go Bitcoin Tests – Addresses
    http://gobittest.appspot.com/Address

    Reply
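Kaminsky’s summary in comment 15 and the Hackaday post above come down to one check: an ECDSA signature only proves possession of the key for the exact message it was made over, so a signature copied from an existing on-chain transaction cannot verify against any new text. The following example is added here (it is my code, not from Kaminsky, Hackaday or any Bitcoin project) and implements secp256k1 ECDSA from scratch plus a hypothetical `check_proof` helper that classifies a claimed proof as fresh, recycled or invalid; all keys, the "old transaction" and the "Sartre" text are constructed stand-ins.

```python
"""Pure-Python ECDSA over secp256k1 (constructed example, no external dependencies)."""
import hashlib

# secp256k1 domain parameters: curve y^2 = x^3 + 7 over GF(P), generator G of order N.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def _inv(x, m):
    """Modular inverse of x mod prime m (Fermat's little theorem)."""
    return pow(x % m, m - 2, m)

def _add(p1, p2):
    """Affine point addition; None stands for the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None                          # p1 == -p2
        lam = 3 * x1 * x1 * _inv(2 * y1, P) % P  # tangent slope (curve has a = 0)
    else:
        lam = (y2 - y1) * _inv(x2 - x1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def _mul(k, point):
    """Scalar multiplication by double-and-add."""
    result = None
    while k:
        if k & 1:
            result = _add(result, point)
        point = _add(point, point)
        k >>= 1
    return result

def msg_hash(msg: bytes) -> int:
    """Digest as an integer. Bitcoin double-hashes transaction data; a single
    SHA-256 is enough to show that a signature is bound to one message."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")

def sign(priv: int, z: int):
    """ECDSA signature (r, s) over digest z. The nonce is derived from key and
    digest as a simplified stand-in for RFC 6979 (a nonce must never repeat)."""
    seed = priv.to_bytes(32, "big") + z.to_bytes(32, "big")
    k = int.from_bytes(hashlib.sha256(seed).digest(), "big") % N or 1
    r = _mul(k, G)[0] % N
    s = _inv(k, N) * (z + r * priv) % N
    return (r, s)

def verify(pub, z: int, sig) -> bool:
    """Standard ECDSA verification: True only if sig was made over digest z."""
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = _inv(s, N)
    point = _add(_mul(z * w % N, G), _mul(r * w % N, pub))
    return point is not None and point[0] % N == r

def check_proof(pub, sig, claimed_msg: bytes, public_msgs) -> str:
    """Classify a "here is my signature on this text" claim (hypothetical helper).

    'fresh'    - the signature really covers claimed_msg
    'recycled' - it does not, but it matches a message that is already public,
                 i.e. an old on-chain signature passed off as new
    'invalid'  - it covers neither
    """
    if verify(pub, msg_hash(claimed_msg), sig):
        return "fresh"
    for known in public_msgs:
        if verify(pub, msg_hash(known), sig):
            return "recycled"
    return "invalid"

# Constructed demo data: not real keys, transactions or texts.
DEMO_PRIV = int.from_bytes(
    hashlib.sha256(b"constructed demo key, nobody's real key").digest(), "big") % N
DEMO_PUB = _mul(DEMO_PRIV, G)
OLD_TX = b"constructed stand-in for a 2009 transaction already on the public chain"
SARTRE = b"constructed stand-in for the Sartre passage said to be freshly signed"
OLD_SIG = sign(DEMO_PRIV, msg_hash(OLD_TX))  # already public: anyone can copy it

if __name__ == "__main__":
    print("old tx verifies:", verify(DEMO_PUB, msg_hash(OLD_TX), OLD_SIG))            # True
    print("claim using old sig:", check_proof(DEMO_PUB, OLD_SIG, SARTRE, [OLD_TX]))    # recycled
    fresh_sig = sign(DEMO_PRIV, msg_hash(SARTRE))
    print("claim with real key:", check_proof(DEMO_PUB, fresh_sig, SARTRE, [OLD_TX]))  # fresh
```

Only a signature over a message the verifier chose (a fresh nonce or text) demonstrates key possession; anything that verifies against already-public data proves nothing.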
  25. Tomi Engdahl says:

    EFF revises IM safety ratings after pen testers pop ‘secure’ tools
    Pen tests find holes galore in common messaging apps
    http://www.theregister.co.uk/2016/04/28/pen_testers_find_nasty_holes_in_eff_security_ticked_im_clients/

    Australian security duo Matt Jones and Daniel Hodson have found dangerous vulnerabilities in popular instant messaging platforms marked “secure” by the Electronic Frontier Foundation’s (EFF) Scorecard.

    The EFF says its Secure Messaging Scorecard (SMS) should not be viewed as an endorsement of a given IM platform and says it will update the page to make that statement clearer.

    Secure Messaging Scorecard
    Which apps and tools actually keep your messages safe?
    https://www.eff.org/secure-messaging-scorecard

    Reply
  26. Tomi Engdahl says:

    The Dark Arts: Anonymity
    http://hackaday.com/2016/05/03/the-dark-arts-anonymity/

    Love him or hate him, Edward Snowden knew a thing or two about anonymity.

    One of these documents was a power point presentation of the NSA complaining about how the TAILS operating system was a major thorn in their side.

    He used PGP

    In this article, we’re going to go over the basics of anonymity, and introduce you to methods of staying anonymous while online.

    Reply
  27. Tomi Engdahl says:

    Privacy for anyone anywhere
    https://tails.boum.org/

    Tails is a live operating system that you can start on almost any computer from a DVD, USB stick, or SD card. It aims at preserving your privacy and anonymity, and helps you to:

    use the Internet anonymously and circumvent censorship;
    all connections to the Internet are forced to go through the Tor network;
    leave no trace on the computer you are using unless you ask it explicitly;
    use state-of-the-art cryptographic tools to encrypt your files, emails and instant messaging.

    Reply
  28. Tomi Engdahl says:

    Apple Stole My Music. No, Seriously.
    https://blog.vellumatlanta.com/2016/05/04/apple-stole-my-music-no-seriously/

    “The software is functioning as intended,” said Amber.
    “Wait,” I asked, “so it’s supposed to delete my personal files from my internal hard drive without asking my permission?”
    “Yes,” she replied.

    I had just explained to Amber that 122 GB of music files were missing from my laptop.

    What Amber explained was exactly what I’d feared: through the Apple Music subscription, which I had, Apple now deletes files from its users’ computers. When I signed up for Apple Music, iTunes evaluated my massive collection of Mp3s and WAV files, scanned Apple’s database for what it considered matches, then removed the original files from my internal hard drive. REMOVED them. Deleted. If Apple Music saw a file it didn’t recognize—which came up often, since I’m a freelance composer and have many music files that I created myself—it would then download it to Apple’s database, delete it from my hard drive, and serve it back to me when I wanted to listen, just like it would with my other music files it had deleted.

    This led to four immediate problems:

    1. If Apple serves me my music, that means that when I don’t have wifi access, I can’t listen to it.

    2. What Apple considers a “match” often isn’t.

    3. Although I could click the little cloud icon next to each song title and “get it back” from Apple, their servers aren’t fast enough to make it an easy task.

    4. Should I choose to reclaim my songs via download, the files I would get back would not necessarily be the same as my original files. As a freelance composer, I save WAV files of my own compositions rather than Mp3s.

    If you’re wondering why Apple hasn’t been sued yet, it’s because the iTunes Terms of Use vaguely warn of this issue, then later indemnify Apple and preclude any litigation from users who’ve been boned.

    I recovered my original music files only by using a backup I made weeks earlier. Many people don’t back up as often as they should, though, so this isn’t always an option.

    Reply
  29. Tomi Engdahl says:

    Tess Stynes / Wall Street Journal:
    FireEye CEO Dave DeWalt to step down, will be replaced by president Kevin Mandia as company posts earnings short of expectations

    FireEye Names Mandia as CEO; Its Loss Widens
    Revenue is at low end of its expectations, and the cybersecurity company cut its sales view for the year
    http://www.wsj.com/article_email/fireeye-names-mandia-as-ceo-loss-widens-1462484056-lMyQjAxMTA2MDA2NTAwNTU2Wj

    FireEye Inc. reported a wider loss for the first quarter and named Kevin Mandia as its new chief executive.

    Shares fell 8% to $14.70 in recent after-hours trading as the cybersecurity company also projected a wider loss for the second quarter than analysts had feared and revenue that missed Wall Street’s view.

    FireEye’s main business is selling software to large organizations to detect malicious computer code, or malware. Where FireEye tries to prevent attacks with its software, its Mandiant unit, acquired in late 2013, has focused on investigating security breaches that have occurred.

    Though FireEye, which went public in 2013, has continued to log increases in revenue and billings, the company’s spending has also grown as it has expanded.

    Reply
  30. Tomi Engdahl says:

    Dan Goodin / Ars Technica:
    Qualcomm issues fix for 5 year old Android security flaw that exposes SMS, call history; Android versions prior to 4.3 mostly affected — Critical Qualcomm security bug leaves many phones open to attack — Fix still isn’t available for most users, and many will probably never get it.

    Critical Qualcomm security bug leaves many phones open to attack
    Fix still isn’t available for most users, and many will probably never get it.
    http://arstechnica.com/security/2016/05/5-year-old-android-vulnerability-exposes-texts-and-call-histories/

    Reply
  31. Tomi Engdahl says:

    William Alden / BuzzFeed:
    Internal documents show Palantir losing some top-tier clients and on track to turn over 20% of its staff in 2016

    Inside Palantir, Silicon Valley’s Most Secretive Company
    https://www.buzzfeed.com/williamalden/inside-palantir-silicon-valleys-most-secretive-company?utm_term=.jgXvqWgQp#.fdmjwBdZN

    A cache of internal documents shows that despite growing revenue, Palantir has lost top-tier clients, is struggling to stem staff departures, and isn’t collecting most of the money it touts in high-value deals.

    Reply
  32. Tomi Engdahl says:

    Dan Goodin / Ars Technica:
    Following highly publicized report of 272M email credentials for sale in Russia, Mail.ru and Google both say 98%+ of credentials on their services are invalid

    Garbage in, garbage out: Why Ars ignored this week’s massive password breach
    When a script kiddie sells 272 million accounts for $1, be very, very skeptical.
    http://arstechnica.com/security/2016/05/the-massive-password-breach-that-wasnt-google-says-data-is-98-bogus/

    Earlier this week, mass panic ensued when a security firm reported the recovery of a whopping 272 million account credentials belonging to users of Gmail, Microsoft, Yahoo, and a variety of overseas services. “Big data breaches found at major email services” warned Reuters, the news service that broke the news. Within hours, other news services were running stories based on the report with headlines like “Tech experts: Change your email password now.”

    Since then, both Google and a Russia-based e-mail service unveiled analyses that call into question the validity of the security firm’s entire report.

    “More than 98% of the Google account credentials in this research turned out to be bogus,” a Google representative wrote in an e-mail.

    Separately, Mail.ru, Russia’s biggest e-mail provider, has said that more than 99.98 percent of the credentials it received from security firm Hold Security turned out to be invalid accounts.

    Since most of these services require users to supply an email address as a user name, it’s not surprising that the compiled list would contain millions of addresses provided by some of the world’s biggest providers. But even if the credentials were valid—a big if, given the results of Google’s and Mail.ru’s analysis—that doesn’t mean the list automatically provided a way to gain access to an affected user’s Gmail or Hotmail account. That would happen only if a user reused the password on both a third-party website and the Gmail or Hotmail account. Yes, that practice is all too common, but it’s nowhere near universal.

    Reply
  33. Tomi Engdahl says:

    Malvertising is increasing in sophistication and prevalence, and often being used to distribute ransomware. According to the FBI, criminals are netting an estimated $325–500 million a year through these scams.

    Reply
  34. Tomi Engdahl says:

    The recent high-profile “Panama Papers” exploit, which resulted in the theft of 2.6 terabytes of data from the Mossack Fonseca law firm, highlighted the firm’s failure to effectively secure and manage its open source software.
    Although the exploited component has yet to be pinpointed, the breach investigation has revealed that Mossack Fonseca was delinquent in patching known open source vulnerabilities in both Drupal and WordPress. This lapse exposed sensitive client information.
    Open source software is an essential element in application development today and this breach raises the question: What are the best practices for securing and managing open source to avoid exploitation?

    Source: https://www.brighttalk.com/webcast/13983/202713?utm_source=marketo&utm_medium=emailinvite&utm_campaign=WBN-2015-04-25-6-Myths&mkt_tok=eyJpIjoiTlRJNE4ySmhOR0ptT1RobSIsInQiOiJFbUdicGpLWUlsSFZzRlZPQkdkR1NpU0JFcXNTTVRCaThTN1pTQ0ZXWXBTenlXKzFBckxXc2dPdTc0WHdybkpxZVVqYU10Tkt3Y0tmXC92RDJKVDl4cEkxT1VtckVjU0ZkQTlneEZJTng1XC9nPSJ9

    Reply
  35. Tomi Engdahl says:

    Ubuntu Founder Pledges No Back Doors in Linux
    http://www.eweek.com/enterprise-apps/ubuntu-founder-pledges-no-back-doors-in-linux.html

    VIDEO: Mark Shuttleworth, founder of Canonical and Ubuntu, discusses what might be coming in Ubuntu 16.10 later this year and why security is something he will never compromise.

    One thing that Ubuntu Linux users will also continue to rely on is the strong principled stance that Shuttleworth has on encryption. With the rapid growth of the Linux Foundation’s Let’s Encrypt free Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificate platform this year, Shuttleworth noted that it’s a good idea to consider how that might work in an integrated way with Ubuntu.

    Overall, he said, the move to encryption as a universal expectation is really important.

    “We don’t do encryption to hide things; we do encryption so we can choose what to share,” Shuttleworth said. “That’s a profound choice we should all be able to make.”

    Shuttleworth emphasized that on the encryption debate, Canonical and Ubuntu are crystal clear.

    “We will never backdoor Ubuntu; we will never weaken encryption,” he said.

    Reply
  36. Tomi Engdahl says:

    Lego Robots Crack Gesture-Based Security
    https://it.slashdot.org/story/16/05/08/2135234/lego-robots-crack-gesture-based-security

    Lego Robots outfitted with a “finger” made from molded Play-Doh were able to bypass seven different gesture-based security systems at least 70% of the time, according to a new study funded by DARPA. Gestural ID systems “tend to take a rosy view of the security world in which hackers attempt to breach such defenses via crude impersonation,”

    Lego-Driven Robot Programmed To Hack Gesture-Based Security
    http://motherboard.vice.com/read/lego-driven-robot-programmed-to-hack-touch-screen-authentication-systems

    Among the many clever post-password authentication schemes currently under development is multi-touch gesture analysis. The basic idea is to observe a user’s movements on a touchscreen device for some period of time and to come up with a gestural profile unique to that individual. Then, based on this profile, the system can verify a user’s identity continuously as they use the device.

    The idea sounds fishy, yes. Couldn’t some hacker just observe those same gestures and then mimic them to gain access to a system?

    While gestural ID systems are getting a lot of research play these days thanks to error rates trending toward the low single-digits, they also tend to take a rosy view of the security world in which hackers attempt to breach such defenses via crude impersonation, e.g. when one hacker-user attempts to mirror some target-user

    A DARPA-funded report titled “Robotic Robbery on the Touch Screen” published recently in the journal ACM Transactions on Information and System Security looks at gestural authentication through the eyes of a more sophisticated hacker. It presents two Lego-driven robotic attacks on a touch-based authentication system—one is based on gestural statistics collected over time from a large population of users and the other is based on stealing gestural data directly from a user. Both were pretty effective.

    “Both attacks are launched by a Lego robot that is trained on how to swipe on the touch screen,” the paper explains.

    While continuous gesture-based authentication is really only meant to be a backup to other (one-time) authentication methods, its apparent leakiness should be concerning.

    Toward Robotic Robbery on the Touch Screen
    http://dl.acm.org/citation.cfm?id=2898353

    Reply
  37. Tomi Engdahl says:

    Parents Could Be Sued By Their Kids For Posting Pictures of Them On Facebook
    https://yro.slashdot.org/story/16/05/09/1340213/parents-could-be-sued-by-their-kids-for-posting-pictures-of-them-on-facebook

    Next time you share pictures of your children on Facebook, you will want to take their permission before doing that. French authorities have warned parents in France of fines of up to $50,000 and a year in prison for publishing intimate photos of their children on social media without permission.

    Could children one day sue parents for posting baby pics on Facebook?
    http://www.theguardian.com/sustainable-business/2016/may/08/children-sue-parents-facebook-post-baby-photos-privacy?CMP=oth_b-aplnews_d-2

    Pictures once kept hidden in family photo albums are now being shared with the world, and children may not appreciate it in the future

    That photo of your toddler running around in a nappy or having a temper tantrum? Think before you post it on Facebook. That’s the advice from French authorities, which have warned parents in France they could face fines of up to €45,000 (£35,000) and a year in prison for publishing intimate photos of their children on social media without permission, as part of the country’s strict privacy laws.

    It’s a development that could give pause for thought for many parents used to sharing details of their children’s lives across social media. A 2015 study by internet company Nominet found parents in the UK post nearly 200 photos of their under fives online every year, meaning a child will feature in around 1,000 online photos before their fifth birthday.

    Reply
  38. Tomi Engdahl says:

    Creator of online money Liberty Reserve gets 20 years in prison
    http://money.cnn.com/2016/05/06/technology/liberty-reserve-prison/index.html?iid=hp-stack-dom

    Before the virtual currency Bitcoin there was Liberty Reserve — and its founder just got sentenced to 20 years in prison.

    Arthur Budovsky, 42, ran an online digital money business out of Costa Rica called Liberty Reserve. The U.S. government contended that the whole thing was just a massive, $6 billion money laundering operation.

    For seven years starting in 2006, anyone could use Liberty Reserve’s website to transfer money with little oversight. All the site required was someone’s name, e-mail address, and birthday. Normally, banks have stricter standards to avoid funneling criminal funds.

    But that’s exactly what Liberty Reserve turned into, according to federal agents. It became a favorite for stashing cash by credit card traffickers and identity thieves.

    Liberty Reserve fell into the U.S. government’s sights, because it ran such a huge operation without oversight. In the post-9/11 world, law enforcement was keen to keep track of every dollar to avoid it ending up funding terrorists.

    In January, Budovsky pleaded guilty to money laundering and admitted to secretly moving at least $122 million.

    Reply
  39. Tomi Engdahl says:

    Email Mishap Leaks Google Staff Data
    https://tech.slashdot.org/story/16/05/09/1440201/email-mishap-leaks-google-staff-data

    Google has suffered a data breach which compromised the security of its employees, after the company’s staff benefits vendor mistakenly sent an email containing sensitive data to the wrong recipient. Google has sent a formal apology to an undisclosed number of affected employees.

    Email mishap leaks Google staff data
    https://thestack.com/security/2016/05/09/email-mishap-leaks-google-staff-data/

    Search giant Google has suffered a data breach which compromised the security of its employees, after the company’s staff benefits vendor mistakenly sent an email containing sensitive data to the wrong recipient.

    The document explains how the third-party company, which provides Google with benefits management services, sent the personal information to a benefits manager at another firm by accident. The data included staff names and social security numbers, among other sensitive details.

    Luckily for Google, the person who received it immediately recognised it as incorrectly directed private information, deleted the contents and notified Google’s vendor of the issue. Google is now conducting further investigation to ‘determine the facts’ and is working with the third-party provider to ensure that a similar incident doesn’t happen again.

    Reply
  40. Tomi Engdahl says:

    Babycare e-tailer Kiddicare admits customer data breach
    Info has been doing the rounds underground
    http://www.theregister.co.uk/2016/05/09/kiddicare_data_breach/

    Babycare retailer Kiddicare has warned customers that personal data shared with the store has been stolen by hackers.

    The compromised data is restricted to name, delivery address, telephone number and email address, according to Kiddicare, which is keen to stress that customer payment details or credit/debit card information has not been accessed.

    Reply
  41. Tomi Engdahl says:

    UK.biz is still clueless at fending off malware attacks, says survey
    Security is a custom ‘more honoured in the breach’
    http://www.theregister.co.uk/2016/05/09/uk_gov_breaches_survey/

    Two-thirds of large UK businesses were hit by a cyber breach or attack in the past year, according to a UK government-sponsored survey.

    Nearly seven out of 10 attacks on all firms involved viruses, spyware or malware according to a poll of UK enterprises carried out as part of the Cyber Security Breaches Survey.

    Reply
  42. Tomi Engdahl says:

    Six-year-old patched Stuxnet hole still the web’s biggest killer
    Crusty bait makes for great phishing
    http://www.theregister.co.uk/2016/05/09/sixyearold_patched_stuxnet_hole_still_the_webs_biggest_killer/

    The six-year-old vulnerability first burnt by Stuxnet remains the internet’s chief pwning vector and is a key instrument of the world’s worst exploit kit known as Angler.

    The vulnerability is a hole in Windows Shell that is both long since patched and well publicised as part of its discovery in the US’ Stuxnet worm, the killer malware that laid waste to the Natanz uranium enrichment plant.

    Reply
  43. Tomi Engdahl says:

    Todd Shields / Bloomberg:
    FCC and FTC ask smartphone makers and mobile carriers for information on phone patching process, express concern about long delays and unpatched older devices — FCC and FTC ask for information on process for issuing patches — Letters go to carriers AT&T, Verizon and to device makers

    Apple, Google and Mobile Carriers Asked About Security Fixes
    http://www.bloomberg.com/news/articles/2016-05-09/apple-google-and-wireless-carriers-asked-by-u-s-about-security

    Smartphone makers such as Apple Inc. and Google and mobile carriers including AT&T Inc. and Verizon Communications Inc. face an inquiry by U.S. regulators into how they review and release security updates to combat cyberthieves and Internet vandals.

    The Federal Communications Commission and Federal Trade Commission both issued statements Monday saying they want to know more about how and when vulnerabilities are being patched as consumers and businesses face hacking threats related to their increased reliance on mobile broadband.

    “We are concerned” that “there are significant delays in delivering patches to actual devices — and that older devices may never be patched,” the FCC said in a sample of letters sent to companies that the agency posted on its website.

    Reply
  44. Tomi Engdahl says:

    Paul Sawers / VentureBeat:
    Opera launches a free and unlimited VPN app for iOS — European technology titan Opera Software is today launching a virtual private network (VPN) client for iPhones and iPads. This launch comes three weeks after the announcement of such a feature for its desktop Opera browser.

    Opera launches a free and unlimited VPN app for iOS
    http://venturebeat.com/2016/05/09/opera-launches-a-free-and-unlimited-vpn-app-for-ios/

    European technology titan Opera Software is today launching a virtual private network (VPN) client for iPhones and iPads. This launch comes three weeks after the announcement of such a feature for its desktop Opera browser.

    With Opera VPN for iOS, the Norwegian company — which is being acquired by a consortium of Chinese firms for $1.2 billion — brings a completely free and unlimited VPN to iOS, letting users bypass geo-restrictions for online content, circumvent firewalls, block ads, and thwart ad-tracking cookies. It’s the result of Opera’s acquisition of North American VPN SurfEasy last March.

    When the VPN / proxy arrived in the developer version of Opera for desktop a few weeks back, it only supported three “virtual locations” — the U.S., Canada, and Germany, but with the iOS launch, you can now pretend to be in Singapore and the Netherlands, too. It also supports English, Arabic, French, German, Indonesian, Japanese, Portuguese, Russian, and Spanish.

    While there are many third-party VPNs out there already, such as perennial favorite TunnelBear, they typically require payment to unlock unlimited access.

    Anyone who is super paranoid about being tracked online will feel safer using an existing service that charges a fee. But among those who are simply seeking access to a service that’s banned in their country, workplace, or on their college campus, Opera VPN will likely find some fans.

  45. Tomi Engdahl says:

    Wall Street Journal:
    Sources: Dataminr, which utilizes Twitter’s full firehose, bars US intelligence agencies from accessing its services at Twitter’s request

    Twitter Bars Intelligence Agencies From Using Analytics Service
    Social media firm cuts access to Dataminr, a service used to identify unfolding terror attacks, political unrest
    http://www.wsj.com/article_email/twitter-bars-intelligence-agencies-from-using-analytics-service-1462751682-lMyQjAxMTE2MzAwODUwNzgzWj

    Twitter Inc. cut off U.S. intelligence agencies from access to a service that sifts through the entire output of its social-media postings, the latest example of tension between Silicon Valley and the federal government over terrorism and privacy.

    The move, which hasn’t been publicly announced, was confirmed by a senior U.S. intelligence official and other people familiar with the matter. The service—which sends out alerts of unfolding terror attacks, political unrest and other potentially important events—isn’t directly provided by Twitter, but instead by Dataminr Inc., a private company that mines public Twitter feeds for clients.

    Twitter owns about a 5% stake in Dataminr, the only company it authorizes both to access its entire real-time stream of public tweets and sell it to clients.

  46. Tomi Engdahl says:

    If You See Anything, Say Something? Math on a Plane
    http://hackaday.com/2016/05/09/if-you-see-anything-say-something-math-on-a-plane/

    The Washington Post reports that a woman told an Air Wisconsin crew that she was too ill to fly. In reality, she was sitting next to a suspicious man and her illness was a ruse to report him to the crew.

    Authorities questioned the man. What was his suspicious activity? Was he assembling a bomb? Carrying a weapon? Murmuring plans for destruction into a cell phone? No, he was writing math equations. University of Pennsylvania economics professor [Guido Menzio] was on his way to deliver a speech and was reviewing some differential equations related to his work.

    [Menzio] says he was treated well, and the flight was only delayed two hours.

    However, this–to me–highlights a very troubling indicator of the general public’s level of education about… well… everything. It is all too easy to imagine any Hackaday reader looking at a schematic or a hex dump or source code could have the same experience.

    Professor’s airplane math didn’t equal airplane threat
    https://www.washingtonpost.com/national/health-science/professors-airplane-math-didnt-equal-airplane-threat/2016/05/07/dda7546a-146f-11e6-a9b5-bf703a5a7191_story.html

    An Ivy League professor said his flight was delayed because a fellow passenger thought the math equations he was writing might be a sign he was a terrorist.

    American Airlines confirms that the woman expressed suspicions about University of Pennsylvania economics professor Guido Menzio.

    “Not seeking additional information after reports of ‘suspicious activity’ … is going to create a lot of problems, especially as xenophobic attitudes may be emerging,” he said.

  47. Tomi Engdahl says:

    Security Expert Jailed For Reporting Vulnerabilities In Lee County, FL Elections
    https://it.slashdot.org/story/16/05/09/1811210/security-expert-jailed-for-reporting-vulnerabilities-in-lee-county-fl-elections

    Information Security Professional David Levin was arrested 3 months after reporting unpatched SQL injection vulnerabilities in the Lee County, Florida Elections Office run by Sharon Harrington, the Lee County Supervisor of Elections.

    Researcher arrested after reporting pwnage hole in elections site
    Savage Havij
    http://www.theregister.co.uk/2016/05/09/researcher_arrested_after_reporting_pwnage_hole_in_elections_site/

    Vanguard Cybersecurity man David Levin was arrested after exploiting and disclosing SQL injection vulnerabilities that revealed admin credentials in the Lee County state elections website.

    The Florida Department of Law Enforcement says the 31-year-old Estero man hacked into the Lee County state elections website on 19 December. Levin (@realdavidlevin) faced three third-degree felony counts of property crime. Levin was released on a US$15,000 bond.

    A Florida Department of Law Enforcement official said in a statement that Levin turned himself in after an arrest warrant was issued.

    “Levin used a specialist software program to obtain illegal access to the Lee County state elections website and while he had access he obtained several usernames and passwords of employees in the elections office,”

    Levin detailed the SQL injection in a YouTube video shot with elections supervisor Dan Sinclair explaining how he used the Havij security tool to find the holes. He says he then used credentials stored in cleartext to login to supervisor accounts.

    “This is about as sophisticated as a system was 10 years ago and this is 2016,”

    Lee County Supervisor of Elections Server Security Issues
    https://www.youtube.com/watch?v=38rsseDeFYQ

    http://blog.checkpoint.com/2015/05/14/analysis-havij-sql-injection-tool/

  48. Tomi Engdahl says:

    Finance bods SWIFT to update after Bangladesh hack
    But infosec folk say full revamp needed
    http://www.theregister.co.uk/2016/04/29/bangladesh_swift_mega_hack_analysis/

    Security vendors are pushing for a more comprehensive revamp of the SWIFT international inter-bank financial transaction messaging system beyond an update prompted by an $81m hack against Bangladesh’s central bank.

    The loss of $81m (part of an attempted $950m heist) in February’s Bangladesh cyber-heist – reckoned to be the biggest ever bank theft – has subsequently been linked to the bank’s use of second-hand $10 switches on its network and a lack of firewalls.

    As well as network infrastructure weaknesses, the hackers behind the heist used custom malware specifically created to target SWIFT.

    The code even adjusted the SWIFT system’s printed reports to hide fraudulent transfers from the Bangladesh central bank account at the New York Federal Reserve Bank.

  49. Tomi Engdahl says:

    Experian Audience Engine knows almost as much about you as Google
    Could form one of the most powerful personal intelligence systems in the world
    http://www.theregister.co.uk/2016/05/09/experian_audience_engine_knows_almost_as_much_about_you_as_google/

    We have grown so used to credit reference giants like Experian knowing almost as much about us as Google, but unlike Google, they put this information up for sale. This is perhaps why we have forgotten that Experian could form the basis of one of the most powerful personal intelligence systems in the world. And that it is a short step from there to taking away most of Nielsen’s advertising business through advanced advertising decision-making.

    By asking everyone who supplies you with basic services like broadband, car finance and groceries, and establishing that you are a basically credit worthy person, Experian only has to take on board a few more transaction details, such as buying access to your credit card statement, to know everything that you are likely to buy. It is a small step from there to choosing which advertising and which TV programmes you should see.

  50. Tomi Engdahl says:

    Lauri Love case: NCA’s legal backdoor for crypto keys bid rejected by judge
    National Crime Agency must use existing RIPA powers, judge rules.
    http://arstechnica.co.uk/tech-policy/2016/05/lauri-love-nca-legal-backdoor-crypto-keys-rejected-by-judge/

    A judge has refused a request by the National Crime Agency (NCA) to require a man accused of hacking into US computers to hand over his encryption keys as part of a civil claim.

    The case concerns the computer scientist and activist Lauri Love, whom the US authorities wish to extradite in connection with alleged hacking of US government computers.

    The NCA was seeking to create a dangerous precedent that effectively would have allowed the UK police to circumvent the safeguards found in the Regulation of Investigatory Powers Act 2000 (RIPA), the main legislation covering this area.

    RIPA contains powers to force individuals to hand over their passwords or face prosecution, but also comes with extensive protections to ensure that the use of this power is reasonable.

    Love had earlier told The Intercept that he wouldn’t hand over the keys whatever the judge ruled: “The NCA are trying to establish a precedent so that an executive body—i.e., the police—can take away your computers and if they are unable to comprehend certain portions of data held on them, then you lose the right to retain them. It’s a presumption of guilt for random data.”
