Security trends for 2016

Here are my predictions for trends in information security and cyber security for the year 2016.

The year 2015 was pretty bad for information security, and I would say that the trend is worrying. So I expect that 2016 will bring many information security challenges. If you want to keep yourself up at night, spend some time reading about the latest developments in cybersecurity. In 2015 airplanes were hacked, cars were hacked, and vulnerabilities were found in a breathtaking range of sensitive equipment, from TSA locks to voting booths to medical devices. The big picture is even scarier: former NSA Director Mike McConnell suspects China has hacked “every major corporation” in the US. Those problems will continue in 2016, and new targets for attacks will be found. The system is broken. It isn’t keeping us, our companies, or our government safe. Worse yet, no one seems to know how to fix it.

Attacks through networks are becoming more common all the time, and it will be hard to protect against targeted attacks. Hackers will not only customize malware but will increasingly use sophisticated phishing and social engineering tricks to gain access to sensitive data. Attackers usually cover their tracks carefully, and identifying them can be very difficult. Behind targeted attacks are usually professional criminals. Criminals do not respect geographical borders, and hence attacks are spread evenly everywhere. Companies will struggle to absorb the security threats of combined PC and mobile devices in 2016.


EU information security decisions made in late 2015 will have an impact on what comes in 2016: the new EU data protection legislation package was approved, and the EU Court of Justice ruled that the Safe Harbor procedure is invalid. This means that transfers of personal data from EU countries to the United States under Safe Harbor violate the law; you need some other agreement for this. The situation will probably get clarified during 2016. Data protection legislation changes will lead to increased fines for the unprepared. Legal uncertainty and big fines are a toxic cocktail for some companies. The combination of stiff penalties and ambiguously worded provisions in the new EU-wide data protection law, which would replace a patchwork of 28 national laws, raises daunting prospects for companies operating in Europe.

After the huge number of user information leaks in 2015 from all kinds of Internet services, cloud companies will face the challenge of gaining trust in their security. You might have dared to trust only “the right cloud services,” since from the traditional information security point of view they seemed to be mostly okay, but now privacy issues have been raised as well.

New environments will bring new threats. New operating system versions mean that administrators and users are less familiar with the environments. IPv6 will become more widely used, and the security of IPv6 networks is different from IPv4. Organizations are moving to virtualized environments, which are complex and create network layers that can become an attack vector. Growing network virtualization functionality and programmability are both an opportunity and a threat to security. Cyber security research will be important in 2016, as 5G networks will be critical infrastructure on top of which, for example, transport, industry, health and the new operators set up their business around 2020.

The huge amount of information security news is becoming harder and harder to manage in 2016. A key problem with security revelations, as with all other news coverage, is the exponential growth of knowledge. There are a variety of news summaries produced on a daily basis, but they are not enough to get a good picture of what is happening. There are bigger and smaller news items, the impact of which is at times very difficult to assess. SMBs will become a bigger target for cybercriminals. Network and security professionals continue to be among the toughest IT talent to find and hire.

The old way of network security, focused on perimeter defense, is not enough in 2016. The old mantras “encrypt everything” and “secure the perimeter” are not enough. One deceptive truth seems to drive much of the cybersecurity industry down a rabbit hole: if you keep bad actors and bad software out of your system, you have nothing to worry about. It does not work like that anymore. As perimeter security gets stronger, malicious actors look for easier entry points to compromise an organisation through the breadth of its digital attack surface. Now malicious actors target “endpoints” (any device or sensor connected to a network) to break into that network. Traditional sandboxing will no longer protect against the growing malware landscape. Today most private networks have far too many endpoints to properly secure. In an age of “Bring Your Own Device,” the cloud, remote access, and the Internet of Things, there are too many vulnerabilities hackers can exploit. Keep in mind that everything connected to the Internet can, and will, be hacked. To address those threats in 2016, security experts should assume compromise (that hackers and malware already have breached their defenses, or soon will) and instead classify and mitigate threats. In addition to the public key infrastructure lock-and-key system, you will also need an integrity solution that acts like an alarm. To protect against advanced threats, security professionals will increase their reliance on centralized security management solutions. You need to have prioritization and response plans for various kinds of breaches, with a strong focus on integrity.

Law enforcement versus Silicon Valley tension will continue to be strong throughout 2016. In 2015 law enforcement and politicians on both sides of the Atlantic lined up to repeatedly complain that the web was “going dark” as the result of end-to-end encryption and that this was hampering the investigation of terrorism and other serious crimes. Technologists and cryptographers argue that governments are trying to weaken encryption by demanding some form of privileged access for government. It’s not clear how much encryption the NSA can break. With renewed focus on how encrypted messages can be used to plot terrorist attacks, President Barack Obama’s administration is stepping up pressure on the tech sector to help in the battle. Privacy remains a major counter-argument. It seems that governments lie about encryption backdoors. Encryption systems weakened by mandated backdoors would not be effective in fighting the terrorists that governments invoke as their reason for wanting those backdoors in the first place.

But this does not stop some government officials from demanding such things, with varying success in different countries. Another fact is that the existence of coded communications is a reality, and the U.S. may not be able to do much about it because nearly everyone living in modern society uses it: encryption protects your bank information, prevents your password from being stolen when you log into a website, and allows all e-commerce transactions to take place securely. Encryption weakened by mandated backdoors would put all of us at enormous risk of exposure from data breaches and associated online risks. The truth in 2016 is that any form of privileged access for government, i.e. a backdoor, would inevitably weaken crypto-systems and make them more vulnerable to attacks by foreign governments’ intelligence agencies as well as criminals. Juniper’s VPN security hole is proof that government backdoors are bonkers. Encryption backdoors would be a gleeful win-win for terrorists and a horrific lose-lose for you: the bad guys having strong protections for their data, and the rest of us not. A poorly thought-out and crude surveillance technique could have a devastating effect on a country’s internet security; for example, Kazakhstan will force its citizens to install internet backdoors by requiring all Internet users to install a state-issued root certificate by January 1, 2016.

Google, Mozilla and Microsoft are pushing for an early SHA-1 crypto cutoff that could happen in 2016 instead of the earlier planned January 1, 2017, due to recent research showing that SHA-1 is weaker than previously believed, because it has been cracked without enormous effort. Mozilla, Microsoft and now Google are all considering bringing the deadline forward by six months to July 1, 2016. SHA-2 is going to be used as the replacement function for SHA-1. Websites like Facebook and those protected by CloudFlare have implemented a SHA-1 fallback mechanism for those systems that do not support SHA-2. Chrome will start displaying errors if SHA-1 certificates are employed in early 2016 and will completely stop supporting SHA-1 certificates at the end of 2016.
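The practical question for an administrator is whether any certificate in a served chain still carries a SHA-1 signature before browsers start refusing them. As an added example (not code from the original post), here is a stdlib-only Python check for exactly that: it parses just the outer signatureAlgorithm field of each DER certificate and reports the digest family. The OID tables, the `classify_chain` verdicts and the constructed sample certificates are this example's own, not taken from any library or from the post.

```python
"""Flag SHA-1 signed certificates in a chain (added example, not the post's code).

Reads just enough DER to extract the outer signatureAlgorithm OID of an X.509
certificate, so it needs no third-party library. The sample certificates are
CONSTRUCTED skeletons (right outer structure and OIDs, no real key/signature).
"""

# Signature algorithm OIDs by digest family (dotted form -> name).
SHA1_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}
SHA2_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
}


def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _child(buf, pos, want):
    """Read the element at pos, insisting on DER tag `want`."""
    tag, start, end = _read_tlv(buf, pos)
    if tag != want:
        raise ValueError("expected tag 0x%02x at offset %d" % (want, pos))
    return start, end


def _decode_oid(raw):
    """Decode OID content bytes (base-128 arcs) to dotted form."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # a clear high bit ends the arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm_oid(cert_der):
    """Dotted OID of the outer signatureAlgorithm of a DER certificate."""
    # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    start, _ = _child(cert_der, 0, 0x30)            # Certificate SEQUENCE
    _, tbs_end = _child(cert_der, start, 0x30)      # tbsCertificate, skipped
    alg_start, _ = _child(cert_der, tbs_end, 0x30)  # AlgorithmIdentifier
    oid_start, oid_end = _child(cert_der, alg_start, 0x06)
    return _decode_oid(cert_der[oid_start:oid_end])


def classify_chain(chain_der):
    """One (verdict, detail) per cert: 'weak' (SHA-1), 'ok', 'root' or 'unknown'.

    The last certificate is treated as the trust anchor; browsers do not verify
    a root's self-signature, so a SHA-1 root by itself causes no error.
    """
    verdicts = []
    for i, der in enumerate(chain_der):
        oid = signature_algorithm_oid(der)
        if i == len(chain_der) - 1:
            verdicts.append(("root", oid))
        elif oid in SHA1_SIGNATURE_OIDS:
            verdicts.append(("weak", SHA1_SIGNATURE_OIDS[oid]))
        elif oid in SHA2_SIGNATURE_OIDS:
            verdicts.append(("ok", SHA2_SIGNATURE_OIDS[oid]))
        else:
            verdicts.append(("unknown", oid))
    return verdicts


def _tlv(tag, content):
    """Minimal DER encoder for one element (short or long definite length)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(dotted):
    """Encode a dotted OID into DER content bytes (inverse of _decode_oid)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return bytes(out)


def constructed_cert(sig_oid):
    """CONSTRUCTED certificate skeleton; the 200-byte body forces long-form lengths."""
    tbs = _tlv(0x30, _tlv(0x04, b"\x00" * 200))   # tbsCertificate placeholder
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + _tlv(0x05, b""))
    sig = _tlv(0x03, b"\x00" * 17)               # dummy BIT STRING
    return _tlv(0x30, tbs + alg + sig)
```

Feed `classify_chain` the DER certificates of a served chain, leaf first (for example the bytes of each PEM block after base64 decoding). The trust-anchor caveat matters when reading the output: a SHA-1 self-signature on the root is not what triggers the browser errors described above, a SHA-1 signed leaf or intermediate is, so those are the certificates to reissue.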

The use of blockchain technology, a permissionless distributed database based on the bitcoin protocol that runs across a global network of independent computers, will spread beyond just Bitcoin virtual money. With bitcoin, the blockchain tracks the exchange of money, but it can also track the exchange of anything else that holds value, including stocks, bonds, and other financial securities. Overstock has already used the blockchain to issue private bonds. The Securities and Exchange Commission has approved a plan from online retailer Overstock.com to issue company stock via the Internet, signaling a significant shift in the way financial securities will be distributed and traded in the years to come. Overstock built its technology under the aegis of a subsidiary called TØ.com, and it plans to offer this “cryptosecurity” tech as a service to other businesses. Nasdaq OMX, the company behind the Nasdaq stock exchange, is using the blockchain to oversee the exchange of private stock. Several major companies from across both the technology and financial industries, including IBM, Intel, and Cisco as well as the London Stock Exchange Group and big-name banks JP Morgan, Wells Fargo, and State Street, have also joined forces with the Linux Foundation to create an alternative to the blockchain.

The use of disk encryption will increase, and there are different ways to do it with different security levels. With Windows 10, Microsoft has introduced disk encryption whose recovery keys are uploaded to Microsoft. This approach has some advantages and disadvantages. The gold standard in disk encryption is end-to-end encryption, where only you can unlock your disk. This is what most companies use, and it seems to work well: it protects data in case your device is lost or stolen. But what if you forget or lose your key? There are certainly cases where it’s helpful to have a backup of your key or password, so keeping a backup of your recovery key in your Microsoft account could be genuinely useful for probably the majority of users who don’t have high security needs. The disadvantage of this approach is that your computer is now only as secure as that database of keys held by Microsoft, which means it may be vulnerable to hackers, foreign governments, and people who can extort Microsoft employees.


Weak and leaked passwords are still a huge security problem in 2016. Passwords are often the weakest part when it comes to securing users’ accounts, as many don’t use complex passwords or they reuse the same password across services. Two-factor authentication, like using a USB stick with a secret token or entering a code sent via text message to your phone, can help to increase security, but many users also find this to be a hassle, as it introduces an additional step to the login process.

Google has begun testing a login system that uses phone notifications for authentication instead of passwords: users authenticate by responding to a notification sent to their smartphone. The idea is similar to Yahoo’s recently launched “Account Key,” which also offers a password-free means of signing in involving a push notification sent to your phone that then opens an app where you approve the log-in.

Smartphones will become a more and more security-critical part of your life. “Increasingly, individuals and organisations are adopting password managers and multi-factor authentication technologies to plug some of the holes in password-based authentication. We foresee a world where practically everyone uses their smartphone as a multi-factor authentication element. In this world, the smartphone becomes your most valuable asset: something that enables you to unlock your life online and a target for attackers seeking to access your services.”

Expect that the number of mobile vulnerabilities will only grow in 2016. In 2016 we will see increasing numbers of cyber criminals using mobile applications to spread malware. Mobile presents an easy target for cyber criminals, because it is an attack surface that is open and extremely difficult to defend once an app has been released. Android threats will become more than just headline-grabbers. Will 2016 be the year iOS malware goes mainstream?


Critical infrastructures will be highly targeted in 2015. SCADA and ICS networks were not designed for security. Attacks against these systems have increased in recent years, and I expect this trend to only get worse. There are still many companies that run their critical systems on Windows XP, as “there are some people who don’t have an option to change.” Many times the OS is running in automation and process control systems that run business- and mission-critical systems, both in private sector and government enterprises. For example, the US Navy is using the obsolete operating system Microsoft Windows XP to run critical tasks. It all comes down to money and resources, but if someone is obliged to keep something running on an obsolete system, it is completely the wrong approach to information security.

Cars were hacked at a record rate in 2015, and they will be hacked at least at the same rate in 2016. Modern cars feature more gadgetry and connected systems, and this will make vehicles just as vulnerable to today’s threats and attacks. I Am The Cavalry has published a five-star Cyber Safety Framework to mitigate this threat in cars; hopefully car component makers study it.

IoT and smart devices are still at risk. The Internet of Things will continue to emerge, and businesses will need to think about how to protect their smart devices and prepare for the wider adoption of IoT. IoT platforms are not yet the weapon of choice for commercial malware authors, but businesses should beware. Wearables won’t be safe either, as they are built using largely the same, too often vulnerable, technologies as other IoT systems. IoT security is still in its infancy in 2016.

Cyber criminals became more active in 2015, particularly in the ransomware business. The ransomware problem will continue to be big in 2016. Commercial malware authors will continue to invest heavily, and exploit kits will continue to dominate on the web. Ransomware today is big business. Ransomware takes control of a computer and holds it hostage until the victim pays, usually in the digital currency Bitcoin. As a remedy against ransomware, I recommend making sure that your IT support or service provider has a data backup and restore procedure that is operational, practiced and tested. You may need it in 2016 to get your data back without considering paying criminals. To date ransomware has hit Windows users hardest, although Android and MacOS users are now also facing similar extortion.
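A backup only counts once a restore has actually been rehearsed. To make the “practiced and tested” part concrete, here is an added Python example (not the post’s own code) of such a rehearsal: it records a SHA-256 manifest of the source tree at backup time, writes a tar archive, restores it into a scratch directory and reports anything missing or changed. The files it backs up are constructed in a temporary directory, and `rehearsal()` together with its report format are this example’s own invention.

```python
"""Rehearse a backup restore and verify it (added example, not the post's code).

A manifest of SHA-256 digests is taken when the archive is written; verification
restores the archive into a fresh directory and diffs it against that manifest.
All sample files are CONSTRUCTED in a temporary directory.
"""
import hashlib
import os
import tarfile
import tempfile


def build_manifest(root):
    """Map relative path -> SHA-256 hex digest for every regular file under root."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                manifest[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return manifest


def create_backup(source_dir, archive_path):
    """Write every file of source_dir into a gzip tar; return the manifest taken alongside."""
    manifest = build_manifest(source_dir)
    with tarfile.open(archive_path, "w:gz") as tar:
        for rel in sorted(manifest):
            tar.add(os.path.join(source_dir, rel), arcname=rel)
    return manifest


def verify_restore(archive_path, manifest):
    """Restore into a scratch directory and diff it against the manifest.

    Returns {'missing': [...], 'changed': [...], 'unexpected': [...]};
    all three lists empty means the archive restores exactly what was recorded.
    """
    with tempfile.TemporaryDirectory() as restore_dir:
        with tarfile.open(archive_path, "r:gz") as tar:
            # The 'data' extraction filter (Python 3.12, backported to older patch
            # releases) refuses members that would escape restore_dir; skip it
            # on interpreters that predate it.
            kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(restore_dir, **kwargs)
        restored = build_manifest(restore_dir)
    return {
        "missing": sorted(p for p in manifest if p not in restored),
        "changed": sorted(p for p in manifest if p in restored and restored[p] != manifest[p]),
        "unexpected": sorted(p for p in restored if p not in manifest),
    }


def rehearsal():
    """Full rehearsal on constructed data: returns (clean_report, stale_report).

    The first report checks the archive against the manifest taken when it was
    written. The second checks the same archive against the live tree after it
    has drifted, which is what a stale backup looks like on the day it is needed.
    """
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "documents")
        os.makedirs(os.path.join(src, "projects"))
        with open(os.path.join(src, "notes.txt"), "w") as fh:      # constructed file
            fh.write("quarterly plan\n")
        with open(os.path.join(src, "projects", "design.md"), "w") as fh:
            fh.write("# design\n")
        archive = os.path.join(work, "documents.tar.gz")
        manifest = create_backup(src, archive)
        clean = verify_restore(archive, manifest)

        # Drift after the backup: one file rewritten, one new file never backed up.
        with open(os.path.join(src, "notes.txt"), "w") as fh:
            fh.write("quarterly plan, revised\n")
        with open(os.path.join(src, "projects", "todo.txt"), "w") as fh:
            fh.write("ship it\n")
        stale = verify_restore(archive, build_manifest(src))
    return clean, stale


if __name__ == "__main__":
    clean, stale = rehearsal()
    print("fresh archive:", clean)
    print("after drift:  ", stale)
```

Run it on a schedule against the real archive and treat any non-empty `missing` or `changed` list as an incident, not a warning; the point of the second report is that a restore which merely succeeds says nothing about whether the data in it is current.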

Ransomware will continue to dominate in 2016, and it is only a question of time before we see things beyond data being ransomed. We have already seen websites being held to ransom with DDoS. Intel’s McAfee Labs also noted a huge spike in ransomware in early 2015, and worries about ransomware in the IoT space, including medical devices. And Kaspersky predicts the “nightmare of ransomware” to continue and “spread to new frontiers” in 2016. The article “Ransomware Is Coming to Medical Devices” reports that, according to a report released recently by Forrester Research, the number one cybersecurity prediction for 2016 is: “We’ll see ransomware for a medical device or wearable.” “It’s definitely feasible from a technical standpoint.” Networked medical devices save lives. Despite the hacking risk, it’s an informed trade-off. Medical device ransomware would be a modern form of highway robbery with lives at stake.

2,232 Comments

  1. Tomi Engdahl says:

    Hacked in a public space? Thanks, HTTPS
    Kali Linux, laptop, coffee – hack on!
    http://www.theregister.co.uk/2016/05/20/https_wifi_trust_in_a_public_place/

    Have you ever bothered to look at who your browser trusts? The padlock of a HTTPS connection doesn’t mean anything if you can’t trust the other end of the connection and its upstream signatories. Do you trust CNNIC (China Internet Network Information Centre)? What about Turkistan trust or many other “who are they” type certificate authorities?

    Even if you do trust whoever issued the certificate it doesn’t mean much if the network cannot be trusted. A lot of experts claim “HTTPS is broken” and here is one small example of why. If you sit in a coffee shop and go surfing you can quite easily end up being the victim of a man-in-the-middle (MitM) attack. All a potential attacker needs is a copy of Kali Linux, a reasonably powerful laptop and coffee!

    But wait, you cry, aren’t certificates supposed to protect us from exactly this type of thing? Yes but… essentially in our coffee-shop scenario the connection can be forced to run via the MitM laptop using a program called SSLstrip to copy the data as it is passed back and forth to Gmail.

    We get the traffic from the victim by poisoning the ARP cache and pretending to be the router. SSLStrip forces a victim’s browser into communicating via an attacker’s laptop in plain-text over HTTP, while the adversary proxies the modified content from an HTTPS server.

    Of course, you need to hack the coffee shop’s router, too.

    The HTTPS between Gmail and you is now readable because you get the decrypted plain text data before it is encrypted and sent to Gmail.

  2. Tomi Engdahl says:

    Don’t Use Allo
    http://motherboard.vice.com/read/dont-use-google-allo

    The buzziest thing Google announced at its I/O conference Wednesday was Allo, a chatbot-enabled smartphone messaging app that looks to take on iMessage, Facebook Messenger, and the Facebook-owned WhatsApp.

    Early sentiment about Allo is overwhelmingly positive: It looks beautiful, lets you doodle on images before you send them, comes with stickers as well as emojis, and it’s the first Google product to offer end-to-end encryption, which is certainly a good thing.

    But if you care at all about your privacy, you should not use Google Allo.

    Allo’s big innovation is “Google Assistant,” a Siri competitor that will give personalized suggestions and answers to your questions on Allo as well as on the newly announced Google Home, which is a competitor to Amazon’s Echo.

    On Allo, Google Assistant will learn how you talk to certain friends and offer suggested replies to make responding easier. Let that sink in for a moment: The selling point of this app is that Google will read your messages, for your convenience.

  3. Tomi Engdahl says:

    Synopsys Aims to Deliver ‘Software Signoff’ Platform
    http://www.eetimes.com/document.asp?doc_id=1329723&

    The longtime leader of EDA’s largest firm said Tuesday (May 18) that his company aims to deliver a “software signoff platform” that would certify that software has been analyzed for known security vulnerabilities prior to release.

    Aart de Geus, Synopsys Inc.’s president and co-CEO, said in an interview with EE Times following the company’s better-than-expected fiscal second quarter report that its growing Software Integrity Group would surpass the $100 million mark in sales this year.

    Much as EDA tools used to provide a verification signoff on a chip design prior to manufacture, Synopsys’ Software Integrity Platform would provide certification that software has been checked for vulnerabilities prior to its release, de Geus said. He added that the company expects to deliver this capability to the market this year.

    “In this case, ‘signoff’ means signing off that the known vulnerabilities [in software] have been found automatically, have indeed been checked out,” de Geus told EE Times. “That’s a very powerful thing and that’s getting a lot of attention.”

  4. Tomi Engdahl says:

    2016 Underground Hacker Marketplace – It’s a Good Time to Be a Bad Guy
    https://webinar.darkreading.com/2110?keycode=DRWE01

    Imagine a marketplace where illegal vendors offer hackers a wide range of goods, tools, and training to enable them to exploit or breach unsuspecting individuals, groups or organizations. Now imagine the walls of this marketplace lined with advertisements offering services and information. The point is, the underground marketplace is booming and only getting bigger, more sophisticated, and competitive.

  5. Tomi Engdahl says:

    EU countries call for the removal of barriers to data flows
    https://flipboard.com/@thenewsdesk/technology-shjum1jiz/eu-countries-call-for-the-removal-of-barriers-to-data-flows/a-b6a2lIgLRRCcbwYV_GtDXw%3Aa%3A43591897-039294f897%2Freuters.com

    Half of the European Union’s member states on Monday called for the removal of barriers to the free flow of data both within and outside the 28-nation bloc to ensure the continent can benefit from new data-driven technologies.

    “It is vital for European competitiveness to take a positive approach to new advancements in digital technologies and business models,”

    “Europe can benefit significantly from new data-driven technologies if the right future-proof regulatory framework is established.”

    The Commission last year unveiled its Digital Single Market strategy, a wide-ranging plan to knock down barriers in the online world to give Europe a better chance of competing with mainly U.S. tech giants.

  6. Tomi Engdahl says:

    SWIFT moves on security in wake of hacking attacks
    ’cause the hackers gonna hack, hack, hack
    http://www.theregister.co.uk/2016/05/20/swift_moves_on_security_in_wake_of_hacking/

    The team behind the SWIFT financial transaction network is taking another look at its security after several hacking attempts against its customers.

    In February, hackers managed to siphon off $81m from Bangladesh’s central bank in a raid that – but for a spelling mistake that alerted an analyst – could have taken a lot more. Vietnam’s Tien Phong Bank has since admitted that it too has lost money in a similar attack, and now SWIFT (Society for Worldwide Interbank Financial Telecommunication) is taking another look at how to protect its customers.

    “SWIFT has recently shared information regarding a number of fraudulent payment cases where affected customers suffered a breach in their local payment infrastructure,” the group said in a letter to customers.

    “We would like to reassure you again that SWIFT’s network, services and software were not compromised. While customers are responsible for the security of their own environment, security is our top priority and as an industry-owned cooperative we are committed to helping our customers fight against cyber-attacks.”

    SWIFT reminded its users that its terms and conditions require them to report security information to the company, and said it would also be asking for additional diagnostic data from them in some cases.

    “Your organisation’s role in this effort is critical,” it said.

    The changes come after some in the security industry have criticized the organization, saying its current security model is outdated and designed to protect against “types of attacks that were prevalent a decade ago.”

  7. Tomi Engdahl says:

    “I’m with Stupid” Locky network gets hacked and dissed
    https://blog.avira.com/im-with-stupid-locky/

    A few months ago, we reported on a white hack against Dridex where the malicious payload was removed and an Avira antivirus downloader added.

    This month, it seems that a very successful Locky ransomware distribution network has been the victim of a similar attack by a white hacker.

    Locky is a ransomware that encrypts the files and personal data on computers after infecting them and then extorts money from the victims afterwards.

    The spreading of this ransomware via email is fairly direct: A JavaScript is masked as an invoice and attached to the email. The infection process starts once the recipient is tricked and clicks on the attached file to execute it.

    The JavaScript inside the attachment is usually obfuscated which means the real content isn’t visible or understandable for the reader.

    But in place of the expected ransomware, we downloaded a 12 byte text file with the plain message “Stupid Locky”.

    It seems that someone was able to access one of the command and control servers and replaced the original Locky ransomware with a dummy file. And I do mean dummy in the fullest expression of the word.

    PSA Payload Via Hacked Locky Host
    https://labsblog.f-secure.com/2016/05/17/psa-payload-via-hacked-locky-host/

  8. Tomi Engdahl says:

    Inside Nuclear’s Core: Unraveling a Ransomware-as-a-Service Infrastructure
    http://blog.checkpoint.com/2016/05/17/inside-nuclears-core-unraveling-a-ransomware-as-a-service-infrastructure/

    The Check Point Research team has uncovered the entire operation of one of the world’s largest attack infrastructures. Exploit Kits are a major part of the Malware-as-a-Service industry, which facilitate the execution of ransomware and banking trojans, among others. Their creators rent them to cybercriminals who use them to attack unsuspecting users. Nuclear is one of the top Exploit Kits, both in complexity and in spread.

    We offer you the Inside Nuclear’s Core: Unraveling a Malware-as-a-Service Infrastructure report, a unique, first-of-its-kind view into the heart of a cybercriminal syndicate. First, we review the Malware-as-a-Service infrastructure, created by the Exploit Kit’s developers. Second, we inspect the attackers’ use of the Nuclear foundation to spread malware worldwide. We also review the effect these campaigns have on the victims, and assess the damage caused by the perpetrators.

    Doing the math, we can infer that the perpetrator behind Nuclear’s operation accumulates revenue of approximately $100,000 a month.

    http://blog.checkpoint.com/wp-content/uploads/2016/08/InsideNuclearsCore_UnravelingMalwarewareasaService.pdf

  9. Tomi Engdahl says:

    Nine Days Later, Flash Zero-Day CVE-2016-4117 Already Added to Exploit Kits
    CVE-2016-4117 spotted in Magnitude exploit kit attacks
    Read more: http://news.softpedia.com/news/nine-days-later-flash-zero-day-cve-2016-4117-already-added-to-exploit-kits-504356.shtml#ixzz49U1EBPUJ

  10. Tomi Engdahl says:

    Monica Nickelsburg / GeekWire:
    Microsoft amends terms for its consumer services to address terrorism-related content, expands “notice-and-takedown” policy, mulls Bing partnerships with NGOs — The threat of terrorism has escalated the age-old battle between national security and individual rights …

    Microsoft outlines new policies for dealing with terrorist content
    http://www.geekwire.com/2016/microsoft-outlines-new-policies-dealing-terrorist-content/

    The threat of terrorism has escalated the age-old battle between national security and individual rights — and technology companies are often caught in the crosshairs.

    Apple’s dispute with the FBI and WhatsApp’s skirmishes with the Brazilian government are just two recent examples of a conflict that’s been playing out for decades. In what could be viewed as a preemptive move, Microsoft outlined a new set of policies for dealing with terrorist content on its consumer services.

    “It’s inevitable – and understandable – that digital technology has become a focus of demands for new measures to combat terrorism,” Microsoft said in a blog post Friday. “The Internet has become the primary medium for sharing ideas and communicating with one another, and the events of the past few months are a strong reminder that the Internet can be used for the worst reasons imaginable.”

    Under the amended terms of use, Microsoft will expand its “notice-and-takedown” policy, removing content flagged as terrorist-related.

  11. Tomi Engdahl says:

    Ransomware Adds DDoS Attacks To Annoy More People
    https://it.slashdot.org/story/16/05/21/2322211/ransomware-adds-ddos-attacks-to-annoy-more-people

    Ransomware developers have found another method of monetizing their operations by adding a DDoS component to their malicious payloads. So instead of just encrypting your files and locking your screen, new ransomware versions seen this week also started adding a DDoS bot that quietly blasts spoofed network traffic at various IPs on the Internet.

    Ransomware Adds DDoS Capabilities to Annoy Other People, Not Just You
    Malware coders get creative, bundle DDoS bots and ransomware
    Read more: http://news.softpedia.com/news/ransomware-adds-ddos-capabilities-for-annoying-other-people-not-just-you-504323.shtml#ixzz49Ua7JotQ

  12. Tomi Engdahl says:

    New Analysis: The Most Hackable Programming Language Is Hands-Down PHP
    http://motherboard.vice.com/read/new-analysis-the-most-hackable-programming-language-is-php-by-a-mile?trk_source=recommended

    Based on code analyses and scans of 50,000 different applications written within the past 18 months, cloud security firm Veracode has compiled a list of the most and least secure programming languages. Software engineers won’t find it especially surprising, with PHP, venue for many a popular and ready-made hack, blowing away the competition.

    Some 86 percent of analyzed programs written in PHP came with at least one cross-site scripting (XSS) vulnerability; 56 revealed at least one SQL injection bug; and 73 percent had encryption issues. Of applications written in the ColdFusion language, which serves a web scripting role similar to PHP and is already fairly notorious in its vulnerabilities, 62 percent revealed an SQL injection bug.

    Scripting/web development languages were generally worse off than their more traditional counterparts, such as Java and C++. 21 percent of Java apps were found to have SQL injection vulnerabilities, while 29 percent of applications written within Microsoft’s .NET framework, which serves to unify several different foundational languages in one execution environment (like Java), had the SQL vulnerability.

  13. Tomi Engdahl says:

    New MIT Tool Quickly Roots Out Hidden Web App Security Bugs
    http://motherboard.vice.com/read/new-mit-tool-quickly-roots-out-lurking-web-app-security-bugs?trk_source=recommended

    It’s a funny time for software testing. As more and more software is replaced by web applications—the cloud, that is—software bugs have more and more come to mean security holes. That is, interacting with software now so often means exposing data, which means trusting the builders of said software to entirely new degrees. And, as builders, we really need to not fuck that up.

    Software testing—or debugging—is intense, tedious, and imperfect. Hence, software is full of bugs. Hence, software producers offer sometimes very large cash bounties to people that can find those bugs. A funny time.

    Computer scientists from MIT have developed a new automated tool that can quickly comb through many thousands of lines of code written using the popular web framework Ruby on Rails looking for security vulnerabilities.

  14. Tomi Engdahl says:

    Vulnerabilities Found in Siemens SIPROTEC Protection Relays
    http://www.securityweek.com/vulnerabilities-found-siemens-siprotec-protection-relays

    Researchers discovered that Siemens’ SIPROTEC protection relays are plagued by a couple of medium severity information disclosure vulnerabilities. Firmware updates have been released by the vendor for some of the affected products.

    The security holes affect SIPROTEC 4 and SIPROTEC Compact devices, which provide protection, control, measurement and automation functions for electrical substations and other applications. The products are deployed worldwide in the energy and other sectors.

    According to advisories published this week by Siemens and ICS-CERT, the integrated web server of the vulnerable products allows an attacker with access to the network to obtain sensitive device information (CVE-2016-4784).

    This flaw affects the EN100 Ethernet modules found in SIPROTEC 4 and SIPROTEC Compact devices, and the Ethernet service interface on Port A of several SIPROTEC Compact models.

    The second vulnerability, which affects only EN100 Ethernet modules, allows an attacker on the network to access a portion of the device’s memory content (CVE-2016-4785). This issue is also related to the integrated web interface.

    ICS-CERT noted that even a low-skilled attacker can exploit the vulnerabilities as long as they can gain access to the network hosting the devices.

    Versions 4.26 and earlier of the firmware running on EN100 Ethernet modules are affected by the vulnerabilities. Siemens has plugged the security holes by updating the firmware to version 4.27.

    This is the second advisory published by ICS-CERT for Siemens SIPROTEC products.

    Reply
  15. Tomi Engdahl says:

    How Copyright Law Is Being Misused To Remove Material From the Internet
    https://tech.slashdot.org/story/16/05/23/154211/how-copyright-law-is-being-misused-to-remove-material-from-the-internet

    Revealed: How copyright law is being misused to remove material from the internet
    https://www.theguardian.com/technology/2016/may/23/copyright-law-internet-mumsnet

    When Annabelle Narey posted a negative review of a building firm on Mumsnet, the last thing on her mind was copyright infringement

    Writing a bad review online has always run a small risk of opening yourself up to a defamation claim. But few would expect to be told that they had to delete their review or face a lawsuit over another part of the law: copyright infringement.

    Mumsnet received a warning from Google: a takedown request had been made under the American Digital Millennium Copyright Act (DMCA), alleging that copyrighted material was posted without a licence on the thread.

    As soon as the DMCA takedown request had been filed, Google de-listed the entire thread. All 126 posts are now not discoverable when a user searches Google for BuildTeam – or any other terms. The search company told Mumsnet it could make a counterclaim, if it was certain no infringement had taken place, but since the site couldn’t verify that its users weren’t actually posting copyrighted material, it would have opened it up to further legal pressure.

    In fact, no copyright infringement had occurred at all. Instead, something weirder had happened. At some point after Narey posted her comments on Mumsnet, someone had copied the entire text of one of her posts and pasted it, verbatim, to a spammy blog titled “Home Improvement Tips and Tricks”.

    Whoever sent the takedown request, Mumsnet was forced to make a choice: either leave the post up, and accept being delisted; fight the delisting and open themselves up to the same legal threats made against Google; or delete the post themselves, and ask the post to be relisted on the search engine.

    Mumsnet deleted the post, and asked Google to reinstate the thread

    Censorship by copyright

    The motivation of Ashraf can only be guessed at, but censorship using the DMCA is common online. The act allows web hosts a certain amount of immunity from claims of copyright infringement through what is known as the “safe harbour” rules: in essence, a host isn’t responsible for hosting infringing material provided they didn’t know about it when it went up, and took it down as soon as they were told about it.

    In practice, however, this means that web hosts (and the term is broadly interpreted, meaning sites like YouTube, Twitter and Google count) are forced to develop a hair-trigger over claims of copyright infringement, assuming guilt and asking the accused to prove their innocence.

    Reply
  16. Tomi Engdahl says:

    ProPublica:
    Crime prediction software, increasingly used to guide sentencing in US, found to be biased against black defendants in study of 7K cases — There’s software used across the country to predict future criminals. And it’s biased against blacks. — ON A SPRING AFTERNOON IN 2014 …

    Machine Bias
    https://www.propublica.org/article/machine-bias-risk-assessments-in-criminal-sentencing

    There’s software used across the country to predict future criminals. And it’s biased against blacks.

    Reply
  17. Tomi Engdahl says:

    Sarah Perez / TechCrunch:
    Google plans to bring password-free logins to Android apps by year-end via Project Abacus — Google’s plan to eliminate passwords in favor of systems that take into account a combination of signals – like your typing patterns, your walking patterns, your current location, and more …

    Google plans to bring password-free logins to Android apps by year-end
    http://techcrunch.com/2016/05/23/google-plans-to-bring-password-free-logins-to-android-apps-by-year-end/

    Google’s plan to eliminate passwords in favor of systems that take into account a combination of signals – like your typing patterns, your walking patterns, your current location, and more – will be available to Android developers by year-end, assuming all goes well in testing this year. In an under-the-radar announcement Friday afternoon at the Google I/O developer conference, the head of Google’s research unit ATAP (Advanced Technology and Projects) Daniel Kaufman offered a brief update regarding the status of Project Abacus, the name for a system that opts for biometrics over two-factor authentication.

    Google’s ATAP Wants To Eliminate Passwords For Good
    http://techcrunch.com/2015/05/29/googles-atap-wants-to-eliminate-passwords-for-good/

    Reply
  18. Tomi Engdahl says:

    Ingrid Lunden / TechCrunch:
    Multi-cloud security startup vArmour raises $41M more, led in part by Telstra
    http://techcrunch.com/2016/05/24/multi-cloud-security-startup-varmour-raises-41m-more-led-in-part-by-new-strategic-telstra/

    “What you are finding is that if you are a business with an old fashioned firewall or monitoring tools, the maintenance streams alone on those can fund getting our product,”

    vArmour’s solution differs from some other security services in that many of the latter are focused at defending an organization’s IT infrastructure from the perimeter. vArmour, on the other hand, sits inside networks, and when it detects a problem, its software segments it off. Eades says that right now there is a bifurcation in attacks, with the biggest threats not just from nation states, but also organized crime. The latter has given rise to more ransomware attacks, he added. “It is very sophisticated and lasts a long period of time.” So to help build a better historical profile, the company also offers forensics for more advanced threats.

    Reply
  19. Tomi Engdahl says:

    Margaret Sullivan / Washington Post:
    Obama administration promised transparency, but delivered opacity, stonewalling FOIA requests, punishing a whistleblower, and threatening a reporter with jail — Some things just aren’t cool. One of those, according to our no-drama president, is ignorance.

    Obama promised transparency. But his administration is one of the most secretive
    https://www.washingtonpost.com/lifestyle/style/obama-promised-transparency-but-his-administration-is-one-of-the-most-secretive/2016/05/24/5a46caba-21c1-11e6-9e7f-57890b612299_story.html

    Some things just aren’t cool. One of those, according to our no-drama president, is ignorance.

    “It’s not cool to not know what you’re talking about,” President Obama said during his recent Rutgers University commencement address. It was a swipe clearly intended for he-who-didn’t-need-to-be-named: Donald Trump, the likely Republican nominee for president.

    After early promises to be the most transparent administration in history, this has been one of the most secretive. And in certain ways, one of the most elusive. It’s also been one of the most punitive toward whistleblowers and leakers who want to bring light to wrongdoing they have observed from inside powerful institutions.

    Promising transparency and criticizing ignorance, but delivering secrecy and opacity? That doesn’t serve the public or the democracy. And that’s deeply uncool.

    Reply
  20. Tomi Engdahl says:

    Exploit for Recently Patched Flash Flaw Added to Magnitude EK
    http://www.securityweek.com/exploit-recently-patched-flash-flaw-added-magnitude-ek

    The authors of the Magnitude exploit kit have already started integrating an exploit for a recently patched Adobe Flash Player vulnerability.

    The flaw in question, tracked as CVE-2016-4117, was discovered by FireEye researchers on May 8. The vulnerability, described as a type confusion, had been exploited in the wild using specially crafted Microsoft Office documents.

    Adobe plugged the Flash Player security hole, along with 24 other vulnerabilities, on May 12 with the release of versions 21.0.0.242 and 11.2.202.616.

    Reply
  21. Tomi Engdahl says:

    Manhunt After Millions Stolen in Hours-long Japan ATM Heist
    http://www.securityweek.com/manhunt-after-millions-stolen-hours-long-japan-atm-heist

    A manhunt is underway for criminals who looted millions from Japan’s cash machines nationwide in an hours-long heist, officials and reports said Monday.

    Armed with fake credit card details from South Africa’s Standard Bank, the thieves hit 1,400 convenience store ATMs in a coordinated attack earlier this month.

    The international gang members, reportedly numbering around 100 people, each made a series of withdrawals in less than three hours, Japanese media said.

    Their haul totaled 1.4 billion yen ($13 million), according to the reports, with machines in Tokyo and Osaka among those targeted.

    It was not clear how the gang made off with the equivalent of millions of dollars so quickly as the cash machines usually limit withdrawals to 100,000 yen ($910) a day.

    Reply
  22. Tomi Engdahl says:

    Critical Vulnerability Plagues 60% of Android Devices
    http://www.securityweek.com/critical-vulnerability-plagues-60-android-devices

    A Critical Elevation of Privilege (EoP) vulnerability in the Qualcomm Secure Execution Environment (QSEE) affects around 60 percent of all Android devices around the world, despite being already fixed, researchers warn.

    The culprit is an EoP flaw in the Widevine QSEE TrustZone application, namely CVE-2015-6639, which was resolved in January when Google issued patches for 12 security flaws in Android. The bug could enable a compromised, privileged application with access to QSEECOM to execute arbitrary code in the TrustZone context.

    A short explanation of how the bug works would be the following: QSEECOM is a Linux kernel device that allows regular user-space processes such as the mediaserver (which runs in the normal operating system, or “Normal World”) to communicate with trusted applications (or trustlets) in a secure OS that manages protected services and hardware (which is called “Secure World”). Thus, malicious code running in the Normal World can call trustlets and exploit vulnerabilities in them to compromise the device.

    Reply
  23. Tomi Engdahl says:

    Google Optimizes Safe Browsing API for Mobile
    http://www.securityweek.com/google-optimizes-safe-browsing-api-mobile

    Google on Friday announced a new version of its Safe Browsing API and a focus on maximizing protection for both mobile and desktop users.

    Initially designed to provide developers with access to the company’s lists of suspected unsafe sites, Safe Browsing has evolved into a protection mechanism for users around the world. Over the past few years, Google has made several improvements to Safe Browsing, which now includes alerts for potentially unwanted programs (PUPs).

    Reply
  24. Tomi Engdahl says:

    Attack on Swiss Defense Firm Linked to Turla Cyberspies
    http://www.securityweek.com/attack-swiss-defense-firm-linked-turla-cyberspies

    The recent cyber espionage attack aimed at Swiss defense firm RUAG was carried out by the Russia-linked threat group known as Turla, according to a report commissioned by the Swiss government.

    RUAG is a Bern-based technology company owned by the Swiss government. The organization specializes in aviation, space and defense with products ranging from satellite equipment to ammunition.

    News of a cyberattack on RUAG came to light earlier this month when Switzerland’s Defense Minister Guy Parmelin revealed that his ministry was targeted by malicious actors in January while he was attending the World Economic Forum.

    Reply
  25. Tomi Engdahl says:

    Pastejack attack turns your clipboard into a threat
    CTRL-V vector turns “not evil” into “evil” without the target noticing
    http://www.theregister.co.uk/2016/05/25/pastejack_attack_turns_your_clipboard_into_a_vector/

    Once, you could use HTML/CSS to manipulate the clipboard, but it was not a good way to do so. Now a security bod has worked out how to do it in JavaScript and reckons it’s a lot more dangerous.

    At first glance, it looks like purely a stunt-attack, except for this: a phishing e-mail purporting to be from tech support could trick a victim into dropping a message into a terminal window and executing it – not realising that what’s in the clipboard got changed on the way.

    Dylan Ayrey, who published the exploit at GitHub, explains: “If a user attempts to copy the text with keyboard shortcuts, i.e. ctrl+c or command+c, an 800ms timer gets set that will override the user’s clipboard with malicious code”.

    Reply
  26. Tomi Engdahl says:

    Microsoft explains which cloud security problems are your problem
    And reveals that for really bad problems, Microsoft will break Azure to fix it
    http://www.theregister.co.uk/2016/04/15/cloud_problems_are_no_problem_when_you_know_your_problems_and_microsofts_problems/

    Microsoft has issued guidelines about Azure security that spell out when a problem is your problem and when a problem is Microsoft’s problem.

    Reply
  27. Tomi Engdahl says:

    Mark Scott / New York Times:
    EU proposes new rules to protect minors, combat hate speech, and mandate that video streaming services have 20% European content

    Europe Seeks Greater Control Over Digital Services
    http://www.nytimes.com/2016/05/26/technology/eu-proposals-apple-netflix-facebook.html?_r=0

    If European regulators get their way, Netflix may soon have to do more than just offer “Unbreakable Kimmy Schmidt” with French subtitles.

    European officials proposed on Wednesday a new set of rules that could force Netflix and other video streaming services to carry a minimum amount of local content in individual countries, as well as to help pay for its development.

    It is part of a broader effort to regulate how the 500 million people in the region can buy, access and consume online services like video streaming and messaging applications.

    The changes form the building blocks for Europe’s broad plan for a single digital market, a strategy that officials say they hope will help bolster the region’s sluggish economy.

    “The way we watch TV or videos may have changed, but our values don’t,” Günther H. Oettinger, the European commissioner in charge of the digital economy, said in a statement on Wednesday. “With these new rules, we will uphold media pluralism.”

    European policy makers said that online streaming rivals currently invested only around 1 percent of their annual revenue in local content.

    European officials also said on Wednesday that they were still reviewing potential new rules to control how so-called online platforms like Facebook and Amazon operate in the 28-member bloc.

    European officials also said they were looking into making it easier for people to move their digital information between online platforms by the end of the year, giving them greater control over data that companies collected on their daily digital lives.

    Reply
  28. Tomi Engdahl says:

    Bloomberg:
    Sources: Google is aiming to reduce Android fragmentation by pressuring carriers, OEMs into pushing out updates more quickly — Web giant creates rankings that could shame ecosystem laggards — Friendly tactics also used to unify top phone operating system

    Google Steps Up Pressure on Partners Tardy in Updating Android
    http://www.bloomberg.com/news/articles/2016-05-25/google-steps-up-pressure-on-partners-tardy-in-updating-android

    Getting phone makers and carriers to update to the latest version of Android has been one of the thorniest challenges facing Google as it tries to widen the use of its mobile software and generate more sales from its apps and web services.

    Now, Google is getting serious about remedying what ails Android, and it’s using both carrots and sticks to get partners to keep the world’s most popular mobile operating system more up to date.

    The issue — a mishmash of different smartphones running outdated software lacking the latest security and features — has plagued Android since its debut in 2007. But Google has stepped up its efforts recently, accelerating security updates, rolling out technology workarounds and reducing phone testing requirements.

    Reply
  29. Tomi Engdahl says:

    Software Development Below the Security Poverty Line
    http://www.securityweek.com/software-development-below-security-poverty-line

    A product manager approaches the security architect. “Please,” the product manager says, “I only have one or two more releases of this product before the program is cancelled. Won’t you please sign off on shipping without your security requirements so that we can afford to implement a few more features?”

    They are operating below the security poverty line.

    Wendy Nather coined the term “security poverty line” to describe how organizations operate when they have insufficient investment in IT security. The phrase struck a chord with me immediately because it vividly describes the frustration of how it feels to be a security person in an organization operating below the security poverty line like this. It applies equally to software development organizations, as the anecdote above demonstrates.

    Development teams living below the security poverty line are either unfamiliar with secure coding standards or haven’t taken the time to train other members of the development team. They don’t use dynamic and static analysis tools. They don’t have SDLC processes in place or if they do, the organization ignores them. Every vulnerability notification is an emergency. Basic security hygiene activities get deprioritized in favor of features that have a positive ROI.

    A recent NTIA survey reports that 45% of U.S. Internet users are refraining from spending time and money on the Internet due to security and privacy concerns.

    Reply
  30. Tomi Engdahl says:

    Austrian Firm Fires CEO After $56-million Cyber Scam
    http://www.securityweek.com/austrian-firm-fires-ceo-after-56-million-cyber-scam

    Austrian aircraft parts maker FACC said Wednesday that it has fired its chief executive of 17 years after cyber criminals stole some 50 million euros ($55.7 million) in a so-called “fake president” scam.

    Press reports said that in January a FACC employee wired around 50 million euros, equivalent to almost 10 percent of annual revenues, after receiving emailed instructions from someone posing as Stephan

    By the time the firm, which began life making skis before expanding into aeronautics, realized the mistake, it was too late. The money had disappeared in Slovakia and Asia, the Standard daily reported.

    The company said Wednesday that the scam, also known as “bogus boss” or “CEO fraud” and increasingly popular with sophisticated organized criminals, cost it 41.9 million euros in its 2015/16 business year.

    Reply
  31. Tomi Engdahl says:

    Asia Hotbed of IT Piracy Despite Economic Growth: Report
    http://www.securityweek.com/asia-hotbed-it-piracy-despite-economic-growth-report

    Unlicensed Software Use Still High Globally Despite Costly Cybersecurity Threats

    More than 60 percent of all computer software installed in the Asia-Pacific in 2015 was unlicensed, the worst of any region, despite growing economies and anti-piracy efforts, an industry watchdog said Wednesday.

    The Software Alliance — which includes giants like Microsoft, Apple, Intel, Oracle and Adobe — said in a report that the unlicensed software in Asia had a value of $19.1 billion last year.

    Piracy rates were most rampant in Bangladesh, Pakistan and Indonesia at more than 80 percent. The global piracy average was 39 percent.

    While the worldwide piracy rate decreased by four percentage points from 2013, Asia saw only a one percentage point decline to 61 percent over the two-year period, said the report, which did not cover mobile devices.

    Reply
  32. Tomi Engdahl says:

    Pastejacking Attack Allows Hackers to Execute Malicious Code
    http://www.securityweek.com/pastejacking-attack-allows-hackers-execute-malicious-code

    The fact that web browsers allow developers to manipulate the content of the clipboard can be exploited by attackers to trick unsuspecting users into executing potentially malicious code on their systems.

    Experts demonstrated several years ago that HTML/CSS tricks could be used to add arbitrary content to the clipboard without the user’s knowledge. However, the method detailed by developer and security expert Dylan Ayrey, dubbed “Pastejacking,” relies on JavaScript to accomplish the task.

    “What’s different about this is the text can be copied after an event, it can be copied on a short timer following an event, and it’s easier to copy in hex characters into the clipboard, which can be used to exploit VIM,” Ayrey explained.

    A proof-of-concept (PoC) developed by the expert shows the threat posed by a Pastejacking attack when the user pastes commands copied from the web browser into the terminal. The example provided by Ayrey shows how an attacker can trick the user into thinking that they are copying echo “not evil” when in fact the string that gets copied is echo “evil”\n.

    The \n (newline) character ensures that the command is executed automatically when pasted into the terminal without the user having to press the enter/return key.

    Reply
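    Added example for the two Pastejacking items above (this one and the earlier Register item); it is not Dylan Ayrey’s proof of concept nor code from either article. It shows the check a defender can run on clipboard text before pasting into a terminal: flag line terminators (the “\n” that auto-executes the command), control characters (the kind aimed at Vim), invisible format characters, and any divergence between what the page displayed and what the clipboard actually holds. The sample strings are constructed to mirror the article’s “not evil” / “evil” illustration.

```python
"""Inspect clipboard text copied from a web page before it reaches a shell."""
import unicodedata
from typing import List, Optional

# Characters that submit a command the moment they are pasted.
LINE_TERMINATORS = {"\n", "\r"}

# Unicode categories for characters that render as nothing: format chars
# (zero-width space, joiners), line/paragraph separators.
INVISIBLE_CATEGORIES = {"Cf", "Zl", "Zp"}


def _is_control(ch: str) -> bool:
    """True for C0/C1 control characters other than TAB (which is legitimate)."""
    return unicodedata.category(ch) == "Cc" and ch != "\t"


def inspect_paste(text: str) -> List[str]:
    """Return human-readable findings for a candidate paste; empty list = nothing suspicious."""
    findings: List[str] = []

    terminators = sum(1 for ch in text if ch in LINE_TERMINATORS)
    if terminators:
        findings.append(
            f"contains {terminators} line terminator(s); the command would run "
            "as soon as it is pasted, without pressing Enter"
        )

    controls = sorted({f"0x{ord(ch):02x}" for ch in text
                       if _is_control(ch) and ch not in LINE_TERMINATORS})
    if controls:
        findings.append("contains control characters: " + ", ".join(controls))

    invisible = sorted({f"U+{ord(ch):04X}" for ch in text
                        if unicodedata.category(ch) in INVISIBLE_CATEGORIES})
    if invisible:
        findings.append("contains invisible format characters: " + ", ".join(invisible))

    return findings


def safe_to_paste(text: str) -> bool:
    """Convenience wrapper: True only when inspect_paste() raises no finding."""
    return not inspect_paste(text)


def first_divergence(displayed: str, clipboard: str) -> Optional[int]:
    """Index at which the displayed text and clipboard content first differ, or None if identical.

    Pastejacking works precisely because these two strings are not the same:
    the page shows one command while a copy handler places another in the clipboard.
    """
    for i, (a, b) in enumerate(zip(displayed, clipboard)):
        if a != b:
            return i
    if len(displayed) != len(clipboard):
        return min(len(displayed), len(clipboard))
    return None


if __name__ == "__main__":
    # Constructed samples mirroring the article: what the user saw vs. what was copied.
    displayed = 'echo "not evil"'
    clipboard = 'echo "evil"\n'
    for finding in inspect_paste(clipboard):
        print("finding:", finding)
    print("first divergence at index:", first_divergence(displayed, clipboard))
```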
  33. Tomi Engdahl says:

    Hillary Clinton broke law with private email server – top US govt watchdog
    System also came under hacking attacks (just like everything else on the internet)
    http://www.theregister.co.uk/2016/05/26/inspector_general_clinton_broke_law_private_email_server/

    A report by the US State Department’s Office of the Inspector General (OIG) has found presidential wannabe Hillary Clinton did breach record-keeping laws – by using a personal server for work emails. The watchdog added she was not alone in the practice.

    The 89-page dossier [PDF] found that three senior State Department figures had broken the rules by using personal email accounts for departmental business: Colin Powell, Hillary Clinton, and Scott Gration, the US ambassador to Kenya.

    General Powell, who was Secretary of State from 2001 to 2005, had a private line installed in his office and used a laptop to exchange emails with colleagues and department staff. He was unable to provide copies of all emails sent to investigators.

    State Dept. IT Staff Told To Keep Quiet About Clinton’s Server
    https://politics.slashdot.org/story/16/05/25/2142250/state-dept-it-staff-told-to-keep-quiet-about-clintons-server

    Former U.S. Secretary of State Hillary Clinton’s decision to use a private email server ran afoul of the government’s IT security and record retention requirements, according to a report by the department’s inspector general released today. This use of a private email server did not go unnoticed within the Department of State’s IT department. Two IT staff members who raised concerns about Clinton’s use of a private server were told not to speak of it.

    Reply
  34. Tomi Engdahl says:

    Tor To Use Distributed RNG To Generate Truly Random Numbers
    https://yro.slashdot.org/story/16/05/25/2347238/tor-to-use-distributed-rng-to-generate-truly-random-numbers

    Tor developers have been working on the next iteration of the Tor network and its underbelly, the Onion routing protocol, in order to create a stronger, harder-to-crack anonymous communications system. To advance the project, the developer team schedules brainstorming and planning meetings at regular intervals.

    The Tor network is working on top of a revamped Onion protocol that uses a new algorithm for generating random numbers, never before seen on the Internet. The Tor Project says it created something it calls “a distributed RNG”.

    Tor to Use Never-Before-Seen Distributed RNG to Generate Truly Random Numbers
    http://news.softpedia.com/news/tor-to-use-never-seen-before-distributed-rng-to-generate-truly-random-numbers-504461.shtml

    Reply
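    Added example for the Tor item above; it is not the Tor Project’s code and the article gives no protocol details. It assumes, as a labelled simplification, the commit-and-reveal design that underlies a distributed RNG of this kind: each participant first publishes a hash commitment to a secret value, later reveals the value, and the shared random output hashes every verified reveal together, so no single party can pick the outcome and a party that lies or withholds its reveal is detected and excluded.

```python
"""Commit-and-reveal shared randomness between several participants (simplified)."""
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

COMMIT_TAG = b"commit:"          # domain separation for commitments
OUTPUT_TAG = b"shared-random:"   # domain separation for the final value


def make_commitment(secret: bytes) -> bytes:
    """Commit to a secret by hashing it; publishing this reveals nothing about the secret."""
    return hashlib.sha256(COMMIT_TAG + secret).digest()


def verify_reveal(commitment: bytes, reveal: bytes) -> bool:
    """Check that a revealed value matches the commitment published earlier."""
    return hmac.compare_digest(make_commitment(reveal), commitment)


class Participant:
    """One party in the protocol (constructed stand-in for, e.g., a directory authority)."""

    def __init__(self, name: str, secret: Optional[bytes] = None) -> None:
        self.name = name
        # A fixed secret may be injected for tests; real runs draw 32 random bytes.
        self.secret = secret if secret is not None else os.urandom(32)
        self.commitment = make_commitment(self.secret)

    def reveal(self) -> bytes:
        return self.secret


def compute_shared_random(commitments: Dict[str, bytes],
                          reveals: Dict[str, Optional[bytes]]) -> Tuple[bytes, List[str]]:
    """Combine the verified reveals into one 32-byte value.

    Participants are processed in canonical (sorted) name order so every honest
    party computes the same result. A party whose reveal is missing or does not
    match its commitment is excluded and reported, so misbehaviour is visible
    rather than silently changing the output.
    """
    excluded: List[str] = []
    h = hashlib.sha256(OUTPUT_TAG)
    for name in sorted(commitments):
        reveal = reveals.get(name)
        if reveal is None or not verify_reveal(commitments[name], reveal):
            excluded.append(name)
            continue
        h.update(name.encode("utf-8"))
        h.update(reveal)
    return h.digest(), excluded


def run_round(participants: List[Participant],
              withhold: Tuple[str, ...] = ()) -> Tuple[bytes, List[str]]:
    """Run one full round: commit phase, then reveal phase, then aggregation."""
    # Phase 1: everyone publishes commitments before seeing anyone's secret.
    commitments = {p.name: p.commitment for p in participants}
    # Phase 2: secrets are revealed; a misbehaving party may withhold its reveal.
    reveals: Dict[str, Optional[bytes]] = {
        p.name: (None if p.name in withhold else p.reveal()) for p in participants
    }
    return compute_shared_random(commitments, reveals)


if __name__ == "__main__":
    parties = [Participant(n) for n in ("auth1", "auth2", "auth3")]
    value, bad = run_round(parties)
    print("shared random:", value.hex(), "excluded:", bad)
    value2, bad2 = run_round(parties, withhold=("auth2",))
    print("with auth2 withholding:", value2.hex(), "excluded:", bad2)
```

The second run shows the residual weakness of plain commit-and-reveal: a party that withholds after seeing the others’ reveals can choose between two outputs, which is why the exclusion list matters for accountability.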
  35. Tomi Engdahl says:

    DDOS-as-a-service offered for just five dollars
    Freelancer-finding site Fiverr boots out sellers, but DDOS prices are plunging everywhere
    http://www.theregister.co.uk/2016/05/26/booter_bandits_booted_for_flogging_five_buck_ddos_dross/

    Freelancer-finding site Fiverr has booted out users offering distributed denial of service attack for-hire groups for as low as US$5.

    Fiverr is a service that connects buyers with professionals like designers and developers, many of whom offer their services for not much more than the price of a beer.

    Incapsula security wonks Igal Zeifman and Dan Breslaw found and reported crims who were found flogging the stresser or booter services on the site.

    Reply
  36. Tomi Engdahl says:

    Blighty’s National Cyber Security Centre cyber-reveals cyber-blueprints
    NCSC will address best practices and incident response
    http://www.theregister.co.uk/2016/05/26/uk_cyber_security_centre_blueprint/

    The UK government has released the prospectus for its National Cyber Security Centre (NCSC), ahead of the launch of the facility this Autumn.

    The blueprint [PDF] outlines that the NCSC will act as a hub for sharing best practices in security between public and private sectors, and will tackle cyber incident response.

    As previously reported, the NCSC is being set up to aggregate the UK’s cyber expertise. Working with the Bank of England on new cyber security guidance for financial firms is also due to be among its initial objectives.

    Reply
  37. Tomi Engdahl says:

    China gets big data fever, backed by security push
    Government promises more data-sharing and analytics of everything
    http://www.theregister.co.uk/2016/05/27/china_gets_big_data_fever_backed_by_security_push/

    Chinese premier Li Keqiang has graced an otherwise obscure big data conference with his presence and outlined a new national analytics strategy.

    Speaking at the Big Data Industry Summit & China E-commerce Innovation and Development Summit in Guiyang this week, Li said China will accelerate efforts to share information between all levels of government to spur business growth and reduce red tape. Li also outlined a plan to gather supply chain and transport data from around the nation in order to optimise both efforts and accelerate China’s transition from manufacturing to whatever comes next.

    The premier also said China’s government aims to harden the nation’s digital infrastructure, to protect against commercial and state-backed espionage. Privacy scored a mention in Li’s speech, too, as part of an intention to combat online crime.

    Development of telecommunications infrastructure in rural areas will be accelerated to help things along.

    Reply
  38. Tomi Engdahl says:

    Quiet cryptologist Bill Duane’s war with Beijing’s best
    The co-developer of RSA’s SecurID explains how he fought against Chinese crack
    http://www.theregister.co.uk/2016/05/27/the_quiet_cryptologists_war_with_beijings_best/

    In March 2011, a suspected-to-be-Beijing-backed hacking unit infiltrated security giant RSA, successfully subverted its SecurID product and hacked top American defence contractor Lockheed Martin.

    That attack left Bill Duane stressed and exhausted. Duane is a quiet cryptologist who co-developed the SecurID token. As the attack became apparent, he moved out of home and into a hotel across from RSA’s office, to fight what would become a personal battle with an elite Chinese hacking unit.

    Those long hours were needed because the breach is one of the most significant in history. The hacking unit known as PLA (People’s Liberation Army) Unit 61398, or to the intelligence industry as Byzantine Candor, Comment Crew, and APT 1, operated out of a shabby building in the outskirts of Shanghai and excelled in plundering highly-secure US firms.

    The Chinese hackers learned of Duane’s involvement and began targeting him. They did this despite the distinguished engineer having virtually no online presence, no photos indexed by Google and no social media accounts, despite a tech sector career spanning more than four decades.

    “No organisation can muster the defence against these attackers,”

    Reply
  39. Tomi Engdahl says:

    Anonymous Hackers Turned Stock Analysts Are Targeting US, Chinese Corporations
    https://news.slashdot.org/story/16/05/26/2212249/anonymous-hackers-turned-stock-analysts-are-targeting-us-chinese-corporations

    A smaller group of Anonymous, called Anonymous Analytics, reached the conclusion that DDoSing is stupid and never fixes anything, so they decided to use their hacking skills and stock market knowledge to make a difference in another way. For the past years, the group has been compiling market reports on U.S. and Chinese companies and publishing their results. Their reports have been noticed by the stock market, who recently started to react to their findings. The most obvious case was of Chinese lottery machine maker REXLot. The hackers discovered that REXLot inflated its revenue and the amount of cash on its balance sheet, based on the amount of interest earned.

    Other companies on which the group published market reports include Qihoo 360 and Western Union.

    Comment:
    This is the inherent risk. Their ethical radars are somewhat wonky to say the least; how long before they use the tactic of releasing false information about a company they dislike simply to crash their share price, or worse, abuse it to make a small fortune themselves? If they stick to the truth, fine, but I just don’t see them not being tempted to abuse trust.

    http://www.anonanalytics.com/2016/04/rexlot-holdings-ii.html

    Reply
  40. Tomi Engdahl says:

    Bank in the UK? Plans afoot to make YOU liable for bank fraud
    Wonder whose idea that was…
    http://www.theregister.co.uk/2016/05/26/bank_fraud_liability_shake_up/

    Bank customers may be obliged to bear the bill for fraud against their accounts, under proposed changes under consideration between banks, the UK government and GCHQ.

    Under the plans, individuals or companies with poor online security could be “frozen out of banking services or even excluded from the system whereby banks compensate customers whose accounts are hacked”, the Financial Times reports.

    UK banks – unlike those in the US – routinely cover the costs of online fraud, at least in cases where customer negligence (such as sharing PIN codes or cards with third parties) is excluded. Pushing the burden of fraudulent losses towards customers is likely to be hugely controversial. Bankers’ bonuses in the wake of taxpayer-funded bailouts of several banks in 2008 have already caused a huge series of rows and radical changes in liability for online banking fraud through phishing and banking trojans is likely to be even more contentious.

    The circumstances suggest that ministers are floating an idea they already know is controversial, even politically unpalatable. If anything comes to light it’s likely to be much diluted.

    Some security vendors – normally cheerleaders for UK government security plans – have already expressed opposition to the possible banking liability shake-up.

    Reply
  41. Tomi Engdahl says:

    Smartphone Surveillance Tech Used To Target Anti-Abortion Ads At Pregnant Women
    https://news.slashdot.org/story/16/05/26/222200/smartphone-surveillance-tech-used-to-target-anti-abortion-ads-at-pregnant-women

    Rewire reports: “Last year, an enterprising advertising executive based in Boston, Massachusetts, had an idea: Instead of using his sophisticated mobile surveillance techniques to figure out which consumers might be interested in buying shoes, cars, or any of the other products typically advertised online, what if he used the same technology to figure out which women were potentially contemplating abortion, and send them ads on behalf of anti-choice organizations?”

    Google has been reportedly tracking users on around 80 percent of all ‘Top 1 Million’ domains. Facebook is doing something similar.

    Anti-Choice Groups Use Smartphone Surveillance to Target ‘Abortion-Minded Women’ During Clinic Visits
    https://rewire.news/article/2016/05/25/anti-choice-groups-deploy-smartphone-surveillance-target-abortion-minded-women-clinic-visits/

    Women who have visited almost any abortion clinic in the United States have seen anti-choice protesters outside, wielding placards and chanting abuse. A Boston advertiser’s technology, when deployed by anti-choice groups, allows those groups to send propaganda directly to a woman’s phone while she is in a clinic waiting room.

    Reply
  42. Tomi Engdahl says:

    Millennials Value Speed Over Security, Says Survey
    https://yro.slashdot.org/story/16/05/26/2019205/millennials-value-speed-over-security-says-survey

    Millennials stand apart from other Americans in preferring faster Internet access to safer Internet access, according to a new survey. When digital-authentication firm SecureAuth asked people from all age groups whether they would rather be safer online or browse faster online, 57 percent of Americans chose security and 43 percent chose speed. But among millennials, the results were almost reversed: 54 percent chose speed over security. Young people are also more willing than the overall population to share sensitive information over public Wi-Fi connections, which are notoriously insecure as they allow anyone on the network to analyze and intercept passing traffic.

    Unlike other Americans, millennials value speed over security online
    http://www.dailydot.com/politics/americans-internet-security-speed-preferences-survey/

    Millennials stand apart from other Americans in preferring faster Internet access to safer Internet access, according to a new survey.

    When digital-authentication firm SecureAuth asked people from all age groups whether they would rather be safer online or browse faster online, 57 percent of Americans chose security and 43 percent chose speed. But among millennials, the results were almost reversed: 54 percent chose speed over security.

    “Surprisingly, most millennials don’t think they’re at risk,” SecureAuth CEO Craig Lund said in a statement to the Daily Dot. “They have grown up being so connected on so many social media sites, it never occurred to them that the danger is out there—not to mention that the preference for being connected and involved can often take precedence over the potential risk.”

    Reply
  43. Tomi Engdahl says:

    Data Analytics Rarely Leveraged to Detect Fraud
    http://www.securityweek.com/data-analytics-rarely-leveraged-detect-fraud

    Proactive Data Analytics Accounts for Just 3 Percent of Fraud Detected

    A new report released by KPMG this week on fraud shows little major change when compared to previous reports – except perhaps that there are more female fraudsters today than there were previously. Statistically, fraudsters tend to be male, management, working in groups colluding with outsiders, and aged between 35 and 55. But there is one particularly worrying statistic: technology-assisted fraud is increasing while technology-assisted detection is falling.

    Cyber fraud is an emerging threat, and technology already plays a part in 53 percent of frauds. In North America, technology played a ‘significant’ part in enabling fraud, compared to 24 percent worldwide. But technology is not being used to detect and prevent fraud. “Proactive data analytics, searching for fraud amid anomalies and suspicious business activity, accounts for only 3 percent of frauds detected,” says the report.

    “We find that executives know that hackers and criminal organizations can wreak havoc on companies; they read about such cases almost every day in the media. But they often don’t believe it can happen to them, whether or not they have built defenses against the threat,” suggests Ron Plesco, Cyber Investigations Lead in the US.

    A major recommendation of the report (PDF) is the increased use of technological defenses.

    Data analytics is seen as the primary remedy against fraud. “Companies can use advanced data analytics technology to search for suspicious and unusual business activity amid millions of daily transactions,” said Phillip Ostwalt, partner and Global Investigations Network Leader at KPMG LLP. “However, many are not capitalizing on such technology while fraudsters find new ways to gain access to confidential information, manipulate accounting records and camouflage misappropriations.”

    There are two primary approaches to analytics. The first is manual, making use of the technologies companies already have. Searching logs can help visually recognize anomalies – but logs are so massive that this is only really feasible when the analyst already knows what he or she is looking for.

    The second approach is to use one of the many new threat detection tools that can employ some form of behavioral analytics, such as those offered by RSA, ThreatMetrix, Guardian Analytics, or even Splunk. The difficulty here is setting the detection rules to a level that is manageable; that is, likely to detect genuine issues without overwhelming the security team with inconsequential warnings.

    “A few companies’ organizations are deploying behavioral analytics, and there is certainly more discussion about how to do so, and what data to utilize,”

    Reply
  44. Tomi Engdahl says:

    “Wekby” Group Uses DNS Requests for C&C Communications
    http://www.securityweek.com/wekby-group-uses-dns-requests-cc-communications

    Palo Alto Networks researchers noticed that a China-linked advanced persistent threat (APT) actor has been using a piece of malware that leverages DNS requests for command and control (C&C) communications.

    The attackers delivered the malware using an infrastructure that includes domains made to look like they belong to major organizations such as Logitech and Global Print.

    The hackers first deliver a dropper designed to add registry keys for persistence, and decrypt and execute a file that contains the pisloader payload. The payload is obfuscated using a ROP technique and contains random assembly instructions to make reverse engineering more difficult.

    Pisloader uses DNS requests for C&C communications, which allows it to bypass certain security products that don’t properly inspect this type of traffic.

    An increasing number of threats have been leveraging the technique, including point-of-sale (PoS) malware such as FrameworkPOS and Multigrain.

    Reply
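    A defender-side counterpart to the technique described above, added here and not Palo Alto Networks’ or the malware’s code: a heuristic pass over constructed DNS query-log lines that flags a client sending many distinct, high-entropy subdomain queries to a single domain, which is what C&C or exfiltration over DNS tends to look like at the resolver. The log format, domains, thresholds and record-type weighting are assumptions.

```python
import math
from collections import defaultdict

# Constructed sample resolver log: "<epoch> <client> <qtype> <qname>" (assumed format).
# The c2-sample.invalid queries model a covert channel: each query carries a
# fresh, random-looking label; the rest are ordinary lookups.
SAMPLE_LOG = """\
1464300001 10.0.0.5 A    www.example.com
1464300002 10.0.0.5 TXT  3f9c1a7e5b2d8046.c2-sample.invalid
1464300003 10.0.0.5 TXT  a81e4d0b6c2f9357.c2-sample.invalid
1464300004 10.0.0.7 A    mail.example.com
1464300005 10.0.0.5 TXT  d4b7f03e2a5c9861.c2-sample.invalid
1464300006 10.0.0.7 AAAA cdn.example.net
1464300007 10.0.0.5 TXT  7c2e9a4f0d6b3185.c2-sample.invalid
1464300008 10.0.0.5 TXT  e5a30c8f1b7d2496.c2-sample.invalid
1464300009 10.0.0.7 A    www.example.com
"""


def shannon_entropy(text):
    """Bits per character; random hex labels score high, 'www' or 'mail' score low."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Return (subdomain prefix, crude registered domain = last two labels)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def analyze(log_text, min_queries=4, min_entropy=3.0, min_distinct_ratio=0.8):
    """Group queries per (client, domain); flag groups where nearly every query
    uses a never-repeated, high-entropy prefix. Thresholds are illustrative."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines rather than abort the whole pass
        _ts, client, qtype, qname = fields
        prefix, domain = split_name(qname)
        groups[(client, domain)].append((qtype.upper(), prefix))

    findings = []
    for (client, domain), queries in sorted(groups.items()):
        if len(queries) < min_queries:
            continue
        prefixes = [p for _, p in queries]
        distinct_ratio = len(set(prefixes)) / len(prefixes)
        avg_entropy = sum(shannon_entropy(p.replace(".", "")) for p in prefixes) / len(prefixes)
        # TXT/NULL/CNAME answers carry arbitrary data back, so their share is worth reporting.
        data_share = sum(1 for t, _ in queries if t in ("TXT", "NULL", "CNAME")) / len(queries)
        if distinct_ratio >= min_distinct_ratio and avg_entropy >= min_entropy:
            findings.append({"client": client, "domain": domain, "queries": len(queries),
                             "avg_entropy": round(avg_entropy, 2),
                             "data_share": round(data_share, 2)})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```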
  45. Tomi Engdahl says:

    12 more banks now being investigated over Bangladeshi SWIFT heist
    Symantec becomes the second firm to link the hack to the Sony Pictures attack.
    http://arstechnica.com/security/2016/05/12-more-banks-now-being-investigated-over-bangladeshi-swift-heist/

    The investigation into the attempted $1 billion electronic heist at the Central Bank of Bangladesh has expanded to as many as 12 more banks that all use the SWIFT payment network.

    Security firm FireEye, investigating the hack, has been contacted by numerous other banks, including some in New Zealand and the Philippines. While most of the attempted transfers in the original heist were canceled, some $81 million was sent to the Philippines and subsequently laundered through casinos. The SWIFT organization in a statement said that some of these reports may be false positives and that banks should rigorously review their computing environments to look for hackers.

    Symantec, meanwhile, has corroborated earlier claims from BAE Systems that the hackers that stole from the Bangladesh Bank are linked to the hackers that have attacked targets in the US and South Korea since 2009 and that hacked Sony Pictures in 2014.

    The continuing evidence of malicious access to the SWIFT network is putting increasing pressure on the industry-owned organization. SWIFT’s systems rely, fundamentally, on carefully controlled access to its network using air-gapped systems and other forms of isolation.

    Reply
  46. Tomi Engdahl says:

    $1B Bangladesh heist: Officials say SWIFT technicians left bank vulnerable
    Bank officials say it wasn’t their fault that sensitive systems were exposed to hackers.
    http://arstechnica.com/security/2016/05/1b-bangladesh-heist-officials-say-swift-technicians-left-bank-vulnerable/

    Technicians from the global payment network SWIFT left Bangladesh’s Central Bank vulnerable to an attack that saw attackers steal $81 million, according to Bangladeshi police and bank officials speaking to Reuters.

    Bank officials speaking anonymously said that contrary to SWIFT’s own policies, the SWIFT system was connected to the bank’s main network, and hence to the Internet at large. Instead of using firewalls and/or VLANs to segment networks and restrict access, the technicians instead used a dumb unmanaged switch that they found unused at the bank, police said. This lack of separation left the SWIFT system much more exposed to hackers than it might otherwise have been.

    Reuters’ sources further said that the technicians set up a wireless network so that they could access the SWIFT systems without having to be in the same locked room. This wireless network was not removed or disabled when the work was completed, and the network was only protected by a simple password.

    Reply
  47. Tomi Engdahl says:

    Vijith Assar / The Verge:
    Genius’ web annotator tool exposed sites on genius.it to XSS attacks by ignoring CSP policy

    How Genius annotations undermined web security
    http://www.theverge.com/2016/5/25/11505454/news-genius-annotate-the-web-content-security-policy-vulnerability

    To comment on other people’s websites, Genius broke a 20-year-old browser security system

    Until early May, when The Verge confidentially disclosed the results of my independent security tests, the “web annotator” service provided by the tech startup Genius had been routinely undermining a web browser security mechanism. The web annotator is a tool which essentially republishes web pages in order to let Genius users leave comments on specific passages. In the process of republishing, those annotated pages would be stripped of an optional security feature called the Content Security Policy, which was sometimes provided by the original version of the page. This meant that anyone who viewed a page with annotations enabled was potentially vulnerable to security exploits that would have been blocked by the original site. Though no specific victims have been identified, the potential scope of this bug was broad: it was applied to all Genius users, undermined any site with a Content Security Policy, and re-enabled all blocked JavaScript code.

    The primary way Genius annotations are accessed on the web is by adding “genius.it” in front of any URL as a prefix. The genius.it server reads the original content behind the scenes, adds the annotations, and delivers the hybrid content. The Genius version of the page includes a few extra scripts and highlighted passages, but until recently it also eliminated the original page’s Content Security Policy. The Content Security Policy is an optional set of instructions encoded in the header of the HTTP connection which tells browsers exactly which sites and servers should be considered safe — any code which isn’t from one of those sites can then be ignored.

    Content Security Policies were first introduced in 2012 and are not yet in widespread use, since they can interfere with scripts used for advertising and social-network functionality, and thus tend to be implemented only by sites with high security standards.

    Having a Content Security Policy in place drastically limits the viability of a type of attack called “cross-site scripting,” or “XSS,”

    The easiest way to hijack a site with a JavaScript exploit is to run the code as an “inline script,” which means the code is simply printed directly on the page as part of the content instead of being called from a separate file. A Content Security Policy typically prohibits inline scripts, instead allowing only scripts hosted on remote servers that have been specifically whitelisted. The vast majority of cross-site scripting attacks rely on getting code to simply appear on pages and then execute, so this added restriction removes their primary publication method.

    After we initially disclosed the Content Security Policy issue, Genius correctly pointed out that the risk of cross-site scripting attacks was minimal

    The cross-site scripting prevented by the Content Security Policy is one of a broad class of security issues collectively known as “code injection.”

    Content Security Policies are a stricter and more powerful reinvention of an important defense against cross-site scripting called the “same-origin policy,” a browser behavior that has been universal practice for the past 20 years. The same-origin policy says that information from a page is only available to a script if that same page also served the script. This means that even if a malicious script somehow gets added to a page and starts running, the browsers will refuse to let it access the page’s content. So to a malicious attacker, there are really two key ingredients to a successful XSS exploit: first, they have to find a way to inject the code and get it to run, and only then can they use it to do something terrible. Once the same-origin policy was in place, the first step actually became harder than the second.

    The restrictions of the same-origin policy don’t mean much in many vanilla web-development tasks, because a site and its scripts are often served from the same domain. Sometimes there are legitimate reasons to share data between servers, though, so there are several technically sound workarounds which bypass the same-origin policy, like JSONP and CORS headers.

    A less elegant but simpler way to bypass the same-origin policy is called a “proxy,” which is a server-side tool that reads content and then just immediately outputs it again. After going through a proxy, the transmitted data appears to be coming from a known friendly server, and a browser’s same-origin security checks won’t block the client-side script’s ability to access it. This is usually done for specific files or data feed

    Unlike most other proxies, the Genius proxy does not just pass the content through unchanged. Instead, it rewrites the page very slightly, to insert a set of new scripts — which, among other things, start listening to postMessage.

    There can be little argument that Genius has one of the most compelling proxy services on the market. The web annotator is best-in-class technology, a powerful and groundbreaking tool wrapped up in a slick user interface. As a result, the company now also has a modest but growing library of exclusive and original user-generated content. But the viability of this entire system relies on their proxy first overriding browser security — otherwise, per the same-origin policy, their annotation code wouldn’t be able to touch the page text in order to highlight it.

    So with all this in mind, is the Genius web annotator actually a form of cross-site scripting?

    Well, not in the conventional sense — it doesn’t actually fall into any of those three categories, mostly because the site-crossing happens server-side through the proxy instead of in the browser. Of course, the goal of the web annotator is not to harvest user information for malicious ends. But internet security is a continually evolving field in which maybe “conventional sense” doesn’t mean much. Forget that “cross-site scripting” is an established term. The web annotator runs JavaScript code using two sites simultaneously: its own server, and the original content being annotated. By any sufficiently literate interpretation, this is cross-site scripting. That is simply what those words mean.

    All this not to say that we shouldn’t have proxy servers like the one Genius uses, nor services based on them. But for the most part, other proxy services are just passing packets of data along, not altering their content.

    Once you start browsing Genius there’s no natural way to stop — every link just points to more Genius content

    Genius removed the Content Security Policy primarily in order to let their inline script rewrite the links; that change wasn’t technically required by the annotations themselves.

    This means that if the company is successful, there could be a future where it starts to make sense to view large swaths of the web through Genius, with its additional content ready to go.

    This is in part why there is no opt-out mechanism for site owners. If you squint, this tactic looks vaguely reminiscent of Uber’s consistently ruthless expansion into new cities, often with little regard for the relevant local ordinances. Even though the Content Security Policy bug is now fixed, Genius still has another problem: they need to add as much user-generated content as possible right away — currently the vast majority of redirects don’t contain any annotations.

    Reply
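    The mechanism the article describes, as an added example that is not Genius’s or The Verge’s code: a toy annotating proxy in Python that drops the origin’s Content-Security-Policy header, beside a variant that carries the header through and only adds its own script origin, plus the check a site owner can run to tell whether a proxied copy re-enabled inline scripts. The annotator origin, headers and page body are constructed.

```python
# Added example, not Genius's or The Verge's code; the annotator origin,
# headers and page body below are constructed sample data.
ANNOTATOR_ORIGIN = "https://annotator.example"  # hypothetical annotator host
ANNOTATOR_TAG = '<script src="%s/inject.js"></script>' % ANNOTATOR_ORIGIN
CSP = "Content-Security-Policy"


def get_header(headers, name):
    """Case-insensitive header lookup (HTTP header names are not case-sensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def parse_csp(header):
    # "default-src 'self'; script-src 'self' https://cdn" -> {directive: [sources]}
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def serialize_csp(policy):
    return "; ".join(" ".join([name] + sources) for name, sources in policy.items())


def inline_scripts_allowed(headers):
    """Would a browser honouring these headers run an inline <script>? No CSP, or
    no script-src/default-src directive, means yes. A nonce or hash source in the
    governing directive makes the browser ignore 'unsafe-inline'."""
    csp = get_header(headers, CSP)
    if csp is None:
        return True
    policy = parse_csp(csp)
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return True
    if any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources):
        return False
    return "'unsafe-inline'" in sources


def proxy_stripping(origin_headers, origin_body):
    """The behaviour the article describes: inject the annotator script and drop
    the origin's CSP, so inline scripts the origin had blocked now run."""
    headers = {k: v for k, v in origin_headers.items() if k.lower() != CSP.lower()}
    return headers, origin_body.replace("</body>", ANNOTATOR_TAG + "</body>")


def proxy_preserving(origin_headers, origin_body):
    """Hardened variant: keep the origin CSP and add only the annotator's own
    origin to script-src, so the inline-script restriction stays in force."""
    headers = dict(origin_headers)
    csp = get_header(headers, CSP)
    if csp is not None:
        policy = parse_csp(csp)
        if "script-src" not in policy and "default-src" in policy:
            policy["script-src"] = list(policy["default-src"])  # keep other directives tight
        if "script-src" in policy and ANNOTATOR_ORIGIN not in policy["script-src"]:
            policy["script-src"].append(ANNOTATOR_ORIGIN)
        headers = {k: (serialize_csp(policy) if k.lower() == CSP.lower() else v)
                   for k, v in headers.items()}
    return headers, origin_body.replace("</body>", ANNOTATOR_TAG + "</body>")


def csp_weakened(origin_headers, proxied_headers):
    """The check a site owner can run: did the proxied copy re-enable inline scripts?"""
    return not inline_scripts_allowed(origin_headers) and inline_scripts_allowed(proxied_headers)


# Constructed origin response carrying a strict policy.
ORIGIN_HEADERS = {"Content-Type": "text/html",
                  CSP: "default-src 'self'; script-src 'self' https://cdn.example"}
ORIGIN_BODY = "<html><body><p>annotate me</p></body></html>"

if __name__ == "__main__":
    for label, proxy in (("stripping", proxy_stripping), ("preserving", proxy_preserving)):
        headers, _ = proxy(ORIGIN_HEADERS, ORIGIN_BODY)
        print(label, "inline allowed:", inline_scripts_allowed(headers),
              "CSP weakened:", csp_weakened(ORIGIN_HEADERS, headers))
```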
  48. Tomi Engdahl says:

    Lorenzo Franceschi-Bicchierai / Motherboard:
    Hacker behind LinkedIn’s 117M e-mail database claims to have 360M Myspace user emails with passwords

    Hacker Tries To Sell 427 Million Stolen MySpace Passwords For $2,800
    http://motherboard.vice.com/read/427-million-myspace-passwords-emails-data-breach

    There’s an oft-repeated adage in the world of cybersecurity: There are two types of companies, those that have been hacked, and those that don’t yet know they have been hacked.

    MySpace, the social media behemoth that was, is apparently in the second category. The same hacker who was selling the data of more than 164 million LinkedIn users last week now claims to have 360 million emails and passwords of MySpace users, which would be one of the largest leaks of passwords ever. And it looks like the data is being circulated in the underground by other hackers as well.

    It’s unclear when the data was stolen from MySpace, but both the hacker, who’s known as Peace, and one of the operators of LeakedSource, a paid hacked data search engine that also claims to have the credentials, said it’s from a past, unreported, breach.

    “Once data gets traded a few times, eventually it will make its way to somebody who is not trustworthy to keep it a secret, and then it will spread like branches of a tree.”

    “It’s the nature of information. ‘Three can keep a secret, if two of them are dead,’” the operator told me in an online chat. “Once data gets traded a few times, eventually it will make its way to somebody who is not trustworthy to keep it a secret, and then it will spread like branches of a tree.”

    The passwords were originally “hashed” with the SHA1 algorithm, which is known to be weak and easy to crack, LeakedSource wrote. What’s worse, the company didn’t “salt” the passwords in the hashing process.

    That’s why LeakedSource’s operator told me they expect to crack 98 or 99 percent of them by the end of the month, though the operator declined to say how many have been already cracked.

    While the social network, which was one of the largest sites on the internet more than 10 years ago, is now just a shell of its former self, this is still a significant hack.

    If the total numbers are accurate, this is one of the largest data thefts ever.

    If all the data indeed comes from MySpace, this would be the largest breach of emails and passwords ever, topping the list on the data breach awareness site Have I Been Pwned.

    https://haveibeenpwned.com/

    Reply
  49. Tomi Engdahl says:

    Reuters:
    Sources: the Feinstein-Burr encryption bill has lost support in Congress, likely won’t be introduced this year

    Push for encryption law falters despite Apple case spotlight
    http://www.reuters.com/article/us-usa-encryption-legislation-idUSKCN0YI0EM

    After a rampage that left 14 people dead in San Bernardino, key U.S. lawmakers pledged to seek a law requiring technology companies to give law enforcement agencies a “back door” to encrypted communications and electronic devices, such as the iPhone used by one of the shooters.

    Now, only months later, much of the support is gone, and the push for legislation dead, according to sources in congressional offices, the administration and the tech sector.

    Draft legislation that Senators Richard Burr and Dianne Feinstein, the Republican and Democratic leaders of the Intelligence Committee, had circulated weeks ago likely will not be introduced this year and, even if it were, would stand no chance of advancing, the sources said.

    Key among the problems was the lack of White House support

    Reply
  50. Tomi Engdahl says:

    Dissent Doe / The Daily Dot:
    FBI raids home of security researcher who discovered unencrypted sensitive health data of 22K dental patients on an unsecured public FTP server — Someone alerts you to exposed, unencrypted patient information on your FTP server. Is the correct response to thank them profusely or try to have them charged as a criminal hacker?

    FBI raids dental software researcher who discovered private patient data on public server
    http://www.dailydot.com/politics/justin-shafer-fbi-raid/

    Someone alerts you to exposed, unencrypted patient information on your FTP server. Is the correct response to thank them profusely or try to have them charged as a criminal hacker?

    It is not a trick question. Once again, a security researcher has found himself facing possible prosecution under a federal statute known as the Computer Fraud and Abuse Act (CFAA). His crime, according to a dental-industry software company, was accessing what had been left publicly available on the open Internet.

    Shafer was responsible for exposing the fact that Dentrix software, produced by Henry Schein Dental, was misleading customers when it claimed to provide “encryption.”

    So why was the FBI raiding Shafer and treating him like a dangerous criminal?

    one agent subsequently informed Shafer, it stemmed from an incident in February, when Shafer discovered another security vulnerability in dental records, this one a publicly available File Transfer Protocol (FTP) server operated by the team behind Eaglesoft, a dental practice management software.

    led him to an anonymous FTP server that allowed anyone access. When Shafer looked at the files on the publicly available server and saw a directory with patient data, he took steps to alert Patterson to secure the protected health information.

    Shafer discovered the exposed patient data at the beginning of February and contacted DataBreaches.net to request help with the notification and responsible disclosure.

    DataBreaches.net, Shafer found that 22,000 patients had had their unencrypted sensitive health information at risk of access by others.

    To recap: Shafer reported that Patterson Dental had left patient data on an unsecured FTP server, and then he called attention to another vulnerability in one post in February, and then again in a second post in March. And now, according to an FBI agent, Patterson Dental was allegedly claiming that in accessing their unsecured anonymous FTP server, Shafer had accessed it “without authorization” and should be charged criminally under CFAA.

    Shafer is now left wondering, is this an attempt to silence or discredit him?

    “At bottom, the conduct here was visiting a public website. As the Sixth Circuit stated in Pulte Homes, Inc. v. Laborers’ International Union Of North America, 648 F.3d 295 (6th Cir. 2011), everyone is authorized to visit an ‘unprotected website’ that is ‘open to the public.’”

    The same should be true of FTP servers that have no protection on them and are indexed where anyone can find them via a search engine, legal experts say.

    while exposing a company’s inadequate security may not be good for its business, chilling security research could be bad for consumers and all businesses.

    Reply
