Security trends for 2016

Here are my predictions for trends in information security and cyber security for year 2016.

Year 2015 was pretty bad for information security, and I would say that the trend is worrying. So I expect that the year 2016 will bring many information security challenges. If you want to keep yourself up at night, spend some time reading about the latest developments in cybersecurity. In 2015 there were airplanes hacked, cars hacked, and vulnerabilities found in a breathtaking range of sensitive equipment, from TSA locks to voting booths to medical devices. The big picture is even scarier. Former NSA Director Mike McConnell suspects China has hacked “every major corporation” in the US. Those problems will continue in 2016, and new targets for attacks will be found. The system is broken. It isn’t keeping us, our companies, or our government safe. Worse yet, no one seems to know how to fix it.

Attacks through networks are becoming more common all the time. It will be hard to protect against targeted attacks. Hackers will not only customize malware, but will increasingly use sophisticated phishing and social engineering tricks to gain access to sensitive data. Attackers usually cover their tracks carefully, and identifying who is behind an attack can be very difficult. Behind targeted attacks are usually professional criminals. Criminals do not respect geographical borders, and hence attacks are spread evenly everywhere. Companies will struggle to absorb the combined security threats of PCs and mobile devices in 2016.

EU information security decisions made in late 2015 will have an impact on what comes in 2016: the new EU data protection legislation package was approved, and the EU Court of Justice ruled that the Safe Harbor procedure is invalid. This means that transfers of personal data from EU countries to the United States under Safe Harbor are a violation of law – you need some other legal basis for them. The situation will probably get clarified during 2016. Data protection legislation changes will lead to increased fines for the unprepared. Legal uncertainty and big fines are a toxic cocktail for some companies. The combination of stiff penalties and ambiguously worded provisions in the new EU-wide data protection law, which would replace a patchwork of 28 national laws, raises daunting prospects for companies operating in Europe.

After the huge number of user information leaks in 2015 from all kinds of Internet services, cloud companies will face challenges in gaining trust in their security. You might have just dared to trust “the right cloud services,” since from the traditional information security point of view they seemed to have the main things in order, but the leaks have raised privacy issues.

New environments will bring new threats. New operating system versions mean that administrators and users are less familiar with the environments. IPv6 will get more widely used, and the security of IPv6 networks is different from IPv4. Organizations are moving to virtualized environments, which are complex and create network layers that can become an attack vector. Growing network virtualization functionality and programmability are both an opportunity and a threat to security. Cyber security research will be important in 2016, as 5G networks will be critical infrastructure on top of which, for example, transport, industry, health and the new operators set up their business around 2020.

The huge amount of information security news is becoming harder and harder to manage in 2016. A key problem with security disclosures, as with all other news coverage, is the exponential growth of information. There are a variety of news summaries produced on a daily basis, but they are not enough to get a good picture of what is happening. There are bigger and smaller news items, the impact of which is at times very difficult to assess. SMBs will become a bigger target for cybercriminals. Network and security professionals continue to be among the toughest IT talent to find and hire.

The old way of doing network security, focused on perimeter defense, is not enough in 2016. The old mantras “encrypt everything” and “secure the perimeter” are not enough. One deceptive truth seems to drive much of the cybersecurity industry down a rabbit hole: if you keep bad actors and bad software out of your system, you have nothing to worry about. It does not work like that anymore. As perimeter security gets stronger, malicious actors are looking for easier entry points to compromise an organisation through the breadth of its digital attack surface. Now malicious actors target “endpoints”—any device or sensor connected to a network—to break into that network. Traditional sandboxing will no longer protect against the growing malware landscape. Today, most private networks have far too many endpoints to properly secure. In an age of “Bring Your Own Device,” the cloud, remote access, and the Internet of Things, there are too many vulnerabilities hackers can exploit. Keep in mind that everything connected to the Internet can, and will, be hacked. To address those threats in 2016, security experts should assume compromise – that hackers and malware already have breached their defenses, or soon will – and instead classify and mitigate threats. In addition to the lock-and-key system of public key infrastructure, you will also need an integrity solution that acts like an alarm. To protect against advanced threats, security professionals will increase their reliance on centralized security management solutions. You need to have prioritization and response plans for various kinds of breaches – with a strong focus on integrity.

The tension between law enforcement and Silicon Valley will continue to be strong throughout 2016. In 2015 law enforcement and politicians on both sides of the Atlantic lined up to repeatedly complain that the web was “going dark” as the result of end-to-end encryption and that this was hampering the investigation of terrorism and other serious crimes. Technologists and cryptographers argue that governments are trying to weaken encryption by demanding some form of privileged access for government. It’s not clear how much encryption the NSA can break. With renewed focus on how encrypted messages can be used to plot terrorist attacks, President Barack Obama’s administration is stepping up pressure on the tech sector to help in the battle. Privacy remains a major counter-argument. It seems that governments lie about encryption backdoors. Encryption systems weakened by mandated backdoors would not be effective in fighting the terrorists that governments invoke as their reason for wanting those backdoors in the first place.

But this does not stop some government officials from demanding such things, with varying success in different countries. Another fact is that the existence of coded communications is a reality, and the U.S. may not be able to do much about it because nearly everyone living in modern society uses it: encryption protects your bank information, prevents your password from being stolen when you log into a website, and allows all e-commerce transactions to take place securely. Encryption weakened by mandated backdoors would put all of us at an enormous risk of exposure from data breaches and associated online risks. The truth in 2016 is that any form of privileged access for government – i.e., a backdoor – would inevitably weaken crypto-systems and make them more vulnerable to attacks by foreign governments’ intelligence agencies as well as criminals. Juniper’s VPN security hole is proof that government backdoors are bonkers. Encryption backdoors would be a gleeful win-win for terrorists and a horrific lose-lose for you – the bad guys having strong protections for their data, and the rest of us not. A poorly thought-out and crude surveillance technique could have a devastating effect on a country’s internet security; for example, Kazakhstan will force its citizens to install internet backdoors by requiring all Internet users to install a state-issued root certificate by January 1, 2016.

Google, Mozilla and Microsoft are pushing for an early SHA-1 cutoff that could happen in 2016 instead of the earlier planned January 1, 2017, due to recent research showing that SHA-1 is weaker than previously believed, because it has been attacked without enormous effort. Mozilla, Microsoft and now Google are all considering bringing the deadline forward by six months to July 1, 2016. SHA-2 is going to be used as the replacement function for SHA-1. Websites like Facebook and those protected by CloudFlare have implemented a SHA-1 fallback mechanism for those systems that do not support SHA-2. Chrome will start displaying errors if SHA-1 certificates are employed in early 2016 and will completely stop supporting SHA-1 certificates at the end of 2016.

The use of blockchain technology, a permissionless distributed database based on the Bitcoin protocol that runs across a global network of independent computers, will spread beyond just the Bitcoin virtual currency. With Bitcoin, the blockchain tracks the exchange of money. But it can also track the exchange of anything else that holds value, including stocks, bonds, and other financial securities. Overstock has already used the blockchain to issue private bonds. The Securities and Exchange Commission has approved a plan from online retailer Overstock.com to issue company stock via the Internet, signaling a significant shift in the way financial securities will be distributed and traded in the years to come. Overstock built its technology under the aegis of a subsidiary called TØ.com, and it plans to offer this “cryptosecurity” tech as a service to other businesses. Nasdaq OMX—the company behind the Nasdaq stock exchange—is using the blockchain to oversee the exchange of private stock. Also, several major companies from across both the technology and financial industries—including IBM, Intel, and Cisco as well as the London Stock Exchange Group and big-name banks JP Morgan, Wells Fargo, and State Street—have joined forces with the Linux Foundation to create an alternative to the blockchain.

The use of disk encryption will increase, and there are different ways to do it with different security levels. With Windows 10, Microsoft has introduced disk encryption whose recovery keys are uploaded to Microsoft. This approach has some advantages and disadvantages. The gold standard in disk encryption is end-to-end encryption, where only you can unlock your disk. This is what most companies use, and it seems to work well. It protects data in case your device is lost or stolen. But what if you forget or lose your key? There are certainly cases where it’s helpful to have a backup of your key or password – so keeping a backup of your recovery key in your Microsoft account could be genuinely useful for probably the majority of users that don’t have high security needs. The disadvantage of this approach is that your computer is now only as secure as that database of keys held by Microsoft, which means it may be vulnerable to hackers, foreign governments, and people who can extort Microsoft employees.

Weak and leaked passwords are still a huge security problem in 2016. Passwords are often the weakest part when it comes to securing users’ accounts, as many don’t use complex passwords or they reuse the same password across services. Two-factor authentication – like using a USB stick with a secret token or entering a code sent via text message to your phone – can help to increase security, but many users also find this to be a hassle, as it introduces an additional step to the login process.

Google has begun testing a login system that uses phone notifications for authentication instead of passwords: users authenticate by responding to a notification sent to their smartphone. The idea is similar to Yahoo’s recently launched “Account Key,” which also offers a password-free means of signing in involving a push notification sent to your phone that then opens an app where you approve the log-in.

The smartphone will become a more and more security-critical part of your life. “Increasingly, individuals and organisations are adopting password managers and multi-factor authentication technologies to plug some of the holes in password-based authentication.” “We foresee a world where practically everyone uses their smartphone as a multi-factor authentication element. In this world, the smartphone becomes your most valuable asset: something that enables you to unlock your life online and a target for attackers seeking to access your services.”

Expect that the number of mobile vulnerabilities will only grow in 2016. In 2016 we will see increasing numbers of cyber criminals using mobile applications to spread malware. Mobile presents an easy target for cyber criminals, because it is an attack surface that is open and extremely difficult to defend once an app has been released. Android threats will become more than just headline-grabbers. Will 2016 be the year iOS malware goes mainstream?

Critical infrastructures will be highly targeted in 2015. SCADA and ICS networks were not designed for security. Attacks against these systems have increased in recent years. I expect this trend to only get worse. There are still many companies that run their critical systems on Windows XP, as “there are some people who don’t have an option to change.” Many times the OS is running in automation and process control systems that run business- and mission-critical systems, both in private sector and government enterprises. For example, the US Navy is using the obsolete operating system Microsoft Windows XP to run critical tasks. It all comes down to money and resources, but if someone is obliged to keep something running on an obsolete system, it’s the completely wrong approach to information security.

Cars were hacked at a record rate in 2015, and they will be hacked at least at the same rate in 2016. Modern cars feature more gadgetry and connected systems, and this will make vehicles just as vulnerable to today’s threats and attacks. I Am The Cavalry has published a five-star Cyber Safety Framework to mitigate this threat in cars; hopefully car component makers study it.

IoT and smart devices are still at risk. The Internet of Things will continue to emerge, and businesses will need to think about how to protect their smart devices and prepare for the wider adoption of IoT. IoT platforms are not yet the weapon of choice for commercial malware authors – but business, beware. Wearables won’t be safe either, as they are built using largely the same, too often vulnerable, technologies as other IoT systems. IoT security is still in its infancy in 2016.

Cyber criminals became more active in 2015, particularly with ransomware. The ransomware problem will continue to be big in 2016. Commercial malware authors will continue to invest heavily, and exploit kits will continue to dominate on the web. Ransomware today is big business. Ransomware takes control of a computer and holds it hostage until the victim pays, usually in the digital currency Bitcoin. As a remedy against ransomware I recommend making sure that IT support or your service provider has the data backup and restore procedure operational, practiced and tested. You may need it in 2016 to get your data back without having to consider paying criminals. To date ransomware has hit Windows users hardest, although Android and MacOS users are now also facing similar extortion.

Ransomware will continue to dominate in 2016, and it is only a question of time before we see things beyond data being ransomed. We have already seen websites being held to ransom with DDoS. Intel’s McAfee Labs also noted a huge spike in ransomware in early 2015, and worries about ransomware in the IoT space—including medical devices. And Kaspersky predicts the “nightmare of ransomware” to continue and “spread to new frontiers” in 2016. The article Ransomware Is Coming to Medical Devices tells that, according to a report released recently by Forrester Research, the number one cybersecurity prediction for 2016 is: “We’ll see ransomware for a medical device or wearable.” “It’s definitely feasible from a technical standpoint.” Networked medical devices save lives. Despite the hacking risk, it’s an informed trade-off. Medical device ransomware would be a modern form of highway robbery with lives at stake.

2,232 Comments

  1. Tomi Engdahl says:

    Finland to lead the EU’s defense agency cyber project

    Finland takes a leading role in the three-year project, together with the Netherlands and Greece.

    Finland starts to pull together with the Netherlands and Greece on the European Defence Agency EDA cyber project. The project is called DA CAT B Project Cooperation in Cyber Ranges in the European Union, says the Ministry of Defence.

    The EU has defined cyber defence as one of its strategic priorities. This promotes active exchange of information and joint exercises.

    Source: http://www.digitoday.fi/yhteiskunta/2016/06/30/suomi-johtamaan-eun-puolustusviraston-kyberhanketta/20167009/66?rss=6

  2. Tomi Engdahl says:

    Large CCTV Botnet Leveraged in DDoS Attacks
    https://blog.sucuri.net/2016/06/large-cctv-botnet-leveraged-ddos-attacks.html

    DDoS Against a Small Business

    It all started with a small brick and mortar jewelry shop that signed up with us to help protect their site from a DDoS that had taken them down for days. By switching their DNS to the Sucuri Network, we were able to quickly mitigate the attack for them. It was a layer 7 attack (HTTP Flood) generating close to 35,000 HTTP requests per second (RPS) which was more than their web servers could handle.

    Normally, this would be the end of the story. The attack would be mitigated, the attackers would move on after a few hours, and the website owner would be happy. In this case however, after the site came back up, the attacks increased their intensity, peaking to almost 50,000 HTTP requests per second. It continued for hours, which turned into days.

    Since this type of long-duration DDoS is not so common, we decided to dive into what the attackers were doing, and to our surprise, they were leveraging only IoT (Internet of Things) CCTV devices as the source of their attack botnet.

    It is not new that attackers have been using IoT devices to start their DDoS campaigns, however, we have not analyzed one that leveraged only CCTV devices and was still able to generate this quantity of requests for so long.

    As we extracted the geo-location from the IP addresses generating the DDoS, we noticed that they were coming from all over the world, different countries and networks. A total of 25,513 unique IP addresses came within a couple of hours.

    Compromised CCTV Devices – 25,000 of them

    As we dug deeper into each of these IP addresses, we learned that all of them were running the “Cross Web Server” and had a similar default HTTP page with the “DVR Components” title.

    As far as the DDoS attack, it was a variation of the HTTP flood and cache bypass attack, which is pretty standard and mitigated by the Sucuri Firewall. Very few servers can handle 50,000+ requests per second, but due to our Anycast network and stack optimization, that number is easily mitigated by us.

    IPv6 DDoS

    We don’t see many DDoS attacks leveraging IPv6 yet, and this is another thing that surprised us, as we saw quite a few of these devices coming from IPv6.

    It wasn’t a big number, but almost 5% of all DDoS attack IP addresses came via IPv6.

    That’s a change we expect to keep happening as IPv6 becomes more popular.

    Unfortunately, as website owners, there is not much you can do to get those 25,000+ CCTVs fixed and protected. You also can’t do much to fix the millions of vulnerable devices on the internet that can be used as botnets and DDoS amplification methods.

    However, you can do your part. If you are an online camera user or vendor, please make sure it is fully patched and isolated from the internet. Actually, not just your online camera, but any device that has Internet access (from DNS resolvers, to NTP servers, and so on).

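A detection-side illustration of the HTTP flood described in this comment, as an added example that is not part of the original post or of Sucuri's tooling: it parses a few constructed access-log lines, computes the peak requests per second, flags sources whose every request carries a fresh query string (the cache-bypass pattern), and reports the share of sources that arrived over IPv6. The sample addresses, log lines and thresholds are assumptions.

```python
"""Spot an HTTP flood in web-server access logs.

Computes peak requests per second, the busiest sources, the share of sources
that arrived over IPv6, and which sources show the cache-bypass pattern
(every request carries a fresh query string so no proxy cache can answer it).
"""
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample lines in Common Log Format (not from the incident above).
# Three IPv4 sources and one IPv6 source hit "/" with a different query string
# on every request within the same second; 198.51.100.9 is an ordinary visitor.
SAMPLE_LOG = """\
203.0.113.7 - - [30/Jun/2016:10:00:00 +0000] "GET /?r=8123 HTTP/1.1" 200 5120
203.0.113.7 - - [30/Jun/2016:10:00:00 +0000] "GET /?r=3391 HTTP/1.1" 200 5120
203.0.113.7 - - [30/Jun/2016:10:00:00 +0000] "GET /?r=9910 HTTP/1.1" 200 5120
203.0.113.7 - - [30/Jun/2016:10:00:00 +0000] "GET /?r=1207 HTTP/1.1" 200 5120
203.0.113.42 - - [30/Jun/2016:10:00:00 +0000] "GET /?r=5520 HTTP/1.1" 200 5120
203.0.113.42 - - [30/Jun/2016:10:00:00 +0000] "GET /?r=7781 HTTP/1.1" 200 5120
203.0.113.42 - - [30/Jun/2016:10:00:00 +0000] "GET /?r=2046 HTTP/1.1" 200 5120
203.0.113.42 - - [30/Jun/2016:10:00:00 +0000] "GET /?r=6630 HTTP/1.1" 200 5120
203.0.113.99 - - [30/Jun/2016:10:00:00 +0000] "GET /?r=4417 HTTP/1.1" 200 5120
203.0.113.99 - - [30/Jun/2016:10:00:00 +0000] "GET /?r=8802 HTTP/1.1" 200 5120
203.0.113.99 - - [30/Jun/2016:10:00:00 +0000] "GET /?r=1193 HTTP/1.1" 200 5120
203.0.113.99 - - [30/Jun/2016:10:00:00 +0000] "GET /?r=3375 HTTP/1.1" 200 5120
2001:db8::1 - - [30/Jun/2016:10:00:00 +0000] "GET /?r=6018 HTTP/1.1" 200 5120
2001:db8::1 - - [30/Jun/2016:10:00:00 +0000] "GET /?r=9254 HTTP/1.1" 200 5120
2001:db8::1 - - [30/Jun/2016:10:00:00 +0000] "GET /?r=7706 HTTP/1.1" 200 5120
198.51.100.9 - - [30/Jun/2016:10:00:00 +0000] "GET /about HTTP/1.1" 200 2048
198.51.100.9 - - [30/Jun/2016:10:00:01 +0000] "GET /contact HTTP/1.1" 200 1024
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)


def parse_line(line):
    """Return the fields of one CLF line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["path"], _, rec["query"] = rec["target"].partition("?")
    # '30/Jun/2016:10:00:00 +0000' -> one-second bucket without the zone offset
    rec["second"] = rec["ts"].split()[0]
    return rec


def is_ipv6(ip):
    """True for a syntactically valid IPv6 address, False otherwise."""
    try:
        return ipaddress.ip_address(ip).version == 6
    except ValueError:
        return False


def analyze(log_text, rps_threshold, per_source_threshold):
    """Summarise flood indicators in the given log text.

    rps_threshold: peak requests/second at which the traffic counts as a flood.
    per_source_threshold: minimum requests a source needs before its query
    strings are examined for the cache-bypass pattern.
    """
    per_second = Counter()
    per_source = Counter()
    targets_by_source = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than abort the analysis
        per_second[rec["second"]] += 1
        per_source[rec["ip"]] += 1
        targets_by_source[rec["ip"]].add((rec["path"], rec["query"]))

    if per_second:
        peak_second, peak_rps = max(per_second.items(), key=lambda kv: kv[1])
    else:
        peak_second, peak_rps = None, 0
    sources = list(per_source)
    ipv6_sources = [ip for ip in sources if is_ipv6(ip)]
    # Cache-bypass signature: a busy source for which no two requests share
    # the same path+query, so every one of them had to reach the origin.
    cache_bypass = sorted(
        ip for ip, n in per_source.items()
        if n >= per_source_threshold and len(targets_by_source[ip]) == n
    )
    return {
        "peak_second": peak_second,
        "peak_rps": peak_rps,
        "flood": peak_rps >= rps_threshold,
        "top_sources": per_source.most_common(5),
        "ipv6_share": len(ipv6_sources) / len(sources) if sources else 0.0,
        "cache_bypass_sources": cache_bypass,
    }


if __name__ == "__main__":
    summary = analyze(SAMPLE_LOG, rps_threshold=10, per_source_threshold=3)
    for key, value in summary.items():
        print(f"{key}: {value}")
```

On a real log the thresholds would be set from the site's normal baseline, and the flagged sources fed to the firewall or CDN rate limiter rather than printed.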
  3. Tomi Engdahl says:

    Dan Goodin / Ars Technica:
    Google Project Zero researchers uncover severe vulnerabilities in 25 Symantec and Norton products, exposing millions of users; patches issued — If you use a Symantec or Norton product, now would be a good time to update. — Much of the product line from security firm Symantec contains …

    High-severity bugs in 25 Symantec/Norton products imperil millions
    If you use a Symantec or Norton product, now would be a good time to update.
    http://arstechnica.com/security/2016/06/25-symantec-products-open-to-wormable-attack-by-unopened-e-mail-or-links/

  4. Tomi Engdahl says:

    Michael Kan / PCWorld:
    Kaspersky: Android customers infected with mobile ransomware hit 136K in April 2016, nearly quadrupling from March 2015

    Mobile ransomware use jumps, blocking access to phones
    Kaspersky Lab has detected a spike among its own Android users
    http://www.pcworld.com/article/3090049/security/mobile-ransomware-use-jumps-blocking-access-to-phones.html

    The number of users infected with mobile ransomware is skyrocketing, as hackers try to expand the number of potential victims they can target.

    Compared with a year ago, almost four times as many users are being attacked by mobile ransomware, security firm Kaspersky Lab said on Wednesday.

    It’s a troubling trend. Ransomware has typically targeted PCs by encrypting all the information that is inside the targeted machines, and then holding the data hostage in exchange for money.

    The threat is that users who fail to pay ransom will see all the data erased. Hospitals, schools and police departments have all been major victims. But increasingly, hackers have begun focusing on smartphones.

    Kaspersky looked at its own Android customers and noticed the spike. Between April 2015 and March this year, 136,532 of its users encountered a mobile version of ransomware. That’s up from 35,413 in the year-earlier period.

    The largest mobile ransomware family detected is called Fusob, Kaspersky said. It was responsible for 56 percent of the attacks during the year and targets Android users.

    Victims are unwittingly downloading it when visiting porn sites. Fusob masquerades as a multimedia player, called xxxPlayer, that’s been designed to watch the porn videos.

    Once downloaded, Fusob can block all user access to a device. Victims are told to pay between $100 and $200 in iTunes gift cards to deactivate the block.

    To avoid ransomware, Kaspersky advises that users regularly update their software and back up all crucial files. Users should also be wary of downloading anything from untrusted sources and look into buying strong security software.

  5. Tomi Engdahl says:

    Encryption, wiretaps and the Feds: THE TRUTH
    New US report suggests fewer peeps are using crypto but it’s probably the other way around
    http://www.theregister.co.uk/2016/06/30/us_government_reports_encrypted_wiretaps_declining/

    Figures published this month suggest fewer Americans are using encryption to secure their communications – but if you look into the detail, the opposite is probably closer to reality.

    The latest Wiretap Report from the US courts system – which counts up the number of requests from investigators to spy on people’s chatter in 2015 – declares:

    The number of state wiretaps in which encryption was encountered decreased from 22 in 2014 to 7 in 2015. In all of these wiretaps, officials were unable to decipher the plain text of the messages.

    Six federal wiretaps were reported as being encrypted in 2015, of which four could not be decrypted.

    So the vast majority of intercepted communications involved smartphones. And later, crucially:

    The three major categories of surveillance are wire, oral, and electronic communications. Table 6 presents the type of surveillance method used for each intercept installed.

    The most common method reported was wire surveillance that used a telephone (land line, cellular, cordless, or mobile). Telephone wiretaps accounted for 94 percent (2,578 cases) of the intercepts installed in 2015, the majority of them involving cellular telephones.

    So the vast majority of wiretaps involved not encrypted text messages and app traffic, but telephone calls – which we all know the Feds have the keys to. If you look at the aforementioned table six, you’ll see pretty much every spying request involved listening in on normal phone calls.

  6. Tomi Engdahl says:

    Guccifer 2.0 Calls DNC Hack His “Personal Project,” Mocks Security Firms
    https://yro.slashdot.org/story/16/07/01/0451205/guccifer-20-calls-dnc-hack-his-personal-project-mocks-security-firms

    The notorious hacker most recently in the news for releasing Clinton Foundation documents said on Thursday in a blog post that the stolen confidential files from the DNC were his “personal project.” Guccifer 2.0, as he identifies himself, added that security firms and the DNC may be trying to blame the attack on Russia, but “they can prove nothing! All I hear is blah-blah-blah, unfounded theories, and somebody’s estimates,” he wrote. He claims to be Romanian and says he acted alone, pouring water on the theory that he may be a “smokescreen” to divert attention away from the real culprits.

    “All the hackers in the world use almost the same tools,” he said. “You can buy them or simply find them on the web.” He broke into the network using a little-known vulnerability found in the DNC’s software, he added. “The DNC used Windows on their server, so it made my work much easier,” he said. “I installed my trojan-like virus on their PCs. I just modified the platform that I bought on the hacking forums for about $1.5k.”

    FAQ from Guccifer 2.0
    https://guccifer2.wordpress.com/2016/06/30/faq/

  7. Tomi Engdahl says:

    3 always-listening gadgets and how to stop them
    http://www.komando.com/tips/325537/3-always-listening-gadgets-and-how-to-stop-them

    One hallmark of being in “the future” is that we’ll be able to talk to our gadgets and they’ll be able to talk back. Thanks to voice-activated personal assistants, it looks like the future has arrived, and it’s cool, but also a little creepy.

    Don’t get us wrong, digital personal assistants like Apple’s Siri are useful tools. You no longer have to type in searches, or scroll through phone numbers, or look through endless websites. Instead, you just ask your virtual personal assistant to help you out, and it does.

    iPhones with Siri, the Amazon Echo, and smartphones and tablets with Google Now, are always listening to you.

    It’s reminiscent of “2001: A Space Odyssey.” That’s the 1968 Stanley Kubrick movie where Hal 9000 becomes the only companion of Dr. Dave Bowman, who’s traveling to Jupiter. Hal 9000 is a computer, and he’s always there, listening and watching, no matter if Dave does or doesn’t want him to.

    If you’ve seen the movie, you know that Hal 9000 isn’t just creepy; he’s dangerous. Thankfully, today’s always-listening devices aren’t mini Hals.

  8. Tomi Engdahl says:

    Hydra hacker bot spawns internet of things DDoS clones
    LizardStresser makes a messer of Brazil banks, gamer outfits
    http://www.theregister.co.uk/2016/07/01/lizardstresser_ddos/

    Lizard Squad may be mostly behind bars, but their LizardStresser botnet has spawned more than 100 clones.

    According to Arbor Networks’ Matthew Bing, the imitators have lit on the Internet of Things, enslaving thousands of dumb devices with code the hacker group published last year.

    LizardStresser is an illegal booter service that the partly-arrested hacking group Lizard Squad built on the back of hacked routers.

    Bing says the tweaked and increasing LizardStresser bots have been used to attack banks, telcos, and gaming companies.

    “The number of unique LizardStresser command-and-control sites has been steadily increasing throughout 2016,” Bing says.

    “Utilising the cumulative bandwidth available to these IoT devices, one group of threat actors has been able to launch attacks as large as 400Gbps targeting gaming sites world-wide, Brazilian financial institutions, ISPs, and government institutions.

    “LizardStresser is becoming the botnet-du-jour for IoT devices given how easy it is for threat actors to make minor tweaks to telnet scanning.”

    Two of the major Lizard Stresser bots, thought to be run by the same attack group, have set sights on Brazil, Bing says.

    “The threat actors appeared to quickly evolve their tactics minute-by-minute, switching between a HOLD flood to UDP flooding and TCP flooding with a variety of flags. This was likely the threat actors tuning their attacks for maximum impact,” Bing says.

    The DDoS botnet is written in C and runs on Linux, consisting of a client and server.

  9. Tomi Engdahl says:

    400 million Foxit users need to catch up with patched-up reader
    Toxic Foxit plugs bugs
    http://www.theregister.co.uk/2016/07/01/foxit_patches_756/

    Makers of popular PDF reader Foxit have patched 12 dangerous vulnerabilities that could have resulted in remote code execution.

    Some 400 million users run the flagship reader billed as an alternative to Adobe Reader. The dozen flaws are patched in Windows and Linux variants.

    Users would need to be conned into opening a malicious PDF with Foxit Reader or PhantomPDF in order to be compromised using the vulnerabilities.

  10. Tomi Engdahl says:

    Hackers: Ditch the malware, we’re in… Just act like a normal network admin. *Whistles*
    Nmap in hand, they’re soon working pwned systems like a boss – study
    http://www.theregister.co.uk/2016/06/30/hackers_ditch_malware_to_move_around_networks/

    Hackers almost exclusively use standard network admin tools to move around a compromised network once they’ve broken in using malware or other hacking techniques.

    Researchers at security startup LightCyber found that 99 per cent of post-intrusion cyberattack activities did not employ malware, but rather employed standard networking, IT administration and other tools. Attackers use common networking tools in order to conduct “low and slow” attack activities while avoiding detection.

    Once inside a network, an attacker must learn about its layout and map its resources and vulnerabilities in order to locate and steal sensitive data or gain control of network admin or accounting systems, typical goals for both cyberspies and profit-motivated cybercriminals.

    LightCyber discovered that attackers commonly use standard administrator and remote desktop tools to conduct reconnaissance or for lateral movement rather than, as might be imagined, malware.

    Angry IP Scanner, an IP address and port scanner, was the most common tool associated with attack behaviour, followed closely by Nmap, a network discovery and security auditing tool. Angry IP Scanner alone accounted for 27.1 per cent of incidents from the top 10 networking and hacking tools observed in the study. SecureCRT, an integrated SSH and Telnet client, topped the list of admin tools employed in attacks, representing 28.5 per cent of incidents.

    Remote desktop tool TeamViewer and WinVNC were commonly used by hackers to move laterally (from machine to machine) around networks after hackers had gained a foothold by using spear-phishing or other hacking techniques.

    The highest frequency of attacker activity identified after assessing all this attack data was reconnaissance, followed by lateral movement and then command-and-control communication. The most common attack tools observed in the study were classified into the following four categories: networking and hacking tools, admin tools, remote desktop tools and malware.

    More than 70 per cent of active malware used for the initial intrusion was detected only on one site, indicating that it was polymorphic or customised, targeted malware, according to LightCyber.

    2016 Cyber Weapons Report
    Network Traffic Analytics Reveals Tools Attackers Use
    http://lightcyber.com/wp-cyber-weapons-report-lp/

    Reply
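The tool categories and attack phases in the LightCyber summary above translate directly into a detection rule. The following script is an added example, not code from the report or the comment: it reads constructed process-creation events (the log format, host names and user names are invented for the example), tallies the study's tool categories, flags a user who runs a reconnaissance tool and then an admin or remote-desktop tool on a different host, and lists unknown binaries seen on only one host, which the report associates with customised malware.

```python
"""Classify process-creation events by the tool categories from the LightCyber
study, flag users who run a reconnaissance tool and then a remote-access or
admin tool on another host, and list unknown binaries seen on only one host."""
import re
from collections import Counter, defaultdict

# Constructed sample events (not real telemetry): timestamp, host, user, image path.
SAMPLE_LOGS = """\
2016-07-01T08:01:00Z host=ws-17 user=jsmith image=C:\\Tools\\ipscan.exe
2016-07-01T08:05:10Z host=ws-17 user=jsmith image=C:\\Program Files\\Nmap\\nmap.exe
2016-07-01T08:20:42Z host=ws-17 user=jsmith image=C:\\Program Files\\SecureCRT\\SecureCRT.exe
2016-07-01T09:02:13Z host=fs-02 user=jsmith image=C:\\Program Files\\TeamViewer\\TeamViewer.exe
2016-07-01T09:10:00Z host=fs-02 user=jsmith image=C:\\Users\\jsmith\\AppData\\Local\\Temp\\svch0st.exe
2016-07-01T09:30:00Z host=ws-03 user=admin image=C:\\Program Files\\TeamViewer\\TeamViewer.exe
2016-07-01T10:00:00Z host=ws-03 user=admin image=C:\\Windows\\System32\\winvnc.exe
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) image=(?P<image>.+)$")

# Executable names for the tools the study names, in its three non-malware categories.
TOOL_CATEGORIES = {
    "ipscan.exe": "networking/hacking",   # Angry IP Scanner
    "nmap.exe": "networking/hacking",
    "securecrt.exe": "admin",
    "teamviewer.exe": "remote desktop",
    "winvnc.exe": "remote desktop",
}
# Attack phase each category indicates (recon first, then lateral movement, per the study).
PHASE_FOR_CATEGORY = {
    "networking/hacking": "reconnaissance",
    "admin": "lateral movement",
    "remote desktop": "lateral movement",
}


def parse_line(line):
    """Return an event dict for one log line, or None if the line does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    # Basename of the image path, lower-cased, so paths on different hosts compare equal.
    ev["exe"] = ev["image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
    return ev


def classify(exe):
    """Category for a known dual-use tool, else None (unknown binary)."""
    return TOOL_CATEGORIES.get(exe)


def analyse(log_text):
    """Summarise events: category counts, lateral-movement users, single-host binaries."""
    events = [ev for ev in map(parse_line, log_text.splitlines()) if ev]
    events.sort(key=lambda e: e["ts"])
    counts = Counter()
    hosts_per_exe = defaultdict(set)
    recon_host = {}          # user -> host where that user first ran a recon tool
    lateral_users = set()
    for ev in events:
        hosts_per_exe[ev["exe"]].add(ev["host"])
        cat = classify(ev["exe"])
        if cat is None:
            continue
        counts[cat] += 1
        if PHASE_FOR_CATEGORY[cat] == "reconnaissance":
            recon_host.setdefault(ev["user"], ev["host"])
        elif ev["user"] in recon_host and ev["host"] != recon_host[ev["user"]]:
            # Recon earlier, now an admin/remote-desktop tool on a different host.
            lateral_users.add(ev["user"])
    # Unknown binaries present on exactly one host: candidates for customised malware.
    # In real data, baseline these against a software inventory before alerting.
    single_host = sorted(exe for exe, hosts in hosts_per_exe.items()
                         if classify(exe) is None and len(hosts) == 1)
    return {
        "category_counts": dict(counts),
        "lateral_movement_users": sorted(lateral_users),
        "single_host_binaries": single_host,
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOGS).items():
        print(f"{key}: {value}")
```

Note that `admin` is not flagged: running a remote-desktop tool alone is normal administration, and the rule only fires on the recon-then-move sequence the study describes.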
  11. Tomi Engdahl says:

    Apache, Debian crews patch library with DoS vuln
    Upgrade your libcommons-fileupload-java package
    http://www.theregister.co.uk/2016/07/01/apache_debian_crews_patch_library_with_dos_vuln/

    A file upload library used in Apache Tomcat and various Linux distributions needs patching to plug a denial-of-service vulnerability.

    Discovered by the TERASOLUNA Framework Development Team, the bug in libcommons-fileupload-java, which sits under Apache Commons FileUpload, has the Common Vulnerabilities and Exposures designation CVE-2016-3092.

    The Apache advisory also notes that the bug affects only applications using the File Upload feature introduced in Servlet 3.0.

    Reply
  12. Tomi Engdahl says:

    Here’s how police arrested Lauri Love – and what happened next
    A ‘UPS courier’, extradition warrants and legal jiggery-pokery from the cops
    http://www.theregister.co.uk/2016/07/01/usa_vs_love/

    Lauri Love was arrested on suspicion of offences under the Computer Misuse Act 1990 early in the evening of 25 October 2013, when a National Crime Agency officer wearing dungarees and posing as a UPS courier told Love’s mother that Lauri himself had to come to the porch to collect his delivery.

    Reply
  13. Tomi Engdahl says:

    700,000 Muslim Match dating site private messages leaked online
    150,000 user profiles bared to world+dog as well – report
    http://www.theregister.co.uk/2016/07/01/muslim_match_data_breach/

    Hackers have leaked the personal details of 150,000 users of the Muslim Match website after breaking into the niche dating portal.

    Almost 150,000 user credentials and profiles, as well as more than 700,000 private messages between users, were posted online.

    “These private messages cover a range of subjects from religious discussion and small talk to marriage proposals,” Vice’s Motherboard website reports.

    A range of information including logged IP addresses and poorly hashed MD5 passwords was exposed by the breach. Some of the private messages contain Skype handles and other potentially sensitive information.

    Hacked: Private Messages From Dating Site ‘Muslim Match’
    https://motherboard.vice.com/read/hacked-private-messages-from-dating-site-muslim-match

    Specialty dating site “Muslim Match” has been hacked. Nearly 150,000 user credentials and profiles have been posted online, as well as over half a million private messages between users.

    Security researcher Troy Hunt has added the data to his breach notification site “Have I Been Pwned?” for the site’s users to check if they are affected by the hack. Meanwhile, technologist Thomas White, otherwise known as TheCthulhu, has released the full dataset publicly, for anyone to download.

    Launched in 2000, Muslim Match is a free-to-use site for people looking for companionship or marriage.

    “I feel disappointed but the site didn’t seem to be secure in the first place. They never used https.”

    Reply
  14. Tomi Engdahl says:

    Cracking Android’s full-disk encryption is easy on millions of phones – with a little patience
    Just need a couple of common bugs, some GPUs and time
    http://www.theregister.co.uk/2016/07/01/turns_out_breaking_android_fulldisk_encryption_is_easy_with_the_right_code/

    Android’s full-disk encryption on millions of devices can be cracked by brute-force much more easily than expected – and there’s working code to prove it.

    Essentially, if someone seizes your Qualcomm Snapdragon-powered phone, they can potentially decrypt its file system’s contents with a friendly Python script without knowing your password or PIN.

    The tech details

    Android encrypts a gadget’s file system using a randomly generated 128-bit Device Encryption Key aka the DEK. Android encrypts the DEK using the owner’s PIN or password and stores it alongside the encrypted file system in the device’s flash storage chips. When you give Android the correct PIN or password, it can decrypt the DEK and use the key to unlock the file system.

    However, it’s not quite that simple: the DEK is actually encrypted using the owner’s PIN or password and an encrypted block of data called the KeyMaster Key Blob. That blob contains a 2,048-bit RSA key generated by a KeyMaster program that runs inside a secured portion of the device’s processor. The KeyMaster creates the RSA key, stores it in the blob, and gives an encrypted copy of the blob to Android.

    It’s important to understand that Android and your mobile apps run in the non-secure portion of the processor.

    When you enter your PIN or password, Android takes the encrypted blob, and passes it back to the KeyMaster in the secure portion of the processor along with a scrypt-scrambled copy of your PIN or password. The KeyMaster privately decrypts the blob using a secret key fused into the processor to obtain the long RSA key.

    Scripts to bruteforce Android’s Full Disk Encryption off the device
    https://github.com/laginimaineb/android_fde_bruteforce

    Reply
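The quoted passage describes a key hierarchy in which the DEK can only be unwrapped with both the scrypt-hardened PIN and a KeyMaster key that is usable solely inside the secure world. The model below is an added example, not code from the article or from the linked repository; it is my own stand-in for the scheme. Assumptions: an HMAC keyed by a random 256-bit secret stands in for the 2,048-bit RSA operation, XOR with a hash-derived keystream stands in for the AES wrapping, and the scrypt cost is lowered so the demo runs quickly.

```python
"""Model of the Android FDE key hierarchy: a random 128-bit DEK wrapped under a
key derived from the scrypt-hardened PIN and a KeyMaster key that never leaves
the secure world. HMAC and XOR are labelled stand-ins for RSA and AES."""
import hashlib
import hmac
import secrets

# Reduced scrypt cost for the demo; real devices use stronger parameters (assumption).
SCRYPT = dict(n=2 ** 10, r=8, p=1, dklen=32)


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class KeyMaster:
    """Secure-world side. The fused key never leaves this class; the KeyMaster key
    is handed to Android only as an encrypted blob (a 256-bit HMAC key stands in
    for the RSA key the article describes)."""

    def __init__(self):
        self._fused_key = secrets.token_bytes(32)   # stand-in for the key fused into the SoC

    def _keystream(self, nonce):
        return hashlib.sha256(self._fused_key + nonce).digest()

    def create_blob(self):
        """Generate a KeyMaster key and return it wrapped under the fused key."""
        km_key = secrets.token_bytes(32)
        nonce = secrets.token_bytes(16)
        return nonce + _xor(km_key, self._keystream(nonce))

    def _unwrap(self, blob):
        nonce, ct = blob[:16], blob[16:]
        return _xor(ct, self._keystream(nonce))

    def sign(self, blob, hardened_pin):
        """Stand-in for the RSA operation on the scrypt-hardened PIN."""
        return hmac.new(self._unwrap(blob), hardened_pin, hashlib.sha256).digest()


def _kek(keymaster, blob, pin, salt):
    """Non-secure side: harden the PIN with scrypt, then ask the secure world to bind
    it to the KeyMaster key. The result is the key that wraps the DEK."""
    hardened = hashlib.scrypt(pin.encode(), salt=salt, **SCRYPT)
    return keymaster.sign(blob, hardened)[:16]


def protect_dek(keymaster, pin):
    """At setup: generate the DEK and store it wrapped (XOR stands in for AES).
    Returns (dek, store); the store is what sits in flash next to the file system."""
    dek = secrets.token_bytes(16)
    salt = secrets.token_bytes(16)
    blob = keymaster.create_blob()
    store = {
        "salt": salt,
        "blob": blob,
        "wrapped_dek": _xor(dek, _kek(keymaster, blob, pin, salt)),
        "check": hashlib.sha256(dek).digest()[:8],   # lets unlock() detect a wrong PIN
    }
    return dek, store


def unlock(keymaster, store, pin):
    """At boot: return the DEK, or None if the PIN (or the KeyMaster) is wrong."""
    dek = _xor(store["wrapped_dek"], _kek(keymaster, store["blob"], pin, store["salt"]))
    return dek if hashlib.sha256(dek).digest()[:8] == store["check"] else None


if __name__ == "__main__":
    km = KeyMaster()
    dek, store = protect_dek(km, "1234")
    print("correct PIN :", unlock(km, store, "1234") == dek)
    print("wrong PIN   :", unlock(km, store, "1235"))
    print("other device:", unlock(KeyMaster(), store, "1234"))
```

Everything in `store` can be copied off the flash, but each PIN guess still has to pass through `KeyMaster.sign`, so the guessing rate is bounded by the device; the research the comment links to is precisely about extracting that KeyMaster key, which removes the binding.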
  15. Tomi Engdahl says:

    Nathaniel Popper / New York Times:
    How a handful of Chinese companies that control a majority of the Bitcoin network are playing a central role in the community’s civil wars

    How China Took Center Stage in Bitcoin’s Civil War
    http://www.nytimes.com/2016/07/03/business/dealbook/bitcoin-china.html?_r=0

    A delegation of American executives flew to Beijing in April for a secret meeting just blocks from Tiananmen Square. They had come to court the new kingmakers in one of the strangest experiments in money the world has seen: the virtual currency known as Bitcoin.

    Against long odds, and despite an abstruse structure, in which supercomputers “mine” the currency via mathematical formulas, Bitcoin has become a multibillion-dollar industry. It has attracted major investments from Silicon Valley and a significant following on Wall Street.

    Yet Bitcoin, which is both a new kind of digital money and an unusual financial network, is having something of an identity crisis. Like so many technologies before it, the virtual currency is coming up against the inevitable push and pull between commercial growth and the purity of its original ambitions.

    In its early conception, Bitcoin was to exist beyond the control of any single government or country. It would be based everywhere and nowhere.

    Reply
  16. Tomi Engdahl says:

    The IoT Sky is Falling: How Being Connected Makes Us Insecure
    http://www.securityweek.com/iot-sky-falling-how-being-connected-makes-us-insecure

    The first chunk of actual sky recently slammed into the ground with a resounding thud.

    The security community has been actively telling the world that the Internet of Things (IoT) is ripe for compromise and exploitation. Unfortunately, the public has shoved aside these “Chicken Little” warnings in hopes of getting all of the promised gee-whiz technologies without the sky actually falling.

    Fortunately, a combined research team from the University of Michigan and Microsoft recently performed in-depth analysis of an IoT home command center and brought the problems into the bright light of day. As sobering as their research results are, they took things a step farther by building four attacks based on their research. These attacks designed real exploits like creating a code for the automated front door lock, stealing a PIN to open other door locks, and disabling detectors and alarms.

    The device at the center of the research is the Samsung SmartThings platform, which is a series of products and associated software that is tied together on a hub device. Samsung sells monitors, alarms, and other devices. There is also a community of products that are SmartThings-enabled ranging from door locks to light and fan switches to home weather systems. The community offers applications for the devices as well as mobile and Web apps to control the devices connected to the platform.

    It’s software that makes an IoT or embedded device different. The device is, by definition, connected to the Internet. Software not designed and constructed to be secure will contain vulnerabilities that can be exploited to gain access to the device. Anything connected to the Internet can be discovered and potentially infiltrated, and the associated software will be the target.

    The research notes that the majority of the vulnerabilities exist in the software of either the device or the software that controls the devices. This is exactly what the security community has feared. This pattern is repeating every time new technology is introduced without proper consideration for the basics of security. It happened when applications moved to the Web, and we dutifully took note of the lessons learned. But when mobile applications took off, we ignored those lessons and repeated the same mistakes. The pattern persisted when the Cloud emerged, and now we see proof that it is happening again with IoT.

    When vulnerabilities are discovered in business applications, there are changes made to remediate the exploits and patches, or new releases are distributed to update the software. There are people in the business whose job it is to ensure that the devices in the business are kept updated to mitigate potential attacks.

    In the IoT scenario, there may be software that isn’t programmed to protect against new and emerging threats. In order to manufacture devices at a competitive price point, manufacturers may not enable that capability (hardware/software) to update the software on the device. This leaves the consumer with the decision to scrap the vulnerable device or hope against an intrusion.

    SmartThings Flaws Expose Smart Homes to Hacker Attacks
    http://www.securityweek.com/smartthings-flaws-expose-smart-homes-hacker-attacks

    Reply
  17. Tomi Engdahl says:

    Corporate Data Lingering on Old Drives: Advice From The Professionals
    http://www.securityweek.com/corporate-data-lingering-old-drives-advice-professionals

    A 2012 “investigation commissioned by the [UK's Information Commissioner] found that one in ten second-hand hard drives sold online contained personal information.” A new investigation published this week by Blancco Technology Group suggests that 78% of second-hand drives purchased from eBay and Craigslist now contain recoverable corporate or personal information. It seems that we are not improving our security awareness.

    Blancco’s study involved the purchase and examination of 200 drives, both hard disk (around 93%) and solid state (around 8%), from eBay and Craigslist during the first quarter of 2016. While in many cases (but not all) data had been ‘deleted’, Blancco was able to recover data from 78% of the drives. It had been deleted under the operating system rather than securely erased from the drive. This data included company and personal emails, CRM records and spreadsheets.

    Reply
  18. Tomi Engdahl says:

    Botnet Uses IoT Devices to Power Massive DDoS Attacks
    http://www.securityweek.com/botnet-uses-iot-devices-power-massive-ddos-attacks

    LizardStresser Botnet Abuses IoT Devices in 400Gbps Attack

    LizardStresser, a distributed denial of service (DDoS) botnet that inspired many cybercrime groups to create their own botnets, was recently used in attacks as large as 400 gigabits per second (Gbps) that leverage the power of IoT devices, Arbor Networks researchers reveal.

    Written in C and designed to run on Linux, the botnet malware has had its source code leaked online in early 2015, which inspired DDoS actors to build their own botnets. More recently, however, researchers noticed that the number of unique LizardStresser command and control (C&C) servers has grown, and that actors behind the botnet have been targeting Internet of Things (IoT) devices using default passwords.

    Similar to other botnets, LizardStresser relies on a large number of hosts that connect to a C&C server to conduct malicious activities. The botnet can be used to launch DDoS attacks using a variety of attack methods: HOLD – holds open TCP connections; JUNK – send a random string of junk characters to a TCP port; UDP – send a random string of junk characters to a UDP port; TCP – repeatedly send TCP packets with the specified flags.

    The LizardStresser bots also have a mechanism to run arbitrary shell commands, which allows operators to update the list of C&C servers or to download new malware to them. Since the beginning of this year, Arbor Networks researchers have observed an increase in the unique number of C&C servers the botnet connects to: they are now in excess of a hundred

    Earlier this week, Sucuri researchers also revealed that tens of thousands of compromised CCTV devices have been leveraged in DDoS attacks.

    Reply
  19. Tomi Engdahl says:

    Hackers Can Exploit LibreOffice Flaw With RTF Files
    http://www.securityweek.com/hackers-can-exploit-libreoffice-flaw-rtf-files

    The developers of the open source office suite LibreOffice informed users this week that they have patched a vulnerability which could allow attackers to execute arbitrary code using specially crafted RTF files.

    The vulnerability, found by Cisco Talos researchers and tracked as CVE-2016-4324, affects the RTF parser in LibreOffice. The flaw can be exploited with an RTF document that contains both a stylesheet and a superscript token.

    “A specially crafted RTF document containing both a stylesheet and superscript element causes LibreOffice to access an invalid pointer referencing previously used memory on the heap. By carefully manipulating the contents of the heap, this vulnerability can be able to be used to execute arbitrary code,” Cisco said.

    Reply
  20. Tomi Engdahl says:

    U.S. Man Charged in ‘Celebgate’ Nude Photo Hack
    http://www.securityweek.com/us-man-charged-celebgate-nude-photo-hack

    A US man was charged on Friday in relation to one of the biggest celebrity hacks in which a phishing scheme led to nude photos of Hollywood stars being posted online.

    Edward Majerczyk, 28, of Illinois, agreed as part of a deal with federal authorities in Los Angeles to plead guilty to one felony count of unauthorized access to a protected computer to obtain information in what became known as “Celebgate” in 2014.

    The scandal saw nude photos of models and actresses such as Jennifer Lawrence and Kate Upton published online, although none of the celebrities hacked by Majerczyk were named in the plea deal.

    Reply
  21. Tomi Engdahl says:

    Clinton Interviewed by FBI Over Private Email Use
    http://www.securityweek.com/clinton-interviewed-fbi-over-private-email-use

    The FBI interviewed Hillary Clinton on Saturday about her use of personal email while serving as secretary of state, an issue that has dogged her campaign to become America’s first female president.

    Questions over Clinton’s use of a private account and homebrew server during her time as America’s top diplomat have fueled voter concerns that she is not trustworthy.

    It comes about three weeks before the Democratic National Convention is set to crown Clinton as the party’s official White House nominee.

    Reply
  22. Tomi Engdahl says:

    RIG Exploit Kit Exposes Millions to SmokeLoader Backdoor
    http://www.securityweek.com/rig-exploit-kit-exposes-millions-smokeloader-backdoor

    The RIG exploit kit (EK), currently one of the most popular crimekits infecting systems around the world, was recently observed in a campaign that potentially impacted millions of users, exposing them to the SmokeLoader (aka Dofoil) malware.

    Now that the Angler EK is gone, other threats in the segment are trying to fill the void, and RIG is one of them, although the Neutrino EK appears to have taken the reins for the time being (albeit the overall EK traffic is only a fraction of what it once was). According to Forcepoint researchers, a recently observed RIG campaign has targeted the users of Sprashivai[.]ru, a Russian Q&A and social networking site.

    The popular website has an estimated 20 million visitors per month, and it makes sense that RIG operators decided to attack it. Over the past couple of years, numerous high-profile sites were targeted by EKs through malvertising or other techniques, in an attempt to expose as many users as possible to the malware they were carrying.

    Reply
  23. Tomi Engdahl says:

    Microsoft Expands Multi-Factor Authentication Solution
    http://www.securityweek.com/microsoft-expands-multi-factor-authentication-solution

    Microsoft this week announced a series of changes to the security capabilities of Windows 10, including expanded capabilities for Windows Hello, the end-to-end multi-factor authentication solution that eliminates passwords when connecting to various services.

    Reply
  24. Tomi Engdahl says:

    Dan Goodin / Ars Technica:
    Researcher uses exploits to extract disk encryption keys from Android devices with Qualcomm chips; publicly-available attack code works on unpatched devices — Unlike Apple’s iOS, Android is vulnerable to several key-extraction techniques. — Privacy advocates take note …

    Android’s full-disk encryption just got much weaker—here’s why
    Unlike Apple’s iOS, Android is vulnerable to several key-extraction techniques.
    http://arstechnica.com/security/2016/07/androids-full-disk-encryption-just-got-much-weaker-heres-why/

    Privacy advocates take note: Android’s full-disk encryption just got dramatically easier to defeat on devices that use chips from semiconductor maker Qualcomm, thanks to new research that reveals several methods to extract crypto keys off of a locked handset. Those methods include publicly available attack code that works against an estimated 37 percent of enterprise users.

    A blog post published Thursday revealed that in stark contrast to the iPhone’s iOS, Qualcomm-powered Android devices store the disk encryption keys in software. That leaves the keys vulnerable to a variety of attacks that can pull a key off a device. From there, the key can be loaded onto a server cluster, field-programmable gate array, or supercomputer that has been optimized for super-fast password cracking.

    https://bits-please.blogspot.fi/2016/06/extracting-qualcomms-keymaster-keys.html

    Reply
  25. Tomi Engdahl says:

    Peter Maass / The Intercept:
    Former NSA hacker and author of memos leaked by Snowden including “I Hunt Sysadmins” talks about his work for the agency

    The Hunter
    https://theintercept.com/2016/06/28/he-was-a-hacker-for-the-nsa-and-he-was-willing-to-talk-i-was-willing-to-listen/

    Reply
  26. Tomi Engdahl says:

    One in 200 enterprise handsets is infected
    iOS bad, but not Android bad
    http://www.theregister.co.uk/2016/07/04/one_in_200_enterprise_handsets_is_infected/

    If your enterprise has 200 mobile devices, at least one is infected, so says security firm Skycure.

    The Palo Alto firm has uncovered previous nasty Apple bugs, including the No iOS Zone flaw reported by El Reg last year.

    All told, about three percent of the locked-down vanilla Cupertino devices are infected, the company says in its latest quarterly threat report.

    Chief technology officer Yair Amit says while Android devices are twice as likely to be owned than iOS, Apple gear has no immunity from malware.

    “Malware absolutely exists on enterprise mobile devices and standardising on iOS doesn’t make you safe,” Amit says.

    Reply
  27. Tomi Engdahl says:

    SQLite developers need to push the patch
    Tempfile permissions a can of worms
    http://www.theregister.co.uk/2016/07/04/sqlite_developers_need_to_push_the_patch/

    SQLite has pushed out an update to fix a local tempfile bug, to address concerns that the bug could be exploitable beyond the merely local.

    The bug was found by KoreLogic and reported to the popular open source database project, before being published at Full Disclosure.

    The issue is that SQLite creates its tempfiles in a directory with incorrect permissions. It’s not a Heartbleed-level vuln, but SQLite is deeply embedded in other packages, so the concern is that they might show insecure behaviours without knowing.

    What KoreLogic worked out is that there are cases where that could be taken advantage of by attacks beyond SQLite: “this might in turn cause software that uses SQLite libraries to behave in unsafe ways, leaking sensitive data, opening up SQLite libraries to attack by deliberately corrupted tempfiles, etc.”

    Since SQLite is used all over the place – by Adobe, Apple, Dropbox, Firefox, Android, Chrome, Microsoft and a bunch of others – it’s a noteworthy bug, even if it’s not yet been exploited.

    The fix is in version 3.13.0.

    KL-001-2016-003 : SQLite Tempdir Selection Vulnerability
    http://seclists.org/fulldisclosure/2016/Jul/0

    Reply
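The advisory quoted above is about where temporary files end up rather than a bug in the database engine itself, so the useful defender's check is on the candidate directories. The script below is an added example, not code from SQLite or from KoreLogic: it reports why a directory is unsafe for temp files (wrong owner, world-writable without the sticky bit, symlink, not writable) and walks the candidate list. The candidate order (SQLITE_TMPDIR, TMPDIR, then the usual system directories) is assumed here for the example.

```python
"""Check candidate temporary directories the way a defender would after the SQLite
tempdir advisory: a directory is acceptable only if it is a real directory, owned by
root or the caller, writable by the caller, and not world-writable unless sticky."""
import os
import shutil
import stat
import tempfile

# Assumed candidate search order for the example: environment overrides first,
# then the usual system temp directories.
CANDIDATE_ENV = ("SQLITE_TMPDIR", "TMPDIR")
CANDIDATE_DIRS = ("/var/tmp", "/usr/tmp", "/tmp")


def tempdir_problems(path):
    """Return the reasons `path` is unsafe for temp files; an empty list means OK."""
    try:
        st = os.lstat(path)                      # lstat: do not follow a planted symlink
    except OSError as exc:
        return [f"cannot stat: {exc.strerror}"]
    if stat.S_ISLNK(st.st_mode):
        return ["is a symlink"]
    if not stat.S_ISDIR(st.st_mode):
        return ["not a directory"]
    problems = []
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid not in (0, os.getuid()):
        problems.append(f"owned by uid {st.st_uid}, not root or the caller")
    # World-writable is fine only with the sticky bit, so other users cannot
    # rename or replace files they do not own (the classic /tmp rule).
    if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
        problems.append("world-writable without sticky bit")
    if not os.access(path, os.W_OK | os.X_OK):
        problems.append("not writable by the caller")
    return problems


def candidate_tempdirs():
    """Candidate directories in search order, environment overrides first."""
    dirs = [os.environ[v] for v in CANDIDATE_ENV if os.environ.get(v)]
    return dirs + list(CANDIDATE_DIRS)


def first_safe_tempdir():
    """First candidate with no problems, or None if every candidate is unsafe."""
    for d in candidate_tempdirs():
        if not tempdir_problems(d):
            return d
    return None


def self_check():
    """Exercise the checks on a scratch directory; returns {scenario: problems}."""
    base = tempfile.mkdtemp()                    # created with mode 0700
    results = {}
    try:
        results["private 0700"] = tempdir_problems(base)
        os.chmod(base, 0o777)
        results["world-writable 0777"] = tempdir_problems(base)
        os.chmod(base, 0o1777)
        results["sticky 1777"] = tempdir_problems(base)
        plain = os.path.join(base, "plain-file")
        open(plain, "w").close()
        results["regular file"] = tempdir_problems(plain)
        link = os.path.join(base, "link")
        os.symlink(base, link)
        results["symlink"] = tempdir_problems(link)
        results["missing"] = tempdir_problems(os.path.join(base, "does-not-exist"))
    finally:
        os.chmod(base, 0o700)
        shutil.rmtree(base)
    return results


if __name__ == "__main__":
    for scenario, problems in self_check().items():
        print(f"{scenario:22s} -> {problems or 'OK'}")
    for d in candidate_tempdirs():
        print(f"{d:22s} -> {tempdir_problems(d) or 'OK'}")
    print("first safe candidate:", first_safe_tempdir())
```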
  28. Tomi Engdahl says:

    UN Council: Seriously, Nations, Stop Switching Off the Internet!
    https://yro.slashdot.org/story/16/07/03/0340234/un-council-seriously-nations-stop-switching-off-the-internet?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29

    “The United Nations officially condemned the practice of countries shutting down access to the internet at a meeting of the Human Rights Council on Friday,” reports the Register newspaper, saying Friday’s resolution “effectively extends human rights held offline to the internet,” including freedom of expression. “The resolution is a much-needed response to increased pressure on freedom of expression online in all parts of the world,”

    UN council: Seriously, nations, stop switching off the damn internet
    Online freedom resolution passes despite best efforts by Russia, China et al
    http://www.theregister.co.uk/2016/07/01/un_officially_condemns_internet_shutdowns/

    The United Nations officially condemned the practice of countries shutting down access to the internet at a meeting of the Human Rights Council on Friday.

    A resolution [PDF] entitled The promotion, protection and enjoyment of human rights on the Internet effectively extends human rights held offline to the internet. It was passed by consensus, but only after a determined effort by a number of countries, including China and Russia, to pull out key parts of the text.

    https://www.article19.org/data/files/Internet_Statement_Adopted.pdf

    Reply
  29. Tomi Engdahl says:

    Illinois man to plead guilty in celebrity iCloud hacking case
    http://venturebeat.com/2016/07/02/illinois-man-to-plead-guilty-in-celebrity-icloud-hacking-case/

    An Illinois man accused of breaking into the Apple iCloud and Gmail accounts of celebrities to obtain their private photos and videos has agreed to plead guilty to a felony computer hacking charge, prosecutors said on Friday.

    Edward Majerczyk, 28, facing up to five years in prison, is the second man charged in a federal investigation into the leaks of nude photos of several Hollywood actresses, including Oscar winner Jennifer Lawrence, in September 2014.

    According to a plea agreement signed by Majerczyk, he illegally accessed Apple iCloud and Google Gmail accounts belonging to more than 300 people, using an email “phishing” ploy to obtain their user names and passwords.

    Through this scheme, Majerczyk was able to access full iCloud backups belonging to numerous victims, including at least 30 celebrities.

    “Many of these backups contained sensitive and private photographs and videos,”

    Reply
  30. Tomi Engdahl says:

    Israel Accuses Facebook Of Aiding Terrorists and Hampering Police Investigations
    https://tech.slashdot.org/story/16/07/03/1810221/israel-accuses-facebook-of-aiding-terrorists-and-hampering-police-investigations

    “The young generation in the Palestinian Authority suckles all of its incitement against Israel from Facebook and, in the end, goes and commits murders,” Israel’s Minister of Internal Security said Saturday. “Some of the blood of the victims of the recent attacks…is unfortunately on the hands of Mark Zuckerberg, because the police and security forces could have been told about the post of that vile murderer.”

    Israel prepares legislation which would allow it to order social media sites to remove posts it considered threatening.

    http://www.jpost.com/Israel-News/Erdan-blames-Facebook-for-aiding-recent-murders-459328

    Facebook defends position on content standards after Israeli censure
    http://www.reuters.com/article/us-israel-facebook-idUSKCN0ZJ0D8

    Facebook is doing its share to remove abusive content from the social network, it said on Sunday in an apparent rejection of Israeli allegations that it was uncooperative in stemming messages that might spur Palestinian violence.

    Beset by a 10-month-old surge in Palestinian street attacks, Israel says that Facebook has been used to perpetuate such bloodshed and Prime Minister Benjamin Netanyahu’s rightist government is drafting legislation to enable it to order social media sites to remove postings deemed threatening.

    Ramping up the pressure, Public Security Minister Gilad Erdan on Saturday accused Facebook of “sabotaging” Israeli police efforts by not cooperating with inquiries about potential suspects in the occupied West Bank and by “set(ting) a very high bar for removing inciteful content and posts”.

    “We have a set of community standards designed to help people understand what’s allowed on Facebook, and we call on people to use our report if they find content they believe violates these rules, so that we can examine each case and take quick action,” the statement said.

    Citing sources familiar with the technology, Reuters reported last month that Facebook and other Internet companies have begun using automation to remove Islamic State videos and other extremist content from their sites.

    Reply
  31. Tomi Engdahl says:

    American Cities Are Installing DHS-Funded Audio Surveillance
    https://yro.slashdot.org/story/16/07/03/0913203/american-cities-are-installing-dhs-funded-audio-surveillance

    “Audio surveillance is increasingly being used on parts of urban mass transit systems,” reports the Christian Science Monitor. Slashdot reader itwbennett writes “It was first reported in April that New Jersey had been using audio surveillance on some of its light rail lines, raising questions of privacy. This week, New Jersey Transit ended the program following revelations that the agency ‘didn’t have policies governing storage and who had access to data.’”

    Comments:

    That assumes only single microphones per car/train/etc.

    Placement, and quantity can make up for ambient noise, and also permits big brother to know where exactly on said train you were standing when you discussed your seditious materials.

    Small mics placed every 3 feet would probably be sufficient to get most conversations.

    As someone who also worked in the entertainment industry, I’d say you ought to reconsider what skilled audio engineers can do.

    When we had a case of equipment get delayed, I’ve had to use the wrong mics and set up recording without a soundcheck. The raw recording was noisy and inconsistent, and the actors’ speech was practically unintelligible. However, with a few minutes at a workstation, I was able to smooth out most of the inconsistency, and even out the noise floor. It was still unintelligible, but that cleared up after some very careful noise filters were applied. The end result wasn’t stellar, but it was passable.

    The goal here isn’t to have an entertaining immersive audio experience, though. The goal of audio recording on public transit is to provide evidence in a court case.

    Big Brother is listening as well as watching
    http://www.csoonline.com/article/3090502/security/big-brother-is-listening-as-well-as-watching.html

    In a world of ubiquitous security cameras, most people know by now that some form of Big Brother – government or private – is watching them. But they are less likely to know that in some areas, he is also listening.

    While it is not yet widespread, audio surveillance is increasingly being used on parts of urban mass transit systems.

    That is the bad news, in the view of privacy advocates. But the good news is that public awareness can, at least in some cases, curtail it.

    Dennis Martin, former interim executive director of the agency, told the AP that the goal was to “deter criminal activity” and keep passengers safe.

    But he refused to say how the audio data is stored, for how long, who reviewed it and when or how it was destroyed, saying only, “there are laws that govern that and we’re in compliance.”

    Critics, including commuter organizations, contended that the recording violated both the First Amendment (free speech) and Fourth Amendment (unreasonable search) rights of passengers.

    And cities in New Hampshire, Connecticut, Michigan, Ohio, Nevada, Oregon and California have either installed systems or moved to procure them, in many cases with funding from the federal Department of Homeland Security (DHS).

    Transit officials say their initiative is all about protecting passengers. But the debate continues about when public safety measures trample citizens’ right to privacy.

    Lee Tien, senior staff attorney at the Electronic Freedom Foundation (EFF), said deterrence, “is a reasonable thing, but the hard questions remain.

    terrorists bent on attacking a mass transit system, “will just communicate ahead of time, or figure out a way to communicate that does not get picked up by the audio bugs. They are not effective deterrents to those who want to cause harm.”

    Of course, most transit agencies that do audio surveillance post signs notifying riders that it is in use. And some might argue that people cannot expect privacy in public places.

    But Tien contends that, “the law has long understood that privacy protects persons, not places.”

    Herold calls the mass, indiscriminate collection of oral conversations, “a gross violation of privacy.” She said when government authorities, “refuse to answer basic questions about who is getting access to the recordings, how they are being used, and how long they are using them, that raises many privacy red flags.”

    “It’s not just about privacy, it’s about freedom of speech,” Herold said, “Declaring open season on conversations just because they take place in public or communal space will have a chilling effect.”

    Reply
  32. Tomi Engdahl says:

    Spy Tech That Reads Your Mind
    http://fortune.com/insider-threats-email-scout/

    Leaks, theft, and sabotage by employees have become a major cybersecurity problem. One company says it can spot “insider threats” before they happen—by reading all your workers’ email.

    On any given morning at a big national bank or a Silicon Valley software giant or a government agency, a security official could start her day by asking a software program for a report on her organization’s staff. “Okay, as of last night, who were the people who were most disgruntled?” she could ask. “Show me the top 10.”

    She would have that capability, says Eric Shaw, a psychologist and longtime consultant to the intelligence community, if she used a software tool he developed for Stroz Friedberg, a cybersecurity firm. The software combs through an organization’s emails and text messages—millions a day, the company says—looking for high usage of words and phrases that language psychologists associate with certain mental states and personality profiles. Ask for a list of staffers who score high for discontent, Shaw says, “and you could look at their names. Or you could look at the top emails themselves.”

    Many companies already have the ability to run keyword searches of employees’ emails, looking for worrisome words and phrases like embezzle and I loathe this job.

    It’s not illegal to be disgruntled. But today’s frustrated worker could engineer tomorrow’s hundred-million-­dollar data breach. Scout is being marketed as a cutting-edge weapon in the growing arsenal that helps corporations combat “insider threat,” the phenomenon of employees going bad.

    Though companies have long been arming themselves against cyberattack by external hackers, often presumed to come from distant lands like Russia and China, they’re increasingly realizing that many assaults are launched from within—by, say, the quiet guy down the hall whose contract wasn’t renewed. The most spectacular examples have been governmental—the massive 2010 data dump of more than 700,000 classified files onto WikiLeaks by Chelsea Manning (then known as Pfc. Bradley Manning) and the leaks by former intelligence contractor Edward Snowden in 2013. While those events were sui generis, they opened the world’s eyes to the breathtaking scope of every organization’s vulnerability.

    About 27% of electronic attacks on organizations—­public and private—come from within, according to the latest ­annual cybercrime survey jointly conducted by CSO Magazine, the U.S. Secret Service, PricewaterhouseCoopers, and the Software Engineering Institute CERT program.

    Since 2011, government agencies that handle classified information have been required to have formal insider-threat programs in place. And in May that rule was extended to private contractors who handle such data—some 6,000 to 8,000 companies, according to Randall Trzeciak, who heads CERT’s Insider Threat Center.

    The vast majority of these tools, known as technical indicators, provide ways to monitor computer networks, prevent data loss, alert security to suspicious conduct, or even record keystrokes and take video of individual computer screens. Such solutions let an organization see, for instance, who’s logging onto her computer at odd hours, messing around with electronic tags that demark confidential information, or simply departing from routine in some sudden, marked fashion.

    Still other tools are available to comb through employees’ emails, looking for keywords. But Scout appears to be the email-scanning tool most specifically and ingeniously tailored to try to sniff out insider threats before they occur.

    Ed Stroz acknowledges that Scout does not supplant the many technical tools already available to fight insider threat. But those solutions help only after someone is already “touching, reading, copying, and moving files” he’s not supposed to, he says.

    In a real-life case, a human clinician would then pull up the actual emails, via Scout’s interface, and examine them individually. He would present any messages judged truly worrisome to the client. The client would then decide what action to take, says Weber, after drawing input from managers and its human resources, legal, and security departments. Scout is currently being used in government and in the financial sector, Weber asserts, and is now being tested by clients in manufacturing, health care, and pharmaceuticals. He declines to give numbers.

    Shaw jokes that he originally wanted to call Scout “Big Brother.” Doesn’t it, in fact, invade employees’ privacy?
    “It’s really very respectful of privacy,” Weber insists. He stresses that only a tiny fraction of emails are ever read, and most of those are reviewed only by the outside clinician—never coming to the attention of co-workers or supervisors. From a legal standpoint, Weber explains, in the U.S. a company needs “informed consent” to look at employees’ emails.

    Weber even argues that privacy concerns cut in favor of Scout. “In many cyberattack cases we’re brought into,” he says, “privacy is exactly how people were wronged. Intruders went through their network, read stuff, copied things, photographed them, turned on the microphone or the camera inside the computer—those are huge privacy violations.”

    Reply
  33. Tomi Engdahl says:

    “When I first went to Blackhat/Defcon, it was with the wide-eyed anticipation of ‘I’m going to go listen to all of the talks that I can, soak up all of the information possible, and become a supar-1337-haxxor.’ What a let-down of an experience that was. You find the most interesting topics and briefings, wait in lines to get a seat, and find yourself straining your ears to listen to someone that has basically nothing new to say. Most of the talks get hyped up exponentially past any amount of substance they actually provide.”

    Source: https://theintercept.com/2016/06/28/he-was-a-hacker-for-the-nsa-and-he-was-willing-to-talk-i-was-willing-to-listen/

    Reply
  34. Tomi Engdahl says:

    “You know, the situation is what it is,” he said. “There are protocols that were designed years ago before anybody had any care about security, because when they were developed, nobody was foreseeing that they would be taken advantage of. … A lot of people on the internet seem to approach the problem [with the attitude of] ‘I’m just going to walk naked outside of my house and hope that nobody looks at me.’ From a security perspective, is that a good way to go about thinking? No, horrible … There are good ways to be more secure on the internet. But do most people use Tor? No. Do most people use Signal? No. Do most people use insecure things that most people can hack? Yes. Is that a bash against the intelligence community that people use stuff that’s easily exploitable? That’s a hard argument for me to make.”

    But it wasn’t a hard argument for me to make, so I tried. Back in the 1990s, in the early days of the web, the uses and hopes for the internet were thought to be joyous and non-commercial. The web would let us talk to one another and would decentralize power and revolutionize the world in good ways.

    “There’s the old adage that the only secure computer is one that is turned off, buried in a box ten feet underground, and never turned on,” he said. “From a user perspective, someone trying to find holes by day and then just live on the internet by night, there’s the expectation [that] if somebody wants to have access to your computer bad enough, they’re going to get it. Whether that’s an intelligence agency or a cybercrimes syndicate, whoever that is, it’s probably going to happen.”

    Spies who do nothing but eavesdrop, slipping into computers and conversations without a trace, have a reputation in popular culture of being troubled in ways that conventional spies are not.

    The Soviet Union is long gone, but in 2016 we live under the specter of far more surveillance than anything the KGB could have dreamed of with its rudimentary bugs and fearful informers. Not just government surveillance — law enforcement can easily obtain our phone and internet records with a warrant from the nearly always compliant courts — but corporate surveillance, too. It’s not just Google and Facebook that might know more details about our lives and friends than the KGB could have imagined in its most feverish dreams of information dominance, but even Zipcar and Amazon.

    There are precautions one can take

    At the end of our three hours together, I mentioned to him that I had taken these precautions—and he approved.

    “That’s fair,” he said. “I’m glad you have that appreciation. … From a perspective of a journalist who has access to classified information, it would be remiss to think you’re not a target of foreign intelligence services.”

    He was telling me the U.S. government should be the least of my worries. He was trying to help me.

    Source: https://theintercept.com/2016/06/28/he-was-a-hacker-for-the-nsa-and-he-was-willing-to-talk-i-was-willing-to-listen/

    Reply
  35. Tomi Engdahl says:

    FBI Director: Clinton Emails Were Careless, Not Criminal
    http://www.wired.com/2016/07/fbi-director-clinton-emails-careless-not-criminal/

    The FBI’s months-long investigation into Hillary Clinton’s private emails has come to an end. Investigators found that Clinton was “extremely careless” in handling classified information, FBI director James Comey said today. But they do not believe her transgressions warrant criminal charges.

    Investigators interviewed Clinton for three-and-a-half hours over the Fourth of July weekend about her use of a private email server while Secretary of State, and the threat of a possible indictment has hung over her presidential campaign. The final decision on whether or not to bring charges against Clinton still remains with the Department of Justice.

    “In our system the prosecutors make the decisions about whether charges are appropriate,” Comey said. “Our judgment is that no reasonable prosecutor would bring such a case.”

    The FBI searched several servers and email devices Clinton used as Secretary of State and found 110 emails and 52 email chains considered classified at the time they were sent and received, Comey said. Eight of those chains were top secret, the government’s highest security classification.

    The investigation also found several thousand work-related emails not among the 30,000 messages Clinton handed over during the probe.

    The FBI also assessed whether foreign governments had hacked Clinton’s account. Investigators found that Clinton did use her personal account while traveling “in the territory of sophisticated adversaries” but didn’t find any direct evidence of a hack.

    The Politics of Email

    In a statement, Clinton spokesman Brian Fallon said the campaign is “glad that this matter is now resolved.”

    In his remarks, Comey acknowledged that the FBI’s assessment will likely stir up more controversy about the politics of the investigation, but he rejected any claims of undue influence.

    Reply
  36. Tomi Engdahl says:

    SourceClear Open
    http://www.linuxjournal.com/content/sourceclear-open?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+linuxjournalcom+%28Linux+Journal+-+The+Original+Magazine+of+the+Linux+Community%29

    Open source and DevOps have been a boon to software development. Nevertheless, sneaky hackers understand—and exploit—the fact that reusable code also means reusable vulnerabilities to distribute throughout the global software supply chain. To aid developers in navigating this new threat landscape, SourceClear announced a new product, SourceClear Open, a cloud service that tracks thousands of threat sources and analyzes millions of open-source library releases.

    In explaining the need for SourceClear Open, the company notes that developers are held increasingly accountable for security, which creates demand for tools that help them with this responsibility. Unfortunately, traditional security products are insufficient, and public and government-backed software vulnerability databases have limitations.

    https://srcclr.com/

    Reply
  37. Tomi Engdahl says:

    TP-Link abandons ‘forgotten’ router config domains
    192.168.1.1 is a pain, but it’s better than ‘admin:admin’ on the Web anyhow
    http://www.theregister.co.uk/2016/07/06/tplink_abandons_forgotten_router_config_domains/

    TP-Link, rather than recovering domains it forgot to renew, is going to abandon them.

    The domains in question are tplinklogin.net and tplinkextender.net. They offered configuration services for buyers of the company’s home routers and Wi-Fi link extenders, and are identified on stickers on some devices (not all: two TP-Link routers in the author’s house, one less than three months old, direct users to the more conventional 192.168.1.1 for configuration).

    The domains got scooped up by a squatter using an anonymous registration service, and according to Amity Dan who first noticed the snafu, they’re being offered for sale at US$2.5 million each.

    The biggest risk is if the domains are swept up by malware scum to snare users who go to the sites to reconfigure devices.

    Reply
  38. Tomi Engdahl says:

    Ponemon Institute research indicates that up to 92 per cent of companies have been the victim of a data break-in. Often the break-in comes through a hidden device, such as a printer or multifunction device.

    In research recently carried out by Spiceworks at HP's request, only 18 percent of the IT experts who responded rated printers and multifunction devices as a mid-level or high-level risk factor for security threats and infiltrations. However, according to the Ponemon Institute, 92 percent of the companies on the Forbes Global 2000 list reported being compromised in the past year.

    Most worrying, however, is that an unprotected printer or multifunction device gives access to the corporate network, so that hackers can gain access to sensitive, private or confidential information. In Denmark, a hacker broke into a corporate network through an unprotected device, paralyzed the entire IT system and demanded a ransom from the firm.

    The threat of cyber attacks will only increase as the number of network-attached devices susceptible to attack grows.

    Break-ins will be costly for companies. On average, the resulting cost of cyber-attacks was estimated at $7.7 million on an annual basis.

    Source: http://etn.fi/index.php?option=com_content&view=article&id=4664:lahes-kaikkiin-yrityksiin-tehty-tietomurto&catid=13&Itemid=101

    Reply
  39. Tomi Engdahl says:

    The Commission goes on the attack against cyber threats

    The European Commission yesterday launched a new cyber security sector public-private partnership program, which is expected to generate investments of EUR 1.8 billion by 2020. The partnership is part of a series of new initiatives to improve preparedness for and response to cyber-attacks and to strengthen the competitiveness of the European cyber security sector.

    A recent survey found that at least 80 per cent of businesses in Europe experienced at least one cyber security incident during the last year, and that the number of security incidents in all industries worldwide grew by 38 per cent in 2015. This will harm European companies, be they large or small, and threatens to undermine confidence in the digital economy.

    As part of the digital single market strategy, the Commission wishes to strengthen cooperation across borders and between all actors and sectors that operate in the field of cyber security. In addition, it seeks to develop innovative and safe technologies, products and services throughout the EU.

    The EU will invest EUR 450 million in this partnership through the Horizon 2020 research and innovation program. Cyber security market players, represented by the European Cyber Security Organisation ECSO, are expected to invest three times as much in the partnership. National, regional and local governments, research centres and universities will also participate in the project.

    The Commission also wants to facilitate access to finance for smaller companies operating in the field of cyber security and will examine the different options in the context of the investment program. The Network and Information Security Directive, which is to be adopted by the European Parliament today, already provides a Europe-wide framework for reporting information security incidents and responding to them, so that network operators can react quickly to cyber threats and breaches.

    Source: http://etn.fi/index.php?option=com_content&view=article&id=4662:komissio-hyokkaa-kyberuhkien-kimppuun&catid=13&Itemid=101

    Reply
  40. Tomi Engdahl says:

    Jonathan Stempel / Reuters:
    Appeals court rejects challenge to CFAA anti-hacking law, gives broad leeway to prosecute password theft; critics say ruling may affect routine password sharing

    U.S. appeals court upholds conviction over shared password
    http://www.reuters.com/article/us-usa-cyber-conviction-idUSKCN0ZL2BW

    A divided federal appeals court on Tuesday gave the U.S. Department of Justice broad leeway to police password theft under a 1984 anti-hacking law, upholding the conviction of a former Korn/Ferry International executive for stealing confidential client data.

    The 9th U.S. Circuit Court of Appeals in San Francisco said David Nosal violated the Computer Fraud and Abuse Act in 2005 when he and two friends, who had also left Korn/Ferry, used an employee’s password to access the recruiting firm’s computers and obtain information to help start a new firm.

    Reply
  41. Tomi Engdahl says:

    The FBI recommends not to indict Hillary Clinton for email misconduct
    ‘None of these emails should have been on any kind of unclassified system.’
    http://www.theverge.com/2016/7/5/12096364/hillary-clinton-email-probe-fbi-indict-private-server

    The Federal Bureau of Investigation has completed its investigation into Hillary Clinton’s use of a personal email server and is recommending that the Department of Justice not indict Clinton, FBI Director James Comey said in a press conference today. The recommendation is not binding, and the ultimate decision will be made by the Department of Justice. Still, the recommendation will likely clear longstanding questions that have dogged Clinton’s presidential campaign for over a year.

    Reply
  42. Tomi Engdahl says:

    Clinton hid 1000s of emails, put classified data on her server… but shouldn’t be charged – FBI
    https://www.youtube.com/watch?v=87Q-GceujOA&feature=youtu.be

    Though the FBI found that Hillary Clinton and her staff were ‘extremely careless’ with State Department emails hosted on a private server, ‘no reasonable prosecutor’ would bring criminal charges in this case, FBI Director James Comey told reporters Tuesday morning.

    Reply
  43. Tomi Engdahl says:

    Man arrested following several attacks on Google offices
    http://www.theverge.com/2016/7/5/12100986/google-headquarters-attack-car-arson-shooting-arrest

    A car was burned and shots were fired at a Google building in Mountain View, allegedly by a man who felt “Google was watching him and that made him upset,” according to a police affidavit discovered by the Mercury News.

    destroyed a Google self-driving car

    Google headquarters attacked, allegedly by man who thought company was watching him
    http://www.mercurynews.com/crime-courts/ci_30089923/police-fearing-google-tracking-man-accused-launching-attacks

    Police believe an Oakland man, fearful of being tracked by Google, launched a series of attacks on Google’s company headquarters, including shooting out office windows and tossing Molotov cocktails at a streetview vehicle.

    Reply
  44. Tomi Engdahl says:

    Ashley Madison, the site for cheaters offering secret relationships that suffered a serious break-in last year, has become the target of a US Trade Commission investigation. The hack of the site exposed millions of its users’ personal information. That information has been used, among other things, to blackmail users of the site for money.

    Reuters interviewed Rob Segal, CEO of Avid Life Media, the company that owns Ashley Madison, who apologizes to users over the case.

    “We are deeply sorry,” Segal says.

    Being sorry does not change the fact that a number of actions have been brought against Avid Life Media in the United States and Canada.

    The US Trade Commission’s investigation will focus on the site’s false advertising, such as the fact that users were promised their information would be safe, even though it proved otherwise. The company still does not know how the break-in took place or who the perpetrator was.

    Source: http://www.tivi.fi/Kaikki_uutiset/kayttajiensa-tiedot-vuotanut-pettajasivusto-petti-asiakkaitaan-roboteilla-toimitusjohtaja-on-pahoillaan-6564988

    Reply
  45. Tomi Engdahl says:

    FTC wants a date with Ashley Madison’s fembots
    Bonk-hopefuls’ site’s fake profiles under investigation
    http://www.theregister.co.uk/2016/07/06/ftc_wants_a_date_with_ashley_madisons_fembots/

    The US Federal Trade Commission has decided to add Ashley Madison’s “fembots” to the company’s long list of woes.

    The existence of the fembots – fake profiles used to keep men on the “Life is short, have an affair” forking out funds in case they got lucky – was revealed after the infamous hack of the site.

    The investigation was revealed to Reuters, with executives from owner Avid Life Media saying the FTC was investigating the bots.

    Infidelity website Ashley Madison facing FTC probe, CEO apologizes
    http://www.reuters.com/article/us-ashleymadison-cyber-idUSKCN0ZL09J

    The breach, which exposed the personal details of millions who signed up for the site with the slogan “Life is short. Have an affair,” cost Avid Life Media more than a quarter of its revenue, Chief Executive Rob Segal and President James Millership revealed in an interview, the first by any senior executive since the incident.

    The two executives, hired in April, said the closely held company is spending millions to improve security and looking at payment options that offer more privacy.

    Ashley Madison got plenty of media attention before the hack, with former chief executive Noel Biderman boasting of a $1 billion valuation.

    Segal acknowledged that the company is not worth that much and said Avid still doesn’t know how the attack happened or who was responsible.

    Avid Life is on track to record roughly $80 million in revenue this year, with margin on earnings before interest, taxation, depreciation and amortization of 35 to 40 percent, said Millership. Its 2015 revenue was $109 million, with a 49 percent margin.

    Reply
  46. Tomi Engdahl says:

    Microsoft Proposes Independent Body to Attribute Cyber Attacks
    http://www.securityweek.com/microsoft-proposes-independent-body-attribute-cyber-attacks

    Microsoft has published a paper that proposes a series of recommended ‘norms’ of good industry behavior in cyberspace, and also a route towards implementing and achieving those norms. Most of the norms are uncontentious and self-evident – but one in particular (which is a form of ‘responsible disclosure’) is less so. Furthermore, the key feature in implementing these norms (the attribution of attacks to attackers) is particularly troublesome.

    Reply
  47. Tomi Engdahl says:

    Information-Collecting Android Keyboard Tops 50 Million Installs
    http://www.securityweek.com/information-collecting-android-keyboard-tops-50-million-installs

    A third-party keyboard application for Android that had over 50 million installs was found to collect user data and send it to a remote server, Pentest Limited researchers reveal.

    Dubbed “Flash Keyboard” and developed by DotC United, the application was the 11th most popular app in Google Play at the time the researchers began their analysis. Even though it engaged in nefarious activities, the program went unnoticed, yet Google removed the offending app from the storefront after being informed of the issue (although it has already re-approved it).

    In a detailed report (PDF) on the app’s malicious activity, Pentest Limited’s Andrew Pannell explains that the researchers analyzed app version 1.0.27 (currently, the app iteration available in Google Play is 1.0.54).

    Android App: Keyboard or Malware
    https://www.pentest.co.uk/documents/flash-keyboard.pdf

    Reply
  48. Tomi Engdahl says:

    Windows Information Protection to Address Data Leaks in Windows 10
    http://www.securityweek.com/windows-information-protection-address-data-leaks-windows-10

    One of the features that Microsoft will debut in the upcoming Windows 10 Anniversary Update is Windows Information Protection (WIP), a feature meant to keep users’ information safe even when data leaks occur.

    Previously referred to as enterprise data protection (EDP), WIP provides Windows with the ability to identify personal and business information, as well as to determine which applications have access to it, Microsoft says. Moreover, it also ensures that Windows can offer the basic controls necessary to determine what users can do with business data.

    WIP has been designed specifically to work with Office365 ProPlus and Azure Rights Management, which can keep business data protected when it leaves the device or when it’s shared with others. With WIP, some of the basic data protection features available in Office365 and Azure Rights Management are coming to Windows itself, Microsoft’s Chris Hallum and Nathan Mercer explain in a blog post.

    Windows already has data protection mechanisms in place, such as BitLocker, which Microsoft touts as a great solution when it comes to lost or stolen devices. When data is accidentally or intentionally leaked, however, BitLocker is ineffective, and this is where WIP comes into play.

    The solution has been designed to work completely behind the scenes to keep data secure regardless of where on the device it is located. Moreover, the protection continues even when the data is copied to removable storage devices such as USB drives.

    WIP also ensures that only authorized users and applications can access business data, thus protecting data from leaks, even on devices with multiple user profiles.

    Introducing Windows Information Protection
    https://blogs.technet.microsoft.com/windowsitpro/2016/06/29/introducing-windows-information-protection/

    Reply
  49. Tomi Engdahl says:

    At a glance | The 4 most popular cyber crimes

    Phishing – The aim is to trick people into handing over their card details or access to protected systems. Emails are sent out that contain either links or attachments that either take you to a website that looks like your bank’s, or installs malware on your system.

    A report by Verizon into data breach investigations has shown that 23% of people open phishing emails.

    Identity theft – According to fraud protection agency Cifas, the number of victims rose by 31 per cent to 32,058 in the first three months of 2015. Criminals use online ‘fraud forums’ to buy and sell credit cards, email addresses and passports.

    Hacking – In a Verizon study of security breaches there were 285 million data exposures, which works out to about 9 records exposed every second. 26% of these attacks were executed internally within organisations.

    It is estimated that 90% of all data records that were used in a crime were the result of hackers employed by organised crime.

    Online harassment – Over half of adolescents and teens have been bullied online, while 73% of adult users have seen someone harassed in some way online and 40% have experienced it.

    Source: http://www.telegraph.co.uk/technology/2016/07/05/algorithm-can-spot-lies-in-emails-and-dating-sites/

    Reply
