Security trends for 2016

Here are my predictions for trends in information security and cyber security for the year 2016.

Year 2015 was pretty bad for information security, and I would say that the trend is worrying. So I expect that the year 2016 will have many information security challenges. If you want to keep yourself up at night, spend some time reading about the latest developments in cybersecurity. In 2015 there were airplanes hacked, cars hacked, and vulnerabilities found in a breathtaking range of sensitive equipment from TSA locks to voting booths to medical devices. The big picture is even scarier. Former NSA Director Mike McConnell suspects China has hacked “every major corporation” in the US. Those problems will continue in 2016 and some new targets for attacks will be found. The system is broken. It isn’t keeping us, our companies, or our government safe. Worse yet, no one seems to know how to fix it.

Attacks through networks are becoming more common all the time. It will be hard to protect against targeted attacks. Hackers will not only customize malware, but they will increasingly use sophisticated phishing and social engineering tricks to gain access to sensitive data. Attackers usually cover their tracks carefully, so identifying who is behind an attack can be very difficult. Behind targeted attacks are usually professional criminals. Criminals do not respect geographical borders, and hence attacks are spread evenly everywhere. Companies will struggle to absorb the security threats of combined PC and mobile devices in 2016.

 

EU information security decisions made in late 2015 will have an impact on what comes in 2016: the new EU data protection legislation package was approved, and the EU Court of Justice ruled that the Safe Harbor procedure is invalid. This means that transfers of personal data from EU countries to the United States under Safe Harbor are now a violation of the law; you need some other agreement for this. The situation will probably get clarified during 2016. Data protection legislation changes will lead to increased fines for the unprepared. Legal uncertainty and big fines are a toxic cocktail for some companies. The combination of stiff penalties and ambiguously worded provisions in the new EU-wide data-protection law, which will replace a patchwork of 28 national laws, raises daunting prospects for companies operating in Europe.

After the huge number of user information leaks in 2015 from all kinds of Internet services, cloud companies will face challenges in gaining trust in their security. You might have just dared to trust “the right cloud services,” since from the traditional information security point of view they seemed to be mostly okay, but the leaks have raised new privacy issues.

New environments will bring new threats. New operating system versions mean that administrators and users are less familiar with the environments. IPv6 will get more widely used, and the security of IPv6 networks is different from IPv4. Organizations are moving to virtualized environments, which are complex and create network layers that can become an attack vector. Growing network virtualization functionality and programmability are both an opportunity and a threat to security. Cyber security research will be important in 2016 as 5G networks will be critical infrastructure, on top of which, for example, transport, industry, health and the new operators will set up their business around 2020.

The huge amount of information security information is becoming harder and harder to manage in 2016. A key problem with security revelations, as with all other news coverage, is the exponential growth of knowledge. There are a variety of news summaries produced on a daily basis, but they are not enough to get a good picture of what is happening. There are bigger and smaller news items, the impact of which is at times very difficult to assess. SMBs will become a bigger target for cybercriminals. Network and security professionals continue to be among the toughest IT talent to find and hire.

The old way of network security, focused on perimeter defense, is not enough in 2016. The old mantras “encrypt everything” and “secure the perimeter” are not enough. One deceptive truth seems to drive much of the cybersecurity industry down a rabbit hole: if you keep bad actors and bad software out of your system, you have nothing to worry about. It does not work like that anymore. As perimeter security gets stronger, malicious actors are looking for easier entry points to compromise an organisation through the breadth of its digital attack surface. Now malicious actors target “endpoints”—any device or sensor connected to a network—to break into that network. Traditional sandboxing will no longer protect against the growing malware landscape. Today, most private networks have far too many endpoints to properly secure. In an age of “Bring Your Own Device,” the cloud, remote access, and the Internet of Things, there are too many vulnerabilities hackers can exploit. Keep in mind that everything connected to the Internet can, and will, be hacked. To address those threats in 2016, security experts should assume compromise – that hackers and malware already have breached their defenses, or soon will – and instead classify and mitigate threats. In addition to a public key infrastructure lock-and-key system, you will also need an integrity solution that acts like an alarm. To protect against advanced threats, security professionals will increase their reliance on centralized security management solutions. You need to have prioritization and response plans for various kinds of breaches – with a strong focus on integrity.

Law enforcement versus Silicon Valley tension will continue to be strong throughout 2016. In 2015 law enforcement and politicians on both sides of the Atlantic lined up to repeatedly complain that the web was “going dark” as the result of end-to-end encryption and that this was hampering the investigation of terrorism and other serious crimes. Technologists and cryptographers argue that governments are trying to weaken encryption by demanding some form of privileged access for government. It’s not clear how much encryption the NSA can break. With renewed focus on how encrypted messages can be used to plot terrorist attacks, President Barack Obama’s administration is stepping up pressure on the tech sector to help in the battle. Privacy remains a major counter-argument. It seems that governments lie about encryption backdoors. Encryption systems weakened by mandated backdoors would not be effective in fighting the terrorists that governments invoke as their reason for wanting those backdoors in the first place.

But this does not stop some government officials from demanding such things, with varying success in different countries. Another fact is that the existence of coded communications is a reality, and the U.S. may not be able to do much about it because nearly everyone living in modern society uses it: encryption protects your bank information, prevents your password from being stolen when you log into a website, and allows all e-commerce transactions to take place securely. Encryption weakened by mandated backdoors would put all of us at an enormous risk of exposure from data breaches and associated online risks. The truth in 2016 is that any form of privileged access for government, i.e. a backdoor, would inevitably weaken crypto-systems and make them more vulnerable to attacks by foreign governments’ intelligence agencies as well as criminals. Juniper’s VPN security hole is proof that government backdoors are bonkers. Encryption backdoors would be a gleeful win-win for terrorists and a horrific lose-lose for you: the bad guys having strong protections for their data, and the rest of us not. Poorly thought-out and crude surveillance techniques can have a devastating effect on a country’s internet security; for example, Kazakhstan will force its citizens to install internet backdoors by requiring all Internet users to install a state-issued root certificate by January 1, 2016.

Google, Mozilla and Microsoft are pushing for an early SHA-1 crypto cutoff that could happen in 2016 instead of the earlier planned January 1, 2017, due to recent research showing that SHA-1 is weaker than previously believed, because it has been cracked without enormous effort. Mozilla, Microsoft and now Google are all considering bringing the deadline forward by six months to July 1, 2016. SHA-2 is going to be used as the replacement function for SHA-1. Websites like Facebook and those protected by CloudFlare have implemented a SHA-1 fallback mechanism for those systems that do not support SHA-2. Chrome will start displaying errors if SHA-1 certificates are employed in early 2016 and will completely stop supporting SHA-1 certificates at the end of 2016.
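Since the cutoff hinges on which hash signed each certificate, the first defensive job is to inventory the SHA-1-signed certificates still in use. The following is an added example, not code from the original post: it walks the outer DER structure of an X.509 certificate and classifies the signatureAlgorithm OID. The certificates it builds with make_sample_cert() are constructed, structurally minimal stand-ins (a dummy tbsCertificate and a dummy signature), not real certificates.

```python
"""Inventory check for SHA-1-signed X.509 certificates (added example).

Walks the outer DER structure
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
and classifies the OID found inside signatureAlgorithm.  The certificates produced
by make_sample_cert() are constructed, structurally minimal blobs for this demo.
"""

# Signature algorithm OIDs built on SHA-1 (RFC 3279) and SHA-2 successors (RFC 4055, RFC 5758).
SHA1_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10040.4.3": "dsa-with-sha1",
}
SHA2_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
}

SEQUENCE, OID, INTEGER, NULL, BIT_STRING = 0x30, 0x06, 0x02, 0x05, 0x03


def _read_tlv(data, pos):
    """Parse one DER tag-length-value starting at pos; return (tag, value, next_pos)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        nbytes = length & 0x7F
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    value = data[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER element")
    return tag, value, pos + length


def _decode_oid(raw):
    """Turn OBJECT IDENTIFIER content octets into dotted notation."""
    arcs = [raw[0] // 40, raw[0] % 40]     # first octet packs the first two arcs
    acc = 0
    for octet in raw[1:]:
        acc = (acc << 7) | (octet & 0x7F)  # base-128, high bit = continuation
        if not octet & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm_oid(cert_der):
    """Return the dotted OID of the certificate's outer signatureAlgorithm."""
    tag, cert, _ = _read_tlv(cert_der, 0)
    if tag != SEQUENCE:
        raise ValueError("certificate is not a DER SEQUENCE")
    _, _tbs, pos = _read_tlv(cert, 0)          # tbsCertificate: skipped here
    _, alg_id, _ = _read_tlv(cert, pos)        # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    tag, oid_octets, _ = _read_tlv(alg_id, 0)
    if tag != OID:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid_octets)


def classify(cert_der):
    """Return ('sha1' | 'sha2' | 'unknown', algorithm name or raw OID)."""
    oid = signature_algorithm_oid(cert_der)
    if oid in SHA1_SIGNATURE_OIDS:
        return "sha1", SHA1_SIGNATURE_OIDS[oid]
    if oid in SHA2_SIGNATURE_OIDS:
        return "sha2", SHA2_SIGNATURE_OIDS[oid]
    return "unknown", oid


# --- constructed sample input (tiny DER encoder used only to build demo certificates) ---

def _der(tag, content):
    """Encode one DER element with short- or long-form length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    len_octets = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(len_octets)]) + len_octets + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def make_sample_cert(sig_oid):
    """Constructed stand-in: dummy tbsCertificate, real AlgorithmIdentifier, dummy signature."""
    tbs = _der(SEQUENCE, _der(INTEGER, b"\x02"))            # placeholder for the real tbsCertificate
    alg = _der(SEQUENCE, _der(OID, _encode_oid(sig_oid)) + _der(NULL, b""))
    sig = _der(BIT_STRING, b"\x00" + b"\xab" * 32)          # 0 unused bits + fake signature bytes
    return _der(SEQUENCE, tbs + alg + sig)


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11", "1.2.840.10045.4.1"):
        print(oid, "->", classify(make_sample_cert(oid)))
```

On real certificates the same OID is what `openssl x509 -noout -text` prints as "Signature Algorithm"; check the leaf and intermediates, since a self-signed root's own signature is not validated by browsers.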

The use of Blockchain technology, a permissionless distributed database based on the bitcoin protocol that runs across a global network of independent computers, will get used more widely than for just Bitcoin virtual money. With bitcoin, Blockchain tracks the exchange of money. But it can also track the exchange of anything else that holds value, including stocks, bonds, and other financial securities. Overstock has already used the blockchain to issue private bonds. The Securities and Exchange Commission has approved a plan from online retailer Overstock.com to issue company stock via the Internet, signaling a significant shift in the way financial securities will be distributed and traded in the years to come. Overstock built its technology under the aegis of a subsidiary called TØ.com, and it plans to offer this “cryptosecurity” tech as a service to other businesses. Nasdaq OMX—the company behind the Nasdaq stock exchange—is using the blockchain to oversee the exchange of private stock. Also several major companies from across both the technology and financial industries—including IBM, Intel, and Cisco as well as the London Stock Exchange Group and big-name banks JP Morgan, Wells Fargo, and State Street—have joined forces with the Linux Foundation to create an alternative to the blockchain.

The use of disk encryption will increase, and there are different ways to do it with different security levels. In Windows 10, Microsoft has introduced disk encryption whose recovery keys are uploaded to Microsoft. This approach has some advantages and disadvantages. The gold standard in disk encryption is end-to-end encryption, where only you can unlock your disk. This is what most companies use, and it seems to work well. It protects data in case your device is lost or stolen. But what if you forget or lose your key? There are certainly cases where it’s helpful to have a backup of your key or password – so keeping a backup of your recovery key in your Microsoft account could be genuinely useful for probably the majority of users that don’t have high security needs. The disadvantage of this approach is that your computer is now only as secure as that database of keys held by Microsoft, which means it may be vulnerable to hackers, foreign governments, and people who can extort Microsoft employees.

Weak and leaked passwords are still a huge security problem in 2016. Passwords are often the weakest part when it comes to securing users’ accounts, as many don’t use complex passwords or they reuse the same password across services. Two-factor authentication – like using a USB stick with a secret token or entering a code sent via text message to your phone – can help to increase security, but many users also find this to be a hassle as it introduces an additional step to the login process.

Google has begun testing a login system that uses phone notifications for authentication instead of passwords: users authenticate by responding to a notification sent to their smartphone. The idea is similar to Yahoo’s recently launched “Account Key,” which also offers a password-free means of signing in involving a push notification sent to your phone that then opens an app where you approve the log-in.

Smartphones will become a more and more security-critical part of your life. “Increasingly, individuals and organisations are adopting password managers and multi-factor authentication technologies to plug some of the holes in password-based authentication.” “We foresee a world where practically everyone uses their smartphone as a multi-factor authentication element. In this world, the smartphone becomes your most valuable asset: something that enables you to unlock your life online and a target for attackers seeking to access your services.”

Expect that the number of mobile vulnerabilities will only grow in 2016. In 2016 we will see increasing numbers of cyber criminals using mobile applications to spread malware. Mobile presents an easy target for cyber criminals, because it is an attack surface that is open and extremely difficult to defend once an app has been released. Android threats will become more than just headline-grabbers. Will 2016 be the year iOS malware goes mainstream?

Critical infrastructures will be highly targeted in 2015. SCADA and ICS networks were not designed for security. Attacks against these systems have increased in recent years, and I expect this trend to only get worse. There are still many companies that run their critical systems on Windows XP, as “There are some people who don’t have an option to change.” Many times the OS is running in automation and process control systems that run business- and mission-critical systems, both in private sector and government enterprises. For example, the US Navy is using the obsolete operating system Microsoft Windows XP to run critical tasks. It all comes down to money and resources, but if someone is obliged to keep something running on an obsolete system, it is completely the wrong approach to information security.

Cars were hacked at a record rate in 2015, and they will be hacked at least at the same rate in 2016. Modern cars are featuring more gadgetry and connected systems, and this will make vehicles just as vulnerable to today’s threats and attacks. I Am The Cavalry has published a five-star Cyber Safety Framework to mitigate this threat in cars; hopefully car component makers will study it.

IoT and smart devices are still at risk. The Internet of Things will continue to emerge, and businesses will need to think about how to protect their smart devices and prepare for the wider adoption of IoT. IoT platforms are not yet the weapon of choice for commercial malware authors, but businesses beware. Wearables won’t be safe either, as they are built using largely the same, too often vulnerable, technologies as other IoT systems. IoT security is still in its infancy in 2016.

Cyber criminals became more active in 2015, particularly in the ransom-malware business. The ransom-malware problem will continue to be big in 2016. Commercial malware authors will continue to invest heavily, and exploit kits will continue to dominate on the web. Ransomware today is big business. Ransomware takes control of a computer and holds it hostage until the victim pays, usually in the digital currency Bitcoin. As a remedy against ransom-malware I recommend ensuring with your IT support or service provider that the data back-up and restore procedure is operational, practiced and tested. You may need it in 2016 to get your data back without considering paying criminals. To date ransomware has hit Windows users hardest, although Android and MacOS users are now also facing similar extortion.

Ransomware will continue to dominate in 2016, and it is only a question of time before we see things beyond data being ransomed. We have already seen websites being held to ransom with DDoS. Intel’s McAfee Labs also noted a huge spike in ransomware in early 2015, and worries about ransomware in the IoT space—including medical devices. And Kaspersky predicts the “nightmare of ransomware” to continue and “spread to new frontiers” in 2016. The article “Ransomware Is Coming to Medical Devices” tells that, according to a report released recently by Forrester Research, the number one cybersecurity prediction for 2016 is: “We’ll see ransomware for a medical device or wearable.” “It’s definitely feasible from a technical standpoint.” Networked medical devices save lives. Despite the hacking risk, it’s an informed trade-off. Medical device ransomware would be a modern form of highway robbery with lives at stake.

2,232 Comments

  1. Tomi Engdahl says:

    Advances Get a Grip on Single Photons & Molecules
    Single molecules & photons can be detected, emitted
    http://www.eetimes.com/document.asp?doc_id=1330340&

    The Moscow Institute of Physics and Technology (MIPT) is probing cutting edge diamond technologies to emit single photons (for uncrackable cybersecurity) and graphene to detect single molecules (for pathogen early detection). While experts around the world are also addressing these angstrom (one-tenth of a nanometer) scale problems, few laboratories are making headway in both.

    Dmitry Fedyanin, a researcher from MIPT’s Laboratory of Nano-optics and Plasmonics together with his Italian colleague Mario Agio from the University of Siegen (Germany), may have cracked the most vexing problem in uncrackable quantum encryption. By using diamonds as high-speed emitters of single angstrom-scale quantum encoded photons they may have opened the door to high-intensity (that is high-speed of 100-MHz) quantum key communications.

    “Our collaborative work is focused on the design and development of infrared single-photon sources, which provide high intensity of single-photon emission under electrical pumping, and are characterized by high energy efficiency and work at room- and high- temperatures alike,” Fedyanin told EE Times in an exclusive interview.

    Today single-photon sources for uncrackable encryption keys, such as quantum dots, operate at extremely low rates — just a few photons per second — making their light extremely dim.

    Reply
  2. Tomi Engdahl says:

    Attackers Exploit Flaw in Software Used by US Ports
    http://www.securityweek.com/attackers-exploit-flaw-software-used-us-ports

    An application used in the transportation sector worldwide is plagued by a high severity SQL injection vulnerability. The hacker who discovered the issue released a proof-of-concept (PoC) exploit without informing the vendor and ICS-CERT says the flaw has already been exploited against organizations in the United States.

    The vulnerable application is Navis WebAccess, a web-based app that provides transport operators real-time access to operational logistics information.

    A hacker who uses the online moniker “bRpsd” discovered that the product’s publicly accessible news pages are plagued by a SQL injection vulnerability (CVE-2016-5817) that allows a remote attacker to read or modify data stored in the application’s SQL database.

    Navis, a subsidiary of Cargotec Corporation, learned about the vulnerability on August 9, one day after the hacker published the PoC exploit. Custom patches for this flaw were released by the vendor on August 10.

    Navis WebAccess is a legacy product that is used by only 13 organizations around the world, including five in the United States.

    According to ICS-CERT, the vendor has contacted all the affected customers and the patches have been applied by all customers in the United States. However, the agency pointed out that the vulnerability has been exploited against multiple US-based organizations, resulting in data loss.

    Since transportation systems are one of the 16 critical infrastructure sectors, ICS-CERT has published a security alert to warn the critical infrastructure community in the U.S., and provide indicators of compromise (IoC) and mitigation advice.

    Reply
  3. Tomi Engdahl says:

    Critical Vulnerability Patched in GnuPG, Libgcrypt
    http://www.securityweek.com/critical-vulnerability-patched-gnupg-libgcrypt

    The GnuPG Project announced last week the availability of GnuPG and Libgcrypt updates that address a critical security problem affecting all versions released over the past 18 years.

    “Due to the flaw, mixing the full entropy pool reduces the stored entropy amount by at least 20 bytes. Furthermore, the flaw makes a part of the PRNG output completely predictable,” the experts wrote in a paper detailing the issue.

    According to Werner Koch, the developer of GnuPG, an attacker who obtains 4640 bits from the RNG can easily predict the next 160 bits of output.

    Entropy Loss and Output Predictability in the Libgcrypt PRNG
    CVE-2016-6313
    http://formal.iti.kit.edu/~klebanov/pubs/libgcrypt-cve-2016-6313.pdf

    Reply
  4. Tomi Engdahl says:

    Cyber Risk Prioritization: Fixing What Really Matters
    http://www.securityweek.com/cyber-risk-prioritization-fixing-what-really-matters

    Today, even mid-sized organizations are dealing with thousands of vulnerabilities across their growing attack surface. Therefore, relying solely on existing intelligence provided by vulnerability scanners should only be a first step in a cyber risk management process. Without determining the risk associated with vulnerabilities, organizations often misalign remediation efforts and resources. This approach not only wastes time and money, it also extends the window of opportunity for hackers to exploit critical vulnerabilities. This begs the question: what steps are required to focus remediation efforts on the threats that represent the biggest risks to an organization?

    At last week’s Black Hat USA 2016 in Las Vegas, many practitioners expressed frustration with how to determine which threats and vulnerabilities they should focus their mitigation efforts on. Most organizations face an uphill battle in defending against cyber adversaries, primarily because the attack surface they have to protect has grown significantly and is expected to balloon even further. While it was sufficient in the past to concentrate on network and endpoint protection, nowadays applications, cloud services, mobile devices (e.g., tablets, mobile phones, Bluetooth devices, and smart watches), and the Internet of Things (e.g., physical security systems, lights, appliances, as well as heating and air conditioning systems) represent a much broader attack surface to defend. According to the 2015 Global Risk Management Survey, 84% of cyber-attacks today target the application layer, not the network layer. This is forcing organizations to adopt a more holistic approach to cyber security.

    According to Gartner (“Security and Risk Management Scenario Planning, 2020”), by 2020, 30% of global 2000 companies will have been directly compromised by an independent group of cyber activists or cyber criminals. This prediction is not surprising, considering the fact that leading risk indicators are difficult to identify when cyber attackers, including their strategy, competences, and actions, are unknown.

    As we all know, two conditions are required for a security incident to occur: a vulnerability must be present in some form (e.g., a software flaw or insecure programming; insecure configuration of IT infrastructure; insecure business operations; risky behavior by internal staff or other people, conducted maliciously or by mistake) and secondly, a threat must exploit that vulnerability.

    Typically, security professionals have no direct control over threats. As a result, organizations have tended to focus on known, more visible facts – vulnerabilities and control failures – while neglecting threats as a factor in cyber risk assessments.

    In fact, advanced security operations teams leverage threat intelligence to gather insight into the capabilities, current activities, and plans of potential threat actors (e.g., hackers, organized criminal groups, or state-sponsored attackers) to anticipate current and future threats.

    Once internal security intelligence is contextualized with external threat data (e.g., exploits, malware, threat actors, reputational intelligence), these findings must be correlated with business criticality to determine the real risk of the security gaps and their ultimate impact on the business.

    Reply
  5. Tomi Engdahl says:

    Cyber Criminals Are Lurking on Trusted Sites
    http://www.designnews.com/author.asp?section_id=1386&doc_id=281339&cid=nl.x.dn14.edt.aud.dn.20160824.tst004c

    Any sense of security across the Internet continues to deteriorate as attacks are being reported at an alarming rate. In the last few weeks alone, we’ve seen attacks on the Democratic National Committee; the media company, Penton; and Poland’s Defense Ministry. Add to that fears that cyber criminals are now hiding in common content management systems (CMS), quietly seeking valuable assets.

    Recently bloggers have been faced with the prospect of breaches coming from trusted CMS platforms. “Vulnerable blogging platforms create a tremendous risk for a business and those visiting its sites. These vulnerabilities are devastating since just a few content management systems hold the vast majority of the market share,” Craig Young, computer security researcher at Tripwire, a cybersecurity service company, told Design News.

    The sites Young refers to undergird some of the world’s most popular web locations. “The top three open-source CMS platforms — WordPress, Joomla, and Drupal — are used by more than 1.5 million sites,” said Young. “Administrators of such sites need to apply security updates as they come out without delay or they may find themselves on the receiving end of an automated attack campaign.”

    Reply
  6. Tomi Engdahl says:

    Dragos Raises $1.2 Million to Counter ICS Cyber Threats
    http://www.securityweek.com/dragos-raises-12-million-counter-ics-cyber-threats

    Dragos, a startup focused on protecting industrial control systems (ICS) from cyber threats, has raised $1.2 million from startup studio DataTribe.

    Founded by a small group of former NSA intelligence officers with experience in ICS security, Dragos offers a network asset discovery and visualization tool called CyberLens. The tool was developed specifically for control systems environments, which often require deep packet inspection through passive network scanning or data collection.

    “We built a TOC while in the Intel community to identify nation states targeting critical infrastructure and it was very successful, so we are doing the same thing while developing Intel, analytics and technologies to help automate analyst efforts so that small teams can scale to protect more infrastructure,” Lee told SecurityWeek.

    “We will have a threat hunting team that also does incident response, malware analysis, and threat intelligence,” he said.

    The company is also developing a data pipeline product that is easily managed and configured that allows customers to collect host, network and relevant ICS data that can be accessed via a single, searchable interface for events and abnormalities. “We’re giving them, in essence, a lightweight industrial SIEM,” Lee said.

    Reply
  7. Tomi Engdahl says:

    Industrial Cybersecurity Firm CyberX Raises $9 Million
    http://www.securityweek.com/industrial-cybersecurity-firm-cyberx-raises-9-million

    Industrial cybersecurity startup CyberX announced today that it has raised $9 million in new funding to help expand its business and solutions designed to protect the Industrial IoT.

    Founded in 2013 by Omer Schneider and Nir Giller, CyberX offers a platform that continuously monitors networks and collects real-time data to help detect abnormal or potentially malicious activity.

    Dubbed XSense, the platform was developed to easily connect to an existing setup and act as an invisible layer that models operational technology (OT) networks using what it calls “Industrial Finite State Machine (IFSM) technology.”

    The company’s technology is already being used by dozens of enterprises across a range of industries, including energy, oil and gas, transportation, manufacturing and pharmaceuticals, the company told SecurityWeek.

    “Using our dedicated Industrial IoT detection technology, IFSM, we have discovered multiple attacks, as well as critical zero-day vulnerabilities in industrial equipment,” said Nir Giller, CTO & Co-founder of CyberX.

    Reply
  8. Tomi Engdahl says:

    Android Botnet Uses Twitter for Receiving Commands
    http://www.securityweek.com/android-botnet-uses-twitter-receiving-commands

    A newly discovered Android backdoor is using an innovative method of receiving commands: it connects to a Twitter account instead of a command and control (C&C) server, ESET researchers say.

    Dubbed Android/Twitoor, the malware was designed to download other malicious applications onto the infected devices and has been active for around a month, researchers say. Fortunately, the threat isn’t spreading through official Android storefronts, but through SMS or malicious URLs sent to its victims.

    According to ESET researchers, the backdoor is impersonating a porn player application or MMS program, but it does not present the functionality such software would normally have. After being launched, the malware hides its presence on the infected device and starts checking a defined Twitter account at regular intervals for commands.

    Reply
  9. Tomi Engdahl says:

    Leaked Cisco ASA Exploit Adapted for Newer Versions
    http://www.securityweek.com/leaked-cisco-asa-exploit-adapted-newer-versions

    Researchers have demonstrated that the Cisco ASA exploit leaked recently by a group called Shadow Brokers can be leveraged for remote code execution against newer versions of the software as well.

    The leaked exploit for CVE-2016-6366, dubbed “EXTRABACON,” is several years old so it only works properly on older ASA versions. However, researchers from Hungary-based security firm Silent Signal managed to modify the leaked exploit for ASA 9.2(4), a version released in July 2015.

    Moreover, Balint Varga-Perke, IT security expert and co-founder of Silent Signal, told SecurityWeek that the exploit can likely be adapted for even newer versions. The security firm is currently working on automatically generating exploit code for Cisco ASA versions that are currently not supported. Adapting the exploit for ASA 9.2(4) only took Silent Signal researchers a few hours.

    “Unfortunately, some only realize the risk of a vulnerability if there is a practical demonstration of it,” Varga-Perke said in an email. “We hope that this development clarifies the risk for the skeptics too.”

    According to Cisco’s security advisory for CVE-2016-6366, the vulnerability affects all ASA software releases and all supported versions of SNMP. When the vendor tested the leaked exploit against a Cisco ASA 5506 device running version 9.4(1), the software crashed.

    Reply
  10. Tomi Engdahl says:

    Linux Trojan Brute Forces Routers to Install Backdoors
    http://www.securityweek.com/linux-trojan-brute-forces-routers-install-backdoors

    A Linux Trojan that emerged more than a year ago is once again actively targeting routers in an attempt to install backdoors on them.

    Dubbed Linux.PNScan, the threat was detailed last year, when it was targeting mainly devices with ARM, MIPS, or PowerPC architectures. Now, security researchers from Malware Must Die! say that this ELF worm is hitting x86 Linux systems, with a focus on embedded platforms, specifically those in the “network area of Telangana and Kashmir region of India.”

    Last year, Doctor Web researchers suggested that the Trojan might have been installed on routers attacked by its authors, who exploited the ShellShock vulnerability running a script with corresponding settings. The threat, researchers said, was designed for the sole purpose of brute forcing routers and installing a script on them which in turn would download a backdoor based on the router architecture (ARM, MIPS, or PowerPC).

    The worm Malware Must Die! researchers have observed recently appears to be Linux.PNScan.2, a variation of the original Trojan. Unlike Linux.PNScan.1, which attempted to crack login combinations using a special dictionary, this threat targets specific IP addresses and attempts to connect to them via SSH using one of the following combinations: root;root; admin;admin; or ubnt;ubnt.

    Reply
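The default-credential SSH probing described in the comment above is easy to spot in authentication logs. The block below is an added example, not code from the article or from the Malware Must Die! researchers: it parses constructed OpenSSH auth.log lines and flags any source that works through the root/admin/ubnt accounts the article names, plus any such login that actually succeeded.

```python
import re
from collections import defaultdict

# Account names the article lists for Linux.PNScan.2's SSH credential attempts
PNSCAN_USERS = {"root", "admin", "ubnt"}

# OpenSSH auth.log "Accepted/Failed password" events; "invalid user" appears
# when the account does not exist on the host at all.
SSHD_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2"
)

# Constructed sample log lines (documentation IP ranges, not real hosts)
SAMPLE_LOG = """\
Aug 26 10:01:02 gw sshd[2201]: Failed password for root from 198.51.100.23 port 40111 ssh2
Aug 26 10:01:03 gw sshd[2203]: Failed password for invalid user admin from 198.51.100.23 port 40112 ssh2
Aug 26 10:01:04 gw sshd[2205]: Failed password for invalid user ubnt from 198.51.100.23 port 40113 ssh2
Aug 26 10:05:00 gw sshd[2310]: Accepted password for alice from 192.0.2.10 port 51000 ssh2
Aug 26 10:07:11 gw sshd[2380]: Failed password for root from 203.0.113.9 port 33022 ssh2
Aug 26 10:07:12 gw sshd[2382]: Accepted password for root from 203.0.113.9 port 33023 ssh2
Aug 26 10:09:00 gw sshd[2400]: Failed password for alice from 192.0.2.10 port 51001 ssh2
""".splitlines()


def parse_line(line):
    """Return {'result', 'user', 'ip'} for a password-auth event, else None."""
    m = SSHD_RE.search(line)
    if not m:
        return None
    return {"result": m["result"], "user": m["user"], "ip": m["ip"]}


def analyze(lines, threshold=3):
    """Per-source alerts for PNScan-style activity.

    A source is reported when it made at least `threshold` password attempts
    against the default accounts, or when any such attempt was accepted
    (which on a router means the default credentials were never changed).
    """
    attempts = defaultdict(int)
    accepted = set()
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["user"] not in PNSCAN_USERS:
            continue
        attempts[ev["ip"]] += 1
        if ev["result"] == "Accepted":
            accepted.add(ev["ip"])
    alerts = {}
    for ip, count in attempts.items():
        if count >= threshold or ip in accepted:
            alerts[ip] = {"attempts": count, "compromised": ip in accepted}
    return alerts


if __name__ == "__main__":
    for ip, info in analyze(SAMPLE_LOG).items():
        print(ip, info)
```

The "compromised" flag is the line to page on: a successful password login for root/admin/ubnt from an unknown address means the device accepted a default credential, and the fix is key-only authentication or disabling the account rather than just blocking the source.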
  11. Tomi Engdahl says:

    Hadoop Data Encryption at Rest and in Transit
    http://www.securityweek.com/hadoop-data-encryption-rest-and-transit

    In my previous contribution I reviewed Apache Hadoop’s native support for HDFS Encryption, which allows sensitive data to be stored and encrypted on HDFS with keys protected by KMS access control lists.

    This notwithstanding, in any real world big data environment there are many other data sources, data-staging areas, temporary files and log files where sensitive data may reside outside of HDFS. And of course sensitive data should also be protected “in transit” when going from end points into the cluster, or when a job runs moving data from one node in the cluster to another. The good news is that there are solutions for encrypting data at rest and in transit that will allow organizations not only to meet regulatory compliance requirements, but more importantly to protect and secure their information assets.

    Hadoop Data Encryption: “P.S. Find Robert Langdon”
    http://www.securityweek.com/hadoop-data-encryption-ps-find-robert-langdon

    Reply
  12. Tomi Engdahl says:

    Epic Games Forums Hacked Again
    http://www.securityweek.com/epic-games-forums-hacked-again

    Videogame developer Epic Games informed customers on Tuesday that several of its forums have been breached. The hackers reportedly gained access to information associated with more than 800,000 user accounts.

    According to the company, the attackers obtained email addresses and other data from the Unreal Engine and Unreal Tournament forums, but passwords are not affected as they are stored in a different location.

    Reply
  13. Tomi Engdahl says:

    Stockpile Food in Case of Attack, Germany Tells Citizens
    http://www.securityweek.com/stockpile-food-case-attack-germany-tells-citizens

    Germany on Wednesday urged its population to stockpile food and water in case of terrorist or cyber attacks, as it adopted its first civil defense strategy since the end of the Cold War.

    The plan marks the first broad update since 1995, when a dismantling of federal civil defense structures was advocated as security policies were eased in the wake of German reunification.

    But the 69-page document warned that “the security policy environment has changed again”.

    While acknowledging that “an attack on German territory requiring conventional defence is unlikely,” Europe’s biggest economy should be “sufficiently prepared in case of an existence-threatening development in the future that cannot be ruled out,” the strategy document said.

    “The proliferation of weapons of mass destruction and their delivery systems, conflict driven by terrorist means and cyberspace attacks can be a direct threat to Germany and its allies,” it said.

    Reply
  14. Tomi Engdahl says:

    Go Boldly to the Cloud: Embracing the Security Benefits of the Cloud Infrastructure
    http://www.securityweek.com/go-boldly-cloud-embracing-security-benefits-cloud-infrastructure

    Less than ten minutes driving west from my home, you encounter a vast expanse of large, windowless buildings. Situated near them are impressive physical plants dedicated to cooling these buildings and providing back-up power in the case of a power failure. Whenever I drive past these complexes I always point them out to my passengers and say: “You have heard about the cloud – well, there it is.”

    Businesses are moving mission-critical applications to the cloud at a rapid pace. The cost savings and other benefits simply are too persuasive not to move to the cloud. So why do organizations hesitate? Analyst studies cite security concerns as the number one inhibitor of moving sensitive applications to the cloud.

    Let me examine these concerns by breaking down the conversation into two pieces: the cloud infrastructure and the applications running in the cloud.

    I was once concerned that moving to the cloud was fraught with unknown perils. Then I walked into a cloud security panel of really smart, progressive security types at the RSA Conference in 2014 called “Is the Cloud Really More Secure Than On-Premise?” No less a luminary than Bruce Schneier told the audience to essentially wise up and realize that established cloud providers had more security resources and expertise than any enterprise, and that they provide security that is comparable to or exceeds that of any enterprise.

    Reply
  15. Tomi Engdahl says:

    Evaluating the Customer Journey of Crypto-Ransomware
    https://fsecureconsumer.files.wordpress.com/2016/07/customer_journey_of_crypto-ransomware_f-secure.pdf

    Malware goes through trends. For a while one type of malicious scheme takes precedence, for any of various reasons dies away, and another springs up in its place. Crypto-ransomware is the latest trend in malware – and it’s running a hot streak. 2016 has seen story after story of business and consumer files being rendered unusable. And not only that, story after story of victims paying up

    Reply
  16. Tomi Engdahl says:

    New York Times:
    WhatsApp to share phone numbers and analytics data of users with Facebook, two years after it said it had no plans to collect data — SAN FRANCISCO — When Facebook bought the start-up WhatsApp in 2014, Jan Koum, WhatsApp’s co-founder, declared that the deal would not affect the digital privacy …

    Relaxing Privacy Vow, WhatsApp to Share Some Data With Facebook
    http://www.nytimes.com/2016/08/26/technology/relaxing-privacy-vow-whatsapp-to-share-some-data-with-facebook.html

    When Facebook bought the start-up WhatsApp in 2014, Jan Koum, WhatsApp’s co-founder, declared that the deal would not affect the digital privacy of his mobile messaging service’s millions of users.

    Two years later, in a move that may rankle some of the company’s 1 billion-plus users, WhatsApp will soon begin to share some member information with Facebook.

    WhatsApp said on Thursday that it would start disclosing the phone numbers and analytics data of its users with Facebook. It will be the first time the messaging service has connected people’s accounts to the social network to share information

    WhatsApp’s privacy policy overhaul raises concerns about potential legal challenges, particularly outside the United States where there are tougher data protection rules. In Europe, for instance, several national regulators have already taken legal action against Facebook

    Europe’s top court ruled that current American privacy standards did not offer sufficient protections to the region’s citizens

    Reply
  17. Tomi Engdahl says:

    Andrea Peterson / Washington Post:
    Researchers uncover zero-day iOS flaws used to try to remotely steal data from activists, likely sold by malware vendor NSO; Apple releases patch with iOS 9.3.5 — Many people assume their iPhones are secure, but new research sent Apple scrambling to fix vulnerabilities that left users at risk.

    This malware sold to governments could help them spy on iPhones, researchers say
    http://www.washingtonpost.com/news/the-switch/wp/2016/08/25/this-malware-sold-to-governments-helped-them-spy-on-iphones/

    Many people assume their iPhones are secure, but new research sent Apple scrambling to fix vulnerabilities that left users at risk.

    Spyware relying on three previously unknown, or “zero-day,” flaws in Apple’s iOS mobile operating system for years made it possible for governments to take over victims’ phones by tricking them into clicking on a link in a text message, according to new reports from Lookout, a cybersecurity firm that looks for security holes in mobile products, and Citizen Lab at the University of Toronto’s Munk School of Global Affairs.

    “This is the most sophisticated bad actor we have ever seen targeting mobile phones out in the wild,” said Mike Murray, vice president of security research at Lookout.

    3 things CISOs need to know about the Trident iOS vulnerabilities
    https://blog.lookout.com/blog/2016/08/25/lookout-trident-pegasus-enterprise-discovery/

    The Citizen Lab:
    How a government targeted Ahmed Mansoor, an activist in the UAE, with three zero-day exploits meant to infect his iPhone with sophisticated commercial spyware — Ahmed Mansoor is an internationally recognized human rights defender, based in the United Arab Emirates (UAE) …

    The Million Dollar Dissident: NSO Group’s iPhone Zero-Days used against a UAE Human Rights Defender
    https://citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/

    This report describes how a government targeted an internationally recognized human rights defender, Ahmed Mansoor, with the Trident, a chain of zero-day exploits designed to infect his iPhone with sophisticated commercial spyware.

    According to the purported NSO Group documentation, once successfully implanted on a phone using an exploit chain like the Trident, Pegasus can actively record or passively gather a variety of different data about the device. By giving full access to the phone’s files, messages, microphone and video camera, the operator is able to turn the device into a silent digital spy in the target’s pocket.

    Reply
  18. Tomi Engdahl says:

    Will Hypervisors Protect Us?
    http://semiengineering.com/can-hypervisors-protect-us/

    They may not be a silver bullet, but they are a good first step when it comes to securing cars and the Internet of Things. Problems start when people believe the job is complete.

    Another day, another car hacked and another report of a data breach. The lack of security built into electronic systems has made them a playground for the criminal world, and the industry must start becoming more responsive by adding increasingly sophisticated layers of protection. In this, the first of a two-part series, Semiconductor Engineering examines how hypervisors are entering the embedded world.

    “In the past, if I wanted to have separate tasks running, I would probably design it so that I would have one on the left, one on the right, each running on different processor subsystems and the two would never touch. I would pipeline data from one to the other. They were inherently separated except for the information that they shared. The move to modern hardware, where you have multi-core processors or a farm of machines, means that everything is connected. And yet, you still want to be sure that they do not touch each other – that the jobs don’t infringe upon each other.”

    It is the role of the hypervisor to achieve exactly that separation. Its main function is to create and manage virtual machines where the software believes it is running on its own dedicated machine. It is completely unaware of other software that may be running in another virtual machine, even though both are running on the same hardware.

    Virtualization has become a staple in the data center and provides many advantages, such as CPU consolidation, fault tolerance and job isolation. But deeply embedded systems are not as regular as server farms and the priorities are different. Embedded systems tend to be heterogeneous and contain different memory architectures. In addition they contain multiple types of processing engines, including CPUs, GPUs and possibly FPGAs.

    Hypervisors have seen adoption where the need is the most critical. “The usage of hypervisors is a trend but not a revolution,” says Vicent Brocal, general manager for FentISS. “We have been working with aircraft manufacturers and hypervisors are a key technology for them. The technology has gone through a natural evolution. It is an enabling technology. It provides an opportunity to different sectors in the industry, and most recently in automotive where they are looking to see how it could be applied to their specific needs.”

    It is security that is changing the game. “The hypervisor market was primarily for factory automation or automotive markets,”

    Control systems are often implemented using a real time operating system (RTOS), but then they want to run graphics rich content on top of Linux or Android. Factory automation was similar, where there is real time control and either Windows or Linux on top of that. In automotive, they want to separate the infotainment from the control systems. The hypervisor can do that.”

    But there are other important changes. “Most embedded systems are connected,” points out Majid Bemanian, director of segment marketing for Imagination Technologies. “The majority also have third-party applications running on them as well. With this kind of complexity, most of the players are concerned about how to protect themselves from all sorts of challenges.”

    Mixed OSes
    A common characteristic of embedded systems that run hypervisors is the combination of a real time function and the need to run a legacy stack of software that is available within a specific operating environment. This has to be done in a safe and productive manner. “Many times, the critical components are real time and have strict timing constraints,” says FentISS’ Brocal. “In the hypervisor, we have a fixed allocation of resources so we can guarantee that the application has the appropriate allocation of CPU processing and other less critical functions that may be running within a Linux environment.”

    “If you take a CPU that does not provide a lot of support for the hypervisor, then you will see an overhead around 10% to 15%, but that will drop to less than 1% to 2% with hardware support, depending on workload. In terms of silicon impact, it is noise level. We are talking about a hundred thousand gates in millions of gates.”

    Hardware support
    None of this can happen without some hardware support. “If hardware support is not provided, the overhead of a hypervisor becomes quite large and in general it just doesn’t make sense,” says Egawa. “Hardware virtualization, trust zone, or several other ideas that are coming up, each accelerate hypervisor performance. We only use 1% of the CPU performance. The target is not only the big CPUs but the IoT market and that requires the usage of microcontrollers. These have very limited memory, so we have to make the hypervisor small and compact.”

    Reply
  19. Tomi Engdahl says:

    Leslie Jones’ Website Taken Down After Horrific Nude Photo Hack
    The internet is officially the worst.
    http://www.huffingtonpost.com/entry/leslie-jones-website-taken-down-after-horrific-nude-photo-hack_us_57bdce73e4b0287a6e732458

    As if Leslie Jones hadn’t suffered enough at the hands of internet, the “Ghostbusters” actress’ personal website was hacked on Wednesday. Private information, including her passport and a driver’s license, as well as multiple nude photos were posted online, TMZ reports.

    Jones has been the target of horribly racist attacks ever since she was cast in the reboot of the classic 1984 “Ghostbusters” film, driving her off social media for a brief period in July.

    Hackers post ‘Ghostbusters’ star Leslie Jones’ nude photos, private data
    http://www.cnet.com/news/hackers-post-ghostbusters-star-leslie-jones-nude-photos/

    The actor’s website is reportedly compromised with hackers posting personal identification and private photos alongside racist commentary.

    Now, hackers appear to have broken into her personal website and potentially other accounts, posting personal information such as her driver’s license and passport, as well as intimate photos, according to TMZ. The photos were also posted next to a video of Harambe, a 17-year-old gorilla killed at the Ohio zoo earlier this year

    The hack marks a new low in a seemingly coordinated effort to harass Jones, who along with her “Ghostbusters” co-stars, became the focus of many people’s hatred.

    “Twitter I understand you got free speech I get it,” Jones tweeted at the time. “But there has to be some guidelines when you let spread like that. You can see on the profiles that some of these people are crazy sick. It’s not enough to freeze acct. They should be reported.”

    Reply
  20. Tomi Engdahl says:

    Thomas Fox-Brewster / Forbes:
    Everything we know about the secretive NSO Group and its founder Omri Lavie, who are behind the latest iPhone hacks

    Everything We Know About NSO Group: The Professional Spies Who Hacked iPhones With A Single Text
    http://www.forbes.com/sites/thomasbrewster/2016/08/25/everything-we-know-about-nso-group-the-professional-spies-who-hacked-iphones-with-a-single-text/#44140d2de3d6

    NSO Group employees’ lives must seem no different from others in the Israeli tech scene. They turn up every morning at their office in Herzelia, in Tel Aviv’s northern district, take the lift in the plain looking complex – all grey and sandy exteriors – through smart card-lock doors and into their similarly spartan offices. On the way they give a nod to their neighbours, fraud analysts from EMC-owned RSA, whose job it is to trawl the dark web for cybercriminals’ latest escapades.

    But for the last six years, their everyday routine has been nothing less than extraordinary: create the world’s most invasive mobile spy kit without ever exposing their work. Now, though, they’ve been busted exploiting iPhones in some of the most astonishing attacks yet seen in the world of private espionage. The company, according to analyses from Citizen Lab and Lookout Mobile Security, discovered three previously-unknown and unpatched iOS vulnerabilities (known as zero-days) were exploited by the firm, with just one click of a link in a text required to silently jailbreak the phone. This allowed its malware, codenamed Pegasus, to install on the phone, hoovering up all communications and locations of the targeted iPhones. That includes iMessage, Gmail, Viber, Facebook, WhatsApp, Telegram and Skype communications, amongst other data. It can collect Wi-Fi passwords too.

    NSO Group has been able to keep its surreptitious work under wraps until now. Previous articles only recorded their move into America and limited information on contracts: one allegedly for the former Panama president Ricardo Martinelli and another for Mexico.

    Thanks to the analysis from Citizen Lab and Lookout, it’s almost certain NSO also supplies to the United Arab Emirates (UAE).

    Former workers are also too afraid to speak, one telling me in June last year: “I know a lot about their products and how it works but I’m not allowed to publish them… I have a lot to lose and nothing to gain if I share all my knowledge about them.”

    Reply
  21. Tomi Engdahl says:

    Bloomberg:
    Hackers at startup MedSec find security vulnerabilities in St. Jude’s medical devices, make deal with investment firm to short manufacturer’s stock

    Carson Block’s Attack on St. Jude Reveals a New Front in Hacking for Profit
    http://www.bloomberg.com/news/articles/2016-08-25/in-an-unorthodox-move-hacking-firm-teams-up-with-short-sellers

    When a team of hackers discovered that St. Jude Medical Inc.’s pacemakers and defibrillators had security vulnerabilities that could put lives at risk, they didn’t warn St. Jude. Instead, the hackers, who work for cybersecurity startup MedSec, e-mailed Carson Block, who runs the Muddy Waters Capital LLC investment firm, in May. They had a money-making proposal.

    MedSec suggested an unprecedented partnership: The hackers would provide data proving the medical devices were life-threatening, with Block taking a short position against St. Jude. The hackers’ fee for the information increases as the price of St. Jude’s shares fall, meaning both Muddy Waters and MedSec stand to profit.

    If the bet doesn’t work, and the shares don’t fall, MedSec could lose money, taking into account their upfront costs, including research. St. Jude’s shares declined 4.4 percent to $77.50 at 1:40 p.m. in New York with more than 25 million shares traded.

    In April, Abbott Laboratories announced a $25 billion acquisition of St. Jude, and the deal is expected to close by the end of the year. The information about the device vulnerabilities could put it in peril.

    MedSec said it found security failures including a lack of encryption and the ability for unauthorized devices to communicate with the pacemakers and defibrillators, which, MedSec claims, could allow anyone to tap into implanted devices and cause potentially fatal disruptions. As scary as it sounds, hacking risks to medical devices have been publicized for nearly a decade and the risk to patient safety is still mostly theoretical to hundreds of thousands of people with St. Jude devices. But cybercriminals have started compromising radiology equipment, blood gas analyzers and other machines inside hospitals and nursing homes to steal data for identity theft.

    MedSec is taking a path that some frustrated security experts believe is the only way to create fundamental change: find a way to impose significant monetary penalties on companies it believes are negligent when it comes to protecting consumers. But the startup is doing so in ways that violate some of the most basic standards of ethical security research and in an industry where the stakes are especially high.

    MedSec and Muddy Waters said they are withholding key details of the vulnerabilities from the public but are alerting the U.S. Food and Drug Administration, which regulates medical devices, about the flaws.

    Reply
  22. Tomi Engdahl says:

    Wall Street Journal:
    US federal court convicts Russian hacker Seleznev in theft and sale of credit cards resulting in $169M in losses; he could face up to 40 years in prison

    Son of Russian Lawmaker Convicted in Hacking Case
    Roman Seleznev could face between four and 40 years in prison
    http://www.wsj.com/article_email/son-of-russian-lawmaker-convicted-in-hacking-case-1472175074-lMyQjAxMTA2ODI4NjAyNDYxWj

    The son of a Russian lawmaker was convicted Thursday in federal court in a hacking and fraud case that has provoked Moscow’s ire.

    Roman Seleznev of Vladivostok, Russia, was called “one of the most prolific credit card thieves in history” by prosecutors after he allegedly hacked into hundreds of businesses in the U.S. and around the world, stole credit-card data, and sold it on the internet, resulting in more than $169 million in fraud losses.

    A federal jury in Seattle convicted Mr. Seleznev of 38 of 40 counts in an indictment that charged him with the theft and sale of more than 2.9 million credit-card numbers.

    John Henry Browne, a lawyer for Mr. Seleznev, said his client could face between four and 40 years in prison. The Russian national, who has already served two years behind bars, had pleaded not guilty.

    Reply
  23. Tomi Engdahl says:

    Bruce Schneier / Vox:
    Shadow Brokers leak shows how NSA’s tendency to hoard vulnerabilities instead of reporting them is putting our devices and networks at risk

    New leaks prove it: the NSA is putting us all at risk to be hacked
    Updated by Bruce Schneier on August 24, 2016, 7:10 a.m. ET
    http://www.vox.com/2016/8/24/12615258/nsa-security-breach-hoard

    The National Security Agency is lying to us. We know that because data stolen from an NSA server was dumped on the internet. The agency is hoarding information about security vulnerabilities in the products you use, because it wants to use it to hack others’ computers. Those vulnerabilities aren’t being reported, and aren’t getting fixed, making your computers and networks unsafe.

    On August 13, a group calling itself the Shadow Brokers released 300 megabytes of NSA cyberweapon code on the internet. Near as we experts can tell, the NSA network itself wasn’t hacked; what probably happened was that a “staging server” for NSA cyberweapons — that is, a server the NSA was making use of to mask its surveillance activities — was hacked in 2013.

    The NSA inadvertently resecured itself in what was coincidentally the early weeks of the Snowden document release. The people behind the leak used casual hacker lingo, and made a weird, implausible proposal involving holding a bitcoin auction for the rest of the data: “!!! Attention government sponsors of cyber warfare and those who profit from it !!!! How much you pay for enemies cyber weapons?”

    Still, most people believe the hack was the work of the Russian government and the data release some sort of political message. Perhaps it was a warning that if the US government exposes the Russians as being behind the hack of the Democratic National Committee — or other high-profile data breaches — the Russians will expose NSA exploits in turn.

    The Obama administration’s pledge to notify companies about flaws in common software

    Over the past few years, different parts of the US government have repeatedly assured us that the NSA does not hoard “zero days” — the term used by security experts for vulnerabilities unknown to software vendors. After we learned from the Snowden documents that the NSA purchases zero-day vulnerabilities from cyberweapons arms manufacturers, the Obama administration announced, in early 2014, that the NSA must disclose flaws in common software so they can be patched (unless there is “a clear national security or law enforcement” use).

    Playing games with language

    There are probably some overly pedantic word games going on. Last year, the NSA said that it discloses 91 percent of the vulnerabilities it finds. Leaving aside the question of whether that remaining 9 percent represents 1, 10, or 1,000 vulnerabilities, there’s the bigger question of what qualifies in the NSA’s eyes as a “vulnerability.”

    The NSA’s hubris: the “nobody but us” standard

    A phrase you often hear in any discussion of the Vulnerabilities Equities Process is NOBUS, which stands for “nobody but us.” Basically, when the NSA finds a vulnerability, it tries to figure out if it is unique in its ability to find it, or whether someone else could find it, too. If it believes no one else will find the problem, it may decline to make it public. It’s an evaluation prone to both hubris and optimism, and many security experts have cast doubt on the very notion that there is some unique American ability to conduct vulnerability research.

    The vulnerabilities in the Shadow Brokers data dump are definitely not NOBUS-level. They are run-of-the-mill vulnerabilities that anyone — another government, cybercriminals, amateur hackers — could discover, as evidenced by the fact that many of them were discovered between 2013, when the data was stolen, and this summer, when it was published. They are vulnerabilities in common systems used by people and companies all over the world.

    If there are any vulnerabilities that — according to the standards established by the White House and the NSA — should have been disclosed and fixed, it’s these.

    We need to fix this. This is exactly the sort of thing a congressional investigation is for. This whole process needs a lot more transparency, oversight, and accountability. It needs guiding principles that prioritize security over surveillance.

    And as long as I’m dreaming, we really need to separate our nation’s intelligence-gathering mission from our computer security mission: We should break up the NSA. The agency’s mission should be limited to nation state espionage. Individual investigation should be part of the FBI, cyber war capabilities should be within US Cyber Command, and critical infrastructure defense should be part of DHS’s mission.

    Reply
  24. Tomi Engdahl says:

    Jordan Pearson / Motherboard:
    AlphaBay, the largest darknet market, begins supporting Monero, a cryptocurrency meant to be more anonymous than Bitcoin — Not even bitcoin is anonymous enough for some criminals on the dark net. — For years, the cryptocurrency has been the payment method of choice for people buying …

    Meet Monero, the Currency Dark Net Dealers Hope Is More Anonymous Than Bitcoin
    http://motherboard.vice.com/read/monero-cryptocurrency-dark-net-drug-dealers-hope-more-anonymous-than-bitcoin-alphabay

    Not even bitcoin is anonymous enough for some criminals on the dark net.

    For years, the cryptocurrency has been the payment method of choice for people buying and selling drugs and other illegal items on the dark net. But it presents a double bind: bitcoin is pseudonymous, allowing folks to buy meth with a degree of privacy, but it’s also set up so that every transaction is traceable on a public ledger called the blockchain—not exactly ideal if you never, ever, ever want anybody finding out about your online habit.

    Now, there’s an alternative. On Monday, AlphaBay—the largest online market for drugs and other unsavoury items like fraud tools—announced on Reddit that the platform is adding support for an ostensibly super-anonymous cryptocurrency called Monero starting on September 1st, citing its “security features.”

    So, what is Monero? The first thing to know is that unlike most other bitcoin rivals, Monero wasn’t built using bitcoin’s own code. Instead, it’s based on a protocol called CryptoNote that was first described in a 2012 whitepaper written by one “Nicolas van Saberhagen,”

    Bitcoiners will often use a single wallet address, and all transactions connected to it are viewable by anyone. In contrast, Monero creates unique addresses for every transaction with a private “viewkey” that only lets the receiver, and whomever they give the viewkey to, access the full transaction information. In theory, that means no snooping by the feds.

    “It makes perfect sense for the darknet auction site to welcome Monero,” Tyler Moffitt, senior threat researcher for security firm Webroot, wrote me in an email. “It’s more secure than bitcoin since the transaction blockchain of bitcoin can be viewed publicly.”

    According to former Bitcoin Foundation head and security researcher Peter Vessenes, Monero gets “okay marks” on its core technology, but it could be overpromising when it comes to protecting the privacy of criminals.

    “The switching cost from just using bitcoin to using Monero is going to be high, since not only is there a tech shift, a trust issue, there is also greater volatility,” Levin wrote.

    Reply
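The per-transaction addresses and private “viewkey” described in the comment above are CryptoNote’s one-time (stealth) address scheme. The block below is an added teaching sketch, not Monero’s code: it assumes Ed25519 arithmetic written out from the public reference formulas, SHA-256 in place of Keccak, and leaves out the output index CryptoNote also hashes. It shows why an on-chain output key cannot be linked to the recipient’s published address, why the view key can recognise an output, and why only the spend key can actually spend it.

```python
"""Simplified CryptoNote-style one-time ("stealth") addresses.

Added example, not Monero's code. Assumptions: Ed25519 arithmetic follows
the public reference formulas, SHA-256 stands in for Keccak, and the output
index that CryptoNote also feeds into the hash is omitted.
"""
import hashlib
import secrets

Q = 2**255 - 19                                          # field prime
ORDER = 2**252 + 27742317777372353535851937790883648493  # order of base point


def inv(x):
    return pow(x, Q - 2, Q)


D = (-121665 * inv(121666)) % Q                          # curve constant d
SQRT_M1 = pow(2, (Q - 1) // 4, Q)                        # sqrt(-1) mod Q


def xrecover(y):
    """Even x coordinate for a given y (reference Ed25519 method)."""
    xx = (y * y - 1) * inv(D * y * y + 1)
    x = pow(xx, (Q + 3) // 8, Q)
    if (x * x - xx) % Q != 0:
        x = (x * SQRT_M1) % Q
    if x % 2 != 0:
        x = Q - x
    return x


BY = (4 * inv(5)) % Q
G = (xrecover(BY), BY)                                   # standard base point
NEUTRAL = (0, 1)


def on_curve(P):
    x, y = P
    return (-x * x + y * y - 1 - D * x * x * y * y) % Q == 0


def add(P1, P2):
    """Twisted Edwards point addition (a = -1)."""
    x1, y1 = P1
    x2, y2 = P2
    x3 = (x1 * y2 + x2 * y1) * inv(1 + D * x1 * x2 * y1 * y2)
    y3 = (y1 * y2 + x1 * x2) * inv(1 - D * x1 * x2 * y1 * y2)
    return (x3 % Q, y3 % Q)


def mul(P, e):
    """Left-to-right double-and-add scalar multiplication e*P."""
    R = NEUTRAL
    for bit in bin(e)[2:]:
        R = add(R, R)
        if bit == "1":
            R = add(R, P)
    return R


def hash_to_scalar(P):
    """Hs(): map a point to a scalar mod ORDER (SHA-256 here, Keccak in CryptoNote)."""
    data = P[0].to_bytes(32, "little") + P[1].to_bytes(32, "little")
    return int.from_bytes(hashlib.sha256(data).digest(), "little") % ORDER


def random_scalar():
    return secrets.randbelow(ORDER - 1) + 1


def wallet(a=None, b=None):
    """Private view key a, private spend key b, public keys A = a*G, B = b*G.
    The published address is (A, B); a alone may be handed to an auditor."""
    a = a or random_scalar()
    b = b or random_scalar()
    return {"a": a, "b": b, "A": mul(G, a), "B": mul(G, b)}


def make_output(A, B, r=None):
    """Sender: one-time key P = Hs(r*A)*G + B. Only P and R = r*G go on chain,
    so an observer never sees the recipient's address (A, B)."""
    r = r or random_scalar()
    R = mul(G, r)
    P = add(mul(G, hash_to_scalar(mul(A, r))), B)
    return P, R


def scan_output(a, B, P, R):
    """View-key holder: a*R == r*A, so the output is ours iff this recomputes P."""
    return add(mul(G, hash_to_scalar(mul(R, a))), B) == P


def spend_key(a, b, R):
    """Spend-key holder only: x = Hs(a*R) + b is the private key with x*G == P."""
    return (hash_to_scalar(mul(R, a)) + b) % ORDER
```

Note that scan_output needs only a and the public B, which is exactly the “viewkey” the article describes: whoever holds it can see which outputs belong to the wallet, but without b they cannot derive the spending key.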
  25. Tomi Engdahl says:

    FBI says foreign hackers penetrated state election systems
    https://www.yahoo.com/news/fbi-says-foreign-hackers-penetrated-000000175.html

    The FBI has uncovered evidence that foreign hackers penetrated two state election databases in recent weeks, prompting the bureau to warn election officials across the country to take new steps to enhance the security of their computer systems, according to federal and state law enforcement officials.

    The FBI warning, contained in a “flash” alert from the FBI’s Cyber Division, a copy of which was obtained by Yahoo News, comes amid heightened concerns among U.S. intelligence officials about the possibility of cyberintrusions, potentially by Russian state-sponsored hackers, aimed at disrupting the November elections.

    Johnson emphasized in the call that Homeland Security was not aware of “specific or credible cybersecurity threats” to the election, officials said. But three days after that call, the FBI Cyber Division issued a potentially more disturbing warning, entitled “Targeting Activity Against State Board of Election Systems.” The alert, labeled as restricted for “NEED TO KNOW recipients,” disclosed that the bureau was investigating cyberintrusions against two state election websites this summer, including one that resulted in the “exfiltration,” or theft, of voter registration data. “It was an eye opener,” one senior law enforcement official said of the bureau’s discovery of the intrusions. “We believe it’s kind of serious, and we’re investigating.”

    The bulletin does not identify the states in question, but sources familiar with the document say it refers to the targeting by suspected foreign hackers of voter registration databases in Arizona and Illinois. In the Illinois case, officials were forced to shut down the state’s voter registration system for ten days in late July, after the hackers managed to download personal data on up to 200,000 state voters.

    The Arizona attack was more limited, involving malicious software that was introduced into its voter registration system.

    “This is a big deal,” said Rich Barger, chief intelligence officer for ThreatConnect, a cybersecurity firm, who reviewed the FBI alert at the request of Yahoo News. “Two state election boards have been popped, and data has been taken. This certainly should be concerning to the common American voter.”

    Barger noted that one of the IP addresses listed in the FBI alert has surfaced before in Russian criminal underground hacker forums. He also said the method of attack on one of the state election systems — including the types of tools used by the hackers to scan for vulnerabilities and exploit them — appears to resemble methods used in other suspected Russian state-sponsored cyberattacks, including one just this month on the World Anti-Doping Agency.

    Reply
  26. Tomi Engdahl says:

    St Jude hits back at short-selling security firm’s claims
    Hackable pacemaker report ‘false and misleading’
    http://www.theregister.co.uk/2016/08/29/st_jude_hits_back_at_shortselling_security_firms_claims/

    The manufacturer of pacemakers and defibrillators has slammed a report by security researchers accusing it of putting customers’ lives at risk.

    On Thursday security startup MedSec claimed that St. Jude Medical pacemakers and defibrillators were easily hackable and that hackers could either run down the batteries in patients’ implanted medical devices or cause them to crash completely. Rather than inform the company, MedSec did a deal with a Wall Street firm to short-sell St. Jude stock and then go public with the news.

    Under the terms of the deal MedSec would get paid by Muddy Waters based on how far the stock fell in price. The security firm didn’t inform St. Jude about the flaws it claimed to have found before cashing in.

    A day later – presumably after the short sellers had made their profit – St. Jude has responded, pointing out that many of the claims made against their products can’t be justified. The firm hasn’t said if it is complaining to the Securities and Exchange Commission about the issue, but such a move seems likely.

    MedSec’s two key claims were that a hacking attack could either disrupt pacemaker functions or run down the battery powering the life-saving devices from 50 feet away. This is false, the manufacturer claims.

    “Once the device is implanted into a patient, wireless communication has an approximate 7-foot range.”

    Responsible disclosure rules – that most of the security industry follows – would have meant contacting the manufacturer before going public. Instead the head of MedSec, who happens to be former head of risk management at Bloomberg, leaked the story to her former employer and reaped the benefits.

    El Reg will be following up on this story but the damage is done – Wall Street has reaped its profits and expect more FUD stories in the future. After all, serious money is at stake.

    Muddying the waters of infosec: Cyber upstart, investors short medical biz – then reveal bugs
    Some sharks wear suits and ties
    http://www.theregister.co.uk/2016/08/26/muddy_waters_medsec_st_jude_security_flaws/

    Reply
  27. Tomi Engdahl says:

    100 Arrested In New York Thanks To Better Face-Recognition Technology
    https://tech.slashdot.org/story/16/08/28/1842239/100-arrested-in-new-york-thanks-to-better-face-recognition-technology

    New York doubled the number of “measurement points” used by their facial recognition technology this year, leading to 100 arrests for fraud and identity theft, plus another 900 open cases. An anonymous reader quotes a report from Ars Technica:
    In all, since New York implemented facial recognition technology in 2010, more than 14,000 people have been hampered trying to get multiple licenses. The newly upgraded system increases the measurement points of a driver’s license picture from 64 to 128.

    Enhanced DMV facial recognition technology helps NY nab 100 ID thieves
    The new system doubles number of facial measurement points from 64 to 128.
    http://arstechnica.com/tech-policy/2016/08/enhanced-dmv-facial-recognition-technology-helps-ny-nab-100-id-thieves/

    In January, the New York State DMV enhanced its facial recognition technology by doubling the number of measurement points on a driver’s photograph, a move the state’s governor says has led to the arrest of 100 suspected identity thieves and opened 900 unsolved cases. In all, since New York implemented facial recognition technology in 2010, more than 14,000 people have been hampered trying to get multiple licenses.

    “Facial recognition plays a critical role in keeping our communities safer by cracking down on individuals who break the law,” Gov. Andrew M. Cuomo said in a statement. “New York is leading the nation with this technology, and the results from our use of this enhanced technology are proof positive that its use is vital in making our roads safer and holding fraudsters accountable.”

    The DMV said new licenses won’t be issued until a photo clears the DMV database.

    At least 39 US states use some form of facial recognition software.

    Reply
  28. Tomi Engdahl says:

    Big data busts crypto: ‘Sweet32′ captures collisions in old ciphers
    Boffins blow up Blowfish and double down on triple DES
    http://www.theregister.co.uk/2016/08/29/big_data_busts_crypto_sweet32_captures_collisions_in_old_ciphers/

    Researchers with France’s INRIA are warning that 64-bit ciphers – which endure in TLS configurations and OpenVPN – need to go for the walk behind the shed.

    The research institute’s Karthikeyan Bhargavan and Gaëtan Leurent have demonstrated that a man-in-the-middle on a long-lived encrypted session can gather enough data for a “birthday attack” on Blowfish and triple DES encryption. They dubbed the attack “Sweet32”.

    Sweet32: Birthday attacks on 64-bit block ciphers in TLS and OpenVPN
    CVE-2016-2183, CVE-2016-6329
    https://sweet32.info/

    Anatomy of a cryptographic collision – the “Sweet32” attack
    https://nakedsecurity.sophos.com/2016/08/25/anatomy-of-a-cryptographic-collision-the-sweet32-attack/

    Reply
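The Sweet32 result above rests on the birthday bound: with 64-bit blocks, a collision among ciphertext blocks becomes likely after roughly 2^32 blocks (about 32 GB), whereas a 128-bit block cipher needs around 2^64. The following added example (not from the article or the Sweet32 paper) computes that bound for any block size and checks it empirically with a toy block size small enough to simulate.

```python
"""Birthday-bound arithmetic behind Sweet32-style collision attacks.

Added illustration, not code from the Sweet32 authors. The simulation uses
random blocks as a stand-in for CBC ciphertext blocks, which look uniformly
random to an observer who does not hold the key.
"""
import math
import random


def blocks_for_collision_probability(block_bits: int, probability: float) -> float:
    """Number of ciphertext blocks after which at least one repeated block
    is expected with the given probability.

    Uses the standard birthday approximation
        p ~= 1 - exp(-n^2 / (2 * 2^b))
    solved for n, where b is the block size in bits.
    """
    if not 0.0 < probability < 1.0:
        raise ValueError("probability must be strictly between 0 and 1")
    space = 2.0 ** block_bits
    return math.sqrt(-2.0 * space * math.log(1.0 - probability))


def bytes_for_collision_probability(block_bits: int, probability: float) -> float:
    """Same bound expressed as bytes of ciphertext an observer must collect."""
    blocks = blocks_for_collision_probability(block_bits, probability)
    return blocks * (block_bits // 8)


def simulate_collision_index(block_bits: int, rng: random.Random) -> int:
    """Draw random blocks of block_bits bits until one repeats; return how
    many blocks were needed. Only practical for toy block sizes."""
    seen = set()
    count = 0
    while True:
        block = rng.getrandbits(block_bits)
        count += 1
        if block in seen:
            return count
        seen.add(block)


def average_collision_index(block_bits: int, trials: int, seed: int = 1) -> float:
    """Average number of blocks until the first collision over several runs.
    For b-bit blocks the expectation is close to sqrt(pi/2 * 2^b)."""
    rng = random.Random(seed)
    total = sum(simulate_collision_index(block_bits, rng) for _ in range(trials))
    return total / trials


if __name__ == "__main__":
    for bits in (64, 128):
        n = blocks_for_collision_probability(bits, 0.5)
        gb = bytes_for_collision_probability(bits, 0.5) / 1e9
        print(f"{bits}-bit blocks: 50% collision chance after ~2^{math.log2(n):.1f} blocks "
              f"(~{gb:.3g} GB of ciphertext)")
    # Toy block size so the birthday behaviour is observable directly.
    print("16-bit toy cipher, simulated mean blocks to first collision:",
          round(average_collision_index(16, trials=200), 1),
          "theory ~", round(math.sqrt(math.pi / 2 * 2 ** 16), 1))
```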
  29. Tomi Engdahl says:

    illusive networks’ Deceptions Everywhere
    http://www.linuxjournal.com/content/illusive-networks-deceptions-everywhere-0?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+linuxjournalcom+%28Linux+Journal+-+The+Original+Magazine+of+the+Linux+Community%29

    illusive networks’ bread and butter is its deception cybersecurity technology called Deceptions Everywhere whose approach is to neutralize targeted attacks and Advanced Persistent Threats by creating a deceptive layer across the entire network. By providing an endless source of false information, illusive networks disrupts and detects attacks with real-time forensics and without disruption to business.

    Advanced attacker deception
    https://www.illusivenetworks.com/

    illusive networks is a cybersecurity company at the forefront of deception technology, the most effective protection against Advanced Attacks. illusive creates an alternate reality, transparently woven into your existing network. Attackers led into this reality will be instantly identified beyond all doubt, triggering a high-fidelity alert you can act upon.

    Reply
  30. Tomi Engdahl says:

    Cybersecurity 101: An Introduction to Deception Technology
    https://blog.illusivenetworks.com/-deceptive-technology-introduction?__hstc=19906023.6f83c56299a78cd6a819f4964bb333c2.1472485751747.1472485751747.1472485751747.1&__hssc=19906023.1.1472485751747&__hsfp=1998985086&hsCtaTracking=58c150f6-a7a5-438d-8f76-f89d142719c7%7C93b798a6-52d8-40a9-8988-b449c8926acf

    Deception technology is an outside-the-box cybersecurity approach that aims to turn the current paradigm on its head – from reactionary to proactive defense.

    Traditional, signature-based security measures continue to fall prey to sophisticated zero-day attacks and advanced persistent threats, despite the fact that companies are spending upwards of $3 million per year on information security.

    It’s time for organizations to get proactive, and use deception technology to enhance the way they architect a comprehensive security strategy.

    1. Manipulating the One Thing Cyber Attackers Count On

    Attackers have long been able to trust companies. They work on the fundamental assumption that the infrastructure data they see is real. Deception technology uses carefully designed lures to attract attackers during infiltration and instantly identify them.
    2. Providing Instant Gratification
    Deception technology triggers alerts the moment an attacker “trips the wire”. With the average cost of a data breach nearing $4 million, enterprise organizations can’t afford to wait until they’ve already been attacked to start handling the situation.
    3. Going Beyond Digital Signatures
    Digital signatures act as a fingerprint that identifies a digital threat; however, the rise of advanced persistent threats and zero-day attacks show that attackers are far too sophisticated to make the same mistakes twice.
    4. Simplifying the Solution Stack

    It’s hard to deny that networking equipment and software is growing more complicated. With the rise of software-defined networking, IT departments must deploy more in-band security appliances (firewalls and intrusion detection systems) to ensure protection.
    However, these appliances often fail to keep attackers out, and can also interfere with network performance.

    The value of the cybersecurity market is expected to reach $170.21 billion by 2020. Yet, all of this spending is worthless if attackers still enjoy free rein over enterprise networks.

    In the US alone, companies experience an annual loss of $525 million due to cyber crime. It’s clear that current cybersecurity methods aren’t working as well as companies might hope, and that a new approach is necessary.

    Honeypot Architecture vs. Deception Technology
    https://go.illusivenetworks.com/wp-honeypot-v.-deception-tech-lp?__hssc=19906023.1.1472485751747&__hstc=19906023.6f83c56299a78cd6a819f4964bb333c2.1472485751747.1472485751747.1472485751747.1&hsCtaTracking=a01a63e9-c2a9-4a7a-a70c-13ef840a0358%7C86bc81ae-decf-4352-bdf3-064696847616

    Honeypot architecture was innovative at its inception in 1999; it paved the way for a more proactive approach to cyber security and kept attackers at bay.
    Today’s cyber attackers are more specialized

    Cyber security experts should take a page out of the attackers’ playbook and use a more realistic set of illusions to trap, track and thwart their actions from the start.

    Reply
  31. Tomi Engdahl says:

    Michael Isikoff / Yahoo:
    FBI issued warning that two state voter registration databases were breached by suspected foreign hackers; sources: Arizona, Illinois databases were the targets — The FBI has uncovered evidence that foreign hackers penetrated two state election databases in recent weeks …

    FBI says foreign hackers penetrated state election systems
    https://www.yahoo.com/news/fbi-says-foreign-hackers-penetrated-000000175.html

    The FBI has uncovered evidence that foreign hackers penetrated two state election databases in recent weeks, prompting the bureau to warn election officials across the country to take new steps to enhance the security of their computer systems, according to federal and state law enforcement officials.

    The FBI warning, contained in a “flash” alert from the FBI’s Cyber Division, a copy of which was obtained by Yahoo News, comes amid heightened concerns among U.S. intelligence officials about the possibility of cyberintrusions, potentially by Russian state-sponsored hackers, aimed at disrupting the November elections.

    U.S. offers states help to fight election hacking
    http://mobile.reuters.com/article/idUSKCN10R1QN

    The government is offering to help states protect the Nov. 8 U.S. election from hacking or other tampering, in the face of allegations by Republican Party presidential candidate Donald Trump that the system is open to fraud.

    Trump has questioned the integrity of U.S. election systems in recent weeks, but his allegations have been vague and unsubstantiated.

    The attempts to sow doubts about the 2016 election results coincided with Trump’s slide in opinion polls against Democratic Party candidate Hillary Clinton and missteps in his campaign.

    President Barack Obama dismissed the claims as “ridiculous.” “Of course the elections will not be rigged. What does that mean?” Obama said at a news conference the next day.

    An Electronic Privacy Information Center report this week said 32 of the 50 states would allow voting by insecure email, fax and internet portals in this election cycle.

    Reply
  32. Tomi Engdahl says:

    Ransdell Pierson / Reuters:
    University of Michigan study finds major flaws in MedSec’s criticism of St. Jude cyber security, which had coincided with a deal to short manufacturer’s stock

    University study finds flaws in criticism of St. Jude cyber security
    http://www.reuters.com/article/us-st-jude-medical-cyber-university-idUSKCN1152I0

    University of Michigan researchers on Tuesday said their own experiments undermine recent allegations of security flaws in St. Jude Medical Inc’s pacemakers and other implantable medical devices.

    Shares of St. Jude fell 5 percent on Thursday after short-selling firm Muddy Waters and its business partner, cyber security company MedSec Holdings Inc, alleged finding significant security bugs in the company’s Merlin@home device for monitoring implanted heart devices.

    The university said its researchers came “to strikingly different conclusions” after generating the conditions reported by Muddy Waters and not finding a security issue.

    “We’re not saying the (Muddy Waters) report is false; we’re saying it’s inconclusive because the evidence does not support their conclusions,”

    Reply
  33. Tomi Engdahl says:

    USBee: Air-Gap Covert-Channel via Electromagnetic Emission from USB
    http://cyber.bgu.ac.il/t/USBee.pdf

    Abstract — In recent years researchers have demonstrated how attackers could use USB connectors implanted with RF transmitters to exfiltrate data from secure, and even air-gapped, computers (e.g., COTTONMOUTH in the leaked NSA ANT catalog). Such methods require a hardware modification of the USB plug or device, in which a dedicated RF transmitter is embedded. In this paper we present ‘USBee,’ software that can utilize an unmodified USB device connected to a computer as an RF transmitter. We demonstrate how software can intentionally generate controlled electromagnetic emissions from the data bus of a USB connector. We also show that the emitted RF signals can be controlled and modulated with arbitrary binary data. We implement a prototype of USBee, and discuss its design and implementation details including signal generation and modulation. We evaluate the transmitter by building a receiver and demodulator using GNU Radio. Our evaluation shows that USBee can be used for transmitting binary data to a nearby receiver at a bandwidth of 20 to 80 BPS (bytes per second).

    Reply
  34. Tomi Engdahl says:

    More banks plundered through SWIFT attacks
    Shape up, cause the Bangladesh Bank hack is just the start, SWIFT warns
    http://www.theregister.co.uk/2016/08/31/swift_reuters/

    Criminals have hacked an unspecified number of new banks, using the SWIFT messaging system already implicated in one of the most lucrative breaches in history.

    Reuters reports SWIFT has sent notices to banks around the world warning of breaches and asking the financial institutions to lift their security game.

    Hackers of unknown origin stole some US$81 million from Bangladesh Bank and nearly scored almost US$1 billion save for the presence of a typo which raised suspicion, preventing two transactions of US$850 million and US$870 million.

    Attackers unknown are now plundering other banks by exploiting neglected local information security infrastructure.

    “Customers’ environments have been compromised, and subsequent attempts [were] made to send fraudulent payment instructions,” a SWIFT letter sent to customers and obtained by Reuters reads.

    “The threat is persistent, adaptive and sophisticated – and it is here to stay.”

    Exclusive: SWIFT discloses more cyber thefts, pressures banks on security
    http://www.reuters.com/article/us-cyber-heist-swift-idUSKCN11600C

    Reply
  35. Tomi Engdahl says:

    This Mathematician Says Big Data Is Causing a ‘Silent Financial Crisis’
    http://time.com/4471451/cathy-oneil-math-destruction/

    Algorithms that we use daily actually thwart equality, says Cathy O’Neil


    When there is wrongdoing in fields that are both complex and opaque, it often takes a whistle-blower to inform the public. That’s exactly what former quant trader turned social activist Cathy O’Neil has become for the world of Big Data.

    Unlike the WMDs that were never found in Iraq, data driven algorithms are all around us. Already, many of our bosses use them to grade our performance. Our children’s teachers are hired and fired by them. They decide who gets access to credit and who pays higher insurance premiums, as well as who will receive online advertising for luxury handbags versus who’ll be targeted by predatory ads for for-profit universities.

    O’Neil sees plenty of parallels between the usage of Big Data today and the predatory lending practices of the subprime crisis. In both cases, the effects are hard to track, even for insiders. Like the dark financial arts employed in the run up to the 2008 financial crisis, the Big Data algorithms that sort us into piles of “worthy” and “unworthy” are mostly opaque and unregulated, not to mention generated (and used) by large multinational firms with huge lobbying power to keep it that way. “The discriminatory and even predatory way in which algorithms are being used in everything from our school system to the criminal justice system is really a silent financial crisis,” says O’Neil.

    The effects are just as pernicious. Using her deep technical understanding of modeling, she shows how the algorithms used to, say, rank teacher performance are based on exactly the sort of shallow and volatile type of data sets that informed those faulty mortgage models in the run up to 2008.

    In higher education, the use of algorithmic models that rank colleges has led to an educational arms race where schools offer more and more merit- rather than need-based aid to students who’ll make their numbers (thus rankings) look better.

    O’Neil has proposed a Hippocratic Oath for mathematicians. She and others also suggest much deeper regulation of the burgeoning field, perhaps via random algorithmic “audits” by regulators, and deeper analysis of how such algorithms work.

    Reply
  36. Tomi Engdahl says:

    Revived lawsuit says Twitter DMs are like handing ISIS a satellite phone
    http://www.theverge.com/2016/8/30/12717178/twitter-isis-lawsuit-direct-message-revised-complaint

    A long-standing lawsuit holding Twitter responsible for the rise of ISIS got new life today, as plaintiffs filed a revised version of the complaint that was struck down earlier this month. In the new complaint, the plaintiffs argue Twitter’s Direct Message service is akin to providing ISIS with physical communications equipment like a radio or a satellite phone.

    It’s the plaintiffs’ third attempt, after two previous complaints were struck down by the judge.

    Reply
  37. Tomi Engdahl says:

    Google Login Bug Allows Credential Theft
    https://news.slashdot.org/story/16/08/30/2053209/google-login-bug-allows-credential-theft

    Attackers can add an arbitrary page to the end of a Google login flow that can steal users’ credentials, or alternatively, send users an arbitrary file any time a login form is submitted, due to a bug in the login process. A researcher in the UK identified the vulnerability recently and notified Google of it, but Google officials said they don’t consider it a security issue.

    Google Login Issue Allows Credential Theft
    https://www.onthewire.io/google-login-issue-allows-credential-theft/

    Attackers can add an arbitrary page to the end of a Google login flow that can steal users’ credentials, or alternatively, send users an arbitrary file any time a login form is submitted, due to a bug in the login process.

    A researcher in the UK identified the vulnerability recently and notified Google of it, but Google officials said they don’t consider it a security issue. The bug results from the fact that the Google login page will take a specific, weak GET parameter.

    “Google’s login page accepts a vulnerable GET parameter, namely ‘continue’. As far as I can determine, this parameter undergoes a basic check,”

    The login page checks to ensure that the parameter points to *.google.com/*, but doesn’t determine which Google service the parameter is pointing to.

    Using this bug, an attacker could add an extra step to the end of the login flow that could steal a user’s credentials. For example, the page could mimic an incorrect password dialog and ask the user to re-enter the password. Woods said an attacker also could send an arbitrary file to the target’s browser any time the login form is submitted.

    Reply
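The weakness described above is a post-login redirect check that accepts any host matching *.google.com/* without caring which service the path points to. The added example below (not Google's code; the allowlisted hostnames and path prefixes are constructed for illustration) shows that loose host check beside a stricter validator that pins scheme, exact host and path prefix.

```python
"""Validating a post-login 'continue' redirect target.

Added example, not code from Google or the researcher. The hostnames and
path prefixes in ALLOWED_CONTINUE are constructed for illustration.
"""
from urllib.parse import urlsplit


def weak_continue_check(url: str) -> bool:
    """Mirrors the behaviour the article describes: accept any target whose
    host is google.com or a subdomain of it, regardless of service or path."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    return host == "google.com" or host.endswith(".google.com")


# Constructed allowlist: exact hosts that are valid post-login destinations,
# each with the path prefixes the login flow is allowed to hand off to.
ALLOWED_CONTINUE = {
    "mail.google.com": ("/mail/",),
    "drive.google.com": ("/drive/",),
}


def strict_continue_check(url: str) -> bool:
    """Accept a redirect target only if scheme, exact host and path prefix
    are all on the allowlist. Anything odd in the URL (userinfo, explicit
    port, unparsable port) is rejected rather than reasoned about."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme != "https":
        return False
    if parts.username is not None or parts.password is not None or port is not None:
        return False
    host = (parts.hostname or "").lower()
    prefixes = ALLOWED_CONTINUE.get(host)
    if prefixes is None:
        return False
    path = parts.path or "/"
    return any(path.startswith(prefix) for prefix in prefixes)


def compare_checks(url: str) -> tuple:
    """Return (weak_result, strict_result) so the two policies can be compared."""
    return weak_continue_check(url), strict_continue_check(url)


if __name__ == "__main__":
    # Constructed sample targets.
    samples = [
        "https://mail.google.com/mail/u/0/",
        "https://other-service.google.com/some/page",
        "http://mail.google.com/mail/",
        "https://mail.google.com/elsewhere/",
        "https://mail.google.com:evil@attacker.example/mail/",
        "https://attacker.example/",
    ]
    for url in samples:
        weak, strict = compare_checks(url)
        print(f"{url:55} weak={weak!s:5} strict={strict}")
```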
  38. Tomi Engdahl says:

    Nokia: more mobile viruses than ever before

    Nokia has published its online threat report. The Nokia Threat Intelligence Report shows that malware infections on mobile devices increased by 96 per cent in the first half of the year.

    The report shows that 1.06 per cent of mobile devices were infected by malware in April. The figure is a new record.

    One in 120 smartphones is infected, according to Nokia.

    Android is the most targeted platform: 74 per cent of infected devices run Android. Windows accounts for 22 per cent and iOS devices for only four per cent.

    For Android users, the riskiest route to infection is downloading unknown applications. According to Nokia, the number of infected Android applications grew by 75 per cent.

    Source: http://etn.fi/index.php?option=com_content&view=article&id=4954:nokia-mobiiliviruksia-enemman-kuin-koskaan-aikaisemmin&catid=13&Itemid=101

    Reply
  39. Tomi Engdahl says:

    Forget Software—Now Hackers Are Exploiting Physics
    https://www.wired.com/2016/08/new-form-hacking-breaks-ideas-computers-work/

    Over the last year and a half, security researchers have been doing exactly that: honing hacking techniques that break through the metaphor to the actual machine, exploiting the unexpected behavior not of operating systems or applications, but of computing hardware itself—in some cases targeting the actual electricity that comprises bits of data in computer memory. And at the Usenix security conference earlier this month, two teams of researchers presented attacks they developed that bring that new kind of hack closer to becoming a practical threat.
    Breaking Assumptions

    Both of those new attacks use a technique Google researchers first demonstrated last March called “Rowhammer.” The trick works by running a program on the target computer, which repeatedly overwrites a certain row of transistors in its DRAM flash memory, “hammering” it until a rare glitch occurs: Electric charge leaks from the hammered row of transistors into an adjacent row. The leaked charge then causes a certain bit in that adjacent row of the computer’s memory to flip from one to zero or vice versa. That bit flip gives you access to a privileged level of the computer’s operating system.

    It’s messy. And mind-bending. And it works.

    Rowhammer and similar attacks could require both hardware and software makers to rethink defenses based on purely digital models. “Computers, like all technologies really, are built in layers that make assumptions of one another. Think of a car, assuming its wheels roll and absorb shocks, and don’t melt into goop when they get wet,” says security researcher Dan Kaminsky, who found a fundamental flaw in the Internet’s domain name system in 2008. “What’s interesting about networked technology is the fact that those assumptions can be attacked.”

    Those variations on Rowhammer, along with the newest ones presented at Usenix, show that the hacker world is increasingly focused on techniques that break those fundamental assumptions of computing. “Rowhammer is just scratching the surface,” says Dullien. “This has the potential to be a gigantic field of research.”

    Making Rowhammer Practical and Specific

    The latest attacks take Rowhammer in a new direction, applying it to cloud computing services rather than PCs. One attack by a group of Ohio State researchers used the technique to hack Xen, the software used to partition computing resources on cloud servers into isolated “virtual machines” rented to customers. The hack breaks out of those virtual machines to control deeper levels of the server.

    The trick, which the researchers call “Flip Feng Shui,” allowed the group to pull off highly targeted hacks, like sabotaging the process of generating an encryption key so that they could later decrypt a target’s secrets.

    The result is an ultra-stealthy physical sabotage technique that’s virtually impossible to detect with digital security measures.

    Reply
  40. Tomi Engdahl says:

    Hack Brief: As FBI Warns Election Sites Got Hacked, All Eyes Are on Russia
    https://www.wired.com/2016/08/hack-brief-fbi-warns-election-sites-got-hacked-eyes-russia/

    In any other year, hackers breaking into a couple of state government websites through common web vulnerabilities would hardly raise a blip on the cybersecurity community’s radar. But in this strange and digitally fraught election season, the breach of two state board of election websites not only merits an FBI warning—it might just rise to the level of an international incident.

    On Monday, an FBI alert surfaced warning state boards of election to take precautions against hackers after two election board websites were breached in recent months. According to Yahoo News, those breaches likely targeted Arizona and Illinois board of election sites, both of which admitted earlier this summer that they’d been hacked.

    Reply
  41. Tomi Engdahl says:

    A harsh warning from the Finnish Supo – YLE: “Don’t take your mobile phone abroad”

    The Security Police urges people to leave both mobile phones and laptops at home when travelling abroad. According to SUPO, even ordinary citizens should be concerned about data security.

    In a YLE interview, SUPO Chief Inspector Tuomas Portaankorva lists three reasons why your phone or laptop is not worth taking on trips. First of all, base station encryption can be turned off, either accidentally or deliberately, after which tapping calls is very easy. Secondly, the identifiers of the phone and SIM card become available to foreign intelligence services when the phone connects to the local network. Thirdly, Portaankorva raises the threat of viruses spreading through foreign networks and services.

    According to SUPO, critical systems in Finland are constantly being targeted by intrusion attempts.

    Source: http://www.tivi.fi/Kaikki_uutiset/supolta-raju-varoitus-yle-ala-vie-kannykkaa-ulkomaille-6578833

    Reply
  42. Tomi Engdahl says:

    Blackhat wannabes proffer probably bogus Linux scamsomware
    ‘We nicked your files, pay us or we’ll leak,’ warns pastebin note
    http://www.theregister.co.uk/2016/09/01/blackhat_wannabes_proffer_bogus_linux_scamsomware/

    A new purported ransomware variant is hitting Linux servers, deleting files and demanding payment for the return of lost data.

    The scam is possibly a bluff, since it does not follow the regular format of encrypting files and leaving ransom notes for slick and automated payment.

    Information on the attacks is scarce. Bleeping Computer researcher Lawrence Abrams suspects it is likely a copy of the deleted files with the web folder uploaded to an attacker’s server, rather than complex encryption being applied.

    “In this attack, the attackers most likely do not encrypt the files, and if they do retain the files, probably just upload it to a server under their control,” Abrams says.

    New FairWare Ransomware targeting Linux Computers
    http://www.bleepingcomputer.com/news/security/new-fairware-ransomware-targeting-linux-computers/

    Reply
  43. Tomi Engdahl says:

    Malware exposes payment card data at Kimpton Hotels
    http://www.cnet.com/news/malware-exposes-payment-card-data-at-kimpton-hotels/

    Servers used to process payments at the boutique hotel chain’s properties are infected with malware designed to steal customer card numbers, names and expiration dates.

    Kimpton Hotels has become the latest hotel operator to suffer a major data breach that may have divulged customer payment card data.

    The chain of US boutique hotels warned on Wednesday that it had discovered malware on servers that processed payment cards used at some of its hotels and restaurants. The malware was designed to capture customers’ card numbers, cardholder names, expiration dates and internal verification codes, the subsidiary of InterContinental Hotels Group explained in a blog post.

    Payment Card Notification
    https://www.kimptonhotels.com/promos/payment-card-notification

    Kimpton Hotels & Restaurants Notifies Customers of Payment Card Incident

    Reply
  44. Tomi Engdahl says:

    One of Europe’s Biggest Companies Loses 40 Million Euros In Online Scam
    https://news.slashdot.org/story/16/08/31/2336207/one-of-europes-biggest-companies-loses-40-million-euros-in-online-scam

    Leoni AG, Europe’s biggest manufacturer of wires and electrical cables and the fourth-largest vendor in the world, announced it lost 40 million euros ($44.6 million) following an online scam that tricked one of its financial officers into transferring funds to the wrong bank account. A subsequent investigation revealed that attackers had scouted the company’s network and procedures, and identified a weak spot to attack. According to authorities, a young woman working as CFO at Leoni’s Bistrita factory in Romania was the target of the scam, when she received an email spoofed to look like it came from one of the company’s top German executives asking her to transfer funds to a bank account.

    One of Europe’s Biggest Companies Loses €40 Million in Online Scam
    German electrical cable maker Leoni falls victim to BEC scam
    Read more: http://news.softpedia.com/news/one-of-europe-s-biggest-companies-loses-40-million-in-online-scam-507818.shtml#ixzz4J0Llp77y

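    The Leoni case above is a classic executive-impersonation (BEC) request. As an added defensive example, not code from the original post or from Leoni, the following Python check flags the three signals such a message usually carries: a known executive's display name on a foreign address, a Reply-To that redirects answers elsewhere, and a payment request from an external sender. The executive directory, domains and the sample message are constructed placeholders.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed directory of executives likely to be impersonated, keyed by
# normalised display name. Domain and addresses are placeholders, not real ones.
EXECUTIVES = {"hans mueller": "hans.mueller@example-corp.invalid"}
INTERNAL_DOMAINS = {"example-corp.invalid"}
PAYMENT_TERMS = ("transfer", "wire", "bank account", "urgent", "confidential")


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def bec_indicators(raw_message: str) -> list[str]:
    """Return the BEC indicators found in one RFC 822 message (empty list = none)."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    found = []
    # 1. Display name of a known executive, but the address is not that executive's.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        found.append("exec-name-mismatch")
    # 2. Replies would go to a different domain than the one the mail claims to come from.
    if reply_to and _domain(reply_to) != _domain(addr):
        found.append("reply-to-redirect")
    # 3. An external sender asking for a payment action.
    body = msg.get_payload() if not msg.is_multipart() else ""
    if _domain(addr) not in INTERNAL_DOMAINS and any(t in body.lower() for t in PAYMENT_TERMS):
        found.append("external-payment-request")
    return found


# Constructed sample resembling the spoofed request described above (not a real message).
SAMPLE = """From: Hans Mueller <hans.mueller@example-corp-mail.invalid>
Reply-To: ceo-office@webmail.invalid
To: cfo.bistrita@example-corp.invalid
Subject: Urgent transfer

Please transfer the funds to the bank account below today. This is confidential.
"""

if __name__ == "__main__":
    print(bec_indicators(SAMPLE))  # ['exec-name-mismatch', 'reply-to-redirect', 'external-payment-request']
```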
  45. Tomi Engdahl says:

    After Breaches At Other Services, Spotify Is Resetting Users’ Passwords
    https://it.slashdot.org/story/16/08/31/1847227/after-breaches-at-other-services-spotify-is-resetting-users-passwords

    And now, Spotify is asking its users to reset their passwords. The popular music streaming service is “actively resetting a number of users’ passwords,” Motherboard reports, adding that the company is doing this because of the data breaches at other services and websites.

    After Breaches At Other Services, Spotify Is Resetting Users’ Passwords
    http://motherboard.vice.com/read/spotify-passwords-reset-security-precaution

    Popular music streaming service Spotify is actively resetting a number of users’ passwords. The company claims this is in response to data breaches of other websites, implying that the problem may be customers reusing passwords.

    “To protect your Spotify account, we’ve reset your password. This is because we believe it may have been compromised during a leak on another service with which you use the same password,” an email sent to a user on Wednesday reads.

    “Don’t worry! This is purely a preventative security measure. Nobody has accessed your Spotify account, and your data is secure,” it continues.

    On Wednesday, Motherboard broke the news that a 2012 hack of Dropbox had exposed some 68 million email addresses and hashed passwords. This summer, the public learned of huge hacks of Myspace, LinkedIn, VK.com.

  46. Tomi Engdahl says:

    MedSec’s ‘hackable pacemaker’ report autopsy: Bombshell crash claim in doubt
    No conclusive evidence of bricked devices, say uni experts
    http://www.theregister.co.uk/2016/09/01/medsec_uni_study_questioned/

    Researchers at the University of Michigan (U-M) have poured doubt on one claim by MedSec that St Jude Medical’s implanted pacemakers and defibrillators are remotely breakable.

    Last week MedSec went public with a report saying that life-giving devices sold by St Jude Medical could be wirelessly compromised by hackers – who could either brick the vital equipment or empty their batteries of charge by sending malicious signals from afar.

    Rather than try to get the issue fixed with the manufacturer, MedSec partnered with investment firm Muddy Waters Capital to short St Jude’s stock. This allowed the pair to cash in when they made their vulnerability findings public and the healthcare company’s share price fell.

    St Jude called the damning MedSec dossier “false and misleading.”

    Now U-M says some of the security shortcomings detailed in the MedSec report aren’t as serious as first feared. The uni researchers attempted to recreate MedSec’s attacks and found that in one case so far, the evidence the security firm presented is flawed.

    “We’re not saying the report is false. We’re saying it’s inconclusive because the evidence does not support their conclusions. We were able to generate the reported conditions without there being a security issue,” said Kevin Fu, U-M associate professor of computer science and engineering and director of the Archimedes Center for Medical Device Security.

    In El Reg’s view, if the communications are temporarily disrupted it’s hard to see how this is a super serious issue.

    That’s what all of last week’s screaming headlines were based on.

    “While medical device manufacturers must improve the security of their products, claiming the sky is falling is counterproductive,” Fu noted. “Healthcare cybersecurity is about safety and risk management, and patients who are prescribed a medical device are far safer with the device than without it.”

    The U-M researchers are still going through the MedSec report, so there’s room for more discoveries or revisions to their conclusions. In the meantime, the whole case has raised concerns among many in the computer security industry that the startup’s unorthodox tactics may have needlessly terrified patients using St Jude’s products.

    “It’s my personal view that ethically it’s really hard to understand why people would have to go through this,” Sam Rehman, CTO of application security vendor Arxan Technologies, told The Reg. “The whole point of the security industry is to build trust by protecting systems.”

  47. Tomi Engdahl says:

    Cybersecurity system design, vulnerabilities
    http://www.controleng.com/single-article/cybersecurity-system-design-vulnerabilities/a58c61d65a4399d05b3b62f9429005e9.html?OCVALIDATE&ocid=101781

    Intelligent systems, at home or in the workplace, can have vulnerabilities, especially with greater complexities and interconnections through the Internet of Things. We should embed cybersecurity in devices and systems and proceed with caution, according to Control Engineering Russia, in this article edited for Control Engineering.

    To what extent can we trust things, such as intelligent industrial networked devices? Will they behave as expected with unlimited Internet access? To what extent can we manage and control them? Will our lives become unpredictable and uncontrollable with widespread use of the Industrial Internet of Things (IIoT) concepts?

    Engineers generally assume that mechanisms serve their intended purpose. Is that always true? The “smarter” something is, the quicker we lose control and become fully dependent on it. As smart things demand greater attention, will they demand ongoing fine control and management?

    Risks beyond original designs

    Progress continues as more smart devices and systems become available in homes and in the workplace. All information security officers recommend caution. Alexandr Meleshkin said, “Perils are possible since humans are prone to making mistakes,” suggesting that if developers release products at the expense of reliability, software vulnerabilities and poor performance may result. Alexandr Bolshev agreed, pointing to many existing hazards requiring attention beyond initial consideration of developers, integrators, and users.

  48. Tomi Engdahl says:

    LeakedSource:
    In the 2012 Last.fm hack, details of 43.57M accounts were stolen; 96% of hashed passwords were able to be cracked within 2 hours

    http://www.leakedsource.com/blog/lastfm

    LeakedSource has exposed every single mega breach of 2016 including LinkedIn, MySpace, and VK.com but because we are the most effective breach notification service in the world, we’re back with more.

  49. Tomi Engdahl says:

    Stephen Schrauger / Schrauger.com:
    How WoSign, a Chinese CA, issued a valid SSL cert for GitHub’s primary domain to a subdomain user, and didn’t revoke it even after vulnerability was reported

    The story of how WoSign gave me an SSL certificate for GitHub.com
    https://www.schrauger.com/the-story-of-how-wosign-gave-me-an-ssl-certificate-for-github-com

  50. Tomi Engdahl says:

    An example of the dangers of what can happen if you give people reason to expect that election fraud is happening (think of a case where there would be a cyber-attack against an election in the future):

    Deadly Protests Shake Gabon After Allegations Of Election Fraud
    http://www.npr.org/sections/thetwo-way/2016/09/01/492258400/deadly-protests-in-gabon-after-allegations-of-election-fraud

    In the capital of Gabon, Libreville, hundreds of people have been arrested and at least three people have died amid protests after the sitting president was declared the winner of last weekend’s disputed election.

    The European Union also called on the government to assure its citizens that the election had been fair.
