Here are my predictions for trends in information security and cyber security for year 2016.
2015 was a bad year for information security, and I would say that the trend is worrying, so I expect 2016 to bring many information security challenges. If you want to keep yourself up at night, spend some time reading about the latest developments in cybersecurity. In 2015 airplanes were hacked, cars were hacked, and vulnerabilities were found in a breathtaking range of sensitive equipment, from TSA locks to voting booths to medical devices. The big picture is even scarier: former NSA Director Mike McConnell suspects China has hacked “every major corporation” in the US. Those problems will continue in 2016, and new targets for attacks will be found. The system is broken. It isn’t keeping us, our companies, or our government safe. Worse yet, no one seems to know how to fix it.
Attacks through networks are becoming more common all the time, and it will be hard to protect against targeted attacks. Hackers will not only customize malware, but will increasingly use sophisticated phishing and social engineering tricks to gain access to sensitive data. Attackers usually cover their tracks carefully, so identifying who is behind an attack can be very difficult. Behind targeted attacks are usually professional criminals. Criminals do not respect geographical borders, so attacks are spread evenly everywhere. Companies will struggle to absorb the combined security threats of PCs and mobile devices in 2016.
EU information security decisions made in late 2015 will have an impact on what comes in 2016: the new EU data protection legislation package was approved, and the EU Court of Justice ruled that the Safe Harbor procedure is invalid. This means that transfers of personal data from EU countries to the United States under Safe Harbor are a violation of law – you need some other agreement for this. The situation will probably get clarified during 2016. Data protection legislation changes will lead to increased fines for the unprepared. Legal uncertainty and big fines are a toxic cocktail for some companies. The combination of stiff penalties and ambiguously worded provisions in the new EU-wide data protection law, which would replace a patchwork of 28 national laws, raises daunting prospects for companies operating in Europe.
After the huge number of user information leaks in 2015 from all kinds of Internet services, cloud companies will face the challenge of regaining trust in their security. You might have dared to trust only “the right cloud services,” since in principle, from the traditional information security point of view, they seem to have the main things in order; the rising number of leaks has now raised these privacy issues.
New environments will bring new threats. New operating system versions mean that administrators and users are less familiar with their environments. IPv6 will be more widely used, and the security of IPv6 networks differs from IPv4. Organizations are moving to virtualized environments, which are complex and create network layers that can become an attack vector. Growing network virtualization functionality and programmability are both an opportunity and a threat to security. Cyber security research will be important in 2016, as 5G networks will be critical infrastructure on top of which, for example, transport, industry, health and the new operators will set up their business around 2020.
The huge amount of information security information is becoming harder and harder to manage in 2016. A key problem with security revelations, as with all other news coverage, is the exponential growth of knowledge. There are a variety of news summaries produced on a daily basis, but they are not enough to get a good picture of what is happening. There are bigger and smaller news items, the impact of which is at times very difficult to assess. SMBs will become a bigger target for cybercriminals. Network and security professionals continue to be among the toughest IT talent to find and hire.
Old way network security focused on perimeter defense is not enough in 2016. Old mantras “encrypt everything” and “secure the perimeter,” are not enough. One deceptive truth seems to drive much of the cybersecurity industry down a rabbit hole: If you keep bad actors and bad software out of your system, you have nothing to worry about. It does not work like that anymore. As perimeter security gets stronger, malicious actors are looking for easier entry points to compromise an organisation through the breadth of its digital attack surface. Now malicious actors target “endpoints”—any device or sensor connected to a network—to break into that network. Traditional sandboxing will no longer protect against the growing malware landscape. Today, most private networks have far too many endpoints to properly secure. In an age of “Bring Your Own Device,” the cloud, remote access, and the Internet of Things, there are too many vulnerabilities hackers can exploit. Keep in mind that everything connected to the Internet can, and will be hacked. To address those threats in 2016, security experts should assume compromise – that hackers and malware already have breached their defenses, or soon will – and instead classify and mitigate threats. In addition to public key infrastructure lock-and-key system you will need also an integrity solution that acts like an alarm. To protect against advanced threats, security professionals will increase their reliance on centralized security management solutions. You need to have prioritization and response plans to various kinds of breaches – with a strong focus on integrity.
Law enforcement versus Silicon Valley tension will continue to be strong throughout year 2016. In 2015 Law enforcement and politicians on both sides of the Atlantic lined up to repeatedly complain that the web was “going dark” as the result of end-to-end encryption and that this was hampering the investigation of terrorism and other serious crimes. Technologists and cryptographers argue that governments are trying to weaken encryption by demanding some form of privileged access for government. It’s not clear how much encryption the NSA can break. With renewed focus on how encrypted messages can be used to plot terrorist attacks, President Barack Obama’s administration is stepping up pressure on the tech sector to help in the battle. Privacy remains a major counter-argument. It seems that governments lie about encryption backdoors. Encryption systems weakened by mandated backdoors would not be effective in fighting the terrorists that governments invoke as their reason for wanting those backdoors in the first place.
But this does not stop some government officials from demanding such things, with varying success in different countries. Another fact is that the existence of coded communications is a reality, and the U.S. may not be able to do much about it because nearly everyone living in modern society uses it: encryption protects your bank information, prevents your password from being stolen when you log into a website, and allows all e-commerce transactions to take place securely. Encryption weakened by mandated backdoors would put all of us at an enormous risk of exposure from data breaches and associated online risks. The truth in 2016 is that any form of privileged access for government – ie, a backdoor – would inevitably weaken crypto-systems and make them more vulnerable to attacks by foreign governments’ intelligence agencies as well as criminals; Juniper’s VPN security hole is proof that govt backdoors are bonkers. Encryption backdoors would be a gleeful win-win for terrorists and a horrific lose-lose for you – the bad guys having strong protections for their data, and the rest of us not. Poorly thought-out and crude surveillance techniques can have a devastating effect on a country’s internet security – for example, Kazakhstan will force its citizens to install internet backdoors by requiring all Internet users to install a state-issued root certificate by January 1, 2016.
Google, Mozilla and Microsoft are pushing for an early SHA-1 cutoff that could happen in 2016 instead of the earlier planned January 1, 2017. This is due to recent research showing that SHA-1 is weaker than previously believed, because it has been cracked without enormous effort. Mozilla, Microsoft and now Google are all considering bringing the deadline forward by six months to July 1, 2016. SHA-2 is going to be used as the replacement function for SHA-1. Websites like Facebook and those protected by CloudFlare have implemented a SHA-1 fallback mechanism for those systems that do not support SHA-2. Chrome will start displaying errors if SHA-1 certificates are employed in early 2016 and will completely stop supporting SHA-1 certificates at the end of 2016.
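To find out which of your own certificates are affected by the SHA-1 cutoff, you need to look at the signature algorithm and expiry of each one. The following is an added example, not code from the original post or from any browser vendor: a minimal DER walker that reads a certificate’s signatureAlgorithm OID and notAfter date and classifies it against the proposed July 1, 2016 deadline (the cutoff is a parameter). The sample certificates are constructed in the script itself (unsigned skeletons with an empty issuer, not real certificates); the OIDs are the standard assigned values.

```python
"""Flag X.509 certificates still signed with SHA-1 ahead of a browser sunset date."""
import datetime

# Standard signature-algorithm OIDs -> (name, digest used)
SIG_ALGS = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "sha1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "sha256"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "sha1"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "sha256"),
}

def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, contents, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """Decode DER OID contents into dotted notation."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                       # base-128, high bit = continuation
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def _parse_time(tag, raw):
    """Parse UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ)."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.datetime.strptime(raw.decode("ascii"), fmt)

def parse_certificate(der):
    """Return (signatureAlgorithm OID, notAfter) from a DER-encoded Certificate."""
    _, cert, _ = _read_tlv(der, 0)          # Certificate ::= SEQUENCE { tbs, sigAlg, sig }
    _, tbs, pos = _read_tlv(cert, 0)        # tbsCertificate
    _, sig_alg, _ = _read_tlv(cert, pos)    # signatureAlgorithm AlgorithmIdentifier
    _, oid_raw, _ = _read_tlv(sig_alg, 0)   # its algorithm OID
    # tbsCertificate: [0] version (optional), serialNumber, signature, issuer, validity
    p = 0
    tag, _, nxt = _read_tlv(tbs, p)
    if tag == 0xA0:                         # explicit [0] version present
        p = nxt
    for _ in range(3):                      # skip serialNumber, signature, issuer
        _, _, p = _read_tlv(tbs, p)
    _, validity, _ = _read_tlv(tbs, p)      # Validity ::= SEQUENCE { notBefore, notAfter }
    _, _, q = _read_tlv(validity, 0)
    t_tag, t_raw, _ = _read_tlv(validity, q)
    return _decode_oid(oid_raw), _parse_time(t_tag, t_raw)

def sha1_status(der, cutoff=datetime.datetime(2016, 7, 1)):
    """Classify a certificate: 'ok', 'sha1-short-lived' (expires before the
    cutoff) or 'sha1-reissue' (SHA-1 and still valid past the cutoff)."""
    oid, not_after = parse_certificate(der)
    name, digest = SIG_ALGS.get(oid, (oid, "unknown"))
    if digest != "sha1":
        return name, "ok"
    return name, "sha1-short-lived" if not_after < cutoff else "sha1-reissue"

# --- constructed sample certificates (assumption: unsigned skeletons, not real) ---
def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:                            # higher groups carry the continuation bit
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))

def make_sample_cert(sig_oid, not_after_utc):
    """Build a minimal Certificate with the given signature OID and notAfter (UTCTime)."""
    alg = _tlv(0x30, _encode_oid(sig_oid) + b"\x05\x00")            # AlgorithmIdentifier + NULL
    validity = _tlv(0x30, _tlv(0x17, b"160101000000Z") + _tlv(0x17, not_after_utc))
    tbs = _tlv(0x30, _tlv(0xA0, b"\x02\x01\x02")                     # version v3
                 + b"\x02\x01\x01"                                   # serialNumber 1
                 + alg + _tlv(0x30, b"") + validity)                 # signature, issuer, validity
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00\xde\xad"))       # dummy BIT STRING signature

if __name__ == "__main__":
    for oid, exp in [("1.2.840.113549.1.1.5", b"161231235959Z"),
                     ("1.2.840.113549.1.1.11", b"171231235959Z"),
                     ("1.2.840.10045.4.1", b"160301000000Z")]:
        print(sha1_status(make_sample_cert(oid, exp)))
```

A real deployment would feed the DER bytes of each certificate in the inventory (e.g. from a PEM file after base64-decoding) to `sha1_status` and prioritise the `sha1-reissue` results.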
Blockchain technology, a permissionless distributed database based on the bitcoin protocol that runs across a global network of independent computers, will be used more widely than just for Bitcoin virtual money. With bitcoin, the blockchain tracks the exchange of money. But it can also track the exchange of anything else that holds value, including stocks, bonds, and other financial securities. Overstock has already used the blockchain to issue private bonds. The Securities and Exchange Commission has approved a plan from online retailer Overstock.com to issue company stock via the Internet, signaling a significant shift in the way financial securities will be distributed and traded in the years to come. Overstock built its technology under the aegis of a subsidiary called TØ.com, and it plans to offer this “cryptosecurity” tech as a service to other businesses. Nasdaq OMX—the company behind the Nasdaq stock exchange—is using the blockchain to oversee the exchange of private stock. Also several major companies from across both the technology and financial industries—including IBM, Intel, and Cisco as well as the London Stock Exchange Group and big-name banks JP Morgan, Wells Fargo, and State Street—have joined forces with the Linux Foundation to create an alternative to the blockchain.
The use of disk encryption will increase, and there are different ways to do it with different security levels. With Windows 10, Microsoft has introduced disk encryption whose recovery keys are uploaded to Microsoft. This approach has some advantages and disadvantages. The gold standard in disk encryption is end-to-end encryption, where only you can unlock your disk. This is what most companies use, and it seems to work well. It protects data in case your device is lost or stolen. But what if you forget or lose your key? There are certainly cases where it’s helpful to have a backup of your key or password – so keeping a backup of your recovery key in your Microsoft account could be genuinely useful for probably the majority of users that don’t have high security needs. The disadvantage of this approach is that your computer is now only as secure as that database of keys held by Microsoft, which means it may be vulnerable to hackers, foreign governments, and people who can extort Microsoft employees.
Weak and leaked passwords are still a huge security problem in 2016. Passwords are often the weakest part when it comes to securing users’ accounts, as many don’t use complex passwords or they reuse the same password across services. Two-factor authentication – like using a USB stick with a secret token or entering a code sent via text message to your phone – can help to increase security, but many users also find this to be a hassle, as it introduces an additional step to the login process.
Google has begun testing a login system that uses phone notifications for authentication instead of passwords: users authenticate by responding to a notification sent to their smartphone. The idea is similar to Yahoo’s recently launched “Account Key,” which also offers a password-free means of signing in, involving a push notification sent to your phone that then opens an app where you approve the log-in.
Smartphones will become a more and more security-critical part of your life. “Increasingly, individuals and organisations are adopting password managers and multi-factor authentication technologies to plug some of the holes in password-based authentication.” “We foresee a world where practically everyone uses their smartphone as a multi-factor authentication element. In this world, the smartphone becomes your most valuable asset: something that enables you to unlock your life online and a target for attackers seeking to access your services.”
Expect that the number of mobile vulnerabilities will only grow in 2016. In 2016 we will see increasing numbers of cyber criminals using mobile applications to spread malware. Mobile presents an easy target for cyber criminals, because it is an attack surface that is open and extremely difficult to defend once an app has been released. Android threats will become more than just headline-grabbers. Will 2016 be the year iOS malware goes mainstream?
Critical infrastructures will be highly targeted in 2015. SCADA and ICS networks were not designed for security. Attacks against these systems have increased in recent years. I expect this trend to only get worse. There are still many companies that run their critical systems on Windows XP, as “There are some people who don’t have an option to change.” Many times the OS is running in automation and process control systems that run business and mission-critical systems, both in private sector and government enterprises. For example, the US Navy is using the obsolete operating system Microsoft Windows XP to run critical tasks. It all comes down to money and resources, but if someone is obliged to keep something running on an obsolete system, it is completely the wrong approach to information security.
Cars were hacked at a record rate in 2015, and they will be hacked at least at the same rate in 2016. Modern cars feature more gadgetry and connected systems, and this will make vehicles just as vulnerable to today’s threats and attacks. I Am The Cavalry has published a five-star Cyber Safety Framework to mitigate this threat in cars; hopefully car component makers will study it.
IoT and smart devices are still at risk. The Internet of Things will continue to emerge, and businesses will need to think about how to protect their smart devices and prepare for the wider adoption of IoT. IoT platforms are not yet the weapon of choice for commercial malware authors, but businesses beware. Wearables won’t be safe either, as they are built using largely the same, too often vulnerable, technologies as other IoT systems. IoT security is still in its infancy in 2016.
Cyber criminals became more active in 2015, particularly with ransomware. The ransomware problem will continue to be big in 2016. Commercial malware authors will continue to invest heavily, and exploit kits will continue to dominate on the web. Ransomware today is big business. Ransomware takes control of a computer and holds it hostage until the victim pays, usually in the digital currency Bitcoin. As a remedy against ransomware, I recommend making sure with your IT support or service provider that the data backup and restore procedure is operational, practiced and tested. You may need it in 2016 to get your data back without considering paying criminals. To date ransomware has hit Windows users hardest, although Android and MacOS users are now also facing similar extortion.
Ransomware will continue to dominate in 2016, and it is only a question of time before we see things beyond data being ransomed. We have already seen websites being held ransom to DDoS. Intel’s McAfee Labs also noted a huge spike in ransomware in early 2015, and worries about ransomware in the IoT space—including medical devices. And Kaspersky predicts the “nightmare of ransomware” to continue and “spread to new frontiers” in 2016. The article Ransomware Is Coming to Medical Devices tells that according to a report released recently by Forrester Research, the number one cybersecurity prediction for 2016 is: “We’ll see ransomware for a medical device or wearable.” “It’s definitely feasible from a technical standpoint.” Networked medical devices save lives. Despite the hacking risk, it’s an informed trade-off. Medical device ransomware would be a modern form of highway robbery with lives at stake.
Keep in mind that everything connected to the Internet can, and will, be hacked. In 2016, If You’re Not Paranoid, You’re Crazy. As government agencies and tech companies develop more and more intrusive means of watching and influencing people, how can we live free lives? Unfortunately I don’t have a solution for that.
Tomi Engdahl says:
Meet Matrix, an Open Standard for De-centralized Encrypted Communications
http://www.securityweek.com/meet-matrix-open-standard-de-centralized-encrypted-communications
In the early days of the internet, communication was by email. Originally siloed by companies like Compuserve, AT&T and Sprint so that messages could only be exchanged with others on the same system, email is now ubiquitous. Pretty much anyone can communicate with anyone else without worrying about app or device or browser.
Today there are additional methods of communicating via the internet, such as chat and voice. These new methods, however, are currently similar to early email: siloed by different vendors so that users can communicate only with other users on the same system. Matrix.org aims to change this, so that any user on one system can communicate with any user on a different system; just like email today.
Matrix is an open standard for interoperable, decentralized, real-time communication over IP. It can be used for any type of IP communication: IM, VoIP, or IoT data. One system already operating on Matrix is the open team collaboration app, Riot. While Riot is described as “a simple and elegant collaboration environment that gathers all of your different conversations and app integrations into one single app,” it can actually communicate with any user anywhere in the Matrix ecosphere.
http://matrix.org/
Tomi Engdahl says:
Loyalty card? Really? Why data-slurping store cards need a reboot
An IoT marriage is the future
http://www.theregister.co.uk/2016/11/28/retail_loyalty_card_reboot/
Loyalty cards – the little buggers are everywhere these days.
More than 20 years later and despite advancements in technology elsewhere in retail, and with the advent of things such as CRM, the loyalty card remains very much the same.
Still, they are logging items purchased by customers, gathering data that helps retailers build a profile then target them with offers or incentives to come back to the shop or restaurant again.
But with new data streams now available to retailers, it raises the question: is the importance of the loyalty card scheme and its data diminishing?
One of the reasons for this is that retailers haven’t yet moved quickly enough to make their loyalty proposition digital.
A report from mobile engagement firm Urban Airship found that the majority of consumers (62 per cent) were more likely to use their loyalty card if it was on their phone – and it’s perhaps unsurprising that the Tesco Clubcard and Nectar Card both have released smartphone apps to fill this void.
Integrating other data touch points – such as those from the Internet of Things (IoT) and a web browser – with the loyalty scheme data could prove to be even more beneficial, especially if this is done in realtime.
It’s an emotional connection that retailers will be hoping loyalty cards can begin to help offer along with personalised interactions, says Jason Foster, the former head of big data, analytics and marketing technologies at Marks & Spencer.
“[Loyalty schemes] need to get back to traditional retailing where the shopkeeper knew every customer that walked in the door, what they like, don’t like, who they live near and members of their family,” he said. “This used to enable traders to give a highly personal shopping experience to every customer.”
Another big consideration for retailers is that a huge part of their customer base is set to be “Generation Z” – who may be happier to share their data if it benefits them, but are also savvier in the way they shop.
The Rare report found that 65 per cent of loyalty scheme members said they would still shop with the brand if the loyalty programme no longer existed, meaning that for the majority of people a loyalty proposition wouldn’t affect their intention to purchase. However, on the flip side, a third of people think it’s a vital component of their relationship with that brand.
Tomi Engdahl says:
The Internet Society is unhappy about security – pretty much all of it
It’s all fun and games until someone loses a life
http://www.theregister.co.uk/2016/11/28/isoc_security_policy/
The Internet Society (ISOC) is the latest organisation saying, in essence, “security is rubbish – fix it”.
Years of big data breaches are having their impact, it seems: in its report released last week, it quotes a 54-country, 24,000-respondent survey reporting a long-term end user trend to become more fearful in using the Internet (by Ipsos on behalf of the Centre for International Governance Innovation).
Report author, economist and ISOC fellow Michael Kende, reckons companies aren’t doing enough to control breaches.
“According to the Online Trust Alliance, 93 per cent of breaches are preventable” he said, but “steps to mitigate the cost of breaches that do occur are not taken – attackers cannot steal data that is not stored, and cannot use data that is encrypted.”
Internet trust at all time low; not enough being done to protect data, says Internet Society report
http://www.internetsociety.org/news/internet-trust-all-time-low-not-enough-being-done-protect-data-says-internet-society-report
Five step approach identified to address data breaches and increase online trust
Tomi Engdahl says:
Firefox to Add “In Your Face” Warnings About Insecure Login Pages
http://www.bleepingcomputer.com/news/software/firefox-to-add-in-your-face-warnings-about-insecure-login-pages/
Mozilla engineers are preparing a very intrusive, but quite useful method of warning users that they’re about to enter sensitive passwords and login via an insecure HTTP connection.
Ryan Feeley, a user experience designer for Mozilla Toronto, provided this week a preview of an upcoming Firefox feature on Twitter.
“We’ll let you know when you go to type your password into an insecure (HTTP) page or form,” Feeley wrote on Twitter, and posted the following image.
Tomi Engdahl says:
‘Likely Hacker Attack’ Hits Almost 1 Million German Homes
http://www.securityweek.com/likely-hacker-attack-hits-almost-1-million-german-homes
Internet service for almost one million households in Germany was disrupted by likely deliberate hacking, provider Deutsche Telekom said Monday.
Around 900,000 customers using specific models of router have been affected since Sunday afternoon, the firm said, with some unable to connect at all while others suffered intermittent problems.
“We believe that influence was exerted on the routers from outside,” a Telekom spokesman told AFP, saying software had been installed on the devices that prevented them from connecting to the company’s network.
It did not provide details of which models of router — network hardware that connects households to their internet and telephone service provider — were affected.
Deutsche Telekom said that its engineers and colleagues from the companies that produce the devices had been working through the night to find a solution.
Customers affected have been advised to disconnect their routers from the network since the problems began on Sunday afternoon.
Germany has been the target of repeated cyber attacks in recent years.
Tomi Engdahl says:
cURL Security Audit Reveals Several Vulnerabilities
http://www.securityweek.com/curl-security-audit-reveals-several-vulnerabilities
The latest version of cURL patches nearly a dozen vulnerabilities, more than half of which were discovered as a result of an audit conducted recently by security experts.
cURL is an open source command line tool and library designed for transferring data. cURL is used by thousands of software applications, including networking devices, printers, media equipment, phones, tablets, TVs and even cars.
Daniel Stenberg, lead developer of cURL and Mozilla employee, requested a security audit of cURL from the Mozilla Secure Open Source (SOS) program. The audit was conducted over a 20-day period in August and September by five testers at Germany-based security services provider Cure53.
The audit revealed a total of 23 issues, including nine security flaws.
The latest version of cURL, version 7.51.0, patches a total of 11 vulnerabilities.
Tomi Engdahl says:
Ransomware Attack Disrupts San Francisco Rail System
http://www.securityweek.com/ransomware-attack-disrupts-san-francisco-rail-system
A ransomware attack that began on November 25 forced the San Francisco Municipal Transport Authority (SFMTA, or ‘Muni’) to progressively close ticketing machines and open the gates to its railway system.
Through Saturday and into Sunday, passengers were able to ride for free, some thinking it was a Black Friday holiday promotion. The station computers, however, showed the message “You Hacked, ALL Data Encrypted. Contact For Key([email protected])ID:681 ,Enter.”
SFMTA has so far given little official information, but did say the attack disrupted some internal computer systems, including email.
“All Your Computer’s/Server’s in MUNI-RAILWAY Domain Encrypted By AES 2048Bit!” and demanded 100 bitcoins (about $73,000) for the decryption key.
The disruption to travelers was eliminated when the SFMTA allowed passengers to ride for free. By removing a driving factor from the equation, the hack loses value and the ransom will likely go unpaid.
Tomi Engdahl says:
PCI DSS 3.2: Third Party Service Providers, It’s Time to Step Up
http://www.securityweek.com/pci-dss-32-third-party-service-providers-its-time-step
On November 1, 2016, the latest version of the Payment Card Industry Data Security Standard (PCI DSS 3.2) took effect. The PCI DSS 3.2 has a number of notable changes, particularly for third party service providers.
During the past few years, we have seen a barrage of data breaches where the attackers broke in through a third party service provider. According to a Ponemon Institute study, nearly half of risk professionals say their organization experienced a data breach caused by one of their vendors. Seventy three percent see the number of cyber security incidents involving vendors increasing and 65 percent say it is difficult to manage cyber security incidents involving vendors. Although the pure financial impact can often be mitigated through contracts or insurance, the reputational impacts are a lot more difficult to mitigate.
The fact that the PCI DSS 3.2 puts more responsibility on vendors to ensure their users are adopting secure cyber practices will tremendously help ease the burden.
One PCI DSS 3.2 requirement that stands out is that executive management for service providers is required to “establish responsibility” for the protection of cardholder data and a PCI DSS compliance program. The requirement is intended to “ensure executive-level visibility into the PCI DSS compliance program.”
Tomi Engdahl says:
The Past, Present, and Future of Cyber Security
http://www.securityweek.com/past-present-and-future-cyber-security
It’s No Longer Feasible to Manage Threats Individually, Given the Sheer Volume of Security Gaps That Exist.
Faced with hundreds, thousands, and even hundreds of thousands of vulnerabilities across their IT infrastructures leaves security practitioners at a virtually insurmountable disadvantage. The result is often lengthy dwell times and asynchronous iterations that limit the effectiveness of cyber security programs. This begs the question what is holding us back from prevailing against cyber-attacks. And more importantly, what are emerging approaches that allow organizations to transition from a traditional domain expert model to an interactive, iterative, and collaborative model.
According to Gartner (see ‘Designing an Adaptive Security Architecture for Protection from Advanced Attacks’, January 2016), enterprises often make the mistake of implementing a reactive, rather than pro-active approach to cyber security. They often rely on blocking techniques, which are proven to be ineffective.
First, many organizations, and even vendors, are still focusing on the network layer, while barely acknowledging other areas of the attack surface; for example, the application layer. What’s needed instead is a holistic view of the attack surface, to match the strategies and capabilities of adversaries.
Second, most vulnerability management tools rely on Common Vulnerabilities and Exposures (CVE), which can lead to a misalignment of resources and efforts.
To improve the odds of defeating cyber-attacks, organizations can implement the following three best practices:
1. Given the shortage of qualified security professionals, leverage technology to automate as many security operations tasks as possible.
2. Increase the frequency of security posture assessments as propagated by the National Institute of Standards and Technology’s “continuous monitoring and diagnostic” guidelines.
3. Lastly, extend protection measures to address today’s growing attack surface. This includes moving beyond the network layer and endpoints, to include applications, databases, cloud environments, the Internet of Things, etc.
Tomi Engdahl says:
Firefox 0day in the wild is being used to attack Tor users
Publicly released exploit works reliably against a wide range of Firefox versions.
http://arstechnica.com/security/2016/11/firefox-0day-used-against-tor-users-almost-identical-to-one-fbi-used-in-2013/
There’s a zero-day exploit in the wild that’s being used to execute malicious code on the computers of people using Tor and possibly other users of the Firefox browser, officials of the anonymity service confirmed Tuesday.
Word of the previously unknown Firefox vulnerability first surfaced in this post on the official Tor website. It included several hundred lines of JavaScript and an introduction that warned: “This is an [sic] JavaScript exploit actively used against TorBrowser NOW.” Tor cofounder Roger Dingledine quickly confirmed the previously unknown vulnerability and said engineers from Mozilla were in the process of developing a patch.
According to security researchers who analyzed the code, it exploits a memory corruption vulnerability that allows malicious code to be executed on computers running Windows.
“It’s basically almost EXACTLY the same as the payload used in 2013,” TheWack0lian told Ars. “It exploits some vuln that executes code very similar to that used in the 2013 Tor browser exploit. Most of the code is identical, just small parts have changed.”
[tor-talk] Javascript exploit
https://lists.torproject.org/pipermail/tor-talk/2016-November/042639.html
Tomi Engdahl says:
This is an annotation and very brief analysis of the payload used by the Tor Browser Bundle exploit. Earlier I pasted a dump here: http://pastebin.com/AwnzEpmX
https://tsyrklevich.net/tbb_payload.txt
Tomi Engdahl says:
Ernesto / TorrentFreak:
Copyright holders asked Google to remove 1B+ allegedly infringing links in past year; Google removed more than 90% of the reported links
Google Asked to Remove a Billion “Pirate” Search Results in a Year
https://torrentfreak.com/google-asked-to-remove-a-billion-pirate-search-results-in-a-year-161128/
Copyright holders asked Google to remove more than 1,000,000,000 allegedly infringing links from its search engine over the past twelve months. A new record, in line with the continued rise of takedown requests and the increase in pressure on Google to do more to tackle piracy.
Copyright holders continue to flood Google with DMCA takedown requests, targeting “pirate links” in the company’s search results.
In recent years the number of notices has exploded, breaking record after record.
This week TorrentFreak crunched the numbers in Google’s Transparency Report and found that over the past 12 months Google has been asked to remove over a billion links to allegedly infringing pages, 1,007,741,143 to be precise.
More than 90 percent of the links, 908,237,861 were in fact removed. The rest of the reported links were rejected because they were invalid, not infringing, or duplicates of earlier requests.
https://www.google.com/transparencyreport/removals/copyright/explore/?
Tomi Engdahl says:
UK’s new Snoopers’ Charter just passed an encryption backdoor law by the backdoor
How far will it go? You’ll have to ask the Home Secretary
http://www.theregister.co.uk/2016/11/30/investigatory_powers_act_backdoors/
Among the many unpleasant things in the Investigatory Powers Act that was officially signed into law this week, one that has not gained as much attention is the apparent ability for the UK government to undermine encryption and demand surveillance backdoors.
As the bill was passing through Parliament, several organizations noted their alarm at section 217 which obliged ISPs, telcos and other communications providers to let the government know in advance of any new products and services being deployed and allow the government to demand “technical” changes to software and systems.
Thus, by “technical capability,” the government really means backdoors and deliberate security weaknesses so citizens’ encrypted online activities can be intercepted, deciphered and monitored.
In effect, the UK government has written into law a version of the much-derided Burr-Feinstein Bill proposed in the US, which would have undermined encryption in America. A backlash derailed that draft law.
In short, what the law’s passage through Parliament has done to the UK government’s ability to force tech companies and telcos to introduce backdoors into their technologies is make it slower and a little tougher.
Does it prevent the UK government from breaking encryption? It absolutely does not. In fact, it foresees it.
Does it mean that customers will be made aware that their communications and traffic are compromised by a backdoor? No, it does not. All of the checks and balances are safely contained within the upper levels of government and the judiciary.
Based on what both the UK and US government have done in the past with all-encompassing orders that are time-based rather than product-based, and considering the fact there is nothing that says it has to be done on a case-by-case basis, it’s a safe bet that the government will approve one-size-fits-all “technical capability” notices for specific companies.
Nuts of it
Most critically, if a Cabinet minister decides she wants a backdoor to be introduced into some software, is there anything that can stop him or her? The answer to that is almost certainly no, except she can be slowed down and would likely make some concessions to move ahead.
If the Home Secretary and the Prime Minister both want a backdoor into some service is there anything that can stop them? Again, no, but a brave Investigatory Powers Commissioner could delay it for a few years.
And in the broader picture, will the UK government be able to force the likes of Twitter or Facebook or Google or Apple to introduce backdoors and/or hand over user data? And the answer to that is: let’s wait and see.
Tomi Engdahl says:
The Internet Archive Is Building a Canadian Copy To Protect Itself From Trump
https://politics.slashdot.org/story/16/11/29/1855212/the-internet-archive-is-building-a-canadian-copy-to-protect-itself-from-trump
The Internet Archive, a digital library nonprofit that preserves billions of webpages for the historical record, is building a backup archive in Canada after the election of Donald Trump.
Today, it began collecting donations for the Internet Archive of Canada, intended to create a copy of the archive outside the United States.
The Internet Archive is building a Canadian copy to protect itself from Trump
‘The history of libraries is one of loss’
http://www.theverge.com/2016/11/29/13778188/internet-archive-of-canada-backup-trump-surveillance-censorship
The Internet Archive, a digital library nonprofit that preserves billions of webpages for the historical record, is building a backup archive in Canada after the election of Donald Trump. Today, it began collecting donations for the Internet Archive of Canada, intended to create a copy of the archive outside the United States.
“On November 9th in America, we woke up to a new administration promising radical change,” writes founder Brewster Kahle. “It was a firm reminder that institutions like ours, built for the long-term, need to design for change. For us, it means keeping our cultural materials safe, private and perpetually accessible. It means preparing for a web that may face greater restrictions. It means serving patrons in a world in which government surveillance is not going away; indeed it looks like it will increase.”
The Internet Archive provides some of the most comprehensive preservation of our digital ephemera, for both intellectual study and practical use — including journalistic fact checking. Kahle estimates it will cost “millions” of dollars to host a copy of the Internet Archive in Canada, but it would shield its data from some American legal action.
The future of privacy and surveillance under the Trump administration remains unpredictable, but the president-elect has shown support for greater law enforcement surveillance powers and legal censorship, including “closing that internet up in some ways” to fight terrorism. “Somebody will say, ‘Oh freedom of speech, freedom of speech.’ These are foolish people,”
Tomi Engdahl says:
Help Us Keep the Archive Free, Accessible, and Reader Private
http://blog.archive.org/2016/11/29/help-us-keep-the-archive-free-accessible-and-private/
The history of libraries is one of loss. The Library of Alexandria is best known for its disappearance.
Libraries like ours are susceptible to different fault lines:
Earthquakes,
Legal regimes,
Institutional failure.
So this year, we have set a new goal: to create a copy of Internet Archive’s digital collections in another country. We are building the Internet Archive of Canada because, to quote our friends at LOCKSS, “lots of copies keep stuff safe.” This project will cost millions. So this is the one time of the year I will ask you: please make a tax-deductible donation to help make sure the Internet Archive lasts forever.
On November 9th in America, we woke up to a new administration promising radical change. It was a firm reminder that institutions like ours, built for the long-term, need to design for change.
Tomi Engdahl says:
The UK Is About to Legalize Mass Surveillance
http://motherboard.vice.com/read/mass-surveillance-in-the-uk-is-now-legal
On Tuesday, the UK is due to pass its controversial new surveillance law, the Investigatory Powers Act, according to the Home Office.
The Act, which has received overwhelming support in both the House of Commons and Lords, formally legalizes a number of mass surveillance programs revealed by Edward Snowden in 2013. It also introduces a new power which will force internet service providers to store browsing data on all customers for 12 months.
Civil liberties campaigners have described the Act as one of the most extreme surveillance laws in any democracy, while law enforcement agencies believe that the collection of browsing data is vital in an age of ubiquitous internet communications.
“The Investigatory Powers Act 2016 will ensure that law enforcement and the security and intelligence agencies have the powers they need in a digital age to disrupt terrorist attacks, subject to strict safeguards and world-leading oversight,” a statement from the Home Office reads.
Tomi Engdahl says:
Are you using free Wi-Fi networks? It may not be worth it
Especially on holiday it is nice to find a cafe that offers, in addition to a cup of coffee, a free wireless internet connection. According to security company Kaspersky Lab, you may not want to join such a network. Nearly one-third of them are completely unprotected and are just waiting for someone to steal your information.
Kaspersky Lab analyzed as many as 31 million free Wi-Fi base stations in different parts of the world. Of these, as many as 28 percent were classified as security risks. In practice, all data passing through these base stations – personal messages, passwords and documents – can be intercepted.
A quarter, or 25 percent, of the world’s Wi-Fi networks are not encrypted or protected by any type of password. Three per cent encrypt traffic with the WEP protocol, which can be broken in minutes with tools that can be downloaded for free online.
Source: http://etn.fi/index.php?option=com_content&view=article&id=5498:kaytatko-ilmaisia-wifi-verkkoja-ei-ehka-kannattaisi&catid=13&Itemid=101
Tomi Engdahl says:
The Guardian:
The Guardian has moved to HTTPS, partly to stop ISPs tracking what readers are reading, information the paper believes “may be used against them”
The Guardian has moved to HTTPS
https://www.theguardian.com/info/developer-blog/2016/nov/29/the-guardian-has-moved-to-https
Discover why and how the Guardian has moved to HTTPS, the secure version of the web protocol that helps to protect user privacy
Tomi Engdahl says:
Mary Beth Quirk / Consumerist:
New York Governor Andrew Cuomo signs law criminalizing resale of tickets obtained via bots — Perhaps you’ve been here before: you’re waiting patiently, albeit a bit anxiously, for the moment when you can buy tickets to a concert or sporting event online. But despite your best efforts …
New York Bars Scalpers From Using Bots To Snap Up Tickets Before Everyone Else
https://consumerist.com/2016/11/29/new-york-bars-scalpers-from-using-bots-to-snap-up-tickets-before-everyone-else/
Perhaps you’ve been here before: you’re waiting patiently, albeit a bit anxiously, for the moment when you can buy tickets to a concert or sporting event online. But despite your best efforts and quick action, you find that someone has swooped in and snapped up all the tickets, leaving you to the mercies of online resellers that may jack up the cost of tickets.
“It’s predatory, it’s wrong and, with this legislation, we are taking an important step towards restoring fairness and equity back to this multi-billion dollar industry.”
Tomi Engdahl says:
Hackers Are Trading Hundreds of Thousands of xHamster Porn Account Details
http://motherboard.vice.com/read/hackers-are-trading-hundreds-of-thousands-of-xhamster-porn-account-details
Hundreds of thousands of user account details for porn site xHamster are being traded on the digital underground.
The database of nearly 380,000 users, provided to Motherboard by for-profit breach notification site LeakBase, includes usernames, email addresses, and what appears to be poorly-hashed passwords.
The database includes some 40 email addresses belonging to the US Army, and 30 related to various US, UK, and other countries’ government bodies.
According to LeakBase, the data was being traded at around the same time a hacker found a vulnerability in xHamster’s website earlier this year, but it is not clear how exactly this database was obtained.
Tomi Engdahl says:
Dell Cameron / The Daily Dot:
Barrett Brown is released after four-plus years in prison following charges stemming from Stratfor hack, must pay $890,250 in restitution for sharing a link — Dallas-based journalist Barrett Brown walked free from prison on Tuesday morning after spending more than four years behind bars.
Barrett Brown leaves prison still chained to a crime he didn’t commit
http://www.dailydot.com/layer8/barrett-brown-free/
Dallas-based journalist Barrett Brown walked free from prison on Tuesday morning after spending more than four years behind bars.
The 35-year-old cause célèbre, convicted in January 2015 after spending more than two years in pretrial confinement, faces a laundry list of post-release restrictions and obligations, including drug treatment, mental health evaluations, and computer monitoring.
Brown has been ordered to continue paying at least $200 every month to Stratfor, the Austin-based intelligence firm, over the devastating cyberattack that nearly crippled the company five years ago. While Brown had no foreknowledge of the security breach—which, despite popular belief, occurred more than a month prior to the involvement of Anonymous hacker Jeremy Hammond and his AntiSec crew—Brown is nevertheless stuck paying $890,250 in restitution for a computer crime he had neither the skillset nor the inclination to carry out himself.
An offbeat agitator, Brown is what David Carr, the late New York Times journalist, described as “a pretty complicated victim.”
Brown’s case was often depicted in the press as having potentially far-reaching consequences for journalists and researchers.
The U.S. government’s position, Heath said, was that Brown, by copying and pasting a hyperlink in a chatroom, had done the “same thing” as the hackers who had actually infiltrated the company and stolen thousands of credit cards, which they used—and Brown did not—to allegedly rack up more than $700,000 in fraudulent charges. “Regardless of whether or not it had been made public by somebody else,” Heath told the court, “Mr. Brown took material, data, credit card information that he understood to be stolen and purposefully trafficked in it to another location for other people to use.”
The prosecution admitted it had no evidence that anyone who clicked on the link shared by Brown had stolen any money.
A Verizon security team, contracted to audit Stratfor’s servers in January 2012, found that only three out of 12 mandated fraud prevention requirements had been met. Eight of the nine security requirements not met by Stratfor directly contributed to the breach, the researchers found. The firm’s corporate environment and e-commerce environment were not properly segregated as they should have been; there was no anti-virus solution deployed on any of the systems reviewed by investigators; and the company’s stored customer data was not protected with industry-standard encryption.
“In light of a confirmed system breach,” Verizon reported, “it should be noted that several distinct vulnerabilities and network configurations existed that allowed this breach and subsequent data compromise to occur.”
Tomi Engdahl says:
Europol Red-faced as Terror Data Appears Online
http://www.securityweek.com/europol-red-faced-terror-data-appears-online
Europol admitted on Wednesday that confidential information on terror investigations was accidentally put online, as it launched a probe into what it called a “very serious incident.”
Dutch investigative TV programme Zembla, which broke the story, said around 700 pages on terror investigations — particularly analysis on terror groups — appeared online, including the names and contact details of hundreds of people with terror links.
The breach happened after the woman, “an experienced police officer… uploaded Europol data to a private storage device… in clear contravention of Europol policy,” Europol spokesman Gerald Hesztera told AFP.
“A security investigation in coordination with the respective authorities at national level is ongoing…(but) current information suggests that the breach was not ill-intended,” he said.
Tomi Engdahl says:
Cyber Defenders Must Focus on the Ends, Not the Means
http://www.securityweek.com/cyber-defenders-must-focus-ends-not-means
Too Many Organizations Focus on the Means, Rather than the Ends
For those of us who have worked in security operations and incident response for a while, we’ve seen that an attacker will use whatever means are necessary to accomplish a given end. In other words, to execute the attacker’s objectives, he or she will take whatever path will lead to success.
Although this famous question is traditionally asked in a moral context, that is not my purpose or place here. Rather, if we dissect this question analytically, we find that it provides us a model we can use to improve our respective security postures. To better understand what I’m getting at, let’s abstract security into a different model inspired by this question: the ends and the means.
Unfortunately, in security, we focus almost entirely on the means. Perhaps ironically, it is the ends that we should instead be focused on. What do I mean by this? If we go back to first principles and think about risk mitigation, it should become clearer. Allow me to illustrate through a few examples.
Internet of Things (IoT)
There is plenty of buzz and hype surrounding IoT, and in fact, infected IoT devices have been blamed for several recent DDoS attacks. There is no question that building security into IoT devices will remain an important topic for years to come.
If you’re a defender, you may be struggling to make sense of IoT. You may get drive-by enquiries from management.
Perhaps you are also wondering how to include IoT under the umbrella of your existing security program.
These are all valid concerns, and I believe that, for the defender, the answers lie in focusing on the ends, rather than the means. Compromising IoT devices is a means for an attacker.
What is the attacker after? What is the risk that poses to the organization?
Cloud
Securing an enterprise in transition seems like a daunting task. Until we shift our focus to the ends, that is.
When we look at the cloud as a means for an attacker to steal data, disrupt business, commit fraud, or any number of possible outcomes, our perspective shifts. Instead of trying to protect the cloud like we protect a traditional enterprise network, we move to focusing on mitigating the risks that could result from unauthorized access to information or resources in the cloud.
Within this framework, we move to understanding how we can mitigate risk through monitoring and response.
Spear Phishing
It will likely surprise no one that attackers are still leveraging spear phishing as a means into an organization quite regularly. Sometimes, people ask me why this is the case. In my opinion, the answer is quite simple: it’s easy and it works. Spear phishing seems to be one of the favorite ways attackers gain a foothold inside an organization for the purpose of compromising credentials, moving laterally, acquiring information, exfiltrating data, and other types of nefarious activities.
Tomi Engdahl says:
“Gooligan” Android Malware Steals Authentication Tokens to Hack User Accounts
http://www.securityweek.com/gooligan-android-malware-compromises-more-1-million-google-accounts
“Gooligan” Android Malware Steals Authentication Tokens to Compromise More Than 1 Million Google User Accounts
Researchers from Check Point Software Technologies shared details on Wednesday of new Android malware that has compromised more than a million Google Accounts.
Dubbed Gooligan by the security firm, the malware targets devices running Android 4 and 5, which represent nearly 74 percent of Android devices currently in use.
According to Check Point, the mobile malware can steal authentication tokens stored on devices which can be used to access sensitive data from Gmail, Google Photos, Google Docs and other services, including G Suite.
Check Point’s research team originally discovered Gooligan’s code in a malicious app called SnapPea last year. They discovered a new variant in August 2016 which they say is infecting 13,000 Android devices per day, with approximately 57 percent of infected devices located in Asia and about nine percent in Europe.
“The infection begins when a user downloads and installs a Gooligan-infected app on a vulnerable Android device, or by clicking on malicious links in phishing attack messages,” Check Point explained in a blog post.
After gaining control over the Android device, the cybercriminals behind Gooligan make money by fraudulently installing apps from Google Play and rating them on behalf of the victim, Check Point said. Gooligan installs at least 30,000 apps daily on compromised devices, totaling more than 2 million apps since the campaign first kicked off.
“If your account has been breached, a clean installation of an operating system on your mobile device is required.”
Check Point Press Releases
More Than 1 Million Google Accounts Breached by Gooligan, New Android Malware Variant
Check Point reveals a major Google security breach, caused by a new Android malware variant that infects over 13,000 devices every day
https://www.checkpoint.com/press/2016/1-million-google-accounts-breached-gooligan-new-android-malware-variant/
Tomi Engdahl says:
How to Use SDN/NFV to Fight Cyber Attacks
http://www.btreport.net/articles/2016/11/how-to-use-sdn-nfv-to-fight-cyber-attacks.html?cmpid=enlmobile11292016&eid=289644432&bid=1598858
Recent cyber attacks using Internet of Things (IoT) devices have highlighted the value of SDN/NFV in fighting cyber crime.
IoT devices have been leveraged in at least two large distributed denial-of-service (DDoS) attacks in the last couple of months, commonly referred to as the Mirai botnet. Boiled down to basics, software is used to scan specific ports, looking for a way to get to the SSH or Telnet command on a device. There are user names and passwords hardcoded on a device used to access these systems. The device can be used as a control bot to launch an attack.
The much talked-about network functions virtualization (NFV) and software defined networking (SDN) could play a vital role in solving security issues as the industry moves forward, wrote Steve Goeringer, principal security architect, CableLabs, in a recent blog post.
The IoT devices exist as part of a device chain in an ecosystem that delivers feature rich and dramatic services to users, so the security solution needs to be holistic, Goeringer explained to BTR. “With NFV and SDN, we can use an open distributed architecture that leverages these new virtualization technologies to provide more dynamic, flexible security solutions that are easier to patch and upgrade.”
NFV and SDN offer standardized features, processes and protocols so that security tools can be deployed more quickly and applications can be patched more easily.
Privacy is an ongoing concern, particularly as consumers are wearing more devices. However, operators do need to be able to trace attacks to the maliciously used device. Scriber suggests that devices need an “immutable, attestable, and unique identifier” to enable this. Confidentiality should be protected with encryption. The problem is that some IoT devices do not have the processing power traditionally needed for PKI. However, Elliptic Curve Cryptography requires smaller keys, Scriber said.
Network protection against attacks like the one described above requires security in all IoT devices down to the lightbulb and thermostat. Both have computational power, a processor, storage, memory, an operating system, etc., and use credentials the homeowner has provided to operate on the local network. While a PC uses antivirus software and is frequently scanned, this does not happen on an IoT device like a lightbulb.
One of the consortiums he was speaking about is the Open Connectivity Foundation, comprising more than 250 manufacturing companies, network operators, device aggregators, chip manufacturers, and others. Work is being done on many different security angles, including device communication, cryptography, onboarding and offboarding, and how control to these devices is accessed.
“That is how we are defining an infrastructure for IoT: (Looking for a mechanism) that can be used for very small devices on up. When we talk about devices too small or constrained to do this, we limit their capabilities on the network,” Scriber said. The smallest of devices also might have a trusted partner that goes with it for network operations.
Tomi Engdahl says:
Microsoft Experts Launch Anti-Recon Tool for Windows 10, Server 2016
http://www.securityweek.com/microsoft-experts-launch-anti-recon-tool-windows-10-server-2016
Itai Grady and Tal Be’ery of the Microsoft Advanced Threat Analytics (ATA) research team have released a new tool designed to help security teams harden the Windows 10 and Windows Server 2016 machines on their network against reconnaissance attempts.
Dubbed “SAMRi10” (pronounced Samaritan), the tool is a simple PowerShell script that changes the default Security Account Manager (SAM) access permissions on Windows 10 and Windows Server 2016 in an effort to prevent attackers from collecting potentially valuable recon information.
Tomi Engdahl says:
Newly Uncovered Tor Browser Exploit Targeted Dark Web Child Porn Site
https://motherboard.vice.com/read/tor-browser-zero-day-exploit-targeted-dark-web-child-porn-site-giftbox
On Tuesday, reports surfaced of an exploit being deployed in the wild against users of the anonymizing software Tor Browser. Like other Tor Browser exploits used in the past, it was likely used to target visitors of a dark web child pornography site, Motherboard has found.
The existence of the exploit first emerged when a pseudonymous tipster published the code on a Tor mailing list.
“This is an Javascript exploit actively used against TorBrowser NOW,” they wrote.
Motherboard has found several reports that the code had been deployed on a Tor hidden service peddling child pornography
active discussion on another child pornography site about the malware
“NIT Found! Suspected to be Operated by Law Enforcement,” the entry continues. A NIT, or a network investigative technique, is a general term used by the FBI to describe the agency’s malware.
On Tuesday, a pseudonymous user on Hacker News also said the exploit was used on the “CP site” GiftBox.
The site administrators said they were shutting down the main GiftBox site on November 15
The Tor Browser is based on Mozilla’s Firefox
Joshua Yabut, a researcher who analyzed the exploit, told Ars Technica that the code is “100 percent effective for remote code execution on Windows systems.” The payload of this latest malware points to an IP address of 5.39.27.226, a server in France belonging to hosting provider OVH.
The code for the exploit has been public for nearly 24 hours now, meaning there is a chance that others may have attempted to use it themselves before it had been patched.
Tomi Engdahl says:
Tor Browser vulnerability used to attack visitors to a child porn site
http://www.theverge.com/2016/11/30/13799498/tor-browser-vulnerability-child-porn-fbi-exploit
A child pornography site called Giftbox has been attacking its users with a newly discovered exploit in the Tor Browser, according to an exclusive report from Motherboard. According to one user, the exploit was present on the main page, giving attackers a clear way to plant malware on any computer that visited the site.
It’s not clear what the attackers used the exploit for, or what any resulting programs might have done, but such an exploit would have been an easy way for law enforcement to track down anyone visiting the illegal site.
The new exploit isn’t an attack on Tor itself, which disguises traffic by routing it through a larger network. Instead, the attack focuses on the Tor Browser, a modified version of Firefox designed for connecting to websites that can only be accessed through the Tor network.
There’s no clear evidence for who’s behind the attack, but the tactics are very similar to a number of recent FBI operations. In 2013, the FBI took down a number of hidden services on the Freedom Hosting network, employing a similar browser-based exploit. A year later, the FBI took control of a child porn site called Playpen and — rather than shutting the site down — used it to actively seed tracking malware to its visitors, using that information to identify and prosecute them.
That operation is still legally controversial, but soon it will be much easier for US judges to authorize similar hacks. On December 1st, new amendments to the rules of criminal procedure are set to take effect, allowing judges to write warrants for networked computers regardless of their location.
That new legal power, combined with the growing availability of law enforcement malware, would make it much easier for agencies to target and prosecute anonymous figures online, potentially causing significant collateral damage to systems in the process.
Tomi Engdahl says:
Bitcoin Exchange Ordered To Give IRS Years of Data On Millions of Users
https://yro.slashdot.org/story/16/12/01/2034208/bitcoin-exchange-ordered-to-give-irs-years-of-data-on-millions-of-users
Last month, instead of asking for data relating to specific individuals suspected of a crime, the Internal Revenue Service (IRS) demanded that America’s largest Bitcoin service, Coinbase, provide the identities of all of the firm’s U.S. customers who made transactions over a three year period because there is a chance they are avoiding paying taxes on their bitcoin reserves.
Bitcoin Exchange Ordered to Give IRS Years of Data on Millions of Users
http://gizmodo.com/bitcoin-exchange-ordered-to-give-irs-years-of-data-on-m-1789544707
Tomi Engdahl says:
Multiple Vulnerabilities In AirDroid Opens At Least 10 Million Android Users To MITM Attacks, Hijackings
https://it.slashdot.org/story/16/12/02/0354251/multiple-vulnerabilities-in-airdroid-opens-at-least-10-million-android-users-to-mitm-attacks-hijackings
AirDroid is a popular Android application that allows users to send and receive text messages and transfer files and see notifications from their computer. Zimperium, a mobile security company, recently released details of several major security vulnerabilities in the application, allowing attackers on the same network to access user information and execute code on a user’s device. Since there are between 10 and 50 million installations of the app, many users may be imperiled by AirDroid.
The security issues are mainly due to AirDroid using the same HTTP request to authorize the device and send usage statistics. The request is encrypted, but uses a hardcoded key in the AirDroid application (so essentially, everyone using AirDroid has the same key).
Tomi Engdahl says:
French Man Sentenced To Two Years In Prison For Visiting Pro-ISIS Websites
https://yro.slashdot.org/story/16/12/01/2232251/french-man-sentenced-to-two-years-in-prison-for-visiting-pro-isis-websites
According to French media, a court in the department of Ardeche on Tuesday sentenced a 32-year-old man in France to two years in prison for repeatedly visiting pro-ISIS websites — even though there was no indication he planned to stage a terrorist attack.
French man sentenced to two years in prison for visiting pro-ISIS websites
Conviction handed down under controversial law that has drawn criticism from rights groups
http://www.theverge.com/2016/12/1/13805168/france-isis-website-browsing-history-prison-conviction
A man in France was sentenced to two years in prison this week for repeatedly visiting pro-ISIS websites, even though there is no indication that he planned to stage a terrorist attack. The 32-year-old, whose name has not been released, was convicted by a court in the department of Ardèche on Tuesday under a new law that has drawn scorn from civil liberties groups.
According to French media, police discovered the man’s browsing history after conducting a raid on his house. During the investigation, they found pro-ISIS images and execution videos on his phone, personal computer, and a USB stick.
Tomi Engdahl says:
Shamoon malware returns to again wipe Saudi-owned computers
Iran suspected as likely source of re-vamped nastyware
http://www.theregister.co.uk/2016/12/02/accused_iranian_disk_wiper_returns_to_destroy_saudi_orgs_agencies/
Thousands of computers in Saudi Arabia’s civil aviation agency and other Gulf State organisations have been wiped by the Shamoon malware after it resurfaced some four years after wiping thousands of Saudi Aramco workstations.
Security firms FireEye, CrowdStrike, McAfee, PaloAlto, and Symantec reported on the advanced sabotage malware which United States intelligence officials say is Iran’s handiwork.
Tomi Engdahl says:
Google Chrome and (weird) DNS requests
http://www.dshield.org/diary/Google%2BChrome%2Band%2B(weird)%2BDNS%2Brequests/10312
In order to speed up browsing, Google Chrome does a lot of DNS requests in advance (DNS prefetching – this can even be turned on and off in Chrome’s options). When Chrome is started it will look up domain names for previously opened web pages early in the startup process, so if the user clicks on one of those links Chrome can connect to the target site immediately.
Among those requests Chrome also tries to find out if someone is messing with the DNS (i.e. “nasty” ISPs that have wildcard DNS servers to catch all domains). Chrome does this by issuing 3 DNS requests to randomly generated domain names, for every DNS extension configured.
How bad is this? Well, it’s not too bad but it is certainly causing some extra traffic, especially since it depends on caching of (mostly) negative answers.
DNS Prefetching
https://sites.google.com/a/chromium.org/dev/developers/design-documents/dns-prefetching
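The wildcard check described in the diary above, written out as an added example (not Chrome's code, and not from the diary): random labels that should never exist are resolved, and a resolver that answers most of them with one address is flagged as hijacking NXDOMAIN. The probe count and the 7–15 letter label lengths are assumptions for this example; the resolver is injectable so the constructed honest and hijacking resolvers run offline.

```python
"""Wildcard-DNS (NXDOMAIN hijacking) check modelled on Chrome's startup probes.

Added example for the diary entry above; not code from Chrome or from the diary.
Probe count and label lengths are assumptions chosen for illustration.
"""
import secrets
import socket
import string
from collections import Counter
from typing import Callable, Dict, Optional, Sequence

PROBE_COUNT = 3               # assumption: three random names per search suffix
MIN_LABEL, MAX_LABEL = 7, 15  # assumption: random label length range

Resolver = Callable[[str], Optional[str]]  # hostname -> address, None on NXDOMAIN


def random_probe_name(rng=secrets) -> str:
    """A random lowercase label that should not exist in any real zone."""
    length = MIN_LABEL + rng.randbelow(MAX_LABEL - MIN_LABEL + 1)
    return "".join(rng.choice(string.ascii_lowercase) for _ in range(length))


def system_resolver(name: str) -> Optional[str]:
    """Resolve with the OS stub resolver; NXDOMAIN/SERVFAIL become None."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def probe_suffix(resolve: Resolver, suffix: str, probes: int = PROBE_COUNT) -> Optional[str]:
    """Return the address a wildcard resolver hands out under `suffix`, or None if honest.

    A resolver is judged to be wildcarding when at least two random probes resolve
    to the same address: one hit could be a coincidence, two identical hits are policy.
    """
    answers: Counter = Counter()
    for _ in range(probes):
        name = random_probe_name()
        if suffix:
            name = f"{name}.{suffix}"
        addr = resolve(name)
        if addr is not None:
            answers[addr] += 1
    if not answers:
        return None
    addr, hits = answers.most_common(1)[0]
    return addr if hits >= 2 else None


def detect_wildcard_dns(resolve: Resolver, suffixes: Sequence[str] = ("",)) -> Dict[str, Optional[str]]:
    """Run the probe once per configured search suffix (empty string = bare label)."""
    return {suffix: probe_suffix(resolve, suffix) for suffix in suffixes}


# Constructed resolvers standing in for an honest ISP and one that hijacks NXDOMAIN.
def honest_resolver(name: str) -> Optional[str]:
    return None  # every random label is NXDOMAIN, as it should be


def hijacking_resolver(name: str) -> Optional[str]:
    return "198.51.100.7"  # constructed: every unknown name lands on a search portal


if __name__ == "__main__":
    for label, resolver in (("honest", honest_resolver), ("hijacking", hijacking_resolver)):
        print(label, detect_wildcard_dns(resolver, ("", "corp.example")))
```

Pass `system_resolver` to `detect_wildcard_dns` to test the resolver the machine is actually using.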
Tomi Engdahl says:
Russia Says Foreign Spies Plotted Huge Cyberattack
http://www.securityweek.com/russia-says-foreign-spies-plotted-huge-cyberattack
Russia on Friday said it had uncovered plans by foreign intelligence services to carry out massive cyberattacks this month targeting the country’s financial system.
The FSB security service said in a statement that it had received information on “plans by foreign secret services to carry out large-scale cyberattacks from December 5.”
It said the planned attacks were aimed at “destabilizing Russia’s financial system including the activities of a number of major banks.”
The claim came after Moscow-based security giant Kaspersky said in November that a massive cyberattack had hit at least five of Russia’s largest banks.
The FSB did not say which countries’ secret services were involved in the latest plot against Russian banks but alleged the attacks would use servers and “command centers” located in the Netherlands belonging to Ukrainian hosting company BlazingFast.
Tomi Engdahl says:
Researchers Propose Software Mitigations for Rowhammer Attacks
http://www.securityweek.com/researchers-propose-software-mitigations-rowhammer-attacks
A team of researchers has proposed two software-based methods that could be used to mitigate Rowhammer, a type of attack that exploits weaknesses in the design of dynamic random-access memory (DRAM).
Rowhammer attacks are possible due to increasing DRAM density, which has led to memory cells being physically smaller and closer together. If a row is accessed repeatedly, it causes bit flips in adjacent memory rows.
The first working privilege escalation exploits leveraging Rowhammer were disclosed by Google researchers in March 2015. Experts later created a JavaScript implementation, and they recently demonstrated that the attack can even be used to root some Android devices.
Rowhammer attacks are not easy to mitigate, particularly using software. The most efficient mitigation involves redesigning DRAM modules. However, researchers from the Technische Universität Darmstadt and the University of Duisburg-Essen in Germany have now come up with what they call “practical and generic software-only defenses.”
The first method, dubbed B-CATT, doesn’t require any changes to the OS and it can be used on all x86 systems. B-CATT is a bootloader extension that locates and disables vulnerable physical memory. Vulnerable memory addresses are identified using existing Rowhammer exploitation tools. Since OSs are designed to handle unavailable memory regions, B-CATT should not break any system functionality, researchers said.
The second mitigation, G-CATT (Generic-CATT), aims to prevent bit flips from affecting memory locations belonging to high-privileged security domains, such as the kernel and co-located virtual machines. It does this by ensuring that memory between the row controlled by the attacker and the row storing the targeted data are separated by at least one row.
The researcher believes the B-CATT idea is “fairly good,” but there are some weak points,
CAn’t Touch This: Practical and Generic Software-only Defenses Against Rowhammer Attacks
https://arxiv.org/pdf/1611.08396v1.pdf
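A toy model of the G-CATT rule described above (attacker-controlled rows and rows of a higher-privileged domain must be separated by at least one row), as an added example that is not code from the CATT paper or the article. The linear address-to-row mapping, the 8 KiB row size and the domain names are constructed for illustration; a real implementation lives in the kernel's physical page allocator and needs the DRAM's actual address mapping.

```python
"""Toy model of G-CATT-style physical memory partitioning with guard rows.

Added example, not the CATT authors' code. Row size, row count and domain labels
are constructed; the address-to-row mapping is a simplified linear one.
"""
from typing import Dict, List, Optional, Set

ROW_BYTES = 8 * 1024  # assumption: one DRAM row spans 8 KiB of physical address space
GUARD = "guard"       # rows deliberately left unused between security domains


def row_of(phys_addr: int) -> int:
    """Map a physical address to a DRAM row under the linear mapping assumed here."""
    return phys_addr // ROW_BYTES


def neighbour_rows(row: int, last_row: int) -> Set[int]:
    """Rows whose cells hammering `row` can disturb: the physically adjacent rows."""
    return {r for r in (row - 1, row + 1) if 0 <= r <= last_row}


def partition_rows(total_rows: int, domains: Dict[str, int]) -> List[Optional[str]]:
    """Lay domains out back to back with one guard row between each pair (the G-CATT rule)."""
    layout: List[Optional[str]] = []
    for name, rows in domains.items():
        if layout:  # not the first partition: insert the guard row first
            layout.append(GUARD)
        layout.extend([name] * rows)
    if len(layout) > total_rows:
        raise ValueError("partitions do not fit in memory")
    layout.extend([None] * (total_rows - len(layout)))  # unallocated tail
    return layout


def cross_domain_targets(layout: List[Optional[str]], attacker: str) -> Set[str]:
    """Other domains whose rows are adjacent to rows owned by `attacker`.

    Under the adjacency model above, these are the only domains in which a bit
    flip induced from the attacker's rows could land. Empty set means isolated.
    """
    last = len(layout) - 1
    reachable: Set[str] = set()
    for row, owner in enumerate(layout):
        if owner != attacker:
            continue
        for victim in neighbour_rows(row, last):
            v = layout[victim]
            if v not in (None, GUARD, attacker):
                reachable.add(v)
    return reachable


def verify_isolation(layout: List[Optional[str]]) -> bool:
    """True when no two adjacent rows belong to different domains (guard/free rows excepted)."""
    owners = [o for o in layout]
    for a, b in zip(owners, owners[1:]):
        if a in (None, GUARD) or b in (None, GUARD):
            continue
        if a != b:
            return False
    return True


if __name__ == "__main__":
    # Naive allocator: kernel and user pages end up in alternating rows.
    naive = ["kernel", "user"] * 8
    # G-CATT-style allocator: one contiguous partition per domain plus a guard row.
    guarded = partition_rows(16, {"kernel": 4, "user": 6})
    for name, layout in (("naive", naive), ("guarded", guarded)):
        print(name, "isolated:", verify_isolation(layout),
              "reachable from user:", cross_domain_targets(layout, "user"))
```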
Tomi Engdahl says:
FBI, GCHQ Get Foreign Hacking Authority
http://www.securityweek.com/fbi-gchq-get-foreign-hacking-authority
Changes to Rule 41 of the federal rules of criminal procedure come into force today, giving the FBI (with a judicially granted search warrant) authority to hack computers in any jurisdiction, and potentially overseas. This happened just two days after the UK’s Investigatory Powers Act (IPA) was granted royal assent and became law. The latter gives Britain’s Government Communications Headquarters (GCHQ) the legal authority to ‘mass hack’ outside of the UK.
Although this is a major expansion of FBI authority, it is merely an expansion of existing authority. This is not the case with the UK’s Investigatory Powers Act. It has been known since Snowden’s revelations that GCHQ hacks into computers; but it had been doing so illegally.
The new IPA (PDF) now makes this legal. It does not use the term ‘hacking’ but describes it as ‘equipment interference’.
Targeted local hacking is also a bit of a misnomer. The Act contains the concept of a ‘general warrant’ where the target could be a group or an organization or a location rather than an individual even within the UK. If GCHQ believed a terrorist threat was imminent in a particular town, it could obtain a warrant that could effectively cover everyone in that town.
Hacking, however, is not the only new or expanded surveillance capability provided by the IPA. Two that are causing particular concern are the retention of everybody’s internet data by ISPs for 12 months, and the provision for what amounts to a general encryption backdoor.
Critics point to recent ISP breaches, including Three Mobile and TalkTalk. With so much more personal data being held, the ISPs will become prime targets for cyber criminals and even foreign states — and the suggestion is that some of these ISPs will undoubtedly and inevitably be breached.
The encryption backdoor is fittingly backdoored into the legislation.
“The Secretary of State may give a relevant operator a technical capability notice” where the obligations include “the removal by a relevant operator of electronic protection applied by or on behalf of that operator to any communications or data…”
Tomi Engdahl says:
Facebook:
Facebook, Microsoft, Twitter, and YouTube will create a database to share hashes of terrorist images and recruitment videos removed from their services — Facebook, Microsoft, Twitter and YouTube are coming together to help curb the spread of terrorist content online.
Partnering to Help Curb Spread of Online Terrorist Content
http://newsroom.fb.com/news/2016/12/partnering-to-help-curb-spread-of-online-terrorist-content/
Facebook, Microsoft, Twitter and YouTube are coming together to help curb the spread of terrorist content online. There is no place for content that promotes terrorism on our hosted consumer services. When alerted, we take swift action against this kind of content in accordance with our respective policies.
Starting today, we commit to the creation of a shared industry database of “hashes” — unique digital “fingerprints” — for violent terrorist imagery or terrorist recruitment videos or images that we have removed from our services. By sharing this information with each other, we may use the shared hashes to help identify potential terrorist content on our respective hosted consumer platforms. We hope this collaboration will lead to greater efficiency as we continue to enforce our policies to help curb the pressing global issue of terrorist content online.
Tomi Engdahl says:
Andy Greenberg / Wired:
The White House releases recommendations from a nine-month study of US cybersecurity issues; it is now up to the Trump administration to implement them
Obama Has a Plan to Fix Cybersecurity, But Its Success Depends on Trump
https://www.wired.com/2016/12/obama-cybersecurity-plan/
The Obama White House has had to reckon with cybersecurity like no other presidential administration in history, from China’s 2009 hack of Google, to the Office of Personnel Management breach, to the rise of botnets built from dangerously insecure “internet-of-things” devices. Now, in the waning days of Obama’s presidency, his team has a new plan to shore up America’s protections from digital threats. Whether any of it happens, though, is up to Donald Trump.
Late Friday afternoon last week, the White House’s Commission on Enhancing National Cybersecurity released the results of a nine-month study of America’s cybersecurity problems. Its recommendations, in a hundred-page report, cover a lot of ground. It proposes fixing the shambolic security of internet-of-things consumer devices like routers and webcams, re-organizing responsibility for the cybersecurity of federal agencies, and fostering a new generation of skilled American cybersecurity experts, among other actionable steps.
But as President Obama acknowledged in a statement accompanying those recommendations, actualizing them is largely out of his hands.
COMMISSION ON ENHANCING NATIONAL CYBERSECURITY
https://www.whitehouse.gov/sites/default/files/docs/cybersecurity_report.pdf
Tomi Engdahl says:
Brian Barrett / Wired:
IBM launches Watson for Cybersecurity beta program involving 40 companies across industries like finance, healthcare, and more — You may know Watson as IBM’s Jeopardy-winning, cookbook-writing, dress-designing, weather-predicting supercomputer-of-all trades.
IBM’s Watson Now Fights Cybercrime in the Real World
https://www.wired.com/2016/12/ibm-watson-for-cybersecurity-beta/
You may know Watson as IBM’s Jeopardy-winning, cookbook-writing, dress-designing, weather-predicting supercomputer-of-all trades. Now it’s embarking on its biggest challenge yet: Preventing cybercrime in finance, healthcare, and other fields.
Starting today, 40 organizations will rely upon the clever computer’s cognitive power to help spot cybercrime. The Watson for Cybersecurity beta program helps IBM too, because Watson’s real-world experience will help it hone its skills and work within specific industries. After all, the threats that keep security experts at Sun Life Financial up at night differ from those that spook the cybersleuths at University of New Brunswick.
Watson isn’t starting from scratch here. IBM researchers started training Watson in the fundamentals of cybersecurity last spring so the computer could begin to analyze and prevent threats. Now it graduates to real-world situations to further hone its skills. Think of it as the world’s smartest intern.
Tomi Engdahl says:
Greg Avery / Denver Business Journal:
Cybersecurity company Optiv cancels IPO plans after selling majority stake to private equity firm KKR — The IPO of Denver-based cybersecurity company Optiv Security Inc. has been canceled and it will stay privately held after private equity firm KKR became the majority owner of the business.
Optiv IPO halted by private equity purchase
http://www.bizjournals.com/denver/news/2016/12/06/optiv-ipo-halted-by-private-equity-purchase.html?page=all
Tomi Engdahl says:
Priya Anand / BuzzFeed:
After Uber updated to track user locations five minutes after rides end, EFF asks for a rollback
Privacy Advocates Want Uber To Stop Tracking Users After Rides End
https://www.buzzfeed.com/priya/eff-wants-uber-to-stop-tracking-users-after-rides-end?utm_term=.wu3vqrXKl#.qlQzdBK3V
The Electronic Frontier Foundation said users should have the ability to opt out of an app update that tracks riders five minutes after they’ve been dropped off.
Tomi Engdahl says:
Beware! Firefox updates may reset preferences
http://www.ghacks.net/2016/12/05/beware-firefox-updates-may-reset-preferences/
Firefox updates should not have any impact on a user’s custom configuration of the browser. There are a couple of exceptions to the rule. One is if Mozilla decides to remove a preference from the browser, or rename it.
Tomi Engdahl says:
China and Russia aren’t ready to go it alone on tech, but their threats are worryingly plausible
Vendors caught between risks and fear of missing out on growth markets
http://www.theregister.co.uk/2016/12/07/russia_china_tech_policy/
China and Russia are populous, wealthy nations that the technology industry has long regarded as exceptional growth prospects.
And then along came Edward Snowden, whose suggestions that American vendors were complicit in the United States’ surveillance efforts gave governments everywhere a reason to re-think their relationship with big technology companies.
Russia and China both responded by citing a combination of national security concerns and a desire to grow their own technology industries as the twin motivations for policies that make it harder for foreign technology companies to access their markets.
Both nations now operate approved vendor lists that government agencies and even businesses must consider when shopping for technology. Russia is forcing web companies to store personal data on its soil. China demands to see vendors’ source code and has made the price of admission to its market a joint venture with a local firm, along with a technology transfer deal. Last month China also passed a security law requiring vendors to assist local authorities with investigations while further restricting internet freedoms.
“If China were a smaller market there is no way the government would get away with the controls of the internet, supporting domestic industry and requiring technology transfer,” he says. “You could not get away with it and still be part of the global supply chain.”
Tomi Engdahl says:
Veritas lays off ‘30 per cent’ of sales staff – merry Christmas!
Let’s hope it protects your information better than it protects its own jobs
http://www.theregister.co.uk/2016/12/06/veritas_layoffs/
Veritas has axed 30 percent of its sales staff in the US and Europe, The Register has learned.
The data security biz was spun out of Symantec and entered private ownership just after the turn of the year. The company is based in Mountain View, California, and employs about 7,000 people.
Tomi Engdahl says:
Big Switch takes big bet it can beat off big denial of service attacks
Yuge attacks. The best attacks. Terabit-scale attacks from internet things
http://www.theregister.co.uk/2016/12/07/big_switch_takes_big_bet_it_can_beat_off_big_attacks/
Big Switch Networks is taking aim at the kinds of IoT-based attacks that have rocked the Internet this year.
Headlining its BigSecure Architecture release today is a service chaining solution the company’s chief product officer Prashant Gandhi told Vulture South can scale up to deflect a terabit-scale attack in about ten minutes, but will also “give you the ability to survive for hours”.
For a purely volumetric attack, Gandhi said the software-defined networking (SDN) controller in the demilitarised zone (DMZ) can reconfigure the service chain “so the traffic is redirected to the [security] infrastructure for mitigation”.
The controller then uses flow-based policies and access control lists to tell switches to drop the attack traffic.
However, as we’ve seen in the attacks against Dyn’s domain name services and Krebsonsecurity.com, Mirai-based botnet attacks may be volumetric but they’re coming from a host of different source IP addresses – all those compromised Internet of Things devices.
“You can leverage a pool of x86 services,” Gandhi said. “The virtual machines can be scaled out, and the SDN allows the traffic to be distributed across the servers.”
Putting the defences in software on a bunch of x86 servers isn’t expensive, making it affordable to activate the defences only when they’re needed.
That’s where the fast response comes from, Gandhi said: it should be possible to activate, program, and validate the infrastructure within ten minutes or so when an attack is detected.
BigSecure arrives as part of the latest round of updates to Big Switch Networks’ Big Monitoring Fabric. A deployment comprises its Big Monitoring Fabric SDN controller; a BMF Service Node (a 40 Gbps to 150 Gbps Intel DPDK-based node that handles filtering, deep packet inspection, service flow inspection, and filtering); and a pool of x86 resources providing the network function virtualisation (NFV) tool farm.
Third party tools like A10 Networks threat protection are supported, and the whole lot’s designed to run on white-box Ethernet from outfits like Dell EMC and Edgecore Networks.
Tomi Engdahl says:
Blustor’s CyberGate™: A Secure Solution to a Global Problem
https://www.eeweb.com/blog/eeweb/blustors-cybergatetm-a-secure-solution-to-a-global-problem
Approximately 15 million Americans each year fall victim to identity theft—and these losses total upwards of $50 billion. Each year, criminals develop more advanced ways to steal identities, putting millions of Americans at risk. Our personal security is more at risk than ever, leaving many people to seek out a simple solution to a growing problem.
Blustor is offering just that, with the CyberGate™ Personal Mobile Cloud. Designed to empower people to control the important things in their life, this credit-card-sized device safeguards your data and digital identity with your own biometric information.
For more information, check out the video and Indiegogo campaign:
https://www.indiegogo.com/projects/cybergate-personal-mobile-cloud–2#/
Tomi Engdahl says:
Don’t Get Caught in the Noise, Focus Your Security on What You can Control
http://www.securityweek.com/dont-get-caught-noise-focus-your-security-what-you-can-control
Trying to Focus on Everything at Once is the Same as Focusing on Nothing at All…
Data has become the obsession of the security industry. Experts and vendors tell businesses that they need all the threat intelligence, logs, and traces they can get their hands on. In fact, handling all of these raw feeds has become a major “big data” problem. Unfortunately this tsunami of records often obscures sophisticated attacks and can create unwarranted confidence in our ability to detect intrusions.
Attackers also have access to all the same monitoring tools that we use and can test their tools and techniques against them to ensure they stay under the radar. The most sophisticated attackers often use tools and vulnerabilities that have literally never been seen before. Monitoring systems are very hard pressed to recognize and identify these kinds of attacks. Historically attackers have been able to spend months inside a victim’s network before they are discovered, often by a third party.
Part of the problem is that our computing environments are so complex and busy that many kinds of hostile actions can hide in the noise. Smart attackers modulate their activity to mimic normal user behavior.
Tomi Engdahl says:
Intelligence or Not Intelligence? That is the Question.
http://www.securityweek.com/intelligence-or-not-intelligence-question
Open Web Intelligence
Most organizations track online mentions of their brand and stakeholders via search engines, social media, paste sites, and other open web sources. However, by the time such information reaches the open web, it is likely outdated, has already been exploited by threat actors
Full Coverage
Unfortunately, the unicorn of “full coverage” of the Deep & Dark Web continues to plague the industry. The Deep & Dark Web is immeasurably vast, contains dangerous regions, and is extremely difficult to access.
Predictive Intelligence
While analyzing past trends in intelligence and security can certainly serve as a valuable guide for organizations — no one wants a repeat of the same issue — intelligence cannot be predicted by analyzing history. Past activity is not an indicator or predictor of future event
In Summary
Cyber threat intelligence will most likely always present unique challenges for all parties involved — it is, by its nature, complex. Decision-makers should take time to identify and analyze their organizations’ intelligence needs before pursuing thorough due-diligence on any potential vendor. More data does not equal better intelligence. However, contextual intelligence derived from Deep & Dark Web data can deliver truly invaluable insights for better decision-making when gathered and processed correctly, securely, and by individuals with ample skills.
Tomi Engdahl says:
‘Spy’ Toys Face Complaints From EU, US Watchdogs
http://www.securityweek.com/spy-toys-face-complaints-eu-us-watchdogs
EU and US consumer watchdogs announced Tuesday they are filing complaints against a clutch of smart toys that can “spy” on children and their homes, for allegedly breaching privacy and data protection laws.
The complaints target smart toys My Friend Cayla, i-QUE Intelligent Robot and Hello Barbie, according to the European Consumer Organisation BEUC and US groups like the Electronic Privacy Information Center (EPIC). Complaints are being filed with French and other European authorities as well as the US Federal Trade Commission.
Internet-connected Cayla and i-QUE, manufactured by Los Angeles-based Genesis Toys, hook up with a user via a phone or tablet while Hello Barbie links to the internet through Wi-Fi, said the consultancy Bouvet on behalf of the Norwegian Consumer Council.
“By purpose and design, these toys record and collect the private conversations of young children without any limitations on collection, use, or disclosure of this personal information,” EPIC and other US watchdogs said in their complaint, which they say “concerns toys that spy”.
“The toys subject young children to ongoing surveillance and are deployed in homes across the United States without any meaningful data protection standards,” they said.
Tomi Engdahl says:
Flash Player Remains Main Target of Exploit Kits: Report
http://www.securityweek.com/flash-player-remains-main-target-exploit-kits-report
The most common vulnerabilities used by exploit kits in the past year affect Flash Player, Windows, Internet Explorer and Silverlight, according to a report published on Tuesday by threat intelligence firm Recorded Future.
In its 2015 report, Recorded Future said Flash Player weaknesses represented eight of the top ten flaws leveraged by exploit kits. This year, Flash accounted for six of the top ten vulnerabilities.
The security firm’s analysis of 141 exploit kits showed that an Internet Explorer flaw tracked as CVE-2016-0189 was the most referenced on security blogs, deep web forum postings and dark web sites. The vulnerability was exploited in targeted attacks before Microsoft released a patch, but shortly after the fix became available, it was integrated into several major exploit kits, including Sundown, Neutrino, RIG and Magnitude.
The flaw that was adopted by the highest number of exploit kits is Flash Player’s CVE-2015-7645. The exploit has been integrated into Neutrino, Angler, Magnitude, RIG, Nuclear, Spartan and Hunter.