Security trends for 2016

Here are my predictions for trends in information security and cyber security for the year 2016.

The year 2015 was pretty bad for information security, and I would say that the trend is worrying. So I expect that 2016 will bring many information security challenges. If you want to keep yourself up at night, spend some time reading about the latest developments in cybersecurity. In 2015 airplanes were hacked, cars were hacked, and vulnerabilities were found in a breathtaking range of sensitive equipment, from TSA locks to voting booths to medical devices. The big picture is even scarier. Former NSA Director Mike McConnell suspects China has hacked “every major corporation” in the US. Those problems will continue in 2016, and new targets for attacks will be found. The system is broken. It isn’t keeping us, our companies, or our government safe. Worse yet, no one seems to know how to fix it.

Attacks through networks are becoming more common all the time, and it will be hard to protect against targeted attacks. Hackers will not only customize malware, but will increasingly use sophisticated phishing and social engineering tricks to gain access to sensitive data. Attackers usually cover their tracks carefully, and identifying who is behind an attack can be very difficult. Behind targeted attacks there are usually professional criminals. Criminals do not respect geographical borders, so attacks are spread evenly everywhere. Companies will struggle to absorb the security threats of combined PC and mobile devices in 2016.

 

EU information security decisions made in late 2015 will have an impact on what comes in 2016: the new EU data protection legislation package was approved, and the EU Court of Justice ruled that the Safe Harbor procedure is invalid. This means that transfers of personal data from EU countries to the United States under Safe Harbor are now a violation of law; you need some other legal basis for them. The situation will probably get clarified during 2016. Data protection legislation changes will lead to increased fines for the unprepared. Legal uncertainty and big fines are a toxic cocktail for some companies. The combination of stiff penalties and ambiguously worded provisions in the new EU-wide data protection law, which would replace a patchwork of 28 national laws, raises daunting prospects for companies operating in Europe.

After the huge number of user information leaks in 2015 from all kinds of Internet services, cloud companies will face the challenge of earning trust in their security. You might only just have dared to trust “the right cloud services,” because from the traditional information security point of view they seemed to have the main things in order; now the privacy issues raised in 2015 put that trust in question again.

New environments will bring new threats. New operating system versions mean that administrators and users are less familiar with the environments. IPv6 will get more widely used, and the security of IPv6 networks is different from IPv4. Note that most modern hosts already have IPv6 enabled by default, so a firewall policy written only for IPv4 leaves an unfiltered path even on networks that never deployed IPv6 deliberately. Organizations are moving to virtualized environments, which are complex and create network layers that can become an attack vector. Growing network virtualization functionality and programmability are both an opportunity and a threat to security. Cyber security research will be important in 2016, as 5G networks will be critical infrastructure on top of which, for example, transport, industry, health care and new operators will set up their business around 2020.

The huge amount of information security news is becoming harder and harder to manage in 2016. A key problem with security revelations, as with all other news coverage, is the exponential growth of information. There are a variety of news summaries produced on a daily basis, but they are not enough to get a good picture of what is happening. There are bigger and smaller news items, the impact of which is at times very difficult to assess. SMBs will become a bigger target for cybercriminals. Network and security professionals continue to be among the toughest IT talent to find and hire.

The old way of network security, focused on perimeter defense, is not enough in 2016. The old mantras “encrypt everything” and “secure the perimeter” are not enough. One deceptive belief seems to drive much of the cybersecurity industry down a rabbit hole: if you keep bad actors and bad software out of your system, you have nothing to worry about. It does not work like that anymore. As perimeter security gets stronger, malicious actors look for easier entry points to compromise an organisation through the breadth of its digital attack surface. Now malicious actors target “endpoints”, meaning any device or sensor connected to a network, to break into that network. Traditional sandboxing will no longer protect against the growing malware landscape. Today, most private networks have far too many endpoints to properly secure. In an age of “Bring Your Own Device”, the cloud, remote access, and the Internet of Things, there are too many vulnerabilities hackers can exploit. Keep in mind that everything connected to the Internet can, and will, be hacked. To address those threats in 2016, security experts should assume compromise, that is, assume that hackers and malware have already breached their defenses or soon will, and instead classify and mitigate threats. In addition to the public key infrastructure lock-and-key system you will also need an integrity solution that acts like an alarm: a trusted record of what your systems are supposed to look like, checked continuously, so that a change made by an intruder is noticed rather than assumed away. To protect against advanced threats, security professionals will increase their reliance on centralized security management solutions. You need to have prioritization and response plans for various kinds of breaches, with a strong focus on integrity.
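To make the “integrity solution that acts like an alarm” concrete, here is an added example (my own illustration, not code from the original post): a minimal file-integrity baseline in the spirit of tools like Tripwire or AIDE. It hashes a tree, seals the baseline with an HMAC so an intruder cannot quietly rewrite the baseline to match their changes, and later reports modified, added and removed files. The file tree, the intrusion it simulates and the SEAL_KEY value are all constructed for the demo; in real use the key and the sealed baseline live on a separate host.

```python
import hashlib
import hmac
import json
import os
import tempfile

# Constructed for the example. In production this key lives off the monitored host.
SEAL_KEY = b"replace-with-a-real-secret-kept-off-host"


def sha256_file(path):
    """Hash a file in chunks so large files never need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map every file under root (relative, '/'-separated path) to hash, size and mode."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snap[rel] = {"sha256": sha256_file(full), "size": st.st_size, "mode": oct(st.st_mode)}
    return snap


def seal(snap, key=SEAL_KEY):
    """Serialize the baseline and attach an HMAC so a tampered baseline is detected."""
    body = json.dumps(snap, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return json.dumps({"baseline": body.decode(), "hmac": tag})


def unseal(sealed, key=SEAL_KEY):
    """Verify the HMAC before trusting a stored baseline; raise if it was altered."""
    doc = json.loads(sealed)
    body = doc["baseline"].encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc["hmac"]):
        raise ValueError("baseline has been tampered with")
    return json.loads(body)


def diff(baseline, current):
    """The alarm: what changed relative to the sealed baseline."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo():
    """Baseline a constructed tree, simulate an intrusion, and return (report, tamper_detected)."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)

        write("etc/passwd", b"root:x:0:0:root:/root:/bin/bash\n")
        write("bin/ls", b"ELF-placeholder")
        write("etc/ssh/sshd_config", b"PermitRootLogin no\n")
        sealed = seal(snapshot(root))  # would be copied off-host at this point

        # Simulated intrusion: trojaned binary, weakened config, dropped webshell, deleted file.
        write("bin/ls", b"ELF-placeholder-with-backdoor")
        write("etc/ssh/sshd_config", b"PermitRootLogin yes\n")
        write("var/www/shell.php", b"<?php system($_GET['c']); ?>")
        os.remove(os.path.join(root, "etc/passwd"))

        report = diff(unseal(sealed), snapshot(root))

        # An attacker who swaps in a baseline of their own must fail the HMAC check.
        forged = json.dumps({"baseline": "{}", "hmac": json.loads(sealed)["hmac"]})
        try:
            unseal(forged)
            tamper_detected = False
        except ValueError:
            tamper_detected = True
        return report, tamper_detected


if __name__ == "__main__":
    print(demo())
```

The point of the HMAC is that the baseline itself is part of the attack surface: an intruder who can edit it can silence the alarm. Hashing with SHA-256 in chunks keeps the scan usable on large trees; in practice you would also exclude log and spool directories that are expected to change.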

Law enforcement versus Silicon Valley tension will continue to be strong throughout 2016. In 2015 law enforcement and politicians on both sides of the Atlantic lined up to repeatedly complain that the web was “going dark” as the result of end-to-end encryption and that this was hampering the investigation of terrorism and other serious crimes. Technologists and cryptographers argue that governments are trying to weaken encryption by demanding some form of privileged access for government. It’s not clear how much encryption the NSA can break. With renewed focus on how encrypted messages can be used to plot terrorist attacks, President Barack Obama’s administration is stepping up pressure on the tech sector to help in the battle. Privacy remains a major counter-argument. It seems that governments lie about encryption backdoors. Encryption systems weakened by mandated backdoors would not be effective in fighting the terrorists that governments invoke as their reason for wanting those backdoors in the first place.

But this does not stop some government officials from demanding such things, with varying success in different countries. Another fact is that the existence of coded communications is a reality, and the U.S. may not be able to do much about it because nearly everyone living in modern society uses it: encryption protects your bank information, prevents your password from being stolen when you log into a website, and allows all e-commerce transactions to take place securely. Encryption weakened by mandated backdoors would put all of us at enormous risk of exposure from data breaches and associated online risks. The truth in 2016 is that any form of privileged access for government, i.e. a backdoor, would inevitably weaken crypto-systems and make them more vulnerable to attacks by foreign governments’ intelligence agencies as well as criminals. Juniper’s VPN security hole is proof that government backdoors are bonkers. Encryption backdoors would be a gleeful win-win for terrorists and a horrific lose-lose for you: the bad guys would have strong protections for their data, and the rest of us would not. Poorly thought-out and crude surveillance techniques can have a devastating effect on a country’s internet security. For example, Kazakhstan will force its citizens to install internet backdoors by requiring all Internet users to install a state-issued root certificate by January 1, 2016. Any certificate authority in a client’s trust store can issue a certificate for any domain name, so a mandatory root lets the state terminate and inspect TLS connections to every site, not just the ones it claims to be interested in.

Google, Mozilla and Microsoft are pushing for an early SHA-1 cutoff that could happen in 2016 instead of the earlier planned January 1, 2017, due to recent research showing that SHA-1 is weaker than previously believed: finding collisions is cheaper than earlier estimates assumed. Mozilla, Microsoft and now Google are all considering bringing the deadline forward by six months, to July 1, 2016. SHA-2 is the replacement function for SHA-1. Websites like Facebook and those protected by CloudFlare have implemented a SHA-1 fallback mechanism for those clients that do not support SHA-2. Chrome will start displaying errors if SHA-1 certificates are employed in early 2016 and will completely stop supporting SHA-1 certificates at the end of 2016. To check what your own site is serving, run `openssl s_client -connect example.com:443 < /dev/null 2>/dev/null | openssl x509 -noout -text` and look at the “Signature Algorithm” line; anything ending in sha1WithRSAEncryption needs to be reissued.
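The SHA-1 fallback mentioned above works because a TLS 1.2 client announces the hash algorithms it accepts in the signature_algorithms extension of its ClientHello (RFC 5246, extension type 13); older clients do not send the extension at all. The added example below (my own illustration, not Facebook’s or CloudFlare’s code) parses that extension out of a raw ClientHello record and picks which certificate chain to serve. The chain-selection rule is deliberately simplified to the core signal, the ClientHello builder exists only to construct test input, and the chain names are placeholders.

```python
import struct

SIGNATURE_ALGORITHMS = 0x000D                     # extension type, RFC 5246 section 7.4.1.4.1
HASH_SHA1, HASH_SHA256, HASH_SHA384, HASH_SHA512 = 2, 4, 5, 6
SIG_RSA = 1
SHA2_HASHES = {HASH_SHA256, HASH_SHA384, HASH_SHA512}


def client_hello_extensions(record):
    """Parse one TLS record carrying a ClientHello; return {extension_type: extension_data}."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    body = record[5:5 + rec_len]
    if not body or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    pos = 2 + 32                                   # client_version + random
    pos += 1 + hello[pos]                          # session_id
    (cs_len,) = struct.unpack("!H", hello[pos:pos + 2])
    pos += 2 + cs_len                              # cipher_suites
    pos += 1 + hello[pos]                          # compression_methods
    if pos >= len(hello):
        return {}                                  # no extensions block at all (old clients)
    (ext_total,) = struct.unpack("!H", hello[pos:pos + 2])
    pos += 2
    end = pos + ext_total
    exts = {}
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
        pos += 4
        exts[etype] = hello[pos:pos + elen]
        pos += elen
    return exts


def client_accepts_sha2(record):
    """True only if the client explicitly lists a SHA-2 hash in signature_algorithms."""
    data = client_hello_extensions(record).get(SIGNATURE_ALGORITHMS)
    if data is None:
        return False                               # pre-TLS 1.2 client cannot express SHA-2 support
    (n,) = struct.unpack("!H", data[:2])
    pairs = data[2:2 + n]                          # sequence of (hash, signature) byte pairs
    return any(pairs[i] in SHA2_HASHES for i in range(0, len(pairs) - 1, 2))


def choose_chain(record):
    """Serve the SHA-256 chain to capable clients and the legacy SHA-1 chain to the rest."""
    return "sha256-chain" if client_accepts_sha2(record) else "sha1-fallback-chain"


def build_client_hello(sig_algs=None):
    """Constructed ClientHello for testing. sig_algs is a list of (hash, signature) ids,
    or None to omit the extension the way a TLS 1.0 client would."""
    hello = b"\x03\x03" + bytes(32) + b"\x00"                 # version, random, empty session id
    hello += struct.pack("!H", 2) + b"\xc0\x2f"                # one cipher suite
    hello += b"\x01\x00"                                       # null compression only
    if sig_algs is not None:
        lst = b"".join(bytes(pair) for pair in sig_algs)
        ext = struct.pack("!H", len(lst)) + lst
        exts = struct.pack("!HH", SIGNATURE_ALGORITHMS, len(ext)) + ext
        hello += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    print(choose_chain(build_client_hello([(HASH_SHA256, SIG_RSA), (HASH_SHA1, SIG_RSA)])))
    print(choose_chain(build_client_hello(None)))
```

The caveat a practitioner should keep in mind: the fallback only helps clients that are old enough not to advertise SHA-2 at all, and every such client is by definition still trusting SHA-1 signatures, so the fallback buys compatibility, not security, and has to be retired along with the SHA-1 certificates it serves.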

The use of blockchain technology, a permissionless distributed database based on the Bitcoin protocol that runs across a global network of independent computers, will spread beyond Bitcoin virtual money. With Bitcoin, the blockchain tracks the exchange of money. But it can also track the exchange of anything else that holds value, including stocks, bonds, and other financial securities. Overstock has already used the blockchain to issue private bonds. The Securities and Exchange Commission has approved a plan from online retailer Overstock.com to issue company stock via the Internet, signaling a significant shift in the way financial securities will be distributed and traded in the years to come. Overstock built its technology under the aegis of a subsidiary called TØ.com, and it plans to offer this “cryptosecurity” tech as a service to other businesses. Nasdaq OMX, the company behind the Nasdaq stock exchange, is using the blockchain to oversee the exchange of private stock. Also, several major companies from across both the technology and financial industries, including IBM, Intel, and Cisco as well as the London Stock Exchange Group and big-name banks JP Morgan, Wells Fargo, and State Street, have joined forces with the Linux Foundation to create an alternative to the Bitcoin blockchain.

The use of disk encryption will increase, and there are different ways to do it with different security levels. Microsoft has introduced Windows 10 disk encryption where the recovery keys are uploaded to Microsoft. This approach has some advantages and disadvantages. The gold standard in disk encryption is end-to-end encryption, where only you can unlock your disk. This is what most companies use, and it seems to work well. It protects data in case your device is lost or stolen. But what if you forget or lose your key? There are certainly cases where it’s helpful to have a backup of your key or password, so keeping a backup of your recovery key in your Microsoft account could be genuinely useful for probably the majority of users who don’t have high security needs. The disadvantage of this approach is that your computer is now only as secure as that database of keys held by Microsoft, which means it may be vulnerable to hackers, foreign governments, and people who can extort Microsoft employees. You can list which key protectors a BitLocker volume currently has with `manage-bde -protectors -get C:`. If you want the key out of Microsoft’s hands, deleting it from your Microsoft account is not enough on its own: the copy that was uploaded remains a valid protector for the volume until you replace it with a new recovery password on the device.

Weak and leaked passwords are still a huge security problem in 2016. Passwords are often the weakest part of securing users’ accounts, as many don’t use complex passwords or they reuse the same password across services. Two-factor authentication, like using a USB stick with a secret token or entering a code sent via text message to your phone, can help to increase security, but many users also find this to be a hassle as it introduces an additional step to the login process. Note that a code sent by SMS is the weakest of these options, since it is only as strong as the mobile operator’s control over your phone number.

Google has begun testing a login system that uses phone notifications for authentication instead of passwords: users authenticate by responding to a notification sent to their smartphone. The idea is similar to Yahoo’s recently launched “Account Key,” which also offers a password-free means of signing in, involving a push notification sent to your phone that then opens an app where you approve the log-in.

The smart phone will become a more and more security-critical part of your life. “Increasingly, individuals and organisations are adopting password managers and multi-factor authentication technologies to plug some of the holes in password-based authentication. We foresee a world where practically everyone uses their smartphone as a multi-factor authentication element. In this world, the smartphone becomes your most valuable asset: something that enables you to unlock your life online and a target for attackers seeking to access your services.”

Expect that the number of mobile vulnerabilities will only grow in 2016. In 2016 we will see increasing numbers of cyber criminals using mobile applications to spread malware. Mobile presents an easy target for cyber criminals, because it is an attack surface that is open and extremely difficult to defend once an app has been released. Android threats will become more than just headline-grabbers. Will 2016 be the year iOS malware goes mainstream?

Critical infrastructures will be highly targeted in 2016. SCADA and ICS networks were not designed for security. Attacks against these systems have increased in recent years, and I expect this trend to only get worse. There are still many companies that run their critical systems on Windows XP, as “there are some people who don’t have an option to change.” Many times the OS is running in automation and process control systems that run business- and mission-critical systems, both in private sector and government enterprises. For example, the US Navy is using the obsolete operating system Microsoft Windows XP to run critical tasks. It all comes down to money and resources, but if someone is obliged to keep something running on an obsolete system, it is completely the wrong approach to information security. If such a system really cannot be upgraded, the only sane mitigation is to treat it as already compromised: isolate it on its own network segment, allow only the specific connections the process needs, and never let it reach the Internet.

Cars were hacked at a record rate in 2015, and they will be hacked at least at the same rate in 2016. Modern cars feature more gadgetry and connected systems, and this will make vehicles just as vulnerable to today’s threats and attacks. I Am The Cavalry has published a Five Star Automotive Cyber Safety Framework to mitigate this threat in cars; hopefully car component makers study it.

IoT and smart devices are still at risk. The Internet of Things will continue to emerge, and businesses will need to think about how to protect their smart devices and prepare for the wider adoption of IoT. IoT platforms are not yet the weapon of choice for commercial malware authors, but businesses beware. Wearables won’t be safe either, as they are built using largely the same, too often vulnerable, technologies as other IoT systems. IoT security is still in its infancy in 2016.

Cyber criminals became more active in 2015, particularly with ransomware. The ransomware problem will continue to be big in 2016. Commercial malware authors will continue to invest heavily, and exploit kits will continue to dominate on the web. Ransomware today is big business. Ransomware takes control of a computer and holds it hostage until the victim pays, usually in the digital currency Bitcoin. As a remedy against ransomware I recommend making sure, with your IT support or service provider, that the data backup and restore procedure is operational, practiced and tested. You may need it in 2016 to get your data back without considering paying the criminals. Keep in mind that any backup the infected machine can write to (a mapped network drive, a permanently attached USB disk, a synced cloud folder) will be encrypted along with everything else, so at least one copy must be offline or otherwise unreachable from the endpoint. To date ransomware has hit Windows users hardest, although Android and Mac OS users are now also facing similar extortion.
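“Practiced and tested” means actually restoring and checking the result, not just confirming that the backup job ran. The added example below (my own illustration, not code from the original post) shows the shape of such a restore drill: it backs up a directory to a tar archive together with a manifest of file hashes, simulates ransomware overwriting and renaming every live file, then restores into a scratch directory and verifies each file against the manifest. The files, the archive location and the simulated infection are all constructed for the demo; in real use the archive and manifest sit on media the endpoint cannot write to.

```python
import hashlib
import os
import tarfile
import tempfile


def sha256_file(path):
    """Hash a file in chunks so large files never need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def backup(src, archive):
    """Archive src and return a manifest {relative path: sha256} to store alongside the archive."""
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for dirpath, _dirs, files in os.walk(src):
            for name in files:
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, src).replace(os.sep, "/")
                manifest[rel] = sha256_file(full)
                tar.add(full, arcname=rel)
    return manifest


def safe_extract(archive, dest):
    """Extract, refusing members whose path would escape dest (classic tar path traversal)."""
    dest_real = os.path.realpath(dest)
    with tarfile.open(archive, "r:gz") as tar:
        for m in tar.getmembers():
            target = os.path.realpath(os.path.join(dest, m.name))
            if not (target == dest_real or target.startswith(dest_real + os.sep)):
                raise ValueError("unsafe path in archive: " + m.name)
        if hasattr(tarfile, "data_filter"):     # Python 3.12+ (and backports) support filters
            tar.extractall(dest, filter="data")
        else:
            tar.extractall(dest)


def restore_drill(archive, manifest):
    """Restore into a scratch directory and report files that are missing or do not match."""
    with tempfile.TemporaryDirectory() as scratch:
        safe_extract(archive, scratch)
        problems = []
        for rel, digest in manifest.items():
            path = os.path.join(scratch, rel)
            if not os.path.exists(path):
                problems.append("missing: " + rel)
            elif sha256_file(path) != digest:
                problems.append("corrupt: " + rel)
        return problems


def demo():
    """Return (live data lost, restore problems, problems reported for a corrupted manifest)."""
    with tempfile.TemporaryDirectory() as work:
        live = os.path.join(work, "live")
        os.makedirs(os.path.join(live, "docs"))
        files = {"docs/contract.txt": b"signed 2015-12-01\n", "docs/ledger.csv": b"a,b\n1,2\n"}
        for rel, data in files.items():
            with open(os.path.join(live, rel), "wb") as f:
                f.write(data)
        archive = os.path.join(work, "backup.tgz")      # in reality: offline or write-once storage
        manifest = backup(live, archive)

        # Simulated ransomware: overwrite every live file with random bytes and rename it.
        for rel in files:
            path = os.path.join(live, rel)
            with open(path, "wb") as f:
                f.write(os.urandom(64))
            os.rename(path, path + ".locked")

        live_lost = not any(os.path.exists(os.path.join(live, r)) for r in files)
        bad_manifest = dict(manifest, **{"docs/ledger.csv": "0" * 64})
        return live_lost, restore_drill(archive, manifest), restore_drill(archive, bad_manifest)


if __name__ == "__main__":
    print(demo())
```

The manifest is what turns a backup into evidence: without it, a restore that silently brings back already-encrypted files looks identical to a good one. Run the drill on a schedule, from a machine other than the one that wrote the backup.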

Ransomware will continue to dominate in 2016, and it is only a question of time before we see things beyond data being ransomed. We have already seen websites being held to ransom with DDoS. Intel’s McAfee Labs also noted a huge spike in ransomware in early 2015, and worries about ransomware in the IoT space, including medical devices. And Kaspersky predicts the “nightmare of ransomware” to continue and “spread to new frontiers” in 2016. The article “Ransomware Is Coming to Medical Devices” reports that, according to a report released recently by Forrester Research, the number one cybersecurity prediction for 2016 is: “We’ll see ransomware for a medical device or wearable.” “It’s definitely feasible from a technical standpoint.” Networked medical devices save lives. Despite the hacking risk, it’s an informed trade-off. Medical device ransomware would be a modern form of highway robbery with lives at stake.

2,232 Comments

  1. Tomi Engdahl says:

    Is security outfit Norse Corp dead or just temporarily TITSUP?
    ‘Imploding’ says Brian Krebs
    http://www.theregister.co.uk/2016/02/01/is_norse_corp_dead_or_just_temporarily_titsup/

    Security startup Norse Corp has gone ominously dark.

    The outfit, famous for picking scabs from FreeBSD and mesmerising users with a “live DDoS map”, isn’t contactable on the Web right now.

    Early in January, The Register reported layoffs in the business, amounting to as much as half its staff at the time.

    Now, Brian Krebs reports that the CEO had been asked to step down, replaced by board member Howard Bain and he speculates that a forced merger might be on the cards.

    The company was also accused of faking some of its attack data, with Dragos Security’s Robert Lee saying it had invented Iranian attack numbers in 2015.

    “The report was confusing but the data clearly revealed that the “attacks” from Iranian Internet addresses were actually Internet scans from locations such as Iranian universities and hospitals,” he continued.

    Krebs quotes former Norse Corp data scientist Mary Landesman as saying the data behind the attack map was “disappointing”.

  2. Tomi Engdahl says:

    Firefox Warns of Password Requests Over HTTP
    http://www.securityweek.com/firefox-warns-password-requests-over-http

    Mozilla is taking another step to protect users, by adding a new warning icon when passwords are requested over non-secure connections.

    Starting with Firefox DevEdition 46, developers will be informed about this privacy and security risk by displaying a lock with a red strikethrough when passwords are requested on non-secure pages. The browser has been alerting developers on the issue via the Developer Tools Web Console since Firefox 26.

    In a recent blog post, Mozilla security engineer Tanvi Vyas explains that websites should handle usernames and passwords with care and should request the latter only over secure connections, such as HTTPS. However, since non-secure connections such as HTTP are often used to handle passwords, Firefox Developer Edition is now warning developers on the issue.

    No More Passwords over HTTP, Please!
    https://blog.mozilla.org/tanvi/2016/01/28/no-more-passwords-over-http-please/

    Firefox Developer Edition 46 warns developers when login credentials are requested over HTTP.

    Username and password pairs control access to users’ personal data. Websites should handle this information with care and only request passwords over secure (authenticated and encrypted) connections, like HTTPS. Unfortunately, we too frequently see non-secure connections, like HTTP, used to handle user passwords. To inform developers about this privacy and security vulnerability, Firefox Developer Edition warns developers of the issue by changing the security iconography of non-secure pages to a lock with a red strikethrough.

    How does Firefox determine if a password field is secure or not?

    Firefox determines if a password field is secure by examining the page it is embedded in. The embedding page is checked against the algorithm in the W3C’s Secure Contexts Specification to see if it is secure or non-secure. Anything on a non-secure page can be manipulated by a Man-In-The-Middle (MITM) attacker. The MITM can use a number of mechanisms to extract the password entered onto the non-secure page. Here are some examples:

    Change the form action so the password submits to an attacker controlled server instead of the intended destination. Then seamlessly redirect to the intended destination, while sending along the stolen password.
    Use javascript to grab the contents of the password field before submission and send it to the attacker’s server.
    Use javascript to log the user’s keystrokes and send them to the attacker’s server.

    Note that all of the attacks mentioned above can occur without the user realizing that their account has been compromised.

  3. Tomi Engdahl says:

    Your Line of Business Hates Access Certifications – You Should Too!
    http://www.securityweek.com/your-line-business-hates-access-certifications-you-should-too

    Like Many Compliance-driven Efforts, Access Certifications are Often Hastily Implemented to Satisfy Auditors…

    Line of business (LOB) managers hate access certifications (or recertifications). From their perspective, it’s a bit like asking them to systematically visit every seat in a theater, during the feature film, and act as “theater police”, checking ticket stubs to catch people sneaking in from another movie. It’s distracting from the conduct of business and is seen as useless administrative overhead. So it’s no wonder that LOB managers look for short cuts, such as rubber-stamping access approval for everyone.

    Many regulated organizations are accomplishing access certifications on time, which may be enough to satisfy an auditor, but it hasn’t reduced risk for our organizations. By allowing managers to mindlessly approve access for everyone, there are too many people with too much access. And that’s why, if you believe that compliance does not equal security, or as a security professional you care about managing risk, you should hate access certifications too – at least the way most of us do them today.

    Why are access certifications so flawed?

    Much of the investment in access certifications has been focused on making the job easier on IT professionals. We’ve automated entitlement collection, report creation and distribution. LOB managers are bothered, then harassed and re-harassed to complete their reviews and certify access with ruthless automated precision. If they’re lucky, we give them a fancy user interface to make checking boxes easier, but then turn off the “select all” and “next” buttons, just to make certain they’re inefficient at rubber stamping.

    Reducing the burden on the business without increasing risk

    What LOB users need is clarity and simplicity in identifying access that should be revoked. In a theater full of 200 people, rather than check every person’s ticket stub, what if the manager could focus on the four tweenagers in the R-rated movie? Managers need context and prioritization to help them make appropriate decisions while reviewing access.

  4. Tomi Engdahl says:

    Data Loss Prevention: Make It Work
    http://www.securityweek.com/data-loss-prevention-make-it-work

    Like leg warmers, data loss prevention (DLP) is back. Unlike leg warmers, DLP is actually cool, increasingly sophisticated, and something, to steal from Tim Gunn, companies will want to make work.

    As the name implies, DLP is about preventing loss or misuse of data. By various means, including content discovery and analysis, it helps preclude end users from accidentally or maliciously sharing sensitive, critical, and confidential data that might put a business at risk. For instance, DLP enables administrators to set up policies (from a library of predefined content selectors) or, even, create custom rules to check outgoing emails (including attachments). If anything appears amiss, DLP can either quarantine emails for review, request users to modify data, or block emails and notify senders.

    The concept isn’t a new one, but the ability to put it to use in an easier, more viable manner is.

    DLP Making Headlines. Again.

    Look at Google for Work. While Google’s been using tools for encryption, control sharing, mobile device management, and two-factor authentication to help secure email, they recently announced an additional layer of protection: DLP for Gmail. I mean, if Google’s hip to DLP, maybe it is time to take a closer look at this technology. Again.

    In its report, “The Data Loss Prevention Market by the Numbers: 2014-2019,” 451 Research predicts the DLP market to grow to $1.7B by 2019. Similarly, as revealed in its “Forecast Overview: Information Security, Worldwide, 3Q15 Update,” Gartner expects DLP to be among the fastest-growing security segments through 2019, with a combined annual growth rate of 9.9 percent.

    Well DLP, don’t they love you? And why shouldn’t they?

    When it works, DLP provides a range of business benefits, including compliance support and intellectual property protection. Today, thanks to increased compute power, the cloud, and advanced machine learning techniques, DLP solutions are faster at inspecting content, more accurate in building and tuning policies, and more efficient in managing policy violations.

  5. Tomi Engdahl says:

    It’s Official, Ransomware Has Gone Corporate
    http://www.securityweek.com/its-official-ransomware-has-gone-corporate

    In late 2014 my company predicted that ransomware attacks would shift from consumers to businesses to extort larger ransoms for unlocking encrypted files. Unfortunately, this prediction has come true.

    Recent Data from the FBI’s Internet Crime Complaint Center (IC3) shows ransomware continues to spread and is infecting devices around the globe. IC3 identified CryptoWall as the most significant ransomware threat targeting U.S. individuals and businesses.

  6. Tomi Engdahl says:

    Show me the Money: Cybercriminals Hijack Online Resources to Boost Profits
    http://www.securityweek.com/show-me-money-cybercriminals-hijack-online-resources-boost-profits

    The Angler exploit kit is one of the largest and most effective exploit kits on the market. It has been linked to several high-profile malvertising and ransomware campaigns, and has been a major factor in the overall explosion of ransomware activity over the last several years. Angler uses proxy servers located on servers of service providers as a conduit to malicious payloads, with one of the main perpetrators targeting up to 90,000 victims a day and generating more than $30M annually.

    SSHPsychos (also called Group 93) was one of the largest DDoS networks ever observed.

    Attackers are increasingly using browser add-ons as a way to distribute malware. Users inherently trust add-ons and security teams often view these add-ons as a low-severity threat. In reality, malicious browser extensions can steal information and can be a major source of data leakage for businesses. Every time a user opens a new web page with a compromised browser, malicious browser extensions collect data which can include user credentials, customer data, and details about an organization’s internal APIs and infrastructure.

    Adversaries also incorporate the Domain Name Service (DNS) into sophisticated campaigns to help their malware succeed in three ways: to gain command and control, to exfiltrate data, or to redirect. They use DNS to connect to sites that are known bad or suspicious, yet few companies monitor DNS for security purposes.

  7. Tomi Engdahl says:

    Illegal football streams are ‘dangerous’, study says
    http://www.bbc.com/news/technology-35434765

    Football fans who access free streams of top matches are putting their devices, and personal privacy, at great risk, according to a study.

    It says the most popular sites are attracting upwards of eight million visits per month.

    Like many free services, the pirate sites rely on advertising.

    But with few reputable brands willing to attach their name to illegal distribution, the sites turn to malicious ads to pull in profits.

    Of the thousands of streams studied, the researchers said that as many as half planted malicious software on the users’ machine through forced ads and other deceptive techniques.

    The researchers examined how the sites are run and from where.

    As well as pop-up and overlay advertising, they observed an increase in sites demanding users install browser plug-ins in order to watch a free stream.

    “[To watch the stream] you have to install the extension, and once the user installs the extensions, it can infect any website the user is visiting,” lead researcher Zubair Rafique told the BBC.

    The study analysed over 5,000 aggregator domains – that is, sites which collate free streams for visitors to browse and watch.

    Because of that separation between the aggregator sites and media streaming services, it’s difficult for authorities to effectively stamp out football piracy.

    Though several aggregator sites have been shut down, the video streams are quickly moved to a different site, and the cycle continues. Aggregator sites will usually offer several different streams for the same match.

    “We discovered that nearly 25% of live streams originate from the servers hosted in Belize,” the study noted.

    “More than 60% of analyzed streams originate from the media servers provided by only five companies located in Belize, Switzerland, the Netherlands, Sweden, and Canada.

    It’s Free for a Reason: Exploring the Ecosystem of Free Live Streaming Services
    https://zubairrafique.files.wordpress.com/2015/10/flis_ndss16.pdf

  8. Tomi Engdahl says:

    David E. Sanger / New York Times:
    New technologies like connected TVs, cars, bulbs, wearables, and more give government ample means to track suspects, Berkman Center study finds — New Technologies Give Government Ample Means to Track Suspects, Study Finds — WASHINGTON — For more than two years the F.B.I. and intelligence agencies …

    New Technologies Give Government Ample Means to Track Suspects, Study Finds
    http://www.nytimes.com/2016/02/01/us/politics/new-technologies-give-government-ample-means-to-track-suspects-study-finds.html?_r=0

    For more than two years the F.B.I. and intelligence agencies have warned that encrypted communications are creating a “going dark” crisis that will keep them from tracking terrorists and kidnappers.

    Now, a study in which current and former intelligence officials participated concludes that the warning is wildly overblown, and that a raft of new technologies — like television sets with microphones and web-connected cars — are creating ample opportunities for the government to track suspects, many of them worrying.

    “ ‘Going dark’ does not aptly describe the long-term landscape for government surveillance,” concludes the study, to be published Monday by the Berkman Center for Internet and Society at Harvard.

    The study argues that the phrase ignores the flood of new technologies “being packed with sensors and wireless connectivity” that are expected to become the subject of court orders and subpoenas, and are already the target of the National Security Agency as it places “implants” into networks around the world to monitor communications abroad.

    The products, ranging from “toasters to bedsheets, light bulbs, cameras, toothbrushes, door locks, cars, watches and other wearables,” will give the government increasing opportunities to track suspects and in many cases reconstruct communications and meetings.

  9. Tomi Engdahl says:

    US government’s $6bn super firewall doesn’t even monitor web traffic
    Einstein not so smart, wide open to old-days as well as zero-days
    http://www.theregister.co.uk/2016/02/01/us_government_super_firewall_audit/

    The US government’s firewall, named Einstein, is not as smart as its name would suggest.

    A report [PDF] by the General Accounting Office (GAO) into the National Cybersecurity Protection System (NCPS) has concluded that it is only “partially meeting its stated system objectives.” Which is a polite way of saying it sucks.

    Among the extraordinary pieces of information to emerge are the fact that the system – which has cost $5.7bn to develop – does not monitor web traffic for malicious content, just email. It can’t uncover malware on a system and it doesn’t monitor cloud services either.

    The system also carries out only signature-based threat assessment and intrusion detection

    If that wasn’t enough, the department behind the system – the Department of Homeland Security (DHS) – hasn’t included anything to measure the system’s own performance so it doesn’t even know if it’s doing a good job or not. And it is failing to ask for or share information with other agencies, effectively making it blind.

    It is hardly surprising then that the uptake of Einstein has not exactly been stellar. The report notes that federal agencies have adopted the NCPS “to varying degrees.”

    Einstein was created in 2003 for intrusion detection. The idea was that it would automatically collect and analyze federal agencies’ network traffic. In 2009, a second version was deployed that added signatures (digital fingerprints of known viruses and exploit code) to the system and emitted alerts if malicious activity was discovered. And then in 2013, it was updated again to block malicious traffic from either entering or leaving the network, using indicators developed by the DHS.

    Despite having spent $1.2bn in 2014 and $5.7bn in total, however, the system still only monitors certain types of network packets – and that does not include web traffic or cloud services.

    It doesn’t include anomaly based and stateful purpose detection methods – which are commonplace in most halfway decent intrusion detection systems

    The system has 228 sensors to pick up information across the .gov network, the report reveals, and has over 9,000 signatures in its systems

    Even better, despite spending millions to protect US government networks, the DHS reckons it’s not its job to protect US government networks. Officials told the GAO: “It is the responsibility of each agency to ensure their networks and information systems are secure while it is the responsibility of DHS to provide a baseline set of protections and government-wide situational awareness, as part of a defense-in-depth information security strategy.”

    The GAO tested the system by trying to exploit 489 known vulnerabilities in Adobe Acrobat, Flash, Internet Explorer, Java and Microsoft Office. Of them, just 29, or six per cent, were picked up by the scanners and stopped

    GAO Report to Congressional Committees: DHS Needs to Enhance Capabilities, Improve Planning, and Support Greater Adoption of Its National Cybersecurity Protection System
    http://www.gao.gov/assets/680/674829.pdf

    Reply
  10. Tomi Engdahl says:

    Stop using Microsoft Edge’s InPrivate mode if you value your privacy
    http://betanews.com/2016/01/30/stop-using-microsoft-edges-inprivate-mode-if-you-value-your-privacy/

    Edge has already got some stick for its lack of extension support — “it’s coming, it’s coming!” Yeah, whatever… so’s Christmas — but now it turns out that InPrivate mode is a privacy nightmare. It is possible to peek behind the curtain and see which sites have been visited when using a browsing mode that should mask this.

    There are similar features found in other browsers. Chrome has Incognito mode, Safari has Private Browsing, Firefox has… actually, Firefox has Private Browsing too. Whatever the name, what these browsing modes all have in common is that once the browser is closed, there is no record of which sites have been visited. That’s not to say that ISPs and law enforcement agencies wouldn’t be able to determine the browsing history, but from a local point of view it is as though no browsing has taken place.

    But Edge is different.

    Somewhat counterintuitively, Edge actually records browsing history in InPrivate mode. More than this, by examining the WebCache file it is a relatively simple task for someone to reconstruct full browsing history, regardless of whether surfing was performed in regular or InPrivate mode. These were the findings of infosec expert Brent Muir.

    Windows 10 – Microsoft Edge Browser Forensics
    http://bsmuir.kinja.com/windows-10-microsoft-edge-browser-forensics-1733533818

    Since IE10, browsing history records are no longer stored in Index.DAT files but in an Extensible Storage Engine (ESE) database format, and Microsoft Edge is no different. In fact most of the Edge artefacts are stored in ESE databases.

    This ESE database can be interpreted by EseDbViewer, ESEDatabaseView or Joachim Metz’s excellent esedbexport tool.

    As well as the history records this database also stores Cookies, HTTP POST request header packets (in hex) and downloads.

    The ESE log files often provide information from the PrivacIE browsing session too; these log files can be located

    Actual cached files related to the websites visited through PrivacIE mode are also stored to disk and can be located in the usual cache directories

    So what does this all tell you about PrivacIE mode? Well it isn’t that private after all.

    Reply
  11. Tomi Engdahl says:

    Socat slams backdoor, sparks thrilling whodunit
    Year-old bug ruined crypto
    http://www.theregister.co.uk/2016/02/03/socat_backdoor_fix/

    Popular admin tool Socat has issued a patch for an error that’s been in the code for 12 months and is so egregious some fear it could be a backdoor.

    The problem, revealed here, is simple: the Socat SSL implementation uses a non-prime number as its Diffie-Hellman p parameter.

    Socat is akin to the famous *nix cat command, but it’s able to pipe results to and from network addresses (which is why security is essential).

    As Openwall’s post states: “… since there is no indication of how these parameters were chosen, the existence of a trapdoor that makes it possible for an eavesdropper to recover the shared secret from a key exchange that uses them cannot be ruled out.”

    If there’s some reason you can’t use the patched code (linked in the Openwall post), Diffie-Hellman ciphers should be disabled for now.

    Reply
  12. Tomi Engdahl says:

    WordPress under attack by whack-a-mole ad-scam malware
    JavaScript attack spreads among sites, re-infects after cleansing
    http://www.theregister.co.uk/2016/02/03/wordpress_javascript_malware_attack/

    Sucuri threat researcher Denis Sinegubko says a “massive” advertising scam campaign is affecting users visiting WordPress sites, injecting backdoors and constantly re-infecting sites.

    The prolific virus-destroyer (@unmaskparasites) says writers are injecting code into all JavaScript files on targeted WordPress sites.

    Sinegubko says first time visitors will cop a cookie that generates fraudulent advertising income for VXers.

    “This past weekend we registered a spike in WordPress infections where hackers injected encrypted code at the end of all legitimate .js files,” Sinegubko says.

    “This malware uploads multiple backdoors into various locations on the web server and frequently updates the injected code.

    “This is why many webmasters are experiencing constant re-infections post-cleanup of their .js files.”

    Massive Admedia/Adverting iFrame Infection
    https://blog.sucuri.net/2016/02/massive-admedia-iframe-javascript-infection.html

    This malware only infects first time visitors, it sets the ad-cookie cookie (er2vdr5gdc3ds) that expires in 24 hours and injects an invisible iframe.

    The use of the third level domains is typical for “domain shadowing.” This involves adding malicious subdomains on legitimate second level domains after gaining access to DNS records

    It is worth mentioning that all the malicious domains and subdomains point to servers on Digital Ocean’s network

    It’s not common to see malware hosted there

    Constant Reinfections

    This malware uploads multiple backdoors into various locations on the webserver and frequently updates the injected code. This is why many webmasters are experiencing constant reinfections post-cleanup of their .js files.

    The malware tries to infect all accessible .js files. This means that if you host several domains on the same hosting account all of them will be infected via a concept known as cross-site contamination. It’s not enough to clean just one site (e.g. the one you care about) or all but one (e.g. you don’t care about a test or backup site) in such situations – an abandoned site will be the source of the reinfection. In other words, you either need to isolate every site or clean/update/protect all of them at the same time!

    Reply
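    The campaign above appends obfuscated code to every reachable .js file and re-infects from sibling sites on the same account. The script below is an added example (not Sucuri’s tooling or anything from the original post) of the triage check a webmaster would run across a whole hosting account: it flags .js files whose last line is a long, high-entropy blob or that match indicators named in the advisory (eval/fromCharCode decoding, iframe creation, the er2vdr5gdc3ds cookie name), and groups the hits per site so an abandoned test site does not get missed. The file contents and the injected tail are constructed for illustration; the thresholds are heuristics you tune for your own code base.

```python
"""Scan .js files on a shared hosting account for appended injected code.

Added example, not Sucuri's or WordPress' code. The sample files and the
injected tail below are constructed; the indicators are heuristics.
"""
import math
import random
import re
from collections import Counter

# Indicators taken from the behaviour described in the advisory.
INDICATORS = [
    re.compile(r"\beval\s*\("),
    re.compile(r"String\.fromCharCode"),
    re.compile(r"createElement\s*\(\s*['\"]iframe['\"]"),
    re.compile(r"er2vdr5gdc3ds"),  # ad-cookie name quoted in the advisory
]
MIN_TAIL_LEN = 300      # injected line is one long statement at the end
MIN_TAIL_ENTROPY = 4.5  # bits per character; plain JS sits well below this


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def analyse_js(content: str) -> list:
    """Return the reasons a file looks injected; an empty list means clean."""
    reasons = []
    lines = content.rstrip().splitlines()
    tail = lines[-1] if lines else ""
    if len(tail) >= MIN_TAIL_LEN and shannon_entropy(tail) >= MIN_TAIL_ENTROPY:
        reasons.append("long high-entropy trailing line")
    for pat in INDICATORS:
        if pat.search(content):
            reasons.append("matches " + pat.pattern)
    return reasons


def scan_account(files: dict) -> dict:
    """files maps 'site/path' -> content; returns {site: {path: reasons}}."""
    hits = {}
    for path, content in files.items():
        if not path.endswith(".js"):
            continue
        reasons = analyse_js(content)
        if reasons:
            site = path.split("/", 1)[0]
            hits.setdefault(site, {})[path] = reasons
    return hits


# --- constructed sample data -------------------------------------------
_CLEAN_JS = (
    "/*! constructed stand-in for a legitimate library */\n"
    "function ready(fn){document.addEventListener('DOMContentLoaded',fn);}\n"
    "window.ready=ready;\n"
)
_rng = random.Random(1)  # fixed seed so the sample is reproducible
_B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
# Stand-in for the appended payload: a decode-and-eval of a random blob.
INJECTED_TAIL = 'var _0x=eval(atob("' + "".join(
    _rng.choice(_B64) for _ in range(400)) + '"));'

SAMPLE_FILES = {
    "shop.example/wp-includes/js/jquery.js": _CLEAN_JS,
    "shop.example/wp-content/themes/x/app.js": _CLEAN_JS + INJECTED_TAIL + "\n",
    "shop.example/index.php": "<?php // not scanned ?>",
    # abandoned test site on the same account: the reinfection source
    "old-test.example/wp-includes/js/jquery.js": _CLEAN_JS + INJECTED_TAIL + "\n",
}

if __name__ == "__main__":
    for site, paths in scan_account(SAMPLE_FILES).items():
        for path, reasons in paths.items():
            print(f"{site}: {path}: {', '.join(reasons)}")
```

    Run it over a real account by building the `files` dict from `os.walk` over every site’s document root, not just the one you care about; a hit in any site means all of them need cleaning at the same time.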
  13. Tomi Engdahl says:

    Google to divert extremist searches to anti-radicalisation websites
    http://www.theguardian.com/uk-news/2016/feb/02/google-pilot-extremist-anti-radicalisation-information

    Search engine giant reveals plans for pilot scheme to home affairs committee hearing, with Facebook and Twitter also probed over extremism policies

    Users of Google who put extremist-related entries into the search engine are to be directed towards anti-radicalisation links under a pilot programme, MPs have been told by an executive for the company. The initiative, aimed at countering the online influence of groups such as Islamic State, is running alongside another pilot scheme designed to make videos posted by extremists easier to identify.

    The schemes were mentioned by Anthony House, senior manager for public policy and communications at Google, who was appearing alongside counterparts from Twitter and Facebook at a home affairs select committee hearing on countering extremism. “We should get the bad stuff down, but it’s also extremely important that people are able to find good information, that when people are feeling isolated, that when they go online, they find a community of hope, not a community of harm,” he said.

    All three were challenged by MPs about the extent of their companies’ roles in combating the use of social media by groups such as Isis for propaganda and recruitment purposes.

    Labour MP Chuka Umunna asked: “What is the threshold beyond which you decide … that you must proactively notify the law enforcement agencies?”

    House and Milner said their threshold was “threat to life”, while Nick Pickles, UK public policy manager at Twitter, told the MPs: “We don’t proactively notify. Because Twitter’s public, that content is available, so often it’s been seen already.”

    Reply
  14. Tomi Engdahl says:

    Video Game Cheaters Outed By Logic Bombs
    http://games.slashdot.org/story/16/02/02/1732254/video-game-cheaters-outed-by-logic-bombs

    A Reddit user decided to tackle the issue of cheaters within Valve’s multiplayer shooter Counter Strike: Global Offensive in their own unique way: by luring them towards fake “multihacks” that promised a motherlode of cheating tools, but in reality, were actually traps designed to cause the users who installed them to eventually receive bans.

    Counter-Strike Player Says Their Fake Hacks Got Thousands Of Cheaters Banned
    http://steamed.kotaku.com/counter-strike-player-says-their-fake-hacks-got-thousan-1756465584

    Counter-Strike has a cheating problem. One player decided to do something about it. Something, shall we say, creative.

    In a post on Reddit, AndroidL explained that they released a handful of fake “multihacks” that promised everything from wallhacking, to aimbotting, to bunnyhopping, to crazy lean angles. If you can name it, AndroidL’s dirty hack pack probably claimed to contain it. Naturally, punks on the prowl for illicit upper hands ate it right up.

    Then, according to AndroidL, they got banned. En masse. Because, you know, that was the idea.

    Apparently the “hacks” received 26,000+ views and 5,500+ downloads before it was all said and done

    Reply
  15. Tomi Engdahl says:

    EU Proposes End of Anonymity For Bitcoin and Prepaid Card Users
    http://yro.slashdot.org/story/16/02/02/224206/eu-proposes-end-of-anonymity-for-bitcoin-and-prepaid-card-users

    In June the European Commission will propose new legislation to effectively end the possibility of anonymous payment, by forcing users of virtual currencies like Bitcoin, and of prepaid credit cards, to provide identity details. Additionally the EC intends to propose monitoring inter-bank transfers within Europe

    Though the proposed measures are intended to heap new pressure on the financing of terrorism, a report from Interpol last week concluded that terrorist funding methods have not changed substantially in recent years

    EU proposes end of anonymity for Bitcoin and prepaid card users
    https://thestack.com/security/2016/02/02/eu-proposes-end-of-anonymity-for-bitcoin-and-prepaid-card-users/

    In June the European Commission will propose new measures which will effectively end the possibility of staying anonymous while using virtual currencies such as Bitcoin and prepaid credit cards. The mooted legislation is intended to fight the funding of terrorism, in spite of a report from Europol less than a week ago which found no fundamental change in the way terrorism is funded in recent years, or any particular connection with virtual currencies.

    In December the EC proposed a Directive on combatting terrorism [PDF] criminalising terrorist financing techniques, as well as training and travel for terrorist purposes. In May 2015 the EU adopted the Fourth Anti-Money Laundering Package, and the new regulations are intended to bring virtual currencies and prepaid cards – and, in effect, any ‘burner’-style anonymous currency methods – under the terms of that legislation, with full oversight.

    The ‘Bitcoin-ban’ will effectively prevent Bitcoin from being turned back into ‘real money’ within the EU, and the primary effect such legislation is likely to have will be in the area of illicit purchases from the ‘dark net’, where users can currently purchase drugs to be posted to an address of their choice from the various outlets that survived the fall of the Silk Road deep web narcotics websites.

    France had asked for all this and more

    The Treasury Department report concludes that ‘The evidence available indicates that digital currencies have been used by illicit actors, but the information does not suggest that digital currencies have, at present, been widely adopted as a payment vehicle in the wider criminal community.’

    Commission presents Action Plan to strengthen the fight against terrorist financing
    The European Commission is today presenting an Action Plan to strengthen the fight against the financing of terrorism.
    http://europa.eu/rapid/press-release_IP-16-202_en.htm

    The recent terrorist attacks in the European Union and beyond demonstrate the need for a strong coordinated European response to combatting terrorism. The European Agenda for Security had identified a number of areas to improve the fight against terrorist financing. Today’s comprehensive Action Plan will deliver a strong and swift response to the current challenges, building on existing EU rules and complementing them where necessary. Through concrete measures, it will adapt or propose additional rules to deal with new threats.

    Vice-President Valdis Dombrovskis, in charge of the Euro and Social Dialogue, said: “With today’s Action Plan we are moving swiftly to clamp down on terrorist financing, starting with legislative proposals in the coming months. We must cut off terrorists’ access to funds, enable authorities to better track financial flows to prevent devastating attacks such as those in Paris last year, and ensure that money laundering and terrorist financing is sanctioned in all Member States. We want to improve the oversight of the many financial means used by terrorists, from cash and cultural artefacts to virtual currencies and anonymous pre-paid cards, while avoiding unnecessary obstacles to the functioning of payments and financial markets for ordinary, law-abiding citizens.”

    Preventing the movement of funds and identifying terrorist funding

    Terrorists are involved in a variety of both licit and illicit activities to finance terrorist acts. Tracking financial flows can help to identify and pursue terrorist networks. New financial tools and payment modes create new vulnerabilities that need to be addressed. Closing off options for terrorism funding is crucial for security, but measures in this field may also touch on the lives and the economic activity of citizens and companies throughout the EU. This is why the Commission’s proposals will balance the need to increase security with the need to protect fundamental rights, including data protection, and economic freedoms.

    https://www.europol.europa.eu/sites/default/files/publications/changes_in_modus_operandi_of_is_in_terrorist_attacks.pdf

    http://ec.europa.eu/dgs/home-affairs/what-we-do/policies/european-agenda-security/legislative-documents/docs/20151202_directive_on_combatting_terrorism_en.pdf

    Reply
  16. Tomi Engdahl says:

    Socat Weak Crypto Draws Suspicions Of a Backdoor
    http://yro.slashdot.org/story/16/02/02/213203/socat-weak-crypto-draws-suspicions-of-a-backdoor

    Socat is the latest open source tool to come under suspicion that it is backdoored. A security advisory published Monday warned that the OpenSSL address implementation in Socat contains a hard-coded Diffie-Hellman 1024-bit prime number that was not prime. “The effective cryptographic strength of a key exchange using these parameters was weaker than the one one could get by using a prime p.”

    Socat Warns Weak Prime Number Could Mean It’s Backdoored
    https://threatpost.com/socat-warns-weak-prime-number-could-mean-its-backdoored/116104/

    Reply
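    Both Socat items above (the Register piece in comment 11 and the Slashdot/Threatpost item here) turn on one fact: the hard-coded DH modulus was not prime, and nobody had checked. The block below is an added example, not Socat’s code or the Openwall advisory, of the sanity check to run on any DH parameters you ship or accept: a Miller-Rabin primality test on p, a check that p is a safe prime (so the subgroup order is large and small-subgroup confinement is off the table), a minimum size, and a range check on g. The parameters fed to it are small constructed values so the example runs in milliseconds; the 1024-bit Socat constant itself is not reproduced here.

```python
"""Sanity-check Diffie-Hellman parameters before trusting them.

Added example, not Socat's or OpenSSL's code. The sample moduli below are
small constructed values for illustration only.
"""
import random

_SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]


def is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin test; False means definitely composite, True means
    prime with error probability at most 4**-rounds."""
    if n < 2:
        return False
    for p in _SMALL_PRIMES:          # cheap trial division first
        if n % p == 0:
            return n == p
    d, r = n - 1, 0                  # write n-1 = d * 2**r with d odd
    while d % 2 == 0:
        d //= 2
        r += 1
    rng = random.Random(0)           # fixed seed: reproducible verdicts
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False             # a witnesses that n is composite
    return True


def check_dh_params(p: int, g: int, min_bits: int = 2048) -> list:
    """Return a list of findings; an empty list means the parameters pass."""
    findings = []
    if not is_probable_prime(p):
        findings.append("p is not prime")
    elif not is_probable_prime((p - 1) // 2):
        findings.append("p is not a safe prime: (p-1)/2 is composite")
    if p.bit_length() < min_bits:
        findings.append(f"p is only {p.bit_length()} bits (want >= {min_bits})")
    if not 1 < g < p - 1:
        findings.append("g is outside the range 1 < g < p-1")
    return findings


# Constructed sample parameters (tiny, for demonstration only):
COMPOSITE_P = 41 * 43        # looks like a prime to naive eyes, is not
MERSENNE_P = 2 ** 127 - 1    # prime, but (p-1)/2 is divisible by 3
SAFE_P = 1019                # 2 * 509 + 1, both prime

if __name__ == "__main__":
    for label, p in (("composite", COMPOSITE_P), ("mersenne", MERSENNE_P),
                     ("safe", SAFE_P)):
        print(label, check_dh_params(p, 2, min_bits=8) or "ok")
```

    In practice you would pull p and g out of the PEM/DER parameter file or the source constant, run the check in CI, and refuse to build if it returns anything; until the fix is in, the advice in the post stands: disable DH cipher suites rather than use parameters of unknown origin.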
  17. Tomi Engdahl says:

    Dan Goodin / Ars Technica:
    eBay tells security firm it has no plans to fix bug that lets attackers bypass restrictions on auction pages and run custom JavaScript — eBay has no plans to fix “severe” bug that allows malware distribution — Clever “JSF**K” technique allows hackers to bypass eBay block of JavaScript.

    eBay has no plans to fix “severe” bug that allows malware distribution
    Clever “JSF**K” technique allows hackers to bypass eBay block of JavaScript.
    http://arstechnica.com/security/2016/02/ebay-has-no-plans-to-fix-severe-bug-that-allows-malware-distribution/

    eBay has no plans to fix a “severe” vulnerability that allows attackers to use the company’s trusted website to distribute malicious code and phishing pages, researchers from security firm Check Point Software said.

    The vulnerability allows attackers to bypass a key restriction that prevents user posts from hosting JavaScript code that gets executed on end-user devices. eBay has long enforced the limitation to prevent scammers from creating auction pages that execute dangerous code or content when they’re viewed by unsuspecting users. Using a highly specialized coding technique known as JSFUCK, hackers can work around this safeguard. The technique allows eBay users to insert JavaScript into their posts that will call a variety of different payloads that can be tailored to the specific browser and device of the visitor.

    The post went on to say that Check Point researchers privately reported the security hole to eBay in mid-December. On January 16, eBay officials informed Check Point that they had no plans to issue a fix. The post didn’t explain the reason behind eBay’s decision.

    eBay Platform Exposed to Severe Vulnerability
    http://blog.checkpoint.com/2016/02/02/ebay-platform-exposed-to-severe-vulnerability/

    Check Point alerts eBay to an online sales platform vulnerability which allows cyber criminals to distribute phishing and malware campaigns.

    eBay, the online auction and e-commerce giant, has locations in over 30 countries and serves more than 150 million active users worldwide. As a successful company with a massive customer base, it’s no surprise that the corporation has been the target of many cyberattacks.

    Check Point has discovered a severe vulnerability in eBay’s online sales platform. This vulnerability allows attackers to bypass eBay’s code validation and control the vulnerable code remotely to execute malicious JavaScript code on targeted eBay users. If this flaw is left unpatched, eBay’s customers will continue to be exposed to potential phishing attacks and data theft.

    Reply
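    The design lesson in the eBay item is that a filter which looks for JavaScript keywords in user-supplied markup is a blocklist, and an encoding such as JSFuck (which spells any JavaScript using only the characters `[]()!+`) gives the blocklist nothing to match. The block below is an added example, not eBay’s or Check Point’s code, that puts a keyword blocklist next to the alternative a platform hosting user HTML should use: an allowlist sanitiser that keeps only known-safe tags and attributes, drops every event-handler attribute regardless of its value, and drops URLs that are not http(s) or site-relative. The sample listing is constructed, and its `onerror` value is a stand-in string, not a working payload.

```python
"""Allowlist sanitiser for user-supplied listing markup.

Added example, not eBay's or Check Point's code. The sample listing is
constructed and the onerror value is a stand-in, not a working payload.
"""
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "b", "i", "u", "br", "ul", "ol", "li", "img", "a"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}}
VOID_TAGS = {"br", "img"}
DROP_CONTENT_TAGS = {"script", "style"}   # tag and its contents both go


def _safe_url(value: str) -> bool:
    v = value.strip().lower()
    return v.startswith(("http://", "https://")) or v.startswith("/")


class AllowlistSanitizer(HTMLParser):
    """Re-emits only allowlisted tags/attributes; everything else is text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._skip = 0   # nesting depth inside script/style

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self._skip += 1
            return
        if self._skip or tag not in ALLOWED_TAGS:
            return       # unknown tag is dropped, its text content kept
        kept = []
        for name, value in attrs:
            # on* handlers never appear in ALLOWED_ATTRS, so the value's
            # spelling (JSFuck or otherwise) is irrelevant
            if name in ALLOWED_ATTRS.get(tag, set()) and value is not None:
                if name in ("href", "src") and not _safe_url(value):
                    continue
                kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self._skip = max(0, self._skip - 1)
            return
        if not self._skip and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(escape(data))


def sanitize(html: str) -> str:
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


def naive_blocklist_ok(html: str) -> bool:
    """The keyword check an alphabet-free encoding walks straight past."""
    lowered = html.lower()
    return not any(bad in lowered
                   for bad in ("<script", "javascript:", "alert(", "document."))


# Constructed listing: the onerror value is a stand-in, not real JSFuck.
SAMPLE_LISTING = (
    '<p>Mint <b>condition</b> camera</p>'
    '<img src="https://cdn.example/cam.jpg" onerror="[][(![]+[])[+!![]]]()">'
    '<a href="https://seller.example/more">details</a>'
)

if __name__ == "__main__":
    print("blocklist accepts:", naive_blocklist_ok(SAMPLE_LISTING))
    print("sanitised:", sanitize(SAMPLE_LISTING))
```

    The blocklist passes the listing untouched because none of its keywords appear; the sanitiser emits the same listing minus the `onerror` attribute, because handlers were never on the allowlist to begin with.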
  18. Tomi Engdahl says:

    Liam Tung / ZDNet:
    Google’s Project Zero details security flaws in Malwarebytes software 90 days after privately disclosing; fix could take three weeks

    Google lays bare security flaws in anti-malware product with 250 million users
    http://www.zdnet.com/article/google-lays-bare-security-flaws-in-anti-malware-product-with-250-million-users/

    Malwarebytes says it will take about a month to deploy a patch to fix vulnerabilities found by Google’s Project Zero bug hunters.

    Google’s bug-hunting squad, Project Zero, first notified the internet-security firm of the four vulnerabilities in November but on Tuesday went ahead and detailed the separate flaws and attack methods in a redacted report published on the group’s bug repository.

    Project Zero researcher Tavis Ormandy found that the Malwarebytes client was fetching malware signature updates over unencrypted HTTP, leaving those definitions open to tampering in a man-in-the-middle attack.

    Project Zero offers vendors 90 days to fix flaws and alert customers before publishing details of bugs its researchers have found. Malwarebytes appears to have been given an extension, with its grace period technically having expired on January 11.

    “Unfortunately, vulnerabilities are the harsh reality of software development,” Kleczynski said. “A vulnerability disclosure program is one way to accelerate the discovery of these vulnerabilities and empower companies like Malwarebytes to fix them.”

    They have also come under the spotlight following a report by The Intercept that Britain’s GCHQ had sought a warrant to probe Kaspersky antivirus for security flaws to aid its own hacking efforts.

    The NSA has also taken a keen interest in non-US antivirus products, including Kaspersky, ESET, and F-Secure.

    Reply
  19. Tomi Engdahl says:

    MIT paints giant target on new “hack-proof” chip
    Opinion: Stop calling things “hack-proof.”
    http://www.zdnet.com/article/mit-paints-giant-target-on-hack-proof-contactless-chip/

    MIT researchers and Texas Instruments have developed a new radio-frequency identification (RFID) chip that they call “hack-proof.”

    The high-security chip, if it hits mainstream adoption, could well be a game-changer that could help prevent credit card fraud (through contactless payments), for instance. That’s because it sets itself apart from other RFID-chips. The chip is able to resist power-glitch attacks, which can be used to bypass limits on incorrect password entries in password-protected devices, because it comes with on-board power that is “virtually impossible to cut,” according to the press release.

    Hack-proof RFID chips
    New technology could secure credit cards, key cards, and pallets of goods in warehouses.
    http://news.mit.edu/2016/hack-proof-rfid-chips-0203

    Reply
  20. Tomi Engdahl says:

    College kids sue Google for ‘spying’ on them with Apps for Education
    Cali group says lawsuit is first of many privacy sueballs against Chocolate Factory
    http://www.theregister.co.uk/2016/02/03/college_students_sue_google/

    A group of four current and former University of California, Berkeley students are suing Google, claiming its Apps for Education service illegally spied on them.

    In a suit [PDF] filed in the US Northern California district court, the group says Google used its education bundles to intercept student emails without their notification or consent.

    The email content, the suit claims, was analyzed by Google and used to generate advertising profiles. UC Berkeley offers the Apps for Education package to both its students and faculty.

    https://consumermediallc.files.wordpress.com/2016/02/googlecompt.pdf

    Reply
  21. Tomi Engdahl says:

    Google says Comodo’s ‘secure’ browser isn’t safe to use at all
    http://thenextweb.com/google/2016/02/03/google-says-comodos-secure-browser-isnt-safe-to-use-at-all/

    In an advisory published today, a Google engineer has pointed out that security firm Comodo’s suite of tools to stay safe online actually exposes users to possible attacks.

    Tavis Ormandy, an information security engineer at Google, reports that the Comodo Internet Security suite installs a new browser called Chromodo and sets it as default during setup.

    Ormandy says that when you install Comodo Internet Security, “All shortcuts are replaced with Chromodo links and all settings, cookies, etc are imported from Chrome. They also hijack DNS settings, among other shady practices.”

    What’s especially worrying is that Chromodo disables Chrome’s same-origin policy, which allows a script to access data in another script only if they’re both from the same site.

    Without this setting in place, users are vulnerable to attackers who could attempt to intercept their traffic via malicious sites.

    Update: Charles Zinkowski, director of corporate communications for Comodo, said in a statement:

    ” The vulnerability was not with Comodo or the Chromodo browser itself, but rather with an add-on. It has been fixed and addressed.”

    Issue 704: Comodo: Comodo “Chromodo” Browser disables same origin policy, Effectively turning off web security.
    https://code.google.com/p/google-security-research/issues/detail?id=704

    Reply
  22. Tomi Engdahl says:

    Amazon launches Certificate Manager, offering free SSL/TLS certificates for AWS resources
    http://www.geekwire.com/2016/amazon-launches-certificate-manager-offering-free-ssltls-certificates-for-aws-resources/

    Amazon has announced a new service called AWS Certificate Manager, offering free SSL/TLS certificates for AWS resources. Back in June, GeekWire reported that Amazon had applied to become a root certificate authority, and now it is clear what that application was for.

    Secure Socket Layer (SSL) / Transport Security Layer (TLS) certificates enable encrypted communication over a network, most often between a web server and a web browser. These certificates are purchased from third-party certificate providers like Symantec, Comodo and RapidSSL and can cost $50 to hundreds of dollars, depending on the level of identity verification performed.

    Offering free SSL certificates for AWS resources is going to grab the attention of developers. Many spend hundreds, if not thousands, of dollars each year to obtain and renew certificates. Now an AWS developer can add free certificates to run their applications on services like Elastic Load Balancer and Amazon CloudFront distributions.

    The process of obtaining a new certificate has always been messy, requiring the generation of a Certificate Signing Request on the server being protected, sending that request to a certificate provider, and then installing the certificate once it is received. Since Amazon is managing the whole process, all of that goes away and certificates can be quickly issued and provisioned on AWS resources automatically.

    Certificate renewal is another pain point that AWS hopes to solve. Tracking certificate renewal dates, making sure that payment methods are current and then installing the renewal certificate can be more painful than obtaining the original certificate. Many developers have mistakenly let a certificate lapse, bringing down their application for users.

    Reply
  23. Tomi Engdahl says:

    Experts question customized TLS implementation after Amazon s2n flaw
    http://searchsecurity.techtarget.com/news/4500259922/Experts-question-customized-TLS-implementation-after-Amazon-s2n-flaw

    Amazon’s s2n passed its first test by patching a flaw quickly, but experts said enterprises still need to be wary of the complexities surrounding TLS implementation.

    Reply
  24. Tomi Engdahl says:

    Marco Rubio Wants To Permanently Extend NSA Mass Surveillance
    http://politics.slashdot.org/story/16/02/04/221228/marco-rubio-wants-to-permanently-extend-nsa-mass-surveillance

    Marco Rubio wants Congress to permanently extend the authorities governing several of the National Security Agency’s controversial spying programs, including its mass surveillance of domestic phone records. The Florida Republican and 2016 presidential hopeful penned an op-ed on Tuesday condemning President Obama’s counterterrorism policies and warning that the U.S. has not learned the “fundamental lessons of the terrorist attacks of Sept. 11, 2001.”

    Marco Rubio Wants to Permanently Extend NSA Mass Surveillance
    http://www.nationaljournal.com/s/32926/marco-rubio-wants-permanently-extend-nsa-mass-surveillance

    The Florida Republican and likely White House contender is further separating himself from other 2016 hopefuls in the Senate.

    Rubio called on Congress to permanently reauthorize core provisions of the post-9/11 USA Patriot Act, which are due to sunset on June 1 of this year and provide the intelligence community with much of its surveillance power.

    “This year, a new Republican majority in both houses of Congress will have to extend current authorities under the Foreign Intelligence Surveillance Act, and I urge my colleagues to consider a permanent extension of the counterterrorism tools our intelligence community relies on to keep the American people safe,” Rubio wrote in a Fox News op-ed.

    Rubio for years has positioned himself as a vocal defense hawk in Congress, and he has repeatedly defended the NSA’s spy programs revealed to the public by former agency contractor Edward Snowden.

    It also underscores the divisions among Rubio and his fellow Republican senators expected to jockey for the White House—namely, Sens. Ted Cruz of Texas and Rand Paul of Kentucky.

    Paul has vowed to work to block the Patriot Act’s reauthorization entirely this year

    “If Senator Rubio believes that millions of innocent Americans should be subject to intrusive and unconstitutional government surveillance, surely he would have no objections to the government monitoring his own actions and conversations,” Polis said in a statement Tuesday. “Maybe after his 2016 strategy documents are accidentally caught up in a government data grab, he’ll rethink the use of mass surveillance.”

    Reply
  25. Tomi Engdahl says:

    Hackers attack 20 mln accounts on Alibaba’s Taobao shopping site
    http://www.reuters.com/article/alibaba-cyber-idUSL3N15J1P2

    Feb 4 Hackers in China attempted to access over 20 million active accounts on Alibaba Group Holding Ltd’s Taobao e-commerce website using Alibaba’s own cloud computing service, according to a state media report posted on the Internet regulator’s website.

    Analysts said the report from The Paper led to the price of Alibaba’s U.S.-listed shares falling as much as 3.7 percent in late Wednesday trade.

    An Alibaba spokesman on Thursday said the company detected the attack in “the first instance”, reminded users to change passwords, and worked closely with the police investigation.

    Chinese companies are grappling with a sharp rise in the number of cyber attacks, and cyber security experts say firms have a long way to go before defences catch up to U.S. counterparts.

    In the latest case, hackers obtained a database of 99 million usernames and passwords from a number of websites, according to a separate report on a website managed by the Ministry of Public Security.

    The hackers then used Alibaba’s cloud computing platform to input the details into Taobao. Of the 99 million usernames, they found 20.59 million were also being used for Taobao accounts, the ministry website said.

    Reply
  26. Tomi Engdahl says:

    Your brain is your key
    Brainprints could replace passwords
    http://www.binghamton.edu/magazine/index.php/magazine/feature/your-brain-is-your-key

    Do you like pizza? Would you consider yourself a boat enthusiast, a landlubber or none of the above? Does comedian Adam Sandler make you laugh or make you cringe?

    Your responses to certain stimuli — foods, celebrities, words, seafaring vessels, you name it — might seem trivial, but they say a lot about you. In fact (with the proper clearance), these responses could gain you access to restricted areas of the Pentagon.

    A new technology developed at Binghamton University can identify you simply by measuring your brain’s response to different stimuli. The technology has garnered attention from media outlets around the world, including National Geographic, which spent a day interviewing and filming on campus. It’s called brainprint, and it could revolutionize the security industry.

    “When you take hundreds of these images, where every person is going to feel differently about each individual one, then you can be really accurate in identifying which person it was who looked at them just by their brain activity,” Laszlo says.

    The new biometric

    If you’ve ever used a fingerprint scanner to access a gym or your smartphone, you’ve used a biometric system.

    The idea of using brain activity as a biometric had been proposed before, but most of these approaches focused on active thinking. For example, you would think of a car, your brain activity would be recorded, and you would access the system again by thinking of the same car. Brainprint is different.

    “The key idea is that we want to identify and recognize the individual person based on their inside thinking. Inside-brain activity is not visible to anyone else,” Jin says. “Even more exciting is that we want to use a nonvolitional response. That means even the user cannot be aware of it.”

    Laszlo and Jin want to establish a new biometric, one that can’t be compromised. It’s gruesome to think about, but someone could easily cut off your finger and use your fingerprint to impersonate you.

    “If someone’s fingerprint is stolen, that person can’t just grow a new finger to replace the compromised fingerprint — the fingerprint for that person is compromised forever,” Laszlo says. “Fingerprints are ‘non-cancellable.’ Brainprints, on the other hand, are potentially cancellable. So, in the unlikely event that attackers were actually able to steal a brainprint from an authorized user, the authorized user could then ‘reset’ his brainprint.”

    If a criminal tried to force someone, at gunpoint, to use his or her brainprint, the person wouldn’t have the capability to do so.

    “We think that you can’t even threaten somebody and have their brainprint still work, because if you threaten someone, say with violence, that makes them stressed out,”

    While engineers have been responsible for most attempts at brain biometrics, brainprint is the result of a unique collaboration between an engineer [Jin] and a psychologist [Laszlo].

    Reply
  27. Tomi Engdahl says:

    Dating site users regularly scammed
    http://www.bbc.com/news/technology-35482216

    Almost half of the people who use dating sites and apps have been scammed or spammed, suggests research.

    Carried out by security firm Symantec, the study quizzed more than 3,000 people across Europe about what happened when they searched for love.

    Daters fell victim to blackmail, were subjected to revenge porn and were tricked by people who assumed fake identities to steal cash.

    One expert said scammers pass around lists of people who are susceptible.

    While most people found what they were looking for via dating apps and sites, for some it was a more fraught experience that cost them much emotionally and sometimes financially, said Nick Shaw, European head of Symantec’s Norton division.

    “When people go online looking for love and affection they may not be as vigilant as they might be elsewhere,” he said. “They look for the good rather than the bad.”

    Software bots

    The research showed that 48% of those questioned in the UK, France and Germany for the survey had received spam and scam messages from others on dating services.

    Around 32% had received requests for cash from the people they got talking to and 28% had been catfished – ie tricked by someone who had assumed a fake identity by stealing images or videos.

    About 32% had been threatened with the release of compromising images they had shared and 11% had seen this content put online without their consent.

    Reply
  28. Tomi Engdahl says:

    Mystery hacker pwns Dridex Trojan botnet… to serve antivirus installer
    Ah, great. Ave AV
    http://www.theregister.co.uk/2016/02/04/dridex_botnet_pwned/

    Part of the distribution channel of the Dridex banking Trojan botnet may have been hacked, with malicious links replaced by installers for Avira Antivirus.

    Avira reckons the pwnage is down to the work of an unknown white hat hacker.

    The Dridex botnet remains a menace even after a high profile takedown operation in late 2015. Malicious code used to seed Dridex typically comes in the form of spam messages with malicious attachments, often a Word document embedded with malicious macros.

    Once the file has been opened, the macros download the payload from a hijacked server, and the computer is infected. Dridex creates a key-logger on infected computers as well as using transparent redirects and webinjects to manipulate banking websites.

    But the recent hack means part of the botnet has been requisitioned to quite different ends. “The content behind the malware download URL has been replaced, it’s now providing an original, up-to-date Avira web installer instead of the usual Dridex loader,” explained Moritz Kroll, a malware expert at Avira.

    The end result is that instead of the Dridex malware that they would have received, victims get a valid, signed copy of Avira instead.

    “We still don’t know exactly who is doing this with our installer and why – but we have some theories,”

    “A whitehat may have hacked into infected web servers using the same vulnerabilities the malware authors used in the first place and has replaced the bad stuff with the Avira installer,”

    Reply
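The infection chain above starts with a Word attachment carrying VBA macros. As an added example (not code from The Register, Avira or this blog), here is a stdlib-only Python triage routine of the kind a mail gateway would run on attachments before users open them: it ignores the attacker-controlled file extension and looks at the container itself, flagging OOXML files that carry a vbaProject.bin part or declare the macro-enabled content type, and legacy OLE binaries that need deeper inspection. The sample attachments are constructed in memory so the script runs offline; they are minimal containers, not real Word documents.

```python
"""Added example: triaging mail attachments for the macro-carrying Word
documents used to seed Dridex. Stdlib only; the sample documents are
constructed in memory so the script runs offline."""
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls compound file header
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML (.docx/.docm) is a zip container
MACRO_CONTENT_TYPE = b"application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_CONTENT_TYPE = (b"application/vnd.openxmlformats-officedocument"
                      b".wordprocessingml.document.main+xml")


def classify_attachment(data):
    """Return one of: 'ole-binary', 'ooxml-macro', 'ooxml-clean', 'other'.

    OOXML is only a zip; the macro project lives in a vbaProject.bin part,
    and a macro-enabled document also declares the macroEnabled content
    type. Either signal is enough to treat the file as macro-bearing, even
    when the extension says .docx.
    """
    if data.startswith(OLE_MAGIC):
        # Legacy binary Word: macros would sit inside OLE streams, which
        # needs an OLE/VBA parser (e.g. oletools' olevba) to inspect, so
        # hand it to deeper analysis rather than passing it through.
        return "ole-binary"
    if not data.startswith(ZIP_MAGIC):
        return "other"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            has_vba_part = any(n.lower().endswith("vbaproject.bin") for n in names)
            declares_macro = False
            if "[Content_Types].xml" in names:
                declares_macro = MACRO_CONTENT_TYPE in zf.read("[Content_Types].xml")
    except zipfile.BadZipFile:
        return "other"
    return "ooxml-macro" if (has_vba_part or declares_macro) else "ooxml-clean"


def build_ooxml(with_macro):
    """Constructed minimal OOXML container (the shape, not a real Word file)."""
    main_type = MACRO_CONTENT_TYPE if with_macro else PLAIN_CONTENT_TYPE
    content_types = (b'<?xml version="1.0"?><Types>'
                     b'<Override PartName="/word/document.xml" ContentType="'
                     + main_type + b'"/></Types>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", b"<w:document/>")
        if with_macro:
            # a real vbaProject.bin is itself an OLE compound file
            zf.writestr("word/vbaProject.bin", OLE_MAGIC + bytes(24))
    return buf.getvalue()


def triage(attachments):
    """attachments: {filename: bytes} -> {filename: verdict}.
    The filename is deliberately not consulted; only the bytes are."""
    return {name: classify_attachment(data) for name, data in attachments.items()}


# Constructed sample set: a macro document renamed to look harmless, a
# clean document with a scary extension, a legacy binary, and a text file.
SAMPLE_ATTACHMENTS = {
    "invoice.docx": build_ooxml(with_macro=True),
    "report.docm": build_ooxml(with_macro=False),
    "old_contract.doc": OLE_MAGIC + bytes(504),
    "notes.txt": b"plain text",
}

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_ATTACHMENTS).items():
        print(f"{name}: {verdict}")
```

A gateway policy built on this would quarantine `ooxml-macro` outright and route `ole-binary` through a VBA extractor before delivery; the point of classifying by container rather than extension is that `invoice.docx` above is a macro document in disguise and is caught anyway.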
  29. Tomi Engdahl says:

    Everything You Need To Know About the Big New Data-Privacy Bill In Congress
    http://politics.slashdot.org/story/16/02/05/0041208/everything-you-need-to-know-about-the-big-new-data-privacy-bill-in-congress

    The United States and the European Union have agreed to a transatlantic data-sharing arrangement to protect U.S. companies’ overseas activities and European citizens’ privacy, but another initiative—one that’s still working its way through Congress—could be just as important to U.S.–E.U. relations and transnational privacy rights. The Judicial Redress Act is considered essential to a broader agreement between the U.S. and Europe over the sharing of data in criminal and terrorism investigations.

    Everything you need to know about the big new data-privacy bill in Congress
    http://www.dailydot.com/politics/what-is-the-judicial-redress-act-europe-data-privacy-bill/

    The Judicial Redress Act is considered essential to a broader agreement between the U.S. and Europe over the sharing of data in criminal and terrorism investigations. The negotiations over the newly announced E.U.–U.S. Privacy Shield may have received more attention, but the concerns at the heart of this bill are no less important.

    What does the Judicial Redress Act do?

    The bill authorizes the attorney general to extend the protections of the Privacy Act of 1974 to the citizens of designated foreign countries.

    The Privacy Act empowers Americans to challenge U.S. companies’ disclosure of their private data to the government, as well as the government’s use of the data and any inaccuracies in resulting federal records about them.

    Why is this important?

    Government agencies regularly use warrants to compel U.S. tech companies to turn over user data—including that of foreigners—but only U.S. citizens, relying on the Privacy Act, can challenge those procedures.

    Americans and Europeans may differ on many questions of governance, but they agree that privacy and checks on government power are important. Privacy is considered a fundamental right in the European Union, akin to freedom of speech in the United States.

    The amendment says that the attorney general can only add foreign countries to the Privacy Act list if he or she certifies that:
    1. The country has a deal with the U.S. regarding privacy protections for data shared in the course of joint investigations, or has “effectively shared” such information with the U.S. and adequately protects privacy;
    2. The country allows U.S. companies to transfer its citizens’ data between its territory and the United States; and
    3. The aforementioned data-transfer agreement does not “materially impede the national security interests of the United States.”

    Why is this problematic? Because conservative lawmakers are concerned that Privacy Shield, the newly announced data-transfer agreement, will impede national-security investigations. By requiring the attorney general to certify otherwise, this amendment raises the bar for implementing the law.

    Okay, and who’s on the other side? Who’s pressing for the bill?

    The U.S. tech industry.

    Last week, after the bill passed the Senate committee, the Information Technology Industry Council urged the full chamber to “quickly pass the Judicial Redress Act to improve national security and our collective economies.”

    Reply
  30. Tomi Engdahl says:

    Anti-Malware Maker Files Lawsuit Over Bad Review
    http://yro.slashdot.org/story/16/02/05/0148212/anti-malware-maker-files-lawsuit-over-bad-review

    In a lawsuit filed January 8, 2016, Enigma Software, maker of anti-malware software SpyHunter, accuses self-help portal Bleeping Computer of making ‘false, disparaging, and defamatory statements.’ At issue: a bad review posted by a user in September, 2014. The lawsuit also accuses Bleeping Computer of profiting from driving traffic to competitor Malwarebytes via affiliate links:

    http://www.bleepingcomputer.com/frivolous-lawsuits/enigma-software/Enigma-Software-vs-BleepingComputer.com-Amended.pdf

    Reply
  31. Tomi Engdahl says:

    Justin Lynch / Motherboard:
    The tragedy of Ethiopia’s internet: an instrument of surveillance, and only 3.7% have access
    http://motherboard.vice.com/read/the-tragedy-of-ethiopias-internet

    Reply
  32. Tomi Engdahl says:

    Steve Ragan / CSO:
    Hackers leak names and contact details of over 9K DHS staff, claim DOJ is next — Hackers leak DHS staff directory, claim DOJ is next — Staff directory contains details on over 9,000 employees — On Sunday, an account on Twitter posted a Department of Homeland Security staff directory with 9,355 names.

    Hackers leak DHS staff directory, claim DOJ is next
    http://www.csoonline.com/article/3030702/security/hackers-leak-dhs-staff-directory-claim-doj-is-next.html

    Staff directory contains details on over 9,000 employees

    On Sunday, an account on Twitter posted a Department of Homeland Security staff directory with 9,355 names. Shortly after the DHS data was posted, the account went on to claim that an additional data dump focused on 20,000 FBI employees was next.

    The published staff directory is exactly what you think it is – the name, title, email address, and phone number of more than 9,000 DHS employees.

    The titles range from engineers, to security specialists, program analysts, InfoSec and IT, all the way up to director level. More than 100 staffers are listed with an Intelligence related title.

    Calls placed to the phone numbers listed went directly to voicemail in most cases, but checks against other public staff directories confirmed the list.

    As for why the data was posted to begin with, the message with the posted staff directory stated simply:

    “This is for Palestine, Ramallah, West Bank, Gaza, This is for the child that is searching for an answer…”

    Reply
  33. Tomi Engdahl says:

    How to Crack Open a SentrySafe in Less Than 5 Seconds (VIDEO)

    SentrySafe is the most respected fire safe manufacturer in the country, but you don’t need an electronic code, or any special skills, to gain access to what’s locked away inside.

    In the video above, a guy named Mr. Locksmith shows you how to open an 86-pound SentrySafe in less than five seconds with a rare-Earth magnet.

    Open Sentry Safe in less than 5 seconds.
    https://www.youtube.com/watch?v=ApJQ2wcYjBo

    New Sentry Electronic Fire Safe Opened in Seconds with No Sign of Entry Video
    https://www.youtube.com/watch?v=u3p5KUNfDG0

    Reply
  34. Tomi Engdahl says:

    Don’t Trust Your Hotel Room Safe
    https://www.youtube.com/watch?v=vW7M84khZy8

    The safe in our hotel room can be opened with all zeros.

    How secure is your hotel safe?
    https://www.youtube.com/watch?v=sg-Ib5Echns

    Reply
  35. Tomi Engdahl says:

    Julia Fioretti / Reuters:
    French data protection authority gives Facebook three months to stop tracking non-users and halt some transfers of personal data to US

    French data privacy regulator cracks down on Facebook
    http://www.reuters.com/article/us-facebook-france-privacy-idUSKCN0VH1U1

    The French data protection authority on Monday gave Facebook three months to stop tracking non-users’ web activity without their consent and ordered the social network to stop some transfers of personal data to the United States.

    The French order is the first significant action to be taken against a company transferring Europeans’ data to the United States following an EU court ruling last year that struck down an agreement that had been relied on by thousands of companies, including Facebook, to avoid cumbersome EU data transfer rules.

    The transatlantic Safe Harbour pact was ruled illegal last year amid concerns over mass U.S. government snooping and EU data protection authorities said firms had three months to set up alternative legal arrangements for transferring data.

    That deadline expired last week meaning regulators can now start taking legal action against companies still relying on Safe Harbour for approval to transfer data.

    Reply
  36. Tomi Engdahl says:

    Eric Geller / The Daily Dot:
    Obama unveils $19B Cybersecurity National Action Plan, asking Congress for 35% increase in cybersecurity funding

    Obama unveils $19 billion plan to overhaul U.S. cybersecurity
    http://www.dailydot.com/politics/obama-cybersecurity-national-action-plan-budget-request/

    President Obama on Tuesday unveiled an expansive plan to bolster government and private-sector cybersecurity, establishing a federal coordinator for cyber efforts, proposing a commission to study future work, and asking Congress for funds to overhaul dangerously obsolete computer systems.

    The Cybersecurity National Action Plan contains initiatives to better prepare college students for cybersecurity careers, streamline federal computer networks, and certify Internet-connected devices as secure. It also establishes a Federal Privacy Council to review how the government stores Americans’ personal information, creates the post of Chief Information Security Officer, and establishes a Commission on Enhancing National Cybersecurity.

    “I’m confident that if we take these steps, we can make a difference and substantially improve our cybersecurity both now and in the long run,” Michael Daniel, Obama’s cybersecurity coordinator, told reporters during a press call on Monday afternoon.

    Reply
  37. Tomi Engdahl says:

    Lucian Constantin / PCWorld:
    Identity thieves obtain 100,000 electronic filing PINs from IRS system — The automated attack attempted to obtain E-file PINS for over 460,000 people using previously stolen personal data — The Internal Revenue Service was the target of an attack that used stolen social security numbers …

    Identity thieves obtain 100,000 electronic filing PINs from IRS system
    http://www.pcworld.com/article/3031906/security/identity-thieves-obtain-100000-electronic-filing-pins-from-irs-system.html

    The automated attack attempted to obtain E-file PINS for over 460,000 people using previously stolen personal data

    The Internal Revenue Service was the target of an attack that used stolen social security numbers and other taxpayer data to obtain PINs that can be used to file tax returns electronically.

    The attack occurred in January and targeted an IRS Web application that taxpayers use to obtain their so-called Electronic Filing (E-file) PINs. The app requires taxpayer information such as name, Social Security number, date of birth and full address.

    Attackers attempted to obtain E-file PINs corresponding to 464,000 unique SSNs using an automated bot, and did so successfully for 101,000 SSNs before the IRS blocked it.

    The personal taxpayer data used during the attack was not obtained from the IRS, but was stolen elsewhere, the agency said in a statement.

    Reply
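Both the Taobao incident in comment 25 (a stolen 99-million-entry credential list replayed against accounts, 20.59 million of which matched) and the IRS E-file PIN attack above (464,000 identities tried by a bot, 101,000 successful before it was blocked) have the same shape in the logs: one source working through a long list of distinct identities, with a substantial share of attempts succeeding. As an added example, not code from Reuters, PCWorld, Alibaba, the IRS or this blog, here is a stdlib-only Python detector for that pattern. It flags a source by the breadth of identities it tries inside a time window rather than by failure rate, because in these runs a large fraction of attempts succeed and a failures-only rule fires late or not at all. The log format and the sample lines are constructed for the example.

```python
"""Added example: spotting automated identity enumeration / credential
stuffing in authentication logs. Constructed log format, one line per
attempt:
    2016-02-04T10:00:00Z src=203.0.113.7 id=u000 result=OK
"""
from collections import defaultdict
from datetime import datetime, timedelta


def parse_line(line):
    """Turn one log line into a dict with a datetime, src, id and result."""
    ts_text, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {
        "ts": datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ"),
        "src": fields["src"],
        "id": fields["id"],
        "result": fields["result"],
    }


def detect_enumeration(lines, window=timedelta(minutes=10), min_identities=20):
    """Flag sources that try at least `min_identities` distinct identities
    inside any span of length `window`.

    Breadth of identities per source is the signal, not the failure rate:
    when the attacker replays stolen credentials or stolen PII, many
    attempts succeed, so a high-failure rule alone misses the run.
    """
    events = sorted((parse_line(l) for l in lines), key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)

    alerts = {}
    for src, evs in by_src.items():
        best = 0
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until the span fits in `window`
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            best = max(best, len({e["id"] for e in evs[start:end + 1]}))
        if best >= min_identities:
            alerts[src] = {
                "distinct_identities": best,
                "attempts": len(evs),
                "failures": sum(e["result"] == "FAIL" for e in evs),
                # identities the attacker has now confirmed: these need a
                # forced credential reset, not only a blocked source address
                "confirmed_identities": sorted({e["id"] for e in evs if e["result"] == "OK"}),
            }
    return alerts


def build_sample_lines():
    """Constructed sample: one bot walking a stolen list, one real user."""
    t0 = datetime(2016, 2, 4, 10, 0, 0)
    lines = []
    for i in range(60):
        ts = (t0 + timedelta(seconds=5 * i)).strftime("%Y-%m-%dT%H:%M:%SZ")
        result = "OK" if i % 5 == 0 else "FAIL"   # about one in five stolen entries still works
        lines.append(f"{ts} src=203.0.113.7 id=u{i:03d} result={result}")
    for i, result in enumerate(["FAIL", "FAIL", "OK"]):
        ts = (t0 + timedelta(seconds=30 * i)).strftime("%Y-%m-%dT%H:%M:%SZ")
        lines.append(f"{ts} src=198.51.100.23 id=alice result={result}")
    return lines


SAMPLE_LINES = build_sample_lines()

if __name__ == "__main__":
    for src, info in detect_enumeration(SAMPLE_LINES).items():
        print(src, info["distinct_identities"], "identities tried,",
              len(info["confirmed_identities"]), "confirmed")
```

Keying on the source address is the weak part of this: in the Taobao case the traffic came from the provider's own cloud, and a bot spread over many rented addresses shrinks the per-source count below the threshold. The same window logic applied per network block, per user agent or per session token closes that gap, and the `confirmed_identities` list is the part that matters for response, since those accounts need a reset whether or not the source is blocked.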
  38. Tomi Engdahl says:

    Guardian:
    US intelligence chief James Clapper says IoT vulnerabilities may be exploited to improve surveillance

    US intelligence chief: we might use the internet of things to spy on you
    http://www.theguardian.com/technology/2016/feb/09/internet-of-things-smart-home-devices-government-surveillance-james-clapper

    James Clapper did not name specific agency as being involved in surveillance via smart-home devices but said in congressional testimony it is a distinct possibility

    The US intelligence chief has acknowledged for the first time that agencies might use a new generation of smart household devices to increase their surveillance capabilities.

    As increasing numbers of devices connect to the internet and to one another, the so-called internet of things promises consumers increased convenience – the remotely operated thermostat from Google-owned Nest is a leading example. But as home computing migrates away from the laptop, the tablet and the smartphone, experts warn that the security features on the coming wave of automobiles, dishwashers and alarm systems lag far behind.

    “In the future, intelligence services might use the [internet of things] for identification, surveillance, monitoring, location tracking, and targeting for recruitment, or to gain access to networks or user credentials,” Clapper said.

    Clapper did not specifically name any intelligence agency as involved in household-device surveillance.

    Reply
  39. Tomi Engdahl says:

    Cisco ASA IKEv1- and IKEv2 implementation has a critical vulnerability

    A critical vulnerability has been fixed in the Internet Key Exchange (IKEv1 and IKEv2) implementations in Cisco ASA firmware. The vulnerability allows an attacker to execute code on the device or cause a denial of service by sending it specially crafted UDP packets.

    Source: https://www.viestintavirasto.fi/kyberturvallisuus/haavoittuvuudet/2016/haavoittuvuus-2016-025.html

    More:

    Critical Cisco ASA IKEv2/v2 Vulnerability. Active Scanning Detected
    https://isc.sans.edu/forums/diary/Critical+Cisco+ASA+IKEv2v2+Vulnerability+Active+Scanning+Detected/20719/

    Reply
  40. Tomi Engdahl says:

    EMV, IoT and Board Agendas Shape Cyber Fraud
    http://www.securityweek.com/emv-iot-and-board-agendas-shape-cyber-fraud

    Cyber crime and financial fraud are converging as fraud becomes a preferred method to monetize stolen data. As a result, cyber security as a profession is evolving rapidly, and becoming a necessity in government agencies and private sector organizations. That alignment of interests, coupled with a technology and technique arms race, is manifesting a never-ending struggle. Pitted against organized crime, nation-states, and other attackers are businesses, regulators, law enforcement and security professionals working to exploit or defend vulnerabilities respectively.

    Based on our work in cyber defense and fraud prevention, BAE Systems has identified three major developments related to information security that in the coming months will have material impacts on both people and business.

    First, a significant reduction of in-person credit card fraud in the U.S. is imminent due to the implementation of “Chip and Signature,” or the EMV (Europay, MasterCard, Visa) technical standard for point-of-sale vendor payment terminals.

    Next, the growth of the Internet of Things (IoT), the universe of Internet-enabled physical objects, such as devices, vehicles, and buildings, will greatly compound cyber risk exposure for both consumers and companies. Vulnerabilities in toys, cars, printers, and other inter-connected devices have already been demonstrated.

    Lastly, cyber defense will complete its evolution from an information technology (IT) issue to a company-wide matter, touching on supply chains, contractors, and third parties that represent weak links or access points for attacks.

    Reply
  41. Tomi Engdahl says:

    Charting a Middle Path on the Encryption Debate
    http://www.securityweek.com/charting-middle-path-encryption-debate

    Information security is one of those big ideas that affects us at all levels, whether as individuals, businesses, nations, and even international relations. In most cases, these different perspectives bring equally different concerns and challenges to security. Yet today, the debate on encryption is replaying across the spectrum of information security.

    The issue is that while everyone wants their own data to remain private, things get a bit murky when bad guys start using encryption to hide their actions. Law enforcement and intelligence agencies want the ability to peer into a suspect’s secrets in order to prevent a crime. Enterprise security likewise, wants to see into encrypted traffic in order to reveal malicious content and attacks.

    The problem is that asking for security backdoors that only benefit the good guys is like asking for bullets that only hurt the bad guys. Legal and political wrangling aside, that’s simply not how encryption works. Math works equally well for everyone, and an encryption scheme is either sound or not. Vulnerabilities are available to anyone who finds them.

    The recent incident of backdoors found in Juniper firewalls provides a spot-on example. Juniper discovered that an unknown remote attacker compromised its firewalls by planting malicious code in its operating system. This vulnerability impacted a wide variety of organizations, from private enterprises to governments and the U.S. Department of Defense.

    The irony is that early analysis indicates that the planted code was made possible due to an encryption backdoor that is believed to be the work of the NSA. Regardless of who was behind the original flaw, it’s a stinging example of how any vulnerability in encryption schemes, no matter how small, can lead to serious damage. The backdoor that allows you to spy can be used to spy on you.

    A similar event continues to play out in enterprise networks, although in reverse. Organizations increasingly want to perform SSL decryption on their end-users’ traffic to find hidden exploits or malware that might be hiding inside.

    The problem is that SSL decryption schemes make use of some of the same man-in-the-middle techniques that allow attackers to commit fraud.

    However, all is not lost. New approaches to detecting threats are gaining momentum that don’t rely on breaking encryption in order to analyze or detect a threat. Instead of taking a “payload or bust” approach, new analysis models leverage metadata to reveal threats and malicious intent.

    Reply
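The article's closing point, that threats can be analyzed from metadata without an SSL-interception middlebox, is easier to judge with a concrete look at what a TLS ClientHello exposes in the clear. As an added example (not code from SecurityWeek or this blog), here is a stdlib-only Python parser for that record: it extracts the version, offered cipher suites, extension list, SNI hostname, supported groups and point formats, derives a JA3-style fingerprint from the hello's shape, and flags weak cipher offers, all without any key material. The ClientHello is constructed by `build_client_hello()` so the script runs offline; its field values are illustrative, and the weak-cipher list is a small hand-picked set.

```python
"""Added example: reading TLS ClientHello metadata without decrypting anything.
Stdlib only. The ClientHello is constructed by build_client_hello() so the
script runs offline; field values are illustrative."""
import hashlib
import os
import struct

# Cipher suite codes (from the TLS registry) that no 2016 client should offer
WEAK_CIPHERS = {
    0x0001: "TLS_RSA_WITH_NULL_MD5",
    0x0002: "TLS_RSA_WITH_NULL_SHA",
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
}


def build_client_hello(server_name, cipher_suites):
    """Constructed TLS 1.2 ClientHello record with server_name,
    supported_groups and ec_point_formats extensions (a shape, not a capture)."""
    body = b"\x03\x03" + os.urandom(32) + b"\x00"          # version, random, empty session id
    suites = b"".join(struct.pack("!H", c) for c in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                                    # one compression method: null
    name = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name  # name_type host_name
    sni = struct.pack("!H", len(entry)) + entry
    ext = struct.pack("!HH", 0x0000, len(sni)) + sni
    groups = struct.pack("!HHH", 4, 0x001d, 0x0017)        # x25519, secp256r1
    ext += struct.pack("!HH", 0x000a, len(groups)) + groups
    ext += struct.pack("!HH", 0x000b, 2) + b"\x01\x00"     # uncompressed points only
    body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type ClientHello, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Extract the plaintext fields a passive observer can see."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or hs[0] != 0x01:
        raise ValueError("not a complete ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 0
    version = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + 32                                          # skip random
    pos += 1 + body[pos]                                   # skip session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    ciphers = [struct.unpack("!H", body[pos + i:pos + i + 2])[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                                   # skip compression methods
    info = {"version": version, "ciphers": ciphers, "extensions": [],
            "sni": None, "groups": [], "point_formats": []}
    if pos < len(body):
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if pos + elen > end:
                raise ValueError("truncated extension")
            edata = body[pos:pos + elen]
            pos += elen
            info["extensions"].append(etype)
            if etype == 0x0000:                            # server_name: list of (type, len, name)
                lp = 2
                while lp + 3 <= len(edata):
                    ntype, nlen = edata[lp], struct.unpack("!H", edata[lp + 1:lp + 3])[0]
                    if ntype == 0:
                        info["sni"] = edata[lp + 3:lp + 3 + nlen].decode("ascii")
                    lp += 3 + nlen
            elif etype == 0x000a:                          # supported_groups
                glen = struct.unpack("!H", edata[:2])[0]
                info["groups"] = [struct.unpack("!H", edata[2 + i:4 + i])[0] for i in range(0, glen, 2)]
            elif etype == 0x000b:                          # ec_point_formats
                info["point_formats"] = list(edata[1:1 + edata[0]])
    return info


def fingerprint(info):
    """JA3-style client fingerprint over the hello's shape. It identifies the
    TLS stack (a malware family's included) across destinations, with no
    key material and without touching the payload."""
    text = ",".join([str(info["version"]),
                     "-".join(map(str, info["ciphers"])),
                     "-".join(map(str, info["extensions"])),
                     "-".join(map(str, info["groups"])),
                     "-".join(map(str, info["point_formats"]))])
    return text, hashlib.md5(text.encode()).hexdigest()


def weak_cipher_offers(info):
    """Names of offered cipher suites that are on the weak list."""
    return [WEAK_CIPHERS[c] for c in info["ciphers"] if c in WEAK_CIPHERS]
```

The SNI tells you where the client is going, the fingerprint tells you what is doing the talking, and neither requires the man-in-the-middle certificate tricks the article warns about; the same parser run over a capture of TLS 1.3 traffic still sees these fields, since a 1.3 ClientHello keeps the 1.2 layout and only encrypts later flights.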
  42. Tomi Engdahl says:

    What is the Real Cost of “Good Enough” Security?
    http://www.securityweek.com/what-real-cost-good-enough-security

    If you read my pieces regularly, you might have guessed that approaching security operations and incident response in a strategic, holistic, and analytical way is something I’m passionate about. Perhaps not surprisingly, it’s a topic I often discuss during presentations, discussions, and meetings. Sometimes, I receive feedback or hear statements such as:

    ● “I think an 80% solution will be just fine here”

    ● “I don’t have the time or resources to strategically assess and improve my security program”

    ● “I will choose the lowest cost option”

    Is an 80% solution acceptable? Before we discuss that question, consider the following examples that help illustrate what 80% really means:

    ● Four hours and 48 minutes of unsafe drinking water each day

    ● Four hours and 48 minutes without electricity each day

    ● One out of every five cars on the road without brakes

    ● One out of every five planes missing routine safety inspection

    ● One out of every five illustrative examples not being particularly good

    I could go on listing examples here for hours, but I believe you understand the point.

    The point of these examples is to illustrate that, although it may be difficult, when it comes to risk mitigation, we should be aiming for the right solution. There will always be limitations and resource constraints. But if we start out by aiming for an 80% solution, we will probably wind up with far less than that.

    No Time For Strategy

    Although it can be difficult, there is a definite need to come up for air. In the near-term, yes, it will pull some resources away from day-to-day work. But in the long-term, if done correctly, taking a strategic, holistic, and analytical approach to security will make far better use of those same resources and will allow organizations to improve their security postures far more quickly and efficiently than they would be able to do otherwise.

    Think Total Cost

    When people say “I am going with the lowest cost option”, what I often hear is “I am going with the lowest upfront cost option”. When organizations think about the cost of a solution, they should be thinking about the total cost. As you might expect this is more complex than merely the upfront cost plus yearly maintenance costs.

    The total cost of a given solution will include some obvious and very tangible costs, such as:

    ● Real estate (rack space)

    ● Human resources to operate and maintain the solution

    ● Human resources to use the solution

    ● Power

    ● The cost of the technology piece to the solution

    ● Human resources to develop and follow the process piece of the solution

    ● Training

    Calculating total cost of ownership (TCO) can be complex, but it is an exercise that brings tremendous benefits to the organizations that calculate it correctly.

    Reply
  43. Tomi Engdahl says:

    5 New Rules to Make Escalations More Effective and Efficient
    http://www.securityweek.com/5-new-rules-make-escalations-more-effective-and-efficient

    There is a new adage in the security world: don’t assume you will be hacked, but assume you have already been hacked. This forces security professionals to re-examine the validity of the Cyber Kill Chain model—which reinforces traditional, perimeter-focused, malware-prevention thinking—and develop new strategies to deal with persistent and smart attackers, including insider threats.

    Traditional incident management approaches that rely on network monitoring and detection of attacks are also falling short in today’s agile and distributed computing world. Three factors contribute to this security shortfall:

    5 Security incident management tips

    • Heterogeneity, size, and scale of computing processes are too large and diffuse for human beings to keep up.

    • As cloud computing emerges, ownership of the infrastructure (from a network monitoring perspective) not only cannot be assumed, it must be discounted. Increasingly, even enterprise data center networks are untrusted.

    • Dynamic, temporal workloads pushed forward by technologies such as Linux Containers make it more difficult to apply traditional chokepoint technologies.

    These factors make escalation of cyber incidents a huge problem for security staff. To this, here are 5 new rules organizations can enforce to make (inevitable) escalations more effective and efficient.

    1. Always full cycle, full stack. Security today for the most part is bolted-on vs. built-in to application development cycles. This leaves applications unknowingly vulnerable. If application developers or DevOps teams can build security practices and software into applications, it reduces vulnerabilities later and provides critical information to response teams trying to track down the source or movement of a breach.

    2. Shrink your “attack surface.” The traditional perimeter technology model means that security technologies must cover a lot of digital real-estate, the cyber equivalent of guarding a 1000-mile border between countries.

    3. Gain visibility. You cannot stop what you cannot see. If you are trying to protect the attack surface of your data center or cloud, you must be able to recognize the chart attack patterns in real time (watch malware in action).

    4. Increase the speed to quarantine. Being able to see an attack is a great first step. Being able to quarantine the offending computing resources is just as critical. Time to discovery and remediation of compromised computing is one of the most critical factors in limiting the scope of damage of an attack.

    5. Reduce the human middleware. I love people, but they are hell on computer processes. Miskeying IP addresses, closing ports and processes, or just misplacing information is unfortunate in most computing actions but potentially lethal in security.

    Reply
  44. Tomi Engdahl says:

    Let’s Encrypt’s Public Beta–Panacea or Placebo?
    http://www.securityweek.com/lets-encrypts-public-beta-panacea-or-placebo

    In medicine, the very belief that you’re doing something to improve your medical condition has enormous efficacy. This is called the Placebo Effect. Most modern medicines can only dream of obtaining efficacy results on par with the Placebo Effect, so strong is it.

    Not so in security. Doing something that you believe improves your condition when it actually doesn’t is truly dangerous because it sets up a false sense of security. And the result can be a decreased level of awareness.

    In the first eight hours of the public beta, LE issued 10,000 certificates, or about one every three seconds. Clearly there’s demand for free certificates. The more than 500,000 certificates issued since then make LE one of the largest CAs in the world.

    The demand for the free certificates from LE is coming from three sources. The first are the disgruntled customers of the existing CA industry. “As a customer, I hated my CA. I felt ripped off by the lot of them every time I had to renew my certs,”

    The second source of demand for LE’s free certificates are all the security-minded people who are spinning up new, low-value services on the Internet (bloggers). This group is in LE’s wheelhouse as well.

    The third group is the automation camp. One of LE’s strengths is that the only way to get a certificate issued is through automation with the Automatic Certificate Management Environment (ACME) protocol. People spinning up applications with Chef, Puppet, or Ansible like the idea of fetching a “real” certificate with a single script command.

    Actually, there’s a fourth group as well; cyber criminals looking to provide valid certificates for rogue domains.

    Security researcher Ryan Hurst has pointed out that abusing certificate authorities is not a new phenomenon, so let’s accept that LE isn’t alone in this respect.

    Unlike other CAs that issue certificates that don’t expire for years, LE is issuing short-lived certificates (90 days). All certificates are being published to the Certificate Transparency (CT) project, and you can see them at the crt.sh site.

    Yes, you see that right. They are all going to expire on March 8th.

    This mass expiration could be worrisome. Sometime between now and March 8th, each of the 100,000 websites will need to renew their LE certificates.

    Users are going to be running into expired certificate warnings all over the place. After a while they are going to just start clicking through them. Expired certificate warnings will be the new car alarms—people hear them all the time, but no one does anything except ignore them. Certificate expiration warnings may lose efficacy.

    And that brings us back to the placebo effect. LE is supposed to increase overall Internet security by increasing the number of websites that have the ability to use HTTPS instead of HTTP. But right now, during the public beta, it may simply be that people believe it will work. Belief works for medicine, but not for security. One way or the other, we’ll know soon.

    Reply
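The mass-expiry problem above is easy to reproduce on your own inventory. The following is an added example (my own code, not from the SecurityWeek article or from Let's Encrypt) of a small expiry monitor: it takes certificate records in the shape `ssl.getpeercert()` returns, classifies each host as ok / renew / expired against a 30-day threshold (an assumed policy, the one certbot uses for 90-day certificates), and counts expiries per calendar day so a cliff like "everything expires on March 8th" shows up before it happens. The host names, dates and `REFERENCE_NOW` are constructed; `fetch_peer_cert()` is the only part that touches the network.

```python
"""Expiry monitor for a fleet of TLS certificates (added example, not from the article).

Assumptions: a 30-day renewal threshold, and the certificate records below,
which are constructed in the shape ssl.getpeercert() returns so that the
report runs offline.
"""
import socket
import ssl
from collections import Counter
from datetime import datetime, timezone

RENEW_BEFORE_DAYS = 30  # assumed policy: renew a 90-day cert with 30 days left

# Constructed sample inventory: host -> the dict ssl.getpeercert() would return.
SAMPLE_CERTS = {
    "blog.example": {"subject": ((("commonName", "blog.example"),),),
                     "notAfter": "Mar  8 12:00:00 2016 GMT"},
    "shop.example": {"subject": ((("commonName", "shop.example"),),),
                     "notAfter": "Mar  8 12:00:00 2016 GMT"},
    "api.example":  {"subject": ((("commonName", "api.example"),),),
                     "notAfter": "Jun  1 00:00:00 2016 GMT"},
    "old.example":  {"subject": ((("commonName", "old.example"),),),
                     "notAfter": "Jan  1 00:00:00 2016 GMT"},
}

# Constructed "today" for the sample run.
REFERENCE_NOW = datetime(2016, 2, 15, tzinfo=timezone.utc)


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Live variant: fetch and validate the leaf certificate a host presents.
    Needs network access; the offline report below does not call it."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def expires_at(cert):
    """notAfter as an aware UTC datetime; cert_time_to_seconds parses the GMT format."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)


def days_left(cert, now):
    """Fractional days until notAfter (negative once expired)."""
    return (expires_at(cert) - now).total_seconds() / 86400.0


def renewal_report(certs, now, threshold_days=RENEW_BEFORE_DAYS):
    """Classify every host as expired / renew / ok and count expiries per
    calendar day, which is what exposes a mass-expiry cliff."""
    status = {}
    per_day = Counter()
    for host, cert in certs.items():
        left = days_left(cert, now)
        if left <= 0:
            status[host] = "expired"
        elif left <= threshold_days:
            status[host] = "renew"
        else:
            status[host] = "ok"
        per_day[expires_at(cert).date().isoformat()] += 1
    return {"status": status, "per_day": dict(per_day)}


if __name__ == "__main__":
    report = renewal_report(SAMPLE_CERTS, REFERENCE_NOW)
    for host, state in sorted(report["status"].items()):
        print(f"{host:14} {state}")
    print("expiries per day:", report["per_day"])
```

Note that the live path never returns an "expired" record: `create_default_context()` verifies the chain, so an already-expired certificate makes `fetch_peer_cert()` raise an `ssl.SSLError` during the handshake, which is itself the alert. Run the report from cron well inside the threshold window, not on the expiry day.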
  45. Tomi Engdahl says:

    Windows 10 Worst Secret Spins Out Of Control
    http://www.forbes.com/sites/gordonkelly/2016/02/09/windows-10-data-tracking-spying-levels/#1bbf2af7aa99

    Back in November Microsoft confirmed Windows 10’s worst kept secret: its extensive telemetry (or ‘spying’ as it has been labelled) cannot be stopped. What no-one realised until now, however, is just how staggering the extent of this tracking really is…

    Blowing the lid on it this week is Voat user CheesusCrust whose extensive investigation found Windows 10 contacts Microsoft to report data thousands of times per day. And the kicker? This happens after choosing a custom Windows 10 installation and disabling all three pages of tracking options which are all enabled by default.

    The raw numbers come out as follows: in an eight hour period Windows 10 tried to send data back to 51 different Microsoft IP addresses over 5500 times. After 30 hours of use, Windows 10 expanded that data reporting to 113 non-private IP addresses. Being non-private means there is the potential for hackers to intercept this data. I’d argue this is the greatest cost to owning Windows 10.

    Windows 10 telemetry network traffic analysis, part 1: (v/technology)
    submitted 7 days ago by CheesusCrust
    https://voat.co/v/technology/comments/835741

    Reply
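The figures quoted above (attempts per destination, distinct non-private IPs) are the output of a simple egress audit that anyone can run against a firewall or flow log. The following is an added example (my own code, not from the Forbes article or the Voat analysis) that aggregates constructed log lines in a generic "date time action proto src:port dst:port" shape. One caveat worth knowing: Python's `ipaddress.is_private` also flags the documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24), so the example defines "private" explicitly as RFC 1918, loopback and link-local.

```python
"""Outbound-connection audit from a firewall/flow log (added example, not from the article).

Assumptions: the log lines below are constructed; 'private' means RFC 1918,
loopback and link-local, listed explicitly because ipaddress.is_private
also treats documentation ranges such as 203.0.113.0/24 as private.
"""
import ipaddress
from collections import Counter

PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
)]

# Constructed sample log: one workstation's outbound connections over a short window.
SAMPLE_LOG = """\
2016-02-09 08:00:01 ALLOW TCP 192.168.1.20:50123 203.0.113.10:443
2016-02-09 08:00:02 ALLOW UDP 192.168.1.20:50124 192.168.1.1:53
2016-02-09 08:00:05 ALLOW TCP 192.168.1.20:50125 203.0.113.10:443
2016-02-09 08:00:09 ALLOW TCP 192.168.1.20:50126 198.51.100.7:80
2016-02-09 08:00:11 ALLOW UDP 192.168.1.20:50127 192.168.1.1:53
2016-02-09 08:00:15 ALLOW TCP 192.168.1.20:50128 10.0.0.5:445
2016-02-09 08:00:20 ALLOW TCP 192.168.1.20:50129 203.0.113.10:443
"""


def is_private(ip):
    """True for RFC 1918, loopback and link-local destinations only."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def parse_line(line):
    """Return (timestamp, proto, dst_ip, dst_port), or None for a malformed line."""
    parts = line.split()
    if len(parts) != 6:
        return None
    dst_ip, _, dst_port = parts[5].rpartition(":")
    try:
        return (parts[0] + " " + parts[1], parts[3], dst_ip, int(dst_port))
    except ValueError:
        return None


def summarize(log_text, top_n=3):
    """Count attempts per destination and split destinations into private / non-private."""
    per_dst = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            per_dst[rec[2]] += 1
    return {
        "attempts": sum(per_dst.values()),
        "distinct": len(per_dst),
        "public": sorted(ip for ip in per_dst if not is_private(ip)),
        "private": sorted(ip for ip in per_dst if is_private(ip)),
        "top": per_dst.most_common(top_n),
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"{s['attempts']} attempts to {s['distinct']} destinations")
    print("non-private:", s["public"])
    print("top talkers:", s["top"])
```

On a real host, feed it `Windows Firewall` or router logs over the same 8-hour window the post describes and compare the non-private list against the vendor's published address ranges before concluding anything about where the data goes.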
  46. Tomi Engdahl says:

    Bitcoin’s governance bungles stain the blockchain’s reputation
    If the cryptocurrency can’t organise its own evolution, we lose a chance at better security
    http://www.theregister.co.uk/2016/02/11/bitcoins_bungles_stain_the_blockchains_reputation/

    Civilisation is an agreement. We agree to pay our tax, obey the laws, and generally avoid berserking around the joint. Where these agreements break down you get riots that scale into civil wars, then collapse. That’s less of an issue so long as the problem is over there – so that when a culture soils the sheets you don’t have to deal with the stink.

    But if there’s one lesson of the connected era, it’s that there is no more over there.

    At their sleeping babies.

    It turns out that an entire class of webcams parents use to keep an eye on their offspring have such poor security settings that it’s possible to take a snap of the sleeping children from pretty much anywhere on the Internet. Neat, huh?

    Over the last few years we’ve learned ‘hardware is hard’. Now we’re learning, ‘firmware is harder’.

    Firmware has to operate the device reliably, and handle all of the issues that arise from maintaining a connection to that cesspool of hackers and state actors we charmingly call the Internet. Firmware has to hold the line against the barbarians. That’s job #1. If that fails, then the hardware becomes a Trojan Horse.

    With the number of connected devices per household heading from the tens into the hundreds over the next few years, that’s a lot of firmware that has to be just about perfect in its capacity to defend against attacks.

    This problem isn’t new, it’s simply scaled to the point where it touches almost every one of us, almost all the time. In a world of connected objects, we keep walking into the buzz saws of vulnerability. But there is another way.

    That work continues. It’s never been more important. Yet, just as the blockchain rises to become a pillar of our IoT security strategies, the protocol behind it has developed some serious scaling issues.

    The Bitcoin community can’t seem to reach consensus on the changes required to grow up. It’s quite possible that at some point later this year the transaction volume on the Bitcoin blockchain will make something designed for reliability unreliable enough that no one will be able to trust it.

    Reply
  47. Tomi Engdahl says:

    Putin’s internet guru says ‘nyet’ to Windows, ‘da’ to desktop Linux
    In Soviet Russia, computer uninstalls you!
    http://www.theregister.co.uk/2016/02/11/putins_internet_guru_says_nyet_to_windows/

    The Russian government says it is looking to dump Microsoft and adopt Linux as the operating system for agency PCs.

    In an interview with Bloomberg, Russian internet advisor German Klimenko said the state will consider moving all of its networks off the Microsoft platform and onto an unspecified Linux build instead.

    Citing Microsoft’s capitulation to the US government in honoring sanctions against Russia, Klimenko said that the Redmond software giant had reached the “point of no return” with Moscow and that 22,000 government agencies and municipal offices were prepared to drop Windows right now.

    “It’s like a wife seeing her husband with another woman – he can swear an oath afterward, but the trust is lost,” Klimenko was quoted as saying.

    Reply
  48. Tomi Engdahl says:

    Why Is Embedded Security So Difficult?
    http://www.designnews.com/author.asp?section_id=1386&doc_id=279564&cid=nl.x.dn16.edt.aud.dn.20160208&dfpPParams=ind_184,industry_consumer,industry_gov,industry_machinery,industry_medical,kw_43,aid_279564&dfpLayout=blog

    As security has become a hot topic in IoT, engineering teams building connected devices are beginning to put it much higher on their list of priorities. While this is clearly good news, it doesn’t mean that concerns over embedded device security will soon be over or that headlines of attacks against embedded devices will suddenly disappear.

    Engineers designing devices for the IoT face a significant set of challenges. Security is a complex subject: Hackers continue to develop new exploits; they only need to find one way in. Worst of all, attacks against embedded devices are highly replicable. Embedded devices are mass produced to be virtually identical. A vulnerability, once discovered, can be used to exploit any device of that type.

    Challenges in Securing Embedded Devices

    Why exactly is it so hard to keep bad guys out? We are pretty good at preventing bank robberies, and at limiting what they get when they actually do rob a bank. Why can’t we do this with embedded devices?

    This question was put to me recently by a friend who works in the physical security business making sure people don’t break into banks, casinos, chemical processing plants, and other highly secure facilities.

    There are a number of reasons that embedded security is hard. A few of the top challenges include:

    The low cost of attack
    The weakest link problem
    A lack of expertise and training

    Reply
  49. Tomi Engdahl says:

    Kim Zetter / Wired:
    Security researchers spot re-used code, passwords, and obfuscation methods from Sony hack, indicating original hackers are still active

    Evidence Suggests the Sony Hackers Are Alive and Well and Still Hacking
    http://www.wired.com/2016/02/evidence-suggests-the-sony-hackers-are-alive-and-well-and-still-hacking/

    TENERIFE, Spain—The massive hack against Sony in late 2014 was sudden and loud. The perpetrators made themselves known four days before Thanksgiving with a red skull emblazoned on computer screens company-wide and an ominous warning that they were about to spill Sony secrets.

    A few days later they began to leak what they claimed was more than 100 terabytes of stolen data, including damaging emails and sensitive employee data. The scorched earth attack left Sony crippled for months after the attackers also destroyed data and systems on their way out the digital door, rendering some Sony servers inoperable in a move that cost the company an estimated $35 million in IT infrastructure repairs.

    But a month later, after the US government blamed North Korea for the hack and some observers began calling the breach an act of terrorism, the attackers suddenly went silent. Or did they?

    “[T]hey didn’t disappear…not at all,” Guerrero-Saade said during a presentation with Blasco this week at the Kaspersky Security Analyst Summit in Spain.

    If true, it would mean the hackers who demonstrated an “extremely high” level of sophistication in the Sony attack have been dropping digital breadcrumbs for at least the last year, crumbs that researchers can now use to map their activity and see where they’ve been. The clues include—to name a few—re-used code, passwords, and obfuscation methods, as well as a hardcoded user agent list that showed up repeatedly in attacks, always with Mozilla consistently misspelled as “Mozillar.”

    They began their investigation with samples of the Destover malware—the destructive component that was responsible for overwriting the master boot record and other critical data on hacked Sony computers—and used them and other data to produce a “taxonomy” of related attacks.

    They wrote a series of so-called YARA rules based on tiny similarities and quirks that stood out in the Sony samples and the attackers’ techniques, which made them think that if they ever saw those quirks again, it would likely be in a breach conducted by the same guys. YARA is a tool for uncovering malicious files or patterns of suspicious activity on systems or networks that share similarities. YARA rules—essentially search strings—help analysts find, group, and categorize related malware samples and draw connections between them in order to build malware families and uncover groups of attacks that might otherwise go unnoticed.

    Reply
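To make the "YARA rules are essentially search strings" point concrete, here is an added example (my own code, not the researchers' rules and not the real yara engine) of a minimal YARA-style matcher. It parses the `strings:` and `condition:` sections of rules that use only text strings with the `ascii`, `wide` and `nocase` modifiers and an `any | all | N of them` condition, then scans a set of constructed byte blobs and groups them by which rules fire, which is the "taxonomy" step described above. The rule names, the `MZ` and `cmd.exe /c` strings and the sample files are assumptions for the example; only the "Mozillar" misspelling comes from the article. For real work use `yara-python`, which handles hex strings, regexes, offsets and much more.

```python
"""Minimal YARA-style matcher for text-string rules (added example, not the yara engine).

Supported subset: text strings with ascii / wide / nocase modifiers and the
conditions 'any of them', 'all of them', 'N of them'. The rules and samples
below are constructed; only the 'Mozillar' quirk comes from the article.
"""
import re

EXAMPLE_RULES = r'''
rule Mozillar_UserAgent_Quirk
{
    meta:
        description = "Constructed example: hardcoded UA list spelled Mozillar"
    strings:
        $ua1 = "Mozillar/4.0" ascii
        $ua2 = "Mozillar/5.0" ascii wide
    condition:
        any of them
}

rule Two_Of_Three_Quirks
{
    strings:
        $a = "mozillar" nocase ascii wide
        $b = "MZ"
        $c = "cmd.exe /c"
    condition:
        2 of them
}
'''

# Constructed sample files: a plain HTTP request, a PE-like blob with a
# UTF-16 user agent, and a benign request with the correct spelling.
SAMPLE_FILES = {
    "sample_a.bin": b"GET / HTTP/1.1\r\nUser-Agent: Mozillar/4.0 (compatible; MSIE 6.0)\r\n",
    "sample_b.bin": b"MZ\x90\x00" + "Mozillar/5.0".encode("utf-16-le") + b"\x00cmd.exe /c del",
    "sample_c.bin": b"User-Agent: Mozilla/5.0 (Windows NT 6.1)\r\n",
}

RULE_RE = re.compile(r'rule\s+(\w+)\s*\{(.*?)\}', re.S)
STRING_RE = re.compile(r'\$(\w+)\s*=\s*"((?:[^"\\]|\\.)*)"([^\n]*)')
COND_RE = re.compile(r'(\d+|any|all)\s+of\s+them')


def _unescape(literal):
    """Resolve the escapes YARA text strings allow: \\\\ \\" \\n \\t \\xNN."""
    def sub(m):
        esc = m.group(1)
        if esc.startswith("x"):
            return chr(int(esc[1:], 16))
        return {"n": "\n", "t": "\t"}.get(esc, esc)
    return re.sub(r'\\(x[0-9a-fA-F]{2}|.)', sub, literal)


def parse_rules(text):
    """Return [{'name', 'strings': [(id, literal, modifiers)], 'condition'}] for each rule."""
    rules = []
    for name, body in RULE_RE.findall(text):
        if "strings:" not in body or "condition:" not in body:
            raise ValueError(f"rule {name}: only strings/condition rules are supported")
        strings_part = body.split("strings:", 1)[1].split("condition:", 1)[0]
        cond = COND_RE.search(body.split("condition:", 1)[1])
        if cond is None:
            raise ValueError(f"rule {name}: unsupported condition")
        patterns = [(sid, _unescape(lit), set(mods.split()))
                    for sid, lit, mods in STRING_RE.findall(strings_part)]
        rules.append({"name": name, "strings": patterns, "condition": cond.group(1)})
    return rules


def _variants(literal, mods):
    """Byte encodings to search for: ASCII unless only 'wide', UTF-16LE when 'wide'."""
    out = []
    if "ascii" in mods or "wide" not in mods:
        out.append(literal.encode("latin-1"))
    if "wide" in mods:
        out.append(literal.encode("utf-16-le"))
    return out


def match_rule(rule, data):
    """Identifiers of the strings found in data if the condition holds, else []."""
    hits = []
    for sid, literal, mods in rule["strings"]:
        nocase = "nocase" in mods  # bytes.lower() only folds ASCII, which is what YARA does too
        hay = data.lower() if nocase else data
        if any((n.lower() if nocase else n) in hay for n in _variants(literal, mods)):
            hits.append("$" + sid)
    cond = rule["condition"]
    need = 1 if cond == "any" else len(rule["strings"]) if cond == "all" else int(cond)
    return hits if len(hits) >= need else []


def scan(rules, samples):
    """Map each sample name to the rules it triggers: the grouping step of a taxonomy."""
    return {name: [r["name"] for r in rules if match_rule(r, data)]
            for name, data in samples.items()}


if __name__ == "__main__":
    for name, matched in scan(parse_rules(EXAMPLE_RULES), SAMPLE_FILES).items():
        print(f"{name}: {matched or '-'}")
```

The useful habit this illustrates is the one in the article: encode each small quirk as its own string, keep the condition loose (`N of them`) so partial re-use still clusters, and let the per-sample match list drive the grouping rather than a single yes/no verdict.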
  50. Tomi Engdahl says:

    Motherboard:
    UK police arrest teen hacker thought to be Cracka, who is allegedly behind CIA and FBI breaches

    Teen Allegedly Behind CIA, FBI Breaches: ‘They’re Trying to Ruin My Life.’
    http://motherboard.vice.com/read/uk-police-arrest-teenage-hacker-cia-john-brennan-fbi-cyberattacks

    The months-long series of hacks and pranks by a group of alleged teenage hackers on the US government and its high-level officials might have finally come to an end.

    Police authorities in the UK, working in conjunction with the FBI, have arrested a teenager who they believe is behind the cyberattacks that started last year, when a group of hackers broke into the AOL email account of CIA Director John Brennan. Officials have not released the identity of arrested teenager, but he is suspected of being the hacker known as “Cracka,” the leader of a hacktivist group called “Crackas With Attitude.”

    The teenager said authorities arrested him on Tuesday, and are accusing him of the attacks on Brennan, White House officials, and the recent hack on the Department of Justice, which resulted in the publication of the names and contact information of almost 30,000 FBI and DHS employees.

    The alleged hacker, who declined to reveal his real name, said he refused to answer any questions from the police, and was subsequently released on bail after spending 7 hours in a cell. He also denied being Cracka, saying “I’m not who you think I am ;) ;) ;)”

    That was just the first in a long series of brazen hacks, which the hackers bragged about publicly on Twitter. The hackers always claimed their actions were all done to support the plight of the Palestinian people, a sentiment they often summed up with the simple hashtag #FreePalestine.

    The group then targeted other high-level officials, including FBI’s executive assistant Amy Hess, US spy chief James Clapper, a former senior executive at the National Geospatial-Intelligence Agency, and President Barack Obama’s senior advisor on science and technology John Holdren, among others.

    The hackers, who claimed to be all teenagers, normally hit low-hanging targets, such as the victim’s internet service provider accounts, using social engineering techniques. But in early November, the hackers claimed to have gained access to a series of sensitive law enforcement portals, where they allegedly found a database of government employees. In the following days, they posted around 4,000 of those names online, potentially exposing undercover agents.

    Reply
