Year 2017 will not bring any turn towards better data security. The internet is rife with both well-known and unknown threats, and companies' systems are supposed to be protected against them. Hackers are going to continue to look for new ways to extort and steal information from businesses and organizations, which unfortunately means those businesses and organizations will have to continue to look for new ways to protect themselves.
Critical infrastructure comes under attack in 2017. Critical infrastructures must be better protected from criminals and terrorists who take advantage of modern technologies that are essential for the functioning of society and the economy. The IT security functions of industrial control systems (ICS), energy grids and IoT networks need to be improved in 2017.
There is a push for better web security in 2017. Starting New Year’s Day, Google’s Chrome will begin labeling as “insecure” all websites that transmit passwords or ask for credit card details over plain text HTTP. Beginning in January 2017 (Chrome 56), HTTP sites that transmit passwords or credit cards are marked as non-secure, as part of a long-term plan to mark all HTTP sites as non-secure.
SHA-1 is insecure. Starting on Jan 1, 2017, most CAs will migrate to SHA-2 certificates, and major browser makers have already announced plans to adopt the change, including Microsoft, Google, and Mozilla. Their browsers will no longer trust sites that use SHA-1 starting with that date, and they will mark these websites as insecure. 1/3 of websites still use SHA-1 certificates despite the looming deadline. SHA-1 will still hang around, like a fart in a spacesuit, for many years to come because some people are lazy enough not to make the change.
There will be changes in how security is viewed in 2017 by businesses. We will likely see cloud adoption continue to grow across the United States, network visibility will no longer just be an option, AI and machine learning will shake old security models, and IoT-powered attacks will continue to rise. All of this will factor into how businesses set up, monitor and secure their networks.
The commoditization of cyberattacks will make them more frequent in 2017. More and more companies suffer disruption to business due to cyber attacks. Cyber attacks cause companies significant financial losses, but studies show that companies are not prepared for attacks. According to Gartner, by 2018 only 40 per cent of large companies will have official plans in case of cyber attacks. Last year, the percentage was zero.
Strap yourself in for a bumpy ride in 2017. 2016 sucked. 2017 won’t be much better, sorry. DDoS attacks have been around since at least 2000, and they’re not going away. In fact, as the number of devices online grows, the volume and velocity of these attacks is also increasing. DDoS attack toolkits have been around for years, as have services that will enable you to pay for an attack. Expect to see more of them. It seems that 2017 promises to be the most dramatic year yet in DDoS conflict. Whale-sized DDoS attacks will increase, the IoT will become a bigger factor in DDoS, and DDoS will overshadow ransomware attacks and be used for extortion. Expect to see the Internet of Things (IoT) and other connected devices play an important part in these attacks.
Biometric identification will become more common in 2017, but it will not replace passwords. Fingerprint identification has become increasingly common in smartphones and already the technology is fast and reliable. This year biometric identification devices were sold for 4.5 billion dollars (most of them go to smart phones and laptops). 91 per cent of biometric sales were fingerprint sensors, four per cent face detection and three per cent iris detection.
Biometrics won’t kill passwords any time soon. Even though PIN codes and passwords are actually pretty lousy protection against a skilled cybercriminal, the password will never disappear entirely, as two per cent of the world’s population have fingerprints not suitable for biometric identification to work. Other biometric identification systems have similar limitations and/or are not yet commonly available at reasonable cost. While biometrics, including fingerprint-, face-, iris-, palm- and speech-recognition, will continue to grow as a more secure substitute for passwords, they will not render passwords obsolete. Until the other common biometrics become commonplace, passwords are here to stay until circa 2030.
The fight over encryption and backdoors for it is not over in 2017. Many public figures in law enforcement have consistently argued that device encryption presents a new threat to police powers of investigation. On the other side, the House Judiciary Committee’s Encryption Working Group report says encryption backdoors pose a security threat, siding with tech experts in its latest report. The problem is that any system allowing police to get into those encrypted systems (be it a phone, computer or communications) could also be exploited by criminals. Any action in this space should weigh any short-term benefits against the long-term impacts. Many industry experts will rightly tell you there is no such thing as partial data encryption. You either have a fully capable system or none at all.
Given the security events of 2016, coupled with the rapid advancements and adoption of cloud computing, 2017 will be the year in which many finally accept that network infrastructure and security will have to be rethought from the ground up. In 2017 the cloud will become a risk for users: The cloud becoming insecure – extortion and IoT openings.
The rivalry between network attacks and network security is accelerating. Crippling Internet services with denial of service attacks is becoming more common throughout the world. DDoS attacks have been around since at least 2000, and they’re not going away. In fact, as the number of devices online grows, the volume and velocity of these attacks is also increasing. IoT-powered attacks will continue to rise and stopping an attack is not easy. For most companies the key thing is that the attack traffic is stopped before it reaches the company’s Internet connection or servers (so the need for telecom operator and external scrubbing services increases). In addition to service disruption, denial of service attacks are often used as a distraction during the actual data burglary. DDoS may take over from ransomware as a cause for concern.
In 2017 IT and security professionals talk more about business risks. Historically, firewalls, DLP, antivirus, SIEM and other technical point solutions have been the centerpiece of security conversations, but the mindset is slowly shifting from technology to risk. The goal of stopping all attacks and preventing all business impact has been recognized as a fool’s errand, and has shifted to measuring risk and minimizing business impacts. Cyber security is increasingly being viewed as a risk management problem.
In 2017 ‘Security’ Must be Added to our Existing Ethical and Philosophic Concerns Over Artificial Intelligence and Algorithms. Algorithms soon run the world. They present problems that are seriously questioned on both ethical and philosophic grounds; and they have become the basis of fictional Armageddons.
Cyber insurance will be considered more as one solution for handling cyber risks in 2017. The global cyber insurance market is expected to generate $14 billion by 2022, according to a new report published by Allied Market Research (AMR). That figure represents an impressive compound annual growth rate (CAGR) of nearly 28% from 2016 to 2022.
In 2017 Big Brother will be watching you 24/7. Those of you who’ve read George Orwell’s book 1984 or seen the movie will remember how the citizens of the fictitious totalitarian state of Oceania are constantly under surveillance by order of its dictator, Big Brother. So now swap your home desktop computer, laptop or smart phone for the fictitious telescreen: not only are you sitting in front of what is a modern day version of the Big Brother telescreen, you are also walking around with one in your pocket or handbag. Sound a bit far-fetched to you? Well, it’s set to become a reality in many countries.
Users will want better security, or at least to feel more secure, in 2017. Many people are prepared to go to extremes for better security. According to a recent survey of over 2,000 adults conducted by Harris Poll, nearly 40% of Americans would give up sex for a year or eating their favourite food in exchange for better online security, meaning they’d never have to worry about being hacked. When you consider that 87 percent of U.S. adults use the internet, it makes sense that cyber security is one of the biggest concerns today. The single biggest thing people can do to help keep their online identity safe is probably the easiest – a solid password – and not giving it to other people. Still, nearly 50% of people have shared a password to an e-mail account or to an account like Netflix.
Security becomes a multi-system issue and more people are talking about it. Design teams will have to bake security strategies in from the start, no matter how insignificant the device. The good news is that more people are talking about the issue. The real challenge is packing enough security features into designs to prevent security breaches of every sort, including those that can come from other electronics that weren’t even considered as part of the design process. Just as devices get more sophisticated, so do hackers. The reality is that security breaches can even cause physical harm. It’s time to look at this at a multi-system, multi-disciplinary level. Otherwise, we literally could be playing with fire.
Block chains have been a big trend for several years. The block chain market is divided as 2017 starts. During the autumn of 2016, we have seen a number of cooperation initiatives between the financial sector and consulting companies. Microsoft has chosen the Ethereum block chain platform and offers it on the Azure cloud service. IBM has jumped on the Hyperledger consortium bandwagon and is offering its own block chains on the Bluemix service. Google and Amazon still shine by their absence. Even banks may prefer to see the cloud used for block chains.
Other prediction articles worth a look:
What Lies Ahead for Cybersecurity in 2017?
Network Infrastructure, Visibility and Security in 2017
DDoS in 2017: Strap yourself in for a bumpy ride
Cybersecurity Industry Outlook: 2017 to 2021 | CSO Online
IBM’s Cybersecurity Predictions for 2017 – eForensics
https://eforensicsmag.com/ibms-cybersecurity-predictions-2017/
Top 5 Cybersecurity Threats to Watch Out for in 2017
Experts Hopeful as Confidence in Risk Assessment Falls
3,151 Comments
Tomi Engdahl says:
Hackers exploited the CVE-2014-9222 flaw, also known as ‘Misfortune Cookie’, to hack thousands of home routers and abuse them for WordPress attacks.
http://securityaffairs.co/wordpress/57961/hacking/wordpress-attacks-routers.html
Tomi Engdahl says:
New Bill Forces Cybersecurity Responsibility Into the Boardroom
http://www.securityweek.com/cybersecurity-disclosure-act-2017-forces-security-responsibility-boardroom
The need for board-level responsibility for cyber security is generally accepted but not always applied. A new bill introduced to the Senate seeks to change this by requiring a board level statement of cyber security expertise or practice in annual SEC filings.
Tomi Engdahl says:
The Linux remote vulnerability tracked as CVE-2016-10229 puts Linux systems at risk of hack if not patched.
http://securityaffairs.co/wordpress/57998/hacking/cve-2016-10229-linux.html
Tomi Engdahl says:
Government Hackers Used Microsoft Word Zero-Day to Install Spyware on Russian Targets
https://motherboard.vice.com/en_us/article/government-hackers-used-microsoft-word-zero-day-to-install-spyware-on-russian-targets?utm_content=bufferfabe6&utm_medium=social&utm_source=linkedin.com&utm_campaign=buffer
The hackers exploited the unknown vulnerability to install spyware made by the infamous surveillance company FinFisher.
An unknown group of government hackers used the recently discovered vulnerability in Microsoft Word to target Russian victims with booby-trapped documents.
Tomi Engdahl says:
With laptops banned onboard aircraft, your data is no longer yours if you fly
https://www.privateinternetaccess.com/blog/2017/04/with-laptops-banned-onboard-aircraft-your-data-is-no-longer-yours/
New US regulations ban laptops on board some aircraft, requiring laptops to be in checked luggage. One of the first things you learn in information security is that if an adversary has had physical access to your computer, then it is not your computer anymore. This effectively means that the US three-letter agencies are taking themselves the right to compromise any computer from any traveler on these flights.
Tomi Engdahl says:
Prisoners Build DIY Computers and Hack Prison Network
http://hackaday.com/2017/04/17/prisoners-build-diy-computers-and-hack-prison-network/
The Internet is everywhere. The latest anecdotal evidence of this is a story of prison inmates that built their own computers and connected them to the internet. Back in 2015, prisoners at the Marion Correctional Institution in Ohio built two computers from discarded parts which they transported 1,100 feet through prison grounds (even passing a security checkpoint) before hiding them in the ceiling of a training room. The information has just been made public after the release of the Inspector General’s report (PDF).
Prison Inmates Used DIY Computers To Hack Prison Network
http://www.tomshardware.com/news/diy-computers-prison-network-hack,34140.html
Tomi Engdahl says:
Big Linux bug, low security concerns
http://www.zdnet.com/article/real-linux-bug-false-security-concerns/
A long-fixed bug in how Android and Linux handles UDP network connections has caused a lot of unnecessary worry.
The National Institute of Standards and Technology and Symantec announced a Linux Kernel bug that made the Linux Kernel 4.4 and earlier vulnerable to remote code-execution. In turn, an attacker could exploit this issue to execute arbitrary code. Worse still, even failed exploits might cause denial-of-service attacks.
There’s only one problem with this analysis and the resulting uproar: It’s wrong.
Yes, the bug existed.
“Only old versions that had the backport of 89c22d8c3b27 (“net: Fix skb csum races when peeking”) needs the backport of 197c949e7798fbf28cfadc6.
Besides that, very few programs ever use MSG_PEEK.
Cases where the bug both exists and can be exploited are vanishingly small.
“Not sure it’s as exploitable as claimed.”
“Fake news, fake bugs.”
The bug also exists in Android and it was only fixed in Google April 2017′s patch release.
This security hole appears to be much ado about nothing. It sounds bad, but the closer you look at it, the harder it is to find even an edge case where it might be exploited.
Tomi Engdahl says:
Flaws in Bosch Car Dongle Allow Hackers to Stop Engine
http://www.securityweek.com/flaws-bosch-car-dongle-allow-hackers-stop-engine
Vulnerabilities found by researchers in Bosch’s Drivelog Connect product can be exploited by hackers to inject malicious messages into a vehicle’s CAN bus. The vendor has implemented some fixes and is working on adding more attack protections.
Bosch’s Drivelog Connect is a service that provides information about the condition of a vehicle, including potential defects, service deadlines, and data on fuel consumption and driving behavior. The product includes a dongle called Drivelog Connector, which is connected to the car’s OBD2 diagnostics interface, and a mobile application that communicates with the dongle via Bluetooth.
Researchers at automotive cybersecurity firm Argus have identified some potentially serious vulnerabilities in the communications between the mobile app and the dongle.
Tomi Engdahl says:
Targeted Malware Inflated With Junk Data to Avoid Detection
http://www.securityweek.com/targeted-malware-inflated-junk-data-avoid-detection
A piece of malware used in targeted attacks aimed at South Korea and Japan is inflated with junk data in an effort to avoid detection. While the technique is not exactly new, researchers at Kaspersky Lab believe this particular malware is noteworthy.
The security firm came across the malware while analyzing attacks involving a malware toolkit dubbed “XXMM.” The threat, disguised as a file named srvhost.exe in an effort to avoid raising suspicion, had a size of more than 100 Mb.
The size of malware samples typically ranges between a few kilobytes and a few megabytes, depending on how they are packaged. Cybercriminals have also been known to hide malware in movie or ISO files, which can result in malware that has a size of hundreds of megabytes or even a few gigabytes.
What makes Wali interesting is the fact that it’s not delivered as a 100 Mb file. The initial loader is roughly 1 Mb in size, but its two dropper components append tens of megabytes of garbage data to the final malware executable file.
“While this technique may seem inefficient in its primitive approach to bypass detection, we believe that in certain cases this malware may stay below the radar of incident responders and forensic analysts who use YARA rules to scan hard drives,” explained Kaspersky’s Suguru Ishimaru.
“The reason is that one of the common practices for YARA rule authors is to limit the size of scanned files, which is aimed mainly at improving performance of the scanning process.”
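The YARA file-size caveat quoted above, as an added example that is not code from the article or from Kaspersky: a constructed sample with a small loader body and junk padding appended, scanned by a rule that skips files over a size cap (the equivalent of a `filesize < N` condition) and by a rule that keeps its performance bound by reading only a fixed prefix instead. The marker string, file name and sizes are constructed for the demo and are not real indicators.

```python
"""Show how a file-size cap in a scan rule lets a junk-padded sample slip past.

Added illustration; not code from the article, Kaspersky or any real YARA rule.
"""
import os
import tempfile

# Constructed stand-in for a detection string; not a real indicator.
MARKER = b"CONSTRUCTED-DEMO-MARKER-STRING"


def build_sample(path, padding_bytes):
    """Write a constructed test file: a small body followed by junk padding.

    Mirrors the behaviour described in the article, where a ~1 MB loader ends up
    as a 100 MB+ executable because tens of megabytes of garbage are appended.
    """
    with open(path, "wb") as f:
        f.write(b"MZ" + b"\x00" * 62)        # constructed header stub
        f.write(MARKER)                       # the part a rule would key on
        f.write(os.urandom(padding_bytes))    # junk appended after the real content
    return path


def rule_matches(path, max_filesize=None):
    """Emulate a rule 'MARKER in file and filesize < max_filesize'.

    In YARA syntax this is the pattern `$s and filesize < 10MB`; the size test
    is evaluated on the whole file, so a padded sample is skipped entirely.
    """
    size = os.path.getsize(path)
    if max_filesize is not None and size >= max_filesize:
        return False                          # rejected on size alone, content never inspected
    with open(path, "rb") as f:
        return MARKER in f.read()


def rule_matches_bounded_read(path, read_limit):
    """Keep a performance bound without skipping large files.

    Reads only the first read_limit bytes, which still covers the loader body
    that sits before the padding. This is the defensive alternative: bound the
    work per file rather than the file size that is eligible for scanning.
    """
    with open(path, "rb") as f:
        return MARKER in f.read(read_limit)


def demo(padding_bytes=2 * 1024 * 1024, size_cap=1024 * 1024):
    """Build one padded sample in a temp dir and report how each rule treats it."""
    with tempfile.TemporaryDirectory() as d:
        sample = build_sample(os.path.join(d, "sample.bin"), padding_bytes)
        return {
            "size": os.path.getsize(sample),
            "unbounded_rule": rule_matches(sample),
            "size_capped_rule": rule_matches(sample, max_filesize=size_cap),
            "bounded_read_rule": rule_matches_bounded_read(sample, 4096),
        }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

With the defaults the padded sample is above the 1 MiB cap, so the size-capped rule returns False while both the unbounded rule and the bounded-prefix rule still match; lowering the padding below the cap makes the size-capped rule match again.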
Tomi Engdahl says:
CradleCore Ransomware Sold as Source Code
http://www.securityweek.com/cradlecore-ransomware-sold-source-code
The author of a new piece of ransomware is selling their creation on underground forums as source code, Forcepoint security researchers have discovered.
Dubbed CradleCore, the threat breaks from the ransomware-as-a-service (RaaS) business model that many miscreants have adopted lately, and allows “customers” to take advantage of customizable source code.
The ransomware is provided as a C++ source code, paired with the necessary PHP web server scripts and a payment panel. According to Forcepoint, the malware emerged on several Tor-based sites some two weeks ago, priced at 0.35 Bitcoin (around $400) but negotiable.
Tomi Engdahl says:
Cerber Dominates Ransomware Charts
http://www.securityweek.com/cerber-dominates-ransomware-charts
Cerber, one of the most active malware families over the past year, has increased its share of the ransomware market to 87% in the first quarter of 2017, Malwarebytes Labs reports.
The threat accounted for 70% of the ransomware market in January, but increased its presence in February and March, amid a major decrease in Locky attacks, from 12% in January to less than 2% in March, Malwarebytes’ Cybercrime tactics and techniques Q1 2017 report (PDF) reads.
https://www.malwarebytes.com/pdf/labs/Cybercrime-Tactics-and-Techniques-Q1-2017.pdf
Tomi Engdahl says:
Beyond Nation-states: The Disappearing Line Between Attacker Capabilities
http://www.securityweek.com/beyond-nation-states-disappearing-line-between-attacker-capabilities
In the incident response world, we used to draw a clear line between the capabilities of attackers affiliated with nation-states and those not affiliated with any nation-state. Nation-state attackers always seemed to be the most well equipped and the most sophisticated attackers. Then, over the last few years, that line began to blur.
The sophistication of attackers with criminal or financial, rather than nation-state motives began to increase significantly. We now find ourselves in a completely different threat landscape. As the 2017 M-Trends report notes, “Today, the line between the level of sophistication of certain financial attackers and advanced state sponsored attackers is not just blurred – it no longer exists.”
Tomi Engdahl says:
Distinctions: Threat Information vs. Threat Intelligence
http://www.securityweek.com/distinctions-threat-information-vsthreat-intelligence
When my team analyzes a threat campaign for example, we look at it through the lens of the “Avenue of Approach”, which breaks out the following:
• Industry Target – What specific organization(s) or group(s) is the actor going after?
• Technology Target – What technology (i.e. Adobe Flash, Internet Explorer, etc.) used by the organization(s) can be exploited by the actor to carry out an attack?
• Delivery Method – How did the actor deliver the payload to the target (i.e. spear-phishing, third party compromise, etc.)?
• Exploit Used – What specific exploit and/or known (or unknown for that matter) vulnerability was used by the actor?
• Presence Achieved – What level of presence (i.e. privileged accounts, database access, etc.) did that actor gain/use in order to carry out their attack?
• Effect/Harm Caused – What was the impact (i.e. stolen IP, service downtime, etc.) caused by the attack?
Understanding the avenue of approach provides meaningful context of what the threat is, how it works, what it targets, and what the impact is to an organization.
Tomi Engdahl says:
Stressing Over Stolen and Abused User Credentials?
http://www.securityweek.com/stressing-over-stolen-and-abused-user-credentials
We live in a world where security operations professionals often find themselves fighting logs, not threats. They constantly worry that their organization’s defenses will be overrun and valuable data stolen or lost. In honor of Stress Awareness Month, we have an opportunity to reflect on ways to lower your operational burden, the chance of a breach and your stress levels by preventing the theft and abuse of valid user credentials.
Despite the attention attacks like zero day exploits receive, techniques such as these generally are not seen in the real world. Why? These tools are expensive and time-consuming to develop and deploy. When used, they are often deployed by highly sophisticated adversaries with ties to nation-states, cyber mercenaries for hire or other well-resourced attackers. These groups tend to reserve their more advanced attack methods for targets with the potential to yield a big payday or achieve a specific geopolitical goal, big enough to offset the cost of identifying a novel vulnerability exploit and essentially “burning” it by releasing it into the wild. Even for high-value targets, tried-and-true methods like phishing and stolen credential usage are more likely to occur because they are simple and effective.
Given this, most security professionals should focus their efforts on identifying and preventing attack methods, such as credential phishing.
Process
Credential-based attacks must be addressed from a process perspective as well. Some process-level questions that organizations should consider include:
• How do employees initiate the workflow to investigate potential phishing attempts?
• If a data breach occurs on services used by employees in their personal time (possibly due to sharing passwords, which should be against policy), should company passwords be reset?
• Can you automatically block phishing websites or email?
• Is automation in place to block indicators of compromise (IoCs) extracted from investigations?
• How am I protecting sensitive resources if attackers gain access to legitimate credentials?
Remember, the best way to orchestrate the prevention of credential-based attacks is through an informed policy driving the right processes.
There are three essential use cases that automated platforms can solve for:
• Automatically identify and prevent employees from visiting credential phishing sites. This approach must be powered by threat intelligence informed by a global network of sensors with the analytics to identify new malicious sites, blocking them without human intervention.
• Look for the leakage of password-based credentials to unknown sites, which may not be categorized as phishing at the time. When identified, the platform must be able to block the user from transmitting credentials to these non-approved locations.
• Use policy-based multi-factor authentication enforced at the network level to protect critical applications and stop attackers from using stolen credentials to conduct lateral movement within the network.
Tomi Engdahl says:
A Lithuanian phisher tricked two big US tech companies into wiring him $100 million
http://www.theverge.com/2017/3/21/15014614/doj-lithuanian-scammer-email-phishing-scam-tech-companies
The Department of Justice today unsealed an indictment against a Lithuanian scammer who managed to trick two American tech companies into wiring him $100 million.
Tomi Engdahl says:
Sean Gallagher / Ars Technica:
Allegations about cybersecurity company Cylance using bogus malware to close deals shed light on the complex nature of AV product testing in the industry
Lawyers, malware, and money: The antivirus market’s nasty fight over Cylance
On the front lines of the antivirus industry’s “testing wars.”
https://arstechnica.com/information-technology/2017/04/the-mystery-of-the-malware-that-wasnt/
Last November, a systems engineer at a large company was evaluating security software products when he discovered something suspicious.
One of the vendors had provided a set of malware samples to test—48 files in an archive stored in the vendor’s Box cloud storage account. The vendor providing those samples was Cylance, the information security company behind Protect, a “next generation” endpoint protection system built on machine learning. In testing, Protect identified all 48 of the samples as malicious, while competing products flagged most but not all of them. Curious, the engineer took a closer look at the files in question—and found that seven weren’t malware at all.
That led the engineer to believe Cylance was using the test to close the sale by providing files that other products wouldn’t detect—that is, bogus malware only Protect would catch.
Protect has been highly ranked by a number of industry analysts for its innovative approach to “advanced endpoint security,” the broad term used to describe products designed to stop modern malware and other threats to personal computers. Protect bases its detection and blocking of malware on machine learning technology. Rather than use heuristics that look for behaviors matching specific rules, Protect has been “trained” using “the DNA markers of 1 billion known bad and 1 billion known good files,”
But over the past year, competitors and testing companies have accused Cylance of using product tests that favor the company. These critics have also accused Cylance of using legal threats to block independent, competitive testing.
So Cylance has run a series of its own shootout events to prove the superiority of Protect—tests that at least one competitor has called out as being “unfair.”
Such concerns around anti-malware testing extend far beyond Cylance and have existed for years.
“If you just go and you pull down malware from any of the well known virus repository sites,” Skipper said, “anyone who has a relationship with those sites is going to score a 100 on the test” as a byproduct of already having access to all the malware samples.
In addition to distributing its own malware samples through its “Test it Yourself” website, Cylance has pointed customers to a website called TestMyAV—a source for malware samples and testing methodologies for small and medium businesses to use to evaluate endpoint security products.
Cylance’s contention that many third-party tests are inaccurate is not without merit. Nearly everyone Ars spoke with agreed that many anti-malware tests were flawed
The problem is that few can agree on what “real-world conditions” actually mean—and vendors support definitions that play to their strengths.
Tomi Engdahl says:
The Seven Most Dangerous New Attack Techniques, and What’s Coming Next
http://intelligentsystemssource.com/the-seven-most-dangerous-new-attack-techniques-and-whats-coming-next/
https://www.youtube.com/watch?list=PLeUGLKUYzh_j1Q75yeae8upX-T1FLmZWf&time_continue=1&v=45_ciRquXBE
Which are the most dangerous new attack techniques? How do they work? How can you stop them? What’s coming next and how can you prepare? This fast-paced briefing provides answers from the three people best positioned to know the answers: the head of the Internet Storm Center, the top hacker exploits expert/teacher in the US and the top expert on cyberattacks on industrial control systems.
Tomi Engdahl says:
OBD-II Dongle Attack: Stopping a Moving Car via Bluetooth
http://hackaday.com/2017/04/14/obd-ii-dongle-attack-stopping-a-moving-car-via-bluetooth/
Researchers from the Argus Research Team found a way to hack into the Bosch Drivelog ODB-II dongle and inject any kind of malicious packets into the CAN bus. This allowed them to, among other things, stop the engine of a moving vehicle by connecting to the dongle via Bluetooth.
Drivelog is Bosch’s smart device for collecting and managing your vehicle’s operating data. It allows a user to connect via Bluetooth to track fuel consumption and to be alerted when service is necessary. It was compromised in a two stage attack.
The Bluetooth pairing mechanism, called “Just Works”, has been fixed by Bosch by activating a two-step verification for additional users to be registered to a device. The second issue, the ability for a maliciously modified mobile application to possibly send unwanted CAN messages, will be mitigated with an update to the dongle firmware to further limit the allowed commands that the dongle is able to place on the CAN bus.
A Remote Attack on the Bosch Drivelog Connector Dongle
https://argus-sec.com/remote-attack-bosch-drivelog-connector-dongle/
Tomi Engdahl says:
Motherboard:
A look at Retina-X and FlexiSpy, spyware companies whose surveillance software is used by ordinary people to tap each other’s phones
Inside the ‘Stalkerware’ Surveillance Market, Where Ordinary People Tap Each Other’s Phones
https://motherboard.vice.com/en_us/article/inside-stalkerware-surveillance-market-flexispy-retina-x
Surveillance starts at home.
This story is part of When Spies Come Home, a Motherboard series about powerful surveillance software ordinary people use to spy on their loved ones.
Tomi Engdahl says:
Apr 19, 2017 | 4:18 PM EDT
Exclusive: Putin-linked think tank drew up plan to sway 2016 U.S. election – documents
http://mobile.reuters.com/article/idUSKBN17L2N3
A Russian government think tank controlled by Vladimir Putin developed a plan to swing the 2016 U.S. presidential election to Donald Trump and undermine voters’ faith in the American electoral system, three current and four former U.S. officials told Reuters.
strategy papers recommended the Kremlin launch a propaganda campaign on social media and Russian state-backed global news outlets, with messaging about voter fraud, and damage Clinton’s reputation
The documents were central to the Obama administration’s conclusion that Russia mounted a “fake news” campaign and launched cyber attacks
Neither of the Russian institute documents mentioned the release of hacked Democratic Party emails to interfere with the U.S. election
Tomi Engdahl says:
Beware the Ides of April – Cybercriminals and Tax Season
http://www.securityweek.com/beware-ides-april-cybercriminals-and-tax-season
Bad Actors Will do Whatever They Can to Take Advantage of the Lucrative Tax Season
Made famous by Shakespeare’s Julius Caesar, “Beware the Ides of March” was a message to Julius Caesar warning of his assassination on March 15. Although the consequences aren’t as dire, a similar warning is also in order for businesses and individuals in the U.S. around the Ides of April – the traditional tax filing deadline and, in recent years, a deadline for cybercriminals to profit from tax season.
This year the trend continues. There are numerous instances of bad actors requesting and selling items pertaining to tax fraud across criminal sites on the open and dark web. It has been reported that already at least 120,000 individuals have been affected by W-2 phishing incidents this year.
Tomi Engdahl says:
You Can’t Protect Your Assets If You Don’t Understand Them
http://www.securityweek.com/you-cant-protect-your-assets-if-you-don%E2%80%99t-understand-them
The Starting Point for Any Cyber Risk Management Program Must be Identifying Assets and Their Attributes
I was recently reminded of a famous quote by former Secretary of Defense, Donald Rumsfeld, “There are known knowns. These are things we know that we know. There are known unknowns. That is to say, there are things that we know we don’t know. But there are also unknown unknowns. There are things we don’t know we don’t know.”
Nowhere is that statement more valid than in IT asset management. Most of us agree that IT asset management (ITAM) is the least sexy topic in cyber. However, you can’t protect what you don’t know about. Without visibility into your information assets, their value, where they live, how they relate to each other and who has access to them, any strategy for protection would be inherently incomplete and ineffective. It would kind of be like trying to buy a property insurance policy without telling the insurance company the construction, number, size, value and contents of the buildings you are trying to protect. The starting point for any cyber risk management program, internal or regulatory, must be identifying assets and their attributes.
Tomi Engdahl says:
To See or Not to See? It Shouldn’t be a Question
http://www.securityweek.com/see-or-not-see-it-shouldnt-be-question
In today’s world, IT professionals may find themselves asking some tough questions about network visibility: How do we see the whole network? What tools do we need? How do we stay compliant? Although not life or death questions, hats off to Hamlet, they are important to ask for an organization’s security posture. This is especially true considering the rise in data and network complexity, coupled with concerns about privacy and security.
Innovations in digital business, big data, social collaboration and the Internet of Things have pushed the limits of existing computing systems, in turn forcing companies to up-level their infrastructure, including taking to the cloud. Encryption has also taken over half of the web. Organizations and their workforce have gained new levels of productivity and security in the process but have sacrificed visibility and control. This can be a problem considering all the sensitive information being handled by the modern corporate network.
In such an environment, sophisticated exploits still occur, information is still hijacked— all while complexity hinders the ability to see what is going on in the networks at a granular level. It makes it a difficult task to take on but it’s not without a solution.
Peering Through the Mask
Full visibility is necessary when it comes to security. But some things should stay hidden, ranging from Personally Identifiable Information (PII) to critical production data. Standards and regulations on data are in place across industries that limit who can view and use it. How do you have both?
Data masking, where data access restriction essentially makes data invisible, replaces vulnerable or sensitive data by obfuscating parts of it or replacing it with information that looks real. In essence, when data is masked, it’s altered so that the basic information remains the same but the key values are changed.
Here are some cases in which masking can be particularly useful.
Testing
- Companies must often have true-to-life datasets to test and develop relevant software.
Monitoring and Recording
- Companies usually need to monitor and record data, but by law cannot store PII.
SSL Decryption
- While protecting data, Secure Socket Layer (SSL) encryption also poses a risk, as hackers leverage encrypted data to sneak in and pilfer sensitive information. As such, organizations decrypt and examine SSL traffic passing through their network to ensure there is no malicious activity. But SSL decryption means anyone with access to the monitoring tools can view the sensitive data behind the encryption. Fortunately, there are tools that can decrypt SSL data while masking the data that shouldn’t be exposed.
Not all data masking solutions are created equal. To ensure you have the right one, it’s imperative that the organization already know how it is going to be used. In all, it’s about what is being masked, how easy access to data is meant to be and how it will be distributed.
Ultimately, security in today’s complex networks and regulations comes down to how a network is seen — not if all of it can be seen. With so much data floating around, it will be up to the company to decide how they approach the problem.
Tomi Engdahl says:
Chrome, Firefox Users Exposed to Unicode Domain Phishing
http://www.securityweek.com/chrome-firefox-users-exposed-unicode-domain-phishing
Malicious actors can create legitimate-looking phishing domains by leveraging the fact that some popular web browsers fail to properly protect their users against homograph attacks.
Web developer Xudong Zheng has demonstrated how an attacker could have registered the domain name “xn--80ak6aa92e.com,” which is displayed by web browsers such as Chrome, Opera and Firefox as “apple.com.”
Tomi Engdahl says:
Flaw in Drupal Module Exposes 120,000 Sites to Attacks
http://www.securityweek.com/flaw-drupal-module-exposes-120000-sites-attacks
A critical vulnerability has been found in a Drupal module used by many websites. While the flaw has been fixed, Drupal developers initially advised users to migrate as the affected module had not been updated for several years.
Tomi Engdahl says:
Karmen Ransomware Deletes Decryptor If Sandbox is Detected
http://www.securityweek.com/karmen-ransomware-deletes-decryptor-if-sandbox-detected
Karmen Ransomware Deletes Decryptor Component When Detecting a Sandbox Environment or Analysis Software
A recently discovered Hidden Tear ransomware offspring is being sold on underground forums as a Ransomware-as-a-Service (RaaS), priced at just $175, Recorded Future researchers reveal.
Dubbed Karmen, the malware appears to have been around since December 2016, when incidents involving it were reported in Germany and the United States. However, the threat started being advertised on underground forums only in March.
After having a closer look at the malware, Recorded Future security researchers discovered that it is derived from the Hidden Tear open source ransomware. They also found out that Karmen was using the AES-256 encryption protocol for the encryption of targeted files on the local machine.
Wannabe-criminals buying the ransomware are provided the option to change various settings courtesy of a control panel that doesn’t require advanced technical knowledge to operate. They can also track infected systems via a “Clients” page. A Dashboard offers information such as the number of infected machines, earned revenue, and available updates for the malware.
Tomi Engdahl says:
Microsoft: Latest ‘Shadow Brokers’ Exploits Already Patched
http://www.securityweek.com/microsoft-latest-shadow-brokers-exploits-already-patched
The hacker group calling itself “Shadow Brokers” has made public another batch of files allegedly obtained from the NSA-linked threat actor tracked as the Equation Group. Microsoft has assured customers that these new exploits don’t affect up-to-date systems.
The Shadow Brokers recently published a password to a previously leaked file and many believed it would represent the group’s last dump. However, the hackers released another round of files on Friday, including exploits for Windows and IBM’s Lotus Domino platform. The leaked files also appear to show that the Equation Group breached the SWIFT banking network and monitored a number of Middle Eastern banks.
Tomi Engdahl says:
Mary Jo Foley / ZDNet:
Microsoft says it will now roll out twice yearly updates for Windows and Office in March and September, starting with “Redstone 3” — IT Pros, mark your calendars. Starting in September 2017 with Windows 10 ‘Redstone 3,’ Microsoft will begin rolling out new feature updates …
Microsoft to roll out new Windows 10, Office feature releases twice annually
http://www.zdnet.com/article/microsoft-to-roll-out-new-windows-10-office-feature-releases-twice-annually/
IT pros, mark your calendars. Starting in September 2017 with Windows 10 “Redstone 3,” Microsoft will begin rolling out new feature updates to Windows and Office 365 ProPlus together, twice a year.
To date, predicting when Microsoft would roll out new feature upgrades to Windows 10 and Office has been a guessing game for IT pros. But starting this September, that situation should become more predictable.
Microsoft is committing to delivering two Windows 10 and two Office client feature upgrades each year, with the target delivery dates being March and September, officials said today, April 20.
Tomi Engdahl says:
Matthew Nussbaum / Politico:
Trump misses 90-day deadline to publish cybersecurity plan after alleged Russian hacking in 2016 election, and there is no evidence of anyone working on it — He pledged in January to quickly develop a program for countering hackers, but no one seems to know who’s in charge of developing it or where it is.
Trump blows his deadline on anti-hacking plan
http://www.politico.com/story/2017/04/20/trump-cybersecurity-hackers-237385
He pledged in January to quickly develop a program for countering hackers, but no one seems to know who’s in charge of developing it or where it is.
President-elect Donald Trump was very clear: “I will appoint a team to give me a plan within 90 days of taking office,” he said in January, after getting a U.S. intelligence assessment of Russian interference in last year’s elections and promising to address cybersecurity.
Thursday, Trump hits his 90-day mark. There is no team, there is no plan, and there is no clear answer from the White House on who would even be working on what.
It’s the latest deadline Trump’s set and missed — from the press conference he said his wife would hold last fall to answer questions about her original immigration process to the plan to defeat ISIS that he’d said would come within his first 30 days in office.
Tomi Engdahl says:
Encryption system developed to hide private information from database queries
http://www.controleng.com/single-article/encryption-system-developed-to-hide-private-information-from-database-queries/accf584fe743044af1f6c5520ebde8be.html
Researchers from MIT’s Computer Science and Artificial Intelligence Laboratory (CSAIL) and Stanford University have developed an encryption system designed to disguise users’ database queries so they reveal no private information.
Most website visits these days entail a database query—to look up airline flights, for example, or to find the fastest driving route between two addresses.
But online database queries can reveal a surprising amount of information about the people making them. And some travel sites have been known to jack up the prices on flights whose routes are drawing an unusually high volume of queries.
Researchers from MIT’s Computer Science and Artificial Intelligence Laboratory (CSAIL) and Stanford University have developed an encryption system that disguises users’ database queries so that they reveal no private information.
The system is called Splinter because it splits a query up and distributes it across copies of the same database on multiple servers. The servers return results that make sense only when recombined according to a procedure that the user alone knows. As long as at least one of the servers can be trusted, it’s impossible for anyone other than the user to determine what query the servers executed.
Honest broker
Of course, if the site that hosts the database is itself collecting users’ data without their consent, the requirement of at least one trusted server is difficult to enforce.
Wang, however, points to the increasing popularity of services such as DuckDuckGo, a search engine that uses search results from other sites, such as Bing and Yahoo, but vows not to profile its customers.
“We see a shift toward people wanting private queries,” Wang said.
Division of labor
Splinter uses a technique called function secret sharing, which was first described in a 2015 paper by a trio of Israeli computer scientists.
Systems for disguising database queries have been proposed in the past, but function secret sharing could make them as much as 10 times faster. In experiments, the MIT and Stanford researchers found that Splinter could return a result from a database with millions of entries—including a duplicate of the Yelp database for selected cities—in about a second.
With function secret sharing, a database query is converted into a set of complementary mathematical functions, each of which is sent to a different database server. On each server, the function must be applied to every record in the database; otherwise, a spy could determine what data the user is interested in. Every time the function is applied to a new record, it updates a value stored in memory. After it’s been applied to the last record, the final value is returned to the user. But that value is meaningless until it’s combined with the values reported by the other servers.
Splinter has also been engineered to run efficiently on real database systems. Most modern computer chips, for instance, are hardwired to implement the encryption scheme known as AES. Hardwiring makes AES hundreds of times faster than it would be if it were implemented in software, but AES has some idiosyncrasies that make it less than ideal for function secret sharing. Through a clever combination of software processes and AES encryption, the MIT and Stanford researchers were able to make Splinter 2.5 times as efficient as it would be if it used the AES circuits alone.
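The mechanism the comment above describes, as an added Python example (not the researchers' Splinter code): the client's point query is split into two additive shares, each server applies its share to every record and accumulates a running value, and only the client's recombination step yields the count and sum. It uses full truth-table shares rather than the compact keys of real function secret sharing, and the record set and key domain are constructed for the example.

```python
import random
import secrets

# Toy additive function secret sharing over a small key domain.  A real FSS scheme
# (the 2015 construction Splinter builds on) compresses each share to a short key;
# here each share is a full table, which is enough to show why a single server
# learns nothing and why every record must be touched.
MODULUS = 2**61 - 1


def share_point_function(domain, target, rng=secrets.randbelow):
    """Split f(x) = 1 if x == target else 0 into two additive shares over `domain`.

    Server A's table is uniformly random and independent of `target`; server B's
    table is chosen so that A[x] + B[x] == f(x) (mod MODULUS) for every x.
    """
    share_a = {x: rng(MODULUS) for x in domain}
    share_b = {x: ((1 if x == target else 0) - share_a[x]) % MODULUS for x in domain}
    return share_a, share_b


def server_evaluate(share, records):
    """Server side: apply the share to EVERY record and return (count, sum) shares.

    Skipping records would let an observer infer which keys the client cares about,
    which is why the article stresses that the function is applied to all rows.
    """
    count = total = 0
    for key, value in records:
        s = share[key]
        count = (count + s) % MODULUS
        total = (total + s * value) % MODULUS
    return count, total


def client_recombine(result_a, result_b):
    """Client side: add the two servers' partial results component by component."""
    return tuple((a + b) % MODULUS for a, b in zip(result_a, result_b))


def private_aggregate(records, domain, target):
    """COUNT(*) and SUM(value) WHERE key == target, without either server seeing target."""
    share_a, share_b = share_point_function(domain, target)
    return client_recombine(server_evaluate(share_a, records),
                            server_evaluate(share_b, records))


def server_a_view_is_independent(domain, target1, target2, seed=1):
    """With the same randomness, server A receives the identical table for two
    different queries, i.e. its view carries no information about the target."""
    a1, _ = share_point_function(domain, target1, rng=random.Random(seed).randrange)
    a2, _ = share_point_function(domain, target2, rng=random.Random(seed).randrange)
    return a1 == a2


# Constructed stand-in for a replicated table of (city_id, rating) rows.
DOMAIN = range(10)
RECORDS = [(3, 4), (1, 5), (3, 2), (7, 1), (3, 5), (9, 3)]

if __name__ == "__main__":
    print(private_aggregate(RECORDS, DOMAIN, 3))        # (3, 11)
    print(server_a_view_is_independent(DOMAIN, 3, 7))   # True
```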
Tomi Engdahl says:
Half Baked IoT Stove Could Be Used As A Remote Controlled Arson Device
http://hackaday.com/2017/04/20/half-baked-iot-stove-could-be-used-as-a-remote-controlled-arson-device/
[Pen Test Partners] have found some really scary vulnerabilities in AGA range cookers. They are connected by SMS, by which a mobile app sends an unauthenticated SMS to the AGA to give it commands, for instance to preheat the oven. You can also just tell your AGA to turn everything on at once.
The problem is with the web interface; it allows an attacker to check if a user’s cell phone is already registered, allowing for a slow but effective enumeration attack. Once the attacker finds a registered device, all they need to do is send an SMS, as messages are not authenticated by the cooker, nor is the SIM card set up to send the messages validated when registered.
IoT Aga. Cast iron Security Flaw
https://www.pentestpartners.com/blog/iot-aga-cast-iron-security-flaw/
the latest Aga models are loads more efficient, so I looked into replacing it. One even features ‘Total Control’ through a mobile and web app. I wanted to know more about its security before spending extra on this option.
Inspecting the mobile app revealed that it simply passes messages to an API. Unsurprising.
However, the mobile app communicates over plain text HTTP. The Android app explicitly disables certificate validation through use of ALLOW_ALL_HOSTNAME_VERIFIER. Even if it did offer SSL, it would thus be trivial for rogues to intercept and modify traffic.
Digging deeper, it turns out that a physical module is added to the Aga. It contains a GSM SIM, to which the customer has to subscribe to Orange/EE (at £6/month).
It looks like this; note the Tekelek branding
The Aga is controlled by SMS.
Seriously, the web app sends text messages to your cooker.
That’s really quite an odd concept, particularly as many Agas are in remote locations in the country so don’t have great mobile reception. Yet internet access and Wi-Fi routers are ubiquitous. So Aga’s choice of mobile comms costs customers >£70 extra per year and doesn’t help those in poor mobile reception areas!
We can only assume that Aga did it this way to keep costs down. A shame, as a Wi-Fi module done right and conventional mobile app/API would be unlikely to have cost them much more to develop.
The web app is where things got quite interesting
Here’s the login and registration page, all over plain text HTTP, just like that mobile app. They hadn’t bothered to protect customer data in transit at all
There’s enumeration of the SIM Card Number. They don’t actually mean that, they actually mean the phone number.
Put in a valid number (i.e. +44 845 712 52 as suggested by the app when you make an invalid entry) and you’ll see that it’s already registered
So those with nefarious intentions could enumerate a list of all the valid Aga cooker phone numbers. Time consuming, but likely effective.
Whilst we’re there, the password policy is only 5 characters. This is starting to get pretty irresponsible of Aga; customers will have their cookers compromised.
But surely there is validation of the number and authentication of messages, right?
Umm, no. There’s no link sent to validate the number or the account. Nothing.
Yes, hackers could turn other people’s Agas off.
All you have to do is simply send a text message to the Aga.
One could also power up people’s Agas when they’re not looking, wasting electricity. They draw around 30 Amps in full heat-up mode, so if you could switch enough Agas on at once, one could cause power spikes. That’s a bit fanciful though.
The web interface also lends itself to spamming the hell out of people using SMS at Aga’s expense.
Disclosure was a train wreck. We tried Twitter, every email address we could find and then rang them up. No response to any of the messages we left.
Come on Aga, sort it out. This isn’t acceptable. Get rid of the silly SMS based remote control module and put in a nice secure Wi-Fi enabled module with mobile app.
Disclosure
As always, we attempt to establish private contact with the manufacturer in order to pass details of the security vulnerability and agree a disclosure timeline.
This doesn’t always go well in IoT and certainly didn’t with Aga Rangemaster!
I don’t blame Andy – he was trying to help, but it seems no-one at Aga had briefed their technical team about the mobile app, nor how to escalate a security incident.
Tomi Engdahl says:
True-Random Number Generator
https://hackaday.io/project/21054-true-random-number-generator
Modern security and cryptography call for a source of true-random numbers. This design creates them from thermal noise in a resistor.
This design creates a random bitstream from the analog random fluctuations that are inherent in resistors. This requires a lot of gain, and typically would be sensitive to interfering signals that would overwhelm the noise and ruin the randomness of the output. This design entry is based on the circuit in my US patent 6,070,178, which has expired. This project adds a new interface to the random number generator to make it compatible with modern computers. This practical device provides anyone who needs it with access to cryptographically-secure true-random numbers. It is simple enough that many people will be able to build versions of the device using a wide variety of generic components. The purpose of this contest entry is to spread knowledge of this circuit widely, in the hope that its use will make it more difficult for malicious actors to create a single point of failure in privacy and security.
Other applications of true-random numbers are gaming and engineering simulation.
Tomi Engdahl says:
Inside the ‘Stalkerware’ Surveillance Market, Where Ordinary People Tap Each Other’s Phones
Surveillance starts at home.
https://motherboard.vice.com/en_us/article/inside-stalkerware-surveillance-market-flexispy-retina-x
This story is part of When Spies Come Home, a Motherboard series about powerful surveillance software ordinary people use to spy on their loved ones.
Tomi Engdahl says:
Flaws in Bosch Car Dongle Allow Hackers to Stop Engine
http://www.securityweek.com/flaws-bosch-car-dongle-allow-hackers-stop-engine
Vulnerabilities found by researchers in Bosch’s Drivelog Connect product can be exploited by hackers to inject malicious messages into a vehicle’s CAN bus. The vendor has implemented some fixes and is working on adding more attack protections.
Tomi Engdahl says:
You Think You Can’t Be Phished?
http://hackaday.com/2017/04/19/you-think-you-cant-be-phished/
Well, think again. At least if you are using Chrome or Firefox. Don’t believe us? Well, check out Apple’s new website then, at https://www.apple.com . Notice anything? If you are not using an affected browser you are just seeing a strange URL after opening the webpage, otherwise it’s pretty legit. This is a page to demonstrate a type of Unicode vulnerability in how the browser interprets and shows the URL to the user. Notice the valid HTTPS.
So what’s going on? This type of phishing attack, known as IDN homograph attacks, relies on the fact that the browser, in this case Chrome or Firefox, interprets the “xn--” prefix in a URL as an ASCII compatible encoding prefix. It is called Punycode and it’s a way to represent Unicode using only the ASCII characters used in Internet host names. Imagine a sort of Base64 for domains.
Different alphabets have different glyphs that work in these kinds of attacks. Take the Cyrillic alphabet: it contains 11 lowercase glyphs that are identical or nearly identical to Latin counterparts.
This affects the current version of Chrome browser, which is version 57.0.2987 and the current version of Firefox, which is version 52.0.2. This does not affect Internet Explorer or Safari browsers. If you are using Firefox, you can switch off the Punycode translation in about:config by changing network.IDN_show_punycode to true. If you are using Chrome, you’ll have to wait for the update. Or manually check the HTTPS certificate in HTTPS enabled websites.
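The homograph check that this comment and the earlier SecurityWeek one describe, as an added Python example (not code from the Hackaday or SecurityWeek articles): it Punycode-decodes an "xn--" label, maps Cyrillic look-alike letters to their Latin skeleton, and compares the result against a watchlist of protected domains, which is what a mail or proxy filter would do instead of relying on the browser's display rule. The watchlist, the partial confusables map and the sample hostnames are constructed; the decoded form of xn--80ak6aa92e.com is the one the articles cite.

```python
import unicodedata

# Constructed, deliberately partial map of Cyrillic lowercase letters whose glyphs are
# identical or nearly identical to Latin letters (the article counts eleven of them).
# Unicode's confusables.txt is the production-grade source for such a table.
CYRILLIC_LOOKALIKES = {
    "\u0430": "a",  # а
    "\u0441": "c",  # с
    "\u0435": "e",  # е
    "\u043e": "o",  # о
    "\u0440": "p",  # р
    "\u0445": "x",  # х
    "\u0443": "y",  # у
    "\u0455": "s",  # ѕ
    "\u0456": "i",  # і
    "\u0458": "j",  # ј
    "\u04cf": "l",  # ӏ (palochka)
    "\u04bb": "h",  # һ
    "\u0501": "d",  # ԁ
}


def decode_label(label: str) -> str:
    """Return the Unicode form of one DNS label.

    'xn--' labels carry Punycode (RFC 3492); everything else is returned as-is.
    Malformed Punycode is left undecoded rather than raising, so a filter never
    crashes on attacker-controlled input.
    """
    if label.lower().startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except UnicodeError:
            return label
    return label


def label_scripts(label: str) -> set:
    """Scripts used by the letters of one label, e.g. {'LATIN'} or {'CYRILLIC', 'LATIN'}.

    The first word of the Unicode character name is a good-enough script tag here.
    """
    return {unicodedata.name(ch).split()[0] for ch in label if ch.isalpha()}


def skeleton(text: str) -> str:
    """Replace each look-alike letter with its Latin counterpart."""
    return "".join(CYRILLIC_LOOKALIKES.get(ch, ch) for ch in text)


def check_host(host: str, watchlist: set) -> dict:
    """Classify a hostname for homograph risk against a set of protected domains.

    Verdicts: 'homograph'    - skeleton equals a protected name but the real letters differ
              'mixed-script' - a single label mixes scripts (the rule Chrome already applied)
              'ok'           - neither condition holds
    """
    labels = [decode_label(part) for part in host.lower().split(".")]
    unicode_host = ".".join(labels)
    skel = skeleton(unicode_host)
    mixed = any(len(label_scripts(lbl)) > 1 for lbl in labels)
    if skel in watchlist and skel != unicode_host:
        verdict = "homograph"
    elif mixed:
        verdict = "mixed-script"
    else:
        verdict = "ok"
    return {
        "host": host,
        "unicode_host": unicode_host,
        "skeleton": skel,
        "scripts": sorted(set().union(*(label_scripts(lbl) for lbl in labels))),
        "mixed_script_label": mixed,
        "verdict": verdict,
    }


if __name__ == "__main__":
    # Constructed watchlist; the first sample host is the one from the articles,
    # the others are constructed Unicode hostnames.
    protected = {"apple.com", "example.com"}
    for sample in ("xn--80ak6aa92e.com", "\u0430pple.com", "apple.com", "\u043c\u0438\u0440.com"):
        print(check_host(sample, protected))
```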
Tomi Engdahl says:
Alex Barnsbee / IOActive Labs Research:
Researchers find 10 vulnerabilities in 20+ Linksys Smart Wi-Fi routers; Linksys issues security advisory to mitigate risks until new firmware is available — Last year I acquired a Linksys Smart Wi-Fi router, more specifically the EA3500 Series. I chose Linksys (previously owned by Cisco …
Linksys Smart Wi-Fi Vulnerabilities
http://blog.ioactive.com/2017/04/linksys-smart-wi-fi-vulnerabilities.html
After reverse engineering the router firmware, we identified a total of 10 security vulnerabilities, ranging from low- to high-risk issues, six of which can be exploited remotely by unauthenticated attackers.
Tomi Engdahl says:
Google Won’t Trust Symantec and Neither Should You
http://www.darkreading.com/endpoint/google-wont-trust-symantec-and-neither-should-you/a/d-id/1328682
As bad as this controversy is for Symantec, the real damage will befall the company and individual web sites deemed untrustworthy by a Chrome browser on the basis of a rejected Symantec certificate.
Tomi Engdahl says:
What happens to your data once it is on the dark web?
http://www.ibtimes.co.uk/what-happens-your-data-once-it-dark-web-1617115
IBTimes UK looks into why user credentials are so valuable to hackers and traded over the dark web.
The dark web is the murky underworld of the Internet where hundreds of online communities illegally trade a wide variety of commodities, from stolen user data to drugs and weapons. Over the past few years, given the alarming escalation of data breaches, dark web marketplaces are reportedly flooded with stolen user credentials being traded for a quick buck.
the dark web is home to both high-profile cybercrime syndicates as well as low-level “script kiddies”.
Stolen credentials are generally listed on the dark web to be sold so hackers can make a quick buck. Barysevich said that different kinds of user credentials have different value to cybercriminals.
“Employee credentials to various corporate networks are the rarest commodity on the underground and often sold to vetted and established buyers, fetching anywhere from a couple of hundred to thousands of dollars.”
Barysevich said that stolen data is likely “resold in bulk” via “automated marketplaces.”
Cybercriminals are known to use stolen credentials to launch cybercrime campaigns as well as perpetuate crimes such as identity theft and scams. However, user data has other uses and can allow hackers entry into corporations.
Tomi Engdahl says:
Nicole Perlroth / New York Times:
Russian hacker Roman Seleznev sentenced to 27 years for theft, sale of 2M+ CC numbers resulting in $170M+ in losses, the longest hacking-related sentence in US
Russian Hacker Sentenced to 27 Years in Credit Card Case
https://www.nytimes.com/2017/04/21/technology/russian-hacker-sentenced.html
Federal prosecutors have yet to capture or convict the foreign computer criminals believed to be behind the hackings of big retailers like Target and Neiman Marcus.
But in a rare, major victory in Federal District Court in Seattle, the Justice Department netted a big player in a Russian digital crime ring who is the son of a prominent Russian lawmaker. And now, law enforcement officials have made an example of him.
Mr. Seleznev’s schemes led to the theft and resale of more than two million credit card numbers, resulting in losses of at least $170 million. That total could grow to billions of dollars, according to court documents. Among Mr. Seleznev’s victims were 3,700 financial institutions and 500 businesses around the world, including several restaurants in the Seattle area.
“Simply put, Roman Seleznev has harmed more victims and caused more financial loss than perhaps any other defendant that has appeared before the court,” federal prosecutors said in their sentencing memorandum. “This prosecution is unprecedented.”
Given the large number of victims and financial losses, federal sentencing guidelines indicated that Mr. Seleznev should receive a life sentence, but prosecutors recommended the 30-year term.
The 27-year sentence he received is expected to send a message to other Russian computer criminals.
Tomi Engdahl says:
Two open source secure email services
https://opensource.com/article/17/3/secure-email?sc_cid=7016000000127ECAAY
Keep your email private with the help of these two open source services for securing your email.
ProtonMail boasts that it keeps your email messages “encrypted at all times.” It does a good job of that. The only time a message isn’t encrypted is when it lands in a recipient’s inbox.
Tutanota takes a similar approach to protecting your emails. Your inbox is encrypted, and you have the option to either encrypt the message or not. In case you’re wondering, messages are end-to-end encrypted if you’re sending to someone with a Tutanota email address.
If you do choose to encrypt the message (and why wouldn’t you?), you’re asked to create a password that the recipient will use to decrypt all emails that you send them.
Tomi Engdahl says:
Cyber Risk Auditor Raises $20M Amid ‘Viral’ Customer Growth
http://fortune.com/2017/04/18/cybergrx-seriesb/
CyberGRX believes it has solved a security problem that has long vexed many companies: How to ensure that third-party suppliers don’t provide a way for hackers to attack their networks? As Target can attest, these vendors—such as point-of-sale companies or caterers—can amount to a soft underbelly of a corporate network.
The solution is to create a clearinghouse for cyber-risk in which a third party, CyberGRX, vets the suppliers and confirms they are taking the right steps to keep hackers away. CyberGRX’s clearinghouse model, which is being used by the likes of private equity firm Blackstone and insurer Aetna, also saves chief security officers from spending hundreds of hours vetting individual vendors.
“The adoption rate is very strong—in fact, it’s viral,”
The way the approach works is that customers who wish to use the clearinghouse complete an initial questionnaire about their cyber risks. CyberGRX then maintains the risk profiles and updates them every quarter. Companies that require extra assurances in specific areas can request CyberGRX to conduct additional vetting, though Cowan says few have needed to do this so far.
The process can spare chief security officers from the tedious task of auditing dozens or hundreds of vendors to ensure they follow proper cyber-hygiene. Meanwhile, it ensures vendors do not have to prove their security competence over and over to each new customer—they can simply show they have been vetted by CyberGRX.
“There was such a gross inefficiency in the market—simply doing an audit once and making it available to everyone yields huge benefits, especially in cost,”
Tomi Engdahl says:
The History of Fileless Malware – Looking Beyond the Buzzword
https://zeltser.com/fileless-malware-beyond-buzzword/
What’s the deal with “fileless malware”? Though many security professionals cringe when they hear this term, lots of articles and product brochures mention fileless malware in the context of threats that are difficult to resist and investigate.
The notion of fileless malware has been gaining a lot of attention at industry events, private meetings and online discussions. This might be because this threat highlights some of the deficiencies in old-school endpoint security methods and gives new approaches an opportunity to highlight their strengths.
What is Fileless Malware?
Let’s get this out of the way: Fileless malware sometimes has files. Most people today seem to be using the term fileless malware in a manner consistent with the following definition:
Fileless malware is malware that operates without placing malicious executables on the file system.
This definition accommodates situations where the infection began with a malicious script or even a benign executable on the file system. It also matches the scenarios where the specimen stored artifacts in the registry, even though Windows keeps registry contents on disk. It applies regardless of the way in which the infection occurred, be it an exploit of a vulnerability, a social engineering trick, or a misuse of some feature.
The notion of malicious code that resides solely in memory certainly existed prior to the 21st century. Yet, it wasn’t until the highly-prolific Code Red worm left its mark on the Internet in 2001,
Gartner used the term “non-malware attack” in a 2017 report that highlighted Carbon Black. However, another Gartner report published a month later used “fileless attacks” instead.
I like the idea of saying “non-malware attacks” for incidents that rely solely on legitimate system administration tools and other non-malicious software.
Tomi Engdahl says:
Hitachi built an AI security system that follows you through a crowd
https://qz.com/958467/hitachi-built-an-ai-security-system-that-follows-you-through-a-crowd/
A new AI security system for airports can pick out every little detail about you. And then it follows you.
Hitachi’s new AI system can classify people based on more than a hundred characteristics, including your gender, what you’re wearing, what you’re carrying, how old you are and how you’re walking.
“In Japan, the demand for such technology is increasing because of the Tokyo 2020 Olympics,”
The software can be used to flag and monitor suspicious behavior, say, or help find missing children. The software can be instructed to track people with certain characteristics, but it can also find people in a crowd.
Privacy advocates see a couple of problems with such software.
Tomi Engdahl says:
Sheera Frenkel / BuzzFeed:
How Russian hacking evolved: simple credit card schemes in the ’90s, takeover by organized crime in the ’00s, and now joint criminal and government hacker teams
https://www.buzzfeed.com/sheerafrenkel/inside-the-hunt-for-russias-hackers?utm_term=.rbA941oa2y#.dsry7XjJAZ
Tomi Engdahl says:
Digital risks are everywhere, and they threaten your company’s bottom line. While a strong information security program is a necessity, effective risk management also requires a state of the art cyber insurance policy. Analyzing all the areas of risk and potential loss as well as ensuring you are properly covered can be daunting.
Source: http://www.itmanagement.com/research/why-cyber-insurance-matters-47622?mid=6158450&lgid=3441165&mailing_id=2865831&tfso=147839&lpid=513
Tomi Engdahl says:
White-hat Botnet Infects, Then Secures IoT Devices
http://hackaday.com/2017/04/24/white-hat-botnet-infects-then-secures-iot-devices/
[Symantec] Reports Hajime seems to be a white hat worm that spreads over telnet in order to secure IoT devices instead of actually doing anything malicious.
In a crazy turn of events, it now seems that the worm is actually securing devices affected by another major IoT botnet, dubbed Mirai, which has been launching DDoS attacks. More recently a new Mirai variant has been launching application-layer attacks since its source code was uploaded to a GitHub account and adapted.
Hajime is a much more complex botnet than Mirai as it is controlled through peer-to-peer propagating commands through infected devices.
“The author can open a shell script to any infected machine in the network at any time, and the code is modular, so new capabilities can be added on the fly. It is apparent from the code that a fair amount of development time went into designing this worm.”
So where is this all going?
So far this is beginning to look like a cyber battle of Good vs Evil. Or it’s a turf war between rival cyber-mafias. Only time will tell.
Hajime worm battles Mirai for control of the Internet of Things
https://www.symantec.com/connect/blogs/hajime-worm-battles-mirai-control-internet-things
The Hajime worm appears to be the work of a white hat hacker attempting to wrestle control of IoT devices from Mirai and other malicious threats.
A battle is raging for control of Internet of Things (IoT) devices. There are many contenders, but two families stand out: the remains of the Mirai botnet, and a new similar family called Hajime.
Hajime was first discovered by researchers in October of last year and, just like Mirai (Linux.Gafgyt), it spreads via unsecured devices that have open Telnet ports and use default passwords. In fact, Hajime uses the exact same username and password combinations that Mirai is programmed to use, plus two more.
But that’s where the similarities end.
Unlike Mirai, which uses hardcoded addresses for its command and control (C&C) server, Hajime is built on a peer-to-peer network. There isn’t a single C&C server address, instead the controller pushes command modules to the peer network and the message propagates to all the peers over time. This is typically considered a more robust design as it makes takedowns more difficult.
Hajime is also stealthier and more advanced in comparison to Mirai. Once on an infected device, it takes multiple steps to conceal its running processes and hide its files on the file system. The author can open a shell script to any infected machine in the network at any time, and the code is modular, so new capabilities can be added on the fly. It is apparent from the code that a fair amount of development time went into designing this worm.
Over the past few months, Hajime has been spreading quickly. Symantec has tracked infections worldwide, with large concentrations in Brazil and Iran. It is hard to estimate the size of the peer-to-peer network, but modest estimates put it in the tens of thousands.
Reasons behind the worm
There are some features that are noticeably missing from Hajime. It currently doesn’t have any distributed denial of service (DDoS) capabilities or any attacking code except for the propagation module. Instead, it fetches a statement from its controller and displays it on the terminal approximately every 10 minutes. The current message is:
Just a white hat, securing some systems.
Important messages will be signed like this!
Hajime Author.
Contact CLOSED
Stay sharp!
The above message is cryptographically signed and the worm will only accept messages signed by a hardcoded key, so there is little question that this message is from the worm’s true author.
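The propagation mechanism both Mirai and Hajime share (Telnet plus a fixed list of vendor default credentials) is also the easiest thing to detect on the defender's side. The example below is added here and is not code from Symantec, Hackaday or either botnet: it runs a small detector over constructed Telnet honeypot log lines and flags sources that walk through several pairs from the Mirai dictionary. The log format is hypothetical, and the credential table is an excerpt of the pairs hard-coded in the public Mirai source, not the full list (Hajime's two additional pairs are not on this page and are not included).

```python
import re
from collections import defaultdict

# Excerpt of the username/password pairs hard-coded in the public Mirai
# source (the list this page says Hajime reuses). Partial copy for
# illustration, not the complete table.
MIRAI_DEFAULT_CREDENTIALS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"),
    ("admin", "admin"), ("root", "888888"), ("root", "xmhdipc"),
    ("root", "default"), ("root", "juantech"), ("root", "123456"),
    ("root", "54321"), ("support", "support"), ("root", ""),
    ("admin", "password"), ("root", "root"), ("root", "12345"),
    ("user", "user"), ("admin", ""), ("root", "pass"),
    ("admin", "admin1234"), ("root", "1111"), ("admin", "smcadmin"),
    ("root", "666666"), ("root", "password"), ("root", "1234"),
    ("ubnt", "ubnt"), ("guest", "guest"), ("service", "service"),
    ("supervisor", "supervisor"), ("root", "7ujMko0vizxv"),
    ("root", "7ujMko0admin"), ("tech", "tech"),
}

# Hypothetical honeypot line format (an assumption of this example):
# <timestamp> telnetd[<pid>]: login attempt from <ip>:<port> user="<u>" pass="<p>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) telnetd\[\d+\]: login attempt from '
    r'(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+ '
    r'user="(?P<user>[^"]*)" pass="(?P<pw>[^"]*)"$'
)


def parse_line(line):
    """Return (timestamp, ip, user, password), or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    return m.group("ts"), m.group("ip"), m.group("user"), m.group("pw")


def is_mirai_credential(user, password):
    """True when the pair is in the Mirai dictionary excerpt above."""
    return (user, password) in MIRAI_DEFAULT_CREDENTIALS


def summarize(lines, threshold=3):
    """Map source IP -> Mirai-list pairs it tried, keeping only sources that
    walked through at least `threshold` distinct pairs. A single hit can be an
    operator typing a vendor default; several distinct pairs from one source
    is the scanner behaviour described for Mirai and Hajime."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines instead of crashing on them
        _, ip, user, pw = rec
        if is_mirai_credential(user, pw):
            hits[ip].append((user, pw))
    return {ip: pairs for ip, pairs in hits.items() if len(set(pairs)) >= threshold}


# Constructed sample log: one dictionary walk, one operator typo,
# one ordinary user login and one malformed line.
SAMPLE_LOG = [
    '2017-04-24T10:01:02Z telnetd[812]: login attempt from 203.0.113.7:51234 user="root" pass="xc3511"',
    '2017-04-24T10:01:03Z telnetd[812]: login attempt from 203.0.113.7:51235 user="root" pass="vizxv"',
    '2017-04-24T10:01:04Z telnetd[812]: login attempt from 203.0.113.7:51236 user="admin" pass="admin"',
    '2017-04-24T10:01:05Z telnetd[812]: login attempt from 203.0.113.7:51237 user="root" pass="888888"',
    '2017-04-24T10:05:00Z telnetd[812]: login attempt from 198.51.100.20:40001 user="admin" pass="admin"',
    '2017-04-24T10:05:30Z telnetd[812]: login attempt from 198.51.100.20:40002 user="alice" pass="correct-horse"',
    'this line is not a telnetd record',
]

if __name__ == "__main__":
    for ip, pairs in summarize(SAMPLE_LOG).items():
        print(ip, "tried", len(pairs), "Mirai-list pairs:", pairs)
```

The threshold is what separates a scanner from a person: 203.0.113.7 is reported because it cycled through four distinct dictionary pairs, while 198.51.100.20's single admin/admin attempt is not. The same table can be run against your own device inventory; any device that accepts one of these pairs on an open Telnet port is exactly what both worms are looking for.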
Tomi Engdahl says:
Chrome Addresses Threat of Unicode Domain Spoofing
http://www.securityweek.com/chrome-addresses-threat-unicode-domain-spoofing
Google on Wednesday released Chrome 58 to the stable channel for Windows, Mac and Linux to address 29 vulnerabilities, including an issue that rendered users vulnerable to Unicode domain phishing.
Demonstrated by web developer Xudong Zheng, the bug resides in the use of Unicode characters in Internet hostnames through Punycode. By using characters that may look the same but are represented differently in Punycode, malicious actors can spoof legitimate websites and use them in phishing attacks.
Chrome 58 addresses the bug, which Google refers to as a URL spoofing in Omnibox (CVE-2017-5060). Assessed only a Medium severity rating, the vulnerability earned Xudong Zheng a $2000 bounty.
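To make the spoof concrete: an internationalised hostname is stored in DNS as Punycode (the `xn--` form), and the browser chooses whether to render it back to Unicode. The example below is added here and is not Chrome's or Xudong Zheng's code; it uses Python's built-in `idna` codec to show the Punycode form, and implements a simplified version of the two checks a browser applies, flagging labels that mix scripts (a Latin name with one Cyrillic letter swapped in) and labels made entirely of non-Latin letters that imitate Latin ones. The lookalike table is an excerpt and the script classification is a heuristic on Unicode character names; a production check would use the Unicode confusables data.

```python
import unicodedata

# Excerpt of Cyrillic letters that render like Latin letters in common fonts
# (a fuller check would load the Unicode confusables.txt data instead).
LATIN_LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0455": "s",
    "\u0456": "i", "\u0458": "j", "\u04bb": "h", "\u04cf": "l",
    "\u0501": "d", "\u051b": "q", "\u051d": "w",
}

SCRIPTS = ("LATIN", "CYRILLIC", "GREEK", "ARMENIAN", "HEBREW", "ARABIC")


def script_of(ch):
    """Crude script classification from the character's Unicode name; digits,
    hyphen and other non-letters count as COMMON."""
    name = unicodedata.name(ch, "")
    for s in SCRIPTS:
        if name.startswith(s):
            return s
    return "COMMON"


def to_ascii(hostname):
    """IDNA/Punycode form of the hostname, i.e. what a browser can fall back to
    showing when a label fails its spoof checks."""
    return hostname.encode("idna").decode("ascii")


def skeleton(label):
    """Replace lookalike letters with the Latin letter they imitate, so the
    result can be compared against a list of protected names."""
    return "".join(LATIN_LOOKALIKES.get(c, c) for c in label)


def label_verdict(label):
    """'mixed-script' when letters from two scripts are combined,
    'whole-script-confusable' when every letter is a non-Latin lookalike of a
    Latin letter, 'ok' otherwise (plain ASCII and genuine Cyrillic names pass)."""
    scripts = {script_of(c) for c in label} - {"COMMON"}
    if len(scripts) > 1:
        return "mixed-script"
    if scripts and scripts != {"LATIN"}:
        letters = [c for c in label if script_of(c) != "COMMON"]
        if all(c in LATIN_LOOKALIKES for c in letters):
            return "whole-script-confusable"
    return "ok"


def check_hostname(hostname):
    """Return the Punycode form, the per-label verdicts, the Latin skeleton and
    the form a cautious UI should display (Punycode when anything is suspicious)."""
    labels = hostname.lower().split(".")
    verdicts = [label_verdict(lbl) for lbl in labels]
    suspicious = any(v != "ok" for v in verdicts)
    return {
        "punycode": to_ascii(hostname),
        "verdicts": verdicts,
        "skeleton": ".".join(skeleton(lbl) for lbl in labels),
        "display": to_ascii(hostname) if suspicious else hostname,
    }


if __name__ == "__main__":
    # Constructed inputs: a Latin name with Cyrillic a (U+0430) in position 2,
    # a name built only from Cyrillic lookalikes, and a genuine Cyrillic name.
    for h in ("paypal.com",
              "p\u0430ypal.com",
              "\u0430\u0440\u0440\u04cf\u0435.com",
              "\u044f\u043d\u0434\u0435\u043a\u0441.com"):
        print(check_hostname(h))
```

The mixed-script case is the easy one; the whole-script case is what the Chrome 58 change targets, because a label made only of Cyrillic letters is a perfectly legitimate IDN in general and can only be judged by asking whether every letter in it happens to have a Latin twin. The `skeleton` output is the piece to feed a blocklist of your own brand names.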
Tomi Engdahl says:
Corporate Users Increasingly Targeted With Exploits: Kaspersky
http://www.securityweek.com/corporate-users-increasingly-targeted-exploits-kaspersky
A report published by Kaspersky Lab on Thursday shows that the number of attacks involving exploits increased significantly in 2016 compared to the previous year, but the number of attacked users actually dropped.
The security firm observed more than 700 million attempts to execute an exploit in 2016, which represents a 25% increase compared to 2015. However, the number of users attacked was only 4.3 million, compared to nearly 5.5 million in the previous year.
This indicates that while fewer users encountered exploits, the likelihood of coming across an exploit increased as the number of websites and spam messages delivering such threats has continued to grow.
Of all the exploit attacks observed by Kaspersky in 2016, more than 15% were aimed at corporate machines. The number of targeted corporate users increased from 538,000 in 2015 to 690,000 in 2016.
While Windows and web browsers were the most targeted applications in both 2015 and 2016, their share decreased significantly last year, making more room for Android and Microsoft Office exploits.
Tomi Engdahl says:
Mastercard Launches Fingerprint-Based Biometric Card
http://www.securityweek.com/mastercard-launches-fingerprint-based-biometric-card
Mastercard announced on Thursday the launch of a biometric card that combines chip technology with fingerprints in order to allow consumers to easily authorize financial transactions and verify their identity when making a purchase.
Before using the fingerprint feature, cardholders need to register the card with their bank. During this process, the user’s fingerprint is converted into an encrypted digital template and stored on the card.
When making an in-store payment, customers dip their card into the point-of-sale (PoS) terminal and scan their fingerprint on the embedded sensor. If the fingerprint matches the one stored on the card, the user is authenticated and the transaction is approved.
In the future, Mastercard plans to combine the new biometric feature with contactless technology in order to make purchases even more convenient.
The new cards have so far been tested in South Africa by supermarket chain Pick n Pay and Barclays Africa subsidiary Absa Bank. Trials are also being planned for Europe and the Asia Pacific region in the coming months. In the meantime, these cards work at any existing EMV terminal without requiring any software or hardware upgrades.
Tomi Engdahl says:
Arrest of WikiLeaks’s Assange a ‘Priority’: US Top Cop
http://www.securityweek.com/arrest-wikileakss-assange-priority-us-top-cop
The arrest of WikiLeaks founder Julian Assange is a US “priority,” Attorney General Jeff Sessions said Thursday, as media reports indicated his office was preparing charges against the fugitive anti-hero.
“We are going to step up our effort and already are stepping up our efforts on all leaks,” Sessions, America’s top cop, said at a news conference in response to a reporter’s question about a US priority to arrest Assange.
The Justice Department chief said a rash of leaks of sensitive secrets appeared unprecedented.
“This is a matter that’s gone beyond anything I’m aware of. We have professionals that have been in the security business of the United States for many years that are shocked by the number of leaks and some of them are quite serious,” he said.
“Whenever a case can be made, we will seek to put some people in jail.”
Prosecutors in recent weeks have been drafting a memo that looks at charges against Assange and members of WikiLeaks that possibly include conspiracy, theft of government property and violations of the Espionage Act, the Washington Post reported, citing unnamed US officials familiar with the matter.