Year 2017 will not have any turn towards better data security. The internet is rife with such well-known than the unknown threats. The company’s systems are supposed to be protected.Hackers are going to continue to look for new ways to extort and steal information from businesses and organizations, which unfortunately means those businesses and organizations will have to continue to look for new ways to protect themselves.
Critical infrastructure cames under attack in 2017. Critical infrastructures must be better protected from criminals and terrorists who take advantage of modern technologies that are essential for the functioning of society and the economy. IT security functions of industrial control systems (ICS), energy grids and IoT networks needs to be improved in 2017.
There is push for better web security in 2017. Starting New Year’s Day, Google’s Chrome will begin labeling as “insecure” all websites that transmit passwords or ask for credit card details over plain text HTTP. Beginning in January 2017 (Chrome 56), HTTP sites that transmit passwords or credit cards are marked as non-secure, as part of a long-term plan to mark all HTTP sites as non-secure.
SHA-1 is insecure. Starting on Jan 1, 2017, most CAs will migrate to SHA-2 certificates, and major browser makers have already announced plans to adopt the change, including Microsoft, Google, and Mozilla. Their browsers will no longer trust sites that use SHA-1 starting with that date, and they will mark these websites as insecure. 1/3 of Websites Use SHA-1 Certificates Despite Looming Deadline. SHA-1 will still hang around, like a fart in a spacesuit, for many years to come because some people are lazy enough not to make the change.
There will be changes in how security is viewed in 2017 by businesses. We will likely see cloud adoption continue to grow across the United States, network visibility will no longer just be an option, AI and machine learning will shake old security models, and IoT-powered attacks will continue to rise. All of this will factor into how businesses set up, monitor and secure their networks.
The Commoditization of Cyberattacks Will Make Them More Frequent in 2017. More and more companies suffer from disruption to business due to cyber attacks. Cyber-attacks cause companies significant financial losses, but the studies shows that companies are not prepared for attacks. According to Gartner, by 2018 only 40 per cent of large companies have official plans in case of cyber attacks. Last year, the percentage was zero.
Strap yourself in for a bumpy ride in 2017. 2016 sucked. 2017 won’t be much better, sorry. DDoS attacks have been around since at least 2000, and they’re not going away. In fact, as the number of devices online grows, the volume and velocity of these attacks is also increasing. DDoS attack toolkits have been around for years, as have services that will enable you to pay for an attack. Expect to see more of them. It seems that 2017 promises to be the most dramatic year yet in DDoS conflict. Whale-sized DDoS attacks will increase, the IoT will become a bigger factor in DDoS and DDoS will overshadow ransomware attacks and is used for extortion. Expect to see the Internet of Things (IoT) and other connected devices play an important part in these attacks.
Biometric identification will become more common in 2017, but it will not replace passwords. Fingerprint identification has become increasingly common in smartphones and already the technology is fast and reliable. This year biometric identification devices were sold for 4.5 billion dollars (most of them go to smart phones and laptops). 91 percent of biometric sales were fingerprint sensors, four per cent of face detection and three per cent iris detection.
Biometrics Won’t Kill Passwords any time soon. Even though PIN codes and passwords are actually pretty lousy protection case against skilled cybercriminal, the password will never disappear entirely, as two per cent of the world’s population is persons with a fingerprint not suitable for biometric identifier to work. Other biometric identification systems have also similar limitations and/or are not yet commonly available at reasonable cost. While biometrics, including fingerprint-, face-, iris-, palm- and speech-recognition, will continue to grow as a more secure substitute for passwords, they will not render passwords obsolete. Until the other common biometrics become commonplace, passwords are here to stay until circa 2030.
Fights with encryption and backdoors for them is not over in 2017. Many public figures in law enforcement have consistently argued that device encryption presents a new threat to police powers of investigation. On the other side House Judiciary Committee’s Encryption Working Group report says encryption backdoors pose a security threat, siding with tech experts in their latest report . The problem is that any system allowing police to get into those encrypted system (let it be phone, computer or communications) could also be exploited by criminals. Any action in this space should weigh any short-term benefits against the longterm impacts. Many industry experts will rightly tell you there is no such thing as partial data encryption. You either have a fully capable system or none at all.
Given the security events of 2016, coupled with the rapid advancements and adoption of cloud computing, 2017 will be the year in which many finally accept that network infrastructure and security will have to be rethought from the ground up. In 2017 the cloud will become a risk for users: The cloud becoming insecure – extortion and IoT openings.
The rivalry between the network attacks and network security is in acceleration. Crippling Internet services with denial of service attacks are becoming more common throughout the world. DDoS attacks have been around since at least 2000, and they’re not going away. In fact, as the number of devices online grows, the volume and velocity of these attacks is also increasing. IoT-powered attacks will continue to rise and stopping the attack is not easy. For most companies the key thing is that the attack traffic is stopped before it reaches the company’s Internet connection or servers (needs to use telecom operator and external services increase). In addition to service disturbion Denial of Service Attacks are often used as distraction during the actual data burglary.DDoS may take over from ransomware as a cause for concern.
In 2017 the IT and security professionals talk about more about business risks. Historically, firewalls, DLP, antivirus, SIEM and other technical point solutions have been the centerpiece of security conversations, but the mindset is slowly shifting from technology to risk. The goal of stopping all attacks and preventing all business impact has been recognized as a fool’s errand, and has shifted to measuring risk and minimizing business impacts. Cyber security is increasingly being viewed as a risk management problem.
In 2017 ‘Security’ Must be Added to our Existing Ethical and Philosophic Concerns Over Artificial Intelligence and Algorithms. Algorithms soon run the world. They present problems that are seriously questioned on both ethical and philosophic grounds; and they have become the basis of fictional Armageddons.
Cyber insurance will be more thoughs as on solution for handling cyber risks in 2017. The global cyber insurance market is expected to generate $14 billion by 2022, according to a new report published by Allied Market Research (AMR). That figure represents an impressive compound annual growth rate (CAGR) of nearly 28% from 2016 to 2022.
In 2017 Big Brother will be watching you 24/7.Those of you who’ve read George Orwell’s book 1984 or seen the movie ,will remember how the citizens of the fictitious totalitarian state of Oceana are constantly under surveillance by order of its dictator, Big Brother. So now swap your home desktop computer, laptop or smart phone for the fictitious telescreen and not only are you sitting in front of what is a modern day version of the Big Brother telescreen you are also walking around with one in your pocket or handbag. Sound a bit far fetched to you? Well it’s set to become a reality in many countries.
Users will want better security or at least to feell more secure in 2017. Many people are prepared to to extremes for better security. According to a recent survey of over 2,000 adults conducted by Harris Poll Nearly 40% of Americans Would Give Up Sex for a Year or eating their favourite food in Exchange for Better Online Securit, meant they’d never have to worry about being hacked. When you consider that 87 percent of U.S. adults use the internet, it makes sense that cyber security is one of the biggest concerns today. The single biggest thing people can do to help keep their online identity safe is probably the easiest – a solid password – and not giving it to other people. Still nearly 50% of people have shared a password to an e-mail account or to an account like Netflix.
Security Becomes A Multi-System Issue and more people talking about the issue. Design teams will have to bake strategies in from the start, no matter how insignificant the device.The good news is that it more people talking about the issue. The real challenge is packing enough security features into designs to prevent security breaches of every sort, including those that can come from other electronics that weren’t even considered as part of the design process. Just as devices get more sophisticated, so do hackers.The reality is that security breaches can even cause physical harm. It’s time to look at this at a multi-system, multi-disciplinary level. Otherwise, we literally could be playing with fire.
Block chains have been a big trend for several years. The block chain market is divided now when 2017 starts. During the autumn 2016, we have seen a number of initiatives on cooperation between the financial sector and consulting companies. Microsoft has chosen a platform for Ethereum-block chain and offers it to the Azure cloud service. IBM has jumped Hyperledger consortium bandwagon and offering their own block chains to Bluemix service. Google and Amazon still shine by their absence. Even banks may prefer to see the use of cloud for the block chains.
Other prediction articles worth to look:
What Lies Ahead for Cybersecurity in 2017?
Network Infrastructure, Visibility and Security in 2017
DDoS in 2017: Strap yourself in for a bumpy ride
Cybersecurity Industry Outlook: 2017 to 2021 | CSO Online
IBM’s Cybersecurity Predictions for 2017 – eForensics
https://eforensicsmag.com/ibms-cybersecurity-predictions-2017/
Top 5 Cybersecurity Threats to Watch Out for in 2017
Experts Hopeful as Confidence in Risk Assessment Falls
3,151 Comments
Tomi Engdahl says:
You Should Automate These Security Functions Now
http://www.securityweek.com/you-should-automate-these-security-functions-now
To help enterprises get the most of automation from a security perspective (and not break anything!), I’ve compiled the top security functions to automate today and what not to (yet).
Automate it today:
• Threat sharing: When the network is attacked, you need to know about it immediately – period. Relying on human threat monitoring is an antiquated and inefficient method to protect against attacks.
• Security updates: Automatically pushing security updates to protect against known vulnerabilities, especially ones that are rated at critical or high severity levels, is a straightforward operation that you should immediately automate.
Security functions that still need humans:
• Policy decisions: While automating policy delivery is a key step towards securing the network, knowing when to push the policies requires a level of nuance that a machine can’t determine on its own.
• Threat Modeling: While there are several tools that can help companies effectively threat model a new product or new corporate environment, it requires thoughtful analysis. Understanding, what is being deployed and the potential attack vectors requires critical thought by someone with knowledge of the application being secured.
Tomi Engdahl says:
Security Architecture: The Inherent Value of Transparency and Diagnostics
http://www.securityweek.com/security-architecture-inherent-value-transparency-and-diagnostics
Shining a light onto the security apparatus is the first step – providing transparency and answers to some very basic questions, including:
• How efficiently are the products in my security architecture doing the job they were bought to do, per the security risk?
• How accurate is each product or service?
• Are the products really meeting my business security compliance requirements (e.g., HIPPA, PCI DSS, etc.)?
• Can I break down my security apparatus and “see” each product’s contribution, and criticality, for the organization in terms of the cyber-kill-chain stages?
• What would have happened if I had disabled a product?
Once we have the answers to these questions, we are much better equipped to plan the most efficient and effective security posture for the organization. The positive impact on ROI cannot be overstated. It is likely that every medium-large organization is paying for dozens of products and services that are redundant, outdated, or underperforming. Transparency and diagnostics can give clear answers, enabling the organization to streamline, prioritize and cut out the unnecessary fat.
Here are some feasible approaches that can bring high quality diagnostic results:
• Security Analytics Systems – There are various security analytics solutions today that claim to be able to collect all security events from security tools and “connect the dots” in order to find out if a real attack campaign is on its way – separating noise from real effecting security events. If these systems could also provide us a break-down of “true” events vs. the noise per each security vendor, this would provide CISOs with the required visibility into tools’ effectiveness.
• Kill-chain Effectiveness – It is an industry fact that some tools are better in certain types of attack vectors and are dysfunctional in others, and this can actually change over time. Associating the security events each tool generates with the various kill-chain stages can help CISOs understand where each tool can contribute to the organization, then identify gaps and prioritize the tools accordingly.
• Mix-and-match Simulation – One of the “dreams” of any CISO is to be able to simulate ‘what-if’ scenarios that would test various combinations of security tools and vendors, working together in order to detect, investigate and mitigate types of advanced attack campaigns, and be provided with a “quality score”, an index that compares the different tools. We are not there yet, but the emerging field of security orchestration technologies seem to be on the right track to finally achieving this .
Tomi Engdahl says:
If the CIA Isn’t Secure, Who Is?
http://www.securityweek.com/if-cia-isnt-secure-who
The More Pervasive Transparency is Into the Network, the Better the Chances of Early Detection
Whether you’ve been hacked already or not, your chances of cruising through “connected” life unscathed are about as thin as a Seattle mixologist’s mustache these days. And that’s pretty scary—in more than one way.
Think about it. The CIA conducts extensive background investigations. It requires polygraph examinations to gain a security clearance and determine eligibility for access to classified information. I mean, I saw Meet the Parents. The applicant-screening process looks foolproof.
And yet, by all indications, a malicious insider still made off with a boatload of secret CIA hacking tools.
The Devil Inside
It’s worrisome that our intelligence agencies can’t protect themselves from insider threats and scandal. But as reported by Reuters, “Government agencies estimate that there is one insider threat for every 6,000 to 8,000 employees.” Even if some quick math makes the percentage of possible threats seem low, think about the fact that federal, state, and local government employs about 22 million people. One bad breach alone can have far-reaching repercussions.
Keeping Abreast of Network Activity
Again, as evidenced by the CIA hack, sometimes, no matter how prepared you try to be, no matter how many policies and procedures you’ve put in place, no matter how healthy you try to stay, bad stuff can still happen.
Tools need context to differentiate between good and bad. In other words, they need 100 percent visibility into traffic traversing the network. Without it, a malware protection tool can’t determine if an executable is good or bad; a data loss protection tool can’t decide if a document should be allowed to leave a network. And really, what’s the use of having a tool if you can’t provide it the traffic it needs to do its job?
The better and more pervasive transparency is into the network, the better the chances of early detection. If you can catch a bad guy before he’s had a chance to manipulate or exfiltrate data (Stage 0), your business will be in much better shape than if he’s already invaded every system, absconded with the crown jewels, and left you with nothing but a red skull flashing on your screen (stage 4).
You always think it’s not going to be you. That you won’t get hacked. That bad stuff happens to other companies, other people. Sooner or later though, your turn may come. First, will you be able to recognize it when it does? And, perhaps more important, be able to react appropriately?
Tomi Engdahl says:
There’s now a tool to test for NSA spyware
A script that detects a related code implant has shown as many as 100,000 systems worldwide may be infected
http://www.pcworld.com/article/3191728/security/theres-now-a-tool-to-test-for-nsa-spyware.html
Has your computer been infected with a suspected NSA spying implant? A security researcher has come up with a free tool that can tell.
Luke Jennings of security firm Countercept wrote a script in response to last week’s high-profile leak of cyberweapons that some researchers believe are from the U.S. National Security Agency. It’s designed to detect an implant called Doublepulsar, which is delivered by many of the Windows-based exploits found in the leak and can be used to load other malware.
The script, which requires some programming skill to use, is available for download on GitHub.
A python2 script for processing a PCAP file to decrypt C2 traffic sent to DOUBLEPULSAR implant
https://github.com/countercept/doublepulsar-c2-traffic-decryptor
Tomi Engdahl says:
Did the CIA hack you? Wikileaks leak may allow antivirus vendors to tell
http://www.pcworld.com/article/3178072/security/cia-made-malware-now-antivirus-vendors-can-find-out.html
Security researchers are concerned that WikiLeaks may have mislead the public with the CIA document dump.
WikiLeaks has redacted the actual source code from the files to prevent the distribution of cyber weapons, it said. Nevertheless, the document dump—if real—still exposes some of the techniques that the CIA has allegedly been using.
Among those techniques are ways to bypass antivirus software from vendors including Avira, Bitdefender and Comodo, according to some of the leaked documents.
The documents even include some snippets of code that antivirus vendors can use to detect whether a hacking attempt may have come from the CIA, said Jake Williams, founder of security company Rendition InfoSec.
“In the documents, they (the CIA) mention specific code snippets used in operational tools,” Williams said. Antivirus vendors can use this to look at their customers’ networks for any traces of past intrusions.
That might be a big blow to the CIA’s surveillance operations. Now anyone, including foreign governments, can use the WikiLeaks dump to figure out if the CIA ever targeted them, according to Williams.
“I would bet my bank account that the hackers of the CIA have spent all day trying to remove their tools from high value networks,” he said.
Tomi Engdahl says:
Computer hacker Adam Mudd attacked gaming websites
http://www.bbc.com/news/uk-england-beds-bucks-herts-39666593
A teenager made about £360,000 by creating computer hacking software which cost universities, gaming websites and other businesses millions of pounds, a court has heard.
Adam Mudd, 20, of Hertfordshire, has already admitted offences under the Computer Misuse Act.
The Old Bailey heard he lives with his parents and the crimes were about “status”.
He is expected to be sentenced next week.
The court heard Mudd created the Titanium Stresser “malware” in 2013, when he was 16 years old, and sold it to cyber criminals across the world.
The programme had 112,000 registered users who were responsible for about 1.7 million “distributed denial of service” attacks on websites, including gaming sites such as RuneScape, Minecraft and Xbox Live.
The court heard there were about 25,000 attacks on RuneScape and the company which owns it spent £6m trying to defend itself.
Prosecutors said Mudd carried out 594 attacks himself
Tomi Engdahl says:
The Threat to Critical Infrastructure – Growing Right Beneath Our Eyes
http://www.securityweek.com/threat-critical-infrastructure-growing-right-beneath-our-eyes
Nation-States do Not Fear Reprisal and are Likely to use ICS Artacks as a Component of Geo-Political Conflict
I’ve working in Industrial Control Systems (ICS) security for years and I’ve had conversations with hundreds of IT security and OT/ICS network practitioners. I’ve talked with them about the need to drive better security strategies for their industrial networks, gain deeper visibility, implement stronger defenses, and bridge the collaboration gap between security teams and the shop floor. My early conversations left me concerned as there didn’t seem to be much recognition of a problem. Increasingly, we’ve been met with a more encouraging amount of agreement in those discussions – from energy, to manufacturing, to oil and gas and so on – a majority understand they have serious problems to fix but we’d estimate only roughly 50% of those are prioritizing their resources to fix them.
What of the remaining 50%? They fall into two categories:
A. They don’t understand the level of exposure of their ICS networks/have a false sense of security. Unlike IT networks where dozens of security technologies are deployed/reporting back on activity, ICS networks are generally a blind spot for Security teams.
B. They think the risk is still hypothetical / doesn’t warrant a priority focus over the dozens of IT Security projects they need to tackle because the volume of attacks pales in comparison to the noisy IT domain.
To a degree, when using this attack based calculus, these folks aren’t – or, better phrased, weren’t wrong. The daily barrage of attacks from all angles and from all adversaries isn’t a reality in ICS…yet. Clearly, there are major gaps that need to be filled on the IT side to drive better security – and as a result, this needs to be a priority. But where the argument falls apart rather quickly is when we do the math – literally! The only way to adequately prioritize activities is to calculate the risk. I’ve attempted this below by using the cyber risk framework outlined in NIST 800-82, taking into account the rapidly evolving ICS threat landscape, and measuring the consequence (impact) of attacks on these networks against those felt in the IT domain.
Industrial Control Systems Risk = t v x(tv) where t = threat, v = vulnerability and x(tv) = consequence of the threat successfully exploiting the vulnerability
Let’s Start with Consequence (Impact):
One could argue rather reasonably that the ‘cat and mouse’ or ‘whack-a-mole’ approach to IT security that we’ve relied upon for the past 10-20 years has been ‘effective enough.’
In ICS, we aren’t talking about data theft, we’re not talking about micro-level impact where individuals, companies or certain Government agencies/agendas are impacted – we’re talking about a macro level issue related to the potential disruption of essential services that drive the global economy and support day to day life. We cannot afford to rely on the same (sub)standard we used in IT Security over the past 10 years.
et’s look at Vulnerability Next:
In the context of ICS, it is more meaningful to assess “attack surface exposure” of which vulnerabilities are just one aspect. We need to understand that there is inherent exposure due to some serious systemic issues:
1. There are many unique ICS threat vectors due to:
• Flat networks
• Legacy systems which can be 20-30 years old / systems shipped without security as a focus
- Many of these systems are ‘end of life’
- New systems are being shipped on insecure, ‘end of life’ operating systems like WinXP
• Increasing interconnectivity
• Poor remote access designs/remote access allowed for multiple vendors
2. There is basic or completely missing cyber hygiene in ICS networks compared to what we expect in IT.
3. Vulnerabilities
• Many vulnerabilities don’t have patches (or the gear is end of life) – consider a 2016 FireEye Report which found that 33% of the 1,552 known vulnerabilities analyzed had no patch at the time of disclosure
• Many systems cannot be patched because of uptime requirements on the shop floor – consider a 2016 Kaspersky study which looked at patching in ICS and found that for one widely used vendor, “the proportion of the vendor’s software with unpatched vulnerabilities…could range between 17% and 93%.”
The “red lines” that conventional wisdom once held would prevent disruptive or destructive attacks against critical infrastructure have now been crossed numerous times, and we can safely assume they will be again.
Tomi Engdahl says:
Denmark Says Russia Hacked Defense Ministry Emails
http://www.securityweek.com/denmark-says-russia-hacked-defense-ministry-emails
Denmark on Monday denounced Moscow’s “aggressive” behavior after a report accused Russian hackers of infiltrating the defense ministry’s email accounts.
“This is part of a continuing war from the Russian side in this field, where we are seeing a very aggressive Russia,” Defense Minister Claus Hjort Frederiksen told Danish news agency Ritzau.
A report published Sunday by the Centre for Cyber Security accused a group of pro-Kremlin hackers of breaking into the emails of defense ministry employees in 2015 and 2016.
“The hacked emails don’t contain military secrets, but it is of course serious,”
Tomi Engdahl says:
Tanium Blasted for Using California Hospital Network for Sales Demos
http://www.securityweek.com/tanium-blasted-using-california-hospital-network-sales-demos
Tanium Accused of Exposing California Hospital’s Network in Sales Demos Without Client Permission
“For years, cybersecurity startup Tanium Inc. pitched its software by showing it working in the network of a hospital it said was a client…” wrote the WSJ. The problem here is that the demo was live and uncensored, giving out details of the client’s name (the El Camino Hospital in Mountain View, California) and IT infrastructure, apparently without authorization to do so.
‘Start-up’ is a misleading description: Tanium is neither new (it was founded ten years ago), nor small (it was last valued at $3.5 billion). It has, however, been growing rapidly; and that might be part of the problem.
“When you start to develop a new product,” Stuart Okin, SVP of Product at 1E told SecurityWeek, “the very first thing you do is solve the problem of how you are going to demonstrate it.”
Okin’s solution was to develop an in-house emulator using virtual machines. Tanium doesn’t seem to have had such a plan. Exactly what happened isn’t clear, beyond that Tanium seems to have had a direct link into the hospital’s system and was able to demonstrate the product in action, live.
In doing so, viewers would have been able to discover information about the network’s infrastructure and its strengths and weaknesses — knowledge that would have been invaluable to a potential attacker. In his letter, Hindawi acknowledges mistakes. Without mentioning El Camino, he writes, “We should have done better anonymizing that customer’s data.”
Tomi Engdahl says:
Cardinal RAT Remained Hidden for Two Years
http://www.securityweek.com/cardinal-rat-remained-hidden-two-years
A recently discovered remote access Trojan (RAT) that abuses Excel macros in an innovative way has been active for more than two years, Palo Alto Networks security researchers reveal.
Dubbed Cardinal RAT, the malware had a very low volume over the two-year timeframe, with only 27 total samples found to date. The manner in which the threat is delivered, however, is both innovative and unique: malicious macros in Microsoft Excel documents are used to compile embedded C# (C Sharp) source code into an executable that downloads the RAT.
Tomi Engdahl says:
Hardcoded Credentials Give Attackers Full Access to Moxa APs
http://www.securityweek.com/hardcoded-credentials-give-attackers-full-access-moxa-aps
Taiwan-based industrial networking, computing and automation solutions provider Moxa has released an update for some of its wireless access points (APs) to address a critical vulnerability that can be exploited by hackers to gain complete control of affected devices.
Researchers at Cisco’s Talos intelligence and research group have analyzed Moxa’s AWK-3131A AP/bridge/client product, which is recommended for any type of industrial wireless application, and discovered hardcoded credentials corresponding to an account that cannot be disabled or removed.
Tomi Engdahl says:
Locky Ransomware Returns in New Necurs-driven Campaign
http://www.securityweek.com/locky-ransomware-returns-new-necurs-driven-campaign
Locky was the dominant ransomware in 2016, but was less active in the first quarter of 2017. Now the threat is back with a new Necurs-driven campaign, which was first spotted on April 21. Necurs is a major botnet with estimates last year of up to 1.7 million captive computers.
Tomi Engdahl says:
Matthew Hughes / The Next Web:
Atlassian’s messaging platform HipChat hacked over weekend: names, email addresses, and hashed passwords may have been exposed — Over the weekend, an unknown intruder broke into HipChat, the Atlassian-owned team communication platform, and made off with a significant amount of data.
Hipchat was hacked over the weekend, and it’s bad
https://thenextweb.com/insider/2017/04/24/hipchat-hacked-weekend-bad/
Over the weekend, an unknown intruder broke into HipChat, the Atlassian-owned team communication platform, and made off with a significant amount of data.
According to a security notice published on the HipChat blog, the attacker was able to access user-account information, including names, email addresses, and hashed passwords.
He also noted that the attacker did not access user financial or credit card information.
But here’s where it takes a turn for the worse, as in a small number of instances (around 0.05 percent), the attacker was able to access messages and content within rooms.
In the other 99.95 percent of instances, it’s possible the attacker accessed room metadata. This isn’t great either. You can glean a lot from metadata.
In response to the breach, the company is taking several proactive steps. The company has invalidated passwords on all HipChat-connected accounts believed to be affected, and emailed password reset instructions.
Hipchat is also trying to solve the issue that lead to this catastrophic break-in. The issue lies in a third-party library, which contained an unpatched security vulnerability. Atlassian is currently working on a fix.
Tomi Engdahl says:
China ‘hacked’ South Korea to wreck Star Wars missile shield
FireEye fingers Middle Kingdom infiltration teams
https://www.theregister.co.uk/2017/04/21/china_accused_south_korea_hack/
Tomi Engdahl says:
Wall Street IT Engineer Hacks Employer to See If He Will Be Let Go
https://www.bleepingcomputer.com/news/security/wall-street-it-engineer-hacks-employer-to-see-if-he-will-be-let-go/
On Friday, April 7, the FBI arrested Zhengquan Zhang, a 31-year-old IT engineer, who now stands accused of installing malware on his employer’s servers to steal proprietary source.
Among Zhang’s duties, according to his LinkedIn page and an FBI affidavit, the suspect was tasked with managing the source code of KCG’s trading platform and the trading algorithms the company used to automate some of its financial transactions.
This investigation revealed that starting December 2016, when Zhang was promoted to his supervisor role, the suspect installed malware on the company’s servers to record credentials for other users.
Tomi Engdahl says:
>10,000 Windows computers may be infected by advanced NSA backdoor
Did script kiddies use DoublePulsar code released by NSA-leaking Shadow Brokers?
https://arstechnica.com/security/2017/04/10000-windows-computers-may-be-infected-by-advanced-nsa-backdoor/
Security experts believe that tens of thousands of Windows computers may have been infected by a highly advanced National Security Agency backdoor. The NSA backdoor was included in last week’s leak by the mysterious group known as Shadow Brokers.
DoublePulsar, as the NSA implant is code-named, was detected on more than 107,000 computers in one Internet scan.
Tomi Engdahl says:
Are we ready to bid the SIEM farewell?
Shortcomings in the SIEM technology and the next-gen technology intended to replace the existing tools
http://www.csoonline.com/article/3189759/data-protection/are-we-ready-to-bid-the-siem-farewell.html
At this year’s Infiltrate Security Conference in Miami, John Grigg walked the audience through a common target network where a known and commonly used SIEM had been integrated in order to show participants how to exploit onto the SIEM, find intel, and cover their tracks.
Though SIEM technologies are supposed to help secure the networks, Grigg said that they are often misconfigured, which creates more vulnerabilities.
Even though some of the legacy tools are pretty cool, Grigg said the problem is that no one really knows the platform that well. “The vendor who built it knows it from a design standpoint. Then there’s the re-selllers, the guys who install it, the internal IT guys who inherit the systems, but they tend to never really focus on it.”
By the time they have called in an expert to help fix a problem, they are at least a few degrees of separation away from the people who know the product.
Tomi Engdahl says:
There’s now a tool to test for NSA spyware
A script that detects a related code implant has shown as many as 100,000 systems worldwide may be infected
http://www.pcworld.com/article/3191728/security/theres-now-a-tool-to-test-for-nsa-spyware.html
A python2 script for processing a PCAP file to decrypt C2 traffic sent to DOUBLEPULSAR implant
https://github.com/countercept/doublepulsar-c2-traffic-decryptor
Tomi Engdahl says:
Kremlin-backed DNC hackers going after French presidential hopeful Macron
Everyone, everything’s a target for mysterious APT28 crew
https://www.theregister.co.uk/2017/04/25/apt28_macron_hack/
The Russian cyberespionage group blamed for the infamous US Democratic National Committee email leak launched targeted phishing attacks against French presidential candidate Emmanuel Macron’s campaign as recently as last month.
Security researchers at Trend Micro warn that the APT28 crew have also targeted Germany’s Christian Democratic Union (the party of Chancellor Angela Merkel).
The group is creating highly sophisticated phishing emails, almost perfectly replicating legitimate URLs and using a technique called “tabnabbing”, which swaps inactive open tabs with an illegitimate site. APT28 (AKA Pawn Storm or Fancy Bear) often posed as hacktivists in order to trick media into publishing compromised data, such as email spools.
Tomi Engdahl says:
Ex-NSA techies launch data governance tool for future algorithm-slavery
Immuta debuts Projects for machine learning governance, ‘interpretability is key’ – CEO
https://www.theregister.co.uk/2017/04/25/immuta_data_governance_tool/
Immuta, a data governance startup in Maryland run by former US National Security Agency technicians, has developed a method to govern how data is used by machine learning algorithms.
Dubbed “Projects,” the new addition to Immuta’s data governance platform embeds what the company considers “key GDPR [EU's General Data Protection Regulation] concepts, such as purpose-based restrictions and audits on data,” which will allow data scientists to run complicated algorithms on data without breaching privacy laws.
Tomi Engdahl says:
Samuel Gibbs / The Guardian:
Thai man broadcasts killing his 11-month-old child with Facebook Live; the two clips were taken down after 24 hours, garnering 112K and 258K views respectively
Facebook under pressure after man livestreams killing of his daughter
https://www.theguardian.com/technology/2017/apr/25/facebook-thailand-man-livestreams-killing-daughter
Distressing footage of murder of 11-month old in Thailand was accessible to Facebook users for approximately 24 hours before being taken down
A Facebook spokesperson said: “This is an appalling incident and our hearts go out to the family of the victim. There is absolutely no place for content of this kind on Facebook and it has now been removed.”
A YouTube spokesperson said: “YouTube has clear policies that outline what’s acceptable to post and we quickly remove videos that break our rules when they’re flagged.”
Tomi Engdahl says:
4 tips for disinfecting your data center
http://www.cablinginstall.com/articles/pt/2017/04/4-tips-for-disinfecting-your-data-center.html?cmpid=enl_cim_cimdatacenternewsletter_2017-04-25
Cyberattacks have pretty much become a part of every day life. Security firm ForeScout’s ‘State of Cyber Defense Maturity Report’ found that more than 96 percent of organizations experienced a major IT security breach in the past year.
1. Anti-Virus and Firewalls Are Not Enough – Do you think for a moment that Sony, Target or any of the big financial institutions that have suffered breaches didn’t have firewalls and AV in place?
2. Implement Whitelisting, Add Intrusion Detection – According to McAfee, dynamic application whitelisting strengthens security defenses and helps to prevent malicious software and other unapproved programs from running.
3. Security Analytics – The web should be regarded as a hostile environment filled with predators. As the bad guys are already inside, data center managers should be trying to figure out how to close the timeline to discovery.
4. Boost the Human Perimeter – Perhaps the most important thing to realize is that technology alone will never solve the problem.
Tips for Disinfecting Your Data Center
http://www.datacenterknowledge.com/archives/2017/04/14/tips-disinfecting-data-center/
Cyberattacks have pretty much become a part of every day life. Security firm ForeScout’s State of Cyber Defense Maturity Report found that more than 96 percent of organizations experienced a major IT security breach in the past year. One in six organizations had five or more significant security incidents in the past 12 months, and almost 40 percent had two or more incidents.
“The media reports of stolen information or compromised networks are almost a daily occurrence,” wrote Ray Boisvert, president of I-Sec Integrated Strategies. “The stories are increasingly alarming and the trend line is troublesome.”
Anti-Virus and Firewalls Are Not Enough
Implement Whitelisting, Add Intrusion Detection
Security Analytics
Boost the Human Perimeter
Tomi Engdahl says:
Cisco CIO says automation, analytics fortify, extend life of existing data centers
http://www.cablinginstall.com/articles/pt/2017/04/cisco-cio-says-automation-analytics-fortify-extend-life-of-existing-data-centers.html?cmpid=enl_cim_cimdatacenternewsletter_2017-04-25
Cisco Systems Inc. CIO Guillermo Diaz last week told The Wall Street Journal that a program of automation and network data analytics has extended the capacity of its five remaining data centers, and that the company won’t need to build a new one for at least seven years.
Tomi Engdahl says:
Chipotle Investigating Payment Card Breach
http://www.securityweek.com/chipotle-investigating-payment-card-breach
Fast-casual restaurant chain Chipotle Mexican Grill, which has more than 2,000 locations in the United States and other countries, informed customers on Tuesday that its payment processing systems have been breached.
Chipotle said it recently detected unauthorized activity on the network that supports payment processing for its restaurants.
Tomi Engdahl says:
Flaws in Hyundai App Allowed Hackers to Steal Cars
http://www.securityweek.com/flaws-hyundai-app-allowed-hackers-steal-cars
South Korean carmaker Hyundai has released updates for its Blue Link mobile applications to address vulnerabilities that could have been exploited by hackers to locate, unlock and start vehicles.
The Blue Link application, available for both iOS and Android devices, allows users to remotely access and monitor their car. The list of features provided by the app includes remote engine start, cabin temperature control, stolen vehicle recovery, remote locking and unlocking, vehicle health reports, and automatic collision notifications.
Researchers at security firm Rapid7 discovered that the app had two potentially serious flaws related to a log transmission feature introduced in December 2016.
Tomi Engdahl says:
Gabriela Vatu / Softpedia News:
FalseGuide botnet malware, hidden in over 40 fake game companion guides, may have infected ~2M Android devices; apps have been removed from Google Play
FalseGuide Malware in Play Store Infects 2M Users, Forces Phones to Join Botnet
Dozens of infected apps went under Google’s radar
http://news.softpedia.com/news/falseguide-malware-installed-by-600k-android-users-forces-phones-to-join-botnet-515155.shtml
About 600,000 Android users have mistakenly installed malware on their devices straight from Google Play, the company’s official app store.
According to cybersecurity researchers from Check Point, the malware was hidden in more than 40 fake companion guide apps for popular games, such as Pokemon GO and FIFA Mobile, which led to the malware’s name being FalseGuide.
While originally it was believed the oldest fake guide to hit Google Play was uploaded in February this year, making this a recent campaign, the researchers went a little deeper and discovered additional apps from back in November 2016.
FalseGuide was believed to have infected north of 600,000 users, but the number now sits at 2 million Android users, all of whom have mistakenly downloaded and installed malware on their devices while seeking guides for their favorite games.
After infection, FalseGuide creates a silent botnet out of the infected devices for adware purposes.
Tomi Engdahl says:
An Analog Charge Pump Fabrication-Time Attack Compromises A Processor
http://hackaday.com/2017/04/25/an-analog-charge-pump-fabrication-time-attack-compromises-a-processor/
We will all be used to malicious software, computers and operating systems compromised by viruses, worms, or Trojans. It has become a fact of life, and a whole industry of virus checking software exists to help users defend against it.
Underlying our concerns about malicious software is an assumption that the hardware is inviolate, the computer itself can not be inherently compromised. It’s a false one though, as it is perfectly possible for a processor or other integrated circuit to have a malicious function included in its fabrication. You might think that such functions would not be included by a reputable chip manufacturer, and you’d be right. Unfortunately though because the high cost of chip fabrication means that the semiconductor industry is a web of third-party fabrication houses, there are many opportunities during which extra components can be inserted before the chips are manufactured. University of Michigan researchers have produced a paper on the subject (PDF) detailing a particularly clever attack on a processor that minimizes the number of components required through clever use of a FET gate in a capacitive charge pump.
On-chip backdoors have to be physically stealthy, difficult to trigger accidentally, and easy to trigger by those in the know. Their designers will find a line that changes logic state rarely, and enact a counter on it such that when they trigger it to change state a certain number of times that would never happen accidentally, the exploit is triggered. In the past these counters have been traditional logic circuitry
The University of Michigan backdoor is not a counter but an analog charge pump. Every time its input is toggled, a small amount of charge is stored on the capacitor formed by the gate of a transistor, and eventually its voltage reaches a logic level such that an attack circuit can be triggered. They attached it to the divide-by-zero flag line of an OR1200 open-source processor, from which they could easily trigger it by repeatedly dividing by zero.
http://static1.1.sqspcdn.com/static/f/543048/26931843/1464016046717/A2_SP_2016.pdf
Tomi Engdahl says:
Teenage hacker jailed for masterminding attacks on Sony and Microsoft
https://www.theguardian.com/technology/2017/apr/25/teenage-hacker-adam-mudd-jailed-masterminding-attacks-sony-microsoft?CMP=twt_gu
Adam Mudd jailed for two years for creating attack-for-hire business responsible for more than 1.7m breaches worldwide
A man has been jailed for two years for setting up a computer hacking business that caused chaos worldwide.
Adam Mudd was 16 when he created the Titanium Stresser program, which carried out more than 1.7m attacks on websites including Minecraft, Xbox Live and Microsoft and TeamSpeak, a chat tool for gamers.
He earned the equivalent of more than £386,000 in US dollars and bitcoins from selling the program to cybercriminals.
Mudd pleaded guilty and was sentenced at the Old Bailey.
The court heard that Mudd, who lived with his parents, had previously undiagnosed Asperger syndrome and was more interested in status in the online gaming community than the money.
The court heard that the defendant, now 20, carried out 594 of the distributed denial of service (DDoS) attacks against 181 IP addresses between December 2013 and March 2015.
He admitted to security breaches against his college while he was studying computer science. The attacks on West Herts College crashed the network, cost about £2,000 to investigate and caused “incalculable” damage to productivity, the court heard.
Tomi Engdahl says:
Selling Media Players With Pirate Add-ons is Illegal, Says Top EU Adviser
https://torrentfreak.com/selling-mediaplayers-with-pirate-add-ons-is-illegal-161208/
Selling media players with pirate add-ons violates EU law, according to a recommendation from Advocate General Campos Sánchez-Bordona. He issued the advice in a landmark case over the legality of pre-loaded XBMC/Kodi devices, which are widely sold across Europe. Whether users of these players also liable depends on whether they know that the content is infringing.
Online streaming continues to gain in popularity, both from authorized and pirate sources.
Particularly popular are Kodi-powered applications or set-top boxes. While Kodi itself is a neutral platform, there are lots of add-ons available that turn it into a pirate’s heaven.
In Europe, the European Court of Justice is currently handling a landmark case that should provide more clarity on the legality of set-top boxes that are sold with “links” to infringing content.
The issue was raised in a case between Dutch anti-piracy group BREIN and the Filmspeler.nl store, which sells “piracy configured” media players. While these devices don’t ‘host’ any infringing content, they ship with add-ons that make it very easy to watch infringing content.
The sale of a multimedia player which enables films that are available illegally on the internet to be
viewed easily and for free on a television screen could constitute an infringement of copyright
http://curia.europa.eu/jcms/upload/docs/application/pdf/2017-04/cp170040en.pdf
Tomi Engdahl says:
How leaked NSA spy tools created a hacking free-for-all
http://money.cnn.com/2017/04/25/technology/nsa-doublepulsar-hacking-tool/
Hackers have compromised thousands of computers around the world with a government-grade spy tool.
A backdoor published in a trove of leaked NSA hacking tools is being loaded onto vulnerable Windows computers. The attacks demonstrate what happens when people fail to regularly update their machines.
The hacks were leaked almost two weeks ago by the anonymous Shadow Brokers group and contain a backdoor called DOUBLEPULSAR. It can be remotely installed on Windows machines that have not been patched since March. This allows hackers to take over the computers and execute tasks as if they were the computer’s administrator.
As of Monday, there are over 144,000 machines infected with this backdoor, according to research from Dan Tentler, founder and CEO of The Phobos Group security firm. Tentler built a tool to scan the internet for Windows machines vulnerable to the backdoor, and says the number is steadily climbing. He estimates between 200,000 and 300,000 could be infected by the end of the week.
NSA’s powerful Windows hacking tools leaked online
http://money.cnn.com/2017/04/14/technology/windows-exploits-shadow-brokers/index.html
A hacking group has dumped a collection of spy tools allegedly used by the National Security Agency online. Experts say they are damaging.
The exploits, published by the Shadow Brokers on Friday, contain vulnerabilities in Windows computers and servers. They may have been used to target a global banking system. One collection of 15 exploits contains at least four Windows hacks that researches have already been able to replicate.
Tomi Engdahl says:
After blitzing FlexiSpy, hackers declare war on all stalkerware makers: ‘We’re coming for you’
App dev ransacked after gang used test/test login, it is claimed
https://www.theregister.co.uk/2017/04/25/hackers_attack_stalkerware_flexispy/
A Brit biz selling surveillance tools that can be installed on phones to spy on spouses, kids, mates or employees has been comprehensively pwned by hackers – who promise similar stalkerware peddlers are next.
The miscreants, supposedly Brazilian and dubbing themselves the Decepticons, have explained how they, allegedly, easily infiltrated FlexiSpy before snatching its source code and other files, and wiping as many servers as they could. That code has now leaked online, and the gang say they are on the warpath.
“We’re just, like, this group of guys, you know? We can hack these people, and we can expose their secrets, but it’s up to everyone to make a difference,” the team said on Monday.
“If you’re a spouseware vendor, we’re coming for you. Stop, rethink your life, kill your company, and be a better person.”
FlexiSpy is one of a number of creepy outfits making a living selling borderline-legal code to people who are paranoid that their significant other is cheating on them, or that their kids or staff are up to no good.
Judging by an analysis of the source obtained by the hackers, once quietly slipped onto a victim’s mobe, the FlexiSpy software silently records incoming and outgoing calls, rifles through text messages, tracks the device’s location, and records interactions with apps like WhatsApp and Tinder. This intelligence is then beamed back to the suspicious spouse or boss.
Basically, it’s a total privacy and psychological nightmare. FlexiSpy offers spyware that runs on Android, iOS, Windows PCs and Apple Macs.
To infiltrate the developer’s servers, the hackers exploited one of the oldest tricks in the book: poor password security.
FlexSpy Application Analysis Part 2
http://www.cybermerchantsofdeath.com/blog/2017/04/23/FlexiSpy-pt2.html
Tomi Engdahl says:
Samsung Smart TV pwnable over Wi-Fi Direct, pentester says
Sammy says trust-known-MACs code is a feature not a bug
https://www.theregister.co.uk/2017/04/26/samsung_smart_tv_wifi_direct_security_flaw/
A security researcher is complaining that Samsung isn’t making a serious response to a vulnerability in its Smart TVs.
The bug, discovered by pen-test outfit Neseso, concerns the televisions’ implementation of Wi-Fi Direct authentication. An attacker only needs to sniff out the MAC address of a trusted device to connect to the TV. From there they potentially enjoy a jump-off point to a target’s network.
Neseso says it’s published its discovery at Full Disclosure because Samsung doesn’t consider it a security risk.
Samsung Smart TV Wi-Fi Direct Improper Authentication
http://seclists.org/fulldisclosure/2017/Apr/101
Tomi Engdahl says:
IBM Watson Now Being Used To Catch Rogue Traders
https://slashdot.org/story/17/04/25/1758207/ibm-watson-now-being-used-to-catch-rogue-traders
Referred to as Watson Financial Services, the new product will become a monitoring tool within companies to search through every trader’s emails and chats, combining it with the trading data on the floor. The objective? To see if there are any correlations between suspicious conversations online and activity that could be construed as rogue trading.
IBM Watson now being used to catch rogue traders
https://www.siliconrepublic.com/machines/ibm-watson-catching-rogue-traders
The power of IBM Watson’s analytical tools is now going to be harnessed within the financial sector to catch rogue traders in action.
The power of IBM Watson’s analytical tools is now going to be harnessed within the financial sector to catch rogue traders in action.
Now, according to the The Wall Street Journal, it is trying its hand at being a detective in the financial sector in order to spot any potential rogue traders.
Referred to as Watson Financial Services, the new product will become a monitoring tool within companies to search through every trader’s emails and chats, combining it with the trading data on the floor.
Tomi Engdahl says:
An Israeli startup armed with $45 million is taking on Google and Apple in the race to sell your personal data
http://nordic.businessinsider.com/otonomo-selling-car-data-2017-4?r=US&IR=T
Israel-based startup Otonomo is capitalizing on the fact that cars, once the symbol of American escapism, are becoming repositories of your personal data.
Cars have only become connected to the internet in the last few years, but sensors to support autonomous driving capabilities and smart infotainment consoles are contributing to an influx of data that the auto industry has never seen before.
McKinsey & Co. predicts car data could become a $750 billion industry by 2030.
So it’s no wonder everyone wants a slice of the pie
“Traditional car manufacturers will be joined by content/service providers, end-to-end mobility providers, infrastructure providers, and insurers in the competition for the connected customer as new services and business models will allow them to access customers in the car and target this new value pool.”
Founded in 2015, Otonomo uses a cloud solution to collect data, organize it, and sell it to third parties. The startup says it works with 9 major automakers
“Google and Apple are the best in the world at monetizing data. They want to do it also in the car and the car guys understand it,” Otonomo CEO and co-founder Ben Volkow told Business Insider. “[Automakers] see us as a strategic partner to help play the same game.”
Tomi Engdahl says:
MasterCard Reveals Next-Generation Card With Built-In Fingerprint Reader
http://interestingengineering.com/mastercard-reveals-next-generation-card-with-built-in-fingerprint-reader/
Major credit card company MasterCard is testing out the “next generation biometric card” that will include a user’s fingerprint onto the card.
The card combines both biometric scanning and the traditional four-digit personal identification number (PIN). At the check out of a store, customers would both place their thumb on a chip while in the card reader. Then, they would type in their PIN. If the PIN matches the thumbprint, the transaction is approved.
The tests happened in South Africa.
“Consumers are increasingly experiencing the convenience and security of biometrics,”
Using biometrics could make thieves getting ahold of credit and debit card purchases much harder.
Tomi Engdahl says:
Mysterious Hajime Botnet Grows to 300,000 IoT Devices: Kaspersky
http://www.securityweek.com/mysterious-hajime-botnet-grows-300000-iot-devices-kaspersky
Hajime, a piece of Internet of Things (IoT) malware that emerged in October 2016, has already ensnared roughly 300,000 devices in a botnet, Kaspersky Lab researchers say.
The malware emerged around the same time the infamous Mirai botnet started making the rounds, and is targeting the same devices that this threat does, but without using them to launch distributed denial of service (DDoS) attacks. Instead, it simply closes some ports to keep the infected devices away from Mirai and similar threats.
What’s certain, however, is that Hajime’s author continues to update the code, as recently made changes were seen in the attack module. At the moment, the worm supports three different attack methods: TR-069 exploitation, Telnet default password attack, and Arris cable modem password of the day attack. The TR-069 exploit was implemented only recently, Kaspersky reveals.
TR-069 (Technical Report 069), a standard published by the Broadband Forum, is used by ISPs to manage modems remotely via TCP port 7547 (some devices use port 5555). By abusing the TR-069 NewNTPServer feature, attackers can execute arbitrary commands on vulnerable devices. Late last year, the TR-069 attack was used to crash nearly 1 million modems from Deutsche Telekom.
Tomi Engdahl says:
Organizations Fail to Maintain Principle of Least Privilege
http://www.securityweek.com/organizations-fail-maintain-principle-least-privilege
Security requires that confidential commercial data is protected; compliance requires the same for personal information. The difficulty for business is the sheer volume of data generated makes it difficult to know where all the data resides, and who has access to it. A new report shows that 47% of analyzed organizations in 2016 had at least 1,000 sensitive files open to every employee; and 22% had 12,000 or more.
These figures come from the Varonis 2016 Data Risk Assessments report.
One of the problems highlighted by Varonis is that organizations fail to maintain the principle of least privilege in their access control. It found a total of 48 million folders, or an average of 20% of all folders, accessible to global groups. “Many data breaches are opportunistic or rudimentary in nature, and many originate from an insider, or an insider whose credentials or system has been hijacked,” warns Varonis. “Excessive user access through global groups is a key failure point for many security and compliance audits.”
That’s not to say that all organizations fail. At one end of the scale, a government entity had only 29 of 290,000 folders open to everyone (with none containing sensitive files); while at the other end, an insurance firm had 35% of 86.4 million folders open to all employees.
Focusing more specifically on ‘sensitive’ files (potentially containing PII, PHI, card details, SSNs and intellectual property), Varonis found a similar range of access. One company in the construction trade had only 0.01% of almost 1000 sensitive files open to the everyone group. Conversely, a banking institution had 80% of more than 245,000 sensitive files accessible to every employee.
Apart from audit and compliance issues, Varonis points to the Panama Papers as an illustration of the dangers. In April 2016, 11.5 million confidential files belonging to the Panama law firm Mossack Fonseca were leaked to a German newspaper, revealing how its clients hid billions of dollars in tax havens.
Tomi Engdahl says:
UK Government Complains After Twitter Cuts Data Access
http://www.securityweek.com/uk-government-complains-after-twitter-cuts-data-access
The British government has complained to Twitter over a block on access to data from the social network, which it was reportedly using to track potential terror attacks, officials said Wednesday.
“The government has protested against this decision and is in ongoing discussions with Twitter to attempt to get access to this data,” a Home Office spokesman said.
Prime Minister Theresa May’s spokesman declined to specify exactly what the data was and why it was important, saying only that “we wish to have access to this information
But he told reporters: “The fight against terrorism is not just one for the police and the security services. Social media and tech companies have a role to play.”
The Daily Telegraph newspaper reported that the government had been tracking terms related to potential terror attacks via a third-party firm, but this had now been blocked.
Tomi Engdahl says:
FTP becoming Forgotten Transfer Protocol as Debian turns it off
Distro download servers are too hard to run and users ignore them anyway
https://www.theregister.co.uk/2017/04/27/debian_to_turn_off_ftp/
Debian is shutting down its public File Transfer Protocol (FTP) services, because hardly anybody uses them any more and they’re hard to operate and maintain.
The reasons are pretty simple: Debian contributor Cédric Boutillier says “FTP servers have no support for caching or acceleration”, which probably means Debian has to throw more hardware at FTP than is sensible. He also notes that most software implementations “have stagnated and are awkward to use and configure…the protocol is inefficient and requires adding awkward kludges to firewalls and load-balancing daemons.”
And then there’s the fact that “usage of the FTP servers is pretty low as our own installer has not offered FTP as a way to access mirrors for over ten years.”
Tomi Engdahl says:
FYI: You can blow Intel-powered broadband modems off the ‘net with a ‘trivial’ packet stream
All too easy to choke enemies’ gateways, it seems
https://www.theregister.co.uk/2017/04/27/intel_puma6_chipset_trivial_to_dos/
Broadband modems using Intel’s bungled Puma 6 chipset can be overloaded and virtually knocked offline by a trivial stream of packets, it is claimed.
Effectively, if there’s someone you don’t like, and they are one of thousands upon thousands of people using a Puma 6-powered home gateway, and you know their IP address, you can kick them off the internet, we’re told.
This week, inquisitive netizens discovered that, when presented with even modest amounts of packets – as little as 1.5Mbps – modems equipped with a Puma 6 can be slowed to a crawl.
According to one engineer who spoke to El Reg on the issue, the flaw would be “trivial” to exploit in the wild and would effectively render the targeted box useless for the duration.
“You send a stream of 200Kbps of TCP, UDP or maybe even ICMP to different port numbers and it has a tiny table to keep track of these and become immd unresponsive. It comes back after you stop,” our tipster explains.
“It can be exploited remotely and there is no way to mitigate the issue.”
This will be particularly frustrating for Puma 6 modem owners because the boxes are pitched as gigabit internet modems
The Puma 6 chipset is used in a number of ISP-branded cable modems
Tomi Engdahl says:
British Cops Will Scan Every Fan’s Face At the Champions League Final
https://news.slashdot.org/story/17/04/26/2052240/british-cops-will-scan-every-fans-face-at-the-champions-league-final
Using a new facial recognition surveillance system, British police will scan every fan’s face at the UEFA Champions League on June 3rd and compare them to a police database of some 500,000 “persons of interest.” “According to a government tender issued by South Wales Police, the system will be deployed during the day of the game in Cardiff’s main train station, as well as in and around the Principality Stadium situated in the heart of Cardiff’s central retail district.”
British Cops Will Scan Every Fan’s Face at the Champions League Final
https://motherboard.vice.com/en_us/article/british-cops-will-scan-every-fans-face-at-the-champions-league-final
South Wales Police is piloting facial recognition at one of Europe’s biggest sporting events.
Tomi Engdahl says:
Hacking Group Is Charging German Companies $275 For ‘DDoS Tests’
https://news.slashdot.org/story/17/04/26/231213/hacking-group-is-charging-german-companies-275-for-ddos-tests
“A group calling itself XMR Squad has spent all last week launching DDoS attacks against German businesses and then contacting the same companies to inform them they had to pay $275 for ‘testing their DDoS protection systems,’ reports Bleeping Computer. Attacks were reported against DHL, Hermes, AldiTalk, Freenet, Snipes.com, the State Bureau of Investigation Lower Saxony, and the website of the state of North Rhine-Westphalia. The attack against DHL Germany was particularly effective”
XMR Squad Is Charging German Companies €250 for “DDoS Tests”
https://www.bleepingcomputer.com/news/security/xmr-squad-is-charging-german-companies-250-for-ddos-tests-/
A group calling itself XMR Squad has spent all last week launching DDoS attacks against German businesses and then contacting the same companies to inform them they had to pay €250 ($275) for “testing their DDoS protection systems.”
German DDoS protection firm Link11 reported attacks against DHL, Hermes, AldiTalk, Freenet, Snipes.com, the State Bureau of Investigation Lower Saxony, and the website of the state of North Rhine-Westphalia.
The group sent emails to all the companies it targeted. In the emails, they didn’t ask for a ransom to stop the attacks, but a fee for having already carried out what they called a DDoS protection test.
Usually, these types of groups launch DDoS attacks and then send emails to their victims requesting for payments to stop the attacks. XMR Squad’s emails looked like invoices for unrequested DDoS tests.
Furthermore, the ransom note didn’t include payment instructions, which is weird, to say the least. DDoS ransoms are usually handled in Bitcoin or another anonymous cryptocurrency. It was strange to see the group ask for payment in Euros, as the group’s name included the term XMR, the shortname for Monero, an anonymous cryptocurrency.
Tomi Engdahl says:
Doug Olenick / SC Magazine US:
Trend Micro report details political-influence activities of cyber espionage group Pawn Storm, aka APT28, Fancy Bear, Sednit, over the last two years
Trend Micro breaks down Pawn Storm tactics, methods and goals
https://www.scmagazine.com/trend-micro-breaks-down-pawn-storm-tactics-methods-and-goals/article/652841/
Trend Micro made its case in a 41-page report entitled Two Years of Pawn Storm.
Just because the attack vector is somewhat easy to pull off does not mean the attacks themselves are simple. Pawn Storm, also known as Apt28, Fancy Bear, Sofacy and most likely Guccifer 2.0, spends a great deal of time and effort to target and properly socially engineer their attacks to ensure the group receives the required results. And the targets themselves indicate that the group is not shy about going after the world’s heavy hitters, to include the Democratic National Party, the German Christian Democratic Union (CDU) headed by Angela Merkel, the Turkish and Montenegro parliaments and most recently Pawn Storm was tied to efforts designed to influence the French presidential election.
The most unusual aspect of Pawn Storm is unlike almost every other cybercrime organization Pawn Storm is not interested in financial gain, but instead stealing credentials which can then be used to influence local politics.
https://media.scmagazine.com/documents/295/trend_micro-two-years-of-pawn-_73730.pdf
Tomi Engdahl says:
Which Cybersecurity Products Use Deep Packet Inspection and Why?
http://www.qosmos.com/blog_qosmos/which-cybersecurity-products-use-deep-packet-inspection-and-why/
SIEM is not obviously associated with DPI. Here is how DPI can play a major role: SIEM and other security analytics products use Netflow and IDS info to describe network activity and create a timeline mapping actors and actions. But results are not always satisfactory since Netflow lacks Layer 7 application info and IDS logs and events tend to focus on alerts, not actions.
DPI adds valuable information, which can be indexed by SIEM: referring party, session cookies, server codes, etc. This improves the accuracy of SIEM: searching is more fine-grained, alerting more accurate and there are fewer false positives.
IP Classification, Metadata Extraction and Content Extraction for Network Security
http://www.qosmos.com/cybersecurity/overview/
Qosmos provides the richest view into network traffic on the market today, with thousands of protocols and metadata attributes. Take advantage of our experience from a wide array of security use cases, including in virtualized environments (SDN & NFV).
Tomi Engdahl says:
DoD Launches “Hack the Air Force” Bug Bounty Program
http://www.securityweek.com/dod-launches-hack-air-force-bug-bounty-program
Following the success of the “Hack the Pentagon” and “Hack the Army” initiatives, the U.S. Department of Defense announced on Wednesday the launch of the “Hack the Air Force” bug bounty program.
“Hack the Air Force” will be the Pentagon’s largest bug bounty project as it’s open to experts not only from the United States, but also from Five Eyes countries, which includes the United Kingdom, Canada, Australia and New Zealand.
The program, run on the HackerOne platform, aims to help the Air Force strengthen its critical assets. White hat hackers who report vulnerabilities will be eligible for monetary rewards, but the exact amounts have not been specified.
Announcing The Largest DoD bug bounty challenge ever: Hack The Air Force
https://www.hackerone.com/blog/announcing-the-largest-dod-bug-bounty-challenge-ever-hack-the-air-force
Tomi Engdahl says:
Blueprint for a Modern Enterprise Security Program
http://www.securityweek.com/blueprint-modern-enterprise-security-program
There’s no doubt, we’re living in a data and intelligence-driven world when it comes to enterprise security. The volume, velocity, and complexity of information security data that must be processed to detect advanced attacks and, at the same time, support new business initiatives has been growing exponentially. However, data in its raw form is still only a means to an end. This begs the question: How can modern enterprise security programs be adapted to gain actionable insight from all the data they collect?
According to Gartner (see ‘Information Security Is Becoming a Big Data Analytics Problem’, written by Neil MacDonald), 40% of enterprises actively analyze at least 10 terabytes of data for information security intelligence, up from less than 3% in 2011. Traditionally, this data is gathered from the perimeter, meaning the network and endpoints. However, in today’s dynamic threat landscape organizations need to extend their ‘monitoring coverage’ to include applications, databases, mobile devices, the Internet of Things, and emerging technologies such as microservices and containers. That being said, organizations will be forced to process even greater amounts of data.
Considering the ongoing skill and expertise shortage, and increasing frequency and sophistication in threat activities, many organizations are rethinking their enterprise security model. Rather than adding more tools, organizations need to implement a new, more efficient approach that is based on continuous cyber risk scoring for improved situational awareness and actionable insights. The objective is to move to full and / or semi-automation of operational activities.
In this context, intelligence-driven cyber risk management is often seen as a clear path for organizations to operationalize cyber security practices, breaking down silos, and enhancing security operations tasks through automation.
Besides leveraging cyber risk management tools, organizations should also consider the following measures to ensure they’re operationalizing security intelligence as effectively as possible:
• Assure ongoing categorization of assets within the organization to establish a benchmark for determining the business impact of threats and prioritization of remediation actions.
• Apply best practices outlined in the National Institute of Standards and Technology (NIST) Cybersecurity Framework; especially their referenced security controls library.
• Increase the frequency of vulnerability scans and other methods to gather more timely security intelligence, which can assist in the detection of security gaps, control failures, and also verify if remediation actions were effective.
Tomi Engdahl says:
If Loose Lips Sink Ships, What do They do to Enterprise Security?
http://www.securityweek.com/if-loose-lips-sink-ships-what-do-they-do-enterprise-security
Yes, users are the weakest link in security and we’ve all heard of them falling victim to phishing attacks or leaving their laptop on a bus. But some users will share information that seems innocuous, yet can be used by attackers in social engineering attacks, which are easier, lower risk and less costly than many technical exploits. Let’s look at a few examples of not-so-obvious information sharing.
Out-of-office notifications
An email “out of office” message that includes details of when a user will return from vacation can be used to gain the confidence of another employee to share information. The attacker, posing as a co-worker, could convince another employee (indicated in the out-of-office email) that they are under a deadline to complete a report that needs information before the vacationing employee returns.
From a policy perspective, consider allowing out-of-office notifications only for internal employees.
Social Media
We put a lot of personal information up on social media, simply because the profile template asks us for it. Information related to your role, job title, projects worked, company history and skills are standard and is often publically accessible. While this information may not be confidential from a corporate perspective, it is a gold mine of information for con artists.
Sharing with press and vendors
Many enterprises have policies against sharing specific security controls and policies outside of the company. Given past experiences in working with customers, I can attest to the difficulty in publicizing success stories, for good reason. But it can be human nature to show off too much when the cameras are rolling.
For example, a crew filming a “top secret” Super Bowl security center in February 2014 exposed the WiFi network’s credentials. In 2015, a French television network, while reporting on its own security incident, actually filmed a staffer in their offices with user names and passwords written down and visible in the background. A cybersecurity startup exposed a California hospital’s network in demonstrations without permission.
Counter-intelligence operations
While recent reports indicate that the Carl Vinson to Korea story was not an intentional ruse, it certainly wouldn’t be the first example of disinformation from a government. The parallel in IT security is next-gen honeypots.
While honeypots have been around as a distraction to attackers for many years, providing attractive but fabricated information, the next generation of technologies are more sophisticated.
Tomi Engdahl says:
Facebook admits: governments exploited us to spread propaganda
https://www.theguardian.com/technology/2017/apr/27/facebook-report-government-propaganda?CMP=share_btn_tw
Company will step up security to clamp down on ‘information operations’
Facebook suspended 30,000 accounts in France before presidential election
Facebook has publicly acknowledged that its platform has been exploited by governments seeking to manipulate public opinion in other countries – including during the presidential elections in the US and France – and pledged to clamp down on such “information operations”.
In a white paper authored by the company’s security team and published on Thursday, the company detailed well-funded and subtle techniques used by nations and other organizations to spread misleading information and falsehoods for geopolitical goals. These efforts go well beyond “fake news”,
“We have had to expand our security focus from traditional abusive behavior, such as account hacking, malware, spam and financial scams, to include more subtle and insidious forms of misuse, including attempts to manipulate civic discourse and deceive people,” said the company.
The company also explained how it monitored “several situations” that fit the pattern of information operations during the US presidential election. The company detected “malicious actors” using social media to share information stolen from other sources
Tomi Engdahl says:
Fundamentals of Fingerprint Scanning
http://hackaday.com/2017/04/27/fundamentals-of-fingerprint-scanning/
So now that I have two phones with fingerprint scanners on them, I decided I needed to know more about what’s going on in there.
Sure, I assumed the sensor was capacitive (but maybe not, I found out). Plus we all know some super glue, scotch tape, and gummy bears are all you need to fake one out. However, that’s been known for about 15 years and we are still seeing phones and other devices rolling out with the same scanners. So for now, put aside the debate about whether we should be using fingerprint scanners. Let’s talk about how those sensors work.
Your Unhashable Fingerprints Secure Nothing
https://hackaday.com/2015/11/10/your-unhashable-fingerprints-secure-nothing/
Tomi Engdahl says:
Stealing Cars for 20 Bucks
http://hackaday.com/2017/04/27/stealing-cars-for-20-bucks/
[Yingtao Zeng], [Qing Yang], and [Jun Li], a.k.a. the [UnicornTeam], developed the cheapest way so far to hack a passive keyless entry system, as found on some cars: around $22 in parts, give or take a buck. But that’s not all, they manage to increase the previous known effective range of this type of attack from 100 m to around 320 m. They gave a talk at HITB Amsterdam, a couple of weeks ago, and shown their results.
The attack in its essence is not new, and it’s basically just creating a range extender for the keyfob. One radio stays near the car, the other near the car key, and the two radios relay the signals coming from the car to the keyfob and vice-versa. This version of the hack stands out in that the [UnicornTeam] reverse engineered and decoded the keyless entry system signals, produced by NXP, so they can send the decoded signals via any channel of their choice. The only constraint, from what we could tell, it’s the transmission timeout. It all has to happen within 27 ms. You could almost pull this off over Internet instead of radio.
The actual keycode is not cracked, like in a HiTag2 attack. It’s not like hacking a rolling key keyfob either. The signals are just sniffed, decoded and relayed between the two devices.
Chasing Cars: Keyless Entry System Attacks
https://conference.hitb.org/hitbsecconf2017ams/sessions/chasing-cars-keyless-entry-system-attacks/