Year 2017 will not have any turn towards better data security. The internet is rife with such well-known than the unknown threats. The company’s systems are supposed to be protected.Hackers are going to continue to look for new ways to extort and steal information from businesses and organizations, which unfortunately means those businesses and organizations will have to continue to look for new ways to protect themselves.
Critical infrastructure cames under attack in 2017. Critical infrastructures must be better protected from criminals and terrorists who take advantage of modern technologies that are essential for the functioning of society and the economy. IT security functions of industrial control systems (ICS), energy grids and IoT networks needs to be improved in 2017.
There is push for better web security in 2017. Starting New Year’s Day, Google’s Chrome will begin labeling as “insecure” all websites that transmit passwords or ask for credit card details over plain text HTTP. Beginning in January 2017 (Chrome 56), HTTP sites that transmit passwords or credit cards are marked as non-secure, as part of a long-term plan to mark all HTTP sites as non-secure.
SHA-1 is insecure. Starting on Jan 1, 2017, most CAs will migrate to SHA-2 certificates, and major browser makers have already announced plans to adopt the change, including Microsoft, Google, and Mozilla. Their browsers will no longer trust sites that use SHA-1 starting with that date, and they will mark these websites as insecure. 1/3 of Websites Use SHA-1 Certificates Despite Looming Deadline. SHA-1 will still hang around, like a fart in a spacesuit, for many years to come because some people are lazy enough not to make the change.
There will be changes in how security is viewed in 2017 by businesses. We will likely see cloud adoption continue to grow across the United States, network visibility will no longer just be an option, AI and machine learning will shake old security models, and IoT-powered attacks will continue to rise. All of this will factor into how businesses set up, monitor and secure their networks.
The Commoditization of Cyberattacks Will Make Them More Frequent in 2017. More and more companies suffer from disruption to business due to cyber attacks. Cyber-attacks cause companies significant financial losses, but the studies shows that companies are not prepared for attacks. According to Gartner, by 2018 only 40 per cent of large companies have official plans in case of cyber attacks. Last year, the percentage was zero.
Strap yourself in for a bumpy ride in 2017. 2016 sucked. 2017 won’t be much better, sorry. DDoS attacks have been around since at least 2000, and they’re not going away. In fact, as the number of devices online grows, the volume and velocity of these attacks is also increasing. DDoS attack toolkits have been around for years, as have services that will enable you to pay for an attack. Expect to see more of them. It seems that 2017 promises to be the most dramatic year yet in DDoS conflict. Whale-sized DDoS attacks will increase, the IoT will become a bigger factor in DDoS and DDoS will overshadow ransomware attacks and is used for extortion. Expect to see the Internet of Things (IoT) and other connected devices play an important part in these attacks.
Biometric identification will become more common in 2017, but it will not replace passwords. Fingerprint identification has become increasingly common in smartphones and already the technology is fast and reliable. This year biometric identification devices were sold for 4.5 billion dollars (most of them go to smart phones and laptops). 91 percent of biometric sales were fingerprint sensors, four per cent of face detection and three per cent iris detection.
Biometrics Won’t Kill Passwords any time soon. Even though PIN codes and passwords are actually pretty lousy protection case against skilled cybercriminal, the password will never disappear entirely, as two per cent of the world’s population is persons with a fingerprint not suitable for biometric identifier to work. Other biometric identification systems have also similar limitations and/or are not yet commonly available at reasonable cost. While biometrics, including fingerprint-, face-, iris-, palm- and speech-recognition, will continue to grow as a more secure substitute for passwords, they will not render passwords obsolete. Until the other common biometrics become commonplace, passwords are here to stay until circa 2030.
Fights with encryption and backdoors for them is not over in 2017. Many public figures in law enforcement have consistently argued that device encryption presents a new threat to police powers of investigation. On the other side House Judiciary Committee’s Encryption Working Group report says encryption backdoors pose a security threat, siding with tech experts in their latest report . The problem is that any system allowing police to get into those encrypted system (let it be phone, computer or communications) could also be exploited by criminals. Any action in this space should weigh any short-term benefits against the longterm impacts. Many industry experts will rightly tell you there is no such thing as partial data encryption. You either have a fully capable system or none at all.
Given the security events of 2016, coupled with the rapid advancements and adoption of cloud computing, 2017 will be the year in which many finally accept that network infrastructure and security will have to be rethought from the ground up. In 2017 the cloud will become a risk for users: The cloud becoming insecure – extortion and IoT openings.
The rivalry between the network attacks and network security is in acceleration. Crippling Internet services with denial of service attacks are becoming more common throughout the world. DDoS attacks have been around since at least 2000, and they’re not going away. In fact, as the number of devices online grows, the volume and velocity of these attacks is also increasing. IoT-powered attacks will continue to rise and stopping the attack is not easy. For most companies the key thing is that the attack traffic is stopped before it reaches the company’s Internet connection or servers (needs to use telecom operator and external services increase). In addition to service disturbion Denial of Service Attacks are often used as distraction during the actual data burglary.DDoS may take over from ransomware as a cause for concern.
In 2017 the IT and security professionals talk about more about business risks. Historically, firewalls, DLP, antivirus, SIEM and other technical point solutions have been the centerpiece of security conversations, but the mindset is slowly shifting from technology to risk. The goal of stopping all attacks and preventing all business impact has been recognized as a fool’s errand, and has shifted to measuring risk and minimizing business impacts. Cyber security is increasingly being viewed as a risk management problem.
In 2017 ‘Security’ Must be Added to our Existing Ethical and Philosophic Concerns Over Artificial Intelligence and Algorithms. Algorithms soon run the world. They present problems that are seriously questioned on both ethical and philosophic grounds; and they have become the basis of fictional Armageddons.
Cyber insurance will be more thoughs as on solution for handling cyber risks in 2017. The global cyber insurance market is expected to generate $14 billion by 2022, according to a new report published by Allied Market Research (AMR). That figure represents an impressive compound annual growth rate (CAGR) of nearly 28% from 2016 to 2022.
In 2017 Big Brother will be watching you 24/7.Those of you who’ve read George Orwell’s book 1984 or seen the movie ,will remember how the citizens of the fictitious totalitarian state of Oceana are constantly under surveillance by order of its dictator, Big Brother. So now swap your home desktop computer, laptop or smart phone for the fictitious telescreen and not only are you sitting in front of what is a modern day version of the Big Brother telescreen you are also walking around with one in your pocket or handbag. Sound a bit far fetched to you? Well it’s set to become a reality in many countries.
Users will want better security or at least to feell more secure in 2017. Many people are prepared to to extremes for better security. According to a recent survey of over 2,000 adults conducted by Harris Poll Nearly 40% of Americans Would Give Up Sex for a Year or eating their favourite food in Exchange for Better Online Securit, meant they’d never have to worry about being hacked. When you consider that 87 percent of U.S. adults use the internet, it makes sense that cyber security is one of the biggest concerns today. The single biggest thing people can do to help keep their online identity safe is probably the easiest – a solid password – and not giving it to other people. Still nearly 50% of people have shared a password to an e-mail account or to an account like Netflix.
Security Becomes A Multi-System Issue and more people talking about the issue. Design teams will have to bake strategies in from the start, no matter how insignificant the device.The good news is that it more people talking about the issue. The real challenge is packing enough security features into designs to prevent security breaches of every sort, including those that can come from other electronics that weren’t even considered as part of the design process. Just as devices get more sophisticated, so do hackers.The reality is that security breaches can even cause physical harm. It’s time to look at this at a multi-system, multi-disciplinary level. Otherwise, we literally could be playing with fire.
Block chains have been a big trend for several years. The block chain market is divided now when 2017 starts. During the autumn 2016, we have seen a number of initiatives on cooperation between the financial sector and consulting companies. Microsoft has chosen a platform for Ethereum-block chain and offers it to the Azure cloud service. IBM has jumped Hyperledger consortium bandwagon and offering their own block chains to Bluemix service. Google and Amazon still shine by their absence. Even banks may prefer to see the use of cloud for the block chains.
Other prediction articles worth to look:
What Lies Ahead for Cybersecurity in 2017?
Network Infrastructure, Visibility and Security in 2017
DDoS in 2017: Strap yourself in for a bumpy ride
Cybersecurity Industry Outlook: 2017 to 2021 | CSO Online
IBM’s Cybersecurity Predictions for 2017 – eForensics
https://eforensicsmag.com/ibms-cybersecurity-predictions-2017/
Top 5 Cybersecurity Threats to Watch Out for in 2017
Experts Hopeful as Confidence in Risk Assessment Falls
3,151 Comments
Tomi Engdahl says:
Google revises app review process following phishing attacks
The company will also add manual reviews for some apps that request user data.
https://www.engadget.com/2017/05/12/google-revises-app-review-process/
In the wake of the Google Docs phishing debacle last week, Google has added a few new safeguards to better protect us from these types of attacks. The Gmail app for Android scans for suspect links and Google has tightened up its policies on third party authentication to help keep phishing scams from even getting to you. Today, the company has come out with more guidelines and systems at the developer level that should help prevent even more of these attempts.
Tomi Engdahl says:
Brad Smith / Microsoft on the Issues:
Microsoft decries “stockpiling of vulnerabilities by governments”, citing NSA, CIA leaks, reiterates points from its Feb. call for a “Digital Geneva Convention” — Early Friday morning the world experienced the year’s latest cyberattack.
The need for urgent collective action to keep people safe online: Lessons from last week’s cyberattack
Read more at https://blogs.microsoft.com/on-the-issues/2017/05/14/need-urgent-collective-action-keep-people-safe-online-lessons-last-weeks-cyberattack/#FrHZ46MKvkVGwuEg.99
Tomi Engdahl says:
UK Group Fights Arrest Over Refusing To Surrender Passwords At The Border
https://yro.slashdot.org/story/17/05/15/0559200/uk-group-fights-arrest-over-refusing-to-surrender-passwords-at-the-border
The human rights group Cage is preparing to mount a legal challenge to UK anti-terrorism legislation over a refusal to hand over mobile and laptop passwords to border control officials at air terminals, ports and international rail stations… The move comes after its international director, Muhammad Rabbani, a UK citizen, was arrested at Heathrow airport in November for refusing to hand over passwords.
Campaign group to challenge UK over surrender of passwords at border control
https://www.theguardian.com/politics/2017/may/14/campaign-group-to-challenge-uk-over-surrender-of-passwords-at-border-control
Cage plans to challenge anti-terrorism laws that allow border officials to demand passwords after arrest of its international director at Heathrow
The human rights group Cage is preparing to mount a legal challenge to UK anti-terrorism legislation over a refusal to hand over mobile and laptop passwords to border control officials at air terminals, ports and international rail stations.
Cage, which campaigns on issues such as torture, discrimination and wrongful imprisonment, is planning to fight the issue as a surveillance v privacy test case.
He said he had cooperated as usual and handed over his laptop and mobile phone. On previous occasions, when asked for his passwords, he said he had refused and eventually his devices were returned to him and he was allowed to go.
But there was a new twist this time: when he refused to reveal his passwords, he was arrested under schedule 7 provisions of the terrorism act and held overnight at Heathrow Polar Park police station before being released on bail. He expects to be charged on Wednesday.
Tomi Engdahl says:
So your client’s under-spent on IT for decades and lives in fear of an audit
Oh-so-trendy infrastructure as code could save your bacon
https://www.theregister.co.uk/2017/05/12/infrastructure_as_code/
Infrastructure as code is a buzzword frequently thrown out alongside DevOps and continuous integration as being the modern way of doing things. Proponents cite benefits ranging from an amorphous “agility” to reducing the time to deploy new workloads. I have an argument for infrastructure as code that boils down to “cover your ass”, and have discovered it’s not quite so difficult as we might think.
Recently, a client of mine went through an ownership change. The new owners, appalled at how much was being spent on IT, decided that the best path forward was an external audit. The client in question, of course, is an SMB who had been massively under-spending on IT for 15 years, and there no way they were ready for – or would pass – an audit.
Trying to cram eight months’ worth of migrations, consolidations, R&D, application replacement and so forth into four frantic, sleepless nights of panic ended how you might imagine it ending. The techies focused on making sure their asses were covered when the audit landed. Overall network performance slowed to a crawl and everyone went home angry.
Why desired state configurations matter
None of this is particularly surprising. When you have an environment where each workload is a pet, change is slow, difficult, and requires a lot of testing. Reverting changes is equally tedious, and so a lot of planning goes into making sure than any given change won’t cascade and cause knock-on effects elsewhere.
Automated defences
Having the ability to centralize some or all of your IT configuration is only the start of covering your backside. Desired state config tools, on their own, only tell you that your workloads are behaving according to the configs supplied. They don’t explain why your configs are what they are.
Infrastructure as code
Full blown infrastructure as code moves beyond this. Data storage gets separated from the environment and applications. In many cases one no longer has to wrap applications up in a protective VM shield, but can let them operate in lightweight and feature-poor containers.
More importantly, a proper infrastructure as code implementation could spin up a complete copy of a data centre from only the original installers and backups of the data. Trigger a script, and a VM or container is provisioned. An operating system, agents, applications and configurations are injected into the new environment. Data storage is provisioned and attached. A workload is born!
Tomi Engdahl says:
PCs Connected To the Internet Will Get Infected With WanaDecrypt0r In Minutes
https://it.slashdot.org/story/17/05/15/0354230/pcs-connected-to-the-internet-will-get-infected-with-wanadecrypt0r-in-minutes?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29
“The Wana Decrypt0r ransomware — also known as WCry, WannaCry, WannaCrypt, and WanaCrypt0r — infected a honeypot server made to look like a vulnerable Windows computer six times in the span of 90 minutes, according to an experiment carried out by a French security researcher that goes online by the name of Benkow,” reports BleepingComputer. “During one of those infections, Wana Decrypt0r infected the honeypot in a mere three minutes after it was reset, showing the aggressive nature of the ransomware’s scanning module, which helps it spread to new victims… Three minutes is about the same amount of time IoT malware will infect a vulnerable home router left connected to the Internet without patches.”
Honeypot Server Gets Infected with WannaCry Ransomware 6 Times in 90 Minutes
https://www.bleepingcomputer.com/news/security/honeypot-server-gets-infected-with-wannacry-ransomware-6-times-in-90-minutes/
The WannaCry ransomware — also known as WCry, Wana Decrypt0r, WannaCrypt, and WanaCrypt0r — infected a honeypot server made to look like a vulnerable Windows computer six times in the span of 90 minutes, according to an experiment carried out by a French security researcher that goes online by the name of Benkow.
During one of those infections, WannaCry infected the honeypot in a mere three minutes after it was reset, showing the aggressive nature of the ransomware’s scanning module, which helps it spread to new victims. Remind you that the ransomware was defanged via a kill-switch researchers found in its code, but this test shows how quickly new infections will be made if this kill switch wouldn’t have been discovered.
Furthermore, three minutes is about the same amount of time IoT malware will infect a vulnerable home router left connected to the Internet without patches.
We all know the huge problems caused by IoT malware and IoT botnets, and Benkow’s experiment shows how widespread the WannaCry problem is.
https://benkowlab.blogspot.fi/
Tomi Engdahl says:
HP Removes Keylogger Functionality From Audio Drivers
http://www.securityweek.com/hp-removes-keylogger-functionality-audio-drivers
HP informed users on Friday that it has updated audio drivers for some of its laptops and tablet PCs to remove keylogger functionality discovered by security researchers.
Swiss security firm Modzero warned on Thursday that an application installed on many HP devices with Conexant audio drivers logged keystrokes in a file and transmitted them to a debugging API, allowing a local user or process to easily access passwords and other potentially sensitive data typed by users.
The vulnerability, identified as CVE-2017-8360, has been found to affect 28 HP laptops and tablet PCs, including EliteBook, ProBook, Elite X2 and ZBook models. Devices from other vendors that use hardware and drivers from Conexant could be affected as well, but the audio chip maker has yet to provide any information.
Tomi Engdahl says:
Industry Reactions to Trump’s Cybersecurity Executive Order
http://www.securityweek.com/industry-reactions-trumps-cybersecurity-executive-order
U.S. President Donald Trump signed an executive order on Thursday in an effort to improve the protection of federal networks and critical infrastructure against cyberattacks.
The executive order states that the heads of departments and agencies will be held accountable for managing cybersecurity risk. They are required to use NIST’s Framework for Improving Critical Infrastructure Cybersecurity to manage risk, and they must submit reports to Homeland Security and the Office of Management and Budget (OMB) within 90 days.
The White House also wants authorities to support the risk management efforts of critical infrastructure operators, help improve resilience against botnets, and assess capabilities for responding to electricity disruptions. The Department of Defense, the FBI and the DHS have been instructed to provide a report on the cybersecurity risks facing the defense industrial base and military systems.
Industry professionals contacted by SecurityWeek have shared thoughts on the implications of the executive order, its impact, and difficulties related to its implementation.
Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure
https://www.whitehouse.gov/the-press-office/2017/05/11/presidential-executive-order-strengthening-cybersecurity-federal
Tomi Engdahl says:
U.S. Intelligence Community Highlights Cyber Risks in Worldwide Threat Assessment
http://www.securityweek.com/us-intelligence-community-highlights-cyber-threats-worldwide-threat-assessment
AI, IoT and Fake News Highlighted as On-going Cyber Threats
In its statement to the Senate Select Committee on Intelligence on Wednesday, The Intelligence Community combined current and future cyber threats with its overview of kinetic and political threats to America.
Cyber adversaries, warns the Worldwide Threat Assessment of the US Intelligence Community (PDF), “are becoming more adept at using cyberspace to threaten our interests and advance their own, and despite improving cyber defenses, nearly all information, communication networks, and systems will be at risk for years.”
Russia, China, Iran and North Korea are given special reference as cyber threat actors. Russia’s “cyber operations will continue to target the United States and its allies to gather intelligence, support Russian decision-making, conduct influence operations to support Russian military and political objectives, and prepare the cyber environment for future contingencies.”
Cyber activity from China has declined since the bilateral Chinese-US cyber commitments of September 2015, but cyber espionage continues. China also selectively targets individuals or organizations it believes might threaten its domestic regime.
Iran, which the statement describes as “the foremost state sponsor of terrorism”, has already used its cyber capabilities against the US
Cyber criminals are “developing and using sophisticated cyber tools for a variety of purposes including theft, extortion, and facilitation of other criminal activities.” Ransomware is given special mention.
Emerging threats come from artificial intelligence (AI), the internet of things (IoT), and perhaps surprisingly, the decline of Moore’s Law.
The IoT offers a new attack vector for adversaries. “In the future,” warns the Intelligence Community, “state and non-state actors will likely use IoT devices to support intelligence operations or domestic security or to access or attack targeted computer networks.”
https://www.intelligence.senate.gov/sites/default/files/documents/os-coats-051117.pdf
Tomi Engdahl says:
Sobering Thoughts When a Connected Medical Device Is Connected to You
http://www.securityweek.com/sobering-thoughts-when-connected-medical-device-connected-you
I recently had reason to spend an overnight visit in the hospital. When friends and family left me late in the evening I was confronted with a subject that I had considered professionally but never had to face personally: the connected medical device.
When software security gets personal
Injecting privacy and safety into the security-quality conversation
When enhanced functionality poses a life-threatening risk
The Equation: Privacy, Safety, Quality and Security
Taking privacy, safety, quality, and security all into the equation, the innocuous-looking box beeping and flashing by my bed suddenly demands a whole new level of consideration. Connecting such a device makes great sense regarding sharing medical data and providing software updates to improve functionality. However, as in all things, there are two edges to the sword.
All too often the theme of patient privacy dominates the conversation around connected medical devices. However, as security researchers like Billy Rios and Dr. Marie Moe so adroitly remind us, there is often much more at stake than the exposure of personal medical data. I can assure you that in the quiet of my hospital room late in the evening, I was far more worried about what medicine was coming out of the pump than what data was coming out of it.
Tomi Engdahl says:
Mobile Ecosystem Vulnerable Despite Security Improvements: DHS
http://www.securityweek.com/mobile-ecosystem-vulnerable-despite-security-improvements-dhs
Mobile security is improving, but unprotected communication paths leave the ecosystem vulnerable, according to recent report from the Department of Homeland Security (DHS) and the National Institute of Standards and Technology (NIST).
The study details five primary components of the mobile ecosystem (mobile device technology stack, mobile applications, mobile network protocols and services, physical access to the device, and enterprise mobile infrastructure), as well as the attack surface for each of them. The report provides Congress with a view of the mobile security threats government workers face, while noting that defenses must cover the entire threat surface, not only the categories these threats fall into.
According to DHS’ Study on Mobile Device Security (PDF), mobile operating system providers have made advances, mobile device management and enterprise mobility management systems offer scrutiny and security configuration management, and best practices guides issued both by NIST and private industry further improve the landscape. Despite that, communication paths that remain unprotected create vulnerabilities, and further new fifth generation network protocols require additional hardening, and research still needs to be done, the report says.
https://www.dhs.gov/sites/default/files/publications/DHS%20Study%20on%20Mobile%20Device%20Security%20-%20April%202017-FINAL.pdf
Tomi Engdahl says:
Microsoft Wants To Monitor Your Workplace With AI, Computer Vision and the Cloud
https://yro.slashdot.org/story/17/05/14/0440228/microsoft-wants-to-monitor-your-workplace-with-ai-computer-vision-and-the-cloud
Gizmodo reports on a Microsoft Workplace Monitoring demo where CCTV cameras watch a workplace — like a construction site — on 24/7 basis, and AI algorithms constantly oversee and evaluate what is happening in that workplace. The system can track where employees are, where physical equipment and tools are at what time, who does what at what time in this workplace and apparently use Cloud-based AI of some sort to evaluate what is happening in the workplace being monitored.
Microsoft’s Latest Workplace Tech Demos Creep Me Out
http://gizmodo.com/microsoft-s-latest-workplace-tech-demos-creep-me-out-1795093452
Tomi Engdahl says:
Microsoft Blasts Spy Agencies For Leaked Exploits Used By WanaDecrypt0r
https://yro.slashdot.org/story/17/05/15/0137215/microsoft-blasts-spy-agencies-for-leaked-exploits-used-by-wanadecrypt0r
Company president Brad Smith has posted a response to the attack that roasts the NSA, CIA and other intelligence agencies for hogging security vulnerabilities instead of disclosing them to be fixed. There’s an “emerging pattern” of these stockpiles leaking out, he says, and they cause “widespread damage” when that happens. He goes so far as to liken it to a physical weapons leak — it’s as if the US military had “some of its Tomahawk missiles stolen”…
Microsoft blasts spy agencies for hoarding security exploits
It likens ‘WannaCry’ to someone stealing Tomahawk missiles.
https://www.engadget.com/2017/05/14/microsoft-blasts-spy-agency-exploit-hoarding/
Microsoft is hopping mad that leaked NSA exploits led to the “WannaCry” (aka “WannaCrypt”) ransomware wreaking havoc on computers worldwide. Company President Brad Smith has posted a response to the attack that roasts the NSA, CIA and other intelligence agencies for hogging security vulnerabilities instead of disclosing them to be fixed. There’s an “emerging pattern” of these stockpiles leaking out, he says, and they cause “widespread damage” when that happens. He goes so far as to liken it to a physical weapons leak — it’s as if the US military had “some of its Tomahawk missiles stolen.”
To Smith, this is a “wake-up call.” Officials ought to treat a mass of exploits with the same caution that they would a real-world weapons cache, he argues. Microsoft had already floated the concept of a “Digital Geneva Convention” that required governments to report security holes, but the idea has gained a new sense of urgency in light of the recent ransomware chaos. Will the NSA and other agencies listen? Probably not — but Microsoft at least some has some evidence to back up its claims.
Tomi Engdahl says:
The need for urgent collective action to keep people safe online: Lessons from last week’s cyberattack
https://blogs.microsoft.com/on-the-issues/2017/05/14/need-urgent-collective-action-keep-people-safe-online-lessons-last-weeks-cyberattack/#sm.0001m8ckub1q8f2stke29h7mp846d
All of this provides the broadest example yet of so-called “ransomware,” which is only one type of cyberattack. Unfortunately, consumers and business leaders have become familiar with terms like “zero day” and “phishing” that are part of the broad array of tools used to attack individuals and infrastructure. We take every single cyberattack on a Windows system seriously, and we’ve been working around the clock since Friday to help all our customers who have been affected by this incident. This included a decision to take additional steps to assist users with older systems that are no longer supported. Clearly, responding to this attack and helping those affected needs to be our most immediate priority.
Tomi Engdahl says:
New Fileless Attack Targets North Korea
http://www.securityweek.com/new-fileless-attack-targets-north-korea
Baijiu is a newly detected stealthy threat that currently targets North Korea, and seems to have Chinese provenance. It is delivered by phishing, and comprises a downloader that is being called Typhoon together with a set of backdoors being called Lionrock.
The campaign was discovered by Cylance, and it is thought to be hitherto unknown. “Three distinctive elements of Baijiu drew and held our attention,” writes Cylance in an analysis published today: “the unusual complexity of the attack; the appropriation of web hosting service GeoCities (of 1990s fame); and the use of multiple methods of obfuscation.”
The LNK file executes a Windows command that fetches and runs javascript code. The javascript downloads two DLLs also hosted on GeoCities. “Both DLLs functioned as elaborate launchers for a PowerShell script encoded within their resource sections,” comments Cylance; and both used an expired certificate belonging to mywellnessmatters.com.
Tomi Engdahl says:
Microsoft Warns Governments Against Exploit Stockpiling
http://www.securityweek.com/microsoft-warns-governments-against-exploit-stockpiling
Microsoft Says WannaCry Ransomware Outbreak Should be a Wake Up Call for Governments
Microsoft president and chief legal officer Brad Smith has renewed his call for an international ‘Digital Geneva Convention’ following the global WannaCrypt ransomware attack that started on Friday.
In ‘The need for urgent collective action to keep people safe online: Lessons from last week’s cyberattack’, Smith wrote Sunday, “The governments of the world should treat this attack as a wake-up call. They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world.”
Some estimates now suggest that WannaCrypt has affected more than 200,000 users in 200 different countries. But if Smith’s proposals were already standard practice, it need never have happened. Earlier this year he called for a digital Geneva Convention that “should mandate that governments report vulnerabilities to vendors rather than stockpile, sell or exploit them.”
“This attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem,” he wrote yesterday. “This is an emerging pattern in 2017. We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world. Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage.”
The current worldwide ‘incident’, which could be described as ‘a perfect storm’, happened (and is continuing) through the convergence of three primary threats: the continued use of unsupported operating systems (more specifically, Windows XP); the continuing success of phishing; and the availability of 0-day exploits.
Tomi Engdahl says:
Sean Gallagher / Ars Technica:
Two experts say Gizmodo’s phishing test for members of Trump’s team may invite prosecution under CFAA
Gizmodo went phishing with the Trump team—will they catch a charge?
“Security test” sent to 15 officials, advisors, others skirts the edges of CFAA.
https://arstechnica.com/tech-policy/2017/05/gizmodo-went-phishing-with-the-trump-team-will-they-catch-a-charge/
Earlier this week, the team at Gizmodo’s Special Projects Desk published a report on how they “phished” members of the administration and campaign teams of President Donald Trump. Gizmodo identified 15 prominent figures on Trump’s team and sent e-mails to each posing as friends, family members, or associates containing a faked Google Docs link.
“This was a test of how public officials in an administration whose president has been highly critical of the security failures of the DNC stand up to the sort of techniques that hackers use to penetrate networks,” said John Cook, executive editor of Gizmodo’s Special Projects Desk, in an e-mail conversation with Ars. Gizmodo targeted some marquee names connected to the Trump administration
Hold my beer
To violate the CFAA, Gizmodo would have to have intentionally accessed a computer without authorization or exceeded “authorized access” to obtain information from a “protected computer.” The definition of “access” (and even “computer”) is much broader than how most people would typically think of them under the law, so conceivably anything that returned information from a computer—a webpage with scripts that run in the computer’s Web browser, for example—could be considered “access” under some circumstances.
Gizmodo took some steps to stay within the law. “The system we devised for this project disclosed to the subjects that it was a Gizmodo Media Group test at every stage,” said Cook. “The initial e-mail and the log-in page that the e-mail linked to both contained disclosures. We designed the log-in page so that, if a subject entered any credentials, no passwords could be viewed, accessed, intercepted, or retained in any way. We would know if they entered any characters in the password field, but not which characters. In the [test], no subjects entered any credentials.”
The test itself consisted of the targeted e-mail
Here’s How Easy It Is to Get Trump Officials to Click on a Fake Link in Email
https://gizmodo.com/heres-how-easy-it-is-to-get-trump-officials-to-click-on-1794963635
Even technology experts can be insecure on the internet, as last week’s “Google Docs” phishing attack demonstrated. An array of Gmail users, including BuzzFeed tech reporter Joe Bernstein, readily handed over access to their email to a bogus app. Politicians should be especially wary of suspicious emails given recent events, yet a security test run by the Special Projects Desk found that a selection of key Trump Administration members and associates would click on a link from a fake address.
The Trump camp has talked a lot about cybersecurity—or “the cyber”
So, three weeks ago, Gizmodo Media Group’s Special Projects Desk launched a security preparedness test directed at Giuliani and 14 other people associated with the Trump Administration. We sent them an email that mimicked an invitation to view a spreadsheet in Google Docs.
The link in the document would take them to what looked like a Google sign-in page, asking them to submit their Google credentials. The url of the page included the word “test.” The page was not set up to actually record or retain the text of their passwords, just to register who had attempted to submit login information.
Some of the Trump Administration people completely ignored our email, the right move. But it appears that more than half the recipients clicked the link: Eight different unique devices visited the site, one of them multiple times. There’s no way to tell for sure if the recipients themselves did all the clicking (as opposed to, say, an IT specialist they’d forwarded it to), but seven of the connections occurred within 10 minutes of the emails being sent.
Tomi Engdahl says:
United: Cockpit door access codes accidentally made public
http://www.upi.com/Top_News/US/2017/05/14/United-Cockpit-door-access-codes-accidentally-made-public/2641494766586/
Access codes to the cockpit doors on United planes were made public, the airline announced, but United promised it has procedures in place to keep the deck secure.
In an emailed statement to NBC Los Angeles, Maddie King said Saturday that “the information was inadvertently made public.”
But she said, “I can confirm it was not a breach.”
Access codes for United cockpit doors accidentally posted online
https://techcrunch.com/2017/05/14/access-codes-for-united-cockpit-doors-accidentally-posted-online/
United Continental Holdings alerted pilots that access codes to cockpit doors were accidentally posted on a public website by a flight attendant, reports the Wall Street Journal. The company, which owns United Airlines and United Express, asked pilots to follow security procedures already in use, including visually confirming someone’s identity before they are allowed onto the flight deck even if they enter the correct security code into the cockpit door’s keypad.
The Air Line Pilots Association, a union that represents 55,000 pilots in the U.S. and Canada, told the WSJ on Sunday that the problem had been fixed.
The notable thing about this security breach is that it was caused by human error, not a hack, and illustrates how vulnerable cockpits are to intruders despite existing safety procedures.
Tomi Engdahl says:
Android Permission Security Flaw
http://blog.checkpoint.com/2017/05/09/android-permission-security-flaw/
Check Point researchers spotted a flaw in one of Android’s security mechanisms. Based on Google’s policy which grants extensive permissions to apps installed directly from Google Play, this flaw exposes Android users to several types of attacks, including ransomware, banking malware and adware. Check Point reported this flaw to Google, which responded that this issue is already being dealt with in the upcoming version of Android, currently dubbed “Android O”.
Based on Check Point research, nearly 45% of the applications using the SYSTEM_ALERT_WINDOW permission are apps from Google Play.
With the granting of SYSTEM_ALERT_WINDOW permission to apps installed from the app store, Google effectively bypasses the security mechanism introduced in the previous version.
Google is working on a fix
After Check Point reported this flaw, Google responded it has already set plans to protect users against this threat in the upcoming version “Android O”.
Tomi Engdahl says:
Slashdot Asks: In the Wake Of Ransomware Attacks, Should Tech Companies Change Policies To Support Older OSs Indefinitely?
https://ask.slashdot.org/story/17/05/15/0739227/slashdot-asks-in-the-wake-of-ransomware-attacks-should-tech-companies-change-policies-to-support-older-oss-indefinitely
In the aftermath of ransomware spread over the weekend, Zeynep Tufekci, an associate professor at the School of Information and Library Science at the University of North Carolina, writes an opinion piece for The New York Times:
At a minimum, Microsoft clearly should have provided the critical update in March to all its users, not just those paying extra. Indeed, “pay extra money to us or we will withhold critical security updates” can be seen as its own form of ransomware. In its defense, Microsoft probably could point out that its operating systems have come a long way in security since Windows XP, and it has spent a lot of money updating old software, even above industry norms. However, industry norms are lousy to horrible
The World Is Getting Hacked. Why Don’t We Do More to Stop It?
https://www.nytimes.com/2017/05/13/opinion/the-world-is-getting-hacked-why-dont-we-do-more-to-stop-it.html
The path to a global outbreak on Friday of a ransom-demanding computer software (“ransomware”) that crippled hospitals in Britain — forcing the rerouting of ambulances, delays in surgeries and the shutdown of diagnostic equipment — started, as it often does, with a defect in software, a bug. This is perhaps the first salvo of a global crisis that has been brewing for decades. Fixing this is possible, but it will be expensive and require a complete overhaul of how technology companies, governments and institutions operate and handle software. The alternative should be unthinkable.
Just this March, Microsoft released a patch to fix vulnerabilities in its operating systems, which run on about 80 percent of desktop computers globally. Shortly after that, a group called “Shadow Brokers” released hacking tools that took advantage of vulnerabilities that had already been fixed in these patches.
It seemed that Shadow Brokers had acquired tools the National Security Agency had used to break into computers. Realizing these tools were stolen, the N.S.A. had warned affected companies like Microsoft and Cisco so they could fix the vulnerabilities. Users were protected if they had applied the patches that were released, but with a catch: If an institution still used an older Microsoft operating system, it did not receive this patch unless it paid for an expensive “custom” support agreement.
The cash-strapped National Health Service in Britain, which provides health care to more than 50 million people, and whose hospitals still use Windows XP widely, was not among those that signed up to purchase the custom support from Microsoft.
Continue reading the main story
They were out in the cold.
On May 12, a massive “ransomware” attack using one of those vulnerabilities hit hospitals in Britain, telecommunication companies in Spain, FedEx in the United States, the Russian Interior Ministry and many other institutions around the world. They had either not applied these patches to systems where it was available for free, or had not paid the extra money for older ones.
Computer after computer froze, their files inaccessible, with an ominous onscreen message asking for about $300 worth of “bitcoin”
But the crisis is far from over. This particular vulnerability still lives in unpatched systems, and the next one may not have a convenient kill switch.
While it is inevitable that software will have bugs, there are ways to make operating systems much more secure — but that costs real money. While this particular bug affected both new and old versions of Microsoft’s operating systems, the older ones like XP have more critical vulnerabilities. This is partly because our understanding of how to make secure software has advanced over the years, and partly because of the incentives in the software business. Since most software is sold with an “as is” license, meaning the company is not legally liable for any issues with it even on day one, it has not made much sense to spend the extra money and time required to make software more secure quickly.
This isn’t all Microsoft’s fault though. Its newer operating systems, like Windows 10, are much more secure. There are many more players and dimensions to this ticking bomb.
During this latest ransomware crisis, it became clear there were many institutions that could have patched or upgraded their systems, but they had not. This isn’t just because their information technology departments are incompetent (though there are surely cases of that, too). Upgrades come with many downsides that make people reluctant to install them.
As an added complication, the ways companies communicate about upgrades and unilaterally change the user interface make people vulnerable to phishing, since one is never sure what is a real login or upgrade message and what is a bogus one, linking to a fake website trying to steal a login.
The problem is even worse for institutions like hospitals which run a lot of software provided by a variety of different vendors, often embedded in expensive medical equipment.
The next crisis facing us is the so-called “internet of things”: devices like baby monitors, refrigerators and lighting now come with networked software. Many such devices are terribly insecure and, worse, don’t even have a mechanism for receiving updates. In the current regulatory environment, the people who write the insecure software and the companies who sold the “things” bear no liability.
First, companies like Microsoft should discard the idea that they can abandon people using older software. The money they made from these customers hasn’t expired; neither has their responsibility to fix defects
At a minimum, Microsoft clearly should have provided the critical update in March to all its users, not just those paying extra.
The United States government has resources and institutions to help fix this. N.S.A.’s charter gives it a dual role: both offensive and defensive.
In other words, we can’t eliminate bugs, but with careful design, we can make it so that they cannot easily wreak havoc like this.
It is time to consider whether the current regulatory setup, which allows all software vendors to externalize the costs of all defects and problems to their customers with zero liability, needs re-examination.
Tomi Engdahl says:
Report: Hackers ‘aligned’ with Vietnam government attacked international firms and media
https://techcrunch.com/2017/05/14/fireeye-vietnam-aligned-hackers/
A hacker group “aligned with Vietnamese government interests” carried out attacks on corporate companies, journalists and overseas governments over the past three years, according to a report from cyber security firm FireEye.
FireEye, which works with large companies to secure their assets from cyber threats, said it has tracked at least 10 separate attacks from the group — referred to as OceanLotus, or APT32 — since 2014. Targets included members of the media, and private and public sector organizations from across Germany, China, the U.S., the Philippines, the UK and Vietnam itself, according to the report.
Tomi Engdahl says:
All the world’s a context: Targeted ads go offline
https://blog.kaspersky.com/offline-tracking-ads/16510/
Targeted ads are all over the Internet nowadays. One minute you’re searching for information about hair loss, the next you’re seeing offers for a remedy. Click the Like button on an article about genetic tests and you’ll see discounts for that kind of test. Advertisements on the Internet reflect the collected knowledge of everything the target — you! — have liked, searched for, and seen online, and this “diary” of your online life paints a pretty candid picture of you, too.
At this point, seeing ads based on your online history is hardly a surprise — at least, not while you’re online. So here’s something new to get used to: targeted ads on the street, in stores, and in our cars
You’re easy to target
First of all, you should know that you are being counted. The owners of stores and shopping centers want to know how many people walk past a store and how many go inside. Those who pass by are counted by cameras, motion sensors, and floor-pressure sensors. People who stand in check-out lines are counted separately to help stores optimize the number of employees.
Second, your movements are tracked. Your own smartphone is used as a radio beacon. By measuring the signal strength to several access points, marketers can pinpoint your location to within several feet (the best algorithms are accurate to a few dozen inches). In online marketing parlance, it’s called the customer journey — and it’s important data for marketing purposes. Offline you can call it the same — but literally.
Third, salespeople are trying to find out as much as possible about you. General information about a person and their habits and interests can be acquired by studying their purchase history and social-network profile data (we’ll talk later in this article about how they access the profile). Modern image-recognition systems can guess the gender and approximate age of a visitor simply by taking a look at them through a camera lens.
How marketers track and sell
One of the most popular and effective methods for tracking potential and existing customers uses wireless (Wi-Fi) networks.
The list of data collected includes:
Information from a social media account and the credentials (for example, an e-mail address) used to connect to the network;
A history of websites visited over the wireless network;
The technical specifications of the visitor’s smartphone, including IMEI number and phone number;
The location of the visitor within the shopping center.
Tomi Engdahl says:
Good news, OpenVPN fans: Your software’s only a little bit buggy
Two code reviews give crypto client nearly clean bill of health
https://www.theregister.co.uk/2017/05/16/openvpn_security_audit/
The venerable OpenVPN client has been given a mostly clean bill of health.
Between December and February, a team led by Johns Hopkins University crypto-boffin Dr Matthew Green has been auditing OpenVPN 2.4′s code.
The review, paid for by Private Internet Access (which uses the software), has been published.
While all software has bugs, the most important part of the verdict is that the review found “no major vulnerabilities”.
OpenVPN 2.4 Evaluation Summary and Report
https://www.privateinternetaccess.com/blog/2017/05/openvpn-2-4-evaluation-summary-report/
Tomi Engdahl says:
Traditionally, malware has spread through email attachments and other links. Thousands of emails have been sent by malicious advertisers to pretty much search and the spread of malware is slow, as few people click suspicious links open.
The WannaCry wrap program works in another way. Instead of sending a malicious code to random email addresses, the developers started by scanning vulnerable devices in advance.
“After this, the perpetrators attacked at the same time thousands of vulnerable devices attacked, and those of malware started to spread from the surrounding devices”, Nixu leading security consultant Antti Nuopponen describes the events.
A significant change to the previous one is that several machines are contaminated at one time instead of one machine. Especially in companies, malicious malware spreads widely, and managing the situation quickly becomes difficult.
According to Nuopposen, malware is becoming more common every year. Last year, the crash gain from malware was over one billion dollars.
Nuopponen believes that while security is constantly being upgraded and prepared for attacks, the perpetrators always go one step ahead
“The worst scenario is that malware paralyzes the critical infrastructure of society. Large-scale infrastructure crashes can even cause deaths. ”
Source: http://www.tivi.fi/Kaikki_uutiset/wannacry-on-vasta-alkua-pahimmassa-skenaariossa-jopa-kuolonuhreja-6649440
Tomi Engdahl says:
Ransom Tracker
https://twitter.com/ransomtracker
A bot live-tweeting Bitcoin ransom payments by victims of ransomware. Maybe using a public immutable ledger was not such a good idea. Run by
Tomi Engdahl says:
Access codes for United cockpit doors accidentally posted online
https://techcrunch.com/2017/05/14/access-codes-for-united-cockpit-doors-accidentally-posted-online/
United Continental Holdings alerted pilots that access codes to cockpit doors were accidentally posted on a public website by a flight attendant, reports the Wall Street Journal. The company, which owns United Airlines and United Express, asked pilots to follow security procedures already in use, including visually confirming someone’s identity before they are allowed onto the flight deck even if they enter the correct security code into the cockpit door’s keypad.
The Air Line Pilots Association, a union that represents 55,000 pilots in the U.S. and Canada, told the WSJ on Sunday that the problem had been fixed.
In an emailed statement, a United Continental spokesperson said, “We have learned that some cockpit door access information may have been made public.”
United’s Cockpit Door Security Codes Inadvertently Revealed
Pilots union says problem was resolved; airline had told pilots to take extra precautions
https://www.wsj.com/articles/uniteds-cockpit-door-security-codes-inadvertently-revealed-1494794444
Tomi Engdahl says:
‘Don’t Tell People To Turn Off Windows Update, Just Don’t’
https://yro.slashdot.org/story/17/05/15/1210245/dont-tell-people-to-turn-off-windows-update-just-dont
Often, the updates these products deliver patch some pretty nasty security flaws. If you had any version of Windows since Vista running the default Windows Update, you would have had the critical Microsoft Security Bulletin known as “MS17-010″ pushed down to your PC and automatically installed. Without doing a thing, when WannaCry came along almost 2 months later, the machine was protected because the exploit it targeted had already been patched.
Don’t tell people to turn off Windows Update, just don’t
https://www.troyhunt.com/dont-tell-people-to-turn-off-windows-update-just-dont/
Why is malware effective? Because of idiotic advice like this: “Stop Windows 10 from automatically updating your PC”
- Troy Hunt (@troyhunt) May 13, 2017
When you position this article from a year ago next to the hundreds of thousands of machines that have just had their files encrypted, it’s hard to conclude that it in any way constitutes good advice. I had the author of this post ping me and suggest that people should just manually update their things if they disabled Windows Update. That’s fine in, say, a managed desktop environment such as many organisations run and let’s be clear – disabling Windows Update isn’t the issue in that situation because there are professionals managing the rollout of patches (with the obvious exception of the organisations that just got hit by WannaCry). But your average person is simply not going to keep on top of these things which is why auto-updaters are built into so many software products these days. Obviously they’re in Windows, same with Mac OS and iOS, same with browsers like Chrome and Firefox and same again with the apps themselves on a device like your iPhone by virtue of the App Store automatically keeping them current.
Leave your automatic updates on
The frustrating part of the debate that ensued after that tweet is not that people weren’t proactive in protecting themselves, rather that they were proactively putting themselves at risk by disabling security features. Windows Update is the default position; you install the operating system (or receive it pre-installed from your hardware vendor of choice)
Sometimes, updates will annoy you
I’ve had Windows Update make me lose unsaved work. I’ve had it sitting there pending while waiting to rush out the door. I’ve had it install drivers that caused all manner of problems. I’ve had it change features so that they work differently and left me confused. I’ve had it consume bandwidth, eat up storage capacity and do any number of unexplainable things to my machines.
Those of us who’ve felt Windows Update-inflicted pain will all agree on this:
Microsoft needs to make Windows Update better.
Last year US-CERT wrote about ransomware and one of their recommendations was as follows:
Keep your operating system and software up-to-date with the latest patches. Vulnerable applications and operating systems are the target of most attacks. Ensuring these are patched with the latest updates greatly reduces the number of exploitable entry points available to an attacker.
And in the wake of WannaCry, Microsoft’s President and Chief Legal Officer wrote about the need for urgent collective action:
This attack demonstrates the degree to which cybersecurity has become a shared responsibility between tech companies and customers. The fact that so many computers remained vulnerable two months after the release of a patch illustrates this aspect. As cybercriminals become more sophisticated, there is simply no way for customers to protect themselves against threats unless they update their systems. Otherwise they’re literally fighting the problems of the present with tools from the past.
Tomi Engdahl says:
DARPA Seeks Protection from Cyber Attacks
http://www.mwrf.com/software/darpa-seeks-protection-cyber-attacks?NL=MWRF-001&Issue=MWRF-001_20170516_MWRF-001_107&sfvc4enews=42&cl=article_1_b&utm_rid=CPG05000002750211&utm_campaign=11105&utm_medium=email&elq2=4737540964c241c1bdcf5e47bdd88d4c
Rockwell Collins has been awarded a DARPA contract to develop software protection against cyber attacks.
As part of a contract that runs through 2018, the Defense Advanced Research Projects Agency (DARPA) has selected Rockwell Collins to protect new land, sea, and air platforms from cyber attacks. Mathematics-based methods developed by Rockwell Collins and its partners in DARPA’s High Assurance Cyber Military Systems (HACMS) program will be employed to eliminate vulnerabilities in these platforms in the war against cyber criminals.
“In today’s highly connected world, land, air, and sea platforms can fall victim to cyber attack,” explained John Borghese, vice president of Rockwell Collins’ Advanced Technology Center, “HACMS provides peace of mind and high assurance that these systems are resistant to a cyberattack.” The HACMS methods involve architectural modeling and analysis, a secure microkernel, and automatic generation of application code. Each uses mathematical reasoning to ensure the absence of vulnerabilities that can be exploited in a cyberattack, improving the safety and security of critical electronic systems in military and commercial platforms.
Tomi Engdahl says:
The Battle Over V2V Wireless Technologies
The DSRC standard was expected to have been named the official wireless technology for V2V communications, but now that decision’s up in the air.
http://www.mwrf.com/systems/battle-over-v2v-wireless-technologies
Tomi Engdahl says:
Five Must-Ask Questions for Successful 5G Design
Design teams involved with 5G technology must bear much in mind in order to obtain a winning formula.
http://www.mwrf.com/systems/five-must-ask-questions-successful-5g-design
1. Do you have the right background and expertise?
2. Do you have the right tools?
3. Are you properly connected to your key customers?
4. Is your timing consistent with theirs?
5. Do you have the support you need from your organization?
Conclusion
Talk to your team and find out what they think would make the difference. They and you will not get everything you ask for, but this process will likely clear a few roadblocks. And the innovation associated with a well-prepared, customer-connected, and motivated team will help you overcome the other challenges.
Tomi Engdahl says:
An Act of Congress to Bolster Cybersecurity
Senator Edward Markey of Massachusetts has proposed the Cyber Shield Act to help support cybersecurity.
https://www.designnews.com/cyber-security/act-congress-bolster-cybersecurity/142343548256798?cid=nl.x.dn14.edt.aud.dn.20170516.tst004t
The time may have come for a Consumer Reports style rating system that can identify the security level of connected devices and services. Industry experts and federal agencies such as NSA, NASA ,and NIST have repeatedly pushed for standardization on the bare essentials of cybersecurity. A new bill heading to Congress may address the problem.
Senator Edward J. Markey of Massachusetts has proposed the Cyber Shield Act that seeks to give the consumers of Internet-connected products clear and accurate information on security. The bill proposes a ratings system for cybersecurity. Markey is working with the Institute for Critical Infrastructure Technology (ICIT) to test these ideas, identify problems, and seek solutions.
Shining the Light on Cyber Threats
The ICIT has produced an analysis of the proposed act in the document, The Cyber Shield Act: Is the Legislative Community Finally Listening to Cybersecurity Experts? The report discusses how the act has the potential to impact cyber resiliency. The analysis includes specific recommendations and considerations including a discussion on meaningful criteria for security ratings and the importance of requiring security-by-design throughout the development lifecycle of devices.
http://icitech.org/wp-content/uploads/2017/04/ICIT-Analysis-The-Cyber-Shield-Act.pdf
Tomi Engdahl says:
Authorities drop plan to block Facebook
http://www.bangkokpost.com/news/general/1250634/authorities-drop-plan-to-block-facebook
The Digital Economy and Society Ministry has agreed to drop the plan to block Facebook access in Thailand after the social media network agreed to block more of the illicit posts requested by the ministry.
Tomi Engdahl says:
Ukraine’s Poroshenko to block Russian social networks
http://www.bbc.com/news/world-europe-39934666
Ukraine’s President Petro Poroshenko has imposed a ban on Russia’s biggest social media networks and internet services popular with millions.
His decision is a significant ramping up of sanctions on Ukraine’s neighbour for its annexation of Crimea and the continuing conflict in eastern Ukraine.
Those targeted include social networks VK.com and Odnoklassniki, search engine Yandex and the Mail.ru email service.
Tomi Engdahl says:
Google DeepMind’s 1.6m UK medical record slurp ‘legally inappropriate’
Privacy watchdog scolds hospital for using unproven AI app to diagnose Brits
https://www.theregister.co.uk/2017/05/16/google_deepmind_using_uk_medical_records/
Google’s use of Brits’ medical records to train an AI and treat people was legally “inappropriate,” says Dame Fiona Caldicott, the National Data Guardian at the UK’s Department of Health.
In April 2016 it was revealed the web giant had signed a deal with the Royal Free Hospital in London to build an artificially intelligent application called Streams, which would analyze patients’ records and identify those who had acute kidney damage.
As part of the agreement, the hospital handed over 1.6 million sets of NHS medical files to DeepMind, Google’s highly secretive machine-learning nerve center. However, not every patient was aware that their data was being given to Google to train the Streams AI model.
“It is my view, and that of my panel, that purpose for the transfer of 1.6 million identifiable patient records to Google DeepMind was for the testing of the Streams application, and not for the provision of direct care to patients,” she wrote in a letter dated February, which was leaked to Sky News on Monday.
Tomi Engdahl says:
Hackers threaten to leak ‘Pirates 5′ unless Disney pays up
Disney CEO Bob Iger doesn’t plan to give in to demands, according to The Hollywood Reporter.
https://www.cnet.com/news/disney-ceo-bob-iger-reportedly-says-hackers-are-threatening-to-leak-an-upcoming-movie/
Disney appears to be the latest target of hackers demanding a ransom.
Walt Disney CEO Bob Iger reportedly told ABC employees Monday that hackers are threatening to leak an upcoming movie unless the company pays up a “large sum” in Bitcoin, according to sources speaking to The Hollywood Reporter. Disney won’t pay the ransom and is waiting to see if the leak indeed occurs, Iger reportedly said.
Iger didn’t disclose what the film in question was, though Deadline reports it’s ” Pirates of the Caribbean: Dead Men Tell No Tales.”
Disney isn’t the only studio similarly threatened by hackers in recent weeks. A hacking group allegedly leaked 10 episodes of the upcoming season of “Orange is the New Black” in April after Netflix failed to fulfill a ransom demand. The same group named several other networks in that threat, including the Disney-owned ABC network.
Tomi Engdahl says:
Breach at DocuSign Led To Targeted Email Malware Campaign
https://it.slashdot.org/story/17/05/16/1357236/breach-at-docusign-led-to-targeted-email-malware-campaign
Digital signature service DocuSign said Monday that an unnamed third-party had got access to email addresses of its users after hacking into its systems.
DocuSign, a major provider of electronic signature technology, acknowledged today that a series of recent malware phishing attacks targeting its customers and users was the result of a data breach at one of its computer systems. The company stresses that the data stolen was limited to customer and user email addresses, but the incident is especially dangerous because it allows attackers to target users who may already be expecting to click on links in emails from DocuSign.
May 17
Breach at DocuSign Led to Targeted Email Malware Campaign
https://krebsonsecurity.com/2017/05/breach-at-docusign-led-to-targeted-email-malware-campaign/
On San Francisco-based DocuSign warned on May 9 that it was tracking a malicious email campaign where the subject line reads, “Completed: docusign.com – Wire Transfer Instructions for recipient-name Document Ready for Signature.” The missives contained a link to a downloadable Microsoft Word document that harbored malware.
Tomi Engdahl says:
Lucinda Shen / Fortune:
Cybersecurity stocks rise on WannaCrypt news, with the five biggest firms cumulatively adding nearly $6B in market cap on Monday
These Cybersecurity Stocks Are Beating the WannaCry Ransomware Hackers
http://fortune.com/2017/05/15/ransomware-wanna-cry-stock-market/
Despite the global scale of the ransomware attack dubbed “WannaCry,” its creators have reportedly collected just $50,000 in bitcoin from the hack as of early Monday.
Meanwhile, the cybersecurity industry’s valuation rose billions over the weekend, as investors bet on an increase in cyber attacks driving business to those who know how to defend against it.
Tomi Engdahl says:
Massive cryptocurrency botnet used leaked NSA exploits weeks before WCry
Campaign that flew under the radar used hacked computers to mine Monero currency.
https://arstechnica.com/security/2017/05/massive-cryptocurrency-botnet-used-leaked-nsa-exploits-weeks-before-wcry/
On Friday, ransomware called WannaCry used leaked hacking tools stolen from the National Security Agency to attack an estimated 200,000 computers in 150 countries. On Monday, researchers said the same weapons-grade attack kit was used in a much-earlier and possibly larger-scale hack that made infected computers part of a botnet that mined cryptocurrency.
Like WannaCry, this earlier, previously unknown attack used an exploit codenamed EternalBlue and a backdoor called DoublePulsar, both of which were NSA-developed hacking tools leaked in mid April by a group calling itself Shadow Brokers. But instead of installing ransomware, the campaign pushed cryptocurrency mining software known as Adylkuzz.
Kafeine, a well-known researcher at security firm Proofpoint, said the attack started no later than May 2 and may have begun as early as April 24. He said the campaign was surprisingly effective at compromising Internet-connected computers that have yet to install updates Microsoft released in early March
The attack is launched from several virtual private servers which are massively scanning the Internet on TCP port 445 for potential targets.
Upon successful exploitation via EternalBlue, machines are infected with DoublePulsar. The DoublePulsar backdoor then downloads and runs Adylkuzz from another host. Once running, Adylkuzz will first stop any potential instances of itself already running and block SMB communication to avoid further infection. It then determines the public IP address of the victim and download[s] the mining instructions, cryptominer, and cleanup tools.
Symptoms of the attack include a loss of access to networked resources and system sluggishness. Kafeine said that some people who thought their systems were infected in the WannaCry outbreak were in fact hit by the Adylkuzz attack. The researcher went on to say this overlooked attack may have limited the spread of WannaCry by shutting down SMB networking to prevent the compromised machines from falling into the hands of competing botnets.
Assembling a botnet the size of the one that managed WannaCry and keeping it under wraps for two to three weeks is a major coup. Monday’s revelation raises the possibility that other botnets have been built on the shoulders of the NSA but have yet to be identified.
Tomi Engdahl says:
Anonymous warns world to ‘prepare’ for World War III
http://www.news.com.au/technology/online/hacking/anonymous-warns-world-to-prepare-for-world-war-iii/news-story/85fcedd4537bdc5d30ce5fd5b6184c41
THE infamous hacker group Anonymous has released a chilling new video — urging people across the globe to “prepare” for World War 3.
THE infamous hacktivist group Anonymous has released a chilling new video — urging people across the globe to “prepare” for World War 3 — as the US and North Korea continue to move “strategic pieces into place” for battle.
“All the signs of a looming war on the Korean peninsula are surfacing,” the group says in the ominous six-minute clip, posted on Youtube over the weekend.
“Watching as each country moves strategic pieces into place,”
“This is a real war with real global consequences,” the group explains. “With three superpowers drawn into the mix,”
“Prepare for what comes next,” they say
Tomi Engdahl says:
2017 Internet Security Threat Report
https://www.symantec.com/security-center/threat-report
The 2017 Internet Security Threat Report (ISTR) details how simple tactics and innovative cyber criminals led to unprecedented outcomes in global threat activity.
Innovation, Sophistication, Organization – Producing Ominous Results
International bank heists, disrupted elections, and state-sponsored attacks define the threat landscape
Cyber criminals revealed new levels of ambition in 2016 – a year marked by extraordinary attacks, including multi-million dollar virtual bank heists and overt attempts to disrupt the U.S. electoral process by state-sponsored groups.
New sophistication and innovation marked seismic shifts in the focus of attacks. Zero-day vulnerabilities and sophisticated malware were used less as nation states devolved from espionage to straight sabotage.
Meanwhile, cyber criminals caused unprecedented levels of disruption with relatively simple IT tools and cloud services.
Tomi Engdahl says:
World Close to ‘Serious Digital Sabotage’: Dutch Spy Chief
http://www.securityweek.com/world-close-serious-digital-sabotage-dutch-spy-chief
The world may be close to a “serious act of digital sabotage” which could trigger unrest, “chaos and disorder,” Dutch spy chief Rob Bertholee warned Tuesday.
Sabotage of critical infrastructure “is the kind of thing that might keep you awake at night,” Bertholee told a timely cyber security conference in The Hague, as global experts grapple with the fallout of a massive cyberattack over the past days.
Digital threats “are not imaginary, they are everywhere around us,” the head of the country’s intelligence services (AIVD) told the conference organised by the Dutch government.
“In my opinion, we might be closer to a serious act of digital sabotage than a lot of people can imagine,” he told hundreds of experts and officials.
The world’s infrastructure was heavily interconnected, which had huge benefits, but also “vulnerabilities”.
“Imagine what would happen if the entire banking system were sabotaged for a day, two days, for a week,” he asked.
“Or if there was a breakdown in our transportation network. Or if air traffic controllers faced cyberattacks while directing flights. The consequences could be catastrophic.”
Added Bertholee: “Sabotage on one of these sectors could have major public repercussions, causing unrest, chaos and disorder.”
The threat of “cyber terrorism” from terror groups such as the so-called Islamic State jihadist and Al-Qaeda was still limited, he said, but “jihadist-inspired terrorism is the number one priority” of the Dutch intelligence services.
“The level of technical expertise available to a jihadist group is still insufficient to inflict significant damage or personal injury through digital sabotage,” Bertholee said.
“They may not yet have the capability but they definitely have the intent,” he warned.
Tomi Engdahl says:
People the New Perimeter as Hackers Target Users to Infiltrate Enterprises
http://www.securityweek.com/people-new-perimeter-hackers-target-users-infiltrate-enterprises
Identity Governance is Key to Improving Security and Compliance
Getting breached is becoming part of doing business. More than half of respondents to a Market Pulse Survey reported that they had suffered two or more breaches during 2016; and 60% expect to be breached in 2017. The average material cost of each breach now stands at more than $4 million.
Identity firm SailPoint commissioned Vanson Bourne to interview 600 senior IT decision-makers at organizations with at least 1,000 employees across Australia, France, Germany, Italy, the United Kingdom and the United States. The key finding is that a lack of visibility into staff actions and access capabilities remains a major problem.
Tomi Engdahl says:
ICS Environments: Insecure by Design
http://www.securityweek.com/ics-environments-insecure-design
ndustrial Control System Design Flaws Have a Profound Impact on Security Posture of Operational Networks
It’s a generally known fact that most Industrial Control System (ICS) environments were not built with cyber security in mind because they were designed before the cyber threat existed. For decades these networks were protected by an air-gap, disconnected from the outside world. With the introduction of commercial off the shelf (COTS) technology in the 1990s (which replaced proprietary, purpose-built industrial hardware and software) and the increasing connectivity to corporate networks and the Internet, these systems have become more exposed to cyber threats and the risk of compromise.
The impact of vulnerabilities and design flaws
Like IT networks, ICS environments are susceptible to software and hardware vulnerabilities. In recent years there has been a significant increase in the number of ICS vulnerabilities reported.
ICS networks have become easy targets because they lack basic security controls such as authentication, and do not support encrypted communication. In IT security terms, this represents a major design flaw that adversely impacts the overall security of the ICS environment. This means that anyone with network access can make changes to controller logic and configuration which can severely affect operations and have a catastrophic impact on plant safety and reliability.
Visibility and control in ICS networks
ICS networks suffer from a lack of visibility which prevents engineering and security staff from identifying a malicious actor compromising critical assets, or a contractor that may be making an unauthorized change to the configuration of a controller. Not knowing with certainty what’s happening in these networks severely impacts the staff’s ability to detect and respond to incidents, whether caused by cyber threats or human error.
As long as security controls aren’t available to prevent unauthorized/malicious changes, the design flaws of ICS will continue to affect their security posture and put them at a high risk of compromise. No amount of vulnerability remediation can prevent access to the controllers on ICS networks or mitigate the risk of compromise resulting from a lack of security controls.
Tomi Engdahl says:
Wear Camouflage While Hunting Threats
http://www.securityweek.com/wear-camouflage-while-hunting-threats
The practice of threat hunting is rapidly becoming a critical function for security operations teams. In fact, the practice has evolved from being used by only the most sophisticated security teams and is now becoming standard practice in most SOCs. Going out to find threats and attackers is a great complement to existing detection based security.
While conventional hunters gear up with rifles, bows, or other weapons, cyber threat hunters flush out their prey with a different set of tools; scanners, sniffers, and detectors that can find threats inside their networks that may have snuck past the first line of defense. Finding these attackers is key, but the game starts to change when the hunter goes outside the perimeter in search of threats in the wild.
Hunting in the wild is important for developing broader threat intelligence.
Investigating nefarious actors online can be dangerous, as the places hunters go are likely to be full of malware and people actively monitoring for outsiders. Hunters also face new kinds of threats once outside their home territory. As a result, hunting in this environment requires some additional tools: camouflage and body armor.
There is also the more subtle danger of being seen and identified while hunting in the wild. When that happens, the hunted may try to turn the tables on the hunters. The first response upon detecting a hunter in their territory is to ban them. It is easy to boot people from chat rooms, block them from websites, or cancel accounts. Once this has been done, the hunter loses access to the threat information they needed, and must start again to regain access to these locations.
More aggressive responses can involve counter-attacks. The attackers may try to ‘hack back’ directly against the hunter, or worse, they may uncover enough about the hunter to punish their organization by launching a DDOS against their website, sending phishing emails to everyone in an organization, or collecting and releasing embarrassing documents. However, if the hunter is properly camouflaged, they will avoid being detected as a hunter at all, and can prevent retaliation against their organization.
Tomi Engdahl says:
Serious vulnerability in Google Chrome on Windows could expose user credentials
https://siliconangle.com/blog/2017/05/16/serious-google-chrome-vulnerability-give-hackers-access-user-credentials/
A serious vulnerability in the Windows version of Google’s Chrome web browser has been discovered that could allow hackers to steal user credentials.
Spotted by Bosko Stankovic, an information security engineer at DefenseCode LLC, the vulnerability in the default configuration of the latest version of Chrome allows malicious websites to trick users into downloading a .scf (Shell Command File format) file without prompting the user as it would typically do with other types of downloads. By bypassing this option, the malicious .scf file lies dormant in the downloads directory until a victim opens the directory, at which point the file automatically runs without the user having to click on it.
Once up and running, the file allows the attacker to gain access to a victim’s username and Microsoft LAN Manager password hash. That leaves the victim open to attacks, including a so-called Server Message Block relay attack that allows the hacker to use the credentials to authenticate to a personal computer or network resource.
Stealing Windows Credentials Using Google Chrome
http://defensecode.com/news_article.php?id=21
Tomi Engdahl says:
Is Your Security Testing Soft and Fuzzy?
http://www.electronicdesign.com/test-measurement/your-security-testing-soft-and-fuzzy
The latest spate of ransomware highlights the need for security testing. One technique for doing this is called fuzz testing.
The latest spate of ransomware highlights the need for security testing. One technique for doing this is called fuzz testing, or fuzzing. It is an automated test methodology that uses large amounts of invalid or random data for the input to the application. The application is tested in the usual fashion for errors such as memory leaks and invalid pointers. This approach works best with applications that have structured inputs, such as packets for a protocol or file formats.
Automatically generating test vectors is not a new approach, and has been used in other test environments—including unit testing. The trick is to generate examples that are semi-valid so as to expose corner cases, parsing errors, and errors in general. It can also be used to test security to see if trust boundaries are breached.
There are toolchains available to generate the test cases.
Delta debugging is an approach that can reduce a test case to a minimal failure-inducing case.
Fuzzing can also be used to detect differential bugs, or bugs detected by comparing results using the same inputs with different application implementations. This might be an incrementally improved application or two different applications that perform the same function, such as an encryption algorithm or a communication protocol stack. Different results using the same input indicate a case that should be investigated.
Google’s OSS-Fuzz program found more than 1,000 bugs in 47 open-source projects.
https://github.com/google/oss-fuzz/tree/master/projects
Tomi Engdahl says:
What’s the Difference Between Ransomware and Malware?
http://www.electronicdesign.com/industrial-automation/what-s-difference-between-ransomware-and-malware
The number of systems being attacked using ransomware is on the rise. But is there a difference between ransomware and malware?
As evidenced by a worldwide attack on hospital and industrial systems that’s currently getting a lot of press, the number of systems being attacked using ransomware is on the rise. The attack in question uses the WannaCrypt ransomware based on WannaCry. And it brings up a good question: Is there a difference between ransomware and malware?
Simply put, ransomware is a subset of malware. Malware attacks usually come in the form of a computer virus or worm. A virus piggybacks on something like a document, spreadsheet or e-mail, whereas a worm is a more active attack. It starts on a networked computer system and attempts to subvert one or more computers on the network. This used to be difficult when networked computers were limited in number and connectivity. These days, of course, the internet effectively links billions of devices.
Present-day malware typically consists of a combination of one or more viruses and worms.
Ransomware differs primarily in its approach after a successful attack. Non-ransomware malware may simply be annoying or slightly malicious, deleting files or changing the system configuration (e.g, a screen background). More malicious malware may reformat a disk or corrupt files on the system. It may also remain hidden and communicate with a control system so it can be part of a distributed denial of service (DDOS) attack. In addition, malware may try to capture information from passwords and keystrokes to documents, and then forward this information to a control system.
Ransomware comes into play when the malware notifies the system’s user that it has been attacked, but after it has done something to the computer such as encrypt the disk or files. The notification normally demands some sort of payment to restore the computer to its prior state.
In theory, the attacker who manages the ransomware will remotely readjust the computer once payment has been made. Of course, just like in a traditional ransom situation, they may not.
Tomi Engdahl says:
MasterCard Serbia asked ladies to share FB photos of, among other things, their credit card
http://svedic.org/programming/mastercard-serbia-asked-ladies-to-share-fb-photos-of-among-other-things-their-credit-card
Credit card companies should know all about phishing, right? McCain should know all about marketing, right? Combine the two in Serbia and you will get a marketing campaign that just went viral, although for the wrong reasons.
Mastercard Serbia organised a prize contest that asks female customers to share contents of their purse on Facebook. Their announcement post clearly shows the credit card details of a fictive customer
Lured by prizes, many customers did just what Mastercard asked them to do. They publicly posted the photos of their private stuff, together with credit card details
This is the first phishing campaign that I know that was organised by credit company itself!
The funny thing that is that nobody in Mastercard, McCain agency or legal team didn’t notice the problem.
That document is signed by Mastercard Europe SA and McCann Ltd Belgrade, so it seems it has passed multiple levels of corporate approval.
In my modest opinion, the lesson of this story is to be careful how you hire.
https://www.facebook.com/MastercardSrbija/photos/a.433512996819585.1073741828.429505897220295/783575618479986/?type=3&theater&_fb_noscript=1
Tomi Engdahl says:
Aporeto raises $11.2 million to help build a more secure cloud
https://venturebeat.com/2017/05/18/aporeto-raises-11-2-million-to-help-build-a-more-secure-cloud/
Aporeto scored an $11.2 million Series A round to help it build security natively into the cloud.
New cloud architectures like microservices deploy apps in modular, self-contained units that work differently from traditional technologies. Aporeto’s security relies on the new models, protecting the individual app rather than securing an entire system.
“The problem of security is becoming a household story,” Stiliadis told VentureBeat in an interview. “I don’t want to sound alarmist, but I think we’re just seeing the tip of the iceberg. The number of cyber security incidents in coming years is going to multiply. And the root cause is, if you think about how businesses develop software, security is often the last thing they want to think about because it’s not a revenue-generating function.”
Aporeto’s goal is to simplify software security to the point that developers don’t consider it a burden. The less complexity involved in security, the more likely it is to be deployed.
Tomi Engdahl says:
Intel’s Matthew Rosenquist argues that it’s time for the cybersecurity community to begin discussing the risks and opportunities of artificial intelligence, which could open a Pandora’s box for malicious attackers.
Cybersecurity in the World of AI
https://software.intel.com/en-us/blogs/2017/05/11/cybersecurity-in-the-world-of-ai
Artificial Intelligence (AI) is coming. It could contribute to a more secure and rational world or it may unravel our trust in technology. AI holds a strong promise of changing our world and extending compute functions to a more dominant role of directly manipulating physical world activities.
Tomi Engdahl says:
Lithuania court delays extradition ruling in phishing case
AP News
http://goo.gl/Crb0wV
A court in Lithuania on Thursday requested more information from the United States before ruling on the extradition of a local businessman suspected of tricking Google and Facebook out of more than $100 million in an elaborate cybercrime case.