Security trends 2017

3,151 Comments

1. June 19, 2017 at 8:57 am

   Tomi Engdahl says:

   Backdoor backlash: European Parliament wants better privacy
   Less trackiung, more consent, and stronger encryption says privacy committee
   https://www.theregister.co.uk/2017/06/19/backdoor_backlash_european_parliament_wants_better_privacy/

   A committee of the European Parliament is pushing back against the anti-encryption sentiment infesting governments around the world, with a report saying citizens need more protection, not less.

   In a draft report that landed last week, the parliament’s Committee on Civil Liberties, Justice and Home Affairs says data protection in the European Union hasn’t kept pace with the threats, and needs modernisation.

   New technologies have led to inconsistent privacy protection under the 2002 Regulation on Privacy and Electronic Communications, the committee’s paper (PDF) explains: for example, new over-the-top (OTT) services offer substitutes for existing services, but aren’t subject to the same regulations.

   http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-%2f%2fEP%2f%2fNONSGML%2bCOMPARL%2bPE-606.011%2b01%2bDOC%2bPDF%2bV0%2f%2fEN

   Reply
2. June 19, 2017 at 7:39 pm

   Tomi Engdahl says:

   Personal details of nearly 200 million US citizens exposed
   http://www.bbc.com/news/technology-40331215

   The personal details and political biases of almost 200 million US citizens have been leaked online
   Sensitive personal details relating to almost 200 million US citizens have been accidentally exposed by a marketing firm contracted by the Republican National Committee.
   The 1.1 terabytes of data includes birthdates, home addresses, telephone numbers and political views of nearly 62% of the entire US population.
   The data was available on a publicly accessible Amazon cloud server.
   Anyone could access the data as long as they had a link to it.

   The huge cache of data was discovered last week by Chris Vickery, a cyber-risk analyst with security firm UpGuard. The information seems to have been collected from a wide range of sources – from posts on controversial banned threads on the social network Reddit, to committees that raised funds for the Republican Party.
   The information was stored in spreadsheets uploaded to a server owned by Deep Root Analytics.

   “The ability to collect such information and store it insecurely further calls into question the responsibilities owed by private corporations and political campaigns to those citizens targeted by increasingly high-powered data analytics operations.”

   Reply
3. June 19, 2017 at 9:24 pm

   Tomi Engdahl says:

   New York Times:
   How Mexican activists, journalists, lawyers have been targeted with NSO Group’s Pegasus spyware, likely by their own gov’t, which spent ~$80M on the tools — MEXICO CITY — Mexico’s most prominent human rights lawyers, journalists and anti-corruption activists have been targeted …

   Using Texts as Lures, Government Spyware Targets Mexican Journalists and Their Families
   https://www.nytimes.com/2017/06/19/world/americas/mexico-spyware-anticrime.html

   MEXICO CITY — Mexico’s most prominent human rights lawyers, journalists and anti-corruption activists have been targeted by advanced spyware sold to the Mexican government on the condition that it be used only to investigate criminals and terrorists.

   Since 2011, at least three Mexican federal agencies have purchased about $80 million worth of spyware created by an Israeli cyberarms manufacturer. The software, known as Pegasus, infiltrates smartphones to monitor every detail of a person’s cellular life — calls, texts, email, contacts and calendars. It can even use the microphone and camera on phones for surveillance, turning a target’s smartphone into a personal bug.

   The company that makes the software, the NSO Group, says it sells the tool exclusively to governments, with an explicit agreement that it be used only to battle terrorists or the drug cartels and criminal groups that have long kidnapped and killed Mexicans.

   But according to dozens of messages examined by The New York Times and independent forensic analysts, the software has been used against some of the government’s most outspoken critics and their families

   But cyberexperts can verify when the software has been used on a target’s phone, leaving them with few doubts that the Mexican government, or some rogue actor within it, was involved.

   Moreover, it is extremely unlikely that cybercriminals somehow got their hands on the software, the NSO Group says, because the technology can be used only by the government agency where it is installed.

   The company is part of a growing number of digital spying businesses that operate in a loosely regulated space. The market has picked up in recent years, particularly as companies like Apple and Facebook start encrypting their customers’ communications, making it harder for government agencies to conduct surveillance.

   Increasingly, governments have found that the only way to monitor mobile phones is by using private businesses like the NSO Group that exploit little-known vulnerabilities in smartphone software. The company has, at times, operated its businesses under different names.

   The company simply bills governments based on the total number of surveillance targets. To spy on 10 iPhone users, for example, the company charges $650,000 on top of a flat $500,000 installation fee, according to NSO marketing proposals reviewed by The New York Times.

   “When you’re selling AK-47s, you can’t control how they’ll be used once they leave the loading docks,” said Kevin Mahaffey, chief technology officer at Lookout, a mobile security company.

   Journalists, human rights defenders and anti-corruption campaigners have long faced enormous risks in Mexico.

   Reply
4. June 19, 2017 at 9:29 pm

   Tomi Engdahl says:

   Stephen Vladeck / Motherboard:
   SCOTUS to hear case on the legality of warrantless access to historical cell-site location information this year

   The Supreme Court Phone Location Case Will Decide the Future of Privacy
   Jun 16 2017, 4:00pm
   https://motherboard.vice.com/en_us/article/scotus-cell-location-privacy-op-ed
   Later this year, the Supreme Court will decide if police can track a person’s cell phone location without a warrant. It’s the most important privacy case in a generation.

   Reply
5. June 20, 2017 at 5:05 am

   Tomi Engdahl says:

   Exposed GOP database demonstrates the risks of data-hungry political campaigns
   https://techcrunch.com/2017/06/19/deep-root-gop-data-leak-upguard/?ncid=rss&utm_source=tcfbpage&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29&utm_content=FaceBook&sr_share=facebook

   As discovered by Chris Vickery, a cyber risk analyst at UpGuard, and reported by Gizmodo, an analytics firm hired by the Republican National Committee left the data of 198 million U.S. voters sitting out in the open on a public server. The more than a terabyte of data, owned by Deep Root Analytics, included personal identifying information like birth dates, home addresses and phone numbers as well as demographic info like ethnicity and religion.

   UpGuard’s blog explains how the firm came across the unprotected data:

   “In the early evening of June 12th, UpGuard Cyber Risk Analyst Chris Vickery discovered an open cloud repository while searching for misconfigured data sources on behalf of the Cyber Risk Team, a research unit of UpGuard devoted to finding, securing, and raising public awareness of such exposures.”

   Reply
6. June 20, 2017 at 5:43 am

   Tomi Engdahl says:

   GOP Data Firm Accidentally Leaks Personal Details of Nearly 200 Million American Voters
   http://gizmodo.com/gop-data-firm-accidentally-leaks-personal-details-of-ne-1796211612

   Political data gathered on more than 198 million US citizens was exposed this month after a marketing firm contracted by the Republican National Committee stored internal documents on a publicly accessible Amazon server.

   The data leak contains a wealth of personal information on roughly 61 percent of the US population. Along with home addresses, birthdates, and phone numbers, the records include advanced sentiment analyses used by political groups to predict where individual voters fall on hot-button issues such as gun ownership, stem cell research, and the right to abortion, as well as suspected religious affiliation and ethnicity.

   Although files possessed by Deep Root would be typical in any campaign, Republican or Democratic, experts say its exposure in a single open database raises significant privacy concerns. “This is valuable for people who have nefarious purposes,” Joseph Lorenzo Hall, the chief technologist at the Center for Democracy and Technology, said of the data.

   The RNC paid Deep Root $983,000 last year, according to Federal Election Commission reports, but its server contained records from a variety of other conservative sources paid millions more

   Spreadsheets acquired from TargetPoint, which partnered with Deep Root and GOP Data Trust during the 2016 election, include the home addresses, birthdates, and party affiliations of nearly 200 million registered voters in the 2008 and 2012 presidential elections, as well as some 2016 voters. TargetPoint’s data seeks to resolve questions about where individual voters stand on dozens of political issues. For example: Is the voter eco-friendly? Do they favor lowering taxes? Do they believe the Democrats should stand up to Trump? Do they agree with Trump’s “America First” economic stance? Pharmaceutical companies do great damage: Agree or Disagree?

   In a statement, Deep Root founder Alex Lundry told Gizmodo, “We take full responsibility for this situation.” He said the data included proprietary information as well as publicly available voter data provided by state government officials. “Since this event has come to our attention, we have updated the access settings and put protocols in place to prevent further access,” Lundry said.

   Deep Root’s data was exposed after the company updated its security settings on June 1, Lundry said.

   Reply
7. June 20, 2017 at 8:42 am

   Tomi Engdahl says:

   Workforce development, partnerships cited as key to securing wireless cybersecurity
   http://www.cablinginstall.com/articles/pt/2017/06/workforce-development-partnerships-cited-as-key-to-securing-wireless-cybersecurity.html?cmpid=enl_cim_cimdatacenternewsletter_2017-06-19

   As reported by Virginia’s Augusta Free Press, “Charles Clancy, professor of electrical and computer engineering and director of the Hume Center at Virginia Tech, testified Tuesday that, in order to address the growing security threats securely and reliably to wireless devices, we must focus on workforce development initiatives and public-private partnerships to foster innovation, information threat sharing, and risk mitigation. An internationally recognized expert in wireless technology, Clancy was one of four witnesses at a hearing on “Promoting Security in Wireless Technologies.” Rep. Marsha Blackburn of Tennessee, chair of the U.S. House Energy and Commerce committee’s subcommittee on Communications and Technology, called the hearing to examine a variety of cybersecurity issues and challenges that face the mobile industry, as well as potential solutions.”

   Reply
8. June 20, 2017 at 8:43 am

   Tomi Engdahl says:

   Workforce development and partnerships key to securing wireless technology
   http://augustafreepress.com/workforce-development-partnerships-key-securing-wireless-technology/

   One of the biggest challenges, Clancy told the subcommittee, stems from complex, interlinked ecosystems of device manufacturers, software and app developers, cloud infrastructure providers, and platforms for media and services.

   No one entity controls enough of the ecosystem to guarantee unilaterally the needed security, he said.

   “Another side effect is that regulatory authority is distributed across the Department of Homeland Security, Federal Communications Commission, Federal Trade Commission, and various other sector-specific regulators. Without a single ’belly button,’ top-down approaches to achieving objective levels of security are infeasible,” according to Clancy.

   “Consequently it is imperative that we develop mechanisms to foster continued collaboration,” he said.

   Clancy explained that there are wireless systems, like cell phones, which operate over a licensed spectrum and services like WiFi, which operate over an unlicensed spectrum.

   “Cellular systems have the advantage of being centrally managed which helps ensure that security safeguards are implemented,” Clancy said, but cautions that security may be undermined when there is a need to continue supporting backward-compatible legacy technologies.

   “Our new 4G-LTE systems are secure, but the 2G networks are vulnerable to a wide range of attacks that can compromise subscribers’ security and privacy,” he said. “Meanwhile as we look forward from 4G to 5G, a range of new technologies are under development that offer the opportunity to close current cybersecurity gaps while potentially opening up new ones in ways we cannot yet anticipate.”

   Examples include software-defined networking, cloud-based radio access networks, and edge computing, all of which fuel applications for the Internet of Things — which connects everything from home appliances to industrial infrastructure to the cloud.

   In the case of unlicensed technologies, Clancy pointed out that these have their own challenges.

   Reply
9. June 20, 2017 at 12:30 pm

   Tomi Engdahl says:

   New Phishing Tactic Targeting Facebook Users Relies on Padding URLs with Hyphens
   https://www.bleepingcomputer.com/news/security/new-phishing-tactic-targeting-facebook-users-relies-on-padding-urls-with-hyphens/

   Security researchers from PhishLabs have come across a new phishing trend that’s targeting mobile device owners exclusively, with “the highest proportion of attacks” aimed at Facebook users.

   This new tactic relies on the fact that mobile browsers have very narrow URL address bars, which prevents users from viewing the entire contents of a link. Phishers are taking advantage of this UI inconvenience to pad URLs with subdomains and hyphens, making some links look authentic on mobile devices.

   Reply
10. June 20, 2017 at 4:45 pm

    Tomi Engdahl says:

    Serious privilege escalation bug in Unix OSes imperils servers everywhere
    “Stack Clash” poses threat to Linux, FreeBSD, OpenBSD, and other OSes.
    https://arstechnica.com/security/2017/06/12-year-old-security-hole-in-unix-based-oses-isnt-plugged-after-all/

    A raft of Unix-based operating systems—including Linux, OpenBSD, and FreeBSD—contain flaws that let attackers elevate low-level access on a vulnerable computer to unfettered root. Security experts are advising administrators to install patches or take other protective actions as soon as possible.

    Stack Clash, as the vulnerability is being called, is most likely to be chained to other vulnerabilities to make them more effectively execute malicious code, researchers from Qualys, the security firm that discovered the bugs, said in a blog post published Monday.

    Developers of affected OSes are in the process of releasing patches now. An advisory published Monday morning by Linux distributor Red Hat said the mitigations may cause performance issues in the form of “overlapping values in /proc/meminfo,” but they’re not likely to affect normal operations. Developers may release a fix for these problems later.

    Stack Guard Page Circumvention Affecting Multiple Packages
    https://access.redhat.com/security/vulnerabilities/stackguard

    Reply
11. June 20, 2017 at 4:48 pm

    Tomi Engdahl says:

    The data center is selected based on security

    In April, data center company Equinix commissioned a survey asking about the decision-making of Finnish companies over 100 people. According to the results, the information resource is the most important criterion when choosing a web site. Its name is 63 per cent of the nearly 100 respondents.

    Finnish companies and government organizations rely heavily on outsourced data center services and clouds in their IT operations. Only under a fifth uses only their own data base as a platform for their data and applications.

    Based on the answers, the services are most commonly used in a decentralized way between data center services, the cloud and their own computers. Every fourth company uses all three, and as many have their own machine room filled with clouds.

    The most important reason for the purchase of data center services is the cost savings from the efficiency improvement, compared to their own machine room (27% of the respondents). Second, the main reason is the need to run business-critical applications (24%). Third, the majority is supposed to supplement its own network of accounts (18%), which also involves the trend of server outsourcing.

    When selecting a data center service provider, the most important selection criteria are data security (63%) and service price (59%).

    Source: http://www.etn.fi/index.php/13-news/6505-konesali-valitaan-turvallisuuden-perusteella

    Reply
12. June 20, 2017 at 4:51 pm

    Tomi Engdahl says:

    Mikko Hyppönen is not afraid of the Internet of Things

    F-Secure’s research director Mikko Hyppönen was one of the key speakers at the Reboot event today at Nokia’s premises in Espoo. Hyppönen reminded that the Internet of Things (IoT) is already another revolution that we are experiencing in our lifetime. Nor should you be afraid.

    The first revolution is of course the Internet.

    According to Hyppönen, the online evocation contained many risks, the mapping of which was actually his main job for a short time of 25 years. – It is clear that the Internet has brought more benefits than disadvantages. The business has moved to the net, as well as entertainment. In Finland, before the Internet, there was no need for worry about cybercriminals in Brazil. The Internet, however, removed borders and geography. Now cybercriminals are looking for victims everywhere.

    Now the next revolution is in the face. With the Internet of Things (IoT), everyone else moves to the net. – The same risks emerge in this revolution as well, but you are optimistic. After ten years we can say that the benefits of IoT were far greater than the disadvantages, Hyppönen said.

    Hyppönen believes that many of us live through three major revolutions. After the net and the IoT, there is a revolution in the AI, that is, the making of artificial intelligence everywhere.

    Source: http://www.etn.fi/index.php/13-news/6504-mikko-hypponen-ei-pelkaa-esineiden-internetia

    Reply
13. June 20, 2017 at 4:53 pm

    Tomi Engdahl says:

    F-Secure Hyppönen speaks of “the hellish scary revolution”: If we do it wrong, follow Terminator 2

    “The first revolution was on the internet, and now is the iot revolution, and if we are lucky enough to see the Third Revolution: an AI, if the first two are scary, the Third Revolution is hellish scary, the most fearsome is that we only have one chance to do it. That’s right, good! If we do it wrong, follow Terminator 2, “Hyppönen told reporters.

    Hyppönen, meanwhile, said he was optimistic about the development of technology, despite the fact that he constantly runs into the darker side of the Internet.

    “Despite the disadvantages of the Internet, I can see the beauty on the Internet, which is the best thing that has been happening for me.” I love the Internet, “Hyppönen said.

    “Many people say that they will never buy iot devices, and that they will not be able to do so, and soon they will be selling iot devices,” she says. “The toasters are also online, but the consumer may not even know it.”

    “If all devices are computers, they have to be maintained and systems need to be repaired, how long will we get upgrades to cars, what about equipment if companies do not pay their AWS bills, and the background system crashes?”

    Source: http://www.tivi.fi/Kaikki_uutiset/f-securen-hypponen-puhuu-helvetin-pelottavasta-vallankumouksesta-jos-teemme-sen-vaarin-seuraa-terminator-2-6658835

    Reply
14. June 20, 2017 at 4:56 pm

    Tomi Engdahl says:

    “Security must not be part of the problem but part of the solution”

    Siem project and the EU Data Protection Regulation now employ Olavi Mannista. The importance of communications has been emphasized in the work of the head of security at the University of Eastern Finland over the years.

    What did you do during your work day yesterday?

    “The first hour went through the security bulletins, reports and emails, which is quite normal. This was followed by a network meeting of the University Security Network Managers Network. Right after that, I liked security training at some facility. After lunch, we had an initial planning meeting on operational implementation of operational security, after which our organization’s security team met. The last hour worked when meeting memories and reading e-mails.”

    What is your most important security project at the moment?

    “There are actually two of them. We have just started a Siem system project aimed at getting a better view of the overall security situation. Another major project is to familiarize and respond to the requirements of the EU’s new IT security regulation.”

    How to ensure the success of a security project?

    “Normally, the rules of project work will also apply to security projects. With regard to security, I would emphasize the importance of project outputs. For example, if information security solutions or guidelines are not adequately informed to users, the benefits of the project will largely fail to be realized. ”

    “Electrification of business, mobile devices, cloud services, and the Internet of Things are part of the vast array of digitalisation. From the point of view of security, it is essential that many services are available more widely, regardless of time and place, as well as the user’s own devices. It increases the user’s freedom and responsibility even further. One needs to think about what services can be opened up and how to ensure security in such an environment.”

    What is the worst nightmare of the security chief?

    “Thinking about different scenarios of time and risk management is an important part of my job. A widespread breakdown of information would be one of the worst real risks. Corrupting data on a centralized disk system or losing important data would be particularly damaging.”

    What is your motto?

    “Security must not be part of the problem, but part of the solution. Previously in the name of security, it was possible to deny things to the user. However, such a pattern is no longer feasible.”

    Source: http://www.tivi.fi/Kaikki_uutiset/tietoturvan-ei-tule-olla-osa-ongelmaa-vaan-osa-ratkaisua-6658742

    Reply
15. June 20, 2017 at 9:07 pm

    Tomi Engdahl says:

    Security
    Stack Clash flaws blow local root holes in loads of top Linux programs
    https://www.theregister.co.uk/2017/06/20/stack_clash_linux_local_root_holes/

    We knew about this in 2005. And 2010. And people are still building without -fstack-check

    Essentially, it’s possible to pull off a “Stack Clash” attack in various tools and applications to hijack the whole system, a situation that should have been prevented long ago.

    How To Patch and Protect Linux Kernel Stack Clash Vulnerability CVE-2017-1000364
    http://www.epanorama.net/newepa/2017/06/20/how-to-patch-and-protect-linux-kernel-stack-clash-vulnerability-cve-2017-1000364/comment-page-1/#comment-1551920

    Reply
16. June 20, 2017 at 9:11 pm

    Tomi Engdahl says:

    Alfred Ng / CNET:
    South Korean web host Nayana agrees to $1M extortion fee after 153 servers hit by ransomware, after negotiating the sum down from ~$1.6M — WannaCry only demanded $300 from each victim. These hackers extorted $1 million from one South Korean company. — Hackers appear to have pulled off …

    South Korean web host pays largest ransomware demand ever
    https://www.cnet.com/news/largest-ransomware-ever-demand-south-korea-web-host/

    WannaCry only demanded $300 from each victim. These hackers extorted $1 million from one South Korean company.

    Hackers appear to have pulled off a $1 million heist with ransomware in South Korea.

    The ransomware attacked more than 153 Linux servers that South Korean web provider Nayana hosted, locking up more than 3,400 websites on June 10. In Nayana’s first announcement a few days later, it said the hackers demanded 550 bitcoins to free up all the servers — about $1.62 million.

    Four days later, Nayana said it’d negotiated with the attackers and got the payment reduced to 397 bitcoins, or about $1 million. This is the single largest-known payout for a ransomware attack, and it was an attack on one company. For comparison, the WannaCry ransomware attacked 200,000 computers across 150 countries, and has only pooled $127,142 in bitcoins since it surfaced.

    Ransomware demands have risen rapidly over the past year, tripling in price from 2015 to 2016. But even then, the highest cost of a single ransomware attack was $28,730.

    Nayana agreed to pay the ransomware in three installments, and said Saturday it’s already paid two-thirds of the $1 million demand.

    “It is very frustrating and difficult, but I am really doing my best and I will do my best to make sure all servers are normalized,” a Nayana administrator said, according to a Google translation of the blog post.

    The company is expected to make the final payment once all the servers from the first and second payouts have been restored.

    Trend Micro, a cybersecurity research firm, identified the ransomware as Erebus, which targets Linux servers for attacks.

    Reply
17. June 20, 2017 at 9:16 pm

    Tomi Engdahl says:

    Andy Greenberg / Wired:
    Experts warn that repeated cyberattacks on Ukraine, including mass power outages in Kiev, are evidence of Russia testing its offensive cyber capabilities

    How An Entire Nation Became Russia’s Test Lab for Cyberwar
    https://www.wired.com/story/russian-hackers-attack-ukraine

    Noting the precise time and the date, almost exactly a year since the December 2015 grid attack, Yasinsky felt sure that this was no normal blackout. He thought of the cold outside—close to zero degrees Fahrenheit—the slowly sinking temperatures in thousands of homes, and the countdown until dead water pumps led to frozen pipes.

    That’s when another paranoid thought began to work its way through his mind: For the past 14 months, Yasinsky had found himself at the center of an enveloping crisis. A growing roster of Ukrainian companies and government agencies had come to him to analyze a plague of cyberattacks that were hitting them in rapid, remorseless succession. A single group of hackers seemed to be behind all of it. Now he couldn’t suppress the sense that those same phantoms, whose fingerprints he had traced for more than a year, had reached back, out through the internet’s ether, into his home.

    The Cyber-Cassandras said this would happen. For decades they warned that hackers would soon make the leap beyond purely digital mayhem and start to cause real, physical damage to the world. In 2009, when the NSA’s Stuxnet malware silently accelerated a few hundred Iranian nuclear centrifuges until they destroyed themselves, it seemed to offer a preview of this new era. “This has a whiff of August 1945,” Michael Hayden, former director of the NSA and the CIA, said in a speech. “Somebody just used a new weapon, and this weapon will not be put back in the box.”

    Now, in Ukraine, the quintessential cyberwar scenario has come to life. Twice. On separate occasions, invisible saboteurs have turned off the electricity to hundreds of thousands of people. Each blackout lasted a matter of hours, only as long as it took for scrambling engineers to manually switch the power on again. But as proofs of concept, the attacks set a new precedent: In Russia’s shadow, the decades-old nightmare of hackers stopping the gears of modern society has become a reality.

    And the blackouts weren’t just isolated attacks. They were part of a digital blitzkrieg that has pummeled Ukraine for the past three years—a sustained cyber­assault unlike any the world has ever seen.

    Reply
18. June 20, 2017 at 9:19 pm

    Tomi Engdahl says:

    Gizmodo:
    Analysis of NaviStone code on Acurian medical sites shows use of keystroke logging-like tech that captures data as soon as users type into forms for targeting

    How a Company You’ve Never Heard of Sends You Letters about Your Medical Condition
    http://gizmodo.com/how-a-company-you-ve-never-heard-of-sends-you-letters-a-1795643539

    In the summer of 2015, Alexandra Franco got a letter in the mail from a company she had never heard of called AcurianHealth. The letter, addressed to Franco personally, invited her to participate in a study of people with psoriasis, a condition that causes dry, itchy patches on the skin.

    Franco did not have psoriasis. But the year before, she remembered, she had searched for information about it online, when a friend was dealing with the condition. And a few months prior to getting the letter, she had also turned to the internet with a question about a skin fungus. It was the sort of browsing anyone might do, on the assumption it was private and anonymous.

    Now there was a letter, with her name and home address on it, targeting her as a potential skin-disease patient. Acurian is in the business of recruiting people to take part in clinical trials for drug companies. How had it identified her?

    When she Googled the company, she found lots of people who shared her bewilderment, complaining that they had been contacted by Acurian about their various medical conditions.

    Acurian has attributed its uncanny insights to powerful guesswork, based on sophisticated analysis of public information and “lifestyle data” purchased from data brokers. What may appear intrusive, by the company’s account, is merely testimony to the power of patterns revealed by big data.

    “We are now at a point where, based on your credit-card history, and whether you drive an American automobile and several other lifestyle factors, we can get a very, very close bead on whether or not you have the disease state we’re looking at,” Acurian’s senior vice president of operations told the Wall Street Journal in 2013.

    Yet there’s some medical information that Acurian doesn’t have to guess about: The company pays Walgreens, which uses a privacy exemption for research, to send recruitment letters to its pharmacy customers on Acurian’s behalf, based on the medications they’re using. Under this arrangement, Acurian notes that it doesn’t access the medical information directly; the customers’ identities remain private until they respond to the invitations.

    Reply
19. June 20, 2017 at 10:11 pm

    Tomi Engdahl says:

    Wall Street Journal:
    Cisco announces service it claims can detect malware in encrypted traffic, amid fierce competition in its switching biz, 6 straight quarters of falling revenue

    Cisco Bets on Security to Drive Switch Sales
    Networking giant reveals security service it says can identify and stamp out malicious software cloaked by encryption
    https://www.wsj.com/articles/cisco-bets-on-security-to-drive-switch-sales-1497981600?mod=e2twd

    Reply
20. June 20, 2017 at 10:13 pm

    Tomi Engdahl says:

    William Turton / The Outline:
    Leaked recording reveals how Apple’s Global Security team uses investigators, rigorous screening, and embeds security members in product teams to prevent leaks — SECRECY AT APPLE — Former NSA agents, secrecy members on product teams, and a screening apparatus bigger than the TSA.

    Leaked recording: Inside Apple’s global war on leakers
    https://theoutline.com/post/1766/leaked-recording-inside-apple-s-global-war-on-leakers

    Former NSA agents, secrecy members on product teams, and a screening apparatus bigger than the TSA.

    A recording of an internal briefing at Apple earlier this month obtained by The Outline sheds new light on how far the most valuable company in the world will go to prevent leaks about new products.

    The briefing, titled “Stopping Leakers – Keeping Confidential at Apple,” was led by Director of Global Security David Rice, Director of Worldwide Investigations Lee Freedman, and Jenny Hubbert, who works on the Global Security communications and training team.

    According to the hour-long presentation, Apple’s Global Security team employs an undisclosed number of investigators around the world to prevent information from reaching competitors, counterfeiters, and the press, as well as hunt down the source when leaks do occur. Some of these investigators have previously worked at U.S. intelligence agencies like the National Security Agency (NSA), law enforcement agencies like the FBI and the U.S. Secret Service, and in the U.S. military.

    The briefing, which offers a revealing window into the company’s obsession with secrecy

    Reply
21. June 21, 2017 at 9:11 am

    Tomi Engdahl says:

    Microsoft Office Zero-Day: Detecting the HTA Handler Vulnerability
    https://www.linkedin.com/pulse/microsoft-office-zero-day-detecting-hta-handler-kevin-douglas?trk=v-feed&lipi=urn%3Ali%3Apage%3Ad_flagship3_feed%3B0kkpzGNoDi2pIAPgHRwnOg%3D%3D

    RTF (Rich Text Format) files have been around since 1987 and are often times overlooked and underestimated as being a viable attack vector. Although the RTF version has not been updated since 1.9.1 was released in March 2008, most document processing applications (e.g., Microsoft Office) still support the format.

    This ongoing support of an aging file format has led to a recent surge of attacks exploiting a weakness in Microsoft Office (CVE-2017-0199). Attackers have discovered the ability to execute malicious code on a victim machine, without any prompting or warning to the user. On April 7, 2017, Haifei Li from McAfee Labs first reported about the attack in a blog posting.

    On April 11 2017, Microsoft released the patch for Microsoft Office for this zero-day vulnerability. The patch prevents attackers from targeting the HTA handling logic of OLE autolinks within RTF files. On an unpatched system, as a victim opens an infected RTF, an embedded OLE autolink causes Microsoft Word to download a malicious HTA file and execute it prior to prompting the user. Prior to the user seeing any prompt, the infection has already occurred. The malware ensures this by terminating Microsoft Word prior to the prompt being displayed at all. Instead, a new instance of Word is started with a decoy document displayed. The victim is clueless they have been compromised.

    Microsoft’s Rich Text Format (RTF) specification appears to leave very little room for exploitation. This misconception is largely due to RTF’s lack of support for an embedded scripting language. Without scripting language support, RTFs have been wrongly mistaken as being less likely candidates for malware infection.

    Reply
22. June 21, 2017 at 9:46 am

    Tomi Engdahl says:

    WHAT SHOULD (AND SHOULDN’T) WORRY YOU IN THAT VOTER DATA BREACH
    https://www.wired.com/story/voter-data-breach-impact/

    THE RECENT NEWS that a conservative data analytics firm left 198 million voter records unsecured online for nearly two weeks should give every American pause, particularly at a time when intelligence officials say the Russian government actively seeks to undermine American elections.
    This particular breach, discovered by researcher Chris Vickery, exposed 1.1 terabytes of personal information compiled by Deep Root Analytics, a company that analyzes not just basic data like names and addresses, but also scores how particular voters feel about a range of political issues, from gun control to offshoring in the auto industry. Vickery’s discovery illustrates how poorly organizations safeguard sensitive information. But it also shows just how much information those groups have access to–and raises serious questions about what a nefarious actor could do with it. Perhaps the scariest part though is how much of this information already exists in the public domain.

    Since November, suspicion has mounted about whether the Trump campaign somehow colluded with Russian actors to influence American voters. More recently, members of the House and Senate have wondered aloud and in secret whether the Trump data operation, run by the firm Cambridge Analytica, somehow fed information on which voters were most persuadable to the Russians.

    These questions have not amounted to anything beyond speculation. And yet, Vickery’s discovery serves as a sober reminder that deeply personal information on the American electorate is already all too easy to find. In this particular case, Deep Root Analytics says a change in its security settings made the database publicly accessible for 12 days, beginning June 1.

    It sounds scary, and it’s certainly not ideal. But surprisingly enough, much of that data already lives in the public domain, making it relatively simple for anyone with bad intentions to weaponize it, exposed database or not.

    “For an outside actor, with a big list of names and addresses and political scores? You could act like a super PAC and target their voters with messaging and misinformation,”

    In some states, like Ohio, you can, right at this very moment, download the names and addresses of every voter at the state, county, and congressional-district level.

    That’s not to say you shouldn’t find Deep Root’s breach deeply troubling. Several Republican data operatives who agreed to speak on the condition of anonymity described the breach as alternatively “baffling,” “bullshit,” and “everybody’s worst nightmare.” Yes, the treasure trove of information Vickery unearthed included the most basic details, compiled by the Republican vendor Data Trust. But it also revealed what data experts consider their special sauce: the scores they assign each voter based on that person’s feelings about a given political issue. In this case, those scores were generated by another vendor working with the Republican National Committee called TargetPoint.

    THE SCARILY COMMON SCREW-UP THAT EXPOSED 198 MILLION VOTER RECORDS
    https://www.wired.com/story/voter-records-exposed-database/

    A NUMBER OF voter-data exposures have cropped up this year, in locations as disparate as Mexico, the Philippines, and the state of Georgia. But the one that dwarfs them all came to light on Monday: a publicly accessible database containing personal information for 198 million US voters—possibly every American voter going back more than 10 years.
    A conservative data firm called Deep Root Analytics owns the database, and stores it on an Amazon S3 server. As Chris Vickery, cyber-risk analyst with security firm UpGuard, discovered earlier this month, all of that data was open to anyone who found it not because of clever hacking or complicated internet forces, but because of a simple misconfiguration. Think of it as leaving your valuables in a high-end safe with the door propped open.

    It happens all the time, despite repeated, and repeatedly damaging, exposures of personal information. Even though it’s not a hack, server misconfiguration constitutes one of the biggest cybersecurity risks for institutions and individuals alike.

    Reply
23. June 21, 2017 at 7:55 pm

    Tomi Engdahl says:

    Saheli Roy Choudhury / CNBC:
    SoftBank invests $100M in Boston-based cybersecurity firm Cybereason, which uses behavioral analytics to detect threats — Cybereason, a Boston-based cybersecurity firm specializing in end-point detection and response to digital security breaches, on Wednesday announced it secured …
    SoftBank Corp invests $100 million into cybersecurity start-up Cybereason
    http://www.cnbc.com/2017/06/21/softbank-corp-invests-100-million-into-cybersecurity-start-up-cybereason.html

    SoftBank Corp invests $100 million into Cybereason
    The Boston-based cybersecurity firm uses behavioral analytics to detect threats
    The start-up has raised $189 million in funding
    It counts SoftBank, Lockheed Martin and Spark Capital among its backers

    Cyberattacks on companies have increased in frequency, forcing businesses to think, and invest, in more advanced means of protection against intruders. Last month, a ransomware attack hit 200,000 computers around the world.

    Div said ransomware is one of the biggest threats facing companies today. “The problem the industry faces is that the technology is often not keeping up.”

    Cybereason’s technology does behavioral analytics on every single digital action and interaction happening within a company’s network. It processes information in real-time to provide visibility into the security landscape within the network and pulls together related elements of a cyberattack. This way IT specialists in companies can detect and proactively respond against threats.

    “(Our) focus on behavioral data means that we look beyond just the ones and zeros of what the data is — we constantly correlate data to understand what the attacker is doing, and their motives,” said Div. “We know how to spot potential attacker activities and we can accurately distinguish between good and bad behavior.”

    Reply
24. June 22, 2017 at 6:55 am

    Tomi Engdahl says:

    How Hollywood Got Hacked: Studio at Center of Netflix Leak Breaks Silence (EXCLUSIVE)
    http://variety.com/2017/digital/features/netflix-orange-is-the-new-black-leak-dark-overlord-larson-studios-1202471400/

    Larson Studios president Rick Larson and his wife and business partner, Jill Larson, didn’t recognize the number that sent them these two short text messages via their personal cell phones two days before Christmas last year, so they simply ignored them. “We didn’t really think much of them,” said Jill Larson.

    Little did they know that the messages were part of Hollywood’s biggest security breach since the Sony Pictures hack of 2014. But in an exclusive interview with Variety, the Larson Studios principals are breaking their silence on an incident that threatened the existence of their family-owned audio post-production business. An incident that led them to quietly wire more than $50,000 in extortion money to a group of hackers, only to see some of the most valuable works of their clients, including 10 unreleased episodes of Netflix drama series “Orange Is the New Black,” leak online.

    Larson Studios chief engineer David Dondorf and director of digital systems Chris Unthank left their families on Christmas morning and rushed to the studio to examine the hackers’ claims. “Once I was able to look at our server, my hands started shaking, and I almost threw up,” Unthank remembered. The hackers had stolen and deleted all of the data, just as they had threatened in their letter. They demanded ransom payments via the crypto-currency Bitcoin to return what they had stolen. Unthank and Dondorf unplugged everything, and Dondorf immediately called the FBI.

    But the authorities weren’t much help on Christmas morning. “They were, I think, sympathetic, a bit overwhelmed,”

    Larson Studios hired private data security experts to find out what had happened — and what to do next.

    They eventually pieced together how the attack had unfolded. The Dark Overlord had been scanning the internet for PCs running older versions of Windows that it could easily break into, and happened to stumble across an old computer at Larson Studios that was still running Windows 7. “They were basically just trolling around to see if they could find a computer that they could open,” Dondorf explained. “It wasn’t aimed at us.”

    Next, the company significantly beefed up its security, and also closely examined what had been stolen. “We took a large part of January trying to figure out what exactly they had,” Jill Larson said. This involved extensive communication with the hackers entirely via email. “Before we were willing to pay any kind of extortion, we wanted some proof.”

    The Larsons didn’t immediately decide to pay the ransom. “It was an evolutionary process,” Jill Larson said. “The Dark Overlord had given us a very short window to respond. They were threatening us with actually releasing ‘Orange Is the New Black’ before New Year’s. So the feeling was that we needed to at least initially agree to cooperate and buy time.”

    Meanwhile, the security company hired by Larson was looking into the Dark Overlord’s past attacks. The hacking group had targeted a number of healthcare facilities and other businesses in the previous months. “

    When the hackers finally delivered proof, at the end of January, of what they’d stolen, including dozens of titles from major studios such as Netflix, ABC, CBS and Disney, Larson did two things: It filed an official police report, and it decided to pay. “We had a trust from our clients to protect their intellectual property, and the best way to do that with these people was to pay them,” or so the thinking was at the time, Rick Larson recalled.

    The hackers had demanded a payment of 50 Bitcoin, which equaled a little more than $50,000 at the time. “Buying and sending Bitcoin is not the easiest thing in the world, we found out,” explained Jill Larson. First, she had to wire the money to Coinbase, a kind of internet bank for Bitcoin transactions. That led alarm bells to go off at Larson’s regular bank, which urged the company to talk to the FBI one more time.

    Palmieri advised them against paying, and told them that the FBI’s recommendation is to not communicate with extortionists. “But they also understand that individual businesses make what is their best decision for their business,”

    Coinbase didn’t let Jill Larson pay the entire ransom all at once, so she spent about a week in February buying Bitcoins and sending them to the Dark Overlord, 19 transactions in all.

    “That obviously is not what played out,” Rick Larson said.

    A few quiet weeks ensued. Then, on March 31 came a phone call from the FBI with information that the hackers were using the shows stolen in December to blackmail various Hollywood studios. A few days later, the phones at Larson started to ring, with the security departments of various studios on the other end of the line.

    And with that, some hard conversations began. Larson Studios previously hadn’t told any of its clients of the breach. “We were very much under a heavy threat from the Dark Overlord,”

    Now, the studios wanted to know the whole story, and the Larsons told them everything that had happened. Upon hearing the news, some studios decided to take their business elsewhere. But the majority stuck with the company, and instead helped to further beef up its security. “We work closely with the studios,” said Rick Larson. “Some have just been very supportive.”

    News of the hack broke in April, when the Dark Overlord publicly tried to pressure Netflix. The hackers first leaked one unreleased episode of “Orange Is the New Black,” and when Netflix didn’t pay, followed up with nine more episodes a month and a half before the show was scheduled to premiere on the service. Netflix declined comment for this story.

    Reply
25. June 22, 2017 at 6:59 am

    Tomi Engdahl says:

    Microsoft Admits Disabling Anti-Virus Software For Windows 10 Users
    https://it.slashdot.org/story/17/06/21/2217213/microsoft-admits-disabling-anti-virus-software-for-windows-10-users

    Microsoft has admitted that it does temporarily disable anti-virus software on Windows PCs, following an competition complaint to the European Commission by a security company. In early June, Kaspersky Lab filed the complaint against Microsoft. The security company claims the software giant is abusing its market dominance by steering users to its own anti-virus software.

    Microsoft admits disabling anti-virus software for Windows 10 users
    http://www.bbc.com/news/technology-40356889

    Microsoft has admitted that it does temporarily disable anti-virus software on Windows PCs, following an competition complaint to the European Commission by a security company.

    In early June, Kaspersky Lab filed the complaint against Microsoft.

    The security company claims the software giant is abusing its market dominance by steering users to its own anti-virus software.

    Microsoft says it implemented defences to keep Windows 10 users secure.

    In an extensive blog post that does not directly address Kaspersky or its claims, Microsoft says it bundles the Windows Defender Antivirus with Windows 10 to ensure that every single device is protected from viruses and malware.

    Temporarily disabled

    To combat the 300,000 new malware samples being created and spread every day, Microsoft says that it works together with external anti-virus partners.

    The technology giant estimates that about 95% of Windows 10 PCs were using anti-virus software that was already compatible with the latest Windows 10 Creators Update.

    For the applications that were not compatible, Microsoft built a feature that lets users update their PCs and then reinstall a new version of the anti-virus software.

    “To do this, we first temporarily disabled some parts of the AV software when the update began. We did this work in partnership with the AV partner to specify which versions of their software are compatible and where to direct customers after updating,” Mr Lefferts writes.

    Reply
26. June 22, 2017 at 7:01 am

    Tomi Engdahl says:

    Cybereason snags $100m from Softbank to mount distribution, tech offensive
    ‘This deal is the coming of age of the offensive security model’
    https://www.theregister.co.uk/2017/06/21/cybereason_funding/

    Cybersecurity startup Cybereason is looking to go to the next level after securing $100m in funding from SoftBank.

    Cybereason, with headquarters in Boston, Massachusetts and Tel Aviv, Israel, offers a range of endpoint detection and response, next-generation antivirus, and managed monitoring services. These are crowded segments already staked out by the likes of Symantec, McAfee, Cylance, CrowdStrike and others. Some of these vendors are cash rich, but few can boast of the war chest now at Cybereason’s disposal.

    SoftBank is Cybereason’s biggest investor and one of its largest customers and distribution partners.

    “We’re seeing more companies get funding around the $100m mark – seems to be an increasingly favored exit for infosec firms,”

    “We’ve seen [that] companies like CrowdStrike, Tanium, Netskope, and Illumio have raised funding rounds in the region of $100m – demonstrating these are looking for an exit door to Wall Street, as opposed to pursuing a sale of the business. No VC-backed security vendors have been sold where they’ve been valued at over $1bn,” Malik‏ added.

    Reply
27. June 22, 2017 at 1:03 pm

    Tomi Engdahl says:

    Cisco’s ‘encrypted traffic fingerprinting’ turned into a product
    Borg’s boxen can now figure out of there’s malware lurking in encrypted traffic
    https://www.theregister.co.uk/2017/06/22/ciscos_encrypted_traffic_fingerprinting_turned_into_product/

    Cisco has turned research published nearly a year ago into a product it hopes will protect enterprises against malware hidden in encrypted traffic.

    As The Register reported in July 2016, a group of Cisco researchers have been working on how to spot dangers entering networks through TLS.

    Since you can’t see inside encrypted packets (unless you proxy the connection for decryption, a solution troubling both from privacy and security viewpoints), the paper’s authors (Blake Anderson, Subharthi Paul and David McGrew) looked for malware signatures in those parts of the traffic that’s not encrypted – TLS negotiation packets like clientHello and serverHello among them.

    Flow metadata, the sequences of packet length and time, and byte distribution also contributed to malware fingerprinting.

    Reply
28. June 22, 2017 at 1:04 pm

    Tomi Engdahl says:

    ITU thinks Blockchain and pals need interoperability
    Calls for standards-setting conference to consider security, privacy, whatever other regs distributed ledger types want
    https://www.theregister.co.uk/2017/06/22/itu_focus_group_on_application_of_distributed_ledger_technology/

    The International Telecommunications Union (ITU) has decided the time is ripe to start talking about what standards might be developed for distributed ledgers, aka Blockchain and fellow-travellers.

    The august body will therefore convene the The ITU-T Focus Group on Application of Distributed Ledger Technology (FG DLT) for the first time in October, for a three-day gabfest with the aim of “identifying the standardized frameworks needed to support the scaling up of applications and services based on DLT globally.”

    Among the “specific tasks and deliverables” for the meeting is to “study and analyse the implications of mandating interoperability and interconnection of services based on DLT. This will include the development of a standardization roadmap for interoperable services based on DLT taking into consideration the interoperability challenges and best practices.

    Reply
29. June 22, 2017 at 1:08 pm

    Tomi Engdahl says:

    Hacker exposed bank loophole to buy luxury cars and a face tattoo
    ♪ I’m gonna wait… til the midnight hour, when there’s no one else around
    https://www.theregister.co.uk/2017/06/20/face_tattoo_bank_hacker/

    A UK hacker who stole £100,000 from his bank after spotting a loophole in its systems has been jailed for 16 months.

    Unemployed James Ejankowski, 24, of Bridlington, squandered his ill-gotten gains by splurging on a BMW and a Range Rover, and getting his face tattooed

    He lied to some members of his family, claiming he’d won the money on a scratchcard while attempting to hide his criminality by funnelling the money through his partner’s account.

    Ejankowski had reportedly discovered that if he used software to transfer notional funds between his current account and his savings account between midnight and 1:00am in the morning, the transaction would go through even though he didn’t have adequate funds and without prompt reconciliation.

    Dryden told the court: “For one hour there was a credit balance in his account even though he did not have any money.”

    Ejankowski used the loophole to fraudulently rack up funds which he subsequently transferred to his partner Charlotte Slater’s Natwest account.

    Banking officials have recovered £34,000, leaving losses approaching £100K.

    Reply
30. June 22, 2017 at 1:09 pm

    Tomi Engdahl says:

    Microsoft admits to disabling third-party antivirus code if Win 10 doesn’t like it
    Redmond readies the ground for Kaspersky’s EU antitrust suit
    https://www.theregister.co.uk/2017/06/20/microsoft_disabling_thirdparty_antivirus/

    Windows 10 does disable some third-party security software, Microsoft has admitted, but because of compatibility – not competitive – issues.

    Redmond is currently being sued by security house Kaspersky Lab in the EU, Germany and Russia over alleged anti-competitive behavior because it bundles the Windows Defender security suite into its latest operating system. Kaspersky (and others) claim Microsoft is up to its Internet Explorer shenanigans again, but that’s not so, said the operating system giant.

    “Microsoft’s application compatibility teams found that roughly 95 per cent of Windows 10 PCs had an antivirus application installed that was already compatible with Windows 10 Creators Update,” said Rob Lefferts, director of security in the Windows and Devices group.

    Reply
31. June 22, 2017 at 1:46 pm

    Tomi Engdahl says:

    Mozilla Launches Privacy-Minded ‘Firefox Focus’ Browser For Android
    https://yro.slashdot.org/story/17/06/20/1946223/mozilla-launches-privacy-minded-firefox-focus-browser-for-android?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29

    Reply
32. June 22, 2017 at 6:37 pm

    Tomi Engdahl says:

    Massimo Calabresi / TIME:
    Sources: US election hacking was more extensive than previously known, including theft of voter records and at least one successful alteration of voter data — The hacking of state and local election databases in 2016 was more extensive than previously reported, including at least …

    Election Hackers Altered Voter Rolls, Stole Private Data, Officials Say
    http://time.com/4828306/russian-hacking-election-widespread-private-data/

    The hacking of state and local election databases in 2016 was more extensive than previously reported, including at least one successful attempt to alter voter information, and the theft of thousands of voter records that contain private information like partial Social Security numbers, current and former officials tell TIME.

    In one case, investigators found there had been a manipulation of voter data in a county database but the alterations were discovered and rectified, two sources familiar with the matter tell TIME. Investigators have not identified whether the hackers in that case were Russian agents.

    The fact that private data was stolen from states is separately providing investigators a previously unreported line of inquiry in the probes into Russian attempts to influence the election. In Illinois, more than 90% of the nearly 90,000 records stolen by Russian state actors contained drivers license numbers, and a quarter contained the last four digits of voters’ Social Security numbers

    Congressional investigators are probing whether any of this stolen private information made its way to the Trump campaign

    “If any campaign, Trump or otherwise, used inappropriate data the questions are, How did they get it? From whom? And with what level of knowledge?”

    Both intelligence committees are looking at whether and how the intrusions could have furthered Russia’s larger strategic goals of undermining U.S. democracy, hurting Hillary Clinton and helping Donald Trump. During the run up to the vote, Obama Administration cyber-security officials took steps to prepare for widespread voter registration manipulation, fearing Russia might seek to cause chaos at polling places to undermine the credibility of the election. Current and former law enforcement and intelligence officials say Russia could also have tried to use stolen voter data to gain leverage over witting or unwitting accomplices in the Trump camp, by involving them in a broader conspiracy.

    “There’s no evidence they were able to affect the counting within the machines,” says the top Democrat on the House Intelligence committee, Congressman Adam Schiff of California. But, he added, “the effect on the election is quite a different matter.”

    The Russian efforts against state and local databases were so widespread that top Obama administration cyber-security officials assumed that by Election Day Moscow’s agents had probed all 50 states.

    Many hackers, including state-sponsored ones, use automated programs to target hundreds or even thousands of computers to check for vulnerabilities. But confirming intrusions is hard. As far as officials have been able to determine, the number of actual successful intrusions, where Russian agents gained sufficient access to attempt to alter, delete or download any information, was “less than a dozen,” current and former officials say. But that wasn’t the only worry.

    “In addition to the threat to the vote we were also very concerned about the public confidence in the integrity of the electoral system,” says Ferrante.

    “The integrity of the entire system is in question,”

    Reply
33. June 22, 2017 at 8:31 pm

    Tomi Engdahl says:

    Nicole Perlroth / New York Times:
    How Golan Ben-Oni, CIO of US telecom firm IDT Corporation, discovered and is drawing attention to NSA-made DoublePulsar, a more potent sister tool to WannaCry

    A Cyberattack ‘the World Isn’t Ready For’
    https://www.nytimes.com/2017/06/22/technology/ransomware-attack-nsa-cyberweapons.html

    There have been times over the last two months when Golan Ben-Oni has felt like a voice in the wilderness.

    On April 29, someone hit his employer, IDT Corporation, with two cyberweapons that had been stolen from the National Security Agency. Mr. Ben-Oni, the global chief information officer at IDT, was able to fend them off, but the attack left him distraught.

    In 22 years of dealing with hackers of every sort, he had never seen anything like it. Who was behind it? How did they evade all of his defenses? How many others had been attacked but did not know it?

    Since then, Mr. Ben-Oni has been sounding alarm bells, calling anyone who will listen at the White House, the Federal Bureau of Investigation, the New Jersey attorney general’s office and the top cybersecurity companies in the country to warn them about an attack that may still be invisibly striking victims undetected around the world.

    “I don’t pursue every attacker, just the ones that piss me off,” Mr. Ben-Oni told

    Two weeks after IDT was hit, the cyberattack known as WannaCry ravaged computers at hospitals in England, universities in China, rail systems in Germany, even auto plants in Japan. No doubt it was destructive. But what Mr. Ben-Oni had witnessed was much worse, and with all eyes on the WannaCry destruction, few seemed to be paying attention to the attack on IDT’s systems — and most likely others around the world.

    The strike on IDT, a conglomerate with headquarters in a nondescript gray building here with views of the Manhattan skyline 15 miles away, was similar to WannaCry in one way: Hackers locked up IDT data and demanded a ransom to unlock it.

    But the ransom demand was just a smoke screen for a far more invasive attack that stole employee credentials. With those credentials in hand, hackers could have run free through the company’s computer network, taking confidential information or destroying machines.

    Worse, the assault, which has never been reported before, was not spotted by some of the nation’s leading cybersecurity products, the top security engineers at its biggest tech companies, government intelligence analysts or the F.B.I., which remains consumed with the WannaCry attack.

    Scans for the two hacking tools used against IDT indicate that the company is not alone. In fact, tens of thousands of computer systems all over the world have been “backdoored” by the same N.S.A. weapons. Mr. Ben-Oni and other security researchers worry that many of those other infected computers are connected to transportation networks, hospitals, water treatment plants and other utilities.

    An attack on those systems, they warn, could put lives at risk.

    “The world is burning about WannaCry, but this is a nuclear bomb compared to WannaCry,” Mr. Ben-Oni said. “This is different. It’s a lot worse. It steals credentials. You can’t catch it, and it’s happening right under our noses.”

    And, he added, “The world isn’t ready for this.”

    By Mr. Ben-Oni’s estimate, IDT experiences hundreds of attacks a day on its businesses, but perhaps only four each year that give him pause.

    Nothing compared to the attack that struck in April. Like the WannaCry attack in May, the assault on IDT relied on cyberweapons developed by the N.S.A. that were leaked online in April by a mysterious group of hackers calling themselves the Shadow Brokers — alternately believed to be Russia-backed cybercriminals, an N.S.A. mole, or both.

    The WannaCry attack — which the N.S.A. and security researchers have tied to North Korea — employed one N.S.A. cyberweapon; the IDT assault used two.

    Both WannaCry and the IDT attack used a hacking tool the agency had code-named EternalBlue.

    The attack on IDT went a step further with another stolen N.S.A. cyberweapon, called DoublePulsar. The N.S.A. used DoublePulsar to penetrate computer systems without tripping security alarms. It allowed N.S.A. spies to inject their tools into the nerve center of a target’s computer system, called the kernel, which manages communications between a computer’s hardware and its software.

    Mr. Ben-Oni learned of the attack only when a contractor, working from home, switched on her computer to find that all her data had been encrypted and that attackers were demanding a ransom to unlock it. He might have assumed that this was a simple case of ransomware.

    But the attack struck Mr. Ben-Oni as unique.

    The black box of sorts, a network recording device made by the Israeli security company Secdo, shows that the ransomware was installed after the attackers had made off with the contractor’s credentials. And they managed to bypass every major security detection mechanism along the way. Finally, before they left, they encrypted her computer with ransomware, demanding $130 to unlock it, to cover up the more invasive attack on her computer.

    “I started to get the sense that we were the canary,” he said. “But we recorded it.”

    Since IDT was hit, Mr. Ben-Oni has contacted everyone in his Rolodex to warn them of an attack that could still be worming its way, undetected, through victims’ systems.

    “Time is burning,” Mr. Ben-Oni said. “Understand, this is really a war — with offense on one side, and institutions, organizations and schools on the other, defending against an unknown adversary.”

    Reply
34. June 22, 2017 at 8:46 pm

    Tomi Engdahl says:

    After three days, Skype’s outage is resolved
    https://techcrunch.com/2017/06/22/after-three-days-skypes-outage-is-resolved/

    After three days of connectivity issues which prevented some Skype users from being able to log in, make calls, or send and receive messages, the company says it has now fully resolved the problem. What it isn’t saying – at least not yet – is what exactly happened.

    Microsoft’s decision to stay silent on an incident of this length and scale – the outage impacted users across Europe and elsewhere – lends further credence to reports that a hacker group may be to blame.

    Skype, however, has said nothing all week – even as reports that a hacking group has claimed responsibility for the matter. As the BBC and others have noted, a group called CyberTeam has taken credit for the outage in a tweet.

    There has also been chatter that a DDoS attack could have caused this. That seems possible,

    Skype’s outage largely impacted European users, according to traffic monitoring service DownDetector. But users in other regions may have felt the effects, as well.

    For a service as large as Skype, with some 300 million users, and a plan to reinvent itself for the social age, users are frustrated with the lack of an explanation.

    As many rightly point out, Skype isn’t just a “fun” app – it’s a service they rely on for work, for connecting with clients and colleagues, and for communication. They want to know if Skype screwed up, or if it was hacked or attacked. And they have a right to get an answer

    Reply
35. June 23, 2017 at 4:44 am

    Tomi Engdahl says:

    Technology Helps the Lawless Find Digital Safe Spaces
    https://worldview.stratfor.com/article/how-technology-helps-lawless-find-digital-safe-spaces

    In the physical world, there has never been absolute privacy. Even under governments created to protect personal liberties and privacy rights, those rights were never intended to be absolute.

    It’s clear that the Constitution permits the government to search an individual’s body, home or correspondence if the threshold of probable cause is met. Since the Constitution was ratified in 1788, a tremendous amount of case law has been developed to define exactly what are reasonable — and unreasonable

    There was essentially no place I could not search if I was able to develop probable cause that a crime had been committed and that I believed a specific piece of evidence pertaining to that crime was in the particular place I sought to search.

    To me, pen registers and mail covers are physical analogs to the metadata on electronic communications.

    In the physical world, there’s never been any absolute guarantee of privacy. There’s no place the government couldn’t go or monitor electronically in search of evidence of a crime if it had the proper warrant. But this is changing.

    Criminals and Technology
    Since my days as a special agent, new digital encryption technologies have been developed that permit terrorists and criminals to construct internet black holes where the government is unable to search. These are the safe spaces Prime Minister May is talking about.

    In my experience, some of the worst offenders were among the first to embrace technology.

    Terrorists and criminals have also long recognized the ability of the United States and its partners to monitor internet communications, and over the years they have adopted a wide variety of countermeasures to protect their internet communications.

    Today terrorists and criminals are using encrypted messaging applications such as Telegram and WhatsApp to communicate and encryption to protect their data.

    When figures such as Prime Minister May or former FBI Director James Comey discuss the challenges that encryption poses for law enforcement, they are frequently criticized in the press by people who embrace the concept that there is now an absolute right to privacy in the digital world. It’s a strange paradox that while people are posting more private information than ever in plain view via social media and other technology platforms, they are demanding total privacy in their communications and digital files, which never existed before encryption.

    With end-to-end encryption, digital communications cannot be monitored, either.

    The demand for encryption, of course, is quite understandable. A single hacker can attack targets across the globe. National intelligence services are sucking up huge amounts of data on seemingly everyone as well.

    making it more difficult for governments to monitor communications and break robust coding.

    there is no way in practical terms to stop the advancement and adoption of digital encryption.

    Reply
36. June 23, 2017 at 4:49 am

    Tomi Engdahl says:

    Mark Bergen / Bloomberg:
    Google starts removing “confidential, personal medical records of private people” from search results

    Google Now Scrubbing Private Medical Records From Search Results
    https://www.bloomberg.com/news/articles/2017-06-23/google-now-scrubbing-private-medical-records-from-search-results

    Alphabet Inc.’s Google has quietly decided to scrub an entire category of online content — personal medical records — from its search results, a departure from its typically hands-off approach to policing the web.

    Google lists the information it removes from its search results on its policy page. On Thursday, the website added the line: “confidential, personal medical records of private people.” A Google spokeswoman confirmed the changes do not affect search advertising but declined to comment further.

    Previously, Google had only removed webpages with identifying financial information, such as credit card numbers, and with content that violates copyright laws. In 2015, Google bent its longstanding laissez-faire policy by adding “revenge porn” to its removal list — sexually explicit images uploaded without consent.

    Health records can also appear online without consent. In December, a pathology lab in India mistakenly uploaded the records of over 43,000 patients containing sensitive information, including names and blood tests for HIV. The records were indexed in Google’s search results.

    Reply
37. June 23, 2017 at 5:04 am

    Tomi Engdahl says:

    Kent Walker / Google:
    Google says current laws underpinning digital evidence gathering are outdated, proposes new legal framework for cross-border data handling — Editor’s note: This is an abbreviated version of a speech Kent delivered today at The Heritage Foundation in Washington, D.C.

    https://www.blog.google/topics/public-policy/digital-security-and-due-process-new-legal-framework-cloud-era/

    Reply
38. June 23, 2017 at 8:54 am

    Tomi Engdahl says:

    How the CIA infects air-gapped networks
    Sprawling “Brutal Kangaroo“ spreads malware using booby-trapped USB drives.
    https://arstechnica.com/security/2017/06/leaked-documents-reveal-secret-cia-operation-for-infecting-air-gapped-pcs/

    Documents published Thursday purport to show how the Central Intelligence Agency has used USB drives to infiltrate computers so sensitive they are severed from the Internet to prevent them from being infected.

    More than 150 pages of materials published by WikiLeaks describe a platform code-named Brutal Kangaroo that includes a sprawling collection of components to target computers and networks that aren’t connected to the Internet. Drifting Deadline was a tool that was installed on computers of interest. It, in turn, would infect any USB drive that was connected. When the drive was later plugged into air-gapped machines, the drive would infect them with one or more pieces of malware suited to the mission at hand. A Microsoft representative said none of the exploits described work on supported versions of Windows.

    The infected USB drives were at least sometimes able to infect computers even when users didn’t open any files. The so-called EZCheese exploit, which was neutralized by a patch Microsoft appears to have released in 2015, worked anytime a malicious file icon was displayed by the Windows explorer.

    Microsoft didn’t say when it patched the vulnerabilities exploited by Lachesis and RiverJack. Interestingly, Microsoft earlier this month patched a critical vulnerability that allowed so-called .LNK files stored on removable drives and remote shares to execute malicious code. Microsoft said in its advisory that the vulnerability was being actively exploited but didn’t elaborate.

    Brutal Kangaroo
    https://wikileaks.org/vault7/#Brutal%20Kangaroo

    Reply
39. June 23, 2017 at 9:03 am

    Tomi Engdahl says:

    Cade Metz / New York Times:
    Department of Homeland Security and Google partner on $1.5M contest for algorithm that identifies concealed items in images captured by body scanners

    Uncle Sam Wants Your Deep Neural Networks
    https://www.nytimes.com/2017/06/22/technology/homeland-security-artificial-intelligence-neural-network.html

    The Department of Homeland Security is turning to data scientists to improve screening techniques at airports.

    On Thursday, the department, working with Google, will introduce a $1.5 million contest to build computer algorithms that can automatically identify concealed items in images captured by checkpoint body scanners.

    The government is putting up the money, and the six-month contest will be run by Kaggle, a site that hosts more than a million data scientists that was recently acquired by Google.

    Reply
40. June 23, 2017 at 9:07 am

    Tomi Engdahl says:

    Russia Targeted Election-Related Networks in 21 States: DHS
    http://www.securityweek.com/russia-targeted-election-related-networks-21-states-dhs

    Hackers believed to be working for the Russian government targeted election-related networks in 21 U.S. states, representatives of the Department of Homeland Security (DHS) told the Senate Intelligence Committee on Wednesday in a hearing on threats to election infrastructure.

    DHS officials revealed that the agency’s Office of Intelligence and Analysis (I&A) published a report in October claiming that cyber actors possibly connected to the Russian government had targeted websites and other election-related systems in 21 states. The states have not been named, but some news organizations previously reported that the list includes Arizona and Illinois.

    The DHS said only a “small number” of networks were compromised, but it did not find any evidence that vote tallies had been altered. In many cases, only attempts to scan election infrastructure were detected.

    The DHS has admitted that cyberattack attribution is difficult, but the agency appears confident that the Russian government was involved in these operations.

    Reply
41. June 23, 2017 at 9:08 am

    Tomi Engdahl says:

    Configuration Error Embarrasses UK’s Cyber Essentials
    http://www.securityweek.com/configuration-error-embarrasses-uks-cyber-essentials

    The UK government’s Cyber Essentials scheme has suffered an embarrassing incident; but one that can hardly be called a breach and certainly not a cyber-attack. A configuration error in the underlying software platform exposed the email addresses of consultancies registered with the scheme — nothing more.

    Cyber Essentials is a UK government-backed certification scheme designed to encourage the adoption of good security practice. It includes five primary technical controls: boundary firewalls and internet gateways; secure configuration (ironically); access control; malware protection; and patch management.

    Certification is provided by one of a number of certifying bodies licensed by an accreditation body (currently APMG, CREST, IASME, IRM security and QG).

    “Since October 2014 Cyber Essentials has been mandatory for suppliers of Government contracts which involve handling personal information and providing some ICT products and services,” explains the Cyber Essentials website. “Holding a Cyber Essentials badge enables you to bid for these contracts.”

    It seems that the configuration error briefly exposed the email addresses of registered consultancies seeking certification to allow bidding for such government contracts. This error has been fixed by the provider concerned, Pervade Software.

    Reply
42. June 23, 2017 at 9:11 am

    Tomi Engdahl says:

    OpenVPN Patches Remotely Exploitable Vulnerabilities
    http://www.securityweek.com/openvpn-patches-remotely-exploitable-vulnerabilities

    OpenVPN this week patched several vulnerabilities impacting various branches, including flaws that could be exploited remotely.

    Four of the bugs were found by researcher Guido Vranken through fuzzing, after recent audits found a single severe bug in OpenVPN. While analyzing OpenVPN 2.4.2, the researcher found and reported four security issues that were addressed in the OpenVPN 2.4.3 and OpenVPN 2.3.17 releases this week.

    The most important of the four issues is a Remotely-triggerable ASSERT() on malformed IPv6 packet bug that can be exploited to remotely shutdown an OpenVPN server or client. Tracked as CVE-2017-7508, the bug can be triggered if IPv6 and –mssfix are enabled and only if the IPv6 networks used inside the VPN are known.

    Tracked as CVE-2017-7521, a second vulnerability involves remote-triggerable memory leaks.

    The third vulnerability Guido Vranken discovered was a potential double-free in –x509-alt-username, tracked as CVE-2017-7521. The bug can be triggered only on configurations that use the –x509-alt-username option with an x509 extension

    The fourth issue found by Vranken was a post-authentication remote DoS when using the –x509-track option. Tracked as CVE-2017-7522

    Another security bug resolved in OpenVPN this week was a pre-authentication remote crash/information disclosure for clients. Tracked as CVE-2017-7520

    OpenVPN also resolved a null-pointer dereference in establish_http_proxy_passthru(), where the client could crash

    Reply
43. June 23, 2017 at 9:14 am

    Tomi Engdahl says:

    Testing in an Agile and DevOps World
    http://www.securityweek.com/testing-agile-and-devops-world

    We live in a software-defined world. Software touches just about everything we do. Any business trying to maintain their competitive advantages, or gain market momentum, has had to reintegrate their software somehow. This has resulted in fast-paced development methods, like Agile and DevOps, which facilitate continuous product improvements. On the downside, these new methods of development can minimize testing and, in turn, potentially compromise performance and security.

    Forcing a Test Evolution

    The new pace of development poses a distinct issue for testers that have to respond as quickly as plans change with no clear road map to plan around. If the product development team is brought together for an updated timeline that is the plan until the release date is changed again. This often results in a blurred line for performance, as solutions are shipped with unknown flaws and vulnerabilities.

    Fostering a Changing Culture

    As development moves faster there needs to be a shift in the mindset across an organization and its customers. The culture that inspires faster development also needs to advocate agile testing methods.

    This begins with testing models and training. Developers, testers and release managers need to buy into a continuous testing mindset. More specifically, they need to be trained in the process and tools available to them when testing in a rapid development cycle. Cross-team communication is also crucial, especially between QA engineers and developers. When this is done, code will be more stable and bugs will get resolved faster. The right tools can effectively emulate real-world scenarios, provide shared test data environments, and always be available and capable of integrating with master codebase frameworks.

    When done successfully, continuous testing and training prevents bugs and performance issues from going out the door, while enabling developers to better spot problems in the future. Identifying suspicious activity and what action to take becomes easier with enough exposure.

    The temptation to leverage limited-scale test environments, like internally developed attacks or crowd-sourced probes, should be avoided. It can create a false sense of security.

    Ultimately, the key is to not take shortcuts in testing just to meet aggressive timelines. Iterative development does mean that problems cannot be fixed as they arise. We all have limited time and a desire to get to market faster.

    Reply
44. June 23, 2017 at 12:14 pm

    Tomi Engdahl says:

    How To Rob An Airbnb
    How a flaw in Airbnb’s privacy technology could put 1.2 million homes at risk
    https://medium.com/@aronszanto/how-to-rob-an-airbnb-252e7e7eda44

    Airbnb claims that its hosts are anonymous. But Neel Mehta, Emily Houlihan, and I found a way to figure out the real names and addresses of 1.2 million of them.

    Ever wanted to rob a house?

    We discovered that, with nothing more than publicly-available data, you can figure out the real names and addresses of 40% of houses listed on Airbnb. We’ll show you how anyone could use this method to rob their choice of 1.2 million houses — and other ways this could hurt Airbnb’s bottom line.

    Airbnb’s “privacy guarantee”

    Over three million houses are listed on Airbnb, the popular house-sharing platform that many travelers use as an alternative to hotels. Because hosts are offering up their actual houses to strangers, Airbnb reassures hosts that their privacy is totally protected.

    Before you book a room on Airbnb, you can only see the host’s first name and the rough location of their house

    But we found a way for anyone to figure out a host’s full name, address, and other personal information without booking a room, a method that has surprisingly high accuracy. All it takes is some ingenuity and publicly-available data.

    All 50 states are legally required to make their voter files public. This means that anyone can get the name, address, date of birth, and voting registration history of any voter in a state- over 200 million individuals nationwide.

    The next step was to write an algorithm that would match each Airbnb host with a voter in the voter file.

    Our hypothesis was that the closest Douglas to the listing was the most likely to be the host. If we were right, we’d immediately know the host’s full name, address, phone number, and all the other information on them in the voter file!

    To test our method, we ran the algorithm on 84 Airbnb listings in Wisconsin. Then, each of us independently of the others manually determined the identity of each of the Airbnb hosts we tested to see if our algorithm’s prediction was correct. We had a bag of tricks we used to identify people. For one, we could visually compare people’s houses on Google Maps Street View to the pictures available in the Airbnb listing

    Other tricks involved looking up the host on LinkedIn (sometimes their Airbnb profile would tell you their alma mater), using Google’s reverse image search on the host’s profile picture, or using reviews to triangulate their location (one review said the house was “past three mailboxes, up the road, and the second house on the right.”)

    It turns out that our algorithm figured out the correct host for 34 of the 84 properties we tested — that’s a 40% success rate. If our sample was representative, that means that you could find the full name and address of 1.2 million of the 3 million Airbnb hosts out there.

    If you wanted to rob a house using Airbnb, you could just book the house, find the address, and ransack it once the owners leave. But that’s not such a hot idea, because Airbnb makes you provide your government-issued ID and connect your social media profiles before you book a room.

    They could find Airbnb listings in their area that were available for tonight — especially the “instantly bookable” ones
    Then they could use this algorithm to figure out the address of a target house. Since no one will be home, the bad guy can rob the house without anyone knowing it was them.

    Or, how to scam Airbnb out of $360 million a year

    We hear you cynics out there: “Airbnb doesn’t care if people’s homes get robbed! All companies care about are their profits.” And you might be right. But even if the company doesn’t care that hosts are in danger, you can bet that Airbnb would care if their bottom line were in danger. As it turns out, their cash flow is anything but safe.

    Airbnb charges hosts a 3–5% commission and guests a 6–12% fee on every booking.
    But what if guests and hosts could connect outside the platform?
    This would save both money and leave Airbnb holding the bag.

    Sound good? Here’s why Airbnb should take note: forty percent of the company’s revenue comes from these service fees. Since Airbnb made $900 million in 2015, Airbnb’s faulty privacy guarantee could cost them $360 million a year.

    How regulators can stick it to Airbnb

    What can Airbnb do about this?

    Airbnb’s faulty privacy guarantee could cause the company a world of pain, not to mention the negative effects on the hosts. So what could they do? Think back to how Airbnb provides an approximate latitude and longitude for each listing — or, as it appears on the map, a fuzzy blue circle.

    Airbnb could increase the radius of the blue circle to make our kind of reidentification algorithm less accurate. The tradeoff is that this would make Airbnb less useful to potential renters, since location is so important to travelers.

    Our advice? Airbnb might need to adjust their fuzzing radius based on the local population density. Denser areas would be fine with a smaller radius, since there are lots of people in even a small circle, but sparsely-populated rural areas would need much more fuzzing to protect privacy.

    Reply
45. June 23, 2017 at 12:37 pm

    Tomi Engdahl says:

    German police raided 36 homes over hateful Facebook posts
    https://www.theverge.com/2017/6/21/15847262/german-facebook-raid-hate-incitement

    German police are cracking down on what they perceive to be threats, coercion, and incitement to hatred in online posts. Yesterday, police raided 36 people’s homes over social media posts that allegedly contained hateful content, according to a press release from the Federal Criminal Police Office of Germany.

    The police say that most of the accused posted politically motivated content, but one incident involved someone attacking the sexual orientation of a victim. The raid was arranged as a specific day against internet hate posts, which the force apparently participated in last year, too. German social media users are subject to punishment if they post illegal content, and incitement to hatred is illegal in Germany.

    https://www.bka.de/DE/Presse/Listenseite_Pressemitteilungen/2017/Presse2017/170620_Hasspostings.html?nn=67356

    Reply
46. June 23, 2017 at 6:45 pm

    Tomi Engdahl says:

    Mark Bergen / Bloomberg:
    Google to stop scanning Gmail email content to target ads, will use other user info it has for ad targeting

    Google Will Stop Reading Your Emails for Gmail Ads
    https://www.bloomberg.com/news/articles/2017-06-23/google-will-stop-reading-your-emails-for-gmail-ads

    The move is designed to ease concerns of enterprise customers
    Diane Greene pushes ad change to chase Microsoft in enterprise

    Google is stopping one of the most controversial advertising formats: ads inside Gmail that scan users’ email contents. The decision didn’t come from Google’s ad team, but from its cloud unit, which is angling to sign up more corporate customers.

    Alphabet Inc.’s Google Cloud sells a package of office software, called G Suite, that competes with market leader Microsoft Corp. Paying Gmail users never received the email-scanning ads like the free version of the program, but some business customers were confused by the distinction and its privacy implications, said Diane Greene, Google’s senior vice president of cloud. “What we’re going to do is make it unambiguous,” she said.

    Ads will continue to appear inside the free version of Gmail, as promoted messages. But instead of scanning a user’s email, the ads will now be targeted with other personal information Google already pulls from sources such as search and YouTube. Ads based on scanned email messages drew lawsuits and some of the most strident criticism

    Reply
47. June 23, 2017 at 6:49 pm

    Tomi Engdahl says:

    Reuters:
    Firms like Cisco, IBM are acceding to Russia’s demands to review source code of security products, raising fears knowledge gained can be used for cyberattacks

    Under pressure, Western tech firms bow to Russian demands to share cyber secrets
    http://www.reuters.com/article/us-usa-russia-tech-idUSKBN19E0XB

    Western technology companies, including Cisco, IBM and SAP, are acceding to demands by Moscow for access to closely guarded product security secrets, at a time when Russia has been accused of a growing number of cyber attacks on the West, a Reuters investigation has found.

    Russian authorities are asking Western tech companies to allow them to review source code for security products such as firewalls, anti-virus applications and software containing encryption before permitting the products to be imported and sold in the country. The requests, which have increased since 2014, are ostensibly done to ensure foreign spy agencies have not hidden any “backdoors” that would allow them to burrow into Russian systems.

    But those inspections also provide the Russians an opportunity to find vulnerabilities in the products’ source code

    U.S. officials say they have warned firms about the risks of allowing the Russians to review their products’ source code, because of fears it could be used in cyber attacks.

    From their side, companies say they are under pressure to acquiesce to the demands from Russian regulators or risk being shut out of a lucrative market.

    “Some companies do refuse,” he said. “Others look at the potential market and take the risk.”

    Reply
48. June 24, 2017 at 8:18 pm

    Tomi Engdahl says:

    The Guardian:
    Cyberattack on UK parliament email accounts forces security team to disable remote access; investigation is ongoing

    Cyber-attack on parliament leaves MPs unable to access emails
    https://www.theguardian.com/politics/2017/jun/24/cyber-attack-parliament-email-access

    House of Commons spokesperson says it is investigating after unauthorised attempts were made to access user accounts

    Parliament has been hit by a “sustained and determined” cyber-attack by hackers attempting to gain access to MPs’ and their staffers’ email accounts. Both houses of parliament were targeted on Friday in an attack that sought to gain access to accounts protected by weak passwords. MPs said they were unable to access their emails after the attack began.

    The estate’s digital services team said they had made changes to accounts to block out the hackers, and that the changes could mean staff were unable to access their emails.

    “These attempts specifically were trying to gain access to our emails. We have been working closely with the National Cyber Security Centre to identify the method of the attack and have made changes to prevent the attackers gaining access, however our investigation continues.”

    The Liberal Democrat peer Chris Rennard said a “cybersecurity attack on Westminster parliamentary emails” meant that access to accounts may be restricted.

    “We know that there are regular attacks by hackers attempting to get passwords. We have seen reports in the last few days of even Cabinet ministers’ passwords being for sale online. We know that our public services are attacked, so it is not at all surprising that there should be an attempt to hack into parliamentary emails.”

    Reply
49. June 25, 2017 at 5:15 am

    Tomi Engdahl says:

    Zack Whittaker / ZDNet:
    Researcher gains full system-wide access on Windows 10 S, despite the operating system’s strict security measures, by exploiting Microsoft Word macros

    Microsoft says ‘no known ransomware’ runs on Windows 10 S — so we tried to hack it
    http://www.zdnet.com/article/microsoft-no-known-ransomware-windows-we-tried-to-hack-it/

    We enlisted a leading security researcher to test if Microsoft’s newest, locked-down version of Windows 10 is protected against all “known” kinds of ransomware, as the company claims.

    Microsoft claims “no known ransomware” runs on Windows 10 S, its newest, security-focused operating system.

    The software giant announced the version of Windows earlier this year as the flagship student-focused operating system to ship with its newest Surface Laptop. Microsoft touted the operating system as being less susceptible to ransomware because of its locked-down configuration — to the point where you can’t run any apps outside the protective walled garden of its app store. In order to get an app approved, it has to go through rigorous testing to ensure its integrity. That’s one of several mitigations that helps to protect the operating system to known file-encrypting malware.

    We wanted to see if such a bold claim could hold up.

    Spoiler alert: It didn’t.

    And that’s when we asked Matthew Hickey, a security researcher and co-founder of cybersecurity firm Hacker House, a simple enough question: Will ransomware install on this operating system?

    It took him a little over three hours to bust the operating system’s various layers of security, but he got there.

    “I’m honestly surprised it was this easy,” he said in a call after his attack.

    But Windows 10 S presents a few hurdles. Not only is it limited to store-only apps, but it doesn’t allow the user to run anything that isn’t necessary. That means there’s no command prompt, no access to scripting tools, and no access to PowerShell, a powerful tool often used (and abused) by hackers. If a user tries to open a forbidden app, Windows promptly tells the user that it’s off-limits. Bottom line: If it’s not in the app store, it won’t run.

    Hickey was able to exploit how Microsoft Word, available to download from the Windows app store, handles and processes macros.

    Hickey created a malicious, macro-based Word document on his own computer that when opened would allow him to carry out a reflective DLL injection attack, allowing him to bypass the app store restrictions by injecting code into an existing, authorized process.

    Once macros are enabled, the code runs and gives him access to a shell with administrator privileges.

    From there, he was able to download a payload using Metasploit, a common penetration testing software, which connects the operating system to his own cloud-based command and control server, effectively enabling him to remotely control the computer. From there, he was able to get the highest level of access, “system” privileges, by accessing a “system”-level process and using the same DLL injection method.

    By gaining “system” privileges, he had unfettered, remote access to the entire computer.

    “If I wanted to install ransomware, that could be loaded on,” he said. “It’s game over.”

    From popping the shell, which took him “a matter of minutes,” he was able to gain full system-wide access to the operating system in a few hours.

    For its part, Microsoft rejected the claims.

    “In early June, we stated that Windows 10 S was not vulnerable to any known ransomware, and based on the information we received from ZDNet that statement holds true,”

    In the end, Microsoft said that “no known ransomware” works on the operating system

    Reply
50. June 25, 2017 at 5:23 am

    Tomi Engdahl says:

    CIA Knew in August that Putin Sought to Boost Trump: Report
    http://www.securityweek.com/cia-knew-august-putin-sought-boost-trump-report

    The CIA had top-level intelligence last August that Russian President Vladimir Putin personally ordered an operation to help Donald Trump win the US presidential race, the Washington Post reported Friday.

    The intelligence shocked the White House and put US security chiefs on a top-secret crisis footing to figure out how to react.

    But amid confidence that Democrat Hillary Clinton still had the election in the bag and worries over president Barack Obama himself being seen as manipulating the election, the administration delivered warnings to Moscow but left countermeasures until after the vote, the Post reported.

    After Trump’s shock victory, there were strong regrets among administration officials that they had shied from tough action.

    “From national security people there was a sense of immediate introspection, of, ‘Wow, did we mishandle this,’” a former administration official told the newspaper.

    The Post said that as soon as the intelligence on Putin came in, the White House viewed it as a deep national security threat. A secret intelligence task force was created to firm up the information and come up with possible responses.

    They couldn’t do anything about embarrassing WikiLeaks revelations from hacked Clinton emails. The focus turned to whether Moscow could disrupt the November 8 vote itself by hacking voter registration lists or voting machines, undermining confidence in the vote tally itself.

    Trump on Friday questioned Obama’s response to the Russian hacking crisis.

    “Just out: The Obama Administration knew far in advance of November 8th about election meddling by Russia. Did nothing about it. WHY?” he posted on Twitter.

    Reply