Year 2017 will not have any turn towards better data security. The internet is rife with such well-known than the unknown threats. The company’s systems are supposed to be protected.Hackers are going to continue to look for new ways to extort and steal information from businesses and organizations, which unfortunately means those businesses and organizations will have to continue to look for new ways to protect themselves.
Critical infrastructure cames under attack in 2017. Critical infrastructures must be better protected from criminals and terrorists who take advantage of modern technologies that are essential for the functioning of society and the economy. IT security functions of industrial control systems (ICS), energy grids and IoT networks needs to be improved in 2017.
There is push for better web security in 2017. Starting New Year’s Day, Google’s Chrome will begin labeling as “insecure” all websites that transmit passwords or ask for credit card details over plain text HTTP. Beginning in January 2017 (Chrome 56), HTTP sites that transmit passwords or credit cards are marked as non-secure, as part of a long-term plan to mark all HTTP sites as non-secure.
SHA-1 is insecure. Starting on Jan 1, 2017, most CAs will migrate to SHA-2 certificates, and major browser makers have already announced plans to adopt the change, including Microsoft, Google, and Mozilla. Their browsers will no longer trust sites that use SHA-1 starting with that date, and they will mark these websites as insecure. 1/3 of Websites Use SHA-1 Certificates Despite Looming Deadline. SHA-1 will still hang around, like a fart in a spacesuit, for many years to come because some people are lazy enough not to make the change.
There will be changes in how security is viewed in 2017 by businesses. We will likely see cloud adoption continue to grow across the United States, network visibility will no longer just be an option, AI and machine learning will shake old security models, and IoT-powered attacks will continue to rise. All of this will factor into how businesses set up, monitor and secure their networks.
The Commoditization of Cyberattacks Will Make Them More Frequent in 2017. More and more companies suffer from disruption to business due to cyber attacks. Cyber-attacks cause companies significant financial losses, but the studies shows that companies are not prepared for attacks. According to Gartner, by 2018 only 40 per cent of large companies have official plans in case of cyber attacks. Last year, the percentage was zero.
Strap yourself in for a bumpy ride in 2017. 2016 sucked. 2017 won’t be much better, sorry. DDoS attacks have been around since at least 2000, and they’re not going away. In fact, as the number of devices online grows, the volume and velocity of these attacks is also increasing. DDoS attack toolkits have been around for years, as have services that will enable you to pay for an attack. Expect to see more of them. It seems that 2017 promises to be the most dramatic year yet in DDoS conflict. Whale-sized DDoS attacks will increase, the IoT will become a bigger factor in DDoS and DDoS will overshadow ransomware attacks and is used for extortion. Expect to see the Internet of Things (IoT) and other connected devices play an important part in these attacks.
Biometric identification will become more common in 2017, but it will not replace passwords. Fingerprint identification has become increasingly common in smartphones and already the technology is fast and reliable. This year biometric identification devices were sold for 4.5 billion dollars (most of them go to smart phones and laptops). 91 percent of biometric sales were fingerprint sensors, four per cent of face detection and three per cent iris detection.
Biometrics Won’t Kill Passwords any time soon. Even though PIN codes and passwords are actually pretty lousy protection case against skilled cybercriminal, the password will never disappear entirely, as two per cent of the world’s population is persons with a fingerprint not suitable for biometric identifier to work. Other biometric identification systems have also similar limitations and/or are not yet commonly available at reasonable cost. While biometrics, including fingerprint-, face-, iris-, palm- and speech-recognition, will continue to grow as a more secure substitute for passwords, they will not render passwords obsolete. Until the other common biometrics become commonplace, passwords are here to stay until circa 2030.
Fights with encryption and backdoors for them is not over in 2017. Many public figures in law enforcement have consistently argued that device encryption presents a new threat to police powers of investigation. On the other side House Judiciary Committee’s Encryption Working Group report says encryption backdoors pose a security threat, siding with tech experts in their latest report . The problem is that any system allowing police to get into those encrypted system (let it be phone, computer or communications) could also be exploited by criminals. Any action in this space should weigh any short-term benefits against the longterm impacts. Many industry experts will rightly tell you there is no such thing as partial data encryption. You either have a fully capable system or none at all.
Given the security events of 2016, coupled with the rapid advancements and adoption of cloud computing, 2017 will be the year in which many finally accept that network infrastructure and security will have to be rethought from the ground up. In 2017 the cloud will become a risk for users: The cloud becoming insecure – extortion and IoT openings.
The rivalry between the network attacks and network security is in acceleration. Crippling Internet services with denial of service attacks are becoming more common throughout the world. DDoS attacks have been around since at least 2000, and they’re not going away. In fact, as the number of devices online grows, the volume and velocity of these attacks is also increasing. IoT-powered attacks will continue to rise and stopping the attack is not easy. For most companies the key thing is that the attack traffic is stopped before it reaches the company’s Internet connection or servers (needs to use telecom operator and external services increase). In addition to service disturbion Denial of Service Attacks are often used as distraction during the actual data burglary.DDoS may take over from ransomware as a cause for concern.
In 2017 the IT and security professionals talk about more about business risks. Historically, firewalls, DLP, antivirus, SIEM and other technical point solutions have been the centerpiece of security conversations, but the mindset is slowly shifting from technology to risk. The goal of stopping all attacks and preventing all business impact has been recognized as a fool’s errand, and has shifted to measuring risk and minimizing business impacts. Cyber security is increasingly being viewed as a risk management problem.
In 2017 ‘Security’ Must be Added to our Existing Ethical and Philosophic Concerns Over Artificial Intelligence and Algorithms. Algorithms soon run the world. They present problems that are seriously questioned on both ethical and philosophic grounds; and they have become the basis of fictional Armageddons.
Cyber insurance will be more thoughs as on solution for handling cyber risks in 2017. The global cyber insurance market is expected to generate $14 billion by 2022, according to a new report published by Allied Market Research (AMR). That figure represents an impressive compound annual growth rate (CAGR) of nearly 28% from 2016 to 2022.
In 2017 Big Brother will be watching you 24/7.Those of you who’ve read George Orwell’s book 1984 or seen the movie ,will remember how the citizens of the fictitious totalitarian state of Oceana are constantly under surveillance by order of its dictator, Big Brother. So now swap your home desktop computer, laptop or smart phone for the fictitious telescreen and not only are you sitting in front of what is a modern day version of the Big Brother telescreen you are also walking around with one in your pocket or handbag. Sound a bit far fetched to you? Well it’s set to become a reality in many countries.
Users will want better security or at least to feell more secure in 2017. Many people are prepared to to extremes for better security. According to a recent survey of over 2,000 adults conducted by Harris Poll Nearly 40% of Americans Would Give Up Sex for a Year or eating their favourite food in Exchange for Better Online Securit, meant they’d never have to worry about being hacked. When you consider that 87 percent of U.S. adults use the internet, it makes sense that cyber security is one of the biggest concerns today. The single biggest thing people can do to help keep their online identity safe is probably the easiest – a solid password – and not giving it to other people. Still nearly 50% of people have shared a password to an e-mail account or to an account like Netflix.
Security Becomes A Multi-System Issue and more people talking about the issue. Design teams will have to bake strategies in from the start, no matter how insignificant the device.The good news is that it more people talking about the issue. The real challenge is packing enough security features into designs to prevent security breaches of every sort, including those that can come from other electronics that weren’t even considered as part of the design process. Just as devices get more sophisticated, so do hackers.The reality is that security breaches can even cause physical harm. It’s time to look at this at a multi-system, multi-disciplinary level. Otherwise, we literally could be playing with fire.
Block chains have been a big trend for several years. The block chain market is divided now when 2017 starts. During the autumn 2016, we have seen a number of initiatives on cooperation between the financial sector and consulting companies. Microsoft has chosen a platform for Ethereum-block chain and offers it to the Azure cloud service. IBM has jumped Hyperledger consortium bandwagon and offering their own block chains to Bluemix service. Google and Amazon still shine by their absence. Even banks may prefer to see the use of cloud for the block chains.
Other prediction articles worth to look:
What Lies Ahead for Cybersecurity in 2017?
Network Infrastructure, Visibility and Security in 2017
DDoS in 2017: Strap yourself in for a bumpy ride
Cybersecurity Industry Outlook: 2017 to 2021 | CSO Online
IBM’s Cybersecurity Predictions for 2017 – eForensics
https://eforensicsmag.com/ibms-cybersecurity-predictions-2017/
Top 5 Cybersecurity Threats to Watch Out for in 2017
Experts Hopeful as Confidence in Risk Assessment Falls
3,151 Comments
Tomi Engdahl says:
Doing a Startup Involving Cryptography? Get Out of the U.S.
http://spectrum.ieee.org/view-from-the-valley/at-work/start-ups/doing-a-startup-involving-cryptography-get-out-of-the-us
“There’s no better place than Singapore to do a deep tech startup, particularly anything involving cryptography.” So says Brijesh Pande, founder and managing partner of the Tembusu ICT Fund, a Singapore-based software-focused venture capital fund.
Here in Singapore, Pande says, “We have no requirement for a security back door. The fact that the NSA [National Security Agency] requires U.S. companies to provide a back door makes technology developed in the U.S. less trusted around the world.”
Hughes, who before decamping to Singapore founded several companies, including U.S.-based Ciphertrust and Philippine-based Infoweapons, says it’s just too difficult to do cyber security products in the U.S. these days. “The NSA requires weakened algorithms and back doors, so you have to assume all IT products in the U.S. are compromised.” That, he says, makes it hard to market them around the world.
Tomi Engdahl says:
Android Backdoor GhostCtrl can Silently Record Your Audio, Video, and More
https://blog.trendmicro.com/trendlabs-security-intelligence/android-backdoor-ghostctrl-can-silently-record-your-audio-video-and-more/
The information-stealing RETADUP worm that affected Israeli hospitals is actually just part of an attack that turned out to be bigger than we first thought—at least in terms of impact. It was accompanied by an even more dangerous threat: an Android malware that can take over the device.
Tomi Engdahl says:
Marissa Lang / San Francisco Chronicle:
Inside San Francisco’s KQED as it operates in low-tech mode after a June ransomware attack — The journalists at San Francisco’s public TV and radio station, KQED, have been stuck in a time warp. — All Internet-connected devices, tools and machinery have been cut off in an attempt …
Ransomware attack puts KQED in low-tech mode
http://www.sfchronicle.com/business/article/Ransomware-attack-puts-KQED-in-low-tech-mode-11295175.php
The journalists at San Francisco’s public TV and radio station, KQED, have been stuck in a time warp.
All Internet-connected devices, tools and machinery have been cut off in an attempt to isolate and contain a ransomware attack that infected the station’s computers June 15. More than a month later, many remain offline.
Though the stations’ broadcasts have been largely uninterrupted — minus a half-day loss of the online stream on the first day of the attack — KQED journalists said every day has brought new challenges and revealed the immeasurable ways the station, like many businesses today, has become dependent on Internet-connected devices.
“It’s like we’ve been bombed back to 20 years ago, technology-wise,” said Queena Kim, a senior editor at KQED. “You rely on technology for so many things, so when it doesn’t work, everything takes three to five times longer just to do the same job.”
Tomi Engdahl says:
Eva Dou / Wall Street Journal:
China’s censors ramp up filtering of photo and video messages, disrupting apps like WhatsApp and WeChat following the death of political dissident Liu Xiaobo
China’s Stopchat: Censors Can Now Erase Images Mid-Transmission
Internet police step up their ability to filter photos
https://www.wsj.com/articles/chinas-stopchat-censors-can-now-erase-images-mid-transmission-1500363950
Tomi Engdahl says:
Emil Protalinski / VentureBeat:
Google rolls out new security warnings for G Suite and Apps Script following May’s Google Docs phishing attacks
Google rolls out new warnings for G Suite and Apps Script
https://venturebeat.com/2017/07/18/google-rolls-out-new-warnings-for-g-suite-and-apps-script/
Google today started rolling out new warnings for G Suite and Apps Script to inform users about the potential dangers of new web apps. The company also plans to expand its verification process to existing apps “in the coming months.”
Although Google won’t say so explicitly, this is a response to the widespread “Google Docs” phishing email that affected many Google users in May. At the time, Google disabled the accounts responsible for abusing the OAuth authorization. A week later the company tightened the review process for web apps that request user data, and earlier this month it beefed up G Suite security with OAuth apps whitelisting. Now the company is preparing new warnings for unverified apps.
Tomi Engdahl says:
EternalSynergy-Based Exploit Targets Recent Windows Versions
http://www.securityweek.com/eternalsynergy-based-exploit-targets-recent-windows-versions
A security researcher has devised an EternalSynergy-based exploit that can compromise versions of Windows newer than Windows 8.
EternalSynergy is one of several exploits allegedly stolen by the hacker group calling themselves the Shadow Brokers from the National Security Agency (NSA)-linked Equation Group. The exploit was made public in April along with several other hacking tools, one month after Microsoft released patches for them.
Tomi Engdahl says:
Millions of Dow Jones Customer Records Exposed Online
http://www.securityweek.com/millions-dow-jones-customer-records-exposed-online
American news and financial information firm Dow Jones & Company inadvertently exposed the details of millions of its customers. The data was found online by researchers in an Amazon Web Services (AWS) S3 bucket that had not been configured correctly.
Chris Vickery of cyber resilience firm UpGuard discovered on May 30 an AWS data repository named “dj-skynet” that appeared to contain the details of 4.4 million Dow Jones customers. Dow Jones disabled access to the files only on June 6.
The files included names, customer IDs, physical addresses, subscription details, the last four digits of credit cards and, in some cases, phone numbers belonging to individuals who subscribed to Dow Jones publications such as The Wall Street Journal and Barron’s.
One of the exposed files stored 1.6 million entries for Dow Jones Risk and Compliance, a risk management and regulatory compliance service for financial institutions.
According to UpGuard, the data was accessible because Dow Jones employees had configured the repository’s permissions to allow access to anyone with an AWS account. There are over one million Amazon cloud users and anyone can register an account for free.
Dow Jones confirmed the data leak, but claimed only 2.2 million of its customers were affected, not 4.4 million as UpGuard claims. The security firm has admitted that there could be some duplicate entries.
It’s unclear if affected customers will be notified, but in a statement to The Wall Street Journal the company downplayed the incident, arguing that there is no evidence the data was taken by anyone else and the exposed information does not pose a significant risk to users.
Cloud Leak: WSJ Parent Company Dow Jones Exposed Customer Data
https://www.upguard.com/breaches/cloud-leak-dow-jones
The UpGuard Cyber Risk Team can now report that a cloud-based file repository owned by financial publishing firm Dow Jones & Company, that had been configured to allow semi-public access exposed the sensitive personal and financial details of millions of the company’s customers. While Dow Jones has confirmed that at least 2.2 million customers were affected, UpGuard calculations put the number closer to 4 million accounts.
Tomi Engdahl says:
Tens of Thousands of Internet-Exposed Memcached Servers Are Vulnerable to Attacks
http://www.securityweek.com/organizations-slow-patch-critical-memcached-flaws
Tens of thousands of servers running Memcached are exposed to the Internet and affected by several critical vulnerabilities disclosed last year by Cisco’s Talos intelligence and research group.
In late October 2016, Talos published an advisory describing three serious flaws affecting Memcached, an open source, high performance distributed memory caching system used to speed up dynamic web apps by reducing the database load.
The vulnerabilities, tracked as CVE-2016-8704, CVE-2016-8705 and CVE-2016-8706, allow a remote attacker to execute arbitrary code on vulnerable systems by sending specially crafted Memcached commands. The flaws can also be leveraged to obtain sensitive data that could allow an attacker to bypass exploit mitigations.
The security holes were patched by Memcached developers before Talos disclosed its findings. A few months later, in late February and early March 2017, researchers conducted Internet scans to find out how many organizations had patched their installations.
http://blog.talosintelligence.com/2016/10/memcached-vulnerabilities.html
Tomi Engdahl says:
How to Reduce Risk While Saving on the Cost of Resolving Security Defects
http://www.securityweek.com/how-reduce-risk-while-saving-cost-resolving-security-defects
1. Shift Left.
2. Test earlier in the development cycle.
3. Catch flaws in design before they become vulnerabilities.
These are all maxims you hear frequently in the discussion surrounding software security. If this is not your first visit to one of my columns it is certainly not the first time you have heard it.
These maxims certainly make sense and seem logically sound, but where is the proof? Show me the “so what?” that proves their real worth to organizations. Unfortunately, there exists a paucity of empirical research on the true value of implementing these maxims. Until now.
Exploring the economics of software security
A recent article was posted by Jim Routh, CSO of Aetna, Meg McCarthy, COO and President of Aetna, and Dr. Gary McGraw, VP of Security Technology for Synopsys. The article, titled “The Economics of Software Security: What Car Makers Can Teach Enterprises,” analyzes the total cost of ownership of software and the effect of utilizing security controls early in the development process.
The Economics of Software Security: What Car Makers Can Teach Enterprises
http://www.darkreading.com/perimeter/the-economics-of-software-security-what-car-makers-can-teach-enterprises-/a/d-id/1329083
Embedding security controls early in the application development process will go a long way towards driving down the total cost of software ownership.
Tomi Engdahl says:
How to Overcome Cyber “Insecurities”
http://www.securityweek.com/how-overcome-cyber-insecurities
Being a CISO is not an easy job. It takes a certain type of person who has the right mix of passion, discipline, technical knowledge and business acumen to be able to lead their organization in the right direction. Whether they come from a technical, business or even military background, all CISOs experience a number of personal and professional roadblocks on a daily basis that challenge the ultimate success of their company’s security.
Five common cyber “insecurities” CISOs face include:
1. Staying on top of the latest threats
2. Needing to have and understand the technical sophistication for any threat
3. Fearing repercussions due to a security incident
4. Understanding the crucial basics – what data the organizations have and what is most important to protect
5. Stating their case to the board
CISOs can rest assured that their peers experience the same doubts. Some tips to stop worrying about your insecurities, and sleep better at night, are:
• Employing and managing great teams. This is definitely a must and probably something you are already doing.
• Having a high level of visibility into possible security threats. This allows you to make decisions proactively and reactively before needing to state your case to the board or prevent any negative repercussions over a security incident.
• Remembering to breathe! The role of CISO is tough, but you’re there for a reason. Have confidence in your teams and your technology.
Tomi Engdahl says:
New Research from OneLogin Finds over 50% of Ex-Employees Still Have Access to Corporate Applications
https://www.onelogin.com/company/press/press-releases/new-research-from-onelogin-finds-over-50-of-ex-employees-still-have-access-to-corporate-applications
Failure to deprovision employees has caused a data breach at 20 percent of the companies represented in the survey
San Francisco, Calif., July 13, 2017 – Despite businesses of all sizes becoming increasingly security conscious, a new study from OneLogin, the identity management provider bringing speed and integrity to the modern enterprise, reveals many businesses aren’t doing enough to guard against security threats brought on by ex-employees.
According to 20 percent of the respondents, failure to deprovision employees from corporate applications has contributed to a data breach at their organization. The research found that nearly half (48 percent) of respondents are aware of former employees who still have access to corporate applications, with 50 percent of IT decision-makers ex-employee’s accounts remaining active once they have left the company for longer than a day. A quarter (25 percent) of respondents take more than a week to deprovision a former employee and a quarter (25 percent) don’t know how long accounts remain active once the employee has left the company.
Tomi Engdahl says:
Hacker steals $7 Million in Ethereum from CoinDash in just 3 minutes
http://securityaffairs.co/wordpress/61126/cyber-crime/coindash-cyber-heist.html
Hacker steals $7 Million in Ethereum from CoinDash in just 3 minutes after the ICO launch. Attacker tricked investors into sending ETH to the wrong address.
Cybercrime could be a profitable business, crooks stole $7 Million worth of Ethereum in just 3 minutes. The cyber heist was possible due to a ‘a simple trick.‘
Hackers have stolen the money from the Israeli social-trading platform CoinDash.
Hackers were able to divert over $7 million worth of Ethereum by replacing the legitimate wallet address used for the ICO with their own.
In three minutes after the ICO launch, the attacker tricked CoinDash’s investors into sending 43438.455 Ether to the wrong address owned by the attacker.
“The CoinDash Token Sale secured $6.4 Million from our early contributors and whitelist participants and we are grateful for your support and contribution. CoinDash is responsible to all of its contributors and will send CDTs reflective of each contribution. Contributors that sent ETH to the fraudulent Ethereum address, which was maliciously placed on our website, and sent ETH to the CoinDash.io official address will receive their CDT tokens accordingly,” said the company.
However, CoinDash clarified that it would not compensate users who sent funds to the hacker’s address after the website was shut down by the company.
Tomi Engdahl says:
Jim Finkle / Reuters:
Cybersecurity startup StackRox raises $14M Series A led by Sequoia Capital, unveils first product that secures the contents of software containers
Cyber startup StackRox raises $14 million in round led by Sequoia
http://www.reuters.com/article/us-stackrox-funding-idUSKBN1A3189
Tomi Engdahl says:
Charlie Warzel / BuzzFeed:
As Twitter rolls out new products to tackle abuse from anonymous accounts, users find their reports are often overlooked or handled in an opaque way
Twitter Is Still Dismissing Harassment Reports And Frustrating Victims
https://www.buzzfeed.com/charliewarzel/twitter-is-still-dismissing-harassment-reports-and?utm_term=.avx6mAZ9q5#.wkEQnAJ24a
Even with a sharper focus on abuse in 2017, a concerning number of reports of clear-cut harassment still seem to slip through the cracks.
After a decade-long failure to effectively address harassment on its platform, Twitter has finally begun making efforts to curb its abuse problem. Last November it rolled out a keyword filter and a mute tool for conversation threads, as well as a “hateful conduct” report option. In February, the company made changes to its timeline and search designed to hide “potentially abusive or low-quality” tweets, and added a policy update intended to crack down on abusive accounts from repeat offenders. Just last week, Twitter rolled out a few more muting tools for users, including the ability to mute new (formerly known as egg) accounts, as well as accounts that don’t follow you.
And yet targeted harassment of the sort Maggie experienced continues. That may be because Twitter’s recent abuse prevention controls are a largely cosmetic solution to a systemic problem. And Twitter’s inconsistent enforcement of harassment reports suggest that perhaps the company’s algorithmic moderation systems simply aren’t as effective as the company would like to think.
Tomi Engdahl says:
Wall Street Journal:
EU’s top court set to decide if Google must apply “right to be forgotten” link removals globally, after French court refers the case
EU Court to Rule on ‘Right to Be Forgotten’ Outside Europe
Case could determine whether France can force Google to apply the right to be forgotten across the globe
https://www.wsj.com/articles/eu-court-to-rule-on-right-to-be-forgotten-outside-europe-1500470225?tesla=y&mod=e2tw
Tomi Engdahl says:
Wolfie Zhao / CoinDesk:
Ethereum startup Parity warns of flaw in v1.5+ of its wallet software, says three multi-sig wallets have been compromised and ~$30M of Ether have been stolen
$30 Million: Ether Reported Stolen Due to Parity Wallet Breach
http://www.coindesk.com/30-million-ether-reported-stolen-parity-wallet-breach/
Smart contract coding company Parity has issued a security alert, warning of a vulnerability in version 1.5 or later of its wallet software.
ADVERTISEMENT
So far, 150,000 ethers, worth $30 million, have been reported by the company as stolen, data confirmed by Etherscan.io. As reported by the startup, the issue is the result of a bug in a specific multi-sig contract known as wallet.sol. Data suggests the issue was mitigated, however, as 377,000 ethers that were potentially vulnerable to the issue were recovered by white hackers.
Parity ranked the severity of the bug as “critical” in its public remarks, urging “any user with funds in a multi-sig wallet” move their funds to a secure address.
According to Parity founder and CTO Gavin Wood, at least three ether addresses have been compromised as a result of the bug.
Tomi Engdahl says:
Paul Sawers / VentureBeat:
Avast acquires UK-based Piriform, maker of popular system cleaning program CCleaner, says it will continue to offer CCleaner as a standalone product
Avast acquires Piriform, maker of popular system cleaning program CCleaner
https://venturebeat.com/2017/07/19/avast-acquires-piriform-maker-of-popular-system-cleaning-program-ccleaner/
Tomi Engdahl says:
Jon Fingas / Engadget:
Google begins rollout of Google Play Protect, that scans apps for malware, to Android devices running Google Mobile Services 11 or later
Google’s safeguard against rogue Android apps is now available
Play Protect scans your apps to prevent malware from getting through.
https://www.engadget.com/2017/07/19/google-play-protect-rollout/
Google is acting on its promise to further guard your Android phone against rogue apps. The company tells us that it’s rolling out its Play Protect home screen to every Android device running Google Mobile Services 11 or newer. If you see it (it’s in in the Google section of your settings, under Security), you’ll know that your device has scanned apps to make sure they’re clean. You probably won’t need to look at this page very often, but it’s there if you’re ever wondering whether a sketchy-sounding Play Store app poses a threat.
Tomi Engdahl says:
Kate Brumback / AP News:
US court sentences Russian man who helped build Citadel malware, which infected ~11M computers and caused $500M+ in losses, to five years in prison
Russian man who helped develop Citadel malware gets 5 years
https://www.apnews.com/28eb79b9a9054b72b03395d5e8de6962/Russian-man-who-helped-develop-Citadel-malware-gets-5-years
A Russian man who helped develop and distribute malicious software designed to steal personal financial information was sentenced Wednesday in Atlanta to serve five years in prison.
Mark Vartanyan, also known as “Kolypto,” had pleaded guilty in March to a computer fraud charge after reaching a deal with prosecutors.
Starting in 2011, Citadel was marketed on invite-only, Russian-language internet forums used by cybercriminals, and users targeted the computer networks of major financial and government institutions around the world to steal financial account credentials and personally identifiable information, prosecutors have said. Industry estimates indicate it infected about 11 million computers worldwide and caused more than $500 million in losses.
Tomi Engdahl says:
Joseph Cox / Motherboard:
After DHS highlighted major SS7 protocol flaws, Verizon and AT&T lobbying group labelled the flaws “theoretical” in doc sent to Congress, which experts dispute
Telecom Lobbyists Downplayed ‘Theoretical’ Security Flaws in Mobile Data Backbone
https://motherboard.vice.com/en_us/article/7x9q8y/telecom-lobbyists-downplayed-theoretical-security-flaws-in-mobile-data-backbone
According to a confidential document obtained by Motherboard, wireless communications lobby group CTIA took issue with an in-depth report by the Department of Homeland Security on mobile device security, including flaws with the SS7 network.
In a white paper sent to members of Congress and the Department of Homeland Security, CTIA, a telecom lobbying group that represents Verizon, AT&T, and other wireless carriers, argued that “Congress and the Administration should reject the [DHS] Report’s call for greater regulation” while downplaying “theoretical” security vulnerabilities in a mobile data network that hackers may be able to use to monitor phones across the globe, according to the confidential document obtained by Motherboard. However, experts strongly disagree about the threat these vulnerabilities pose, saying the flaws should be taken seriously before criminals exploit them.
SS7, a network and protocol often used to route messages when a user is roaming outside their provider’s coverage, is exploited by criminals and surveillance companies to track targets, intercept phone calls or sweep up text messages. In some cases, criminals have used SS7 attacks to obtain bank account two-factor authentication tokens, and last year, California Rep. Ted Lieu said that, for hackers, “the applications for this vulnerability are seemingly limitless.”
In May, the DHS published an in-depth, 125-page report on government mobile device security, which noted that SS7 “vulnerabilities can be exploited by criminals, terrorists, and nation-state actors/foreign intelligence organizations.” DHS noted that it currently doesn’t have the authority to require carriers to perform security audits on their network infrastructure, or the authority to compel mobile carrier network owners to provide information to assess the security of these communication networks.
News Release: DHS Delivers Study on Government Mobile Device Security to Congress
https://www.dhs.gov/science-and-technology/news/2017/05/04/news-release-dhs-delivers-study-government-mobile-device
Tomi Engdahl says:
SHELLBIND IoT malware targets NAS devices exploiting SambaCry flaw
http://securityaffairs.co/wordpress/61142/malware/shellbind-iot-malware.html
The seven-year-old remote code execution vulnerability SambaCry was exploited by the SHELLBIND IoT malware to target NAS devices.
A new strain of malware dubbed SHELLBIND exploits the recently patched CVE-2017-7494 Samba vulnerability in attacks against Internet of Things devices.
SHELLBIND has infected most network-attached storage (NAS) appliances, it exploits the Samba vulnerability (also known as SambaCry and EternalRed) to upload a shared library to a writable share, and then cause the server to load that library.
This trick allows a remote attacker to execute arbitrary code on the targeted system.
Tomi Engdahl says:
Russell Brandom / The Verge:
Department of Justice and Europol announce takedown of dark web marketplaces AlphaBay and Hansa Market, both focused on drugs and fraudulent IDs — AlphaBay and Hansa Market are gone, dealing a major blow to the online drug trade — An international law enforcement effort has brought …
Feds have taken down two major dark web marketplaces
AlphaBay and Hansa Market are gone, dealing a major blow to the online drug trade
https://www.theverge.com/2017/7/20/16003046/alphabay-takedown-hansa-marketplace-fbi-europol-sessions
An international law enforcement effort has brought down two of the dark web’s largest marketplaces, AlphaBay and Hansa Market. According to a Europol announcement, AlphaBay hosted roughly $1 billion in transactions since its founding in 2014, primarily focused on drugs and fraudulent IDs. At the time of its takedown, it reached over 200,000 users and 40,000 vendors, with nearly $4 million in bitcoin stored in escrow wallets on the site.
“This is one of the most important criminal investigations of this entire year,” said Attorney General Sessions at a press briefing accompanying the announcement. “I believe that because of this operation, people around the world are safer from the threat of identity fraud and malware, and safer from deadly drugs.”
https://www.europol.europa.eu/newsroom/news/massive-blow-to-criminal-dark-web-activities-after-globally-coordinated-operation
Tomi Engdahl says:
Webcam Protection and Parental Advisor Boost Privacy in Bitdefender 2018
https://hotforsecurity.bitdefender.com/blog/webcam-protection-and-parental-advisor-boost-privacy-in-bitdefender-2018-18502.html?utm_source=SMGlobal&utm_medium=Facebook&utm_campaign=2018
From Facebook’s Mark Zuckerberg to former FBI Director James Comey, physically covering a laptop’s webcam has become the norm. That’s because hackers can tap webcams to peep inside your private life for extortion, or just because they just can.
Hackers wielding RAT (Remote Access Trojan) malware can use crafted pictures, documents and media files to trick users into downloading and installing the webcam-spying malware, letting them remotely enable or disable the webcam. Some seemingly legitimate applications may also have webcam-tapping capabilities that users are unaware of.
Recent reports released by Europol reveal that children as young as 7 years of age are targeted online for webcam blackmail and extortion.
Tomi Engdahl says:
DDoS Tools availability Online, a worrisome trend
http://securityaffairs.co/wordpress/61188/hacking/ddos-tools-online.html
Experts warn of an increased availability of DDoS tools online, many wannabe hackers download and use them without awareness on consequences.
We are all aware of the effects of a DDOS attack can have on a company not only rendering their website inaccessible, but also causing a loss in online revenue & sales.
With the release of such applications comes the added threat of users knowingly allowing backdoors to their computer systems to allow the creators access to your device to continue attacks in your absence.
Tomi Engdahl says:
Catherine Shu / TechCrunch:
Inside D-ID, an Israeli startup that’s working to make faces unrecognizable to face recognition technology while remaining true to the original image
D-ID’s tech protects your privacy by confounding face recognition algorithms
https://techcrunch.com/2017/07/20/d-ids-tech-protects-your-privacy-by-confounding-face-recognition-algorithms/
Unless you literally wear a mask all the time, it is almost impossible to completely avoid cameras and face recognition technology. Not only is this a privacy concern, but it also presents a potential liability for companies that need to protect personal data. D-ID, a startup currently taking part in Y Combinator, wants to solve the problem with tools that process images to make them unrecognizable to face recognition algorithms, but still look similar to the original picture.
Tomi Engdahl says:
No, the laws of Australia don’t override the laws of mathematics
https://www.brookings.edu/blog/techtank/2017/07/17/no-the-laws-of-australia-dont-override-the-laws-of-mathematics/?utm_medium=social&utm_source=twitter&utm_campaign=gs
attempt to force technology companies to break into end-to-end encrypted messages.”
Of course, there’s an irony in attempting to compel tech companies to compromise end-to-end encryption, which is designed to ensure that messages are encrypted at the sender’s device and remain in that state until they are decrypted at the recipient’s device. This means that even if a message is intercepted as it travels through servers controlled by the tech company that designed the messaging system, it is gibberish unless the interceptor can come up with the decryption key.
When a reporter asked Australian Prime Minister Malcolm Turnbull, “Won’t the laws of mathematics trump the laws of Australia?,” Mr. Turnbull reportedly responded “Well the laws of Australia prevail in Australia, I can assure you of that. The laws of mathematics are very commendable, but the only law that applies in Australia is the law of Australia.”
Actually, the laws of mathematics, including the mathematical framework that enables strong cryptography, apply in Australia and in every other country.
Tomi Engdahl says:
http://blog.pentestbegins.com/2017/07/21/hacking-into-paypal-server-remote-code-execution-2017/
Tomi Engdahl says:
Kevin Poulsen / The Daily Beast:
Microsoft using a trademark suit to seize control of domain names like livemicrosoft.net, to cut off Fancy Bear’s malware-controlling servers from their victims — A new offensive by Microsoft has been making inroads against the Russian government hackers behind last year’s election meddling …
Putin’s Hackers Now Under Attack—From Microsoft
http://www.thedailybeast.com/microsoft-pushes-to-take-over-russian-spies-network
Microsoft is going after Fancy Bear, the Russian hacking group that targeted the DNC, by wresting control of domain names controlled by the foreign spies.
A new offensive by Microsoft has been making inroads against the Russian government hackers behind last year’s election meddling, identifying over 120 new targets of the Kremlin’s cyber spying, and control-alt-deleting segments of Putin’s hacking apparatus.
How are they doing it? It turns out Microsoft has something even more formidable than Moscow’s malware: Lawyers.
Last year attorneys for the software maker quietly sued the hacker group known as Fancy Bear in a federal court outside Washington DC, accusing it of computer intrusion, cybersquatting, and infringing on Microsoft’s trademarks. The action, though, is not about dragging the hackers into court. The lawsuit is a tool for Microsoft to target what it calls “the most vulnerable point” in Fancy Bear’s espionage operations: the command-and-control servers the hackers use to covertly direct malware on victim computers.
Since August, Microsoft has used the lawsuit to wrest control of 70 different command-and-control points from Fancy Bear. The company’s approach is indirect, but effective. Rather than getting physical custody of the servers, which Fancy Bear rents from data centers around the world, Microsoft has been taking over the Internet domain names that route to them. These are addresses like “livemicrosoft[.]net” or “rsshotmail[.]com” that Fancy Bear registers under aliases for about $10 each.
“any time an infected computer attempts to contact a command-and-control server through one of the domains, it will instead be connected to a Microsoft-controlled, secure server.”
Tomi Engdahl says:
Satellites
Unhackable Quantum Networks Take to Space
http://spectrum.ieee.org/aerospace/satellites/unhackable-quantum-networks-take-to-space
The dream of a space-based, nigh-unhackable quantum Internet may now be closer to reality, thanks to new experiments with Chinese and European satellites.
Pan and his colleagues have set a new record for entanglement by using a satellite to connect sites on Earth separated by up to 1,203 km. The main advantage of a space-based approach is that most of the interference that entangled photons face occurs in the 10 km or so of atmosphere closest to Earth’s surface. Above that, the photons encounter virtually no problems, the researchers say.
The researchers launched the quantum science experiment satellite (nicknamed Micius) from Jiuquan, China, in 2016. It orbits the planet at a speed of roughly 28,800 kilometers per hour and an altitude of roughly 500 km.
The record distance involved photons beamed from Micius to stations in the cities of Delingha and Lijiang. The experiments transmitted entangled photons with a 10^17 greater efficiency than the best optical fibers can achieve.
Tomi Engdahl says:
Thuy Ong / The Verge:
Delta SkyMiles customers who are enrolled in CLEAR can now use fingerprint as boarding pass at Reagan Washington National Airport
Delta passengers can now use their fingerprints as a boarding pass
But only at DCA for now
https://www.theverge.com/2017/7/21/16007676/delta-fingerprint-boarding-pass
Tomi Engdahl says:
Chris Welch / The Verge:
YouTube collaborates with Jigsaw to launch Redirect Method, responding to certain keyword searches with videos that discredit extremist recruiting narratives
YouTube now responds to searches for terrorist videos with playlists that debunk extremism
https://www.theverge.com/2017/7/20/16003296/youtube-redirect-method-anti-terrorist-videos-search
YouTube is taking its next step in countering extremism and terrorist content on its platform. Today the company announced that effective immediately, YouTube will respond to certain English-language keyword searches by displaying playlists of pre-existing videos on the site that debunk and discredit “violent extremist recruiting narratives” from the Islamic State and other groups.
This strategy is called the Redirect Method, and the goal is to reach those people who might be feeling isolated and who are at risk of being radicalized through hours of absorbing violent extremist messaging and propaganda online. Jigsaw, a subsidiary of Alphabet, collaborated with Moonshot CVE to develop the counter-messaging approach as a means of applying technology to imperative global threats.
Tomi Engdahl says:
Security
No one still thinks iOS is invulnerable to malware, right? Well, knock it off
As platform’s popularity rose, so did its allure to miscreants
http://www.theregister.co.uk/2017/07/20/ios_security_skycure/
The comforting notion that iOS devices are immune to malicious code attacks has taken a knock following the release of a new study by mobile security firm Skycure.
Malicious mobile apps in Apple’s App Store are mercifully rare (XcodeGhost aside) compared to the comparative “Wild West” of the Google Play store, which has come to exist despite the Chocolate Factory’s best efforts to clamp down on the problem. However, hackers have found other ways to get malware installed, Skycure points out.
Tomi Engdahl says:
How fintech companies are trying to make cryptocurrency investments safer
https://thenextweb.com/finance/2017/07/17/how-fintech-companies-are-trying-to-make-cryptocurrency-investments-safer/?utm_source=facebook.com&utm_medium=cpc&utm_campaign=SP-Exante-How-fintech-companies-are-trying-to-make-cryptocurrency-investments-safer&utm_content=SP-Exante-How-fintech-companies-are-trying-to-make-cryptocurrency-investments-safer-TNW-Audience&utm_term=SP-Exante-How-fintech-companies-are-trying-to-make-cryptocurrency-investments-safer-TNW-Audience-Copy-1#.tnw_5QiZWDVD
Trading in cryptocurrencies like Ethereum, Ripple and Litecoin can be complicated and not without risk. Fintech companies are offering easier and safer methods.
Remember when cryptocurrencies used to be straightforward, revolutionary and weirdly romantic-capitalist? A bunch of cypherpunks were going to topple the monetary system from a subreddit and everything would be all sunshine and rainbows? It doesn’t seem that fun anymore. There’s infighting, hacks, distrust mixed with a pinch of pure greed.
What happened?
The main thing that happened is that these idealistic cypherpunks met cold capitalism in the form of well funded, hyper-organized cartels that weren’t interested in the culture behind the cryptocurrency movement, but just cold dead profit.
Tomi Engdahl says:
Haseeb Qureshi / freeCodeCamp:
Recent $30M+ hack of Parity wallets shows programmers need to rethink the “move fast and break things” mindset when it comes to blockchain and security
A hacker stole $31M of Ether — how it happened, and what it means for Ethereum
https://medium.freecodecamp.org/a-hacker-stole-31m-of-ether-how-it-happened-and-what-it-means-for-ethereum-9e5dc29e33ce
Yesterday, a hacker pulled off the second biggest heist in the history of digital currencies.
Around 12:00 PST, an unknown attacker exploited a critical flaw in the Parity multi-signature wallet on the Ethereum network, draining three massive wallets of over $31,000,000 worth of Ether in a matter of minutes. Given a couple more hours, the hacker could’ve made off with over $180,000,000 from vulnerable wallets.
But someone stopped them.
Having sounded the alarm bells, a group of benevolent white-hat hackers from the Ethereum community rapidly organized. They analyzed the attack and realized that there was no way to reverse the thefts, yet many more wallets were vulnerable. Time was of the essence, so they saw only one available option: hack the remaining wallets before the attacker did.
By exploiting the same vulnerability, the white-hats hacked all of the remaining at-risk wallets and drained their accounts, effectively preventing the attacker from reaching any of the remaining $150,000,000.
Yes, you read that right.
To prevent the hacker from robbing any more banks, the white-hats wrote software to rob all of the remaining banks in the world. Once the money was safely stolen, they began the process of returning the funds to their respective account holders. The people who had their money saved by this heroic feat are now in the process of retrieving their funds.
It’s an extraordinary story, and it has significant implications for the world of cryptocurrencies.
It’s important to understand that this exploit was not a vulnerability in Ethereum or in Parity itself. Rather, it was a vulnerability in the default smart contract code that the Parity client gives the user for deploying multi-signature wallets.
This is all pretty complicated
Tomi Engdahl says:
Millions of IoT devices hit by ‘Devil’s Ivy’ bug in open source code library
Devil’s Ivy is likely to remain unpatched for a long time: “code reuse is vulnerability reuse”.
http://www.zdnet.com/article/millions-of-iot-devices-hit-by-devils-ivy-bug-in-open-source-code-library/
A flaw in a widely-used code library known as gSOAP has exposed millions of IoT devices, such as security cameras, to a remote attack.
Researchers at IoT security firm Senrio discovered the Devil’s Ivy flaw, a stack buffer overflow bug, while probing the remote configuration services of the M3004 dome camera from Axis Communications. The bug occurs when sending a large XML file to a vulnerable system’s web server.
The flaw itself lies in gSOAP, an open source web services code library maintained by Genivia, which is imported by the Axis camera’s remote configuration service. Senrio researchers were able to use the flaw to continually reboot the camera or change network settings and block the owner from viewing the video feed.
They were also able to reset the camera to factory default, which will prompt the attacker to change the credentials, giving them exclusive access to the camera feed.
Axis Communications confirmed that 249 of its 251 surveillance camera models were affected by the flaw, tagged as CVE-2017-9765. It released a firmware update on July 10 to address the issue.
Axis Communications’ cameras are widely used by enterprise firms across the globe, including in healthcare, transport, government, retail, banking, and critical infrastructure.
But as the security firm notes, this bug “goes far beyond” Axis communications kit thanks to gSOAP’s widespread use and will likely remain exposed on devices for a long time. Genivia counts Adobe, IBM, Microsoft, and Xerox as customers and claims gSOAP has been downloaded more than a million times.
The bug also appears to affect several Linux distributions too, which since Senrio’s report, are now responding to Genivia’s patch from June 21.
Hack Brief: ‘Devil’s Ivy’ Vulnerability Could Afflict Millions of IoT Devices
https://www.wired.com/story/devils-ivy-iot-vulnerability/
The security woes of the internet of things stem from more than just connecting a bunch of cheap gadgets to a cruel and hacker-infested internet. Often dozens of different vendors run the same third-party code across an array of products. That means a single bug can impact a startling number of disparate devices. Or, as one security company’s researchers recently found, a vulnerability in a single internet-connected security camera can expose a flaw that leaves thousands of different models of device at risk.
On Tuesday, the internet-of-things-focused security firm Senrio revealed a hackable flaw it’s calling “Devil’s Ivy,” a vulnerability in a piece of code called gSOAP widely used in physical security products, potentially allowing faraway attackers to fully disable or take over thousands of models of internet-connected devices from security cameras to sensors to access-card readers. In all, the small company behind gSOAP, known as Genivia, says that at least 34 companies use the code in their IoT products.
While internet of things devices might be the most vulnerable to the Devil’s Ivy flaw, Tanji points out that companies including IBM and Microsoft are exposed as well
Not every security researcher shares quite that code-red sense of urgency. H.D. Moore, a well-known internet-of-things researcher for consulting firm Atredis Partners who reviewed Senrio’s findings, points out that the attack would have to be configured separately for each vulnerable device or application, and requires sending two full gigabytes of data to a target, what he describes as a “silly” amount of bandwidth. But he nonetheless sees it as a significant and widespread bug—and an illustration of the danger of reusing code from a small company across tens of millions of gadgets. “This vulnerability highlights how supply chain code is shared across the Internet of Things,” he writes. “With IoT, code reuse is vulnerability reuse.”
Senrio’s research began last month, when its researchers found a vulnerability known as a buffer overflow in the firmware of a single security camera from Swedish security camera maker Axis Communications. They say the bug would allow a hacker who can send a two-gig payload of malicious data to run any code they chose on that camera, potentially disabling it, installing malware on it or even intercepting or spoofing its video stream. And the attack, they soon discovered, worked for not just that one camera model, but any of the 249 Axis offers.
Axis quickly released a patch for the vulnerability.
gSOAP code is used—among other things—to implement a protocol called ONVIF, or Open Network Video Interface Forum, a networking language for security cameras and other physical security devices used by the ONVIF consortium, whose nearly 500 members include companies like Bosch, Canon, Cisco, D-Link, Fortinet, Hitachi, Honeywell, Huawei, Mitsubishi, Netgear, Panasonic, Sharp, Siemens, Sony, and Toshiba.
Just which of those hundreds of member companies use gSOAP—and might have left their products vulnerable as a result—isn’t clear. In a phone call with WIRED, Genivia founder and gSOAP creator Robert van Engelen said 34 ONVIF companies used gSOAP as paying customers, but declined to say which ones.
Van Engelen also noted that his software is open-source, so other companies may use it without his knowledge.
Bosch spokesperson said its products are not affected by the vulnerability. A Cisco spokesperson said the company is “aware of the matter and is monitoring” but declined to say—or perhaps didn’t yet know—whether its products are vulnerable.
Using the internet-scanning tool Shodan, Senrio found 14,700 of Axis’s cameras alone that were vulnerable to their attack—at least, before Axis patched it. And given that’s one of the dozens of ONVIF companies alone that use the gSOAP code, Senrio’s researchers estimate the total number of affected devices in the millions.
“I can’t tell for sure if they applied the patch,” he says of the 34 ONVIF equipment vendors. “That’s their responsibility.”
Whether devices are truly protected will depend on both the companies that use gSOAP making that patch available, and then on whether customers install it. Like most internet of things gadgets, the devices affected by Senrio’s bug don’t necessarily have automatic updates, or careful administrators maintaining them.
For the inevitable fraction of devices that aren’t patched, Devil’s Ivy may still not lend itself to a mass IoT meltdown. The majority of vulnerable devices that use the ONVIF protocol hide behind firewalls and other kinds of network segmentation, making them harder to find and exploit
And the need to send two full gigabytes of malicious data to target devices means a Devil’s Ivy attack tool can’t exactly be sprayed across the internet
Its importance may rest, Moore says, in its example of how broadly a single bug can permeate these kinds of devices. “IoT affects our lives far more intimately than desktops,” he says. “The prevalence of this vulnerability reminds us that without security for all the little computerized devices that we rely on, we’re standing on a house of cards.” That house’s stability depends not just on the company you bought your device from, but every unnamed vendor that wrote the obscure corners of its codebase.
Tomi Engdahl says:
FBI to parents: Beware, your kid’s smart toy could be a security risk
The FBI outlines the risks of giving your children a smart toy.
http://www.zdnet.com/article/fbi-to-parents-beware-your-kids-smart-toy-could-be-a-security-risk/
The FBI has warned parents that internet-connected toys could pose privacy and “contact concerns” for children.
The FBI on Monday released a public service announcement (PSA) warning that smart toy sensors such as microphones, cameras, and GPS raise a concern for the “privacy and physical safety” of children.
“These features could put the privacy and safety of children at risk due to the large amount of personal information that may be unwittingly disclosed,” it warns.
Consumer Notice: Internet-Connected Toys Could Present Privacy and Contact Concerns for Children
https://www.ic3.gov/media/2017/170717.aspx
The FBI encourages consumers to consider cyber security prior to introducing smart, interactive, internet-connected toys into their homes or trusted environments. Smart toys and entertainment devices for children are increasingly incorporating technologies that learn and tailor their behaviors based on user interactions. These toys typically contain sensors, microphones, cameras, data storage components, and other multimedia capabilities – including speech recognition and GPS options. These features could put the privacy and safety of children at risk due to the large amount of personal information that may be unwittingly disclosed.
Tomi Engdahl says:
Encryption: In the battle between maths and politics there is only one winner
End-to-end encryption is a reality, it’s better to deal with it than hope to ban it.
http://www.zdnet.com/article/encryption-in-the-battle-between-maths-and-politics-there-is-only-one-winner/
Here we go again: the Australian government is the latest to plan new laws that will require companies to be able to unscramble encrypted communications.
In particular, the government wants tech companies to be able to hand over communications currently protected by end-to-end encryption, which scrambles messages so they can only be read by the sender and the recipient, and not by the tech company itself.
“The laws of Australia prevail in Australia, I can assure you of that,” Australian Prime Minister Malcolm Turnbull told reporters. “The laws of mathematics are very commendable, but the only law that applies in Australia is the law of Australia.”
The Australian stance is modelled on the one taken by the UK government, which last year passed the Investigatory Powers Act that aims to do something similar.
Here’s the problem. It’s not realistic to legislate encryption out of existence. You can’t outlaw the application of maths. Even 20 years ago, when it was relatively rare and harder to use, governments accepted that that the benefits of encryption — like privacy and security — vastly outweighed the genuine concerns that encryption could help bad people to do evil in secret.
And it’s worth remembering that many companies started to use end-to-end encryption recently to protect their customers’ data precisely because intelligence agencies around the world have been shown to have a tendency to scoop up as much data as they can, whenever they can.
The new UK law demonstrates these difficulties, and it’s worth looking at how it has played out. This law requires UK internet companies to be able to remove any encryption they apply to messages. That makes it hard for any UK company to offer an end-to-end encrypted service themselves, but there’s at least one major issue with this: UK law only extends so far, and the tech industry is a global one.
Few of the companies that offer the secure (end-to-end encrypted) services that worry the government are actually based in the UK.
Persuading companies to change the way they run their business just for the UK market is unlikely to succeed. And, even if the biggest companies could be forced to change their policies, which is deeply unlikely, then criminals could easily find another company, somewhere in the world, that will offer them an encrypted service. Or they could even build one themselves.
Banning end-to-end encryption would make it easier to snoop on some conversations, for sure. But it’s likely to have a bigger effect on disorganised crime — crooks that don’t know how to or care about covering their tracks.
There is a benefit in being able to tackle any crime, of course, but it’s worth being at least aware that any local — that is, national — ban on encryption is likely to have an extremely limited impact on organised criminals.
But what a ban will certainly do is weaken security for tens of millions of people.
Australia is now King Idiot of the internet
http://www.zdnet.com/article/australia-is-now-king-idiot-of-the-internet/
A middle-power nation thinking it can tell US-based multinationals which parts of mathematics they can and cannot use — we deserve to be sent to time out.
For a western democracy, Australia has certainly punched above its weight when it comes to trying to implement absolutely stupid ideas.
In the midst of a mandatory internet filter debate in 2012, Australia was placed on the Enemies of the Internet watch list, and deservedly so.
And last week, the Prime Minister of Australia Malcolm Turnbull told ZDNet that the laws produced in Canberra are able to trump the laws of mathematics.
“The laws of Australia prevail in Australia, I can assure you of that,” he said on Friday. “The laws of mathematics are very commendable, but the only law that applies in Australia is the law of Australia.”
Australia has made the running for the Five Eyes nations — the United States, United Kingdom, Canada, Australia, and New Zealand — on the topic of encryption and the problems it poses for law enforcement.
At the heart of Australia’s push is the idea that there needs to be an online equivalent of a lawful phone tap, and the uptake of end-to-end encrypted messaging systems is making it hard for law enforcement. It’s not an unreasonable argument that there are a small number of people that need to be monitored by law enforcement, it has always been so, but the nation’s leaders have been completely vague and circumspect in detailing what it is that they want, and how the authorities go about it.
Taken together, it appears the Australian government is proposing one of the following: That providers of encrypted messaging services create a backdoor for themselves to allow decryption to occur whenever the cops or spies demand it, or the service providers are forced to man-in-the-middle their own protocols; as for handset makers, they have been warned they will need to co-operate with law enforcement and may entail having to push compromised operating systems or messaging applications onto suspects, or inform the government when they are notified of a 0-day bug, and give the government time to compromise their targets; or all of the above.
The core issue is that all these schemes boil down to putting a genie back in the bottle, and to mix analogies, not only has the encrypted messaging horse bolted, but it is three paddocks over and never coming back to the stable.
Australian culture has a particularly awful “love it or leave it” saying, and in the instance of Canberra trying to dictate to multinationals how their products should work, and what features they have, or demanding a new compromised update system, the “leave it” option could always be used.
The state of the metadata retention scheme is a good example of this
In the recent debate surrounding the collection of GST by online vendors such as eBay and Alibaba, the Australian Taxation Office said it was leaving the prospect of blocking auction sites that did not collect the tax on the table,
Tomi Engdahl says:
Russia Moves to Ban Tools Used to Surf Outlawed Websites
http://www.securityweek.com/russia-moves-ban-tools-used-surf-outlawed-websites
Russia’s parliament on Friday voted to outlaw web tools that allow internet users to sidestep official bans of certain websites, the nation’s latest effort to tighten controls of online services.
Members of the lower house, the Duma, passed the bill to prohibit the services from Russian territory if they were used to access blacklisted sites.
The bill instructs Russia’s telecommunications watchdog Roskomnadzor to compile a list of anonymizer services and prohibit any that fail to respect the bans issued in Russia on certain websites.
The proposed law still has to be approved by the upper chamber of parliament and then by President Vladimir Putin.
Several internet-based groups in Russia have condemned it as too vaguely formulated and too restrictive.
The Duma also approved moves Friday to oblige anyone using an online message service to identify themselves with a telephone number.
Tomi Engdahl says:
Network Spreading Capabilities Added to Emotet Trojan
http://www.securityweek.com/network-spreading-capabilities-added-emotet-trojan
Researchers at Fidelis Cybersecurity have spotted a variant of the Emotet Trojan that has what appears to be a feature designed to help the malware spread on internal networks.
The recent WannaCry and NotPetya incidents have demonstrated how efficient an attack can be if the malware includes a component that allows it to spread from one system to another. Given the success of these operations, other cybercriminals may also be looking to incorporate similar capabilities into their malware.
Emotet, also known as Geodo, is related to the Dridex and Feodo (Cridex, Bugat) malware families. Emotet has mainly served as a banking Trojan, helping cybercriminals steal banking credentials and other sensitive information from users in Europe and the United States.
Tomi Engdahl says:
Undetected For Years, Stantinko Malware Infected Half a Million Systems
http://www.securityweek.com/undetected-years-stantinko-malware-infected-half-million-systems
A massive botnet that remained under the radar for the past five years managed to infect around half a million computers and allows operators to “execute anything on the infected host,” ESET researchers warn.
Dubbed Stantinko, the botnet has powered a massive adware campaign active since 2012, mainly targeting Russia and Ukraine, but remained hidden courtesy of code encryption and the ability to rapidly adapt to avoid detection by anti-malware solutions.
Targeting users looking for pirated software, the actors behind the malware use an app called FileTour as the initial infection vector. The program installs a variety of programs on the victim’s machine, while also launching Stantinko in the background.
The massive botnet is used mainly to install browser extensions that in turn perform ad injections and click fraud, but malicious Windows services are used to execute a broad range of operations: backdoor activities, searches on Google, and brute-force attacks on Joomla and WordPress administrator panels, ESET reveals.
Stantinko: A massive adware campaign operating covertly since 2012
https://www.welivesecurity.com/2017/07/20/stantinko-massive-adware-campaign-operating-covertly-since-2012/
Tomi Engdahl says:
Symantec Tricked Into Revoking Certificates Using Fake Keys
http://www.securityweek.com/symantec-tricked-revoking-certificates-using-fake-keys
Researcher Hanno Böck has tricked Symantec into revoking TLS certificates by falsely claiming that their private keys had been compromised. Comodo was also targeted, but the company did not fall for the same ruse.
Certificate authorities (CAs) are required to revoke certificates whose private keys have been compromised within 24 hours. Keys are often inadvertently exposed by certificate owners and previous research by Böck showed that while it often takes companies more than 24 hours, ultimately they do revoke compromised certificates.
Böck then decided to check if CAs ensure that an allegedly compromised private key actually belongs to a certificate before revoking it.
Tomi Engdahl says:
Citadel Author Sentenced to Five Years in Prison
http://www.securityweek.com/citadel-author-sentenced-five-years-prison
A Russian man this week was sentenced to five years in prison for his involvement in the development and maintenance of the Citadel banking malware.
Known under the handle of “Kolypto,” Mark Vartanyan was arrested in Norway and extradited to the United States in December 2016. In March 2017, he pleaded guilty in court. Charged with one count of computer fraud, he will serve his sentence in federal prison.
Tomi Engdahl says:
U.S., European Police Say ‘Dark Web’ Markets Shut Down
http://www.securityweek.com/us-european-police-say-dark-web-markets-shut-down
Washington – US and European police on Thursday announced the shutdown of two huge “dark web” marketplaces that allowed the anonymous online trade of drugs, hacking software and guns.
Underground websites AlphaBay and Hansa Market had tens of thousands of sellers of deadly drugs like fentanyl and other illicit goods serving more than 200,000 customers worldwide.
AlphaBay, the largest dark web market, had been run out of Thailand by a 25-year-old Canadian, Alexandre Cazes, who was arrested two weeks ago.
Tomi Engdahl says:
Avast Acquires CCleaner Developer Piriform
http://www.securityweek.com/avast-acquires-ccleaner-developer-piriform
Antivirus firm Avast announced on Wednesday the acquisition of Piriform, a London, UK-based company that develops the popular cleaning and optimization tool CCleaner.
While the Piriform staff will join Avast’s consumer business unit, the antivirus company wants to keep Piriform products separate from its current system optimization offering, which includes Avast Cleanup and AVG TuneUp. Avast acquired AVG last year.
Tomi Engdahl says:
Apple Patches Vulnerabilities Across All Platforms
http://www.securityweek.com/apple-patches-vulnerabilities-across-all-platforms
Apple this week released security patches for all four of its operating systems to resolve tens of security bugs in each of them.
The tech giant addressed 37 vulnerabilities with the release of macOS Sierra 10.12.6 (and Security Update 2017-003 El Capitan and Security Update 2017-003 Yosemite). The vast majority of the issues could result in arbitrary code execution. Impacted components include audio, Bluetooth, contacts, Intel graphics driver, kernel, libarchive, and libxml2, Apple reveals.
The release of iOS 10.3.3 adressed 47 vulnerabilities, many allowing for arbitrary code execution and some for unexpected application termination or information disclosure. WebKit was the most affected component, with over 20 bugs squashed in it. Kernel, Safari, messages, contacts, libarchive, and libxml2 were also among the affected components.
Tracked as CVE-2017-9417 and affecting Broadcom’s BCM4354, 4358, and 4359 chips, one of the vulnerabilities could allow an attacker within range to execute arbitrary code on the Wi-Fi chip. Because said chips are used in various smartphones, including devices from HTC, LG, and Samsung, Google too addressed the issue with its latest Android patches.
Tomi Engdahl says:
Security Automation is About Trust, Not Technology
http://www.securityweek.com/security-automation-about-trust-not-technology
We Can Automate the Action, Without Automating the Decision…
One of the consistent feedback points has been that automation is highly desirable, at least by security teams. But this desire has been inhibited by doubt and fear. Doubt about the accuracy of the detection of threats, and fear of the consequences of automating the containment or mitigation responses and the prospect of detrimental impact and damage resulting from doing this wrong.
For those of us who have been active in cybersecurity for a long time, this is not a new phenomenon. We remember the promise of Antispam and Intrusion Prevention Systems, and the chaos these caused based on too much confidence in their ability to reliably identify anomalies and attacks.
Many organizations own an IPS, but run it in non-blocking mode, demoting them to Intrusion Detection Systems. This trend has not abated, with organizations that have automation capabilities built into existing technologies such as Security Information and Event Management, Endpoint Detection & Response and Security Automation & Orchestration solutions not trusting these to automate much beyond basic tasks such as sending out notifications or running a threat intelligence query.
This despite detection capabilities having dramatically improved, especially using behavioural modelling and machine-learning driven approaches. This really comes back to the adage that you should never try and solve a social problem through technology. Because the problem is not based on technology – it is based on trust, or rather the lack of it. The three basic principles involved in this are:
The SecOps team can assess the impact of the risk, but NOT the impact on production.
You can automate the actions, but not the decision
You can expand automation as trust and confidence increases
An automation may be safe in one business unit, but not acceptable in another. This process must support granularity, whether when gathering metrics or configuring the automations. Ideally, whatever automation technology you use must support this approach and provide the metrics that this requires. Technology can help to build trust, but when all is said and done, it’s going to require that it is experienced by the people you expect to trust you.
Tomi Engdahl says:
The Art of Measuring Security Success
http://www.securityweek.com/art-measuring-security-success
It’s Time to Stop Measuring Security Success by Only Internal, Readily-available Metrics
As the budget planning season approaches, discussions of how to measure security success to justify resource allocation or expansion return to the agenda. There are plenty of great articles that can help you identify security metrics to demonstrate the value of security programs, but before leaping to the selection of metrics, we must first define success. This can be more of an art rather than science.
Security tools are also good at telling us how many attacks we’ve thwarted, how many systems we have hardened or how many authentications require a second factor. We also get reports on how our controls measure up to our policies through compliance audits. While it’s easy to rely on metrics that are readily available, how does one determine which metrics are actually a measure of security success as it pertains to the overall business priorities?
Mature organizations tend to focus on measuring risks and how they are being mitigated, which is ultimately what IT security is all about. But even the best organizations can fall into the trap of evaluating themselves against the wrong criteria.
To really measure achievements in security programs, we must first define what success looks like.
Who defines success?
Measure for business health
Tomi Engdahl says:
Overcoming Appeasement: Think About Risk From the Business Out
http://www.securityweek.com/overcoming-appeasement-think-about-risk-business-out
For a couple of decades now, the career path of a cybersecurity professional has been evolving just like the rest of the tech industry. Years ago the top title was the dedicated “security officer,” who was generally also the CIO, the CFO, or some other officer of the company.
Of course all the IT security pros felt that role should reside with them, so eventually it did, and even more eventually we created a role called the CISO, the chief information security officer.
The problem with the CISO role today is that it holds a C-level title but may not always be at the C-level. In your typical organization, you might have the CEO, the COO, the CIO, and then the CISO — a C-level title that’s three steps down the chain.
That’s not the C-suite, folks—it’s appeasement. It’s title inflation meant to quiet an increasingly important group that wants a stronger seat at the table.
So how does our CISO profession continue to evolve and gain that seat?
First, we have to stop giving the security community a bad name by being the “no” people. For too long we’ve had a centralized view that security is of higher importance than the business itself. We can’t keep taking an adversarial approach.
The CISOs who have been highly successful are those who made themselves an integral part of the business. Maybe they have a couple dozen compliances, but they’re not simply demanding compliance reports. Your most successful CISO is usually one whose primary goal is to make the business successful.
Any time we’re dealing with a critical business process, first and foremost that process needs to sustain. The CISO needs to start there, and develop a control profile designed to mitigate risk while enabling business to continue seamlessly.
The way to do that is to truly understand every process that powers the company. Before we ever do a risk analysis, it’s critical to know the business inside and out. Today it is a key skill to truly understand the business organism and be able to articulate how it lives. That means the entire business process — from somebody creating an order, to distributing something from a warehouse, to understanding the value of every cog that exists.
Knowing the business inside and out makes it easy to articulate areas of weakness. The real differentiator for a CISO who has a true seat at the executive table lies in that ability to correlate a real understanding of the business to threats and risks, and then communicate those threats back to the company in business language. Only then will executives understand the implications and impact of those threats and the relative importance of any mitigations.
In this way we become partners who justify and enable business decisions — while maintaining the position and authority necessary to have difficult conversations about risk when necessary.
Tomi Engdahl says:
Defenders Gaining on Attackers, But Attacks Becoming More Destructive: Cisco
http://www.securityweek.com/defenders-gaining-attackers-attacks-becoming-more-destructive-cisco
Cisco Publishes 2017 Midyear Cybersecurity Report
Cisco’s just-released Midyear Cybersecurity Report (PDF) draws on the accumulated work of the Cisco Security Research members. The result shows some improvement in industry’s security posture, but warns about the accelerating pace of change and sophistication in the global cyber threat landscape.
Improvements can be demonstrated by the mean ‘time to detect.’ When monitoring first began in November 2015, this stood at 39 hours; but it narrowed to about 3.5 hours in the period from November 2016 to May 2017.
Against this, however, Cisco warns that the pace of technology is creating an ever-increasing threat surface that needs to be protected. “Lack of visibility into dynamic IT environments,” notes the report, “the risks presented by “shadow IT,” the constant barrage of security alerts, and the complexity of the IT security environment are just some reasons resource-strapped security teams struggle to stay on top of today’s evasive and increasingly potent cyber threats.”
The report analyzes existing threats, comments on evolving attack methodologies, and makes two worrying predictions about the increasing ruthlessness of attackers. The first prediction is that any apparent current lull in the use of IoT-based large-scale DDoS is no reason for optimism. “Botnet activity in the IoT space suggests some operators may be focused on laying the foundation for a wide-reaching, high-impact attack that could potentially disrupt the Internet itself,” says Cisco.
Cisco’s second concern is over the potential evolution of ransomware into a threat designed to lock down systems and destroy data as part of the attack process. It calls this threat, Destruction of Service (DeOS); and we may have already seen its nascence in NotPetya .
In financial value to the attacker, Cisco points out that ransomware is far less fruitful than the business email compromise (BEC) attack. “US$5.3 billion was stolen due to BEC fraud between October 2013 and December 2016. In comparison, ransomware exploits took in US$1 billion in 2016,” says the report.
http://www.cisco.com/c/dam/m/digital/elq-cmcglobal/witb/1456403/Cisco_2017_Midyear_Cybersecurity_Report.pdf
Tomi Engdahl says:
IoT Thermostat Bug Allows Hackers to Turn Up the Heat
https://blog.newskysecurity.com/iot-thermostat-bug-allows-hackers-to-turn-up-the-heat-948e554e5e8b
The field of traditional computer security deals with a myriad of issues like data theft or sabotage. However, when it comes to IoT security, the consequences of a successful attack can be even more diverse. In this post, we discuss an IoT Smart Thermostat bug and how a hacker leveraged it to raise the control temperature by 12 C (~22 F) degrees.
Commodity IoT malware vs Targeted IoT attack
The most common purpose of IoT malware has been to form a botnet of zombie devices (such as routers or cameras) to launch denial of service attacks. Authors program such malware to look for default passwords and exploits for smart devices (which are abundant) so that their botnet army is huge. Smart thermostats on the other hand will not be as big a pool of devices
If such devices can be controlled, however, one can perform actions like changing and controlling temperature which have the potential to cause physical discomfort (or even harm in extreme cases) to the target environment.