Security trends 2017

3,151 Comments

1. August 17, 2017 at 2:17 pm

   Tomi Engdahl says:

   Information Security Spending to Reach $93 Billion in 2018: Gartner
   http://www.securityweek.com/information-security-spending-reach-93-billion-2018-gartner

   Gartner has predicted that worldwide information security spending will reach $86.4 billion in 2017; a seven percent growth over the year. Spending is expected to increase to $93 billion in 2018.

   The fastest growing sector is security services; especially in IT outsourcing, consulting and implementation services. The only area where growth is likely to slow down is hardware support services, which are becoming less necessary with the continuing adoption of virtual appliances, public cloud and Security as a Service (SaaS) solutions.

   Much of the growth is thus expected to come from upgrading the IT infrastructure to a perceived more secure posture than by simply buying additional security products.

   “Improving security is not just about spending on new technologies,” said Sid Deshpande, principal research analyst at Gartner. “As seen in the recent spate of global security incidents, doing the basics right has never been more important. Organizations can improve their security posture significantly just by addressing basic security and risk related hygiene elements like threat centric vulnerability management, centralized log management, internal network segmentation, backups and system hardening,” he said.

   Faster growth is likely to come from the security testing market, particularly in relation to application security testing as part of DevOps.

   “Thycotic research on DevOps security practices,” he told SecurityWeek, “has shown that more than 60% of DevOps organizations are not managing credentials in scripts in any way. This is a major security problem that needs to be addressed immediately, especially as more breaches are making the news, and people realize that the way into an organization is to find the department with the weakest security practice and get to work infiltrating.”

   Reply
2. August 17, 2017 at 2:18 pm

   Tomi Engdahl says:

   Pulse Wave DDoS Attacks Disrupt Hybrid Defenses
   http://www.securityweek.com/pulse-wave-ddos-attacks-disrupt-hybrid-defenses

   A new method of launching distributed denial-of-service (DDoS) attacks dubbed “pulse wave” can be highly effective against organizations using “appliance first, cloud second” hybrid mitigation solutions, Imperva Incapsula warned on Wednesday.

   The cloud-based security services provider has seen pulse wave DDoS attacks being launched over the past few months, some of them lasting for days and reaching as much as 350 gigabits per second (Gbps).

   Typical DDoS attacks show a sawtooth pattern when visualized on a graph due to the ramp-up time needed for cybercriminals to mobilize botnets and reach their maximum potential.

   In the case of pulse wave attacks, there is no ramp-up period — the DDoS traffic peaks almost immediately and drops shortly after. The process is repeated at regular intervals, which indicates that the attackers have precise control over their botnets.

   Experts believe the malicious actors are capable of switching targets on-the-fly. A web resource can often be disrupted quickly with a powerful DDoS attack, but it can take hours for it to recover. That is why threat groups can launch an attack on one target, then quickly move to a different target, and then return to the initial target. During the time when there is no activity on the graph, the attack is likely aimed at another victim.

   According to Imperva Incapsula, the peak capacity is reached within a few seconds and a new pulse is launched roughly every 10 minutes. Assaults last for at least one hour, but in most cases they can go on for several hours and even days.

   Reply
3. August 17, 2017 at 2:20 pm

   Tomi Engdahl says:

   Independence Now and Forever: How to Grow Blockchain Securely
   http://www.securityweek.com/independence-now-and-forever-how-grow-blockchain-securely

   Any technological innovation these days – whether it’s IoT, artificial intelligence or another trend that impacts users’ lives on a broad scale – comes with its own inherent security risks and considerations. Take, for example, blockchain, the digital ledger that provides a record of transactions, most notably those made in bitcoin or another cryptocurrency.

   Once thought of as a fringe currency used by hackers and coders, cryptocurrencies like bitcoin have steadily gained prominence to the point where they are considered legitimate financial resources. Blockchain as a technology has also grown beyond cryptocurrency usage into transaction verification and identity management use cases. But with this new prominence comes a responsibility to consider the security implications as blockchain continues to grow.

   One of the crucial benefits of blockchain is its distributed capabilities, which mean there isn’t one centralized target to hack. This aspect led many to once consider blockchain virtually “unhackable;” however, several incidents over the past few years have proven that that is far from the case. Numerous incidents, most famously the Mt. Gox catastrophe in 2014, have led to the loss of millions of dollars as a result of hackers stealing bitcoin in a variety of ways.

   As blockchain continues to become more mainstream, significantly more attention must be paid to its security requirements and implications.

   Below are a few areas that need to be considered to ensure blockchain continues to grow in a secure way.

   As in all security issues, you are only as safe as your weakest link
   Hardware vulnerability and dependency despite software strength
   Trust and transparency

   Reply
4. August 17, 2017 at 3:18 pm

   Tomi Engdahl says:

   Powerful backdoor found in software used by >100 banks and energy cos.
   https://arstechnica.com/information-technology/2017/08/powerful-backdoor-found-in-software-used-by-100-banks-and-energy-cos/

   Advanced ShadowPad malware lurked in digitally signed products sold by NetSarang.

   Reply
5. August 18, 2017 at 8:55 am

   Tomi Engdahl says:

   How to conduct an IoT pen test
   Security experts explain the nuances
   http://www.networkworld.com/article/3198495/internet-of-things/how-to-conduct-an-iot-pen-test.html

   Penetration testing was much like taking a battering ram to the door of the fortress. Keep pounding away and maybe find a secret backdoor to enter through. But what happens if pieces of the network are outside of the fortress? With the flurry of Internet of Things devices, is it harder to conduct a pen test with that many devices and end points?

   Claud Xiao, principal security researcher, Unit 42 at Palo Alto Networks, said for just testing some network services on IoT devices in a black box way, the difficulty level and the steps are similar with regular pen testing. But if you’re discovering vulnerabilities via analyzing firmware or via analyzing wireless communications (e.g., Bluetooth or ZigBee), that’s much harder.

   “Every step above may fail due to diversity existing everywhere during IoT devices’ and embedded Linux system’s design and implementation. Even if a security flaw was discovered, some additional knowledge may be required in order to write a workable exploit code,” Xiao said.

   The benefits to pen testing Iot include strengthening device security, protecting against unauthorized usage, avoiding Elevation of Privileges, Lowerreducing the risk of compromise, better user and data privacy, and settrong Encryptionencryption to avoid man-in-the-middle (MTM) attacks.

   Reply
6. August 18, 2017 at 9:00 am

   Tomi Engdahl says:

   Facebook anti-terrorism job
   https://www.theregister.co.uk/2016/10/13/facebook_antiterrorism_job/

   Facebook is looking to hire a counterterrorism expert.

   Somewhat unusually for that sort of role, the social media giant also wants them to be able to work their way around a command line and code, listing SQL and Python as necessary skill sets alongside knowledge of terrorists and “contemporary militant groups.”

   The job will be based in Washington DC in America – pointing to the fact that the hire is a political one, with Facebook increasingly under pressure from the authorities to assist in identifying and shutting down the social media posts of organization like ISIS and Al-Qaeda.

   Reply
7. August 18, 2017 at 9:07 am

   Tomi Engdahl says:

   First-day-on-the-job dev: I accidentally nuked production database, was instantly fired
   Um. Who put production credentials in onboarding doc?
   https://www.theregister.co.uk/2017/06/05/dev_accidentally_nuked_production_database_was_allegedly_instantly_fired/

   “How screwed am I?” a new starter asked Reddit after claiming they’d been marched out of their job by their employer’s CTO after “destroying” the production DB – and had been told “legal” would soon get stuck in.

   Accidentally destroyed production database on first day of a job, and was told to leave, on top of this i was told by the CTO that they need to get legal involved, how screwed am i?
   https://np.reddit.com/r/cscareerquestions/comments/6ez8ag/accidentally_destroyed_production_database_on/

   There was a great /r/askreddit thread a while back about work screw ups in which a guy described how he broke a brand new piece of $250K equipment as an intern, and crestfallently offered his resignation as a show of contrition. The CEO replied something to the effect of “You just learned a quarter million dollar lesson, there’s no way in hell I’m letting you go.”

   I think the exact line started with “I just spent a quarter million dollars training you” – the point being that nobody makes a mistake like that twice.

   Best practice? My god. They gave an unsupervised day one junior the information and tools to wipe their prod database without even having a backup. This is probably the worst practise I’ve ever heard of.

   Hi, guy here who accidentally nuked GitLab.com’s database earlier this year. Fortunately we did have a backup, though it was 6 hours old at that point.

   This is not your fault. Yes, you did use the wrong credentials and ended up removing the database but there are so many red flags from the company side of things such as:

   - Sharing production credentials in an onboarding document
   - Apparently having a super user in said onboarding document, instead of a read-only user (you really don’t need write access to clone a DB)
   - Setting up development environments based directly on the production database, instead of using a backup for this (removing the need for the above)
   - CTO being an ass. He should know everybody makes mistakes, especially juniors. Instead of making sure you never make the mistake again he decides to throw you out
   - The tools used in the process make no attempt to check if they’re operating on the right thing
   - Nobody apparently sat down with you on your first day to guide you through the process (or at least offer feedback), instead they threw you into the depths of hell
   - Their backups aren’t working, meaning they weren’t tested (same problem we ran into with GitLab, at least that’s working now)

   Legal wise I don’t think you have that much to worry about, but I’m not a lawyer. If you have the money for it I’d contact a lawyer to go through your contract just in case it mentions something about this, but otherwise I’d just wait it out. I doubt a case like this would stand a chance in court, if it ever gets there.

   My advice is:

   1. Document whatever happened somewhere
   2. Document any response they send you (e.g. export the Emails somewhere)
   3. If they threaten you, hire a lawyer or find some free advice line (we have these in The Netherlands for basic advice, but this may differ from country to country)
   4. Don’t blame yourself, this could have happened to anybody; you were just the first one
   5. Don’t pay any damage fees they might demand unless your employment contract states you are required to do so

   Hey man, I just wanna say, thank you. I can’t imagine the amount of suck that must have been like, but I reference you, Digital Ocean and AWS when talking about having working PROD backups due to seemingly impossible scenarios (bad config file). People are much more inclined to listen when you can point to real world examples.

   For a lot of companies something doesn’t matter until it becomes a problem, which is unfortunate (as we can see with stories such as the one told by OP). I personally think the startup culture reinforces this: it’s more important to build an MVP, sell sell sell, etc than it is to build something sustainable.

   I don’t remember where I read it, but a few years back I came across a quote along the lines of “If an intern can break production on their first day you as a company have failed”. It’s a bit ironic since this is exactly what happened to OP.

   Exactly. If you’re database can be wiped by a new employee it will be wiped. This is not your fault and you shouldn’t shit your pants.

   At my workplace (mixpanel), we have a script to auto create a dev sandbox that reads from a prod (read only) slave. Only very senior devs have permissions for db admin access

   First month you can’t even deploy to master by yourself, you need your mentor’s supervision. You can stage all you like.

   We also take regular backups and test restore.

   Humans are just apes with bigger computers. It’s the system’s fault.

   Reply
8. August 18, 2017 at 9:10 am

   Tomi Engdahl says:

   New NIST draft embeds privacy into US govt security for the first time
   Federal agency addresses the new world of Alexa, smart cameras and IoT
   https://www.theregister.co.uk/2017/08/18/new_nist_draft_embeds_privacy_into_security_for_the_first_time/

   A draft of new IT security measures by the US National Institute of Standards and Technology (NIST) has for the first time pulled privacy into its core text as well as expanded its scope to include the internet of things and smart home technology.

   The proposed “Security and Privacy Controls for Information Systems and Organizations” will be the go-to set of standards and guidelines for US federal agencies and acts as a baseline for broader industry. As such, it has a huge impact on how technology is used and implemented across America.

   This version of the document – its fifth draft – concerns itself with edge computing: the rapidly expanding world of interconnected systems and devices that continue to be added to IT systems and the broader internet.

   Draft NIST Special Publication 800-53
   Security and Privacy Controls for Information Systems and Organizations
   https://regmedia.co.uk/2017/08/17/nist-sec-drft5.pdf

   Reply
9. August 18, 2017 at 9:18 am

   Tomi Engdahl says:

   Unpatchable ‘Flaw’ Affects Most of Today’s Modern Cars
   https://tech.slashdot.org/story/17/08/17/1825227/unpatchable-flaw-affects-most-of-todays-modern-cars

   A flaw buried deep in the hearts of all modern cars allows an attacker with local or even remote access to a vehicle to shut down various components, including safety systems such as airbags, brakes, parking sensors, and others. The vulnerability affects the CAN (Controller Area Network) protocol that’s deployed in modern cars and used to manage communications between a vehicle’s internal components.

   Unpatchable Flaw Affects Most of Today’s Modern Cars
   https://www.bleepingcomputer.com/news/security/unpatchable-flaw-affects-most-of-todays-modern-cars/

   A flaw buried deep in the hearts of all modern cars allows an attacker with local or even remote access to a vehicle to shut down various components, including safety systems such as airbags, brakes, parking sensors, and others.

   The vulnerability affects the CAN (Controller Area Network) protocol that’s deployed in modern cars and used to manage communications between a vehicle’s internal components.
   It will take a new generation of cars to patch the flaw

   The flaw was discovered by a collaborative effort of Politecnico di Milano, Linklayer Labs, and Trend Micro’s Forward-looking Threat Research (FTR) team.

   Reply
10. August 18, 2017 at 9:18 am

    Tomi Engdahl says:

    Alert (ICS-ALERT-17-209-01)
    CAN Bus Standard Vulnerability
    https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-209-01

    SUMMARY

    NCCIC/ICS-CERT is aware of a public report of a vulnerability in the Controller Area Network (CAN) Bus standard with proof-of-concept (PoC) exploit code affecting CAN Bus, a broadcast based network standard. According to the public report, which was coordinated with ICS-CERT prior to its public release, researchers Andrea Palanca, Eric Evenchick, Federico Maggi, and Stefano Zanero identified a vulnerability exploiting a weakness in the CAN protocol that allows an attacker to perform a denial-of-service (DoS) attack.

    ICS-CERT has notified some affected vendors, primarily auto manufacturers and entities within the healthcare industry, about the report to confirm the vulnerability and to identify mitigations. ICS-CERT is issuing this alert to provide notice of the report and identify baseline mitigations for reducing risks to these and other cybersecurity attacks.

    The report included vulnerability details and PoC exploit code for the following vulnerability:

    Vulnerability Type Remotely Exploitable Impact
    Resource Exhaustion Automobile exploit; requires physical access Denial of Service

    CAN is widely used throughout the Critical Manufacturing, Healthcare and Public Health, and Transportation Systems sectors.

    Successful exploitation of the vulnerability on an automobile may allow an attacker with physical access and extensive knowledge of CAN to reverse engineer network traffic to perform a DoS attack disrupting the availability of arbitrary functions of the targeted device.

    The severity of the attack varies depending on how the CAN is implemented on a system and how easily an input port (typically OBD-II) can be accessed by a potential attacker. This attack differs from previously reported frame-based attacks, which are typically detected by IDS/IPS systems. The exploit focuses on recessive and dominant bits to cause malfunctions in CAN nodes rather than complete frames.

    The only current recommendation for protecting against this exploit is to limit access to input ports (specifically OBD-II) on automobiles. ICS-CERT is currently coordinating with vendors and security researchers to identify mitigations.

    Reply
11. August 18, 2017 at 9:22 am

    Tomi Engdahl says:

    Bank IT fella accused of masterminding multimillion-dollar insider-trading scam
    Consultant was all too app-y to break law, claim investigators
    http://www.theregister.co.uk/2017/08/17/it_bank_worker_insider_trading_charges/

    A banking IT expert orchestrated an insider-trading caper that raked in millions of dollars for him and his pals, it was claimed on Wednesday.

    Between August 2013 and April 2017, Daniel Rivas, 32, worked for an unnamed New York bank in its capital markets technology division. He was hired as a consultant for a new banking application and, according to US authorities, he allegedly used his privileged access to servers and email systems to run an insider-trading ring.

    It’s claimed Rivas had access to, and exploited, highly confidential details on hundreds of pending business deals, giving him an edge on announcements yet to be made public.

    Reply
12. August 18, 2017 at 9:25 am

    Tomi Engdahl says:

    Leaked Exploits Fueled Millions of Attacks in Q2: Kaspersky
    http://www.securityweek.com/leaked-exploits-fueled-millions-attacks-q2-kaspersky

    The public availability of new exploit packages has fueled millions of new attacks on popular applications during the second quarter of 2017, a recent report from Kaspersky Lab reveals.

    The Moscow-based security company said that it blocked more than five million attacks involving in-the-wild exploits during the three-month period, but the actual number of incidents should be significantly higher. Highly effective as they don’t usually require user interaction, attacks leveraging exploits can result in malicious code being delivered to the targeted machines without the user suspecting anything.

    According to Kaspersky’s IT threat evolution Q2 2017 report, the publication by the Shadow Brokers hacker group of several tools and exploits supposedly associated with the National Security Agency had grave consequences during the quarter. Included in the leak were exploits such as EternalBlue and EternalRomance, which fueled a large wave of malicious attacks.

    IT threat evolution Q2 2017. Statistics
    By Roman Unuchek, Fedor Sinitsyn, Denis Parinov, Alexander Liskin on August 15, 2017. 9:00 am
    https://securelist.com/it-threat-evolution-q2-2017-statistics/79432/

    Reply
13. August 18, 2017 at 11:33 am

    Tomi Engdahl says:

    Electronic Frontier Foundation:
    When internet intermediaries like GoDaddy, Google, and CloudFlare bar neo-Nazis, dangerous precedent is set for silencing legitimate voices

    Fighting Neo-Nazis and the Future of Free Expression
    https://www.eff.org/deeplinks/2017/08/fighting-neo-nazis-future-free-expression

    In the wake of Charlottesville, both GoDaddy and Google have refused to manage the domain registration for the Daily Stormer, a neo-Nazi website that, in the words of the Southern Poverty Law Center, is “dedicated to spreading anti-Semitism, neo-Nazism, and white nationalism.” Subsequently Cloudflare, whose service was used to protect the site from denial-of-service attacks, has also dropped them as a customer, with a telling quote from Cloudflare’s CEO: “Literally, I woke up in a bad mood and decided someone shouldn’t be allowed on the Internet. No one should have that power.”

    We agree. Even for free speech advocates, this situation is deeply fraught with emotional, logistical, and legal twists and turns. All fair-minded people must stand against the hateful violence and aggression that seems to be growing across our country. But we must also recognize that on the Internet, any tactic used now to silence neo-Nazis will soon be used against others, including people whose opinions we agree with.

    Protecting free speech is not something we do because we agree with all of the speech that gets protected. We do it because we believe that no one—not the government and not private commercial enterprises—should decide who gets to speak and who doesn’t.

    Content Removal At the Very Top of The Internet

    Domain registrars are one of many types of companies in the chain of online content distribution—the Internet intermediaries positioned between the writer or poster of speech and the reader of that speech. Other intermediaries include the ISP that delivers a website’s content to end users, the certificate authority (such as EFF’s Let’s Encrypt) that issues an SSL certificate to the website, the content delivery network that optimizes the availability and performance of the website, the web hosting company that provides server space for the website, and even communications platforms—such as email providers and social media companies—that allow the website’s URLs to be easily shared. EFF has a handy chart of some of those key links between speakers and their audience here.

    Domain name companies also have little claim to be publishers, or speakers in their own right, with respect to the contents of websites.

    If the entities that run the domain name system started choosing who could access or add to them based on political considerations, we might well face a world where every government and powerful body would see itself as an equal or more legitimate invoker of that power. That makes the domain name system unsuitable as a mechanism for taking down specific illegal content as the law sometimes requires, and a perennially attractive central location for nation-states and others to exercise much broader takedown powers.

    Another lever that states and malicious actors often reach for when seeking to censor legitimate voices is through denial-of-service attacks. States and criminals alike use this to silence voices, and the Net’s defenses against such actions are not well-developed. Services like Cloudflare can protect against these attacks, but not if they also face direct pressure from governments and other actors to pick and choose their clients. Content delivery networks are not wired into the infrastructure of the Net in the way that the domain name system is, but at this point, they may as well be.

    These are parts of the Net that are most sensitive to pervasive censorship: they are free speech’s weakest links. It’s the reason why millions of net neutrality advocates are concerned about ISPs censoring their feeds.

    The firmest, most consistent, defense these potential weak links can take is to simply decline all attempts to use them as a control point. They can act to defend their role as a conduit, rather than a publisher.

    Have A Process, Don’t Act on the Headlines

    It might seem unlikely now that Internet companies would turn against sites supporting racial justice or other controversial issues. But if there is a single reason why so many individuals and companies are acting together now to unite against neo-Nazis, it is because a future that seemed unlikely a few years ago—that white nationalists and Nazis now have significant power and influence in our society—now seems possible. We would be making a mistake if we assumed that these sorts of censorship decisions would never turn against causes we love.

    Reply
14. August 18, 2017 at 11:48 am

    Tomi Engdahl says:

    USB Snooping Made Easy: Crosstalk Leakage Attacks on USB Hubs
    https://www.usenix.org/conference/usenixsecurity17/technical-sessions/presentation/su

    The Universal Serial Bus (USB) is the most prominent interface for connecting peripheral devices to computers. USB-connected input devices, such as keyboards, card-swipers and fingerprint readers, often send sensitive information to the computer. As such information is only sent along the communication path from the device to the computer, it was hitherto thought to be protected from potentially compromised devices outside this path.

    We have tested over 50 different computers and external hubs and found that over 90% of them suffer from a crosstalk leakage effect that allows malicious peripheral devices located off the communication path to capture and observe sensitive USB traffic. We also show that in many cases this crosstalk leakage can be observed on the USB power lines, thus defeating a common USB isolation countermeasure of using a charge-only USB cable which physically disconnects the USB data lines.

    Demonstrating the attack’s low costs and ease of concealment, we modify a novelty USB lamp to implement an off-path attack which captures and exfiltrates USB traffic when connected to a vulnerable internal or a external USB hub.

    https://www.usenix.org/system/files/conference/usenixsecurity17/sec17-su.pdf

    Reply
15. August 18, 2017 at 11:50 am

    Tomi Engdahl says:

    USB connections exposed as ‘leaky’ and vulnerable
    http://theleadsouthaustralia.com.au/industries/education/usb-connections-exposed-as-leaky-and-vulnerable/

    TESTS on USB connections have shown they are highly susceptible to information “leakage”, making them less secure than previously thought.

    He said USB-connected devices were the most common interface used globally to connect external devices to computers and included keyboards, cardswipers and fingerprint readers, which often sent sensitive information.

    “But our research showed that if a malicious device or one that’s been tampered with is plugged into adjacent ports on the same external or internal USB hub, this sensitive information can be captured. That means keystrokes showing passwords or other private information can be easily stolen,” Dr Yarom said.

    Dr Yarom said this “channel-to-channel crosstalk leakage” was analogous with water leaking from pipes.

    “Electricity flows like water along pipes – and it can leak out,” he says. “In our project, we showed that voltage fluctuations of the USB port’s data lines could be monitored from the adjacent ports on the USB hub.”

    The team used a modified cheap novelty plug-in lamp with a USB connector to “read” every keystroke from the adjacent keyboard USB interface. The data was sent via Bluetooth to another computer.

    Dr Yarom said other research had shown that 75 per cent of USB sticks dropped on the ground were picked up and plugged into a computer. But they could have been tampered with to send a message via Bluetooth or SMS to a computer anywhere in the world.

    He said Bluetooth was a more secure way of transferring information.

    Reply
16. August 18, 2017 at 12:47 pm

    Tomi Engdahl says:

    Ukraine hacker cooperating with FBI in Russia probe: report
    http://thehill.com/policy/cybersecurity/346864-ukrainian-hacker-cooperating-with-fbi-in-russian-hacking-probe-report

    A hacker in Ukraine who goes by the online alias “Profexer” is cooperating with the FBI in its investigation of Russian interference in the U.S. presidential election, The New York Times is reporting.

    Profexer, whose real identity is unknown, wrote and sold malware on the dark web. The intelligence community publicly identified code he had written as a tool used in the hacking of the Democratic National Committee ahead of last year’s presidential election.

    The hacker’s activity on the web came to a halt shortly after the malware was identified.

    Reply
17. August 18, 2017 at 12:48 pm

    Tomi Engdahl says:

    Why does the market care so much about Cisco’s security biz?
    In the land of decline, sustainable growth is king
    https://www.theregister.co.uk/2017/08/18/cisco_security_strategy/

    Like many enterprise tech dinosaurs, Cisco has clutched at new lines of revenue for some time, positioning its security arm as the centrepiece of a long-talked-about reinvention as a software biz.

    So when Switchzilla reported lacklustre growth in security of 3 per cent to $558m (£433m) for its fourth quarter results this week, the stock market was quick to punish the business by wiping 2.5 per cent off its market capitalisation.

    Security had been one of the few major sustained growth areas, with the full-year result for that side of the portfolio up 9 per cent overall to $2.1bn.

    Reply
18. August 18, 2017 at 12:59 pm

    Tomi Engdahl says:

    Joe Palazzolo / Wall Street Journal:
    Executive director Anthony Romero says ACLU will no longer defend groups seeking to march with firearms, deciding case by case, screening for possible violence

    ACLU Will No Longer Defend Hate Groups Protesting With Firearms
    Executive director says violence and guns at Charlottesville rally spurred new stance
    https://www.wsj.com/articles/aclu-changes-policy-on-defending-hate-groups-protesting-with-firearms-1503010167?mod=e2tw

    The American Civil Liberties Union, taking a tougher stance on armed protests, will no longer defend hate groups seeking to march with firearms, the group’s executive director said.

    Reply
19. August 18, 2017 at 6:34 pm

    Tomi Engdahl says:

    Cloudflare CEO calls for a system to regulate hateful internet content
    https://techcrunch.com/2017/08/17/cloudflare-ceo-calls-for-a-system-to-regulate-hateful-internet-content/?ncid=rss&utm_source=tcfbpage&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29&utm_content=FaceBook&sr_share=facebook

    Cloudflare CEO Matthew Prince has called for the implementation of a framework to govern how the internet’s gatekeepers deal with cases like The Daily Stormer. This comes after a number of tech companies have revoked support for the neo-Nazi website for its close association with the violent far-right demonstrations in Charlottesville.

    Seven-year-old Cloudflare took the step of cutting support for The Daily Stormer website on Thursday, which is notable as it’s the first time it has ever removed a customer from its service.

    Reply
20. August 18, 2017 at 7:11 pm

    Tomi Engdahl says:

    Jordan Fabian / The Hill:
    Donald Trump authorizes elevation of US Cyber Command to the status of Unified Combatant Command, triggering a review of whether it should be separated from NSA

    Trump boosts US Cyber Command
    http://thehill.com/policy/cybersecurity/347085-trump-boosts-us-cyber-command

    President Trump announced Friday he is boosting U.S. Cyber Command to a full combatant command, triggering a review of whether it should separate from the National Security Agency.

    Speculation has swirled for months that Trump could elevate the command, a move that was also considered by the Obama administration.

    It’s a sign of the organization’s growing significance in an era when cyber warfare has become the norm.

    The decision comes before Trump travels to Camp David later Friday to meet with his national security team.

    Reply
21. August 18, 2017 at 7:16 pm

    Tomi Engdahl says:

    Android Backdoor GhostCtrl can Silently Record Your Audio, Video, and More
    http://blog.trendmicro.com/trendlabs-security-intelligence/android-backdoor-ghostctrl-can-silently-record-your-audio-video-and-more/

    The information-stealing RETADUP worm that affected Israeli hospitals is actually just part of an attack that turned out to be bigger than we first thought—at least in terms of impact. It was accompanied by an even more dangerous threat: an Android malware that can take over the device.

    Detected by Trend Micro as ANDROIDOS_GHOSTCTRL.OPS / ANDROIDOS_GHOSTCTRL.OPSA, we’ve named this Android backdoor GhostCtrl as it can stealthily control many of the infected device’s functionalities.

    GhostCtrl was hosted in RETADUP’s C&C infrastructure, and the samples we analyzed masqueraded as a legitimate or popular app that uses the names App, MMS, whatsapp, and even Pokemon GO. Socially engineered phishing emails were also attack vectors; they had malicious URLs that led would-be victims to download these apps.

    GhostCtrl is literally a ghost of itself
    GhostCtrl is also actually a variant (or at least based on) of the commercially sold, multiplatform OmniRAT that made headlines in November 2015. It touts that it can remotely take control of Windows, Linux, and Mac systems at the touch of an Android device’s button—and vice versa. A lifetime license for an OmniRAT package costs between US $25 and $75. Predictably OmniRAT cracking tutorials abound in various underground forums, and some its members even provide patchers for it.

    Reply
22. August 18, 2017 at 7:41 pm

    Tomi Engdahl says:

    BBC:
    China launches a court to handle Internet-related disputes; first civil case handled in 20 minutes, with parties communicating with judge online

    Chinese ‘cyber-court’ launched for online cases
    http://www.bbc.com/news/technology-40980004?ocid=socialflow_twitter

    China has launched a digital “cyber-court” to help deal with a rise in the number of internet-related claims, according to state media.

    The Hangzhou Internet Court opened on Friday and heard its first case – a copyright infringement dispute between an online writer and a web company.

    Legal agents in Hangzhou and Beijing accessed the court via their computers and the trial lasted 20 minutes.

    The court’s focus will be civil cases, including online shopping disputes.

    Judges were sworn in and the first case was presented on a large screen in the courtroom.

    ‘Saves time’

    Defendants and plaintiffs appear before the judge not in person, but via video-chat.

    “The internet court breaks geographic boundaries and greatly saves time in traditional hearings,” said Wang Jiangqiao, the court’s vice-president, via state media.

    Reply
23. August 18, 2017 at 7:49 pm

    Tomi Engdahl says:

    How we helped keep an alleged “hacker” out of 70 years in prison
    https://cqureacademy.com/blog/identity-theft-protection/fabio-gasperini-case

    So what went down?
    Thanks to the great work of the case attorney Simone Bertollini and CQURE’s team and our pretty amazing know-how this is the first hacking case in history that was WON by the defenders!

    “The CQURE Team identified serious flaws in the government’s investigation. They helped me do justice for Gasperini” – stated Simone Bertollini.

    Just to put things into perspective, prior to this, no one has ever won a hacking case in the United States.

    “The reason why we decided to take on this case is very straightforward: we cannot allow federal investigators and prosecutors (FBI) to think that one or two search warrants are enough to put someone to jail.“

    Paula Januszkiewicz (CEO, Cybersecurity expert, CQURE) adds:

    “We will never allow assumptions to be converted to facts. We promote collection of evidence that is done right. We do not allow guesses and incomplete analysis to be treated as evidence to convict a human being. Our mantra is: we want to see the job done right.”

    Fabio Gasperini’s case – why did FBI fail this time?
    From what we see, it’s mainly because they ignored certain evidence collection paths by using materials that did not come from the attacked systems as evidence — we have no idea why they chose to do this.

    Some of the evidence seems to have been incorrectly collected

    Reply
24. August 19, 2017 at 1:05 pm

    Tomi Engdahl says:

    1.8 million Chicago voter records exposed online
    http://money.cnn.com/2017/08/17/technology/business/chicago-voter-records-exposed-upguard/index.html

    A voting machine company exposed 1.8 million Chicago voter records after misconfiguring a security setting on the server that stored them.

    Election Systems & Software (ES&S), the Nebraska-based voting software and election management company, confirmed the leak on Thursday.

    In a blog post, the company said the voter data leak contained names, addresses, birthdates, partial social security numbers and some driver’s license and state ID numbers stored in backup files on a server. Authorities alerted ES&S to the leak on Aug. 12, and the data was secured.

    A security researcher from UpGuard discovered the breach.

    The data did not contain any voting information, like the results of how someone voted.

    ES&S Confirms Discovery of Backup Data by Security Researcher
    http://www.essvote.com/blog/106/

    Reply
25. August 19, 2017 at 1:06 pm

    Tomi Engdahl says:

    US Voting Machine Supplier Leaks 1.8 Million Chicago Voter Records [Updated]
    http://gizmodo.com/us-voting-machine-supplier-leaks-1-8-million-chicago-vo-1797947510

    A leading US supplier of voting machines confirmed on Thursday that it exposed the personal information of more than 1.8 million Illinois residents.

    State authorities and the Federal Bureau of Investigation were alerted this week to a major data leak exposing the names, addresses, dates of birth, partial Social Security numbers, and party affiliations of over a million Chicago residents. Some driver’s license and state ID numbers were also exposed.

    Jon Hendren, who works for the cyber resilience firm UpGuard, discovered the breach on an Amazon Web Services (AWS) device that was not secured by a password. The voter data was then downloaded by cyber risk analyst Chris Vickery who determined Election Systems & Software (ES&S) controlled the data. ES&S provides voting machines and services in at least 42 states.

    ES&S was notified this week by the FBI and began its own “full investigation” with UpGuard’s assistance, “to perform thorough forensic analyses of the AWS server,” the company said in a statement, adding that the investigation is still ongoing.

    ES&S said the AWS server did not include “any ballot information or vote totals and were not in any way connected to Chicago’s voting or tabulation systems.” The company stressed that the leak had “no impact on the results of any election.”

    https://www.upguard.com/

    Reply
26. August 19, 2017 at 1:08 pm

    Tomi Engdahl says:

    Drone makes mysterious delivery to French prison
    https://www.thelocal.fr/20170816/drone-makes-mysterious-delivery-to-french-prison

    Inmates at a French prison received a mysterious parcel delivery on Tuesday, with the unknown item arriving by drone.

    The drone, equipped with a camera, was able to navigate its way into the prison and pass through the helicopter net above the courtyard, according to a report by France Bleu.

    The drone has been confiscated by police who are working to identify the sender and recipient.

    Reply
27. August 19, 2017 at 1:10 pm

    Tomi Engdahl says:

    How Hackers Can Use Pop Songs To ‘Watch’ You
    https://yro.slashdot.org/story/17/08/18/2216225/how-hackers-can-use-pop-songs-to-watch-you?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29

    Forget your classic listening device: Researchers at the University of Washington have demonstrated that phones, smart TVs, Amazon Echo-like assistants, and other devices equipped with speakers and microphones could be used by hackers as clandestine sonar “bugs” capable of tracking your location in a room. Their system, called CovertBand, emits high-pitched sonar signals hidden within popular songs — their examples include songs by Michael Jackson and Justin Timberlake — then records them with the machine’s microphone to detect people’s activities.

    How A Pop Song Could “Watch” You Through Your TV
    https://www.fastcompany.com/40455626/hack-music-can-watch-you-through-your-devices

    Your phone, TV, or connected device could become a sonar spy, as white hat hackers at the University of Washington give new meaning to bad music.

    Forget your classic listening device: Researchers at the University of Washington have demonstrated that phones, smart TVs, Amazon Echo-like assistants, and other devices equipped with speakers and microphones could be used by hackers as clandestine sonar “bugs” capable of tracking your location in a room.

    Their system, called CovertBand, emits high-pitched sonar signals hidden within popular songs—their examples include songs by Michael Jackson, Justin Timberlake, and 2Pac—then records them with the machine’s microphone to detect people’s activities. Jumping, walking, and “supine pelvic tilts” all produce distinguishable patterns, they say in a paper.

    Reply
28. August 19, 2017 at 1:11 pm

    Tomi Engdahl says:

    What is CovertBand?
    http://musicattacks.cs.washington.edu/#CovertBand

    We create CovertBand which transforms commodity devices with microphones and speakers into active sonar systems to simultaneously track multiple users through barriers like walls, doors and windows. In addition to tracking, it can also distinguish linear and rhythmic class of motions. CovertBand expertly conceals this attack by hiding the high frequency sonar pulses within the beats of popular songs making it indistinguishable. This means that the attacker can implement the attack even remotely by using music apps that play the modified versions of popular songs.

    87
    CovertBand: Activity Information Leakage using Music
    http://musicattacks.cs.washington.edu/activity-information-leakage.pdf

    Reply
29. August 19, 2017 at 1:15 pm

    Tomi Engdahl says:

    Experts: The future of IoT will be fascinating and also potentially catastrophic
    Insecurity of IoT is a top concern
    http://www.networkworld.com/article/3199966/internet-of-things/experts-the-future-of-iot-will-be-fascinating-and-also-potentially-catastrophic.html

    The Internet of Things is going to be inescapable, pervasive, and riddled with insecurity, but it’s at least going to be interesting, according to a raft of prominent technologists surveyed by the Pew Research Center.

    Unsurprisingly, IoT security was the name of the game, the experts agreed, but it’s the effect of the present insecurity in IoT and the possible future effects that have them fascinated. The security breaches that have happened already were clearly on the minds of the respondents. Not only has IoT contributed to general online chaos via the Mirai botnet and other incidents, the trend of integrating connected devices ever more deeply into vital infrastructure reveals the potential for even more destructive attacks.

    “Right now, losing a credit card record costs a firm something like $0.35, plus a six-month gift certificate for a credit-monitoring service. But the data from those breaches, combined with other breach data by crooks, can be used to pull off breathtaking identity theft crimes,” Doctorow said. “If firms had to pay the entire likely lifetime losses from breaches … then no insurer would underwrite companies that were as sloppy as today’s – data collection and retention would be priced accordingly by insurers, at a much higher price than today’s.”

    “There are many risks that reliability and safety will suffer unless the makers are diligent about protecting user interests. It could be impossible to escape increased connectivity. Look at present dependence on Google Maps or generally on mobiles and apps in the last 10 years. Reliability will be key. If such systems prove to be unreliable, people will leave in droves.”

    Reply
30. August 19, 2017 at 4:19 pm

    Tomi Engdahl says:

    Greg Bensinger / Wall Street Journal:
    US court of appeals rules online ToS are binding irrespective of whether users read them, no matter how long or hard to read companies like Uber make them

    Uber Wins Ruling on ’Terms of Service’ Agreements
    Federal court finds online agreements are binding, regardless of whether customers read or understand them
    https://www.wsj.com/articles/uber-wins-ruling-on-terms-of-service-agreements-1503000236?mod=e2twd

    Reply
31. August 19, 2017 at 6:12 pm

    Tomi Engdahl says:

    Can the security community grow up?
    https://techcrunch.com/2017/08/17/can-the-security-community-grow-up/?ncid=rss&utm_source=tcfbpage&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29&utm_content=FaceBook&sr_share=facebook

    We live in an imperfect world, as Alex Stamos, Chief Information Security Officer of Facebook pointed out in his recent BlackHat 2017 keynote address. Instead of trying to punish each other, hackers and innovators need to work closely to ensure a higher order.

    Amit Yoran, former President of RSA and now CEO of Tenable Networks says, “Fear just doesn’t cut it. We need to be adults and earn trust.”

    . “The security sector is evolving rapidly and we are still developing a common nomenclature, a lingua franca for our business. Visibility into systems, managing patches, vulnerabilities and security workflows are still being accomplished with rudimentary tools,” Lu said.

    Calling BS on the marketing hype, several presenters at BlackHat offer an unvarnished view of the state of technology.

    Caveat Emptor: Do not believe the ML hype unless you have seen the results on your own data sets. Each vendor will train their models on different data sets, which may not be relevant to your environment. And then as new malware data is discovered, stuff gets stale. Chances are that the model may need to be trained or else could start to behave erratically. We live in an imperfect word indeed.

    In another presentation aptly titled, “Lies and Damn Lies” Lidia Guiliano and Mike Spaulding presented an analysis of various endpoint marketing claims and debunked these systematically.

    While endpoint solutions are better than signature based detection, they are no silver bullets.

    Reply
32. August 19, 2017 at 6:56 pm

    Tomi Engdahl says:

    Apple’s Secure Enclave Processor (SEP) Firmware Decrypted
    http://hackaday.com/2017/08/18/apples-secure-enclave-processor-sep-firmware-decyrpted/

    The decryption key for Apple’s Secure Enclave Processor (SEP) firmware Posted Online by self-described “ARM64 pornstar” [xerub]. SEP is the security co-processor introduced with the iPhone 5s which is when touch ID was introduced. It’s a black box that we’re not supposed to know anything about but [xerub] has now pulled back the curtain on that.

    The secure enclave handles the processing of fingerprint data from the touch ID sensor and determines if it is a match or not while it also enables access for purchases for the user. The SEP is a gatekeeper which prevents the main processor from accessing sensitive data.

    Hacker Decrypts Apple’s Secure Enclave Processor (SEP) Firmware
    http://www.iclarified.com/62025/hacker-decrypts-apples-secure-enclave-processor-sep-firmware

    Hacker xerub has posted the decryption key for Apple’s Secure Enclave Processor (SEP) firmware.

    The security coprocessor was introduced alongside the iPhone 5s and Touch ID. It performs secure services for the rest of the SOC and prevents the main processor from getting direct access to sensitive data. It runs its own operating system (SEPOS) which includes a kernel, drivers, services, and applications.

    Today, xerub announced the decryption key ‘is fully grown’. You can use img4lib to decrypt the firmware and xerub’s SEP firmware split tool to process.

    Decryption of the SEP Firmware will make it easier for hackers and security researchers to comb through the SEP for vulnerabilities.

    Reply
33. August 20, 2017 at 8:28 pm

    Tomi Engdahl says:

    Sorry, but those huge walls of terms and conditions you never read are legally binding
    And what finer company than Uber to make that clear
    https://www.theregister.co.uk/2017/08/18/eula_tos_legally_binding_us/

    You may never read those lengthy terms and conditions attached to every digital download or app but, in America at least, they are legally binding. Sorry.

    That’s the conclusion of a panel of appeal judges earlier this week when shining beacon of corporate responsibility Uber insisted its users had agreed not to sue the company somewhere in its long list of lengthy legal locutions.

    On Thursday, the US Second Court of Appeals decided [PDF] that when customers installed Uber’s ride-hailing app and agreed to the terms and conditions – even though virtually none of them actually read the details – they were obliged to go through arbitration if they had a dispute with the company.

    Reply
34. August 20, 2017 at 8:40 pm

    Tomi Engdahl says:

    US DoD, Brit ISP BT reverse proxies can be abused to frisk internal systems – researcher
    And how to avoid making the same mistakes
    https://www.theregister.co.uk/2017/08/19/reverse_proxy_war/

    Minor blunders in reverse web proxies can result in critical security vulnerabilities on internal networks, the infosec world was warned this week.

    James Kettle of PortSwigger, the biz behind the popular Burp Suite, has taken the lid off an “almost invisible attack surface” he argues has been largely “overlooked for years.” Kettle took a close look at reverse proxies, load balancers, and backend analytics systems, and on Thursday revealed his findings. For the unfamiliar, when browsers visit a webpage they may well connect to a reverse proxy, which fetches the content behind the scenes from other servers, and then passes it all back to the client as a normal web server.

    Malformed requests and esoteric headers in HTTP fetches can potentially coax some of these systems into revealing sensitive information and opening gateways into our victim’s networks, Kettle discovered. Using these techniques, Kettle was able to perforate US Department of Defense networks, and trivially earn more than $30k in bug bounties in the process, as well as accidentally exploiting his ISP in the UK.

    Further digging by the researcher revealed that the system he’d stumbled upon was primarily being used to block access to stuff like child sex abuse material and pirated copyrighted material. Essentially, these were the boxes inspecting and filtering Brits’ internet traffic. “For years I and many other British pentesters have been hacking through an exploitable proxy without even noticing it existed,” according to Kettle.

    Crucially, Kettle said he could reach BT’s internal control panels for its snooping tech via these proxy servers. “I initially assumed that these companies must collectively be using the same cloud web application firewall solution, and noted that I could trick them into misrouting my request to their internal administration interface,” he said.

    Kettle added that, as well as this worrying security vulnerability, putting subscribers behind proxies is bad because if one of the boxes ends up on a black list, every gets blocked:

    All BT users share the same tiny pool of IP addresses. This has resulted in BT’s proxy IPs landing on abuse blacklists and being banned from a number of websites, affecting all BT users.
    Also, if I had used the aforementioned admin access vulnerability to compromise the proxy’s administration panels, I could could potentially reconfigure the proxies to inject content into the traffic of millions of BT customers.

    Kettle reported the ability to access the internal admin panel to a personal contact at BT, who made sure it was quickly protected.

    Later in his research, Kettle discovered that US Department of Defense proxies whitelist access to internal services using the Host header in HTTP requests, but forget that the hostname in the GET request takes precedence over the Host header.

    Reply
35. August 21, 2017 at 9:08 am

    Tomi Engdahl says:

    Decryption Key for Apple’s SEP Firmware Posted Online
    http://www.securityweek.com/decryption-key-apples-sep-firmware-posted-online

    What appears to be the decryption key for Apple’s Secure Enclave Processor (SEP) firmware was posted online by a hacker going by the name of xerub.

    A coprocessor fabricated in the Apple S2, Apple A7, and later A-series CPUs, SEP uses encrypted memory, has a hardware random number generator and “provides all cryptographic operations for Data Protection key management and maintains the integrity of Data Protection even if the kernel has been compromised,” Apple explains in the iOS Security Guide.

    At startup, the device creates an ephemeral key entangled with the UID (Unique ID), and uses it to encrypt the Secure Enclave’s portion of memory space. The key is also used to authenticate the Secure Enclave (except on Apple A7). Apple also explains that data “saved to the file system by the Secure Enclave is encrypted with a key entangled with the UID and an anti-replay counter.”

    SEP uses its own secure boot and securely generates the UID on A9 or later A-series processors. Because SEP handles Touch ID transactions, password verification, and other security processes, along with the generation of the device’s UID, it is critical to iOS’ security and the public availability of the decryption key could spell disaster.

    Reply
36. August 21, 2017 at 9:31 am

    Tomi Engdahl says:

    Elon Musk Backs Call For A Global Ban On Killer Robots
    https://hardware.slashdot.org/story/17/08/21/0435203/elon-musk-backs-call-for-a-global-ban-on-killer-robots

    Tesla boss Elon Musk is among a group of 116 founders of robotics and artificial intelligence companies who are calling on the United Nations to ban autonomous weapons. “Lethal autonomous weapons threaten to become the third revolution in warfare. Once developed, they will permit armed conflict to be fought at a scale greater than ever, and at timescales faster than humans can comprehend,” the experts warn in an open letter released Monday…

    “Unlike other potential manifestations of AI, which still remain in the realm of science fiction, autonomous weapons systems are on the cusp of development right now and have a very real potential to cause significant harm to innocent people along with global instability,”

    Elon Musk backs call for global ban on killer robots
    http://money.cnn.com/2017/08/21/technology/elon-musk-killer-robot-un-ban/index.html

    The world’s leading artificial intelligence experts are sounding the alarm on killer robots.

    Tesla (TSLA) boss Elon Musk is among a group of 116 founders of robotics and artificial intelligence companies who are calling on the United Nations to ban autonomous weapons.

    “Lethal autonomous weapons threaten to become the third revolution in warfare. Once developed, they will permit armed conflict to be fought at a scale greater than ever, and at timescales faster than humans can comprehend,” the experts warn in an open letter released Monday.

    “These can be weapons of terror, weapons that despots and terrorists use against innocent populations, and weapons hacked to behave in undesirable ways,” the letter says.

    Its signatories are from companies spread across North America, Europe, Africa and Asia, including Mustafa Suleyman, an artificial intelligence specialist at Google (GOOGL, Tech30)

    “Unlike other potential manifestations of AI, which still remain in the realm of science fiction, autonomous weapons systems are on the cusp of development right now and have a very real potential to cause significant harm to innocent people along with global instability,” said Ryan Gariepy, the founder of Clearpath Robotics and the first person to sign the letter.

    Reply
37. August 21, 2017 at 9:39 am

    Tomi Engdahl says:

    Patching Against the Next WannaCry Vulnerability (CVE-2017-8620)
    http://www.securityweek.com/patching-against-next-wannacry-vulnerability-cve-2017-8620

    This month’s Microsoft patch updates include one particular vulnerability that is raising concerns: CVE-2017-8620, which affects all versions of Windows from 7 onwards. Microsoft explained, “in an enterprise scenario, a remote unauthenticated attacker could remotely trigger the vulnerability through an SMB connection and then take control of a target computer.”

    In short, this is a wormable bug affecting all supported versions of Windows. The parallels with the WannaCry and NotPetya vulnerabilities are clear — indeed, Check Point described CVE-2017-8620 as ‘The Next WannaCry Vulnerability’. All that is currently missing is full disclosure of the vulnerability and a usable exploit (WannaCry and NotPetya exploited the leaked NSA exploit known as EternalBlue).

    Noticeably, SANS describes this vulnerability as ‘more likely’ to be both disclosed and exploited in the future. Once this happens, the situation could precisely parallel WannaCry/NotPetya. Microsoft has done what it can (or as much as it is willing to do); it has patched the vulnerability. The earlier WannaCry vulnerability had also been patched; but WannaCry (and NotPetya) still happened (and the effects continue to be felt).

    “The importance of patching systems cannot be underestimated,” says David Kennerley, director of threat research at Webroot. “There will always be zero-day vulnerabilities, but it’s worth noting that the vast majority of exploit attacks seen in the wild involve cybercriminals targeting known vulnerabilities. These vulnerabilities have already been fixed by the vendor, but the fix has not been deployed and installed by the end user. With any vulnerability that can result in remote code execution, there is always concern until users deploy and install patches. There is without doubt a window of opportunity for cybercriminals to take advantage.”

    One concern for the CVE-2017-8620 vulnerability is that it could be adopted by nation-state actors.

    The current concern is that since many users did not patch against WannaCry/NotPetya, they might not patch CVE-2017-8620 before it is exploited. The question becomes, why is industry apparently lax in its patch procedures? This is a complex issue with no easy answer.

    “Patching will break stuff,” F-Secure security advisor Sean Sullivan explains. “And so you can’t just roll out patches into a live production environment without testing. It’s a matter of time and resources. There’s no escaping the need to test.”

    Reply
38. August 21, 2017 at 9:40 am

    Tomi Engdahl says:

    Turla Cyberspies Use New Dropper in G20 Attacks
    http://www.securityweek.com/turla-cyberspies-use-new-dropper-g20-attacks

    The Russia-linked cyber espionage group known as Turla has been using a new malware dropper in attacks apparently aimed at entities interested in G20, security firm Proofpoint reported last week.

    G20 is an international forum for governments and central banks from all continents. The G20 Summit was held last month in Hamburg, Germany, and other events are scheduled to take place in the same city later this year, including the Task Force “Digital Economy” meeting in October 23 – 24.

    A document announcing the Digital Economy meeting has apparently been used by Turla as a decoy to deliver a new .NET/MSIL dropper, which deploys a recently discovered JavaScript backdoor tracked as KopiLuwak.

    The decoy document appears to come from Germany’s Federal Ministry for Economic Affairs and Energy, and researchers believe the file is likely legitimate. The document does not appear to be publicly available, which indicates that it may have been obtained by the attackers from an entity that received the file.

    Reply
39. August 21, 2017 at 1:04 pm

    Tomi Engdahl says:

    Foxit PDF Reader is well and truly foxed up, but vendor won’t patch
    We’ve got Safe Mode and that’s safe enough, vendor tells ~400m users
    https://www.theregister.co.uk/2017/08/21/foxit_reader_vulnerabilities/

    The Zero Day Initiative (ZDI) has gone public with a Foxit PDF Reader vulnerability without a fix, because the vendor resisted patching.

    The ZDI made the decision last week that the two vulns, CVE-2017-10951 and CVE-2017-10952, warranted release so at least some of Foxit’s 400 million users could protect themselves.

    In both cases, the only chance at mitigation is to use the software’s “Secure Mode” when opening files, something that users might skip in normal circumstances.

    Reply
40. August 21, 2017 at 1:04 pm

    Tomi Engdahl says:

    Bitcoin-accepting sites leave cookie trail that crumbles anonymity
    Merchants share too much tracking information? Colour us un-surprised
    https://www.theregister.co.uk/2017/08/20/bitcoins_anonymity_easy_to_penetrate/

    Bitcoin transactions might be anonymous, but on the Internet, its users aren’t – and according to research out of Princeton University, linking the two together is trivial on the modern, much-tracked Internet.

    In fact, linking a user’s cookies to their Bitcoin transactions is so straightforward, it’s almost surprising it took this long for a paper like this to be published.

    The paper sees privacy researcher Dillon Reisman and Princeton’s Steven Goldfeder, Harry Kalodner and Arvind Narayanan demonstrate just how straightforward it can be to link cookies to cryptocurrency transactions:

    When the cookie meets the blockchain: Privacy risks of web payments via cryptocurrencies
    https://arxiv.org/abs/1708.04748

    Reply
41. August 21, 2017 at 1:47 pm

    Tomi Engdahl says:

    Making Visible Watermarks More Effective
    https://research.googleblog.com/2017/08/making-visible-watermarks-more-effective.html

    Whether you are a photographer, a marketing manager, or a regular Internet user, chances are you have encountered visible watermarks many times. Visible watermarks are those logos and patterns that are often overlaid on digital images provided by stock photography websites, marking the image owners while allowing viewers to perceive the underlying content so that they could license the images that fit their needs. It is the most common mechanism for protecting the copyrights of hundreds of millions of photographs and stock images that are offered online daily.

    It’s standard practice to use watermarks on the assumption that they prevent consumers from accessing the clean images, ensuring there will be no unauthorized or unlicensed use. However, in “On The Effectiveness Of Visible Watermarks” recently presented at the 2017 Computer Vision and Pattern Recognition Conference (CVPR 2017), we show that a computer algorithm can get past this protection and remove watermarks automatically, giving users unobstructed access to the clean images the watermarks are intended to protect.

    The Vulnerability of Visible Watermarks
    Visible watermarks are often designed to contain complex structures such as thin lines and shadows in order to make them harder to remove. Indeed, given a single image, for a computer to detect automatically which visual structures belong to the watermark and which structures belong to the underlying image is extremely difficult. Manually, the task of removing a watermark from an image is tedious, and even with state-of-the-art editing tools it may take a Photoshop expert several minutes to remove a watermark from one image.

    However, a fact that has been overlooked so far is that watermarks are typically added in a consistent manner to many images. We show that this consistency can be used to invert the watermarking process

    The first step of this process is identifying which image structures are repeating in the collection. If a similar watermark is embedded in many images, the watermark becomes the signal in the collection and the images become the noise, and simple image operations can be used to pull out a rough estimation of the watermark pattern.

    To actually recover the image underneath the watermark, we need to know the watermark’s decomposition into its image and alpha matte components.

    The vulnerability of current watermarking techniques lies in the consistency in watermarks across image collections. Therefore, to counter it, we need to introduce inconsistencies when embedding the watermark in each image.

    In a nutshell, the reason this works is because removing the randomly-warped watermark from any single image requires to additionally estimate the warp field that was applied to the watermark for that image — a task that is inherently more difficult.

    http://openaccess.thecvf.com/content_cvpr_2017/papers/Dekel_On_the_Effectiveness_CVPR_2017_paper.pdf

    Reply
42. August 21, 2017 at 2:47 pm

    Tomi Engdahl says:

    British snoops at GCHQ knew FBI was going to arrest Marcus Hutchins
    WannaCry killer had been working with the spy agency
    https://www.theregister.co.uk/2017/08/21/gchq_knew_marcus_hutchins_risked_arrest_fbi/

    Secretive electronic spy agency GCHQ was aware that accused malware author Marcus Hutchins, aka MalwareTechBlog, was due to be arrested by US authorities when he travelled to United States for the DEF CON hacker conference, according to reports.

    The Sunday Times – the newspaper where the Brit government of the day usually floats potentially contentious ideas – reported that GCHQ was aware that Hutchins was under surveillance by the American FBI before he set off to Las Vegas.

    Government sources told The Sunday Times that Hutchins’ arrest in the US had freed the British government from the “headache of an extradition battle” with the Americans. This is a clear reference to the cases of alleged NASA hacker Gary McKinnon, whose attempted extradition to the US failed in 2012, and accused hacker Lauri Love, who is currently fighting an extradition battle along much the same lines as McKinnon.

    One person familiar with the matter told the paper: “Our US partners aren’t impressed that some people who they believe to have cases against [them] for computer-related offences have managed to avoid extradition.”

    Reply
43. August 21, 2017 at 2:52 pm

    Tomi Engdahl says:

    The Daily Stormer was back online for a quick second
    https://techcrunch.com/2017/08/20/the-daily-stormer-was-back-online-for-a-quick-second/

    Neo-Nazi site The Daily Stormer is running out of options to stay online. There has been a public outcry against tech companies helping websites, such as The Daily Stormer. On August 18th, the team behind The Daily Stormer found a way to put the website back online. But now that NameCheap has taken down the website’s new domain name, it is back offline for most people.

    If you want to host a controversial website, you need a server to host your website, a protection service against denial-of-service attacks and a domain name to make your site reachable.

    While The Daily Stormer used to rely on DigitalOcean and DreamHost (at least until 2014) to run its server, both companies have stopped working with the website. DigitalOcean cited a violation of the company’s terms of service.

    But it’s not that hard to host a website in your attic without doing business with anyone. All you need is a computer and an internet connection. The only issue is that you need a content delivery network to cache your website around the world so that people can actually load pages.

    That’s why The Daily Stormer had been using Cloudflare’s CDN. But Cloudflare CEO Matthew Prince bowed to public pressure and terminated Cloudflare’s relationship with The Daily Stormer.

    Prince also says that this is an exception and there should be a clear framework to address similar issues in the future. The Electronic Frontier Foundation also agrees with this point of view.

    So The Daily Stormer is back online then? Not exactly.

    A server and a CDN isn’t enough if you don’t have a domain name.

    The Daily Stormer had been using GoDaddy to register its original domain name. GoDaddy quickly terminated The Daily Stormer’s account

    Google Domains and Tucows (the company behind Hover.com) also both refused to help The Daily Stormer. Even the Russian media watchdog Roskomnadzor asked Ru-Center to cancel dailystormer.ru after the website tried to relocate to Russia.

    And yet, the team successfully registered dailystormer.lol using Namecheap.
    But it didn’t last long.

    You can still access it through the Tor network

    Reply
44. August 21, 2017 at 2:55 pm

    Tomi Engdahl says:

    50,000 Users Test New Anti-Censorship Tool TapDance
    https://yro.slashdot.org/story/17/08/20/2222205/50000-users-test-new-anti-censorship-tool-tapdance?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29

    What if circumventing censorship didn’t rely on some app or service provider that would eventually get blocked but was built into the very core of the internet itself? What if the routers and servers that underpin the internet — infrastructure so important that it would be impractical to block — could also double as one big anti-censorship tool…? After six years in development, three research groups have joined forces to conduct real-world tests.

    In fight for free speech, researchers test anti-censorship tool built into the internet’s core
    Researchers tested a way to get into blocked websites using the networks of two ISPs
    http://www.cbc.ca/news/technology/tapdance-refraction-networking-decoy-routing-test-usenix-1.4249177

    When the Chinese government wanted to keep its users off Facebook and Google, it blocked the entire country’s access to the U.S. companies’ apps and sites. And when citizens started using third-party workarounds — like Tor, proxies and VPNs — to get around those blocks, it moved to quash those, too.

    So a handful of researchers came up with a crazy idea: What if circumventing censorship didn’t rely on some app or service provider that would eventually get blocked but was built into the very core of the internet itself? What if the routers and servers that underpin the internet — infrastructure so important that it would be impractical to block — could also double as one big anti-censorship tool?

    It turns out, the idea isn’t as crazy as it might seem. After six years in development, three research groups have joined forces to conduct real-world tests of an experimental new technique called “refraction networking.” They call their particular implementation TapDance, and it’s designed to sit within the internet’s core.

    The researchers announced the test in a paper presented at the annual USENIX Security conference earlier this week.

    “In the long run, we absolutely do want to see refraction networking deployed at as many ISPs that are as deep in the network as possible,”

    A secret flag the censor can’t see

    The concept of refraction networking — which has also been called decoy routing — has been around since at least 2011

    The technique works like this: A user in a country where internet filtering exists uses a special piece of software — in this case, a special test version of the app Psiphon — to browse the web. To access a site that’s otherwise blocked, the software first sends a request to an unblocked site that’s likely to be routed through TapDance along the way.

    The user’s circumvention software tags this innocuous request with a little extra data — basically a secret flag the censor can’t see that says “Hey, I actually want this request to go somewhere else.” The TapDance software in an ISP’s infrastructure keeps watch for this secret flag and, when detected, re-routes the user’s connection to the blocked site instead.

    The user gets to where they want to go, everything’s taken care of behind the scenes, and the censor is none the wiser — in theory.

    “We believe that it is within the capabilities of more powerful censors to detect and block TapDance traffic in its current form,” wrote Bocovich in an email, but nonetheless called the deployment “really exciting news.”

    Reply
45. August 21, 2017 at 3:06 pm

    Tomi Engdahl says:

    Cyberweapons are now in play: From US sabotage of a North Korean missile test to hacked emergency sirens in Dallas
    http://www.techrepublic.com/article/cyberweapons-are-now-in-play-from-us-sabotage-of-a-north-korean-missile-test-to-hacked-emergency/

    Cyberwarfare has begun. Unlike nuclear weapons, cyberweapons can be proliferated more quickly and the threat from accidentally setting them off is even greater.

    On April 7, 2017, a radio frequency trigger hack caused 156 emergency sirens in Dallas, a city of 1.2 million people, to wail concurrently for 81 minutes. The incident serves as a clarion call to organizations everywhere that cyberweapons could be used against your infrastructure in order to make a statement.

    “Technically, each siren went off for 90 seconds, 15 times. There was a lot of confusion,” said Dallas public information officer Richard Hill, because there were no storms in the region. “We had close to 4,000 calls to 911. The system was nearly overwhelmed.”

    As a show-of-force in December 2015, cyberattacks by Russian-linked hackers took down a large portion of the Ukraine power grid. “The initial breach of the Ukraine power grid was—as so often in cyberattacks—down to the human factor,” wrote ZDNet’s Charles McLellan. “Spearphishing and social engineering were used to gain entry to the network. Once inside, the attackers exploited the fact that operational systems—the ones that controlled the power grid—were connected to regular IT systems.”

    Dallas’ outdoor warning system, like most municipalities in the United States, is radio controlled and triggered when a storm is imminent by a signal sent from the National Weather Service. For security reasons, the city of Dallas would not discuss the details of how the system was compromised. But the city’s senior public information officer, Monica Cordova, said, “we believe [the attack] came from the Dallas area.”

    It could take the city’s leaders months to reveal what many security experts already know: Cyberattacks against outdated critical infrastructure are as easy to execute as the stakes are high. And the arsenal of cyberweapons—malware that is designed to inflict disruption, damage, and destruction—is growing rapidly.

    “As technology is increasingly integrated into the manner in which our society operates,” said Chris Pogue, CISO of cybersecurity firm Nuix, “the potential of cyberattacks that have a kinetic impact also increases.”

    “Code proliferates very quickly and is easy to build or steal. Anyone with a laptop, some coding skills, and a few free hours can create a ‘cyberweapon.’”
    Sergio Caltagirone, director of threat intelligence and analytics at Dragos

    Pogue can rattle off a long list of attacks against critical infrastructure that portend a future where companies, government agencies, and consumers are all victims of cyberweapons.

    When everything becomes a cyberweapon

    One week after the Dallas incident—at 11:21 am UTC, 10,895 kilometers away—a North Korean ballistic missile fired and exploded moments after launch. The April 2017 test was the latest in a series of recent North Korean missile misfires.

    Reporting by CBS News and The New York Times indicates that American-made cyberweapons may have been responsible for the floundering rockets. “Presuming the missile batteries run on a computer-based launch control system, which they do,” Pogue speculated, “an attacker could do anything the system allows: change fuel mixtures, time on launchpad after engine fire but before launch, destination of target, trajectory, and payload arming and disarming.”

    “The public, companies, or governments should be less concerned about these weapons and more concerned with everything else that’s out there, including malware, hackers, and the government.”
    Jack Rice, former CIA case officer

    Reply
46. August 21, 2017 at 3:14 pm

    Tomi Engdahl says:

    Banking with your 4g phone. Is it safe?
    http://www.electropages.com/2017/08/banking-with-your-4g-phone/?utm_campaign=&utm_source=newsletter&utm_medium=email&utm_term=article&utm_content=Banking+with+your+4g+phone.++Is+it+safe%3F

    Some of you film buffs out there may remember Laurence Olivier asking Dustin Hoffman that same question in the film Marathon Man. Now whereas the wrong answer from Hoffman resulted in considerable pain at the hands of Olivier’s mad dentist character, users of the smart phones for personal banking could find it an equally painful experience of a financial nature because of 4G security loopholes.

    An interesting report about this landed on my desk which says 4G networks still retain some worrying vulnerabilities despite all the investment poured into implementing the Diameter communications security protocol which replaced the weaker RADIUS protocol. What this means in simple terms is hackers can intercept and divert SMS messages, eavesdrop on conversations and locate users via GPS. It could even help DoS attacks on operator equipment that would case network failures.

    And when it comes to your money, one incidence that demonstrates this 4G cyber weakness was when money was stolen from bank accounts by hackers redirecting One Time Pass codes that had actually been sent out by the banks as text messages.

    The report goes into some detail explaining the network vulnerabilities and was researched and produced by Positive Technologies, specialists in communication security.

    One of the important aspects of 4G vulnerability pointed out by Positive Technologies at the start of its investigative report may surprise a lot of 4G smart phone owners who think theirs is a state-of-the-art-gizmo. In most respects they are right, but what many don’t know is their snazzy 4G handsets also use old-generation networks as well. It’s called CSF, (circuit-switched fallback). Here’s how that happens. While some mobile operators can provide data transfer over LTE, making phone calls and exchanging SMS messages may require a temporarily fall back to older networks, hence the term CSF.

    What this means is 4G subscribers are still susceptible to tried-and-tested hacks associated with older generation networks.

    The Positive Technology report goes into considerable detail regarding the fraudulent vulnerabilities of SMS messaging, particularly when it comes to financial transactions and also how fraudulent attacks can be made that facilitate the redirection of billing information to already hacked billing services.

    Reply
47. August 22, 2017 at 4:46 am

    Tomi Engdahl says:

    Too easy to to cut anyone out for any reason?

    One Statistics Professor Was Just Banned By Google: Here Is His Story
    http://www.zerohedge.com/news/2017-08-21/one-statistics-professor-was-just-banned-google-here-his-story

    Statistics professor Salil Mehta, adjunct professor at Columbia and Georgetown who teaches probability and data science and whose work has appeared on this website on numerous prior occasions, was banned by Google on Friday.

    What did Salil do to provoke Google? It is not entirely clear, however what is clear is that his repeated attempts at restoring his email, blog and other Google-linked accounts have so far been rejected with a blanket and uniform statement from the search giant.

    This doesn’t look good. Now instead of mathematics, reporters have turned to this latest circus nightmare from Google as an example of how they are compounding bad decisions on good people anywhere and at any time.

    Can they not differentiate me from an evil person? Can they not see the large and reputable people and institutions that have relied on my work?

    There is a lot of energy being spent right now thinking about how this happens to your best customers, just like that. Fear is running wild about who is next and on what other social media platforms.

    I have many students, family, coworkers, etc who typically send me e-mails each day and all of it is vanishing with a kicked-back “user doesn’t exist” error. And that’s totally unacceptable.

    Again, a math site. An academic site

    These are applications of formulas and shouldn’t be subject of limitations of free speech. A lot of great people like it.

    Just more of a reflection of how cold a company can treat someone very poorly: without any information, and lack of ability to move forward in their life

    We are going to be looking back on this time in Google’s history and those of other social media and know that they have done some very immoral and confusing things, and it has hurt their public reputation with decent people who wanted to grow into the next future with them

    Reply
48. August 22, 2017 at 4:48 am

    Tomi Engdahl says:

    Covertband: Activity Information Leakage using Music
    http://musicattacks.cs.washington.edu/#CovertBand

    What is CovertBand?
    Smart devices and appliances are becoming increasingly prevalent, but as a consequence of adding these connected devices such as smart TVs, phones, and hubs like the Amazon Echo to our homes, there are an increased number of connected speakers and microphones with access to our private environment. In this work, we show that in the case of microphones and speakers there are privacy leaks possible with today’s off-the-shelf devices that go beyond the ability to simply record conversations in the home.

    We create CovertBand which transforms commodity devices with microphones and speakers into active sonar systems to simultaneously track multiple users through barriers like walls, doors and windows. In addition to tracking, it can also distinguish linear and rhythmic class of motions. CovertBand expertly conceals this attack by hiding the high frequency sonar pulses within the beats of popular songs making it indistinguishable. This means that the attacker can implement the attack even remotely by using music apps that play the modified versions of popular songs.

    Reply
49. August 22, 2017 at 1:09 pm

    Tomi Engdahl says:

    Code Linked to MalwareTech and Kronos Published in 2009
    http://www.securityweek.com/code-linked-malwaretech-and-kronos-published-2009

    A piece of code linked to both the British researcher Marcus Hutchins, known online as MalwareTech, and the banking Trojan named Kronos was first published in 2009.

    Hutchins became famous and was named a “hero” after he helped stop the WannaCry ransomware attack by registering a domain that acted as a kill switch for the malware.

    The researcher was arrested in early August in the United States as he had been preparing to return to the U.K. and was charged for his alleged role in creating and selling Kronos. He has pleaded not guilty to the charges brought against him and released on bail during his trial. He cannot leave the U.S. and will be tracked via GPS, but authorities have allowed him to access the Internet – except for the domain used to stop the WannaCry outbreak.

    The only information provided so far by authorities regarding the case they have against Hutchins is that he and an unnamed partner allegedly created and sold the Kronos malware in 2014 and 2015.

    While it’s unclear what evidence these accusations are based on, some believe it may have something to do with a tweet posted by MalwareTech in February 2015, when he claimed a hooking engine he made had been abused by malware developers.

    However, as a Greece-based experts noted, the hooking technique found in both Kronos and MalwareTech’s GitHub account was first described in 2009.

    MalwareTech is not allowed to discuss his case with anyone, but he pointed out on Twitter that none of the code found on his GitHub account implements new techniques and instead represents proof-of-concept (PoC) code for existing methods.

    It’s unclear at this point if investigators used these similarities to link Hutchins to Kronos and if the code that the researcher claimed was stolen from him in 2015 was used in this banking Trojan or different malware.

    While many have named Hutchins a hero for his role in stopping the WannaCry outbreak, some, including Immunity founder Dave Aitel, believe he may have actually been involved in the WannaCry attack.

    Reply
50. August 22, 2017 at 1:09 pm

    Tomi Engdahl says:

    Underwriters Laboratories Releases Cybersecurity Standards for Industrial Control
    https://www.designnews.com/automation-motion-control/underwriters-laboratories-releases-cybersecurity-standards-industrial-control/132202681657313?cid=nl.x.dn14.edt.aud.dn.20170822.tst004t

    UL have developed cybersecurity standards in association with the Department of Homeland Security and the Defense Advanced Research Projects Agency.

    As more than most software applications available today are comprised of open-source components, organizations must be especially vigilant to implement rigorous software supply chain management systems and procedures to mitigate the potential risk from third-party applications. Thus, Underwriters Laboratories (UL) has developed a set of cybersecurity standards – UL 2900-2-2 – specifically designed for industrial control systems (ICS).

    The standards were developed to offer testable cybersecurity criteria for third-party software and to validate the security claims of software vendors.

    In addition, UL has ongoing research partnerships with the Department of Homeland Security ( DHS ICS-CERT) and the Defense Advanced Research Projects Agency ( DARPA ICS ) to help mitigate industrial IoT cyber risks.

    Cybersecurity is always a moving target. UL built this into the standards, so they will be updated as changes in the security environment change. “We’re in a continuous feedback mode for continuous improvement. There is no silver bullet or magic way to solve the problem,” said Modeste.

    UL created standards that are designed to adapt to developments in the security environment, a function that is consistent with updates that software vendors provide. “The standards are continually updated. Vendors are producing products, but those products are not static. They make revisions and updates,” said Modeste. “The vendor adapts, so they roll out any new changes. We take that into consideration. We look at how to ensure your vendor is doing the due diligence.”

    Ongoing UL Cybersecurity Standards

    UL began publishing standards for the ICS providers last year. “We published a series of standards in 2016. We published more this past summer. We started three years ago as we worked is an advisory the Obama Administration,” said Modeste. “We met with several agencies with the government, DHS being the biggest one. We partnered with various agencies, including DARPA. We also include several consultants and utilities.”

    The standards come out of UL’s Cybersecurity Assurance Program) UL CAP, which offers third party support to allow users to evaluate both the security of network-connectable products and systems, as well as the vendor processes for developing and maintaining products and systems for security.

    “The standards are focused on the manufacturing community, to help them build good design into their products,”

    Reply