Security trends 2017

Year 2017 will not bring any turn towards better data security. The internet is as rife with well-known threats as with unknown ones, and companies' systems are supposed to be protected against both. Hackers are going to continue to look for new ways to extort and steal information from businesses and organizations, which unfortunately means those businesses and organizations will have to continue to look for new ways to protect themselves.

Critical infrastructure comes under attack in 2017. Critical infrastructures must be better protected from criminals and terrorists who take advantage of the modern technologies that are essential for the functioning of society and the economy. The IT security functions of industrial control systems (ICS), energy grids and IoT networks need to be improved in 2017.

There is a push for better web security in 2017. Starting New Year’s Day, Google’s Chrome will begin labeling as “insecure” all websites that transmit passwords or ask for credit card details over plain-text HTTP. Beginning in January 2017 (Chrome 56), HTTP sites that transmit passwords or credit cards are marked as non-secure, as part of a long-term plan to mark all HTTP sites as non-secure.
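To make the Chrome 56 rule concrete, here is an added example (my own code, not from the original post and not Google’s check) that scans a page’s HTML for the fields Chrome treats as sensitive and reports those collected over plain HTTP. It goes one step beyond the Chrome 56 rule by also flagging an HTTPS page whose form posts to an http: action. The sample page, the hostnames and the list of credit-card autocomplete tokens are constructed for the illustration.

```python
"""Find password and credit-card fields that a page collects over plain
HTTP, the condition Chrome 56 flags as "Not secure". Added example using
only the standard library; it is not Chrome's own check."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Autocomplete tokens that mark a card field (assumption: this subset of
# the HTML spec's payment tokens is enough for the illustration).
CARD_AUTOCOMPLETE = {"cc-number", "cc-csc", "cc-exp", "cc-exp-month", "cc-exp-year", "cc-name"}


class SensitiveFieldScanner(HTMLParser):
    """Record each sensitive input together with the URL its form submits to."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.form_action = None   # submit URL of the form currently open
        self.fields = []          # (description, submit URL)

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag == "form":
            # an absent or empty action means "submit to this page"
            self.form_action = urljoin(self.page_url, attr.get("action") or "")
        elif tag == "input":
            kind = (attr.get("type") or "text").lower()
            auto = (attr.get("autocomplete") or "").lower()
            target = self.form_action or self.page_url
            if kind == "password":
                self.fields.append(("password field", target))
            elif auto in CARD_AUTOCOMPLETE:
                self.fields.append((f"card field ({auto})", target))

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_action = None


def insecure_fields(page_url, html):
    """Sensitive fields served over http:, or submitted to an http: action
    from an https: page (the latter goes beyond the Chrome 56 rule)."""
    scanner = SensitiveFieldScanner(page_url)
    scanner.feed(html)
    page_is_plain = urlsplit(page_url).scheme == "http"
    return [(desc, target) for desc, target in scanner.fields
            if page_is_plain or urlsplit(target).scheme == "http"]


# Constructed sample page: a login form posting back to the page, and a
# card form posting to a separate HTTPS payment host.
SAMPLE_PAGE = """
<html><body>
<form action="/login" method="post">
  <input name="user" type="text">
  <input name="pw" type="password">
</form>
<form action="https://pay.example.test/charge" method="post">
  <input name="card" autocomplete="cc-number">
  <input name="cvc" autocomplete="cc-csc">
</form>
</body></html>
"""

if __name__ == "__main__":
    for url in ("http://shop.example.test/login", "https://shop.example.test/login"):
        print(url, insecure_fields(url, SAMPLE_PAGE))
```

Run against the same markup, the scanner reports all three fields when the page is served over http: and nothing when it is served over https:, which is exactly the difference the browser label reflects; moving the whole page to HTTPS, not just the form target, is the fix.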

SHA-1 is insecure. Starting on Jan 1, 2017, most CAs will migrate to SHA-2 certificates, and major browser makers, including Microsoft, Google, and Mozilla, have already announced plans to adopt the change. Their browsers will no longer trust sites that use SHA-1 starting with that date, and they will mark these websites as insecure. 1/3 of websites still use SHA-1 certificates despite the looming deadline. SHA-1 will still hang around, like a fart in a spacesuit, for many years to come because some people are lazy enough not to make the change.

There will be changes in how security is viewed in 2017 by businesses. We will likely see cloud adoption continue to grow across the United States, network visibility will no longer just be an option, AI and machine learning will shake old security models, and IoT-powered attacks will continue to rise. All of this will factor into how businesses set up, monitor and secure their networks.

The commoditization of cyberattacks will make them more frequent in 2017. More and more companies suffer disruption to business due to cyber attacks. Cyber-attacks cause companies significant financial losses, but studies show that companies are not prepared for attacks. According to Gartner, by 2018 only 40 per cent of large companies will have official plans in case of cyber attacks. Last year, the percentage was zero.

Strap yourself in for a bumpy ride in 2017. 2016 sucked. 2017 won’t be much better, sorry. DDoS attacks have been around since at least 2000, and they’re not going away. In fact, as the number of devices online grows, the volume and velocity of these attacks are also increasing. DDoS attack toolkits have been around for years, as have services that will enable you to pay for an attack. Expect to see more of them. It seems that 2017 promises to be the most dramatic year yet in DDoS conflict. Whale-sized DDoS attacks will increase, the IoT will become a bigger factor in DDoS, and DDoS will overshadow ransomware attacks and be used for extortion. Expect to see the Internet of Things (IoT) and other connected devices play an important part in these attacks.

Biometric identification will become more common in 2017, but it will not replace passwords. Fingerprint identification has become increasingly common in smartphones, and the technology is already fast and reliable. This year biometric identification devices were sold for 4.5 billion dollars (most of them going into smartphones and laptops). 91 per cent of biometric sales were fingerprint sensors, four per cent face detection and three per cent iris detection.

Biometrics won’t kill passwords any time soon. Even though PIN codes and passwords are actually pretty lousy protection against a skilled cybercriminal, the password will never disappear entirely, as two per cent of the world’s population have fingerprints that are not suitable for biometric identification. Other biometric identification systems have similar limitations and/or are not yet commonly available at reasonable cost. While biometrics, including fingerprint, face, iris, palm and speech recognition, will continue to grow as a more secure substitute for passwords, they will not render passwords obsolete. Until the other common biometrics become commonplace, passwords are here to stay, until circa 2030.

The fight over encryption and backdoors is not over in 2017. Many public figures in law enforcement have consistently argued that device encryption presents a new threat to police powers of investigation. On the other side, the House Judiciary Committee’s Encryption Working Group says in its latest report that encryption backdoors pose a security threat, siding with tech experts. The problem is that any system allowing police to get into an encrypted system (be it a phone, computer or communications) could also be exploited by criminals. Any action in this space should weigh any short-term benefits against the long-term impacts. Many industry experts will rightly tell you there is no such thing as partial data encryption. You either have a fully capable system or none at all.

Given the security events of 2016, coupled with the rapid advancements and adoption of cloud computing, 2017 will be the year in which many finally accept that network infrastructure and security will have to be rethought from the ground up. In 2017 the cloud will become a risk for users: The cloud becoming insecure – extortion and IoT openings.

The rivalry between network attacks and network security is accelerating. Crippling Internet services with denial of service attacks is becoming more common throughout the world. DDoS attacks have been around since at least 2000, and they’re not going away. In fact, as the number of devices online grows, the volume and velocity of these attacks are also increasing. IoT-powered attacks will continue to rise, and stopping an attack is not easy. For most companies the key thing is that the attack traffic is stopped before it reaches the company’s Internet connection or servers (which increases the need to use telecom operators and external services). In addition to service disruption, denial of service attacks are often used as a distraction during the actual data burglary. DDoS may take over from ransomware as a cause for concern.
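As an added illustration of the detection side of the DDoS discussion above (my own code, not from the original post), the following Python sketch runs a sliding-window rate check over a constructed connection log and distinguishes a single noisy source from a flood spread across many low-rate sources, the pattern an IoT botnet produces and the one a per-source threshold alone misses. The log format, the addresses and the thresholds are assumptions chosen for the example.

```python
"""Sliding-window flood detection over a connection log. Added example,
not from the original post; the log format, addresses and thresholds
are assumptions chosen for the illustration."""
from collections import defaultdict, deque
from datetime import datetime

WINDOW_SECONDS = 10
PER_SOURCE_LIMIT = 50             # one source above this per window is suspicious
AGGREGATE_LIMIT = 400             # total above this per window is a flood
DISTRIBUTED_MIN_SOURCES = 20      # a flood this spread out is a botnet, not one box


def parse_line(line):
    """'2017-01-05T10:00:12 203.0.113.5 198.51.100.10:80' -> (seconds, src, dst)."""
    stamp, src, dst = line.split()
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S").timestamp(), src, dst


def detect_floods(lines):
    """Return (time, kind, detail) alerts; each source and each aggregate
    flood is reported once while it persists."""
    window = deque()                   # (seconds, src) inside the last WINDOW_SECONDS
    per_source = defaultdict(int)      # event count per source inside the window
    flagged = set()
    aggregate_active = False
    alerts = []
    for line in lines:
        now, src, _dst = parse_line(line)
        window.append((now, src))
        per_source[src] += 1
        # drop events that aged out of the window
        while now - window[0][0] > WINDOW_SECONDS:
            _old, old_src = window.popleft()
            per_source[old_src] -= 1
            if per_source[old_src] == 0:
                del per_source[old_src]
        # per-source rate: catches one noisy host
        if per_source[src] > PER_SOURCE_LIMIT and src not in flagged:
            flagged.add(src)
            alerts.append((now, "single-source flood", src))
        # aggregate rate: catches many hosts that each stay under the per-source limit
        if len(window) > AGGREGATE_LIMIT:
            if not aggregate_active:
                aggregate_active = True
                kind = ("distributed flood" if len(per_source) >= DISTRIBUTED_MIN_SOURCES
                        else "volumetric flood")
                alerts.append((now, kind, f"{len(window)} events from {len(per_source)} sources"))
        else:
            aggregate_active = False
    return alerts


def constructed_log():
    """Synthetic log: normal traffic, then one flooding host, then a 50-host flood."""
    def stamp(sec):
        return datetime(2017, 1, 5, 10, 0, sec).strftime("%Y-%m-%dT%H:%M:%S")
    lines = []
    for sec in range(10):                      # 5 clients, one request each per second
        for i in range(5):
            lines.append(f"{stamp(sec)} 192.0.2.{i + 1} 198.51.100.10:80")
    for _ in range(60):                        # one host sends 60 requests in one second
        lines.append(f"{stamp(12)} 203.0.113.5 198.51.100.10:80")
    for sec in (30, 31):                       # 50 hosts, 5 requests each per second
        for i in range(50):
            for _ in range(5):
                lines.append(f"{stamp(sec)} 198.18.0.{i + 1} 198.51.100.10:80")
    return lines


if __name__ == "__main__":
    for when, kind, detail in detect_floods(constructed_log()):
        print(f"{when:.0f} {kind}: {detail}")
```

On the synthetic log the per-source rule fires once, for the single flooding host, and the aggregate rule fires once for the 50-host burst, where no individual source ever passes the per-source limit. That second case is why upstream filtering at the operator or a scrubbing service matters: by the time such traffic reaches the company’s own link, a per-source block list has nothing useful to block.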

In 2017 IT and security professionals will talk more about business risks. Historically, firewalls, DLP, antivirus, SIEM and other technical point solutions have been the centerpiece of security conversations, but the mindset is slowly shifting from technology to risk. The goal of stopping all attacks and preventing all business impact has been recognized as a fool’s errand, and has shifted to measuring risk and minimizing business impacts. Cyber security is increasingly being viewed as a risk management problem.

In 2017 ‘Security’ Must be Added to our Existing Ethical and Philosophic Concerns Over Artificial Intelligence and Algorithms. Algorithms will soon run the world. They present problems that are seriously questioned on both ethical and philosophic grounds, and they have become the basis of fictional Armageddons.

Cyber insurance will be considered more as one solution for handling cyber risks in 2017. The global cyber insurance market is expected to generate $14 billion by 2022, according to a new report published by Allied Market Research (AMR). That figure represents an impressive compound annual growth rate (CAGR) of nearly 28% from 2016 to 2022.

In 2017 Big Brother will be watching you 24/7. Those of you who’ve read George Orwell’s book 1984 or seen the movie will remember how the citizens of the fictitious totalitarian state of Oceania are constantly under surveillance by order of its dictator, Big Brother. So now swap your home desktop computer, laptop or smartphone for the fictitious telescreen: not only are you sitting in front of what is a modern-day version of the Big Brother telescreen, you are also walking around with one in your pocket or handbag. Sound a bit far-fetched to you? Well, it’s set to become a reality in many countries.

Users will want better security, or at least to feel more secure, in 2017. Many people are prepared to go to extremes for better security. According to a recent survey of over 2,000 adults conducted by Harris Poll, nearly 40% of Americans would give up sex for a year, or eating their favourite food, in exchange for better online security, meaning they’d never have to worry about being hacked. When you consider that 87 percent of U.S. adults use the internet, it makes sense that cyber security is one of the biggest concerns today. The single biggest thing people can do to help keep their online identity safe is probably the easiest: a solid password, and not giving it to other people. Still, nearly 50% of people have shared a password to an e-mail account or to an account like Netflix.

Security becomes a multi-system issue, and more people are talking about it. Design teams will have to bake security strategies in from the start, no matter how insignificant the device. The good news is that more people are talking about the issue. The real challenge is packing enough security features into designs to prevent security breaches of every sort, including those that can come from other electronics that weren’t even considered as part of the design process. Just as devices get more sophisticated, so do hackers. The reality is that security breaches can even cause physical harm. It’s time to look at this at a multi-system, multi-disciplinary level. Otherwise, we literally could be playing with fire.

Blockchains have been a big trend for several years. The blockchain market is divided as 2017 starts. During autumn 2016 we have seen a number of initiatives on cooperation between the financial sector and consulting companies. Microsoft has chosen the Ethereum blockchain as its platform and offers it on the Azure cloud service. IBM has jumped on the Hyperledger consortium bandwagon and is offering its own blockchains on the Bluemix service. Google and Amazon still shine by their absence. Even banks may prefer to see the cloud used for blockchains.

Other prediction articles worth a look:

What Lies Ahead for Cybersecurity in 2017?

Network Infrastructure, Visibility and Security in 2017

DDoS in 2017: Strap yourself in for a bumpy ride

Cybersecurity Industry Outlook: 2017 to 2021 | CSO Online

IBM’s Cybersecurity Predictions for 2017 – eForensics

https://eforensicsmag.com/ibms-cybersecurity-predictions-2017/

Top 5 Cybersecurity Threats to Watch Out for in 2017

Experts Hopeful as Confidence in Risk Assessment Falls

3,151 Comments

  1. Tomi Engdahl says:

    Energy Management Systems Expose Devices to Attacks
    http://www.securityweek.com/energy-management-systems-expose-devices-attacks

    Researchers have demonstrated a new class of fault attacks possible due to the poor security design of energy management systems present in most modern computing devices.

    Energy management is an important feature of modern computers, particularly in the case of mobile devices, as it helps increase battery life, improve portability and reduce costs. However, since designing such systems is not an easy task, focus has been placed on efficiency and security has often been neglected.

    At the recent USENIX Security Symposium, a team of experts from Columbia University presented an attack method they have dubbed “CLKscrew.” They showed how a malicious actor could exploit the lack of security mechanisms in energy management systems to carry out a remote attack and obtain sensitive data.

    The research has focused on the ARMv7 architecture – a Nexus 6 smartphone was used in experiments – but the CLKscrew attack likely also works against other devices and architectures. The energy management system analyzed by the researchers is the widely used dynamic voltage and frequency scaling (DVFS).

    The CLKscrew attack shows how a remote hacker could use a malicious kernel driver loaded onto the targeted device to exploit security weaknesses in DVFS and breach the ARM Trustzone, a hardware-based security technology built into system-on-chips (SoCs).

    Experts demonstrated how an attacker can use the method to extract secret crypto keys from Trustzone, and escalate privileges by loading self-signed code into Trustzone.

    “CLKscrew is the tip of the iceberg: more security vulnerabilities are likely to surface in emerging energy optimization techniques, such as finer-grained controls, distributed control of voltage and frequency islands, and near/sub-threshold optimizations,” researchers said in their paper.

    https://www.usenix.org/system/files/conference/usenixsecurity17/sec17-tang.pdf

  2. Tomi Engdahl says:

    Facebook launched a dedicated tab for Safety Check
    https://www.theverge.com/2017/8/21/16179530/facebook-safety-check-feature-gets-own-tab

    Facebook has made a permanent page for Safety Check, its feature for letting others know that you’re safe during an emergency.

    The results are pretty eerie. A promotional photo shows the Safety Check page displaying what’s essentially a news feed of catastrophes — including a collapse, a fire, and a typhoon — and people marking themselves safe. You can even explore disasters “around the world.”

    It’s a little unsettling, but Facebook seems to have built it out in recognition of the terrorist attacks and extreme weather events that happen on an unfortunately regular basis.

    Still, while the intention might be good, the feature is far from perfect. It sometimes gets activated when there isn’t a real emergency, leading to stressed out friends and relatives prodding you with Safety Check requests.

  3. Tomi Engdahl says:

    Malaysia sites hacked after blunder over Indonesian flag
    http://www.bbc.com/news/world-asia-40996126

    Indonesian hackers have claimed to have attacked several Malaysian websites, following a blunder which saw the Indonesian flag printed upside down in a regional sports event’s guidebook.

    The mistake prompted fury in Indonesia over the weekend and President Joko Widodo demanded an official apology.

    The book was printed for the Southeast Asian Games, which are being held in Kuala Lumpur.

    Malaysian organisers and officials have apologised profusely.

    The affected websites display a message in red and white – Indonesia’s flag colours – which says: “My national flag is not a toy!”

    At least 27 websites were affected, and were mostly for private businesses, according to Indonesian and Malaysian news outlets.

    A BBC check on Monday found that several of the sites have since been taken offline.

  4. Tomi Engdahl says:

    If there’s a hole in your S3 bucket, data thieves will be sprayed by Macie
    Data loss prevention bot patrols Amazon’s cloud storage solution
    https://www.theregister.co.uk/2017/08/22/aws_amazon_macie_bot/

    Macie is an Amazon Web Services bot that safeguards the sensitive contents of S3 buckets. Amazon bought the company behind it, Harvest.ai, surreptitiously in January this year, paying a rumoured $19m.

    Amazon naturally wants its cloud to be watertight. Insecure S3 buckets are involved in embarrassing data leaks, such as one from Groupize, a hotel-booking service.

    Think of Macie as a data loss prevention agent, a DLPbot, that uses machine learning to understand a user’s pattern of access to data in S3 buckets. The buckets have permission levels and the data in a bucket can be ranked for sensitivity or risk, using items such as credit card numbers, and other sensitive personal information.

    The software monitors users’ behaviour and profiles it. If there are changes in the pattern of that behaviour and they are directed towards high-risk data then Macie can alert admin staff to a potential breach risk.

    For example, if a hacker successfully impersonates a valid user and then goes searching for data in unexpected places and/or from an unknown IP address then Macie can flag this unusual pattern of activity. The product could also identify a valid employee going rogue, say, generating a store of captured data ready to steal it.

    Open AWS S3 bucket leaked hotel booking service data
    Groupize denies report by researchers at Kromtech, but locks down repo anyway
    https://www.theregister.co.uk/2017/08/22/open_aws_s3_bucket_leaked_hotel_booking_service_data_says_kromtech/

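As an added example (my own code, not Amazon’s and not Macie’s logic), here is a simplified check for the “open bucket” condition behind leaks like the Groupize one: it reads an S3 bucket policy document and reports Allow statements that give object read access to everyone. The two policies are constructed for the illustration, with a placeholder account ID; a real assessment must also consider bucket ACLs and the account-level public-access settings, which a policy document alone does not show.

```python
"""Report bucket-policy statements that grant anonymous read access to
S3 objects. Added example, not Amazon's code or Macie's logic: a
simplified public-access test (Allow + wildcard principal + read action,
with or without a narrowing Condition) over a policy document."""
import json


def _as_list(value):
    """IAM policy fields may be a single string/object or a list of them."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_everyone(principal):
    """True for Principal "*" or {"AWS": "*"} (a list containing "*" counts)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _grants_read(actions):
    """True if any action lets the principal read or list objects."""
    for action in actions:
        action = action.lower()
        if action in ("*", "s3:*") or action.startswith("s3:get") or action.startswith("s3:list"):
            return True
    return False


def public_read_statements(policy_json):
    """Return (statement id, verdict) for Allow statements open to everyone."""
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot open the bucket
        if not _principal_is_everyone(stmt.get("Principal")):
            continue
        if not _grants_read(_as_list(stmt.get("Action"))):
            continue
        sid = stmt.get("Sid", f"statement[{idx}]")
        # A Condition (source IP, VPC endpoint, ...) may narrow the grant; report
        # it separately rather than calling it safe, since it needs a human look.
        verdict = "public read, narrowed by Condition" if stmt.get("Condition") else "public read"
        findings.append((sid, verdict))
    return findings


# Constructed example: the kind of policy behind an "open bucket" leak.
LEAKY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::booking-exports-example/*",
    }],
})

# Constructed hardened version: read limited to one application role, plus a
# Deny for non-TLS requests (placeholder account ID 111122223333).
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AppRoleRead",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:role/booking-app"},
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::booking-exports-example",
                         "arn:aws:s3:::booking-exports-example/*"],
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::booking-exports-example/*",
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
})

if __name__ == "__main__":
    for name, policy in (("leaky", LEAKY_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, public_read_statements(policy) or "no public read grants")
```

The hardened policy keeps a wildcard principal only in a Deny statement, which is why the check ignores it: the interesting case is an Allow to everyone, and a Condition on such an Allow is reported for review rather than silently accepted, because whether the condition actually narrows the audience depends on its contents.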
  5. Tomi Engdahl says:

    Watch Hackers Hijack Three Robots for Spying and Sabotage
    https://www.wired.com/story/watch-robot-hacks-spy-sabotage

    The entire corpus of science fiction has trained humanity to fear the day when helpful household and industrial robots turn against it, in a Skynet-style uprising. But a much more near-term threat lurks in the age of automation: not that anthropomorphic gadgets will develop minds of their own, but that a very human hacker will take control of them.

    At the Hack in the Box security conference later this week in Singapore, Argentinian security researchers Lucas Apa and Cesar Cerrudo plan to demonstrate hacker attacks they developed against three popular robots: the humanoid domestic robots known as the Alpha2 and NAO, as well as a larger, industrial-focused robotic arm sold by Universal Robots.

  6. Tomi Engdahl says:

    The Great Tech Panic: What You Should (and Shouldn’t) Worry About
    https://www.wired.com/2017/08/dont-worry-be-happy

    Technology is transforming our lives so profoundly, so quickly, that it can be scary. We asked experts to weigh in on how much we should be stressed about self-driving cars, rogue nuke launches, evil AI, and more.

  7. Tomi Engdahl says:

    Robert Hackett / Fortune:
    IBM announces collaboration with Walmart, Unilever, Nestlé, and other food giants, to apply blockchain tech to food supply chains and improve food safety

    Walmart and 9 Food Giants Team Up on IBM Blockchain Plans
    http://fortune.com/2017/08/22/walmart-blockchain-ibm-food-nestle-unilever-tyson-dole/

    Walmart and a group of food giants are teaming up with IBM to explore how to apply blockchain technology, also known as distributed ledger tech, to their food supply chains.

    The coalition includes retailers and food companies such as Unilever (ul, +0.57%), Nestlé , and Dole (dole). They will be aiming to use blockchains, a technology that made its name as the basis of the cryptocurrency Bitcoin, to maintain secure digital records and improve the traceability of their foodstuffs, like chicken, chocolate, and bananas.

    These companies see blockchains as an opportunity to revamp their data management processes across a complex network that includes farmers, brokers, distributors, processors, retailers, regulators, and consumers. One potential benefit: investigations into food-borne illnesses to take weeks (see this summer’s fatal Salmonella outbreak linked to papayas), but a blockchain-based system has the ability to reduce that time to seconds.

  8. Tomi Engdahl says:

    5 Ways Businesses Are Already Using Blockchains
    http://fortune.com/2017/08/22/blockchain-walmart-maersk-banking/

    Amid the hype surrounding Bitcoin and Ethereum, it’s easy to overlook how blockchains—the technology behind those currencies—are already transforming major industries. For businesses, the opportunities to secure supply chains, eliminate middlemen, and cut costs are increasingly compelling. Here are five examples of blockchains in action.

    Shipping

    Maersk, the world’s largest shipping company, completed an inaugural test this spring of using a blockchain to track its cargo. The test involved not just Maersk but a series of third parties—the shipper, Dutch customs, and the U.S. Department of Homeland Security—with all of them tracking containers remotely.

    Banking

    Despite its sophistication, the banking industry is still bedeviled by sluggish systems that can take hours or days to confirm basic transactions such as stock sales or money transfers. But the ongoing adoption of blockchains by the likes of Barclays, which conducted a groundbreaking transaction (it involved butter exports) using the technology in 2016, means this is changing.

    Livestock

    You might not peg Walmart (wmt, +0.39%) as a blockchain pioneer. But the retail giant began using the technology in 2016 to track how pigs from China moved through the supply chain to the American table.

    Law

    All sorts of agreements—from home sales to business purchases to employee contracts—require lawyers and courts to enforce. Now, more firms are experimenting with “smart contracts” that execute themselves: A blockchain system can, for instance, release money from escrow once one party to a contract transfers a deed.

    Diamonds

    The diamond business is a tight-knit industry whose members and customers share common concerns over stones’ origins and authenticity. This helps explain the success of Everledger, a company that can record over 40 identifying features of a diamond, including color and clarity, and register them to a blockchain.

  9. Tomi Engdahl says:

    Neptune Exploit Kit Used to Deliver Monero Miner
    http://www.securityweek.com/neptune-exploit-kit-used-deliver-monero-miner

    Cybercriminals have been using the Neptune exploit kit to deliver cryptocurrency miners via malvertising campaigns, FireEye reported on Tuesday.

    Neptune, whose arrival was detailed by researchers in January, is also known as Terror, Blaze and Eris. It was initially considered a variant of the Sundown exploit kit due to many code similarities.

    Exploit kit activity has been declining since the disappearance of Angler and Neutrino. Sundown also went silent and the infosec community managed to deliver a significant blow to the infrastructure used by RIG.

    Neptune has gained popularity and it continues to be used in malvertising campaigns, particularly ones that aim to deliver cryptocurrency miners. Several changes have been spotted recently by FireEye in Neptune attacks, including URI patterns, landing pages, malvertising campaigns and payloads.

  10. Tomi Engdahl says:

    DDoS Threat Increases While Mirai Becomes ‘Pay-for-Play’
    http://www.securityweek.com/ddos-threat-increases-while-mirai-becomes-pay-play

    The DDoS threat is increasing again. Pbot can generate 75 Gbps from just 400 nodes and Mirai has been commoditized. However, despite the growing number of attacks, the overall trend seems to be for more frequent, smaller attacks. These are the primary takeaways from a new Q2 study into internet traffic.

    Akamai Technologies, a Cambridge, Mass.-based content delivery network (CDN) and cloud services provider with more than 233,000 servers in over 130 countries, has published its Q2 State of the Internet report (PDF). The report comprises analyses of attack data seen across this network. It shows that DDoS attacks have increased by a massive 28% over the previous quarter.

    Within this statistic, infrastructure layer (layers 3 and 4) attacks have risen by 27%; reflection-based attacks have risen 21%; and the average number of attacks per target has increased by 28%. Gaming sites are frequent targets, accounting for 81% of all volumetric DDoS attacks monitored by Akamai.

    [state of the internet] / security
    https://www.akamai.com/uk/en/multimedia/documents/state-of-the-internet/q2-2017-state-of-the-internet-security-report.pdf

  11. Tomi Engdahl says:

    PlayStation Social Media Accounts Hacked
    http://www.securityweek.com/playstation-social-media-accounts-hacked

    A notorious hacking firm, probably best described as greyhats rather than white or blackhats, briefly breached the PlayStation Facebook and Twitter accounts on Sunday.

    OurMine, a Saudi-based security firm, specializes in breaching high-profile accounts in order to advertise its ‘prowess’ and sell its security services. Yesterday, it got into PlayStation’s Twitter and Facebook accounts, and claimed to have stolen ‘PlayStation Network Databases.’ All messages were quickly removed by Sony, but not before they had been seen, and not before PlayStation users’ concerns were raised.

    The messages left on Facebook were potentially the more worrying: “Playstation, contact us we got Playstation Network database leaked!” This immediately provoked memories of the massive 2011 breach which forced Sony to shut down the PlayStation Network and Store, and had the personal information of some 77 million PSN users stolen.

    Tweets posted by OurMine on PlayStation’s Twitter account were in the same vein, but added, “No, we aren’t going to share it, we are a security group, if you works at Playstation then please go to our website ourmine.org.”

    “It’s quite unlikely that the database is indeed stolen,” comments High-Tech Bridge CEO Ilia Kolochenko. “On the other hand, it can be a smart smoke screen to camouflage a large-scale data breach and distract attention of cybersecurity teams from the real problem. However, until Sony makes an official statement about their internal investigation, it’s too early to make any conclusions.”

    At this stage, it cannot even be guaranteed that the social media hacks were performed by OurMine. The most recent hack it acknowledges on its website is the April 2017 YouTube hack, which it describes as “the biggest hack in YouTube history!”

  12. Tomi Engdahl says:

    How to Make Friends and Influence People (in InfoSec)
    http://www.securityweek.com/how-make-friends-and-influence-people-infosec

    After a particularly strange exchange with a new connection on LinkedIn I felt the need to write a post on my profile calling out bad behavior. I clearly struck a nerve, as I received several notes asking me how someone should make a connection request, and subsequent invitations to connect. After responding to a few of these inquiries, I realized others may be interested in this information.

    Offer something of value. First, and perhaps most important, always have something to offer someone to whom you want talk and build a relationship. In real life, the only time it may be even remotely appropriate to walk up to someone and say, “Hey, I have something to sell you I think you’ll want,” is if you’re on a used car lot. Even then, maybe not. So, if you’re going to connect with someone on a platform like LinkedIn, have something to offer them. Typically, this should have two qualifying attributes. It has to be something they actually want, and it shouldn’t require an up-front investment on their part.

    Cultivate your connections. This is the part where I personally need the most work. Cultivating relationships is difficult. There is a limit (I think it’s about 150 or so) to how many personal connections a human being can keep.

    Some people feel unapproachable. My advice to anyone who makes a real attempt at connecting while providing value and still gets shot down, don’t sweat it.

    We’re all selling something. I’m always amused by people who “refuse to talk to sales people” because they don’t even realize they’re selling something, too. Even if you’re the gal holding up the “Caution” sign as I pass by on the road that’s congested due to construction, you’re selling something. You’re selling your attitude, and at some point in the future you may be helping your kid sell Girl Scout Cookies when I pass by.

    I’ll close with this: follow the golden rule. Treat others like you’d want to be treated.

  13. Tomi Engdahl says:

    Demystifying Machine Learning: How to Turn the Buzzword into Real Benefits for Endpoint Security
    http://www.securityweek.com/demystifying-machine-learning-how-turn-buzzword-real-benefits-endpoint-security

    Machine learning has become the most popular new theme in security. Seemingly every vendor is adopting this capability in an attempt to either keep up or to make their product stand out in a crowded market. This creates confusion, because the term itself is often misunderstood, and the implications of its use are varied.

    To help clear up some of the confusion, let’s start by clarifying what machine learning in security is NOT:

    1. It is not a form of protection. One of the biggest misconceptions is that machine learning is some kind of new product or feature that provides protection to keep companies safe. In fact, machine learning doesn’t actually provide protection, but rather informs how the protection operates by enabling faster, more accurate, broader and more in-depth analysis of threat data.

    2. It is not a quick fix for outdated approaches. Most AV solutions are using machine learning to analyze file attributes to determine whether a file is malicious. But this is basically what AV has been doing for years.

    3. It is not necessarily always getting smarter. Like any analytics tool, machine learning-based security solutions are only as good as the data available—the proverbial “garbage in, garbage out.” Effective protection depends on high quantity, high quality and frequently updated data, and the right set of features, or attributes, to train on. The model must be regularly retrained using timely, relevant, high-fidelity data.

    While machine learning has certainly improved endpoint security, clearly we’re still not quite there yet.

    In order to be effective at stopping today’s most sophisticated malware, like fileless attacks, CPU-level exploits, and script and macro-based threats (as well as those threats yet to come), machine learning for endpoint security must be responsive to this current climate.

    There’s no doubt that machine learning has and will continue to revolutionize endpoint security. But it’s important to understand exactly how this technology actually works, including its limitations. Understanding this, companies can better protect themselves by asking the right questions.

  14. Tomi Engdahl says:

    Tech Leaders Warn Against “Pandora’s Box” of Robotic Weapons
    http://www.securityweek.com/tech-leaders-warn-against-pandoras-box-robotic-weapons

    Elon Musk is leading demands for a global ban on killer robots, warning technological advances could revolutionise warfare and create new “weapons of terror” that target innocent people.

    The CEO of Tesla and SpaceX joined more than 100 robotics and artificial intelligence entrepreneurs in signing a letter to the United Nations calling for action to prevent the development of autonomous weapons.

    “Lethal autonomous weapons threaten to become the third revolution in warfare,” warned the statement signed by 116 tech luminaries, also including Mustafa Suleyman, cofounder of Google’s DeepMind.

  15. Tomi Engdahl says:

    Power/Performance Bits: Aug. 22
    USB data leakage; choosing the right battery; rechargeable zinc-air batteries.
    https://semiengineering.com/powerperformance-bits-aug-22/

    Researchers from the University of Adelaide found that USB connections are vulnerable to information leakage. In testing more than 50 different computers and external USB hubs, they found that over 90% of them leaked information to an external USB device.

    “USB-connected devices include keyboards, cardswipers and fingerprint readers which often send sensitive information to the computer,” said Yuval Yarom, Research Associate with the University of Adelaide’s School of Computer Science.

    The team used a modified cheap novelty plug-in lamp with a USB connector to read every key stroke from the adjacent keyboard USB interface. The data was sent via Bluetooth to another computer.

    “It has been thought that because that information is only sent along the direct communication path to the computer, it is protected from potentially compromised devices,” said Yarom. “But our research showed that if a malicious device or one that’s been tampered with is plugged into adjacent ports on the same external or internal USB hub, this sensitive information can be captured. That means keystrokes showing passwords or other private information can be easily stolen.”

    While those aware of security risks are wary of plugging in an unknown USB device, Yarom said other research has shown that if USB sticks are dropped on the ground, 75% of them are picked up and plugged into a computer.

    “The main take-home message is that people should not connect anything to USB unless they can fully trust it,” said Yarom.

    Reply
  16. Tomi Engdahl says:

    Researchers Demo Remote Hacking of Industrial Cobots
    http://www.securityweek.com/researchers-demo-remote-hacking-industrial-cobots

    Researchers at security firm IOActive have shown how a remote attacker can hack an industrial collaborative robot, or cobot, and modify its safety settings, which could result in physical harm to nearby human operators.

    A few months ago, IOActive published a brief report providing a high-level description of its research into robot cybersecurity. Researchers analyzed industrial and business robots from six vendors, including SoftBank Robotics, UBTECH Robotics, ROBOTIS, Universal Robots, Rethink Robotics and Asratec Corp.

    Reply
  17. Tomi Engdahl says:

    German AV-Test has put anti-virus software programs through a wide-ranging test. The Russian Kaspersky Lab, which recorded the full score in the test, became number one.

    Kaspersky Lab’s Internet Security suite was the only tool that reached six points in all categories. More than 16-point performance was achieved by thirteen software products.

    Source: http://www.etn.fi/index.php/13-news/6711-venalaistutka-suojaa-windowsin-parhaiten

    Reply
  18. Tomi Engdahl says:

    Application Security – the Achilles heel in cyber defense?
    http://info.prqa.com/application-security-evaluation-lp?utm_campaign=Lead%20nurturing&utm_source=hs_automation&utm_medium=email&utm_content=53726316&_hsenc=p2ANqtz–rhL-NmO8ywBfKfEh8H980PftIcTgf2WBFR3Hh4MIQxv4LZBCWz4MX4YVnLvxPtXwI5K3nV50tP9vgcevuDemcxzqQZAjfq-5-atVtMgXC3hjs7_A&_hsmi=53726316

    It has become clear that secure software is not a choice any more – it is a mandatory part of the development process!

    Cyber attacks seem to be a daily occurrence and because modern society has become dependent on software-based technology – security isn’t an option. Most security vulnerabilities are a result of coding errors that go undetected in the development stage, making secure software development imperative.

    Road to perfection: when is an application “secure enough”?

    The National Institute of Standards and Technology (NIST) reports that 64% of software vulnerabilities stem from programming errors and not a lack of security features. Security is a real threat and makes secure software development imperative.

    Reply
  19. Tomi Engdahl says:

    VPN: Proceed with caution
    http://www.edn.com/electronics-blogs/brians-brain/4458752/VPN–Proceed-with-caution

    Along with enjoying the significantly enhanced bandwidth of broadband Internet access versus the POTS-based dial-up modem precursor, consumers have also appreciated (and grown to expect) cable, DSL, and fiber’s always-on characteristics. Always-on is beneficial when you’re trying to access the WAN from your LAN, of course, since you don’t need to endure a lengthy log-on process each time you want to go online. But consumers quickly realized that always-on was also beneficial when they wanted to access something on their LAN (such as a networked printer, storage device, or webcam) from a WAN connection, i.e. from a Starbucks hotspot or any other time they were away from home.

    Only one problem: most consumer broadband service tiers are dynamic, versus static, i.e. each time your broadband modem reconnects to your ISP’s access servers (and sometimes even more frequently than this), it’s assigned a different WAN IP address.

    If you have an always-on computer on your LAN, for example, client-installed update utilities will sense each time your WAN IP address changes and send the new information to their servers. By accessing your WAN via a dynamic DNS service provider-assigned URL instead of an IP address string, you’re assured of always being able to find your router (and therefore what’s behind it) on the Internet.

    What’s this all got to do with VPN (virtual private network) services? Short answer: they’re becoming known to (and popular with) consumers, too.

    Recently, however, VPNs have gained more widespread awareness, even domestically within the United States. Why? Back in October 2016, at the tail-end of the Obama administration’s second term, the then-Democrat-dominated FCC issued a ruling that required ISPs to obtain opt-in consent from consumers before sharing their Web browsing data and other private information with advertisers and other third parties.

    Privacy advocates were up in arms about this turnabout of fortunes, despite the fact that the earlier FCC ruling they advocated hadn’t even gone into effect yet.

    So, like many consumers, I began researching VPN services, as a means of tunneling my traffic through a source-and-destination obscuring proxy service intermediary … and promptly ran into multiple roadblocks.

    For one thing, a proxy server can seriously clobber your effective bandwidth, especially when it’s heavily loaded. For another, who’s to say that the VPN provider won’t sell your traffic analytics, even if it promises not to (sure, you can build your own VPN server, but I daresay that’s beyond the reach of the masses)?

    In my particular case, after doing a bunch of research, I’d planned on going with Private Internet Access; this particular VPN provider seems to be highly regarded (NordVPN is another compelling option I found, by the way), and I could even set up the service on my Merlin firmware-based ASUS router. But the Netflix, etc. block was a deal-breaker, no matter that I could always log into my router and disable VPN whenever I wanted to watch a movie. I could do it; I wouldn’t think of asking my wife to jump through similar hoops.

    So at least for now, Comcast can still see (and profit from) everything we do online. And if you’re a network equipment provider who’s considering adding VPN support to your devices, following in the footsteps of the dynamic DNS support you’ve already added, consider yourself duly warned. While the concept of VPN sounds good, the content-access and other roadblocks I’ve mentioned here will likely be showstoppers for your customers, too.

    Reply
  20. Tomi Engdahl says:

    Spencer Ackerman / The Daily Beast:
    Senate intel committee bill would label WikiLeaks a “non-state hostile intelligence service”; Sen. Wyden opposed move, says label could be used on journalists

    Senators Try to Force Trump Admin to Declare WikiLeaks a ‘Hostile’ Spy Service
    It’s one of a number of ways the Senate Intelligence Committee is trying to box the White House in on Russia.
    http://www.thedailybeast.com/senators-try-to-force-trump-admin-to-declare-wikileaks-a-hostile-spy-service

    If the Senate intelligence committee gets its way, America’s spy agencies will have to release a flood of information about Russian threats to the U.S.—the kind of threats that Donald Trump may not want made public.

    The committee also wants Congress to declare WikiLeaks a “non-state hostile intelligence service,” which would open Julian Assange and the pro-transparency organization – which most of the U.S. government considers a handmaiden of Russian intelligence – to new levels of surveillance.

    Dan Coats, the director of national intelligence, would have to develop and disclose a strategy to prevent “Russian cyber threats to United States elections,”

    Other requirements of the bill include a ban on a “cybersecurity unit or other cyber agreement that is jointly established or otherwise implemented by the Government of the United States and the Government of Russia” unless Coats essentially vouches for it.

    Reply
  21. Tomi Engdahl says:

    Malachy Browne / New York Times:
    YouTube machine learning tech removed thousands of videos that may document atrocities in Syria, advocates say; some videos reinstated after creator objections
    http://www.nytimes.com/2017/08/22/world/middleeast/syria-youtube-videos-isis.html

    Reply
  22. Tomi Engdahl says:

    Ukraine cyber security firm warns of possible new attacks
    https://www.reuters.com/article/us-cyber-ukraine-attacks-idUSKCN1B222O

    Ukrainian cyber security firm ISSP said on Tuesday it may have detected a new computer virus distribution campaign, after security services said Ukraine could face cyber attacks similar to those which knocked out global systems in June.

    The June 27 attack, dubbed NotPetya, took down many Ukrainian government agencies and businesses, before spreading rapidly through corporate networks of multinationals with operations or suppliers in eastern Europe.

    ISSP said that, as with NotPetya, the new malware seemed to originate in accounting software and could be intended to take down networks when Ukraine celebrates its Independence Day on Aug. 24.

    Reply
  23. Tomi Engdahl says:

    DOJ gives up on getting all 1.3M IPs from anti-Trump website
    But it’s still seeking information from the website’s host.
    https://www.engadget.com/2017/08/23/doj-1-3-million-ip-anti-trump-website-dreamhost/

    The Department of Justice has given up on getting the IPs of 1.3 million visitors to disruptj20.org, a website that helped organize protests of the president’s inauguration. It originally asked the website’s host, Dreamhost, for all visitors’ personal info, including contact information, email and photos if available. The host refused to give in and pointed out the extreme scope of the request. Now, in its reply brief addressed to DC’s court, the agency responded that it had no idea that its warrant would be so broad, since it didn’t know how much data DreamHost has.

    US Attorney Channing Phillips wrote in the brief that they were only after a small group of individuals who coordinated and participated in “a premeditated riot.” He argued that the DOJ issued a lawful warrant, but reiterated that the additional facts Dreamhost presented “were unknown to the government at the time it applied for and obtained the Warrant…” Consequently, “the government could not exclude from the scope of the Warrant what it did not know existed.”

    As a result of Dreamhost’s opposition, the DOJ has narrowed down the types of information it’s requesting.

    EFF senior staff attorney Mark Rumold told Gizmodo that he expected the agency to narrow down the scope of its warrant from the start.

    Reply
  24. Tomi Engdahl says:

    U.S. Warship Collisions Raise Cyberattack Fears
    http://www.securityweek.com/us-warship-collisions-raise-cyberattack-fears

    A spate of incidents involving US warships in Asia, including a deadly collision this week off Singapore, has forced the navy to consider whether cyberattackers might be to blame.

    While some experts believe that being able to engineer such a collision would be unlikely, given the security systems of the US Navy and the logistics of having two ships converge, others say putting the recent incidents down to human error and coincidence is an equally unsatisfactory explanation.

    The USS John S. McCain collided with a tanker early Monday as the warship was on its way for a routine stop in the city-state, tearing a huge hole in the hull and leaving 10 sailors missing and five injured.

    The Navy announced Tuesday that remains of some of the sailors were found by divers in flooded compartments on the ship.

    The Chief of US Naval Operations Admiral John Richardson said on Monday he could not rule out some kind of outside interference or a cyberattack being behind the latest collision, but said he did not want to prejudge the inquiry.

    Just two months earlier in June, the USS Fitzgerald and a Philippine-flagged cargo ship smashed into each other off Japan, leaving seven sailors dead and leading to several officers being disciplined.

    There were also two more, lesser-known incidents this year — in January USS Antietam ran aground near its base in Japan and in May, USS Lake Champlain collided with a South Korean fishing vessel. Neither caused any injury.

    - High tensions -

    Analysts are divided on the issue, with some believing US Navy crews may simply be overstretched as they try to tackle myriad threats in the region, and pointing to the difficulties of sailing through waterways crowded with merchant shipping.

    But others believe something more sinister may be going on.

    Itar Glick, head of Israeli-based international cybersecurity firm Votiro, said the spate of incidents suggested that US Navy ships’ GPS systems could have been tampered with by hackers, causing them to miscalculate their positions.

    - ‘Spoofing’ -

    Glick pointed to a recent incident in June of apparent large-scale GPS interference in the Black Sea to illustrate that such disruptions are possible.

    The interference — known as “spoofing”, which disrupts GPS signals so ships’ instruments show inaccurate locations — caused some 20 vessels to have their signals disrupted, according to reports.

    Jeffery Stutzman, chief of intelligence operations for US-based cybersecurity firm Wapack Labs, told AFP he thought the possibility of a cyberattack being behind the latest incident was “entirely possible”.

    “I would be very doubtful that it was human error, four times in a row,” he said, referring to the four recent incidents.

    Still, other observers believe such a scenario to be unlikely.

    “The collision only occurs if several other safety mechanisms fail,” he said.

    Ship Data Recorders Vulnerable to Hacker Attacks
    http://www.securityweek.com/ship-data-recorders-vulnerable-hacker-attacks

    The voyage data recorders used on ships are plagued by many serious vulnerabilities that expose the devices to hacker attacks, researchers have warned.

    A voyage data recorder, or VDR, is the equivalent of a black box on an airplane. The data recording system collects information from various sensors — including position, speed, radar, and audio recordings from the bridge — to help investigators identify the cause of maritime incidents.

    Just like the black boxes on airplanes, VDRs are designed to withstand extreme shock, pressure and heat to ensure that the data stored on them is not destroyed in case of an incident.

    However, there have been instances in which the data on a VDR from a ship involved in an incident had been tampered with. In an incident that took place in India, in which a cargo ship hit a smaller fishing vessel, the files on the cargo ship’s VDR were overwritten after crew members inserted a pen drive into the device. The press also reported that the ship’s main computer system was infected with malware.

    Reply
  25. Tomi Engdahl says:

    The Role of America’s New Unified Cyber Warfare Command
    http://www.securityweek.com/role-americas-new-unified-cyber-warfare-command

    U.S. President Donald Trump on Aug. 18 announced the elevation of the U.S. Cyber Command (USCYBERCOM/CyberCom) to a Unified Combatant Command. This brings American offensive and defensive cyber operations out of the implicit overview of the NSA and puts it on an equal footing — with major implications for the U.S. national cyber security posture.

    A Unified Command is a structure that acknowledges an inter-relationship with another authority — in this case, primarily the U.S. National Security Agency (NSA). However, Trump’s statement adds, “The Secretary of Defense is examining the possibility of separating United States Cyber Command from the National Security Agency.” For the time being at least, both the NSA and Cyber Command will continue under the same leadership, currently Admiral Michael Rogers.

    Reply
  26. Tomi Engdahl says:

    DMARC Adoption Low in Fortune 500, FTSE 100 Companies
    http://www.securityweek.com/dmarc-adoption-low-fortune-500-ftse-100-companies

    Many Fortune 500, FTSE 100 and ASX 100 companies have failed to properly implement the DMARC standard, exposing their customers and partners to phishing and other email-based attacks, according to email security firm Agari.

    In a report titled “Global DMARC Adoption Report: Open Season for Phishers,” Agari, which in the past years has obtained tens of millions of dollars in funding, shared the results of its analysis into the adoption of DMARC.

    DMARC (Domain-based Message Authentication, Reporting and Conformance) is an email authentication, policy, and reporting protocol designed to detect and prevent email spoofing.

    Organizations using DMARC can specify what happens to unauthenticated messages: they can be monitored but still delivered to the recipient’s inbox (none), they can be moved to the spam or junk folder (quarantine), or their delivery can be blocked completely (reject).

    Agari’s analysis of public DNS records showed that only five percent of Fortune 500 companies have implemented a reject policy and three percent use the quarantine policy. Roughly two-thirds of these organizations have not published any type of DMARC policy.

    Reply
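    The none/quarantine/reject policy levels described above are published as a single `_dmarc` TXT record per domain, which is what Agari’s DNS analysis counted. The following Python is an added example, not code from the article or from Agari: it parses such records and classifies each domain as reject, quarantine, none, or missing (no valid policy published). The DNS answers are a constructed in-memory dictionary standing in for a real resolver; the domain names are placeholders under the reserved `.test` TLD.

```python
"""Classify DMARC enforcement levels from DNS TXT records (added example).

A defender can run this over a list of their own domains to find the
ones that publish no policy or only p=none, i.e. those where spoofed
mail is still delivered to recipients' inboxes.
"""
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample answers for "_dmarc.<domain>" TXT lookups.
# A real tool would replace this dict with an actual DNS resolver.
SAMPLE_DNS: Dict[str, List[str]] = {
    "_dmarc.reject.test": ["v=DMARC1; p=reject; rua=mailto:dmarc@reject.test"],
    "_dmarc.quarantine.test": ["v=DMARC1; p=quarantine; pct=50; sp=none"],
    "_dmarc.none.test": ["v=DMARC1; p=none; rua=mailto:agg@none.test"],
    "_dmarc.missing.test": [],                    # no record at all
    "_dmarc.broken.test": ["p=reject"],          # required v=DMARC1 tag absent
    "_dmarc.spfonly.test": ["v=spf1 -all"],      # SPF record, not DMARC
    "_dmarc.twice.test": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],
}

VALID_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(record: str) -> Optional[Dict[str, str]]:
    """Parse one TXT string into a tag dict, or None if it is not a DMARC record.

    RFC 7489 requires the record to begin with v=DMARC1 and to carry a p= tag.
    Tags are separated by ';' and written as key=value.
    """
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None
    return tags


def classify_domain(domain: str, resolver: Dict[str, List[str]] = SAMPLE_DNS) -> str:
    """Return 'reject', 'quarantine', 'none', or 'missing' for a domain.

    'missing' covers no record, a malformed record, an unknown p= value,
    and the RFC 7489 case of more than one DMARC record (receivers must
    then ignore DMARC entirely, so the domain is effectively unprotected).
    """
    answers = resolver.get(f"_dmarc.{domain}", [])
    records = [t for t in (parse_dmarc(a) for a in answers) if t is not None]
    if len(records) != 1:
        return "missing"
    policy = records[0]["p"].lower()
    return policy if policy in VALID_POLICIES else "missing"


def summarize(domains: List[str], resolver: Dict[str, List[str]] = SAMPLE_DNS) -> Dict[str, int]:
    """Count domains per enforcement level, the way an adoption report tabulates them."""
    counts = Counter(classify_domain(d, resolver) for d in domains)
    return {level: counts.get(level, 0) for level in ("reject", "quarantine", "none", "missing")}


if __name__ == "__main__":
    sample_domains = [name.split(".", 1)[1] for name in SAMPLE_DNS]
    for d in sample_domains:
        print(f"{d:20s} {classify_domain(d)}")
    print(summarize(sample_domains))
```

Note that a quarantine policy with `pct=50`, as in the sample, still lets half of the failing messages through; the classifier reports the published level, as the report does, but an internal audit should flag any `pct` below 100 as well.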
  27. Tomi Engdahl says:

    Marketing Security Solutions: Is There a Better Way?
    http://www.securityweek.com/marketing-security-solutions-there-better-way

    In my previous piece, I discussed the difficulty vendors sometimes have in understanding what security buyers are really looking for. As I mentioned in that piece, this confusion is further compounded by the large volume of vendors and distinct markets that exist within the information security profession. The irony that my previous piece came out during the week of one of the largest security conferences wasn’t lost on me. Why is this ironic? I’ll elaborate.

    The volume of people that attend these conferences is simply hard to grasp until you see it with your own eyes, and even then, it can be a bit overwhelming.

    You know what else is overwhelming? The number of vendors exhibiting at these two conferences. Just how many vendors exhibited at these two conferences in 2017? Let’s take a look at the numbers:

    Las Vegas: 290 exhibitors across two floors of exhibition

    San Francisco: 687 exhibitors across two exhibition halls

    Not all conferences are quite this large, of course. Some of them are downright intimate. And there are also the various different meetups, networking events, and peer-to-peer organizations that try to bring security professionals together, including vendors and customers.

    I do understand the value that some of these different events bring to the security community and don’t mean to be critical of them in any way. I understand that event organizers need to support themselves financially. I also understand the need, or perhaps the perceived need, to be at some of these different events in order to be included in much of what goes on in the industry. Further, I do understand the networking opportunities that some of these events represent for so many people. I don’t argue with these points in any way. Rather, I am making another point entirely.

    At large conferences, vendors may find themselves amongst hundreds of exhibitors and thousands of attendees. How is it possible to stand out from the crowd in a sea of noise, gimmicks, buzzwords, and hype in order to grab the attention of those who are interested in our product or service?

    Although large conferences have many advantages, producing highly qualified leads as a return on the marketing budget invested is not among them.

    Alright you say, so what if I focus some of my marketing budget on smaller, more intimate events such as those put on by peer-to-peer organizations? Well, it is certainly considerably easier to stand out from the crowd in those types of environments. So what’s the downside? For starters, it can be extremely difficult for these smaller events to bring the right, most relevant crowd to their sponsors. Some are better than others.

    The company I worked for paid a fair bit of money to be one of three vendors in attendance at these events. In exchange for this sum, the event organizer promised 10-20 CISOs and explained that non-CISOs would not be permitted to participate in the breakfast events. With promises like those, who would say no?

    As you might have expected, the reality on the ground was quite different. There were very few, if any, CISOs in attendance at the overwhelming majority of the events. In fact, the attendees were mostly a mix of people looking for a free breakfast, people who were brought in by the event organizers to bring up the number of attendees to between 10-20, and occasionally someone who was legitimately interested in hearing what the sponsors had to say.

    Of course, mileage varies significantly with these smaller, more intimate events. Sometimes they can be quite good. But more often than not, sponsoring vendors walk away disappointed.

    Given the current state of affairs, perhaps the time has come for security vendors to rethink how they invest their marketing budgets? Security marketing seems to be stuck in a bit of a “spray and pray” rut.

    Reply
  28. Tomi Engdahl says:

    Testing With the Cloud: Keep Your Data Secure
    http://www.eetimes.com/author.asp?section_id=36&doc_id=1332085&

    By taking the right steps, you can calm security fears and move test data to the cloud.

    Today’s designs are so complex that testing is often the bottleneck in time-to-market schedules. The complexities of testing require collaboration, yet the collaboration is hampered because teams are no longer co-located. Mergers and acquisitions in the electronics industry over the past several years have created these distributed teams. Given the significant impact of a late product launch on business profits, anything that impacts a product’s time-to-market needs to be mitigated.

    Cloud-based IT services crossed a tipping point, mostly because of:

    The rise of the mobile worker. An estimated 75% of the U.S. workforce will be mobile by 2020, meaning that they spend at least part of the work week away from their desks.
    A Forbes article showed that the cloud offers wide-ranging benefits, such as improved innovation (48%), new product and service development (45%), and boosted sales efforts (38%), not to mention an average increase of 22% in profits.

    Capabilities that support distributed teams during verification test, product characterization, and production test need to evolve. Testing in the cloud is one option to get there.

    Common security fears:
    Our data is mission-critical, so we store it on encrypted servers right here in our facility. How can a cloud server be more secure than this?

    It turns out that the “insider threat” is a much bigger risk than most businesses recognize. Citing a 2017 Insider Threat Report, it can cost over $100,000, even $1M, to remediate breaches in IT security. Yet less than half of the incidents were caused by a disgruntled insider. An unknowing, well-meaning employee can cause just as much harm. In short, the risks of data theft are no greater in the cloud than they are on-site.

    My customer won’t allow us to move into the cloud because they think that it’s not safe.

    We hear this quite often, particularly from vendors that work for the government. Organizations such as the Department of Defense don’t explicitly say that you can’t go in the cloud. But they require that data used for government purposes be protected following their standards. The U.S. Department of Defense (DoD) has created a certification and accreditation process called FedRAMP, whereby the DoD works proactively with industry to set security standards rather than simply declare a “no-cloud” policy.

    What to look for
    The most efficient way to test a vendor’s security robustness is to check for participation with the most recognized standards:

    ISO 27001: The ISO 27001 certification shows that the cloud provider has a security program in place to monitor, manage, and mitigate risks associated with information security.
    Cloud Security Alliance Security, Trust & Assurance Registry (CSA STAR). STAR certification layers over ISO 27001 (having a certified ISO 27001 system is a prerequisite for obtaining STAR certification). The STAR certification shows a growing maturity of the cloud provider’s security system across multiple security domains.
    FedRAMP. Federal Risk and Authorization Management Program (FedRAMP). For organizations that work for the Federal Government, it is important to confirm that their cloud provider has a FedRAMP authority to operate (ATO). The FedRAMP ATO requires everything in ISO 27001, but with an amplified focus on security controls.

    In addition to security, you must also consider data availability. Key considerations are uptime promises, data redundancy, and ease of offloading data. A high percentage of cloud vendors deliver their services on cloud-hosting platforms such as Amazon Web Service (AWS) or Microsoft Azure. AWS, Azure, and others offer systems for redundancy, security, and availability. Don’t be surprised if a small business promises you world-class performance. It’s very likely that they’re offering you the benefits of a small, innovative service provider with the backing of the world’s best cloud hosts.

    Keep your data safe
    Some 46% of the security breaches that occurred in the cloud were because internal policies and procedures weren’t followed. Even if a cloud testing provider has an impenetrable fortress, your employee policies and procedures need to be in place, too.

    The key to success here is balance: balancing the need to secure critical assets while ensuring that employees are able to do their jobs without frustration. Here are some tips:

    Put all of your data eggs into one, maybe two, iron-clad baskets in the cloud. Make it clear to employees that there is only one “approved” location to store data. In the absence of an easy-to-use official solution, employees tend to revert to ad hoc methods that are best for them but often poor for the business.
    Push security accountability down to the lowest levels possible. Businesses that have a handful of “security compliance officers” often fare poorly in actual security practice because employees tend to view them as someone to be avoided. Businesses that tie security compliance to performance reviews, or even group bonuses, are often able to turn lemons into lemonade.
    Integrate security into strategy. IP is so critical these days that businesses need to treat security as an executive role that encompasses all departments. Businesses that weave security into all aspects of the strategy process are turning security from a defensive reactive function into a proactive growth function.

    Reply
  29. Tomi Engdahl says:

    Can North Korean nukes hit US mainland? Maybe. But EMP blast threat is ‘highly credible’
    El Reg talks to experts on Kim’s capabilities
    http://www.theregister.co.uk/2017/08/22/nork_nukes_could_emp_us/

    When they said a week is a lifetime in politics, they weren’t kidding.

    One moment, President Donald Trump talks of “fire and fury,” the likes the world has never seen, in response to an increasingly aggressive North Korea, which is trying to menace the US with nuclear weapons.

    This week, the US and South Korea are carrying out military drills that North Korea claims could lead to “uncontrollable phase of a nuclear war.” The Kim Jong-Un-led hermit nation is also hell bent on building an arsenal of nukes despite international resistance, and even its ally China is urging it to calm down.

    So, what can the Norks actually achieve: do they have working nukes, and can they reach the US? Realistically, the chances of either North Korea or the US slinging missiles at each other are slim.

    China says it will retaliate if America launches a preemptive strike against North Korea, filling the skies with warheads aimed at US cities. So it’s, as we say around here, suboptimal even for Trump to wipe North Korea off the map.

    And whatever happens, if North Korea is going down, it’s taking South Korea with it. And no one wants the blood of Seoul on their hands.

    However, experts are still skeptical that North Korea has the ability to successfully lob a nuke all the way to the American mainland.

    So far, the answer to the question, can North Korea reach California with a rocket, is: probably possibly. Can it actually survive reentry and nuke the Golden State? maybe.

    But there is another option for the North Koreans, and one that could potentially do far more damage than a single nuclear strike. Before reentry temperatures kick in, the bomb could be detonated in the upper atmosphere – and the electromagnetic pulse (EMP) generated would do more damage than a single missile could ever manage. Emitting an EMP blast over the US West Coast, with Silicon Valley within its grasp, or further inland, would be extremely bad news for our future on this planet.

    In other words, Kim Jong-Un doesn’t have to strike America, setting off a cliched mushroom cloud: using EMP high in the skies to wreck our electronics and communications could be, potentially, enough to upturn society and put us on the path to global thermonuclear war.

    EMP, silent but deadly

    Testimony to the US Congressional EMP Commission stated that in the event of a massive EMP attack on the US using multiple high-yield warheads, around 90 per cent of the American population would be dead after 18 months due to famine, disease, and societal breakdown.

    Small bomb, big noise

    “EMP is the most asymmetric threat there is in terms of a single weapon taking out large categories of infrastructure,” Dr George Baker, former leader of the Defense Nuclear Agency’s EMP program, told The Register. “It’s a lot easier to achieve, since you don’t need reentry capabilities.”

    Baker said that a low-yield device such as that thought to be owned by North Korea, detonated at optimum height, would generate EMP over an area with a diameter of around 1,000 miles.

    The consequences for power grids, computing centers and telecommunications systems could be catastrophic.

    “A North Korean EMP attack is extremely credible,”

    “No reentry is required and a low-yield weapon could produce a significant impact on the electrical grid. The grid is designed to be resilient to single failures but not multiple simultaneous failures.”

    Most vulnerable would be the handful of massive transformers needed to keep power regulated through the grid. These enormously costly and complex pieces of equipment currently take around 22 months to build and deliver, so the power companies don’t keep many in reserve.

    The telecommunications cables that make up the communications backbone of the US, and the world, would also be extremely vulnerable. Signal amplifiers, switching stations and routers could all be burned out by a strong EMP pulse, and that would have a massive knock-on effect on the computing infrastructure of the nation.

    Some more alarmist scenarios depict an EMP pulse destroying all electronics completely, with modern cars, all electronics with chips, and anything with a current getting taken out. That’s unlikely, but we don’t really know because so little testing has been done on the matter.

    Protect and survive

    As the American military prepared to use EMP it also developed shielding against it. Ever since the 1960s military communications systems, control centers and missile bases have all had their systems hardened against attack. Even Air Force One has a measure of EMP shielding.

    But the civilian sector has very little in the way of protection.
    Most of our infrastructure is totally unprotected.

    “There is no single point of responsibility to develop and implement a national protection plan. Nobody is in charge,”

    “You can’t just build a Faraday cage around the data center and call it safe,”

    Putting these kinds of protection into an existing data center is almost prohibitively expensive, but applying them to a new-build unit only increases the cost by around eight per cent, he explained.

    “Most big data center infrastructure firms like Google and Amazon aren’t that interested,” Pressman said. “They think, ‘If we lose one or two facilities then so be it, we have 40 globally.’”

    He told The Register that the kind of 10 or 20-kiloton device that the North Koreans are supposed to have might cause damage, but it wouldn’t be the massive population killer that some have suggested.

    Reply
  30. Tomi Engdahl says:

    Mozilla Testing New Default Opt-Out Setting for Firefox Telemetry Collection
    https://www.bleepingcomputer.com/news/software/mozilla-testing-new-default-opt-out-setting-for-firefox-telemetry-collection/

    Mozilla engineers are discussing plans to change the way Firefox collects usage data (telemetry), and the organization is currently preparing to test an opt-out clause so they could collect more data relevant to the browser’s usage.

    Reply
  31. Tomi Engdahl says:

    Fuzz Testing Maturity Model
    Mapping metrics and procedures to maturity levels.
    https://semiengineering.com/fuzz-testing-maturity-model/

    Fuzz testing is a highly effective technique for locating vulnerabilities in software. Malformed and unexpected inputs are delivered to the target software, and when failures occur, vulnerabilities have been located. Fuzzing is a widely recognized technique for improving the security, robustness, and safety of software. However, fuzzing is an open-ended pursuit—an infinite space problem. So, how do you know when you’ve fuzzed enough?

    https://www.synopsys.com/software-integrity/resources/white-papers/fuzz-testing-maturity-model.html

    Reply
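    The comment above asks how you know when you have fuzzed enough. As an added example (not code from the comment, the Synopsys paper, or any real fuzzer), here is a minimal mutation-based fuzzer run against a constructed, deliberately buggy record parser. It keeps the two numbers that question usually turns on: unique crashes found and executions since the last new crash. The parser, the seed corpus and the mutation operators are all hypothetical.

    ```python
    """
    Added example, not part of the comment above or of the Synopsys white paper:
    a minimal mutation-based fuzzer against a constructed, deliberately buggy
    record parser, reporting unique crashes and executions since the last new
    crash. Nothing here is from a real fuzzer or a real product.
    """
    import random
    import struct


    def parse_records(buf: bytes):
        """Constructed target: records of [u8 type][u16 big-endian length][payload].
        Two planted bugs: the header read is not bounds-checked, and a type-2
        record trusts an inner length byte that may not exist."""
        out, i = [], 0
        while i < len(buf):
            rtype = buf[i]
            length = struct.unpack_from(">H", buf, i + 1)[0]   # struct.error if truncated
            payload = buf[i + 3:i + 3 + length]
            if rtype == 2:
                inner = payload[0]                             # IndexError if empty
                out.append(payload[1:1 + inner])
            else:
                out.append(payload)
            i += 3 + length
        return out


    # Constructed seed corpus: one well-formed record of each type.
    SEEDS = [b"\x01\x00\x02ab", b"\x02\x00\x03\x02xy"]
    INTERESTING = [b"\x00\x00", b"\xff\xff", b"\x02\x00", b"\x00\x01"]


    def mutate(data: bytes, rng: random.Random) -> bytes:
        """One random mutation: bit flip, byte delete, byte insert, or overwrite
        with a boundary value."""
        buf = bytearray(data)
        op = rng.randrange(4)
        if op == 0 and buf:
            pos = rng.randrange(len(buf))
            buf[pos] ^= 1 << rng.randrange(8)
        elif op == 1 and buf:
            del buf[rng.randrange(len(buf))]
        elif op == 2:
            buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
        else:
            pos = rng.randrange(len(buf) + 1)
            buf[pos:pos + 2] = rng.choice(INTERESTING)
        return bytes(buf)


    def crash_signature(exc: BaseException):
        """Deduplicate by exception type plus the innermost Python frame that
        raised it, a crude stand-in for a stack hash."""
        tb = exc.__traceback__
        while tb.tb_next is not None:
            tb = tb.tb_next
        return (type(exc).__name__, tb.tb_frame.f_code.co_name, tb.tb_lineno)


    def fuzz(target, seeds, iterations, seed=0):
        """Run `iterations` mutated inputs through `target` and report progress."""
        rng = random.Random(seed)
        crashes, last_new = {}, 0
        for n in range(1, iterations + 1):
            case = mutate(rng.choice(seeds), rng)
            try:
                target(case)
            except Exception as exc:
                sig = crash_signature(exc)
                if sig not in crashes:
                    crashes[sig] = case   # keep the first input for each new crash
                    last_new = n
        return {
            "executions": iterations,
            "unique_crashes": crashes,
            "execs_since_last_new": iterations - last_new,
        }


    if __name__ == "__main__":
        report = fuzz(parse_records, SEEDS, 5000)
        for sig, case in report["unique_crashes"].items():
            print(sig, case)
        print("executions since last new crash:", report["execs_since_last_new"])
    ```

    A long run with no new signature is the usual "enough for now" signal; in a real campaign the signature would be a stack hash and the corpus would grow with inputs that reach new coverage, which this toy deliberately omits.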
  32. Tomi Engdahl says:

    Automated Logic Patches Flaws in Building Automation System
    http://www.securityweek.com/automated-logic-patches-flaws-building-automation-system

    Kennesaw, Georgia-based building automation systems provider Automated Logic has released updates for its WebCTRL product to address several vulnerabilities, including one rated high severity.

    WebCTRL is a building automation system used worldwide in commercial office buildings, mission-critical facilities, educational institutions, healthcare organizations, hotels, and government facilities.

    Gjoko Krstic of Macedonia-based Zero Science Lab discovered arbitrary file write, privilege escalation and remote code execution vulnerabilities in some 6.x and 5.x versions of WebCTRL, i-VU and SiteScan products.

    The security hole exists due to WebCTRL’s failure to verify add-on files (.addons and .war) uploaded via the uploadwarfile servlet. An attacker with access to the system, including as an anonymous user, can upload malicious add-on files, which are automatically executed.

    While Automated Logic does have a vulnerability disclosure program and encourages users to report flaws found in its products, Zero Science Lab claimed that the vendor did not respond after being contacted directly in late March. Researchers informed ICS-CERT about the security holes and the agency contacted Automated Logic, which only got in touch with the researchers in early August.

    Reply
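    The flaw class in the comment above, an upload endpoint that accepts add-on archives from an anonymous user and executes them, is easy to model. The following is an added example and not Automated Logic's code or a reproduction of the WebCTRL bug: a weak upload handler beside a hardened one. The servlet, session shape, directory and signing key are hypothetical and the archive bytes are constructed.

    ```python
    """
    Added example, not Automated Logic's code and not a reproduction of the
    WebCTRL flaw: the vulnerability class the comment describes (unauthenticated
    upload of an executable add-on archive that is deployed on arrival) beside
    a hardened version of the same endpoint. All names are hypothetical and
    nothing is written to disk.
    """
    import hashlib
    import hmac
    import posixpath

    ADDON_DIR = "/opt/bas/addons"              # hypothetical deploy directory
    ALLOWED_EXTENSIONS = {".addons", ".war"}   # the extensions the comment names
    VENDOR_KEY = b"constructed-signing-key"    # hypothetical; a real system would verify a vendor public-key signature


    class UploadRejected(Exception):
        pass


    def sign_addon(data: bytes) -> str:
        """Hypothetical vendor signature over the archive bytes."""
        return hmac.new(VENDOR_KEY, data, hashlib.sha256).hexdigest()


    def vulnerable_upload(session, filename, data, store):
        """The weak pattern: no authentication, no filename or content checks,
        and the archive is deployed (i.e. executed) as soon as it lands."""
        path = posixpath.join(ADDON_DIR, filename)
        store[path] = data          # auto-deploy: attacker code now runs as the service
        return path


    def hardened_upload(session, filename, data, signature, store):
        """The fixed pattern: admin session required, plain basename only,
        allow-listed extension, signature verified, and the file is staged for
        an administrator to enable rather than executed on upload."""
        if session is None or session.get("role") != "admin":
            raise UploadRejected("authentication required")
        base = posixpath.basename(filename)
        if base != filename or base in ("", ".", ".."):
            raise UploadRejected("invalid filename")
        if posixpath.splitext(base)[1].lower() not in ALLOWED_EXTENSIONS:
            raise UploadRejected("extension not allowed")
        if not hmac.compare_digest(sign_addon(data), signature):
            raise UploadRejected("signature check failed")
        path = posixpath.join(ADDON_DIR, "staging", base)
        store[path] = data          # staged only; nothing executes yet
        return path


    def demo():
        """Anonymous traversal upload against both endpoints, then a valid one."""
        results, store = {}, {}
        evil = b"PK\x03\x04 constructed fake archive"
        results["vulnerable"] = vulnerable_upload(None, "../../webapps/shell.war", evil, store)
        try:
            hardened_upload(None, "../../webapps/shell.war", evil, "", store)
        except UploadRejected as e:
            results["hardened_anon"] = str(e)
        admin = {"user": "ops", "role": "admin"}
        try:
            hardened_upload(admin, "../../webapps/shell.war", evil, sign_addon(evil), store)
        except UploadRejected as e:
            results["hardened_traversal"] = str(e)
        good = b"PK\x03\x04 constructed signed addon"
        results["hardened_ok"] = hardened_upload(admin, "report.addons", good, sign_addon(good), store)
        return results


    if __name__ == "__main__":
        for k, v in demo().items():
            print(k, "->", v)
    ```

    The order of the checks matters: authentication first, so an unauthenticated caller learns nothing about which filenames or signatures would have passed.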
  33. Tomi Engdahl says:

    Russia-Linked Hackers Leak Football Doping Files
    http://www.securityweek.com/russia-linked-hackers-leak-football-doping-files

    A group of hackers believed to be operating out of Russia has leaked emails and medical records related to football (soccer) players who used illegal substances.

    The group calls itself Fancy Bears and claims to be associated with the Anonymous hacktivist movement. They have set up a website, fancybears.net, where they leaked numerous files as part of a campaign dubbed “OpOlympics.”

    “Today Fancy Bears’ hack team is publishing the material leaked from various sources related to football,” the hackers said. “Football players and officials unanimously affirm that this kind of sport is free of doping. Our team perceived these numerous claims as a challenge and now we will prove they are lying.”

    Reply
  34. Tomi Engdahl says:

    Tom Schoenberg / Bloomberg:
    US judge rules DreamHost must hand over user data from anti-Trump website to DoJ, but imposes limits and will vet which information DoJ uses

    Government Prevails in Bid for Anti-Trump Website’s Subscriber Data
    https://www.bloomberg.com/news/articles/2017-08-24/u-s-prevails-in-bid-for-anti-trump-website-s-subscriber-data

    Information to be used for rioting cases, prosecutors say
    About 200 charged for violent protests during inauguration

    A judge in District of Columbia Superior Court on Thursday ordered DreamHost LLC, the host of the website disruptj20.org, to comply with a government warrant seeking information about the site’s subscribers. The government says the site was used to recruit and organize hundreds of people who rioted in the city on Jan. 20, the day President Donald Trump was sworn in, causing hundreds of thousands of dollars in damage over nearly two dozen city blocks.

    Chief Judge Robert Morin ruled that DreamHost was obligated to turn over subscriber data, but that prosecutors would have to tell the judge which data it intended to seize.

    “I’m trying to balance the First Amendment protections and the government’s need for this information,” Morin said. “My view here is that this best protects both legitimate interests.”

    Morin denied DreamHost’s request to put his ruling on hold until they could appeal his decision.

    The ruling on Thursday came after DreamHost refused to comply with the July 12 warrant, claiming the government’s request was overly broad and might expose the identities of 1.3 million people who had visited the site.

    On Tuesday, prosecutors amended their request, saying in part that while the government wants information on subscribers, it’s not interested in data logs containing information about visitors. Prosecutors also say they will set aside any information that doesn’t involve rioters and have it sealed.

    “We are sensitive to the idea that the website has a dual purpose,” Assistant U.S. Attorney John Borchert told Morin during Thursday’s hearing.

    The U.S. attorney’s office in Washington told Morin that the website, disruptj20.org, was used to recruit and organize hundreds of people who rioted on Inauguration Day.

    Reply
  35. Tomi Engdahl says:

    Fake Messages Rigged With Malware Are Spreading Via Facebook Messenger
    https://it.slashdot.org/story/17/08/24/223243/fake-messages-rigged-with-malware-are-spreading-via-facebook-messenger?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29

    According to recent warnings issued by Avira, CSIS Security Group, and Kaspersky Lab, a virulent spam campaign has hit Facebook Messenger during the past few days. “The Facebook spam messages contain a link to what appears to be a video,” reports Bleeping Computer. “The messages arrive from one of the user’s friends, suggesting that person’s account was also compromised.”

    Facebook Messenger Spam Leads to Adware, Malicious Chrome Extensions
    https://www.bleepingcomputer.com/news/security/facebook-messenger-spam-leads-to-adware-malicious-chrome-extensions/

    Reply
  36. Tomi Engdahl says:

    India’s Aadhaar national biometric ID scheme at risk after Supreme Court rules privacy is a right
    Facebook and Google also have reason to be worried
    https://www.theregister.co.uk/2017/08/25/india_right_to_privacy_aadhaar_facebook_google/

    India’s Supreme Court has ruled that the nation’s constitution gives its citizens a right to privacy, a decision that clouds the future of the country’s Aadhaar biometric identification scheme.

    Aadhaar will see every Indian citizen identified by a 12-digit number after a process that sees their faces photographed, along with a record taken of their irises and fingerprints. The scheme also requires that ID number to be provided to third parties like financial institutions. India’s already made use of Aadhaar compulsory for e-government services, part of the country’s modernisation drive.

    Privacy advocates worry that Aadhaar’s ubiquity will mean India’s government will know an awful lot about its citizens.

    Another issue the decision raises is whether data-slurping tech businesses will have to change their ways, as some of the judges call for India to create a comprehensive data protection regime covering government and private use of data.

    Reply
  37. Tomi Engdahl says:

    DreamHost smashed in DDoS attack: Who’s to blame? Take a guess…
    Is it the alt-right or anti-fascists? Most likely the latter
    https://www.theregister.co.uk/2017/08/24/dreamhost_massive_ddos/

    Web hosting biz DreamHost has been largely crippled today by a distributed denial of service attack, bringing down most of its services.

    The assault began at around 0920 PDT (1620 UTC) and quickly overwhelmed the company’s systems, particularly its DNS servers.

    DreamHost hit the headlines earlier this month when the US Department of Justice demanded 1.3 million IP addresses of people who visited disruptj20.org, a website organizing protests during President Trump’s inauguration that was hosted by the biz. The warrant also demanded the contact information, submitted comments, email content, and photos of thousands of people who used the site.

    So maybe DreamHost is under attack from the alt-right and their supporters, both in the US and overseas? Probably not. Instead the attack looks to have originated on the opposite side of the political spectrum and stems from another DreamHost customer.

    On Thursday, DreamHost began hosting a new website called Punished Stormer. This is a reboot of the neo-Nazi-slash-white-supremacist Daily Stormer website.

    This makes it likely that the attack is coming from those trying to take the foul neo-Nazi site down, but they are out of luck because DreamHost no longer hosts the Punished Stormer site. Instead it’s now hosted by Canadian outfit BuyVM with some DDoS protection.

    Reply
  38. Tomi Engdahl says:

    All the Ways US Government Cybersecurity Falls Flat
    https://www.wired.com/story/us-government-cybersecurity

    Data breaches and hacks of US government networks, once novel and shocking, have become a problematic fact of life over the past few years. So it makes sense that a cybersecurity analysis released today placed the government at 16 out of 18 in a ranking of industries, ahead of only telecommunications and education. Health care, transportation, financial services, retail, and pretty much everything else ranked above it. The report goes beyond the truism of government cybersecurity shortcomings, though, to outline its weakest areas, potentially offering a roadmap to change.

    The analysis of 552 local, state, and federal organizations conducted by risk management firm SecurityScorecard found that the government particularly lags on replacing outdated software, patching current software, individual endpoint defense (particularly when it comes to exposed Internet of Things devices), and IP address reputation—meaning that many IP addresses designated for government use or associated with the government through a third party are blacklisted, or show suspicious activity indicating that they may be compromised. A wide range of issues plague government agencies—but they’re largely fixable.

    “There’s a lot of low-hanging fruit when it comes to the government sector overall,”

    The report found that government agencies tend to struggle with basic security hygiene issues, like password reuse on administrative accounts, and management of devices exposed to the public internet, from laptops and smartphones to IoT units. “There were more IoT connections available from government networks than I would have expected,” Heid says. “Even things like emergency management systems platforms from the mid 2000s were available to the public.”

    When systems are unwittingly exposed online, hackers can find credentials to gain access, or use software vulnerabilities to break in. Sometimes this process takes attackers very little effort, because if an organization doesn’t realize that something is exposed online, it may not have made the effort to secure it.

    For government groups, the report found that digital security weaknesses and pain points track fairly consistently regardless of the size of an organization.

    Reply
  39. Tomi Engdahl says:

    WAP Billing Trojans Threaten Android Users
    http://www.securityweek.com/wap-billing-trojans-threaten-android-users

    Several of the pieces of malware targeting Android devices in the second quarter of 2017 abused WAP billing to help cybercriminals make money, Kaspersky reported on Thursday.

    Wireless Application Protocol (WAP) billing provides a mechanism for users to acquire content online and have it charged directly to their mobile phone bill so that they don’t have to provide any payment card information. The method is similar to premium SMS services, but it does not involve sending SMS messages and instead users have to click on a button displayed on a website to approve charges.

    Android malware abusing WAP billing was spotted in the past years, including on Google Play, and it now appears to be making a comeback.

    Several of the top 20 most common trojans detected by Kaspersky products in the second quarter abused WAP billing. While a majority of the infections were in Russia and India, victims were also seen in many other countries.

    Reply
  40. Tomi Engdahl says:

    Report Suggests ‘Fleeting Window’ to Prevent Major Cyber Attack on Critical Infrastructure
    http://www.securityweek.com/reports-suggests-fleeting-window-prevent-major-cyber-attack-critical-infrastructure

    The National Infrastructure Advisory Council (NIAC) published a draft report this week titled Securing Cyber Assets: Addressing Urgent Cyber Threats to Critical Infrastructure (PDF). The report warns there is a narrow and fleeting window to prepare for and prevent “a 9/11-level cyber-attack” against the U.S. critical infrastructure.

    The purpose of NIAC is to advise the President on the cybersecurity of critical services, such as banking, finance, energy and transportation.

    The new report makes 11 recommendations to improve the security of the critical infrastructure. Overall, it presents a damning indictment on U.S. readiness. “We believe the U.S. government and private sector collectively have the tremendous cyber capabilities and resources needed to defend critical private systems from aggressive cyber-attacks — provided they are properly organized, harnessed, and focused. Today, we’re falling short.”

    But there remains a potentially fatal flaw: NIAC’s recommendations are all voluntary, albeit with incentives. “The problem with voluntary measures and incentives for critical infrastructure owners,” he said, “is that the national consequences of a cyber attack on certain key pieces of critical infrastructure far outweigh the local impacts for that owner/operator. This mismatch between local risk and national risk for cyber-attacks on critical infrastructure is the type of market inefficiency that is typically best filled by regulation.”

    The lack of innovative ideas also concerns Chris Roberts, chief security architect at Acalvio. “Frankly, eleven key recommendations are about five too many,” he said. “Let’s face it, we’ve all been screaming about critical infrastructure for years, keeping the message very simple — and this 45-page report comes out, says the same thing and then, heaven forbid, puts the remit for action into the governments hands.”

    He has more specific concerns. Recommendation #3 states, “Identify best-in-class SCANNING TOOLS AND ASSESSMENT PRACTICES, and work with owners and operators of the most critical networks to scan and sanitize their systems on a voluntary basis;” and then calls for action from the National Security Council, the Department of Homeland Security, and Congress.

    Roberts’ opinion is scathing. “Seriously, we are going to let Congress work out what scanning tools we should use? What idiot came up with that one?”

    Perhaps the biggest disappointment is over critical infrastructure threat intelligence sharing. Recommendation #2 calls for a private-sector-led pilot “to test public-private and company-to-company information sharing of cyber threats at network speed.” This would be augmented by Recommendation #7: “Establish clear protocols to RAPIDLY DECLASSIFY CYBER THREAT INFORMATION and proactively share it with owners and operators of critical infrastructure.”

    In short, private industry needs to share threat information among itself better than it does, while government needs to share its intelligence with private industry.

    Reply
  41. Tomi Engdahl says:

    Why It’s Still A Bad Idea to Post or Trash Your Airline Boarding Pass
    https://krebsonsecurity.com/2017/08/why-its-still-a-bad-idea-to-post-or-trash-your-airline-boarding-pass/

    An October 2015 piece published here about the potential dangers of tossing out or posting online your airline boarding pass remains one of the most-read stories on this site. One reason may be that the advice remains timely and relevant: A talk recently given at a Czech security conference advances that research and offers several reminders of how being careless with your boarding pass could jeopardize your privacy or even cause trip disruptions down the road.

    In What’s In a Boarding Pass Barcode? A Lot, KrebsOnSecurity told the story of a reader whose friend posted a picture of a boarding pass on Facebook. The reader was able to use the airline’s Web site combined with data printed on the boarding pass to discover additional information about his friend. That data included details of future travel, the ability to alter or cancel upcoming flights, and a key component need to access the traveler’s frequent flyer account.

    Working from a British Airways boarding pass that a friend posted to Instagram, Špaček found he could log in to the airline’s passenger reservations page using the six-digit booking code (a.k.a. PNR or passenger name record) and the last name of the passenger (both are displayed on the front of the BA boarding pass).

    Once inside his friend’s account, Špaček saw he could cancel future flights, and view or edit his friend’s passport number, citizenship, expiration date and date of birth. In my 2015 story, I showed how this exact technique permitted access to the same information on Lufthansa customers (this still appears to be the case).

    Špaček also reminds readers about the dangers of posting boarding pass barcodes or QR codes online, noting there are several barcode scanning apps and Web sites that can extract text data stored in bar codes and QR codes.

    It’s crazy how many people post pictures of their boarding pass on various social networking sites, often before and/or during their existing trip. A search on Instagram for the term “boarding pass”, for example, returned more than 91,000 such images. Not all of those images include the full barcode or boarding record locator, but plenty enough do and that’s just one social network.

    My advice: Avoid the temptation to brag online about that upcoming trip or vacation. Thieves looking to rob someone in your area will be delighted to see this kind of information posted online.

    Reply
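    The comment above notes that scanner apps can pull the text out of a boarding pass barcode. As an added example (not from the Krebs article or Špaček's talk), here is a parser for the 60-character mandatory block of an IATA Bar Coded Boarding Pass (BCBP) string, which is what a PDF417 or QR scanner returns. It shows that the booking reference (PNR) and surname the passage talks about are inside the barcode itself, so cropping the printed PNR out of a photo while leaving the barcode visible changes nothing. The sample pass is constructed.

    ```python
    """
    Added example, not from the Krebs article or Špaček's talk: parse the
    mandatory fields of an IATA BCBP (format code "M") boarding pass string.
    The sample pass is constructed; no real passenger or booking is used.
    """
    import datetime

    # (field name, width) of the 60-character mandatory block for the first leg.
    BCBP_FIELDS = [
        ("format_code", 1), ("legs", 1), ("name", 20), ("eticket", 1),
        ("pnr", 7), ("from", 3), ("to", 3), ("carrier", 3), ("flight", 5),
        ("julian_date", 3), ("compartment", 1), ("seat", 4), ("sequence", 5),
        ("status", 1), ("variable_size", 2),
    ]


    def parse_bcbp(data: str, year=None):
        """Split an M-type BCBP string into its mandatory fields."""
        if not data.startswith("M") or len(data) < 60:
            raise ValueError("not an M-type BCBP string")
        fields, pos = {}, 0
        for name, width in BCBP_FIELDS:
            fields[name] = data[pos:pos + width].strip()
            pos += width
        # Name is encoded as SURNAME/GIVENNAME.
        last, _, first = fields["name"].partition("/")
        fields["last_name"], fields["first_name"] = last, first
        # Only the day of year is encoded; the year must be supplied.
        year = year or datetime.date.today().year
        doy = int(fields["julian_date"])
        fields["date"] = datetime.date(year, 1, 1) + datetime.timedelta(days=doy - 1)
        return fields


    def make_sample() -> str:
        """Constructed boarding pass: fictitious passenger, booking and flight."""
        return ("M1" + "DOE/JANE".ljust(20) + "E" + "ABC123".ljust(7)
                + "LHR" + "JFK" + "BA".ljust(3) + "0117".ljust(5)
                + "032" + "Y" + "012A" + "0001".ljust(5) + "1" + "00")


    def what_is_exposed(fields):
        """The two values the comment says unlock the airline's booking page."""
        return {"pnr": fields["pnr"], "last_name": fields["last_name"]}


    if __name__ == "__main__":
        f = parse_bcbp(make_sample(), year=2017)
        print(f["carrier"], f["flight"], f["from"], "->", f["to"], f["date"])
        print(what_is_exposed(f))
    ```

    A real pass also carries a variable-size block after these 60 characters (frequent-flyer number, bag tags and so on), which is why the 2015 article warns about the loyalty account as well as the booking.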
  42. Tomi Engdahl says:

    GTFO of there! Security researchers turn against HTTP public key pinning
    Sure, theoretically it offers a lot of protection, but get it wrong…
    https://www.theregister.co.uk/2017/08/25/hpkp_crypto_criticism/

    Security researchers have endorsed industry guru Scott Helme’s vote of no confidence in a next-generation web crypto technology.

    Helme said he was “giving up on HPKP” after experimenting with the tech and ultimately finding it too cumbersome for mainstream use even among security-conscious organisations.

    HTTP Public Key Pinning (HPKP) is a very powerful standard that allows a host to instruct a browser to only accept certain public keys when communicating with it for a given period of time. While HPKP can offer a lot of protection, it can also cause a lot of harm too, according to Helme.

    “The problem with HPKP is that it can be quite a complex idea to get your head around and requires a perfect deployment otherwise things can go wrong,” Helme argues in a blog post.

    Potential problems arising from use of the technology include a so-called RansomPKP attack. In this breach scenario an attacker would gain control of a targeted site via a server compromise or a domain hijack before enabling HPKP headers for malicious ends.

    I’m giving up on HPKP
    https://scotthelme.co.uk/im-giving-up-on-hpkp/

    HTTP Public Key Pinning is a very powerful standard that allows a host to instruct a browser to only accept certain public keys when communicating with it for a given period of time. Whilst HPKP can offer a lot of protection, it can also cause a lot of harm too.

    HPKP Suicide

    Sadly there is a term for this and all it involves is a site making a potentially simple error. You enable HPKP, tell the browser which keys you will always use and then you lose those keys. They could be accidentally deleted, stolen in a hack or whatever, it doesn’t matter. If you pin yourself to a set of keys and then no longer have the ability to use them, you’re in big trouble!

    I’m not alone in my view that HPKP can be dangerous and difficult, Ivan Ristic published an article on the Qualys blog titled Is HTTP Public Key Pinning Dead? with many of the same concerns

    “Fascinating thread from a leader in HTTPS ecosystem — providing HPKP capability to unvetted web developers was a mistake, in retrospect”

    Conclusion

    One of the biggest concerns I have with HPKP right now is sites trying to use it and getting it wrong, RansomPKP is much less of a concern. At present securityheaders.io requires the use of HPKP to acquire the highest grade, A+, and this results in sites trying to use it. The number of times I receive emails from those who have broken their site or can’t get a valid policy to be accepted by the browser is worryingly high.

    HPKP has a very low usage rate even in the top 1 million sites as you would expect, but there are still examples of it being deployed wrong.

    Reply
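    The two failure modes in the comment above, HPKP suicide and RansomPKP, both follow from what a browser does with a Public-Key-Pins header. As an added example (not code from the comment, Scott Helme's post, or any browser), here is a small model of that logic per RFC 7469: pins are base64 SHA-256 hashes of a certificate's DER-encoded SubjectPublicKeyInfo, a header is only noted if at least one pin matches the chain and at least one backup pin does not, and later connections are refused unless a pinned key is in the chain. The SPKI blobs and host names are constructed so it runs without certificates.

    ```python
    """
    Added example, not part of the comment above or of Scott Helme's post: a
    model of how a user agent handles Public-Key-Pins (RFC 7469), used to show
    HPKP suicide and RansomPKP. SPKI values are constructed byte strings, not
    real SubjectPublicKeyInfo DER.
    """
    import base64
    import hashlib
    import re


    def spki_pin(spki_der: bytes) -> str:
        """pin-sha256 value: base64(SHA-256(SubjectPublicKeyInfo DER))."""
        return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


    def build_header(pins, max_age, include_subdomains=False) -> str:
        parts = ['pin-sha256="%s"' % p for p in pins] + ["max-age=%d" % max_age]
        if include_subdomains:
            parts.append("includeSubDomains")
        return "; ".join(parts)


    def parse_header(header: str):
        pins = set(re.findall(r'pin-sha256="([^"]+)"', header))
        m = re.search(r"max-age=(\d+)", header)
        return {"pins": pins, "max_age": int(m.group(1)) if m else None}


    class PinStore:
        """Per-host pin cache as a browser keeps it (expiry handling omitted)."""

        def __init__(self):
            self.pinned = {}

        def note_header(self, host, header, chain_spkis):
            """Note pins only if the header is valid: at least one pin matches
            the validated chain and at least one backup pin does not."""
            policy = parse_header(header)
            if policy["max_age"] is None or not policy["pins"]:
                return "ignored: malformed"
            if policy["max_age"] == 0:          # treated here as a clearing directive
                self.pinned.pop(host, None)
                return "cleared"
            chain_pins = {spki_pin(s) for s in chain_spkis}
            if not policy["pins"] & chain_pins:
                return "ignored: no pin matches the chain"
            if not policy["pins"] - chain_pins:
                return "ignored: no backup pin"
            self.pinned[host] = policy["pins"]
            return "noted"

        def check_connection(self, host, chain_spkis) -> bool:
            """True if the presented chain satisfies the stored pins."""
            pins = self.pinned.get(host)
            if pins is None:
                return True
            return bool(pins & {spki_pin(s) for s in chain_spkis})


    def scenarios():
        """Walk through a correct deployment, suicide and ransom with constructed keys."""
        live, backup, replacement = b"spki-live", b"spki-backup", b"spki-new"
        attacker, attacker_backup = b"spki-attacker", b"spki-attacker-backup"
        store, results = PinStore(), {}
        # Common mistake: pinning only the live key; a UA must ignore this header.
        results["no_backup"] = store.note_header(
            "example.test", build_header([spki_pin(live)], 5184000), [live])
        # Correct deployment: live pin plus a backup pin for a key kept offline.
        results["noted"] = store.note_header(
            "example.test", build_header([spki_pin(live), spki_pin(backup)], 5184000), [live])
        results["live_ok"] = store.check_connection("example.test", [live])
        # HPKP suicide: both pinned keys lost, site re-keys with one it never pinned.
        results["suicide"] = store.check_connection("example.test", [replacement])
        # Rollover done right: the backup key is now the one in the chain.
        results["backup_ok"] = store.check_connection("example.test", [backup])
        # RansomPKP: an attacker holding the site briefly pins keys only they have.
        ransom = PinStore()
        hdr = build_header([spki_pin(attacker), spki_pin(attacker_backup)], 5184000)
        results["ransom_noted"] = ransom.note_header("victim.test", hdr, [attacker])
        results["owner_locked_out"] = ransom.check_connection("victim.test", [live])
        return results


    if __name__ == "__main__":
        for k, v in scenarios().items():
            print(k, "->", v)
    ```

    The backup-pin rule is the only guard the standard gives against suicide, and it only helps if the backup key is actually kept somewhere safe; RansomPKP is the same mechanism with the attacker holding both keys, and visitors stay locked out until max-age expires.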
  43. Tomi Engdahl says:

    McAfee online scan used plain old HTTP to fetch screen elements
    38 lines of code later, you’re owned. Good thing the fix is in, eh?
    https://www.theregister.co.uk/2017/08/01/mcafee_online_scan_insecure/

    McAfee has moved to patch a bug that falls under the “didn’t you get the memo?” category: among other things, its free Security Scan Plus online tool retrieved information over HTTP – that is, in plain text.

    The potential man-in-the-middle vector exists not in the operation of the free online scan, but in the house ads and UI design elements it serves.

    Reply
  44. Tomi Engdahl says:

    Entire Kim Dotcom Spying Operation Was Illegal, High Court Rules
    By Andy on August 25, 2017
    https://torrentfreak.com/entire-kim-dotcom-spying-operation-was-illegal-high-court-rules-170825/

    The whole New Zealand-based spying operation against Kim Dotcom and his Megaupload co-defendants was illegal, the High Court has ruled. The revelation appears in a newly released decision, which shows the GCSB spy agency refusing to respond to questions about its activities on the basis that could jeopardize national security.

    Reply
  45. Tomi Engdahl says:

    Beware Online Hotel Booking Scams
    http://www.eetimes.com/author.asp?section_id=216&doc_id=1331984&

    When you set about booking a hotel online, make sure you are using the hotel’s own website and not an intermediary site with nefarious intentions.

    After a substantial amount of rooting around, multiple phone calls, and numerous trips to the hotel’s reception desk, it turned out that Reservation Counter had, in fact, made a reservation for us. However, since this is all done under-the-hood by computers, the reservation was in the name of ANDCLIVEMAXFIELD/GINA (Gina had booked us in as “Gina and Clive Maxfield”), and the hotel’s system wasn’t sophisticated enough to make the connection.

    Further investigation revealed that Reservation Counter actually made the booking using Priceline.com, which is a tad more reputable, and which doesn’t sound any alarms at the hotel.

    The bottom line is that Reservation Counter charged us a 25% surcharge — that’s 25% more than the price we would have paid going directly to the Courtyard Marriott’s website

    In fact, a quick Google search for “Reservation Counter Scam” makes you realize that this is a prevalent problem

    Reply
  46. Tomi Engdahl says:

    Fraud Forces WannaCry Hero’s Legal Fund To Refund All Donations
    https://www.buzzfeed.com/kevincollier/beset-by-fraud-wannacry-heros-legal-fund-refunds-all?utm_term=.mfzeMywq5J#.iwJDBr5Kyk

    The lawyer managing fundraising for Hutchins’ legal defense decided it was easier to refund all donations than figure out which ones were legitimate.

    The vast majority of money raised to pay for the legal defense of beloved British cybersecurity researcher Marcus Hutchins was donated with stolen or fake credit card numbers, and all donations, including legitimate ones, will be returned, the manager of the defense fund says.

    Lawyer Tor Ekeland, who managed the fund, said at least $150,000 of the money collected came from fraudulent sources, and that the prevalence of fraudulent donations effectively voided the entire fundraiser. He said he’d been able to identify only about $4,900 in legitimate donations, but that he couldn’t be certain even of those.

    “I don’t want to take the risk, so I just refunded everything,” he said.

    Hutchins, who pleaded not guilty to all six charges against him on Aug. 14, has retained Brian Klein, a Los Angeles-based trial lawyer, and Marcia Hofmann, an acclaimed expert on US hacking laws, as his attorneys.

    Reply
  47. Tomi Engdahl says:

    Stephanie Condon / ZDNet:
    FBI files charges against Yu Pingan, a Chinese malware broker, alleging he provided hackers with malware used in OPM data breach — The malware has been linked to both the data breach of the US Office of Personnel Management as well as the Anthem breach. — The FBI has filed charges …

    FBI charges Chinese national with distributing malware used in OPM hack
    http://www.zdnet.com/article/fbi-charges-chinese-national-with-distributing-sakula-malware/

    The malware has been linked to both the data breach of the US Office of Personnel Management as well as the Anthem breach.

    The FBI has filed charges against a Chinese malware broker named Yu Pingan, alleging that he provided hackers with malware, including the Sakula trojan, to breach multiple computer networks belonging to companies in the US.

    Yu was arrested on August 21 at Los Angeles International Airport.

    The rarely-used Sakula malware, which was cited in the complaint, has been linked to both the 2014 breach of the US Office of Personnel Management as well as the 2015 breach of the health insurance firm Anthem.

    The Anthem breach impacted 78.8 million current and former customers of the company.

    Reply
  48. Tomi Engdahl says:

    ‘US Intelligence Agencies Should Put Up Or Shut Up With Kaspersky Rumors’
    https://politics.slashdot.org/story/17/08/25/1523255/us-intelligence-agencies-should-put-up-or-shut-up-with-kaspersky-rumors?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29

    As previously reported on Slashdot, U.S. intelligence agencies have warned against using Kaspersky software amid swirling rumors of ties between Kaspersky Lab executives and the Russian government. White House cybersecurity coordinator Rob Joyce this week advised against consumer use of Kaspersky software. This may be good politics, but CSOonline’s Fahmida Rashid warns that it’s bad infosec. ‘If the government has any evidence — or even compelling reasons for being suspicious — it should be sharing that

    W.H. cybersecurity coordinator warns against using Kaspersky Lab software
    https://www.cbsnews.com/news/kasperksy-lab-software-suspected-ties-russian-intelligence-rob-joyce/

    Rob Joyce, the Trump administration’s cybersecurity coordinator, said Tuesday the U.S. is lacking 300,000 cybersecurity experts needed to defend the country.

    He also had a warning for the public about using software from Kaspersky Lab. U.S. officials believe the company has ties to the Kremlin — and the federal government has vowed not to use its products.

    CBS News has confirmed that FBI officials have met with private industry representatives to relay concerns about Kaspersky Lab, which is a Moscow-based cybersecurity company with suspected ties to Russian intelligence.

    FBI agents have also interviewed Kaspersky employees working in the U.S.

    The U.S. government already prohibits its use, but local and state governments make extensive use of the Russian software. In fact, there are more than 400 million users worldwide.

    Reply
  49. Tomi Engdahl says:

    Why We Need To Decentralize The Web
    https://tech.slashdot.org/story/17/08/25/1815209/why-we-need-to-decentralize-the-web?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29

    There’s a good research report that was just published. It’s called “Defending Internet Freedom through Decentralization: Back to the Future?” (That’s a PDF so watch yourself.) What is decentralization? Take the web: Anyone can set up a web page and link to any other web page. That’s decentralized. Anyone can make a search engine to find those web pages. That’s centralized. The search engine can add blogging. That’s Google + Blogger. Now it’s both a publisher and a search engine. It has more power. Decentralized things are harder to manage and use. Centralized things end up easy to use and make money for relatively few people. The web is inherently decentralized, which has made it much easier for large companies to create large, centralized platforms. It’s a paradox and very thorny.

    http://dci.mit.edu/assets/papers/decentralized_web.pdf

    Reply
  50. Tomi Engdahl says:

    Kashmir Hill / Gizmodo:
    Facebook’s “People You May Know” recommends a relative a reporter didn’t know she had, raising privacy questions; Facebook, citing privacy, won’t offer details

    Facebook Figured Out My Family Secrets, And It Won’t Tell Me How
    http://gizmodo.com/facebook-figured-out-my-family-secrets-and-it-wont-tel-1797696163

    The People You May Know feature is notorious for its uncanny ability to recognize who you associate with in real life. It has mystified and disconcerted Facebook users by showing them an old boss, a one-night-stand, or someone they just ran into on the street.

    These friend suggestions go far beyond mundane linking of schoolmates or colleagues. Over the years, I’d been told many weird stories about them, such as when a psychiatrist told me that her patients were being recommended to one another, indirectly outing their medical issues.

    What makes the results so unsettling is the range of data sources—location information, activity on other apps, facial recognition on photographs—that Facebook has at its disposal to cross-check its users against one another, in the hopes of keeping them more deeply attached to the site.

    I was grateful that Facebook had given me the chance to talk to an unknown relation, but awed and disconcerted by its apparent omniscience.

    How Facebook had linked us remained hard to fathom.

    Facebook is known to buy information from data brokers.

    Reply
