Security trends 2017

2017 will not bring any turn towards better data security. The internet is rife with threats, the well-known ones and the not-yet-known ones alike, and company systems are expected to be protected against all of them. Attackers will keep looking for new ways to extort and steal information from businesses and organizations, which unfortunately means those businesses and organizations will have to keep looking for new ways to protect themselves.

Critical infrastructure comes under attack in 2017. Critical infrastructure must be better protected from criminals and terrorists who exploit the modern technologies that society and the economy depend on. The IT security of industrial control systems (ICS), energy grids and IoT networks needs to improve in 2017.

There is a push for better web security in 2017. Beginning in January 2017 (Chrome 56), Google's Chrome marks as "Not secure" any plain-HTTP page that contains a password or credit card field, as the first step of a long-term plan to mark all HTTP pages as not secure. If you run a login or checkout page, the fix is not to hide the field but to serve the whole page over HTTPS and submit the form to an HTTPS URL.
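To audit your own pages for the Chrome 56 rule before the browser does it for your users, the following scanner is an added example (not code from the original post or from Google). It parses an HTML document, finds `<input>` elements whose `type` or `autocomplete` attribute marks them as password or card fields, and reports them when the page URL is `http://`. As an extra check that goes beyond Chrome's rule, it also reports a form on an `https://` page whose `action` submits the field to an `http://` URL. The sample pages at the bottom are constructed for the demonstration.

```python
"""Flag pages that Chrome 56 would label "Not secure".

Added example; not code from the original post or from Google. The sample
pages in SAMPLE_PAGES are constructed and the hostnames are fictitious.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# WHATWG autofill field names for payment-card data.
CARD_AUTOCOMPLETE = {"cc-number", "cc-csc", "cc-exp", "cc-exp-month", "cc-exp-year"}


class SensitiveInputFinder(HTMLParser):
    """Collect (field_kind, enclosing form action) for sensitive <input> elements."""

    def __init__(self):
        super().__init__()
        self.open_forms = []   # stack of action attributes of the open <form> tags
        self.findings = []     # (kind, action-or-None)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.open_forms.append(a.get("action"))
        elif tag == "input":
            kind = None
            if (a.get("type") or "").lower() == "password":
                kind = "password"
            elif (a.get("autocomplete") or "").lower() in CARD_AUTOCOMPLETE:
                kind = "credit-card"
            if kind:
                action = self.open_forms[-1] if self.open_forms else None
                self.findings.append((kind, action))

    def handle_endtag(self, tag):
        if tag == "form" and self.open_forms:
            self.open_forms.pop()


def insecure_fields(page_url, html):
    """Return [(kind, submit_url)] for sensitive fields collected on, or submitted
    to, a plain-HTTP URL. An empty list means Chrome 56 would not flag the page."""
    finder = SensitiveInputFinder()
    finder.feed(html)
    page_scheme = urlsplit(page_url).scheme
    hits = []
    for kind, action in finder.findings:
        # A form without an action submits back to the page itself.
        submit_url = urljoin(page_url, action) if action else page_url
        if page_scheme == "http" or urlsplit(submit_url).scheme == "http":
            hits.append((kind, submit_url))
    return hits


# Constructed sample pages (fictitious hosts, not real sites).
SAMPLE_PAGES = {
    "http://shop.example/login":
        '<form action="/login"><input name="u"><input type="password" name="p"></form>',
    "https://shop.example/pay":
        '<form action="http://legacy.example/pay">'
        '<input autocomplete="cc-number" name="card"></form>',
    "https://shop.example/account":
        '<form action="/login"><input type="password" name="p"></form>',
}


def scan_all(pages=SAMPLE_PAGES):
    """Map each page URL to its list of insecure sensitive fields."""
    return {url: insecure_fields(url, html) for url, html in pages.items()}


if __name__ == "__main__":
    for url, hits in scan_all().items():
        print(url, "->", hits or "ok")
```

The first sample page is flagged because it is served over HTTP at all; the second is flagged only by the extra form-action check; the third is clean.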

SHA-1 is insecure. By the start of 2017 most CAs have migrated to SHA-2 certificates, and the major browser makers, Microsoft, Google and Mozilla, have all announced that their browsers will stop trusting SHA-1 signed certificates in early 2017 and will mark those sites as insecure. Despite the looming deadline, about a third of websites still use SHA-1 certificates. Note that the signature on every certificate in the chain counts, not just the leaf; only the self-signed root is exempt, because its signature is never verified. SHA-1 will still hang around, like a fart in a spacesuit, for many years to come, because some people are too lazy to make the change.
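The check a practitioner wants here is "which hash does this certificate's signature use?", which can be answered without a TLS library. The following is an added example, not code from the original post: a certificate is DER `SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }`, so the code walks the outer SEQUENCE, skips the TBS and decodes the OID in `signatureAlgorithm`. The certificates built by `make_sample_cert()` are constructed stand-ins with a placeholder TBS and a dummy signature; they exercise the parser and nothing more. Run `check_signature(load_der(path))` on each certificate in a real chain.

```python
"""Report an X.509 certificate's signature algorithm and whether it is SHA-1.

Added example; not code from the original post. Standard library only.
"""
import ssl

# Common signature-algorithm OIDs and whether they rely on SHA-1.
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5":  ("sha1WithRSAEncryption", True),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", False),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", False),
    "1.2.840.10045.4.1":     ("ecdsa-with-SHA1", True),
    "1.2.840.10045.4.3.2":   ("ecdsa-with-SHA256", False),
    "1.2.840.10045.4.3.3":   ("ecdsa-with-SHA384", False),
}


def read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, contents, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw):
    """Decode DER OID contents into dotted notation."""
    first = raw[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)  # base-128 digits, high bit = continuation
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm_oid(der):
    """Return the dotted OID of the certificate's outer signatureAlgorithm."""
    tag, cert, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    _, _tbs, pos = read_tlv(cert, 0)       # tbsCertificate: skipped
    tag, alg, _ = read_tlv(cert, pos)      # signatureAlgorithm: AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid, _ = read_tlv(alg, 0)
    if tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    return decode_oid(oid)


def check_signature(der):
    """Return (algorithm name, uses_sha1); uses_sha1 is None for an unknown OID."""
    oid = signature_algorithm_oid(der)
    return SIGNATURE_OIDS.get(oid, (oid, None))


def load_der(path):
    """Read a certificate file in DER or PEM form and return DER bytes."""
    with open(path, "rb") as fh:
        data = fh.read()
    if data.startswith(b"-----BEGIN"):
        return ssl.PEM_cert_to_DER_cert(data.decode("ascii"))
    return data


# ---- constructed sample certificates (stand-ins, not real certificates) ----

def der(tag, body):
    """Minimal DER encoder for the samples (short and long length forms)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def make_sample_cert(alg_oid_hex):
    """Placeholder TBS, a real AlgorithmIdentifier, and a dummy 128-byte signature."""
    tbs = der(0x30, der(0x02, b"\x01"))                              # SEQUENCE { INTEGER 1 }
    alg = der(0x30, der(0x06, bytes.fromhex(alg_oid_hex)) + der(0x05, b""))
    sig = der(0x03, b"\x00" + b"\x00" * 128)                          # BIT STRING, long-form length
    return der(0x30, tbs + alg + sig)


SHA1_RSA_OID_HEX = "2a864886f70d010105"    # 1.2.840.113549.1.1.5
SHA256_RSA_OID_HEX = "2a864886f70d01010b"  # 1.2.840.113549.1.1.11

if __name__ == "__main__":
    for label, hexoid in (("old", SHA1_RSA_OID_HEX), ("new", SHA256_RSA_OID_HEX)):
        name, weak = check_signature(make_sample_cert(hexoid))
        print(label, name, "SHA-1, replace it" if weak else "ok")
```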

There will be changes in how businesses view security in 2017. We will likely see cloud adoption continue to grow across the United States, network visibility will no longer be optional, AI and machine learning will shake up old security models, and IoT-powered attacks will continue to rise. All of this will factor into how businesses set up, monitor and secure their networks.

The commoditization of cyberattacks will make them more frequent in 2017. More and more companies suffer business disruption from cyber attacks. Cyber attacks cause companies significant financial losses, yet studies show that companies are not prepared for them. According to Gartner, by 2018 only 40 per cent of large companies will have formal plans for handling cyber attacks, up from zero per cent a year earlier.

Strap yourself in for a bumpy ride in 2017. 2016 was bad, and 2017 won't be much better, sorry. DDoS attacks have been around since at least 2000 and they are not going away; as the number of devices online grows, the volume and velocity of these attacks grow with it. DDoS toolkits have been around for years, as have booter services that let anyone pay for an attack, and there will be more of them. 2017 promises to be the most dramatic year yet in the DDoS conflict: whale-sized attacks will increase, the Internet of Things (IoT) and other connected devices will become a bigger factor in them, and DDoS used for extortion will overshadow ransomware.

Biometric identification will become more common in 2017, but it will not replace passwords. Fingerprint identification has become common in smartphones, and the technology is already fast and reliable. This year biometric identification devices worth 4.5 billion dollars were sold, most of them going into smartphones and laptops: 91 per cent of biometric sales were fingerprint sensors, four per cent face recognition and three per cent iris recognition.

Biometrics won't kill passwords any time soon. Even though PIN codes and passwords are pretty lousy protection against a skilled cybercriminal, the password will never disappear entirely: around two per cent of the world's population have fingerprints that biometric readers cannot use. Other biometric systems have similar limitations and/or are not yet commonly available at reasonable cost. While biometrics, including fingerprint, face, iris, palm and speech recognition, will continue to grow as a substitute for passwords, they will not render passwords obsolete. One caveat worth keeping in mind: a biometric cannot be changed once it leaks, so it works best as a local unlock factor guarding a secret rather than as a replacement for the secret itself. Until the other biometrics become commonplace, passwords are here to stay, until circa 2030.

The fight over encryption and backdoors is not over in 2017. Many public figures in law enforcement have consistently argued that device encryption presents a new threat to police powers of investigation. On the other side, the House Judiciary Committee's Encryption Working Group report says encryption backdoors pose a security threat, siding with technical experts. The problem is that any mechanism that lets police into an encrypted system, be it a phone, a computer or a communications service, could also be exploited by criminals. Any action in this space should weigh the short-term benefits against the long-term impacts. As industry experts will rightly tell you, there is no such thing as partial encryption: either the system is fully secure or it is not.

Given the security events of 2016, coupled with the rapid advancement and adoption of cloud computing, 2017 will be the year in which many finally accept that network infrastructure and security have to be rethought from the ground up. In 2017 the cloud itself becomes a risk for users, through extortion of cloud services and the openings created by IoT devices.

The race between network attacks and network defences is accelerating. Crippling Internet services with denial of service attacks is becoming more common throughout the world, IoT-powered attacks will continue to rise, and stopping an attack is not easy. For most companies the key is that attack traffic is stopped before it reaches the company's Internet connection or servers, which means relying more on the telecom operator and on external scrubbing services. Besides disrupting service, denial of service attacks are often used as a distraction during the actual data theft, so a DDoS should raise the alert level on the rest of the network rather than absorb all of the team's attention. DDoS may take over from ransomware as the main cause for concern.
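Whether the traffic is stopped upstream or on your own edge, you still need to recognise the attack in your flow telemetry. The following added example (not code from the original post or from any vendor) scores three signals per destination over one flow-export window: aggregate bandwidth, the number of distinct sources (botnet fan-in), and the share of UDP bytes arriving from well-known amplifier service ports (reflection). The record format is a constructed simplification of NetFlow/IPFIX data (`epoch src_ip src_port dst_ip dst_port proto bytes packets`, one record per line), the thresholds are illustrative assumptions, and the sample export built by `build_sample()` is constructed: a DNS reflection flood against one host beside ordinary traffic.

```python
"""Flag volumetric and reflection DDoS patterns in flow records.

Added example; not code from the original post or from any vendor. The flow
line format, the thresholds and the sample data are all assumptions made
for this demonstration.
"""
from collections import defaultdict

# UDP services commonly abused for reflection/amplification. In the victim's
# flows they appear as the *source* port of the reflected responses.
AMPLIFIER_PORTS = {53: "DNS", 123: "NTP", 161: "SNMP", 1900: "SSDP", 11211: "memcached"}


def parse_flows(text):
    """Parse "epoch src sport dst dport proto bytes packets" lines into dicts."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, sport, dst, dport, proto, nbytes, npkts = line.split()
        flows.append({"ts": int(ts), "src": src, "sport": int(sport),
                      "dst": dst, "dport": int(dport), "proto": proto.lower(),
                      "bytes": int(nbytes), "packets": int(npkts)})
    return flows


def analyse(flows, window_s=10, mbps_threshold=500, fanin_threshold=100, reflect_share=0.8):
    """Return {victim_ip: [reasons]} for destinations that look under attack.

    window_s is the length of the export window the flows cover."""
    stats = defaultdict(lambda: {"bytes": 0, "sources": set(), "reflect": defaultdict(int)})
    for f in flows:
        s = stats[f["dst"]]
        s["bytes"] += f["bytes"]
        s["sources"].add(f["src"])
        if f["proto"] == "udp" and f["sport"] in AMPLIFIER_PORTS:
            s["reflect"][AMPLIFIER_PORTS[f["sport"]]] += f["bytes"]

    alerts = {}
    for dst, s in stats.items():
        reasons = []
        mbps = s["bytes"] * 8 / window_s / 1e6
        if mbps >= mbps_threshold:
            reasons.append(f"volumetric: {mbps:.0f} Mbit/s")
        if len(s["sources"]) >= fanin_threshold:
            reasons.append(f"fan-in: {len(s['sources'])} distinct sources")
        reflected = sum(s["reflect"].values())
        if s["bytes"] and reflected / s["bytes"] >= reflect_share:
            top = max(s["reflect"], key=s["reflect"].get)
            reasons.append(f"reflection: {reflected / s['bytes']:.0%} of bytes from {top} responders")
        if reasons:
            alerts[dst] = reasons
    return alerts


def build_sample():
    """Constructed 10-second export: a DNS reflection flood at 203.0.113.10 plus normal traffic.
    198.51.100.0/24 and 203.0.113.0/24 are documentation ranges, not real hosts."""
    t = 1500000000
    lines = [f"{t} 198.51.100.{i} 53 203.0.113.10 55555 udp 4000000 2700" for i in range(1, 201)]
    lines.append(f"{t} 10.0.0.5 44123 203.0.113.10 80 tcp 1200 6")
    lines.append(f"{t} 10.0.0.6 50001 203.0.113.20 443 tcp 52000 40")
    return "\n".join(lines)


if __name__ == "__main__":
    for victim, reasons in analyse(parse_flows(build_sample())).items():
        print(victim)
        for r in reasons:
            print("  -", r)
```

The reflection signal is the one that tells you what to ask the upstream operator to filter (responses from UDP/53 towards the victim), while fan-in without reflection points at a direct botnet flood where per-source rate limiting does little and scrubbing is the realistic answer.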

In 2017 IT and security professionals talk more about business risk. Historically, firewalls, DLP, antivirus, SIEM and other technical point solutions have been the centerpiece of security conversations, but the mindset is slowly shifting from technology to risk. The goal of stopping all attacks and preventing all business impact has been recognized as a fool's errand, and the focus has shifted to measuring risk and minimizing business impact. Cyber security is increasingly viewed as a risk management problem.

In 2017 'security' must be added to our existing ethical and philosophical concerns over artificial intelligence and algorithms. Algorithms will soon run the world. They raise serious ethical and philosophical questions, and they have become the basis of fictional Armageddons.

Cyber insurance will be considered more often as one way of handling cyber risk in 2017. The global cyber insurance market is expected to reach $14 billion by 2022, according to a new report published by Allied Market Research (AMR). That figure represents a compound annual growth rate (CAGR) of nearly 28% from 2016 to 2022.

In 2017 Big Brother will be watching you 24/7. Those of you who have read George Orwell's 1984 or seen the film will remember how the citizens of the fictitious totalitarian state of Oceania are constantly under surveillance by order of its dictator, Big Brother. Swap the telescreen for your desktop computer, laptop or smartphone and you are not only sitting in front of a modern version of Big Brother's telescreen, you are also carrying one around in your pocket or handbag. Sound far fetched? It is set to become reality in many countries.

Users will want better security, or at least to feel more secure, in 2017. Many people say they are prepared to go to extremes for it: according to a Harris Poll survey of over 2,000 US adults, nearly 40% of Americans would give up sex or their favourite food for a year in exchange for online security that meant they never had to worry about being hacked. When 87 percent of U.S. adults use the internet, it makes sense that cyber security is one of the biggest concerns today. The single biggest thing people can do to keep their online identity safe is also the easiest: a solid password, not given to other people. Still, nearly 50% of people have shared a password to an e-mail account or to an account like Netflix.

Security becomes a multi-system issue, and more people are talking about it. Design teams will have to bake security strategies in from the start, no matter how insignificant the device. The good news is that more people are talking about the issue. The real challenge is packing enough security features into designs to prevent breaches of every sort, including those that come from other electronics that weren't even considered part of the design process. As devices get more sophisticated, so do attackers. The reality is that security breaches can even cause physical harm. It's time to look at this at a multi-system, multi-disciplinary level. Otherwise, we literally could be playing with fire.

Blockchains have been a big trend for several years, and the blockchain market is divided as 2017 starts. During autumn 2016 we saw a number of cooperation initiatives between the financial sector and consulting companies. Microsoft has chosen the Ethereum blockchain as a platform and offers it in its Azure cloud service; IBM has jumped on the Hyperledger consortium bandwagon and offers its own blockchain in its Bluemix service. Google and Amazon are still conspicuous by their absence. Even banks may prefer to run their blockchains in the cloud.


Other prediction articles worth a look:

What Lies Ahead for Cybersecurity in 2017?

Network Infrastructure, Visibility and Security in 2017

DDoS in 2017: Strap yourself in for a bumpy ride

Cybersecurity Industry Outlook: 2017 to 2021 | CSO Online

IBM’s Cybersecurity Predictions for 2017 – eForensics

https://eforensicsmag.com/ibms-cybersecurity-predictions-2017/

Top 5 Cybersecurity Threats to Watch Out for in 2017

Experts Hopeful as Confidence in Risk Assessment Falls


3,151 Comments

  1. Tomi Engdahl says:

    Crunch Report | Facebook admits Russian meddling in Brexit
    https://techcrunch.com/2017/11/14/crunch-report-facebook-admits-russian-meddling-in-brexit/?utm_source=tcfbpage&sr_share=facebook

    Here’s the first evidence Russia used Twitter to influence Brexit
    http://www.wired.co.uk/article/brexit-russia-influence-twitter-bots-internet-research-agency

    Russia-based Twitter accounts that targeted the US presidential election also used divisive and racist rhetoric in an attempt to disrupt politics in the UK and Europe

    Reply
  2. Tomi Engdahl says:

    Strangers can talk to your child through ‘connected’ toys, investigation finds
    https://www.theguardian.com/technology/2017/nov/14/retailers-urged-to-withdraw-toys-that-allow-hackers-to-talk-to-children

    Which? investigation finds security flaws in ‘intelligent’ toys such as CloudPets and Hasbro’s Furby Connect

    A consumer group is urging major retailers to withdraw a number of “connected” or “intelligent” toys

    Tests carried out by Which? with the German consumer group Stiftung Warentest, and other security research experts, found flaws in Bluetooth and wifi-enabled toys that could enable a stranger to talk to a child.

    The investigation found that four out of seven of the tested toys could be used to communicate with the children playing with them. Security failures were discovered in the Furby Connect, i-Que Intelligent Robot, Toy-Fi Teddy and CloudPets.

    With each of these toys, the Bluetooth connection had not been secured, meaning the researcher did not need a password, pin or any other authentication to gain access.

    Reply
  3. Tomi Engdahl says:

    Muslim activists hack Isis mailing list hours after terrorists claimed it was unhackable
    http://www.independent.co.uk/news/world/middle-east/isis-hacked-propaganda-amaq-mailing-list-emails-subscribers-published-islamic-state-online-caliphate-a8049771.html

    Like its physical idea of an ‘Islamic State’, analysts say the online caliphate is starting to crumble

    Muslim hackers have attacked Isis’s propaganda network and published a list of almost 2,000 subscribers’ email addresses in the latest blow to the online “caliphate”.

    After numerous cyber attacks and official takedowns targeting its Amaq “news agency”, Isis issued a message on Friday night claiming it had increased security.

    Reply
  4. Tomi Engdahl says:

    The Disconnect Between Security Perception and Security Reality
    http://www.securityweek.com/disconnect-between-security-perception-and-security-reality

    A new global survey highlights the disconnect between security expectations and security reality for many IT/security professionals.

    There is an awareness of the likelihood of security attacks (45% of respondents expect one within the next 12 months). There is ongoing empirical evidence of the failure of security professionals to stop these attacks — most recently with Equifax. Despite this, 89% of survey respondents believe they are in a good position to protect themselves from attack.

    SecurityWeek asked Matt Lock, director of sales engineers at Varonis, why there should be this difference between expectation and reality. One often-quoted possibility is the Optimism Bias (Wikipedia) — the hard-coded biological instinct that bad things happen to other people, not to me.

    Lock doesn’t feel that the survey sheds any light on the reasons for the disconnect, merely that it exists. From a personal stand-point he points to over-confidence and possibly a lack of visibility into their own networks. On the former, he commented, “Some really do feel they are completely prepared and have figured out how to keep their organizations safe. In 2017, many well-respected organizations, which would seem to have the resources to ward off cyberattacks, fell victim to breaches and ransomware. Was over-confidence to blame?”

    For the latter, he wonders if track-record might be a contributing factor: professionals who don’t believe they have been breached might believe “that what they’re doing must be working. The reality, however, might be that they have been breached but just don’t know it.”

    Nevertheless, despite the confidence in their ability to resist future attacks, around 25% of the respondents confirmed that their organization had experienced data loss, data theft or ransomware during the last two years. This was highest in Germany, where 34% of respondents reported that their organization had been a victim of ransomware.

    The perceived ability to resist attacks is not the only surprising detail to come from the survey. Given the relative imminence of GDPR next year, and the common perception that many companies are still not GDPR-compliant, it would be unsurprising to see ‘compliance’ as an issue of concern.

    One possibility is that organizations believe that 2018 will be a bedding-in period for the regulations, and they won’t be enforced before 2019.

    The survey report (PDF), ‘Security Practices and Expectations Following the World’s Biggest Breach’ (Equifax) was published on Monday by Varonis.
    https://info.varonis.com/hubfs/Research%20Report%20-%20After%20Equifax.pdf

    Reply
  5. Tomi Engdahl says:

    Microsoft Patches 20 Critical Browser Vulnerabilities
    http://www.securityweek.com/microsoft-patches-20-critical-browser-vulnerabilities

    Microsoft’s Patch Tuesday updates for November address more than 50 vulnerabilities, including 20 critical flaws affecting the company’s web browsers.

    A total of 53 CVE identifiers have been assigned to the security bugs addressed by Microsoft this month. None of them appear to have been exploited in attacks before the company released the patches.

    Three of the flaws have already been publicly disclosed. These are a browser memory corruption that can lead to code execution (CVE-2017-11827), an information disclosure issue in ASP.NET (CVE-2017-8700), and an information disclosure bug in Internet Explorer (CVE-2017-11848).

    Reply
  6. Tomi Engdahl says:

    U.S. Government Shares Details of FALLCHILL Malware Used by North Korea
    http://www.securityweek.com/us-government-shares-details-north-korea-cyber-attacks

    FALLCHILL Malware Used by North Korean Government Hackers is a Fully Functional RAT, DHS Says

    The United States Department of Homeland Security (DHS) shared details of a hacking tool they say is being used by a threat group linked to the North Korean government known as “Hidden Cobra.”

    The threat actor dubbed by the U.S. government “Hidden Cobra” is better known in the cybersecurity community as Lazarus Group, which is believed to be behind several high-profile attacks, including the ones targeting Sony Pictures, Bangladesh’s central bank, and financial organizations in Poland. Links have also been found between the threat actor and the recent WannaCry ransomware attacks, but some experts are skeptical.

    A joint alert issued by the DHS and FBI said a remote administration tool (RAT) known as FALLCHILL was used by the North Korean government to hack into companies in the aerospace, telecommunications, and finance sectors. The alert describes FALLCHILL as a “fully functional RAT with multiple commands that the actors can issue from a command and control (C2) server to a victim’s system via dual proxies.”

    Reply
  7. Tomi Engdahl says:

    10 cloud mistakes that can sink your business
    https://www.cio.com/article/3237168/cloud-computing/10-cloud-mistakes-that-can-sink-your-business.html

    The cloud offers a wide range of tangible business benefits, but don’t let these common blunders cast a shadow on your company’s success.

    “The sun always shines above the clouds,” optimists enjoy telling us. What they fail to mention is that beneath the clouds there’s often high winds, torrential downpours, lightning and the occasional golf-ball-size hail bombardment.

    Reply
  8. Tomi Engdahl says:

    What do Vegas hookers, Colombian government, and 30,000 other sites have in common? Crypto-jacking miners
    Someone’s potentially getting rich – and it isn’t you
    https://www.theregister.co.uk/2017/11/15/coin_mining_30000_sites_cryptojacking/

    Over the past few months there has been an alarming rise in the number of websites running code that silently joyrides computers and secretly makes them mine digital currency for miscreants.

    The latest count suggests more than 30,000 sites are quietly running JavaScript miners on people’s PCs and handhelds – way more than previously thought.

    An analysis, published this month by infosec guru Troy Mursch, revealed that the vast majority of currency-mining software came from Coin Hive, the freely available JavaScript code developed to mine Monero.

    Cryptojacking malware Coinhive found on 30,000+ websites
    https://badpackets.net/cryptojacking-malware-coinhive-found-on-30000-websites/

    Reply
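The cryptojacking finding above is easy to check for on your own sites or in a crawl. The following is an added example (not code from the original post or from Bad Packets): it collects every `<script>` in a page and reports external scripts served from miner hosts and inline scripts that instantiate the CoinHive JavaScript API, extracting the site key so the operator can be reported. The host list is a short hand-picked indicator set; extend it from the research linked above. The sample pages are constructed.

```python
"""Detect Coinhive-style browser miners embedded in an HTML page.

Added example; not code from the original post or from Bad Packets. The
indicator list is a minimal assumption-level set; SAMPLE_PAGES is constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hosts known to serve in-browser mining scripts (extend from the Bad Packets research).
MINER_HOSTS = {"coinhive.com", "coin-hive.com", "authedmine.com", "crypto-loot.com", "jsecoin.com"}
# Constructor calls of the CoinHive API: new CoinHive.Anonymous('<site key>', {...})
MINER_API = re.compile(r"\bnew\s+Coin[Hh]ive\.(Anonymous|User|Token)\s*\(")
SITE_KEY = re.compile(r"""\s*['"]([A-Za-z0-9_-]+)['"]""")


class ScriptCollector(HTMLParser):
    """Gather external script URLs and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external = []      # src attribute of <script src=...>
        self.inline = []        # text of each <script>...</script> without src
        self._in_inline = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._in_inline = True
                self.inline.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline = False

    def handle_data(self, data):
        if self._in_inline:
            self.inline[-1] += data   # script bodies may arrive in several chunks


def _host_of(url):
    host = urlsplit(url).netloc.lower().split("@")[-1].split(":")[0]
    return host


def find_miners(html):
    """Return [(indicator_type, detail)] findings for one HTML document."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src in collector.external:
        host = _host_of(src)
        if host in MINER_HOSTS or any(host.endswith("." + h) for h in MINER_HOSTS):
            findings.append(("miner-script", src))
    for body in collector.inline:
        m = MINER_API.search(body)
        if m:
            key = SITE_KEY.match(body, m.end())
            findings.append(("miner-api",
                             f"CoinHive.{m.group(1)} site key {key.group(1) if key else '?'}"))
    return findings


# Constructed sample pages; the site key is made up.
SAMPLE_PAGES = {
    "infected": '<html><head><script src="https://coinhive.com/lib/coinhive.min.js"></script></head>'
                '<body><script>var miner = new CoinHive.Anonymous("sitekeyABC123", {throttle: 0.3});'
                'miner.start();</script></body></html>',
    "clean": '<html><head><script src="/static/app.js"></script></head>'
             '<body><script>console.log("hello");</script></body></html>',
}


def scan(pages=SAMPLE_PAGES):
    """Map page name to its miner findings."""
    return {name: find_miners(html) for name, html in pages.items()}


if __name__ == "__main__":
    for name, hits in scan().items():
        print(name, "->", hits or "clean")
```

Host matching catches the obvious case; miners that are proxied through the site's own domain only show up via the API-call pattern, or, at the network layer, via the WebSocket the miner opens to its pool proxy.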
  9. Tomi Engdahl says:

    “Instant Replay” for Computer Systems Shows Cyber Attack Details
    http://www.news.gatech.edu/2017/10/30/instant-replay-computer-systems-shows-cyber-attack-details

    Until now, assessing the extent and impact of network or computer system attacks has been largely a time-consuming manual process. A new software system being developed by cybersecurity researchers at the Georgia Institute of Technology will largely automate that process, allowing investigators to quickly and accurately pinpoint how intruders entered the network, what data they took and which computer systems were compromised.

    Known as Refinable Attack INvestigation (RAIN), the system will provide forensic investigators a detailed record of an intrusion, even if the attackers attempted to cover their tracks. The system provides multiple levels of detail, facilitating automated searches through information at a high level to identify the specific events for which more detailed data is reproduced and analyzed.

    The research, supported largely by the Defense Advanced Research Projects Agency (DARPA) and also by the National Science Foundation and Office of Naval Research, is scheduled to be reported October 31 at the 2017 ACM Conference on Computer and Communications Security (CCS).

    Even with RAIN’s selectivity, storing the relevant information requires significant capacity, but the advent of inexpensive storage makes that practical, said Kim. For instance, an average desktop computer might generate four gigabytes of system data per day, less than two terabytes per year. That amount of storage can now be purchased for as little as $50 per year.

    “I think we are getting into an affordable range of storage cost,” Kim said.

    Assessing the damage done by intruders now often takes weeks or months. Beyond accelerating that process, RAIN could help the operators of high-value military or commercial computer networks continually improve their security by providing a level of visibility that is impossible today, Lee said.

    “When this is deployed, organizations can have complete transparency, or visibility, about what went wrong,” he explained. “The operators of any network housing important data would want to have something like this to replace a manual process with a much more precise and automated technique.”

    Reply
  10. Tomi Engdahl says:

    Sysadmin 101: Patch Management
    http://www.linuxjournal.com/content/sysadmin-101-patch-management

    Some organizations have a purely manual patch management system. With such a system, when a security patch comes along, the sysadmin figures out which servers are running the software, generally by relying on memory and by logging in to servers and checking. Then the sysadmin uses the server’s built-in package management tool to update the software with the latest from the distribution. Then the sysadmin moves on to the next server, and the next, until all of the servers are patched.

    There are many problems with manual patch management. First is the fact that it makes patching a laborious chore. The more work patching is, the more likely a sysadmin will put it off or skip doing it entirely. The second problem is that manual patch management relies too much on the sysadmin’s ability to remember and recall all of the servers he or she is responsible for and keep track of which are patched and which aren’t. This makes it easy for servers to be forgotten and sit unpatched.

    The faster and easier patch management is, the more likely you are to do it. You should have a system in place that quickly can tell you which servers are running a particular piece of software at which version. Ideally, that system also can push out updates. Personally, I prefer orchestration tools like MCollective for this task, but Red Hat provides Satellite, and Canonical provides Landscape as central tools that let you view software versions across your fleet of servers and apply patches all from a central place.

    Patching should be fault-tolerant as well. You should be able to patch a service and restart it without any overall down time. The same idea goes for kernel patches that require a reboot. My approach is to divide my servers into different high availability groups so that lb1, app1, rabbitmq1 and db1 would all be in one group, and lb2, app2, rabbitmq2 and db2 are in another. Then, I know I can patch one group at a time without it causing downtime anywhere else.

    When patching requires a reboot, such as in the case of kernel patches, it might take a bit more time, but again, automation and orchestration tools can make this go much faster than you might imagine. I can patch and reboot the servers in an environment in a fault-tolerant way within an hour or two, and it would be much faster than that if I didn’t need to wait for clusters to sync back up in between reboots.

    Unfortunately, many sysadmins still hold on to the outdated notion that uptime is a badge of pride—given that serious kernel patches tend to come out at least once a year if not more often, to me, it’s proof you don’t take security seriously.

    Many organizations also still have that single point of failure server that can never go down, and as a result, it never gets patched or rebooted.

    Reply
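The HA-group approach in the comment above is worth encoding as a plan that is checked before anything is rebooted. The following is an added example, not code from the Linux Journal article: hosts are named role plus ordinal (`lb1`, `app2`, `db1`, ...), so the ordinal defines the HA group and every group can be patched as a unit. Before running, the plan refuses to proceed if any role has all of its instances in a single group, because patching that group would take the role down; that is exactly the "single point of failure server that never gets patched" case. The patch and health-check actions are injected as callables so the plan can be dry-run offline; the inventory is constructed.

```python
"""Plan fault-tolerant rolling patching by HA group.

Added example; not code from the Linux Journal article. SAMPLE_INVENTORY is
constructed, and the run/healthy callables are supplied by the caller.
"""
import re

HOST_RE = re.compile(r"^([a-z]+)(\d+)$")   # role + ordinal, e.g. rabbitmq2


def group_by_ordinal(hosts):
    """Map HA group number -> hosts, preserving inventory order inside each group."""
    groups = {}
    for h in hosts:
        m = HOST_RE.match(h)
        if not m:
            raise ValueError(f"host {h!r} does not follow role+ordinal naming")
        groups.setdefault(int(m.group(2)), []).append(h)
    return dict(sorted(groups.items()))


def single_points_of_failure(groups):
    """Roles whose every instance sits in one group: patching that group means downtime."""
    role_groups = {}
    for gid, hosts in groups.items():
        for h in hosts:
            role = HOST_RE.match(h).group(1)
            role_groups.setdefault(role, set()).add(gid)
    return sorted(role for role, gids in role_groups.items() if len(gids) < 2)


def rolling_patch(hosts, run, healthy):
    """Patch one HA group at a time and stop if a group does not come back healthy.

    run(host) applies the patch (and reboots if needed); healthy(host) -> bool.
    Returns the list of group numbers that were patched."""
    groups = group_by_ordinal(hosts)
    spof = single_points_of_failure(groups)
    if spof:
        raise RuntimeError(f"refusing to patch: roles with only one HA group: {spof}")
    done = []
    for gid, members in groups.items():
        for h in members:
            run(h)
        failed = [h for h in members if not healthy(h)]
        if failed:
            # Leave the other groups untouched so the service stays up on them.
            raise RuntimeError(f"group {gid} unhealthy after patching: {failed}")
        done.append(gid)
    return done


# Constructed inventory mirroring the comment's lb/app/rabbitmq/db pairs.
SAMPLE_INVENTORY = ["lb1", "app1", "rabbitmq1", "db1", "lb2", "app2", "rabbitmq2", "db2"]

if __name__ == "__main__":
    log = []
    patched = rolling_patch(SAMPLE_INVENTORY, run=lambda h: log.append(h), healthy=lambda h: True)
    print("patched groups:", patched, "in order:", log)
```

In production `run` would wrap something like `subprocess.run(["ssh", host, "sudo apt-get -y dist-upgrade && sudo reboot"], check=True)` and `healthy` would poll the service port or the cluster's own membership view until the node has rejoined; both are left to the caller here so the plan runs offline.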
  11. Tomi Engdahl says:

    U.S. Government issues alerts about malware and IP addresses linked to North Korean cyber attacks
    https://techcrunch.com/2017/11/14/u-s-government-issues-alerts-about-malware-and-ip-addresses-linked-to-north-korean-cyber-attacks/?ncid=rss&utm_source=tcfbpage&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29&utm_content=FaceBook&sr_share=facebook

    US-CERT, the Department of Homeland Security team responsible for analyzing cybersecurity threats, has posted a warning about cyber attacks by the North Korean government, which it collectively refers to as “Hidden Cobra.” The technical alert from the FBI and Department of Homeland Security says a remote administration tool (RAT) called FALLCHILL has been deployed by Hidden Cobra since 2016 to target the aerospace, telecommunications and finance industries.

    Reply
  12. Tomi Engdahl says:

    Jordan Pearson / Motherboard:
    Ethereum startup Parity says it knew about flaw in multi-signature wallets for months but didn’t address it, leading to $150M+ in lost ether

    Ethereum Wallet Company Knew About Critical Flaw That Let a User Lock Up Millions
    https://motherboard.vice.com/en_us/article/d3djwj/ethereum-wallet-parity-knew-about-critical-flaw-that-let-user-devops199-lock-up-millions

    Parity released its postmortem of the incident on Wednesday.

    After someone going by “Devops199” managed to permanently lock up millions of dollars worth of other people’s Ethereum funds last week, the company that created the vulnerable code published a postmortem on the incident on Wednesday. It doesn’t look good.

    According to Parity’s breakdown of the fiasco, the digital wallet company knew about the critical flaw since August and did not address it for months, until it was too late.

    This much we already knew: Parity suffered a massive hack due to a critical vulnerability in mid-July, prompting it to push out new code on July 20th.

    That wallet was actually a code library for Parity multi-signature wallets, making them instantly useless and permanently freezing the funds inside.

    At the moment, there is still no fix to free the locked funds.

    That’s because it happened before. After an Ethereum project called the DAO lost more than $50 million to a hacker in 2016, the funds were recovered via a hard fork network split, a move that spurred part of the Ethereum community to rebel and work on their own version of Ethereum, now called Ethereum Classic.

    Reply
  13. Tomi Engdahl says:

    Dustin Volz / Reuters:
    Trump administration publishes inter-agency rules for disclosing or keeping secret cyber security flaws, with decisions to retain flaws being revisited annually — WASHINGTON (Reuters) – The Trump administration publicly released on Wednesday its rules for deciding whether …

    Trump administration releases rules on disclosing cyber flaws
    http://www.reuters.com/article/us-usa-cyber-rules/trump-administration-releases-rules-on-disclosing-cyber-flaws-idUSKBN1DF0A0

    WASHINGTON (Reuters) – The Trump administration publicly released on Wednesday its rules for deciding whether to disclose cyber security flaws or keep them secret, in an effort to bring more transparency to a process that has long been cloaked in mystery.

    The NSA is listed as the “executive secretariat” of the inter-agency group, tasked with coordinating debate over flaws submitted by the various agencies if there is disagreement about whether to disclose them. If disagreements are not reconciled the group will vote on whether to disclose or retain the flaw.

    Reply
  14. Tomi Engdahl says:

    UK Cyber Security Chief Blames Russia for Hacker Attacks
    http://www.securityweek.com/uk-cyber-security-chief-blames-russia-hacker-attacks

    Russia has launched cyber attacks on the UK media, telecoms and energy sectors in the past year, Britain’s cyber security chief said Wednesday amid reports of Russian interference in the Brexit referendum.

    “Russia is seeking to undermine the international system. That much is clear,” Ciaran Martin, head of Britain’s National Cyber Security Centre (NCSC) said at a London tech conference, according to his office.

    “Russian interference, seen by the NCSC over the past year, has included attacks on the UK media, telecommunications and energy sectors,” Martin said.

    The centre has coordinated the government’s response to 590 significant incidents since its launch in 2016, although the government agency has not detailed which were linked to Russia.

    Reply
  15. Tomi Engdahl says:

    Windows 10 Detects Reflective DLL Loading: Microsoft
    http://www.securityweek.com/windows-10-detects-reflective-dll-loading-microsoft

    Windows 10 Creators Update can detect reflective Dynamic-Link Library (DLL) loading in a variety of high-risk processes, including browsers and productivity software, Microsoft says.

    This is possible because of function calls (VirtualAlloc and VirtualProtect) related to procuring executable memory, which generate signals for Windows Defender Advanced Threat Protection (Windows Defender ATP).

    Reflective DLL loading, the software giant explains, relies on loading a DLL into a process memory without using the Windows loader. First described in 2008, the method allows for the loading of a DLL into a process even if the DLL isn’t registered with the process.

    The technique is employed by modern attacks to avoid detection, although the operation is not trivial, as it requires the use of a custom loader that can write the DLL into memory and then resolve its imports and/or its relocation.

    Reply
  16. Tomi Engdahl says:

    Fileless Attacks Ten Times More Likely to Succeed: Report
    http://www.securityweek.com/fileless-attacks-ten-times-more-likely-succeed-report

    A new report from the Ponemon Institute confirms, but quantifies, what most people know: protecting endpoints is becoming more difficult, more complex and more time-consuming — but not necessarily more successful.

    Commissioned by endpoint protection firm Barkly, the report (PDF) confirms that defenders are increasingly moving away from primarily signature-based malware detection by replacing or supplementing existing defenses with additional protection or response capabilities. One third of respondents have replaced their existing AV product, while half of the respondents have retained their existing product but supplemented them with additional protections.

    To combat both old and new defenses, attackers are responding with a new attack methodology — the fileless attack. Ponemon notes that 29% of attacks in 2017 have been fileless. This is up from 20% in 2016, and is expected to increase to 35% in 2018.

    Reply
  17. Tomi Engdahl says:

    Microsoft Patches 17 Year-Old Vulnerability in Office
    http://www.securityweek.com/microsoft-patches-17-year-old-vulnerability-office

    Microsoft on Tuesday released its November 2017 security updates to resolve 53 vulnerabilities across products, including a security bug that has impacted all versions of its Microsoft Office suite over the past 17 years.

    Tracked as CVE-2017-11882, the vulnerability resides in the Microsoft Equation Editor (EQNEDT32.EXE), a tool that provides users with the ability to insert and edit mathematical equations inside Office documents.

    The bug was discovered by Embedi security researchers as part of very old code in Microsoft Office. The vulnerable version of EQNEDT32.EXE was compiled on November 9, 2000, “without essential protective measures,” the researchers say.

    Although the component was replaced in Office 2007 with new methods of displaying and editing equations, Microsoft kept the vulnerable file up and running in the suite, most likely to ensure compatibility with older documents.

    Reply
  18. Tomi Engdahl says:

    Amazon Echo, Google Home Vulnerable to BlueBorne Attacks
    http://www.securityweek.com/amazon-echo-google-home-vulnerable-blueborne-attacks

    Amazon Echo and Google Home devices are vulnerable to attacks exploiting a series of recently disclosed Bluetooth flaws dubbed “BlueBorne.”

    IoT security firm Armis reported in September that billions of Android, iOS, Windows and Linux devices using Bluetooth had been exposed to a new attack that can be carried out remotely without any user interaction.

    A total of eight Bluetooth implementation vulnerabilities allow a hacker who is in range of the targeted device to execute arbitrary code, obtain sensitive information, and launch man-in-the-middle (MitM) attacks. There is no need for the victim to click on a link or open the file in order to trigger the exploit, and most security products would likely not detect an attack.

    Google patched the vulnerabilities affecting Android in September and Microsoft released fixes for Windows in July. Apple had already addressed the issue in iOS one year prior to disclosure, and Linux distributions released updates shortly after disclosure.

    Reply
  19. Tomi Engdahl says:

    Multi-Stage Android Malware Evades Google Play Detection
    http://www.securityweek.com/multi-stage-android-malware-evades-google-play-detection

    A newly discovered multi-stage Android malware that managed to sneak into Google Play is using advanced anti-detection features, ESET security researchers reveal.

    Eight malicious applications hiding the new threat were found in the official application store, all legitimate-looking but delaying the malicious activity to hide their true intent. Google has removed all eight programs after being alerted of the threat.

    Detected as Android/TrojanDropper.Agent.BKY, the applications form a new family of multi-stage Android malware, ESET says. Although the most popular of these apps reached only several hundred downloads, the use of advanced anti-detection features makes this malware family interesting.

    Reply
  20. Tomi Engdahl says:

    Risky Business: Understand Your Assets and Align Security With the Business
    http://www.securityweek.com/risky-business-understand-your-assets-and-align-security-business

    For years I wondered why business groups would move forward with technology initiatives before fully understanding their risk exposure. Focused on the business outcome, teams always wanted to implement first and figure out the risks later.

    Problem is, risks are intrinsic to business outcomes. A solution is only as valuable as the information flowing through it. Compromise the information, bring down the solution, and the business outcome cannot be realized.

    Too often this dawns on the business after implementation, when risk treatment options are limited. Often the only choice is to put a wrapper around the solution, a compensating mitigation with a tendency to make users less happy and the technology less appealing — which also diminishes the desired outcome.

    Understand your assets

    First it’s important to understand the value of the information and the technology in terms of its impact to the business. Business groups need to understand not only what their assets are, but also how the security team classifies those assets in terms of business impact.

    For sensitive information, the military uses four categories: Top Secret, Secret, Confidential, and Unclassified. They describe the consequences of unintended release of Top Secret information with one word: grave.

    A similar model is used in the corporate world. Most companies use a three-tiered classification of high, medium or low business impact. And in terms of high-impact business data, I would argue that the term grave still applies.

    Transfer

    The same thing could be said about risk transfer. Risk transfer can involve non-technology solutions, such as buying an insurance policy to help compensate the business in the event of an exploit or other compromise to the system. It can also involve contracts that literally transfer the risk to another party.

    Acceptance

    And then there’s risk acceptance, which may actually be the most important tool that exists for security. This is when you go to an officer of the company, educate her on the risk in question, and ask her to accept it and document the acceptance.

    Mitigation

    Of course, there will always be mitigation, and that’s really about controls. If you’re doing things right and the security team is brought in at the beginning, you minimize the need to perform compensating controls later. This results in a much stronger system.

    But mitigation isn’t the only game in town, and business owners don’t always understand these additional options — because they’re not being taught. The solution is to work with them to understand the value of the assets and what the risk treatment options are, then build a risk treatment plan that truly reflects your priorities, risk tolerance and resources.

    Reply
  21. Tomi Engdahl says:

    What Sort of Testing Do My Applications Need?
    http://www.securityweek.com/what-sort-testing-do-my-applications-need

    As you start to get an idea of what your application portfolio looks like, you then need to start determining the specific risks that applications can expose your organization to. This is typically done through application security testing – identifying vulnerabilities in an application so that you can make risk-based decisions about mitigation and resolution.

    The challenge lies in the fact that there is no “one size fits all” approach to application security testing. You cannot constantly perform exhaustive testing on all applications – you simply will not have the resources. And, you will be limited in the types of testing you can do based on the type, language, and framework of the application, as well as the availability of source code. To most effectively begin the application security testing process, you need to determine the depth of testing you want to accomplish.

    The risk associated with the specific application is typically where you go to determine the necessary depth of testing. Determining risk means asking questions such as: What data does the application manage? How much would a breach cost? What sort of service level agreements do you have with stakeholders? When planning for the depth of testing, it can be helpful to look at the specific assurances you would like to have about the application. Does it properly handle inputs that are passed to database SQL queries? Does it perform sufficient authorization checking in situations where the application accesses sensitive resources?

    Reply
  22. Tomi Engdahl says:

    Category:OWASP Application Security Verification Standard Project
    https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project

    The OWASP Application Security Verification Standard (ASVS) Project provides a basis for testing web application technical security controls and also provides developers with a list of requirements for secure development.

    The primary aim of the OWASP Application Security Verification Standard (ASVS) Project is to normalize the range in the coverage and level of rigor available in the market when it comes to performing Web application security verification using a commercially-workable open standard.

    Reply
  23. Tomi Engdahl says:

    Some examples that can provide insight into possible thought processes when evaluating testing strategies for specific applications are included below:

    • High-risk web application developed in house: Because you have access to the source code and both SAST and DAST tools that are well-suited to testing the application, use a combination of static and dynamic testing with both manual and automated components. Also consider annual 3rd party manual assessments to get an external opinion and access to testing techniques your in-house team might not have mastery of.

    • Lower-risk applications developed in house: Again, because you have access to both the source code and running environments, use either automated static or dynamic testing prior to each new release.

    • Mid-risk applications developed by third party: Due to the fact that you don’t have access to source code, but do have an internal pre-production environment, rely on vendor maturity representation and an annual dynamic assessment performed by a trusted 3rd party.

    • Developed by large packaged software vendor: Given that you currently have no budget to do independent in-depth research, rely on vendor vulnerability reports and use patch management practices to address risk.

    Source: http://www.securityweek.com/what-sort-testing-do-my-applications-need

    Reply
  24. Tomi Engdahl says:

    SAST and DAST: Part of a Balanced Software Security Initiative
    http://www.securityweek.com/sast-and-dast-part-balanced-software-security-initiative

    The truth is that, aside from tools, there are many types of application security testing (AST) that can be used to determine the vulnerabilities in software. Static (SAST) and dynamic (DAST) testing are the most established and widely used, but there are others. An accepted truth is that different types of tests will find different things. Business logic testing adds human security expertise to the process, finding vulnerabilities that automated scans may miss. So real accuracy – the balanced breakfast – is found in a combination of tools and human expertise.

    There’s more. You will also need training to educate the developers how to integrate security into their software development lifecycle (SDLC). You will likely want to put structure around your SSI activities. You will want metrics that show management progress and return on your software security spend.

    Like I said: there is no easy button. No neat box to rip open and pour out good software security. Your organization must make the commitment to taking your software security initiative (SSI) – a balanced breakfast – seriously.

    Reply
  25. Tomi Engdahl says:

    WordPress Sites Exposed to Attacks by ‘Formidable Forms’ Flaws
    http://www.securityweek.com/wordpress-sites-exposed-attacks-formidable-forms-flaws

    Vulnerabilities found by a researcher in a popular WordPress plugin can be exploited by malicious actors to gain access to sensitive data and take control of affected websites.

    Formidable Forms, available both for free and as a paid version that provides additional features, is a plugin that allows users to easily create contact pages, polls and surveys, and other types of forms. The plugin has more than 200,000 active installations.

    Jouko Pynnönen of Finland-based company Klikki Oy has analyzed the plugin and discovered several vulnerabilities, including ones that introduce serious security risks for the websites using it.

    The flaw with the highest severity is a blind SQL injection that can allow attackers to enumerate a website’s databases and obtain their content. Exposed data includes WordPress user credentials and data submitted to a website via Formidable forms.

    Reply
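    The Formidable Forms finding above, and the question in comment 21 about whether an application "properly handles inputs that are passed to database SQL queries", come down to the same pattern: a query assembled from request text. The following is an added example, not the plugin's code and not taken from the advisory; it is written in Python with sqlite3 rather than the plugin's PHP, and the table, column names and sample rows are constructed for illustration.

```python
# Added example (not the plugin's code): the class of bug behind the Formidable
# Forms finding, a query built by string concatenation, next to the
# parameterized form that fixes it. Uses sqlite3 with a constructed table so it
# runs offline; the schema and column names are assumptions.
import sqlite3
from typing import List, Tuple


def setup_db() -> sqlite3.Connection:
    """In-memory table standing in for a form-entries table (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE form_entries (id INTEGER PRIMARY KEY, form_id INTEGER, "
        "item_key TEXT, meta TEXT)"
    )
    conn.executemany(
        "INSERT INTO form_entries (form_id, item_key, meta) VALUES (?, ?, ?)",
        [(1, "contact-1", "name=alice"),
         (1, "contact-2", "name=bob"),
         (2, "survey-9", "answer=42")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, item_key: str) -> List[Tuple[int, str]]:
    """Pattern to avoid: request data is spliced into the SQL text, so a value
    that contains a quote rewrites the WHERE clause instead of being compared."""
    sql = "SELECT id, meta FROM form_entries WHERE item_key = '%s'" % item_key
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, item_key: str) -> List[Tuple[int, str]]:
    """Fix: a bound parameter is always data; the SQL text never changes.
    (In WordPress the equivalent is $wpdb->prepare() with %s placeholders.)"""
    sql = "SELECT id, meta FROM form_entries WHERE item_key = ?"
    return conn.execute(sql, (item_key,)).fetchall()


def demo() -> dict:
    conn = setup_db()
    # A value that is nonsense as a key but changes the query's logic when spliced in
    probe = "nope' OR 1=1 --"
    return {
        "vulnerable_rows": len(lookup_vulnerable(conn, probe)),  # whole table comes back
        "safe_rows": len(lookup_safe(conn, probe)),              # nothing matches
        "safe_exact": lookup_safe(conn, "contact-1"),            # normal lookup still works
    }


if __name__ == "__main__":
    print(demo())
```

    With the same input the string-built query returns every row while the parameterized one returns none, and the parameterized lookup still works for a legitimate key. The "blind" in the advisory only changes how the result is observed: when the page never echoes query output, an attacker reads true/false or timing differences one bit at a time, which is why such a bug still exposes credentials and submitted form data. The fix is the same either way: bind every request-derived value and never build SQL text from it.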
  26. Tomi Engdahl says:

    OnePlus responds to privacy fears after hacker mode found on its phones
    https://www.digitaltrends.com/mobile/oneplus-engineermode-news/

    A special app has been discovered installed on OnePlus smartphones that, in the hands of a skilled hacker, could allow unauthorized access to the entire device. The app, which is produced by Qualcomm, is known as EngineerMode, and is designed to assist with tests, fault finding, and other prerelease checks while the phone is at the factory. With some code and a password, however, hackers could treat EngineerMode as a “backdoor” to your phone, making it a serious security problem.

    EngineerMode has been found on the OnePlus 3, OnePlus 3T, and OnePlus 5 phones. Since the app became widely known, threads have appeared about it on OnePlus’s community forums.

    OnePlus responds to fears

    It’s not just OnePlus owners that may have phones with EngineerMode installed, as the Qualcomm tool is likely used by many manufacturers, and has already been found on smartphones produced by Xiaomi and Asus, according to Alderson’s Twitter feed. However, should you be concerned? Does EngineerMode pose a serious security risk?

    OnePlus has responded to the situation in a post on its community forums. A member of the OxygenOS — the name given to OnePlus’s version of Android — team wrote:

    “Yesterday, we received a lot of questions regarding an apk found in several devices, including our own, named EngineerMode, and we would like to explain what it is. EngineerMode is a diagnostic tool mainly used for factory production line functionality testing and after sales support.

    While we don’t see this as a major security issue, we understand that users may still have concerns and therefore we will remove the adb root function from EngineerMode in an upcoming OTA.”

    Reply
  27. Tomi Engdahl says:

    Jack Dorsey saddened by Japan’s ‘Twitter killer’
    http://www.bbc.com/news/technology-41997268

    Twitter’s chief executive has said a case in which an alleged serial killer is said to have lured victims by searching the social network for suicidal thoughts is “extremely sad”.

    Local reports claim Takahiro Shiraishi contacted his victims – the youngest of whom was 15 – via the social network by telling them he could help them die and in some cases claiming he would kill himself alongside them.

    Four days after his arrest, Twitter amended its rules to state members should not “promote or encourage suicide or self-harm”.

    Reply
  28. Tomi Engdahl says:

    High demand for Windows Movie Maker leads to a new scam
    https://mspoweruser.com/high-demand-for-windows-movie-maker-leads-to-a-new-scam/

    Microsoft launched Windows Movie Maker back in 2012 as a part of Windows Essentials package. The software has been helping amateur editors make videos since then. With the introduction of Story Remix and Movie Moments in Windows 10, Microsoft finally took out the download link for Windows Movie Maker from the official website.

    Unfortunate for Microsoft, users are still interested in the old simple but powerful editing application and don’t want to use the new apps.

    Seeing this, someone decided to take undue advantage and make a scam application which looks exactly like Windows Movie Maker but will ask you to pay $30 once you go and save the video. It has an official download website windows-movie-maker.org which appears on the top of the Google search results when users enter “movie maker” keywords.

    Anti-virus company ESET says Windows Movie Maker is the third biggest threat worldwide. Although the software doesn’t inject any code to hijack or encrypt the computer, it does strip the user of $30.

    Reply
  29. Tomi Engdahl says:

    Hardware-driven security in the hybrid cloud
    Chips to the rescue
    https://www.theregister.co.uk/2017/11/16/hardwaredriven_security_in_the_hybrid_cloud/

    Public cloud in particular presents a number of challenges for keeping data secure, largely because an organisation is effectively choosing to run workloads on infrastructure that it does not own or control. While an organisation can take steps to lock down its own systems and deploy tools to detect or prevent intrusion, there are limits on what a customer can do to the cloud provider’s infrastructure.

    Encryption of sensitive data is now routine both in the cloud and on-premise, but this largely protects data only when it is at rest, stored on disk. In order to be processed, it still has to be “in the clear” while in memory so that any required operation can be performed on it, whereupon it is vulnerable to being accessed by an attacker that may have compromised the system.

    In any case, industry experts have long realised that software only solutions simply will not cut the mustard, since they can ultimately be compromised or bypassed in some way. Instead, security needs to be rooted in hardware capabilities that cannot be altered or disabled by malicious code.

    There have already been attempts at building security into silicon. Intel platforms have had Trusted Execution Technology (TXT) for some time, while chips based on the ARM architecture have had its TrustZone technology for over a decade. Oracle also added Silicon Secured Memory (SSM) into its SPARC processors when the M7 was introduced.

    The main purpose of Intel TXT was and is to ensure a secure startup, verifying that low-level code such as an operating system kernel or hypervisor has not been compromised. But this is not a complete solution as it does not prevent malware or an attacker from compromising the system once it is up and running.

    No single security technology can ever be totally bulletproof.

    Reply
  30. Tomi Engdahl says:

    Feds Explain Their Software Bug Stash—But Don’t Erase Concerns
    https://www.wired.com/story/vulnerability-equity-process-charter-transparency-concerns/

    Governments rely on flaws in software, hardware, and encryption protocols for espionage and assorted intelligence gathering. And what makes that cyber-sneaking possible are technical flaws that governments find and keep to themselves. But in the United States, the practice of withholding vulnerabilities such that they can’t be fixed has drawn increasing controversy—especially because of real-world situations where secret government hacking tools have leaked and spread to devastating effect.

    Reply
  31. Tomi Engdahl says:

    Consumers Are Holding Off On Buying Smart-Home Gadgets Due To Security, Privacy Fears
    https://yro.slashdot.org/story/17/11/16/0125255/consumers-are-holding-off-on-buying-smart-home-gadgets-due-to-security-privacy-fears

    According to a new survey from consulting firm Deloitte, consumers are uneasy about being watched, listened to, or tracked by devices they place in their homes. The firm found that consumer interest in connected home technology lags behind their interest in other types of IoT devices. Business Insider reports:

    “Consumers are more open to, and interested in, the connected world,” the firm said in its report. Noting the concerns about smart home devices, it added: “But not all IoT is created equal.” Nearly 40% of those who participated in the survey said they were concerned about connected-home devices tracking their usage. More than 40% said they were worried that such gadgets would expose too much about their daily lives. Meanwhile, the vast majority of consumers think gadget makers weren’t doing a good job of telling them about security risks. Fewer than 20% of survey respondents said they were very well informed about such risks and almost 40% said they weren’t informed at all.

    Consumers are holding off on buying smart-home gadgets thanks to security and privacy fears
    http://nordic.businessinsider.com/consumers-holding-off-on-smart-home-gadgets-thanks-to-privacy-fears-2017-11?r=US&IR=T

    Consumers are more cautious about smart-home devices than other Internet of Things gadgets, a new survey found.
    Consumers’ hesitation about connected-home devices stems from concerns about privacy and security.
    Few of those surveyed felt gadget makers were doing a good job of informing them about the security risks posed by the devices.

    Reply
  32. Tomi Engdahl says:

    Kaspersky: Yes, we obtained NSA secrets. No, we didn’t help steal them
    Moscow-based AV provider challenges claims it helped Russian spies.
    https://arstechnica.com/information-technology/2017/11/kaspersky-yes-we-obtained-nsa-secrets-no-we-didnt-help-steal-them/

    For almost two months in 2014, servers belonging to Moscow-based Kaspersky Lab received confidential National Security Agency materials from a poorly secured computer located in the United States that stored the files, most likely in violation of US laws, company officials said.

    The classified source code, documents, and executable binaries were stored on a computer that used an IP address reserved for Verizon FIOS customers in Baltimore, about 20 miles from the NSA’s Fort Meade, Maryland, headquarters, Kaspersky Lab said in an investigation report it published early Thursday morning. Starting on September 11, 2014 and running until November 9 of that year, Kaspersky Lab servers downloaded the confidential files multiple times after the company’s antivirus software, which was installed on the machine, found they contained malicious code from Equation Group, an NSA-linked hacking group that operated for at least 14 years before Kaspersky exposed it in 2015.

    The downloads—which, like other AV software, the Kaspersky program automatically initiated when it encountered suspicious software that warranted further inspection—included a 45MB 7-Zip archive that contained source code, malicious executables, and four documents bearing US government classification markings. A company analyst who manually reviewed the archive quickly determined it contained confidential material. Within a few days and at the direction of CEO and founder Eugene Kaspersky, the company deleted all materials except for the malicious binaries. The company then created a special software tweak to prevent the 7-Zip file from being downloaded again.

    “The reason we deleted those files and will delete similar ones in the future is two-fold,” Kaspersky Lab officials wrote in Thursday’s report. “We don’t need anything other than malware binaries to improve protection of our customers and secondly, because of concerns regarding the handling of potential classified materials. Assuming that the markings were real, such information cannot and will not [be] consumed even to produce detection signatures based on descriptions.”

    Reply
  33. Tomi Engdahl says:

    The Brutal Fight to Mine Your Data and Sell It to Your Boss
    https://www.bloomberg.com/news/features/2017-11-15/the-brutal-fight-to-mine-your-data-and-sell-it-to-your-boss

    Silicon Valley makes billions of dollars peddling personal information, supported by an ecosystem of bit players. One of them, an upstart called HiQ, is going up against LinkedIn in a battle for your lucrative professional identity.

    Reply
  34. Tomi Engdahl says:

    There is already one billion older insecure Android phones

    It is well known that new updates come to Android phones on a very varied schedule. At the same time, there is a very wide range of devices on different versions. This has resulted in up to 1 billion insecure Android smartphones being in use.

    The big problem with development is that Google is forced to extend the upgrade support for the devices. This has been a big problem since the Android versions are well adapted to the specific range that manufacturers drive; operators do not want to develop ongoing up-to-date updates. Manufacturers and operators want users to buy a new phone.

    The latest Android version is 8.0 or Oreo. Its share of Android devices is currently 0.3 percent. The Nougat 7 version has been upgraded to every fifth Android phone on the market.

    Source: http://etn.fi/index.php?option=com_content&view=article&id=7173&via=n&datum=2017-11-16_15:01:34&mottagare=31202

    More: https://danluu.com/android-updates/

    Reply
  35. Tomi Engdahl says:

    The new MSc programme in Security and Cloud Computing (SECCLO) at Aalto University has received EUR 2.9 million in funding from the European Commission. It provides 61 two-year scholarships for Master’s students.

    Next year, SECCLO is the only Master’s programme coordinated by a Finnish university that was funded in 2017. A total of 122 programmes were submitted across Europe, and funding was allocated to 38 of them.

    The SECCLO programme prepares students for two challenges of modern information systems: cloud services and security. Cloud services are data-centered data processing, which enables the use of various services over the internet. Data security, in turn, is inseparably linked to all data processing, communication in data networks, and the storage and protection of data from unauthorized or criminal use.

    Source: http://etn.fi/index.php?option=com_content&view=article&id=7174&via=n&datum=2017-11-16_15:01:34&mottagare=31202

    Reply
  36. Tomi Engdahl says:

    The EU has estimated that the security industry will employ 350 thousand people in 2020. Finland would therefore need some 20,000 security professionals.

    Source: http://etn.fi/index.php?option=com_content&view=article&id=7174&via=n&datum=2017-11-16_15:01:34&mottagare=31202

    Reply
  37. Tomi Engdahl says:

    The Chinese MantisTek has some cool, flashing and customizable keyboards. Unfortunately, some analysts say that too many features have been added to the keyboard: it records the user’s keystrokes and sends them to a server.

    According to the Reddit site, the GK2 keyboard software code contains a component that stores keystrokes and sends data to an Alibaba server. Data is also sent unencrypted.

    Source: http://www.etn.fi/index.php/13-news/7180-kiinalaisnaeppaeimistoe-tallentaa-naeppaeilyt

    More:

    MantisTek GK2′s Keylogger Is A Warning Against Cheap Gadgets (Updated)
    http://www.tomshardware.com/news/mantistek-gk2-collects-typed-keys,35850.html

    Updated, 11/7/2017, 8:40am PT: An earlier version of the article stated that the keyboard’s software was sending key presses. However, in a closer look, it seems that the Cloud Driver software doesn’t send the key presses to the Alibaba server but only how many times each key has been pressed.

    Assuming no malicious intent, it’s possible that the keyboard maker wanted this sort of data in order to see the lifetime of its keyboard’s keys or see which keys it needs to make more durable. However, doing this sort of tracking without user permission still seems like a violation of user trust. It could also be a violation of privacy laws in the European Union, where such consent needs to be explicit.

    Reply
  38. Tomi Engdahl says:

    Security companies are looking for experts in an exceptional way – would you stop hackers in 48 hours?

    Cyber security needs much more expertise. Cisco estimates that there will be jobs available for up to one million experts in the world; according to Symantec, the figure is 1.5 million by 2019.

    As the need for information security workers grows, companies have developed a new way to find people who understand how cyber-security plays.

    Bloomberg reports that the non-profit organization Cyber Security Challenge UK, set up by the British state and supported by a number of companies, is hosting a number of online games that give amateur-like cyber-looking and white-hat players a look at their ability.

    The annual event was held for the first time in 2010 and has been a success. Cyber Security Challenge’s Subordinate and Temporary CEO Nigel Harrison says that 70 percent of the finals have been gained in the security industry over the next year.

    For example, Bloomberg provides the latest Cyber Security Challenge, which ran the first week of this week.

    42 players had 48 hours to find out how the hackers came in and kicked the labels into the field before they got caught up in Fast Freight’s business and economy.

    Source: http://www.tivi.fi/Kaikki_uutiset/kyberturvayhtiot-etsivat-osaajia-poikkeuksellisella-tavalla-saisitko-sina-pysaytettya-hakkerit-48-tunnissa-6687823

    More:
    Companies Turn to War Games to Spot Scarce Cybersecurity Talent
    Realistic scenarios help wannabe cybersecurity experts strut their stuff
    https://www.bloomberg.com/news/articles/2017-11-15/companies-turn-to-war-games-to-spot-scarce-cybersecurity-talent

    A major shipping company is under attack. With help from a corrupt executive, an international hacking syndicate called Scorpius, has penetrated the computer networks of Fast Freight Ltd. The hackers have taken control of servers and compromised the systems that control Fast Freight’s vessels and its portside machinery. The company’s cybersecurity consultants have 48 hours to uncover the breach and repulse the attackers before they cripple Fast Freight’s business and cause serious economic damage.

    It sounds like the plot to a blockbuster thriller. But this was the fictional scenario 42 budding computer security experts faced at the annual U.K. Cyber Security Challenge competition earlier this week in London. With demand for cybersecurity expertise exploding, but qualified people in short supply, war-gaming competitions like this have become key recruiting grounds for companies and government security agencies.

    “We want to find untapped talent to fill roles in our own operation and in the industry as a whole,”

    Reply
  39. Tomi Engdahl says:

    New “Quad9” DNS service blocks malicious domains for everyone
    https://arstechnica.com/information-technology/2017/11/new-quad9-dns-service-blocks-malicious-domains-for-everyone/

    Set DNS server to 9.9.9.9, and (known) malware and phishes won’t be able to phone home.

    Reply
  40. Tomi Engdahl says:

    Germany bans smartwatches for kids over spying concerns
    https://techcrunch.com/2017/11/17/germany-bans-smartwatches-for-kids-over-spying-concerns/?ncid=rss&utm_source=tcfbpage&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29&utm_content=FaceBook&sr_share=facebook

    Posted 9 hours ago by Brian Heater (@bheater)

    Germany’s Federal Network Agency (Bundesnetzagentur) issued a blanket ban on smartwatches aimed at children this week — and asked parents who’d already purchased such a device to destroy them, for good measure. The aggressive move is a response to growing privacy concerns surrounding devices aimed at minors.

    “Via an app, parents can use such children’s watches to listen unnoticed to the child’s environment and they are to be regarded as an unauthorized transmitting system,”

    Germany bans children’s smartwatches
    http://www.bbc.com/news/technology-42030109

    A German regulator has banned the sale of smartwatches aimed at children, describing them as spying devices.
    It had previously banned an internet-connected doll called, My Friend Cayla, for similar reasons.
    Telecoms regulator the Federal Network Agency urged parents who had such watches to destroy them.
    One expert said the decision could be a “game-changer” for internet-connected devices.
    “Poorly secured smart devices often allow for privacy invasion. That is really concerning when it comes to kids’ GPS tracking watches – the very watches that are supposed to help keep them safe,” said Ken Munro, a security expert at Pen Test Partners.

    Reply
  41. Tomi Engdahl says:

    Mike Masnick / Techdirt:
    US Defense Department’s Centcom found hosting at least 1.8B posts of scraped internet content from last 8 years on open AWS server — There are two big WTFs in this story. First, the Defense Department’s Central Command (Centcom) was collecting tons of data on social media posts …

    Defense Department Spied On Social Media, Left All Its Collected Data Exposed To Anyone
    https://www.techdirt.com/articles/20171117/10330438637/defense-department-spied-social-media-left-all-collected-data-exposed-to-anyone.shtml

    There are two big WTFs in this story. First, the Defense Department’s Central Command (Centcom) was collecting tons of data on social media posts… and then the bigger one, they somehow left all the data they collected open on an Amazon AWS server. This was discovered — as so many examples of careless data exposure on Amazon servers — by Chris Vickery and UpGuard, who have their own post about the mess. You may recall Vickery from such previous stories as when the GOP left personal data on 200 million voters on an open Amazon server. Or when Verizon left private data available on millions of customers. Or when a terrorist watch list was left (you guessed it) on an open server.

    Pentagon exposed some of its data on Amazon server
    http://money.cnn.com/2017/11/17/technology/centcom-data-exposed/index.html

    A researcher says the Pentagon exposed huge amounts of web-monitoring data in a security failure.

    Anyone with a free Amazon Web Services account could have looked at the hoard of information stored in the cloud by the U.S. Defense Department, according to Chris Vickery, a researcher at cybersecurity firm UpGuard who discovered the exposure.

    Amazon Web Services is a cloud platform that individuals, businesses and the government use for things like storing data and boosting computing power. Amazon said on its website it is best practice to restrict access to information stored in the cloud to “people that absolutely need it.”

    The military databases hold at least 1.8 billion internet posts scraped from social media, news sites, forums and other publicly available websites, Vickery told CNN Tech. The posts are in multiple languages and originate from countries across the world, including the United States.

    Reply
  42. Tomi Engdahl says:

    Dark Cloud: Inside The Pentagon’s Leaked Internet Surveillance Archive
    https://www.upguard.com/breaches/cloud-leak-centcom

    The UpGuard Cyber Risk Team can now disclose that three publicly downloadable cloud-based storage servers exposed a massive amount of data collected in apparent Department of Defense intelligence-gathering operations. The repositories appear to contain billions of public internet posts and news commentary scraped from the writings of many individuals from a broad array of countries, including the United States, by CENTCOM and PACOM, two Pentagon unified combatant commands charged with US military operations across the Middle East, Asia, and the South Pacific.

    The data exposed in one of the three buckets is estimated to contain at least 1.8 billion posts of scraped internet content over the past 8 years, including content captured from news sites, comment sections, web forums, and social media sites like Facebook, featuring multiple languages and originating from countries around the world. Among those are many apparently benign public internet and social media posts by Americans, collected in an apparent Pentagon intelligence-gathering operation, raising serious questions of privacy and civil liberties.

    as well as the origination of many of them from within the US, raises serious concerns about the extent and legality of known Pentagon surveillance against US citizens. In addition, it remains unclear why and for what reasons the data was accumulated, presenting the overwhelming likelihood that the majority of posts captured originate from law-abiding civilians across the world.

    With evidence that the software employed to create these data stores was built and operated by an apparently defunct private-sector government contractor named VendorX, this cloud leak is a striking illustration of just how damaging third-party vendor risk can be, capable of affecting even the highest echelons of the Pentagon. The poor CSTAR cyber risk scores of CENTCOM and PACOM – 542 and 409, respectively, out of a maximum of 950 – is a further indication that even the most sensitive intelligence organizations are not immune to sizable cyber risk. Finally, the collection of billions of internet posts in several unsecured data repositories raises further questions about online privacy, as well as regarding the right to freely express your beliefs online.

    On September 6th, 2017, UpGuard Director of Cyber Risk Research Chris Vickery discovered three Amazon Web Services S3 cloud storage buckets configured to allow any AWS global authenticated user to browse and download the contents; AWS accounts of this type can be acquired with a free sign-up.

    Taken together, this disparate collection of data appears to constitute an ingestion engine for the bulk collection of internet posts – organizing a mass quantity of data into a searchable form. The former employee’s reference to “high-risk youth in unstable regions of the world” is further corroborated by an examination of another folder within “centcom- backup.”

    The Significance

    The collection methods used to build these data stores remains somewhat murky, even as the general purpose of the mass collection seems clear, mirroring known US defense efforts to monitor the internet for violent radicalism. Why, for instance, were each of these posts collected? What triggered their inclusion in these repositories?

    Massive in scale, it is difficult to state exactly how or why these particular posts were collected over the course of almost a decade. Given the enormous size of these data stores, a cursory search reveals a number of foreign-sourced posts that either appear entirely benign, with no apparent ties to areas of concern for US intelligence agencies, or ones that originate from American citizens, including a vast quantity of Facebook and Twitter posts, some stating political opinions. Among the details collected are the web addresses of targeted posts, as well as other background details on the authors which provide further confirmation of their origins from American citizens.

    US: New Evidence Suggests Monitoring of Americans
    Documents Point to Warrantless Surveillance
    https://www.hrw.org/news/2017/10/25/us-new-evidence-suggests-monitoring-americans

    (New York) – Newly released documents reveal a US Defense Department policy that appears to authorize warrantless monitoring of US citizens and green-card holders whom the executive branch regards as “homegrown violent extremists,” Human Rights Watch said today. Separately, the documents also reinforce concerns that the government may be gathering very large amounts of data about US citizens and others without warrants. Both issues relate to a longstanding executive order that is shrouded in secrecy and should be a focus of congressional inquiry.

    Reply
  43. Tomi Engdahl says:

    Sean Gallagher / Ars Technica:
    Global Cyber Alliance, IBM, and Packet Clearing House launch free Quad9 DNS service that blocks malicious domains using consolidated threat intelligence

    New “Quad9” DNS service blocks malicious domains for everyone
    Set DNS server to 9.9.9.9, and (known) malware and phishes won’t be able to phone home.
    https://arstechnica.com/information-technology/2017/11/new-quad9-dns-service-blocks-malicious-domains-for-everyone/

    Reply
  44. Tomi Engdahl says:

    Some ‘security people are f*cking morons’ says Linus Torvalds
    Linux Lord fires up over proposal to secure Linux by shutting down wonky processes
    https://www.theregister.co.uk/2017/11/20/security_people_are_morons_says_linus_torvalds/

    Linux overlord Linus Torvalds has offered some very choice words about different approaches to security, during a discussion about whitelisting features proposed for version 4.15 of the Linux kernel.

    Torvalds’ ire was directed at open software aficionado and member of Google’s Pixel security team Kees Cook, who he has previously accused of idiocy.

    Torvalds’ response expressed his doubts that Kees’ contribution would be useful or had been well-tested. He therefore said “This merge window is not going to be one where I can take a leisurely look at something like this.”

    Torvalds then exploded.

    “So honestly, this is the kind of completely unacceptable ‘security person’ behavior that we had with the original user access hardening too, and made that much more painful than it ever should have been,” he opened.

    “IT IS NOT ACCEPTABLE when security people set magical new rules, and then make the kernel panic when those new rules are violated.”

    That was just Torvalds warming up, as next came “That is pure and utter bullshit. We’ve had more than a quarter century _without_ those rules, you don’t then suddenly walz [sic] in and say ‘oh, everbody [sic] must do this, and if you haven’t, we will kill the kernel’.”

    “The fact that you ‘introduced the fallback mode’ late in that series just shows HOW INCREDIBLY BROKEN the series started out.”

    Torvalds’ post explained his attitude to security, namely that “security problems are just bugs” rather than opportunities to change the way the kernel behaves.

    “The important part about ‘just bugs’ is that you need to understand that the patches you then introduce for things like hardening are primarly [sic] for DEBUGGING.”

    “I’m not at all interested in killing processes. The only process I’m interested in is the _development_ process, where we find bugs and fix them.”

    “Some security people have scoffed at me when I say that security problems are primarily ‘just bugs’.”

    “Those security people are f*cking morons.”

    He added that “I think the hardening project needs to really take a good look at itself in the mirror” and abandon a “kill on sight, ask questions later” mentality in favour of the following approach:

    Let’s warn about what looks dangerous, and maybe in a _year_ when we’ve warned for a long time, and we are confident that we’ve actually caught all the normal cases, _then_ we can start taking more drastic measures

    Reply
  45. Tomi Engdahl says:

    Shamed TLS/SSL cert authority StartCom to shut up shop
    Chairman tells El Reg nobody will even notice its passing
    https://www.theregister.co.uk/2017/11/17/battered_certificate_authority_startcom_shutters_the_doors/

    Controversial certificate authority StartCom is going out of business.

    Startcom board chairman Xiaosheng Tan told The Register the business will close its doors on January 1, 2018, at which point new certificates will no longer be issued.

    CRL and OCSP service will continue for two years from then, when StartCom’s three key root pairs will end.

    Startcom and Wosign certificates have been put on untrusted lists by the big browser firms including Mozilla, Apple, Google and Microsoft.

    Tan said the closing of certificates “would not have a major impact” because “the major browsers” already don’t trust StartCom certificates, and the two-year roll-out should “limit” any disturbance to certificate owners.

    Reply
  46. Tomi Engdahl says:

    Android Bug Lets Attackers Record Audio & Screen Activity on 3 of 4 Smartphones
    https://www.bleepingcomputer.com/news/security/android-bug-lets-attackers-record-audio-and-screen-activity-on-3-of-4-smartphones/

    Android smartphones running Lollipop, Marshmallow, and Nougat are vulnerable to an attack that exploits the MediaProjection service to capture the user’s screen and record system audio.

    Based on the market share of these distributions, around 77.5% of all Android devices are affected by this vulnerability.

    Vulnerability resides in Android MediaProjection service

    To blame is MediaProjection, an Android service that is capable of capturing screen contents and record system audio.

    This service existed in Android since its inception, but to use it, apps needed root access, and they had to be signed with the device’s release keys. This restricted the use of MediaProjection only to system-level apps deployed by Android OEMs.

    With the release of Android Lollipop (5.0), Google opened this service to anyone. The problem is that Google didn’t put this service behind a permission that apps could require from users.

    Sometime last winter, security researchers from MWR Labs discovered that an attacker could detect when this SystemUI popup would appear. By knowing when this popup appears, attackers could then trigger an arbitrary popup that showed on top of it and disguised its text with another message.

    The technique is called tap-jacking and has been used by Android malware devs for years.

    “The primary cause of this vulnerability is due to the fact that affected Android versions are unable to detect a partially obscured SystemUI pop-up,”

    Google patched bug in Android Oreo only

    Google has patched this vulnerability in the Android OS this fall, with the release of Android Oreo (8.0). Older Android versions remain vulnerable.

    However, researchers said the attack is not 100% silent, as the screencast icon will appear in the user’s notification bar whenever an attacker would be recording audio or capturing the screen.

    Reply
  47. Tomi Engdahl says:

    Huawei forcibly installed GoPro bloatware on unsuspecting users’ phones
    https://thenextweb.com/apps/2017/11/17/huawei-gopro-quik-user-phones/

    Huawei has been busted secretly installing bloatware on users’ phones without ever notifying them or asking for their consent. A number of Huawei customers have reported their phones have suddenly been equipped with GoPro’s Quik video editing app, Dutch outlet Android Planet reports.

    According to miffed users, Quik showed up on their handsets out of nowhere earlier this week.

    A spokesperson for Huawei Netherlands has confirmed the issue to Android Planet, claiming “the installation is the result of an internal error.” The company has since apologized for the inconvenience and says its developers are looking into the matter.

    A solution is already in the works, but users can also remove the app manually.

    Reply
  48. Tomi Engdahl says:

    Unprotected Pentagon Database Stored 1.8 Billion Internet Posts
    http://www.securityweek.com/unprotected-pentagon-database-stored-18-billion-internet-posts

    Researchers have found an unprotected database storing 1.8 billion posts collected from social media services, news websites and forums by a contractor for the U.S. Department of Defense.

    The data was discovered on September 6 by Chris Vickery, director of risk research at cyber resilience firm UpGuard, inside an AWS S3 storage bucket that was accessible to any user with an AWS account.

    Based on the names of the subdomains storing it, the information appears to have been collected for the U.S. Central Command (CENTCOM) and the U.S. Pacific Command (PACOM), unified combatant commands of the Department of Defense.

    Reply
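The CENTCOM buckets described in the two comments above were readable by any “AWS global authenticated user”, a grant that sits in the bucket’s ACL. The following audit script is an added example, not code from UpGuard or any of the quoted articles; it checks an ACL (in the dict shape boto3’s get_bucket_acl returns) for grants to the AllUsers and AuthenticatedUsers groups, runs it over a constructed sample ACL, and includes a helper that applies the same check across a live account if boto3 and credentials are available (assumed, not run on import).

```python
"""Audit S3 bucket ACLs for grants to the AWS-wide principal groups."""

# Group URIs as they appear in S3 ACL grants (these are the real URIs).
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
GLOBAL_GROUPS = {
    ALL_USERS: "anyone on the internet",
    AUTHENTICATED_USERS: "any AWS account holder (free sign-up)",
}


def find_global_grants(acl):
    """Return (who, permission) pairs for every grant to a global group.

    READ on a bucket lets the grantee list it; combined with object READ the
    whole contents can be downloaded, which is what happened here.
    """
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in GLOBAL_GROUPS:
            findings.append((GLOBAL_GROUPS[grantee["URI"]], grant["Permission"]))
    return findings


# Constructed sample ACL: owner keeps FULL_CONTROL, but READ is granted to the
# AuthenticatedUsers group. The owner ID is a placeholder, not a real account.
SAMPLE_ACL = {
    "Owner": {"ID": "PLACEHOLDER-CANONICAL-USER-ID"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "PLACEHOLDER-CANONICAL-USER-ID"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS},
         "Permission": "READ"},
    ],
}


def audit_live_buckets():
    """Apply the check to every bucket in the caller's account.

    Assumes boto3 is installed and credentials are configured; imported lazily
    so the rest of the module works offline. Remediation for a hit is to reset
    the ACL, e.g. s3.put_bucket_acl(Bucket=name, ACL="private").
    """
    import boto3
    s3 = boto3.client("s3")
    report = {}
    for bucket in s3.list_buckets()["Buckets"]:
        hits = find_global_grants(s3.get_bucket_acl(Bucket=bucket["Name"]))
        if hits:
            report[bucket["Name"]] = hits
    return report


if __name__ == "__main__":
    for who, permission in find_global_grants(SAMPLE_ACL):
        print(f"WARNING: {permission} granted to {who}")
```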
  49. Tomi Engdahl says:

    GitHub Warns Developers When Using Vulnerable Libraries
    http://www.securityweek.com/github-warns-developers-when-using-vulnerable-libraries

    Code hosting service GitHub now warns developers if certain software libraries used by their projects contain any known vulnerabilities and provides advice on how to address the issue.

    GitHub recently introduced the Dependency Graph, a feature in the Insights section that lists the libraries used by a project. The feature currently supports JavaScript and Ruby, and the company plans on adding support for Python next year.

    The new security feature added by GitHub is designed to alert developers when one of their project’s dependencies has known flaws. The Dependency graph and the security alerts feature have been automatically enabled for public repositories, but they are opt-in for private repositories.

    Introducing security alerts on GitHub
    https://github.com/blog/2470-introducing-security-alerts-on-github

    Last month, we made it easier for you to keep track of the projects your code depends on with the dependency graph, currently supported in Javascript and Ruby. Today, for the over 75 percent of GitHub projects that have dependencies, we’re helping you do more than see those important projects. With your dependency graph enabled, we’ll now notify you when we detect a vulnerability in one of your dependencies and suggest known fixes from the GitHub community.

    Reply
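The GitHub feature above reads a project’s lockfile, matches each pinned version against known advisories and suggests the fixed version. This is an added example of that matching logic for the Ruby side, not GitHub’s own implementation: it parses the top-level entries of a Gemfile.lock specs: block and compares them against a constructed advisory table (placeholder entries, not real advisories) keyed by the first patched version.

```python
"""Flag locked gem versions below the first patched version in an advisory list."""
import re

# Constructed Gemfile.lock excerpt: gems sit at 4-space indent under "specs:",
# their transitive dependencies at 6 spaces.
SAMPLE_LOCK = """GEM
  remote: https://rubygems.org/
  specs:
    nokogiri (1.8.0)
      mini_portile2 (~> 2.3.0)
    rack (1.6.5)
    rails-html-sanitizer (1.0.3)

PLATFORMS
  ruby
"""

# Constructed advisory table: gem -> (first patched version, note).
# Placeholder data for illustration only, not real advisories.
ADVISORIES = {
    "nokogiri": ("1.8.1", "example advisory, fixed in 1.8.1"),
    "rack": ("1.6.5", "example advisory, fixed in 1.6.5"),
}

SPEC_LINE = re.compile(r"^ {4}(\S+) \(([^)]+)\)$")


def version_key(version):
    """Sortable key: numeric parts compare as ints, pre-release tags as strings."""
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in version.split("."))


def parse_lock(text):
    """Return {gem: version} for the direct entries of the specs: block."""
    locked, in_specs = {}, False
    for line in text.splitlines():
        if line.strip() == "specs:":
            in_specs = True
            continue
        if in_specs and line.strip() == "":
            in_specs = False
        m = SPEC_LINE.match(line) if in_specs else None
        if m:
            locked[m.group(1)] = m.group(2)
    return locked


def vulnerable_gems(locked, advisories):
    """Return [(gem, locked_version, patched_version, note)] for affected gems."""
    hits = []
    for gem, version in locked.items():
        if gem in advisories:
            patched, note = advisories[gem]
            if version_key(version) < version_key(patched):
                hits.append((gem, version, patched, note))
    return hits


if __name__ == "__main__":
    for gem, have, fixed, note in vulnerable_gems(parse_lock(SAMPLE_LOCK), ADVISORIES):
        print(f"{gem} {have} is affected ({note}); upgrade to {fixed}")
```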
