Security trends 2017

Year 2017 will not bring any turn towards better data security. The internet is rife with both well-known and unknown threats, and companies’ systems are supposed to be protected against them. Hackers are going to continue to look for new ways to extort and steal information from businesses and organizations, which unfortunately means those businesses and organizations will have to continue to look for new ways to protect themselves.

Critical infrastructure comes under attack in 2017. Critical infrastructures must be better protected from criminals and terrorists who take advantage of modern technologies that are essential for the functioning of society and the economy. The IT security functions of industrial control systems (ICS), energy grids and IoT networks need to be improved in 2017.

There is a push for better web security in 2017. Starting New Year’s Day, Google’s Chrome will begin labeling as “insecure” all websites that transmit passwords or ask for credit card details over plain-text HTTP. Beginning in January 2017 (Chrome 56), HTTP sites that transmit passwords or credit cards are marked as non-secure, as part of a long-term plan to mark all HTTP sites as non-secure.

SHA-1 is insecure. Starting on Jan 1, 2017, most CAs will migrate to SHA-2 certificates, and major browser makers, including Microsoft, Google, and Mozilla, have already announced plans to adopt the change. Their browsers will no longer trust sites that use SHA-1 starting with that date, and they will mark these websites as insecure. One third of websites still use SHA-1 certificates despite the looming deadline. SHA-1 will still hang around, like a fart in a spacesuit, for many years to come because some people are lazy enough not to make the change.

There will be changes in how security is viewed in 2017 by businesses. We will likely see cloud adoption continue to grow across the United States, network visibility will no longer just be an option, AI and machine learning will shake old security models, and IoT-powered attacks will continue to rise. All of this will factor into how businesses set up, monitor and secure their networks.

The Commoditization of Cyberattacks Will Make Them More Frequent in 2017. More and more companies suffer disruption to business due to cyber attacks. Cyber-attacks cause companies significant financial losses, but studies show that companies are not prepared for attacks. According to Gartner, by 2018 only 40 per cent of large companies will have official plans in case of cyber attacks. Last year, the percentage was zero.

Strap yourself in for a bumpy ride in 2017. 2016 sucked. 2017 won’t be much better, sorry. DDoS attacks have been around since at least 2000, and they’re not going away. In fact, as the number of devices online grows, the volume and velocity of these attacks is also increasing. DDoS attack toolkits have been around for years, as have services that will enable you to pay for an attack. Expect to see more of them. It seems that 2017 promises to be the most dramatic year yet in DDoS conflict. Whale-sized DDoS attacks will increase, the IoT will become a bigger factor in DDoS, and DDoS will overshadow ransomware attacks and will be used for extortion. Expect to see the Internet of Things (IoT) and other connected devices play an important part in these attacks.

Biometric identification will become more common in 2017, but it will not replace passwords. Fingerprint identification has become increasingly common in smartphones, and the technology is already fast and reliable. This year biometric identification devices were sold for 4.5 billion dollars (most of them going into smart phones and laptops). 91 percent of biometric sales were fingerprint sensors, four per cent face detection and three per cent iris detection.

Biometrics Won’t Kill Passwords any time soon. Even though PIN codes and passwords are actually pretty lousy protection against a skilled cybercriminal, the password will never disappear entirely, as two per cent of the world’s population have fingerprints that are not suitable for a biometric identifier to work. Other biometric identification systems have similar limitations and/or are not yet commonly available at reasonable cost. While biometrics, including fingerprint, face, iris, palm and speech recognition, will continue to grow as a more secure substitute for passwords, they will not render passwords obsolete. Until the other biometrics become commonplace, passwords are here to stay, until circa 2030.

The fight over encryption and backdoors is not over in 2017. Many public figures in law enforcement have consistently argued that device encryption presents a new threat to police powers of investigation. On the other side, the House Judiciary Committee’s Encryption Working Group report says encryption backdoors pose a security threat, siding with tech experts. The problem is that any system allowing police to get into encrypted systems (be it a phone, a computer or communications) could also be exploited by criminals. Any action in this space should weigh any short-term benefits against the long-term impacts. Many industry experts will rightly tell you there is no such thing as partial data encryption. You either have a fully capable system or none at all.

Given the security events of 2016, coupled with the rapid advancements and adoption of cloud computing, 2017 will be the year in which many finally accept that network infrastructure and security will have to be rethought from the ground up. In 2017 the cloud will become a risk for users: the cloud is becoming insecure, with extortion and IoT openings.

The rivalry between network attacks and network security is accelerating. Crippling Internet services with denial of service attacks is becoming more common throughout the world. DDoS attacks have been around since at least 2000, and they’re not going away. In fact, as the number of devices online grows, the volume and velocity of these attacks is also increasing. IoT-powered attacks will continue to rise, and stopping an attack is not easy. For most companies the key thing is that the attack traffic is stopped before it reaches the company’s Internet connection or servers (which increases the need to use telecom operator and external services). In addition to service disruption, denial of service attacks are often used as a distraction during the actual data burglary. DDoS may take over from ransomware as a cause for concern.

In 2017 IT and security professionals will talk more about business risks. Historically, firewalls, DLP, antivirus, SIEM and other technical point solutions have been the centerpiece of security conversations, but the mindset is slowly shifting from technology to risk. The goal of stopping all attacks and preventing all business impact has been recognized as a fool’s errand, and has shifted to measuring risk and minimizing business impacts. Cyber security is increasingly being viewed as a risk management problem.

In 2017 ‘Security’ Must be Added to our Existing Ethical and Philosophic Concerns Over Artificial Intelligence and Algorithms. Algorithms will soon run the world. They present problems that are seriously questioned on both ethical and philosophic grounds, and they have become the basis of fictional Armageddons.

Cyber insurance will increasingly be thought of as one solution for handling cyber risks in 2017. The global cyber insurance market is expected to generate $14 billion by 2022, according to a new report published by Allied Market Research (AMR). That figure represents an impressive compound annual growth rate (CAGR) of nearly 28% from 2016 to 2022.

In 2017 Big Brother will be watching you 24/7. Those of you who’ve read George Orwell’s book 1984 or seen the movie will remember how the citizens of the fictitious totalitarian state of Oceania are constantly under surveillance by order of its dictator, Big Brother. So now swap your home desktop computer, laptop or smart phone for the fictitious telescreen: not only are you sitting in front of what is a modern-day version of the Big Brother telescreen, you are also walking around with one in your pocket or handbag. Sound a bit far-fetched to you? Well, it’s set to become a reality in many countries.

Users will want better security, or at least to feel more secure, in 2017. Many people are prepared to go to extremes for better security. According to a recent Harris Poll survey of over 2,000 adults, nearly 40% of Americans would give up sex for a year or eating their favourite food in exchange for better online security, if it meant they’d never have to worry about being hacked. When you consider that 87 percent of U.S. adults use the internet, it makes sense that cyber security is one of the biggest concerns today. The single biggest thing people can do to help keep their online identity safe is probably the easiest: a solid password, and not giving it to other people. Still, nearly 50% of people have shared a password to an e-mail account or to an account like Netflix.

Security Becomes A Multi-System Issue and more people are talking about it. Design teams will have to bake security strategies in from the start, no matter how insignificant the device. The good news is that more people are talking about the issue. The real challenge is packing enough security features into designs to prevent security breaches of every sort, including those that can come from other electronics that weren’t even considered as part of the design process. Just as devices get more sophisticated, so do hackers. The reality is that security breaches can even cause physical harm. It’s time to look at this at a multi-system, multi-disciplinary level. Otherwise, we literally could be playing with fire.

Blockchains have been a big trend for several years. The blockchain market is divided as 2017 starts. During autumn 2016, we saw a number of initiatives on cooperation between the financial sector and consulting companies. Microsoft has chosen the Ethereum blockchain as a platform and offers it in the Azure cloud service. IBM has jumped on the Hyperledger consortium bandwagon and offers its own blockchains in the Bluemix service. Google and Amazon still shine by their absence. Even banks may prefer to see the use of the cloud for blockchains.

 

Other prediction articles worth a look:

What Lies Ahead for Cybersecurity in 2017?

Network Infrastructure, Visibility and Security in 2017

DDoS in 2017: Strap yourself in for a bumpy ride

Cybersecurity Industry Outlook: 2017 to 2021 | CSO Online

IBM’s Cybersecurity Predictions for 2017 – eForensics

https://eforensicsmag.com/ibms-cybersecurity-predictions-2017/

Top 5 Cybersecurity Threats to Watch Out for in 2017

Experts Hopeful as Confidence in Risk Assessment Falls

 

 

3,151 Comments

  1. Tomi Engdahl says:

    Moxa NPort Devices Vulnerable to Remote Attacks
    http://www.securityweek.com/moxa-nport-devices-vulnerable-remote-attacks

    Hundreds of Moxa Devices Similar to Ones Targeted in Ukraine Power Grid Hack Vulnerable to Remote Attacks
    Firmware updates released by Moxa for some of its NPort serial device servers patch several high severity vulnerabilities that can be exploited remotely. These types of devices were targeted in the 2015 attack on Ukraine’s energy sector.
    According to an advisory published by ICS-CERT, the flaws affect NPort 5110 versions 2.2, 2.4, 2.6 and 2.7, NPort 5130 version 3.7 and prior, and NPort 5150 version 3.7 and prior. The security holes have been patched with the release of version 2.9 for NPort 5110 and version 3.8 for NPort 5130 and 5150.
    ICS-CERT said one of the vulnerabilities, CVE-2017-16719, allows an attacker to inject packets and disrupt the availability of the device. Another flaw, CVE-2017-16715, is related to the handling of Ethernet frame padding and it could lead to information disclosure, while the last issue, CVE-2017-14028, can be leveraged to cause memory exhaustion by sending a large amount of TCP SYN packets.
    Adamsky pointed out that in the 2015 attack on Ukraine’s power grid, which caused significant blackouts, the hackers targeted these types of devices in an effort to make them inoperable. A detailed research paper describing the vulnerabilities will be published at some point in the future.

    Reply
  2. Tomi Engdahl says:

    Drone Maker DJI, Researcher Quarrel Over Bug Bounty Program
    http://www.securityweek.com/drone-maker-dji-researcher-quarrel-over-bug-bounty-program

    China-based Da-Jiang Innovations (DJI), one of the world’s largest drone makers, has accused a researcher of accessing sensitive information without authorization after the expert bashed the company’s bug bounty program.

    DJI announced the launch of a bug bounty program in late August and offered between $100 and $30,000 for vulnerabilities that allow the creation of backdoors, and ones that expose sensitive customer information, source code or encryption keys.

    Bug bounty hunters started analyzing the company’s systems for vulnerabilities, but didn’t know exactly where to look for them as DJI had failed to clarify exactly which of its assets were in scope.

    Reply
  3. Tomi Engdahl says:

    Terdot Banking Trojan Could Act as Cyber-Espionage Tool
    http://www.securityweek.com/terdot-banking-trojan-could-act-cyber-espionage-tool

    The Terdot banking Trojan packs information-stealing capabilities that could easily turn it into a cyber-espionage tool, Bitdefender says in a new report.

    Highly customized and sophisticated, Terdot is based on the source code of ZeuS, which leaked online in 2011. The banking Trojan resurfaced in October last year and Bitdefender has been tracking its whereabouts ever since, the security company notes in a technical paper (PDF).

    https://www.bitdefender.com/files/News/CaseStudies/study/180/Bitdefender-Whitepaper-TERDOT-crea2079-A4-en-EN-print.pdf

    Reply
  4. Tomi Engdahl says:

    We Need More Girl Scouts and Analytics
    http://www.securityweek.com/we-need-more-girl-scouts-and-analytics

    New Strategies Must be Put Into Action to Deal With the Imbalance of Cybersecurity Resources

    Globally, two-thirds of organizations admit to a lack of cybersecurity expertise. ISACA predicts a 2 million cybersecurity worker shortfall by 2019. While this has created tremendous growth in cybersecurity training, the growth in attacks seems to always outpace our ability to defend. The cybersecurity community needs to identify where untapped resources exist in order to move beyond traditional industry practices and contend with this imbalance.

    Strategy #1 – Recruit more women
    Strategy #2 – Expand the use of security analytics

    Reply
  5. Tomi Engdahl says:

    “A new back door” – every company’s mobile devices have been attacked

    “Mobile attacks have overtaken attacks on PC machines both in number and in the amount of financial losses this year. Mobile devices are new security doors for cyber criminals,” said Michael Shaulov, mobile security and cloud security officer at Check Point.

    Check Point followed the phone security of over 850 major companies for a year. During that time, each of them was subjected to some sort of attack.

    During the year, 54 mobile security threats were detected on average by businesses. These are referred to as man-in-the-middle attacks, in which a mobile device was accessed via a wireless local area network. Perhaps 89 per cent of the attempts were at least one such attack.

    Source: http://www.tivi.fi/Kaikki_uutiset/uusi-takaovi-jokaisen-yrityksen-mobiililaitteisiin-hyokatty-6688073

    Reply
  6. Tomi Engdahl says:

    IoT is growing rapidly: specialization, clouds and bigger cyber risks

    The pace of rapid growth will move from next year’s experimental stage to the scale of genuine business. The Internet of Things specializes, utilizes more clouds – and suffers from bigger cybersprints.

    The research house Forrester tries to answer many of the interesting questions about the future of the Internet of Things in the short term. In the Predictions 2018: IoT Moves From Experimentation To Business Scale report published last week, Forrester raises a number of important and interesting issues alongside the huge growth rate and growing importance of the IoT.

    IoT specializes ever further

    In the coming year, IoT will develop towards the specialty areas developed for different industries. Such ‘design and operate’ activities allow developers to focus on the different needs of industries and users.

    As iot grows as an industry at an explosive rate, the benefits of the magnitude are also achieved more quickly in narrow sectors. Besides, iot services customers want products that fit their needs, so specializing in the Internet of Things

    The information monsters are always in the wake

    Integrating the objects into the public cloud raises concerns about security at increasingly new levels. This is also foretold by Forrester, according to which more and more disastrous cybercaps will increase as iot grows. Next year, information holes will be reported more than the end of the year.

    In general, a very pessimistic view is that more successful cybercrime is implemented through both combined devices and data networks. In its second projection, the cybercrime report, Forrester expects the money to ignore all the other causes of iot attacks. Thus, companies should be protected, especially from tightening programs.

    All in all, the future of iot is associated with myriad controversies that all run around connected devices, networks, and security.

    Experts warn that companies will swoop on the Internet of things too quickly and without thinking at all about the security of their networks and the deep vulnerabilities of their systems.

    Source: http://www.tivi.fi/CIO/iot-kasvaa-vauhdilla-erikoistumista-pilvea-ja-entista-isommat-kyberriskit-6688212

    Reply
  7. Tomi Engdahl says:

    Nokia has released its Threat Intelligence Report describing vulnerabilities in the network for the first three quarters of the year. Two findings emerge: first, cyber threats move to fixed mobile networks, and second, Android’s share of malware is significant.

    On the basis of a network analysis, 0.68 percent of the mobile devices connected to the operators in the network are somewhat polluted. Smartphones account for 72 percent of these devices, the rest are moped or shared PCs connected to the network through a shared Internet connection.

    The majority of smartphones are Android devices. According to Nokia, this is not the case with Google, which has done a great deal of work in cleaning the Play Store applications. On the other hand, many apps are downloading loads of apps that involve the disadvantages. For example, users download apps mostly from other stores: Google Play is the tenth most popular application store.

    Even at the beginning of 2013, Windows accounted for 65% of Nokia’s report. Now it has fallen slightly below a third.

    According to Nokia, this is explained by the fact that cyberbands are increasingly focusing on smart phones and IoT devices. Traditional PCs lose their mark all the time, as their number does not really grow.

    Source: http://www.etn.fi/index.php/13-news/7189-nokia-android-pahin-saastuttaja

    Reply
  8. Tomi Engdahl says:

    Avast bundles CCleaner with Avast Free Antivirus
    https://www.ghacks.net/2017/11/19/avast-bundles-ccleaner-with-avast-free-antivirus/

    Avast acquired Piriform, the maker of CCleaner and other popular programs, in July 2017. The Czech security company is known for its line of free and commercial security products for Windows and other operating systems, and for acquiring the security company AVG in a billion Dollar deal.

    Piriform released CCleaner more than a decade ago, and the program grew quickly to become one of the most popular cleaning programs for Windows. The company’s infrastructure was compromised in September, and a malicious version of CCleaner was distributed from company servers for about a month as a consequence.

    Avast did hint at synergies however in the acquisition announcement but did not reveal more than that back then.

    If you have downloaded and installed CCleaner on Windows recently — the free version of the program that comes with an installer will do — you may have identified one of the synergies already.

    Reply
  9. Tomi Engdahl says:

    Intel Chip Flaws Leave Millions of Devices Exposed
    https://www.wired.com/story/intel-management-engine-vulnerabilities-pcs-servers-iot/

    Security researchers have raised the alarm for years about the Intel remote administration feature known as the Management Engine. The platform has a lot of useful features for IT managers, but it requires deep system access that offers a tempting target for attackers; compromising the Management Engine could lead to full control of a given computer. Now, after several research groups have uncovered ME bugs, Intel has confirmed that those worst-case fears may be possible.

    On Monday, the chipmaker released a security advisory that lists new vulnerabilities in ME, as well as bugs in the remote server management tool Server Platform Services, and Intel’s hardware authentication tool Trusted Execution Engine. Intel found the vulnerabilities after conducting a security audit spurred by recent research.

    Intel finds critical holes in secret Management Engine hidden in tons of desktop, server chipsets
    Bugs can be exploited to extract info, potentially insert rootkits
    https://www.theregister.co.uk/2017/11/20/intel_flags_firmware_flaws/

    Intel today admitted its Management Engine (ME), Server Platform Services (SPS), and Trusted Execution Engine (TXE) are vulnerable to multiple worrying security flaws, based on the findings of external security experts.

    The firmware-level bugs allow logged-in administrators, and malicious or hijacked high-privilege processes, to run code beneath the operating system to spy on or meddle with the computer completely out of sight of other users and admins. The holes can also be exploited by network administrators, or people masquerading as admins, to remotely infect machines with spyware and invisible rootkits, potentially.

    In short, a huge amount of Intel silicon is secretly running code that is buggy and exploitable by attackers and malware to fully and silently compromise computers. The processor chipsets affected by the flaws are as follows:

    6th, 7th and 8th Generation Intel Core processors
    Intel Xeon E3-1200 v5 and v6 processors
    Intel Xeon Scalable processors
    Intel Xeon W processors
    Intel Atom C3000 processors
    Apollo Lake Intel Atom E3900 series
    Apollo Lake Intel Pentiums
    Celeron N and J series processors

    The Management Engine is a barely documented black box. It has its own CPU and its own operating system – recently, an x86 Quark core and MINIX – that has complete control over the machine, and it functions below and out of sight of the installed operating system and any hypervisors or antivirus tools present.

    It is designed to allow network administrators to remotely or locally log into a server or workstation, and fix up any errors, reinstall the OS, take over the desktop, and so on, which is handy if the box is so messed up it can’t even boot properly.

    The flaws, according to Intel, could allow an attacker to impersonate the ME, SPS or TXE mechanisms, thereby invalidating local security features; “load and execute arbitrary code outside the visibility of the user and operating system”; and crash affected systems. The severity of the vulnerabilities is mitigated by the fact that most of them require local access, either as an administrator or less privileged user; the rest require you to access the management features as an authenticated sysadmin.

    Intel advises Microsoft and Linux users to download and run the Intel-SA-00086 detection tool to determine whether their systems are vulnerable to the above bugs. If you are at risk, you must obtain and install firmware updates from your computer’s manufacturer, if and when they become available. The new code was developed by Intel, but it needs to be cryptographically signed by individual hardware vendors in order for it to be accepted and installed by the engine.

    Reply
  10. Tomi Engdahl says:

    Over 400 of the World’s Most Popular Websites Record Your Every Keystroke
    https://yro.slashdot.org/story/17/11/20/2235241/over-400-of-the-worlds-most-popular-websites-record-your-every-keystroke

    The idea of websites tracking users isn’t new, but research from Princeton University released last week indicates that online tracking is far more invasive than most users understand. In the first installment of a series titled “No Boundaries,” three researchers from Princeton’s Center for Information Technology Policy (CITP) explain how third-party scripts that run on many of the world’s most popular websites track your every keystroke and then send that information to a third-party server. Some highly-trafficked sites run software that records every time you click and every word you type. If you go to a website, begin to fill out a form, and then abandon it, every letter you entered in is still recorded, according to the researchers’ findings. If you accidentally paste something into a form that was copied to your clipboard, it’s also recorded. These scripts, or bits of code that websites run, are called “session replay” scripts.

    Over 400 of the World’s Most Popular Websites Record Your Every Keystroke, Princeton Researchers Find
    https://motherboard.vice.com/en_us/article/59yexk/princeton-study-session-replay-scripts-tracking-you

    “Session replay scripts” can be used to log (and then playback) everything you typed or clicked on a website.

    It’s difficult for the user to understand what’s happening “unless you dug deep into the privacy policy,” Steve Englehardt, one of the researchers behind the study, told me over the phone. “I’m just happy that users will be made aware of it.”

    Reply
  11. Tomi Engdahl says:

    Why hackers reuse malware
    https://www.helpnetsecurity.com/2017/11/20/hackers-reuse-malware/

    Software developers love to reuse code wherever possible, and hackers are no exception. While we often think of different malware strains as separate entities, the reality is that most new malware recycles large chunks of source code from existing malware with some changes and additions (possibly taken from other publically released vulnerabilities and tools).

    This approach makes sense. Why reinvent the wheel when another author already created a working solution? While code reuse in malware can make signature-based detection methods more effective in certain cases, more often than not it frees up time for attackers to do additional work on detection avoidance and attack efficacy – which can create a more dangerous final product.

    There are multiple reasons why hackers reuse code when developing their own malware. First, it saves time. By copying code wherever possible, malware authors have more time to focus on other areas, like detection avoidance and attribution masking. In some cases, there may be only one way to successfully accomplish a task, such as exploiting a vulnerability. In these instances, code reuse is a no-brainer.

    Hackers also tend to reuse effective tactics such as social engineering, malicious macros and spear phishing whenever possible simply because they have a high rate of success.

    Reply
  12. Tomi Engdahl says:

    Another Tor Browser Feature Makes It Into Firefox: First-Party Isolation
    https://www.bleepingcomputer.com/news/software/another-tor-browser-feature-makes-it-into-firefox-first-party-isolation/

    Unbeknown to most users, Mozilla added a privacy-enhancing feature to the Firefox browser over the summer that can help users block online advertisers from tracking them across the Internet.

    The feature is named First-Party Isolation (FPI) and was silently added to the Firefox browser in August, with the release of Firefox 55.
    What is First-Party Isolation

    FPI works by separating cookies on a per-domain basis. This is important because most online advertisers drop a cookie on the user’s computer for each site the user visits and the advertisers loads an ad.

    With FPI enabled, the ad tracker won’t be able to see all the cookies it dropped on that user’s PC, but only the cookie created for the domain the user is currently viewing.

    This will force the ad tracker to create a new user profile for each site the user visits and the advertiser won’t be able to aggregate these cookies and the user’s browsing history into one big fat profile.

    Feature borrowed from the Tor Browser

    This feature was first implemented in the Tor Browser, a privacy-focused fork of the Firefox browser managed by the Tor Project, where it is known as Cross-Origin Identifier Unlinkability.

    Reply
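The per-site cookie keying described in the comment above, as an added simulation that is not Mozilla's or the Tor Project's code: a small cookie jar keyed either by cookie host alone (classic) or by the pair of first-party site and cookie host (FPI), with a constructed third-party tracker host and constructed site names trying to link one visitor across sites.

```python
"""Simulation of First-Party Isolation (FPI) cookie keying.

Added example, not browser code. The tracker host, site names and the
visit sequence are constructed. The point shown: with FPI the tracker's
cookie is partitioned per top-level site, so it sees a fresh visitor id
on every site and cannot aggregate the browsing history into one profile.
"""
from dataclasses import dataclass, field
import itertools

TRACKER = "ads.tracker.example"  # constructed third-party ad host


@dataclass
class CookieJar:
    first_party_isolation: bool
    _store: dict = field(default_factory=dict)

    def _key(self, first_party, cookie_host):
        if self.first_party_isolation:
            # FPI: the same tracker host gets a separate cookie bucket per top-level site
            return (first_party, cookie_host)
        # Classic behaviour: one bucket per cookie host, shared across all sites
        return cookie_host

    def get(self, first_party, cookie_host, name):
        return self._store.get(self._key(first_party, cookie_host), {}).get(name)

    def set(self, first_party, cookie_host, name, value):
        self._store.setdefault(self._key(first_party, cookie_host), {})[name] = value


class Tracker:
    """Third-party ad server embedded on many sites.

    Assigns a visitor id cookie on first sight and reuses it afterwards,
    recording which first-party sites each visitor id was seen on.
    """

    def __init__(self):
        self._ids = itertools.count(1)
        self.profiles = {}  # visitor id -> set of first-party sites

    def serve_ad(self, jar, first_party):
        vid = jar.get(first_party, TRACKER, "vid")
        if vid is None:
            vid = f"visitor-{next(self._ids)}"
            jar.set(first_party, TRACKER, "vid", vid)
        self.profiles.setdefault(vid, set()).add(first_party)
        return vid


def browse(first_party_isolation, sites):
    """Visit each site in order (each embeds the tracker); return the tracker's profiles."""
    jar = CookieJar(first_party_isolation)
    tracker = Tracker()
    for site in sites:
        jar.set(site, site, "session", f"sess-{site}")  # the site's own first-party cookie
        tracker.serve_ad(jar, site)
    return tracker.profiles


if __name__ == "__main__":
    visits = ["news.example", "shop.example", "news.example"]
    print("classic:", browse(False, visits))  # one id linked to both sites
    print("FPI:    ", browse(True, visits))   # one id per site, revisit still recognised
```

Note that the revisit to the first site still yields the same id under FPI: the cookie persists, it is just confined to that site's partition.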
  13. Tomi Engdahl says:

    Be careful in Amazon S3 service or…

    Amazon’s S3-related data leaks have been growing in public. S3 is a data warehouse service that is by default closed and requires login. However, it can be easily opened so that it works as a regular web server. In this case, the content uploaded to the repository will be visible to everyone who can guess the correct url address.

    These cases give you a glimpse into how security issues are changing to something different than before. Challenges no longer relate to installing and updating operating systems, but to cloud computing configurations. There is nothing wrong with the S3 service, but it needs to be configured correctly.

    Pilot applications are now being built by multifolders and not everyone has the long experience of security. In a hurry, quick solutions can be made, which may come later. For example, you can open the S3-exported content to the world, making it easy to make links to files, but forgetting the other consequences.

    It is difficult to secure the security of the customer’s role. However, at least you can always ask the system vendor for an explanation of how security has been taken into account. Amazon and other cloud computing providers will publish their own guidelines on best practices in information security. A qualified provider knows them and can answer whether the built-in system complies with them.

    Cloud computing itself has some functionality to ensure security but does not cover all needs. Third party services are also needed.

    For example, there would be a need for a service that would scan through micro services and avoid the obsolete components used in them. Nowadays, micro services are easily left in the cloud to rotate forever and component versions are never upgraded. For devops, it is natural to react reactively. Troubleshooting and alarms are being investigated, but active updating of old services may be forgotten when no one is notified.

    The management of new server-free cloud systems is fortunately many orders of magnitude simpler than before.

    A kind of egg-chicken challenge is that automated security systems themselves must be allowed to access a bit everywhere. If someone succeeds in hacking such a system, he can access it everywhere. Surveillance systems must therefore be able to control themselves and rely on them.

    Fortunately, the data protection regulation of the EU has made it increasingly possible to protect data stored in cloud services on a separate encryption layer. The cryptographic layer reminds us that good information security is always based on multi-layer.

    Everything about concealing information is one of the big trends in the coming years. So far, it has been customary to take care of the encryption of passwords and web traffic. In the future, encryption will extend to all data both in motion and at rest. If possible, encryption must already take place in the end-user terminal, but at the latest it will be done in the cloud.

    Source: http://www.tivi.fi/blogit/s3-palvelun-kanssa-saa-olla-tarkkana-tai-voi-kayda-huonosti-6688294

    Reply
  14. Tomi Engdahl says:

    Nokia Threat Intelligence Report 2017
    https://pages.nokia.com/18259.threat.intelligence.report.lp.html

    Cybercriminals unleash ransomware worms and shift focus to smartphones and IoT devices

    The Nokia Threat Intelligence Report examines malware infections found in mobile and fixed networks worldwide. It provides analysis of data gathered from more than 100 million devices by the Nokia NetGuard Endpoint Security solution.

    Reply
  15. Tomi Engdahl says:

    Four Hidden Costs and Risks of Sudo Can Lead to Cybersecurity Risks and Compliance Problems on Unix and Linux Servers
    http://www.linuxjournal.com/content/four-hidden-costs-and-risks-sudo-can-lead-cybersecurity-risks-and-compliance-problems-unix-a


    Administrative Costs
    There are several hidden administrative costs in using sudo for Unix and Linux privilege management. For example, with sudo, you also need to run a third-party automation management system (like CFEngine or Puppet) plus third party authentication modules on the box. And, if you plan to externalize the box at all, you’re going to have to replace sudo with that supplier’s version of sudo. So, you end up maintaining sudo, a third-party management system, a third-party automation system, and may have to replace it all if you want to authenticate against something external to the box. A commercial solution would help to consolidate this functionality and simplify the overall management of Unix and Linux servers.

    Another complexity with sudo is that everything is local, meaning it can be extremely time-consuming to manage as environments grow.

    Unix and Linux systems by their very nature are decentralized, so managing each host separately leads to administrative costs and inefficiencies which in turn leads to risks. A commercial solution centralizes management and policy development across all hosts, introducing enterprise level consistency and best practices to a privileged access management program.

    Forensics & Audit Risks
    Administrative costs aside, let’s look at the risks associated with not being able to produce log data for forensic investigations. Why is this a challenge for sudo? The sudo package is installed locally on individual servers, and configuration files are maintained on each server individually. There are some tools such as Puppet or Chef that can monitor these files for changes, and replace files with known good copies when a change is detected, but those tools only work after a change takes place. These tools usually operate on a schedule, often checking once or twice per day, so if a system is compromised, or authorization files are changed, it may be several hours before the system is restored to a known good state. The question is, what can happen in those hours?

    There is currently no keystroke logging within sudo, and since any logs of sudo activity are stored locally on servers, they can be tampered with by savvy administrators. Event logs are typically collected with normal system logs, but once again, this requires additional configuration and management of these tools.

    With sudo, there is no log integrity – no chain of custody on logs – meaning logs can’t be non-repudiated and therefore can’t be used in legal proceedings in most jurisdictions. This is a significant risk to organizations, especially in criminal prosecution, termination, or other disciplinary actions. Third-party commercial solutions’ logs are tamper-proof, which is just not possible with sudo.

    Large organizations typically collect a tremendous amount of data, including system logs, access information, and other system information from all their systems. This data is then sent to a SIEM for analytics, and reporting. SIEM tools do not usually deliver real-time alerting when uncharacteristic events happen on systems, and often configuration of events is difficult and time consuming.

    Correlating log activity with other data to determine a broader pattern of abuse is also impossible with sudo. Commercial solutions gather logs into one place with searchable indices. Some commercial solutions even correlate this log data against other sources to identify uncharacteristic behavior that could be a warning that a serious security issue is afoot. Commercial solutions therefore provide greater forensic benefits than sudo.

    Business Continuity Risks
    Sudo is open source. There is no indemnification if there is a critical error. Also, there is no rollback with sudo, so there is always the chance that mistakes will bring an entire system down with no one to call for support. Sure, it is possible to centralize sudo through a third-party tool such as Puppet or CFEngine, but you still end up managing multiple files across multiple groups of systems manually (or managed as one huge policy).

    Lack of Enterprise Support
    Since sudo is an open source package, there is no official service level for when packages must be updated to respond to identified security flaws, or vulnerabilities. By mid-2017, there have already been two vulnerabilities identified in sudo with a CVSS score greater than six (CVE Sudo Vulnerabilities). Over the past several years, there have been a number of vulnerabilities discovered in sudo that took as many as three years to patch (CVE-2013-2776, CVE-2013-2777, CVE-2013-1776). The question here is, what exploits have been used in the past several months or years? A commercial solution that replaces sudo would eliminate this problem.

    Ten Questions to Measure Risk in Your Unix and Linux Environment

    In balancing costs vs. an acceptable level of risk to your Unix and Linux environment, consider these 10 questions:
    1. How much time are Unix/Linux admins spending just trying to keep up? Can your organization benefit from automation?
    2. Are you able to keep up with the different platform and version changes to your Unix/Linux systems?
    3. As you grow and more hosts are added, how much more time will admins need to keep up with policy? Is adding personnel an option?
    4. What about consistency across systems? Modifying individual sudoers files with multiple admins makes that very difficult. Wouldn’t systems become siloed if not consistently managed?
    5. What happens when you bring in new or different Linux or Unix platforms? How will that complicate the management of the environment?
    6. How critical is it for compliance or legal purposes to know whether a policy file or log has been tampered with?
    7. Do you have a way to verify that the sudoers file hasn’t been modified without permission?
    8. How do you know what admins actually did once they became root? Do you have a command history for their activity?
    9. What would it cost the business if a mission-critical Unix/Linux host goes down? With sudo, how quickly could the team troubleshoot and fix the problem?
    10. Can you demonstrate to the board that you have a backup if there is a significant outage?

    Benefits of Using a Commercial Solution
    Although they come at a higher cost than free open source solutions, commercial solutions provide an effective way to mitigate the general issues related to sudo. Solutions that offer centralized management ease the pressure of monitoring and maintaining remote systems; centralized logging of events and keystroke recording are the cornerstone of audit expectations for most enterprises.

    Reply
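The article above raises two concrete gaps: sudo's local logs can be rewritten by the very administrators they record, and a sudoers change may go unnoticed until the next scheduled configuration sweep. The following is an added example (not code from the Linux Journal article or from the sudo project) showing the defensive pattern a log collector can apply: each sudo record is chained with an HMAC over the previous tag, so an edited, dropped or truncated record is detectable, and the sudoers file is compared against a baseline digest kept off-box. The HMAC key, the sample syslog lines and the sudoers content are constructed for the demo; `SENSITIVE_PATHS` is a hypothetical watch list, not a sudo feature.

```python
"""Tamper-evident sudo activity records and a sudoers baseline check.

Added example, not code from the Linux Journal article or from the sudo project.
The HMAC key, the log lines and the baseline file content are constructed for the demo;
in a deployment the key and the chain head would be held off-box (e.g. on the log collector).
"""
import hashlib
import hmac
import re
from typing import Dict, List, Optional

# Constructed sample lines in the format sudo writes to syslog (auth.log).
SAMPLE_SUDO_LOG = [
    "Nov 21 10:00:01 web01 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/systemctl restart nginx",
    "Nov 21 10:05:42 web01 sudo:   bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/vi /etc/sudoers",
    "Nov 21 10:06:10 web01 sudo:   bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/rm /var/log/auth.log",
]

SUDO_RE = re.compile(r"sudo:\s+(?P<user>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")

# Hypothetical watch list: commands touching these paths should alert immediately,
# not wait for a once-a-day configuration management sweep.
SENSITIVE_PATHS = ("/etc/sudoers", "/etc/pam.d", "/var/log/")

GENESIS = b"\x00" * 32  # chain head before any record exists


def parse_sudo_line(line: str) -> Optional[Dict[str, str]]:
    """Extract invoking user, target user and command from one sudo syslog line."""
    m = SUDO_RE.search(line)
    if not m:
        return None
    return {"user": m.group("user"), "target": m.group("target"), "cmd": m.group("cmd"), "raw": line}


def flag_sensitive(entry: Dict[str, str]) -> bool:
    """True when the command touches sudoers, PAM config or the logs themselves."""
    return any(p in entry["cmd"] for p in SENSITIVE_PATHS)


class ChainedLog:
    """Append-only log where each record's tag is HMAC(key, previous_tag || line)."""

    def __init__(self, key: bytes):
        self.key = key
        self.records: List[Dict[str, str]] = []
        self._head = GENESIS

    def append(self, line: str) -> None:
        tag = hmac.new(self.key, self._head + line.encode(), hashlib.sha256).digest()
        self.records.append({"line": line, "prev": self._head.hex(), "tag": tag.hex()})
        self._head = tag

    def head(self) -> str:
        """Current chain head; store it off-box so truncation of the tail is detectable."""
        return self._head.hex()


def build_chain(lines: List[str], key: bytes) -> ChainedLog:
    log = ChainedLog(key)
    for line in lines:
        log.append(line)
    return log


def verify_chain(records: List[Dict[str, str]], key: bytes, expected_head: str) -> Optional[int]:
    """Return the index of the first bad record, len(records) if the tail was cut, or None if intact."""
    prev = GENESIS
    for i, rec in enumerate(records):
        if rec["prev"] != prev.hex():
            return i
        tag = hmac.new(key, prev + rec["line"].encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(tag.hex(), rec["tag"]):
            return i
        prev = tag
    if not hmac.compare_digest(prev.hex(), expected_head):
        return len(records)
    return None


def sudoers_digest(content: bytes) -> str:
    """Baseline for /etc/sudoers; keep the digest somewhere the host's admins cannot rewrite."""
    return hashlib.sha256(content).hexdigest()


def sudoers_changed(content: bytes, baseline: str) -> bool:
    return not hmac.compare_digest(sudoers_digest(content), baseline)


if __name__ == "__main__":
    key = b"constructed-demo-key"
    log = build_chain(SAMPLE_SUDO_LOG, key)
    for rec in log.records:
        entry = parse_sudo_line(rec["line"])
        print(("ALERT " if flag_sensitive(entry) else "      ") + entry["user"] + " -> " + entry["cmd"])
    print("chain intact:", verify_chain(log.records, key, log.head()) is None)
```

The chain only proves anything if the key and the latest head live where the monitored host's root cannot reach them (a log collector or HSM); on the host itself this is no stronger than the plain file. The same applies to the sudoers baseline digest.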
  16. Tomi Engdahl says:

    Google collects Android users’ locations even when location services are disabled
    https://qz.com/1131515/google-collects-android-users-locations-even-when-location-services-are-disabled/

    Many people realize that smartphones track their locations. But what if you actively turn off location services, haven’t used any apps, and haven’t even inserted a carrier SIM card?
    Even if you take all of those precautions, phones running Android software gather data about your location and send it back to Google when they’re connected to the internet, a Quartz investigation has revealed.

    Reply
  17. Tomi Engdahl says:

    BEHAVIORS AND PATTERNS OF BULLETPROOF AND ANONYMOUS HOSTING PROVIDERS
    https://www.usenix.org/node/200387

    Bulletproof and anonymous hosting providers are key enabling factors of ransomware, phishing, and other cybercrime operations. Bulletproof hosters shield criminal content from abuse complaints and takedowns, whereas anonymous offshore hosters preserve privacy and free speech for their customers. Despite being conceptually different, the distinction between both classes tends to blur in practice.

    Reply
  18. Tomi Engdahl says:

    Uber data breach from 2016 affected 57 million riders and drivers
    https://techcrunch.com/2017/11/21/uber-data-breach-from-2016-affected-57-million-riders-and-drivers/?utm_source=tcfbpage&sr_share=facebook

    Uber faced a data breach in 2016 that affected some 57 million customers, including both riders and drivers, revealing their names, email address and phone numbers. That affected group included 50 million riders and 7 million drivers; around 600,000 driver license numbers for U.S. drivers were also included in the breach, according to a new report from Bloomberg.

    Uber did not report the incident to regulators or to affected customers, but instead paid $100,000 to “hackers” to get rid of the data in order to keep the breach under wraps, according to the report.

    https://www.bloomberg.com/news/articles/2017-11-21/uber-concealed-cyberattack-that-exposed-57-million-people-s-data

    Reply
  19. Tomi Engdahl says:

    Android devices seen covertly sending location data to Google
    https://techcrunch.com/2017/11/21/android-devices-seen-covertly-sending-location-data-to-google/?ncid=rss&utm_source=tcfbpage&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29&utm_content=FaceBook&sr_share=facebook

    An investigation by Quartz has revealed that Android devices send cell tower location data to Google even if the user has disabled location services for apps in their device settings.

    https://qz.com/1131515/google-collects-android-users-locations-even-when-location-services-are-disabled/

    Reply
  20. Tomi Engdahl says:

    Black Friday 2016: Third of online shoppers put themselves at risk of fraud chasing bargains, research finds
    http://www.independent.co.uk/money/spend-save/black-friday-deals-2016-fraud-shoppers-at-risk-bargains-a7429786.html

    People aged between 16 and 34 are most at risk, the research suggests, with almost half saying they are more likely to take a chance

    Reply
  21. Tomi Engdahl says:

    National Cyber Security Centre boss: For the love of $DEITY, use 2FA on your emails, peeps
    Brit biz bosses, improve your infosec. We’ll handle Russia
    https://www.theregister.co.uk/2017/11/21/national_cyber_security_centre_says_put_2fa_on_your_emails/

    The chief exec of the National Cyber Security Centre – a branch of the UK’s spy nerve-centre GCHQ – has called on everyone to enable two-factor authentication for their emails. This follows revelations that almost the entire population’s details are available for sale on the dark web.

    Speaking at the Parliament and Internet Conference, Ciaran Martin said nearly everyone’s email addresses are available on the dark web, but added that more personal data sets, including national insurance numbers, were much less commonly available.

    “We recommend that everyone puts 2FA on their emails,” he said. “That will hopefully continue to be significant improvement [in combating] that sort of stolen data.”

    Martin last week revealed that hackers acting on behalf of Russia had targeted the UK’s telecommunications, media and energy sectors.

    Reply
  22. Tomi Engdahl says:

    Don’t sweat Brexit, big biz told: Your shiny data protection sticker will remain intact
    Survey reveals GDPR training and investment is on the rise
    https://www.theregister.co.uk/2017/11/21/brexit_wont_affect_ico_ability_to_signoff_on_firms_data_protection_compliance/

    Multinationals whose data protection compliance was rubberstamped by the UK’s privacy regulator have been assured they won’t be stripped of the authorisation after Brexit.

    Firms that wish to move personal data out of the European Economic Area have to demonstrate that they abide by EU data protection rules.

    They can do this by setting binding corporate rules (BCRs) on data protection safeguards and having them approved by an EU data protection authority.

    According to the European Commission, the UK’s Information Commissioner’s Office has approved about a quarter of all BCRs to date, and there was some concern about their continued status after the UK leaves the bloc.

    Reply
  23. Tomi Engdahl says:

    Container ship loading plans are ‘easily hackable’
    Look! A pic that’s not a metaphor
    https://www.theregister.co.uk/2017/11/20/container_ship_loading_software_mischief/

    Security researchers have warned that it might be possible to destabilise a container ship by manipulating the vessel stowage plan or “Bay Plan”.

    The issue stems from the absence of security in BAPLIE EDIFACT, a messaging system used to create ship loading and container stowage plans – for example which locations are occupied and which are empty – from the numerous electronic messages exchanged between shipping lines, port authorities, terminals and ships.

    The messaging standard is developed and maintained by the Shipping Message Development Group (SMDG).

    Criminals less interested in destabilising ships, but perhaps instead in stealing goods by rerouting containers, would use “COPRAR / COPARN / CODECO / COARRI” messages instead. These deal with shipping line to terminal messaging and vice versa.

    Evidence suggests that ship and terminal messaging systems have been abused at times in order to either conceal or re-route drugs or steal valuables. “We believe this was done using front end GUIs in port rather than manipulating the data itself,” according to Ken Munro, a security researcher at Pen Test Partners.

    BAPLIE messages, once their syntax is understood, might potentially be manipulated to change the destinations of cargo, money and more. Pen Test Partners was more interested in message subsets that are found in “LIN” line items about contents and handling for individual containers.

    Most straightforwardly it’s possible to manipulate container weight and thus the ship’s balance.

    A potential hacker would simply search the message for VGM (Verified Gross Mass). The trailing value is the weight, so changing this value to make it either lighter or heavier would mean that the vessel load-planning software would place the container in the wrong place for stability.

    Researchers explained that it might be possible, using similar trickery, to place a mislabelled heavy container at the top of the stack, moving the centre of gravity too high.

    “Already there is evidence of theft of valuable items from containers in port, potentially through insider access by criminals to load information. It doesn’t take much imagination to see some far more serious attacks,” Munro concluded.

    Making prawn espressos, or hacking ships by deciphering BAPLIE EDIFACT messaging
    https://www.pentestpartners.com/security-blog/making-prawn-espressos-or-hacking-ships-by-deciphering-baplie-edifact-messaging/

    In a separate blog, I discuss the consequences of, and methods to, destabilise a container ship as a result of vessel stowage plan or ‘Bay Plan’ manipulation.

    However, in order to actually modify the load plan, you need to understand the intricacies of the BAPLIE EDIFACT messaging system that is used to create ship loading and container stowage plans from the numerous electronic messages exchanged between shipping lines, port authorities, terminals and ships.

    Reply
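The weakness the researchers describe is that a BAPLIE message carries no integrity protection, so a changed VGM figure is accepted as-is by the load planner. As an added defender-side example (not code from Pen Test Partners, The Register or the SMDG), the block below shows the two controls a receiving terminal or carrier can put in front of the planner: an HMAC over the message agreed out of band between the exchanging parties, and a plausibility check of every VGM against physical container limits and an independent weighbridge record. The message text, container numbers, the `MEA+AAE+VGM+KGM:<kg>` segment layout, the mass bounds and the key are constructed assumptions for the demo, and the parser assumes the default EDIFACT separators (no `UNA` override).

```python
"""Defender-side checks on a BAPLIE-style EDIFACT stowage message.

Added example, not code from Pen Test Partners, The Register or the SMDG. The message text,
container numbers, MEA segment layout (MEA+AAE+VGM+KGM:<kg>), plausibility bounds and the HMAC
key are constructed assumptions for the demo; the standard itself carries no MAC.
"""
import hashlib
import hmac
from typing import Dict, List

# Constructed sample: three containers with a Verified Gross Mass each.  The middle one claims
# 99,000 kg, far above anything a single ISO container can weigh.
SAMPLE_BAPLIE = (
    "UNH+1+BAPLIE:D:95B:UN:SMDG20'"
    "LOC+147+0010182'EQD+CN+MSKU1234565+45G1'MEA+AAE+VGM+KGM:24000'"
    "LOC+147+0010184'EQD+CN+TCLU7654321+22G1'MEA+AAE+VGM+KGM:99000'"
    "LOC+147+0010186'EQD+CN+CSQU3054383+22G1'MEA+AAE+VGM+KGM:12000'"
    "UNT+11+1'"
)

MIN_GROSS_KG = 2000.0   # assumed: lighter than an empty container's tare
MAX_GROSS_KG = 32500.0  # assumed: above the ISO rated maximum gross mass

Segment = List[List[str]]  # segment -> data elements -> components


def parse_segments(msg: str) -> List[Segment]:
    """Tokenise EDIFACT text: ' ends a segment, + an element, : a component, ? releases the next char."""
    segments: List[Segment] = []
    elements: Segment = []
    components: List[str] = []
    cur: List[str] = []
    i = 0
    while i < len(msg):
        c = msg[i]
        if c == "?" and i + 1 < len(msg):
            cur.append(msg[i + 1])
            i += 2
            continue
        if c in ":+'":
            components.append("".join(cur))
            cur = []
            if c in "+'":
                elements.append(components)
                components = []
            if c == "'":
                segments.append(elements)
                elements = []
        elif c not in "\r\n":
            cur.append(c)
        i += 1
    return segments


def extract_vgm(segments: List[Segment]) -> Dict[str, float]:
    """Map container number -> VGM in kg, associating each MEA with the preceding EQD."""
    vgm: Dict[str, float] = {}
    container = None
    for seg in segments:
        tag = seg[0][0]
        if tag == "EQD" and len(seg) > 2:
            container = seg[2][0]
        elif tag == "MEA" and len(seg) > 3 and seg[1][0] == "AAE" and seg[2][0] == "VGM":
            unit, value = seg[3][0], seg[3][1]
            if unit != "KGM":
                raise ValueError("unexpected VGM unit %r for %s" % (unit, container))
            if container is None:
                raise ValueError("VGM without a preceding EQD segment")
            vgm[container] = float(value)
    return vgm


def check_vgm(vgm: Dict[str, float], reference: Dict[str, float], tolerance: float = 0.05) -> List[str]:
    """Flag implausible masses and masses that disagree with an independent weighbridge record."""
    findings = []
    for container, kg in vgm.items():
        if not MIN_GROSS_KG <= kg <= MAX_GROSS_KG:
            findings.append("%s: VGM %.0f kg outside plausible range" % (container, kg))
        ref = reference.get(container)
        if ref is None:
            findings.append("%s: no independent weight record" % container)
        elif abs(kg - ref) > tolerance * ref:
            findings.append("%s: VGM %.0f kg disagrees with weighbridge %.0f kg" % (container, kg, ref))
    return findings


def compute_mac(msg: bytes, key: bytes) -> str:
    """Out-of-band integrity tag the exchanging parties would agree on, since BAPLIE has none."""
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify_mac(msg: bytes, key: bytes, tag: str) -> bool:
    return hmac.compare_digest(compute_mac(msg, key), tag)


if __name__ == "__main__":
    key = b"constructed-demo-key"
    tag = compute_mac(SAMPLE_BAPLIE.encode(), key)
    print("message authentic:", verify_mac(SAMPLE_BAPLIE.encode(), key, tag))
    weighbridge = {"MSKU1234565": 24000.0, "TCLU7654321": 9000.0, "CSQU3054383": 12000.0}
    for f in check_vgm(extract_vgm(parse_segments(SAMPLE_BAPLIE)), weighbridge):
        print("ALERT", f)
```

The MAC catches in-transit edits but not a sender who is itself compromised, which is why the plausibility and cross-source checks sit behind it: a figure that passes authentication but cannot physically be true should still stop the plan before it reaches the stability calculation.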
  24. Tomi Engdahl says:

    Iranian ‘Game of Thrones’ Hacker Demanded $6 Million Bitcoin Ransom From HBO, Feds Say
    https://it.slashdot.org/story/17/11/21/1753215/iranian-game-of-thrones-hacker-demanded-6-million-bitcoin-ransom-from-hbo-feds-say?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29

    The Department of Justice on Tuesday charged an Iranian national with allegedly hacking into HBO, dumping a selection of stolen files, and attempting to extort the company by ransoming a treasure trove of the company’s content. This summer, hackers released a bevy of internal HBO files, including scripts for Game of Thrones and full, unaired episodes of other shows.

    Iranian ‘Game of Thrones’ Hacker Demanded $6 Million Bitcoin Ransom From HBO, Feds Say
    https://www.thedailybeast.com/iranian-game-of-thrones-hacker-demanded-dollar6-million-bitcoin-ransom-from-hbo-feds-say

    The Justice Department says a former black hat for Tehran’s military dumped scripts of the show in an apparent effort to prove his bona fides and shake down the media giant.

    Reply
  25. Tomi Engdahl says:

    Uber: Hackers stole 57m passengers, drivers’ info. We also bribed the thieves $100k to STFU
    And it happened a year ago, hoped you wouldn’t find out
    https://www.theregister.co.uk/2017/11/22/uber_2016_data_breach/

    Uber’s CEO Dara Khosrowshahi today revealed hackers broke into the ride-hailing app’s databases and stole personal information on 57 million passengers and drivers – information including names, email addresses, and phone numbers.

    And the cyber-thieves made off with 600,000 US driver records that included their license numbers.

    And the hack happened in 2016 – yet, biz executives hushed up the break-in rather than alert the public.

    2016 Data Security Incident
    https://www.uber.com/newsroom/2016-data-incident/

    As Uber’s CEO, it’s my job to set our course for the future, which begins with building a company that every Uber employee, partner and customer can be proud of. For that to happen, we have to be honest and transparent as we work to repair our past mistakes.

    I recently learned that in late 2016 we became aware that two individuals outside the company had inappropriately accessed user data stored on a third-party cloud-based service that we use. The incident did not breach our corporate systems or infrastructure.

    However, the individuals were able to download files containing a significant amount of other information, including:

    The names and driver’s license numbers of around 600,000 drivers in the United States. Drivers can learn more here.
    Some personal information of 57 million Uber users around the world, including the drivers described above. This information included names, email addresses and mobile phone numbers.

    Reply
  26. Tomi Engdahl says:

    $31 Million In Tokens Stolen From Dollar-Pegged Cryptocurrency Tether
    https://yro.slashdot.org/story/17/11/21/2150231/31-million-in-tokens-stolen-from-dollar-pegged-cryptocurrency-tether?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29

    All eyes may be on the meteoric rise of Bitcoin at the moment, but it’s far from being the only cryptocurrency on the block. Startup Tether issued a critical announcement after it was discovered that “malicious action by an external attacker” had led to the theft of nearly $31 million worth of tokens. Tether is a dollar-pegged cryptocurrency formerly known as Realcoin, and it says that $30,950,010 was stolen from a treasury wallet.

    $31 million in tokens stolen from dollar-pegged cryptocurrency Tether
    https://betanews.com/2017/11/21/tether-cryptocurrency-token-theft/

    Tether is a dollar-pegged cryptocurrency formerly known as Realcoin, and it says that $30,950,010 was stolen from a treasury wallet. The company says it is doing what it can to ensure exchanges do not process these tokens, including temporarily suspending its backend wallet service.

    Tether knows the address used by the attacker to make the theft, but is not aware of either who the attacker is, or how the attack took place. The company is releasing a new version of its Omni Core software client in what it says is “effectively a temporary hard fork to the Omni Layer.”

    Reply
  27. Tomi Engdahl says:

    Breaches of the public cloud are becoming more commonplace, what should you do if it happens to your organisation?
    http://www.cloudpro.co.uk/leadership/risks/7175/what-to-do-if-your-public-cloud-is-breached

    It’s tempting to think that public cloud services are immune to data breaches, but unfortunately this isn’t the case. Whether it’s a large-scale hack affecting multiple customers or a targeted attack on your business, attackers can get at your data no matter where it is.

    Averting this sort of incident means having good security in place is a must. But if the worst should happen and a breach occurs, what should an organisation do in the immediate aftermath?

    The initial breach

    The first thing is to figure out what was actually compromised. Was it the systems or applications which hold critical information, and is that information company critical (for example, intellectual property) or sensitive/regulated information (personally identifiable information, payment card information and so on)?

    “If it’s PII or PCI information, then you need to work out who (which individuals) are impacted and which categories of individual, such as employees, customers or partners. Depending on the outcome of the initial investigation, this determines who should be notified,” says Guy Bunker, senior vice president of products at Clearswift. He adds that companies should have a cyber breach plan in place which lays out the steps required to deal with a cyber breach, including the all-important communication plan.

    Notification

    If you believe your public cloud has been hacked, the first port of call should be the cloud provider; they may well have protective monitoring capabilities that will be invaluable moving forward.

    The incoming General Data Protection Regulation (GDPR) makes it quite clear that the “Data controllers are required to report a personal data breach to the competent Supervisory Authority (SA) without undue delay and, where feasible, not later than 72 hours after becoming aware of it.”

    “Depending on the nature of hack / breach, the police should also be contacted,” says Lawrence Munro, worldwide VP at Trustwave SpiderLabs.

    As far as initial notification, senior leadership of the organisation should be notified immediately as well as legal counsel, says John Bambenek, manager of threat systems at Fidelis Cybersecurity. “They should have already established contacts with the cloud provider so they can begin working with them, as necessary, to help remediate the breach.”

    Reply
  28. Tomi Engdahl says:

    Limelight: Internet Use up 64%
    http://www.broadbandtechreport.com/articles/2017/11/limelight-internet-use-up-64.html?cmpid=enl_btr_weekly_2017-11-21

    According to Limelight Networks’ (NASDAQ:LLNW) latest “State of User Experience” report, 45% of consumers worldwide spend more than 15 hours (outside of work) on the Internet each week, a 64% increase in the last year. In the United States, 54% of consumers spend more than 15 hours online each week.

    Looking at the main online activities and behaviors:

    U.S. consumers spend the most time each week on social media sites (4 hours, 44 minutes), followed by watching videos (4 hours, 12 minutes) and reading the news (3 hours, 24 minutes). Online shopping was fourth on the list at 3 hours, 22 minutes.
    Laptops are the main device for online activities in the United States, followed closely by smartphones. Smartphones are the primary choice for women and people age 18-45, and laptops are preferred by men and people 46 and older.

    When it comes to consumers’ demands for online experiences, the expectations are high, and security is a major concern. One in four U.S. consumers said they would not continue to make purchases on a website that has experienced a security breach. The survey also indicated that 39% of U.S. consumers will leave a website that’s taking too long to load and go on to make purchases with a competitor.

    Reply
  29. Tomi Engdahl says:

    You can not steal a key that is not there

    According to surveys, cybercrime will grow to $6 trillion in annual business by 2021. Nevertheless, the safety of design will only be considered afterwards. Maxim Integrated is a frustrated solution that protects your device against hacking and IP scams.

    It’s a DS28E38 DeepCover circuit. This encryption is based on the physical, random features of the MOSFET circuit. When an encryption key is needed, it is generated with these extraordinary features. When the key is no longer needed, it disappears.

    This is called a physically unclonable function (PUF). In practice, the encryption circuit has no key that could be cloned for decryption. At the same time, the need for a complex encryption key management system disappears.

    Maxim promises the DS28E38 circuit with a 5ppb security for time, temperature, and voltage. This means that five chips in a billion may be opened. In practice, the protection is unbreakable.

    Source: http://www.etn.fi/index.php/13-news/7194-et-voi-varastaa-avainta-jota-ei-ole

    DS28E38
    DeepCover Secure ECDSA Authenticator with ChipDNA PUF Protection
    Protect Your Design Using Crypto-Strong Authentication Secured with a Physically Unclonable Function
    https://www.maximintegrated.com/en/products/power/protection-control/protection-ics/DS28E38.html

    The DS28E38 is an ECDSA public key-based secure authenticator that incorporates Maxim’s patented ChipDNA™ PUF technology. ChipDNA technology involves a physically unclonable function (PUF) that enables the DS28E38 to deliver cost-effective protection against invasive physical attacks. Using the random variation of semiconductor device characteristics that naturally occur during wafer fabrication, the ChipDNA circuit generates a unique output value that is repeatable over time, temperature, and operating voltage. Attempts to probe or observe ChipDNA operation modify the underlying circuit characteristics, preventing discovery of the unique value used by the chip’s cryptographic functions. The DS28E38 utilizes the ChipDNA output as key content to cryptographically secure all device-stored data and, optionally, under user control, as the private key for the ECDSA signing operation. With ChipDNA capability, the device provides a core set of cryptographic tools derived from integrated blocks including an asymmetric (ECC-P256) hardware engine, a FIPS/NIST-compliant true random number generator (TRNG), 2Kb of secured EEPROM, a decrement-only counter and a unique 64-bit ROM identification number (ROM ID).

    Reply
  30. Tomi Engdahl says:

    Loake Shoes admits: We’ve fallen victim to cybercrims
    Hold on to your laces, email server was compromised
    https://www.theregister.co.uk/2017/11/22/loake_shoes_email_accounts_compromised/

    Miscreants, hackers – call ‘em what you will – have pilfered email addresses from an unknown number of Loake Shoes customers.

    In a letter sent to punters on its database – seen by The Register – the premium footwear maker said it has been “the victim of a cyber attack”.

    “Despite having stringent security measures in place, this has resulted in our email server being compromised,” the missive stated.

    Reply
  31. Tomi Engdahl says:

    Sacramento Regional Transit Systems Hit By Hacker
    https://tech.slashdot.org/story/17/11/21/2121240/sacramento-regional-transit-systems-hit-by-hacker

    Sacramento Regional Transit is the one being taken for a ride on this night, by a computer hacker. That hacker forced RT to halt its operating systems that take credit card payments, and assigns buses and trains to their routes. The local transit agency alerted federal agents following an attack on their computers that riders may not have noticed Monday. “We actually had the hackers get into our system, and systematically start erasing programs and data,”

    Sacramento Regional Transit Systems Hit By Hacker
    http://sacramento.cbslocal.com/2017/11/20/sacramento-regional-transit-systems-hit-by-hacker/

    Sacramento Regional Transit is the one being taken for a ride on this night, by a computer hacker.

    That hacker forced RT to halt its operating systems that take credit card payments, and assigns buses and trains to their routes.

    The local transit agency alerted federal agents following an attack on their computers that riders may not have noticed Monday.

    “We actually had the hackers get into our system, and systematically start erasing programs and data,” said Deputy General Manager Mark Lonergan.

    Reply
  32. Tomi Engdahl says:

    Eric Newcomer / Bloomberg:
    Uber fires CSO, says in Oct ’16 personal info of 50M riders, 7M drivers, including 600K driver’s license numbers, stolen; Uber paid hackers $100K to delete data — Company paid hackers $100,000 to delete info, keep quiet — Chief Security Officer Joe Sullivan and another exec ousted

    Uber Paid Hackers to Delete Stolen Data on 57 Million People
    https://www.bloomberg.com/news/articles/2017-11-21/uber-concealed-cyberattack-that-exposed-57-million-people-s-data

    Hackers stole the personal data of 57 million customers and drivers from Uber Technologies Inc., a massive breach that the company concealed for more than a year. This week, the ride-hailing firm ousted its chief security officer and one of his deputies for their roles in keeping the hack under wraps, which included a $100,000 payment to the attackers.

    Compromised data from the October 2016 attack included names, email addresses and phone numbers of 50 million Uber riders around the world, the company told Bloomberg on Tuesday. The personal information of about 7 million drivers was accessed as well, including some 600,000 U.S. driver’s license numbers.

    “None of this should have happened, and I will not make excuses for it.”

    At the time of the incident, Uber was negotiating with U.S. regulators investigating separate claims of privacy violations. Uber now says it had a legal obligation to report the hack to regulators and to drivers whose license numbers were taken. Instead, the company paid hackers to delete the data and keep the breach quiet. Uber said it believes the information was never used but declined to disclose the identities of the attackers.

    After Uber’s disclosure Tuesday, New York Attorney General Eric Schneiderman launched an investigation into the hack, his spokeswoman Amy Spitalnick said. The company was also sued for negligence over the breach by a customer seeking class-action status.

    Reply
  33. Tomi Engdahl says:

    Hackers have successfully infiltrated numerous companies in recent years. The Uber breach, while large, is dwarfed by those at Yahoo, MySpace, Target Corp., Anthem Inc. and Equifax Inc. What’s more alarming are the extreme measures Uber took to hide the attack. The breach is the latest scandal Khosrowshahi inherits from his predecessor, Travis Kalanick.

    New York Times:
    Sources: Kalanick and CSO Joe Sullivan ordered $100K ransom to be paid; Uber tracked the hackers, pushed them to sign NDAs, disguised the payment as bug bounty — SAN FRANCISCO — In November 2016, Uber executives faced an expensive — and risky — decision.

    Uber Hid 2016 Breach, Paying Hackers to Delete Stolen Data
    https://www.nytimes.com/2017/11/21/technology/uber-hack.html

    SAN FRANCISCO — Uber disclosed Tuesday that hackers had stolen 57 million driver and rider accounts and that the company had kept the data breach secret for more than a year after paying a $100,000 ransom.

    The deal was arranged by the company’s chief security officer and under the watch of the former chief executive, Travis Kalanick, according to several current and former employees who spoke on the condition of anonymity because the details were private.

    The security officer, Joe Sullivan, has been fired. Mr. Kalanick was forced out in June, although he remains on Uber’s board.

    The two hackers stole data about the company’s riders and drivers — including phone numbers, email addresses and names — from a third-party server and then approached Uber and demanded $100,000 to delete their copy of the data, the employees said.

    Uber acquiesced to the demands, and then went further. The company tracked down the hackers and pushed them to sign nondisclosure agreements, according to the people familiar with the matter. To further conceal the damage, Uber executives also made it appear as if the payout had been part of a “bug bounty” — a common practice among technology companies in which they pay hackers to attack their software to test for soft spots.

    Reply
  34. Tomi Engdahl says:

    New York attorney general launches investigation of Uber’s $100,000 hack cover-up
    https://techcrunch.com/2017/11/21/ny-ag-schneiderman-uber-hack-cover-up/

    The revelation that Uber concealed a major 2016 data breach affecting 57 million users and paid hackers to destroy the evidence is yet another PR nightmare from Uber’s darkest era, but it’s also a major problem when it comes to state laws around data breach disclosure practices. In light of Bloomberg’s report, the office of New York State Attorney General Eric Schneiderman confirmed to TechCrunch that it has opened an investigation into the incident.

    Reply
  35. Tomi Engdahl says:

    U.S. government warns businesses about cyber bug in Intel chips
    https://www.reuters.com/article/us-intel-cyber-vulnerability/u-s-government-warns-businesses-about-cyber-bug-in-intel-chips-idUSKBN1DM01R

    The U.S. government on Tuesday urged businesses to act on an Intel Corp alert about security flaws in widely used computer chips as industry researchers scrambled to understand the impact of the newly disclosed vulnerability.

    The Department of Homeland Security gave the guidance a day after Intel said it had identified security vulnerabilities in remote-management software known as “Management Engine” that shipped with eight types of processors used in business computers sold by Dell Technologies Inc, Lenovo Group Ltd, HP Inc, Hewlett Packard Enterprise Co and other manufacturers.

    Security experts said that it was not clear how difficult it would be to exploit the vulnerabilities to launch attacks, though they found the disclosure troubling because the affected chips were widely used.

    Reply
  36. Tomi Engdahl says:

    26% of Execs Say Security Impedes IoT Implementation
    https://www.securerf.com/26-execs-say-security-impedes-iot-implementation/?utm_campaign=Email%20Newsletter&utm_source=hs_email&utm_medium=email&utm_content=58721854&_hsenc=p2ANqtz-_yNb17rKAk6TtB1eW9Rlveq7FM3gI0zENzGh_l6iI2Hc8NjSOvwpKz4YVeF943BITGIFZzltFQwiDonETkcLCGwrbTwpISvdmQYSRZ4_ZDTHCQmKQ&_hsmi=58721854

    The IoT presents exciting new opportunities for companies to develop innovative products and services. However, despite the benefits associated with IoT technology, such as system monitoring and inventory control, many business leaders continue to cite IoT security-related challenges as obstacles to more rapid IoT adoption.

    According to a recent Economist Intelligence Unit (EIU) report, sponsored by ARM and IBM, 26% of senior business leaders consider security to be a chief impediment to IoT implementation. Only the high cost associated with investing in IoT infrastructure is considered a bigger obstacle to IoT adoption.

    The EIU surveyed 825 business executives from 10 industries for the report. The top chief obstacles to IoT adoption were: the high cost of IoT infrastructure (29%); concerns about security and privacy (26%); a lack of senior management knowledge or commitment (23%); and weakness in an organization’s technology infrastructure (16%).

    “The survey tells us that most respondents feel their companies would have been further down the path to significant IoT rollouts by now. The survey gives us a clue as to why that is; emphasizing concerns over security and privacy, and the perception that IoT infrastructure is expensive to deploy and manage.”

    Reply
  37. Tomi Engdahl says:

    Television’s Most Infamous Hack Is Still a Mystery 30 Years Later
    https://entertainment.slashdot.org/story/17/11/22/1756241/televisions-most-infamous-hack-is-still-a-mystery-30-years-later?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29

    It has been 30 years since the Max Headroom hack, arguably the creepiest hack in television history, took place. Caroline Haskins writes about the incident for Motherboard:

    The Mystery of the Creepiest Television Hack
    https://motherboard.vice.com/en_us/article/pgay3n/headroom-hacker

    It was like any other Sunday night at Chicago’s WGN-TV. And then the signal flickered into darkness.

    A squat, suited figure sputtered into being, and bounced around maniacally. Wearing a ghoulish rubbery mask with sunglasses and a frozen grin, the mysterious intruder looked like a cross between Richard Nixon and the Joker. Static hissed through the signal; behind him, a slab of corrugated metal spun hypnotically. This was not part of the regularly scheduled broadcast.

    “Well, if you’re wondering what’s happened,” he said, chuckling nervously, “so am I.”

    Reply
  38. Tomi Engdahl says:

    Austria: Bitcoins stolen over public wireless network
    http://abcnews.go.com/Technology/wireStory/austria-bitcoins-stolen-public-wireless-network-51319364

    Austrian police say cyber thieves transferred bitcoins worth more than 100,000 euros ($117,000) from a man’s account while he was logged in on a restaurant’s public wireless network.

    A police statement Wednesday says the bitcoins were moved to an “unknown, non-traceable account”.

    It remains unclear whether the victim’s account was already hacked before he logged on to the unsecured network.

    Reply
  39. Tomi Engdahl says:

    Pentagon contractor leaves social media spy archive wide open on Amazon
    Trove included more than 1.8 billion posts spanning eight years, many from US people.
    https://arstechnica.com/information-technology/2017/11/vast-archive-from-pentagon-intel-gathering-operation-left-open-on-amazon/?platform=hootsuite

    Reply
  40. Tomi Engdahl says:

    Experts observed a new wave of wp-vcd malware attacks targeting WordPress sites
    http://securityaffairs.co/wordpress/65800/malware/wordpress-wp-vcd-malware.html

    Experts from the firm Sucuri observed a new wave of wp-vcd malware attacks that is targeting WordPress sites by leveraging flaws in outdated plugins and themes.

    A new malware campaign is threatening WordPress installs; the malicious code, tracked as wp-vcd, hides in legitimate WordPress files and is used by attackers to add a secret admin user and gain full control over infected websites.

    Recently researchers from the firm Sucuri discovered a new strain of this malware that injected malicious code into the legitimate files of the two default themes “twentyfifteen” and “twentysixteen” included in the WordPress CMS in 2015 and 2016.

    This is an old tactic that leverages theme files (active or not) to hide malicious code; in this specific case the malware creates a new “100010010” admin user with the intent to establish a backdoor into the target installation.

    Reply
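    A defender-side check for the backdoor pattern described in this comment, added here as an example and not code from Sucuri or the article: it walks a constructed `wp_users` / `wp_usermeta` export and flags administrator accounts that are not on a known-good allowlist, including the “100010010” login named above. The sample rows and the allowlist are assumptions; the PHP-serialized `wp_capabilities` format is WordPress’s own.

    ```python
    import re
    from typing import Dict, List, Set

    # Constructed sample rows in the shape of a wp_users / wp_usermeta export.
    # The numeric login "100010010" is the account the Sucuri report attributes to wp-vcd.
    SAMPLE_USERS = [
        {"ID": 1, "user_login": "admin", "user_registered": "2015-03-01 10:00:00"},
        {"ID": 7, "user_login": "editor_jane", "user_registered": "2016-08-12 09:30:00"},
        {"ID": 42, "user_login": "100010010", "user_registered": "2017-11-20 03:14:07"},
    ]
    SAMPLE_USERMETA = [
        {"user_id": 1, "meta_key": "wp_capabilities", "meta_value": 'a:1:{s:13:"administrator";b:1;}'},
        {"user_id": 7, "meta_key": "wp_capabilities", "meta_value": 'a:1:{s:6:"editor";b:1;}'},
        {"user_id": 42, "meta_key": "wp_capabilities", "meta_value": 'a:1:{s:13:"administrator";b:1;}'},
    ]

    # Matches one role entry inside WordPress's PHP-serialized capabilities array,
    # e.g. s:13:"administrator";b:1;
    ROLE_RE = re.compile(r's:\d+:"([^"]+)";b:1;')


    def roles_from_capabilities(serialized: str) -> List[str]:
        """Extract the enabled role names from a wp_capabilities meta_value."""
        return ROLE_RE.findall(serialized)


    def looks_machine_generated(login: str) -> bool:
        """Heuristic: purely numeric logins such as 100010010 are unusual for real staff."""
        return login.isdigit()


    def find_unexpected_admins(users, usermeta, allowlist: Set[str], table_prefix: str = "wp_") -> List[str]:
        """Return logins that hold the administrator role but are not on the allowlist.

        table_prefix matters because the capabilities key is <prefix>capabilities,
        so a site using a custom prefix must pass it in or the check silently finds nothing.
        """
        cap_key = f"{table_prefix}capabilities"
        roles_by_id: Dict[int, List[str]] = {}
        for row in usermeta:
            if row["meta_key"] == cap_key:
                roles_by_id.setdefault(row["user_id"], []).extend(roles_from_capabilities(row["meta_value"]))
        return [
            u["user_login"]
            for u in users
            if "administrator" in roles_by_id.get(u["ID"], []) and u["user_login"] not in allowlist
        ]


    if __name__ == "__main__":
        # Assumed allowlist: the only administrator the site owner knows about.
        for login in find_unexpected_admins(SAMPLE_USERS, SAMPLE_USERMETA, {"admin"}):
            flag = " (numeric login, likely automated)" if looks_machine_generated(login) else ""
            print(f"unexpected administrator: {login}{flag}")
    ```

    Run the same function against a real export from the site's database; any hit is a reason to also diff the active and inactive theme directories against a clean copy of the same theme version, since that is where the comment says the loader hides.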
  41. Tomi Engdahl says:

    Using Unsecured IoT Devices, DDoS Attacks Doubled in the First Half of 2017
    http://securityaffairs.co/wordpress/65827/hacking/iot-devices-ddos-attacks.html

    According to a report recently published by the security firm Corero, the number of DDoS attacks doubled in the first half of 2017 due to unsecured IoT.

    Denial of Service (DoS) attacks have been around as long as computers have been networked. But if your business relies on the Internet to sell products or collaborate, a DoS attack is more than a nuisance; it can be critical.

    Over the past few years, the number of DoS attacks has continued to slowly grow in a “cat and mouse” evolution — bad actors get a slightly stronger attack, and network vendors come up with slightly more resilient equipment to defend. Generally the attacks came from botnets comprised of infected computers and servers. The cost of acquiring and keeping these systems in the botnet was relatively expensive, so there was an economic limiter on how fast the attacks would grow. Then Mirai happened in 2016 and everything changed.

    Reply
  42. Tomi Engdahl says:

    Giles Turner / Bloomberg:
    UK Digital Minister Matt Hancock says Uber’s October 2016 hack affected UK citizens and the government plans to publish a report in the coming days — Digital Minister Matt Hancock speaks in U.K. parliament — Hackers stole the personal data of 57 million individuals

    Uber Hack Involves U.K. Data, Government to Publish Report
    https://www.bloomberg.com/news/articles/2017-11-23/uber-hack-involves-u-k-data-government-to-publish-report

    Digital Minister Matt Hancock speaks in U.K. parliament
    Hackers stole the personal data of 57 million individuals

    The data breach at Uber Technologies Inc. disclosed this week includes information on British users, a U.K. lawmaker said Thursday, adding that the government is set to publish a report into the scale of the attack in the coming days.

    Hackers stole the personal data of 57 million customers and drivers from Uber, a breach that the company concealed for more than a year.

    Bloomberg first reported that Uber paid hackers $100,000 to keep the hack under wraps.

    Reply
  43. Tomi Engdahl says:

    New Uber CEO Knew of Hack for Months
    https://news.slashdot.org/story/17/11/24/0727223/new-uber-ceo-knew-of-hack-for-months?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29

    While the massive data breach at Uber didn’t happen under the watch of its new chief executive, more than two months elapsed before he notified affected customers and drivers of the incident (Editor’s note: the link may be paywalled), people familiar with the matter said. CEO Dara Khosrowshahi learned of the breach, which Uber said happened in October 2016 and affected some 57 million accounts,

    New Uber CEO Knew of Hack for Months
    https://www.wsj.com/articles/ubers-hack-disclosure-raises-questions-about-timing-1511462671

    Dara Khosrowshahi learned of 2016 breach two weeks after taking post in September, but customers weren’t told until this week

    Reply
  44. Tomi Engdahl says:

    Firefox Will Warn Users When Visiting Sites That Suffered a Data Breach
    https://news.slashdot.org/story/17/11/23/1451219/firefox-will-warn-users-when-visiting-sites-that-suffered-a-data-breach?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29

    Mozilla engineers are working on a notifications system for Firefox that shows a security warning to users visiting sites that have suffered data breaches. The notifications system will use data provided by Have I Been Pwned?, a website that indexes public data breaches and allows users to search and see if their details have been compromised in any of these incidents. Work on this project has only recently started.

    Firefox Will Warn Users When Visiting Sites That Suffered a Data Breach
    https://www.bleepingcomputer.com/news/security/firefox-will-warn-users-when-visiting-sites-that-suffered-a-data-breach/

    Mozilla engineers are working on a notifications system for Firefox that shows a security warning to users visiting sites that have suffered data breaches.

    The notifications system will use data provided by Have I Been Pwned?, a website that indexes public data breaches and allows users to search and see if their details have been compromised in any of these incidents.
    Code for this feature is currently available as an add-on.

    Reply
  45. Tomi Engdahl says:

    Linus Torvalds on security: ‘Do no harm, don’t break users’
    Fixing for the sake of security alone means ‘all your work was just masturbation’
    https://www.theregister.co.uk/2017/11/24/linus_torvalds_approach_to_security/

    Linus Torvalds has offered a lengthy explanation of his thoughts on security, in which he explained a calmer and more detailed version of his expletive-laden thoughts on the topic earlier this week.

    Torvalds was angry that developers wanted to kill dangerous processes in Linux, a measure that would have removed potential problems but done so in ways that users may not have enjoyed.

    His long post on the matter suggested to security practitioners that “’Do no harm’ should be your mantra for any new hardening work.”

    https://lkml.org/lkml/2017/11/21/356

    Reply
  46. Tomi Engdahl says:

    ‘Data is the new oil’: F-Secure man on cartels, disinformation and IoT
    An unlikely trio? Not according to Mikko Hypponen
    https://www.theregister.co.uk/2017/11/23/hypponen_interview/

    Questions about cyber influence continue to cloud last year’s US presidential elections and recently similar allegations have been levelled against the Brexit vote.

    Mexican armed forces are apprehensive about upcoming elections in that country but it’s not the US or the Russians they are worried about – it’s the cartels. Mikko Hypponen, chief research officer at Finnish security company F-Secure, relayed the anecdote during a discussion about geopolitics and IoT.

    Election campaigning on social media should be banned, said Hypponen, pointing out that Japan does this already. As a result, Facebook doesn’t sell in the Asian country. F-Secure found this from Google ad guidelines.

    Sean Sullivan, a security advisor at F-Secure, saw the same issue differently: “Disinformation exists on Twitter, it’s how it is packaged and exposed on cable news that’s the bigger problem. Bait is put out there and cable news picks it up.”

    Sullivan, a political science graduate, added that combatting disinformation is more a matter of media literacy and critical thinking than rooting out trolls and Russian bots on social media.

    Internet of insecure Things

    Hypponen argued IoT is a bigger revolution than mobile because it will transform workforces.

    “IoT is not about users wanting internet access on appliances,” Hypponen said, “it’s about vendors wanting to connect them to the internet so that they can collect data.”

    Vendors have not quite worked out how to monetise this data as yet. They do know that they’ll need a record of historic data to turn it into something useful in future hence the desire to capture it now. “Data is the new oil,” Hypponen concluded.

    Meanwhile, the security of IoT devices remains lamentably poor. Mirai failed to act as a wake-up call, with a few honourable exceptions. “Ikea take IoT security seriously because they don’t want a product recall,”

    Reply
  47. Tomi Engdahl says:

    EU Lawmakers Back Exports Control on Spying Technology
    https://yro.slashdot.org/story/17/11/24/0739213/eu-lawmakers-back-exports-control-on-spying-technology?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29

    EU lawmakers overwhelmingly backed plans on Thursday to control exports of devices to intercept mobile phone calls, hack computers or circumvent passwords that could be used by foreign states to suppress political opponents or activists. Members of the European Parliament’s trade committee voted by 34 votes to one in favor of a planned update to export controls on “dual use” products or technologies. The EU has had export controls since 2009 on such dual use products, including toxins, lasers and technology for navigation or nuclear power, which can have civilian or military applications but can also be used to make weapons of mass destruction.

    EU lawmakers back exports control on spying technology
    https://www.reuters.com/article/us-eu-trade-torture/eu-lawmakers-back-exports-control-on-spying-technology-idUSKBN1DN1R6

    Reply
  48. Tomi Engdahl says:

    More Industrial Products at Risk of KRACK Attacks
    http://www.securityweek.com/more-industrial-products-risk-krack-attacks

    An increasing number of vendors have warned customers over the past weeks that their industrial networking products are vulnerable to the recently disclosed Wi-Fi attack method known as KRACK.

    The KRACK (Key Reinstallation Attack) flaws affect the WPA and WPA2 protocols and they allow a hacker within range of the targeted device to launch a man-in-the-middle (MitM) attack and decrypt or inject data. A total of ten CVE identifiers have been assigned to these security bugs.

    The vulnerabilities impact many products, including devices designed for use in industrial environments. The first industrial solutions providers to warn customers about the KRACK attack were Cisco, Rockwell Automation and Sierra Wireless.

    Siemens said the KRACK vulnerabilities affect some of its SCALANCE, SIMATIC, RUGGEDCOM, and SINAMICS products.

    Reply
