Security trends 2017

The year 2017 will not bring any turn towards better data security. The internet is rife with both well-known and unknown threats, and company systems are expected to be protected against them. Hackers are going to continue to look for new ways to extort and steal information from businesses and organizations, which unfortunately means those businesses and organizations will have to continue to look for new ways to protect themselves.

Critical infrastructure comes under attack in 2017. Critical infrastructures must be better protected from criminals and terrorists who take advantage of the modern technologies that are essential for the functioning of society and the economy. The IT security functions of industrial control systems (ICS), energy grids and IoT networks need to be improved in 2017.

There is a push for better web security in 2017. Starting on New Year’s Day, Google’s Chrome will begin labeling as “insecure” all websites that transmit passwords or ask for credit card details over plain-text HTTP. Beginning in January 2017 (Chrome 56), HTTP pages that transmit passwords or credit card details are marked as non-secure, as part of a long-term plan to mark all HTTP sites as non-secure.

SHA-1 is insecure. Starting on Jan 1, 2017, most CAs will migrate to SHA-2 certificates, and the major browser makers, including Microsoft, Google and Mozilla, have already announced plans to adopt the change. Their browsers will no longer trust sites that use SHA-1 certificates from that date, and they will mark those websites as insecure. A third of websites still use SHA-1 certificates despite the looming deadline. SHA-1 will still hang around, like a fart in a spacesuit, for many years to come because some site operators are lazy enough not to make the change.
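The check a site operator needs here is whether a given certificate was signed with a SHA-1 based algorithm. The following is an added example, not code from the original post: it reads only the outer DER envelope of an X.509 certificate (tbsCertificate, signatureAlgorithm, signatureValue) and decodes the algorithm OID. Real DER bytes work as input; the two inputs built at the bottom are constructed stand-ins with an empty tbsCertificate, not real certificates.

```python
"""Flag certificates whose outer signature uses SHA-1 by reading the DER envelope.

Added example, not code from the original post. An X.509 certificate is
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
so the signing algorithm can be read from the second top-level field without
parsing the whole certificate. Real DER bytes work as input (for a PEM file use
ssl.PEM_cert_to_DER_cert); the two inputs built at the bottom are constructed
stand-ins with an empty tbsCertificate, not real certificates.
"""

# Dotted OID -> (algorithm name, digest). These are the standard OIDs.
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "SHA-1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHA-256"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "SHA-384"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "SHA-1"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "SHA-256"),
    "1.2.840.10045.4.3.3": ("ecdsa-with-SHA384", "SHA-384"),
}


def read_tlv(data, pos):
    """Decode one DER tag-length-value starting at pos; return (tag, value, end)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        count = length & 0x7F
        length = int.from_bytes(data[pos:pos + count], "big")
        pos += count
    return tag, data[pos:pos + length], pos + length


def decode_oid(content):
    """Convert OID content octets to dotted form (first octet packs two arcs)."""
    arcs = [content[0] // 40, content[0] % 40]
    value = 0
    for byte in content[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:  # a clear high bit ends a base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(str(arc) for arc in arcs)


def signature_algorithm(der_cert):
    """Return the dotted OID from the certificate's outer signatureAlgorithm."""
    tag, body, _ = read_tlv(der_cert, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    _, _, pos = read_tlv(body, 0)           # skip tbsCertificate
    tag, alg_id, _ = read_tlv(body, pos)    # AlgorithmIdentifier SEQUENCE
    if tag != 0x30:
        raise ValueError("malformed signatureAlgorithm")
    tag, oid, _ = read_tlv(alg_id, 0)       # AlgorithmIdentifier.algorithm
    if tag != 0x06:
        raise ValueError("expected an OBJECT IDENTIFIER")
    return decode_oid(oid)


def describe(der_cert):
    """Return (algorithm name, digest name); unknown OIDs are reported as such."""
    oid = signature_algorithm(der_cert)
    return SIGNATURE_OIDS.get(oid, (oid, "unknown"))


def uses_sha1(der_cert):
    """True when the certificate was signed with a SHA-1 based algorithm."""
    return describe(der_cert)[1] == "SHA-1"


def build_stub_cert(oid_content):
    """Constructed input: empty tbsCertificate, RSA-style NULL params, empty signature."""
    algorithm = bytes([0x06, len(oid_content)]) + oid_content + b"\x05\x00"
    alg_id = bytes([0x30, len(algorithm)]) + algorithm
    body = b"\x30\x00" + alg_id + b"\x03\x01\x00"
    return bytes([0x30, len(body)]) + body


SHA1_RSA_STUB = build_stub_cert(bytes.fromhex("2a864886f70d010105"))    # 1.2.840.113549.1.1.5
SHA256_RSA_STUB = build_stub_cert(bytes.fromhex("2a864886f70d01010b"))  # 1.2.840.113549.1.1.11

if __name__ == "__main__":
    for label, cert in (("SHA-1 stub", SHA1_RSA_STUB), ("SHA-256 stub", SHA256_RSA_STUB)):
        name, digest = describe(cert)
        print(f"{label}: {name} ({digest}){'  <- deprecated' if uses_sha1(cert) else ''}")
```

For a live site, `ssl.get_server_certificate((host, 443))` returns the leaf in PEM and `ssl.PEM_cert_to_DER_cert` converts it for `uses_sha1`. Check the intermediates as well as the leaf: the browser deprecation applies to every certificate in the chain except the self-signed root, whose own signature is never validated.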

There will be changes in how security is viewed by businesses in 2017. We will likely see cloud adoption continue to grow across the United States, network visibility will no longer be just an option, AI and machine learning will shake up old security models, and IoT-powered attacks will continue to rise. All of this will factor into how businesses set up, monitor and secure their networks.

The Commoditization of Cyberattacks Will Make Them More Frequent in 2017. More and more companies suffer business disruption due to cyber attacks. Cyber attacks cause companies significant financial losses, but studies show that companies are not prepared for attacks. According to Gartner, by 2018 only 40 per cent of large companies will have official plans for handling cyber attacks. Last year, the percentage was zero.

Strap yourself in for a bumpy ride in 2017. 2016 sucked. 2017 won’t be much better, sorry. DDoS attacks have been around since at least 2000, and they’re not going away. In fact, as the number of devices online grows, the volume and velocity of these attacks is also increasing. DDoS attack toolkits have been around for years, as have services that let you pay for an attack. Expect to see more of them. 2017 promises to be the most dramatic year yet in DDoS conflict: whale-sized DDoS attacks will increase, the IoT will become a bigger factor in DDoS, and DDoS will overshadow ransomware attacks and be used for extortion. Expect the Internet of Things (IoT) and other connected devices to play an important part in these attacks.

Biometric identification will become more common in 2017, but it will not replace passwords. Fingerprint identification has become increasingly common in smartphones, and the technology is already fast and reliable. This year, 4.5 billion dollars’ worth of biometric identification devices were sold (most of them going into smartphones and laptops). 91 per cent of biometric sales were fingerprint sensors, four per cent face detection and three per cent iris detection.

Biometrics Won’t Kill Passwords any time soon. Even though PIN codes and passwords are actually pretty lousy protection against a skilled cybercriminal, the password will never disappear entirely, as two per cent of the world’s population have fingerprints that biometric readers cannot identify. Other biometric identification systems have similar limitations and/or are not yet commonly available at a reasonable cost. While biometrics, including fingerprint, face, iris, palm and speech recognition, will continue to grow as a more secure substitute for passwords, they will not render passwords obsolete. Until the other biometrics become commonplace, passwords are here to stay, until circa 2030.

The fight over encryption and backdoors is not over in 2017. Many public figures in law enforcement have consistently argued that device encryption presents a new threat to police powers of investigation. On the other side, the House Judiciary Committee’s Encryption Working Group says in its latest report that encryption backdoors pose a security threat, siding with tech experts. The problem is that any system allowing police to get into encrypted systems (be it a phone, a computer or communications) could also be exploited by criminals. Any action in this space should weigh the short-term benefits against the long-term impacts. Many industry experts will rightly tell you there is no such thing as partial data encryption: you either have a fully capable system or none at all.

Given the security events of 2016, coupled with the rapid advancement and adoption of cloud computing, 2017 will be the year in which many finally accept that network infrastructure and security will have to be rethought from the ground up. In 2017 the cloud will become a risk for users: the cloud becoming insecure, with extortion and IoT openings.

The rivalry between network attacks and network security is accelerating. Crippling Internet services with denial-of-service attacks is becoming more common throughout the world. DDoS attacks have been around since at least 2000, and they’re not going away. In fact, as the number of devices online grows, the volume and velocity of these attacks is also increasing. IoT-powered attacks will continue to rise, and stopping an attack is not easy. For most companies the key thing is that the attack traffic is stopped before it reaches the company’s Internet connection or servers (which increases the need for telecom operator and external filtering services). In addition to disrupting service, denial-of-service attacks are often used as a distraction during the actual data burglary. DDoS may take over from ransomware as the main cause for concern.
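Before upstream filtering can be engaged, the flood has to be noticed. The following is an added example, not code from the original post, of the simplest such detection run over web server access log lines: a sliding window of request times per source address, plus an aggregate rate for the distributed case where no single source stands out. The log lines are constructed samples, and the window and threshold are assumptions to tune to real traffic.

```python
"""Rate-based flood detection over web server access log lines.

Added example, not code from the original post. It parses lines in the common
log format, keeps a sliding window of request times per source address, and
reports sources that exceed a threshold; a second pass measures the aggregate
rate, which is what a distributed (IoT botnet) flood drives up while each
source stays below the per-source threshold. The log lines are constructed
samples and the window and threshold are assumptions to tune to your own
traffic; a detection like this tells you when to engage upstream filtering.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, request, status) or None for an unparseable line."""
    match = LOG_RE.match(line)
    if not match:
        return None
    ts = datetime.strptime(match.group("ts"), TS_FORMAT)
    return match.group("ip"), ts, match.group("req"), int(match.group("status"))


def find_flooding_sources(lines, window_seconds=10, threshold=50):
    """Map each source whose request count in any window exceeds threshold to its peak."""
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    peaks = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, _, _ = parsed
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()  # evict requests older than the window
        if len(window) > threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(window))
    return peaks


def peak_aggregate_rate(lines, window_seconds=10):
    """Highest number of requests from all sources together inside one window."""
    stamps = sorted(p[1] for p in map(parse_line, lines) if p is not None)
    window, peak = deque(), 0
    for ts in stamps:
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        peak = max(peak, len(window))
    return peak


def format_line(ip, ts, request, status):
    """Constructed common-log-format line (the '-' fields are ident and user)."""
    return f'{ip} - - [{ts.strftime(TS_FORMAT)}] "{request}" {status} 512'


def sample_log():
    """Constructed sample: one address bursting, two addresses browsing normally."""
    start = datetime(2017, 1, 10, 12, 0, 0, tzinfo=timezone.utc)
    lines = [format_line("203.0.113.7", start + timedelta(milliseconds=50 * i),
                         "GET / HTTP/1.1", 200) for i in range(120)]
    for ip, path in (("198.51.100.20", "/index.html"), ("198.51.100.21", "/news")):
        lines += [format_line(ip, start + timedelta(seconds=i), f"GET {path} HTTP/1.1", 200)
                  for i in range(6)]
    return lines


if __name__ == "__main__":
    log = sample_log()
    print("flooding sources:", find_flooding_sources(log))
    print("peak aggregate requests per 10 s:", peak_aggregate_rate(log))
```

The per-source check catches the single noisy address; the aggregate check is the one that matters for a botnet of thousands of IoT devices each sending a handful of requests, and it is the number to compare against what the upstream link and the operator's filtering service can absorb.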

In 2017 IT and security professionals will talk more about business risks. Historically, firewalls, DLP, antivirus, SIEM and other technical point solutions have been the centerpiece of security conversations, but the mindset is slowly shifting from technology to risk. The goal of stopping all attacks and preventing all business impact has been recognized as a fool’s errand, and the focus has shifted to measuring risk and minimizing business impacts. Cyber security is increasingly being viewed as a risk management problem.

In 2017 ‘Security’ Must be Added to our Existing Ethical and Philosophic Concerns Over Artificial Intelligence and Algorithms. Algorithms will soon run the world. They present problems that are seriously questioned on both ethical and philosophical grounds, and they have become the basis of fictional Armageddons.

Cyber insurance will be considered more often as one solution for handling cyber risks in 2017. The global cyber insurance market is expected to generate $14 billion by 2022, according to a new report published by Allied Market Research (AMR). That figure represents an impressive compound annual growth rate (CAGR) of nearly 28% from 2016 to 2022.

In 2017 Big Brother will be watching you 24/7. Those of you who’ve read George Orwell’s book 1984 or seen the movie will remember how the citizens of the fictitious totalitarian state of Oceania are constantly under surveillance by order of its dictator, Big Brother. Now swap your home desktop computer, laptop or smartphone for the fictitious telescreen: not only are you sitting in front of a modern-day version of the Big Brother telescreen, you are also walking around with one in your pocket or handbag. Sound a bit far-fetched to you? Well, it’s set to become a reality in many countries.

Users will want better security, or at least to feel more secure, in 2017. Many people are prepared to go to extremes for better security. According to a recent Harris Poll survey of over 2,000 adults, nearly 40% of Americans would give up sex for a year, or eating their favourite food, in exchange for better online security that meant they’d never have to worry about being hacked. When you consider that 87 percent of U.S. adults use the internet, it makes sense that cyber security is one of the biggest concerns today. The single biggest thing people can do to help keep their online identity safe is probably the easiest: a solid password, and not giving it to other people. Still, nearly 50% of people have shared a password to an e-mail account or to an account like Netflix.

Security Becomes A Multi-System Issue, and more people are talking about it. Design teams will have to bake security strategies in from the start, no matter how insignificant the device. The good news is that more people are talking about the issue. The real challenge is packing enough security features into designs to prevent security breaches of every sort, including those that can come from other electronics that weren’t even considered as part of the design process. Just as devices get more sophisticated, so do hackers. The reality is that security breaches can even cause physical harm. It’s time to look at this at a multi-system, multi-disciplinary level. Otherwise, we literally could be playing with fire.

Blockchains have been a big trend for several years. The blockchain market is fragmented as 2017 starts. During the autumn of 2016, we have seen a number of cooperation initiatives between the financial sector and consulting companies. Microsoft has chosen the Ethereum blockchain platform and offers it on its Azure cloud service. IBM has jumped on the Hyperledger consortium bandwagon and offers its own blockchains through its Bluemix service. Google and Amazon are still conspicuous by their absence. Even banks may prefer to run their blockchains in the cloud.


Other prediction articles worth a look:

What Lies Ahead for Cybersecurity in 2017?

Network Infrastructure, Visibility and Security in 2017

DDoS in 2017: Strap yourself in for a bumpy ride

Cybersecurity Industry Outlook: 2017 to 2021 | CSO Online

IBM’s Cybersecurity Predictions for 2017 – eForensics

https://eforensicsmag.com/ibms-cybersecurity-predictions-2017/

Top 5 Cybersecurity Threats to Watch Out for in 2017

Experts Hopeful as Confidence in Risk Assessment Falls



3,151 Comments

  1. Tomi Engdahl says:

    Uber in Legal Crosshairs Over Hack Cover-up
    http://www.securityweek.com/uber-legal-crosshairs-over-hack-cover

    Two US states on Wednesday confirmed they are investigating Uber’s cover-up of a hack at the ride-sharing giant that compromised the personal information of 57 million users and drivers.

    Uber purportedly paid data thieves $100,000 to destroy the swiped information — and remained quiet about the breach for a year.

    That decision evidently came despite a promise by the firm to “adopt leading data security protection practices” in a settlement with New York attorney general Eric Schneiderman.

    Schneiderman and his counterpart in Connecticut, George Jepsen, on Wednesday told AFP that Uber is the target of probes in their states over the hidden hack.

    “None of this should have happened, and I will not make excuses for it,” Uber chief executive Dara Khosrowshahi, who took over at the company in August, said Tuesday.

  2. Tomi Engdahl says:

    ‘Advanced’ Cyber Attack Targets Saudi Arabia
    http://www.securityweek.com/advanced-cyber-attack-targets-saudi-arabia

    Saudi authorities said Monday they had detected an “advanced” cyber attack targeting the kingdom, in a fresh attempt by hackers to disrupt government computers.

    The government’s National Cyber Security Centre said the attack involved the use of “Powershell”, but it did not comment on the source of the attack or which government bodies were targeted.

    “The NCSC has detected a new Advanced Persistent Threat (APT) that is targeting Saudi Arabia,” the agency said in a statement, adding the attack sought to infiltrate computers using email phishing techniques.

  3. Tomi Engdahl says:

    Should Uber Users be Worried About Data Hack?
    http://www.securityweek.com/should-uber-users-be-worried-about-data-hack

    How did hackers do it?

    The stolen data are thought to have been stored on an external server of Amazon Web Services — a division of Amazon offering cloud data storage facilities. Two hackers gained access to it using the log-ins of Uber employees taken from an account at the software development platform, GitHub.

    What did Uber do wrong?

    Aside from the problem of safeguarding the data, Uber sought to keep the breach quiet.

    CEO Khosrowshahi — who took over at the end of August — has acknowledged wondering why it took Uber a year to make the breach public.

    He also admitted that the company failed in not immediately informing the users affected or the authorities. His predecessor, Uber’s co-founder Travis Kalanick, was advised of the breach shortly after it was discovered, according to a source familiar with the situation.

    Uber paid the hackers $100,000 to destroy the data, not telling riders or drivers whose information was at risk, the source said.

    Who is affected?

    A lot of people.

    What are the consequences for users?

    For the moment, not a lot, even if the volume of the data would represent a sizeable market value for cybercriminals. Users may perhaps receive a lot of spam or ads on their mobile phone.

    Experts quizzed by AFP pointed out, however, that with the names, email addresses and telephone numbers, hackers could orchestrate phishing campaigns by creating fake Uber accounts, asking users to “confirm” their banking details or to click on links that would allow viruses into their devices.

    What can you do?

    “Not a lot,” said Jerome Robert, marketing chief at EclecticIQ, a Dutch company specialising in cyber threats. Users could try to protect their identity by providing the wrong date of birth, or a false telephone number. But “in the end, that won’t work because there are verifications,” he said.

    It may just be a matter of crossing your fingers and hoping for the best. We all more or less have to trust the apps we download. But don’t provide personal data to apps that aren’t trusted. At the very least, use an alternative email address for these sorts of services, not your main address.

    What are the consequences for Uber?

    Fines, certainly, especially as Uber sought to hide the breach.

    In the United States, Donald Trump’s administration might be more lenient than that of his predecessor Barack Obama, said Sean Sullivan of F-Secure.

  4. Tomi Engdahl says:

    The cyber security year 2017 will be remembered especially from the point of view of ethical hackers. In Finland, companies have also learned to make use of the ability of active security enthusiasts to improve their own security by using bug bounty programs, meaning vulnerability bids.

    Source: http://www.tivi.fi/Kaikki_uutiset/bug-bounty-ohjelmat-palkittiin-vuoden-kybertekona-6689055

  5. Tomi Engdahl says:

    ‘Treat infosec fails like plane crashes’ – but hopefully with less death and twisted metal
    We never learn from incidents, says Europol security adviser
    https://www.theregister.co.uk/2017/11/24/infosec_disasters_learning_op/

    The world has never been so dependent on computers, networks and software so ensuring the security and availability of those systems is critical.

    Despite this, major security events resulting in loss of data, services, or financial loss are becoming increasingly commonplace.

    Brian Honan, founder and head of Ireland’s first CSIRT and special adviser on internet security to Europol, argued that failures in cybersecurity should be viewed as an opportunity to learn lessons and prevent them happening again.

    He made the remarks during a keynote presentation at the #IRISSCERT conference in Dublin on Thursday.

    He used commercial airlines as an analogy. Fatal accidents per one million flights have decreased from four in 1978 to less than one in 2016. A similar, more disciplined approach has the potential to push down infosec failures too.

    We need to learn from incidents rather than making the same mistakes, Honan said, adding that victim blaming – commonplace in infosec – isn’t helpful. In addition, cybercrime ought to be reported to the police. A business wouldn’t hesitate to report that someone had broken into its office but they won’t report malware – an attitude Honan said needs to change.

  6. Tomi Engdahl says:

    Hackers abusing digital certs smuggle malware past security scanners
    No longer just a spy game
    https://www.theregister.co.uk/2017/11/01/digital_cert_abuse/

    Malware writers are widely abusing stolen digital code-signing certificates, according to new research.

    Malware that is signed with compromised certificates creates a means for hackers to bypass system protection mechanisms based on code signing. The tactic extends far beyond high profile cyber-spying ops, such as the Stuxnet attack against Iranian nuclear processing facilities or the recent CCleaner-tainted downloads infection.

    Security researchers at the University of Maryland found 72 compromised certificates after analysing field data collected by Symantec on 11 million hosts worldwide. “Most of these cases were not previously known, and two thirds of the malware samples signed with these 72 certificates are still valid, the signature check does not produce any errors,” Tudor Dumitras, one of the researchers, told El Reg.

  7. Tomi Engdahl says:

    Treasury Department Concludes Fraud Investigation into ComputerCOP “Internet Safety” Software
    https://www.eff.org/deeplinks/2017/11/treasury-inspector-general-concludes-fraud-investigation-computercop-internet

    Three years ago, EFF exposed how hundreds of law enforcement agencies were putting families at risk by distributing free ComputerCOP “Internet safety” software that actually transmitted keystrokes unencrypted to a third-party server. Our report also raised serious questions about whether the company was deceiving government agencies by circulating a bogus letter of endorsement from a top official in the U.S. Treasury Department.

  8. Tomi Engdahl says:

    Imgur confirms email addresses, passwords stolen in 2014 hack
    The hackers stole email addresses and passwords.
    http://www.zdnet.com/article/imgur-reveals-hackers-stole-login-data/

    Imgur, one of the world’s most visited websites, has confirmed a hack dating back to 2014.

    The company told ZDNet that hackers stole 1.7 million email addresses and passwords, scrambled with the SHA-256 algorithm, which has been passed over in recent years in favor of stronger password scramblers.

    The hack went unnoticed for four years until the stolen data was sent to Troy Hunt, who runs data breach notification service Have I Been Pwned.

    Hunt praised the company’s efforts for its quick response.

    It’s the latest historical hack from a long list of companies that have this year revealed security breaches dating back to the turn of the decade, including Disqus, LinkedIn, MySpace, and Yahoo.

    The company said it has changed its password hashing to bcrypt, a much stronger password scrambler, last year.

    60 percent of email addresses were already in Have I Been Pwned’s database of more than 4.8 billion records.

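The point behind the Imgur post above is the difference between a fast, unsalted hash and a salted, deliberately slow one. The following is an added example, not code from the article or the original post; Imgur moved to bcrypt, which is not in the Python standard library, so hashlib.pbkdf2_hmac stands in as the slow KDF. The user records and the guess list are constructed.

```python
"""Unsalted fast hashing versus a salted, slow KDF for stored passwords.

Added example, not code from the article or the post. It shows why a leaked
table of plain SHA-256 hashes falls to one dictionary pass, and how a per-user
salt plus an iterated KDF changes the attacker's cost. Imgur moved to bcrypt;
bcrypt is not in the Python standard library, so hashlib.pbkdf2_hmac stands in
here as the slow KDF. The user records and the guess list are constructed.
"""
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumption: raise until one verification costs ~100 ms on your hardware


# --- weak scheme: one unsalted SHA-256 per password (what the article describes) ---
def weak_hash(password):
    return hashlib.sha256(password.encode()).hexdigest()


def crack_weak(records, guesses):
    """Hash each guess once and match it against every record; returns (found, hash_count)."""
    table = {weak_hash(guess): guess for guess in guesses}  # one table serves all users
    found = {user: table[digest] for user, digest in records.items() if digest in table}
    return found, len(guesses)


# --- hardened scheme: random per-user salt and an iterated KDF --------------------
def store_password(password):
    """Return a self-describing record: scheme, iterations, salt and digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    scheme, iterations, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError("unsupported scheme")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))  # constant-time compare


def crack_strong(records, guesses):
    """Every (user, guess) pair costs a full KDF run; returns (found, kdf_runs)."""
    found, runs = {}, 0
    for user, stored in records.items():
        for guess in guesses:
            runs += 1
            if verify_password(guess, stored):
                found[user] = guess
                break
    return found, runs


# Constructed sample data: three users, two of them with dictionary passwords.
PASSWORDS = {"alice": "hunter2", "bob": "letmein", "carol": "correct horse battery staple"}
GUESSES = ["123456", "hunter2", "letmein"]
LEAKED_WEAK = {user: weak_hash(pw) for user, pw in PASSWORDS.items()}
LEAKED_STRONG = {user: store_password(pw) for user, pw in PASSWORDS.items()}

if __name__ == "__main__":
    print("weak:  ", crack_weak(LEAKED_WEAK, GUESSES))
    print("strong:", crack_strong(LEAKED_STRONG, GUESSES))
```

With the weak scheme the three guesses cost three hashes regardless of how many users leaked, because an unsalted table can be matched in one pass; with the salted scheme every user has to be attacked separately, and each guess costs a full KDF run. SHA-256 itself is not broken; it is simply far too fast for password storage, which is why bcrypt, scrypt, Argon2 or PBKDF2 with a high iteration count is used instead.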
  9. Tomi Engdahl says:

    Fake news ‘as a service’ booming among cybercrooks
    https://www.theregister.co.uk/2017/11/17/fake_news_as_a_service/

    Fake sites spread fake stories to fuel pump and dump or other foul ends

    Criminals are exploiting “fake news” for commercial gain, according to new research.

    Fake news is widely assumed to be political or ideological propaganda published to sway public opinion, but new research conducted by threat intel firm Digital Shadows and released on Thursday suggested fake news generation services are now aimed at causing financial and reputational damage for companies through disinformation campaigns.

    The firm’s research stated that these services are often associated with “Pump and Dump” scams, schemes that aggressively promote penny stocks to inflate their prices before the inevitable crash and burn.

    A cryptocurrency variant of the same schemes has evolved and involves gradually purchasing major shares in altcoin (cryptocurrencies other than Bitcoin) and drumming up interest in the coin through posts on social media.

    Unsurprisingly, media organisations are a frequent target for purveyors of fake news.

    Simply by altering characters on a domain (e.g. a “m” may have changed to an “rn”) and by using cloning services it is possible to create a convincing fake of a legitimate news site. Miscreants then link to and otherwise promote fake stories at these bogus sites for their own nefarious ends.

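The "m" to "rn" trick in the post above is detectable: fold the visually confusable sequences to what they imitate and compare the result against the brands you want to protect. The following is an added example, not code from the article or the original post. The watch list and candidate hostnames are constructed samples, and the substitution table is an assumption that covers ASCII look-alikes only; a one-character edit-distance check catches plain typos as well.

```python
"""Detect lookalike news domains built from confusable characters such as "rn" for "m".

Added example, not code from the article or the original post. It folds common
visually confusable sequences to a canonical form, compares the registrable
label against a watch list of legitimate domains, and also catches one-character
typos with an edit-distance check. The watch list and candidate hostnames are
constructed samples; the substitution table is an assumption and covers ASCII
look-alikes only.
"""

# (confusable sequence, what it imitates); applied in order, longest first.
CONFUSABLES = [
    ("rn", "m"),
    ("vv", "w"),
    ("cl", "d"),
    ("0", "o"),
    ("1", "l"),
    ("5", "s"),
]

WATCHLIST = ["examplenews", "dailyexample"]  # constructed legitimate brands


def fold(label):
    """Replace each confusable sequence with the character it imitates."""
    label = label.lower()
    for sequence, canonical in CONFUSABLES:
        label = label.replace(sequence, canonical)
    return label


def registrable_label(hostname):
    """Second-level label of a hostname (assumes a single-label TLD such as .com)."""
    parts = hostname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def edit_distance(a, b):
    """Levenshtein distance, used to catch single-character typos."""
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        current = [i]
        for j, cb in enumerate(b, 1):
            current.append(min(previous[j] + 1, current[j - 1] + 1, previous[j - 1] + (ca != cb)))
        previous = current
    return previous[-1]


def classify(hostname, watchlist=WATCHLIST):
    """Return ("legit"|"lookalike"|"typo"|"unrelated", matched brand or None)."""
    label = registrable_label(hostname)
    if label in watchlist:
        return "legit", label
    folded = fold(label)
    for brand in watchlist:
        if folded == fold(brand):
            return "lookalike", brand
    for brand in watchlist:
        if edit_distance(folded, fold(brand)) == 1:
            return "typo", brand
    return "unrelated", None


if __name__ == "__main__":
    for host in ("www.examplenews.com", "exarnplenevvs.com", "examplnews.net", "unrelated-site.org"):
        print(f"{host:24} -> {classify(host)}")
```

Run this over newly registered domains, certificate transparency logs or the link targets in inbound mail to find sites imitating your own brand before they are promoted. Internationalised names arrive in the xn-- (punycode) form and need decoding and a Unicode confusables table before this ASCII check applies.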
  10. Tomi Engdahl says:

    Amazon Key Lets Delivery People into Your House—and It Just Got Hacked
    https://www.technologyreview.com/the-download/609508/amazon-key-lets-delivery-people-into-your-house-and-it-just-got-hacked/?lipi=urn%3Ali%3Apage%3Ad_flagship3_feed%3BBz0PVMaSTHCoz4rZMnsqig%3D%3D

    A hardware safeguard in Amazon’s recently launched while-you’re-out delivery service turns out to have a big hole. And, well—let’s just say you probably should have seen this coming.

  11. Tomi Engdahl says:

    Securing IoT Medical Devices—Are We There Yet?
    http://www.electronicdesign.com/iot/securing-iot-medical-devices-are-we-there-yet?code=UM_Classics11317&utm_rid=CPG05000002750211&utm_campaign=14199&utm_medium=email&elq2=060c2b070bea400d88c39b50c75fa434

    To ensure secure communications in a given design, developers must consider integrating key security- and safety-related features that help to harden a medical device against any malicious activity.

    As the internet of medical devices grows exponentially, much of the attention has been given to the safety aspect, with less time devoted to protecting the private information transmitted and stored on these devices. However, that imbalance is shifting, as protecting patient data has become a critical concern. In fact, a KPMG 2015 healthcare and cybersecurity survey found that more than 80% of health plans and healthcare providers acknowledged that patient data had been compromised—even after making significant cyber-related investments.

  12. Tomi Engdahl says:

    Exim-ergency! Unix mailer has RCE, DoS vulnerabilities
    Patch imminent, for now please turn off email attachment chunking
    https://www.theregister.co.uk/2017/11/26/exim_rce_vulnerability/

    Sysadmins who tend Exim servers have been advised to kick off their working weeks with the joy of patching.

    The popular (if relatively low-profile) Internet mail message transfer agent (MTA) advised of flaws in a Black Friday post to its public bugtracker, which as contributor Phil Pennock said in this message came without any prior notice.

    The bug tracker post explained that when parsing the BDAT data header, Exim scans for the ‘.’ character to signify the end of an email. BDAT is a server verb associated with the MTA’s ability to handle large attachments in chunks (see RFC 1830, for example).

    The advisory included a proof-of-concept (less than 30 lines, below). The poster explained that because a function pointer, receive_getc is not reset, the PoC makes Exim run out of stack and crash.

    The announcement for CVE-2017-16944 identified the slip as existing in the “receive_msg function in receive.c in the SMTP daemon in Exim 4.88 and 4.89”.

  13. Tomi Engdahl says:

    EU’s data protection bods join the party to investigate Uber breach
    UK.gov told to sever ties with ‘grubby, unethical’ company
    https://www.theregister.co.uk/2017/11/24/eu_data_protection_watchdogs_to_investigate_uber_data_breach/

    The massive Uber data breach will be discussed by the European Union’s data protection authorities next week.

    The group, known as the Article 29 Working Party, is meeting on November 28-29 and has put the hack, which affected 57 million users, high on its agenda.

    This might include writing to Uber’s CEO to push for full information to be released – as it did for the Yahoo data breach – or to launch a full taskforce.

    The spokeswoman noted that the group had already formed taskforces for Google, Facebook and Microsoft in the past.

    Elsewhere in its meeting, the group will consider the first annual review of the Privacy Shield agreement that governs transatlantic data flows.

    Uber has, as yet, failed to offer authorities any further information about those affected by the breach, which happened in October 2016 but was only revealed this week.

    A spokeswoman for the biz said that this information would not be released until it completes the process of notifying regulators and government authorities, and “expect to have ongoing discussions with them”.

  14. Tomi Engdahl says:

    Wait, did Oracle tip off world to Google’s creepy always-on location tracking in Android?
    War over Java spills into mobile privacy world
    https://www.theregister.co.uk/2017/11/22/google_oracle_location_privacy/

    Analysis Having evidently forgotten about that Street View Wi-Fi-harvesting debacle, Google has admitted constantly collecting the whereabouts of Android devices regardless of whether or not they have location tracking enabled.

    Between 2007 and 2010, during the debut of its Street View service, Google gathered all the Wi-Fi network names and router MAC addresses it could find from wireless networks encountered by its cars as they drove around snapping photos of buildings and roads. It also captured some network traffic from open Wi-Fi networks and, in the years that followed, was pilloried and fined some measly millions by privacy authorities around the world for doing so.

    On Tuesday, Google said since the beginning of 2017, it has been collecting the locations of cell towers near Android phones. But having not found much use for the info, the practice is supposedly on its way out.

    Essentially, when an Android handheld passes a phone mast, it quietly contacts Google’s servers to report the location of the tower, even if the user has disabled location services – allowing the ad giant to potentially figure out folks’ whereabouts as they wander about town.

    The admission came in response to a Quartz report, one that security researcher Ashkan Soltani, via Twitter, said had been shopped around the press by Oracle…

    Oracle has been antagonistic toward Google for years as a result of the success of Android.

    Oracle also helped fund a nonprofit advocacy group formed last year called the Campaign for Accountability. The group’s ostensible mission is to hold the powerful accountable, though its Google Transparency Project has a very specific focus.

    Google, unsurprisingly, has been critical of the group’s claims.

    Google slurped the data regardless of whether or not location services was enabled because, according to an unnamed source cited by Quartz, the data was tied to Google’s Firebase Cloud Messaging service.

    The internet billboard’s explanation is that its push notification and messaging infrastructure is distinct from Android’s location services, which provide location data to apps.

    Google’s privacy policy disclosure on location data discusses cell tower data collection, but does so in the context of location services. It says: “We use various technologies to determine location, including IP address, GPS, and other sensors that may, for example, provide Google with information on nearby devices, Wi-Fi access points and cell towers.”

    Google collects Android users’ locations even when location services are disabled
    https://qz.com/1131515/google-collects-android-users-locations-even-when-location-services-are-disabled/

  15. Tomi Engdahl says:

    No boundaries: Exfiltration of personal data by session-replay scripts
    https://freedom-to-tinker.com/2017/11/15/no-boundaries-exfiltration-of-personal-data-by-session-replay-scripts/

    reveal how third-party scripts on websites have been extracting personal information in increasingly intrusive ways.

  16. Tomi Engdahl says:

    Huge security flaw lets anyone log into a High Sierra Mac
    https://techcrunch.com/2017/11/28/astonishing-os-x-bug-lets-anyone-log-into-a-high-sierra-machine/?utm_source=tcfbpage&sr_share=facebook

    Apple has acknowledged the issue and is working on it.

    Wow, this is a bad one. On Macs running the latest version of High Sierra — 10.13.1 (17B48) — it appears that anyone can log in just by putting “root” in the user name field. This is a huge, huge problem. Apple will fix it probably within hours, but holy moly. Do not leave your Mac unattended until this is resolved.

    Apple offered the following statement:

    We are working on a software update to address this issue. In the meantime, setting a root password prevents unauthorized access to your Mac.

  17. Tomi Engdahl says:

    What Sort of Testing Do My Applications Need?
    http://www.securityweek.com/what-sort-testing-do-my-applications-need

    As you start to get an idea of what your application portfolio looks like, you then need to start determining the specific risks that applications can expose your organization to. This is typically done through application security testing – identifying vulnerabilities in an application so that you can make risk-based decisions about mitigation and resolution.

    The challenge lies in the fact that there is no “one size fits all” approach to application security testing. You cannot constantly perform exhausting testing on all applications – you simply will not have the resources. And, you will be limited in the types of testing you can do based on the type, language, and framework of the application, as well as the availability of source code. To most effectively begin the application security testing process, you need to determine the depth of testing you want to accomplish.

    A valuable resource in looking at enumerating these concerns is the OWASP Application Security Verification Standard (ASVS). The OWASP ASVS provides three levels of assurance that can be applied to an application – Opportunistic, Standard, and Advanced – and provides specific guidelines of what analysis should be performed for verifications at each level.

    Some examples that can provide insight into possible thought processes when evaluating testing strategies for specific applications are included below:

    • High-risk web application developed in house: Because you have access to the source code and both SAST and DAST tools that are well-suited to testing the application, use a combination of static and dynamic testing with both manual and automated components. Also consider annual 3rd party manual assessments to get an external opinion and access to testing techniques your in-house team might not have mastery of.

    • Lower-risk applications developed in house: Again, because you have access to both the source code and running environments, use either automated static or dynamic testing prior to each new release.

    • Mid-risk applications developed by third party: Due to the fact that you don’t have access to source code, but do have an internal pre-production environment, rely on vendor maturity representation and an annual dynamic assessment performed by a trusted 3rd party.

    • Developed by large packaged software vendor: Given that you currently have no budget to do independent in-depth research, rely on vendor vulnerability reports and use patch management practices to address risk.

    Category:OWASP Application Security Verification Standard Project
    https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project

    Reply
  18. Tomi Engdahl says:

    Classified U.S. Army Data Found on Unprotected Server
    http://www.securityweek.com/classified-us-army-data-found-unprotected-server

    Tens of gigabytes of files apparently belonging to the United States Army Intelligence and Security Command (INSCOM), including classified information, were stored in an unprotected AWS S3 bucket, cyber resilience firm UpGuard reported on Tuesday.

    According to the company, its director of cyber risk research, Chris Vickery, discovered the data on an AWS subdomain named “inscom” in late September.

    Fort Belvoir, Virginia-based INSCOM is an intelligence command operated by both the U.S. Army and the National Security Agency (NSA).

    The AWS storage container found by UpGuard included, among others, a virtual machine image that may have been used to send, receive and handle classified data. Some of the files contained in the VM were marked as “Top Secret” and “NOFORN,” which indicates that the information cannot be shared with foreign nationals.

    Metadata found by researchers indicated that a now-defunct defense contractor named Invertix had worked in some capacity on the data stored in the virtual machine. The files in the bucket also included Invertix private keys and other data that could have provided access to the contractor’s internal systems, UpGuard said.

    The exposed files also included information on a failed Army program named “Red Disk.” The $93 million program, designed to allow troops to exchange information in real time, was a cloud computing component of the Distributed Common Ground System–Army (DCGS-A) intelligence platform. The misconfigured container also stored details on the DCGS-A itself.

    “Plainly put, the digital tools needed to potentially access the networks relied upon by multiple Pentagon intelligence agencies to disseminate information should not be something available to anybody entering a URL into a web browser,” said UpGuard’s Dan O’Sullivan.

    Reply
  19. Tomi Engdahl says:

    What Can The Philosophy of Unix Teach Us About Security?
    http://www.securityweek.com/what-can-philosophy-unix-teach-us-about-security

    For security vendors, this shift in philosophy has a number of consequences:

    ● Don’t expect to be the center of the universe. I’ve actually seen vendors try to position themselves as the center of the security workflow on many occasions. Give it up. No security team is going to rip up their existing workflow and make you the center of the universe.

    ● If your solution is not open, keep on walking. As I described above, the concept of pipes is thriving in the security world. If you’re not familiar with the philosophy of Unix, becoming familiar with it would likely help you understand the evolving role of vendors in the eyes of security teams. If your solution can’t be dropped in behind one of the pipes I need a solution for, it just isn’t going to be an easy sell.

    ● Do your part to end swivel chair. Of course, every solution needs to come with its own console and easy-to-use GUI. But don’t expect it to get much use – at least not by security analysts. Security teams already have too much to do, even if they are working out of a single, unified work queue. If your solution can’t log to and integrate with the unified work queue, it just isn’t going to work.

    ● Understand where you add value. One of the most important things a security vendor can do is to learn what life is like day to day inside a security program. Only by learning how security practitioners work and where their pain points and needs are can you truly understand where you add value.

    Reply
  20. Tomi Engdahl says:

    New Mirai Variant Emerges
    http://www.securityweek.com/new-mirai-variant-emerges

    A new variant of the Mirai malware has been observed over the past week targeting new sets of default credentials specific to ZyXEL devices, Qihoo 360 Netlab researchers warn.

    Mirai became widely known about a year ago, when it started ensnaring insecure Internet of Things (IoT) devices into a botnet capable of launching massive distributed denial-of-service (DDoS) attacks. With its source code made public in early October 2016, Mirai had already infected devices in 164 countries by the end of that month.

    To spread, Mirai scans the Internet for open ports associated with Telnet access on Internet-facing IoT products and attempts to connect to the discovered devices using a set of default username/password combinations.

    “At least one botnet operator was offering access to the systems under its control for rent,” Akamai revealed.

    Starting last week, Netlab observed an increase in port 2323 and 23 scan traffic and “confidently” associated it with a new Mirai variant. The researchers also discovered that this new malware version is specifically searching for insecure ZyXEL devices.

    According to the security researchers, the scanner was attempting to exploit two new default login credentials, namely admin/CentryL1nk and admin/QwestM0dem. The former, they explain, was first spotted less than a month ago in exploit-db, as part of an exploit targeting the ZyXEL PK5001Z modem.

    most of the scanner IPs appear to be located in Argentina, with nearly 100,000 unique scanners

    Last year, the Mirai worm was involved in a similar attack where nearly 1 million of Deutsche Telekom’s fixed-line network customers experienced Internet disruptions.

    Reply
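    The scan traffic Netlab describes has a simple signature from the defender's side: one source touching many distinct hosts on ports 23 and 2323 in a short time. The following is an added example of that detection over connection logs, not Netlab's code; the log format (timestamp, source, destination, destination port) and every address in it are constructed.

```python
"""Detect Mirai-style Telnet sweeps in connection logs.

Added illustration for the Mirai variant report above; not Netlab's code.
SAMPLE_LOG is constructed, in a simple "timestamp src dst dport" format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Mirai and this variant probe both the standard and the alternate Telnet port.
TELNET_PORTS = {23, 2323}

# Constructed sample: one host sweeping six neighbours in six seconds, one
# ordinary HTTPS client, and one host that touches two Telnet targets 30 minutes apart.
SAMPLE_LOG = """\
2017-11-27T10:00:01 203.0.113.5 198.51.100.10 23
2017-11-27T10:00:02 203.0.113.5 198.51.100.11 2323
2017-11-27T10:00:03 203.0.113.5 198.51.100.12 23
2017-11-27T10:00:04 203.0.113.5 198.51.100.13 23
2017-11-27T10:00:05 203.0.113.5 198.51.100.14 2323
2017-11-27T10:00:06 203.0.113.5 198.51.100.15 23
2017-11-27T10:00:07 192.0.2.7 198.51.100.20 443
2017-11-27T10:00:08 192.0.2.7 198.51.100.21 443
2017-11-27T10:00:09 192.0.2.8 198.51.100.30 23
2017-11-27T10:30:00 192.0.2.8 198.51.100.31 23
"""


def parse_line(line):
    """Split one log line into (timestamp, src, dst, dport)."""
    ts, src, dst, port = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port)


def telnet_scanners(log_text, min_targets=5, window=timedelta(minutes=5)):
    """Return {src: peak_distinct_targets} for sources that contact at least
    min_targets distinct hosts on a Telnet port inside any sliding window."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = parse_line(line)
        if port in TELNET_PORTS:
            by_src[src].append((ts, dst))

    hits = {}
    for src, events in by_src.items():
        events.sort()
        in_window = defaultdict(int)   # dst -> connections inside the current window
        left = 0
        peak = 0
        for ts, dst in events:
            in_window[dst] += 1
            # Slide the left edge forward until the window fits.
            while ts - events[left][0] > window:
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= min_targets:
            hits[src] = peak
    return hits


if __name__ == "__main__":
    print(telnet_scanners(SAMPLE_LOG))
```

    Counting distinct destinations rather than raw connections keeps a legitimate admin retrying one device from tripping the rule, and the window keeps a slow, months-long inventory crawl from accumulating into a hit. On a network that has no business exposing Telnet at all, the threshold can simply be 1.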
  21. Tomi Engdahl says:

    Critical Code Execution Flaw Found in Exim
    http://www.securityweek.com/critical-code-execution-flaw-found-exim

    Serious vulnerabilities that can be exploited for remote code execution and denial-of-service (DoS) attacks have been found in the popular mail transfer agent (MTA) software Exim.

    Exim is an open source MTA for Unix systems created at the University of Cambridge. An analysis of more than one million mail servers conducted back in March showed that over 56 percent of them had been running Exim.

    Reply
  22. Tomi Engdahl says:

    McAfee to Acquire CASB Firm Skyhigh Networks
    http://www.securityweek.com/mcafee-acquire-casb-firm-skyhigh-networks

    McAfee announced on Monday that it has agreed to acquire cloud access security broker (CASB) Skyhigh Networks for an undisclosed amount.

    CASBs are the go-to solution for corporate cloud security. By controlling access to the corporate cloud they can apply visibility and security to what is within that cloud. But it is such a good solution that big security firms are rapidly buying up all the independent CASBs (such as Microsoft, Symantec, Forcepoint, Oracle, and Cisco).

    It’s reaching the stage where no large security firm can be without a CASB, and no CASB can survive and prosper without the support of a major security vendor.

    Reply
  23. Tomi Engdahl says:

    Thoma Bravo Acquires Barracuda Networks for $1.6 Billion
    http://www.securityweek.com/thoma-bravo-acquires-barracuda-networks-16-billion

    Private equity investment firm Thoma Bravo has entered an agreement to acquire security company Barracuda Networks for $1.6 billion in cash.

    The news comes just weeks after Barracuda announced the acquisition of public cloud archiving and business insights provider Sonian in an effort to enhance the company’s email security and management capabilities.

    Reply
  24. Tomi Engdahl says:

    Cobalt Hackers Exploit 17-Year-Old Vulnerability in Microsoft Office
    http://www.securityweek.com/cobalt-hackers-exploit-17-year-old-vulnerability-microsoft-office

    The notorious Cobalt hacking group has started to exploit a 17-year-old vulnerability in Microsoft Office that was addressed earlier this month, security researchers claim.

    Fixed in Microsoft’s November 2017 Patch Tuesday security updates and found by Embedi security researchers in the Microsoft Equation Editor (EQNEDT32.EXE), the bug is identified as CVE-2017-11882.

    The issue was found in a component that remained unchanged in Microsoft’s Office suite since November 9, 2000, and appears to have been patched manually instead of being corrected directly in the source code, an analysis 0patch published last week reveals.

    Reply
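    A detection a SOC would add after reading the report above. Equation Editor renders formulas and nothing else, so it launching any child process is worth an alert; because Office starts it out-of-process through COM, the check keys on EQNEDT32.EXE as a parent rather than on which Office application started it. This is an added example, not Embedi's or 0patch's code; the event records are constructed, use Sysmon Event ID 1 field names, and the command lines are placeholders.

```python
"""Flag Equation Editor (EQNEDT32.EXE) spawning child processes.

Added illustration for the CVE-2017-11882 report above; not Embedi's or
0patch's code. SAMPLE_EVENTS are constructed process-creation events using
Sysmon Event ID 1 field names (ParentImage, Image, CommandLine).
"""

OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Interpreters and signed utilities a document-handling process has no reason to launch.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "mshta.exe", "wscript.exe",
                       "cscript.exe", "regsvr32.exe", "rundll32.exe", "certutil.exe"}

EQN_PATH = r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
WORD_PATH = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"

SAMPLE_EVENTS = [
    # Normal: Equation Editor is started out-of-process by the COM launcher.
    {"ParentImage": r"C:\Windows\System32\svchost.exe", "Image": EQN_PATH,
     "CommandLine": '"EQNEDT32.EXE" -Embedding'},
    # Never normal: Equation Editor launching a shell (constructed placeholder command).
    {"ParentImage": EQN_PATH, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c <constructed placeholder>"},
    # Benign: Word printing through the 32/64-bit print bridge.
    {"ParentImage": WORD_PATH, "Image": r"C:\Windows\splwow64.exe",
     "CommandLine": "splwow64.exe 8192"},
    # Suspicious: Word launching PowerShell directly (macro-style behaviour).
    {"ParentImage": WORD_PATH,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe <constructed placeholder>"},
]


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def office_child_process_findings(events):
    """Return (rule, parent, child, command_line) tuples for suspicious spawns."""
    findings = []
    for ev in events:
        parent = basename(ev["ParentImage"])
        child = basename(ev["Image"])
        if parent == "eqnedt32.exe":
            # Any child of Equation Editor is anomalous; it only renders equations.
            findings.append(("eqnedt32_spawned_process", parent, child, ev["CommandLine"]))
        elif parent in OFFICE_HOSTS and child in SUSPICIOUS_CHILDREN:
            findings.append(("office_spawned_interpreter", parent, child, ev["CommandLine"]))
    return findings


if __name__ == "__main__":
    for finding in office_child_process_findings(SAMPLE_EVENTS):
        print(finding)
```

    The first rule is nearly noise-free and survives any future Equation Editor bug, not just this one; the second is the broader Office-spawns-interpreter rule that catches the macro and DDE variants of the same delivery chain and needs tuning per environment (splwow64.exe is the usual benign child worth allow-listing).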
  25. Tomi Engdahl says:

    Dealing With Data Loss Your Firewall Can’t Stop
    http://www.securityweek.com/dealing-data-loss-your-firewall-cant-stop

    Information security is built on the pillars of confidentiality, integrity, and availability. Confidentiality is about making sure your secrets stay secret.

    There are four ways that sensitive information can make its way out of your network: 1) malware or an intruder can find the information and exfiltrate it; 2) insiders can intentionally transmit the information or physically carry it outside the facility; 3) the information can be accidentally revealed to unauthorized parties; and 4) a user’s behavior and patterns of activity can reveal confidential information and plans. The fourth example is called Passive Information Leakage (PIL), and it is one of the least known and most difficult forms of data loss to prevent.

    The main approaches to ensuring confidentiality are preventing unauthorized access to the information, and stopping attempts to exfiltrate it from organizational networks. Data Loss Prevention (DLP) solutions are designed to stop the exfiltration by trying to recognize sensitive information and prevent it from leaving the network, but are ineffective at stopping passive information leakage.

    Two key factors create PIL: patterns and identity. The things you do online, particularly the web pages you visit, are a reflection of your real world interests and intents. Your web browsing history reflects many of the projects you are engaged with, and it is visible to exactly the wrong people. By itself, it could be useful to the operators of a website to know that someone is visiting their website with a particular purpose. Combine that with knowing who you are, and they have real actionable intelligence about you. You have just suffered Passive Information Leakage.

    In the case of criminal or intelligence investigations, the consequences of PIL have included loss of life. The fact that a police department is investigating a child pornography site, a financial institution is investigating an online fraud, or the national security community is investigating terrorist networks, is of great interest to those targets. Criminals can see who is watching them online and what aspects of their activity are being scrutinized. Knowing this, they can easily change plans, switch identities, or try to counter-attack.

    The problem with trying to stop PIL is that the valuable information you are trying to protect never directly crosses your network. Rather, it is an emergent property of your identity markers combined with the accumulation of your activities.

    Reply
  26. Tomi Engdahl says:

    Majority of Android Apps Contain Embedded User-Tracking: Report
    http://www.securityweek.com/majority-android-apps-contain-embedded-user-tracking-report

    Seventy-five percent of 300 Android apps tested by Exodus Privacy and analyzed by the Yale Privacy Lab contain embedded trackers, including Uber, Tinder, Skype, Twitter, Spotify and Snapchat. The trackers are primarily used for targeted advertising, behavioral analytics and location tracking. They come as part of the app, and their presence and operation is likely unknown to the user at the time of installation.

    Details are published in an analysis by the Yale Privacy Lab. It looked at 25 of the 44 trackers known to the French non-profit Exodus Privacy. Exodus analyzed 300 apps using its app scanning platform. According to its own research, the five most common embedded trackers are CrashLytics, DoubleClick, Localytics, Flurry and HockeyApp.

    Reply
  27. Tomi Engdahl says:

    How Not to Get Fired For Someone Else’s Failure
    http://www.securityweek.com/how-not-get-fired-someone-elses-failure

    Are You Accountable for Projects You Have No Authority Over?

    If you’re a chief information security officer (CISO), or other-titled security leader, the world is awash with fantastic opportunities for career growth and learning. That is, until you start digging into some of the opportunities. If you’re investigating the future for yourself, I would like to offer you a short post about one of the most common pitfalls out there. I’ve had friends, colleagues and those I advise fall into situations where they get a raw deal based on two very simple words: accountability and authority.

    First, let’s define these words.

    Accountability refers to being ultimately responsible for the success or failure of something—whether it’s a General Data Protection Regulation (GDPR) project or a patch being applied. If you’re accountable, the buck stops with you. If the thing succeeds, it’s your win. If it fails, it’s yours to own.

    Authority refers to your ability to enact change and mandate (force) things to happen. If you have authority over a team, you can make them do things with consequences for failure to comply. If you don’t have authority, you can simply ask nicely and hope that your sparkling personality is enough.

    Here’s where it gets tricky. The CISO often is accountable to at least one executive leader in the company and oftentimes to the board. Meaning, if there are security failures the CISO is the person called to stand before the board and explain. Accountability is a funny thing, though. Alone, without authority, you may be in serious trouble. Allow me to give you an example.

    Reply
  28. Tomi Engdahl says:

    Victimized Twice: Cyber Criminals Target Natural Disasters
    http://www.securityweek.com/victimized-twice-cyber-criminals-target-natural-disasters

    In the aftermath of recent fires in California, Spain and Portugal, hurricanes in Texas, Florida, and Puerto Rico, and recent earthquakes in Mexico and on the Iran-Iraq border, there has been a global uptick in the number of phishing scams aimed at stealing personal data and money. Unfortunately, when disaster strikes cyber criminals are always right behind, ready to apply social engineering techniques to take advantage of both the victims and people wishing to help.

    Broken Routines and Urgency Lay the Foundation

    In these devastating situations, victims are obviously out of their routines and under pressure. Donors may be viewing the disaster’s impact live on television or on the internet, or even be in communication with friends and family in the area. Both victims and donors have their defenses down.

    Using social media, email and even web browser searches, criminals can focus their attacks through every possible channel.

    Disaster Warnings — Before and After

    Nothing Is Sacred

    Basically, you need to assume that every natural disaster or public tragedy is being leveraged in a phishing scam somewhere. Phishing is on a dramatic upswing

    Reply
  29. Tomi Engdahl says:

    Curing The Security Sickness in Medical Devices
    http://www.securityweek.com/curing-security-sickness-medical-devices

    Just as the rapid development of the Internet of Things (IoT) has transformed traditional industries and service sectors, it is also having a great impact in the world of healthcare. It’s easy to argue, in fact, that no area is being transformed by digital technologies as rapidly or with as many benefits for society as new medical technologies.

    But the understandable desire to press ahead and unlock those benefits has led to a lack of scrutiny on the subject of digital security in devices for treatment and monitoring, and a spate of high profile problems in the area has begun to concern many. In the US, the Food and Drug Agency (FDA) has issued formal warnings about cybersecurity vulnerabilities in four separate products in the last 18 months. It has also hosted an array of consultations and workshops focussing on the cybersecurity of medical devices. The most recent product notice from the FDA, regarding an exploitable flaw in connected cardiac pacemakers, seems to be finally waking the industry up to the threats that connected technologies bring.

    Fortunately, there are solutions which can allow healthcare innovation to continue unimpeded, and plenty of lessons that can be learned from experiences in other areas. The rulebook for minimizing the risk of unauthorised access, and limiting potential damage in the event of a device being compromised, is broadly the same as protecting other connected and operational technologies: better collaboration, lifecycle management, network monitoring and a “secure by design” ethos to new products.

    What we don’t have is time: securing medical devices is a life and death issue, and most in the field fear that a new major attack is imminent. Vendors, practitioners and security experts must all work closely together to combat the well-funded actors who pose a threat.

    Connected healthcare

    The benefits of connected medical devices are unquestionable, with much progress being made in terms of treatments and cures. For example, we’ve already seen low cost blood sugar monitoring implants that can synchronize with a smartphone to help diabetics manage their condition. Networked X-ray and ultrasound machines that can deliver instant images to a practitioner’s desktop are also speeding up diagnosis and treatments in emergency rooms from Seattle to Singapore.

    The problem is as medical devices have become increasingly connected, they have also become exposed to an array of potential security flaws. This connectivity and the benefits it has bestowed upon us, such as remote monitoring and data gathering and analysis, has brought with it new risks.

    When the WannaCry ransomware shut down large sections of the UK National Health Service’s IT systems earlier this year, it was aiming to disrupt services in order to achieve ransom payments on behalf of its creators.

    The diagnosis

    Healthcare providers should be well aware of these dangers as security experts have been warning of them for many years. At the very least, medical device manufacturers need to be conscious of the legislative work around the world that is aimed at enforcing better protection of networks and systems. Close reading of new data privacy and breach disclosure laws will help encourage good practice, and in the US the FDA has strict requirements around public safety and is acutely aware of the issues, as demonstrated by the recent pacemaker recall.

    We know that bad actors will always find new exploits and methods of attack, so part of the Secure SDLC process includes future vigilance for unexpected behaviors which could indicate a novel threat has been found.

    In terms of the infrastructure for connected medical devices, more care needs to be taken with proper network segmentation. This will help reduce the risk of unauthorized access or cross-infection from IT systems, and will further secure new devices and help protect the many legacy devices out there. Done correctly, this doesn’t mean any less convenience – those X-rays will still make it to the GP’s desk at speed – but the extra steps of protection must be in place.

    Reply
  30. Tomi Engdahl says:

    IoT, Android Botnets Emerge as Powerful DDoS Tools: Akamai
    http://www.securityweek.com/iot-android-botnets-emerge-powerful-ddos-tools-akamai

    Distributed denial of service (DDoS) attacks observed during the third quarter employed familiar vectors, but a newcomer that made headlines for abusing Android devices is expected to evolve, a new Akamai report suggests.

    This new threat is the Android-based WireX botnet, which managed to infect 150,000 devices within a matter of weeks, the company’s Third Quarter, 2017 State of the Internet / Security Report (PDF), points out. Distributed through legitimate-looking infected apps in Google Play, the botnet managed to spread fast and might have grown even bigger if it wasn’t for the joint effort of several tech companies.

    Akamai, which was involved in the botnet’s takedown, expects WireX to persist, evolve, and flourish, the same as the infamous Mirai Internet of Things (IoT) botnet did. Highly active last year, Mirai had a much lower presence on the threat landscape during Q3, with the largest attack powered by it only peaking at 109 Gbps (gigabit per second).

    Reply
  31. Tomi Engdahl says:

    U.S. Indicts Chinese For Hacking Siemens, Moody’s
    http://www.securityweek.com/us-indicts-chinese-hacking-siemens-moody

    U.S. authorities filed charges Monday against three China-based hackers for stealing sensitive information from U.S. based companies, including data from Siemens industrial groups and accessing a high-profile email account at Moody’s.

    Wu Yingzhuo, Dong Hao and Xia Lei, who the Department of Justice (DOJ) says are Chinese nationals and residents of China, were indicted by a grand jury for a series of cyber-attacks against three corporate victims in the financial, engineering and technology industries between 2011 and May 2017.

    Victims named in the indictment include Moody’s Analytics, Siemens, and GPS technology firm Trimble.

    According to the indictment, the hackers:

    • Stole approximately 407 gigabytes of proprietary commercial data pertaining to Siemens’s energy, technology and transportation businesses.

    • Accessed the internal email server of Moody’s Analytics and placed a forwarding rule in the email account of a prominent employee, and set it to forward all emails to and from the account to web-based email accounts controlled by the attackers.

    • Stole at least 275 megabytes of data, including compressed data, which included hundreds of files that would have assisted a Trimble competitor in developing, providing and marketing a similar product without incurring millions of dollars in research and development costs.

    “The primary goal of the co-conspirators’ unauthorized access to victim computers was to search for, identify, copy, package, and steal data from those computers, including confidential business and commercial information, work product, and sensitive victim employee information, such as usernames and passwords that could be used to extend unauthorized access within the victim systems,” the DOJ said. “For the three victim entities listed in the Indictment, such information included hundreds of gigabytes of data regarding the housing finance, energy, technology, transportation, construction, land survey, and agricultural sectors.”

    Reply
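    The Moody’s detail in the indictment, a forwarding rule quietly placed in one executive’s mailbox, is something a mail administrator can audit for directly. The following is an added example of that audit, not the DOJ’s or any vendor’s code; the organisation domains and the rule records are constructed, shaped like Exchange inbox-rule exports (Name, Enabled, ForwardTo, RedirectTo, ForwardAsAttachmentTo, DeleteMessage), with targets in the `"Display Name" [SMTP:address]` form Exchange emits.

```python
"""Audit mailbox inbox rules for forwarding to external addresses.

Added illustration for the Moody's forwarding-rule detail above; not the DOJ's
or any vendor's code. INTERNAL_DOMAINS and SAMPLE_RULES are constructed,
shaped like Exchange inbox-rule exports.
"""
import re

INTERNAL_DOMAINS = {"example.com", "corp.example.com"}  # assumed organisation domains

SAMPLE_RULES = [
    {"Mailbox": "cfo@example.com", "Name": "Archive to records", "Enabled": True,
     "ForwardTo": [], "RedirectTo": ['"Records" [SMTP:records@corp.example.com]'],
     "ForwardAsAttachmentTo": [], "DeleteMessage": False},
    # Attacker-style rule: near-empty name, external forward, evidence deleted.
    {"Mailbox": "cfo@example.com", "Name": ".", "Enabled": True,
     "ForwardTo": ['"Backup" [SMTP:backup.mail.7731@webmail.invalid]'],
     "RedirectTo": [], "ForwardAsAttachmentTo": [], "DeleteMessage": True},
    # Policy violation rather than intrusion: user forwarding to a personal account.
    {"Mailbox": "analyst@example.com", "Name": "Send newsletters home", "Enabled": True,
     "ForwardTo": [], "RedirectTo": [],
     "ForwardAsAttachmentTo": ['"Me" [SMTP:analyst.home@webmail.invalid]'],
     "DeleteMessage": False},
    {"Mailbox": "analyst@example.com", "Name": "Old disabled rule", "Enabled": False,
     "ForwardTo": ['"X" [SMTP:x@webmail.invalid]'], "RedirectTo": [],
     "ForwardAsAttachmentTo": [], "DeleteMessage": False},
]

EMAIL_RE = re.compile(r"[\w.+-]+@[\w.-]+")


def external_addresses(targets):
    """Addresses in the target list whose domain is not one of ours."""
    out = []
    for target in targets:
        for addr in EMAIL_RE.findall(target):
            domain = addr.rsplit("@", 1)[1].lower()
            if domain not in INTERNAL_DOMAINS:
                out.append(addr.lower())
    return out


def audit_forwarding_rules(rules):
    """Return findings for enabled rules that send mail outside the organisation."""
    findings = []
    for rule in rules:
        if not rule.get("Enabled", False):
            continue
        targets = (rule.get("ForwardTo", []) + rule.get("RedirectTo", [])
                   + rule.get("ForwardAsAttachmentTo", []))
        external = external_addresses(targets)
        if not external:
            continue
        # Hidden-rule heuristics: the rule deletes the message, or has an unreadable name.
        stealthy = rule.get("DeleteMessage", False) or not rule["Name"].strip(" ._-")
        findings.append({"mailbox": rule["Mailbox"], "rule": rule["Name"],
                         "external": external,
                         "severity": "high" if stealthy else "medium"})
    return findings


if __name__ == "__main__":
    for finding in audit_forwarding_rules(SAMPLE_RULES):
        print(finding)
```

    Inbox rules are only one of the forwarding paths (mailbox-level forwarding and transport rules are the others), so the same audit belongs on those too, and the cheaper long-term control is to block automatic external forwarding at the tenant or transport level and alert on rule creation rather than polling for it.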
  32. Tomi Engdahl says:

    Sound-Off: Can Executives Make or Break Your Cybersecurity Program?
    https://www.techbriefs.com/component/content/article/1198-tb/news/news/27923-sound-off-can-executives-make-or-break-your-cybersecurity-program?utm_source=TBnewsletter&utm_medium=email&utm_campaign=20171128_Main_INSIDER&eid=376641819&bid=1935502

    As vehicles become increasingly connected, OEMs must develop cybersecurity programs to address new risks. In a presentation titled, “Connected Vehicles & Cybersecurity: How Government and Industry Are Responding to New IoT Tech & Emerging Threats,” a Tech Briefs reader asked our expert:

    “How important are C-suite support and resources for a cybersecurity program?”

    Reply
  33. Tomi Engdahl says:

    Anyone Can Hack MacOS High Sierra Just by Typing “Root”
    https://www.wired.com/story/macos-high-sierra-hack-root/

    There are hackable security flaws in software. And then there are those that don’t even require hacking at all—just a knock on the door, and asking to be let in. Apple’s macOS High Sierra has the second kind.

    On Tuesday, security researchers disclosed a bug that allows anyone a blindingly easy method of breaking that operating system’s security protections. Anyone who hits a prompt in High Sierra asking for a username and password before logging into a machine with multiple users can simply type “root” as a username, leave the password field blank, click “unlock” twice, and immediately gain full access.

    In other words, the bug allows any rogue user that gets the slightest foothold on a target computer to gain the deepest level of access to a computer, known as “root” privileges. Malware designed to exploit the trick could also fully install itself deep within the computer, no password required.

    “We always see malware trying to escalate privileges and get root access,” says Patrick Wardle, a security researcher with Synack. “This is best, easiest way ever to get root, and Apple has handed it to them on a silver platter.”

    https://www.express.co.uk/life-style/science-technology/885661/Apple-MacOS-High-Sierra-root-bug-fix-how-to-stop-simple-hack

    Apple MacOS High Sierra root bug – How to protect your Mac from serious security flaw
    APPLE Mac users warned as serious macOS High Sierra root bug is discovered. A fix is being worked on but here’s how to protect your iMac and MacBook right now

    Reply
  34. Tomi Engdahl says:

    Canadian hacker pleads guilty in huge Yahoo hack case
    https://techcrunch.com/2017/11/28/karim-baratov-guilty-plea-yahoo-hack/?ncid=rss&utm_source=tcfbpage&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29&utm_content=FaceBook&sr_share=facebook

    A Canadian citizen has pleaded guilty to aiding Russian intelligence officers in a 2014 hack of Yahoo that exposed as many as 500 million accounts. The defendant, 22-year-old Karim Baratov, is the only arrest to come out of the Yahoo hack as the three other individuals facing charges live in Russia, which obviously has no interest in extraditing them to the United States.

    Reply
  35. Tomi Engdahl says:

    77% of 433,000 Sites Use Vulnerable JavaScript Libraries
    https://snyk.io/blog/77-percent-of-sites-still-vulnerable/?utm_content=bufferb630e&utm_medium=social&utm_source=facebook.com&utm_campaign=buffer

    analysis of around 433,000 sites found that 77% of them use at least one front-end JavaScript library with a known security vulnerability. This number mirrors the one we reported back in March

    study back in March: 77.3% (323,132) of those sites failed the audit. In other words, 77.3% of those sites contain at least one client-side JavaScript library with a known security vulnerability.

    It turns out, that if you carry at least one known vulnerability, you likely carry more. 51.8% of vulnerable sites carry more than one known security vulnerability.

    we can query to see which libraries are detected most often—whether they are vulnerable or not

    Unsurprisingly, jQuery tops the list.

    No library yet has come close to reaching jQuery’s universal appeal. One caveat here: React is currently being underreported.

    Looking at the percentages doesn’t paint a rosy picture. 92.5% of jQuery versions, the most popular library on the web by far, in production carry a known security vulnerability. In fact, of the ten libraries most commonly found to be carrying a known vulnerability, six of them are vulnerable in the majority of versions found in production.

    Reply
  36. Tomi Engdahl says:

    That’s 77% of sites that are one developer making one method call away from being vulnerable

    Reply
  37. Tomi Engdahl says:

    Open source’s big weak spot? Flawed libraries lurking in key apps
    http://www.zdnet.com/article/open-sources-big-weak-spot-flawed-libraries-lurking-in-key-apps/

    To avoid becoming the next Equifax, it could be a good idea to scan your apps for vulnerable open-source libraries.

    This week GitHub launched a new service to help developers ferret out and fix vulnerable dependencies in projects hosted on the code repository.

    The service could be a major improvement for developers who don’t, for a variety of reasons, stay abreast of known flaws in popular libraries for Ruby, JavaScript, and Java applications.

    Equifax’s recent breach, affecting 145 million US consumers and several hundred thousand Brits, was a prime example of what can happen when you fail to discover and patch a flaw in open-source software, which for Equifax was Apache Struts, a popular Java library.

    http://www.zdnet.com/article/github-to-devs-now-youll-get-security-alerts-on-flaws-in-popular-software-libraries/

    Reply
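    Both the Snyk numbers (comment 35) and GitHub’s dependency alerts (comment 37) come down to the same mechanical check: find the library and version a site or project actually uses and compare it against an advisory feed. The following is an added example of that check on both kinds of input, not Snyk’s scanner or GitHub’s service; ADVISORIES is constructed placeholder data rather than a real vulnerability feed, and the HTML page and package.json are constructed too.

```python
"""Spot known-vulnerable JavaScript library versions in pages and manifests.

Added illustration for the Snyk figures and the GitHub dependency-alert story
above; not Snyk's scanner or GitHub's service. ADVISORIES, SAMPLE_HTML and
SAMPLE_PACKAGE_JSON are constructed placeholders.
"""
import json
import re

# name -> list of (first_fixed_version, advisory_id). Constructed placeholder data.
ADVISORIES = {
    "jquery": [("3.0.0", "ADV-PLACEHOLDER-JQ")],
    "lodash": [("4.17.5", "ADV-PLACEHOLDER-LD")],
}

SCRIPT_SRC_RE = re.compile(r"<script[^>]*\ssrc=[\"']([^\"']+)[\"']", re.I)
# Matches e.g. jquery-1.8.3.min.js or lodash@4.17.4/lodash.js inside a script URL.
LIB_VERSION_RE = re.compile(
    r"(?P<name>%s)[-@/]?(?P<ver>\d+\.\d+\.\d+)" % "|".join(ADVISORIES), re.I)
RANGE_PREFIX_RE = re.compile(r"^[\^~>=<v\s]+")


def version_tuple(version):
    """'1.8.3' -> (1, 8, 3); tolerates a leading 'v' or npm range operator."""
    cleaned = RANGE_PREFIX_RE.sub("", version)
    return tuple(int(part) for part in cleaned.split(".")[:3])


def known_advisories(name, version):
    """Advisory ids whose first fixed version is above the version in use."""
    in_use = version_tuple(version)
    return [adv for fixed, adv in ADVISORIES.get(name.lower(), [])
            if in_use < version_tuple(fixed)]


def audit_html(html):
    """Findings for libraries referenced by <script src> tags with a version in the URL."""
    findings = []
    for src in SCRIPT_SRC_RE.findall(html):
        match = LIB_VERSION_RE.search(src)
        if not match:
            continue
        name, ver = match.group("name").lower(), match.group("ver")
        for adv in known_advisories(name, ver):
            findings.append((name, ver, adv))
    return findings


def audit_package_json(text):
    """Check declared ranges by their lower bound; a lockfile gives exact versions."""
    manifest = json.loads(text)
    deps = {**manifest.get("dependencies", {}), **manifest.get("devDependencies", {})}
    findings = []
    for name, spec in deps.items():
        if not re.match(r"^[\^~>=<v\s]*\d+\.\d+\.\d+$", spec):
            continue  # git URLs, tags, wildcards: cannot be resolved offline
        for adv in known_advisories(name, spec):
            findings.append((name.lower(), spec, adv))
    return findings


SAMPLE_HTML = """<html><head>
<script src="https://cdn.example.invalid/jquery-1.8.3.min.js"></script>
<script src="https://cdn.example.invalid/lodash@4.17.5/lodash.min.js"></script>
<script src="/static/app.js"></script>
</head></html>"""

SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "constructed-app",
    "dependencies": {"jquery": "^3.2.1", "lodash": "~4.17.4"},
    "devDependencies": {"somelib": "git+https://git.example.invalid/x.git"},
})

if __name__ == "__main__":
    print("page:", audit_html(SAMPLE_HTML))
    print("manifest:", audit_package_json(SAMPLE_PACKAGE_JSON))
```

    The version-in-URL heuristic is exactly why the Snyk post notes React is underreported: bundled or renamed files carry no version string, and a real scanner falls back to fingerprinting file contents. On the manifest side, checking the lower bound of a range is a floor, not the truth; `^3.2.1` may resolve to a fixed release while `~4.17.4` may not, which is why alerting on the lockfile is the more useful signal.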
  38. Tomi Engdahl says:

    Patch for macOS Root Access Flaw Breaks File Sharing
    http://www.securityweek.com/patch-macos-root-access-flaw-breaks-file-sharing

    The patch released by Apple on Wednesday for a critical root access vulnerability affecting macOS High Sierra appears to break the operating system’s file sharing functionality in some cases. The company has provided an easy fix for affected users.

    The flaw, tracked as CVE-2017-13872, allows an attacker to gain privileged access to a device running macOS High Sierra by logging in to the root account via the graphical user interface with the username “root” and any password. Apple has disabled the root account by default and when users attempt to log in to this account, the password they enter is set as its password. If the password field is left blank, there will be no password on the root account.

    The vulnerability can be exploited locally, but remote attacks are also possible if sharing services are enabled on the targeted machine.

    While the issue was mentioned on Apple developer forums on November 13, the tech giant only learned about it on November 28, when a Turkish developer posted a message on Twitter. A patch was released within 24 hours, but since Apple did not have enough time to test the fix, it appears to introduce other problems.

    Reply
  39. Tomi Engdahl says:

    Almost all of the crypto-wallet applications are leaking

    The use of cryptocurrencies is becoming more and more common, and recently, for example, Bitcoin’s value has risen rapidly. According to an analysis by the American security company, most of the most popular mobile apps for cryptocurrencies downloaded from Google Play were insecure.

    High-Tech Bridge’s analysis covered more than 2000 cryptocurrency applications. Of the most popular ones, those with more than half a million downloads, as many as 94 percent contained at least three medium-level vulnerabilities. 77% of applications had at least three serious vulnerabilities.

    The most common security issues associated with data are unprotected storage. Another important vulnerability is inadequate data encryption.

    Source: http://www.etn.fi/index.php/13-news/7243-lahes-kaikki-kryptovaluuttasovellukset-vuotavat

    Reply
  40. Tomi Engdahl says:

    How secure are the most popular crypto currencies mobile apps?
    https://www.htbridge.com/news/security-cryptocurrency-mobile-apps.html

    We tested the most popular crypto currency mobile apps from Google Play for common vulnerabilities and weaknesses. Over 90% may be in trouble.

    Over 1300 crypto currencies exist today with over $328,331,711,597 market capitalization (at the moment of this post publication). One of the most popular and oldest cryptocurrency – Bitcoin has reached $10,000 price after several months of fluctuation, but continuous and steady growth.

    A wide spectrum of mobile applications for crypto currencies were released during the last few years by various startups, independent digital experts and even licensed banking institutions. The total number of crypto currency applications in Google Play designed to store, process or trade crypto currencies has exceeded two thousand and continues to grow.

    Obviously, cybercriminals could not pass on such an outstanding opportunity and are aggressively targeting all possible stakeholders of the emerging digital currency market.

  41. Tomi Engdahl says:

    AWS Launches New Cybersecurity Services
    http://www.securityweek.com/aws-launches-new-cybersecurity-services

    Amazon Web Services (AWS) announced this week at its AWS re:Invent conference the launch of several new cybersecurity services, including for threat detection, IoT security, and secure communications for Virtual Private Cloud.

    Amazon GuardDuty

    One of the new products is Amazon GuardDuty, an intelligent threat detection service that helps customers protect their AWS accounts and workloads by continuously looking for unauthorized and malicious activity.

    Amazon GuardDuty, which can be enabled from the AWS Management Console, creates a baseline for normal account activity, and uses machine learning to identify any irregular behavior. If suspicious activity is detected, the AWS account owner is immediately notified.

    The new service obtains threat intelligence from both AWS itself and third-party sources such as CrowdStrike and Proofpoint, it does not require any new hardware or software, and it can be integrated with products from Alert Logic, Evident.io, Palo Alto Networks, RedLock, Rapid7, Sumo Logic, Splunk and Trend Micro.

    Another new product launched this week is AWS PrivateLink, a managed service that allows developers to securely access third-party SaaS applications from their Virtual Private Cloud (VPC).

    A majority of Amazon EC2 cloud instances run in VPCs these days, but using third-party SaaS applications can introduce security risks.

    IoT Services

    AWS also announced the launch of several new services designed for managing, protecting and monitoring Internet of Things (IoT) devices. These are AWS IoT 1-Click, IoT Device Management, IoT Device Defender, IoT Analytics, Amazon FreeRTOS, and Greengrass ML Inference.

    Three of the new IoT services help improve security. AWS IoT Device Management, which is available immediately, allows organizations to securely onboard, manage and monitor IoT devices, including to apply patches and software updates.

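The article above says GuardDuty notifies the account owner when suspicious activity is detected; in practice that notification is wired up by the customer. As an added example, not code from the article or from AWS, this builds an EventBridge rule pattern for GuardDuty findings at or above a chosen severity, checks it locally against constructed sample events, and deploys it to an SNS topic (the rule name and topic ARN are caller-supplied placeholders).

```python
import json

# Added example (not from the article or AWS): an EventBridge rule that forwards
# GuardDuty findings to an SNS topic, plus a local matcher to test the rule offline.
# Rule name and topic ARN are caller-supplied placeholders.
def finding_event_pattern(min_severity):
    """Pattern for GuardDuty findings at or above min_severity; the numeric
    filter drops low-severity noise before it reaches the SOC."""
    return {"source": ["aws.guardduty"], "detail-type": ["GuardDuty Finding"],
            "detail": {"severity": [{"numeric": [">=", min_severity]}]}}

_NUM = {">=": lambda v, b: v >= b, ">": lambda v, b: v > b, "<=": lambda v, b: v <= b,
        "<": lambda v, b: v < b, "=": lambda v, b: v == b}

def _alt_ok(alt, value):
    if isinstance(alt, dict) and "numeric" in alt:   # {"numeric": [op, bound]}
        op, bound = alt["numeric"]
        return isinstance(value, (int, float)) and _NUM[op](value, bound)
    return value == alt                               # exact-value match

def pattern_matches(pattern, event):
    """Mirror EventBridge matching for the operators used above: every key must
    match, a nested object recurses, a list is an OR of alternatives."""
    for key, allowed in pattern.items():
        value = event.get(key)
        if isinstance(allowed, dict):
            if not isinstance(value, dict) or not pattern_matches(allowed, value):
                return False
        elif not any(_alt_ok(alt, value) for alt in allowed):
            return False
    return True

def create_alert_rule(rule_name, topic_arn, min_severity=7.0):
    """Deploy the rule with an SNS topic as its target (needs AWS credentials)."""
    import boto3  # imported here so the pure functions above run offline
    events = boto3.client("events")
    events.put_rule(Name=rule_name, EventPattern=json.dumps(finding_event_pattern(min_severity)))
    events.put_targets(Rule=rule_name, Targets=[{"Id": "soc-sns", "Arn": topic_arn}])

# Constructed sample events in GuardDuty's EventBridge shape, not real findings.
SAMPLE_EVENTS = [
    {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
     "detail": {"type": "UnauthorizedAccess:IAMUser/MaliciousIPCaller", "severity": 8.0}},
    {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
     "detail": {"type": "Recon:EC2/PortProbeUnprotectedPort", "severity": 2.0}},
    {"source": "aws.ec2", "detail-type": "EC2 Instance State-change Notification",
     "detail": {"state": "running"}},
]

def alertable(events, min_severity=7.0):
    """Finding types the rule would forward to the SOC."""
    pat = finding_event_pattern(min_severity)
    return [e["detail"]["type"] for e in events if pattern_matches(pat, e)]
```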
  42. Tomi Engdahl says:

    Should Social Media be Considered Part of Critical Infrastructure?
    http://www.securityweek.com/should-social-media-be-considered-part-critical-infrastructure

    Russia interfered in the U.S. 2016 election, but did not materially affect it. That is the public belief of the U.S. intelligence community. It is a serious accusation and has prompted calls for additions to the official 16 critical infrastructure categories. One idea is that ‘national elections’ should be included. A second, less obvious one, is that social media should be categorized as a critical industry.

    The reason for the latter is relatively simple: social media as a communications platform is being widely used by adversary organizations and nations to disseminate their own propaganda. This ranges from ISIS using it as a recruitment platform, to armies of Russian state-sponsored trolls manipulating public opinion via Twitter.

    Russian interference, or opinion manipulation, has not been limited to the U.S. Both France and Germany worried about it prior to their own national elections.

    The DHS introduces its definition of the critical infrastructure with, “There are 16 critical infrastructure sectors whose assets, systems, and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.” These include ‘energy’, ‘finance’, ‘transport’, ‘communications’ and ‘IT’. Maintaining the availability and continued operation of all of these sectors is clearly critical to the well-being of the nation. Maintaining the availability of social media does not seem so critical.

    Harkins’ argument, however, is that the world has changed since the origins of the critical infrastructure classification.

    Business and society have gone through, and are still going through, a dramatic ‘digitization’ of their operations. The internet and all things cyber have become fundamental to the operation of the economy and society.

    “Where cyber is concerned,” Harkins told SecurityWeek, “the ‘A’ of ‘CIA’ is not enough. The Availability of the critical infrastructure must now be bolstered by the Integrity of the critical infrastructure.”

    “The world today,” he continued, “is based on information with headlong digitization of both business and society. With everything now based on our reaction to and use of information, the integrity of that information has never been more vital.”

    The availability of the Communications and IT sectors is already considered critical, and social media is the most important and widespread platform that unites the communications and IT sectors. If the concept of the critical infrastructure is widened from availability to include integrity, then social media is already, de facto, part of the critical infrastructure. “At what point,” asks Harkins, “does the integrity of the information flowing through the IT sector or the communications sector hit a significant and material risk that will force us to consider it critical?”

  43. Tomi Engdahl says:

    Start with the Threat to Prioritize Patching
    http://www.securityweek.com/start-threat-prioritize-patching

    By Starting With the Threat You Can Easily Prioritize Vulnerabilities and “Embrace the Grey”

    For years the security industry has been talking about the importance of patching as a basic security measure to prevent attacks. The Equifax breach is the latest reminder of what happens when organizations lag in this effort. It’s a safe bet that Equifax isn’t alone.

    Research by Enterprise Strategy Group (ESG) finds that improving the ability to discover, prioritize and remediate software vulnerabilities is a top priority for cybersecurity professionals – second only to detecting, containing and remediating actual attacks. On the flip side, the research also points to patching as among the most time-consuming security operations tasks.

    A lack of skilled cyber security professionals is often behind our inability to patch in a timely manner. It is not just the number of vulnerabilities; it is the process needed to patch – testing, deploying, verifying, planning for downtime, etc. We simply don’t have the people, infrastructure, tools and, ultimately, time available. But what we often fail to recognize, is that this isn’t an all or nothing scenario. In fact, nothing is when it comes to cybersecurity.

  44. Tomi Engdahl says:

    Trust Your Security Vendor, ‘They Have Access to Everything You Do,’ Says F-Secure Research Chief
    http://www.securityweek.com/trust-your-security-vendor-they-have-access-everything-you-do-says-f-secure-research-chief

    The DHS ban on government agencies using Kaspersky Lab’s security products has reverberated around the security industry. The concern is not simply whether the Moscow-based security firm has colluded with Russian intelligence, but how many other security firms could, through their own products, potentially collude with their own national intelligence agencies.

    The DHS statement bans government agencies from using Kaspersky Lab products, saying, “The risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates U.S. national security.”

    Herein lies the problem. Before developing anti-virus software and forming Kaspersky Lab, Eugene Kaspersky studied cryptology at a KGB and defense-funded school, and later worked at Russia’s Ministry of Defense as a cryptologist. So the link — and therefore the risk — exists. At the same time, however, any glance through LinkedIn’s staff profiles for U.S. security firms will return a large number of senior employees with an NSA, CIA, FBI or State Department background, with many U.S. security firms boasting about their former government and military hires. Connections alone do not necessarily imply collusion.

    However, if the Kaspersky-Russian intelligence link is a concern, then by implication users should consider the potential for a McAfee and Symantec link with the NSA, and a Sophos link with GCHQ. In an attempt to counter any potentially growing lack of trust in security products in general, F-Secure’s Chief Research Officer, Mikko Hypponen, has talked today about how his own company handles confidential user information.

    https://www.f-secure.com/en/web/business_global/our-approach/cyber-security-sauna

  45. Tomi Engdahl says:

    Russia Wants To Launch Backup DNS System By August 1, 2018
    https://tech.slashdot.org/story/17/11/30/2325233/russia-wants-to-launch-backup-dns-system-by-august-1-2018?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29

    The Russian government plans to build its own “independent internet infrastructure” that will be used by BRICS member states — Brazil, Russia, India, China, and South Africa. The plan was part of the topic list at the October meeting of the Russian Security Council, and President Vladimir Putin approved the initiative with a completion deadline of August 1, 2018, according to Russian news agency RT. The Russian Security Council has today formally asked the country’s government to start the building of a backup global DNS system that Russia and fellow BRICS member states could use.

    Russia Wants to Launch Backup DNS System by August 1, 2018
    https://www.bleepingcomputer.com/news/government/russia-wants-to-launch-backup-dns-system-by-august-1-2018/

    Russia to build its own DNS system backup

    The Russian Security Council has today formally asked the country’s government to start the building of a backup global DNS system that Russia and fellow BRICS member states could use.

    The Russian Security Council cited the “increased capabilities of western nations to conduct offensive operations in the informational space.”

    Russia and fellow BRICS nations would like the option to flip a switch and move Internet traffic from today’s main DNS system to their own private backup.

  46. Tomi Engdahl says:

    Once again: If you carry a sensor of any kind, you must assume it to be active and collecting data, you can’t trust pinky promises
    https://www.privateinternetaccess.com/blog/2017/11/once-again-if-you-carry-a-sensor-of-any-kind-you-must-assume-it-to-be-active-you-cant-trust-pinky-promises/

    As Quartz revealed, Google has been tracking your location since the start of 2017. At this point, the story should not be about why Google did this, but why, with all the experience at hand, anybody expected otherwise. Privacy is your own responsibility today.

  47. Tomi Engdahl says:

    Badass alert: 1 in 5 Brits don’t give a damn about webpage crypto-miners
    More sensible users would like regulation or permission first
    https://www.theregister.co.uk/2017/12/01/1_in_5_brits_not_bothered_by_webpage_bitcoin_miners/

    More than 20 per cent of Britons don’t mind letting websites hijack their CPUs to mine cryptocurrency, a slightly stale survey has found.

    The data also shows that da yoofs are more in favour of crypto miners than greybeards – 20 per cent of 18-24s are happy for websites to mine alt-coin, against 4 per cent of over-50s.

  48. Tomi Engdahl says:

    The future: Hacker AI and IoT ransomware?
    https://www.htbridge.com/blog/the-future-hacker-ai-and-iot-ransomware.html

    The future could be about to get a lot nastier, as ransomware evolves to incorporate new business models, according to researchers looking ahead to 2018.
