Year 2017 will not have any turn towards better data security. The internet is rife with such well-known than the unknown threats. The company’s systems are supposed to be protected.Hackers are going to continue to look for new ways to extort and steal information from businesses and organizations, which unfortunately means those businesses and organizations will have to continue to look for new ways to protect themselves.
Critical infrastructure cames under attack in 2017. Critical infrastructures must be better protected from criminals and terrorists who take advantage of modern technologies that are essential for the functioning of society and the economy. IT security functions of industrial control systems (ICS), energy grids and IoT networks needs to be improved in 2017.
There is push for better web security in 2017. Starting New Year’s Day, Google’s Chrome will begin labeling as “insecure” all websites that transmit passwords or ask for credit card details over plain text HTTP. Beginning in January 2017 (Chrome 56), HTTP sites that transmit passwords or credit cards are marked as non-secure, as part of a long-term plan to mark all HTTP sites as non-secure.
SHA-1 is insecure. Starting on Jan 1, 2017, most CAs will migrate to SHA-2 certificates, and major browser makers have already announced plans to adopt the change, including Microsoft, Google, and Mozilla. Their browsers will no longer trust sites that use SHA-1 starting with that date, and they will mark these websites as insecure. 1/3 of Websites Use SHA-1 Certificates Despite Looming Deadline. SHA-1 will still hang around, like a fart in a spacesuit, for many years to come because some people are lazy enough not to make the change.
There will be changes in how security is viewed in 2017 by businesses. We will likely see cloud adoption continue to grow across the United States, network visibility will no longer just be an option, AI and machine learning will shake old security models, and IoT-powered attacks will continue to rise. All of this will factor into how businesses set up, monitor and secure their networks.
The Commoditization of Cyberattacks Will Make Them More Frequent in 2017. More and more companies suffer from disruption to business due to cyber attacks. Cyber-attacks cause companies significant financial losses, but the studies shows that companies are not prepared for attacks. According to Gartner, by 2018 only 40 per cent of large companies have official plans in case of cyber attacks. Last year, the percentage was zero.
Strap yourself in for a bumpy ride in 2017. 2016 sucked. 2017 won’t be much better, sorry. DDoS attacks have been around since at least 2000, and they’re not going away. In fact, as the number of devices online grows, the volume and velocity of these attacks is also increasing. DDoS attack toolkits have been around for years, as have services that will enable you to pay for an attack. Expect to see more of them. It seems that 2017 promises to be the most dramatic year yet in DDoS conflict. Whale-sized DDoS attacks will increase, the IoT will become a bigger factor in DDoS and DDoS will overshadow ransomware attacks and is used for extortion. Expect to see the Internet of Things (IoT) and other connected devices play an important part in these attacks.
Biometric identification will become more common in 2017, but it will not replace passwords. Fingerprint identification has become increasingly common in smartphones and already the technology is fast and reliable. This year biometric identification devices were sold for 4.5 billion dollars (most of them go to smart phones and laptops). 91 percent of biometric sales were fingerprint sensors, four per cent of face detection and three per cent iris detection.
Biometrics Won’t Kill Passwords any time soon. Even though PIN codes and passwords are actually pretty lousy protection case against skilled cybercriminal, the password will never disappear entirely, as two per cent of the world’s population is persons with a fingerprint not suitable for biometric identifier to work. Other biometric identification systems have also similar limitations and/or are not yet commonly available at reasonable cost. While biometrics, including fingerprint-, face-, iris-, palm- and speech-recognition, will continue to grow as a more secure substitute for passwords, they will not render passwords obsolete. Until the other common biometrics become commonplace, passwords are here to stay until circa 2030.
Fights with encryption and backdoors for them is not over in 2017. Many public figures in law enforcement have consistently argued that device encryption presents a new threat to police powers of investigation. On the other side House Judiciary Committee’s Encryption Working Group report says encryption backdoors pose a security threat, siding with tech experts in their latest report . The problem is that any system allowing police to get into those encrypted system (let it be phone, computer or communications) could also be exploited by criminals. Any action in this space should weigh any short-term benefits against the longterm impacts. Many industry experts will rightly tell you there is no such thing as partial data encryption. You either have a fully capable system or none at all.
Given the security events of 2016, coupled with the rapid advancements and adoption of cloud computing, 2017 will be the year in which many finally accept that network infrastructure and security will have to be rethought from the ground up. In 2017 the cloud will become a risk for users: The cloud becoming insecure – extortion and IoT openings.
The rivalry between the network attacks and network security is in acceleration. Crippling Internet services with denial of service attacks are becoming more common throughout the world. DDoS attacks have been around since at least 2000, and they’re not going away. In fact, as the number of devices online grows, the volume and velocity of these attacks is also increasing. IoT-powered attacks will continue to rise and stopping the attack is not easy. For most companies the key thing is that the attack traffic is stopped before it reaches the company’s Internet connection or servers (needs to use telecom operator and external services increase). In addition to service disturbion Denial of Service Attacks are often used as distraction during the actual data burglary.DDoS may take over from ransomware as a cause for concern.
In 2017 the IT and security professionals talk about more about business risks. Historically, firewalls, DLP, antivirus, SIEM and other technical point solutions have been the centerpiece of security conversations, but the mindset is slowly shifting from technology to risk. The goal of stopping all attacks and preventing all business impact has been recognized as a fool’s errand, and has shifted to measuring risk and minimizing business impacts. Cyber security is increasingly being viewed as a risk management problem.
In 2017 ‘Security’ Must be Added to our Existing Ethical and Philosophic Concerns Over Artificial Intelligence and Algorithms. Algorithms soon run the world. They present problems that are seriously questioned on both ethical and philosophic grounds; and they have become the basis of fictional Armageddons.
Cyber insurance will be more thoughs as on solution for handling cyber risks in 2017. The global cyber insurance market is expected to generate $14 billion by 2022, according to a new report published by Allied Market Research (AMR). That figure represents an impressive compound annual growth rate (CAGR) of nearly 28% from 2016 to 2022.
In 2017 Big Brother will be watching you 24/7.Those of you who’ve read George Orwell’s book 1984 or seen the movie ,will remember how the citizens of the fictitious totalitarian state of Oceana are constantly under surveillance by order of its dictator, Big Brother. So now swap your home desktop computer, laptop or smart phone for the fictitious telescreen and not only are you sitting in front of what is a modern day version of the Big Brother telescreen you are also walking around with one in your pocket or handbag. Sound a bit far fetched to you? Well it’s set to become a reality in many countries.
Users will want better security or at least to feell more secure in 2017. Many people are prepared to to extremes for better security. According to a recent survey of over 2,000 adults conducted by Harris Poll Nearly 40% of Americans Would Give Up Sex for a Year or eating their favourite food in Exchange for Better Online Securit, meant they’d never have to worry about being hacked. When you consider that 87 percent of U.S. adults use the internet, it makes sense that cyber security is one of the biggest concerns today. The single biggest thing people can do to help keep their online identity safe is probably the easiest – a solid password – and not giving it to other people. Still nearly 50% of people have shared a password to an e-mail account or to an account like Netflix.
Security Becomes A Multi-System Issue and more people talking about the issue. Design teams will have to bake strategies in from the start, no matter how insignificant the device.The good news is that it more people talking about the issue. The real challenge is packing enough security features into designs to prevent security breaches of every sort, including those that can come from other electronics that weren’t even considered as part of the design process. Just as devices get more sophisticated, so do hackers.The reality is that security breaches can even cause physical harm. It’s time to look at this at a multi-system, multi-disciplinary level. Otherwise, we literally could be playing with fire.
Block chains have been a big trend for several years. The block chain market is divided now when 2017 starts. During the autumn 2016, we have seen a number of initiatives on cooperation between the financial sector and consulting companies. Microsoft has chosen a platform for Ethereum-block chain and offers it to the Azure cloud service. IBM has jumped Hyperledger consortium bandwagon and offering their own block chains to Bluemix service. Google and Amazon still shine by their absence. Even banks may prefer to see the use of cloud for the block chains.
Other prediction articles worth to look:
What Lies Ahead for Cybersecurity in 2017?
Network Infrastructure, Visibility and Security in 2017
DDoS in 2017: Strap yourself in for a bumpy ride
Cybersecurity Industry Outlook: 2017 to 2021 | CSO Online
IBM’s Cybersecurity Predictions for 2017 – eForensics
https://eforensicsmag.com/ibms-cybersecurity-predictions-2017/
Top 5 Cybersecurity Threats to Watch Out for in 2017
Experts Hopeful as Confidence in Risk Assessment Falls
3,151 Comments
Tomi Engdahl says:
Phwning the boardroom: hacking an Android conference phone
https://www.contextis.com/resources/blog/phwning-boardroom-hacking-android-conference-phone/
At Context we’re always on the lookout for interesting devices to play with. Sat in a meeting room one day, we noticed that the menus on the conference phone, a Mitel MiVoice Conference/Video Phone, had a very familiar Android style. We’re doing more and more product security evaluations on devices just like this device, and Android is a topic of interest for me, so this looked like the perfect device to investigate further.
Conference phones are ubiquitous in modern offices, and they present an interesting attack surface. The devices are often in less secure areas of the building, places like meeting rooms where guests are allowed, and they’re often privy to very sensitive discussions, whether hosting a call or just sat on the table. They’re also the kind of device that may be missed when security testing; they often present very few listening services and may be placed in segregated VLANs that aren’t visible to an infrastructure penetration test.
This blog post will go through some of the issues we discovered with the Mitel MiVoice Conference/Video Phone. We didn’t perform a full security review of the device; instead, we thought it would be interesting to see what could be achieved by someone sat briefly in a meeting room with the device. Ultimately, we discovered that under these circumstances it would be possible to gain full control of the device
Tomi Engdahl says:
Cyber Warriors See Politics Muddying Security Efforts
http://www.securityweek.com/cyber-warriors-see-politics-muddying-security-efforts
San Francisco – President Donald Trump has vowed to improve cyber attack defense, but security experts meeting this week say a fractious domestic and international political landscape could hamstring efforts to improve internet security.
As the White House mulls an executive order on cybersecurity to combat an epidemic of data breaches and hacks, participants at the annual RSA Conference voiced concern that dwindling political unity will challenge efforts to improve defense.
“The core of the problem hasn’t changed; defenders have to win every time whereas attackers only have to win once,” Forrester Research vice president and group director Laura Koetzle told AFP, while discussing the current state of online threats.
“What is different now is that the geopolitical situation is more unstable than it has been in quite a while.”
Anti-globalization rhetoric that has been inflamed by Trump’s rise and the United Kingdom’s Brexit have shaken faith in the “globally interconnected world order”
If alliances for thwarting online assaults weaken, Koetzle said, “greater testing from Russia, North Korea, China” and others can be expected, as countries test how far limits can be pushed.
The issue of cyber defense was brought to the forefront after US intelligence officials concluded Russia had carried out a series of attacks aimed at disrupting the election, possibly helping Trump’s campaign.
Microsoft chief legal officer Brad Smith used the RSA stage to call for a “Digital Geneva Convention” that would set lines that should not be crossed in cyber war, with an independent oversight body to identify offenders.
Cyber policy task force co-chair Karen Evans had advised the administration to consider data as belonging to the user — an approach that could bolster arguments against weakening encryption or building in back doors to access people’s data.
Tomi Engdahl says:
Easy-to-Use Remcos RAT Spotted in Live Attacks
http://www.securityweek.com/easy-use-remcos-rat-spotted-live-attacks
After receiving numerous improvements, a Remote Administration Tool (RAT) that emerged last year on hacking forums was recently observed in live attacks, Fortinet security researchers reveal.
Dubbed Remcos, the RAT was put up for sale during the second half of 2016 and is currently available starting at $58 and going up to $389, depending on the selected license period and number of “masters” or clients. Available as version 1.7.3 at the moment, the malware is distributed via malicious Office documents named Quotation.xls or Quotation.doc, supposedly delivered via email.
Tomi Engdahl says:
Russian Black Hat Hacks 60 Universities, Government Agencies
http://www.securityweek.com/russian-black-hat-hacks-60-universities-government-agencies
A Russian-speaking black hat hacker has breached the systems of more than 60 universities and U.S. government agencies, according to threat intelligence firm Recorded Future.
The hacker, tracked by the company as “Rasputin,” typically exploits SQL injection vulnerabilities to gain access to sensitive information that he can sell on cybercrime marketplaces.
Rasputin is the hacker who last year breached the systems of the U.S. Election Assistance Commission (EAC) and attempted to sell more than 100 access credentials, including ones providing administrator privileges.
Recorded Future has been monitoring the hacker’s activities and identified many of his victims, including over two dozen universities in the United States, ten universities in the United Kingdom, and many U.S. government agencies.
There are plenty of free tools that can be used to find and exploit SQL injection vulnerabilities, including Havij, Ashiyane SQL Scanner, SQL Exploiter Pro, SQLI Hunter, SQL Inject Me, SQLmap and SQLSentinel. However, Rasputin has been using a SQL injection tool that he developed himself.
“Financial profits motivate actors like Rasputin, who have technical skills to create their own tools to outperform the competition in both identifying and exploiting vulnerable databases,”
Tomi Engdahl says:
Cyber Skills Shortage May Require Employers to Change Course: Report
http://www.securityweek.com/cyber-skills-shortage-may-require-employers-change-course-report
The cyber security skills gap is known and documented, and empirically understood by all enterprise security leaders. It was recently quantified by job site Indeed.com, which measured the difference between available positions and market interest in them. A new report from ISACA titled Current Trends in Workforce Development (PDF) now seeks to understand the shortcomings in the available applicants, and what can be done by enterprises to minimize the effect of skills shortage.
The effect of the skills shortage is severe, with more than 25% of enterprises taking more than 6 months to fill a security vacancy. Only 59 percent of the organizations say they receive at least five applications for each cyber security opening, and only 13 percent receive 20 or more. This compares to the 60 to 250 applications for the majority of non-security job openings.
The survey finds that the “main problem of obtaining key talent in the realm of cyber security stems from a lack of qualified applicants.” This is a serious issue that goes beyond the trivial chicken and egg explanation. Cyber security is such a rapidly evolving area that new skills are required almost as soon as schools and colleges begin to train for old requirements.
Threat hunting analysts are a prime example. All security technologies generate huge logs. Those logs contain, somewhere, the subtle indications of system compromise. But it requires a human analyst with a particular set of skills to be able to hunt through a myriad of log alerts to be able to detect the few genuine issues from a mass of false positives.
This is a relatively new development in cyber security. It stems from the rapidly growing use AI and machine-learning algorithms designed to detect anomalies.
more than half (55%) of the respondents report that practical, hands-on experience is the most important cyber security qualification. Employers are simply demanding the impossible: anybody already possessing both qualifications and experience has got that experience by being in employment.
Even within the low number of applicants, 25% of respondents say today’s cyber security candidates are lacking in technical skills; while 45% do not believe most applicants understand the business of cyber security.
Tomi Engdahl says:
Sometimes It’s Best to Avoid “Cupid’s” Arrow
http://www.securityweek.com/sometimes-its-best-avoid-cupid%E2%80%99s-arrow
Organizations need to understand their threat model and apply security processes as appropriate. For example, here are 10 things to do to mitigate the risk of extortion-based attacks.
1. Address vulnerabilities. Patching and proper configuration is an important part of your defense strategy.
2. Educate users. Provide awareness and training on the threat of extortion-based attacks, how they may be delivered, how to avoid becoming a victim, and how to report suspected phishing attempts. This training also should include the risks associated with password reuse.
3. Regularly backup data. Use cloud-based or physical backups and verify their integrity.
4. Separate data. Categorize data based on organizational value and then physical or logical separation of networks can be created for different business functions.
5. Manage the use of privileged accounts. Ensure the principal of least privilege is implemented not just for data but also for file, directory and network share permissions.
6. Manage passwords. Implement an enterprise password management solution – not only for secure storage and sharing but also strong password creation and diversity.
7. Authenticate users. Implement multi-factor authentication for external facing corporate services
8. Develop a response playbook.
9. Build out your threat model. Understand the threat actors targeting your industry and geography and monitor which tools they are using.
10. Prioritize the services that must be available and confirm executive buy-in for protection/mitigations. Gain this buy-in by communicating the losses incurred for downtime. How much will one hour of downtime cost you?
Tomi Engdahl says:
Glenn Greenwald / The Intercept:
Intelligence officials who leaked information about Flynn to the press committed felonies, but they were justified in doing so — President Trump’s National Security Advisor, Gen. Michael Flynn, was forced to resign on Monday night as a result of getting caught lying about whether …
The Leakers Who Exposed Gen. Flynn’s Lie Committed Serious — and Wholly Justified — Felonies
https://theintercept.com/2017/02/14/the-leakers-who-exposed-gen-flynns-lie-committed-serious-and-wholly-justified-felonies/
President Trump’s national security adviser, Gen. Michael Flynn, was forced to resign on Monday night as a result of getting caught lying about whether he discussed sanctions in a December telephone call with a Russian diplomat. The only reason the public learned about Flynn’s lie is because someone inside the U.S. government violated the criminal law by leaking the contents of Flynn’s intercepted communications.
In the spectrum of crimes involving the leaking of classified information, publicly revealing the contents of SIGINT — signals intelligence — is one of the most serious felonies. Journalists (and all other nongovernmental citizens) can be prosecuted under federal law for disclosing classified information only under the narrowest circumstances; reflecting how serious SIGINT is considered to be, one of those circumstances includes leaking the contents of intercepted communications, as defined this way by 18 § 798 of the U.S. Code
That “senior U.S. government official” committed a serious felony by leaking to Ignatius the communication activities of Flynn. Similar and even more extreme crimes were committed by what the Washington Post called “nine current and former officials, who were in senior positions at multiple agencies at the time of the calls,”
That all of these officials committed major crimes can hardly be disputed.
Yet very few people are calling for a criminal investigation or the prosecution of these leakers, nor demanding the leakers step forward and “face the music” — for very good reason: The officials leaking this information acted justifiably, despite the fact that they violated the law. That’s because the leaks revealed that a high government official, Gen. Flynn, blatantly lied to the public about a material matter — his conversations with Russian diplomats — and the public has the absolute right to know this.
This episode underscores a critical point: The mere fact that an act is illegal does not mean it is unjust or even deserving of punishment. Oftentimes, the most just acts are precisely the ones that the law prohibits.
That’s particularly true of whistleblowers — i.e., those who reveal information the law makes it a crime to reveal, when doing so is the only way to demonstrate to the public that powerful officials are acting wrongfully or deceitfully. In those cases, we should cheer those who do it even though they are undertaking exactly those actions that the criminal law prohibits.
Any leak that results in the exposure of high-level wrongdoing — as this one did — should be praised, not scorned and punished.
Tomi Engdahl says:
RSA Conference 2017 attendees hacked with rogue access points – Security Affairs
http://www.epanorama.net/newepa/2017/02/21/rsa-conference-2017-attendees-hacked-with-rogue-access-points-security-affairs/
http://securityaffairs.co/wordpress/56445/hacking/rsa-conference-attendees-hacked.html
You are not safe from hacking even is security conference.
Tomi Engdahl says:
Former Sysadmin Sentenced to Prison for Hacking Industrial Facility
http://www.securityweek.com/former-sysadmin-sentenced-prison-hacking-industrial-facility
A man has been sentenced to 34 months in prison and three years of supervised release for hacking into the systems of pulp and paper company Georgia-Pacific, the Department of Justice announced on Friday.
Johnson then remotely accessed the facility’s computers and caused system failures over the course of several days. When the FBI searched the man’s home in late February 2014, agents noticed a VPN connection to Georgia-Pacific’s systems on his computer.
The damage caused by the disgruntled employee has been estimated at more than $1.1 million, which Johnson will have to pay in restitution to Georgia-Pacific. He has also been ordered to pay $100 to the government and forfeit the devices used to commit the crime.
Tomi Engdahl says:
Germany Bans Internet-connected ‘Spy’ Doll Cayla
http://www.securityweek.com/germany-bans-internet-connected-spy-doll-cayla
German regulators have banned an internet-connected doll called “My Friend Cayla” that can chat with children, warning Friday that it was a de facto “spying device”.
Parents were urged to disable the interactive toy by the Federal Network Agency which enforces bans on surveillance devices.
“Items that conceal cameras or microphones and that are capable of transmitting a signal, and therefore can transmit data without detection, compromise people’s privacy,” said the agency’s head, Jochen Homann.
“This applies in particular to children’s toys. The Cayla doll has been banned in Germany. This is also to protect the most vulnerable in our society.”
The doll works by sending a child’s audio question wirelessly to an app on a digital device, which translates it into text and searches the internet for an answer, then sends back a response that is voiced by the doll.
The German regulators in a statement warned that anything a child says, or other people’s conversations, could be recorded and transmitted without parents’ knowledge.
“A company could also use the toy to advertise directly to the child or the parents,”
Tomi Engdahl says:
Taking Mature Security Operations to the Masses
http://www.securityweek.com/taking-mature-security-operations-masses
All Organizations Deserve a Mature Security Operations Function
In one of my recent SecurityWeek columns, I discussed how the days of mature security operations being restricted to an elite few organizations are over, or at least they should be. I also noted that the time had come to bring security to the masses, including even those organizations without large enterprise sized budgets. But how exactly can that be accomplished?
I am not an elitist. I believe that all organizations deserve a mature security operations function. The security operations platform and Security-as-a-Service approaches offer tremendous potential to the vast majority of organizations. As with any buying decision of course, organizations should push their vendors to ensure that they truly understand the actual capabilities of any proposed solution. Only then will a mature security posture truly come to the masses.
Tomi Engdahl says:
Microsoft Calls for Cyber Geneva Convention
http://www.securityweek.com/microsoft-calls-cyber-geneva-convention
The modern digital world is as much characterized by nation-sponsored cyber-attacks as it is by criminal cyber-attacks – and Microsoft is calling for an international cyber Geneva Convention to protect business, users and critical infrastructure before it spirals out of control.
In a blog post this week, President and Chief Legal Officer Brad Smith describes The need for a Digital Geneva Convention “that will commit governments to protecting civilians from nation-state attacks in times of peace.” Within this model, he sees the tech industry as ‘a neutral Digital Switzerland’ occupying the role of the Red Cross. It is a popularized re-working of arguments presented By Scott Charney’s June 2016 paper, An organizing model for cybersecurity norms development.
Smith also spoke on the topic at this week’s RSA Conference in San Francisco.
Smith believes that the time is right.
Key to this idea will be an international adoption of norms; that is, shared expectations of appropriate behavior. Various organizations have been working on such norms. “UN GGE, G20, US-Sino bilateral agreement all have worked toward shaping the appropriate and mutually agreed-upon behavior in the digital domain,”
“Are we at the beginning of a sea change in what the international community decides is acceptable behavior?” asked Jeff Moss, founder of Black Hat and DEF CON in September, 2016. “It doesn’t have to be a treaty; it can just be a norm. The next administration is going to have to drive those norms of behavior.”
But Brad Smith goes to the next step. He is arguing for just such an international treaty loosely modelled on the Fourth Geneva Convention. Is such a treaty feasible? It would require the international adoption of norms of behavior, coupled with the ability to definitively attribute wrongdoing.
Smith explains that the norms underpinning his convention “should commit governments to avoiding cyber-attacks that target the private sector or critical infrastructure or the use of hacking to steal intellectual property.
The first two elements are uncontroversial: governments should not attack other nations, and governments should assist the private sector in recovering from such attacks. The third, however, is difficult: it commits governments to effective cyber weapon disarmament.
The US/China bilateral agreement in late 2015 is cited as the green shoots of norms development
“Nation states have invested too much time, attention and money into cyber warfare and espionage machines to turn back the dial,” warns Eric O’Neill
Accurate attribution is essential for the effective operation of norms. Without it, there would be nothing to stop individual nations flouting them with impunity. “Cyberespionage,” says O’Neill, “relies on the difficulty of attribution, anonymity, and ease of access from anywhere in the world. When the U.S. has caught Russia, North Korea, Iran and China spying, probing our critical infrastructure, attacking our business, and stealing our data, each country staunchly denied the acts.”
Put simply, irrefutable technical attribution is impossible. ‘
one nation’s intelligence community can definitively attribute attackers – but only to its own government
Smith’s, and indeed, Charney’s, solution is an independent international committee of experts.
” For an organization like this to be successful, accurate proof which all parties involved can agree is correct would be the key. But the very nature of technology today would make that difficult at best. And even if you can monitor all traffic accurately, there would still be difficulty in getting the political factions involved to agree with the findings.”
A cyber Geneva Convention (that is, the formalization of agreed norms and accurate attribution into a binding international treaty) seems unlikely.
A treaty would require teeth. “Any plausible Cyber Geneva Convention would require agreement on sanctions for a nation member that violates the convention,” says O’Neill. “Because attribution is extraordinarily difficult, these penalties may lack teeth if the convention cannot enforce them.”
The balkanization of the internet is already in progress. It will be a problem and a difficulty for individuals; but it could prove a disaster for the large international companies currently operating across national boundaries – such as Microsoft.
Microsoft Proposes Independent Body to Attribute Cyber Attacks
http://www.securityweek.com/microsoft-proposes-independent-body-attribute-cyber-attacks
The Role of Attribution in Developing Cybersecurity Norms of Behavior
Microsoft has published a paper that proposes a series of recommended ‘norms’ of good industry behavior in cyberspace, and also a route towards implementing and achieving those norms. Most of the norms are uncontentious and self-evident – but one in particular (which is a form of ‘responsible disclosure’) is less so. Furthermore, the key feature in implementing these norms (the attribution of attacks to attackers) is particularly troublesome.
Tomi Engdahl says:
http://abcnews.go.com/International/wireStory/russian-military-continues-massive-upgrade-45652381
Along with a steady flow of new missiles, planes and tanks, Russia’s defense minister said Wednesday his nation also has built up its muscle by forming a new branch of the military — information warfare troops.
Tomi Engdahl says:
http://abcnews.go.com/topics/news/us/russian-hacking.htm?page=2
Tomi Engdahl says:
http://securityaffairs.co/wordpress/56517/intelligence/operation-bugdrop-ukraine.html
Operation BugDrop – Hackers siphoned 600GB taking control of PC microphones
Researchers at Security firm CyberX have discovered a cyber espionage campaign that siphoned more than 600 gigabytes from about 70 targets in several industries, including critical infrastructure and news media.
Tomi Engdahl says:
Major Cloudflare bug leaked sensitive data from customers’ websites
https://techcrunch.com/2017/02/23/major-cloudflare-bug-leaked-sensitive-data-from-customers-websites/
Tomi Engdahl says:
A team of Israeli researchers has devised a new technique to exfiltrate data from a machine by using a malware that controls hard drive LEDs.
http://securityaffairs.co/wordpress/56583/breaking-news/data-exfiltration-hdd-leds.html
Tomi Engdahl says:
Google Online Security Blog:
Google unveils “practical” SHA-1 collision using nine quintillion computations, releases two different PDFs with identical hashes, urges sunsetting of protocol
Announcing the first SHA1 collision
https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html
Tomi Engdahl says:
Mobile API Security Techniques
Part 2 — API Tokens, Oauth2, and Disappearing Secrets
https://hackernoon.com/mobile-api-security-techniques-fc1f577840ab#.yxwlso3mt
Mobile apps commonly use APIs to interact with back-end services and information. In 2016, time spent in mobile apps grew an impressive 69% year to year, reinforcing most companies’ mobile-first strategies, while also providing fresh and attractive targets for cybercriminals. As an API provider, protecting your business assets against information scraping, malicious activity, and denial of service attacks is critical in maintaining a reputable brand and maximizing profits.
Properly used, API keys and tokens play an important role in application security, efficiency, and usage tracking. Though simple in concept, API keys and tokens have a fair number of gotchas to watch out for.
Tomi Engdahl says:
Create a Custom Domain for Cloudant Using Cloudflare
What’s in a name? Proxy to get speed and protection too.
https://medium.com/ibm-watson-data-lab/create-a-custom-domain-for-cloudant-using-cloudflare-e32f11b33967#.yzg55re4t
Tomi Engdahl says:
$170 Smartphone Spyware that Anyone Can Buy
https://motherboard.vice.com/en_us/article/i-tracked-myself-with-dollar170-smartphone-spyware-that-anyone-can-buy
Tomi Engdahl says:
Survey: Most Attackers Need Less Than 12 Hours To Break In
http://www.darkreading.com/threat-intelligence/survey-most-attackers-need-less-than-12-hours-to-break-in/d/d-id/1328256
A Nuix study of DEFCON pen testers shows that the usual security controls are of little use against a determined intruder
Tomi Engdahl says:
Zack Whittaker / ZDNet:
Misconfigured backup drive at New York’s Stewart International Airport exposed highly sensitive data to the public internet for almost a year
Security lapse exposed New York airport’s critical servers for a year
http://www.zdnet.com/article/unsecured-servers-at-new-york-airport-left-exposed-for-a-year/
Exclusive: The files included gigabytes of emails, sensitive government files, and a password list, which researchers say could give hackers “full access” to the airport’s systems.
A security lapse at a New York international airport left its server backups exposed on the open internet for almost a year, ZDNet has found.
The internet-connected storage drive contained several backup images of servers used by Stewart International Airport, but neither the backup drive nor the disk images were password protected, allowing anyone to access their contents.
The airport is known for accommodating charter flights of high-profile guests, including foreign dignitaries.
But since April last year, the airport had been inadvertently leaking its own highly sensitive files as a result of the drive’s misconfiguration.
Chris Vickery, lead security researcher of the MacKeeper Security Center, who helped to analyze the exposed data and posted his findings, said the drive “was, in essence, acting as a public web server” because the airport was backing up unprotected copies of its systems to a Buffalo-branded drive, installed by a contract third-party IT specialist.
When contacted Thursday, the contractor dismissed the claims and would not comment further.
Though the listing still appears on Shodan, the search engine for unprotected devices and databases, the drive has since been secured.
“You cannot expect one person to maintain an airport network infrastructure. Doing so is a recipe for security lapses,” said Vickery.
Extensive Breach at Intl Airport
https://mackeeper.com/blog/post/334-extensive-breach-at-intl-airport
In what should be considered a complete compromise of network integrity, New York’s Stewart International Airport was recently found exposing 760 gigs of backup data to the public internet. No password. No username. No authentication whatsoever.
The leaky data set includes everything from sensitive TSA letters of investigation to employee social security numbers, network passwords, and 107 gigabytes of email correspondence. Until I notified the facility’s management this past Tuesday, there existed a real risk to the security and safety of this US airport.
Tomi Engdahl says:
EFF: Half of web traffic is now encrypted
https://techcrunch.com/2017/02/22/eff-half-the-web-is-now-encrypted/
Half of the web’s traffic is now encrypted, according to a new report from the EFF released this week. The rights organization noted the milestone was attributable to a number of efforts, including recent moves from major tech companies to implement HTTPS on their own properties. Over the years, these efforts have included pushes from Facebook and Twitter, back in 2013 and 2012 respectively, as well as those from other sizable sites like Google, Wikipedia, Bing, Reddit and more.
Google played a significant role, having put pressure on websites to adopt HTTPS by beginning to use HTTPS as a signal in its search ranking algorithms. This year, it also ramped up the push towards HTTPS by marking websites that use HTTP connections for transmitting passwords and credit data as insecure.
HTTPS, which encrypts data in transit and helps prevent a site from being modified by a malicious user on the network, has gained increased attention in recent years as users have woken up to how much of their web usage is tracked, and even spied on by their own government. Large-scale hacks have also generally made people more security-minded as well.
A number of larger players on the web also switched on HTTPS in 2016, like WordPress.com
Tomi Engdahl says:
FCC to halt rule that protects your private data from security breaches
FCC chair plans to halt security rule and set up vote to kill privacy regime.
https://arstechnica.com/tech-policy/2017/02/isps-wont-have-to-follow-new-rule-that-protects-your-data-from-theft/
Tomi Engdahl says:
https://www.techworm.net/2017/02/system-admin-used-vpn-hack-cause-1-1-million-loss-ex-employer-caught.html
This system admin used VPN to hack into & cause $1.1 million loss to his ex-employer before being caught.
Tomi Engdahl says:
Hard Drive LED Allows Data Theft From Air-Gapped PCs
http://www.securityweek.com/hard-drive-led-allows-data-theft-air-gapped-pcs
Researchers at Ben-Gurion University of the Negev in Israel have disclosed yet another method that can be used to exfiltrate data from air-gapped computers, and this time it involves the activity LED of hard disk drives (HDDs).
Many desktop and laptop computers have an HDD activity indicator, which blinks when data is being read from or written to the disk. The blinking frequency and duration depend on the type and intensity of the operation being performed.
According to researchers, a piece of malware can indirectly control the LED using specific read/write operations. More precisely, the size of the buffer being written or read is proportional to the amount of time the LED stays on, while sleeping causes the LED to be turned off. Experts have determined that these LEDs can blink up to 6,000 times per second, which allows for high data transmission rates.
The state of the LED can be translated into “0” or “1” bits. The data can be encoded using several methods
A piece of malware that is installed on the targeted air-gapped device can harvest data and exfiltrate it using one of these encoding systems.
The team at Ben-Gurion University of the Negev has published a video showing how such an attack can be carried out with the aid of a drone:
https://www.youtube.com/watch?v=4vIu8ld68fc
Tomi Engdahl says:
USBee: Jumping the air-gap with USB
https://www.youtube.com/watch?v=E28V1t-k8Hk
USBee: Air-Gap Covert-Channel via Electromagnetic Emission from USB. By Mordechai Guri, Matan Monitz and Yuval Elovici
Research at http://arxiv.org/abs/1608.08397
Tomi Engdahl says:
This What Hackers Think of Your Defenses
http://www.securityweek.com/what-hackers-think-your-defenses
Billions of dollars are spent every year on cyber security products; and yet those products continually fail to protect businesses. Thousands of reports analyze breaches and provide reams of data on what happened; but still the picture worsens. A new study takes a different approach; instead of trying to prevent hacking based on what hacking has achieved, it asks real hackers, how do you do it?
The hackers in question are the legal pentesters attending last Summer’s DEFCON conference. Seventy were asked about what they do, how they do it, and why they do it — and the responses are sobering. The resulting report, The Black Report by Nuix, is a fascinating read. It includes sections on the psycho-social origins of cybercrime and a view from law enforcement: but nothing is as valuable as the views from the hackers themselves. These views directly threaten many of the sacred cows of cyber security. They are worth considering: “The only difference between me and a terrorist is a piece of paper [a statement of work] making what I do legal. The attacks, the tools, the methodology; it’s all the same.”
What they do is surprisingly easy and frighteningly successful.
Take sacred cow #1: it takes 250-300 days for the average organization to detect a breach, and the earlier it is detected, the less damage will be done. But there is less time than you think. Eighty-eight percent of the pentesters claim that it takes less than 12 hours to compromise a target; and 80% say it then takes less than another 12 hours to find and steal the data.
Sacred cow #2 could affect the cyber security skills gap. A recent ISACA survey shows that 70% of employers require a security certification before employing new staff. The people they are defending against, however, place little value in those certifications. “Over 75% did not believe technical certifications were an accurate indicator of ability,” notes the report.
Sacred cow #3 is that anti-virus and a firewall equates to security. Only 10% of the pentesters admitted to being troubled by firewalls, and a mere 2% by anti-virus.
sacred cow #4 remains a sacred cow: “For security decision-makers,” says the report, “this result clearly demonstrates the importance of defense in depth rather than relying on any single control. Any individual security control can be defeated by an attacker with enough time and motivation. However, when an organization uses a combination of controls along with security training, education, and processes, the failure of any single control does not automatically lead to data compromise.”
When asked what companies should buy to improve their security posture, 37% suggested intrusion detection/prevention systems. Only 6% suggested perimeter defenses.
data hygiene/information governance at 42% is seen as less effective than perimeter defenses at 21%.
One of the biggest surprises of the survey is that while companies may go to the expense of a penetration test, they will not necessarily act upon the results. “Only 10% of respondents indicated that they saw full remediation of all identified vulnerabilities, and subsequent retesting,” notes the report.
“While ‘fix the biggest problems’ appears to be a logical approach to remediation, it misrepresents the true nature of vulnerabilities and provides a false sense of security for decision makers,” warns the report.
Tomi Engdahl says:
What can we learn about cybersecurity from the Russian hacks?
https://news.northeastern.edu/2017/01/what-can-we-learn-about-cybersecurity-from-the-russian-hacks/
What do these break-ins tell us about the state of cybersecurity in the U.S.?
Oprea: Rather than informing us about the state of cybersecurity in the U.S. only, these attacks provide a picture on the state of cybersecurity on the global scale. They demonstrate that attackers are becoming increasingly sophisticated in developing new ways to gain remote access to critical systems. For instance, using various sources of reconnaissance, such as social networks and news reports, attackers are able to craft so-called spear-phishing emails that impersonate legitimate senders and look credible to human users. In the recent Russian campaigns, the attackers sent emails that were very similar to emails automatically sent by Google when suspicious activity in users’ Gmail accounts is detected. Users were asked to change their Gmail passwords and redirected to a site controlled by attackers.
The “watering-hole attack” is another infection vector hackers are increasingly adopting. Here they silently inject lists of malicious commands, called “scripts,” or pieces of software called “exploits” that take advantage of a vulnerability in legitimate websites. Similar to how predators in the natural world wait for their desired prey near watering holes, these attackers wait for their victims at “water-holed” websites.
Why is it so difficult to protect against computer hacks and other cybercrimes?
Nita-Rotaru: One of the principles of computer and network security is that a system is as secure as the weakest link. Most of the time humans are the weakest link. This is not to say that computers do not have vulnerabilities, but even if all the technical problems are addressed, the human in the loop remains a crucial element.
Another comment you often hear about security is “Security is an add-on.” The beauty of computing systems and software is that the pace of innovation keeps up with the services we as customers like. Security is not one of the services; it is an add-on and often perceived as a cost.
The American Enterprise Institute’s report, “An American Strategy for Cyberspace,” notes that cyberspace “permeates every element of modern societies.” How would you describe that all-encompassing network?
Nita-Rotaru: A joke in computer security is “If you want a secure system, lock it in a safe.” Today everything is connected: Even devices that you might not consider part of a system, such as appliances (refrigerators, coffee machines, etc.), are connected to the internet. We want them to be connected because then we can control them remotely, but that also makes them vulnerable.
Tomi Engdahl says:
Own a Vizio TV? It May Have Spied on You
Vizio secretly collected viewing data from 11 million TVs, according to an FTC complaint.
http://www.pcmag.com/news/351582/own-a-vizio-tv-it-may-have-spied-on-you
Vizio has been watching you watch TV. The flat-panel display maker, which was acquired last year by Chinese giant LeEco, will pay $2.2 million to settle claims that it collected viewing data from 11 million TVs without their owners’ consent.
According to a complaint from the Federal Trade Commission, Vizio was able to capture second-by-second information about what its TVs were displaying. The monitoring wasn’t limited to built-in smart TV apps, either. It included video from cable set-top boxes, DVD players, and over-the-air broadcasts. Vizio also recorded and tracked the TVs’ IP addresses, according to the FTC complaint.
“The data generated when you watch television can reveal a lot about you and your household,” FTC Division of Privacy and Identity Protection attorney Kevin Moriarty wrote in a blog post. “So, before a company pulls up a chair next to you and starts taking careful notes on everything you watch (and then shares it with its partners), it should ask if that’s O.K. with you. Vizio wasn’t doing that, and the FTC stepped in.”
“Today, the FTC has made clear that all smart TV makers should get people’s consent before collecting and sharing television viewing information and Vizio now is leading the way.”
Tomi Engdahl says:
20 Cybersecurity Startups To Watch In 2017
http://www.darkreading.com/careers-and-people/20-cybersecurity-startups-to-watch-in-2017/d/d-id/1328251
VC money flowed plentifully into the security market last year, fueling a new crop of innovative companies.
Tomi Engdahl says:
Google Discloses Unpatched Flaw in Edge, Internet Explorer
http://www.securityweek.com/google-discloses-unpatched-flaw-edge-internet-explorer
Google Project Zero has disclosed a potentially serious vulnerability in Microsoft’s Edge and Internet Explorer web browsers before the tech giant could release patches.
The details of the flaw and proof-of-concept (PoC) code were made public last week by Google Project Zero researcher Ivan Fratric after Microsoft failed to meet the 90-day disclosure deadline.
The security hole, tracked as CVE-2017-0037, has been described as a high severity type confusion. The vulnerability can be exploited to cause the web browsers to crash, but arbitrary code execution could also be possible.
Tomi Engdahl says:
MySQL Databases Targeted in New Ransom Attacks
http://www.securityweek.com/mysql-databases-targeted-new-ransom-attacks
Thousands of MySQL databases are potential victims to a ransom attack that appears to be an evolution of the MongoDB ransack campaign observed a couple months ago, GuardiCore warns.
As part of the attack, unknown actors are brute forcing poorly secured MySQL servers, enumerate existing databases and their tables, stealing them, and creating a new table to instruct owners to pay a 0.2 Bitcoin (around $200) ransom. Paying, the attackers claim, would provide owners with access to their data, but that’s not entirely true, as some databases are deleted without being stolen.
A similar attack came to light in early January, when Victor Gevers, co-founder of GDI Foundation, revealed that thousands of unsecured MongoDB databases were being hijacked, with actors demanding 0.2 Bitcoin for the stolen data. Soon after, other threat actors began hijacking insecure databases, and over 30,000 MongoDB instances fell to the attackers.
Tomi Engdahl says:
It Takes a Village to Manage Cyber Risk
http://www.securityweek.com/it-takes-village-manage-cyber-risk
Regulators from the New York State Department of Financial Services should be applauded for their update to their upcoming cyber security regulation (if you are not in NYS or financial services, stay tuned, something similar is certainly coming to your state and industry soon).
While there were numerous adjustments made based on feedback during the comment period, most importantly, there was a shift in mindset from one standard for all systems and situations to a philosophy of risk based security.
Throughout the updated regulation, requirements are defined in the context of “the covered entity’s risk assessment” vs. absolute requirements for all systems and data. This is a critical shift that I hope other regulators will follow because it allows covered entities to modulate what measures are required based on the risk to each system and data set. It provides covered entities an alternative to applying the most stringent requirements equally to all systems, for example, applying two factor authentication selectively to internal applications based on accessibility and exposure.
New York State Imposes New Cybersecurity Regulation for Financial Services
http://www.securityweek.com/new-york-state-imposes-new-cybersecurity-regulation-financial-services
New York State Department of Financial Services (DFS) has published its revised proposal for what it calls a ‘first-in-the-nation cybersecurity regulation’ for New York regulated financial services. Publication was delayed by approximately one week following significant pushback from affected organizations on Dec. 22 2016.
Tomi Engdahl says:
Windows 10 Option to Block Installation of Win32 Apps
http://www.securityweek.com/windows-10-option-block-installation-win32-apps
Windows 10 could soon allow users to block the installation of applications coming from other sources than the Microsoft Store, a feature that would likely help prevent the installation of malware.
The feature, which would essentially prevent users from installing Win32 applications, is said to be currently tested as part of the latest build to have been pushed to users in the Insider Preview program (which is Windows 10 build 15042).
Win32 is the core set of application programming interfaces (APIs) available in the Microsoft Windows operating systems and is often referred to as the Windows API. In addition to Win32 apps, however, Windows 10 users can also install software built using Microsoft’s Universal Windows Platform, or UWP.
With millions of Win32 applications available out there, it might take a while before all developers switch to the new framework, especially if users aren’t in a hurry to embrace UWP applications.
Tomi Engdahl says:
The AI is Always Watching
http://hackaday.com/2017/02/27/the-ai-is-always-watching/
My phone can now understand me but it’s still an idiot when it comes to understanding what I want. We have both the hardware capacity and the software capacity to solve this right now. What we lack is the social capacity.
We are currently in a dumb state of personal automation.
The correct term for this level of personal automation is “weak AI”.
How to Look at Someone Without Creeping Them Out
In many cultures there is a social norm that you don’t stare at people. That is to say, there are times when it is and isn’t appropriate to look at people; there is a maximum amount of time you can continue gazing upon them; and the rules that make this work are a game of moving goal posts.
A much easier method is to watch absolutely everything the user does. This makes a lot more data available but it’s super creepy and raises a ton of ethical concerns. Being observed the majority of the time is unprecedented — there’s no human-to-human paradigm for this type of watchfulness. And the early technology paradigms have not been going well.
Just last week authorities in Germany recommended that owners of a doll called “Cayla” destroy the microphones housed within. The doll’s microphone is always listening, routing what is heard through a voice recognition service with servers outside of the country.
Creepiness aside, privacy is a major issue with allowing an system to watch everything you do. If that information is somehow breached it would be an identity theft goldmine. Would your AI need to know to shut itself down anytime you walk into a public restroom, hospital, or other sensitive environment? How could you trust that it had done so on every occasion?
Machine learning is the key to doing amazing things. But gain a bit of understanding of how it works and you immediately see where the problem lies. A machine can learn to play video games at a very high level, but it must be allowed to see all aspects of the game play and requires concrete success metrics like a high score or rare/valuable collected items.
Yes, for a personal AI to be truly useful it must have nearly unrestricted access to collect data by watching you in daily life.
Tomi Engdahl says:
Is Your Child A Hacker?
http://hackaday.com/2017/02/27/is-your-child-a-hacker/
Parents in Liverpool, UK, are being prepared to spot the signs that their children might be hackers. The Liverpool Echo reports on the launch of a “Hackers To Heroes” scheme targeting youngsters at risk of donning a black hat, and has an expert on hand, one [Vince Warrington], to come up with a handy cut-out-and-keep list. Because you never know when you’re going to need one, and he’s helped the Government so should know what he’s talking about.
Of course, they’re talking about “Hacker” (cybercriminal) while for us the word has much more positive connotations.
Signs your child is a computer hacker
Cyber criminals can be as young as 8
http://www.liverpoolecho.co.uk/news/liverpool-news/signs-your-child-computer-hacker-12626527
Tomi Engdahl says:
Mehedi Hassan / MSPoweruser:
Windows 10 Creators Update will include a feature, disabled by default, that prevents apps that are not from the Windows Store from installing
Microsoft just added the best way of preventing installation of bloatware in Windows 10
https://mspoweruser.com/microsoft-just-added-the-best-way-of-preventing-installation-of-bloatware-in-windows-10/
With the upcoming Windows 10 Creators Update, Microsoft is adding a brand new feature to Windows that will help prevent installation of bloatware in Windows 10. Microsoft is currently testing a new feature which will allow Windows 10 users to only install apps from the Windows Store — preventing them from installing the classic Win32 apps. Once enabled, users will see a warning whenever they try to install a Win32 app — they will get a dialog saying apps from the Windows Store helps to keep their PC “safe and reliable.”
This feature is obviously disabled by default, but users can enable it really easily if they want. I will repeat in case you didn’t understand it the first time: this feature is completely disabled by default in Windows 10.
Microsoft offers two different options for the feature: you can completely prevent installation of Win32 apps, or you can allow users to install them anyway from the dialog
Tomi Engdahl says:
Dan Goodin / Ars Technica:
Google discloses “high-severity” type-confusion bug in IE 11 and Edge after privately reporting the flaw to Microsoft on November 25, 2016; no patch available
Google reports “high-severity” bug in Edge/IE, no patch available
String of unpatched security flaws comes after February Patch Tuesday was canceled.
https://arstechnica.com/security/2017/02/high-severity-vulnerability-in-edgeie-is-third-unpatched-msft-bug-this-month/
A member of Google’s Project Zero security research team has disclosed a high-severity vulnerability in Microsoft’s Edge and Internet Explorer browsers that reportedly allows attackers to execute malicious code in some instances.
The vulnerability stems from what’s known as a type-confusion bug in Internet Explorer 11 and Microsoft Edge, Project Zero researcher Ivan Fratric said in a report that he sent to Microsoft on November 25 and publicly disclosed on Monday. The disclosure is in line with Google’s policy of publishing vulnerability details 90 days after being privately reported. A proof-of-concept exploit Fratric developed points to data stored in memory that he said “can be controlled by an attacker (with some limitations).”
Meanwhile, the National Vulnerability Database entry for the bug, which is indexed as CVE-2017-0037, warned that it “allows remote attackers to execute arbitrary code via vectors involving a crafted Cascading Style Sheets (CSS) token sequence and crafted JavaScript code that operates on a [table-header] element.”
Monday’s disclosure is the second time in a week that Project Zero researchers have disclosed an unpatched security vulnerability in a Microsoft product. Last Monday, Project Zero researcher Mateusz Jurczyk published details of a flaw in Windows that exposes potentially sensitive data stored in computer memory. The two disclosures come after Microsoft canceled February’s regularly scheduled batch of patches for reasons officials have yet to explain. Microsoft officials said they planned to resume the normal Patch Tuesday release cycle in March.
Tomi Engdahl says:
Insecure CloudPets Database Exposed Credentials, Private Data
http://www.securityweek.com/insecure-cloudpets-database-exposed-credentials-private-data
A public-facing, insecure CloudPets MongoDB database was found to have leaked the login credentials of over 800,000 users, researchers warn.
CloudPets is a company that sells internet-connected teddy bears, allowing children and parents to exchange audio messages over the web. The company also claims that its toys provide children with access to “an ever-expanding collection of fun and games.”
The underlying issue was related to the MongoDB ransack campaign that made headlines early this year, and which recently moved to MySQL databases. Customer data was stored in a MongoDB database that wasn’t properly secured, and, because it was exposed to the Internet, it allowed anyone to access it, steal its content, and even modify it.
Tomi Engdahl says:
Google Hands Over Email Encryption App to Community
http://www.securityweek.com/google-hands-over-email-encryption-app-community
Google announced last week that it has decided to hand over its E2EMail email encryption app to the community.
The tech giant first announced its End-to-End email encryption project in June 2014 and released its source code a few months later. The goal was to create a Chrome extension that would make it easier for less tech savvy people to encrypt their emails using the OpenPGP standard.
The End-to-End crypto library has been used for several projects, including E2EMail, a Gmail client that runs independently of the normal Gmail interface and allows users to send and receive encrypted emails.
Since a long time has passed and a Chrome extension is still not ready for general use, some believe this may actually be Google’s way of saying that it has abandoned the project, especially since no changes have been made to the code in the past months.
Tomi Engdahl says:
Adwind RAT Campaign Hits Organizations Worldwide: Kaspersky
http://www.securityweek.com/adwind-rat-campaign-hits-organizations-worldwide-kaspersky
A recently observed massive campaign using the Adwind Remote Access Tool (RAT) has hit over 1,500 organizations in over 100 countries and territories, a recent report from Kaspersky Lab warns.
The attacks were spread across industries, Kaspersky says, though the retail and distribution sector was hit the most (20.1%), followed by architecture and construction (9.5%), shipping and logistics (5.5%), insurance and legal services (5%), and consulting (5%).
Tomi Engdahl says:
AWS’s S3 outage was so bad Amazon couldn’t get into its own dashboard to warn the world
Websites, apps, security cams, IoT gear knackered
https://www.theregister.co.uk/2017/03/01/aws_s3_outage/
Tuesday’s Amazon Web Services mega-outage knocked offline not only websites big and small, by yanking away their backend storage, but also knackered apps and Internet of Things gadgets relying on the technology.
In fact, the five-hour breakdown was so bad, Amazon couldn’t even update its own AWS status dashboard: its red warning icons were stranded, hosted on the broken-down side of the cloud.
Essentially, S3 buckets in the US-East-1 region in northern Virginia, US, became inaccessible at about 0945 PST (1745 UTC). Software, from web apps to smartphone applications, relying on this cloud-based storage quickly broke, taking out a sizable chunk of the internet as we know it.
AWS has many regions, and US-East-1 is just one of them. Developers are supposed to spread their applications over different data centers so when one region goes TITSUP, it doesn’t take your whole platform down. For various reasons – from the fact that programmers find distributed computing hard to the costs involved – this redundancy isn’t always coded in.
Tomi Engdahl says:
Cybersecurity: The Key is Making it Easy
http://www.btreport.net/articles/2017/02/cybersecurity-the-tough-task-of-making-it-easy.html?cmpid=enl_btr_weekly_2017-02-28&[email protected]&eid=289644432&bid=1677363
Home Internet Cybersecurity: The Key is Making it Easy
Cybersecurity: The Key is Making it Easy
February 28, 2017
By Monta Monaco Hernon
Contributing Writer
Cybersecurity is often looked at as a necessary evil and a burden to be endured, but instead it should be considered an opportunity to improve customer experience.
“No one wants to pay for different security products unless they have to or if they were affected by an incident. What they will pay for is a better user experience,” said Michael Glenn, VP of cybersecurity at CableLabs.
What businesses should take into account is that a security breach degrades the customer experience, Glenn wrote in a recent blog. For cable operators, an attack could affect the infrastructure, operator-supplied equipment or third-party purchased equipment. One infected computer could impact all the devices on a network and lead to increased truck rolls and customer dissatisfaction.
“The (most) common passwords are ‘password’ or ’123456′,” Glenn said. “This clearly says it’s not a matter of education around consumer behavior. We have to change the experience for users so they don’t have to remember those passwords.”
Public key infrastructure (PKI) certificates use a protected private key stored on a device and a public key. In the cable industry, the certificate is able to validate device identity and authenticate onto the network, with authorization level and modem identity.
The revamping of the process begins with getting people to think differently about security. “Complexity is the enemy of security,” Glenn said. “If you make procedures for employees too complicated, they will ignore it or bypass it …. If you make processes too hard, you get a lower level of security than if you had simplified processes.”
It is similar in a way to designing a good, simple-to-use, user interface, which can be difficult to do. “It takes a lot of work.”
Tomi Engdahl says:
Amazon’s AWS S3 cloud storage evaporates: Top websites, Docker stung
‘Increased error rates’ is the new ‘outage’, according to Bezos’ bit-barn bods
https://www.theregister.co.uk/2017/02/28/aws_is_awol_as_s3_goes_haywire/
Amazon Web Services is scrambling to recover from a cockup at its facility in Virginia, US, that is causing its S3 cloud storage to fail.
The internet giant has yet to reveal the cause of the breakdown, which is plaguing storage buckets hosted in the US-East-1 region. The malady kicked off around 0944 Pacific Time (1744 UTC) today.
It has led to major websites and services – including Imgur, Medium and the Docker Registry Hub – falling offline, losing images, or left running like treacle. We’re also hearing loads of media titles that use S3 to serve pictures, plus Runkeeper, Trello, and Yahoo webmail, are all suffering: basically, this outage has knackered half the internet, it seems, because it all relies on S3 to store data online.
Just to stress: this is one S3 region that has become inaccessible, yet web apps are tripping up and vanishing as their backend evaporates away.
AWS, for some reason, insists this isn’t an “outage” but rather a case of “increased error rates” for its most popular cloud service. Infuriatingly, the status dashboard for AWS shows all green ticks at time of writing, despite what feels like a chunk of the internet going missing as a result of the downtime.
Tomi Engdahl says:
Google Chrome 56′s crypto tweak ‘borked thousands of computers’ using Blue Coat security
TLS 1.3 takes down Chromebooks, PCs
https://www.theregister.co.uk/2017/02/27/blue_coat_chokes_on_chrome_encryption_update/
The availability of Transport Layer Security protocol version 1.3 was supposed to make network encryption faster and more secure.
TLS 1.3 dispenses with a number of older cryptographic functions that no longer offer adequate protection, and reduces the amount of time required to negotiate “handshakes” between devices.
Google introduced support for TLS 1.3 in Chrome 56, which began rolling out for Linux, macOS, and Windows in late January, and reached Android and iOS devices a few days later.
The specification is still being finalized, but Google has been open about its plan to implement it. Now it seems at least one security vendor ignored the memo. Chromium’s bug tracker indicates that Symantec’s Blue Coat 6.5 security software can’t handle TLS 1.3.
Benjamin mentions “a list of buggy products.”
The Chromium team considered a rollback, but appears to have decided against it because TLS, when properly implemented, should be backwards compatible. “That these products broke is an indication of defects in their TLS implementations,” wrote Benjamin.
Tomi Engdahl says:
Amazon AWS S3 outage is breaking things for a lot of websites and apps
https://techcrunch.com/2017/02/28/amazon-aws-s3-outage-is-breaking-things-for-a-lot-of-websites-and-apps/
Amazon’s S3 web-based storage service is experiencing widespread issues, leading to service that’s either partially or fully broken on websites, apps and devices upon which it relies. The AWS offering provides hosting for images for a lot of sites, and also hosts entire websites, and app backends including Nest.
The S3 outage is due to “high error rates with S3 in US-EAST-1,” according to Amazon’s AWS service health dashboard, which is where the company also says it’s working on “remediating the issue,” without initially revealing any further details.
Affected websites and services include Quora, newsletter provider Sailthru, Business Insider, Giphy, image hosting at a number of publisher websites, filesharing in Slack, and many more. Connected lightbulbs, thermostats and other IoT hardware is also being impacted, with many unable to control these devices as a result of the outage.
Amazon S3 is used by around 148,213 websites, and 121,761 unique domains, according to data tracked by SimilarTech, and its popularity as a content host concentrates specifically in the U.S. It’s used by 0.8 percent of the top 1 million websites, which is actually quite a bit smaller than CloudFlare, which is used by 6.2 percent of the top 1 million websites globally – and yet it’s still having this much of an effect.
Tomi Engdahl says:
SQL Injection Vulnerability in NextGEN Gallery for WordPress
https://blog.sucuri.net/2017/02/sql-injection-vulnerability-nextgen-gallery-wordpress.html
As part of a vulnerability research project for our Sucuri Firewall (WAF), we have been auditing multiple open source projects looking for security issues. While working on the WordPress plugin NextGEN Gallery, we discovered a severe SQL Injection vulnerability. This vulnerability allows an unauthenticated user to grab data from the victim’s website database, including sensitive user information.
Are You at Risk?
This vulnerability can be exploited by attackers in at least two different scenarios:
If you use a NextGEN Basic TagCloud Gallery on your site, or
If you allow your users to submit posts to be reviewed (contributors).
If you fit into any of these two cases, you’re definitely at risk.
This issue existed because NextGEN Gallery allowed improperly sanitized user input in a WordPress prepared SQL query
Never trust the input – that is the golden rule. This leads to better security and safe customers. In every scenario we must ask ourselves a few simple questions:
Is this input safe enough?
Is it sanitized?
Do we follow any framework-specific rules and best practices?
Sucuri Firewall
Protect Your Website From Hackers, Attacks and DDoS With the Sucuri Firewall
https://sucuri.net/website-firewall/
Tomi Engdahl says:
Survey finds 25% of healthcare organizations put patient data at risk in the public cloud
http://www.cablinginstall.com/articles/2017/02/hytrust-healthcare-survey.html?cmpid=enl_cim_cimdatacenternewsletter_2017-02-28
HyTrust Inc., a provider of technology that automates security controls for software-defined computing, networking and storage workloads, has announced its latest Cloud Survey report, analyzing healthcare organizations use of the public cloud, the utilization of public cloud implementations, and how data is protected in these cloud environments. The survey of 51 healthcare and biotech organizations found that 25 percent of healthcare organizations using the public cloud do not encrypt their data.
HyTrust — whose stated mission is “to make private, public and hybrid cloud infrastructure more trustworthy for enterprises, service providers and government agencies” — says the survey also found that 63 percent of healthcare organizations say they intend to use multiple cloud vendors. “Multi-cloud adoption continues to gain momentum among leading healthcare organizations,”
“choosing a flexible cloud security solution that is effective across multiple cloud environments is not only critical to securing patient data, but to remaining HIPAA-compliant. What is troubling, is that 38 percent of organizations that have data deployed in a multi-cloud environment that included Amazon Web Service (AWS) and [Microsoft] Azure are not using any form of encryption. This vulnerability comes as 82 percent of healthcare organizations believe security is their top concern, followed by cost.”
Key findings of the survey also included the following bullet points: 63 percent of healthcare organizations are currently using the public cloud; 25 percent of healthcare organizations using the public cloud are not encrypting their data; 63 percent of healthcare IT decision makers intend to use multiple cloud vendors.