Security trends 2017

The year 2017 will not bring a turn towards better data security. The internet is rife with both well-known and unknown threats, and companies’ systems are expected to be protected against them. Hackers are going to continue to look for new ways to extort and steal information from businesses and organizations, which unfortunately means those businesses and organizations will have to continue to look for new ways to protect themselves.

Critical infrastructure comes under attack in 2017. Critical infrastructures must be better protected from criminals and terrorists who take advantage of the modern technologies that are essential for the functioning of society and the economy. The IT security of industrial control systems (ICS), energy grids and IoT networks needs to be improved in 2017.

There is a push for better web security in 2017. Starting on New Year’s Day, Google’s Chrome will begin labeling as “insecure” all websites that transmit passwords or ask for credit card details over plain-text HTTP. Beginning in January 2017 (Chrome 56), HTTP sites that transmit passwords or credit cards are marked as non-secure, as part of a long-term plan to mark all HTTP sites as non-secure.

SHA-1 is insecure. Starting on Jan 1, 2017, most CAs will have migrated to SHA-2 certificates, and the major browser makers, including Microsoft, Google and Mozilla, have already announced plans to adopt the change. Their browsers will no longer trust sites that use SHA-1 certificates from that date on, and they will mark these websites as insecure. Despite the looming deadline, 1/3 of websites still use SHA-1 certificates. SHA-1 will still hang around, like a fart in a spacesuit, for many years to come, because some people are too lazy to make the change.
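The practical question behind the SHA-1 deadline is simply which signature algorithm each certificate in your estate carries. The following is an added example, not code from this post: it reads the `signatureAlgorithm` OID straight out of a DER-encoded X.509 certificate with a small stdlib-only ASN.1 reader and flags SHA-1 (and MD5) signatures. The skeleton certificates built by `fake_cert` are constructed for the demo and contain only the fields the parser walks; the function names are my own. On a real host you would feed it the bytes of a PEM file via `pem_to_der`.

```python
"""Audit X.509 certificates for SHA-1 signatures by reading the
signatureAlgorithm OID out of the DER encoding (stdlib only)."""
import base64
import sys

# Signature algorithm OIDs (RFC 3279 / RFC 4055 / RFC 5758).
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}
WEAK = {"md5WithRSAEncryption", "sha1WithRSAEncryption", "ecdsa-with-SHA1"}


def read_tlv(buf, pos):
    """Return (tag, value_start, value_end, next_element_pos) for the DER element at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length, pos + length


def decode_oid(raw):
    """Decode the base-128 OBJECT IDENTIFIER content bytes into dotted form."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # high bit clear ends the arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def signature_algorithm(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }"""
    tag, start, _, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, _, after_tbs = read_tlv(der, start)             # skip tbsCertificate
    tag, alg_start, _, _ = read_tlv(der, after_tbs)       # AlgorithmIdentifier SEQUENCE
    if tag != 0x30:
        raise ValueError("expected AlgorithmIdentifier SEQUENCE")
    tag, oid_start, oid_end, _ = read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    oid = decode_oid(der[oid_start:oid_end])
    return SIGNATURE_OIDS.get(oid, oid)


def is_weak_signature(der):
    return signature_algorithm(der) in WEAK


def pem_to_der(pem):
    body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)


# --- constructed sample: a skeleton "certificate", NOT a real one ---
def der(tag, payload):
    assert len(payload) < 128               # short-form length is enough for the demo
    return bytes([tag, len(payload)]) + payload


def fake_cert(oid_bytes):
    tbs = der(0x30, der(0x02, b"\x01"))                     # stand-in tbsCertificate
    alg = der(0x30, der(0x06, oid_bytes) + der(0x05, b""))  # AlgorithmIdentifier + NULL params
    sig = der(0x03, b"\x00" + b"\xAB" * 4)                  # stand-in signature BIT STRING
    return der(0x30, tbs + alg + sig)


SHA1_CERT = fake_cert(bytes.fromhex("2a864886f70d010105"))    # 1.2.840.113549.1.1.5
SHA256_CERT = fake_cert(bytes.fromhex("2a864886f70d01010b"))  # 1.2.840.113549.1.1.11

if __name__ == "__main__":
    certs = {"constructed sha1": SHA1_CERT, "constructed sha256": SHA256_CERT}
    for path in sys.argv[1:]:               # optional: real PEM files to audit
        with open(path) as f:
            certs[path] = pem_to_der(f.read())
    for name, blob in certs.items():
        verdict = "WEAK" if is_weak_signature(blob) else "ok"
        print(f"{name}: {signature_algorithm(blob)} [{verdict}]")
```

Note that the algorithm that matters for browser trust is the one in the outer `signatureAlgorithm` of each certificate in the chain (except the self-signed root), which is exactly what this reads; the hash used inside the leaf's own key has no bearing on it.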

There will be changes in how security is viewed in 2017 by businesses. We will likely see cloud adoption continue to grow across the United States, network visibility will no longer just be an option, AI and machine learning will shake old security models, and IoT-powered attacks will continue to rise. All of this will factor into how businesses set up, monitor and secure their networks.

The commoditization of cyberattacks will make them more frequent in 2017. More and more companies suffer business disruption due to cyber attacks. Cyber attacks cause companies significant financial losses, but studies show that companies are not prepared for them. According to Gartner, by 2018 only 40 per cent of large companies will have official plans for handling cyber attacks. Last year, the percentage was zero.

Strap yourself in for a bumpy ride in 2017. 2016 sucked. 2017 won’t be much better, sorry. DDoS attacks have been around since at least 2000, and they’re not going away. In fact, as the number of devices online grows, the volume and velocity of these attacks is also increasing. DDoS attack toolkits have been around for years, as have services that let you pay for an attack. Expect to see more of them. 2017 promises to be the most dramatic year yet in DDoS conflict: whale-sized DDoS attacks will increase, the IoT will become a bigger factor in DDoS, and DDoS will overshadow ransomware attacks and be used for extortion. Expect to see the Internet of Things (IoT) and other connected devices play an important part in these attacks.

Biometric identification will become more common in 2017, but it will not replace passwords. Fingerprint identification has become increasingly common in smartphones, and the technology is already fast and reliable. This year biometric identification devices were sold for 4.5 billion dollars (most of them going into smartphones and laptops). 91 per cent of biometric sales were fingerprint sensors, four per cent face detection and three per cent iris detection.

Biometrics won’t kill passwords any time soon. Even though PIN codes and passwords are actually pretty lousy protection against a skilled cybercriminal, the password will never disappear entirely, as two per cent of the world’s population have fingerprints that biometric identifiers cannot work with. Other biometric identification systems have similar limitations and/or are not yet commonly available at a reasonable cost. While biometrics, including fingerprint, face, iris, palm and speech recognition, will continue to grow as a more secure substitute for passwords, they will not render passwords obsolete. Until the other common biometrics become commonplace, passwords are here to stay, until circa 2030.

The fight over encryption and backdoors is not over in 2017. Many public figures in law enforcement have consistently argued that device encryption presents a new threat to police powers of investigation. On the other side, the House Judiciary Committee’s Encryption Working Group report says encryption backdoors pose a security threat, siding with tech experts in its latest report. The problem is that any system allowing police to get into an encrypted system (be it a phone, a computer or communications) could also be exploited by criminals. Any action in this space should weigh any short-term benefits against the long-term impacts. Many industry experts will rightly tell you there is no such thing as partial data encryption. You either have a fully capable system or none at all.

Given the security events of 2016, coupled with the rapid advancements and adoption of cloud computing, 2017 will be the year in which many finally accept that network infrastructure and security will have to be rethought from the ground up. In 2017 the cloud will become a risk for users: The cloud becoming insecure – extortion and IoT openings.

The arms race between network attacks and network security is accelerating. Crippling Internet services with denial of service attacks is becoming more common throughout the world. DDoS attacks have been around since at least 2000, and they’re not going away. In fact, as the number of devices online grows, the volume and velocity of these attacks is also increasing. IoT-powered attacks will continue to rise, and stopping an attack is not easy. For most companies the key thing is that the attack traffic is stopped before it reaches the company’s Internet connection or servers (so the need for telecom operator and external services increases). In addition to disrupting service, denial of service attacks are often used as a distraction during the actual data burglary. DDoS may take over from ransomware as the main cause for concern.
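Because the mitigation for a volumetric attack sits upstream, at the operator or an external service, what the company itself needs is reliable, early detection so that it can engage that upstream filtering and, as the paragraphs above and the earlier DDoS section warn, look for the "distraction" pattern around the same time. The following is an added example, not code from this post: it buckets flow records per destination into fixed windows and flags windows whose packet rate crosses a threshold, distinguishing a distributed flood (many sources) from a single-source burst. The flow records are constructed (RFC 5737 documentation addresses and fictitious counts); the thresholds and function names are assumptions to tune for your own baseline.

```python
"""Flag volumetric flood patterns in flow records: one destination receiving a
high aggregate packet rate, classified by how many sources contribute."""
from collections import defaultdict


def detect_floods(flows, window_s=10, pps_threshold=5000, min_sources=50):
    """flows: iterable of (timestamp_s, src_ip, dst_ip, packets).
    Returns one alert dict per (window, destination) above pps_threshold."""
    buckets = defaultdict(lambda: {"packets": 0, "sources": set()})
    for ts, src, dst, pkts in flows:
        window_start = (ts // window_s) * window_s
        b = buckets[(window_start, dst)]
        b["packets"] += pkts
        b["sources"].add(src)

    alerts = []
    for (start, dst), b in sorted(buckets.items()):
        pps = b["packets"] / window_s
        if pps < pps_threshold:
            continue                        # normal traffic level, nothing to report
        n_src = len(b["sources"])
        alerts.append({
            "window_start": start,
            "dst": dst,
            "pps": pps,
            "sources": n_src,
            # many sources at once is the IoT-botnet shape; one source is a burst
            # that an on-premises rate limit can usually absorb
            "kind": "distributed" if n_src >= min_sources else "single-source",
        })
    return alerts


def constructed_flows():
    """Constructed sample, not captured traffic."""
    flows = []
    # Window 0-9 s: one legitimate client, 30 packets per second.
    flows += [(t, "198.51.100.10", "203.0.113.5", 30) for t in range(0, 10)]
    # Window 10-19 s: 200 distinct sources each sending 600 packets -> 12000 pps.
    flows += [(12, f"100.64.{i // 256}.{i % 256}", "203.0.113.5", 600) for i in range(200)]
    # Window 20-29 s: background traffic plus one source blasting another host.
    flows += [(22, "198.51.100.10", "203.0.113.5", 30)]
    flows += [(25, "198.51.100.77", "203.0.113.6", 80000)]    # 8000 pps from one IP
    return flows


if __name__ == "__main__":
    for alert in detect_floods(constructed_flows()):
        print(f"t={alert['window_start']:>3}s dst={alert['dst']} "
              f"{alert['pps']:.0f} pps from {alert['sources']} sources: {alert['kind']}")
```

The same aggregation works over NetFlow/IPFIX exports or firewall logs; the important design choice is keying on the destination rather than the source, since a botnet spreads its load thinly across thousands of source addresses that individually never look abnormal.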

In 2017 IT and security professionals will talk more about business risks. Historically, firewalls, DLP, antivirus, SIEM and other technical point solutions have been the centerpiece of security conversations, but the mindset is slowly shifting from technology to risk. The goal of stopping all attacks and preventing all business impact has been recognized as a fool’s errand, and has shifted to measuring risk and minimizing business impacts. Cyber security is increasingly being viewed as a risk management problem.

In 2017 ‘security’ must be added to our existing ethical and philosophic concerns over artificial intelligence and algorithms. Algorithms will soon run the world. They present problems that are seriously questioned on both ethical and philosophic grounds, and they have become the basis of fictional Armageddons.

Cyber insurance will increasingly be seen as one solution for handling cyber risks in 2017. The global cyber insurance market is expected to generate $14 billion by 2022, according to a new report published by Allied Market Research (AMR). That figure represents an impressive compound annual growth rate (CAGR) of nearly 28% from 2016 to 2022.

In 2017 Big Brother will be watching you 24/7. Those of you who’ve read George Orwell’s book 1984 or seen the movie will remember how the citizens of the fictitious totalitarian state of Oceania are constantly under surveillance by order of its dictator, Big Brother. Now swap your home desktop computer, laptop or smartphone for the fictitious telescreen: not only are you sitting in front of a modern-day version of the Big Brother telescreen, you are also walking around with one in your pocket or handbag. Sound a bit far-fetched to you? Well, it’s set to become a reality in many countries.

Users will want better security, or at least to feel more secure, in 2017. Many people are prepared to go to extremes for better security. According to a recent Harris Poll survey of over 2,000 adults, nearly 40% of Americans would give up sex for a year, or eating their favourite food, in exchange for better online security, if it meant they’d never have to worry about being hacked. When you consider that 87 per cent of U.S. adults use the internet, it makes sense that cyber security is one of the biggest concerns today. The single biggest thing people can do to help keep their online identity safe is probably the easiest: a solid password, and not giving it to other people. Still, nearly 50% of people have shared a password to an e-mail account or to an account like Netflix.

Security becomes a multi-system issue. Design teams will have to bake security strategies in from the start, no matter how insignificant the device. The good news is that more people are talking about the issue. The real challenge is packing enough security features into designs to prevent security breaches of every sort, including those that can come from other electronics that weren’t even considered as part of the design process. Just as devices get more sophisticated, so do hackers. The reality is that security breaches can even cause physical harm. It’s time to look at this at a multi-system, multi-disciplinary level. Otherwise, we literally could be playing with fire.

Blockchains have been a big trend for several years. The blockchain market is fragmented as 2017 starts. During the autumn of 2016, we saw a number of cooperation initiatives between the financial sector and consulting companies. Microsoft has chosen the Ethereum blockchain as its platform and offers it on its Azure cloud service. IBM has jumped on the Hyperledger consortium bandwagon and offers its own blockchain on its Bluemix service. Google and Amazon are still conspicuous by their absence. Even banks may prefer to use the cloud for their blockchains.


Other prediction articles worth a look:

What Lies Ahead for Cybersecurity in 2017?

Network Infrastructure, Visibility and Security in 2017

DDoS in 2017: Strap yourself in for a bumpy ride

Cybersecurity Industry Outlook: 2017 to 2021 | CSO Online

IBM’s Cybersecurity Predictions for 2017 – eForensics

https://eforensicsmag.com/ibms-cybersecurity-predictions-2017/

Top 5 Cybersecurity Threats to Watch Out for in 2017

Experts Hopeful as Confidence in Risk Assessment Falls


3,151 Comments

  1. Tomi Engdahl says:

    Robbie Gonzalez / Wired:
    Las Vegas resort tests Patscan CMR, a hidden weapon-sensing device that combines short-range radar with machine learning to scan guests for guns, knives, bombs

    The Las Vegas Resort Using Microwaves to Keep Guns Out of its Casino
    https://www.wired.com/story/the-las-vegas-resort-using-microwaves-to-keep-guns-out-of-its-casino/

    Activate satellite view in Google Maps and head to the Las Vegas strip, and you’ll see it: a strange smattering of Y-shaped buildings. Mandalay Bay. Monte Carlo. Treasure Island. The Mirage. Their blueprints put gambling at the center of everything, funneling visitors past slot machines and card tables whether they’re en route to a show, their room, a restaurant, or a retail shop. For years, the casino floor was where Vegas resorts made most of their money, and the Y was devilishly good at monetizing it.

    Y-shaped buildings have their issues, after all. For one thing, gambling isn’t the moneymaker it used to be; revenues from other extravagances—hotels, food, booze, shopping—outstripped gaming in the late ’80s. For another: Y-shaped buildings pose a unique security challenge. “The bulk of your guests are in this highly concentrated area, just lingering,” Waltrip says. Ensuring their safety— and the safety of the resort’s assets—requires more than a few cameras and guards.

    That fact has prompted Westgate to be an early adopter of not just architectural features but surveillance tactics. And it’s why, this week, the resort began testing a discreet weapon-sensing device called the Patscan Cognitive Microwave Radar. Marketed by Canadian security outfit PatriotOne, the Patscan CMR combines short-range radar with machine learning algorithms to scan individual guests for guns, knives, and bombs in real time—without forcing them to line up and walk through metal detectors. And unlike the giant, whole-body scanners you see in places like airports, Patscan units are small enough to hide inside existing infrastructure, from walls and doorways to turnstiles and elevator banks. Most people will never realize they’re there—and that’s exactly how Westgate wants it.

    Creepy? Sure. But a system like PatriotOne’s could be the ideal security solution for a destination like Las Vegas, where resorts find themselves in the unenviable position of ensuring the safety of their guests, while also stoking an ambiance of freedom, excess, and—as the city so famously advertises—unaccountability.

    “People come to Vegas because it’s the fun capital of the world. They’re there to let loose, rock and roll, and do things they’d never do,”

    For Vegas resorts and casinos, screening for concealed weapons has become more critical than ever, but most would prefer to do it without metal detectors, wands, pat-downs, and other buzzkill tactics.

    That’s where Patscan comes in. Each radar unit consists of a service box and two antennae (the combined footprint is about the size of a movie poster). The first antenna emits 1,000 pulses of electromagnetic radiation per second, at frequencies between 500 MHz and 5 GHz.

    The second antenna monitors for electromagnetic patterns inside that two-meter range. When you hit an object with electromagnetic radiation, it resonates according to its shape and material composition, not unlike a bell or a guitar string. Pistols, grenades, rifles, knives, machetes, machine guns, pressure-cooker bombs—they all resonate in the frequency range that Patscan emits.

    PatriotOne maintains a growing database of known radar signatures, which Patscan’s onboard computer uses to distinguish weapons from benign objects and notify security personnel. “The best analogy is antivirus software,”

    Reply
  2. Tomi Engdahl says:

    ‘Suspicious’ BGP event routed big traffic sites through Russia
    Google, Facebook and Microsoft routed through PutinGrad, for no good reason
    https://www.theregister.co.uk/2017/12/13/suspicious_bgp_event_routed_big_traffic_sites_through_russia/

    A Border Gateway Protocol (BGP) routing incident saw a bunch of high-profile Internet destinations mis-routed through Russia on Tuesday, US time.

    In what BGPMon called a “suspicious” event, “Starting at 04:43 (UTC) 80 prefixes normally announced by organisations such Google, Apple, Facebook, Microsoft, Twitch, NTT Communications and Riot Games were now detected in the global BGP routing tables with an Origin AS of 39523 (DV-LINK-AS), out of Russia.”

    The glitch happened twice, the monitoring organisation reported: Once between 04:43 and 04:46 UTC on December 12, and then between 07:07 and 07:10.

    Peers that accepted the announcements and made them reachable included Hurricane Electric and Zayo in the US, Scandinavian international collaboration Nordunet, and Telstra in Australia.

    The autonomous system (AS) that made the announcements had been largely dormant for years.

    “This means that this isn’t a simple leak, but someone is intentionally inserting these more specific prefixes, possibly with the intent the attract traffic”, BGPMon’s Andree Toonk wrote.

    Reply
  3. Tomi Engdahl says:

    Return Of Bleichenbacher’s Oracle Threat
    https://robotattack.org/

    ROBOT is the return of a 19-year-old vulnerability that allows performing RSA decryption and signing operations with the private key of a TLS server.

    In 1998, Daniel Bleichenbacher discovered that the error messages given by SSL servers for errors in the PKCS #1 1.5 padding allowed an adaptive-chosen ciphertext attack; this attack fully breaks the confidentiality of TLS when used with RSA encryption.

    We discovered that by using some slight variations this vulnerability can still be used against many HTTPS hosts in today’s Internet.

    ROBOT only affects TLS cipher modes that use RSA encryption. Most modern TLS connections use an Elliptic Curve Diffie Hellman key exchange and need RSA only for signatures. We believe RSA encryption modes are so risky that the only safe course of action is to disable them. Apart from being risky these modes also lack forward secrecy.
    By disabling RSA encryption we mean all ciphers that start with TLS_RSA. It does not include the ciphers that use RSA signatures and include DHE or ECDHE in their name. These ciphers are not affected by our attack.

    How is it possible that a 19-year-old vulnerability is still present?

    After Bleichenbacher’s original attack the designers of TLS decided that the best course of action was to keep the vulnerable encryption modes and add countermeasures. Later research showed that these countermeasures were incomplete leading the TLS designers to add more complicated countermeasures.

    Is this only a problem for TLS?

    No. Bleichenbacher-style vulnerabilities have been found in XML Encryption, PKCS#11 interfaces, Javascript Object Signing and Encryption (JOSE), or Cryptographic Message Syntax / S/MIME.

    Every protocol that uses RSA PKCS #1 v1.5 encryption is at risk of exposing similar vulnerabilities.

    So… ROBOT doesn’t add a whole lot, right?

    That’s correct. The surprising fact is that our research was very straightforward. We used minor variations of the original attack and were successful. This issue was hiding in plain sight.

    Reply
  4. Tomi Engdahl says:

    1998 attack that messes with sites’ secret crypto keys is back in a big way
    Sites vulnerable to newly revived ROBOT exploit included Facebook and PayPal.
    https://arstechnica.com/information-technology/2017/12/a-worrying-number-of-sites-remain-open-to-major-crypto-flaw-from-1998/

    Reply
  5. Tomi Engdahl says:

    The Ethics of AI for Suicide Prevention
    https://www.eetimes.com/author.asp?section_id=36&doc_id=1332723&

    Facebook is using artificial intelligence to signal deviations from normal posting behavior to provide warning of possible suicidal tendencies. Is that okay?

    In today’s hyperconnected world, we are generating and collecting so much data that it is beyond human capability to sift through it all. Indeed, one application of artificial intelligence is identifying patterns and deviations that signal intent on posts. Facebook is using AI in this way to extract value from its own Big Data trove. While that may be applied to a good purpose, it also raises ethical concerns.

    Where might one get insight into this issue? In my own search, I found an organization called PERVADE (Pervasive Data Ethics for Computational Research). With the cooperation of six universities and the funding it received this September, it is working to frame the questions and move toward the answers.

    Reply
  6. Tomi Engdahl says:

    I, Robot? Aiiiee, ROBOT! RSA TLS crypto attack pwns Facebook, PayPal, 27 of 100 top domains
    Two-decade-old hole lets hackers unlock encrypted data
    https://www.theregister.co.uk/2017/12/13/robot_tls_rsa_flaw/

    A 19-year-old vulnerability in the TLS network security protocol has been found in the software of at least eight IT vendors and open-source projects – and the bug could allow an attacker to decrypt encrypted communications.

    Identified by security researchers Hanno Böck, Juraj Somorovsky of Ruhr-Universität Bochum/Hackmanit, and Craig Young of Tripwire VERT, the flaw – specifically in RSA PKCS #1 v1.5 encryption – affects the servers of 27 of the top 100 web domains, including Facebook and PayPal.

    The vulnerability, however, is overrepresented among the top 100 websites. According to Young, only 2.8 per cent of the top million websites, as measured by Alexa, are affected.

    The issue isn’t confined to TLS. The researchers say similar problems exist in XML Encryption, PKCS#11 interfaces, Javascript Object Signing and Encryption (JOSE), and Cryptographic Message Syntax / S/MIME.

    As a proof-of-concept exploit, the researchers managed to sign a message with the private key of the facebook.com HTTPS certificate.

    Facebook has since patched its servers. As described in a paper on the flaw that was published Tuesday, Facebook was using a patched version of OpenSSL for its vulnerable hosts and said the bug hailed from one of the company’s custom patches.

    https://eprint.iacr.org/2017/1189.pdf

    Reply
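The advice in the ROBOT write-up quoted in comments 3, 4 and 6 above comes down to a configuration check: disable every suite whose name begins with `TLS_RSA` (RSA key exchange), while keeping the `ECDHE`/`DHE` suites that use RSA only for signatures. The following is an added example, not code from robotattack.org or the articles quoted: it classifies suite names in both the IANA style used by the researchers and the OpenSSL style used in server configs, lists the ones a Bleichenbacher-style oracle could be used against, and builds a Python `ssl` server context that excludes RSA key exchange (`!kRSA`). The configuration list is constructed; the function names and the specific cipher string are my own choices.

```python
"""Audit TLS cipher-suite lists for RSA key exchange and build a server
context without it (stdlib ssl module only)."""
import ssl

# OpenSSL-style names put the key-exchange method first; a name with none of
# these prefixes (e.g. AES128-GCM-SHA256) is plain RSA key exchange.
OPENSSL_NON_RSA_KX = ("ECDHE-", "DHE-", "ECDH-", "DH-", "ADH-", "AECDH-",
                      "PSK-", "SRP-")


def uses_rsa_key_exchange(name: str) -> bool:
    """True when the suite encrypts the premaster secret with the server's RSA key
    (PKCS #1 v1.5), which is what ROBOT and the 1998 attack exploit."""
    if name.startswith("TLS_RSA_"):        # IANA: TLS_RSA_WITH_AES_128_GCM_SHA256
        return True
    if name.startswith("TLS_"):            # TLS_ECDHE_RSA_*, TLS_DHE_RSA_*, TLS 1.3 suites
        return False
    return not name.startswith(OPENSSL_NON_RSA_KX)


def audit_ciphers(names):
    """Return the suites in `names` that should be removed from the config."""
    return [n for n in names if uses_rsa_key_exchange(n)]


def rsa_free_server_context() -> ssl.SSLContext:
    """Server context limited to (EC)DHE key exchange; '!kRSA' removes RSA key
    exchange explicitly, and these suites also give forward secrecy."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!MD5:!kRSA")
    return ctx


def context_is_rsa_free(ctx: ssl.SSLContext) -> bool:
    """Re-check the negotiable suites the library actually enabled."""
    return not audit_ciphers(c["name"] for c in ctx.get_ciphers())


# Constructed configuration mixing both naming styles.
CONSTRUCTED_CONFIG = [
    "TLS_RSA_WITH_AES_128_GCM_SHA256",        # RSA key exchange: remove
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",  # RSA signature only: keep
    "AES256-SHA",                             # OpenSSL name, RSA key exchange: remove
    "ECDHE-ECDSA-AES256-GCM-SHA384",          # keep
    "TLS_AES_256_GCM_SHA384",                 # TLS 1.3, no RSA key exchange: keep
]

if __name__ == "__main__":
    print("RSA key exchange suites:", audit_ciphers(CONSTRUCTED_CONFIG))
    print("hardened context RSA-free:", context_is_rsa_free(rsa_free_server_context()))
```

Removing the suites from the server config is the durable fix; the implementation patches closed the specific oracles, but as the researchers note, every PKCS #1 v1.5 decryption path is a candidate for the next variation, so a server that never performs RSA decryption has nothing to leak.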
  7. Tomi Engdahl says:

    New Ruski hacker clan exposed: They’re called MoneyTaker, and they’re gonna take your money
    Subtly named group has gone largely unnoticed until now
    https://www.theregister.co.uk/2017/12/11/russian_bank_hackers_moneytaker/

    Security researchers have lifted the lid on a gang of Russian-speaking cybercrooks, dubbed MoneyTaker.

    The group has conducted more than 20 successful attacks on financial institutions and legal firms in the USA, UK and Russia in the last two months alone, according to Russian incident response firm Group-IB. MoneyTaker has primarily targeted card processing systems, including the AWS CBR (Russian Interbank System) and purportedly SWIFT (US).

    In addition to banks, MoneyTaker has attacked law firms and financial software vendors. In total, Group-IB has confirmed 20 companies as MoneyTaker victims, with 16 attacks on US organisations, three on Russian banks and one against a Brit IT company.

    Reply
  8. Tomi Engdahl says:

    Critical Flaws Found in Palo Alto Networks Security Platform
    http://www.securityweek.com/critical-flaws-found-palo-alto-networks-security-platform

    Updates released by Palo Alto Networks for the company’s PAN-OS security platform patch critical and high severity vulnerabilities that can be exploited for remote code execution and command injection.

    The issue classified by the company as “critical” is actually a combination of vulnerabilities in the management interface that can be exploited by a remote and unauthenticated attacker to execute arbitrary code on affected firewalls.

    Reply
  9. Tomi Engdahl says:

    Philippine Bank Accuses Bangladesh of Heist ‘Cover-Up’
    http://www.securityweek.com/philippine-bank-accuses-bangladesh-heist-cover

    A Philippine bank on Tuesday accused Bangladesh’s central bank of a “massive cover-up” over an $81-million cyber-heist last year, as it rejected allegations it was mostly to blame.

    Unidentified hackers shifted $81 million in February last year from the Bangladesh central bank’s account with the US Federal Reserve in New York to a Manila branch of the Rizal Commercial Banking Corp (RCBC).

    The money was quickly withdrawn and laundered through Manila casinos.

    Reply
  10. Tomi Engdahl says:

    Trump Signs Bill Banning Kaspersky Products
    http://www.securityweek.com/trump-signs-bill-banning-kaspersky-products

    U.S. President Donald Trump on Tuesday signed a bill that prohibits the use of Kaspersky Lab products and services in federal agencies.

    The National Defense Authorization Act for FY2018 (H.R. 2810) focuses on Department of Defense and Department of Energy programs, authorizes recruitment and retention bonuses for the Armed Forces, and makes changes to national security and foreign affairs programs.

    Section 1634 of the bill bans the use of products and services provided by Russia-based cybersecurity firm Kaspersky Lab. The prohibition will go into effect on October 1, 2018.

    “No department, agency, organization, or other element of the Federal Government may use, whether directly or through work with or on behalf of another department, agency, organization, or element of the Federal Government, any hardware, software, or services developed or provided, in whole or in part, by (1) Kaspersky Lab (or any successor entity); (2) any entity that controls, is controlled by, or is under common control with Kaspersky Lab; or (3) any entity of which Kaspersky Lab has majority ownership,” the bill reads.

    Reply
  11. Tomi Engdahl says:

    Tech Support Scammers Invade Spotify Forums to Rank in Search Engines
    https://www.bleepingcomputer.com/news/security/tech-support-scammers-invade-spotify-forums-to-rank-in-search-engines/

    Over the past few months, Tech Support scammers have been using the Spotify forums to inject their phone numbers into the first page of the Google & Bing search results. They do this by submitting a constant stream of spam posts to the Spotify forums, whose pages tend to rank well in Google.

    While this behavior causes the Spotify forums to become harder to use for those who have valid questions, the bigger problem is that it allows tech support scammers to rank extremely well and trick unknowing callers into purchasing unnecessary services and software.

    Reply
  12. Tomi Engdahl says:

    New Spider Ransomware Emerges
    http://www.securityweek.com/new-spider-ransomware-emerges

    A new ransomware family discovered when analyzing a mid-scale campaign that started over the weekend uses decoy documents auto-synced to enterprise cloud storage and collaboration apps, security researchers say.

    Dubbed Spider, the new threat was observed being distributed via an Office document supposedly targeting users in Bosnia and Herzegovina, Serbia, and Croatia. The spam emails suggest the sender is looking to collect some debt from the recipient in an attempt to trick the user into opening the attached file.

    Obfuscated macro code embedded in the Office document, however, launches a Base64 encrypted PowerShell script to download the malicious payload, Netskope’s Amit Malik says.

    If the malware is able to successfully infect a system, it starts encrypting the user’s files and adds the ‘.spider’ extension to the affected files.

    Reply
  13. Tomi Engdahl says:

    Traffic to Major Tech Firms Rerouted to Russia
    http://www.securityweek.com/traffic-major-tech-firms-rerouted-russia

    Internet traffic for some of the world’s largest tech firms was briefly rerouted to Russia earlier this week in what appeared to be a Border Gateway Protocol (BGP) attack.

    OpenDNS-owned Internet monitoring service BGPmon reported the incident on Tuesday. BGPmon noticed that 80 IP prefixes for organizations such as Google, Microsoft, Apple, Facebook, NTT Communications, Twitch and Riot Games had been announced by a Russian Autonomous System (AS).

    It happened twice on Tuesday and each time it only lasted for roughly three minutes. The first event took place between 04:43 and 04:46 UTC, and the second between 07:07 and 07:10 UTC.

    Reply
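What BGPmon detected in the incident described in comments 2 and 13 is a routing-table anomaly of a specific shape: prefixes (or more specific sub-prefixes) of well-known organisations appearing with an origin AS that has never announced them. The following is an added example, not BGPmon's or the articles' code: it compares observed announcements against a baseline of expected origin ASes and classifies each as a clean announcement, a same-origin more-specific (often legitimate traffic engineering), an origin change on the exact prefix, or a more-specific from an unexpected origin, the pattern Toonk called out as intentional. The baseline prefixes and the ASNs 64500 to 64510 are constructed (documentation ranges and private ASNs); AS 39523 is the origin named in the reports.

```python
"""Classify BGP announcements against a baseline of expected origin ASes."""
import ipaddress

# Constructed baseline: what each prefix is normally originated by.
BASELINE = {
    "203.0.113.0/24": 64500,
    "198.51.100.0/24": 64501,
    "2001:db8::/32": 64502,
}

# Constructed observations: (announced prefix, origin AS from the AS_PATH).
UPDATES = [
    ("203.0.113.0/24", 64500),   # normal announcement
    ("203.0.113.0/25", 39523),   # more specific from an unexpected origin
    ("198.51.100.0/24", 39523),  # exact prefix, wrong origin
    ("192.0.2.0/24", 64510),     # not in baseline: cannot judge
    ("2001:db8:1::/48", 64502),  # more specific, but the expected origin
]


def covering_baseline(prefix, baseline):
    """Longest baseline prefix that contains `prefix`, with its expected origin."""
    net = ipaddress.ip_network(prefix)
    best = None
    for p, asn in baseline.items():
        parent = ipaddress.ip_network(p)
        if parent.version != net.version or not net.subnet_of(parent):
            continue
        if best is None or parent.prefixlen > best[0].prefixlen:
            best = (parent, asn)
    return best


def classify(prefix, origin_as, baseline):
    hit = covering_baseline(prefix, baseline)
    if hit is None:
        return "unknown"
    parent, expected = hit
    more_specific = ipaddress.ip_network(prefix).prefixlen > parent.prefixlen
    if origin_as == expected:
        return "more-specific-same-origin" if more_specific else "ok"
    # A more specific wins longest-prefix match everywhere it is accepted,
    # so this shape pulls traffic even if the covering route stays in place.
    return "more-specific-hijack" if more_specific else "origin-hijack"


def audit(updates, baseline):
    """Return (prefix, origin_as, verdict) for every observed announcement."""
    return [(p, a, classify(p, a, baseline)) for p, a in updates]


if __name__ == "__main__":
    for prefix, asn, verdict in audit(UPDATES, BASELINE):
        print(f"{prefix:<18} AS{asn:<6} {verdict}")
```

Feeding this from a live source means taking origin AS and prefix from route collector data or your own router's table; the value of keeping the baseline as data rather than hard-coding it is that the same function then serves both "are our prefixes being hijacked" and "is a peer sending us routes it should not originate" checks.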
  14. Tomi Engdahl says:

    Security is Not a Technology Profession
    http://www.securityweek.com/security-not-technology-profession

    Security is not a technology profession. Or at least it shouldn’t be, I would argue. If this sounds like a provocative statement to you, then I am doing my job well. In the end, though, once I’ve argued my position, I hope you’ll come to agree with me.

    Perhaps it makes sense to begin by drawing a parallel to another profession, namely computer science. There is a famous quote that is sometimes attributed to Edsger Dijkstra, one of the pioneers of the computer science field: “Computer Science is no more about computers than astronomy is about telescopes.” Whether or not Dr. Dijkstra actually made this statement does not take away from the insight it brings. It is my belief that we in the information security profession can learn a lot from this quote.

    GDPR

    Lots of people, whether security professionals or not, are talking about the European General Data Protection Regulation (GDPR) lately. This conversation is happening for good reason. The regulation is set to go into effect in May 2018, and many organizations are still struggling with it.

    What is the essence of GDPR? What is the regulation going after? In my opinion, the regulation focuses on a strategic point that is too often overlooked in security. It focuses on the personal and private data and mandates that organizations take steps to protect that data.

    Risk Mitigation

    Risk mitigation is a subject that is timeless in the information security field, and it is, in essence, what information security is all about. And if we look at the biggest risks most organizations face, many of those risks relate directly to the loss of sensitive, proprietary, and confidential data. The theft of data that an organization was entrusted with safeguarding will most often cost that organization dearly.

    Once again, we see that all roads lead back to protecting data. You don’t mitigate risk by throwing a bunch of technologies into a data center and hoping for the best. You prioritize the gravest risks to the most sensitive data, and then go about determining how best to protect that data.

    Don’t get me wrong – technology is an extremely important component of a security program. As has been discussed many times, people, process, and technology all need to work together to secure an organization. Rather, what I am getting at here is that many organizations still seem to focus almost entirely on technological solutions to tactical problems, rather than on strategically addressing how they can best and most efficiently protect the data they are entrusted with. In other words, many organizations focus on the symptoms, rather than the actual disease.

    Reply
  15. Tomi Engdahl says:

    Threat Modeling the Internet of Things: Modeling Reaper
    http://www.securityweek.com/threat-modeling-internet-things-modeling-reaper

    Part 1 of this series put forth the premise that if we want to make a safer Internet of Things

    Recall that a simple threat model consists of three steps:
    1. Cataloging the assets at play.
    2. Brainstorming the threats to those assets.
    3. Scoring (prioritizing) those threats to create a mitigation strategy.

    In Part 2, we mentioned that the OWASP IoT Project page contains a typical list of IoT project assets

    Recall from Part 3 of this series that you can use the STRIDE acronym to help you brainstorm threats to the asset list. STRIDE stands for:

    • (S)poofing of user identity

    • (T)ampering

    • (R)epudiation

    • (I)nformation disclosure

    • (D)enial of service

    • (E)scalation of privilege

    Reaper is fascinating because it doesn’t just contain one infection threat vector; it contains at least nine! If we take those nine vulnerabilities that Reaper is using to infect IoT devices and put them in a table

    Reply
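The three-step model in the comment above (catalog assets, brainstorm STRIDE threats, score them into a mitigation order) is easy to keep as data rather than as a slide. The following is an added example, not the SecurityWeek series' own material: a small threat catalog with STRIDE validation, likelihood-times-impact scoring, a prioritized mitigation list, and a coverage check that reports which STRIDE categories have no recorded threat for an asset, which is where step 2 is still unfinished. The assets, threats, scores and mitigations are constructed for a generic IoT device; the names and the 1 to 5 scales are my own choices.

```python
"""STRIDE threat catalog with scoring and a brainstorming-coverage check."""
from dataclasses import dataclass
from typing import Dict, List, Set

STRIDE: Dict[str, str] = {
    "S": "Spoofing of user identity",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Escalation of privilege",
}


@dataclass(frozen=True)
class Threat:
    asset: str
    category: str        # one STRIDE letter
    description: str
    likelihood: int      # 1 (rare) .. 5 (expected)
    impact: int          # 1 (nuisance) .. 5 (safety or business critical)
    mitigation: str

    def __post_init__(self):
        if self.category not in STRIDE:
            raise ValueError(f"unknown STRIDE category {self.category!r}")
        for v in (self.likelihood, self.impact):
            if not 1 <= v <= 5:
                raise ValueError("likelihood and impact must be between 1 and 5")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def prioritize(threats: List[Threat]) -> List[Threat]:
    """Step 3: highest score first; ties broken by asset and category for a stable order."""
    return sorted(threats, key=lambda t: (-t.score, t.asset, t.category))


def coverage_gaps(assets: List[str], threats: List[Threat]) -> Dict[str, Set[str]]:
    """Step 2 check: STRIDE letters with no recorded threat per asset."""
    seen: Dict[str, Set[str]] = {a: set() for a in assets}
    for t in threats:
        seen.setdefault(t.asset, set()).add(t.category)
    return {a: set(STRIDE) - cats for a, cats in seen.items()}


# Constructed catalog for a generic IoT device (step 1 assets, step 2 threats).
ASSETS = ["device firmware", "local admin web interface", "cloud update channel"]
THREATS = [
    Threat("local admin web interface", "S", "factory default credentials accepted", 5, 4,
           "force a credential change on first boot"),
    Threat("local admin web interface", "E", "unauthenticated request reaches a privileged handler", 4, 5,
           "authenticate every handler; run the web process with least privilege"),
    Threat("cloud update channel", "T", "unsigned firmware image installed", 3, 5,
           "verify the image signature before flashing"),
    Threat("device firmware", "I", "shared secret key embedded in the image", 3, 3,
           "provision per-device keys at manufacturing"),
    Threat("device firmware", "D", "malformed packet crashes the device", 2, 2,
           "fuzz the parser; hardware watchdog restart"),
]

if __name__ == "__main__":
    for t in prioritize(THREATS):
        print(f"{t.score:>2} {t.asset:<26} {t.category} {t.description} -> {t.mitigation}")
    for asset, gaps in coverage_gaps(ASSETS, THREATS).items():
        print(f"{asset}: no threats recorded for {sorted(gaps)}")
```

The coverage report is the part worth keeping in a real project: an asset with four empty STRIDE columns is far more likely to have been skipped in brainstorming than to be genuinely safe.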
  16. Tomi Engdahl says:

    Machine Learning & Security: Making Users Part of the Equation
    http://www.securityweek.com/machine-learning-security-making-users-part-equation

    The Best Security Doesn’t Exclude Users, it Empowers Them

    If you’ve been watching, we’ve now entered the age of artificial intelligence, machine learning, and expanding automation. The capacity of modern computing to recognize patterns and make decisions based on boggling amounts of data has created new solutions and increasing customer expectations. Too many car accidents and mind-rending traffic? Self-driving cars might be the answer. Can’t get to the bank before it closes? There’s an app for that. Newspapers struggling to make ends meet? AI-based news bots churn out formulaic stories to reduce the cost of labor.

    Cybersecurity is no different. Always an area of rapid advancement, the threat landscape now expands dizzyingly at the pace of hundreds of thousands of new attack variants every day. As the types of attacks broaden and the sophistication level deepens, we humans obviously need some help. Enter data science and supporting technologies that have driven breakthrough advances in security, processing and analyzing all of this data on a scale that is multiple orders of magnitude faster than humans ever could.

    The downside of this expanding support is that we may become too dependent on our machines.

    Reply
  17. Tomi Engdahl says:

    China’s CCTV surveillance network took just 7 minutes to capture BBC reporter
    https://techcrunch.com/2017/12/13/china-cctv-bbc-reporter/?utm_source=tcfbpage&sr_share=facebook

    It took Chinese authorities just seven minutes to locate and apprehend BBC reporter John Sudworth using its powerful network of CCTV camera and facial recognition technology.

    This wasn’t a case of a member of the media being forcibly removed from the country. The chase was a stunt set up to illustrate just how powerful and effective the Chinese government’s surveillance system can be. It’s a stark example of the type of monitoring that China has invested heavily in over recent years with the aim of helping police do their job more efficiently.

    Reply
  18. Tomi Engdahl says:

    Jim Finkle / Reuters:
    “Triton” malware, likely the work of a nation-state, found in Schneider Electric industrial safety systems often used in nuclear, oil and gas plants

    Hackers halt plant operations in watershed cyber attack
    https://www.reuters.com/article/us-cyber-infrastructure-attack/hackers-halt-plant-operations-in-watershed-cyber-attack-idUSKBN1E8271

    Hackers likely working for a nation-state recently invaded the safety system of a critical infrastructure facility in a watershed attack that halted plant operations, according to cyber investigators and the firm whose software was targeted.

    FireEye Inc (FEYE.O) disclosed the incident on Thursday, saying it targeted Triconex industrial safety technology from Schneider Electric SE (SCHN.PA).

    Schneider confirmed that the incident had occurred and that it had issued a security alert to users of Triconex, which cyber experts said is widely used in the energy industry, including at nuclear facilities, and oil and gas plants.

    Compromising a safety system could let hackers shut them down in advance of attacking other parts of an industrial plant, potentially preventing operators from identifying and halting destructive attacks, they said.

    Safety systems “could be fooled to indicate that everything is okay,” even as hackers damage a plant

    “This is a watershed,” said Sergio Caltagirone, head of threat intelligence with Dragos. “Others will eventually catch up and try to copy this kind of attack.”

    The U.S. government and private cyber-security firms have issued public warnings over the past few years about attempts by hackers from nations including Iran, North Korea and Russia and others to attack companies that run critical infrastructure plants in what they say are primarily reconnaissance operations.

    Reply
  19. Tomi Engdahl says:

    UK Spy Chiefs Peel Back Secrecy — to Fight Cybercrime
    http://www.securityweek.com/uk-spy-chiefs-peel-back-secrecy-fight-cybercrime

    Britain’s cyber-spooks are reaching out from behind their veil of secrecy with the aim of cultivating the nation’s next generation of high-tech sentries — a move not without security risks.

    With recruiting initiatives levelled at tech-savvy hipsters, start-ups pitching ideas and even Christmas puzzles, the top-secret Government Communications Headquarters (GCHQ) is letting the public in, ever so slightly.

    The latest move was this month’s “Cyber Accelerator” event at the National Cyber Security Centre (NCSC) — part of GCHQ — when investors, journalists and entrepreneurs were offered a rare glimpse behind the scenes.

    The Accelerator project connects tech entrepreneurs with GCHQ experts and information, aiming to help the budding companies turn their ideas into ready-for-market cyber-defence products.

    The move is the latest in a series of initiatives by the security services to open their doors to young tech wizards — a subtle effort to recruit the best and brightest as Britain’s future cyber-sentries.

    Reply
  20. Tomi Engdahl says:

    Avast Open Sources Machine-Code Decompiler in Battle Against Malware
    http://www.securityweek.com/avast-open-sources-machine-code-decompiler-battle-against-malware

    In an effort to boost the fight against malicious software, anti-malware company Avast this week announced the release of its retargetable machine-code decompiler as open source.

    Dubbed RetDec, short for Retargetable Decompiler, the software utility is the result of seven years of development and was originally created as a joint project by the Faculty of Information Technology of the Brno University of Technology in the Czech Republic, and AVG Technologies. Avast acquired AVG Technologies in 2016.

    The tool allows the security community to perform platform-independent analysis of executable files. With its source code published to GitHub under the MIT license, RetDec is now available for anyone to freely use it, study its source code, modify it, and redistribute it.

    By open-sourcing the decompiler, Avast aims to provide “a generic tool to transform platform-specific code, such as x86/PE executable files, into a higher form of representation, such as C source code.”

    https://github.com/avast-tl/retdec

    Reply
  21. Tomi Engdahl says:

    New Cisco App Helps Organizations Secure iOS Devices
    http://www.securityweek.com/new-cisco-app-helps-organizations-secure-ios-devices

    Cisco on Thursday announced the availability of Security Connector, an iOS application designed to provide organizations visibility and control for mobile devices running Apple’s operating system.

    Security Connector for iOS, the result of a partnership between Apple and Cisco, is an application that combines functionality from the Cisco Umbrella secure internet gateway and the Cisco Advanced Malware Protection (AMP) endpoint security product, specifically its Clarity component.

    Enterprises can download the application from the Apple App Store – the app itself is free but requires a license from Cisco – and deploy it on devices running iOS 11 via mobile device management (MDM) solutions such as Cisco’s Meraki Systems Manager. Once installed, the app provides deep visibility to ensure compliance, establish risk exposure, and aid incident response.

    Reply
  22. Tomi Engdahl says:

    Google Details How It Protects Data Within Its Infrastructure
    http://www.securityweek.com/google-details-how-it-protects-data-within-its-infrastructure

    Google has decided to share detailed information on how it protects service-to-service communications within its infrastructure at the application layer and the system it uses for data protection.

    Called Application Layer Transport Security (ALTS), the technology was designed to authenticate communication between Google services and keep data protected while in transit. When sent to Google, data is protected using secure communication protocols such as TLS (Transport Layer Security).

    According to the Web search giant, it started development of ALTS in 2007, when TLS was bundled with support protocols that did not satisfy the company’s minimum security standards. Thus, the company found it more suitable to design its own security solution than patch an existing system.

    Application Layer Transport Security
    https://cloud.google.com/security/encryption-in-transit/application-layer-transport-security/

    CIO-level summary

    Google’s Application Layer Transport Security (ALTS) is a mutual authentication and transport encryption system developed by Google and typically used for securing Remote Procedure Call (RPC) communications within Google’s infrastructure. ALTS is similar in concept to mutually authenticated TLS but has been designed and optimized to meet the needs of Google’s datacenter environments.
    The ALTS trust model has been tailored for cloud-like containerized applications. Identities are bound to entities instead of to a specific server name or host. This trust model facilitates seamless microservice replication, load balancing, and rescheduling across hosts.
    ALTS relies on two protocols: the Handshake protocol (with session resumption) and the Record protocol. These protocols govern how sessions are established, authenticated, encrypted, and resumed.
    ALTS is a custom transport layer security solution that we use at Google. We have tailored ALTS to our production environment, so there are some tradeoffs between ALTS and the industry standard, TLS. More details can be found in the Tradeoffs section.

    Reply
  23. Tomi Engdahl says:

    Xen Project says new version 4.10 has found balance between security and novelty
    Splendid isolation for VMs, and a hand for ARM servers
    https://www.theregister.co.uk/2017/12/15/xen_4_10/

    The Xen Project has released version 4.10 of its hypervisor.

    Maintainer boss Julien Grail wrote that “As in Xen 4.9, we took a security-first approach for Xen 4.10 and spent a lot of energy to improve code quality and harden security.”

    “This inevitably slowed down the acceptance of new features somewhat and also delayed the release. However, we believe that we reached a meaningful balance between mature security practices and innovation.”

    Reply
  24. Tomi Engdahl says:

    Gemalto spurns €4.3bn proposal. So we’re in with a chance then, says Atos
    You say you’re not into us. Let’s ‘dialogue’ over dinner
    https://www.theregister.co.uk/2017/12/14/gemalto_turns_down_atos/

    Dutch security biz Gemalto has spurned outsourcing giant Atos’ unsolicited offer of a €4.3bn (£3.79bn) buyout describing the proposal as “opportunistic”.

    The proposed deal was announced publicly on Monday, with the card-security and SIM-flinger having until tomorrow to respond.

    Sharing its reply to Atos boss Thierry Breton, Gemalto said Atos’ proposal was “opportunistic”, and “significantly undervalue[d] the company”

    According to the missive, Atos had indicated that they were filing papers with the Authority for the Financial Markets (the Dutch equivalent of the UK Financial Conduct Authority or the US Securities and Exchange Commission) in preparation, whether or not Gemalto had agreed to the deal, which Atos has confirmed to us.

    Reply
  25. Tomi Engdahl says:

    Fortinet VPN Client Exposes VPN Creds; Palo Alto Firewalls Allow Remote Attacks
    https://it.slashdot.org/story/17/12/14/140216/fortinet-vpn-client-exposes-vpn-creds-palo-alto-firewalls-allow-remote-attacks?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29

    It’s been a bad week for two of the world’s biggest vendors of enterprise hardware and software — Fortinet and Palo Alto Networks. The worst of the bunch is a credentials leak affecting Fortinet’s FortiClient, an antivirus product provided by Fortinet for both home and enterprise-level clients.

    Fortinet VPN Client Exposes VPN Creds, Palo Alto Firewalls Allow Remote Attacks
    https://www.bleepingcomputer.com/news/security/fortinet-vpn-client-exposes-vpn-creds-palo-alto-firewalls-allow-remote-attacks/

    FortiClient exposes VPN credentials

    The worst of the bunch is a credentials leak affecting Fortinet’s FortiClient, an antivirus product provided by Fortinet for both home and enterprise-level clients.
    Researchers from SEC Consult said in an advisory released this week that they’ve discovered a security issue that allows attackers to extract credentials for this VPN client.

    Palo Alto Networks firewalls vulnerable to root-level RCE

    The second major security issue disclosed this week affects firewall products manufactured by Palo Alto Networks and running PAN-OS, the company’s in-house operating system.
    The vulnerability can only be exploited if companies leave the management interface of their Palo Alto firewall exposed to WAN connections (via the Internet), instead of limiting access to the local area network (LAN) only.

    Reply
  26. Tomi Engdahl says:

    EFF: Accessing Publicly Available Information On the Internet Is Not a Crime
    https://yro.slashdot.org/story/17/12/14/2055231/eff-accessing-publicly-available-information-on-the-internet-is-not-a-crime?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29

    EFF is fighting another attempt by a giant corporation to take advantage of our poorly drafted federal computer crime statute for commercial advantage — without any regard for the impact on the rest of us. This time the culprit is LinkedIn. The social networking giant wants violations of its corporate policy against using automated scripts to access public information on its website to count as felony “hacking” under the Computer Fraud and Abuse Act, a 1986 federal law meant to criminalize breaking into private computer systems to access non-public information.

    EFF, together with our friends DuckDuckGo and the Internet Archive, have urged the Ninth Circuit Court of Appeals to reject LinkedIn’s request to transform the CFAA from a law meant to target “hacking” into a tool for enforcing its computer use policies. Using automated scripts to access publicly available data is not “hacking,” and neither is violating a website’s terms of use.

    EFF to Court: Accessing Publicly Available Information on the Internet Is Not a Crime
    https://www.eff.org/deeplinks/2017/12/eff-court-accessing-publicly-available-information-internet-not-crime

    EFF is fighting another attempt by a giant corporation to take advantage of our poorly drafted federal computer crime statute for commercial advantage—without any regard for the impact on the rest of us. This time the culprit is LinkedIn. The social networking giant wants violations of its corporate policy against using automated scripts to access public information on its website to count as felony “hacking” under the Computer Fraud and Abuse Act, a 1986 federal law meant to criminalize breaking into private computer systems to access non-public information.

    LinkedIn’s position would undermine open access to information online, a hallmark of today’s Internet, and threaten socially valuable bots that journalists, researchers, and Internet users around the world rely on every day—all in the name of preserving LinkedIn’s advantage over a competing service. The Ninth Circuit should make sure that doesn’t happen.

    Background: Bad Court Decisions Open Door to Abuse

    The CFAA makes it illegal to engage in “unauthorized access” to a computer connected to the Internet, but the statute doesn’t tell us what “authorization” or “without authorization” means. This vague language might have seemed innocuous to some back in 1986 when the statute was passed, but in today’s networked world, where we all regularly connect to and use computers owned by others, this pre-Web law is causing serious problems.

    In some jurisdictions, the CFAA has metastasized into a tool for companies and websites to enforce their computer use policies, like terms of service (which no one reads) or corporate computer policies. But other courts—including the Ninth Circuit back in 2012—have rejected turning the CFAA “into a sweeping Internet-policing mandate.”

    One company targeted by LinkedIn was hiQ Labs, which provides analysis of data on LinkedIn users’ publicly available profiles.

    Old Laws Can’t Do New Tricks

    The CFAA is an old, blunt instrument, and trying to use it to solve a modern, complicated dispute between two companies will undermine open access to information on the Internet for everyone.

    LinkedIn’s Position Won’t Actually Protect Privacy

    LinkedIn argues that imposing criminal liability for automated access of publicly available LinkedIn data would protect the privacy interests of LinkedIn users who decide to publish their information publicly, but that’s just not true. LinkedIn still wouldn’t have any meaningful control over who accesses the data and how they use it, because the data will still be freely available on the open Internet for malicious actors and anyone not within the jurisdiction of the United States to access and use however they wish.

    LinkedIn knows this. Its privacy policy acknowledges the inherent lack of privacy in data posted publicly and makes no promises to users about LinkedIn’s ability to protect it: “Please do not post or add personal data to your profile that you would not want to be publicly available.”

    Reply
  27. Tomi Engdahl says:

    While you’re watching streaming video, your browser is secretly mining cryptocurrency
    https://betanews.com/2017/12/13/while-youre-watching-streaming-video-your-browser-is-secretly-mining-cryptocurrency/

    There’s a cryptocurrency goldrush on at the moment. People are investing insane sums, and also making good money — Bitcoin, Ethereum and Litecoin are all doing phenomenally well.

    However, some sites are turning to mining cryptocurrency as a way to supplement falling ad revenue, and a new report from security firm Adguard has found that almost a billion monthly visitors to four popular streaming sites have unknowingly been mining Monero currency while watching videos.

    Crypto-jacking — secretly using your device to mine cryptocurrency in the background — is a growing problem, and one that often bypasses adblockers.

    Adguard found four video sites, with a combined total of 992 million monthly visits, were mining for Monero without their users’ knowledge. These sites are Openload — one of the most popular streaming sites in the world — Streamango, Rapidvideo and OnlineVideoConverter.

    According to Adguard, OnlineVideoConverter “holds the absolute record among crypto-jackers at the moment” as the site is ranked 119th in the world, with almost 490 million visits a month.

    Reply
  28. Tomi Engdahl says:

    Engineering for Privacy Requires Standards
    https://www.eetimes.com/author.asp?section_id=36&doc_id=1332727

    Common sense guidelines and standards are needed to help engineers create products that respect privacy and give users the rights to their own data.

    Companies across all industries are dealing with the General Data Protection Regulation (GDPR), which comes into force in May, giving enhanced privacy protection to personal data. The related EU-wide Payment Service Directive 2 (PSD2) will open up customer transactions and data to third parties with appropriate consent.

    Methods and common practices to meet these requirements are not established yet, a potential roadblock for product developers. The Kantara Initiative is working to address this challenge with its recently launched Consent Management Solutions Work Group.

    iWelcome and digi.me Launch Kantara Initiative Consent Management Solutions Work Group
    https://kantarainitiative.org/iwelcome-and-digi-me-launch-kantara-initiative-consent-management-solutions-work-group/

    Reply
  29. Tomi Engdahl says:

    Security robots are being used to ward off San Francisco’s homeless population
    https://techcrunch.com/2017/12/13/security-robots-are-being-used-to-ward-off-san-franciscos-homeless-population/

    Is it worse if a robot instead of a human is used to deter the homeless from setting up camp outside places of business?

    One such bot cop recently took over the outside of the San Francisco SPCA, an animal advocacy and pet adoption clinic in the city’s Mission district, to deter homeless people from hanging out there — causing some people to get very upset.

    The S.F. SPCA rolled out the use of a robot unit dubbed K9 from security startup Knightscope a month ago, citing these same safety concerns.

    The K9 units are also cheaper than humans. One robot costs $6 an hour to use vs. paying a security guard the average $16 an hour.

    And, according to both the S.F. SPCA and Knightscope, crime dropped after deploying the bot.

    However, the K9 unit had its own share of hardships.

    It’s worth mentioning many robots have been targeted by humans in the past.

    Last week the city ordered the S.F. SPCA to stop using these security robots altogether or face a fine of $1,000 per day for operating in a public right of way without a permit.

    It could keep an eye on the surrounding area and report crimes, yes, but it could also possibly be used to alert police and social workers to areas where homelessness seems to have increased or look for anyone who may be facing violence or a psychotic episode and in need of intervention.

    Reply
  30. Tomi Engdahl says:

    TRITON Malware Targeting Critical Infrastructure Could Cause Physical Damage
    https://thehackernews.com/2017/12/triton-ics-scada-malware.html?m=1

    Dubbed Triton, also known as Trisis, the ICS malware has been designed to target Triconex Safety Instrumented System (SIS) controllers made by Schneider Electric—an autonomous control system that independently monitors the performance of critical systems and takes immediate actions automatically, if a dangerous state is detected.
    Researchers from the Mandiant division of security firm FireEye published a report on Thursday, suggesting state-sponsored attackers used the Triton malware to cause physical damage to an organization.

    https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html

    Reply
  31. Tomi Engdahl says:

    Using IPv6 with Linux? You’ve likely been visited by Shodan and other scanners
    https://arstechnica.com/information-technology/2016/02/using-ipv6-with-linux-youve-likely-been-visited-by-shodan-and-other-scanners/

    Shodan caught using time-keeping servers to quietly harvest IP addresses.

    One of the benefits of the next-generation Internet protocol known as IPv6 is the enhanced privacy it offers over its IPv4 predecessor. With a staggering 2¹²⁸ (or about 3.4×10³⁸) theoretical addresses available, its IP pool is immune to the types of systematic scans that criminal hackers and researchers routinely perform to locate vulnerable devices and networks with IPv4 addresses. What’s more, IPv6 addresses can contain regularly changing, partially randomized extensions. Together, the IPv6 features cloak devices in a quasi anonymity that’s not possible with IPv4.

    Now, network administrators have discovered a clever way that scanners are piercing the IPv6 cloak of obscurity. By setting up an IPv6-based network time protocol service most Internet-connected devices rely on to keep their internal clocks accurate, the operators can harvest huge numbers of IPv6 addresses

    Shodan—the vulnerability search engine that indexes Internet-connected devices—has been quietly contributing NTP services for months to the cluster of volunteer time servers known as the NTP Pool Project.

    Within seconds of one of the Shodan’s NTP servers receiving a query from an IPv6 device, Shodan’s main scanning engine would scan more than 100 ports belonging to the device. The Shodan scanner would then revisit the device roughly once a day.

    Shodan’s harvesting scheme came to an abrupt end on Thursday, when NTP Pool Project maintainers ejected the Shodan time-keeping servers from the cluster.

    “Choose the websites you visit carefully”
    “I might just be too cynical, but [harvesting] also feels like something we should come to expect,” Ask Bjørn Hansen, an NTP Pool Project maintainer

    IPv6 accounts for only a small portion of today’s Internet traffic, but there’s little doubt that it’s growing rapidly. About 10 percent of people accessing Google use the next-generation protocol, up from 6 percent last year and just 1 percent in 2013. Virtually all desktop, server, and mobile operating systems released over the past decade offer IPv6 connectivity by default.

    Virtually all distributions of Linux by default use IPv6 to query servers in the NTP pool.

    The v6 adoption has presented a quandary for researchers and criminal hackers alike. The entire IPv4 address space can be scanned in a matter of minutes or hours, depending on the equipment used and how thorough the probes are. What’s more, v4 addresses assigned to servers, computers, and routers often stay active for months or years.

    “The obscurity is really good with IPv6,” Rob Graham, CEO of security firm Errata Security, told Ars. “That’s what we’re relying on. People are assuming it provides a lot of security.”

    The added security seems to have lulled some administrators and hardware manufacturers into thinking v6 devices don’t need the same types of defenses that are standard for their v4 counterparts. The Buffalo WZR-HP-G300NH wireless router, for instance, supports IPv6 routing but omits IPv6 firewall capabilities that are typical with IPv4. Many v4 devices rely on network address translation, which assigns devices inside a home or corporate network an address that’s not reachable on the open Internet. In large part, it becomes the firewall for v4 devices.

    IPv6, by contrast, gives devices inside a private network a globally reachable IP address

    Now, network administrators have discovered a clever way that scanners are piercing the IPv6 cloak of obscurity. By setting up an IPv6-based network time protocol service most Internet-connected devices rely on to keep their internal clocks accurate, the operators can harvest huge numbers of IPv6 addresses that would otherwise remain unknown. The server operators can then scan hundreds or thousands of ports attached to each address to identify publicly available surveillance cameras, unpatched servers, and similar vulnerabilities.

    IPv6, by contrast, gives devices inside a private network a globally reachable IP address, a design that works in opposition to the entire objective of network address translation. Shodan’s harvesting of addresses from the NTP Pool Project puts such security-through-obscurity approaches to rest.

    Resistance is (mostly) futile
    Some of the forum participants have proposed remedies such as using a secondary v6 address to make NTP queries or even for all outgoing connections. It’s not clear how much meaningful protection would come from such approaches given the five-second turnaround time from outgoing NTP query to incoming scan. The proposed fix would also do little to prevent abuse by other services, such as websites, messaging, DNS, and e-mail that also receive incoming connections from IPv6 devices. Hein said he supports using IPv6 addresses once per connection and limiting the lifespan of an IPv6 address to a single connection. Once the connection is closed, the IPv6 address would be deallocated.

    “This would generate a huge volume of IPv6 addresses for routers and network systems to have to keep track of, but it would be the most secure,”

    Ultimately, at least for the foreseeable future, people would do better to accept that some amount of harvesting will be unavoidable and that admins will have to apply the same stringent firewall regimens to IPv6 devices that have long been required to keep v4 devices safe.

    “I (too) might just be too cynical, or in this business too long, but I feel that if you communicate on the global Internet, you should expect to be probed,”

    Reply
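Two of the points in the article above can be checked on one's own hosts: whether an IPv6 address still embeds the NIC's MAC (an EUI-64 interface identifier, the opposite of the "partially randomized extensions" the article mentions), and whether an outbound NTP query is followed within seconds by an inbound port sweep of the querying address. The following is an added example and not code from Ars Technica, Shodan or the NTP Pool Project; the log format (one event per line, `key=value` fields) and all addresses in it are constructed for the example, and the 60-second window and three-port threshold are my assumptions.

```python
"""Added example (not from the article): two defender-side checks for IPv6 hosts.
(1) is_eui64 / mac_from_eui64: does the address expose the hardware MAC?
(2) ntp_triggered_sweeps: detection logic for 'NTP query, then a port sweep of the
    querying address a few seconds later'. Log lines and addresses are constructed."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta


def is_eui64(addr: str) -> bool:
    """True if the interface identifier was derived from a MAC (…xxff:fexx… in the low 64 bits)."""
    b = ipaddress.IPv6Address(addr).packed
    return b[11] == 0xFF and b[12] == 0xFE


def mac_from_eui64(addr: str) -> str:
    """Recover the MAC from an EUI-64 interface identifier (undoes the RFC 4291 U/L bit flip)."""
    if not is_eui64(addr):
        raise ValueError("not an EUI-64 interface identifier")
    iid = bytearray(ipaddress.IPv6Address(addr).packed[8:])
    iid[0] ^= 0x02                      # universal/local bit was flipped when the IID was formed
    mac = bytes([iid[0], iid[1], iid[2], iid[5], iid[6], iid[7]])   # drop the ff:fe filler
    return ":".join(f"{x:02x}" for x in mac)


# Constructed log: one host with an EUI-64 address queries NTP and is swept seconds later;
# a second host with a randomized IID queries NTP and sees only an unrelated connection later.
LOG = """\
2016-02-05T10:00:00Z ntp_query src=2001:db8:1::211:22ff:fe33:4455 dst=2001:db8:ffff::123
2016-02-05T10:00:03Z inbound dst=2001:db8:1::211:22ff:fe33:4455 src=2001:db8:ffff::beef dport=22
2016-02-05T10:00:03Z inbound dst=2001:db8:1::211:22ff:fe33:4455 src=2001:db8:ffff::beef dport=80
2016-02-05T10:00:04Z inbound dst=2001:db8:1::211:22ff:fe33:4455 src=2001:db8:ffff::beef dport=443
2016-02-05T10:00:04Z inbound dst=2001:db8:1::211:22ff:fe33:4455 src=2001:db8:ffff::beef dport=8080
2016-02-05T10:30:00Z ntp_query src=2001:db8:1::9c1a:7e0b:3d2f:51a4 dst=2001:db8:ffff::123
2016-02-05T11:00:00Z inbound dst=2001:db8:1::9c1a:7e0b:3d2f:51a4 src=2001:db8:abcd::7 dport=443
"""


def parse(log: str):
    """Parse '<ts> <kind> k=v k=v ...' lines into dicts with a datetime 'ts' and a 'kind'."""
    events = []
    for line in log.splitlines():
        ts, kind, *kv = line.split()
        fields = dict(item.split("=", 1) for item in kv)
        fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        fields["kind"] = kind
        events.append(fields)
    return events


def ntp_triggered_sweeps(events, window=timedelta(seconds=60), min_ports=3):
    """Our address -> (scanner, sorted ports) whenever one remote source probes at least
    min_ports distinct ports on that address within `window` after its NTP query."""
    hits = {}
    for q in (e for e in events if e["kind"] == "ntp_query"):
        me = q["src"]
        ports = defaultdict(set)
        for e in events:
            if e["kind"] == "inbound" and e["dst"] == me and q["ts"] <= e["ts"] <= q["ts"] + window:
                ports[e["src"]].add(int(e["dport"]))
        for scanner, p in ports.items():
            if len(p) >= min_ports:
                hits[me] = (scanner, sorted(p))
    return hits


if __name__ == "__main__":
    for me, (scanner, ports) in ntp_triggered_sweeps(parse(LOG)).items():
        exposed = f" (EUI-64, MAC {mac_from_eui64(me)})" if is_eui64(me) else ""
        print(f"{me}{exposed}: swept by {scanner} on ports {ports}")
```

The correlation is only evidence, not proof, that the NTP server handed the address to the scanner, but a sweep of the querying address seconds after every pool query is exactly the pattern the article describes, and an EUI-64 address makes it worse because the same host is recognisable across prefixes and sessions.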
  32. Tomi Engdahl says:

    Ransomware: A cheat sheet for professionals
    https://www.techrepublic.com/article/ransomware-the-smart-persons-guide/?lipi=urn%3Ali%3Apage%3Ad_flagship3_feed%3BKq7r37wJQw2qlC9HRvsmHA%3D%3D

    This guide covers Locky, WannaCry, Petya, and other ransomware attacks, the systems hackers target, and how to avoid becoming a victim and paying cybercriminals a ransom in the event of an infection.

    Reply
  33. Tomi Engdahl says:

    Collection of 1.4 Billion Plain-Text Leaked Passwords Found Circulating Online
    https://thehackernews.com/2017/12/data-breach-password-list.html?m=1

    Online users’ habit of reusing the same password across multiple services gives hackers the opportunity to use the credentials gathered from a data breach to break into their other online accounts.
    Researchers from security firm 4iQ have now discovered a new collective database on the dark web (released on Torrent as well) that contains a whopping 1.4 billion usernames and passwords in clear text.

    The aggregate database, found on 5 December in an underground community forum, has been said to be the largest ever aggregation of various leaks found in the dark web to date

    Though links to download the collection were already circulating online over dark-web sites over the last few weeks, it took more exposure when someone posted it on Reddit a few days ago, from where we also downloaded a copy and can now verify its authenticity.
    Researchers said the 41GB massive archive, as shown below, contains 1.4 billion usernames, email, and password combinations—properly fragmented and sorted into two and three level directories.

    The archive had been last updated at the end of November and didn’t come from a new breach—but from a collection of 252 previous data breaches and credential lists.

    The collective database contains plain text credentials leaked from Bitcoin, Pastebin, LinkedIn, MySpace, Netflix, YouPorn, Last.FM, Zoosk, Badoo, RedBox, games like Minecraft and Runescape, and credential lists like Anti Public, Exploit.in.
    “None of the passwords are encrypted, and what’s scary is that we’ve tested a subset of these passwords and most of them have been verified to be true,” Casal said. “The breach is almost two times larger than the previous largest credential exposure, the Exploit.in combo list that exposed 797 million records.”

    For example, a simple search for “admin,” “administrator” and “root,” returned 226,631 passwords used by administrators in a few seconds.

    Reply
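When a combo list like this surfaces, the practical questions for a defender are which of the exposed accounts are privileged (the "admin"/"root" search quoted above) and which identities appear with the same password in more than one source, since those are the users whose reuse habit makes credential stuffing work. The following is an added example and not 4iQ's tooling: the two "source" files are constructed, and the `identity:password` line format is the common combo-list convention, which is why the split is on the first colon only.

```python
"""Added example (not from the article): triage of a leaked combo list.
Sources and lines are constructed; real dumps use 'user:password' or 'email:password' lines."""
from collections import defaultdict

PRIVILEGED = {"admin", "administrator", "root"}   # the names the article searched for

SAMPLE = {   # constructed: two breach dumps with one overlapping user and one reused password
    "source_a.txt": """\
alice@example.com:Summer2016!
admin@example.com:Passw0rd
root:toor
bob@example.net:correct horse
""",
    "source_b.txt": """\
alice@example.com:Summer2016!
administrator:changeme
carol@example.org:hunter2
bob@example.net:aN0therPw
""",
}


def parse_combo(text):
    """Yield (identity, password). Split on the first ':' only; passwords may contain ':'."""
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        ident, pw = line.split(":", 1)
        yield ident.lower(), pw


def index(sources):
    """identity -> {password -> set(source names)} across all dumps."""
    idx = defaultdict(lambda: defaultdict(set))
    for name, text in sources.items():
        for ident, pw in parse_combo(text):
            idx[ident][pw].add(name)
    return idx


def privileged_accounts(idx):
    """Identities whose local part is a well-known admin name (the article's 'admin' search)."""
    return sorted(i for i in idx if i.split("@", 1)[0] in PRIVILEGED)


def reused_across_sources(idx):
    """Identities whose *same* password appears in more than one dump: confirmed reuse."""
    return sorted(i for i, pws in idx.items() if any(len(s) > 1 for s in pws.values()))


def exposures(idx, ident):
    """Everything known about one identity, for a notification or forced reset."""
    return {pw: sorted(srcs) for pw, srcs in idx.get(ident.lower(), {}).items()}


if __name__ == "__main__":
    idx = index(SAMPLE)
    print("privileged:", privileged_accounts(idx))
    print("reused:", reused_across_sources(idx))
    print("bob:", exposures(idx, "bob@example.net"))
```

Note that bob@example.net is not flagged as reuse: two different passwords in two dumps is expected, while alice's identical password in both is the signal that one compromise unlocks the next.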
  34. Tomi Engdahl says:

    California computer scientists develop simple data breach detection tool
    by Ellen Tannam
    https://www.siliconrepublic.com/enterprise/data-breach-detection-tool-ucs?lipi=urn%3Ali%3Apage%3Ad_flagship3_feed%3BKq7r37wJQw2qlC9HRvsmHA%3D%3D

    With data breaches on the increase, this new tool could be useful for companies and organisations.

    Computer scientists at the University of California (UC) San Diego have built and successfully tested a tool designed to detect when websites have fallen victim to a data breach, by monitoring the activity of email accounts associated with them.

    A data breach is a case of when, not if
    Alex C Snoeren, a professor of computer science at the Jacobs School of Engineering at UC San Diego and the paper’s senior author, said: “No one is above this – companies or nation states – it’s going to happen, it’s just a question of when.”

    Researchers found that popular sites were just as likely to be hacked as unpopular ones, which translates to 10 out of the top 1,000 most visited sites on the internet potentially falling victim to a data breach.

    DeBlasio created a bot that registers and creates accounts on a large number of websites (approximately 2,300 were included in this study). Each account is associated with a unique email address.

    The tool was designed to use the same password for both the email account and the website account associated with each email. Researchers then bided their time to see if an outside party used the password to access the email account, which would indicate the website’s account information had been leaked.

    Researchers also had to ensure the breach was related to hacked websites and not the email provider or their own infrastructure, so a control group was set up.

    19 websites were determined to have been hacked, including a well-known US start-up with more than 45m active customers. Once the accounts had been breached, the security teams of the affected sites were warned, and emails and phone calls were exchanged.

    Snoeren said he was “heartened” by the serious response from the large sites that had been affected, but was surprised that none of the affected sites acted on the results of the study by disclosing their respective breaches to customers.

    Reply
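The detection logic the UC San Diego study describes is simple enough to sketch end to end: one unique mailbox per monitored site, the same password on the site and the mailbox, and any successful mailbox login that is not ours means that site leaked its credential store; control mailboxes that were never registered anywhere catch the case where the mail provider or our own infrastructure is the problem instead. The block below is an added example modelled on that description, not the researchers' tool; the account registry, the log line format and every address and IP are constructed.

```python
"""Honey-account breach detection, modelled on the approach in the post.

Added example. A registry maps each honey mailbox to the site it was
registered on (None = control mailbox, never registered anywhere). The
mailbox login log is scanned for successful logins from addresses that are
not ours: on a site-bound mailbox that signals a breach of that site, on a
control mailbox it signals a problem with the mail provider or our own
infrastructure. Log format is hypothetical.
"""
from collections import defaultdict

# Constructed registry: honey mailbox -> site it was registered on.
HONEY_ACCOUNTS = {
    "h1-8f3a@honey.example": "shop-a.test",
    "h2-c019@honey.example": "forum-b.test",
    "h3-77d2@honey.example": "shop-a.test",
    "ctrl-01@honey.example": None,   # control: registered nowhere
}

# Source addresses our own monitoring uses to poll the mailboxes.
OUR_IPS = {"203.0.113.10"}

# Constructed login-log lines: "<timestamp> <mailbox> <source_ip> <result>"
SAMPLE_LOG = """\
2017-12-01T03:14:00Z h1-8f3a@honey.example 203.0.113.10 success
2017-12-02T22:47:13Z h1-8f3a@honey.example 198.51.100.77 success
2017-12-02T22:48:02Z h3-77d2@honey.example 198.51.100.77 success
2017-12-03T01:00:00Z h2-c019@honey.example 192.0.2.5 failure
2017-12-03T09:30:00Z ctrl-01@honey.example 203.0.113.10 success
"""


def parse_log(text):
    """Yield (timestamp, mailbox, source_ip, result) for each well-formed line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            yield tuple(parts)


def detect_breaches(log_text, accounts, our_ips):
    """Return (breached_sites, infra_alerts).

    breached_sites: site -> sorted list of foreign IPs that logged in to a
                    honey mailbox registered on that site.
    infra_alerts:   (timestamp, mailbox, ip) for foreign logins to control
                    mailboxes; these are not attributable to any site.
    Failed logins are ignored: only a successful login proves the attacker
    holds the leaked password, which is what the study looked for.
    """
    breached = defaultdict(set)
    infra = []
    for ts, mailbox, ip, result in parse_log(log_text):
        if result != "success" or ip in our_ips or mailbox not in accounts:
            continue
        site = accounts[mailbox]
        if site is None:
            infra.append((ts, mailbox, ip))
        else:
            breached[site].add(ip)
    return {s: sorted(ips) for s, ips in breached.items()}, infra


if __name__ == "__main__":
    sites, infra = detect_breaches(SAMPLE_LOG, HONEY_ACCOUNTS, OUR_IPS)
    for site, ips in sites.items():
        print(f"likely breached: {site} (logins from {', '.join(ips)})")
    for alert in infra:
        print("control mailbox login, check provider/infra:", alert)
```

Two honey mailboxes tied to the same site being accessed from the same foreign address, as in the sample, is the strongest signal: a single mailbox could in principle be guessed, but two independently registered ones point at the site's credential store. The control mailbox login in the sample comes from our own address and is correctly ignored.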
  35. Tomi Engdahl says:

    Threat Modeling in Agile World – Part 2 of 3
    https://omoolchandani.com/2017/12/13/threat-modeling-in-agile-world-part-2-of-3/?lipi=urn%3Ali%3Apage%3Ad_flagship3_feed%3BiXx1IgFtS4m39VbqfRAsaw%3D%3D

    “Clear understanding about asset definition is the stepping stone for successful cyber security program.”

    Threat, Threat Agent, Attack and Attack Vector
    “Threat is a phenomenon or situation that is adversarial in nature and realization of which can cause damage or adversarial impact to the target.” Ex: Tampering, data leak, privacy breach.

    “Threat agent is an entity that possesses skill, intent and motivation and capability to project threats in order to eventualize the attack”. Ex: External Internet Based, Malicious Operator, Malicious Cloud Admin etc.

    “Attack is an event which is triggered using attack vector in order to realize threat and cause impact”. Ex: Uber Data Breach Attack, Equifax Attack etc.

    “Attack Vector is the mechanism used to trigger attack” Ex: Remote Code Execution, Local File Inclusion, Cross Site Scripting, DLL Injection, API hooking, ARP Poisoning, Brute Forcing etc.

    “Attacker is an entity who owns up to the attack” Ex: Anonymous, Lizard Squad, Ourmine, Computer Chaos Club etc.

    Reply
  36. Tomi Engdahl says:

    Avast releases open-source Machine-Code Decompiler (RetDec) to fight malware
    http://securityaffairs.co/wordpress/66747/malware/avast-decompiler-retdec-malware.html

    Malware Decompiler Tool Goes Open Source
    https://www.darkreading.com/attacks-breaches/malware-decompiler-tool-goes-open-source/d/d-id/1330639

    Anti-malware vendor Avast has donated its homegrown malware decompiler tool to the open-source community.

    Avast’s RetDec basically converts a piece of malware into a higher-level programming language and helps malware analysts unmask the inner workings and functions of its code. “It turns it into something that looks like the original source code,” says Jakub Kroustek, threat lab team lead at Avast. “It’s much easier” and more efficient to sleuth just what the malware can do when it’s decompiled, he notes.

    Reply
  37. Tomi Engdahl says:

    The promise of managing identity on the blockchain
    https://techcrunch.com/2017/09/10/the-promise-of-managing-identity-on-the-blockchain/

    Blockchain, the secure distributed ledger technology first created to track bitcoin ownership, has taken on a number of new roles in recent years tracking anything of value from diamonds to real estate deeds to contracts. The blockchain offers the promise of a trusted record that can reduce fraud. Some industry experts say that over the coming years, it could be used to control identity information in a more secure fashion.

    Reply
  38. Tomi Engdahl says:

    Critical: Massive Microsoft Vulnerability
    https://www.cloudmanagementsuite.com/microsoft-vulnerability

    An update has been released by Microsoft to fix a major remote code execution (RCE) vulnerability in its Malware Protection Engine.

    According to the CVE-2017-11937 security update, Microsoft believes that the MPE could be tricked into scanning a specially crafted file that would lead to a memory corruption bug. Any hacker who used this exploit could execute code to take total control of the system.

    Reply
  39. Tomi Engdahl says:

    Brian Merchant / Wired:
    Email intelligence firm OMC says 19% of “conversational” email, sent by people like friends, spouses, and business partners, is subject to email open tracking

    How Email Open Tracking Quietly Took Over the Web
    https://www.wired.com/story/how-email-open-tracking-quietly-took-over-the-web/

    “I just came across this email,” began the message, a long overdue reply. But I knew the sender was lying. He’d opened my email nearly six months ago. On a Mac. In Palo Alto. At night.

    I knew this because I was running the email tracking service Streak, which notified me as soon as my message had been opened. It told me where, when, and on what kind of device it was read. With Streak enabled, I felt like an inside trader whenever I glanced at my inbox, privy to details that gave me maybe a little too much information. And I certainly wasn’t alone.

    There are some 269 billion emails sent and received daily. That’s roughly 35 emails for every person on the planet, every day. Over 40 percent of those emails are tracked, according to a study published last June by OMC, an “email intelligence” company that also builds anti-tracking tools.

    The tech is pretty simple. Tracking clients embed a line of code in the body of an email—usually in a 1×1 pixel image, so tiny it’s invisible, but also in elements like hyperlinks and custom fonts. When a recipient opens the email, the tracking client recognizes that pixel has been downloaded, as well as where and on what device. Newsletter services, marketers, and advertisers have used the technique for years, to collect data about their open rates; major tech companies like Facebook and Twitter followed suit in their ongoing quest to profile and predict our behavior online.

    But lately, a surprising—and growing—number of tracked emails are being sent not from corporations, but acquaintances. “We have been in touch with users that were tracked by their spouses, business partners, competitors,” says Florian Seroussi, the founder of OMC. “It’s the wild, wild west out there.”

    Reply
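The tracking mechanism the Wired piece describes (a remote 1×1 image, or a link or font URL carrying a per-recipient token) is straightforward to flag on the receiving side before any remote resource is fetched. The following is an added example written for this page, not code from Wired or OMC; the sample HTML, host names and tokens are constructed, and the token heuristic (a long alphanumeric path segment or query value) is an assumption about how such beacons usually look.

```python
"""Flag likely open-tracking elements in an HTML email body.

Added example. Parses the HTML without fetching anything and reports:
  pixel           remote <img> that is 0/1 px wide or tall, or carries a token
  tokenized_link  <a href> whose URL carries a per-recipient-looking token
  remote_font     url(...) inside <style> whose URL carries such a token
"""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Constructed sample: one beacon pixel, one ordinary logo, one tokenized
# link and one remote font with an identifier in its URL.
SAMPLE_EMAIL = """\
<html><body>
<p>Hi, see the attached notes.</p>
<img src="https://track.example.net/open?u=8f3a2c1d9e0b4a7f" width="1" height="1">
<img src="https://cdn.example.org/logo.png" width="120" height="40">
<a href="https://track.example.net/c/7e1a2b3c4d5e6f70?r=newsletter">Read more</a>
<style>@font-face { src: url(https://fonts.example.net/f.woff?id=abcdef0123456789); }</style>
</body></html>
"""

TOKEN_MIN_LEN = 16  # assumption: beacon ids are long opaque alphanumerics


class _Collector(HTMLParser):
    """Collect images, links and inline CSS; no network access."""

    def __init__(self):
        super().__init__()
        self.images = []   # (src, width, height)
        self.links = []
        self.styles = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img" and a.get("src"):
            self.images.append((a["src"], a.get("width"), a.get("height")))
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "style":
            self._in_style = True

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:
            self.styles.append(data)


def _is_remote(url):
    return urlparse(url).scheme in ("http", "https")


def _looks_like_token(url):
    """True if a path segment or query value is a long opaque alphanumeric id."""
    p = urlparse(url)
    candidates = p.path.split("/")
    candidates += [v for vals in parse_qs(p.query).values() for v in vals]
    return any(len(c) >= TOKEN_MIN_LEN and c.isalnum() for c in candidates)


def find_trackers(html):
    """Return a list of (kind, url) findings for the given HTML body."""
    c = _Collector()
    c.feed(html)
    findings = []
    for src, w, h in c.images:
        tiny = w in ("0", "1") or h in ("0", "1")
        if _is_remote(src) and (tiny or _looks_like_token(src)):
            findings.append(("pixel", src))
    for href in c.links:
        if _is_remote(href) and _looks_like_token(href):
            findings.append(("tokenized_link", href))
    for url in re.findall(r"url\(([^)]+)\)", "".join(c.styles)):
        url = url.strip("'\"")
        if _is_remote(url) and _looks_like_token(url):
            findings.append(("remote_font", url))
    return findings


if __name__ == "__main__":
    for kind, url in find_trackers(SAMPLE_EMAIL):
        print(f"{kind:15} {url}")
```

The robust mitigation is the one most mail clients already offer: do not load remote content by default. A scanner like this is useful on top of that, to tell the user which message carried a beacon and to decide whether a tokenized link is safe to rewrite through a privacy proxy before it is clicked.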
  40. Tomi Engdahl says:

    Kate Conger / Gizmodo:
    After slipping an unexplained promotional plugin for the TV show Mr. Robot into Firefox and angering users, Mozilla will move the extension to its add-on store — This week, Mozilla slipped a browser extension that promoted Mr. Robot into Firefox. The goal was to give Firefox users access …

    After Blowback, Firefox Will Move Mr. Robot Extension to Store
    https://gizmodo.com/after-blowback-firefox-will-move-mr-robot-extension-t-1821354314

    This week, Mozilla slipped a browser extension that promoted Mr. Robot into Firefox. The goal was to give Firefox users access to an alternate reality game tied to the end of the show’s third season, but because Firefox didn’t initially offer any explanation for the sudden appearance of the extension, nicknamed Looking Glass, many users worried that spyware had been installed in their browsers.

    Reply
  41. Tomi Engdahl says:

    Natasha Lomas / TechCrunch:
    Gemalto, which makes SIM and smart cards and provides IT security, agrees to ~$5.4B buyout by French conglomerate Thales, a 57% premium over 12/8 closing price

    Thales agrees to buy Gemalto in digital security deal worth ~$5.43BN
    https://techcrunch.com/2017/12/17/thales-agrees-to-buy-gemalto-in-digital-security-deal-worth-5-43bn/

    Digital security solutions provider Gemalto has agreed to a €51 per share acquisition offer from French aerospace and defense group Thales — in a deal worth around $5.43BN.

    The unanimously board-approved all-cash offer represents a premium of 57% over the closing price of Gemalto stock as of 8 December 2017.

    In a statement today recommending Thales’ offer, CEO Philippe Vallée said: “I am convinced that the combination with Thales is the best and the most promising option for Gemalto and the most positive outcome for our company, employees, clients, shareholders and other stakeholders,” adding that it would enable Gemalto to “accelerate its development and deliver its digital security vision”.

    Last week the Gemalto board rejected a €46 per share offer from French IT services company Atos, saying it significantly undervalued the company.

    Gemalto is a major producer of SIM cards and NFC for mobile phones but also provides secure transaction solutions to banks, including EMV chip cards, payment terminals and user authentication systems for online banking, such as one-time token generating hardware devices for 2FA. It also sells identity and access control solutions to the public sector, including biometric authentication technologies for government-issued ID documents such as passports.

    Reply
  42. Tomi Engdahl says:

    Rachel Abrams / New York Times:
    Journalist documents her frustrating quest to fix an error in the Knowledge Graph panel appearing on Google searches for her name, which claimed she was dead

    Google Thinks I’m Dead
    (I know otherwise.)
    https://www.nytimes.com/2017/12/16/business/google-thinks-im-dead.html

    I’m not dead yet.

    But try telling that to Google.

    For much of the last week, I have been trying to persuade the world’s most powerful search engine to remove my photo from biographical details that belong to someone else. A search for “Rachel Abrams” revealed that Google had mashed my picture from The New York Times’s website with the Wikipedia entry for a better-known writer with the same name, who died in 2013.

    My father pointed this out in a quizzical text message, but the error seemed like an inconsequential annoyance best ignored indefinitely. To anyone who knows me, it is clearly not me — I am not married, my mother’s name is not Midge, and I was not born in 1951.

    But when an acquaintance said she was alarmed to read that I had passed away, it seemed like an error worth correcting.

    Plenty of people try to remove negative or inaccurate information about themselves from the internet. There are entire companies that will do this for you. But often, the misinformation appears on websites other than Google, which Google doesn’t really see as its problem.

    “I think they probably do have some phone number somewhere, but they do push everyone heavily through the web and online channels,” said Rich Matta, the chief executive of ReputationDefender, a company that people pay to correct inaccurate or misleading information about themselves on the internet. “It’s probably part of their ethos that everything can be done well or better online.”

    As information streams at us, it can be difficult to distinguish between fact and fiction. “Search results these days are your first impression,’’ Mr. Matta said.

    And when things go wrong online, we’re often at the mercy of faceless technology companies that prefer to interact with us through the web.

    “In my experience, it is very difficult to submit correction requests to Google for situations that aren’t clear violations of policies or laws,” Mr. Matta said. “Most individuals are overwhelmed with the difficulty of the problem, and don’t even know where to start.”

    The Knowledge Graph panel typically appears for some commonly searched terms, like “Macy’s” or “Brad Pitt.” These cards also appear for local businesses and other less prominent people, often pulling from Wikipedia.

    This allows Googlers to get basic information, like a phone number or address, without visiting another website.

    Reply
  43. Tomi Engdahl says:

    Synaptics to Remove “Keylogger” Functionality From Drivers
    http://www.securityweek.com/synaptics-remove-keylogger-functionality-drivers

    Synaptics says recent reports inaccurately characterized a debugging tool found in its touchpad drivers as a keylogger, but the company has decided to remove the functionality from its products.

    Earlier this month, a researcher reported finding what appeared to be keylogger functionality in a Synaptics touchpad driver shipped with hundreds of HP laptops. The functionality is disabled by default, but a user with administrator privileges can enable it and abuse it to log keystrokes.

    The vulnerability, tracked as CVE-2017-17556, was reported to HP and patched by the company in November.

    HP classified the vulnerability as medium severity (CVSS score of 6.1), and Synaptics has assigned it a low severity rating (CVSS score of 2.0). Some people agree that the flaw is not serious, arguing that an attacker with administrator privileges can install a proper keylogger and other types of malware.

    Synaptics said the functionality was added to some of its drivers for diagnosing, tuning and debugging touchpads, but it was disabled before being shipped to customers. The same drivers are provided to other PC manufacturers, not just HP, but no other company has been named to date.

    Reply
  44. Tomi Engdahl says:

    Synopsys finalized its acquisition of Black Duck Software, which provides software for managing and securing open source software in projects, adding to Synopsys’ burgeoning software analysis and security business. The cash deal was approximately $547 million net of cash acquired.

    Source: https://semiengineering.com/the-week-in-review-design-109/

    Reply
  45. Tomi Engdahl says:

    keeper: privileged ui injected into pages (again)
    https://bugs.chromium.org/p/project-zero/issues/detail?id=1481&desc=3

    I recently created a fresh Windows 10 VM with a pristine image from MSDN, and found that a password manager called “Keeper” is now installed by default.

    I’ve heard of Keeper, I remember filing a bug a while ago about how they were injecting privileged UI into pages ( issue 917 ). I checked and they’re doing the same thing again with this version.

    Nevertheless, this is a complete compromise of Keeper security, allowing any website to steal any password. Here is a working demo that steals your twitter password:

    https://lock.cmpxchg8b.com/keepertest.html

    Please consider adding regression tests before releasing an update for this issue.

    Reply
  46. Tomi Engdahl says:

    Google Researcher Finds Critical Flaw in Keeper Password Manager
    http://www.securityweek.com/google-researcher-finds-critical-flaw-keeper-password-manager

    Google Project Zero researcher Tavis Ormandy recently discovered that the Keeper password manager had been affected by a critical flaw similar to one he identified just over one year ago in the same application.

    Ormandy found the security hole after noticing that Keeper is now installed by default in Windows 10. He remembered a vulnerability he reported last year and managed to reproduce the same attack with only a few minor modifications.

    “I’ve heard of Keeper, I remember filing a bug a while ago about how they were injecting privileged UI into pages,” the researcher said. “I checked and they’re doing the same thing again with this version.”

    The vulnerability affects the Keeper browser extensions, which, unless users opt out, are installed alongside the Keeper desktop application. The security hole allows attackers to steal passwords stored by the app if they can convince an authenticated user to access a specially crafted website.

    Keeper released a patch within 24 hours of being notified by Ormandy.

    “This potential vulnerability requires a Keeper user to be lured to a malicious website while logged into the browser extension, and then fakes user input by using a clickjacking and/or malicious code injection technique to execute privileged code within the browser extension,” Keeper said in a blog post informing customers of the vulnerability and the patch.

    https://blog.keepersecurity.com/2017/12/15/update-for-keeper-browser-extension-v11-4/

    Reply
  47. Tomi Engdahl says:

    Iran Used “Triton” Malware to Target Saudi Arabia: Researchers
    http://www.securityweek.com/iran-used-triton-malware-target-saudi-arabia-researchers

    The recently uncovered malware known as “Triton” and “Trisis” was likely developed by Iran and used to target an organization in Saudi Arabia, according to industrial cybersecurity and threat intelligence firm CyberX.

    FireEye and Dragos reported on Thursday that a new piece of malware designed to target industrial control systems (ICS) had caused a shutdown at a critical infrastructure organization somewhere in the Middle East.

    CyberX has also obtained samples of the malware and based on its threat intelligence team’s investigation, Triton/Trisis was likely created by Iran and the victim was likely an organization in Saudi Arabia.

    “It’s widely believed that Iran was responsible for destructive attacks on Saudi Arabian IT networks in 2012 and more recently in 2017 with Shamoon, which destroyed ordinary PCs. This would definitely be an escalation of that threat because now we’re talking about critical infrastructure — but it’s also a logical next step for the adversary,” Phil Neray, VP of Industrial Cybersecurity for CyberX, told SecurityWeek.

    “Stuxnet and more recently Industroyer showed that modern industrial malware can be used to reprogram and manipulate critical devices such as industrial controllers, and Triton appears to be simply an evolution of those approaches,” Neray added.

    FireEye and Dragos would not comment on CyberX’s theory about Triton being developed and used by Iran. FireEye did however note in its report that the methods used were consistent with attacks previously attributed to Russian, Iranian, U.S., North Korean and Israeli nation-state actors.

    http://www.securityweek.com/new-ics-malware-triton-used-critical-infrastructure-attack

    Reply
  48. Tomi Engdahl says:

    New “PRILEX” ATM Malware Used in Targeted Attacks
    http://www.securityweek.com/new-prilex-atm-malware-used-targeted-attacks

    Trend Micro security researchers recently discovered a highly targeted piece of malware designed to steal information from automated teller machines (ATMs).

    Dubbed PRILEX and written in Visual Basic 6.0 (VB6), the threat was designed to hijack a banking application and steal information from ATM users. The malware was spotted in Brazil, but similar threats could prove as harmful anywhere around the world, the security researchers say.

    First reported in October 2017, PRILEX was designed to hook certain dynamic-link libraries (DLLs) and replace them with its own application screens. The targeted DLLs (P32disp0.dll, P32mmd.dll, and P32afd.dll) belong to the ATM application of a bank in Brazil.

    Reply
  49. Tomi Engdahl says:

    Hackers Target Security Firm Fox-IT
    http://www.securityweek.com/hackers-target-security-firm-fox-it

    Fox-IT, the Netherlands-based cybersecurity firm owned by NCC Group, revealed on Thursday that it had been the victim of a man-in-the-middle (MitM) attack made possible by DNS records getting changed at its third-party domain registrar.

    The incident took place back in September and Fox-IT decided to disclose it now after conducting a detailed analysis. A law enforcement investigation is ongoing so the company has not shared any information on who might be behind the attack.

    Reply
