Year 2017 will not have any turn towards better data security. The internet is rife with such well-known than the unknown threats. The company’s systems are supposed to be protected.Hackers are going to continue to look for new ways to extort and steal information from businesses and organizations, which unfortunately means those businesses and organizations will have to continue to look for new ways to protect themselves.
Critical infrastructure cames under attack in 2017. Critical infrastructures must be better protected from criminals and terrorists who take advantage of modern technologies that are essential for the functioning of society and the economy. IT security functions of industrial control systems (ICS), energy grids and IoT networks needs to be improved in 2017.
There is push for better web security in 2017. Starting New Year’s Day, Google’s Chrome will begin labeling as “insecure” all websites that transmit passwords or ask for credit card details over plain text HTTP. Beginning in January 2017 (Chrome 56), HTTP sites that transmit passwords or credit cards are marked as non-secure, as part of a long-term plan to mark all HTTP sites as non-secure.
SHA-1 is insecure. Starting on Jan 1, 2017, most CAs will migrate to SHA-2 certificates, and major browser makers have already announced plans to adopt the change, including Microsoft, Google, and Mozilla. Their browsers will no longer trust sites that use SHA-1 starting with that date, and they will mark these websites as insecure. 1/3 of Websites Use SHA-1 Certificates Despite Looming Deadline. SHA-1 will still hang around, like a fart in a spacesuit, for many years to come because some people are lazy enough not to make the change.
There will be changes in how security is viewed in 2017 by businesses. We will likely see cloud adoption continue to grow across the United States, network visibility will no longer just be an option, AI and machine learning will shake old security models, and IoT-powered attacks will continue to rise. All of this will factor into how businesses set up, monitor and secure their networks.
The Commoditization of Cyberattacks Will Make Them More Frequent in 2017. More and more companies suffer from disruption to business due to cyber attacks. Cyber-attacks cause companies significant financial losses, but the studies shows that companies are not prepared for attacks. According to Gartner, by 2018 only 40 per cent of large companies have official plans in case of cyber attacks. Last year, the percentage was zero.
Strap yourself in for a bumpy ride in 2017. 2016 sucked. 2017 won’t be much better, sorry. DDoS attacks have been around since at least 2000, and they’re not going away. In fact, as the number of devices online grows, the volume and velocity of these attacks is also increasing. DDoS attack toolkits have been around for years, as have services that will enable you to pay for an attack. Expect to see more of them. It seems that 2017 promises to be the most dramatic year yet in DDoS conflict. Whale-sized DDoS attacks will increase, the IoT will become a bigger factor in DDoS and DDoS will overshadow ransomware attacks and is used for extortion. Expect to see the Internet of Things (IoT) and other connected devices play an important part in these attacks.
Biometric identification will become more common in 2017, but it will not replace passwords. Fingerprint identification has become increasingly common in smartphones and already the technology is fast and reliable. This year biometric identification devices were sold for 4.5 billion dollars (most of them go to smart phones and laptops). 91 percent of biometric sales were fingerprint sensors, four per cent of face detection and three per cent iris detection.
Biometrics Won’t Kill Passwords any time soon. Even though PIN codes and passwords are actually pretty lousy protection case against skilled cybercriminal, the password will never disappear entirely, as two per cent of the world’s population is persons with a fingerprint not suitable for biometric identifier to work. Other biometric identification systems have also similar limitations and/or are not yet commonly available at reasonable cost. While biometrics, including fingerprint-, face-, iris-, palm- and speech-recognition, will continue to grow as a more secure substitute for passwords, they will not render passwords obsolete. Until the other common biometrics become commonplace, passwords are here to stay until circa 2030.
Fights with encryption and backdoors for them is not over in 2017. Many public figures in law enforcement have consistently argued that device encryption presents a new threat to police powers of investigation. On the other side House Judiciary Committee’s Encryption Working Group report says encryption backdoors pose a security threat, siding with tech experts in their latest report . The problem is that any system allowing police to get into those encrypted system (let it be phone, computer or communications) could also be exploited by criminals. Any action in this space should weigh any short-term benefits against the longterm impacts. Many industry experts will rightly tell you there is no such thing as partial data encryption. You either have a fully capable system or none at all.
Given the security events of 2016, coupled with the rapid advancements and adoption of cloud computing, 2017 will be the year in which many finally accept that network infrastructure and security will have to be rethought from the ground up. In 2017 the cloud will become a risk for users: The cloud becoming insecure – extortion and IoT openings.
The rivalry between the network attacks and network security is in acceleration. Crippling Internet services with denial of service attacks are becoming more common throughout the world. DDoS attacks have been around since at least 2000, and they’re not going away. In fact, as the number of devices online grows, the volume and velocity of these attacks is also increasing. IoT-powered attacks will continue to rise and stopping the attack is not easy. For most companies the key thing is that the attack traffic is stopped before it reaches the company’s Internet connection or servers (needs to use telecom operator and external services increase). In addition to service disturbion Denial of Service Attacks are often used as distraction during the actual data burglary.DDoS may take over from ransomware as a cause for concern.
In 2017 the IT and security professionals talk about more about business risks. Historically, firewalls, DLP, antivirus, SIEM and other technical point solutions have been the centerpiece of security conversations, but the mindset is slowly shifting from technology to risk. The goal of stopping all attacks and preventing all business impact has been recognized as a fool’s errand, and has shifted to measuring risk and minimizing business impacts. Cyber security is increasingly being viewed as a risk management problem.
In 2017 ‘Security’ Must be Added to our Existing Ethical and Philosophic Concerns Over Artificial Intelligence and Algorithms. Algorithms soon run the world. They present problems that are seriously questioned on both ethical and philosophic grounds; and they have become the basis of fictional Armageddons.
Cyber insurance will be more thoughs as on solution for handling cyber risks in 2017. The global cyber insurance market is expected to generate $14 billion by 2022, according to a new report published by Allied Market Research (AMR). That figure represents an impressive compound annual growth rate (CAGR) of nearly 28% from 2016 to 2022.
In 2017 Big Brother will be watching you 24/7.Those of you who’ve read George Orwell’s book 1984 or seen the movie ,will remember how the citizens of the fictitious totalitarian state of Oceana are constantly under surveillance by order of its dictator, Big Brother. So now swap your home desktop computer, laptop or smart phone for the fictitious telescreen and not only are you sitting in front of what is a modern day version of the Big Brother telescreen you are also walking around with one in your pocket or handbag. Sound a bit far fetched to you? Well it’s set to become a reality in many countries.
Users will want better security or at least to feell more secure in 2017. Many people are prepared to to extremes for better security. According to a recent survey of over 2,000 adults conducted by Harris Poll Nearly 40% of Americans Would Give Up Sex for a Year or eating their favourite food in Exchange for Better Online Securit, meant they’d never have to worry about being hacked. When you consider that 87 percent of U.S. adults use the internet, it makes sense that cyber security is one of the biggest concerns today. The single biggest thing people can do to help keep their online identity safe is probably the easiest – a solid password – and not giving it to other people. Still nearly 50% of people have shared a password to an e-mail account or to an account like Netflix.
Security Becomes A Multi-System Issue and more people talking about the issue. Design teams will have to bake strategies in from the start, no matter how insignificant the device.The good news is that it more people talking about the issue. The real challenge is packing enough security features into designs to prevent security breaches of every sort, including those that can come from other electronics that weren’t even considered as part of the design process. Just as devices get more sophisticated, so do hackers.The reality is that security breaches can even cause physical harm. It’s time to look at this at a multi-system, multi-disciplinary level. Otherwise, we literally could be playing with fire.
Block chains have been a big trend for several years. The block chain market is divided now when 2017 starts. During the autumn 2016, we have seen a number of initiatives on cooperation between the financial sector and consulting companies. Microsoft has chosen a platform for Ethereum-block chain and offers it to the Azure cloud service. IBM has jumped Hyperledger consortium bandwagon and offering their own block chains to Bluemix service. Google and Amazon still shine by their absence. Even banks may prefer to see the use of cloud for the block chains.
Other prediction articles worth to look:
What Lies Ahead for Cybersecurity in 2017?
Network Infrastructure, Visibility and Security in 2017
DDoS in 2017: Strap yourself in for a bumpy ride
Cybersecurity Industry Outlook: 2017 to 2021 | CSO Online
IBM’s Cybersecurity Predictions for 2017 – eForensics
https://eforensicsmag.com/ibms-cybersecurity-predictions-2017/
Top 5 Cybersecurity Threats to Watch Out for in 2017
Experts Hopeful as Confidence in Risk Assessment Falls
3,151 Comments
Tomi Engdahl says:
Chinese crime group targets database servers for mining cryptocurrency
http://securityaffairs.co/wordpress/67006/cyber-crime/database-servers.html
Security researchers discovered multiple hacking campaigns conducted by a Chinese criminal gang targeting database servers.
The researchers from the security firm GuardiCore Labs Security have discovered multiple hacking campaigns conducted by a Chinese criminal gang targeting database servers. The attackers targeted systems worldwide for mining cryptocurrencies, exfiltrating sensitive data and building a DDoS botnet.
The experts observed thousands of cyber attacks in recent months and identified at least three attack scheme, Hex, Hanako, and Taylor, targeting MS SQL and MySQL servers running on both Windows and Linux machines.
Tomi Engdahl says:
Washington Post:
Sources: years after FBI began tracking Russian disinformation efforts and US intelligence agencies drew up counter operations, the US still equivocates — The first email arrived in the inbox of CounterPunch, a left-leaning American news and opinion website, at 3:26 a.m. — the middle of the day in Moscow.
Kremlin trolls burned across the Internet as Washington debated options
https://www.washingtonpost.com/world/national-security/kremlin-trolls-burned-across-the-internet-as-washington-debated-options/2017/12/23/e7b9dc92-e403-11e7-ab50-621fe0588340_story.html?utm_term=.e22e28888e3e
The first email arrived in the inbox of CounterPunch, a left-leaning American news and opinion website, at 3:26 a.m. — the middle of the day in Moscow.
“Hello, my name is Alice Donovan and I’m a beginner freelance journalist,” read the Feb. 26, 2016, message.
The FBI was tracking Donovan as part of a months-long counterintelligence operation code-named “NorthernNight.” Internal bureau reports described her as a pseudonymous foot soldier in an army of Kremlin-led trolls seeking to undermine America’s democratic institutions.
Her first articles as a freelancer for CounterPunch and at least 10 other online publications weren’t especially political. As the 2016 presidential election heated up, Donovan’s message shifted. Increasingly, she seemed to be doing the Kremlin’s bidding by stoking discontent toward Democratic front-runner Hillary Clinton and touting WikiLeaks, which U.S. officials say was a tool of Russia’s broad influence operation to affect the presidential race.
Tomi Engdahl says:
Reuters:
Vietnam unveils new, 10K-strong cyber warfare unit to counter “wrong” views online, a month after blogger was sentenced to 7yrs for propaganda against the state
Vietnam unveils 10,000-strong cyber unit to combat ‘wrong views’
https://www.reuters.com/article/us-vietnam-security-cyber/vietnam-unveils-10000-strong-cyber-unit-to-combat-wrong-views-idUSKBN1EK0XN
Vietnam has unveiled a new, 10,000-strong military cyber warfare unit to counter “wrong” views on the Internet, media reported, amid a widening crackdown on critics of the one-party state.
Tomi Engdahl says:
Robert McMillan / Wall Street Journal:
An informal band of researchers is working over Christmas to prevent hackers from disrupting online services, following PlayStation and Xbox incidents in 2014
Link copied…
Tech
As Videogame Hackers Try to Ruin Christmas, Watchdogs Are on Patrol
Merry band of security buffs spend holidays on alert to make sure cyber-Grinches don’t spoil the fun
https://www.wsj.com/articles/web-warriors-hunt-hacker-grinches-to-save-christmas-1513938603
Earlier this month, three men pleaded guilty to writing software, called Mirai, that is used in many of these attacks. Last year, the men released Mirai’s source code, federal prosecutors say. And that action ushered in a new era of extremely large botnet attacks.
In October 2016, Mirai was used to flood internet service provider Dyn with unwanted network traffic, an event that ground the internet to a standstill for many Americans.
“Mirai scared us to death,” said Dale Drew, chief security strategist with CenturyLink Inc., who is among Ms. Nixon’s fellow botnet fighters.
The battle against such botnets is a year-round effort, but it heats up during the holidays. Last year, just before Christmas, a group calling itself R.I.U. Star Patrol claimed on Twitter to have launched an online attack against Yahoo’s Tumblr Service and, in a YouTube video, threatened to repeat the event on Christmas Day.
However, the researchers disrupted Star Patrol before it could launch the Christmas Day attack.
Researchers believe they may have thwarted a similar plan about two weeks ago. That was when another massive 650,000-unit botnet called Satori—which used code from Mirai—was taken down hours after the security firm Akamai Technologies Inc. published a report identifying its command-and-control server. Ms. Nixon and Mr. Drew said fellow researchers then reached out to the internet service provider asking it to take the server offline.
That takedown seems to have disrupted Satori for now.
Tomi Engdahl says:
Sarah Jeong / The Verge:
The infosec community has undergone a post-Weinstein cultural shift, as evidenced by the soul-searching following allegations against Morgan Marquis-Boire
Vulnerabilities and exploits
What happened when the infosec community outed its own sexual predators
https://www.theverge.com/2017/12/21/16807116/infosec-community-sexual-predators-weinstein-assault
Tomi Engdahl says:
Experts discovered a flaw in GoAhead that affects hundreds of thousands IoT devices
http://securityaffairs.co/wordpress/67113/iot/goahead-flaws.html
Experts from Elttam discovered a flaw in GoAhead tiny web server that affects hundreds of thousands IoT devices, it could be exploited to remotely execute malicious code on affected devices.
A vulnerability in the GoAhead tiny web server package, tracked as CVE-2017-17562, affects hundreds of thousands of IoT devices. The GoAhead solution is widely adopted by tech giants, including Comcast, IBM, Boeing, Oracle, D-Link, ZTE, HP, Siemens, and Canon. It is easy to find the tiny web server in almost any IoT device, including printers and routers.
Attackers can exploit the vulnerability if the CGI support is enabled with dynamically linked CGI program. Unfortunately, this configuration is quite common.
Elttam reported the vulnerability to Embedthis, the company who developed the web server, that promptly released an update that addresses the flaw.
Now it is important that hardware manufacturers will include the patch in the instances of the GoAhead running into their products, but this process could take a lot of time.
Elttam also released a proof-of-concept code that could be used to test if IoT devices are vulnerable to the CVE-2017-17562 flaw.
Such kind of flaws are exploited by IoT malware like BrickerBot, Mirai, Hajime, and Persirai.
https://github.com/elttam/advisories/blob/master/CVE-2017-17562/makemyday.py
Tomi Engdahl says:
Beware the Holiday Hack
https://www.securerf.com/beware-holiday-hack/?utm_campaign=Email%20Newsletter&utm_source=hs_email&utm_medium=email&utm_content=59645269&_hsenc=p2ANqtz-91DaJ1owbCdhy3JOt8HrQsP6cQEMLsK7TF4rIJc6bIGlCAdBI2WpXaQWgEXpMOv0NugtTEIADXXHVetpf_02mNMmMXgw0jjnTrFPo-GmQlAkd-wPM&_hsmi=59645269
Most online 2017 holiday gift guides have one thing in common: IoT gadgets. Wi-Fi video doorbells, wearable health monitors, phone-controlled toy robots, and “smart” ovens are just a few of the thousands of Internet-connected products being offered this holiday season. Such gifts might seem like safe products to give or receive, but reports about recent IoT hacks have shown us that most, if not all, Internet-connected devices are potential targets for hackers.
A few notable 2017 security hacks, breaches, and threats:
Smartwatch Eavesdropping: In November, a German regulator banned the sale of a kids’ smartwatch
IoTroop: Qihoo 360 and Check Point Research recently reported that the IoTroop botnet, also known as “Reaper,” was hijacking IoT devices, such as routers and IP cameras, around the globe at an extremely rapid rate.
Pacemaker Recall: The FDA announced in August that Abbott’s RF-enabled implantable pacemakers contain embedded devices that are vulnerable to wireless attack.
CAN Bus Hack: In August 2017, TrendMicro reported that security research team found that it is possible to turn off a vehicle’s key automated components
Casino Fish Tank Hack: In July, we learned that attackers tried to steal data from a Las Vegas casino by hacking into one of its “smart” fish tanks.
As you will notice by reading through the articles we posted, too many of today’s IoT devices were designed with limited or no security, making those devices vulnerable.
Tomi Engdahl says:
Chris Hamby / BuzzFeed:
Sources: Safran, which sells fingerprint-analysis software used by FBI, 18K+ US law enforcement agencies, didn’t disclose some code was from Kremlin-linked firm — In a secret deal, a French company purchased code from a Kremlin-connected firm, incorporated it into its own software …
FBI Software For Analyzing Fingerprints Contains Russian-Made Code, Whistleblowers Say
https://www.buzzfeed.com/chrishamby/fbi-software-contains-russian-made-code-that-could-open-a
In a secret deal, a French company purchased code from a Kremlin-connected firm, incorporated it into its own software, and hid its existence from the FBI, according to documents and two whistleblowers. The allegations raise concerns that Russian hackers could compromise law enforcement computer systems.
The fingerprint-analysis software used by the FBI and more than 18,000 other US law enforcement agencies contains code created by a Russian firm with close ties to the Kremlin, according to documents and two whistleblowers. The allegations raise concerns that Russian hackers could gain backdoor access to sensitive biometric information on millions of Americans, or even compromise wider national security and law enforcement computer systems.
The Russian code was inserted into the fingerprint-analysis software by a French company, said the two whistleblowers, who are former employees of that company. The firm — then a subsidiary of the massive Paris-based conglomerate Safran — deliberately concealed from the FBI the fact that it had purchased the Russian code in a secret deal, they said.
Tomi Engdahl says:
Washington Post:
Sources: years after FBI began tracking Russian disinformation efforts and US intelligence agencies drew up counter operations, the US still equivocates — The first email arrived in the inbox of CounterPunch, a left-leaning American news and opinion website, at 3:26 a.m. — the middle of the day in Moscow.
Kremlin trolls burned across the Internet as Washington debated options
https://www.washingtonpost.com/world/national-security/kremlin-trolls-burned-across-the-internet-as-washington-debated-options/2017/12/23/e7b9dc92-e403-11e7-ab50-621fe0588340_story.html
Tomi Engdahl says:
Ben Blanchard / Reuters:
Xinhua state news agency: China has closed 13K+ websites for breaking the law since 2015, suspended 10M+ telecom accounts lacking real names over last 5 years
China closes more than 13,000 websites in past three years
https://www.reuters.com/article/us-china-internet/china-closes-more-than-13000-websites-in-past-three-years-idUSKBN1EI05M
China has closed more than 13,000 websites since the beginning of 2015 for breaking the law or other rules and the vast majority of people support government efforts to clean up cyberspace, state news agency Xinhua said on Sunday.
The government has stepped up already tight controls over the internet since President Xi Jinping took power five years ago, in what critics say is an effort to restrict freedom of speech and prevent criticism of the ruling Communist Party.
Tomi Engdahl says:
Reuters:
Vietnam unveils new, 10K-strong cyber warfare unit to counter “wrong” views online, a month after blogger was sentenced to 7yrs for propaganda against the state
https://www.reuters.com/article/us-vietnam-security-cyber/vietnam-unveils-10000-strong-cyber-unit-to-combat-wrong-views-idUSKBN1EK0XN
Tomi Engdahl says:
WeChat To Become China’s Official Electronic ID System
https://mobile.slashdot.org/story/17/12/27/018241/wechat-to-become-chinas-official-electronic-id-system?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29
The popular mobile application WeChat is poised to become China’s official electronic personal identification system. “The government of Guangzhou, capital of the southern coastal province of Guangdong, started on Monday a pilot program that creates a virtual ID card, which serves the same purpose as the traditional state-issued ID cards, through the WeChat accounts of registered users in the city’s Nansha district,” reports South China Morning Post.
WeChat poised to become China’s official electronic ID system
http://www.scmp.com/tech/social-gadgets/article/2125736/wechat-poised-become-chinas-official-electronic-id-system
The WeChat ID pilot programme in Guangzhou will be extended to the whole of Guangdong province and further across China from January next year.
The government of Guangzhou, capital of the southern coastal province of Guangdong, started on Monday a pilot programme that creates a virtual ID card, which serves the same purpose as the traditional state-issued ID cards, through the WeChat accounts of registered users in the city’s Nansha district, according to a report by state news agency Xinhua.
Shenzhen-based Tencent has estimated that WeChat, marketed as Weixin on the mainland, recorded 980 million monthly active users in the quarter ended September 30.
Tomi Engdahl says:
Judge rm -rf Grsecurity’s defamation sue-ball against Bruce Perens
Linux code fortifier is told people are entitled to opinions
https://www.theregister.co.uk/2017/12/22/grsecurity_defamation_perens_dismissed/
Linux kernel security biz Grsecurity’s defamation lawsuit against open-source stalwart Bruce Perens has been dismissed, although the door remains open for a revised claim.
In June, Perens opined in a blog post that advised companies to avoid Grsecurity’s Linux kernel security patches because it might expose them to claims of contributory infringement under the Linux kernel license, GPLv2.
Grsecurity then accused Perens of fearmongering to harm the firm’s business, and sued him in July.
On Thursday, the judge hearing the case, San Francisco magistrate judge Laurel Beeler, granted Peren’s motion to dismiss the complaint
“The court holds that Mr Perens’s statements are opinions that are not actionable libel, dismisses the complaint with leave to amend, denies the anti-SLAPP motion without prejudice, and denies the motion for summary judgment,” Judge Beeler ruled.
The judge found that Perens, who is not a lawyer, voiced his opinion about whether the Grsecurity licensing terms violated the GPLv2 and no court has established whether this is so.
“Thus, his ‘opinion’ is not a ‘fact’ that can be proven provably false and thus is not actionable as defamation,” Judge Beeler said in her order.
She also found Grsecurity’s business interference claim lacking because its defamation claim fails. In other words, expressing an opinion alone does not amount to intentional commerce disruption.
“Mr Perens’s statements were made in a public forum and concern issues of public interest, and the plaintiffs have not shown a probability of prevailing on their claims.”
Tomi Engdahl says:
Chinese Hackers Target Servers With Three Types of Malware
http://www.securityweek.com/chinese-hackers-target-servers-three-types-malware
Tomi Engdahl says:
Schneider Electric Patches Flaws in Pelco Video Management System
http://www.securityweek.com/schneider-electric-patches-flaws-pelco-video-management-system
Schneider Electric recently developed a firmware update for its Pelco VideoXpert Enterprise product to address several vulnerabilities, including a high severity code execution flaw.
Pelco VideoXpert Enterprise is a video management system used in commercial facilities worldwide. Researcher Gjoko Krstic discovered that the product is affected by two directory traversal bugs and an improper access control issue that can allow arbitrary code execution.
The most serious of the flaws is CVE-2017-9966, which allows an attacker to replace certain files and execute malicious code with system privileges, Schneider Electric and ICS-CERT said in their advisories.
Tomi Engdahl says:
US Intel Chiefs Sound Alarm on Overseas Web Spying Law
http://www.securityweek.com/us-intel-chiefs-sound-alarm-overseas-web-spying-law
US intelligence chiefs on Thursday sounded the alarm about the imminent expiration of a law that allows them to spy on overseas web users, and called on Congress to renew it immediately.
“If Congress fails to reauthorize this authority, the Intelligence Community will lose valuable foreign intelligence information, and the resulting intelligence gaps will make it easier for terrorists, weapons proliferators, malicious cyber actors, and other foreign adversaries to plan attacks against our citizens and allies without detection,” the intelligence chiefs said in an open letter to Congress.
The law they want extended, known as Article 702 of the Foreign Intelligence Surveillance Act (FISA), is set to expire at the end of the year, and Congress is preparing a temporary extension until January 19 as part of a short-term budget bill which will fund the federal government.
Tomi Engdahl says:
Facial recognition at US airports becoming routine, researchers warn
Prof asks: “We’re wondering if this is the best use of a billion dollars?”
https://arstechnica.com/tech-policy/2017/12/facial-recognition-at-us-airports-becoming-routine-researchers-warn/
Georgetown University researchers have released yet another report warning of the potential dangers and ineffectiveness of the beginnings of routine facial recognition scanning by certain airlines at a handful of airports nationwide.
The new report, which was released Thursday, comes on the heels of a related 2016 report showing that half of Americans’ faces are already in a facial recognition database.
“As currently envisioned, the program represents a serious escalation of biometric scanning of Americans, and there are no codified rules that constrain it,” the report concludes.
In July 2017, Ars reported that facial-scanning pilot programs are already underway in international departure airports at six American airports—Boston, Chicago, Houston, Atlanta, New York City, and Washington, DC. More are set to expand next year. In a recent privacy assessment issued one month earlier, DHS noted that the “only way for an individual to ensure he or she is not subject to collection of biometric information when traveling internationally is to refrain from traveling.”
Not Ready for Takeoff
Face Scans at Airport Departure Gates
December 21, 2017
https://www.airportfacescans.com/
Tomi Engdahl says:
Samuel Axon / Ars Technica:
iPhone X’s Face ID can’t approve family purchases as Touch ID could, possibly due to family resemblance, requiring users to enter their passwords
The iPhone X’s Face ID can’t approve family purchases, and no one knows why
https://arstechnica.com/gadgets/2017/12/parents-cant-use-the-iphone-xs-face-id-to-approve-family-purchases/
Touch ID could be used before, but iPhone X owners must enter their passwords.
iPhone X owners have found that Face ID isn’t available as an authentication method for the “Ask to Buy” feature, which allows parents to approve their kids’ iOS purchases and downloads. Instead, the parent (or any other “family organizer,” as Apple terms it) must enter their entire Apple account password to approve each individual purchase attempt.
Users are frustrated because equivalent functionality was available on Touch ID devices, and that functionality has been lost in the transition to the iPhone X. Face ID can be used as an authentication method for other purchases, just like Touch ID before it—but Touch ID also worked for “Ask to Buy,” and Face ID doesn’t.
Tomi Engdahl says:
Gabriel Wildau / Financial Times:
Pilot program in Guangzhou, one of China’s largest cities, allows residents to link their national ID cards to Tencent’s WeChat, may roll out nationwide in Jan.
https://t.co/r4eDKa8THq
Tomi Engdahl says:
Why You Should Question These Most Common Cloud Assumptions
http://www.securityweek.com/why-you-should-question-these-most-common-cloud-assumptions
Common Cloud Assumptions
1. The Cloud Is All About Quick Application and Service Deployments
The cloud has completely changed how new applications and services are developed and, in turn, delivered to their customers.
2. The Cloud Is More Secure
Public cloud providers typically offer some form of native security, which many individuals often assume is enough, but this couldn’t be further from the truth.
3. Cloud Security Is Different From Network or Endpoint Security
Although organizations are responsible for ensuring the security of their data, regardless of where that data resides, oftentimes cloud security is still thought of as a different type of security. This assumption results in deploying different solutions to secure the cloud, leaving security teams with complicated environments to manage and products that cannot speak to one another, especially for organizations with multiple cloud infrastructure providers.
The reality is that, even though the consumption of cloud security differs from the automation thereof, the approach to cloud security should be no different from the approach to network or endpoint security.
Tomi Engdahl says:
US Intel Chiefs Sound Alarm on Overseas Web Spying Law
http://www.securityweek.com/us-intel-chiefs-sound-alarm-overseas-web-spying-law
US intelligence chiefs on Thursday sounded the alarm about the imminent expiration of a law that allows them to spy on overseas web users, and called on Congress to renew it immediately.
“If Congress fails to reauthorize this authority, the Intelligence Community will lose valuable foreign intelligence information, and the resulting intelligence gaps will make it easier for terrorists, weapons proliferators, malicious cyber actors, and other foreign adversaries to plan attacks against our citizens and allies without detection,” the intelligence chiefs said in an open letter to Congress.
Tomi Engdahl says:
FBI Software For Analyzing Fingerprints Contains Russian-Made Code, Whistleblowers Say
https://tech.slashdot.org/story/17/12/27/226202/fbi-software-for-analyzing-fingerprints-contains-russian-made-code-whistleblowers-say?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29
The fingerprint-analysis software used by the FBI and more than 18,000 other U.S. law enforcement agencies contains code created by a Russian firm with close ties to the Kremlin, according to documents and two whistleblowers. The allegations raise concerns that Russian hackers could gain backdoor access to sensitive biometric information on millions of Americans, or even compromise wider national security and law enforcement computer systems. The Russian code was inserted into the fingerprint-analysis software by a French company, said the two whistleblowers, who are former employees of that company. The firm — then a subsidiary of the massive Paris-based conglomerate Safran — deliberately concealed from the FBI the fact that it had purchased the Russian code in a secret deal, they said.”
FBI Software For Analyzing Fingerprints Contains Russian-Made Code, Whistleblowers Say
https://www.buzzfeed.com/chrishamby/fbi-software-contains-russian-made-code-that-could-open-a?utm_term=.miq8mgxx09#.bsxy85AAQ4
In a secret deal, a French company purchased code from a Kremlin-connected firm, incorporated it into its own software, and hid its existence from the FBI, according to documents and two whistleblowers. The allegations raise concerns that Russian hackers could compromise law enforcement computer systems.
Tomi Engdahl says:
Acoustic Attacks on HDDs Can Sabotage PCs, CCTV Systems, ATMs, More
https://it.slashdot.org/story/17/12/27/1555221/acoustic-attacks-on-hdds-can-sabotage-pcs-cctv-systems-atms-more?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29
Attackers can use sound waves to interfere with a hard drive’s normal mode of operation, creating a temporary or permanent denial of state (DoS) that could be used to prevent CCTV systems from recording video footage or freeze computers dealing with critical operations. The basic principle behind this attack is that sound waves introduce mechanical vibrations into an HDD’s data-storage platters. If the sound is played at a specific frequency, it creates a resonance effect that amplifies the vibration effect
Acoustic Attacks on HDDs Can Sabotage PCs, CCTV Systems, ATMs, More
https://www.bleepingcomputer.com/news/security/acoustic-attacks-on-hdds-can-sabotage-pcs-cctv-systems-atms-more/
Attackers can use sound waves to interfere with a hard drive’s normal mode of operation, creating a temporary or permanent denial of state (DoS) that could be used to prevent CCTV systems from recording video footage or freeze computers dealing with critical operations.
The basic principle behind this attack is that sound waves introduce mechanical vibrations into an HDD’s data-storage platters. If the sound is played at a specific frequency, it creates a resonance effect that amplifies the vibration effect.
Back in 2008, current Joyent CTO Brandon Gregg showed how loud sounds induce read/write errors for a data center’s hard drives, in the now infamous “Shouting in a datacenter” video. Earlier this year, an Argentinian researcher demoed how he made a hard drive temporarily stop responding to OS commands by playing a 130Hz tone.
New research shows practicality of HDD acoustic attacks
Last week, scientists from the Princeton and Purdue universities published new research into the topic, expanding on the previous findings with the results of additional practical tests.
The research team used a specially crafted test rig to blast audio waves at a hard drive from different angles, recording results to determine the sound frequency, attack time, distance from the hard drive, and sound wave angle at which the HDD stopped working.
Researchers didn’t have any difficulties in determining the optimum attack frequency ranges for the four Western Digital hard drives they used for their experiments.
Researchers say that any attacker that can generate acoustic signals within the vicinity of HDD storage systems has a simple attack venue at his disposal for sabotaging companies or lone individuals.
Acoustic attacks can be delivered in multiple ways
The attacker can either apply the signal by using an external speaker or exploit a speaker near the target. Toward this end, the attacker may potentially take advantage of remote software exploitation (for example, remotely controlling the multimedia software in a vehicle or personal device), deceive the user to play a malicious sound attached to an email or a web page, or embed the malicious sound in a widespread multimedia (for example, a TV advertisement).
Once an attacker finds a method of delivering the acoustic attack, its results will vary based on a series of conditions.
Tomi Engdahl says:
Piracy Notices Can Mess With Your Thermostat, ISP Warns
https://yro.slashdot.org/story/17/12/27/172203/piracy-notices-can-mess-with-your-thermostat-isp-warns?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29
Our attention was caught by a recent letter the company sent to one of its users. The ISP points out that it received multiple copyright infringement notices, urging the customer to stop, or else. [...] While reduced Internet speeds are bad enough, there’s another scary prospect. The reduced service level may also prevent subscribers from controlling their thermostat remotely. Not ideal during the winter.
https://torrentfreak.com/piracy-notices-can-mess-with-your-thermostat-isp-warns-171224/
Tomi Engdahl says:
Microsoft just sued an IP address over Windows, Office piracy claims
https://www.geekwire.com/2017/microsoft-just-sued-ip-address-windows-office-piracy-claims/
Microsoft filed a lawsuit late Friday against an IP address, alleging that an individual or group of individuals has been using that IP address to illegally activate copies of Windows, Office, and other products without the proper license.
A traditional holiday news dump, the complaint filed in Western Washington District Court says that someone used an IP address to attempt to activate pirated or unlicensed copies of Microsoft’s flagship software products. A WhoIs search of the IP address (73.21.204.220) leads to a Comcast office in suburban New Jersey, but it’s unclear who is really on the receiving end of the complaint, filed against “John Does 1-10.”
The case appears to be very similar to a separate lawsuit filed by Microsoft in March 2016 that court records indicate was dismissed later that year after an undisclosed settlement was reached.
Microsoft Goes After IP Address Trying to Activate Pirated Windows, Office
Redmond files lawsuit against IP address
http://news.softpedia.com/news/microsoft-goes-after-ip-address-trying-to-activate-pirated-windows-office-519138.shtml
Microsoft has filed a lawsuit against an IP that allegedly attempted to activate pirated copies of Windows and Office, claiming both copyright and trademark infringement.
The company explains in the court documents that this particular IP address has been used by an unnamed individual or group of persons, referred to as “John Does 1-10,” to activate no less than 1,000 copies of unlicensed software.
As GeekWire notes, the IP address mentioned in the lawsuit, namely 73.21.204.220, appears to be used by a Comcast office in New Jersey, though the name of the defendant is not available at this point.
Tomi Engdahl says:
Security Policy Orchestration and Automation to Lead Next-Generation Cybersecurity for Enterprises
https://www.abiresearch.com/press/security-policy-orchestration-and-automation-lead-/
Enterprises will now no longer manually react to cyber events after they happen but will instead use systems to proactively plan and automatically respond. Security policy orchestration sits at the core of the transition from static defense to agile and adaptive response, with ABI Research forecasting it to hit $1 billion in its global revenues by 2020.
“Orchestration is an evolutionary step toward organizational cyber resiliency, a conceptual architecture for maintaining business functions and operations despite adverse cyber conditions,” says Michela Menting, Research Director at ABI Research. “While orchestration platforms are relatively new in the market, their focus on automating management and change is crucial for the future enterprise faced with myriads of expanding digital opportunities: BYOD, cloud adoption and the IoT.”
Tomi Engdahl says:
Web Trackers Exploit Flaw In Browser Login Managers To Steal Usernames
https://it.slashdot.org/story/17/12/28/0124233/web-trackers-exploit-flaw-in-browser-login-managers-to-steal-usernames
Princeton privacy experts are warning that advertising and analytics firms can secretly extract site usernames from browsers using hidden login fields and tie non-authenticated users visiting a site with their profiles or emails on that domain. This type of abusive behavior is possible because of a design flaw in the login managers included with all browsers. Experts say that web trackers can embed hidden login forms on sites where the tracking scripts are loaded. Because of the way the login managers work, the browser will fill these fields with the user’s login information, such as username and passwords.
Web Trackers Exploit Flaw in Browser Login Managers to Steal Usernames
https://www.bleepingcomputer.com/news/security/web-trackers-exploit-flaw-in-browser-login-managers-to-steal-usernames/
Princeton privacy experts are warning that advertising and analytics firms can secretly extract site usernames from browsers using hidden login fields and tie non-authenticated users visiting a site with their profiles or emails on that domain.
This type of abusive behavior is possible because of a design flaw in the login managers included with all browsers, login managers that allow browsers to remember a user’s username and password for specific sites and auto-insert it in login fields when the user visits that site again.
Experts say that web trackers can embed hidden login forms on sites where the tracking scripts are loaded. Because of the way the login managers work, the browser will fill these fields with the user’s login information, such as username and passwords.
The trick is an old one, known for more than a decade [1, 2, 3, 4, 5], but until now it’s only been used by hackers trying to collect login information during XSS (cross-site scripting) attacks.
Princeton researchers say they recently found two web tracking services that utilize hidden login forms to collect login information.
Fortunately, none of the two services collected password information, but only the user’s username or email address —depending on what each domain uses for the login process.
The two services are Adthink and OnAudience
In this particular case, the two companies were extracting the username/email from the login field, creating a hash, and tieing that hash with the site visitor’s existing advertising profile.
Tomi Engdahl says:
The Cryptocurrency Mining Malware So Powerful It Deformed A Phone
http://www.iflscience.com/technology/the-cryptocurrency-mining-malware-so-powerful-it-deformed-a-phone/
A group of Russian security researchers working at the Kaspersky Lab have analyzed a piece of malware that can hijack a person’s phone and perform a wide range of malicious activities, among which is cryptocurrency mining. The software is so powerful that the constant load caused the battery in a test device to bulge after just two days.
The malware, known as Trojan.AndroidOS.Loapi, has been described as a “jack of all trades”. Beyond the crypto-mining, it also bombards users with ads, can launch Distributed Denial of Service (DDoS) campaigns, subscribes the user to paid SMS services, and even fights off attempts to remove it.
Tomi Engdahl says:
Cross-Platform Post-Exploitation HTTP/2 Command & Control Server: Merlin
https://n0where.net/cross-platform-post-exploitation-http-2-command-control-server-merlin
Merlin is a cross-platform post-exploitation framework that leverages HTTP/2 communications to evade inspection. HTTP/2 is a relatively new protocol that requests Perfect Forward Secrecy (PFS) encryption cipher suites are used. The use of these cipher suites makes it incredibly difficult to capture all of the keying material required to decrypt traffic for inspection. Additionally, many security technologies are not equipped with HTTP/2 protocol dissectors and are therefore not able to evaluate traffic even if keying material is provided. The magic of Merlin is found in its HTTP/2 protocol coupled with the use of the Go programming language and its easy to use cross-compiling capabilities.
Tomi Engdahl says:
Hacking the Hackers: Leveraging an SSRF in HackerTarget
http://www.sxcurity.pro/2017/12/17/hackertarget/
Tomi Engdahl says:
Financially motivated attacks reveal the interests of the Lazarus APT Group
http://securityaffairs.co/wordpress/67090/apt/lazarus-apt-interest-cryptocurrencies.html
Researchers at security firm Proofpoint collected evidence of the significant interest of the Lazarus APT group in cryptocurrencies, the group’s arsenal of tools, implants, and exploits is extensive and under constant development.
Tomi Engdahl says:
Hackers Can Rickroll Thousands of Sonos and Bose Speakers Over the Internet
https://www.wired.com/story/hackers-can-rickroll-sonos-bose-speakers-over-internet/
Perhaps you’ve been hearing strange sounds in your home—ghostly creaks and moans, random Rick Astley tunes, Alexa commands issued in someone else’s voice. If so, you haven’t necessarily lost your mind. Instead, if you own one of a few models of internet-connected speaker and you’ve been careless with your network settings, you might be one of thousands of people whose Sonos or Bose devices have been left wide open to audio hijacking by hackers around the world.
Researchers at Trend Micro have found that some models of Sonos and Bose speakers—including the Sonos Play:1, the newer Sonos One, and Bose SoundTouch systems—can be pinpointed online with simple internet scans, accessed remotely, and then commandeered with straightforward tricks to play any audio file that a hacker chooses. Only a small fraction of the total number of Bose and Sonos speakers were found to be accessible in their scans.
“The unfortunate reality is that these devices assume the network they’re sitting on is trusted, and we all should know better than that at this point,” says Mark Nunnikhoven, a Trend Micro research director. “Anyone can go in and start controlling your speaker sounds,” if you have a compromised devices, or even just a carelessly configured network.
Trend’s researchers found that scanning tools like NMap and Shodan can easily spot those exposed speakers. They identified between 2,000 and 5,000 Sonos devices online, depending on the timing of their scans, and between 400 and 500 Bose devices.
The researchers note that audio attack could even be used to speak commands from someone’s Sonos or Bose speaker to their nearby Amazon Echo or Google Home.
Given that those voice assistant devices often control smart home features from lighting to door locks, Trend Micro’s Nunnikhoven argues that they could be exploited for attacks that go beyond mere pranks. “Now I can start to run through more devious scenarios and really start to access the smart devices in your home,” he says.
Given the complexity of those voice assistant attacks, however, pranks are far more likely.
Beyond merely playing sounds through a victim’s device, a hacker could also determine information like what file a vulnerable speaker is currently playing, the name of someone’s accounts on services like Spotify and Pandora, and the name of their Wi-Fi network.
After Trend Micro warned Sonos about its findings, the company pushed out an update to reduce that information leakage. But Bose has yet to respond to Trend Micro’s warnings about its security vulnerabilities, and both companies’ speakers remain vulnerable to the audio API attack when their speakers are left accessible on the internet.
Tomi Engdahl says:
Two Romanians charged with infecting US Capital Police cameras with ransomware early this year
https://securityaffairs.co/wordpress/67207/cyber-crime/us-capital-police-cameras-ransomware.html
Two Romanian people have been arrested and charged with hacking into US Capital Police cameras ahead of the inauguration of President Trump.
Two Romanian people have been arrested and charged with hacking into control systems of the surveillance cameras for the Metropolitan Police Department in the US. The two suspects, Mihai Alexandru Isvanca, 25, and Eveline Cismaru, 28, hacked the US Capital Police cameras earlier this year.
A ransomware infected 70 percent of storage devices used by the Washington DC CCTV systems just eight days before the inauguration of President Donald Trump.
The attack occurred between 12 and 15 January, the ransomware infected 123 of 187 network video recorders, each controlling up to four CCTVs.
IT staff was forced to wipe the infected systems in order to restore the situation, fortunately, the ransomware did not affect other components of the Washington DC network.
The duo was arrested in Bucharest on December 15 and charged with conspiracy and various forms of computer fraud.
According to an affidavit dated December 11, the two criminals acted in an effort “to extort money” in exchange for unlocking the surveillance system.
Prosecutors collected evidence that revealed a scheme to distribute ransomware by email to at least 179,000 email addresses.
Tomi Engdahl says:
Britain’s spy agency can’t stop losing cyber talent to major tech companies
https://techcrunch.com/2017/12/28/gchq-parliament-intelligence-report-cyber-recruitment-problems/?ncid=rss&utm_source=tcfbpage&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29&utm_content=FaceBook&sr_share=facebook
The NSA isn’t the only secretive national intelligence agency having trouble keeping its tech-savvy recruits. In a new document from the Intelligence and Security Committee of Parliament, Britain’s spy agency describes its difficulty in fending off tech companies keen to poach its workers.
In the annual report, GCHQ highlights the growing international cyber threat and its need to scale up its own cyber operations accordingly, while noting that hiring and keeping cyber specialists in its ranks poses a strategic challenge.
Tomi Engdahl says:
Police shoot man dead after alleged Call of Duty ‘swatting’ hoax
http://www.bbc.com/news/world-us-canada-42523045
A man has been arrested after an alleged “swatting” prank call led to police shooting dead a 28-year-old man.
Andrew Finch was shot at his front door on 28 December in Wichita, Kansas.
Police surrounded the home after receiving a hoax emergency call from a man claiming to have shot dead his father and taken his family hostage.
The call stemmed from a row between two gamers playing Call of Duty online, US media say, although the address raided was apparently unconnected to either.
Police have said they believe the report was an act of “swatting” where a person makes a false report to send police to another person or fake address.
‘Innocent victim’
Tomi Engdahl says:
The Times of Israel:
Reports say Iranian authorities temporarily cut off internet access to mobile phones as anti-government protests spread across the country
Iran blocks internet, may shut down Telegram app as protests spread
http://www.timesofisrael.com/iran-blocks-internet-may-shut-down-telegram-app-as-protests-spread/
Anti-regime demonstrators attack town hall in Tehran, burn Iranian flag; 3 said shot dead in central Iran by Revolutionary Guards
Demonstrators attacked a town hall in the Iranian capital Saturday as protests spilled into a third night despite government warnings against any further “illegal gatherings” and moves to cut off the internet on mobile phones.
problems, in the capital Tehran on December 30, 2017. (AFP PHOTO / STR)
Demonstrators attacked a town hall in the Iranian capital Saturday as protests spilled into a third night despite government warnings against any further “illegal gatherings” and moves to cut off the internet on mobile phones.
Unverified videos on social media appeared to show thousands marching
A swirl of rumors, combined with travel restrictions and a near-total media blackout from official agencies, made it difficult to confirm the reports.
problems, in the capital Tehran on December 30, 2017. (AFP PHOTO / STR)
Demonstrators attacked a town hall in the Iranian capital Saturday as protests spilled into a third night despite government warnings against any further “illegal gatherings” and moves to cut off the internet on mobile phones.
Unverified videos on social media appeared to show thousands marching through the western cities of Khorramabad, Zanjan and Ahvaz, while reports spread rapidly that several people had been shot dead by police in the town of Dorud. According to Al-Arabiya, three Iranian protesters were killed by the Revolutionary Guards in the central Iran town.
Get The Times of Israel’s Daily Edition by email and never miss our top stories
Free Sign Up
A swirl of rumors, combined with travel restrictions and a near-total media blackout from official agencies, made it difficult to confirm the reports.
The authorities appeared to respond by cutting internet access to mobile phones, with the main networks interrupted at least in Tehran shortly before midnight, AFP reporters said.
Several Iranian news agencies warned Telegram, the most popular social media service in the country, might soon be shut down after communications minister Mohammad-Javad Azari Jahromi accused one popular channel, Amadnews, of encouraging an “armed uprising.”
Tomi Engdahl says:
Theodore Schleifer / Recode:
Telegram, citing ToS, suspends public channel that incited violent anti-government protests in Iran; Telegram is a major platform with ~40M users in Iran — “There are lines one shouldn’t cross,” says the CEO of the popular messaging app. — The executives of Telegram …
Telegram is shutting down a channel that called for violent protests against Iran’s government
“There are lines one shouldn’t cross,” says the CEO of the popular messaging app.
https://www.recode.net/2017/12/30/16833542/telegram-iran-demostrations-messaging-protests-pavel-durov
The executives of Telegram, the widely used messaging app in Iran, are heeding calls from Iranian government officials to better police Telegram’s users as rallies in support and protest of the government sweep the country.
Telegram is a major platform for information in Iran and counts more than 40 million users among the country’s 80 million people. And it has played an especially key role in this week’s anti-government protests against Ayatollah Khamenei. Counter-rallies supporting the government also emerged on Saturday.
Tomi Engdahl says:
Kansas Man Killed In ‘SWATting’ Attack
https://krebsonsecurity.com/2017/12/kansas-man-killed-in-swatting-attack/
A 28-year-old Kansas man was shot and killed by police officers on the evening of Dec. 28 after someone fraudulently reported a hostage situation ongoing at his home. The false report was the latest in a dangerous hoax known as “swatting,” wherein the perpetrator falsely reports a dangerous situation at an address with the goal of prompting authorities to respond to that address with deadly force. This particular swatting reportedly originated over a $1.50 wagered match in the online game Call of Duty. Compounding the tragedy is that the man killed was an innocent party who had no part in the dispute.
Not long after that, Swautistic was back on Twitter saying he could see on television that the police had fallen for his swatting attack.
Among the recent hoaxes he’s taken credit for include a false report of a bomb threat at the U.S. Federal Communications Commission (FCC) that disrupted a high-profile public meeting on the net neutrality debate. Swautistic also has claimed responsibility for a hoax bomb threat that forced the evacuation of the Dallas Convention Center, and another bomb threat at a high school in Panama City, Fla, among others.
“Bomb threats are more fun and cooler than swats in my opinion and I should have just stuck to that,” he wrote. “But I began making $ doing some swat requests.”
Asked whether he feels remorse about the Kansas man’s death, he responded “of course I do.”
ANALYSIS
As a victim of my own swatting attack back in 2013, I’ve been horrified to watch these crimes only increase in frequency ever since — usually with little or no repercussions for the person or persons involved in setting the schemes in motion. Given that the apparent perpetrator of this crime seems eager for media attention, it seems likely he will be apprehended soon.
Meanwhile, knowingly and falsely making a police report that results in a SWAT unit or else heavily armed police response at an address is an invitation for someone to get badly hurt or killed. These are high-pressure situations and in most cases — as in this incident — the person opening the door has no idea what’s going on. Heaven protect everyone at the scene if the object of the swatting attack is someone who is already heavily armed and confused enough about the situation to shoot anything that comes near his door.
Tomi Engdahl says:
Gunes Acar / Freedom to Tinker:
How third-party scripts on websites exploit a flaw in browsers’ built-in password managers to identify and track users — In this second installment of the No Boundaries series, we show how a long-known vulnerability in browsers’ built-in password managers is abused by third-party scripts for tracking on more than a thousand sites.
No boundaries for user identities: Web trackers exploit browser login managers
http://freedom-to-tinker.com/2017/12/27/no-boundaries-for-user-identities-web-trackers-exploit-browser-login-managers/
We show how third-party scripts exploit browsers’ built-in login managers (also called password managers) to retrieve and exfiltrate user identifiers without user awareness. To the best of our knowledge, our research is the first to show that login managers are being abused by third-party scripts for the purposes of web tracking.
The underlying vulnerability of login managers to credential theft has been known for years. Much of the past discussion has focused on password exfiltration by malicious scripts through cross-site scripting (XSS) attacks. Fortunately, we haven’t found password theft on the 50,000 sites that we analyzed. Instead, we found tracking scripts embedded by the first party abusing the same technique to extract emails addresses for building tracking identifiers.
We found two scripts using this technique to extract email addresses from login managers on the websites which embed them. These addresses are then hashed and sent to one or more third-party servers. These scripts were present on 1110 of the Alexa top 1 million sites. The process of detecting these scripts is described in our measurement methodology in the Appendix 1. We provide a brief analysis of each script in the sections below.
Why does the attack work? All major browsers have built-in login managers that save and automatically fill in username and password data to make the login experience more seamless. The set of heuristics used to determine which login forms will be autofilled varies by browser, but the basic requirement is that a username and password field be available.
Login form autofilling in general doesn’t require user interaction; all of the major browsers will autofill the username (often an email address) immediately, regardless of the visibility of the form. Chrome doesn’t autofill the password field until the user clicks or touches anywhere on the page. Other browsers we tested [2] don’t require user interaction to autofill password fields.
Tomi Engdahl says:
Exmo Bitcoin exchange manager kidnapped in Kiev
http://www.bbc.com/news/business-42505261
A manager of the Exmo Bitcoin exchange has been kidnapped in Ukraine.
According to Russian and Ukrainian media reports Pavel Lerner, 40, was kidnapped while leaving his office in Kiev’s Obolon district on 26 December.
Mr Lerner is a prominent Russian blockchain expert and the news of his kidnapping has stunned many in the international cryptocurrency community.
Exmo Finance is registered with Companies House in the UK, but has its main operations in Ukraine.
Tomi Engdahl says:
Software
Judge rm -rf Grsecurity’s defamation sue-ball against Bruce Perens
Linux code fortifier is told people are entitled to opinions
https://www.theregister.co.uk/2017/12/22/grsecurity_defamation_perens_dismissed/
Linux kernel security biz Grsecurity’s defamation lawsuit against open-source stalwart Bruce Perens has been dismissed, although the door remains open for a revised claim.
In June, Perens opined in a blog post that advised companies to avoid Grsecurity’s Linux kernel security patches because it might expose them to claims of contributory infringement under the Linux kernel license, GPLv2.
“The court holds that Mr Perens’s statements are opinions that are not actionable libel, dismisses the complaint with leave to amend, denies the anti-SLAPP motion without prejudice, and denies the motion for summary judgment,” Judge Beeler ruled.
The judge found that Perens, who is not a lawyer, voiced his opinion about whether the Grsecurity licensing terms violated the GPLv2 and no court has established whether this is so.
“Thus, his ‘opinion’ is not a ‘fact’ that can be proven provably false and thus is not actionable as defamation,” Judge Beeler said in her order.
https://regmedia.co.uk/2017/12/22/grsecurity_ruling.pdf
Tomi Engdahl says:
Los Angeles man arrested in ‘swatting’ call that preceded fatal police shooting in Kansas
https://www.nbcnews.com/news/us-news/police-arrest-man-suspected-swatting-preceded-deadly-police-shooting-n833576
Los Angeles police arrested a 25-year-old man in a suspected “swatting” hoax 911 call in Kansas that ended in the fatal police shooting of an unarmed man.
The LAPD took Tyler Barriss of Los Angeles into custody in that city on Friday afternoon, on a fugitive warrant stemming from the Thursday evening incident in Kansas, a spokesman for the Los Angeles Police Department said.
Police in Wichita fatally shot a man identified by family members as Andrew Finch, 28, after officers responded to a hoax 911 call, police in Kansas said.
Barriss allegedly made the false report after getting into some kind of dispute with another person in connection with online gaming
But instead the address was for the home of Finch, who was not involved in the dispute, the sources said.
The caller claimed his father had been shot in the head, and that he was holding his mother and a sibling at gunpoint
“What gives the cops the right to open fire?” she asked. “That cop murdered my son over a false report in the first place.”
Dexerto, an online news service focused on gaming, reported that the series of events began with an online argument over a $1 or $2 wager in a “Call of Duty” game on UMG Gaming,
The FBI estimates that roughly 400 cases of swatting occur annually, with some using caller ID spoofing to disguise their number.
Tomi Engdahl says:
Necurs Botnet Fuels Massive Year-End Ransomware Attacks
http://www.securityweek.com/necurs-botnet-fuels-massive-year-end-ransomware-attacks
The Necurs botnet started 2017 with a four-month vacation, but ended the year sending tens of millions of spam emails daily as part of massive ransomware distribution campaigns.
Tomi Engdahl says:
For a thing like meltdown the real foundation was laid with the work on cache side channels sometime back around 2005. THere are many papers from this time
Border Agents’ Searches of Travelers’ Phones Skyrocketed, Agency Says
Customs and Border Protection also unveils new policy for searching and seizing electronic devices
https://www.wsj.com/articles/border-agents-searches-of-travelers-phones-skyrocketed-agency-says-1515179058
Tomi Engdahl says:
It is so weird – bitcoin price jumped sky-high since May….June 2017 when information about Intel Management Engine and Speculative Fetch/Execution/cache modifiers started to surface – at the same time with first coordinated ransomware cyber-attacks.
Tomi Engdahl says:
Facebook Paid $880,000 in Bug Bounties in 2017
http://www.securityweek.com/facebook-paid-880000-bug-bounties-2017
Facebook received over 12,000 vulnerability submissions in 2017 and ended up paying $880,000 in bug bounties to security researchers.
Of the large number of received submissions, however, just over 400 reports were found valid during the bug bounty program’s sixth year. Last year, Facebook also paid larger bounties to the submitting researchers, as the average reward per submission increased to almost $1,900, up from $1,675 in 2016.
Tomi Engdahl says:
CRUNCH NETWORK
The state of Israel’s cybersecurity market
https://techcrunch.com/2018/01/14/the-state-of-israels-cybersecurity-market/?ncid=rss&utm_source=tcfbpage&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29&utm_content=FaceBook&sr_share=facebook
The Equifax breach, WannaCry, NotPetya, the NSA leak, and many more cyber incidents – 2017 was certainly a busy year for hackers, illustrating yet again just how vital innovative cybersecurity solutions are in the fight against cyber threats.
Second only to the U.S., in terms of cybersecurity investment 2017 was another excellent year for Israeli cybersecurity startups
Tomi Engdahl says:
North Korea linked to new cryptocurrency attacks
http://money.cnn.com/2018/01/17/technology/north-korea-cryptocurrency-attacks/
North Korea-linked hackers targeted cryptocurrency investors and exchanges just as bitcoin started to soar to record highs, according to a new report.
Cybersecurity firm Recorded Future said malware used in the attacks was similar to that used in the Sony Pictures hack, the global WannaCry ransomware attack and the major cyberheist that hit Bangladesh’s central bank.
North Korea Targeted South Korean Cryptocurrency Users and Exchange in Late 2017 Campaign
https://www.recordedfuture.com/north-korea-cryptocurrency-campaign/
Tomi Engdahl says:
Google Paid $2.9 Million in Vulnerability Rewards in 2017
http://www.securityweek.com/google-paid-29-million-vulnerability-rewards-2017
Google paid nearly $3 million to security researchers in 2017 who reported valid vulnerabilities in its products.
The internet giant said that it paid out $1.1 million in rewards for vulnerabilities discovered in Google products, and roughly the same amount to the researchers who reported security bugs in Android. With the bug bounties awarded for Chrome flaws added to the mix, a total of $2.9 million was paid throughout the year.
In the seven years since Google’s Vulnerability Reward Program was launched, the search giant has paid almost $12 million in rewards.
Last year, 274 researchers received rewards for their vulnerability reports, and a total of 1,230 individual rewards were paid, Google says.
Engine Sensors says:
Thanks for the good writeup. It in truth was a entertainment account it.
Look complex to far brought agreeable from you! However, how could we be in contact?