We’re hitting rock bottom in cyber — let’s do something | TechCrunch

https://techcrunch.com/2017/11/29/were-hitting-rock-bottom-in-cyber-lets-do-something/?ncid=rss&utm_source=tcfbpage&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29&sr_share=facebook

When it comes to the cybersecurity problem, where is rock bottom?

Was it WannaCry, the ransomware attack? Or the similar and perhaps even worse attack that hit just weeks later? Was it the Yahoo breaches? Or Equifax and Uber? Intel and Apple leaving our computer management accounts wide open? Banking computer systems hacked and many millions stolen? Or critical infrastructure hackers going after water, power and utility grids? Or Russian interference in the U.S. election? 

It is clear that Internet security is in a state of crisis. Reeling from one attack after another, we sometimes appear dazed and confused rather than handling it as a crisis. The world will spend $90 billion this year on information security, but that does not seem to help much in stopping hacks and human errors (like leaving default passwords in place and storing secrets in wide-open public cloud accounts). 

The rhetoric in the article says that the internet's very existence as we know it is at stake. It says we need fresh, practical approaches to protecting the internet, but it does not offer any new working ideas for solutions. 

 

28 Comments

  1. Tomi Engdahl says:

    MACOS UPDATE ACCIDENTALLY UNDOES APPLE’S “ROOT” BUG PATCH
    https://www.wired.com/story/macos-update-undoes-apple-root-bug-patch/?mbid=social_fb

    WHEN A COMPANY like Apple rushes out a software patch for a critical security bug, it deserves praise for protecting its customers quickly. Except, perhaps, when that patch is so rushed that it’s nearly as buggy as the code it was designed to fix.

    Earlier this week, Apple scrambled to push out a software update for macOS High Sierra, to sew up a glaring hole in the operating system’s security measures: When any person or malicious program tried to log into a Mac computer, install software, or change settings, and thus hit a prompt for a username and password, they could simply enter “root” as a username, no password, and bypass the prompt to gain full access to the computer.

    Reply
  2. Tomi Engdahl says:

    As you may know, Intel ME is terrible for everyone including Windows/Linux/*BSD users.

    https://twitter.com/nixcraft/status/936888226274406402 Thanks!

    Reply
  3. Tomi Engdahl says:

    Even the most secure organizations can’t keep their secrets inside:

    New York Times:
    Former NSA employee Nghia H. Pho pleads guilty to taking classified files home, where, officials say, Russian hackers stole the files via Kaspersky software

    Former N.S.A. Employee Pleads Guilty to Taking Classified Information
    https://www.nytimes.com/2017/12/01/us/politics/nsa-nghia-pho-classified-information-stolen-guilty.html

    A former National Security Agency employee admitted on Friday that he had illegally taken from the agency classified documents believed to have subsequently been stolen from his home computer by hackers working for Russian intelligence.

    Nghia H. Pho, 67, of Ellicott City, Md., pleaded guilty to one count of willful retention of national defense information, an offense that carries a possible 10-year sentence.

    But in court documents, prosecutors did disclose that he worked from 2006 to 2016 for the N.S.A.’s “Tailored Access Operations.” The unit, whose name has now been changed to Computer Network Operations, is the N.S.A.’s fastest-growing component.

    He kept those materials, some in digital form, at his home in Maryland, according to prosecutors.

    Mr. Pho is one of three N.S.A. workers to be charged in the past two years with mishandling classified information, a dismal record for an agency that is responsible for some of the government’s most carefully guarded secrets.

    Mr. Pho took the classified documents home to help him rewrite his resume. But he had installed on his home computer antivirus software made by Kaspersky Lab, a top Russian software company, and Russian hackers are believed to have exploited the software to steal the documents, the officials said.

    Reply
  4. Tomi Engdahl says:

    Even Highly Skilled Cyber-Thieves Make Stupid Mistakes, or Do They?
    https://www.bleepingcomputer.com/news/security/even-highly-skilled-cyber-thieves-make-stupid-mistakes-or-do-they/

    Cobalt, a highly-skilled group of hackers who target banks and financial institutions, may have committed a mistake and accidentally leaked a list of all their current targets, according to Yonathan Klijnsma, a security researcher with RiskIQ.

    The error occurred in a spear-phishing campaign that took place last week, on November 21.

    Reply
  5. Tomi Engdahl says:

    Unfortunately, all it takes is one missed patch to present system vulnerabilities to cybercriminals.

    Reply
  6. Tomi Engdahl says:

    NSA employee pleads guilty after stolen classified data landed in Russian hands
    http://www.zdnet.com/article/former-nsa-staffer-pleads-guilty-after-classified-data-theft/
    The classified data was later collected by Kaspersky software running on the staffer’s home computer.

    Eugene Kaspersky: We would quit Moscow if Russia asked us to spy
    http://www.zdnet.com/article/eugene-kaspersky-we-would-quit-moscow-if-russia-asked-us-to-spy/

    Kaspersky Lab founder hits back at espionage claims.

    Reply
  7. Tomi Engdahl says:

    Security News This Week: A New Bill Wants Jail Time for Execs Who Hide Data Breaches
    https://www.wired.com/story/a-new-bill-wants-jail-time-for-execs-who-hide-data-breaches/

    It’s been a rough week for a lot of people, but particularly for Apple. On Tuesday, a security researcher tweeted information about a dire bug in the company’s macOS High Sierra operating system that allowed anyone being prompted for system user credentials to bypass the authentication by simply typing “root” as the username and leaving the password blank. Apple rushed to push out a necessary update on Wednesday, but botched it a bit; if you hadn’t yet updated to macOS 10.13.1, but had gotten the patch, your eventual jump to 10.13.1 would reintroduce the “root” bug. Not ideal!

    Reply
  8. Tomi Engdahl says:

    It’s a Wonderful Time of the Year…for Hackers
    http://www.securityweek.com/its-wonderful-time-yearfor-hackers

    The holiday season is in full swing and once again we can expect to see a surge in cyber attacks targeting retailers and consumers. Research from the National Retail Federation shows that spending during the winter holidays outstrips retail sales during all other holidays throughout the year – combined! From Black Friday to sales in January, this is the most wonderful time of the year for retailers, and this trend will likely continue. A survey by RetailMeNot (PDF) shows that consumers are expected to spend an average of $743 holiday shopping between Black Friday and Cyber Monday this year, a 47 percent increase from 2016’s average of $505.

    Unfortunately, increased spending also makes this a wonderful time of the year for cybercriminals seeking a share of the action. But the good news is that by understanding the tactics, techniques and procedures (TTPs) of cybercriminals, there’s a lot retailers and consumers can do to remediate risk.

    Reply
  9. Tomi Engdahl says:

    The Evolution of Data Leaks
    https://www.wired.com/story/evolution-of-data-leaks/

    To the certainties of life that are death and taxes, add data breaches. And the ways that bad guys take our digital stuff are constantly changing: Companies have gotten smarter about how they secure information, but hacking and phishing are rising—fast. “It’s easier to fool people than technology,” says Adam Levin, founder of Cyberscout, which has been analyzing US data breaches for more than a decade. “No system is more secure than the weakest link, and the weakest link is always people.” Based on data from CyberScout and the Identity Theft Resource Center

    Reply
  10. Tomi Engdahl says:

    Should Social Media be Considered Part of Critical Infrastructure?
    http://www.securityweek.com/should-social-media-be-considered-part-critical-infrastructure

    Russia interfered in the U.S. 2016 election, but did not materially affect it. That is the public belief of the U.S. intelligence community. It is a serious accusation and has prompted calls for additions to the official 16 critical infrastructure categories. One idea is that ‘national elections’ should be included. A second, less obviously, is that social media should be categorized as a critical industry.

    The reason for the latter is relatively simple: social media as a communications platform is being widely used by adversary organizations and nations to disseminate their own propaganda. This ranges from ISIS using it as a recruitment platform, to armies of Russian state-sponsored trolls manipulating public opinion via Twitter.

    Russian interference, or opinion manipulation, has not been limited to the U.S. Both France and Germany worried about it prior to their own national elections.

    The DHS introduces its definition of the critical infrastructure with, “There are 16 critical infrastructure sectors whose assets, systems, and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.” These include ‘energy’, ‘finance’, ‘transport’, ‘communications’ and ‘IT’. Maintaining the availability and continued operation of all of these sectors is clearly critical to the well-being of the nation. Maintaining the availability of social media does not seem so critical.

    Harkins’ argument, however, is that the world has changed since the origins of the critical infrastructure classification.

    Reply
  11. Tomi Engdahl says:

    Cyber-attacks are actions that target computers and network systems, designed to disrupt the normal operations of the system. These actions can be initiated locally (from within the physical facility) or remotely (from outside). These attacks are normally intentional, but in fact could be unintentional due to poor security threat prevention. Cybersecurity is the protection of assets against these attacks.

    Reply
  12. Tomi Engdahl says:

    US credit repair biz damages own security: 111GB of personal info exposed in S3 blunder
    Oh look, another AWS misconfiguration spillage
    https://www.theregister.co.uk/2017/12/02/national_credit_federation_aws_leak/

    The National Credit Federation, a US credit repair biz, left 111GB of thousands of folks’ highly sensitive personal details exposed to the public internet, according to security researchers.

    In yet another AWS S3 configuration cockup, Americans’ names, addresses, dates of birth, photos of driver licenses and social security cards, credit reports from Equifax, Experian, and TransUnion, detailed financial histories, and credit card and bank account numbers, were all left sitting out in the open for miscreants to find, it is claimed.

    Credit Crunch: Detailed Financial Histories Exposed for Thousands
    https://www.upguard.com/breaches/credit-crunch-national-credit-federation

    Reply
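The S3 exposure above is the typical "anonymous principal" misconfiguration: either a bucket policy with `Principal: "*"` or a bucket ACL granting READ to the AllUsers group. The following is an added example, not code from the page or from UpGuard, showing how to lint a bucket policy document and an ACL grant list for that condition before it is deployed. The policy, ACL grants, bucket name and account ID are constructed for the demonstration and are not the National Credit Federation's real configuration; the grant dictionaries follow the shape boto3's `get_bucket_acl()` returns so the checks can be pointed at live output.

```python
import json
from typing import Dict, List, Tuple

# Constructed sample policy: anonymous read and list on the whole bucket (the bad case)
PUBLIC_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-credit-files",
                     "arn:aws:s3:::example-credit-files/*"],
    }],
})

# Constructed sample policy: the corrected form, access limited to one IAM role
PRIVATE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "BackendOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-backend"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-credit-files/*",
    }],
})

# Constructed ACL grants in the shape of boto3 get_bucket_acl()["Grants"]
PUBLIC_ACL_GRANTS = [
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]
PRIVATE_ACL_GRANTS = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "0123abcd"}, "Permission": "FULL_CONTROL"},
]

# AuthenticatedUsers means "any AWS account in the world", which is public in practice
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

Finding = Tuple[str, str]  # (severity: "public" | "review", message)


def _as_list(value) -> list:
    # IAM policy fields may be a single string or a list; normalise to a list
    return value if isinstance(value, list) else [value]


def principal_is_anonymous(principal) -> bool:
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def policy_findings(policy_json: str) -> List[Finding]:
    findings: List[Finding] = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        sid = stmt.get("Sid", "<no sid>")
        if stmt.get("Effect") != "Allow" or not principal_is_anonymous(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            # A Condition (aws:SourceVpce, aws:Referer, ...) narrows the grant;
            # flag it for a human rather than calling it public outright
            findings.append(("review", f"{sid}: anonymous Allow narrowed by Condition"))
            continue
        for action in _as_list(stmt.get("Action", [])):
            findings.append(("public", f"{sid}: anonymous principal allowed {action}"))
    return findings


def acl_findings(grants: List[Dict]) -> List[Finding]:
    findings: List[Finding] = []
    for grant in grants:
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            group = grantee["URI"].rsplit("/", 1)[-1]
            findings.append(("public", f"ACL grants {grant['Permission']} to {group}"))
    return findings


def bucket_is_public(policy_json: str, grants: List[Dict]) -> bool:
    # Either mechanism alone is enough to expose the data; check both
    return any(sev == "public" for sev, _ in policy_findings(policy_json) + acl_findings(grants))


if __name__ == "__main__":
    for name, pol, acl in [("public", PUBLIC_READ_POLICY, PUBLIC_ACL_GRANTS),
                           ("private", PRIVATE_POLICY, PRIVATE_ACL_GRANTS)]:
        print(name, bucket_is_public(pol, acl), policy_findings(pol) + acl_findings(acl))
```

The policy check and the ACL check are deliberately separate because S3 evaluates both: a private bucket policy does nothing to close an ACL that grants READ to AllUsers, and vice versa. Run the two functions over `get_bucket_policy()` and `get_bucket_acl()` output for every bucket in an account, and treat any "public" finding on a bucket that holds customer records as an incident rather than a ticket.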
  13. Tomi Engdahl says:

    Expert gives Congress solution to vote machine cyber-security fears: Keep a paper backup
    Hot take from crypto-guru Prof Matt Blaze
    https://www.theregister.co.uk/2017/12/01/us_voting_machine_security_hearing/

    With too many electronic voting systems buggy, insecure and vulnerable to attacks, US election officials would be well advised to keep paper trails handy.

    This is according to Dr Matt Blaze, a University of Pennsylvania computer science professor and top cryptographer, who spoke to Congress this week about cyber-threats facing voting machines and election infrastructure.

    Among Blaze’s recommendations is that rather than rely on purely electronic voting machines to log votes, officials use optical scan machines that retain a paper copy of each voter’s ballot that can be consulted if anyone grows concerned about counting errors or tampering. In other words, due to the fact that everything has bugs and flaws, truly paperless voting systems should be a no-no.

    Reply
  14. Tomi Engdahl says:

    Senators Propose New Breach Notification Law
    http://www.securityweek.com/senators-propose-new-breach-notification-law

    Senators Propose New Data Protection Bill Following Equifax and Uber Breaches

    Following the Equifax breach and the hidden Uber breach, three U.S. senators have introduced the Data Security and Breach Notification Act. Its purpose is to ensure better protection of personal information, and to provide a nationwide standard breach notification requirement. It is effectively a re-introduction of the 2015 bill of the same name.

    “The recent data breaches, from Uber to Equifax, will have profound, long-lasting impacts on the integrity of many Americans’ identities and finances, and it is simply unacceptable that millions of them may still not know that they are at risk, nor understand what they can and should do to help limit the potential damage,” said Senator Baldwin.

    “We need a strong federal law in place to hold companies truly accountable for failing to safeguard data or inform consumers when that information has been stolen by hackers,” said Nelson. “Congress can either take action now to pass this long overdue bill or continue to kowtow to special interests who stand in the way of this commonsense proposal. When it comes to doing what’s best for consumers, the choice is clear.”

    There are three noteworthy aspects to this bill: 30 days to disclose following a breach; up to five years in prison for failure to do so; and the FTC with NIST to draw up recommendations on the technology or methodologies necessary to avoid such sanctions.

    Reply
  15. Tomi Engdahl says:

    The potential for regulatory confusion can be seen in a comparison between this data ‘privacy’ requirement and that of Europe’s General Data Protection Regulation (GDPR).

    Reply
  16. Tomi Engdahl says:

    Is this a good or terribly bad idea?

    Facebook asks users for nude photos in project to combat revenge porn
    https://www.theguardian.com/technology/2017/nov/07/facebook-revenge-porn-nude-photos

    In Australia pilot effort, company will ‘hash’ images, converting them into digital fingerprints that prevent any other attempts to upload the same pictures

    Reply
  17. Tomi Engdahl says:

    The Cumulative Effect of Major Breaches: The Collective Risk of Yahoo & Equifax
    http://www.securityweek.com/cumulative-effect-major-breaches-collective-risk-yahoo-equifax

    Until quite recently, people believed that a dizzying one billion accounts were compromised in the 2013 Yahoo! breach… and then it was revealed that the real number is about three billion accounts.

    That raises the question: so what? Isn’t all the damage from a four-year-old breach already done?

    The answer: not at all. For those who have taken control of the compromised accounts, or who possess confidential information about a billion or more individuals, the Yahoo! breach is the gift that will keep on giving.

    First of all, the consequences of the breach are not yet fully realized. Criminals have only recently started using compromised email accounts to spread ransomware and spam. As email service providers increasingly use the age of the sending account as an indicator of risk, the value to criminals of long-established but compromised accounts has started to increase. These accounts become a circumvention strategy for criminals wishing to reliably deliver malicious emails. As the value of an established account goes up, the damage that can be done by using the compromised accounts does, too.

    Second, criminals have only recently started to mine the contents of compromised accounts to identify promising opportunities – but that is increasingly happening now, and is becoming another source of value to the Yahoo! attackers (and anybody who has already purchased compromised accounts from them.) To a large extent, we are still in the “manual effort” phase of this type of attack, wherein attackers have not yet understood exactly what they are looking for, and therefore, have not yet written scripts to automate the task. Once their understanding matures and they automate the process, the vast volumes of compromised accounts will turn into new criminal opportunities

    Reply
  18. Tomi Engdahl says:

    The Worst Password Offenders of 2017
    http://www.securityweek.com/worst-password-offenders-2017

    Password management firm Dashlane has published a list of what it believes are the top ten password offenders for 2017. It comprises six ‘government’ entries (including the President of the United States and the entire UK Government), and four organizations. Topping the list is Donald Trump, joined by Paul Manafort at #9 and Sean Spicer at #10.

    To be fair, it is as much Trump the administration as it is Trump the person that is being called out. Dashlane points to a Channel 4 News investigation in January 2017 that said “Passwords used by Donald Trump’s incoming cyber security advisor Rudy Giuliani and 13 other top staff members have been leaked in mass hacks.”

    In reality, the majority of people have had at least one password exposed by the many mass hacks that have plagued the internet this decade, so the biggest problem is not whether a password appears in the dark web listings, but whether it is still being used by the user of that password. Dashlane comments, “many of the top staff members Trump handpicked, including multiple cabinet secretaries, senior policy directors — even cybersecurity advisor Rudy Giuliani — were reusing insecure, simple passwords.”

    Reply
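The point in the comment above is that the risk is not that a password once leaked, but that it is still in use. A practical way to check that without sending passwords anywhere is the k-anonymity range query used by Have I Been Pwned's Pwned Passwords service: the client hashes the password with SHA-1, sends only the first five hex characters, receives every known hash suffix under that prefix, and matches the remainder locally. The following is an added example, not code from the page, Dashlane or HIBP, implementing both sides of that exchange offline. The breach corpus is a constructed four-entry dictionary standing in for a real dump; a real server would hold only hashes and counts.

```python
import hashlib
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed breach corpus: plaintexts are present only so the demo can build its own
# index; they are not real leaked credentials and counts are illustrative
CONSTRUCTED_BREACH_DUMP: Dict[str, int] = {
    "password": 3_000_000,
    "123456": 23_000_000,
    "letmein": 150_000,
    "Tr0ub4dor&3": 12,
}

PREFIX_LEN = 5  # 20 bits of the hash leave the server with roughly a million candidates


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


class BreachIndex:
    """Server side: prefix -> list of (35-hex-char suffix, times seen in breaches)."""

    def __init__(self, dump: Dict[str, int]) -> None:
        self._by_prefix: Dict[str, List[Tuple[str, int]]] = defaultdict(list)
        for plaintext, count in dump.items():
            digest = sha1_hex(plaintext)
            self._by_prefix[digest[:PREFIX_LEN]].append((digest[PREFIX_LEN:], count))

    def range_query(self, prefix: str) -> List[Tuple[str, int]]:
        # The server never sees more than the prefix, so it cannot single out the password
        if len(prefix) != PREFIX_LEN:
            raise ValueError("range query takes exactly the hash prefix")
        return sorted(self._by_prefix.get(prefix.upper(), []))


def breach_count(password: str, index: BreachIndex) -> int:
    """Client side: hash locally, query by prefix, compare suffixes locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    for candidate_suffix, count in index.range_query(prefix):
        if candidate_suffix == suffix:
            return count
    return 0


def still_in_use_findings(current_passwords: Dict[str, str], index: BreachIndex) -> List[str]:
    """Map account -> password (e.g. from a policy audit) to a list of accounts whose
    current password appears in the breach corpus. Passwords are not logged."""
    return [f"{account}: password seen {breach_count(pw, index)} times in breaches"
            for account, pw in current_passwords.items() if breach_count(pw, index) > 0]


if __name__ == "__main__":
    index = BreachIndex(CONSTRUCTED_BREACH_DUMP)
    # Constructed audit input
    audit = {"alice": "letmein", "bob": "correct horse battery staple"}
    for line in still_in_use_findings(audit, index):
        print(line)
```

The scheme gives the lookup service no way to learn which of the suffixes under a prefix the client cared about, which is what makes it acceptable to run against passwords still in production. Reuse across sites is the other half of the problem and is not detectable from a single breach corpus; that needs a password manager or per-service credentials.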
  19. Tomi Engdahl says:

    Why everything is hackable
    Computer security is broken from top to bottom
    https://www.economist.com/news/science-and-technology/21720268-consequences-pile-up-things-are-starting-improve-computer-security?etear=sponsor-openandsecure

    As the consequences pile up, things are starting to improve

    Reply
  20. Tomi Engdahl says:

    Modern computer chips are typically designed by one company, manufactured by another and then mounted on circuit boards built by third parties next to other chips from yet more firms. A further firm writes the lowest-level software necessary for the computer to function at all. The operating system that lets the machine run particular programs comes from someone else. The programs themselves from someone else again. A mistake at any stage, or in the links between any two stages, can leave the entire system faulty—or vulnerable to attack.

    It is not always easy to tell the difference.

    Source: https://www.economist.com/news/science-and-technology/21720268-consequences-pile-up-things-are-starting-improve-computer-security?etear=sponsor-openandsecure

    Reply
  21. Tomi Engdahl says:

    What happened in 2017 from http://www.darkreading.com/drdigital/20171212td?cid=DRTD01A_20171212&_mc=DRTD01A_20171212&elq_mid=82029&elq_cid=14916437

    ‘WannaCry’ Rapidly Moving Ransomware Attack Spreads to 74 Countries
    A wave of ransomware infections took down a wide swath of UK hospitals and is rapidly moving across the globe.
    Equifax Data Breach Prompts Calls for Tougher Security Requirements on Data Aggregators
    Credit report bureau discloses breach that exposed data on 143 million US consumers.
    DEF CON Rocks the Vote with Live Machine Hacking
    Jeff Moss, founder of the hacker conference, is planning to host a full-blown election and voting system for hacking in 2018 at DEF CON, complete with a simulated presidential race.
    Putin Directed Cyberattack, Propaganda Operation to Influence US Election
    US Office of the Director of National Intelligence releases unclassified version of intel community’s findings on Russia’s attempts to influence US presidential race via cyberattacks, leaks, and pure propaganda.
    Adobe’s Move to Kill Flash Is Good for Security
    In recent years, Flash became one of the buggiest widely used apps out there.
    DoJ Indicts Russian FSB Officers and Cybercriminals in Yahoo Breach
    Russian intelligence officials hired renowned cybercriminals to do their bidding in massive hacks that compromised Yahoo, Gmail, and other email accounts of millions of people in the US, Russia, and elsewhere.
    Cybersecurity Faces 1.8 Million Worker Shortfall by 2022 (ISC)2 report shows the skills shortage is getting worse.

    Reply
  22. Tomi Engdahl says:

    U.S. Prosecutors Confirm Uber Target of Criminal Probe
    http://www.securityweek.com/us-prosecutors-confirm-uber-target-criminal-probe

    A letter made public Wednesday in Waymo’s civil suit against Uber over swiped self-driving car secrets confirmed the ride-share service is the target of a US criminal investigation.

    Uber is also a target of investigations and lawsuits over the cover-up of a hack that compromised personal information of 57 million users and drivers.

    Uber purportedly paid data thieves $100,000 to destroy the swiped information — and remained quiet about the breach for a year.

    Reply
  23. Tomi Engdahl says:

    Three Plead Guilty in Mirai Botnet Attacks
    http://www.securityweek.com/three-plead-guilty-mirai-botnet-attacks

    US officials unveiled criminal charges Wednesday against a former university student and two others in the Mirai botnet attacks which shut down parts of the internet in several countries starting in mid-2016.

    The Justice Department announced plea agreements for Paras Jha, 21 — a former Rutgers University computer science student who acknowledged writing the malware code — and Josiah White, 20, and Dalton Norman, 21, who helped profit from the attacks.

    In documents unsealed Wednesday, Jha admitted writing the code for the botnet which harnessed more than 100,000 “internet of things” (IoT) devices such as cameras, light bulbs and appliances to launch the attacks.

    By commanding an army of bots — or computers under control of the attackers — the malware shut down networks and websites in the United States, Germany, Liberia and elsewhere.

    The malware was used to make money through “click fraud,” a scheme that makes it appear that a real user has clicked on an advertisement for the purpose of artificially generating revenue, according to officials.

    The three generated some $180,000 from the scheme in bitcoin, Justice officials added.

    Reply
  24. Tomi Engdahl says:

    Traffic to Major Tech Firms Rerouted to Russia
    http://www.securityweek.com/traffic-major-tech-firms-rerouted-russia

    Internet traffic for some of the world’s largest tech firms was briefly rerouted to Russia earlier this week in what appeared to be a Border Gateway Protocol (BGP) attack.

    OpenDNS-owned Internet monitoring service BGPmon reported the incident on Tuesday. BGPmon noticed that 80 IP prefixes for organizations such as Google, Microsoft, Apple, Facebook, NTT Communications, Twitch and Riot Games had been announced by a Russian Autonomous System (AS).

    It happened twice on Tuesday and each time it only lasted for roughly three minutes. The first event took place between 04:43 and 04:46 UTC, and the second between 07:07 and 07:10 UTC.

    Reply
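The incident described above is an origin hijack: an autonomous system that does not own a prefix announces it (or a more-specific part of it) and, because BGP routers prefer the longest matching prefix and have no built-in proof of ownership, traffic follows the bogus route. Monitoring services such as BGPmon catch this by comparing observed origins against expected ones. The following is an added example, not code from the page or from BGPmon, that performs that comparison over a constructed route feed. The prefixes are documentation ranges, the AS numbers are from the private range, and the "expected origins" table stands in for data you would take from your own IRR or RPKI records.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Announcement:
    prefix: str
    as_path: Tuple[int, ...]  # leftmost = neighbour that sent it, rightmost = origin AS

    @property
    def origin_as(self) -> int:
        return self.as_path[-1]


# Constructed expectations: which AS is allowed to originate each prefix
EXPECTED_ORIGINS: Dict[str, int] = {
    "203.0.113.0/24": 64500,
    "198.51.100.0/24": 64501,
    "2001:db8::/32": 64502,
}

# Constructed feed; AS 64666 plays the part of the hijacking network
SAMPLE_FEED: List[Announcement] = [
    Announcement("203.0.113.0/24", (64510, 64500)),       # legitimate
    Announcement("203.0.113.0/24", (64520, 64666)),       # same prefix, wrong origin
    Announcement("198.51.100.128/25", (64520, 64666)),    # more-specific wins longest match
    Announcement("198.51.100.0/24", (64510, 64501)),      # legitimate
    Announcement("2001:db8:1::/48", (64510, 64502)),      # owner's own more-specific: fine
    Announcement("192.0.2.0/24", (64530,)),               # nothing expected: not monitored
]

HIJACK_VERDICTS = ("origin-mismatch", "more-specific-hijack")


def classify(ann: Announcement, expected: Dict[str, int]) -> str:
    net = ipaddress.ip_network(ann.prefix)
    for exp_prefix, exp_origin in expected.items():
        exp_net = ipaddress.ip_network(exp_prefix)
        if net.version != exp_net.version:
            continue  # subnet_of() raises on mixed v4/v6, so skip explicitly
        if net == exp_net:
            return "ok" if ann.origin_as == exp_origin else "origin-mismatch"
        if net.subnet_of(exp_net):
            # A more-specific from the rightful owner is normal traffic engineering;
            # from anyone else it diverts traffic for that sub-range
            return "ok-more-specific" if ann.origin_as == exp_origin else "more-specific-hijack"
    return "unmonitored"


def detect_hijacks(feed: List[Announcement], expected: Dict[str, int]) -> List[Tuple[str, int, str]]:
    alerts = []
    for ann in feed:
        verdict = classify(ann, expected)
        if verdict in HIJACK_VERDICTS:
            alerts.append((ann.prefix, ann.origin_as, verdict))
    return alerts


if __name__ == "__main__":
    for prefix, origin, verdict in detect_hijacks(SAMPLE_FEED, EXPECTED_ORIGINS):
        print(f"ALERT {verdict}: {prefix} originated by AS{origin}")
```

Two things worth noting from the sample: the more-specific /25 is the more dangerous case, because routers prefer it over the legitimate /24 even when the legitimate route is still present, and a check that only looks for exact-prefix origin changes misses it. Short-lived events like the three-minute windows in the report also mean the feed has to be evaluated on every update, not on a periodic snapshot. RPKI route origin validation lets routers apply the same comparison at forwarding time instead of after the fact.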
