Year 2017 was bad cybersecurity year, and it is expected new Cybersecurity Dangers Will Spike in 2018. Security situation was so bad in 2017 that it was though that We’re hitting rock bottom in cyber, but I fear that we have nit yet hit the bottom, and thing will still get worse until they start to get better. Remember that cybercriminals will shift targets and evolve their tactics, techniques and procedures (TTPs) throughout the year. In the age of digital transformation, most businesses processes are connected to the Internet. This not only means a company’s data is potentially exposed, it also means, a company’s customers are exposed. 2o18 will present new and increasing industrial cyber security challenges for facilities operators. Whatever happens in 2018 and beyond, cybercrime will continue to be a problem.
Here is a list of relevant cyber security terms for 2018s:
AI: Artificial intelligence (AI) and machine learning (ML) will be hot in 2018. Both good and bad guys aim to use it for their various purposes.Threat landscape now expands dizzyingly at the pace of hundreds of thousands of new attack variants every day. As the types of attacks broaden and the sophistication level deepens, we humans obviously need some help. Enter data science and supporting technologies that have driven breakthrough advances in security, processing and analyzing all of this data on a scale that is multiple orders of magnitude faster than humans ever could. AI solutions cold possibly help on some of the security problems, but be warned of over-hyping of AI om solutions. We will see many attacks against ‘black box’ machine learning.
Artesanal: Today, security is kind of an artisanal industry. With a total addressable market north of $85 billion per year – and not one player above 5 percent – it is a chaotic industry of niches: Endpoint, AV, Cloud, Network/Infrastructure, Application, Compliance, and the list goes on and on. There is an overwhelming array of choices has given technologists a lot to evaluate, they have not gone far enough to lower the actual security risk facing organizations. In 2018, organizations will start to focus more on outcomes than simply checking all of the boxes with niche security tools.
Attacks: Threat landscape now expands dizzyingly at the pace of hundreds of thousands of new attack variants every day. As the types of attacks broaden and the sophistication level deepens, we humans obviously need some help. Enter data science and supporting technologies that have driven breakthrough advances in security, processing and analyzing all of this data on a scale that is multiple orders of magnitude faster than humans ever could.
Automation: Enterprises will now no longer manually react to cyber events after they happen but will instead use systems to proactively plan and automatically respond. Security Policy Orchestration and Automation to Lead Next-Generation Cybersecurity for Enterprises.
Backups: Understand and backup data. Categorize data based on organizational value. Test that your backup and restore process works.
Behavioral Analytics: Detecting compromises requires monitoring a series of activities over time. A first and imperative step toward ensuring better protection of assets, business and humanity is to assume that everything is connected – and therefore, vulnerable. A second could be to consider investing in a network visibility solution. Behavioral Analytics Enables Verification That Users Are Doing the Right Thing. There are more and more tools to help companies detect anomalous behavior in their organizations.
Blockchain: Blockchain is a continuously growing list of records, called blocks, which are linked and secured using cryptography. It can be describes as an open, distributed ledger that can record transactions between two parties efficiently and in a verifiable and permanent way. The invention of the blockchain for bitcoin made it the first digital currency to solve the double spending problem without the need of a trusted authority or central server. Blockchain, the technology underlying cryptocurrency, is a good example of a community based trust model (if not one completely based on transparency). A blockchain can be used to facilitate secure online transactions. Blockchain technology can be integrated into multiple areas, but it seems that the technology has been often hyped with unrealistic claims. After a surge in the cryptocurrency market in 2017, browser-based cryptocurrency mining made an unlikely return, coming back to haunt websites and their visitors – some see unauthorized coin mining in the browser as looming security risk and some see that authorized browser mining could be used for micro-payments.
Breaches: In 2016, breaches cost businesses nearly $4 billion and exposed an average of 24,000 records per incident. In 2017, the number of breaches is anticipated to rise by 36%. The constant drumbeat of threats and attacks is becoming so mainstream that businesses are expected to invest more than $93 billion in cyber defenses by 2018.
Certificates: Facebook Releases New Certificate Transparency Tools that allows developers to search for certificates and receive alerts when a new certificate is issued for their domains. The tool ensures that newly issued certificates that have been logged to Certificate Transparency Logs (CT logs) aren’t mis-used to perform man-in-the-middle attacks.With hundreds of Certificate Authorities (CAs) issuing publicly-trusted TLS certificates for any website out there, a single breach at any CA could result in the mis-issuance of publicly-trusted TLS certificates.
Cloud: Organizations are responsible for ensuring the security of their data, regardless of where that data resides, oftentimes cloud security is still thought of as a different type of security. You Should Question Most Common Cloud Assumptions. The reality is that the approach to cloud security should be no different from the approach to network or endpoint security.
Continuous improvement: With corporate leadership increasingly backing efforts to bolster security protections, companies are committing to security as continuous improvement. Gartner predicts that through 2020, 99% of vulnerabilities exploited will continue to be the ones known by security and IT professionals for at least one year.
Cyber-soldiers: The US Army will soon send teams of cyber warriors to the battlefield. “Not everything is destroy. How can I influence by non-kinetic means? How can I reach up and create confusion and gain control?”
GDPR: Lots of people, whether security professionals or not, are talking about the European General Data Protection Regulation (GDPR) lately. Are you ready for 2018′s privacy rules? If you trade in or with an EU country and record personal data from customers and other folks, then you will be affected by the GDPR. General Data Protection Regulation (GDPR) was approved by the EU Parliament on 14 April 2016. Enforcement date is 25 May 2018 – at which time those organizations in non-compliance will face heavy fines (a fine up to 20000000 EUR or up to 4% of the annual worldwide turnover).The GDPR deadline is fast approaching, and many are still woefully unprepared. The regulation applies if the data controller (an organization that collects data from EU residents) or processor (an organization that processes data on behalf of data controller e.g. cloud service providers) or the data subject (person) is based in the EU. Furthermore the regulation also applies to organizations based outside the European Union if they collect or process personal data of EU residents. In order to be able to demonstrate compliance with the GDPR, the data controller should implement measures which meet the principles of data protection by design and data protection by default. Under the GDPR, the Data Controller will be under a legal obligation to notify the Supervisory Authority without undue delay on issues like data breach. Europe’s General Data Protection Regulation scare season is in full swing and suppliers are pretty much saying “buy our stuff or risk fines up to four per cent of your annual revenues.” If you haven’t done any preparation yet, is it really that bad. You might also need to take GDPR into account in software development. Your business needs to be GDPR-compliant but – and this is the bleedin’ EU – it isn’t as simple as that; there isn’t a single GDPR compliance test. The regulation is non-prescriptive. There is no black-and-white compliant or not compliant state. It’s fuzzy. You can’t verify compliance. However, it is on you to make sure your internal processes and procedures satisfy the GDPR. Anyone selling a perfect GDPR compliance kit is flogging snake oil. They don’t exist.
Holistic: While the cyber danger increases for industrial networks, holistic security is gaining ground.On the defense side, companies are beginning to take a holistic approach to security. We’re likely to see in 2018 the shift to a broader approach to cybersecurity: Protection will become an assortment of defense efforts inside and outside the network. Companies are developing products that include strong built-in security, and they are also addressing security at all levels – cloud, network and device. The holistic solution will take security down to the device level. Examples include new hardware-based security solutions and secure MCUs for IoT devices.
HTTP: Several major browsers have started describing some HTTP connections as insecure as they continue the industry-wide push to promote the use of encrypted HTTPS. Typically the non-secure labelling will occur on pages delivered over HTTP that include forms. Firefox will includes a warning immediately adjacent to the password box itself whenever the page is delivered over HTTP.
HTTP/2: HTTP/2 (originally named HTTP/2.0) is a major revision of the HTTP network protocol used by the World Wide Web. As of end 2017, 23.1% of the top 10 million websites support HTTP/2. Most client implementations have stated that they will only support HTTP/2 over TLS, which makes encryption de facto mandatory.
HTTPS: In HTTPS, the world wide web HTTP communication protocol is encrypted by Transport Layer Security (TLS), or formerly, its predecessor, Secure Sockets Layer (SSL). The principal motivation for HTTPS is authentication of the accessed website and protection of the privacy and integrity of the exchanged data. HTTPS was been increasingly used for protecting page authenticity on all types of websites, and several major browsers have started calling HTTP connections insecure. Most major modern websites use HTTPS. Many organizations use HTTPS interception products for several purposes, including detecting malware that uses HTTPS connections to malicious servers. This weakens the end-to-end protections that HTTPS aims to provide.
ICS: In 2017, there was an uptick in organizations implementing ICS security solutions and integrating them with existing tools such as Security Information and Identity Management Systems (SIEM), and Incident Management Systems. In 2018, this trend will likely continue given that ICS networks are generating more and more security alerts, which expose to both IT and executive management the security gaps they need to address. Organizations become more aware of the threats posed to their building management systems (BMS) and building automation systems (BAS). Industrial security frameworks have been gaining popularity over the past few years. ICS technology vendors are going to roll out a new breed of products that will support encryption and other embedded security controls.
Identify: When you have inventory of what you have, you can identify the gaps in your security approach and the capabilities you need to put into place to fill those gaps.
IPv6: IPv6 usage seems to be finally accelerating in 2018. IPv6 has been a “future” since 1998, and an important future since 2007. IPv6 deployments have been increasing and chances are you have already used IPv6 – but haven’t realized it yet. IPv6 deployment is increasing around the world, with over 9 million domain names and 23% of all networks advertising IPv6 connectivity. Network admins will have many concerns about migrating to IPv6 in 2018.IPv& security is somewhat different than IPv4, so you need to learn how to do it correctly. When deploying IPv6, doing everything at once isn’t very likely, so you will have the task so manage the network security at both IPv6 and IPv4 networks for a long time. IPv6 use is increasing, but that does not mean that IPv4 is no way dying. It seems that both of those technologies will co-exist in Internet for a long time., so the default network setting ion the future is the devices had IPv6 address, along with their existing IPv4 address (a technique known as dual-stacking). Many devices are nowadays by default configured like that – so it is possible that you are using IPv6 without knowing of that (if this is good or bad depends if you planned your network to work in this way or not).
Inventory:Understand the computers, networking and applications you have. Understand the landscape of the security tools you have.
IoT: IoT lets data aggregators, service providers, tech companies, cities and federal governments monetize data sucked into billions of connected devices.Expect the top IoT agenda in 2018 to be “transparency” for collected data. The implementation of security in many IoT products will not match the pace of advancement of cyberattacks. Improved IoT Security Starts with Liability for Companies, Not Just Legislation.Security experts have always warned us that a network is only as secure as its weakest point. Internet of Things (IoT) means that the number of points in each network is set to mushroom, with Cisco expecting between 50 and 200 billion smart devices to be online by 2020. With the adoption of the Industrial IoT, there’s an explosion of data being produced by the interconnected devices on the factory floor. System engineers face greater challenges today when developing IIoT-capable, network-connected embedded devices. Besides the usual issues, they must deal with security issues, encryption standards, networking protocols and new technologies. IoT system should be addressing security at all levels – cloud, network and device. The holistic solution will take security down to the device level. Examples include new hardware-based security solutions and secure MCUs for IoT devices. It’s quickly becoming common practice for embedded system developers to isolate both safety and security features on the same SoC. The data created by IoT devices is extremely sensitive, ranging from personal biometric information to industrial production data. Encryption and handling of this data is the top priority. The responsibility must fall on the industry to create a robust, versatile security standard for IoT devices. There seems to be going on the The Race for a Universal IoT Security Standard, but that does not get anywhere near ready on 2018. Out-of-date software is a huge vulnerability, so the management of updates should be a part of any security standard. On the bad front, expect more sophisticated ransomware; increased threats due to the Industrial Internet of Things (IIoT); and a serious lack of cyber security skills. For ugly, think ‘red button’ incidents.
Micro-segmentation: Categorize data based on organizational value and then physical or logical separation of networks can be created for different business functions. Network isolation, segmentation and limiting communication between workstations can keep supply chain traffic separate from other internal traffic. This approach can also prevent attacks, like WannaCry and NotPetya, from propagating across networks to reach their intended target.
Mirai: Mirai trojan and it’s many variants have been threat to IoT devices and several Internet services in 2016 and 2017. In 2017 Mirai-makers plead guilty, but this isn’t the end for the now open-sourced Mirai. I expect that we see on 2018 new attempts to create a more potent version of the Mirai malware that threatens to run rampant across the Internet of Many Unsecured Things.
Orchestration: Orchestration is an evolutionary step toward organizational cyber resiliency. ABI Research forecasts that security policy orchestration will hit $1 billion in its global revenues by 2020.
Patching: Vulnerabilities are not a new phenomenon – they are as old as computers. TAnd they need to be fixed. Traditional approaches might not no longer suffice. Instead, according to Gartner, organizations should transform their vulnerability management practices to a threat-centric model, which allows for imminent threat elimination rather than gradual risk reduction. Under this new model, imminent threats are prioritized and remediated first.Gartner predicts that through 2020, 99% of vulnerabilities exploited will continue to be the ones known by security and IT professionals for at least one year.
Privacy: The data created by IoT devices is extremely sensitive, ranging from personal biometric information to industrial production data. Encryption and handling of this data is the top priority. Common sense guidelines and standards are needed to help engineers create products that respect privacy and give users the rights to their own data.
PSD2: EU-wide Payment Service Directive 2 (PSD2) will open up customer transactions and data to third parties with appropriate consent. Methods and common practices to meet these requirements are not established yet, a potential roadblock for product developers. We meed Consent Management Solutions.
Ransomware: In 2018, we’re likely to see hackers build on the success of brutal attacks such as WannaCry ransomware. The 2017 ransomware attacks set the scene for 2018 protections. Yet it’s the next wave beyond ransomware the worries cybersecurity experts.
Responsibility: People are starting to call companies to take responsibility. EU’s General Data Protection Regulation (GDPR) are being developed to maintain user security and privacy as companies continue to collect our data. The responsibility must fall on the industry to create a robust, versatile security standard for IoT devices. The vision of internet pioneers that a globally connected, transparent world with free access to information is inevitably good seems to be turned out to be at least partially wrong. Some people call that It’s Time for Innovators to Take Responsibility for their Creations. Silicon Valley’s chief executives are nows societal leaders too, oligarchs shaping the very nature of our identities, communications, and relationships (for example immense power wielded by Facebook in the 2016 presidential election). We live in a world where software and algorithms run most every part of our lives—where Google and Facebook control close to 70 percent of all digital advertising, and smartphone penetration is nearing 80 percent. Responsibly disclosing vulnerabilities.
Risk Mitigation: Risk mitigation is a subject that is timeless in the information security field, and it is, in essence, what information security is all about. And if we look at the biggest risks most organizations face, many of those risks relate directly to the loss of sensitive, proprietary, and confidential data. The theft of data that an organization was entrusted with safeguarding will most often cost that organization dearly. You don’t mitigate risk by throwing a bunch of technologies into a data center and hoping for the best. You prioritize the gravest risks to the most sensitive data, and then go about determining how best to protect that data. When you have plan what to do, next the technology is an extremely important component of a security program. Focus on actual disease and not just the symptoms. The Best Security Doesn’t Exclude Users, it Empowers Them.
Supply chain: Keep eye on supply chain and third-party vulnerabilities. These types of attacks have been common in 2017 and will continue to be a fruitful method for cybercriminals in 2018. Hold suppliers to certain standards. Be prepared for intrusions resulting from the compromise of software suppliers.
Transparency: Expect the top IoT agenda in 2018 to be “transparency” for collected data. People will want to know where their data is being moved, who’s using it, and what for. Do You Know Where Your Data Are?
Unhackable: Cybersecurity experts have long preached that the only way to make computers “unhackable” is with on-chip hardware, but no one has done it yet. For many attempts the goal of “hack resistance” appears to hedge a bit on whether truly unhackable hardware is achievable.
Virtual security: Virtual security means that manufacturers claim their products are secure. But in reality they are not.
Vulnerability: Patching is an important part of your defense strategy and failing to do so opens the door wide for adversaries. According to the 2017 U.S. State of Cybercrime Survey, 39 percent of respondents reported that the frequency of cyber security events has increased over the past 12 months. This is reflected in daily news reports about data breaches and newly found vulnerabilities. Traditional mid-sized organizations are faced with an average of 200,000 vulnerabilities across their ecosystem. Vulnerabilities are not a new phenomenon – they are as old as computers. Traditional approaches might not no longer suffice. Instead, according to Gartner, organizations should transform their vulnerability management practices to a threat-centric model, which allows for imminent threat elimination rather than gradual risk reduction. Under this new model, imminent threats are prioritized and remediated first.Gartner predicts that through 2020, 99% of vulnerabilities exploited will continue to be the ones known by security and IT professionals for at least one year. A new Synopsys survey reveals that customer-facing web and mobile applications are the top security challenge for IT professionals in Asia. They often process highly sensitive information and cyber attacks targeting them are increasing in sophistication. As the use of open source continues to rise, many organizations are putting their toes on the line for a race they are ill-prepared to run - many organizations have no process for tracking open source. Responsibly disclosing vulnerabilities.
Worms: Wormable malware. Some of the biggest cyber incidents in 2017 r evolved around the issue of self-replicating malware that can spread between networks. WannaCry and NotPetya were examples of this. These two types of threats likely to continue into 2018.
Sources:
Firefox, Chrome start calling HTTP connections insecure
Alert (TA17-075A) HTTPS Interception Weakens TLS Security
Browser-Based Cryptocurrency Mining Makes Unexpected Return from the Dead
Cybersecurity Dangers Will Spike in 2018
We’re hitting rock bottom in cyber — let’s do something | TechCrunch
Mirai-makers plead guilty, Hajime still lurks in shadows
DARPA Takes Chip Route to ‘Unhackable’ Computers
Another AI attack, this time against ‘black box’ machine learnings
General Data Protection Regulation (Wikipedia)
Your palms are sweaty, knees weak, arms are heavy – you forgot about Europe’s GDPR already
Miten GDPR pitää huomioida ohjelmistokehityksessä?
Seven Seas Cybersecurity: Captain, We Have a Problem
In the Words of President Ronald Reagan, “Trust but Verify”
Why You Should Question These Most Common Cloud Assumptions
It’s 2018. Do You Know Where Your Data Are?
Improved IoT Security Starts with Liability for Companies, Not Just Legislation
Smart Factory Connectivity for the Industrial IoT
The Race for a Universal IoT Security Standard
Security Policy Orchestration and Automation to Lead Next-Generation Cybersecurity for Enterprises
The Internet of Things Is Going to Change Everything About Cybersecurity
My Internet Mea Culpa: I’m sorry I was wrong. We all were.
Resolve to Mitigate Your Business’ Digital Risk in 2018
Emerging Trends in Vulnerability Management
Research reveals customer-facing web and mobile apps as top security challenge
Open Source Vulnerabilities: Are You Prepared to Run the Race?
Device Security for the Industrial Internet of Things
GDPR and Open Source: Best Practices
Isolating Safety and Security Features on the Xilinx UltraScale+ MPSoC
ICS Cyber Security Predictions for 2018 – The Bad, The Ugly, and The Good
Threat Modeling the Internet of Things: Modeling Reaper
Engineering for Privacy Requires Standards
How to Make Adversaries Work Harder, While We Work Smarter, in 2018
2018 Predictions: Customers Demand Outcomes to End Balkanization of Security Practices
Facebook Releases New Certificate Transparency Tools
iWelcome and digi.me Launch Kantara Initiative Consent Management Solutions Work Group
Open Source Vulnerabilities: Are You Prepared to Run the Race?
U.S. Military to Send Cyber Soldiers to the Battlefield
Machine Learning & Security: Making Users Part of the Equation
Security is Not a Technology Profession
Top 5 Concerns of Network Admins About Migrating to IPv6 in 2018
636 Comments
Tomi Engdahl says:
Mozilla Restricts All New Firefox Features to HTTPS Only
https://www.bleepingcomputer.com/news/software/mozilla-restricts-all-new-firefox-features-to-https-only/
In a groundbreaking statement earlier this week, Mozilla announced that all web-based features that will ship with Firefox in the future must be served on over a secure HTTPS connection (a “secure context”).
“Effective immediately, all new features that are web-exposed are to be restricted to secure contexts,” said Anne van Kesteren, a Mozilla engineer and author of several open web standards.
This means that if Firefox will add support for a new standard/feature starting tomorrow, if that standard/feature carries out communications between the browser and an external server, those communications must be carried out via HTTPS or the standard/feature will not work in Firefox.
Mozilla continues its push for HTTPS
The move comes after a continuous push from browser makers to force website owners and developers to adopt HTTPS as a default state for the Web.
Mozilla has been tremendously helpful in this manner via the Let’s Encrypt project, which it supported since the beginning.
Almost 65% of web pages loaded by Firefox in November used HTTPS, compared to 45% at the end of 2016, according to Let’s Encrypt numbers.
Tomi Engdahl says:
Real time attack map
https://www.threat-cloud.com/ThreatPortal/#/map
Tomi Engdahl says:
VirusTotal Launches Visualization Tool
http://www.securityweek.com/virustotal-launches-visualization-tool
VirusTotal this week announced the availability of a visualization tool designed to help with malware investigations.
Analyze suspicious files and URLs to detect types of malware including viruses, worms, and trojans.
https://www.virustotal.com/#/home/upload
Tomi Engdahl says:
Watching the Watchers: Are You The Star Of an Encrypted Drone Video Stream?
https://hackaday.com/2018/01/15/watching-the-watchers-are-you-the-star-of-an-encrypted-drone-video-stream/
Small aircraft with streaming video cameras are now widely available, for better or worse. Making eyes in the sky so accessible has resulted in interesting footage that would have been prohibitively expensive to capture a few years ago, but this new creative frontier also has a dark side when used to violate privacy. Those who are covering their tracks by encrypting their video transmission should know researchers at Ben-Gurion University of the Negev demonstrated such protection can be breached.
The BGU team proved that a side-channel analysis can be done against behavior common to video compression algorithms, as certain changes in video input would result in detectable bitrate changes to the output stream. By controlling a target’s visual appearance to trigger these changes, a correlating change in bandwidth consumption would reveal the target’s presence in an encrypted video stream.
Game of Drones – Detecting Streamed POI from Encrypted FPV Channel
https://arxiv.org/abs/1801.03074
Tomi Engdahl says:
Welcome to a world where users own the Internet.
The Orchid Protocol is the decentralized, open-source technology
for an Internet free from surveillance and censorship.
https://orchidprotocol.com
Tomi Engdahl says:
Algorithms take power – dominate people’s thoughts and feelings
The working group on the possibilities of online voting is not in favor of introducing online voting in Finland due to the associated security problems.
“Being influenced by various cyber means has become a new standard. The most important thing is to look at the whole, no matter what the vote. There may be many forms of influence, “says Professor Jarno Limnéll of Aalto University’s cyber safety. He participated in the work of the working group.
It is a good thing for a social discussion on this subject.
Elections are, according to Limnéll, a critical infrastructure for democracy and society. Therefore, we should try to prepare for a new kind of tools that have not yet been seen.
The growing influence of algorithms and their opacity are, according to Limnéll, a growing challenge. The digital environment can influence people’s opinions and behavior.
“I believe that, in the coming years, we will have a greater need for understanding the impact of our democracy on the security of society. I see that more and more algorithms use power. The one who controls them is increasingly dominating our thoughts and feelings. I believe that the most significant cyberattacks are happening to people’s minds. ”
Along with big data, Limnéll sees algorithms and profiling as the biggest threat to democracy, as they can unequal people in an unprecedented way. Particularly concerned is the growth in individually tailored content of social media. Especially effective, they seem to spread news that is untrue.
Source: https://www.tivi.fi/Kaikki_uutiset/algoritmit-ottavat-vallan-hallitsevat-ihmisten-ajatuksia-ja-tunteita-6697454
Tomi Engdahl says:
The Reg visits London Met Police’s digital and electronics forensics labs
Met lab tour throws up issues around storage, encryption and privacy versus security
https://www.theregister.co.uk/2018/01/22/digital_forensics/
More than 90 per cent of crime has “a digital element,” we were told as The Reg was welcomed into London Metropolitan Police’s Central Communications Command Centre, near Lambeth Bridge on the Thames.
Not only does that mean an exponential increase in the amount of data stored, with the increasing seizure of phones, it also raises questions over privacy and security, and the role of encryption.
Maximum capacity
Because the volume of work is so huge, there’s an emphasis on self-serve, he says. Most of the data retrieved from mobile phones occurs at station level.
“If it’s from a victim, they can hand the phone over, download it and hand it back. Around three years ago if you said to someone we need to take away your phone and hand it back in a month, they would not be happy about it. So we’ve enabled more reporting of crime, but flip side of that is we have opened up a lot more demand and there is a lot more data to manage.”
“At the moment we are working on a case with 200 computers we need to ingest data from. We don’t do that every day… so the cloud would make sense. We could ingest the data, index, review and analyse it, and when we are finished scale back down.”
Consequently, it is considering Google, AWS and Azure. “At the moment a number of those aren’t secure platforms in terms of the level of security policing requires, but they have moved into that space, offering secure cloud segmented away,” he says.
Legislating change
Currently the Met cannot access remotely stored data – for example, on the Dropbox service. In order to do so, it would have to go through a Regulation of Investigatory Powers Act (RIPA) – the controversial Act that regulates the powers of public bodies to carry out surveillance and investigation, and the interception of communications. This process can be lengthy, he says.
Under changes in select cases individuals could be forced to hand over their passwords or face jail. But Stokes stresses that the use of such powers would have to be proportionate.
Another contentious challenge is encryption. Although Stokes is sceptical that it can ever be completely cracked – leaving aside the question of whether doing so would be desirable.
“If they have used good encryption and good password, that is the end of the day. But the reality is… if you are clever enough and want to do the work you will know how to cover your tracks.”
He adds: “A lot of criminals are chaotic. You have your serious and organised criminals [who] will plan various things… but then you have the rest that is probably not even thought through properly. Digital systems leave traces… It would be very difficult to go into a house and not leave some kind of trace behind, and a digital system is exactly the same.”
But that is not to say detection doesn’t remain a challenge.
“At the moment, the encryption thing: we are concerned about it going forward. Security is getting harder… it is becoming more difficult. That is absolutely the case.
Facial recognition
Biometric passwords could help in this regard. “It is very easy for someone to say ‘I forgot my password’, whereas they can’t say ‘I forgot my face’!”
When it comes to the national biometrics database, he believes we are in the “relatively right space” because it is about people who have been convicted of crime. “If they are not, then the data is not retained.
Facial recognition technology is still in early days, he says, something he points out in when showing us some screen examples of facial recognition profiling. In fact, most of it is still done manually using software, rather than through automation.
“I think as you get higher and better resolutions it will improve, but if you take a lot of the products we get on CCTV.. you wouldn’t find anything because they are fuzzy blobs.”
Tomi Engdahl says:
Firms More Open to Receiving Vulnerability Reports: Ethical Hackers
http://www.securityweek.com/firms-more-open-receiving-vulnerability-reports-ethical-hackers
Companies have become more open in the past year to receiving vulnerability reports from security researchers, according to ethical hackers surveyed by bug bounty platform HackerOne.
According to HackerOne’s 2018 Hacker Report, which surveyed nearly 2,000 white hat hackers across 100 countries, companies are somewhat more open (38%) or far more open (34%) to receiving vulnerability reports. Only less than 10% of respondents said firms are less open.
https://www.hackerone.com/sites/default/files/2018-01/2018_Hacker_Report.pdf
Tomi Engdahl says:
Strong Incident Response Starts with Careful Preparation
http://www.securityweek.com/strong-incident-response-starts-careful-preparation
here are five steps that you should not overlook during preparation.
1. Conduct a Detailed Risk Assessment.
2. Establish Lines of Communication.
3. Define Roles.
4. Tailor Playbooks to Likely Threats.
5. Reinforce Employee Awareness. Not every employee is directly involved in security, but every employee can compromise security through simple mistakes.
Tomi Engdahl says:
Misconfigured Jenkins Servers Leak Sensitive Data
http://www.securityweek.com/misconfigured-jenkins-servers-leak-sensitive-data
A researcher has conducted an analysis of Jenkins servers and found that many of them leak sensitive information, including ones belonging to high-profile companies.
London-based researcher Mikail Tunç used the Shodan search engine to find Jenkins servers accessible from the Internet and discovered roughly 25,000 instances.
The expert analyzed approximately half of them and determined that 10-20% were misconfigured. He spent weeks manually validating the issues he discovered and notifying affected vendors.
Jenkins is an open source automation server used by software developers for continuous integration and delivery. Since the product is typically linked to a code repository such as GitHub and a cloud environment such as AWS or Azure, failure to configure the application correctly can pose a serious security risk.
Tomi Engdahl says:
451 Research: Top 4 Trends in Information Security for 2018
https://www.onelogin.com/blog/451-research-top-4-trends-in-information-security-for-2018?utm_campaign=blog&utm_medium=email&utm_source=ziff&utm_term=newsletter
1. Redefining “Secure Access”
The desire to connect to the enterprise from any device via any network continues to become more commonplace. As a result, says Crawford, the way we perceive and define “secure access” may be changing from a network focus to an identity focus.
2. Compliance Continues to Gain Traction
the upcoming GDPR enforcement deadline this coming May will have a significant impact across the globe
3. More Pervasive Security Analytics
Historically, the security market has been criticized for its apparent inability to detect and stop increasingly severe security threats. But according to Crawford, a data-driven approach to security has been reshaping the landscape, and will continue to enhance threat detection and prevention. Essentially, all security tools will also be analytics tools.
4. Increased Security Automation
Thankfully, Crawford expects the intelligence delivered by new analytic capabilities to have a powerful role in optimizing and automating security practices. This is a great relief, as security professionals are becoming increasingly difficult to find, train and retain.
the gathering of security information from external sources and internal monitoring. Then synthesizing that data into concrete, addressable concerns. Then finally translating that insight into direct action that can be optimized through automation.
Tomi Engdahl says:
Cybersecurity’s Marketing Dilemma
http://www.securityweek.com/cybersecuritys-marketing-dilemma
Cybersecurity has gone through many changes over the past decade. From being a niche sector, rarely taken seriously or understood, to underpinning national security, economic growth and the availability of financial infrastructures. In the process it has become a large, high growth and consequently overfunded market.
This evolution is based on cybersecurity’s newfound profile and responsibility for protecting against attacks that threaten the underpinnings of our digital way of life. Historically, the security threats put forth by the industry were largely hypothetical and didn’t impact the bottom line. Today, cyber threats have materialized to the point where they impact everything from data protection and privacy, to election results and how nation states conduct espionage.
So, while security has emerged as a darling industry, this success has come at a price – we’ve sacrificed our credibility, objectiveness and honesty.
This is evident in how cyber security is marketed. Fear Uncertainty and Doubt or FUD, have always played a part in convincing businesses and governments to invest in cybersecurity, especially in the days before cyber threats were mainstream Nevertheless, this FUD was balanced by full disclosure and a community that, dealing with risk, is sceptical by nature.
In recent years, however, FUD has escalated to a whole new level. Anyone who receives vendor emails or is active on LinkedIn can testify to being inundated with claims that every new vulnerability, threat or breach could have been prevented using product XYZ. In many cases, these are outright exaggerations, and often lies. Marketers and salespeople are incentivised not to miss out on what is perceived to be a good opportunity, regardless of the resulting blowback on social media.
Tomi Engdahl says:
Insurers, Nonprofits Most Likely to Fall for Phishing: Study
http://www.securityweek.com/insurers-nonprofits-most-likely-fall-phishing-study
The employees of insurance companies and non-profit organizations are most likely to fall for phishing attacks, according to a study conducted by security awareness training firm KnowBe4.
The average phish-prone percentage, represented by the percentage of employees that clicked on a link or opened an attachment during testing, was 27% across all industries and organizations of all sizes.
In the case of small and mid-size organizations (under 1,000 employees), insurance companies have the highest percentage of phish-prone employees, specifically 35% and 33%. In the case of large organizations, nonprofits are at the top of the list with roughly 31% of employees taking the bait during the baseline phishing tests conducted by KnowBe4.
The lowest phish-prone percentage was recorded in large business services organizations, where only 19% of employees took the bait.
Unsurprisingly, 90 days after undergoing initial training and simulated phishing, the percentage of employees that fell for phishing attacks dropped significantly across all sectors and organizations of all sizes.
Tomi Engdahl says:
IoT Devices Fuel Complex DDoS Attacks: Report
http://www.securityweek.com/iot-devices-fuel-complex-ddos-attacks-report
The continuous use of compromised Internet of Things (IoT) devices to launch distributed denial of service (DDoS) attacks has helped cybercriminals increase the complexity of their assaults, NETSCOUT Arbor says.
According to the company’s 13th Annual Worldwide Infrastructure Security Report (WISR), attackers focused on increasing complexity in 2017, and the exploitation of IoT devices helped them achieve this goal. The frequency of attacks has increased as well, following a trend seen for the past several years.
The report is based on 390 responses received from a mix of Tier 1, Tier 2 and Tier 3 service providers, hosting, mobile, enterprise and other types of network operators globally. More than half of respondents are headquartered and operate in North America.
Last year, 57% of enterprise, government and education (EGE) respondents and 45% of data center operators had their network resources depleted due to DDoS attacks. Arbor observed 7.5 million DDoS attacks in 2017.
Tomi Engdahl says:
DPI Solution For Security and Traffic Control of Critical Enterprise Cloud Applications
https://www.eeweb.com/profile/eeweb/news/dpi-solution-for-security-and-traffic-control-of-critical-enterprise-cloud-applications
Rohde & Schwarz Cybersecurity has delivered an embedded deep packet inspection (DPI) engine that serves as the core for Barracuda’s NextGen firewall F-series. The Barracuda F-series firewall is able to classify network applications up to Layer 7 in real-time, and can granularly control what applications are permitted, prioritized or de-prioritized for access. By embedding the R&S PACE 2 DPI software, the F-series firewall can identify services like Voice over IP (VoIP) while maintaining a high bandwidth, even if settings are being changed to reprioritize applica¬tions on the fly (dynamic Quality of Service (QoS) settings). This improves site-to-site connectivity and enables uninter¬rupted access to applications hosted in the cloud, all while simplifying the administration of network operations for enterprises and managed services providers. In addition, the firewall offers advanced protection for dispersed enterprise networks that rely on cloud computing, software as a service (SaaS) and an increasingly mobile workforce.
Tomi Engdahl says:
Tom Warren / The Verge:
Windows 10 Insiders to get Windows Diagnostic Data Viewer this week, providing an overview of data sent to Microsoft — A lot more transparency is on the way — Microsoft has faced continued concerns around its collection of data with Windows 10. France previously ordered Microsoft …
Microsoft tackles Windows 10 privacy concerns with new data collection viewer
https://www.theverge.com/2018/1/24/16927056/microsoft-windows-10-data-collection-viewer-privacy
A lot more transparency is on the way
Microsoft has faced continued concerns around its collection of data with Windows 10. France previously ordered Microsoft to stop tracking Windows 10 users, the EU has voiced its concerns, and the EFF has blasted Microsoft over its data collection. While the software giant revealed what data Windows 10 really collects last year, it’s going one step further with the next update to the operating system.
Starting this week, Windows 10 testers will be able to access a new Windows Diagnostic Data Viewer. The viewer includes an overview of data being sent to Microsoft’s servers by Windows 10. Microsoft collects a bunch of anonymous Windows 10 data from users to help improve the operating system and make product decisions. The new viewer is similar to something like Wireshark, and it lets Windows 10 users decrypt data that is sent encrypted to Microsoft’s servers.
The diagnostic data includes device connectivity, peripherals, configuration options, performance data, movie consumption, installed apps, and a lot more. Windows 10 users who want this granular level of detail will be able to filter it and inspect the contents. It’s a lot more transparent than Microsoft publishing documents and hoping to ease concerns.
Tomi Engdahl says:
AI in Cybersecurity: Where We Stand & Where We Need to Go
https://www.darkreading.com/threat-intelligence/ai-in-cybersecurity-where-we-stand-and-where-we-need-to-go/a/d-id/1330787
With the omnipresence of the term artificial intelligence (AI) and the increased popularity of deep learning, a lot of security practitioners are being lured into believing that these approaches are the magic silver bullet we have been waiting for to solve all of our security challenges. But deep learning — or any other machine learning (ML) approach — is just a tool. And it’s not a tool we should use on its own. We need to incorporate expert knowledge for the algorithms to reveal actual security insights.
Tomi Engdahl says:
Facebook to roll out global privacy settings hub — thanks to GDPR
https://techcrunch.com/2018/01/24/facebook-to-roll-out-global-privacy-settings-hub-thanks-to-gdpr/?ncid=rss&utm_source=tcfbpage&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29&utm_content=FaceBook&sr_share=facebook
Facebook COO Sheryl Sandberg has said major privacy changes are coming to the platform later this year, as it prepares to comply with the European Union’s incoming data protection regulation.
Speaking at a Facebook event in Brussels yesterday, she said the company will be “rolling out a new privacy center globally that will put the core privacy settings for Facebook in one place and make it much easier for people to manage their data”
Tomi Engdahl says:
New Hide ‘N Seek IoT Botnet using custom-built Peer-to-Peer communication spotted in the wild
https://labs.bitdefender.com/2018/01/new-hide-n-seek-iot-botnet-using-custom-built-peer-to-peer-communication-spotted-in-the-wild/?utm_source=SMGlobal&utm_medium=F&utm_campaign=Labs
The bot, dubbed HNS, was intercepted by our IoT honeypot system following a credentials dictionary attack on the Telnet service.
The bot was first spotted on Jan. 10 then faded away in the following days, only to re-emerge on Jan. 20 in a significantly improved form.
The botnet now counts more than 14K devices geographically distributed
What initially started as a 12-device network has become a phenomenon that spreads from Asia to the United States.
The HNS botnet communicates in a complex and decentralized manner and uses multiple anti-tampering techniques to prevent a third party from hijacking/poisoning it. The bot can perform web exploitation against a series of devices via the same exploit as Reaper (CVE-2016-10401 and other vulnerabilities against networking equipment).
The bot embeds a plurality of commands such as data exfiltration, code execution and interference with a device’s operation.
Operation
The bot features a worm-like spreading mechanism that randomly generates a list of IP addresses to get potential targets. It then initiates a raw socket SYN connection to each host in the list and continues communication with those that answer the request on specific destination ports (23 2323, 80, 8080). Once the connection has been established, the bot looks for a specific banner (“buildroot login:”) presented by the victim. If it gets this login banner, it attempts to log in with a set of predefined credentials. If that fails, the botnet attempts a dictionary attack using a hardcoded list.
Tomi Engdahl says:
How to Become (and Remain) a Malware Researcher
https://www.peerlyst.com/posts/how-to-become-and-remain-a-malware-researcher-todd-cullum
My take is that there are two most important ingredients to becoming a malware researcher:
1. Obsessive Passion to learn “how things work” no matter the time commitment and effort required; aka insatiable curiosity.
2. Ability to enjoy working at a solitary job where much of it is between you and the code
Tomi Engdahl says:
Why does APT not use HTTPS?
“It’s more secure…!”
https://whydoesaptnotusehttps.com
HTTPS is used to prevent intruders from being able to listen to communications between you and websites you visit, as well as to avoid data being modified without your knowledge.
However, files obtained by APT are accompanied by their own signature which allows your system to check they originated from your distribution.
HTTPS can not detect if malicious tampering has occurred on the disks of the server you are downloading from. There is little point “securely” transfering a compromised package.
But what about privacy?
HTTPS does not provide meaningful privacy for obtaining packages. As an eavesdropper can usually see which hosts you are contacting, if you connect to your distribution’s mirror network it would be fairly obvious that you are downloading updates.
Furthermore, even over an encrypted connection it is not difficult to figure out which files you are downloading based on the size of the transfer
CAs
There are over 400 “Certificate Authorities” who may issue certificates for any domain. Many have poor security records and some are even explicitly controlled by governments3.
This means that HTTPS provides little-to-no protection against a targeted attack on your distribution’s mirror network.
However, providing a huge worldwide mirror network available over SSL is not only a complicated engineering task (requiring the secure exchange and storage of private keys), it implies a misleading level of security and privacy to end-users as described above.
https://wiki.debian.org/SecureApt
Tomi Engdahl says:
Why DevSecOps matters to IT leaders
https://enterprisersproject.com/article/2018/1/why-devsecops-matters-it-leaders?sc_cid=7016000000127ECAAY
DevSecOps may not be an elegant term, but the results are attractive: Stronger security, earlier in the development cycle. Consider one IT leader’s tussle with Meltdown
Tomi Engdahl says:
According to TrendMicro Business Email Compromise (BEC) attacks could reach $ 9 billion in 2018
http://securityaffairs.co/wordpress/68132/cyber-crime/business-email-compromise.html
According to a report published by the security firm TrendMicro, Business Email Compromise (BEC) attacks could reach $ 9 billion in 2018.
The report states that the FBI released a public announcement revealing that BEC attacks had become a $ 5.3 billion industry in the past years.
The techniques are: Bogus invoice scheme, CEO fraud, Account compromise, Attorney impersonation and Data Theft. The report highlight that these attacks can be classified into two major groups: Credential grabbing and email only.
an increase in phishing HTML pages that are sent as spam attachments. Also, by employing malware campaign hackers target organizations
Tomi Engdahl says:
Jonathan Vanian / Fortune:
Alphabet announces a new “graduate” from its moonshot program, Chronicle, that uses big data to detect security vulnerabilities, run by a former Symantec COO
Alphabet’s Latest Moonshot Graduate Is Tackling Cybersecurity
http://fortune.com/2018/01/24/alphabet-google-moonshot-chronicle-cybersecurity/
The latest, announced on Wednesday, is Chronicle, a previously undisclosed moonshot in computer security that aims to simplify the lives of cybersecurity and IT professionals. It sifts through giant swaths of data to keep out hackers and detect security vulnerabilities.
However, Astro Teller, X’s leader, insists that cybersecurity has been on the backburner for several years at X. Creating research projects to tackle the planet’s biggest problems that can be spun into independent companies has always been the goal, not just creating out-of-this world technology for the sake of grabbing headlines.
The fact that so many big companies like Target, Sony Pictures Entertainment, and insurance giant Anthem are being hacked proves that “Cyber security is one of the biggest problems in the world,” Teller said.
Tomi Engdahl says:
Acronis: Ransomware protection! Get yer free ransomware protection!
Windows-only but sure, thanks
https://www.theregister.co.uk/2018/01/26/acronis_offers_free_ransomware_protection/
Acronis has released a free, standalone version of its Acronis Ransomware Protection with AI-based Active Protection tech.
It can be used alongside existing backup and antivirus products on Windows systems.
The lightweight (20MB) software runs in the background and is said to monitor system processes in real-time to automatically detect and stop any ransomware attacks. When one is detected, it blocks the malicious process and notifies the user with a pop-up. It also facilitates the instant recovery of affected files.
The models are directly incorporated into the free product; it doesn’t need an internet connection to run.
It comes with a a cloud backup capability and every user receives 5GB of free Acronis Cloud storage.
How to Find out If Your Computer Is Protected Against Ransomware
https://www.acronis.com/en-us/blog/posts/how-find-out-if-your-computer-protected-against-ransomware
Cyber criminals attack backups and disable backup software, so you need to choose your vendor wisely. Can your backup software withstand a ransomware attack?
We put Acronis True Image 2017 New Generation through the test. To compare our results, we used a popular free ransomware protection tool, only to find out that it failed all 10 tests! Seems like a free tool is not protecting against anything after all.
Tomi Engdahl says:
Matryoshki of news: Tech giants flash code to Russia, Dutch hack Kremlin spies, and more
It’s all kicking off
https://www.theregister.co.uk/2018/01/26/tech_russia_source_code_dnc_hack/
Technology companies can’t decide whether to take Russian money or run from it – not that they’ve ever been much good at turning down cash.
McAfee, SAP, and Symantec, which make software used by the US government, allowed Russian authorities to scan their source code for backdoors and other flaws, according to Reuters on Thursday, as has HPE.
Like China and other nations, the Russian government requires a look under the hood before it will consider spending cash on enterprise software as the applications could be compromised.
The fear is that foreign governments may stash backdoors in the code, effectively turning the apps into bugs – as in, spying bugs. Look no further than the US government, which refuses to run software from Moscow-based Kaspersky on its machines over concerns the antivirus tools can be abused to beam Uncle Sam’s secrets to the Kremlin. Kaspersky denies any impropriety.
Knowing that Russian officials have potentially glimpsed exploitable security bugs in applications used by US government departments will freak out American officials.
This is, don’t forget, the same Russian government implicated in the compromise of government agency networks, and the 2016 presidential election, in the US.
McAfee, SAP, and Symantec, along with Micro Focus which took over ArcSight, the HPE product audited, told Reuters that the code reviews were done under controlled conditions. No code was allowed to be copied, taken away, or altered by the Russians, we’re told.
Tomi Engdahl says:
EU bods up GDPR ante: Threatens legislative laggards with ‘infringement procedure’
Only 2 member states have adapted national legislation – SMEs, citizens still in dark
https://www.theregister.co.uk/2018/01/25/eu_bods_up_gdpr_ante_with_threat_of_infringement_procedure_for_legislative_laggards/
The European Commission has admitted readiness for incoming data protection rules is very varied across the bloc, with just two countries having adapted their national laws.
With just four months to go before the General Data Protection Regulation comes into effect, the Commission has pushed out a mass of information, online tools and guidance on the law.
It has also issued the European Parliament and the Council with an update on progress (PDF), which urges member states to “intensify” work on GDPR, revealing concerns about awareness among businesses and citizens.
“There is in particular a need to step up awareness and accompany compliance efforts for SMEs,” the Commission said. This echoes the results of a UK government survey published yesterday, which found only about half of businesses with less than 50 people had heard of the regulation.
https://ec.europa.eu/commission/sites/beta-political/files/data-protection-communication-com.2018.43.3_en.pdf
Tomi Engdahl says:
Spying devices run into homes – users do not understand
The internet of objects also brings scary threats, not just happiness and progress. Problems should be tackled now before it is too late, F-Secure’s research manager Mikko Hyppönen warns.
The number of devices connected to the network is estimated to already be higher than the population of the world and can no longer be avoided. One of the risks is the weak or non-existent security of the devices, which makes it possible to compile huge and really harmful botnets.
Mikko Hyppönen, who was interviewed in the report, warns about the risks of consumer equipment connected to the network. There are many such devices, for example, most of the new smart TVs are among the ones.
“Finally, almost every device in your home is online, but users do not mind them as smart devices. Stubborn devices do not provide consumers with any special features because they are online just to send information and analytics to the company they have manufactured, “says Hyppönen.
According to the report, consumers have to be informed about the risks of existing IoT equipment. In addition, governments should pay attention to the quality of the technology that comes to consumers’ hands and homes. Product manufacturers should be regulated and thus ensure that products that are on the market have adequate security and privacy features.
Source: https://www.tivi.fi/Kaikki_uutiset/hypponen-koteihin-vyoryy-vakoilulaitteita-kayttajat-eivat-ymmarra-6698170
Tomi Engdahl says:
Signal and Telegram are growing rapidly in countries with corruption problems
https://thenextweb.com/apps/2018/01/23/signal-and-telegram-are-growing-rapidly-in-countries-with-corruption-problems/
Although WhatsApp and Facebook Messenger are the two most popular messaging apps, ultra-secure encrypted alternatives like Signal and Telegram are both growing rapidly. They’re niche, but they offer privacy-oriented features that are attractive to those concerned about confidentiality, or living in regimes where surveilance is all-encompasing.
Tomi Engdahl says:
NSA quietly deletes ‘honesty’ and ‘openness’ from mission statement
https://thenextweb.com/insider/2018/01/24/nsa-quietly-deletes-honesty-and-openness-from-mission-statement/
Since at least May of 2016, the National Security Agency prominently displayed a mission statement with “honesty” atop its core values. It appears its priorities have changed.
On January 12, the NSA removed the mission statement before replacing it with a newer version. As The Intercept first noticed, the new “Mission & Values” statement not only removes “honesty” as its top priority, but strips any mention of “trust,” “honor,” and “openness” from the page.
Other core values remain, such as “integrity,” “transparency,” and “respect for the law.” Replacing “honesty,” is “commitment to service” and “respect for people.”
Tomi Engdahl says:
Disected Value from Cybersecurity Threat Intelligence
https://www.linkedin.com/pulse/disected-value-from-cybersecurity-threat-intelligence-vilius-benetis/?trackingId=0C4bue302seGPycQiDcWNA%3D%3D&lipi=urn%3Ali%3Apage%3Ad_flagship3_feed%3BGWKv%2FbztSs%2BwOQcDMUG50w%3D%3D&licu=urn%3Ali%3Acontrol%3Ad_flagship3_feed-object
We increasingly need to focus on security due to increased threats. Especially this is clear in Cyber Security discipline, where Cyberspace becoming evermore dangerous place, full of criminals attacking.
It is obvious that by better understanding the threats, we can better secure ourselves and our systems. So a such threat analysis, otherwise known as Threat Intelligence (TI), and particularly – Cybersecurity Threat Intelligence (CTI) – for last few years was a hot topic on CISOs and Vendors agenda, however CTI did not deliver any break-though so far. Why?
Tomi Engdahl says:
What the Count of Monte Cristo Can Teach Us About Cybersecurity
https://spectrum.ieee.org/tech-talk/telecom/security/what-the-count-of-monte-cristo-can-teach-us-about-cybersecurity
What can a 174-year-old French novel possibly have to say about cybersecurity? Quite a lot, it turns out. Alexandre Dumas’s The Count of Monte Cristo was published in 1844, and so he of course knew nothing about the Internet and probably little about electricity. But the writer had a keen understanding of human nature and how people interact with technology, and he saw how technological attacks could by engineered by exploiting personal foibles.
Tomi Engdahl says:
James Vincent / The Verge:
AI advances are now making automated analysis of live surveillance video possible, presaging useful applications while raising serious questions about privacy
Artificial intelligence is going to supercharge surveillance
What happens when digital eyes get the brains to match?
https://www.theverge.com/2018/1/23/16907238/artificial-intelligence-surveillance-cameras-security
We usually think of surveillance cameras as digital eyes, watching over us or watching out for us, depending on your view. But really, they’re more like portholes: useful only when someone is looking through them. Sometimes that means a human watching live footage, usually from multiple video feeds. Most surveillance cameras are passive, however. They’re there as a deterrence, or to provide evidence if something goes wrong. Your car got stolen? Check the CCTV.
But this is changing — and fast. Artificial intelligence is giving surveillance cameras digital brains to match their eyes, letting them analyze live video with no humans necessary. This could be good news for public safety, helping police and first responders more easily spot crimes and accidents and have a range of scientific and industrial applications. But it also raises serious questions about the future of privacy and poses novel risks to social justice.
What happens when governments can track huge numbers of people using CCTV? When police can digitally tail you around a city just by uploading your mugshot into a database? Or when a biased algorithm is running on the cameras in your local mall, pinging the cops because it doesn’t like the look of a particular group of teens?
AI surveillance starts with searchable video
The biggest obstacle is pretty common: low-resolution video
Some AI surveillance tasks are already solved; others need work
“We want people to not just be free, but to feel free.”
When AI surveillance becomes common, who will regulate the algorithms?
Tomi Engdahl says:
Robert Draper / National Geographic:
A deep look at the evolution of visual surveillance technology, where it is headed, and what its continuing rise will mean for security, transparency, privacy
They Are Watching You—and Everything Else on the Planet
https://www.nationalgeographic.com/magazine/2018/02/surveillance-watching-you/
Technology and our increasing demand for security have put us all under surveillance. Is privacy becoming just a memory?
Tomi Engdahl says:
Sean Lyngaas / The Verge:
How governments and the nuclear energy industry are preparing for future cybersecurity threats using hands-on exercises and training laboratories
Hacking nuclear systems is the ultimate cyber threat. Are we prepared?
Nightmare scenario
https://www.theverge.com/2018/1/23/16920062/hacking-nuclear-systems-cyberattack
The nuclear plant employees stood in rain boots in a pool of water, sizing up the damage. Mopping up the floor would be straightforward, but cleaning up the digital mess would be far from it.
A hacker in an adjacent room had hijacked a simulated power plant, using the industrial controls against themselves to flood the cooling system.
It took officials from three different Swedish nuclear plants, who were brought in to defend against an array of cyberattacks, a couple of hours to disconnect the industrial computer (known as a programmable logic controller) running the system and coordinate its repair.
Tomi Engdahl says:
Move slow and break nothing
https://techcrunch.com/2018/01/27/move-slow-and-break-nothing/?ncid=rss&utm_source=tcfbpage&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29&utm_content=FaceBook&sr_share=facebook
AdChoices
MenuTechCrunch
Move slow and break nothing
Posted 8 hours ago by Danny Crichton (@DannyCrichton)
Facebook Messenger was down for me for about an hour earlier this week. My MacBook Pro randomly kernel panics overnight and restarts. Slack was down, and Github, and AWS. A little more than a year ago, Dyn went down, throwing the DNS layer of the internet into a tailspin. Practically every chip made by Intel has serious security flaws. Equifax leaked 143 million accounts. Tokyo-based Coincheck lost over $400 million in tokens due to hackers.
If software is eating the world, then that might explain why everything seems so ridiculously broken these days.
What we have is a real crisis in reliability, not just across software, but across our entire society. Even the U.S. government had some serious downtime this week.
What’s going on is that we have greatly increased the magnitude of complexity of our society’s systems, even as we couple them more tightly together.
Complex systems are ones in which changes, even small ones, can have disproportionate effects on the outcome of a system.
On top of complexity, tight coupling means that various independent parts of a system are designed to work closely together. When S3 went down, it knocked out a bunch of major websites, because websites had no backup or redundancy in the event that Amazon’s services were not working.
Everything about our modern world has increased complexity and how tightly coupled our systems are.
This starts to get at the rot that is happening. Everything requires maintenance, practically all the time. It doesn’t have to be millions of man-hours, but it is also certainly not going to be zero either.
Ultimately though, we are all responsible for these outcomes, and we all need to take the opportunity to reduce complexity and increase reliability for any system we are a part of, whether software or not.
Reliable systems do exist. The United States has not had a casualty from an airplane crash since 2013, and on a domestic carrier since 2009.
For everyone, but particularly software engineers: let’s get back to basics. It’s better to have more reliable but less features than more features that are breaking every other day. Let’s move slow and break nothing. Reliability and resilience may just be the next major wave of technology
Tomi Engdahl says:
Effects of Biometrics Co-Used with Password
https://pentestmag.com/effects-biometrics-co-used-password/
It appears that, amazingly, many people are still trapped in a false sense of security that biometrics helps us for security in cyberspace, although it actually does the opposite.
On a number of tech media, we still see confused reports circulating so rampantly about the password and biometrics co-used in cyberspace. We could assume that the people who circulate the befuddled perception may well have mixed up the following two views.
A: Biometrics brings some security (better than nothing).
B: Biometrics brings the security better than a password.
A is correct but B is false. Logic tells us that biometrics deployed with a backup/fallback password brings down the security to the level lower than a password-only authentication
Tomi Engdahl says:
Phishing embraces HTTPS, hoping you’ll “check for the padlock”
https://nakedsecurity.sophos.com/2017/12/08/phishing-embraces-https-hoping-youll-check-for-the-padlock/
After a slow-burning romance, HTTPS has recently bloomed into one of security’s great love affairs.
Google is a long-time admirer, and in October started plastering “not secure” labels on many sites failing to use HTTPS by default in the Chrome address bar, a tactic meant to persuade more website owners to share its enthusiasm.
Facebook, Twitter and WordPress, meanwhile, have been keen for years, which helps explain EFF figures from early in 2017 estimating that an impressive half of all web traffic was being secured using HTTPS.
So alluring has HTTPS become that it has now acquired suitors it could do without – phishing websites.
acquiring an HTTPS certificate is an empty upgrade if other vulnerabilities are not addressed at the same time.
We’ll call this the ‘window-dressing theory’: cybercriminals believe that web users are lulled into a false sense of security by the presence of HTTPS even though their scams might work without it
The dream of an entirely encrypted internet is a noble one but its ubiquity will be a pyrrhic victory if cybercriminals can find easy ways to manipulate it from the inside.
A Quarter of Phishing Attacks are Now Hosted on HTTPS Domains: Why?
https://info.phishlabs.com/blog/quarter-phishing-attacks-hosted-https-domains
significant increase in the number of web pages using HTTPS. According to Let’s Encrypt, 65% of web pages loaded by Firefox in November used HTTPS, compared to 45% at the end of 2016.
In the third quarter of 2017, we observed nearly a quarter of all phishing sites hosted on HTTPS domains, nearly double the percentage we saw in the second quarter. A year ago, less than three percent of phish were hosted on websites using SSL certificates. Two years ago, this figure was less than one percent.
Tomi Engdahl says:
https://tools.ietf.org/id/draft-salgado-hxxp-01.html
This document describes the “hxxp” and “hxxps” URI schemes, which are widely used by the security community to obfuscate an http or https URI to avoid being accidentaly interpreted and loaded by a web browser or user-agent.
These schemes are used in case the resource is dangerous and there is security risks on being automatically processed by an application, such a pre-loading mechanism in web user agents. It also prevents the creation of “clickables” areas in user interfaces, which could detect http or https URIs automatically.
The resource that is referenced by a particular “hxxp” or “hxxps” URI is NOT meant to be interpreted or parsed in any way for applications, or any automated means. The resource MUST be interpreted and consumed by human security professionals.
The IANA is requested to register “hxxp” and “hxxps” URI schemes in the “Provisional URI Schemes” registry.
Scheme name: hxxp
Status: Provisional
Applications/protocols that use this scheme name: “hxxp” URIs are forbidden to be used by applications.
As stated in the Introduction, the “hxxp” and “hxxps” schemes are forbidden to be used or interpreted by applications. These schemes must be consumed only by humans.
Application developers are encouraged to forbid “hxxp” and “hxxps” schemes URIs inside HTML anchors or tags.
Tomi Engdahl says:
Data Privacy Concerns Cause Sales Delays: Cisco
http://www.securityweek.com/data-privacy-concerns-cause-sales-delays-cisco
Nearly two-thirds of businesses worldwide have experienced significant delays in sales due to customer data privacy concerns, according to Cisco’s 2018 Privacy Maturity Benchmark Study.
The study, based on the responses of roughly 3,000 cybersecurity professionals from 25 countries, shows that 65% of businesses reported sales cycle delays due to concerns over data privacy, with an average delay of nearly 8 weeks.
However, organizations with a mature privacy process are less affected compared to privacy-immature companies. Privacy-mature firms experienced delays of only 3.4 weeks, while immature businesses reported delays averaging nearly 17 weeks.
The report also shows that privacy-mature organizations suffer lower losses as a result of data breaches. According to Cisco, only 39% of privacy-mature organizations experienced losses exceeding $500,000, compared to 74% of companies that have an immature privacy process.
Tomi Engdahl says:
PCI Council Introduces New Standard for Mobile Card Payments
http://www.securityweek.com/pci-council-introduces-new-standard-mobile-card-payments
Responding to the market’s growing interest in, and use of, mobile payments, the PCI Security Standards Council (PCI SSC) has announced a new standard for software-based PIN entry on commercial off-the-shelf devices (COTS); such as smartphones and tablets.
“Mobile point-of-sale (MPOS) solutions have become very popular with smaller merchants for their flexibility and efficiency,” explained said Aite Group senior analyst Ron van Wezel. “MPOS has enabled them to take orders and accept payments on a tablet or smartphone, anytime and anywhere.”
The problem is the cost of hardware-based chip-and-pin can be prohibitive for small merchants in mobile situations.
“With the new PIN entry standard,” van Wezel continued, “the PCI Council has responded to market need by specifying the security requirements for allowing PIN entry directly on the mobile touchscreen. This means that merchants can accept payments with just their mobile device and a small, cost efficient card reader connected to it along with a secure PIN entry application.”
The new standard has been in the pipeline since last summer.
Payment Card Industry (PCI)
Software-based PINEntry on COTS
https://www.pcisecuritystandards.org/documents/SPoC_Security__Requirements_v1.0.pdf
Tomi Engdahl says:
Are You Smarter Than A Web Scammer? Take This Test To Find Out
http://www.iflscience.com/technology/are-you-smarter-than-a-web-scammer-take-this-test-to-find-out/
Tomi Engdahl says:
Pro tip for 2018: treat the ransomware threat like an imminent hard drive failure
https://hotforsecurity.bitdefender.com/blog/pro-tip-for-2018-treat-the-ransomware-threat-like-an-imminent-hard-drive-failure-19507.html?utm_source=SMGlobal&utm_medium=Facebook&utm_campaign=H4S
With the General Data Protection Regulation knocking on everyone’s door, breaches will have to be taken more seriously than ever. At the same time, new data indicates that ransomware attacks are rising steeply, which means neither organizations nor regular users can afford to sit around with their arms crossed.
Ransomware attacks doubled in 2017, and were the primary driver of an overall increase in total incidents, according to the latest Cyber Incident & Breach Trends Report from the Online Trust Alliance.
Attacks seeking ransom accounted for half of all reported incidents. These included malware-laced phishing attacks, malvertising, drive-by malware, and even a new form of ransomware combined with denial of service (RDoS), where the attacker threatens to attack via denial-of-service if ransom is not paid.
In any case, ransomware has become a massive problem. From the massive WannaCry and Petya/GoldenEye contagions in 2017 to the more recent highly-targeted attacks hitting healthcare providers one after another, everyone is now a blip on cybercrooks’ radar.
Bitdefender predicts that ransomware will become more advanced and more sophisticated in 2018, potentially even using the GPU in your computer to speed up the encryption process. And ransomware-as-a-service platforms will make the threat even more accessible to one-off hackers
Why is ransomware so popular?
Ransomware is a highly efficient, highly lucrative form of malware.
How to mitigate risk?
According to the same report, some 93 percent of all breaches could have been avoided had simple steps been taken. These can include:
regularly update software
block fake email messages using email authentication
train people to recognize phishing attacks
use browser-based scanning for malware
limit administrative access to data to contain the spread of an infection
use DDoS protection services to limit the impact of an attack
most cybersecurity experts agree that victims should refrain from paying the ransom
At the same time, those same agencies (including the FBI) agree that sometimes the damage from lost data can be so large that it’s better to just pay and hope that the hackers stick to their end of the bargain – decrypt the data. But…
What if I don’t want to pay the ransom?
Since your data is inaccessible and unusable, getting infected with ransomware is the same as having your hard drive fail on you. And, make no mistake, hard drives do fail eventually!
“Viewing ransomware as an imminent hard drive failure points toward the simplest measure you can take: keep regular, offline backups of your important data,”
Tomi Engdahl says:
Containers and the question of trust
https://www.scmagazineuk.com/containers-and-the-question-of-trust/article/713060/?utm_campaign=Black%20Duck%20Press&utm_content=65294403&utm_medium=social&utm_source=facebook
The security risks associated with containerised software delivery has become a hot topic in the DevOps community, where operations teams are under pressure to identify security vulnerabilities in their production environments.
As the use of containers becomes standard practice, existing software development and security methodologies may need to be modified
patches to container images are made by rebuilding the Docker image with the appropriate patches, and then replacing the existing running containers with the updated image. This change in paradigm often requires enterprises reassess their patching processes.
Given the level of adoption of open source technologies in container infrastructure, a key to protecting your applications in production is maintaining visibility into your open source components and proactively patching vulnerabilities as they are disclosed.
Identification of risk is a crucial component of security, and risk is a function of the composition of a container image. Some key questions operations teams need to answer in order to minimise risk include:
What security risks might present in that base images used for your applications, and how often are they updated?
If a patch is issued for a base image, what is the risk associated with consuming the patch?
How many versions behind tip can a project or component be before it becomes too risky to consume?
Given my tooling, how quickly will I be informed of component updates for dependencies which directly impact my containers?
Given the structure of a component or project, do malicious actors have an easy way to gain an advantage when it comes to issues raised against the component?
Defining a container security strategy
You can’t rely on traditional security tools that aren’t designed to manage the security risks associated with hundreds—or thousands—of containers. Traditional tools are often unable to detect vulnerabilities within containers, leading to a false sense of safety.
One critical attribute of any container security solution is its ability to identify new containers within the cluster and automatically attest to the security state of the container. The desired security state will of course vary by application
Most enterprises operate under governance regulations requiring continuous monitoring of infrastructure. This requirement exists for containerised applications as well
finding and remediating every newly discovered vulnerability in each container can be a challenge
The bottom line is you need to be proactive about container security to prevent breaches before they happen.
Tomi Engdahl says:
UK Warns Critical Industries to Boost Cyber Defense or Face Hefty Fines
http://www.securityweek.com/uk-warns-critical-industries-boost-cyber-defense-or-face-hefty-fines
The UK government has warned that Britain’s most critical industries must boost their cybersecurity or face potentially hefty fines under the EU’s Networks and Information Systems Directive (NISD).
The warning comes less than four months before the deadline for the NISD, adopted by the EU on July 6, 2016, to be transposed into EU member states’ national laws (May 9, 2018, which aligns with the date for GDPR enforcement).
NISD is designed to ensure the security of network systems not already covered by the GDPR — but its primary purpose is to ensure the security of the industries that comprise the critical infrastructure (such as power and water, healthcare and transport). These companies, or covered entities, are defined within the directive as ‘operators of essential services’ (OES), and ‘digital service providers’ (DSPs).
Since it is a Directive rather than a Regulation, the NIS Directive has some national flexibility in its implementation. For example, the UK government had earlier proposed that maximum fines under the directive should be between €10 million and €20 million or 2% to 4% of annual global turnover. It has now settled on a maximum fine of €17 million.
The UK has made it clear that a breach of an OES will not automatically trigger a fine. This will depend on the judgment of separate industry sector regulators, or competent authorities. The primary factor will be whether the breached OES/DSP has made adequate cyber security provisions — in practice, this will probably depend upon how well the firm has implemented the ‘NIS Directive: Top-level objectives’ guidelines published by the National Cyber Security Centre (NCSC, part of GCHQ) Sunday. However, the government also states, “New regulators will be able to assess critical industries to make sure plans are as robust as possible.”
The key part of the EU’s NIS Directive is Article 14: Security requirements and incident notification. This specifies, “Member States shall ensure that operators of essential services take appropriate and proportionate technical and organizational measures to manage the risks posed to the security of network and information systems.”
Tomi Engdahl says:
U.S. Floats Idea Nationalizing High-Speed Networks, Drawing Rebukes
http://www.securityweek.com/us-floats-idea-nationalizing-high-speed-networks-drawing-rebukes
US officials have launched a debate on a proposal to nationalize the newest generation of high-speed wireless internet networks in the name of national security, provoking sharp criticism from across the political spectrum.
One official familiar with the proposal but not authorized to speak publicly told AFP the idea “has been discussed over the past couple of weeks” at the request of US national security officials.
The proposal was first reported by the news website Axios, citing a memo proposing government control of the newest and fastest part of the nation’s mobile network — the fifth generation, or 5G — to guard against China’s growing online capabilities.
Axios cited a memo by a senior official as contending that the US need to quickly deploy 5G because China is in a top position with the technology and “is the dominant malicious actor” online.
But the proposal — which would run counter to the longstanding US policy of relying on private telecom networks — drew immediate rebukes from the industry and even from US regulatory officials.
The official familiar with the proposal noted that “it’s not hard to find people who think it’s a dumb idea.”
Tomi Engdahl says:
Look Out: Chrome Extension Malware Has Evolved
https://www.wired.com/story/chrome-extension-malware
You already know to be wary of third-party Android apps, and even to watch your back in the Google Play Store. A flashlight app with only 12 reviews might be hiding some malware as well. But your hyper-vigilant download habits should extend beyond your smartphone. You need to keep an eye on your desktop Chrome extensions as well.
These handy little applets give you seamless access to services like Evernote or password managers, or put your Bitmoji just a click away. As with Android apps, though, Chrome extensions can sometimes hide malware or other scourges, even when you install them from the official Chrome Web Store.
“What we’re seeing is an increase in criminal use of extensions,” says William Peteroy, CEO of the security firm Icebrg. “And when we start to see criminal pickup on things it absolutely meets our bar that this is something we need to pay attention to, and something users need to start paying a lot more attention to than they are right now.”
Tomi Engdahl says:
The Security Savants Protecting the Winter Olympics
https://www.wired.com/story/winter-olympics-security
When the world’s attention swings to South Korea on February 9, the spectators and participants will be thinking about more than gold medals. The saber-rattling between the neighboring Koreas makes for an ominous backdrop to the XXIII Olympic Winter Games, a tension that seeing the countries’ athletes march under the same flag and skate on the same ice can’t quite erase.
The Korean situation is unique, but all modern Olympics face threats, including terrorism and the personal-security dangers that come with big international crowds. There are decidedly modern risks to manage, as well. Chief among them: drones and computers. “What’s different now from past Olympics is increased use of unmanned systems and the cyber domain to stage attacks,” says security analyst Peter Singer. “The attacker doesn’t even have to be onsite. They can do it from afar.”
For this reason, secreted in that tension-filled background will be the security forces of dozens of countries, led by the South Korean government’s own key agencies, all working to benefit from a collective expertise that rarely unifies
In terms of the most modern panoply of threats, analyst Singer says there are many tactics the security forces present might use to answer them. “Defenses against robotic aerial attacks, for instance, will first involve creating an airspace ban around the venues, then surveillance and detection technologies to track potential drones,” says Singer, the security analyst. “They’ll have technologies to shoot it down or disable it through jamming—hacking into it to hijack or block it, or just overwhelm it electronically.”
On the cyber front, the countermeasures will primarily be threat intelligence, which hinges on—you guessed it—sharing information with other agencies. “Simply tracking that will add to the resilience against an attack,” Singer says. “Good threat intelligence is not just saying that you see some type of malware, but learning that this group or that group is plotting something. If a threat is detected, knowing that groups used certain techniques in other situations helps identify them as suspects in a current one.”
Tomi Engdahl says:
Rapid, Secure Patching: Tools and Methods
http://www.linuxjournal.com/content/rapid-secure-patching-tools-and-methods
Generate enterprise-grade SSH keys and load them into an agent for control of all kinds of Linux hosts. Script the agent with the Parallel Distributed Shell (pdsh) to effect rapid changes over your server farm.
In any case, systems administrators of all architectures must be able to down vulnerable network servers and patch them quickly. There is often a need for speed and competence when working with a large collection of Linux servers. Whether this is due to security situations or other concerns is immaterial—the hour of greatest need is not the time to begin to build administration tools. Note that in the event of an active intrusion by hostile parties, forensic analysis may be a legal requirement, and no steps should be taken on the compromised server without a careful plan and documentation. Especially in this new era of the black hats, computer professionals must step up their game and be able to secure vulnerable systems quickly.
Secure SSH Keypairs
Tight control of a heterogeneous UNIX environment must begin with best-practice use of SSH authentication keys. I’m going to open this section with a simple requirement. SSH private keys must be one of three types: Ed25519, ECDSA using the E-521 curve or RSA keys of 3072 bits. Any key that does not meet those requirements should be retired (in particular, DSA keys must be removed from service immediately).
Scripting the SSH Agent
Modern OpenSSH distributions contain the ssh-copy-id shell script for easy key distribution.
pdsh
Many higher-level tools for the control of collections of servers exist that are much more sophisticated than the script I’ve presented here. The most famous is likely Puppet, which is a Ruby-based configuration management system for enterprise control. Puppet has a somewhat short list of supported operating systems. If you are looking for low-level control of Android, Tomato, Linux smart terminals or other “exotic” POSIX, Puppet is likely not the appropriate tool. Another popular Ruby-based tool is Chef, which is known for its complexity. Both Puppet and Chef require Ruby installations on both clients and servers, and they both will catalog any SSH keys that they find, so this key strength discussion is completely applicable to them.
There are several similar Python-based tools, including Ansible, Bcfg2, Fabric and SaltStack. Of these, only Ansible can run “agentless” over a bare SSH connection; the rest will require agents that run on target nodes (and this likely includes a Python runtime).
Another popular configuration management tool is CFEngine, which is coded in C and claims very high performance. Rudder has evolved from portions of CFEngine and has a small but growing user community.
Most of the previously mentioned packages are licensed commercially and some are closed source.
The closest low-level tool to the activities presented here is the Parallel Distributed Shell (pdsh), which can be found in the EPEL repository. The pdsh utilities grew out of an IBM-developed package named dsh designed for the control of compute clusters.
An SSH agent must be running while using pdsh with encrypted keys, and there is no obvious way to control the destination port on a per-host basis
Even a low-level utility like pdsh lacks some flexibility that is available by scripting OpenSSH, so prepare to feel even greater constraints as more complicated tools are introduced.
Conclusion
In a security emergency, simple, open and well understood tools are best. As tool complexity increases, platform portability certainly declines, the number of competent administrators also falls, and this likely impacts speed of execution. This may be a reasonable trade in many other aspects, but in a security context, it demands a much more careful analysis. Emergency measures must be documented and understood by a wider audience than is required for normal operations, and using more general tools facilitates that discussion.
Tomi Engdahl says:
Been bugging the boss for a raise? Now’s the time to go into infosec
Security specialists to command 7% salary hikes, survey finds
https://www.theregister.co.uk/2018/01/31/it_salary_survey/
Cybersecurity specialists will enjoy the highest salary increases among IT professionals with rises of 7 per cent – compared to 2 per cent for devs and 3 per cent for infrastructure experts – according to a survey by recruitment consultancy Robert Walters.
Infosec bods have become ever more highly sought in the wake of high-profile data leaks and cyber attacks. Developers have been in demand to support digitalisation projects.
“At this point, salaries for IT professionals are highly inflated, with employers having to compete to secure top talent. In this context, the increases for cybersecurity specialists are particularly noteworthy.”
Companies want more than technical know-how, Iqbal added.
“Employers are keen to secure professionals who can demonstrate communication and project management skills as they look to more closely integrate their IT function into the wider business.”