Cyber security trends for 2018

2017 was a bad year for cyber security, and cybersecurity dangers are expected to spike in 2018. The situation was so bad in 2017 that some thought we were hitting rock bottom in cyber, but I fear that we have not yet hit the bottom, and things will get worse before they start to get better. Remember that cybercriminals will shift targets and evolve their tactics, techniques and procedures (TTPs) throughout the year. In the age of digital transformation, most business processes are connected to the Internet. This not only means a company’s data is potentially exposed, it also means a company’s customers are exposed. 2018 will present new and increasing industrial cyber security challenges for facility operators. Whatever happens in 2018 and beyond, cybercrime will continue to be a problem.

Here is a list of relevant cyber security terms for 2018:

AI: Artificial intelligence (AI) and machine learning (ML) will be hot in 2018. Both the good and the bad guys aim to use them for their own purposes. AI solutions could possibly help with some security problems, such as processing the flood of new attack variants described under Attacks, but be warned of the over-hyping of AI in security products. We will also see many attacks against ‘black box’ machine learning, where the attacker has no access to the model internals and works only from its inputs and outputs.

Artisanal: Today, security is kind of an artisanal industry. With a total addressable market north of $85 billion per year, and not one player above 5 percent, it is a chaotic industry of niches: endpoint, AV, cloud, network/infrastructure, application, compliance, and the list goes on and on. The overwhelming array of choices has given technologists a lot to evaluate, but it has not gone far enough to lower the actual security risk facing organizations. In 2018, organizations will start to focus more on outcomes than on simply checking all of the boxes with niche security tools.

Attacks: The threat landscape now expands dizzyingly, at the pace of hundreds of thousands of new attack variants every day. As the types of attacks broaden and the sophistication level deepens, we humans obviously need some help. Enter data science and supporting technologies that have driven breakthrough advances in security, processing and analyzing all of this data on a scale that is multiple orders of magnitude faster than humans ever could.

Automation: Enterprises will no longer merely react manually to cyber events after they happen; instead they will use systems to plan proactively and respond automatically. Security policy orchestration and automation are expected to lead next-generation cybersecurity for enterprises.

Backups: Understand and back up your data. Categorize data based on its value to the organization. Test that your backup and restore process actually works: a backup that has never been restored is an assumption, not a safeguard. Keep at least one copy offline, where ransomware on the network cannot reach it.
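
As an added example, not from the original post, this Python script performs the drill the entry asks for: it backs up a directory into a tar archive with a SHA-256 manifest, restores it into a scratch directory, verifies every file against the manifest, and then shows that a damaged archive is caught. Everything runs inside a temporary directory on constructed sample files; the file names and contents are made up.

```python
"""Backup and restore drill with a SHA-256 manifest (added example,
constructed sample data)."""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(src_dir: Path, archive: Path) -> dict:
    """Archive src_dir and return a manifest {relative path: sha256}."""
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(src_dir.rglob("*")):
            if p.is_file():
                rel = p.relative_to(src_dir).as_posix()
                manifest[rel] = sha256_file(p)
                tar.add(str(p), arcname=rel)
    # Keep the manifest beside the archive so a restore can be checked even
    # when the original data is gone.
    (archive.parent / (archive.name + ".manifest.json")).write_text(json.dumps(manifest, indent=1))
    return manifest


def restore_and_verify(archive: Path, manifest: dict, dest: Path) -> list:
    """Restore into dest and return a list of problems (empty list = restore OK)."""
    with tarfile.open(archive, "r:gz") as tar:
        try:
            # The "data" filter (Python 3.12+) refuses path traversal and
            # device entries in a hostile archive; fall back on older Pythons.
            tar.extractall(str(dest), filter="data")
        except TypeError:
            tar.extractall(str(dest))
    problems = []
    for rel, digest in manifest.items():
        target = dest / rel
        if not target.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(target) != digest:
            problems.append(f"checksum mismatch: {rel}")
    return problems


def backup_drill() -> dict:
    """Back up constructed sample data, restore and verify it, then prove
    that a tampered archive is detected against the original manifest."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "data"
        (src / "db").mkdir(parents=True)
        (src / "db" / "customers.csv").write_text("id,name\n1,alice\n2,bob\n")  # constructed
        (src / "config.ini").write_text("[app]\nmode=prod\n")                   # constructed

        archive = tmp / "backup.tar.gz"
        manifest = create_backup(src, archive)
        clean = restore_and_verify(archive, manifest, tmp / "restore1")

        # Simulate a damaged backup: rebuild the archive with one file altered
        # and restore it against the manifest made from the good data.
        (src / "config.ini").write_text("[app]\nmode=test\n")
        with tarfile.open(archive, "w:gz") as tar:
            for p in sorted(src.rglob("*")):
                if p.is_file():
                    tar.add(str(p), arcname=p.relative_to(src).as_posix())
        damaged = restore_and_verify(archive, manifest, tmp / "restore2")
        return {"files": len(manifest), "clean_problems": clean, "damaged_problems": damaged}


if __name__ == "__main__":
    print(backup_drill())
```

The point of the drill is the second restore: the manifest must be written at backup time and kept apart from the archive, otherwise a corrupted or tampered backup verifies against itself.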

Behavioral Analytics: Detecting compromises requires monitoring a series of activities over time. A first and imperative step toward better protection of assets, business and people is to assume that everything is connected, and therefore vulnerable. A second is to consider investing in a network visibility solution. Behavioral analytics enables verification that users are doing the right thing, and there are more and more tools to help companies detect anomalous behavior in their organizations.

Blockchain: A blockchain is a continuously growing list of records, called blocks, which are linked and secured using cryptography. It can be described as an open, distributed ledger that can record transactions between two parties efficiently and in a verifiable and permanent way. The invention of the blockchain for bitcoin made it the first digital currency to solve the double-spending problem without the need for a trusted authority or central server. Blockchain, the technology underlying cryptocurrency, is a good example of a community-based trust model (if not one completely based on transparency). A blockchain can be used to facilitate secure online transactions. Blockchain technology can be integrated into multiple areas, but the technology has often been hyped with unrealistic claims. After the surge in the cryptocurrency market in 2017, browser-based cryptocurrency mining made an unlikely return, coming back to haunt websites and their visitors: some see unauthorized coin mining in the browser as a looming security risk, while others see that authorized browser mining could be used for micro-payments.

Breaches: In 2016, breaches cost businesses nearly $4 billion and exposed an average of 24,000 records per incident. In 2017, the number of breaches was anticipated to rise by 36%. The constant drumbeat of threats and attacks is becoming so mainstream that businesses are expected to invest more than $93 billion in cyber defenses by 2018.

Certificates: Facebook released new Certificate Transparency tools that allow developers to search for certificates and receive alerts when a new certificate is issued for their domains. Because newly issued certificates are logged to Certificate Transparency logs (CT logs), a domain owner can spot a certificate they never requested before it is used for a man-in-the-middle attack. With hundreds of Certificate Authorities (CAs) able to issue publicly trusted TLS certificates for any website, a single breach at any CA could result in mis-issued, publicly trusted TLS certificates; CT does not prevent mis-issuance, it makes it detectable, and only if someone is actually watching the logs for their names.
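
To make the “verifiable” part concrete, here is an added example, not from the page and not Facebook’s tooling, of the RFC 6962 Merkle tree hashing that CT logs use: it builds a tree over constructed log entries, produces an inclusion (audit) proof for an entry, checks the proof against the tree root, and filters the log for names under a monitored domain. The entries are simplified “subject|issuer” strings rather than real MerkleTreeLeaf structures, and every domain name and issuer in it is made up.

```python
"""RFC 6962 Merkle tree hashing and inclusion-proof checking, as used by
Certificate Transparency logs (added example, constructed entries)."""
import hashlib

LEAF_PREFIX = b"\x00"   # domain separation between leaves ...
NODE_PREFIX = b"\x01"   # ... and interior nodes


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_hash(entry: bytes) -> bytes:
    # The 0x00 prefix stops an attacker from presenting an interior node
    # hash as if it were a logged entry (second-preimage trick).
    return _h(LEAF_PREFIX + entry)


def _split(n: int) -> int:
    """Largest power of two strictly smaller than n, for n > 1."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def tree_hash(entries: list) -> bytes:
    """MTH(D[n]) as defined in RFC 6962 section 2.1."""
    n = len(entries)
    if n == 0:
        return _h(b"")
    if n == 1:
        return leaf_hash(entries[0])
    k = _split(n)
    return _h(NODE_PREFIX + tree_hash(entries[:k]) + tree_hash(entries[k:]))


def audit_path(m: int, entries: list) -> list:
    """PATH(m, D[n]): sibling hashes needed to climb from leaf m to the root."""
    n = len(entries)
    if n == 1:
        return []
    k = _split(n)
    if m < k:
        return audit_path(m, entries[:k]) + [tree_hash(entries[k:])]
    return audit_path(m - k, entries[k:]) + [tree_hash(entries[:k])]


def _root_from_path(m: int, n: int, leaf: bytes, path: list) -> bytes:
    """Rebuild the root from leaf hash `leaf` at index m of a size-n tree."""
    if n == 1:
        if path:
            raise ValueError("audit path too long")
        return leaf
    if not path:
        raise ValueError("audit path too short")
    k = _split(n)
    if m < k:
        left = _root_from_path(m, k, leaf, path[:-1])
        return _h(NODE_PREFIX + left + path[-1])
    right = _root_from_path(m - k, n - k, leaf, path[:-1])
    return _h(NODE_PREFIX + path[-1] + right)


def verify_inclusion(entry: bytes, m: int, n: int, path: list, root: bytes) -> bool:
    """True only if `entry` really sits at index m of the tree whose hash is `root`."""
    if not 0 <= m < n:
        return False
    try:
        return _root_from_path(m, n, leaf_hash(entry), path) == root
    except ValueError:
        return False


def certs_for_domain(entries: list, domain: str) -> list:
    """(index, subject, issuer) for entries whose subject is `domain` or a name under it.
    Entries are simplified 'subject|issuer' strings, not real MerkleTreeLeaf data."""
    hits = []
    for i, e in enumerate(entries):
        subject, issuer = e.decode().split("|", 1)
        bare = subject[2:] if subject.startswith("*.") else subject
        if bare == domain or bare.endswith("." + domain):
            hits.append((i, subject, issuer))
    return hits


# Constructed log contents: the names and issuers are made up.
SAMPLE_LOG = [
    b"www.example.com|Example CA 1",
    b"mail.example.org|Example CA 2",
    b"*.example.com|Example CA 1",
    b"shop.example.net|Example CA 3",
    b"api.example.com|Unknown CA",
]

if __name__ == "__main__":
    root = tree_hash(SAMPLE_LOG)
    for idx, subject, issuer in certs_for_domain(SAMPLE_LOG, "example.com"):
        proof = audit_path(idx, SAMPLE_LOG)
        ok = verify_inclusion(SAMPLE_LOG[idx], idx, len(SAMPLE_LOG), proof, root)
        print(f"{subject} issued by {issuer}: inclusion proof {'OK' if ok else 'FAILED'}")
```

A real monitor fetches the signed tree head and the entries from a log over HTTP, but the trust argument is exactly this: with the root hash and a short audit path, anyone can check that a certificate is in the log, and the log cannot quietly drop or alter it afterwards without the root changing.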

Cloud: Organizations are responsible for ensuring the security of their data regardless of where that data resides, yet cloud security is often still thought of as a different type of security. You should question the most common cloud assumptions. The reality is that the approach to cloud security should be no different from the approach to network or endpoint security.

Continuous improvement: With corporate leadership increasingly backing efforts to bolster security protections, companies are committing to security as continuous improvement. Gartner predicts that through 2020, 99% of vulnerabilities exploited will continue to be the ones known by security and IT professionals for at least one year.

Cyber-soldiers: The US Army will soon send teams of cyber warriors to the battlefield. “Not everything is destroy. How can I influence by non-kinetic means? How can I reach up and create confusion and gain control?”

GDPR: Lots of people, whether security professionals or not, are talking about the European General Data Protection Regulation (GDPR) lately. Are you ready for 2018′s privacy rules? If you trade in or with an EU country and record personal data about customers and other people, then you will be affected by the GDPR. The General Data Protection Regulation (GDPR) was approved by the EU Parliament on 14 April 2016. The enforcement date is 25 May 2018, at which point organizations in non-compliance will face heavy fines (up to EUR 20 million or up to 4% of annual worldwide turnover, whichever is higher). The GDPR deadline is fast approaching, and many are still woefully unprepared. The regulation applies if the data controller (an organization that collects data from EU residents), the processor (an organization that processes data on behalf of a data controller, e.g. a cloud service provider) or the data subject (the person) is based in the EU. Furthermore, the regulation also applies to organizations based outside the European Union if they collect or process personal data of EU residents. In order to be able to demonstrate compliance with the GDPR, the data controller should implement measures which meet the principles of data protection by design and data protection by default. Under the GDPR, the data controller will be under a legal obligation to notify the supervisory authority without undue delay about issues like a data breach (the regulation says within 72 hours of becoming aware of it, where feasible). Europe’s GDPR scare season is in full swing, and suppliers are pretty much saying “buy our stuff or risk fines up to four per cent of your annual revenues.” If you haven’t done any preparation yet, is it really that bad? You might also need to take GDPR into account in software development. Your business needs to be GDPR-compliant but, this being the EU, it isn’t as simple as that: there isn’t a single GDPR compliance test. The regulation is non-prescriptive. There is no black-and-white compliant or not compliant state.
It’s fuzzy. You can’t verify compliance the way you verify a checksum. However, it is on you to make sure your internal processes and procedures satisfy the GDPR. Anyone selling a perfect GDPR compliance kit is flogging snake oil. They don’t exist.

Holistic: While the cyber danger increases for industrial networks, holistic security is gaining ground. On the defense side, companies are beginning to take a holistic approach to security. We are likely to see in 2018 the shift to a broader approach to cybersecurity: protection will become an assortment of defense efforts inside and outside the network. Companies are developing products that include strong built-in security, and they are also addressing security at all levels: cloud, network and device. The holistic solution takes security down to the device level; examples include new hardware-based security solutions and secure MCUs for IoT devices.

HTTP: Several major browsers have started describing some HTTP connections as insecure as they continue the industry-wide push to promote the use of encrypted HTTPS. Typically the “not secure” labelling occurs on pages delivered over HTTP that include forms. Firefox shows a warning immediately adjacent to the password box itself whenever the page is delivered over HTTP, since a password typed into such a form travels in the clear.

HTTP/2: HTTP/2 (originally named HTTP/2.0) is a major revision of the HTTP network protocol used by the World Wide Web. As of the end of 2017, 23.1% of the top 10 million websites supported HTTP/2. Most client implementations have stated that they will only support HTTP/2 over TLS, which makes encryption de facto mandatory.

HTTPS: In HTTPS, the web’s HTTP communication protocol is encrypted by Transport Layer Security (TLS) or, formerly, its predecessor, Secure Sockets Layer (SSL). The principal motivation for HTTPS is authentication of the accessed website and protection of the privacy and integrity of the exchanged data. HTTPS has been increasingly used for protecting page authenticity on all types of websites, and several major browsers have started calling HTTP connections insecure. Most major modern websites use HTTPS. Many organizations use HTTPS interception products for several purposes, including detecting malware that uses HTTPS connections to malicious servers. This weakens the end-to-end protections that HTTPS aims to provide: the client can only validate the interception proxy’s certificate, so it has to trust the proxy to validate the real server’s certificate and negotiate a strong cipher suite on its behalf, and US-CERT Alert TA17-075A found that many products do this badly.

ICS: In 2017, there was an uptick in organizations implementing ICS security solutions and integrating them with existing tools such as Security Information and Event Management (SIEM) systems and incident management systems. In 2018, this trend will likely continue, given that ICS networks are generating more and more security alerts, which expose to both IT and executive management the security gaps they need to address. Organizations are becoming more aware of the threats posed to their building management systems (BMS) and building automation systems (BAS). Industrial security frameworks have been gaining popularity over the past few years. ICS technology vendors are going to roll out a new breed of products that support encryption and other embedded security controls.

Identify: When you have an inventory of what you have, you can identify the gaps in your security approach and the capabilities you need to put in place to fill those gaps.

IPv6: IPv6 usage finally seems to be accelerating in 2018. IPv6 has been “the future” since 1998, and an important future since 2007. IPv6 deployments have been increasing, and chances are you have already used IPv6 without realizing it. IPv6 deployment is increasing around the world, with over 9 million domain names and 23% of all networks advertising IPv6 connectivity. Network admins will have many concerns about migrating to IPv6 in 2018. IPv6 security is somewhat different from IPv4 security, so you need to learn how to do it correctly. When deploying IPv6, doing everything at once is unlikely, so you will have to manage network security on both IPv6 and IPv4 networks for a long time. IPv6 use is increasing, but that does not mean that IPv4 is dying; the two will co-exist on the Internet for a long time, so the default network setting of the future is that devices have an IPv6 address along with their existing IPv4 address (a technique known as dual-stacking). Many devices are configured like that by default, so it is possible that you are using IPv6 without knowing it. Whether this is good or bad depends on whether you planned your network to work that way: an IPv6 path that nobody filters or monitors bypasses every control that only looks at IPv4.
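
As an added illustration, not part of the original post, the following Python snippet compares what an inventory says hosts have with what was actually observed on them, using the standard library’s ipaddress module to tell link-local, unique-local and global IPv6 addresses apart. The host names, addresses and inventory are constructed sample data; 2001:db8::/32 is the documentation prefix and stands in here for globally routed space.

```python
"""Find hosts that run IPv6 without the inventory knowing about it
(added example, constructed sample data)."""
import ipaddress

ULA = ipaddress.ip_network("fc00::/7")   # unique local addresses (RFC 4193)

# Constructed: what the CMDB records for each host ...
INVENTORY = {
    "ws-01": ["10.0.1.15"],
    "srv-db": ["10.0.2.5"],
    "srv-web": ["10.0.2.10", "2001:0db8:0002::0010"],   # uncompressed on purpose
}
# ... and what was actually seen on the hosts (e.g. `ip -6 addr`, neighbor tables).
OBSERVED = {
    "ws-01": ["10.0.1.15", "fe80::1c3a:2bff:fe5d:9a01", "2001:db8:1:0:1c3a:2bff:fe5d:9a01"],
    "srv-db": ["10.0.2.5", "fe80::5054:ff:fe12:3456", "fd00:dead:beef::5"],
    "srv-web": ["10.0.2.10", "2001:db8:2::10", "fe80::5054:ff:feab:cdef"],
}


def classify(addr: str) -> str:
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return "ipv4"
    if ip.is_link_local:
        return "v6-link-local"   # fe80::/10: auto-configured on every v6 interface, never routed
    if ip in ULA:
        return "v6-ula"          # routable inside the site, the v6 counterpart of RFC 1918
    return "v6-global"           # anything else is treated as reachable from outside


def unmanaged_ipv6(inventory: dict, observed: dict) -> dict:
    """Hosts carrying routable IPv6 addresses that the inventory does not list.
    Addresses are compared as parsed objects, so 2001:0db8::1 and 2001:db8::1 match."""
    findings = {}
    for host, addrs in observed.items():
        known = {ipaddress.ip_address(a) for a in inventory.get(host, [])}
        extra = []
        for a in addrs:
            kind = classify(a)
            if kind in ("v6-ula", "v6-global") and ipaddress.ip_address(a) not in known:
                extra.append((str(ipaddress.ip_address(a)), kind))
        if extra:
            findings[host] = extra
    return findings


if __name__ == "__main__":
    for host, extra in unmanaged_ipv6(INVENTORY, OBSERVED).items():
        for addr, kind in extra:
            print(f"{host}: unplanned {kind} address {addr}")
```

Link-local addresses are deliberately ignored: every IPv6-enabled interface has one, so they say nothing about exposure. A global address that the inventory does not know about, as on ws-01 here, is the case the entry above warns about: the host is reachable over a path that the IPv4-only firewall rules and monitoring never considered.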

Inventory: Understand the computers, networking and applications you have. Understand the landscape of the security tools you have.

Integrate: Many gaps in security are due to an inability for disparate technologies to share information. Integration is key to making sure you get the most from your technology investments.

IoT: IoT lets data aggregators, service providers, tech companies, cities and federal governments monetize data sucked into billions of connected devices. Expect the top IoT agenda in 2018 to be “transparency” for collected data. The implementation of security in many IoT products will not match the pace of advancement of cyberattacks. Improved IoT security starts with liability for companies, not just legislation. Security experts have always warned us that a network is only as secure as its weakest point. The Internet of Things (IoT) means that the number of points in each network is set to mushroom, with Cisco expecting between 50 and 200 billion smart devices to be online by 2020. With the adoption of the Industrial IoT, there is an explosion of data being produced by the interconnected devices on the factory floor. System engineers face greater challenges today when developing IIoT-capable, network-connected embedded devices. Besides the usual issues, they must deal with security issues, encryption standards, networking protocols and new technologies. An IoT system should address security at all levels: cloud, network and device. The holistic solution takes security down to the device level, for example with new hardware-based security solutions and secure MCUs for IoT devices. It is quickly becoming common practice for embedded system developers to isolate both safety and security features on the same SoC. The data created by IoT devices is extremely sensitive, ranging from personal biometric information to industrial production data, so encryption and careful handling of this data is the top priority. The responsibility must fall on the industry to create a robust, versatile security standard for IoT devices. There seems to be a race for a universal IoT security standard going on, but it will not get anywhere near ready in 2018. Out-of-date software is a huge vulnerability, so the management of updates should be a part of any security standard.
On the bad front, expect more sophisticated ransomware, increased threats due to the Industrial Internet of Things (IIoT), and a serious lack of cyber security skills. For the ugly, think ‘red button’ incidents.

Micro-segmentation: Categorize data based on organizational value, and then physical or logical separation of networks can be created for different business functions. Network isolation, segmentation and limiting communication between workstations can keep supply chain traffic separate from other internal traffic. This approach also limits how far worms like WannaCry and NotPetya, which spread from machine to machine over SMB, can propagate across a network before reaching their intended target: a workstation that cannot reach SMB on its neighbours cannot infect them.

Mirai: The Mirai malware and its many variants have been a threat to IoT devices and to several Internet services in 2016 and 2017. In 2017 the Mirai makers pleaded guilty, but this isn’t the end for Mirai, whose source code has been public since 2016. I expect that in 2018 we will see new attempts to create a more potent version of Mirai that threatens to run rampant across the Internet of Many Unsecured Things.

Orchestration: Orchestration is an evolutionary step toward organizational cyber resiliency. ABI Research forecasts that security policy orchestration will reach $1 billion in global revenues by 2020.

Patching: Vulnerabilities are not a new phenomenon, they are as old as computers, and they need to be fixed. Traditional approaches may no longer suffice. Instead, according to Gartner, organizations should transform their vulnerability management practices to a threat-centric model, which allows for imminent threat elimination rather than gradual risk reduction. Under this model, imminent threats are prioritized and remediated first. Gartner predicts that through 2020, 99% of vulnerabilities exploited will continue to be the ones known by security and IT professionals for at least one year; in other words, most successful attacks will use flaws for which a patch already existed.

Privacy: The data created by IoT devices is extremely sensitive, ranging from personal biometric information to industrial production data. Encryption and careful handling of this data is the top priority. Common-sense guidelines and standards are needed to help engineers create products that respect privacy and give users the rights to their own data.

PSD2: The EU-wide Payment Services Directive 2 (PSD2) will open up customer transactions and data to third parties with appropriate consent. Methods and common practices to meet these requirements are not established yet, a potential roadblock for product developers. We need consent management solutions.

Ransomware: In 2018, we are likely to see hackers build on the success of brutal attacks such as the WannaCry ransomware. The 2017 ransomware attacks set the scene for 2018 protections. Yet it is the next wave beyond ransomware that worries cybersecurity experts.

Responsibility: People are starting to call on companies to take responsibility. Regulations like the EU’s General Data Protection Regulation (GDPR) are being developed to maintain user security and privacy as companies continue to collect our data. The responsibility must fall on the industry to create a robust, versatile security standard for IoT devices. The vision of the internet pioneers, that a globally connected, transparent world with free access to information is inevitably good, seems to have turned out to be at least partially wrong. Some people say it is time for innovators to take responsibility for their creations. Silicon Valley’s chief executives are now societal leaders too, oligarchs shaping the very nature of our identities, communications and relationships (consider the immense power wielded by Facebook in the 2016 presidential election). We live in a world where software and algorithms run almost every part of our lives, where Google and Facebook control close to 70 percent of all digital advertising, and smartphone penetration is nearing 80 percent. Responsibly disclosing vulnerabilities is part of taking responsibility, too.

Risk Mitigation: Risk mitigation is a timeless subject in the information security field, and it is, in essence, what information security is all about. If we look at the biggest risks most organizations face, many of them relate directly to the loss of sensitive, proprietary and confidential data. The theft of data that an organization was entrusted with safeguarding will most often cost that organization dearly. You don’t mitigate risk by throwing a bunch of technologies into a data center and hoping for the best. You prioritize the gravest risks to the most sensitive data, and then go about determining how best to protect that data. Once you have a plan for what to do, technology becomes an extremely important component of the security program. Focus on the actual disease, not just the symptoms. The best security doesn’t exclude users, it empowers them.

Supply chain: Keep an eye on supply chain and third-party vulnerabilities. These types of attacks, for example malware delivered through a trusted vendor’s own software update channel, have been common in 2017 and will continue to be a fruitful method for cybercriminals in 2018. Hold suppliers to defined standards. Be prepared for intrusions resulting from the compromise of software suppliers: a signed update from a vendor you trust is not proof that the code is clean.

Transparency: Expect the top IoT agenda in 2018 to be “transparency” for collected data. People will want to know where their data is being moved, who’s using it, and what for. Do You Know Where Your Data Are?

Unhackable: Cybersecurity experts have long preached that the only way to make computers “unhackable” is with on-chip hardware, but no one has done it yet. Many such attempts state their goal as “hack resistance”, which hedges on whether truly unhackable hardware is achievable at all.

Virtual security: Virtual security is the state in which manufacturers claim their products are secure, but in reality they are not.

Vulnerability: Patching is an important part of your defense strategy, and failing to do so opens the door wide for adversaries. According to the 2017 U.S. State of Cybercrime Survey, 39 percent of respondents reported that the frequency of cyber security events had increased over the past 12 months. This is reflected in daily news reports about data breaches and newly found vulnerabilities. Traditional mid-sized organizations are faced with an average of 200,000 vulnerabilities across their ecosystem, which is why Gartner’s advice (see Patching) is to prioritize imminent threats rather than to work down the list gradually; Gartner predicts that through 2020, 99% of the vulnerabilities exploited will still be ones known to security and IT professionals for at least a year. A new Synopsys survey reveals that customer-facing web and mobile applications are the top security challenge for IT professionals in Asia. They often process highly sensitive information, and cyber attacks targeting them are increasing in sophistication. As the use of open source continues to rise, many organizations are putting their toes on the line for a race they are ill-prepared to run: many organizations have no process for tracking which open source components they use, so they cannot tell whether a newly published vulnerability affects them. Responsible disclosure of vulnerabilities belongs here as well.

When: The myth of being able to detect every breach, insider threat or lateral movement has been punctured. Security teams are realizing they need to prepare themselves for “when” they will be breached, rather than “if.”

Worms: Wormable malware. Some of the biggest cyber incidents in 2017 revolved around self-replicating malware that can spread between networks without any user interaction; WannaCry and NotPetya were examples of this. These two types of threat are likely to continue into 2018.
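
The following Python example, added here and not part of the original post, ties the Micro-segmentation entry and this one together: it runs a segmentation policy and a fan-out detector over constructed flow records of the form “timestamp src dst dport”, the kind of data a firewall or NetFlow export produces. The segment ranges, the policy, the flows and the thresholds are all assumptions made up for the example.

```python
"""Detect worm-style SMB fan-out and segmentation-policy violations in
flow records (added example, constructed data)."""
import ipaddress
from collections import defaultdict

SMB_PORT = 445

# Segments of the example network (assumed, not from the original post).
SEGMENTS = {
    "workstations": ipaddress.ip_network("10.0.1.0/24"),
    "fileservers": ipaddress.ip_network("10.0.2.0/24"),
}

# Segment pairs allowed to carry SMB. Workstation-to-workstation is deliberately
# absent: that is the path WannaCry and NotPetya used to spread.
ALLOWED_SMB = {
    ("workstations", "fileservers"),
    ("fileservers", "fileservers"),
}

# Constructed flow export: "unix_time src dst dport", one flow per line.
SAMPLE_FLOWS = """\
1700000000 10.0.1.15 10.0.2.5 445
1700000003 10.0.1.30 10.0.2.5 445
1700000010 10.0.1.15 10.0.1.16 445
1700000011 10.0.1.15 10.0.1.17 445
1700000012 10.0.1.15 10.0.1.18 445
1700000013 10.0.1.15 10.0.1.19 445
1700000014 10.0.1.15 10.0.1.20 445
1700000015 10.0.1.15 10.0.1.21 445
1700000020 10.0.2.5 10.0.2.6 445
1700000025 10.0.1.30 10.0.1.31 445
1700000030 10.0.1.40 10.0.2.5 80
"""


def segment_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "other"


def parse_flows(text: str) -> list:
    """Return (timestamp, src, dst, dport) tuples, skipping blank lines."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        flows.append((int(ts), src, dst, int(dport)))
    return flows


def policy_violations(flows: list) -> list:
    """SMB flows between segments that the policy does not allow."""
    return [
        f for f in flows
        if f[3] == SMB_PORT and (segment_of(f[1]), segment_of(f[2])) not in ALLOWED_SMB
    ]


def fanout_alerts(flows: list, window: int = 60, threshold: int = 5) -> list:
    """Sources that reached >= threshold distinct hosts on SMB within any
    `window`-second span. A worm scans many peers quickly; a user opening a
    share talks to one or two servers."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport == SMB_PORT:
            by_src[src].append((ts, dst))
    alerts = []
    for src, events in by_src.items():
        events.sort()
        peak = 0
        for i, (ts, _) in enumerate(events):
            # distinct destinations in the window that ends at this event
            recent = {d for t, d in events[: i + 1] if t >= ts - window}
            peak = max(peak, len(recent))
        if peak >= threshold:
            alerts.append((src, peak))
    return alerts


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for f in policy_violations(flows):
        print("policy violation:", f)
    for src, n in fanout_alerts(flows):
        print(f"SMB fan-out: {src} reached {n} hosts within 60s")
```

The two checks complement each other. The policy check is what a segmented network enforces at the firewall, so any hit means either a misconfiguration or something actively probing across segments; the fan-out check catches a worm even inside a segment where peer-to-peer SMB is still permitted, because the burst of distinct destinations is the worm’s signature regardless of which exploit it carries.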


HTTP/2 (Wikipedia)

Usage of HTTP/2 for websites

HTTPS (Wikipedia)

Firefox, Chrome start calling HTTP connections insecure

Alert (TA17-075A) HTTPS Interception Weakens TLS Security


Browser-Based Cryptocurrency Mining Makes Unexpected Return from the Dead


Cybersecurity Dangers Will Spike in 2018

We’re hitting rock bottom in cyber — let’s do something | TechCrunch

Virtual Security

Mirai-makers plead guilty, Hajime still lurks in shadows

DARPA Takes Chip Route to ‘Unhackable’ Computers

Another AI attack, this time against ‘black box’ machine learnings

GDPR Portal: Site Overview

General Data Protection Regulation (Wikipedia)

Your palms are sweaty, knees weak, arms are heavy – you forgot about Europe’s GDPR already

Miten GDPR pitää huomioida ohjelmistokehityksessä? (How should GDPR be taken into account in software development?)

Seven Seas Cybersecurity: Captain, We Have a Problem

In the Words of President Ronald Reagan, “Trust but Verify”

Why You Should Question These Most Common Cloud Assumptions

It’s 2018. Do You Know Where Your Data Are?

Improved IoT Security Starts with Liability for Companies, Not Just Legislation

Smart Factory Connectivity for the Industrial IoT

The Race for a Universal IoT Security Standard

Security Policy Orchestration and Automation to Lead Next-Generation Cybersecurity for Enterprises

The Internet of Things Is Going to Change Everything About Cybersecurity

My Internet Mea Culpa: I’m sorry I was wrong. We all were.

Resolve to Mitigate Your Business’ Digital Risk in 2018

Emerging Trends in Vulnerability Management

Research reveals customer-facing web and mobile apps as top security challenge

Open Source Vulnerabilities: Are You Prepared to Run the Race?

Device Security for the Industrial Internet of Things

GDPR and Open Source: Best Practices

Isolating Safety and Security Features on the Xilinx UltraScale+ MPSoC

ICS Cyber Security Predictions for 2018 – The Bad, The Ugly, and The Good

Threat Modeling the Internet of Things: Modeling Reaper

Engineering for Privacy Requires Standards

How to Make Adversaries Work Harder, While We Work Smarter, in 2018

2018 Predictions: Customers Demand Outcomes to End Balkanization of Security Practices

Facebook Releases New Certificate Transparency Tools

iWelcome and Launch Kantara Initiative Consent Management Solutions Work Group

U.S. Military to Send Cyber Soldiers to the Battlefield

Machine Learning & Security: Making Users Part of the Equation

Security is Not a Technology Profession

State of IPv6 Deployment 2017

Top 5 Concerns of Network Admins About Migrating to IPv6 in 2018

  1. Tomi Engdahl says:

    Emil Protalinski / VentureBeat:
    Google says it removed 700,000+ apps from the Play Store last year for policy violations, up 70% YoY, credits new machine learning techniques for the increase — Google today shared details of Google Play’s efforts to protect Android users with its teams of engineers, policy experts …

    Google Play removed 700,000 bad apps in 2017, 70% more than in 2016

    Google today shared details of Google Play’s efforts to protect Android users with its teams of engineers, policy experts, product managers, and operations professionals that monitor the store for misleading, inappropriate, or harmful apps. In 2017, Google removed more than 700,000 apps that violated Google Play’s policies, or 70 percent more apps than the year before.

    Google does not share total Google Play app numbers anymore, so we have to rely on third-party estimates to put this 70 percent figure into perspective.

  2. Tomi Engdahl says:

    Android: 2000 malicious apps per day

    The state of the Android application field is described on the Google Developers blog, which says that 700,000 bad or malicious apps were removed from the Play Store last year. That is almost 2000 applications per day.

    These are apps that violate Google Play’s policies. The number of deleted applications grew by 70 per cent over the previous year.


  3. Tomi Engdahl says:

    FBI Pushes for Small Business Information Sharing

    Howard S. Marshall, Deputy Assistant Director of the Cyber Division of the FBI, spoke Tuesday before the House Small Business Committee on the subject of ‘Small Business Information Sharing: Combating Foreign Cyber Threats.’ The purpose was to outline the FBI’s role in helping small businesses defend against cyber threats.

    “Some of the more prevalent or rising cyber threats to small businesses,” he said, include business e-mail compromise (BEC); ransomware; criminal data breach activity; and the internet of things (IoT). He did not provide any statistics on these cybercrimes, but instead concentrated on a high-level description of the threats with a brief explanation of FBI advice on countering them.

    The FBI’s advice for BEC is that companies should require a second, independent verification on payment requests; that e-mail accounts should have regularly changed strong passwords and two-factor authentication; and that companies should use their own domain-based email rather than free web-based email. Wherever possible, the last recommendation should be supported by a filter system that flags emails with look-alike domain names.

    The primary advice against ransomware, which the FBI expects “to remain a significant threat to businesses in the U.S. and worldwide”, is that businesses should schedule regular backups to drives not connected to their network. “These drives can be used to restore a system to the backup version without paying the ransom to the perpetrator.”

  4. Tomi Engdahl says:

    Unvirtuous Relationship

    Data is stored in more places than ever before, and it contains more personal information than ever before. Protecting that data is more complex than it has ever been.

    Week after week, we’ve gotten used to news media reports about ever-more jaw-dropping data breaches. The breach at the credit reporting firm Equifax is just the latest, and so far highest-profile reminder that more than 5 million personal records are lost or stolen every day. Each breach costs companies on average $3.6 million. CEOs have lost their jobs and reputations, and CSOs wake up each morning dreading the news that personal customer data is in the hands of hackers.

    It wasn’t always like this. Twenty years ago, cyber-related threats barely cracked the top 10 security threats facing U.S. companies, let alone data-specific threats. And historically, a company’s primary concern about its data related to governance and compliance, not security.

    VP of IT security for a Fortune 1000 company what his approach to data security was, his response was simply “I wish I knew; it’s not my job. It’s critically important for us to be engaged, but I only get informed after the fact.”

    Such responses are depressingly common in an industry

    The Growing Value of Data

    In today’s software economy, data has become one of a company’s most important assets. Consumers expect personalized experiences that businesses can only deliver by gathering, analyzing, and managing data at scale. That data can be used to drive new insights, decisions, and strategies throughout the business.

    Data is stored in more places than ever before, and it contains more personal information than ever before.

  5. Tomi Engdahl says:

    Is it legal to swap someone’s face into porn without consent?
    Yes, no, maybe

    For victims of revenge porn and other explicit material shared without consent, legal remedies have arrived only within the last decade. But thanks to AI-assisted technology, anyone with an online presence could now end up starring in pornography against their will — and there’s little that the law can do about it.

    For the past several weeks, a subreddit called “deepfakes” has been saturated with doctored images that depict famous figures, mostly women, engaging in sexual acts, where their faces are believably mapped onto pornographic pictures, GIFs, or videos.

    In December 2017, Motherboard broke the news that a Redditor by the name of “deepfakes” had figured out how to create this kind of face-swapped fake porn, and the AI-assisted tech advanced quickly. By January, not only was there a subreddit dedicated to “deepfakes,” but there was an app designed to make creating them as easy as possible.

    Although there are benign applications of this technology — it’s harmless to swap in actor Nicolas Cage for a bunch of goofy cameos — it’s a lot less cute in the hands of someone with more malicious goals, like placing unwilling participants in explicit sex videos. Photoshopped pornography is already a common harassment tool deployed against women on the internet; a video makes the violation far more active, and harder to identify as forged.

    As deepfakes become more refined and easier to create, they also highlight the inadequacy of the law to protect would-be victims of this new technology. What, if anything, can you do if you’re inserted into pornographic images or videos against your will? Is it against the law to create, share, and spread falsified pornography with someone else’s face?

    The answer is complicated.

    “It’s almost impossible to erase a video once it’s been published to the internet,” Goldman says. “… If you’re looking for the magic wand that can erase that video permanently, it probably doesn’t exist.”

    A defamation claim could potentially be effective because the person depicted in the video isn’t actually in it, Goldman explains. It’s a false statement of fact about the victim’s presence.

    However, a defamation claim is hard to win.

    “You can’t sue someone for exposing the intimate details of your life when it’s not your life they’re exposing.”

    Getting the content removed could be a possible First Amendment violation. “All content is presumptively protected by the First Amendment,” Goldman says. The exceptions to free speech are narrowly defined.

    It could also be possible to get a video removed with a copyright claim.

    In other words, while a website has no obligation to remove a video for defamation, it would need to pull a video that infringes on copyright — or face liability equal to the person who posted the video. However, this isn’t much help to the specific victim featured in the video, as it’s likely they don’t own that copyright.

    But again, each video depicts at minimum two people: the person whose body is truthfully being represented, and the person whose face has falsely been added.

    “[Celebrities are] going to have possibly fewer privacy rights,”

    Deepfakes could also expand to problematic areas beyond pornography and use the technology to create “fake news” involving politicians and other public figures — or just about anyone. Although legislators could attempt to craft new laws that address face-swapped porn in the context of the First Amendment, Goldman thinks the solution will need to go beyond just a legal one. “I think we have to prepare for a world where we are routinely exposed to a mix of truthful and fake photos and videos,” he says.

    “The proliferation of tools to make fake photos and fake videos that are indistinguishable from real photos and videos is going to test that basic, human capacity.”

  6. Tomi Engdahl says:

    FYI: That Hawaii missile alert was no UI blunder. Someone really thought the islands were toast
    False text probe reveals screw up after screw up

    The individual who sent an emergency text to everyone in Hawaii warning them of an imminent missile attack did not hit the wrong button as first claimed – and was actually convinced a real attack was happening.

    That’s according to a report published Tuesday by America’s comms watchdog, the Federal Communications Commission (FCC).

    Previous to the report, the assumption was that the alert had been sent in error, and focus turned on the Hawaii Emergency Management Agency’s terrible user interface on its computer systems.

    It was claimed an official clicked on the wrong item in a drop-down menu. Rather than perform a test of the software without warning citizens, the agency worker accidentally selected the option to emit a real missile alert.

    Now it turns out there was no accidental user-interface blunder. Now we’re told confusion arose when conflicting messages were sent in a test of the system during a shift change. The person at the controls thought Hawaii really was going to be wiped off the map.

    One more thing…

    For one, there was no system in place for dealing with a false alarm. Which seems pretty shortsighted considering the enormous importance of a ballistic warning system.

    There was also a critical miscommunication between supervisors when they took over from one another at 8am on that fateful day.

    Also noteworthy is the fact that the organization’s policy and related checklist for the alert system had only been finalized one week earlier, on January 5.

    Not only was the system new but managers decided to push it to its limits – simulating a live ballistic missile defense drill, with no notice, specifically as the shift changed at 8am. It was a worst-case scenario test – and it failed, resulting in over a million people believing that they would shortly be hit by a nuke.

    It took 38 minutes for another alert to be sent telling Hawaiians it was a false alarm.

    He or she heard the phrase “this is not a drill,” but did not hear “exercise, exercise, exercise.” As such, the staffer thought it was a real event.

    On their computer, they selected the template for a live alert – which offers a drop-down menu that includes the option for both a live alert and a test alert; a design that people have been quick to point out is less than optimal.

    Is that right?

    However, it is also possible that this version of events is also untrue, and the warning officer simply screwed up first by choosing the wrong option, and then refused to pause when given the warning prompt. He or she could simply be protecting their job and reputation.

    The report goes with the official version – of a misunderstanding – although it inserts a few skeptical notes.

    As for the long delay in announcing it was a false alarm, that is another series of cockups. The warning officers realized almost instantly that they had wrongly sent a real message telling Hawaiians they were about to be bombed.

    Just sixty seconds later, the mobile phone of the warning officer went off – “distinct audible tones that announce a wireless emergency alert.”

    That was when the rest of the team realized a live alert had actually gone out beyond their internal network.

    The first thing they did – within the next 60 seconds – was call the governor of Hawaii to tell him it was a false alert. As we now know, he tried to send out a tweet telling people not to panic but he didn’t know his Twitter password.

    Then, at 8.10am, they called Pacific Command and the Honolulu police to tell them there was no missile launch. At 8.12am a cancellation is run through the system, but that isn’t able to recall messages or warn people that the original message was false, and by then everything is already in meltdown – the Emergency Management Agency (EMA) starts calling TV and radio stations to get the message out, but its phone lines become clogged as the public try to find out what is going on.

    It’s not until 8.27am – 20 minutes after the false alarm was issued – that the EMA decides it has to put out an alert using the same system it used to issue the warning – text messages to everyone’s phones.

    A supervisor logs into the system, but there is no template for a false alarm correction so he has to create one, get everyone’s agreement that it is crystal clear, and then hit send. It finally goes out at 8.45am.

    Overall “a combination of human error and inadequate safeguards contributed to this false alert,” the report concludes.

    The report slams the fact that the software “did not differentiate between the testing environment and the live alert production environment” – the height of poor UI design.

    The report notes: “Common industry practice is to host the live alert production environment on a separate, user-selectable domain at the log-in screen, or through a separate application. Other alert origination software also appears to provide clear visual cues that distinguish the test environment from the live production environment, including the use of watermarks, color coding, and unique numbering.”

    And then, of course, the fact that there was no way to quickly backtrack only made the situation worse. “The Hawaii Emergency Management Agency had not anticipated the possibility of issuing a false alert and, as such, had failed to develop standard procedures for its response,” notes the report.

    Presentation on Preliminary Report on Hawaii False Emergency Alert

  7. Tomi Engdahl says:

    Microsoft Drops the Hammer on Coercive Registry Cleaners & System Optimizers

    Starting March 1st 2018, Windows Defender and other Microsoft products will begin to remove programs that display coercive behavior designed to pressure a user into purchasing their software. This includes registry cleaners and system optimizers that offer free scans, detect issues with alarming messages, and then require the user to purchase the product before fixing anything.

    Protecting customers from being intimidated into making an unnecessary purchase

    There has been an increase in free versions of programs that purport to scan computers for various errors, and then use alarming, coercive messages to scare customers into buying a premium version of the same program. The paid version of these programs, usually called cleaner or optimizer applications, purportedly fixes the problems discovered by the free version. We find this practice problematic because it can pressure customers into making unnecessary purchase decisions.

    To help protect customers from receiving such coercive messaging, we are updating our evaluation criteria to specify that programs must not use alarming or coercive messaging that can put pressure on customers into making a purchase or performing other actions. We use the evaluation criteria to determine what programs are identified as malware and unwanted software. In the future, programs that display coercive messaging will be classified as unwanted software, detected, and removed.

  8. Tomi Engdahl says:

    Windows Defender will strap pushy scareware to its ass-kicker machine
    Doomed: Junkware claiming it can rid PCs of viruses, clean up the Registry, etc

    Think applications that offer to scan your Windows PC for free, and then – conveniently – claim your computer is under attack by viruses, or has serious defects, and that the only way to save your files is to fork out fifty bucks for a magic cleanup tool.

    That kind of crap – the junkware you strip from relatives and friends’ desktops at the weekends – is soon going to be nuked on sight by Windows Defender.

  9. Tomi Engdahl says:

    New click-to-hack tool: One script to exploit them all and in the darkness TCP bind them
    Auto-pwn code glues device search engine Shodan to Metasploit weapons cache

    Python code has emerged that automatically searches for vulnerable devices online using – and then uses Metasploit’s database of exploits to potentially hijack the computers and gadgets.

    You set this script running, it crawls the internet looking for machines that are possibly vulnerable to attack – typically due to unpatched security bugs – and automatically takes them over for you. No super-l33t skills required.

    We’re surprised it took this long.

    The software, posted publicly on GitHub this week by someone calling themselves Vector, is called AutoSploit. It makes mass hacking exceedingly easy. After collecting targets via the Shodan search engine – an API key is required – the Python 2.7 script attempts to run Metasploit modules against them.

    Metasploit is an open-source penetration testing tool: it is a database of snippets of code that exploit security flaws in software and other products to extract information from systems, or open a remote control panel to the devices so they can be commanded from afar. Shodan allows you to search for public-internet-facing computers, servers, industrial equipment, webcams, and other devices, revealing their open ports and potentially exploitable services.

    Automated Mass Exploiter

    As the name might suggest, AutoSploit attempts to automate the exploitation of remote hosts. Targets are collected automatically as well by employing the API. The program allows the user to enter their platform-specific search query, such as Apache, IIS, etc., upon which a list of candidates will be retrieved.

    After this operation has been completed the ‘Exploit’ component of the program will go about the business of attempting to exploit these targets by running a series of Metasploit modules against them.

  10. Tomi Engdahl says:

    Bypassing Encryption With Side-Channel Attacks

    A brief history of attacking cryptography through indirect means.

  11. Tomi Engdahl says:

    WANTED: Actionable Information, Practical Advice

    After High Profile Cyber Incidents, Actionable Information is Often Buried in an Avalanche of Hype, Buzz, and Misinformation

    Sometimes, usually after a high profile event in the security world, I can’t help but think of the famous Bonnie Raitt song, “Something to Talk About”. The response to the recent “Meltdown” and “Spectre” bugs was not atypical in the sense that it also caused me to think about this song. Unfortunately, whether or not you like the song, I’m not sure that is something that we as a community should take pride in.

    As is typical after a high profile security event, pundits, experts, and thought leaders showed up everywhere. Television. Print media. Twitter. LinkedIn. You name it.

    I watched a few interviews and read a few articles that were making the rounds. I saw a lot of people trying to grab attention for their particular company or agenda. There was a lot of shouting over the next person. There was plenty of spin as well. At one point, I nearly spit out my coffee when I saw one person tweet that “The internet is on fire again”. Seriously?

    You know what I saw too little of? Actionable information on the topic. Practical advice that organizations and individuals could take and implement to reduce their risk. That’s what security is supposed to be all about, isn’t it?

    There were a few bright spots of course. I did see several people on Twitter who provided new insights and added to the discussion, rather than regurgitating the same talking points over and over again.

    So what’s the problem you ask? That actionable information was buried in an avalanche of hype, buzz, and in some cases, misinformation. How is the security practitioner supposed to find the time to sort through that mess to find what he or she needs in order to safeguard his or her organization?

  12. Tomi Engdahl says:

    Increasing Number of Industrial Systems Accessible From Web: Study

    The number of industrial control systems (ICS) accessible from the Internet has increased significantly in the past year, reaching more than 175,000 components, according to a new report from Positive Technologies.

    Using the Shodan, Censys and Google search engines, researchers identified 175,632 ICS components accessible from the Web. In comparison, similar searches conducted in the previous year uncovered just over 162,000 systems.

    Of all the systems identified in 2017, more than 66,000 were accessible via HTTP, followed by the Fox building automation protocol associated with Honeywell’s Niagara framework (39,000), Ethernet/IP (25,000), BACnet (13,000), and the Lantronix discovery protocol (10,000).

  13. Tomi Engdahl says:

    Google Adds Custom Roles Feature to Cloud IAM

    The Identity & Access Management (IAM) service in the Google Cloud Platform (GCP) now includes a feature that allows users to assign custom roles for finer-grained security.

    The custom roles feature was first announced back in October when the beta version was introduced. The tech giant announced on Wednesday that nearly all permissions can now be customized.

  14. Tomi Engdahl says:

    Parrot Security OS 3.11 Released With Collection of New Powerful Hacking Tools & Car Hacking Menu

    Parrot Security OS 3.11 has been released with new powerful hacking tools along with a car hacking menu, and it includes many improvements and a lot of security patches compared to the previous version.

    Parrot Security OS 3.11 is a Penetration Testing & Forensics Distro dedicated to Ethical Hackers & Cyber Security Professionals.

  15. Tomi Engdahl says:

    Open source software security challenges persist, but the risk can be managed

    Using open source components saves developers time and companies money. In other words, it’s here to stay. Here’s a look at what it will take to improve open source security.

    Open source code is now in widespread use by companies of all sizes, in all industry verticals. There are open source operating systems, productivity software, tools for administrators and developers, and code libraries that companies use to build their own software. Even commercial software is typically built on a foundation of open source code.

    Developers rely heavily on open source software and companies are especially comfortable with major open source projects that have large groups maintaining them, says Howard. Plus, there’s the “many eyes” approach to security. “That is the major advantage of using open source software — other than it being lower cost,” he says. “You theoretically have more eyes looking at it.”

    Another security advantage of open source code is that if there’s a problem, a company can open it up and fix it immediately.

    Why open source software poses a security threat
    Synopsys manages Coverity, a free service that scans open source code for defects. “Overall, the quality of open source software has been improving,” Llaguno says. “We have about 750 million lines of open source code that participate in our scan projects, and identified 1.1 million defects — and 650,000 defects have already been addressed.” He adds that many projects, especially smaller ones, do not scan their code for potential security weaknesses.

    Who’s using all that open source code? Everybody. According to the latest Black Duck report, open source components are now present in 96 percent of commercial applications. The average application had 147 different open source components — and 67 percent of the applications used components with known vulnerabilities.

    “In the average application, over a third of the code base is open source,”

    “To replace that third of the code base, you’re going to have to increase either your development team or development time by 50 percent — and I don’t think those are viable options in today’s world.”

    This has also created security challenges, Harriss says. “I think there’s a misguided reliance on the fact that, being open source, these libraries are being reviewed for security bugs by the community,” he says. “In reality, it seems this isn’t always the case.”

    New vulnerabilities are constantly being found in open source code and many projects have no mechanisms in place for finding and fixing problems.

    There’s also no standard way of documenting security on open source projects. In the top 400,000 public repositories on GitHub, only 2.4 percent had security documentation in place.

    Then, if the problem is fixed, there’s often no way to find and notify all of the users of the old code. “The open source community has no idea of who is using their components,”

    According to the Snyk survey, 88 percent of open source code maintainers add security-related announcements to the release notes, and 34 percent say that they deprecate the older, insecure version. Twenty-five percent say that they make no effort at all to notify users of vulnerabilities and only 10 percent file a CVE.

    However, getting a CVE can be a complicated process, and requires a committee to agree on the CVE details, as well as agreement from the project owner. “The way the method currently works doesn’t scale,”

    Finally, if a vulnerability is found and patched, and the patch is broadly publicized, enterprises that use that code might not be aware that they have it or may have problems finding all instances of it.

    Find and fix
    In an ideal world, applications would all update themselves the instant a security patch became available, without any intervention required. In practice, however, this isn’t always possible.

    Instead, enterprises need to have a way to find all instances of open source code in their environments, to update this list continuously, to steer developers away from old, insecure libraries, and finally to go out and deploy patches whenever new vulnerabilities are discovered.

    New vulnerabilities are discovered in old libraries that were previously thought secure. “Software doesn’t age like wine,” Eng says. “It ages like milk.”

    Developers rarely go back and review the libraries they used in old projects
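
    An added example (not from the article or any vendor it quotes) of the inventory step described above: a small Python scanner that parses pip requirements files and npm package.json manifests found in a source tree, then matches each pinned version against a constructed advisory list so stale, known-vulnerable components surface. Package names, versions and advisory ids below are constructed placeholders, and unpinned components are reported separately because they cannot be matched.

```python
"""Component inventory for open source dependencies (added example)."""
import json
import re
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import Iterator, List, Optional, Tuple

# Constructed advisory feed standing in for a real CVE/OSV feed.
# (ecosystem, package, first vulnerable version inclusive,
#  first fixed version exclusive, advisory id placeholder)
ADVISORIES: List[Tuple[str, str, str, str, str]] = [
    ("pypi", "exampleweb", "1.0.0", "1.4.2", "ADV-0001-constructed"),
    ("npm", "left-widget", "0.0.0", "2.1.0", "ADV-0002-constructed"),
]


@dataclass(frozen=True)
class Component:
    ecosystem: str
    name: str
    version: Optional[str]  # None when the manifest does not pin it
    source: str             # manifest the component was declared in


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """'1.4.2' -> (1, 4, 2); None for ranges, tags or garbage."""
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        return None
    return tuple(int(p) for p in text.split("."))


def version_in_range(version: str, low: str, high: str) -> bool:
    """low <= version < high, padding so that '1.4' equals '1.4.0'."""
    parts = [parse_version(v) for v in (version, low, high)]
    if any(p is None for p in parts):
        return False
    width = max(len(p) for p in parts)
    v, lo, hi = (p + (0,) * (width - len(p)) for p in parts)
    return lo <= v < hi


def parse_requirements(text: str, source: str) -> Iterator[Component]:
    """pip requirements: 'name==1.2.3' is pinned; anything else is not."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue  # blank line, comment, or a pip option such as -r/-e
        m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?"
                     r"\s*(?:==\s*([^\s;]+))?", line)
        if m:
            yield Component("pypi", m.group(1).lower(), m.group(2), source)


def parse_package_json(text: str, source: str) -> Iterator[Component]:
    """npm manifest: only an exact numeric version counts as pinned."""
    data = json.loads(text)
    for section in ("dependencies", "devDependencies"):
        for name, spec in data.get(section, {}).items():
            spec = str(spec).strip()
            yield Component("npm", name, spec if parse_version(spec) else None, source)


def scan_tree(root: Path) -> List[Component]:
    """Walk a source tree and collect every declared component."""
    found: List[Component] = []
    for path in root.rglob("*"):
        if path.name == "requirements.txt":
            found.extend(parse_requirements(path.read_text(), str(path)))
        elif path.name == "package.json" and "node_modules" not in path.parts:
            found.extend(parse_package_json(path.read_text(), str(path)))
    return found


def find_vulnerable(components):
    """Return (vulnerable, unpinned): affected components paired with the
    advisory id, and components that could not be checked at all."""
    vulnerable, unpinned = [], []
    for c in components:
        if c.version is None:
            unpinned.append(c)
            continue
        for eco, name, low, high, adv in ADVISORIES:
            if (eco == c.ecosystem and name == c.name.lower()
                    and version_in_range(c.version, low, high)):
                vulnerable.append((c, adv))
    return vulnerable, unpinned


def demo() -> Tuple[list, list]:
    """Write a constructed two-manifest tree to a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "api").mkdir()
        (root / "api" / "requirements.txt").write_text(
            "exampleweb==1.2.0\nrequests>=2.0  # not pinned\n-r base.txt\n")
        (root / "ui").mkdir()
        (root / "ui" / "package.json").write_text(json.dumps({
            "dependencies": {"left-widget": "2.0.5", "lodash": "^4.17.0"}}))
        return find_vulnerable(scan_tree(root))


if __name__ == "__main__":
    vuln, unpinned = demo()
    for c, adv in vuln:
        print(f"VULNERABLE {c.ecosystem}:{c.name}=={c.version} {adv} ({c.source})")
    for c in unpinned:
        print(f"UNPINNED   {c.ecosystem}:{c.name} ({c.source})")
```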

  16. Tomi Engdahl says:

    DuckDuckGo CEO: ‘Google and Facebook Are Watching Our Every Move Online. It’s Time To Make Them Stop’

    You may know that hidden trackers lurk on most websites you visit, soaking up your personal information. What you may not realize, though, is 76 percent of websites now contain hidden Google trackers, and 24 percent have hidden Facebook trackers, according to the Princeton Web Transparency & Accountability Project. The next highest is Twitter with 12 percent. It is likely that Google or Facebook are watching you on many sites you visit, in addition to tracking you when using their products.

  17. Tomi Engdahl says:

    Protecting your business from cyber threats

    It’s Friday afternoon (it always happens on Friday afternoon) and the phone rings — there’s a breach.
    The incident response plans are triggered and everyone goes into high alert, looking for the source.

    The common thought trajectory goes something like: How could this happen? We use the latest and greatest security products. Did someone open a phishing email? Did a hacker breach our firewall or was a vendor compromised? There goes my weekend.

    How can we stop fearing that Friday afternoon call?

    Integrating security into each aspect of your business could mitigate this stressor. When people, processes, inventory and technology are coordinated, the fear and uncertainty of security breaches is replaced with straightforward and seamless responses that protect your Friday evening dinner plans.

    Business security
    The conversation should always begin with your business. You need to understand the processes, the people and the vendor and partner relationships. Understanding how the critical aspects of the company function and interact will often point to gaps in security.

    Consider how vendors deliver invoicing, how employees collaborate and how development processes are executed. It is important to understand these (and any other) processes as your data

    The answers — or lack thereof — may be surprising.

    Key components to consider
    Are the tools that facilitate secure business processes in place? Look for:
    - Single-sign-on solutions to ease integration of people and technology
    - Multi-factor authentication solutions that ease the password management burden on users (compromised passwords are responsible for nearly half of organizations that are breached according to the 2017 Verizon DBIR)
    - Product suites that integrate business processes and technology solutions
    - Secure supply chains that enumerate the risks to both hardware and software solutions while protecting them (a white paper published by the SANS Institute offers guidance on combating supply chain cyber risk)

    Solution security
    Whether your business is delivering software, hardware or services, the development of those solutions includes security from the start. The ability to clearly articulate the purpose of the system, how it will be used, who will be using it and what value it provides will help begin the conversation. Articulating these key factors will help define the threat environment, the adversaries and the controls necessary to mitigate the attacks. Mitigations will therefore have context and be able to address real threats, rather than generic ones.

    Implementing security
    The best security solutions are often lost during implementation. Feature requests, timelines and bugs will complicate the best laid plans. It is critical that security is integrated during the development and implementation of your solution(s). Keep track of projects — effective version controls, source code protections and secure collaboration of team members must be considered.

    Evaluating security
    Testing solutions for weaknesses is a critical piece of holistic security. Suites such as Tenable’s Nessus security scanner can test for known vulnerabilities and compliance violations

    Deploying security
    Designing and developing solutions securely matter very little if deployment is poorly managed. The challenge facing technology today is that the hosting environment is constantly changing.

    Continuous monitoring is the goal to strive for.

    The challenge is how to monitor the entire service stack effectively.

    When considering and prioritizing solutions in this space, focus first on what is most critical and move out from there. Detecting data flow anomalies should be the first priority, followed by services exposed to untrusted entities and inward from there.

  18. Tomi Engdahl says:

    Interesting story:

    I Made My Shed the Top Rated Restaurant On TripAdvisor

    And then served customers Iceland ready meals on its opening night.

  19. Tomi Engdahl says:

    Teens more likely to be hacking computers than smoking or having sex

    Teenagers used to rebel by smoking, doing drugs and getting pregnant.

    But modern 14-year-olds are eschewing these traditional forms of acting out – in favour of hacking computers from their bedrooms.

    Figures from a study carried out by University College London suggest that more teens of this age have hacked a computer than have had sex or are regular smokers.

    One in 20 teenagers in the Millennium Cohort Study told researchers they had hacked a computer in the past year. Just under one per cent had sent a virus.

  20. Tomi Engdahl says:

    LKRG – Linux Kernel Runtime Guard

    Linux Kernel Runtime Guard (LKRG) is a loadable kernel module that performs runtime integrity checking of the Linux kernel and detection of security vulnerability exploits against the kernel. As controversial as this concept is, LKRG attempts to post-detect and hopefully promptly respond to unauthorized modifications to the running Linux kernel (integrity checking) or to credentials (such as user IDs) of the running processes (exploit detection).

  21. Tomi Engdahl says:

    It’s Time For Machine Learning to Prove Its Own Hype

    Machine Learning is a Black Box that is Poorly Understood

    2017 was the year in which ‘machine learning’ became the new buzzword — almost to the extent that no new product could be deemed new if it didn’t include machine learning.

    Although the technology has been used in cybersecurity for a decade or more, machine learning is now touted as the solution rather than part of the solution.

    But doubts have emerged. Machine learning is a black box that is poorly understood; and security practitioners like to know exactly what it is they are buying and using.

    The problem, according to Hyrum Anderson, technical director of data science at Endgame (a vendor that employs machine learning in its own endpoint protection product), is that users don’t know how it works and therefore cannot properly evaluate it. To make matters worse, machine learning vendors do not really understand what their own products do — or at least, how they come to the conclusions they reach — and therefore cannot explain the product to the satisfaction of many security professionals.

    The result, Anderson suggests in a blog post this week, is “growing veiled skepticism, caveated celebration, and muted enthusiasm.”

    It’s not that machine learning doesn’t work — it clearly does. But nobody really understands how it reaches its decisions.

    Prove it!: A 2018 Wave in Information Security Machine Learning

  22. Tomi Engdahl says:

    Healthcare IT Systems: Tempting Targets for Ransomware

    Healthcare IT Systems: Ransomware Target of Choice

    While the Norway cyber intrusion doesn’t appear to involve ransomware, these types of attacks against healthcare systems have been going on for quite some time. (The first known ransomware event happened in 1989 and it was against healthcare systems.) The advent of widespread EHR systems, a lack of IT security expertise, and a plethora of legacy systems existing in the healthcare industry have made them a very tempting target. In fact, some 88 percent of ransomware attacks are reportedly against hospital systems. That number could actually be higher, considering that many have likely gone unreported.

  24. Tomi Engdahl says:

    Google and Facebook are watching our every move online. It’s time to make them stop

    Google and Facebook’s impact on our privacy cannot be understated.
    76 percent of websites now contain hidden Google trackers, and 24 percent have hidden Facebook trackers, according to one study.

    To make any real progress in advancing data privacy this year, we have to start doing something about Google and Facebook. Not doing so would be like trying to lose weight without changing your diet. Simply ineffective.

    These two companies have amassed huge data profiles on each person, which can include your interests, purchases, search, browsing and location history, and much more. They then make your sensitive data profile available for invasive targeted advertising that can follow you around the Internet.

  25. Tomi Engdahl says:

    Real-Time Intelligence: Security Silver Bullet or Too Good to Be True?

    Many Real-time Threat Intelligence Offerings Aggregate Indicators of Compromise (IoCs) and Are Strictly Reactive

    The concept of “real-time intelligence” is frequently portrayed as the panacea for our security woes. And, in theory, it certainly could be. The purpose of intelligence, after all, is to equip its consumer with a decision advantage over relevant threats and adversaries. So, if intelligence pertaining to these threats or adversaries could be ready for consumption at the exact “real-time” moment a potentially malicious activity occurred, it would theoretically provide an even greater decision advantage.

  26. Tomi Engdahl says:

    The Argument Against a Mobile Device Backdoor for Government

    Just as the Scope of ‘Responsible Encryption’ is Vague, So Too Are the Technical Requirements Necessary to Achieve It

    The ‘responsible encryption’ demanded by law enforcement and some politicians will not prevent criminals ‘going dark’; will weaken cyber security for innocent Americans; and will have a hit on the U.S. economy. At the same time, there are existing legal methods for law enforcement to gain access to devices without requiring new legislation.

    These are the conclusions of Riana Pfefferkorn, cryptography fellow at the Center for Internet and Society at the Stanford Law School in a paper published Tuesday titled, The Risks of “Responsible Encryption” (PDF).

    One of the difficulties in commenting on government proposals for responsible encryption is that there are no proposals — merely demands that it be introduced. Pfefferkorn consequently first analyzes the various comments of two particularly vocal proponents: U.S. Deputy Attorney General, Rod Rosenstein, and the current director of the FBI, Christopher Wray to understand what they, and other proponents, might be seeking.

    Wray seems to prefer a voluntary undertaking from the technology sector. Rosenstein is looking for a federal legislative approach. Rosenstein seems primarily concerned with mobile device encryption. Wray is also concerned with access to encrypted mobile devices (and possibly other devices), but sees responsible encryption also covering messaging apps (but perhaps not other forms of data in transit).

    Just as the scope of ‘responsible encryption’ is vague, so too are the technical requirements necessary to achieve it.

    “The only technical requirement that both officials clearly want,” concludes Pfefferkorn, “is a key-escrow model for exceptional access, though they differ on the specifics. Rosenstein seems to prefer that the provider store its own keys; Wray appears to prefer third-party key escrow.”

    The Risks of “Responsible Encryption”

  27. Tomi Engdahl says:

    Malware is Pervasive Across Cloud Platforms: Report

    Leading Cloud Service Providers and Majority of AV Engines Failed to Detect New Ransomware Variant

    Cloud Access Security Brokers (CASBs) provide visibility into the cloud. Some CASBs provide malware protection. Some clouds provide malware protection. Bitglass analyzed the efficacy of cloud-only protection by scanning the files of its customers that had not implemented its own Advanced Threat Protection (actually Cylance).

    Bitglass scanned tens of millions of customer files and found (PDF) a remarkably high number of infections: 44% of organizations had at least one piece of malware in their cloud applications; and nearly one-in-three SaaS app instances contained at least one threat. Among the SaaS apps, 54.4% of OneDrive and 42.9% of Google Drive instances were infected. Dropbox and Box followed, both at 33%.

  28. Tomi Engdahl says:

    The Time to Focus on Critical Infrastructure Security is Now

    The Software That Controls our Infrastructure is Vulnerable to Attack

    Is the world becoming desensitized to cyber attacks?

    Television has shown us examples of our own government using nonkinetic warfare, shutting down power in specific regions to demonstrate our strength and resolve. On screen, elected officials stare grimly at satellite images as large areas glowing from electric light slowly grow dark.

    This is not a new idea. I grew up with war and espionage movies that always included a “cut the power” part of the mission. That is because disruption of infrastructure is a key element of sound military strategy. Except in these movies, someone had to physically disrupt the power—someone had to be on-site. What is new is the ability to cut the power from a safe distance with the stroke of a key or the click of a mouse. No bombs, no missiles, no exotic kinetic devices.

  29. Tomi Engdahl says:

    Surviving Your Digital Transformation

    Digital Transformation Without an Equivalent Security Transformation is Leaving Organizations More Vulnerable

    2018 is lining up to be the year of Digital Transformation. Just about every organization looking to remain viable in the growing digital marketplace has some sort of digital transformation in progress or one in the planning stages for this year. These projects range from implementing basic applications to better interact with online consumers, to converging OT and IT networks, or even pushing their entire infrastructure to the cloud.

    But digital transformation without an equivalent security transformation is leaving organizations more vulnerable than ever. The results are alarming. According to Gartner, nearly $90 billion was spent on information security in 2017 and is expected to top a trillion dollars over the next five years. But cybercrime over that same period is expected to continue to rise. In spite of our efforts, we are falling further and further behind.

    An Outside-In Look at Digital Transformation

    Digital Transformation is a Massive Undertaking and Must be Entered into With Equal Thought to Security and Business Strategy

  30. Tomi Engdahl says:

    Tosibox’s virtual central locking was awarded

    The Virtual Central Lock, developed by Oulu-based Tosibox, has been honored with an honorary mention in the Engineers’ Choice Awards of the US-based Control Engineering.

    The company has developed an unprecedented, easy to use and secure software product for managing large IoT networks. The solution scales from a few connections to thousands.

    Virtual Central Lock creates a controlled IoT network from the Tosibox environment, allowing continuous, real-time monitoring and data collection and storage. Virtual Central Lock brings all connections from remote locations to one point and helps you manage centralized user rights and network in real time.


  31. Tomi Engdahl says:

    Stealthy Data Exfiltration Possible via Magnetic Fields

    Researchers have demonstrated that a piece of malware present on an isolated computer can use magnetic fields to exfiltrate sensitive data, even if the targeted device is inside a Faraday cage.

    A team of researchers at the Ben-Gurion University of the Negev in Israel have created two types of proof-of-concept (PoC) malware that use magnetic fields generated by a device’s CPU to stealthily transmit data.

    A magnetic field is a force field created by moving electric charges (e.g. electric current flowing through a wire) and magnetic dipoles, and it exerts a force on other nearby moving charges and magnetic dipoles. The properties of a magnetic field are direction and strength.

    The CPUs present in modern computers generate low frequency magnetic signals which, according to researchers, can be manipulated to transmit data over an air gap.

    The attacker first needs to somehow plant a piece of malware on the air-gapped device from which they want to steal data. The Stuxnet attack and other incidents have shown that this task can be accomplished by a motivated attacker.

  32. Tomi Engdahl says:

    2017 Coverity Scan Report
    Open-source software: The road ahead.

  33. Tomi Engdahl says:

    Cisco, Apple Launch Cyber Risk Offering With Insurance Giant Allianz

    Cisco, Apple, Aon, Allianz Partner to Help Businesses Protect Against Common Malware Threats

    Munich, Germany-based Allianz — named by Forbes as the world’s second largest insurance firm — is offering cyber insurance at competitive premiums with reduced deductibles; but only if the insured is risk-assessed by Aon and uses certain Cisco and Apple products.

  34. Tomi Engdahl says:

    TLS-Abusing Covert Data Channel Bypasses Network Defenses

    Researchers from Fidelis Cybersecurity have discovered a new method of abusing the X.509 public key certificates standard for covert channel data exchange following initial system compromise.

    The standard is used in both Transport Layer Security (TLS) and Secure Sockets Layer (SSL) cryptographic Internet protocol implementations, but the manner in which the certificates are exchanged can be abused to hijack them for command and control (C&C) communication, the researchers say.

    The X.509 extensions can be used for covert channel data transfer to bypass network protection methods that do not inspect certificate values, the researchers say. To date, no confirmed cases of this technique being abused have been observed, but the widespread use of certificates could put many organizations at risk, Fidelis researchers argue.
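    The report above notes that the technique only works against network protection that does not inspect certificate values. Below is an added example of such an inspection, written for this page and not code from Fidelis or from the original post: it parses a DER certificate with Go's standard `crypto/x509` package and flags any extension whose OID is outside an allow-list of extensions a TLS server certificate normally carries, or whose payload is larger than an assumed threshold. The allow-list, the 512-byte threshold, the `sample.test` name and the private-arc OID `1.3.6.1.4.1.99999.1` are all assumptions made for the example; the self-signed certificates are constructed inline so the check can be exercised offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// Finding is one certificate extension that deserves a closer look.
type Finding struct {
	OID      string
	Size     int
	Critical bool
	Reason   string
}

// maxExtBytes is an assumed size threshold. Legitimate extensions on a TLS
// server certificate (SAN, key usage, AIA, SCT list) are usually much smaller.
const maxExtBytes = 512

// knownOIDs lists extensions a TLS server certificate normally carries.
// Anything outside this allow-list is reported for review.
var knownOIDs = map[string]string{
	"2.5.29.14":               "subjectKeyIdentifier",
	"2.5.29.15":               "keyUsage",
	"2.5.29.17":               "subjectAltName",
	"2.5.29.19":               "basicConstraints",
	"2.5.29.31":               "cRLDistributionPoints",
	"2.5.29.32":               "certificatePolicies",
	"2.5.29.35":               "authorityKeyIdentifier",
	"2.5.29.37":               "extKeyUsage",
	"1.3.6.1.5.5.7.1.1":       "authorityInfoAccess",
	"1.3.6.1.4.1.11129.2.4.2": "signedCertificateTimestampList",
}

// InspectCertExtensions parses a DER-encoded certificate and reports
// extensions whose OID is not allow-listed or whose payload exceeds maxExtBytes.
func InspectCertExtensions(der []byte) ([]Finding, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, fmt.Errorf("parse certificate: %w", err)
	}
	var findings []Finding
	for _, ext := range cert.Extensions {
		oid := ext.Id.String()
		_, known := knownOIDs[oid]
		size := len(ext.Value) // raw bytes carried inside the extension's OCTET STRING
		var reason string
		switch {
		case !known && size > maxExtBytes:
			reason = "unknown OID with oversized payload"
		case !known:
			reason = "unknown OID"
		case size > maxExtBytes:
			reason = "oversized payload"
		default:
			continue
		}
		findings = append(findings, Finding{OID: oid, Size: size, Critical: ext.Critical, Reason: reason})
	}
	return findings, nil
}

// placeholderOID is a private-arc OID used only for the constructed sample
// below; it is an assumption for this example, not an identifier from the report.
var placeholderOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}

// BuildSampleCert creates a constructed self-signed certificate for testing.
// When extra is non-nil it is embedded verbatim as a private extension, which
// is the kind of certificate the inspector is meant to flag.
func BuildSampleCert(extra []byte) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "sample.test"},
		DNSNames:              []string{"sample.test"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
	}
	if extra != nil {
		tmpl.ExtraExtensions = []pkix.Extension{{Id: placeholderOID, Value: extra}}
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

func main() {
	for _, tc := range []struct {
		name  string
		extra []byte
	}{{"benign", nil}, {"suspect", make([]byte, 2048)}} {
		der, err := BuildSampleCert(tc.extra)
		if err != nil {
			panic(err)
		}
		findings, err := InspectCertExtensions(der)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s certificate: %d finding(s)\n", tc.name, len(findings))
		for _, f := range findings {
			fmt.Printf("  oid=%s size=%d critical=%v reason=%s\n", f.OID, f.Size, f.Critical, f.Reason)
		}
	}
}
```

    In a monitoring pipeline the same function would run over certificates captured from TLS handshakes rather than constructed ones; the allow-list should be tuned to what the organisation's own servers and CAs actually issue, since proprietary extensions from legitimate vendors will otherwise show up as findings.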

  35. Tomi Engdahl says:

    SSL Increasingly Abused by Malware, Phishing: Report

    There has been a significant increase in the number of phishing and malware attacks abusing SSL and TLS technology, according to Zscaler’s SSL Threat Report for the second half of 2017.

    In the first half of 2017, Zscaler’s products blocked roughly 600,000 threats hidden in encrypted traffic every day, but that number grew to 800,000 in the second half of the year, which represents an increase of 30 percent.

  36. Tomi Engdahl says:

    Cybersecurity in an IoT and mobile world: The key trends

    As ever more mobile and IoT devices connect to the internet, the potential for damaging cyberattacks can only increase. How can organisations begin to get the upper hand over the burgeoning cast of ‘bad actors’?

    As each new technology appears, manufacturers and service providers rush to bring products to market, often without due consideration for security. Inevitably, ‘bad actors’ — including low-level hackers, organised criminals, ‘hacktivists’ and nation states — exploit the resulting vulnerabilities, stealing or compromising data, denying access to services or causing other kinds of cyber-mayhem. In due course, the tech industry gets its security act together in areas such as threat intelligence, firewalling, endpoint protection, intrusion detection, incident response, network and application architecture, best practices and user education. Governments may also weigh in with laws and regulations, and the insurance industry picks up the pieces. Eventually, some sort of order is restored.

    But cybersecurity remains, and will probably always remain, an arms race — especially in the early stages of an innovation cycle.

    So what’s the state of play today, and what’s in store down the line?

  37. Tomi Engdahl says:

    Huawei: National security concerns not a blank cheque for public policy decisions

    Speaking to a joint Australian Parliament committee on the digital economy, Huawei has said national security cannot be used to ‘disguise protectionism’ for every public policy decision by governments globally.

    While national security concerns are important for governments globally, Huawei has argued that they cannot be used as “talismanic” exceptions for all public policy decisions.

    Speaking to the Joint Standing Committee on Trade and Investment Growth on Friday afternoon, Huawei Technologies VP of Global Government Affairs Simon Lacey said that governments are becoming more aware of both the benefits and risks of a connected world.

  38. Tomi Engdahl says:

    It’s 2018. Do You Know Where Your Data Are?

    Expect the top IoT agenda in 2018 to be “transparency” for collected data. People will want to know where their data is being moved, who’s using it, and what for.

    We’ve always suspected that the real motivation behind the Internet of Things (IoT) is new revenue opportunities that IoT promises to deliver to the business community.

    After all, IoT lets data aggregators, service providers, tech companies, cities and federal governments monetize data sucked into billions of connected devices.

    By 2017, big data was already a given, at least in concept if not universally in practice. Cisco is just one company expecting to surf the tide of IoT and big data.

    Speaking of a platform called “Cisco Kinetic,” Jahangir Mohammed, vice president and general manager of IoT, said: “Cisco Kinetic is a cloud-based platform that helps customers extract, compute and move data from connected things to IoT applications to deliver better outcomes and services.”

  39. Tomi Engdahl says:

    Debating Slaughterbots and the Future of Autonomous Weapons

    Stuart Russell, Anthony Aguirre, Ariel Conn, and Max Tegmark recently wrote a response to my critique of their “Slaughterbots” video on autonomous weapons. I am grateful for their thoughtful article. I think this kind of dialogue can be incredibly helpful in illuminating points of disagreement on various issues, and I welcome the exchange. I think it is particularly important to have a cross-disciplinary dialogue on autonomous weapons that includes roboticists, AI scientists, engineers, ethicists, lawyers, human rights advocates, military professionals, political scientists, and other perspectives because this issue touches so many disciplines.

  40. Tomi Engdahl says:

    How Machine Learning And Other Tech Trends Will Disrupt Cyber Security In 2018

    This estimated valuation reflects a significant rise from last year, in which the market value reached $137.8 billion worldwide in 2017, marking an impressive Compound Annual Growth Rate of 11%.

    The emergence of mobile platforms and cloud-based enterprise apps, coupled with the increased adoption of advanced technologies such as fingerprint identification and biometrics have collectively fueled a notable spike in the space.

  41. Tomi Engdahl says:

    Open source software security challenges persist, but the risk can be managed

    Using open source components saves developers time and companies money. In other words, it’s here to stay. Here’s a look at what it will take to improve open source security.

  42. Tomi Engdahl says:

    Software Defined Radio Attack Tool: RFCrack

    RFCrack is my personal RF test bench; it was developed for testing RF communications between any physical devices that communicate over sub-GHz frequencies: IoT devices, cars, alarm systems etc. Testing was done with the Yardstick One on OSX, but RFCrack should work fine in Linux.

  43. Tomi Engdahl says:

    UQDS: A software-development process that puts quality first

    Ultimate Quality Development System is key to software project Twisted’s ability to release stable, reliable code.

  44. Tomi Engdahl says:

    The rise of chaos engineering

    How do you build reliable software? It is a question that has been at the top of my mind the past few weeks, as I seem to be increasingly confronted by software that just doesn’t work anymore. Bugs, crashes, errors, data leaks: they are so common in our every day lives that they can seem completely unremarkable.

  45. Tomi Engdahl says:

    The best VPN for Linux in 2018

    Which are the top providers for penguin privacy?

  46. Tomi Engdahl says:

    Why Linux is better than Windows or macOS for security

    Decisions made years ago about which operating system to roll out can affect corporate security today. Of the big three in widespread use, one can credibly be called the most secure.

    Enterprises invest a lot of time, effort and money in keeping their systems secure. The most security-conscious might have a security operations center. They of course use firewalls and antivirus tools. They probably spend a lot of time monitoring their networks, looking for telltale anomalies that could indicate a breach. What with IDS, SIEM and NGFWs, they deploy a veritable alphabet of defenses.

    But how many have given much thought to one of the cornerstones of their digital operations: the operating systems deployed on the workforce’s PCs? Was security even a factor when the desktop OS was selected?

  47. Tomi Engdahl says:

    How a Tiny Startup Became the Most Important Hacking Shop You’ve Never Heard Of

    Inside the secretive industry that helps government hackers get around encryption.

    At first glance, Azimuth Security looks like any other bustling startup.

    The story of this little-known company provides a rare peek inside the secretive exploit trade, which is populated with military contractors, individual researchers, and boutique high-end hacking shops like Azimuth. While the trade is commonly painted as a wild west full of mercenaries who sell hacking tools to whoever can afford them, over a dozen well-placed sources described an overlooked section of the industry that focuses on supplying to a select group of democratic governments, rather than authoritarian regimes.

  48. Tomi Engdahl says:

    Security Awareness Training Top Priority for CISOs: Report

    Thirty-five percent of CISOs in the financial sector consider staff training to be the top priority for cyber defense. Twenty-five percent prioritize infrastructure upgrades and network defense.

    The Financial Services Information Sharing and Analysis Center (FS-ISAC) polled more than 100 of its 7,000 global members to produce the first of its planned annual CISO Cybersecurity Trends Study. ISACs are non-profit organizations, usually relevant to individual critical infrastructure sectors, designed to share threat information among their members and with relevant government agencies.

    “I think that speaks to CISOs seeing first-hand how their largest risks of breach rest in the people component vs. the product or process components,” he suggests. “Executives and Boards cannot underestimate the need for a robust security culture inside their organizations; and the way that you achieve that is through proper education and training.”
