Security trends for 2014

Year 2014 will be a year of cybersecurity after the NSA revelations made in 2013. The headline news is that the NSA has surreptitiously “burrowed its way into nearly all the security architecture” sold by the world’s largest computer networking companies. A lot of people were shocked by how the NSA monitored and hacked almost everything on the Internet. There will still be NSA aftershocks as new material comes out and different parties react to it (and news sources write about it). U.S. cloud services have been put into question for good reason. There will be a lot of NSA spying litigation. Those spying issues will also fuel some hacktivism (it has already started to happen).

The Security Professionals: Top Cyber Threat Predictions for 2014 article lists the following predictions, which seem pretty probable: Cybersecurity Regulatory Efforts Will Spark Greater Need for Harmonization, Service-Impacting Interruptions for Online Services Will Persist, We Will See an Increase in Cybercrime Activity Related to the World Cup, Rise of Regional Cloud Services, Dev-Ops Security Integration Fast Becoming Critical, Cybercrime that Leverages Unsupported Software will Increase, Increase in Social Engineering and Ransomware will Impact More People.

Ubiquitous mobile computing is all around us, which will lead to increased risks and concerns about social network privacy. Social networks have quickly become the key organizing principle of Internet communication and collaboration. Android anti-virus apps CAN’T kill nasties on sight like normal AV.

2013 was a heavily hacked year, with many cases where information on millions or tens of millions of users was stolen from companies. It’s likely that we will see much more of the same in 2014, since the way people use passwords and the way on-line services are built have not changed much in one year.


Gartner predicts that through 2014, improved JavaScript performance will begin to push HTML5 and the browser as a mainstream enterprise application development environment. I expect HTML5-related security issues to increase because the technology is being used more in 2014.

Over 50% of net traffic to web sites is made by bots! The More Than Half of Internet Traffic Is Just Bots article says that security and cloud service provider Incapsula analyzed traffic and found that more than 60 percent of internet traffic is computer generated, compared to less than 40 percent that is driven by human clicks. 31% of bots are still malicious. SEO link building has always been a major motivation for automated link spamming, but it is decreasing because Google has been able to discourage it. There is more advanced hacking and automated vulnerability searching.

DDoS attacks are evolving from volumetric Layer 3-4 attacks to much more sophisticated and dangerous Layer 7 multi-vector threats.

There will still be many SCADA security issues in 2014. Even though traditional SCADA vulnerabilities have become easier to find, the increased connectivity brought by IoT will cause new issues. And there will still be very many control systems openly accessible from the Internet to practically everybody who knows how to look for them. A large number of SCADA systems were found open on the Internet at the beginning of 2013, and the numbers have not dropped considerably during the year. I expect that very many of those systems will still be too open at the end of 2014.

The Internet is expanding into enterprise assets and consumer items such as cars and televisions. The Internet of Things (IoT) will evolve into the Web of Things, increasing the coordination between things in the real world and their counterparts on the Web. There will be many security issues to solve, and as these systems become more widely used, more security issues will be found in them.

Cloud security will be talked about. Hopefully there will be some clean-up of the terminology in that area, because “cloud security”, like the term “cloud computing”, can mean a lot of things. Cloud security could mean how secure your cloud provider is; a service running in the cloud that filters what passes through it (for example e-mails or web traffic); a product protecting some service running in the cloud; or a traditional anti-virus product that connects to the cloud to improve its operation (for example updating in real time, or verifying unknown programs based on data in the cloud). Research firm Gartner forecasts that cloud security sales will increase dramatically in the next few years. Cloud security sales have increased over the past year by 2.1 billion to $3.1 billion in 2015.

Marketers try to put the “cloud” term into security product brochures as much as they can. The cloud makes traditional information security sound old-fashioned, because companies are under pressure to move services to the cloud. Mobile devices and dispersed users also set new standards for information security. OpenDNS’s CTO Dan Hubbard says that “Because the data and equipment run in the cloud, the cloud is the best way to protect users.” The Snowden Effect will also bring PRIVATE cloud talk onto the table this year for security reasons, because U.S. cloud services have been put into question for good reason.

In Finland a new Cyber Security Center started in the beginning of 2014. Security articles and warnings from it will be published at kyberturvallisuuskeskus.fi.

Late addition: Crypto-currencies like Bitcoin and similar are on the rise. Early adopters already use them actively. Those crypto-currencies have many security related issues. The values of the crypto-currencies vary quite a lot, and the value easily drops considerably when they get so used that different governments try to limit their use. Bitcoin is increasingly used as a ransomware payment method. Bitcoins have been stolen lately quite a lot (and I expect that to increase as usage increases); they are stolen from users, from on-line wallets and from exchanges. When more money is involved, more bad guys try to get in to get some of it. Sometimes bad guys do not try to steal your money, but use resources you pay for (your own PC, your server capacity, etc.) to generate money for them without you knowing about it. If you plan to use those crypto-currencies, be careful to understand what you are doing with them: there is a real possibility that you can lose your money, and there is no way that lost money can be recovered.

3,382 Comments

  1. Tomi Engdahl says:

    Psst, Secrets You Share Online Aren’t Always Safe
    What you should consider when using secrecy apps
    http://online.wsj.com/news/articles/SB10001424052702303880604579405020639967010

    A secret is hard to keep on a smartphone.

    Yet sharing secrets—broadcasting them, anonymously, with an app as megaphone—is becoming a pastime for millions. It may seem counterintuitive for a generation that has grown up with social networks that tie their names to photos stored forever online. But using apps like Secret, Whisper and Ask.fm, nameless people offer frank glimpses of their lives, glimpses they keep out of Facebook.

    As we bare our souls, the question is: Can apps keep our secrets anonymous?

    What we found was that none of the apps can guarantee anonymity. Instead, there are trade-offs in privacy and safety. It can be hard to know which apps to trust, but there are three factors to keep in mind: what information you’re comfortable sharing, which company might best protect your data, and which acts the most responsibly when users are in trouble.

    Reply
  2. Tomi Engdahl says:

    Inside Japan’s Bitcoin Heist
    A former Mt. Gox employee says incompetent management and faulty accounting—not virtual robbers—are the real culprits in the missing millions.
    http://www.thedailybeast.com/articles/2014/02/27/inside-japan-s-bitcoin-heist.html

    Bitcoin, the virtual currency that has been racing toward acceptance as a genuine currency, had a colossal setback this past Tuesday, when a major Bitcoin exchange, Mt. Gox, based in Tokyo, went off-line.

    The Daily Beast was able to speak with a former employee of Mt. Gox, on the condition of anonymity, due to a nondisclosure agreement with the company.

    According to the former employee’s testimony and other expert analysis, it seems very likely that the collapse of Mt. Gox was not a criminal fraud but the result of poor management, faulty accounting, and system bugs that went unfixed many months after being recognized by the CEO himself. The final nail in the coffin was the unauthorized release of an internal document that was supposed to serve as the groundwork for saving the company. It is unclear who leaked the document—which was an unfinished draft of a plan of action.

    “Mt. Gox kept 90 percent of their Bitcoins in cold storage—in paper wallets and USB keys. They rented safety-deposit boxes in banks and when they needed to refill the transaction accounts, they took the Bitcoins out of storage, and deposited them into the system. Well, there was no reconciliation in the accounting sense between the cold storage and the transactions done. As long as money was coming in at a steady pace, no one realized that actually they had been losing huge amounts of Bitcoin. And when they did—all hell broke loose.”

    Reply
  3. Tomi Engdahl says:

    Join the Challenge: Secure the Internet of Things
    http://blogs.cisco.com/security/join-the-challenge-secure-the-internet-of-things/

    We’re connecting more of our world every day through smart, IP-enabled devices ranging from home appliances, healthcare devices, and industrial equipment. These new connected devices are offering new ways to share information and are changing the way we live. This technology transformation is what we call the Internet of Things (IoT) – and it is evolving daily.

    With this in mind, Cisco is launching the Internet of Things Security Grand Challenge. We’re inviting you — the global security community — to propose practical security solutions across the markets being impacted daily by the IoT.

    the Challenge offers up to US$300,000 in prize money

    Reply
  4. Tomi Engdahl says:

    Teen’s Facebook brag costs dad $80,000 lawsuit settlement
    http://www.bbc.com/news/blogs-echochambers-26393546

    The story has writers drawing conclusions about the foolishness of today’s youth and the perils of social media.

    “Remember when all you had to worry about was your daughter posting naked selfies of herself on Facebook?” he writes. “Now, things are worse.”

    Reply
  5. Tomi Engdahl says:

    Cisco kicks off $300k Internet of Things security competition
    Borg wants an Internet of secure things and wants you to do the heavy thinking
    http://www.theregister.co.uk/2014/03/03/cisco_kicks_off_iot_security_comp/

    Anyone who watches the procession of SCADA vulnerabilities, the exposures discoverable through the Shodan search engine, or the recent bugs popping up in cars, routers, home automation and (maybe) smart appliances knows that the Internet of Things is a security minefield.

    participants have until June 17 2014 to put forward proposals for dealing with Internet of Things security

    Reply
  6. Tomi Engdahl says:

    How to foil the NSA and GCHQ with strong encryption
    Column Now is the time to secure your communications
    http://www.theinquirer.net/inquirer/opinion/2331668/how-to-foil-the-nsa-and-gchq-with-strong-encryption

    THE MOST INTERESTING DEVICE shown at Mobile World Congress (MWC) in Barcelona this week was the secure Blackphone developed by Silent Circle and Geeksphone.

    The Blackphone features anonymous search, automatic disabling of non-trusted WiFi hotspots, and private texting, calling and file transfer capabilities. It’s available to the general public, and bundles additional security features that apparently go beyond the basic messaging security provided by Blackberry to enterprise customers in its Blackberry Messaging (BBM) service.

    Whether or not you’re interested in the Blackphone to secure your phone calls and messages from unwarranted snooping by government intelligence agencies in the US, UK and elsewhere, there are other measures you can take to keep your private communications secure from the prying Five Eyes and others, and these have become easier to use in recent years.

    There’s Pretty Good Privacy (PGP) for email as implemented by the OpenPGP Alliance and the GnuPG project for all major operating systems, including Windows, Mac OS X, Linux, BSD, Android and iOS. There are also a number of secure email service providers.

    For online chat, there’s the Off The Record (OTR) plugin for Pidgin with several implementations.

    Reply
  7. Tomi Engdahl says:

    Another example of foolishness of today’s youth and the perils of social media:

    The boy’s video demonstration leaked flagship model – HTC dismissed the father

    HTC has apparently fired the employee because the son posted online video demonstration of HTC’s as yet unpublished flagship model to YouTube.

    Sources:
    http://www.tietoviikko.fi/kaikki_uutiset/poika+vuoti+lippulaivamallista+videosittelyn++htc+erotti+isan/a971658
    http://vr-zone.com/articles/htcs-jeff-gordon-bullies-new-htc-one-leaker/73221.html
    http://www.youtube.com/watch?v=ivOspWGlMdk

    Reply
  8. Tomi Engdahl says:

    The State of Smartphones in 2013, Part III: How the experts use their phones
    Tips, tweaks, and cool apps from folks who spend all day, every day, on their phones.
    http://arstechnica.com/gadgets/2013/12/the-state-of-smartphones-in-2013-part-iii-how-the-experts-use-their-phones/

    Reply
  9. Tomi Engdahl says:

    The Inside Story of Mt. Gox, Bitcoin’s $460 Million Disaster
    http://www.wired.com/wiredenterprise/2014/03/bitcoin-exchange/

    From a distance, the world’s largest bitcoin exchange looked like a towering example of renegade entrepreneurism. But on the inside, according to some who were there, Mt. Gox was a messy combination of poor management, neglect, and raw inexperience.

    Its collapse into bankruptcy last week — and the disappearance of $460 million, apparently stolen by hackers, and another $27.4 million missing from its bank accounts

    McCaleb had registered the Mtgox.com web domain in 2007 with the idea of turning it into a trading site for the wildly popular Magic: The Gathering game cards. He never followed through on that idea, but in late 2010, McCaleb decided to repurpose the domain as a bitcoin exchange. The idea was simple: he’d provide a single place to connect bitcoin buyers and sellers.

    sold the site to Karpeles, an avid programmer, foodie, and bitcoin enthusiast

    Karpeles soon set about rewriting the site’s back-end software, eventually turning it into the world’s most popular bitcoin exchange.

    But beneath it all, some say, Mt. Gox was a disaster in waiting.

    Mt. Gox, he says, didn’t use any type of version control software

    According to this developer, the world’s largest bitcoin exchange had only recently introduced a test environment, meaning that, previously, untested software changes were pushed out to the exchanges customers — not the kind of thing you’d see on a professionally run financial services website.

    By the fall of 2013, Mt. Gox’s business was also a mess.

    Reply
  10. Tomi Engdahl says:

    Russians Suspected In ‘Uroburos’ Digital Espionage Attacks
    http://www.techweekeurope.co.uk/news/russian-intelligence-uroburos-malware-140494

    Russian intelligence linked to super-sophisticated rootkit targeting high-profile organisations and nation states

    G-Data said Uroburos was “one of the most advanced rootkits we have ever analysed in this environment”.

    It works on both 32-bit and 64-bit Microsoft Windows machines, again pointing to a well-funded effort. It’s likely the Uroburos attacks went undetected for at least three years, as a sample of a rootkit driver was dated back to 2011.

    “We believe that the team behind Uroburos has continued working on even more advanced variants, which are still to be discovered,” G-Data added.

    Reply
  11. Tomi Engdahl says:

    Police hid use of cell phone tracking device from judge because of NDA
    Use of a cell phone tracker is kept secret at manufacturer’s request.
    http://arstechnica.com/tech-policy/2014/03/police-hid-use-of-cell-phone-tracking-device-from-judge-because-of-nda/

    A police department in Florida failed to tell judges about its use of a cell phone tracking tool “because the department got the device on loan and promised the manufacturer to keep it all under wraps,” the American Civil Liberties Union said in a blog post today.

    The device was likely a “Stingray,” which is made by the Florida-based Harris Corporation. Stingrays impersonate cell phone towers in order to compel phones to “reveal their precise locations and information about all of the calls and text messages they send and receive,” the ACLU noted. “When in use, stingrays sweep up information about innocent people and criminal suspects alike.”

    Reply
  12. Tomi Engdahl says:

    London firm at centre of hack redirecting 300,000 routers
    http://www.pcpro.co.uk/news/security/387385/london-firm-at-centre-of-hack-redirecting-300-000-routers

    Florida-based security firm Team Cymru said it was examining a “widespread compromise” of consumer and small office/home office (SOHO) routers in Europe and Asia.

    In January, the firm uncovered a “SOHO pharming” campaign that had overwritten DNS settings on 300,000 routers. That allows attackers to redirect traffic to sites and domains controlled by them, “effectively conducting a man-in-the-middle attack,” the company’s report said.

    “If [your router's] been hijacked and is pointing to someone else’s DNS server, you really have no trust over what you’re actually getting – you could be getting the bad guy’s version of Google, or your bank site,”

    Cymru’s Santorelli stressed that the router attack was serious. “It’s not new as an issue to the InfoSec community but this is one of the biggest we’ve seen recently as it’s quite insidious,” he said.

    The attack affects devices from several manufacturers, the firm said, adding that “consumer unfamiliarity” with configuring routers and weak default settings makes the devices a “very attractive target”.

    “It’s about the people who write the original firmware… this is ubiquitous firmware,” he said. “It’s on all these very good value, cheap routers – it’s really a firmware vendors’ problem than a hardware manufacturers’ problem.”

    Reply
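The router hijack described in the comment above works by silently replacing the DNS servers a network hands out. A defender-side check for that is to compare the resolvers actually configured against the ones the network owner expects. The following is an added C example, not code from the article or from Team Cymru: it parses resolver configuration text in /etc/resolv.conf format and counts every `nameserver` entry that is not on an allow-list. The addresses, sample configurations and the function names are constructed for the demo.

```c
/* Added example (not from the article or Team Cymru): report resolver
 * entries that are not on an allow-list of expected DNS servers.
 * Sample data and addresses below are constructed for the demo. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define MAX_LINE 256

/* Returns 1 if `addr` is one of the `n_allowed` expected resolvers. */
static int is_allowed(const char *addr, const char *const *allowed, size_t n_allowed)
{
    for (size_t i = 0; i < n_allowed; i++)
        if (strcmp(addr, allowed[i]) == 0)
            return 1;
    return 0;
}

/* Scans resolv.conf-style text and counts "nameserver" entries whose
 * address is not on the allow-list. If `report` is non-NULL, each
 * unexpected address is printed to it. Returns -1 if a line is too long
 * to parse safely, so a truncated line is never silently accepted. */
int count_unexpected_nameservers(const char *conf, const char *const *allowed,
                                 size_t n_allowed, FILE *report)
{
    int unexpected = 0;
    const char *p = conf;

    while (*p) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        if (len >= MAX_LINE)
            return -1;
        char line[MAX_LINE];
        memcpy(line, p, len);
        line[len] = '\0';
        p = eol ? eol + 1 : p + len;

        /* Skip leading whitespace, comments and blank lines. */
        char *s = line;
        while (isspace((unsigned char)*s))
            s++;
        if (*s == '\0' || *s == '#' || *s == ';')
            continue;

        /* First word is the keyword, second is its value. */
        char *keyword = strtok(s, " \t");
        char *value = strtok(NULL, " \t");
        if (!keyword || !value || strcmp(keyword, "nameserver") != 0)
            continue;

        if (!is_allowed(value, allowed, n_allowed)) {
            unexpected++;
            if (report)
                fprintf(report, "unexpected resolver: %s\n", value);
        }
    }
    return unexpected;
}

int main(void)
{
    /* Constructed allow-list: the resolvers this network is supposed to use. */
    const char *const allowed[] = { "192.0.2.53", "192.0.2.54" };
    const char *clean =
        "# generated by DHCP (constructed sample)\n"
        "search lan.example\n"
        "nameserver 192.0.2.53\n"
        "nameserver 192.0.2.54\n";
    const char *hijacked =
        "search lan.example\n"
        "nameserver 203.0.113.7\n"   /* not on the allow-list */
        "nameserver 192.0.2.53\n";

    printf("clean config: %d unexpected\n",
           count_unexpected_nameservers(clean, allowed, 2, stdout));
    printf("hijacked config: %d unexpected\n",
           count_unexpected_nameservers(hijacked, allowed, 2, stdout));
    return 0;
}
```

On a router the same comparison applies to the DNS servers the device pushes out over DHCP; the allow-list is whatever the owner or ISP actually configured, and any other address is worth investigating.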
  13. Tomi Engdahl says:

    MtGox: Yup, we’re pretty sure your Bitcoin were stolen. Sorry about that.
    Call centre is still not answering the phone
    http://www.theregister.co.uk/2014/03/04/mtgox_sorry_about_your_bitcoin_we_got_p0wned_real_bad/

    “Approximately 750,000 Bitcoins DEPOSITED by users and Approximately 100,000 Bitcoins Belonging to U.S. had Disappeared.”

    The statement goes on to say MtGox’s operators are pretty sure they disappeared “as a result of an abuse of this bug”

    Reply
  14. Tomi Engdahl says:

    Book Review: Threat Modeling: Designing For Security
    http://books.slashdot.org/story/14/03/02/1748257/book-review-threat-modeling-designing-for-security

    Rather than letting clueless Washington bureaucrats define threats, the book details a formal system in which you can understand and particularize the unique threats your organizations faces.

    In the introduction, Shostack sums up his approach in four questions:
    1. What are you building?
    2. What can go wrong with it once it’s built?
    3. What should you do about those things that can go wrong?
    4. Did you do a decent job of analysis?

    The remaining 600 densely packed pages provide the formal framework needed to get meaningful answers to those questions. The book sets a structure in which to model threats, be it in software, applications, systems, software or services, such as cloud computing.

    Reply
  15. Tomi Engdahl says:

    Ukraine hit by cyberattacks: head of Ukraine security service
    http://www.reuters.com/article/2014/03/04/us-ukraine-crisis-telecoms-idUSBREA230Q920140304

    “I confirm that an IP-telephonic attack is under way on mobile phones of members of Ukrainian parliament for the second day in row,” Valentyn Nalivaichenko told a news briefing.

    Reply
  16. Tomi Engdahl says:

    Critical crypto bug leaves Linux, hundreds of apps open to eavesdropping
    This GnuTLS bug is worse than the big Apple “goto fail” bug patched last week.
    http://arstechnica.com/security/2014/03/critical-crypto-bug-leaves-linux-hundreds-of-apps-open-to-eavesdropping/

    Hundreds of open source packages, including the Red Hat, Ubuntu, and Debian distributions of Linux, are susceptible to attacks that circumvent the most widely used technology to prevent eavesdropping on the Internet, thanks to an extremely critical vulnerability in a widely used cryptographic code library.

    The bug in the GnuTLS library makes it trivial for attackers to bypass secure sockets layer (SSL) and Transport Layer Security (TLS) protections available on websites that depend on the open source package.

    The bug is the result of commands in a section of the GnuTLS code that verify the authenticity of TLS certificates, which are often known simply as X509 certificates.

    Security researchers are still studying the vulnerability and assessing its effect on the wide array of OSes and applications that depend on GnuTLS.

    Reply
  17. Tomi Engdahl says:

    Bitcoin bank Flexcoin shuts down after theft
    http://www.reuters.com/article/2014/03/04/us-bitcoin-flexcoin-idUSBREA2329B20140304

    Bitcoin bank Flexcoin said on Tuesday it was closing down after it lost bitcoins worth about $600,000 to a hacker attack.

    Flexcoin said in a message posted on its website that all 896 bitcoins stored online were stolen on Sunday.

    Mt. Gox, once the world’s biggest bitcoin exchange, filed for bankruptcy protection in Japan on Friday, saying it may have lost some 850,000 bitcoins due to hacking into its faulty computer system.

    Bitcoin bank Flexcoin shuts down after massive theft
    http://www.pcworld.com/article/2104400/bitcoin-bank-flexcoin-shuts-down-after-massive-theft.html

    The company will shut down immediately because it does not have the resources or assets to recuperate from the loss, it said. Flexcoin will work with law enforcement to determine the origins of the attack.

    According to that document, Flexcoin transactions were carried out using HTTPS encryption but the company “is not responsible for insuring any bitcoins stored in the Flexcoin system.”

    Bitcoin Bank Flexcoin Shuts Down After $620,000 Heist
    http://gizmodo.com/bitcoin-bank-flexcoin-shuts-down-after-620-000-heist-1535960407

    To Flexcoin’s credit, it wasn’t completely cleaned out by hackers. Hackers did clean out Flexcoin’s hot wallet, but an undisclosed number of bitcoins in cold storage were untouched. “Cold storage” simply means that the bitcoins were kept in computers not connected to the internet, an extra level of security for which customers pay an extra 0.5 percent. Flexcoin will give those bitcoins back to customers.

    If this sounds like a familiar story, that’s because it is. On Tuesday, another bitcoin firm called Polonix also admitted that hackers broke in and stole 12.5 percent of its reserves, though it plans on replenishing the lost ‘coin itself.

    Reply
  18. Tomi Engdahl says:

    Japan to regulate Bitcoin trades, impose taxes
    http://asia.nikkei.com/Politics-Economy/Policy-Politics/Japan-to-regulate-Bitcoin-trades-impose-taxes

    The Japanese government will set rules for trading bitcoins, defining the virtual tender not as a currency but as a commodity akin to gold.

    Gains from trading bitcoins on online exchanges, and purchases made with them will be subject to Japanese tax. Banks will be prohibited from handling them, and securities firms will be barred from brokering Bitcoin trades.

    Japan will become the first major economy to attempt to regulate the virtual currency and may prompt others to move in the same direction. Last week, Mt. Gox, a Tokyo-based Bitcoin exchange, filed for bankruptcy, drawing attention to the issue of protecting users.

    Reply
  19. Tomi Engdahl says:

    Ukraine Crisis: Cyber War with Russia Heating up
    http://www.ibtimes.co.uk/ukraine-crisis-cyber-war-russia-heating-1438890

    If you think the crisis in the Ukraine is limited just to being on the ground, think again. A cyberwar is flaring up between Ukraine and Russia and it looks like this is only the beginning.

    The first blow came on 28 February when a group of unidentified men took control of several communications centres in Crimea, which are maintained by Ukraine’s telecom provider Ukrtelecom JSC.

    Ukrainian hackers or sympathisers have been getting busy themselves, hacking the website of Russian state-funded news channel RT

    A group of hackers in Ukraine who call themselves “Cyber-Berkut” have boasted about defacing at least 40 Russian news websites on their Facebook page

    While this is the extent of the cyber-attacks that we have learned of so far, the worry is that Russia could expand its military activity to include distributed-denial-of-service (DDoS) attacks to bring down crucial Ukrainian servers, the way they have done during other conflicts.

    During the 2008 South Ossetia war with Georgia, DDoS attacks were used

    Reply
  20. Tomi Engdahl says:

    New design flaw found in crypto’s TLS: Pretend to be a victim online
    Researchers reveal way to hoodwink encryption protocol – and how to fix it
    http://www.theregister.co.uk/2014/03/05/tls_authentication_broken_again/

    Security researchers have developed a new man-in-the-middle attack against the cryptographic protocol TLS – a protocol that is used to encrypt online banking and shopping, and other sensitive connections, to thwart eavesdroppers.

    The so-called Triple Handshake attack can, in certain conditions, outwit vital checks carried out to verify the identity of a user connecting to a server over a secure connection.

    The attack also has implications for the security of SSL (Secure Sockets Layer), the still widely used predecessor to TLS (Transport Layer Security), as the researchers explain on their website

    “Let me stress that the attacks we found exploit a protocol-level issue, and not specific implementation bugs,” Pironti told El Reg.

    “We also propose short-term application-level mitigation, but we aim at getting the protocol fixed, which would solve the issue at its root.”

    Reply
  21. Tomi Engdahl says:

    GNU security library GnuTLS fails on cert checks: Patch now
    Many eyes missed bug for many years
    http://www.theregister.co.uk/2014/03/05/gnu_security_library_gnutls_fails_on_cert_checks_patch_now/

    According to this Red Hat advisory: “It was discovered that GnuTLS did not correctly handle certain errors that could occur during the verification of an X.509 certificate, causing it to incorrectly report a successful verification. An attacker could use this flaw to create a specially crafted certificate that could be accepted by GnuTLS as valid for a site chosen by the attacker.”

    Red Hat has issued a patch for its users, and for everyone else, the GnuTLS team has a patch available for 2.12.x versions, or you can upgrade to version 3.2.12.

    Reply
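Comments 16 and 21 above describe the same GnuTLS flaw: an error during X.509 verification was reported as a successful verification. The general bug class is a tri-state result (1 = passed, 0 = failed, negative = internal error) being tested as if it were a boolean, so that an error path looks like success. The following is an added C example, not GnuTLS’s code and not a reproduction of its exact control flow: a hypothetical `check_issuer()` returns that kind of tri-state code, `verify_buggy()` consumes it with the boolean mistake, and `verify_fixed()` shows the correct check. The certificate structure, field names and sample certificates are all constructed for the demo.

```c
/* Added example (not GnuTLS code): an error-path return value mistaken
 * for "verified" when a tri-state result is tested as a boolean.
 * Structures, names and sample certificates are hypothetical. */
#include <stdio.h>
#include <string.h>

/* Tri-state result convention used by many C libraries:
 *   1  -> check passed
 *   0  -> check failed (certificate is not acceptable)
 *  <0  -> internal error (unparsable input, unsupported algorithm, ...) */
#define CHECK_OK      1
#define CHECK_FAILED  0
#define ERR_BAD_DER  -1

/* Constructed, simplified "certificate" with only the fields needed here. */
struct cert {
    const char *subject;
    const char *issuer;
    int signature_valid;  /* 1 if the signature over the cert verifies */
    int parse_error;      /* 1 simulates a certificate that cannot be parsed */
};

/* Checks whether `issuer` is a valid issuer of `c`. Returns the tri-state
 * code above; the negative branch models an error, not a verdict. */
static int check_issuer(const struct cert *c, const struct cert *issuer)
{
    if (c->parse_error || issuer->parse_error)
        return ERR_BAD_DER;                     /* error, NOT a verdict */
    if (strcmp(c->issuer, issuer->subject) != 0)
        return CHECK_FAILED;                    /* wrong issuer: reject */
    return c->signature_valid ? CHECK_OK : CHECK_FAILED;
}

/* Buggy verifier: any non-zero result counts as success, so an internal
 * error (negative) is reported as a verified certificate. */
int verify_buggy(const struct cert *c, const struct cert *issuer)
{
    if (check_issuer(c, issuer))   /* -1 is "true" here */
        return 1;                  /* reported as verified */
    return 0;
}

/* Fixed verifier: only the explicit success value means success;
 * failures and every error code are rejected alike. */
int verify_fixed(const struct cert *c, const struct cert *issuer)
{
    int r = check_issuer(c, issuer);
    if (r != CHECK_OK)
        return 0;
    return 1;
}

int main(void)
{
    /* Constructed sample certificates. */
    struct cert ca     = { "Example Root CA",  "Example Root CA", 1, 0 };
    struct cert good   = { "www.example.test", "Example Root CA", 1, 0 };
    struct cert badsig = { "www.example.test", "Example Root CA", 0, 0 };
    struct cert broken = { "www.example.test", "Example Root CA", 1, 1 };

    printf("good cert:      buggy=%d fixed=%d\n",
           verify_buggy(&good, &ca), verify_fixed(&good, &ca));
    printf("bad signature:  buggy=%d fixed=%d\n",
           verify_buggy(&badsig, &ca), verify_fixed(&badsig, &ca));
    printf("unparsable:     buggy=%d fixed=%d\n",
           verify_buggy(&broken, &ca), verify_fixed(&broken, &ca));
    return 0;
}
```

The point of the pair is the third line of output: the unparsable certificate is rejected by `verify_fixed()` but accepted by `verify_buggy()`, which is the shape of failure the Red Hat advisory quoted above describes. When a function can return more than two states, compare against the success value explicitly rather than relying on truthiness.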
  22. Tomi Engdahl says:

    F-Secure: Android accounted for 97% of all mobile malware in 2013, but only 0.1% of those were on Google Play
    http://thenextweb.com/google/2014/03/04/f-secure-android-accounted-97-mobile-malware-2013-0-1-google-play/#!yushz

    Back in 2012, Android accounted for 79 percent of all mobile malware. Last year, that number ballooned even further to 97 percent.

    Both those data points come from security firm F-Secure, which today released its 40-page Threat Report for the second half of 2013.

    Android threats are primarily a non-US problem

    Despite the extreme focus of malware authors on the Android platform, F-Secure believes it would be incorrect to say that “Google hasn’t been actively making efforts to increase the security of the Android platform.”

    We already know that third-party app stores are the most likely sources of mobile malware. How dire is the situation?

    For the top four stores (Anzhi, Mumayi, Baidu and eoeMarket), which all cater to the mainland Chinese user population that has restricted access to Google Play, less than 10 percent of the samples were identified as malicious. That’s still a worrying figure

    At the very bottom of the list was Google Play itself, with the lowest percentage of malware in the gathered samples: 0.1 percent. F-Secure also noted that “the Play Store is most likely to promptly remove nefarious applications, so malware encountered there tends to have a short shelf life.”

    Reply
  23. Tomi Engdahl says:

    Appeals Court Affirms Ruling in Favor of FTC, Upholds $163 Million Judgment Against ‘Scareware’ Marketer
    http://www.ftc.gov/news-events/press-releases/2014/02/appeals-court-affirms-ruling-favor-ftc-upholds-163-million

    In a victory for the Federal Trade Commission in its efforts to protect consumers from spyware and malware, a federal appeals court has upheld a district court ruling that imposed a judgment of more than $163 million on Kristy Ross for her role in an operation that used computer “scareware” to trick consumers into thinking their computers were infected with malicious software, and then sold them software to “fix” their non-existent problem.

    “This is a huge victory for consumers,”

    Reply
  24. Tomi Engdahl says:

    “Free” Security Scans
    http://www.consumer.ftc.gov/articles/0263-free-security-scans

    Messages telling you to install and update security software for your computer seem to be everywhere. So you might be tempted by an offer of a “free security scan,” especially when faced with a pop-up, an email, or an ad that claims “malicious software” has already been found on your machine. Unfortunately, it’s likely that the scary message is a come-on for a rip-off.

    The free scan claims to find a host of problems, and within seconds, you’re getting urgent pop-ups to buy security software. After you agree to spend $40 or more on the software, the program tells you that your problems are fixed. The reality: there was nothing to fix. And what’s worse, the program now installed on your computer could be harmful.

    Scareware schemes can be quite sophisticated. The scam artists buy ad space on trusted, popular websites. Even though the ads look legitimate and harmless to the website’s operator, they actually redirect unsuspecting visitors to a fraudulent website that performs a bogus security scan.

    Reply
  25. Tomi Engdahl says:

    Apple publicly disclosed terms of its Nokia license while seeking sanctions against Samsung
    http://www.fosspatents.com/2014/03/apple-publicly-disclosed-terms-of-its.html

    Here’s the latest, absolutely stunning development: Apple actually filed the terms of its Nokia license (as well as the terms of a license agreement with NEC) on a publicly-accessible court docket last October, where it remained for about four months until it was finally removed.

    Reply
  26. Tomi Engdahl says:

    Sally Beauty Hit By Credit Card Breach
    http://krebsonsecurity.com/2014/03/sally-beauty-hit-by-credit-card-breach/

    Nationwide beauty products chain Sally Beauty appears to be the latest victim of a breach targeting their payment systems in stores, according to both sources in the banking industry and new raw data from underground cybercrime shops that traffic in stolen credit and debit cards.

    On March 2, a fresh batch of 282,000 stolen credit and debit cards went on sale in a popular underground crime store.

    Fugate said Sally Beauty uses an intrusion detection product called Tripwire, and that a couple of weeks ago — around Feb. 24 — Tripwire detected activity. Unlike other products that try to detect intrusions based on odd or anomalous network traffic, Tripwire fires off alerts if it detects that certain key system files have been modified.

    All of the banks reported fraud occurring on cards shortly after they were used at Sally Beauty, in the final week of February and early March.

    Reply
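The Tripwire behaviour described in the comment above (alerting on modified key system files rather than on anomalous traffic) boils down to comparing a stored hash baseline against the current state. The following is an added example, not Tripwire's code or anything from the Sally Beauty investigation; the monitored tree and the tampering scenario are constructed inline.

```python
"""Minimal Tripwire-style file-integrity monitor (added example).

Builds a baseline of SHA-256 digests for every file under a root, then
reports files whose content changed, vanished, or newly appeared.  The
demo deliberately tampers with a file without changing its size, which
is why content hashes rather than sizes or timestamps are compared.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash file content in chunks so large binaries are not read into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each regular file under root (POSIX-style relative path) to digest and size."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            baseline[rel] = {"sha256": sha256_file(p), "size": p.stat().st_size}
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Return the three classes of change a file-integrity alert would report."""
    old, new = set(baseline), set(current)
    return {
        "modified": sorted(f for f in old & new
                           if baseline[f]["sha256"] != current[f]["sha256"]),
        "removed": sorted(old - new),
        "added": sorted(new - old),
    }


def demo() -> dict:
    """Constructed scenario: baseline a small tree, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "pos.exe").write_bytes(b"original payment app")
        (root / "etc" / "pos.conf").write_text("mode=secure\n")
        baseline = build_baseline(root)

        # Constructed tampering: same length as before, so a size-only
        # check would miss it; one file deleted; one unexpected file added.
        (root / "bin" / "pos.exe").write_bytes(b"original payment apX")
        (root / "etc" / "pos.conf").unlink()
        (root / "bin" / "extra.dll").write_bytes(b"unexpected new library")

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

In a real deployment the baseline would be written out and protected (signed or kept off-host), since an attacker who can rewrite the baseline can silence the alert.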
  27. Tomi Engdahl says:

    Behold Arscoin, our own custom cryptocurrency!
    And you can mine them to buy fancy hats!
    http://arstechnica.com/business/2014/03/behold-arscoin-our-own-custom-cryptocurrency/

    Arscoin is one of around 100 or so “altcoins,” or alternative bitcoins, derived from the same source code as the original cryptocurrency.

    The existing Bitcoin community has an inherent distrust of many altcoins. Bitcoin forums are replete with discussions of “pump and dump” scams, where the originators of a new altcoin might “pre-mine” coins, release their currency to the general public, and market their hot new cryptocurrency hard in order to drive the price up. Then the creators simply sell off their coins at a profit and walk away. It’s one of the oldest financial tricks in the book.

    Reply
  28. Tomi Engdahl says:

    A vast hidden surveillance network runs across America, powered by the repo industry
    http://betaboston.com/news/2014/03/05/a-vast-hidden-surveillance-network-runs-across-america-powered-by-the-repo-industry/

    Sousa’s unmarked car is part of a technological revolution that goes well beyond the repossession business, transforming any ­industry that wants to check on the whereabouts of ordinary people.

    An automated reader attached to the spotter car takes a picture of every ­license plate it passes and sends it to a company in Texas that already has more than 1.8 billion plate scans from vehicles across the country.

    These scans mean big money for Sousa — typically $200 to $400 every time the spotter finds a vehicle that’s stolen or in default — so he runs his spotter around the clock, typically adding 8,000 plate scans to the database in Texas each day.

    But Digital Recognition and other so-called “data brokers” who collect plate scans are fighting Hecht and Creem’s bill, arguing that repo agents are not invading privacy when they scan a ­license plate, which is available for all to see.

    Reply
  29. Tomi Engdahl says:

    Alleged Mt.Gox code leaked on IRC node by Russian Hacker (pastebin.com)
    https://news.ycombinator.com/item?id=7332391

    Wow. This code is pretty bad. I mean, it’s bad for a college project. It’s horrible for a company dealing with large sums of money.

    Some random red flags:

    - There’s a class with the name of the application. (Issues: Scope, SRP)

    - There’s a class with 1708 lines of code. (Scope)

    - There’s a switch-case statement that runs over 150 LOC (readability, maintainability)

    - There’s a string parsing function in the same class as transaction processing (Separation of concerns)

    - There are segments of code commented out (are they not using source control?)

    - There’s inlined SQL (maintainability, security)

    - There’s JSON being generated manually & inline (SoC, DRY)

    - There’s XML being generated manually & inline (SoC, DRY)

    - To sum up function _Route_getStats($path): XML production, JSON production, file writing, business logic, SQL commands, HTTP header fiddling, hard coded paging limits, multiple exit points…

    Code
    http://pastebin.com/W8B3CGiN

    Discussion
    http://pastebin.com/cbA09WwA

    Reply
  30. Tomi Engdahl says:

    Cisco patches enterprise wireless vulns
    Everything from DoS to device access
    http://www.theregister.co.uk/2014/03/06/cisco_patches_enterprise_wireless_vulns/

    Cisco has issued patches and mitigation instructions for 16 of its wireless products, to take care of a number of denial of service vulnerabilities and one unauthorised access vulnerability.

    Reply
  31. Tomi Engdahl says:

    Ask Slashdot: Reviewing 3rd Party Libraries?
    http://ask.slashdot.org/story/14/03/05/2015239/ask-slashdot-reviewing-3rd-party-libraries

    “I don’t check libraries for security vulnerabilities. I check websites for information about that, and to see how often the provider is refreshing the library with patches and fixes.
    If I don’t get the feeling that they take their security seriously, I don’t use the library.”

    “Committing to a 3rd party library is a lot like adopting a child. It’s a long term commitment that’s not easily broken, and you can’t ever have a thorough understanding of what the relationship will be like ahead of time.”

    Good security comes from a lot of people’s testing and input. If you investigate a product, you will only be able to categorize it into two categories: “utterly craptastic” and “probably utterly craptastic”.

    Reply
  32. Tomi Engdahl says:

    Target’s technology chief resigns amid breach investigations
    http://www.startribune.com/business/248578631.html

    The retailer is shaking up its information technology management team after last year’s massive cybertheft of customer data.

    In a statement Wednesday, Target Chief Executive Gregg Steinhafel described the search for an interim CIO as a “first step.”

    The management shake-up is Target’s latest response to last year’s monster data breach in which cyberthieves made off with two sets of data, the debit and credit card information of about 40 million shoppers and the partial personal information, such as e-mail addresses, of about 70 million people.

    The company doesn’t know how much overlap there is between the two breaches.

    Reporting year-end earnings last week, Target said it spent $61 million in the fourth quarter on costs related to the cybertheft, but expects insurance to cover $44 million of it. That number is expected to grow substantially.

    Reply
  33. Tomi Engdahl says:

    Cloud Security Concerns Are Overblown, Experts Say
    Security concerns should not deter enterprises from using public cloud technologies when it makes business sense.
    http://www.cio.com/article/748863/Cloud_Security_Concerns_Are_Overblown_Experts_Say?taxonomyId=3024

    Security concerns should not deter enterprises from using public cloud technologies when it makes business sense.

    A panel of practitioners at the RSA Security Conference here this week agreed that if cloud providers are vetted properly, most enterprise workloads and data can be safely migrated to cloud environments.

    “The horse is largely out of the barn,” said John Pescatore, director of research at the SANS Institute. “There is no debate about whether we are going to use the cloud,” he said.

    An Intermap survey of 250 decision makers at medium and large companies found that 40% of those who described themselves as “cloud-wary” cited security as their biggest impediment to adoption. In contrast only about 15% of “cloud-wise” respondents felt the same way.

    Reply
  34. Tomi Engdahl says:

    Even HTTPS can leak your PRIVATE browsing
    ‘Secure’ browsing trapped in a BoG
    http://www.theregister.co.uk/2014/03/06/even_https_can_leak_your_private_browsing/

    HTTPS may be good at securing financial transactions, but it isn’t much use as a privacy tool: US researchers have found that a traffic analysis of ten HTTPS-secured Web sites yielded “personal data such as medical conditions, legal or financial affairs or sexual orientation”.

    Sites tested in the study included healthcare services, banking and finance, legal services, as well as Netflix and YouTube.

    The researchers call their analysis a “Bag of Gaussians” (BoG) “due to similarity with the Bag-of-Words approach to document classification”:

    The attack isn’t trivial: as the authors note, the attacker has to be able to visit the same Web pages as the target, and has to be able to capture the victim’s traffic. That way, the attacker can identify patterns in the encrypted traffic that can be matched against the pages the attacker and victim both visited.

    Reply
  35. Tomi Engdahl says:

    Triple-headed NHS privacy scare after hospital data reach marketers, Google
    ‘Pseudonymised’ data mapped, stored in Google BigQuery, sparking offshore data panic
    http://www.theregister.co.uk/2014/03/04/tripleheaded_nhs_privacy_scare_after_hospital_data_reach_marketers_google/

    The UK’s National Health Service (NHS) and the NHS Information Centre are riding out a three-pronged privacy storm.

    “The NHS Information Centre (NHS IC) signed an agreement to share pseudonymised Hospital Episodes Statistics data with PA Consulting in November 2011.”

    Reply
  36. Tomi Engdahl says:

    Bitcoin’s digital tip jar: Microtransactions reborn
    http://finance.fortune.cnn.com/2014/03/05/bitcoin-microtransactions/

    The digital currency’s low transaction costs may revive a long-frustrated online content model — the paywall.

    Since the mid 1990s, vendors have dreamed of being able to sell music, news, games, and other digital goods online for tiny amounts that would in theory add up to big revenue. But structural barriers including fees from payments processors have stymied the model for nearly two decades, leaving publishers to rely on meager advertising, underperforming subscription models, and expensive centralized stores from Amazon, Apple, and Google.

    Low costs and other features are making bitcoin an attractive basis for resurrecting the micropayments idea. Two startups, Bitwall and Coinlock, could help shift consumer activity away from walled gardens like iTunes and toward a less centralized ecosystem in which independent vendors could offer content at micro-prices, ultimately opening up vast new flows of consumer spending online.

    Reply
  37. Tomi Engdahl says:

    Bitcoin mining botnets and Windows XP threats are booming, says Dell Sonicwall
    There are 10 malware infections for every person on the planet
    http://www.theinquirer.net/inquirer/news/2332589/bitcoin-mining-botnets-and-windows-xp-threats-are-booming-says-dell-sonicwall

    THE AMOUNT OF MALWARE infecting machines in 2013 was equal to around 10 infections for every person on the planet, Dell’s Sonicwall threat research team has found.

    In its annual report, Dell’s Sonicwall Global Response Intelligent Defense (GRID) Network uncovered 78 billion global hits of post-infection malware activity last year.

    The evolution of Bitcoin malware was also a focus of the report, which said that as Bitcoin gained popularity and value, cybercriminals set out to obtain the digital currency through malicious activities.

    “[Windows XP] will continue to realise a surge of attacks as its support life cycle is ending in 2014,”

    Reply
  38. Tomi Engdahl says:

    The Face Behind Bitcoin
    http://mag.newsweek.com/2014/03/14/bitcoin-satoshi-nakamoto.html

    Satoshi Nakamoto

    It seemed ludicrous that the man credited with inventing Bitcoin – the world’s most wildly successful digital currency, with transactions of nearly $500 million a day at its peak

    Far from leading to a Tokyo-based whiz kid using the name “Satoshi Nakamoto” as a cipher or pseudonym (a story repeated by everyone from Bitcoin’s rabid fans to The New Yorker), the trail followed by Newsweek led to a 64-year-old Japanese-American man whose name really is Satoshi Nakamoto.

    Tacitly acknowledging his role in the Bitcoin project, he looks down, staring at the pavement and categorically refuses to answer questions.

    “I am no longer involved in that and I cannot discuss it,” he says, dismissing all further queries with a swat of his left hand. “It’s been turned over to other people. They are in charge of it now. I no longer have any connection.”

    There are several Satoshi Nakamotos living in North America

    “The whole reason geeks get excited about Bitcoin is that it is the most efficient way to do financial transactions,” says Bitcoin’s chief scientist, Gavin Andresen, 47. He acknowledges that Bitcoin’s ease of use can also lead to easy theft and that it is safest when stored in a safe-deposit box or on a hard drive that’s not connected to the Internet. “For anyone who’s tried to wire money overseas, you can see how much easier an international Bitcoin transaction is. It’s just as easy as sending an email.”

    “I got the impression that Satoshi was really doing it for political reasons,”

    One of the first people to start working with Bitcoin’s founder in 2009 was Martti Malmi, 25, a Helsinki programmer who invested in Bitcoins

    Communication with Bitcoin’s founder was becoming less frequent by early 2011. Nakamoto stopped posting changes to the Bitcoin code and ignored conversations on the Bitcoin forum.

    Reply
  39. Tomi Engdahl says:

    Target Rich Environment: Mobile Malware in China
    http://yro.slashdot.org/story/14/03/06/1348231/target-rich-environment-mobile-malware-in-china

    “Every country’s cybercriminal underground market has distinct characteristics, and with 500 million national mobile Internet users and the number continuously rising, the Chinese underground market is awash with cyber crooks buying and selling services and devices aimed at taking advantage of them.”

    A peek into China’s burgeoning mobile cybercriminal underground
    http://www.net-security.org/secworld.php?id=16483

    Mobile apps that stealthily subscribe users to premium services are, naturally, very popular with cyber crooks in China as in the rest of the world. Premium service numbers can also be bought on underground markets. Network carriers usually assign premium service numbers to qualified service providers, but obviously some of them are not averse to selling them on to criminals.

    SMS-sending apps are the so-called SMS forwarders

    To send out spam messages in huge numbers, the crooks can buy and use a number of different devices.

    Just to give you an idea: a 16-slot (with a SIM card in each) GSM modem can send 9,600 text messages per hour.

    An SMS server – also known as “fake base station” – is radio frequency hardware that can send out software-defined radio signals in GSM frequency ranges.

    iMessage spam computer software finds phone numbers tied to Apple devices and sends messages to them.

    Reply
  40. Tomi Engdahl says:

    Yahoo Ads Hack Spreads Malware
    1/6/2014
    http://www.informationweek.com/security/attacks-and-breaches/yahoo-ads-hack-spreads-malware/d/d-id/1113325

    Millions of users exposed to drive-by malware attacks that targeted Java bugs to install six types of malicious code.

    Yahoo.com visitors received an unexpected surprise beginning on New Year’s Eve: advertisements that targeted their systems with malware.

    “The attackers are clearly financially motivated and seem to offer services to other actors,” said Fox-IT, noting that the exploit kit behind the attacks dropped six different types of malware, including the Zeus banking Trojan, Dorkbot, and a click-fraud Trojan. The greatest number of users targeted by the malicious advertisements were in Romania (24%), the United Kingdom (23%), and France (20%), according to Fox-IT.

    Yahoo said it acted quickly after learning of the attacks, and said they appeared to target only European users. “These advertisements were taken down on Friday, January 3,”

    Reply
  41. Tomi Engdahl says:

    Malwarebytes updates its mobile app to protect Android users from rising ad threats
    Aggressive ads on Android are exploiting people to make money
    http://www.theinquirer.net/inquirer/news/2332634/malwarebytes-updates-its-mobile-app-to-protect-android-users-from-rising-ad-threats

    ANTI-MALWARE FIRM Malwarebytes has updated its free mobile security app to protect users from the rise of what it calls “Potentially Unwanted Programs” (PUPs) affecting Android users.

    The update to the app protects users against a rising number of Android apps that cannot be strictly classified as malware.

    According to Malwarebytes, PUPs are offered through legitimate channels and are “aggressive advertising and in-app purchases” that exploit people to make money, take unnecessary amounts of personal data and degrade smartphone performance.

    “Aggressive advertising and sneaky pay-to-play schemes in particular are on the increase.”

    Reply
  42. Tomi Engdahl says:

    Data breaches: already more than 100 000 per year

    Online data breaches are increasing at an accelerating pace. The Finnish Communications Regulatory Authority’s Cyber Security Centre (Kyberturvallisuuskeskus) recorded over 100 000 data breaches in Finland in 2013.

    Tracing network criminals abroad takes a long time and the end result can come to nothing. There have been no data breaches of the banking system itself, so the shady operators instead go after “the weakest link”: the customer directly.

    The IP addresses of network criminals are most often found abroad. As a result, solving intrusion crimes is becoming increasingly difficult.

    - It is challenging, because it often requires international co-operation between several different countries.

    Within the EU, legal assistance works pretty well, but from China, Korea or Russia, for example, an answer to requests may never be received.

    Only a small part of cyber-crimes end up on the police books. An individual computer user may not even be aware of being the victim of a crime if there has been a break-in. Companies, on the other hand, fear the damage to their image that intrusions would cause. Data snooping is now precision work.

    Financial Central Union: there has not been a single data breach of Finnish banking systems.
    Attempts to get user IDs from users are, however, common and clever.

    Source: YLE
    http://yle.fi/uutiset/tietomurtoja_jo_yli_100_000_vuodessa/7091293

    Reply
  43. Tomi Engdahl says:

    More than 600 red alerts about network attacks

    The Finnish Cyber Security Centre’s detection and warning system “Havaro” issued more than 600 alerts last year about malware that had got past other security software.

    Finland’s most critical energy supply companies have, over the last two years, received a new form of protection against network attacks. The Cyber Security Centre’s Havaro detection and warning system monitors the traffic between a company’s network and the Internet and alerts if anomalies suggestive of a security breach are noticed in the traffic.

    If a company employee, say, accidentally downloads a malicious program that begins to steal information, this is detected.

    The Havaro system is used by, for example, Fingrid and the energy company Fortum.

    The system has been installed in around 20 companies: banks, ICT companies, energy sector companies, YLE, health care, and the most critical manufacturing industries. The system is installed only with the customer’s consent. The emergency supply organisation is responsible for the cost of the system and also specifies where the system is provided.

    Last year the system made 15 million observations, of which the Cyber Security Centre’s duty staff examined about 20 000 in more detail. Customers were given 622 red alerts.

    Source: YLE
    http://yle.fi/uutiset/yli_600_punaista_halytysta_verkkohyokkayksista__kohteena_tarkeimmat_yritykset/7117056

    Reply
  44. Tomi Engdahl says:

    AP Exclusive: Man said to create bitcoin denies it
    http://hosted.ap.org/dynamic/stories/U/US_BITCOIN_FOUNDER_DENIAL?SITE=AP&SECTION=HOME&TEMPLATE=DEFAULT

    Dorian Prentice Satoshi Nakamoto said Thursday that he is not the creator of bitcoin, adding further mystery to the story of how the world’s most popular digital currency came to be.

    The denial came after Newsweek published a 4,500-word cover story claiming Nakamoto is the person who wrote the computer code underpinnings of bitcoin.

    Reply
  45. Tomi Engdahl says:

    Japan Says Bitcoin Not a Currency
    Government Also Says Commercial Banks Not Allowed to Provide Bitcoin as a Product
    http://online.wsj.com/news/article_email/SB10001424052702303369904579423730757355014-lMyQjAxMTA0MDAwNDEwNDQyWj

    The Japanese government officially said Friday that it doesn’t consider bitcoin to be a currency and has no plans at present to regulate it as a financial product.

    As it tries to cope with the fallout from the bankruptcy of the Tokyo-based Mt. Gox exchange, the government said that the crypto-currency would be treated like other goods and services, with commercial sales of bitcoin itself and bitcoin-based transactions subject to sales tax. In addition, any gains on exchange rates will be taxed as well.

    “Any bitcoin transactions are taxable when they fulfill requisitions stated by laws on income tax, corporate tax and consumption tax,”

    Reply
  46. Tomi Engdahl says:

    Scientist-devised crypto attack could one day steal secret Bitcoin keys
    Technique exposes weaknesses not only in Bitcoin but also in OpenSSL.
    http://arstechnica.com/security/2014/03/scientist-devised-crypto-attack-could-one-day-steal-secret-bitcoin-keys/

    Exposing a previously unknown weakness in the cryptographic system securing bitcoins, scientists have devised an attack that can steal large amounts of the digital currency when hackers run even unprivileged software on the same computer processing the coins.

    The technique, laid out in an academic paper published Wednesday, doesn’t pose an immediate threat to Bitcoin users. A successful hack relies on the thief having some access to the same Intel-made processor that processes the targeted bitcoins.

    The attack relies on “side channel analysis,”

    The Bitcoin attack is in many respects more limited. It succeeded only when private keys were interacting with the same CPU that an attacker was monitoring with a specially designed “spy program.”

    Reply
  47. Tomi Engdahl says:

    Twelve million hit as Korea suffers ANOTHER massive data breach
    KT Corp caught with its passwords down for third time in two years
    http://www.theregister.co.uk/2014/03/07/kt_data_breach_12_million_customers/

    The South Korean government was forced to launch an inquiry today after another massive data breach rocked the country, this time the theft of account information belonging to 12 million customers of telco KT Corp.

    The data grab apparently went undetected by KT for an entire year with the suspects allegedly snatching up to 300,000 records in a single day.

    Reply
  48. Tomi Engdahl says:

    CIOs Battle Worker Apathy Towards Lost or Stolen Mobile Phones
    http://www.cio.com/article/749212/CIOs_Battle_Worker_Apathy_Towards_Lost_or_Stolen_Mobile_Phones

    American workers don’t get too worked up about lost or stolen mobile phones — even if those phones contain company data. A large percentage think it’s not their problem and don’t change their security practices afterwards. Are CIOs partly to blame for not setting stricter and clearer mobile security policies?

    There appears to be a general feeling of apathy toward mobile security.

    Reply
  49. Tomi Engdahl says:

    Microsoft plans to patch critical under-attack IE bug next week
    Will ship four updates for Windows XP in second-to-last round of patches for the aged OS
    http://www.computerworld.com/s/article/print/9246809/Microsoft_plans_to_patch_critical_under_attack_IE_bug_next_week

    Microsoft today announced it will deliver five security updates to customers next week, two tagged as “critical,” including one that will quash the open vulnerability in Internet Explorer (IE) that hackers have been exploiting since January.

    Four of the five updates will affect Windows XP, the nearly-13-year-old operating system that Microsoft plans to retire from patch support on April 8. After next week’s Patch Tuesday, Microsoft has just one more chance to fix flaws in the aged OS before it pulls the plug.

    Reply
