Security trends for 2014

2014 will be a year of cybersecurity after the NSA revelations of 2013. The headline news is that the NSA has surreptitiously “burrowed its way into nearly all the security architecture” sold by the world’s largest computer networking companies. A lot of people were shocked by how much of the Internet the NSA monitored and hacked. There will still be NSA aftershocks as new material comes out and different parties react to it (and news sources write about it). U.S. cloud services have been put into question for good reason. There will be a lot of NSA spying litigation. Those spying issues will also fuel some hacktivism (it has already started to happen).

The article Security Professionals: Top Cyber Threat Predictions for 2014 lists the following predictions, which seem pretty probable: Cybersecurity Regulatory Efforts Will Spark Greater Need for Harmonization, Service-Impacting Interruptions for Online Services Will Persist, We Will See an Increase in Cybercrime Activity Related to the World Cup, Rise of Regional Cloud Services, Dev-Ops Security Integration Fast Becoming Critical, Cybercrime that Leverages Unsupported Software Will Increase, and an Increase in Social Engineering and Ransomware Will Impact More People.

Ubiquitous mobile computing is all around us, which will lead to increased risks and concerns about social network privacy. Social networks have quickly become the key organizing principle of Internet communication and collaboration. Note also that Android anti-virus apps can’t kill malware on sight the way desktop AV does: the Android sandbox does not let one app stop or remove another, so at best they flag the malicious app and ask the user to uninstall it.

2013 was a heavily hacked year, with many cases where information on millions or tens of millions of users was stolen from companies. It’s likely that we will see much more of the same in 2014: the way people use passwords and the way on-line services are built have not changed much in one year.


Gartner predicts that through 2014, improved JavaScript performance will begin to push HTML5 and the browser as a mainstream enterprise application development environment. I expect HTML5-related security issues to increase simply because the technology will be used more in 2014.

Over 50% of net traffic to web sites is made by bots! The article More Than Half of Internet Traffic Is Just Bots says that security and cloud service provider Incapsula analyzed its traffic and found that more than 60 percent of Internet traffic is computer generated, compared to less than 40 percent driven by human clicks, and that 31% of bots are still malicious. SEO link building has always been a major motivation for automated link spamming, but it is decreasing because Google has been able to discourage it. Instead there is more advanced hacking and automatic vulnerability scanning.

DDoS attacks are evolving from volumetric Layer 3-4 attacks to much more sophisticated and dangerous Layer 7 multi-vector threats. Layer 7 attacks consist of well-formed HTTP requests that look like they come from real browsers, so bandwidth-based filtering does not see them; detecting them takes per-client request rate and behaviour analysis.
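Both points above, that bots are a majority of requests and that Layer 7 floods hide inside ordinary-looking HTTP, can be checked against a plain web server log. The following is an added example, not code from the original post or from Incapsula; it assumes the Apache/nginx “combined” log format, the constructed sample lines embedded in it, and illustrative thresholds (more than 20 requests from one address within 10 seconds).

```python
"""Classify access-log lines as human, crawler or suspicious bot, and flag
Layer 7 flood candidates by request rate per source address.

Added example, not from the original post. Assumes the "combined" log
format and the constructed sample lines below; thresholds are illustrative.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined log format: ip - user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Self-declared crawlers, recognised by user-agent substrings.
KNOWN_CRAWLER_UA = ("Googlebot", "bingbot", "Baiduspider")
# Scanners and HTTP libraries that rarely belong in legitimate browser traffic.
SUSPICIOUS_UA = ("sqlmap", "python-requests", "curl/", "masscan", "nikto")


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["time"] = datetime.strptime(d["time"], TIME_FMT)
    d["status"] = int(d["status"])
    return d


def classify_ua(ua):
    if any(s in ua for s in SUSPICIOUS_UA):
        return "suspicious-bot"
    if any(s in ua for s in KNOWN_CRAWLER_UA):
        return "crawler"
    if not ua or ua == "-":
        return "suspicious-bot"
    return "human"


def find_l7_floods(entries, window=timedelta(seconds=10), max_requests=20):
    """Return source IPs that sent more than max_requests inside any sliding window.

    A Layer 7 flood carries a normal browser user-agent, so the UA check above
    calls it "human"; only the request rate per source gives it away.
    """
    by_ip = defaultdict(list)
    for e in entries:
        by_ip[e["ip"]].append(e["time"])
    flooders = set()
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 > max_requests:
                flooders.add(ip)
                break
    return flooders


def summarize(lines):
    """Return (counts per UA class, set of flood candidate IPs)."""
    entries = [e for e in map(parse_line, lines) if e]
    counts = defaultdict(int)
    for e in entries:
        counts[classify_ua(e["ua"])] += 1
    return dict(counts), find_l7_floods(entries)


# --- constructed sample log (not real traffic) --------------------------------
def _line(ip, when, path, ua):
    return f'{ip} - - [{when.strftime(TIME_FMT)}] "GET {path} HTTP/1.1" 200 512 "-" "{ua}"'


_BASE = datetime(2014, 3, 10, 12, 0, 0, tzinfo=timezone.utc)
_BROWSER = "Mozilla/5.0 (Windows NT 6.1; rv:27.0) Gecko/20100101 Firefox/27.0"
_GOOGLEBOT = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
SAMPLE_LINES = (
    [_line("203.0.113.5", _BASE + timedelta(seconds=s), "/index.html", _BROWSER) for s in (0, 30, 60)]
    + [_line("198.51.100.7", _BASE + timedelta(seconds=s), "/robots.txt", _GOOGLEBOT) for s in (5, 40)]
    + [_line("192.0.2.9", _BASE + timedelta(seconds=50), "/login.php?id=1'", "sqlmap/1.0-dev")]
    # 25 browser-looking requests from one address within 5 seconds: a flood candidate
    + [_line("192.0.2.66", _BASE + timedelta(seconds=i // 5), "/search?q=x", _BROWSER) for i in range(25)]
)

if __name__ == "__main__":
    print(summarize(SAMPLE_LINES))
```

On the sample, the user-agent classifier counts the 25 flood requests as “human” because they carry a real browser UA; only the per-address rate check catches that source. Real thresholds should be tuned per site, and shared NAT addresses will need a higher limit or an additional key such as a session cookie.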

There will still be many SCADA security issues in 2014. Even though traditional SCADA vulnerabilities have become easier to find, the increased connectivity brought by IoT will cause new issues. And there will still be very many control systems openly accessible from the Internet to practically anyone who knows how to look for them. A large number of SCADA systems were found open on the Internet at the beginning of 2013, and the numbers have not dropped considerably during the year. I expect that very many of those systems will still be too open at the end of 2014.

The Internet is expanding into enterprise assets and consumer items such as cars and televisions. The Internet of Things (IoT) will evolve into the Web of Things, increasing the coordination between things in the real world and their counterparts on the Web. There will be many security issues to solve, and as these systems become more widely used more security issues will be found in them.

Cloud security will be talked about. Hopefully there will be some clearing-up of the terminology in that area, because cloud security, like the term cloud computing, can mean a lot of things. Cloud security could mean how secure your cloud provider is; a service that runs in the cloud and filters what passes through it (for example e-mail or web traffic); a product protecting some service that runs in the cloud; or a traditional anti-virus product that connects to the cloud to improve its operation (for example to update in real time or to verify unknown programs against data in the cloud). Research firm Gartner forecasts that cloud security sales will increase dramatically in the next few years, from $2.1 billion to $3.1 billion in 2015.

Marketers put the term “cloud” into security product brochures as much as they can. The cloud makes traditional information security sound old-fashioned, because companies are under pressure to move services to the cloud. Mobile devices and dispersed users also set new standards for information security. OpenDNS’s CTO Dan Hubbard says: “Because the data and the devices run in the cloud, the cloud is the best way to protect the users.” The Snowden effect will also bring PRIVATE cloud talk to the table this year for security reasons, because U.S. cloud services have been put into question for good reason.

In Finland a new Cyber Security Center started in the beginning of 2014. Security articles and warnings from it will be published at kyberturvallisuuskeskus.fi.

Late addition: Crypto-currencies like Bitcoin and similar are on the rise, and early adopters already use them actively. Those crypto-currencies have many security issues related to them. Their values vary quite a lot, and the value easily drops considerably when they get used so widely that governments try to limit their use. Bitcoin is increasingly used as a ransomware payment method. Bitcoins have been stolen quite a lot lately (and I expect that to increase as usage increases), from users, from on-line wallets and from exchanges. When more money is involved, more bad guys try to get some of it. Sometimes the bad guys do not try to steal your money but use resources you pay for (your own PC, your server capacity, etc.) to generate money for them without you knowing about it. If you plan to use crypto-currencies, be careful to understand what you are doing with them: there is a real possibility that you can lose your money, and there is no way that lost money can be recovered.

3,382 Comments

  1. Tomi Engdahl says:

    New crimeware tool Dendroid makes it easier to create Android malware, researchers warn
    The tool can be used to add malicious functionality to legitimate applications, researchers from Symantec said
    http://www.itworld.com/security/408405/new-crimeware-tool-dendroid-makes-it-easier-create-android-malware-researchers-warn

    A new commercial tool designed to allow cybercriminals to easily transform legitimate Android applications into malicious software has hit the underground market, paving the way for cheap and easy development of sophisticated Android malware.

    The toolkit is called Dendroid and can be used to create “trojanized” apps — legitimate applications with malicious code added to them — that connect back to a command-and-control server over HTTP and allow attackers to perform a variety of malicious actions on devices that have those apps installed.

    Dendroid is marketed by its creators as an Android remote administration tool (RAT) and is being sold for US$300, security researchers from Symantec said Wednesday in a blog post. Buyers receive a tool called an “APK Binder” that can be used to add the Dendroid RAT functionality and its required permissions to any clean APK (Android application package) as well as access to a sophisticated PHP-based control panel that allows detailed management of the infected devices.

  2. Tomi Engdahl says:

    Hackers Hit Mt. Gox Exchange’s CEO, Claim To Publish Evidence Of Fraud
    http://www.forbes.com/sites/andygreenberg/2014/03/09/hackers-hit-mt-gox-exchanges-ceo-claim-to-publish-evidence-of-fraud/

    The Bitcoin community has been angrily pressing for details on what the Bitcoin exchange Mt. Gox has described as a massive hacker attack that stole hundreds of millions of dollars worth of its users’ bitcoins and left the company bankrupt. Mt. Gox’s staff isn’t talking. So another group of hackers say they’ve broken into the company’s servers to provide answers of their own.

  3. Tomi Engdahl says:

    Suspected Russian spyware Turla targets Europe, United States
    http://www.reuters.com/article/2014/03/07/us-russia-cyberespionage-insight-idUSBREA260YI20140307

    A sophisticated piece of spyware has been quietly infecting hundreds of government computers across Europe and the United States in one of the most complex cyber espionage programs uncovered to date.

    Several security researchers and Western intelligence officers say they believe the malware, widely known as Turla, is the work of the Russian government and linked to the same software used to launch a massive breach on the U.S. military uncovered in 2008.

    Experts in state-sponsored cyber attacks say that Russian government-backed hackers are known for being highly disciplined, adept at hiding their tracks, extremely effective at maintaining control of infected networks and more selective in choosing targets than their Chinese counterparts.

    “They know that most people don’t have either the technical knowledge or the fortitude to win a battle with them.”

    Although computer security researchers have been quietly studying Turla for more than two years, public discussions of the threat only began after G Data published its report.

    The malware is a “root kit” that hides the presence of the spying operation

    The operators can download specialized tools onto an infected system, adding any functionality they want

  4. Tomi Engdahl says:

    Assange Says NSA Holds The Power In The Obama Administration
    http://techcrunch.com/2014/03/08/assange-takes-aim-at-facebook-and-googles-unbridled-power-in-sxsw-livestream/?source=gravity

    Wikileaks founder Julian Assange gave a rare talk via video at annual tech mega-conference SXSW, where he came out swinging not only at President Obama but also Google and Facebook.

    Since the global uproar over the National Security Agency’s spying practices were exposed last summer, there have been no major shakeups, Assange claimed. When a government wants actual reform, “someone is fired, someone is forced to resign, someone is prosecuted,” he argued.

    Assange seemed to imply that Obama is powerless, claiming that if he really wanted to disband the NSA, he might be impeached and the intelligence agencies would drudge up dirt to discredit him.

  5. Tomi Engdahl says:

    Mt Gox fielded MASSIVE DDOS attack before collapse
    Report in Japan says ’150,000 hits per second’
    http://www.theregister.co.uk/2014/03/10/mt_gox_fielded_massive_ddos_attack_before_collapse/

    A Japanese newspaper is reporting that during the spectacular collapse of the Mt Gox Bitcoin exchange, the operation’s servers were also suffering a large-scale DDOS attack.

    The Yomiuri Shimbun’s English-language Japan News reports that the attacks in early February reached 150,000 DDOS hits per second, “mostly from servers in the United States and Europe”.

    “DDoS attacks can be done without high-level hacking techniques.”

    Referring to attacks on Slovenian Bitstamp and Canada’s Flexcoin, Uehara said: “It is possible that copycats turned their eyes on other exchanges after weaknesses in Mt. Gox’s system were found.”

  6. Tomi Engdahl says:

    You Know Who Else Collected Metadata? The Stasi
    from the compare-and-contrast dept
    http://www.techdirt.com/articles/20140228/15025026393/you-know-who-else-collected-metadata-stasi.shtml

    The East German secret police, known as the Stasi, were an infamously intrusive secret police force. They amassed dossiers on about one quarter of the population of the country during the Communist regime.

    But their spycraft — while incredibly invasive — was also technologically primitive by today’s standards.

  7. Tomi Engdahl says:

    Snowden: I raised NSA concerns internally over 10 times before going rogue
    http://www.washingtonpost.com/blogs/the-switch/wp/2014/03/07/snowden-i-raised-nsa-concerns-internally-over-10-times-before-going-rogue/?tid=hpModule_1728cf4a-8a79-11e2-98d9-3012c1cd8d1e

    Former National Security Agency contractor Edward Snowden said he repeatedly tried to go through official channels to raise concerns about government snooping programs but that his warnings fell on deaf ears. In testimony to the European Parliament released Friday morning, Snowden wrote that he reported policy or legal issues related to spying programs to more than 10 officials, but as a contractor he had no legal avenue to pursue further whistleblowing.

  8. Tomi Engdahl says:

    Schmidt: Not even US gov’t can get at Google user data
    http://news.cnet.com/8301-1023_3-57620078-93/schmidt-not-even-us-govt-can-get-at-google-user-data/

    Google Chairman Eric Schmidt tells the crowd at South by Southwest that the company’s efforts to secure its user data from attacks are now complete.

    On the first day of the annual South by Southwest Interactive conference, Schmidt told panel moderator Stephen Levy of Wired that the solution to governmental intrusions was “to encrypt data more.”

    “We are pretty sure that now the info inside of Google is safe from prying eyes, including those of the US government,” said Schmidt, who clarified that his company was still subject to the Patriot Act and “secret” US courts.

    Schmidt said that he saw US government intrusions, including the National Security Agency accessing Google user data without Google’s knowledge, as no different from similar incursions by other governments.

    “We were attacked by the Chinese in 2010. We were attacked by the NSA in 2013,” Schmidt said.

  9. Tomi Engdahl says:

    No Holes in the Dike: Securing Older Systems to Protect the Enterprise
    http://mds.ricoh.com/blog/no_holes_in_the_dike_securing_older_systems_to_protect_the_enterprise

    While much attention has been paid to deploying next generation security devices and protecting information on mobile systems, securing older systems is sometimes not adequately planned for nor potential impact anticipated.

    It is also important to note that patching is a component of regulatory compliance and security programs such as PCI DSS, HIPAA and ISO27001. Any system that falls under these programs or regulations that is not able to be patched could be in violation of the regulation or program.

    New vulnerabilities are being discovered all the time, on the order of several thousand each year. Already identified and patched vulnerabilities on newer systems can still impact older systems.

  10. Tomi Engdahl says:

    HTTPS can’t be trusted to obscure private online activity
    http://www.net-security.org/secworld.php?id=16485

    HTTPS was initially used to prove to Internet users that the website and web server with which they are communicating are indeed the ones they want to communicate with, but later this use was extended to keeping user communication, identity and web browsing private.

    But a group of researchers has, unfortunately, proven that HTTPS is a lousy privacy tool, and that anyone who can view, record and analyze visitors’ traffic can identify – with 89 percent accuracy – the pages they have visited and the personal details they have shared.

  11. Tomi Engdahl says:

    Tomorrow’s Apps Will Come From Brilliant (And Risky) Bitcoin Code
    http://www.wired.com/opinion/2014/03/decentralized-applications-built-bitcoin-great-except-whos-responsible-outcomes/

    For many, bitcoin — the distributed, worldwide, decentralized crypto-currency — is all about money …

    Yet the actual innovation brought about by bitcoin is not the currency itself but the platform, which is commonly referred to as the “blockchain” — a distributed cryptographic ledger shared amongst all nodes participating in the network, over which every successfully performed transaction is recorded.

    And the blockchain is not limited to monetary applications. Borrowing from the same ideas (though not using the actual peer-to-peer network bitcoin runs on), a variety of new applications have adapted the bitcoin protocol to fulfill different purposes: Namecoin for distributed domain name management; Bitmessage and Twister for asynchronous communication; and, more recently, Ethereum (released only a month ago). Like many other peer-to-peer (P2P) applications, these platforms all rely on decentralized architectures to build and maintain network applications that are operated by the community for the community.

    Indeed, if DAOs are independently operated — neither owned nor controlled by any given entity — who is actually in charge, responsible for, or accountable for their operations? And if their resources cannot be seized (because DAOs have full sovereignty over them), how can they be required to pay damages for their torts?

  12. Tomi Engdahl says:

    Julian Assange at SXSW: ‘national security reporters are a new kind of refugee’
    http://www.theverge.com/2014/3/8/5484784/julian-assange-at-sxsw-wikileaks

    “National security reporters are a new kind of refugee,” Assange said, then ran down a list of American reporters and activists who have left US borders in order to continue their work, including Glenn Greenwald, Laura Poitras, Wikileaks’ Sarah Harrison, and Tor researcher Jacob Appelbaum.

    Assange described the trend as part of a broader political consciousness that’s been created by the internet.

  13. Tomi Engdahl says:

    NHS England patient data ‘uploaded to Google servers’, Tory MP says
    Health select committee member Sarah Wollaston queries how data was secured by PA Consulting and uploaded to servers outside UK
    http://www.theguardian.com/society/2014/mar/03/nhs-england-patient-data-google-servers

    A prominent Tory MP on the powerful health select committee has questioned how the entire NHS hospital patient database for England was handed over to management consultants who uploaded it to Google servers based outside the UK.

    The patient information had been obtained by PA Consulting

    The management consultants said: “Within two weeks of starting to use the Google tools we were able to produce interactive maps directly from HES queries in seconds.”

    The revelations alarmed campaigners and privacy experts, who queried how Google maps could have been used unless some location data had been provided in the patient information files.

  14. Tomi Engdahl says:

    Intelligence watchdog warns against intel agency mission creep
    An insider’s view of data retention
    http://www.theregister.co.uk/2014/03/09/intelligence_watchdog_warns_against_intel_agency_mission_creep/

    A genuine intelligence insider has told a government inquiry that expanding telecommunications intercept powers could be both risky and privacy-invasive.

  15. Tomi Engdahl says:

    Euro cops on free Wi-Fi not-so-hotspots: For pity’s sake, don’t use them for email
    … or banking. Or Facebook. What were you THINKING?
    http://www.theregister.co.uk/2014/03/10/wifi_insecurity_reminder/

    Using free Wi-Fi hotspots poses a data risk to users, the boss of European police agency Europol warns.

    Troels Oerting, head of Europol’s cybercrime centre, told BBC Click that growing number of attacks are being carried out via public Wi-Fi and that people should send personal data only across trusted networks.

    “We have seen an increase in the misuse of Wi-Fi, in order to steal information, identity or passwords and money from the users who use public or insecure Wi-Fi connections,” he said.

    “This has been a concern for years – that’s why sensible companies force employees to use VPN connections. A Firefox plugin called ‘Firesheep’ definitively demonstrated just how utterly insecure Wi-Fi hotspots can be back in 2010.”

    “If you want to use an open Wi-Fi hotspot to search for the latest sports scores – go for it. But if you want to check your bank balance, read your email, have a private chat with your friends – get yourself a VPN service,”

  16. Tomi Engdahl says:

    Free wi-fi hotspots pose data risk, Europol warns
    http://www.bbc.com/news/technology-26469598

    Sensitive information should not be sent over public wi-fi hotspots, to avoid hackers stealing it, Europe’s top cybercrime police officer has warned.

    The attackers were not using novel techniques, he said, but relied on well-known approaches that attempt to trick people into connecting to a hotspot that, superficially, resembles those seen in cafes, pubs and restaurants and other public spaces.

    “Everything that you send through the wi-fi is potentially at risk, and this is something that we need to be very concerned about both as individual users but also as police,”

    “There is the need for raising awareness of what the vulnerabilities are and what you should be doing to protect yourself whether you’re on the move or in a physical location,”

  17. Tomi Engdahl says:

    Microsoft risks security reputation when it kills XP

    Microsoft has been doing its best to encourage users to replace the XP operating system with a later one. The last security update for the operating system will be distributed on April 8.

    A decade ago, the company developed the SDL process (Security Development Lifecycle) and began publishing security updates as packages downloadable over the network. The practice has since spread widely. Microsoft and XP were at the forefront of security at the time.

    Microsoft has business reasons to stop maintaining XP. Last October, Microsoft admitted that the consequences of the end of Windows XP support can be devastating. Malware infections are expected to increase by 66 percent. The image of Windows machines may be badly bruised as the problems experienced by consumers increase.

    Net Applications says that in February XP machines still accounted for 29.5 percent of the world’s PCs.

    Source: Tietoviikko
    http://www.tietoviikko.fi/kaikki_uutiset/microsoft+riskeeraa+tietoturvamaineensa+tappaessaan+xpn/a973271

  18. Tomi Engdahl says:

    The operator is launching an application for encrypted calls

    Telecom operator Vodafone wants to ease its customers’ privacy concerns. The company plans to announce an application for Android, iOS and Windows Phone that allows phone calls to be encrypted.

    Vodafone has developed the Secure Call application together with Secusmart.

    Vodafone plans to publish the application only in Germany, for 10 euros per month.

    Source: Tietoviikko
    http://www.tietoviikko.fi/uutisia/operaattori+lanseeraa+sovelluksen+salatuille+puheluille/a973342

  19. Tomi Engdahl says:

    The Data Brokers: Selling your personal information
    http://www.cbsnews.com/news/the-data-brokers-selling-your-personal-information/

    Steve Kroft investigates the multibillion dollar industry that collects, analyzes and sells the personal information of millions of Americans with virtually no oversight

    Companies and marketing firms have been gathering information about customers and potential customers for years, collecting their names and addresses, tracking credit card purchases, and asking them to fill out questionnaires, so they can offer discounts and send catalogues. But today we are giving up more and more private information online without knowing that it’s being harvested and personalized and sold to lots of different people.

  20. Tomi Engdahl says:

    McAfee: Cybercrime-As-A-Service Led To Credit Card Breach, While Mobile “Malware Zoo” Grew 197% In Q4
    http://techcrunch.com/2014/03/10/mcafee-q4-report/

    It looks like the rise of the “as a service” model, where people can buy software, platform access, security and more from a cloud-based provider for a fixed term, may have spawned its Damien: cybercrime as a service. The latest report from McAfee notes that the rush of point-of-sale credit card breaches that hit consumers in Q4 of last year — most notably at Target but other retailers as well — came from such sources, with the malware used “likely purchased ‘off the shelf’ from the Cybercrime-as-a-Service community”

    McAfee’s conclusions on the credit card breach paint a depressing picture for what is on offer for those who are intent on such thefts in the future.

    – Mobile malware. This continues to climb, with 2.47 million new samples collected in 2014, and 744,000 in Q4 alone, rising 197% compared to a year ago. McAfee doesn’t single out a specific platform, but Android — as the world’s most popular smartphone platform, has been pinpointed by others as a particular target.

  21. Tomi Engdahl says:

    Snowden says encryption and oversight are key to protecting the public from surveillance
    http://www.engadget.com/2014/03/10/Snowden-encryption-and-oversight/

    Of course, encryption tools also need to be easier to use. Popular tools like PGP (pretty good privacy) and Tor are incredibly difficult to install and use for the less technically inclined. The ACLU’s Ben Wizner, who was moderating the conversation, said that when Tor is the best choice for the “average user” to protect themselves “we’ve failed.”

    The second essential ingredient is public oversight of our spy agencies and government.

  22. Tomi Engdahl says:

    US network to scan workers with secret clearances
    http://bigstory.ap.org/article/us-plans-scan-workers-secret-clearances

    Stung by internal security lapses, U.S. intelligence officials plan to use a sweeping electronic system to continually monitor workers with secret clearances, current and former officials told The Associated Press.

    The system is intended to identify rogue agents, corrupt officials and leakers and draws on a Defense Department model under development for more than a decade, according to officials and documents reviewed by the AP.

    Intelligence officials have long wanted a computerized system that could monitor employees, in part to foil leakers like former National Security Agency analyst Edward Snowden, whose revelations bared massive U.S. surveillance operations.

    A report released last week by an intelligence consortium, the Intelligence and National Security Alliance, urged continuous monitoring for government workers and the near-1 million private contractors with clearances.

  23. Tomi Engdahl says:

    Stop Glorifying Hackers
    http://www.nytimes.com/2014/03/09/opinion/sunday/stop-glorifying-hackers.html?_r=0

    The cult of the hacker is the tech-age update of America’s long romance with the outlaw; hence an emerging narrative that casts Guccifer as sort of a Sundance Kid to Edward Snowden’s Butch Cassidy

    For us civilians, with no choice but to wander into the digital crossfire, it becomes increasingly hard to know who, if anyone, wears the white hat.

  24. Tomi Engdahl says:

    For his part, Snowden still believes that companies should store user data that contributes directly to their respective business: “It’s not that you can’t collect any data, you should only collect the data and hold it as long as necessary for the operation of the business.”

    Source: http://slashdot.org/topic/bi/sxsw-snowden-touts-encryption-swipes-nsa/

  25. Tomi Engdahl says:

    University of Cambridge Develops Potentially More Secure Password Storage System
    http://it.slashdot.org/story/14/03/11/002206/university-of-cambridge-develops-potentially-more-secure-password-storage-system

    “University of Cambridge’s S-CRIB Scrambler resides in a Raspberry Pi and performs a hash-based message authentication code (HMAC).”

    Can this $70 dongle stem the epidemic of password breaches?
    Maybe not, but its approach could improve the security of password databases.
    http://arstechnica.com/security/2014/03/can-this-70-dongle-stem-the-epidemic-of-password-breaches/

    The S-CRIB Scrambler uses an additional layer of protection over methods many websites use now to prevent mass account compromises in the event a password database is exposed during a site breach, according to a post published Friday on the University of Cambridge’s Light Blue Touchpaper blog. Rather than relying solely on a one-way cryptographic hash to represent plaintext passwords, the small dongle performs an additional operation known as hash-based message authentication code (HMAC). The secret 10-character key used to generate the HMAC resides solely on the dongle. Because it’s not included in password tables that are stored on servers, the key could remain secret even in the event of a major security breach.

    The new method comes amid twin epidemics of website security breaches that spill password databases and a large percent of end users who use “princess,” “123abc,” and other easily guessed passcodes to safeguard their accounts.

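The layering the Ars Technica piece describes, a slow salted hash followed by an HMAC under a key the database server cannot read, as an added example. This is not the S-CRIB Scrambler’s code and not from the original post; the `KEY_STORE` dict is an assumed stand-in for the dongle, and the key-rotation and attacker-side helpers are mine.

```python
"""Password storage where a leaked password table alone cannot be cracked.

Added example; not the S-CRIB Scrambler's code. KEY_STORE stands in for the
dongle (assumption): a key holder the web application can ask to compute an
HMAC, but whose key never reaches the database server's disk or backups.
"""
import hashlib
import hmac
import os

# Assumed stand-in for the hardware key holder.
KEY_STORE = {"k1": os.urandom(32)}

PBKDF2_ITERATIONS = 100_000  # first layer: slow, salted hash of the password


def _slow_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def _wrap(digest, key_id):
    # Second layer: keyed MAC over the slow hash. Recomputing it needs the key,
    # so the table by itself gives an attacker nothing to compare guesses against.
    return hmac.new(KEY_STORE[key_id], digest, hashlib.sha256).digest()


def store_password(password, key_id="k1"):
    """Return the row to keep in the database: salt, key id and wrapped hash."""
    salt = os.urandom(16)
    return {"salt": salt.hex(), "key_id": key_id,
            "mac": _wrap(_slow_hash(password, salt), key_id).hex()}


def verify_password(record, password):
    salt = bytes.fromhex(record["salt"])
    expected = bytes.fromhex(record["mac"])
    candidate = _wrap(_slow_hash(password, salt), record["key_id"])
    return hmac.compare_digest(candidate, expected)


def rotate_key_on_login(record, password, new_key_id):
    """Re-wrap under a new key. An HMAC cannot be re-keyed from the stored
    value alone, so rotation happens at the next successful login, when the
    password (and hence the slow hash) is available again."""
    if not verify_password(record, password):
        raise ValueError("wrong password")
    return store_password(password, new_key_id)


def offline_attack(record, wordlist, stolen_key=None):
    """Dictionary attack from the attacker's side, given the leaked row.

    Without the HMAC key there is no value to test guesses against, so the
    attack cannot start. If the key leaks as well, the attacker is back to
    guessing at the PBKDF2 rate, which is why the first layer must stay slow.
    """
    if stolen_key is None:
        return None
    salt = bytes.fromhex(record["salt"])
    expected = bytes.fromhex(record["mac"])
    for guess in wordlist:
        mac = hmac.new(stolen_key, _slow_hash(guess, salt), hashlib.sha256).digest()
        if hmac.compare_digest(mac, expected):
            return guess
    return None


if __name__ == "__main__":
    row = store_password("princess")
    print(row, verify_password(row, "princess"), offline_attack(row, ["princess"]))
```

The dongle in the article holds a 10-character key; this example uses 32 random bytes, since a key that only ever lives inside the key holder costs nothing in usability. The trade-off a practitioner should note is operational: every login now depends on the key holder being reachable, and losing the key (without a backup kept equally far from the database) means every stored password becomes unverifiable.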
  26. Tomi Engdahl says:

    Bitcoin Exchange Mt. Gox Files for U.S. Bankruptcy as Death Spiral Continues
    http://www.wired.com/wiredenterprise/2014/03/gox-texas/

    The Mt. Gox death spiral continues. The big-name bitcoin exchange has now filed for bankruptcy protection here in the U.S., as well as Japan, and hackers are saying they’ve uncovered evidence of fraud at the Tokyo-based company, after allegedly breaking into a website controlled by its CEO.

    Mt. Gox was once the most popular site for buying and selling the digital cryptocurrency bitcoin.

  27. Tomi Engdahl says:

    CanSecWest Presenter Self-Censors Risky Critical Infrastructure Talk
    http://threatpost.com/cansecwest-presenter-self-censors-risky-critical-infrastructure-talk/104687

    A presenter at this week’s CanSecWest security conference has withdrawn his scheduled talk for fear the information could be used to attack critical infrastructure worldwide.

    Since his lab is under supervision of the French government, he was required to review his findings with authorities.

    “They told me that this presentation was unsuitable for being public,” Filiol said in an email

    Filiol said his methodology—a combination of information gathered through open source intelligence means, mathematical modeling and infantry techniques—could damage critical infrastructure in the United States, and likely worldwide.

    “With a small unit of around 10 people, it is possible in an invisible way to cause major national disruptions,” Filiol said.

    Filiol said his research is now classified.

  28. Tomi Engdahl says:

    Can I tell you SIM sig in private? Vodafone Germany inks deal with G&D for encrypto tech
    Telecoms colossus provide SIM-based security
    http://www.theregister.co.uk/2014/03/11/vodafone_germany_takes_g_and_d_secure_sim/

    German SIM card manufacturer G&D has announced that it will be supplying Vodafone Germany with an end-to-end security system based on the phone SIM.

    Emails, documents and VPN connections are signed and encrypted by the SIM so that the user doesn’t have to enter a password or use a security token. The service will not be offered to individual subscribers but will be available through corporate and government sales.

    It is available now for Android phones, with BB10 and Windows Phone planned, but iOS will be locked out as it does not provide the necessary access to the firmware.

    Crypto-technology does, however, fall under dual-use restrictions governed by the Wassenaar Agreement which means it can’t be exported to places where UN sanctions exist. A Vodafone Germany customer who took his phone with a crypto-SIM to one of those countries would be liable for prosecution. Ironically those are just the countries where you would probably want secure communications.

    Reply
  29. Tomi Engdahl says:

    Snowden: NSA pressured EU into creating ‘European bazaar’ of spy networks
    http://rt.com/usa/snowden-eu-nsa-testimony-526/

    National Security Agency leaker Edward Snowden answered questions before the European Parliament on Friday, saying that the United States spy agency pressures its allies to take steps towards further enabling widespread and indiscriminate surveillance.

    “One of the foremost activities of the NSA’s FAD, or Foreign Affairs Division, is to pressure or incentivize EU member states to change their laws to enable mass surveillance,” Snowden said in a testimony delivered remotely from Russia. “Lawyers from the NSA, as well as the UK’s GCHQ, work very hard to search for loopholes in laws and constitutional protections that they can use to justify indiscriminate, dragnet surveillance operations that were at best unwittingly authorized by lawmakers.”

    Reply
  30. Tomi Engdahl says:

    Malware samples tripled in 2013 as point-of-sale attacks boomed
    Criminals are constantly developing new ways to bypass defences
    http://www.theinquirer.net/inquirer/news/2333309/malware-samples-tripled-in-2013-as-point-of-sale-attacks-boomed

    the rise in digitally-signed malware samples was driven by abuse of automated Content Distribution Networks (CDNs) that wrap malicious binaries within digitally signed, otherwise legitimate installers.

    By the end of 2013, McAfee Labs saw the number of malicious signed binaries rise to more than eight million suspicious binaries, with the firm finding more than 2.3 million new malicious signed applications in the fourth quarter alone, a 52 percent increase from the previous quarter.

    “[We] believe this accelerating trend could pose a significant threat to the long-established certificate authority (CA) model for authenticating ‘safe’ software,” the firm said.

    Researchers at McAfee also highlighted an increase in Point of Sale (POS) malware

    McAfee said that during the last few years it had seen a notable rise in the malware families POScardstealer, Dexter, Alina, Vskimmer, Project Hook and others, many of which are available for purchase online.

    Criminals behind the campaigns are particularly dangerous as they are constantly developing new ways to bypass traditional defences

    Reply
  31. Tomi Engdahl says:

    In April, Microsoft will be ending its support of Windows XP. What do you do to protect your investment? This popular operating system (OS) used by point-of-sale (POS) terminals, ATMs, medical devices, back-office servers, and industrial control systems needs ongoing security patches to counter attacks from new viruses, malware and code vulnerabilities.

    Additionally, when an unsupported OS is running the traditional anti-virus security software, system performance will be greatly impacted.

    What can OEM do to ensure that systems handling mission-critical data or that require high availability remain compliant to the respective regulatory or auditing body?

    Source:
    https://event.on24.com/eventRegistration/EventLobbyServlet?target=registration.jsp&eventid=764888&sessionid=1&key=79D82CFDD55E745B0856712A2986F68A&sourcepage=register

    Reply
  32. Tomi Engdahl says:

    Attackers trick 162,000 WordPress sites into launching DDoS attack
    Technique allows lone attacker hidden in the shadows to wage crippling attacks.
    http://arstechnica.com/security/2014/03/more-than-162000-legit-wordpress-sites-abused-in-powerful-ddos-attack/

    Security researchers have uncovered a recent distributed denial-of-service (DDoS) attack that used at least 162,000 WordPress-powered websites to knock another site offline.

    The technique made it possible for an attacker with modest resources to greatly amplify the bandwidth at its disposal. By sending spoofed Web requests in a way that made them appear to come from the target site, the attacker was able to trick the WordPress servers into bombarding the target with more traffic than it could handle.

    the attack is notable for targeting XML-RPC, a protocol the sites running WordPress and other Web applications use to provide services such as pingbacks, trackbacks, and remote access to some users.

    Researchers from security firm Sucuri recently counted more than 162,000 legitimate WordPress sites hitting a single customer website.

    The post also provides instructions that operators of WordPress sites can follow to prevent their servers from being abused to carry out these types of attacks. The technique involves adding the following code to a site theme:

    // Add to the theme's functions.php: drop pingback.ping from the XML-RPC method table
    add_filter( 'xmlrpc_methods', function( $methods ) {
        unset( $methods['pingback.ping'] );
        return $methods;
    } );

    Cid doesn’t say if there are any negative consequences that will result from adding the filter.

    Reply
  33. Tomi Engdahl says:

    Hacker Claims This Crucial WhatsApp Flaw Can Expose Your Messages in Minutes
    http://www.businessinsider.com/crucial-whatsapp-security-issue-2014-3?op=1

    WhatsApp users should be careful when downloading Android apps. If you don’t read an app’s permissions attentively before installing, your WhatsApp chat history could end up in a stranger’s hands

    Since WhatsApp backs up messages on your phone’s SD card, apps can easily access this information if granted permission to do so.

    Read more: http://www.businessinsider.com/crucial-whatsapp-security-issue-2014-3#ixzz2vjXnb800

    Reply
  34. Tomi Engdahl says:

    Ransoms paid by two of every five victims of CryptoLocker
    http://www.kent.ac.uk/news/stories/Cybercrime_survey2/2014

    New research from the University of Kent has revealed that around 40% of people who fall victim to an advanced form of malware, known as CryptoLocker, have agreed to pay a ransom of around £300 to recover their files.

    Their research also reveals that the prevalence of this type of ransomware (or malware) which makes personal files inaccessible by encrypting them – equates to approximately one case in 30, much higher than previous estimates suggested.

    Other findings include 28.2% of respondents in the survey claim not to engage in any security practices online, such as using antivirus software, firewalls, and password management tools.

    Results show that almost one in thirty (2.9%) people say they had been a victim of online bullying or harassment, whilst similar numbers had been victims of online stalking (2.3%).

    Reply
  35. Tomi Engdahl says:

    An online Magna Carta: Berners-Lee calls for bill of rights for web
    Exclusive: web’s inventor warns neutrality under sustained attack from governments and corporations
    http://www.theguardian.com/technology/2014/mar/12/online-magna-carta-berners-lee-web

    The inventor of the world wide web believes an online “Magna Carta” is needed to protect and enshrine the independence of the medium he created and the rights of its users worldwide.

    Sir Tim Berners-Lee told the Guardian the web had come under increasing attack from governments and corporate influence and that new rules were needed to protect the “open, neutral” system.

    Berners-Lee’s Magna Carta plan is to be taken up as part of an initiative called “the web we want”, which calls on people to generate a digital bill of rights in each country – a statement of principles he hopes will be supported by public institutions, government officials and corporations.

    Principles of privacy, free speech and responsible anonymity would be explored in the Magna Carta scheme. “These issues have crept up on us,” Berners-Lee said

    The web constitution proposal should also examine the impact of copyright laws and the cultural-societal issues around the ethics of technology.

    “But we need our lawyers and our politicians to understand programming, to understand what can be done with a computer. We also need to revisit a lot of legal structure, copyright law – the laws that put people in jail which have been largely set up to protect the movie producers … “

    Reply
  36. Tomi Engdahl says:

    BB10’s ‘dated’ crypto lets snoops squeeze the juice from your BlackBerry – researcher
    BEAST will attack your sensitive web traffic, warns poster
    http://www.theregister.co.uk/2014/03/12/bb10_dated_crypto/

    The latest version of the smartphone maker’s operating system, BlackBerry 10, uses TLS 1.0, while competitors use TLS 1.2. According to the researcher, this leaves BlackBerry fans using BB10 at risk of being attacked by BEAST, a cryptographic attack developed in 2011 that’s capable of decrypting sensitive web traffic protected by the ubiquitous secure sockets layer protocol.

    Reply
  37. Tomi Engdahl says:

    Mastercard, Syniverse target holiday payment security with mobile verification system
    Not in Bora Bora? Crooks can’t use your credit card there
    http://www.theregister.co.uk/2014/03/12/mastercard_and_syniverse_in_roaming_pact/

    It’s ironic that when people are abroad so many people switch off their mobile phones’ data and so many banks switch off customers’ credit cards.

    You’ll have heard of Mastercard but are less likely to know about Syniverse unless you work in the mobile industry. The firm is a kind of central broker for mobile phone networks that want to deal with lots of other networks without having to set up individual arrangements one at a time.

    When you move your mobile phone number from one network to another, the protocols to do this probably go through Syniverse.

    The new project allows the Mastercard network to tap into the data in mobile phone networks to establish that a credit card being used abroad is kosher.

    The tie-up between Mastercard and Syniverse allows customers to register their mobile phone number with their credit card company
    the system checks the Visitor Location Register to make sure the phone is where the card is.

    There are no mechanisms used to check the position of the phone and card more accurately such as Cell ID, triangulation or correlating phone and point-of-sale locations. Other checks will still be in place

    Aligned with this is a pre-paid data service which will offer customers roaming packages to use while they are abroad

    Reply
  38. Tomi Engdahl says:

    MUM’s WordPress recipe blog USED AS ZOMBIE in DDoS attacks
    Well, it’s statistically reasonably likely. Just update to 3.8.1, OK?
    http://www.theregister.co.uk/2014/03/12/wordpress_vuln_creates_botnet_army/

    Tens of thousands of vulnerable WordPress sites have been co-opted into a server-based botnet being used to run DDoS attacks.

    More than 160,000 legitimate WordPress sites were abused to run a large HTTP-based (layer 7) distributed flood attack against a target, which called in cloud security firm Sucuri for help.

    “Any WordPress site with Pingback enabled (which is on by default) can be used in DDOS attacks against other sites,” Cid explains.

    the specific problem abused in the latest run of attacks was fixed more than a year ago in a WordPress core release in January 2013

    Reply
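As an added example (not code from the Ars Technica or Register articles quoted in comments 32 and 38), a small Python detector for both sides of the pingback reflection described there, run over constructed log lines: the victim sees GETs carrying a cache-busting query string whose User-Agent names a WordPress site (WordPress identifies itself as `WordPress/<version>; <site URL>` when it fetches a pingback target), and a reflector sees bursts of POSTs to xmlrpc.php from the attacker's real address. The site names, IP addresses and thresholds are assumptions.

```python
import re
from collections import Counter

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# User-Agent that WordPress's HTTP client sends when it verifies a pingback target.
WP_UA_RE = re.compile(r'^WordPress/[\d.]+; (?P<site>https?://\S+)')

def parse(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def reflected_pingback_sources(lines, min_sites=3):
    """Victim side: count GETs with a query string whose UA is a WordPress site.
    One such request is normal (a real pingback check); many distinct sites in a
    short window is the reflection pattern. Returns a Counter of site -> hits,
    empty unless at least min_sites distinct sites are seen."""
    sites = Counter()
    for line in lines:
        r = parse(line)
        if not r or r["method"] != "GET":
            continue
        m = WP_UA_RE.match(r["ua"])
        if m and "?" in r["path"]:
            sites[m.group("site")] += 1
    return sites if len(sites) >= min_sites else Counter()

def xmlrpc_pingback_abuse(lines, threshold=5):
    """Reflector side: the request body (pingback.ping with the victim as target)
    is not logged, but the attacker's real IP is, so a burst of POSTs to
    xmlrpc.php from one client is the signal. Returns {ip: count} over threshold."""
    per_ip = Counter()
    for line in lines:
        r = parse(line)
        if r and r["method"] == "POST" and r["path"].endswith("/xmlrpc.php"):
            per_ip[r["ip"]] += 1
    return {ip: n for ip, n in per_ip.items() if n >= threshold}

# Constructed sample logs (documentation addresses and example hostnames).
VICTIM_LOG = [
    '198.51.100.21 - - [12/Mar/2014:10:00:02 +0000] "GET /?4137049=6431823 HTTP/1.0" 403 0 "-" "WordPress/3.8; http://blog-a.example/"',
    '198.51.100.22 - - [12/Mar/2014:10:00:02 +0000] "GET /?9912371=1123412 HTTP/1.0" 403 0 "-" "WordPress/3.8.1; http://blog-b.example/"',
    '198.51.100.23 - - [12/Mar/2014:10:00:03 +0000] "GET /?7781230=4456781 HTTP/1.0" 403 0 "-" "WordPress/3.5.1; http://blog-c.example/"',
    '198.51.100.24 - - [12/Mar/2014:10:00:03 +0000] "GET /?1034911=9021034 HTTP/1.0" 403 0 "-" "WordPress/3.8; http://blog-d.example/"',
    '192.0.2.10 - - [12/Mar/2014:10:00:04 +0000] "GET /about/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.25 - - [12/Mar/2014:10:00:05 +0000] "GET /2014/03/post/ HTTP/1.0" 200 8000 "-" "WordPress/3.8; http://blog-e.example/"',
]
REFLECTOR_LOG = [
    '203.0.113.5 - - [12/Mar/2014:09:59:5%d +0000] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/5.0"' % i
    for i in range(6)
] + [
    '198.51.100.7 - - [12/Mar/2014:10:00:07 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "WordPress/3.8; http://friend.example/"',
]

if __name__ == "__main__":
    print(reflected_pingback_sources(VICTIM_LOG))
    print(xmlrpc_pingback_abuse(REFLECTOR_LOG))
```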
  39. Tomi Engdahl says:

    EU Parliament rubber-stamps ‘irreversible’ data protection reforms
    Will make life, um, ‘easier for business’ – Viv Reding insists
    http://www.theregister.co.uk/2014/03/12/european_parliament_waves_through_data_protection_reforms/

    “we need a uniform and strong European data protection law, which will make life easier for business and strengthen the protection of our citizens.”

    “Data Protection is made in Europe. Strong data protection rules must be Europe’s trade mark. Following the US data spying scandals, data protection is more than ever a competitive advantage.”

    Reply
  40. Tomi Engdahl says:

    Brand.com, Top Exec Blackmailed and Targeted in Massive Cyber Attacks
    http://segment.com/mike-zammuto-cyber-attack-brand-com/?utm_source=taboola&utm_medium=referral

    Online Brand Management company Brand.com reported today that the company and its president, Mike Zammuto, were victims of online libel and cyber attacks after a failed extortion attempt in December.

    A spokesman said that online businesses like Brand.com, as well as their owners and operators, can become targets of online extortion when individuals or groups make financial solicitations by threatening to disparage the company’s reputation anonymously through consumer review websites.

    Because of certain legal loopholes, and no financial motive on the part of the review websites to remove it, the malicious content can remain online indefinitely.

    Reply
  41. Tomi Engdahl says:

    How the NSA Plans to Infect ‘Millions’ of Computers with Malware
    By Ryan Gallagher and Glenn Greenwald 12 Mar 2014, 9:19 AM ED
    https://firstlook.org/theintercept/article/2014/03/12/nsa-plans-infect-millions-computers-malware/

    Top-secret documents reveal that the National Security Agency is dramatically expanding its ability to covertly hack into computers on a mass scale by using automated systems that reduce the level of human oversight in the process.

    In some cases the NSA has masqueraded as a fake Facebook server, using the social media site as a launching pad to infect a target’s computer and exfiltrate files from a hard drive. In others, it has sent out spam emails laced with the malware, which can be tailored to covertly record audio from a computer’s microphone and take snapshots with its webcam. The hacking systems have also enabled the NSA to launch cyberattacks by corrupting and disrupting file downloads or denying access to websites.

    The implants being deployed were once reserved for a few hundred hard-to-reach targets, whose communications could not be monitored through traditional wiretaps. But the documents analyzed by The Intercept show how the NSA has aggressively accelerated its hacking initiatives in the past decade by computerizing some processes previously handled by humans.

    Hypponen believes that governments could arguably justify using malware in a small number of targeted cases against adversaries. But millions of malware implants being deployed by the NSA as part of an automated process, he says, would be “out of control.”

    NSA has already deployed between 85,000 and 100,000 of its implants against computers and networks across the world, with plans to keep on scaling up those numbers.

    The NSA has a diverse arsenal of malware tools, each highly sophisticated and customizable for different purposes.

    Reply
  42. Tomi Engdahl says:

    Web firms face a strict new set of privacy rules in Europe — here’s what to expect
    http://gigaom.com/2014/03/12/web-firms-face-a-strict-new-set-of-privacy-rules-in-europe-heres-what-to-expect/

    The European Parliament has overwhelmingly passed a large package of laws intended to strengthen data protection – that’s “privacy” in non-legalese – across the European Union.

    The European Parliament has passed the EU’s first major overhaul of data protection legislation since 1995, taking into account today’s online landscape. Meanwhile, parliamentarians also approved a resolution calling for the suspension of a key deal affecting U.S. web firms.

    The resolution, which follows a lengthy inquiry into mass surveillance, also calls for the suspension of the Terrorist Finance Tracking Program, which gives U.S. authorities access to European’s financial records if they ask for them through official channels. MEPs have already voted to do this, as U.S. spies are accessing such data through unofficial channels

    there would be big impact in Europe.

    Reply
  43. Tomi Engdahl says:

    Perseus, Atlas Launch Global Bitcoin Trading Platform
    Venture Seeks to Facilitate Trading in Bitcoin by Institutional Investors
    http://online.wsj.com/news/article_email/SB10001424052702303795904579433222564439410-lMyQjAxMTA0MDEwMjExNDIyWj

    High-speed telecommunications provider Perseus Telecom and digital currency trading platform Atlas ATS formally launched Wednesday a globally integrated bitcoin exchange system in New York, Hong Kong and Singapore to facilitate trading in the digital currency by high-frequency trading firms and other large financial institutions.

    Reply
  44. Tomi Engdahl says:

    Samsung Galaxy Back-door
    http://redmine.replicant.us/projects/replicant/wiki/SamsungGalaxyBackdoor

    Samsung Galaxy devices running proprietary Android versions come with a back-door that provides remote access to the data stored on the device.

    This back-door is present in most proprietary Android systems running on the affected Samsung Galaxy devices, including the ones that are shipped with the devices.

    The affected devices have modems that use the Samsung IPC protocol, mostly Intel XMM6160 and Intel XMM6260 modems.

    Reply
  45. Tomi Engdahl says:

    Bitcoin, Meet Darwin: Crypto Currency’s Future
    First-movers rarely survive, but some experts see a real future for government-issued crypto currency.
    http://www.informationweek.com/security/risk-management/bitcoin-meet-darwin-crypto-currencys-future/d/d-id/1127655

    In five years, might the Bitcoin market be little more than a smoking ruin?

    That’s the dystopian future facing crypto-currency traders, if the current pace of attacks against Bitcoin exchanges and holders continues. Both could see a never-ending onslaught of distributed denial-of-service (DDoS), hacking, and malware attacks designed to drain their virtual currency coffers.

    just because one cryptographic currency gets pummeled, the odds are that the next “Satoshi Nakamoto” will build an even better one.

    Beyond Bitcoin, which has the world’s largest virtual currency market capitalization (nearly $8 billion), there are at least 100 other crypto currencies, ranging from Ripple ($1.4 billion) and Litecoin ($453 million) — also at the high end — to Deutsche eMark ($106,000) and Grumpycoin ($88,000) at the low end.

    Reply
  46. Tomi Engdahl says:

    N.S.A. Nominee Promotes Cyberwar Units
    http://www.nytimes.com/2014/03/12/world/europe/nsa-nominee-reports-cyberattacks-on-ukraine-government.html?pagewanted=all

    All of the major combat commands in the United States military will soon have dedicated forces to conduct cyberattacks alongside their air, naval and ground capabilities, Vice Adm. Michael S. Rogers, President Obama’s nominee to run the National Security Agency, told the Senate on Tuesday.

    During a two-hour appearance before the committee, Admiral Rogers also confirmed that the United States had seen evidence of cyberattacks on the new government in Ukraine

    “Clearly, cyber will be an element of almost any crisis we’re going to see in the future,” he told the senators.

    Reply
  47. Tomi Engdahl says:

    Ethical hacker backer hacked, warns of email ransack
    Switches registrars, tightens security after ‘upsetting’ incident
    http://www.theregister.co.uk/2014/03/13/ethical_hacker_cert_org_pwned/

    The IT security certification body that runs the Certified Ethical Hacker programme has itself been hacked.

    The EC-Council said the same hackers who ran the DNS poisoning attack that resulted in the defacement of its website in late February had also managed to access the control panel for its website after breaking into the systems of a third-party registrar.

    Reply
  48. Tomi Engdahl says:

    Stanford Researchers Spot Medical Conditions, Guns, and More In Phone Metadata
    http://news.slashdot.org/story/14/03/13/0133223/stanford-researchers-spot-medical-conditions-guns-and-more-in-phone-metadata

    “Since the NSA’s phone metadata program broke last summer, politicians have trivialized the privacy implications. It’s ‘just metadata,’”

    MetaPhone: The Sensitivity of Telephone Metadata
    http://webpolicy.org/2014/03/12/metaphone-the-sensitivity-of-telephone-metadata/

    We were able to corroborate Participant B’s medical condition and Participant C’s firearm ownership using public information sources.

    Phone records held by the NSA and telecoms span millions of Americans over multiple years. Reasonable minds can disagree about the policy and legal constraints that should be imposed on those databases. The science, however, is clear: phone metadata is highly sensitive.

    Reply
  49. Tomi Engdahl says:

    YouTube to be monitored by British security
    Google has given officials special access to its video site
    http://www.irishtimes.com/business/sectors/technology/youtube-to-be-monitored-by-british-security-1.1722722

    Google has given British security officials special access to its YouTube video site, allowing them to have content instantly reviewed if they think that it threatens national security.

    The new “super flagger” powers underline growing concern among governments that are scrambling to contain the proliferation of jihadi material prompted by the war in Syria, but they are likely to stir concern among civil liberties campaigners.

    Reply
