Security trends for 2014

2014 will be a year of cybersecurity after the NSA revelations made in 2013. The headline news is that the NSA has surreptitiously “burrowed its way into nearly all the security architecture” sold by the world’s largest computer networking companies. A lot of people were shocked at how the NSA monitored and hacked almost everything on the Internet. There will still be NSA aftershocks as new material comes out and different parties react to it (and news sources write about it). U.S. cloud services have been put into question for good reason. There will be a lot of NSA spying litigation. Those spying issues will also fuel some hacktivism (it has already started to happen).

The article Security Professionals: Top Cyber Threat Predictions for 2014 lists the following predictions, which seem pretty probable: Cybersecurity Regulatory Efforts Will Spark Greater Need for Harmonization, Service-Impacting Interruptions for Online Services Will Persist, We Will See an Increase in Cybercrime Activity Related to the World Cup, Rise of Regional Cloud Services, Dev-Ops Security Integration Fast Becoming Critical, Cybercrime that Leverages Unsupported Software will Increase, Increase in Social Engineering and Ransomware will Impact More People.

Ubiquitous mobile computing is all around us, which will lead to increased risks and concerns about social network privacy. Social networks have quickly become the key organizing principle of Internet communication and collaboration. Android anti-virus apps CAN’T kill nasties on sight like normal AV.

2013 was a very hacked year, with many cases where information on millions or tens of millions of users was stolen from companies. It’s likely that we will see much more of the same in 2014, since the way people use passwords and how on-line services are built have not changed much in one year.


Gartner predicts that through 2014, improved JavaScript performance will begin to push HTML5 and the browser as a mainstream enterprise application development environment. I expect HTML5-related security issues to increase because the technology will be used more in 2014.

Over 50% of net traffic to web sites is made by bots! The article More Than Half of Internet Traffic Is Just Bots says that security and cloud service provider Incapsula analyzed and found out that more than 60 percent of internet traffic is computer generated, compared to less than 40 percent of traffic that is driven by human clicks. 31% of Bots Are Still Malicious. SEO link building has always been a major motivation for automated link spamming, but it is decreasing because Google was able to discourage it. There is more advanced hacking and automatic vulnerability searching.

DDoS attacks are evolving from volumetric Layer 3-4 attacks to much more sophisticated and dangerous Layer 7 multi-vector threats.

There will still be many SCADA security issues in 2014. Even though traditional SCADA vulnerabilities have become easier to find, the increased connectivity brought by IoT will cause new issues. And there will still be very many control systems openly accessible from the Internet to practically anybody who knows how to reach them. A large number of SCADA systems were found open on the Internet in the beginning of 2013, and the numbers have not dropped considerably during the year. I expect that very many of those systems will still be too open at the end of 2014.

The Internet is expanding into enterprise assets and consumer items such as cars and televisions. The Internet of Things (IoT) will evolve into the Web of Things, increasing the coordination between things in the real world and their counterparts on the Web. There will be many security issues to solve, and as the systems become more widely used, more security issues will be found in them.

Cloud security will be talked about. Hopefully there will be some clear-up of the terminology in that area, because cloud security, like the term cloud computing, can mean a lot of things. Cloud security could mean how secure your cloud provider is, or a service that runs in the cloud and filters what comes through it (for example e-mails, web traffic); it could mean a product protecting some service running in the cloud, or it could be a traditional anti-virus service that connects to the cloud to advance its operation (for example to update in real time, or verify unknown programs based on data in the cloud). Research firm Gartner forecasts that cloud security sales will increase dramatically in the next few years. Cloud Security sales have increased over the past year by 2.1 billion to $3.1 billion in 2015.

Marketers try to put the term “cloud” into security product brochures as much as they can. The cloud has made traditional information security sound old-fashioned, because companies are under pressure to move services to the cloud. Also, mobile devices and dispersed users set new standards for information security. OpenDNS’s CTO Dan Hubbard says that “Because of the data and equipment run in the cloud users with the cloud is the best way to protect them.” The Snowden Effect will also bring PRIVATE cloud talk to the table this year for security reasons, because U.S. cloud services have been put into question for good reason.

In Finland a new Cyber Security Center started in the beginning of 2014. Security articles and warnings from it will be published at kyberturvallisuuskeskus.fi.

Late addition: Crypto-currencies like Bitcoin and similar are on the rise. Early adopters already use them actively. Those crypto-currencies have many security issues related to them. The values of the crypto-currencies vary quite a lot, and the value easily drops considerably when they become so widely used that different governments try to limit their use. Bitcoin is increasingly used as a ransomware payment method. Bitcoins have been stolen quite a lot lately (and I expect that to increase when usage increases), and they are stolen from users, on-line wallets and exchanges. When more money is involved, more bad guys try to get in to get some of it. Sometimes bad guys do not try to steal your money, but use resources you pay for (your own PC, your server capacity, etc.) to generate money for them without you knowing about it. If you plan to use those crypto-currencies, be careful to understand what you are doing with them: there is a real possibility that you can lose your money, and there is no way that lost money can be recovered.

3,382 Comments

  1. Tomi Engdahl says:

    SYSTEM ERROR DOWN: Twitter twits silenced by hack attack ‘false alarm’
    http://www.theregister.co.uk/2014/03/04/twitter_twats_silenced_by_hack_attack_false_alarm/

    Twitter had mistakenly sent out password reset emails.

  2. Tomi Engdahl says:

    UK.gov to train up 11-year-old cyberwarriors
    Biz-backed scheme aims to create white hat apprentices
    http://www.theregister.co.uk/2014/03/13/uk_kids_to_be_schooled_in_cyber_security/

    British schoolkids as young as 11 will be trained in cyber security as part of a new drive to protect the UK from digital threats.

    The government will produce learning materials designed to get 11- to 14-year-olds up to speed on cyber security.

    Universities and Science Minister David Willetts said: “Today countries that can manage cyber security risks have a clear competitive advantage.”

  3. Tomi Engdahl says:

    How to Keep the NSA From Spying Through Your Webcam
    http://www.wired.com/threatlevel/2014/03/webcams-mics/

    But did you know that intruders might use the built-in camera to take surreptitious pictures and videos of you and your surroundings or hijack your microphone to eavesdrop on conversations?

    The latest story from the Edward Snowden leaks yesterday drives home that the NSA and its spy partners possess specialized tools for doing exactly that. According to The Intercept, the NSA uses a plug-in called GUMFISH to take over cameras on infected machines and snap photos.

    Another NSA plug-in called CAPTIVATEDAUDIENCE hijacks the microphone on targeted computers to record conversations.

    Fortunately, WIRED is here with a solution: Cover your camera lens with a sticker.
    It’s low-tech, to be sure. But it works.

    Your best defense is probably to insert a dummy plug into the microphone jack to prevent sound from being picked up by the internal mic.

  4. Tomi Engdahl says:

    Mt. Gox kept exchange open despite knowledge of large-scale theft
    Exchange continued to operate and collect transaction fees despite its troubles, U.S. bankruptcy filing suggests
    http://www.computerworld.com/s/article/9246921/Mt._Gox_kept_exchange_open_despite_knowledge_of_large_scale_theft

    Mt. Gox may have collected a large sum in trading fees in the weeks before its closure, even though it was already aware that a vast number of bitcoins had gone missing, its U.S. bankruptcy filing suggests.

  5. Tomi Engdahl says:

    “Virtually no evidence” for claim of remote backdoor in Samsung phones
    Security researcher offers a different take on warning of secret Galaxy spy code.
    http://arstechnica.com/security/2014/03/virtually-no-evidence-for-claim-of-remote-backdoor-in-samsung-galaxy-phones/

    On Wednesday, developers of an alternative version of Google’s Android mobile operating system published a startling claim: Samsung’s S3, Note 2, and seven other models of Galaxy smartphones contained a backdoor that provides remote access to virtually all data stored on the devices. The code that allows access, which controls the phones’ baseband or modem processors, made it possible to remotely read, write, or even modify users’ files.

    To get a second opinion, Ars turned to Dan Rosenberg, a senior security researcher at Azimuth Security, who specializes in the reverse engineering of Unix and embedded devices.

    Rosenberg: I think calling this a “backdoor” is a bit far-fetched, much less one that can allow parties to remotely access data from your phone. This claim can be debunked with three crucial facts:
    1. There is virtually no evidence for the ability to remotely execute this functionality.
    2. The amount of data that can be read or written to by this functionality is very limited
    3. The specifics of the vulnerability suggest that it was poorly programmed legitimate functionality rather than a secret backdoor.

  6. Tomi Engdahl says:

    A Close Look at the NSA’s Most Powerful Internet Attack Tool
    http://www.wired.com/opinion/2014/03/quantum/

    We already knew that the NSA has weaponized the internet, enabling it to “shoot” exploits at anyone it desires. A single web fetch, initiated by an identified target, is sufficient for the NSA to exploit its victim.

    But the Edward Snowden slides and story published yesterday at The Intercept convey a wealth of new detailed information about the NSA’s technology and its limitations.

    If NSA only used QUANTUM to attack wannabee terrorists attempting to read Inspire, hardly anyone would object. But instead the agency expanded it greatly, not only in target scope (including its confirmed use against Belgacom) but also in functionality.

    Today QUANTUM packs a suite of attack tools, including both DNS injection (upgrading the man-on-the-side to a man-in-the-middle, allowing bogus certificates and similar routines to break SSL) and HTTP injection. That’s reasonable enough. But it also includes gadgets like a plug-in to inject into MySQL connections, allowing the NSA to quietly mess with the contents of a third-party’s database. (This also surprisingly suggests that unencrypted MySQL on the internet is common enough to attract NSA attention.)

  7. Tomi Engdahl says:

    The NSA Responds To Allegations It Impersonated Facebook And Infected PCs With Malware
    http://techcrunch.com/2014/03/13/the-nsa-responds-to-allegations-it-impersonated-facebook-and-infected-pcs-with-malware/

    The NSA’s terse response called the report “inaccurate,” denying that it uses its tools to “impersonate U.S. company websites.”

    The NSA’s refutation of the story comes after Mark Zuckerberg publicly zinged the agency, called for reform and a better Internet, and said that he had called the president over the matter.

  8. Tomi Engdahl says:

    UK Sidelines Universities for Cybersecurity Training
    http://www.eetimes.com/document.asp?doc_id=1321425&

    The UK government is taking the training of new cybersecurity specialists out of the hands of universities and engineering departments with new apprenticeships.

    “The Cyber Security Skills: Business Perspectives and Governments Next Steps” report recommends new higher-level and advanced apprenticeships and special learning materials for 11- to 14-year-olds alongside a new MOOC for online training, as well as working with vocational qualifications providers to look at how cybersecurity can be embedded in teaching in Further Education colleges.

  9. Tomi Engdahl says:

    Starting Today, Jealous Lovers Can Buy NSA-Like Monitoring Powers
    http://www.forbes.com/sites/adamtanner/2014/03/12/starting-today-jealous-lovers-can-buy-nsa-like-monitoring-powers/

    the phone records everything that happens on the device and sends the details to a remote website. Every call is recorded, every keystroke logged, every email seen, every SMS chat or photograph monitored. Whenever the boyfriend wants, he logs online and reviews the trove of information.

    This is not some dystopian nightmare. It’s possible right now using commercially available software from mSpy, which cheerily advises potential buyers: “And they won’t find out.”

    The phone’s proclaimed target markets are employers and parents who have the legal authority to watch what their children do on their smart phones.

  10. Tomi Engdahl says:

    Boffins propose brainwave privacy standard
    EEG data can predict illness, and app-makers are storing it in the cloud …
    http://www.theregister.co.uk/2014/03/14/boffins_propose_brainwave_privacy_standard/

    Researchers from MIT Media Lab and the Technical University of Denmark have raised the issue of “Privacy for Personal Neuroinformatics”, a field they feel deserves attention because brainwave data is starting to go public.

    The four writers’ paper on the idea points out that electroencephalography (EEG) has been around for ages and records brain activity using electrodes. Patients generally consent to EEG data being captured, often because it’s a useful diagnostic tool. But EEG data can also be used to “diagnose mental diseases, and traces of epilepsy, and decode personality traits,” the paper points out, arguing that current arrangements mean patients don’t consent to or contemplate deeper analysis. Nor can patients control the output of their minds

    suggest that those who submit to EEG could benefit from privacy standards that make sure their data isn’t used to peer into their minds in ways they haven’t already contemplated

  11. Tomi Engdahl says:

    All hacking eyes on the prize money at CanSecWest
    http://news.cnet.com/8301-1009_3-57620337-83/all-hacking-eyes-on-the-prize-money-at-cansecwest/

    Nearly $4 million in prize money between Pwnium and Pwn2Own drives more attention than ever to the two hacking contests, as Google crosses the $3 million security award mark.

    “We’ve gone from 2 to 3 really fast,” he said. “The more money we can put into the “white hat” community, the better off we all are.”
    –Chris Evans, Google security engineer

    “The major value of Pwn2Own is to show that even the most secure software can be compromised by a team of researchers with enough resources.”
    –Chaouki Bekrar, Vupen Security CEO

  12. Tomi Engdahl says:

    Russia Blocks Access to Major Independent News Sites
    https://www.eff.org/deeplinks/2014/03/russia-blocks-access-major-independent-news-sites

    Russia’s government has escalated its use of its Internet censorship law to target news sites, bloggers, and politicians under the slimmest excuse of preventing unauthorized protests and enforcing house arrest regulations. Today, the country’s ISPs have received orders to block a list of major news sites and system administrators have been instructed to take the servers providing the content offline.

    EFF is profoundly opposed to government censorship of the Internet, which violates its citizens right to freedom of expression, guaranteed under Article 19 of the Universal Declaration of Human Rights.

  13. Tomi Engdahl says:

    Google Play Store update lets you require a password for every purchase
    http://androidcommunity.com/google-play-store-update-lets-you-require-a-password-for-every-purchase-20140313/

    Google has just started rolling out an update to the Play Store app on Android that, among other things, now offers more fine-grained control when making purchases. This change could very well be related to the class action suit that the company is now facing.

  14. Tomi Engdahl says:

    Target IGNORED hacker alarms as crooks took 40m credit cards – claim
    Red alert! Reports say staff dithered while crooks went to town
    http://www.theregister.co.uk/2014/03/14/target_failed_to_act_on_security_alerts/

    Staff at US chain Target reportedly failed to stop the theft of 40 million credit card records despite an escalating series of alarms from the company’s computer security systems.

    FireEye’s technology could have auto-nuked the Target malware but the functionality was disabled. The FireEye system was installed six months prior to the breach and it could be that Target’s security team hadn’t yet got to the point where they trusted it to act semi-autonomously.

  15. Tomi Engdahl says:

    Firefox Was the Most Attacked & Exploited Browser At Pwn2own 2014
    http://news.slashdot.org/story/14/03/15/2322229/firefox-was-the-most-attacked-exploited-browser-at-pwn2own-2014

    “Though IE, Chrome and Safari were all attacked and all were exploited, no single web browser was exploited at this year’s Pwn2own hacking challenge as Mozilla Firefox”

  16. Tomi Engdahl says:

    Is no browser safe? Security bods poke holes in Chrome, Safari, IE, Firefox and earn $1m
    Big names fail, iOS kernel flaw found during hacking contests
    http://www.theregister.co.uk/2014/03/14/researchers_reap_over_one_meeelion_dollars_at_cansecwest_hacking_competitions/

    The Pwn2Own and Pwnium hacking contests at the annual CanSecWest conference in Vancouver have earned security researchers over a million dollars in prizes, exposed 34 serious zero-day flaws in popular code, and earned over $82,000 for the Canadian Red Cross.

    all the major browsers – Chrome, Safari, Internet Explorer and Firefox – fell to attacks within the 30-minute timeframe for each, along with Flash

  17. Tomi Engdahl says:

    It’s 2014 and Microsoft Windows PCs can still be owned by a JPEG
    Update now: OS, Internet Explorer and (of course) Flash all in line for fixes
    By Shaun Nichols, 11 Mar 2014
    http://www.theregister.co.uk/2014/03/11/microsoft_adobe_patch_tuesday/

    Microsoft has fixed security bugs in Internet Explorer and Windows that allow hackers to remotely execute code on victims’ vulnerable machines – one bug a result of poor JPEG handling.

    Microsoft credited 23 outside researchers in helping to root out and report the IE flaws, exploits for which do exist, we’re told.

  18. Tomi Engdahl says:

    Compare the NSA’s Facebook Malware Denial to its Own Secret Documents
    https://firstlook.org/theintercept/2014/03/15/nsa-facebook-malware-turbine-non-denial-denial/

    The rapid proliferation of these hacking techniques in the past decade, under cover of intense secrecy, is extraordinary and unprecedented. The NSA insists in its denial that its hacking efforts are not “indiscriminate.” Yet how the agency defines “indiscriminate” in this context remains unclear.

    The NSA’s outgoing chief has claimed that the agency supports increased transparency in the wake of the Snowden leaks – but its response to the latest disclosures illustrates that it is failing to live up to that commitment. If the NSA truly wants to gain citizens’ trust, it should rethink its slippery public relations strategy.

  19. Tomi Engdahl says:

    Google Docs Users Targeted by Sophisticated Phishing Scam
    http://www.symantec.com/connect/blogs/google-docs-users-targeted-sophisticated-phishing-scam

    We see millions of phishing messages every day, but recently, one stood out: a sophisticated scam targeting Google Docs and Google Drive users.

    The fake page is actually hosted on Google’s servers and is served over SSL, making the page even more convincing. The scammers have simply created a folder inside a Google Drive account, marked it as public, uploaded a file there, and then used Google Drive’s preview feature to get a publicly-accessible URL to include in their messages.

    After pressing “Sign in”, the user’s credentials are sent to a PHP script on a compromised web server.

  20. Tomi Engdahl says:

    Attorney General’s new war on encrypted web services
    How you might be forced to unlock seized packets.
    http://www.itnews.com.au/News/375286,attorney-generals-new-war-on-encrypted-web-services.aspx

    Australia’s Attorney-General’s department wants new laws to force users and providers of encrypted internet communications services to decode any data intercepted by authorities.

    “Sophisticated criminals and terrorists are exploiting encryption and related counter-interception techniques to frustrate law enforcement and security investigations, either by taking advantage of default-encrypted communications services or by adopting advanced encryption solutions,” the submission noted.

    Under 3LA, the individual is compelled to “‘provide any information or assistance that is reasonable and necessary’ to allow information held on the device to be converted into an intelligible form”, the department said.

    The department isn’t specific about what it believes individual users could provide authorities that would aid in making sense of encrypted data from internet communication services.

  21. Tomi Engdahl says:

    MtGox remedy worse than the disease says Kaspersky researcher
    ‘Leaked database’ offering details of Bitcoin heists contained Trojan
    http://www.theregister.co.uk/2014/03/17/mtgox_blog_hackers_malware_bitcoin_stealers/

    A 700MB file that hackers claimed contains valuable database information on bankrupted MtGox is actually hiding Bitcoin wallet file-stealing malware, researchers have warned.

    The real purpose of the file is Trojan malware designed to “search and steal” Bitcoin wallet files from the victim.

  22. Tomi Engdahl says:

    On your permanent record
    Anonymity, pseudonymity, ephemerality & bears omfg!
    https://medium.com/p/f5ab81f9f654

    Anonymity seems to be all the rage in Silicon Valley and startups lately.

    Recently Whisper raised
    Secret announced
    Then there is YikYak, Shrtwv, Banter, Blink

    Techcrunch summarized the Twitter conversation and some of the recent problems that have emerged with the anonymity apps that are causing discussion amongst venture investors.

    FALSE EXPECTATION OF ANONYMITY: The security model for both these applications is horrendous and irresponsible. They give the user an illusion of privacy, encourage users to say things without the burden of identity (both in good or bad cases) — but then provide no real anonymity or privacy is deceptive.

    What happens when rumors of acquisitions are true and blow up a pending deal and destroy a company. What happens when the civil lawsuits and demands to disclose user information, IP address start to occur. What happens when a libel case, or a harassment case leads to a suicide and the lawsuits fly or criminal prosecution begins to reveal or force the retention of IP information of that user the next time they login.

    Think it won’t happen? Look at your history.

    Neither of these companies have done the bare minimum to develop a security model that backs up their claims of anonymity and they both should be ashamed.

  23. Tomi Engdahl says:

    The Future of Internet Freedom
    By ERIC E. SCHMIDT and JARED COHEN, MARCH 11, 2014
    http://www.nytimes.com/2014/03/12/opinion/the-future-of-internet-freedom.html?pagewanted=all&_r=0

    OVER the next decade, approximately five billion people will become connected to the Internet. The biggest increases will be in societies that, according to the human rights group Freedom House, are severely censored: places where clicking on an objectionable article can get your entire extended family thrown in prison, or worse.

    The details aren’t pretty. In Russia, the government has blocked tens of thousands of dissident sites

    In Vietnam, a new law called Decree 72 makes it illegal to digitally distribute content that opposes the government

    The mechanisms of repression are diverse. One is “deep packet inspection” hardware, which allows authorities to track every unencrypted email sent, website visited and blog post published. When objectionable activities are detected, access to specific sites or services is blocked or redirected. And if all else fails, the entire Internet can be slowed for target users or communities.

    In other cases, like in Ukraine, sites are taken offline with distributed-denial-of-service attacks

    Entire categories of content can be blocked or degraded en masse;

    How common is each tactic? Reliable data can be scarce. Measuring patterns of censorship brings its own risks
    the technologies of repression are a multibillion-dollar industry

    Of course, detection is just the first step in a counterattack against censorship. The next step is providing tools to undermine sensors, filters and throttles.

    Given the energies and opportunities out there, it’s possible to end repressive Internet censorship within a decade. If we want the next generation of users to be free, we don’t see any other option.

  24. Tomi Engdahl says:

    Microsoft is trying to get American Windows XP operating system users to buy a new Windows 8.1 computer.

    The end of official support for XP appreciably undermines its security, because Microsoft will no longer fix security holes revealed in it. The operating system can still be used, but then it is advisable to leave the platform’s security to third-party anti-virus software.

    Source: Tietokone
    http://www.tietokone.fi/artikkeli/uutiset/hylkaa_windows_xp_saat_lahjan

  25. Tomi Engdahl says:

    NSA-fuss goes to F-Secure’s bin, “the stars were right”

    According to Järvinen, demand for European services has increased due to Edward Snowden’s NSA leaks.

    “We say NO to the prying eyes of Governments,” Younited’s presentation affirms. F-Secure is a security company best known for anti-virus software, but its recent product launches focus on data protection for mobile devices.

    “Our system does not have back doors, storage space is in Finland and we work under the Finnish legislation.”

    Source: Tietoviikko
    http://www.tietoviikko.fi/kaikki_uutiset/nsakohu+sataa+fsecuren+laariin+quottahdet+olivat+kohdillaanquot/a970812

  26. Tomi Engdahl says:

    Tech CEOs Warn of Threats to Cloud, Big Data Economy
    http://www.cio.com/article/749714/Tech_CEOs_Warn_of_Threats_to_Cloud_Big_Data_Economy

    Leaders of some of the nation’s top tech firms say protectionist cloud policies and Internet restrictions could undermine the potential of the data revolution. To that end, they call on policymakers to advocate the free flow of information across national borders — and to pay special attention to nations restricting Internet freedom.

    Top executives at firms such as Dell, IBM and Xerox gathered in the nation’s capital this week under the auspices of the Technology CEO Council, bringing with them a message that the data economy is imperiled by concerns about security and privacy and protectionist policies that could limit the growth of cloud computing and balkanize the Internet.

    “The biggest barriers I think that we see are not around the engineering. It’s around regulation. It’s around protectionism. It’s around trust, or lack thereof. It’s around policies and procedures,” says Xerox Chairman and CEO Ursula Burns, who also chairs the CEO council.

    “Countries that take a protectionist view and say, ‘I’m going to protect my data and make sure that it’s secure for my own economic purposes or political purposes,’ or for whatever reason, really run the significant risk of cutting themselves off from this bounty that comes with the data economy,”

  27. Tomi Engdahl says:

    Bitcoin farming – on an industrial scale
    http://www.raspberrypi.org/archives/6437

    Here’s a segment from KOMO 4, a Seattle news station. Last week’s news about the collapse of Mt Gox, one of the largest Bitcoin exchanges, has meant that there’s been lots of media interest in Bitcoin, and this video talks about what it is…and, in doing so, visits one of the US’s biggest Bitcoin farms

  28. Tomi Engdahl says:

    Jam Intercept and Replay Attack against Rolling Code Key Fob Entry Systems using RTL-SDR
    http://spencerwhyte.blogspot.ca/2014/03/delay-attack-jam-intercept-and-replay.html

    If you jam in this manner, when the victim presses the unlock button on their key fob, nothing will happen because the receiver is being jammed by an adversary. The adversary can then use a SDR such as the RTL-SDR, to record the whole transaction.

    The signal obtained is the Nth rolling code, it is still valid because the receiver has not yet received the Nth rolling code. Therefore the adversary can replay the signal at a later time and unlock the car.

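
The receiver-side logic behind the rolling-code explanation quoted in comment 28, as an added Python model (not code from the linked post or from any real key fob): it shows why a code the receiver never saw stays valid, when it stops being valid, and how a challenge-response receiver rejects it. HMAC-SHA256 as the code generator, the key, the 16-code window, a two-way radio link for the challenge variant, and all class and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os

KEY = b"constructed-demo-key"  # constructed sample secret shared by fob and receiver
WINDOW = 16                    # assumed look-ahead for presses made out of range


def code_for(key: bytes, counter: int) -> bytes:
    """Rolling code for one counter value (HMAC-SHA256 stands in for the fob cipher)."""
    return hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:8]


def respond(key: bytes, nonce: bytes) -> bytes:
    """Fob side of the challenge-response variant: the answer is bound to the nonce."""
    return hmac.new(key, nonce, hashlib.sha256).digest()[:8]


class Fob:
    def __init__(self, key: bytes):
        self.key, self.counter = key, 0

    def press(self) -> bytes:
        self.counter += 1
        return code_for(self.key, self.counter)


class RollingReceiver:
    """One-way scheme: accepts any code whose counter is in (last, last + WINDOW]."""

    def __init__(self, key: bytes):
        self.key, self.last = key, 0

    def receive(self, code: bytes) -> bool:
        for counter in range(self.last + 1, self.last + WINDOW + 1):
            if hmac.compare_digest(code, code_for(self.key, counter)):
                self.last = counter  # this code and all earlier ones are now spent
                return True
        return False


class ChallengeReceiver:
    """Two-way scheme: a response is only valid for the nonce currently outstanding."""

    def __init__(self, key: bytes):
        self.key, self.nonce = key, None

    def challenge(self) -> bytes:
        self.nonce = os.urandom(16)
        return self.nonce

    def receive(self, response: bytes) -> bool:
        nonce, self.nonce = self.nonce, None  # each nonce is single use
        return nonce is not None and hmac.compare_digest(response, respond(self.key, nonce))


def simulate() -> dict:
    out = {}

    # Case 1: normal use. A code the receiver has already seen is dead.
    fob, rx = Fob(KEY), RollingReceiver(KEY)
    first = fob.press()
    out["normal_press"] = rx.receive(first)
    out["replay_of_seen_code"] = rx.receive(first)

    # Case 2: code N is transmitted but never reaches the receiver and is recorded.
    # The receiver's counter did not move, so N is still accepted later.
    recorded = fob.press()
    out["unseen_code_later"] = rx.receive(recorded)

    # Case 3: same loss, but a later press (N+1) reaches the receiver first.
    fob, rx = Fob(KEY), RollingReceiver(KEY)
    rx.receive(fob.press())
    recorded = fob.press()  # lost in transit, recorded
    out["next_press"] = rx.receive(fob.press())
    out["unseen_code_after_newer"] = rx.receive(recorded)

    # Case 4: challenge-response. A recorded answer to an old nonce is useless
    # once the receiver has issued a new one.
    crx = ChallengeReceiver(KEY)
    recorded = respond(KEY, crx.challenge())  # lost in transit, recorded
    crx.challenge()
    out["old_response_new_nonce"] = crx.receive(recorded)
    out["fresh_response"] = crx.receive(respond(KEY, crx.challenge()))
    return out


if __name__ == "__main__":
    for name, accepted in simulate().items():
        print(f"{name:28s} {'ACCEPTED' if accepted else 'rejected'}")
```

Case 3 is the detail the quoted sentence leaves implicit: the recorded code only keeps its value until the receiver accepts any newer code from the same fob.
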
  29. Tomi Engdahl says:

    They ACCUSED him of inventing Bitcoin. Now, Nakamoto hires lawyer to CLEAR his name
    I can’t get a job because of Newsweek ‘outing’, wails man
    http://www.theregister.co.uk/2014/03/17/alleged_bitcoin_inventor_satoshi_nakamoto_hires_lawyer_clear_name/

    “Newsweek’s false report has been the source of a great deal of confusion and stress for myself, my 93-year-old mother, my siblings and their families.”

  30. Tomi Engdahl says:

    Malaysia Airlines mystery: Click here for the TRUTH
    …but FIRST, fill out this survey scam innocuous form
    http://www.theregister.co.uk/2014/03/17/mh370_survey_scams/

    Scams circulating on Facebook and Twitter purport to offer video reports of the plane being found

    Facebook has been busily purging the social network of links to the scam but they are still reappearing

    “Anything asking you to share content or like something before watching a “shocking video” or asking you to complete surveys is likely going to end up being a scam,”

  31. Tomi Engdahl says:

    iOS 7 has weak random number generator
    ‘Trivial’ to break, says researcher
    http://www.theregister.co.uk/2014/03/16/ios_7_has_weak_random_number_generator/

    Mandt says the early_random() PRNG (pseudo-random number generator), shipped in the latest iOS 7 update, is “alarmingly weak”. According to ThreatPost, he told the conference the PRNG is “deterministic and trivial to brute force”.

  32. Tomi Engdahl says:

    Missing Malaysian Airlines flight MH370 could be the first ‘cyber hijack’
    A former member of the Home Office claims hackers could have used a mobile phone
    http://www.theinquirer.net/inquirer/news/2334509/missing-malaysian-airlines-flight-mh370-could-be-the-first-cyber-hijack

    THE MISSING Malaysian Airlines flight MH370 could be a victim of the world’s first cyber-hijacking, a former member of the Home Office has claimed.

    “There appears to be an element of planning from someone with a very sophisticated systems engineering understanding.”

    “It is looking more and more likely that the control of some systems was taken over in a deceptive manner, either manually, so someone sitting in a seat overriding the autopilot, or via a remote device turning off or overwhelming the systems.

    “A mobile phone could have been used to do so or a USB stick.”

    “It is possible for hackers, be they part of organised crime or with government backgrounds, to get into the main computer network of the plane through the inflight, onboard entertainment system,”

    Reply
  33. Tomi Engdahl says:

    Dorian Satoshi Nakamoto Releases Official Statement “Unconditionally” Denying Newsweek’s Bitcoin Story
    http://www.buzzfeed.com/charliewarzel/satoshi-nakamoto-posts-official-statement-unconditionally-de

    “I have no knowledge of nor have I ever worked on cryptography, peer to peer systems, or alternative currencies.”

    Reply
  34. Tomi Engdahl says:

    Soon-to-be Facebook intern wins UK Cyber Security Challenge
    http://www.theregister.co.uk/2014/03/17/cyber_security_challenge_final_winner_cambridge_student/

    Cyber Security Challenge UK runs a series of national competitions ultimately aimed at attracting talented people into the profession, as well as providing information about cyber security careers and learning opportunities. The scheme has been supported by government departments, IT firms, universities and trade groups since it began in 2010. However not all the corporates who have been involved with the scheme are impressed with the results.

    Reply
  35. Tomi Engdahl says:

    UK gov wants ‘unsavoury’ web content censored
    http://www.wired.co.uk/news/archive/2014-03/15/government-web-censorship

    The Home Office explained to Wired.co.uk that the Metropolitan Police’s Counter Terrorism Internet Referral Unit (CTIRU), responsible for removing illegal terrorist propaganda, does not have “super flagger” status, but has simply attained the platform’s Trusted Flagger accreditation — a status for users who regularly correctly flag questionable content.

    “Terrorist propaganda online has a direct impact on the radicalisation of individuals and we work closely with the internet industry to remove terrorist material hosted in the UK or overseas,” Brokenshire told Wired.co.uk in a statement.

    “Google has already modified its algorithms to accommodate government and rights-holder requests,”

    the government has no interest in preventing access to legitimate and legal material

    Reply
  36. Tomi Engdahl says:

    Simple Ways to Add Security to Web Development
    http://www.linuxjournal.com/content/simple-ways-add-security-web-development

    Although trying to improve code’s security obviously is a nice thing to do, the time when it commonly is done is often in the final code development phase, and as with the basic nature of software development, changing the code almost always leads the software away from maturity.

    Why can’t developers make the code secure in the first place?

    One simple way is to change developers’ coding styles and make them write code that is inherently secure.

    Simple logic is that instead of passing the input taken from the front end directly, it should be checked thoroughly and only then sent to the database as a part of the query.

    PHP provides an automatic input escape mechanism called magic_quotes_gpc that you can use before sending the input to the back end. But, it would be better to use the escaping mechanism provided by your database
    MySQL provides the mysql_real_escape_string() method to escape the input.

    Session management implementation: you always should use the built-in session management feature that comes out of the box with your Web development framework. Not only does this save critical development time and cost, it generally is safer as well, because many people are using and testing it.

    Cookie management: whenever you plan to use cookies, be aware that you are sending out data about the user/session, which potentially can be intercepted and misused.

    Session expiry management: a timeout should be enforced over and above the idle time out

    the redirects can take a dangerous turn if not done properly
    Validate the input before the redirect

    Cross-Site Scripting
    To counter such attacks/injections in your Web site, OWASP suggests treating the Web pages as templates with certain slots for the untrusted data
    Untrusted data in HTML tags and attributes: when you need to insert untrusted data in HTML tags like div, p, b, td and so on, make sure it is escaped before being used.

    Reply
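The checks summarised in this comment (input kept out of the SQL text, a validated redirect target, escaped HTML slots), as an added Python example that is not code from the linked article. It binds query parameters instead of using the escaping functions named above, with sqlite3 standing in for the database; the allowlisted host and all function names are assumptions.

```python
import html
import sqlite3
from urllib.parse import urlsplit

ALLOWED_REDIRECT_HOSTS = {"www.example.com"}  # hypothetical allowlist for this site


def find_user(conn, username):
    """Look up a user with a bound parameter, so input never becomes SQL text."""
    cur = conn.execute("SELECT id, name FROM users WHERE name = ?", (username,))
    return cur.fetchall()


def safe_redirect_target(target, default="/"):
    """Return target only if it is a local path or an allowlisted https host."""
    if any(c in target for c in "\r\n\\"):
        return default
    parts = urlsplit(target)
    if not parts.scheme and not parts.netloc:
        # Relative form: accept only a single-slash local path.
        ok = target.startswith("/") and not target.startswith("//")
        return target if ok else default
    if parts.scheme == "https" and parts.hostname in ALLOWED_REDIRECT_HOSTS:
        return target
    return default


def render_comment(author, body):
    """Fill two template slots, escaping for attribute value and element content."""
    return '<div class="comment" title="{}"><p>{}</p></div>'.format(
        html.escape(author, quote=True), html.escape(body, quote=True))


def demo():
    """Run the three checks on constructed inputs and return the results."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    return {
        "normal": find_user(conn, "alice"),
        "quoted_input": find_user(conn, "alice' OR '1'='1"),
        "redirects": [safe_redirect_target(t) for t in (
            "/account", "//evil.example/x", "https://evil.example/",
            "https://www.example.com/home")],
        "html": render_comment('x" onmouseover="y', "<script>alert(1)</script>"),
    }
```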
  37. Tomi Engdahl says:

    Bitcoin bust litigants fling sueballs at Japanese bank
    Mizuho Bank added to Mt Gox as defendant
    http://www.theregister.co.uk/2014/03/17/bitcoin_bust_litigants_fling_sueballs_at_japanese_bank/

    A major Japanese bank has now been swept up in the collapse of Bitcoin trader Mt Gox, with Mizuho Bank named as a defendant in one of the many lawsuits cropping up over the collapse.

    The bank has been added to a lawsuit against Mt Gox, since by providing services to the former Magic-the-Gathering card trading operation, the complainants say, it “aided in a fraud”.

    Reply
  38. Tomi Engdahl says:

    Mt. Gox gets its login page back, but only lets users check their Bitcoin balance
    http://www.engadget.com/2014/03/17/mt-gox-login-page-returns/

    gives users a way to verify their online wallets without putting their accounts at risk

    Reply
  39. Tomi Engdahl says:

    Is Analog The Answer To Cyber Terrorism?
    Posted by: Paul Roberts March 17, 2014 09:40
    https://securityledger.com/2014/03/is-analog-the-answer-to-our-digital-insecurity-dilemma/

    Ralph Langner is one of the foremost experts on the security of critical infrastructure that we have. So, generally, when Ralph says something – whether it’s about Stuxnet, or cyberwar or the security of nuclear power plants – folks listen.

    And these days, Ralph is wondering, out loud, whether our reliance on digital systems to manage critical infrastructure has gone too far. The answer, he suggests, may be to go “back to the future,” as it were: reintroducing analog systems into the control process chain as a backstop for cyber attacks.

    Writing on Saturday, he said that the critical infrastructure sector is in a headlong rush to replace aging, analog control system infrastructure with modern, digital systems. Software based control infrastructure, he notes, offers many advantages – flexibility, the possibility of remote operation and management and access to a much larger pool of talent and expertise. Engineers who understand and can manage analog systems are, after all, a dying breed – literally.

    But Langner cautions against the wholesale embrace of digital systems by stating the obvious: that “every digital system has a vulnerability,” and that it’s nearly impossible to rule out the possibility that potentially harmful vulnerabilities won’t be discovered during the design and testing phase of a digital ICS product.

    “It would seem to follow that if …the hacking of digital safety systems at nuclear power plants was unacceptable, then analog control of safety systems ought to be a viable option on the table,” he writes.

    Reply
  40. Tomi Engdahl says:

    Shuttleworth: Firmware is the universal Trojan
    Kill proprietary firmware
    http://www.theregister.co.uk/2014/03/18/shuttleworth_firmware_is_the_universal_trojan/

    Canonical boss Mark Shuttleworth has called on the world to abandon proprietary firmware code, calling all such code “a threat vector”.

    “Any firmware code running on your phone, tablet, PC, TV, wifi router, washing machine, server, or the server running the cloud your SaaS app is running on” is a threat, he writes, calling on the industry to abandon secret firmware entirely.

    Certainly, there’s plenty of evidence out there to support Shuttleworth’s concerns.

    Reply
  41. Tomi Engdahl says:

    NSA surveillance program reaches ‘into the past’ to retrieve, replay phone calls
    http://www.washingtonpost.com/world/national-security/nsa-surveillance-program-reaches-into-the-past-to-retrieve-replay-phone-calls/2014/03/18/226d2646-ade9-11e3-a49e-76adc9210f19_story.html

    The National Security Agency has built a surveillance system capable of recording “100 percent” of a foreign country’s telephone calls, enabling the agency to rewind and review conversations as long as a month after they take place, according to people with direct knowledge of the effort and documents supplied by former contractor Edward Snowden.

    The voice interception program, called MYSTIC, began in 2009. Its RETRO tool, short for “retrospective retrieval,” and related projects reached full capacity against the first target nation in 2011. Planning documents two years later anticipated similar operations elsewhere.

    In the initial deployment, collection systems are recording “every single” conversation nationwide, storing billions of them in a 30-day rolling buffer that clears the oldest calls as new ones arrive, according to a classified summary.

    Reply
  42. Tomi Engdahl says:

    10,000 Linux servers hit by malware serving tsunami of spam and exploits
    Two-year-old Windigo may also have infected kernel.org Linux developers.
    http://arstechnica.com/security/2014/03/10000-linux-servers-hit-by-malware-serving-tsunami-of-spam-and-exploits/

    Researchers have documented an ongoing criminal operation infecting more than 10,000 Unix and Linux servers with malware that sends spam and redirects end users to malicious Web pages.

    Windigo, as the attack campaign has been dubbed, has been active since 2011 and has compromised systems belonging to the Linux Foundation’s kernel.org and the developers of the cPanel Web hosting control panel

    The Windigo campaign doesn’t rely on technical vulnerabilities to take hold of servers, Eset said. Instead, it uses stolen credentials.

    That finding led the researchers to conclude password authentication to access servers is inadequate. Instead, people should rely on two-factor authentication.

    People who want to know if the servers they operate are affected in the Windigo campaign can run the following command:

    $ ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo "System clean" || echo "System infected"

    Eset strongly recommends that operating systems of infected machines be completely reinstalled.

    Reply
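How the result of that one-liner can be interpreted, as an added Python example (not ESET's or the article's code). The check treats a binary that rejects `-G` as clean; OpenSSH 6.8 and later accept `-G` as a genuine option, so this example reports those versions as inconclusive. The sample outputs and function names are constructed for illustration.

```python
import re

# Substrings the published one-liner greps for in the output of `ssh -G`.
REJECTION_MARKERS = ("illegal", "unknown")
# OpenSSH 6.8 introduced a legitimate -G option (print the resolved config).
FIRST_VERSION_WITH_G = (6, 8)


def parse_openssh_version(ssh_v_output):
    """Extract (major, minor) from `ssh -V` output, or None if not recognised."""
    m = re.search(r"OpenSSH_(\d+)\.(\d+)", ssh_v_output)
    return (int(m.group(1)), int(m.group(2))) if m else None


def classify(ssh_g_output, ssh_v_output):
    """Interpret the check as 'clean', 'suspect' or 'inconclusive'."""
    if any(marker in ssh_g_output for marker in REJECTION_MARKERS):
        return "clean"         # the binary rejected -G, as the check expects
    version = parse_openssh_version(ssh_v_output)
    if version is None or version >= FIRST_VERSION_WITH_G:
        return "inconclusive"  # -G may be genuine; verify the package files instead
    return "suspect"           # a pre-6.8 binary accepted -G


# Constructed captures: (output of `ssh -G 2>&1`, output of `ssh -V 2>&1`).
SAMPLES = {
    "old_rejects": ("ssh: illegal option -- G\nusage: ssh [-1246AaCfgKkMNnqsTtVvXxYy]",
                    "OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013"),
    "old_accepts": ("usage: ssh [-1246AaCfgKkMNnqsTtVvXxYy]",
                    "OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013"),
    "modern": ("usage: ssh [-46AaCfGgKkMNnqsTtVvXxYy]",
               "OpenSSH_8.9p1 Ubuntu-3, OpenSSL 3.0.2 15 Mar 2022"),
}


def classify_samples():
    """Classify every constructed sample and return {name: verdict}."""
    return {name: classify(g, v) for name, (g, v) in SAMPLES.items()}
```

The version string comes from the binary under test, so a "clean" or "inconclusive" verdict is a prompt for package verification, not proof of integrity.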
  43. Tomi Engdahl says:

    Phishing page hosted on Google: A true dog-bites-man scam
    New trick gives tired old dog new legs.
    http://arstechnica.com/security/2014/03/phishing-page-hosted-on-google-a-true-dog-bites-man-scam/

    With literally millions of phishing scams crossing the wires each day, media reports about individual ones are the quintessential dog-bites-man stories that are rarely worth the time of writer or reader alike. Every now and then, though, one comes along that’s clever enough to make it rise to the top of the massive steaming pile of messages.

    The fake page is actually hosted on Google’s servers and is served over SSL, making the page even more convincing. The scammers have simply created a folder inside a Google Drive account, marked it as public, uploaded a file there, and then used Google Drive’s preview feature to get a publicly accessible URL to include in their messages.

    Google accounts are a valuable target for phishers, as they can be used to access many services including Gmail and Google Play, which can be used to purchase Android applications and content.

    Reply
  44. Tomi Engdahl says:

    Surveys say enterprises are giving the ‘Internet of Things’ a cold shoulder, though, citing security, cost and integration concerns.
    “more than 50 percent of companies have no interest”

    Source: http://www.cio.com/article/747634/What_the_Internet_of_Things_Will_Mean_for_CIOs

    Reply
  45. Tomi Engdahl says:

    Hacker crashes Google Play — twice
    http://money.cnn.com/2014/03/17/technology/security/google-play/

    New Android apps and updates were blocked from appearing in Google’s Play Store on Monday, after a hacker attacked Google’s app publishing system.

    Ibrahim Balic, a Turkish hacker, claimed responsibility for the attack. He said the developer console crashed when he tried to test a vulnerability he discovered.

    “I didn’t have any malicious aim,” he told CNNMoney. “I am so sorry for this damage.”

    Reply
