2014 will be a year of cybersecurity fallout from the NSA revelations of 2013. The headline news is that the NSA has surreptitiously “burrowed its way into nearly all the security architecture” sold by the world’s largest computer networking companies. Many people were shocked at how the NSA monitored and hacked almost everything on the Internet. There will be further NSA aftershocks as new material comes out and different parties react to it (and news sources write about it). U.S. cloud services have been called into question for good reason. There will be a lot of NSA spying litigation, and those spying issues will also fuel some hacktivism (it has already started to happen).
The Security Professionals: Top Cyber Threat Predictions for 2014 article lists the following predictions, which seem fairly probable: Cybersecurity Regulatory Efforts Will Spark Greater Need for Harmonization, Service-Impacting Interruptions for Online Services Will Persist, We Will See an Increase in Cybercrime Activity Related to the World Cup, Rise of Regional Cloud Services, Dev-Ops Security Integration Fast Becoming Critical, Cybercrime that Leverages Unsupported Software will Increase, Increase in Social Engineering and Ransomware will Impact More People.
Ubiquitous mobile computing is all around us, which will lead to increased risks and concerns about social network privacy. Social networks have quickly become the key organizing principle of Internet communication and collaboration. Note that Android anti-virus apps CAN’T kill nasties on sight like normal AV: they run inside the same application sandbox as the malware and can only detect it and ask the user to uninstall it.
2013 was a heavily hacked year, with many cases in which information on millions or tens of millions of users was stolen from companies. It is likely that we will see much more of the same in 2014: the way people use passwords and the way on-line services are built have not changed much in one year.

Gartner predicts that through 2014, improved JavaScript performance will begin to push HTML5 and the browser as a mainstream enterprise application development environment. I expect HTML5-related security issues to increase as the technology is used more in 2014.
Over 50% of net traffic to web sites is made by bots! The More Than Half of Internet Traffic Is Just Bots article says that security and cloud service provider Incapsula analyzed its traffic and found that more than 60 percent of internet traffic is computer generated, compared to less than 40 percent driven by human clicks, and that 31% of bots are still malicious. SEO link building has always been a major motivation for automated link spamming, but it is decreasing because Google has been able to discourage it. In its place there is more advanced hacking and automated vulnerability scanning.
DDoS attacks are evolving from volumetric Layer 3-4 attacks to much more sophisticated and dangerous Layer 7 multi-vector threats, which consist of valid-looking application requests and therefore are not caught by bandwidth-based filtering alone.
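The two points above (bot traffic that announces itself through its User-Agent, and Layer 7 floods that deliberately look like browser traffic) can be seen side by side in a web server access log. The following is an added example, not code from the article or from Incapsula: it parses combined-format log lines, splits them into self-declared bots and apparent humans by User-Agent, and separately flags any source IP whose request rate inside a sliding window exceeds a threshold. The log lines, IP addresses, window size and threshold are all constructed for the demo.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" access log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Self-declared crawlers and scripting clients. A Layer 7 flood usually does NOT match
# this pattern, which is exactly why the per-IP rate check below is needed as well.
BOT_UA_RE = re.compile(r'bot|crawl|spider|slurp|python-requests|curl|wget|scan', re.I)
BROWSER_UA = ('Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 '
              '(KHTML, like Gecko) Chrome/33.0 Safari/537.36')


def parse_line(line):
    """One combined-format line -> dict, or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['ts'] = datetime.strptime(rec['ts'], '%d/%b/%Y:%H:%M:%S %z')
    rec['status'] = int(rec['status'])
    return rec


def classify(rec):
    """'bot' when the client identifies itself as automated or sends no UA, else 'human'."""
    ua = rec['ua']
    return 'bot' if ua in ('', '-') or BOT_UA_RE.search(ua) else 'human'


def layer7_flood_sources(records, window_seconds=10, threshold=20):
    """Sliding-window request count per source IP; returns {ip: peak_count} over threshold."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r['ip']].append(r['ts'])
    flagged = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


def analyze(lines, window_seconds=10, threshold=20):
    """Bot/human split by UA plus rate-based flood sources, for a list of log lines."""
    records = [r for r in map(parse_line, lines) if r]
    split = Counter(classify(r) for r in records)
    return {'bot': split['bot'], 'human': split['human'],
            'flood_sources': layer7_flood_sources(records, window_seconds, threshold)}


def build_sample_log():
    """Constructed sample lines, not real traffic: three human requests, two crawlers,
    and forty search requests from one client inside eight seconds using a browser UA."""
    base = datetime(2014, 3, 20, 10, 0, 0)
    fmt = lambda t: t.strftime('%d/%b/%Y:%H:%M:%S +0000')
    lines = [
        f'203.0.113.7 - - [{fmt(base)}] "GET /index.html HTTP/1.1" 200 5120 "-" "{BROWSER_UA}"',
        f'203.0.113.8 - - [{fmt(base + timedelta(seconds=3))}] "GET /about HTTP/1.1" 200 2048 "http://example.test/" "{BROWSER_UA}"',
        f'203.0.113.7 - - [{fmt(base + timedelta(seconds=9))}] "POST /login HTTP/1.1" 302 0 "http://example.test/login" "{BROWSER_UA}"',
        f'198.51.100.3 - - [{fmt(base + timedelta(seconds=5))}] "GET /robots.txt HTTP/1.1" 200 120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
        f'198.51.100.9 - - [{fmt(base + timedelta(seconds=6))}] "GET /wp-login.php HTTP/1.1" 404 300 "-" "python-requests/2.2.1"',
    ]
    for i in range(40):
        t = base + timedelta(minutes=5, seconds=i // 5)
        lines.append(f'192.0.2.9 - - [{fmt(t)}] "GET /search?q=term{i} HTTP/1.1" 200 9000 "-" "{BROWSER_UA}"')
    return lines


if __name__ == '__main__':
    print(analyze(build_sample_log()))
```

The flooding client is counted as “human” by the User-Agent check and only shows up in the rate check, which is the practical lesson: UA-based bot statistics and Layer 7 flood detection answer different questions, and the threshold has to be tuned per endpoint (a search page at 20 requests per 10 seconds from one address is suspicious; a static asset may not be).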
There will still be many SCADA security issues in 2014. Even though traditional SCADA vulnerabilities have become easier to find, the increased connectivity brought by IoT will cause new issues. And there will still be very many control systems openly accessible from the Internet to practically anyone who knows how to look for them. A large number of SCADA systems were found open on the Internet at the beginning of 2013, and the numbers have not dropped considerably during the year. I expect that very many of those systems will still be too open at the end of 2014.
The Internet is expanding into enterprise assets and consumer items such as cars and televisions. The Internet of Things (IoT) will evolve into the Web of Things, increasing the coordination between things in the real world and their counterparts on the Web. There will be many security issues to solve, and as these systems become more widely used more security issues will be found in them.
Cloud security will be talked about. Hopefully there will be some clearing-up of the terminology in that area, because like the term cloud computing, cloud security can mean a lot of things: how secure your cloud provider is; a service running in the cloud that filters what passes through it (for example e-mail or web traffic); a product protecting some service that runs in the cloud; or a traditional anti-virus product that connects to the cloud to improve its operation (for example to update in real time, or to verify unknown programs against data in the cloud). Research firm Gartner forecasts that cloud security sales will increase dramatically in the next few years, from $2.1 billion to $3.1 billion in 2015.
Marketers put the term “cloud” into security product brochures as much as they can. The cloud has made traditional information security sound old-fashioned, because companies are under pressure to move services to the cloud, and mobile devices and dispersed users set new requirements for information security. OpenDNS’s CTO Dan Hubbard says that “Because the data and equipment run in the cloud, the cloud is the best way to protect the users.” The Snowden effect will also bring PRIVATE cloud talk to the table this year for security reasons, because U.S. cloud services have been called into question for good reason.
In Finland a new Cyber Security Center started in the beginning of 2014. Security articles and warnings from it will be published at kyberturvallisuuskeskus.fi.
Late addition: Crypto-currencies like Bitcoin and similar are on the rise, and early adopters already use them actively. These crypto-currencies have many security issues related to them. Their values vary a great deal, and the value can easily drop considerably once they are used so much that governments try to limit their use. Bitcoin is increasingly used as a ransomware payment method. Bitcoins have been stolen quite a lot lately (and I expect that to increase as usage increases): from users, from on-line wallets and from exchanges. When more money is involved, more bad guys try to get their share of it. Sometimes the bad guys do not try to steal your money but use resources you pay for (your own PC, your server capacity, etc.) to generate money for them without your knowledge. If you plan to use crypto-currencies, be careful to understand what you are doing with them; there is a real possibility that you lose your money, and there is no way that lost money can be recovered.

3,382 Comments
Tomi Engdahl says:
100 million in fines scares – “should be taken into account”
American privacy experts urge companies to take into account the Data Protection Regulation that the European Parliament has just approved, although its final form is still expected to take some time, as the Council of Europe, namely the governments, must give the final stamp.
Last week the European Parliament adopted the EU data protection reform, that is, a new Data Protection Regulation.
Source: Tietoviikko
http://www.tietoviikko.fi/kaikki_uutiset/100+miljoonan+euron+sakot+pelottavat++quotsyyta+ottaa+huomioonquot/a975259
Tomi Engdahl says:
Google Under Fire for Data-Mining Student Email Messages
http://www.edweek.org/ew/articles/2014/03/13/26google.h33.html?cmp=ENL-EU-NEWS2
As part of a potentially explosive lawsuit making its way through federal court, giant online-services provider Google has acknowledged scanning the contents of millions of email messages sent and received by student users of the company’s Apps for Education tool suite for schools.
Regardless of whether the alleged data-mining practices of Google Apps for Education are found to constitute illegal wiretapping, such practices would constitute a direct violation of that principle, advocates say.
Tomi Engdahl says:
Security Industry Incapable of Finding Firmware Attackers
http://it.slashdot.org/story/14/03/19/1619222/security-industry-incapable-of-finding-firmware-attackers
“there is still a wide gap between the attackers’ ability to infect firmware, and the industry’s ability to detect their presence. The researchers from MITRE and Intel showed attacks on UEFI SecureBoot, the BIOS itself, and BIOS forensics software.”
Tomi Engdahl says:
ACPI, firmware and your security
http://www.markshuttleworth.com/archives/1332
ACPI comes from an era when the operating system was proprietary and couldn’t be changed by the hardware manufacturer.
We don’t live in that era any more.
If you read the catalogue of spy tools and digital weaponry provided to us by Edward Snowden, you’ll see that firmware on your device is the NSA’s best friend. Your biggest mistake might be to assume that the NSA is the only institution abusing this position of trust – in fact, it’s reasonable to assume that all firmware is a cesspool of insecurity courtesy of incompetence of the worst degree from manufacturers, and competence of the highest degree from a very wide range of such agencies.
Tomi Engdahl says:
Security mailing list Full-Disclosure to stop: “Hackers no longer have honor” and “the community no longer exists”
The popular security-themed Full-Disclosure mailing list is shutting down. As the reason, the administrator gave a security researcher’s demands that large amounts of content be removed from the list archives.
John Cartwright, co-founder of the list that has operated for 12 years, published the decision online. He did not name the person who demanded the removal of content.
At the same time, he said that the list administrators had over the years seen a lot of harassment and legal threats.
“Hackers no longer have mutual respect. A real community no longer exists. There is quite a bit of skill. The whole security sector is more and more regulated. All of this is a sign of the future and reflects the sad current state of the industry, which should never have become a business,” says the mailing list’s announcement.
Source: Tietoviikko
http://www.tietoviikko.fi/kaikki_uutiset/tietoturvapostilista+lopettaa+quothakkereilla+ei+ole+enaa+kunniaaquot+ja+quotyhteisoa+ei+enaa+olequot/a975829
Tomi Engdahl says:
Full Disclosure Mailing List archive
http://seclists.org/fulldisclosure/
Tomi Engdahl says:
Judge Rejects Class-Action Bid in Gmail-Scanning Case
http://www.pcmag.com/article2/0,2817,2455169,00.asp
Google scored a victory this week in a long-running Gmail lawsuit when a California judge denied a request to turn it into a class-action suit.
At issue is a feature within Gmail that anonymously scans the contents of peoples’ emails to serve up targeted ads on the right-hand side of the inbox. The lawsuit claims the practice violates federal and state wiretap laws, but Google has long held that scanning is done via an algorithm; no humans at Google are reading peoples’ emails.
Judge Koh found that the scanning of emails is not considered an “instrumental part of the transmission of email.”
Tomi Engdahl says:
Major Companies Not Making Full Use of Big Data to Spot Fraud
http://www.cio.com/article/749959/Major_Companies_Not_Making_Full_Use_of_Big_Data_to_Spot_Fraud?taxonomyId=600010
Most companies are spurning the chance to improve their anti-fraud and anti-bribery efforts by not taking full advantage of big data analysis, according to research from business consulting firm EY.
EY found that 63 percent of senior executives surveyed at leading companies around the world agreed that they need to do more to improve their anti-fraud and anti-bribery procedures, including the use of forensic data analytics (FDA).
Tomi Engdahl says:
Why Does the NSA Want to Keep Its Water Usage a Secret?
http://www.wired.com/wiredenterprise/2014/03/nsa-water/
The National Security Agency has many secrets, but here’s a new one: the agency is refusing to say how much water it’s pumping into the brand new data center it operates in Bluffdale, Utah. According to the NSA, its water usage is a matter of national security.
The situation shows just how important the new data center will be to the agency’s operations, including its widely discussed efforts to eavesdrop on internet communication
Tomi Engdahl says:
US Intel Program Targets Email Addresses, Not Keywords
http://www.securityweek.com/us-intel-program-targets-email-addresses-not-keywords
The US government’s clandestine PRISM Internet program exposed by Edward Snowden targets suspect email addresses and phone numbers but does not search for keywords like terrorism, officials said Wednesday.
Tomi Engdahl says:
Providing secure remote access to industrial Ethernet networks
http://www.controleng.com/single-article/providing-secure-remote-access-to-industrial-ethernet-networks/ff06a84312e73cfa224e6a3ad5b4c83c.html
You have many good reasons for wanting to access your networks remotely, but such access is not without potential threats. How can you keep those networks secure?
Ethernet-enabled automation environments are just as secure as their fieldbus-based predecessors, and their IT counterparts. While firewalls and VPNs are important pieces of the puzzle, and crucial for providing secure access to remote users, it takes additional layers of security to ensure a true, defense-in-depth security model. Always keep in mind: security is a lifestyle, not just a checkbox.
Tomi Engdahl says:
EA games web server was hosting PHISHING SITE – securobod
Old vulnerable software gave hackers a way in, claims researcher
http://www.theregister.co.uk/2014/03/20/ea_games_server_hosts_phishing_site/
An Electronic Arts server was hacked and used to host a phishing site targeting Apple ID holders, according to internet security firm Netcraft.
The site has since been pulled down and EA has told various news sites that it is “investigating” the report.
“We regularly see attackers take advantage of neglected, abandoned, or unpatched applications running on company infrastructure. This is interesting in that it is a problem that we know how to solve but enterprises just aren’t taking the necessary precautions,”
Tomi Engdahl says:
A sysadmin always comes prepared: Grasp those essential tools
Ah, I see you have the machine that goes ping
http://www.theregister.co.uk/2014/03/20/sysadmin_security/
There are certain tools that all sysadmins need. Some, such as the venerable ping, are so fundamental that their lack would be considered an oddity.
Others, such as backups, should by rights be deployed absolutely everywhere, yet incomprehensibly are not. Debating which tools are best is the blood sport of our industry.
Obscurity really was security.
Broadband arrived. With it came new threat vectors along with a technology industry exploding in innovation. Some of the biggest names in the industry were caught unawares
The companies behind major culprits such as Java, Flash, PDF readers and consumer broadband routers haven’t cleaned up their act despite years of continued assault.
This is about more than just standing up a firewall and hoping nobody crawls through. It is about assuming that someone eventually will and deploying tools to detect this when it happens.
Intrusion detection and prevention systems (IDPS) exist in any number of forms to attempt to detect the untoward activity.
No matter how sophisticated and well implemented your perimeter defences, something will inevitably get through.
In addition, you will have to cope with privileged users abusing their privilege, Pointy Haired Boss syndrome and inadequate funding.
Extant threat detection has to include various types of hardware, software and network monitoring.
Event log monitoring is the easiest path forward.
ACL auditing needs to be considered.
Entropy assurance tools have one job: to generate high entropy to secure system and service access and manage all of it in a human-compatible fashion.
certificate and key management systems
There are three elements to all desired state management tools: detection of current state; remediation (if current state does not equal desired state); and freaking out if remediation fails.
Asset management applications have reached must-have status.
Proper disaster recovery planning is even rarer. Despite this, our businesses increasingly depend upon complex automated IT to function.
job of telling you whether the problem is yours, the service provider’s or that of one of the ISPs between you.
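The three elements of a desired state tool listed above (detect the current state, remediate when it differs from the desired state, and raise the alarm when remediation fails) are small enough to show in full. The following is an added example, not code from the article or from any product it mentions: it enforces file permission bits on a set of paths, re-checks after remediation, and raises when the desired state still does not hold. The key file, the missing path, the desired modes and the alert callback are all constructed for the demo; it expects a POSIX filesystem where chmod is honoured.

```python
import os
import stat
import tempfile


class RemediationFailed(Exception):
    """Raised when desired state still does not hold after remediation (the 'freak out' step)."""


def current_mode(path):
    """Permission bits of path, or None if it does not exist."""
    try:
        return stat.S_IMODE(os.stat(path).st_mode)
    except FileNotFoundError:
        return None


def detect(desired):
    """Return {path: (current_mode, wanted_mode)} for every path that drifts from desired."""
    drift = {}
    for path, wanted in desired.items():
        cur = current_mode(path)
        if cur != wanted:
            drift[path] = (cur, wanted)
    return drift


def remediate(drift):
    """Try to chmod each drifted path; failures are tolerated here and caught by the re-check."""
    for path, (_cur, wanted) in drift.items():
        try:
            os.chmod(path, wanted)
        except OSError:
            pass


def enforce(desired, alert=print):
    """Detect -> remediate -> re-detect. Returns the paths it fixed; raises if drift remains."""
    drift = detect(desired)
    if not drift:
        return []
    remediate(drift)
    remaining = detect(desired)
    if remaining:
        alert(f"desired state NOT reached after remediation: {remaining}")
        raise RemediationFailed(remaining)
    return sorted(drift)


def demo():
    """Constructed scenario: a world-readable key file that must be 0600, then a path that
    cannot be remediated because it does not exist. Returns (fixed_count, mode_after, escalated)."""
    fd, keyfile = tempfile.mkstemp(prefix='demo_key_')
    os.close(fd)
    os.chmod(keyfile, 0o644)
    fixed = enforce({keyfile: 0o600})
    mode_after = current_mode(keyfile)
    missing = os.path.join(tempfile.gettempdir(), 'demo_does_not_exist.pem')
    try:
        enforce({missing: 0o600}, alert=lambda msg: None)
        escalated = False
    except RemediationFailed:
        escalated = True
    os.remove(keyfile)
    return len(fixed), mode_after, escalated


if __name__ == '__main__':
    print(demo())
```

The re-check after remediation is the part most home-grown scripts leave out: without it, a chmod that silently fails (read-only mount, immutable attribute, wrong ownership) is reported as fixed, and the alert never fires.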
Tomi Engdahl says:
Google co-founder Larry Page has said he was “disappointed” with the US government after NSA
“It is disappointing that the government secretly did this stuff and didn’t tell us about it,” Page said on stage at the TED Conference.
“It is not possible to have a democracy if we have to protect our users from the government. The government has done itself a tremendous disservice and we need to have a debate about it.”
Source: http://www.theregister.co.uk/2014/03/20/larry_page_ted_2014_snowden_youtube_deepmind/
Tomi Engdahl says:
Weev Is Still in Jail Because the Government Doesn’t Know What Hacking Is
http://motherboard.vice.com/read/weev-is-in-jail-because-the-government-doesnt-know-what-hacking-is
Tomi Engdahl says:
Wearable technology will bury the password, says Symantec
Just don’t forget to put your watch on
http://www.theinquirer.net/inquirer/news/2335399/wearable-technology-will-bury-the-password-says-symantec
WEARABLE TECHNOLOGY could eventually eliminate our need for cumbersome and hard to remember passwords, according to security firm Symantec.
Speaking at the Wearable Technology Show, Symantec technical specialist Sian John said that passwords are “frankly rubbish”, adding that we only continue to use them because they’re easy to use.
She said that with a bit of collaboration in the information technology industry around security standards, it will be feasible to have devices from different brands all talking to each other and a central security system to verify that a person is who they say they are. “If you’ve got collaboration, you can end up with a sort of personal area network. If you’ve got your phone, your Fitbit and your Google Glass all in the same place, the actual proximity of those things can help us know that it’s you,”
Tomi Engdahl says:
Bitcoin’s Software Gets Security Fixes, New Features
http://it.slashdot.org/story/14/03/20/1450253/bitcoins-software-gets-security-fixes-new-features
“The software driving Bitcoin’s network was upgraded Wednesday, with security fixes addressing a problem that defunct bitcoin exchange Mt. Gox blamed for losing nearly half a billion dollars worth of bitcoins. The latest version of bitcoin’s software, 0.9.0, “
Tomi Engdahl says:
“Weev” prosecutor admits: I don’t understand what the hacker did
Andrew “weev” Auernheimer gets his day in appellate court.
http://arstechnica.com/tech-policy/2014/03/lawyers-for-self-described-hacker-weev-contest-his-computer-fraud-conviction/
Lawyers for hacker and Internet troll Andrew “weev” Auernheimer appeared in federal appellate court in Philadelphia on Wednesday morning before a packed house to contest Auernheimer’s November 2012 conviction under the Computer Fraud and Abuse Act (CFAA).
The argument over Auernheimer’s conviction comes as serious reforms to the CFAA are being debated in Congress.
The national debate became emotional and heated after prosecutors wielded the law to charge Internet activist Aaron Swartz with wire fraud, computer fraud, unlawfully obtaining information from a protected computer, and various other counts. These charges were brought after Swartz logged into MIT’s network to gain access to the JSTOR database to download journal articles.
Tomi Engdahl says:
MtGox finds 200,000 Bitcoin in old wallets
Upside for creditors is prospect for refunds, downside is MtGox was clearly very disorganised
http://www.theregister.co.uk/2014/03/21/mtgox_finds_200000_bitcoin_in_old_wallets/
it means the exchange is “only” missing about 650,000 Bitcoin
Tomi Engdahl says:
NSA ‘hunted sysadmins’ to find CAT PHOTOS, high-level passwords
Latest Snowden docs detail sniffing sysadmin activity to help attacks on carriers’ routers
http://www.theregister.co.uk/2014/03/21/nsa_hunted_sysadmins_to_find_cat_photos_highlevel_passwords/
Staff at the United States’ National Security Agency reportedly “hunted” system administrators because they felt doing so would yield passwords that enabled easier surveillance.
So says The Intercept, which claims this document came its way thanks to one E. Snowden
Tomi Engdahl says:
Inside the NSA’s Secret Efforts to Hunt and Hack System Administrators
https://firstlook.org/theintercept/article/2014/03/20/inside-nsa-secret-efforts-hunt-hack-system-administrators/
Across the world, people who work as system administrators keep computer networks in order – and this has turned them into unwitting targets of the National Security Agency for simply doing their jobs. According to a secret document provided by NSA whistleblower Edward Snowden, the agency tracks down the private email and Facebook accounts of system administrators (or sys admins, as they are often called), before hacking their computers to gain access to the networks they control.
The classified posts reveal how the NSA official aspired to create a database that would function as an international hit list of sys admins to potentially target. Yet the document makes clear that the admins are not suspected of any criminal activity – they are targeted only because they control access to networks the agency wants to infiltrate. “Who better to target than the person that already has the ‘keys to the kingdom’?” one of the posts says.
Tomi Engdahl says:
Gmail Goes HTTPS Only For All Connections
http://tech.slashdot.org/story/14/03/20/1834242/gmail-goes-https-only-for-all-connections
Tomi Engdahl says:
The Internet of Things is being used to mine digital currency
Your connected devices could be making someone else money
By Chris Merriman
http://www.theinquirer.net/inquirer/news/2335460/the-internet-of-things-is-being-used-to-mine-digital-currency
A WORM that leverages the Internet of Things to mine cryptocurrencies has been found to have infected around 31,000 devices.
The worm named Linux.Darlloz is in active development and is designed by the author to use his network of infected machines to mine Mincoins and Dogecoins.
Symantec believes that the Internet of Things is being used because, although the devices have low computational power, they are also less likely to be adequately secured, with the username and password often left unchanged from factory settings.
Tomi Engdahl says:
Microsoft and Facebook deny PRISM pre-knowledge
Please ignore what the NSA said
http://www.theinquirer.net/inquirer/news/2335420/microsoft-and-facebook-deny-prism-pre-knowledge
FACEBOOK AND MICROSOFT have disputed claims by the NSA that they were well aware of PRISM and complicit with it.
NSA senior lawyer Rajesh De claimed that all of the big US technology firms knew that data was being collected under PRISM.
“PRISM was an internal government term that as the result of leaks became the public term,” he said. “Collection under this program was a compulsory legal process….”
Tomi Engdahl says:
Taken in phishing attack, Microsoft’s unmentionables aired by hacktivists
If Microsoft and eBay aren’t safe from social engineering attacks, who is?
http://arstechnica.com/security/2014/03/taken-in-phishing-attack-microsofts-dirty-laundry-aired-by-hacktivists/
Pro Syrian hacktivists have offered compelling proof that they successfully breached Microsoft’s corporate network and made off with highly sensitive documents that company employees sent to law enforcement officials, according to a media report published Thursday.
Billing invoices and other documents show Microsoft charging the FBI hundreds of thousands of dollars a month to comply with legal requests for customer information, according to the article published by The Daily Dot.
Most of the SEA’s successes result in little more than a public embarrassment for the compromised targets. But recent exploits against Microsoft and eBay, which Ars covered here and here, were more serious because they exposed confidential operations or data that could be used to further penetrate the companies or compromise operational security.
Tomi Engdahl says:
Hacked emails show what Microsoft charges the FBI for user data
http://www.dailydot.com/news/microsoft-compliance-emails-fbi-ditu/
Microsoft often charges the FBI’s most secretive division hundreds of thousands of dollars a month to legally view customer information, according to documents allegedly hacked by the Syrian Electronic Army.
the documents are more of an indication of just how frequently the government wants information on customers.
Nate Cardozo, a staff attorney for the Electronic Frontier Foundation, agreed, and told the Daily Dot the government should be transparent about how much it pays.
“Taxpayers should absolutely know how much money is going toward this,”
“I don’t see any indication that they’re not real,”
Tomi Engdahl says:
Man hangs himself and 4-year-old son over malware message
http://www.dailydot.com/crime/suicide-kills-son-over-malware/
Senseless tragedy struck in the Romanian commune of Movila Miresii when Marcel Datcu took a distressing but wholly impersonal malware threat at face value, killing himself and his four-year-old son, Nicusor, in a misguided attempt to avoid prison and spare his boy shame.
As with a scam designed to convince people that “PRISM” had found child porn on their hard drives
Tomi Engdahl says:
‘Arrogant’ Snowden putting lives at risk, says NSA’s deputy spyboss
President Madison would be proud, we just need better PR, huffs bigwig
http://www.theregister.co.uk/2014/03/20/arrogant_snowden_putting_lives_at_risk_nsa_deputy_tells_ted/
Ledgett said the NSA’s core problem was that it was lousy at PR, rather than that it was invading innocent people’s privacy. The bigwig said that the former US President James Madison, one of the key writers of the US Constitution, “would be proud” that the checks and balances he helped install still worked in today’s digital age.
Snowden gives whistleblowers a bad name, Ledgett asserted, and the techie should have gone to his line manager if he had complaints.
Ledgett said that the documents Snowden was responsible for leaking were full of “half-truths and distortions.” As a result, the intelligence-gathering facilities of the US had been damaged.
Tomi Engdahl says:
This drone can steal what’s on your phone
http://money.cnn.com/2014/03/20/technology/security/drone-phone/
Hackers have developed a drone that can steal the contents of your smartphone — from your location data to your Amazon password — and they’ve been testing it out in the skies of London. The research will be presented next week at the Black Hat Asia cybersecurity conference in Singapore.
The technology equipped on the drone, known as Snoopy, looks for mobile devices with Wi-Fi settings turned on.
Snoopy takes advantage of a feature built into all smartphones and tablets: When mobile devices try to connect to the Internet, they look for networks they’ve accessed in the past.
“Their phone will very noisily be shouting out the name of every network its ever connected to,”
When the phones connect to the drone, Snoopy will intercept everything they send and receive.
Collecting metadata, or the device IDs and network names, is probably not illegal, according to the Electronic Frontier Foundation. Intercepting usernames, passwords and credit card information with the intent of using them would likely violate wiretapping and identity theft laws.
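What Snoopy listens for is the SSID element inside 802.11 probe request frames, which a client sends for each network it remembers. The following is an added example, not code from the article or from the Snoopy project: it parses the management frame header and the tagged information elements of a probe request, extracts the transmitter address and the requested SSID, and aggregates per client. The frames, the MAC addresses and the network names are constructed for the demo (no FCS trailer), and frames that are not probe requests or whose SSID element is cut off are skipped rather than misread.

```python
# IEEE 802.11 frame control, first byte: bits 0-1 version, 2-3 type, 4-7 subtype.
TYPE_MANAGEMENT = 0
SUBTYPE_PROBE_REQUEST = 4
IE_SSID = 0
IE_SUPPORTED_RATES = 1
MAC_HEADER_LEN = 24  # FC(2) duration(2) addr1(6) addr2(6) addr3(6) seq(2)


def parse_probe_request(frame: bytes):
    """Return (source_mac, ssid) for a probe request: ssid is '' for a wildcard probe and
    None for a truncated SSID element. Return None for anything that is not a probe request."""
    if len(frame) < MAC_HEADER_LEN:
        return None
    fc = frame[0]
    if (fc >> 2) & 0x3 != TYPE_MANAGEMENT or (fc >> 4) & 0xF != SUBTYPE_PROBE_REQUEST:
        return None
    src = ':'.join(f'{b:02x}' for b in frame[10:16])  # addr2 = transmitter address
    ies, i, ssid = frame[MAC_HEADER_LEN:], 0, None
    while i + 2 <= len(ies):
        tag, length = ies[i], ies[i + 1]
        body = ies[i + 2:i + 2 + length]
        if len(body) < length:  # element runs past the end of the frame: stop parsing
            break
        if tag == IE_SSID:
            ssid = body.decode('utf-8', 'replace')
        i += 2 + length
    return src, ssid


def collect_probed_ssids(frames):
    """Map each transmitter to the sorted list of network names it has asked for."""
    seen = {}
    for frame in frames:
        parsed = parse_probe_request(frame)
        if parsed is None:
            continue
        src, ssid = parsed
        if ssid:  # skip wildcard probes and truncated elements
            seen.setdefault(src, set()).add(ssid)
    return {mac: sorted(names) for mac, names in seen.items()}


def build_probe_request(src_mac: bytes, ssid: bytes) -> bytes:
    """Constructed sample frame (no FCS), assembled here for the demo; not a real capture."""
    broadcast = b'\xff' * 6
    header = (bytes([SUBTYPE_PROBE_REQUEST << 4, 0x00])  # frame control: management / probe req
              + b'\x00\x00'                              # duration
              + broadcast + src_mac + broadcast          # addr1 DA, addr2 SA, addr3 BSSID
              + b'\x10\x00')                             # sequence control
    ssid_ie = bytes([IE_SSID, len(ssid)]) + ssid
    rates_ie = bytes([IE_SUPPORTED_RATES, 4, 0x82, 0x84, 0x8b, 0x96])  # 1, 2, 5.5, 11 Mbit/s
    return header + ssid_ie + rates_ie


def demo_frames():
    """Constructed frames from two made-up clients with locally administered MAC addresses."""
    phone = bytes.fromhex('0223456789ab')
    laptop = bytes.fromhex('02a1b2c3d4e5')
    return [
        build_probe_request(phone, b'HomeWifi'),
        build_probe_request(phone, b'Airport-Free-WiFi'),
        build_probe_request(phone, b''),                  # wildcard probe: reveals nothing
        build_probe_request(laptop, b'CorpGuest'),
        bytes([0x80, 0x00]) + bytes(22),                  # beacon header: not a probe request
        build_probe_request(phone, b'HomeWifi')[:27],     # SSID element cut off mid-way
    ]


if __name__ == '__main__':
    print(collect_probed_ssids(demo_frames()))
```

The per-client list is the “noisy shouting” the article refers to: the phone above has just told anyone in radio range which home and airport networks it trusts, which is what lets an attacker pick a name to impersonate. Disabling auto-join for open networks, or forgetting networks you no longer use, shrinks that list.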
Tomi Engdahl says:
Obama’s move to relieve snooping fears
http://thehill.com/blogs/blog-briefing-room/news/201434-obama-seeks-to-allay-surveillance-fears-of-tech-execs
The White House said Obama and the executives — which included Facebook founder Mark Zuckerberg, Netflix founder Reed Hastings, and Google chairman Eric Schmidt — discussed steps Obama had ordered to restrict government intelligence activities.
According to a Facebook spokeswoman, Zuckerberg and Obama “had an honest talk about government intrusion on the Internet and the toll it is taking on people’s confidence in a free and open Internet.”
“Technology is changing rapidly, from sensors all around us to the ability of companies and government to analyze and look at vast volumes of data.”
Tomi Engdahl says:
F-Secure’s Hypponen: “Tor is not bad, it is a tool”
Before last summer, many thought they were surfing the web anonymously. Revelations of the U.S. security agency NSA’s ability to track traffic brought the unsuspecting back to reality.
In light of current knowledge it is, however, still possible to travel the network incognito and anonymously with the Tor network. Companies and other high-security organizations have begun to take an interest in the technology.
According to Tor Project development director Karen Reilly, Tor is a safer option than a traditional VPN: “VPNs rely on one hub. If it can be hacked, it is no longer safe.”
F-Secure researchers use the Tor network when they are doing information security research.
“Tor is not bad, but a tool. Criminals also use money.”
Source: Tietoviikko
http://www.tietoviikko.fi/kaikki_uutiset/fsecuren+hypponen+quottor+ei+ole+paha+vaan+tyokaluquot/a970846
Tomi Engdahl says:
AWS urges developers to scrub GitHub of secret keys
http://www.itnews.com.au/News/375785,aws-urges-developers-to-scrub-github-of-secret-keys.aspx
Devs hit with unexpected bills after leaving secret keys exposed.
Amazon Web Services (AWS) is urging developers using the code sharing site GitHub to check their posts to ensure they haven’t inadvertently exposed their log-in credentials.
Thousands of ‘secret keys’, which unlock access to private Amazon Web Services accounts are currently available unencrypted to members of the public with just two clicks of a mouse.
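The check AWS is asking developers to make can be automated: an access key id has a fixed prefix and length, and a secret key is a 40-character string from the base64 alphabet, which by itself matches far too much (a git commit hash is also 40 characters). The following is an added example, not code from the article or from AWS: it scans text for access key ids by pattern, and for secret keys only where the line also mentions “secret” and the candidate has the entropy of a random value rather than a placeholder. The sample settings file is constructed, and the two credential values are the well-known example values from AWS’s own documentation, not live keys.

```python
import math
import re

# Access key ids are 20 characters: 'AKIA' (long-term) or 'ASIA' (temporary) + 16 upper/digits.
ACCESS_KEY_RE = re.compile(r'(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])')
# Secret keys are 40 characters from the base64 alphabet; too generic to flag on shape alone.
SECRET_CANDIDATE_RE = re.compile(r'(?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])')
SECRET_CONTEXT_RE = re.compile(r'secret', re.I)


def shannon_entropy(s):
    """Bits of entropy per character; random secrets sit well above placeholders like 'aaaa...'."""
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_aws_credentials(text, min_entropy=4.0):
    """Return [(line_number, kind, value)] for likely AWS credentials found in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append((lineno, 'access_key_id', m.group(0)))
        if SECRET_CONTEXT_RE.search(line):
            for m in SECRET_CANDIDATE_RE.finditer(line):
                if shannon_entropy(m.group(0)) >= min_entropy:
                    findings.append((lineno, 'secret_access_key', m.group(0)))
    return findings


# Constructed sample file; the key values are AWS documentation examples, not live credentials.
SAMPLE_SETTINGS = """\
# settings.py accidentally pushed to a public repository (constructed example)
DEBUG = True
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
# template placeholder, not a real secret:
OTHER_SECRET = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
# a git object id is also 40 characters, but is not a secret:
BUILD_COMMIT = "2fd4e1c67a2d28fced849ee1bb76e7391b93eb12"
"""


if __name__ == '__main__':
    for lineno, kind, value in find_aws_credentials(SAMPLE_SETTINGS):
        print(f'line {lineno}: {kind} {value[:4]}...{value[-4:]}')
```

Run it over the output of `git log -p` as well as the working tree, because a key deleted from the current commit is still in the history that GitHub serves. And a key that was ever public has to be treated as compromised and rotated; removing it from the repository is not enough.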
Tomi Engdahl says:
Cryptocurrency Exchange Vircurex To Freeze Customer Accounts
http://yro.slashdot.org/story/14/03/24/0023236/cryptocurrency-exchange-vircurex-to-freeze-customer-accounts
“opinions differ on whether cryptocurrency is the future of cash, a Dutch tulip bubble, a Ponzi scheme, or some varying mixture of all three”
Tomi Engdahl says:
Sound familiar? Bitcoin exchange Vircurex freezes customer accounts as it battles insolvency
http://thenextweb.com/insider/2014/03/23/sound-familiar-bitcoin-exchange-vircurex-freezes-customer-accounts-as-it-battles-insolvency/
The Beijing-based virtual currency exchange is much smaller than Mt. Gox, but it is notable that it has stopped withdrawals of Bitcoin, Litecoin and other coins today
Vircurex was hacked twice last year and had been using a reserve of ‘cold storage‘ currency to reimburse users whose balances were affected by the hacks.
Vircurex is betting that new users will continue to sign up to use its service despite the fact that it has become insolvent, while it is also relying on not being hacked again.
Tomi Engdahl says:
Interview: Cisco’s security supremo on the Internet of Everything
El Reg asks Chris Young how we can stop the IoT becoming a $19 TREELLLION honeypot
http://www.theregister.co.uk/2014/03/24/interview_ciscos_chris_young_on_internet_of_everything_security/
Chris Young is the Cisco executive charged with leading its security challenge: securing the Internet of Everything.
Young: What’s important to know, at the end of the day, most of the behaviour that we’re seeing – most of the risks and challenges of the Internet of Everything mirrors the risks and challenges of society.
At the end of the day, what are people doing?
They’re stealing money, they’re stealing information, or they’re trying to disrupt someone’s operations. Those are all problems that we see in the physical world. It’s just magnified and scaled in a way that we can’t contemplate in our own physical world.
Young: The reality is – in security, a lot of the security problems, the criminals are going to go after where they’re going to get the most return for whatever they have in mind.
what’s important is that there’s always going to be vulnerabilities in any product that exists.
The point is that the context becomes very important in thinking about the security model.
Most of the movement in the industry right now is that we’re moving to more software-based models, more value in software. Hardware’s still important
you have to optimise your security model for the business context, and the environment in which you operate.
You can’t assume that there’s some way to outsource all security care-abouts.
Everybody’s going to have to follow secure development life cycle. Everybody’s going to need basic, foundational security. Identity is going to become important in all of this
That could be: “This is a machine, it has this image on it, it belongs to this group. Its normal behaviour looks like this, so if one day it behaves like this, then we have a problem”
Tomi Engdahl says:
Obama to Call for End to N.S.A.’s Bulk Data Collection
http://www.nytimes.com/2014/03/25/us/obama-to-seek-nsa-curb-on-call-data.html?pagewanted=all&_r=0
The Obama administration is preparing to unveil a legislative proposal for a far-reaching overhaul of the National Security Agency’s once-secret bulk phone records program in a way that — if approved by Congress — would end the aspect that has most alarmed privacy advocates since its existence was leaked last year, according to senior administration officials.
Under the proposal, they said, the N.S.A. would end its systematic collection of data about Americans’ calling habits.
Tomi Engdahl says:
10,000 GitHub users inadvertently reveal their AWS secret access keys
http://www.net-security.org/secworld.php?id=16566
GitHub developers who are also Amazon Web Services users are advised to check the code they made public on their project pages and to delete secret access keys for their AWS account they may have posted inadvertently.
“When you access AWS programmatically, you verify your identity and the identity of your applications by using an access key”
“Anyone who has your access key has the same level of access to your AWS resources that you do.”
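The two AWS items above (the itnews piece and the net-security one) both come down to the same check: are there AWS access keys committed in a public repository? Below is an added example of that check, written for this page and not taken from AWS, GitHub or either article. It scans text for the documented long-term access key ID format (the `AKIA` prefix followed by 16 upper-case alphanumerics) and for 40-character secret keys assigned to a variable whose name contains "secret"; the key values in the constructed sample are the placeholders AWS uses in its own documentation, not real credentials. The `scan_tree` helper and the `SKIP_DIRS` set are my own additions for running it over a checkout.

```python
import re
from pathlib import Path

# AWS long-term access key IDs start with "AKIA" followed by 16 upper-case
# letters or digits.  The lookarounds stop the pattern matching inside a
# longer token.
ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])AKIA[0-9A-Z]{16}(?![A-Z0-9])")

# A secret access key is 40 characters from the base64 alphabet.  On its own
# that looks like any random token, so it is only flagged when it is assigned
# to a variable or config key whose name contains "secret".
SECRET_RE = re.compile(
    r"(?i)(aws_?secret(?:_?access)?_?key|secret)\s*[=:]\s*['\"]?"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)

# Directories that are never worth scanning (hypothetical default list).
SKIP_DIRS = {".git", "node_modules", ".venv", "__pycache__"}


def redact(value):
    """Keep only the first and last four characters so a report can be shared."""
    return value[:4] + "..." + value[-4:]


def scan_text(text, filename="<string>"):
    """Return a list of findings (file, line, kind, redacted preview) for one file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append({"file": filename, "line": lineno,
                             "kind": "access_key_id", "preview": redact(m.group(0))})
        for m in SECRET_RE.finditer(line):
            findings.append({"file": filename, "line": lineno,
                             "kind": "secret_access_key", "preview": redact(m.group(2))})
    return findings


def scan_tree(root):
    """Walk a checkout and scan every regular file; undecodable bytes are
    replaced rather than raising so binary files do not abort the scan."""
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or SKIP_DIRS.intersection(path.parts):
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue
        findings.extend(scan_text(text, str(path)))
    return findings


# Constructed sample of a committed credentials file.  Both values are the
# placeholder keys from AWS's documentation, not real credentials.
LEAKED_SAMPLE = """\
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
region = us-east-1
"""

# Constructed sample of the safe pattern: the code reads credentials from the
# environment, so nothing secret is in the repository and nothing is flagged.
CLEAN_SAMPLE = """\
import os
access_key = os.environ["AWS_ACCESS_KEY_ID"]
secret_key = os.environ["AWS_SECRET_ACCESS_KEY"]
"""

if __name__ == "__main__":
    import sys
    # Usage: python scan_keys.py [path-to-checkout]; without a path it scans the sample.
    hits = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else scan_text(LEAKED_SAMPLE, "credentials")
    for h in hits:
        print(f"{h['file']}:{h['line']}: {h['kind']} {h['preview']}")
    sys.exit(1 if hits else 0)
```

Run it as a pre-commit hook and a non-zero exit blocks the commit. Finding a key in history is only half the job: a key that was ever pushed to a public repository has to be treated as compromised and rotated in IAM, because removing the file does not remove it from the clones and forks already made.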
Tomi Engdahl says:
Malicious apps can hose Android phones, erase data, researchers warn
Denial-of-service exploit may also work against official Google Play market.
http://arstechnica.com/security/2014/03/malicious-apps-can-brick-android-phones-erase-data-researchers-warn/
Security researchers said they have uncovered bugs in Google’s Android operating system that could allow malicious apps to send vulnerable devices into a spiral of endlessly looping crashes and possibly delete all data stored on them.
Apps that exploit the denial-of-service vulnerability work on Android versions 2.3, 4.2.2, 4.3, and possibly many other releases of the operating system, researcher Ibrahim Balic wrote in a blog post published last week.
Tomi Engdahl says:
Efficient Denial of Service Attacks on Web Application Platforms
December 28th, 2011. 28th Chaos Communication Congress
http://events.ccc.de/congress/2011/Fahrplan/attachments/2007_28C3_Effective_DoS_on_web_application_platforms.pdf
PHP: (realistic) efficiency
~70-100kbits/s keep one i7 core busy
1 Gbit/s keep ~10.000 i7 cores busy
ASP.NET: efficiency
~30 kbits/s keep one Core2 core busy
1 Gbit/s keep ~30k Core2 cores busy
Java (Tomcat): efficiency
~6 kbits/s keep one i7 core busy
1 Gbit/s keep ~100000 i7 cores busy
Python (Plone): efficiency
~20 kbits/s keep one Core Duo core busy
CRuby 1.8 (Rack): efficiency
~720 bits/s keep one i7 core busy
Just a POST request …
Can be generated on the fly using HTML and JavaScript
Use a randomized hash function!
Think about whether attacker controlled data ends up in a hash table!
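The figures above come from hash-collision flooding: when every key an attacker supplies lands in the same bucket, a hash table degrades into a linked list and each request costs quadratic work. The slide's mitigation, a randomized (keyed) hash function, is what the added example below demonstrates. This is my own illustration, not code from the 28C3 talk: a toy sum-of-bytes hash stands in for the platforms' real hash functions, and anagrams of one word stand in for the colliding inputs, so the point is the comparison with a keyed BLAKE2b hash using a per-process random key. The table class and function names are my own.

```python
import hashlib
import itertools
import secrets


class ChainedTable:
    """Minimal separate-chaining hash table with a pluggable hash function,
    instrumented so the cost of a lookup can be measured."""

    def __init__(self, hash_fn, nbuckets=1024):
        self.hash_fn = hash_fn
        self.buckets = [[] for _ in range(nbuckets)]

    def _bucket(self, key):
        return self.buckets[self.hash_fn(key) % len(self.buckets)]

    def insert(self, key, value):
        bucket = self._bucket(key)
        for i, (k, _) in enumerate(bucket):
            if k == key:
                bucket[i] = (key, value)
                return
        bucket.append((key, value))

    def lookup_comparisons(self, key):
        """Number of key comparisons one lookup performs, i.e. its real cost."""
        bucket = self._bucket(key)
        for n, (k, _) in enumerate(bucket, 1):
            if k == key:
                return n
        return len(bucket)

    def longest_chain(self):
        return max(len(b) for b in self.buckets)


def weak_hash(key):
    """Toy unkeyed hash: the sum of the byte values.  It is order-independent,
    so every anagram of a string lands in the same bucket."""
    return sum(key.encode())


def make_keyed_hash(secret=None):
    """Randomized hash: keyed BLAKE2b with a key drawn once per process.  Without
    the key an attacker cannot precompute colliding inputs.  (Python's own str
    hash has been salted the same way since 3.3.)"""
    secret = secret or secrets.token_bytes(16)

    def keyed_hash(key):
        digest = hashlib.blake2b(key.encode(), key=secret, digest_size=8).digest()
        return int.from_bytes(digest, "big")

    return keyed_hash


def anagram_keys(word="parameter", limit=2000):
    """Distinct permutations of one word: all share the same weak_hash value."""
    seen = set()
    for perm in itertools.permutations(word):
        s = "".join(perm)
        if s not in seen:
            seen.add(s)
            if len(seen) >= limit:
                break
    return sorted(seen)


def compare(keys, nbuckets=1024):
    """Insert the same keys into both tables; return, per table, the longest
    chain and the total comparisons needed to look every key up again."""
    results = {}
    for name, fn in (("weak", weak_hash), ("keyed", make_keyed_hash())):
        table = ChainedTable(fn, nbuckets)
        for k in keys:
            table.insert(k, True)
        total = sum(table.lookup_comparisons(k) for k in keys)
        results[name] = (table.longest_chain(), total)
    return results


if __name__ == "__main__":
    for name, (chain, cost) in compare(anagram_keys()).items():
        print(f"{name:5s} longest chain={chain:5d}  comparisons for 2000 lookups={cost}")
```

With 2000 colliding keys the unkeyed table answers 2000 lookups with about two million comparisons, the keyed one with a few thousand; the input size is identical, which is why a few kilobits per second of crafted POST data was enough to occupy a core. The second slide point is the one to carry into code review: any place where request-controlled strings (parameter names, JSON keys, header names) become keys of an unkeyed hash table is exposed the same way.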
Tomi Engdahl says:
Microsoft Word Zero-Day Used In Targeted Attacks
http://it.slashdot.org/story/14/03/25/0156203/microsoft-word-zero-day-used-in-targeted-attacks
“Microsoft warned on Monday of a remote code execution vulnerability (CVE-2014-1761) in Microsoft Word 2010 that is being actively exploited in targeted attacks.”
Tomi Engdahl says:
Academics Spy Weaknesses in Bitcoin’s Foundations
http://www.technologyreview.com/news/525676/academics-spy-weaknesses-in-bitcoins-foundations/
Game theory suggests the rules governing Bitcoin may need to be updated if the currency is to endure.
One thing cannot be disputed about the person (or persons) responsible for creating Bitcoin: they were skilled in math, and expert at coding. Five years after the Bitcoin software was first released, no major fixes have been needed to the core code, which uses cryptography to generate and transfer virtual money.
Yet signs are emerging of more subtle flaws in the vision of Satoshi Nakamoto (which may or may not be a pseudonym), with analysis suggesting the rules governing how Bitcoin operates as a currency may be far from perfect. Some researchers claim that these rules leave room for cheats to destabilize Bitcoin.
One conclusion drawn by Kroll and his Princeton colleagues Ian Davey and Ed Felten is that those rules will have to be significantly changed if Bitcoin is to last. Their models predict that interest in “mining” for bitcoins, by downloading and running the Bitcoin software, will drop off as the number in circulation grows toward the cap of 21 million set by Nakamoto. This would be a problem because computers running the mining software also maintain the ledger of transactions, known as the blockchain, that records and guarantees bitcoin transactions
The only solution Kroll sees is to rewrite the rules of the currency.
making major changes to the basic rules of how the currency works is likely to meet stiff resistance.
Tomi Engdahl says:
Ubuntu phone isn’t important enough to demand an open source baseband
http://www.networkworld.com/community/blog/ubuntu-phone-isnt-important-enough-demand-open-source-baseband
Although it’s a bummer that Ubuntu-based smartphones won’t be fully open source, it’s not really Canonical’s fault.
“If you read the catalogue of spy tools and digital weaponry provided to us by Edward Snowden, you’ll see that firmware on your device is the NSA’s best friend,” Shuttleworth said in a recent blog post.
Tomi Engdahl says:
Bruce Schneier sneers at IBM’s NSA denials
Security chap pens open letter to Big Blue blowing holes in Big Blue’s open letter
http://www.theregister.co.uk/2014/03/25/bruce_schneier_sneers_at_ibms_nsa_denials/
Ten days ago IBM issued “A Letter to Our Clients About Government Access to Data”
But the letter did not satisfy security commentator Bruce Schneier who’s penned an open letter of his own to Big Blue.
Tomi Engdahl says:
Bruce Schneier: An Open Letter to IBM’s Open Letter
https://www.schneier.com/blog/archives/2014/03/an_open_letter_.html
Last week, IBM published an “open letter” about “government access to data,” where it tried to assure its customers that it’s not handing everything over to the NSA. Unfortunately, the letter (quoted in part below) leaves open more questions than it answers.
Tomi Engdahl says:
Yahoo, Google and Apple also claim right to read user emails
http://www.theguardian.com/technology/2014/mar/21/yahoo-google-and-apple-claim-right-to-read-user-emails
Like Microsoft, other webmail giants all reserve the right to read user emails, if ‘deemed necessary’
Microsoft is not unique in claiming the right to read users’ emails – Apple, Yahoo and Google all reserve that right as well, the Guardian has determined.
Microsoft’s own terms of service allow the company to access content “when Microsoft forms a good faith belief that doing so is necessary [to] protect the… property of Microsoft”. It made use of that right to read the email of an unnamed journalist who had allegedly taken possession of the source code to Windows 8 thanks to an internal leak at the firm.
Tomi Engdahl says:
One Billion Android Devices Open To Privilege Escalation
http://mobile.slashdot.org/story/14/03/22/2253223/one-billion-android-devices-open-to-privilege-escalation
“The first deep look into the security of the Android patch installation process, specifically its Package Management Service (PMS), has revealed a weakness that puts potentially every Android device at risk for privilege escalation attacks.”
Tomi Engdahl says:
Weakness in Android Update Service Puts All Devices at Risk for Privilege Escalation
http://threatpost.com/weakness-in-android-update-service-puts-all-devices-at-risk-for-privilege-escalation/104906
Researchers from Indiana University and Microsoft published a paper that describes a new set of Android vulnerabilities they call Pileup flaws, and also introduces a new scanner called SecUP that detects malicious apps already on a device lying in wait for elevated privileges.
The vulnerability occurs in the way PMS handles updates to the myriad flavors of Android in circulation today. The researchers say PMS improperly vets apps on lower versions of Android that request OS or app privileges that may not exist on the older Android version, but are granted automatically once the system is updated.
Pileup flaws, short for privilege escalation through updating, ramp up the permissions given to malicious apps once Android is updated without raising an alarm to the user.
Tomi Engdahl says:
Stallman: “The only protection against spying is free software”
Richard Stallman has led the free software movement for thirty years at the head of the Free Software Foundation. His handiwork is the GNU project, whose fruit is the GNU/Linux operating system.
“Free software respects users’ freedom. The aim of our movement is that all software would be free,” he says.
“There are only two options. Either the user controls the program or the program controls the user. Users of non-free software are victims of the power exercised by its developers or owners.”
“Free and open are not synonyms. Much open source software is also free.”
Stallman honors Edward Snowden as a hero: he has given the free software movement an entirely new stimulus.
“The only protection is free software.”
“Free software is not a complete guarantee, but it is at least much better than blind faith.”
Source: Tietokone
http://www.tietokone.fi/artikkeli/uutiset/stallman_ainoa_suoja_urkinnalta_ovat_vapaat_ohjelmistot
Tomi Engdahl says:
Microsoft issues less-than-helpful tips to XP holdouts
Don’t click on bad stuff and back up a lot, Redmond tells refuseniks
http://www.theregister.co.uk/2014/03/25/microsoft_issues_lessthanhelpful_tips_to_xp_holdouts/
Redmond’s recognition of the problem appears in a new “Cyber threats to Windows XP and guidance for Small Businesses and Individual Consumers” document, which identifies five likely risks XP holdouts will face and offers advice on how they might be ameliorated.
If you never connect to a network, Microsoft’s mitigations would probably mean you could use your XP machine safely. For the rest of us, learning about firewall exceptions looks like the best alternative.
Or install Linux, an operating system utterly likely to leave an XP machine eminently usable and secure.
Tomi Engdahl says:
Cybercrook? Bent on mischief? WE’LL GET YOU, vow Facebook and pals
Secure Domain Foundation will pull rug from under web miscreants
http://www.theregister.co.uk/2014/03/25/secure_domain_foundation/
Internet heavyweights have teamed up to form a non-profit organisation designed to supply internet infrastructure operators with free tools and intelligence in the fight against cybercrime.
Facebook, security intelligence firm Crowdstrike, Verisign, ESET Anti-Virus, Verizon and the Anti-Phishing Working Group, among others, are putting their support behind the Secure Domain Foundation (SDF).
The SDF’s free API product will give “credit ratings” for customers based on security reputation and contact data validation.
The database of malicious domains and bad actors has been in development for two years.
“ICANN has recently mandated that domain registrars must validate postal addresses, phone numbers, and email addresses that are provided as contact information during the domain registration process,” said Norm Ritchie, chairman of the SDF.