Security trends for 2014

Year 2014 will be a year of cybersecurity after the NSA revelations made in 2013. The headline news is that the NSA has surreptitiously “burrowed its way into nearly all the security architecture” sold by the world’s largest computer networking companies. A lot of people were shocked by how the NSA monitored and hacked almost everything on the Internet. There will still be NSA aftershocks as new material comes out and different parties react to it (and news sources write about it). U.S. cloud services have been put into question for good reason. There will be a lot of NSA spying litigation. Those spying issues will also fuel some hacktivism (it has already started to happen).

The article Security Professionals: Top Cyber Threat Predictions for 2014 lists the following predictions, which seem pretty probable: Cybersecurity Regulatory Efforts Will Spark Greater Need for Harmonization; Service-Impacting Interruptions for Online Services Will Persist; We Will See an Increase in Cybercrime Activity Related to the World Cup; Rise of Regional Cloud Services; Dev-Ops Security Integration Fast Becoming Critical; Cybercrime that Leverages Unsupported Software Will Increase; Increase in Social Engineering and Ransomware Will Impact More People.

Ubiquitous mobile computing is all around us, which will lead to increased risks and concerns about social network privacy. Social networks have quickly become the key organizing principle of Internet communication and collaboration. Android anti-virus apps CAN’T kill nasties on sight like normal AV can: the Android sandbox does not let one app remove another app’s files, so an AV app can only warn the user and ask them to uninstall the malware.

2013 was a very hacked year, with many cases where information on millions or tens of millions of users was stolen from companies. It’s likely that we will see much more of the same in 2014, because the way people use passwords and the way on-line services are built have not changed much in one year.


Gartner predicts that through 2014, improved JavaScript performance will begin to push HTML5 and the browser as a mainstream enterprise application development environment. I expect that HTML5-related security issues will increase because the technology will be used more in 2014.

Over 50% of net traffic to web sites is made by bots! The article More Than Half of Internet Traffic Is Just Bots says that security and cloud service provider Incapsula analyzed its traffic and found that more than 60 percent of Internet traffic is computer generated, compared to less than 40 percent driven by human clicks. 31% of bots are still malicious. SEO link building has always been a major motivation for automated link spamming, but it is decreasing because Google was able to discourage it. There is more advanced hacking and automatic vulnerability searching.

DDoS attacks are evolving from volumetric Layer 3-4 attacks to much more sophisticated and dangerous Layer 7 multi-vector threats.

There will still be many SCADA security issues in 2014. Even though traditional SCADA vulnerabilities have become easier to find, the increased connectivity brought by IoT will cause new issues. And there will still be very many control systems openly accessible from the Internet to practically anybody who knows how to look for them. A large number of SCADA systems were found open on the Internet at the beginning of 2013, and the numbers have not dropped considerably during the year. I expect that very many of those systems will still be too open at the end of 2014.

The Internet is expanding into enterprise assets and consumer items such as cars and televisions. The Internet of Things (IoT) will evolve into the Web of Things, increasing the coordination between things in the real world and their counterparts on the Web. There will be many security issues to solve, and as these systems become more widely used, more security issues will be found in them.

Cloud security will be talked about. Hopefully there will be some clean-up of the terminology in that area, because cloud security can mean a lot of things, like the term cloud computing. Cloud security could mean how secure your cloud provider is; a service that runs in the cloud and filters what comes through it (for example e-mails, web traffic); a product protecting some service running in the cloud; or a traditional anti-virus service that connects to the cloud to improve its operation (for example updating in real time, or verifying unknown programs based on data in the cloud). Research firm Gartner forecasts that cloud security sales will increase dramatically in the next few years: cloud security sales are forecast to grow from $2.1 billion to $3.1 billion in 2015.

Marketers try to put the “cloud” term into security product brochures as much as they can. The cloud has made traditional information security sound old-fashioned, because companies are under pressure to move services to the cloud. Also, mobile devices and dispersed users set new standards for information security. OpenDNS’s CTO Dan Hubbard says that “Because the data and equipment run in the cloud, protecting users with the cloud is the best way to protect them.” The Snowden effect will also put PRIVATE cloud talk on the table this year for security reasons, because U.S. cloud services have been put into question for good reason.

In Finland a new Cyber Security Center started at the beginning of 2014. Security articles and warnings from it will be published at kyberturvallisuuskeskus.fi.

Late addition: Crypto-currencies like Bitcoin and similar are on the rise. Early adopters already use them actively. Those crypto-currencies have many security related issues. The values of the crypto-currencies vary quite a lot, and the value easily drops considerably when they get so widely used that different governments try to limit their use. Bitcoin is increasingly used as a ransomware payment method. Bitcoins have been stolen quite a lot lately (and I expect that to increase as usage increases); they are stolen from users, from on-line wallets and from exchanges. When more money is involved, more bad guys try to get in to get some of it. Sometimes bad guys do not try to steal your money, but use resources you pay for (your own PC, your server capacity, etc.) to generate money for them without you knowing about it. If you plan to use those crypto-currencies, be careful to understand what you are doing with them: there is a real possibility that you can lose your money, and there is no way that lost money can be recovered.

3,382 Comments

  1. Tomi Engdahl says:

    Amine Doukkali: Keeping Kids Safe Online – IndyPosted
    http://www.youtube.com/watch?v=uOjRGTGvMUg

    Whatever the case may be, parents need to be focused on keeping their children safe on the internet.

  2. Tomi Engdahl says:

    Cryptocurrency-Stealing Malware Landscape
    http://www.secureworks.com/cyber-threat-intelligence/threats/cryptocurrency-stealing-malware-landscape/

    Bitcoin, a digital currency and payment system introduced in 2009, has been subject to an increasing amount of attention from thieves. Although the system itself is protected by strong cryptography, thieves have stolen millions of dollars of bitcoin from victims by exploiting weaknesses in Bitcoin private key storage systems.

    Since Bitcoin’s introduction, an increasing number of alternative digital currencies (altcoins) have been created, based on the original Bitcoin client’s source code.

    Mass theft of cryptocurrency is usually accomplished through the hacking of exchanges or marketplaces. These thefts are typically well-publicized, and the total number of stolen coins is known. However, another category of Bitcoin theft targets individual users’ wallets or exchange accounts via malware such as general-purpose remote access trojans (RATs) or specialized cryptocurrency-stealing malware (CCSM).

    As Bitcoin has become more valuable, more malware authors are targeting it.

    The most common type of CCSM is the wallet stealer, a category that includes nearly every family of CTU-analyzed CCSM. This type of malware searches for “wallet.dat” or other well-known wallet software key storage locations, either by checking known file locations or by searching all hard drives for matching filenames. Typically, the file is uploaded to a remote FTP, HTTP, or SMTP server where the thief can extract the keys and steal the coins by signing a transaction, transferring the coins to the thief’s Bitcoin/altcoin address.

    Most cryptocurrency security guides recommend protecting the wallet with a strong passphrase, preventing the thief from decrypting and using the private keys if the file is stolen. To counter this protection, many of the analyzed wallet-stealer malware families use a keylogger or clipboard monitor to obtain the wallet file’s passphrase and send it to the thief.

    Hardware wallets work well for local transactions but not for safely interacting with a remote website on a potentially infected computer.

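
An added example, not part of the SecureWorks report or this post: a host-side correlation rule for the wallet-stealer behaviour described above. A process that is not a known wallet client reads a wallet key file and shortly afterwards opens an outbound FTP, SMTP or HTTP connection gets flagged. The endpoint events are constructed, and the allowlisted client names, the time window and the event field names are assumptions.

```python
import json
import re
from collections import defaultdict

# The report says stealers hunt for "wallet.dat" and other well-known key
# storage locations; the Bitcoin Core data directory is one such location.
WALLET_PATH = re.compile(r"(^|[\\/])wallet\.dat$|[\\/]Bitcoin[\\/]", re.IGNORECASE)
# Assumed allowlist of processes that legitimately open the wallet file.
KNOWN_WALLET_CLIENTS = {"bitcoin-qt.exe", "bitcoind.exe"}
# The upload channels named in the report (FTP, HTTP, SMTP).
EXFIL_PORTS = {21: "ftp", 80: "http", 25: "smtp", 587: "smtp"}

# Constructed endpoint telemetry, one JSON object per line (field names assumed).
EVENTS = r"""
{"ts": 100, "pid": 41, "image": "bitcoin-qt.exe", "event": "file_read", "path": "C:\\Users\\bob\\AppData\\Roaming\\Bitcoin\\wallet.dat"}
{"ts": 105, "pid": 41, "image": "bitcoin-qt.exe", "event": "net_connect", "dst": "198.51.100.7", "port": 8333}
{"ts": 200, "pid": 77, "image": "svchost32.exe", "event": "file_read", "path": "C:\\Users\\bob\\AppData\\Roaming\\Bitcoin\\wallet.dat"}
{"ts": 203, "pid": 77, "image": "svchost32.exe", "event": "net_connect", "dst": "203.0.113.9", "port": 21}
{"ts": 300, "pid": 90, "image": "backup.exe", "event": "file_read", "path": "D:\\backup\\wallet.dat"}
{"ts": 900, "pid": 90, "image": "backup.exe", "event": "net_connect", "dst": "203.0.113.10", "port": 80}
{"ts": 400, "pid": 12, "image": "notepad.exe", "event": "file_read", "path": "C:\\Users\\bob\\notes.txt"}
{"ts": 402, "pid": 12, "image": "notepad.exe", "event": "net_connect", "dst": "203.0.113.11", "port": 80}
"""


def load_events(text):
    """Parse JSON lines and order them by time so correlation is sequential."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    return sorted(events, key=lambda e: e["ts"])


def correlate(text, window_s=60):
    """Flag a process that reads a wallet key file and, within window_s seconds,
    opens a connection on an exfiltration port.  Known wallet clients are
    exempt; a read with no prompt upload (for example a backup job that
    uploads much later) is not flagged by this rule."""
    wallet_reads = defaultdict(list)   # pid -> wallet file_read events
    alerts = []
    for e in load_events(text):
        if e["event"] == "file_read":
            if WALLET_PATH.search(e["path"]) and e["image"].lower() not in KNOWN_WALLET_CLIENTS:
                wallet_reads[e["pid"]].append(e)
        elif e["event"] == "net_connect" and e["port"] in EXFIL_PORTS:
            for r in wallet_reads.get(e["pid"], []):
                delay = e["ts"] - r["ts"]
                if 0 <= delay <= window_s:
                    alerts.append({"pid": e["pid"], "image": e["image"], "path": r["path"],
                                   "dst": e["dst"], "channel": EXFIL_PORTS[e["port"]],
                                   "delay_s": delay})
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```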
  3. Tomi Engdahl says:

    Enterprise Best Practices for Cryptocurrency Adoption
    http://www.secureworks.com/resources/articles/featured_articles/enterprise-best-practices-for-cryptocurrency-adoption

    Keeping funds and transaction information secure from prying eyes is of the utmost importance when handling finances. So too should it be when working with digital currencies. This white paper explores best practice approaches and concepts to ensure businesses and consumers alike don’t wind up with their digital currencies walking out the door.

  4. Tomi Engdahl says:

    Marc Andreessen: “My Prediction Is That The Libertarians Will Turn On Bitcoin.”
    http://techcrunch.com/2014/03/25/marc-andreessen-my-prediction-is-that-the-libertarians-will-turn-on-bitcoin/

    Marc Andreessen and Balaji Srinivasan, two of bitcoin’s biggest bulls in the venture capital industry, stepped up their rhetoric against skeptics of the crypto-currency today at the Coin Summit conference in San Francisco.

    The two said they’re planning to invest hundreds of millions of dollars into startups around the cryptocurrency. They’ve already put $25 million into Coinbase, a leading wallet and payment processor for merchants, plus they have a few other unannounced investments.

    “I think the relevant comparison point for bitcoin is 1993 or 1994 for the consumer Internet,” said Andreessen, who created the Netscape web browser back then. “It arrived with fringe politics and fringe characteristics. But you just have to go through a maturation process, and along the way, the fringe characters can get alienated.”

  5. Tomi Engdahl says:

    Bitcoin Is Property, Not Currency, in Tax System: IRS
    http://www.bloomberg.com/news/2014-03-25/bitcoin-is-property-not-currency-in-tax-system-irs-says.html

    The U.S. government will treat Bitcoin as property for tax purposes, applying rules it uses to govern stocks and barter transactions, the Internal Revenue Service said in its first substantive ruling on the issue.

  6. Tomi Engdahl says:

    Frank Frankovsky, one of the men responsible for Facebook’s foray into building hardware, has left the social networking giant to form his own startup.
    http://gigaom.com/2014/03/25/facebook-has-built-threatdata-a-framework-for-web-security/

    Facebook detailed on Tuesday a new cybersecurity framework called ThreatData. It’s a collection of systems for ingesting, analyzing and acting upon threat data that can vary greatly in both type and frequency.

    Large web sites like Facebook are constantly under attack from hackers and groups trying to spread malware, which means sites like Facebook gather a lot of data about what attacks look like and where they’re coming from. In order to help standardize its methods for collecting and analyzing all this data, Facebook built a new framework called ThreatData, which it detailed in a blog post on Tuesday afternoon.

  7. Tomi Engdahl says:

    Understanding Online Threats with ThreatData
    March 25, 2014 at 1:01pm
    https://www.facebook.com/notes/protect-the-graph/understanding-online-threats-with-threatdata/1438165199756960

    Here are some examples of feeds we have implemented:

    Malware file hashes from VirusTotal [0];

    Malicious URLs from multiple open source blogs and malware tracking sites;

    Vendor-generated threat intelligence we purchase;

    Facebook’s internal sources of threat intelligence; and

    Browser extensions for importing data as a Facebook security team member reads an article, blog, or other content.

    Maintaining accurate threat databases is great and can help answer challenging questions, but that’s only part of the challenge in protecting the graph. We also need to quickly and consistently address threats that come to our attention. To help us, we built a processor to examine ThreatDatum at the time of logging and act on each of these new threats.

    In a typical corporate environment, a single anti-virus product is deployed to all devices and used as a core defense. In reality, however, no single anti-virus product will detect all threats. Some vendors are great at detecting certain types of malware, while others can detect a wide array of threats but are more likely to mislabel them.

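
An added example, not Facebook’s ThreatData code: a small ingestion pipeline in the same shape, where feeds in different formats (a hash list, a defanged URL list from blogs, a vendor CSV) are normalized into one record type, deduplicated, and handed to a processor that decides an action as each datum is logged. The feed contents, source names, confidence values and action names are constructed for the example.

```python
import csv
import io
import re
from dataclasses import dataclass

HEX_HASH = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$")


@dataclass(frozen=True)
class ThreatDatum:
    """One normalized indicator, whatever feed it came from."""
    kind: str         # "hash" or "url"
    value: str        # normalized indicator text
    source: str       # feed name
    confidence: int   # 0-100, assigned per feed or read from the feed


def refang(url):
    """Undo the defanging common in public write-ups (hxxp, [.], [:])."""
    url = re.sub(r"^hxxp", "http", url.strip(), flags=re.IGNORECASE)
    return url.replace("[.]", ".").replace("[:]", ":").lower()


def parse_hash_feed(text, source, confidence):
    """One hash per line, '#' comments, mixed case allowed; junk is dropped."""
    out = []
    for line in text.splitlines():
        line = line.strip().lower()
        if line and not line.startswith("#") and HEX_HASH.match(line):
            out.append(ThreatDatum("hash", line, source, confidence))
    return out


def parse_url_feed(text, source, confidence):
    """One (possibly defanged) URL per line, '#' comments."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            out.append(ThreatDatum("url", refang(line), source, confidence))
    return out


def parse_vendor_csv(text, source):
    """Vendor feed with columns type,indicator,confidence."""
    out = []
    for row in csv.DictReader(io.StringIO(text)):
        kind = row["type"].strip().lower()
        value = row["indicator"].strip().lower()
        if kind == "url":
            value = refang(value)
        elif kind != "hash" or not HEX_HASH.match(value):
            continue   # unknown type or malformed hash: drop it
        out.append(ThreatDatum(kind, value, source, int(row["confidence"])))
    return out


def merge(data):
    """Deduplicate on (kind, value): keep the highest confidence seen and
    remember every source that reported the indicator."""
    merged, sources = {}, {}
    for d in data:
        key = (d.kind, d.value)
        sources.setdefault(key, set()).add(d.source)
        if key not in merged or d.confidence > merged[key].confidence:
            merged[key] = d
    return merged, sources


def process(datum, sources):
    """Run at logging time: pick an action for one new datum.  Corroboration
    by a second feed is treated like high confidence.  Action names are
    hypothetical."""
    trusted = datum.confidence >= 80 or len(sources) > 1
    if datum.kind == "hash":
        return "block_attachment" if trusted else "queue_for_review"
    return "add_to_url_blocklist" if trusted else "queue_for_review"


# Constructed feeds; nothing below is a real indicator.
HASH_FEED = """# constructed sample
0123456789abcdef0123456789abcdef
0123456789ABCDEF0123456789ABCDEF01234567
not-a-hash
"""
URL_FEED = """# constructed sample
hxxp://malware-example[.]test/dropper.exe
hxxp://phish-example[.]test/login
"""
VENDOR_CSV = """type,indicator,confidence
url,http://malware-example.test/dropper.exe,55
hash,0123456789abcdef0123456789abcdef,90
hash,zzz,10
"""


def run_pipeline():
    """Ingest all feeds and return {indicator: action}."""
    data = (parse_hash_feed(HASH_FEED, "hash-feed", 60)
            + parse_url_feed(URL_FEED, "osint-blog", 40)
            + parse_vendor_csv(VENDOR_CSV, "vendor-x"))
    merged, sources = merge(data)
    return {key[1]: process(d, sources[key]) for key, d in merged.items()}


if __name__ == "__main__":
    for indicator, action in run_pipeline().items():
        print(action, indicator)
```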
  8. Tomi Engdahl says:

    Chinese cops cuff 1,500 in fake base station spam raid
    Thousands of devices, hundreds of millions of unwanted texts
    http://www.theregister.co.uk/2014/03/26/spam_text_china_clampdown_police/

    China’s police have arrested over 1,500 people on suspicion of using fake base stations to send out mobile SMS spam.

    Mobile spam is a massive problem in China.

    Some 200 billion unwanted messages were sent in the country in the first half of 2013 alone.

    Fake base stations are becoming a particularly popular modus operandi.

    The pseudo-base station used could send out around 6,000 messages in just half an hour, the report said.

    Trend Micro highlighted the problem in a recent expose of the Mobile Cybercriminal Underground Market in China.

  9. Tomi Engdahl says:

    Encrypted Backup Solution “Home Paranoia Edition”
    http://www.linuxjournal.com/content/encrypted-backup-solution-home-paranoia-edition

    How to safeguard your personal data with TrueCrypt and SpiderOak.

    The first step is addressing the physical aspect of security.

    This article describes utilizing whole disk encryption to reduce some of the risks provided by a great open-source Linux operating system (Ubuntu 12.10). Whole disk encryption is a key factor, especially when considering all of the recent events concerning stolen government laptops that contained millions of social security numbers.

  10. Tomi Engdahl says:

    Advocates Seek ‘Smart Regulation’ of Surveillance Technology
    https://threatpost.com/advocates-seek-smart-regulation-of-surveillance-technology/104974

    The long shadow cast by the use of surveillance technology and so-called lawful intercept tools has spread across much of the globe and has sparked a renewed push in some quarters for restrictions on the export of these systems. Politicians and policy analysts, discussing the issue in a panel Monday, said that there is room for sensible regulation without repeating the mistakes of the Crypto Wars of the 1990s.

    The last couple of years have seen a major uptick in the use of surveillance technology by governments around the world. Researchers have found government agencies in many countries, including Egypt, Syria, Iran and others, using surveillance technology to identify and track dissidents, journalists and activists.

    Some politicians, especially in Europe, and privacy advocates have been calling for some regulation of the sale of such technologies.

    “There’s virtually no accountability or transparency, while the technologies are getting faster, smaller and cheaper,”

    “There has been a lot of skepticism about how to regulate and it’s very difficult to get it right. There are traumas from the Crypto Wars. Many of these companies are modern-day arms dealers. The status quo is unacceptable and criticizing every proposed regulation isn’t moving us forward.”

  11. Tomi Engdahl says:

    MIT Researchers Create Platform To Build Secure Web Apps That Never Leak Data
    http://yro.slashdot.org/story/14/03/26/0352201/mit-researchers-create-platform-to-build-secure-web-apps-that-never-leak-data

    “They’ve redesigned the entire approach to securing online data by creating Mylar, which builds and updates applications to keep data secure from server breaches with constant encryption during storage, only decrypting the data in the user’s browser.”

  12. Tomi Engdahl says:

    New Approach Could Stop Websites from Leaking or Stealing Your Data
    http://www.technologyreview.com/news/525651/new-approach-could-stop-websites-from-leaking-or-stealing-your-data/

    A system called Mylar makes it possible to build online services that can never decrypt or leak your data.

    Researcher Raluca Popa of MIT thinks many online services should and could be redesigned to guard against that. “Really, there’s no trusting a server,” she says. Popa has led the development of a system called Mylar for building Web services that puts that philosophy into practice. Services built using it keep data on their servers encrypted at all times and only ever decrypt it on a person’s computer.

    The idea of designing Web services that always keep data encrypted while it resides on their servers has been around for years, and researchers have developed tools to demonstrate how it might be done. But Popa says Mylar is more practical than previous efforts and could even be used to build services today.

  13. Tomi Engdahl says:

    Microsoft security advisory: Vulnerability in Microsoft Word could allow remote code execution
    https://support.microsoft.com/kb/2953095

    At this time, we are aware of limited, targeted attacks directed at Microsoft Word 2010. The vulnerability could allow remote code execution if a user opens a specially crafted RTF file using an affected version of Microsoft Word, or previews or opens a specially crafted RTF email message in Microsoft Outlook while using Microsoft Word as the email viewer. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.

    Fix it solution, “Disable opening RTF content in Microsoft Word,”

  14. Example says:

    I have learned a few excellent things here. Certainly worth bookmarking for revisiting. I am surprised at how much effort you put into creating one of these magnificent informative websites.

  15. Tomi Engdahl says:

    Bitcoin user loses $10K to typosquatters – tips to avoid opening your wallet to imposters
    http://nakedsecurity.sophos.com/2014/03/24/bitcoin-user-loses-10k-to-typosquatters/

    Last week, SophosLabs alerted us to a Bitcoin phish orchestrated by email.

    This week, they’ve pointed out a Bitcoin phish that relies on typosquatting.

    Typosquatting is where you register a domain that is close to the name of someone else’s site - and wait for users to stumble into your path because of minor typing mistakes.

    The outright imposters presented content that you would readily associate with the real site – brand deception, in other words – to convince you that you’d reached the right place.

    By the way, if you use a password manager to keep track of your passwords (and to pick strong passwords for you), you’ll enjoy some extra protection against imposter websites.

    The password manager won’t even offer to put a password in for you on a bogus site, because it won’t know what password it’s supposed to use!

    Before you log in, don’t forget/To check the site’s certificate.

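
An added example, not from the Sophos article: why a password manager’s exact-origin matching is what protects against the typosquatted sites described above, plus a lookalike check a defender can run over hostnames seen in their own logs or certificate transparency feeds. The vault entries and domain names are constructed.

```python
from urllib.parse import urlsplit

# Constructed vault: saved origin -> username.  A real manager stores the
# password too; only the lookup logic matters here.
VAULT = {
    "https://wallet-example.test": "alice",
    "https://exchange-example.test": "alice@example.test",
}


def origin_of(url):
    """Scheme + host, the key a password manager matches saved logins on.
    Userinfo, port, path and query are deliberately ignored."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.hostname:
        raise ValueError("absolute URL required")
    return f"{parts.scheme}://{parts.hostname.lower()}"


def credentials_for(url):
    """Return the saved username for this exact origin, or None.  A lookalike
    host, an http:// downgrade or a 'brand@evil' userinfo trick all miss, so
    the manager never offers the password on an imposter page."""
    return VAULT.get(origin_of(url))


def levenshtein(a, b):
    """Edit distance; a small value between two hostnames means a likely typo."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def find_lookalikes(observed_hosts, brand_host, max_distance=2):
    """Defender-side check: which observed hostnames could be mistaken for
    brand_host?  Flags near-misses (typos, digit-for-letter swaps) and hosts
    that embed the brand name inside a different domain."""
    brand = brand_host.lower()
    flagged = []
    for host in observed_hosts:
        h = host.lower().rstrip(".")
        if h == brand:
            continue                     # the genuine site itself
        if brand in h:
            flagged.append((host, "embeds brand"))
        else:
            distance = levenshtein(h, brand)
            if distance <= max_distance:
                flagged.append((host, "edit distance %d" % distance))
    return flagged


if __name__ == "__main__":
    for url in ("https://wallet-example.test/login",
                "https://wa11et-example.test/login",
                "https://wallet-example.test@wa11et-example.test/"):
        print(url, "->", credentials_for(url))
    print(find_lookalikes(["walet-example.test", "unrelated.test"], "wallet-example.test"))
```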
  16. Tomi Engdahl says:

    Toshiba Electronics Europe now says that its MQ01ABUxxxBW series of self-encrypting hard drives has U.S. FIPS 140-2 (Federal Information Processing Standard 140-2) validation.

    In contrast to hard drives encrypted by software, a self-encrypting drive (SED) encrypts data in the disk hardware at full speed. This also means that the encryption slows down disk activity.

    SED encryption cannot be deactivated. Wipe technology ensures that, if the disk is put somewhere else, all sensitive data is definitely wiped out.

    Toshiba’s new drives are available in 500 and 320 GB versions.

    Source: Elektroniikkalehti
    http://www.elektroniikkalehti.fi/index.php?option=com_content&view=article&id=1118:kiintolevyn-salaus-tayttaa-usa-n-hallinnon-vaatimukset&catid=13&Itemid=101

  17. Tomi Engdahl says:

    Rebooting the Full Disclosure List
    http://it.slashdot.org/story/14/03/26/1224243/rebooting-the-full-disclosure-list

    “A week ago, the venerable full-disclosure list was shut down; now, a successor has arisen run by fyodor.”

  18. Tomi Engdahl says:

    Arrest of secret-leaking ex-Microsoftie raises Hotmail privacy concerns (Updated)
    “We should not conduct a search… unless the circumstances would justify a court order.”
    http://arstechnica.com/tech-policy/2014/03/arrest-of-secret-leaking-ex-microsoftie-raises-hotmail-privacy-concerns/

    A former Microsoft employee has been arrested and is now facing accusations that he stole trade secrets from the software giant. Alex Kibkalo allegedly leaked pre-release updates for Windows RT and a Microsoft-internal Activation Server SDK to a French blogger.

    The blogger contacted the third party using a Hotmail account.

    The Microsoft investigation raises a potentially alarming privacy issue. The complaint says that TWCI asked Microsoft’s Office of Legal Compliance prior to reviewing the contents of the Hotmail inbox and that OLC authorized the request. The terms of service that cover the company’s online services do indicate that Microsoft reserves the right to access communications to protect the company’s rights and property and to turn over content to comply with valid legal requests.

  19. Tomi Engdahl says:

    Snowden: Big revelations to come, reporting them is not a crime
    Former leaker encourages companies to enable Web encryption.
    http://arstechnica.com/tech-policy/2014/03/snowden-big-revelations-to-come-reporting-them-is-not-a-crime/

    “What Boundless Informant tells us is more communications are being intercepted in America by Americans than in Russia by Russians.”

    “People should be able to pick up the phone and call their family, should be able to send a text message to their loved one, buy a book online, without worrying how this could look to a government possibly years in the future.”

    The NSA “intentionally misleads corporate partners,” he said. One program, Bull Run, targeted America’s own superstructure in dangerous ways, he said, after being dishonest to Internet companies.

    “The NSA has violated their own rules thousands of times in a single year—in one event they intercepted all the calls in Washington DC by accident.” Not only were there 2,776 abuses in 2011-12, he said, but the chairman of the US Senate Intelligence Committee had no idea that the rules were being broken thousands of times every year.

  20. Tomi Engdahl says:

    Speaking in Tech: GitHub users did WHAT to AWS’ backend?
    Biz data in a consumer cloud ain’t never going to be secure, folks
    http://www.theregister.co.uk/2014/03/26/speaking_in_tech_episode_102/

  21. Tomi Engdahl says:

    Passport PIN tech could have SAVED MH370 ID fraudsters
    Integrated keypad security? They’d never have made it onboard
    http://www.theregister.co.uk/2014/03/26/pin_pad_passports/

    A man who developed PIN code protection for credit cards is looking to extend the technology to passports as a way of making stolen credentials more difficult to use.

    In the paper, RFID/Proximity Card with PIN Code Protection, Cecil argues that his technology also protects against risks such as skimming.

    Cards used in either access control security or financial transactions can be used by the person that happens to be in possession. Lost or stolen cards cost the industry billions. The PIN code protection patent requires the user to input a PIN code and/or finger swipe into a numeric keypad on the card’s surface.

    “I’ve watched the technology on the payment card side since at least 2006 and it’s been really slow to develop,

  22. Tomi Engdahl says:

    EE BrightBox routers can be hacked ‘by simple copy/paste operation’
    WPA keys, ISP creds, MD5 hashes – all in plain view
    http://www.theregister.co.uk/2014/01/20/brightbox_routers_vuln/

    BrightBox routers supplied by UK telco EE as standard kit to its broadband and fibre customers are riddled with security shortcomings that make the devices hackable, a UK security researcher warns.

    A cache of sensitive traffic including ISP user credentials, WiFi SSIDs and WPA2 keys is kept in a file called cgi_status.js that can be accessed without logging into the device.

    “Security appears not to be a factor in the design of the device. It appears to be a case of only making it functional,”

  23. Tomi Engdahl says:

    Self-encrypting drive wipes itself out if breached
    http://www.electronics-eetimes.com/en/self-encrypting-drive-wipes-itself-out-if-breached.html?cmp_id=7&news_id=222920545

    Toshiba Electronics Europe’s MQ01ABUxxxBW series of self-encrypting drives (SED) has been validated to the FIPS 140-2 standard (the US Federal Information Processing Standard).

  24. Tomi Engdahl says:

    Distributed denial of service attacks are becoming more complex and more powerful. Popular among attackers have been reflection attacks. The latest trend is to use mobile devices as an offensive weapon. Finland has seen large DDoS attacks.

    “In Finland, there have been only a few massive distributed denial of service attacks. Their targets were caught with their pants down, and there have been problems on many levels,” says Pekka Sillanpää, Chief Technology Officer of security consulting company Nixu.

    Making a denial of service attack does not require IT expertise. A DDoS attack can be purchased from online criminals on a turnkey basis.

    The costs of a denial of service attack from the attacker’s and the defender’s points of view are heavily asymmetric. A frugal attacker can buy a publicly available do-it-yourself DDoS program for a hundred, create a botnet himself and cause the victim a million in expenses.

    Denial of service attack mitigation has grown into its own security specialty. There is a whole raft of devices and cloud services specially designed to combat denial of service attacks. Their use may have a deterrent effect: it is easier for the attacker to change target if the first strike is not working.

    “Perfect defenses can not be built. Risk can only be minimized, but not eliminated,”

    Distributed denial of service attacks most commonly target the network, transport and application layers of network traffic. The trend is to use attack methods on several layers at the same time, making defense difficult.

    Recently, attackers’ favorites have been the UDP-based application layer protocols NTP and DNS. Their popularity is explained by the fact that each is suitable for reflection attacks.

    “Malicious actors are starting to use mobile applications to well-orchestrated DDOS attack,”

    Source: Tietokone
    http://www.tietokone.fi/artikkeli/uutiset/dossaamisen_uhri_yllatetaan_usein_housut_kintuissa

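
An added example, not from the Tietokone article: detecting the NTP and DNS reflection traffic it describes from flow records. At the victim a reflection attack shows up as answers it never asked for: UDP flows from source port 123 or 53, from many different hosts, with large packets. The flow records and thresholds are constructed; the collection window length used for the rate estimate is an assumption.

```python
from collections import defaultdict

# UDP services whose answers are commonly bounced off open servers.
REFLECTIVE_SERVICES = {123: "ntp", 53: "dns"}

# Constructed flow records for one collection window:
# proto src_ip:src_port dst_ip:dst_port packets bytes
# 203.0.113.5 is hit from five NTP reflectors and four DNS reflectors;
# 203.0.113.9 only shows ordinary client traffic.
FLOWS = """\
UDP 198.51.100.10:123 203.0.113.5:41234 500 220000
UDP 198.51.100.11:123 203.0.113.5:41234 480 211200
UDP 198.51.100.12:123 203.0.113.5:41234 510 224400
UDP 198.51.100.13:123 203.0.113.5:41234 490 215600
UDP 198.51.100.14:123 203.0.113.5:41234 505 222200
UDP 192.0.2.20:53 203.0.113.5:7777 300 900000
UDP 192.0.2.21:53 203.0.113.5:7777 310 930000
UDP 192.0.2.22:53 203.0.113.5:7777 290 870000
UDP 192.0.2.23:53 203.0.113.5:7777 305 915000
UDP 198.51.100.10:123 203.0.113.9:123 1 76
UDP 192.0.2.20:53 203.0.113.9:51000 1 120
TCP 198.51.100.50:443 203.0.113.9:52000 40 30000
"""


def parse_flow(line):
    """Split one record into typed fields."""
    proto, src, dst, packets, nbytes = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"proto": proto, "src_ip": src_ip, "src_port": int(src_port),
            "dst_ip": dst_ip, "dst_port": int(dst_port),
            "packets": int(packets), "bytes": int(nbytes)}


def detect_reflection(flow_text, min_sources=3, min_avg_bytes=300, window_s=60):
    """Group inbound UDP flows by (destination, reflective service) and flag
    a group when many distinct reflectors send large packets.  A host's own
    NTP/DNS client traffic (one server, tiny packets) stays below both
    thresholds.  window_s is the assumed length of the collection window."""
    groups = defaultdict(lambda: {"sources": set(), "packets": 0, "bytes": 0})
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        f = parse_flow(line)
        service = REFLECTIVE_SERVICES.get(f["src_port"])
        if f["proto"] != "UDP" or service is None:
            continue
        g = groups[(f["dst_ip"], service)]
        g["sources"].add(f["src_ip"])
        g["packets"] += f["packets"]
        g["bytes"] += f["bytes"]

    per_victim = defaultdict(dict)
    for (victim, service), g in groups.items():
        avg = g["bytes"] / g["packets"]
        if len(g["sources"]) >= min_sources and avg >= min_avg_bytes:
            per_victim[victim][service] = {
                "reflectors": len(g["sources"]),
                "avg_packet_bytes": round(avg),
                "mbit_s": round(g["bytes"] * 8 / window_s / 1e6, 2),
            }

    # The article's point: the same target is often hit on several vectors
    # at once, which is harder to filter than a single-protocol flood.
    return {victim: {"vectors": sorted(services),
                     "multi_vector": len(services) > 1,
                     "detail": services}
            for victim, services in per_victim.items()}


if __name__ == "__main__":
    for victim, report in detect_reflection(FLOWS).items():
        print(victim, report)
```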
  25. Tomi Engdahl says:

    Research bods told: Try to ID anonymised data subjects? No more CASH for you
    Four mega UK funders make joint statement
    http://www.theregister.co.uk/2014/03/27/funding_threat_to_researchers_that_try_to_reidentity_people_behind_anonymised_data/

    Medical research funding bodies in the UK may withdraw support for projects where researchers attempt to work out the identity of individuals behind anonymised data without the subjects’ permission.

  26. Tomi Engdahl says:

    Meet the manic miner who wants to mint 10% of all new bitcoins
    1.4 million chips and 5,000 Raspberry Pis power absurdly large mining operation.
    http://arstechnica.com/information-technology/2014/03/meet-the-manic-miner-who-wants-to-mint-10-of-all-new-bitcoins/

    In a couple of large buildings near the Columbia River in Eastern Washington, where hydroelectricity is cheap and plentiful, Dave Carlson oversees what he says is one of the largest Bitcoin mining operations on the planet.

    At any given time, Carlson’s goal is to account for seven to 10 percent of the entire world’s Bitcoin mining as measured by processing or hashing power, he said.

    Carlson’s company, MegaBigPower, does the biggest portion of its mining on behalf of its primary investor, the BioInfoBank Institute in Poland. Carlson takes a cut in bitcoins and rents capacity to other people who want to mine without running their own hardware and software.

    “We surface about half of our US mining power as something you can purchase as a leased hash product,” he said.

  27. Tomi Engdahl says:

    Security for the ‘Internet of Things’ (Video)
    http://it.slashdot.org/story/14/03/26/1939203/security-for-the-internet-of-things-video

    What happens when your oven is on the Internet? A malicious hacker might be able to set it to broil while you’re on vacation, and get it so hot that it could start a fire. Or a prankster might set your alarm to wake you up at 3 a.m. – and what if someone gets access to the wireless security camera over your front door and uses it to gain access to the rest of your home network, and from there to your bank account? Not good.

  28. Tomi Engdahl says:

    Hackers target Monster.com users with Gameover Zeus malware
    Website needs two-factor authentication, says F-Secure
    http://www.theinquirer.net/inquirer/news/2336598/hackers-target-monstercom-users-with-gameover-zeus-malware

    HACKERS ARE TARGETING jobseekers and recruiters at Monster Jobs using Gameover Zeus malware, according to security firm F-Secure.

    F-Secure said the purpose of the attack remains unknown, though it is likely designed to target the accounts of HR departments using Monster.

    F-Secure said that the campaign could easily be dealt with if Monster adopted a more robust account authentication system.

    Two-factor authentication is an increasingly common security protocol for online service providers. Many companies including Tumblr, Twitter and Dropbox have added the feature over the past two years.

  29. Tomi Engdahl says:

    Cyber threats to Windows XP and guidance for Small Businesses and Individual Consumers
    http://blogs.technet.com/b/security/archive/2014/03/24/cyber-threats-to-windows-xp-and-guidance-for-small-businesses-and-individual-consumers.aspx

    It’s been well publicized that on April 8th, 2014 Microsoft discontinues product support for Windows XP. Released in 2001, the support policy for the life of Windows XP soon followed in October 2002.

    Many of the enterprise customers I’ve talked to recently have finished, or are in the process of finishing, technology projects that move their desktop computing environments from Windows XP to Windows 7 or Windows 8. However, I’ve also talked to some small businesses and individuals that don’t plan to replace their Windows XP systems even after support for these systems ends in April. In light of this, I want to share some of the specific threats to Windows XP-based systems that attackers may attempt after support ends, so that these customers can understand the risks and hopefully decide to immediately upgrade to a more secure version of Windows, or accelerate existing plans to do so.

    Reply
  30. Tomi Engdahl says:

    Taking Action to Stop Leaks
    http://blogs.blackberry.com/2014/03/blackberry-leaks/?utm_source=dlvr.it&utm_medium=twitter

    One of the most frustrating things for all of us at BlackBerry is when a critical and confidential project is reported in the media before we are ready to discuss it. Leaks are, at their best, distracting, and at their worst downright misleading to our stakeholders. The business implications of a leak are seldom advantageous.

    In some cases, the leaks reflect people’s genuine interest in BlackBerry.

    But, when curiosity turns to criminality, we must take strong action.

    Reply
  31. Tomi Engdahl says:

    ‘Malleability’ attacks not to blame for Mt. Gox’s missing bitcoins, study says
    http://www.pcworld.com/article/2114200/malleability-attacks-not-to-blame-for-mt-goxs-missing-bitcoins-study-says.html

    Fewer than 400 bitcoins could have been stolen from the Mt. Gox Bitcoin exchange using so-called transaction malleability attacks, according to a Swiss study—far less than the hundreds of thousands of bitcoins the company reported.

    Before trading stopped at the exchange on Feb. 25, Mt. Gox had blamed the transaction malleability issue when it suspended withdrawals of bitcoin to outside addresses.

    They found that only 302,700 bitcoins were involved in malleability attacks.

    “Of these, only 1,811 bitcoins were in attacks before MtGox stopped users from withdrawing bitcoins,” they wrote. “Even more, 78.64 percent of these attacks were ineffective. As such, barely 386 bitcoins could have been stolen using malleability attacks from MtGox or from other businesses.”

    Reply
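Transaction malleability, the mechanism the Swiss study measured, is easy to see once you know that a Bitcoin txid is a hash over the entire serialized transaction, scriptSig included, while the signature itself never covers the scriptSig. The block below is an added example, not code from the study, Mt. Gox or the article: it serializes a one-input, one-output legacy transaction with a constructed placeholder signature and public key, then re-encodes the same signature push with OP_PUSHDATA1 instead of a direct push. The stack contents and the spent outpoint are unchanged, but the txid is not. Matching a withdrawal by outpoint rather than by txid is the check that survives malleation.

```python
import hashlib
import struct


def sha256d(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def varint(n: int) -> bytes:
    """Bitcoin CompactSize; the example only needs small values."""
    if n < 0xfd:
        return bytes([n])
    if n <= 0xffff:
        return b"\xfd" + struct.pack("<H", n)
    raise ValueError("length beyond example scope")


def push_direct(data: bytes) -> bytes:
    """Minimal push: one length byte (1..75) followed by the data."""
    assert 1 <= len(data) <= 0x4b
    return bytes([len(data)]) + data


def push_pushdata1(data: bytes) -> bytes:
    """OP_PUSHDATA1 (0x4c): same data on the stack, different bytes in the script."""
    assert len(data) <= 0xff
    return b"\x4c" + bytes([len(data)]) + data


def pushed_items(script: bytes) -> list:
    """What the interpreter pushes, ignoring how each push was encoded."""
    items, i = [], 0
    while i < len(script):
        op = script[i]
        i += 1
        if 1 <= op <= 0x4b:
            n = op
        elif op == 0x4c:
            n = script[i]
            i += 1
        else:
            raise ValueError("example handles push opcodes only")
        items.append(script[i:i + n])
        i += n
    return items


def serialize_tx(prev_txid: bytes, prev_index: int, script_sig: bytes,
                 value: int, script_pubkey: bytes) -> bytes:
    """Legacy (pre-SegWit) serialization of a one-input, one-output transaction."""
    raw = struct.pack("<i", 1)                                             # version
    raw += varint(1) + prev_txid[::-1] + struct.pack("<I", prev_index)     # input count, outpoint
    raw += varint(len(script_sig)) + script_sig + struct.pack("<I", 0xffffffff)  # scriptSig, sequence
    raw += varint(1) + struct.pack("<q", value) + varint(len(script_pubkey)) + script_pubkey
    raw += struct.pack("<I", 0)                                            # locktime
    return raw


def txid(raw: bytes) -> str:
    """txid = double SHA-256 over the whole serialization, displayed byte-reversed."""
    return sha256d(raw)[::-1].hex()


def spent_outpoint(raw: bytes) -> tuple:
    """(prev txid, index) of the first input: independent of scriptSig encoding."""
    assert raw[4] < 0xfd, "example expects a one-byte input count"
    return raw[5:37][::-1].hex(), struct.unpack("<I", raw[37:41])[0]


# Constructed placeholders (assumption): a 71-byte "signature", a 33-byte "pubkey",
# a dummy previous txid and a P2PKH output script paying an all-zero hash.
SIG = bytes(range(1, 72))
PUBKEY = b"\x02" + bytes(32)
PREV_TXID = bytes.fromhex("11" * 32)
P2PKH = b"\x76\xa9\x14" + bytes(20) + b"\x88\xac"


def demonstrate() -> dict:
    sig_a = push_direct(SIG) + push_direct(PUBKEY)       # as the wallet broadcast it
    sig_b = push_pushdata1(SIG) + push_direct(PUBKEY)    # as a relaying node could rewrite it
    original = serialize_tx(PREV_TXID, 0, sig_a, 100_000, P2PKH)
    malleated = serialize_tx(PREV_TXID, 0, sig_b, 100_000, P2PKH)
    return {
        "txid_original": txid(original),
        "txid_malleated": txid(malleated),
        "same_stack": pushed_items(sig_a) == pushed_items(sig_b),
        "same_outpoint": spent_outpoint(original) == spent_outpoint(malleated),
    }


if __name__ == "__main__":
    for k, v in demonstrate().items():
        print(f"{k}: {v}")
```

Two caveats: the non-minimal push shown here is only one of the 2014-era malleation vectors (alternate DER encodings of the signature were another), and it is now rejected as non-standard by current node policy, while SegWit moved the signature out of the data the txid covers. The underlying lesson still holds for an exchange: a withdrawal that "disappeared" under its original txid may have confirmed under another one, so reconcile on the spent outpoint before re-sending funds.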
  32. Tomi Engdahl says:

    ICO plugs XSS vuln in its website. Only took watchdog FIVE YEARS
    ‘Nonchalant attitude’ shocks me, says blogger
    http://www.theregister.co.uk/2014/03/28/ico_xss_web_vulnerability/

    The Information Commissioner’s Office (ICO) has finally fixed a security bug on its website – five years after it was first notified to the data privacy watchdog.

    IT consultant Paul Moore first warned the ICO about a cross site scripting (XSS) problem on its website in 2009. The flaw meant it was possible to introduce arbitrary content under the control of hackers while presenting it as if it had originated from the ICO’s website, opening up the door to tricks that might be used to lend false authenticity to all manner of potential scams.

    “The ICO web site has anti-XSS measures in many places, but not all. They’ve clearly missed some,”

    Reply
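The "anti-XSS measures in many places, but not all" pattern is the usual cause of a reflected XSS bug like the one described above: output encoding applied per template rather than per context. The block below is an added example, not code from the ICO, Paul Moore or the article; the page-rendering functions, the probe marker and the URLs are assumptions for illustration. It puts a reflecting search page beside its hardened form, shows why an attribute carrying a URL needs a scheme allow-list as well as encoding, and includes the per-character probe a tester runs to find the spots that were missed.

```python
import html
from urllib.parse import urlsplit


def render_search_vulnerable(query: str) -> str:
    """Reflects the parameter into the page as-is: whatever the visitor's URL carries
    is served back as if it were the site's own markup."""
    return f"<p>Results for: {query}</p>"


def render_search_hardened(query: str) -> str:
    """Same page, with the untrusted value encoded for an HTML text context."""
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


ALLOWED_SCHEMES = {"http", "https"}


def safe_href(url: str) -> str:
    """Attribute context needs more than entity encoding: a javascript: URL survives
    html.escape untouched, so the scheme is allow-listed first, then the value encoded."""
    if urlsplit(url).scheme not in ALLOWED_SCHEMES:
        return "#"
    return html.escape(url, quote=True)


def render_link_hardened(url: str, label: str) -> str:
    return f'<a href="{safe_href(url)}">{html.escape(label, quote=True)}</a>'


PROBE_MARKER = "zq7xss"   # assumption: any string unlikely to occur in the page


def reflects_unescaped(render) -> set:
    """The check a tester runs per injection point: send each HTML metacharacter
    behind a unique marker and report the ones that come back raw."""
    return {ch for ch in '<>"\'' if PROBE_MARKER + ch in render(PROBE_MARKER + ch)}


if __name__ == "__main__":
    for name, page in (("vulnerable", render_search_vulnerable), ("hardened", render_search_hardened)):
        print(name, "reflects unescaped:", sorted(reflects_unescaped(page)))
```

Returning the set of characters rather than a yes/no answer matters in practice: a page that encodes `<` and `>` but not quotes is still exploitable wherever the value lands inside an attribute, and that is exactly the kind of partial coverage that survives for years.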
  33. Tomi Engdahl says:

    Google claims 84 percent of online news sites are hacked by governments
    Citizen journalists and bloggers also targeted
    http://www.theinquirer.net/inquirer/news/2336840/google-claims-84-percent-of-online-news-sites-are-hacked-by-governments

    THE COMPUTER SYSTEMS of news media organisations are a key target for state-sponsored hacking, according to a Google report.

    The study found that 21 of the world’s top 25 news organisations have been the targets of attacks by hackers within or working for governments.

    Over the past year, the Syrian Electronic Army has hacked a number of major news organisations including CNN, the Financial Times and the New York Times.

    Huntley also explained that the attacks are not limited to corporate servers but also target the accounts and computers used by bloggers and citizen journalists.

    Reply
  34. Tomi Engdahl says:

    ‘I like big butts and I cannot lie, hackers take Pinterest on a joyride’
    http://www.theregister.co.uk/2014/03/28/pinterest_hack/

    Miscreants have made an ass out of users of bewildering photo-sharing website Pinterest – by hijacking their accounts to flood the boards with butt pics.

    So it appears diet-pill spammers have moved on from joyriding the Twitter profiles of celebrities to the twee world of cats and cupcakes

    Reply
  35. Tomi Engdahl says:

    Philips Smart TVs wide open to Gmail cookie theft, other serious hacks
    Yes, you can use your TV to browse the Web, but are you sure you want to?
    http://arstechnica.com/security/2014/03/philips-smart-tvs-wide-open-to-gmail-cookie-theft-other-serious-hacks/

    Internet-connected TVs manufactured by Philips running the latest firmware update are wide open to browser cookie theft and other serious attacks by hackers within radio range, a security researcher has warned.

    The hacks work against Philips Smart televisions that have a feature known as Miracast enabled, Luigi Auriemma, a researcher with Malta-based ReVuln (Twitter handle @revuln), told Ars. Miracast allows TVs to act as Wi-Fi access points that nearby computers and smartphones can connect to so their screen output can be displayed on the larger set.

    Reply
  36. Tomi Engdahl says:

    Philips Smart TVs vulnerable to screen hijack, browser cookie theft, more
    http://www.techienews.co.uk/978607/philips-smart-tvs-vulnerable-screen-hijack-browser-cookie-theft/

    According to a video published by security research and solutions company ReVuln, Philips Smart TVs running the latest firmware could allow use of legitimate functions for malicious purposes. Features such as controlling the TV from another device, and transmitting video and audio to the TV could be exploited by unauthorised users.

    Reply
  37. Tomi Engdahl says:

    Business data at risk as 10m devices lost in a year
    http://www.mobile-ent.biz/industry/market-data/business-data-at-risk-as-10m-devices-lost-in-a-year/043295

    With more private data being stored on phones, tablets and laptops, the consequence of losing them has worsened.

    Over the last year, almost ten million mobile devices containing sensitive business data have been lost in Britain, reports EE.

    19 per cent of employees who have lost a device said they lost it on a work night out, whereas 16 per cent left it on public transport. Most commonly, devices are left in taxis or public toilets.

    With devices holding more data and more important content, due to the increase in BYOD and in business-owned gadgets, it is becoming an even bigger risk to misplace a phone or leave a laptop in a pub.

    Reply
  38. Tomi Engdahl says:

    Report: Kill switch would save consumers up to 2.6 billion per year

    A smartphone kill switch could save US consumers up to 2.6 billion dollars (1.8 billion euros) a year, a recent report says.

    According to William Duckworth, an associate professor at Creighton University in the US, the majority of the savings would come from spending less on insurance premiums.

    Duckworth estimates that Americans spend 580 million dollars (421 million euros) a year buying new phones to replace stolen ones and 4.8 billion dollars (3.4 billion euros) on phone insurance.

    A kill switch allows a lost or stolen phone to be rendered inoperative. If the feature were mandatory, an estimated half of consumers would switch to a lower-cost insurance policy.

    U.S. law enforcement officials and politicians have put pressure on operators to make the kill switch possible.

    Source: Tietoviikko
    http://www.tietoviikko.fi/kaikki_uutiset/raportti+tappokytkin+saastaisi+kuluttajilta+jopa+26+miljardia+vuodessa/a978411

    Reply
  39. Tomi Engdahl says:

    Malware In A Mouse
    http://hackaday.com/2014/03/30/malware-in-a-mouse/

    Keyloggers, in both hardware and software forms, have been around for a long, long time. More devious keyloggers are smart enough to ‘type’ commands into a computer and install Trojans, back doors, and other really nasty stuff. What about mice, though?

    As it turns out, yes, breaking into a computer with nothing but a USB mouse is possible.

    When a certain pattern of gray and grayer pixels appears, it triggers a command to download a file from the Internet.

    Reply
  40. Tomi Engdahl says:

    ‘A’ for Angela Merkel: GCHQ and NSA Targeted Private German Companies
    http://www.spiegel.de/international/germany/gchq-and-nsa-targeted-private-german-companies-a-961444.html

    Documents show that Britain’s GCHQ intelligence service infiltrated German Internet firms and America’s NSA obtained a court order to spy on Germany and collected information about the chancellor in a special database. Is it time for the country to open a formal espionage investigation?

    Reply
  41. Tomi Engdahl says:

    How Dropbox Knows When You’re Sharing Copyrighted Stuff (Without Actually Looking At Your Stuff)
    http://techcrunch.com/2014/03/30/how-dropbox-knows-when-youre-sharing-copyrighted-stuff-without-actually-looking-at-your-stuff/

    If you know what “file hashing against a blacklist” means, feel free to skip the rest of this post. Dropbox checks the hash of a shared file against a banned list, and blocks the share if there’s a match.

    Reply
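The scheme the article describes, "file hashing against a blacklist", has an obvious edge: a whole-file hash matches only an exact copy, so a single changed byte slips through. The block below is an added example, not Dropbox's code or anything from the article; the blocklisted content is a constructed byte string. It goes one step beyond the article by adding a fixed-size chunk-hash variant (my extension, not something the article attributes to Dropbox) to show what that buys and what it still misses.

```python
import hashlib

CHUNK = 16  # bytes; tiny so the example is readable, real systems use far larger chunks


def file_hash(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def chunk_hashes(data: bytes, size: int = CHUNK) -> set:
    """Hashes of fixed-size slices; the last slice may be short."""
    return {hashlib.sha256(data[i:i + size]).hexdigest() for i in range(0, len(data), size)}


def share_blocked_whole(data: bytes, blocklist: set) -> bool:
    """The scheme the article describes: one hash per file, block on an exact match."""
    return file_hash(data) in blocklist


def share_blocked_chunked(data: bytes, chunk_blocklist: set, min_hits: int = 1) -> bool:
    """Block when at least min_hits chunks of the upload match blocklisted chunks."""
    return len(chunk_hashes(data) & chunk_blocklist) >= min_hits


# Constructed stand-in for a blocklisted file (assumption: no real content involved).
ORIGINAL = b"Constructed stand-in for a blocklisted file: not a real movie, only bytes."


def demonstrate() -> dict:
    whole = {file_hash(ORIGINAL)}
    chunks = chunk_hashes(ORIGINAL)
    return {
        # exact copy: caught by the whole-file hash
        "exact_copy_blocked": share_blocked_whole(ORIGINAL, whole),
        # one byte appended: whole-file hash no longer matches
        "appended_byte_blocked_whole": share_blocked_whole(ORIGINAL + b"\x00", whole),
        # ... but every full chunk still matches
        "appended_byte_blocked_chunked": share_blocked_chunked(ORIGINAL + b"\x00", chunks),
        # one byte prepended: every chunk boundary shifts, fixed-size chunks all miss
        "prepended_byte_blocked_chunked": share_blocked_chunked(b"\x00" + ORIGINAL, chunks),
    }


if __name__ == "__main__":
    for k, v in demonstrate().items():
        print(f"{k}: {v}")
```

The last result is the caveat a practitioner wants: fixed-size chunking survives an append but not an insertion that shifts the data, which is why deduplication and content-matching systems use content-defined chunking or perceptual hashes when evasion by trivial edits matters. None of that requires the service to look at what the content is, which is the article's point.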
  42. Tomi Engdahl says:

    Exclusive: Mt. Gox faced questions on handling client cash long before crisis
    http://www.reuters.com/article/2014/03/30/us-bitcoin-mtgox-idUSBREA2T01T20140330

    Two years before Mt. Gox filed for bankruptcy, a half dozen employees at the Tokyo-based bitcoin exchange challenged CEO Mark Karpeles over whether client money was being used to cover costs, according to three people who participated in the discussion.

    The question of how Mt. Gox handled other people’s money – the issue raised by staff in the showdown with Karpeles in early 2012 – remains crucial to unraveling a multi-million dollar mystery under examination by authorities in Japan.

    Reply
  43. Tomi Engdahl says:

    What the IRS Bitcoin Tax Guidelines Mean For You
    http://www.coindesk.com/irs-bitcoin-tax-guidelines-mean/

    The US Internal Revenue Service finally announced its guidance for virtual currencies yesterday, explicitly referring to bitcoin

    US businesses wanting to get involved in bitcoin have been waiting for this for a while.

    Well, now, that’s official: in its guidance, the IRS has said that bitcoin should be treated as property, making it subject to capital gains tax. That has significant ramifications for different kinds of businesses and individuals dealing in bitcoin.

    Miners that produce their own bitcoins are now subject to two different tax charges. They must include the fair market value of the virtual currency on the day that it is mined into their gross income.

    Another stipulation in the IRS guidance is that capital gains are due on the sale of bitcoins viewed as a capital asset.

    The exchanges themselves may have a tougher time of it, though

    He suggests that exchanges may now have to file such a form describing every transaction made by a client. For some high-volume clients, this could run into hundreds of trades each year. Are bitcoin exchanges, which haven’t been legally bound to do this, ready for the administrative burden?

    Reply
  44. Tomi Engdahl says:

    US to strengthen privacy rights for Euro bods’ personal data transfers
    Makes commitment under ‘Safe Harbour’ framework
    http://www.theregister.co.uk/2014/03/31/united_states_safe_harbour_personal_data_transfers_europe/

    The US will take steps before the summer to comprehensively strengthen the “Safe Harbour” framework that helps facilitate some transfers of personal data to the US from the EU.

    It follows a threat from the European Parliament to veto any future trade agreement between the EU and US unless safeguards for EU citizens’ privacy rights were improved by the US.

    EU data protection laws prevent companies from sending personal data outside of the European Economic Area (EEA) unless “adequate protections” have been put in place or in circumstances where the destination country has been pre-approved as having adequate data protection. Only a handful of countries, including Argentina, Canada and Switzerland, but not including the US, are deemed by the European Commission to provide adequate protection.

    Reply
  45. Tomi Engdahl says:

    Mt Gox staff tried to warn CEO of Bitcoin loss risks – reports
    Fears over ‘customer funds covering operating costs’ says Reuters
    http://www.theregister.co.uk/2014/03/31/staff_tried_to_warn_bitcoin_ceo_of_risks_reports/

    Reply
  46. Tomi Engdahl says:

    Google’s Public DNS intercepted in Turkey
    Saturday, March 29, 2014 4:45 PM
    Posted by Steven Carstensen, Software Engineer
    http://googleonlinesecurity.blogspot.fi/2014/03/googles-public-dns-intercepted-in-turkey.html

    We have received several credible reports and confirmed with our own research that Google’s Domain Name System (DNS) service has been intercepted by most Turkish ISPs (Internet Service Providers).

    Turkish ISPs have set up servers that masquerade as Google’s DNS service.

    Reply
  47. Tomi Engdahl says:

    That the US and other nations operate spy satellites capable of taking very detailed photographs of Earth is not in doubt.

    Also a well-established fact is that the US imaging satellite operators like DigitalGlobe are prevented from letting the public access the highest-resolution photographs their craft can capture. Those restrictions are made by the US government and DigitalGlobe appealed against them in September 2013.

    The Committee understands that a commercial data provider has requested licensing approval to collect and sell on the open market, electro-optical imagery with a ground sample distance of 0.25-meter.

    The Committee is concerned that foreign commercial imagery providers may soon be able to provide imagery at or better than the currently allowed commercial U.S. resolution limit of 0.5 meters.

    Perhaps DigitalGlobe’s fleet can do even better than .25 metre resolution. If it can, it is entirely reasonable to assume it would be shared with the US’s partners in the “Five Eyes” intelligence-sharing alliance

    For what it is worth, it is known that the US government rents satellites. In 2013 it even leased a Chinese satellite, according to US News.

    Source: http://www.theregister.co.uk/2014/03/21/mh370_flight_satellite_photos/

    Reply
  48. Tomi Engdahl says:

    Obama outlines replacement for NSA bulk data collection
    Two degrees of separation makes Kevin Bacon world’s safest man
    http://www.theinquirer.net/inquirer/news/2336919/obama-outlines-replacement-for-nsa-bulk-data-collection

    US PRESIDENT BARACK OBAMA has outlined plans for ending the Section 215 metadata programme that has seen the US National Security Agency (NSA) collecting petabytes of data on US citizens’ telephone calls and text messages.

    The new legislation will have to go before Congress, and that will take time.

    Reply
  49. Tomi Engdahl says:

    Crack team of cyber warriors arrives to SAVE UK from grid-crippling HACK ATTACKS
    National CERT goes live today
    http://www.theregister.co.uk/2014/03/31/cert_uk_launch/

    EU cyber security agency ENISA recently called for better data sharing and interoperability among European CERTs. Information sharing between senior techies with management positions in universities and the banking sector is not controversial. However, wider sharing of information is a politically fraught notion, as demonstrated by controversy over the US Cyber Intelligence Sharing and Protection Act (CISPA).

    Reply
