Security trends for 2014

2014 will be a year of cybersecurity after the NSA revelations of 2013: the headline news is that the NSA has surreptitiously “burrowed its way into nearly all the security architecture” sold by the world’s largest computer networking companies. A lot of people were shocked at how the NSA monitored and hacked almost everything on the Internet. There will still be NSA aftershocks as new material comes out and different parties react to it (and news sources write about it). U.S. cloud services have been put into question for good reason. There will be a lot of NSA spying litigation. Those spying issues will also fuel some hacktivism (it has already started to happen).

The article Security Professionals: Top Cyber Threat Predictions for 2014 lists the following predictions, which seem pretty probable: Cybersecurity Regulatory Efforts Will Spark Greater Need for Harmonization, Service-Impacting Interruptions for Online Services Will Persist, We Will See an Increase in Cybercrime Activity Related to the World Cup, Rise of Regional Cloud Services, Dev-Ops Security Integration Fast Becoming Critical, Cybercrime that Leverages Unsupported Software will Increase, Increase in Social Engineering and Ransomware will Impact More People.

Ubiquitous mobile computing is all around us, which will lead to increased risks and concerns about social network privacy. Social networks have quickly become the key organizing principle of Internet communication and collaboration. Android anti-virus apps CAN’T kill nasties on sight like normal AV.

2013 was a heavily hacked year, with many cases where information on millions or tens of millions of users was stolen from companies. It’s likely that we will see much more of the same in 2014: the way people use passwords and the way on-line services are built have not changed much in one year.


Gartner predicts that through 2014, improved JavaScript performance will begin to push HTML5 and the browser as a mainstream enterprise application development environment. I expect HTML5-related security issues to increase as the technology is used more in 2014.

Over 50% of net traffic to web sites is made by bots! The article More Than Half of Internet Traffic Is Just Bots says that security and cloud service provider Incapsula analyzed traffic and found that more than 60 percent of internet traffic is computer generated, compared to less than 40 percent driven by human clicks. 31% of bots are still malicious. SEO link building has always been a major motivation for automated link spamming, but it is decreasing because Google was able to discourage it. There is more advanced hacking and automatic vulnerability searching.

DDoS attacks are evolving from volumetric Layer 3-4 attacks to much more sophisticated and dangerous Layer 7 multi-vector threats.

There will still be many SCADA security issues in 2014. Even though traditional SCADA vulnerabilities have become easier to find, the increased connectivity brought by IoT will cause new issues. And there will still be very many control systems openly accessible from the Internet to practically everybody who knows how to find them. A large number of SCADA systems were found open on the Internet in the beginning of 2013, and the numbers have not dropped considerably during the year. I expect that very many of those systems will still be too open at the end of 2014.

The Internet is expanding into enterprise assets and consumer items such as cars and televisions. The Internet of Things (IoT) will evolve into the Web of Things, increasing the coordination between things in the real world and their counterparts on the Web. There will be many security issues to solve, and as these systems become more widely used, more security issues will be found in them.

Cloud security will be talked about. Hopefully there will be some clean-up of the terminology in that area, because cloud security can mean a lot of things, just like the term cloud computing. Cloud security could mean how secure your cloud provider is, a service that runs in the cloud filtering what comes through it (for example e-mails, web traffic), a product protecting some service running in the cloud, or a traditional anti-virus service that connects to the cloud to advance its operation (for example updating in real time, verifying unknown programs based on data in the cloud). Research firm Gartner forecasts that cloud security sales will increase dramatically in the next few years. Cloud security sales have increased over the past year by 2.1 billion to $3.1 billion in 2015.

Marketers try to put the “cloud” term into security product brochures as much as they can. The cloud has made traditional information security sound old-fashioned, because companies are under pressure to move services to the cloud. Also, mobile devices and dispersed users set new standards for information security. OpenDNS’s CTO Dan Hubbard says that “Because the data and equipment run in the cloud, the cloud is the best way to protect users.” The Snowden Effect will also bring PRIVATE cloud talk to the table this year for security reasons, because U.S. cloud services have been put into question for good reason.

In Finland a new Cyber Security Center started in the beginning of 2014. Security articles and warnings from it will be published at kyberturvallisuuskeskus.fi.

Late addition: Crypto-currencies like Bitcoin and similar are on the rise. Early adopters already use them actively. Those crypto-currencies have many security issues related to them. The values of the crypto-currencies vary quite a lot, and the value easily drops considerably when they get so used that different governments try to limit their use. Bitcoin is increasingly used as a ransomware payment method. Bitcoins have been stolen quite a lot lately (and I expect that to increase as usage increases), and they are stolen from users, on-line wallets and exchanges. When more money is involved, more bad guys try to get in to get some of it. Sometimes bad guys do not try to steal your money, but use resources you pay for (your own PC, your server capacity, etc.) to generate money for them without you knowing about it. If you plan to use those crypto-currencies, be careful to understand what you are doing with them; there is a real possibility that you can lose your money, and there is no way that lost money can be recovered.

3,382 Comments

  1. Tomi Engdahl says:

    23-Year-Old X11 Server Security Vulnerability Discovered
    http://tech.slashdot.org/story/14/01/08/1421235/23-year-old-x11-server-security-vulnerability-discovered

    “The issue is a possible stack buffer overflow that could lead to privilege escalation to root and affects all versions of the X Server back to X11R5. After the vulnerability being in the code-base for 23 years, it was finally uncovered via the automated cppcheck static analysis utility.”

    Reply
  2. Tomi Engdahl says:

    http://cppcheck.sourceforge.net/

    Cppcheck is a static analysis tool for C/C++ code. Unlike C/C++ compilers and many other analysis tools it does not detect syntax errors in the code. Cppcheck primarily detects the types of bugs that the compilers normally do not detect. The goal is to detect only real errors in the code (i.e. have zero false positives).

    Reply
  3. Tomi Engdahl says:

    Shambolic search for new head of EU privacy watchdog halted
    Candidates not up to scratch – position will be left vacant from 16 Jan
    http://www.theregister.co.uk/2014/01/08/eu_data_protection_supervisor_candidates_unsuitable_for_role/

    A seven-month long search for a new European Data Protection Supervisor (EDPS) has ended chaotically, after five candidates who were shortlisted for the job failed to meet Brussels’ strict criteria, The Register has learned.

    2014 is seen as something of a crunch year for data protection in Europe with elections coming up.

    Reply
  4. Tomi Engdahl says:

    Bitcoin Woos Washington to Ensure Lawmakers Don’t Kill It
    http://www.bloomberg.com/news/2014-01-08/bitcoin-woos-washington-to-ensure-lawmakers-don-t-kill-it.html

    Bitcoin advocates entered Washington a year ago with the shadow of a federal criminal investigation cast over the virtual currency industry.

    Their first mission: Win over, or at least not alarm, the U.S. Treasury Department’s Financial Crimes Enforcement Network, called Fincen.

    “Our first reaction, particularly when I was on the law enforcement side, when we had something new was ‘Huge risk! Huge risk for money laundering. It’s bad!’” Fincen Director Jennifer Shasky Calvery said in an interview this week. “But we’re the Department of the Treasury, we can’t have that knee-jerk of a response.”

    “As a rapidly growing hub for technology and venture capital, New York has every interest in building on the promise that technologies like Bitcoin have to revolutionize payment systems, or even form the building blocks for whole new technology platforms,” Schumer said during a Nov. 19 hearing.

    The currency’s rapid rise in value, from about $13 per Bitcoin in January 2013 to about $840 yesterday, according to the CoinDesk Bitcoin Price Index, also is helping to push it onto Washington’s radar.

    Reply
  5. Tomi Engdahl says:

    DoS attacks that took down big game sites abused Web’s time-sync protocol
    Never-before-seen technique abused the Network Time Protocol to worsen effects.
    http://arstechnica.com/security/2014/01/dos-attacks-that-took-down-big-game-sites-abused-webs-time-synch-protocol/

    Miscreants who earlier this week took down servers for League of Legends, EA.com, and other online game services used a never-before-seen technique that vastly amplified the amount of junk traffic directed at denial-of-service targets.

    Rather than directly flooding the targeted services with torrents of data, an attack group calling itself DERP Trolling sent much smaller-sized data requests to time-synchronization servers running the Network Time Protocol (NTP).

    A spoofed request containing eight bytes will typically result in a 468-byte response to victim,

    “Prior to December, an NTP attack was almost unheard of because if there was one it wasn’t worth talking about,” Shawn Marck, CEO of DoS-mitigation service Black Lotus, told Ars. “It was so tiny it never showed up in the major reports. What we’re witnessing is a shift in methodology.”

    The technique is in many ways similar to the DNS-amplification attacks waged on servers for years.

    During the first week of the year, NTP reflection accounted for about 69 percent of all DoS attack traffic by bit volume, Marck said. The average size of each NTP attack was about 7.3 gigabits per second, a more than three-fold increase over the average DoS attack observed in December.

    Black Lotus recommends network operators follow several practices to blunt the effects of NTP attacks. They include using traffic policers to limit the amount of NTP traffic that can enter a network, implementing large-scale DDoS mitigation systems, or opting for service-based approaches that provide several gigabits of standby capacity for use during DDoS attacks.

    Reply
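The reflection arithmetic in the comment above (an 8-byte spoofed request drawing a 468-byte reply) is what a network operator's monitoring has to catch before the traffic policers the article recommends can be tuned. The following is an added example, not code from the Ars Technica article or from Black Lotus: it computes the amplification factor and scans a set of constructed flow records for hosts that are receiving far more UDP/123 reply traffic than they ever requested. The flow format, the two thresholds and all IP addresses are assumptions made for this example.

```python
"""Spot NTP reflection/amplification traffic in flow records.

Added example (not from the article): flags hosts that receive a volume of
UDP/123 replies out of proportion to any NTP queries they sent. The flow
records below are constructed for the example; the thresholds are assumed.
"""
from collections import defaultdict
from dataclasses import dataclass

NTP_PORT = 123
NORMAL_NTP_PACKET = 48            # a plain NTP v3/v4 packet is 48 bytes
RESPONSE_TO_QUERY_RATIO = 10.0    # tolerate some ordinary asymmetry
MIN_SUSPECT_BYTES = 100_000       # ignore tiny flows entirely


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    packets: int
    byte_count: int


# Constructed sample: 10.0.0.9 is a normal client syncing its clock;
# 10.0.0.5 receives 468-byte NTP "replies" it never asked for.
SAMPLE_FLOWS = [
    Flow("10.0.0.9", 50123, "203.0.113.10", NTP_PORT, 2, 96),        # query
    Flow("203.0.113.10", NTP_PORT, "10.0.0.9", 50123, 2, 96),        # reply
    Flow("198.51.100.20", NTP_PORT, "10.0.0.5", 80, 400, 187200),    # 468 B/pkt
    Flow("198.51.100.21", NTP_PORT, "10.0.0.5", 80, 350, 163800),
    Flow("198.51.100.22", NTP_PORT, "10.0.0.5", 443, 300, 140400),
]


def amplification_factor(request_bytes: int, response_bytes: int) -> float:
    """Bandwidth amplification: reply size divided by request size."""
    return response_bytes / request_bytes


def find_ntp_reflection_victims(flows):
    """Return {victim_ip: report} for hosts that look like reflection targets."""
    sent_to_ntp = defaultdict(int)    # bytes each host sent to port 123
    recv_from_ntp = defaultdict(int)  # bytes each host received from port 123
    pkts_from_ntp = defaultdict(int)
    reflectors = defaultdict(set)
    for f in flows:
        if f.dst_port == NTP_PORT:
            sent_to_ntp[f.src_ip] += f.byte_count
        if f.src_port == NTP_PORT:
            recv_from_ntp[f.dst_ip] += f.byte_count
            pkts_from_ntp[f.dst_ip] += f.packets
            reflectors[f.dst_ip].add(f.src_ip)

    victims = {}
    for host, rx in recv_from_ntp.items():
        if rx < MIN_SUSPECT_BYTES:
            continue
        tx = sent_to_ntp.get(host, 0)
        avg_pkt = rx / pkts_from_ntp[host]
        # A real client sends roughly as much as it receives and gets 48-byte
        # replies; a reflection victim gets large replies it never requested.
        if (rx > RESPONSE_TO_QUERY_RATIO * max(tx, NORMAL_NTP_PACKET)
                and avg_pkt > 2 * NORMAL_NTP_PACKET):
            victims[host] = {
                "bytes_received": rx,
                "avg_reply_bytes": round(avg_pkt, 1),
                "reflectors": sorted(reflectors[host]),
            }
    return victims


if __name__ == "__main__":
    print("amplification factor for 8 -> 468 bytes:", amplification_factor(8, 468))
    for ip, report in find_ntp_reflection_victims(SAMPLE_FLOWS).items():
        print(ip, report)
```

Real NetFlow or IPFIX exports map onto the same Flow records; the two thresholds trade sensitivity for false positives, and the reflector list is the input for the per-source NTP policing the article recommends.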
  6. Tomi Engdahl says:

    Blackhole Exploit Kit Successor Years Away
    http://yro.slashdot.org/story/14/01/08/2315258/blackhole-exploit-kit-successor-years-away

    “The Blackhole Exploit Kit has been out of commission since October when its alleged creator, a hacker named Paunch, was arrested in Russia. The kit was a favorite among cybercriminals”

    “a viable successor has yet to emerge – and experts believe one will not in the short term.”

    Reply
  7. Tomi Engdahl says:

    Viable Blackhole Successor Could Take Years to Emerge
    http://threatpost.com/viable-blackhole-successor-could-take-years-to-emerge/103492

    “There are many kit vendors and distributors competing for customers and have replaced Blackhole,” explained Kaspersky Lab senior security researcher Kurt Baumgartner. “Over time, a single one most likely will stand out, but that can take a couple of years, like any active criminal marketplace.”

    In the meantime, experts are keeping an eye on any number of kits in circulation, each with its own twist on the same business model: Selling website injections for Java, Adobe and other massively deployed products that are vulnerable to exploits that will redirect victims to websites hosting financial malware.

    Reply
  8. Tomi Engdahl says:

    The Year in NSA
    http://threatpost.com/the-year-in-nsa/103329

    rather than trying to rank the NSA revelations on any sort of scale, we’ve put together an admittedly simplified list of some of the more interesting NSA-related stories to emerge in 2013.

    Least Surprising NSA Capability: Breaking/Subverting Crypto

    Most Surprising NSA Capability: Defeating the Collective Security Prowess of Silicon Valley

    Most Interesting People to Emerge From the NSA Story: Jacob Appelbaum and Matthew Green

    Reply
  9. Tomi Engdahl says:

    As Yahoo makes encryption standard for email, weak implementation seen
    The company’s HTTPS implementation still needs some improvements, an SSL expert said
    http://www.itworld.com/security/399071/yahoo-makes-encryption-standard-email-weak-implementation-seen

    January 08, 2014, 8:38 AM — Yahoo has started to automatically encrypt connections between users and its email service, adding an important security layer that rival Gmail has had for almost four years, but its implementation needs work, according to at least one security expert.

    Yahoo Mail had support for full-session HTTPS — SSL/TLS encryption over HTTP

    “Anytime you use Yahoo Mail — whether it’s on the web, mobile web, mobile apps, or via IMAP, POP or SMTP — it is 100% encrypted by default and protected with 2,048 bit certificates,” said Jeff Bonforte, senior vice-president of communication products at Yahoo, in a blog post. “This encryption extends to your emails, attachments, contacts, as well as Calendar and Messenger in Mail.”

    While this is a great step, the company’s HTTPS implementation appears to be inconsistent across servers and even technically insecure in some cases

    For example, some of Yahoo’s HTTPS email servers use RC4 as the preferred cipher with most clients. “RC4 is considered weak, which is why we advise that people either don’t use it, or if they feel they must, use it as a last resort,” Ristic said.

    Other servers, like login.yahoo.com, primarily use the AES cipher, but do not have mitigations for known attacks like BEAST and CRIME, the latter targeting a feature called TLS compression that login.yahoo.com still has enabled.

    Google’s SSL configuration for Gmail supports forward secrecy since 2011 and Facebook and Twitter have also implemented it.

    Because of various theoretical and practical attacks demonstrated against SSL in recent years, security experts also recommend the use of ciphers that function in Galois/Counter Mode (GCM). These are only available in TLS 1.2, the latest version of the protocol, but not all of Yahoo’s servers support TLS 1.2.

    Reply
  10. Tomi Engdahl says:

    Google Ports Capsicum To Linux, and Other End-of-Year Capsicum News
    http://tech.slashdot.org/story/14/01/08/1635210/google-ports-capsicum-to-linux-and-other-end-of-year-capsicum-news

    “Security researcher Robert Watson at the University of Cambridge has posted a blog article describing recent progress on the Capsicum security model, which will shortly appear in FreeBSD 10.0 enabled by default, and has now been ported to Linux by Google, who have posted patches with the intent to upstream to the Linux kernel.”

    Reply
  11. Tomi Engdahl says:

    Why I want Bitcoin to die in a fire
    http://www.antipope.org/charlie/blog-static/2013/12/why-i-want-bitcoin-to-die-in-a.html

    I want Bitcoin to die in a fire: this is a start, but it’s not sufficient.

    Like all currency systems, Bitcoin comes with an implicit political agenda attached. Decisions we take about how to manage money, taxation, and the economy have consequences: by its consequences you may judge a finance system. Our current global system is pretty crap, but I submit that Bitcoin is worst.

    For starters, BtC is inherently deflationary.

    Bitcoin is designed to be verifiable (forgery-resistant) but pretty much untraceable, and very easy to hide.

    But there are a number of huge down-sides. Here’s a link-farm to the high points:

    Mining BtC has a carbon footprint from hell (as they get more computationally expensive to generate, electricity consumption soars).

    Bitcoin mining software is now being distributed as malware because using someone else’s computer to mine BitCoins is easier than buying a farm of your own mining hardware.

    Bitcoin violates Gresham’s law: Stolen electricity will drive out honest mining. (So the greatest benefits accrue to the most ruthless criminals.)

    Bitcoin’s utter lack of regulation permits really hideous markets to emerge

    It’s also inherently damaging to the fabric of civil society.

    To editorialize briefly, BitCoin looks like it was designed as a weapon intended to damage central banking and money issuing banks, with a Libertarian political agenda in mind—to damage states’ ability to collect tax and monitor their citizens’ financial transactions.

    Reply
  12. Tomi Engdahl says:

    Own encryption solves the cloud storage security concerns

    Taking data security seriously, especially nowadays has to consider the double-own files to store a public cloud service like Dropbox. In theory, the files are encrypted, but in practice, guests can access the files.

    Some public cloud services may be used, provided that your own files are encrypted before uploading to the cloud.

    Encrypting individual files and folders is a tedious way and at the same time eats part of the cloud computing benefits, such as easy access to your files on mobile devices.

    Fortunately, the task is finished, there are applications that add an extra layer of security within the cloud, and which operate on mobile devices.

    One of the most popular is the Boxcryptor https://www.boxcryptor.com/en

    The application is offered in both free and paid version. The free version supports basic features such as file encryption, secure sharing, and mobile versions of the application. The free version is limited to a single user to select the cloud

    Source: Tietoviikko
    http://www.tietoviikko.fi/uutisia/oma+salaus+ratkaisee+pilvitallennuksen+tietoturvahuolet/a958178

    Reply
  13. Tomi Engdahl says:

    Experts: No need to stress about mobile payment

    The smartphone banking application is safer to use than a laptop PC internet banking machine – at least for now, say experts.

    The reason is that the mobile phone applications are separated from each other, especially on the iPhone and Windows operating systems.

    “Applications do not necessarily communicate with each other. Another application cannot connect to the mobile banking application,” says F-Secure security expert Sean Sullivan.

    Smart mobile banking is used through a separate application, which each bank plans for itself.

    Notebooks, in turn, are used for online banking through the browser. You may have other activities and sites in use at the same time.

    Browser on the server side of the program is easier to sneak in e-banking context.

    “The good thing about mobile banking is the fact that it is more difficult for the attacker to make hostile applications,” says senior security consultant Pekka Sillanpää from Nixu.

    Sillanpää points out that in the world of mobile applications the security situation can be even worse, especially if the key is not used, for example, lists of numbers. Namely, the mobile applications themselves cause new types of threats if they are not taken into account in the right way.

    Android is more vulnerable to attack, as the app stores used do not test all of the applications which can be downloaded to Android phones, as opposed to the iPhone and Windows Phone. Android is an open operating system, unlike its competitors.

    According to experts, cyber criminals are not currently interested in smartphones, because the use of banking services is low.

    Sillanpää admits that there is also a risk that some banks do not have time to thoroughly test these new applications in the haste, in which case security vulnerabilities may remain in them.

    “No bank will willfully neglect security.”

    Source: Kauppalehti
    http://www.kauppalehti.fi/etusivu/asiantuntijat+turha+stressata+kannykkamaksamisesta/201401597531

    Reply
  14. Tomi Engdahl says:

    Bitcoin hit by the ban in China

    Virtual currency Bitcoin is facing another headwind in China.

    The Financial Times reports that the Chinese e-commerce giant Alibaba has banned the adoption of the Bitcoin network includes online shops.

    Bitcoin has been a relatively popular currency specifically in China, and two of the leading Chinese bitcoin exchanges are responsible for up to 60 percent of the world’s bitcoin commerce.

    Source: Tietoviikko
    http://www.tietoviikko.fi/uutisia/bitcoinkielto+iski+kiinaan/a958123

    Reply
  15. Tomi Engdahl says:

    Yahoo malware turned European computers into bitcoin slaves
    http://www.theguardian.com/technology/2014/jan/08/yahoo-malware-turned-europeans-computers-into-bitcoin-slaves

    Search firm remains silent on how its ad servers infected Windows PCs of visitors to homepage

    As many as two million European users of Yahoo may have received PC malware from virus-laden ads served by its homepage over a four-day period last week.

    Some of the malware would turn PCs into bitcoin miners – a huge drain on its computing resources – without users’ knowledge. Yahoo has been criticised for not saying how many people could be affected or doing anything to help those with the malware, which attacked flaws in Java modules on systems.

    In a statement, Yahoo said: “From December 31 to January 3 on our European sites, we served some advertisements that did not meet our editorial guidelines – specifically, they spread malware.” Users in North America, Asia Pacific and Latin America weren’t affected, Yahoo said. Nor were users of Apple Macs or mobile devices.

    According to Light Cyber, a security research firm which warned Yahoo of the attacks in late December, one of the malware programs delivered in the attack turned the victim’s computer into a bitcoin miner.

    Yahoo has been criticised for not doing more to aid users infected by the faulty adverts

    “The attack focused on outdated software,” says Steve Regan of security site CSO. “The only way for the exploits to work is to have outdated versions of Java on your system. If Java is up to date, then the odds are, you’re safe. However, I don’t trust Java, so unless you absolutely need it, my advice is to uninstall it from your system. It seems like I see more zero-day attacks aimed at Java than anything else, the risk isn’t worth it for me.” Zero-day attacks exploit previously unreported flaws in software to install malware or take over a computer.

    As well as the bitcoin mining malware, other software installed includes ZeuS, which attempts to steal banking information; Andromeda, which turns the computer into part of a “botnet” for use by third parties, and “adjacking” malware which hijacks the user’s browser to click on adverts, thus channeling income to corrupt site owners.

    Bitcoin is fast becoming a tool of choice for malware developers. As well as directly using compromised computers to mine for new coins, software such as ZeuS lets criminals install Cryptolocker, a dangerous new type of malware which first encrypts the user’s files and then demands a ransom, payable in bitcoin, to decrypt them. In most versions of Cryptolocker, the ransom is set at two bitcoins, currently worth around $2,000.

    Bitcoin is so valuable to botnet owners, criminals who control large numbers of compromised computers, that one academic paper argues that the security of the network is permanently at risk.

    Reply
  16. Tomi Engdahl says:

    Online Privacy Could Spark U.S.-EU Trade Rift
    French, Spanish Fines Against Google Are Latest Flare-Ups in Trans-Atlantic Disagreement
    http://online.wsj.com/news/article_email/SB10001424052702304361604579291041878017398-lMyQjAxMTA0MDAwODEwNDgyWj

    Knowing what Europeans like Rémi Boulle bought for Christmas could spark the next trans-Atlantic trade battle.

    Mr. Boulle, a 39-year-old math professor in the southwestern French city of Toulouse, shopped online for toys for his two little children—and says he was stalked afterward by toy ads, a common technique known as “retargeting.”

    “It bothers me,” Mr. Boulle said. “I don’t want to be someone who is permanently followed around.”

    Now Europeans are punching back.

    France on Wednesday fined Google Inc. €150,000 ($204,000) for privacy violations, following a similar €900,000 fine in Spain last month

    In Europe, some politicians see personal data as a new natural resource from which European companies should profit. Others see privacy laws as a bulwark against tyranny. Both camps are reluctant to let U.S. companies transfer personal information—such as Web-browsing patterns or purchase histories—without guarantees that the U.S. will enforce the same privacy rules as the European Union does.

    “There’s a definite danger that data flows in and out of Europe could be restricted,” said Adam Schlosser of the U.S. Chamber of Commerce, a business-lobby group. “We’re hoping cooler heads prevail.”

    The next several months could help determine the outcome.

    To keep information flows open, the U.S. and the EU hashed out the Safe Harbor framework, which was approved by the EU in 2000 and is now under scrutiny. Under the agreement, which drew fire even then, U.S. companies can move data out of Europe provided they commit to principles such as giving users the ability to opt out of collection and limiting collection to “relevant” information.

    Reply
  17. Tomi Engdahl says:

    Well done for flicking always-on crypto switch, Yahoo! Now here’s what you SHOULD have done
    Securobods: Webmail provider’s HTTPS move too little, too late
    http://www.theregister.co.uk/2014/01/09/yahoo_always_on_crypto_unstrong/

    “Yahoo’s announcement that it has enabled HTTPS encryption for all Yahoo Mail users is not only too little too late, but also quite troubling,” Beardsley explained. “It appears that Yahoo! is not supporting PFS (Perfect Forward Secrecy). This means that an adversary can record the encrypted session, and if they later get Yahoo’s private key, they can still decrypt the session.”

    “In other words, an attacker can’t decrypt the session today because they don’t have the private key. But in the future, ‘retrospective decryption’ is possible by getting a hold of that private key through an exploit on the webmail provider’s servers, a weakness on the cipher itself, webmail operator cooperation, or through the power of a court-issued warrant.”

    Applying Perfect Forward Secrecy – a technology applied by Google, Facebook, and Twitter is their comparable HTTPS implementations – gets around this problem. With PFS, another encrypted session happens before the HTTPS session starts, using temporary keys that aren’t used for anything else. Beardsley adds: “Even if an attacker got a hold of that temporary key, it’s only good for that session and that session only. They’d have to recover a new, unique key for every session they decrypt.”

    Reply
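The two comments above on Yahoo’s HTTPS rollout (the ITworld piece on RC4, BEAST, CRIME and TLS 1.2/GCM support, and this one on forward secrecy) together describe the checks an operator should run on their own configuration. The following is an added example, not code from either article or from Yahoo: it grades OpenSSL-style cipher-suite names for RC4, forward secrecy and AEAD, and builds a Python ssl context that applies the fixes (TLS 1.2 minimum, TLS compression disabled, ECDHE plus AEAD suites only). The SAMPLE_SUITES list is constructed to mirror the findings quoted above; the grading rules and the exact cipher string are my choices, not the articles’.

```python
"""Audit a TLS cipher-suite preference list and build a hardened context.

Added example (not from the articles): the grading rules below encode the
three complaints quoted above - RC4, missing forward secrecy, and CBC-era
suites without AEAD - and hardened_server_context() applies the remedies.
"""
import ssl

# Constructed: the kind of preference list the articles criticise.
SAMPLE_SUITES = [
    "RC4-SHA",                      # RC4 preferred: weak
    "AES128-SHA",                   # RSA key exchange: no forward secrecy, CBC
    "ECDHE-RSA-AES128-GCM-SHA256",  # forward secret and AEAD: acceptable
    "DHE-RSA-AES256-SHA",           # forward secret, but CBC with SHA-1 MAC
]


def grade_suite(name: str) -> dict:
    """Classify one OpenSSL-style cipher suite name by its components."""
    parts = name.split("-")
    forward_secret = parts[0] in ("ECDHE", "DHE")
    aead = any(p in parts for p in ("GCM", "CHACHA20", "CCM"))
    problems = []
    if "RC4" in parts:
        problems.append("RC4 is weak")
    if not forward_secret:
        problems.append("no forward secrecy: a leaked private key decrypts recorded sessions")
    if not aead:
        problems.append("not AEAD: CBC suites carry the BEAST/Lucky13 history")
    return {"suite": name, "forward_secret": forward_secret,
            "aead": aead, "problems": problems}


def audit(suites):
    """Split a preference list into (acceptable, rejected) suite names."""
    ok, bad = [], []
    for s in suites:
        (bad if grade_suite(s)["problems"] else ok).append(s)
    return ok, bad


def hardened_server_context() -> ssl.SSLContext:
    """Server context that removes every weakness the audit looks for."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2    # GCM suites need TLS 1.2+
    ctx.options |= ssl.OP_NO_COMPRESSION             # closes the CRIME vector
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE   # server order wins
    # Only ephemeral-ECDH key exchange with AEAD ciphers; RC4 and anonymous
    # suites explicitly excluded.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!RC4")
    return ctx


def context_is_hardened(ctx: ssl.SSLContext) -> bool:
    """Verify the context against the same rules used in grade_suite()."""
    names = [c["name"] for c in ctx.get_ciphers()]
    # TLS 1.3 suites (named TLS_...) are always forward secret and AEAD;
    # check the TLS 1.2 ones by name.
    tls12 = [n for n in names if not n.startswith("TLS_")]
    return (
        ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
        and bool(ctx.options & ssl.OP_NO_COMPRESSION)
        and not any("RC4" in n for n in names)
        and all(not grade_suite(n)["problems"] for n in tls12)
    )


if __name__ == "__main__":
    ok, bad = audit(SAMPLE_SUITES)
    print("acceptable:", ok)
    print("rejected:", bad)
    for s in bad:
        print(" ", s, "->", "; ".join(grade_suite(s)["problems"]))
    print("hardened context passes audit:", context_is_hardened(hardened_server_context()))
```

The audit works on names rather than on a live server so it runs offline; pointing a real scanner at a host and feeding its negotiated suite into grade_suite() gives the same verdict the articles reached for the RC4 and non-PFS servers.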
  18. Tomi Engdahl says:

    A quarter of British and Canadian businesses want their data taken out of U.S., according to Peer1
    http://gigaom.com/2014/01/08/a-quarter-of-british-and-canadian-businesses-want-their-data-taken-out-of-u-s-according-to-peer1/

    Summary: The cloud provider, which has infrastructure in the U.S., Canada and Britain, says last year’s NSA revelations are starting to hit home.

    The NSA’s shenanigans are having a very real effect on businesses’ data storage decisions, according to Canadian cloud and hosting provider Peer1.

    The company surveyed 300 businesses in the UK and Canada and discovered that 25 percent intended to move their company data out of the United States over NSA fears. U.S. laws compel any company located there to give intelligence agencies access to customer data if they ask for it.

    Reply
  19. Tomi Engdahl says:

    Cisco, Dell, HP, IBM and EMC have most to lose in China post NSA-gate: Report
    http://gigaom.com/2014/01/09/cisco-hp-ibm-and-emc-have-most-to-lose-in-china-post-nsa-gate-report/

    Summary:
    A new Sanford Bernstein research note susses out the potential damage to U.S. tech companies — especially in China — in the wake of Edward Snowden’s disclosures.

    “While spying has occurred across many companies, governments and corporations, we believe U.S. technology companies face the most revenue risk in China by a wide margin, followed by Brazil and other emerging markets.

    The degree of risk faced by U.S. providers in China depends on how much domestic competition they face.

    Reply
  20. Tomi Engdahl says:

    Security Experts Call For Boycott of RSA Conference In NSA Protest
    http://it.slashdot.org/story/14/01/09/1311231/security-experts-call-for-boycott-of-rsa-conference-in-nsa-protest

    “‘Though boycotting the conference won’t have a big impact on EMC’s bottom line, the resulting publicity will,’ says Dave Kearns. ‘Security is hard enough without having to worry that our suppliers — either knowingly or unknowingly — have aided those who wish to subvert our security measures.’”

    Reply
  21. Tomi Engdahl says:

    Borrowers Hit Social-Media Hurdles
    Regulators Have Concerns About Lenders’ Use of Facebook, Other Sites
    http://online.wsj.com/news/article_email/SB10001424052702304773104579266423512930050-lMyQjAxMTA0MDAwODEwNDgyWj

    WASHINGTON—More lending companies are mining Facebook, Twitter and other social-media data to help determine a borrower’s creditworthiness or identity, a trend that is raising concerns among consumer groups and regulators.

    looking at potential problems such as whether applicants put the same job information on their loan application as they posted on LinkedIn, or if they shared on Facebook that they had been let go by an employer.

    A small business that draws negative reviews on eBay also could undermine its chances of getting more credit, lending companies say.

    The practice is being used largely by startups that grant smaller loans, but the concept seems likely to spread.

    “There could come a time where certain social media could be predictive and we’re looking at that, but it isn’t yet,” said Anthony Sprauve, senior consumer-credit specialist at FICO.

    Regulators are watching the trend and trying to determine whether to police financial institutions’ use of online data in credit scoring, officials say.

    Reply
  22. Tomi Engdahl says:

    Senior managers are the worst information security offenders
    http://www.net-security.org/secworld.php?id=16176

    As companies look for solutions to protect the integrity of their networks, data centers, and computer systems, an unexpected threat is lurking under the surface—senior management.

    According to a new survey, 87% of senior managers frequently or occasionally send work materials to a personal email or cloud account to work remotely, putting that information at a much higher risk of being breached.

    the survey also found that 58% of senior management reported having accidentally sent the wrong person sensitive information, compared to just 25% of workers overall.

    Corporate managers also put their companies at risk of intellectual property loss if and when they depart the company. Fifty-one percent of senior management and 37% of mid-level management admit to taking job-related emails, files, or materials with them when they have left past employers. Only one-fifth of lower ranking employees have done so.

    The survey found that senior leaders in general believe their own security efforts are inadequate:

    Nearly half (45%) of senior management acknowledge that the C-suite and senior leadership themselves are responsible for protecting their companies against cyber-attacks.
    Yet, 52% of this same group indicated they are falling down on the job, rating corporate America’s ability to respond to cyber-threats at a “C” grade or lower.
    Rank-and-file workers differ in their opinions about cyber security accountability, with 54% of those respondents saying IT professionals are responsible for putting the right safeguards in place.

    Reply
  23. Tomi Engdahl says:

    Late last year, malware that held a computer’s files hostage and demanded money from the victim received a lot of attention. There are fears that the situation will get significantly worse this year, as a new threat is just around the corner.

    The most famous and popular of these programs is CryptoLocker, which is thought to be run by a single criminal gang.

    Another similar extortion program (ransomware), known as PrisonLocker, is now emerging, and it may be much worse.

    PrisonLocker will apparently become available for any cyber-criminal to purchase and use.

    Source: Tietoviikko
    http://www.tietoviikko.fi/uutisia/varo+ilkean+cryptolockerin+ilkeampi+seuraaja+tulossa/a958511

    Reply
  24. Tomi Engdahl says:

    Hacker risk: cars’ internet connectivity creates serious threats, claims security company

    Internet connectivity in car information systems gives hackers the opportunity to tamper with the car’s information system and, through it, with the computers that govern the car’s functioning, technology company Harman warned at the CES trade show.

    For example, a 3-series BMW is equipped with 35 computers, the ECUs that control the car’s functions and systems. A 7-series BMW may have up to 140. It is clear what opportunities for tampering with these computers open up to a hacker who can gain access to them by intruding into the car’s information system.

    Harman says the problem is already serious. Car information systems and the devices and computers that control connected vehicle functions were not designed with networking in mind. Security is therefore weak and there are hardly any obstacles to intrusions.

    Source: Tietoviikko
    http://www.tietoviikko.fi/uutisia/hakkerit+vaarana+autojen+nettiyhteys+luo+vakavia+uhkakuvia+vaittaa+turvafirma/a958574

    Reply
  25. Tomi Engdahl says:

    Modern cars at serious risk from computer hackers
    http://www.autoexpress.co.uk/car-news/85154/modern-cars-serious-risk-computer-hackers

    Car hacking is already a “serious problem”

    A car like a BMW 3 Series has around 35 ECUs, according to Harman, the company, which develops connectivity services for many manufacturers. With a high-end model like the 7 Series, the number of ECUs can be as high as 140.

    “It is already a serious problem,” says Harman’s president of infotainment, Sachin Lawande. “The infrastructure of many cars was not designed with networking in mind.

    “Now that they are connected to the internet their level of exposure is very different. A cyber attacker can take control of critical vehicle functions, and unless we can make them secure the increasing levels of connectivity are going to make it worse.”

    Harman is developing a software barrier as part of its next-generation infotainment platform that will not prevent hackers from accessing in-car connectivity features but will stop them from being able to attack the vital ECUs.

    It is an industry-first solution and is likely to be seen in 2016 or 2017 because of the time it takes for carmakers to introduce major model changes.

    Reply
  26. Tomi Engdahl says:

    “Anti-Google” usage exploded due to spying stir

    In 2013, over one billion searches were made on DuckDuckGo.
    DuckDuckGo, the privacy-focused search engine, served over 1bn searches in 2013 after a huge surge in interest following the Snowden revelations. It is an ‘anti-Google’, which searches the web without tracking or monitoring the user.

    Until Edward Snowden’s files detailing the extent of state surveillance, the search engine received around 1.5m queries per day. But in the weeks and months following the Guardian’s publication of the NSA files, the number of users more than doubled.

    By November, more than 4 million people were using the site every day, and on Tuesday 7 January the site had its biggest day so far, serving 4,452,957 queries in a 24-hour period.

    DuckDuckGo’s pitch to users is a sort of anti-Google. The site doesn’t store personal information, including searches, and keeps it safe from third parties by enabling encryption by default.

    Google began encrypting all searches by default in September 2013, too late to prevent DuckDuckGo’s post-Prism gains, but users still have to jump through hoops to stop the site storing their own searches. By default, any user signed in to their Google account has their search terms saved to the site’s Web History feature, and the site also logs user searches separately, “to prevent spam and abuse and to improve our services”.

    Sources:
    http://www.theguardian.com/technology/2014/jan/09/anonymous-search-tool-duckduckgo-1bn-queries-2013-google
    http://www.tietoviikko.fi/kaikki_uutiset/quotantigooglenquot+kaytto+rajahti+vakoilukohun+takia+miljardi+hakua+vuonna+2013/a958580
    https://duck.co/blog/friends-newsletter-45

    Reply
  27. Tomi Engdahl says:

    Obama Readies Revamp of NSA
    President Leans Toward Extending Privacy Protections to Noncitizens and Restructuring Spy Agency’s Phone-Data Program
    http://online.wsj.com/news/article_email/SB10001424052702303754404579311051971481812-lMyQjAxMTA0MDAwOTEwNDkyWj

    President Barack Obama is leaning toward extending broad privacy protections to non-U.S. citizens and is seriously considering restructuring the National Security Agency program that collects phone-call data of nearly all Americans, officials familiar with the process said on Thursday.

    Mr. Obama plans to unveil these and other changes to surveillance programs as soon as next week, the officials said.

    Reply
  28. Tomi Engdahl says:

    The Grand Experiment Goes Live: Overstock.com Is Now Accepting Bitcoins
    http://www.wired.com/business/2014/01/overstock-bitcoin-live/

    Overstock.com is now accepting payments in bitcoin, making it the first major online retailer to embrace the increasingly popular but controversial digital currency.

    Reply
  29. Tomi Engdahl says:

    Singapore bucks the trend and welcomes Bitcoin, laying out tax rules for the virtual currency
    http://thenextweb.com/asia/2014/01/09/singapore-bucks-the-trend-and-welcomes-bitcoin-laying-out-tax-rules-for-the-virtual-currency/#!rRFW0

    Governments all over the world have either been rejecting Bitcoin as a legitimate currency or issuing warnings about the use of it — including India, Norway and South Korea just last month, following in the footsteps of statements from the central bank in China and Thailand in July.

    However, Singapore has bucked the trend by recognizing Bitcoin trading and laying out taxation rules governing transactions made in the virtual currency.

    Reply
  30. Tomi Engdahl says:

    The Bitcoin-Mining Arms Race Heats Up
    http://www.businessweek.com/printer/articles/176685-the-bitcoin-mining-arms-race-heats-up

    Bitcoin is the digital currency that thrills nerds, inspires libertarians, and incites the passions of economists who debate the value of money made from nothing but ones and zeroes. Devotees watch the fluctuations of Bitcoin’s price with a fanaticism typically reserved for college football scores. Alternative currency startups are being lavishly funded by venture capitalists while visionaries gush about the world-changing possibilities of money free from government control. Silicon Valley is the natural center for Bitcoin mania. An advocacy group named Arisebitcoin recently put up 40 billboards around the Bay Area with messages such as: “The Revolution has started … where do you stand?”

    As with an actual precious metal, Bitcoins are in limited supply—they must be “mined.”

    Over the past six months the price of a Bitcoin has shot up, dived, shot up again—and kept on rising, making Bitcoin mining one of the most frenzied corners in technology.

    The Bitcoin system was introduced in 2008 by a shadowy figure who went by the name of Satoshi Nakamoto. To this day no one knows if Nakamoto is a man or a woman or some sort of cabal

    As the currency has gathered momentum, miners have piled in. But, because Nakamoto’s puzzles are designed to get more difficult over time, solving them requires ever-escalating computing capacity. It’s an ingenious trick

    They dream of building a system free from the narrow interests of governments or the wealthy, allowing individuals greater freedom to move their capital around, whether it’s to avoid credit card fees, shop anonymously, or evade repressive regimes.

    The fear is that an organization with piles of capital and not much idealism can buy enough computational might to corner the market and box out the individual miner. That may already be happening: Websites such as Bitcoin Watch that track the total computing power of miners have started to show large, mysterious spikes in capacity.

    Reply
  31. Tomi Engdahl says:

    NSA and GCHQ activities appear illegal, says EU parliamentary inquiry
    http://www.theguardian.com/world/2014/jan/09/nsa-gchq-illegal-european-parliamentary-inquiry

    Civil liberties committee report demands end to indiscriminate collection of personal data by British and US agencies

    Mass surveillance programmes used by the US and Britain to spy on people in Europe have been condemned in the “strongest possible terms” by the first parliamentary inquiry into the disclosures, which has demanded an end to the vast, systematic and indiscriminate collection of personal data by intelligence agencies.

    The inquiry by the European parliament’s civil liberties committee says the activities of America’s National Security Agency (NSA) and its British counterpart, GCHQ, appear to be illegal and that their operations have “profoundly shaken” the trust between countries that considered themselves allies.

    The draft by Moraes, a Labour MEP, describes some of the programmes revealed by Snowden over the past seven months – including Prism, run by the NSA, and Tempora, which is operated by GCHQ. The former allows the NSA to conduct mass surveillance on EU citizens through the servers of US internet companies.

    The European commissioner Viviane Reding says the Safe Harbor scheme is flawed and may need to be frozen.

    She wants to make it harder for the big US internet servers and social media providers to transfer European data to third countries. She also wants to subject the firms to EU law rather than secret American court orders.

    Reply
  32. Tomi Engdahl says:

    Light Cyber First to Detect, Protect Customers from New Bitcoin-Related Malware
    http://www.prnewswire.com/news-releases/light-cyber-first-to-detect-protect-customers-from-new-bitcoin-related-malware-238879491.html

    Light Cyber’s MAGNA detected breaches from new Bitcoin mining malware some four days before the campaign became widely known, proving the system’s superiority in detecting and containing breaches from unknown malware early in the attack life cycle

    Reply
  33. Tomi Engdahl says:

    Malicious advertisements served via Yahoo
    Posted on January 3, 2014 by joostbijl
    http://blog.fox-it.com/2014/01/03/malicious-advertisements-served-via-yahoo/

    Clients visiting yahoo.com received advertisements served by ads.yahoo.com. Some of the advertisements are malicious

    Upon visiting the malicious advertisements users get redirected to a “Magnitude” exploit kit via an HTTP redirect to seemingly random subdomains
    All those domains are served from a single IP address: 193.169.245.78. This IP-address appears to be hosted in the Netherlands.

    This exploit kit exploits vulnerabilities in Java and installs a host of different malware including:
    ZeuS
    Andromeda
    Dorkbot/Ngrbot
    Advertisement clicking malware
    Tinba/Zusy
    Necurs

    Based on a sample of traffic we estimate the number of visits to the malicious site to be around 300k/hr. Given a typical infection rate of 9% this would result in around 27,000 infections every hour. Based on the same sample, the countries most affected by the exploit kit are Romania, Great Britain and France.

    It is unclear which specific group is behind this attack, but the attackers are clearly financially motivated and seem to offer services to other actors.

    Yahoo is aware of the issue and looking into it

    Reply
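    A detection pass over proxy-log lines for the malvertising chain described in the Fox-IT post above, added here as an example and not code from Fox-IT, Yahoo or the original post. Rule 1 matches the one hard indicator the post gives, the exploit-kit IP 193.169.245.78; rule 2 is a heuristic of my own for the “seemingly random subdomains” reached by redirect from ads.yahoo.com. The log format, the host names, the sample lines and every non-indicator IP address are constructed assumptions.

```python
"""Scan proxy-log lines for the Yahoo malvertising chain described in the
Fox-IT post. Added example, not Fox-IT's or Yahoo's code.

The only page-derived indicator is the exploit-kit IP 193.169.245.78. The
log format, host names and all other IP addresses are constructed for this
example (non-indicator addresses come from documentation ranges).
"""
import re
from typing import Dict, List, Optional, Set

# Indicator quoted in the Fox-IT post: every exploit-kit subdomain was
# served from this single IP address.
EXPLOIT_KIT_IP = "193.169.245.78"

# Constructed, simplified proxy-log format (an assumption, not a real product):
#   <time> <client_ip> <method> <url> <status> <dest_ip> referer=<url-or-->
LOG_RE = re.compile(
    r"^(?P<time>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<dest_ip>\S+) referer=(?P<referer>\S+)$"
)
HOST_RE = re.compile(r"^https?://([^/:]+)")

# Constructed sample traffic: client 10.1.2.3 follows an ad into the exploit
# kit (landing page, then the Java payload); client 10.1.2.5 is redirected to
# a random-looking host for which we hold no IP indicator; 10.1.2.9 browses
# normally, including a legitimate ad click-through.
SAMPLE_LOG = """\
2014-01-03T10:00:01Z 10.1.2.3 GET http://ads.yahoo.com/ad?id=42 302 192.0.2.10 referer=http://www.yahoo.com/
2014-01-03T10:00:01Z 10.1.2.3 GET http://xqk7pz.example-ads.net/land.html 200 193.169.245.78 referer=http://ads.yahoo.com/ad?id=42
2014-01-03T10:00:02Z 10.1.2.3 GET http://xqk7pz.example-ads.net/java.jar 200 193.169.245.78 referer=http://xqk7pz.example-ads.net/land.html
2014-01-03T10:00:05Z 10.1.2.5 GET http://b3rn8lq.example-ads.net/land.html 200 203.0.113.77 referer=http://ads.yahoo.com/ad?id=13
2014-01-03T10:00:06Z 10.1.2.9 GET http://www.yahoo.com/ 200 192.0.2.10 referer=-
2014-01-03T10:00:07Z 10.1.2.9 GET http://shop.example.com/ 200 198.51.100.5 referer=http://ads.yahoo.com/ad?id=7
"""


def host_of(url: str) -> str:
    """Lower-cased host part of an http(s) URL; '' for '-' or junk."""
    m = HOST_RE.match(url)
    return m.group(1).lower() if m else ""


def looks_random(label: str) -> bool:
    """Crude heuristic (my assumption, not a rule from the post): a DNS label
    of six or more characters that mixes letters and digits, or that has no
    vowel at all, is treated as machine-generated."""
    if len(label) < 6:
        return False
    has_digit = any(c.isdigit() for c in label)
    has_alpha = any(c.isalpha() for c in label)
    no_vowel = not any(c in "aeiou" for c in label.lower())
    return (has_digit and has_alpha) or no_vowel


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one log line into a dict; None when the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["host"] = host_of(rec["url"])
    rec["ref_host"] = host_of(rec["referer"])
    return rec


def scan(log_text: str) -> List[Dict[str, str]]:
    """One alert per suspicious request.

    Rule 1: any request answered from the exploit-kit IP (exact indicator).
    Rule 2: a request referred by ads.yahoo.com that lands on a non-Yahoo
            host whose leftmost DNS label looks random.
    """
    alerts: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["dest_ip"] == EXPLOIT_KIT_IP:
            alerts.append({"client": rec["client"], "url": rec["url"],
                           "rule": "known-exploit-kit-ip"})
            continue
        host = rec["host"]
        is_yahoo = host == "yahoo.com" or host.endswith(".yahoo.com")
        if (rec["ref_host"] == "ads.yahoo.com" and not is_yahoo
                and looks_random(host.split(".")[0])):
            alerts.append({"client": rec["client"], "url": rec["url"],
                           "rule": "random-subdomain-from-ad-redirect"})
    return alerts


def affected_clients(log_text: str) -> Set[str]:
    """Client addresses that should be pulled for incident response."""
    return {a["client"] for a in scan(log_text)}


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f'{alert["rule"]:36} {alert["client"]:10} {alert["url"]}')
    print("clients to triage:", sorted(affected_clients(SAMPLE_LOG)))
```

    Rule 1 is the only one backed by the post; rule 2 will fire on some legitimate ad landing pages, so in practice it is a triage hint to be paired with the exploit-kit IP, a Java download following the redirect, or a DNS resolution to that address, rather than a blocking rule on its own.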
  34. Tomi Engdahl says:

    China ALSO building encryption-cracking quantum computer
    You didn’t think we’d let the West have all the fun, did you?
    http://www.theregister.co.uk/2014/01/10/china_quantum_computer_race/

    It’s not just the NSA that’s said to be working on a quantum computer – China is also pulling out all the stops to beat its arch rival with a crypto-cracking machine of its own.

    Reply
  35. Tomi Engdahl says:

    India’s election regulator drops plan to partner Google after spying fears
    http://www.reuters.com/article/2014/01/09/india-elections-google-idINL3N0KJ3ZT20140109

    India’s election regulator dropped plans on Thursday to partner Google Inc on a project to ease voter access to information, after a backlash against the move from campaigners who fear Google and the U.S. government could use it for spying.

    Reply
  36. Tomi Engdahl says:

    MEPs seek video link with Snowden for NSA spying probe
    http://www.bbc.co.uk/news/world-europe-25669448#TWEET1008203

    Euro MPs have agreed to invite fugitive US whistleblower Edward Snowden to give evidence via live video link to a European Parliament inquiry into US surveillance.

    According to secret files leaked to the media by Mr Snowden, the US government, assisted by the UK spy agency GCHQ, conducts far-reaching global surveillance of internet and telephone traffic.

    The spying row triggered calls from some European politicians for talks on a major EU transatlantic free trade deal with the US to be suspended.

    In light of the Snowden revelations US President Barack Obama ordered a review of US intelligence-gathering operations and he is expected to announce changes soon.

    “The issue of whether the intelligence services are out of control merits serious examination in Europe as in the US.”

    Reply
  37. Tomi Engdahl says:

    Prison Locker: A load of überhyped malware FUD over… internet chatter
    Forum posts about building a net nasty don’t mean it’s a live threat, folks
    http://www.theregister.co.uk/2014/01/10/prison_locker_ransomware/

    An underground advert seeking help in developing a file-encrypting ransomware kit that might be sold for just $100 a go sparked something of a panic on the interwebs this week.

    But security watchers are yet to see any samples of the so-called Prison Locker ransomware, leading at least two security firms to characterise the threat as intangible and overhyped.

    CryptoLocker, the infamous Bitcoin-demanding ransomware menace, has infected as many as a quarter of a million machines since it first surfaced last September, according to research from Dell SecureWorks’ Counter Threat Unit.

    File-encrypted ransomware is a lucrative and now proven type of cybercrime and there’s little doubt we’ll see more copycats in this area, perhaps even strains that infect computers which aren’t running Windows. But it’s a leap of faith to imagine that the Prison Locker toolkit will deliver this nightmare scenario, especially at the ridiculously low prices quoted: far below the $1,000s in typical costs to buy malware creation kits through underground forums.

    Reply
  38. Tomi Engdahl says:

    CERT-FI vulnerability release 001/2014
    https://www.cert.fi/haavoittuvuudet/2014/haavoittuvuus-2014-001.html

    Three vulnerabilities have been found in the OpenSSL library that make it possible to cause a denial of service in a server application or a client that uses the OpenSSL library.

    Affected products:
    OpenSSL 1.0.1e and older versions

    Solution and mitigation options:
    Update to OpenSSL version 1.0.1f.
    TCP server applications that use TLS 1.2 can limit exposure to the vulnerability by disabling TLS 1.2 until the update is installed.

    Reply
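    A small version check for the range the CERT-FI release above names (1.0.1e and older affected, 1.0.1f fixed), added here as an example and not CERT-FI’s or the OpenSSL project’s code. The point it demonstrates is OpenSSL’s old patch-level scheme, where a letter suffix orders releases (1.0.1 < 1.0.1a < … < 1.0.1e < 1.0.1f) and the 0.9.8 branch later used two letters (0.9.8y < 0.9.8za); the version strings in the sample are constructed, and the helper that queries a local `openssl` binary is an assumption about what is on PATH.

```python
"""Decide whether an OpenSSL build falls in the range named by the CERT-FI
release (1.0.1e and older affected, fixed in 1.0.1f). Added example, not
CERT-FI's or the OpenSSL project's code.

OpenSSL's old version scheme is <major>.<minor>.<fix><letters>; the letter
suffix is the patch level, so '1.0.1' < '1.0.1a' < ... < '1.0.1e', and the
0.9.8 branch used two-letter levels after 'y' ('0.9.8y' < '0.9.8za').
"""
import re
import subprocess
from typing import Optional, Tuple

Version = Tuple[int, int, int, Tuple[str, ...]]

# Values taken from the advisory text.
LAST_AFFECTED = "1.0.1e"
FIXED_IN = "1.0.1f"

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text: str) -> Version:
    """Extract the version from a string such as 'OpenSSL 1.0.1e 11 Feb 2013'.

    The letter suffix becomes a tuple of characters, so the empty suffix sorts
    first and 'z' sorts before 'za', matching OpenSSL's patch-level order.
    """
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no OpenSSL version found in {text!r}")
    major, minor, fix = (int(x) for x in m.group(1, 2, 3))
    return (major, minor, fix, tuple(m.group(4)))


def is_affected(text: str) -> bool:
    """True when the build is 1.0.1e or older, as the advisory states."""
    return parse_openssl_version(text) <= parse_openssl_version(LAST_AFFECTED)


def local_openssl_version() -> Optional[str]:
    """Ask the system 'openssl' binary for its version string, if present.
    Assumption: a binary named 'openssl' is on PATH; None otherwise."""
    try:
        proc = subprocess.run(["openssl", "version"], capture_output=True,
                              text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return None
    return proc.stdout.strip()


def report(text: str) -> str:
    """One-line verdict for a version string."""
    if is_affected(text):
        return (f"{text}: AFFECTED, update to {FIXED_IN} "
                f"(or disable TLS 1.2 on servers until then)")
    return f"{text}: not in the affected range"


if __name__ == "__main__":
    # Constructed sample strings in the shape 'openssl version' prints.
    for sample in ("OpenSSL 1.0.1e 11 Feb 2013", "OpenSSL 1.0.1f 6 Jan 2014",
                   "OpenSSL 0.9.8y 5 Feb 2013", "OpenSSL 1.0.2 22 Jan 2015"):
        print(report(sample))
    local = local_openssl_version()
    print(report(local) if local else "no openssl binary on PATH")
```

    One caveat a practitioner would want: distribution packages commonly backport security fixes without changing the upstream version letter, so a build that reports 1.0.1e may already carry the fix. Treat the version string as a prompt to check the package changelog, not as proof either way.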
  39. Tomi Engdahl says:

    We MUST be told: How many Bitcoins do I need to kill a melon-head?
    http://www.theregister.co.uk/2013/12/13/something_for_the_weekend_banks_bitcoin/

    Wake up. Money is just a self-induced con-trick for reasons of convenient exchange of goods. We have all bought into this idea, quite literally. It’s a flimsy house of cards built purely on bluff – not great for something so untrustworthy, but there it is.

    So is Bitcoin ready to burst yet?

    The BBC quotes Garrick Hileman, a prof at the London School of Economics, asserting that there is a correlation between the rise in Bitcoin exchange rate value and the number of Bitcoin stories appearing in the media.

    I wish someone would pay me to say stuff like that. “When something gets publicised, more people become interested in it.” I could be a media guru, me.

    Bitcoin wasn’t developed as an investment opportunity but as a means of cross-national digital exchange free of political interference. Its intrinsic instability is intended to deter hoarding and gambling alike. You’re supposed to use it for spending – whoa, radical idea – and to this end, its transaction fees are designed to be tiny.

    Now, if ever there was a bastard in banking, it’s transaction fees.

    Bitcoin wallets need to be constantly checked, protected and cherished, like a miser stroking his money chest. I can’t just back it up and restore it, but have to invest time and tech to keep it intact, in one location, unique and irreplaceable.

    Reply
  40. Tomi Engdahl says:

    Ford Exec: ‘We Know Everyone Who Breaks The Law’ Thanks To Our GPS In Your Car
    http://www.businessinsider.com/ford-exec-gps-2014-1

    Because of the GPS units installed in Ford vehicles, Ford knows when many of its drivers are speeding, and where they are while they’re doing it.

    Farley has since retracted his statements.

    Farley was trying to describe how much data Ford has on its customers, and illustrate the fact that the company uses very little of it in order to avoid raising privacy concerns: “We know everyone who breaks the law, we know when you’re doing it. We have GPS in your car, so we know what you’re doing. By the way, we don’t supply that data to anyone,” he told attendees.

    Rather, he said, he imagined a day when the data might be used anonymously and in aggregate to help other marketers with traffic related problems.

    Reply
  41. Tomi Engdahl says:

    Many Mac OS Users Not Getting Security Updates
    http://apple.slashdot.org/story/14/01/10/1415248/many-mac-os-users-not-getting-security-updates

    “According to security company Sophos, around 55% of home users and 18% of enterprise users have updated to Mavericks, the latest version of Mac OS (10.9). Unfortunately Apple appears to have stopped providing security updates for older versions.”

    Reply
  42. Tomi Engdahl says:

    Largest Bitcoin Mining Pool Pledges Not To Execute ’51% Attack’
    http://news.slashdot.org/story/14/01/10/1422206/largest-bitcoin-mining-pool-pledges-not-to-execute-51-attack

    “If a single mining pool gains 51% of the overall computational power in the network, various forms of transaction manipulation become possible”

    “Bitcoin mining pool ghash.io approaching 51% of mining power”

    Reply
  43. Tomi Engdahl says:

    Bitcoin mining pool GHash.IO is preventing accumulation of 51% of all hashing power
    http://news.slashdot.org/story/14/01/10/1422206/largest-bitcoin-mining-pool-pledges-not-to-execute-51-attack

    The hashing power of GHash.IO consists of:
    ~45% BitFury ASIC based miners
    ~55% independent miners!

    Although the increase of hash-power in the pool is considered to be a good thing, reaching 51% of all hashing power is a serious threat to the bitcoin community. GHash.IO will take all necessary precautions to prevent reaching 51% of all hashing power, in order to maintain stability of the bitcoin network

    GHash.IO does not have any intentions to execute a 51% attack, as it will do serious damage to the Bitcoin community, of which we are a part.

    Reply
  44. Tomi Engdahl says:

    Europe MPs: Time to change our data-sharing policy with US firms
    Draft doc also condemns NSA and GCHQ dragnet surveillance
    http://www.theregister.co.uk/2014/01/10/mep_surveillance_report/

    A European Parliament report has condemned dragnet surveillance programmes by the NSA and the UK’s GCHQ, suggesting the schemes are motivated by political and economic espionage as well as the stated counter-terrorism objective.

    The most significant element of the report is arguably a call for the EU Commission to consider suspending Safe Harbour data-sharing arrangements with US companies. The draft report states:

    Under the current circumstances the Safe Harbour principles do not provide adequate protection for EU citizens, these transfers should be carried out under other instruments, such as contractual clauses or BCRs setting out specific safeguards and protections.

    Reply
  45. Tomi Engdahl says:

    More on Target’s data breach: Info on 70M people stolen
    http://news.cnet.com/8301-1009_3-57617034-83/more-on-targets-data-breach-info-on-70m-people-stolen/

    That stolen information, taken in December’s security lapse, includes names, phone numbers, and postal and e-mail addresses.

    Target’s data breach is broader than once believed.

    The nationwide retailer on Friday announced that personal information on as many as 70 million customers was stolen as part of the company’s payment card data breach. The information stolen includes names, mailing addresses, phone numbers, and e-mail addresses, the company said.

    The news is the latest blow to Target, which in December revealed that hackers had stolen approximately 40 million credit and debit card numbers. Target said at the time that it believed the data stolen came from transactions made between November 27 and December 15.

    Not surprisingly, hackers moved quickly to take advantage of the stolen information and put the information on the black market. According to reports, following the Target breach there was a “ten-to-twentyfold increase” in stolen cards available on underground markets.

    Reply
  46. Tomi Engdahl says:

    January 10, 2014, 01:43 pm
    Obama to unveil NSA reforms on Jan. 17

    http://thehill.com/blogs/hillicon-valley/technology/195104-obama-to-unveil-nsa-reforms-on-jan-17#ixzz2q4bM2Ji3

    Reply
  47. Tomi Engdahl says:

    Oracle to patch Java, other products Tuesday
    http://www.zdnet.com/oracle-to-patch-java-other-products-tuesday-7000025023/

    Summary: 47 Oracle products to be patched on Patch Tuesday, with a total of 147 vulnerability fixes, 85 of them for flaws which are remotely-exploitable without authentication.

    36 of the fixes will be for Java 7 SE products, 34 of them exploitable remotely without authentication.

    Reply
  48. Tomi Engdahl says:

    Target Admits Data Breach May Have Up To 110 Million Victims
    http://yro.slashdot.org/story/14/01/10/2321209/target-admits-data-breach-may-have-up-to-110-million-victims

    “A Jan. 10 press release admits the number of customers affected by the second-largest corporate data breach in history had increased from 40 million to 70 million, and that the data stolen included emails, phone numbers, street addresses and other information absent from the stolen transactional data that netted thieves 40 million debit- and credit-card numbers and PINs.”

    “Most analysts and news outlets have blamed the breach on either the security of Target’s Windows-based Point-of-Sale systems or the company’s failure to fulfill its security obligations under the Payment Card Industry Data Security Standard (PCI DSS).”

    Reply
