Security trends for 2014

Year 2014 will be a year of cybersecurity after the NSA revelations made in 2013: The headline news is that the NSA has surreptitiously “burrowed its way into nearly all the security architecture” sold by the world’s largest computer networking companies. A lot of people were shocked at how the NSA monitored and hacked almost everything on the Internet. There will still be NSA aftershocks as new material comes out and different parties react to it (and news sources write about it). U.S. cloud services have been put into question for good reason. There will be a lot of NSA spying litigation. Those spying issues will also fuel some hacktivism (it has already started to happen).

The article Security Professionals: Top Cyber Threat Predictions for 2014 lists the following predictions, which seem pretty probable: Cybersecurity Regulatory Efforts Will Spark Greater Need for Harmonization, Service-Impacting Interruptions for Online Services Will Persist, We Will See an Increase in Cybercrime Activity Related to the World Cup, Rise of Regional Cloud Services, Dev-Ops Security Integration Fast Becoming Critical, Cybercrime that Leverages Unsupported Software will Increase, Increase in Social Engineering and Ransomware will Impact More People.

Ubiquitous mobile computing is all around us, which will lead to increased risks and concerns about social network privacy. Social networks have quickly become the key organizing principle of Internet communication and collaboration. Android anti-virus apps CAN’T kill nasties on sight like normal AV.

2013 was a very hacked year: there were many cases where information on millions or tens of millions of users was stolen from companies. It’s likely that we will see much more of the same in 2014, because the way people use passwords and the way on-line services are built have not changed much in one year.


Gartner predicts that through 2014, improved JavaScript performance will begin to push HTML5 and the browser as a mainstream enterprise application development environment. I expect HTML5-related security issues to increase as the technology is used more in 2014.

Over 50% of net traffic to web sites is made by bots! The article More Than Half of Internet Traffic Is Just Bots says that security and cloud service provider Incapsula analyzed traffic and found that more than 60 percent of internet traffic is computer generated, compared to less than 40 percent driven by human clicks. 31% of bots are still malicious. SEO link building has always been a major motivation for automated link spamming, but it is decreasing because Google was able to discourage it. There is more advanced hacking and automatic vulnerability searching.

DDoS attacks are evolving from volumetric Layer 3-4 attacks to much more sophisticated and dangerous Layer 7 multi-vector threats.

There will still be many SCADA security issues in 2014. Even though traditional SCADA vulnerabilities have become easier to find, the increased connectivity brought by IoT will cause new issues. And there will still be very many control systems openly accessible from the Internet to practically everybody who knows how to find them. A large number of SCADA systems were found open on the Internet at the beginning of 2013, and the numbers have not dropped considerably during the year. I expect that very many of those systems will still be too open at the end of 2014.

The Internet is expanding into enterprise assets and consumer items such as cars and televisions. The Internet of Things (IoT) will evolve into the Web of Things, increasing the coordination between things in the real world and their counterparts on the Web. There will be many security issues to solve, and as these systems become more widely used, more security issues will be found in them.

Cloud security will be talked about. Hopefully there will be some clearing-up of the terminology in that area, because cloud security can mean a lot of things, just like the term cloud computing. Cloud security could mean how secure your cloud provider is; a service that runs in the cloud filtering what comes through it (for example e-mails, web traffic); a product protecting some service running in the cloud; or a traditional anti-virus service that connects to the cloud to improve its operation (for example to update in real-time, or to verify unknown programs based on data in the cloud). Research firm Gartner forecasts that cloud security sales will increase dramatically in the next few years. Cloud security sales have increased over the past year by 2.1 billion to $3.1 billion in 2015.

Marketers try to put the term “cloud” into security product brochures as much as they can. The cloud has made traditional information security sound old-fashioned, because companies are under pressure to move services to the cloud. Also, mobile devices and dispersed users set new standards for information security. OpenDNS’s CTO Dan Hubbard says that “Because the data and equipment run in the cloud, protecting users with the cloud is the best way to protect them.” The Snowden Effect will also bring PRIVATE cloud talk to the table this year for security reasons, because U.S. cloud services have been put into question for good reason.

In Finland a new Cyber Security Center started in the beginning of 2014. Security articles and warnings from it will be published at kyberturvallisuuskeskus.fi.

Late addition: Crypto-currencies like Bitcoin and similar are on the rise. Early adopters already use them actively. Those crypto-currencies have many security-related issues. The values of the crypto-currencies vary quite a lot, and the value easily drops considerably when they get so widely used that different governments try to limit their use. Bitcoin is increasingly used as a ransomware payment method. Bitcoins have been stolen quite a lot lately (and I expect that to increase when usage increases), and they are stolen from users, on-line wallets and exchanges. When more money is involved, more bad guys try to get in to take some of it. Sometimes bad guys do not try to steal your money, but use resources you pay for (your own PC, your server capacity, etc.) to generate money for themselves without you knowing about it. If you plan to use those crypto-currencies, be careful to understand what you are doing with them: there is a real possibility that you can lose your money, and there is no way that lost money can be recovered.

3,382 Comments

  1. Tomi Engdahl says:

    Google Can Coexist With the Right to Be Forgotten:

    The Case for Scrubbing Search Results
    http://www.businessweek.com/articles/2014-05-22/google-can-coexist-with-the-right-to-be-forgotten

    In Luxembourg, the Court of Justice of the European Union ruled on May 13 that individuals have the “right to be forgotten,” meaning they have the right to ask Google (GOOG) to remove information about them from its search index. In America, where the right to free speech trumps the right to privacy, commentators such as City University of New York journalism professor Jeff Jarvis see the ruling as “a blow against free speech.” But even free speech absolutists have good reason to side with the EU.

    Google regularly removes illegal material, copyright violations, and the like from its index

    Reply
  2. Tomi Engdahl says:

    The Internet of Things needs a security model to protect user data
    IoT security becomes a hot topic at The INQUIRER and Intel’s roundtable event
    http://www.theinquirer.net/inquirer/news/2346239/the-internet-of-things-needs-a-security-model-to-protect-user-data

    THE INTERNET OF THINGS (IoT) needs its own security model to protect user data and enable innovation, it was argued at The INQUIRER’s Internet of Things roundtable event in London on Wednesday.

    The INQUIRER and Intel welcomed a number of professionals from organisations including Bosch, the London School of Economics and the West Middlesex Hospital to the roundtable at London’s Groucho Club on Wednesday, where the security concerns surrounding the Internet of Things quickly became a hot area for discussion

    Intel said that the Internet of Things, which is expected to see 26 billion connected devices by 2020, needs its own security model in order to fully protect user data, and to allow that data to be shared in a secure, personalised way.

    “You’re going to have to secure the device or the sensor, you need to secure the data, and you’re going to have to secure that across an open network – it really is a massive, massive change.”

    “The access to personal data is probably one of the biggest changes we’ve got going forward – and it can destroy your company. It’s very important [that] we understand what that security model is going to look like, because we can’t afford to run private networks,”

    “Intel doesn’t believe it’s about locking it down so it’s not accessible – it’s about deciding, and who gets to decide is really interesting,”

    Reply
  3. Tomi Engdahl says:

    23 May 2014. Cryptome placed online No Place to Hide, 310 pages, to compensate for failure to release Snowden documents:
    http://cryptome.org/2013/11/snowden-tally.htm

    The copying and unlimited distribution of No Place to Hide is to compensate in a small way for the failure to release 95% of the Snowden material to the public.

    After Snowden dumped the full material on Greenwald, Poitras and Gellman, about 97% of it has been withheld. This book provides a minuscule amount, 106 images, of the 1500 pages released so far out of between 59,000 and 1.7 million allegedly taken by Snowden.

    Reply
  4. Tomi Engdahl says:

    128-bit crypto scheme allegedly cracked in two hours
    Boffins splat ‘supersingular curve’ crypto
    http://www.theregister.co.uk/2014/05/26/boffins_splat_supersingular_curve_crypto/

    Crypto researchers are preparing to scatter the ashes of a class of Discrete Logarithm Problems (DLPs) as the future of security, following a claim by Swiss researchers to have cracked a 128-bit crypto scheme in two hours.

    the work by researchers at EPFL in Switzerland excludes crypto based on “supersingular curves” from future consideration.

    “When initially proposed, these fields were believed to be 128-bit secure”

    Reply
  5. Tomi Engdahl says:

    Greenwald’s book tour draws ire from Anonymous hacktivists
    http://rt.com/usa/158976-greenwald-anonymous-paypal-pastebin/

    As Glenn Greenwald begins a book tour to commemorate the release of a story detailing his work with former national security contractor Edward Snowden and the secret documents he supplied, a new campaign has caught the author in its crosshairs.

    The Pastebin post — read more than 5,000 times as of Wednesday afternoon just two days after being published — goes on to call for demonstrations outside of Greenwald’s scheduled book events that began this week.

    Reply
  6. Tomi Engdahl says:

    Cyber security requires understanding of bits and money

    The message of the book written by Jarno Limnell, Klaus Majewski and Mirva Salminen is that cyber security must be included in any strategy for it to work, and even today almost all new business in nearly all sectors comes down to computers and networks, with varying degrees of recovery.

    Machine-to-machine functions will increase on a massive scale in the near future, including in logistics. At the same time they offer old businesses benefits, which are measured in euros, but also give criminals access to corporate secrets.

    The authors consider it the major problem that senior management responsible for strategy and business decision-making rarely understands the bits, while in their understanding the bits belong to “the IT department” and are at the end of the big lines. Communication between the two sectors is the most important thing for the future of the company.

    Source: http://www.tietoviikko.fi/uutisia/kirjaarvio+kyberturvallisuus+vaatii+seka+bittien+etta+rahan+ymmartamista/a990012

    Reply
  7. Tomi Engdahl says:

    Ukraine’s top election official confirms hacker attack on computer system on May 22
    http://www.kyivpost.com/content/ukraine/ukraines-top-election-official-confirms-hacker-attack-on-computer-system-on-may-22-349216.html

    Chairman of Ukraine’s Central Election Commission (CEC) Mykhailo Okhendovsky has confirmed that there was a hacker attack on the CEC computer system on May 22.

    “At present, we have a ground to believe that this software or a virus was designed by special services of one of the developed countries,” he said.

    Reply
  8. Tomi Engdahl says:

    Twitter Has Quietly Learned To Censor And Ban Its Users When Governments Ask
    http://www.businessinsider.com/twitter-censors-political-accounts-2014-5

    Twitter has a reputation as an open platform for expressing one’s opinions. It’s become a place for dissent and debate. It played a key role in the “Arab Spring” revolutions of the last couple of years.

    But last week, it agreed to censor a pro-Ukrainian Twitter feed in Russia. It also blocked a “blasphemous” account in Pakistan. It’s not the first time Twitter has censored politically sensitive accounts.

    Reply
  9. Tomi Engdahl says:

    Darpa Turns Oculus Into a Weapon for Cyberwar
    http://www.wired.com/2014/05/darpa-is-using-oculus-rift-to-prep-for-cyberwar/

    For the last two years, Darpa has been working to make waging cyberwar as easy as playing a video game. Now, like so many other games, it’s about to get a lot more in-your-face.

    At the Pentagon Wednesday, the armed forces’ far-out research branch known as the Defense Advanced Research Projects Agency showed off its latest demos for Plan X, a long-gestating software platform designed to unify digital attack and defense tools into a single, easy-to-use interface for American military hackers. And for the last few months, that program has had a new toy: The agency is experimenting with using the Oculus Rift virtual-reality headset to give cyberwarriors a new way to visualize three-dimensional network simulations–in some cases with the goal of better targeting them for attack.

    “You’re not in a two-dimensional view, so you can look around the data. You look to your left, look to your right, and see different subnets of information,

    Reply
  10. Tomi Engdahl says:

    Registry Hack: Get Windows XP Security Updates until 2019
    Monday, May 26, 2014 Wang Wei
    http://thehackernews.com/2014/05/registry-hack-get-windows-xp-security.html

    Microsoft ended its support for Windows XP officially more than a month ago on April 8, 2014.

    While some companies and organizations who were not able to migrate their operating system’s running Windows XP to another operating system before the support phase ended, are still receiving updates by paying Microsoft for the security patches and updates.

    Now a relatively simple method has emerged as a trick for the XP users which makes it possible to receive Windows XP security updates for the next five years i.e. until April 2019.

    It makes use of updates for Windows Embedded POSReady 2009 based on Windows XP Service Pack 3, because the security updates which are being released for POSReady 2009 are inevitably the same updates Microsoft would have rolled out for its Windows XP, if it was still supporting XP Operating System.

    Microsoft will continue to deliver new security updates and patches for this version of its embedded operating system till April 9th, 2019

    Reply
  11. Tomi Engdahl says:

    Anti-virus firm Avast! takes down forums after breach
    You know the drill: change your passwords and prepare for the worst
    http://www.theregister.co.uk/2014/05/27/antivirus_firm_avast_takes_down_forums_after_breach/

    user names, email addresses and hashed passwords were compromised

    “we do believe that the attack just occurred and we detected it essentially immediately.”

    The company plans to rebuild the forum on a different software platform.

    Reply
  12. Tomi Engdahl says:

    Finnish insurance company Fennia outsourced authentication

    The insurance company has executed the service by outsourcing, as suitable skills for implementing the means of identification were not found inside the company. Fennia has introduced a service that allows customers to identify themselves on the network in many different ways. The service was implemented by the Norwegian company Signicat, whose SaaS services reach more than 60 million people in Europe.

    Source: http://www.tietoviikko.fi/kaikki_uutiset/fennia+ulkoisti+tunnistuksen/a990211

    Reply
  13. Tomi Engdahl says:

    The USA has handed down many harsh judgments on intrusions and other cyber-crimes
    (for example, Jeremy Hammond received a 10-year prison sentence for a data breach)

    Hector Xavier Monsegur, who was known on the internet as Sabu of LulzSec, was caught in 2011. He agreed to cooperate with the authorities, and with his help several Anonymous hackers have been caught.

    According to the court documents, Sabu has made it possible for authorities to interfere with at least 300 cyber-attacks (which have focused on, among other things, the U.S. armed forces, Congress and the courts, as well as a number of companies).

    Fruitful co-operation enabled him to get a mild penalty for his offenses: only 7 months of imprisonment.

    Source: http://www.tietokone.fi/artikkeli/uutiset/muita_karayttanyt_hakkerimyyra_selvinnee_pikkutuomiolla

    Reply
  14. Tomi Engdahl says:

    Look, pal, it’s YOUR password so it’s YOUR fault that it’s gone AWOL
    Security begins at home… and ends up in someone else’s
    http://www.theregister.co.uk/2014/05/23/look_pal_its_your_password_so_its_your_fault_we_lost_it/

    Showing ID, as anyone working in retail security will tell you, is irrelevant. Proof of identity and proof of payment are not the same thing at all. It is not possible to stride into a mobile phone shop, demand half a dozen iPhones and shuffle off without paying

    Basically, it’s all too tempting. The goods and the customer database are just sitting there, pleading to be raided. Just borrow the key to each – or easier still, nick them – and you’re away.

    The scam may not even be that smart.

    Who needs to hack into a database of customer addresses when the original paper versions are already kicking about the shop in various unmonitored filing cabinets and in-trays? Forget name and password, these sheets of triplicate contain my bank and credit card details, inside leg measurement and DNA samples.

    businesses don’t “get” anything. It’s the customer who ends up in a world of shit.

    Back to eBay, though. The consensus appears to be that a hack into a relatively small number of eBay employees’ login credentials was enough to lay open 145 million user account passwords. These passwords may or may not have been adequately hashed or encrypted; no-one outside eBay knows because eBay isn’t saying.

    Surely the key problem at eBay isn’t what it did or didn’t do to disguise customer records, so much as how feeble the protection must have been to prevent anyone from entering in the first place.

    Most of the IT departments at places where I work deliberately inflict multi-login hell on their users, apparently for no practical purpose other than the sheer fun of it, like a smirking school bully.

    But what really, really bugs me is being told to change my password again and again, not for sound security reasons but – as eBay, Adobe, SSL developers and countless others have ably demonstrated over the years – bad security reasons.

    The argument that regularly changing my passwords held by a third party will keep my details more secure at that third party, however, is one that has been carefully constructed from a veritable mountain of smelly arses.

    What’s the point of changing my login credentials if the third party simply keeps giving them away?

    The logic is this: they want to put the blame on YOU.

    Hackers stole 145 million passwords on our servers but actually they’re YOUR passwords so it’s YOUR fault and YOU have to sort it out.

    Reply
  15. Tomi Engdahl says:

    China ponders ban on IBM servers
    Report says Middle Kingdom worried Big Blue boxen bring big backdoors
    http://www.theregister.co.uk/2014/05/27/china_ponders_ban_on_ibm_servers/

    The dispute between China and the USA over backdoor-riddled information technology equipment has just heated up, with Bloomberg reporting Chinese authorities are wondering whether the time has come for local banks to ditch their IBM servers.

    The newswire’s report mentions “high-end” servers and suggests Chinese authorities “are reviewing whether Chinese commercial banks’ reliance on the IBM servers compromises the country’s financial security.”

    China surely knows this and that any order to change would be futile for at least a few months. Such an order would also telegraph to the USA or other powers the need to find another attack vector.

    Yet the mere suggestion China is interested in kicking IBM when it is down is useful, as a muscle-flexing exercise in which Beijing tells Washington it can hurt US industry with the stroke of a pen.

    Reply
  16. Tomi Engdahl says:

    Microsoft warns against Windows XP security update hack
    Hackers discover way to trick Microsoft into continuing to support Windows XP after updates ceased
    http://www.theguardian.com/technology/2014/may/27/microsoft-windows-xp-security-hack-update

    Microsoft has warned against using a hack that allows Windows XP to continue to receive important security updates after Microsoft withdrew support in April.

    The hack tricks Microsoft’s update servers into applying security patches to Microsoft’s 13-year-old Windows XP. A small change within Windows XP makes it appear as other versions of Windows that are still supported until 2019.

    Microsoft warned that Windows XP customers may face problems if they install the updates. “The security updates that could be installed are intended for Windows Embedded and Windows Server 2003 customers and do not fully protect Windows XP customers,” Microsoft said in a statement released to ZDnet. “Windows XP customers also run a significant risk of functionality issues with their machines if they install these updates, as they are not tested against Windows XP.”

    Reply
  17. Tomi Engdahl says:

    DUDE, WHERE’S MY CAR? New leccy BMWs have flimsy password security – researcher
    Motor giant told to try harder with mobe app
    http://www.theregister.co.uk/2014/05/27/bmw_password_security_shortcomings/

    New BMW cars have security shortcomings that could allow thieves to pop open a victim’s flash motor from a smartphone.

    Ken Munro, a partner at Pen Test Partners, uncovered security issues in the systems that pair the latest generation of beamers with owners’ mobiles. By stringing together the flaws, a crook could open doors, windows and the boot, and leave the lights on for an added headache.

    Preliminary findings from the ongoing research – which El Reg passed onto BMW last month – suggest it may be possible to determine the usernames of drivers through social networks, and then use a mix of social engineering and other techniques to gain access to vehicles – or trick BMW into suspending security protections, clearing the way for other attacks.

    The car manufacturer said it had passed Munro’s research onto its people in Germany, and played down any risk. “If it was an issue then it’s solved now,

    The i3 and i8 have an iOS app called iRemote, which is closely related to the Android and iOS Connected Drive application familiar to most BMW and Mini drivers.

    Reply
  18. Tomi Engdahl says:

    Avast Anti Virus Forum hacked, Login Credentials of 400,000 users compromised
    http://www.techworm.net/2014/05/avast-anti-virus-forum-hacked-login.html

    Antivirus firm Avast has today confirmed that it took its Community support forum offline following a data breach which may have affected log in ids and passwords of more than 400,000 users.

    Company’s CEO Vincent Steckler today stated in a blog post that user’s nicknames, user names, email addresses and hashed passwords were compromised in an attack on Avast Forum which took place over this past weekend.

    Avast claims that this attack seems to have affected less than 0.2% of a total of 200 million users of the forum. It also claimed that no financial details like payment, license terms or other data was compromised.

    Reply
  19. Tomi Engdahl says:

    iPhones frozen by hackers demanding ransom
    http://www.telegraph.co.uk/technology/apple/10857715/iPhones-frozen-by-hackers-demanding-ransom.html

    People around the world have found their iPads and iPhones frozen by hackers who are demanding cash ransoms to unlock their devices

    Owners of iPhones and iPads have been targeted by a hacker who is freezing iOS devices and demanding a ransom of up to £55 to unlock them.

    The majority of the attacks have taken place in Australia although there are also reports of Britons being affected.

    It appears that the hacker, who goes by the name Oleg Pliss, has managed to exploit the Find My iPhone feature which can track and remotely lock stolen devices.

    An Australian government website, Stay Smart Online, has told affected users not to pay the ransom.

    “Currently there is only speculation about how the attacks have been carried out. Apple has not yet responded officially,”

    “Such scams have been around for years. By using the credentials to access an Apple iCloud account, the attackers can enable the ‘Find My iPhone’ service – this is not only able to locate a lost or stolen device, but also to set a passcode preventing third parties from accessing the personal data stored on the smartphone.”

    “This is clearly a form of ransomware, previously only seen on PC and, recently, on Android devices”

    Reply
  20. Tomi Engdahl says:

    New Data Sheds Light on Shifting Cybercriminal Tactics
    http://blogs.technet.com/b/security/archive/2014/05/07/new-data-sheds-light-on-shift-in-cybercriminal-tactics.aspx

    New data released today suggests that the security mitigations that Microsoft has included in newer software has helped make malicious cyber acts more difficult for would-be attackers. Effective security mitigations raise the cost of doing business for cybercriminals. The data also indicates that cybercriminals are increasingly utilizing deceptive tactics in their attempts to compromise systems.

    New research conducted by Trustworthy Computing’s Security Science team shows a 70 percent decline in the number of severe vulnerabilities (those that can enable remote code execution) that were exploited in Microsoft products between 2010 and 2013. This is a clear indication that newer products are providing better protection, even in cases where vulnerabilities exist.

    The continued increase in deceptive tactics is striking; in the last quarter of 2013, the number of computers impacted as a result of deceptive tactics more than tripled.

    Foremost among the tactics many attackers are using is “deceptive downloads.” In more than 95% of the 110 countries/regions we studied, deceptive downloads were a top threat. Cybercriminals are secretly bundling malicious items with legitimate content such as software, games or music.

    In the last half of 2013, deceptive downloads were definitely in vogue with cybercriminals. But that wasn’t the only tactic they used. A second notable deceptive tactic in use was Ransomware. The concept is simple: cybercriminals digitally hijack a person’s machine and hold it for ransom; refusing to return control of it or their files until the victim pays a fee.

    Reply
  21. Tomi Engdahl says:

    The nine companies that know more about you than Google or Facebook
    http://qz.com/213900/the-nine-companies-that-know-more-about-you-than-google-or-facebook/

    You probably assume Google and Facebook know everything about you. You may not have heard of a group of companies who possibly know even more. They’re called data brokers, and their business is collecting and selling personal data—typically without your knowledge or consent—that are used to verify identity, help marketers, detect fraud and help perform detailed “people searches.”

    The report looked at nine major data brokers: Acxiom, Corelogic, Datalogix, eBureau, ID Analytics, Intelius, PeekYou, Rapleaf, and Recorded Future.

    Reply
  22. Tomi Engdahl says:

    Australian Mac and iOS users find devices remotely locked, held for ransom (and how to keep yours safe)
    http://9to5mac.com/2014/05/26/australian-mac-and-ios-users-find-devices-remotely-locked-held-for-ransom-and-how-to-keep-yours-safe/

    The Sydney Morning Herald reports that several Australian Mac, iPhone, and iPad users are finding that their devices have been locked remotely through Apple’s Find My iPhone service by someone using the name “Oleg Pliss.” The hacker (or hackers) then demand payments of around $50 to $100 to an anonymous PayPal account in order to restore the devices to their owners.

    Because the hackers used Find My iPhone to lock out the victims, users who had set a passcode on their devices were able to regain access. This is because Find My iPhone can only be used to add a passcode to devices that don’t already have one set. If you’ve created a passcode on your device, you (or malicious users with access to your account) cannot change it from Find My iPhone. It can only be changed or removed directly from the device.

    Unfortunately, users affected by this attack will need to get in touch with Apple to work around the issue.

    Reply
  23. Tomi Engdahl says:

    iCloud not compromised in Apple ID attack: Apple
    http://www.zdnet.com/icloud-not-compromised-in-apple-id-attack-apple-7000029914/

    Summary: Apple has produced a minuscule response to the Apple ID attack that began affecting Australian and New Zealand iCloud users yesterday.

    It is presumed that the attackers gained access to users’ Apple ID credentials, and from that point on, have been able to access the Find My iPhone service to lock the devices.

    Reply
  24. Tomi Engdahl says:

    IoT security under scrutiny as Apple looks at smart home system
    http://www.zdnet.com/iot-security-under-scrutiny-as-apple-looks-at-smart-home-system-7000029859/

    Summary: Internet of Things security is under scrutiny as Apple moves to introduce its smart home system and Google works to expand its suite of web-enabled home devices.

    The security issues around the emerging Internet of Things (IoT) technology are taking centre stage, as Apple reportedly prepares to introduce its ‘smart home’ system and Google is rumoured to be considering new acquisitions to round out its web-enabled home device offering.

    The emergence of the IoT could lead to the biggest security threat to the IT landscape, according to Armando Dacal, Australia and New Zealand regional director for enterprise security provider, Palo Alto Networks.

    According to Dacal, governments, enterprises, and standards organisations will need to work together to establish security regulations suitable for the IoT phenomenon.

    “This year’s buzz is all about the IoT, which is made up of everyday devices that are IP-enabled, that can communicate over the internet and transmit what may be very important and confidential data. There are now more ‘things’ connected to the internet than there are people on Earth,”

    Reply
  25. Tomi Engdahl says:

    Google blocking extensions not listed in the Chrome Web Store for Windows users
    http://9to5google.com/2014/05/27/google-blocking-extensions-not-listed-in-the-chrome-web-store-for-windows-users/

    Google announced today that it’s now blocking local Chrome extensions to protect Windows users from malicious software. This means that only extensions coming from the Chrome Web Store can be installed on Chrome for Windows. As an additional safety precaution, Google says that previously installed extensions may automatically be disabled and cannot be restored until they’re hosted in the Chrome Web Store.

    Reply
  26. Tomi Engdahl says:

    LulzSec hacker-informant ‘Sabu’ set free
    http://www.dailydot.com/news/sabu-hector-xavier-monsegur-fbi-antisec-anonymous-sentenced/

    Anonymous hacker Hector Monsegur, best known as Sabu, was released Tuesday on time served for his role in a slew of high-profile cyberattacks on corporate and civilian targets. He also received one year probation.

    Monsegur, 30, received a significantly lighter sentence thanks to the government’s request for leniency for his cooperation with law enforcement. Federal prosecutors originally asked that he serve an additional seven months behind bars.

    The FBI called Monsegur “extremely helpful,” and claims that he helped thwart more than 300 separate cyberattacks in the three years he served as an informant.

    Sabu’s pre-informant charges begin with Dec. 2010’s “OpPayback” attacks on PayPal, Visa, and Mastercard. The hacking campaign came as retaliation for those companies’ refusal to process payments to WikiLeaks.

    Monsegur also pled guilty to using stolen credit cards to cover his own bills, and to hacking an automotive company to send him $3,450 in stolen car parts.

    Monsegur originally faced up to 122 ½ years in prison.

    Reply
  27. Tomi Engdahl says:

    Kinsley review of Greenwald’s book “unworthy” of NYT Book Review; ignored media’s constitutional role — Kinsley, Greenwald and Government Secrets — Michael Kinsley’s review of Glenn Greenwald’s new book, “No Place to Hide” hasn’t even appeared in the printed Book Review yet …
    http://publiceditor.blogs.nytimes.com/2014/05/27/kinsley-greenwald-and-government-secrets/?_php=true&_type=blogs&_r=0

    Reply
  28. Tomi Engdahl says:

    Federal court pulls plug on porn copyright shakedown scam
    Judge: ‘lawsuit a quintessential example of Prenda Law’s modus operandi’
    http://www.networkworld.com/community/blog/federal-court-pulls-plug-porn-copyright-shakedown-scam

    Deciding a case we wrote about here a year ago, a federal appeals court today has for the first time put the kibosh on a shakedown scheme aimed at pornography downloaders and practiced by AF Holdings, an arm of notorious copyright troll Prenda Law.

    Reply
  29. Tomi Engdahl says:

    Snowden’s finale: naming victims of surveillance
    http://www.thesundaytimes.co.uk/sto/news/world_news/article1411910.ece

    THE man who helped bring about the most significant leak in American intelligence history is to reveal names of US citizens targeted by their government in what he promises will be the “biggest” revelation from nearly 2m classified files.

    Greenwald’s plan to publish will further unnerve an American intelligence establishment reeling from 11 months of revelations about government surveillance activities.

    Reply
  30. Tomi Engdahl says:

    ‘I was trained as a spy’ says Snowden
    Whistleblower reveals he was much more than just a contractor for US government
    http://www.theregister.co.uk/2014/05/28/i_was_a_trained_as_a_spy_says_snowden/

    Government whistleblower Edward Snowden said he was “trained as a spy” by the US government, and that he worked with an assumed name and identity while serving both the CIA and the NSA in overseas positions.

    In the first part of a larger interview filmed with NBC News, Snowden disputes the idea that he was a “low-level” outside contractor who managed to manipulate his way into possession of the massive cache of data which would become a massive leak of US government intelligence information.

    “I was trained as a spy in the traditional sense of the word in that I lived and worked undercover overseas, pretending to work in a job that I am not and even being assigned a name that was not mine,” Snowden told the network.

    “But I am a technical specialist. I am a technical expert.”

    Reply
  31. Tomi Engdahl says:

    Warning to Android users — Outlook.com app stores emails unencrypted
    http://betanews.com/2014/05/22/warning-to-android-users-outlook-com-app-stores-emails-unencrypted/

    Researchers at Include Security, whilst practicing their reverse engineering skills, turned their attention to the Outlook.com app for Android and discovered a potentially worrisome security issue.

    The team found that the app — which was produced by Seven Networks rather than Microsoft itself — stores emails and attachments in the Android file system without encryption or security. This fact could be exploited by maliciously coded third party apps which would be able to read the unencrypted subject lines and body text of email, as well as accessing attached files.

    Even if PIN protection is in place, a backup email database is stored in an easily accessible location in the file system, completely unencrypted.

    Include Security says “We feel a key security and privacy attribute of any mobile messaging application is the ability to maintain the confidentiality of data stored on the device the app runs on”.

    Reply
  32. Tomi Engdahl says:

    Kiwis unplug supercomputer after intrusion
    34 Tflops in hackers’ hands
    http://www.theregister.co.uk/2014/05/26/kiwis_unplug_niwa_super_after_intrusion_spotted/

    New Zealand’s National Institute of Water and Atmospheric Research (NIWA) has deployed perhaps the ultimate security device – an RJ 45 plug’s locking tab – to protect its 34 Tflops FitzRoy supercomputer after its security was breached.

    Reply
  33. Tomi Engdahl says:

    Defense Against the Dark Arts (of Cyberspace)
    Universities are offering graduate degrees in cybersecurity
    http://spectrum.ieee.org/at-work/education/defense-against-the-dark-arts-of-cyberspace

    In an increasingly networked world, security attacks have become not just more frequent and sophisticated but also more financially damaging. The silver lining is the growing need for cybersecurity experts. Information security analyst jobs are expected to grow by 37 percent by 2022, according to the U.S. Bureau of Labor Statistics. “Every time there’s a new breach anywhere, a light goes on in some C-suite office and it opens up hiring,”

    Consequently, more and more institutions now offer specialized master’s degrees in cybersecurity. Big names like IBM and Intel are collaborating with schools to keep security curricula up to date. “Today many companies are educating their workforce on their own,”

    Previously, a computer science degree, on-the-job training, or even self-taught hacking skills had been enough to qualify someone for a security position. But cybersecurity has expanded enough in depth and scope in the past decade to warrant its own degree

    Cybersecurity master’s students take basic computer science courses, but two-thirds of their curriculum covers specialized areas such as network security, cryptography, data forensics, and policy

    Reply
  34. Tomi Engdahl says:

    Careless staff beats theft and malware as biggest CISO fear
    http://www.scmagazineuk.com/careless-staff-beats-theft-and-malware-as-biggest-ciso-fear/article/329237/

    Careless employees are the biggest security concern for IT professionals, research shows, prompting calls for CISOs to step up staff education and the use of technology.

    Sixty per cent of 110 IT professionals surveyed by service provider SecureData view employee carelessness as the biggest risk to their organisation’s security – well above “the usual suspects” like data theft (13 percent), external malware (10 percent) and technology failure (7 percent).

    Operations teams are seen as the biggest risk (40 percent), followed by finance staff (13 percent), while cloud security – often raised as a potential issue – was not once cited as a primary security concern.

    While 40 percent of respondents felt educating employees was the most important step to improving security, 25 percent said that implementing a clear security management policy was their weakest area.

    “Consequently, organisations need to complement their short-term, training-based approach with a longer-term, regular and consistent awareness and education programme on information security.”

    Reply
  35. Tomi Engdahl says:

    Exclusive: Security enthusiasts may revive encryption tool after mystery shutdown
    http://www.reuters.com/article/2014/05/29/us-internet-security-encryption-idUSKBN0E925M20140529

    A team of security experts may seek to restore and improve a popular computer encryption system after its developers mysteriously shut it down, claiming “unfixed security issues,” a leader of the effort told Reuters on Thursday.

    TrueCrypt, one of a number of programs that encrypt all of a user’s hard drive, had gained popularity after fugitive former National Security Agency contractor Edward Snowden praised it and law enforcement officials complained of their inability to crack it.

    Reply
  36. Tomi Engdahl says:

    OpenSSL to get a security audit and two full-time developers
    $5.4M plan to help open source funds OpenSSL, OpenSSH, and Network Time Protocol.
    http://arstechnica.com/information-technology/2014/05/openssl-to-get-a-security-audit-and-two-full-time-developers/

    A Linux Foundation project inspired by the Heartbleed security flaw announced that it will fund a security audit for the OpenSSL code base and the salaries of two full-time developers.

    The Heartbleed flaw shone a spotlight on how poorly funded the OpenSSL cryptographic software library is despite being used by many of the world’s richest technology companies. The Linux Foundation, with support from those tech companies, created the Core Infrastructure Initiative (CII) to boost the security of OpenSSL and other open source projects in need of help.

    Reply
  37. Tomi Engdahl says:

    German State Prosecutor does not intend to investigate the NSA spying

    The German state prosecutor Harald Range is not going to investigate the NSA’s spying activities, writes the Süddeutsche Zeitung. The NSA has been rumored to have spied on numerous German citizens, including Chancellor Angela Merkel, for years.

    According to the newspaper, a legal battle by the State Prosecutor’s office would only be a symbolic measure: in Range’s opinion, Germany does not have sufficient evidence of the NSA’s activities. Neither witnesses nor incriminating documents are available. There is no way, it is said in Karlsruhe, to obtain official material on the activities of the NSA and the British GCHQ eavesdropping service in Germany.

    Sources:
    http://www.tietoviikko.fi/kaikki_uutiset/saksan+valtionsyyttaja+ei+aio+tutkia+nsan+vakoilua/a990823
    http://www.sueddeutsche.de/politik/abgehoertes-merkel-handy-generalbundesanwalt-will-nicht-in-nsa-affaere-ermitteln-1.1977054

    Reply
  38. Tomi Engdahl says:

    Spotify to ask users to re-enter passwords after cyberattack
    http://www.reuters.com/article/2014/05/27/us-spotify-cybercrime-idUSKBN0E723520140527

    Music streaming service Spotify AB will ask some of its 40 million users to re-enter their passwords and upgrade their software in coming days after detecting unauthorized access to its internal systems and data.

    Important Notice to Our Users
    http://news.spotify.com/us/2014/05/27/important-notice-to-our-users/

    We’ve become aware of some unauthorized access to our systems and internal company data and we wanted to let you know the steps we’re taking in response.

    Our evidence shows that only one Spotify user’s data has been accessed and this did not include any password, financial or payment information.

    As an extra safety step, we are going to guide Android app users to upgrade over the next few days. If Spotify prompts you for an upgrade, please follow the instructions.

    Reply
  39. Tomi Engdahl says:

    Snowden complained about mass surveillance tactics to his NSA masters
    “NSA has now explained that they have found one email inquiry by Edward Snowden.”
    http://arstechnica.com/tech-policy/2014/05/snowden-complained-about-mass-surveillance-tactics-to-his-nsa-masters/

    During his recent interview with NBC’s Brian Williams, whistleblower Edward Snowden said that he did go through official channels to air his grievances within the National Security Agency, contrary to what the spy agency has declared previously.

    On Thursday, the Office of the Director of National Intelligence changed its tune. On its official blog, the ODNI published Snowden’s e-mail.

    “NSA has now explained that they have found one e-mail inquiry by Edward Snowden to the Office of General Counsel asking for an explanation of some material that was in a training course he had just completed,” the agency wrote

    Reply
  40. Tomi Engdahl says:

    Google’s forget-me-knot: Ad giant ties on cheap search query squash request tool
    ‘We’re working with the EU to improve this. Meantime, give us YOUR ID’
    http://www.theregister.co.uk/2014/05/30/google_search_removal_request_from_eu_court_of_justice_ruling/

    Google is now offering European Union netizens a hastily thrown together online form they can fill in to submit requests for certain types of links to be removed from the ad giant’s search index.

    It comes after the EU’s highest court ruled earlier this month that Google can be held responsible for the type of personal data that appears on its ubiquitous search engine.

    Meanwhile, anyone asking to have queries removed from Google’s search index will need to provide valid photo ID, such as a copy of their passport or driving licence.

    But Google – which commands more than 90 per cent of the search market in Europe – made no mention today of how long it plans to retain that particular sensitive information on its servers.

    Reply
  41. Tomi Engdahl says:

    Bombshell TrueCrypt advisory: Backdoor? Hack? Hoax? None of the above?
    A sampling of theories behind Wednesday’s notice that TrueCrypt is unsafe to use.
    http://arstechnica.com/security/2014/05/bombshell-truecrypt-advisory-backdoor-hack-hoax-none-of-the-above/

    Wednesday’s bombshell advisory declaring TrueCrypt unsafe to use touched off a tsunami of comments on Ars, Twitter, and elsewhere. At times, the armchair pundits sounded like characters in Oliver Stone’s 1991 movie JFK, as they speculated wildly—and contradictorily—about what was behind a notice that left so many more questions than answers. Here are some of the more common theories, along with facts that either support or challenge their accuracy.

    Reply
  42. Tomi Engdahl says:

    Root backdoor found in surveillance gear used by law enforcement
    Vulnerability one of nine critical weaknesses from lawful intercept provider.
    http://arstechnica.com/security/2014/05/root-backdoor-found-in-surveillance-gear-used-by-law-enforcement/

    Software used by law enforcement organizations to intercept the communications of suspected criminals contains a litany of critical weaknesses, including an undocumented backdoor secured with a hardcoded password, security researchers said today.

    In a scathing advisory published Wednesday, the researchers recommended people stop using the Nice Recording eXpress voice-recording package. It is one of several software offerings provided by Ra’anana, Israel-based Nice Systems, a company that markets itself as providing “mission-critical lawful interception solutions to support the fight against organized crime, drug trafficking and terrorist activities.” The advisory warned that critical weaknesses in the software expose users to attacks that compromise investigations and the security of the agency networks.

    “Attackers are able to completely compromise the voice recording/surveillance solution as they can gain access to the system and database level and listen to recorded calls without prior authentication,”

    The most serious of the weaknesses is a root backdoor account that contains poorly secured login credentials that can’t easily be changed.

    The flaws may also affect former products, including Cybertech eXpress and Cybertech Myracle.

    Reply
  43. Tomi Engdahl says:

    Unsafe cookies leave WordPress accounts open to hijacking, 2-factor bypass
    Accounts accessed from Wi-Fi hotspots and other unsecured networks are wide open.
    May 26 2014
    http://arstechnica.com/security/2014/05/unsafe-cookies-leave-wordpress-accounts-open-to-hijacking-2-factor-bypass/

    Memo to anyone who logs in to a WordPress.com-hosted blog from a public Wi-Fi connection or other unsecured network: It’s trivial for the script kiddie a few tables down to hijack your site even if it’s protected by two-factor authentication.

    Yan Zhu, a staff technologist at the Electronic Frontier Foundation, came to that determination after noticing that WordPress.com servers send a key browser cookie in plain text, rather than encrypting it, as long mandated by widely accepted security practices. The cookie, which carries the tag “wordpress_logged_in,” is set once an end user has entered a valid WordPress.com user name and password. It’s the website equivalent of a plastic bracelet used by nightclubs. Once a browser presents the cookie, WordPress.com servers will usher the user behind a velvet rope to highly privileged sections

    Fortunately, WordPress sites that are self-hosted on a server with full HTTPS support are not susceptible, as long as every page supports HTTPS and cookies contain the “secure” flag. Until a fix is available, WordPress.com users should ensure the site they’re logging into contains the full HTTPS support.

    Reply
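
The check the comment above describes, as an added example that is not WordPress.com’s code or the EFF’s: a small audit of a Set-Cookie header that reports a login cookie missing the Secure flag (the bug reported) and the HttpOnly flag, and rebuilds the header with both set. The cookie value, the path and the hypothetical second session-cookie name “sessionid” are constructed for illustration; only the “wordpress_logged_in” prefix comes from the article.

```python
"""Audit a Set-Cookie header for the flags a login cookie needs.

Added example, not WordPress.com code. The header strings below are
constructed; the cookie value and path are made up.
"""

# Conventional casing for the attribute names when the header is rebuilt.
CANONICAL = {
    "secure": "Secure", "httponly": "HttpOnly", "path": "Path",
    "domain": "Domain", "expires": "Expires", "max-age": "Max-Age",
    "samesite": "SameSite",
}

# Cookies whose names start with one of these carry an authenticated session.
# "wordpress_logged_in" is the cookie named in the article (WordPress appends a
# per-site suffix, hence the prefix match); "sessionid" is a hypothetical extra.
SESSION_COOKIE_PREFIXES = ("wordpress_logged_in", "sessionid")


def parse_set_cookie(header: str):
    """Split one Set-Cookie header value into (name, value, attributes).

    Attribute keys are lower-cased; flag attributes such as Secure and
    HttpOnly, which carry no value, map to True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return name.strip(), value.strip(), attrs


def is_session_cookie(name: str) -> bool:
    return name.startswith(SESSION_COOKIE_PREFIXES)


def audit_set_cookie(header: str) -> list:
    """Return the problems found with a session cookie header (empty if none).

    Non-session cookies are not judged: a display-preference cookie does not
    need the protection a login token needs.
    """
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if not is_session_cookie(name):
        return findings
    if "secure" not in attrs:
        findings.append("missing Secure: the browser will also send this cookie "
                        "over plain HTTP, where anyone on the same network reads it")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: script injected into any page can read it")
    return findings


def harden_set_cookie(header: str) -> str:
    """Rebuild the header with Secure and HttpOnly set; other attributes are kept."""
    name, value, attrs = parse_set_cookie(header)
    attrs.setdefault("secure", True)
    attrs.setdefault("httponly", True)
    rendered = [f"{name}={value}"]
    for key, val in attrs.items():
        label = CANONICAL.get(key, key)
        rendered.append(label if val is True else f"{label}={val}")
    return "; ".join(rendered)


# Constructed samples: the situation the article describes (a login cookie with
# no flags) next to a harmless preference cookie.
SAMPLE_HEADERS = [
    "wordpress_logged_in_1a2b3c=alice%7C1401400000%7Cabc123; path=/",
    "wp-settings-time=1401400000; path=/",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        cookie_name = header.split(";")[0].split("=")[0]
        for finding in audit_set_cookie(header) or ["ok"]:
            print(f"{cookie_name}: {finding}")
        print("  hardened:", harden_set_cookie(header))
```

The Secure flag only helps if every page the cookie is needed on is served over HTTPS, which is the condition the comment gives for self-hosted sites: a login cookie marked Secure is never sent to an http:// URL, so a site with mixed HTTP and HTTPS pages would log the user out on the plain pages rather than leak the cookie.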
  44. Tomi Engdahl says:

    Get UNCRACKABLE quantum keys – from a smartphone
    Would take ‘10^18 times the age of the universe’ to guess
    http://www.theregister.co.uk/2014/05/30/get_uncrackable_quantum_keys_from_a_smartphone/

    Your smartphone is a quantum device that can be used to generate truly random keys, according to boffins at the University of Geneva.

    The authors say that smartphone CMOS cameras are now sensitive enough to take the place of expensive kit. “Their readout noise is of the order of a few electrons and their quantum efficiencies can achieve 80 per cent”, the paper states.

    That’s a lot cheaper than the QRNG kit currently on offer – although it’s more expensive than visiting the ANU’s https://qrng.anu.edu.au/RainBin.php online QRNG site.

    Reply
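
What a generator of this kind has to do with the raw readings, as an added example; this is not the Geneva group’s code and not their extractor. A camera does not hand you uniform random bits: each pixel reading is a small photon count plus readout noise, so the readings are biased and have to be measured for min-entropy and then condensed. The “camera” below is a constructed simulation (Gaussian shot noise plus Gaussian readout noise, quantised to 8-bit values), the entropy figure is the empirical min-entropy of a calibration run, and the conditioner is a plain SHA-256 hash fed twice as many bits of estimated entropy as it outputs. The block sizes, the 2x margin and the noise parameters are assumptions chosen for illustration.

```python
"""Turn noisy sensor readings into key bytes, sized by the entropy they hold.

Added example; not the Geneva paper's code or extractor. simulate_pixels() is a
constructed stand-in for a dark CMOS frame, and the conditioner is a simple
SHA-256 hash with a 2x min-entropy margin.
"""
import hashlib
import math
import random
from collections import Counter


def simulate_pixels(n: int, mean_photons: float = 12.0, read_noise: float = 3.0,
                    seed: int = 1) -> list:
    """Constructed pixel readouts: shot noise (sd = sqrt(mean)) plus readout noise,
    clamped and rounded to the 8-bit values a camera API would return."""
    rng = random.Random(seed)
    out = []
    for _ in range(n):
        value = rng.gauss(mean_photons, math.sqrt(mean_photons)) + rng.gauss(0.0, read_noise)
        out.append(max(0, min(255, round(value))))
    return out


def min_entropy_per_sample(samples) -> float:
    """-log2 of the most frequent value's frequency.

    Min-entropy, not Shannon entropy, bounds how well an attacker can guess a
    sample, so it is the figure to size keys by. It is a plug-in estimate from
    the data and must come from a calibration run, not from the samples being keyed.
    """
    counts = Counter(samples)
    p_max = max(counts.values()) / len(samples)
    return -math.log2(p_max)


def samples_per_block(bits_per_sample: float, out_bits: int = 256,
                      margin: float = 2.0) -> int:
    """Raw samples per hashed block, so each block carries margin * out_bits of
    estimated min-entropy before it is squeezed to out_bits."""
    if bits_per_sample <= 0:
        raise ValueError("samples carry no entropy; refuse to produce a key")
    return math.ceil(out_bits * margin / bits_per_sample)


def extract(samples, bits_per_sample: float) -> bytes:
    """Condense samples into key bytes: each 32-byte output block is the SHA-256
    of one full block of samples. A trailing partial block is discarded rather
    than stretched, so output length never exceeds the entropy budget."""
    block = samples_per_block(bits_per_sample)
    if len(samples) < block:
        raise ValueError(f"need at least {block} samples for one block, got {len(samples)}")
    out = bytearray()
    for start in range(0, len(samples) - block + 1, block):
        raw = bytes(samples[start:start + block])  # values are 0..255 by construction
        out += hashlib.sha256(raw).digest()
    return bytes(out)


if __name__ == "__main__":
    calibration = simulate_pixels(50_000, seed=0)     # characterise the source once
    rate = min_entropy_per_sample(calibration)
    live = simulate_pixels(5_000, seed=7)             # a fresh frame for the key
    key = extract(live, rate)
    print(f"min-entropy {rate:.2f} bits/sample, {samples_per_block(rate)} samples per 256-bit block")
    print(f"{len(live)} samples -> {len(key)} key bytes; first 16: {key[:16].hex()}")
```

The two failure modes worth noting are built in: a source whose readings repeat (min-entropy zero, for instance a saturated or covered sensor) is refused instead of being hashed into something that merely looks random, and the output length is derived from the measured entropy rather than from how many bytes the caller wants.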
  45. Tomi Engdahl says:

    Tens of thousands of ‘Watch Dogs’ pirates ENSLAVED by Bitcoin botmaster
    Watch Dogs fans targeted for access to their juicy GPUs
    http://www.theregister.co.uk/2014/05/28/watch_dogs_pirate_gamers_botnet/

    Tens of thousands of pirate gamers have been enslaved in a Bitcoin botnet after downloading a cracked copy of popular game Watch Dogs.

    A torrent of the infected title, which supposedly has had its copy-protection removed, had almost 40,000 active users

    quietly installed a Bitcoin miner along with a working copy of the game.

    “If you happen to download cracked games via Torrent or other P2P sharing services, chances are that you may become a victim of [a] lucrative trojan bundled with a genuine GPU miner,”

    Reply
  46. Tomi Engdahl says:

    Police at the door? Hit the PANIC button to erase your RAM
    App wipes memory, encrypts hysterical hacker boxes
    http://www.theregister.co.uk/2014/05/28/police_at_the_door_hit_the_panic_button/

    The next time the police kick down a hackers’ door, suspects can reach for the Panic button to make it nigh-on impossible for plod to recover any data, even if they freeze their target PCs.

    The Panic button is a new Python app called “Centry Panic” and was developed to mitigate cold boot and direct memory access attacks on Windows, Mac and Linux that could be used by forensics professionals to capture information from memory.

    Cold boot attacks allow the fading contents of RAM to be preserved for reading after a target machine is shut down. Direct memory access side-channel attacks allow crypto keys to be yanked by attackers with access to the physical memory address space of a target machine.

    The Python application is replete with a shiny graphical user interface and would lock down Truecrypt disks, erase keys and overwrite RAM before shutting down a targeted system.

    Reply
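
The “erase keys and overwrite RAM” step from the comment above, as an added example that is not the Centry Panic code. A key held in a Python `bytes` object cannot be erased (the object is immutable and the interpreter may keep copies), so the example keeps keys in `bytearray` buffers and overwrites their backing memory through `ctypes`, then verifies the wipe. The passphrase, salt, iteration count and the `KeyRing` class are hypothetical.

```python
"""Wipe key material from memory before a machine is powered off.

Added example, not the Centry Panic code: it shows the one step the article
describes (erasing keys and overwriting the RAM that held them) for keys held
by a Python program. Passphrase, salt and iteration count are hypothetical.
"""
import ctypes
import hashlib
import hmac


def derive_key(passphrase: bytes, salt: bytes, rounds: int = 100_000) -> bytearray:
    """Derive a 32-byte key into a bytearray, the builtin buffer we can overwrite in place."""
    return bytearray(hashlib.pbkdf2_hmac("sha256", passphrase, salt, rounds, dklen=32))


def sign(key: bytearray, message: bytes) -> str:
    """Use the key while it is live (an HMAC tag stands in for a disk-crypto operation)."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def wipe(buf: bytearray) -> None:
    """Overwrite buf in place, first with 0xFF then with 0x00.

    The ctypes view shares buf's own backing store, so the memset hits the
    bytes that held the key rather than a temporary copy.
    """
    n = len(buf)
    if n == 0:
        return
    view = (ctypes.c_ubyte * n).from_buffer(buf)
    ctypes.memset(ctypes.addressof(view), 0xFF, n)
    ctypes.memset(ctypes.addressof(view), 0x00, n)
    del view  # release the buffer export so buf can be resized or freed again


def is_wiped(buf: bytearray) -> bool:
    return not any(buf)


class KeyRing:
    """Tracks every live key buffer so one panic() call clears all of them."""

    def __init__(self):
        self._keys = []

    def load(self, passphrase: bytes, salt: bytes) -> bytearray:
        key = derive_key(passphrase, salt)
        self._keys.append(key)
        return key

    def panic(self) -> int:
        """Wipe every key and return how many buffers were cleared."""
        cleared = 0
        for key in self._keys:
            wipe(key)
            cleared += 1
        self._keys.clear()
        return cleared


if __name__ == "__main__":
    ring = KeyRing()
    k = ring.load(b"correct horse battery staple", b"constructed-salt")
    print("tag before panic:", sign(k, b"volume header"))
    print("wiped", ring.panic(), "key(s); key now all zero:", is_wiped(k))
```

The honest caveat is that this is as far as a Python program can go: `pbkdf2_hmac` itself returns an immutable `bytes` object that is copied into the bytearray, and that original is freed but never zeroed, which is why a tool like the one described also overwrites RAM wholesale and unmounts the encrypted volumes rather than relying on the application to find every copy of its keys.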
  47. Tomi Engdahl says:

    CERT Oz report: 76 orgs popped in targeted attacks
    What’s whitelisting? We’re still married to XP
    http://www.theregister.co.uk/2014/05/30/cert_oz_report_76_orgs_popped_in_targeted_attacks/

    Seventy-six businesses have owned up to targeted attacks getting past their defences, according to the government’s Computer Emergency Response Team (CERT), which released the findings in an annual report late yesterday.

    The mostly Australian businesses represented 135 organisations reporting to the CERT Australia survey and were part of a 35 percent uptick in reported information security incidents from the previous 2012 survey.

    In other findings:

    Eighteen organisations said they would maintain their Windows XP deployments despite Microsoft’s botched end of life plans for the operating system.
    Use of cryptography had spiked by 35 percent to 60 percent of responding organisations.

    Reply
  48. Tomi Engdahl says:

    TrueCrypt turmoil latest: Bruce Schneier reveals what he’ll use instead
    Plus other alternatives and theories behind disk-crypto util’s demise
    http://www.theregister.co.uk/2014/05/29/truecrypt_analysis/

    In the past hour, crypto-guru Bruce Schneier has told us he’s switched back to Symantec’s PGPDisk to encrypt his data.

    “I have no idea what’s going on with TrueCrypt,” he added on his blog. “Speculations include a massive hack of the TrueCrypt developers, some Lavabit-like forced shutdown, and an internal power struggle within TrueCrypt. I suppose we’ll have to wait and see what develops.”

    Last month the software successfully cleared the first phase of an independent code-quality inspection, which “found no evidence of backdoors or intentional flaws”. A grassroots campaign raised $70,000 to pay for the professional audit, funds that the latest developments would suggest may have been wasted.

    The ominous warning slapped on TrueCrypt came as an unwelcome bolt from the blue

    Veteran security world watcher Graham Cluley said: “Whether hoax, hack or genuine end-of-life for TrueCrypt, it’s clear that no security-conscious users are going to feel comfortable trusting the software after this debacle. It’s time to start looking for an alternative way to encrypt your files and hard drive.”

    Johannes Ullrich of the SANS Technology Institute recommended FileVault and LUKS, for Mac OS X and Linux users, respectively, as potential alternatives.

    Reply
