Security trends for 2014

The year 2014 will be a year of cybersecurity after the NSA revelations of 2013. The headline news was that the NSA had surreptitiously “burrowed its way into nearly all the security architecture” sold by the world’s largest computer networking companies. A lot of people were shocked at how the NSA monitored and hacked almost everything on the Internet. There will be more NSA aftershocks as new material comes out and different parties react to it (and news sources write about it). U.S. cloud services have been called into question, for good reason. There will be a lot of NSA spying litigation, and the spying issues will also fuel hacktivism (which has already started to happen).

The article Security Professionals: Top Cyber Threat Predictions for 2014 lists the following predictions, which seem quite probable: cybersecurity regulatory efforts will spark a greater need for harmonization; service-impacting interruptions of online services will persist; cybercrime activity related to the World Cup will increase; regional cloud services will rise; DevOps security integration is fast becoming critical; cybercrime that leverages unsupported software will increase; and social engineering and ransomware will affect more people.

Ubiquitous mobile computing is all around us, which will lead to increased risks and concerns about social network privacy. Social networks have quickly become the key organizing principle of Internet communication and collaboration. Note that Android anti-virus apps CAN’T kill malware on sight the way desktop AV does: they run as ordinary sandboxed apps, so they can detect a malicious app and prompt the user to uninstall it, but cannot remove it on their own.

2013 was a heavily hacked year, with many cases where information on millions or tens of millions of users was stolen from companies. It is likely that we will see much more of the same in 2014: the way people use passwords and the way online services are built have not changed much in a year.


Gartner predicts that through 2014, improved JavaScript performance will begin to push HTML5 and the browser as a mainstream enterprise application development environment. I expect HTML5-related security issues to increase as the technology is used more in 2014.

Over 50% of net traffic to web sites is made by bots! The article More Than Half of Internet Traffic Is Just Bots says that security and cloud service provider Incapsula analyzed its traffic and found that more than 60 percent of Internet traffic is computer generated, compared to less than 40 percent driven by human clicks. 31% of bot traffic is still malicious. SEO link building has always been a major motivation for automated link spamming, but it is decreasing because Google has been able to discourage it. On the other hand, there is more advanced hacking and automated vulnerability scanning.

DDoS attacks are evolving from volumetric Layer 3-4 attacks to much more sophisticated and dangerous Layer 7 multi-vector threats, which target the application itself (expensive requests such as logins, searches and database writes) rather than the network pipe, and need far less bandwidth to take a service down.

There will still be many SCADA security issues in 2014. Even though traditional SCADA vulnerabilities have become easier to find, the increased connectivity brought by IoT will cause new issues. And there will still be very many control systems openly accessible from the Internet to practically everybody who knows how to look for them. A large number of SCADA systems were found open on the Internet at the beginning of 2013, and the numbers have not dropped considerably during the year. I expect that very many of those systems will still be too open at the end of 2014.

The Internet is expanding into enterprise assets and consumer items such as cars and televisions. The Internet of Things (IoT) will evolve into the Web of Things, increasing the coordination between things in the real world and their counterparts on the Web. There will be many security issues to solve, and as these systems become more widely used, more security issues will be found in them.

Cloud security will be talked about. Hopefully there will be some clearing up of the terminology in that area, because “cloud security” can mean a lot of things, like the term “cloud computing” itself. Cloud security could mean how secure your cloud provider is; a service that runs in the cloud and filters what passes through it (for example e-mail or web traffic); a product protecting some service running in the cloud; or a traditional anti-virus product that connects to the cloud to improve its operation (for example real-time updates, or verifying unknown programs against data in the cloud). Research firm Gartner forecasts that cloud security sales will increase dramatically in the next few years, from $2.1 billion to $3.1 billion in 2015.

Marketers put the term “cloud” into security product brochures as much as they can. The cloud makes traditional information security sound old-fashioned, because companies are under pressure to move services to the cloud. Mobile devices and dispersed users also set new requirements for information security. OpenDNS CTO Dan Hubbard says that because the data and the equipment run in the cloud, the cloud is also the best place to protect the users. The Snowden effect will also put PRIVATE cloud talk on the table this year for security reasons, because U.S. cloud services have been called into question for good reason.

In Finland a new Cyber Security Centre started at the beginning of 2014. Security articles and warnings from it will be published at kyberturvallisuuskeskus.fi.

Late addition: Crypto-currencies like Bitcoin and similar are on the rise. Early adopters already use them actively. Those crypto-currencies have many security issues related to them. Their values vary quite a lot, and the value easily drops considerably when they get used so much that governments try to limit their use. Bitcoin is increasingly used as a ransomware payment method. Bitcoins have lately been stolen quite a lot (and I expect that to increase as usage increases), from users, from online wallets and from exchanges. When more money is involved, more bad guys try to get some of it. Sometimes the bad guys do not try to steal your money but use resources you pay for (your own PC, your server capacity, etc.) to generate money for them without you knowing about it. If you plan to use crypto-currencies, be careful to understand what you are doing with them: there is a real possibility that you lose your money, and there is no way that lost money can be recovered.

3,382 Comments

  1. Tomi Engdahl says:

    Hackers suspected of holding Apple devices to ransom detained in Russia
    http://www.smh.com.au/digital-life/consumer-security/hackers-suspected-of-holding-apple-devices-to-ransom-detained-in-russia-20140610-zs2bm.html

    Russian authorities say they have detained two young hackers who are alleged to have hijacked Apple devices and digitally held them ransom.

    Reply
  2. Tomi Engdahl says:

    Crypto-boffins propose safer buddy list protocol
    Presence services with less privacy risk
    http://www.theregister.co.uk/2014/06/10/cryptoboffins_propose_safer_friendlist_handling/

    One of the attractions of presence in communications services is that you know someone’s available before you try to contact them. The flipside is that presence is also inimical to privacy. Now, a group of researchers has put forward a way to improve the privacy of “buddy lists” while still allowing friends to know each other’s presence.

    DP5 proposes a mechanism in which users’ buddy lists are encrypted but can still be interrogated

    The paper also notes that with the experience of Lavabit and the Snowden revelations as examples, it’s probably a good idea for anyone trying to pitch a “secure online messaging” service to avoid collecting privacy-sensitive metadata.

    Reply
  3. Tomi Engdahl says:

    Bitcoin ransomware racket makes bank
    Thousands paid, but Durham says it won’t be bowed
    http://www.theregister.co.uk/2014/06/10/bitcoin_ransomware_scum_racket_makes_bank/

    Criminals appear to be pocketing hundreds of thousands of dollars with upgraded Cryptowall ransomware that has encrypted scores of hard drives across Britain, America and Australia demanding victims pay hefty Bitcoin ransoms.

    The ransomware was foisted on victims through sneaky malvertising through unsuspecting big ticket sites including Facebook, The Guardian and eBay.

    Cryptowall locked down victim files on local and attached storage devices with RSA-2048 encryption implemented well enough that no public side channel attacks have yet been reported.

    Victims were asked to pay $US500 to unlock encrypted drives within a short period or face exponential increases in ransom.

    The success of the scam since Cryptowall was bundled into the popular RIG exploit kit indicates that criminals have made huge profits from the crime.

    Users of unpatched versions of Flash, Java and Silverlight were open to attack.

    Reply
  4. Tomi Engdahl says:

    176 million records compromised in Q1 2014
    http://www.csoonline.com/article/2361028/data-protection/176-million-records-compromised-in-q1-2014.html

    A new report from Risk Based Security (RBS) says that while the number of security incidents during the first quarter of 2014 is comparable to those in 2013, the number of records compromised per incident is on the rise.

    In their Data Breach QuickView Report, RBS notes that there were more than 176 million records exposed in Q1 2014 (based on 669 reported incidents), representing a 46 percent increase when compared to the same period one year earlier.

    In addition, it seems that history keeps repeating itself. According to the report, many of the organizations that suffered a security incident during Q1 2014 had previously disclosed a similar issue in the past.

    “It’s difficult to say whether security is deteriorating, bad actors are getting better or some combination of both,”

    “What we do know is that there have been eight events in the past six months that have involved the compromise of at least 10 million records per event and the trend is continuing with the most recent revelations at eBay.”

    Another interesting note from the report is the fact that 59 percent of the total records exposed were the result of insider activities.

    Reply
  5. Tomi Engdahl says:

    Wanna secure BlackBerry, Android or Chrome OS? Why not ask GCHQ for advice
    They’re your friends
    http://www.theregister.co.uk/2014/06/10/security_guidance_for_blackberry_1021_android_44_and_chrome_os/

    The sexy-named Communications Electronics Security Group – the bit of GCHQ that helps Brits protect secrets from foreign spies (never mind GCHQ) – has issued new advice for securing BlackBerry OS, Android and Chrome OS.

    The guidelines are part of a series of updates on safeguarding various operating systems from hackers – and as we have previously noted this is to the OFFICIAL level of security, not SECRET or above. OFFICIAL is on a par with most business and corporate security.

    The updates to the advice on Android cover the move from Jellybean to KitKat (version 4.4); enable SELinux in enforcing mode to enhance platform integrity and sandboxing; switch on device monitoring warnings; use certificate pinning to prevent interception and modification of SSL traffic; and switch on verified boot.

    The document observes that there are cost and usability issues with the most locked-down of these modes and asks IT staff to weigh up the pros and cons.

    Reply
  6. Tomi Engdahl says:

    2nd China Army Unit Implicated in Online Spying
    http://www.nytimes.com/2014/06/10/technology/private-report-further-details-chinese-cyberattacks.html?_r=0

    Their targets were the networks of European, American and Japanese government entities, military contractors and research companies in the space and satellite industry, systematically broken into for seven years.

    Just weeks after the Justice Department indicted five members of the Chinese army, accusing them of online attacks on United States corporations, a new report from CrowdStrike, released on Monday, offers more evidence of the breadth and ambition of China’s campaign to steal trade and military secrets from foreign victims.

    Those officials say the N.S.A. and its partners are currently tracking more than 20 hacking groups in China, over half of them units of the People’s Liberation Army, as they break into public and private sector companies ranging from satellite, drone and nuclear weapon component makers to technology and energy companies and research groups.

    CrowdStrike’s researchers said they traced attacks on dozens of the company’s clients in the space and satellite industry to the group; the researchers say the list of victims could number in the hundreds, if not thousands.

    In some cases, researchers said, attackers slipped up and registered websites used in their assaults under the same email address they used to register personal blog and social media accounts.

    Reply
  7. Tomi Engdahl says:

    We’ve Set Up a One-Click Test For GameOver ZeuS
    http://www.f-secure.com/weblog/archives/00002712.html

    Today we’ve published a new, quick way to check if your computer is infected by GameOver ZeuS (GOZ). Last week the GOZ botnet was disrupted by international law enforcement together with industry partners, including ourselves.

    It is of critical importance to realize GOZ was disrupted — not dismantled. It’s not technically impossible for the botnet administrators to reclaim control in the near future. More than one million computers are infected by GOZ, time is of the essence.

    To assist with remediation, starting today, you can simply visit — http://www.f-secure.com/gameoverzeus — to see if your browser has signs of a GameOver ZeuS infection. The nice part is you don’t have to install any software and it takes only a few seconds!

    GameOver ZeuS will notice that you are about to sign in to a site it’s interested in and steals your credentials straight from inside the browser. How does it do this? By including a configuration file which lists all the addresses it’s interested in.

    So what does GameOver actually do when a user is going to Amazon.com? Since the malware lives inside the browser, not only can it see what you type into the login page, but it can also modify the webpage before you see it. When a user with an infected browser goes to Amazon, ZeuS will “inject” more content onto the page.

    Often this extra code adds new fields to the login page and then sends the content to a server the attacker controls.

    If you are infected, visiting our page makes GameOver ZeuS think you are going to Amazon, even if you’re not!

    Reply
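The check described in the comment above works because a man-in-the-browser trojan rewrites the page before the user sees it, so the delivered form no longer matches the genuine one. The following is an added example, not F-Secure’s test page or its code: it parses a login form and reports any data-carrying fields that are not in a known baseline. The two HTML documents, the field baseline and the field names are constructed for the demonstration. In a real one-click test the same comparison would run inside the browser against the live DOM, since that is where the injection happens.

```python
"""Detect fields a web-inject added to a login form.

Added example, not F-Secure's test page or code. A man-in-the-browser
trojan such as GameOver ZeuS rewrites a page it is configured for before
the user sees it, typically adding extra input fields. If the genuine form
is known, the delivered form can be compared against it. The two HTML
documents below are constructed for this demonstration.
"""
from html.parser import HTMLParser

# Constructed baseline: the fields the genuine sign-in form is known to have.
EXPECTED_FIELDS = {"email", "password", "csrf_token"}

CLEAN_PAGE = """
<form action="/ap/signin" method="post">
  <input type="hidden" name="csrf_token" value="abc123">
  <input type="email" name="email">
  <input type="password" name="password">
  <input type="submit" value="Sign in">
</form>
"""

# Constructed page as an infected browser would render it: the same form
# with card number and PIN fields added by the inject.
INJECTED_PAGE = """
<form action="/ap/signin" method="post">
  <input type="hidden" name="csrf_token" value="abc123">
  <input type="email" name="email">
  <input type="password" name="password">
  <label>Card number <input type="text" name="card_number"></label>
  <label>ATM PIN <input type="password" name="card_pin"></label>
  <input type="submit" value="Sign in">
</form>
"""


class FormFieldCollector(HTMLParser):
    """Collect the name of every input, select and textarea in the document."""

    def __init__(self):
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("input", "select", "textarea"):
            return
        attrs = dict(attrs)
        # Buttons carry no user data, so they are not interesting here.
        if tag == "input" and (attrs.get("type") or "text").lower() in (
            "submit", "button", "reset", "image"
        ):
            return
        name = attrs.get("name")
        if name:
            self.fields.append(name)


def form_fields(html):
    """Return the named data-carrying fields in document order."""
    collector = FormFieldCollector()
    collector.feed(html)
    return collector.fields


def injected_fields(html, expected=EXPECTED_FIELDS):
    """Field names present in the page but absent from the baseline (sorted);
    a non-empty result is the signature of a web-inject."""
    return sorted(set(form_fields(html)) - set(expected))


def looks_infected(html, expected=EXPECTED_FIELDS):
    return bool(injected_fields(html, expected))


if __name__ == "__main__":
    for label, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(label, injected_fields(page))
```

Injects can also remove or rename fields (for example to bypass a second factor), so a production check would report the set difference in both directions, not just the extra fields shown here.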
  8. Tomi Engdahl says:

    Quantum Cryptography
    http://www.linuxjournal.com/content/quantum-cryptography

    Classical cryptography provides security based on unproven mathematical assumptions and depends on the technology available to an eavesdropper. But, these things might not be enough in the near future to guarantee cyber security. We need something that provides unconditional security. We need quantum cryptography.

    What is quantum cryptography? Quantum cryptography is a complex topic, because it brings into play something most people find hard to understand—quantum mechanics. So first, let’s focus on some basic quantum physics that you’ll need to know to understand this article.

    Reply
  9. Tomi Engdahl says:

    We talk about cyber threats, but it does not show in the income of security companies – the security software market grew by only 5%

    The security software market grew by five per cent last year to $20 billion (about 15 billion euros), estimates market research firm Gartner.

    According to Gartner, four companies in the field, Symantec, McAfee, IBM and Trend Micro, reached over a billion dollars in security turnover.

    Finnish F-Secure brought in 155 million euros in turnover. The second largest Finnish security software company, Stonesoft, was bought by McAfee.

    Source: http://www.tietoviikko.fi/uutisia/kyberuhkista+puhutaan+mutta+se+ei+nay+tuloina++tietoturvaohjelmistomarkkinat+kasvoivat+vain+5/a992983

    Reply
  10. Tomi Engdahl says:

    Banks: Credit Card Breach at P.F. Chang’s
    https://krebsonsecurity.com/2014/06/banks-credit-card-breach-at-p-f-changs/

    Nationwide chain P.F. Chang’s China Bistro said today that it is investigating claims of a data breach involving credit and debit card data reportedly stolen from restaurant locations nationwide.

    The items for sale are not cards, per se, but instead data copied from the magnetic stripe on the backs of credit cards. Armed with this information, thieves can re-encode the data onto new plastic and then use the counterfeit cards to buy high-priced items at big box stores, goods that can be quickly resold for cash (think iPads and gift cards, for example).

    The most common way that thieves steal this type of card data is by hacking into cash registers at retail locations and planting malicious software that surreptitiously records mag stripe data when cards are swiped through the machines. The breaches at Target, Neiman Marcus, Michaels and Sally Beauty all were powered by malware that thieves planted on point-of-sale systems.

    Reply
  11. Tomi Engdahl says:

    Audit Project Releases Verified Repositories of TrueCrypt 7.1a
    https://threatpost.com/audit-project-releases-verified-repositories-of-truecrypt-7-1a/106569

    As the uncertainty surrounding the end of TrueCrypt continues, members of the security community are working to preserve a known-good archive of the last version of the open source encryption software released before the developers inserted a warning about potential unfixed bugs in the software and ended development.

    The team behind the Open Crypto Audit Project, which has undertaken an audit of TrueCrypt, has posted a verified repository of TrueCrypt 7.1a on GitHub. There are versions for Windows, Linux and OS X.

    OCAP team is continuing with its audit

    Reply
  12. Tomi Engdahl says:

    Bank of England plans to shove cyber-microscope up nation’s bankers
    BoE and pals will use govt intelligence to stage pen-tests at financial powerhouses
    http://www.theregister.co.uk/2014/06/10/bank_of_england_plans_cyber_assaults_on_nations_financial_institutions/

    The Bank of England today announced it plans to penetrate Blighty’s banks to test the security of their critical computer systems.

    Speaking to the British Bankers’ Association, the BoE’s exec director of resolution, Andrew Gracie launched CBEST, a new defence-testing programme that mimics crims who attack crucial networks.

    The idea is that attacks orchestrated by BoE will be more realistic than the ones the lenders organise to test themselves, because they’ll be planned using more up-to-date information.

    Reply
  13. Tomi Engdahl says:

    China puts Windows 8 on TV, screams: ‘SECURITY, GET IT OUT OF HERE!’
    Redmond’s latest OS is ‘big challenge for cybersecurity’, says state broadcast
    http://www.theregister.co.uk/2014/06/04/chinese_windows_8/

    China has stepped up its war on Microsoft’s Windows 8 operating system with a report in state-backed media that questions the security of the software.

    In a one and a half minute segment aired on China’s CCTV television channel, journalists reported that the Chinese government is concerned by the security of the Windows 8 software and is increasing efforts to develop its own rival system.

    “Microsoft would no longer open its Windows 8 source code to the Chinese government, however the security scheme of the Windows 8 operating system is designed to provide better access for Microsoft to users’ database. For China it’s a big challenge for our cybersecurity,”

    “Your identity, account, contact book, phone numbers, all this data can be put together for big data analysis,”

    “The US has a law that requires anyone that has this data to report to the government. The data might be a good way for the US to monitor other countries.”

    Reply
  14. Tomi Engdahl says:

    Google’s URL-hiding ‘origin chip’ is ‘backburnered’
    Translation: insecure feature scammers would have loved has been binned
    http://www.theregister.co.uk/2014/06/11/googles_urlhiding_origin_chip_is_backburnered/

    Google has “backburnered” a controversial feature that would have hidden full details of web addresses from Chrome users.

    The ad-slinger’s rationale for origin chip was to tidy up the browser and highlight the sites users visit, to foil attacks that rely on spoofing sites with subtle variations on real sites’ names.

    Critics pointed out that all sorts of criminals love the idea of users seeing only a domain name because if Joe or Jane Average sees http://www.google.com they’re not going to be able to see the likes of http://www.google.com/this_page_is_malware_planted_by_a_phisher.

    Reply
  15. Tomi Engdahl says:

    Google Pays $500M for Satellite Maker Skybox, for Photos and Eventually Internet Access
    http://recode.net/2014/06/10/google-pays-500m-for-satellite-maker-skybox-for-photos-and-eventually-internet-access/

    Google said on Tuesday it had bought Skybox Imaging, a company that provides high-resolution photos using satellites, for $500 million in cash.

    Google explained the deal as such: “Their satellites will help keep our maps accurate with up-to-date imagery. Over time, we also hope that Skybox’s team and technology will be able to help improve Internet access and disaster relief — areas Google has long been interested in.”

    Skybox provides sub-meter images as well as 90-second videos from its network of small satellites.

    Reply
  16. Tomi Engdahl says:

    Microsoft fights U.S. search warrant for customer e-mails held in overseas server
    http://www.washingtonpost.com/world/national-security/microsoft-fights-us-search-warrant-for-customer-e-mails-held-in-overseas-server/2014/06/10/6b8416ae-f0a7-11e3-914c-1fbd0614e2d4_story.html

    Microsoft, one of the world’s largest e-mail providers, is resisting a government search warrant to compel the firm to turn over customer data held in a server located overseas.

    In what could be a landmark case, the Redmond, Wash., company is arguing that such a warrant is not justified by law or the Constitution. Microsoft and other tech firms also fear that if the government prevails and can reach across borders, foreign individuals and businesses will flee to their non-U.S. competitors.

    “If the government’s position prevails, it would have huge detrimental impacts on American cloud companies that do business abroad,’’

    Reply
  17. Tomi Engdahl says:

    Dropbox For Business Acquires MobileSpan To Make Bring-Your-Own-Device More Secure
    http://techcrunch.com/2014/06/10/dropbox-mobilespan/

    Dropbox has just acquired MobileSpan, a startup that helps enterprise employees access corporate firewalled content securely. MobileSpan will shut down at the end of 2014, and active development will cease immediately.

    The idea was to secure the connection rather than lock down a user’s device, making BYOD much simpler. Due to device fragmentation, it’s tough to scale to work on every mobile handset and laptop.

    Dropbox isn’t the only one with that dream. It’s battling Box, Microsoft, Google and more in the fight to provide enterprise cloud storage, access and collaboration.

    Reply
  18. Tomi Engdahl says:

    The FCC Was Hacked After John Oliver Called for Net Neutrality Trolls
    http://motherboard.vice.com/read/the-fcc-was-hacked-after-john-olivers-call-for-net-neutrality-trolls

    When HBO host John Oliver called for Internet trolls to deluge the Federal Communications Commission with comments about net neutrality, he may not have expected the FCC’s site to get shut down. That, however, is exactly what happened, but it wasn’t because Oliver’s viewers overwhelmed the site with public comments, as was widely reported.

    In fact, shortly after Oliver’s 13-minute rant last Sunday, the FCC’s website was compromised by an external barrage that effectively shut down the site’s commenting system using database Denial of Service tactics, the FCC confirmed to Motherboard on Tuesday.

    A database DoS attack is different from the more common web-based DoS attack

    In a database DoS attack, the hacker targets the underlying infrastructure of the website itself, rather than just bombarding the site with traffic. In the FCC’s case, the intruders repeatedly initiated new public comments—most likely using an automated script—and then almost instantaneously executed searches for those records.

    No internal FCC data was compromised, but the hackers temporarily blocked legitimate public comments, an ironic twist for an agency seeking public input on its Open Internet rule-making process.

    Reply
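The comment above describes exactly the kind of Layer 7 attack the post itself expects to see more of: cheap requests that are expensive for the back end. The following added example (not FCC code or data) shows how the write-then-search pattern stands out in ordinary web server logs. The log lines are constructed in Apache-style format, the paths (`/comments`, `/search`) and the thresholds are assumptions, and a real deployment would tune them per site.

```python
"""Spot an application-layer (database) denial of service in web logs.

Added example, not FCC code or data. The log lines are constructed in
Apache-style format; the pattern looked for is the one described above:
a client repeatedly creates a comment and then immediately searches for
it, which is cheap to send but expensive for the database. Paths and
thresholds are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]+" (?P<status>\d{3}) \S+$'
)

SAMPLE_LOG = [
    # Constructed: one ordinary visitor posts a comment and searches once.
    '198.51.100.4 - - [10/Jun/2014:14:02:50 +0000] "POST /comments HTTP/1.1" 302 0',
    '198.51.100.4 - - [10/Jun/2014:14:02:51 +0000] "GET /search?q=neutrality HTTP/1.1" 200 5123',
]
# Constructed: one scripted client repeats the write-then-search pair every second.
SAMPLE_LOG += [
    line
    for i in range(6)
    for line in (
        f'203.0.113.7 - - [10/Jun/2014:14:03:{i:02d} +0000] "POST /comments HTTP/1.1" 302 0',
        f'203.0.113.7 - - [10/Jun/2014:14:03:{i:02d} +0000] "GET /search?q=c{i} HTTP/1.1" 200 4990',
    )
]
SAMPLE_LOG.append(
    '192.0.2.9 - - [10/Jun/2014:14:03:03 +0000] "GET /index.html HTTP/1.1" 200 8821'
)


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],  # drop the query string
    }


def find_write_then_search(lines, pair_gap=2.0, window=60.0, threshold=5):
    """Return {client_ip: pair_count} for clients that chain a comment POST
    with a search GET (within pair_gap seconds) at least threshold times
    inside a sliding window of window seconds."""
    last_post = {}                      # ip -> time of its most recent POST /comments
    recent_pairs = defaultdict(deque)   # ip -> times of write-then-search pairs in window
    flagged = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ip, ts = ev["ip"], ev["ts"]
        if ev["method"] == "POST" and ev["path"] == "/comments":
            last_post[ip] = ts
        elif ev["method"] == "GET" and ev["path"] == "/search":
            t_post = last_post.pop(ip, None)   # each POST pairs with at most one search
            if t_post is None or (ts - t_post).total_seconds() > pair_gap:
                continue
            q = recent_pairs[ip]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window:
                q.popleft()
            if len(q) >= threshold:
                flagged[ip] = len(q)
    return flagged


if __name__ == "__main__":
    print(find_write_then_search(SAMPLE_LOG))
```

Note what a bandwidth-based DDoS detector would see here: fourteen small requests in a few seconds, nothing remarkable. The signal is in the sequence of operations per client, which is why Layer 7 defences need application-aware logging and per-client rate limits on expensive operations rather than packet counters.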
  19. Tomi Engdahl says:

    Mirror group faces new phone-hacking claims
    http://www.theguardian.com/uk-news/2014/jun/10/mirror-group-new-phone-hacking-claims

    The publisher of the Sunday Mirror and Daily Mirror is facing compensation claims over alleged phone hacking from at least a dozen new litigants including Cilla Black and actor Christopher Eccleston.

    Documents lodged at the high court in London also reveal that there have been at least another 36 claims for compensation for alleged phone hacking made against News International subsidiary News Group Newspapers, publisher of the Sun and the defunct News of the World, since January this year.

    Ulster Unionist MEP James Nicholson is also suing News Group Newspapers. His office confirmed it was in relation to phone hacking.

    Reply
  20. Tomi Engdahl says:

    Entirely new 1Password for Android app now available with redesigned interface, totally free until August 1
    http://9to5google.com/2014/06/10/entirely-new-1password-for-android-app-now-available-with-redesigned-interface-totally-free-until-august-1/

    After teasing the redesign earlier this year, 1Password has finally launched a much-needed update to its Android app.

    For those unfamiliar, 1Password is a service that allows you to store all of your passwords within a single app. To access them, all you have to do is log into the app with your master password. From there, you can copy and paste the login you’re looking for into another app or website. The clipboard then auto-clears itself, the app relocks itself, and you are logged in.

    While 1Password is normally a premium app, you can get all the features of it for free through August 1st.

    Reply
  21. Tomi Engdahl says:

    Tools Will Drive the Hunt for Alien Hardware
    http://www.eetimes.com/author.asp?section_id=36&doc_id=1322663&

    We are only too aware today of the need to be constantly on guard against Trojan code that hackers try to convince us to run on our personal computers. Once loaded, the Trojan has easy access to core system functions that can track keystrokes, allowing hackers to break into online bank accounts and pick up important data for identity theft.

    Now, the SoC industry has to face the threat of hardware Trojans. Today’s highly disaggregated supply chain opens up numerous doors to hackers looking for a way around the security functions embedded into the personal devices that are becoming ubiquitous in our lives. Research has uncovered a number of scenarios under which Trojans can enter an IC-design project, all the way from the system level down to physical layout. Even a tiny change to the well doping of a standard cell can disrupt the intended behavior of an IC.

    Tiny, extremely stealthy Trojans could be used to open up gateways to financial data and DRM-protected content. Some research has shown how it is possible to weaken the security of a cryptoprocessor by reducing the effective entropy of a random-number generator or by providing information on the internal operation of the processor to an attacker through side-channel attacks.

    It is unclear whether hardware Trojans have been deployed in production ICs or whether the incentives to do so are sufficiently strong to make it a major risk. However, actions by some publicly funded institutions — such as the decision by the Semiconductor Research Council (SRC) to create and fund the Trustworthy and Secure Semiconductors and Systems (T3S) Consortium — indicate that the threat is being taken seriously.

    Reply
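The article above mentions Trojans that reduce the effective entropy of a random-number generator. The following added example (a software model, not any vendor’s RNG or a real hardware Trojan) shows why that is hard to catch with the usual statistical tests and what does catch it. The assumption is that the device whitens a raw seed into 128-bit outputs (modelled here with SHA-256): a Trojan that pins most of the seed bits leaves output that still passes a bit-frequency test, but with only 16 bits of real state the outputs start repeating after a few hundred draws.

```python
"""Catch a random-number generator whose effective entropy has been cut.

Added example; this is a software model, not a real hardware Trojan or
any vendor's RNG. Assumption: the device post-processes (whitens) a raw
seed into 128-bit outputs, modelled with SHA-256, so a Trojan that pins
most of the seed bits leaves output that still looks random to a
bit-frequency test. What gives it away is repeated outputs: with only
effective_bits bits of real state, collisions appear after roughly
2 ** (effective_bits / 2) draws.
"""
import hashlib
import random

OUTPUT_BYTES = 16  # 128-bit outputs


def make_rng(effective_bits, seed=1):
    """Return a generator function whose outputs depend on only
    effective_bits bits of fresh randomness per draw (seeded for
    reproducibility; a real device would be fed by hardware noise)."""
    noise = random.Random(seed)

    def next_output():
        state = noise.getrandbits(effective_bits)
        # The whitening step: any fixed one-way function will do for the model.
        return hashlib.sha256(state.to_bytes(16, "big")).digest()[:OUTPUT_BYTES]

    return next_output


def ones_fraction(samples):
    """Monobit statistic: fraction of 1 bits over all samples (should be ~0.5)."""
    ones = sum(bin(byte).count("1") for s in samples for byte in s)
    return ones / (8 * OUTPUT_BYTES * len(samples))


def collisions(samples):
    """Number of outputs that repeat an earlier output."""
    return len(samples) - len(set(samples))


def assess(effective_bits, draws=2000):
    """Run both checks on `draws` outputs of a generator with the given
    effective entropy and report the results."""
    rng = make_rng(effective_bits)
    samples = [rng() for _ in range(draws)]
    return {"ones_fraction": ones_fraction(samples), "collisions": collisions(samples)}


if __name__ == "__main__":
    for bits in (128, 16):
        print(bits, "bits of real entropy:", assess(bits))
```

Both generators pass the monobit check; only the 16-bit one produces collisions. The limitation is the birthday bound: a cut to 32 bits needs around 65,000 draws to show a repeat, and a cut to 64 bits is out of reach for black-box testing altogether, which is why trust in an RNG has to come from design verification and supply-chain assurance as well as from output testing.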
  22. Tomi Engdahl says:

    Popularity of public Wi-Fi complicates mobile security
    Employees can put business data at risk by connecting to insecure wireless networks
    http://www.computerworld.com.au/article/547271/popularity_public_wi-fi_complicates_mobile_security/

    The research revealed that more Australians were choosing either to tether their devices or opting for public Wi-Fi as an inexpensive alternative to 3G or 4G connectivity.

    However, although Wi-Fi hotspots can provide an inexpensive and sometimes free connection, their popularity as an alternative to cellular data connections can complicate even further the mobile security landscape for enterprise IT.

    Some networks are more secure than others and if employees’ devices are not adequately secured, businesses could risk leaking sensitive data, according to security experts.

    “Wi-Fi is probably easier to hack and has more risks than a mobile network,” Zumerle says. “It’s easier to set up a rogue access point than set up a false [mobile] base station.”

    With Wi-Fi, “the security you get really depends on the network, and you never know what you will find,” he says. “You can find a very well secured network or a very poorly secured network.”

    Reply
  23. Tomi Engdahl says:

    Evernote taken out by DDoS attack
    Millions of users unable to sync their notes and web clippings
    http://www.theregister.co.uk/2014/06/11/evernote_dos_attack/

    The attack was not the first cyber problem for Evernote. Early last year, the firm was forced to implement a service-wide password reset after hackers managed to access user information.

    Reply
  24. Tomi Engdahl says:

    Snowden’s Big Brother isn’t as Orwellian as you’d think
    Secrets & lies: Spies & GCHQ
    http://www.theregister.co.uk/2014/06/11/snowden_whistleblowing_big_brother_state_not_1984_just_yet/

    Reply
  25. Tomi Engdahl says:

    SLOW DOWN: Insecure-by-design software on road
    Electronic highway signage has default password, can be p0wned from afar
    http://www.theregister.co.uk/2014/06/11/slow_down_insecurebydesign_software_on_road/

    If your commute to work today featured an electronic highway sign suggesting you do something odd, the presence of a default password in sign management software called Daktronics Vanguard may be to blame.

    US CERT points out that an early panic that the software possessed a hardwired password can be dismissed. But the application does come with “a default password that can be changed upon installation.” If the software’s operator doesn’t do so, remote “modification of sign text” is possible.

    Which could lead to some unfortunate or mischievous instructions appearing on a roadside near you.

    US CERT and Daktronics together recommend that any signs managed by the software be assigned an IP address the general public cannot access, or popped onto a VPN. There’s also a recommendation to “Disable the telnet, webpage, and web LCD interfaces when not needed”, plus the predictable advice to change passwords.

    Reply
  26. Tomi Engdahl says:

    Troubled Truecrypt the ONLY OPTION for S3, but Amazon stays silent
    No noise from web warehouse as hacking rumours fly.
    http://www.theregister.co.uk/2014/06/11/troubled_truecrypt_the_only_option_for_s3_but_amazon_stays_silent/

Amazon Web Services (AWS) has kept mum on whether it will dump the troubled TrueCrypt platform used to encrypt data imported and exported to its Simple Storage Service (S3).

    Security bods midway through a comprehensive Truecrypt security audit vowed to continue and said they had not found any reason to dump the platform.

    Questions remained whether Amazon considered TrueCrypt safe enough to be the only option for encrypting S3 data.

    “TrueCrypt is the only device encryption supported by AWS import / export,”

    All data exported from S3 was encrypted with TrueCrypt using a supplied password, but Amazon Glacier and Elastic Block Store customers could use any encryption method they liked.

    Reply
  27. Tomi Engdahl says:

    Redmond is patching Windows 8 but NOT Windows 7, say security bods
    New tool checks differences, could lead to 0-day bonanza
    http://www.theregister.co.uk/2014/06/06/patch_piker_redmond_means_win_8_fixes_skip_7_researchers_say/

    Microsoft has left Windows 7 exposed by only applying patches to its newest operating systems.

    Researchers found the gaps after they scanned 900 Windows libraries and uncovered a variety of security functions that were updated in Windows 8 but not in 7. They said the shortcoming could lead to the discovery of zero day vulnerabilities.

    The missing safe functions were part of Microsoft’s dedicated libraries intsafe.h and strsafe.h that help developers combat various attacks.

    “Why is it that Microsoft inserted a safe function into Windows 8 [but not] Windows 7? The answer is money – Microsoft does not want to waste development time on older operating systems … and they want people to move to higher operating systems,” Joseph said in a presentation at the Troopers14 conference.

    It was “scary simple”, Marschalek said, and faster than finding vulnerabilities by hand.

    Security bods could then probe and pluck those functions to identify vulnerabilities and exploits.

    “If we get one zero-day from this project, it’s worth it,”

    Reply
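
The helpers the researchers found missing live in intsafe.h and strsafe.h, which exist to stop integer overflows and unbounded string copies. The following is an added illustration, not Microsoft's code and not the researchers' library-diffing tool, of what an intsafe.h-style checked multiply and add guard against. It emulates 32-bit unsigned arithmetic in Python with masking so the silent wraparound of a plain multiply, and the check that refuses it, are both visible; the function names, the header size and the hostile element count are constructed for the example.

```python
# Added example: emulates what an intsafe.h-style checked multiply/add guards
# against. Not Microsoft's code; 32-bit unsigned arithmetic is modelled with masks.

UINT32_MAX = 0xFFFFFFFF


class IntegerOverflow(Exception):
    """Raised where a C helper would return an INTSAFE_E_ARITHMETIC_OVERFLOW failure."""


def unchecked_mul_u32(a: int, b: int) -> int:
    """Plain `a * b` on two unsigned 32-bit operands: the product silently wraps."""
    return (a * b) & UINT32_MAX


def checked_mul_u32(a: int, b: int) -> int:
    """Overflow-checked multiply, written the way a C helper must do it without
    a wider type: overflow is detected by division before the multiply happens."""
    if a != 0 and b > UINT32_MAX // a:
        raise IntegerOverflow(f"{a:#x} * {b:#x} does not fit in 32 bits")
    return a * b


def checked_add_u32(a: int, b: int) -> int:
    """Overflow-checked add: a + b overflows exactly when b > UINT32_MAX - a."""
    if b > UINT32_MAX - a:
        raise IntegerOverflow(f"{a:#x} + {b:#x} does not fit in 32 bits")
    return a + b


HEADER_BYTES = 16  # constructed: a fixed header in front of the element array


def allocation_size(count: int, element_size: int, checked: bool = True) -> int:
    """Size of a header followed by `count` elements, the classic sizing step that
    precedes a buffer allocation. The unchecked variant is the bug pattern: a large
    attacker-chosen `count` wraps to a tiny size, the allocation succeeds, and the
    later copy of `count` elements runs off the end of the buffer."""
    if checked:
        return checked_add_u32(HEADER_BYTES, checked_mul_u32(count, element_size))
    return (HEADER_BYTES + unchecked_mul_u32(count, element_size)) & UINT32_MAX


if __name__ == "__main__":
    hostile_count = 0x40000001  # constructed attacker-controlled element count
    print("unchecked size:", allocation_size(hostile_count, 4, checked=False))  # 20 bytes
    try:
        allocation_size(hostile_count, 4)
    except IntegerOverflow as exc:
        print("checked path rejected it:", exc)
```

The division-based test in `checked_mul_u32` is the point: a library that ships the unchecked form on one OS version and the checked form on another hands a researcher a ready list of call sites to look at, which is exactly the diffing approach the comment describes.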
  28. Tomi Engdahl says:

    Opera Now Imports Browser’s Passwords & Other Data Without Your Permission
    http://www.favbrowser.com/opera-now-imports-browsers-passwords-other-data-without-your-permission/

    Recently, Opera followed other browsers and revealed a new build, which would automatically update your software to the latest version.

    And assuming that you have Opera Sync enabled, it will now transfer all your data to the mighty cloud.

    Reply
  29. Tomi Engdahl says:

    Internet Explorer gets 59 bug fixes in Microsoft’s June Patch Tuesday
    Patches the overlooked zero-day flaw discovered in October
    http://www.theinquirer.net/inquirer/news/2349415/internet-explorer-gets-59-bug-fixes-in-microsofts-june-patch-tuesday

    SOFTWARE BUG FACTORY Microsoft has issued a long list of security bulletins across its software line in its Patch Tuesday release for June, a record-breaking 59 of which patch the firm’s web browser, Internet Explorer (IE).

    Reply
  30. Tomi Engdahl says:

    HP brings simple split-key encryption to the cloud
    Promises the NSA won’t be able to access your data
    http://www.theinquirer.net/inquirer/news/2349351/hp-brings-simple-split-key-encryption-to-the-cloud

    LAS VEGAS: HP HAS ADDED data protection products to its security arsenal under the Atalla brand, which aim to protect sensitive data, whether it’s stored in the cloud, in-house or on mobile devices, and is structured or unstructured.

    The cloud encryption product is based on a patented split-key system, which offers a double layer of protection for data transferred back and forwards from the cloud. Each data object like a file or disk is encrypted with a unique key that is split into two with one master key stored on-premise and a second virtual key created in the cloud service. When the master key is in the cloud, it is homomorphically encrypted, even when it is being used to encrypt or decrypt data to prevent unauthorised access.

    “The broad use of encryption in environments is tough to manage, managing keys is difficult so we’ve looked at trying to solve that problem,”

    “The second problem is our environments are not all owned by us today. We not only use our own on-premise environments but we also burst into the cloud and how do you manage encryption in the cloud, when information is living in somewhere other than your own infrastructure.”

    The use of split-key homomorphic encryption means that no matter how the information is handled inside the cloud, the encryption keys are never exposed, as only a representation of the key is accessible. This makes the system a good option for firms concerned about monitoring by the NSA or other prying bodies.

    “Even if they did get a snapshot, all they would see is a transient key, they could never reverse engineer to get access to the data,”

    “It’s patented technology.”

    HP is not the first or only firm to offer homomorphic encryption of this kind, however. Smaller outfit Porticor offers a similar service based on patented split-key encryption technology.

    Reply
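
The arrangement the article describes, one per-object key split into an on-premise share and a cloud share, is XOR secret sharing at its core. The following is an added example, not HP's or Porticor's code, showing that construction: each share on its own is uniformly random and says nothing about the key, and only the two together reconstruct it. It deliberately does not model the homomorphic handling of the key that the article mentions; the key length and function names are assumptions for the example.

```python
# Added example: XOR secret sharing of a per-object data key, the "split key"
# arrangement described above. Illustrative only: not HP's or Porticor's code,
# and the homomorphic handling of the key mentioned in the article is not modelled.
import hashlib
import secrets

KEY_BYTES = 32  # assumed key length for the example


def new_object_key() -> bytes:
    """Fresh random key for one object (a file, a disk image, ...)."""
    return secrets.token_bytes(KEY_BYTES)


def split_key(key: bytes) -> tuple:
    """Split `key` into two shares: one to keep on premises, one handed to the
    cloud side. The cloud share is uniformly random and the on-prem share is
    key XOR cloud share, so each share alone carries no information about the key."""
    cloud_share = secrets.token_bytes(len(key))
    on_prem_share = bytes(k ^ c for k, c in zip(key, cloud_share))
    return on_prem_share, cloud_share


def combine(on_prem_share: bytes, cloud_share: bytes) -> bytes:
    """Reconstruct the key. This is the only point at which the full key exists,
    and in a real deployment it should live only for the duration of one operation."""
    if len(on_prem_share) != len(cloud_share):
        raise ValueError("share length mismatch")
    return bytes(a ^ b for a, b in zip(on_prem_share, cloud_share))


def key_fingerprint(key: bytes) -> str:
    """Short digest for logging or comparing keys without writing the key anywhere."""
    return hashlib.sha256(key).hexdigest()[:16]


if __name__ == "__main__":
    key = new_object_key()
    on_prem, cloud = split_key(key)
    print("key        ", key_fingerprint(key))
    print("cloud share", key_fingerprint(cloud), "(useless alone)")
    print("rebuilt    ", key_fingerprint(combine(on_prem, cloud)))
```

Two properties are worth checking in any such scheme: re-splitting the same key yields fresh, unrelated shares (so a snapshot of the cloud side taken earlier does not help later), and a share combined with anything but its partner gives an unrelated value rather than a near miss.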
  31. Tomi Engdahl says:

    Guest Post: The NSA’s Culture of “Legal Compliance” Still Breaks the Law
    http://justsecurity.org/7485/nsas-culture-legal-compliance-breaks-law/

    Lately the NSA has been on a public relations offensive that has two principal aims. First, the agency is trying to convince the public that a lot of the NSA’s bad press is based on misunderstandings and factual errors regarding what the agency’s actual activities are. The agency isn’t completely wrong here, but given what we know to be true about NSA mass surveillance and the at best tenuous legal basis for much of what the agency is doing, the NSA’s complaints about inaccuracy are pretty weak stuff. With anything as complicated and secretive as the NSA’s mass surveillance programs, some of the press reporting and public debate will be off base – at least at first, until additional reporting has filled in some of the gaps and righted the inaccuracies. And the bulk of the reporting has been accurate right from the start – even though the agency has generally been unhelpful in sorting out the truth.

    Reply
  32. Tomi Engdahl says:

    NSA tells court that it can’t stop deleting evidence
    Claims its systems are ‘too complicated’
    http://www.theinquirer.net/inquirer/news/2349393/nsa-tells-court-that-it-cant-stop-deleting-evidence

    THE UNITED STATES National Security Agency (NSA) has defended its failure to comply with a request for evidence in a lawsuit by saying that its systems are “too complicated” to prevent data from being deleted.

    “A requirement to preserve all data acquired under Section 702 [of the Foreign Intelligence Surveillance Act (FISA)] presents significant operational problems, only one of which is that the NSA may have to shut down all systems and databases that contain Section 702 information.”

    On one hand the Electronic Frontier Foundation (EFF) has lobbied to have such data destroyed, but on the other it is now in the rather unusual position of needing it preserved in order to argue that the NSA should not collect the data in the first place.

    Reply
  33. Tomi Engdahl says:

    Google launches hacker game to train bug ‘mercenaries’
    Increase your XSS-fu, win cake
    http://www.theregister.co.uk/2014/05/30/goog_launches_hacker_game_to_train_bug_mercenaries/

    Google wants to bring new blood into the security bug hunter community with a game launched to test developers’ knowledge of cross site scripting (XSS) vulnerabilities.

    The XSS Game put devs through six games of increasing complexity that required successful attacks against mock vulnerable web applications.

    “The game is designed primarily for developers working on web applications who do not specialise in security,” Google wrote on the game page.

    “XSS bugs are common because they have a nasty habit of popping up wherever a web app deals with untrusted input.

    Reply
  34. Tomi Engdahl says:

    https://xss-game.appspot.com/

    Cross-site scripting (XSS) bugs are one of the most common and dangerous types of vulnerabilities in Web applications. These nasty buggers can allow your enemies to steal or modify user data in your apps and you must learn to dispatch them, pronto!

    In this training program, you will learn to find and exploit XSS bugs. You’ll use this knowledge to confuse and infuriate your adversaries by preventing such bugs from happening in your applications.

    Reply
  35. Tomi Engdahl says:

    EMV Chips in 70% of Credit Cards by 2015
    http://www.eetimes.com/document.asp?doc_id=1322710&

    Increasing fraud rates will push issuers to migrate customers to EMV-enabled cards before the October 2015 liability shift on card-present transactions, Aite Group says.

    Credit card with EMV chip.

    Rising card fraud will drive issuers to migrate 70% of credit cards in the US to EMV (Europay, MasterCard, and Visa*) by October 2015, along with 41% of debit cards, a new report by Aite Group predicts. Credit card fraud rates have doubled since 2007, and debit card fraud is also rising sharply, according to the report.

    The beginning of October 2015 is when Visa will implement a liability shift for card-present transactions.

    Reply
  36. Tomi Engdahl says:

    Feedly suffers DDoS attack as perpetrator tries to extort money [Update: The attack has been neutralized]
    http://thenextweb.com/insider/2014/06/11/feedly-suffers-ddos-attack-perpetrator-tries-extort-money/

    Feedly has posted on its blog that it has neutralized the DDoS attack as of 3:07PM PT.

    “We refused to give in and are working with our network providers to mitigate the attack as best as we can,”

    Just yesterday, Evernote reported it had been subjected to a similar attack, though it was quickly restored.

    Reply
  37. Tomi Engdahl says:

    Project Eavesdrop: An Experiment At Monitoring My Home Office
    http://www.npr.org/blogs/alltechconsidered/2014/06/10/320347267/project-eavesdrop-an-experiment-at-monitoring-my-home-office

    If someone tapped your Internet connection, what would he find out about you?

    But one big, basic question remains more or less unanswered: What exactly does the NSA’s surveillance reveal?

    To try to answer that question, I had my home office bugged.

    The box is a little wireless router that basically captures and copies all the traffic into and out of any device that connects to it. That data were sifted and analyzed by software automatically.

    So for a little more than a week, Porcello and Gallagher stepped into the role of NSA analysts and spied on my work.

    “A lot of times it’s pretty easy to identify not only the type of device but the person,” Weis says. “How many people’s iPhones are named Steve’s iPhone?”

    “People are walking around every day with these mobile computers in their pockets, and they have no idea what they are sending to the world.”

    Google’s search traffic is supposed to be encrypted, but the subject of my searches seeped out. Links to the sites I visited provided strong hints about what I was searching for.

    “I had all your sources. I could have written that story for you,” Gallagher said.

    Porcello says one weak link can spill your personal information out onto the Internet — in plain text.

    If the NSA were monitoring me this way, would it be legal? The short answer is, it depends.

    Reply
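
The comment above is about how much a passive tap reconstructs from plaintext protocols alone: device names from service announcements, and the subject of a search from the unencrypted page it led to. The following is an added example, not code from the NPR piece or from the people who ran the tap, that performs that reconstruction over a constructed capture summary. The capture lines, names, addresses and URLs are made up for the illustration; the one-line-per-event format is an assumption standing in for a real packet capture.

```python
# Added example, not code from the NPR piece or from the analysts who ran the tap.
# It shows how much a passive observer reconstructs from plaintext protocols alone.
# SAMPLE_CAPTURE is a constructed, one-line-per-event summary of what such a tap
# might record; every name, address and URL in it is made up.
import re
from collections import defaultdict
from urllib.parse import urlsplit

SAMPLE_CAPTURE = """\
mdns  10.0.0.12 Steves-iPhone.local
http  10.0.0.12 GET http://news.example/health/sleep-apnea-treatments
http  10.0.0.12 GET http://news.example/health/cpap-machine-reviews
dhcp  10.0.0.20 hostname=Steves-MacBook-Pro
http  10.0.0.20 GET http://forum.example/t/mortgage-refinance-rates
http  10.0.0.20 GET http://forum.example/t/mortgage-refinance-rates/page/2
https 10.0.0.20 CONNECT www.google.com
"""

# Path words that say nothing about the subject of a page.
PATH_NOISE = {"page", "index", "html", "htm", "php"}


def parse_capture(text):
    """One dict per event: protocol, source address, and the protocol-specific remainder."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        proto, src, rest = line.split(None, 2)
        records.append({"proto": proto, "src": src, "rest": rest})
    return records


def device_names(records):
    """Device names leak in mDNS announcements and DHCP hostnames, both sent in clear."""
    names = {}
    for r in records:
        if r["proto"] == "mdns" and r["rest"].endswith(".local"):
            names[r["src"]] = r["rest"][: -len(".local")]
        elif r["proto"] == "dhcp" and r["rest"].startswith("hostname="):
            names[r["src"]] = r["rest"][len("hostname="):]
    return names


def plaintext_topics(records):
    """Subject words taken from the URL paths of plain HTTP requests, per device.
    The search itself may have been encrypted, but the page it led to is not."""
    topics = defaultdict(set)
    for r in records:
        if r["proto"] != "http":
            continue
        _method, url = r["rest"].split(None, 1)
        for word in re.split(r"[/\-_.]+", urlsplit(url).path):
            if word.isalpha() and len(word) > 2 and word.lower() not in PATH_NOISE:
                topics[r["src"]].add(word.lower())
    return dict(topics)


def https_hosts(records):
    """For TLS the tap still sees which host each device talked to (here via CONNECT)."""
    hosts = defaultdict(set)
    for r in records:
        if r["proto"] == "https" and r["rest"].startswith("CONNECT "):
            hosts[r["src"]].add(r["rest"][len("CONNECT "):])
    return dict(hosts)


def profile(records):
    """Join the three views into a per-device picture, the way an analyst would."""
    names, topics, hosts = device_names(records), plaintext_topics(records), https_hosts(records)
    result = {}
    for src in {r["src"] for r in records}:
        result[src] = {
            "device": names.get(src, "unknown"),
            "topics": sorted(topics.get(src, ())),
            "https_hosts": sorted(hosts.get(src, ())),
        }
    return result


if __name__ == "__main__":
    for src, info in sorted(profile(parse_capture(SAMPLE_CAPTURE)).items()):
        print(src, info)
```

The asymmetry is the lesson: the HTTPS line yields only a hostname, while each plain HTTP line yields a readable subject, and the mDNS and DHCP lines tie both to a named person's device.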
  38. Tomi Engdahl says:

    How Well Do Tech Companies Protect Your Data From Snooping?
    http://www.npr.org/blogs/alltechconsidered/2014/06/12/320997037/how-well-do-tech-companies-protect-your-data-from-snooping

    What happens to your information online? Is it safe? Is it private?

    The answers depend in part on what services you use. So we set out to help you figure out the answers for yourself.

    Fortunately for you, we are not the only ones asking these questions. They surveyed big tech companies and asked them what kinds of encryption they’ve been using.

    Reply
  39. Tomi Engdahl says:

    US Appeals Court rules warrantless phone location tracking is illegal
    http://www.zdnet.com/us-appeals-court-rules-warrantless-phone-location-tracking-is-illegal-7000030442/

    Summary: A panel of appeals judges has ruled that police must obtain a warrant before collecting cellphone location data, adding further weight to the pro-privacy argument.

    Reply
  40. Tomi Engdahl says:

    Tech companies are raising their game (and pants) post-Snowden
    Is everything fatally borked? Not quite, say security godheads
    http://www.theregister.co.uk/2014/06/12/safe_in_our_hands_security_industry_takes_a_hit_from_snowdens_year/

    Snowden anniversary If there’s a positive to the disclosures by ex-National Security Agency (NSA) contractor Edward Snowden, it’s that it’s been a disaster for technology and internet firms.

    Yes, a positive.

    The effect of all this should be a raising of these companies’ games and a shaking of users’ complacency in relying on “free” products and in being too accepting of what they’re given and of standard “solutions.”

    Already, tech and web companies are coming back. Caught with their pants down, they are now being given the time and money to pull them back up again.

    Pre-Snowden it was generally assumed the government was carrying out some sorts of surveillance against key targets and that the bright boys and girls at the National Security Agency (NSA) could subvert security systems if they really wanted to.

    Snowden’s leaks showed not only that security weaknesses are being built into software but also that the large companies to whom we entrust our data are helping in this – and they have been criminally lax about the security of users’ data within their own organizations.

    As any security expert knows, intentionally introducing flaws into your products is a stupid move. Sure, it gives the intelligence community a backdoor into software, but there’s no guarantee that someone else won’t discover the same flaw and start using it. In fact, the way code examination is these days, it’s a virtual certainty that someone will do this.

    “The problem isn’t that we know the NSA is doing these things,” added privacy expert Bruce Schneier. “The real problem is that we don’t know what else the NSA is doing. Internet companies – hardware, software, service – simply cannot be trusted anymore.”

    “The leaks caused a lot of anger in these companies, and in particular with the security teams in these companies. These security teams have had a list of things they’ve wanted to do for years but budgets are limited and so they focus resources on the biggest threats,” he told us.

    “Now, it’s my understanding that in the wake of the Snowden disclosures, that security teams have been given pretty much a blank check and can spend whatever they want to spend to protect the link between the user and the company.”

    RSA has consistently denied that it accepted any money to include a weakened security protocol, but that didn’t stop some key members of the security community from boycotting the security company’s annual show this year and setting up a rival TrustyCon get-together.

    “The encryption vetting process is working fine. AES and SHA-3 are both stellar examples of a public process to choose a new encryption standard. I trust them both, and will continue to trust them,”

    “There are a lot of people in the security industry who are taking a fresh look at the security technology we use and asking ‘can we make this better?’,”

    Go with the industry standard, though, and you’re a sitting duck. “The default crypto used by everyone will blind bulk surveillance,”

    Reply
  41. Tomi Engdahl says:

    Cybercriminals Ramp Up Activity Ahead of 2014 World Cup
    http://www.securityweek.com/cybercriminals-ramp-activity-ahead-2014-world-cup

    Attackers Have High Hopes for Success Around 2014 World Cup

    Similar to the Sochi 2014 Olympics and all other major sporting events before it, the FIFA World Cup 2014 in Brazil is being leveraged by cybercriminals and scammers as a means to lure victims for their attacks.

    In recent months, several security vendors have published advisories about the various scams, phishing and malware operations that target Internet users interested in the World Cup. While individuals from all over the world have been targeted, many of the malicious campaigns focus on Brazil and neighboring South American countries.

    Malware: Cybercriminals are relying on the FIFA World Cup to trick users into installing malware on their computers.

    Phishing: 2014 FIFA World Cup phishing websites have been around since 2013. Most of these sites advertise various promotions and contests in which users can allegedly win match tickets, trips to Brazil and other prizes. The catch is that they have to provide personal and financial information to supposedly get the chance to win.

    Scams and spam: Not surprisingly, a large number of phony websites have been created by scammers over the past months. Trend Micro has come across a fake website selling tickets at prices almost 4000% higher than the price on FIFA’s official website.

    Hacktivist Attacks: Anonymous hackers in Brazil began protesting against the World Cup more than 6 months ago. The hacktivists are unhappy with the high amounts of money that the Brazilian government spent around the World Cup, which they believe could have been used for more pressing issues that affect citizens.

    Other threats: Those who plan on visiting Brazil should be careful when making payments with their credit card and when withdrawing money at ATMs. There are a number of ways fraudsters can steal payment card data from World Cup attendees.

    The World Cup is a highly anticipated event that creates enormous waves of network traffic all over the world

    “Criminal organizations love events like this, because targets tend to be numerous and highly concentrated around a few predictable websites (FIFA, broadcasters, etc). Anxiety leading up to the events themselves can lead network managers to hastily add capacity with less-than-great security rigor, ironically making some of the most obvious targets easier to hack,”

    Reply
  42. Tomi Engdahl says:

    New Permission System Could Make Android Much Less Secure
    http://mobile.slashdot.org/story/14/06/11/1747251/new-permission-system-could-make-android-much-less-secure

    “An update to the Google Play store now groups app permissions into collections of related permissions, making them much less fine grained and potentially misleading for users.”

    Reply
  43. Tomi Engdahl says:

    Android’s App Permissions Were Just Simplified — Now They’re Much Less Secure
    http://www.howtogeek.com/190863/androids-app-permissions-were-just-simplified-now-theyre-much-less-secure/

    Google just made a huge change to the way app permissions work on Android. Apps already on your device can now gain dangerous permissions with automatic updates. Future apps can gain dangerous permissions without asking you, too.

    This is all thanks to the latest Play Store update and its simplified app permission interface. The core idea here — making Android app permissions comprehensible to normal users — is good. The implementation is the big problem.

    Permission Groups Contain Both Safe and Dangerous Permissions

    The big problem is that groups can contain both normal, basic permissions as well as more dangerous permissions.

    Every App Gets Internet Access

    Google has also given each app Internet access, effectively removing the Internet access permission. Oh, sure, Android developers still have to declare they want Internet access when putting together the app. But users can no longer see the Internet access permission when installing an app and current apps that don’t have Internet access can now gain Internet access with an automatic update without prompting you.

    Android App Permissions Were Broken, Anyway

    Android’s app permission system was already broken. It’s less of a permission system and more of a demand system. An app demands that it requires certain features, and you can take it or leave it. You can’t choose whether you want to give an app some permissions but not others. Android actually had a built-in permission manager that was being worked on, but Google removed it.

    And all the while, Apple’s iOS has a functional permission system that gives users control.

    Reply
  44. Tomi Engdahl says:

    L337 crackrz use dumb passwords too
    Haxxors hope ‘hack’ stops them from being hacked
    http://www.theregister.co.uk/2014/06/12/l337_crackrz_use_dumb_passwords_too/

    Black hats are just as blithe about the passwords they use as the rest of the world, according to a bit of research by security outfit Avast.

    The anti-virus company’s Antonín Hýža, writes here that after he’d built a dictionary of hacked hackers’ passwords, the most common password was “hack”.

    Reply
  45. Tomi Engdahl says:

    Poison PDF pusher released to public
    A quick download, a couple of clicks, a naughty URL and you’re in the business of crime
    http://www.theregister.co.uk/2014/06/12/adobe_hack_tool_makes_targeted_attacks_even_easier/

    Attacking enterprises just got easier with the development of an idiot-friendly tool that spits out booby-trapped PDFs with a few clicks.

    The tool weaves existing exploits into PDFs, allowing attacks against Adobe Reader and Acrobat versions 8.x prior to 8.2.1 and 9.x before 9.3.1.

    Users can insert their own URL pointers into the program, which then spits out an exploited PDF.

    Only unpatched users could be effectively targeted, but given the poor state of patching, that provides a pretty big pool of potential victims.

    Users could combine the tool with one of many free or paid automated phishing platforms to create the ultimate lazy targeted attack system.

    While the black hat uses for the tool were obvious, penetration testers and internal security teams can use it to launch attacks against staff to help improve social engineering awareness and defences.

    Reply
  46. Tomi Engdahl says:

    BitTorrent Chat: The Want For Privacy
    http://blog.bittorrent.com/2014/06/11/bittorrent-chat-the-want-for-privacy/

    BitTorrent’s Jaehee Lee offers insight into the development of BitTorrent’s new chat application, focused on how we are addressing the various needs of privacy.

    The list can go on. But privacy is, ultimately, the ability to express oneself freely with autonomy and to feel safe doing so. To not worry that the wrong friend will see a message that wasn’t intended for them.

    Regardless of how the content of the messages are sent, our chat app will always use our distributed network for users to find one another on the network. This minimizes, and in many cases eliminates, the metadata that is created by other cloud based and centralized approaches to chat apps.

    Reply
  47. Tomi Engdahl says:

    Sealed with an XSS: Teen comp sci boff Firo on how he gave TweetDeck a heart attack
    I only wanted to post a cute graphic, says innocent lad
    http://www.theregister.co.uk/2014/06/12/tweetdeck_xss_vuln_uncovered_by_heart_hunting_teenager/

    A teenager claims to have been the source of the embarrassing TweetDeck security gaffe that was exposed to millions of Twitter users on Wednesday.

    The 19-year-old “small, strange but cuddly” Austrian electronics and computer science student – whose handle on the micro-blogging site is Firo Xl – said that he spotted a very basic cross-site scripting (XSS) vuln in the Twitter desktop client when he was experimenting with the code for a heart symbol to tweet to his followers.

    “TweetDeck actually did not react in any way. Their next tweet was saying that there is a security issue and that users should log in again.”

    As The Register reported yesterday, the “XSS in TweetDeck” exploit was able to execute arbitrary JavaScript code in users’ browsers.

    Reply
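
Both the XSS Game comments above (untrusted input reaching a web app) and the TweetDeck comment (a tweet containing markup executing in readers' browsers) describe the same defect and the same fix. The following is an added example, not TweetDeck's, Twitter's or Google's code, showing a tiny server-side renderer in three forms: interpolating raw text, escaping it, and the anti-pattern of escaping and then running an entity decoder over the finished markup. The sample tweet is constructed (a heart entity followed by a script tag) and the decode-after-escape stage is an illustration of how escaping gets undone, not a claim about TweetDeck's actual root cause.

```python
# Added example: the XSS pattern the XSS Game and TweetDeck comments describe, in a
# tiny server-side renderer. Not TweetDeck's or Google's code; SAMPLE_TWEET is
# constructed and the decode-after-escape stage is an illustration, not TweetDeck's
# actual root cause.
import html
import re

SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def render_vulnerable(tweet_text: str) -> str:
    """Interpolates untrusted text straight into markup: any tag in the tweet
    becomes a live tag in every reader's browser."""
    return f'<p class="tweet-text">{tweet_text}</p>'


def render_escaped(tweet_text: str) -> str:
    """The fix: output encoding for the HTML text context. `<`, `>`, `&` and quotes
    become entities, so the browser displays the payload instead of parsing it."""
    return f'<p class="tweet-text">{html.escape(tweet_text, quote=True)}</p>'


def render_escaped_then_decoded(tweet_text: str) -> str:
    """Anti-pattern: a later stage decodes entities in the finished markup (say, to
    turn &hearts; into a heart glyph) and thereby turns &lt;script&gt; back into
    <script>, undoing the escaping. Encoding is only safe as the final step."""
    return html.unescape(render_escaped(tweet_text))


def contains_script_tag(markup: str) -> bool:
    """Crude check used here only to show which renderer leaks markup. Real
    detection happens in the browser's parser, which is why the fix is encoding
    at output time rather than filtering on input."""
    return bool(SCRIPT_TAG.search(markup))


# Constructed tweet: a heart entity followed by a script tag.
SAMPLE_TWEET = '&hearts; <script class="xss">alert("XSS in TweetDeck")</script>'

if __name__ == "__main__":
    renderers = [
        ("vulnerable", render_vulnerable),
        ("escaped", render_escaped),
        ("escaped then decoded", render_escaped_then_decoded),
    ]
    for name, renderer in renderers:
        print(f"{name:22} live script tag: {contains_script_tag(renderer(SAMPLE_TWEET))}")
```

The escaped form is the only one a browser renders as text; the third form shows why a "sanitized" flag set early in a pipeline means nothing if any later stage decodes entities or re-parses the markup.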
  48. Tomi Engdahl says:

    P.F. Chang’s Confirms Payment Card Breach: Reverts to Imprinting Devices
    http://www.securityweek.com/pf-changs-confirms-payment-card-breach-reverts-imprinting-devices

    After saying earlier this week that it was investigating reports of a data breach related to payment cards used at its locations, P.F. Chang’s China Bistro confirmed on Thursday that credit and debit card data has been stolen from some of its restaurants.

    Interestingly, the company also said that it has switched over to manual credit card imprinting systems for all P.F. Chang’s China Bistro branded restaurants located in the continental United States.

    On Tuesday, security blogger Brian Krebs reported that cards reportedly used at P.F. Chang’s were found at carder forum rescator[dot], which happens to be the same site where cards belonging to victims of the Target breach were sold. According to Krebs, several banks said the latest collection of cards had all been used at P.F. Chang’s locations between March 1 and May 19.

    Reply
