Security trends for 2014

The year 2014 will be a year of cybersecurity after the NSA revelations of 2013. The headline news was that the NSA had surreptitiously “burrowed its way into nearly all the security architecture” sold by the world’s largest computer networking companies. A lot of people were shocked at how the NSA monitored and hacked almost everything on the Internet. There will be further NSA aftershocks as new material comes out and different parties react to it (and news sources write about it). U.S. cloud services have been called into question for good reason. There will be a lot of NSA spying litigation. The spying issues will also fuel hacktivism (that has already started to happen).

The Security Professionals: Top Cyber Threat Predictions for 2014 article lists the following predictions, which seem quite probable: cybersecurity regulatory efforts will spark a greater need for harmonization; service-impacting interruptions for online services will persist; we will see an increase in cybercrime activity related to the World Cup; regional cloud services will rise; DevOps security integration is fast becoming critical; cybercrime that leverages unsupported software will increase; an increase in social engineering and ransomware will impact more people.

Ubiquitous mobile computing is all around us, which will lead to increased risks and concerns about social network privacy. Social networks have quickly become the key organizing principle of Internet communication and collaboration. Android anti-virus apps can’t kill malware on sight the way desktop AV does: they run as ordinary sandboxed apps without system privileges, so they can only detect a malicious package and prompt the user to uninstall it.

2013 was a very hacked year, with many cases where information on millions or tens of millions of users was stolen from companies. It is likely that we will see much more of the same in 2014, because the way people use passwords and the way online services are built have not changed much in one year.
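Most of the damage from those user-database thefts comes from how the passwords were stored on the server side. The following is an added example written for this post (not code from any service mentioned here) showing the bare hash that makes a leaked database immediately useful to attackers next to a per-user salted, deliberately slow derivation; the record format and the PBKDF2 iteration count are my own choices.

```python
"""How a service should store passwords: a per-user salt and a deliberately
slow key derivation, compared with the bare hash many breached sites used.
Added example for this post, not code from any site mentioned; the record
format and the iteration count are my own choices."""
import base64
import hashlib
import hmac
import os
from typing import Optional

# Work factor for PBKDF2-HMAC-SHA256 (assumption: tune upward as hardware gets faster).
ITERATIONS = 600_000
SCHEME = "pbkdf2-sha256"


def weak_hash(password: str) -> str:
    """Unsalted fast hash: every user with the same password gets the same
    digest, and a GPU can test billions of guesses per second against it."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: $scheme$iterations$salt$derived_key."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return "$%s$%d$%s$%s" % (SCHEME, iterations,
                              base64.b64encode(salt).decode("ascii"),
                              base64.b64encode(dk).decode("ascii"))


def verify_password(password: str, record: str) -> bool:
    """Recompute the derivation with the stored salt and iteration count and
    compare in constant time. Malformed records never verify."""
    parts = record.split("$")
    if len(parts) != 5 or parts[0] != "" or parts[1] != SCHEME:
        return False
    try:
        iterations = int(parts[2])
        salt = base64.b64decode(parts[3], validate=True)
        expected = base64.b64decode(parts[4], validate=True)
    except (ValueError, TypeError):
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    iterations, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def breach_comparison(password: str, iterations: int = ITERATIONS) -> dict:
    """Two accounts with the same password: identical under weak_hash,
    distinct (and slow to crack) under hash_password."""
    rec_a = hash_password(password, iterations=iterations)
    rec_b = hash_password(password, iterations=iterations)
    return {
        "weak_identical": weak_hash(password) == weak_hash(password),
        "kdf_identical": rec_a == rec_b,
        "kdf_verifies": verify_password(password, rec_a) and verify_password(password, rec_b),
    }


if __name__ == "__main__":
    print(breach_comparison("correct horse battery staple"))
```

The record carries its own iteration count, so the work factor can be raised later and old records re-hashed on the user’s next successful login without a migration step.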


Gartner predicts that through 2014, improved JavaScript performance will begin to push HTML5 and the browser as a mainstream enterprise application development environment. I expect HTML5-related security issues to increase simply because the technology will be used more in 2014.

Over 50% of net traffic to web sites is made by bots! The article More Than Half of Internet Traffic Is Just Bots says that security and cloud service provider Incapsula analyzed its traffic and found that more than 60 percent of Internet traffic is computer generated, compared to less than 40 percent driven by human clicks. 31% of the bots are still malicious. SEO link building has always been a major motivation for automated link spamming, but it is decreasing because Google has managed to discourage it. Instead there is more advanced hacking and automated vulnerability scanning.

DDoS attacks are evolving from volumetric Layer 3-4 attacks to much more sophisticated and dangerous Layer 7 multi-vector threats. An application-layer flood consists of individually valid HTTP requests, so bandwidth limits alone do not stop it; it has to be recognized at the request level.
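The two preceding paragraphs describe traffic that looks different in an access log: crawlers and scanners announce themselves in the User-Agent header, while a Layer 7 flood is made of ordinary-looking requests and only shows up as a per-client rate. The following is an added example written for this post (not code from Incapsula or any product named here); the log lines are constructed, and the crawler/scanner strings and flood thresholds are assumptions to adjust for a real site.

```python
"""Separating human, bot and Layer-7 flood traffic in a web server access log.
Added example for this post, not from Incapsula or any tool it names; the log
lines below are constructed and the thresholds are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

KNOWN_CRAWLERS = ("Googlebot", "bingbot", "YandexBot")               # well-behaved bots
SCANNER_MARKERS = ("sqlmap", "nikto", "masscan", "python-requests")  # attack tooling
FLOOD_WINDOW_SECONDS = 10   # assumption
FLOOD_THRESHOLD = 20        # requests from one client inside the window (assumption)


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def classify_client(records):
    """Label one client's requests. A Layer-7 flood is individually valid
    HTTP with a browser-like User-Agent, so it is only visible as a rate."""
    uas = {r["ua"] for r in records}
    if any(c in ua for ua in uas for c in KNOWN_CRAWLERS):
        return "crawler"
    if any(ua == "-" or any(s in ua for s in SCANNER_MARKERS) for ua in uas):
        return "malicious_bot"
    stamps = sorted(r["ts"] for r in records)
    start = 0
    for end in range(len(stamps)):               # sliding window over timestamps
        while (stamps[end] - stamps[start]).total_seconds() > FLOOD_WINDOW_SECONDS:
            start += 1
        if end - start + 1 >= FLOOD_THRESHOLD:
            return "l7_flood"
    return "human"


def classify_log(lines):
    """Map each client IP in the log to its label."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            by_ip[rec["ip"]].append(rec)
    return {ip: classify_client(recs) for ip, recs in by_ip.items()}


# ---- constructed sample log (RFC 5737 documentation addresses) ----
def _line(ip, ts, path, ua):
    return '%s - - [%s] "GET %s HTTP/1.1" 200 512 "-" "%s"' % (ip, ts.strftime(TS_FMT), path, ua)

BASE = datetime(2014, 6, 18, 12, 0, 0, tzinfo=timezone.utc)
FIREFOX = "Mozilla/5.0 (Windows NT 6.1; rv:30.0) Gecko/20100101 Firefox/30.0"
CHROME = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36"
GOOGLEBOT = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

SAMPLE_LOG = (
    # a person reading three pages over 45 seconds
    [_line("203.0.113.10", BASE + timedelta(seconds=15 * i), p, FIREFOX)
     for i, p in enumerate(["/", "/blog/", "/blog/security-trends-2014"])]
    # a search engine crawler
    + [_line("198.51.100.7", BASE + timedelta(seconds=i), p, GOOGLEBOT)
       for i, p in enumerate(["/robots.txt", "/"])]
    # an automated vulnerability scanner announcing itself
    + [_line("192.0.2.66", BASE, "/login.php?user=admin%27--", "sqlmap/1.0-dev")]
    # an HTTP flood: 30 search requests in 6 seconds with a normal browser UA
    + [_line("192.0.2.200", BASE + timedelta(seconds=i // 5), "/search?q=%d" % i, CHROME)
       for i in range(30)]
)

if __name__ == "__main__":
    for ip, label in sorted(classify_log(SAMPLE_LOG).items()):
        print(ip, label)
```

The User-Agent checks are the cheap, easily evaded part; the sliding-window rate check is what actually catches the flood client, which is indistinguishable from a browser on any single line. In production the window and threshold should be set per endpoint, since a search page and a static image have very different legitimate request rates.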

There will still be many SCADA security issues in 2014. Even though traditional SCADA vulnerabilities have become easier to find, the increased connectivity brought by IoT will cause new issues. And there will still be very many control systems openly accessible from the Internet to practically anybody who knows how to look for them. A large number of SCADA systems were found open on the Internet at the beginning of 2013, and the numbers have not dropped considerably during the year. I expect that very many of those systems will still be too open at the end of 2014.

The Internet is expanding into enterprise assets and consumer items such as cars and televisions. The Internet of Things (IoT) will evolve into the Web of Things, increasing the coordination between things in the real world and their counterparts on the Web. There will be many security issues to solve, and as these systems become more widely used, more security issues will be found in them.

Cloud security will be talked about. Hopefully there will be some clearing-up of the terminology in that area, because cloud security can mean a lot of things, just like the term cloud computing. Cloud security could mean how secure your cloud provider is; a service running in the cloud that filters what passes through it (for example e-mail or web traffic); a product protecting some service that runs in the cloud; or a traditional anti-virus product that connects to the cloud to improve its operation (for example real-time updates, or verifying unknown programs against data held in the cloud). Research firm Gartner forecasts that cloud security sales will increase dramatically in the next few years, from $2.1 billion in 2013 to $3.1 billion in 2015.

Marketers try to put the term “cloud” into security product brochures as much as they can. The cloud has made traditional information security sound old-fashioned, because companies are under pressure to move services to the cloud. Mobile devices and dispersed users also set new requirements for information security. OpenDNS CTO Dan Hubbard says that “because data and devices run in the cloud, the cloud is the best way to protect their users.” The Snowden effect will also bring PRIVATE cloud talk to the table this year for security reasons, because U.S. cloud services have been called into question for good reason.

In Finland a new Cyber Security Centre started at the beginning of 2014. Security articles and warnings from it will be published at kyberturvallisuuskeskus.fi.

Late addition: Crypto-currencies like Bitcoin and similar are on the rise, and early adopters already use them actively. Those crypto-currencies have many security issues related to them. Their values vary a great deal, and the value easily drops considerably when they get so widely used that governments try to limit their use. Bitcoin is increasingly used as a ransomware payment method. Bitcoins have lately been stolen quite a lot (and I expect that to increase as usage increases): from users, from on-line wallets and from exchanges. When more money is involved, more bad guys try to get a piece of it. Sometimes the bad guys do not try to steal your money but use resources you pay for (your own PC, your server capacity, etc.) to mine money for themselves without you knowing about it. If you plan to use crypto-currencies, be careful to understand what you are doing with them: there is a real possibility that you lose your money, and there is no way lost money can be recovered.

3,382 Comments

  1. Tomi Engdahl says:

    Another RAT crawls out of the malware drain
    Dyreza/Dyre MITMs SSL sessions
    http://www.theregister.co.uk/2014/06/17/another_rat_crawls_out_of_the_malware_drain/

    Yet another banking trojan has appeared, using browser hooking to steal data from Internet Explorer, Chrome and Firefox users.

    Dyreza, or Dyre, is pitched the usual way, via a phishing e-mail (a lesson that’s never learned well enough for the approach to fail), and the e-mail contains what purports to be a zipped document that actually drops the malware payload.

    Both PhishMe and CSIS believe it’s a new RAT (remote access trojan) rather than another Zeus variant.

  2. Tomi Engdahl says:

    Book Review: Security Without Obscurity
    http://books.slashdot.org/story/14/06/16/1245237/book-review-security-without-obscurity

    In Security without Obscurity: A Guide to Confidentiality, Authentication and Integrity, Stapleton shows how broad his security knowledge is to the world.

    The premise of the author and the need for the book is that the traditional information security CIA triad (confidentiality, integrity, availability) has led to the situation where authentication has to a large part gotten short shrift. This is a significant issue since much of information security is built around the need for strong and effective authentication. Without effective authentication, networks and data are at direct risk for compromise.

    While Stapleton modifies the CIA triad, the book is not one of a security curmudgeon, rather of a security doyen. For anyone looking for an authoritative text on how to fully implement cross-platform security and authentication across the enterprise, this is a valuable reference to get that job done.

  3. Tomi Engdahl says:

    UK intelligence forced to reveal secret policy for mass surveillance of residents’ Facebook and Google use
    https://www.privacyinternational.org/press-releases/uk-intelligence-forced-to-reveal-secret-policy-for-mass-surveillance-of-residents

    Britain’s top counter-terrorism official has been forced to reveal a secret Government policy justifying the mass surveillance of every Facebook, Twitter, Youtube and Google user in the UK.

    This disturbing policy was made public due to a legal challenge brought by Privacy International, Liberty, Amnesty International, the American Civil Liberties Union, Pakistani organisation Bytes for All, and five other national civil liberties organisations.

    The statement, from Charles Farr, the Director General of the Office for Security and Counter Terrorism, claims that the indiscriminate interception of UK residents’ Facebook and Google communications would be permitted under law because they are defined as ‘external communications’.

    Farr’s statement, published today by the rights organisations, is the first time the Government has openly commented on how it thinks it can use the UK’s vague surveillance legal framework to indiscriminately intercept communications through its mass interception programme, TEMPORA.

  4. Tomi Engdahl says:

    Two new security trends from Mikko Hyppönen / F-Secure:

    - The first ransomware for phones has already been seen. In our tests, we got it to work on an LG smart TV. The extortion could succeed if the application claims to be a program that requires a TV licence fee or a tax payment, Hyppönen said.

    The phone ransomware seen so far technically works by expanding the web browser to full screen and blocking the function keys. The same technique also works on smart TVs.

    - The second item is capturing personal cloud recordings and demanding a ransom for the content. In credit card theft you get your money back and in the end lose only time. But when your images and files are captured, you cannot get them back, Hyppönen said.

    Source: http://www.iltasanomat.fi/digi/art-1288702849068.html?utm_campaign=tf-IS&utm_medium=tf-desktop&utm_term=4&utm_source=hs.fi&utm_content=article

  5. Tomi Engdahl says:

    Tor Is For Everyone: Why You Should Use Tor
    http://gizmodo.com/tor-is-for-everyone-why-you-should-use-tor-1591191905

    EFF recently kicked off its second Tor Challenge, an initiative to strengthen the Tor network for online anonymity and improve one of the best free privacy tools in existence. The campaign—which launched with partners at the Freedom of the Press Foundation, the Tor Project, and the Free Software Foundation—is already off to a great start. In just the first few days, it’s seen over 600 new or expanded Tor nodes—more than during the entire first Tor Challenge.

    This is great news, but how does it affect you? To understand that, you have to dig into what Tor actually is, and what people can do to support it. Support can come in many forms, too. Even just using Tor is one of the best and easiest things a person can do to preserve privacy and anonymity on the Internet.

  6. Tomi Engdahl says:

    Privacy for anyone anywhere
    https://tails.boum.org/

    Tails is a live operating system, that you can start on almost any computer from a DVD, USB stick, or SD card. It aims at preserving your privacy and anonymity

  7. Tomi Engdahl says:

    FBI arrests claims NullCrew hacker in Tennessee takedown
    Stool pigeon fooled hackers into self-incrimination
    http://www.theregister.co.uk/2014/06/17/fbi_arrests_claims_nullcrew_hacker_in_tennessee_takedown/

    The FBI has arrested a Tennessee man on computer crime charges, claiming he is a key player in the NullCrew hacking squad that attacked businesses and educational institutions from 2012 onwards.

    NullCrew came to the attention of the authorities in 2012 after a successful attack against the World Health Organization and PBS

    “Cyber crime sometimes involves new-age technology but age-old criminal activity ― unlawful intrusion, theft of confidential information, and financial harm to victims,”

  8. Tomi Engdahl says:

    Hacker Hijacks Storage Devices, Mines $620,000 in Dogecoin
    http://www.wired.com/2014/06/hacker-hijacks-storage-devices-mines-620000-in-dogecoin/

    Dogecoin, for those who don’t spend their time indulging in Internet meta-memes, may seem like harmless nerdery. But for one enterprising hacker, it’s created a small fortune—at the price of annoying a lot of systems administrators.

    A pair of researchers at Dell’s Secureworks security division have traced a collection of malware-infected storage devices to a hacker who has amassed more than $620,000 worth of the currency, which they say he mined from those hijacked machines and others.

    “To date, this incident is the single most profitable, illegitimate mining operation,”

    Litke and Shear say mining that many dogecoins couldn’t be accomplished with the hijacked storage devices alone—each has the cryptocurrency mining power of a smartphone, they say.

  9. Tomi Engdahl says:

    FTC seeks DEFCON help to finger illegal robocallers
    Plans cash-money honeypot competition in August
    http://www.theregister.co.uk/2014/06/17/ftc_seeks_defcon_help_to_finger_illegal_robocallers/

    The Federal Trade Commission is to host a cash competition at this year’s DEFCON hacking conference in Las Vegas, with the goal of building a honeypot that can lure in robocallers and allow technologists to analyze how to block them in the future.

    “Honeypots have been used extensively among information security specialists, but until today, there has been limited cross-pollination between their expertise and the efforts to fight telephone spam,” said the agency.

  10. Tomi Engdahl says:

    F-Secure: Google’s digital profiling is ‘extremely dangerous’ [Video]
    Firm says it could keep the company ‘in power forever’
    http://www.theinquirer.net/inquirer/news/2350430/f-secure-googles-digital-profiling-is-extremely-dangerous-video

    HELSINKI: FINNISH SECURITY FIRM F-Secure has warned about the dangers of Google’s digital profiling, slamming the internet search firm’s ability to guess typical search queries as “extremely dangerous”.

    Speaking at a roundtable at the company’s lab in Helsinki, Finland on Tuesday, F-Secure CEO Christian Fredrikson said that Google knows far too much about us, and any kind of profiling is not something we should condone.

    “We don’t think profiling is just innocent, [that] it doesn’t matter; we think it is extremely dangerous,” Fredrikson said.

    “It actually means that if you have all the information of people gathered over 10 years, you – in democracies even – could stay in power forever, because if you have all the information, you have all the power.”

  11. Tomi Engdahl says:

    We Can No Longer Ignore Bitcoin’s Fatal Flaw
    http://motherboard.vice.com/read/we-can-no-longer-ignore-bitcoins-fatal-flaw?trk_source=popular

    Bitcoin is no longer decentralised and the cryptocurrency needs fixing if it’s to survive. That’s the warning some cryptocurrency researchers are giving since a single entity, a Bitcoin mining pool called GHash, managed to acquire 51 percent of total network mining power for 12 hours straight at the end of last week.

    Even though its monopoly was brief, this is bad news for those who were attracted to Bitcoin for its distributed foundation, designed to decentralize trust and prevent anyone from gaming or controlling the system. GHash, if it was able to consistently hold on to 51 percent or higher, could effectively act as a central Bitcoin bank if it so wished.

    This power is possible because Bitcoin miners vote to verify every transaction before it’s added to the blockchain, which records those transfers. But when there is a majority miner, they can rig the votes and effectively prohibit or deny any transaction.

    This means they can spend coins that aren’t theirs or take other miners out of the game, either by preventing transfers or swamping their networks with fake transactions, causing denial of service conditions. They could also extort users by rendering addresses—what most call wallets—unusable unless a high mining fee is paid.

  12. Tomi Engdahl says:

    City of London Police Commissioner says TOR is ’90 per cent of the net’
    Of course he’s wrong: the TOR-using population is tiny
    http://www.theregister.co.uk/2014/06/18/no_commissioner_tor_isnt_90_per_cent_of_the_net/

    Yet again, someone who should know better is hyping up the size of the so-called “darkweb” to push a law enforcement case.

    I can’t tell you whether Leppard said “BitTorrent” and was mis-transcribed, or whether he slipped, but I’d like to address the assertion that TOR – The Onion Router – is “90 per cent of the Internet”.

    Let’s take three definitions of “The Internet”: the number of users, the amount of stored data, and the amount of traffic.

    In terms of the number of users, TOR is nowhere near “90 per cent” of anything: by its own metrics, TOR users peaked at around three million users and currently the number hovers between 2 and 2.5 million users.

    That should spike Leppard’s statement straight away: the ITU estimates that there were 2.7 billion Internet users in 2013, so for every TOR user there are more than a thousand ignoring the network.

    Worldwide, Cisco’s Visual Networking Index tells us that 29 Exabytes is sucked down the Internet’s various pipes each month. If TOR users are “90 per cent” of that volume, their average monthly downloads would be nearly 10,000 GB, and the rest of us would have an average monthly download volume of just 100 kilobytes.

    The TOR isn’t 90 per cent of anything

  13. Tomi Engdahl says:

    Punters happily run malware if paid ONE CENT
    Years of infosec education and users still click on anything
    http://www.theregister.co.uk/2014/06/18/everyone_go_home_people_accept_one_cent_to_run_trojan/

    Security professionals despair: Users will run dodgy executables if they are paid as little as one cent.

    Even more would sign up to botnets if the price was increased to five or 10 cents. Offer a whole dollar and you’ll secure a herd of willing internet slaves.

    The presence of malware actually increased on machines running the latest patches and infosec tools in what was described as an indication of users’ false sense of security.

    It was fantastic news for bot owners who could offer payment in exchange for exclusive control of more stable zombie machines: such a model was dubbed a “Fair Trade Botnet”.

    “While ignorance could explain this state of affairs, we show that the reality is much worse, as some users readily turn a blind eye to questionable activities occurring on their systems, as long as they can themselves make a modest profit out of it,” the researchers write, adding that “…many users seem to be content ignoring possible security compromises as long as the compromised state does not noticeably impact the performance of the machine.”

    “This raises questions about the effectiveness of well known security advice when competing against the smallest of incentives,” the researchers wrote.

  14. Tomi Engdahl says:

    Boob Tube BOFFINS finger Red Button, trigger TELLY MAYHEM
    Nothing safe as drones target credit cards, Facebook, Twitter, printers, warn security brains
    http://www.theregister.co.uk/2014/06/10/hackers_fondle_boob_tubes_in_red_button_mayhem_attacks/

    The standards body behind a broadband-powered television system has downplayed talk of dramatic attacks on the security of tens of thousands of smart TVs.

    Top boffins at Columbia University’s Network Security Lab say the “Red Button” exploit could involve drones and roof-mounted aerials deployed to silently target tellies, commandeer TV networks, and even dive deeper to infect home printers and PCs.

    The attack basically works by feeding malicious JavaScript payloads into television sets over the air; the code can then silently hijack connections to websites from the device.

    Commandeered Boob tubes could be made to purchase DRM-protected content or dial premium-rate phone numbers from VoIP apps, sending profits to attackers.

    Anyone with the skills to program a smart TV channel could purchase open-source hardware to launch the “untraceable” attacks which worked as long as consumers kept their boxes switched on.

    The potential damage would increase if the threat remained unchecked

    He blamed the attack vector on the “great idea” of attaching TVs to the internet, but the HbbTV body in January dismissed the threat, stating it did not warrant a change in standards.

  15. Tomi Engdahl says:

    Domino’s hackers fail to release customer data following Twitter suspension
    Even hackers need to earn a (thin) crust
    http://www.theinquirer.net/inquirer/news/2350198/hackers-demand-domino-s-pizza-delivery-of-eur30-000-to-prevent-customer-data-leak

    THE HACKERS who on Monday pilfered information related to 600,000 Domino’s Pizza customers have been suspended from Twitter, and have failed to release the data as threatened.

    Topping the recent attack on RSS firm Feedly where hackers demanded ransom to end distributed denial of service (DDoS) attacks, hackers attacked Dominos France and Belgium and demanded €30,000 to prevent the public disclosure of users’ details.

    The hacking group boasted, “Earlier this week, we hacked our way into the servers of Domino’s Pizza France and Belgium, who happen to share the same vulnerable database.”

    “While it’s important to try and keep out intruders, it’s equally important that organisations secure data that’s behind their perimeter defences so that, if those defences are breached, an attacker isn’t able to obtain confidential data that can be used to compromise the online identities of its customers.”

    “The fact that credit card details and other financial data weren’t stolen in this case is good, but the theft of personal information is bad news for customers too. This is especially true of passwords since, sadly, many people use the same passwords for many of (or all) their online accounts.”

  16. Tomi Engdahl says:

    MS Research publishes JS crypto code for devs
    W3C WebCrypto for cloud
    http://www.theregister.co.uk/2014/06/18/ms_research_publishes_js_crypto_code_for_devs/

    Microsoft Research has published an under-development JavaScript crypto library, for exposure to developers and researchers interested in cloud and browser security.

    Designed to work with HTML5-compliant cloud services, the Microsoft Research JavaScript Cryptography Library uses the W3C WebCrypto API to expose crypto functions, and Redmond says it’s tested the software against IE11’s implementation of the interface.

    the company says it’s been tested on all Internet Explorer versions from IE8 up, as well as the current Firefox, Chrome, Opera and Safari browsers.

    Supported crypto functions in the library include RSA PKCS#1 v1.5, OAEP and PSS; its pseudo-random number generator (PRNG) follows the AES-CTR spec; and NIST’s Concat KDF (key derivation function).

  17. Tomi Engdahl says:

    CIO Discovers the ‘Terrifying’ Reality of Cloud Apps Running Wild
    http://www.cio.com/article/752676/CIO_Discovers_the_Terrifying_Reality_of_Cloud_Apps_Running_Wild

    Rogue cloud services are ripping gaping holes in the security fabric of most companies, putting the CIO in a tough spot. But as the fallout from the Target attack shows, IT and business leaders will go down together if the breach hits the fan.

  18. Tomi Engdahl says:

    The security software market grew last year to 19.9 billion dollars, or nearly 15 billion euros. According to Gartner, growth was 4.9 per cent from the previous year.

    As the biggest security trend of last year Gartner raises the growing frequency of threats. Malicious software is becoming more readily available on the black market. Companies, in turn, have realized the vulnerabilities in their existing systems.

    By monetary value Symantec is in a class of its own among security companies. With more than 3.7 billion USD, its market share was 18.7 per cent. Symantec did not, however, manage to increase its sales.

    McAfee made 1.7 billion USD, capturing 8.7 per cent of the market.
    IBM captured 5.7 percent of the market.

    The top-five list is completed by Trend Micro and EMC.

    Source: http://etn.fi/index.php?option=com_content&view=article&id=1500:tietoturvaan-lahes-15-miljardia-euroa&catid=13&Itemid=101

  19. Tomi Engdahl says:

    7 Unusual Behaviors That Indicate Security Breaches
    http://www.wallstreetandtech.com/security/7-unusual-behaviors-that-indicate-security-breaches/d/d-id/1268794?wc=4&_mc=sem_otb_edt_wstrelaunch&wc=4&_mc=sem_otb_edt_wstrelaunch

    Breaches create outliers. Identifying anomalous activity can help keep firms in compliance and out of the headlines.

    Here is a rather uncontested statement: In the world of cyber security there are many things that can go wrong.

    Some breaches are intentional, other accidental. A case in which an employee unwittingly discloses confidential information, or is working from an infected machine may look similar to the actions of employee who has gone rogue by uploading or downloading inappropriate data.

    Regardless of the cause of the behavior, determining if a behavior is normal or not normal is important to catching a variety of security breaches.

  20. Tomi Engdahl says:

    Failed bitcoin exchange Mt Gox gets U.S. bankruptcy protection
    http://www.reuters.com/article/2014/06/17/us-bitcoin-mtgox-bankruptcy-idUSKBN0ES2WZ20140617

    The failed Tokyo-based bitcoin exchange, Mt Gox, received court approval on Tuesday to begin Chapter 15 bankruptcy proceedings in the United States as it awaits approval of a settlement with U.S. customers and a sale of its business.

    Sunlot, a firm backed by child actor-turned entrepreneur Brock Pierce and venture capitalist William Quigley, has proposed buying Mt Gox for one bitcoin, or around $600.

  21. Tomi Engdahl says:

    GHash Looks To Quell Bitcoin Market Worries In Wake Of “51%” Scare
    http://techcrunch.com/2014/06/16/ghash-looks-to-quell-bitcoin-market-worries-in-wake-of-51-scare/

    The bitcoin community was rattled recently when it became known that GHash, a mining pool, had crossed the 51 percent mark, indicating that it was powering more than half of the computing heft that undergirds the cryptocurrency’s foundation.

    The group, however, isn’t sorry for the situation, stating that it is being “punished for [its] success.” That’s true to an extent. If GHash were less popular, it wouldn’t have managed to accrete such market share to itself.

  22. Tomi Engdahl says:

    Is China the World’s Leading Cyberspy?
    Denial is a river in China
    http://www.eetimes.com/document.asp?doc_id=1322785&

    This is first of a three-part series examining the industry fallout from China’s alleged cyberspying, and specifically if the spying has hurt the tech industry. Today we review history, piecing together evidence of spying with China’s pattern of denial.

  23. Tomi Engdahl says:

    NSA ‘third party’ partners tap the Internet backbone in global surveillance program
    http://www.information.dk/501280

    ’Third parties’ give NSA access to international fiber-optic cables, sharing massive amounts of phone and Internet data, new Snowden documents show. Germany and, by all accounts, Denmark, are among the partners in the NSA mass surveillance program codenamed RAMPART-A.

  24. Tomi Engdahl says:

    P.F. Chang’s Breach Likely Began in Sept. 2013
    http://krebsonsecurity.com/2014/06/p-f-changs-breach-likely-began-in-sept-2013/

    The recently-announced credit card breach at P.F. Chang’s Chinese Bistro appears to have gone on for at least nine months: New information indicates that the breach at the nationwide restaurant chain began on or around Sept. 18, 2013, and didn’t end until June 11, one day after KrebsOnSecurity.com broke the news about the break-in.

  25. Tomi Engdahl says:

    The kill switch Apple introduced in iOS last year has significantly reduced thefts of iPhone and iPad devices. For example, in New York thefts of iOS devices fell by 19 per cent early in the year, while the total number of thefts dropped by only 10 percent.

    At the same time, thefts of Samsung devices increased by up to 40 percent. Samsung’s devices do not have the corresponding function installed by default. A similar phenomenon was also observed in San Francisco and London.

    Major manufacturers including Google and Microsoft are planning to bring a similar kill switch feature to their systems.

    “These statistics confirm that a technical solution can prevent wireless users from falling victim,”

    Source: http://www.tivi.fi/kaikki_uutiset/iphonevarkaudet+romahtivat+nain+apple+karkotti+rosvot/a994821

  26. Tomi Engdahl says:

    Student beats Simplelocker Android ransomware with Java applet
    Flicks the baddies the Control V sign
    http://www.theinquirer.net/inquirer/news/2350981/student-beats-simplelocker-android-ransomware-with-java-applet

    A SUSSEX UNIVERSITY STUDENT has neutralised the Simplelocker ransomware that has been targeting Android devices by flexing his Control Key.

    PHP developer Simon Bell successfully reversed the ransomware after realising that the decryption algorithm and passwords were hidden within the virus’s source code.

    The Simplelocker virus uses AES encryption to render the SD cards of victims completely inaccessible.

    “Future versions of advanced smartphone ransomware will likely prove significantly harder to reverse engineer.”

  27. Tomi Engdahl says:

    US Marshal CCs, rather than BCCs, those interested in anonymous Bitcoin auction
    A simple CC/BCC mistake embarrasses agency in charge of selling off Silk Road funds.
    http://arstechnica.com/tech-policy/2014/06/us-marshal-hits-reply-all-reveals-those-interested-in-anonymous-bitcoin-auction/

    The US Marshals Service is in charge of auctioning off almost 30,000 bitcoins that the federal government seized from Silk Road servers last year, and it had planned to do so in an anonymous auction this month. But that anonymity was compromised on Wednesday when the US Marshals Service accidentally revealed the names of several potential bidders by sending around an auction FAQ to a group of e-mail addresses that it placed in the CC field rather than in the BCC field.

    The tens of thousands of bitcoins up for auction are currently worth around $18 million.

  28. Tomi Engdahl says:

    AWS console breach leads to demise of service with “proven” backup plan
    Code Spaces closes shop after attackers destroy Amazon-hosted customer data.
    http://arstechnica.com/security/2014/06/aws-console-breach-leads-to-demise-of-service-with-proven-backup-plan/

    A code-hosting service that boasted having a full recovery plan has abruptly closed after someone gained unauthorized access to its Amazon Web Service account and deleted most of the customer data there.

    Wednesday’s demise of Code Spaces is a cautionary tale, not just for services in the business of storing sensitive data, but also for end users who entrust their most valuable assets to such services. Within the span of 12 hours, the service experienced the permanent destruction of most Apache Subversion repositories and Elastic Block Store volumes and all of the service’s virtual machines. With no way to restore the data, Code Spaces officials said they were winding down the operation and helping customers migrate any remaining data to other services.

    “Code Spaces will not be able to operate beyond this point,” a note left on the front page of codespaces.com said. “The cost of resolving this issue to date and the expected cost of refunding customers who have been left without the service they paid for will put Code Spaces in a[n] irreversible position both financially and in terms of on going credibility. As such at this point in time we have no alternative but to cease trading and concentrate on supporting our affected customers in exporting any remaining data they have left with us.”

    “In summary, most of our data, backups, machine configurations and offsite backups were either partially or completely deleted.”

  29. Tomi Engdahl says:

    Emails Show Feds Asking Florida Cops to Deceive Judges
    http://www.wired.com/2014/06/feds-told-cops-to-deceive-courts-about-stingray/

    Police in Florida have, at the request of the U.S. Marshals Service, been deliberately deceiving judges and defendants about their use of a controversial surveillance tool to track suspects, according to newly obtained emails.

    “Concealing the use of stingrays deprives defendants of their right to challenge unconstitutional surveillance and keeps the public in the dark about invasive monitoring by local police,” the ACLU writes in a blog post about the emails.

    The government has long asserted it doesn’t need a probable-cause warrant to use stingrays because the devices don’t collect the content of phone calls and text messages, but instead operate like pen-registers and trap-and-traces, collecting the equivalent of header information.

    The U.S. Marshals Service is not the only entity conspiring with police to prevent the public from learning about the equipment. The Harris Corporation, a Florida-based company that makes one of the most popular models of stingrays called Stingray, has made law enforcement agencies sign a non-disclosure agreement explicitly prohibiting them from telling anyone, including other government bodies, about their use of the secretive equipment.

  30. Tomi Engdahl says:

    As Iraq censors Internet, Tor usage jumps tenfold
    http://www.dailydot.com/politics/iraq-internet-censorship-tor/

    As the Iraqi government censors large swaths of the Internet following devastating attacks and victories by the militant group Islamic State of Iraq and Syria (ISIS), thousands of people are adopting Tor, the most popular anonymizing tool online, to get around government obstruction.

  31. Tomi Engdahl says:

    House passes amendment to cut NSA’s ‘backdoor search’ funding
    http://www.engadget.com/2014/06/19/house-of-representatives-pass-amendment-cut-backdoor-searches/

    The amendment would curb this in two ways: it would cut off funding for the search of government databases for information on US citizens while also prohibiting both the NSA and CIA from requiring “backdoors” in online services and products. It’s not a done deal just yet: now that it’s passed the House, it needs to go through the Senate before it can become a reality.

  32. Tomi Engdahl says:

    This Tool Boosts Your Privacy by Opening Your Wi-Fi to Strangers
    http://www.wired.com/2014/06/eff-open-wireless-router/

    In an age of surveillance anxiety, the notion of leaving your Wi-Fi network open and unprotected seems dangerously naive. But one group of activists says it can help you open up your wireless internet and not only maintain your privacy, but actually increase it in the process.

    At the Hackers on Planet Earth conference next month, the Electronic Frontier Foundation plans to release software designed to let you share a portion of your Wi-Fi network, password-free, with anyone nearby. The initiative, part of the OpenWireless.org campaign, will maintain its own flavor of free, open-source router firmware called Open Wireless Router. Good Samaritans can install this firmware on a cheap Wi-Fi router, creating a public slice of bandwidth that can be dialed up or down with a simple smartphone interface.

  33. Tomi Engdahl says:

    Google unveils independent “fork” of OpenSSL called “BoringSSL”
    Stripped down package means there will be three independent versions of OpenSSL.
    http://arstechnica.com/security/2014/06/google-unveils-independent-fork-of-openssl-called-boringssl/

    Google is releasing its own independently developed “fork” of OpenSSL, the widely used cryptography library that came to international attention following the Heartbleed vulnerability that threatened hundreds of thousands of websites with catastrophic attacks.

  34. Tomi Engdahl says:

    Android 4.4.4 fixes OpenSSL hijacking vulnerability
    http://www.pcworld.com/article/2366040/android-444-fixes-openssl-connection-hijacking-flaw.html

    Less than three weeks after pushing Android 4.4.3 to users of its Nexus devices, Google released a new version of the OS that incorporates a patch for a serious vulnerability identified in the OpenSSL cryptographic library.

    Android 4.4.4 factory images using build version KTU84P were released for Nexus 4, 5, 7 and 10 late Thursday.

    According to a recent scan by security vendor Qualys, around 14 percent of the Internet’s most popular 155,000 SSL-enabled websites are vulnerable to possible attacks exploiting CVE-2014-0224.

  35. Tomi Engdahl says:

    Hackers reverse-engineer NSA’s leaked bugging devices
    http://www.newscientist.com/article/mg22229744.000-hackers-reverseengineer-nsas-leaked-bugging-devices.html#.U6U3lyjuc_w

    Using documents leaked by Edward Snowden, hackers have built bugs that can be attached to computers to steal information in a host of intrusive ways.

    “SDR lets you engineer a radio system of any type you like really quickly so you can research wireless security in any radio format,” says Ossmann.

    Having figured out how the NSA bugs work, Ossmann says the hackers can now turn their attention to defending against them – and they have launched a website to collate such knowledge, called NSAPlayset.org. “Showing how these devices exploit weaknesses in our systems means we can make them more secure in the future,” he says.

  36. Tomi Engdahl says:

    Google’s New Web Starter Kit Is A Boilerplate For Multi-Screen Web Development
    http://techcrunch.com/2014/06/19/google-launches-web-starter-kit-a-boilerplate-for-multi-screen-web-development/

  37. Tomi Engdahl says:

    Your Grandfather’s Backup Tools Weren’t Built for Today’s Virtual Environments.
    Posted on April 8, 2014 by Tricia ONeill
    http://blogs.vmware.com/smb/2014/04/grandfathers-backup-tools-werent-built-todays-virtual-environments.html

    When the health of your business rides on the availability of your virtual machines and the applications they run, you shouldn’t be working with legacy backup and recovery tools. You’re not in your grandfather’s data center, so why use his data protection tools?

    Yet that’s the case in many data centers. Instead of deploying backup and recovery solutions built for virtual machines, many organizations are using legacy data protection solutions that were designed for physical environments and retrofitted for use in virtualized environments. And here’s the bottom line: Some are finding they aren’t getting everything they need.

  38. Tomi Engdahl says:

    Ex-NSA Chief Pitches Banks Costly Advice on Cyber-Attacks
    http://www.bloomberg.com/news/2014-06-20/ex-nsa-chief-pitches-advice-on-cyber-threats-to-the-banks.html

    As the four-star general in charge of U.S. digital defenses, Keith Alexander warned repeatedly that the financial industry was among the likely targets of a major attack. Now he’s selling the message directly to the banks.

    Joining a crowded field of cyber-consultants, the former National Security Agency chief is pitching his services for as much as $1 million a month. The audience is receptive: Under pressure from regulators, lawmakers and their customers, financial firms are pouring hundreds of millions of dollars into barriers against digital assaults.

    “It would be devastating if one of our major banks was hit, because they’re so interconnected,” Alexander said in an interview.

    Rising Losses

    Banks that not long ago had 10 or 15 people repelling computer invaders now have 50 to 100 people “that do nothing but respond to attacks and review intelligence,” Joe Nocera, head of the financial-services cybersecurity group at PriceWaterhouseCoopers LLP, said in an interview.

    The largest banks are allocating the most resources. JPMorgan Chase & Co. (JPM) has 1,000 people focused on the danger and will spend $250 million this year, Chief Executive Officer Jamie Dimon said in an April letter to shareholders.

    Financial executives responding to a PricewaterhouseCoopers survey reported that incidents rose from 1,720 in 2012 to 4,628 last year. Losses from the attacks are up “significantly,” according to the report.

  39. Tomi Engdahl says:

    This top turns see-through if you leave personal data exposed
    Clothing reveals how much wearer is revealing.
    http://arstechnica.com/business/2014/06/this-top-turns-see-through-if-you-leave-personal-data-exposed/

    A Brooklyn-based designer has created a 3D-printed sculptural boob tube to spark social commentary on the state of privacy in a data-driven world—by making the top gradually more sheer.

    “By participating in this hyper-connected society while having little to no control of my digital data production, how much of myself do I unknowingly reveal?” asks Chen, who created X.pose in around three weeks with fellow artist Pedro Oliveira. “To what degree does the aggregated metadata collected from me paint an accurate portrait of who I am as a person? What aspects of my individuality are reflected in this portrait?”

    She decided to aggregate this data collected on her every day, building a mobile app to do the job using Node.js and PhoneGap. X.pose is the result of those data points, which have been translated into an abstract geometric representation using 3D printing software Rhino.

    “I wanted to quantify the data exposure physically because that’s what people can see,” Chen told Wired.co.uk. “Discussions about privacy concerns have been around for ages, but only when it’s in your face do people really get a reaction.”

    “I don’t think much will change in the near future,” she said. “Even if the system seems a bit twisted, it all ‘works’ and is providing so many free services to billions. Like I said, connectivity has become so necessary for some… maybe it outweighs the privacy concerns?”

  40. Tomi Engdahl says:

    Hackers steal trade secrets from major US hedge firm
    Trades delayed as multi-million dollar secret sauce snaffled
    http://www.theregister.co.uk/2014/06/23/hackers_steal_trade_secrets_from_major_us_hedge_firm/

    Criminals have successfully attacked a hedge fund, delaying trades and stealing profitable secrets in a rare direct raid on the financial services sector, according to BAE Systems Applied Intelligence.

    The clever hack cost the unnamed US-based hedge fund millions of dollars over two months, the firm alleges. Attackers apparently lifted information on complex and high speed trades from the firm, then sent the details to external servers using malware which was implanted on the victim’s network.

    Attacks against hedge funds don’t often make it onto the public record.

  41. Tomi Engdahl says:

    Cisco open-sources experimental cipher
    The Borg want to protect traffic privacy in cloud systems
    http://www.theregister.co.uk/2014/06/22/borg_opensources_experimental_cipher/

    Cisco is offering up an experimental cipher which, among other things, could help preserve the anonymity of data in cloud environments.

    In putting what it calls “FNR” (Flexible Naor and Reingold) into the hands of the public, The Borg says its work is currently experimental rather than production software.

    Cisco software engineer Sashank Dara explains that FNR is a block cipher that works without the need for padding, as happens in ciphers such as AES.

    FNR, Dara explains, is designed to encrypt small objects while preserving their input length, making it applicable to “IPv4 addresses, MAC addresses” and other arbitrary strings. It could also encrypt legacy databases containing fields that need their length preserved, reducing the amount of re-engineering required.

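The property described above, encrypting a 32-bit IPv4 address or 48-bit MAC address into a ciphertext of exactly the same width with no padding, is what a Feistel network gives you when the round function is a keyed PRF and the halves are never widened. The following is an added example of that idea and is not Cisco's FNR code, nor a vetted construction for production use: it is a generic HMAC-SHA256 Feistel network over an arbitrary bit width, with an optional tweak for domain separation. The key is a constructed sample value.

```python
"""Length-preserving Feistel cipher for small fixed-width values (e.g. IPv4 addresses).

Added illustration of a padding-free, length-preserving block cipher. This is a
generic HMAC-based Feistel network, not Cisco's FNR, and is not a vetted
production construction.
"""
import hashlib
import hmac
import ipaddress

ROUNDS = 8  # even, so the two halves return to their original widths


def _round_fn(key: bytes, tweak: bytes, rnd: int, value: int, out_bits: int) -> int:
    """One round's PRF: HMAC-SHA256 over (tweak, round index, half), truncated to out_bits.

    Binding the round index into the input keeps the rounds from cancelling out;
    the tweak lets the same key give different permutations per column or field.
    """
    data = len(tweak).to_bytes(2, "big") + tweak + bytes([rnd]) + value.to_bytes(16, "big")
    digest = hmac.new(key, data, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") & ((1 << out_bits) - 1)


def encrypt_int(key: bytes, x: int, bits: int, tweak: bytes = b"") -> int:
    """Map a bits-wide integer to another bits-wide integer; a permutation of that domain."""
    if bits < 2 or not 0 <= x < (1 << bits):
        raise ValueError("value does not fit in the stated width")
    a, b = bits // 2, bits - bits // 2        # left width, right width (right is wider if odd)
    left, right = x >> b, x & ((1 << b) - 1)
    for rnd in range(ROUNDS):
        # new left is the old right; new right mixes the round output into the old left
        left, right = right, left ^ _round_fn(key, tweak, rnd, right, a)
        a, b = b, a                            # widths travel with the halves
    return (left << b) | right


def decrypt_int(key: bytes, y: int, bits: int, tweak: bytes = b"") -> int:
    """Inverse of encrypt_int: run the rounds backwards."""
    if bits < 2 or not 0 <= y < (1 << bits):
        raise ValueError("value does not fit in the stated width")
    a, b = bits // 2, bits - bits // 2
    left, right = y >> b, y & ((1 << b) - 1)
    for rnd in reversed(range(ROUNDS)):
        a, b = b, a                            # widths as they were before this round
        left, right = right ^ _round_fn(key, tweak, rnd, left, a), left
    return (left << b) | right


def encrypt_ipv4(key: bytes, addr: str, tweak: bytes = b"") -> str:
    """Encrypt a dotted-quad address to another dotted-quad address (32 bits in, 32 bits out)."""
    return str(ipaddress.IPv4Address(encrypt_int(key, int(ipaddress.IPv4Address(addr)), 32, tweak)))


def decrypt_ipv4(key: bytes, addr: str, tweak: bytes = b"") -> str:
    """Recover the original address from encrypt_ipv4's output."""
    return str(ipaddress.IPv4Address(decrypt_int(key, int(ipaddress.IPv4Address(addr)), 32, tweak)))


if __name__ == "__main__":
    demo_key = b"constructed-demo-key-not-for-real-use"  # constructed sample value
    ct = encrypt_ipv4(demo_key, "192.0.2.10")
    print("192.0.2.10 ->", ct, "->", decrypt_ipv4(demo_key, ct))
```

The important caveat for any length-preserving scheme is that a 32-bit domain is tiny: the same key and tweak always map an address to the same ciphertext, so frequency analysis and known-plaintext guessing work exactly as they would against a codebook, and the tweak is what keeps one column's permutation from revealing another's.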
  42. Tomi Engdahl says:

    Infosec bods try Big Data in search for better anti-virus mousetrap
    It might not be a meaningless marketing term after all…
    http://www.theregister.co.uk/2014/06/20/big_data_panda/

    Infosec house Panda Security is looking to Big Data and application monitoring as a means to achieve better malware detection.

    The launch of Panda Advanced Protection Service (PAPS) is a response to the widely known shortcomings of signature-based anti-virus detection as well as a means for Panda to sell extra services. The technology will be marketed to larger firms as well as offered through cloud tech partners, such as Spanish managed security services firm Indra.

    The sheer volume of malware production has long outpaced legacy blacklisting techniques based on recognising known bad apps by their signatures. In response security vendors have developed technologies such as heuristics (generic detection of similar malware), whitelisting and cloud-based technologies.

    Most modern security scanners incorporate all these technologies despite marketing claims by rival vendors to the contrary.

    Panda – like most of its peers – argues that anti-virus technology still has its place as something that’s necessary, albeit insufficient.

    “Anti-virus is a cost-effective means to detect and stop known attacks,” said Luis Corrons, technical director of PandaLabs.

  43. Tomi Engdahl says:

    Supermicro chip has an unencrypted admin password
    Over 30,000 servers affected
    http://www.theinquirer.net/inquirer/news/2351366/supermicro-chip-has-an-unencrypted-admin-password

    THOUSANDS OF SERVERS are vulnerable to attack because the administrator password was embedded in plain text on one of the chips during manufacturing.

    The Supermicro WPCM450 mainboard’s dirty little secret can be easily downloaded by connecting to the correct port of the server and scanning the Baseband Management Controller (BMC).

    Wikholm said that 31,964 servers containing the faulty chips were online during his research and of those 3,296 were using the default password.

    Wikholm wrote, “It is time to call for stronger security of embedded platforms… devices can no longer dwell amongst the anonymity of the nearly 4.3 billion IPv4 addresses. Recent findings on the above platforms have proven everything is visible. With the advent of IPv6 and the ‘Internet of Things’, we as both customers and vendors need to ensure the security of our networks and connected devices.”

  44. Tomi Engdahl says:

    #YO_NO! Messaging app ‘Yo’ gets hit by hackers
    Well, at least someone found a use for the thing…
    http://www.theregister.co.uk/2014/06/20/yono_messaging_app_yo_get_hit_by_hackers/

    Just days after the Yo app debuted to much fanfare (and head-scratching), the mono-message social tool has fallen prey to hackers.

    A group of students from Georgia Tech University claim via TechCrunch to have accessed the application’s entire user database, and gained the ability to obtain the phone number of anyone currently using the one-word messaging platform.

  45. Tomi Engdahl says:

    Devices generate an average of 10,000 security events per day
    The number of security events sheds light on why recent high profile attacks go undetected for so long.
    http://www.controleng.com/single-article/devices-generate-an-average-of-10000-security-events-per-day/376dbfb11ddcfaf6acaba27cd1cc4cf9.html

    Devices in an average company’s network are generating an aggregate average of 10,000 security events per day, with the most active generating around 150,000 events per day, a new report said.

    In addition, large, globally-dispersed enterprises were averaging 97 active infected devices each day and leaking an aggregate average of more than 10GB of data per day, according to Damballa’s Q1 2014 State of Infections Report, compiled from analysis of 50 percent of North American ISP Internet traffic and 33 percent of mobile traffic, plus large volumes of traffic from global ISPs and enterprise customers.

    That is just one small indication showing how daunting it is for security staff to manually go through mountains of alerts in order to discover which (if any) constitute a real and present threat.

    “We are already facing a profound scarcity of skilled security professionals, which the latest Frost & Sullivan figures estimate will equate to a 47 percent shortfall by 2017,” said Brian Foster, CTO of Damballa. “If we compound this fact with the increase in data breaches and the scope of work required to identify a genuine infection from the deluge of security events hitting businesses every day, we can see why security staff are struggling to cope.”

    The ability to reduce the time-to-discovery from 90 days to 1 day, across those 97 infected devices, would result in a savings of 89 man-days per device, or 8,633 man-days (23.65 years) per enterprise.

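The comment above is about volume: thousands of events per device per day, most of them repeats, with the few that matter buried among them. The following is an added example, not part of the comment or the Damballa report, of the first step any SOC takes to make that tractable: collapse repeated events per (host, signature), then rank hosts by severity and by how many distinct signatures corroborate each other. The event lines are constructed samples and the scoring rule is an assumption made for the example.

```python
"""Collapse a flood of per-device security events into a ranked triage list.

Added illustration for the alert-volume problem described above. The event
lines are constructed samples; the scoring rule is an assumption made for
this example, not Damballa's method.
"""
from collections import defaultdict
from typing import Optional

# Constructed sample events: "timestamp key=value ..." with one malformed line.
SAMPLE_EVENTS = """\
2014-06-20T08:00:01Z host=ws-017 sev=2 sig=dns-txt-query-burst dst=198.51.100.7
2014-06-20T08:00:02Z host=ws-017 sev=2 sig=dns-txt-query-burst dst=198.51.100.7
2014-06-20T08:00:03Z host=ws-017 sev=2 sig=dns-txt-query-burst dst=198.51.100.7
2014-06-20T08:01:10Z host=ws-017 sev=4 sig=beacon-fixed-interval dst=198.51.100.7
2014-06-20T08:02:00Z host=ws-017 sev=5 sig=large-upload-unusual-dst dst=198.51.100.7
2014-06-20T08:03:00Z host=srv-db-02 sev=1 sig=port-scan-inbound src=203.0.113.9
2014-06-20T08:03:01Z host=srv-db-02 sev=1 sig=port-scan-inbound src=203.0.113.9
2014-06-20T08:04:00Z host=ws-042 sev=2 sig=av-signature-hit dst=-
2014-06-20T08:05:00Z host=ws-042 sev=1 sig=policy-usb-mount dst=-
malformed line that the parser must skip
"""


def parse_event(line: str) -> Optional[dict]:
    """Parse one 'timestamp key=value ...' line; return None for malformed input."""
    parts = line.split()
    if len(parts) < 2:
        return None
    ev = {"ts": parts[0]}
    for tok in parts[1:]:
        if "=" not in tok:
            return None
        k, v = tok.split("=", 1)
        ev[k] = v
    if not {"host", "sev", "sig"} <= ev.keys():
        return None
    try:
        ev["sev"] = int(ev["sev"])
    except ValueError:
        return None
    return ev


def aggregate(text: str) -> dict:
    """Group events by (host, signature): count, first/last seen, highest severity."""
    groups: dict = {}
    for line in text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        g = groups.setdefault(
            (ev["host"], ev["sig"]),
            {"count": 0, "first": ev["ts"], "last": ev["ts"], "sev": ev["sev"]},
        )
        g["count"] += 1
        g["last"] = ev["ts"]
        g["sev"] = max(g["sev"], ev["sev"])
    return groups


def rank_hosts(groups: dict) -> list:
    """Rank hosts by highest severity, then breadth (distinct signatures), then volume.

    A host with at least one high-severity event corroborated by a second,
    different signature is flagged for escalation; a single noisy signature is not.
    """
    per_host = defaultdict(lambda: {"max_sev": 0, "sigs": set(), "events": 0})
    for (host, sig), g in groups.items():
        h = per_host[host]
        h["max_sev"] = max(h["max_sev"], g["sev"])
        h["sigs"].add(sig)
        h["events"] += g["count"]
    ranked = [
        {
            "host": host,
            "max_sev": h["max_sev"],
            "distinct_sigs": len(h["sigs"]),
            "events": h["events"],
            "escalate": h["max_sev"] >= 4 and len(h["sigs"]) >= 2,
        }
        for host, h in per_host.items()
    ]
    ranked.sort(key=lambda r: (r["max_sev"], r["distinct_sigs"], r["events"]), reverse=True)
    return ranked


if __name__ == "__main__":
    for row in rank_hosts(aggregate(SAMPLE_EVENTS)):
        print(row)
```

Nine raw events collapse to six groups and three hosts, and only the host where a high-severity signature is corroborated by others is flagged; the two-event port scan against the database server ranks last despite being the kind of thing that looks alarming in a raw feed.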
  46. Tomi Engdahl says:

    Syrian Electronic Army targets Reuters again—but ad network provided the leak
    By targeting a third party service, SEA could potentially create more havoc.
    http://arstechnica.com/security/2014/06/syrian-electronic-army-targets-reuters-again-but-ad-network-provided-the-leak/

    The Syrian Electronic Army has made old hat of hacking major US media outlets throughout the past year, and Reuters was no exception. However, while visitors to the news outlet’s site undoubtedly noticed the SEA’s handiwork on display temporarily this afternoon, security researcher Frederic Jacobs is reporting this latest breach was not due to any wrongdoing from Reuters.

    “By compromising Taboola, the value of the compromise is significantly higher than just compromising Reuters,” Jacobs wrote. “Taboola has 350 million unique users and has partnerships with world’s biggest news sites including Yahoo!, the BBC, FoxNews, the New York Times… Any of Taboola’s clients can be compromised anytime now.”

    Jacobs reminds us that the security of any site using third party analytics or advertising networks is simply reliant on “the weakest of those,”
