Year 2014 will be a year of cybersecurity after the NSA revelations made in 2013: the headline news is that the NSA has surreptitiously “burrowed its way into nearly all the security architecture” sold by the world’s largest computer networking companies. A lot of people were shocked at how the NSA monitored and hacked almost everything on the Internet. There will still be NSA aftershocks as new material comes out and different parties react to it (and news sources write about it). U.S. cloud services have been put into question for good reason. There will be a lot of NSA spying litigation. Those spying issues will also fuel some hacktivism (it has already started to happen).
The Security Professionals: Top Cyber Threat Predictions for 2014 article lists the following predictions, which seem pretty probable: Cybersecurity Regulatory Efforts Will Spark Greater Need for Harmonization, Service-Impacting Interruptions for Online Services Will Persist, We Will See an Increase in Cybercrime Activity Related to the World Cup, Rise of Regional Cloud Services, Dev-Ops Security Integration Fast Becoming Critical, Cybercrime that Leverages Unsupported Software will Increase, Increase in Social Engineering and Ransomware will Impact More People.
Ubiquitous mobile computing is all around us, which will lead to increased risks and concerns about social network privacy. Social networks have quickly become the key organizing principle of Internet communication and collaboration. Android anti-virus apps CAN’T kill nasties on sight like normal AV does.
2013 was a very hacked year, with many cases where information on millions or tens of millions of users was stolen from companies. It’s likely that we will see much more of the same in 2014, because the way people use passwords and the way on-line services are built have not changed much in one year.
Gartner predicts that through 2014, improved JavaScript performance will begin to push HTML5 and the browser as a mainstream enterprise application development environment. I expect HTML5-related security issues to increase due to the fact that the technology is being used more in 2014.
Over 50% of net traffic to web sites is made by bots! The More Than Half of Internet Traffic Is Just Bots article says that security and cloud service provider Incapsula analyzed traffic and found out that more than 60 percent of internet traffic is computer generated, compared to less than 40 percent of traffic that is driven by human clicks. 31% of bots are still malicious. SEO link building has always been a major motivation for automated link spamming, but it is decreasing due to the fact that Google was able to discourage it. There is more advanced hacking and automatic vulnerability searching.
DDoS attacks are evolving from volumetric Layer 3-4 attacks to much more sophisticated and dangerous Layer 7 multi-vector threats.
There will still be many SCADA security issues in 2014. Even though traditional SCADA vulnerabilities have become easier to find, the increased connectivity brought by IoT will cause new issues. And there will still be very many control systems openly accessible from the Internet to practically everybody who knows how to find them. A large number of SCADA systems were found open on the Internet at the beginning of 2013, and the numbers have not dropped considerably during the year. I expect that very many of those systems will still be too open at the end of 2014.
The Internet is expanding into enterprise assets and consumer items such as cars and televisions. The Internet of Things (IoT) will evolve into the Web of Things, increasing the coordination between things in the real world and their counterparts on the Web. There will be many security issues to solve, and as these systems become more widely used, more security issues will be found in them.
Cloud security will be talked about. Hopefully there will be some clearing-up of the terminology in that area, because, like the term cloud computing, cloud security can mean a lot of things. Cloud security could mean how secure your cloud provider is, a service that runs in the cloud filtering what comes through it (for example e-mails or web traffic), a product protecting some service running in the cloud, or a traditional anti-virus service that connects to the cloud to improve its operation (for example to update in real time or to verify unknown programs based on data in the cloud). Research firm Gartner forecasts that cloud security sales will increase dramatically in the next few years. Cloud security sales have increased over the past year by 2.1 billion to $3.1 billion in 2015.
Marketers try to put the “cloud” term into security product brochures as much as they can. The cloud has made traditional information security sound old-fashioned, because companies are under pressure to move services to the cloud. Also, mobile devices and dispersed users set new standards for information security. OpenDNS’s CTO Dan Hubbard says that “Because the data and equipment run in the cloud, protecting users with the cloud is the best way to protect them.” The Snowden effect will also bring PRIVATE cloud talk to the table this year for security reasons, because U.S. cloud services have been put into question for good reason.
In Finland a new Cyber Security Center started in the beginning of 2014. Security articles and warnings from it will be published at kyberturvallisuuskeskus.fi.
Late addition: Crypto-currencies like Bitcoin and similar are on the rise. Early adopters already use them actively. Those crypto-currencies have many security issues related to them. The values of the crypto-currencies vary quite a lot, and the value easily drops considerably when they get so widely used that different governments try to limit their use. Bitcoin is increasingly used as a ransomware payment method. Bitcoins have been stolen quite a lot lately (and I expect that to increase as usage increases), and they are stolen from users, from on-line wallets and from exchanges. When more money is involved, more bad guys try to get in to take some of it. Sometimes bad guys do not try to steal your money, but use resources you pay for (your own PC, your server capacity, etc.) to generate money for them without you knowing about it. If you plan to use those crypto-currencies, be careful to understand what you are doing with them: there is a real possibility that you can lose your money, and there is no way that lost money can be recovered.
3,382 Comments
Tomi Engdahl says:
They’re ba-ack: Browser-sniffing ghosts return to haunt Chrome, IE, Firefox
Privacy threat that allows websites to know what sites you’ve viewed is revived.
http://arstechnica.com/security/2014/06/theyre-ba-ack-browser-sniffing-ghosts-return-to-haunt-chrome-ie-firefox/
Chrome, Internet Explorer, and Firefox are vulnerable to easy-to-execute techniques that allow unscrupulous websites to construct detailed histories of sites visitors have previously viewed, an attack that revives a long-standing privacy threat many people thought was fixed.
Until a few years ago, history-sniffing attacks were accepted as an unavoidable consequence of Web surfing, no matter what browser someone used. By abusing a combination of features in JavaScript and cascading style sheets, websites could probe a visitor’s browser to check if it had visited one or more sites.
Now, a graduate student at Hasselt University in Belgium said he has confirmed that Chrome, IE, and Firefox users are once again susceptible to browsing-history sniffing. Borrowing from a browser-timing attack disclosed last year by fellow researcher Paul Stone, student Aäron Thijs was able to develop code that forced all three browsers to divulge browsing history contents.
Tomi Engdahl says:
Journalists increasingly under fire from hackers, Google researchers show
21 out of 25 top news organizations hit by state-sponsored attacks.
http://arstechnica.com/security/2014/03/journalists-increasingly-under-fire-from-hackers-google-researchers-show/
Tomi Engdahl says:
Workplace Surveillance Becoming More Common
Unblinking Eyes Track Employees
Workplace Surveillance Sees Good and Bad
http://www.nytimes.com/2014/06/22/technology/workplace-surveillance-sees-good-and-bad.html
A digital Big Brother is coming to work, for better or worse.
Advanced technological tools are beginning to make it possible to measure and monitor employees as never before, with the promise of fundamentally changing how we work — along with raising concerns about privacy and the specter of unchecked surveillance in the workplace.
Through these new means, companies have found, for example, that workers are more productive if they have more social interaction.
Tomi Engdahl says:
Difficult-to-use IT system led to the release of prisoners
Dallas police IT problems freed more than 20 accused, who suddenly got their freedom when the detention time ran out. The problems were related to the new information system, which the police did not know how to use. There was poor user training, and problems were caused by slow system operation.
Source: https://translate.googleusercontent.com/translate_c?depth=1&hl=fi&ie=UTF8&prev=_t&rurl=translate.google.fi&sl=auto&tl=en&u=http://www.tivi.fi/kaikki_uutiset/vaikeakayttoinen%2Bitjarjestelma%2Bjohti%2Bvankien%2Bvapauttamiseen/a995055&usg=ALkJrhjpqg6FqHeR-g7kYt8hVCZ8CV5psg
Tomi Engdahl says:
“Free” Wi-Fi from Xfinity and AT&T also frees you to be hacked
Ars tests how easy it is to spoof big broadband providers to grab data.
http://arstechnica.com/security/2014/06/free-wi-fi-from-xfinity-and-att-also-frees-you-to-be-hacked/
If you’ve traveled and tried to get on the Internet, you’ve probably seen some pretty suspicious looking Wi-Fi networks with names like “Free Wi-Fi” and “Totally Free Internet.” Those are likely access points you’d best avoid. But there’s a much bigger threat to your security than somebody randomly fishing for you to connect to them—the networks you’ve already connected to and trusted, like AT&T and Xfinity.
Mobile broadband providers are eager to get you to connect to their Wi-Fi-based networks while you’re away from home. AT&T has built a network of free hotspots for customers at thousands of places
These free Wi-Fi connections are popular, for good reason—they help reduce the amount of broadband cellular data you consume, and they often provide better network speeds than what you can manage over a 4G connection. But they also offer a really easy way for someone to surreptitiously tap into your Internet traffic and capture your account information for less-than-friendly purposes. Millions of AT&T and Xfinity customers could be leaving themselves exposed to surreptitious hacking of their Internet traffic, exposing their personal data as a result.
Tomi Engdahl says:
Researchers blow past all protections in Microsoft’s EMET anti-exploitation tool
http://www.pcworld.com/article/2101640/researchers-bypass-protections-in-microsofts-emet-antiexploitation-tool.html
Security researchers managed to bypass the protections offered by Microsoft’s Enhanced Mitigation Experience Toolkit (EMET), a utility designed to detect and block software exploits, and concluded that the tool would not be effective against determined attackers.
EMET can be used to apply 12 different security mitigations to other programs running on the computer. These mitigations are designed to block common techniques used in software exploits, like Return Oriented Programming (ROP), a technique that exploit authors use to defeat security defenses and execute malicious code on the system.
Tomi Engdahl says:
‘Most sophisticated DDoS’ ever strikes Hong Kong democracy poll
Cloudflare claims tip-off allowed it to tip traffic into sinkholes
http://www.theregister.co.uk/2014/06/23/most_sophisticated_ddos_strikes_hk_democracy_poll/
One of the largest and most sophisticated distributed denial of service (DDOS) attacks has hit a controversial online democracy poll canvassing opinion on future Hong Kong elections.
Over the weekend some 680,000 people cast votes in the unofficial poll that offered residents of the special administrative region a way to highlight their preferred political representatives.
Security outfit CloudFlare said it was still fending off the sophisticated DDoS attack as of Monday morning, long after the polls closed.
“We saw 300Gbps at the peak of the attack, but it was likely significantly larger than that,”
“Since we had advanced warning the attack was coming, we’d put in place measures to sinkhole traffic in certain regions so it never hit our network,”
Tomi Engdahl says:
Prisoners freed after cops struggle with new records software
Officers didn’t get enough training on the new system, which went live June 1, according to Dallas’s police chief
http://www.itworld.com/software/423946/prisoners-freed-after-cops-struggle-new-records-software
The prisoners were able to get out of jail because police officers struggling to use the new system didn’t file cases on them within three days, as required by law, according to the newspaper.
“The law is real simple,” Judge Rick Magnis from the 283rd Judicial District Court told the paper. “The Constitution in America says you can’t hold people without charges.”
“At this point, it does not appear to be a very user-friendly program,” Todd said, according to the paper. The switchover has been “a nightmare,” Todd added.
“The frustration level is very high,” he said. “We never want to get to a point where people who need to be in jail are not in jail.”
Tomi Engdahl says:
Heartbleed-based BYOD hack pwns insurance giant Aviva’s iPhones
Slabs and mobes moved to BB10 service… yes, you read that right
http://www.theregister.co.uk/2014/06/23/aviva_heartbleed_hack/
Mobile device management systems at insurance giant Aviva UK were last month hit by an attack based on the Heartbleed exploit that allowed hackers to royally screw with workers’ iPhones.
Aviva was using BYOD service MobileIron to manage more than 1,000 smart devices such as iPhones and iPads. On the evening of the 20 May, a hacker compromised the MobileIron admin server and posted a message to those handhelds and the email accounts, according to our source.
The hacker then performed a full wipe of every device and subsequently took out the MobileIron server itself.
In a statement sent to us, Aviva downplayed the impact of the breach, and moved to reassure clients that customer data was not exposed
Aviva reportedly moved impacted staff onto a new Blackberry 10 service to manage all their Apple devices, and are in discussions with MobileIron reseller Esselar to cancel their contract.
Tomi Engdahl says:
How to strip pesky copyright watermarks from photos … says a FACEBOOK photo bod
Engineer kills step-by-step instructions to steal pics online
http://www.theregister.co.uk/2014/05/29/facebook_photo_engineer_photograph_watermarks/
A Facebook software engineer who published a detailed guide to stealing photographs online – by explaining how to remove watermarks and ignore any copyright restrictions – has been shamed into removing the blog post.
Typically, graduates have to pay for photos taken of them in their funny hats and hoods during their graduation ceremonies – and are shown heavily watermarked previews of the images before they buy copies of the originals on the web.
Tomi Engdahl says:
Google’s tracking system is so effective that the NSA uses it, says F-Secure’s Mikko Hypponen.
Data entered into Google is used for profiling. For example, the Google search engine’s predictive text input operates in different ways in different countries.
According to Hyppönen, profiling does not, however, remain at a general level. It is taken down to the individual level.
- Google last year made profits of EUR 13 billion and has a billion users. Each of us is worth an annual €13 to Google. I’d rather pay the money for the use of the service in exchange for privacy, but it is not possible.
According to Hyppönen, Google encourages people to log in to the service so that searches from their various devices can be combined, to get an all-encompassing image of people. And when searches are done on Android devices, they can further be combined with location information.
- If you look at the tracking cookies that Google’s services set on your computer, they will expire only in 2033 or 2034, Hyppönen said.
Source: http://www.iltasanomat.fi/digi/art-1288702882850.html
Tomi Engdahl says:
This will allow Google to profile you – please check your data with two clicks
The ads appear on Google’s own website, as well as on such websites that have concluded an agreement to show Google’s small advertisements.
The ads are targeted, that is, Google tries to match them as closely as possible to users’ interests.
Google does the targeting, for instance, by monitoring the user’s search history, browsing history, clicks on advertising links, YouTube views, data the user has entered into their Google account or Gmail account, Gmail e-mail content (yes, Google reads it in an automated way), as well as the applications installed on the user’s Android phone. Google also combines data from various devices.
The monitoring is done by using cookies
Google’s advertising profile page will tell many details on you
- The data can be edited. If any of the themes is unwanted, you can remove it. In this case, you do not see relevant ads at all.
Source: http://www.iltasanomat.fi/digi/art-1288705350435.html?utm_campaign=tf-IS&utm_medium=tf-desktop&utm_term=1&utm_source=hs.fi&utm_content=article
Tomi Engdahl says:
Google’s advertising profile page – check your details here
https://www.google.com/settings/u/0/ads
Tomi Engdahl says:
Columbia U boffins HACK GOOGLE PLAY to check apps
What they found: devs leave OAuth keys in the code
http://www.theregister.co.uk/2014/06/19/columbia_u_boffins_hack_google_play_to_check_apps/
It’s the app developer’s equivalent of hiding the door keys under the mat: researchers from Columbia University have found Android apps containing the developers’ secret keys.
That’s a more serious issue than the old “don’t re-use passwords”: the thousands of credentials embedded by developers, blithely assuming they’re not visible to an end user, were OAuth tokens valid on other sites
“We’ve been working closely with Google, Amazon, Facebook, and other service providers to identify and notify customers at risk”, Viennot says in the university’s release, adding that Google has started using his decompilation techniques to see if it can raise “don’t embed your tokens” warnings when apps are submitted.
Tomi Engdahl says:
British Gas Twitter account hijacked by mystery phishermen
Login cred-stealing scammers get in, mayhem ensues
http://www.theregister.co.uk/2014/06/23/british_gas_twitter_account_hijacked_by_phishing_fraudsters/
An official British Gas Twitter account was hacked over the weekend as part of a phishing scam designed to harvest Twitter login credentials.
Victims would have found their Twitter accounts hijacked by spammers and scammers
The incident illustrates the utility of using two factor authentication to reduce the risk of Twitter profiles being hijacked. Such hijackings are all too common
Tomi Engdahl says:
On Taxis and Rainbows
Lessons from NYC’s improperly anonymized taxi logs
https://medium.com/@vijayp/f6bc289679a1
Recently, thanks to a Freedom of Information request, Chris Whong received and made public a complete dump of historical trip and fare logs from NYC taxis. It’s pretty incredible: there are over 20GB of uncompressed data comprising more than 173 million individual trips. Each trip record includes the pickup and dropoff location and time, anonymized hack licence number and medallion number (i.e. the taxi’s unique id number, 3F38, in my photo above), and other metadata.
These data are a veritable trove for people who love cities, transit, and data visualization. But there’s a big problem: the personally identifiable information (the driver’s licence number and taxi number) hasn’t been anonymized properly — what’s worse, it’s trivial to undo, and with other publicly available data, one can even figure out which person drove each trip.
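The reversal the post describes, as an added illustration that is not code from the Medium article: it assumes the pseudonyms were unkeyed hashes of a short medallion pattern such as "3F38" (a constructed simplification of the real formats) and shows why that is reversible by enumerating the keyspace, next to a keyed alternative that keeps a taxi’s trips linkable without being recomputable by anyone who lacks the key.

```python
import hashlib
import hmac
import secrets
import string


# Constructed assumption: a medallion number is <digit><letter><two digits>,
# like the "3F38" in the post. Real medallions use a few short patterns, all
# of them tiny keyspaces; this one has 10 * 26 * 100 = 26,000 possible values.
def all_medallions():
    """Enumerate the entire (assumed) medallion keyspace."""
    for digit in string.digits:
        for letter in string.ascii_uppercase:
            for n in range(100):
                yield f"{digit}{letter}{n:02d}"


def weak_pseudonym(medallion: str) -> str:
    """Unkeyed hash used as a pseudonym. Deterministic and public: anyone can
    recompute it for every candidate medallion."""
    return hashlib.md5(medallion.encode()).hexdigest()


def build_reverse_table() -> dict:
    """Precompute pseudonym -> medallion over the whole keyspace. With 26,000
    candidates this takes milliseconds; that is the 'rainbow' in the title."""
    return {weak_pseudonym(m): m for m in all_medallions()}


def deanonymize(pseudonym: str, table: dict):
    """Reverse a pseudonym by table lookup; None if it is not the weak hash
    of anything in the keyspace."""
    return table.get(pseudonym)


def new_key() -> bytes:
    """A secret the data publisher keeps; it is never released with the data."""
    return secrets.token_bytes(32)


def keyed_pseudonym(medallion: str, key: bytes) -> str:
    """HMAC-SHA256 pseudonym. Same value for the same medallion, so one taxi's
    trips stay linkable for analysis, but without the key there is no way to
    recompute it for candidate medallions."""
    return hmac.new(key, medallion.encode(), hashlib.sha256).hexdigest()


def pseudonymize_trips(trips: list, key: bytes) -> list:
    """Replace the raw medallion in each trip record with its keyed pseudonym."""
    return [dict(trip, medallion=keyed_pseudonym(trip["medallion"], key))
            for trip in trips]


# Constructed sample trip records, not real TLC data.
SAMPLE_TRIPS = [
    {"medallion": "3F38", "pickup": "2013-06-01T08:12", "fare": 9.5},
    {"medallion": "3F38", "pickup": "2013-06-01T09:40", "fare": 14.0},
    {"medallion": "7B02", "pickup": "2013-06-01T08:15", "fare": 6.0},
]


def recovered_medallions(pseudonymized: list, table: dict) -> list:
    """Which of a published file's pseudonyms the reverse table turns back
    into real medallions."""
    found = (deanonymize(t["medallion"], table) for t in pseudonymized)
    return [m for m in found if m is not None]


if __name__ == "__main__":
    table = build_reverse_table()
    weak = [dict(t, medallion=weak_pseudonym(t["medallion"])) for t in SAMPLE_TRIPS]
    print("unkeyed hash, recovered:", recovered_medallions(weak, table))
    strong = pseudonymize_trips(SAMPLE_TRIPS, new_key())
    print("keyed hash, recovered:", recovered_medallions(strong, table))
```

Note that a keyed pseudonym only protects the identifier itself; the pickup and dropoff data the post mentions can still single out a driver when joined with other public records.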
Tomi Engdahl says:
SolarWinds Buys Web Performance Monitoring Provider Pingdom
http://www.thewhir.com/web-hosting-news/solarwinds-buys-web-performance-monitoring-provider-pingdom#
Pingdom, one of the biggest names in website performance tracking, has been bought by IT management company SolarWinds.
Tomi Engdahl says:
Cisco okayed for UK government comms
IPSec cleared for most gummint sites
http://www.theregister.co.uk/2014/06/24/cisco_okayed_for_uk_government_comms/
Cisco has had a bunch of products certified by the GCHQ’s information security arm, the Communications-Electronics Security Group (CESG).
The certification covers IPsec security gateway products in Cisco’s ASA v9.1 family – hardware models 5505, 5510, 5520, 5540, 5550, 5580, 5512-X, 5515-X, 5525-X, 5545-X, 5555-X, and 5585-X.
Tomi Engdahl says:
Microsoft brings own security info exchange to the world
‘Interflow’ will allow pros to network and share machine-readable bug data
http://www.theregister.co.uk/2014/06/24/microsoft_brings_own_security_info_exchange_to_the_world/
Microsoft has announced “a security and threat information exchange platform for analysts and researchers working in cybersecurity.”
Dubbed “Interflow”, Redmond says the new service is “a distributed system where users decide what communities to form, what data feeds to bring to their communities, and with whom to share data feeds.”
The Azure-based service “uses industry specifications to create an automated, machine-readable feed of threat and security information that can be shared across industries and groups in near real-time … to help security professionals respond more quickly to threats.” Microsoft also hopes the new service will “… help reduce cost of defense by automating processes that are currently performed manually.”
Tomi Engdahl says:
Even encrypted traffic may disclose your information: “I know why you went to the doctor”
Even properly encrypted web traffic can reveal the individual pages a user browses on a particular website, the researchers warn. On the basis of those pages, conclusions can be drawn, for example, about the user’s health status or sexual orientation.
Scientists warn that the Internet traffic reveals whether the user browsed information about diabetes or HIV on the clinic’s site, and whether the forthcoming doctor’s visit is about an appendectomy or an abortion.
“Based on this information they can discriminate against or victimize people, or it can be simple advertising of consumer products that they have a very high motivation to buy,”
Source: http://www.tivi.fi/kaikki_uutiset/salattukin+liikenne+voi+paljastaa+tietosi+quottiedan+miksi+kavit+laakarissaquot/a995158
Tomi Engdahl says:
Comcast Xfinity evil twin steals subscriptions
That’s not the login page you’re looking for
http://www.theregister.co.uk/2014/06/24/comcast_xfinity_evil_twin_steals_subcriptions/
A senior security researcher at the National Renewable Energy Laboratory has demonstrated how to steal Comcast Xfinity subscriptions by masquerading as a wireless access point.
Customer devices would automatically connect to the evil hotspot as soon as it came within wireless range of the Xfinitywifi SSID.
“… stealing Comcast credentials does have the added advantage of providing attackers with credentials they can later use to mask their online activity.”
Tomi Engdahl says:
Yes. Facebook will KNOW you’ve been browsing for smut
Zuck’s spell: Look into my eyes, not around the eyes. You’re under
http://www.theregister.co.uk/2014/06/12/facebook_mines_deep_into_your_browsing_history_to_make_more_ad_cash/
Facebook is pushing the idea that it is offering tighter ad controls to its users just as it prepares to start targeting the web and app browsing habits of netizens in the US.
The free content ad network said in a blog post that Facebookers who hate the idea of yet more intrusive advertising can switch the feature off via the “industry-standard Digital Advertising Alliance opt out”. In other words, all Facebook users in the US will have their browsing behaviour tracked by default.
Tomi Engdahl says:
Microsoft: NSA security fallout ‘getting worse’ … ‘not blowing over’
‘Double-digit declines in people’s trust in American tech companies’ is bad for business
http://www.theregister.co.uk/2014/06/19/microsoft_nsa_fallout/
Microsoft’s top lawyer says the fallout of the NSA spying scandal is “getting worse,” and carries grim implications for US tech companies.
In a speech at the GigaOm Structure conference in San Francisco on Thursday, Microsoft general counsel Brad Smith warned attendees that unless the US political establishment figures out how to rein in its spy agencies, there could be heavy repercussions for tech companies
“What we’ve seen since last June is a double-digit decline in people’s trust in American tech companies in key places like Brussels and Berlin and Brasilia. This has put trust at risk,” Smith said.
“The longer we wait or the less we do the worse the problem becomes,” he explained. “We are seeing other governments consider new procurement rules – procurement rules that could effectively freeze out US-based companies.”
If the US government does not work to clear up the rules around how it intercepts data both at home and abroad, how deeply its spy agencies penetrate tech from its domestic companies, and how it accesses overseas data held by American companies, then there’s a real danger that US companies could suffer, Smith implied.
Tomi Engdahl says:
SEA hacks Reuters website widget DESPITE 2FA security
Ad agency Taboola unwittingly provides backdoor for attackers
http://www.theregister.co.uk/2014/06/24/reuters_hacked_by_sea/
Hacktivists with the Syrian Electronic Army have hit news agency Reuters again.
Surfers intending to catch up with the latest news were briefly redirected to a page run by the Syrian Electronic Army.
The latest attack is a tad more subtle and involved exploiting systems at Taboola, a third party ad network used by the news agency.
In a statement Taboola admitted the hack, which it said was carried out using a phishing attack, without going into details. Sophisticated multi-stage phishing attacks are the SEA’s favourite hacking technique.
Tomi Engdahl says:
How Secret Partners Expand NSA’s Surveillance Dragnet
https://firstlook.org/theintercept/article/2014/06/18/nsa-surveillance-secret-cable-partners-revealed-rampart-a/
The program, which the secret files show cost U.S. taxpayers about $170 million between 2011 and 2013, sweeps up a vast amount of communications at lightning speed. According to the intelligence community’s classified “Black Budget” for 2013, RAMPART-A enables the NSA to tap into three terabits of data every second as the data flows across the compromised cables – the equivalent of being able to download about 5,400 uncompressed high-definition movies every minute.
The secret documents reveal that the NSA has set up at least 13 RAMPART-A sites, nine of which were active in 2013. Three of the largest – codenamed AZUREPHOENIX, SPINNERET and MOONLIGHTPATH – mine data from some 70 different cables or networks.
For any foreign government, allowing the NSA to secretly tap private communications is politically explosive, hence the extreme secrecy shrouding the names of those involved.
Tomi Engdahl says:
Should you entrust your systems management to the cloud?
Balancing the risks
http://www.theregister.co.uk/2014/06/24/cloud_security/
Cloud-based security and systems management (CSSM) applications have been going through my lab for testing lately and I find myself seriously weighing their use in production.
Tomi Engdahl says:
Microsoft improves its web password management in IE11
Hopes to prevent users from choosing weak passwords
http://www.theinquirer.net/inquirer/news/2351755/microsoft-improves-its-web-password-management-in-ie11
MICROSOFT HAS ANNOUNCED an improved credential manager and password syncing feature for its Internet Explorer (IE) web browser.
In a move that brings its functionality into line with Google Chrome and Mozilla Firefox, IE users will now have the option to sync passwords between Windows 7 and Windows 8 desktop PCs and Windows Phone 8 devices via the Windows Credential Locker.
Tomi Engdahl says:
US Court Dings Gov’t For Using Seized Data Beyond Scope of Warrant
http://yro.slashdot.org/story/14/06/24/1236235/us-court-dings-govt-for-using-seized-data-beyond-scope-of-warrant
The Fourth Amendment, the court pointed out, “prevents the seizure of one thing under a warrant describing another.”
Tomi Engdahl says:
Fearful of the drone-filled skies? Get some protection
No, not a shotgun, but a ‘Personal Drone Detection System’
http://www.theregister.co.uk/2014/06/24/drone_detection_system/
Those fearful of a future where the skies are darkened by swarms of camera-bearing drones peering over their garden fences and peeking through their bedroom windows should proceed directly to Kickstarter and the “Personal Drone Detection System”.
Yes, we know what you’re thinking, and in response to the FAQ “Isn’t this just fear-mongering?”
Tomi Engdahl says:
Even venture-backed Bitcoin miner startup can’t deliver on time, gets sued
CoinTerra’s product is still delayed despite designer veterans from Samsung, Intel.
http://arstechnica.com/tech-policy/2014/06/even-venture-backed-bitcoin-miner-startup-cant-deliver-on-time-gets-sued/
Yet another Bitcoin miner manufacturer, CoinTerra, now faces legal action for not fulfilling an order when it originally promised to. CoinTerra is the third Bitcoin-related startup to face litigation for breach of contract and/or fraud in recent months.
However, Cline’s suit also claims that CoinTerra did not deliver the miner until February 2014, and it “operated well below the speed advertised and consumed significantly more power than CoinTerra represented, causing Plaintiff to suffer significant lost profits and opportunities.”
The CoinTerra suit outlines a familiar tale: a company advertises a certain product with a certain hashing power—essentially the speed at which it can mine bitcoins—but fails to deliver.
While CoinTerra, HashFast, and Butterfly Labs struggle, there is one company that seems to have figured things out.
KnCMiner, a company based in Sweden, just recently boasted the release of a 20-nanometer ASIC processor, dubbed “Neptune.”
Tomi Engdahl says:
Bitcoin is MONEY, says Canada
Crypto-currency regulated same as a dollar
http://www.theregister.co.uk/2014/06/25/bitcoin_is_money_says_canada/
Canada’s government has enacted what’s believed to be the first legislation worldwide to define the status of crypto-currencies: they’re money and have to be accounted and reported as such.
It’s a move that will probably see some crypto-currency traders risk ignoring the law or exit Canada, with only traders aspiring to respectability likely to comply.
Tomi Engdahl says:
SHOCK HORROR: Oz’s biggest govt agencies to miss infosec deadline
They patch when they feel like it and ignore spooks’ advice
http://www.theregister.co.uk/2014/06/25/shock_horror_ozs_biggest_govt_agencies_to_miss_infosec_deadline/
Australia’s largest government agencies will miss a July deadline to implement even basic information security controls.
Under the Protective Security Policy Framework (PSPF) government agencies must follow mitigation controls that mandate application and operating system patching within two days of an update release, application whitelisting, and a reduction of admin privileges.
Tomi Engdahl says:
Sysadmins rejoice! Patch rampage killing off nasty DDoS attack vector
Server fleet open to NTP attack drops from 400k to just 17,000
http://www.theregister.co.uk/2014/06/25/sysadmins_rejoice_patch_rampage_killing_off_nasty_ddos_attack_vector/
Sysadmins rejoice! NSFOCUS researchers say hundreds of thousands of Network Time Protocol (NTP) servers have been patched, reducing the threat from some devastating and cheap distributed denial of service (DDoS) attacks.
The patching rampage saw the number of vulnerable NTP servers drop from 432,120 at the start of the year to 17,647 in May.
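The amplification the article refers to comes from ntpd's mode-7 "monlist" request: an 8-byte query that an unpatched server answers with the list of up to 600 recent clients, spread over several 440-byte fragments. Below is an added example (mine, not from the article or NSFOCUS) that builds the probe, decodes a mode-7 reply header and decides whether a server still exposes monlist. The packet layout follows ntp_request.h from the reference ntpd; the sample reply is constructed inline so the check runs offline, and the host argument of probe_server is whatever server you are auditing.

```python
import socket
import struct

# Mode-7 "private" packets (used by ntpdc) are not defined in an RFC; the
# field layout below follows ntp_request.h in the reference ntpd.
NTP_PORT = 123
IMPL_XNTPD = 3          # implementation number for ntpd
REQ_MON_GETLIST_1 = 42  # "monlist": dump recently seen clients
MONLIST_ITEM_SIZE = 72  # bytes per returned client entry
HEADER_FMT = "!BBBBHH"  # flags, auth|seq, impl, req, err|nitems, mbz|itemsize


def build_monlist_probe() -> bytes:
    # byte 0: response=0, more=0, version=2, mode=7 -> 0x17
    # byte 1: auth=0, sequence=0; then impl and request code;
    # err/nitems and mbz/itemsize are zero in a request.
    return struct.pack(HEADER_FMT, 0x17, 0x00, IMPL_XNTPD, REQ_MON_GETLIST_1, 0, 0)


def parse_mode7_response(pkt: bytes) -> dict:
    """Decode a mode-7 reply header; err and count share one 16-bit word (4 + 12 bits)."""
    if len(pkt) < 8:
        raise ValueError("short packet")
    flags, auth_seq, impl, req, err_nitems, mbz_size = struct.unpack(HEADER_FMT, pkt[:8])
    if (flags & 0x07) != 7 or not (flags & 0x80):
        raise ValueError("not a mode-7 response")
    return {
        "more": bool(flags & 0x40),      # further fragments follow
        "sequence": auth_seq & 0x7F,
        "implementation": impl,
        "request": req,
        "error": err_nitems >> 12,       # 0 = INFO_OKAY
        "items": err_nitems & 0x0FFF,
        "item_size": mbz_size & 0x0FFF,
        "payload_len": len(pkt) - 8,
    }


def is_monlist_exposed(replies: list) -> bool:
    """True if any fragment answers monlist with no error and at least one entry.
    A fixed server (ntpd with 'restrict ... noquery', or a build that disables
    monlist) is either silent or returns a nonzero error code."""
    for pkt in replies:
        hdr = parse_mode7_response(pkt)
        if hdr["request"] == REQ_MON_GETLIST_1 and hdr["error"] == 0 and hdr["items"] > 0:
            return True
    return False


def amplification_factor(probe: bytes, replies: list) -> float:
    """Bytes sent back to the (spoofed) source per byte of request."""
    return sum(len(r) for r in replies) / len(probe)


def probe_server(host: str, timeout: float = 2.0) -> list:
    """Send one probe and collect every reply fragment until the socket times out."""
    replies = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_monlist_probe(), (host, NTP_PORT))
        try:
            while True:
                data, _ = s.recvfrom(4096)
                replies.append(data)
        except socket.timeout:
            pass
    return replies


# Constructed sample fragment: response bit set (0x80 | 0x17 = 0x97), 6 entries
# of 72 bytes. Entry bodies are zeroed; only the header matters for the check.
SAMPLE_VULNERABLE_REPLY = struct.pack(
    HEADER_FMT, 0x97, 0x00, IMPL_XNTPD, REQ_MON_GETLIST_1, 6, MONLIST_ITEM_SIZE
) + b"\x00" * (6 * MONLIST_ITEM_SIZE)

# Constructed sample of a refusal: error code 4 (INFO_ERR_NODATA), zero items.
SAMPLE_REFUSAL_REPLY = struct.pack(
    HEADER_FMT, 0x97, 0x00, IMPL_XNTPD, REQ_MON_GETLIST_1, (4 << 12) | 0, 0
)

if __name__ == "__main__":
    print("exposed:", is_monlist_exposed([SAMPLE_VULNERABLE_REPLY]))
    print("amplification:", amplification_factor(build_monlist_probe(), [SAMPLE_VULNERABLE_REPLY]))
```

Run probe_server only against hosts you are responsible for; a full monlist answer on a real server is six fragments of 100 entries each, which is where the roughly 500x figure quoted for these attacks comes from. The fix on the server side is ntpd 4.2.7p26 or later, or `restrict default noquery` in ntp.conf.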
Tomi Engdahl says:
Own goal as World Cup WiFi passwords spilled in newspaper pic
Not-so-L33t login now sprayed across Twitter
http://www.theregister.co.uk/2014/06/25/brace_yourselves_brazil_dill_in_world_cup_wifi_spill/
The WiFi SSID and password for the football World Cup security centre have been exposed after a photograph of the nation’s federal police brass inadvertently captured the creds written on a whiteboard.
In the background of the pic, it is possible to read the SSID “WORLD CUP” and password “b5a2112014”, leet speak for Brazil 2014.
Tomi Engdahl says:
Microsoft’s Top Lawyer Slams Secret Surveillance Court
http://blogs.wsj.com/digits/2014/06/24/microsofts-top-lawyer-slams-secret-surveillance-court/
The U.S.’s secret surveillance court is unaccountable to the public and not “inclined to promote justice,” Microsoft’s top lawyer said Tuesday.
Tomi Engdahl says:
Attackers poison legitimate apps to infect sensitive industrial control systems
Havex operators target mission-critical controllers around the world.
http://arstechnica.com/security/2014/06/attackers-poison-legitimate-apps-to-infect-sensitive-industrial-control-systems/
Corporate spies have found an effective way to plant their malware on the networks of energy companies and other industrial heavyweights—by hacking the websites of software companies and waiting for the targets to install trojanized versions of legitimate apps.
That’s what operators of the Havex malware family have done with aplomb, according to a report published Tuesday by researchers from antivirus provider F-Secure. Over the past few months, the malware group has taken a specific interest in the types of industrial control systems (ICS) used to automate everything from switches in electrical substations to sensitive equipment in nuclear power plants. In addition to the normal infection channels of spam e-mail, the malware operators have added a new tack—replacing the normal installation files of third-party software with tainted copies that surreptitiously install a remote access trojan (RAT) on the computers of targeted companies.
“It appears the attackers abuse vulnerabilities in the software used to run the websites to break in and replace legitimate software installers available for download to customers,” F-Secure researchers Daavid Hentunen and Antti Tikkanen wrote. “Our research uncovered three software vendor sites that were compromised in this manner. The software installers available on the sites were trojanized to include the Havex RAT. We suspect more similar cases exist but have not been identified yet.”
“Trojanizing ICS/SCADA software installers is an effective method in gaining access to target systems, potentially even including critical infrastructure.”
Tomi Engdahl says:
Australian spy agencies in line for new digital surveillance powers
http://www.theguardian.com/world/2014/jun/23/australian-spy-agencies-in-line-for-new-digital-surveillance-powers
Coalition also planning a mandatory data collection regime in which telcos store customers’ metadata
Tomi Engdahl says:
US trading, energy watchdogs asked: Does Google’s Skybox slurp pass the sniff test?
Public Citizen challenges sat firm deal
http://www.theregister.co.uk/2014/06/25/public_citizen_us_regulators_google_skybox/
Consumer advocacy group Public Citizen has asked US energy and trading regulators to probe Google’s acquisition of satellite firm Skybox Imaging, which it claims could give big players in commodities trading an unfair advantage.
In a letter to the authorities, Public Citizen said that banks and hedge funds already used the intel from Skybox’s satellite images of oil and gas infrastructure to help them trade in these commodities, but coupling that info with data from Google could hugely increase what they characterised as an unfair edge.
Obviously, any trader can use real-time information about power structures to make informed decisions about commodities like oil and gas futures.
“In fact, Skybox has already played a role in revolutionising aspects of commodity trading markets, which is precisely why it was an attractive purchase,”
Tomi Engdahl says:
Facelock: A new password alternative which plays to the strengths of human memory
http://phys.org/news/2014-06-facelock-password-alternative-strengths-human.html
Forgotten passwords are a serious problem for both IT managers and users. The root of the problem is a trade-off between memorability and security: simple passwords are easy to remember but easy to crack; complex passwords are hard to crack but hard to remember. A newly proposed alternative based on the psychology of face recognition was announced today. Dubbed ‘Facelock’, it could put an end to forgotten passwords, and protect users from prying eyes.
Humans can recognize familiar faces across a wide range of images
In contrast, recognition of unfamiliar faces is tied to a specific image
Facelock exploits this psychological effect to create a new type of authentication system
To register with the system, users nominate a set of faces that are well known to them, but are not well known to other people.
The ‘lock’ consists of a series of face grids and each grid is constructed so that one face is familiar to the user, whilst all other faces are unfamiliar. Authentication is a matter of simply touching the familiar face in each grid. For the legitimate user, this is a trivial task, as the familiar face stands out from the others. However, a fraudster looking at the same grid hits a problem—none of the faces stand out.
As well as being extremely durable, familiarity is very hard to fake. This makes the system difficult for fraudsters to crack.
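To make the mechanism concrete, here is an added simulation (my code, not from the Facelock researchers) of the scheme as the article describes it: each grid holds one face familiar to the user among unfamiliar ones, the user touches the familiar face in every grid, and an impostor is left guessing. Face IDs stand in for images, the familiar/distractor sets are constructed, and the grid count and size are assumptions.

```python
import random


def build_lock(familiar, distractor_pool, grids=4, grid_size=9, rng=None):
    """One grid per challenge: a single familiar face hidden among unfamiliar ones."""
    rng = rng or random.Random()
    if len(familiar) < grids:
        raise ValueError("need a distinct familiar face for every grid")
    lock = []
    for face in rng.sample(familiar, grids):
        cells = rng.sample(distractor_pool, grid_size - 1) + [face]
        rng.shuffle(cells)
        lock.append({"cells": cells, "answer": cells.index(face)})
    return lock


def challenge(lock):
    """What the login screen shows: the grids only, never the answer index."""
    return [list(g["cells"]) for g in lock]


def verify(lock, choices):
    if len(choices) != len(lock):
        return False
    ok = True
    for g, c in zip(lock, choices):
        ok &= (c == g["answer"])  # check every grid; no early exit that leaks position
    return ok


def legitimate_user(grids, known_faces):
    """The user picks, in each grid, the one face they recognise."""
    return [next(i for i, f in enumerate(cells) if f in known_faces) for cells in grids]


def random_guesser(grids, rng):
    """An impostor to whom no face stands out can only pick at random."""
    return [rng.randrange(len(cells)) for cells in grids]


def guess_probability(grids, grid_size):
    """Chance that blind guessing passes every grid."""
    return (1.0 / grid_size) ** grids


def fraud_success_rate(lock, trials=20000, rng=None):
    rng = rng or random.Random(1)
    grids = challenge(lock)
    return sum(verify(lock, random_guesser(grids, rng)) for _ in range(trials)) / trials


# Constructed data: faces known only to this user, and a pool of strangers.
FAMILIAR = [f"fam{i}" for i in range(6)]
DISTRACTORS = [f"unk{i}" for i in range(50)]

if __name__ == "__main__":
    lock = build_lock(FAMILIAR, DISTRACTORS, rng=random.Random(42))
    print("legit:", verify(lock, legitimate_user(challenge(lock), set(FAMILIAR))))
    print("guess probability per attempt:", guess_probability(4, 9))
    print("observed fraud rate:", fraud_success_rate(lock))
```

The security of the scheme rests on the familiar set staying private: anyone who knows which faces the user nominated (a close friend, or someone who scraped the user's social graph) plays the legitimate-user role above. Four grids of nine give a 1 in 6561 chance per blind attempt, so lockout after a few failures matters as much as it does for PINs.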
Tomi Engdahl says:
Trivial Bypass of PayPal Two-Factor Authentication On Mobile Devices
http://it.slashdot.org/story/14/06/25/1621251/trivial-bypass-of-paypal-two-factor-authentication-on-mobile-devices
“researchers at DUO noticed that the PayPal iOS application would briefly display a user’s account information and transaction history prior to displaying that error message and logging them out. …”
” They discovered that the API uses the OAuth technology for user authentication and authorization, but that PayPal only enforces the two-factor requirement on the client — not on the server.”
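The flaw described above is a pattern, not a PayPal-specific bug: the server issues a usable token after the password step and relies on the client to enforce the second factor. The added example below (my code, not Duo's or PayPal's) models both designs with an in-memory token store: a client that simply skips the prompt reads account data from the first server and gets nothing from the second, where the second factor is part of the token's server-side scope. The account, password and OTP value are constructed test data.

```python
import hmac
import secrets

# Constructed test account; nothing here is a real credential.
USERS = {
    "alice": {"password": "correct-horse-battery", "otp": "246810", "two_factor": True},
}


def _password_ok(user, password):
    rec = USERS.get(user)
    return rec is not None and hmac.compare_digest(rec["password"], password)


class VulnerableServer:
    """Full-privilege token after the password alone; the 2FA flag is advisory."""

    def __init__(self):
        self.tokens = {}  # token -> user

    def login(self, user, password):
        if not _password_ok(user, password):
            return None
        token = secrets.token_hex(16)
        self.tokens[token] = user
        # The only trace of 2FA is a hint the client is trusted to act on.
        return {"access_token": token, "two_factor_required": USERS[user]["two_factor"]}

    def transactions(self, token):
        user = self.tokens.get(token)
        if user is None:
            return {"error": "unauthorized"}
        return {"user": user, "transactions": ["-12.00 coffee", "+500.00 refund"]}


class HardenedServer:
    """2FA state lives server-side: the password step yields a token whose only
    permitted action is completing 2FA, and every API call checks the scope."""

    def __init__(self):
        self.tokens = {}  # token -> (user, scope)

    def login(self, user, password):
        if not _password_ok(user, password):
            return None
        token = secrets.token_hex(16)
        scope = "pending_2fa" if USERS[user]["two_factor"] else "full"
        self.tokens[token] = (user, scope)
        return {"access_token": token, "scope": scope}

    def verify_otp(self, token, code):
        entry = self.tokens.pop(token, None)  # pending token is single-use either way
        if entry is None or entry[1] != "pending_2fa":
            return None
        user, _ = entry
        if not hmac.compare_digest(USERS[user]["otp"], code):
            return None  # wrong code: back to the password step
        full = secrets.token_hex(16)
        self.tokens[full] = (user, "full")
        return {"access_token": full, "scope": "full"}

    def transactions(self, token):
        entry = self.tokens.get(token)
        if entry is None or entry[1] != "full":
            return {"error": "unauthorized"}
        return {"user": entry[0], "transactions": ["-12.00 coffee", "+500.00 refund"]}


def client_that_ignores_2fa(server, user, password):
    """A scripted client that never shows the prompt and calls the API directly."""
    resp = server.login(user, password)
    if resp is None:
        return {"error": "login failed"}
    return server.transactions(resp["access_token"])


if __name__ == "__main__":
    print("vulnerable:", client_that_ignores_2fa(VulnerableServer(), "alice", "correct-horse-battery"))
    print("hardened:", client_that_ignores_2fa(HardenedServer(), "alice", "correct-horse-battery"))
```

The test to apply to any 2FA rollout is the one Duo effectively ran: take the token the server hands back before the second factor and replay it against the data endpoints. If anything other than the 2FA-completion endpoint accepts it, the second factor is decorative. With real OAuth the same idea maps to not issuing a full-scope access token until the second factor has been verified.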
Tomi Engdahl says:
Attackers fling Stuxnet-style RATs at critical control software in EUROPE
SCADA/ICS systems under attack, warns F-Secure
http://www.theregister.co.uk/2014/06/26/industrial_control_trojan/
Security researchers have uncovered a series of Trojan-based attacks which have infiltrated several targets by infecting industrial control system software from the makers of SCADA and ICS systems.
The majority of the victims are located in Europe, though at the time of writing at least one US firm’s compromised gear appears to be phoning home to botnet control servers set up by the attackers.
Two of the European victims are major educational institutions in France known for technology-related research; two are German industrial application or machine producers; one is a French industrial machine producer; and one is a Russian construction firm.
The motive for the attacks – much less the identity of its perpetrators – remains unclear.
“The attackers have [made] Trojanised software available for download from ICS/SCADA manufacturer websites in an attempt to infect the computers where the software is installed”, Finnish security software firm F-Secure reports.
“We gathered and analysed 88 variants of the Havex RAT used to gain access to, and harvest data from, networks and machines of interest.”
The Havex RAT at the centre of the assault is distributed through either spam emails, exploit kits or (much more unusually) trojan-laden installers planted on compromised vendor sites.
“It appears the attackers abuse vulnerabilities in the software used to run the websites to break in and replace legitimate software installers available for download to customers,”
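Both Havex items above (the Ars Technica piece and this one) come down to the same supply-chain lesson: the installer on a vendor's download page is only as trustworthy as that web server. The added example below (my code, not F-Secure's and not any vendor's tooling) shows the minimum check an operator can put in front of an ICS/SCADA software install: a sha256sum-style manifest obtained out of band is parsed, the downloaded file is hashed, and the digests are compared in constant time. The installer bytes and the manifest are constructed for the demonstration; the file name is an assumption.

```python
import hashlib
import hmac


def parse_sha256sums(text: str) -> dict:
    """Parse `sha256sum` output: '<64 hex chars>  <filename>' per line.
    A leading '*' on the name marks binary mode and is ignored."""
    expected = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, sep, name = line.partition("  ")
        name = name.lstrip("*")
        if not sep or len(digest) != 64 or not name:
            raise ValueError(f"malformed manifest line: {raw!r}")
        int(digest, 16)  # raises if the digest is not hex
        expected[name] = digest.lower()
    return expected


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_installer(name: str, data: bytes, manifest: dict) -> bool:
    """True only if the file is listed and its digest matches the pinned value."""
    expected = manifest.get(name)
    if expected is None:
        return False  # unknown file: refuse rather than assume
    return hmac.compare_digest(sha256_of(data), expected)


# Constructed stand-ins: a "genuine" installer and the same file with a stub
# appended, which is the shape of a trojanized download.
GENUINE_INSTALLER = b"MZ" + b"\x00" * 62 + b"genuine-ics-configurator-setup"
TROJANIZED_INSTALLER = GENUINE_INSTALLER + b"\x90\x90dropped-rat-stub"

# The manifest must come from a channel the web-server compromise does not
# reach (vendor media, a signed release mail, a hash agreed at purchase time).
# Here it is built from the genuine bytes purely so the example is self-contained.
OUT_OF_BAND_MANIFEST = (
    "# ICS Configurator 3.1 release digests\n"
    f"{sha256_of(GENUINE_INSTALLER)}  *ics-configurator-setup.exe\n"
)

if __name__ == "__main__":
    manifest = parse_sha256sums(OUT_OF_BAND_MANIFEST)
    for label, blob in (("genuine", GENUINE_INSTALLER), ("trojanized", TROJANIZED_INSTALLER)):
        print(label, verify_installer("ics-configurator-setup.exe", blob, manifest))
```

A hash published on the same download page as the installer proves nothing, since whoever replaced the installer can replace the hash too. Where the vendor signs its binaries, checking the code signature (on Windows, `Get-AuthenticodeSignature` in PowerShell) is the stronger control, because a swapped installer either loses the signature or carries one from the wrong publisher; the hash check above is the fallback for unsigned ICS tooling, which is still common.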
Tomi Engdahl says:
Blame WWI, not Bin Laden, for NSA’s post-9/11 intel suck
War, peace and paranoia in modern US
http://www.theregister.co.uk/2014/06/13/surveillance_state_ww1_roots/
Tomi Engdahl says:
Watching Google’s Many Arms
http://www.nytimes.com/2014/06/26/technology/personaltech/a-reach-too-far-by-google.html?_r=0
One way to think of Google is as an extremely helpful, all-knowing, hyper-intelligent executive assistant. Already, it can remind you about your flight, open up your boarding pass when you get to the airport and offer you driving directions to your hotel when you land.
If what the company showed off at an event for developers on Wednesday is a true vision of our future, Google’s software will soon reach ever further into our lives, sitting on just about every other device you encounter. The software will be available to help you look up any bit of idle curiosity or accomplish any task, anytime you desire.
It’s an extremely far-reaching agenda — and that may be the company’s problem. For a company whose future depends on people voluntarily handing over their information in return for handy online services, Google’s very ambitions may now stand as its biggest hurdle. Is Google, in its globe-spanning reach, trying to do so much that it risks becoming creepy instead of helpful — the assistant who got too powerful and knows too much?
Tomi Engdahl says:
Security Expert: Industry Is Failing Miserably At Fixing Underlying Dangers
http://www.crn.com/news/security/300073238/security-expert-industry-is-failing-miserably-at-fixing-underlying-dangers.htm
The security industry is adding layers of defensive technologies to protect systems rather than addressing the most substantial, underlying problems that sustain a sprawling cybercrime syndicate, according to an industry luminary who painted a bleak picture of the future of information security at a conference of hundreds of incident responders in Boston Tuesday.
Eugene Spafford, a noted computer security expert and professor of computer science at Purdue University, said software makers continue to churn out products riddled with vulnerabilities, creating an incessant patching cycle for IT administrators that siphons resources from more critical areas. The problem has grown so bad that today businesses are rushing to invest in many of the latest security technologies designed to detect infections without any ability to efficiently address them, Spafford said.
“Instead of building secure systems, we are getting further and further away from solid construction by putting layer upon layer on top of these systems,” Spafford said. “The idea is for vendors to push things out rather than get things right the first time.”
Poorly coded software combined with growing network complexity has increased the attack surface at many organizations and it is taking its toll financially
Meanwhile, security vendors produce inadequate security platforms designed to protect software riddled with holes, Spafford said.
“We have effectively given up on secure systems when we have interest and funding in those kinds of products,” Spafford said. “We’re using all these tools on a regular basis because the underlying software isn’t trustworthy.”
Tomi Engdahl says:
Google Android wear fear: Hey, Glasshole – stop spying on me at the ATM
Wearable cams can RECORD your PIN from 40 METRES
http://www.theregister.co.uk/2014/06/26/google_glass_android_wearables_i_o/
Tomi Engdahl says:
Police at the door? Hit the PANIC button to erase your RAM
App wipes memory, encrypts hysterical hacker boxes
http://www.theregister.co.uk/2014/05/28/police_at_the_door_hit_the_panic_button/
The next time the police kick down a hackers’ door, suspects can reach for the Panic button to make it nigh-on impossible for plod to recover any data, even if they freeze their target PCs.
The Panic button is a new Python app called “Centry Panic” and was developed to mitigate cold boot and direct memory access attacks on Windows, Mac and Linux that could be used by forensics professionals to capture information from memory.
Cold boot attacks allow the fading contents of RAM to be preserved for reading after a target machine is shut down. Direct memory access side-channel attacks allow crypto keys to be yanked by attackers with access to the physical memory address space of a target machine.
Both attacks work after a computer’s chips are chilled by about ten degrees centigrade, as doing so noticeably delays memory fade on systems running DDR1 and DDR2, according to a paper (pdf) published last year on the feasibility of cold boot attacks.
Tomi Engdahl says:
Germany Scores First: Ends Verizon Contract Over NSA Concerns
NSA fears prompt Germany to end Verizon contract
http://phys.org/news/2014-06-nsa-prompt-germany-verizon.html
The German government is ending a contract with Verizon over fears the company could be letting U.S. intelligence agencies eavesdrop on sensitive communications, officials said Thursday.
The New York-based company has for years provided Internet services to a number of government departments
“There are indications that Verizon is legally required to provide certain things to the NSA, and that’s one of the reasons the cooperation with Verizon won’t continue,”
Tomi Engdahl says:
NSA fears prompt Germany to end Verizon contract
http://hosted.ap.org/dynamic/stories/E/EU_GERMANY_VERIZON?SITE=AP&SECTION=HOME&TEMPLATE=DEFAULT
Berlin has also proposed building more secure networks in Europe to avoid having to rely on American Internet companies that manage much of the electronic traffic circulating the globe.
The current contract with Verizon will expire in 2015
Tomi Engdahl says:
Google Starts Removing Search Results Under Europe’s ‘Right to be Forgotten’
Search Engine Updated Technical Infrastructure Overnight to Start the Implementation
http://online.wsj.com/news/article_email/google-starts-removing-search-results-under-europes-right-to-be-forgotten-1403774023-lMyQjAxMTA0MDIwNjEyNDYyWj
Tomi Engdahl says:
IBM, Lenovo Tackle Security Worries on Server Deal
http://online.wsj.com/news/article_email/ibm-lenovo-tackle-security-concerns-over-server-deal-1403733716-lMyQjAxMTA0MDIwNTEyNDUyWj
International Business Machines Corp. and Lenovo Group Ltd. are grappling with ways to resolve U.S. security concerns over IBM’s proposed $2.3 billion sale of its computer-servers business to the Chinese company.
The deal, struck in January, remains in limbo as the U.S. government investigates security issues around IBM’s x86 servers, which are used in the nation’s communications networks and in data centers that support the Pentagon’s computer networks, say people familiar with the matter.