Security trends for 2014

Year 2014 will be a year of cybersecurity after the NSA revelations made in 2013. The headline news is that the NSA has surreptitiously “burrowed its way into nearly all the security architecture” sold by the world’s largest computer networking companies. A lot of people were shocked at how the NSA monitored and hacked almost everything on the Internet. There will still be NSA aftershocks as new material comes out and different parties react to it (and news sources write about it). U.S. cloud services have been put into question for good reason. There will be a lot of NSA spying litigation. Those spying issues will also fuel some hacktivism (it has already started to happen).

The Security Professionals: Top Cyber Threat Predictions for 2014 article lists the following predictions, which seem quite probable: Cybersecurity Regulatory Efforts Will Spark Greater Need for Harmonization; Service-Impacting Interruptions for Online Services Will Persist; We Will See an Increase in Cybercrime Activity Related to the World Cup; Rise of Regional Cloud Services; Dev-Ops Security Integration Fast Becoming Critical; Cybercrime that Leverages Unsupported Software will Increase; and Increase in Social Engineering and Ransomware will Impact More People.

Ubiquitous mobile computing is all around us, which will lead to increased risks and concerns about social network privacy. Social networks have quickly become the key organizing principle of Internet communication and collaboration. Android anti-virus apps CAN’T kill nasties on sight like normal AV.

2013 was a very hacked year, with many cases where information on millions or tens of millions of users was stolen from companies. It is likely that we will see much more of the same in 2014, because the way people use passwords and the way on-line services are built have not changed much in one year.


Gartner predicts that through 2014, improved JavaScript performance will begin to push HTML5 and the browser as a mainstream enterprise application development environment. I expect HTML5-related security issues to increase because the technology will be used more in 2014.

Over 50% of net traffic to web sites is made by bots! The More Than Half of Internet Traffic Is Just Bots article says that security and cloud service provider Incapsula analyzed traffic and found that more than 60 percent of internet traffic is computer generated, compared to less than 40 percent driven by human clicks. 31% of bots are still malicious. SEO link building has always been a major motivation for automated link spamming, but it is decreasing because Google was able to discourage it. There is also more advanced hacking and automated vulnerability searching.

DDoS attacks are evolving from volumetric Layer 3-4 attacks to much more sophisticated and dangerous Layer 7 multi-vector threats.

There will still be many SCADA security issues in 2014. Even though traditional SCADA vulnerabilities have become easier to find, the increased connectivity brought by IoT will cause new issues. And there will still be very many control systems openly accessible from the Internet to practically anybody who knows how to find them. A large number of SCADA systems were found open on the Internet at the beginning of 2013, and the numbers have not dropped considerably during the year. I expect that very many of those systems will still be too open at the end of 2014.

The Internet is expanding into enterprise assets and consumer items such as cars and televisions. The Internet of Things (IoT) will evolve into the Web of Things, increasing the coordination between things in the real world and their counterparts on the Web. There will be many security issues to solve, and as these systems become more widely used, more security issues will be found in them.

Cloud security will be talked about. Hopefully there will be some clarification of the terminology in that area, because cloud security can mean a lot of things, just as the term cloud computing does. Cloud security could mean how secure your cloud provider is; a service running in the cloud that filters what passes through it (for example e-mails or web traffic); a product protecting some service running in the cloud; or a traditional anti-virus service that connects to the cloud to improve its operation (for example updating in real time, or verifying unknown programs based on data in the cloud). Research firm Gartner forecasts that cloud security sales will increase dramatically in the next few years. Cloud security sales have increased over the past year by 2.1 billion to $3.1 billion in 2015.

Marketers try to put the term “cloud” into security product brochures as much as they can. The cloud has made traditional information security sound old-fashioned, because companies are under pressure to move services to the cloud. Mobile devices and dispersed users also set new standards for information security. OpenDNS’s CTO Dan Hubbard says that “Because of the data and equipment run in the cloud users with the cloud is the best way to protect them.” The Snowden effect will also bring talk of PRIVATE clouds to the table this year for security reasons, because U.S. cloud services have been put into question for good reason.

In Finland, a new Cyber Security Center started at the beginning of 2014. Security articles and warnings from it will be published at kyberturvallisuuskeskus.fi.

Late addition: Crypto-currencies like Bitcoin and similar are on the rise. Early adopters already use them actively. Those crypto-currencies have many security-related issues. Their values vary a great deal, and the value easily drops considerably when they become so widely used that different governments try to limit their use. Bitcoin is increasingly used as a ransomware payment method. Bitcoins have been stolen quite a lot lately (and I expect that to increase as usage increases); they are stolen from users, from on-line wallets and from exchanges. When more money is involved, more bad guys try to get in to take some of it. Sometimes bad guys do not try to steal your money, but use resources you pay for (your own PC, your server capacity, etc.) to generate money for them without you knowing about it. If you plan to use those crypto-currencies, be careful to understand what you are doing with them: there is a real possibility that you can lose your money, and there is no way that lost money can be recovered.

3,382 Comments

  1. Tomi Engdahl says:

    Supreme Court: Cops Can’t Search Your Phone Without a Warrant
    http://gizmodo.com/supreme-court-cops-cant-search-your-phone-without-a-wa-1595858318

    Turns out, SCOTUS doesn’t like warrantless cell phone snooping. In a unanimous decision, the Supreme Court ruled that the police generally need a warrant before searching cell phones or mobile devices of the people they arrest.

    If they happened to be carrying around a letter from their co-conspirator or an incriminating photo, it was fair game. But the police couldn’t rummage through their correspondences and photo albums at their home without a warrant. Since cell phones make it easy to store huge amounts of personal data and communications in someone’s pocket, they’ve seriously changed how much information an arresting officer can find out with an initial search. This ruling acknowledges that searching the contents of a phone inside someone’s pants is an entirely different thing than simply searching someone’s pants.

    Reply
  2. Tomi Engdahl says:

    The Biggest Thing That Yo Got Right Is Hiring Its Hackers
    http://gizmodo.com/the-biggest-thing-that-yo-got-right-is-hiring-its-hacke-1594875015

    Yo is a borderline-offensively useless (if amusing) app, but its founder Or Arbel made a shrewd decision by hiring one of the Georgia Tech students who hacked into the absurdly simple service last week.

    Arbel’s dumbass novelty app should never be replicated, but it’d be a boon for everyone if his attitude towards hackers spread. Snapchat, a far superior social tool, is hampered by how its team treats (or mistreats) its hackers.

    Last year, they repeatedly ignored warnings about a security loophole, and hackers who tried to warn them about the eventual leak of 4.6 million user names, among other security failings, expressed frustration at the way they were treated.

    Start-ups like Snapchat and other social apps are seeing explosive user growth in small slots of time, and what slides for a rinkydink operation is a total nightmare for a legit company. Making sure users are secure often comes in a distant second (or third, or fourth) to ensuring that those users’ data is secure. Companies that are up front about their potential failings and quick to work with and incentivize hackers, like Yo, are more likely to ramp up their security in shorter periods of time.

    Reply
  3. Tomi Engdahl says:

    At least 32,000 servers broadcast admin passwords in the clear, advisory warns
    Exploiting bug in Supermicro hardware is as easy as connecting to port 49152.
    http://arstechnica.com/security/2014/06/at-least-32000-servers-broadcast-admin-passwords-in-the-clear-advisory-warns/

    An alarming number of servers containing motherboards manufactured by Supermicro continue to expose administrator passwords despite the release of an update that patches the critical vulnerability, an advisory published Thursday warned.

    The threat resides in the baseboard management controller (BMC), a motherboard component that allows administrators to monitor the physical status of large fleets of servers, including their temperatures, disk and memory performance, and fan speeds. Unpatched BMCs in Supermicro motherboards contain a binary file that stores remote login passwords in clear text. Vulnerable systems can be detected by performing an Internet scan on port 49152. A recent query on the Shodan search engine indicated there are 31,964 machines still vulnerable, a number that may not include many virtual machines used in shared hosting environments.

    Reply
  4. Tomi Engdahl says:

    ‘Our entire corporation cannot send or receive emails from Outlook’
    Plus: ‘We’ve seen… a double-digit decline in trust in American tech companies’
    http://www.theregister.co.uk/2014/06/27/quotw_ending_june_27/

    This was the week when Microsoft’s top legal eagle said the fallout from the NSA snooping scandal was only getting worse for US tech companies.

    “Public affairs have to be known by the public. When citizens are reduced to the status of subjects, where we’re not active participants … that diminishes us as a free people, as a society and as a culture.”

    And in still more surveillance news, Citizen Lab at the University of Toronto and security firm Kaspersky Lab have discovered a massive network of mobile malware that is being sold by Italian firms to police forces around the world.

    The malware, Remote Control System (RCS), works across all platforms and operating systems and has 320 command-and-control servers (C&C) running in over 40 countries.

    Milan-based firm Hacking Team sells the malware, which can trick the user with a spearphishing attack or install by exploiting vulnerabilities in the target’s OS, once the cops have identified them.

    In outages this week, Microsoft’s online Exchange service was down for nine hours

    Reply
  5. Tomi Engdahl says:

    Android SMS worm punts dodgy downloads… from your MATES
    If a friend texts you a URL, for pity’s sake don’t open it
    http://www.theregister.co.uk/2014/06/27/selfmite_android_self_replicating_sms_worm/

    Internet ne’er-do-wells have put together a strain of Android malware that spreads like an email worm rather than acting like a conventional trojan.

    Selfmite spreads by automatically sending a text message to contacts in the infected phone’s address book. These SMS messages contain a URL that redirects to the malware: ‘Dear [NAME], Look the Self-time, http://goo.gl/REDACTED‘.

    If a user clicks on the goo.gl shortened link, they are invited to download and install an APK file which appears as an icon on their smartphone menu after installation.

    Once launched, Selfmite reads the device’s address book before sending the message to 20 different contacts using their name as a greeting, restarting the infection cycle.

    Reply
  6. Tomi Engdahl says:

    100,000 users lose their bank passwords to fake banking apps!
    http://www.cmcm.com/blog/2014-06-25/136.html

    The CM Security Research Lab is closely monitoring the proliferation of malware which is infecting Korean Android users at a rapid rate. This malware infects users by typical trojan means, and once installed it replaces your banking apps with fake versions that are designed to steal your information.

    It can pretend to be a popular game or tool on third party Android markets and fool the user into downloading it. There are dozens of Android markets in Korea.

    After installation, the virus will scan your app list for the official apps of certain banks. If it detects one of these apps, the virus will tell you that your bank app needs to be updated. If you agree to the update, the official app (the latter one) actually gets deleted and is replaced with a convincing copy (the former one).

    Once the fake app has been loaded, it will ask you to input your certification password (which it will then steal).

    With the information that they stole, the hackers can apply for a new certificate, which they then use to freely access the victim’s bank account.

    Reply
  7. Tomi Engdahl says:

    Send Bitcoin or we’ll hate-spam you on Yelp, say crims
    Extortion letters demand cryptocurrency from pizza parlours
    http://www.theregister.co.uk/2014/06/27/bitcoin_brutes_post_notice_of_extortion_letters/

    Businesses are being served printed ‘Notice of Extortion’ letters demanding Bitcoins to avoid ‘severe and irreparable’ damage to their reputation.

    A handful of US Pizza restaurants have reported the scam to local newspapers, and to Reddit. The letters appear to come from the same extortionist.

    The letters demanded payment of one Bitcoin (US$578) within a month or have the fee escalated to three coins (US$1730).

    The villains threatened a laundry list of attacks for non-payment ranging from “negative online reviews” and complaints to the US Better Business Bureau, to denial of service attacks against telephones, mercury contamination and various reports to police of false financial crimes and drug production allegedly taking place at the victim business.

    “Because many of the actions we take are catastrophic and irreversible, it is advised pay the tribute before the deadline is reached,” the letters read.

    The letters were the latest vector for delivering Bitcoin ransoms

    Reply
  8. Tomi Engdahl says:

    UK privacy watchdog warns: Google Glass could VIOLATE data protection law
    Oi Glasshole! Enough already with that sinister peep show, yeah?
    http://www.theregister.co.uk/2014/06/27/google_glass_could_violate_data_protection_law_warns_uk_privacy_watchdog/

    Google’s creepy Glass wearable could breach Britain’s Data Protection law, the Information Commissioner’s office has warned.

    The ad giant began flogging the device in Blighty this week for £1,000 a pop.

    That move prompted the country’s data watchdog to outline the “privacy implications of wearable technology” in a blog post penned by the ICO’s senior tech officer Andrew Paterson.

    Reply
  9. Tomi Engdahl says:

    Norway axes online voting experiment over security threats
    http://venturebeat.com/2014/06/27/norway-axes-online-voting-experiment-over-security-threats/

    For the foreseeable future, Norwegians can no longer cast their votes online.

    The Norwegian government this week announced it would end its experiments with voting over the Internet, which it held in 2011 and 2013. Despite the “broad political desire” to make e-voting an option, it said in a statement, the government has decided it was irresponsible to continue spending money on more experiments.

    After Norway posted the source code for its e-voting system online, the government faced warnings from security experts that the votes Norwegians were piping across the web weren’t adequately protected.

    Other security professionals pointed out that the system could be much less secure for folks voting through a smartphone or tablet.

    Reply
  10. Tomi Engdahl says:

    Exploiting Wildcards On Linux/Unix
    DefenseCode researcher Leon Juranic found security issues related to using wildcards in Unix commands.

    Back To The Future: Unix Wildcards Gone Wild
    http://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt

    Reply
  11. Tomi Engdahl says:

    Exploiting wildcards on Linux
    http://www.net-security.org/article.php?id=2061

    There are clearly a number of potential security issues surrounding this, so Mr. Juranic provided five actual exploitation examples that stress the risks accompanying the practice of using the * wildcard with Linux/Unix commands.

    The issue can be manifested by using specific options in chown, tar, rsync etc. By using specially crafted filenames, an attacker can inject arbitrary arguments to shell commands run by other users – root as well.

    Reply
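An added illustration (not from the DefenseCode paper or the net-security article quoted in the two comments above) of the wildcard behaviour they describe and of the two standard hardenings, `--` and `./*`: the only constructed filename is the harmless `-l`, and the directory is a temporary one the script creates itself; the audit helper at the end is an assumed operator check, not something from the paper.

```shell
#!/bin/sh
# Added example: an unquoted "*" lets the shell hand a filename such as "-l"
# to the command, where it is parsed as an option. The same mechanism is what
# the paper describes for chown, tar and rsync; here only "ls" is used.
set -u

# Create a scratch directory with a normal file and a file literally named "-l".
setup_dir() {
    d=$(mktemp -d)
    : > "$d/notes.txt"
    : > "$d/-l"          # constructed filename that looks like an option
    printf '%s\n' "$d"
}

# Count the output lines of "ls" for one invocation style.
# $1 = directory, $2 = one of: unsafe, dashdash, dotslash
ls_lines() {
    dir=$1; style=$2
    ( cd "$dir" || exit 1
      case $style in
          unsafe)   ls * ;;      # glob yields "-l notes.txt": "-l" becomes an option
          dashdash) ls -- * ;;   # "--" ends option parsing; "-l" is a filename
          dotslash) ls ./* ;;    # "./-l" can never start with "-"
      esac ) | wc -l | tr -d ' '
}

# Audit helper (assumed, not from the paper): count names beginning with "-"
# so an operator can spot them before a wildcard-driven job consumes them.
find_option_like_names() {
    find "$1" -mindepth 1 -name '-*' -print | wc -l | tr -d ' '
}

d=$(setup_dir)
echo "unsafe:   $(ls_lines "$d" unsafe) line(s)"    # 1: long listing of notes.txt only
echo "dashdash: $(ls_lines "$d" dashdash) line(s)"  # 2: both names listed
echo "dotslash: $(ls_lines "$d" dotslash) line(s)"  # 2: both names listed
echo "option-like names: $(find_option_like_names "$d")"
rm -rf "$d"
```

The unsafe form silently drops the file named `-l` from the listing and changes the output format; with `chown`, `tar` or `rsync` the injected option changes what the command does, which is the point of the paper.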
  12. Tomi Engdahl says:

    The NSA just posted its first full transparency report
    http://www.theverge.com/2014/6/27/5849618/the-nsa-just-posted-its-first-ever-transparency-report


    The National Security Agency has posted its first full transparency report. Posted on the official agency Tumblr, the report breaks out the total number of orders for 2013, broken out into FISA orders, National Security Letters, and government requests for business records. The office of the Director of National Intelligence said the report was part of a larger push for transparency within the agency, and would continue in the future. “We are releasing information related to the use of these important tools,” the office said, “and will do so in the future on an annual basis.”

    The report details 38,812 targets of National Security Letters, 1,767 FISA orders, and 423 targets of FISA business records requests, consistent with the relatively low numbers offered by President Obama in previous speeches.

    The word “target” is a little misleading, since the report makes clear that a single target “could be an individual person, a group, or an organization composed of multiple individuals or a foreign power that possesses or is likely to communicate foreign intelligence information.”

    Reply
  13. Tomi Engdahl says:

    U.S. Says It Spied on 89,000 Targets Last Year, But the Number Is Deceptive
    http://www.wired.com/2014/06/90000-foreigners-targeted-for-spying/

    About 89,000 foreigners or organizations were targeted for spying under a U.S. surveillance order last year, according to a new transparency report.

    Civil liberties groups say the real number is likely “orders of magnitude” larger than this.

    “Even if it was an honest definition of ‘target’—that is, an individual instead of a group—that also is not encompassing those who are ancillary to a target and are caught up in the dragnet,” says Kurt Opsahl, deputy general counsel of the Electronic Frontier Foundation.

    Reply
  14. Tomi Engdahl says:

    How NSA spying disclosures influence security strategies
    http://www.computerweekly.com/feature/How-NSA-spying-disclosures-influence-security-strategies

    Regardless of motives and objectives, how should Snowden’s revelations influence businesses’ information security strategies?

    While it is difficult to get a clear-cut, unqualified answer to this, most information security professionals feel Snowden did not really uncover anything new, and some are unequivocal in their response. “Organisations should not build their strategy around stopping the NSA or GCHQ monitoring: this is a very negative, reactive and ultimately pointless exercise,” says Adrian Davis, principal research analyst at the Information Security Forum (ISF).

    An important part of the strategy, he says, should be to create and implement processes to manage contractors; control access rights and stop accrual of such rights by employees and contractors; and to monitor and review critical system activity on a regular basis.

    “These were some of the flaws that allowed the leaks to occur,” says Davis.

    But, like many others in the security industry, he feels the revelations that certain technologies, especially encryption, have back doors should come as no surprise.

    The shortcomings of open source software
    Risk management and policy
    Snowden’s disclosures bring business benefits
    Balancing internal and external threats

    Reply
  15. Tomi Engdahl says:

    Serious Android crypto key theft vulnerability affects 86% of devices
    Bug in Android KeyStore that leaks credentials fixed only in KitKat.
    http://arstechnica.com/security/2014/06/serious-android-crypto-key-theft-vulnerability-affects-86-of-devices/

    Researchers have warned of a vulnerability present on an estimated 86 percent of Android phones that may allow attackers to obtain highly sensitive credentials, including cryptographic keys for some banking services and virtual private networks, and PINs or patterns used to unlock vulnerable devices.

    The vulnerability resides in the Android KeyStore, a highly sensitive region of the Google-made operating system dedicated to storing cryptographic keys and similar credentials, according to an advisory published this week by IBM security researchers.

    There are several technical hurdles an attacker must overcome to successfully exploit the vulnerability.

    In addition to snuffing the vulnerability in Android version 4.4, it wouldn’t be surprising if Google offered additional protections through the Bouncer service that scours Google Play for malicious apps.

    Reply
  16. Tomi Engdahl says:

    Netflix Could Be Classified As a ‘Cybersecurity Threat’ Under New CISPA Rules
    http://yro.slashdot.org/story/14/06/29/1653215/netflix-could-be-classified-as-a-cybersecurity-threat-under-new-cispa-rules

    “The cybersecurity bill making its way through the Senate right now is so broad that it could allow ISPs to classify Netflix as a “cyber threat,” which would allow them to throttle the streaming service’s delivery to customers. “A ‘threat,’ according to the bill, is anything that makes information unavailable or less available.

    Reply
  17. Tomi Engdahl says:

    The Senate’s New Cybersecurity Bill Threatens Net Neutrality
    http://motherboard.vice.com/read/the-senates-new-cybersecurity-threatens-net-neutrality

    Cybersecurity bills are normally looked at as being terrible for privacy. But a new one being considered by the Senate has a bonus—it’s still bad for privacy, but it could also kill whatever is left of net neutrality.

    CISA’s overly broad terminology would make it much easier for the NSA and local police departments to conduct surveillance.

    “CISA ignores [the NSA] revelations,” the groups wrote. “Instead of reining in NSA surveillance, the bill would facilitate a vast flow of private communications data to the NSA. CISA omits many of the civil liberties protections that were incorporated, after thorough consideration, into the cybersecurity legislation the Senate last considered.”

    Among the group’s concerns with CISA are the fact that “cyber threat” information from CISA would be funneled from the Department of Homeland Security, a civilian agency, to the Department of Defense (and NSA), a military one.

    As we mentioned in our earlier coverage, the bill would also create the possibility of “backdoor wiretaps”

    Reply
  18. Tomi Engdahl says:

    CISPA 3.0: The Senate’s New Bill As Bad As Ever
    http://motherboard.vice.com/read/the-senates-new-cispa-bill-might-let-law-enforcement-create-backdoor-wiretaps

    CISPA is back for a third time—it has lost the ‘P,’ but it’s just as bad for civil liberties as ever.

    The Senate Intelligence Committee is considering a new cybersecurity bill that contains many of the provisions that civil liberties groups hated about the Cybersecurity Information Sharing and Protection Act (CISPA). Most notably, under the proposed bill companies could not be sued for incorrectly sharing too much customer information with the federal government, and broad law enforcement sharing could allow for the creation of backdoor wiretaps.

    Reply
  19. Tomi Engdahl says:

    Dropbox used as command and control for Taiwan time bomb
    PlugX trojan gets an upgrade for new attacks
    http://www.theregister.co.uk/2014/06/30/dropbox_used_as_command_and_control_in_taiwanese_govt_attack/

    A remote access trojan (RAT) is using Dropbox for command and control in a targeted attack against the Taiwanese Government, malware analyst Maersk Menrige says.

    The upgraded PlugX RAT is the first targeted attack to use Dropbox to update command and control settings, Menrige said, as distinct from other malware and ransomware which used the popular cloud storage platform to fling malicious files at victims.

    The trojan logs a victim’s keystrokes, maps ports and opens remote shells to facilitate further data theft and exploitation.

    “The use of Dropbox aids in masking the malicious traffic in the network because this is a legitimate website for storing files and documents,” Trend Micro’s Menrige said.

    The code includes tools such as password recovery, network utilities, port scanners and the common HTran reverse proxy tool used to hide command and control.

    Reply
  20. Tomi Engdahl says:

    California law removes ban on alternative currencies
    The law paves the way for legal use of community currencies, bitcoin and other U.S. dollar alternatives
    http://www.itworld.com/it-management/425046/california-law-removes-ban-alternative-currencies

    June 29, 2014, 9:40 PM — A new California law removes a ban on using currencies other than the U.S. dollar, which is intended to accommodate the growing use of alternative payment methods such as bitcoin.

    The law, signed by state Governor Jerry Brown on Saturday, is likely to boost confidence around bitcoin, as regulators and tax authorities worldwide examine how to handle the popular virtual currency.

    Reply
  21. Tomi Engdahl says:

    RAND Study: Looser Civil Service Rules Would Ease Cybersecurity Shortage

    Hackers Wanted
    An Examination of the Cybersecurity Labor Market
    http://www.rand.org/pubs/research_reports/RR430.html

    There is a general perception that there is a shortage of cybersecurity professionals within the United States, and a particular shortage of these professionals within the federal government, working on national security as well as intelligence. Shortages of this nature complicate securing the nation’s networks and may leave the United States ill-prepared to carry out conflict in cyberspace.

    RAND examined the current status of the labor market for cybersecurity professionals — with an emphasis on their being employed to defend the United States.

    Key findings:
    Sudden demand creates scarcity, competition, and crisis
    Educational initiatives are already addressing the cybersecurity demand
    It’s normal for the labor market to lag demand and education initiatives
    The best steps may already have been taken

    Civil service and related rules that unnecessarily prevent federal agencies from hiring talented cybersecurity professionals should be waived for such hires. At a minimum, NSA’s ability to waive the rules should be extended to all.

    Taking a longer perspective, more methods to attract women into this profession may also increase long-term supply.

    Reply
  22. Tomi Engdahl says:

    Are Digital Retailers Focusing Their Security in the Wrong Place?
    Digital retailers spend the lion’s share of their IT security budget on network security, but most experts say they’d be better off focusing elsewhere.
    http://www.cio.com/article/754861/Are_Digital_Retailers_Focusing_Their_Security_in_the_Wrong_Place_?page=1&taxonomyId=3140

    High-profile data breaches have plagued retail this year — Target, Neiman Marcus, Michael’s and other U.S. retailers have seen headlines about their woes splashed across both digital and print media.

    In Target’s case, the breach of 40 million credit cards and 70 million personally identifiable information (PII) database records led the CIO and then the CEO to resign. Could retailers be focusing their security efforts in the wrong areas?

    According to a study released this month by privacy and security research firm Ponemon Institute and database security specialist DB Networks, a majority of security experts believe that the venerable technique of SQL injection was an important component of these attacks.

    “SQL injection is a likely component of retailer attacks,” says Larry Ponemon, founder and chairman of Ponemon Institute. “SQL injection has been around for ages, and some of these vulnerabilities are not because of lacking tools.”

    Sixty-five percent of the organizations represented in the study had experienced a SQL injection attack in the past 12 months that had successfully evaded their perimeter defenses, and 49 percent of respondents said the SQL injection threat facing their company is significant.

    The majority of these experts — 65 percent — believe the best way to defend against SQL injection attacks and avoid mega data breaches like the one suffered by Target is through continuous monitoring of the database network, followed by advanced database activity monitoring (56 percent) and database encryption (49 percent). And yet, when asked how the IT security budget is allocated in their organizations, these experts said the lion’s share (40 percent) is allocated to network security, 23 percent is allocated to Web server security and only 19 percent is allocated to database security.

    Ponemon notes that this misalignment in the allocation of security budget may be a result of old-think in the security profession.

    “Older security professionals have done most of their training around network security and the perimeter,” Ponemon says. “That’s what they know.”

    “We have always been concerned about the perimeter,” Durbin says. “It’s an easier message for the board or the risk management committee to understand. Increasingly, we are seeing the question being asked around cybersecurity: ‘How protected are we?’ The easy answer is that our perimeter is secure.”

    “The pursuit of 100 percent security is just folly,” Durbin says. “It’s a fool’s goal. You have to assume that even though you’re doing your best, you’re going to be breached at some point in time. That is not a palatable message to deliver to the board.”

    And that often leads security professionals to focus on initiatives that appeal to the board rather than efforts to mitigate the damage when breaches do occur.

  23. Tomi Engdahl says:

    London teen charged over Spamhaus mega-DDoS attacks
    Accused will tap the boards before the beak today
    http://www.theregister.co.uk/2014/06/30/ddos_charges/

    An unnamed London teenager has been charged with a series of criminal offences following a series of denial-of-service attacks against internet exchanges and the Spamhaus anti-spam service last year.

    The 17-year-old male from London was charged on Friday.

    The teenager was arrested in April 2013 after a series of distributed denial of service (DDoS) attacks which led to worldwide disruption of internet exchanges and services.

  24. Tomi Engdahl says:

    Facebook’s Emotion Experiment: Too Far, Or Social Network Norm?
    http://tech.slashdot.org/story/14/06/30/0230246/facebooks-emotion-experiment-too-far-or-social-network-norm

    Facebook’s recently disclosed 2012 experiment in altering the tone of what its users saw in their newsfeeds has brought it plenty of negative opinions to chew on.

    Facebook’s methodology raises serious ethical questions.

    Given that Facebook has over half a billion users, it’s a foregone conclusion that every tiny change Facebook makes to the news feed or any other part of its websites induces a change in millions of people’s emotions. Yet nobody seems to complain about this much–presumably because, when you put it this way, it seems kind of silly to suggest that a company whose business model is predicated on getting its users to use its product more would do anything other than try to manipulate its users into, you know, using its product more. …

  25. Tomi Engdahl says:

    Application delivery controllers tighten the security perimeter
    Protect your assets
    http://www.theregister.co.uk/2014/06/30/data_security/

    The application and data landscape today is in something of a state of flux. Of course, information technology is always in a state of flux but this is a new kind of dynamism.

    The current network IT stack is a heady concoction of old apps on new infrastructures and data-delivery mechanisms. Serve that up on new devices in a BYOD (bring your own device) world with ever more unstructured data streams – and the inevitable result is the emergence of new threats.

    What kind of threats? They surface in the shape of malicious content, security vulnerabilities, malware and destructive code in all shapes and forms.

    But they also manifest themselves as network-level forces that hover ominously over operational processes such as continuous application delivery and update cycles, mobile device management schedules, operational reporting and so on.

    As fast as security, cloud and other infrastructure technology layers have progressed, nastier threat agents capable of targeting entire companies and their data have evolved with them.

    So how can the average IT manager take advantage of all the state-of-the-art developments in the IT ecosphere while continuing to maintain a ship that stays afloat?

    The answer comes down not just to IT infrastructure but to the application-access infrastructures.

    This arena is witnessing rapid development in security monitoring, analytics and forensics.

    Network-embedded dataset-level protection of this kind logically brings us to the use of application delivery controllers (ADCs).

    According to a whitepaper entitled Controlling Application Access, written by analyst house Freeform Dynamics and sponsored by Barracuda Networks, the current relatively low level of use of ADCs reflects a general lack of awareness of the potential value in protecting the network offered by multi-function appliances of this kind.

    What is an ADC?

    An ADC is a hardware-based device shipped with dedicated software, designed to sit inside a data-centre network between the firewall and the application server (or servers).

    More than just a load balancer or application acceleration engine, a modern ADC works to manage client connections across the network, the installed base of devices and the web.

    ADCs operate so that if one application within a network were to become compromised, then that application can be segregated and the users can continue to use the rest of the IT stack.

    This control is, in theory, not possible if a data centre has simply put up perimeter protection defences: once these are breached, then all applications are immediately under an equal level of threat.

    Although we previously said the ADC market is relatively new, these technologies have in fact been around for most of the last decade. Before ADCs we saw vendors such as F5 Networks and Juniper Networks offer application accelerators of a more dedicated sort, with less security intelligence on board.

    Today’s expanding ADC market still includes names such as F5 and Juniper, as well as the previously mentioned Barracuda Networks.

  26. Tomi Engdahl says:

    Aaron Swartz documentary, The Internet’s Own Boy, out today
    http://boingboing.net/2014/06/27/aaron-swartz-documentary-the-2.html

    The Internet’s Own Boy, Brian Knappenberger’s brilliant documentary about the life and death of Aaron Swartz, is out in cinemas and through on demand channels today.

    If you buy the Vimeo version for $10, you get a downloadable, remixable, CC-licensed version.

  27. Tomi Engdahl says:

    UK intelligence services report highlights secret service failings
    Too many already, but not enough investigation
    http://www.theinquirer.net/inquirer/news/2352537/uk-intelligence-services-report-highlights-secret-service-failings

    THE UK Intelligence Services Commissioner has delivered his report on the present state of the UK surveillance system and found it to be lacking in accuracy.

    Sir Mark Waller, the intelligence services commissioner, has reviewed a series of surveillance cases by government departments and agencies MI5, MI6, and GCHQ. He said that he studied some 300 cases and found problems with 10 percent of them.

  28. Tomi Engdahl says:

    New N.S.A. Chief Calls Damage From Snowden Leaks Manageable
    http://www.nytimes.com/2014/06/30/us/sky-isnt-falling-after-snowden-nsa-chief-says.html?_r=0

    The newly installed director of the National Security Agency says that while he has seen some terrorist groups alter their communications to avoid surveillance techniques revealed by Edward J. Snowden, the damage done over all by a year of revelations does not lead him to the conclusion that “the sky is falling.”

    In an hourlong interview Friday in his office here at the heart of the country’s electronic eavesdropping and cyberoperations, Adm. Michael S. Rogers, who has now run the beleaguered spy agency and the military’s Cyber Command for just short of three months, described the series of steps he was taking to ensure that no one could download the trove of data that Mr. Snowden gathered — more than a million documents.

    But he cautioned that there was no perfect protection against a dedicated insider with access to the agency’s networks.

    “Am I ever going to sit here and say as the director that with 100 percent certainty no one can compromise our systems from the inside?” he asked. “Nope. Because I don’t believe that in the long run.”

  29. Tomi Engdahl says:

    Using Android 4.3? Don’t let malware snatch your private login keys
    Bad news: One in ten devices suffer KeyStore flaw. Good news: It’s hard to exploit
    http://www.theregister.co.uk/2014/06/30/android_jelly_bean_users_open_to_passwordstealing_flaw/

    If you’re one of the 10.3 per cent of Android users running version 4.3, aka Jelly Bean, your login keys are at risk of theft – thanks to a vulnerability in the operating system’s KeyStore software.

    KeyStore, as the name suggests, stores a user’s cryptographic keys, which are used by apps to log into services without the user having to retype their password.

    But IBM researchers have found that the program is vulnerable to a classic stack-based buffer overflow by an attacker who is able to get a dodgy app running on a device. By borking KeyStore, some secure login functions could be accessed and master keys obtained.

    “To keep things simple, buffers are always larger than the maximum space we needed, so boundary checks on buffers are omitted.”

    The IBM researchers found the flaw last September and alerted the Android security team privately about the issue. By November a fix was developed for Android 4.4, but not the Jelly Bean build.

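The quoted root cause above ("boundary checks on buffers are omitted") is the textbook stack-based overflow pattern. The following is an added illustration in C, not code from the article, from IBM's researchers or from Android's KeyStore: a fixed-size buffer written without checking the caller-supplied length, next to a hardened version that rejects oversize input before touching the buffer. The names `KEY_NAME_MAX`, `copy_key_name_unchecked`, `copy_key_name` and `would_overflow` are hypothetical; the constant and sample inputs are constructed for the example.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical fixed-size stack buffer, standing in for a buffer that was
 * assumed to be "always larger than the maximum space we needed". */
#define KEY_NAME_MAX 64

/* Vulnerable pattern (constructed illustration, never called below):
 * the caller's length is trusted, so any len > KEY_NAME_MAX overruns dst
 * and smashes whatever the stack holds after it. */
void copy_key_name_unchecked(char dst[KEY_NAME_MAX], const char *src, size_t len)
{
    memcpy(dst, src, len);
}

/* Returns 1 if a copy of len bytes would not fit in a KEY_NAME_MAX buffer
 * (one byte is reserved for the terminating NUL). This is exactly the
 * boundary check the quoted design omitted. */
int would_overflow(size_t len)
{
    return len >= KEY_NAME_MAX;
}

/* Hardened version: validate the length against the destination size
 * first, copy only if it fits, and always NUL-terminate. Returns 0 on
 * success and -1 when the input is rejected (dst is left untouched). */
int copy_key_name(char dst[KEY_NAME_MAX], const char *src, size_t len)
{
    if (src == NULL || would_overflow(len))
        return -1;
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 0;
}

int main(void)
{
    char name[KEY_NAME_MAX];
    char oversized[200];

    /* A short, legitimate key alias is accepted. */
    if (copy_key_name(name, "userkey", 7) == 0)
        printf("stored alias: %s\n", name);

    /* A constructed 200-byte alias is refused instead of overrunning the
     * 64-byte buffer the way copy_key_name_unchecked would. */
    memset(oversized, 'A', sizeof oversized);
    if (copy_key_name(name, oversized, sizeof oversized) != 0)
        printf("rejected %zu-byte alias (limit %d)\n",
               sizeof oversized, KEY_NAME_MAX);
    return 0;
}
```

The defensive point is that the check belongs in the callee, keyed to the size of the buffer it actually owns, not to an assumption about what callers will send.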
  30. Tomi Engdahl says:

    Germany dumps Verizon for Deutsche Telekom over NSA spying
    Nein, danke, we need ‘a very high level of security’
    http://www.theregister.co.uk/2014/06/26/germany_boots_verizon/

    The German government has said it will cancel its contract with US telecoms provider Verizon, citing spying fears.

    “The pressures on networks as well as the risks from highly-developed viruses or Trojans are rising,” the country’s Interior Ministry told Reuters on Thursday. “Furthermore, the ties revealed between foreign intelligence agencies and firms in the wake of the US National Security Agency (NSA) affair show that the German government needs a very high level of security for its critical networks.”

    Germans aren’t alone in their outrage. Upon hearing about the Merkel affair, US senator John McCain (R-AZ) called for the resignation of then-NSA chief General Keith Alexander. That was largely for show, though; Alexander retired from military service in March, to be replaced by Navy Vice Admiral Michael Rogers.

    German carrier Deutsche Telekom will reportedly pick up where Verizon leaves off after getting the boot, and Reuters notes that DT already has a contract with the German government for carrying its most sensitive phone calls and data.

  31. Tomi Engdahl says:

    Millions of dynamic DNS users suffer after Microsoft seizes No-IP domains
    Legitimate users caught in legal fire designed to take down botnets.
    http://arstechnica.com/security/2014/06/millions-of-dymanic-dns-users-suffer-after-microsoft-seizes-no-ip-domains/

    Millions of legitimate servers that rely on dynamic domain name services from No-IP.com suffered outages on Monday after Microsoft seized 22 domain names it said were being abused in malware-related crimes against Windows users.

  32. Tomi Engdahl says:

    Active malware operation let attackers sabotage US energy industry
    “Dragonfly” infected grid operators, power generators, gas pipelines, report warns.
    http://arstechnica.com/security/2014/06/active-malware-operation-let-attackers-sabotage-us-energy-industry/

    Researchers have uncovered a malware campaign that gave attackers the ability to sabotage the operations of energy grid owners, electricity generation firms, petroleum pipelines, and industrial equipment providers.

    Called Dragonfly, the hacking group managed to install one of two remote access trojans (RATs) on computers belonging to energy companies located in the US and at least six European countries, according to a research report published Monday by Symantec. One of the RATs, called Havex, was spread by hacking the websites of companies selling software used in industrial control systems (ICS) and waiting for companies in the energy and manufacturing industries to install booby-trapped versions of the legitimate apps.

    “This campaign follows in the footsteps of Stuxnet, which was the first known major malware campaign to target ICS systems,” the Symantec report stated. “While Stuxnet was narrowly targeted at the Iranian nuclear program and had sabotage as its primary goal, Dragonfly appears to have a much broader focus with espionage and persistent access as its current objective with sabotage as an optional capability if required.”

    Dubbed Energetic Bear by other researchers, Dragonfly has been in operation since at least 2011. It initially targeted US and Canadian companies in the defense and aviation industries before shifting its focus to energy concerns.

    Dragonfly operators hacked websites of at least three different companies providing ICS software. The first provided a product used to provide VPN access to programmable logic controller devices (PLC). The unnamed provider discovered the attack shortly after it was mounted, but by then there had already been 250 downloads of the trojanized software.

    The second provider was a European manufacturer of specialist PLC devices. Symantec estimated that a compromised package containing a computer driver was available for download for at least six weeks last June and July. The last firm was also based in Europe and develops systems to manage wind turbines, biogas plants, and other energy infrastructure.

  33. Tomi Engdahl says:

    Hacker infects Synology storage devices, makes off with $620,000 in Dogecoin
    Mining cryptocurrencies is expensive. One hacker passed the cost on to NAS users.
    http://arstechnica.com/security/2014/06/hacker-infects-synology-storage-devices-makes-off-with-620000-in-dogecoin/

    A hacker generated digital coins worth more than $620,000 by hijacking a popular type of Internet-connected storage device from Synology, security researchers said.

    The open-source software added to hacked Synology devices was called CPUMiner.

    Given the expense and hassle of mining cryptocurrencies, attackers have been sneaking mining code onto other people’s devices for years now; given the skyrocketing prices of Bitcoin, the practice has become more common.

  34. Tomi Engdahl says:

    MIT and CERN’s secure webmail plan stumped by PayPal freeze
    Money-shuffler shutters cash flow after asking if crypto is legal
    http://www.theregister.co.uk/2014/07/01/proton_mail_caught_by_paypal_processing_freeze/

    The Proton Mail project, which offers end-to-end encrypted webmail from the user’s browser, has had a stick thrust into its operational spokes courtesy of PayPal.

    The MIT-and-CERN-inspired project, based on Switzerland, had decided against VC funding for reasons of credibility among users. Instead, it relies on users willing to fork out US$5 for 1 GB of stored mail, and was running a crowd-funding campaign – and that means it depends on payment processing.

    That’s where PayPal has gotten in the way.

  35. Tomi Engdahl says:

    Voice & Face Unlock Smartphones & Tablets
    http://www.eetimes.com/document.asp?doc_id=1322939&

    With the advent of increasingly sophisticated personal electronic devices, security is becoming more and more of an issue. In the case of products like smartphones, tablets (and other computers), and even digital cameras, people don’t want others to gain access to their private data. Similarly, in the case of things like home automation, people don’t wish others to be able to access the systems in their homes.

    Until recently, the main security solutions have required the user to enter a PIN code or a more complex password. Some products, like Android smartphones, allow the user to “draw” a shape with her finger. Although these methods may seem to be relatively unobtrusive, they become tiresome when one has to perform them multiple times a day.

    Another alternative is to add a fingerprint sensor, but this requires additional hardware that consumes valuable real estate on the device and that can cost between $5 and $10. Furthermore, these sensors don’t always work as well as one might hope.

    More recently, there has been a growing interest in biometric identification technologies, such as speech identification and facial recognition. Using just one of these techniques in isolation can result in an unacceptable level of “false negatives” (blocking access to the right person) and “false positives” (granting access to the wrong person). However, using both of these techniques together — referred to as “biometric fusion” — yields extremely high levels of accuracy.

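To make the "biometric fusion" trade-off above concrete, here is an added worked example in C; it is not code from the EE Times article or from any vendor. It combines the per-modality false accept rate (FAR) and false reject rate (FRR) of a face matcher and a voice matcher under two decision-level rules: AND (both must accept) and OR (either may accept). It assumes the two matchers err independently, which is a simplification, and the rates themselves are constructed sample values, not measurements.

```c
#include <stdio.h>

/* Error rates of one biometric matcher, as fractions in [0, 1].
 *   far: false accept rate, the wrong person is admitted
 *   frr: false reject rate, the right person is blocked */
typedef struct {
    double far;
    double frr;
} rates_t;

/* AND fusion: access is granted only if both matchers accept.
 * Assuming independent errors (constructed simplification), an impostor
 * gets through only when both matchers false-accept, while a genuine user
 * is blocked if either one false-rejects. FAR drops, FRR rises. */
rates_t fuse_and(rates_t a, rates_t b)
{
    rates_t r;
    r.far = a.far * b.far;
    r.frr = 1.0 - (1.0 - a.frr) * (1.0 - b.frr);
    return r;
}

/* OR fusion: access is granted if either matcher accepts.
 * The mirror image: an impostor gets through if either matcher
 * false-accepts, a genuine user is blocked only if both false-reject.
 * FRR drops, FAR rises. */
rates_t fuse_or(rates_t a, rates_t b)
{
    rates_t r;
    r.far = 1.0 - (1.0 - a.far) * (1.0 - b.far);
    r.frr = a.frr * b.frr;
    return r;
}

static void print_rates(const char *label, rates_t r)
{
    printf("%-12s FAR=%.4f%%  FRR=%.4f%%\n", label, r.far * 100.0, r.frr * 100.0);
}

int main(void)
{
    /* Constructed sample rates, not vendor figures. */
    rates_t face  = { 0.01, 0.05 };   /* 1% false accept, 5% false reject */
    rates_t voice = { 0.02, 0.08 };   /* 2% false accept, 8% false reject */

    print_rates("face only", face);
    print_rates("voice only", voice);
    print_rates("AND fusion", fuse_and(face, voice));
    print_rates("OR fusion", fuse_or(face, voice));
    return 0;
}
```

With these inputs AND fusion brings the false accept rate down to 0.02% (1% of 2%) at the cost of a 12.6% false reject rate, while OR fusion does the opposite. Which rule counts as "extremely high accuracy" depends on which error the deployment cares about; an unlock screen that must keep strangers out wants the AND rule, and score-level fusion (summing calibrated match scores before one threshold) is how products usually sit between the two extremes.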
  36. Tomi Engdahl says:

    Maxim – Deep Cover Secure Authenticators
    http://www.eeweb.com/company-blog/maxim/maxim-deep-cover-secure-authenticators/

    Device authentication is used to protect end users and original equipment manufacturers (OEMs) from the use of counterfeit peripherals, sensors, consumables, or other devices. It is a method that verifies to the host system that an attached device is genuine and can be trusted.

  37. Tomi Engdahl says:

    A strange gap on some Android handsets – a simple text message can reboot the device

    According to a French blogger, many Android phones based on MediaTek chipsets can be restarted with a text message that contains the characters =.

    MediaTek chipsets are widely used in countries such as India and China in the lower end of the Android phones. The problem can be fixed by replacing the default SMS handling app.

    Source: http://www.tivi.fi/kaikki_uutiset/outo+aukko+androidluureissa++yksinkertainen+tekstiviesti+kaynnistaa+laitteen+uudelleen/a996116

  38. Tomi Engdahl says:

    UK government to team with the Open University to teach cyber security
    Will aim to educate 200,000 people
    http://www.theinquirer.net/inquirer/news/2352852/uk-government-to-team-with-the-open-university-to-teach-cyber-security

    BLETCHLEY PARK: THE UK GOVERNMENT will team with the Open University to launch a cyber security course “very soon” that will enable 200,000 people to study online.

    The initiative will aim to bring education to 200,000 people with an overall aim to “introduce them to the subject”.

  39. Tomi Engdahl says:

    Exclusive: A review of the Blackphone, the Android for the paranoid
    Custom-built with privacy in mind, this handset isn’t for (Google) Play.
    http://arstechnica.com/security/2014/06/exclusive-a-review-of-the-blackphone-the-android-for-the-paranoid/

    Based on some recent experience, I’m of the opinion that smartphones are about as private as a gas station bathroom. They’re full of leaks, prone to surveillance, and what security they do have comes from using really awkward keys. While there are tools available to help improve the security and privacy of smartphones, they’re generally intended for enterprise customers. No one has had a real one-stop solution: a smartphone pre-configured for privacy that anyone can use without being a cypherpunk.

    That is, until now. The Blackphone is the first consumer-grade smartphone to be built explicitly for privacy.

  40. Tomi Engdahl says:

    Bitcoin was illegal in California? Whoops, governor fixes that 165-year-old money law
    Crypto-currencies threatened by anti-counterfeit cash rules
    http://www.theregister.co.uk/2014/07/01/california_bitcoin_new_law/

    California Governor Jerry Brown has signed off on a law legitimizing Bitcoin and other cryptocurrencies for use in the state.

    The governor rubber-stamped AB 129, enacting what legislators say is a much-needed overhaul of the state codes on currencies.

    Under the new law, digital currencies and community currencies are protected from the state’s counterfeiting laws – which ban the use of anything other than genuine US dollars.

    While the danger of the state economy being undermined by multiple currencies is no longer a worry, lawmakers feared the provisions were a dangerous technical threat to digital currencies, which could be seen in violation of a law carrying penalties of up to 15 years of imprisonment.

    Among the digital currencies listed in the bill are Bitcoin, Litecoin, Ripple and Dogecoin. The bill also covers locally used “community currency” vouchers.

  41. Tomi Engdahl says:

    The back door
    How a hacker helped ProPublica expose Russia’s secret infusion of cash to the embattled Syrian government
    http://www.cjr.org/feature/the_back_door.php

  42. Tomi Engdahl says:

    100,000 users lose their bank passwords to fake banking apps!
    http://www.cmcm.com/blog/2014-06-25/136.html

    The CM Security Research Lab is closely monitoring the proliferation of malware which is infecting Korean Android users at a rapid rate. This malware infects users by typical trojan means, and once installed it replaces your banking apps with fake versions that are designed to steal your information.

    Once the fake app has been loaded, it will ask you to input your certification password (which it will then steal). This is a document used to identify people for the purposes of online banking services, e-commerce, and other government related administrative purposes.

  43. Tomi Engdahl says:

    In Russia, A Like Or Retweet Can Now Cost You Five Years In Jail
    http://www.buzzfeed.com/maxseddon/in-russia-a-like-or-retweet-can-now-cost-you-5-years-in-jail

    Nobody seems to have told Putin that retweets aren’t endorsements.

    KIEV, Ukraine — In Russia, likes, reposts, and retweets aren’t just endorsements — they’re now punishable by up to five years in prison.

    President Vladimir Putin has approved new amendments introducing harsh sentences for online incitement to religious hatred and “extremism,” further tightening the screws in the Kremlin’s recent internet clampdown.

    “Retweeting and publication is the same thing as distribution,” an account said to be run unofficially from Russia’s Investigative Committee replied to the original tweet, since deleted. “Get ready.”

  44. Tomi Engdahl says:

    You are ALL Americans now: Europeans offered same rights as US folks in data slurp leaks
    So we cool now, right?
    http://www.theregister.co.uk/2014/06/25/us_privacy_rights_deal_offered_eu/

    US Attorney General Eric Holder has raised a few eyebrows by announcing plans to give Europeans the same legal protections as US citizens when Uncle Sam’s agents seek their private information.

    Holder claimed the Obama administration would put forth legislation to offer EU citizens the same data protection rights and access to the courts under law as US citizens, including the ability to file for redress in America should their data be wrongfully disclosed by g-men.

  45. Tomi Engdahl says:

    Privacy board backs NSA’s foreign spying
    http://thehill.com/policy/technology/211140-privacy-board-backs-nsa-program

    A federal privacy watchdog is largely putting its support behind a major pillar of the National Security Agency’s foreign snooping.

    The PRISM program is “clearly authorized” by the law, the PCLOB report found. It added that the legal authority also “can permissibly be interpreted” to authorize the “upstream” collection.

    “The recommendations are surprisingly anemic when you compare them to the more robust approach that the board took when it reviewed the bulk collection.”

