Security trends for 2014

2014 will be a year of cybersecurity after the NSA revelations of 2013. The headline news was that the NSA has surreptitiously “burrowed its way into nearly all the security architecture” sold by the world’s largest computer networking companies. Many people were shocked by how much of the Internet the NSA monitored and hacked. There will still be NSA aftershocks as new material comes out and different parties react to it (and news sources write about it). U.S. cloud services have been called into question for good reason. There will be a lot of NSA spying litigation. The spying issues will also fuel some hacktivism (it has already started to happen).

The Security Professionals: Top Cyber Threat Predictions for 2014 article lists the following predictions, which seem pretty probable: Cybersecurity Regulatory Efforts Will Spark Greater Need for Harmonization; Service-Impacting Interruptions for Online Services Will Persist; We Will See an Increase in Cybercrime Activity Related to the World Cup; Rise of Regional Cloud Services; Dev-Ops Security Integration Fast Becoming Critical; Cybercrime that Leverages Unsupported Software Will Increase; Increase in Social Engineering and Ransomware Will Impact More People.

Ubiquitous mobile computing is all around us, and it will bring increased risks and concerns about social network privacy. Social networks have quickly become the key organizing principle of Internet communication and collaboration. Android anti-virus apps can’t kill malware on sight the way desktop AV does, because the Android sandbox does not give them the system-level hooks a desktop AV relies on.

2013 was a very hacked year: there were many cases where information on millions or tens of millions of users was stolen from companies. It is likely that we will see much more of the same in 2014, since the way people use passwords and the way on-line services are built have not changed much in a year.


Gartner predicts that through 2014, improved JavaScript performance will begin to push HTML5 and the browser as a mainstream enterprise application development environment. I expect HTML5-related security issues to increase as the technology gets used more in 2014.

Over 50% of net traffic to web sites is made by bots! The More Than Half of Internet Traffic Is Just Bots article says that security and cloud service provider Incapsula analyzed its traffic and found that more than 60 percent of internet traffic is computer generated, compared to less than 40 percent driven by human clicks. 31% of bots are still malicious. SEO link building has always been a major motivation for automated link spamming, but it is decreasing because Google has been able to discourage it. At the same time there is more advanced hacking and automated vulnerability searching.

DDoS attacks are evolving from volumetric Layer 3/4 attacks to much more sophisticated and dangerous Layer 7 multi-vector threats: a few hundred requests per second aimed at an expensive search or login endpoint can exhaust an application server that shrugs off gigabits of SYN packets, and such requests look like ordinary browser traffic to a packet filter.
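The bot-traffic passage and the Layer 7 DDoS passage above can be worked on the same access log. The following is an added example, not code from the original post or from Incapsula: it parses constructed combined-format log lines, splits requests into declared bots and humans by User-Agent, and then flags the address whose busiest 10-second window exceeds a request threshold. The log lines, the User-Agent markers and the thresholds are constructed or assumed for illustration. What it shows is that the flooding client sends an ordinary browser User-Agent, so the first check counts it as human and only the rate check catches it.

```python
"""Split an access log into declared-bot and human traffic, and flag
Layer 7 floods that a User-Agent check alone would miss.

Added example, not code from the original post or from Incapsula.
The log lines are constructed; the thresholds are illustrative assumptions.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
# Assumed markers for self-declared crawlers and scripting tools.
BOT_UA_MARKERS = ("bot", "crawler", "spider", "curl/", "wget/", "python-requests")


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def is_declared_bot(ua):
    """True for an empty UA or one carrying a known crawler/tool marker."""
    return ua in ("", "-") or any(mk in ua.lower() for mk in BOT_UA_MARKERS)


def traffic_split(lines):
    """(bot_requests, human_requests) judged purely by User-Agent."""
    bots = humans = 0
    for rec in filter(None, map(parse_line, lines)):
        if is_declared_bot(rec["ua"]):
            bots += 1
        else:
            humans += 1
    return bots, humans


def find_l7_floods(lines, window_s=10, max_req=20, single_target_share=0.8):
    """Flag IPs whose busiest window_s-second window exceeds max_req requests.

    Application-layer floods hit one expensive endpoint (search, login) with
    varying query strings to defeat caching, so the report also gives the
    share of requests that hit the most common path with its query removed.
    """
    by_ip = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        by_ip[rec["ip"]].append((rec["time"], rec["path"].split("?", 1)[0]))
    flagged = {}
    for ip, reqs in by_ip.items():
        reqs.sort()
        best = (0, 0, 0)  # (count, first_index, last_index) of the busiest window
        start = 0
        for end in range(len(reqs)):
            while (reqs[end][0] - reqs[start][0]).total_seconds() > window_s:
                start += 1
            if end - start + 1 > best[0]:
                best = (end - start + 1, start, end)
        count, s, e = best
        if count > max_req:
            top_path, n = Counter(p for _, p in reqs[s:e + 1]).most_common(1)[0]
            flagged[ip] = {
                "requests_in_window": count,
                "top_path": top_path,
                "top_path_share": n / count,
                "single_target": n / count >= single_target_share,
            }
    return flagged


def _line(ip, sec, path, ua):
    return ('%s - - [10/Aug/2014:12:00:%02d +0000] "GET %s HTTP/1.1" 200 512 "-" "%s"'
            % (ip, sec, path, ua))


# Constructed sample: two human page views, a crawler, a scripted login probe,
# and 25 search requests from one address inside five seconds.
SAMPLE_LOG = [
    _line("198.51.100.4", 1, "/", "Mozilla/5.0 (Windows NT 6.1) Firefox/31.0"),
    _line("198.51.100.4", 7, "/about", "Mozilla/5.0 (Windows NT 6.1) Firefox/31.0"),
    _line("192.0.2.9", 3, "/robots.txt", "Googlebot/2.1 (+http://www.google.com/bot.html)"),
    _line("192.0.2.20", 4, "/wp-login.php", "python-requests/2.3.0"),
] + [_line("203.0.113.7", i // 5, "/search?q=%d" % i, "Mozilla/5.0") for i in range(25)]

if __name__ == "__main__":
    print("bots/humans by UA:", traffic_split(SAMPLE_LOG))
    for ip, info in find_l7_floods(SAMPLE_LOG).items():
        print(ip, info)
```

On the sample, the User-Agent split reports 2 bot and 27 human requests, while the flood check reports 203.0.113.7 with 25 requests in its busiest window, all to /search. In production the window and threshold have to be tuned per endpoint (a login page tolerates far fewer requests per client than a static asset), and clients behind a shared NAT need a higher threshold or a per-session key instead of the source IP.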

There will still be many SCADA security issues in 2014. Even though traditional SCADA vulnerabilities have become easier to find, the increased connectivity brought by IoT will cause new issues. And there will still be very many control systems openly accessible from the Internet to practically anybody who knows how to look for them. A large number of SCADA systems were found open on the Internet at the beginning of 2013, and the numbers have not dropped considerably during the year. I expect that very many of those systems will still be too open at the end of 2014.

The Internet is expanding into enterprise assets and consumer items such as cars and televisions. The Internet of Things (IoT) will evolve into the Web of Things, increasing the coordination between things in the real world and their counterparts on the Web. There will be many security issues to solve, and as these systems become more widely used, more security issues will be found in them.

Cloud security will be talked about. Hopefully there will be some clean-up of the terminology in that area, because “cloud security” can mean a lot of things, just like the term “cloud computing”. Cloud security could mean how secure your cloud provider is; a service running in the cloud that filters what passes through it (for example e-mail or web traffic); a product protecting some service that runs in the cloud; or a traditional anti-virus product that connects to the cloud to improve its operation (for example to update in real time, or to verify unknown programs against data in the cloud). Research firm Gartner forecasts that cloud security sales will increase dramatically in the next few years: Gartner puts cloud security sales at $2.1 billion over the past year and forecasts $3.1 billion in 2015.

Marketers put the term “cloud” into security product brochures as much as they can. The cloud makes traditional information security sound old-fashioned, because companies are under pressure to move services to the cloud. Mobile devices and dispersed users also set new standards for information security. OpenDNS’s CTO Dan Hubbard says that “Because the data and equipment run in the cloud with the users, the cloud is the best way to protect them.” The Snowden effect will also bring private cloud talk to the table this year for security reasons, because U.S. cloud services have been put into question for good reason.

In Finland, a new Cyber Security Centre started at the beginning of 2014. Its security articles and warnings will be published at kyberturvallisuuskeskus.fi.

Late addition: Crypto-currencies like Bitcoin are on the rise. Early adopters already use them actively. These crypto-currencies have many security issues related to them. Their values vary quite a lot, and the value easily drops considerably when they get so widely used that governments try to limit their use. Bitcoin is increasingly used as a ransomware payment method. Bitcoins have lately been stolen quite a lot (and I expect that to increase as usage increases), from users, from on-line wallets and from exchanges. When more money is involved, more bad guys try to get in to grab some of it. Sometimes the bad guys do not try to steal your money but use resources you pay for (your own PC, your server capacity, etc.) to generate money for them without you knowing about it. If you plan to use crypto-currencies, be careful to understand what you are doing with them: there is a real possibility that you can lose your money, and there is no way to recover lost money.

3,382 Comments

  1. Tomi Engdahl says:

    OpenSSL receives nine post-Heartbleed critical bug fixes
    The CII coding boys are earning their keep
    http://www.theinquirer.net/inquirer/news/2359336/openssl-receives-nine-post-heartbleed-critical-bug-fixes

    OPENSSL, the web security layer at the centre of the Heartbleed vulnerability, has been updated with a further nine critical patches.

    While none of the flaws are as serious as Heartbleed, patching is recommended for all users according to an advisory released today. The vulnerabilities were found by various security research teams around the web including Google, LogMeIn and Codenomicon, based on their reports during June and July.

    Reply
  2. Tomi Engdahl says:

    Google: Switch to HTTPS and we’ll rank you higher in search results
    Search engine to award encrypted websites
    http://www.theinquirer.net/inquirer/news/2359304/google-switch-to-https-and-well-rank-you-higher-in-search-results

    GOOGLE IS OFFERING the incentive of higher ranking in its search results to websites that use HTTPS encryption.

    In a bid to promote better security across the net and circumvent potential data surveillance, the search engine said that it wants to encourage HTTPS encryption across the industry and will attempt to boost the use of it by rewarding adopters with more traffic.

    Google said it has seen positive results in its tests and so has started using HTTPS as a ranking signal.

    Reply
  3. Tomi Engdahl says:

    nCrypted Cloud brings client side integration to Dropbox, Microsoft Onedrive
    Puts security at the forefront
    http://www.theinquirer.net/inquirer/news/2359305/ncrypted-cloud-brings-client-side-integration-to-dropbox-microsoft-onedrive

    NCRYPTED CLOUD HAS ANNOUNCED the UK and European launch of its encryption layering software for cloud storage collaboration.

    nCrypted Cloud is a client-side encryption application that meshes seamlessly with a range of cloud clients including Dropbox, Box, Egnyte, Google Drive and Microsoft Onedrive.

    “What’s so ingenious about nCrypted Cloud is that, as cloud storage providers like Dropbox make enhancements, nCrypted Cloud continues to function as a layer on top of the services, encrypting at the endpoint (it encrypts at rest and in flight), and allowing enhanced control for enterprises, with the ability to audit files and implement data access controls.”

    Reply
  4. Tomi Engdahl says:

    Network hijacker steals $83,000 in Bitcoin … and enough Dogecoin for a cup of coffee
    Wow. Such hack. Very router. So BGP. Wow.
    http://www.theregister.co.uk/2014/08/07/bgp_bitcoin_mining_heist/

    Researchers at Dell’s SecureWorks Counter Threat Unit (CTU) have identified an exploit that can be used to steal cryptocurrency from mining pools – and they claim that at least one unknown miscreant has already used the technique to pilfer tens of thousands of dollars in digital cash.

    The heist was achieved by using bogus Border Gateway Protocol (BGP) broadcasts to hijack networks belonging to multiple large hosting companies, including Amazon, Digital Ocean, and OVH, among others.

    “In total, CTU researchers documented 51 compromised networks from 19 different Internet service providers (ISPs),” the Dell team wrote in a blog post on Thursday.

    Reply
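The heist above works because a bogus announcement of a more-specific prefix wins longest-prefix matching everywhere it propagates. The following is an added example, not Dell SecureWorks’ tooling: it checks a constructed feed of announcements against a constructed table of which AS is expected to originate which prefix (in practice that table would come from RPKI ROAs or IRR route objects) and reports both exact-prefix and more-specific hijacks. The prefixes and ASNs are documentation and private-use values, not real allocations.

```python
"""Check BGP announcements against the expected origin AS of each prefix.

Added example, not Dell SecureWorks' tooling. The expected-origin table would
normally come from RPKI ROAs or IRR route objects; here it is constructed, as
is the update feed. Prefixes and ASNs are documentation/private-use values.
"""
import ipaddress

# Assumed ground truth: which AS is allowed to originate which prefix.
EXPECTED_ORIGIN = {
    "192.0.2.0/24": 64500,
    "198.51.100.0/24": 64501,
    "203.0.113.0/24": 64502,
}

HIJACK_VERDICTS = ("origin-hijack", "subprefix-hijack")


def classify_update(prefix, as_path, expected=EXPECTED_ORIGIN):
    """Classify one announcement; as_path is left to right, origin AS last.

    "ok"               exact registered prefix from its registered origin
    "origin-hijack"    exact registered prefix from a different origin
    "subprefix-hijack" more-specific of a registered prefix from a different
                       origin; longest-prefix match makes it win everywhere
    "unknown"          no registered prefix covers it
    """
    net = ipaddress.ip_network(prefix)
    origin = as_path[-1]
    covering = []
    for reg_prefix, reg_asn in expected.items():
        reg = ipaddress.ip_network(reg_prefix)
        if reg.version == net.version and net.subnet_of(reg):
            covering.append((reg, reg_asn))
    if not covering:
        return "unknown"
    # The most specific registered prefix is the authoritative one.
    reg_net, reg_asn = max(covering, key=lambda item: item[0].prefixlen)
    if reg_asn == origin:
        return "ok"
    return "origin-hijack" if reg_net == net else "subprefix-hijack"


def scan_feed(updates, expected=EXPECTED_ORIGIN):
    """Return [(prefix, as_path, verdict)] for the announcements that look hijacked."""
    hits = []
    for prefix, as_path in updates:
        verdict = classify_update(prefix, as_path, expected)
        if verdict in HIJACK_VERDICTS:
            hits.append((prefix, as_path, verdict))
    return hits


# Constructed feed: two legitimate routes, one more-specific hijack (the
# pattern used against the mining pools), one exact-prefix hijack, and one
# prefix for which nothing is registered.
SAMPLE_UPDATES = [
    ("192.0.2.0/24", [64510, 64500]),
    ("198.51.100.0/25", [64510, 64520, 64599]),
    ("203.0.113.0/24", [64510, 64599]),
    ("198.51.100.0/24", [64510, 64501]),
    ("10.0.0.0/8", [64510, 64599]),
]

if __name__ == "__main__":
    for prefix, path, verdict in scan_feed(SAMPLE_UPDATES):
        print("%-18s origin AS%d  %s" % (prefix, path[-1], verdict))
```

This is the origin-validation half of the problem only: a hijacker who keeps the legitimate origin AS at the end of a forged path (a path-manipulation hijack) passes this check, and legitimately announced more-specifics by the prefix holder’s own customers show up as hijacks unless they are registered too. RPKI route origin validation at the border would drop both of the flagged sample routes before they reached the routing table.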
  5. Tomi Engdahl says:

    ‘Up to two BEEELLION’ mobes easily hacked by evil base stations
    Android, BlackBerry, and Apple fall to OMA-DM flaw – claim
    http://www.theregister.co.uk/2014/08/08/two_billeeon_mobile_phones_easily_hackable_with_dummy_base_station/

    The mechanisms used to update smartphone operating systems over the air are vulnerable to hijacking and abuse, researchers have claimed.

    Mathew Solnik and Marc Blanchou at security firm Accuvant told conference attendees that the problem lies in the Open Mobile Alliance Device Management (OMA-DM) protocol, which is used by about 100 mobile phone manufacturers to deliver software updates and perform network administration.

    They found that, to access handsets remotely, the attacker needs to know the handset’s unique International Mobile Station Equipment Identity (IMEI) number and a secret token.

    Reply
  6. Tomi Engdahl says:

    ePHI Prized by Cyber Criminals
    http://www.peak10.com/blog/post/ephi-prized-by-cyber-criminals?utm_source=News&utm_medium=cpc-pk10mkto-2988&utm_campaign=datasecurity2#.U-S2dbFsUik

    New technologies, legislation, mandates, regulations, deadlines, financial incentives and management models and entities have all swept through the businesses of patient care and health insurance in a relatively few short years. Left in the wake is a fragile, if not wobbly structure responsible for processing, exchanging and protecting increasingly massive amounts of personal information – financial as well as medical.

    No wonder the healthcare industry has become a target-of-choice for the world’s cyber criminals and organized syndicates. The Identity Theft Resource Center said that nearly half of the 353 criminal attacks it tracked so far in 2014 occurred in the healthcare sector.

    While a credit card or social security number is worth a dollar or two on the Internet black market, a complete medical profile can fetch upwards of $500. Perpetrating Insurance and prescription drug fraud lead the wish list for those in the market for stolen patient information.

    A study done for ID Experts by the Ponemon Institute reports that criminal attacks on the healthcare industry have doubled in the past four years. And the average cost a healthcare organization absorbs is approximately $2 million over two years.

    While data privacy and confidentiality are essential, a healthcare provider can be HIPAA compliant and able to fend off OCR fines, but still not be secure from cyber terrorism.

    The ID Experts-sponsored study found that despite the perceived risk, 40 percent of organizations reported they are heavy cloud users, primarily for data storage and back up, business applications, file- and document sharing, and collaboration.

    Reply
  7. Tomi Engdahl says:

    UK Police Won’t Admit They’re Tracking People’s Phone Calls
    http://motherboard.vice.com/read/uk-police-wont-admit-theyre-tracking-peoples-phone-calls

    You’ve maybe heard a bit about Stingray. Over the past couple of years, it has emerged that police forces in the US have been using the powerful surveillance tool, which tricks phones into connecting to a dragnet, to track mobile devices, and intercept calls and text messages.

    Meanwhile, the London Metropolitan Police Service (MPS) continue to remain tight lipped about their use of the technology, leaving citizens in the dark on what privacy protections, if any, are in place for those who may get swept up by the broad surveillance techniques.

    Reply
  8. Tomi Engdahl says:

    Canadian Developers Are Making the Next Tails Privacy Software
    http://motherboard.vice.com/read/canadian-developers-want-to-make-the-next-tails?trk_source=recommended

    Whether it’s the NSA exploiting weaknesses in encryption software, the holes in Tor making it less anonymous, or the major problems with Tails—vulnerabilities are constantly testing the security and anonymity of computer users.

    But little known Montreal-based developers at Subgraph want to change all that, and have started working on a zero-day resistant Operating System (OS), protecting against infiltration.

    The company is billing their new OS as an alternative to Tails, another widely used anonymity platform promising to let users travel “the Internet anonymously.”

    Since it’s unrealistic to aim for a completely zero-day-free OS, Subgraph is designed to almost quarantine the impact of those vulnerabilities by limiting how extensively an application allows access to the computer network.

    “There were security problems [with Tails] that were not part of the security design,”

    Reply
  9. Tomi Engdahl says:

    Public Wi-Fi users in Russia will have to log on with ID, reports say
    https://gigaom.com/2014/08/08/public-wi-fi-users-in-russia-will-have-to-log-on-with-id-under-new-information-war-order/

    Russia’s clampdown on internet freedom continues, this time with a measure designed to counter “those interested in destabilization.” However, there is some confusion over which hotspots are affected.

    Reply
  10. Tomi Engdahl says:

    TSA Checkpoint Systems Found Exposed On The Net
    Researcher Billy Rios exposes new threats to airport security systems.
    http://www.darkreading.com/vulnerabilities—threats/advanced-threats/tsa-checkpoint-systems-found-exposed-the-on-net/d/d-id/1297843?_mc=RSS_DR_EDT

    A Transportation Safety Administration (TSA) system at airport security checkpoints contains default backdoor passwords, and one of the devices running at the San Francisco Airport was sitting on the public Internet.

    Renowned security researcher Billy Rios, who is director of threat intelligence at Qualys, Wednesday here at Black Hat USA gave details on security weaknesses he discovered in both the Morpho Detection Itemiser 3 trace-explosives and residue detection system, and the Kronos 4500 time clock system used by TSA agents to clock in and out with their fingerprints, which could allow an attacker to easily gain user access to the devices.

    Device vendors embed hardcoded passwords for their own maintenance or other technical support.

    Rios found some 6,000 Kronos time clock systems open on the public Internet, two of which belonged to US airports.

    Fellow researcher Terry McCorkle revealed that a widely deployed carry-on baggage scanner used in most airports could be easily manipulated by a malicious TSA inside or outside attacker.

    Rapiscan’s baggage scanners remain in most airports, although its contract with TSA is now defunct.

    The ICS-CERT issued an advisory about the Itemiser flaw on July 24.

    Default or hardcoded passwords are a systemic problem in many so-called embedded devices, Rios says. “All it takes is one person to figure it [the password] out, and the entire device is compromised.”

    The big problem with such devices is there’s little visibility into them, so an organization whose device gets compromised may not even know or realize it, Rios says. “They may not even know, because they don’t have the tools or expertise to understand it.”

    Reply
  11. Tomi Engdahl says:

    Black Hat 2014: A New Smartcard Hack
    http://spectrum.ieee.org/riskfactor/telecom/security/black-hat-2014-how-to-hack-smartcards-and-termsofservice

    According to new research, chip-based “Smartcard” credit and debit cards—the next-generation replacement for magnetic stripe cards—are vulnerable to unanticipated hacks and financial fraud. Stricter security measures are needed, the researchers say, as well as increased awareness of changing terms-of-service that could make consumers bear more of the financial brunt for their hacked cards.

    The work is being presented at this week’s Black Hat 2014 digital security conference in Las Vegas. Ross Anderson, professor of security engineering at Cambridge University, and co-authors have been studying the so-called Europay-Mastercard-Visa (EMV) security protocols behind emerging Smartcard systems.

    “Any forged signature will likely be shown to be a forgery by later expert examination,” Anderson wrote in his ACM article. “In contrast, if the correct PIN was entered the fraud victim is left in the impossible position of having to prove that he did not negligently disclose it.”

    And PIN authentication schemes, Anderson says, have a number of already discovered vulnerabilities, a few of which can be scaled up by professional crooks into substantial digital heists.

    Reply
  12. Tomi Engdahl says:

    Foursquare Now Tracks Users Even When the App Is Closed
    http://blogs.wsj.com/digits/2014/08/06/foursquare-now-tracks-users-even-when-the-app-is-closed/

    Hiding in Foursquare’s revamped mobile app is a feature some users might find creepy: It tracks your every movement, even when the app is closed.

    Starting today, users who download or update the Foursquare app will automatically let the company track their GPS coordinates any time their phone is powered on.

    Foursquare updated its privacy policy this week to warn users that with the new version of the app tracks and sometimes shares users’ locations even when the app is closed.

    Reply
  13. Tomi Engdahl says:

    Cornering the Market On Zero-Day Exploits
    http://it.slashdot.org/story/14/08/08/1617254/cornering-the-market-on-zero-day-exploits

    While this would no doubt make zero-day vendors like VUPEN and middlemen like the Grugq very wealthy, is this strategy really a good idea? Can the public really trust the NSA to do the right thing with all those zero-day exploits?

    Reply
  14. Tomi Engdahl says:

    Intruder alert: Cyber thugs are using steganography to slip in malware badness
    Signature-sniffers WILL be fooled – researcher
    http://www.theregister.co.uk/2014/08/08/malware_steganography/

    Common or garden cybercrooks have taken to using steganography – the art of hiding secret information within another image or message file – to run a click-fraud scam.

    Steganography has long been the stuff of spy trade-craft and cypherpunk novels, but now cybercrooks have made the practice downmarket by applying it to the Lurk malware downloader.

    Reply
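Steganography of the kind described above defeats signature matching because the carrier file’s bytes barely change. The following is an added example, not the Lurk downloader’s actual scheme or any code from the article: it hides a constructed payload in the least-significant bit of each colour channel of a constructed 16x16 pixel list (so no imaging library is needed), recovers it, and shows that no channel value moves by more than 1. A length and CRC32 header lets the extractor tell a real frame from random low bits, which is also the cheapest detection heuristic a defender can apply to a suspect image.

```python
"""Hide a payload in the least-significant bits of image pixels and get it back.

Added example, not the Lurk downloader's actual scheme. It works on a plain
list of (R, G, B) tuples so no imaging library is needed; the carrier image
and the payload are constructed.
"""
import struct
import zlib


def _bits(data):
    """Yield the bits of a byte string, most significant bit first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed(pixels, payload):
    """Return a copy of pixels with payload written into channel LSBs.

    Frame layout: 4-byte big-endian length, 4-byte CRC32, payload bytes.
    Every channel value moves by at most 1, which is invisible to the eye
    and to a scanner matching signatures against the file's byte pattern.
    """
    frame = struct.pack(">II", len(payload), zlib.crc32(payload) & 0xFFFFFFFF) + payload
    capacity = len(pixels) * 3
    if len(frame) * 8 > capacity:
        raise ValueError("frame needs %d bits, carrier has %d" % (len(frame) * 8, capacity))
    bits = _bits(frame)
    out = []
    for px in pixels:
        new = []
        for ch in px:
            b = next(bits, None)
            new.append(ch if b is None else (ch & ~1) | b)
        out.append(tuple(new))
    return out


def extract(pixels):
    """Recover the payload; ValueError if the LSBs do not hold a valid frame."""
    lsbs = (ch & 1 for px in pixels for ch in px)

    def take(n_bytes):
        buf = bytearray()
        try:
            for _ in range(n_bytes):
                byte = 0
                for _ in range(8):
                    byte = (byte << 1) | next(lsbs)
                buf.append(byte)
        except StopIteration:
            raise ValueError("carrier too small for the claimed frame")
        return bytes(buf)

    length, crc = struct.unpack(">II", take(8))
    payload = take(length)
    if zlib.crc32(payload) & 0xFFFFFFFF != crc:
        raise ValueError("CRC mismatch: no frame, or carrier was altered")
    return payload


def has_payload(pixels):
    """Cheap detector: does a self-consistent frame sit in the LSBs?"""
    try:
        extract(pixels)
        return True
    except ValueError:
        return False


def max_channel_delta(a, b):
    """Largest per-channel change between two same-size images."""
    return max(abs(x - y) for pa, pb in zip(a, b) for x, y in zip(pa, pb))


# Constructed 16x16 "image" with varied low bits, and a constructed payload.
CARRIER = [((x * 17) % 256, (y * 33) % 256, (x * y + 7) % 256)
           for y in range(16) for x in range(16)]
PAYLOAD = b"GET /c2/beacon?id=1"

if __name__ == "__main__":
    stego = embed(CARRIER, PAYLOAD)
    print("max channel change:", max_channel_delta(CARRIER, stego))
    print("recovered:", extract(stego))
```

Two practical points follow from the code. LSB embedding only survives lossless formats (PNG, BMP); re-encoding the carrier as JPEG or resizing it destroys the payload, which is why a gateway that re-encodes inbound images is a cheap countermeasure. And the header-and-CRC check detects this particular framing only; real malware can scatter bits by a keyed permutation or use a different container, so statistical tests on the LSB plane, not a fixed parser, are what detection tooling has to rely on.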
  15. Tomi Engdahl says:

    Beware WarKitteh, the connected cat that sniffs your Wi-Fi privates
    Inventor says, despite it all, he’s still not a cat person
    http://www.theregister.co.uk/2014/08/09/beware_warkitteh_the_connected_cat_that_sniffs_your_wifi_privates/

    Defcon 22 An inventive security researcher has successfully tested a war-driving kitty collar – so its wearer can prowl around the neighborhood exposing the lamentable state of Wi-Fi security.

    “Techies get security, but try to explain the technology to the average consumer and you can see their eyes glaze over so I’ve become known for getting them back engaged with cat pictures,” he said. “Then someone told me about a cat collar with GPS and a cellular modem built in that texted the pet’s location, and I had the idea for WarKitteh.”

    Bransfield built the WarKitteh collar using a Spark Core chip, which is an ARM processor backed by a Wi-Fi chip and a GP-635T GPS unit.

    The WarKitteh collar found 23 unique Wi-Fi networks, including four that were completely open and four more that were using the easily broken WEP encryption standard. It’s clear from the data that security best practices still aren’t filtering down to many home Wi-Fi users.

    Reply
  16. Tomi Engdahl says:

    DON’T PANIC! Satellite comms hacking won’t be able to crash an aircraft
    Cute idea but it just won’t fly
    http://www.theregister.co.uk/2014/08/08/dont_panic_satellite_comms_hacking_wont_be_able_to_crash_an_aircraft/

    Black Hat 2014 Nervous fliers have one less thing to worry about after it turns out that, despite some alarmist reports, hackers won’t be making planes fall out of the sky any time soon.

    The sensational headlines came after reporters learned that Ruben Santamarta, a consultant with security firm IOActive, was going to talk at Black Hat about insecure satellite communications systems on aircraft.

    “We can disrupt satellite signals and modify the data channel but that doesn’t mean you can completely control the aircraft,”

    “Aircraft have several ways to communicate with the ground, including VHF, and they don’t just rely on satellites.”

    Reply
  17. Tomi Engdahl says:

    AVG: We need laws to stop biz from tracking our kids
    CTO of antivirus firm calls for new laws on children’s privacy
    http://www.theregister.co.uk/2014/07/03/avg_data_about_children/

    The antivirus giant AVG will today call for legislative action to prevent data-grabbers from spying on children.

    “Businesses can not just simply track and share my children’s data by default. You need my consent to do that,” Ben-Itzhak said.

    “It’s time to tell vendors where the line lies. If there are not any law, they are just going to [keep gathering data on minors]. We need to tell lawmakers and influencers that there could be a problem.”

    Reply
  18. Tomi Engdahl says:

    Black Hat 2014: How to Hack the Cloud to Mine Crypto Currency
    http://spectrum.ieee.org/riskfactor/telecom/security/black-hat-2014-how-to-hack-the-cloud-to-mine-crypto-currency

    Using a combination of faked e-mail addresses and free introductory trial offers for cloud computing, a pair of security researchers have devised a shady crypto currency mining scheme that they say could theoretically net hundreds of dollars a day in free money using only guile and some clever scripting.

    “We realized that … for about two-thirds of cloud service providers, their free trials only required a user to confirm an e-mail address,”

    In other words, they had access to many introductory accounts at sites like Google’s Cloud Platform, Joyent, CloudBees, iKnode, CloudFoundry, CloudControl, ElasticBox and Microsoft Windows Azure.

    Some of these sites, each offering their own enticement of free storage and free computing as a limited introductory offer, could be spoofed, the researchers discovered.

    “A lot of the e-mail confirmation and authentication features rely on the old concept that one person has one e-mail address—and that is simply not the case anymore,” Ragan says. “We’ve developed a platform that would allow anyone to have 30,000 e-mail addresses.”

    Reply
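The flaw the researchers describe is the assumption that one confirmed e-mail address means one person. The following is an added example, not the researchers’ platform or any provider’s code: it canonicalises sign-up addresses to the mailbox that actually receives them, using the well-known provider rules (plus-addressing, Gmail’s dot-insensitivity and its googlemail.com alias), and reports mailboxes behind more than one sign-up. The provider rule tables and the sign-up list are constructed for illustration.

```python
"""Collapse e-mail aliases to the mailbox that actually receives them.

Added example, not the researchers' platform. The provider rules are the
well-known ones (plus-addressing, Gmail dot-insensitivity, the googlemail.com
alias) and are assumed rather than looked up; the sign-up list is constructed.
"""
from collections import defaultdict

# Assumed: domains whose local part ignores dots, and domain aliases.
DOT_INSENSITIVE = {"gmail.com", "googlemail.com"}
DOMAIN_ALIASES = {"googlemail.com": "gmail.com"}
# Assumed: providers known to deliver "+tag" sub-addresses to the base mailbox.
PLUS_TAGGING = {"gmail.com", "googlemail.com", "outlook.com", "fastmail.com"}


def canonical_mailbox(address):
    """Return the mailbox a message to `address` is actually delivered to."""
    addr = address.strip().lower()
    if addr.count("@") != 1:
        raise ValueError("not a single-mailbox address: %r" % address)
    local, domain = addr.split("@")
    domain = DOMAIN_ALIASES.get(domain, domain)
    if domain in PLUS_TAGGING:
        local = local.split("+", 1)[0]
    if domain in DOT_INSENSITIVE:
        local = local.replace(".", "")
    return "%s@%s" % (local, domain)


def group_signups(addresses):
    """Map each real mailbox to the sign-up addresses that funnel into it."""
    groups = defaultdict(list)
    for a in addresses:
        groups[canonical_mailbox(a)].append(a)
    return dict(groups)


def suspicious_mailboxes(addresses, limit=1):
    """Mailboxes behind more than `limit` distinct sign-ups."""
    return {mb: al for mb, al in group_signups(addresses).items() if len(al) > limit}


# Constructed sign-up list: one Gmail user with three spellings, one
# outlook.com user with a tag, and a domain where "+" is not known to be a tag.
SAMPLE_SIGNUPS = [
    "alice@example.org",
    "trial.user@gmail.com",
    "TrialUser+cloud1@gmail.com",
    "t.r.i.a.l.u.s.e.r+cloud2@googlemail.com",
    "bob+test@outlook.com",
    "bob@outlook.com",
    "carol+promo@example.org",
    "carol@example.org",
]

if __name__ == "__main__":
    for mailbox, aliases in suspicious_mailboxes(SAMPLE_SIGNUPS).items():
        print(mailbox, "<-", aliases)
```

The example deliberately keeps carol+promo@example.org and carol@example.org apart: for a domain not known to support sub-addressing, collapsing them would lock out a legitimate second user. Canonicalisation also does nothing against the 30,000-address platform the researchers mention, which is trivially built from a catch-all domain; that needs domain-level controls (age and reputation of the sending domain, disposable-domain lists, a payment instrument or phone number on file) rather than smarter parsing of the local part.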
  19. Tomi Engdahl says:

    A Cloud-Connected Car Is a Hackable Car, Worries Microsoft
    http://spectrum.ieee.org/tech-talk/transportation/advanced-cars/a-connected-car-is-a-hackable-car

    Nowadays steel plants and other super-sensitive industrial machinery are (or should be) walled off from the Internet.

    But tomorrow’s autonomous cars will be far more vulnerable because they will be networked, says Michal Braverman-Blumenstyk, the general manager of cybersecurity at Azure, Microsoft’s cloud service.

    “Some of the functionality of connected cars can be accessed remotely—velocity adjustment for example,” she said. “If police are chasing a criminal, you’d want the police to be able to slow the suspect’s car down. However, if a malicious entity gets hold of the car, the damage is limitless.”

    Tomorrow’s autonomous cars will need to access networks to augment their onboard sensors. But even today’s semi- or non-autonomous cars are getting connected. Already governments are speaking of mandating a capability for “car2car” talk

    “car2I” capability would let vehicles query infrastructure

    Car companies, including GM, Chrysler and Audi, are already beginning to use wireless connections to update software.

    Reply
  20. Tomi Engdahl says:

    Linux Security Threats on the Rise
    http://www.linuxjournal.com/content/linux-security-threats-rise

    Every year, heck…every month, Linux is adopted by more companies and organizations as an important if not primary component of their enterprise platform. And the more serious the hardware platform, the more likely it is to be running Linux. 60% of servers, 70% of Web servers and 95% of all supercomputers are Linux-based!

    One of the many benefits cited by enterprises bringing in Linux is the security and the resultant “cost of ownership” benefits that come from, among many other things, not having to deal with security-related issues and attacks. While Gartner and other analyst companies have poo-poohed the actual cost benefits in the past, a lawsuit showed that Microsoft had actually influenced its computations and models in favor of calculating Windows’ total cost of ownership, and real-world anecdotal evidence shows the same.

    “Vulnerabilities in software are found all the time, so the critical piece of advice is to make sure that your servers are kept up to date with security fixes all the time.”

    Reply
  21. Tomi Engdahl says:

    Crypto Daddy Phil Zimmerman says surveillance society is DOOMED
    We’ve been here before when we defeated slavery and the absolute monarchy
    http://www.theregister.co.uk/2014/08/09/technology_and_market_forces_will_defeat_surveillance_society_claims_crypto_king/

    Defcon 22 A killer combination of rapidly advancing technology and a desire for greater privacy among the public should condemn current surveillance state to an historical anachronism, according to PGP creator Phil Zimmermann.

    Zimmermann praised the release of information by NSA whistleblower Edward Snowden, saying his efforts have alerted the populace to the real state of affairs and made people much more concerned about privacy. The revelations had also forced the technology industry to “up its game” and provide products to meet that demand, he opined.

    Once people get used to the practice of privacy they will rebel if politicians try to take it away from them, Zimmermann opined. He pointed out that if the government decided that everyone using SSL for internet banking had to be routed through a surveillance proxy people wouldn’t stand for it.

    Reply
  22. Tomi Engdahl says:

    Scientists warn: Hackers have access to millions of home networks

    Many ISPs’ routers and switches are managed by special servers that can be found on the network and captured, scientists warn. With such a trick, hackers could take control of up to millions of consumer devices and home networks.

    The matter was reported by Check Point Software Technologies researcher Tal Shahar. She appeared at the DefCon security event held in Las Vegas over the weekend. The essence of the problem is a protocol called TR-069 or CWMP, which allows many Internet service providers to remotely change router settings. The researcher says that many customers do not know about the operators’ ability to access the routers, as the device software often hides the TR-069 setup page and it often cannot be turned off. A competent hacker who got hold of the protocol could obtain data such as passwords, administrator credentials, device MAC addresses, and network names.

    Source: http://www.tivi.fi/kaikki_uutiset/tutkijat+varoittavat+hakkereilla+paasy+miljooniin+kotiverkkkoihin/a1002632

    Reply
  23. Tomi Engdahl says:

    Anonymous wifi the latest casualty of Russia net neurosis
    Ruskies must provide mobile phone numbers to surf Starbucks
    http://www.theregister.co.uk/2014/08/11/anonymous_wifi_the_latest_casualty_of_russia_net_neurosis/

    Russians will be required to hand over their passport-validated phone numbers to access public wireless networks under new laws.

    The laws ban the use of public wireless networks, creating confusion around precisely which networks would be affected and what form of identification would need to be provided.

    Reply
  24. Tomi Engdahl says:

    Why hackers won’t be able to hijack your next flight – the facts
    Commercial aircraft are safe, for the time being
    http://www.theregister.co.uk/2014/08/10/why_hackers_wont_be_able_to_hijack_your_next_flight_the_facts/

    Defcon 22 Two seasoned pilots, one of whom is a published hacking expert, have been puncturing some of the myths about aircraft hacking at Defcon 22.

    Firstly, no commercial airliner’s avionics systems can be accessed from either the entertainment system or in-flight Wi-Fi. Avionics systems are also never wireless, but always wired, and don’t even use standard TCP/IP to communicate.

    Commercial aircraft networks use a variety of standards for data traffic, all derived from Ethernet but all subtly different in a way that would give hackers a very tough time.

    In all cases the signals sent are time-sliced

    Older commercial airplanes use a system called ARINC 429

    More modern aircraft use an updated standard, ARINC 664 – except for Airbus planes that use a modified version dubbed AFDX.

    The one exception to this is the Boeing 777, which uses a modified version of ARINC dubbed 629, which allows Boeing to use off-the-shelf network components in the aircraft. Boeing was also granted special leave to allow ARINC 629 to be linked into a standard IP network, but only for data outputs not inputs, and with no connections to the flight management or avionics systems.

    Earlier this week at the Black Hat conference security researchers from IOActive told of code flaws in the satellite communications equipment used by aircraft. It should be possible to disrupt communications with an aircraft and feed it false data, they said, thanks to shoddy coding by the equipment’s manufacturers.

    The aircraft would still be able to communicate via VHF or HF.

    Aircraft are in constant communication with the ground, and regular updates are sent out hourly.

    It might be feasible to send false messages to an aircraft’s collision avoidance systems.

    Polstra did however have words of warning; all of this information is as of the present day and things are changing in the aviation industry.

    Reply
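The comment above names ARINC 429 as the bus on older airliners. To make concrete what "not TCP/IP" means there, the following is an added example, not code from the Defcon talk or from any avionics vendor: it encodes and decodes the 32-bit ARINC 429 word (8-bit label sent MSB first, 2-bit SDI, 19-bit data, 2-bit SSM, odd-parity bit) and runs a constructed three-word stream through a receiver that drops bad-parity words and labels it is not configured for. The sample words are constructed; the label values carry no claimed meaning.

```python
"""Encode and decode ARINC 429 words, including the odd-parity check.

Added example, not from the Defcon talk or from any avionics vendor. Bit
numbering follows the standard (bit 1 first on the wire, bit 32 last); here
bit 1 is the integer's least-significant bit. The sample words are constructed.
"""

LABEL_MASK = 0xFF          # bits 1-8
SDI_SHIFT = 8              # bits 9-10
DATA_SHIFT = 10            # bits 11-29
DATA_MASK = 0x7FFFF        # 19 data bits
SSM_SHIFT = 29             # bits 30-31
PARITY_SHIFT = 31          # bit 32

# SSM meaning for BNR (binary) words; BCD and discrete words use other tables.
BNR_SSM = {0: "failure warning", 1: "no computed data",
           2: "functional test", 3: "normal operation"}


def _reverse8(x):
    """Labels are written in octal but sent MSB first, i.e. the label's MSB is bit 1."""
    return int("{:08b}".format(x & 0xFF)[::-1], 2)


def odd_parity_ok(word):
    """ARINC 429 uses odd parity over all 32 bits; bit 32 is the parity bit."""
    return bin(word & 0xFFFFFFFF).count("1") % 2 == 1


def encode_word(label_octal, sdi, data, ssm):
    """Build a word with correct parity. label_octal is e.g. 0o203 for label 203."""
    word = (_reverse8(label_octal)
            | (sdi & 0x3) << SDI_SHIFT
            | (data & DATA_MASK) << DATA_SHIFT
            | (ssm & 0x3) << SSM_SHIFT)
    if not odd_parity_ok(word):
        word |= 1 << PARITY_SHIFT
    return word


def signed_bnr(data):
    """Interpret the 19-bit data field as two's complement (bit 29 is the sign)."""
    return data - (1 << 19) if data & (1 << 18) else data


def decode_word(word):
    """Split a 32-bit word into its fields; parity_ok is False on bit errors."""
    if word < 0 or word >> 32:
        raise ValueError("ARINC 429 words are exactly 32 bits")
    return {
        "label": "%03o" % _reverse8(word & LABEL_MASK),
        "sdi": (word >> SDI_SHIFT) & 0x3,
        "data": (word >> DATA_SHIFT) & DATA_MASK,
        "ssm": (word >> SSM_SHIFT) & 0x3,
        "parity_ok": odd_parity_ok(word),
    }


def parse_stream(words, expected_labels):
    """Decode a stream as a receiver would: return (accepted, rejected).

    rejected holds (word, reason). Parity catches line noise, not a crafted
    word from a device that is physically on the bus: any well-formed word
    with correct parity and an expected label is accepted as-is.
    """
    accepted, rejected = [], []
    for w in words:
        d = decode_word(w)
        if not d["parity_ok"]:
            rejected.append((w, "parity"))
        elif d["label"] not in expected_labels:
            rejected.append((w, "unexpected label %s" % d["label"]))
        else:
            accepted.append(d)
    return accepted, rejected


# Constructed stream: a label 203 word, the same word with one flipped data
# bit (parity now fails), and a valid word with a label the receiver does not expect.
SAMPLE_STREAM = [
    encode_word(0o203, 1, 0x12345, 3),
    encode_word(0o203, 1, 0x12345, 3) ^ (1 << 15),
    encode_word(0o310, 0, 0x7FFFF, 3),
]

if __name__ == "__main__":
    ok, bad = parse_stream(SAMPLE_STREAM, expected_labels={"203"})
    print("accepted:", ok)
    print("rejected:", bad)
```

The security-relevant reading of the code is in `parse_stream`: the only integrity check in the word format is one parity bit, which exists to catch noise on the twisted pair. Nothing in the format authenticates the transmitter, so the protection the pilots describe comes from the bus being wired, unidirectional and unreachable from passenger-facing systems, not from the protocol itself. Any device that is granted a transmit position on the bus can produce words the receiver will accept.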
  25. Tomi Engdahl says:

    14 antivirus apps found to have security problems
    Vendors just don’t care, says researcher, after finding basic boo-boos in security software
    http://www.theregister.co.uk/2014/07/29/antivirus_blood_splattered_as_biz_warned_audit_or_die/

    Reply
  26. Tomi Engdahl says:

    ‘Things’ on the Internet-of-things have 25 vulnerabilities apiece
    Leaking sprinklers, overheated thermostats and picked locks all online
    http://www.theregister.co.uk/2014/07/30/each_internetofthings_thing_contains_25_vulnerabilities/

    Ten of the most popular Internet of Things devices contain an average of 25 security vulnerabilities, many severe, HP researchers have found.

    HP’s investigators found 250 vulnerabilities across the Internet of Things (IoT) devices each of which had some form of cloud and remote mobile application component and nine that collected personal user data.

    Flaws included the Heartbleed vulnerability, cross site scripting, weak passwords and denial of service.

    Reply
  27. Tomi Engdahl says:

    Secure microkernel that uses maths to be ‘bug free’ goes open source
    Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
    http://www.theregister.co.uk/2014/07/28/aussie_droneprotecting_hackerdetecting_kernel_goes_open_source/

    A nippy microkernel mathematically proven to be bug free*, and used to protect drones from hacking, will be released as open source tomorrow.

    The formal-methods-based secure embedded L4 (seL4) microkernel was developed by boffins backed by National ICT Australia (NICTA). In 2012, the software was enlisted to help stop hackers knocking unmanned birds out of the sky, and it’s used in the US Defense Advanced Research Projects Agency’s High-Assurance Cyber Military Systems program.

    It was noted as the most advanced and highly-assured member of the L4 microkernel family due to its use of formal methods that did not impact performance.

    Tomorrow at noon Eastern Australian Standard Time (GMT +10) seL4’s entire source code including proofs and additional code used to build trustworthy systems will be released under the GPL v2 licence.

    Reply
  28. Tomi Engdahl says:

    Now even Internet Explorer will throw lousy old Java into the abyss
    Out-of-date, unsafe ActiveX controls to be blocked starting next week
    http://www.theregister.co.uk/2014/08/07/ie_out_of_date_activex_control_blocking/

    Internet Explorer will soon join its rival browsers by automatically blocking old, insecure add-ons – and it’s got its eye set squarely on Java.

    Microsoft said on Wednesday that starting on August 12, Internet Explorer will begin alerting users when web pages try to launch ActiveX controls that are considered out-of-date and potentially insecure.

    The change mirrors similar features found in competing browsers, including Chrome and Firefox, both of which already block out-of-date and unsafe plugins.

    Microsoft will maintain the list of verboten ActiveX controls itself

    What’s interesting, though, is that when the blocking feature launches later this month, Redmond’s blacklist will consist of but a single culprit: Oracle’s Java ActiveX control.

    And not just one or two versions of the add-on will raise the alarm, either. Microsoft has flagged every version from all but the most recent patch levels of the Java SE platform, going all the way back to Java SE 1.4.

    Reply
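The blocking described in the comment above comes down to one decision per installed control: is this version older than the newest patch level of its family? The following is an added example written for this page, not Microsoft's or Oracle's code; the per-family "latest update" numbers are assumed values for illustration, not the contents of Microsoft's real list. It also shows the classic mistake such a check must avoid, comparing version strings lexicographically, which ranks `1.7.0_9` above `1.7.0_65`.

```python
"""Version-based plugin blocking: decide whether a Java ActiveX control is out of date.

Illustrative policy (not Microsoft's actual list): every Java SE family from 1.4 up is
blocked unless the installed control is at the family's newest known patch level.
"""
import re

# Newest update per family in this illustrative policy: assumed values for the example.
LATEST_UPDATE = {4: 19, 5: 22, 6: 45, 7: 67, 8: 11}


def parse_java_version(text):
    """Return (family, update) from the common Java version spellings.
    '1.7.0_65' -> (7, 65); '1.4.2_19' -> (4, 19); '7u67' -> (7, 67); '1.6.0' -> (6, 0).
    Numeric tuples compare correctly, unlike the raw strings."""
    text = text.strip()
    m = re.fullmatch(r"1\.(\d+)\.\d+(?:_(\d+))?", text)
    if m:
        return int(m.group(1)), int(m.group(2) or 0)
    m = re.fullmatch(r"(\d+)u(\d+)", text)
    if m:
        return int(m.group(1)), int(m.group(2))
    raise ValueError(f"unrecognised Java version string: {text!r}")


def decide(version_text, policy=LATEST_UPDATE):
    """'block' if the control is older than the newest known update of its family,
    'allow' otherwise. A family newer than anything in the policy is allowed (a list
    that failed closed on unknown versions would also block the fix); a family older
    than the oldest one in the policy is blocked."""
    family, update = parse_java_version(version_text)
    latest = policy.get(family)
    if latest is None:
        return "allow" if family > max(policy) else "block"
    return "block" if update < latest else "allow"


def audit_controls(installed, policy=LATEST_UPDATE):
    """installed: {control_name: version_text}. Returns {control_name: decision}."""
    return {name: decide(ver, policy) for name, ver in installed.items()}


if __name__ == "__main__":
    # Constructed sample inventory of installed controls.
    sample = {
        "Java(TM) Platform SE 7 U65": "1.7.0_65",
        "Java(TM) Platform SE 7 U67": "1.7.0_67",
        "Java(TM) Platform SE 6 U45": "1.6.0_45",
        "old J2SE": "1.4.2_03",
    }
    for name, decision in audit_controls(sample).items():
        print(f"{decision:5s} {name}")
```

The policy table is the part that needs maintenance: a blocklist of "everything but the newest patch level" is only as good as how quickly the newest patch level is recorded after each Oracle release.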
  29. Tomi Engdahl says:

    Xiaomi makes its cloud messaging service optional for users following security concerns
    http://thenextweb.com/asia/2014/08/10/xiaomi-makes-miui-cloud-messaging-service-optional-users-following-security-concerns/

    Fast-growing Chinese smartphone company Xiaomi is making the cloud messaging service that is automatically activated on its devices optional for users, following security concerns raised during the past week.

    The MIUI Cloud Messaging service works much like Apple’s iMessage. It routes SMS sent between fellow MIUI device owners via the internet, meaning that they can message each other for free.

    However, a recent report from F-Secure highlighted that the service appears to share a range of information with a server in China — including the device’s IMEI number, customer’s phone number, phone contacts and text messages received.

    Now Xiaomi is introducing a way for users to opt out of the service if they wish

    In response to a range of conspiracy theories offered following F-Secure’s findings, Barra said that the MIUI Cloud Messaging service does not store information about a user’s phone book or their social graph (i.e. details of overlap between users) on its servers.

    Reply
  30. Tomi Engdahl says:

    Silent Circle’s Blackphone Exploited at Def Con
    http://it.slashdot.org/story/14/08/10/1630246/silent-circles-blackphone-exploited-at-def-con

    Def Con shows no mercy. As gleefully reported by several Blackberry-centric sites, researcher Justin Case yesterday demonstrated that he could root the much-heralded Blackphone in less than five minutes

    Reply
  31. Tomi Engdahl says:

    Operators endanger the smartphone security

    Smartphone security concerns us all. Accuvant has released alarming data showing that in some cases smartphone security is put at risk by the operator’s own actions.

    There are problems with Android and Blackberry devices, as well as some iPhone models.

    Many operators use the OMA (Open Mobile Alliance) standard for remote management of their devices. The standard allows the operator to configure the equipment for its own network and, if required, to load firmware onto the device over the network.

    Accuvant found vulnerabilities in the OMA standard that could allow an attacker to install malicious software on devices.

    Source: http://etn.fi/index.php?option=com_content&view=article&id=1628:operaattorit-vaarantavat-alypuhelimien-tietoturvan&catid=13&Itemid=101

    Reply
  32. Tomi Engdahl says:

    Why no one smells a RAT: Trojan uses YAHOO WEBMAIL to pick up instructions
    Badness uses innocent-looking mailer for c&c ops
    http://www.theregister.co.uk/2014/08/05/yahoo_webmail_controlled_trojan/

    Cybercrooks commonly run botnet command-and-control networks using servers or (less frequently) a peer-to-peer network, but one gang of scammers has broken the mould by managing a Trojan using Yahoo webmail.

    The recently discovered IcoScript Trojan is a classic remote administration tool (RAT), but what makes it highly unusual is its use of a Yahoo Mail account controlled by its authors to receive instructions. Commands are stored as specially crafted emails in the inbox of the account.

    the malware has gone undetected for two years since 2012.

    the modular nature of the malware makes it easy for attackers to switch to another webmail service – such as Gmail, Facebook or LinkedIn – to control the malware.

    Reply
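A RAT that takes its orders from a webmail inbox has to poll that inbox, and malware polls on a timer while people do not. The following is an added example for this page, not code from the article or from any vendor: it reads a constructed web-proxy log format (`<unix_timestamp> <client_ip> <host> <user_agent>`), groups requests per client and webmail host, and flags pairs whose inter-request intervals have very low jitter. The host list and thresholds are assumptions chosen for the example.

```python
"""Spot beacon-like polling of webmail hosts in web-proxy logs.

Constructed log format, one request per line:
    <unix_timestamp> <client_ip> <host> <user_agent...>
"""
import statistics
from collections import defaultdict

# Hosts worth watching for the pattern described in the article (illustrative list).
WEBMAIL_HOSTS = {"mail.yahoo.com", "mail.google.com", "www.facebook.com", "www.linkedin.com"}

# Constructed sample: 10.0.0.5 polls Yahoo Mail every ~5 minutes with almost no jitter,
# 10.0.0.9 is a person reading Gmail at irregular intervals, 10.0.0.7 is unrelated traffic.
SAMPLE_LOG = [
    "1407700000 10.0.0.5 mail.yahoo.com Mozilla/5.0 (Windows NT 6.1)",
    "1407700000 10.0.0.9 mail.google.com Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0",
    "1407700010 10.0.0.7 www.example.com Mozilla/5.0 (Windows NT 6.1)",
    "1407700030 10.0.0.9 mail.google.com Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0",
    "1407700300 10.0.0.5 mail.yahoo.com Mozilla/5.0 (Windows NT 6.1)",
    "1407700430 10.0.0.9 mail.google.com Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0",
    "1407700475 10.0.0.9 mail.google.com Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0",
    "1407700602 10.0.0.5 mail.yahoo.com Mozilla/5.0 (Windows NT 6.1)",
    "1407700900 10.0.0.5 mail.yahoo.com Mozilla/5.0 (Windows NT 6.1)",
    "1407701201 10.0.0.5 mail.yahoo.com Mozilla/5.0 (Windows NT 6.1)",
    "1407701500 10.0.0.5 mail.yahoo.com Mozilla/5.0 (Windows NT 6.1)",
    "1407701675 10.0.0.9 mail.google.com Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0",
    "1407701685 10.0.0.9 mail.google.com Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0",
    "1407701800 10.0.0.5 mail.yahoo.com Mozilla/5.0 (Windows NT 6.1)",
    "1407702100 10.0.0.5 mail.yahoo.com Mozilla/5.0 (Windows NT 6.1)",
    "1407702385 10.0.0.9 mail.google.com Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0",
]


def parse_line(line):
    """Split one constructed log line into (timestamp, client, host, user_agent)."""
    ts, client, host, ua = line.rstrip("\n").split(" ", 3)
    return float(ts), client, host, ua


def find_beacons(lines, min_requests=6, max_jitter=0.15):
    """Return {(client, host): (period_seconds, request_count)} for webmail hosts that one
    client contacts at a near-constant interval. jitter = pstdev(gaps) / mean(gaps), so a
    human's bursty reading (jitter around 1.0) and a timer (jitter near 0) separate cleanly."""
    times = defaultdict(list)
    for line in lines:
        ts, client, host, _ = parse_line(line)
        if host in WEBMAIL_HOSTS:
            times[(client, host)].append(ts)

    hits = {}
    for key, ts_list in times.items():
        if len(ts_list) < min_requests:
            continue
        ts_list.sort()
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        mean = statistics.fmean(gaps)
        if mean <= 0:
            continue
        if statistics.pstdev(gaps) / mean <= max_jitter:
            hits[key] = (round(mean, 1), len(ts_list))
    return hits


if __name__ == "__main__":
    for (client, host), (period, n) in find_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {host}: {n} requests, every {period}s")
```

This is a triage signal, not a verdict: a webmail tab left open also refreshes on a timer, so the hit needs to be confirmed from the endpoint (which process made the connections), which a proxy log cannot tell you.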
  33. Tomi Engdahl says:

    Cybercenturion security competition launches in UK to help form future cyber army
    Aims to inspire young people towards careers in cyber security
    http://www.theinquirer.net/inquirer/news/2359620/cybercenturion-security-competition-launches-in-uk-to-help-form-future-cyber-army

    THE CYBER SECURITY CHALLENGE has partnered with US defence contractor Northrop Grumman to bring the Cyber Patriot competition to the UK – an education programme that has previously seen success in the US – to encourage kids to pursue careers in cyber security and help build a bigger British pool of cyber security talent.

    Reply
  34. Tomi Engdahl says:

    CryptoWall! crooks! ‘turn! to! Yahoo! ads! to! spread! ransomware!’
    Purple Palace not directly involved but maybe it should chat to these infosec bods
    http://www.theregister.co.uk/2014/08/11/cryptowall_malvertising_yahoo_ad_network/

    Crooks are using Yahoo!’s advertising network to infect PCs with the CryptoWall ransomware, it’s claimed.

    Windows software nasty CryptoWall encrypts a victim’s files using an OpenSSL-generated key pair before demanding a ransom to decrypt the data. It communicates with its masters using RC4-encrypted messages to command servers hidden in the Tor network, we’re told.

    initially spread by spamming email inboxes

    evolved to use poisoned web advertisements – or malvertising

    Since the end of July, researchers at security defence biz Blue Coat have been tracking the spread of CryptoWall through online advertising networks

    “The interconnected nature of ad servers and the ease with which would-be-attackers can build trust to deliver malicious ads points to a broken security model that leaves users exposed to the types of ransomware and other malware that can steal personal, financial and credential information.”

    Reply
  35. Tomi Engdahl says:

    Facebook Messenger Privacy Fears? Here’s What to Know
    http://blogs.wsj.com/digits/2014/08/08/facebook-messenger-privacy-fears-heres-what-you-need-to-know/

    The Internet has been simmering lately over privacy concerns surrounding Facebook’s Messenger app, which will soon become the only way mobile users can send and receive messages on the social network.

    But amid the forced adoption of Messenger, some bloggers have cried foul over seemingly draconian permissions required for users of the Android version of the app. Most of the criticisms echo a December Huffington Post article that highlighted several Orwellian-sounding policies, like the ability of the app to “call phone numbers without your intervention,” and “use the camera at any time without your permission.”

    “Facebook has pushed this too far. It’s time we stood up and said ‘no!’” The Huffington Post article said.

    But according to Facebook, the concerns about its Messenger app are overblown, and based on misinformation.

    Much of the problem, Facebook says, is due to Android’s rigid policy on permissions.

    While Android app users must agree to all permissions before using the app, iPhone users can decline to give permission to the app for some features

    Reply
  36. Tomi Engdahl says:

    Facebook Messenger Hysteria
    http://itworksllc.net/facebook-messenger-hysteria

    There’s a lot of hysteria floating around because of the new requirement to install Facebook Messenger on your phone. To clarify, you don’t HAVE to install Facebook Messenger on your phone. You simply have to if you want to continue sending messages to your Facebook friends, because Facebook has decided to make it a separate app.

    People are upset that Facebook has full access to the phone’s camera, microphone, and location data. So to try and make people feel a little better, let’s look at a side-by-side comparison of Facebook Messenger and Instagram

    Reply
  37. Tomi Engdahl says:

    DIME for your TOP SECRET thoughts? Son of Snowden’s crypto-chatter client here soon
    Hardened email platform should be ready for Xmas
    http://www.theregister.co.uk/2014/08/11/spy_busting_dark_mail_relaunched_as_dime/

    DefCon Lavabit founder Ladar Levison will within six months carve out a military-grade email service from the ashes of Ed Snowden’s favourite email client.

    As many of you will remember, Levison killed the service to prevent his clients’ information from getting into the clutches of the Federal Bureau of Investigation.

    Levison shot to fame in tech circles after he responded to a FBI demand for access to the private SSL certificates used to encrypt all traffic on Lavabit by printing the keys on reams of paper in a 4-point font described by one prosecutor as “largely illegible”.*

    The move frustrated the Feds and he was subsequently slapped with a $5,000-a-day fine until he provided the keys – which he did, shortly before shutting down the email service.

    Dark Mail has since expanded to include the Magma email server and the Volcano Mozilla Thunderbird desktop client, and has been re-badged as the Dark Internet Mail Environment (DIME).

    The platform broke up email headers encrypting each piece before it was sent and was built so that no single service could hold all of the data – a bid to shake off further Lavabit-style requests from government spy agencies.

    Reply
  38. Tomi Engdahl says:

    Memo to Users: SpamCop Winding Down Webmail Service
    http://it.slashdot.org/story/14/08/11/0239232/memo-to-users-spamcop-winding-down-webmail-service

    we have decided to retire the SpamCop Email System and its webmail service; while SpamCop will continue to focus on providing the World’s best spam reporting platform and blacklist for the community

    Reply
  39. Tomi Engdahl says:

    Visual cryptography
    http://en.wikipedia.org/wiki/Visual_cryptography

    Visual cryptography is a cryptographic technique which allows visual information (pictures, text, etc.) to be encrypted in such a way that decryption becomes a mechanical operation that does not require a computer.

    transparencies can be used to implement a one-time pad encryption, where one transparency is a shared random pad, and another transparency acts as the ciphertext.

    There is a simple algorithm for binary (black and white) visual cryptography that creates 2 encrypted images from an original unencrypted image.

    Reply
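The "simple algorithm for binary visual cryptography" mentioned above is the 2-out-of-2 scheme of Naor and Shamir: every secret pixel becomes a 2x2 block in each of two shares, each block has exactly two black sub-pixels, the two shares carry identical blocks for a white pixel and complementary blocks for a black one, and stacking the transparencies is a bitwise OR. The following is an added example written for this page, not code from Wikipedia or any library; the 5x5 sample image is constructed.

```python
"""2-out-of-2 visual secret sharing (Naor-Shamir) for a black-and-white image."""
import secrets

# The six 2x2 patterns with exactly two black (1) sub-pixels.
PATTERNS = [
    ((1, 1), (0, 0)),
    ((0, 0), (1, 1)),
    ((1, 0), (1, 0)),
    ((0, 1), (0, 1)),
    ((1, 0), (0, 1)),
    ((0, 1), (1, 0)),
]

# Constructed sample secret: a 5x5 letter "T", 1 = black, 0 = white.
SECRET = [
    [1, 1, 1, 1, 1],
    [0, 0, 1, 0, 0],
    [0, 0, 1, 0, 0],
    [0, 0, 1, 0, 0],
    [0, 0, 1, 0, 0],
]


def complement(block):
    return tuple(tuple(1 - v for v in row) for row in block)


def make_shares(image, rng=secrets.randbelow):
    """Return (share1, share2), each 2H x 2W. The pattern for each pixel is drawn fresh from
    the random pad (rng), so a single share is independent of the secret."""
    h, w = len(image), len(image[0])
    s1 = [[0] * (2 * w) for _ in range(2 * h)]
    s2 = [[0] * (2 * w) for _ in range(2 * h)]
    for y in range(h):
        for x in range(w):
            pat = PATTERNS[rng(len(PATTERNS))]
            other = complement(pat) if image[y][x] else pat   # black: complementary, white: same
            for dy in range(2):
                for dx in range(2):
                    s1[2 * y + dy][2 * x + dx] = pat[dy][dx]
                    s2[2 * y + dy][2 * x + dx] = other[dy][dx]
    return s1, s2


def overlay(s1, s2):
    """Stacking transparencies: a sub-pixel is black if it is black in either share (OR)."""
    return [[a | b for a, b in zip(r1, r2)] for r1, r2 in zip(s1, s2)]


def reconstruct(stacked):
    """Read the secret back: a fully black 2x2 block was a black pixel, a half-black one white."""
    h, w = len(stacked) // 2, len(stacked[0]) // 2
    return [[1 if sum(stacked[2 * y + dy][2 * x + dx] for dy in range(2) for dx in range(2)) == 4 else 0
             for x in range(w)] for y in range(h)]


def share_is_balanced(share):
    """Security property: every 2x2 block of one share has exactly two black sub-pixels
    whatever the secret was, so one share alone carries no information about it."""
    h, w = len(share) // 2, len(share[0]) // 2
    return all(sum(share[2 * y + dy][2 * x + dx] for dy in range(2) for dx in range(2)) == 2
               for y in range(h) for x in range(w))


def render(bitmap):
    return "\n".join("".join("#" if v else "." for v in row) for row in bitmap)


if __name__ == "__main__":
    a, b = make_shares(SECRET)
    print(render(a), "\n")
    print(render(b), "\n")
    print(render(overlay(a, b)))
```

Note the contrast loss that the Wikipedia text glosses over: a white pixel of the secret comes out as a half-black block, so the stacked image is a grey-on-black rendering rather than the original. Reusing one share as the pad for a second secret breaks the scheme for the same reason a reused one-time pad does.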
  40. Tomi Engdahl says:

    Wikipedia swears to fight ‘censorship’ of ‘right to be forgotten’ ruling
    http://www.theguardian.com/technology/2014/aug/06/wikipedia-censorship-right-to-be-forgotten-ruling

    Wikipedia’s founder Jimmy Wales has revealed new details about what he describes as the site’s “censorship” under the EU’s “right to be forgotten” laws.

    Wales revealed that Google has been asked to remove five links to Wikipedia in the last week.

    “History is a human right and one of the worst things that a person can do is attempt to use force to silence another,” he said. “I’ve been in the public eye for quite some time. Some people say good things, some people say bad things … that’s history, and I would never use any kind of legal process like to try to suppress it.”

    The revelations about Wikipedia pages being censored under the right to be forgotten were made at the launch of Wikimedia’s transparency report.

    Reply
  41. Tomi Engdahl says:

    GCHQ recruits spotty teens – for upcoming Hack Idol
    Aims to steer 12 to 18-year-olds towards infosec careers
    http://www.theregister.co.uk/2014/08/11/cybercenturion_hacker_youth/

    The GCHQ-backed Cyber Security Challenge UK is bringing cybersecurity education to UK schoolkids aged from 12 to 18 with the importation of the US-created Cyber Patriot programme.

    Reply
  42. Tomi Engdahl says:

    Extrahop makes wire tapping the saviour of big data
    With your permission, of course
    http://www.theinquirer.net/inquirer/news/2359657/extrahop-makes-wire-tapping-the-saviour-of-big-data

    Extrahop augments existing big data analysis by tapping its customer’s internet traffic and translating the findings into tangible data that can be used to isolate events or results that can be used to explain events or confirm patterns and trends.

    While the term “wire tapping” brings forth images of the US National Security Agency (NSA) PRISM snooping and the UK press phone hacking scandal involving Andy Coulson, when used legitimately, responsibly and most importantly with permission, it can become a powerful tool.

    Reply
  43. Tomi Engdahl says:

    Many internet operators remotely administer their customers’ routers using a protocol that, according to Check Point, is highly vulnerable. The protocol is called TR-069, also known as CWMP (CPE WAN Management Protocol). It lets the operator’s technical support look for configuration faults on the devices they have delivered to customers: “We cannot assume that customers know how to, or want to, configure their router settings.”

    Elisa uses TR-069 over an encrypted HTTPS connection, as the protocol’s specification recommends, so Check Point’s findings do not require immediate action from it.

    TeliaSonera’s communications department stresses that Sonera Entertainment set-top boxes use IP-address filtering in conjunction with the protocol.

    According to Check Point, four out of five real-world implementations do not use encrypted connections. And even where the connection is encrypted, there can be certificate problems. Many users do not realize that operators can manage their home router remotely. To use TR-069 an attacker needs to know the username and password. In most cases, however, the username and password are the same for all routers and can easily be found out from a compromised machine.

    Source: http://summa.talentum.fi/article/tv/uutiset/82115

    Reply
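The two weaknesses the comment above attributes to Check Point, plaintext ACS connections and one username/password shared by every router, are both visible in a CPE inventory before anyone attacks. The following is an added example for this page, not Check Point's tooling or any operator's code: it audits a constructed fleet, keyed by the standard TR-098 `InternetGatewayDevice.ManagementServer.*` parameter names, for a non-HTTPS ACS URL, an empty connection-request password, and connection-request credentials reused across devices. The inventory values and the finding codes are assumptions made for the example.

```python
"""Audit TR-069-managed CPEs for plaintext ACS transport and fleet-wide shared credentials.

Parameter names are the TR-098 InternetGatewayDevice.ManagementServer.* names;
the inventory itself is constructed for the example.
"""
from collections import Counter
from urllib.parse import urlparse

MS = "InternetGatewayDevice.ManagementServer."

INVENTORY = [
    {"serial": "CPE0001", MS + "URL": "http://acs.example.net:7547/cwmp",
     MS + "ConnectionRequestUsername": "admin", MS + "ConnectionRequestPassword": "admin"},
    {"serial": "CPE0002", MS + "URL": "http://acs.example.net:7547/cwmp",
     MS + "ConnectionRequestUsername": "admin", MS + "ConnectionRequestPassword": "admin"},
    {"serial": "CPE0003", MS + "URL": "https://acs.example.net/cwmp",
     MS + "ConnectionRequestUsername": "admin", MS + "ConnectionRequestPassword": "admin"},
    {"serial": "CPE0004", MS + "URL": "https://acs.example.net/cwmp",
     MS + "ConnectionRequestUsername": "cr-8f1c2a", MS + "ConnectionRequestPassword": "Vq7!pL0dX3mN"},
    {"serial": "CPE0005", MS + "URL": "https://acs.example.net/cwmp",
     MS + "ConnectionRequestUsername": "cr-19be77", MS + "ConnectionRequestPassword": ""},
]


def cr_credentials(dev):
    """The credentials the ACS presents when it connects back to the router."""
    return dev.get(MS + "ConnectionRequestUsername", ""), dev.get(MS + "ConnectionRequestPassword", "")


def audit_fleet(inventory):
    """Return {serial: [finding_code, ...]}; an empty list means the device passed.
    Finding codes (assumed for this example):
      acs-url-not-https      session and credentials cross the wire in clear
      cr-password-empty      anyone who can reach port 7547 can trigger a session
      cr-credentials-shared  one compromised router yields the credentials for the rest"""
    shared = Counter(cr_credentials(d) for d in inventory)
    report = {}
    for dev in inventory:
        findings = []
        if urlparse(dev.get(MS + "URL", "")).scheme != "https":
            findings.append("acs-url-not-https")
        user, pw = cr_credentials(dev)
        if not pw:
            findings.append("cr-password-empty")
        if shared[(user, pw)] > 1:
            findings.append("cr-credentials-shared")
        report[dev["serial"]] = findings
    return report


def summary(report):
    """Count how many devices carry each finding, for a fleet-level view."""
    return Counter(code for findings in report.values() for code in findings)


if __name__ == "__main__":
    rep = audit_fleet(INVENTORY)
    for serial, findings in rep.items():
        print(serial, ", ".join(findings) or "ok")
    print(dict(summary(rep)))
```

An HTTPS URL alone does not settle the "certificate problems" point from the article: the CPE also has to validate the ACS certificate against a trusted CA, and that flag is not something the data-model parameters above expose, so it has to be checked in the firmware's CWMP client configuration.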
  44. Tomi Engdahl says:

    DARPA Wants To Kill the Password
    http://news.slashdot.org/story/14/08/11/1142237/darpa-wants-to-kill-the-password

    Many security experts agree that our current authentication system, in which end users are forced to remember (or, more often, write down) a dizzying array of passwords is broken.

    Reply
  45. Tomi Engdahl says:

    Seven ways DARPA is trying to kill the password
    From analyzing the way you walk to your heartbeat, these futuristic authentication systems could be here soon
    http://www.itworld.com/security/430883/seven-ways-darpa-trying-kill-password

    Reply
  46. Tomi Engdahl says:

    Father of PGP encryption: Telcos need to get out of bed with governments
    Zimmermann’s Silent Circle working with Dutch telco to deliver encrypted calls.
    http://arstechnica.com/tech-policy/2014/08/father-of-pgp-encryption-says-telcos-need-to-get-out-of-bed-with-government/

    Zimmermann compared telephone companies’ thinking with the long-held belief that tomatoes were toxic until it was demonstrated they weren’t. “For a long time, for a hundred years, phone companies around the world have created a culture around themselves that is very cooperative with governments in invading people’s privacy. And these phone companies tend to think that there’s no other way—that they can’t break from this culture, that the tomatoes are poisonous,” he said.

    Doing business with US government customers generally requires the use of National Institute of Standards and Technology (NIST) standards for encryption. But by default, Zimmermann said, Silent Circle uses an alternative set of encryption tools.

    “It wasn’t because there was anything actually wrong with the NIST algorithms,” Zimmermann explained. “After the Snowden revelations, we felt a bit resentful that NIST had cooperated with the NSA.”

    Silent Circle does offer the NIST algorithms as an alternative.

    Reply
  47. Tomi Engdahl says:

    IBM whips out its checkbook to buy ID management specialist Lighthouse Security Group
    http://gigaom.com/2014/08/11/ibm-whips-out-its-checkbook-again-to-buy-lighthouse-security-group/

    Big Blue has apparently caught identity and access management fever, and is buying its second IAM specialist in three weeks.

    Cloud is hot. Security is hot. Identity and access management (IAM) is hot.

    Reply
