Security trends for 2014

Year 2014 will be a year of cybersecurity after the NSA revelations made in 2013: the headline news is that the NSA has surreptitiously “burrowed its way into nearly all the security architecture” sold by the world’s largest computer networking companies. A lot of people were shocked by how the NSA monitored and hacked almost everything on the Internet. There will still be NSA aftershocks as new material comes out and different parties react to it (and news sources write about it). U.S. cloud services have been put into question for good reason. There will be a lot of NSA spying litigation. Those spying issues will also fuel some hacktivism (it has already started to happen).

The Security Professionals: Top Cyber Threat Predictions for 2014 article lists the following predictions, which seem pretty probable: Cybersecurity Regulatory Efforts Will Spark Greater Need for Harmonization, Service-Impacting Interruptions for Online Services Will Persist, We Will See an Increase in Cybercrime Activity Related to the World Cup, Rise of Regional Cloud Services, Dev-Ops Security Integration Fast Becoming Critical, Cybercrime that Leverages Unsupported Software will Increase, Increase in Social Engineering and Ransomware will Impact More People.

Ubiquitous mobile computing is all around us, which will lead to increased risks and concerns about social network privacy. Social networks have quickly become the key organizing principle of Internet communication and collaboration. Android anti-virus apps CAN’T kill nasties on sight like normal AV.

2013 was a heavily hacked year, with many cases where information on millions or tens of millions of users was stolen from companies. It’s likely that we will see much more of the same in 2014, since the way people use passwords and the way on-line services are built have not changed much in one year.


Gartner predicts that through 2014, improved JavaScript performance will begin to push HTML5 and the browser as a mainstream enterprise application development environment. I expect HTML5-related security issues to increase as the technology is used more in 2014.

Over 50% of net traffic to web sites is made by bots! The More Than Half of Internet Traffic Is Just Bots article says that security and cloud service provider Incapsula analyzed traffic and found that more than 60 percent of internet traffic is computer generated, compared to less than 40 percent driven by human clicks. 31% of bots are still malicious. SEO link building has always been a major motivation for automated link spamming, but it is decreasing because Google was able to discourage it. There is more advanced hacking and automated vulnerability searching.

DDoS attacks are evolving from volumetric Layer 3-4 attacks to much more sophisticated and dangerous Layer 7 multi-vector threats.

There will still be many SCADA security issues in 2014. Even though traditional SCADA vulnerabilities have become easier to find, the increased connectivity brought by IoT will cause new issues. And there will still be very many control systems openly accessible from the Internet to practically everybody who knows how to look for them. A large number of SCADA systems were found open on the Internet at the beginning of 2013, and the numbers have not dropped considerably during the year. I expect that very many of those systems will still be too open at the end of 2014.

The Internet is expanding into enterprise assets and consumer items such as cars and televisions. The Internet of Things (IoT) will evolve into the Web of Things, increasing the coordination between things in the real world and their counterparts on the Web. There will be many security issues to solve, and as these systems become more widely used, more security issues will be found in them.

Cloud security will be talked about. Hopefully there will be some clean-up of the terminology in that area, because cloud security can mean a lot of things, like the term cloud computing. Cloud security could mean how secure your cloud provider is; a service that runs in the cloud filtering what comes through it (for example e-mails, web traffic); a product protecting some service running in the cloud; or a traditional anti-virus service that connects to the cloud to improve its operation (for example to update in real time, or to verify unknown programs based on data in the cloud). Research firm Gartner forecasts that cloud security sales will increase dramatically in the next few years. Cloud security sales have increased over the past year by 2.1 billion to $3.1 billion in 2015.

Marketers try to put the “cloud” term into security product brochures as much as they can. The cloud makes traditional information security sound old-fashioned, because companies are under pressure to move services to the cloud. Also, mobile devices and dispersed users set new standards for information security. OpenDNS’s CTO Dan Hubbard says that “Because of the data and equipment run in the cloud users with the cloud is the best way to protect them.” The Snowden Effect will also bring PRIVATE cloud talk to the table this year for security reasons, because U.S. cloud services have been put into question for good reason.

In Finland a new Cyber Security Center started in the beginning of 2014. Security articles and warnings from it will be published at kyberturvallisuuskeskus.fi.

Late addition: Crypto-currencies like Bitcoin and similar are on the rise. Early adopters already use them actively. Those crypto-currencies have many security issues. The values of crypto-currencies vary a lot, and the value easily drops considerably when they become so widely used that governments try to limit their use. Bitcoin is increasingly used as a ransomware payment method. Bitcoins have been stolen a lot lately (and I expect that to increase when usage increases); they are stolen from users, from on-line wallets and from exchanges. When more money is involved, more bad guys try to get in to take some of it. Sometimes bad guys do not try to steal your money, but use resources you pay for (your own PC, your server capacity, etc.) to generate money for them without you knowing about it. If you plan to use those crypto-currencies, be careful to understand what you are doing with them: there is a real possibility that you can lose your money, and there is no way that lost money can be recovered.

3,382 Comments

  1. Tomi Engdahl says:

    Stop begging, startup-land, and start YELLING at Catch of the Day
    Consumer trust boost from data breach laws would do more for online biz than any subsidy or share scheme
    http://www.theregister.co.uk/2014/07/23/oz_startups_want_to_get_angry_yell_at_cotd/

    “As technology advances, there is a risk that those hashed [encrypted] passwords become compromised and Catch of the Day decided in light of these developments to proactively inform customers”.

    That the breach might make Australians prefer to deal with online ventures that will let them know if their data is compromised?

    It’s no good whatever for the Australian government to “consider” breach notification laws: it’s been doing so for years, and hasn’t acted. And it won’t act unless business demands action.

  2. Tomi Engdahl says:

    NIST wants better SCADA security
    Preparing the way for a test lab
    http://www.theregister.co.uk/2014/08/12/nist_wants_better_scada_security/

    America’s National Institute of Standards and Technology (NIST) wants to take a hand in addressing the SCADA industry’s chronic insecurity, by building a test bed for industrial control systems.

    The Reconfigurable Industrial Control Systems Cybersecurity Testbed is only in its earliest stages.

    “The goal of this system is to measure the performance of industrial control systems when instrumented with cyber-security protections in accordance with best practices prescribed by national and international standards and guidelines,” the RFI states.

    Industrial automation is a big driver of Internet of Things spending, running well ahead of their security.

  3. Tomi Engdahl says:

    Fifteen countries KO’d in malware one-two punch
    Snakes follow scouts as high value targets become snack food
    http://www.theregister.co.uk/2014/08/12/fifteen_countries_kod_in_malware_onetwo_punch/

    Someone suspected to be backed by a nation state is attacking embassies of former soviet states with a malware tool that has infiltrated networks across more than 15 countries.

    Hacked embassies of unnamed former soviet states include those located in: France; Belgium; Ukraine; China; Jordan; Greece; Kazakhstan; Armenia; Poland, and Germany.

    Suspected nation state attackers sent previously known but capable malware to staff at the embassies

  4. Tomi Engdahl says:

    Chinese Bitcoin farms: From scuzzy to sci-fi
    Roaring fans to liquid baths, China’s cryptocurrency rigs are serious business
    http://www.theregister.co.uk/2014/08/12/chinese_bitcoin_farms_from_scifi_to_scuzzy/

    Bitcoin trading in China remains active but has dropped this year after a late 2013 surge of new users interested in the currency

    Lee said 5000 to 10,000 Bitcoins were traded each day on Bitcoin China.

  5. Tomi Engdahl says:

    MPs to gaze upon biometric data industry’s ID-gobbling tech
    Fresh laws may be needed to regulate burgeoning sector
    http://www.theregister.co.uk/2014/08/12/uk_politicians_to_scrutinise_biometric_data_technologies/

    The growing use and slurping of biometric data is to be probed by MPs sitting on the UK’s science and technology committee this autumn.

    The panel is particularly interested in how government and the private sector might implement and regulate new tech that heavily relies on biometric data.

    The committee said:

    Commercial organisations … are starting to play a greater role in both developing and using biometric data and technologies. It is anticipated that this trend will continue over the next decade, particularly as the financial costs, and computational resources required, decrease. Some commercial uses are already mainstream.

    Social media sites offer facial recognition software to assist users tagging uploaded photos, while accessing some mobile phones depends on fingerprint recognition rather than entering a passcode.

    Supporters contend that technologies relying on biometric data have transformed identity authentication. However, concerns continue to be raised about data protection, loss of privacy and identity theft.

  6. Tomi Engdahl says:

    Did you know that 46% of companies expect to invest more in network security in 2014?
    - Source: Understand The State of Network Security: 2013 To 2014, Forrester Research, Inc., January 6, 2014

    Source: http://ww2.infoblox.com/dnsriskscore/showQAgroup.cfm

  7. Tomi Engdahl says:

    CIA Expert: Microsoft Should Make Windows XP Open Source
    http://news.softpedia.com/news/CIA-Expert-Microsoft-Should-Make-Windows-XP-Open-Source-453951.shtml

    Windows XP is no longer getting security patches and updates since April this year, but 25 percent of the desktop computers worldwide are still running it as we speak.

    Speaking at Black Hat 2014, the Chief Security Officer of the CIA’s VC fund In-Q-Tel explained that Microsoft should make Windows XP open source and let developers improve the operating system on their own.

    According to The Register, Geer pointed out that all software companies that decided to stop releasing updates for their products should make these solutions open source because the existing user base would thus become vulnerable to attacks.

  8. Tomi Engdahl says:

    CIA infosec guru: US govt must buy all zero-days and set them free
    Destroy the software industry before it destroys the world, says Dan Geer
    http://www.theregister.co.uk/2014/08/07/geer_we_have_to_destroy_the_software_industry_in_order_to_save_it/

    Black Hat 2014 Computer security luminary Dan Geer has proposed a radical shakeup of the software industry in hope of avoiding total disaster online.

    Geer played a crucial role in the development of the X Window System and the Kerberos authentication protocol, and is now the chief security officer of the CIA’s VC fund In-Q-Tel.

    Without serious and drastic action, the technology industry will be destroyed by inaction, he suggested.

    “We have to do something,” Geer told the audience

    When code crashes, who gets punished?

    One of his more radical suggestions was restructuring the way the software industry handles liability. There are only two industries that have no liability problems, he said – religion and software – and this needs to change for the coding community.

    His proposed solution was offering two different business models. Software firms could carry on selling code, but if the programs are faulty then the companies must pay out when things go wrong. Alternatively, they can publish the source code of software, allow the user to shut down functions they don’t want, and enjoy freedom from being sued.

    Geer also suggested a new way to stamp out the exploitation of software security vulnerabilities for which no patches exist – dreaded zero-day vulns: the US government should make a standing offer to pay a bug bounty equivalent to TEN times the price companies are willing to pay for the security flaws, and then make them public after a patch has been developed.

  9. Tomi Engdahl says:

    Fifteen zero days found in hacker router comp romp
    Four routers rooted in SOHOpelessly Broken challenge
    http://www.theregister.co.uk/2014/08/13/fifteen_zero_days_found_in_hacker_router_romp/

    DEF CON Researchers have unveiled 15 zero day vulnerabilities in four home and small business routers as part of the SOHOpelessly Broken hacker competition in DEF CON this week.

    Four of the 10 routers offered for attack including the ASUS RT-AC66U; Netgear Centria WNDR4700; Belkin N900, and TRENDnet TEW-812DRU were fully compromised.

    Those devices allowed attackers to execute privileged commands through holes found on updated firmware.

    The Linksys EA6500; Netgear WNR3500U/WNR3500L; TP-Link TL-WR1043ND; D-Link DIR-865L, and the Electronic Frontier Foundation’s Open Wireless Router firmware were either untested or emerged unscathed.

    In January, backdoors were found across routers from manufacturers including Cisco, Netgear and Diamond.

  10. Tomi Engdahl says:

    You’ve got three days to patch Adobe Flash, Air, Reader
    Seven flaws to fix in Flash, but do the Reader fix first cos’ it’s under attack already
    http://www.theregister.co.uk/2014/08/13/youve_got_three_days_to_patch_adobe_flash_air_reader/

    Adobe has patched seven vulnerabilities in its Flash and Air platforms and one in Reader and Acrobat that is being exploited by attackers.

    The vulnerabilities could allow an attacker to “take control of affected systems” and were dubbed critical by the company.

    Administrators were urged to apply the updates within three days on Windows, Mac, and Linux platforms.

  11. Tomi Engdahl says:

    Naughty NSA was so drunk on data it forgot collection rules
    Declassified court docs show systematic breaches over [REDACTED] years
    http://www.theregister.co.uk/2014/08/13/nsa_overstepped_fisc_collection_rules/

    Declassified documents from America’s Foreign Intelligence Surveillance Court (FISC) shows that even the NSA didn’t know the limits of what it was supposed to collect, and overstepped its authorisations for years.

    The documents were released to the Electronic Privacy Information Centre in response to an FOI request, and record FISC judges’ disquiet about the program.

    The court says NSA’s overcollection of metadata was “systematic” over a number of years.

    “Those conducting oversight at NSA failed to do so effectively”, the documents state.

  12. Tomi Engdahl says:

    AWS adds on-premises Radius MFA to Workspaces DaaS
    This might need new jargon – ‘hybrid cloud authentication’ anyone?
    http://www.theregister.co.uk/2014/08/13/aws_radius_for_workspaces/

    Amazon Web Services (AWS) has added multi-factor authentication to its Workspaces desktop-as-a-service service, but has done so using on-premises RADIUS servers.

    AWS says this ain’t all folks, and that “we expect to add support for additional authentication options such as smart cards and certificates.”

    AWS suggests Workspaces is not that interesting to customers and has become a curiosity rather than something AWS or its resellers are being asked about in meetings. Perhaps RADIUS-powered hybrid cloud authentication will change that.

  13. Tomi Engdahl says:

    Maybe it’s because I’m a Londoner: Capital is top target for computer thieves, say police
    Got a tablet on you? NOT ANY MORE, sucker
    http://www.theregister.co.uk/2014/08/11/london_tops_electronic_theft_league_table/

    Computer kit including smartphones, laptops, tablets and desktop themselves, is twice as likely to be stolen in reported thefts in London compared to other regions in the UK.

    A series of Freedom of Information (FOI) requests from security and communications firm ViaSat revealed the theft of electronic devices crops up in 34 per cent of all thefts in London, compared to 17 per cent in the rest of the country.

    A total of 1,350,434 thefts were reported by UK forces that responded to ViaSat’s request, of which 290,651 involved electronic equipment

    “As we live more and more of our lives electronically and online, so the amount of sensitive information held on electronic devices is increasing exponentially,”

  14. Tomi Engdahl says:

    Password manager LastPass goes titsup: Users LOCKED OUT
    Customers can’t get into their accounts as service topples
    http://www.theregister.co.uk/2014/08/12/lastpass_outage

    Popular password management service LastPass went on the blink today, leaving users locked out of their accounts.

    the problems had been caused by one of its data centres going down

    “We immediately started taking action to migrate the service to run entirely on a different data centre – in the meantime, a percentage of our user base did experience connection errors with the LastPass service,”

  15. Tomi Engdahl says:

    Rutgers Researchers Show that How Fast You Drive Might Reveal Exactly Where You are Going
    Computer experts find speed data collected by some insurance companies could compromise a customer’s privacy
    http://news.rutgers.edu/research-news/rutgers-researchers-show-how-fast-you-drive-might-reveal-exactly-where-you-are-going/20140810#.U-sh-2NsUil

    In our constantly connected, information-rich society, some drivers are jumping at the chance to let auto insurance companies monitor their driving habits in return for a handsome discount on their premiums.

    What these drivers may not know is that they could be revealing where they are driving, a privacy boundary that many would not consent to cross.

    A team of Rutgers University computer engineers has shown that even without a GPS device or other location-sensing technology, a driver could reveal where he or she traveled with no more information than a starting location and a steady stream of data that shows how fast the person was driving.

    Insurance companies and customers both have incentive to monitor driving speeds

    “The companies claim this doesn’t compromise privacy, because all they are collecting is your speed, not your location,” said Lindqvist, who is also a member of the university’s Wireless Information Network Laboratory, or WINLAB. “But we’ve shown that speed data and a starting point are all we need to roughly identify where you have driven.”

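
The inference the Rutgers team describes, as an added illustration (not the researchers' code): integrate a speed-only trace to get distances between stops, then match those distances against a road map from a known start point. The road network, the segment lengths and the 1 Hz speed trace below are all constructed for the example, and immediate U-turns are ignored as a simplifying assumption.

```python
from typing import Dict, List

# Constructed toy road network (not from the Rutgers paper):
# node -> {neighbouring node: segment length in metres}.
ROADS: Dict[str, Dict[str, float]] = {
    "A": {"B": 300.0, "D": 500.0},
    "B": {"A": 300.0, "C": 400.0, "E": 500.0},
    "C": {"B": 400.0, "F": 500.0},
    "D": {"A": 500.0, "E": 300.0},
    "E": {"B": 500.0, "D": 300.0, "F": 500.0},
    "F": {"C": 500.0, "E": 500.0},
}


def synthetic_trace(lengths: List[float], cruise: float = 10.0, ramp: float = 5.0) -> List[float]:
    """Constructed 1 Hz speed trace (m/s) for driving the given segments back to back.

    Each segment: one ramp-up sample, a cruise stretch, one ramp-down sample, then a
    two-second stop at the intersection. Lengths are chosen so the integral is exact.
    """
    trace: List[float] = []
    for length in lengths:
        cruise_seconds = int(round((length - 2 * ramp) / cruise))
        trace += [ramp] + [cruise] * cruise_seconds + [ramp] + [0.0, 0.0]
    return trace


def segment_lengths(speeds_mps: List[float], dt: float = 1.0,
                    stop_threshold: float = 1.0) -> List[float]:
    """Integrate speed over time and split the trip wherever the car (nearly) stops.

    A stop or near-stop is taken as the marker of an intersection, so each returned
    value is the distance driven between two consecutive intersections.
    """
    segments: List[float] = []
    distance = 0.0
    moving = False
    for v in speeds_mps:
        if v >= stop_threshold:
            moving = True
            distance += v * dt
        elif moving:
            segments.append(distance)
            distance = 0.0
            moving = False
    if moving and distance > 0.0:  # trip ended without a final stop
        segments.append(distance)
    return segments


def candidate_routes(start: str, segments: List[float],
                     tolerance: float = 0.15) -> List[List[str]]:
    """Depth-first search from `start` for node sequences whose road lengths match the
    measured segment distances within a relative tolerance. Returns all matches, sorted,
    so the caller can see how much (or how little) ambiguity is left."""
    routes: List[List[str]] = []

    def walk(node: str, idx: int, path: List[str]) -> None:
        if idx == len(segments):
            routes.append(path)
            return
        for nxt, length in ROADS[node].items():
            if len(path) >= 2 and nxt == path[-2]:
                continue  # simplifying assumption: no immediate U-turns
            if abs(length - segments[idx]) <= tolerance * length:
                walk(nxt, idx + 1, path + [nxt])

    walk(start, 0, [start])
    return sorted(routes)


def infer_routes(start: str, speeds_mps: List[float]) -> List[List[str]]:
    """Full pipeline: known start node + speed-only trace -> candidate routes."""
    return candidate_routes(start, segment_lengths(speeds_mps))


if __name__ == "__main__":
    trace = synthetic_trace([300.0, 400.0, 500.0])
    print(segment_lengths(trace))    # distances between stops
    print(infer_routes("A", trace))  # the only road sequence from A that fits
```

On this map a three-segment trip from A collapses to a single route, while a one-segment trip from E still leaves two candidates; real maps and noisy speed data widen the candidate set, which is why the researchers describe the result as "roughly" identifying where you have driven.
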
  16. Tomi Engdahl says:

    512KDay: Why the internet is BROKEN (Next time, big biz, listen to your network admin)
    We failed the internet’s management challenge
    http://www.theregister.co.uk/2014/08/13/512k_invited_us_out_to_play/

    Yesterday, 12 August, 2014, the internet hit an arbitrary limit of more than 512K routes.

    Internet service providers and businesses around the world chose not to address this issue in advance, as a result causing major outages around the world.

    The LastPass outage is being blamed by many on 512KDay, though official confirmation of this is still pending.

  17. Tomi Engdahl says:

    Phone charging log helps to convict murderer
    Alibi eroded by midnight metadata
    http://www.theregister.co.uk/2014/07/16/phone_charging_log_helps_to_convict_murderer/

    An Australian man has been convicted of murder after mobile phone metadata describing when the device was connected to a charger was tabled as evidence.

    retrieving metadata from his phone that showed a new connection was made to a charger early on the morning

  18. Tomi Engdahl says:

    UK WhatsApp duo convicted of possessing extreme porn
    Pair pleaded guilty to ‘unsolicited’ shock images featuring animals
    http://www.theregister.co.uk/2014/08/05/whatsapp_smut_conviction/

    The depraved images were found after police stopped them for unrelated matters and discovered the shock images upon inspecting their mobile phones

    “You have pleaded guilty to possessing truly disgusting images,” Judge Worsley said, the Daily Mirror reports. “It makes a big difference if someone goes out of their way to seek it, or if they’re sent it by some mischievous colleague.”

    “In your case it was unsolicited. This is an exceptional case in some ways. The public should not find this carte blanche to possess material of this nature,

  19. Tomi Engdahl says:

    LulzSec supergrass Sabu led attacks against Turkey – report
    Revelations contained in ‘sealed court docs’ – news site
    http://www.theregister.co.uk/2014/08/13/sabu_allegedly_masterminded_turkey_attacks_according_to_report/

    Just months after reports emerged that LulzSec “kingpin” turned FBI snitch Hector Xavier Monsegur had allegedly led cyber-attacks against foreign governments while under FBI control, a “cache of sealed court documents” has provided some more startling reading.

    Monsegur – whom prosecutors insist is “Sabu”, a leading figure in hacktivist group Lulzsec

    Sabu operated as a “rooter” – someone who can gain root access to systems – in multiple attacks including assaults against HBGary, Fox Television and Nintendo.

    Monsegur reportedly used zero-day vulnerabilities in Plesk, a common web-publishing platform, to draw up a list of vulnerable targets.

  20. Tomi Engdahl says:

    Cybercrooks breed SELF-CLONING MUTANT that STEALS your BANK DETAILS
    Fresh Cridex variant plays merry hell via email
    http://www.theregister.co.uk/2014/07/02/cridex_trojan_email_worm_hybrid/

    Cybercrooks have put together a botnet client which bundles in worm-like functionality that gives it the potential to spread quickly.

    Seculert warns that the latest version of the Cridex (AKA Geodo) information stealing Trojan includes a self-spreading infection method.

  21. Tomi Engdahl says:

    Microsoft issues 26 security fixes for Internet Explorer in August Patch Tuesday
    Addresses zero-day flaws in IE versions 6 to 11 as well as Adobe Flash
    http://www.theinquirer.net/inquirer/news/2360082/microsoft-issues-26-security-fixes-for-internet-explorer-in-august-patch-tuesday

    MICROSOFT HAS ISSUED nine bulletins covering a total of 41 vulnerabilities across its software products for its August Patch Tuesday release, including two “Critical” patches addressing zero-day flaws in Internet Explorer (IE) versions IE6 to IE11 and Adobe Flash.

  22. Tomi Engdahl says:

    Meet MonsterMind, the NSA Bot That Could Wage Cyberwar Autonomously
    http://www.wired.com/2014/08/nsa-monstermind-cyberwarfare/

    Edward Snowden has made us painfully aware of the government’s sweeping surveillance programs over the last year. But a new program, currently being developed at the NSA, suggests that surveillance may fuel the government’s cyber defense capabilities, too.

    The NSA whistleblower says the agency is developing a cyber defense system that would instantly and autonomously neutralize foreign cyberattacks against the US, and could be used to launch retaliatory strikes as well. The program, called MonsterMind, raises fresh concerns about privacy and the government’s policies around offensive digital attacks.

  23. Tomi Engdahl says:

    The Biggest iPhone Security Risk Could Be Connecting One To a Computer
    http://it.slashdot.org/story/14/08/14/1426209/the-biggest-iphone-security-risk-could-be-connecting-one-to-a-computer

    iOS’s Achilles’ heel is exposed when devices are connected over USB to a computer or have Wi-Fi synching enabled. The beauty of their attack is that it doesn’t rely on iOS software vulnerabilities, the customary way that hackers commandeer computers.

  24. Tomi Engdahl says:

    Ryan Lackey, Marc Rogers Reveal Inexpensive Tor Router Project At Def Con
    http://hardware.slashdot.org/story/14/08/14/1311248/ryan-lackey-marc-rogers-reveal-inexpensive-tor-router-project-at-def-con

    Ryan Lackey of CloudFlare and Marc Rogers of Lookout revealed a new OPSEC device at Def Con called PORTAL (Personal Onion Router to Assure Liberty). It “provides always-on Tor routing, as well as ‘pluggable’ transport for Tor that can hide the service’s traffic signature from some deep packet inspection systems.”

  25. Tomi Engdahl says:

    CVE-2014-0546 used in targeted attacks – Adobe Reader Update
    https://securelist.com/blog/65577/cve-2014-0546-used-in-targeted-attacks-adobe-reader-update/

    Today Adobe released the security bulletin APSB14-19, crediting Kaspersky Lab for reporting CVE-2014-0546.

    This out of band patch fixes a rather creative sandbox escape technique that we observed in a very limited number of targeted attacks.

  26. Tomi Engdahl says:

    Bitcoin ASIC in Chips-to-$ Race
    Running hot on 84 amps
    http://www.eetimes.com/document.asp?doc_id=1323522&

    In eight short months, startup CoinTerra designed a 28nm ASIC that pushes the envelope in logic power density and shipped a system using four of them. Its tale is typical of the headlong race to hardware acceleration in the emerging bitcoin economy

    Bitcoin is the most high profile of several emerging digital exchanges founded on a set of mathematical formulas and open source software released in 2009. Its de-centralized economy is based on bitcoin mining, essentially clearing transactions that use an increasingly complex set of cryptographic puzzles based on the SHA-256 hashing algorithm.

    The first bitcoin mining systems to crack the code of a puzzle get rewarded

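
The "cryptographic puzzle" the article refers to, as an added illustration (not from the EE Times piece or any Bitcoin client): a minimal proof-of-work loop over a constructed block header. The `zero_bits` difficulty is a simplification of Bitcoin's `bits` target encoding, and the header fields are placeholders; the point is that mining is nothing but double-SHA-256 throughput, which is what the ASIC race is about, while checking a solution costs one hash.

```python
import hashlib
import struct
from typing import Optional, Tuple

# Constructed 76-byte header prefix (version, previous block hash, merkle root,
# timestamp, bits). Only the trailing 4-byte nonce changes while mining.
# These values are placeholders, not a real Bitcoin block.
HEADER_PREFIX = (
    struct.pack("<I", 2)             # version
    + b"\x11" * 32                   # previous block hash (constructed)
    + b"\x22" * 32                   # merkle root (constructed)
    + struct.pack("<I", 1407888000)  # timestamp, August 2014 (constructed)
    + struct.pack("<I", 0x1D00FFFF)  # bits field (not used for the target here)
)


def double_sha256(data: bytes) -> bytes:
    """Bitcoin's block hash: SHA-256 applied twice."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def target_for(zero_bits: int) -> int:
    """Simplified difficulty: the hash, read as a 256-bit number, must be below
    2^(256 - zero_bits). Each extra bit doubles the expected number of attempts."""
    return 1 << (256 - zero_bits)


def block_hash(prefix: bytes, nonce: int) -> bytes:
    return double_sha256(prefix + struct.pack("<I", nonce))


def meets_target(digest: bytes, zero_bits: int) -> bool:
    # Bitcoin interprets the 32-byte digest as a little-endian integer.
    return int.from_bytes(digest, "little") < target_for(zero_bits)


def mine(prefix: bytes, zero_bits: int,
         max_nonce: int = 1 << 32) -> Optional[Tuple[int, int, str]]:
    """Brute-force the nonce. Returns (nonce, attempts, display_hex), or None if the
    nonce space is exhausted. This loop is what ASICs run billions of times per second."""
    for nonce in range(max_nonce):
        digest = block_hash(prefix, nonce)
        if meets_target(digest, zero_bits):
            # Conventional display is the byte-reversed digest, which shows the leading zeros.
            return nonce, nonce + 1, digest[::-1].hex()
    return None


def verify(prefix: bytes, nonce: int, zero_bits: int) -> bool:
    """Verification costs a single double-SHA-256, however hard mining was."""
    return meets_target(block_hash(prefix, nonce), zero_bits)


if __name__ == "__main__":
    found = mine(HEADER_PREFIX, 16)  # 16 zero bits: ~65k attempts on average
    if found is not None:
        nonce, attempts, shown = found
        print(f"nonce={nonce} attempts={attempts} hash={shown}")
        print("valid:", verify(HEADER_PREFIX, nonce, 16))
```

The same loop, run without the owner's knowledge, is what the "use resources you pay for" cryptojacking case in the main post amounts to; the asymmetry between mining cost and verification cost is also why difficulty can keep rising without making transaction checking expensive.
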
  27. Tomi Engdahl says:

    The Gyroscopes in Your Phone Could Let Apps Eavesdrop on Conversations
    http://www.wired.com/2014/08/gyroscope-listening-hack/

    In the age of surveillance paranoia, most smartphone users know better than to give a random app or website permission to use their device’s microphone. But researchers have found there’s another, little-considered sensor in modern phones that can also listen in on their conversations. And it doesn’t even need to ask.

    In a presentation at the Usenix security conference next week, researchers from Stanford University and Israel’s defense research group Rafael plan to present a technique for using a smartphone to surreptitiously eavesdrop on conversations in a room—not with a gadget’s microphone, but with its gyroscopes, the sensors designed to measure the phone’s orientation.

    “Whenever you grant anyone access to sensors on a device, you’re going to have unintended consequences,” says Dan Boneh, a computer security professor at Stanford. “In this case the unintended consequence is that they can pick up not just phone vibrations, but air vibrations.”

    When the researchers tested their gyroscope snooping trick’s ability to pick up the numbers one through ten and the syllable “oh”—a simulation of what might be necessary to steal a credit card number, for instance—it could identify as many as 65 percent of digits spoken in the same room as the device by a single speaker. It could also identify the speaker’s gender with as much as 84 percent certainty. Or it could distinguish between five different speakers in a room with up to 65 percent certainty.

    Google’s Android operating system allows movements from the sensors to be read at 200 hertz, or 200 times per second. Since most human voices range from 80 to 250 hertz, the sensor can pick up a significant portion of those voices. Though the result is unintelligible to the human ear, Stanford researcher Yan Michalevsky and Rafael’s Gabi Nakibly built a custom speech recognition program designed to interpret it.

  28. Tomi Engdahl says:

    Many US companies failing to uphold EU privacy rules, privacy group claims in FTC complaint
    http://www.zdnet.com/many-us-companies-failing-to-uphold-eu-privacy-rules-privacy-group-claims-in-ftc-complaint-7000032595/

    Summary: The rules that govern how EU data is treated in the US are being violated by major tech companies, according to a privacy group in a filed complaint to the FTC.

  29. Tomi Engdahl says:

    What’s the matter with PGP?
    http://blog.cryptographyengineering.com/2014/08/whats-matter-with-pgp.html

    Last Thursday, Yahoo announced their plans to support end-to-end encryption using a fork of Google’s end-to-end email extension. This is a Big Deal. With providers like Google and Yahoo onboard, email encryption is bound to get a big kick in the ass. This is something email badly needs.

    So great work by Google and Yahoo!

    As transparent and user-friendly as the new email extensions are, they’re fundamentally just re-implementations of OpenPGP — and non-legacy-compatible ones, too. The problem with this is that, for all the good PGP has done in the past, it’s a model of email encryption that’s fundamentally broken.

    It’s time for PGP to die.

    In the remainder of this post I’m going to explain why this is so, what it means for the future of email encryption, and some of the things we should do about it.

  30. Tomi Engdahl says:

    Chrome update to raise alarms over deceptive download bundles
    That browser toolbar your Mum swears she never installed? Chrome’ll crimp it
    http://www.theregister.co.uk/2014/08/15/chrome_safe_browsing_update/

    Google is planning to roll out an update to the Safe Browsing feature of its Chrome web browser that will alert users to a new category of suspicious downloads: ones that look like they’re installing helpful software but could also include additional, unexpected payloads.

    Safe Browsing already issues alerts to known malware downloads based on a database of file signatures maintained by Google. But with the new update, the service will also flag files that are more of a grey area.

  31. Tomi Engdahl says:

    US defense contractors still waiting for breach notification rules
    http://www.net-security.org/secworld.php?id=17258

    The US Congress will require “cleared defense contractors” – i.e. those who have been granted clearance by the DoD to access, receive, or store classified information – to effect a rapid report in the wake of a successful breach, and to include in it a description of the technique or method used in the penetration, a sample of the malicious software used (if discovered), and a summary of information created for the Department in connection with any Department program that has been potentially compromised due to such penetration.

    Reply
  32. Tomi Engdahl says:

    It’s time for PGP to die, says … no, not the NSA – a US crypto prof
    ‘We’ve come a long way since the 1990s, but PGP mostly hasn’t’
    http://www.theregister.co.uk/2014/08/14/pgp_viability/

    A senior cryptographer has sparked debate after calling time on PGP – the gold standard for email and document encryption.

    This week, on his personal blog, he argued that it’s “time for PGP to die”, describing it as “downright unpleasant”.

    PGP key management “sucks”, he said, and complained that there’s no forward secrecy – meaning if someone’s private key is obtained, it can be used to decrypt previously encrypted files and messages.

    “We’ve come a long way since the 1990s, but PGP mostly hasn’t,” Green writes. “While the protocol has evolved technically – IDEA replaced BassOMatic, and was in turn replaced by better ciphers – the fundamental concepts of PGP remain depressingly similar to what [Phil] Zimmermann offered us in 1991. This has become a problem, and sadly one that’s difficult to change.”

    Other security experts argued that, despite its flaws, there’s nothing lying around to adequately replace PGP.

    “If you’re a college professor, sure, replacing PGP sounds like an awesome project. If you care about real-world OPSEC, I’m not so sure,” said security researcher Thomas H. Ptacek in a Twitter update.

    Reply
  33. Tomi Engdahl says:

    Snowden on NSA’s MonsterMind TERROR: It may trigger cyberwar
    Plus: Syria’s internet going down? That was a US cock-up
    http://www.theregister.co.uk/2014/08/13/snowden_warns_the_nsas_monstermind_software_could_trigger_cyberwar/

    Rogue NSA sysadmin Edward Snowden says his former employer has developed software that will automatically attack foreign computers deemed to be a threat – without checking in with a human first.

    The system, dubbed MonsterMind, is designed to detect strikes against key US servers and block the assaults as quickly as possible. But it is also designed to fire back to take out the perceived attacker without anyone giving it specific authorization.

    Snowden, an ex-NSA techie, also spoke of the spying agency’s vast warehouse of documents, phone calls, emails and other highly personal information, all collected from everyone on the planet.

    That data is stored in the NSA’s million-square-foot data center in Bluffdale, Utah.

    Snowden said it was learning about systems like MonsterMind that helped persuade him that a whistleblower was needed to bring the subject to the American people. But he said the trigger that decided the issue was the Congressional hearings in March last year when the US director of national intelligence James Clapper denied putting US citizens under mass surveillance by “collecting” their online data. That denial has since been challenged.

    Reply
  34. Tomi Engdahl says:

    Insert coin to continue: GameOver ZeuS zombie MUTATES, shuffles back to its feet
    You! Back from the undead again?
    http://www.theregister.co.uk/2014/08/15/gameover_zeus_back_from_the_dead_as_/

    The resurfaced GameOver bot is back with a vengeance, having infected 12,000 computers after the network was taken down in June, according to Arbor Networks.

    Arbor set up a network of these sinkholes to gain five days’ worth of bot intelligence.

    “Four days after the discovery of newGOZ, our first sinkhole saw 127 victims,

    It targeted mostly internet service providers and others operating in the telco space.

    Reply
  35. Tomi Engdahl says:

    Watch a Cat Video, Get Hacked: the Death of Clear-Text
    http://it.slashdot.org/story/14/08/15/2032243/watch-a-cat-video-get-hacked-the-death-of-clear-text

    Citizen Lab released new research today on a targeted exploitation technique used by state actors involving “network injection appliances” installed at ISPs. These devices can target and intercept unencrypted YouTube traffic and replace it with malicious code that gives the operator control over the system or installs a surveillance backdoor.

    just one more reminder to use https.

    Reply
  36. Tomi Engdahl says:

    Technological dystopia looming, dooming the West
    http://rt.com/op-edge/179428-western-technology-potential-slavery/

    The power elite know that the more you threaten to deprive people of their basic human needs, set out conveniently by psychologists in Maslow’s hierarchy, the better they behave themselves. Any psychologist will tell you the best way to stoke those fears is by turning off the supply of cash, or even just threatening to. That’s why they have always seen banking as the key to social engineering.

    It sounds wrong because it’s evil and no amount of spin will make it right.

    If technology is to be used to control populations it must be sold to us as pure progress with any downside or moral questions ignored.

    Reply
  37. Tomi Engdahl says:

    Ebay in talks to take bitcoins at payments unit : WSJ
    http://www.reuters.com/article/2014/08/14/us-bitcoin-ebay-idUSKBN0GE2D420140814

    Ebay Inc’s (EBAY.O) PayPal is in talks with Coinbase Inc and other bitcoin transaction providers to integrate the virtual currency within its Braintree payments system, The Wall Street Journal reported on Thursday.

    Reply
  38. Tomi Engdahl says:

    Time to ditch HTTP – govt malware injection kit thrust into spotlight
    Don’t touch that cat video, warns Citizen Lab
    http://www.theregister.co.uk/2014/08/16/time_to_ditch_http_state_network_injection_attacks_documented_in_the_wild/

    A new report from the Toronto-based internet watchdog Citizen Lab has shown cases of governments running network injection attacks that can deliver malware via any HTTP web connection.

    The dossier looks at two hacking tools created by the Italian firm Hacking Team and the German biz FinFisher that use the injection attack vector. Both firms claim to sell only to government sources, although leaked documents suggest at least one sale to a private security company has taken place.

    The attack works if a spy or other miscreant fits a Hacking Team or FinFisher appliance in the telecommunications company used by the target. Once the victim’s IP address is known, the injection server can identify his or her connections to websites, intercept the passing unencrypted HTTP stream and insert malicious code into the web page.

    Citizen Lab says YouTube and Microsoft Live login pages are heavily targeted.

    “The proliferation of tools for both tactical and on network injection attacks highlights a vulnerability that has existed since the beginning of the consumer Internet,”

    One way to block this kind of attack is to connect via HTTPS, which encrypts the connection and protects it from tampering – assuming the SSL certificates aren’t compromised.

    Reply
  39. Tomi Engdahl says:

    Revealed … GCHQ’s incredible hacking tool to sweep net for vulnerabilities: Nmap
    Is that you, 007? Is that you, 007?
    http://www.theregister.co.uk/2014/08/15/gchq_port_scan_hacienda/

    For the past five years, British spying nerve-center GCHQ has been port scanning internet-connected computers in 27 countries – in an exhaustive hunt for systems to potentially exploit.

    That bombshell comes amid fresh leaks detailing the dragnet surveillance programs operated by the Five Eyes nations: America, UK, Canada, Australia and New Zealand.

    German publisher Heise reports that the HACIENDA program scans open ports on all public-facing servers to seek out vulnerable systems – a basic reconnaissance strategy adopted by countless hackers and other curious folk.

    The HACIENDA database is shared by the UK’s GCHQ with other members of the Five Eyes spying club.

    Port scanning software, such as nmap and Zmap, is a standard issue tool for hackers, developers, students and anyone else with a sense of curiosity; the only thing noteworthy about HACIENDA is its scale.

    Reply
  40. Tomi Engdahl says:

    NSA/GCHQ: The HACIENDA Program for Internet Colonization
    http://www.heise.de/ct/artikel/NSA-GCHQ-The-HACIENDA-Program-for-Internet-Colonization-2292681.html

    Since the early days of TCP, port scanning has been used by computer saboteurs to locate vulnerable systems. In a new set of top secret documents seen by Heise, it is revealed that in 2009, the British spy agency GCHQ made port scans a “standard tool” to be applied against entire nations

    Twenty-seven countries are listed as targets of the HACIENDA program in the presentation, which comes with a promotional offer: readers desiring to do reconnaissance against another country need simply send an e-mail

    Reply
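The defender's side of the HACIENDA story, as an added example (not code from Heise or The Register): a small detector that reads firewall drop records and flags a source that touches many distinct ports on one host inside a short window. The log format, the IP addresses and the sample lines are all constructed for this demo; the thresholds are assumptions to tune per network.

```python
"""Port-sweep detector over constructed firewall-log lines (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed log format: "<ISO time> DROP <src> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(\S+) DROP (\d+\.\d+\.\d+\.\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)$")

# Constructed sample: one fast sweep of 12 ports in 12 seconds, one benign
# client touching two service ports, one slow sweep spaced 2 minutes apart.
SWEPT_PORTS = [21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445, 3389]
SAMPLE_LOG = [f"2014-08-15T10:00:{i:02d} DROP 203.0.113.7 -> 198.51.100.5:{p}"
              for i, p in enumerate(SWEPT_PORTS)]
SAMPLE_LOG += ["2014-08-15T10:05:00 DROP 192.0.2.9 -> 198.51.100.5:443",
               "2014-08-15T10:05:30 DROP 192.0.2.9 -> 198.51.100.5:80",
               "not a firewall line at all"]
SAMPLE_LOG += [f"2014-08-15T10:{10 + 2 * i}:00 DROP 203.0.113.8 -> 198.51.100.6:{p}"
               for i, p in enumerate(SWEPT_PORTS)]


def parse(lines):
    """Yield (timestamp, src, dst, dport); lines that do not match are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
        yield ts, m.group(2), m.group(3), int(m.group(4))


def detect_port_sweeps(lines, min_ports=10, window=timedelta(seconds=60)):
    """Return {(src, dst): max distinct ports seen inside one `window`} for
    every pair that reached `min_ports` distinct ports within the window.

    A sliding window per (src, dst) pair. Note the caveat this exposes: a
    sweep paced slower than the window is invisible unless the window grows,
    so in practice a long window with a higher threshold is run alongside."""
    events = defaultdict(list)  # (src, dst) -> [(ts, port), ...]
    for ts, src, dst, port in parse(lines):
        events[(src, dst)].append((ts, port))
    alerts = {}
    for key, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            ports = {p for _, p in evs[start:end + 1]}
            if len(ports) >= min_ports:
                alerts[key] = max(len(ports), alerts.get(key, 0))
    return alerts


if __name__ == "__main__":
    print(detect_port_sweeps(SAMPLE_LOG))            # fast sweep only
    print(detect_port_sweeps(SAMPLE_LOG, window=timedelta(minutes=30)))
```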
  41. Tomi Engdahl says:

    Explainer: How Google’s New SSL / HTTPS Ranking Factor Works
    New facts on the Google HTTPS ranking signal.
    http://searchengineland.com/explainer-googles-new-ssl-https-ranking-factor-works-200492

    Last Thursday, Google launched a new ranking signal to give HTTPS sites a ranking boost, a small ranking boost, to encourage webmasters to migrate their sites from HTTP to HTTPS.

    Unlike Penguin or Panda algorithms, this is a ranking signal that is run in real time. As soon as Google indexes your new HTTPS URL, that URL will immediately see a tiny ranking boost because of the HTTPS URL.

    If you have some parts of your site migrated to HTTPS and some parts not, Google will give the boost to the ones on the HTTPS URLs and not to the others.

    HTTPS Ranking Signal Is Unrelated To Google Panda Or Other Algorithms

    Reply
  42. Tomi Engdahl says:

    SEO Industry Tweets Its Reactions To Google’s SSL Ranking Boost
    http://searchengineland.com/seo-industry-tweets-reactions-googles-ssl-ranking-boost-199510

    The SEO industry is abuzz today with the news of Google’s latest ranking signal: Using SSL certificates will provide a boost in Google’s search rankings.

    Reply
  43. Tomi Engdahl says:

    Making your site run over HTTPS or SSL can be easy for small websites but for really large sites, it would require a lot of reconfiguration and testing. Security certificates are not that expensive these days, depending on which security company you go with. The big cost may be involved in migrating larger and older sites into the new URL structure.

    Source: http://searchengineland.com/ranking-benefit-making-site-ssl-yet-googles-cutts-like-make-happen-186810

    Reply
  44. Tomi Engdahl says:

    U.S. firm helped the spyware industry build a potent digital weapon for sale overseas
    http://www.washingtonpost.com/world/national-security/spyware-tools-allow-buyers-to-slip-malicious-code-into-youtube-videos-microsoft-pages/2014/08/15/31c5696c-249c-11e4-8593-da634b334390_story.html

    CloudShield Technologies, a California defense contractor, dispatched a senior engineer to Munich in the early fall of 2009. His instructions were unusually opaque.

    His contact, Martin J. Muench, turned out to be a former developer of computer security tools who had long since turned to the darkest side of their profession. Gamma Group, the British conglomerate for which Muench was a managing director, built and sold systems to break into computers, seize control clandestinely, and then copy files, listen to Skype calls, record every keystroke and switch on Web cameras and microphones at will.

    Over several months, the engineer adapted Gamma’s digital weapons to run on his company’s specialized, high-speed network hardware.

    CloudShield’s central role in Gamma’s controversial work — fraught with legal risk under U.S. export restrictions — was first uncovered by Morgan Marquis-Boire, author of a new report released Friday by the Citizen Lab at the University of Toronto’s Munk School of Global Affairs.

    Hacking Team and the company that now owns CloudShield denied any wrongdoing.

    The “custom payload” that Hacking Team uses to compromise YouTube injects malicious code into the video stream when a visitor clicks the play button. The user sees the “cute animal videos” he expects, according to Citizen Lab, but the malicious code exploits a flaw in Adobe’s Flash video player to take control of the computer.

    Another attack, custom-built for use on Microsoft pages, uses Oracle’s Java technology, another common browser component, to insert a back door into a victim’s computer.

    Security and privacy advocates have identified those vulnerabilities before, but the two companies regarded them as hypothetical.

    Since learning of Marquis-Boire’s findings in mid-July, Google has encrypted a majority of YouTube video links, and Microsoft has changed default settings to prevent unencrypted log-ins on most live.com services.

    Reply
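The mitigation that comments 38, 43 and 44 above all circle around is moving a site fully to HTTPS. As an added example (not code from Citizen Lab, Google or any quoted article), here is an audit of one site's HTTP and HTTPS responses against the three conditions that actually close the injection window: plain HTTP redirected to HTTPS, an HSTS header so later visits never start over HTTP, and no active http:// subresources on the HTTPS page that an in-path appliance could still rewrite. The responses, host names and the 180-day HSTS minimum are constructed assumptions.

```python
"""HTTPS-migration audit over constructed responses (added example)."""
import re
from dataclasses import dataclass


@dataclass
class Response:
    url: str
    status: int
    headers: dict
    body: str = ""


# Active mixed content: tags whose http:// source can execute or rewrite
# the page. Passive content such as <img> is left out on purpose.
ACTIVE_TAG_RE = re.compile(
    r"<(script|iframe|link|object|embed)[^>]*?\s(?:src|href)=[\"'](http://[^\"']+)",
    re.IGNORECASE)


def parse_hsts(value):
    """Return max-age seconds from a Strict-Transport-Security header, or 0."""
    m = re.search(r"max-age=(\d+)", value or "", re.IGNORECASE)
    return int(m.group(1)) if m else 0


def audit(http_resp, https_resp, min_hsts=60 * 60 * 24 * 180):
    """Return a list of findings; an empty list means all three checks pass."""
    findings = []
    loc = http_resp.headers.get("Location", "")
    if not (300 <= http_resp.status < 400 and loc.startswith("https://")):
        findings.append("http-not-redirected-to-https")
    if parse_hsts(https_resp.headers.get("Strict-Transport-Security")) < min_hsts:
        findings.append("hsts-missing-or-short")
    for tag, url in ACTIVE_TAG_RE.findall(https_resp.body):
        findings.append(f"active-mixed-content:{tag.lower()}:{url}")
    return findings


# Constructed sample: a site mid-migration, then the same site fixed.
HTTP_LEGACY = Response("http://example.test/", 200, {"Content-Type": "text/html"})
HTTPS_LEGACY = Response(
    "https://example.test/", 200, {"Strict-Transport-Security": "max-age=300"},
    '<html><script src="http://cdn.example.test/player.js"></script>'
    '<img src="http://example.test/cat.jpg"></html>')
HTTP_FIXED = Response("http://example.test/", 301,
                      {"Location": "https://example.test/"})
HTTPS_FIXED = Response(
    "https://example.test/", 200,
    {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
    '<html><script src="https://cdn.example.test/player.js"></script></html>')

if __name__ == "__main__":
    print(audit(HTTP_LEGACY, HTTPS_LEGACY))
    print(audit(HTTP_FIXED, HTTPS_FIXED))  # []
```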
  45. Tomi Engdahl says:

    Knocking Down the Great Firewall of China
    http://yro.slashdot.org/story/14/08/16/1325255/knocking-down-the-great-firewall-of-china

    The FOSS project Lantern is having great success in unblocking the internet for many users in oppressive regimes, like China and Iran. Much like Tor and BitTorrent, Lantern is using peer-to-peer networking to overcome firewalls, but with the additional security of a trusted network of friends.

    Reply
  46. Tomi Engdahl says:

    Hybrid Cloud: A New Way of Thinking About Disaster Recovery
    http://blogs.vmware.com/vcloud/2014/04/hybrid-cloud-a-new-way-of-thinking-about-disaster-recovery.html

    Protecting business applications against outages, failures, disasters and other causes of downtime is a top priority for many organizations

    not all companies have the budget, expertise, time or staff to spare to improve their IT resiliency. For organizations that do have DR services in place, the challenge lies in maintaining the solution on an ongoing basis

    Customers want DR to be faster, cheaper and simpler. And with only 5% of today’s applications protected by DR, Gartner predicts that mid-size enterprises are the expected growth market for recovery-as-a-service.

    With hybrid cloud, organizations can easily extend their on-premise DR solution on- or off-premise, without heavy upfront investment. Hybrid cloud also allows DR to be within reach for more customers, giving them the ability to cost-effectively cover tier 2 applications not included in their existing DR plan.

    Reply
  47. Tomi Engdahl says:

    Germany recorded John Kerry, Hillary Clinton phone calls ‘by accident’
    http://www.theverge.com/2014/8/16/6020037/germany-recorded-john-kerry-and-hillary-clinton-phone-calls-by

    Secretary of State John Kerry and his predecessor, Hillary Clinton, were both caught up in German spy efforts, says a new report. According to German weekly Der Spiegel, the country’s foreign intelligence agency, BND, inadvertently recorded phone calls from both Secretaries of State.

    Reply
  48. Tomi Engdahl says:

    Ask Slashdot: How Dead Is Antivirus, Exactly?
    http://ask.slashdot.org/story/14/08/17/012209/ask-slashdot-how-dead-is-antivirus-exactly

    Symantec recently made a loud statement that antivirus is dead and that they don’t really consider it to be a source of profit. Some companies said the same afterwards; some others suggested that Symantec just wants a bit of free media attention. The press is full of data on antivirus efficiency being quite low. A notable example would be the Zeus banking Trojan, and how only 40% of its versions can be stopped by antivirus software. The arms race between malware authors and security companies is unlikely to stop.

    Reply
  49. Tomi Engdahl says:

    New voting rules leave innocent Brits at risk of SPAM TSUNAMI
    Read the paperwork very carefully – or fall victim to marketing shysters
    http://www.theregister.co.uk/2014/08/15/voter_registration_rules_leave_brits_at_risk_of_spam_tsunami/

    Changes to the electoral registration system have sparked fears that Britons are about to be swamped by a tsunami of unwanted spam from companies that harvest and sell on citizens’ personal data.

    These complaints were sparked by a change to the way in which voters opt in or out of making their personal information available to marketers.

    The Register has received a number of complaints about the way in which councils have added people to the open register.

    Reply
