Security trends for 2014

The year 2014 will be a year of cybersecurity after the NSA revelations made in 2013. The headline news is that the NSA has surreptitiously “burrowed its way into nearly all the security architecture” sold by the world’s largest computer networking companies. A lot of people were shocked by how the NSA monitored and hacked almost everything on the Internet. There will still be NSA aftershocks as new material comes out and different parties react to it (and news sources write about it). U.S. cloud services have been put into question for good reason. There will be a lot of NSA spying litigation. Those spying issues will also fuel some hacktivism (it has already started to happen).

The article Security Professionals: Top Cyber Threat Predictions for 2014 lists the following predictions, which seem pretty probable: cybersecurity regulatory efforts will spark a greater need for harmonization; service-impacting interruptions for online services will persist; we will see an increase in cybercrime activity related to the World Cup; regional cloud services will rise; Dev-Ops security integration is fast becoming critical; cybercrime that leverages unsupported software will increase; and an increase in social engineering and ransomware will impact more people.

Ubiquitous mobile computing is all around us, which will lead to increased risks and concerns about social network privacy. Social networks have quickly become the key organizing principle of Internet communication and collaboration. Android anti-virus apps can’t kill nasties on sight like normal AV does.

2013 was a very hacked year, with many cases where information on millions or tens of millions of users was stolen from companies. It’s likely that we will see much more of the same in 2014, because the way people use passwords and the way on-line services are built have not changed much in one year.


Gartner predicts that through 2014, improved JavaScript performance will begin to push HTML5 and the browser as a mainstream enterprise application development environment. I expect HTML5-related security issues to increase in 2014 simply because the technology is being used more.

Over 50% of net traffic to web sites is made by bots! The article More Than Half of Internet Traffic Is Just Bots says that security and cloud service provider Incapsula analyzed traffic and found that more than 60 percent of internet traffic is computer generated, compared to less than 40 percent driven by human clicks. 31% of bots are still malicious. SEO link building has always been a major motivation for automated link spamming, but it is decreasing because Google has been able to discourage it. There is more advanced hacking and automatic vulnerability searching.
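As an added example (not from the original post or from Incapsula), here is a small Python classifier that sorts web-server log lines into human, crawler and malicious-bot traffic using the kinds of signals behind the statistic above: scripted user agents, probing of well-known admin paths, and repeated automated form posts. The log lines, IP addresses, path lists and thresholds are all constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample access-log lines in Apache combined format. Addresses come from
# documentation ranges and the traffic is made up for this example.
SAMPLE_LOG = """\
203.0.113.10 - - [14/Jan/2014:10:01:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/26.0"
203.0.113.10 - - [14/Jan/2014:10:01:03 +0000] "GET /style.css HTTP/1.1" 200 800 "http://example.test/" "Mozilla/5.0 (Windows NT 6.1) Firefox/26.0"
203.0.113.10 - - [14/Jan/2014:10:01:05 +0000] "GET /blog/security-trends-2014 HTTP/1.1" 200 9000 "http://example.test/" "Mozilla/5.0 (Windows NT 6.1) Firefox/26.0"
192.0.2.200 - - [14/Jan/2014:10:02:00 +0000] "GET /robots.txt HTTP/1.1" 200 120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
192.0.2.200 - - [14/Jan/2014:10:02:01 +0000] "GET /blog/ HTTP/1.1" 200 7000 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
198.51.100.7 - - [14/Jan/2014:10:03:00 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 300 "-" "Mozilla/4.0"
198.51.100.7 - - [14/Jan/2014:10:03:00 +0000] "GET /wp-login.php HTTP/1.1" 404 300 "-" "Mozilla/4.0"
198.51.100.7 - - [14/Jan/2014:10:03:01 +0000] "GET /admin/ HTTP/1.1" 404 300 "-" "Mozilla/4.0"
198.51.100.7 - - [14/Jan/2014:10:03:01 +0000] "GET /.git/config HTTP/1.1" 404 300 "-" "Mozilla/4.0"
192.0.2.33 - - [14/Jan/2014:10:04:00 +0000] "POST /blog/comment HTTP/1.1" 200 50 "-" "python-requests/2.0"
192.0.2.33 - - [14/Jan/2014:10:04:00 +0000] "POST /blog/comment HTTP/1.1" 200 50 "-" "python-requests/2.0"
192.0.2.33 - - [14/Jan/2014:10:04:01 +0000] "POST /blog/comment HTTP/1.1" 200 50 "-" "python-requests/2.0"
"""

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Example token lists (assumptions for this demo, not a complete catalogue).
CRAWLER_TOKENS = ("Googlebot", "bingbot", "Baiduspider", "YandexBot")
SCRIPT_UA_TOKENS = ("python-requests", "curl/", "libwww-perl", "Wget/")
PROBE_PATHS = ("/phpmyadmin", "/wp-login.php", "/admin", "/.git/", "/etc/passwd")


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            d = m.groupdict()
            d["status"] = int(d["status"])
            entries.append(d)
    return entries


def classify_client(reqs):
    """Label one client's requests as human, crawler, malicious_bot or other_bot."""
    uas = {r["ua"] for r in reqs}
    # Self-declared search-engine crawlers. In production, verify the claim with a
    # reverse-DNS lookup of the source IP, because the user-agent string is spoofable.
    if any(tok in ua for ua in uas for tok in CRAWLER_TOKENS):
        return "crawler"
    probes = sum(1 for r in reqs if r["path"].startswith(PROBE_PATHS))
    not_found = sum(1 for r in reqs if r["status"] == 404)
    scripted = any(tok in ua for ua in uas for tok in SCRIPT_UA_TOKENS)
    posts = [r["path"] for r in reqs if r["method"] == "POST"]
    # Automatic vulnerability searching: walking well-known admin paths, mostly 404s.
    if probes >= 2 or (len(reqs) >= 3 and not_found / len(reqs) > 0.5):
        return "malicious_bot"
    # Automated link spamming: a script hammering a single form endpoint.
    if scripted and len(posts) >= 3 and len(set(posts)) == 1:
        return "malicious_bot"
    return "other_bot" if scripted else "human"


def traffic_breakdown(log_text):
    """Return request counts per class plus the bot share and the malicious share of bots."""
    by_ip = defaultdict(list)
    for e in parse_log(log_text):
        by_ip[e["ip"]].append(e)
    counts = Counter()
    for reqs in by_ip.values():
        counts[classify_client(reqs)] += len(reqs)
    total = sum(counts.values())
    bots = total - counts["human"]
    return {
        "requests": dict(counts),
        "bot_share_pct": round(100 * bots / total, 1) if total else 0.0,
        "malicious_share_of_bots_pct": round(100 * counts["malicious_bot"] / bots, 1) if bots else 0.0,
    }


if __name__ == "__main__":
    print(traffic_breakdown(SAMPLE_LOG))
```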

DDoS attacks are evolving from volumetric Layer 3-4 attacks to much more sophisticated and dangerous Layer 7 multi-vector threats.

There will still be many SCADA security issues in 2014. Even though traditional SCADA vulnerabilities have become easier to find, the increased connectivity brought by IoT will cause new issues. And there will still be very many control systems openly accessible from the Internet to practically anybody who knows how to look for them. A large number of SCADA systems were found open on the Internet at the beginning of 2013, and the numbers have not dropped considerably during the year. I expect that very many of those systems will still be too open at the end of 2014.

The Internet is expanding into enterprise assets and consumer items such as cars and televisions. The Internet of Things (IoT) will evolve into the Web of Things, increasing the coordination between things in the real world and their counterparts on the Web. There will be many security issues to solve, and as these systems become more widely used, more security issues will be found in them.

Cloud security will be talked about. Hopefully there will be some clearing-up of the terminology in that area, because cloud security, like the term cloud computing, can mean a lot of things. It could mean how secure your cloud provider is; a service that runs in the cloud and filters what comes through it (for example e-mail or web traffic); a product protecting some service running in the cloud; or a traditional anti-virus product that connects to the cloud to enhance its operation (for example real-time updates, or verifying unknown programs against data in the cloud). Research firm Gartner forecasts that cloud security sales will increase dramatically in the next few years: from $2.1 billion over the past year to $3.1 billion in 2015.

Marketers try to put the “cloud” term into security product brochures as much as they can. The cloud makes traditional information security sound old-fashioned, because companies are under pressure to move services to the cloud. Mobile devices and dispersed users also set new requirements for information security. OpenDNS’s CTO Dan Hubbard says that “because the data and equipment run in the cloud with the users, the cloud is the best way to protect them.” The Snowden effect will also bring PRIVATE cloud talk to the table this year for security reasons, because U.S. cloud services have been put into question for good reason.

In Finland a new Cyber Security Center started in the beginning of 2014. Security articles and warnings from it will be published at kyberturvallisuuskeskus.fi.

Late addition: crypto-currencies like Bitcoin and similar are on the rise. Early adopters already use them actively. Those crypto-currencies have many security-related issues. Their value varies quite a lot, and it easily drops considerably when they get so widely used that governments try to limit their use. Bitcoin is increasingly used as a ransomware payment method. Bitcoins have been stolen quite a lot lately (and I expect that to increase as usage increases), from users, from on-line wallets and from exchanges. When more money is involved, more bad guys try to get in to grab some of it. Sometimes bad guys do not try to steal your money but use resources you pay for (your own PC, your server capacity, etc.) to generate money for them without you knowing about it. If you plan to use those crypto-currencies, be careful to understand what you are doing with them: there is a real possibility that you can lose your money, and there is no way that lost money can be recovered.

3,382 Comments

  1. Tomi Engdahl says:

    NSA phone record collection does little to prevent terrorist attacks, group says
    http://www.washingtonpost.com/world/national-security/nsa-phone-record-collection-does-little-to-prevent-terrorist-attacks-group-says/2014/01/12/8aa860aa-77dd-11e3-8963-b4b654bcc9b2_story.html?hpid=z3

    An analysis of 225 terrorism cases inside the United States since the Sept. 11, 2001, attacks has concluded that the bulk collection of phone records by the National Security Agency “has had no discernible impact on preventing acts of terrorism.”

    In the majority of cases, traditional law enforcement and investigative methods provided the tip or evidence to initiate the case, according to the study by the New America Foundation, a Washington-based nonprofit group.

    The researchers at the New America Foundation found that the program provided evidence to initiate only one case, involving a San Diego cabdriver, Basaaly ­Moalin, who was convicted of sending money to a terrorist group in Somalia. Three co-conspirators were also convicted. The cases involved no threat of attack against the United States.

    “The overall problem for U.S. counterterrorism officials is not that they need vaster amounts of information from the bulk surveillance programs, but that they don’t sufficiently understand or widely share the information they already possess that was derived from conventional law enforcement and intelligence techniques,” said the report.

  2. Tomi Engdahl says:

    Hackers stole £1.3 million from Barclays Bank using KVM device
    http://grahamcluley.com/2013/09/hackers-barclays-bank-kvm/

    Police have arrested eight men in connection with an audacious scheme which succeeded in stealing £1.3 million from Barclays Bank.

    The heist was said to have taken place at a branch of Barclays Bank in Swiss Cottage, North London, back in April, after a hardware device was attached to a branch computer.

    The device, a KVM (“Keyboard video mouse”) switch attached to a 3G router, allowed the hackers to record staff keypresses, and screen activity, helping them to steal password information. The criminal group then allegedly used the information to remotely transfer money to other accounts.

    There’s a few things of interest here.

    Firstly, it seems hard to believe that the Barclays heist isn’t connected to the very similar attempted robbery at Santander reported last week which also used a KVM switch.

    The plot against Santander was foiled, of course, with no money stolen and no customer data being put at risk. At the time Santander said it “was aware of the possibility of the attack”,

    But secondly, it appears something failed at Barclays Bank.

    Even if the hackers had managed to attach a device, and steal passwords and the like, shouldn’t internal systems have alerted about the unusual movements of money and seeked authorisation? Maybe they did, but the money still appears to have been moved by the hackers.

    And there’s a human failing too.

    Companies need to be extremely careful about who they grant physical access to their offices, and how closely such people are monitored – especially if they are an unfamiliar face.

  3. Tomi Engdahl says:

    U.S. retailer Target, which recently suffered a massive information leak, will invest five million U.S. dollars (about 3.6 million euros) in cyber security education.

    This is a multi-year campaign aimed at educating consumers about cyber-threats, such as phishing. Involved in the campaign are U.S. professional organizations, including the National Cyber-Forensics & Training Alliance and the National Cyber Security Alliance.

    In addition, Target will attempt to clean its reputation by offering customers a service that monitors their credit cards for data breaches and identity theft.

    It was estimated that 110 million customer credit card information was stolen.

    Source: Tietoviikko
    http://www.tietoviikko.fi/kaikki_uutiset/tietomurron+uhri+paikkailee+mainettaan+miljoonilla/a959496

  4. Tomi Engdahl says:

    Latest Chrome adds Chrome OS flavor to Windows 8 mode
    Noisy tab alerts, supervised users, and malware blocking, too
    http://www.theregister.co.uk/2014/01/15/chrome_32_new_features/

    Google on Tuesday delivered a new stable version of Chrome that offers a few features previously only available in beta versions, as well as giving a major overhaul to the UI of the browser’s Windows 8 mode.

    The new version is the first mainstream release to include a feature that allows users to quickly locate tabs that are playing unwanted audio.

    Another feature that has made it into mainstream Chrome after premiering in experimental builds is supervised users, which allows parents and other overseers to monitor the browsing habits of their charges.

    The latest Chrome also comes with a new anti-malware feature that will automatically block downloads of files that it considers malicious and issue a warning message.

  5. Tomi Engdahl says:

    Surveillance-court judges oppose White House group’s NSA proposals
    http://www.washingtonpost.com/world/national-security/surveillance-court-judges-oppose-white-house-groups-nsa-proposals/2014/01/14/3c41e1e2-7d60-11e3-93c1-0e888170b723_story.html

    Current and former judges on the nation’s secret surveillance court said in a letter released Tuesday that several recommendations made by a White House review group would significantly increase the court’s workload and undermine its effectiveness.

  6. Tomi Engdahl says:

    N.S.A. Devises Radio Pathway Into Computers
    http://www.nytimes.com/2014/01/15/us/nsa-effort-pries-open-computers-not-connected-to-internet.html?pagewanted=all

    The National Security Agency has implanted software in nearly 100,000 computers around the world that allows the United States to conduct surveillance on those machines and can also create a digital highway for launching cyberattacks.

  7. Tomi Engdahl says:

    Twitter enforces SSL encryption for apps connecting to its API
    http://www.zdnet.com/twitter-enforces-ssl-encryption-for-apps-connecting-to-its-api-7000025138/

    Summary: Twitter closes the end-user privacy gap in third-party apps that connected to its API in plaintext.

  8. Tomi Engdahl says:

    Thousands Of Hotel Listings Were Hijacked In Google+ Local
    http://searchengineland.com/thousands-of-hotels-listings-were-hijacked-in-google-local-181670

    Thousands of hotels listed within Google+ Local appear to have had links leading to their official sites “hijacked” and replaced with ones leading to third-party booking services.

    The hijacked listings all make use of links that lead to either RoomsToBook.Info or RoomsToBook.Net.

    In other cases, visitors were forwarded to the HotelsWhiz.com web site.

    Whether any of these companies are ultimately responsible for the hijacking is uncertain. All we know so far is that these listings have been hijacked, but exactly how or why isn’t clear.

    Google has now said that I can confirm it is aware of the issue and is working to fix it.

  9. Tomi Engdahl says:

    What Secrets Your Phone Is Sharing About You
    Businesses Use Sensors to Track Customers, Build Shopper Profiles
    http://online.wsj.com/news/article_email/SB10001424052702303453004579290632128929194-lMyQjAxMTA0MDEwMzExNDMyWj

    He knows that 250 went to the gym that month, and that 216 came in from Yorkville, an upscale neighborhood.

    And he gleans this information without his customers’ knowledge, or ever asking them a single question.

    Mr. Zhang is a client of Turnstyle Solutions Inc., a year-old local company that has placed sensors in about 200 businesses within a 0.7 mile radius in downtown Toronto to track shoppers as they move in the city.

    The sensors, each about the size of a deck of cards, follow signals emitted from Wi-Fi-enabled smartphones. That allows them to create portraits of roughly 2 million people’s habits as they have gone about their daily lives, traveling from yoga studios to restaurants, to coffee shops, sports stadiums, hotels, and nightclubs.

    But Turnstyle is among the few that have begun using the technology more broadly to follow people where they live, work and shop. The company’s dense network of sensors can track any phone that has Wi-Fi turned on, enabling the company to build profiles of consumers’ lifestyles.

    But as the industry grows in prominence, location trackers are bound to ignite privacy concerns.

    In the U.S., companies don’t have to get consent before collecting and sharing most personal information, including location.

    For example, by monitoring how many times a consumer visits a golf course in a month, Viasense can classify her as a casual, intermediate or heavy golfer.

    Viasense doesn’t gather personal information or know any of its users’ names.

    Right now, the only way to opt out of geolocation is to either switch off the Wi-Fi on a cellphone, or make a request through the website of one of the data companies, like Turnstyle, that has an opt-out option.

  10. Tomi Engdahl says:

    Even ‘Your computer has a virus’ cold-call gits are migrating off XP
    Malware telescammers now target slab-fondlers+mobe-strokers
    http://www.theregister.co.uk/2014/01/15/tech_support_scammers_moving_on_to_target_smartphone_and_tablet_users/

    Tech support scammers have begun targeting smartphone and tablet users with offers to fix non-existent problems – for exorbitant fees.

    Cold call scams that attempt to hoodwink marks into paying for useless remote diagnostic and cleanup services have been a popular scam for years. Victims are often encouraged to sign up to multi-year support contracts costing hundreds of dollars for unnecessary and worthless services.

    As before, the short con relies on social engineering techniques to create the perception of severe (in reality, imaginary) problems in urgent need of fixing. Victims are roped in using either cold calling or online advertising.

    “Windows prefetch files are often used by scammers to make up non-existing threats,” Segura explained. “In this case the technician removed all the ‘infected files’ and simulated a ‘re-infection’ by quickly restoring them from the Recycle Bin (Ctrl+Z trick).”

    Many people who aren’t too tech-savvy are likely to take the whole performance at face value before ultimately “paying several hundred dollars for dubious services from rogue technical support companies,” Segura concludes.

    Segura recorded a video of the Android support scam in progress.

    Ridding the web of such scams is likely to prove akin to playing a game of Whack-A-Mole.

    The progress of the tech support scam from Windows to Mac to tablet and smartphone reflects the changing way people access the internet.

    “The tech support scam lives on by adapting to its environment and exploiting the never failing human factor,” Segura concludes.

  11. Tomi Engdahl says:

    Mozilla Calls on World to Protect Firefox Browser From the NSA
    http://www.wired.com/wiredenterprise/2014/01/mozilla/

    Brendan Eich is the chief technology officer of the Mozilla Foundation, the non-profit behind the Firefox web browser. Among many other things, he oversees the Firefox security team — the software engineers who work to steel the browser against online attacks from hackers, phishers, and other miscreants — and that team is about to get bigger. Much, much bigger.

    The move is one more way that the giants of the web are responding to revelations that the National Security Agency is snooping on web traffic via popular services and software.

    “As the Lavabit case suggests, the government may request that browser vendors secretly inject surveillance code into the browsers they distribute to users,” Eich says. “We have no information that any browser vendor has ever received such a directive. However, if that were to happen, the public would likely not find out due to gag orders.”

    Because Firefox is open source, outsiders can not only audit the code, they patch holes in the software and distribute such changes independently of Mozilla. In other words, if there’s a problem with Mozilla or Firefox, someone else can fix it and publish a new version online.

    That isn’t necessarily the case with Firefox’s competitors. Microsoft’s Internet Explorer isn’t open source at all, and although Apple Safari, Google Chrome and Opera are based on open source software, all contain at least some proprietary code.

  12. Tomi Engdahl says:

    Are Ethical Hackers the Alchemists of Our Time… The Masters of the Binary Evolution?
    http://www.wired.com/insights/2014/01/ethical-hackers-alchemists-time-masters-binary-evolution/

    Far too many people still envision hackers as evil. The name hacker itself to most conjures up images of some basement-dwelling, pimply geek who gets off on trying to hack the Pentagon or MI5… or even worse, messes with ordinary peoples’ computers making misery of our lives as we battle spam, malware, Trojans and other forms of time-wasting and spending money hand over fist getting things back to normal.

    But actually, as the English lexicon evolves the idea of hacking and hackers is changing.

    Ethical Hackers are now kind of becoming the alchemists of the 21st century — speaking the language of code — that drives so much of our lives this millennium.

    According to the Daily Mail in the U.K., the average person checks their mobile phone about 110 times a day (and up to every six seconds in the evening.)

    Mobile Apps, developed largely by “hackers” are influencing lives in a huge way.

  13. Tomi Engdahl says:

    Finnish Study: every other large company network has signs online data breach

    Signs of an ongoing data breach were discovered in the networks of every other Finnish listed company, a recent study reveals. In-house systems and networks open encrypted connections to servers in different parts of the world, through which the attacks are coordinated.

    A study published today by KPMG examined large Finnish companies’ IT environments and their exposure to new, advanced malware, such as that used in network espionage. The “Outbreak – Unknown Threat in Finland” research report can be downloaded from the company’s website.

    A number of companies consider online industrial espionage only a theoretical threat that can be prevented with antivirus and passwords. In Finland we are believed to be in a special position regarding advanced malware and online espionage. We are not.

    The study examined the situation of Finnish companies by analyzing the organizations’ network traffic in the autumn of 2013. The aim was to determine the exposure of companies to new and sophisticated threats such as zero-day vulnerabilities, which could result in, among other things, information leaks. The study involved 10 companies from various industries, most of which are listed on the Helsinki Stock Exchange.

    Source: Tietoviikko
    http://www.tietoviikko.fi/kaikki_uutiset/suomalaistutkimus+joka+toisen+suuryrityksen+verkossa+merkkeja+tietomurrosta/a959807

  14. Tomi Engdahl says:

    Unknown Threat in Finland
    http://www.kpmg.com/FI/fi/Ajankohtaista/Uutisia-ja-julkaisuja/Neuvontapalvelut/Sivut/unknown-threat-in-finland.aspx

    Conclusions

    The main finding of the study is that almost half of the
    case organisations in the scope of the study are already
    breached. It means that organisations in Finland cannot
    trust that their information assets are secured

    In the study, we noticed that there is a lot of malicious
    zero-day traffic that is impossible to detect using traditional
    information security solutions. In addition to this advanced
    threat, there is also known malicious traffic that should not
    exist if already installed solutions would work properly.
    Organisations should investigate whether their protection
    mechanisms are sufficient in today’s interconnected world
    where attacks are growing in complexity.
    Information security attacks may have significant
    business impact. Therefore, it is essential that IT and
    business functions have a regular dialogue on the state of
    information security and handle information security risks
    as part of day-to-day risk management

  15. Tomi Engdahl says:

    Cyberspies blast Icefog into US targets’ backdoors
    You dirty RATs
    http://www.theregister.co.uk/2014/01/15/icefog_java_based_backdoor/

    Miscreants behind a cyberespionage campaign have changed their methods to take advantage of Java-based malware.

    The Icefog APT (advanced persistent threat), discovered in September 2013, continues to be a problem, this time utilising a Java backdoor, according to the latest analysis of the threat by security researchers at Kaspersky Labs.

    Analysts at the Russian security firm have observed three unique victims of “Javafog”, all of them in the US. One of the victims is a very large American independent oil and gas corporation, with operations in many other countries.

    The threat first arose in 2011 with attacks against supply chain organisations to government institutions, military contractors, maritime and ship-building groups mainly in Japan and South Korea.

    Java-based malware is less widely used than either Windows or Mac executables, and can be harder to spot, according to Kaspersky researchers.

    “We observed the attack commencing by exploiting a Microsoft Office vulnerability, followed by the attackers attempting to deploy and run Javafog, with a different C&C,” Kaspersky researchers explain in a blog post.

    “Because organisations can’t eliminate Java from their environments, it is not surprising that adversaries and cyber-criminals are using malicious Java code to infiltrate them.”

    To prevent Java exploits and malware-based infiltrations, it is important to restrict execution only to known trusted Java files.

  16. Tomi Engdahl says:

    The Icefog APT Hits US Targets With Java Backdoor
    https://www.securelist.com/en/blog/208214213/The_Icefog_APT_Hits_US_Targets_With_Java_Backdoor

    Icefog, also known as the “Dagger Panda” by Crowdstrike’s naming convention, infected targets mainly in South Korea and Japan. You can find our Icefog APT analysis and detailed report here.

  17. Tomi Engdahl says:

    Norwegian professor emeritus Jan Arild Audestad reveals that when the GSM network was born, the original intention was to use 128-bit encryption.

    The British authorities pressured for 48-bit encryption.

    As a compromise, the GSM network ended up using 64-bit encryption in which the last ten bits are zeros. In practice, therefore, the encryption is 54-bit.

    64-bit A5/1 encryption was broken by 2009, when German hacker Karsten Nohl and his partners announced this and put the necessary code up for online distribution. The 128-bit A5/3 version was introduced in 2007 and is still considered safe.

    One comment says that some networks in certain countries used the even weaker A5/0 option, “no encryption”.

    Sources:
    http://www.tietoviikko.fi/kaikki_uutiset/gsmverkon+kehittajat+paljastavat+brittien+tiedustelupalvelu+painosti+kayttamaan+heikompaa+salausta+jo+1980luvulla/a959220
    http://www.nrk.no/norge/presset-til-a-svekke-mobilsikkerhet-1.11460787

  18. Tomi Engdahl says:

    Phil Zimmerman Launching Secure “Blackphone”
    http://mobile.slashdot.org/story/14/01/15/1526211/phil-zimmerman-launching-secure-blackphone

    “Famed cryptography activist Phil Zimmerman is set to launch Blackphone, a privacy-oriented phone which allows secure calls and messages. The phone is a joint venture between Zimmerman’s Silent Circle communications provider and Geeksphone,”

    Privacy and control
    https://www.blackphone.ch/

    Blackphone is the world’s first smartphone to put privacy and control ahead of everything else. Ahead of carriers. Ahead of advertising. Blackphone is re-shaping the landscape of personal communication

  19. Tomi Engdahl says:

    Five UK banks sign up to hook up customers’ ACCOUNTS to their MOBILE DEVICES
    Zapp! Yes, that’s the sound of your cash disappearing
    http://www.theregister.co.uk/2014/01/15/zapp_mobile_payments/

    British banks HSBC, First Direct, Nationwide, Santander and Metro Bank have all signed up to Zapp’s mobile payment system, allowing their customers to pay using a tablet or smartphone.

    The announcement comes just days after O2 snapped shut its Wallet service.

    The Zapp system will be rolled out through the banks’ own apps.

    The reliance on banks to produce the apps means that which phone platforms will be supported is again down to the individual banks.

  20. Tomi Engdahl says:

    Obama reveals tiny NSA reforms … aka reforming your view of the NSA
    Prez announces tweaks here and there for ordinary American citizens
    http://www.theregister.co.uk/2014/01/17/obama_promises_limited_reforms_of_nsa_powers_against_ordinary_americans/

    President Obama has today outlined his plans to tweak the rules under which US intelligence services monitor their own population and citizens of countries around the world.

    “As the nation that developed the Internet, the world expects us to ensure that the digital revolution works as a tool for individual empowerment rather than government control,” he said during a White House briefing.

    Obama announced that today’s system of collecting metadata on all US phone calls under Section 215 of the Patriot Act will be changed at some point this year. Rather than having the government hold this vast repository of data, this will either be left to the phone companies or handed off to an unnamed third party for storage, Obama said.

    In addition, starting immediately, intelligence analysts will no longer be able to search the phone records without obtaining a court order.

    Obama emphasized this was the start of the reform process and he would be appointing a senior White House official to oversee the changes. Obama said he would also be happy to work with Congress to adapt US intelligence protocols further and was starting a separate, more general, review of big data and privacy.

  21. Tomi Engdahl says:

    Proofpoint reveals ‘Internet of things’ cyberattack
    http://www.technologytell.com/hometech/103593/proofpoint-reveals-iot-cyberattack/

    Today Proofpoint, a security service provider, put out a press release that reveals a cyberattack coming from smart appliances–the first such documented Internet of Things (IoT) attack. More than 750,000 malicious emails were sent from 100,000+ compromised connected home appliances and gadgets, including routers, TVs, and a connected fridge. Considering that the market is flooded with such devices, it brings up some important security questions. Questions that the homeowner may not think to ask.

    Apparently, the attack was pretty easy to execute, with the hackers using default passwords that left the devices completely exposed. Unlike computers that either have built-in protection, like Macs, or protective software, the study exposed the great vulnerability that IoT devices have, with “virtually no way to detect or fix infections when they do occur.”

    Everything–from smart thermostats to security cameras to microwaves to smart TVs–is at risk. This is a huge blow to major manufacturers like Samsung, Bosch, LG, and others, who just launched major connected appliances for 2014.

  22. Tomi Engdahl says:

    ATMs Face Deadline to Upgrade From Windows XP
    http://www.businessweek.com/articles/2014-01-16/atms-face-deadline-to-upgrade-from-windows-xp

    When ATMs were introduced more than 40 years ago, they were considered advanced technology. Today, not so much. There are 420,000 ATMs in the U.S., and on April 8, a deadline looms for nearly all of them that underscores how sluggishly the nation’s cash delivery system moves forward. That’s the day Microsoft (MSFT) cuts off tech support for Windows XP, meaning that ATMs running the software will no longer receive regular security patches and won’t be in compliance with industry standards.

    Most machines that get upgraded will shift to Windows 7, an operating system that became available in October 2009. (Some companies get a bit of a reprieve: For ATMs using a stripped-down version of XP known as Windows XP Embedded, which is less susceptible to viruses, Microsoft support lasts until early 2016.)

    Microsoft’s 12-year-old Windows XP dominates the ATM market, powering more than 95 percent of the world’s machines and a similar percentage in the U.S.

    More advanced ATM fleets can do the update over their networks. Older ATMs must be upgraded one by one or even replaced entirely if they don’t have enough computing power to run the newer, more demanding software.

    “A lot of ATMs will have to either have their components upgraded or be discarded altogether and sold into the aftermarket—or just junked.”

    Microsoft is selling custom tech support agreements that extend the life of Windows XP, although the cost can soar quickly—multiplying by a factor of five in the second year, says Korala.

    The cost to upgrade a single ATM to Windows 7 can range from a few hundred dollars if its hardware is adequate, says Stewart, to thousands of dollars if new components are required.

    ATMs whose operators ignore the deadline will continue to function, says Dean Stewart, an executive at Diebold (DBD), which makes ATMs. They’ll just become more vulnerable to malware and other attacks against weaknesses discovered over time in Windows XP.

    Reply
  23. Tomi Engdahl says:

    KC engineer ‘exposed unencrypted spreadsheet with phone numbers, user IDs, PASSWORDS’
    Hull-based ISP investigates possible data gaffe spotted by customer
    http://www.theregister.co.uk/2014/01/17/kc_caught_in_possible_data_gaffe_as_engineer_flashes_userid_spreadsheet_at_customer/

    Hull’s dominant telco, KC, is investigating revelations of what appears to be poor handling of the company’s customer data.

    setting up a Netgear router, the engineer carelessly exposed sensitive data, claimed Hill

    “he opened a spreadsheet and looked my phone number up in it. There was my user ID and password, in plain text, along with everyone else’s.”

    “I asked him if he had my password with him, he said ‘yes – it makes our job much easier’, then changed the subject. I said that I wasn’t happy that our passwords are not encrypted and that I realised it wasn’t his fault.”

    “This cannot be a single engineer acting badly as if the passwords were stored encrypted he wouldn’t be able to get plain-text copies”

    A KC spokeswoman told us:

    “I can assure you that all of our laptops are encrypted, password-protected and fitted with tracking technology and the facility to remotely wipe data.”

    Reply
  24. Tomi Engdahl says:

    PoS Malware Targeted Target
    http://www.seculert.com/blog/2014/01/pos-malware-targeted-target.html

    Dexter was a doozy, but recent Seculert research reveals that it wasn’t the source of the point-of-sale (PoS) attack on Target.

    Seculert’s Research Lab ran the sample of the malware and discovered that unlike Dexter, this attack had 2 stages, which is a well known attribute of an advanced threat. First, the malware that infected Target’s checkout counters (PoS) extracted credit numbers and sensitive personal details. Then, after staying undetected for 6 days, the malware started transmitting the stolen data to an external FTP server, using another infected machine within the Target network.

    On December 2, the malware began transmitting payloads of stolen data to a FTP server of what appears to be a hijacked website. These transmissions occurred several times a day over a 2 week period.

    Also on December 2, the cyber criminals behind the attack used a virtual private server (VPS) located in Russia to download the stolen data from the FTP.

    They continued to download the data over 2 weeks for a total of 11 GB of stolen sensitive customer information.

    Reply
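The Seculert write-up above describes a pattern that is detectable from network telemetry alone: an internal host pushing large uploads to one external FTP server, several times a day, for about two weeks. The following Python is an added example, not code from Seculert or from Target; it groups constructed flow records by (source, destination) and flags outbound FTP pairs that recur across many days and move a lot of data. The flow tuple layout, the internal address ranges and the thresholds are assumptions for the demo.

```python
"""Flag recurring, high-volume outbound FTP transfers in flow records (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumption: RFC 1918 space is "inside"; adjust to the real network plan.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
FTP_PORTS = {21, 990}  # plain FTP control channel and implicit FTPS


def is_internal(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def build_sample_flows():
    """Constructed flow records (timestamp, src, dst, dst_port, bytes_out).

    One internal host uploads ~250 MB to an external FTP server three times a
    day for 14 days (about 11 GB in total), mixed with benign traffic.
    """
    flows = []
    start = datetime(2013, 12, 2)
    for day in range(14):
        for hour in (3, 11, 19):
            ts = start + timedelta(days=day, hours=hour)
            flows.append((ts, "10.20.5.17", "203.0.113.45", 21, 262_144_000))
        # Benign noise: an HTTPS request and an FTP sync between two internal hosts.
        ts = start + timedelta(days=day, hours=9)
        flows.append((ts, "10.20.9.3", "198.51.100.8", 443, 12_000))
        flows.append((ts, "10.20.9.3", "10.20.0.50", 21, 40_000_000))
    return flows


def find_ftp_exfil(flows, min_days=3, min_total_bytes=100_000_000):
    """Return {(src, dst): summary} for internal->external FTP pairs that
    recur on at least `min_days` distinct days and exceed `min_total_bytes`."""
    stats = defaultdict(lambda: {"days": set(), "count": 0, "bytes": 0})
    for ts, src, dst, port, nbytes in flows:
        # Only outbound FTP from inside to outside is of interest here.
        if port not in FTP_PORTS or not is_internal(src) or is_internal(dst):
            continue
        entry = stats[(src, dst)]
        entry["days"].add(ts.date())
        entry["count"] += 1
        entry["bytes"] += nbytes
    return {
        pair: {"days_active": len(s["days"]), "transfers": s["count"], "bytes": s["bytes"]}
        for pair, s in stats.items()
        if len(s["days"]) >= min_days and s["bytes"] >= min_total_bytes
    }


if __name__ == "__main__":
    for pair, summary in find_ftp_exfil(build_sample_flows()).items():
        print(f"{pair[0]} -> {pair[1]}: {summary}")
```

The day-count threshold is what separates a one-off backup from the steady drip described in the post; the byte threshold keeps small legitimate uploads out of the alert queue. Pairing this with a list of approved external FTP destinations would turn the heuristic into a policy check.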
  25. Tomi Engdahl says:

    highlighted in your article are the problems with the code itself. With industrial control and SCADA systems increasingly on standard networks, they are exposed to more and more frequent attacks.

    This year, the IEEE and state licensing boards are instituting a Professional Engineer certification for Software Engineers. The main target of such a certification is avionics, medical and control software, especially embedded. The PE, as in other fields, will certify a product in terms of the relevant standards. These should include safety and security standards.

    Source: comment at
    Fuzzing Framework Fights Control Hackers
    http://www.designnews.com/author.asp?section_id=1386&doc_id=270948&cid=nl.dn14&dfpPParams=ind_182,industry_machinery,aid_270948&dfpLayout=blog

    Reply
  26. Tomi Engdahl says:

    Project Rocus
    http://www.automatak.com/robus/

    An ongoing search for 0-day vulnerabilities in SCADA/ICS protocols. ‘Robus’ is Latin for bulwark, source of strength, or solidity.

    Why?
    We believe that robust software is required to secure the ICS space. Research will create awareness. If not us, who? If not now, when?

    Disclosure Policy
    Relax, we’re the good guys. We disclose vulnerabilities to the vendor and ICS-CERT. We work with affected vendors to validate patches and improve testing practices.

    Reply
  27. Tomi Engdahl says:

    Bitcoin’s so over. We’re mining Primeco… Oh SNAP, my box is a ZOMBIE!
    Malware writers target would-be fans of new cryptocurrency
    http://www.theregister.co.uk/2014/01/17/primecoin_malware_miner_discovered/

    Security experts have warned crypto-currency fans of malware hidden in certain miners for Bitcoin-alike cryptocurrency Primecoin.

    The malicious Primecoin miners were found on various Chinese sites and torrents by Panda Security researcher Mehrdad Yazdizadeh.

    “Primecoin miners are written in Python and other scripting languages and are using a variety of methods to infect the users’ systems i.e. brute-forcing, privilege escalation, modify SQL tables,” he told The Hacker News.

    “On execution, the malware will inject the SQL server to cmd.exe, svchost.exe, explorer.exe and similar processes to hide itself as rootkits.”

    The malware apparently launches a brute force attack on user accounts for privilege escalation and will also try to download more malicious files from other servers.

    Malware targeting crypto-currencies is nothing new, of course, but this latest discovery proves cyber-criminals are well aware there’s a thriving market to be exploited beyond Bitcoin.

    Reply
  28. Tomi Engdahl says:

    Trust No US Companies With The Future Of Bitcoin
    http://bitcoinmagazine.com/6386/trust-no-us-companies-with-the-future-of-bitcoin/

    Secure email providers Lavabit and Silent Circle have taken the heroic steps of shutting down their businesses in order to preserve their integrity. Unfortunately the definition of heroism necessarily implies that their actions are heroic because they are unusual. Their actions surprised us because most companies, when faced with a choice between continued operation and honoring the trust their users have given them, toss integrity aside.

    2013 was a great and terrible year for US Bitcoin companies. Several high profile companies received significant venture backing, which is good insofar as a recognition of their success and growth potential. However this also puts them in a hostage situation.

    From its inception, Bitcoin was destined to come into conflict with laws and regulators in the same way P2P file sharing did, and from its inception some people respond to Bitcoin’s potential by suggesting that it be changed to make it more compatible with the systems of legal control it was designed to evade.

    Some of the proposals which have been suggested in the past include: adding the capability to reverse transactions, confiscation of balances, creating a central authority that can whitelist and/or blacklist addresses, and requiring all users to register their wallets with a government agency. So far none of these have been implemented into the protocol, but the pressure to do so will only continue to increase, especially from venture-funded companies, especially in the USA.

    Ultimately it will be up to the international Bitcoin community to resist these pressures.

    Bits of Proof and btcd are positive steps towards making the Bitcoin protocol resistant to arbitrary change by a small group. The best possible outcome for the network is to be composed of heterogeneous nodes, consisting of independent implementations which only implement protocol changes via a standardization process which involves near-universal consensus.

    The single best step the global Bitcoin community could take to ensure this outcome is to create and fund projects that implement alternate Bitcoin implementations in a manner independent of any US person, company, or organization.

    Bitcoin promises to be a neutral and international monetary standard, which provides a level playing field for participants all over the world. In order to realize this potential, it must be protected from the controlling influences of any single government.

    Reply
  29. Tomi Engdahl says:

    China is building its own operating system – Android is not secure enough

    China to develop its own operating system, which would be safer for the State than Android and Windows.

    According to China, security concerns alone are the reason to develop its own operating system: a number of open-source platforms, including Android and Ubuntu, have security holes. In addition, platforms developed in the Western world do not take Chinese usage patterns into account.

    Currently, the most common platforms are Windows and Android.

    China has named its own platform COS (China Operating System).

    COS is designed to run on traditional computers, smart phones, tablet computers and TVs. The platform supports HTML5 applications. China plans to attract mobile phone manufacturers to use COS.

    So far, the platform is still in progress.

    Source: Tietoviikko
    http://www.tietoviikko.fi/kaikki_uutiset/kiina+rakentaa+omaa+kayttojarjestelmaa++android+ei+ole+tarpeeksi+turvallinen/a960458

    Reply
  30. Tomi Engdahl says:

    Encrypted messaging startup Wickr offers $100K bug bounty
    The company hopes to tap the security research community to find potential problems
    http://www.networkworld.com/news/2014/011514-encrypted-messaging-startup-wickr-offers-277752.html

    Two-year-old startup Wickr is offering a reward of up to $100,000 to anyone who can find a serious vulnerability in its mobile encrypted messaging application, which is designed to thwart spying by hackers and governments.

    The reward puts the small company in the same league as Google, Facebook and Microsoft, all of which offer substantial payouts to security researchers for finding dangerous bugs that could compromise their users’ data.

    In a statement, Wickr said “we expect finding critical vulnerabilities in Wickr to be difficult and are honored to work with those that do.”

    Reply
  31. Tomi Engdahl says:

    IN-CAR LOCATION-BASED SERVICES
    http://www.gao.gov/assets/660/659509.pdf

    Companies Are Taking Steps to Protect Privacy, but Some Risks May Not Be Clear to Consumers

    Reply
  32. Tomi Engdahl says:

    Java, Android were THE wide-open barn doors of security in 2013 – report
    Cisco research claims two techs led to nearly all of the exploits
    http://www.theregister.co.uk/2014/01/17/cisco_dont_like_malware_phishing_etc_stay_away_from_java_and_android/

    While it was another tough year for network security all around, 2013 was particularly hard on users of Java and Android, new research from Cisco has found.

    According to the networking giant’s latest Annual Security Report, Java flaws were responsible for 91 per cent of all web-based exploits in 2013. Meanwhile, fully 99 per cent of all mobile malware discovered during the year targeted Android, as did 71 per cent of all web-based attacks on mobile devices.

    So many flaws have been found in the Java web plugin now, in fact, that no less than the US Department of Homeland Security has urged Americans to disable Java in their browsers unless it’s absolutely necessary, since there are likely to be many more vulnerabilities waiting to be exploited.

    “If security professionals who have limited time to fight web exploits decide to focus most of their attention on Java, they’ll be putting their resources in the right place,” Cisco’s report suggests.

    Often, Cisco says, criminals will target industry-specific websites to set up “watering holes,” malware-spewing sites designed to compromise groups of people with common interests, such as people who work in the same field.

    Reply
  33. Tomi Engdahl says:

    US Government To Convert Silk Road Bitcoins To USD
    http://news.slashdot.org/story/14/01/17/0326217/us-government-to-convert-silk-road-bitcoins-to-usd

    “The founder of the Silk Road underground website has forfeited the site and thousands of bitcoins, worth around $28 million at current rates, to the U.S. government.”

    ‘The United States Marshals Service shall dispose of the Silk Road Hidden Website and the Silk Road Server Bitcoins according to law,’ wrote Judge J. Paul Oetken

    Reply
  34. Tomi Engdahl says:

    Averting a data center legal crisis
    Engineers involved in data center design can limit their potential exposure by taking a few simple steps.
    http://www.controleng.com/single-article/averting-a-data-center-legal-crisis/844cfee5cba1f07d90e4ca7d0e3b29bf.html

    Reply
  35. Tomi Engdahl says:

    Starbucks’ updated iOS app more securely stores user passwords (update)
    http://www.theverge.com/2014/1/16/5315844/starbucks-will-update-ios-app-to-more-securely-store-user-passwords

    Yesterday, it came to light that the Starbucks mobile payment app for iOS wasn’t totally secure: the app was storing usernames, passwords, and email addresses in an unencrypted plain text format.

    Now, Starbucks says it will do just that. In a press statement issued by the company, Starbucks CIO Curt Gartner writes that while “there is no indication that any customer has been impacted by this or that any information has been compromised,” the company will indeed update its app.

    Reply
  36. Tomi Engdahl says:

    NSA collects millions of text messages daily in ‘untargeted’ global sweep
    http://www.theguardian.com/world/2014/jan/16/nsa-collects-millions-text-messages-daily-untargeted-global-sweep

    • NSA extracts location, contacts and financial transactions
    • ‘Dishfire’ program sweeps up ‘pretty much everything it can’
    • GCHQ using database to search metadata from UK numbers

    The National Security Agency has collected almost 200 million text messages a day from across the globe, using them to extract data including location, contact networks and credit card details, according to top-secret documents.

    The untargeted collection and storage of SMS messages – including their contacts – is revealed in a joint investigation between the Guardian and the UK’s Channel 4 News based on material provided by NSA whistleblower Edward Snowden.

    Reply
  37. Tomi Engdahl says:

    Norwegian professor emeritus Jan Arild Audestad reveals that when the GSM network was born, the original intention was to use 128-bit encryption.

    The British authorities pressured for the use of 48-bit encryption.

    As a compromise, the GSM network ended up using 64-bit encryption in which the last ten bits are zeros. In practice, therefore, the encryption is 54-bit.

    The 64-bit A5/1 encryption was broken by 2009, when German hacker Karsten Nohl and partners announced this and put the necessary code online for distribution. The 128-bit A5/3 version was introduced in 2007 and is still considered safe.

    One comment says that some networks in certain countries used the even weaker A5/0 option, “no encryption”.

    Sources:
    http://www.tietoviikko.fi/kaikki_uutiset/gsmverkon+kehittajat+paljastavat+brittien+tiedustelupalvelu+painosti+kayttamaan+heikompaa+salausta+jo+1980luvulla/a959220
    http://www.nrk.no/norge/presset-til-a-svekke-mobilsikkerhet-1.11460787

    Reply
  38. Tomi Engdahl says:

    Making digital forensics a critical part of your cyber security defenses
    http://www.controleng.com/single-article/making-digital-forensics-a-critical-part-of-your-cyber-security-defenses/640c16d8a4777788817b5373941b3029.html

    Do you know your ICSs well enough to recognize when something is happening that shouldn’t be? That knowledge is critical to your defensive strategy, and represents the biggest advantage you have over attackers. See step-by-step cyber security table with tools, tactics, and tips.

    Using digital forensic techniques with your industrial control systems (ICSs) and their networks is a hugely powerful defensive tool, yet it is one of the least understood concepts in cyber security.

    Digital forensics is a branch of forensic science that focuses on the digital domain. It includes fields such as computer forensics, network forensics, and mobile forensics. It is a fairly new field in relation to other sciences and engineering; thus it is important to break it down and attempt to understand the topic more fully.

    Forensic science is a method of gathering and examining information. It’s all about formulating a question and searching for an answer.

    Imagine a simple example: Say the data historian did not collect commands sent from the SCADA (supervisory control and data acquisition) server to the RTU (remote terminal unit). Why not? Is there malicious activity going on within a network? Are there network abnormalities, failures, or misconfigurations that could lead to costly mistakes? These are questions well suited for digital forensic investigations.

    With the increasingly interconnected nature of ICS environments, there are bound to be network and device configuration issues. There are also going to be malicious actors that break into networks to cause havoc or steal sensitive data. Verizon’s 2013 Data Breach Investigation Report showed that of the 47,000+ network intrusions observed in the past year, 20% involved manufacturing, transportation, and utilities. Of those intrusions, 66% took months or years to discover. Attackers, especially those who do not fully understand the unique nature of control systems, can cause significant damage with months to access sensitive networks. In reality, though, there has been and there will continue to be a lot of hype around cyber threats.

    Reply
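The Control Engineering piece above poses the forensic question directly: the historian did not record commands the SCADA server sent to an RTU, so why not? The Python below is an added example (not from the article or its author) of the cross-check an investigator would run: reconcile the master’s own command log against historian records and, for each unrecorded command, tell apart a historian that recorded nothing at all for that RTU around that time (a collection failure or misconfiguration) from a historian that recorded neighbouring events but not this one (selective omission, which deserves a closer look). The command and historian tuple layouts, the sample values and the tolerances are constructed for the demo.

```python
"""Reconcile SCADA master commands against historian records (added example)."""
from datetime import datetime, timedelta

# Constructed: commands the SCADA master sent, as (timestamp, rtu, op, point, value).
# In practice this comes from the master's audit log or a packet capture.
COMMANDS = [
    (datetime(2014, 1, 17, 8, 0, 5), "RTU-7", "WRITE", "PUMP_3", 1),
    (datetime(2014, 1, 17, 8, 2, 0), "RTU-7", "WRITE", "VALVE_12", 0),
    (datetime(2014, 1, 17, 8, 5, 0), "RTU-7", "WRITE", "PUMP_3", 0),
    (datetime(2014, 1, 17, 9, 15, 0), "RTU-4", "WRITE", "BREAKER_1", 1),
    (datetime(2014, 1, 17, 10, 30, 0), "RTU-2", "WRITE", "SETPOINT_A", 42.5),
    (datetime(2014, 1, 17, 10, 31, 0), "RTU-2", "WRITE", "SETPOINT_B", 17.0),
]

# Constructed: what the historian actually stored, as (timestamp, rtu, point, value).
HISTORIAN = [
    (datetime(2014, 1, 17, 8, 0, 6), "RTU-7", "PUMP_3", 1),
    (datetime(2014, 1, 17, 8, 2, 1), "RTU-7", "VALVE_12", 0),
    (datetime(2014, 1, 17, 8, 4, 30), "RTU-7", "PUMP_3", 1),      # periodic poll, not the 08:05 write
    (datetime(2014, 1, 17, 9, 15, 0), "RTU-4", "BREAKER_1", 1),
    (datetime(2014, 1, 17, 10, 45, 0), "RTU-2", "SETPOINT_A", 42.5),  # 15 min late: not a match
]


def find_unrecorded_commands(commands, historian, tolerance=timedelta(seconds=2)):
    """Return the commands with no historian record of the same RTU, point and
    value within `tolerance` of the command timestamp."""
    unmatched = []
    for ts, rtu, op, point, value in commands:
        recorded = any(
            h_rtu == rtu and h_point == point and h_value == value and abs(h_ts - ts) <= tolerance
            for h_ts, h_rtu, h_point, h_value in historian
        )
        if not recorded:
            unmatched.append((ts, rtu, op, point, value))
    return unmatched


def classify_gaps(unmatched, historian, window=timedelta(minutes=5)):
    """Label each unrecorded command by whether the historian has *any* data
    for that RTU within `window`: none at all points to a collection outage,
    data on either side but not this event points to selective omission."""
    labelled = []
    for cmd in unmatched:
        ts, rtu = cmd[0], cmd[1]
        nearby = [h for h in historian if h[1] == rtu and abs(h[0] - ts) <= window]
        labelled.append((cmd, "collection gap" if not nearby else "selective omission"))
    return labelled


if __name__ == "__main__":
    for cmd, kind in classify_gaps(find_unrecorded_commands(COMMANDS, HISTORIAN), HISTORIAN):
        print(f"{cmd[0]:%H:%M:%S} {cmd[1]} {cmd[2]} {cmd[3]}={cmd[4]} -> {kind}")
```

In the constructed data, RTU-2 shows the "nothing collected for a window" shape that usually ends with a misconfigured historian tag or a dead link, while the RTU-7 pump-off command sits between two recorded events and is the one an analyst would pull packet captures for. The tolerance and window values are the knobs to tune to the polling interval of the real historian.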
  39. Tomi Engdahl says:

    CIOs Must Balance Cloud Security and Customer Service
    http://www.cio.com/article/745638/CIOs_Must_Balance_Cloud_Security_and_Customer_Service

    Cloud era brings government IT new challenge of keeping data secure while broadening user access. This will require federal CIOs to take a more granular approach to access and encryption.

    The government’s ongoing shift to the cloud has created a special set of challenges around that balancing act, particularly as employees grow more resistant to access and device limitations in the workplace.

    Security is often cited as among the chief barriers to the government’s further adoption of cloud technologies. A fundamental friction arises in the push for more open, collaborative services that can better support business objectives and an increasingly mobile workforce that can seem at odds with a traditional, locked-down security posture.

    “It’s that balance that you have to get,” Kingsberry said. “You want to deliver the service, but there are tradeoffs.”

    Those challenges can be more acute when dealing with sensitive types of data or in environments that call for heightened security, such as the military or intelligence communities.

    “If you ask the security bubbas, they would lock everything down, but that prevents us from delivering quality health care,” Thornton said.

    “Coupled with the speed and the agility of cloud is the need to have continuous oversight of what’s going on,” Doney said. “Roles alone are not enough to protect this data.”

    The panelists also stressed that CIOs consider a similar level of differentiation when evaluating what level of security to apply to various types of data.

    It “depends on the categorization of the data,” Kingsberry said. “Because there’s a price to pay” with heightened security, he added, which “is not necessarily monetary,” though cost is certainly a factor. But added layers of unnecessary encryption can also impair productivity when access to non-sensitive data is tightly restricted.

    Reply
  40. Tomi Engdahl says:

    10 most serious risks to IT in 2014
    According to Check Point’s Finland Country Director Jukka Saaremaa

    1 Good Faith from being cheated
    2 My organization is leaking (NSA leaks showed)
    3 Malware information vacuuming
    4 Bots came here to stay (key attack techniques)
    5 Mobility creates dangerous situations (data in mobile devices)
    6 Spyware is increased (state sponsored spying increased)
    7 Website swaying (multi-vector DDoS-attacks)
    8 Customer data stolen (precious commodity for criminals)
    9 Social media user accounts hijacked (Twitter captures reality now)
    10 A thief likes the living room (smart home electronics)

    Source: Tietoviikko
    http://www.tietoviikko.fi/kaikki_uutiset/10+vakavinta+tietotekniikkariskia+vuonna+2014/a960016

    Reply
  41. Tomi Engdahl says:

    TrueCrypt Master Key Extraction And Volume Identification
    http://volatility-labs.blogspot.fi/2014/01/truecrypt-master-key-extraction-and.html

    One of the disclosed pitfalls of TrueCrypt disk encryption is that the master keys must remain in RAM in order to provide fully transparent encryption. In other words, if master keys were allowed to be flushed to disk, the design would suffer in terms of security (writing plain-text keys to more permanent storage) and performance. This is a risk that suspects have to live with, and one that law enforcement and government investigators can capitalize on.

    Reply
  42. Tomi Engdahl says:

    Jan 14
    A First Look at the Target Intrusion, Malware
    http://krebsonsecurity.com/2014/01/a-first-look-at-the-target-intrusion-malware/

    Last weekend, Target finally disclosed at least one cause of the massive data breach that exposed personal and financial information on more than 110 million customers: Malicious software that infected point-of-sale systems at Target checkout counters. Today’s post includes new information about the malware apparently used in the attack, according to two sources with knowledge of the matter.

    This type of malicious software uses a technique that parses data stored briefly in the memory banks of specific POS devices; in doing so, the malware captures the data stored on the card’s magnetic stripe in the instant after it has been swiped at the terminal and is still in the system’s memory. Armed with this information, thieves can create cloned copies of the cards and use them to shop in stores for high-priced merchandise. Earlier this month, U.S. Cert issued a detailed analysis of several common memory scraping malware variants.

    POS malware appears to be nearly identical to a piece of code sold on cybercrime forums called BlackPOS

    According the author of BlackPOS — an individual who uses a variety of nicknames, including “Antikiller” — the POS malware is roughly 207 kilobytes in size and is designed to bypass firewall software. The barebones “budget version” of the crimeware costs $1,800, while a more feature-rich “full version” — including options for encrypting stolen data, for example — runs $2,300.

    Somehow, the attackers were able to upload the malicious POS software to store point-of-sale machines, and then set up a control server within Target’s internal network that served as a central repository for data hoovered by all of the infected point-of-sale devices.

    “The bad guys were logging in remotely to that [control server], and apparently had persistent access to it,”

    multiple sources say U.S. stores have traditionally used a home-grown software called Domain Center of Excellence, which is housed on Windows XP Embedded and Windows Embedded for Point of Service (WEPOS).

    Reply
  43. Tomi Engdahl says:

    Microsoft confirms Syrian Electronic Army hacked into employee email accounts
    http://www.theverge.com/2014/1/15/5312798/microsoft-email-accounts-hacked-syrian-electronic-army

    Microsoft has confirmed to The Verge that a “small number” of employee email accounts were accessed during the latest round of attacks by the Syrian Electronic Army.

    “A social engineering cyberattack method known as phishing resulted in a small number of Microsoft employee social media and email accounts being impacted,” says a Microsoft spokesperson.

    Reply
  44. Tomi Engdahl says:

    Evan Schuman: Starbucks caught storing mobile passwords in clear text
    http://www.computerworld.com/s/article/print/9245438/Evan_Schuman_Starbucks_caught_storing_mobile_passwords_in_clear_text_

    In a case of convenience for users trumping security, Starbucks has been storing the passwords for its mobile-payment app, along with geolocation data, in clear text.

    The Starbucks mobile app, the most used mobile-payment app in the U.S., has been storing usernames, email addresses and passwords in clear text, Starbucks executives confirmed late on Tuesday (Jan. 14).

    Reply
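The KC spreadsheet story (comment 23) and the two Starbucks items above are the same defect in two forms: credentials held as plain text, once on an engineer's laptop and once inside a mobile app's storage. The Python below is an added example, not code from KC, Starbucks or the articles, of the storage format that removes the problem on the server side: a salted, iterated PBKDF2-HMAC-SHA256 hash with constant-time verification, plus a one-shot migration of constructed plaintext records into that format. The record layout, iteration count and sample values are assumptions for the demo.

```python
"""Salted PBKDF2 password storage and migration from plain-text records (added example)."""
import base64
import hashlib
import hmac
import os

# Assumption: tune the work factor to the hardware; 600k SHA-256 rounds is a
# reasonable 2023-era starting point for PBKDF2.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: bytes = None, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$hash (all base64)."""
    salt = salt if salt is not None else os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(derived).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iteration count and compare
    in constant time, so a mismatch takes as long as a match."""
    try:
        algo, iterations, salt_b64, hash_b64 = stored.split("$")
    except ValueError:  # malformed or legacy plain-text record: never accept
        return False
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(hash_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


# Constructed stand-in for the kind of record the spreadsheet held:
# (phone number, user ID, plain-text password).
PLAINTEXT_RECORDS = [
    ("01482 000001", "kc-user-0001", "summer2013"),
    ("01482 000002", "kc-user-0002", "Tr0ub4dor&3"),
    ("01482 000003", "kc-user-0003", "correct horse battery staple"),
]


def migrate_records(records, iterations: int = PBKDF2_ITERATIONS):
    """Replace each plain-text password with its hashed record. After this the
    exported table no longer contains anything usable for logging in."""
    return [(phone, user_id, hash_password(pw, iterations=iterations)) for phone, user_id, pw in records]


if __name__ == "__main__":
    for phone, user_id, record in migrate_records(PLAINTEXT_RECORDS, iterations=10_000):
        print(phone, user_id, record[:40] + "...")
```

The shape of the stored string matters as much as the algorithm: carrying the iteration count with each record lets the work factor be raised later without a second migration. For the client-side case in the Starbucks story, the equivalent fix is not to persist the password at all, but to keep a revocable session token in the platform's protected keystore.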
  45. Tomi Engdahl says:

    Microsoft extends updates for Windows XP security products until July 14, 2015
    http://thenextweb.com/microsoft/2014/01/15/microsoft-extends-updates-windows-xp-security-products-july-14-2015/#!slFNh

    Microsoft today announced it will continue to provide updates to its security products (antimalware engine and signatures) for Windows XP users through July 14, 2015. Previously, the company said it would halt all updates on the same day as the end of support date for Windows XP: April 8, 2014.

    For consumers, this means Microsoft Security Essentials will continue to get updates after support ends for Windows XP. For enterprise customers, the same goes for System Center Endpoint Protection, Forefront Client Security, Forefront Endpoint Protection, and Windows Intune running on Windows XP.

    Here is the previous guidance from a page Microsoft had set up specifically to discuss Windows XP end of support:

    As a result, after April 8, 2014, technical assistance for Windows XP will no longer be available, including automatic updates that help protect your PC. Microsoft will also stop providing Microsoft Security Essentials for download on Windows XP on this date.

    The company is thus providing updates to its security products for an additional 15 months. In other words, while Windows XP will no longer be a supported operating system come April, companies will be at least partially protected (the actual OS still won’t get security updates) until next July.

    Microsoft is in a tricky situation.

    The company thus says its research shows “that the effectiveness of antimalware solutions on out-of-support operating systems is limited”.

    Reply
  46. Tomi Engdahl says:

    Phil Zimmerman Launching Secure “Blackphone”
    http://mobile.slashdot.org/story/14/01/15/1526211/phil-zimmerman-launching-secure-blackphone

    “Famed cryptography activist Phil Zimmerman is set to launch Blackphone, a privacy-oriented phone which allows secure calls and messages. The phone is a joint venture between Zimmerman’s Silent Circle communications provider and Geeksphone,”

    Privacy and control
    https://www.blackphone.ch/

    Blackphone is the world’s first smartphone to put privacy and control ahead of everything else. Ahead of carriers. Ahead of advertising. Blackphone is re-shaping the landscape of personal communication.

    Reply
  47. Tomi Engdahl says:

    The Icefog APT Hits US Targets With Java Backdoor
    https://www.securelist.com/en/blog/208214213/The_Icefog_APT_Hits_US_Targets_With_Java_Backdoor

    Icefog, also known as the “Dagger Panda” by Crowdstrike’s naming convention, infected targets mainly in South Korea and Japan. You can find our Icefog APT analysis and detailed report here.

    Reply
  48. Tomi Engdahl says:

    Cyberspies blast Icefog into US targets’ backdoors
    You dirty RATs
    http://www.theregister.co.uk/2014/01/15/icefog_java_based_backdoor/

    Miscreants behind a cyberespionage campaign have changed their methods to take advantage of Java-based malware.

    The Icefog APT (advanced persistent threat), discovered in September 2013, continues to be a problem, this time utilising a Java backdoor, according to the latest analysis of the threat by security researchers at Kaspersky Labs.

    Analysts at the Russian security firm have observed three unique victims of “Javafog”, all of them in the US. One of the victims is a very large American independent oil and gas corporation, with operations in many other countries.

    The threat first arose in 2011 with attacks against supply chain organisations to government institutions, military contractors, maritime and ship-building groups mainly in Japan and South Korea.

    Java-based malware is less widely used than either Windows or Mac executables, and can be harder to spot, according to Kaspersky researchers.

    “We observed the attack commencing by exploiting a Microsoft Office vulnerability, followed by the attackers attempting to deploy and run Javafog, with a different C&C,” Kaspersky researchers explain in a blog post

    “Because organisations can’t eliminate Java from their environments, it is not surprising that adversaries and cyber-criminals are using malicious Java code to infiltrate them.”

    To prevent Java exploits and malware-based infiltrations, it is important to restrict execution only to known trusted Java files.

    Reply
  49. Tomi Engdahl says:

    Unknown Threat in Finland
    http://www.kpmg.com/FI/fi/Ajankohtaista/Uutisia-ja-julkaisuja/Neuvontapalvelut/Sivut/unknown-threat-in-finland.aspx

    Conclusions

    The main finding of the study is that almost half of the case organisations in the scope of the study are already breached. It means that organisations in Finland cannot trust that their information assets are secured.

    In the study, we noticed that there is a lot of malicious zero-day traffic that is impossible to detect using traditional information security solutions. In addition to this advanced threat, there is also known malicious traffic that should not exist if already installed solutions would work properly. Organisations should investigate whether their protection mechanisms are sufficient in today’s interconnected world where attacks are growing in complexity.

    Information security attacks may have significant business impact. Therefore, it is essential that IT and business functions have a regular dialogue on the state of information security and handle information

    Reply
