Security trends for 2014

2014 will be a year of cybersecurity after the NSA revelations made in 2013. The headline news is that the NSA has surreptitiously “burrowed its way into nearly all the security architecture” sold by the world’s largest computer networking companies. A lot of people were shocked at how the NSA monitored and hacked almost everything on the Internet. There will still be NSA aftershocks as new material comes out and different parties react to it (and news sources write about it). U.S. cloud services have been put into question for good reason. There will be a lot of NSA spying litigation. Those spying issues will also fuel some hacktivism (it has already started to happen).

The Security Professionals: Top Cyber Threat Predictions for 2014 article lists the following predictions, which seem pretty probable: Cybersecurity Regulatory Efforts Will Spark Greater Need for Harmonization; Service-Impacting Interruptions for Online Services Will Persist; We Will See an Increase in Cybercrime Activity Related to the World Cup; Rise of Regional Cloud Services; Dev-Ops Security Integration Fast Becoming Critical; Cybercrime that Leverages Unsupported Software Will Increase; Increase in Social Engineering and Ransomware Will Impact More People.

Ubiquitous mobile computing is all around us, which will lead to increased risks and concerns about social network privacy. Social networks have quickly become the key organizing principle of Internet communication and collaboration. Android anti-virus apps CAN’T kill nasties on sight like normal AV.

2013 was a very hacked year, with many cases in which information on millions or tens of millions of users was stolen from companies. It is likely that we will see much more of the same in 2014: the way people use passwords and the way on-line services are built have not changed much in one year.


Gartner predicts that through 2014, improved JavaScript performance will begin to push HTML5 and the browser as a mainstream enterprise application development environment. I expect HTML5-related security issues to increase as the technology is used more in 2014.

Over 50% of net traffic to web sites is made by bots! The More Than Half of Internet Traffic Is Just Bots article says that security and cloud service provider Incapsula analyzed traffic and found that more than 60 percent of internet traffic is computer generated, compared to less than 40 percent driven by human clicks. 31% of bots are still malicious. SEO link building has always been a major motivation for automated link spamming, but it is decreasing because Google has been able to discourage it. Meanwhile there is more advanced hacking and automated vulnerability searching.
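To make the bot-versus-human split concrete, here is an added example (not from the Incapsula report or the article) that parses a few constructed combined-log-format lines and labels each client IP by user agent and behaviour: known search crawlers, high-404 probing from scripted clients, rapid repeated form POSTs, and everything else as human. The marker strings, thresholds and sample addresses are assumptions for illustration, not Incapsula's classification rules.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in Apache/nginx "combined" format (RFC 5737 test addresses, not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [12/Jan/2014:10:00:01 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 Chrome/31.0 Safari/537.36"
203.0.113.10 - - [12/Jan/2014:10:00:02 +0000] "GET /style.css HTTP/1.1" 200 812 "http://example.test/" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 Chrome/31.0 Safari/537.36"
198.51.100.7 - - [12/Jan/2014:10:00:05 +0000] "GET /robots.txt HTTP/1.1" 200 64 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
198.51.100.7 - - [12/Jan/2014:10:00:06 +0000] "GET /about HTTP/1.1" 200 2210 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
192.0.2.44 - - [12/Jan/2014:10:00:07 +0000] "GET /admin/ HTTP/1.1" 404 210 "-" "python-requests/2.2.1"
192.0.2.44 - - [12/Jan/2014:10:00:07 +0000] "GET /backup/ HTTP/1.1" 404 210 "-" "python-requests/2.2.1"
192.0.2.44 - - [12/Jan/2014:10:00:08 +0000] "GET /old/ HTTP/1.1" 404 210 "-" "python-requests/2.2.1"
192.0.2.44 - - [12/Jan/2014:10:00:08 +0000] "GET /test/ HTTP/1.1" 404 210 "-" "python-requests/2.2.1"
192.0.2.44 - - [12/Jan/2014:10:00:09 +0000] "GET /dev/ HTTP/1.1" 404 210 "-" "python-requests/2.2.1"
192.0.2.99 - - [12/Jan/2014:10:00:30 +0000] "POST /comments HTTP/1.1" 200 33 "-" "Mozilla/5.0 (Windows NT 5.1) Gecko/20100101 Firefox/3.6"
192.0.2.99 - - [12/Jan/2014:10:00:31 +0000] "POST /comments HTTP/1.1" 200 33 "-" "Mozilla/5.0 (Windows NT 5.1) Gecko/20100101 Firefox/3.6"
192.0.2.99 - - [12/Jan/2014:10:00:32 +0000] "POST /comments HTTP/1.1" 200 33 "-" "Mozilla/5.0 (Windows NT 5.1) Gecko/20100101 Firefox/3.6"
192.0.2.99 - - [12/Jan/2014:10:00:33 +0000] "POST /comments HTTP/1.1" 200 33 "-" "Mozilla/5.0 (Windows NT 5.1) Gecko/20100101 Firefox/3.6"
"""

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

# Assumed marker lists; a real deployment would verify crawler IPs by reverse DNS, not UA alone.
GOOD_BOT_MARKERS = ("Googlebot", "bingbot", "Baiduspider")
TOOL_UA_MARKERS = ("python-requests", "curl/", "libwww-perl", "Java/", "Wget/")


def parse_log(text):
    """Turn combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["status"] = int(e["status"])
        e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        entries.append(e)
    return entries


def classify_ip(entries):
    """Label one client's requests: good_bot, scanner, spam_bot or human."""
    ua = entries[0]["ua"]
    if any(k in ua for k in GOOD_BOT_MARKERS):
        return "good_bot"
    n = len(entries)
    not_found = sum(1 for e in entries if e["status"] == 404)
    # Mostly-404 bursts are path guessing, the "automatic vulnerability searching" of the text.
    if n >= 3 and not_found / n >= 0.5:
        return "scanner"
    if any(k in ua for k in TOOL_UA_MARKERS):
        return "scanner"
    # Several POSTs to the same path within seconds is form/comment spam automation.
    posts = defaultdict(list)
    for e in entries:
        if e["method"] == "POST":
            posts[e["path"]].append(e["ts"])
    for stamps in posts.values():
        stamps.sort()
        if len(stamps) >= 3 and (stamps[-1] - stamps[0]).total_seconds() <= 10:
            return "spam_bot"
    return "human"


def classify_log(text):
    """Map each client IP in the log to its label."""
    by_ip = defaultdict(list)
    for e in parse_log(text):
        by_ip[e["ip"]].append(e)
    return {ip: classify_ip(es) for ip, es in by_ip.items()}


def traffic_share(text):
    """Percentage of requests per label, the same kind of split the Incapsula figures describe."""
    labels = classify_log(text)
    counts = defaultdict(int)
    for e in parse_log(text):
        counts[labels[e["ip"]]] += 1
    total = sum(counts.values())
    return {k: round(100 * v / total, 1) for k, v in counts.items()}


if __name__ == "__main__":
    for ip, label in classify_log(SAMPLE_LOG).items():
        print(f"{ip:15} {label}")
    print(traffic_share(SAMPLE_LOG))
```

On the constructed sample only two of thirteen requests are human, which is the point: a per-IP view of the same log tells you far more about who is "driving" the traffic than request counts alone.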

DDoS attacks are evolving from volumetric Layer 3-4 attacks to much more sophisticated and dangerous Layer 7 multi-vector threats.

There will still be many SCADA security issues in 2014. Even though traditional SCADA vulnerabilities have become easier to find, the increased connectivity brought by IoT will cause new issues. And there will still be very many control systems openly accessible from the Internet to practically anyone who knows how to find them. A large number of SCADA systems were found open on the Internet at the beginning of 2013, and the numbers have not dropped considerably during the year. I expect that very many of those systems will still be too open at the end of 2014.

The Internet is expanding into enterprise assets and consumer items such as cars and televisions. The Internet of Things (IoT) will evolve into the Web of Things, increasing the coordination between things in the real world and their counterparts on the Web. There will be many security issues to solve, and as these systems become more widely used, more security issues will be found in them.

Cloud security will be talked about. Hopefully there will be some clearing up of the terminology in that area, because, like the term cloud computing, cloud security can mean a lot of things. It could mean how secure your cloud provider is; a service that runs in the cloud and filters what passes through it (for example e-mail or web traffic); a product protecting some service running in the cloud; or a traditional anti-virus product that connects to the cloud to improve its operation (for example real-time updates, or verifying unknown programs against data in the cloud). Research firm Gartner forecasts that cloud security sales will increase dramatically in the next few years: from $2.1 billion over the past year to $3.1 billion in 2015.

Marketers put the term “cloud” in security product brochures as much as they can. The cloud makes traditional information security sound old-fashioned, because companies are under pressure to move services to the cloud. Mobile devices and dispersed users also set new standards for information security. OpenDNS’s CTO Dan Hubbard says that “because the data and the devices run in the cloud, the cloud is the best way to protect users.” The Snowden effect will also bring private cloud talk to the table this year for security reasons, because U.S. cloud services have been put into question for good reason.

In Finland a new Cyber Security Center started in the beginning of 2014. Security articles and warnings from it will be published at kyberturvallisuuskeskus.fi.

Late addition: Crypto-currencies like Bitcoin and similar are on the rise. Early adopters already use them actively. Those crypto-currencies have many security issues related to them. The values of the crypto-currencies vary quite a lot, and the value easily drops considerably when they become so widely used that different governments try to limit their use. Bitcoin is increasingly used as a ransomware payment method. Bitcoins have lately been stolen quite a lot (and I expect that to increase as usage increases), from users, from on-line wallets and from exchanges. When more money is involved, more bad guys try to get in to grab some of it. Sometimes bad guys do not try to steal your money, but use resources you pay for (your own PC, your server capacity, etc.) to generate money for them without you knowing about it. If you plan to use those crypto-currencies, be careful to understand what you are doing with them: there is a real possibility that you can lose your money, and there is no way that lost money can be recovered.


  1. Tomi Engdahl says:

    Hackers’ Paradise: The rise of soft options and the demise of hard choices
    How it all went wrong for computer security
    http://www.theregister.co.uk/2014/08/15/feature_hack_proof_computing_and_the_demise_of_security/

    The increasing power and low cost of computers means they are being used more and more widely, and put to uses which are becoming increasingly critical. By critical, I mean that the result of a failure could be far more than inconvenience.

    Recently we became aware that hackers had found it was possible to open the doors of a Tesla car. But that’s not particularly exceptional: vulnerability is becoming the norm. Self-driving cars are with us too, and who is to blame if one of these is involved in a collision? What if it transpires that it was hacked?

    It is not necessary to spell out possible scenarios in which insecure computers can allow catastrophes to occur.

    No one expected IBM to respond to the emerging microcomputer market. In fact no one, IBM included, thought it could.

    Essentially, IBM created a kind of skunkworks in which what would become the PC was put together at breakneck speed.

    Possibly, also on account of that breakneck speed, some things were not anticipated. The PC was assumed to be a stand-alone device

    A computer on a network is no longer standing alone and is prone to attack from an external source: the internet was not anticipated.

    Once the computer became a networked consumer product, it would be exposed to the whole gamut of human behaviour from altruistic to malicious. The change in the nature of the user was not anticipated.

    Whatever the reason, what we currently have is lamentable – scandalous even. If there is ever going to be an Internet of Everything, this isn’t how to go about it. No one in life-supporting disciplines such as aviation will touch PCs with several barge poles and for good reason.

  2. Tomi Engdahl says:

    NSA/GCHQ: The HACIENDA Program for Internet Colonization
    http://www.heise.de/ct/artikel/NSA-GCHQ-The-HACIENDA-Program-for-Internet-Colonization-2292681.html

    Since the early days of TCP, port scanning has been used by computer saboteurs to locate vulnerable systems. In a new set of top secret documents seen by Heise, it is revealed that in 2009, the British spy agency GCHQ made port scans a “standard tool” to be applied against entire nations

  3. Tomi Engdahl says:

    Bitcoin ASIC in Chips-to-$ Race
    Running hot on 84 amps
    http://www.eetimes.com/document.asp?doc_id=1323522&

    In eight short months, startup CoinTerra designed a 28nm ASIC that pushes the envelope in logic power density and shipped a system using four of them. Its tale is typical of the headlong race to hardware acceleration in the emerging bitcoin economy

  4. Tomi Engdahl says:

    Windows 8.1 Update Crippling PCs With BSOD, Microsoft Suggests You Roll Back
    http://it.slashdot.org/story/14/08/18/0016223/windows-81-update-crippling-pcs-with-bsod-microsoft-suggests-you-roll-back

    Right on schedule, Microsoft rolled-out an onslaught of patches for its “Patch Tuesday” last week, and despite the fact that it wasn’t the true “Update 2″ for Windows 8.1 many of us were hoping for, updates are generally worth snatching up. Since the patch rollout, it’s been discovered that four individual updates are causing random BSoD issues

  5. Tomi Engdahl says:

    New Cridex Malware Copies Tactics From GameOver Zeus
    http://it.slashdot.org/story/14/08/17/1556214/new-cridex-malware-copies-tactics-from-gameover-zeus

    Specifically, the new strain of malware has adopted GOZ’s penchant for using HTML injections, and the researchers say the technique is nearly identical to the way that GOZ handled it.

  6. Tomi Engdahl says:

    Exclusive: Nuke Regulator Hacked by Suspected Foreign Powers
    http://www.nextgov.com/cybersecurity/2014/08/exclusive-nuke-regulator-hacked-suspected-foreign-powers/91643/

    Nuclear Regulatory Commission computers within the past three years were successfully hacked by foreigners twice and also by an unidentifiable individual, according to an internal investigation.

    The phishing emails baited personnel

    A dozen NRC personnel took the bait and clicked the link.

    As the overseer of the U.S. nuclear power industry, NRC maintains records of value to overseas aggressors, including databases detailing the location and condition of nuclear reactors. Plants that handle weapons-grade materials submit information about their inventories to one such system

    To trace the origins of the attack, investigators subpoenaed an Internet service provider for records regarding the day the initial victim’s email account was hacked.

    “But the ISP had no log records for that date that were relevant to this incident, since the logs had been destroyed,”

    “An organization like the NRC would be a target for nation states seeking information on vulnerabilities in critical infrastructure,”

  7. Tomi Engdahl says:

    Hackers Steal Data Of 4.5 Million US Hospital Patients
    http://it.slashdot.org/story/14/08/18/2358208/hackers-steal-data-of-45-million-us-hospital-patients

    Community Health Systems said the attack occurred in April and June of this year, but it wasn’t until July that it determined the theft had taken place.

    The hackers got away with patient names, addresses, birthdates, telephone numbers and Social Security numbers of the 4.5 million people

  8. Tomi Engdahl says:

    Linux Kernel Git Repositories Add 2-Factor Authentication
    http://www.linux.com/news/featured-blogs/203-konstantin-ryabitsev/784544-linux-kernel-git-repositories-add-2-factor-authentication

    For a few years now we have been mandating a fairly strict authentication policy for those developers who commit directly to the git repositories housing the Linux kernel. Each is issued their own ssh private key, which then becomes the sole way for them to push code changes to the git repositories hosted at kernel.org. While using ssh keys is much more secure than just passwords, there are still a number of ways for ssh private keys to fall into malicious hands — for example if the developer’s workstation is compromised or if someone manages to access some poorly secured backups

    Keeping that in mind, we wanted to further tighten our access requirements, but without causing undue difficulties for the kernel developers.

    Two-factor authentication is a pretty old concept

    In very basic terms, there are three main categories, or “factors” when it comes to authenticating you to a computer:

    1. something you know: a password or a numeric PIN

    2. something you have: a device or a card in your possession

    3. something you are: your unique biometric signature, such as your fingerprint or your retinal scan.

    We’ll leave “something you are” out of scope for this article and concentrate on the “something you know” and “something you have” factors.

    Soft tokens vs. hard tokens

    In 2-factor authentication parlance, a “hard token” is a dedicated physical device that is purpose-built to do nothing else but authentication. A “soft token,” on the other hand, designates a pure-software implementation that is running on a multi-purpose portable computing device (such as a smartphone). If you’ve ever set up “two-step verification” with your Google account or turned on the “code generator” for Facebook, you’ve used a 2-factor authentication soft token. If you’ve ever used an RSA SecurID “key fob” or a Yubikey, you’ve had firsthand experience with “hard tokens.”

    Both hard and soft tokens have their advantages and disadvantages.

    At the Linux Foundation, we wanted to make both options available and leave the decision of whether to use a soft token or a hard token in the hands of kernel developers themselves. After all, 2-factor authentication with a soft token is still dramatically more secure than no 2-factor authentication at all.

    we wanted to encourage the use of more secure hardware tokens, which is why we contacted Yubico, the makers of Yubikeys

    In addition to Yubico’s own 2-factor implementation, yubikeys also support OATH’s HOTP standard, which is what we opted to use for our kernel.org needs. Doing so allows us to use both soft-tokens and hard tokens interchangeably (TOTP standard is an extension of the HOTP standard).

    we put together a verification tool that allowed developers to temporarily whitelist their IP addresses using their 2-factor authentication token.

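The HOTP/TOTP relationship the linux.com post mentions, as an added example that is not the post's or kernel.org's code: an RFC 4226 HOTP generator, TOTP built on it as the time-based extension, and a small server-side verifier with a look-ahead window and replay rejection. The secret below is the RFC 4226 test-vector key, so the codes can be checked against the RFC's appendix; the verifier class and its look-ahead size are my own assumptions, not the kernel.org implementation.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble of the last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at=None, step=30, digits=6):
    """RFC 6238 TOTP is HOTP with counter = floor(unix_time / step); that is the 'extension'."""
    t = time.time() if at is None else at
    return hotp(secret, int(t // step), digits)


class HotpVerifier:
    """Assumed server-side state for one hard or soft token (not kernel.org's verifier).

    Hard tokens and soft tokens drift ahead of the server when a code is generated but
    never submitted, so the server accepts any of the next `look_ahead` counters and then
    moves past the one that matched, which also makes a submitted code unusable twice.
    """

    def __init__(self, secret, counter=0, look_ahead=10):
        self.secret = secret
        self.counter = counter          # next counter value the server expects
        self.look_ahead = look_ahead

    def verify(self, code):
        for c in range(self.counter, self.counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1    # consume: same or earlier counters are now rejected
                return True
        return False


# Key from RFC 4226 Appendix D; counters 0, 1, 2 give 755224, 287082, 359152.
RFC4226_TEST_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    for c in range(3):
        print(c, hotp(RFC4226_TEST_SECRET, c))
    print("TOTP now:", totp(RFC4226_TEST_SECRET))
```

Because TOTP only changes how the counter is derived, a server that stores a per-user counter for HOTP tokens and derives the counter from the clock for TOTP tokens can accept both kinds interchangeably, which is what the post describes.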
  9. Tomi Engdahl says:

    Microsoft’s Windows 8 App Store Is Full of Scamware
    http://slashdot.org/story/14/08/18/186223/microsofts-windows-8-app-store-is-full-of-scamware

    Windows 8 brought a lot to the table, with one of its most major features being its app store. However, it’s not a feature that Microsoft seems too intent on keeping clean. As it is today, the store is completely littered with misleading apps and outright scamware.

  10. Tomi Engdahl says:

    Microsoft Windows Store Is Polluted With Scamware And Microsoft Doesn’t Seem To Care
    http://hothardware.com/News/Microsoft-Windows-Store-Is-Polluted-With-Scamware-And-Microsoft-Doesnt-Seem-To-Care/#!bF5Mc2

    As a desktop user, I don’t feel the need to go into Windows 8′s app store for any other reason than to do some quick tests, either for a post like this one, or for general curiosity. Since the store’s introduction, I’ve always had a hunch that Microsoft’s gate-keeping was minimal, a fact that was heightened when I learned a couple of months ago that the 100% free LibreOffice was found in there – unofficially, and for a cost.

    How-To Geek notes that when VLC is searched for, a large number of results come up, with just one of them being the official release. Some cost money, while others don’t. The site notes that software from non-official sources – and outright scams – are “easy to find”,

    A “free” Firefox download, which when installed, is a single-screen ugly app that links you to a shareware website.

    The problem here is obvious: Links to websites should not be made available as “apps” in any digital store. They especially shouldn’t be links to third-parties that can bundle junkware with their installers.

  11. Tomi Engdahl says:

    Security Hardening with Ansible
    http://www.linuxjournal.com/content/security-hardening-ansible

    Ansible is an open-source automation tool developed and released by Michael DeHaan and others in 2012. DeHaan calls it a “general-purpose automation pipeline”

    Not only can it be used for automated configuration management, but it also excels at orchestration, provisioning of systems, zero-time rolling updates and application deployment. Ansible can be used to keep all your systems configured exactly the way you want them, and if you have many identical systems, Ansible will ensure they stay identical. For Linux system administrators, Ansible is an indispensable tool in implementing and maintaining a strong security posture.

    Ansible can be used to deploy and configure multiple Linux servers (Red Hat, Debian, CentOS, OS X, any of the BSDs and others) using secure shell (SSH) instead of the more common client-server methodologies used by other configuration management packages, such as Puppet and Chef (Chef does have a solo version that does not require a server, per se). Utilizing SSH is a more secure method because the traffic is encrypted.

  12. Tomi Engdahl says:

    Forget Passwords. Now Banks Can Track Your Typing Behavior On Phones
    http://www.forbes.com/sites/parmyolson/2014/08/18/forget-passwords-now-banks-can-track-your-typing-behavior-on-phones/

    Password theft is an ongoing problem. Finger print and voice recognition is still years away. What’s a bank to do if it wants to verify the thousands of customers using its mobile app? One way is their behavior — or at least their typing behavior.

    Banks in Europe’s Nordic region have begun rolling out a new kind of security technology for their mobile apps that tracks the pressure and speed of how customers type a pin number into their smartphones. This way even if a friend knows someone’s pin, they wouldn’t be able to get in thanks to all the automatic nuances in the way people type, such as rhythm and pressure on the keys.

    “We’re monitoring the small stuff,”
    “It’s constantly learning,”

    Nordic banks including Danske Bank have trialled Behaviosec’s tracking technology and found it worked so well that by the end of the year, every Internet bank user in Sweden, Norway and Denmark will be doubly verified by their typing behavior, not just their pin number, Costigan claims.

    The startup claims a high success rate on verification: it reached 99.7% session accuracy when it trialled its behavior-tracking technology in conjunction with a pin number for Danske Bank.

    If the technology takes off, it could add a whole new layer of security for apps and phones that would be much harder for fraudsters to rip off. Hackers can put millions of user accounts at risk by raiding a database of passwords, but it’s far harder to spoof someone’s typing behavior remotely, especially on smart phones.

  13. Tomi Engdahl says:

    Research Unveils Improved Method To Let Computers Know You Are Human
    http://it.slashdot.org/story/14/08/19/006258/research-unveils-improved-method-to-let-computers-know-you-are-human

    CAPTCHA services that require users to recognize and type in static distorted characters may be a method of the past, according to studies published by researchers at the University of Alabama at Birmingham. Researchers focused on a broad form of gamelike CAPTCHAs, called dynamic cognitive game, or DCG, CAPTCHAs, which challenge the user to perform a gamelike cognitive task interacting with a series of dynamic images.

  14. Tomi Engdahl says:

    UK fuzz want PINCODES on ALL mobile phones
    Met Police calls for mandatory passwords on all new mobes
    http://www.theregister.co.uk/2014/08/19/uk_cops_want_to_lock_down_your_mobile_phone/

    The Metropolitan Police has spent more than two years lobbying phone manufacturers and the government in a bid to introduce mandatory passwords on every new unit sold in Blighty, The Reg has learned.

    Senior officers from the Met’s National Mobile Phone Crime Unit (NMPCU) have met with firms including Apple and Samsung to discuss the new measure, which police see as a key way of tackling handset and identity theft. Cops want to see each phone sold with a password already in place, so that buyers are dissuaded from leaving their mobe unlocked.

    Internal research conducted by the NMPCU suggests that up to 60 per cent of phones do not have a password, offering thieves access to a treasure trove of valuable personal information.

  15. Tomi Engdahl says:

    Just when you thought you were alone in the bath: Hi-res mapping satellite ready for launch
    Will beam back images of objects as small as 30cm
    http://www.theregister.co.uk/2014/08/13/creepy_satellites_will_be_able_to_zoom_in_on_your_face/

    An American firm is preparing to launch a satellite which will map the world in a higher resolution than the public has ever seen before.

    Tomorrow, DigitalGlobe expects to send its WorldView-3 satellite into orbit, where it will begin sending images of objects as small as 30cm in size.

    Previously, space companies were only allowed to sell images of objects smaller than 50cm to the US government or military.

  16. Tomi Engdahl says:

    Think crypto hides you from spooks on Facebook? THINK AGAIN
    Traffic fingerprints reveal all, say boffins
    http://www.theregister.co.uk/2014/08/19/think_crypto_hides_you_from_spooks_on_facebook_think_again/

    Activists just got another reason to worry about what spooks might be able to learn about them, with boffins demonstrating that a decent traffic fingerprint can tell an attacker what’s going on, even if an app is defended by encryption.

    The researchers from the Universities of Padua and Rome have found that for activities like posting messages on a friend’s Facebook wall, browsing a profile on a social network, or sending an e-mail, there’s no need to decrypt an encrypted data flow.

    In this paper at Arxiv, the researchers note that even in the hands of a knowledgeable user there are opportunities for “malicious adversaries willing to trace people … the adversary can still infer a significant amount of information from the properly encrypted traffic.”

    Those algorithms plus the visible TCP/IP data provide a data set that allows user actions – read or send e-mail, post on Twitter, post on Facebook and so on – to be classified without looking inside the packets

  17. Tomi Engdahl says:

    Facebook: 95% of Notification Emails Encrypted Thanks to Providers’ STARTTLS Deployment
    http://allfacebook.com/facebook-95-notification-emails-encrypted-thanks-providers-starttls-deployment_b134023

    Facebook offered an update on the state of the deployment of the STARTTLS encryption standard, which it originally wrote about in May, saying that 95 percent of its notification emails are now successfully encrypted with both Perfect Forward Secrecy and strict certificate validation.

    The social network said in May that only 28.6 percent of its outbound notification emails were successfully encrypted and passed strict certificate validation, with that figure jumping to 58 percent when factoring in opportunistic encryption.

  18. Tomi Engdahl says:

    EU to Boost RFID Use & Privacy
    http://www.eetimes.com/author.asp?section_id=36&doc_id=1323595&

    Although radio-frequency identification (RFID) has been around for many years, its use has not been properly regulated until now. Regulation did not seem necessary because, until a few years ago, the proximity needed between devices and the limited use — confined to basic tagging and security applications — did not pose any privacy concerns.

    But the explosion of near-field communication (NFC) devices and the Internet of Things has opened up new applications for RFID, and it is starting to create serious implications.

    Now the European Union is taking steps to ensure that RFID technologies are used properly, in line with the EU Privacy Directive, and help boost the use of smartcards and smart tags without posing a threat to people’s privacy.

    It is easy, and cheap, for anyone to start using RFID tags for any application, and there is very little control of its deployment.

    The EU has created a standard RFID sign that should be displayed and present in every product or service using smart tags or NFC. Also consumers should be able to remove the RFID device from the products purchased or request to be disabled immediately after purchase. What the EU wants is that consumers are aware of the presence of those smart tags and their rights to protect their privacy.

    “People using electronic travel passes, or buying clothes and supermarket items with RFID tags in the label, will know that smart chips are present thanks to the RFID sign”

  19. Tomi Engdahl says:

    With good password management, passwords do not necessarily need to be changed whenever network attacks are reported.

    - Changing passwords is not harmful, but it is a laborious task. It only works as emergency assistance; better and longer-term solutions should be used instead, says Sean Sullivan of F-Secure Security Labs.

    With intrusions, the question is not whether it will be your turn, but when. When passwords are properly managed, you do not have to worry about them during a breach.

    - The little secret of security experts is that, despite their recommendation to change passwords, they do not actually do so themselves, because they do not need to, Sullivan says.

    - At the time of an intrusion I am not worried, because I use a few simple tools and techniques that help me remember passwords, manage services and minimize the risks, the expert says.

    Sean Sullivan’s list of a few key things:

    Minimize the risk. Separate services from each other, and use different e-mail addresses for different services.

    Use different email addresses for personal, professional and financial communication. If one email account is compromised, it does not jeopardize all the information.

    If possible, use a user name other than your email address.

    Use a unique password for every online service.

    Do not give your web services any more information than is necessary. The less they know, the better.

    If you hear that a service you are using has been compromised, change the password.

    Source: http://www.iltalehti.fi/digi/2014082018586859_du.shtml

  20. Tomi Engdahl says:

    Delaware becomes first state to give executors broad digital assets access
    Meet the “Fiduciary Access to Digital Assets and Digital Accounts Act.”
    http://arstechnica.com/tech-policy/2014/08/delaware-becomes-first-state-to-give-heirs-broad-digital-assets-access/

    Delaware has become the first state in the US to enact a law that ensures families’ rights to access the digital assets of loved ones during incapacitation or after death.

    Last week, Gov. Jack Markell signed House Bill (HB) 345, “Fiduciary Access to Digital Assets and Digital Accounts Act,” which gives heirs and executors the same authority to take legal control of a digital account or device, just as they would take control of a physical asset or document.

  21. Tomi Engdahl says:

    The ChipWhisperer At Defcon
    http://hackaday.com/2014/08/20/the-chipwhisperer-at-defcon/

    The ChipWhisperer is a security and research platform for embedded devices that exploits the fact that all security measures must run on real hardware. If you glitch a clock when a microcontroller is processing an instruction, there’s a good probability something will go wrong. If you’re very good at what you do, you can simply route around the code that makes up the important bits of a security system. Power analysis is another trick up the ChipWhisperer’s sleeve, analyzing the power consumption of a microcontroller when it’s running a bit of code to glean a little information on the keys required to access the system. It’s black magic and dark arts, but it does work, and it’s a real threat to embedded security that hasn’t had an open source toolset before now.

  22. Tomi Engdahl says:

    Nuclear regulator hacked 3 times in 3 years
    http://www.cnet.com/news/nuclear-commission-hacked-3-times-in-3-years/

    A new report details three recent incidents when intruders gained unauthorized access to Nuclear Regulatory Commission employees’ computers.

    Unspecified foreigners and a third unknown person or group are to blame for three computer hacks over the past three years at the US Nuclear Regulatory Commission, according to a new report.

    The body that governs America’s nuclear power providers said in an internal investigation that two of the hacks are suspected to have come from unnamed foreign countries

  23. Tomi Engdahl says:

    Brother, can you spare a DIME for holy grail of secure webmail?
    Lavabit man’s new project: One of security’s thorniest problems
    http://www.theregister.co.uk/2014/08/20/secure_webmail_analysis/

    Lavabit founder Ladar Levison promised attendees at security conference DefCon that he’d carve out a secure messaging service from the wreckage of the email service favoured by rogue NSA sysadmin Edward Snowden within six months.

    The Dark Internet Mail Environment (DIME) project is promising, but recent problems experienced by others attempting to put together snoop-proof email platforms show that Levison and his partners at Silent Circle are grappling with one of the most difficult problems in computer security.

    The Dark Mail Alliance, announced last year, has evolved to become the Dark Internet Mail Environment (DIME). Levison unveiled the latest plans for the project at DefCon.

    DIME aims to be so secure that not even its administrators can read messages sent and received by its clients. It also aims to be easy to use.

    The service will come with three security modes: Trustful, Cautious and Paranoid. When using Cautious and Paranoid modes, users’ email messages get encrypted by keys that don’t leave users’ devices.

    Messages sent through DIME will be segmented so that only the recipient and sender get to see the full contents of each email’s headers.

    Dozens of products and services have emerged to fight spying and restore privacy in the wake of the Snowden revelations. The recent discovery of severe flaws in two webmail services touted as “snoop-proof” has once again illustrated the difficulty of delivering secure webmail.

    Both ProtonMail and German startup Tutanota were forced to acknowledge that their webmail services were vulnerable to a cross-site scripting bug despite boasting that they offered an “NSA-proof email service”.

    PGP has been held up as the gold standard for email security for decades, despite problems with key management and usability. Last week influential cryptographer Matthew Green said it was “time for PGP to die” because of usability and other problems.

    Reply
  24. Tomi Engdahl says:

    U.S. Court Grants Order to Wipe Pirate Sites from the Internet
    http://torrentfreak.com/u-s-court-wants-search-engines-remove-pirate-sites-140818/

    In short, ABS-CBN requested power to take the sites offline before the owners knew that they were getting sued, and without a chance to defend themselves. While that may seem a lot to ask, Judge Anna Brown granted the request.

    The court also ordered the domain name registrars to point the domains to a copy of the complaint, so the website owners would know why their sites had been wiped from the Internet. Further, to prevent the defendants from passing on Google traffic to a new domain, ABS-CBN was granted permission to access the Google Webmaster Tools of the defendants.

    Reply
  25. Tomi Engdahl says:

    Google is distorting right to be forgotten debate, EU Justice head claims
    https://gigaom.com/2014/08/19/google-is-distorting-right-to-be-forgotten-debate-eu-justice-head-claims/

    A top EU official blasted Google and others for “playing false” over a court ruling that lets people delete material from the internet. The official also repeated the need for tougher fines for companies who breach data rules.

    Reply
  26. Tomi Engdahl says:

    FBI Investigating Reported Theft of 1.2 Billion Passwords by Russian Gang
    http://www.nbcnews.com/tech/security/fbi-investigating-reported-theft-1-2-billion-passwords-russian-gang-n184471

    The Federal Bureau of Investigation is investigating a report by a U.S. cybersecurity firm that it uncovered some 1.2 billion Internet logins and passwords amassed by a Russian crime ring, the largest known collection of such stolen data. Hold Security of Milwaukee, Wisconsin, disclosed earlier this month that it had discovered the credentials, collected over several years from approximately 420,000 websites and other servers

    Reply
  27. Tomi Engdahl says:

    German Intelligence Spying On Allies, Recorded Kerry, Clinton, and Kofi Annan
    http://yro.slashdot.org/story/14/08/19/1755211/german-intelligence-spying-on-allies-recorded-kerry-clinton-and-kofi-annan

    According to Foreign Policy, “The revelation that Germany spies on Turkey, a NATO member, should dispel any notion that spying on allies violates the unwritten rules of international espionage. … For nearly a year, the extent of NSA surveillance on German leaders … has drawn stern rebuke from the German political and media establishment”

    “State Department senior advisor, added that the report on German spying is a perfect example of why rifts over intelligence among allies should be handled quietly and privately.”

    Reply
  28. Tomi Engdahl says:

    Linux Trojan translated for Windows

    Dr. Web reports that a trojan previously written for Linux has been ported to the Windows platform. This kind of porting is still quite rare.

    Trojan.DnsAmp.1 is malware that turns the infected machine into a denial-of-service attack tool. According to analysts it is a Chinese masterpiece. On start-up the program sends information about the infected machine to the attacker’s server and waits for the command to start a denial-of-service attack.

    Source: http://etn.fi/index.php?option=com_content&view=article&id=1671:linux-troijalainen-kaannettiin-windowsille&catid=13&Itemid=101

    Reply
  29. Tomi Engdahl says:

    51% of Computer Users Share Passwords
    http://it.slashdot.org/story/14/08/20/1419223/51-of-computer-users-share-passwords

    Consumers are inadvertently leaving back doors open to attackers as they share login details and sign up for automatic log on to mobile apps and services, according to new research by Intercede. While 52% of respondents stated that security was a top priority when choosing a mobile device, 51% are putting their personal data at risk by sharing usernames and passwords with friends, family and colleagues.

    Reply
  30. Tomi Engdahl says:

    51% of consumers share passwords
    http://www.net-security.org/secworld.php?id=17273

    While 52% of respondents stated that security was a top priority when choosing a mobile device, 51% are putting their personal data at risk by sharing usernames and passwords with friends, family and colleagues.

    Half of respondents stated that they try and remember passwords rather than writing them down or using password management solutions, suggesting that consumers are relying on easy to remember combinations and using the same password across multiple sites and devices.

    Richard Parris, CEO of Intercede commented: “As we live more and more of our lives online, all our various digital identities need to be effectively protected – worryingly, it appears that this is not the case at the moment. We need so many passwords today, for social networking, email, online banking and a whole host of other things, that it’s not surprising consumers are taking shortcuts with automatic log ins and easy to remember passwords.”

    The research revealed that consumers are not only sharing passwords but also potentially putting their personal and sensitive information at risk by leaving themselves logged in to applications on their mobile devices, with over half of those using social media applications and email admitting that they leave themselves logged in on their mobile device.

    “Keeping your Facebook, Gmail, shopping and financial accounts automatically logged in might be convenient for consumers, but it’s leaving the back door wide open to hackers,”

    “Consumers are more wary about clicking ‘Remember me’ when it comes to online banking and financial apps, but cyber criminals don’t necessarily need access to your bank account or credit card details to commit identity theft.”

    Reply
  31. Tomi Engdahl says:

    Doomsday scenarios to keep you up at night: Mikko Hypponen talks cyberthreats
    http://venturebeat.com/2014/08/13/why-pulp-is-bigger-than-nokia-and-other-doomsday-scenarios-by-mikko-hypponen-interview/

    Finnish cyber security legend Mikko Hypponen was a major presence at the Black Hat conference in Las Vegas last week. The ponytailed Hypponen regaled 3,000 people in a massive conference hall at the Mandalay Bay on the evolution of malware, emerging cyber threats, and details on who the hackers are spreading maliciously devastating viruses around the globe.

    Hypponen is a researcher at security play F-Secure and lives in Helsinki. Friendly, approachable, and possessing one of the biggest mental repositories of malware on the planet

    Reply
  32. Tomi Engdahl says:

    One of the most critical ingredients in creating a connected world is making sure that our technology knows who we are. Once our smart car, smart TV and even our smart toaster confirm our identity they can provide more meaningful experiences like the perfect in-car temperature, your favorite TV channel or how light or dark you like your toast. Right now we mostly use passwords and pins to help our tech tell us apart from others, but these mechanisms are frustrating, cumbersome and definitely don’t feel very futuristic. One wristband, the Nymi, is about to change all that.

    The Nymi is a wristband which uses your cardiac rhythm or your unique heartbeat to identify who you are and then relays your identity to any connected thing via Bluetooth. As the Nymi is something you wear, it offers persistent identity once you are authenticated which means that you only need to confirm your identity once rather than every time you want to get access to something.

    Bionym, the company behind the Nymi, is getting ready to ship its first batch of wristbands out to those that have pre-ordered in the Fall of this year.

    “Identity is not just about security but also about different profiles and different behaviors that depend on a person’s preferences”

    Source: http://blog.designersofthings.com/post/92144135531/technology-that-knows-who-you-are-featured

    Reply
  33. Tomi Engdahl says:

    Tue August 19, 2014
    CHS Hacked via Heartbleed Vulnerability
    http://www.trustedsec.com/august-2014/chs-hacked-heartbleed-exclusive-trustedsec/

    As many of you may have already been aware, a breach at Community Health Systems (CHS) affecting an estimated 4.5 million patients was recently revealed. TrustedSec obtained the first details on how the breach occurred and new information relating to this breach. The initial attack vector was through the infamous OpenSSL “heartbleed” vulnerability which led to the compromise of the information.

    This confirmation of the initial attack vector was obtained from a trusted and anonymous source close to the CHS investigation. Attackers were able to glean user credentials from memory on a CHS Juniper device via the heartbleed vulnerability (which was vulnerable at the time) and use them to login via a VPN.

    From here, the attackers were able to further their access into CHS by working their way through the network

    Reply
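The comment above says credentials were read out of a Juniper device’s memory via Heartbleed. The following is an added illustration of the bug class, not code from CHS, Juniper, OpenSSL or TrustedSec: it models a TLS heartbeat record (RFC 6520 layout: type, 16-bit payload_length, payload, at least 16 bytes of padding) sitting in a constructed byte string that stands in for process memory, and contrasts a handler that trusts the claimed payload_length with one that applies the bounds check OpenSSL 1.0.1g added. The `vpn-user` credential string is made up for the demonstration.

```python
import struct

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16  # RFC 6520: padding must be at least 16 bytes


def build_heartbeat(claimed_len: int, payload: bytes) -> bytes:
    """HeartbeatMessage = type(1) | payload_length(2) | payload | padding.

    claimed_len is written into the header independently of len(payload),
    which is exactly the malformed request Heartbleed relies on.
    """
    return struct.pack("!BH", HEARTBEAT_REQUEST, claimed_len) + payload + b"\x00" * MIN_PADDING


def vulnerable_handler(memory: bytes, record_offset: int, record_length: int) -> bytes:
    """Pre-1.0.1g behaviour: trusts payload_length from the message and copies that
    many bytes starting at the payload, never comparing it with record_length.
    (Python slicing stops at the end of `memory`; C kept reading the heap.)"""
    hbtype, payload_len = struct.unpack_from("!BH", memory, record_offset)
    if hbtype != HEARTBEAT_REQUEST:
        return b""
    start = record_offset + 3
    echoed = memory[start:start + payload_len]
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_len) + echoed + b"\x00" * MIN_PADDING


def fixed_handler(memory: bytes, record_offset: int, record_length: int):
    """1.0.1g behaviour: the header, the claimed payload and the minimum padding
    must all fit inside the record that was actually received; otherwise the
    message is silently discarded (None)."""
    if record_length < 1 + 2 + MIN_PADDING:
        return None
    hbtype, payload_len = struct.unpack_from("!BH", memory, record_offset)
    if 1 + 2 + payload_len + MIN_PADDING > record_length:
        return None
    if hbtype != HEARTBEAT_REQUEST:
        return None
    start = record_offset + 3
    echoed = memory[start:start + payload_len]
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_len) + echoed + b"\x00" * MIN_PADDING


def demo():
    """Constructed process memory: the received record followed by unrelated data
    (a fake cached credential), as it might sit next to the record on the heap."""
    secret = b"vpn-user:Str0ngPassw0rd!"  # constructed, not a real credential
    record = build_heartbeat(claimed_len=0xFFFF, payload=b"hi")  # 2 bytes sent, 65535 claimed
    memory = record + secret + b"\x00" * 64
    leaked = vulnerable_handler(memory, 0, len(record))
    safe = fixed_handler(memory, 0, len(record))
    return secret, leaked, safe


if __name__ == "__main__":
    secret, leaked, safe = demo()
    print("vulnerable handler leaked credential:", secret in leaked)
    print("fixed handler response:", safe)
```

The fixed handler also still answers a well-formed request (claimed length equal to the real payload), which is the check a reviewer would want to see alongside the rejection of the malformed one.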
  34. Tomi Engdahl says:

    Apple’s iMessage Is Being Taken Over by Spammers
    http://www.wired.com/2014/08/apples-imessage-is-being-taken-over-by-spammers/

    Apple’s iMessage system is a great way to send texts from phone-to-phone without paying fees to your mobile carrier. But over the past year, it has also become something of a nuisance. iMessage, you see, is yet another communications tool being polluted by spam. It’s a cheap and easy way for luxury goods spammers to get their junk messages front-and-center on your phone.

    ‘It’s almost like a spammer’s dream. With four lines of code, using Apple scripts, you can tell your Mac machine to send messages to whoever they want.’

    Most of the time, the spammer will need a phone number to deliver the iMessage spam, but if you’ve added your email address to iMessage, the spammers can get you using that address too.

    Reply
  35. Tomi Engdahl says:

    Twitter details its anti-spam system, BotMaker
    http://gigaom.com/2014/08/20/twitter-details-its-anti-spam-system-botmaker/

    Twitter has developed a system called BotMaker to deal with its spam problem. Essentially, BotMaker scans messages before they’re posted, after they’re posted, and as part of bulk data analyses in order to determine what’s spam and then deal with them accordingly.

    Reply
  36. Tomi Engdahl says:

    Slapdash SSL code puts tons of top Android Play Store apps in hack peril
    Man-in-the-middles all round!
    http://www.theregister.co.uk/2014/08/21/slapdash_ssl_leaves_majority_of_android_app_in_play_store_open_to_hacking/

    Sloppy programming, poor patching, and unreliable trust engines are rife within Android apps, according to a new study. In short, millions of smartphone users are potentially wide open to man-in-the-middle attacks, it’s claimed.

    Researchers at security firm FireEye went through the 1,000 most popular Android applications from the Google Play store and found that a large majority of them were open to at least man-in-the-middle attacks, thanks to faulty SSL error and certificate handling. For the top 10,000 apps that figure was 60 per cent.

    “The Android ecosystem is all about communicating, and right now it’s screaming for help,” the team said in a blog post. “That’s because SSL vulnerabilities and the Man-In-The-Middle (MITM) attacks they enable are wreaking havoc on data security.”

    Reply
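The faulty certificate handling described above (trust managers that accept any chain, hostname verifiers that accept any name) has an exact counterpart in Python’s `ssl` module, and the following added example shows that counterpart, not the Android code FireEye examined: an insecure client context beside a hardened one, plus an `audit_context` helper of the kind a code review or CI check could run. The optional `cafile` argument is an assumption for pinning a private CA; by default the system store is used.

```python
import ssl


def insecure_client_context() -> ssl.SSLContext:
    """Python twin of an accept-everything TrustManager plus an allow-all
    hostname verifier: any certificate, for any name, is accepted, so a
    man-in-the-middle needs no valid certificate at all."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode can be lowered
    ctx.verify_mode = ssl.CERT_NONE   # the chain is never checked
    return ctx


def hardened_client_context(cafile=None) -> ssl.SSLContext:
    """Verify the chain against the system store (or a pinned CA file, an
    assumed parameter), match the host name, and refuse pre-1.2 protocols."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return the findings a review of this context should raise; an empty
    list means the context verifies the peer the way a browser would."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate chain is not verified")
    if not ctx.check_hostname:
        findings.append("certificate is not matched against the host name")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol floor below TLS 1.2")
    return findings


if __name__ == "__main__":
    for label, ctx in (("insecure", insecure_client_context()),
                       ("hardened", hardened_client_context())):
        print(label, audit_context(ctx) or ["no findings"])
```

The order of the two assignments in `insecure_client_context` is not cosmetic: Python refuses to set `CERT_NONE` while `check_hostname` is still true, which is a small built-in guard against exactly the mistake the study found in Android apps.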
  37. Tomi Engdahl says:

    Researchers Find Security Flaws In Backscatter X-ray Scanners
    http://it.slashdot.org/story/14/08/20/1853236/researchers-find-security-flaws-in-backscatter-x-ray-scanners

    Researchers from UC San Diego, University of Michigan, and Johns Hopkins say they’ve found security vulnerabilities in full-body backscatter X-ray machines deployed to U.S. airports between 2009 and 2013.

    Reply
  38. Tomi Engdahl says:

    Tor Browser Security Under Scrutiny
    http://yro.slashdot.org/story/14/08/20/197221/tor-browser-security-under-scrutiny

    The keepers of Tor commissioned a study testing the defenses and viability of their Firefox-based browser as a privacy tool

    report’s recommendations don’t favor Firefox as a baseline for Tor, rather Google Chrome

    Reply
  39. Tomi Engdahl says:

    Smartphone Kill Switch, Consumer Boon Or Way For Government To Brick Your Phone?
    http://yro.slashdot.org/story/14/08/20/224229/smartphone-kill-switch-consumer-boon-or-way-for-government-to-brick-your-phone

    We’re often told that having a kill switch in our mobile devices — mostly our smartphones — is a good thing. At a basic level, that’s hard to disagree with. If every mobile device had a built-in kill switch, theft would go down

    Here’s where the problem lays: It’s law enforcement that’s pushing so hard for these kill switches.

    such functionality should be limited to the device’s owner, and no one else. If the owner can disable a phone with nothing but access to a computer or another mobile device, so can Google, Samsung, Microsoft, Nokia or Apple.

    Reply
  40. Tomi Engdahl says:

    Boffins propose security shim for Android
    Hoping Choc Factory wants third-party infosec sweeties
    http://www.theregister.co.uk/2014/08/21/boffins_propose_security_shim_for_android/

    An international group of researchers believes Android needs more extensible security, and is offering up a framework they hope either Google or mobe-makers will take for a spin.

    Detailing their design goals, the researchers note that the ASM framework needs to maintain existing Android security (offering more restrictive security without breaking things like the sandbox), protect the integrity of the kernel, and support multiple authorisation modules without imposing a performance overhead.

    “Security modules can also enhance consumer privacy. The framework provides callbacks that can filter, modify, or anonymise data before it is shared with third-party apps, in order to protect personal information.

    Reply
  41. Tomi Engdahl says:

    Need a green traffic light all the way home? Easy with insecure street signals, say researchers
    No crypto, default passwords, FTP servers? It’s 1998 again
    http://www.theregister.co.uk/2014/08/20/sick_of_slow_commuting_americas_traffic_lights_are_easily_hackable/

    In a paper [PDF] delivered to the USENIX Security 2014 conference this week, a team led by University of Michigan computer scientist Alex Halderman has found that traffic signals and their controllers can be hijacked in minutes.

    Halderman and co claim this is possible from half a mile away with nothing more than a laptop and some radio broadcast equipment, since the electronics behind the lights communicate using almost no security checks.

    To make matters worse, when the team approached the maker of the vulnerable traffic systems equipment, the academics were brushed off. The unnamed manufacturer apparently told the researchers that it “followed the accepted industry standard and it is that standard which does not include security,” and thus plans no changes.

    All the lights have a safety subsystem called a malfunction management unit (MMU). This has all the allowable light sequences hardwired into its circuit board, and the allowable timings for each state. If the unit receives a duff command to enter an unsafe state, the electronics fall back to blinking the red lamp until manually reset.

    The traffic light network uses a mix of industry-standard radios using 5.8GHz and 900MHz to communicate wirelessly.

    The wireless packets exchanged between the stations are unencrypted

    The group also found they could open an FTP connection to the controller server and access it the old-fashioned way by using the default username and password. These credentials have been helpfully published online by the manufacturer.

    Once inside the FTP site, the researchers found they could access configuration files to reset the timing systems on light changes

    Reply
  42. Tomi Engdahl says:

    UPS Store Computer Breach Put Customer Data at Risk
    http://www.bloomberg.com/news/2014-08-20/ups-store-computer-breach-put-customer-data-at-risk.html

    United Parcel Service Inc. (UPS) said a breach of computer systems at UPS Store retail outlets may have exposed customers’ personal and payment data at some locations this year.

    Malware was found at 51 locations in 24 states, or about 1 percent of the 4,470 franchise stores across the U.S., UPS said in a statement today. About 105,000 transactions were affected

    UPS, the world’s largest package-shipping company

    Information that may have been revealed includes names, postal and e-mail addresses, and payment-card data, the company said.

    Reply
  43. Tomi Engdahl says:

    Hear ye, young cyber warriors of the realm: GCHQ wants you
    Get involved, get a job and then never discuss work ever again
    http://www.theregister.co.uk/2014/08/21/come_all_thee_cyber_warriors_of_the_realm_gchq_wants_you/

    Spooks have called upon the good people of Blighty to help protect an airline from attack by a vicious group of nerdy cyber-terrorists.

    That might sound like the secret services are getting a bit desperate, but don’t worry kids: it’s only a game.

    The bods at GCHQ have announced a new part of the Cyber Security Challenge UK designed to unearth potential digital knights of the realm.

    Reply
  44. Tomi Engdahl says:

    New twist as rogue antivirus enters death throes
    That’s not the website you’re looking for
    http://www.theregister.co.uk/2014/08/21/new_twist_as_rogue_antivirus_enters_death_throes/

    Rogue and fake anti-virus has taken to the browser to find a smarter way of infecting users, Microsoft antivirus researcher Daniel Chipiristeanu says.

    The Defru malware blocked users from visiting certain websites and instead displayed warnings about fake perceived threats while the correct intended web address was still displayed.

    Most victims were based in Russia, with the US and Kazakhstan trailing behind, (@Chipiristeanu) said.

    Rogue anti-virus has been devastated by the security industry’s targeting of its wares since it emerged in 2007.

    Reply
  45. Tomi Engdahl says:

    RealVNC distances itself from factories, power plants, PCs hooked up to password-less VNC
    Some 30,000 machines found with front doors wide open
    http://www.theregister.co.uk/2014/08/21/vnc_security_flap/

    A scan of the public internet by security researchers has seemingly revealed thousands upon thousands of computers fully accessible via VNC – with no password required.

    Worryingly, the unsecured systems – from PCs and shopping tills to terminals controlling factories and heating systems – are at the mercy of any passing miscreant on the ‘net; the internet equivalent of leaving a front door unlocked.

    Based on the openly defined Remote Frame Buffer protocol, VNC is a widely used system for accessing desktops over a network, very much like Microsoft’s RDP.

    Roughly 30,000 computers have been found connected directly to the internet without a valid password required to gain access.

    Their software worked, we’re told, by scanning a public IP address for open VNC ports, connecting to an unprotected desktop if available, screenshotting it

    For anyone wondering about the legality of the research, Tentler insisted: “It isn’t [illegal]. Yahoo, Google, Microsoft, Websense, every antivirus vendor in the world, and Shodan – they all do similar scans.”

    As well as home computers, the trio found all sorts of things from “a caviar plant, to Japanese, Italian, Latvian and Ukrainian power stations, to a donut manufacturing plant.”

    Reply
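The scan described above works because the RFB protocol announces its security types in the clear before any authentication happens. The following added example (mine, not the scanners’ software or RealVNC’s code) parses that part of the handshake for both RFB 3.3 and 3.7/3.8 servers over constructed server bytes and classifies a server that offers security type 1 (“None”) as open; the `probe` function performs the same exchange against a live host and is only meant for hosts you are authorised to test. Security-type numbers and names are from RFC 6143 and the IANA registry.

```python
import socket
import struct

# Security types from RFC 6143 section 7.1.2 and the IANA RFB registry.
SECURITY_TYPE_NAMES = {
    0: "Invalid",
    1: "None",
    2: "VNC Authentication",
    5: "RA2",
    6: "RA2ne",
    16: "Tight",
    18: "TLS",
    19: "VeNCrypt",
}
NO_AUTH = 1


def parse_version(banner: bytes) -> tuple:
    """Parse the 12-byte ProtocolVersion banner, e.g. b'RFB 003.008\\n'."""
    if len(banner) != 12 or not banner.startswith(b"RFB ") or not banner.endswith(b"\n"):
        raise ValueError("not an RFB ProtocolVersion banner: %r" % banner)
    major, minor = banner[4:11].split(b".")
    return int(major), int(minor)


def _reason(data: bytes) -> str:
    """Reason string that follows a refusal: uint32 length + UTF-8 text."""
    (length,) = struct.unpack("!I", data[:4])
    return data[4:4 + length].decode("utf-8", errors="replace")


def parse_security_types(version: tuple, data: bytes) -> list:
    """Parse the security-type message that follows the version exchange.

    RFB 3.3: the server dictates one big-endian uint32 security type.
    RFB 3.7+: a count byte followed by one byte per supported type.
    A zero count (or type) means the server refused; a reason string follows.
    """
    if version < (3, 7):
        (sec_type,) = struct.unpack("!I", data[:4])
        if sec_type == 0:
            raise ConnectionError("server refused: " + _reason(data[4:]))
        return [sec_type]
    if not data:
        raise ValueError("empty security-type message")
    count = data[0]
    if count == 0:
        raise ConnectionError("server refused: " + _reason(data[1:]))
    types = list(data[1:1 + count])
    if len(types) != count:
        raise ValueError("truncated security-type list")
    return types


def classify(types: list) -> str:
    """Flag a server that will hand over the desktop without a password."""
    names = [SECURITY_TYPE_NAMES.get(t, "type %d" % t) for t in types]
    if NO_AUTH in types:
        return "OPEN (no password): offers " + ", ".join(names)
    return "authenticated: offers " + ", ".join(names)


def probe(host: str, port: int = 5900, timeout: float = 3.0) -> str:
    """Run the handshake up to the security-type message against a live host.
    Only use against systems you are authorised to test."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        version = parse_version(s.recv(12))
        chosen = min(version, (3, 8))  # answer with the newest version we understand
        s.sendall(b"RFB %03d.%03d\n" % chosen)
        data = s.recv(256)
    return classify(parse_security_types(chosen, data))


if __name__ == "__main__":
    # Constructed server messages, not captures from any real host.
    print(classify(parse_security_types((3, 8), b"\x02\x01\x02")))
    print(classify(parse_security_types((3, 3), b"\x00\x00\x00\x02")))
```

Note that an offered “None” type is a finding on its own; the scanners in the article went further and connected to the framebuffer, which is the step that turns a protocol check into access to someone else’s machine.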
  46. Tomi Engdahl says:

    How to Read (and Actually Understand) a Wearable Tech Privacy Policy
    http://www.cio.com/article/2465362/privacy/how-to-read-and-actually-understand-a-wearable-tech-privacy-policy.html

    When was the last time you read a privacy policy? Any kind of privacy policy? Be honest.

    Yeah, that’s what I thought. Nobody reads privacy policies. They’re not really meant for the users, anyway — they’re meant to protect companies from potential lawsuits. As such, they’re long, complicated and often packed with enough legalese to make even an eager litigator’s eyes glaze over.

    Some CEOs of companies that make products to collect endless mountains of data don’t even read privacy policies.

    “It’s almost impossible for users to read and understand privacy policies. All of the [services] I use, it doesn’t matter if it’s Netflix or whatever, I don’t read privacy policies. I wouldn’t understand it without a lawyer,” says Florian Gschwandtner, CEO of Runtastic, which makes a number of fitness tracking devices

    The reality is that privacy policies have never been more important.

    Many of the latest gadgets are designed to collect all kinds of user data, and much of their value is in the analysis of that information. But how do you know what happens to your information after you hand it over to that fitness tracker or smartwatch? Do you want a company secretly selling your data to your insurance company

    Today, lots of device and app makers sneak all kinds of protections into privacy policies that let them do just about whatever they want with your data, assuming you’re willing to accept the terms of service (ToS).

    Reply
  47. Tomi Engdahl says:

    Researchers can easily fool former TSA X-ray scanners and sneak in dangerous weapons
    https://bgr.com/2014/08/20/tsa-scanners-security-issues/

    This isn’t the first time someone managed to sneak by a weapon past a TSA Rapiscan full-body X-ray scanner, but Wired reports that scientists have taken the procedure to a new level and have come up with various techniques to completely fool the security device.

    The team of researchers, from the University of California at San Diego, the University of Michigan and Johns Hopkins, have figured out ways to conceal weapons, explosive devices, and even insert malware into the PC that controls the machine that can then be activated with a simple QR code printed on a piece of clothing.

    The Rapiscan Secure 1000 machines that the researchers used were replaced in airports last year by a millimeter wave scanner that’s more privacy-friendly, but they’re still in use in various other locations including courthouses and other government security checkpoints.

    Reply
  48. Tomi Engdahl says:

    Security Analysis of a Full-Body Scanner
    https://radsec.org/paper.html

    We present the first independent security evaluation of such a system, the Rapiscan Secure 1000 full-body scanner, which was widely deployed at airport checkpoints in the U.S. from 2009 until 2013.

    Reply
  49. Tomi Engdahl says:

    Amazon flicks switch on CloudFront security features
    Perfect Forward Secrecy added to SSL suite
    http://www.theregister.co.uk/2014/08/21/amazon_flicks_switch_on_cloudfront_security_features/

    Amazon has beefed up security on its CloudFront services, adding Perfect Forward Secrecy, OCSP stapling and session tickets to its SSL support.

    The company describes the new AWS features in full in this blog post.

    Session tickets are designed to improve performance, particularly in the case of an interrupted session between server and client. Instead of renegotiating the SSL session from scratch, the original negotiation ends with the server passing a session ticket to the client, which it can use to re-establish communications on the basis of the original handshake.

    Reply
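The forward-secrecy and session-ticket features described above can be checked on any OpenSSL-backed server configuration, and the following added example (mine, not Amazon’s CloudFront configuration or code) does that with Python’s `ssl` module: it builds a server context restricted to ephemeral (EC)DHE suites, lists any suite the context would still offer without forward secrecy, and shows the ticket caveat the article leaves out. The cipher string is an assumed baseline, not CloudFront’s; OCSP stapling has no server-side API in Python’s `ssl` and is therefore not shown.

```python
import ssl


def is_forward_secret(cipher_name: str) -> bool:
    """True if the OpenSSL cipher name implies an ephemeral (EC)DHE key exchange.

    TLS 1.3 suites (TLS_AES_128_GCM_SHA256, ...) always use ephemeral keys;
    for TLS 1.2 the name carries the key exchange as its first token, so a
    name such as AES128-GCM-SHA256 (plain RSA key exchange) is not forward secret.
    """
    if cipher_name.startswith("TLS_"):
        return True
    return cipher_name.startswith(("ECDHE-", "DHE-"))


def make_server_context(rotate_ticket_keys: bool) -> ssl.SSLContext:
    """Server context limited to forward-secret suites (assumed baseline string).

    Caveat on session tickets (RFC 5077): the ticket is encrypted under a
    long-lived server-side key.  If that key is never rotated, a captured
    session can be decrypted later from the ticket and the forward secrecy
    bought with ECDHE is lost.  If the deployment cannot rotate the key,
    disabling tickets is the safer choice.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:DHE+AESGCM:!aNULL:!MD5")
    if not rotate_ticket_keys:
        ctx.options |= ssl.OP_NO_TICKET
    return ctx


def non_forward_secret_ciphers(ctx: ssl.SSLContext) -> list:
    """Names of suites the context would still offer without forward secrecy."""
    return [c["name"] for c in ctx.get_ciphers() if not is_forward_secret(c["name"])]


def tickets_disabled(ctx: ssl.SSLContext) -> bool:
    """True if the context will not issue RFC 5077 session tickets."""
    return bool(ctx.options & ssl.OP_NO_TICKET)


if __name__ == "__main__":
    ctx = make_server_context(rotate_ticket_keys=True)
    print("suites offered:", len(ctx.get_ciphers()))
    print("without forward secrecy:", non_forward_secret_ciphers(ctx) or "none")
    print("tickets disabled:", tickets_disabled(make_server_context(rotate_ticket_keys=False)))
```

Resumption via tickets does save the round trips the article describes, so the practical answer is usually to keep tickets on and rotate the ticket key on a short schedule rather than to turn them off.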
