Security trends for 2014

2014 will be a year of cybersecurity after the NSA revelations of 2013. The headline news was that the NSA had surreptitiously “burrowed its way into nearly all the security architecture” sold by the world’s largest computer networking companies. Many people were shocked by how much of the Internet the NSA monitored and hacked. There will still be NSA aftershocks as new material comes out and different parties react to it (and news sources write about it). U.S. cloud services have been put into question for good reason, and there will be a lot of NSA spying litigation. Those spying issues will also fuel some hacktivism (it has already started to happen).

The Security Professionals: Top Cyber Threat Predictions for 2014 article lists the following predictions, which seem quite probable: Cybersecurity Regulatory Efforts Will Spark Greater Need for Harmonization, Service-Impacting Interruptions for Online Services Will Persist, We Will See an Increase in Cybercrime Activity Related to the World Cup, Rise of Regional Cloud Services, Dev-Ops Security Integration Fast Becoming Critical, Cybercrime that Leverages Unsupported Software will Increase, Increase in Social Engineering and Ransomware will Impact More People.

Ubiquitous mobile computing is all around us, which will lead to increased risks and concerns about social network privacy. Social networks have quickly become the key organizing principle of Internet communication and collaboration. And Android anti-virus apps CAN’T kill nasties on sight the way normal AV does.

2013 was a very hacked year, with many cases where information on millions or tens of millions of users was stolen from companies. It’s likely that we will see much more of the same in 2014: the way people use passwords and the way on-line services are built have not changed much in one year.


Gartner predicts that through 2014, improved JavaScript performance will begin to push HTML5 and the browser as a mainstream enterprise application development environment. I expect HTML5-related security issues to increase because the technology is being used more in 2014.

Over 50% of net traffic to web sites is made by bots! The More Than Half of Internet Traffic Is Just Bots article says that security and cloud service provider Incapsula analyzed traffic and found that more than 60 percent of internet traffic is computer generated, compared to less than 40 percent driven by human clicks, and that 31% of bots are still malicious. SEO link building has always been a major motivation for automated link spamming, but it is decreasing because Google was able to discourage it. There is more advanced hacking and automatic vulnerability searching.

DDoS attacks are evolving from volumetric Layer 3-4 attacks to much more sophisticated and dangerous Layer 7 multi-vector threats.
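As an added example (not from the original post and not Incapsula’s tooling), the following Python script shows both of the points above in code: it parses combined-format access-log lines, labels each request as human, known crawler or other automated client from its User-Agent (a simple substring heuristic of my own, not Incapsula’s classification), and then looks for the per-client request bursts against one endpoint that characterise an application-layer (Layer 7) flood, which a packet-rate counter at Layer 3-4 would not see because every request is a well-formed one. The log lines, IP addresses and thresholds are constructed for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Regex for the "combined" access-log format written by Apache and nginx.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample traffic (not real logs): two human page views, two
# well-known crawlers and one scripted client hammering a search endpoint.
_BASE = datetime.strptime("10/Jan/2014:10:00:00 +0000", "%d/%b/%Y:%H:%M:%S %z")
_HUMAN_UA = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 Chrome/31.0 Safari/537.36"

def _line(ip, offset_s, path, ua, status=200):
    ts = (_BASE + timedelta(seconds=offset_s)).strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 512 "-" "{ua}"'

SAMPLE_LINES = [
    _line("203.0.113.10", 0, "/", _HUMAN_UA),
    _line("203.0.113.10", 3, "/about", _HUMAN_UA),
    _line("66.249.66.1", 5, "/robots.txt",
          "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"),
    _line("157.55.39.1", 7, "/",
          "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"),
] + [
    # twelve requests to an expensive endpoint within three seconds from one client
    _line("198.51.100.7", 6 + i // 4, f"/search?q={i}", "python-requests/2.2.1")
    for i in range(12)
]

KNOWN_CRAWLERS = ("googlebot", "bingbot", "yandexbot", "baiduspider")
SCRIPT_MARKERS = ("bot", "crawler", "spider", "python-requests", "curl/", "wget/", "java/", "libwww")

def classify_agent(ua):
    """Label a User-Agent as 'human', 'good-bot' (known crawler) or 'other-bot'.
    This is a simple substring heuristic (an assumption of this example, not
    Incapsula's method); an empty User-Agent is treated as a bot."""
    lowered = ua.lower()
    if any(name in lowered for name in KNOWN_CRAWLERS):
        return "good-bot"
    if not lowered or any(marker in lowered for marker in SCRIPT_MARKERS):
        return "other-bot"
    return "human"

def parse_log(lines):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        entry = m.groupdict()
        entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
        entry["kind"] = classify_agent(entry["ua"])
        entries.append(entry)
    return entries

def traffic_breakdown(entries):
    """Fraction of requests per kind, e.g. {'human': 0.4, 'good-bot': 0.1, 'other-bot': 0.5}."""
    counts = Counter(e["kind"] for e in entries)
    total = sum(counts.values()) or 1
    return {kind: n / total for kind, n in counts.items()}

def find_floods(entries, window_s=5, threshold=10):
    """Return {ip: peak_requests} for clients that exceed `threshold` requests
    inside any `window_s`-second sliding window: a Layer 7 signal, since each
    individual request is a valid one and no packet counter would object."""
    by_ip = defaultdict(list)
    for e in entries:
        by_ip[e["ip"]].append(e["ts"])
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[ip] = peak
    return flagged

if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LINES)
    print(traffic_breakdown(parsed))
    print(find_floods(parsed))
```

On the constructed sample the scripted client accounts for three quarters of all requests and is the only client flagged by the sliding-window check; in practice the User-Agent heuristic is the weakest part (a malicious client can claim any string), which is why the rate check keys on the source address and endpoint rather than on what the client says it is.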

There will still be many SCADA security issues in 2014. Even though traditional SCADA vulnerabilities have become easier to find, the increased connectivity brought by IoT will cause new issues. And there will still be very many control systems openly accessible from the Internet to practically anybody who knows how to find them. A large number of SCADA systems were found open on the Internet at the beginning of 2013, and the numbers have not dropped considerably during the year. I expect that very many of those systems will still be too open at the end of 2014.

The Internet is expanding into enterprise assets and consumer items such as cars and televisions. The Internet of Things (IoT) will evolve into the Web of Things, increasing the coordination between things in the real world and their counterparts on the Web. There will be many security issues to solve, and as these systems become more widely used, more security issues will be found in them.

Cloud security will be talked about. Hopefully there will be some clearing-up of the terminology in that area, because, like the term cloud computing, cloud security can mean a lot of things. It could mean how secure your cloud provider is; a service that runs in the cloud and filters what passes through it (for example e-mails or web traffic); a product protecting some service running in the cloud; or a traditional anti-virus service that connects to the cloud to improve its operation (for example updating in real time, or verifying unknown programs against data in the cloud). Research firm Gartner forecasts that cloud security sales will increase dramatically in the next few years. Cloud security sales have increased over the past year by 2.1 billion to $3.1 billion in 2015.

Marketers try to put the “cloud” term into security product brochures as much as they can. The cloud has made traditional information security sound old-fashioned, because companies are under pressure to move services to the cloud. Also, mobile devices and dispersed users set new standards for information security. OpenDNS’s CTO Dan Hubbard says that “Because the data and equipment run in the cloud, the cloud is the best way to protect the users.” The Snowden Effect will also put PRIVATE cloud talk on the table this year for security reasons, because U.S. cloud services have been put into question for good reason.

In Finland a new Cyber Security Center started in the beginning of 2014. Security articles and warnings from it will be published at kyberturvallisuuskeskus.fi.

Late addition: Crypto-currencies like Bitcoin and similar are on the rise. Early adopters already use them actively. Those crypto-currencies have many security issues related to them. The values of the crypto-currencies vary quite a lot, and the value easily drops considerably when they become so widely used that different governments try to limit their use. Bitcoin is increasingly used as a ransomware payment method. Quite a lot of Bitcoins have been stolen lately (and I expect that to increase as usage increases), from users, from on-line wallets and from exchanges. When more money is involved, more bad guys try to get in to take some of it. Sometimes bad guys do not try to steal your money, but use resources you pay for (your own PC, your server capacity, etc.) to generate money for themselves without you knowing about it. If you plan to use those crypto-currencies, be careful to understand what you are doing with them; there is a real possibility that you can lose your money, and there is no way that lost money can be recovered.

3,382 Comments

  1. Tomi Engdahl says:

    Chinese hackers spied on investigators of Flight MH370 – report
    Classified data on flight’s disappearance pinched
    http://www.theregister.co.uk/2014/08/21/mh370_disaster_cyber_snooping/

    Malaysian officials investigating the disappearance of flight MH370 have been targeted in a hacking attack that resulted in the theft of classified material.

    The malware-based hacking attack hit around 30 PCs assigned to officials in the Malaysia Airlines, the Civil Aviation Department and the National Security Council, a security firm working on the hack told Malaysian newspaper The Star.

    The malware was hidden in a PDF attachment posing as a news article

    The infection was detected, but not before all manner of sensitive documents were siphoned off from compromised systems and channelled via email to an IP address in China. The methodology of the attacks matched those of so-called spear phishing assaults that are normally directed towards cyber-espionage and the theft of industrial secrets.

    “This was well-crafted malware that antivirus programs couldn’t detect. It was a very sophisticated attack,”

  2. Tomi Engdahl says:

    The Return of BSOD: Does ANYONE trust Microsoft patches?
    Sysadmins, you’re either fighting fires or seen as incompetents now
    http://www.theregister.co.uk/2014/08/18/microsoft_security_sanity_buster/

    Patch early and patch often is the advice of security professionals when it comes to software updates.

    After all, who needs to be left wide open to hackers and malware writers when the solution is delivered by the software’s maker?

    Yet sysadmins will be increasingly leery of applying such an approach to Windows systems following Microsoft’s latest botch job.

    Susan Bradley, a Microsoft “valued professional community moderator”, shot back:

    “They do test, they just missed something here. Would you mind emailing me so we can get this officially investigated? The more samples/cases we have the faster we can get to the bottom of it.”

  3. Tomi Engdahl says:

    Hacking Gmail with 92 percent success
    http://phys.org/news/2014-08-hacking-gmail-percent-success.html

    A team of researchers, including an assistant professor at the University of California, Riverside Bourns College of Engineering, have identified a weakness believed to exist in Android, Windows and iOS mobile operating systems that could be used to obtain personal information from unsuspecting users. They demonstrated the hack in an Android phone.

    The researchers tested the method and found it was successful between 82 percent and 92 percent of the time on six of the seven popular apps they tested. Among the apps they easily hacked were Gmail, CHASE Bank and H&R Block. Amazon, with a 48 percent success rate, was the only app they tested that was difficult to penetrate.

    The paper, “Peeking into Your App without Actually Seeing It: UI State Inference and Novel Android Attacks,” will be presented Friday, Aug. 22 at the 23rd USENIX Security Symposium in San Diego

    The researchers believe their method will work on other operating systems because they share a key feature researchers exploited in the Android system.

    “The assumption has always been that these apps can’t interfere with each other easily,” Qian said. “We show that assumption is not correct and one app can in fact significantly impact another and result in harmful consequences for the user.”

  4. Tomi Engdahl says:

    Couchsurfing Hacked, Sends Airbnb Prank Spam
    http://it.slashdot.org/story/14/08/21/1311218/couchsurfing-hacked-sends-airbnb-prank-spam

    an anonymous prankster hacked the Couchsurfing.org website and sent spam to about 1 million members, snarkily advertising their commercial arch-rival Airbnb as “the new Couchsurfing.”

    Obviously I think it’s unlikely that anyone at the real Airbnb would actually risk jail time by hacking Couchsurfing’s servers to send out spam advertising the Airbnb website; it seems more like the actions of someone being snarky, possibly a former employee or an outsider with an axe to grind.

  5. Tomi Engdahl says:

    Microsoft: We plan to CLEAN UP this here Windows Store town
    Paid-for apps that provide free downloads? Really
    http://www.theregister.co.uk/2014/08/21/windows_store_scamware_problems/

    Microsoft has promised to crack down on rogue apps in its Windows Store following criticisms that the marketplace is littered with “scam” software.

    Windows Store – which debuted with Windows 8 – is littered with misleading apps. Typical problems include knock-off “unofficial” packages of free apps such as the VLC media player. These apps charge you for downloads while offering little or no added functionality, How to Geek reports.

    The consumer technology site argues that Redmond has brought this unsightly mess on itself by offering to pay developers $100 for each app they submitted to the Windows Store or Windows Phone Store as part of a discontinued promotion that began in March.

    The majority of the problems arise with third-party apps, Hot Hardware adds.

    “Whenever a big company creates an open platform for developers, it’s unfortunately always going to attract the wrong kind of attention,” she explained. “Scammers see these as a target and are increasingly abusing the trust that big brands have spent millions of dollars and years building. They create everything from browser extensions loaded with ads, to mobile apps packed with spyware.

  6. Tomi Engdahl says:

    Mobile apps could be abused to make expensive phone calls
    http://www.pcworld.com/article/2597860/mobile-apps-could-be-abused-to-make-expensive-phone-calls.html

    A security precaution skipped in mobile applications such as Facebook’s Messenger could be abused to make an expensive phone call at a victim’s expense, a developer contends.

    Phone numbers often appear as links on a mobile device. That is possible by using a Uniform Resource Identifier (URI) scheme called ”tel” to trigger a call.

    Andrei Neculaesei, a full-stack developer with the wireless streaming company Airtame in Copenhagen, contends there’s a risk in how most native mobile applications handle phone numbers.

    If a person clicks on a phone number within Apple’s mobile Safari browser, a pop-up asks if a person wants to proceed with a call.

    But many native mobile applications, including Facebook’s Messenger and Google’s +, will go ahead and make the call without asking, Neculaesei wrote on his blog.

  7. Tomi Engdahl says:

    White House cybersecurity czar brags about his lack of technical expertise
    http://www.vox.com/2014/8/21/6053819/white-house-cybersecurity-czar-brags-about-his-lack-of-technical

    Michael Daniel is the White House’s cybersecurity coordinator, the man who “leads the interagency development of national cybersecurity strategy and policy” for the president. And in a recent interview with GovInfoSecurity, he argued that his lack of technical expertise gave him an advantage in doing that job.

    “You don’t have to be a coder in order to really do well in this position,” Daniel said, when asked if his job required knowledge of the technology behind information security. “In fact, actually, I think being too down in the weeds at the technical level could actually be a little bit of a distraction.”

    “You can get taken up and enamored with the very detailed aspects of some of the technical solutions,” he explained, arguing that “the real issue is looking at the broad strategic picture.”

    As Princeton computer scientist (and, full disclosure, my former advisor) Ed Felten points out, it’s hard to imagine senior policymakers with responsibility for other technical subjects making this kind of claim. Imagine a White House economic advisor arguing that experience in the weeds of economic research would be a distraction, an attorney general making that claim about time in a courtroom, or a surgeon general bragging about never having set foot in an operating room.

  8. Tomi Engdahl says:

    NSA and GCHQ agents ‘leak Tor bugs’, alleges developer
    http://www.bbc.com/news/technology-28886462

    British and American intelligence agents attempting to hack the “dark web” are being deliberately undermined by colleagues, it has been alleged.

    Spies from both countries have been working on finding flaws in Tor, a popular way of anonymously accessing “hidden” sites.

    But the team behind Tor says other spies are tipping them off, allowing them to quickly fix any vulnerabilities.

    The agencies declined to comment.

    He said leaks had come from both the UK Government Communications Headquarters (GCHQ) and the US National Security Agency (NSA).

    By fixing these flaws, the project can protect users’ anonymity, he said.

    “And the fact that we take a completely anonymous bug report allows them to report to us safely.”

    “It’s not surprising that agencies all over the world will be looking for weaknesses in Tor,” said Alan Woodward.

    “But the fact that people might then be leaking that to the Tor Project so that it can undo it would be really very serious.

    “So if that is happening, then those organisations are going to take this very seriously.”

    “So you can imagine one part of GCHQ is trying to break Tor, the other part is trying to make sure it’s not broken because they’re relying on it to do their work.”

    “So it’s typical within governments, or even within large agencies, that you have two halves of the same coin going after different parts of Tor. Some protect it, some try to attack it.”

  9. Tomi Engdahl says:

    Malicious app can get past Android WITHOUT PERMISSIONS
    Be careful what you install, say boffins. Again.
    http://www.theregister.co.uk/2014/08/22/malicious_app_can_get_past_android_without_permissions/

    Researchers presenting at Usenix have lifted the lid on yet another Android vulnerability: the way apps use memory can be exploited to leak private information with a success rate “between 82 and 92 per cent of the time”.

    Announced by the University of California, Riverside here, the researchers’ paper gives a pretty good idea of what’s going on in its title: “Peeking into Your App without Actually Seeing It: UI State Inference and Novel Android Attacks”.

    The paper explains that UI state reflects a specific piece of functionality at the window level – for example, in the login window the user’s text inputs may change, but layout and functionality are consistent. If the attacker builds a UI state machine based on UI state signatures, they can infer UI states “in real time from an unprivileged background app”.

  10. Tomi Engdahl says:

    Who needs hackers? ‘Password1′ opens a third of all biz doors
    GPU-powered pen test yields more bad news about defences and passwords
    http://www.theregister.co.uk/2014/08/15/hundreds_of_thousands_of_corporate_passwords_cracked_in_minutes/

    Hundreds of thousands of hashed corporate passwords have been cracked within minutes by penetration testers using graphics processing units.

    The 626,718 passwords were harvested during penetration tests over the last two years conducted across corporate America by Trustwave infosec geeks.

    The firm’s threat intelligence manager Karl Sigler said in a post that half of the plundered passwords were cracked within “the first few minutes”.

    “We eventually cracked 576,533 or almost 92 percent of the sample within a period of 31 days,” Sigler said.

    “Such a short cracking time using a word list from last year’s [common passwords] study shows that passwords were as predictable as ever.

    “‘Password1′ was the password we came across most often in this year’s analysis.”

    Passwords peaked at eight characters in keeping with business policies. The most common were Password1 with 2984 results, Hello123 with 2587, password with 2458 and welcome1 with 1697, the study found.

    “Despite the best efforts of IT administrators, users find methods to meet complexity requirements while still creating weak passwords,” Sigler said, noting that Active Directory’s password requirements permitted ‘Password1′.

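The point made in the post above (password habits have not changed) and again in this comment (users satisfy complexity rules while still picking ‘Password1’) can be shown with a short check. The following Python is an added example, not Trustwave’s tooling and not Microsoft’s exact rule set: ad_style_complexity approximates a typical Active Directory policy (a minimum length plus three of four character classes), which ‘Password1’ passes, while stricter_check adds what such a policy lacks: a block list seeded with the four most-cracked passwords quoted in the comment, normalisation of digit suffixes and leet substitutions, and a pattern check for the ‘Capitalised word plus digits’ habit. The word lists are tiny constructed samples.

```python
import re

# Constructed samples for this example, seeded with the most-cracked passwords
# quoted above; a real deployment would load a much larger breach-derived list.
COMMON_PASSWORDS = {"password1", "hello123", "password", "welcome1"}
DICTIONARY_WORDS = {"password", "hello", "welcome", "summer", "winter", "admin", "letmein"}

# Common "leet" substitutions, undone before the dictionary comparison.
LEET = str.maketrans("@$!0134", "asiolea")

def ad_style_complexity(pw, min_length=8):
    """Approximation (an assumption of this example, not Microsoft's exact rule set)
    of an Active Directory complexity policy: a minimum length and at least three
    of the four character classes. 'Password1' satisfies it."""
    classes = (
        re.search(r"[A-Z]", pw), re.search(r"[a-z]", pw),
        re.search(r"[0-9]", pw), re.search(r"[^A-Za-z0-9]", pw),
    )
    return len(pw) >= min_length and sum(1 for c in classes if c) >= 3

def normalize(pw):
    """Strip the trailing digit/punctuation suffix and undo leet substitutions,
    so that 'P@ssw0rd1' compares as 'password'."""
    stripped = re.sub(r"[\d\W_]+$", "", pw.lower())
    return stripped.translate(LEET)

def stricter_check(pw):
    """Return the reasons a password should be rejected even when it passes the
    complexity policy; an empty list means no objection was found."""
    reasons = []
    if pw.lower() in COMMON_PASSWORDS:
        reasons.append("on common-password list")
    if normalize(pw) in DICTIONARY_WORDS:
        reasons.append("dictionary word with digits or leet substitutions")
    if re.fullmatch(r"[A-Z][a-z]+\d{1,4}", pw):
        reasons.append("capitalised word followed by digits")
    if len(pw) < 12:
        reasons.append("shorter than 12 characters")
    return reasons

def evaluate(pw):
    """Combine both checks for one candidate password."""
    return {"passes_complexity": ad_style_complexity(pw),
            "rejected_for": stricter_check(pw)}

if __name__ == "__main__":
    for candidate in ("Password1", "Hello123", "P@ssw0rd1",
                      "correct horse battery staple 2014"):
        print(candidate, evaluate(candidate))
```

The interesting cases are the ones where the two checks disagree: ‘Password1’ and ‘P@ssw0rd1’ pass the class-counting policy but fall to the block list and the normalisation step, which is exactly the gap the cracked-password statistics in the comment describe.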
  11. Tomi Engdahl says:

    Security precogs divine web vulnerabilities BEFORE THEY EXIST
    Three million web properties will go under the pwned hammer
    http://www.theregister.co.uk/2014/08/22/security_precogs_divine_web_vulnerabilities_before_they_exist/

    Wayback is way ahead: Three million webpages are set to become hacker fodder according to research that could predict what websites will become vulnerable ahead of time.

    The research by Kyle Soska and Nicolas Christin of Carnegie Mellon University used an engine which divined the future by looking at the past – more specifically, by trawling the Way Back Machine with its 391 billion stored pages for sites that had become malicious.

    It determined that of 4,916,203 current benign webpages (tied to 444,519 websites) about 3 million would become vulnerable within a year.

    The work was a boon to search engines for assessing malicious hits, blacklist operators, and affected website admins who could be warned ahead of potential compromise, according to Soska and Christin.

    It was then a matter of looking back between three to 12 months before a site was compromised to acquire indicators of why it was popped.

    Those indicators included sudden increases to traffic, the presence of certain files like the WordPress CMS which may be unpatched, and particular HTML tags.

    User-generated content was parsed out from the assessed data on websites as it was not useful for determining sites that would become vulnerable in the future.

    “Our approach relies on an online classification algorithm that can automatically detect whether a server is likely to become malicious,”

  12. Tomi Engdahl says:

    True fact: 1 in 4 Brits are now TERRORISTS
    YouGov poll reveals terrible truth about the enemy within
    http://www.theregister.co.uk/2014/08/22/one_in_three_brits_are_now_terrorists/

    One in four Brits could be facing imminent arrest by the Metropolitan Police after apparently falling foul of the boys in blue’s astonishing new definition of a terrorist.

    As we revealed earlier this week, simply viewing a beheading video is enough for the cops to label you a card-carrying threat to public safety.

    The chart revealed that some 83 per cent of Brits have at least heard of the horrifying video nasty

  13. Tomi Engdahl says:

    UPS: We’ve Been Hacked
    http://time.com/3151681/ups-hack/

    Malware that impacted 51 franchises in 24 states may have compromised customers’ credit and debit card information

    The malware began to infiltrate the system as early as January 20, but the majority of the attacks began after March 26. UPS says the threat was eliminated as of August 11 and that customers can shop safely at all locations.

  14. Tomi Engdahl says:

    It’s Easy To Hack Traffic Lights
    http://tech.slashdot.org/story/14/08/22/1241211/its-easy-to-hack-traffic-lights

    As is typical in large urban areas, the traffic lights in the subject city are networked in a tree-type topology, allowing them to pass information to and receive instruction from a central management point. The network is IP-based

    The 5.GHz network has no password and uses no encryption; with a proper radio in hand, joining is trivial

  15. Tomi Engdahl says:

    NSA Agents Leak Tor Bugs To Developers
    http://yro.slashdot.org/story/14/08/22/1311210/nsa-agents-leak-tor-bugs-to-developers

    We’ve known for a while that NSA specifically targets Tor, because they want to disrupt one of the last remaining communication methods they aren’t able to tap or demand access to. However, not everybody at the NSA is on board with this strategy.

    Lewman estimates the Tor Project receives these reports on a monthly basis. He also spoke about how a growing amount of users will affect Tor. He suggests a massive company like Google or Facebook will eventually have to take up the task of making Tor scale up to millions of users.

  16. Tomi Engdahl says:

    Top Five Reasons Why Your Organization Should Consider Cloud-Based Disaster Recovery
    http://blogs.vmware.com/vcloud/2014/07/top-five-reasons-organization-consider-cloud-based-disaster-recovery.html

    Few organizations can afford the downtime caused by a disaster. Those capable of weathering such events usually have the datacenters, internal expertise and budget to do so — options that aren’t available for most mid-market organizations.

    However the tides are changing, as many organizations look away from traditional disaster recovery solutions and to the cloud. According to an IDG market survey, 43% of respondents are getting started with hybrid cloud to improve their disaster recovery capabilities.

  17. Tomi Engdahl says:

    Your Anonymous Posts to Secret Aren’t Anonymous After All
    http://www.wired.com/2014/08/secret/

    He’s showing me one of my posts to Secret, the popular anonymous sharing app that lets you confess your darkest secrets to your friends without anyone knowing it’s you.

    My secret is pretty lame, but Secret’s stream is a slurry of flippant posts, Silicon Valley gossip, and genuinely personal confessions

    Fortunately for Secret users, Caudill is one of the good guys.

    In an interview with WIRED this week, Secret CEO David Byttow confirmed the vulnerability, and said the company has blocked the attack and begun a post-mortem. “As near as we can tell this hasn’t been exploited in any meaningful way,” says Byttow. “But we have to take action to determine that.”

    What’s surprising, though, is that this is routine for the company. Since Secret instituted a bug bounty in February, the company has closed 42 security holes identified by 38 white hat hackers. Given the sensitivity of what some people post to Secret, this iterative approach might seem disconcerting. But Byttow says the deluge of bugs proves the system works.

  18. Tomi Engdahl says:

    U.S. undercover investigators among those exposed in data breach
    http://www.reuters.com/article/2014/08/22/us-usa-security-contractor-cyberattack-idUSKBN0GM1TZ20140822

    A cyber attack at a firm that performs background checks for U.S. government employees compromised data of at least 25,000 workers, including some undercover investigators, and that number could rise, agency officials said on Friday.

  19. Tomi Engdahl says:

    Securing Networks In the Internet of Things Era
    http://beta.slashdot.org/story/206285

  20. Tomi Engdahl says:

    Point-of-Sale malware attack hits BIG NUMBER of major businesses, warns US government
    ‘More than 1,000 enterprise networks compromised’
    http://www.theregister.co.uk/2014/08/23/us_homeland_security_says_ups_malware_compromised_significant_number_of_enterprise_networks/

    A Point-of-Sale malware attack has compromised the networks of a “significant” number of major businesses in the US, according to officials at the country’s Homeland Security office.

    The US administration’s Computer Emergency Readiness Team (CERT) advised administrators and operators of PoS systems to familiarise themselves with the Backoff malware alert posted by Homeland Security at the end of last month.

    “Organisations that believe they have been infected with Backoff are also encouraged to contact their local US Secret Service Field Office,” it added

    US businesses including Target, Supervalu and UPS Stores have been affected by the malware attack.

  21. Tomi Engdahl says:

    Researchers Made a Fake Social Network to Infiltrate China’s Internet Censors
    http://motherboard.vice.com/read/researchers-made-a-fake-social-network-to-infiltrate-chinas-internet-censors

    It’s no secret that China has been censoring and controlling the information its citizens can send and receive, especially on the internet. But, until Harvard researchers recently broke into the system, no one knew exactly how it worked.

    Today, researchers from Harvard and the University of California San Diego released a report in Science that reads more like a spy novel than a scientific paper.

    In order to get inside China’s notorious filter, researcher Gary King and his team created dozens of shill accounts and posted hundreds of messages on China’s most popular social networks to see what would be filtered.

  22. Tomi Engdahl says:

    Playstation Network Attacked Along With Battle.Net, Services Brought Down [Updated]

    Sony’s PlayStation Network came under a DDoS attack early Sunday morning along with other gaming services like Blizzard’s Battle.net and League of Legends.

    Read more at http://www.inquisitr.com/1429987/playstation-network-attacked-along-with-battle-net-services-brought-down/#5jcQuewTWg5TEScE.99

  23. Tomi Engdahl says:

    Android Phones Hit by ‘Ransomware’
    http://bits.blogs.nytimes.com/2014/08/22/android-phones-hit-by-ransomware/?_php=true&_type=blogs&_php=true&_type=blogs&_r=1&

    You are guilty of child porn, child abuse, zoophilia or sending out bulk spam. You are a criminal. The Federal Bureau of Investigation has locked you out of your phone and the only way to regain access to all your data is to pay a few hundred dollars.

    That message — or variations of it — has popped up on hundreds of thousands of people’s Android devices in just the last month. The message claims to be from the F.B.I., or cybersecurity firms, but is in fact the work of Eastern European hackers who are hijacking Android devices with a particularly pernicious form of malware, dubbed “ransomware” because it holds its victims’ devices hostage until they pay a ransom.

    Ransomware is not new. Five years ago, criminals in Eastern Europe began holding PC users’ devices hostage with similar tools.

    Now those same criminals are taking their scheme mobile, successfully infecting Android devices at disturbing rates. In just the last 30 days, roughly 900,000 people were infected with a form of ransomware called “ScarePackage,” according to Lookout, a San Francisco-based mobile security firm.

  24. Tomi Engdahl says:

    Hackers Target Video Games for Fun, Profit and Better Scores
    http://bits.blogs.nytimes.com/2014/08/24/hackers-target-video-games-for-fun-profit-and-better-scores/

    Hackers are breaking into American companies for credit card numbers, passwords, trade secrets and — it turns out — for phony video game scores.

    For the past five years, hackers inside China have been breaking into American video game makers’ systems, collecting proprietary source code in an ambitious effort to crack the games for free use and to develop tools to cheat them, according to research by the counter threat unit at Dell SecureWorks, a security firm that was acquired by Dell in 2011.

    In several cases, researchers say, amateur Chinese hackers have proven themselves even more stealthy and sophisticated than their military counterparts.

  25. Tomi Engdahl says:

    Cyber security experts find 92 percent successful Gmail hack
    Works across Android, Windows and iOS operating systems
    http://www.theinquirer.net/inquirer/news/2361674/cyber-security-experts-find-92-percent-successful-gmail-hack

    US SECURITY RESEARCHERS have found out how to hack Gmail with up to 92 percent success across the Android, Windows and iOS operating systems due to a vulnerability.

    The flaw was uncovered by experts at the University of California Riverside Bourns College of Engineering and the University of Michigan, who identified a weakness believed to exist in the app on all major operating systems. They said that the vulnerability could allow attackers to steal users’ sensitive data.

    The findings will be presented at the USENIX Security Symposium in San Diego on 22 August in a report entitled “Peeking into Your App without Actually Seeing It: UI State Inference and Novel Android Attacks”. Although it was tested on only an Android phone, the team believes that the method could be used across all three operating systems because the apps on all of the operating systems can access a mobile device’s shared memory.

  26. Tomi Engdahl says:

    NIST to sysadmins: clean up your SSH mess
    Too many keys, too badly managed
    http://www.theregister.co.uk/2014/08/25/nist_to_sysadmins_clean_up_your_ssh_mess/

    NIST has taken a look at how companies use Secure Shell (SSH), and doesn’t much like what it sees.

    In spite of the depth of access generally handed SSH implementations for a host of different activities – “file transfers, back-ups, software/patch management, disaster recovery, provisioning and data base updates”, as SSH (the company) says – users aren’t working hard enough to protect those activities.

    The report says: “Management of automated access requires proper provisioning, termination, and monitoring processes, just as interactive access by normal users does. However, the security of SSH-based automated access has been largely ignored to date”.

    An SSH process running under a patch management system, it continues, will be given things like root access to accounts or administrator-level access to the Oracle database. Security is, therefore, critical.

    Reply
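    The NIST point above is that automated SSH access is rarely inventoried or constrained. The script below, an added example and not part of the article or the NIST report, parses OpenSSH `authorized_keys` lines (options, key type, blob, comment) and flags automation keys that carry no `from=` source restriction, no `command=` forced command, and no `no-pty`/`no-port-forwarding`/`no-agent-forwarding` (or the newer `restrict`) options, plus legacy `ssh-dss` keys. The sample file is constructed; the key blobs are placeholders, not real keys.

```python
"""Audit OpenSSH authorized_keys entries for unrestricted automation keys.

Added example; the sample content below is constructed and the key blobs are
placeholders. Option names (from=, command=, no-pty, restrict, ...) are the
real OpenSSH authorized_keys options.
"""

KEY_TYPES = {
    "ssh-rsa", "ssh-dss", "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
}

SAMPLE_AUTHORIZED_KEYS = """\
# constructed sample, not from any real host
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0placeholder0 backup@nas
from="10.0.0.5",command="/usr/bin/rsync --server --sender . /srv/backup",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholder1 backup@nas
ssh-dss AAAAB3NzaC1kc3MAAACBAplaceholder2 patchmgr@ci
"""


def _split_unquoted(text, sep=None):
    """Split on sep (whitespace when None), ignoring separators inside double quotes."""
    is_sep = str.isspace if sep is None else (lambda ch: ch == sep)
    parts, current, quoted, i = [], [], False, 0
    while i < len(text):
        ch = text[i]
        if quoted and ch == "\\" and i + 1 < len(text):
            current.append(text[i:i + 2])  # keep escaped character verbatim
            i += 2
            continue
        if ch == '"':
            quoted = not quoted
        if not quoted and is_sep(ch):
            if current:
                parts.append("".join(current))
                current = []
        else:
            current.append(ch)
        i += 1
    if current:
        parts.append("".join(current))
    return parts


def parse_authorized_key(line):
    """Return {options, key_type, key, comment} for one line, or None for blanks/comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = _split_unquoted(line)
    options = {}
    if fields[0] not in KEY_TYPES:  # leading field is the comma-separated options list
        for opt in _split_unquoted(fields[0], ","):
            name, _, value = opt.partition("=")
            options[name.lower()] = value.strip('"') if value else None
        fields = fields[1:]
    if len(fields) < 2 or fields[0] not in KEY_TYPES:
        raise ValueError(f"unparseable authorized_keys line: {line!r}")
    return {"options": options, "key_type": fields[0], "key": fields[1],
            "comment": " ".join(fields[2:])}


def audit_key(entry):
    """List the restrictions an automation key is missing."""
    opts = entry["options"]
    findings = []
    if "from" not in opts:
        findings.append("no from= source restriction")
    if "command" not in opts:
        findings.append("no command= forced command")
    no_interactive = {"no-pty", "no-port-forwarding", "no-agent-forwarding"}
    if "restrict" not in opts and not no_interactive <= opts.keys():
        findings.append("interactive use / forwarding not disabled")
    if entry["key_type"] == "ssh-dss":
        findings.append("weak key type ssh-dss")
    return findings


def audit_authorized_keys(text):
    """Map line number -> (key comment or type, findings) for every key in the file."""
    report = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        entry = parse_authorized_key(line)
        if entry is not None:
            report[lineno] = (entry["comment"] or entry["key_type"], audit_key(entry))
    return report


if __name__ == "__main__":
    for lineno, (label, findings) in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"line {lineno} ({label}): {status}")
```

    Run against a real file with `audit_authorized_keys(open(path).read())`; only the rsync backup key on line 3 of the sample passes, because it pins the source address, forces a single command and disables interactive use and forwarding.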
  27. Tomi Engdahl says:

    RSA SecurID two-factor authentication token extreme disassembly
    https://www.youtube.com/watch?v=r2VboznS96w&list=UUSbBz_gSAoO9TA-CRnh1K0w

    In this video I take apart an RSA SecurID token used for two-factor authentication into secure computer networks.

    The device contains an LCD screen which displays a 6 digit code which changes every 60 seconds. Simple versions of the device contain the LCD only, which is used as a credential for login (usually together with a password).

    In this more advanced device, the user enters a PIN into the keypad on the device. The device then encrypts the PIN with the displayed code, and produces a passcode which is used together with, or instead of, a password.

    Reply
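    The token in the video produces a 6-digit code every 60 seconds from a secret shared with the server. SecurID's own algorithm is proprietary and is not what is shown here; the added example below (not from the video or RSA) implements the open standard equivalent, HOTP (RFC 4226) and TOTP (RFC 6238), with the same 6-digit/60-second parameters, and a server-side verifier that tolerates one step of clock drift and compares codes in constant time. The secret is a constructed sample.

```python
"""Time-based one-time codes (RFC 4226 HOTP / RFC 6238 TOTP).

Added example, not RSA SecurID's proprietary algorithm. The default
parameters mirror the token described in the video: 6 digits, 60-second step.
"""
import hashlib
import hmac
import struct
import time

# Constructed sample secret; a real deployment provisions a random per-token key.
SAMPLE_SECRET = b"constructed-sample-seed-0123"


def hotp(secret: bytes, counter: int, digits: int = 6, digest=hashlib.sha1) -> str:
    """HOTP: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digest).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: float, step: int = 60, digits: int = 6,
         digest=hashlib.sha1) -> str:
    """TOTP: HOTP with the counter derived from wall-clock time in fixed steps."""
    return hotp(secret, int(unix_time) // step, digits, digest)


def verify_totp(secret: bytes, code: str, unix_time: float, step: int = 60,
                digits: int = 6, window: int = 1) -> bool:
    """Server-side check: accept the current step and up to `window` steps either side.

    hmac.compare_digest avoids leaking how many digits matched through timing.
    """
    counter = int(unix_time) // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta, digits), code):
            return True
    return False


if __name__ == "__main__":
    now = time.time()
    code = totp(SAMPLE_SECRET, now)
    print(f"current code: {code}, verifies: {verify_totp(SAMPLE_SECRET, code, now)}")
```

    A larger verification window makes life easier for users with drifting clocks but widens the set of codes accepted at any instant; one step is the usual compromise. Note that a valid code proves possession of the shared secret, so the server-side seed store needs the same protection as a password database.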
  28. Tomi Engdahl says:

    850 Billion NSA Surveillance Records Searchable By Domestic Law Enforcement
    http://yro.slashdot.org/story/14/08/25/2227226/850-billion-nsa-surveillance-records-searchable-by-domestic-law-enforcement

    The Intercept reported today on classified documents revealing that the NSA has built its own “Google-like” search engine to provide over 850 billion collected records directly to law enforcement agencies, including the FBI and the DEA.

    Reply
  29. Tomi Engdahl says:

    Calif. governor signs smartphone ‘kill switch’ bill into law
    http://www.cnet.com/news/calif-governor-signs-smartphone-kill-switch-bill/

    Law requires security software to come enabled by default, but other than that, not much will change for most smartphone users.

    Reply
  30. Tomi Engdahl says:

    New Snowden leak: How NSA shared 850-billion-plus metadata records
    ‘Federated search’ spaffed info all over Five Eyes chums
    http://www.theregister.co.uk/2014/08/26/new_snowden_leak_nsa_massively_expanded_metadata_sharing_in_200607/

    Reply
  31. Tomi Engdahl says:

    Attack flogged through shiny-clicky social media buttons
    66,000 users popped by malicious Flash fudging add-on
    http://www.theregister.co.uk/2014/08/26/ek_flogged_through_shinyclicky_social_media_buttons/

    Web admins beware: social media buttons that load scripts from unknown external sites could see your sites foisting the FlashPack exploit kit to visitors.

    Several sources warn that popular JavaScript social media panels are being modified to load external resources that pull down FlashPack, formerly known as SafePack, which has so far compromised at least 66,000 users.

    It was loaded onto the computers of visitors who failed to apply a February Adobe Flash patch (CVE-2014-0497), which would capture a decent number of victims who still ignore software updates.

    Reply
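    The warning to web admins above is about third-party script tags that load from hosts you do not control. As an added example (not from the article or from the exploit-kit research it cites), the checker below parses a page's HTML, collects every `<script src>` and reports the ones whose host is neither the site itself nor on an allowlist; relative and protocol-relative URLs and port or case differences are handled. The sample page and all host names are constructed.

```python
"""Report <script src> hosts that are not the site's own or on an allowlist.

Added example. The page, hosts and paths below are constructed; nothing here
refers to a real site or a real exploit kit.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

SAMPLE_PAGE = """<!-- constructed sample page, not a real site -->
<html><head>
<script src="/js/site.js"></script>
<script src="https://cdn.site.example/jquery.min.js"></script>
<script type="text/javascript" src="//widgets.share-buttons.example/plugin.js"></script>
<script>var inlineConfig = {};</script>
</head><body>
<div class="share"><script src="HTTP://Ads.Unknown-Host.example:8080/loader.js"></script></div>
</body></html>"""


class ScriptSourceCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in document order."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":  # HTMLParser lowercases tag names
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)


def script_sources(html_text):
    """Return the list of external script URLs referenced by the page (inline scripts excluded)."""
    parser = ScriptSourceCollector()
    parser.feed(html_text)
    parser.close()
    return parser.sources


def script_host(src, site_host):
    """Normalise a script URL to its lower-case host; relative URLs resolve to the site itself."""
    netloc = urlsplit(src.strip()).netloc or site_host
    netloc = netloc.rsplit("@", 1)[-1]       # drop any userinfo
    return netloc.split(":")[0].lower()      # drop any port


def unexpected_script_hosts(html_text, site_host, allowed_hosts=()):
    """Return (src, host) pairs for scripts loaded from hosts outside the allowlist."""
    allowed = {h.lower() for h in allowed_hosts} | {site_host.lower()}
    return [(src, host) for src in script_sources(html_text)
            if (host := script_host(src, site_host)) not in allowed]


if __name__ == "__main__":
    for src, host in unexpected_script_hosts(SAMPLE_PAGE, "www.site.example",
                                             ["cdn.site.example"]):
        print(f"unexpected script host {host}: {src}")
```

    Run it against your own rendered pages (or a crawl of them) and treat every new host as something to explain. This catches the injection vector described above, a widget that starts pulling code from an unexpected origin, but it says nothing about what that code does; the fix for the payload side is still patching the client software, here the Flash update the article names.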
  32. Tomi Engdahl says:

    Has Europe cut the UK adrift on data protection?
    EU reckons we’ve one foot out the door anyway
    http://www.theregister.co.uk/2014/07/31/has_europe_cut_the_uk_adrift_on_data_protection/

    At a meeting on Monday 28 July held under Chatham House rules, an official said the UK was “lost” to Europe.

    The European notion that the UK does not really care about data protection is not a new one; it has been around for more than two decades and developed during the protracted negotiations about the Directive 95/46/EC, where the UK was instrumental in delaying agreement on the Directive for five years.

    Data protection consequences if the UK leaves the EU

    In other words, there is a real risk that the EU might find that the UK does not offer “an adequate level of protection” (even under the current data protection rules).

    Reply
  33. Tomi Engdahl says:

    A Law Enforcement Encounter: If you ran a Bitcoin related service before the thing hit $100 you prolly ought to be somewhat concerned and/or prepared
    http://www.thedrinkingrecord.com/2014/08/25/a-law-enforcement-encounter-if-you-ran-a-bitcoin-related-service-before-the-thing-hit-100-you-prolly-ought-to-be-somewhat-concerned-andor-prepared/

    Reply
  34. Tomi Engdahl says:

    Malware is crawling around mobile applications using well-known brands

    Malware is spreading through clones of well-known smartphone applications, security researchers warn.
    “Attacks usually use brands that people have confidence in.”

    Plenty of information security risks were found in application stores when McAfee Labs examined copies of the popular Flappy Bird smartphone game. Of the 300 copies of the game McAfee examined, four out of five contained malware. Among other things, they placed calls charged to the user’s bill, sent and received text messages and collected the phone’s contacts.

    “Application stores have hundreds of thousands of programs available, which makes comprehensive quality control difficult.”

    Source: http://www.hs.fi/tekniikka/Haittaohjelmat+ry%C3%B6miv%C3%A4t+k%C3%A4nnykk%C3%A4sovelluksiin+tunnettujen+br%C3%A4ndien+vanavedess%C3%A4/a1403577885160

    Reply
  35. Tomi Engdahl says:

    Android users have an average of 95 apps installed on their phones, according to Yahoo Aviate data
    http://thenextweb.com/apps/2014/08/26/android-users-average-95-apps-installed-phones-according-yahoo-aviate-data/

    A by-product of this is that Yahoo/Aviate gathers a lot of data about key activities on Android, including what apps users interact with most, average apps installed and so on. Indeed, Yahoo Aviate and Yahoo Labs have pulled together an infographic (see below) that reveals users have an average of 95 apps installed on their phones, 35 of which are used (on average) each day.

    Digging a little deeper, it’s clear that certain apps appeal to users at specific times of day, which probably doesn’t come as that much of a surprise.

    Reply
  36. Tomi Engdahl says:

    Securing the U.S. electrical grid
    http://www.net-security.org/article.php?id=2106

    The Center for the Study of the Presidency & Congress (CSPC) launched a project to bring together representatives from the Executive Branch, Congress, and the private sector to discuss how to better secure the U.S. electric grid from the threats of cyberattack, physical attack, electromagnetic pulse, and inclement weather.

    The result is the Securing the U.S. Electrical Grid report, and talking about critical security challenges we have Dan Mahaffee, the Director of Policy at CSPC.

    Reply
  37. Tomi Engdahl says:

    SynoLocker Trojan crime gang: We QUIT this gig
    Hold ‘closing down sale’ as they hotfoot it to … island?
    http://www.theregister.co.uk/2014/08/14/synolocker_trojan_closing_down_sale/

    A ransomware Trojan gang appears to be moving on, and has offered to sell its remaining decryption keys in bulk for 200 BTC ($103,000, £61,500).

    Cybercrooks behind the recent SynoLocker Trojan – which targets the network attached storage devices manufactured by Synology – have apparently decided to cash out on their ill-gotten gains. The ransomware encrypted users’ files before demanding a payment for a private key necessary to unscramble them.

    Regular victims are being given around seven days to pay up.

    Of course, there’s nothing to stop the scammers continuing in business beyond their self-imposed deadline.

    Reply
  38. Tomi Engdahl says:

    Many information security professionals would argue that the key to an organization’s security is security awareness, as it’s usually the weakest link that enables cyber attackers to execute an efficient attack. How can we motivate an entire nation to educate themselves and understand the risks?

    As your question indicates, the human factor is one of the most important—if not the most important—aspects of physical and cyber security. Security awareness needs to be both top-down and bottom-up in an organization.

    Beyond the C-suites, every employee and vendor must also be aware of how their decisions may affect the security of a company.

    This is indeed a massive challenge that will require resources from the government and private sector.

    Source: http://www.net-security.org/article.php?id=2106&p=2

    Reply
  39. Tomi Engdahl says:

    We scam the Indian call centre scammers
    http://www.techcentral.co.za/we-scam-the-indian-call-centre-scammers/50579/

    The Indian call centre scam that warns users that their computers are infected is one of the longest running and most annoying Internet rackets. TechCentral’s Regardt van der Berg took one of the scammers for a ride.

    At TechCentral, we get called on average at least once a week — sometimes far more often — by a friendly sounding Indian national warning us that our Windows computer is infected with a virus. The call, which originates from a call centre, follows exactly the same script every time.

    “John” told me that my PC — along with my licence keys and personal information — was registered on their servers as being an infected device that was sending all my personal information out into the world.

    He proceeded to tell me there were millions of users with the same problem and wanted me to believe his “company” was calling all of them to help disinfect their computers.

    So, if you get a call asking if you are the owner of the PC, just put the phone down. Or, if you’re tech savvy, why not have a little fun with them like I did?

    Reply
  40. Tomi Engdahl says:

    Akamai warns: SMB security remains major risk
    http://www.theregister.co.uk/2014/08/26/akamai_warns_smb_security_remains_major_risk/

    Security offerings for small businesses need to look more like those offered to enterprises, according to Akamai global security senior director Fran Trentley.

    Speaking to The Register while in Sydney for the Gartner Security & Risk Management Summit, Trentley said SMBs are increasingly seen as attack targets, and that poses a potentially devastating threat to economies.

    In a world accustomed to high-profile attacks against large, famous enterprises, Trentley noted that small businesses remain drivers of most economies, are their largest employers, and in Akamai’s experience they suffer terribly from security breaches.

    “Twenty per cent of the attacks we see are against SMBs,” he said, and when those attacks are successful, “60 per cent of the targets close their business within six months”.

    Reply
  41. Tomi Engdahl says:

    Revoke App Permissions on Firefox OS
    https://frederik-braun.com/revoking-permissions-on-firefox-os.html

    On Firefox OS (FxOS), every app has its own set of permissions. The operating system makes sure that an app may only do things that are requested in the app manifest. Some of these permissions are always set to Ask.

    The security model of Firefox OS is based on contextual prompts. So for APIs that are understandable and human meaningful like geolocation, using the camera or recording audio the OS will prompt the user. You can save & remember these choices and later revisit them in the Settings app under “App Permissions”. You may set them to Allow, Prompt, or Deny.

    For simplicity’s sake, all permissions default to something that the inventors of these APIs deemed safe. For tcp-sockets and alarms this is Allow. For geolocation it’s Prompt.

    But what if you are tech savvy? What if you do want to revoke or be asked for permissions that are a bit hard to explain?

    To bridge this gap and empower tech savvy & paranoid privacy enthusiasts, I have created a developer setting that shows a verbose app permissions list. It enhances the normal App Permissions panel of the Settings app.

    Beware that you may break the app that you wish to contain – just because it is not designed to cope with failure.

    Reply
  42. Tomi Engdahl says:

    UK Prisons Ministry Fined For Lack of Encryption At Prisons
    http://news.slashdot.org/story/14/08/26/2238211/uk-prisons-ministry-fined-for-lack-of-encryption-at-prisons

    The Guardian reports that the UK Information Commissioner has levied a fine of £180,000 on the Ministry of Justice for their failure to encrypt data held on external hard drives at prisons. The fine is nominal — one part of government fining another is rather pointless, but it does show that there’s a little bit of accountability.

    To make matters worse, one of the unencrypted backup hard drives walked away.

    Reply
  43. Tomi Engdahl says:

    Project Zero Exploits ‘Unexploitable’ Glibc Bug
    http://it.slashdot.org/story/14/08/26/2233257/project-zero-exploits-unexploitable-glibc-bug

    “Google’s ‘Project Zero’ devised an exploit of the out-of-bounds NUL write in glibc to gain root access using the setuid binary pkexec in order to convince skeptical glibc developers. 44 days after being reported, the bug has been fixed.”

    Reply
  44. Tomi Engdahl says:

    Bitcoin Bill Begs Questions
    http://www.eetimes.com/author.asp?section_id=36&doc_id=1323647&

    Bitcoin and other digital currencies are picking up steam worldwide, and in late June California attempted to legalize the use of digital currencies through Assembly Bill 129. The bill also was designed to make legal the use of so-called “community currencies,” the alternative currencies issued and circulated by a small but increasing number of local communities looking to, among other things, foster local businesses and community cohesion.

    Reply
  45. Tomi Engdahl says:

    PCI Council wants YOU to give it things to DO
    How about enforcing PCI DSS?
    http://www.theregister.co.uk/2014/08/27/pci_council_wants_you_to_give_it_things_to_do/

    Crusaders at the Payment Card Industry Security Standards Council have called for submissions into projects for 2015.

    The council is responsible for PCI Data Security Standards (PCI DSS), a – to date – largely failed initiative to impose better credit card processing security by retailers.

    The group was developed by the payment card industry initiatives as a means to target security challenges within the payments sector.

    Proposed topics for examination next year include “daily log monitoring”, PCI DSS mainframe probes, network virtualisation, and certificate and crypto key guidelines.

    Automated teller machines also deserve a look into, according to the group – perhaps given the resurgence of security research in the field that has uncovered evidence of ATMs being loaded with malware and the discovery of smaller and smarter skimmers.

    ‘Pay at the Pump’ petrol swipe slots should also be examined along with contactless payment vending machines that have popped up in recent years.

    Reply
  46. Tomi Engdahl says:

    Securobods warn of wide open backdoor in Netis/Netcore routers
    Single, hardcoded password in firmware, claim researchers
    http://www.theregister.co.uk/2014/08/27/netis_routers_have_a_backdoor_say_reserachers/

    Routers sold under the brand Netis by Chinese security vendor Netcore have a hardcoded password that leaves users with a wide-open backdoor that could easily be exploited by attackers, claim researchers.

    The backdoor allows cyber-criminals to easily change settings or run arbitrary code on routers, securobods at Trend Micro warn.

    Reply
  47. Tomi Engdahl says:

    How Much Is Your Privacy Worth?
    http://www.technologyreview.com/news/529686/how-much-is-your-privacy-worth/

    Despite the outcry over government and corporate snooping, some people allow themselves to be monitored for money or rewards.

    Anyone paying attention knows that his or her Web searches, Facebook feeds, and other online activity isn’t always safe—be it from the prying eyes of the NSA or those of the companies providing a social networking service.

    While a substantial chunk of the populace finds all this tracking creepy and invasive, though, there’s a demographic that collectively shrugs at the notion of being mined for data.

    Some startups hope to exploit this by buying access to your Web browsing and banking data (see “Sell Your Personal Data for $8 a Month”).

    Luth Research, a San Diego company, is now offering companies an unprecedented window into the private digital domains of tens of thousands of people who have agreed to let much of what they do on a smartphone, tablet, or PC be tracked for $100 a month.

    Luth’s “ZQ Intelligence” service collects and analyzes data from preselected participants’ phones and computers via a virtual private network connection.

    Luth’s current and former clients include Subway, Microsoft, Walmart, the San Diego Padres, Nickelodeon, and Netflix. The information it collects can help companies decide where to spend advertising dollars.

    Reply
