2014 will be a year of cybersecurity after the NSA revelations of 2013. The headline news is that the NSA has surreptitiously “burrowed its way into nearly all the security architecture” sold by the world’s largest computer networking companies. A lot of people were shocked by how the NSA monitored and hacked almost everything on the Internet. There will still be NSA aftershocks as new material comes out and different parties react to it (and news sources write about it). U.S. cloud services have been put into question for good reason. There will be a lot of NSA spying litigation. Those spying issues will also fuel some hacktivism (it has already started to happen).
The Security Professionals: Top Cyber Threat Predictions for 2014 article lists the following predictions, which seem pretty probable: Cybersecurity Regulatory Efforts Will Spark Greater Need for Harmonization; Service-Impacting Interruptions for Online Services Will Persist; We Will See an Increase in Cybercrime Activity Related to the World Cup; Rise of Regional Cloud Services; Dev-Ops Security Integration Fast Becoming Critical; Cybercrime that Leverages Unsupported Software will Increase; Increase in Social Engineering and Ransomware will Impact More People.
Ubiquitous mobile computing is all around us, which will lead to increased risks and concerns about social network privacy. Social networks have quickly become the key organizing principle of Internet communication and collaboration. Android anti-virus apps CAN’T kill nasties on sight like normal AV.
2013 was a very hacked year, with many cases where information on millions or tens of millions of users was stolen from companies. It is likely that we will see much more of the same in 2014: the way people use passwords and the way on-line services are built have not changed much in one year.
Gartner predicts that through 2014, improved JavaScript performance will begin to push HTML5 and the browser as a mainstream enterprise application development environment. I expect HTML5-related security issues to increase as the technology is used more in 2014.
Over 50% of net traffic to web sites is made by bots! The More Than Half of Internet Traffic Is Just Bots article says that security and cloud service provider Incapsula analyzed traffic and found that more than 60 percent of internet traffic is computer generated, compared to less than 40 percent driven by human clicks. 31% of bots are still malicious. SEO link building has always been a major motivation for automated link spamming, but it is decreasing because Google was able to discourage it. There is more advanced hacking and automated vulnerability scanning.
DDoS attacks are evolving from volumetric Layer 3-4 attacks to much more sophisticated and dangerous Layer 7 multi-vector threats.
There will still be many SCADA security issues in 2014. Even though traditional SCADA vulnerabilities have become easier to find, the increased connectivity brought by IoT will cause new issues. And there will still be very many control systems openly accessible from the Internet to practically anybody who knows how to look for them. A large number of SCADA systems were found open on the Internet at the beginning of 2013, and the numbers have not dropped considerably during the year. I expect that very many of those systems will still be too open at the end of 2014.
The Internet is expanding into enterprise assets and consumer items such as cars and televisions. The Internet of Things (IoT) will evolve into the Web of Things, increasing the coordination between things in the real world and their counterparts on the Web. There will be many security issues to solve, and as these systems become more widely used, more security issues will be found in them.
Cloud security will be talked about. Hopefully there will be some clearing-up of the terminology in that area, because, like the term cloud computing, cloud security can mean a lot of things. It could mean how secure your cloud provider is; a service running in the cloud that filters what passes through it (for example e-mail or web traffic); a product protecting some service running in the cloud; or a traditional anti-virus product that connects to the cloud to improve its operation (for example to update in real time, or to verify unknown programs against data in the cloud). Research firm Gartner forecasts that cloud security sales will increase dramatically in the next few years, from $2.1 billion to $3.1 billion in 2015.
Marketers try to put the “cloud” term into security product brochures as much as they can. The cloud has made traditional information security sound old-fashioned, because companies are under pressure to move services to the cloud. Mobile devices and dispersed users also set new requirements for information security. OpenDNS’s CTO Dan Hubbard says that “because the data and equipment run in the cloud, the cloud is the best way to protect users.” The Snowden effect will also bring private cloud talk to the table this year for security reasons, because U.S. cloud services have been put into question for good reason.
In Finland a new Cyber Security Center started in the beginning of 2014. Security articles and warnings from it will be published at kyberturvallisuuskeskus.fi.
Late addition: Crypto-currencies like Bitcoin and similar are on the rise. Early adopters already use them actively. Those crypto-currencies have many security issues related to them. Their values fluctuate a lot, and the value can easily drop considerably when they become so widely used that governments try to restrict their use. Bitcoin is increasingly used as a ransomware payment method. Bitcoins have been stolen quite a lot lately (and I expect that to increase as usage increases), from users, from on-line wallets and from exchanges. When more money is involved, more bad guys try to get some of it. Sometimes bad guys do not try to steal your money but use resources you pay for (your own PC, your server capacity, etc.) to generate money for them without you knowing about it. If you plan to use those crypto-currencies, be careful to understand what you are doing with them: there is a real possibility that you can lose your money, and there is no way that lost money can be recovered.
3,382 Comments
Tomi Engdahl says:
Automattic Acquires BruteProtect
http://jetpack.me/2014/08/26/automattic-bruteprotect/
Automattic has acquired BruteProtect, a plugin and service that protects your sites from malicious logins, saves server resources so your site runs faster, and keeps all your sites on the latest and greatest versions of WordPress core, plugins, and themes.
The plugin and service are currently available, but over the coming months we’re going to build their functionality into Jetpack and retire BruteProtect as a standalone thing.
BruteProtect also has a premium service that starts at $5 a month per site — effective immediately, that will be free for every BruteProtect user and Jetpack-enabled site.
Tomi Engdahl says:
Ex-federal official convicted in child porn case
http://www.washingtonpost.com/national/ex-federal-official-convicted-in-child-porn-case/2014/08/26/b44e0a2a-2d6f-11e4-be9e-60cc44c01e7f_story.html
A federal jury in Omaha has convicted a former acting director of cyber security at the U.S. Department of Health and Human Services of several child pornography counts.
Tomi Engdahl says:
Freedom on the Net 2013
http://www.freedomhouse.org/report/freedom-net/freedom-net-2013#.U_3iomNsUil
Despite Pushback, Internet Freedom Deteriorates
Freedom on the Net 2013 is the fourth report in a series of comprehensive studies of internet freedom around the globe and covers developments in 60 countries that occurred between May 2012 and April 2013.
Tomi Engdahl says:
Internet censorship map
https://www.ivpn.net/internet-censorship/#
Tomi Engdahl says:
Hands-on: Pwn Pro and Pwn Pulse, mass surveillance for the rest of us
Pwnie Express’ latest penetration testing offerings step up the power.
http://arstechnica.com/information-technology/2014/08/hands-on-pwn-pro-and-pwn-pulse-mass-surveillance-for-the-rest-of-us/
The Pwn Pro, Pwnie Express’ newest network penetration tool, is designed to provide long-term persistent testing of an organization’s information security.
At Black Hat and Def Con earlier this month, the penetration testing tool makers at Pwnie Express unveiled two new products aimed at extending the company’s reach into the world of continuous enterprise security auditing. One, the Pwn Pro, is essentially a souped-up version of Pwnie Express’ Pwn Plug line of devices; the other, Pwn Pulse, is a cloud-based software-as-a-service product that provides central control of a fleet of Pwn Pro “sensors.” Combined, the two are a whitehat’s personal NSA—intended to discover potential security problems introduced into enterprise networks before someone with malevolent intent does.
Tomi Engdahl says:
DEFCON: Blackphone
http://hackaday.com/2014/08/27/defcon-blackphone/
Despite being full of techies and people doing interesting things with portable devices, you don’t want to have an active radio on you within a quarter-mile of DEFCON. The apps on your phone leak personal data onto the Internet all the time, and the folks at DEFCON’s Wall Of Sheep were very successful in getting a few thousand usernames and passwords for email accounts.
Tomi Engdahl says:
The executive order that led to mass spying, as told by NSA alumni
Feds call it “twelve triple three”; whistleblowers say it’s the heart of the problem.
http://arstechnica.com/tech-policy/2014/08/a-twisted-history-how-a-reagan-era-executive-order-led-to-mass-spying/
One thing sits at the heart of what many consider a surveillance state within the US today.
The problem does not begin with political systems that discourage transparency or technologies that can intercept everyday communications without notice. Like everything else in Washington, there’s a legal basis for what many believe is extreme government overreach—in this case, it’s Executive Order 12333, issued in 1981.
“12333 is used to target foreigners abroad, and collection happens outside the US,” whistleblower John Tye, a former State Department official, told Ars recently. “My complaint is not that they’re using it to target Americans, my complaint is that the volume of incidental collection on US persons is unconstitutional.”
The document, known in government circles as “twelve triple three,” gives incredible leeway to intelligence agencies sweeping up vast quantities of Americans’ data. That data ranges from e-mail content to Facebook messages, from Skype chats to practically anything that passes over the Internet on an incidental basis. In other words, EO 12333 protects the tangential collection of Americans’ data even when Americans aren’t specifically targeted—otherwise it would be forbidden under the Foreign Intelligence Surveillance Act (FISA) of 1978.
Tomi Engdahl says:
JPMorgan and Other Banks Struck by Cyberattack
http://www.nytimes.com/2014/08/28/technology/hackers-target-banks-including-jpmorgan.html?_r=0
A number of United States banks, including JPMorgan Chase and at least four others, were struck by hackers in a series of coordinated attacks this month, according to four people briefed on a continuing investigation into the crimes.
The hackers infiltrated the networks of the banks, siphoning off gigabytes of data, including checking and savings account information, in what security experts described as a sophisticated cyberattack.
The motivation and origin of the attacks are not yet clear, according to investigators. The F.B.I. is involved in the investigation, and in the past few weeks a number of security firms have been brought in to conduct forensic studies of the penetrated computer networks.
The intrusions were first reported by Bloomberg, which indicated that they were the work of Russian hackers. But security experts and government officials said they had not yet made that conclusion.
Tomi Engdahl says:
Banking apps: Handy, can grab all your money… and RIDDLED with coding flaws
Yep, that one place you’d hoped you wouldn’t find ‘em
http://www.theregister.co.uk/2014/08/27/coding_flaws_study/
A whopping 70 per cent of retail and 69 per cent of financial services apps are vulnerable to data breaches.
That’s according to an analysis of 705 million lines of code as used by 1,316 enterprise applications carried out by software analysis and measurement firm CAST. The firm reckons a growing number of data breaches and security incidents can be directly linked to poor code quality, which can be attributed to tightening project deadlines and other factors.
“So long as IT organisations sacrifice software quality and security for the sake of meeting unrealistic schedules, we can expect to see more high-profile attacks leading to the exposure and exploitation of sensitive customer data,” said CAST EVP Lev Lesokhin, the exec who led the security analysis.
He added: “Businesses handling customer financial information have a responsibility to improve software quality and reduce the operational risk of their applications – not only to protect their businesses, but ultimately their customers.”
Input validation errors gave rise to the infamous Heartbleed bug and are among the most common class of coding error more generally. CAST found that – contrary to public perception – government IT had the highest percentage of applications without any input validation violations (61 per cent), while independent software vendors scored worst (12 per cent without violations).
The research also revealed that the financial services industry has the highest number of input validation violations per application
Tomi Engdahl says:
we learned that Performance Efficiency is pretty uncorrelated to other health factors and that Security is highly correlated to software Robustness.
Source: http://www.castsoftware.com/news-events/event/crash-report-webinar?GAD=GGLRM&gclid=CIC7vevutcACFYTpcgodaGsARg
Tomi Engdahl says:
Online criminals are also interested in the Finnish patient data
Hospitals in the USA and Finland are now facing more security threats than before.
Hospitals have become attractive targets for cyber-criminals. Due to repeated intrusions, American health care companies are now actively investing in information security. This is very topical in Finland too: information security threats are directed at healthcare more than before.
Data attracts cyber criminals because so many Americans do not have health insurance. By selling the stolen information, criminals can make big money.
“If I were one of the 50 million Americans who do not have health insurance, and I needed one million U.S. dollars to pay for a heart transplant, I could buy from a criminal source, for $250, information on another person’s medical history and insurance contract. I would still need a fake ID card, and roughly the right age, weight and height data; then, with the stolen information, I could get a private hospital to treat me and the insurance company to pay for it without anyone suspecting,” he envisions in an interview with IDG News Service.
The Finnish health care system is totally different from the one across the Atlantic, but cyber criminals are also interested in Finnish patient data, estimates Health House CIO Thomas Otala.
“Criminals are interested in all that is valuable. And because health is of great importance for both patients and health care for some, they are certainly of interest to cybercriminals.”
Security threats are faced today much more than in the past.
“I do not think that the situation is getting easier in the future”
“We trust in business, and therefore the fact that the customer can count on us to run things well is significant. We need to do everything to make sure that we have a good enough level of security,”
“In the USA the solutions are more modest”
Source: http://summa.talentum.fi/article/tv/uusimmat/86180
Tomi Engdahl says:
Netflix releases home-grown DDoS detectors
Planning on haxing Netflix? Don’t plan it on Facebook
http://www.theregister.co.uk/2014/08/28/netflix_releases_homegrown_web_detective_tools/
NetFlix’s security team has given the open source treatment to three tools it uses to monitor the internet and gather evidence of planned attacks against its infrastructure.
“Scumblr” and “Sketchy”, plus the “Workflowable” tool both rely on, are now on GitHub for any security teams to use.
Scumblr sifts through forums and social media networks in search of discussions of possible hacks or denial of service attacks against an organisation using keywords predefined by an administrator. Sketchy takes screenshots and scrapes text from sites.
“Scumblr and Sketchy are helping the Netflix security team keep an eye on potential threats to our environment every day,” the pair wrote.
Netflix is releasing its wares to give back to the open source community under its Open Source Software Initiative which kicked off in 2010
Tomi Engdahl says:
Netflix Open Sources Internal Threat Monitoring Tools
http://news.slashdot.org/story/14/08/27/1923217/netflix-open-sources-internal-threat-monitoring-tools
Tomi Engdahl says:
Microsoft boots 1,500 dodgy apps from the Windows Store
DEVELOPERS! DEVELOPERS! DEVELOPERS! Naughty, misleading developers!
http://www.theregister.co.uk/2014/08/28/microsoft_boots_1500_dodgy_apps_from_windows_store/
Microsoft has turned 1,500 applications out of the Windows Store, the app bazaar for Windows 8 devices.
In a post titled How we’re addressing misleading apps in Windows Store, Microsoft explains it has conducted a promised spring clean by changing the rules for admission to the store
The new rules apply to the Windows Store and the Windows Phone Store.
Most developers, Redmond says, play nice and don’t fall foul of the regulations.
Tomi Engdahl says:
Fear has been used too much on security marketing
A security threat does not matter if it does not pose a risk. Petri Kairis from Nixu: we need to talk about what value security has for business.
“F-Secure is a product company that has grown internationally. The Finnish market size is of course limited, and the vast majority of security companies are consulting companies. It’s too bad that internationalized product companies are not born any more. But the industry has woken up and established a security cluster, which now wants to go abroad.”
Source: http://summa.talentum.fi/article/tv/8-2014/82766
Tomi Engdahl says:
TippingPoint network security survey reveals top network security concerns
http://h30499.www3.hp.com/t5/HP-Security-Products-Blog/TippingPoint-network-security-survey-reveals-top-network/ba-p/6587710#.U_9DEKNQO9K
HP TippingPoint sponsored a national Network Security survey of IT professionals, with the help of research organization, Ipsos Observer. The results were released today—revealing the top network security concerns affecting enterprises today.
The survey revealed some astonishing key findings:
69 percent of IT professionals experience phishing attacks at least once a week
7 out of 10 attacks generated within the network perimeter stem from a malware-infected host
Approximately 6 out of 10 attacks stem from malicious communication within the command and control site.
Organizations must adjust their network security approach to accommodate the evolving threat landscape, and these numbers clearly show the importance for organizations to have layered security approaches in order to block suspicious attacks at the perimeter—not just the core.
HP’s recommendations to increase network Security posture:
Layered security is still relevant, especially in advanced threat scenarios
– Organizations need perimeter firewalls all the way to application security solutions
– Companies are layering IPS, NGFW, Sandboxing and SIEM products
With so many application vulnerabilities annually
– Companies have to consider the need for zero-day coverage
– Using application controls in NGFW and remediating software app vulnerabilities is key
Ensure you are spending your large (and increasing) Network Security budget on the right things
– How are you addressing command and control traffic?
– Are you able to block unfiltered spam or phishing attacks?
Tomi Engdahl says:
Multipath TCP speeds up the internet so much that security breaks
Black Hat research says proposed protocol will bork network probes, flummox firewalls
http://www.theregister.co.uk/2014/07/31/multipath_tcp_will_bork_your_network_probes_flummox_your_firewalls/
Tomi Engdahl says:
UK.gov eyes up virtual currencies, fingers red tape dispenser
‘Bitcoin a headline grabber but there’s … more going on’
http://www.theregister.co.uk/2014/08/07/uk_government_to_assess_whether_virtual_currencies_should_be_regulated/
The UK government is to review the trade in virtual currencies to investigate whether it should be regulated.
Chancellor George Osborne said the review would look into the potential of “alternative payment systems” to boost UK growth and would include an assessment of the need to regulate the use of virtual currencies in transactions.
“These alternative payment systems are popular because they are quick, cheap, and convenient – and I want to see whether we can make more use of them for the benefit of the UK economy and British consumers. I also want to be alert to the risks that accompany any new technology.”
Tomi Engdahl says:
SIEMs like a good idea: How to manage security in real time
http://www.theregister.co.uk/2014/08/29/webcast_promo_security_information_event_management/
how security information and event management (SIEM) can work, what it does, and how to fit it into your existing security environment.
You face more, and more dangerous threats every day – drive-by infections, APTs, executive targeted phishing to name three. At the same time, the potential attack surface of IT systems are growing rapidly: your VMs, your cloud, your users’ mobile devices are all at risk. You have probably spent a large part of 2014 developing external-facing web applications. How do you secure them all?
Operating best-effort security isn’t enough, but security information and event management, touted as the answer to this, has so far been complicated to set up and hard to interpret.
Has this changed? Is SIEM the future of enterprise security and, if so, what will that future look like?
Tomi Engdahl says:
KER-CHING! CryptoWall ransomware scam rakes in $1 MEEELLION
Anatomy of the net’s most destructive ransomware threat
http://www.theregister.co.uk/2014/08/29/cryptowall_analysis/
Victims of the CryptoWall ransomware have been extorted out of at least $1m.
Despite a takedown operation in June, CryptoWall continues to be the largest and most destructive ransomware threat on the internet, according to the latest analysis of the threat by security researchers from Dell SecureWorks Counter Threat Unit.
Cryptowall is a strain of file-encrypting ransomware that encrypts files on infected Windows PCs and attached storage devices with RSA-2048 encryption before demanding a ransom for the private key that recovers the documents.
Between mid-March and late August, nearly 625,000 systems were infected with CryptoWall. CryptoWall encrypted more than 5.25 billion files over the period.
Data collected directly from the ransom payment server reveals the exact number of paying victims as well as the amount they paid. Of nearly 625,000 infections, 1,683 victims (0.27 per cent) paid the ransom, for a total take of $1,101,900 over the course of six months.
Based on post-mortem data collected by researchers, CryptoWall has been less effective at producing income than CryptoLocker. CryptoWall has only collected 37 per cent of the total ransoms collected by CryptoLocker, despite infecting nearly 100,000 more victims.
“CryptoWall’s higher average ransom amounts and the technical barriers typical consumers encounter when attempting to obtain Bitcoins has likely contributed to this malware family’s more modest success,”
Tomi Engdahl says:
How to marry malware to software downloads in an undetectable way (Hint: Please use HTTPS)
Boffins demo how traffic redirect can endanger code
http://www.theregister.co.uk/2014/08/20/malware_married_to_software_in_undetectable_attack/
Be thankful it’s only a proof-of-concept of a hack: German researchers have shown that internet software distribution mechanisms can be turned into virus vectors, without modifying the original code.
The Ruhr University boffins – Felix Gröbert, Ahmad-Reza Sadeghi and Marcel Winandy – have developed an on-the-fly mechanism for injecting code into a download. As they write in their paper [PDF] hosted at PacketStorm:
“Our algorithm deploys virus infection routines and network redirection attacks, without requiring to modify the application itself. This allows to even infect executables with a embedded signature when the signature is not automatically verified before execution.”
They use what they call a binder to concatenate the original application and the malicious code. “Upon starting the infected application the binder is started. It parses its own file for additional embedded executable files, reconstructs and executes them, optionally invisible for the user,” they write.
Governments, the paper notes, could be in a position to exploit network nodes between a sender and receiver to hijack the traffic (or, for that matter, vulnerable routers could be exploited to the same end).
To mitigate against such attacks, the researchers say, software distributors need to tighten up their delivery mechanisms, to defend against traffic hijacks. OpenVPN, IPSec or HTTPS would help here, they state, provided one can trust the certificate chain.
Antivirus software could be modified to check for binder behaviour, they add, and “trusted virtualisation” architectures could also help,
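The paper’s mitigation is to make the download itself tamper-evident. As an added example (not the researchers’ code), here is a receiver-side integrity check that refuses a download whose size or SHA-256 differs from a published value, and a streaming variant that aborts as soon as the stream outgrows the published size; the “installer” bytes, published hash and appended blob are all constructed for the demo.

```python
import hashlib
import hmac

# Constructed stand-in for a software download (not a real executable).
ORIGINAL_INSTALLER = b"MZ" + b"\x00" * 62 + b"fake-installer-body-for-demo\n" * 16

# What a distributor would publish out of band (signed manifest or an HTTPS
# page the client trusts), constructed here from the sample above.
PUBLISHED_SHA256 = hashlib.sha256(ORIGINAL_INSTALLER).hexdigest()
PUBLISHED_SIZE = len(ORIGINAL_INSTALLER)

# Inert stand-in for the extra content a binder concatenates onto the original.
APPENDED_BLOB = b"APPENDED-BLOB-FOR-TEST\n" * 8


def simulate_on_path_append(original: bytes, extra: bytes) -> bytes:
    """Model the effect the paper describes: the application bytes stay intact
    and extra content is concatenated. Used only to build a tampered sample
    for the checks below."""
    return original + extra


def verify_download(data: bytes, expected_sha256: str, expected_size: int) -> dict:
    """Check a complete download against its published size and SHA-256
    before anything executes it. Returns a report so the caller can log
    the reason for a refusal."""
    actual_size = len(data)
    actual_sha256 = hashlib.sha256(data).hexdigest()
    report = {
        "size_ok": actual_size == expected_size,
        # constant-time comparison: harmless here, but the right habit for digests
        "hash_ok": hmac.compare_digest(actual_sha256, expected_sha256),
        "trailing_bytes": max(0, actual_size - expected_size),
    }
    report["ok"] = report["size_ok"] and report["hash_ok"]
    return report


def verify_stream(chunks, expected_sha256: str, expected_size: int) -> dict:
    """Streaming variant: hash while downloading and abort as soon as the
    stream exceeds the published size, so appended content is never fully
    fetched or written to disk. `chunks` is any iterable of bytes."""
    digest = hashlib.sha256()
    received = 0
    for chunk in chunks:
        received += len(chunk)
        if received > expected_size:
            return {"ok": False, "reason": "exceeded published size", "received": received}
        digest.update(chunk)
    if received < expected_size:
        return {"ok": False, "reason": "truncated", "received": received}
    if not hmac.compare_digest(digest.hexdigest(), expected_sha256):
        return {"ok": False, "reason": "hash mismatch", "received": received}
    return {"ok": True, "reason": "verified", "received": received}


def chunked(data: bytes, size: int = 64):
    """Split bytes into fixed-size chunks, standing in for a network stream."""
    for i in range(0, len(data), size):
        yield data[i:i + size]


if __name__ == "__main__":
    tampered_bytes = simulate_on_path_append(ORIGINAL_INSTALLER, APPENDED_BLOB)
    print("clean:   ", verify_download(ORIGINAL_INSTALLER, PUBLISHED_SHA256, PUBLISHED_SIZE))
    print("tampered:", verify_download(tampered_bytes, PUBLISHED_SHA256, PUBLISHED_SIZE))
    print("stream:  ", verify_stream(chunked(tampered_bytes), PUBLISHED_SHA256, PUBLISHED_SIZE))
```

The check is only as good as the channel the published hash arrives over, which is why the researchers pair it with HTTPS or a VPN; an embedded signature that the loader never verifies gives no protection at all.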
Tomi Engdahl says:
JPMorgan, Four Other Banks Hit by Hackers: U.S. Official
Aug 28, 2014
http://www.bloomberg.com/news/2014-08-27/customer-data-said-at-risk-for-jpmorgan-and-4-more-banks.html
Computer hackers targeted JPMorgan Chase & Co. (JPM) and at least four other banks in a coordinated attack on major financial institutions this month, according to a U.S. official.
The attack led to the theft of customer data that could be used to drain accounts, according to another person briefed by U.S. law enforcement.
Tomi Engdahl says:
U.S. banking group says unaware of any ‘significant’ cyber attack
http://www.reuters.com/article/2014/08/29/us-jpmorgan-cybersecurity-idUSKBN0GS1CO20140829
The group, known as the Financial Services Information Sharing and Analysis Center, or FS-ISAC, includes all major U.S. banks and dozens of smaller ones along with some large European financial institutions.
“There are no credible threats posed to the financial services sector at this time,” the group said in an email to its members.
“Banks are getting attacked every single day. These comments from FS-ISAC and its members indicate that this is not a major new offensive,” said Dave Kennedy, chief executive officer of TrustedSEC LLC, whose clients include several large U.S. banks.
“While we should remain diligent and active in monitoring, it doesn’t appear there is a major offensive,” said Kennedy.
Tomi Engdahl says:
3D Printed Bump Keys
http://hackaday.com/2014/08/29/3d-printed-bump-keys/
Getting past a locked door is easy if you have the right tools. It’s just a matter of knowing how to adjust the pins inside to an even level while turning the mechanism at the same time when everything is perfectly in place. That’s the beauty of a bump key. You never have to see the actual key or what it looks like. And with a simple hit to the back of the key, and bumping it just enough, the lock can magically be opened.
Lock picking items like this can be ordered online for a couple of dollars, or as [Jos Weyers] and [Christian Holler] showed in a recent Wired article, alternatively you can print your own at home.
The video of these 3D printed keys attempts to prove that a person can unlock a door with plastic
As the article states, “Weyers and Holler aren’t trying to teach thieves and spies a new trick for breaking into high-security facilities; instead, they want to warn lockmakers about the possibility of 3-D printable bump keys so they might defend against it.”
Tomi Engdahl says:
Stupid Security In A Security System
http://hackaday.com/2014/08/28/stupid-security-in-a-security-system/
a security system in their house, and when they wanted to make a few changes to their alarm rules
an installer would come out, plug a box into the main panel, press a few buttons, and charge 150 €.
tamper-evident seal on the alarm box, easily silenced by entering a code on the keypad
After finding a DE-9 serial port on the main board, [yaehob] went to the manufacturer’s website thinking he could download some software. The website does have the software available
would require the installer password, which, according to the documentation was between four and six characters. The system also responded quickly, so brute force was obviously the answer here.
the installer’s code was his postal code
From the installer’s point of view, this somewhat makes sense.
From a security standpoint, holy crap this is bad.
Tomi Engdahl says:
How I recovered my parents’ house alarm installer code or “security is not always where you would expect…”
http://yaehob.wordpress.com/2014/08/28/how-i-recovered-my-parents-house-alarm-installer-code-or-security-is-not-once-again-where-you-would-expect/
I could read a lot of things out of the alarm memory/configuration but surprise surprise I cannot modify anything without providing some ‘installer code’. My parents asked the guy but no way to get it… I’m not sure he can legally keep it from us but I then understood there was (?) another reason…
Given all these observations, I thought of a “brute-force” attack. Nowadays it’s rarely useful (because of the usually large key space used) but here, it could take less than one day.
So the software would exchange the code when it “connects” to the board the first time.
There were only a few bytes and some of them immediately caught my eye… wait… these numbers sound familiar… maybe this is a coincidence but they are the same as my postal code! Would the installer guy use the area postal code as his installer code…?
In the meantime, the brute-forcer app, stopped counting at my postal code, too.
I do not blame the alarm manufacturer, because if the thief is able to remove the cover to connect some PC, this thief is certainly already inside your house (and either the alarm bell is already ringing, or he already took care of that).
What scares me is the installer guy who supposedly uses the same (logic) code everywhere
Knowing that there is a logic behind the installer code, bad people could break into any surrounding house and gently disarm the alarm system…
Windows are labeled with “protected by [the guy_company_name]”, I think the purpose is to ‘scare’ stupid thieves (or maybe to appeal to the other ones :-)).
There is also a communication module (in option) which allows the end user to remotely (modem over phone line) arm/disarm the system, the problem is that this module also allows installer guy to make some changes remotely
A ‘more malicious’ attacker might try to remotely connect to random houses (the ones wearing the ‘protected’ stickers) using the phone book…
Tomi Engdahl says:
Kaspersky backpedals on ‘done nothing wrong, nothing to fear’ blather
Founder (and internet passport fan) now says privacy is precious
http://www.theregister.co.uk/2014/08/29/kaspersky_backpedals_on_done_nothing_wrong_nothing_to_fear_company_article/
Russian security software vendor Kaspersky has yanked an article from its website arguing that netizens shouldn’t fear state surveillance unless they had done something wrong in the first place.
“Remember if you’re doing nothing wrong, you have nothing to hide,” the cached version of the unsigned article states.
“There is almost to zero chance that you would be of interest to any secret service on the planet. The only nuisance to you will be advertisement robots – and there are more effective tools against them than online anonymity.”
The piece, entitled “Why we should not be afraid of being watched while online,” was published on Kaspersky’s Academy site.
It’s not the first time Kaspersky’s founder has stirred the privacy pot with the suggestion that we have too much of it. Back in 2011 he kicked up a storm by suggesting that every internet user should be forced to use a passport showing their identity.
His firm’s latest posting used one of the oldest canards in the privacy versus surveillance playbook – that only the ‘bad guys’ have something to fear from being monitored – but Kaspersky’s views are common in the tech field.
Google’s Eric Schmidt has made the same argument repeatedly, although he’s very touchy about his own privacy
Tomi Engdahl says:
Mozilla To Support Public Key Pinning In Firefox 32
http://news.slashdot.org/story/14/08/29/2019251/mozilla-to-support-public-key-pinning-in-firefox-32
Mozilla is planning to add support for public-key pinning in its Firefox browser in an upcoming version. In version 32, which would be the next stable version of the browser, Firefox will have key pins for a long list of sites, including many of Mozilla’s own sites, all of the sites pinned in Google Chrome and several Twitter sites. Public-key pinning has emerged as an important defense against a variety of attacks, especially man-in-the-middle attacks and the issuance of fraudulent certificates. The function essentially ties a public key, or set of keys, issued by known-good certificate authorities to a given domain.
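Since the excerpt only says what pinning ties together, here is an added example (not Mozilla’s or Chrome’s code) of how a pin is computed and how a browser-style preload table is consulted once ordinary CA validation has passed. The SPKI byte strings, the host names and the preload table are constructed for the example; real pins are taken from the DER-encoded SubjectPublicKeyInfo of the actual certificates.

```python
"""Public-key pinning check in the HPKP / browser-preload style.

Added example, not Mozilla's or Chrome's code. A pin is the base64 SHA-256
digest of a certificate's SubjectPublicKeyInfo (SPKI), so it survives
certificate renewal as long as the key is reused, and a chain passes if any
certificate in it carries a pinned key. The SPKI blobs, host names and the
preload table below are constructed for this example.
"""
import base64
import hashlib

# Constructed stand-ins for DER SPKI structures (a real one starts with the
# SEQUENCE tag 0x30; the rest of these bytes are arbitrary filler).
SITE_KEY_SPKI = b"\x30\x59" + b"site-key" * 11
BACKUP_KEY_SPKI = b"\x30\x59" + b"backup-key" * 9
ROGUE_CA_SPKI = b"\x30\x82\x01\x22" + b"rogue-ca" * 36


def pin_for_spki(spki_der: bytes) -> str:
    """Return the 'sha256/<base64>' pin for one SPKI (RFC 7469 format)."""
    if not spki_der.startswith(b"\x30"):
        raise ValueError("SPKI must be a DER SEQUENCE")
    digest = hashlib.sha256(spki_der).digest()
    return "sha256/" + base64.b64encode(digest).decode("ascii")


# Constructed preload table in the shape browsers ship: per host, the pin set
# and whether subdomains inherit it. A backup pin for a key held offline is
# included so the site can rotate keys without locking itself out.
PRELOADED_PINS = {
    "example.test": {
        "include_subdomains": True,
        "pins": {pin_for_spki(SITE_KEY_SPKI), pin_for_spki(BACKUP_KEY_SPKI)},
    },
    "exact.test": {
        "include_subdomains": False,
        "pins": {pin_for_spki(SITE_KEY_SPKI)},
    },
}


def find_pinset(host: str, table=PRELOADED_PINS):
    """Return the pin set covering host, or None.

    Walks from the exact host up through its parent domains and honours the
    include_subdomains flag of the nearest entry found.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        entry = table.get(".".join(labels[i:]))
        if entry is None:
            continue
        if i == 0 or entry["include_subdomains"]:
            return entry["pins"]
        return None   # nearest entry is a parent that does not cover subdomains
    return None


def chain_satisfies_pins(chain_spkis, pins) -> bool:
    """True if any SPKI in the already CA-validated chain is pinned."""
    return any(pin_for_spki(spki) in pins for spki in chain_spkis)


def check_connection(host: str, chain_spkis) -> str:
    """What a pinning browser does once ordinary chain validation has passed."""
    pins = find_pinset(host)
    if pins is None:
        return "no-pins"         # fall back to plain CA validation
    if chain_satisfies_pins(chain_spkis, pins):
        return "pinned-ok"
    return "pin-violation"       # CA-valid but fraudulently issued: reject
```

The important property shown by the last branch is that a certificate issued by a compromised or misbehaving CA still fails, because the pin set is matched against the keys in the chain rather than against the CA's signature.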
Tomi Engdahl says:
IEEE Guides Software Architects Toward Secure Design
http://developers.slashdot.org/story/14/08/29/1745251/ieee-guides-software-architects-toward-secure-design
The IEEE’s Center for Secure Design debuted its first report this week, guidance for software architects called “Avoiding the Top 10 Software Security Design Flaws.”
Tomi Engdahl says:
AVOIDING THE TOP 10 SOFTWARE SECURITY DESIGN FLAWS
http://cybersecurity.ieee.org/images/files/images/pdf/CybersecurityInitiative-online.pdf
Tomi Engdahl says:
Hal Finney, PGP and Bitcoin Pioneer, Dies At 58
http://developers.slashdot.org/story/14/08/30/0018221/hal-finney-pgp-and-bitcoin-pioneer-dies-at-58
xavier says:
I’m impressed, I have to admit. Rarely do I come across a blog that’s equally educative and interesting, and without a doubt, you have hit the nail on the head. The problem is something which too few folks are speaking intelligently about. Now I’m very happy I came across this in my hunt for something relating to this.
Tomi Engdahl says:
Think It’s Funny ‘Swatting’ Your Gaming Buds? Twitch Live Stream Shows Police Are Not Amused
http://hothardware.com/News/Think-Its-Funny-Swatting-Your-Gaming-Buds-Twitch-Live-Stream-Show-Police-Are-Not-Amused/#!bNleWS#ixzz3BzhDa6AR
Twitch streamer and YouTuber Jordan “Kootra” Mathewson is the latest victim in a trend called “Swatting.”
SWAT officers enter the room and arrest Mathewson in response to a false report of an active shooter.
Mathewson was live-streaming on the Twitch channel of The Creatures, a group of gamers who create content for YouTube, at the group’s office building when SWAT busted in. Police had received an anonymous call, via landline, that claimed there was an active shooter.
Tomi Engdahl says:
ISIS Displaying a Deft Command of Varied Media
http://www.nytimes.com/2014/08/31/world/middleeast/isis-displaying-a-deft-command-of-varied-media.html
The extremists who have seized large parts of Syria and Iraq have riveted the world’s attention with their military prowess and unrestrained brutality. But Western intelligence services are also worried about their extraordinary command of seemingly less lethal weapons: state-of-the-art videos, ground images shot from drones and multilingual Twitter messages.
ISIS carefully tailors its recruiting pitch, sending starkly different messages to Muslims in the West and to those closer to home. But the image of unstoppable, implacable power animates all of its messaging.
ISIS is online jihad 3.0. Dozens of Twitter accounts spread its message, and it has posted some major speeches in seven languages. Its videos borrow from Madison Avenue and Hollywood, from combat video games and cable television dramas, and its sensational dispatches are echoed and amplified on social media. When its accounts are blocked, new ones appear immediately. It also uses services like JustPaste to publish battle summaries, SoundCloud to release audio reports, Instagram to share images and WhatsApp to spread graphics and videos.
“They are very adept at targeting a young audience,” said John G. Horgan, a psychologist at the University of Massachusetts at Lowell who has long studied terrorism. “There’s an urgency: ‘Be part of something that’s bigger than yourself and be part of it now.’ ”
The State Department’s Center for Strategic Counterterrorism Communications has stepped up its efforts to counter ISIS propaganda, publishing a steady stream of ISIS horror tales on Facebook and Twitter, using the hashtag #ThinkAgainTurnAway.
Tomi Engdahl says:
Stealing encryption keys through the power of touch
Researchers pilfer decryption keys through Ethernet and human touch side channel.
http://arstechnica.com/security/2014/08/stealing-encryption-keys-through-the-power-of-touch/
Researchers from Tel Aviv University have demonstrated an attack against the GnuPG encryption software that enables them to retrieve decryption keys by touching exposed metal parts of laptop computers.
There are several ways of attacking encryption systems. At one end of the spectrum, there are flaws and weaknesses in the algorithms themselves that make it easier than it should be to figure out the key to decrypt something. At the other end, there are flaws and weaknesses in human flesh and bones that make it easier than it should be to force someone to offer up the key to decrypt something.
In the middle are a range of attacks that don’t depend on flaws in the encryption algorithms but rather in the way they’ve been implemented. Encryption systems, both software and hardware, can leak information about the keys being used in all sorts of indirect ways, such as the performance of the system’s cache, or the time taken to perform encryption and decryption operations. Attacks using these indirect information leaks are known collectively as side channel attacks.
This research is a side-channel attack. The metal parts of a laptop, such as the shielding around USB ports, and heatsink fins, are notionally all at a common ground level. However, this level undergoes tiny fluctuations due to the electric fields within the laptop. These variations can be measured, and this can be used to leak information about encryption keys.
The researchers have reported their findings to the GnuPG developers, and the software has been altered to reduce some of the information leaked this way.
Tomi Engdahl says:
How we’re addressing misleading apps in Windows Store
http://blogs.windows.com/buildingapps/2014/08/27/how-were-addressing-misleading-apps-in-windows-store/
Every app store finds its own balance between app quality and choice, which in turn opens the door to people trying to game the system with misleading titles or descriptions.
Tomi Engdahl says:
Hacker Disrupts New Zealand Election Campaign
http://politics.slashdot.org/story/14/08/31/1539236/hacker-disrupts-new-zealand-election-campaign
New Zealand is facing its weirdest election ever with a hacker calling himself “Rawshark” progressively dumping emails hacked from a controversial blogger. This weekend, revelations forced the resignation of one Government minister and nobody knows what will drop next.
Tomi Engdahl says:
Hacker ‘Rawshark’ disrupts NZ election campaign
http://www.zdnet.com/hacker-rawshark-disrupts-nz-election-campaign-7000033148/
Summary: A Cabinet minister has resigned after an email revealed her contact with a controversial blogger.
New Zealand Cabinet Minister Judith Collins resigned yesterday in what appears to be a direct response to the hacking of a controversial blogger’s email.
The resignation is a blow to the ruling National Party, which, while well ahead in the polls, has seen its campaign plan torn apart by a series of unexpected and unwelcome disclosures.
The identity of the hacker, who calls him- or herself “Rawshark”, is a mystery.
Exactly how the emails were hacked is also unclear, but there has been some speculation about a “brute-force” attack — a systematic, computerised search of all possible password combinations.
Prime Minister John Key released the email when announcing Collins’ resignation yesterday, attracting a flurry of complaints to the Privacy Commissioner following the hacking. Whale Oil complained that in releasing it, Key himself breached New Zealand’s privacy laws.
“This isn’t just about party politics,” he told Fairfax. “This is a network of politically connected individuals who launder political and media influence for money, power, and personal revenge.”
Tomi Engdahl says:
HP: NORKS’ cyber spying efforts actually a credible cyberthreat
‘Sophisticated’ spies, DIY tech and a TROLL ARMY – report
http://www.theregister.co.uk/2014/09/01/north_korea_cyberspies/
North Korea is ramping up its cyber spying efforts to the point where it is becoming a credible threat against Western enterprises and government, security researchers at HP warn.
North Korea’s cyber warfare capabilities are of particular interest to national security analysts and policy makers but the wider IT industry would be well advised to keep a close eye on its activities. The threat for now is principally faced by all kinds of companies in South Korea as well as US government and military systems, but this may extend more widely over time.
According to a 2009 report, North Korean hackers have successfully penetrated US defence networks more frequently than any other country that has targeted those assets. While one would expect the regime’s digital infrastructure to suffer from ageing or lack of resources, these factors do not take away from its technical abilities to wage cyber warfare, especially when the regime is able to use agents and resources in other countries, as HP explains.
North Korea has been often suspected of being behind malware and DDoS attacks against the South.
Tomi Engdahl says:
HP Security Research’s full 75-page report into the cyber threat landscape within North Korea:
HP Security Briefing
Episode 16, August 2014
Profiling an enigma: The mystery of North Korea’s cyber threat landscape
http://h30499.www3.hp.com/hpeb/attachments/hpeb/off-by-on-software-security-blog/388/2/HPSR%20SecurityBriefing_Episode16_NorthKorea.pdf
Tomi Engdahl says:
Celebrities exposed in apparent iCloud hack and 4chan share
Apple attack may be at core of the leak
http://www.theinquirer.net/inquirer/news/2362701/celebrities-exposed-in-apparent-icloud-hack-and-4chan-share
A hacker has shared a database of private celebrity content, like home videos and photos, that allegedly has been plundered from Apple’s iCloud system.
The content has been shared on the 4chan website, and a list of victims has been uploaded. It is a long list.
“This is a flagrant violation of privacy. The authorities have been contacted and will prosecute anyone who posts the stolen photos of Jennifer Lawrence,”
Law enforcement might come down hard on celebrity hackers, and particularly those that share private images.
Some 60 celebrities are affected by this recent leak. Some have taken to Twitter to claim that the images are faked.
Tomi Engdahl says:
Coinbase surprises with news of a year-old deposit insurance program, but what of its cold storage?
http://pando.com/2014/08/28/coinbase-surprises-with-news-of-a-year-old-deposit-insurance-program-but-what-of-its-cold-storage/
Coinbase dropped a bombshell on the bitcoin world yesterday by revealing that not only are its bitcoin deposits insured, but they have been so for more than a year. This after months of competitors listing insurance as a differentiating feature.
While Coinbase’s latest announcement is undeniably good news, the details of the insurance protection demand further analysis. First, the company specifies that it is insured against “losses due to breaches in physical or cyber security, accidental loss, and employee theft,” but not “bitcoin lost or stolen as a result of an individual user’s negligence.” Fair enough.
The caveat to what has thus far been all good news is that Coinbase’s insurance only covers deposits held in its online wallet, or “hot wallet.” This means that the company’s offline deposits, “cold storage,” or vault are not insured. Cold storage could be thought of as a bank holding cash or gold reserves, except in the case of bitcoin, it means (hopefully encrypted) hard drives and occasionally even paper printouts of data corresponding to bitcoin deposits.
Coinbase likely holds just three to five percent of all deposits in its online wallet at any time, which means that 95 to 97 percent of all deposits would be uninsured. But is this a bad thing? The answer to that question depends on the reliability of the company’s security procedures pertaining to its offline storage and the faith that consumers have in Coinbase to make them whole should something go wrong.
The good news for consumers with regard to all three companies is that each is heavily funded – Coinbase has raised $32 million, Xapo $40 million, and Circle $26 million – backed by top tier investors, and led by capable and well-respected founders.
Tomi Engdahl says:
Nude Photos Of Jennifer Lawrence, Kate Upton, Ariana Grande Leak In Massive Hack
http://www.businessinsider.com/4chan-nude-photo-leak-2014-8#ixzz3C4boFHpD
The leaked photos were allegedly obtained via a massive hack of Apple’s iCloud. They were then posted on 4chan by users offering more explicit material in exchange for bitcoin payments.
Tomi Engdahl says:
Europol picks Brit to lead new international cybercrime taskforce
Six-month pilot project
http://www.theregister.co.uk/2014/09/01/cybercrime_taskforce/
European police agency Europol has launched a counter-cybercrime taskforce.
The Joint Cybercrime Action Taskforce (J-CAT) will coordinate international investigations into malware distribution, hacking and underground cybercrime forums.
J-CAT, which is being piloted for six months, will be based at the European Cybercrime Centre (EC3) at Europol. The unit will be led by Andy Archibald, deputy director of the national cybercrime unit at the UK’s National Crime Agency.
“For the first time in modern police history a multi-lateral permanent cybercrime taskforce has been established in Europe to coordinate investigations against top cybercriminal networks,”
“This is a unique opportunity for international law enforcement agencies to collectively share our knowledge to defend against cyber related attacks, and the UK’s National Crime Agency is proud to be a founding member.”
Eastern Europe – Russia and Ukraine in particular – is a well-known hotbed of cybercrime.
Tomi Engdahl says:
Second hacking crew joins Syrian Electronic Army on Team Assad
Malware Team might even be an offshoot, say researchers
http://www.theregister.co.uk/2014/09/01/syrian_malware_team/
Net security firm FireEye reckons it has identified 11 members of the “Syrian Malware Team” after analysing a strain of malware called BlackWorm. The malware is used by the group to infiltrate targets, say the securobods. The researchers claim the group is active in everything from profiling targets to orchestrating attacks.
FireEye reckons the new group has close ties to the infamous Syrian Electronic Army and may even be an offshoot.
Tomi Engdahl says:
Reported iCloud hack leaks hundreds of nude celebrity photos
Jennifer Lawrence among stars whose pictures were stolen
http://www.theverge.com/2014/9/1/6092089/nude-celebrity-hack
It’s unclear how the images were obtained, but anonymous 4chan users said that they were taken from celebrities’ iCloud accounts.
Many of the images are reportedly forgeries.
But other celebrity victims of the hack have confirmed that the pictures are real.
Tomi Engdahl says:
Sending nude selfies is increasingly common behavior
Research found the risqué behavior is twice as common as it was two years ago
http://www.theverge.com/2014/9/1/6093539/nude-selfies-increasingly-common-hackers-naked-photos
As the world digests the shocking breach of privacy, one common sentiment seems to be that anyone careless enough to take naked photos in digital form should be prepared for the embarrassment of having them leak.
“Also raises the awareness that you shouldn’t be putting nudes of yourself online… Maybe the lesson learnt from this should be ‘don’t be stupid’.”
According to a recent study from the Pew Research Center, 44 percent of teens reported sending or receiving a sexually explicit text, or sext.
A separate study from Purdue University found that among 21 year olds, 80 percent had sent or received a sext and 46 percent had sent a nude selfie. A report from the security firm McAfee found half of adults surveyed had used their mobile device to send and receive “intimate content” and half of those kept the images and texts stored on their phones.
Stars, in other words, they’re just like us.
Tomi Engdahl says:
This could be the iCloud flaw that led to celebrity photos being leaked (Update: Apple is investigating)
http://thenextweb.com/apple/2014/09/01/this-could-be-the-apple-icloud-flaw-that-led-to-celebrity-photos-being-leaked/
An alleged breach in Apple’s iCloud service may be to blame for countless leaks of private celebrity photos this week.
On Monday, a Python script emerged on GitHub that appears to have allowed malicious users to ‘brute force’ a target account’s password on Apple’s iCloud, thanks to a vulnerability in the Find My iPhone service.
Once the password has been eventually matched, the attacker can then use it to access other iCloud functions freely.
When we tested the tool, it locked out our accounts after five attempts, meaning that the Python script certainly tries to attack the service but Apple has patched the hole.
“This bug is common for all services which have many authentication interfaces.”
It’s unclear how long this hole was open, leaving those with simple, guessable passwords easily attacked once hackers had an email address to target.
A similar kind of attack has occurred before. Hackers have previously used Find My iPhone to hold victims ransom, locking their phones and demanding money in exchange for giving their phone back.
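The quoted remark that the bug is common to services with many authentication interfaces is the part worth demonstrating. Below is an added example (not Apple’s code and not the GitHub script mentioned above) that models a service with two login paths to the same accounts: in the vulnerable version only the web handler enforces a lockout, so the second path can be brute-forced freely; in the hardened version both paths go through one guarded routine that shares the per-account failure counter. The account, the password and the candidate wordlist are constructed for the example.

```python
"""Lockout that covers every authentication interface.

Added example, not Apple's code. It models the flaw reported above: one login
path enforces a lockout after a few failures while a second path that reaches
the same accounts does not, so a brute forcer simply uses the second path.
The account, its password and the candidate list below are constructed.
"""
import hashlib
import hmac
import os

MAX_FAILURES = 5          # attempts allowed before the account locks
LOCKOUT_SECONDS = 900.0   # how long the lock lasts
PBKDF2_ROUNDS = 10_000    # kept low so the example runs quickly; use far more in production


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class AccountStore:
    """Per-account credentials and the lockout state shared by all interfaces."""

    def __init__(self):
        self._accounts = {}

    def add(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._accounts[user] = {"salt": salt, "hash": _hash_password(password, salt),
                                "failures": 0, "locked_until": 0.0}

    def password_matches(self, user: str, password: str) -> bool:
        acct = self._accounts.get(user)
        if acct is None:
            _hash_password(password, bytes(16))   # same cost for unknown users
            return False
        return hmac.compare_digest(acct["hash"], _hash_password(password, acct["salt"]))

    def is_locked(self, user: str, now: float) -> bool:
        acct = self._accounts.get(user)
        return acct is not None and now < acct["locked_until"]

    def record_failure(self, user: str, now: float) -> None:
        acct = self._accounts.get(user)
        if acct is None:
            return
        acct["failures"] += 1
        if acct["failures"] >= MAX_FAILURES:
            acct["locked_until"] = now + LOCKOUT_SECONDS

    def record_success(self, user: str) -> None:
        self._accounts[user]["failures"] = 0
        self._accounts[user]["locked_until"] = 0.0


def _guarded_login(store: AccountStore, user: str, password: str, now: float) -> str:
    """The one correct sequence: check the lock, verify, then update counters."""
    if store.is_locked(user, now):
        return "locked"
    if store.password_matches(user, password):
        store.record_success(user)
        return "ok"
    store.record_failure(user, now)
    return "fail"


class VulnerableService:
    """Lockout is implemented inside the web handler only."""

    def __init__(self, store: AccountStore):
        self.store = store

    def web_login(self, user, password, now=0.0):
        return _guarded_login(self.store, user, password, now)

    def find_device_login(self, user, password, now=0.0):
        # BUG: same accounts, but the lock is neither checked nor updated here.
        return "ok" if self.store.password_matches(user, password) else "fail"


class HardenedService:
    """Every interface goes through the same guarded path."""

    def __init__(self, store: AccountStore):
        self.store = store

    def web_login(self, user, password, now=0.0):
        return _guarded_login(self.store, user, password, now)

    def find_device_login(self, user, password, now=0.0):
        return _guarded_login(self.store, user, password, now)


CANDIDATES = ["123456", "password", "qwerty", "letmein",
              "iloveyou", "monkey", "dragon", "sunshine"]   # constructed wordlist


def brute_force(login, user, candidates):
    """Try each candidate through `login`; returns (password found or None, attempts made)."""
    for n, guess in enumerate(candidates, 1):
        result = login(user, guess)
        if result == "ok":
            return guess, n
        if result == "locked":
            return None, n
    return None, len(candidates)


def demo():
    """Run the same wordlist against each interface of each service, fresh store each time."""
    results = {}
    for name, cls in (("vulnerable", VulnerableService), ("hardened", HardenedService)):
        for iface in ("web_login", "find_device_login"):
            store = AccountStore()
            store.add("victim@example.test", "sunshine")   # constructed account
            service = cls(store)
            results[(name, iface)] = brute_force(getattr(service, iface),
                                                 "victim@example.test", CANDIDATES)
    return results
```

Running `demo()` shows the vulnerable service locking the web path after five failures but giving up the password on the eighth guess through the device path, while the hardened service locks both paths at the same point because the counter lives in the account store rather than in one handler.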
Tomi Engdahl says:
Tox, a Skype Replacement Built On ‘Privacy First’
http://tech.slashdot.org/story/14/09/01/2210246/tox-a-skype-replacement-built-on-privacy-first
Rumors of back door access to Skype have plagued the communication software for the better part of a decade. Even if it’s not true, Skype is owned by Microsoft, which is beholden to data requests from law enforcement.
A group of developers started work on Tox, which aims to rebuild the functionality of Skype with an emphasis on privacy.
Tomi Engdahl says:
Hackers Behind Biggest-Ever Password Theft Begin Attacks
http://it.slashdot.org/story/14/09/01/2213202/hackers-behind-biggest-ever-password-theft-begin-attacks
“Back in August, groups of Russian hackers assembled the biggest list of compromised login credentials ever seen: 1.2 billion accounts. Now, domain registrar Namecheap reports the hackers have begun using the list to try and access accounts.”
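Replaying a stolen credential list looks different in an authentication log from the single-account brute force discussed earlier: one client touches many distinct usernames with mostly failures. The following added example (not Namecheap’s code) runs that distinction over a constructed log; the log format, IP addresses and usernames are made up for the example, and the thresholds are assumptions to be tuned against real traffic.

```python
"""Credential-stuffing detector run over constructed authentication-log lines.

Added example, not Namecheap's code. A stolen credential list is replayed
against many accounts, so the signal is one source hitting many distinct
usernames with mostly failures; a brute force instead hammers one account.
The log format, addresses, usernames and thresholds below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$")

# Constructed sample: a legitimate login, a stuffing run from 203.0.113.5 that
# lands one account, and a single-account brute force from 192.0.2.9.
SAMPLE_LOG = """\
2014-09-01T10:00:01Z ip=198.51.100.7 user=alice result=ok
2014-09-01T10:00:02Z ip=203.0.113.5 user=alice result=fail
2014-09-01T10:00:02Z ip=203.0.113.5 user=bob result=fail
2014-09-01T10:00:03Z ip=203.0.113.5 user=carol result=fail
2014-09-01T10:00:03Z ip=203.0.113.5 user=dave result=fail
2014-09-01T10:00:04Z ip=203.0.113.5 user=erin result=fail
2014-09-01T10:00:04Z ip=203.0.113.5 user=frank result=fail
2014-09-01T10:00:05Z ip=203.0.113.5 user=grace result=fail
2014-09-01T10:00:05Z ip=203.0.113.5 user=heidi result=ok
2014-09-01T10:00:06Z ip=203.0.113.5 user=ivan result=fail
2014-09-01T10:00:06Z ip=203.0.113.5 user=judy result=fail
2014-09-01T10:00:10Z ip=192.0.2.9 user=carol result=fail
2014-09-01T10:00:11Z ip=192.0.2.9 user=carol result=fail
2014-09-01T10:00:12Z ip=192.0.2.9 user=carol result=fail
2014-09-01T10:00:13Z ip=192.0.2.9 user=carol result=fail
2014-09-01T10:00:14Z ip=192.0.2.9 user=carol result=fail
2014-09-01T10:00:15Z ip=192.0.2.9 user=carol result=fail
2014-09-01T10:00:16Z ip=192.0.2.9 user=carol result=fail
2014-09-01T10:00:17Z ip=192.0.2.9 user=carol result=fail
2014-09-01T10:00:20Z ip=198.51.100.7 user=alice result=fail
"""


def parse(log_text):
    """Return (timestamp, ip, user, result) tuples in chronological order."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue   # skip lines that are not login records
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["ip"], m["user"], m["result"]))
    return sorted(events)


def classify(events, window=timedelta(seconds=60), min_attempts=8,
             min_fail_ratio=0.7, min_distinct_ratio=0.8):
    """Per source IP, slide a time window over its attempts and label it.

    Thresholds are assumptions for the example. Returns the busiest flagged
    window per IP, plus the accounts that logged in successfully from it,
    which are the ones to force a password reset on.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    findings = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            if len(win) < min_attempts:
                continue
            users = {e[2] for e in win}
            fails = sum(1 for e in win if e[3] == "fail")
            if fails / len(win) < min_fail_ratio:
                continue
            if len(users) / len(win) >= min_distinct_ratio:
                verdict = "credential-stuffing"
            elif len(users) == 1:
                verdict = "brute-force"
            else:
                continue
            if ip not in findings or len(win) > findings[ip]["attempts"]:
                findings[ip] = {
                    "verdict": verdict, "attempts": len(win),
                    "distinct_users": len(users), "failures": fails,
                    "compromised": sorted(e[2] for e in win if e[3] == "ok"),
                }
    return findings


def detect(log_text=SAMPLE_LOG):
    """Parse and classify in one call; keyed by source IP."""
    return classify(parse(log_text))
```

The `compromised` list is the actionable output: accounts that succeeded from a source flagged as stuffing were almost certainly opened with a reused password and should be reset and reviewed, whatever the per-account lockout counters say.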