Security trends for 2014

Year 2014 will be a year of cybersecurity after the NSA revelations made in 2013: the headline news is that the NSA has surreptitiously “burrowed its way into nearly all the security architecture” sold by the world’s largest computer networking companies. A lot of people were shocked by how the NSA monitored and hacked almost everything on the Internet. There will still be NSA aftershocks as new material comes out and different parties react to it (and news sources write about it). U.S. cloud services have been put into question for good reason. There will be a lot of NSA spying litigation. Those spying issues will also fuel some hacktivism (it has already started to happen).

The Security Professionals: Top Cyber Threat Predictions for 2014 article lists the following predictions, which seem pretty probable: Cybersecurity Regulatory Efforts Will Spark Greater Need for Harmonization, Service-Impacting Interruptions for Online Services Will Persist, We Will See an Increase in Cybercrime Activity Related to the World Cup, Rise of Regional Cloud Services, Dev-Ops Security Integration Fast Becoming Critical, Cybercrime that Leverages Unsupported Software Will Increase, Increase in Social Engineering and Ransomware Will Impact More People.

Ubiquitous mobile computing is all around us, which will lead to increased risks and concerns about social network privacy. Social networks have quickly become the key organizing principle of Internet communication and collaboration. Android anti-virus apps CAN’T kill nasties on sight like normal AV.

2013 was a very hacked year, with many cases where information on millions or tens of millions of users was stolen from companies. It’s likely that we will see much more of the same in 2014, because the way people use passwords and the way on-line services are built have not changed much in one year.


Gartner predicts that through 2014, improved JavaScript performance will begin to push HTML5 and the browser as a mainstream enterprise application development environment. I expect HTML5-related security issues to increase as the technology is used more in 2014.

Over 50% of net traffic to web sites is made by bots! The More Than Half of Internet Traffic Is Just Bots article says that security and cloud service provider Incapsula analyzed traffic and found that more than 60 percent of Internet traffic is computer generated, compared to less than 40 percent driven by human clicks. 31% of bots are still malicious. SEO link building has always been a major motivation for automated link spamming, but it is decreasing because Google has been able to discourage it. There is more advanced hacking and automated vulnerability scanning.

DDoS attacks are evolving from volumetric Layer 3-4 attacks to much more sophisticated and dangerous Layer 7 multi-vector threats.

There will still be many SCADA security issues in 2014. Even though traditional SCADA vulnerabilities have become easier to find, the increased connectivity brought by IoT will cause new issues. And there will still be very many control systems openly accessible from the Internet to practically everybody who knows how to find them. A large number of SCADA systems were found open on the Internet at the beginning of 2013, and the numbers have not dropped considerably during the year. I expect that very many of those systems will still be too open at the end of 2014.

The Internet is expanding into enterprise assets and consumer items such as cars and televisions. The Internet of Things (IoT) will evolve into the Web of Things, increasing the coordination between things in the real world and their counterparts on the Web. There will be many security issues to solve, and as these systems become more widely used, more security issues will be found in them.

Cloud security will be talked about. Hopefully there will be some clarification of the terminology in that area, because cloud security can mean a lot of things, just like the term cloud computing. Cloud security could mean how secure your cloud provider is, a service that runs in the cloud filtering what comes through it (for example e-mails, web traffic), a product protecting some service running in the cloud, or a traditional anti-virus service that connects to the cloud to improve its operation (for example update in real time, verify unknown programs based on data in the cloud). Research firm Gartner forecasts that cloud security sales will increase dramatically in the next few years. Cloud security sales have increased over the past year by 2.1 billion to $3.1 billion in 2015.

Marketers try to put the “cloud” term into security product brochures as much as they can. The cloud has made traditional information security sound old-fashioned, because companies are under pressure to move services to the cloud. Mobile devices and dispersed users also set new standards for information security. OpenDNS CTO Dan Hubbard says that “because the data and equipment run in the cloud, the cloud is the best way to protect users.” The Snowden Effect will also bring PRIVATE cloud talk to the table this year for security reasons, because U.S. cloud services have been put into question for good reason.

In Finland a new Cyber Security Center started in the beginning of 2014. Security articles and warnings from it will be published at kyberturvallisuuskeskus.fi.

Late addition: Crypto-currencies like Bitcoin and similar are on the rise. Early adopters already use them actively. Those crypto-currencies have many security issues related to them. The values of the crypto-currencies vary quite a lot, and the value easily drops considerably when they become so widely used that different governments try to limit their use. Bitcoin is increasingly used as a ransomware payment method. Bitcoins have been stolen quite a lot lately (and I expect that to increase when usage increases), and they are stolen from users, on-line wallets and exchanges. When more money is involved, more bad guys try to get in to take some of it. Sometimes bad guys do not try to steal your money, but use resources you pay for (your own PC, your server capacity, etc.) to generate money for them without you knowing about it. If you plan to use those crypto-currencies, be careful to understand what you are doing with them: there is a real possibility that you can lose your money, and there is no way that lost money can be recovered.

3,382 Comments

  1. Tomi Engdahl says:

    Finnish Study: every other large company network has signs of an online data breach

    Signs of an ongoing data breach were discovered in the networks of every other Finnish listed company, a recent study reveals. In-house systems and networks open encrypted connections to servers in different parts of the world, through which the attacks are co-ordinated.

    KPMG today published a study that examined large Finnish companies’ IT environments and their exposure to new, advanced malware, such as that used in network espionage. The “Outbreak – Unknown Threat in Finland” research report can be downloaded from the company’s website.

    A number of companies consider online industrial espionage only a theoretical threat, preventable with antivirus and passwords. In Finland, we are believed to be in a special position regarding advanced malware and online espionage. That is not the case.

    The study examined the situation of Finnish companies by analyzing the organizations’ network traffic in the autumn of 2013. The aim was to determine the exposure of companies to new and sophisticated threats and zero-day vulnerabilities, which could result in, among other things, information leaks. The study involved 10 companies from various industries, most of which are listed on the Helsinki Stock Exchange.

    Source: Tietoviikko
    http://www.tietoviikko.fi/kaikki_uutiset/suomalaistutkimus+joka+toisen+suuryrityksen+verkossa+merkkeja+tietomurrosta/a959807

  2. Tomi Engdahl says:

    Are Ethical Hackers the Alchemists of Our Time… The Masters of the Binary Evolution?
    http://www.wired.com/insights/2014/01/ethical-hackers-alchemists-time-masters-binary-evolution/

    Far too many people still envision hackers as evil. The name hacker itself to most conjures up images of some basement-dwelling, pimply geek who gets off on trying to hack the Pentagon or MI5… or even worse, messes with ordinary peoples’ computers making misery of our lives as we battle spam, malware, Trojans and other forms of time-wasting and spending money hand over fist getting things back to normal.

    But actually, as the English lexicon evolves the idea of hacking and hackers is changing.

    Ethical Hackers are now kind of becoming the alchemists of the 21st century — speaking the language of code — that drives so much of our lives this millennium.

    According to the Daily Mail in the U.K., the average person checks their mobile phone about 110 times a day (and up to every six seconds in the evening.)

    Mobile Apps, developed largely by “hackers” are influencing lives in a huge way.

  3. Tomi Engdahl says:

    Mozilla Calls on World to Protect Firefox Browser From the NSA
    http://www.wired.com/wiredenterprise/2014/01/mozilla/

    Brendan Eich is the chief technology officer of the Mozilla Foundation, the non-profit behind the Firefox web browser. Among many other things, he oversees the Firefox security team — the software engineers who work to steel the browser against online attacks from hackers, phishers, and other miscreants — and that team is about to get bigger. Much, much bigger.

    The move is one more way that the giants of the web are responding to revelations that the National Security Agency is snooping on web traffic via popular services and software.

    “As the Lavabit case suggests, the government may request that browser vendors secretly inject surveillance code into the browsers they distribute to users,” Eich says. “We have no information that any browser vendor has ever received such a directive. However, if that were to happen, the public would likely not find out due to gag orders.”

    Because Firefox is open source, outsiders can not only audit the code, they patch holes in the software and distribute such changes independently of Mozilla. In other words, if there’s a problem with Mozilla or Firefox, someone else can fix it and publish a new version online.

    That isn’t necessarily the case with Firefox’s competitors. Microsoft’s Internet Explorer isn’t open source at all, and although Apple Safari, Google Chrome and Opera are based on open source software, all contain at least some proprietary code.

  4. Tomi Engdahl says:

    Even ‘Your computer has a virus’ cold-call gits are migrating off XP
    Malware telescammers now target slab-fondlers+mobe-strokers
    http://www.theregister.co.uk/2014/01/15/tech_support_scammers_moving_on_to_target_smartphone_and_tablet_users/

    Tech support scammers have begun targeting smartphone and tablet users with offers to fix non-existent problems – for exorbitant fees.

    Cold call scams that attempt to hoodwink marks into paying for useless remote diagnostic and cleanup services have been a popular scam for years. Victims are often encouraged to sign up to multi-year support contracts costing hundreds of dollars for unnecessary and worthless services.

    As before, the short con relies on social engineering techniques to create the perception of severe (in reality, imaginary) problems in urgent need of fixing. Victims are roped in using either cold calling or online advertising.

    “Windows prefetch files are often used by scammers to make up non-existing threats,” Segura explained. “In this case the technician removed all the ‘infected files’ and simulated a ‘re-infection’ by quickly restoring them from the Recycle Bin (Ctrl+Z trick).”

    Many people who aren’t too tech-savvy are likely to take the whole performance at face value before ultimately “paying several hundred dollars for dubious services from rogue technical support companies,” Segura concludes.

    Segura recorded a video of the Android support scam in progress.

    Ridding the web of such scams is likely to prove akin to playing a game of Whack-A-Mole.

    The progress of the tech support scam from Windows to Mac to tablet and smartphone reflects the changing way people access the internet.

    “The tech support scam lives on by adapting to its environment and exploiting the never failing human factor,” Segura concludes.

  5. Tomi Engdahl says:

    What Secrets Your Phone Is Sharing About You
    Businesses Use Sensors to Track Customers, Build Shopper Profiles
    http://online.wsj.com/news/article_email/SB10001424052702303453004579290632128929194-lMyQjAxMTA0MDEwMzExNDMyWj

    He knows that 250 went to the gym that month, and that 216 came in from Yorkville, an upscale neighborhood.

    And he gleans this information without his customers’ knowledge, or ever asking them a single question.

    Mr. Zhang is a client of Turnstyle Solutions Inc., a year-old local company that has placed sensors in about 200 businesses within a 0.7 mile radius in downtown Toronto to track shoppers as they move in the city.

    The sensors, each about the size of a deck of cards, follow signals emitted from Wi-Fi-enabled smartphones. That allows them to create portraits of roughly 2 million people’s habits as they have gone about their daily lives, traveling from yoga studios to restaurants, to coffee shops, sports stadiums, hotels, and nightclubs.

    But Turnstyle is among the few that have begun using the technology more broadly to follow people where they live, work and shop. The company’s dense network of sensors can track any phone that has Wi-Fi turned on, enabling the company to build profiles of consumers’ lifestyles.

    But as the industry grows in prominence, location trackers are bound to ignite privacy concerns.

    In the U.S., companies don’t have to get consent before collecting and sharing most personal information, including location.

    For example, by monitoring how many times a consumer visits a golf course in a month, Viasense can classify her as a casual, intermediate or heavy golfer.

    Viasense doesn’t gather personal information or know any of its users’ names.

    Right now, the only way to opt out of geolocation is to either switch off the Wi-Fi on a cellphone, or make a request through the website of one of the data companies like Turnstyle that has an opt-out option.

  6. Tomi Engdahl says:

    Thousands Of Hotel Listings Were Hijacked In Google+ Local
    http://searchengineland.com/thousands-of-hotels-listings-were-hijacked-in-google-local-181670

    Thousands of hotels listed within Google+ Local appear to have had links leading to their official sites “hijacked” and replaced with ones leading to third-party booking services.

  7. Tomi Engdahl says:

    Twitter enforces SSL encryption for apps connecting to its API
    http://www.zdnet.com/twitter-enforces-ssl-encryption-for-apps-connecting-to-its-api-7000025138/

    Summary: Twitter closes the end-user privacy gap in third-party apps that connected to its API in plaintext.

  8. Tomi Engdahl says:

    N.S.A. Devises Radio Pathway Into Computers
    http://www.nytimes.com/2014/01/15/us/nsa-effort-pries-open-computers-not-connected-to-internet.html?pagewanted=all

    The National Security Agency has implanted software in nearly 100,000 computers around the world that allows the United States to conduct surveillance on those machines and can also create a digital highway for launching cyberattacks.

  9. Tomi Engdahl says:

    U.S. retailer Target, which recently suffered a massive leak of information, will invest five million U.S. dollars (about 3.6 million euros) in cyber security education.

    This is a multi-year campaign aimed at educating consumers about cyber-threats, such as phishing. Involved in the campaign are U.S. professional organizations, including the National Cyber-Forensics & Training Alliance and the National Cyber Security Alliance.

    In addition, Target will attempt to clean up its reputation by offering customers a service that monitors their credit cards for data breaches and identity theft.

    It was estimated that 110 million customer credit card information was stolen.

    Source: Tietoviikko
    http://www.tietoviikko.fi/kaikki_uutiset/tietomurron+uhri+paikkailee+mainettaan+miljoonilla/a959496

  10. Tomi Engdahl says:

    Hackers stole £1.3 million from Barclays Bank using KVM device
    http://grahamcluley.com/2013/09/hackers-barclays-bank-kvm/

    Police have arrested eight men in connection with an audacious scheme which succeeded in stealing £1.3 million from Barclays Bank.

    The heist was said to have taken place at a branch of Barclays Bank in Swiss Cottage, North London, back in April, after a hardware device was attached to a branch computer.

    The device, a KVM (“Keyboard video mouse”) switch attached to a 3G router, allowed the hackers to record staff keypresses, and screen activity, helping them to steal password information. The criminal group then allegedly used the information to remotely transfer money to other accounts.

    There’s a few things of interest here.

    Firstly, it seems hard to believe that the Barclays heist isn’t connected to the very similar attempted robbery at Santander reported last week which also used a KVM switch.

    The plot against Santander was foiled, of course, with no money stolen and no customer data being put at risk. At the time Santander said it “was aware of the possibility of the attack”.

    But secondly, it appears something failed at Barclays Bank.

    Even if the hackers had managed to attach a device, and steal passwords and the like, shouldn’t internal systems have alerted about the unusual movements of money and sought authorisation? Maybe they did, but the money still appears to have been moved by the hackers.

    And there’s a human failing too.

    Companies need to be extremely careful about who they grant physical access to their offices, and how closely such people are monitored – especially if they are an unfamiliar face.

  11. Tomi Engdahl says:

    NSA phone record collection does little to prevent terrorist attacks, group says
    http://www.washingtonpost.com/world/national-security/nsa-phone-record-collection-does-little-to-prevent-terrorist-attacks-group-says/2014/01/12/8aa860aa-77dd-11e3-8963-b4b654bcc9b2_story.html?hpid=z3

    An analysis of 225 terrorism cases inside the United States since the Sept. 11, 2001, attacks has concluded that the bulk collection of phone records by the National Security Agency “has had no discernible impact on preventing acts of terrorism.”

    The researchers at the New America Foundation found that the program provided evidence to initiate only one case

  12. Tomi Engdahl says:

    Donate to Support Encryption Tools for Journalists
    https://pressfreedomfoundation.org/

    Protecting the digital communications of journalists is now one of the biggest press freedom challenges in the 21st Century. A record number of whistleblowers have recently been prosecuted in large part because the government thinks it can now obtain email and phone records detailing sources talking to journalists, without ever attempting to force the journalist to testify in court.

  13. Tomi Engdahl says:

    Edward Snowden To Join Daniel Ellsberg, Others on Freedom of the Press Foundation’s Board of Directors
    https://pressfreedomfoundation.org/blog/2014/01/edward-snowden-join-daniel-ellsberg-others-freedom-press-foundations-board-directors

    Freedom of the Press Foundation was founded in 2012 in part to build a movement to support and strengthen the First Amendment and defend those who are on the front lines holding power to account.

    FPF co-founder Glenn Greenwald said: “We began this organization to protect and support those who are being punished for bringing transparency to the world’s most powerful factions or otherwise dissent from government policy. Edward Snowden is a perfect example of our group’s purpose, as he’s being persecuted for his heroic whistleblowing, and it is very fitting that he can now work alongside us in defense of press freedom, accountability, and the public’s right-to-know.”

    Ellsberg added: “The secrecy system in this country is broken. No one is punished for using secrecy to conceal dangerous policies, lies, or crimes, yet concerned employees who wish to inform the American public about what the government is doing under their name are treated as spies.”

    Freedom of the Press Foundation was founded in 2012 to support and defend aggressive, public-interest journalism dedicated to transparency and accountability.

  14. Tomi Engdahl says:

    US BACKDOORED our satellites, claim UAE
    French sat contract at risk
    http://www.theregister.co.uk/2014/01/06/us_backdoored_our_satellites_claim_uae/

    A French contract to supply intelligence satellites to the United Arab Emirates could be cancelled, with the UAE claiming it’s discovered backdoors in US-supplied components of the birds.

    Defence News, which broke the story, claims that the $US930 million contract could be scrapped, according to high-level UAE sources, if the issue can’t be resolved. That would be a blow for prime contractor Airbus Defence and Space, and payload maker Thales Alenia Space.

    Defence News says the backdoors would “provide a back door to the highly secure data transmitted to the ground station”. An unnamed UAE source says the discovery of the components has been reported to Sheikh Mohammed Bin Zayed, deputy supreme commander of the UAE’s armed forces.

    Along with a ground station, the Pleiades-type satellites, known as Falcon Eye, are due for delivery 2018.

  15. Tomi Engdahl says:

    PayPal President Says Company ‘Believes’ in Bitcoin
    http://www.wired.com/wiredenterprise/2014/01/paypal_bitcoin/

    PayPal president David Marcus is trying to make nice with bitcoin, the digital currency that could ultimately become a big competitor to his company’s massively popular online payments service.

    Today, on Twitter, he said the folks at PayPal are in fact “believers” in bitcoin and that the company supports the sale of bitcoin mining rigs, the machines that help drive the worldwide open source software system that is bitcoin. It’s yet another sign that the influence of bitcoin is expanding — and that existing tech outfits like PayPal have no choice but to respond.

  16. Tomi Engdahl says:

    Canadian Spy Agency: We Spied on Canadian Residents “Incidentally”
    http://www.dailytech.com/Canadian+Spy+Agency+We+Spied+on+Canadian+Residents+Incidentally/article34117.htm

    This is the first time the CSE has admitted to spying on Canadians while looking for foreign targets

    Leaks by former U.S. National Security Agency (NSA) contractor Edward Snowden have brought many reviews, questions and even forthcoming changes to the government agency. Now, it looks like Canada’s foreign intelligence agency could receive similar treatment as its actions have now come under the microscope as well.

    According to the Ottawa Citizen, the Communications Security Establishment Canada (CSE) — which is Canada’s spy agency — admitted that it has “incidentally” spied on Canadians while searching for foreign intelligence.

    This is the first time the CSE has admitted to spying on Canadians.

  17. Tomi Engdahl says:

    Use strong passwords and install antivirus, mmkay? UK.gov pushes awareness campaign
    It’s meant to be ‘accessible’, so don’t point and laugh
    http://www.theregister.co.uk/2014/01/14/uk_gov_initiative_cyber_streetwise/

    THOUSANDS of UK.gov Win XP PCs to face April hacker storm… including boxes at TAXMAN, NHS
    FOIs reveal bureaucrats losing switchover race by widest margin
    http://www.theregister.co.uk/2014/01/14/win_xp_uk_gov_hacker_deadline_miss/

  18. Tomi Engdahl says:

    Out in the Open: An NSA-Proof Twitter, Built With Code From Bitcoin and BitTorrent
    http://www.wired.com/wiredenterprise/2014/01/twister/

  19. Tomi Engdahl says:

    When Google closes the Nest deal, privacy issues for the internet of things will hit the big time
    http://gigaom.com/2014/01/13/when-google-closes-the-nest-deal-privacy-issues-for-the-internet-of-things-will-hit-the-big-time/

    Summary:
    Google intends to buy a connected thermostat that knows when you’re home and where you are within it. Given Google’s quest to index all the world’s information, this deal should jumpstart the conversation about privacy and the internet of things.

    Google rocked the smart home market Monday with its intention to purchase connected home thermostat maker Nest for $3.2 billion, which will force a much-needed conversation about data privacy and security for the internet of things.

    It’s a conversation that has seemingly stalled as advocates for the connected home expound upon the benefits in convenience, energy efficiency and even the health of people who are collecting and connecting their data and devices together through a variety of gadgets and services. On the other side are hackers and security researchers who warn how easy some of the devices are to exploit — gaining control of data or even video streams about what’s going on in the home.

    But when a company like Google — which has had numerous run-ins over privacy in the U.S. and abroad — plans to buy a company that makes products equipped with motion detectors that track what’s happening inside the home, it’s time that conversation about privacy and the internet of things takes a step forward.

    More information:
    http://gigaom.com/2014/01/13/the-winners-and-losers-in-googles-acquisition-of-nest/
    http://investor.google.com/releases/2014/0113.html
    http://gigaom.com/2014/01/13/breaking-google-acquires-digital-device-maker-nest-for-3-2b/
    http://tech.slashdot.org/story/14/01/13/2256228/google-buys-home-automation-company-nest
    http://www.theregister.co.uk/2014/01/13/google_buys_smart_home_device_builder_nest_for_32_beeelion_in_cash/
    http://www.tietokone.fi/artikkeli/uutiset/googlen_suuri_yritysosto_nest_kalliimpi_kuin_youtube
    http://www.tietoviikko.fi/kaikki_uutiset/google+alkaa+nuuskia+koteja+uusilla+vempeleillaan/a959351
    http://techcrunch.com/2014/01/13/nest-says-customer-data-from-devices-will-only-be-used-for-nest-products-and-services/
    https://nest.com/blog/2014/01/13/welcome-home/
    http://recode.net/2014/01/13/google-acquires-nest-for-3-2b/
    http://daringfireball.net/2014/01/googles_acquisition_of_nest
    http://www.wired.com/business/2014/01/google-nest-buy/
    http://www.theinquirer.net/inquirer/news/2322719/google-spends-usd32bn-feathering-its-nest
    http://www.elektroniikkalehti.fi/index.php?option=com_content&view=article&id=833:google-panostaa-kotiautomaatioon&catid=13&Itemid=101
    http://techcrunch.com/2014/01/13/nest-investors-strike-it-rich/?source=gravity
    http://www.mercurynews.com/business/ci_24834727/palo-altos-nest-labs-reportedly-raising-at-least

  20. Tomi Engdahl says:

    Target Hackers Have More Data Than They Can Sell
    http://it.slashdot.org/story/14/01/15/0156201/target-hackers-have-more-data-than-they-can-sell

    “The hackers who stole millions of credit card numbers from Target customers are probably ‘laying low knowing that everyone is looking for them,’”

    “it’s also likely that they can’t sell them”

  21. Tomi Engdahl says:

    ‘You win, Kanye’: Coinye creators throw in towel after rapper sues
    This time, Kanye West is not gonna let them finish
    http://www.theregister.co.uk/2014/01/15/coinye_cancelled/

    The short and turbulent life of Coinye, the digital cryptocurrency named after rapper Kanye West, has come to an end.

  22. Tomi Engdahl says:

    N.S.A. Devises Radio Pathway Into Computers
    http://www.nytimes.com/2014/01/15/us/nsa-effort-pries-open-computers-not-connected-to-internet.html?partner=rss&emc=rss&smid=tw-nytimesworld&module=ArrowsNav&contentCollection=U.S.&action=keypress&region=FixedLeft&pgtype=article&_r=0

    The National Security Agency has implanted software in nearly 100,000 computers around the world that allows the United States to conduct surveillance on those machines and can also create a digital highway for launching cyberattacks.

    The technology, which the agency has used since at least 2008, relies on a covert channel of radio waves that can be transmitted from tiny circuit boards and USB cards inserted surreptitiously into the computers.

    The radio frequency technology has helped solve one of the biggest problems facing American intelligence agencies for years: getting into computers that adversaries, and some American partners, have tried to make impervious to spying or cyberattack. In most cases, the radio frequency hardware must be physically inserted by a spy, a manufacturer or an unwitting user.

    There is no evidence that the N.S.A. has implanted its software or used its radio frequency technology inside the United States. While refusing to comment on the scope of the Quantum program, the N.S.A. said its actions were not comparable to China’s.

    “N.S.A.’s activities are focused and specifically deployed against — and only against — valid foreign intelligence targets in response to intelligence requirements,” Vanee Vines, an agency spokeswoman, said in a statement.

  23. Tomi Engdahl says:

    Modern spying 101: How NSA bugs Chinese PCs with tiny USB radios – NYT
    Project ‘Quantum’ pwns air-gapped computers with mysterious devices
    http://www.theregister.co.uk/2014/01/15/nsa_quantum_radio_compromize/

    The NSA has compromised almost 100,000 computers around the world in its quest to get its tentacles into air-gapped computers operated by adversaries such as the Chinese Army.

    The revelation was made by the New York Times in a report published on Tuesday based on documents released by Edward Snowden.

    uses a “covert channel of radio waves that can be transmitted from tiny circuit boards and USB cards.”

    These ghastly widgets sometimes pass data onto a briefcase-sized relay point named “Nightstand” that can be used up to eight miles away, and can feed data packets back to the compromised host.

  24. Tomi Engdahl says:

    Porn Will Be Bitcoin’s Killer App
    http://tech.slashdot.org/story/14/01/18/0343204/porn-will-be-bitcoins-killer-app

    “In December, porn.com started accepting Bitcoin for its premium services”
    “boosted the figure to 50 percent, before settling down to about 25 percent.”

    ‘I definitely believe that porn will be Bitcoin’s killer app,’ he told The Guardian. ‘Fast, private and confidential payments.’”

  25. Tomi Engdahl says:

    VPN Related Vulnerability Discovered on an Android device – Disclosure Report
    http://cyber.bgu.ac.il/blog/vpn-related-vulnerability-discovered-android-device-disclosure-report

    As part of our ongoing mobile security research we have uncovered a network vulnerability on Android devices which has serious implications for users using VPN. This vulnerability enables malicious apps to bypass active VPN configuration (no ROOT permissions required) and redirect secure data communications to a different network address. These communications are captured in CLEAR TEXT (no encryption), leaving the information completely exposed. This redirection can take place while leaving the user completely oblivious, believing the data is encrypted and secure.

  26. Tomi Engdahl says:

    Analyst Calls Russian Teen Author of Target Malware
    http://slashdot.org/topic/datacenter/analyst-calls-russian-teen-author-of-target-malware/

    Security analyst Andrey Komarov posted details of the BlackPOS code, tracing its trail back to a St. Petersburg teen.

    A digital-activity data analytics firm called IntelCrawler, Inc. claims to have identified the author of the BlackPOS malware used in attacks against Target and Neiman Marcus, and spotted similar attacks that are still in progress against six other retailers.

    Andrey Komarov, CEO of the Los Angeles-based IntelCrawler, told Reuters Jan. 17 that his company had spotted the six ongoing attacks while analyzing Web traffic in search of the specific entry points and origin of the malware infection behind the Target data breach, which allowed hackers to steal magnetic card-strip data on 40 million debit- and credit cards and demographic data on 70 million additional customers.

    According to Komarov, BlackPOS was developed by a 17-year-old Russian who goes by the username Ree4 and lives in St. Petersburg.

    Ree4 probably did not participate in the attack on Target, but did sell the malware to the actual attackers,

    Ree4 sold more than 40 builds of BlackPOS, mostly to buyers in Eastern Europe, according to the IntelCrawler analysis, which names several alleged credit-card-number sales sites among the buyers.

    Ree4 tells a potential customer that the price for the software is US$2,000 and that the malware grabs credit-card numbers from system memory as they’re scanned, dumps them into a file called time.txt that is sent back to the controller.

  27. Tomi Engdahl says:

    Fridge sends spam emails as attack hits smart gadgets
    http://www.bbc.co.uk/news/technology-25780908

    A fridge has been discovered sending out spam after a web attack managed to compromise smart gadgets.

    The fridge was one of more than 100,000 devices used to take part in the spam campaign.

    Uncovered by security firm Proofpoint the attack compromised computers, home routers, media PCs and smart TV sets.

    The attack is believed to be one of the first to exploit the lax security on devices that are part of the “internet of things”.

    About 25% of the messages seen by Proofpoint researchers did not pass through laptops, desktops or smartphones, it said.

    Instead, the malware managed to get itself installed on other smart devices such as kitchen appliances, the home media systems on which people store copied DVDs and web-connected televisions.

    Many of these gadgets have computer processors onboard and act as a self-contained web server to handle communication and other sophisticated functions.

    Mr Knight speculated that the malware that allowed spam to be sent from these devices was able to install itself because many of the gadgets were poorly configured or used default passwords that left them exposed.

  28. Tomi Engdahl says:

    Adware vendors buy Chrome Extensions to send ad- and malware-filled updates
    Once in control, they can silently push new ad-filled “updates” to those users.
    http://arstechnica.com/security/2014/01/malware-vendors-buy-chrome-extensions-to-send-adware-filled-updates/

    One of the coolest things about Chrome is the silent, automatic updates that always ensure that users are always running the latest version. While Chrome itself is updated automatically by Google, that update process also includes Chrome’s extensions, which are updated by the extension owners. This means that it’s up to the user to decide if the owner of an extension is trustworthy or not, since you are basically giving them permission to push new code out to your browser whenever they feel like it.

    To make matters worse, ownership of a Chrome extension can be transferred to another party, and users are never informed when an ownership change happens. Malware and adware vendors have caught wind of this and have started showing up at the doors of extension authors, looking to buy their extensions. Once the deal is done and the ownership of the extension is transferred, the new owners can issue an ad-filled update over Chrome’s update service, which sends the adware out to every user of that extension.

    The reality, though, is that while it’s extremely easy for a novice user to install an extension, it’s nearly impossible for them to diagnose and remove an extension that has turned sour, and Chrome Sync will make sure that extension hangs around on all their devices for a long time.

  29. Tomi Engdahl says:

    Expert: Spy frenzy can destroy the whole of the open Internet

    The espionage scandal that spread from the United States to the rest of the world may, at worst, lead to the breakup of the open, global network, says F-Secure’s Chief Research Officer Mikko Hypponen.

    The revelations may even lead to the breakup of the global, free data network, says security company F-Secure’s Chief Research Officer Mikko Hypponen.

    - Maybe it’s a polarized view, but the loss of a free and open network is really happening. For 20 years the network managed to be its own world, where national borders or laws did not really matter. It was a bit of a naive utopia, which is now clearly broken.

    - Now, after all the revelations, people are starting to think about which country the servers are in, where programs come from and what laws apply.

    The spying news has led citizens as well as countries to seek alternatives to the vulnerable network. For example, Germany and Brazil have already begun to consider whether a separate national network would be needed. In this way they would follow the example of China and Saudi Arabia, whose networks are heavily infiltrated.

    According to Hyppönen, the splitting of the network into separate islands would be the stuff of nightmares. However, he did not consider it likely that Finland would set up a national, closed network.

    - I do not think there is any desire at the national level to go in this direction.

    Sources:
    http://www.iltalehti.fi/uutiset/2014011917945888_uu.shtml
    http://www.iltasanomat.fi/digi/art-1288644002469.html

  30. Tomi Engdahl says:

    In case you weren’t aware, that little ‘write protect’ switch on your SD cards probably doesn’t do anything. It’s only a switch, really, and if an SD card reader doesn’t bother to send that signal to your computer, it’s completely ineffective. Then there’s the question of your OS actually doing something with that write protect signal.

    The better way to go about write protecting an SD card is using the TMP_WRITE_PROTECT bit on the SD card’s controller.

    It’s just like the write-protect notch on floppies (aaaah, remember them!). I think it’s more intended at preventing accidental overwriting by the user.

    Floppy disks didn’t have any mechanical write protection mechanism. They worked the same way SD cards do. There was a small push button inside the drive that would be pressed or not pressed depending on the state of the write-protect switch on the disk. It was up to the drive to enforce the actual write protection.

    Source: http://hackaday.com/2014/01/18/the-tiniest-sd-card-locker/

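The post above makes the point that the mechanical lock tab is only a signal that the reader and the OS may or may not honour, while the card-side write-protect bits in the CSD register are enforced by the card itself. The following is an added example, not code from the Hackaday post or the project it describes, that decodes those bits from a CSD dump and compares them with the OS read-only flag. It relies on the SD Physical Layer Specification layout (128-bit CSD, CSD_STRUCTURE in bits 127:126, PERM_WRITE_PROTECT at bit 13, TMP_WRITE_PROTECT at bit 12) and on the Linux sysfs paths `/sys/block/mmcblkN/device/csd` and `/sys/block/mmcblkN/ro`; the sample CSD value is constructed, not taken from a real card.

```python
"""Decode the write-protect bits of an SD card's CSD register.

Added example, not code from the Hackaday post or the project it describes.
Facts it relies on: the CSD (Card Specific Data) register is 128 bits,
CSD_STRUCTURE sits in bits 127:126, PERM_WRITE_PROTECT is bit 13 and
TMP_WRITE_PROTECT is bit 12 (SD Physical Layer Specification).  On Linux the
MMC/SD host driver exposes the raw register as a hex string at
/sys/block/mmcblkN/device/csd and the block layer's read-only flag at
/sys/block/mmcblkN/ro; comparing the two shows whether the OS is honouring
the card-side bit, independent of the mechanical switch.
"""
from dataclasses import dataclass
from pathlib import Path
from typing import Optional

CSD_HEX_LEN = 32                 # 128 bits as hex digits
PERM_WRITE_PROTECT_BIT = 13
TMP_WRITE_PROTECT_BIT = 12

# Constructed sample CSD (CSD_STRUCTURE = 1, i.e. a high-capacity card) with
# both write-protect bits clear.  Not taken from a real card.
SAMPLE_CSD = "400e00325b5900007737f800a4004001"


@dataclass(frozen=True)
class WriteProtectState:
    csd_structure: int
    perm_write_protect: bool
    tmp_write_protect: bool

    @property
    def card_enforces_read_only(self) -> bool:
        """True when the card itself will refuse writes, switch or no switch."""
        return self.perm_write_protect or self.tmp_write_protect


def parse_csd(csd_hex: str) -> WriteProtectState:
    """Extract the write-protect flags from a 32-hex-digit CSD dump."""
    csd_hex = csd_hex.strip()
    if len(csd_hex) != CSD_HEX_LEN:
        raise ValueError(f"CSD must be {CSD_HEX_LEN} hex digits, got {len(csd_hex)}")
    value = int(csd_hex, 16)
    return WriteProtectState(
        csd_structure=(value >> 126) & 0b11,
        perm_write_protect=bool((value >> PERM_WRITE_PROTECT_BIT) & 1),
        tmp_write_protect=bool((value >> TMP_WRITE_PROTECT_BIT) & 1),
    )


def with_tmp_write_protect(csd_hex: str, enabled: bool) -> str:
    """Model what PROGRAM_CSD (CMD27) changes: return the CSD image with
    TMP_WRITE_PROTECT set or cleared.  This edits the hex image only; it does
    not talk to a card."""
    value = int(csd_hex.strip(), 16)
    mask = 1 << TMP_WRITE_PROTECT_BIT
    value = value | mask if enabled else value & ~mask
    return f"{value:032x}"


def assess(state: WriteProtectState, os_read_only: bool) -> str:
    """One-line verdict comparing card-side protection with the OS flag."""
    if state.perm_write_protect:
        return "permanently write-protected by the card (irreversible)"
    if state.tmp_write_protect and os_read_only:
        return "card-enforced write protection, and the OS agrees"
    if state.tmp_write_protect:
        return "card will reject writes, but the OS has not marked the device read-only"
    if os_read_only:
        return "OS read-only flag only (switch/reader signal); the card itself accepts writes"
    return "writable"


def read_sysfs(device: str = "mmcblk0") -> Optional[str]:
    """Linux only: return assess() for a real card, or None if sysfs is absent."""
    base = Path("/sys/block") / device
    try:
        csd = (base / "device" / "csd").read_text()
        ro = (base / "ro").read_text().strip() == "1"
    except OSError:
        return None
    return assess(parse_csd(csd), ro)


if __name__ == "__main__":
    for csd in (SAMPLE_CSD, with_tmp_write_protect(SAMPLE_CSD, True)):
        print(csd, "->", assess(parse_csd(csd), os_read_only=False))
    print(read_sysfs() or "no /sys/block/mmcblk0 on this host")
```

The verdict "card will reject writes, but the OS has not marked the device read-only" is the case the post is about from the other side: the card enforces protection regardless of what the reader signals, so the CSD bit is the one to check when the lock tab cannot be trusted.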
  31. Tomi Engdahl says:

    Adware vendors buy Chrome Extensions to send ad- and malware-filled updates
    Once in control, they can silently push new ad-filled “updates” to those users.
    http://arstechnica.com/security/2014/01/malware-vendors-buy-chrome-extensions-to-send-adware-filled-updates/

    One of the coolest things about Chrome is the silent, automatic updates that always ensure that users are always running the latest version. While Chrome itself is updated automatically by Google, that update process also includes Chrome’s extensions, which are updated by the extension owners.

    This means that it’s up to the user to decide if the owner of an extension is trustworthy or not, since you are basically giving them permission to push new code out to your browser whenever they feel like it.

    Google Removes Two Chrome Extensions Amid Ad Uproar
    http://blogs.wsj.com/digits/2014/01/19/google-removes-two-chrome-extensions-amid-ad-uproar/

    Google removed two Chrome browser extensions from its web store after it was discovered the software included code that served people ads in a way that violated the company’s terms of service.

    Internet message boards were abuzz this weekend over the two extensions — “Add to Feedly” and “Tweet This Page” — each of which had fewer than 100,000 users. In both cases, people described how the extensions were silently updated to include code that served undesirable ads. One user review for “Add to Feedly” called the extension “spam” that caused ads to suddenly pop up on any website visited.

    Google updated its policies in December to prevent software developers from using extensions to insert advertising on more than one part of a page.

    While “Add to Feedly” and “Tweet This Page” had small numbers of users, their kind of situation could be more pervasive: The owners of far more popular extensions say they have been offered money to incorporate ad code into their extensions.

  32. Tomi Engdahl says:

    Corporations Abusing Copyright Laws Are Ruining the Web for Everyone
    http://www.wired.com/opinion/2014/01/internet-companies-care-fair-use/

    By allowing limited use of copyrighted material for things like criticism, review, commentary, parody, or just personal non-commercial use, fair use has a widespread and often invisible impact on today’s social internet. Yet its very ubiquity means it’s often taken for granted by individuals — and the internet companies who benefit from it.

    This is worrying because fair use is under threat, and one of the culprits is the DMCA takedown notice that provides copyright owners an easy tool to remove content they claim to be unlawfully posted. Copyright owners send these notices to web companies who host content; the companies must then remove the content or risk legal liability themselves. Meant to promote the quick removal of impermissible copyright infringement, the DMCA system works well in many cases.

    Unfortunately, an increasing number of copyright holders misuse this system to target even lawful fair use of their work. And the current DMCA system enables these aggressive copyright owners by providing virtually no penalties for failing to consider common exceptions to infringement — like fair use.

    Many times per week, WordPress.com receives such DMCA takedown notices that target what we can plainly see is fair use.

  33. Tomi Engdahl says:

    Obama’s restrictions on NSA surveillance rely on narrow definition of ‘spying’
    http://www.washingtonpost.com/world/national-security/obamas-restrictions-on-nsa-surveillance-rely-on-narrow-definition-of-spying/2014/01/17/2478cc02-7fcb-11e3-93c1-0e888170b723_story.html

    President Obama said Friday, in his first major speech on electronic surveillance, that “the United States is not spying on ordinary people who don’t threaten our national security.”

    Obama placed restrictions on access to domestic phone records collected by the National Security Agency, but the changes he announced will allow it to continue — or expand — the collection of personal data from billions of people around the world, Americans and foreign citizens alike.

    Obama squares that circle with an unusually narrow definition of “spying.” It does not include the ingestion of tens of trillions of records about the telephone calls, e-mails, locations and relationships of people for whom there is no suspicion of relevance to any threat.

    As digital communications have multiplied, and NSA capabilities with them, the agency has shifted resources from surveillance of individual targets to the acquisition of communications on a planetary scale. That shift has fed the appetite of Big Data tools, which are designed to find unseen patterns and make connections that NSA analysts don’t know to look for.

    “It’s noteworthy that the president addressed only the bulk collection of call records, but not any of the other bulk collection programs revealed by the media,”

    Obama avoided almost entirely any discussion of overseas intelligence collection that he authorized on his own, under Executive Order 12333, without legislative or judicial supervision.

    Why Obama’s NSA Reforms Won’t Solve Silicon Valley’s Trust Problem
    http://www.wired.com/threatlevel/2014/01/obama-nsa-2/

    When Barack Obama announced his reforms of National Security Agency surveillance programs today, few people were as interested as Larry Page, Mark Zuckerberg, Tim Cook, Marissa Mayer, and Steve Ballmer.

    And the president knew it. The official order he released as he spoke — Presidential Policy Directive/PPD-28, which laid out the changes he was making — included a bow to the tech giants. High up in the document, he acknowledged that the nation’s intelligence-gathering activities risk “a potential loss of international trust in U.S. firms [and]…the credibility of our commitment to an open, interoperable, and secure global Internet.” In the battle to balance national security with vital civil liberties, the tech industry has suffered the most severe collateral damage, as trust in its products has indeed eroded. Today the president had the opportunity to cut Silicon Valley a break.

    So what did the tech companies get?

    As expected, they will have more freedom to disclose the number and the nature of requests from the government for data related to national-security concerns. So we can expect more detailed transparency reports from the companies showing that they only provide a fraction of their information to the government.

    The State Department will add a “senior officer to coordinate our diplomacy on issues related to technology and signals intelligence.”

    But don’t expect celebrations in Silicon Valley — their blues in the wake of leaks made by former NSA contractor Edward Snowden are far from over. Generally, the Obama reforms tweak or constrain existing surveillance programs. But the overseas customers of U.S. companies aren’t micro-analyzing the protections the NSA takes when it accesses customer data: They are incensed that the U.S. collects the data the first place.

    The president is not going to give up programs that collect bulk data — the haystacks that NSA chief General Keith Alexander insists are necessary to locate the deadly threats from enemies who may attack the U.S. Though Obama’s directive dictates limitations on how the government can use the databases it amasses, the program itself will continue. (Doing otherwise, Obama says, would irresponsibly leave us vulnerable.)

    Maybe the president is sending a message to both the NSA and the Internet companies — a message that the tech industry doesn’t want to hear: We’re in this together.

  34. Tomi Engdahl says:

    Those NSA ‘reforms’ in full: El Reg translates US Prez Obama’s pledges
    Filleting fact from fiction
    http://www.theregister.co.uk/2014/01/18/that_obama_nsa_reform_speech_with_el_reg_annotations/?page=1

    You can watch the entire speech here, but words are tricky things – never more so than when national security is involved. As such we’ve taken a transcript of the president’s words and, given what we know about today’s mass surveillance operations, tried to work out what was actually said. Prez Obama’s speech is presented below in bold, with our annotations throughout.

  35. Tomi Engdahl says:

    20 Million People Exposed In Massive South Korea Data Leak
    http://it.slashdot.org/story/14/01/19/1745243/20-million-people-exposed-in-massive-south-korea-data-leak

    “While the recent data breach that hit Target has dominated headlines lately, another massive data breach was disclosed this week that affected at least 20 million people in South Korea. According to regulators, the personal data including names, social security numbers, phone numbers, credit card numbers and expiration dates of at least 20 million bank and credit card users was taken by a temporary consultant working at the Korea Credit Bureau (KCB).”

  36. Tomi Engdahl says:

    01/20/2014
    Vulnerabilities in VMware software

    A large number of vulnerabilities have been found in VMware Workstation, Player, Fusion, ESXi, ESX and vCloud Director software.

    SOLUTION AND MITIGATION OPTIONS:

    Update the software according to the manufacturer’s instructions. Abuse of NFC traffic handling in ESXi and ESX can be mitigated by placing the vSphere system components in a separate network.

    Source: CERT-FI
    https://www.cert.fi/haavoittuvuudet/2014/haavoittuvuus-2014-009.html

  37. Tomi Engdahl says:

    Still Don’t Get Bitcoin? Here’s an Explanation Even a Five-Year-Old Will Understand
    http://www.coindesk.com/bitcoin-explained-five-year-old/

  38. Tomi Engdahl says:

    Bitcoin 2.0 Explained: Colored Coins Vs Mastercoin Vs Open Transactions Vs Protoshares
    2014 Will Show the True Power of the Blockchain
    http://voices.yahoo.com/bitcoin-20-explained-colored-coins-vs-mastercoin-vs-12475857.html

    While the entire world is beginning to learn about the power of the Bitcoin payment network, the real innovation behind this protocol is happening behind the scenes. There have been many different Bitcoin enthusiasts who have been talking about the holy grail of decentralized exchanges and using the Bitcoin protocol for more than just payments, and it seems that 2014 is going to be the year when we see these features finally get implemented into some real world applications. There are many different projects that are currently aiming to take Bitcoin to the next level, and it’s likely that there won’t be one clear winner when everything is said and done. Before we hop into the competition, let’s take a closer look at exactly what these projects are trying to accomplish.

    At its core, Bitcoin is a new technology that allows everyone around the world to come to a consensus on who owns what without the use of a centralized third party. There are many different applications that can be built on top of this technology, and Bitcoin is only the first of many apps to come. When you forget about Bitcoin and just look at the technology, there are a large number of new possibilities that jump out at you. For example, if you can have a decentralized ledger that explains who owns which asset, then why do we need centralized stock exchanges? If we can have a global consensus on who owns which domain name or email address, then why do we need centralized versions of these services? If it’s possible to create a global marketplace where buyers and sellers can find each other in a decentralized manner, then why do we need to use eBay? These are just a few of the possibilities that people are looking at right now when it comes to taking the technology behind Bitcoin and applying it to more than just payments.

    Open Transactions is a project that has been in development since before Bitcoin became a big deal.

    At the end of the day, the reality is that all of these Bitcoin 2.0 technologies are not really competing against each other. Open Transactions will allow people to trade protoshares, mastercoins, bitcoins, and everything else on their servers.

  39. Tomi Engdahl says:

    F-Secure’s Hypponen leads RSA refuseniks to NSA-free infosec chatfest
    TrustyCon scores speakers from Google, cash from Microsoft
    http://www.theregister.co.uk/2014/01/21/hypponen_leads_rsa_con_refuseniks_to_new_confab/

    It was probably inevitable: a group of RSA Conference refuseniks have established a rival conference within walking distance of the original.

    The one-day TrustyCon, to be held on 27 February at the AMC Metreon Theatre in San Francisco, has drawn Mikko Hypponen as its keynote, giving “The talk I was going to give at RSA”. So far, the only other confirmed speakers are ISEC Partners’ Alex Stamos; Marcia Hofmann (EFA) and Christopher Soghoian (American Civil Liberties Union) who dropped out of the RSA Conference; Google’s Chris Palmer; and Black Hat’s Jeff Moss.

    At the time of writing, that left three slots still open at TrustyCon. Microsoft and Cloudflare have both signed on as sponsors.

    Momentum to abandon the RSA Conference has been building since a Reuters report emerged suggesting that the NSA had paid the company $10 million to put a backdoor in its encryption code in its Dual Elliptic Curve Deterministic Random Bit Generator (Dual EC DRBG).

  40. Tomi Engdahl says:

    Java Primary Cause of 91 Percent of Attacks: Cisco
    http://www.eweek.com/security/java-primary-cause-of-91-percent-of-attacks-cisco.html

    Cisco’s 2014 Annual Security Report points the blame at Oracle’s Java for being a leading cause of security woes.
    There are many different risks and attacks that IT professionals had to deal with in 2013, but no one technology was more abused or more culpable than Java, according to Cisco’s latest annual security report.

    The Cisco 2014 Annual Security Report found that Java represented 91 percent of all Indicators of Compromise (IOCs) in 2013.

    What that means is that the final payload in observed attacks was a Java exploit

    “I was surprised to see that the Java IOC number was 91 percent,” Gundert said. “There were a number of Java zero days that were used in various attacks, but there were also a ton of well-known Java vulnerabilities that were packaged into various exploit packs.”

    Cisco isn’t the only one that saw a high degree of Java exploit activity in 2013. Multiple vendors, including Hewlett-Packard and Kaspersky Lab, reported a surge in Java attacks during 2013. Just yesterday, Oracle updated Java yet again, this time for 51 vulnerabilities.

    “2013 really was the year of Java exploits,” Gundert said.

    Java exploits tend to have great success because people simply just aren’t patching it regularly, Gundert said.

    Overall 2013 Trends

    While the use of Java is a highlight of the Cisco report, there are other key data points, including the fact that the overall number of threats rose by 14 percent on a year-over-year basis.

    Another surprising finding is that among a sample of 30 large, multinational company networks taken by Cisco, 100 percent of them at some point in 2013 visited a Website that hosts malware.

    “I was really surprised that the number was 100 percent,” Gundert said. “It speaks to the fact that it’s not about when an organization will be compromised; it’s more about how long it will take an organization to detect a compromise and if the remediation window can be shortened.”

  41. Tomi Engdahl says:

    Warning: Your Browser Extensions Are Spying On You
    http://discuss.howtogeek.com/t/warning-your-browser-extensions-are-spying-on-you/12394

    The internet exploded Friday with the news that Google Chrome extensions are being sold and injected with adware. But the little-known and much more important fact is that your extensions are spying on you and selling your browsing history to shady corporations. HTG investigates.

  42. Tomi Engdahl says:

    New documents: NSA provided 2-3 daily “tips” to FBI for at least 3 years
    Secret 2007 court order mentions “approximately three telephone identifiers.”
    http://arstechnica.com/tech-policy/2014/01/new-documents-nsa-provided-2-3-daily-tips-to-fbi-for-at-least-3-years/

    According to newly-declassified court orders from the Foreign Intelligence Surveillance Court (FISC), the National Security Agency (NSA) was (and may still be) tipping off the FBI at least two to three times per day going back at least to 2006.

    “Reasonable, articulable suspicion”

    As we reported after the August 2013 release of declassified court documents, Judge Reggie Walton lambasted the government’s mistakes on the business records metadata collection program.

    The newly-declassified court orders from last Friday appear to indicate that while the FBI is being granted the order, it is in fact the NSA that is obtaining and analyzing the information first before handing it over to the FBI.

  43. Tomi Engdahl says:

    EU Commissioner Renews Call for Serious Fines in Data Privacy Laws
    http://yro.slashdot.org/story/14/01/21/0140227/eu-commissioner-renews-call-for-serious-fines-in-data-privacy-laws

    “Despite Google being fined €900,000 by Spanish authorities and €150,000 in France for its controversial privacy policies in recent months, an EU commissioner has admitted this is mere ‘pocket money’ to the company”

  44. Tomi Engdahl says:

    The Battle of Wills Between the European Commission and Google
    http://www.infosecurity-magazine.com/view/36539/the-battle-of-wills-between-the-european-commission-and-google/

    Earlier this month Google’s global privacy counsel Peter Fleischer declared that the ‘much-flawed’ European General Data Protection Regulation (GDPR) had collapsed and the ‘old draft is dead.’ But in a speech yesterday, Commissioner Viviane Reding explained that she will persist; and she used Google as an example of why she must.

  45. Tomi Engdahl says:

    Although ‘password’ is no longer the #1 sesame opener, it’s still STUPID
    http://www.theregister.co.uk/2014/01/20/password_no_longer_the_worst_password_still_a_terrible_password/

    Despite the fact that users continue to cling to predictable and insecure passwords, the worst of them all is no longer the most popular.

    Security firm SplashData reports that in 2013, “password” slipped from the top spot as the most popular log-in code. Taking over the dubious distinction of most popular (and perhaps least secure) passphrase was the numerical string “123456”.

    After “password”, “12345678” was the third most popular login. Rounding out the top five passwords were “qwerty” and “abc123”.

    The top five will be enough to make any security administrator cringe, but the list should hardly come as a surprise.

    Avoiding the use of easily-guessed passwords is simple enough if users employ a bit of creativity and standard best practices, such as using a hard-to-guess mnemonic device and mixing letters and numbers (non-sequential, obviously) in their passwords.

  46. Tomi Engdahl says:

    Although ‘password’ is no longer the #1 sesame opener, it’s still STUPID
    http://www.theregister.co.uk/2014/01/20/password_no_longer_the_worst_password_still_a_terrible_password/

    Despite the fact that users continue to cling to predictable and insecure passwords, the worst of them all is no longer the most popular.

    Security firm SplashData reports that in 2013, “password” slipped from the top spot as the most popular log-in code. Taking over the dubious distinction of most popular (and perhaps least secure) passphrase was the numerical string “123456”.

    After “password”, “12345678” was the third most popular login. Rounding out the top five passwords were “qwerty” and “abc123”.

    The top five will be enough to make any security administrator cringe, but the list should hardly come as a surprise.

  47. Tomi Engdahl says:

    Insecure healthcare.gov allowed hacker to access 70,000 records in 4 minutes
    http://blogs.computerworld.com/cybercrime-and-hacking/23412/insecure-healthcaregov-allowed-hacker-access-70000-records-4-minutes

    When it comes to the atrocious state of HealthCare.gov security, white hat hacker David Kennedy, CEO of TrustedSec, may feel like he’s beating his head against a stone wall. Kennedy said, “I don’t understand how we’re still discussing whether the website is insecure or not. It is; there’s no question about that.” He added, “It is insecure – 100 percent.”

    Kennedy has continually warned that healthcare.gov is insecure. In November, after the website was allegedly “fixed,” he told Congress it was even more vulnerable to hacking and privacy breaches.

    Last week, Kennedy testified again about holes in healthcare.gov that could allow hackers to access personal information like names, social security numbers, email addresses, home addresses and more. And because other government sites like DHS and IRS are integrated into healthcare.gov, for verification purposes, hackers could also access those other government sites and create an online profile for practically anyone in the system.

    Then yesterday, after explaining “passive reconnaissance, which allows us to query and look at how the website operates and performs,” Kennedy said he was able to access 70,000 records within four minutes! It was “a rudimentary type attack that doesn’t actually attack the website itself, it extracts information from it without actually having to go into the system.”

    “70,000 was just one of the numbers that I was able to go up to. And I stopped after that.”

    “The problem is if you look at the integration between the IRS, DHS, third party credit verification processes, you have all of these different organizations that feed into this data hub for the healthcare.gov infrastructure to provide all that information and validate everything. And so if an attacker gets access to that, they basically have full access into your entire online identity”

    a pack of elite white hat hackers — Kevin Mitnick, Ed Skoudis, Chris Nickerson, Eric Smith, Chris Gates, John Strand, Kevin Johnson, and Scott White – blasted the website’s insecurity.

    HealthCare.gov still has major security problems, experts say
    Democrats question whether outside security experts can tell what defenses are being deployed
    January 16, 2014
    http://www.computerworld.com/s/article/9245488/HealthCare.gov_still_has_major_security_problems_experts_say

    HealthCare.gov remains riddled with security vulnerabilities and is ripe for ID theft three and a half months after its launch, two cybersecurity experts told U.S. lawmakers Thursday.

    But a third cybersecurity expert and Democratic members of the U.S. House of Representatives Science, Space and Technology Committee questioned those warnings, saying Republican critics of the Affordable Care Act, the 2010 law with HealthCare.gov as its insurance-shopping centerpiece, are trying to scare U.S. residents and keep them from using the site.

    Still, security at HealthCare.gov appears to have gotten worse in the past two months, said David Kennedy, CEO of TrustedSEC, a cybersecurity consulting firm. Since Kennedy first talked to the committee in November, he and other security researchers discovered multiple vulnerabilities, he said, through passive scans of the website.

    “The website is not getting any better,” he said. “TrustedSec’s opinion still holds strong that the website fails to meet even basic security practices for protecting sensitive information of individuals and does not provide adequate levels of protection for the website itself.”

    HealthCare.gov: Basic Security Failures and IT Bloopers
    http://blog.secureideas.com/2014/01/healthcaregov-basic-security-failures.html

    From a security perspective, items such as the JSON injection and the lack of access controls for eligibility reports are commonly seen in applications not scrutinized by any type of security assessment. These are the types of flaws that a security assessment should find with little effort. Given the existence of these flaws for such a prolonged amount of time after the release of the application, it is a certainty that security testing is either not being performed at all, not being performed well, or the results of the testing are not being made part of remediation efforts. Applications containing low hanging fruit such as these flaws typically also contain much more serious issues.

    From a basic IT perspective, the problems and concerns discovered also reflect a lack of change validation and functionality testing that should be performed regularly throughout an application’s lifecycle

    The fact that this SPF record is not correctly implemented in healthcare.gov indicates that no one verified the functionality.

    These are the types of issues that security professionals would hope never to see in a government application. Given the industry standard application development lifecycle, these problems should simply not exist in this application.
