The year 2014 will be a year of cybersecurity after the NSA revelations made in 2013. The headline news is that the NSA has surreptitiously “burrowed its way into nearly all the security architecture” sold by the world’s largest computer networking companies. A lot of people were shocked at how the NSA monitored and hacked almost everything on the Internet. There will still be NSA aftershocks as new material comes out and different parties react to it (and news sources write about it). U.S. cloud services have been put into question for good reason. There will be a lot of NSA spying litigation. Those spying issues will also fuel some hacktivism (it has already started to happen).
The article Security Professionals: Top Cyber Threat Predictions for 2014 lists the following predictions, which seem pretty probable: Cybersecurity Regulatory Efforts Will Spark Greater Need for Harmonization, Service-Impacting Interruptions for Online Services Will Persist, We Will See an Increase in Cybercrime Activity Related to the World Cup, Rise of Regional Cloud Services, Dev-Ops Security Integration Fast Becoming Critical, Cybercrime that Leverages Unsupported Software will Increase, Increase in Social Engineering and Ransomware will Impact More People.
Ubiquitous mobile computing is all around us, which will lead to increased risks and concerns about social network privacy. Social networks have quickly become the key organizing principle of Internet communication and collaboration. Android anti-virus apps CAN’T kill nasties on sight like normal AV.
2013 was a very hacked year, with many cases where information on millions or tens of millions of users was stolen from companies. It’s likely that we will see much more of the same in 2014, because the way people use passwords and the way on-line services are built have not changed much in one year.

Gartner predicts that through 2014, improved JavaScript performance will begin to push HTML5 and the browser as a mainstream enterprise application development environment. I expect HTML5-related security issues to increase because the technology will be used more in 2014.
Over 50% of net traffic to web sites is made by bots! The article More Than Half of Internet Traffic Is Just Bots says that security and cloud service provider Incapsula analyzed traffic and found that more than 60 percent of Internet traffic is computer generated, compared to less than 40 percent of traffic driven by human clicks. 31% of bots are still malicious. SEO link building has always been a major motivation for automated link spamming, but it is decreasing because Google was able to discourage it. There is more advanced hacking and automatic vulnerability searching.
DDoS attacks are evolving from volumetric Layer 3-4 attacks to much more sophisticated and dangerous Layer 7 multi-vector threats.
There will still be many SCADA security issues in 2014. Even though traditional SCADA vulnerabilities have become easier to find, the increased connectivity brought by IoT will cause new issues. And there will still be very many control systems openly accessible from the Internet to practically everybody who knows how to do that. A large number of SCADA systems were found open on the Internet in the beginning of 2013, and the numbers have not dropped considerably during the year. I expect that very many of those systems will still be too open at the end of 2014.
The Internet is expanding into enterprise assets and consumer items such as cars and televisions. The Internet of Things (IoT) will evolve into the Web of Things, increasing the coordination between things in the real world and their counterparts on the Web. There will be many security issues to solve, and as these systems become more widely used, more security issues will be found in them.
Cloud security will be talked about. Hopefully there will be some clearing-up of the terminology in that area, because “cloud security” can mean a lot of things, just like the term “cloud computing”. Cloud security could mean how secure your cloud provider is; a service that runs in the cloud and filters what comes through it (for example e-mails or web traffic); a product protecting some service running in the cloud; or a traditional anti-virus service that connects to the cloud to improve its operation (for example to update in real time, or to verify unknown programs based on data in the cloud). Research firm Gartner forecasts that cloud security sales will increase dramatically in the next few years. Cloud security sales have increased over the past year by 2.1 billion, to $3.1 billion in 2015.
Marketers try to put the term “cloud” into security product brochures as much as they can. The cloud has made traditional information security sound old-fashioned, because companies are under pressure to move services to the cloud. Also, mobile devices and dispersed users set new standards for information security. OpenDNS’s CTO Dan Hubbard says that “Because the data and equipment run in the cloud, the cloud is the best way to protect users.” The Snowden Effect will also bring PRIVATE cloud talk to the table this year for security reasons, because U.S. cloud services have been put into question for good reason.
In Finland a new Cyber Security Center started in the beginning of 2014. Security articles and warnings from it will be published at kyberturvallisuuskeskus.fi.
Late addition: Crypto-currencies like Bitcoin and similar are on the rise. Early adopters already use them actively. Those crypto-currencies have many security related issues. The values of the crypto-currencies vary quite a lot, and the value easily drops considerably when they get so widely used that different governments try to limit their use. Bitcoin is increasingly used as a ransomware payment method. Bitcoins have been stolen quite a lot lately (and I expect that to increase when usage increases), and they are stolen from users, from on-line wallets and from exchanges. When more money is involved, more bad guys try to get in to take some of it. Sometimes bad guys do not try to steal your money, but instead use resources you pay for (your own PC, your server capacity, etc.) to generate money for them without you knowing about it. If you plan to use those crypto-currencies, be careful to understand what you are doing with them; there is a real possibility that you can lose your money, and there is no way that lost money can be recovered.

3,382 Comments
Tomi Engdahl says:
Obama to Nominate Navy Cybersecurity Chief to Head NSA
If Confirmed by Senate, Vice Admiral Michael Rogers Would Succeed Gen. Keith Alexander
http://online.wsj.com/news/article_email/SB10001424052702303519404579353173552039730-lMyQjAxMTA0MDMwMDEzNDAyWj
Tomi Engdahl says:
GitHub Launches Bug Bounty Program, Offers Between $100 and $5,000
http://developers.slashdot.org/story/14/01/30/205226/github-launches-bug-bounty-program-offers-between-100-and-5000
Tomi Engdahl says:
Eurocops want to build remote car-stopper, shared sensor network
EU-wide ‘open source intelligence’ and video-sharing also on the agenda
http://www.theregister.co.uk/2014/01/31/eurocops_want_to_build_remote_carstopper_shared_sensor_network/
Tomi Engdahl says:
Larry Ellison claims Oracle servers are untouchable
We always knew that oracles don’t look backwards
http://www.theinquirer.net/inquirer/news/2326107/larry-ellison-claims-oracle-servers-are-untouchable
AMERICA’S CUP YACHTSMAN and Oracle CEO Larry Ellison has claimed that Oracle’s servers can’t be subverted or monitored by the US National Security Agency (NSA).
On Twitter today, Litchfield suggested that Ellison is “someone who should spend less time sailing and more on what’s actually going on with his software”.
Tomi Engdahl says:
Android App Warns When You’re Being Watched
http://www.technologyreview.com/news/523981/android-app-warns-when-youre-being-watched/
Researchers find a way to give Android users prominent warnings when apps are tracking their location
Tomi Engdahl says:
How App Developers Leave the Door Open to NSA Surveillance
http://www.technologyreview.com/news/523971/how-app-developers-leave-the-door-open-to-nsa-surveillance/
U.S. and U.K. surveillance of smartphone users has been helped by mobile developers—few of whom bother to adopt basic encryption.
Tomi Engdahl says:
EU Secretly Plans To Put a Back Door In Every Car By 2020
http://tech.slashdot.org/story/14/01/30/2127238/eu-secretly-plans-to-put-a-back-door-in-every-car-by-2020
“A secretive EU body has agreed to develop a device to be fitted to all cars allowing police to cut off any engine at will”
Tomi Engdahl says:
This tool demands access to YOUR ENTIRE DIGITAL LIFE. Is it from GCHQ? No – it’s by IKEA
http://www.theregister.co.uk/2014/01/29/ikea_demands_access_all_areas_for_kitchen_tool/
Yet in spite of frequent demonstrations that a determined attacker will gain access to private data – and in spite of privacy regulations in many jurisdictions which stipulate that companies shouldn’t go fishing for data in case it’s useful one day – examples abound of cavalier attitudes to data collection.
Yet for some reason, IKEA – or the developer it hired – thinks the kitchen planner needs very, very wide permissions before it will run.
It’s quite likely, in fact, that neither IKEA nor its partner are aware, at a corporate level, that the application is so potentially intrusive.
Tomi Engdahl says:
Tor-enabled malware stole credit card data from PoS systems at dozens of retailers
http://www.pcworld.com/article/2093200/torenabled-malware-stole-credit-card-data-from-pos-systems-at-dozens-of-retailers.html
Payment card data was stolen during the past three months from several dozen retailers that had their point-of-sale systems infected with a memory-scraping malware program called ChewBacca.
Most of the affected retailers are based in the U.S., but PoS infections with this malware were also detected in 10 other countries
The malware installs a Tor proxy client on the infected systems and connects to a server via a .onion address.
the malware also has a keylogger component
Organizations don’t usually run antimalware software on their PoS devices
“So far, most PoS systems have been completely unprotected,”
“Retailers have a few choices against these attackers,”
Tomi Engdahl says:
F-Secure’s Hypponen: “We lived in a utopia of twenty years”
“When people learned to use the web, a naive and utopian concept of the web world was born. Furthermore, it did not matter where the services were, where the people were, or in which country the data device was and under which legislation the data fell. In such a utopia we lived for twenty years,” he said at the Tietoviikko Digital & mobile event.
The utopia crumbled concretely on July 6 last year, when Edward Snowden started leaking information on NSA snooping activities. It will change the world faster than anything else has changed it in a long time.
“Little by little the web has become more and more organized and more normal. And now it is controlled too much. ”
Source: Tietoviikko
http://www.tietoviikko.fi/kaikki_uutiset/fsecuren+hypponen+quotelimme+utopiassa+kaksikymmenta+vuottaquot/a963827
Tomi Engdahl says:
In an Age of Cyber War, Where Are the Cyber Weapons?
http://it.slashdot.org/story/14/02/01/1849238/in-an-age-of-cyber-war-where-are-the-cyber-weapons
“MIT Tech Review has an interesting piece that asks an obvious, but intriguing question: if we’re living in an age of cyber warfare, where are all the cyber weapons?”
Tomi Engdahl says:
If This Is Cyberwar, Where Are All the Cyberweapons?
http://www.technologyreview.com/news/523931/if-this-is-cyberwar-where-are-all-the-cyberweapons/
The discovery of Stuxnet in 2010 seemed to herald a new age of cyberwar, but that age has yet to materialize.
Industrial control professionals and academics complain that the information needed to research future attacks are being kept out of the public domain. And public utilities, industrial firms, and owners of critical infrastructure are just now becoming aware that systems they assumed were cordoned off from the public Internet very often are not.
Meanwhile, technology is driving even more rapid and transformative changes as part of what’s called the Internet of things.
Without proper security features built into industrial products from the get-go, the potential for attacks and physical harm increase dramatically. “If we continue to ignore the problem, we are going to be in deep trouble,” Langner said.
Tomi Engdahl says:
Securing the Smart Home, from Toasters to Toilets
http://www.technologyreview.com/news/523531/securing-the-smart-home-from-toasters-to-toilets/
Efforts are underway to make your smart toilet—and other connected devices—less vulnerable to hackers.
In some cases, then, the simplest solution may be to simply limit the number of devices that can connect to the Internet. One thing the AllSeen Alliance’s AllJoyn software can do is enable smart devices to communicate just with other devices in the home—a group of light bulbs, for instance, or a door lock—and not connect to the Internet beyond.
“I don’t necessarily want a cloud service to know every single time I walk in and out of my front door,” Ben-Zur says.
Tomi Engdahl says:
David Cameron wants fresh push on communications data
http://www.bbc.co.uk/news/uk-politics-25969918
David Cameron wants a fresh push after the next election to “modernise” laws to allow monitoring of people’s online activity
The prime minister told a parliamentary committee that gathering communications data was “politically contentious” but vital to keep citizens safe.
He said TV crime dramas illustrated the value of monitoring mobile data
Tomi Engdahl says:
HP offers $150,000 for ‘exploit unicorn’ in Pwn2Own hacker competition
Big bucks also up for grabs for browser and app cracking
http://www.theregister.co.uk/2014/02/01/hp_offers_150000_for_exploit_unicorn_in_pwn2own_hacker_competition/
HP has been laying out the ground rules for the latest Pwn2Own contest and is offering a new prize of $150,000 to the cunning cracker who can get root access to a Windows 8.1 PC running Redmond’s Enhanced Mitigation Experience Toolkit (EMET).
Browser security is a major part of Pwn2Own and crackers can earn $100,000 for beating Internet Explorer 11 or the Chrome browser on an x64 Windows 8.1 system
Tomi Engdahl says:
Footage released of Guardian editors destroying Snowden hard drives
GCHQ technicians watched as journalists took angle grinders and drills to computers after weeks of tense negotiations
http://www.theguardian.com/uk-news/2014/jan/31/footage-released-guardian-editors-snowden-hard-drives-gchq
New video footage has been released for the first time of the moment Guardian editors destroyed computers used to store top-secret documents leaked by the NSA whistleblower Edward Snowden.
Tomi Engdahl says:
Cyber Criminal Pleads Guilty to Developing and Distributing Notorious Spyeye Malware
http://www.justice.gov/opa/pr/2014/January/14-crm-091.html
Tomi Engdahl says:
SpyEye malware creator Aleksandr Panin pleads guilty
http://grahamcluley.com/2014/01/spyeye-malware-creator-aleksandr-panin-pleads-guilty/
Tomi Engdahl says:
Microsoft to build ‘transparency centres’ for source code checks
Governments invited to Brussels for a look up Redmond’s skirts
http://www.theregister.co.uk/2014/02/03/microsoft_to_build_transparency_centres_for_source_code_checks/
Microsoft has announced it will establish a set of “transparency centres” around the world, at which government clients can rifle through its source code to satisfy themselves it contains no back doors.
Thomlinson’s announcement says “It is my hope to open the Brussels Transparency Center by the end of this year.”
Tomi Engdahl says:
NHS website hit by MASSIVE malware security COCKUP
HSCIC spokeswoman says: ‘I’m not au fait with web, digital, etc’
http://www.theregister.co.uk/2014/02/03/nhs_choices_website_serves_up_100s_of_pages_of_malware/
Hundreds of URLs on the NHS website have been flooded with malware by hackers and – at time of writing – it remains exposed.
A DoH spokesman said “thanks for letting us know” before adding that it was not responsible for the website.
Tomi Engdahl says:
ChewBacca point-of-sale keylogger SLURPS your CREDIT CARD data
Latest nasty blamed for theft of 49,000 punters’ details
http://www.theregister.co.uk/2014/01/31/chewbacca_pos_malware/
Point-of-sale malware dubbed ChewBacca has hit dozens of small retailers in 11 countries as far apart as the US, Russia, Canada and Australia.
The malware has logged track 1 and 2 payment cards data scraped from infected PoS systems
communication is handled through the TOR network
And ChewBacca is but one item in a menagerie of retail malware that also include Dexter and Alina.
Moulds described the point of sale terminal as a weak link in a chain
Tomi Engdahl says:
GameOver Zeus now uses Encryption to bypass Perimeter Security
http://garwarner.blogspot.com.au/2014/02/gameover-zeus-now-uses-encryption-to.html
The criminals behind the malware delivery system for GameOver Zeus have a new trick. Encrypting their EXE file so that as it passes through your firewall, webfilters, network intrusion detection systems and any other defenses you may have in place, it is doing so as a non-executable “.ENC” file. If you are in charge of network security for your Enterprise, you may want to check your logs to see how many .ENC files have been downloaded recently.
ALL OF THESE SPAM CAMPAIGNS ARE RELATED TO EACH OTHER! They are all being distributed by the criminals behind the Cutwail malware delivery infrastructure. It is likely that many different criminals are paying to use this infrastructure.
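The comment above suggests checking logs for .ENC downloads, since the renamed payload passes perimeter filters as a non-executable file. The following is an added example (not from the linked post or from any vendor tool) of that log check: it parses proxy log lines in a constructed, simplified format, flags successful downloads whose URL path ends in a suspicious extension even when a query string follows it, and counts hits per client so an analyst can see which hosts fetched such files repeatedly. The log format, host names and IP addresses are all constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample proxy log (not real traffic). Assumed one-line format:
#   <timestamp> <client_ip> <status> <bytes> <method> <url> <content-type>
SAMPLE_LOG = """\
2014-02-04T09:12:01Z 10.0.0.15 200 51234 GET http://example.invalid/docs/report.pdf application/pdf
2014-02-04T09:13:44Z 10.0.0.22 200 301056 GET http://example.invalid/files/invoice_2014.ENC application/octet-stream
2014-02-04T09:14:02Z 10.0.0.15 200 1024 GET http://example.invalid/images/logo.png image/png
2014-02-04T09:15:30Z 10.0.0.22 200 298877 GET http://example.invalid/files/update.enc?id=7 application/octet-stream
2014-02-04T09:16:11Z 10.0.0.31 403 0 GET http://example.invalid/setup.exe application/x-msdownload
2014-02-04T09:17:45Z 10.0.0.40 200 250011 GET http://example.invalid/cache/a1b2c3.enc text/plain
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<status>\d{3}) (?P<bytes>\d+) "
    r"(?P<method>[A-Z]+) (?P<url>\S+) (?P<ctype>\S+)$"
)

# Extensions worth reviewing; ".enc" is the one named in the comment above.
SUSPICIOUS_EXTENSIONS = {".enc"}


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the assumed format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def path_extension(url):
    """Lower-cased extension of the URL path; the query string is ignored so
    'update.enc?id=7' is still recognised as .enc."""
    path = urlsplit(url).path
    dot = path.rfind(".")
    if dot == -1 or "/" in path[dot:]:
        return ""
    return path[dot:].lower()


def find_suspicious_downloads(log_text, extensions=SUSPICIOUS_EXTENSIONS, min_bytes=1):
    """Return records of completed (HTTP 200) downloads whose path has a watched extension.
    Blocked or empty responses are skipped because nothing reached the client."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["status"] != 200 or rec["bytes"] < min_bytes:
            continue
        if path_extension(rec["url"]) in extensions:
            hits.append(rec)
    return hits


def downloads_per_client(hits):
    """Count flagged downloads per client IP, so repeat fetchers surface first."""
    return Counter(h["client"] for h in hits)


if __name__ == "__main__":
    found = find_suspicious_downloads(SAMPLE_LOG)
    for h in found:
        print(f"{h['ts']} {h['client']} fetched {h['url']} ({h['bytes']} bytes, {h['ctype']})")
    for client, n in downloads_per_client(found).most_common():
        print(f"{client}: {n} suspicious download(s)")
```

An extension match is only a triage signal: the same payload could be served under any name, so a hit should lead to pulling the file from the proxy cache or the client for content inspection rather than being treated as a verdict on its own. Note also that the last constructed line is flagged despite its text/plain content type, which is the point of the check: the declared type says nothing about what the client does with the bytes afterwards.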
Tomi Engdahl says:
Hackers Sue German Government for Helping the NSA
http://mashable.com/2014/02/03/hackers-sue-germany-nsa/
The Chaos Computer Club (CCC), one of the largest hacker groups in the world, and the International League for Human Rights (ILHR) filed a criminal complaint to German federal prosecutors on Monday.
Tomi Engdahl says:
Android Malware: Alcatel-Lucent Diagnoses Plague
Smartphone becomes cyberespionage device
http://www.eetimes.com/document.asp?doc_id=1320874&
If China is worried about the security of Android phones (so much so that it was compelled to launch a homegrown OS), Alcatel-Lucent’s latest malware report might have just made the case for all that costly angst.
The latest Malware Report put together by Alcatel-Lucent’s security team says that more than 11.6 million mobile devices are infected worldwide, and 60% of them are Android smartphones. Most of the rest are Windows computers tethered to mobile networks through USB dongles, MiFi, or mobile phones. Less than 1% of the infections affect other devices, including iPhones, BlackBerrys, and Windows Phones.
“We applied intrusion detection technologies, often used by enterprises, to carriers’ network traffic and cloud space,”
Tomi Engdahl says:
Super Bowl’s SUPER BALLSUP: CBS broadcasts Wi-Fi password
Not so top secret, huh?
http://www.theregister.co.uk/2014/02/04/super_bowl_becomes_super_balls_up_as_cbs_broadcasts_wifi_code_to_the_world/
The Super Bowl’s security nerve centre was billed as a “secret, first of its kind” unit.
But that claim was kicked into touch out of bounds after CBS accidentally screened the base’s Wi-Fi password.
Tomi Engdahl says:
Facebook Estimates Around 10% of Accounts Are Fake
http://slashdot.org/story/14/02/03/2317241/facebook-estimates-around-10-of-accounts-are-fake
Tomi Engdahl says:
Anonymous means NO identifying element left behind – EU handbook
http://www.theregister.co.uk/2014/02/04/new_data_protection_handbook_outlines_alternative_test_for_determining_anonymisation/
A new handbook on European data protection laws contains a different test from the one used by the UK’s Information Commissioner’s Office (ICO) for determining whether data is personal or anonymised for the purposes of data protection law.
The document is non-binding but is designed to “raise awareness”
EU data protection rules apply to the personal data of living “data subjects”. The rules do not apply where that data has been anonymised.
“Data are anonymised if all identifying elements have been eliminated from a set of personal data,” according to the handbook.
Tomi Engdahl says:
Corruption across EU ‘breathtaking’ – EU Commission
http://www.bbc.co.uk/news/world-europe-26014387
The extent of corruption in Europe is “breathtaking” and it costs the EU economy at least 120bn euros (£99bn) annually, the European Commission says.
Organised crime groups have sophisticated networks across Europe and the EU police agency Europol says there are at least 3,000 of them.
Tomi Engdahl says:
Hotel Franchise Firm White Lodging Investigates Breach
http://krebsonsecurity.com/2014/01/hotel-franchise-firm-white-lodging-investigates-breach/
White Lodging, a company that maintains hotel franchises under nationwide brands including Hilton, Marriott, Sheraton and Westin appears to have suffered a data breach that exposed credit and debit card information on thousands of guests throughout much of 2013, KrebsOnSecurity has learned.
News of the breach comes on the heels of similar attacks against major retailers
Tomi Engdahl says:
Sync’n’steal: Hackers brew Android-targeting Windows malware
Connect device to infected PC, kiss your bank balance bye-bye
http://www.theregister.co.uk/2014/01/27/win_malware_hops_onto_droids/
Internet Igors have stitched together the first strain of Windows malware that can hop over and infect Android smartphones and tablets.
The Droidpak mobile banking trojan exploits syncing between smartphones and Windows PCs to jump from a compromised PC onto an Android device.
The combo is targeted against online banking users in South Korea
Tomi Engdahl says:
Cryptography Breakthrough Could Make Software Unhackable
http://www.wired.com/wiredscience/2014/02/cryptography-breakthrough/
The idea of “obfuscating” a program had been around for decades, but no one had ever developed a rigorous mathematical framework for the concept, let alone created an unassailable obfuscation scheme.
Secure program obfuscation would be useful for many applications
Then, on July 20, 2013, Sahai and five co-authors posted a paper on the Cryptology ePrint Archive demonstrating a candidate protocol for a kind of obfuscation known as “indistinguishability obfuscation.”
However, the new obfuscation scheme is far from ready for commercial applications. The technique turns short, simple programs into giant, unwieldy albatrosses. And the scheme’s security rests on a new mathematical approach that has not yet been thoroughly vetted by the cryptography community.
Sahai and Waters proceeded to show that their indistinguishability obfuscator seems to offer much of the all-encompassing cryptographic protection that a black box obfuscator would offer. It can be used, for example, to create public key encryption, digital signatures
The team’s obfuscator works by transforming a computer program into what Sahai calls a “multilinear jigsaw puzzle.” Each piece of the program gets obfuscated by mixing in random elements that are carefully chosen so that if you run the garbled program in the intended way, the randomness cancels out and the pieces fit together to compute the correct output. But if you try to do anything else with the program, the randomness makes each individual puzzle piece look meaningless.
Tomi Engdahl says:
According to HP’s 2013 Cyber Risk Report, more researchers tried to sell IE vulnerabilities than any other product vulnerability. ‘IE is the most prevalent browser on the systems that attackers want to compromise
Source: Slashdot
http://tech.slashdot.org/story/14/02/04/0449251/microsofts-ie-is-the-most-targeted-application-by-security-researchers
Tomi Engdahl says:
App Misconfiguration, Mobile Apps With Poor Encryption Pose Risks, HP
http://www.eweek.com/security/app-misconfiguration-mobile-apps-with-poor-encryption-pose-risks-hp.html#sthash.S71aqkOo.dpuf
“We don’t see mobile developers having to roll their own encryption in an ad hoc way,” West said. “That’s an area where developers in the past always made mistakes.”
There are still problems with encryption because, typically, developers aren’t also security experts
Looking beyond just mobile apps, HP found that 80 percent of applications, in general, are misconfigured, which leads to insecure deployments.
West sees the application misconfiguration issue as a significant concern.
Microsoft IE Is the Top Target
Tomi Engdahl says:
HP Security Research Cyber Risk Report 2013
http://info.hpenterprisesecurity.com/register_hpenterprisesecurity_cyber_risk_report_2013
56% of the applications tested exhibited weaknesses to revealing information
74% of apps exhibit unnecessary permissions
80% of applications are vulnerable to misconfiguration vulnerabilities
Tomi Engdahl says:
Facebook turns 10: Big Brother isn’t Mark Zuckerberg. It’s YOU
How the social network turned us all into secret policemen
http://www.theregister.co.uk/2014/02/04/facebook_10th_birthday_big_brother_is_you/
But Mark Zuckerberg’s greatest achievement isn’t financial or technical. Facebook has turned its users into networks of anxious spies.
The result is a world where any deviation from a machine-processed conformity is frowned upon.
One is that these companies, the Facebooks and Googles, have some fantastic wisdom into how we interact.
For hundreds of years, if not more, people have maintained a constructed public self – but social networks now require you to mine the private self to feed
more people than ever were publishing intimate data that could be collected without a warrant
Tomi Engdahl says:
Antivirus Software Starts Blocking Pirate Websites
http://torrentfreak.com/anti-virus-pirate-block-140204/?utm_source=dlvr.it&utm_medium=twitter
Popular Russian anti-virus vendor Dr. Web has rolled out a new feature that prevents users from visiting allegedly copyright infringing URLs. The company is accepting takedown requests from copyright holders, and blocking access to pirated files when claims are considered legitimate.
For years the MPAA and RIAA have been warning people not to visit The Pirate Bay and other sites where pirated files are traded. These sites pose a threat to the public, they argue, and Russian anti-virus vendor Dr. Web agrees.
The new feature, which is included in the latest release of Dr.Web 9.0, is the first of its kind. Unlike other blocklists Dr. Web’s database of pirate URLs is built based on reports from copyright holders.
Tomi Engdahl says:
Manual Bitcoin Transactions
http://hackaday.com/2014/02/04/manual-bitcoin-transactions/
cryptocurrencies such as Bitcoin are actually very impressive pieces of software. It’s a very ingenious solution to the Two Generals Problem
[Ken Shirriff] decided to take a look at the Bitcoin protocol by creating a Bitcoin address and transferring a small amount of bitcoin to that address, manually.
It’s an awesome writeup and impressive achievement to manually send a few Bitcoins from one wallet to another.
Tomi Engdahl says:
Senate cybersecurity report finds agencies often fail to take basic preventive measures
http://www.washingtonpost.com/business/technology/senate-cybersecurity-report-finds-agencies-often-fail-to-take-basic-preventive-measures/2014/02/03/493390c2-8ab6-11e3-833c-33098f9e5267_story.html
It was the federal Emergency Alert System under control of hackers — who exploited weaknesses that are disturbingly common in many critical systems throughout government, according to a Senate cybersecurity report set for release Tuesday.
U.S. officials have warned for years that the prospect of a cyberattack is the top threat to the nation and have sharply increased spending for computer security.
federal agencies are ill-prepared to defend networks against even modestly skilled hackers
Tomi Engdahl says:
Flash flaw could allow attackers to remotely control Macs and PCs, Adobe issues critical update
http://appleinsider.com/articles/14/02/04/flash-flaw-could-allow-attackers-to-remotely-control-macs-and-pcs-adobe-issues-critical-update
Adobe on Tuesday released a security update for their Flash Player to address a vulnerability that could allow an attacker to remotely take control of users’ computers, an exploit that the company says has been documented in the wild.
According to Adobe, both Mac and Windows machines running Flash Player version 12.0.0.43 or earlier are susceptible to the attack. Linux users are not immune,
Tomi Engdahl says:
War on Anonymous: British Spies Attacked Hackers, Snowden Docs Show
http://www.nbcnews.com/news/investigations/war-anonymous-british-spies-attacked-hackers-snowden-docs-show-n21361
Intelligence sources familiar with the operation say that the British directed the DDOS attack against IRC chat rooms where they believed criminal hackers were concentrated.
Tomi Engdahl says:
Experts refute Verizon’s claim that NSA can’t grab non-U.S. data
http://www.zdnet.com/verizon-vs-experts-over-foreign-data-surveillance-7000025858/
Summary: What Verizon says and does appears to be in conflict, according to privacy specialists, legal experts, and academics, who argue the U.S. government can demand foreign data held by American telecom and technology companies.
Tomi Engdahl says:
Facebook releases “Conceal,” a lightweight tool to make Android apps safer
Writing secure crypto apps is hard. Facebook hopes to make it easier.
http://arstechnica.com/security/2014/02/facebook-releases-conceal-a-lightweight-tool-to-make-android-apps-safer/
Conceal, as the code library has been dubbed, provides a set of easy-to-use programming interfaces for securely storing sensitive app data on an Android-based smartphone’s secure digital (SD) card.
Android designates SD cards as a public resource, a design that allows other apps to access the same files.
Selecting the right cryptography settings can be challenging.
Conceal presents developers with a set of best practices by default.
Tomi Engdahl says:
With HTTPS Everywhere, Is Firefox Now the Most Secure Mobile Browser?
http://news.slashdot.org/story/14/02/05/0135253/with-https-everywhere-is-firefox-now-the-most-secure-mobile-browser
Tomi Engdahl says:
Facebook Shares Its Groundbreaking Android Security Tool With World
http://www.wired.com/wiredenterprise/2014/02/facebook-conceal/
You often store new apps and new data on the tiny SD cards that slide in and out of your phone, letting you add more storage space as needed.
Typically, an app that has permission to read and write data from an SD card has the power to read all data on the card — including information written by other apps.
Facebook calls its Android security tool Conceal, and in short, it’s a programming code library for safely encrypting and decrypting data stored on SD cards. The company is already using the tool with the primary Facebook app that runs on Android.
Tomi Engdahl says:
Clean up your hijacked settings
http://chrome.blogspot.co.uk/2014/01/clean-up-your-hijacked-settings.html
To help keep your browser settings under your control we added a “reset browser settings” button to Chrome’s settings page in October.
Despite this, settings hijacking remains our number one user complaint
If you’ve been affected by settings hijacking and would like to restore your settings, just click “Reset” on the prompt below when it appears.
Note that this will disable any extensions, apps and themes you have installed
Tomi Engdahl says:
Bitcoin hash-rate exceeds total computing power of all the world’s computers!
Posted on February 3, 2014 by Tarandeep Gill
http://tarangill.com/2014/02/03/bitcoin-networks-computing-power/
Bitcoin’s hash-rate (the total computing power of the network, defined as number of SHA-256 hashes it can compute per second) has most likely exceeded the total computing power of all the world’s computers.
Tomi Engdahl says:
Visitors to Sochi Olympics should expect to be hacked (video)
http://www.engadget.com/2014/02/05/sochi-olympics-hackers/
According to NBC, it’s a near-guarantee that connected devices are being watched by hackers within Russia, who use malware downloaded on smartphones and laptops to steal personal information. It can be assumed that visiting dignitaries, athletes and journalists face a particular risk when it comes to unauthorized access.
The “honeypot” was a success,
According to NBC, the US State Department has informed Americans traveling to the Olympics that they should have “no expectation of privacy” while in Russia. And if a device is infected, it could continue transmitting information back to The Motherland long after tourists return home.
Tomi Engdahl says:
Target Hackers Broke in Via HVAC Company
http://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/
Last week, Target told reporters at The Wall Street Journal and Reuters that the initial intrusion into its systems was traced back to network credentials that were stolen from a third party vendor. Sources now tell KrebsOnSecurity that the vendor in question was a refrigeration, heating and air conditioning subcontractor
why Target would have given an HVAC company external network access
it is common for large retail operations to have a team that routinely monitors energy consumption and temperatures in stores to save on costs
Litan estimates that Target could be facing losses of up to $420 million as a result of this breach
Tomi Engdahl says:
Lawmakers Threaten Legal Basis of NSA Surveillance
http://yro.slashdot.org/story/14/02/05/2244244/lawmakers-threaten-legal-basis-of-nsa-surveillance
“The author of the Patriot Act has warned that the legal justification for the NSA’s wholesale domestic surveillance program will disappear next summer if the White House doesn’t restrict the way the NSA uses its power.”
House Threatens Legal Basis of NSA Surveillance
http://slashdot.org/topic/datacenter/house-threatens-legal-basis-of-nsa-surveillance/
Without major reforms and serious limitations on what the NSA can do, Section 215 of the Patriot Act will be allowed to expire, the legislation’s author warns.
Section 215 of the Patriot Act will expire during the summer of 2015 and will not be renewed unless the White House changes the scale of the surveillance programs
Tomi Engdahl says:
FISA Data Release by Google, Yahoo, Facebook, Microsoft Means Squat
http://slashdot.org/topic/bi/fisa-data-release-by-google-yahoo-facebook-microsoft-means-squat/
A “range” of government data requests, posted after a six month lag, tell users as little as possible about federal requests for information.
Google, Yahoo, and other tech firms are offering some updated statistics about government requests for data.