Security trends for 2014

The year 2014 will be a year of cybersecurity after the NSA revelations made in 2013. The headline news is that the NSA has surreptitiously “burrowed its way into nearly all the security architecture” sold by the world’s largest computer networking companies. A lot of people were shocked at how the NSA monitored and hacked almost everything on the Internet. There will still be NSA aftershocks as new material comes out and different parties react to it (and news sources write about it). U.S. cloud services have been put into question for good reason. There will be a lot of NSA spying litigation. Those spying issues will also fuel some hacktivism (it has already started to happen).

The article Security Professionals: Top Cyber Threat Predictions for 2014 lists the following predictions, which seem pretty probable: Cybersecurity Regulatory Efforts Will Spark Greater Need for Harmonization, Service-Impacting Interruptions for Online Services Will Persist, We Will See an Increase in Cybercrime Activity Related to the World Cup, Rise of Regional Cloud Services, Dev-Ops Security Integration Fast Becoming Critical, Cybercrime that Leverages Unsupported Software will Increase, Increase in Social Engineering and Ransomware will Impact More People.

Ubiquitous mobile computing is all around us, which will lead to increased risks and concerns about social network privacy. Social networks have quickly become the key organizing principle of Internet communication and collaboration. Android anti-virus apps CAN’T kill nasties on sight like normal AV.

2013 was a heavily hacked year, with many cases where information on millions or tens of millions of users was stolen from companies. It’s likely that we will see much more of the same in 2014, because the way people use passwords and the way on-line services are built have not changed much in one year.

Gartner predicts that through 2014, improved JavaScript performance will begin to push HTML5 and the browser as a mainstream enterprise application development environment. I expect HTML5-related security issues to increase because the technology will be used more in 2014.

Over 50% of net traffic to web sites is made by bots! The article More Than Half of Internet Traffic Is Just Bots says that security and cloud service provider Incapsula analyzed traffic and found that more than 60 percent of internet traffic is computer generated, compared to less than 40 percent of traffic that is driven by human clicks. 31% of Bots Are Still Malicious. SEO link building has always been a major motivation for automated link spamming, but it is decreasing because Google has been able to discourage it. There is more advanced hacking and automated vulnerability searching.

DDoS attacks are evolving from volumetric Layer 3-4 attacks to much more sophisticated and dangerous Layer 7 multi-vector threats.

There will still be many SCADA security issues in 2014. Even though traditional SCADA vulnerabilities have become easier to find, the increased connectivity brought by IoT will cause new issues. And there will still be very many control systems openly accessible from the Internet to practically anybody who knows how to reach them. A large number of SCADA systems were found open on the Internet at the beginning of 2013, and the numbers have not dropped considerably during the year. I expect that very many of those systems will still be too open at the end of 2014.

The Internet is expanding into enterprise assets and consumer items such as cars and televisions. The Internet of Things (IoT) will evolve into the Web of Things, increasing the coordination between things in the real world and their counterparts on the Web. There will be many security issues to solve, and as the systems become more widely used, more security issues will be found in them.

Cloud security will be talked about. Hopefully there will be some clearing up of the terminology in that area, because cloud security, like the term cloud computing, can mean a lot of things. Cloud security could mean how secure your cloud provider is; a service that runs in the cloud and filters what comes through it (for example e-mails, web traffic); a product that protects some service running in the cloud; or a traditional anti-virus service that connects to the cloud to enhance its operation (for example to update in real time or to verify unknown programs based on data in the cloud). Research firm Gartner forecasts that cloud security sales will increase dramatically in the next few years. Cloud Security sales have increased over the past year by 2.1 billion to $3.1 billion in 2015.

Marketers try to put the term “cloud” into security product brochures as much as they can. The cloud has made traditional information security sound old-fashioned, because companies are under pressure to move services to the cloud. Also, mobile devices and dispersed users set new requirements for information security. OpenDNS’s CTO Dan Hubbard says that “Because of the data and equipment run in the cloud users with the cloud is the best way to protect them.” The Snowden effect will also bring talk of PRIVATE clouds to the table this year for security reasons, because U.S. cloud services have been put into question for good reason.

In Finland a new Cyber Security Center started in the beginning of 2014. Security articles and warnings from it will be published at kyberturvallisuuskeskus.fi.

Late addition: Crypto-currencies like Bitcoin and similar are on the rise. Early adopters already use them actively. Those crypto-currencies have many security issues related to them. The values of the crypto-currencies vary quite a lot, and the value can easily drop considerably when they become so widely used that different governments try to limit their use. Bitcoin is increasingly used as a ransomware payment method. Quite a lot of Bitcoins have been stolen lately (and I expect that to increase when usage increases), and they are stolen from users, on-line wallets and exchanges. When more money is involved, more bad guys try to get in to grab some of it. Sometimes bad guys do not try to steal your money, but use resources you pay for (your own PC, your server capacity, etc.) to generate money for them without you knowing about it. If you plan to use those crypto-currencies, be careful to understand what you are doing with them: there is a real possibility that you can lose your money, and there is no way that lost money can be recovered.

3,382 Comments

  1. Tomi Engdahl says:

    Security updates available for Adobe Flash Player
    Release date: February 4, 2014
    http://helpx.adobe.com/security/products/flash-player/apsb14-04.html

    Adobe has released security updates for Adobe Flash Player 12.0.0.43 and earlier versions for Windows and Macintosh and Adobe Flash Player 11.2.202.335 and earlier versions for Linux. These updates address a critical vulnerability that could potentially allow an attacker to remotely take control of the affected system.

    Adobe is aware of reports that an exploit for this vulnerability exists in the wild, and recommends users update their product installations to the latest versions

    Reply
  2. Tomi Engdahl says:

    New Zealand Spy Agency Deleted Evidence About Its Illegal Spying On Kim Dotcom
    http://www.techdirt.com/articles/20140204/07522126085/new-zealand-spy-agency-deleted-evidence-about-its-illegal-spying-kim-dotcom.shtml

    ‘We never, ever delete evidence, except when we do, and even then we only ever delete evidence when it might be used against us, by showing illegal activity conducted by our agency.’

    Reply
  3. Tomi Engdahl says:

    We want it HARDER: City bankers survive simulated cyber-war
    Finance firms reckon Waking Shark II should have featured espionage & malware threats
    http://www.theregister.co.uk/2014/02/06/waking_shark_ii_post_mortem/

    A Bank of England-sponsored exercise designed to test how well financial firms handle a major cyber attack has uncovered serious communication problems.

    KPMG security expert Stephen Bonner warned that organisations will reduce the chances of successfully defending themselves, if they continue to act in isolation.

    KPMG said the rising number of attacks targeting cyber vulnerabilities presents a growing danger to financial institutions.

    Reply
  4. Tomi Engdahl says:

    Syrian Electronic Army: We hijacked FACEBOOK … honest, guv
    It’s not like they actually GOT anywhere, but it’s a cute boast
    http://www.theregister.co.uk/2014/02/06/facebook_dns_hijack_attempt/

    “The real challenge in these situations is that the design and protocols of the internet were not designed to defend against malfeasance,” writes Chester Wisniewski, a senior security advisor at Sophos Canada.

    The recent DNS hijack against eBay and PayPal, as well as the unsuccessful attack against Facebook

    Digitally signing a domain with DNSSEC would prevent DNS hijacks, the argument goes.

    Reply
  5. Tomi Engdahl says:

    Tech’s biggest players hire first NSA lobbyist
    http://www.politico.com/story/2014/02/techs-biggest-players-hire-first-nsa-lobbyist-103214.html

    Apple, Google, Facebook and five other technology giants that have banded together in their calls for surveillance reform officially registered a Washington lobbyist on Thursday.

    The so-called “Reform Government Surveillance” coalition hired Monument Policy Group, a firm that already represents Microsoft and LinkedIn individually.

    Reply
  6. Tomi Engdahl says:

    That NBC story 100% fraudulent
    http://blog.erratasec.com/2014/02/that-nbc-story-100-fraudulent.html#.UvSs5bSgTps

    Yesterday (Feb 5 2014) NBC News ran a story claiming that if you bring your mobile phone or laptop to the Sochi Olympics, it’ll immediately be hacked the moment you turn it on. The story was fabricated.

    The story shows Richard Engel “getting hacked” while in a cafe in Russia. It is wrong in every salient detail.

    100% of the story was about visiting websites remotely.

    Reply
  7. Tomi Engdahl says:

    NBC News Confuses the World About Cybersecurity
    http://slashdot.org/topic/datacenter/nbcnews-confuses-the-world-about-cybersecurity/

    NBC News-got-hacked story ignores FSB surveillance that makes NSA look indifferent, warns of rampant hackery after opening spam email.

    In a video report posted Feb. 4, NBC News reporter Richard Engel, with the help of a security analyst, two fresh laptops, a new cell phone, and a fake identity, pretended to go online with the technical naiveté of a Neanderthal housepet.

    “So they had to surf to an infected site for the demonstration. Those pesky Russian hackers!” Proctor wrote.

    “NBC missed an opportunity to point out that you are not really ‘safe’ anywhere,” Proctor wrote.

    Reply
  8. Tomi Engdahl says:

    ‘I plead guilty to DDoS conspiracy and these GCHQ b*stards were doing the SAME thing?’
    http://www.theregister.co.uk/2014/02/07/quotw_ending_february_7/

    since the CIA and SOCA were among the victims of LulzSec attacks, it’s not surprising they were hacked back

    “Legally, we enter a very grey area here; where members of Lulzsec were arrested and incarcerated for carrying out DDoS attacks, but it seems that JTRIG are taking the same approach with impunity.”

    Reply
  9. Tomi Engdahl says:

    Police will have ‘backdoor’ access to health records despite opt-out, says MP
    http://www.theguardian.com/society/2014/feb/06/police-backdoor-access-nhs-health-records

    The database that will store all of England’s health records has a series of “backdoors” that will allow police and government bodies to access people’s medical data.

    Reply
  10. Tomi Engdahl says:

    Snowden Used Low-Cost Tool to Best N.S.A.
    http://www.nytimes.com/2014/02/09/us/snowden-used-low-cost-tool-to-best-nsa.html?pagewanted=all&_r=0

    Using “web crawler” software designed to search, index and back up a website, Mr. Snowden “scraped data out of our systems” while he went about his day job, according to a senior intelligence official.

    The findings are striking because the N.S.A.’s mission includes protecting the nation’s most sensitive military and intelligence computer systems from cyberattacks, especially the sophisticated attacks that emanate from Russia and China. Mr. Snowden’s “insider attack,” by contrast, was hardly sophisticated and should have been easily detected, investigators found.

    Reply
  11. Tomi Engdahl says:

    There is an interesting comment at
    Reverse Engineering A Bank’s Security Token
    http://hackaday.com/2014/02/07/reverse-engineering-a-banks-security-token/
    article:

    xorpunk says:
    February 7, 2014 at 3:11 pm

    I’ve been all over the world, and have seen bank solutions that use smart card debit reader and browser plugins, apps with keygens, two factor auth inside SSL HTML, audio port mobile card swipers..

    Some vulnerable to RCE(the keygens), all vulnerable to memory scraping and inline hooking.. Most importantly: all designed by mostly computer illiterate teams and designers who convinced a major financial entity that they were security experts..

    sales and economics dictate security design, not talent and logic..

    Reply
  12. Tomi Engdahl says:

    K.I.A – DailyMotion Part 2: FakeAV Threat
    http://www.youtube.com/watch?feature=player_embedded&v=7xKmAsSzJv0#t=0

    Excellent demonstration of how malware masquerades as anti-virus
    Now that we’re mostly just paranoid enough to know sites can have malware through cross-site scripting, the new technique is to pretend “we’re here to help!”. Watch this.

    Reply
  13. Tomi Engdahl says:

    Details Behind the NBC Honeypots: Part 2
    http://blog.trendmicro.com/russia-experience-part-2/

    an experiment to deploy honeypots in Moscow

    First, all the attacks required some kind of user interaction.

    Second, these attacks could happen anywhere. They would not just happen in Moscow, nor did it require us to be in Moscow.

    Finally, to reiterate, while all three devices looked like they had been compromised with no user interactions that was just not the case.

    Reply
  14. Tomi Engdahl says:

    Entering the Era of Private and Semi-Anonymous Apps
    http://bits.blogs.nytimes.com/2014/02/07/entering-the-era-of-private-and-semi-anonymous-apps/

    Today’s Web-enabled gadgets should come with a digital Miranda warning. “Anything you say or do online, from a status update to a selfie, can and will be used as evidence against you on the Internet.”

    Over the past couple of years, it has become clear that everything we do online is somehow being tracked and tied back to our offline identity. Each update, Fav, Like or comment we make lives on in perpetuity.

    It’s pretty hard to avoid this

    Reply
  15. Tomi Engdahl says:

    October 2015: The End of the Swipe-and-Sign Credit Card
    http://blogs.wsj.com/corporate-intelligence/2014/02/06/october-2015-the-end-of-the-swipe-and-sign-credit-card/?KEYWORDS=chip+and+pin

    prepare to say farewell to the swipe-and-sign of a credit card transaction.

    Beginning later next year, you will stop signing those credit card receipts. Instead, you will insert your card into a slot and enter a PIN number, just like people do in much of the rest of the world. The U.S. is the last major market to still use the old-fashioned signature system, and it’s a big reason why almost half the world’s credit card fraud happens in America, despite the country being home to about a quarter of all credit card transactions.

    Reply
  16. Tomi Engdahl says:

    LinkedIn introduces, quickly says goodbye to email service that sparked security concerns
    The Intro software dropped LinkedIn profile information into mobile emails
    http://www.computerworld.com.au/article/537796/linkedin_introduces_quickly_says_goodbye_email_service_sparked_security_concerns/

    Bishop Fox said that it was unlikely that LinkedIn shut down the service for security reasons alone.

    “But this app exemplifies why it’s important to pay attention to privacy and security when installing features, whether short lived or not, on your mobile devices,” he said.

    Reply
  17. Tomi Engdahl says:

    Microsoft offers intervention tips for kicking the Windows XP habit
    Friends don’t let friends do Windows XP
    http://www.theinquirer.net/inquirer/news/2327837/microsoft-offers-intervention-tips-for-kicking-the-windows-xp-habit

    AGING PC OPERATING SYSTEM Windows XP has reached the 60 day threshold from Microsoft’s end of support date.

    Reply
  18. Tomi Engdahl says:

    Support is ending soon
    On April 8, 2014, support and updates for Windows XP will no longer be available. Don’t let your PC go unprotected.
    http://windows.microsoft.com/en-US/windows/end-support-help

    Reply
  19. Tomi Engdahl says:

    iFrame attack injects code via PNGs
    Old malware, new trick
    http://www.theregister.co.uk/2014/02/05/iframe_attack_injects_code_via_pngs/

    Security vendor Sucuri is warning that it’s spotted an attack in the wild that embeds malicious code in PNG files.

    New iFrame Injections Leverage PNG Image Metadata
    http://blog.sucuri.net/2014/02/new-iframe-injections-leverage-png-image-metadata.html

    The iFrame HTML tag is very standard today, it’s an easy way to embed content from another site into your own. It’s supported by almost all browsers and employed by millions of websites today, use Adsense? Then you have an iFrame embedded within your site too.

    In today’s attacks, especially when we’re talking about drive-by-downloads, leveraging the iFrame tag is often the preferred method. It’s simple and easy, and with a few attribute modifications, the attacker is able to embed code from another site, often compromised, and load something via the client’s browser without them knowing (i.e., silently).

    the attacker obfuscated the payload inside a PNG file.

    Most scanners today will not decode the meta in the image

    Reply
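
Comment 19 above notes that most scanners do not decode the metadata in an image. As an added example (not code from the Sucuri post or from this blog), the following Python scanner walks a PNG's chunks, decodes its text metadata chunks (tEXt, zTXt, iTXt) and flags content that has no place in image metadata. The two detection patterns, the size cap and the sample images are constructed assumptions.

```python
import re
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
MAX_TEXT = 1 << 20  # cap on decompressed metadata (guards against zlib bombs)

# Constructed heuristics (assumptions for this example, not vendor signatures).
MARKUP = re.compile(rb"<\s*(iframe|script)\b|javascript:|document\.write|eval\s*\(", re.I)
CHARCODES = re.compile(rb"(?:\d{2,3}\s*,\s*){20,}")  # long list of decimal codes


def chunk(ctype, body):
    """Serialize one PNG chunk: length, type, body, CRC-32 over type + body."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def inflate(blob):
    """Decompress zlib data, returning at most MAX_TEXT bytes."""
    return zlib.decompressobj().decompress(blob, MAX_TEXT)


def text_of(ctype, body):
    """Return (keyword, text bytes) for a tEXt, zTXt or iTXt chunk body."""
    keyword, _, rest = body.partition(b"\x00")
    if ctype == b"tEXt":
        return keyword, rest
    if ctype == b"zTXt":
        return keyword, inflate(rest[1:])  # skip the compression-method byte
    # iTXt: compression flag, method, language\0, translated keyword\0, text
    compressed = rest[:1] == b"\x01"
    _lang, _, rest = rest[2:].partition(b"\x00")
    _translated, _, text = rest.partition(b"\x00")
    return keyword, inflate(text) if compressed else text


def scan_png(data):
    """Return a list of (chunk_type, keyword, reason) findings for one PNG."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    findings, pos = [], len(PNG_SIGNATURE)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        name = ctype.decode("latin-1")
        end = pos + 12 + length
        if end > len(data):
            findings.append((name, "", "truncated chunk"))
            return findings
        body = data[pos + 8:end - 4]
        (crc,) = struct.unpack(">I", data[end - 4:end])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            findings.append((name, "", "bad CRC"))
        if ctype in (b"tEXt", b"zTXt", b"iTXt"):
            try:
                keyword, text = text_of(ctype, body)
            except zlib.error:
                findings.append((name, "", "undecodable compressed text"))
            else:
                kw = keyword.decode("latin-1")
                if MARKUP.search(text):
                    findings.append((name, kw, "markup or script in metadata"))
                if CHARCODES.search(text):
                    findings.append((name, kw, "long run of character codes"))
        pos = end
        if ctype == b"IEND":
            break
    if pos < len(data):
        findings.append(("", "", "trailing bytes outside any chunk"))
    return findings


def sample_png(*extra_chunks, trailer=b""):
    """Build a constructed 1x1 grayscale PNG with extra chunks before IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte plus one gray pixel
    parts = [PNG_SIGNATURE, chunk(b"IHDR", ihdr), chunk(b"IDAT", idat)]
    parts += list(extra_chunks) + [chunk(b"IEND", b""), trailer]
    return b"".join(parts)


if __name__ == "__main__":
    # Constructed samples: ordinary metadata vs. markup hidden in a zTXt chunk.
    hidden = zlib.compress(b'<iframe src="http://example.invalid/"></iframe>')
    samples = {
        "clean": sample_png(chunk(b"tEXt", b"Software\x00ExampleTool 1.0")),
        "tagged": sample_png(chunk(b"zTXt", b"Comment\x00\x00" + hidden)),
    }
    for label, png in samples.items():
        print(label, scan_png(png))
```

A hit means the file deserves manual review; the patterns only cover the text chunks and will not see data hidden in pixel values.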
  20. Tomi Engdahl says:

    Computer virus locking important files targets local business
    http://www.wsoctv.com/news/news/local/computer-virus-locking-important-files-targets-loc/ndF4Z/

    Crypto Locker targets commonly used files like Word documents, and Excel spreadsheets.

    Since September, the creators of this virus have made $30 million from businesses that have paid to re-gain access to their own files.

    Cyber detectives tracked the virus to Poland and Russia

    Reply
  21. Tomi Engdahl says:

    Reddit, Mozilla, Tumblr and more gear up for massive NSA protest tomorrow
    http://venturebeat.com/2014/02/10/reddit-mozilla-tumblr-and-more-gear-up-for-massive-nsa-protest-tomorrow/

    Remember the Internet’s reaction to SOPA and PIPA? Welcome to save the Internet: part two.

    participants will be asked to “install banners to encourage their visitors to fight back against surveillance”

    Reply
  22. Tomi Engdahl says:

    Future Samsung phones could share what you type with other apps
    ‘Context’ would reportedly share typing, sensor data, and app use
    http://www.theverge.com/2014/2/10/5399138/samsung-context-smartphone-service-google-meeting

    According to The Information, Samsung has been developing a service called Context that would collect what a person types, what apps they use, and what data their phone’s sensors pick up, and then allow developers to tap into that pool of data to enrich their apps.

    The service has reportedly been delayed by disagreements over whether it would actually help Samsung sell more smartphones, and it’s unclear if it will ever launch.

    Reply
  23. Tomi Engdahl says:

    The NSA’s Secret Role in the U.S. Assassination Program
    https://firstlook.org/theintercept/article/2014/02/10/the-nsas-secret-role/

    The National Security Agency is using complex analysis of electronic surveillance, rather than human intelligence, as the primary method to locate targets for lethal drone strikes – an unreliable tactic that results in the deaths of innocent or unidentified people.

    Reply
  24. Tomi Engdahl says:

    UpCloud reckons Finnish privacy laws can protect data hosted in US
    http://gigaom.com/2014/02/07/upcloud-reckons-finnish-privacy-laws-can-protect-data-hosted-in-us/

    The Finnish infrastructure-as-a-service provider is moving into the U.S. with a slightly secretive new model that, it claims, will protect customers’ personal data from U.S. authorities.

    Part of this involves carefully-constructed contracts, and part involves keeping all customers’ personal information in Finland – in other words, the authorities in the U.S. won’t have what they need to match any seized data to its owner.

    Reply
  25. Tomi Engdahl says:

    DDoS Larger Than the Spamhaus Attack Strikes US and Europe
    http://tech.slashdot.org/story/14/02/11/0349259/ddos-larger-than-the-spamhaus-attack-strikes-us-and-europe

    “CloudFlare has been hit by what appears to be the world’s largest denial of service attack,”

    “The Network Time Protocol Reflection attack”

    Reply
  26. Tomi Engdahl says:

    World’s largest DDoS strikes US, Europe
    Powered by SC Magazine
    By Darren Pauli on Feb 11, 2014 1:55 PM (8 hours ago)
    http://www.itnews.com.au/News/372033,worlds-largest-ddos-strikes-us-europe.aspx

    New attack vector a sign of “ugly things to come”.

    The Network Time Protocol (NTP) Reflection attack exploits

    CloudFlare chief executive Matthew Prince said the attack tipped 400Gbps,

    Prince said on Twitter “someone’s got a big, new cannon” and the attack was the “start of ugly things to come”.

    Reply
  27. Tomi Engdahl says:

    3 Reasons To Hate Mass Surveillance; 3 Ways To Fight It
    http://yro.slashdot.org/story/14/02/10/2318244/3-reasons-to-hate-mass-surveillance-3-ways-to-fight-it

    THREE REASONS TO HATE MASS SURVEILLANCE:

    1) Because the Internet is nearly everywhere, it means the spying it makes possible has spread to match its footprint.

    2) Because “online surveillance” is a slippery slope, and it will only get slipperier.

    3) Because you’re paying for it. How much you’re paying is hard to say

    THREE WAYS TO FIGHT IT:

    1) Encryption, more often and in more contexts.

    2) Avoid standing in front of the biggest targets.

    3) Tell companies, politicians (for instance, by voting for or against), and the people around you, that you object to being spied on.

    Reply
  28. Tomi Engdahl says:

    Target hacked: news and updates on the massive retail breach that affected millions
    http://www.theverge.com/2014/1/16/5316006/target-hacked-news-and-updates-on-massive-retail-breach

    Reply
  29. Tomi Engdahl says:

    Target CFO apologizes for breach at Senate hearing
    Data breach at Neiman Marcus potentially exposed 1.1 million accounts to malware
    http://www.chicagotribune.com/business/chi-target-hearing-20140204,0,2238563.story

    About 40 million credit and debit card records were stolen, along with 70 million other records with customer information such as addresses and telephone numbers.

    The No. 3 U.S. retailer is working hard to earn back the trust of its customers

    U.S. lawmakers are holding a series of hearings this week on aspects of the data breaches.

    “All businesses – and their customers – are facing increasingly sophisticated threats from cyber criminals,” said Mulligan. “To prevent this from happening again, none of us can go it alone.”

    Reply
  30. Tomi Engdahl says:

    Meet ‘Jerky’, a mobile browser for incognito surfing
    http://asia.cnet.com/meet-jerky-a-mobile-browser-for-incognito-surfing-62223620.htm?src=twt

    Jerky, a cheekily named mobile browsing app, is designed with one purpose in mind. Created by the same author who made the Go Away MDA and Go Away Cameron Chrome extensions, the app features the ability to bypass online filters for accessing sites blocked by ISPs.

    app starts automatically in incognito mode

    Reply
  31. Tomi Engdahl says:

    Forget Dystopian Fiction. Sochi Is Pure Dystopian Reality
    http://www.wired.com/underwire/2014/02/sochi-olympics-dystopia/

    Certainly, Sochi isn’t single-handedly decimating the dystopia YA marketplace, but it’s nonetheless a perfect example of why the genre is failing. It’s not because a shallow fad has run its course; it’s because the fantasies and the facts have become nearly identical. And that’s the problem — Entertainment is meant to be an escape, fantasy and science-fiction in particular

    And it’s not just in Sochi, either; from Snowden, to the American wealth gap, to

    there are countless examples of our satirical imagination matching the real world right at our front door.

    Reply
  32. Tomi Engdahl says:

    John McAfee declares war on Android
    Report says next venture will expose what apps are doing to your mobe or ‘slab
    http://www.theregister.co.uk/2014/02/12/john_mcafee_cognizant_for_android/

    John McAfee has reportedly decided on his next product
    “Cognizant”

    it reportedly takes a census of all the apps on your Android device and then reports on what they are allowed to do to it.

    Reply
  33. Tomi Engdahl says:

    New Plane-Based Surveillance System Sees Practically Everything
    http://www.popsci.com/article/gadgets/new-plane-based-surveillance-system-sees-practically-everything?dom=PSC&loc=recent&lnk=7&con=new-planebased-surveillance-system-sees-practically-everything

    A new surveillance camera system can track movements in a city center for over six hours.
    the HAWKEYE II can watch a 4-mile square

    Persistent Surveillance Systems HAWKEYE II camera system instead uses 12 off-the-shelf Canon cameras, mounted in an array to capture a huge swath of terrain. The array is carried by a commercial plane, which flies at an altitude of between 8,000 and 10,000 feet.

    Researchers at MIT were able to identify people from just four location points generated by their cell phones over the course of a day with 95 percent accuracy.

    Reply
  34. Tomi Engdahl says:

    EU Pushes to Globalize Internet Governance
    European Commission to Propose Steps to Curb U.S. Influence Over Key Web Functions
    http://online.wsj.com/news/articles/SB10001424052702303874504579377052129964162?mod=WSJEUROPE_hps_sections_tech

    The European Union’s executive body is raising pressure to reduce U.S. influence over the Internet’s architecture amid what it called weakened confidence in the network’s governance after revelations of U.S. surveillance.

    The European Commission, the EU’s executive arm, will propose on Wednesday the adoption of “concrete and actionable steps” to globalize essential Web functions—including the assignment of so-called top-level domain names, such as “.com” or “.org”—that remain…

    Reply
  35. Tomi Engdahl says:

    DDoS Attack Hits 400 Gbit/s, Breaks Record
    http://www.informationweek.com/security/attacks-and-breaches/ddos-attack-hits-400-gbit-s-breaks-record/d/d-id/1113787

    A distributed denial-of-service NTP reflection attack was reportedly 33% bigger than last year’s attack against Spamhaus.

    Launching a reflection attack isn’t difficult, especially if the attacker taps a toolkit such as DNS Flooder v1.1, which DDoS defense firm Prolexic said first appeared on underground hacking forums about six months ago.

    Reply
  36. Tomi Engdahl says:

    Bitcoin Exchanges Under ‘Massive and Concerted Attack’
    http://www.coindesk.com/massive-concerted-attack-launched-bitcoin-exchanges/

    A “massive and concerted attack” has been launched by a bot system on numerous bitcoin exchanges, Andreas Antonopoulos has revealed.

    DDoS attack is taking Bitcoin’s transaction malleability problem and applying it to many transactions in the network, simultaneously.

    “So as transactions are being created, malformed/parallel transactions are also being created so as to create a fog of confusion over the entire network, which then affects almost every single implementation out there,”

    Reply
  37. Tomi Engdahl says:

    EU Pushes to Globalize Internet Governance
    European Commission to Propose Steps to Curb U.S. Influence Over Key Web Functions
    http://online.wsj.com/news/article_email/SB10001424052702303874504579377052129964162-lMyQjAxMTA0MDEwMTExNDEyWj

    “We want to work collectively to make multi-stakeholder governance more inclusive while maintaining the stability of the open and innovative Internet.”

    By pushing for less U.S. control of the Internet, the European Commission is aligning itself in some ways with Brazil, which has struck a particularly strident tone over Internet governance in the wake of news reports alleging the U.S. government spied

    “The Internet should remain a single, open, free, unfragmented network of networks, subject to the same laws and norms that apply in other areas of our day-to-day lives,” according to the EU document.

    Reply
  38. Tomi Engdahl says:

    Hacked X-Rays Could Slip Guns Past Airport Security
    http://www.wired.com/threatlevel/2014/02/tsa-airport-scanners/

    Could a threat-simulation feature found in airport x-ray machines around the country be subverted to mask weapons or other contraband hidden in a traveler’s carry-on?

    The answer is yes, according to two security researchers with a history of discovering flaws in critical systems

    They found that an attacker would need access to a supervisor’s machine, and, theoretically, knowledge of the supervisor’s login credentials, to upload their own images into the system.

    Rapiscan denies the supervisor password vulnerability exists, and claims the researchers must have purchased a machine that was misconfigured.

    Reply
  39. Tomi Engdahl says:

    Inside Endgame: A Second Act For The Blackwater Of Hacking
    http://www.forbes.com/sites/andygreenberg/2014/02/12/inside-endgame-a-new-direction-for-the-blackwater-of-hacking/

    In the classic hacker career narrative, a juvenile genius breaks into the Internet’s most sensitive networks, gets caught and then settles into a lucrative corporate gig selling his skills for defense. Nate Fick is trying to pull off the same story with an entire company.

    “The exploit business is a crummy business to be in,”

    “If we’re going to build a top-tier security firm, we have to do things differently…. ”

    Reply
  40. Tomi Engdahl says:

    Email Attack on Vendor Set Up Breach at Target
    http://krebsonsecurity.com/2014/02/email-attack-on-vendor-set-up-breach-at-target/

    The breach at Target Corp. that exposed credit card and personal data on more than 110 million consumers appears to have begun with a malware-laced email phishing attack sent to employees at an HVAC firm that did business with the nationwide retailer, according to sources close to the investigation.

    Last week’s story about Fazio’s role in the attack on Target mentioned that Target could be facing steep fines if it was discovered that the company was not in compliance with payment card industry (PCI) security standards.

    “Only the vendors in the highest security group — those required to directly access confidential information — would be given a token, and instructions on how to access that portion of the network,”

    Many of these email malware attacks start with shotgun attacks that blast out email far and wide; only after the attackers have had time to comb through the victim list for interesting targets do they begin to separate the wheat from the chaff.

    Reply
  41. Tomi Engdahl says:

    White House pushes cybersecurity framework for critical infrastructure
    http://www.pcworld.com/article/2097320/white-house-pushes-cybersecurity-framework-for-critical-infrastructure.html

    A new cybersecurity framework released Wednesday by U.S. President Barack Obama’s administration aims to help operators of critical infrastructure develop comprehensive cybersecurity programs.

    The voluntary framework creates a consensus on what a good cybersecurity program looks like, senior administration officials said. The 41-page framework takes a risk management approach that allows organizations to adapt to “a changing cybersecurity landscape and responds to evolving and sophisticated threats in a timely manner,” according to the document.

    Administration officials said they hope the framework will drive changes in the way organizations deal with cybersecurity. After a series of high-profile data breaches in recent months, “it’s time to try something new,” an administration official said.

    Framework for Improving
    Critical Infrastructure Cybersecurity
    Version 1.0
    http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214-final.pdf

    Reply
  42. Tomi Engdahl says:

    IDaaS: Identity as a service, what does it mean?
    http://community.centrify.com/t5/Clarifying-Cloud-Identity/IDaaS-Identity-as-a-service-what-does-it-mean/ba-p/13933?ls=304-013-techmemeIDaaS

    Seems like we have Everything as a Service now (Software, Platform, Infrastructure…), so what does one of the more recent ones, ‘Identity as a Service’, mean?

    What would this identity system look like? It would be one place where an admin (our sole IT person) would go to add, modify and remove user accounts.

    So what are the pieces of an IDaaS?

    A database of users, passwords, groups
    Services allowing users to login, maintain their accounts, reset their passwords etc. And manager to manage them.
    A ‘glue’ system for connecting all the services we use to that database
    More ‘glue’ to automatically manage users inside the services
    Yet more ‘glue’ to connect this identity system to the device that my users use

    Reply
  43. Tomi Engdahl says:

    Flappy Bird really *is* dead – beware of infected fakes that promise to keep him alive!
    http://nakedsecurity.sophos.com/2014/02/11/flappy-bird-really-is-dead-beware-of-infected-fakes-that-promise-to-keep-him-alive/

    What to do?

    Don’t get sucked into this sort of trick, even if you missed out on Flappy Bird when it was alive and you are determined to find out what the fuss was about:

    Be wary of apps from alternative markets.
    Use an Android security and anti-virus program
    Use a tool like the Sophos Privacy Advisor to review the sort of behaviour you can expect from new apps

    Reply
  44. Tomi Engdahl says:

    Silk Road 2 Hacked, All Bitcoins Stolen – $2.7 Million
    http://www.deepdotweb.com/2014/02/13/silk-road-2-hacked-bitcoins-stolen-unknown-amount/

    It was just announced in a post by Defcon, the Silk Road administrator:

    We have been hacked.

    Nobody is in danger, no information has been leaked, and server access was never obtained by the attacker.

    Our initial investigations indicate that a vendor exploited a recently discovered vulnerability in the Bitcoin protocol known as “transaction malleability” to repeatedly withdraw coins from our system until it was completely empty.

    Despite our hardening and pentesting procedures, this attack vector was outside of penetration testing scope due to being rooted in the Bitcoin protocol itself.

    suspicions that this was in fact a SCAM by the Silk Road staff – and not a hack

    Reply
  45. Tomi Engdahl says:

    The Problem With How We Think Of Surveillance
    http://yro.slashdot.org/story/14/02/14/004245/the-problem-with-how-we-think-of-surveillance

    “Here’s a great essay on Snowden, technology and the problem with how we think of surveillance.”

    Is the Internet good or bad? Yes.
    It’s time to rethink our nightmares about surveillance.
    https://medium.com/matter/76d9913c6011

    Reply
  46. Tomi Engdahl says:

    Your personal data is worth a measly eight bucks a month
    Post-broker dangles cash for right to sniff social emissions and spending habits
    http://www.theregister.co.uk/2014/02/14/your_personal_data_is_worth_a_measly_eight_bucks_a_month/

    You’ve heard it a zillion times by now: if an online service is free, you are the product.

    A New York company called Datacoup is trying to turn that notion on its head a bit, by paying you if you let it monitor your online activities

    Reply
