Year 2014 is coming to an end, so it is time to look forward to what to expect from year 2015 in cyber security.
Cyber security will get harder year by year. Year 2014 was much worse than 2013. Heartbleed, Bash (Shellshock), and POODLE vulnerabilities were just the beginning of what to expect in 2015. I expect that year 2014 was easy compared to what year 2015 will be. 2015 will prove to be a challenging year for IT security professionals. Attacks can happen anywhere and anytime, and they don’t have to be major attacks by nation states. They could come from inside or outside.
According to Gartner and SecurityWeek, total information security spending will grow a further 8.2 percent in 2015 to reach $76.9 billion. Unfortunately, security investments are not keeping up with IT enhancements that are continuously widening our attack surface and making systems more vulnerable. As computer software has become the backbone of modern civilization, “hacktivists”, organized cyber criminals, state-sponsored cyber attackers, and terrorist organizations try to exploit design flaws and weaknesses in applications in order to embarrass corporations and government agencies, and to commit fraud.
The steady flow of software security issues will keep making headlines in 2015. Serious security flaws will be found in both open source and proprietary software.
There are many people looking for a good process to develop secure software, because after-the-fact band-aiding is not a sustainable approach. If the same methods continue to be used to develop software, with tests added retrospectively, there will only be a very modest reduction in the flow of problems. Processes exist but have yet to be broadly applied for developing reliable and secure networking software. Traditional methods used to develop software continue to result in high failure rates. Why create insecure security?
Year 2014 was a year of cybersecurity after the NSA revelations made in 2013. There were lots of articles related to the published material. Not everything has yet been published, so I would expect some new details of the NSA revelations to be published also in 2015. So I expect some new information leaks on how governmental security organizations spy on us all.
It seems like year 2014 has almost been “The Year of PoS Breaches.” Can we learn from big breaches? At least companies will also face more stringent regulations: the new Payment Card Industry Data Security Standard 3.0 (PCI 3.0) will be mandatory for all businesses that store, process or transmit payment card information beginning 1 January 2015. The revamped standard includes requirements aimed at third party providers. The changes follow a string of high profile breaches. I expect that those new requirements will not result in any quick change to the situation. As breach reports keep coming up constantly, consumers are officially starting to get breach fatigue, and banks are bringing breached companies to court to pay for the damages caused to them.
Public and private organizations are facing an increasing frequency and sophistication of cyber-attacks and security breaches – many of which are only discovered after the fact. McAfee Labs’ 2015 Threats Predictions report is an eye-opening read which forecasts increased levels of crime, espionage and warfare operations. Cybercriminals are expected to use more sophisticated methods to remain hidden on a victim’s network, carrying out long-term theft of data without detection.
The article Get Ready For The Hack Attack That Drives A Big Company Out Of Business predicts that 2015 will be the year that some company goes out of business because it didn’t plan adequately for an attack. In the past, the most sophisticated hacks against companies were carried out by big nation-states or criminal organizations. In year 2014 the Sony Pictures hack happened and showed that the motives of sophisticated hackers have changed from self-gain to destruction. Many company officers are only now becoming aware of the threat (boards of directors and C-level officers have traditionally been focused on other threats). A computerized attack can cause a lot of damage to a well prepared company, and can turn a not so well prepared company into a complete disaster it can’t recover from. The Sony attack opens new doors of risk in the area of corporate extortion.
As the Internet of Things becomes more and more used, it will be hacked more and more. Thus the security of the Internet of Things will be talked about more and more. IoT is one field where cyber security flaws can kill. The European Police Office (Europol) said governments are ill-equipped to counter the menace of “injury and possible deaths” spurred by hacking attacks on critical safety equipment. There are many potential dangers in transportation: many new cars are Internet connected and potentially vulnerable, SCADA systems in railways are vulnerable to attack, and airline bosses ignore cyber security concerns at their peril. Whether it is an unintentional cyber incident or a deliberate attack, security continues to be a vital part of the automation industry and it will remain, with safety, a growing area of concern for manufacturers in the coming years. Security awareness is on the rise throughout the industry. Security is becoming a business enabler that can provide manufacturers more than just an insurance policy.
Soon, almost every network will have IoT hacking in it. IDC predicts that within two years 90 per cent of global IT networks will have met IoT data theft. In a report, cybersecurity firm Fortinet expects greater threats from “denial of service attacks on assembly line, factory, industrial control systems, and healthcare and building management…resulting in revenue losses and reputation damages for organizations globally.” This opens new doors of risk in the areas of corporate extortion, altering of corporate business operations, and the extension of cyberattacks to include physical threats of harm to civilians.
Why is cyber warfare becoming more and more attractive to small nations and terrorist groups? Enabled by Internet connectivity, cyber war provides more bang for the buck than investment in conventional weapons. It is cheaper for, and far more accessible to, these small nation-states than conventional weapons. It allows these countries to pull off attacks without as much risk of getting caught and without the repercussions when they are caught. There are many reasons why a nation-state or non-nation entity would pursue a cyber war program, and today many countries large and small invest in cyber warfare. Recent cyber attacks suggest that fewer resources are required to wage an attack than to defend against one. As the whole world gets connected, it just provides the details that make these attacks possible. In the not-too-distant future, warfare with traditional weaponry may take a backseat to potentially more destructive tactics: computer code attacking the companies and infrastructures, including electric grids and oil and gas pipelines, that society relies on.
It was estimated that the first online murder would happen in 2014. It did not seem to happen in 2014 as far as I know. I think it is likely that an online murder can happen in 2015. There are tools available for this to happen. Cyber-murder can happen without us knowing about it.
Mobile devices will be one of the focal points for cyber-attackers in 2015, as they present relatively easy, low-risk points of entry that can be monitored remotely for passwords, account numbers, and personal identification data. It is also still relatively easy to publish malicious applications to application stores. Within the next year, advanced mobile exploit kits will become available.
Mobile devices will start to play a part in denial of service attacks. Vietnam, India and Indonesia will be the distributed denial of service volcanoes of next year due to the proliferation of pwned mobiles.
Year 2014 brought encryption to mainstream smart phones (new encryption features from Apple Inc. and Google Inc.). In year 2015 government organizations will try to tackle a very modern problem: password-protected encrypted cellphones. It will be a fight over surveillance as everyone starts to implement encryption.
Long predicted but always seeming to be “just around the corner,” mobile payments may finally have arrived. The underlying technologies of the coming mobile payment revolution – and alternative solutions – have been emerging for some time. Technologies playing a supporting role in this shift include encryption advances, digital currencies, biometrics, NFC, Bluetooth, QR codes, and even the use of sound wave data transfer. There will also be products marketed to prevent the different kinds of potential threats the new technologies can cause.
There is a never-ending battle between good and evil in the cyber world. Various types of attacks are successful because they are well-disguised, blend different techniques, and constantly evolve. You need layered security – it’s not just for networks. Use a layered security architecture that supports a combination of defenses in ways attackers don’t expect and that continuously evolves protections to keep up with dynamic attacks. Traditionally these approaches have been focused on the network, but they can and should be applied to other parts of the IT system as well (start from email gateways). Email is the preferred channel for business communications and thus continues to be a vector of choice for attackers.
Threat information sharing will become necessary for survival. Security controls (SANS critical controls, ISO/IEC 27002, NIST Cybersecurity Framework, and the Cloud Controls Matrix) are safeguards that counteract or minimize security risks relating to digital property. The more you can automate a control, the better off you will be. Moving towards an adaptive and automated way of applying intelligence based on behavior and heuristics is clearly a step in the right direction to enable a more actionable and relevant set of controls. Threat intelligence coming from a variety of sources (security companies, the government and the open source community) is needed. Key to success is publishing intelligence in a variety of data structures (STIX, TAXII and other standard industry formats) to best describe threats in a way that can be aggregated and understood by others.
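To make the “actionable” part concrete, here is an added example (not code from the original post) that takes a constructed STIX 2.1 JSON bundle, such as a TAXII feed might deliver, reduces its simple indicator patterns to lookup keys, and runs them over a few constructed proxy log lines. It assumes the patterns use only the `[type:property = 'value']` form, optionally joined with OR; all addresses and domains are sample values.

```python
"""Apply shared threat intelligence (STIX 2.1 indicators) to local proxy logs.

Added example with constructed sample data. Only the simple pattern form
[object-type:property = 'value'], optionally joined by OR, is supported.
"""
import json
import re
from typing import Dict, List, Tuple

# Constructed STIX 2.1 bundle; ids and values are sample data, not real indicators.
STIX_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {
            "type": "indicator",
            "id": "indicator--00000000-0000-4000-8000-000000000002",
            "name": "Constructed C2 address",
            "pattern_type": "stix",
            "pattern": "[ipv4-addr:value = '203.0.113.5']",
            "valid_from": "2015-01-01T00:00:00Z",
        },
        {
            "type": "indicator",
            "id": "indicator--00000000-0000-4000-8000-000000000003",
            "name": "Constructed malvertising domain",
            "pattern_type": "stix",
            "pattern": "[domain-name:value = 'ads.example.invalid'] "
                       "OR [domain-name:value = 'cdn.example.invalid']",
            "valid_from": "2015-01-01T00:00:00Z",
        },
    ],
})

# Constructed proxy log lines: timestamp client_ip method host dest_ip
PROXY_LOG = """\
2015-01-02T10:00:01Z 10.0.0.7 GET www.example.org 198.51.100.10
2015-01-02T10:00:02Z 10.0.0.7 GET ads.example.invalid 198.51.100.20
2015-01-02T10:00:03Z 10.0.0.9 POST update.example.net 203.0.113.5
2015-01-02T10:00:04Z 10.0.0.9 GET www.example.org 198.51.100.10
"""

# One comparison such as  [domain-name:value = 'ads.example.invalid']
COMPARISON = re.compile(r"\[\s*([\w-]+):([\w.]+)\s*=\s*'([^']*)'\s*\]")


def parse_pattern(pattern: str) -> List[Tuple[str, str]]:
    """Reduce an OR-joined STIX pattern to (object type, value) pairs."""
    return [(m.group(1), m.group(3)) for m in COMPARISON.finditer(pattern)]


def load_indicators(bundle_json: str) -> Dict[Tuple[str, str], str]:
    """Map (object type, value) -> indicator name for every STIX indicator in the bundle."""
    lookup: Dict[Tuple[str, str], str] = {}
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue  # skip non-indicator objects and non-STIX pattern languages
        for key in parse_pattern(obj["pattern"]):
            lookup[key] = obj.get("name", obj["id"])
    return lookup


def match_log(log_text: str, lookup: Dict[Tuple[str, str], str]) -> List[Tuple[str, str, str]]:
    """Return (timestamp, client_ip, indicator name) for each log line that hits an indicator."""
    hits = []
    for line in log_text.splitlines():
        ts, client, _method, host, dest = line.split()
        # Host is checked as a domain-name observable, destination as an ipv4-addr observable.
        for key in (("domain-name", host), ("ipv4-addr", dest)):
            if key in lookup:
                hits.append((ts, client, lookup[key]))
    return hits


if __name__ == "__main__":
    for hit in match_log(PROXY_LOG, load_indicators(STIX_BUNDLE)):
        print(hit)
```

The same lookup table can be fed from several feeds at once, which is where the aggregation the paragraph describes pays off: each source contributes indicators in one format, and the matching logic stays unchanged.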
More and more organizations are moving applications and data to IaaS/PaaS environments. Many enterprise IT departments have reason for concern: industry experts agree that moving sensitive data into the hands of third-party cloud providers expands and complicates the risk landscape in which companies operate every day. You need to understand cloud database security basics and more.
Today major players are embracing end-to-end encryption, so that about 50% of web traffic is carried by HTTPS. HTTPS everywhere will get a boost in 2015 as a new certificate authority – backed by big names on the internet including Mozilla, Cisco and Akamai – plans to offer SSL certs at no charge starting summer 2015. This move will make it even easier for people to run encrypted, secure HTTPS websites.
Google is proposing to warn people that their data is at risk every time they visit websites that do not use HTTPS. If implemented, the change would mean that a warning would pop up when people visited a site that used only HTTP, to notify them that such a connection “provides no data security”. In the short term, the biggest headache is likely to be faced by website operators who will feel forced to migrate unencrypted HTTP websites to encrypted HTTPS.
You can’t trust that normal web security technologies will guarantee safety. Your HTTPS security will be manipulated more than before. End-to-end HTTPS is generally a good security addition for end users, but it does not solve all the problems. The increased use of HTTPS has made the life of IT departments harder, because normal firewalls can’t look at what is inside encrypted HTTPS packets, so they can’t block potential security threats that are carried within HTTPS packets. There are some special corporate firewall arrangements that can intercept HTTPS traffic (they perform a kind of man-in-the-middle attack that decrypts and re-encrypts the packets on the way). So SSL communications can be intercepted and broken.
Tomi Engdahl says:
Thousands of ‘directly hackable’ hospital devices exposed online
Hackers make 55,416 logins to MRIs, defibrillator honeypots
http://www.theregister.co.uk/2015/09/29/thousands_of_directly_hackable_hospital_devices_found_exposed/
Derbycon Thousands of critical medical systems – including Magnetic Resonance Imaging machines and nuclear medicine devices – that are vulnerable to attack have been found exposed online.
Security researchers Scott Erven and Mark Collao found, for one example, a “very large” unnamed US healthcare organization exposing more than 68,000 medical systems. That US org has some 12,000 staff and 3,000 physicians.
Exposed were 21 anaesthesia, 488 cardiology, 67 nuclear medical, and 133 infusion systems, 31 pacemakers, 97 MRI scanners, and 323 picture archiving and communications gear.
The healthcare org was merely one of “thousands” with equipment discoverable through Shodan, a search engine for things on the public internet.
Erven, an associate director at Protiviti and who has five years of experience specifically securing medical devices, said critical hospital machinery is at the fingertips of miscreants.
“Once we start changing [Shodan search terms] to target speciality clinics like radiology or podiatry or paediatrics, we ended up with thousands with misconfiguration and direct attack vectors,” Erven said.
“Not only could your data get stolen but there are profound impacts to patient privacy.”
“[Medical devices] are all running Windows XP or XP service pack two … and probably don’t have antivirus because they are critical systems.”
Executing custom payloads, establishing shells, and lateral pivoting within a network, are all possible, he said.
Proven attacks
The security men showcased the real-world risks to exposed hospital equipment after their “real life” MRI and defibrillator machine honeypots attracted tens of thousands of login attempts from miscreants on the internet.
In total, the machines built to mimic actual equipment attracted a whopping 55,416 successful SSH and web logins and some 299 malware payloads.
Attackers also popped the devices with 24 successful exploits of MS08-067, the remote code execution hole tapped by the ancient Conficker worm.
Collao said attackers did not appear to realize the machines they popped were would-be critical medical devices.
“They come in, do some enumeration, drop a payload for persistence and connect to a command and control server,” Collao said.
“These devices are getting owned repeatedly now that more hospitals are WiFi-enabled and no longer support arcane protocols.”
The honeypots ran for about six months and mimicked devices “to a tee” complete with security vulnerabilities. The pair used Shodan to find devices on which to base their honeypots.
Tomi Engdahl says:
NSA? Illegal spying? Europe’s head lawyer is talking out of his Bot, says US government
Yes, we spied, but when caught out we make some changes
http://www.theregister.co.uk/2015/09/29/europes_head_lawyer_us_government/
The US government has responded to Europe’s top lawyer, who last week said sending people’s private data to the United States is illegal.
Uncle Sam is not happy.
At the heart of the matter is the so-called safe harbor agreement between the US and the EU. You cannot by law pipe people’s private information out of Europe unless you can promise to keep that data safe. Under the safe harbor framework, America promises to do exactly that, and respect Europeans’ privacy. That agreement is being renegotiated as you read this.
In the meantime, the European Court of Justice’s Advocate General Yves Bot has said, what with all this mass spying going on worldwide by the NSA, the safe harbor agreement is not worth the paper it’s written on.
In response, America reckons Bot has said some stupid things and gone too far.
“The United States does not and has not engaged in indiscriminate surveillance of anyone, including ordinary European citizens,” the mission insists. Instead, “the PRISM [mass internet surveillance] program … targeted against particular valid foreign intelligence targets, is duly authorized by law, and strictly complies with a number of publicly disclosed controls and limitations.”
Which appears to argue that because the program is legal under US law, it can’t be “indiscriminate.”
What’s illegal between friends?
Bot claimed the discussions to change the “safe harbor agreement” indicate that all is not well between America and its friends. What he doesn’t realize, the US mission complains, is that the framework is a “living document.”
That means if there’s anything illegal is really happening, it can be straightened out, OK pal?
Those discussions are still ongoing: US Under Secretary Catherine Novelli said nearly four months ago that they would be completed in a few weeks.
Tomi Engdahl says:
Here are the God-mode holes that gave TrueCrypt audit the slip
Elevation-of-privilege vulnerabilities found in popular encryption system
http://www.theregister.co.uk/2015/09/29/google_flaks_find_admin_elevation_holes_that_gave_truecrypt_audit_the_slip/
Google Project Zero hacker James Forshaw has found a pair of privilege-elevation holes in the once-popular TrueCrypt encryption package. The bugs have been patched in spinoff app Veracrypt.
The flaws are not the fabled backdoors feared lurking in the TrueCrypt code, but can be exploited to compromise the machine, install spyware, record password keystrokes, and so on.
A comprehensive audit of its source code ensued in which crypto bods from NCC Group reported finding no backdoors or serious holes.
Forshaw says his work demonstrates that an audit is no guarantee TrueCrypt is clean.
The bugs (CVE-2015-7358, CVE-2015-7359) are rated critical, and fixed in VeraCrypt.
Tomi Engdahl says:
Cyber crims up the ante with Google Play brainteaser malware
Intelligence-testing app attack shows it isn’t just dumb people who get caught
http://www.theregister.co.uk/2015/09/22/braintest_android_rootkit_brainteaser_malware/
Android malware bundled in an intelligence-testing game has been published to the official Google Play Store, not once but twice, claiming hundreds of thousands of victims in the process.
Dodgy versions of a gaming app called BrainTest were able to bypass Google’s security scanning of mobile apps using a range of techniques. Security researchers at Check Point reported that the trojan packed a virtual arsenal of privilege escalation exploits, partly directed towards installing a rootkit on compromised devices.
The trick means that malicious software persists on infected devices even after a user uninstalls the dodgy app. This rootkit functionality meant that malicious code was reinstalled on compromised Android smartphones or tablets.
Cybercrooks used multiple methods to evade detection by Google, including bypassing Google’s “Bouncer” Android defence tool, which scans submitted apps in the Play store.
Tomi Engdahl says:
AdSense fraud still too easy, says Spanish boffin
Uni prof goes public with two-year-old bug
http://www.theregister.co.uk/2015/09/29/adsense_fraud_still_too_easy_says_spanish_boffin/
A bit of code-work is all it takes to sidestep one of Google’s key AdSense protection mechanisms.
That’s the conclusion of Spanish researcher Manuel Blázquez, a PhD and professor at the Complutense University of Madrid.
In a paper just published at Arxiv, he says a combination of cross-site scripting (XSS) and old-fashioned Web crawling means you can obtain “the validated links of the ads published on a website”.
For an attacker, penetrating the JavaScript that’s supposed to protect advertisers is a big thing, because it raises the spectre of being able to launch automated click campaigns on an advertisement – either to falsely boost the apparent performance of an ad network, or to attack an advertiser by getting Google to down-rate them in the AdSense system.
In response to previous click-fraud, the professor explains, Google’s worked hard to put a kind of air-gap between an advertisement and the site hosting it.
A vulnerability in Google AdSense: Automatic extraction of links to ads
http://arxiv.org/abs/1509.07741
Tomi Engdahl says:
Hack attacks strike top porn site
http://fortune.com/2015/09/28/malvertising-porn-sites/
Several of the world’s most popular pornographic websites were struck by cyberattacks in the past week, according a blog post by the malware hunting software firm Malwarebytes.
Sites infected with malicious code included Pornhub and YouPorn, both owned by the Luxembourg-based adult website conglomerate MindGeek. These two sites rack up a combined 800 million visits each month.
This particular type of attack is known as a malicious advertising—or malvertising—campaign. It involves attackers pushing malicious ads through advertising networks, which then appear on websites that display those ads. The worst kinds can compromise users’ machines through “drive-by downloads,” while others can push fake webpages filled with scams, alerts, and pop-ups.
In this case, the attack targeted the third party ad network ExoClick.
A similar campaign targeted the adult site xHamster last week.
Malvertising campaigns have also hit news sites such as Yahoo, MSN, and Forbes in recent weeks.
The news arrives as a debate over ad blocking technology rages thanks to Apple’s iOS 9 software update, which makes it easy to install mobile ad blocking tech on its devices.
Pornhub, YouPorn Latest Victims of Adult Malvertising Campaign
https://blog.malwarebytes.org/malvertising-2/2015/09/pornhub-youporn-latest-victims-of-adult-malvertising-campaign/
Users should make sure that their computers are fully patched and protected with several layers of security (the 3 A’s is a very effective line of defense: Anti-exploit, Antivirus, Anti-malware) in order to defeat malvertising and drive-by download attacks.
Tomi Engdahl says:
Gender gap widens in cyber security field long dominated by men
http://www.reuters.com/article/2015/09/28/us-cybersecurity-women-employment-idUSKCN0RS11J20150928
Women account for just one out of 10 cyber security professionals, as the gender gap widened over two years in a male-dominated field with a drastic workforce shortage, a survey showed.
ISC2, the largest organization that certifies cyber professionals, said on Monday that a poll of nearly 14,000 information security professionals in developed countries found that just 10 percent were women. That is down from 11 percent two years ago, said ISC2 official Elise Yacobellis.
One reason for concern is a talent shortage. ISC2 reported earlier this year that 62 percent of respondents said their organizations did not have enough security professionals.
“Companies are saying that they want to hire more women in information security”
Tomi Engdahl says:
How the FBI Hacks Around Encryption
http://it.slashdot.org/story/15/09/29/0134232/how-the-fbi-hacks-around-encryption
To hear FBI Director James Comey tell it, strong encryption stops law enforcement dead in its tracks by letting terrorists, kidnappers and rapists communicate in complete secrecy. But that’s just not true. In the rare cases in which an investigation may initially appear to be blocked by encryption — and so far, the FBI has yet to identify a single one — the government has a Plan B: it’s called hacking.
Trojan horses, and other forms of malicious code onto suspects’ devices. Doing so gives them the same access the suspects have to communications — before they’ve been encrypted, or after they’ve been unencrypted.
The Big Secret That Makes the FBI’s Anti-Encryption Campaign a Big Lie
https://theintercept.com/2015/09/28/hacking/
To hear FBI Director James Comey tell it, strong encryption stops law enforcement dead in its tracks by letting terrorists, kidnappers and rapists communicate in complete secrecy.
But that’s just not true.
In the rare cases in which an investigation may initially appear to be blocked by encryption — and so far, the FBI has yet to identify a single one — the government has a Plan B: it’s called hacking.
Hacking — just like kicking down a door and looking through someone’s stuff — is a perfectly legal tactic for law enforcement officers, provided they have a warrant.
Government officials don’t like talking about it — quite possibly because hacking takes considerably more effort than simply asking a telecom provider for records.
But they don’t deny it, either. Hacking is “an avenue to consider and discuss,” Amy Hess, the assistant executive director of the FBI’s Science and Technology branch, said at an encryption debate earlier this month.
The FBI “routinely identifies, evaluates, and tests potential exploits in the interest of cyber security,” bureau spokesperson Christopher Allen wrote in an email.
There are still only a few publicly known cases of government hacking, but they include examples of phishing, “watering hole” websites, and physical tampering.
Phishing involves an attacker masquerading as a trustworthy website or service and luring a victim with an email message asking the person to click on a link or update sensitive information.
A watering hole attack infects a website with malware, so that anyone who visits it is also infected, potentially allowing the attackers to identify and control the visitor’s devices.
In 2013, as part of a child-porn investigation, the FBI seized a large number of web servers and installed malware that reveals personally identifying information of online visitors to several different popular websites, including an email provider. The sites were “Tor hidden service sites,”
This watering hole attack landed a large number of people in the FBI’s trap, most of them innocent people who hadn’t committed any crimes. And the FBI never told them about it, because it never subpoenaed their identities — even though their computers had been compromised.
The earliest reported case of the FBI using physical tampering dates back all the way to 2001, when agents broke in and installed a system to record keystrokes on Nicodemo Scarfo Jr.’s computer as part of their investigation of the American Mafia.
As Wired first reported in 2007, the FBI has its own brand of malware called the Computer and IP Address Verifier (CIPAV), which can capture information about a machine including browser activity, IP address, operating system details, and other activity. The FBI, for instance, used CIPAV to discover the identity of the teen in Washington making bomb threats.
The FBI also uses non-proprietary hacker tools.
Wired reported in 2014 that the FBI has turned to a popular hacker app called Metasploit, which publishes security flaws. In 2012, the FBI’s “Operation Torpedo” used the app to monitor users of the Tor network. Metasploit is a sort of one-stop shop for putting together hacking code, complete with fresh exploits and payloads.
“Virtually all consumer devices include the capability to remotely download and install updates to their operating system and applications,” the task force wrote. Law enforcement would use a “lawful process” to force tech companies to “use their remote update capability to insert law enforcement software into a targeted device.” That malware would then “enable far-reaching access to and control of the targeted device.”
The NSA has a separate program, revealed by documents provided by whistleblower Edward Snowden, that aims to hack into computers on a massive scale — automating processes to help decide which attack method to use to get into millions of computers.
The Time a Judge Said No
All the known cases of the FBI implementing hacking techniques so far have dealt with obtaining information about the location of a device, what programs are running, and its owner — metadata, rather than actual content of messages.
Only once, at least in the public view, has the FBI plainly asked a judge to let it hack everything: photos, messages, emails, and more. And the FBI was told no.
It’s unclear whether or not the FBI has ever succeeded in securing a warrant to hack in such an intrusive way. But it does demonstrate that the FBI has the ability, or at least the confidence, to try.
Better Than a Back Door
Although it would seem self-evident that law enforcement shouldn’t hack into someone’s computer without a warrant, the FBI has internally debated whether that’s true, according to Jonathan Mayer, a PhD candidate in computer science at Stanford University and author of a recent academic paper titled “Constitutional Malware.”
He also looked through declassified FBI documents and found that officials there have “theorized that the Fourth Amendment does not apply” when investigators “algorithmically constrain the information that they retrieve from a hacked device, ensuring they receive only data that is — in isolation — constitutionally unprotected,” such as a name. Sometimes the FBI deploys malware on a device in order to find out who it belongs to.
“I believe that hacking can be a legitimate and effective law enforcement technique,” Mayer concluded in his paper. “But appropriate procedural protections are vital, and present practices leave much room for improvement.”
“The FBI is extremely close-mouthed” about how often they hack
Tomi Engdahl says:
A Death in Athens
Did a Rogue Operation Cause the Death of a Greek Telecom Employee?
https://theintercept.com/2015/09/28/death-athens-rogue-nsa-operation/
Just outside the main downtown part of Athens lies Kolonos, an old Athenian neighborhood near the archaeological park of Akadimia Platonos, where Plato used to teach.
It was a neighborhood Costas Tsalikidis knew well.
For the last 11 years he had worked for Vodafone-Panafon, also known as Vodafone Greece, the country’s largest cell phone company, and was promoted in 2001 to network-planning manager.
Costas was found hanging from a rope tied to pipes above the lintel of his bathroom door.
The day before his death, Costas’ boss at Vodafone had ordered that a newly discovered code — a powerful and sophisticated bug — be deactivated and removed from its systems. The wiretap, placed by persons unknown, targeted more than 100 top officials, including then Prime Minister Kostas Karamanlis and his wife, Natassa; the mayor of Athens; members of the Ministerial Cabinet; as well as journalists, capturing not only the country’s highest secrets, but also its most intimate conversations. The question was, who did it?
For a year, the eavesdropping case remained secret, but when the affair finally became public, it was regarded as Greece’s Watergate. One newspaper called it “a scandal of monumental proportions.”
A decade later, Costas’ death is caught up in an investigation into what now appears to have been a U.S. covert operation in Greece. Last February, Greek authorities took the extraordinary step of issuing an international arrest warrant for a CIA official the Greeks believe was a key figure in the operation while based in Athens.
An investigation by The Intercept has uncovered not only the role of the CIA, but also that of the NSA, as well as how and why the operation was carried out.
The evidence points to a massive illegal eavesdropping program that may have led to Costas’ tragic death.
“COSTAS WAS ENGAGED”
“He had met the woman of his life and they were planning to get married really soon.”
“I thought there was no reason for him to commit suicide,”
he was working very hard because Greece had undertaken the Olympic Games of 2004
Costas’ workload increased enormously in the months before the games were to begin
At work, things suddenly began to change. Costas told his brother that he wanted to quit. “He tendered his resignation to the company, but it wasn’t accepted,” Panagiotis told me. “He wanted to get out.”
NSA has a long history of tapping into Olympic Games, both overseas and within the U.S.
“NSA has had an active role in the Olympics since 1984 Los Angeles games,” according to a classified document from 2003, “and has seen its involvement increase with the recent games in Atlanta, Sydney, and Salt Lake City.
NSA will support is the EYP, or Greek National Intelligence Service. NSA will gather information and tip off the EYP of possible terrorist or criminal actions.
“The Greeks identified terrorist nets, so NSA put these devices in there and they told the Greeks, OK, when it’s done we’ll turn it off,” said the source. “They put them in the Athens communications system, with the knowledge and approval of the Greek government. This was to help with security during the Olympics.”
The Olympic Games ran smoothly
Two weeks later, the Paralympics ended, and at that point, keeping their promise to the Greek government, the NSA employees should have quietly disconnected their hardware and deleted their software from the local telecommunications systems, packed up their bugging equipment, and boarded a plane for Fort Meade. The problem was, they didn’t. Instead, they secretly kept the spying operation active, but instead of terrorists, they targeted top Greek officials.
NSA began conducting the operation secretly
Not informing the chief of station and the ambassador was an enormous breach of protocol
Inglis did confirm, however, that NSA operations in foreign countries would normally have the approval of the CIA chief of station. “The chief of station,”
At the time of the Greek bugging operation, Hayden was also secretly running the NSA’s illegal warrantless eavesdropping and metadata dragnet surveillance programs, the largest domestic spying operations in U.S. history.
As normal calls from Vodafone went to and from legitimate parties, a parallel stream of digitized voice and data — an exact copy — was directed to the NSA’s shadow phones.
“The world will be watching and so will NSA!”
A key part of the operation would be obtaining secret access to the Greek telecom network. And it is here that Costas Tsalikidis may have entered the picture. As a senior engineer in charge of network planning, working for the country’s largest cellular service provider
The operation could have been accomplished a number of ways.
In fact, recruiting a foreign telecom employee as an “inside person” for a major bugging operation was standard operating procedure for both the NSA and the CIA, according to the senior intelligence official involved with the Athens operation. “What the NSA really doesn’t like to admit, about 70 percent of NSA’s exploitation is human enabled,” the former official said.
And according to a highly classified NSA document provided by Snowden and previously published by The Intercept, covertly recruiting employees in foreign telecom companies has long been one of the NSA’s deepest secrets. A program code-named “Sentry Owl,”
With an agent in place inside the network, the next step would be to implant spyware capable of secretly transmitting the conversations of the NSA’s targets to the shadow phones where they could be resent to NSA computers. Developing such complex malware is the job of the NSA’s Tailored Access Operations (TAO) organization.
The key to the operation was hijacking a particular piece of software, the “lawful intercept” program. Installed in most modern telecom systems, it gave a telecom company the technical capability to respond to a legal warrant from the local government to monitor a suspect’s communications. Vodafone’s central switching equipment was made by Ericsson, the large Swedish company, and on January 31, 2002, Ericsson delivered to Vodafone an upgrade containing the lawful intercept program, a piece of software known as the Remote Control Equipment Subsystem (RES).
But despite having the capability to initiate wiretaps with the RES program, at the time of the Olympics Greece did not have laws in place to permit them. As a result, Vodafone never paid the additional fee to Ericsson for the IMS program and the digital key to activate the system. Far behind the NSA, the Greek government had only simple wiretap technology.
Thus, according to Greek sources, prior to the Olympics U.S. officials began asking the Greek government for permission to secretly activate the lawful intercept program, which led to the government agreeing to the U.S. bugging operation. Ironically, the presidential decree permitting widespread eavesdropping was finally enacted on March 10, 2005, the day after Costas’ death.
For NSA, the missing IMS program was the technical opening its operatives needed. In essence, they created malware that would secretly turn on the RES program and begin tapping. But without the IMS program there would be no audit trail, no indication or evidence that eavesdropping was going on
Exploiting the weaknesses associated with lawful intercept programs was a common trick for NSA.
With the malware installed, the NSA was set to go, with more than a dozen shadow phones purchased
on September 28, following the conclusion of the Paralympic Games, some of the malware was removed. But less than a week later, long after the Olympic Torch had been extinguished, new malware was implanted.
“Once you have access, you have access. You have the opportunity to put implants in, that’s an opportunity.”
Then, at 7:56 p.m. on January 24, 2005, someone installed a routine update in the NSA’s bugging software at Vodafone’s facility in the Paiania section of the city. It would turn out to be anything but routine. Within seconds, errors appeared
Vodafone sent the voluminous logs and data dumps to Ericsson for analysis
“We have heard that Costas was in meetings inside the company, in meetings that were very loud and a lot of people were arguing,” said Panagiotis. “He tendered his resignation to the company, but it wasn’t accepted. … He wanted to get out.”
On March 4, after weeks of investigation, Ericsson notified Vodafone that it had discovered a sophisticated piece of malware, containing a hefty 6,500 lines of code — evidence of a large bugging operation.
Three days later, Vodafone technicians isolated the malware. Then on March 8, before law enforcement had an opportunity to get involved, Koronias, the Vodafone Greece CEO, ordered the software deactivated and removed, thus hampering any future investigation. Apparently alerted, those involved in the bugging operation immediately turned off their shadow phones.
The next morning Panagiotis discovered his brother’s body hanging from a white rope tied to a pipe above the bathroom doorway. To this day, he is convinced that Costas was murdered to keep him quiet and prevent him from quitting and going public with the details.
Within hours of Costas’ death, Ericsson prepared a formal “Incident Case Description,” outlining technical details about the malware and how it worked. It contained the warning: “This document is to be treated as highly confidential and … all necessary steps to protect this information must be taken, including the mandatory use of Entrust encryption within Ericsson.”
The report concluded that someone had loaded unauthorized “corrections,” i.e. malware implants, “designed to introduce RES functionality in such a way that it is not visible to any observer
The Tsalikidis family’s former lawyer, Themistoklis Sofos, believes that Costas discovered the spy software by chance and then reported it. “Some people were afraid that he would talk so they killed him in a professional manner,”
Nevertheless, Supreme Court prosecutor Dimitris Linos said that Costas’ death was clearly tied to the eavesdropping operation. “If there had not been the phone tapping, there would not have been a suicide,”
Around the time the eavesdropping was discovered, Basil left the country, apparently with a quick reassignment by CIA to Sudan.
One person who spent a great deal of time buying shadow phones was William Basil. “We used to call him the telephone man,”
But Basil wasn’t the only one buying shadow phones.
Sitting in his apartment overlooking Athens’ Plaka, John Brady Kiesling could make little sense of it all. “I don’t see a shred of evidence that this wiretapping did the U.S. government any good,” he said. “I think it’s just important to underscore that intelligence gathering is never free. It always comes at a human and political cost to someone. In this case it was paid by an innocent Vodafone technician.”
Tomi Engdahl says:
Malware artists have created a shakedown Google BSOD
Nothing is sacred
http://www.theinquirer.net/inquirer/news/2427956/malware-artists-have-created-a-shakedown-google-bsod
INVENTIVE INTERNET THREAT ACTORS are tricking users out of cash via a spiked advertising investment and a fake blue screen of death (BSOD).
The BSOD is a thing that computer users like to avoid. It is probably most associated with Windows
“What’s interesting in this case is that the supposed destination URL is the actual YouTube.com site itself, and even placing the mouse over the ad shows a link to a YouTube channel. This really makes it look like a click on the link would take you directly to YouTube but unfortunately that was not the case.”
“Clicking on either one of the ads leads to a scary and convincing-looking web page with the infamous BSOD.”
“As with most similar scam pages, users are instructed to call a toll-free ‘helpline’ to resolve their computer issues. This is no help line at all, however. Con artists are waiting for victims to phone in so that they can further scare them into purchasing expensive – and unnecessary – support packages.”
“innocent and unsavvy computer users” could be defrauded by as much as $599
Tomi Engdahl says:
Smartphone browser-based DDoS attack is your latest threat
Malware delivered via spiked adverts and iframes
http://www.theinquirer.net/inquirer/news/2427872/smartphone-browser-based-ddos-attack-is-your-latest-threat
RESEARCHERS AT CLOUDFLARE have found another internet risk to keep you awake at night, and this one relates to mobile phone browsers.
That is as close to our pockets as we want to take a distributed denial-of-service (DDoS) threat, and it is plenty far enough. CloudFlare alerts us to the risk through a blog post revealing how the security firm has seen such a thing in the wild, and what a bad egg it is.
Of course, there is malware involved and CloudFlare said that it is spiked adverts and iframes that have caught users out and helped hook up a takedown system with the beans to send out 4.5 billion page requests on victim firms.
Mobile Ad Networks as DDoS Vectors: A Case Study
https://blog.cloudflare.com/mobile-ad-networks-as-ddos-vectors/
CloudFlare servers are constantly being targeted by DDoS’es. We see everything from attempted DNS reflection attacks to L7 HTTP floods involving large botnets.
Recently an unusual flood caught our attention. A site reliability engineer on call noticed a large number of HTTP requests being issued against one of our customers.
We received millions of similar requests, clearly suggesting a flood.
Browser-based L7 floods have been rumored as a theoretical threat for a long time
Finally, in April it was reported that the Great Cannon was distributing JavaScript with a novel method – by injecting raw TCP segments into passing-by connections. And just this week a flaw in a popular image hosting site was used to attack another site.
It seems the biggest difficulty is not in creating the JavaScript — it is in effectively distributing it.
This is what made the flood described above interesting — it was pretty large, peaking at over 275,000 HTTP requests per second.
The distribution vector
This is the part where the hard evidence ends and speculation begins. There is no way to know for sure why so many mobile devices visited the attack page, but the most plausible distribution vector seems to be an ad network. It seems probable that users were served advertisements containing the malicious JavaScript. These ads were likely shown in iframes in mobile apps, or in mobile browsers to people casually browsing the internet.
During the flood we were able to look at the packet traces and we are confident the attack didn’t involve a TCP packet injection.
To recap, this is what we think happened:
A user was casually browsing the Internet or opened an app on the smartphone.
The user was served an iframe with an advertisement.
The advertisement content was requested from an ad network.
The ad network forwarded the request to the third-party that won the ad auction.
Either the third-party website was the “attack page”, or it forwarded the user to an “attack page”.
The user was served an attack page containing a malicious JavaScript which launched a flood of XHR requests against CloudFlare servers.
Attacks like this form a new trend. They present a great danger on the internet — defending against this type of flood is not easy for small website operators. The good news is CloudFlare handles these attacks easily and automatically without the flood of HTTP requests ever hitting our customers’ infrastructure.
Tomi Engdahl says:
An introduction to JavaScript-based DDoS
https://blog.cloudflare.com/an-introduction-to-javascript-based-ddos/
CloudFlare protects millions of websites from online threats. One of the oldest and most pervasive attacks launched against websites is the Distributed Denial of Service (DDoS) attack. In a typical DDoS attack, an attacker causes a large number of computers to send data to a server, overwhelming its capacity and preventing legitimate users from accessing it.
In recent years, DDoS techniques have become more diversified: attackers are tricking unsuspecting computers into participating in attacks in new and interesting ways.
How JavaScript DDoS Works
Most of the interactivity in modern websites comes from JavaScript. Sites include interactive elements by adding JavaScript directly into HTML, or by loading JavaScript from a remote location
Browsers fetch the code pointed to by src and run it in the context of the website.
(slightly modified) script was found to be sending floods of requests to a victim website
This script creates an image tag on the page 100 times per second. That image points to “victim-website.com” with randomized query parameters. Every visitor to a site that contains this script becomes an unwitting participant in a DDoS attack against “victim-website.com”. The messages sent by the browser are valid HTTP requests, making this a Layer 7 attack. Such attacks can be more dangerous than network-based attacks like NTP and DNS reflection. Rather than just “clogging up the pipes” with a lot of data, Layer 7 attacks cause the web server and backend to do work, overloading the website’s resources and causing it to be unresponsive.
If an attacker sets up a site with this JavaScript embedded in the page, site visitors become DDoS participants. The higher-traffic the site, the bigger the DDoS. Since purpose-built attack sites typically don’t have many visitors, the attack volume is typically low. Performing a truly massive DDoS attack with this technique requires some more creativity.
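The two CloudFlare posts above describe the same signature from the server's side: one path hammered by many distinct clients whose query strings never repeat. Here is an added detector for that pattern, written for this page and not taken from CloudFlare; it runs over constructed access-log lines, and the thresholds, IP ranges and the "ad-landing.example" referer are assumptions.

```javascript
// Added example, not code from the CloudFlare posts: a detector for the browser-driven
// Layer 7 flood described above, run over constructed access-log lines. The pattern it
// looks for is the one the posts describe: one path hit by many distinct clients whose
// query strings never repeat (cache busting), at a volume out of proportion to the site.

// Combined-log-format line, e.g. (constructed):
// 203.0.113.1 - - [29/Sep/2015:10:00:01 +0000] "GET /api/search?v=9e3779b1 HTTP/1.1" 200 512 "http://ad-landing.example/" "Mozilla/5.0 (Linux; Android 5.1) Mobile"
const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\w+) ([^ ?"]+)(?:\?([^ "]*))? HTTP\/[\d.]+" (\d{3}) \S+ "([^"]*)" "([^"]*)"$/;

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null; // unparseable lines are skipped, not counted as attack traffic
  return { ip: m[1], time: m[2], method: m[3], path: m[4], query: m[5] || '',
           status: Number(m[6]), referer: m[7], ua: m[8] };
}

// Aggregate per path and flag paths that meet all three flood criteria. The thresholds
// are assumptions sized for the constructed sample; a real deployment would bucket lines
// per time window (e.g. per minute) and tune them against the site's normal request rate.
function detectFlood(lines, { minRequests = 50, minClients = 20, minUniqueQueryRatio = 0.9 } = {}) {
  const byPath = new Map();
  for (const line of lines) {
    const r = parseLine(line);
    if (!r) continue;
    let s = byPath.get(r.path);
    if (!s) {
      s = { requests: 0, clients: new Set(), queries: new Set(), referers: new Set() };
      byPath.set(r.path, s);
    }
    s.requests += 1;
    s.clients.add(r.ip);
    s.queries.add(r.query);
    if (r.referer !== '-') s.referers.add(r.referer); // candidate "attack pages" hosting the script
  }
  const alerts = [];
  for (const [path, s] of byPath) {
    const ratio = s.queries.size / s.requests; // 1.0 means every request carried a fresh query string
    if (s.requests >= minRequests && s.clients.size >= minClients && ratio >= minUniqueQueryRatio) {
      alerts.push({ path, requests: s.requests, clients: s.clients.size,
                    uniqueQueryRatio: Number(ratio.toFixed(2)), referers: [...s.referers] });
    }
  }
  return alerts;
}

// Constructed sample: 60 distinct "unwitting participant" devices each sending one
// cache-busted request to /api/search from an ad landing page, mixed with 12 ordinary
// requests to /index.html from three regular visitors. Addresses are documentation ranges.
function buildSampleLog() {
  const ts = '29/Sep/2015:10:00:01 +0000';
  const lines = [];
  for (let i = 0; i < 60; i++) {
    // deterministic stand-in for the attack script's Math.random() query parameter
    const nonce = ((i * 2654435761) % 4294967296).toString(16);
    lines.push(`203.0.113.${i + 1} - - [${ts}] "GET /api/search?v=${nonce} HTTP/1.1" 200 512 ` +
               `"http://ad-landing.example/" "Mozilla/5.0 (Linux; Android 5.1) Mobile"`);
  }
  for (let i = 0; i < 12; i++) {
    lines.push(`198.51.100.${(i % 3) + 1} - - [${ts}] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 6.1)"`);
  }
  return lines;
}

function runSample() {
  return detectFlood(buildSampleLog());
}

console.log(JSON.stringify(runSample(), null, 2)); // one alert: /api/search, 60 requests, 60 clients
```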
An Aside: Introducing Subresource Integrity
The problem of third party assets being compromised is an old one. There are no mechanisms in HTTP to allow a website to block a script from running if it has been tampered with. To solve this problem, the W3C has proposed a new feature called Subresource Integrity (SRI). This feature allows a website to tell the browser to only run a script if it matches what the site expects.
Tomi Engdahl says:
Feds want a phone smart enough to burn itself if it falls into the wrong hands
Walk this way – ’cause if you don’t, the phone will die
http://www.theregister.co.uk/2015/09/29/feds_want_self_destructing_phone/
It won’t surprise you at all to know that the US government is keenly interested in the idea of self-destructing electronics.
What it wants, apparently, is to give a phone the ability to detect whether the person carrying it is the right person – for example, by walking style.
Since phones are crawling with sensors, there are plenty of opportunities to use sensor data to build up a pretty comprehensive profile of a user’s normal behavior.
The aim is to develop smartphones, initially based on Boeing’s Black Smartphone, suitable for the top-secret community – a world which has become increasingly paranoid post-Snowden.
The Black Smartphone was a joint Boeing-Blackberry project, based on (as the company says) Android “with enhanced security policy” (meaning, we suppose, “a security policy rather than almost none”).
It’s designed to self-destruct if it’s tampered with, and the new project would presumably integrate with that capability if it makes it into production.
Tomi Engdahl says:
Quantum Computing Kills Encryption
http://hackaday.com/2015/09/29/quantum-computing-kills-encryption/
Imagine a world where the most widely-used cryptographic methods turn out to be broken: quantum computers allow encrypted Internet data transactions to become readable by anyone who happened to be listening. No more HTTPS, no more PGP. It sounds a little bit sci-fi, but that’s exactly the scenario that cryptographers interested in post-quantum crypto are working to save us from. And although the (potential) threat of quantum computing to cryptography is already well-known, this summer has seen a flurry of activity in the field, so we felt it was time for a recap.
How Bad Is It?
If you take the development of serious quantum computing power as a given, all of the encryption methods based on factoring primes or doing modular exponentials, most notably RSA, elliptic curve cryptography, and Diffie-Hellman are all in trouble. Specifically, Shor’s algorithm, when applied on a quantum computer, will render the previously difficult math problems that underlie these methods trivially easy almost irrespective of chosen key length. That covers most currently used public-key crypto and the key exchange that’s used in negotiating an SSL connection. That is (or will be) bad news as those are what’s used for nearly every important encrypted transaction that touches your daily life.
All is not doom and gloom, however. There are families of public-key algorithms that aren’t solved by Shor’s algorithm or any of the other known quantum algorithms, although they haven’t been subjected to as much (classical) cryptanalysis and the algorithms and protocols aren’t as polished yet. (More on this topic below.)
Strong symmetric ciphers, algorithms that use the same key for encryption and decryption (AES, Blowfish, etc.) will also be easier to crack with quantum computers, but only by roughly a factor of two. So if you are happy with AES-128 today, you’ll be happy with AES-256 in a quantum-computing future.
Tomi Engdahl says:
Carly Fiorina: I Supplied HP Servers for NSA Snooping
http://motherboard.vice.com/read/carly-fiorina-i-supplied-hp-servers-for-nsa-snooping?utm_source=mbtwitter#
When former National Security Agency director Michael Hayden reached out to Carly Fiorina with an urgent request in the weeks after 9/11, the HP CEO responded swiftly.
Hayden needed computer servers—a lot of them, and quickly—as part of his effort to build what would become the most wide-ranging domestic surveillance program in US history.
“Carly, I need stuff and I need it now,” Hayden recalled telling Fiorina, according to a report published Monday by Yahoo News.
Fiorina, who had been named HP CEO in 1999 and is now running for president as a Republican, promptly redirected truckloads of HP servers that had been destined for retail stores into the custody of federal officials who took them to NSA headquarters in Fort Meade, Md.
The servers were needed for a massive new warrantless surveillance program codenamed “Stellar Wind” that had been approved by President George W. Bush.
Fiorina acknowledged providing the HP servers to the NSA during an interview with Michael Isikoff in which she defended the Bush administration’s warrantless surveillance programs and framed her collaboration with the NSA in patriotic terms.
“I felt it was my duty to help, and so we did,” Fiorina said.
Fiorina’s compliance with Hayden’s request for HP servers is but one episode in a long-running and close relationship between the GOP presidential hopeful and US intelligence agencies.
Tomi Engdahl says:
UK.gov unleashes 3D virtual world to train GCHQ’s kiddie division
Cyber-workforce to learn in ‘Cyphinx’ land from an early age, just like Nork hackers
http://www.theregister.co.uk/2015/09/29/cyphinx_uk_cyber_gchq_kids_training/
The next generation of Blighty’s cybersecurity workforce is to be trained without even realising it, in a Cabinet Office-funded cyber skyscraper built “solely to find, test and recruit cyber talent”.
The cyber skyscraper, which is sadly not hosted in the cloud, has been dubbed Cyphinx.
Cyphinx is a browser-based MMO-inspired platform for Play-on-Demand (PoD) cyber-security games and ciphers, running on the vuln-ignoring Unity’s Web Player, with levels peppered with advertisements from sponsors.
According to Cyber Security Challenge UK’s (CSCUK’s) CEO Stephanie Damon, Cyphinx was developed in direct response to an ISC² study which estimated there would be a workforce cyber-skills shortage of 1.5 million by 2020.
“We believe Cyphinx has huge benefits in identifying the cyber professionals of the future,” he said.
Cyber Security Challenge UK’s sponsors, both public and private, have declared their interests in the organisation as a means of mitigating a “cyber-skills shortage”.
Cyphinx, however, features different challenges, including:
A game in which a corrupt worker has caused havoc on a room of full of computers and machines, requiring candidates to download and work through various files in order to restore the network, which was developed by a team of cyber-apprentices from Malvern aged between 17 and 20.
A game using the Minecraft platform to hide “codes in walls, behind pictures and in a virtual game of hopscotch”.
A series of mini-challenges developed by Clearswift, which ask candidates to find hidden information within files buried by an employee.
A game created by pen-testing company ProCheckUp, in which candidates are asked to analyse a network trace using traditional methods of file extraction.
Cyphinx was developed by Clearswift and ProCheckUp, as well as “talented cyber hobbyists”, one of the youngest of which – Ben Radcliffe – is 12 years old.
Tomi Engdahl says:
FBI and DEA Under Review For Misuse of NSA Mass Surveillance Data
http://yro.slashdot.org/story/15/09/29/1235200/fbi-and-dea-under-review-for-misuse-of-nsa-mass-surveillance-data
The FBI and DEA were among the agencies fed information from an NSA surveillance program described as “staggering” by one judge who helped strike the program down.
FBI and DEA under review for use of NSA mass surveillance data
http://www.dailydot.com/politics/nsa-dea-fbi-snowden-doj-oig/
The Justice Department is investigating the FBI’s use of information taken directly from mass surveillance conducted by the National Security Agency (NSA)’s collection of telephone metadata.
The yield of that NSA spying program was described by a judge as a “staggering” amount of data when the agency’s ability to collect it was struck down as illegal in court earlier this year. The program was resumed in June and will run until at least December.
Another ongoing Justice Department investigation is examining the Drug Enforcement Administration (DEA)’s use of “parallel construction.”
Parallel construction is a controversial investigative technique that takes information gained from sources like the NSA’s mass surveillance, covers up or lies about the sources, and then utilizes them in criminal investigations inside the United States. The information was passed to other federal agencies like the Internal Revenue Service (IRS).
The technique was described as “decades old, a bedrock concept” by a DEA official.
Critics at the Electronic Frontier Foundation (EFF) described the technique as “intelligence laundering” designed to cover up “deception and dishonesty” that ran contrary to the original intent of post-9/11 surveillance laws.
Both the FBI and DEA, which operate under the jurisdiction of the Justice Department, are under review by the department’s Office of Inspector General (OIG).
The OIG is charged with identifying and investigating fraud, waste, abuse, and mismanagement. Although OIG reports cannot on their own force change, detailed information is always shared with Congress and often the public which can lead to the investigated party agreeing to the suggested changes and conclusions from the OIG or other entities.
The NSA’s mass collection of telephone metadata was thought to be authorized under Section 215 of the Patriot Act. Both the George W. Bush and Barack Obama administrations argued for and renewed authorization until the program expired in Congress earlier this year.
The Justice Department’s Office of Inspector General is also investigating the FBI’s use of Patriot Act Section 215 from 2012 to 2014 that allowed it to obtain “any tangible thing” from any business or entity as part of investigations against international terrorism or spying.
Tomi Engdahl says:
Raytheon Wins US Civilian Cyber Contract Worth $1 Billion
http://news.slashdot.org/story/15/09/29/0413234/raytheon-wins-us-civilian-cyber-contract-worth-1-billion
Raytheon is a company well-known in military-industrial and political circles, but not so much for software, networking and cybersecurity. That has not stopped the DHS awarding it a $1 billion, five year contract to help more than 100 civilian agencies manage their computer security
Raytheon says new U.S. civilian cyber contract worth about $1 billion
http://www.reuters.com/article/2015/09/29/us-raytheon-cyber-idUSKCN0RS2F820150929
Raytheon Co on Monday said a new five-year contract it won from the U.S. Department of Homeland Security
Raytheon said DHS selected it to be the prime contractor and systems integrator for the agency’s Network Security Deployment (NSD) division, and its National Cybersecurity Protection System (NCPS).
Tomi Engdahl says:
Latest Version of WinRAR Plagued by Dangerous Security Bug
http://news.softpedia.com/news/latest-version-of-winrar-is-plagued-by-a-dangerous-security-bug-493158.shtml?utm_source=spd_hotlatest&utm_medium=spd_hotlatest&utm_campaign=spd_hotlatest
WinRAR, the popular file compression and decompression utility, has a security vulnerability that allows attackers to remotely execute code on the user’s computer when opening an SFX (Self-extracting archive) file.
The bug was discovered by Mohammad Reza Espargham from Vulnerability Lab, and was also reproduced by Pieter Arntz from Malwarebytes.
According to the vulnerability disclosure details, the bug only affects the latest version, 5.21, and can be used by any attacker crafty enough to place malicious HTML code inside the “Text to display in SFX window” section when creating a new SFX file.
To exploit this vulnerability, attackers don’t need special privileges on the targeted machine.
Because users interact with RAR and SFX files on a daily basis, hackers have a high chance of exploiting this bug in the wild.
WinRAR SFX v5.21 – Remote Code Execution Vulnerability
http://seclists.org/fulldisclosure/2015/Sep/106
Tomi Engdahl says:
Security firm discovers Linux botnet that hits with 150 Gbps DDoS attacks
http://www.engadget.com/2015/09/29/linux-botnet-hits-with-150-gbps-ddos/
Akamai announced on Tuesday that its Security Intelligence Response Team has discovered a massive Linux-based botnet that’s reportedly capable of downing websites under a torrent of DDoS traffic exceeding 150 Gbps. The botnet spreads via a Trojan variant dubbed XOR DDoS. This malware infects Linux systems via embedded devices like network routers then brute forces SSH access. Once the malware has Secure Shell credentials, it secretly downloads and installs the necessary botnet software, then connects the newly-infected computer to the rest of the hive.
Security researchers had been aware of XOR DDoS since last year but have just recently noticed the effects of the botnet itself. According to Akamai, the network strikes around 20 times a day, though 90 percent of its targets are various businesses in Asia — typically gambling and educational sites.
“A decade ago, Linux was seen as the more secure alternative to Windows environments, which suffered the lion’s share of attacks at the time, and companies increasingly adopted Linux as part of their security-hardening efforts,” Akamai told PC World. “As the number of Linux environments has grown, the potential opportunity and rewards for criminals has also grown.” As such, anyone with a Linux rig is strongly advised to review their existing security implementations and harden them accordingly.
A Linux botnet is launching crippling DDoS attacks in excess of 150Gbps
The XOR DDoS botnet can generate attacks more powerful than most businesses can withstand.
http://www.pcworld.com/article/2987580/security/a-linux-botnet-is-launching-crippling-ddos-attacks-at-more-than-150gbps.html#tk.rss_all
XOR DDoS is one of several malware programs that target Linux systems, and reflects a wider trend of hijacking poorly configured Linux-based systems for use in DDoS attacks. Old and unmaintained routers are especially vulnerable to such attacks, as several incidents have shown over the past two years.
Tomi Engdahl says:
Edward Snowden now on Twitter
https://twitter.com/Snowden
Tomi Engdahl says:
“If you change the default password, support will stop” – hospital equipment security is leaking
The doctor and the nurses are not necessarily the only ones who have access to, for example, MRI or X-ray results.
Medical devices are in fact in danger of being compromised. The matter was investigated by researchers Scott Erven and Mark Collao, who presented their findings at the DerbyCon conference earlier this week.
More and more healthcare devices are connected to the network so that the data they produce can be moved into electronic health record systems. These include, for example, MRI and X-ray imaging equipment and drug pumps. Besides the breach of privacy, it is theoretically possible that patients come to real harm if cybercriminals alter examination and treatment plans through poorly secured equipment.
The researchers looked for healthcare equipment with the Shodan search engine, which is designed to find devices connected to the network. According to them, some of the systems and devices are connected to the network by default, others due to misconfiguration. In addition, many devices use the manufacturer’s default passwords.
The alarming discovery was that different models of the same device used the same default passwords. In some cases, manufacturers even warned users that changing a default password could lead to the loss of support.
Source: http://www.tivi.fi/Kaikki_uutiset/jos-vaihdat-oletussalasanan-tuki-lakkaa-sairaalalaitteiden-tietoturva-vuotaa-6001031
Tomi Engdahl says:
Tinder fights STD ad campaign in US
http://www.bbc.com/news/technology-34390795
Tinder is calling for the removal of an advertising campaign by an Aids awareness group, which linked the dating app with sexually transmitted diseases.
The Aids Healthcare Foundation also named gay dating app Grindr in a series of posters in the US.
It said that location-based dating apps had become a “digital bath house” for sexually transmitted infections because they facilitated casual sex.
“Mobile dating apps are rapidly altering the sexual landscape by making casual sex as easily available as ordering a pizza,” said Whitney Engeran-Cordova, a senior director at the AHF.
“In many ways, location-based mobile dating apps are becoming a digital bath house for millennials wherein the next sexual encounter can literally just be a few feet away—as well as the next STD.”
Tomi Engdahl says:
Snowden Joins Twitter, Follows NSA
http://www.securityweek.com/snowden-joins-twitter-follows-nsa
Former US intelligence contractor and whistleblower Edward Snowden joined Twitter Tuesday, picking up more than a quarter of a million followers on the social network in just over two hours.
Snowden followed a single Twitter account: the US National Security Agency, from which he stole electronic documents revealing the agency’s secret surveillance programs.
“Can you hear me now?” he asked in his first tweet, which was quickly resent by Twitter users tens of thousands of times.
Edward Snowden now on Twitter
https://twitter.com/Snowden
Tomi Engdahl says:
Intel Security names a Dutch DJ the world’s most dangerous celebrity
We’re in the gutter, some of us are looking at the stars
http://www.theinquirer.net/inquirer/news/2428027/intel-security-names-a-dutch-dj-the-worlds-most-dangerous-celebrity
A TRANCE MUSIC DJ is leading the list of celebrity threats that Intel/McAfee has put out as some sort of alert about fame, malware, using the internet and searching for the stars.
McAfee presents this information in written format, sparing us the broken expression on the face that serves it, and lets us know that a European dance disk jockey is a bigger threat to your online security than Britney Spears.
“Who doesn’t love to search for celebrities online?”
“Cyber criminals take advantage of our interest in celebrities by riddling search results with links to sites that may host malware and other online threats that can steal personal data and harm our devices.”
Van Buuren is more dangerous to your browsing than Luke Bryan (no idea) and Usher (same). These chaps (we had to Google them – apologies to Mr Usher) are the biggest international threats.
The 2015 Most Dangerous Celebrity is Putting Devices in a State of Trance
https://blogs.mcafee.com/consumer/most-dangerous-celebrities-2015/
Intel Security conducted a study using McAfee® WebAdvisor to determine the number of risky sites that would be generated in search results including a celebrity name and commonly searched terms. We refer to these stars as the Most Dangerous Celebrities™, meaning that they are likely popular search subjects. And this year’s roundup is seeing some new, surprising faces. Not so surprising is the Netherlands native who’s taken our No. 1 spot, up from his No. 2 placement in 2014: world famous DJ, Armin van Buuren
So, how dangerous is it exactly to search for the trance music legend? To be precise, searching for van Buuren presents a 17.92% chance of running into online threats — if a user clicked all the results generated by the search terms. That’s nearly a 1 in 5 chance of landing on a site that has ‘malicious’ written all over it.
What makes musicians such a focus for cybercriminals? Well, unassuming music fans tend to turn to the Web to find downloads of their favorite tunes—most often in the form of .mp3 files. That said, cybercriminals might use the terms ‘free mp3’ or ‘torrent’ to entice you to download a seemingly-legitimate file that is, in reality, malicious. In the case of our No. 1 Most Dangerous Celebrity, search terms like “HD download “and “torrent” combined with “Armin van Buuren” are hotbeds for hacker hoaxes.
Tomi Engdahl says:
Google AdSense click fraud made possible by uncloaking advertisers’ sites
https://thestack.com/security/2015/09/28/google-adsense-click-fraud-iframe-blazquez/
According to new research, source code manipulation can be used to penetrate the security of Google’s AdSense system, by automatically obtaining the JavaScript code which protects advertisers from click fraud.
The paper A vulnerability in Google AdSense: Automatic extraction of links to ads [PDF] by Prof. Manuel Blázquez of the Complutense University of Madrid, outlines a procedure whereby the attacker can de-obfuscate the ‘cloaked’ advertiser target links automatically and perform automated clicks of the ads, either to the benefit of the site hosting the ads – if the intention is to generate simulated commercial traffic, or to the detriment of competitor sites, if the intention is to compromise their standing with Google’s AdSense system by creating a blizzard of patently bogus ad-clicks.
A vulnerability in Google AdSense:
Automatic extraction of links to ads
http://arxiv.org/ftp/arxiv/papers/1509/1509.07741.pdf
Tomi Engdahl says:
Citadel Botnet Operator Gets 4.5 Years In Prison
http://yro.slashdot.org/story/15/09/30/038248/citadel-botnet-operator-gets-45-years-in-prison
The U.S. Department of Justice has announced that Dimitry Belorossov, a.k.a. Rainerfox, an operator of the “Citadel” malware, has been sentenced to 4.5 years in prison following a guilty plea. Citadel was a banking trojan capable of stealing financial information.
Russian Developer of the Notorious “Citadel” Malware Sentenced to Prison
http://www.justice.gov/usao-ndga/pr/russian-developer-notorious-citadel-malware-sentenced-prison
ATLANTA – Dimitry Belorossov, a/k/a Rainerfox, has been sentenced to four years, six months in prison following his guilty plea for conspiring to commit computer fraud. Belorossov distributed and installed Citadel, a sophisticated malware that infected over 11 million computers worldwide, onto victim computers using a variety of infection methods.
“Global cyber-crime requires a global response, and this case is a perfect example,” said U.S. Attorney John Horn. “This defendant committed computer hacking offenses on victims in the United States from the relative safety of his home country of Russia, but he was arrested by our law enforcement partners in Spain. As malware and hacking toolkits continue to victimize computer users around the world, we will step up our efforts to focus internationally on the criminals who develop these programs.”
Cybercriminals, including Belorossov, distributed and installed Citadel onto victim computers through a variety of infection methods, including malicious attachments to spam emails and commercial Internet ads containing malware or links to malware. Since 2011, multiple versions of Citadel have been distributed and operated throughout the world. Citadel became one of the most advanced crimeware tools available in the underground market, as it had the capability, among other things, to block antivirus sites on infected computers. According to industry estimates, Citadel, and other botnets like it, infected approximately 11 million computers worldwide and are responsible for over $500 million in losses.
Tomi Engdahl says:
South Korean Citizen IDs Vulnerable, Based On US Model
http://yro.slashdot.org/story/15/09/30/2128223/south-korean-citizen-ids-vulnerable-based-on-us-model
South Korea’s Resident Registration Number (RRN) has been proven ‘vulnerable to almost any adversary’ by the ‘Queen of re-identification’, Harvard Professor Latanya Sweeney, who previously proved that 87 percent of all Americans could be uniquely identified using just their ZIP code, birthdate, and sex.
Cracking the citizen: a warning from South Korea about National IDs
https://thestack.com/security/2015/09/30/latanya-arvette-sweeney-south-korea-rrn-cracked/
The ‘Queen of re-identification’, Harvard Professor Latanya Arvette Sweeney, has just published an interesting set of findings regarding the vulnerability of the system that South Korea uses to uniquely identify its 50+ million citizens – and believes that those proposing new ‘Citizen ID’ systems in the United States and elsewhere should take note of the fact that she was able to de-cloak a complete set of 23,163 supposedly encrypted South Korean sample IDs using two totally different methods.
Sweeney described the encrypted RRNs as ‘vulnerable to almost any adversary’ – and the scheme is based on systems and techniques both in use and proposed for use in future ‘citizen ID’ systems in the United States and beyond.
The research was conducted on prescription data where the RRN is intended to shield the subject from being specifically identified. The system under scrutiny is modelled on one used by U.S.-based multinational IMS Health, which collates data on millions of (living) South Koreans.
Independent third party sources were able to verify Sweeney’s claims about the deanonymisation technique.
Not all countries use a citizen ID system that in itself contains any information, encrypted or otherwise.
Tomi Engdahl says:
175,000 whinge to Microsoft about phone tech support scams
3.3 million Americans will pay $1.5 billion this year.
http://www.theregister.co.uk/2015/10/01/175000_whinge_to_microsoft_about_phone_tech_support_scams/
Microsoft has received more than 175,000 complaints about phone technical support scams since May last year, and Redmond says the “Hello I’m Joe from Windows Technical Support” callers will filch around US$1.5 billion from Americans this year.
Redmond in response increased its education awareness through the American Association of Retired Persons’ Fraud Watch department.
“Since May 2014, Microsoft has received over 175,000 customer complaints regarding fraudulent tech support scams,” Microsoft cybercrime center director David Finn says.
“This year alone, an estimated 3.3 million people in the United States will pay more than $1.5 billion to scammers.”
Tomi Engdahl says:
Linux-powered botnet can kick out a huge and persistent DoS attack
Imagine what a Windows powered one might achieve?
http://www.theinquirer.net/inquirer/news/2428310/linux-powered-botnet-can-kick-out-a-huge-and-persistent-dos-attack
A LINUX-POWERED BOTNET has joined the list of threats for you to stick in a scrapbook.
The botnet alarm rings at security firm Akamai and its Security Intelligence Response Team, which is tracking the threat and has given it a name. That name is XOR DDoS.
An XOR DDoS threat advisory (PDF) said that the trojan malware has enabled the hijacking of Linux machines and their placement in the ranks of a distributed denial-of-service network
The threat is a lurker, according to Akamai, and was detected almost exactly a year ago by the Malware Must Die security team.
Akamai said that XOR DDoS has pulled together to carry out attacks that range in weight from a few gigabits per second to 150Gbps.
Threat Advisory: XOR DDoS
https://www.stateoftheinternet.com/downloads/pdfs/2015-threat-advisory-xor-ddos-attacks-linux-botnet-malware-removal-ddos-mitigation-yara-snort.pdf
Tomi Engdahl says:
Would you like to avoid hacking? Remember these 5 new cases
1) Hackers love healthcare operators. Companies and organizations in healthcare are the top targets for attackers worldwide. National governments and authorities come second, retail third.
2) Credit card data theft has increased 169 percent over five years. Data is stolen, for example, with tampered cash registers, ATMs and payment terminals.
3) The most common tool is malware. Do not click suspicious links or open strange attachments in your email.
4) Personal data and customer accounts are traded around the network. Criminals often sell stolen information onward.
5) A lost machine is also a security risk. Criminals usually get at sensitive data with malware, but a lost machine itself is a much easier way in.
Source: http://www.tivi.fi/Kaikki_uutiset/haluatko-valttya-hakkeroinnilta-muista-nama-5-uutta-asiaa-6000952
More:
TrendLabs Research Paper
Follow the Data:
Dissecting Data Breaches and Debunking Myths
http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-follow-the-data.pdf
Tomi Engdahl says:
Virginia State Police Cars Hacked
http://it.slashdot.org/story/15/09/30/2041224/virginia-state-police-cars-hacked
Two models of Virginia State Police cruisers were hacked in an experiment to expose vulnerabilities in the vehicles and to come up with ways to protect the cars from hackers.
State Trooper Vehicles Hacked
http://www.darkreading.com/attacks-breaches/state-trooper-vehicles-hacked-/d/d-id/1322415
Car-hacking research initiative in Virginia shows how even older vehicles could be targeted in cyberattacks.
A state trooper responding to a call starts his vehicle, but is unable to shift the gear from park to drive. The engine RPMs suddenly spike and the engine accelerates, no foot on the pedal. Then the engine cuts off on its own.
The unmarked 2012 Chevrolet Impala from the Virginia State Police’s (VSP) fleet has been hacked — but luckily, by good hackers.
This is what police officers could someday face in the age of car hacking. It’s just one in a series of cyberattacks waged on the VSP’s Impala and on one of its 2013 Ford Taurus marked patrol cars as part of an experiment by a public-private partnership to test how state trooper vehicles could be sabotaged via cyberattacks.
Car-hacking has shifted into overdrive this past year, mainly thanks to research by famed car hackers Charlie Miller and Chris Valasek, who this summer demonstrated how they were able to remotely control a 2014 Jeep Cherokee’s steering, braking, high beams, turn signals, windshield wipers and fluid, and door locks, as well as reset the speedometer and tachometer, kill the engine, and disengage the transmission so the accelerator pedal failed.
The VSP research didn’t hack moving vehicles. But the Virginia project demonstrated how even non-networked, older-model vehicles are also susceptible to cyberattacks.
The hacks of the VSP cruisers require initial physical tampering of the vehicle as well. The researchers inserted rogue devices in the two police vehicles to basically reprogram some of the car’s electronic operations, or to wage the attacks via mobile devices, which they demonstrated.
The project evolved out of concerns by security experts as well as police officials of the dangers of criminal or terror groups tampering with state police vehicles to sabotage investigations or assist in criminal acts. And unlike most car-hacking research to date, it includes the creation of prototype solutions for blocking cyberattacks as well as data-gathering for forensics purposes.
Perhaps a bigger surprise than the car hacks themselves was that a police department would agree to participate in potentially sensitive cyberattack research.
“The University of Virginia study is helpful to remind industry, regulators, law enforcement and consumers that cybersecurity is an issue that requires focused attention. The staged cyber-attack on a Ford vehicle required unrestricted physical access to the interior to install a device that provided remote access to the electronic control module. This study does not simulate any immediate real-world risk,” Ford said in its statement. “It highlights the need to be vigilant about vehicle security and to avoid plugging in devices or technologies that do not have proper security safeguards. And, it serves as a reminder that all connected computing systems should have appropriate safeguards in place to mitigate the threat of cyber-attacks.”
GM declined to comment directly on the project, but noted that it’s working on securing its vehicles from cyberattacks
The Hacks
In addition to the gearshift, instrument panel, and engine hacks, researchers from Mitre Corp. also wrote attack code that opened the trunk, unlocked the passenger doors and locked the driver’s door, and ran the windshield wipers and wiper fluid.
“We think this is really not about car hacking as it is about coming up with strategies” to protect vehicles from attack, says Brian Barrios, portfolio director of Mitre’s National Cybersecurity FFRDC.
The first set of attacks by Mitre occurs via a smartphone app connected via Bluetooth to a hacking device planted in the vehicle, he says. “This car [the Impala] doesn’t have Bluetooth or cellular” connectivity built in, he says, so connectivity was provided via the Mitre device.
MSi performed its own set of attacks on the VSP’s marked Ford Taurus cruiser. One attack basically performs a denial-of-service hack that blocks the car from starting. The researchers also were able to remotely start up the car from a smartphone-borne attack, and lock and unlock the car such that the driver would be trapped in the vehicle unless he or she rolled down the window to manually open the door.
“A policeman would get out of the car to see what’s wrong, he looks under the hood and the car starts itself and the dashboard is going crazy. Horns blow, lights blink, and he decides this car is no good,”
The researchers also used a device placed in the vehicle that monitors the OBD II port and detects any hacking tools plugged into the car’s port, as well as any attacks over the CAN bus. Like the Kaprica tool, it stops any attacks and collects attack information for forensic analysis afterward.
VSP’s Davis says the new age of car hacking means law enforcement will be faced with considering the cybersecurity of its fleet. “We understand with vehicles that not being connected [to the Internet] is a good thing. Taking a look at systems and components embedded in there and how they communicate together: is this something I need to consider in my purchase?”
He says VSP already has in place technicians who investigate computer fraud, so forensics analysis out of a potential car hack would be another aspect of their duties.
Tomi Engdahl says:
Verisign opens up its DNS
Free for ordinary users, promises not to harvest your requests
http://www.theregister.co.uk/2015/09/30/verisign_opens_up_its_dns/
Verisign is throwing its hat into the “free DNS” ring, promising not to retain information about recursive requests to its just-launched service.
Verisign Public DNS is at 64.6.64.6 / 64.6.65.6, alas nowhere near as easy for people to remember as Google’s 8.8.8.8 / 8.8.4.4.
In the blog post launching the service, the director of product management for the service Michael Kaczmarek says most people don’t understand that their recursive DNS requests can be, and routinely are, harvested, stored, mined and “sold to the highest bidder”.
There’s also the practice of redirecting failed DNS queries, which regularly becomes a sore point for in-the-know Internet users.
Tomi Engdahl says:
Researchers: Thousands of Medical Devices Are Vulnerable To Hacking
http://it.slashdot.org/story/15/09/30/2114230/researchers-thousands-of-medical-devices-are-vulnerable-to-hacking
At the DerbyCon security conference, researchers Scott Erven and Mark Collao explained how they located Internet-connected medical devices by searching for terms like ‘radiology’ and ‘podiatry’ in the Shodan search engine. Some systems were connected to the Internet by design, others due to configuration errors. And much of the medical gear was still using the default logins and passwords provided by manufacturers.
Thousands of medical devices are vulnerable to hacking, security researchers say
http://www.itworld.com/article/2987812/thousands-of-medical-devices-are-vulnerable-to-hacking-security-researchers-say.html
The security flaws put patients’ health at risk
Next time you go for an MRI scan, remember that the doctor might not be the only one who sees your results.
Thousands of medical devices, including MRI scanners, x-ray machines and drug infusion pumps, are vulnerable to hacking, creating significant health risks for patients, security researchers said this week.
The risks arise partly because medical equipment is increasingly connected to the Internet so that data can be fed into electronic patient records systems, said researcher Scott Erven, who presented his findings with fellow researcher Mark Collao at the DerbyCon security conference.
Besides the privacy concerns, there are safety implications if hackers can alter people’s medical records and treatment plans, Erven said.
“As these devices start to become connected, not only can your data gets stolen but there are potential adverse safety issues,” he said.
The researchers located medical devices by searching for terms like “radiology” and “podiatry” in Shodan, a search engine for finding Internet-connected devices.
Some systems were connected to the Internet by design, others due to configuration errors
The researchers studied public documentation intended to be used to set up the equipment and found some frighteningly lax security practices.
The same default passwords were used over and over for different models of a device, and in some cases a manufacturer warned customers that if they changed default passwords they might not be eligible for support. That’s apparently because support teams needed the passwords to service the systems.
Tomi Engdahl says:
MEDJACK: Hackers hijacking medical devices to create backdoors in hospital networks
http://www.itworld.com/article/2932539/security/medjack-hackers-hijacking-medical-devices-to-create-backdoors-in-hospital-networks.html
Attackers are infecting medical devices with malware and then moving laterally through hospital networks to steal confidential data, according to TrapX’s MEDJACK report.
After the Office of Personnel Management breach, medical data was labeled as the “holy grail” for cybercriminals intent on espionage. “Medical information can be worth 10 times as much as a credit card number,” reported Reuters. And now to steal such information, hospital networks are getting pwned by malware-infected medical devices.
TrapX, a deception-based cybersecurity firm, released a report about three real-world targeted hospital attacks which exploited an attack vector the researchers called MEDJACK for medical device hijack. “MEDJACK has brought the perfect storm to major healthcare institutions globally,” they warned. “Medical devices complimented by the MEDJACK attack vector may be the hospital’s ‘weakest link in the chain’.”
Tomi Engdahl says:
FBI: We unmasked and collared child porn creep on Tor with spy tool
Metasploit decloaking kit rides again?
http://www.theregister.co.uk/2015/10/01/fbi_busted_malware_creep_on_dark_web/
Dark-web deadbeats may not be as anonymous as they think. A bloke in the US was charged on Friday after FBI spyware caught him downloading child sex abuse material.
The child porn website’s systems were seized in Lenoir, North Carolina, after agents got a court order in February. The Feds continued to keep it in operation for two weeks afterwards to catch perverts using it. The site had nearly 215,000 users.
Because users had to use Tor to access the warped website, the web server’s logs were of little use to investigators – they simply listed the exit nodes of the anonymizing network. Instead, the FBI deployed a NIT – a “network investigative technique,” or what in the hands of criminals would be termed spyware.
The FBI has been using NITs for over a decade. While the Escobosa indictment doesn’t give details, other court documents have stated that the software was developed by adapting a tool written by white hat hacker HD Moore called the Metasploit Decloaking Engine.
A NIT works like this: a file, typically a Flash file, is hosted by a seized child porn website, and sent to web browsers when perverts visit the hidden service via Tor. This Flash file is run in Adobe’s plugin, and establishes a direct connection to an FBI-controlled server on the public internet without going through Tor.
The Feds can then, in most cases, read off the user’s real public IP address from this connection, unmasking the scumbag.
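The correlation step that makes the technique above work, written out as an added illustration with constructed log lines. This is not the FBI’s code or the Metasploit Decloaking Engine: it models only the join between the hidden service’s record of which per-visit nonce it embedded in the payload and the clearnet listener’s record of which source IP later presented that nonce over a direct, non-Tor connection. Log formats, field names, sessions and addresses are all made up; the Tor-side addresses are deliberately the same for two sessions to show why the onion server’s own logs are useless.

```python
"""Constructed model of the nonce-correlation step behind a 'NIT' decloak.

Added example, not the FBI's or Metasploit's code. The hidden service embeds a
per-visit nonce in the payload it serves; if the client's plugin then opens a
direct (non-Tor) connection carrying that nonce, the clearnet listener logs the
real source IP, and the two logs are joined on the nonce. All data is made up.
"""
import re
import secrets

# Constructed: what the hidden service logged when serving the payload.
# The addresses it sees are Tor-side addresses, shared by unrelated visitors.
ONION_LOG = """\
2015-02-20T10:01:02Z session=a1 nonce=5f3c1e9a70b24d6e tor_addr=176.10.99.200
2015-02-20T10:01:09Z session=b2 nonce=0c77a1d4e8f3b912 tor_addr=176.10.99.200
2015-02-20T10:02:30Z session=c3 nonce=9ab4d2e1c0f35678 tor_addr=185.220.101.5
"""

# Constructed: what the clearnet listener logged. Session c3 never called back
# (plugins disabled, or all traffic kept inside Tor), so it stays anonymous.
# The last line carries a nonce that was never issued: noise or a forgery.
DIRECT_LOG = """\
2015-02-20T10:01:05Z src=203.0.113.77 nonce=5f3c1e9a70b24d6e
2015-02-20T10:01:11Z src=198.51.100.23 nonce=0c77a1d4e8f3b912
2015-02-20T10:03:00Z src=198.51.100.99 nonce=deadbeefdeadbeef
"""

ONION_RE = re.compile(r"session=(\S+) nonce=([0-9a-f]{16}) tor_addr=(\S+)")
DIRECT_RE = re.compile(r"src=(\S+) nonce=([0-9a-f]{16})")


def new_nonce():
    """Per-visit token: 64 random bits, so a hit cannot be guessed or collided."""
    return secrets.token_hex(8)


def parse_onion_log(text):
    """nonce -> {session, tor_addr} for every payload the hidden service served."""
    issued = {}
    for line in text.splitlines():
        m = ONION_RE.search(line)
        if m:
            session, nonce, tor_addr = m.groups()
            issued[nonce] = {"session": session, "tor_addr": tor_addr}
    return issued


def parse_direct_log(text):
    """nonce -> real source IP of the first direct callback carrying it."""
    hits = {}
    for line in text.splitlines():
        m = DIRECT_RE.search(line)
        if m:
            src, nonce = m.groups()
            hits.setdefault(nonce, src)
    return hits


def correlate(onion_text, direct_text):
    """Join the two logs on nonce.

    Returns ({session: real_ip} for sessions that leaked, [sessions with no
    direct callback]). Nonces the hidden service never issued are ignored.
    """
    issued = parse_onion_log(onion_text)
    hits = parse_direct_log(direct_text)
    unmasked = {}
    for nonce, src in hits.items():
        if nonce in issued:
            unmasked[issued[nonce]["session"]] = src
    still_anonymous = [v["session"] for n, v in issued.items() if n not in hits]
    return unmasked, still_anonymous


if __name__ == "__main__":
    leaked, safe = correlate(ONION_LOG, DIRECT_LOG)
    print("unmasked:", leaked)
    print("no callback:", safe)
```

The defensive reading is the interesting one: the join only succeeds for a client whose browser let a plugin open a socket outside the SOCKS proxy, which is exactly why Tor Browser ships with plugins disabled. Session c3 shows what a properly contained client looks like in these logs.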
Tomi Engdahl says:
Weird garbled Windows 7 update baffles world – now Microsoft reveals the truth
So about those automatic Windows updates …
http://www.theregister.co.uk/2015/09/30/windows_update_glitch/
Windows 7 users were left scratching their heads on Wednesday when a mysterious garbled patch appeared in Windows Update, origins unknown.
The update only seems to have popped up on Windows 7 systems, including Windows 7 Pro and Windows 7 Enterprise.
While the text and links look highly suspicious – making some fear that Microsoft’s systems had been compromised – none of the URLs seemed legitimate.
The Register poked Microsoft about the issue, and a spokesman told us: “We incorrectly published a test update and are in the process of removing it.”
How that sort of thing happens, though, we’re not totally clear on. The bizarre update has certainly confused a load of Windows users, who hit the support forums in search of answers.
Beginning with Windows 10, Microsoft has begun touting a new strategy of “Windows as a service,” where updates are continuous and automatic, and only enterprise customers are given the option of refusing them.
Tomi Engdahl says:
Will ‘Chip and Pin’ Credit Card Technology Really Increase Security? (Video)
http://it.slashdot.org/story/15/09/30/1711235/will-chip-and-pin-credit-card-technology-really-increase-security-video?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29
The answer seems to be: sort of, a little, but not a whole lot, according to Jerry Irvine, who is a member of the U.S. Chamber of Commerce Cybersecurity Leadership Council and CIO of Chicago-based Prescient Solutions. More security theater? It sounds that way when Jerry starts reeling off the kinds of attacks the new cards will do nothing to prevent.
Comments:
It’s the date after which merchants are supposed to be liable for fraudulent purchase made with New-style chip and PIN cards which are made as signature transactions (e.g. with an old terminal).
Their idea is: The bank will be liable for a fraudulent charge if the original bank/card doesn’t support Chip and Pin but the merchant does, AND the Merchant will be liable if the Bank’s issued card supports chip and pin, but the merchant doesn’t support the feature.
…that’s not the system we’re getting in the US, at least for the time being and at most retailers. We’re getting Chip and Signature, which is much less secure. We’re just calling it Chip and PIN, but most retailers aren’t actually using PIN numbers to complete transactions…
Studies in Europe showed that when chip and PIN nearly eliminated point-of-sale (in store) fraud, within a year or so the fraud moved to card-not-present sales (that is, the fraud occurred with European cards used on the internet, by phone, and in countries where the PIN network was not integrated back into Europe’s clearinghouses, like Brazil, the US, and off-the-grid stores). The total amount of fraud was roughly the same as it had been (one can argue about details or whether it’s less than it would have been).
For in-store (card present) sales, it isn’t lost cards that are the biggest problem. It’s stolen card numbers being cloned onto forged plastic.
So no, this isn’t going to do much about fraud, since card-not-present is actually going to become the dominant mode of sales (internet). But the PIN doesn’t help much.
While the PIN is stored on the card it cannot be read externally, since you cannot read that part of memory using the pins on the card. AFAIK when you enter the PIN on the terminal it sends it to the card together with the amount, and then the card creates a one-time key for that amount signed with the card’s internal secret key if the PIN matches what it has stored inside; this one-time key is what it sends to the terminal, which in turn sends it to VISA/Mastercard/... So yes, chip+PIN is way more secure than the old magstripe and chip+signature.
Samsung Pay still provides a virtual card number, so there’s some benefit to it. And it can be used now, unlike Apple/Android Pay (which may very well never have anywhere near 100% acceptance if most retailers choose to keep NFC support on their brand new terminals turned off).
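The transaction the commenter above sketches (PIN checked inside the chip, then a per-transaction cryptogram over the amount keyed with a secret that never leaves the card), as an added, simplified model that is not EMV’s actual specification and not anyone’s production code. Real EMV derives 3DES/AES session keys from an issuer master key, uses ISO 9797 MACs over a defined data set (amount, ATC, terminal unpredictable number and more) and returns an ARQC; here HMAC-SHA256 stands in for the MAC, the PAN, PIN and keys are constructed, and the data set is cut down to amount, counter and unpredictable number. The point it shows is why a skimmed cryptogram or a cloned card without the key gets declined, and why the commenter is right that chip+signature throws away the PIN-gating half of this.

```python
"""Simplified model of a chip-and-PIN online authorisation.

Added example with constructed keys, PAN and PIN; not the EMV spec. HMAC-SHA256
stands in for the card's MAC. The card holds a secret key shared only with the
issuer; the terminal never sees it, so nothing the terminal (or a skimmer on it)
observes lets anyone mint a new cryptogram.
"""
import hashlib
import hmac
import secrets


class Card:
    """The chip: key and PIN stay inside, only cryptograms come out."""

    def __init__(self, pan, issuer_key, pin):
        self.pan = pan
        self._key = issuer_key          # shared with the issuer only
        self._pin = pin
        self.atc = 0                    # application transaction counter
        self.pin_tries_left = 3

    @staticmethod
    def transaction_data(amount_cents, atc, unpredictable_number):
        return amount_cents.to_bytes(6, "big") + atc.to_bytes(2, "big") + unpredictable_number

    def generate_cryptogram(self, pin_entered, amount_cents, unpredictable_number):
        """Offline PIN check first; on success, MAC the transaction data.

        Returns None if the PIN is wrong or the card is locked.
        """
        if self.pin_tries_left == 0:
            return None
        if not hmac.compare_digest(pin_entered.encode(), self._pin.encode()):
            self.pin_tries_left -= 1
            return None
        self.pin_tries_left = 3
        self.atc += 1
        data = self.transaction_data(amount_cents, self.atc, unpredictable_number)
        mac = hmac.new(self._key, data, hashlib.sha256).digest()[:8]
        return {"pan": self.pan, "atc": self.atc, "amount": amount_cents,
                "un": unpredictable_number, "arqc": mac}


class Issuer:
    """Holds the per-card keys and the last counter seen for each card."""

    def __init__(self):
        self._keys = {}
        self._last_atc = {}

    def enrol(self, pan, key):
        self._keys[pan] = key
        self._last_atc[pan] = 0

    def authorise(self, msg):
        key = self._keys.get(msg["pan"])
        if key is None:
            return False
        if msg["atc"] <= self._last_atc[msg["pan"]]:   # replayed or stale counter
            return False
        data = Card.transaction_data(msg["amount"], msg["atc"], msg["un"])
        expected = hmac.new(key, data, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(expected, msg["arqc"]):
            return False
        self._last_atc[msg["pan"]] = msg["atc"]
        return True


def terminal_transaction(card, issuer, pin_entered, amount_cents):
    """What the point-of-sale terminal does: pass PIN and amount in, cryptogram out."""
    un = secrets.token_bytes(4)        # terminal's unpredictable number
    msg = card.generate_cryptogram(pin_entered, amount_cents, un)
    if msg is None:
        return "pin_rejected"
    return "approved" if issuer.authorise(msg) else "declined"


def demo():
    """Run the honest case and four attacks; returns a dict of outcomes."""
    key = secrets.token_bytes(16)
    card = Card("4111111111111111", key, "1234")   # constructed test PAN and PIN
    issuer = Issuer()
    issuer.enrol(card.pan, key)
    out = {}
    out["good"] = terminal_transaction(card, issuer, "1234", 4250)
    out["wrong_pin"] = terminal_transaction(card, issuer, "0000", 4250)
    # Skimmer captured a whole cryptogram off the terminal and replays it.
    msg = card.generate_cryptogram("1234", 999, secrets.token_bytes(4))
    issuer.authorise(msg)
    out["replay"] = issuer.authorise(msg)
    # Same capture, amount and counter edited after the fact.
    out["tampered"] = issuer.authorise(dict(msg, amount=1, atc=msg["atc"] + 1))
    # Clone built from everything readable off the magstripe/terminal: no key.
    clone = Card(card.pan, b"\x00" * 16, "1234")
    clone.atc = card.atc
    out["clone"] = terminal_transaction(clone, issuer, "1234", 4250)
    return out


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:10s} {result}")
```

Two details carry the security argument: the counter lets the issuer refuse a replayed cryptogram even though it is otherwise valid, and the clone fails on the MAC rather than on the PIN, because PIN knowledge alone was never the secret. A chip+signature deployment keeps the MAC but drops the PIN gate, so a stolen physical card still works at the terminal.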
Tomi Engdahl says:
Facebook ‘unfriending’ can constitute workplace bullying, Australian tribunal finds
http://www.telegraph.co.uk/news/worldnews/australiaandthepacific/australia/11890275/Facebook-unfriending-can-constitute-workplace-bullying-Australian-tribunal-finds.html
Australia’s workplace tribunal ruled that a woman was bullied after she was unfriended on Facebook following work dispute
The commission has issued an order to stop the bullying.
Legal experts said the case did not mean that unfriending a colleague on Facebook would automatically constitute bullying.
“The Fair Work Commission didn’t find that unfriending someone on Facebook constitutes workplace bullying,” Josh Bornstein, a lawyer at the firm Maurice Blackburn, told ABC News.
“What the Fair Work Commission did find is that a pattern of unreasonable behaviour, hostile behaviour, belittling behaviour over about a two-year period, which featured a range of different behaviours including berating, excluding and so on, constituted a workplace bullying.”
Tomi Engdahl says:
Drop-dead simple exploit completely bypasses Mac’s malware Gatekeeper
A key limitation makes it trivial for attackers to skirt Gatekeeper protections.
http://arstechnica.com/security/2015/09/drop-dead-simple-exploit-completely-bypasses-macs-malware-gatekeeper/
Since its introduction in 2012, an OS X feature known as Gatekeeper has gone a long way to protecting the Macs of security novices and experts alike. Not only does it help neutralize social engineering attacks that trick less experienced users into installing trojans, code-signing requirements ensure even seasoned users that an installer app hasn’t been maliciously modified as it was downloaded over an unencrypted connection.
Now, a security researcher has found a drop-dead simple technique that completely bypasses Gatekeeper, even when the protection is set to its strictest setting. The hack uses a binary file already trusted by Apple to pass through Gatekeeper. Once the Apple-trusted file is on the other side, it executes one or more malicious files that are included in the same folder. The bundled files can install a variety of nefarious programs, including password loggers, apps that capture audio and video, and botnet software.
Tomi Engdahl says:
Lorenzo Franceschi-Bicchierai / Motherboard:
New Stagefright Bugs Leave More Than 1 Billion Android Users Vulnerable
http://motherboard.vice.com/read/new-stagefright-bugs-leave-more-than-1-billion-android-users-vulnerable
In July, a security researcher revealed that Android phones could be hacked with a simple text, thanks to a series of bugs in the Android operating system that are now commonly known as Stagefright.
On Thursday, the same security researcher warned that two new Stagefright bugs can allow hackers to break into your phone by tricking you into visiting a website containing a malicious multimedia file, either mp3 or mp4. These two new bugs were also found in the Android media playback engine called Stagefright, just like the first series of bugs disclosed in late July.
It’s likely that 1.4 billion people are affected by these bugs.
Tomi Engdahl says:
Dan Goodin / Ars Technica:
Hackers breach crowdfunding site Patreon, dump nearly 15 GB of stolen data online including site’s source code, user email addresses and hashed password data
Gigabytes of user data from hack of Patreon donations site dumped online
The inclusion of source code and databases suggests breach was extensive.
http://arstechnica.com/security/2015/10/gigabytes-of-user-data-from-hack-of-patreon-donations-site-dumped-online/
Hackers have published almost 15 gigabytes worth of password data, donation records, and source code taken during the recent hack of the Patreon funding website.
The data has been circulating in various online locations.
“The fact that source code exists … is interesting [and] suggests much more than just a typical SQL injection attack and points to a broader compromise,” he told Ars. Referring to the inclusion of a 13.7-gigabyte database, he added: “At the very least, it means mapping individuals with the Patreon campaigns they supported. There’s more data. I’ll look closer once the restore is complete.”
Hunt, who maintains the widely visited have i been pwned? website, said he expected to index affected e-mail addresses on the service as soon as possible. Update 1: Hunt has now been able to sift through the data and has found 2.3 million unique e-mail addresses, including his own.
According to Patreon officials, user passwords were cryptographically protected using bcrypt, a hashing function that’s extremely slow and computationally demanding to use. Its use was one of the saving graces of the breach, since it meant crackers would have to devote vast amounts of time and resources to crack the hashes. With the inclusion of source code, however, it’s possible crackers may find programming mistakes that could significantly accelerate the process.
Patreon subscribers should make sure they have changed their compromised password, both on Patreon and on any other websites it may have been used.
Check if you have an account that has been compromised in a data breach
https://haveibeenpwned.com/
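The comment above makes two points worth seeing in code: a slow, salted password hash multiplies the cracker’s cost per guess per user, and a mistake visible in leaked source (here, a salt shared across all users) lets the attacker reuse each guess against the whole dump. The script below is an added example, not Patreon’s code or anything from the Ars article. It uses the standard-library PBKDF2-HMAC as a stand-in for bcrypt (the iteration count, the user list, the wordlist and the static-salt bug are all constructed for the demonstration) and counts how many key-derivation calls an offline dictionary attack needs in each case.

```python
import hashlib
import hmac
import os

# Stand-in for bcrypt's cost factor. Assumption for the demo, not Patreon's setting.
ITERATIONS = 50_000


def kdf(password, salt, iterations=ITERATIONS):
    """Slow, salted password hash (PBKDF2-HMAC-SHA256 standing in for bcrypt)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def store(password, salt):
    """What one row of the leaked password table looks like."""
    return {"salt": salt, "hash": kdf(password, salt)}


def crack(records, wordlist):
    """Offline dictionary attack over a dump.

    Returns ({record_index: recovered_password}, kdf_calls). The attacker
    memoises each (salt, guess) result, so if every user shares one salt a
    guess is computed once and reused against everyone; with per-user salts
    every (user, guess) pair costs a full KDF evaluation.
    """
    cache = {}
    found = {}
    work = 0
    for i, rec in enumerate(records):
        for guess in wordlist:
            key = (rec["salt"], guess)
            if key not in cache:
                cache[key] = kdf(guess, rec["salt"])
                work += 1
            if hmac.compare_digest(cache[key], rec["hash"]):
                found[i] = guess
                break
    return found, work


# Constructed sample data: three users and a tiny wordlist.
USERS = [("alice", "letmein"), ("bob", "password1"), ("carol", "correct horse battery")]
WORDLIST = ["123456", "password1", "letmein", "qwerty"]

# The kind of bug leaked source would reveal: one static salt for all rows (hypothetical).
GLOBAL_SALT = b"static-salt-from-config"


def dump_with_per_user_salt():
    """Correct usage: a fresh random salt per user."""
    return [store(pw, os.urandom(16)) for _, pw in USERS]


def dump_with_shared_salt():
    """Broken usage: the same salt reused for every user."""
    return [store(pw, GLOBAL_SALT) for _, pw in USERS]


def compare():
    """Crack both dumps and return (found, kdf_calls) for each."""
    return crack(dump_with_per_user_salt(), WORDLIST), crack(dump_with_shared_salt(), WORDLIST)


if __name__ == "__main__":
    (per_found, per_work), (shared_found, shared_work) = compare()
    print("per-user salt : recovered", per_found, "with", per_work, "KDF calls")
    print("shared salt   : recovered", shared_found, "with", shared_work, "KDF calls")
```

With per-user salts the attacker pays one KDF call for every (user, guess) pair that is tried; with the shared salt the two weak passwords fall out of a table that was built once and reused, which is the acceleration the article warns leaked source code might expose.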
Tomi Engdahl says:
Russia-linked hackers tried to access Clinton’s email server
http://www.foxnews.com/politics/2015/10/01/emails-russia-linked-hackers-tried-to-access-clinton-server/
Hackers linked to Russia attempted at least five times to gain access to Hillary Clinton’s private email account while she was secretary of state, according to emails released Wednesday.
Clinton originally received the infected emails, disguised as speeding tickets, over four hours on the morning of Aug. 3, 2011. The infected emails instructed recipients to print the attached tickets, which would have allowed hackers to take control of their computers.
It is unclear if Clinton clicked on any of the attachments and exposed her account to hackers.
“We have no evidence to suggest she replied to this email or that she opened the attachment,” Nick Merrill, a spokesman for Clinton’s Democratic presidential campaign told the Associated Press. “As we have said before, there is no evidence that the system was ever breached. All these emails show is that, like millions of other Americans, she received spam.”
Security researchers who analyzed the malicious software in September 2011 said the infected computers would transmit information from victims to at least three server computers overseas, including one in Russia.
The virus was concealed as a speeding ticket from Chatham, New York, which was misspelled in the infected emails, and came from a supposed New York City government account containing a “Ticket.zip” file that would have raised a red flag.
A private-sector IT security researcher told Fox News on Wednesday that details associated with the five faux traffic ticket emails sent to Clinton’s private account are in line with a U.S.-government aimed phishing campaign carried out by Russian-linked hackers during that same time period.
Most commercial antivirus software at the time would have detected the software and prevented users from infecting themselves, but it’s unclear if the State Department’s network security would have flagged the infected message, or if Clinton’s private server would have caught it.
Tomi Engdahl says:
I was GOOGLE for a MINUTE, claims dude
Mountain View scrambles after domain quirk gives intern Google.com access
http://www.theregister.co.uk/2015/10/02/guy_buys_google_for_60_seconds/
Google is investigating how an Amazon intern ‘bought’ its Google.com domain.
Mountain View says it has not “noticed anything unusual” and that it didn’t lose control of the domain. Beyond that the company is keeping mum.
Intern Sanmay Ved says he noticed Google.com was available for sale and quickly purchased it for $12.
Ved says he received notifications for the change in ownership for various Google properties (which he declined to name) that are powered by Google Sites (which makes sense given that websites powered by Google Sites rest on the master domain Google.com). “Quite clearly, ownership had been granted to me. Order was successful.”
Without any official comment from Google, it’s nearly impossible to verify whether Ved ever “officially” held the domain. In any case, ICANN rules about brands, intellectual property and domains would have seen the domain revert to Google’s ownership if it had been transferred.
Tomi Engdahl says:
Dangerous resurgent banking malware hits UK
Bank trojan twin pivots to smash supply chain biz
http://www.theregister.co.uk/2015/10/02/dangerous_resurgent_banking_malware_hits_uk/
The formidable Dyreza and Dridex banking malware are back in renewed and rejigged macro-based campaigns that include a shift by the former to target industrial supply chain organisations and by the latter to smash the UK.
Both malware instances are dangerous. Dyreza is a powerful man-in-the-browser bank trojan whose creators have been shifting to target outside of the financial sector.
The authors over time have added targets like the recruitment sector, cyberlockers, domain registrars, and tax services.
Now big ticket industrial supply chain entities have become the latest arrows in Dyreza’s quiver.
“As of 17 September Dyreza now counts an additional 20 organisations directly involved in fulfillment and warehousing including four software companies and five wholesale computer distributors,” Proofpoint researchers say.
“Credential theft triggers include Apple, Iron Mountain, OtterBox and Badge Graphics Systems, and many other well-known consumer- and business-facing technology and service brands.”
Tomi Engdahl says:
Had your ‘anonymised’ health data shared? Bad news
Harvard boffins unmask 100% of ‘encrypted’ S Korean records
http://www.theregister.co.uk/2015/10/02/s_korean_anonymised_health_data_sharing_a_breach_in_waiting/
Researchers from Harvard University have published a paper claiming a 100 per cent success rate in de-anonymising patients from their supposedly anonymised healthcare data in South Korea.
The study, which bears the ronseal title of “De-anonymizing South Korean Resident Registration Numbers Shared in Prescription Data”, was published this week in Technology Science.
Two de-anonymisation experiments were conducted in the study on prescription data from deceased South Koreans, with encrypted national identifiers – Resident Registration Numbers (RRN) – included.
The researchers found significant vulnerabilities in the anonymisation process which is applied to identifiers contained within prescription data, data which is often sold to multinational health companies.
De-anonymizing South Korean Resident Registration Numbers Shared in Prescription Data
http://jots.pub/a/2015092901/#Abstract
Tomi Engdahl says:
Dear President Obama, Stand Up For Strong Security No Secret Backdoors in Our Technology
https://savecrypto.org/
What this is:
Certain members of Congress and the FBI want to force companies to give the government special access to our data—such as by building security vulnerabilities or giving the government a “golden key” to unlock our encrypted communications. But security experts agree that it is not possible to give the government what it wants without creating vulnerabilities that could be exploited by bad actors.
These proposals jeopardize not just our private data, but the security of every technology that relies on this encryption.
One voice could tilt the balance in this debate. We need the President to speak out for uncompromised security.
Sign the below petition to submit your signature electronically to the White House’s “We the People” site. Help us make this the most popular petition in the site’s history.
Tomi Engdahl says:
VeraCrypt Patched Against Two Critical TrueCrypt Flaws
https://threatpost.com/veracrypt-patched-against-two-critical-truecrypt-flaws/114833/
TrueCrypt may be a fond memory for most of its users, but that hasn’t stopped researchers and hackers from poking about the open source encryption software.
Recently, researchers from Google’s Project Zero team uncovered a pair of elevation of privilege vulnerabilities in TrueCrypt, both of which were patched this weekend in VeraCrypt, one of the remaining free disk encryption software packages for Windows available. VeraCrypt is one of two projects that forked the last available TrueCrypt build—CipherShed being the other.
Researcher James Forshaw has not yet made public any details about the flaws, but said on his Twitter feed that the vulnerabilities, though not added intentionally into the codebase, are the type that could have slipped past a code audit and review.
Tomi Engdahl says:
Security Alert: New Ransomware Campaign Has 0% Detection
https://heimdalsecurity.com/blog/security-alert-new-ransomware-campaign-has-0-detection/
There is a new spam campaign targeting Scandinavians and it’s spreading as you’re reading this.
This is the fourth major ransomware campaign we’ve reported since the beginning of September, and what is worrisome is the fact that detection rates have remained very, very low.
How the current ransomware campaign works
The current spam campaign is spreading ransomware by sending a spam email to arbitrary recipients with an attached Word document. That document contains macros, which, when activated, will download and run the malicious ransomware.
The infection will then encrypt all the data files available on the local disk and those available in the network drive, by adding this extension to each of them: “.breaking_bad”
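The campaign described above rides on a Word attachment whose macro downloads the payload, so a useful first-line check at the mail gateway is to look inside the attachment rather than trust its extension. The script below is an added example, not code from Heimdal or from the campaign: it inspects an Office Open XML attachment (the zip-based .docx/.docm/.xlsm family) for a VBA project part or a macro-enabled content type, and builds its own constructed sample documents so it runs offline. Legacy binary .doc files (OLE2) are a different container and are deliberately reported as not inspected rather than silently passed.

```python
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Parts that only exist when a VBA project is embedded (Word, Excel, PowerPoint).
VBA_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
MACRO_ENABLED_MARKER = "macroEnabled"  # e.g. ...ms-word.document.macroEnabled.main+xml


def inspect_office_attachment(data):
    """Return 'macro', 'clean' or 'not-inspected' for one attachment's bytes.

    The verdict is based on the container's contents, not on the file name,
    so a .docm renamed to .docx is still caught.
    """
    if data.startswith(OLE2_MAGIC):
        # Legacy .doc/.xls: needs an OLE parser (e.g. oletools); out of scope here.
        return "not-inspected"
    if not data.startswith(ZIP_MAGIC):
        return "not-inspected"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
            if any(part in names for part in VBA_PARTS):
                return "macro"
            if "[Content_Types].xml" in names:
                ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                if MACRO_ENABLED_MARKER in ctypes:
                    # Declares a macro-enabled main part even if the VBA blob
                    # was stripped: still not something to deliver to a user.
                    return "macro"
    except zipfile.BadZipFile:
        return "not-inspected"
    return "clean"


def triage(attachments):
    """attachments: list of (filename, bytes). Returns [(filename, verdict, action)]."""
    out = []
    for name, data in attachments:
        verdict = inspect_office_attachment(data)
        action = "quarantine" if verdict != "clean" else "deliver"
        out.append((name, verdict, action))
    return out


def build_sample_docx(macro_part, declare_macro):
    """Constructed minimal OOXML document for the demo (not a real Word file)."""
    main_ct = (
        "application/vnd.ms-word.document.macroEnabled.main+xml"
        if declare_macro
        else "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(
            "[Content_Types].xml",
            '<Types><Override PartName="/word/document.xml" ContentType="%s"/></Types>' % main_ct,
        )
        zf.writestr("word/document.xml", "<w:document/>")
        if macro_part:
            # Real vbaProject.bin is an OLE2 compound file; a stub is enough here.
            zf.writestr("word/vbaProject.bin", OLE2_MAGIC + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("invoice.docm", build_sample_docx(True, True)),
        ("invoice.docx", build_sample_docx(True, False)),   # macro part, innocent extension
        ("report.docx", build_sample_docx(False, False)),
        ("old.doc", OLE2_MAGIC + b"\x00" * 32),
    ]
    for row in triage(samples):
        print(row)
```

Run against a mail queue, the "not-inspected" verdict is the one to watch: quarantining it is the safe default for a campaign with near-zero antivirus detection, because the macro lives in exactly the container this check cannot open.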
Tomi Engdahl says:
Hack Brief: Hackers Steal 15M T-Mobile Customers’ Data From Experian
http://www.wired.com/2015/10/hack-brief-hackers-steal-15m-t-mobile-customers-data-experian/
For hackers looking for fraud victims, few targets are as tempting as the data brokers that make a business out of assembling millions of people’s private information. That’s a lesson T-Mobile is learning now that its partnership with one such data collector, Experian, has resulted in the theft of 15 million T-Mobile customers’ private details.
On Thursday T-Mobile revealed that hackers had breached Experian’s network and stolen a trove of T-Mobile’s data, which the carrier had sent to Experian to perform credit checks on potential customers seeking financing for phones or cellular plans. The data stolen from those 15 million victims includes their names, addresses, and birthdates, as well as encrypted social security numbers, drivers’ license ID numbers, and passport ID numbers. Both companies note that encryption may have been cracked by the intruders.
The danger in any breach of a data broker like Experian, of course, is that the company aggregates information on many millions of consumers for credit checks and marketing. The resulting hacker bullseye includes private data that goes well beyond any single corporate client’s consumers.
How Serious Is This?
As massive data breaches go, it could be worse: Experian and T-Mobile have both said that the hacked files didn’t include any credit card or banking data. Even so, the hoard of T-Mobile customer data can still be used for assembling profiles for identity theft.
Though the breach will no doubt ding the reputations of both companies, T-Mobile is taking pains to pin the blame squarely on Experian. “Experian has taken full responsibility for the theft of data from its server,” reads an FAQ on T-Mobile’s website.
The theft of T-Mobile’s customer details is hardly the first time hackers have hit a data broker, as fraudsters hone their attacks on ever-more centralized repositories of personal information.
This latest breach is unusual only in that Experian’s insecurity has dragged T-Mobile into its privacy scandal.