Here is my collection of security trends for 2012 from different sources:
Windows XP will be the biggest security threat in 2012 according to Sean Sullivan, security advisor at F-Secure: “People seem to be adding new systems without necessarily abandoning their old XP machines, which is great news for online criminals, as XP continues to be their favourite target.”
F-Secure also says also that it might not be long before the cyber criminals turn their attentions to tablet devices. Attacks against mobile devices have become more common and I expect this to continue this year as well.
Americans more susceptible to online scams than believed, study finds. A recent survey from The Ponemon Institute and PC Tools dives into this question and reveals a real gap between how aware Americans think they are of scams and how likely they actually are to fall for them.
Fake antivirus scams that have plagued Windows and Mac OSX during the last couple of years and now it seems that such fake antivirus scams have spread to Android. Nearly all new mobile malware in Q3 2011 was targeted at Android.. When antivirus software becomes a universally accepted requirement (the way it is on Windows is the day), has the platform has failed and missed the whole point of being mobile operating system?
Cyber criminals are developing more sophisticated attacks and the police will counterattack.
Mobile phone surveillance will increase and more details of it will surface. Last year’s findings have included Location data collecting smart-phones, Carrier IQ phone spying busted and Police Surveillance system to monitor mobile phones. In USA the Patriot Act lets them investigate anything, anywhere, without a warrant. Now they are on your devices and can monitor everything. Leaked Memo Says Apple Provides Backdoor To Governments: “in exchange for the Indian market presence” mobile device manufacturers, including RIM, Nokia, and Apple (collectively defined in the document as “RINOA”) have agreed to provide backdoor access on their devices.
Geo-location tagging in smartphones to potentially cause major security risks article says that geo-location tagging security issues are likely to be a major issue in 2012—and that many users of smartphones are unaware of the potentially serious security consequences of their use of the technology. When smartphones images to the Internet (to portals such Facebook or Flickr) there’s a strong chance they will also upload the GPS lcoation data as well. This information could be subsequently misused by third parties.
You need to find your balance between freedom and security (
Vapauden ja turvallisuuden tasapaino). Usernames poured out for all to see, passwords and personal identification numbers are published. A knowledge of access management is even more important: who has the right to know when and where the role of functioning? Access, identity and role management are essential for the protection of the whole system. Implementation of such systems is still far from complete.
When designing networked services, the development of safety should taken into account in the planning stage, rather than at the end of execution. Even a secure network and information system can not act as operating a vacuum.
Reliability of the server certificates will face more and more problems. We can see more certificate authority bankruptcies due cyber attacks to them. Certificate attacks that have focused on the PC Web browsers, are now proven to be effective against mobile browsers.
Stonesoft says that advanced evasion techniques (AET) will be a major threat. Stonesoft discovered that with certain evasion techniques (particularly when combined in particular combinations) they could sneak common exploits past many IDS/IPS systems (including their own, at the time last summer). Using the right tool set (including a custom TCP/IP stack) attackers could sneak past our best defenses. This is real and they foresee a not too distant future where things like botnet kits will have this as a checkbox feature.
Rise of Printer Malware is real. Printer malware: print a malicious document, expose your whole LAN says that sending a document to a printer that contained a malicious version of the OS can send your sensitive document anywhere in Internet. Researchers at Columbia University have discovered a new class of security flaws that could allow hackers to remotely control printers over the Internet. Potential scenario: send a resume to HR, wait for them to print it, take over the network and pwn the company. HP does have firmware update software for their printers and HP Refutes Inaccurate Claims; Clarifies on Printer Security. I wonder how many more years until that old chain letter, where some new insidious virus infects everything from your graphics card to your monitor cable, becomes true.
Unauthorized changes in the BIOS could allow or be part of a sophisticated, targeted attack on an organization, allowing an attacker to infiltrate an organization’s systems or disrupt their operations. How Do You Protect PCs from BIOS Attacks? The U.S. National Institute of Standards and Technology (NIST) has drafted a new computer-security publication that provides guidance for computer manufacturers, suppliers, and security professionals who must protect personal computers as they start up “out of the box”: “BIOS Integrity Measurement Guidelines,” NIST Special Publication 800-155.
According to Stonesoft security problems threaten the lives and the year 2012 may be the first time when we lose lives because of security offenses. According to the company does this happen remains to be seen, but the risk is due to industrial SCADA systems attacks against targets such as hospitals or automated drug delivery systems. I already posted around month ago about SCADA systems security issues.
849 Comments
Tomi Engdahl says:
Well now leaks: more than 50 holes of nuclear power plants and factory IT system
Siemens industrial software (previously plagued by Stuxnet) is still full of security holes, a Russian security expert says.
Security holes found in the Siemens WinCC software, which is used in factories and energy plants. The software is used in many countries for society of critical business issues.
Moscow-based security company Positive Technologies’ information security team has found more than 50 security vulnerabilities in the latest WinCC version. Most of the vulnerabilities allows an attacker WinCC’s remote management (for example through browser-based management software page).
Source: http://www.tietoviikko.fi/kaikki_uutiset/no+nyt+vuotaa+yli+50+reikaa+ydinvoimaloiden+ja+tehdaiden+itjarjestelmassa/a854517?s=r&wtm=tietoviikko/-08112012&
Tomi Engdahl says:
RIM good for secret jobs: BlackBerry 10 cleared for Restricted data
http://www.theregister.co.uk/2012/11/08/blackberry_10_fips/
BlackBerry 10 has passed the US Federal Information Processing Standard (FIPS) certification, meaning devices based on the platform can be used to send classified data between government agents. Despite a drop in US government uptake of its kit, this is still something unique to RIM.
Apple and Android have both made huge strides in security, but only RIM has ever managed to get a mobile platform through the FIPS 140-2 process, which is managed by National Institute of Standards and Technology and recognised by the US and Canadian governments. The classification permits the transit of documents up to “restricted” level, so RIM’s devices will be turning up in some halls of power, if not all of them.
The news isn’t hugely surprising. Security has always been core to the BlackBerry platform, rather than something to be added on later, and that’s reflected at every level.
But the certification achieves two other important things too: it reminds everyone that BlackBerry is still the most secure mobile platform, and it keeps everyone talking about the new version for another week or two, the latter being particularly important as there’s still a few months until the launch and RIM needs to stay in the public eye until then.
Tomi Engdahl says:
Adobe Reader 0-day exploit surfaces on underground bazaars
Malformed pdf horrors prowl the internet sewers
http://www.theregister.co.uk/2012/11/08/adobe_reader_zero_day/
Miscreants have reportedly discovered a zero-day vulnerability in latest version of Adobe Reader.
Exploits based on the vulnerability, which circumvents sandbox protection technology incorporated into Adobe X and Adobe XI, are on sale in underground forums. Pricing starts at a hefty $30,000 but the exploit has already made its way into custom versions of the Blackhole Exploit Kit, a popular tool for the distribution of banking trojans such as ZeuS using drive-by download attacks.
The illicit trade was discovered by Moscow-based forensics firm Group-IB
Group-IB explained that the Adobe X vulnerability relies on malformed PDF documents with specially crafted forms.
Adobe is in the process of investigating the vulnerability, which potentially makes its PDF viewing software less safe than alternatives such as Foxit and Sumatra PDF.
Tomi Engdahl says:
Big banks have suffered continuous attacks
Large American banks are constantly under cyber attacks. This said U.S. Napolitano said that the attackers steal money from banks and data, but he refused to reveal further details.
Last month the continuing denial of service attacks have disrupted several major banks, including Wells Fargo, Bank of America and JPMorgan Chase. In addition to that criminals try to get online banking user names and passwords using malware.
In whole world banks use 25 billion dollars security every year. Research firm IDC estimates that banks data security consuming will increase every year 7-9 percent.
Source: http://www.tietoviikko.fi/kaikki_uutiset/isot+pankit+karsivat+jatkuvista+hyokkayksista/a854448?s=r&wtm=tietoviikko/-09112012&
Tomi Engdahl says:
Australian Telcos Declare SMS Unsafe For Bank Transactions
http://it.slashdot.org/story/12/11/08/2143233/australian-telcos-declare-sms-unsafe-for-bank-transactions
“Australia’s telcos have declared that SMS technology should not be used by banks to verify identities for online banking transactions, in a bid to wash their hands of culpability for phone porting hacks. But three of Australia’s largest four banks insist they will continue to use SMS messages to carry authentication codes for transactions.”
Telcos declare SMS ‘unsafe’ for bank transactions
http://www.itnews.com.au/News/322194,telcos-declare-sms-unsafe-for-bank-transactions.aspx
The lobby group for Australian telcos has declared that SMS technology should no longer be considered a safe means of verifying the identity of an individual during a banking transaction.
Communications Alliance chief executive John Stanton, representing the interests of mobile providers Telstra, Optus and Vodafone, took the extraordinary step of of declaring the technology insecure in the wake of numerous reports of Australians being defrauded via a phone porting scam first uncovered in Secure Computing magazine.
“SMS is not designed to be a secure communications channel and should not be used by banks for electronic funds transfer authentication,” Stanton told iTnews this week.
Security experts have warned about the inherent lack of security posed by SMS technology for several years.
As far back as 2008, Australian security expert Stephen Wilson noted that “SMS was not designed to act as a second authentication factor” and its use as one is “probably going to leave [customers] vulnerable to frauds that exploit their credulity or naivety”.
A spokesman for the Commonwealth Bank said the company “has no plans to phase out SMS”.
“While mobile porting is a concern, SMS authentication remains a reliable ID measure in combination with secure passwords and proper phone security,” said a spokesman for the National Australia Bank.
“Sending an SMS message to a customer’s mobile provides a secondary check of identity outside the online platform.”
Spokesmen for both banks said SMS should be considered part of a “layered” security solution.
Home buyer funds targeted in phone porting scam
http://www.itnews.com.au/News/322059,home-buyer-funds-targeted-in-phone-porting-scam.aspx
Real estate trusts targeted.
Australia’s banks and telcos have failed to prevent fraudsters from using phone porting to siphon funds from compromised bank accounts.
As first explored in an investigation in SC Magazine, cybercriminals have developed simple social engineering techniques to take control of the mobile phones of online banking users whose credentials have earlier been captured by key loggers and other malware.
With only a few phone calls to a victim’s workplace or home address, a fraudster can gain enough information (date of birth and mobile phone number) to port a victim’s mobile phone number to a new SIM device and intercept one-time passwords sent via SMS for online banking sessions.
Several new cases in Western Australia suggest that fraudsters have discovered a new form of target.
Tomi Engdahl says:
“Why the hell does this mouse need to connect to the Internet?”
Razer asks users to activate gaming mice online, uproar follows.
http://arstechnica.com/gadgets/2012/11/why-the-hell-does-this-mouse-need-to-connect-to-the-internet/
In this hyper-connected, networked world, many more of our devices are getting linked to the cloud, whether we want them to or not. That’s sometimes good, and sometimes bad, so when a basic device like a mouse requires a user to go online and set up an account to activate all of its functionality, people are understandably going to ask why?
We’ve seen really bad implementations of cloud connectivity for devices that simply don’t need it. Witness Cisco’s “Connect Cloud” program that replaced the traditional management interface for wireless routers with a cloud-connected one that was less useful and contained some bizarre anti-porn and anti-piracy terms of service
Tomi Engdahl says:
Cleaning Out The Turkey Coop: What To Do After You Get Rid of an Incompetent Employee
http://h30565.www3.hp.com/t5/Feature-Articles/Cleaning-Out-The-Turkey-Coop-What-To-Do-After-You-Get-Rid-of-an/ba-p/8656
Everyone focuses on security tasks, after you fire the idiot, such as changing passwords, but that’s just one part of the To Do list. More important, in the long run, is the cleanup job that needs to be done after you fire the turkey, looking for the hidden messes and security flaws the ex-employee may have left behind.
Tomi Engdahl says:
Fake tech gear has infiltrated the U.S. government
http://money.cnn.com/2012/11/08/technology/security/counterfeit-tech/index.html
A record number of tech products used by the U.S. military and dozens of other federal agencies are fake. That opens up a myriad of national security risks, from dud missiles to short-circuiting airplane parts to cyberespionage.
Despite laws designed to crack down on counterfeiters, suppliers labeled by the U.S. government as “high risk” are increasing their sales to federal agencies.
Suppliers with the high-risk branding are known to engage in counterfeiting, wire fraud, product tampering and a laundry list of other illicit and illegal behaviors.
The number of fake tech products floating around in the market quadrupled from 2009 to 2011, according to IHS — and they’re sneaking into some high-profile places.
“Counterfeit parts pose an increasing risk to our national security, to the reliability of our weapons systems and to the safety of our men and women in uniform,” Sen. John McCain, a Republican from Arizona, said last year in support of anti-counterfeiting regulations.
Tomi Engdahl says:
Network banking malware is developing so rapidly that prevention programs are struggling to keep up with.
Scam companies against online banking has become a daily occurrence. What is new is that the threats lurking up the banks’ own websites.
There are security problems in site analytics extensions that have been purchased from external partners.
“discovery of vulnerabilities, which the criminals could have access to the client and the network between the bank’s”
“Until now, they have been observed in checks on time.”
The biggest and the most common threat lurking at the moment, “man in the browser” – that is, “the man in your browser” type of malware. It means that the criminal sees the customer’s bank sent usernames and passwords.
“The attacker captures when going to an online bank transfers and makes the background. The user sees online banking pages normally, “security company RSA’s online banking expert Jon Estlander says.
Finnish security company F-Secure trying to respond to this challenge by adding online banking security feature to it’s security software suite. It is activated when the well-known online bank opens.
Source: http://www.3t.fi/artikkeli/uutiset/teknologia/nain_verkkopankkirikollinen_iskee
Tomi says:
Failure to have proper security measures on your computers can cause quite considerable financial losses even if no information gets stolen like in this new story:
Exclusive: SEC left computers vulnerable to cyber attacks – sources
http://www.reuters.com/article/2012/11/09/net-us-sec-cyber-idUSBRE8A804P20121109
Staffers at the U.S. Securities and Exchange Commission failed to encrypt some of their computers containing highly sensitive information from stock exchanges, leaving the data vulnerable to cyber attacks, according to people familiar with the matter.
Some of the staffers even brought the unprotected devices to a Black Hat convention, a conference where computer hacking experts gather to discuss the latest trends.
One of the people familiar with the SEC’s security lapse said the agency was forced to spend at least $200,000 and hire a third-party firm to conduct a thorough analysis to make sure none of the data was compromised.
The watchdog’s report has already been circulated to the SEC’s five commissioners, as well as to key lawmakers on Capitol Hill, and is expected to be made public soon.
The revelation comes as the SEC is encouraging companies to get more serious about cyber attacks. Last year, the agency issued guidance that public companies should follow in determining when to report breaches to investors.
Cyber security has become an even more pressing issue after high-profile companies from Lockheed Martin Corp to Bank of America Corp have fallen victim to hacking in recent years.
Nasdaq OMX Group, which runs the No. 2 U.S. equities exchange, in 2010 suffered a cyber attack on its collaboration software for corporate boards, but its trading systems were not breached.
Tomi says:
Professional thieves tormenting tourists:
Finnish mobile phones was the manufactured outrageous bills
Finnish mobile phones are stolen was the manufactured large bills, especially in Barcelona. A wild sum is possible to create a very short period of time.
A stolen phone is to make the greatest possible bill in a very short period of time. The phone is used to call abroad from Spain to the service number, or the phone is call forwarding, which directs the caller to foreign service number.
- Looks a bit, it appears that this activity is organized or at least going in the direction of a professional, estimates of Sonera’s mobile communications business leader Timo Saxen.
Stolen phones are used to call especially to Somalia and Sri Lanka.
- Call transfer seems to be especially popular now.
You should always protect your phone with a PIN. If your phone has other security features, you should also use them.
The surest way to protect against this is to call your operator immediately when the phone is lost or stolen.
The consumer is responsible for the use of their phones until the connection loss is reported to the operator.
- Oman operator shut-off service number should carry with you at places other than on the phone. When the phone is lost, there is no time to start looking for internet cafes, but should immediately call the operator and to cancel the subscription
Source: http://www.iltalehti.fi/uutiset/2012110916300476_uu.shtml
Tomi Engdahl says:
Windows 8 protected from 85% of malware detected in the past six months, right out the box
http://thenextweb.com/microsoft/2012/11/09/windows-8-protected-from-85-of-malware-detected-in-the-past-six-months-right-out-the-box/
Security firm BitDefender ran a very interesting test recently: the company took 385 of the most popular malware samples it found in the past six months and threw them at Windows 8 to see how it fares in its default state (with Windows Defender enabled).
Only 61 malware threats managed to infect Windows 7′s successor, or about 15.84 percent. BitDefender rounded this down and declared that the “Newly launched Window 8 is prone to infection by some 15 per cent of the 100 malware families most used by cyber criminals this year.” I prefer the reverse number, as you can see in the headline above.
While we do know BitDefender is in the business of selling security software, it’s difficult to say more on the results without more data. Either way, 15 percent is an impressive achievement. Microsoft will surely continue updating its definitions, and this number will only drop further.
With Windows Defender disabled, 234 of the samples ran successfully (60.78 percent), 138 samples could not be started on the machine for various reasons (35.84 percent), six threats executed but then crashed (1.56 percent), and seven others launched but had their payload blocked by UAC (1.82 percent).
Tomi says:
The New Face of Energy Insecurity
http://nationalinterest.org/commentary/the-new-face-energy-insecurity-7715#.UJ6wNNja3-c.twitter
The future of energy insecurity has arrived. In August, a devastating cyber attack rocked one of the world’s most powerful oil companies, Saudi Aramco, Riyadh’s state-owned giant, rendering thirty thousand of its computers useless.
What makes this kind of attack so worrying is the risk it poses to energy prices and hence the U.S. economy. Stopping oil production in Saudi Arabia could turn into a catastrophic loss of oil supplies.
The August attack on Saudi Aramco was only the most recent volley in what Washington has described as “low-grade cyberwar” in the Middle East, in this case likely involving Iran.
Saudi Aramco was not the only casualty. RasGas, a Qatari natural gas company and the second-biggest producer of liquefied natural gas in the world, fell victim to an identical virus a short time after the Saudis.
Oil, gas and petrochemical companies are popular targets for hackers, who have ramped up their assault on these firms over the last two years. McAfee, an Internet-security firm, described in a recent study a barrage of “coordinated covert and targeted cyberattacks,” coming mostly from China, targeting energy companies around the world. The aim of these operations was to get ahold of proprietary data such as oil reserves, bidding strategies and critical infrastructure.
But this summer’s attack on Saudi Aramco differs from these more traditional cyber espionage cases in a critical way: It wasn’t about the data. It was about disabling the company’s operations.
Virtual warfare against energy companies will not end anytime soon. Hackers are well aware that crippling oil operations offers significant leverage, strategically speaking, as acts of terror: a single successful act has the potential to hurt oil-consuming nations far beyond the Middle East.
Defending the world’s major energy suppliers against debilitating cyber threats will not be easy, but it is essential. The risk cannot be eliminated
Tomi says:
One in four don’t clean their stinky old browsers – especially Firefoxers
http://www.theregister.co.uk/2012/11/12/outdated_browser_software_kaspersky/
Nearly one in four netizens are using outdated web browsers and are therefore easy pickings for viruses and exploit-wielding crooks.
The average home user upgrades his or her browser to the latest version one month after it is released, according to a survey of 10 million punters. Two thirds of those using old browser software are simply stuck on the version prior to the latest release – the remaining third are using even older code.
Firefox users tend to be the worst for keeping up to date with new software releases, according to the survey by security biz Kaspersky Lab. The proportion of users with the most recent version installed was 80.2 per cent for Internet Explorer and 79.2 per cent for Chrome, but just 66.1 per cent for Firefox.
“Our new research paints an alarming picture. While most users make a switch to the most recent browser within a month of the update, there will still be around a quarter of users who have not made the transition. That means millions of potentially vulnerable machines, constantly attacked using new and well-known web-born threats.”
tomi says:
Petraeus case shows FBI’s authority to read email
http://news.yahoo.com/petraeus-case-shows-fbis-authority-read-email-221953424.html
Your emails are not nearly as private as you think.
Under the 1986 Electronic Communications Privacy Act, federal authorities need only a subpoena approved by a federal prosecutor — not a judge — to obtain electronic messages that are six months old or older. To get more recent communications, a warrant from a judge is required.
Tomi says:
Lockheed Martin: Cyber attacks have increased dramatically
The U.S. defense giant, Lockheed Martin says their networks against attacks have increased dramatically in recent years in both volume and quality terms.
Lockheed Martin’s network is managed to break at least once (related to break to RSA), but the company says the damages were minor.
Lockheed’s security chief Chandra McMahon pointed out by Reuters that the company’s improved protection has caused that attackers have begun to bombard its suppliers.
McMahon said Lockheed had seen “very successful” attacks against a number of its suppliers.
Defence companies are not only cyber attack items, they are also cyber weapon developers.
Northrop Grumman, Lockheed Martin and Raytheon have been looking for people who know how to do cyber attacks.
Source: http://www.itviikko.fi/uutiset/2012/11/13/asejatti-kyberiskut-ovat-kasvaneet-dramaattisesti/201241919/7?rss=8
Tomi Engdahl says:
Technology does not solve the security problems
Security organizations seek to solve as the islets, which is why the technical security takes too much attention to the states this week at Aalto University in the audited dissertation. The candidate Paavo Bourgeois believes that the technical protection of information security, does not improve overall security significantly.
greater significance to organizational measures, such as leadership and staff capabilities. Technical measures he considers to cover only 36 per cent of safety.
Bourgeois advises assimilate information security management seamlessly into business processes, management, and also to tailor its undertaking. Staff security awareness and participation are key.
Dissertation surveyed one city and nine corporate information security space
Source: http://www.tietokone.fi/uutiset/tekniikka_ei_ratkaise_tietoturvaongelmia
Tomi Engdahl says:
The Globalization Of Cyberespionage
http://www.darkreading.com/advanced-threats/167901091/security/attacks-breaches/240115353/the-globalization-of-cyberespionage.html
Newly revealed cyberspying campaign against Israeli and Palestinian targets demonstrates how the threat is no longer mostly a China thing.
While much of the attention has been trained on China as the source of cyberespionage, the discovery of this latest operation highlights just how popular and easy it has become to execute cyberspying. Thanks to ease of access and use of remote access Trojan (RAT) tools and reliability of social engineering, you don’t need nation-state backing to conduct these types of targeted attacks.
Researchers at Norman Security today revealed that they recently analyzed malware used in phishing emails targeting Israeli and Palestinian targets and found that attackers used malware based on the widely available Xtreme RAT crimeware kit.
Oftedal says he has seen XTreme RAT used in all types of attacks.
Cyberespionage attacks from various players will increase in the coming year, he says. “I believe that next year we’ll see more actors from different nations” conducting cyberespionage, Raff says. “I think such efforts are already in place, and [we] saw that with last year’s attacks. The way I see this is that next year, more of such attacks will be discovered — meaning they are taking place as we speak but go under the radar.”
“Now that people realize espionage is the focus in a lot of cases, they are not so quick to dismiss malware samples that come in that are new and not usual,”
Tomi Engdahl says:
You’ve got more chance of being selected than ever before…. for a DDoS attack.
With Distributed Denial of Service (DDoS) attacks on the rise, it’s time to realize that your existing security solutions might not be enough.
If you think your business is covered then consider this…• 40% of current attacks penetrate existing security mechanisms (when no DDoS solution is in place)
• The average DDoS attack size is up 27% in 2012
• The hard cost of a DDoS attack is directly related to your ability to mitigate it
The impact on reputation and customer loyalty however, can be even greater.
Source:
[MARKETING] Think you’re not in the line-up?
“Exclusive Networks”
Tomi Engdahl says:
Security hole allows anyone to hijack your Skype account using only your email address
http://thenextweb.com/microsoft/2012/11/14/security-hole-allows-anyone-to-hijack-your-skype-account-using-only-your-email-address/
A new security hole has been discovered in Microsoft’s Skype that allows anyone to change your password and thus take over your account. The issue was first posted on a Russian forum two months ago and has been confirmed by The Next Web (we have not linked to any of the blogs or posts detailing the exploit because it is very easy to reproduce).
Update: Skype appears to have pulled its password reset page, stopping this flaw in its tracks.
Tomi Engdahl says:
Surveillance and Security Lessons From the Petraeus Scandal
http://www.aclu.org/blog/technology-and-liberty-national-security/surveillance-and-security-lessons-petraeus-scandal
When the CIA director cannot hide his activities online, what hope is there for the rest of us? In the unfolding sex scandal that has led to the resignation of David Petraeus, the FBI’s electronic surveillance and tracking of Petraeus and his mistress Paula Broadwell is more than a side show—it’s a key component of the story. More importantly, there are enough interesting tidbits (some of which change by the hour, as new details are leaked), to make this story an excellent lesson on the government’s surveillance powers—as well as a reminder of the need to reform those powers.
Metadata is king
Webmail providers like Google, Yahoo and Microsoft retain login records (typically for more than a year) that reveal the particular IP addresses a consumer has logged in from. Although these records reveal sensitive information, including geo-location data associated with the target, US law currently permits law enforcement agencies to obtain these records with a mere subpoena—no judge required.
Although Ms. Broadwell took steps to disassociate herself from at least one particular email account, by logging into other email accounts from the same computer (and IP address), she created a data trail that agents were able to use to link the accounts.
Digital “dead drops” don’t protect you from government surveillance
For more than a decade, a persistent myth in Washington DC, fueled by several counterterrorism experts, has been that it is possible to hide a communications trail by sharing an email inbox, and instead saving emails in a “draft” folder.
Apparently, this method was also used by General Petraeus. According to the Associated Press
The problem is, like so many other digital security methods employed by terrorists, it doesn’t work. Emails saved in a draft folder are stored just like emails in any other folder in a cloud service, and further, the providers can be compelled, prospectively, to save copies of everything (so that deleting the messages after reading them won’t actually stop investigators from getting a copy).
I hope that this scandal will finally kill off this inaccurate myth about hiding emails from the government. General Petraeus should have known better—placing documents in an email “drafts” folder is not an effective way to hide things from the government. It wasn’t 10 years ago, and it certainly isn’t anymore.
Tomi Engdahl says:
Cybersecurity Bill Killed, Paving Way for Executive Order
http://www.bloomberg.com/news/2012-11-15/cybersecurity-bill-killed-paving-way-for-executive-order.html
U.S. Senate Republicans yesterday killed cybersecurity legislation backed by President Barack Obama, increasing prospects the White House will implement some of the bill’s provisions through an executive order.
“It to some degree hardens the lines of division, which makes it more likely we’ll see an executive order rather than an attempt to revive the legislation in the near term,”
“The only other thing that can produce legislation is a major cybersecurity meltdown,” said Baker, a partner at the Steptoe & Johnson law firm in Washington.
“Cybersecurity is dead for this Congress,” Reid said after the vote.
The legislation, introduced in February by Senators Joe Lieberman, a Connecticut independent, and Susan Collins, a Maine Republican, would have created voluntary cybersecurity standards for companies that operate infrastructure such as power grids and chemical plants considered essential to U.S. national security. The bill also would have encouraged companies and the government to share information on cyber threats.
“Whatever we do on this bill, it’s not enough for the Chamber of Commerce,” Reid said.
Pentagon Role
Obama has signed a separate directive setting policy for how the government handles threats in cyberspace, according to three current and former administration officials. The directive opens the door to a bigger role for the Defense Department, directing it to provide civilian agencies with technical help on cybersecurity, according to a former senior intelligence official familiar with the document.
Tomi Engdahl says:
Obama signs secret directive to help thwart cyberattacks
http://www.washingtonpost.com/world/national-security/obama-signs-secret-cybersecurity-directive-allowing-more-aggressive-military-role/2012/11/14/7bf51512-2cde-11e2-9ac2-1c61452669c3_story.html
President Obama has signed a secret directive that effectively enables the military to act more aggressively to thwart cyberattacks on the nation’s web of government and private computer networks.
Presidential Policy Directive 20 establishes a broad and strict set of standards to guide the operations of federal agencies in confronting threats in cyberspace, according to several U.S. officials who have seen the classified document and are not authorized to speak on the record. The president signed it in mid-October.
The new directive is the most extensive White House effort to date to wrestle with what constitutes an “offensive” and a “defensive” action in the rapidly evolving world of cyberwar and cyberterrorism
The policy also lays out a process to vet any operations outside government and defense networks
“What it does, really for the first time, is it explicitly talks about how we will use cyber-
operations,” a senior administration official said. “Network defense is what you’re doing inside your own networks. . . . Cyber-operations is stuff outside that space, and recognizing that you could be doing that for what might be called defensive purposes.”
The policy, which updates a 2004 presidential directive, is part of a wider push by the Obama administration to confront the growing cyberthreat, which officials warn may overtake terrorism as the most significant danger to the country.
The Pentagon is expected to finalize new rules of engagement that would guide commanders on when and how the military can go outside government networks to prevent a cyberattack that could cause significant destruction or casualties.
Tomi Engdahl says:
Battery-Powered Transmitter Could Crash A City’s 4G Network
http://mobile.slashdot.org/story/12/11/14/1932211/battery-powered-transmitter-could-crash-a-citys-4g-network
“With a £400 transmitter, a laptop and a little knowledge you could bring down an entire city’s high-speed 4G network. This information comes from research carried out in the U.S. into the possibility of using LTE networks as the basis for a next-generation emergency response communications system.”
‘If LTE technology is to be used for the air interface of the public safety network, then we should consider the types of jamming attacks that could occur five or ten years from now”
One Simple Trick Could Disable a City’s 4G Phone Network
http://www.technologyreview.com/news/507381/one-simple-trick-could-disable-a-citys-4g-phone-network/
High-speed LTE networks could be felled by a $650 piece of gear, says a new study.
The high-bandwidth mobile network technology LTE (long-term evolution) is rapidly spreading around the world. But researchers show that just one cheap, battery-operated transmitter aimed at tiny portions of the LTE signal could knock out a large LTE base station serving thousands of people. “Picture a jammer that fits in a small briefcase that takes out miles of LTE signals—whether commercial or public safety,” says Jeff Reed, director of the wireless research group at Virginia Tech.
“This can be relatively easy to do,” and it would not be easy to defend against, Reed adds. If a hacker added an inexpensive power amplifier to his malicious rig, he could take down an LTE network in an even larger region.
If LTE networks were to be compromised, existing 3G and 2G networks would still operate—but those older networks are gradually being phased out.
There are seven other such weak points, the researchers say, any one of which could be used to jam an LTE signal with a low-power transmitter. “There are multiple weak spots—about eight different attacks are possible. The LTE signal is very complex, made up of many subsystems, and in each case, if you take out one subsystem, you take out the entire base station.”
All that would be required is a laptop and an inexpensive software-defined radio unit (which can cost as little as $650). Battery power, including from a car battery, would then be enough to jam an LTE base station. Doing so would require technical knowledge of the complexity of the LTE standard, but those standards—unlike military ones—are openly published. “Any communications engineer would be able to figure this stuff out,” Lichtman says.
All of the latest smartphones and major carriers are heavily promoting a transition to LTE networks. Around the world, nearly 500 million people have access to the signals from more than 100 LTE operators in 94 countries. The technology can be 10 times faster at delivering data, such as video, than 3G networks.
No jamming of LTE networks is known to have happened as a result of the vulnerabilities,
The impact of any LTE vulnerabilities could be enormous. By Ericsson’s estimate, half the world’s population will have LTE coverage by 2017. And many consumer devices—including medical monitors, cameras, and even vehicles—may adopt LTE technology for a new wave of applications
Digital cellular communications were engineered to address another security concern. “Back in the old days, our students used to listen in on cell-phone conversations for entertainment. It was extremely easy to do. And that was actually one of the key motivators behind digital cellular systems,” Reed says. “LTE does a good job of covering those aspects. But unconventional security aspects, such as preventing signal jamming, have been largely overlooked.”
Tomi Engdahl says:
Adobe Connect breach pops lid off ‘Letmein’ logins of gov, army types
Plus: Did someone forget the salt?
http://www.theregister.co.uk/2012/11/16/adobe_forum_breach/
A breach of Adobe’s Connectusers.com forum database has once again exposed password security foibles, as well as website security shortcomings on Adobe’s part.
The software developer stressed in a statement that its Adobe Connect web conferencing service itself was not affected by the breach.
An Egyptian hacker named “ViruS_HimA” has stepped forward to claim he hacked into “one of Adobe’s servers” before extracting a database containing email addresses, password hashes and other information of over 150,000 Adobe customers, partners and employees.
“We reset the passwords of all Connectusers.com forum members and are reaching out to those members with instructions on how to set up new passwords once the forum services are restored.”
“Based on an analysis of the leaked data, the password hashes – encrypted versions of the passwords – stored in the compromised Adobe database had been generated with MD5, a cryptographic hash function that’s known to be insecure. This means that they can easily be cracked to recover the original passwords,”
Tomi Engdahl says:
Kill the Password: Why a String of Characters Can’t Protect Us Anymore
http://www.wired.com/gadgetlab/2012/11/ff-mat-honan-password-hacker/all/
You have a secret that can ruin your life.
It’s not a well-kept secret, either. Just a simple string of characters—maybe six of them if you’re careless, 16 if you’re cautious—that can reveal everything about you.
Your email. Your bank account. Your address and credit card number. Photos of your kids or, worse, of yourself, naked. The precise location where you’re sitting right now as you read these words. Since the dawn of the information age, we’ve bought into the idea that a password, so long as it’s elaborate enough, is an adequate means of protecting all this precious data. But in 2012 that’s a fallacy, a fantasy, an outdated sales pitch. And anyone who still mouths it is a sucker—or someone who takes you for one.
No matter how complex, no matter how unique, your passwords can no longer protect you.
Look around. Leaks and dumps—hackers breaking into computer systems and releasing lists of usernames and passwords on the open web—are now regular occurrences. The way we daisy-chain accounts, with our email address doubling as a universal username, creates a single point of failure that can be exploited with devastating results.
The age of the password is over. We just haven’t realized it yet.
And no one has figured out what will take its place.
What we can say for sure is this: Access to our data can no longer hinge on secrets—a string of characters, 10 strings of characters, the answers to 50 questions—that only we’re supposed to know. The Internet doesn’t do secrets. Everyone is a few clicks away from knowing everything.
Tomi Engdahl says:
Denial of service attacks. Data leaks. System crashes. Malicious code execution. All examples of the impact of exploited memory vulnerabilities in your code. As a diligent and security-conscious software developer, you need to arm yourself with the knowledge to defend your code against these issues.
Source: Electronics Development Bulletin
Tomi Engdahl says:
Computer security experts warn of risks of a planned a big hospital information system Helsinki and its nearby cities in Finland. This system is called Apotti. If the security is not taken into account with the order, the system can become vulnerable.
In a number of public projects, information security is a high price had to be rectified afterwards.
A giant-patient information system is planned to handle patient data of 1.5 million people. The information security field, the companies have been closely monitoring the way the gigantic project will be to ensure that the information does not reach the wrong hands.
For example, in the United States calculated that in a few years 21 million people in the patient information has leaked. Some of the leaks have occurred, the system has been hacked, but to a much greater amount of information has been wrong for you, as the workers have lost their computers or storage media.
Security Company nSense Ltd CEO Jonas Lundberg estimates that the patient information is vulnerable to attack as much as any other Web resource.
There is detailed information about the people, and knowledge is power in these cases. That information can be sold if attacker gets it.
The other side of safety is the fact that the system should detect if it experiences abuse (in Finland there is a known case in which a worker pretended to be a doctor and did different things on hospital system).
Professionals, a key concern is that the system is too large entity that controls can not keep anyone’s hands.
- It seems that it is doing a giant colossus. What is being seen around the world, so Oh well, does not have anywhere else worked, summarized F-Secure, the company’s senior researcher Jarno Niemelä.
F-Secure Niemelä model calls for the credit card and banking systems
- Credit Card World is based on the fact that no one mammoth system, but a number of independent systems, each with its own control, and then they talk to each other, and again, I need control.
- The standard software for information security should be tested before a binding contract award decision, summarized Nixu’s sales and marketing director Petri Kairinen.
In many cases, the systems have not passed the official inspection and data security have had to improve their arrears. In practice, this has meant more programming work.
- The costs are typically 6-10 times higher compared to that security should be taken into account in the construction of the system, says Paananen.
Abbot of the system cost estimated at 350 to 450,000,000 euros over ten years.
Source:
Apotti-järjestelmän tietoturva epäilyttää ammattilaisia
http://yle.fi/uutiset/apotti-jarjestelman_tietoturva_epailyttaa_ammattilaisia/6380564
Tomi Engdahl says:
Facebook Switching To HTTPS By Default
http://it.slashdot.org/story/12/11/19/2359205/facebook-switching-to-https-by-default
“Facebook this week will begin turning on secure browsing be default for its millions of users in North America. The change will make HTTPS the default connection option for all Facebook sessions for those users, a shift that gives them a good baseline level of security and will help prevent some common attacks.”
Tomi Engdahl says:
Engineers: It’s BYOD for Life
http://www.designnews.com/author.asp?section_id=1386&doc_id=254426&cid=NL_Newsletters+-+DN+Daily
Not Adams Smith, Tocqueville, or even Milton Friedman himself could have predicted how electronic consumerism would transform the workplace.
the concept of “bring your own device” (BYOD) is causing every type of business to do some restructuring for the sake of security.
The trend is clear. The consulting firm Ovum surveyed 4,000 full-time employees and found that 70 percent use their own smart devices to access corporate information.
The fact that employees never disconnect their devices is where the extra time is picked up. MW stated the 92 percent of people who remain online afterhours and on vacation are “content… [with] the job flexibility.”
Privacy and security are the main concerns with the BYOD movement. These studies have also exposed that IT departments are ineffective, oblivious, or simply ignoring the fact that all these extra network connections pose a security risk for malware infecting their systems or data being lost or stolen.
But, BYOD helps the bottom line (profit) and is so well received by workers that others are calling for IT departments to simply focus on developing adequate strategies and policies that promote each business’s goals and offer interoperability between devices instead of policing workers.
Furthermore, the BYOD trend is helping some businesses expand as they launch services and products to assess and secure companies’ networks.
What’s next?
All of these studies, products, and efforts make it clear that BYOD is here to stay. So the question remains, how will this affect the evolution of engineering alongside BYOD?
Policies to ensure safe and secure use of personal devices will allow engineers to access more corporate data, which has obvious benefits when working in the era where time means everything.
Times are changing. The consumer world and the corporate business structure are inevitably merging.
Tomi Engdahl says:
BT: Olympics cyber attackers were amateurs
No match for exhaustive planning and over-provisioning
http://www.theregister.co.uk/2012/11/21/schneier_bt_olympics_no_cybergeddon/
Twelve year old hacktivists and journalists with infected laptops were the biggest info security threats to the London 2012 Games – an event which in the end was notable for the absence of a major cyber attack, BT has revealed.
The telco giant was in charge of supporting the official London2012.com site and the huge IP infrastructure which carried voice, cable TV, wireless and everything in between around the sites, according to BT’s global head of secure customer advocacy, Phil Packman.
Yet despite the dire warnings from Beijing and Vancouver officials, who told BT they’d “be run ragged”, the predicted massive onslaught never materialised,
“We geared up for complex attacks from various actors and the reality is they were unsophisticated and perpetrated by children,”
“We were geared up specifically to look at something sinister and the reality was much more amateurish,”
“But this brought its own challenges – the attacks were a lot more sporadic and less obvious. On day two or three they attacked the wrong company because they got the URL of a sponsor wrong.”
The only other major security challenge was heralded by the arrival of 25,000 journalists, all of whom required unfettered access to the network on their own devices.
With some of these devices infected and generating spam, that made for some fraught negotiations ensued between BT and some overzealous blacklisting companies worried about the spike in unusual traffic coming from the UK telco’s address space, said Packman.
Some writers were apparently less than enthused by BT’s attempts to locate and clean up any infected machines – valuing their right to privacy on the network more than the impact their infected machines had on others.
Attack traffic averaged less than one per cent of total volumes, with most of that figure accounted for by “background noise” rather than anything specifically targeted at the Games, Packman added.
According to Schneier, every system – be it social, biological, etc. – requires co-operation to work properly, but there will also inevitably be ‘defectors’ – those who choose not to co-operate – and it is security which “keeps defectors down to an acceptable level”.
“Security is a tax on the honest in a very real sense because nothing Phil Packman did in a sense made anything better, it just stopped other people making things worse,” he said.
“This is why our jobs are so difficult, because if you do a good job no-one knows.”
“I’m a short-term pessimist but a long-term optimist.”
Tomi Engdahl says:
Hosting Provider Automatically Fixes Vulnerabilities In Customers’ Websites
http://it.slashdot.org/story/12/11/21/012242/hosting-provider-automatically-fixes-vulnerabilities-in-customers-websites
“Dutch hosting provider Antagonist announced their in-house developed technology that automatically detects and fixes vulnerabilities in their customers’ websites.
Tomi Engdahl says:
Hosting provider Antagonist automatically fixes vulnerabilities in customers’ websites
https://www.antagonist.nl/blog/2012/11/hosting-provider-antagonist-automatically-fixes-vulnerabilities-in-customers-websites/
Dutch hosting provider Antagonist is proud to announce their unique and in-house developed technology that automatically detects and fixes vulnerabilities in their customers’ websites. Antagonist is the first hosting provider on the planet to offer this service, and plans to license the technology to other hosting providers as well.
Automatically detecting and fixing vulnerabilities
Antagonist developed a unique and innovative technology that allows them to support their customers in keeping their websites safe. The software regularly scans the websites for vulnerabilities and automatically fixes the detected security holes. In case the website is compromised, in spite of the security measures, the software automatically cleans up any uploaded malware.
As soon as a vulnerability is detected, we inform the customer. We also explain how the customer can resolve the issue. In case the customer does not respond to our first notice within the next two weeks, we automatically patch the vulnerability.
Today’s announcement makes Antagonist the first hosting provider on the planet to offer this exclusive service to their customers, allowing them to automatically fix vulnerabilities.
63 percent of the webmasters who maintain a hacked website has no idea how their website got hacked. A mere 6 percent actually detects the security breach on their own. These are the findings of a report by StopBadware and security company Commtouch.
Less than half of the webmasters (46 percent) was able to fix the vulnerability themselves through the help of a forum or other external resource. 20 percent consulted the expertise of a security company and 14 percent was only able to fix the problem with help from their hosting provider.
“an ounce of prevention is worth a pound of cure”
Traditional technologies aimed at website security only start responding after the website has been hacked; they treat the damage caused by a successful hack instead of preventing the hack in the first place. Antagonist proactively fixes security vulnerabilities in, for example, Content Management Software.
In cases where the website is compromised, in spite of the security measures, the software automatically cleans up any uploaded malware.
Tomi Engdahl says:
Compromised Websites
An Owner’s Perspective
February 2012
http://www.stopbadware.org/pdfs/compromised-websites-an-owners-perspective.pdf
Tomi Engdahl says:
Security researcher found guilty of conspiracy and identity fraud in ‘hackless’ AT&T iPad hack
http://www.theverge.com/2012/11/20/3673754/att-ipad-hack-email-auernheimer-iccid-goatse
The trial surrounding Goatse Security’s 2010 collection and disclosure of AT&T iPad users’ emails has come to a close
Back in 2010, AT&T was making its iPad 3G users’ email addresses available to anyone with the associated ICC-ID — a unique number that authenticates the user’s SIM card to AT&T. According to chat transcripts posted by Wired, Auernheimer and 27-year-old Daniel Spitler (who accepted a plea bargain last year) wrote a script that randomly pinged AT&T’s website with ICC-IDs, harvesting the email addresses it spit out. In the end, the two compiled a list of about 114,000 users
The 1986 Computer Fraud and Abuse Act, which Auernheimer was found to have violated, predates the web and contains language that is frequently criticized for being unintelligibly vague in an era of ubiquitous networked computers. The Act makes it illegal to “access a computer without authorization or exceed authorized access” on any “protected computer” — for instance, one that is “used in interstate or foreign commerce or communication.” TechNews Daily reports that while the jury was deliberating, Auernheimer said to the press, “the ‘protected computer’ is any network computer. You access a protected computer every day,” before asking rhetorically, “have you ever received permission from Google to go to Google?”
This story is related to this incident:
Apple’s Worst Security Breach: 114,000 iPad Owners Exposed
http://gawker.com/5559346/
Tomi Engdahl says:
Security firm showcases vulnerabilities in SCADA software, won’t report them to vendors
http://www.networkworld.com/news/2012/112112-security-firm-showcases-vulnerabilities-in-264456.html
The vulnerability information will be sold to private buyers as part of a commercial service, the company says
Malta-based security start-up firm ReVuln claims to be sitting on a stockpile of vulnerabilities in industrial control software, but prefers to sell the information to governments and other paying customers instead of disclosing it to the affected software vendors.
In a video released Monday, ReVuln showcased nine “zero-day” (previously unknown) vulnerabilities which, according to the company, affect SCADA (supervisory control and data acquisition) software from General Electric, Schneider Electric, Kaskad, Rockwell Automation, Eaton and Siemens. ReVuln declined to disclose the name of the affected software products.
“ICS-CERT has just contacted us some minutes ago requesting more details but we don’t release information,” Auriemma said. The vulnerabilities “are part of our portfolio for our customers so no public details will be released; they will remain private,”
Along with French vulnerability research firm VUPEN, ReVuln is among a few companies that openly sell vulnerability information to government agencies and other private customers and refuse to report the vulnerabilities their researchers find to the affected vendors so they can be fixed.
It’s a somewhat controversial business model that has been criticized by digital rights advocates and various people from the IT security industry who argue that it makes the Internet less safe because the vulnerabilities remain unpatched and known to third parties who may be interested in exploiting them for offensive purposes.
However, the practice is not new. It’s been known for years in the security research community that some companies and independent researchers are selling information about unpatched vulnerabilities to governments and other private buyers, but such transactions used to be done discreetly.
“I can’t say I feel comfortable with this, but it may be that legitimized and monetized research will work out better for the online world than multitudes of individuals and unofficial groups working semi-covertly,” the ESET researcher said. “If so, let’s hope too much damage isn’t done while that market stabilizes.”
Tomi Engdahl says:
Cyber Corps program trains spies for the digital age
http://www.latimes.com/news/nationworld/nation/la-na-cyber-school-20121123,0,7345893.story
At the University of Tulsa school, students learn to write computer viruses, hack digital networks and mine data from broken cellphones. Many graduates head to the CIA or NSA.
It may sound like a Jason Bourne movie, but the little-known program has funneled most of its graduates to the CIA and the Pentagon’s National Security Agency, which conducts America’s digital spying. Other graduates have taken positions with the FBI, NASA and the Department of Homeland Security.
The need for stronger cyber-defense — and offense — was highlighted when Defense Secretary Leon E. Panetta warned in an Oct. 11 speech that a “a cyber-terrorist attack could paralyze the nation,” and that America needs experts to tackle the growing threat.
“An aggressor nation or extremist group could gain control of critical switches and derail passenger trains, or trains loaded with lethal chemicals,” Panetta said. “They could contaminate the water supply in major cities, or shut down the power grid across large parts of the country.”
Panetta said the Pentagon spends more than $3 billion annually for cyber-security. “Our most important investment is in skilled cyber-warriors needed to conduct operations in cyberspace,” he said.
That’s music to the ears of Sujeet Shenoi, a naturalized citizen from India who founded the cyber program in 1998. He says 85% of the 260 graduates since 2003 have gone to the NSA, which students call “the fraternity,” or the CIA, which they call “the sorority.”
Tomi Engdahl says:
Who would examine it crashes?
Airplane falling from the sky is extremely unlikely. Needed an average of seven simultaneous faults, so that was going to happen. Still, defects are seen in a while.
Few of us is afraid to board. We rely on these cloud services so strongly that they will rise up to pick up on a regular basis. Although the machine fall would be fatal.
Computer World cloud services, we still live in a kind of fear of flying time. Perhaps rightly so.
Cloud services, the reliability is not yet at the level of flying, with more than a hundred years of history. During this period, we have seen a series of devastating accidents.
Aircraft accidents examines the external group of experts. One airline unfortunate accident occurred on the causes and lessons of this will also be informed of other companies.
Traditionally, IT firms have not been reluctant to report in detail to those which occurred in the cottage.
Source: http://www.tietoviikko.fi/blogit/uutiskommentti/kuka+tutkisi+itonnettomuuksia/a859311?s=r&wtm=tietoviikko/-27112012&
Tomi Engdahl says:
Mobile devices can leak from the company’s data in an uncontrolled way.
Mobile devices pose IT administrations of many organizations quite a headache.
The solution to new challenges is a remote management, mdm (mobile device management). It allows IT management software can directly see the console, to whom each of the remote control device is covered, what is the model of what applications are installed, and the most important thing, that is, if the machine and the settings of the company’s IT policies in accordance with or not. That can be automatically forces the company and the workers owned equipment.
Plain device management is, however, already old-fashioned. The trend is to focus on the applications and content management, and mdm for example, may provide an application-level protection. All company data from e-mails can be run on a mobile device isolated sandbox, which for example can not share data with other applications, or even take screen captures.
Mobile device management software, demand is growing at an incredible pace.
it is not easy to choose the one most suitable to your needs
Source: http://www.tietokone.fi/uutiset/alypuhelin_voi_olla_tietoturvan_talvivaara
Tomi Engdahl says:
What does a flightless bird and SCADA software have in common?
http://blog.exodusintel.com/2012/11/25/what-does-a-flightless-bird-and-scada-software-have-in-common/
If you’ve been paying attention to the security industry for any length of time then you’re probably familiar with the non-disclosure vs responsible disclosure vs full disclosure stances researchers take with regard to vulnerabilities they discover. As the value of vulnerabilities has been steadily going up over the years, more and more individuals and organizations are aligning themselves with the non-disclosure crowd and not for the traditional reasons. These days there seem to be an increasing number of cases of individuals hiding behind non-disclosure for reasons that generally tend to end up revolving around them making more money than reputable outlets provide.
When I read that a new company out of Italy Malta called ReVuln has discovered vulnerabilities in SCADA software and decided not to inform the affected vendors, but rather sell the information privately to their customers, I was intrigued.
For those of you who do not know, SCADA systems run things like power plants, airports, manufacturing facilities, and so on (read the wikipedia page for more info). While these may not be defined as “Internet infrastructure”, I would argue that they are even more crucial to the safety and security of the general populace (especially when you think about the national security implications of vulnerabilities in these systems).
Tomi Engdahl says:
Cambridge University center to examine potential threat posed by artificial intelligence
http://www.theverge.com/2012/11/25/3691538/ai-threat-cambridge-university
The UK’s prestigious University of Cambridge is to play host to a new center where experts will analyze the possible dangers of advanced artificial intelligence.
“it seems a reasonable prediction that some time in this or the next century intelligence will escape from the constraints of biology.”
Tomi Engdahl says:
The European Commission is planning to increase cyber security budget 14 per cent by 2020.
The Commission will in due course be budgeted cyber securityresearch to EUR 350 million for 2007-2013. On Monday, the Commission announced that it will continue the budget for 2020 for EUR 50 million.
400 million in the budget can accommodate many projects.
Research company TrendMicro security research director Rik Ferguson believes that security companies and non-profit organizations have already joined their resources.
According to him, the public sector would be reasonable to contribute to the cost for its part – especially when a large part of the cyber security threads are specifically targeted at state and municipal government.
Source: http://www.tietoviikko.fi/kaikki_uutiset/eu+panostaa+vaatimattomasti+verkkorikosten+torjuntaan/a859446?s=u&wtm=tivi-27112012
Tomi says:
Websense predictions for 2013:
Mobile devices are starting to suffer from similar attacks than traditional PCs
Cybercriminals are trying more to break application “sandbox” to get to the operating system
Honest mobile application stores in the future swims more malware
State-sponsored attacks increase
Simple hacktivist methods will not work well and exper hacktivists start to use more complex attacks
Windows 8 will become cyber criminals favorite destination together with Android and iOS. Microsoft developer friendliness will backfire when high-impact minding criminals see the possibilities of the new platform.
Android will be number one target for malware. Pc-wracked attacks on the machines will be converted into Android’s a nuisance.
Source: http://m.tietoviikko.fi/Uutiset/Windows+8+nousee+ensi+vuonna+k%C3%A4rkeen+-+hakkereiden+maalitauluna
Tomi says:
Security Flaw In Common Keycard Locks Exploited In String Of Hotel Room Break-Ins
http://www.forbes.com/sites/andygreenberg/2012/11/26/security-flaw-in-common-keycard-locks-exploited-in-string-of-hotel-room-break-ins/
Two days after the break-in, a letter from hotel management confirmed the answer: The room’s lock hadn’t been picked, and hadn’t been opened with any key. Instead, it had been hacked with a digital tool that effortlessly triggered its opening mechanism in seconds. The burglary, one of a string of similar thefts that hit the Hyatt in September, was a real-world case of a theoretical intrusion technique researchers had warned about months earlier—one that may still be effective on hundreds of thousands or millions of locks protecting hotel rooms around the world.
That security flaw was first publicly demonstrated by Cody Brocious, a 24-year-old software developer for Mozilla, at the Black Hat hacker conference in July. Brocious reverse-engineered Onity’s locks and discovered he could spoof the “portable programmer” device meant to be used for designating master keys and opening locks whose batteries had died.
On stage at Black Hat, Brocious showed it was possible to insert the plug of a small device he built with less than $50 in parts into the port at the bottom of any Onity keycard lock, read the digital key that provides access to the opening mechanism of the lock, and open it instantaneously.
In a statement sent to me, a White Lodging spokesperson says the company became aware of the vulnerability in its Onity locks in August
Following those September incidents, White Lodging resorted to plugging the port at the bottom of its Onity locks with “epoxy putty,” according to the letter it sent to guests at its Houston location.
But even Onity’s official response, late as it may be, has left something to be desired. Rather than pay for the full fix itself, which requires a new circuit board for every affected lock, Onity has asked its hotel customers to cover the cost of those hardware replacements. Its free alternative involves merely blocking the port on the bottom of the lock instead with a plastic plug and changing the screws on the locks to a more obscure model to make it harder to open the locks’ cases and remove the plugs.
Forcing the customer to pay for anything beyond a band-aid-style fix may mean the flaw will remain unpatched in many cases, warns Brocious. ”Given that it won’t be a low cost endeavour, it’s not hard to imagine that many hotels will choose not to properly fix the issues, leaving customers in danger,”
As the technique spreads, hotels with Onity locks need to either shell out for Onity’s circuit board fix or at least block access to their locks’ ports, says Todd Seiders of Petra Risk Solutions
“We’re expecting incidents in which these devices are used to explode nationally,” says Seiders.
All of which raises the question of whether Brocious should have ever brought his findings to light. Brocious, after all, didn’t alert Onity to its security flaw before his presentation at Black Hat (though I did) and even licensed his technique for $20,000 to the Locksmith Training Institute, which trains law enforcement and others, more than a year before he made it public.
Brocious has countered that Onity’s security bug is so simple it may have already been discovered by other hackers who used it in secret. And he says hotels needed to be made aware of the locks’ flaws so they could switch to a more secure model.
Tomi Engdahl says:
BT website allows anyone to add services to an account with a phone number and postcode
http://www.theverge.com/2012/11/27/3696466/bt-website-insecure-premium-services-order-fraud-bt-vision
The UK’s largest fixed line provider doesn’t seem to understand cybersecurity
The site showed how easy it was to add additional phone packages to a user’s account, but from our testing things may be even worse than initially thought. Using a friend’s postal code and phone number — details that are often discoverable through directory enquiries — we were able to add BT Vision, the company’s pay TV service
Worse still, we used a throwaway email address to order the additional services, meaning he wasn’t notified of his apparent purchase through his account email address.
It’s also worth mentioning that there seems to be no way to cancel the order through BT’s website, although it should be simple enough to arrange via a call to customer services.
BT told The Register that “different levels of security apply to different products.
” It’s not clear what exactly BT considers inappropriate, but we’d imagine most customers wouldn’t be happy with a phantom order for pay TV.”
Tomi Engdahl says:
The Internet’s Best Terrible Person Goes to Jail: Can a Reviled Master Troll Become a Geek Hero?
http://gawker.com/5962159
In June of 2010, just days after the release of Apple’s original iPad, a computer security group Auernheimer was a part of called Goatse Security discovered that AT&T had accidentally made the email addresses of subscribers to its iPad 3G wireless service publicly accessible. Goatse Security collected more than 100,000 email addresses from an AT&T website using a program called an “account slurper” and Auernheimer contacted then-staff writer Ryan Tate with proof of the breach.
By that time, Auernheimer was already something of an internet celebrity, having become the closest thing to a figurehead for the wide-ranging pursuit of fucking things up on the Internet. He was the star of a blockbuster 2008 New York Times magazine profile about internet trolling, the art of provoking online for provocation’s sake.
But then there will always be terrible people, and out of all of the terrible people on the internet Auernheimer is one of the best. The pureness of his awfulness-for-awfulness’ sake is something to marvel at.
Because in the end, Auernheimer’s case is about free speech. He faces ten years in prison for using information accidentally made publicly available by AT&T to embarrass it. Nothing was harmed but a giant corporation’s reputation. (Auernheimer and Spitler destroyed the emails after contacting Gawker.) No doubt the fact that he was a dick about it—that he has made a career of being a dick about it—has a lot to do with the fact he’s going to prison. But if being a dick on the internet was a crime we’d all be headed for the electric chair. Auernheimer plans to appeal his conviction
Tomi Engdahl says:
Dual-identity smartphones could bridge BYOD private, corporate divide
New processors will allow phones to run two OSes — one public and one corporate
http://www.computerworld.com/s/article/print/9233834/Dual_identity_smartphones_could_bridge_BYOD_private_corporate_divide
Late next year, consumers will be able to buy smartphones that either come with native hypervisor software or use an app allowing them to run two interfaces on the phone: one for personal use, one for work.
The technology could help address an issue that has cropped up with increasing frequency at work: Employees who bring their personal mobile devices to work and use them to communicate with clients and to access corporate data. The issue can cause friction at companies that need to safeguard their data on employee-owned smartphones and tablets and want to be able to remotely wipe the devices of data if they’re lost or if an employee quits or is fired.
VMware and Red Bend are two of the leading software companies that have already signed OEM agreements with smartphone manufacturers to create dual-identify devices from some of today’s most popular models.
Tomi Engdahl says:
Hardcoded Administrator Account Opens Backdoor Access To Samsung Printers
http://hardware.slashdot.org/story/12/11/27/2221216/hardcoded-administrator-account-opens-backdoor-access-to-samsung-printers
“A new flaw has been discovered in printers manufactured by Samsung whereby a backdoor in the form of an administrator account would enable attackers to not only take control of the flawed device, but will also allow them to attack other systems in the network. According to a warning on US-CERT the administrator account is hard-coded in the device”
Hardcoded Administrator Account Opens Backdoor Access to Samsung Printers
http://paritynews.com/security/item/494-hardcoded-administrator-account-opens-backdoor-access-to-samsung-printers
According to a warning on US-CERT the administrator account is hard-coded in the device in the form of a SNMP community string with full read-write access. The backdoor is not only present in Samsung printers but also in Dell printers that have been manufacture by Samsung. The administrator account remains active even if SNMP is disabled from the printer’s administration interface.
Because of full read-write access, the data that passes through the printer is at risk of being disclosed. Beyond this, attackers can execute arbitrary code on the printer following which they may be able to use the printer as a base to carry out further attack on the network.
Vulnerability Note VU#281284
Samsung Printer firmware contains a backdoor administrator account
http://www.kb.cert.org/vuls/id/281284
Samsung printers (as well as some Dell printers manufactured by Samsung) contain a hardcoded SNMP full read-write community string that remains active even when SNMP is disabled in the printer management utility.
A remote, unauthenticated attacker could access an affected device with administrative privileges. Secondary impacts include: the ability to make changes to the device configuration, access to sensitive information (e.g., device and network information, credentials, and information passed to the printer), and the ability to leverage further attacks through arbitrary code execution.
As a general good security practice, only allow connections from trusted hosts and networks. Restricting access would prevent an attacker from accessing an SNMP interface using the affected credentials from a blocked network location.
Angelo Mansir says:
Of words and feathers, it takes many to make a pound. – German Proverb
Tomi Engdahl says:
Serious Google security glitch restores Webmaster Tools, possibly Analytics access to revoked accounts
http://thenextweb.com/google/2012/11/28/serious-google-security-glitch-gives-webmaster-tools-possibly-analytics-access-to-revoked-accounts/
Earlier tonight, reports began rolling in of a serious breach in Google accounts security. Some sort of glitch has granted access to Webmaster Tools, Google Analytics and perhaps even more tools to users who previously had access, but then had that access revoked.
This means that ex-employees or contractors which formerly had access to a site’s records, reports and tools that could affect its place on the web have suddenly had their access restored. This is an enormously dangerous situation, obviously, as there is no guarantee that those people won’t do something malicious with that access.
The things that could be accomplished with access to Webmaster Tools alone include some fairly scary stuff
Change preferred domain, redirecting to another site
Drop pages from the index, removing the homepage URL.
Remove all sitemaps from the account.
Remove all users access from the webmaster.
Change parameter handling, and canonicalization.
There have also been reports that Google Talk contacts are reappearing as well. If you’re a site owner, you’re probably going to want to head into your WMT panel to delete those users