Security trends for 2014

Year 2014 will be a year of cybersecurity after the NSA revelations made in 2013: the headline news is that the NSA has surreptitiously “burrowed its way into nearly all the security architecture” sold by the world’s largest computer networking companies. A lot of people were shocked at how the NSA monitored and hacked almost everything on the Internet. There will still be NSA aftershocks as new material comes out and different parties react to it (and news sources write about it). U.S. cloud services have been put into question for good reason. There will be a lot of NSA spying litigation. Those spying issues will also fuel some hacktivism (it has already started to happen).

The Security Professionals: Top Cyber Threat Predictions for 2014 article lists the following predictions, which seem pretty probable: Cybersecurity Regulatory Efforts Will Spark Greater Need for Harmonization, Service-Impacting Interruptions for Online Services Will Persist, We Will See an Increase in Cybercrime Activity Related to the World Cup, Rise of Regional Cloud Services, Dev-Ops Security Integration Fast Becoming Critical, Cybercrime that Leverages Unsupported Software will Increase, and Increase in Social Engineering and Ransomware will Impact More People.

Ubiquitous mobile computing is all around us, which will lead to increased risks and concerns about social network privacy. Social networks have quickly become the key organizing principle of Internet communication and collaboration. Android anti-virus apps CAN’T kill nasties on sight like normal AV.

2013 was a very hacked year, with many cases where information on millions or tens of millions of users was stolen from companies. It’s likely that we will see much more of the same in 2014, because the way people use passwords and the way on-line services are built have not changed much in one year.

Gartner predicts that through 2014, improved JavaScript performance will begin to push HTML5 and the browser as a mainstream enterprise application development environment. I expect HTML5-related security issues to increase due to the fact that the technology is being used more in 2014.

Over 50% of net traffic to web sites is made by bots! The More Than Half of Internet Traffic Is Just Bots article says that security and cloud service provider Incapsula analyzed traffic and found that more than 60 percent of internet traffic is computer generated, compared to less than 40 percent that is driven by human clicks. 31% of bots are still malicious. SEO link building has always been a major motivation for automated link spamming, but it is decreasing because Google was able to discourage it. There is more advanced hacking and automatic vulnerability searching.

DDoS attacks are evolving from volumetric Layer 3-4 attacks to much more sophisticated and dangerous Layer 7 multi-vector threats.

There will still be many SCADA security issues in 2014. Even though traditional SCADA vulnerabilities have become easier to find, the increased connectivity brought by IoT will cause new issues. And there will still be very many control systems openly accessible from the Internet to practically everybody who knows how to look for them. A large number of SCADA systems were found open on the Internet in the beginning of 2013, and the numbers have not dropped considerably during the year. I expect that very many of those systems will still be too open at the end of 2014.

The Internet is expanding into enterprise assets and consumer items such as cars and televisions. The Internet of Things (IoT) will evolve into the Web of Things, increasing the coordination between things in the real world and their counterparts on the Web. There will be many security issues to solve, and as these systems become more widely used, more security issues will be found in them.

Cloud security will be talked about. Hopefully there will be some clearing-up of the terminology in that area, because cloud security can mean a lot of things, just like the term cloud computing. Cloud security could mean how secure your cloud provider is, a service running in the cloud that filters what comes through it (for example e-mails or web traffic), a product protecting some service running in the cloud, or a traditional anti-virus service that connects to the cloud to improve its operation (for example to update in real time, or to verify unknown programs based on data in the cloud). Research firm Gartner forecasts that cloud security sales will increase dramatically in the next few years. Cloud security sales have increased over the past year by 2.1 billion to $3.1 billion in 2015.

Marketers try to put the term “cloud” into security product brochures as much as they can. Cloud makes traditional information security sound old-fashioned, because companies are under pressure to move services to the cloud. Also, mobile devices and dispersed users set new standards for information security. OpenDNS’s CTO Dan Hubbard says that “Because the data and equipment run in the cloud, protecting users with the cloud is the best way to protect them.” The Snowden Effect will also bring PRIVATE cloud talk to the table this year for security reasons, because U.S. cloud services have been put into question for good reason.

In Finland a new Cyber Security Center started in the beginning of 2014. Security articles and warnings from it will be published at kyberturvallisuuskeskus.fi.

Late addition: Crypto-currencies like Bitcoin and similar are on the rise. Early adopters already use them actively. Those crypto-currencies have many security-related issues. The values of the crypto-currencies vary quite a lot, and the value easily drops considerably when they get so used that different governments try to limit their use. Bitcoin is increasingly used as a ransomware payment method. Bitcoins have been stolen quite a lot lately (and I expect that to increase as usage increases), from users, from on-line wallets and from exchanges. When more money is involved, more bad guys try to get in to take some of it. Sometimes bad guys do not try to steal your money, but use resources you pay for (your own PC, your server capacity, etc.) to generate money for them without you knowing about it. If you plan to use those crypto-currencies, be careful to understand what you are doing with them: there is a real possibility that you can lose your money, and there is no way that lost money can be recovered.

3,382 Comments

  1. Tomi Engdahl says:

    Heartbleed OpenSSL vulnerability: A technical remediation
    http://www.net-security.org/secworld.php?id=16661

    heartbleed.com mentions a web based tool and a couple of scripts for testing to see if you are vulnerable to this latest exploit:

    A web based test
    A Python script to test for the vulnerability from the command line. If you want to scan multiple sites, you can use a modified version with easily parseable output.

    We have had an opportunity to review the behavior of the exploit and have come up with the following IDS signatures to be deployed for detection.

  2. Tomi Engdahl says:

    Important: openssl security update on Red Hat Linux
    2014-04-08
    https://rhn.redhat.com/errata/RHSA-2014-0376.html

    Updated openssl packages that fix one security issue are now available for
    Red Hat Enterprise Linux 6.

    All OpenSSL users are advised to upgrade to these updated packages, which
    contain a backported patch to correct this issue.

  3. Tomi Engdahl says:

    How to Protect Yourself From the Heartbleed Bug
    http://mashable.com/2014/04/09/heartbleed-what-to-do/

    You’re likely affected either directly or indirectly by the bug, which was found by a member of Google’s security team and a software firm named Codenomicon. The bad news: There’s not a lot you can do about it now. It’s the responsibility of Internet companies to update their servers to deal with Heartbleed, and once they do, you can take action (see below).

    Secure websites — with “https” in the URL (“s” stands for secure) — make up 56% of websites, and nearly half of those sites were vulnerable to the bug.

  4. Tomi Engdahl says:

    Cuba: U.S. using new weapon against us — spam
    http://edition.cnn.com/2014/04/09/world/americas/cuba-twitter-spam/index.html?hpt=hp_t2

    At a news conference Wednesday, Cuban officials said text messaging platforms run by the U.S. government threatened to overwhelm Cuba’s creaky communications system and violated international conventions against junk messages.

    The spam, officials claim, comes in the form of a barrage of unwanted text messages, some political in nature.

    Just this month, Cuba started a government e-mail service that allows people to receive e-mails on their phones.

  5. Tomi Engdahl says:

    Why Heartbleed Is the Ultimate Web Nightmare
    http://mashable.com/2014/04/09/heartbleed-nightmare/

    Why Heartbleed is so scary

    That’s Heartbleed. It’s a vulnerability that, thus far, has operated without detection. Plus, it’s designed in such a way that with enough effort and enough time, lots of information could be accessed by someone else. And you (and the server you talk to) would have no idea.

    As bad as that is, the worst part is that this vulnerability has actually been around since December 2011. Lots of software packages started using the vulnerable version of OpenSSL in May 2012. So for two years, any app, website, bank or private messaging app that uses OpenSSL has been vulnerable to this bug.

    So not only is every password you’ve used at a vulnerable site at risk — the bigger problem is that although major vendors and websites are scurrying to fix this problem now, smaller apps and sites might take more time. Or worse, they might ignore the problem altogether.

    It’s easy to check to see if your email provider or bank has updated its security to protect against Heartbleed, but what about a local restaurant? Your doctor’s office? A company you used once to get a ride to the airport?

  6. Tomi Engdahl says:

    Cheat Win XP DEATH: Little-known tool to save you from the XPocalypse
    Your handy guide to keeping snubbed operating system ticking over
    http://www.theregister.co.uk/2014/04/10/how_to_run_xp_on_new_windows/

    Windows XP’s date with destiny has passed. As of Tuesday, Microsoft will NOT be releasing any new security updates.

    XP Mode remains a free download, and with a little work, you can get it running on the cheaper editions of Windows 7, on Windows 8.x – and even on Linux (Ubuntu in my case). All you need is a different hypervisor.

    the freeware VMware Player will do
    Oracle’s VirtualBox is free

    The VM is just for your indispensable Windows apps – the idea is to use the host OS for Internet access, email and everything else. Don’t access the internet from the VM. Now Microsoft has stopped updating XP, it won’t be safe

  7. Tomi Engdahl says:

    Not just servers hit by OpenSSL’s Heartbleed – your PC and phone may be vulnerable too
    Also: Google announces services’ Heartbleed status
    http://www.theregister.co.uk/2014/04/10/many_clientside_vulns_in_heartbleed_says_sans/

    While most attention surrounding OpenSSL’s Heartbleed vulnerability has been given to the server side, the SANS Institute has reminded the world that the client side is also vulnerable.

    Williams said the data-leaking bug “is much scarier” than the gotofail in Apple’s crypto software, and his opinion is that it will have been known to black hats before its public discovery and disclosure.

    Williams said a malicious server could easily send a message to vulnerable software on phones, laptops, PCs, home routers and other devices, and retrieve a 64KB block of sensitive data from the targeted system. It’s an attack that would probably yield handy amounts of data if deployed against users of public Wi-Fi hotspots, for example.

    Writing code to exploit vulnerabilities in clients is “not going to be that difficult to do,” he said.

    Security penetration testers are going to find themselves in work “through 2020” with this bug, Williams said

    In the OpenSSL RFC, there are two user-supplied inputs that create the problem

    This can happen during connection negotiation, which is why the flaw can be exploited by an unauthenticated attacker.

    If you’re running VMs in a cloud environment: admins must find their cloud machines and make sure their code base isn’t Heartbleed vulnerable.

    Then, he added, there are thousands of “shoestring budget” VPN concentrators in smaller businesses that will be vulnerable and probably won’t be updated.

    Williams was critical of vendors, since so few of them have made vulnerability statements (SANS has a list here). “Too many vendors not communicating with their customers,”

  8. Tomi Engdahl says:

    Anatomy of OpenSSL’s Heartbleed: How four bytes trigger terrible bug
    The code behind the C-bomb dropped on the world
    http://www.theregister.co.uk/2014/04/09/heartbleed_explained/

    Whoever sends a HeartbeatMessage controls the payload_length but as we will see, this is never checked against the parent SSL3_RECORD’s length field, allowing an attacker to overrun memory.

    an attacker sends a four-byte HeartbeatMessage including a single byte payload, which is correctly acknowledged by the SSL3′s length record. But the attacker lies in the payload_length field to claim the payload is 65535 bytes in size. The victim ignores the SSL3 record, and reads 65535 bytes from its own memory, starting from the received HeartbeatMessage payload, and copies it into a suitably sized buffer to send back to the attacker.

    The broken OpenSSL code that processes the incoming HeartbeatMessage looks like this, where p is a pointer to the start of the message:

    /* Read type and payload length first */
    hbtype = *p++;      /* 1-byte heartbeat message type */
    n2s(p, payload);    /* 2-byte payload_length, taken straight from the received message */
    pl = p;             /* start of the payload; payload_length is never checked against the record length */

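As an added illustration (not the comment's, the article's or OpenSSL's own code), this C model contrasts the unchecked length handling described above with the two bounds checks OpenSSL 1.0.1g added to tls1_process_heartbeat(). The heartbeat records are constructed samples, and the unpatched model only reports how many bytes would have been copied out of memory instead of reading them.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Heartbeat message layout (RFC 6520):
 * type(1) | payload_length(2, big-endian) | payload | padding(>=16) */
#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_PADDING       16

/* Constructed sample records, not captured traffic.
 * MALICIOUS_REC claims 65535 payload bytes but the record carries only one. */
static const uint8_t MALICIOUS_REC[] = {
    0x01, 0xff, 0xff,                                /* request, payload_length = 65535 */
    0x41,                                            /* the single real payload byte */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0   /* 16 bytes of padding */
};
static const uint8_t BENIGN_REC[] = {
    0x01, 0x00, 0x04, 'p', 'i', 'n', 'g',            /* request, payload_length = 4 */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0   /* 16 bytes of padding */
};

/* Response buffer large enough for the biggest legal heartbeat response. */
static uint8_t resp_buf[1 + 2 + 65535 + HB_PADDING];

/* n2s: read a big-endian 16-bit length and advance the cursor, like OpenSSL's macro. */
static uint16_t n2s(const uint8_t **p) {
    uint16_t v = (uint16_t)(((*p)[0] << 8) | (*p)[1]);
    *p += 2;
    return v;
}

/* Pre-fix logic (OpenSSL 1.0.1 through 1.0.1f): payload_length is trusted, so the
 * amount echoed back is chosen entirely by the sender. This model only reports how
 * many bytes the broken code would have copied from process memory; it copies nothing. */
size_t heartbeat_bytes_echoed_unpatched(const uint8_t *rec, size_t rec_len) {
    const uint8_t *p = rec;
    uint8_t hbtype;
    uint16_t payload;
    (void)rec_len;                   /* never consulted: that is the bug */
    hbtype = *p++;
    payload = n2s(&p);
    return hbtype == TLS1_HB_REQUEST ? payload : 0;
}

/* Fixed logic (OpenSSL 1.0.1g): the two length checks added to tls1_process_heartbeat().
 * Returns -1 when the record is malformed (silently dropped), else the response length. */
int heartbeat_process_patched(const uint8_t *rec, size_t rec_len,
                              uint8_t *out, size_t out_cap) {
    const uint8_t *p = rec;
    const uint8_t *pl;
    uint8_t hbtype;
    uint16_t payload;
    size_t resp_len;

    /* Check 1: header plus minimum padding must fit inside the TLS record */
    if (1 + 2 + HB_PADDING > rec_len) return -1;

    hbtype = *p++;
    payload = n2s(&p);
    pl = p;

    /* Check 2: the claimed payload plus padding must also fit inside the record */
    if (1 + 2 + payload + HB_PADDING > rec_len) return -1;

    if (hbtype != TLS1_HB_REQUEST) return 0;   /* responses are not echoed */

    resp_len = 1 + 2 + payload + HB_PADDING;
    if (resp_len > out_cap) return -1;

    out[0] = TLS1_HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)(payload & 0xff);
    memcpy(out + 3, pl, payload);              /* bounded by check 2 */
    memset(out + 3 + payload, 0, HB_PADDING);  /* OpenSSL fills this with random bytes */
    return (int)resp_len;
}

int main(void) {
    printf("unpatched would echo %zu bytes for a %zu-byte record\n",
           heartbeat_bytes_echoed_unpatched(MALICIOUS_REC, sizeof MALICIOUS_REC),
           sizeof MALICIOUS_REC);
    printf("patched result for malicious record: %d\n",
           heartbeat_process_patched(MALICIOUS_REC, sizeof MALICIOUS_REC,
                                     resp_buf, sizeof resp_buf));
    printf("patched result for benign record: %d bytes\n",
           heartbeat_process_patched(BENIGN_REC, sizeof BENIGN_REC,
                                     resp_buf, sizeof resp_buf));
    return 0;
}
```

The same comparison of claimed payload_length against the enclosing record length is what the network signatures mentioned elsewhere in these comments look for.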
  9. Tomi Engdahl says:

    Hewlett-Packard Admits to International Bribery and Money Laundering Schemes
    https://news.vice.com/articles/hewlett-packard-admits-to-international-bribery-and-money-laundering-schemes?trk_source=homepage-in-the-news

    Hewlett-Packard has admitted to creating and using slush funds for bribes, money laundering, and clandestine “bag of cash” handoffs in order to profiteer off of lucrative government contracts in Russia, Poland, and Mexico, according to court documents.

    HP’s guilty plea carries with it a $108 million penalty — a combination of SEC penalties, as well as criminal fines and forfeitures paid out to the Department of Justice.

  10. Tomi Engdahl says:

    U.S. Officials Urge Firms to Share Cyber-Threat Data
    Swapping Threat Information Won’t Violate Antitrust Laws
    http://online.wsj.com/news/article_email/SB10001424052702303873604579493980585969834-lMyQjAxMTA0MDEwMDExNDAyWj

    Companies that share information with one another about cybersecurity threats aren’t violating U.S. antitrust laws, Obama administration officials said Thursday as part of an effort to promote corporate cooperation against hackers.

    “We must encourage companies to rely on each other,” U.S. Deputy Attorney General James Cole said during a briefing with reporters. “To secure the nation’s networks of information and resources, members of the private sector must share information.”

  11. Tomi Engdahl says:

    Man who introduced serious ‘Heartbleed’ security flaw denies he inserted it deliberately
    http://www.smh.com.au/it-pro/security-it/man-who-introduced-serious-heartbleed-security-flaw-denies-he-inserted-it-deliberately-20140410-zqta1.html

    The German software developer who introduced a security flaw into an encryption protocol used by millions of websites globally says he did not insert it deliberately as some have suggested.

    In what appears to be his first comments to the media since the bug was uncovered, Robin Seggelmann said how the bug made its way into live code could “be explained pretty easily”.

    “On a scale of one to 10, it is an 11,” renowned security expert Bruce Schneier said of the bug.

    Dr Seggelmann, of Münster in Germany, said the bug which introduced the flaw was “unfortunately” missed by him and a reviewer when it was introduced into the open source OpenSSL encryption protocol over two years ago.

    “I was working on improving OpenSSL and submitted numerous bug fixes and added new features,” he said.

    “In one of the new features, unfortunately, I missed validating a variable containing a length.”

  12. Tomi Engdahl says:

    Heartbleed Bug hits at heart of many Cisco, Juniper products
    Cisco, Juniper say to expect security advisory updates related to Heartbleed
    http://www.networkworld.com/news/2014/041014-heartbleed-cisco-juniper-280593.html

    The Heartbleed Bug, a flaw in OpenSSL that would let attackers eavesdrop on Web, e-mail and some VPN communications, is a vulnerability that can be found not just in servers using it but also in network gear from Cisco and Juniper Networks. Both vendors say there’s still a lot they are investigating about how Heartbleed impacts their products, and to expect updated advisories on a rolling basis.

    Juniper detailed a long list in two advisories
    Cisco acted in similar fashion

    “Expect a product by product advisory about vulnerabilities,”

    So far, Cisco has carved out a list of about a dozen products listed as confirmed “vulnerable” to exploits based on the Heartbleed Bug, plus another list of over 60 products considered “affected”

    Some security experts, including cryptography expert Bruce Schneier, are describing the Heartbleed Bug as a ‘catastrophic’ flaw because the vulnerable version of OpenSSL can be exploited by savvy attackers to eavesdrop on passwords or steal encryption certificates and keys.

    In addition to this wide range of network gear impacted by the Heartbleed Bug, some versions of the Android operating system also appear to be subject to Heartbleed, according to mobile security vendor Lookout Security.

    the vulnerable versions of Google Android include only versions 4.1.1 and 4.2.2. The current version of Android 4.5 is not impacted

  13. Tomi Engdahl says:

    Behind the Scenes: The Crazy 72 Hours Leading Up to the Heartbleed Discovery
    http://www.vocativ.com/tech/hacking/behind-scenes-crazy-72-hours-leading-heartbleed-discovery/

    From Finland to Silicon Valley, a small team of bug hunters identified and prepared for the worst security flaw in Internet history

    Today Heartbleed is a household name—every person who uses the web is terrified of the security glitch. But David Chartier knew about it almost a week ago, before just about anyone else on the planet.

  14. Tomi Engdahl says:

    Heartbleed bug: Check which sites have been patched
    http://www.cnet.com/news/which-sites-have-patched-the-heartbleed-bug/

    We compiled a list of the top 100 sites across the Web, and checked to see if the Heartbleed bug was patched.

  15. Tomi Engdahl says:

    Bitcoin Falls Below The $400 Mark, Down More Than 60% From Its All-Time High
    http://techcrunch.com/2014/04/10/bitcoin-falls-below-the-400-mark-down-more-than-60-from-its-all-time-high/

    The price correction was driven by news from China, as it often has been.

  16. Tomi Engdahl says:

    Surveillance is the Business Model of the Internet: Bruce Schneier
    http://www.securityweek.com/surveillance-business-model-internet-bruce-schneier

    “Surveillance is the business model of the Internet,” Schneier told attendees. “We build systems that spy on people in exchange for services. Corporations call it marketing.”

    The data economy—the growth of mass data collection and tracking—is changing how power is perceived, Schneier said in his keynote speech. The Internet and technology has changed the impact a group can have on others, where dissidents can use the Internet to amplify their voices and extend their reach. Governments already have a lot of power to begin with, so when they take advantage of technology, their power is magnified, he said.

    “That’s how you get weird situations where Syrian dissidents use Facebook to organize, and the government uses Facebook to arrest its citizens,” Schneier said.

    Data is currency, and consumers are willing to hand over their information in exchange for “free or convenience,” Schneier said. Companies such as Facebook and Google want the data so that they can sell more stuff. Users hand it over to play games, to get email, or some other benefit. “I like to think of this as a feudal model. At a most fundamental model, we are tenant farming for companies like Google. We are on their land producing data,” he said.

  17. Tomi Engdahl says:

    Cybercrime surge is forcing security vendors to roll out updates every 40 minutes
    Hacker siege increasing danger of false positive signature update, says Symantec
    http://www.theinquirer.net/inquirer/news/2339249/cybercrime-surge-is-forcing-security-vendors-to-roll-out-updates-every-40-minutes

    DUBLIN: A SURGE in cybercrime is forcing security vendors to release security updates every 40 minutes, according to security firm Symantec.

    “We’re seeing more sophisticated attacks than ever before and people want security,” she said. “Nowadays we are rolling out virus signature upgrades around every 40-50 minutes. They are rapid response upgrades that go through partial vetting. We then follow them up with three upgrades per day that are fully certified.”

    She said Symantec blocked 568,700 web attacks on its customers and detected a massive 1.6 million malware variants per day in 2013.

    False positives are updates from security providers that list legitimate files as malware and block them from running. In the past the faulty updates have caused damage to many companies.

  18. Tomi Engdahl says:

    The Heartbleed bug is affecting routers, too
    http://www.engadget.com/2014/04/10/the-heartbleed-bug-is-affecting-routers-too/

    Cisco Systems and Juniper Networks have announced that the Heartbleed bug — a flaw in OpenSSL that lets attackers bypass common security protocols — has been found in their networking products. This news isn’t too surprising, as any device using an older version of SSL is vulnerable, but checking these devices for the flaw is a laborious process.

  19. Tomi Engdahl says:

    Who is Robin Seggelmann and did his Heartbleed break the internet?
    http://www.smh.com.au/it-pro/security-it/who-is-robin-seggelmann-and-did-his-heartbleed-break-the-internet-20140411-zqtjj.html

    German computer programmer Robin Seggelman has been outed as the man whose coding mistake, now known as Heartbleed, has left millions of internet users and thousands of websites vulnerable to hackers.

    The discovery, by Google engineers, has prompted experts to call on people to change their passwords to most, if not all, websites they subscribe to after site owners have fixed their vulnerabilities.

    His academic research influence index score of two, based on the number of scientific citations of his work, suggests an influential thinker at the early stages of his scientific career.

    “It was not intended at all, especially since I have previously fixed OpenSSL bugs myself, and was trying to contribute to the project,” he said.

    In the case of Heartbleed, the review also missed the mistake.

    Professor Susilo said that is not unusual. “It was just a development mistake when creating the algorithm. It’s a serious mistake but a normal mistake.”

    Author of the GNUPG paper Phong Nguyen noted that “bad cryptography is much more frequent than good cryptography”, and the “fact that a source code can be read does not imply that it is actually read, especially by cryptography experts”.

    “There is no one to blame. The code is always evolving,”

  20. Tomi Engdahl says:

    Top ten biz software vendors reveal Heartbleed exposure
    VMware, Symantec and Citrix are digging, Microsoft and Salesforce are relaxing
    http://www.theregister.co.uk/2014/04/11/top_ten_biz_software_vendors_reveal_heartbleed_exposure/

    Microsoft Services, were not impacted by the OpenSSL vulnerability.” Nor is “Windows’

    IBM
    recommends customers keep an eye out for security advice

    Oracle’s advisory for its April patch bundle doesn’t mention Heartbleed, but threads like this one suggest some Oracle products may have problems.

    Symantec is “ … still investigating

    HP says “… TippingPoint NGIPS, SMS and NGFW platforms, as well as the Threat Management Center (TMC) portal” are not in danger

    Citrix
    the XenApp stack has problems.

  21. Tomi Engdahl says:

    Google Strengthens Android App Security With Continuous Post-Install Scans
    http://techcrunch.com/2014/04/10/google-strengthens-android-app-security-with-continuous-post-install-scans/

    Google is making a change to its Android security systems today that is meant to ensure that users who install apps from outside of the Google Play store are a bit safer from malicious apps.

    Currently, Android users can have Google scan their apps for malicious code at the time of installation. Going forward, Google will expand this program with a more service-based system that will continuously check the device to make sure that apps are “behaving in a safe manner, even after installation.” This means that as Google learns more about mobile malware, it can now check for this kind of code even after you’ve installed an app. Until now, once a malicious app had made it through Google’s security systems, there was no way to detect it later.

  22. Tomi Engdahl says:

    Heartbleed coder accepts blame for oversight
    Updated Admits New Years Eve slip-up to blame for ‘catastrophic’ bug
    http://www.theinquirer.net/inquirer/news/2338750/openssl-security-bug-heartbleed-exposes-two-thirds-of-webservers-to-attack

    THE MAN WHO CODED the flaw that let the SSL Heartbleed vulnerability loose in the world has revealed that it was “an oversight”.

    There should have been some clues perhaps. The code, which was supposed to enable the SSL heartbeat function, a good thing, was submitted just before midnight on New Years Eve, a time when many people are under the influence of alcohol.

    That was probably not the case here, but there was definitely an oversight

  23. Tomi Engdahl says:

    Google has taken on the bleeding hearts on a security blog post where it told its users that it is in the process of shoring up its consumer and business facing cloud services.

    “We’ve assessed this vulnerability and applied patches to key Google services such as Search, Gmail, YouTube, Wallet, Play, Apps, and App Engine,” it said.

    “Google Chrome and Chrome OS are not affected. We are still working to patch some other Google services. We regularly and proactively look for vulnerabilities like this – and encourage others to report them – so that we can fix software flaws before they are exploited.”

    Source: http://www.theinquirer.net/inquirer/news/2338750/openssl-security-bug-heartbleed-exposes-two-thirds-of-webservers-to-attack

  24. Tomi Engdahl says:

    Has the NSA Been Using the Heartbleed Bug as an Internet Peephole?
    By Kim Zetter
    04.10.14
    http://www.wired.com/2014/04/nsa-heartbleed/

    Edward Snowden exposed the NSA’s widespread efforts to eavesdrop on the internet, encryption was the one thing that gave us comfort.

    Snowden also warned that crypto systems aren’t always properly implemented. “Unfortunately,” he said, “endpoint security is so terrifically weak that NSA can frequently find ways around it.”

    This week, that caveat hit home — in a big way — when researchers revealed Heartbleed, a two-year-old security hole

    Though security vulnerabilities come and go, this one is deemed catastrophic because it’s at the core of SSL

    Although the NSA could use the Heartbleed vulnerability to obtain usernames and passwords (as well as so-called session cookies to access your online accounts), this would only allow them to hijack specific accounts whose data they obtained. For the NSA and other spies, the real value in the vulnerability lies in the private keys used for SSL that it may allow attackers to obtain.

    GCHQ had specifically been working to develop ways into the encrypted traffic of Google, Yahoo, Facebook, and Hotmail to decrypt traffic in near-real time

    Now, Heartbleed raises the possibility that in some cases the NSA might not have needed to crack SSL.

    So far, though, there’s no evidence to suggest this is the case. And there are reasons why this method wouldn’t be very efficient for the NSA.

    First, the vulnerability didn’t exist on every site. And even on sites that were vulnerable, using the Heartbleed bug to find and grab the private keys stored on a server’s memory isn’t without problems.

    “It is very likely that it is possible in at least some cases, but it hasn’t been demonstrated to work all the time.”

    “I think it is extremely unlikely that a malicious attacker has obtained a private key from an Nginx server of a busy website,

    “If it is possible with Apache, it’s going to be difficult,”

    Either way, there are now signatures available to detect exploits against Heartbleed, as Dutch security firm Fox-IT points out on its website

  25. Tomi Engdahl says:

    OpenSSL ‘heartbleed’ bug live blog

    http://blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/

    It is possible to detect successful exploitation of this vulnerability by inspecting the network traffic. We have developed 2 sets of Snort signatures to detect successful exploitation of the ‘heartbleed bug’.

  26. Tomi Engdahl says:

    It might be ILLEGAL to run Heartbleed health checks – IT lawyer
    Do the right thing, earn up to 10 years in clink
    http://www.theregister.co.uk/2014/04/11/heartbleed_health_checking_services_may_be_illegal/

    Web services that have sprung up to check whether third-party websites might be vulnerable to the Heartbleed mega-vulnerability have thrown up anomalies in computer crime law on both sides of the Atlantic.

    Both the US Computer Fraud and Abuse Act and its UK equivalent the Computer Misuse Act make it an offence to test the security of third-party websites without permission.

    Testing to see what version of OpenSSL a site is running, and whether it is also running the vulnerable Heartbeat protocol, would be legal. But doing anything more active – without permission from website owners – would take security researchers onto the wrong side of the law.

    “It’s not legal, but vast numbers of otherwise ethical security professionals are testing every site on the internet,”

  27. Tomi Engdahl says:

    NSA Said to Exploit Heartbleed Bug for Intelligence for Years
    http://www.bloomberg.com/news/2014-04-11/nsa-said-to-have-used-heartbleed-bug-exposing-consumers.html

    The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said.

  28. Tomi Engdahl says:

    Apparently the NSA Knew About the Heartbleed Bug for Two Years and Never Said Anything
    http://www.techvibes.com/blog/nsa-heartbleed-bug-2014-04-11

  29. Tomi Engdahl says:

    US government warns of Heartbleed bug danger
    http://www.bbc.com/news/technology-26985818

    The US government has warned that it believes hackers are trying to make use of the Heartbleed bug.

    The Department of Homeland Security advised the public to change passwords for sites affected by the flaw once they had confirmed they were secure.

    However, an official added that there had not been any reported attacks or malicious incidents.

    Reply
  30. Tomi Engdahl says:

    U.S. rallied 120 nations in response to 2012 cyberattack on American banks
    http://www.washingtonpost.com/world/national-security/us-rallied-multi-nation-response-to-2012-cyberattack-on-american-banks/2014/04/11/7c1fbb12-b45c-11e3-8cb6-284052554d74_story.html

    Wary of provoking even more intense attacks, the Obama administration rejected an option to hack into the adversary’s network in Iran and squelch the problem at its source. Instead, officials did something they had never tried on such a scale, appealing to more than 100 countries to choke off the debilitating computer traffic at nodes around the world, according to current and former U.S. officials.

    Reply
  31. Tomi Engdahl says:

    Obama Says He May Or May Not Let the NSA Exploit the Next Heartbleed
    http://it.slashdot.org/story/14/04/13/0357256/obama-says-he-may-or-may-not-let-the-nsa-exploit-the-next-heartbleed

    “The White House has joined the public debate about Heartbleed. The administration denied any prior knowledge of Heartbleed, and said the NSA should reveal such flaws once discovered”

    Reply
  32. Tomi Engdahl says:

    Obama Lets N.S.A. Exploit Some Internet Flaws, Officials Say
    http://www.nytimes.com/2014/04/13/us/politics/obama-lets-nsa-exploit-some-internet-flaws-officials-say.html?_r=0

    Stepping into a heated debate within the nation’s intelligence agencies, President Obama has decided that when the National Security Agency discovers major flaws in Internet security, it should — in most circumstances — reveal them to assure that they will be fixed, rather than keep mum so that the flaws can be used in espionage or cyberattacks, senior administration officials said Saturday.

    But Mr. Obama carved a broad exception for “a clear national security or law enforcement need,” the officials said, a loophole that is likely to allow the N.S.A. to continue to exploit security flaws both to crack encryption on the Internet and to design cyberweapons.

    The White House has never publicly detailed Mr. Obama’s decision

    “reinvigorated” process to weigh the value of disclosure when a security flaw is discovered, against the value of keeping the discovery secret for later use by the intelligence community.

    “This process is biased toward responsibly disclosing such vulnerabilities,”

    Reply
  33. Tomi Engdahl says:

    Private crypto keys are accessible to Heartbleed hackers, new data shows
    Four people have been able to see server keys and certificates in a test.
    http://arstechnica.com/security/2014/04/private-crypto-keys-are-accessible-to-heartbleed-hackers-new-data-shows/

    Reply
  34. Tomi Engdahl says:

    The NSA’s Heartbleed problem is the problem with the NSA
    http://www.theguardian.com/commentisfree/2014/apr/12/the-nsas-heartbleed-problem-is-the-problem-with-the-nsa

    What the agency’s denial isn’t telling you: it didn’t even need to know about the bug to vacuum your privacy and store it indefinitely

    The American intelligence community is forcefully denying reports that the National Security Agency has long known about the Heartbleed bug, a catastrophic vulnerability inside one of the most widely-used encryption protocols upon which we rely every day to secure our web communications. But the denial itself serves as a reminder that NSA’s two fundamental missions – one defensive, one offensive – are fundamentally incompatible, and that they can’t both be handled credibly by the same government agency.

    It’s exactly the kind of bug you’d expect NSA to be on the lookout for, since documents leaked by Edward Snowden confirm that the agency has long been engaged in an “aggressive, multi-pronged effort to break widely used Internet encryption technologies”.

    Reply
  35. Tomi Engdahl says:

    “Brightest Flashlight” Android app disclosed location of 50 million people, but FTC imposes no fine
    http://gigaom.com/2014/04/09/brightest-flashlight-android-app-disclosed-location-of-50-million-people-but-ftc-imposes-no-fine/

    What happens if you install secret tracking software on the phones of tens of millions of people and sell their location to advertisers? Not much, if a new FTC order is anything to go by.

    Reply
  36. Tomi Engdahl says:

    US takes out gang that used Zeus malware to steal millions
    Zeus malware used to attack Bank of America, First National Bank of Omaha and others
    http://www.networkworld.com/community/blog/us-takes-out-gang-used-zeus-malware-steal-millions

    The US Department of Justice today charged nine members of a group that used Zeus malware to infect thousands of business computers with Zeus malware and illegally siphon off millions of dollars into overseas bank accounts.

    According to the SecureWorks report, “Top Banking Botnets of 2013,” Zeus banking Trojan variants accounted for about half of all banking malware seen in 2013. SecureWorks points out that Zeus is now being used not just to attack financial institutions but also stock trading, social-networking and e-mail services, plus portals for entertainment or dating, for example.

    Reply
  37. Tomi Engdahl says:

    NSA Said to Exploit Heartbleed Bug for Intelligence for Years
    http://www.bloomberg.com/news/2014-04-11/nsa-said-to-have-used-heartbleed-bug-exposing-consumers.html

    The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said.

    Heartbleed bug denial by NSA and White House
    http://www.bbc.com/news/technology-27004713

    The US National Security Agency has denied it knew about or exploited the Heartbleed online security flaw.

    The denial came after a Bloomberg News report alleging the NSA used the flaw in OpenSSL to harvest data.

    Reply
  38. Tomi Engdahl says:

    Heartbleed exploit, inoculation, both released
    File under ‘this is going to hurt you more than it hurts me’
    http://www.theregister.co.uk/2014/04/14/heartbleed_exploit_patch_both_released/

    As the Heartbleed fallout continues, the good news is that code to protect against similar such attacks has been released. The bad news is that exploit code is also available.

    Let’s start with the latter, released by a chap who took up Cloudflare’s challenge to coders in the hope someone, somewhere, would be able to use Heartbleed to extract a private SSL key from an undefended server it erected.

    Cloudflare says the winner took just nine hours to crack the server and run off with the SSL certificate.

    The availability of that code means world+dog can run it against servers of their choice and see what’s on offer, which is just great.

    Reply
  39. Tomi Engdahl says:

    One year on: diplomatic fail as Chinese APT gangs get back to work
    Mandiant says past 12 months shows Beijing won’t call off its hackers
    http://www.theregister.co.uk/2014/04/11/mandiant_china_apt_back_to_work/

    The Chinese operatives behind two major advanced persistent threat (APT) groups have fully resumed their activities despite being exposed publicly last year, in a sign that diplomatic efforts by the US aren’t working, according to Mandiant.

    Reply
  40. Tomi Engdahl says:

    Obama allows NSA to exploit 0-days: report
    If the spooks say they need it, they get it
    http://www.theregister.co.uk/2014/04/14/obama_allows_nsa_to_exploit_0days_report/

    The NSA’s denial it knew about or exploited the Heartbleed bug raises an obvious question: does it exploit similar flaws?

    The answer, according to The New York Times, is yes.

    Reply
  41. Tomi Engdahl says:

    Bad PUPPY: Undead Windows XP deposits fresh scamware on lawn
    Installing random interwebs shiz will bork your zombie box
    http://www.theregister.co.uk/2014/04/14/microsoft_windows_xp_eol_adware/

    Cybercriminals have already seized upon the end of support for Windows XP as a theme for numerous scams and fake software updates.

    “Keygens are something you should really avoid, as more often than not you never know quite what you’ll end up with,” Christopher Boyd, a malware intelligence analyst at Malwarebytes, says in a blog post. “As for XP themed ‘setup files’, those links took us to the usual selection of surveys and ringtone offers.”

    Reply
  42. Tomi Engdahl says:

    Google unveils email scanning practices in new terms of service
    http://www.reuters.com/article/2014/04/14/us-google-email-idUSBREA3D1RT20140414

    Google Inc updated its terms of service on Monday, informing users that their incoming and outgoing emails are automatically analyzed by software to create targeted ads.

    The revisions more explicitly spell out the manner in which Google software scans users’ emails, both when messages are stored on Google’s servers and when they are in transit, a controversial practice that has been at the heart of litigation.

    Reply
  43. Tomi Engdahl says:

    Guardian and Washington Post win Pulitzer prize for NSA revelations
    http://www.theguardian.com/media/2014/apr/14/guardian-washington-post-pulitzer-nsa-revelations

    Pair awarded highest accolade in US journalism, winning Pulitzer prize for public service for stories on NSA surveillance

    The Guardian and the Washington Post have been awarded the highest accolade in US journalism, winning the Pulitzer prize for public service for their groundbreaking articles on the National Security Agency’s surveillance activities based on the leaks of Edward Snowden.

    The award, announced in New York on Monday, comes 10 months after the Guardian published the first report based on the leaks from Snowden, revealing the agency’s bulk collection of US citizens’ phone records.

    Reply
  44. Tomi Engdahl says:

    Google Weighs Boosting Encrypted Sites in Its Search Algorithm
    http://blogs.wsj.com/digits/2014/04/14/google-may-push-sites-to-use-encryption/

    A powerful voice at Google wants websites to be more secure.

    In a move that experts say could make it harder to spy on Web users, Google is considering giving a boost in its search-engine results to websites that use encryption, the engineer in charge of fighting spam in search results hinted at a recent conference.

    Reply
  45. Tomi Engdahl says:

    Heartbleed bug responsible for theft of 900 Canadian tax ID numbers
    http://www.theverge.com/2014/4/14/5612904/900-canadian-social-insurance-numbers-stolen-in-first-heartbleed

    Canada’s taxpayers may be the first victims of the Heartbleed bug that put the web on high alert last week. According to the Canada Revenue Agency, 900 social insurance numbers (SINs) were stolen by hackers exploiting the security vulnerability. Even on a small scale, the breach is tantamount to identity theft, and is a situation the CRA had worked hard to avoid.

    Reply
  46. Tomi Engdahl says:

    FBI Plans to Have 52 Million Photos in its NGI Face Recognition Database by Next Year
    https://www.eff.org/deeplinks/2014/04/fbi-plans-have-52-million-photos-its-ngi-face-recognition-database-next-year

    New documents released by the FBI show that the Bureau is well on its way toward its goal of a fully operational face recognition database by this summer.

    NGI builds on the FBI’s legacy fingerprint database—which already contains well over 100 million individual records—and has been designed to include multiple forms of biometric data, including palm prints and iris scans in addition to fingerprints and face recognition data.

    One of our biggest concerns about NGI has been the fact that it will include non-criminal as well as criminal face images. We now know that FBI projects that by 2015, the database will include 4.3 million images taken for non-criminal purposes.

    Reply
  47. Tomi Engdahl says:

    Out in the Open: Inside the Operating System Edward Snowden Used to Evade the NSA
    http://www.wired.com/2014/04/tails/

    When NSA whistle-blower Edward Snowden first emailed Glenn Greenwald, he insisted on using email encryption software called PGP for all communications. But this month, we learned that Snowden used another technology to keep his communications out of the NSA’s prying eyes. It’s called Tails. And naturally, nobody knows exactly who created it.

    Tails is a kind of computer-in-a-box. You install it on a DVD or USB drive, boot up the computer from the drive and, voila, you’re pretty close to anonymous on the internet. At its heart, Tails is a version of the Linux operating system optimized for anonymity. It comes with several privacy and encryption tools, most notably Tor, an application that anonymizes a user’s internet traffic by routing it through a network of computers run by volunteers around the world.

    “The installation and verification has a learning curve to make sure it is installed correctly,” Poitras told WIRED by e-mail. “But once the set up is done, I think it is very easy to use.”

    Tails makes it much easier to use Tor and other privacy tools. Once you boot into Tails — which requires no special setup — Tor runs automatically. When you’re done using it, you can boot back into your PC’s normal operating system, and no history from your Tails session will remain.

    Reply
  48. Tomi Engdahl says:

    Millions of Android Devices Vulnerable to Heartbleed Bug
    http://www.bloomberg.com/news/2014-04-11/millions-of-android-devices-vulnerable-to-heartbleed-bug.html

    Millions of smartphones and tablets running Google Inc. (GOOG)’s Android operating system have the Heartbleed software bug

    While Google said in a blog post on April 9 that all versions of Android are immune to the flaw, it added that the “limited exception” was one version dubbed 4.1.1,

    Security researchers said that version of Android is still used in millions of smartphones and tablets

    “One of the major issues with Android is the update cycle is really long,”

    Christopher Katsaros, a spokesman for Mountain View, California-based Google, confirmed there are millions of Android 4.1.1 devices

    More than 80 percent of people running Android 4.1.1 who have shared data with mobile security firm Lookout Inc. are affected

    Broad Fallout

    The reach of the vulnerability continues to widen as Cisco Systems Inc. (CSCO) and Juniper Networks Inc. (JNPR) said earlier this week that some of their networking-gear products are affected and will be patched. The Canadian government has ordered websites operated by the federal government that use the vulnerable version of OpenSSL to be taken offline until they can be fixed.

    Reply
