Security trends for 2014

Year 2014 will be a year of cybersecurity after the NSA revelations made in 2013. The headline news is that the NSA has surreptitiously “burrowed its way into nearly all the security architecture” sold by the world’s largest computer networking companies. A lot of people were shocked at how the NSA monitored and hacked almost everything on the Internet. There will still be NSA aftershocks as new material comes out and different parties react to it (and news sources write about it). U.S. cloud services have been put into question for good reason. There will be a lot of NSA spying litigation. Those spying issues will also fuel some hacktivism (it has already started to happen).

The Security Professionals: Top Cyber Threat Predictions for 2014 article lists the following predictions, which seem pretty probable: cybersecurity regulatory efforts will spark a greater need for harmonization; service-impacting interruptions for online services will persist; we will see an increase in cybercrime activity related to the World Cup; regional cloud services will rise; DevOps security integration is fast becoming critical; cybercrime that leverages unsupported software will increase; and an increase in social engineering and ransomware will impact more people.

Ubiquitous mobile computing is all around us, which will lead to increased risks and concerns about social network privacy. Social networks have quickly become the key organizing principle of Internet communication and collaboration. Android anti-virus apps can’t kill malware on sight like desktop AV can: they run as ordinary sandboxed apps without the privileges needed to remove another app, so at best they can detect a threat and ask the user to uninstall it.

2013 was a very hacked year, with many cases where information on millions or tens of millions of users was stolen from companies. It is likely that we will see much more of the same in 2014: the way people use passwords and the way on-line services are built have not changed much in one year.
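
The service-side half of that is the part operators can actually change. As an added example (my own code, not from any of the breached companies or any source cited here), the snippet below puts the storage style found in many leaked user databases, unsalted MD5, beside a salted and iterated PBKDF2 record with constant-time verification and a check for records that fall below current policy. The record format and the iteration count are my own choices.

```python
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 100_000  # assumed policy; raise it as hardware gets faster


def legacy_md5(password):
    """Unsalted MD5, the storage style seen in many leaked user databases:
    identical passwords give identical hashes, so one cracked hash (or a
    precomputed table) unlocks every account sharing that password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password, iterations=DEFAULT_ITERATIONS, salt=None):
    """Salted, iterated PBKDF2-HMAC-SHA256. The stored record carries its own
    algorithm, iteration count and salt (the record format is my own choice)."""
    if salt is None:
        salt = os.urandom(16)  # per-user random salt defeats shared precomputation
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "%s$%d$%s$%s" % (ALGORITHM, iterations, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute with the parameters in the record and compare in constant time.
    Malformed or foreign records fail closed instead of raising."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
        if algorithm != ALGORITHM:
            return False
        iterations = int(iterations)
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except ValueError:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


def needs_rehash(stored, iterations=DEFAULT_ITERATIONS):
    """True when a record is below current policy; upgrade it at the user's next
    successful login, the only moment the plaintext is available."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM or not parts[1].isdigit():
        return True
    return int(parts[1]) < iterations


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("Tr0ub4dor&3", record))                   # False
```

Because the salt is random, two users with the same password get different records, and a stolen table has to be attacked one record at a time at the full PBKDF2 cost.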


Gartner predicts that through 2014, improved JavaScript performance will begin to push HTML5 and the browser as a mainstream enterprise application development environment. I expect HTML5-related security issues to increase because the technology is being used more in 2014.

Over 50% of net traffic to web sites is made by bots! The More Than Half of Internet Traffic Is Just Bots article says that security and cloud service provider Incapsula analyzed traffic and found that more than 60 percent of internet traffic is computer generated, compared to less than 40 percent driven by human clicks. 31% of bots are still malicious. SEO link building has always been a major motivation for automated link spamming, but it is decreasing because Google was able to discourage it. Meanwhile there is more advanced hacking and automatic vulnerability searching.

DDoS attacks are evolving from volumetric Layer 3-4 attacks to much more sophisticated and dangerous Layer 7 multi-vector threats: instead of saturating bandwidth, they send legitimate-looking HTTP requests that exhaust application resources, so they are harder to tell apart from real users.
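
To show what the bot-traffic and Layer 7 points above look like in a server's own logs, here is an added example (code written for this post, not from Incapsula or any other source cited here). It parses Apache combined-format log lines and answers three questions: what share of requests comes from self-declared bots, which addresses are probing for well-known admin paths (automatic vulnerability searching), and which addresses are generating a Layer 7 flood. The log lines are constructed, the addresses are from the RFC 5737 documentation ranges, and the User-Agent markers, path list and thresholds are my own assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Apache "combined" log sample (not real traffic).
SAMPLE_LOG = (
    '203.0.113.5 - - [10/Jan/2014:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 '
    '"-" "Mozilla/5.0 (Windows NT 6.1) Firefox/26.0"\n'
    '203.0.113.5 - - [10/Jan/2014:10:00:02 +0000] "GET /style.css HTTP/1.1" 200 800 '
    '"http://example.org/" "Mozilla/5.0 (Windows NT 6.1) Firefox/26.0"\n'
    '198.51.100.7 - - [10/Jan/2014:10:00:03 +0000] "GET /robots.txt HTTP/1.1" 200 60 '
    '"-" "Googlebot/2.1 (+http://www.google.com/bot.html)"\n'
    # A scanner hiding behind a browser User-Agent, probing for admin paths.
    '198.51.100.9 - - [10/Jan/2014:10:00:04 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 210 '
    '"-" "Mozilla/4.0 (compatible; MSIE 6.0)"\n'
    '198.51.100.9 - - [10/Jan/2014:10:00:04 +0000] "GET /wp-login.php HTTP/1.1" 404 210 '
    '"-" "Mozilla/4.0 (compatible; MSIE 6.0)"\n'
    '198.51.100.9 - - [10/Jan/2014:10:00:05 +0000] "GET /admin/ HTTP/1.1" 404 210 '
    '"-" "Mozilla/4.0 (compatible; MSIE 6.0)"\n'
    # A Layer 7 flood: one client firing 30 expensive search requests in two seconds.
    + "".join(
        '192.0.2.77 - - [10/Jan/2014:10:00:%02d +0000] "GET /search?q=%d HTTP/1.1" '
        '200 9000 "-" "python-requests/2.2.1"\n' % (6 + i // 15, i)
        for i in range(30)
    )
)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Assumed lists: User-Agent fragments of self-declared crawlers/tools, and paths
# that do not exist on this site but are requested by vulnerability scanners.
BOT_UA_MARKERS = ("bot", "crawler", "spider", "python-requests", "curl/", "wget/", "nikto", "sqlmap")
SCAN_PATH_PREFIXES = ("/phpmyadmin", "/wp-login.php", "/admin", "/cgi-bin/", "/.git/", "/xmlrpc.php")


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["status"] = int(e["status"])
        e["time"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        entries.append(e)
    return entries


def is_bot_ua(ua):
    """Cheap first cut: does the client admit to being automated?"""
    ua = ua.lower()
    return any(marker in ua for marker in BOT_UA_MARKERS)


def bot_share(entries):
    """Fraction of requests from self-declared bots. This undercounts, because
    scanners and attack tools forge browser User-Agents; behaviour must be checked too."""
    if not entries:
        return 0.0
    return sum(is_bot_ua(e["ua"]) for e in entries) / len(entries)


def find_scanners(entries, min_hits=3):
    """Addresses that hit several well-known admin/CMS paths and got 404s: the
    signature of automatic vulnerability searching, whatever the User-Agent says."""
    hits = defaultdict(int)
    for e in entries:
        if e["status"] == 404 and e["path"].startswith(SCAN_PATH_PREFIXES):
            hits[e["ip"]] += 1
    return {ip: n for ip, n in hits.items() if n >= min_hits}


def find_l7_floods(entries, window_seconds=10, threshold=20):
    """Per-address sliding window over request times: the peak number of requests
    one source made within window_seconds. Sources above threshold are candidates
    for rate limiting or a challenge page. Defaults are assumptions; tune per site."""
    times = defaultdict(list)
    for e in entries:
        times[e["ip"]].append(e["time"])
    floods = {}
    for ip, ts in times.items():
        ts.sort()
        start = peak = 0
        for end in range(len(ts)):
            while (ts[end] - ts[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            floods[ip] = peak
    return floods


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print("requests parsed:", len(entries))
    print("bot share by User-Agent: %.0f%%" % (100 * bot_share(entries)))
    print("vulnerability scanners:", find_scanners(entries))
    print("layer 7 floods:", find_l7_floods(entries))
```

Note how the scanner at 198.51.100.9 is invisible to the User-Agent check and only shows up in the 404 pattern, while the flood source is caught by request rate alone; on a real site both checks would feed a rate limiter or WAF rule rather than a print statement.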

There will still be many SCADA security issues in 2014. Besides the traditional SCADA vulnerabilities, which have become easier to find, the increased connectivity brought by IoT will cause new issues. And there will still be very many control systems openly accessible from the Internet to practically anyone who knows how to look for them. A large number of SCADA systems were found open on the Internet at the beginning of 2013, and the numbers have not dropped considerably during the year. I expect that very many of those systems will still be too open at the end of 2014.
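
To make concrete what “openly accessible” means, here is an added example (my own code, not from any scanning project or source mentioned here) of the probe Internet-wide scanners use to identify Modbus/TCP devices: a Read Device Identification request (function code 0x2B, MEI type 0x0E) and a parser for the reply, including the exception response a device sends when it does not support the function. The device reply is constructed and the vendor and product names are made up; probe() talks to a real device and assumes you are authorized to test it.

```python
import socket
import struct

MODBUS_TCP_PORT = 502
FC_ENCAPSULATED_INTERFACE = 0x2B   # Encapsulated Interface Transport
MEI_READ_DEVICE_ID = 0x0E          # MEI type: Read Device Identification
BASIC_OBJECTS = {0x00: "VendorName", 0x01: "ProductCode", 0x02: "MajorMinorRevision"}
EXCEPTION_CODES = {1: "ILLEGAL FUNCTION", 2: "ILLEGAL DATA ADDRESS",
                   3: "ILLEGAL DATA VALUE", 4: "SLAVE DEVICE FAILURE"}


class ModbusError(Exception):
    """The device answered with a Modbus exception response."""
    def __init__(self, code):
        super().__init__(EXCEPTION_CODES.get(code, "exception code %d" % code))
        self.code = code


def build_device_id_request(transaction_id=1, unit_id=0xFF, read_code=0x01, object_id=0x00):
    """MBAP header + PDU for a basic (read_code 0x01) device identification request.
    Unit id 0xFF is the conventional value for a directly attached Modbus/TCP device."""
    pdu = struct.pack(">BBBB", FC_ENCAPSULATED_INTERFACE, MEI_READ_DEVICE_ID, read_code, object_id)
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)  # length = unit id + PDU
    return mbap + pdu


def parse_device_id_response(frame, expected_transaction_id=1):
    """Validate the MBAP framing and decode the identification objects.
    Every length field is checked against the bytes actually received."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header and function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or tid != expected_transaction_id:
        raise ValueError("protocol id or transaction id mismatch")
    pdu = frame[7:7 + length - 1]
    if len(pdu) != length - 1:
        raise ValueError("MBAP length field does not match frame")
    if pdu[0] == FC_ENCAPSULATED_INTERFACE | 0x80:
        raise ModbusError(pdu[1])
    if len(pdu) < 7 or pdu[0] != FC_ENCAPSULATED_INTERFACE or pdu[1] != MEI_READ_DEVICE_ID:
        raise ValueError("not a Read Device Identification response")
    read_code, conformity, more_follows, next_object, count = pdu[2:7]
    objects, pos = {}, 7
    for _ in range(count):
        if pos + 2 > len(pdu):
            raise ValueError("truncated object header")
        obj_id, obj_len = pdu[pos], pdu[pos + 1]
        value = pdu[pos + 2:pos + 2 + obj_len]
        if len(value) != obj_len:
            raise ValueError("object length exceeds PDU")
        objects[BASIC_OBJECTS.get(obj_id, "Object%02X" % obj_id)] = value.decode("ascii", "replace")
        pos += 2 + obj_len
    return {"unit": unit, "conformity": conformity, "more_follows": bool(more_follows),
            "next_object": next_object, "objects": objects}


def probe(host, port=MODBUS_TCP_PORT, timeout=3.0):
    """Send one request to a live device and decode the answer. Point this only at
    equipment you are authorized to test; an unauthenticated write is just as easy."""
    with socket.create_connection((host, port), timeout) as s:
        s.sendall(build_device_id_request())
        return parse_device_id_response(s.recv(260))


# Constructed reply from an imaginary PLC (vendor and product names are made up).
SAMPLE_RESPONSE = (
    bytes.fromhex("0001 0000 0020 ff")       # MBAP: tid 1, protocol 0, length 32, unit 0xFF
    + bytes.fromhex("2b 0e 01 01 00 00 03")  # FC 0x2B, MEI 0x0E, basic, conformity 1, no more, 3 objects
    + b"\x00\x04Acme" + b"\x01\x08PLC-1000" + b"\x02\x06v2.3.1"
)
SAMPLE_EXCEPTION = bytes.fromhex("0001 0000 0003 ff ab 01")  # FC|0x80 = 0xAB, ILLEGAL FUNCTION

if __name__ == "__main__":
    print(build_device_id_request().hex())
    print(parse_device_id_response(SAMPLE_RESPONSE)["objects"])
```

The request is eleven bytes and needs no credentials: Modbus/TCP has no authentication at all, which is why a device that answers this probe from the public Internet is a finding in itself, before any vulnerability in the product is considered.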

The Internet is expanding into enterprise assets and consumer items such as cars and televisions. The Internet of Things (IoT) will evolve into the Web of Things, increasing the coordination between things in the real world and their counterparts on the Web. There will be many security issues to solve, and as these systems become more widely used, more security issues will be found in them.

Cloud security will be talked about. Hopefully there will be some clearing-up of the terminology in that area, because “cloud security” can mean a lot of things, just like the term “cloud computing”. Cloud security could mean how secure your cloud provider is, a service that runs in the cloud filtering what passes through it (for example e-mail or web traffic), a product protecting some service running in the cloud, or a traditional anti-virus product that connects to the cloud to improve its operation (for example to update in real time or to verify unknown programs against data in the cloud). Research firm Gartner forecasts that cloud security sales will increase dramatically in the next few years: from $2.1 billion in 2013 to $3.1 billion in 2015.

Marketers try to put the term “cloud” into security product brochures as much as they can. The cloud has made traditional information security sound old-fashioned, because companies are under pressure to move services to the cloud. Mobile devices and dispersed users also set new requirements for information security. OpenDNS’s CTO Dan Hubbard says that because data and equipment run in the cloud, the cloud is the best place to protect users. The Snowden effect will also bring PRIVATE cloud talk to the table this year for security reasons, because U.S. cloud services have been put into question for good reason.

In Finland a new Cyber Security Centre started at the beginning of 2014. Security articles and warnings from it will be published at kyberturvallisuuskeskus.fi.

Late addition: Crypto-currencies like Bitcoin and similar are on the rise. Early adopters already use them actively. Those crypto-currencies have many security issues related to them. The values of the crypto-currencies vary quite a lot, and the value easily drops considerably when they get used so much that different governments try to limit their use. Bitcoin is increasingly used as a ransomware payment method. Bitcoins have lately been stolen quite a lot (and I expect that to increase when usage increases), from users, from on-line wallets and from exchanges. When more money is involved, more bad guys try to get at it. Sometimes bad guys do not try to steal your money, but use resources you pay for (your own PC, your server capacity, etc.) to generate money for them without you knowing about it. If you plan to use those crypto-currencies, be careful to understand what you are doing with them; there is a real possibility that you can lose your money, and there is no way that lost money can be recovered.

3,382 Comments

  1. Tomi Engdahl says:

    So Far, So Good for TrueCrypt: Initial Audit Phase Turns Up No Backdoors
    http://threatpost.com/so-far-so-good-for-truecrypt-initial-audit-phase-turns-up-no-backdoors/105433

    An initial audit of the popular open source encryption software TrueCrypt turned up fewer than a dozen vulnerabilities, none of which so far point toward a backdoor surreptitiously inserted into the codebase.

    Reply
  2. Tomi Engdahl says:

    Apple, Google, Microsoft, Samsung and Carriers Back Anti-Theft Measures for Smartphones
    http://recode.net/2014/04/15/apple-google-microsoft-samsung-and-carriers-back-anti-theft-measures-for-smartphones/

    With several states and municipalities considering various mandatory “kill-switch” laws for mobile devices, the wireless industry announced a voluntary commitment to include new anti-theft technology on phones starting next year.

    The commitment, announced Tuesday, has the backing of the five largest U.S. cellular carriers as well as the key players in the smartphone device and operating system markets, a list that includes Apple, Google, HTC, Huawei, Motorola, Microsoft, Nokia and Samsung.

    Those signing the pledge agree that devices going on sale after July 2015 will have the ability to remotely wipe data and be rendered inoperable, if the user chooses, to prevent the device from being reactivated without the owner’s permission. Lost or stolen devices could later be restored if recovered. The carriers also agreed they would facilitate these measures.

    Reply
  3. Tomi Engdahl says:

    Apr 14
    Hardware Giant LaCie Acknowledges Year-Long Credit Card Breach
    http://krebsonsecurity.com/2014/04/hardware-giant-lacie-acknowledges-year-long-credit-card-breach/

    Computer hard drive maker LaCie has acknowledged that a hacker break-in at its online store exposed credit card numbers and contact information on customers for the better part of the past year. The disclosure comes almost a month after the breach was first disclosed by KrebsOnSecurity.

    Reply
  4. Tomi Engdahl says:

    Eugene Kaspersky: Ukraine conflict hurts enterprise security
    With governments occupied, criminals could capitalize
    http://www.theregister.co.uk/2014/04/16/kaspersky_ukraine_conflict_hurts_enterprise_security/

    As governments around the world continue to wrangle for a peaceful solution to the political tensions in the Ukraine, cybercriminals could catch governments off guard with online attacks, warns Kaspersky Lab CEO Eugene Kaspersky.

    “It is good news for the local IT projects, but the international projects will have less budgeted,” Kaspersky said.

    “When the governments don’t talk to each other and cooperate, that damages traditional industry and economies, but also cyberspace.”

    As for the unrest in the Ukraine Kaspersky said that the company, whose presence in the region includes an office in Kiev, has for the most part seen cyberattacks in the region as the work of small hactivist groups rather than full-scale cyberwarfare waged directly by government organizations.

    Reply
  5. Tomi Engdahl says:

    Lack of US Cybersecurity Across the Electric Grid
    http://hardware.slashdot.org/story/14/04/15/2032239/lack-of-us-cybersecurity-across-the-electric-grid

    “Meghan McGuinness of the Bipartisan Policy Center writes about the Electric Grid Cybersecurity Initiative, a collaborative effort between the center’s Energy and Homeland Security Projects. She points out that over half the attacks on U.S. critical infrastructure sectors last year were on the energy sector.”

    Reply
  6. Tomi Engdahl says:

    A new organization for cybersecurity across the electric grid
    http://thebulletin.org/new-organization-cybersecurity-across-electric-grid7046

    Cyber attacks are an increasing risk for the US electric sector and have eclipsed terrorism as the primary threat, according to the Federal Bureau of Investigation. The Industrial Control Systems Cyber Emergency Response Team responded to 256 incidents that targeted critical infrastructure sectors in fiscal year 2013, and 59 percent of those incidents involved the energy sector.

    A large-scale cyber attack or combined cyber and physical attack could lead to enormous costs, potentially triggering sustained power outages over large portions of the electric grid and prolonged disruptions in communications, food and water supplies, and health care delivery.

    It is probably impossible to protect the electric grid from all cyber attacks, particularly given the rapid pace at which cyber threats evolve. Therefore, industry and policymakers must consider how to most effectively manage the risks, taking steps to reduce the likelihood of cyber attacks and to limit the impacts of a successful attack.

    Beyond mandatory standards. In many ways, the electric power sector is in a stronger position than other critical infrastructure sectors to address cyber threats, because it already has mandatory, federally enforceable standards: The North American Electric Reliability Corporation, with oversight from the Federal Energy Regulatory Commission, develops and enforces standards that apply to the bulk power system (generally, generation and transmission), and the Nuclear Regulatory Commission develops and enforces standards for nuclear power plants. However, while these standards provide a useful baseline level of cybersecurity, they do not create incentives for the continual improvement and adaptation needed to respond effectively to rapidly evolving cyber threats. Furthermore, focus on compliance with standards may draw attention and resources away from comprehensive security.

    Reply
  7. Tomi Engdahl says:

    Snowden Used the Linux Distro Designed For Internet Anonymity
    http://yro.slashdot.org/story/14/04/15/1940240/snowden-used-the-linux-distro-designed-for-internet-anonymity

    “When Edward Snowden first emailed Glenn Greenwald, he insisted on using email encryption software called PGP for all communications. Now Klint Finley reports that Snowden also used The Amnesic Incognito Live System (Tails) to keep his communications out of the NSA’s prying eyes.”

    Reply
  8. Tomi Engdahl says:

    Exclusive: Special Ed. Student Records Audio Proof of Bullying, Threatened With Charges of Felony Wiretapping

    Principal Milburn advised her that her son was “facing felony wiretapping charges” because he made a recording in a place with an expectation of privacy, and that Officer Kurta agreed.

    Read more: http://benswann.com/exclusive-special-ed-student-records-audio-proof-of-bullying-threatened-with-charges-of-warrentless-wiretapping/#ixzz2z3O3Z8Kr

    Reply
  9. Tomi Engdahl says:

    The Security of Popular Programming Languages
    http://developers.slashdot.org/story/14/04/15/1857258/the-security-of-popular-programming-languages

    “A new WhiteHat Security report approaches application security not from the standpoint of what risks exist on sites and applications once they have been pushed into production, but rather by examining how the languages themselves perform in the field.”

    http://www.net-security.org/secworld.php?id=16694

    Reply
  10. Tomi Engdahl says:

    All Packages Needed For FreedomBox Now In Debian

    https://wiki.debian.org/FreedomBox

    The FreedomBox Project is a community project to develop, design and promote personal servers running free software for private, personal, communications.

    Vision Statement

    We live in a world where our use of the network is mediated by organizations that often do not have our best interests at heart. By building software that does not rely on a central service, we can regain control and privacy. By keeping our data in our homes, we gain useful legal protections over it. By giving back power to the users over their networks and machines, we are returning the Internet to its intended peer-to-peer architecture.

    Reply
  11. Tomi Engdahl says:

    Hackers attempt to BLACKMAIL plastic surgeons
    Nip, tuck and pwn
    http://www.theregister.co.uk/2014/04/16/hackers_attempted_extortion_plastic_surgeons/

    Cybercrooks attempted to extort a chain of cosmetic surgeons after hacking into its systems and stealing an estimated 480,000 files stuffed with info about prospective nip-’n’-tuck customers.

    “Such information could be used not just to embarrass an individual, but also – potentially – to extort money from them. Furthermore, the private information could be sold to tabloid newspapers or entertainment websites which are scrabbling for some showbiz tittle tattle to fill their pages,”

    Reply
  12. Tomi Engdahl says:

    Heartbleed Bug Hacker Charged by RCMP
    http://www.rcmp-grc.gc.ca/ottawa/ne-no/pr-cp/2014/0416-heartbleed-eng.htm

    Ottawa – April 16, 2014 – The RCMP’s National Division Integrated Technological Crime Unit (ITCU) has charged a 19 year old London, Ontario man in relation to the malicious breach of taxpayer data from the Canada Revenue Agency (CRA) website.

    It is believed that Solis-Reyes was able to extract private information held by the CRA by exploiting the security vulnerability known as the Heartbleed Bug.

    Reply
  13. Tomi Engdahl says:

    Heartbleed shrinks Tor by an eighth
    And that’s before they look at all the nodes and what version of OpenSSL they’re running
    http://www.theregister.co.uk/2014/04/17/heartbleed_shrinks_tor_by_an_eighth/

    Tor, the sometimes-controversial internet-traffic-anonymising service, is bleeding thanks to Heartbleed.

    “we’ll lose about 12% of the exit capacity and 12% of the guard capacity.”

    The reason for the degradation is that some Tor nodes are running compromised versions of OpenSSL.

    Reply
  14. Tomi Engdahl says:

    Lavabit Loses Its Appeal For Mucking Up Basic Procedural Issues Early On
    http://www.techdirt.com/articles/20140416/06454126931/lavabit-loses-its-appeal-mucking-up-basic-procedural-issues-early.shtml

    This won’t come as a huge surprise, but Ladar Levison and Lavabit have now lost their appeal on whether or not they were in contempt for failing to compromise the security of every one of Lavabit’s customers in complying with the DOJ’s demands to get access to who Ed Snowden had been emailing.

    Let this be a massive reminder that, if you’re dealing with this kind of stuff, getting a good lawyer on your side immediately is important.

    Reply
  15. Tomi Engdahl says:

    ‘Kill switch’ may be standard on U.S. phones in 2015
    http://edition.cnn.com/2014/04/16/tech/mobile/ctia-phone-kill-switch/index.html?hpt=hp_c2

    The “kill switch,” a system for remotely disabling smartphones and wiping their data, will become standard in 2015, according to a pledge backed by most of the mobile world’s major players.

    Apple, Google, Samsung and Microsoft, along with the five biggest cellular carriers in the United States, are among those that have signed on to a voluntary program announced Tuesday by the industry’s largest trade group.

    Reply
  16. Tomi Engdahl says:

    Heartbleed Bug—Mobile Apps are Affected Too
    http://blog.trendmicro.com/trendlabs-security-intelligence/heartbleed-bug-mobile-apps-are-affected-too/

    The severity of the Heartbleed bug has led countless websites and servers scrambling to address the issue. And with good reason

    All the extended coverage of the flaw begs the question, “Are mobile devices affected by this?” The short answer: yes.

    Mobile apps, like it or not, are just as vulnerable to the Heartbleed Bug as websites are because apps often connect to servers and web services to complete various functions. As our previous blog entry has shown, a sizable number of domains are affected by this vulnerability.

    Suppose you’re just about to pay for an in-app purchase, and to do so you need to input your credit card details. You do so, and the mobile app finishes the transaction for you.

    Suppose you decide to do so, and tap ‘OK’. Chances are your app will open the website on their own, through their own in-app browser, and have you log into the social network there.

    We scanned around 390,000 apps from Google Play, and found around 1,300 apps connected to vulnerable servers. Among them are 15 bank-related apps, 39 online payment-related, and 10 are online shopping related. We also found several popular apps that many users would use on a daily basis, like instant messaging apps, health care apps, keyboard input apps–and most concerning, even mobile payment apps.

    Reply
  17. Tomi Engdahl says:

    These Android, iOS, and WP8 apps are affected by the Heartbleed Bug (updated)
    Read more: http://www.digitaltrends.com/mobile/heartbleed-bug-apps-affected-list/#ixzz2z7uXcSls

    Reply
  18. Tomi Engdahl says:

    German space centre endures cyber attack
    Chinese code retrieved but NSA hack not ruled out
    http://www.theregister.co.uk/2014/04/15/dlr_attacked_china_apt_trojans/

    Germany’s space research centre in Cologne has been the victim of a co-ordinated and covert targeted attack carried out by state-sponsored hackers, according to a Der Spiegel report.

    The attack was “co-ordinated and systematic” with some of the Trojans used designed to self-destruct on discovery, while other malware lay silent for several months before being activated, according to the report.

    Reply
  19. Tomi Engdahl says:

    Ask Slashdot: System Administrator Vs Change Advisory Board
    http://ask.slashdot.org/story/14/04/17/0129226/ask-slashdot-system-administrator-vs-change-advisory-board

    “Now a Change Advisory Board (CAB) is wanting to manage every patch that will be installed on the OS and approve/disapprove for testing on the development network. Once tested and verified, all changes will then need to be approved for production”

    This change review rigmarole is often done for reasons of security and operational stability. This is a laudable goal, but often the added red tape makes the entire system more vulnerable when they want to decide which security fixes get applied.

    You need to hammer it home that every second between the time the security fix is published and the time the fix is applied the systems are vulnerable. This is because, once the security fix is published, every hacker knows about the issue too.

    You do not want to add more time to that time window.

    I have to do a risk analysis for each change that gets made to a system (not just patches).

    There are still a few people in our organisation who see the CAB as a barrier to getting work done, but for me it is really a check to make sure we’re delivering changes in a proper way.

    Reply
  20. Tomi Engdahl says:

    Researchers uncover likely author of original Bitcoin paper
    http://www.aston.ac.uk/about/news/releases/2014/april/researchers-uncover-likely-author-of-original-bitcoin-paper/

    The primary author of the celebrated Bitcoin paper, and therefore probable creator of Bitcoin, is most likely Nick Szabo, a blogger and former George Washington University law professor, according to students and researchers at Aston University’s Centre for Forensic Linguistics.

    Reply
  21. Tomi Engdahl says:

    Financial services firms are focused on investing more in cyber security protection than last year, predicts consulting firm PwC.

    According to PwC, many financial players are now more aware of the risks involved.

    Cyber attacks have caused extensive damage and risks to banks and other financial firms in recent years.

    In the PwC survey, 76 per cent of investment companies said they will increase their security budget.

    “Cyber crimes are the biggest threat to Britain’s financial services,”

    At the same time, however, the banks reacted coolly to security investments (only 8% planned to increase).

    Source: Tietoviikko
    http://www.tietoviikko.fi/kaikki_uutiset/finanssiyritykset+akkasivat+tietoturvaan+on+laitettava+enemman+rahaa/a982631

    Reply
  22. Tomi Engdahl says:

    Burnt out on patches this month? Oracle’s got 104 MORE fixes for you
    Mass patch for issues across its software catalog
    http://www.theregister.co.uk/2014/04/16/burnt_out_on_deploying_patches_this_month_oracles_got_104_more_fixes_for_you/

    Oracle has released a hefty load of security updates that address a total of 104 different vulnerabilities across its product lines.

    latest Critical Patch Update includes fixes for its middleware and database platforms

    In total, the Java update addresses 37 security flaws in the platform and it is considered to be a critical fix and top deployment priority

    Reply
  23. Tomi Engdahl says:

    Google begins to poke around in all the user data:
    Search giant Google’s new user terms put its own motto “Don’t be evil” in question. The new terms give Google permission to analyze the content of all users, including e-mail. By accepting Google’s new terms, users give the company permission to analyze all data transmitted through, received by or stored in Google services.

    Google Privacy & Terms
    http://www.google.com/intl/en/policies/terms/archive/20131111-20140414/

    Reply
  24. Tomi Engdahl says:

    Street View and reCAPTCHA technology just got smarter
    Wednesday, April 16, 2014 8:31 AM
    Posted by Vinay Shet, Product Manager, reCAPTCHA
    http://googleonlinesecurity.blogspot.fi/2014/04/street-view-and-recaptcha-technology.html

    we’ve been working on a new system to help locate addresses even more accurately, using some of the technology from the Street View and reCAPTCHA teams.

    This technology finds and reads street numbers in Street View, and correlates those numbers with existing addresses to pinpoint their exact location on Google Maps.

    These findings have surprising implications for spam and abuse protection on the Internet as well.

    Turns out that this new algorithm can also be used to read CAPTCHA puzzles—we found that it can decipher the hardest distorted text puzzles from reCAPTCHA with over 99% accuracy.

    Reply
  25. Tomi Engdahl says:

    Police Grapple With Cybercrime
    State, Local Law Enforcement Struggle to Keep Up as Online Cases Grow; FBI Lends a Hand in Utah
    http://online.wsj.com/news/article_email/SB10001424052702304626304579508212978109316-lMyQjAxMTA0MDIwMTEyNDEyWj

    As crime is increasingly moving online, state and local police—who have spent decades refining how to track down murderers, thieves and drug dealers—are having a hard time keeping up.

    “It probably is one of the most perplexing questions right now in terms of state and local policing: How do they handle this stuff?”

    In 2012, consumers reported $525 million in damages to the Internet Crime Complaint Center, a group run partly by the FBI that collects data on cybercrimes, including fraud, hacking and identity theft. That was an 8% increase from the prior year.

    The FBI and Secret Service have advanced tools to investigate cybercrime.

    Now, the FBI is attempting to bolster local capabilities.

    Reply
  26. Tomi Engdahl says:

    Intelligence Directive Bars Unauthorized Contacts with News Media
    http://blogs.fas.org/secrecy/2014/04/media-contacts/

    The Director of National Intelligence has forbidden most intelligence community employees from discussing “intelligence-related information” with a reporter unless they have specific authorization to do so, according to an Intelligence Community Directive that was issued last month.

    “IC employees… must obtain authorization for contacts with the media” on intelligence-related matters, and “must also report… unplanned or unintentional contact with the media on covered matters,” the Directive stated.

    Reply
  27. Tomi Engdahl says:

    The top spook’s stupid gag order
    http://blogs.reuters.com/jackshafer/2014/04/21/the-top-spooks-stupid-gag-order/

    The nation’s top spy has prohibited all of his spies from talking with reporters about “intelligence-related information” unless officially authorized to speak. Intelligence Community Directive 119, signed by Director of National Intelligence James R. Clapper last month and made public Monday in a report by Steven Aftergood of the Federation of American Scientists, threatens to reduce the flow of information from the national security establishment to the press — and hence the public.

    As Aftergood notes, Directive 119 does not merely bar intelligence community employees from sharing classified intelligence information with reporters. It also bars the discussion with the media of unclassified intelligence information “related” to intelligence.

    Directive 119 increases the insularity of the national security state, making the public less safe, not more.

    Reply
  28. Tomi Engdahl says:

    Google is researching ways to make encryption easier to use in Gmail
    http://venturebeat.com/2014/04/21/google-is-researching-ways-to-make-encryption-easier-to-use-in-gmail/

    In response to Edward Snowden’s mass surveillance revelations, Google is working to make complex encryption tools, such as PGP, easier to use in Gmail.

    Google has “research underway to improve the usability of PGP with Gmail,” according to a person at the company familiar with the matter.

    Google has a fighting chance of significantly boosting PGP’s adoption if it can pull off integrating it into Gmail.

    Reply
  29. Tomi Engdahl says:

    CEO Of “Russian Facebook” Says He Was Fired And That The Social Network Is Now In The Hands Of Putin Allies
    http://www.buzzfeed.com/miriamelder/ceo-of-russian-facebook-says-he-was-fired-and-that-the-socia

    So ends the slow unravelling of independence at VKontakte, Russia’s most popular social network.

    Durov said: “Today, VKontakte goes under the complete control of Igor Sechin and Alisher Usmanov.”

    “Probably, in the Russian context, something like this was inevitable, but I’m happy we lasted seven and a half years,” Durov continued.

    Reply
  30. Tomi Engdahl says:

    Information security is part of the national security

    “If the private sector is suffering from cyber attacks, it’s all about national security policy,” National Security Director Tom Ridge said, taking as examples the energy sector, telecommunications and transport networks.

    “So the security boundaries of private firms and nation-states are becoming increasingly blurred.”

    “Cyber security is a team game where all the players want to share their experiences,”

    Source: http://www.tietoviikko.fi/cio/tietoturva+on+osa+kansallista+turvallisuutta/a983077

    Reply
  31. Tomi Engdahl says:

    IT Security is National Security — but You’re Not Alone
    Managing the danger of cyberattacks has to involve all parts of an enterprise, speakers tell a Kaspersky conference
    http://www.cio.com/article/751671/IT_Security_is_National_Security_but_You_39_re_Not_Alone?taxonomyId=600007

    “If the private sector goes down, and critical infrastructure, [then] more often than not … you have national security at risk as well,” said Tom Ridge, who led the new Department of Homeland Security in the wake of the Sept. 11, 2001, terror attacks. Because government relies so much on critical infrastructure such as power grids, communications networks and transportation, and because of the way malware spreads, the line between attacks against states and attacks against companies is blurry.

    Companies and governments face a broad range of active threats, some of which are probably being perpetrated by hackers with nation-states behind them, according to Kaspersky, which researches cybercrime and sells technology to counter it.

    “Everybody has a role to play, particularly the private sector.”

    “It’s equally a business process problem,” Richey said. “You have to be on it seven days a week, 24 hours a day,” handling mundane tasks such as access controls, patches and passwords.

    Companies trying to get a grip on security can turn to industry standards that have been forged and proven in previous incidents

    Reply
  32. Tomi Engdahl says:

    Comcast bills lowered $2.4 million by scammers who accessed billing system
    Men plead guilty, face prison and have to pay money back to Comcast.
    http://arstechnica.com/tech-policy/2014/04/comcast-bills-lowered-2-4-million-by-scammers-who-accessed-billing-system/

    “Buchanan bought the login identification from a Comcast employee and was able to login to the system remotely and change the accounts to lower monthly bills,”

    Reply
  33. Tomi Engdahl says:

    Digging for answers: The “strong smell” of fraud from one Bitcoin miner maker
    A Butterfly Labs exec loses a probation hearing, but details from the case are worse.
    http://arstechnica.com/tech-policy/2014/04/digging-for-answers-the-strong-smell-of-fraud-from-one-bitcoin-miner-maker/

    For many crypto-minded libertarians, Bitcoin is the future of money. But that dream hasn’t been helped much by the numerous high-profile legal cases involving the currency in recent years: The Bitcoin Savings and Trust hedge fund collapsed; uncertainty fueled the implosion of Mt. Gox, the currency’s largest exchange; and the high-profile Silk Road takedown is a treacherous story combining Bitcoin, drugs, and alleged murders.

    Butterfly Labs.
    For the past year, the Kansas-based Bitcoin miner maker has been embroiled in numerous accusations of fraud.

    Despite the “strong smell” coming from the Vleisides’ probation hearing, it’s still not exactly clear whether BFL is an out-and-out scam.

    Reply
  34. Tomi Engdahl says:

    Whaddaya mean, NO REFUND? But I paid in Bitcoins! Oh I see…
    http://www.theregister.co.uk/2014/04/22/whaddaya_mean_no_refund_but_i_paid_in_bitcoins_oh_i_see/

    His startup, XBTerminal, has created an NFC-based, handheld terminal for handling Bitcoin transactions in bricks-and-mortar retail locations

    The undeniable strength of his product lies in the fact that he and his team thoroughly understand crypto-currency tech rather than just evangelise about potentials – what we used to call “bullshitting”.

    Given that an electronic terminal handling a virtual currency does not print receipts and that Bitcoin’s exchange rate sometimes fluctuates wildly from one minute to the next, how do refunds work? Teddy-bear’s answer was that retailers would probably just refuse refunds on Bitcoin transactions.

    Someone spoke up and said that Bitcoins were usually spent on food, in which case refunds were irrelevant.

    Another suggestion was that we should treat Bitcoin like a foreign currency.

    My argument is with crypto-currencies themselves, not in the future but right now. They are worrisome, awkward, complicated and unmanageable.

    Frankly, I don’t like them and I don’t trust them. Some people have become millionaires simply by sitting on Bitcoins, while others make their fortunes by shifting them around a bit

    Reply
  35. Tomi Engdahl says:

    Steam vulnerability allows hackers to bypass security and swipe account data
    Malwarebytes says scammers can change users’ email addresses, passwords, profiles and more
    http://www.theinquirer.net/inquirer/news/2340660/steam-vulnerability-allows-hackers-to-bypass-security-and-swipe-account-data

    Reply
  36. Tomi Engdahl says:

    Intentional Backdoor In Consumer Routers Found
    http://tech.slashdot.org/story/14/04/22/001239/intentional-backdoor-in-consumer-routers-found

    “Eloi Vanderbeken from Synacktiv has identified an intentional backdoor in a module by Sercomm used by major router manufacturers (Cisco, Linksys, Netgear, etc.). The backdoor was ostensibly fixed — by obfuscating it and making it harder to access.”

    Easter egg: DSL router patch merely hides backdoor instead of closing it
    Researcher finds secret “knock” opens admin for some Linksys, Netgear routers.
    http://arstechnica.com/security/2014/04/easter-egg-dsl-router-patch-merely-hides-backdoor-instead-of-closing-it/

    First, DSL router owners got an unwelcome Christmas present. Now, the same gift is back as an Easter egg. The same security researcher who originally discovered a backdoor in 24 models of wireless DSL routers has found that a patch intended to fix that problem doesn’t actually get rid of the backdoor—it just conceals

    Vanderbeken disclosed that the “fixed” code concealed the same communications port he had originally found (port 32764) until a remote user employed a secret “knock”—sending a specially crafted network packet that reactivates the backdoor interface.

    The packet structure used to open the backdoor, Vanderbeken said, is the same used by “an old Sercomm update tool”—a packet also used in code by Wilmer van der Gaast to “rootkit” another Netgear router.

    Just how widely the old, new backdoor has been spread is unknown.

    Reply
  37. Tomi Engdahl says:

    12 ethical dilemmas gnawing at developers today
    http://www.infoworld.com/d/application-development/12-ethical-dilemmas-gnawing-developers-today-240574

    As software takes over more of our lives, the ethical ramifications of decisions made by programmers only become greater

    Reply
  38. Tomi Engdahl says:

    Google to refund buyers of ‘fake’ anti-virus app
    http://www.theregister.co.uk/2014/04/22/google_to_refund_buyers_of_fake_antivirus_app/

    Google has decided that a smallish (for The Chocolate Factory) wad of cash is a trivial price to pay for maintaining its reputation, and has begun refunding punters who fell for the fake “virus shield” scam.

    Reply
  39. Tomi Engdahl says:

    Activists want net neutrality, NSA spying debated at Internet governance conference
    http://www.pcworld.com/article/2146100/activists-want-net-neutrality-nsa-spying-debated-at-brazil-internet-conference.html

    A campaign on the Internet is objecting to the exclusion of issues like net neutrality, the cyberweapons arms race and surveillance by the U.S. National Security Agency from the discussion paper of an Internet governance conference this week in Sao Paulo, Brazil.

    A significant section of the participants are also looking for concrete measures and decisions at the conference rather than yet another statement of principles.

    The proposed text “lacks any strength,” does not mention NSA’s mass surveillance or the active participation of Internet companies, and fails to propose any concrete action, according to the campaign called Our Net Mundial.

    “But there have been so many Internet principles released in recent years that it is hard to see what the Brazil conference could add,” Mueller and Wagner wrote.

    Reply
  40. Tomi Engdahl says:

    Cyber espionage and web app attacks were top security threats in 2013
    As point-of-sale attacks decline in popularity, says Verizon
    http://www.theinquirer.net/inquirer/news/2340887/cyber-espionage-and-web-app-attacks-were-top-security-threats-in-2013

    Reply
  41. Tomi Engdahl says:

    How Silk Road Bounced Back From Its Multimillion-Dollar Hack
    http://news.slashdot.org/story/14/04/22/2316201/how-silk-road-bounced-back-from-its-multimillion-dollar-hack

    “Silk Road, the online marketplace notable for selling drugs and attempting to operate over Tor, was shut down last October. Its successor, Silk Road 2.0 survived for a few months before suffering a security breach.”

    “Silk Road appears to be trying to rebuild, and to repay users’ lost Bitcoins.”

    Reply
  42. Tomi Engdahl says:

    Ask Slashdot: How Can We Create a Culture of Secure Behavior?
    http://ask.slashdot.org/story/14/04/22/1746211/ask-slashdot-how-can-we-create-a-culture-of-secure-behavior

    “employees generally believe they are immune to security risks. They think those types of things happen to other, less careful people.”

    Comments:

    Users are gonna do stupid things when it comes to security. Trying to fix that is a noble goal, but good luck.

    The direction we need to keep going towards is idiot proofing. Assume the user will screw up and mitigate or eliminate the impact.

    Preach it! You cannot try to fix a software problem by fixing the users. Requirements for strong passwords have no place in modern security. A 4-digit PIN works great for my ATM card, because of the combination of:
    * Two-factor auth
    * Good, fast system for repudiation and reclamation
    * Many, many back-end processes in place to limit harm

    Is your IT system set up this way? Why not? Two-factor auth is easy, off-the-shelf stuff these days. Sharply limit password tries before account lockout, and abandon any thought of strong passwords, changing passwords, and so on – all of that is accomplished by the certs (and rotation thereof) on the second factor. The user’s password is just there to make it OK if the second factor is stolen, during the time before the user reports it.

    Reply
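Added example, not from the Slashdot thread or this post: the login design the comment argues for, written with Python's standard library. A short PIN is combined with an RFC 4226 HOTP code from a second-factor token, failed attempts are counted, and the account locks after a few. The `Account` class, the PIN, the lockout values and the test secret are assumptions for illustration.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

MAX_FAILURES = 5            # assumed policy: "sharply limit password tries before lockout"
LOCKOUT_SECONDS = 15 * 60   # assumed lockout duration


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over a 64-bit counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class Account:
    """A user with a short PIN, a per-token HOTP secret, and a lockout counter."""

    def __init__(self, pin: str, secret: bytes):
        self.pin_hash = hashlib.sha256(pin.encode()).digest()  # toy; use a slow KDF for real
        self.secret = secret
        self.counter = 0          # next counter value expected from the token
        self.failures = 0
        self.locked_until = 0.0

    def verify(self, pin: str, code: str, now: Optional[float] = None) -> bool:
        """Accept only PIN *and* a fresh token code; count failures; lock after too many."""
        now = time.time() if now is None else now
        if now < self.locked_until:
            return False          # locked: the guess is not even evaluated
        pin_ok = hmac.compare_digest(self.pin_hash, hashlib.sha256(pin.encode()).digest())
        # small look-ahead window so a skipped button press on the token is tolerated
        matched = next((c for c in range(self.counter, self.counter + 3)
                        if hmac.compare_digest(hotp(self.secret, c).encode(), code.encode())), None)
        if pin_ok and matched is not None:
            self.counter = matched + 1   # consumed codes can never be replayed
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked_until = now + LOCKOUT_SECONDS
        return False
```

The PIN on its own is worth nothing to an attacker: the token secret never leaves the device, each code is single-use, and five wrong guesses cost a 15-minute wait.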
  43. Tomi Engdahl says:

    Even the Most Secure Cloud Storage May Not Be So Secure, Study Finds
    http://www.cio.com/article/751756/Even_the_Most_Secure_Cloud_Storage_May_Not_Be_So_Secure_Study_Finds?taxonomyId=3024

    Some cloud storage providers who hope to be on the leading edge of cloud security adopt a “zero-knowledge” policy in which vendors say it is impossible for customer data to be snooped on. But a recent study by computer scientists at Johns Hopkins University is questioning just how secure those zero knowledge tactics are.

    Zero knowledge cloud services usually work by storing customer data in an encrypted fashion and only giving customers the keys to unencrypt it, rather than the vendor having access to those keys.

    But the researchers found that if data is shared within a cloud service, those keys could be vulnerable to an attack allowing vendors to peer into customer data if they wanted to.

    The study casts doubt over these zero-knowledge clouds and reinforces advice from experts that end users should be fully aware of how vendors handle their data.

    It’s common for these vendors to rely on a middle-man service which verifies users before providing keys to unencrypt the data.
    This presents an opportunity for vendors to potentially issue fake credentials
    It’s similar to a traditional “man in the middle” security attack.

    Spider Oak encourages customers to use a desktop application to transfer files instead of doing so through the company’s web portal.

    Reply
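Added example, not from the article or the study: a toy Python model of the key-directory design the excerpt describes, where the provider's "middle-man service" hands out users' public keys when a file is shared. It shows that a provider who serves its own key instead of the recipient's can derive the file key, and that comparing an out-of-band key fingerprint stops it. The 64-bit Diffie-Hellman group, the `Party` and `KeyDirectory` classes and all names are constructed for illustration and are not secure parameters.

```python
import hashlib
import os

# Constructed toy Diffie-Hellman group: P = 2**64 - 59 is prime but far too small
# for real use; a real system uses a 2048-bit group or an elliptic curve.
P = 0xFFFFFFFFFFFFFFC5
G = 2

def fingerprint(pub: int) -> str:
    """Short hash of a public key, the value users compare out of band."""
    return hashlib.sha256(pub.to_bytes(8, "big")).hexdigest()[:16]

class Party:
    def __init__(self, name: str):
        self.name = name
        self.priv = int.from_bytes(os.urandom(8), "big") % (P - 2) + 1
        self.pub = pow(G, self.priv, P)

    def shared_key(self, peer_pub: int) -> bytes:
        # file key derived from our private key and the peer's public key
        return hashlib.sha256(pow(peer_pub, self.priv, P).to_bytes(8, "big")).digest()

class KeyDirectory:
    """The vendor-run 'middle-man service' that stores and serves public keys."""

    def __init__(self, honest: bool):
        self.keys = {}
        self.vendor = None if honest else Party("vendor")  # dishonest: own key pair

    def register(self, party: Party) -> None:
        self.keys[party.name] = party.pub

    def lookup(self, name: str) -> int:
        if self.vendor is None:
            return self.keys[name]
        return self.vendor.pub  # fake credential: the vendor's key instead of the user's

def share_outcome(honest: bool, verify_fingerprint: bool):
    """Alice shares a file with Bob. Returns (bob_can_read, vendor_can_read)."""
    alice, bob = Party("alice"), Party("bob")
    directory = KeyDirectory(honest)
    directory.register(bob)
    served_pub = directory.lookup("bob")
    # Mitigation: compare the served key with a fingerprint Bob gave Alice over a
    # channel the vendor does not control, and refuse to share on mismatch.
    if verify_fingerprint and fingerprint(served_pub) != fingerprint(bob.pub):
        return (False, False)
    file_key = alice.shared_key(served_pub)
    bob_reads = bob.shared_key(alice.pub) == file_key
    vendor = directory.vendor
    vendor_reads = vendor is not None and vendor.shared_key(alice.pub) == file_key
    return (bob_reads, vendor_reads)
```

The vendor never needs the customer's keys: controlling the directory that says "this is Bob's key" is enough, which is why the study's advice is to check how a provider distributes keys, not only whether it holds them.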
  44. Tomi Engdahl says:

    Apple splats ‘new’ SSL snooping bug in iOS, OS X – but it’s no Heartbleed
    Triple-handshake flaw stalks Macs and iThings
    http://www.theregister.co.uk/2014/04/23/apple_ssl_update/

    Apple has squashed a significant security bug in its SSL engine for iOS and OS X as part of a slew of patches for iThings and Macs.

    The so-called “triple handshake” flaw quietly emerged yesterday amid panic over OpenSSL’s Heartbleed vulnerability, and soon after the embarrassing “goto fail” blunder in iOS and OS X.

    Reply
  45. Tomi Engdahl says:

    Win XP, 7 & 8.1: Internet Security Suites Complete an Endurance Test Lasting 6 Months
    http://www.av-test.org/en/news/news-single-view/artikel/win-xp-7-81-internet-security-suites-complete-an-endurance-test-lasting-6-months-1/

    Between September 2013 and February 2014, the laboratory experts at AV-TEST subjected 24 Internet security suites to a multitude of complex tests. This endurance test carried out on protection packages quickly shows which packages are always on the ball, even in a stressful testing situation, and which packages fail to impress.

    22 of the 24 packages involved in the test were awarded the AV-TEST certificate for tested security.

    The basic protection from Microsoft, namely Windows Defender or Security Essentials, combined with the Windows Firewall, is an insecure option.

    Reply
  46. Tomi Engdahl says:

    Quantum Cryptography
    http://www.linuxjournal.com/content/quantum-cryptography

    Classical cryptography provides security based on unproven mathematical assumptions and depends on the technology available to an eavesdropper. But, these things might not be enough in the near future to guarantee cyber security. We need something that provides unconditional security. We need quantum cryptography.

    Classical cryptographic algorithms mostly rely on mathematical approaches to secure key transmission. The security they offer is based on unproven assumptions and depends on the technology available to an eavesdropper. But, rapidly growing parallel and quantum technologies may be a threat to these classical cryptography techniques in the near future. One of the solutions to these threats is quantum cryptography.

    What is quantum cryptography? Quantum cryptography is a complex topic, because it brings into play something most people find hard to understand—quantum mechanics. S

    Reply
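Added example, not from the Linux Journal article: a Python simulation of BB84, the quantum key distribution protocol that the article's topic rests on (the excerpt itself does not describe it). Qubits are modelled as (basis, bit) pairs on an ideal channel, so every error in the sifted key is caused by an eavesdropper's measurements; the 11% abort threshold and the half-and-half sampling split are assumptions of this illustration.

```python
import random

QBER_ABORT = 0.11   # assumed abort threshold: above this the sifted key is discarded

def measure(qubit, basis, rng):
    """Measure a (basis, bit) qubit in `basis`; return the post-measurement qubit."""
    q_basis, q_bit = qubit
    if basis == q_basis:
        return (basis, q_bit)              # right basis: the bit is read correctly
    return (basis, rng.randint(0, 1))      # wrong basis: random outcome, state disturbed

def bb84(n_qubits: int, eavesdrop: bool, seed: int = 0):
    """Run BB84 over an ideal channel. Returns (alice_key, bob_key, qber)."""
    rng = random.Random(seed)
    a_bits = [rng.randint(0, 1) for _ in range(n_qubits)]
    a_bases = [rng.randint(0, 1) for _ in range(n_qubits)]   # 0 = rectilinear, 1 = diagonal
    qubits = list(zip(a_bases, a_bits))                       # Alice's prepared qubits
    if eavesdrop:
        # Eve intercepts each qubit, measures in a random basis and resends it;
        # half the time her basis is wrong and the resent qubit carries a random bit.
        qubits = [measure(q, rng.randint(0, 1), rng) for q in qubits]
    b_bases = [rng.randint(0, 1) for _ in range(n_qubits)]
    b_bits = [measure(q, b, rng)[1] for q, b in zip(qubits, b_bases)]
    # Sifting: over the public channel Alice and Bob compare bases (not bits) and
    # keep only positions where the bases agree.
    keep = [i for i in range(n_qubits) if a_bases[i] == b_bases[i]]
    a_key = [a_bits[i] for i in keep]
    b_key = [b_bits[i] for i in keep]
    # Error estimation: sacrifice half the sifted bits by comparing them in public;
    # any mismatch on an ideal channel is evidence of eavesdropping.
    half = len(keep) // 2
    errors = sum(x != y for x, y in zip(a_key[:half], b_key[:half]))
    qber = errors / half if half else 1.0
    return a_key[half:], b_key[half:], qber

def key_or_abort(n_qubits: int, eavesdrop: bool, seed: int = 0):
    """Return the key Alice keeps, or None when the error rate signals an eavesdropper."""
    a_key, b_key, qber = bb84(n_qubits, eavesdrop, seed)
    if qber > QBER_ABORT:
        return None
    return a_key  # ideal channel: b_key equals a_key; error correction is omitted here
```

An intercept-and-resend eavesdropper gets the basis wrong half the time and so flips about a quarter of the sifted bits, which is what the public sample detects; that disturbance, not a hardness assumption, is the security argument.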
  47. Tomi Engdahl says:

    Pavel Durov, the founder of VKontakte.com, Russia’s top social network with over 100 million users, is now out for good from the company

    “I’m out of Russia and have no plans to go back,” he wrote in the exchange. “Unfortunately, the country is incompatible with Internet business at the moment.”

    “I’m afraid there is no going back,” he said of VK.com, “not after I publicly refused to cooperate with the authorities. They can’t stand me.”

    Source: http://techcrunch.com/2014/04/22/durov-out-for-good-from-vk-com-plans-a-mobile-social-network-outside-russia/

    Reply
  48. Tomi Engdahl says:

    Kill dodgy RNG says NIST
    But you already knew that, right?
    By Richard Chirgwin, 23 Apr 2014
    http://www.theregister.co.uk/2014/04/23/kill_dodgy_rng_says_nist/

    NIST has said what we already knew: the Dual Elliptic Curve Deterministic Random Bit Generator, Dual_EC_DRBG, is a dead duck and should be abandoned by anyone still using it.

    NIST’s recommendation merely formalises advice it gave in 2013 when debate over the weak random number generator first emerged, courtesy of the “RSA scandal”

    NIST notes that ditching Dual_EC_DRBG is mandatory for any vendors that want their products to comply with US federal government guidance

    The alternative random number modules endorsed by NIST are Hash_DRBG, HMAC_DRBG, or CTR_DRBG

    Reply
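Added example, not from the article or from NIST reference code: one of the three endorsed alternatives, HMAC_DRBG from SP 800-90A section 10.1.2, instantiated over SHA-256 with Python's standard library. The prediction-resistance and additional-input options are left out, and the minimum entropy-length check is an assumption of this illustration.

```python
import hashlib
import hmac

class HmacDrbg:
    """HMAC_DRBG over SHA-256 (NIST SP 800-90A, 10.1.2). Illustration only: real code
    should call the operating system's DRBG rather than implement its own."""

    OUTLEN = 32                 # SHA-256 output length in bytes
    RESEED_INTERVAL = 1 << 48   # generate() calls allowed before a reseed is required
    MAX_REQUEST = 1 << 16       # bytes per generate() call (SP 800-90A limit)

    def __init__(self, entropy: bytes, nonce: bytes = b"", personalization: bytes = b""):
        if len(entropy) < self.OUTLEN:
            raise ValueError("need at least 256 bits of entropy for SHA-256 strength")
        # Instantiate: K = 0x00..00, V = 0x01..01, then Update(entropy || nonce || pers)
        self.K = bytes(self.OUTLEN)
        self.V = b"\x01" * self.OUTLEN
        self.reseed_counter = 1
        self._update(entropy + nonce + personalization)

    def _hmac(self, data: bytes) -> bytes:
        return hmac.new(self.K, data, hashlib.sha256).digest()

    def _update(self, provided: bytes) -> None:
        """HMAC_DRBG_Update: fold provided data into (K, V); the second round runs
        only when data was supplied."""
        self.K = self._hmac(self.V + b"\x00" + provided)
        self.V = self._hmac(self.V)
        if provided:
            self.K = self._hmac(self.V + b"\x01" + provided)
            self.V = self._hmac(self.V)

    def reseed(self, entropy: bytes) -> None:
        self._update(entropy)
        self.reseed_counter = 1

    def generate(self, n: int) -> bytes:
        if n > self.MAX_REQUEST:
            raise ValueError("request exceeds max_number_of_bits_per_request")
        if self.reseed_counter > self.RESEED_INTERVAL:
            raise RuntimeError("reseed required before more output")
        out = bytearray()
        while len(out) < n:
            self.V = self._hmac(self.V)    # V = HMAC(K, V); each block is output
            out += self.V
        self._update(b"")                  # backtracking resistance: refresh K, V
        self.reseed_counter += 1
        return bytes(out[:n])
```

Unlike Dual_EC_DRBG, the construction has no hidden parameters: its security reduces to HMAC-SHA256 being a PRF, and anyone can audit the few dozen lines above against the standard.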
