Security trends for 2014

2014 will be a year of cybersecurity after the NSA revelations of 2013. The headline news was that the NSA has surreptitiously “burrowed its way into nearly all the security architecture” sold by the world’s largest computer networking companies. A lot of people were shocked by how much of the Internet the NSA monitored and hacked. There will still be NSA aftershocks as new material comes out and different parties react to it (and news sources write about it). U.S. cloud services have been put into question for good reason. There will be a lot of NSA spying litigation. Those spying issues will also fuel some hacktivism (it has already started to happen).

The Security Professionals: Top Cyber Threat Predictions for 2014 article lists the following predictions, which seem fairly probable: cybersecurity regulatory efforts will spark a greater need for harmonization; service-impacting interruptions of online services will persist; we will see an increase in cybercrime activity related to the World Cup; regional cloud services will rise; DevOps security integration is fast becoming critical; cybercrime that leverages unsupported software will increase; and an increase in social engineering and ransomware will impact more people.

Ubiquitous mobile computing is all around us, which will lead to increased risks and concerns about social network privacy. Social networks have quickly become the key organizing principle of Internet communication and collaboration. Note also that Android anti-virus apps can’t kill nasties on sight like normal desktop AV: a third-party app runs inside the same sandbox model as the malware it detects and cannot delete another app’s files or uninstall it, so the best it can do is warn the user and prompt for removal.

2013 was a very hacked year, with many cases where information on millions or tens of millions of users was stolen from companies. It is likely that we will see much more of the same in 2014: the way people use passwords and the way online services are built have not changed much in one year.


Gartner predicts that through 2014, improved JavaScript performance will begin to push HTML5 and the browser as a mainstream enterprise application development environment. I expect HTML5-related security issues to increase as the technology is used more in 2014, because it brings new client-side attack surface (cross-origin messaging, client-side storage, WebSockets) to applications that used to keep all of that on the server.

Over 50% of net traffic to web sites is made by bots! The More Than Half of Internet Traffic Is Just Bots article says that security and cloud service provider Incapsula analyzed its traffic and found that more than 60 percent of internet traffic is computer generated, compared to less than 40 percent driven by human clicks. 31% of bots are still malicious. SEO link building has always been a major motivation for automated link spamming, but it is decreasing because Google has been able to discourage it. What is growing instead is more advanced hacking and automatic vulnerability searching.

DDoS attacks are evolving from volumetric Layer 3-4 attacks to much more sophisticated and dangerous Layer 7 multi-vector threats. A Layer 7 flood sends requests that each look legitimate to an expensive endpoint (search, login, a dynamically rendered page), so bandwidth-based defences never trip; what gives it away is the per-client request rate and pattern. A multi-vector attack combines several such techniques with volumetric traffic so that no single filter stops it.
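The two points above (measuring how much of your traffic is bots, and spotting an application-layer flood that looks like ordinary browsing) can be checked against your own access logs. The following is an added example, not code from the article or from Incapsula: it parses Apache/nginx "combined" log lines, classifies each request as human, crawler or tool by User-Agent, reports the bot share, flags clients whose request rate against one URL path looks like a Layer 7 flood, and lists clients collecting 404s across many paths (vulnerability scanners). The log lines are constructed for the example; the User-Agent signature lists and the thresholds are assumptions, not anything the article states.

```python
"""Bot share and Layer 7 flood detection over web access logs (added example)."""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Apache/nginx "combined" format: ip ident user [ts] "method path proto" status size "referer" "ua"
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# Illustrative signature lists (assumptions for the example, not from the article).
CRAWLER_TOKENS = ("googlebot", "bingbot", "baiduspider", "yandexbot")
TOOL_TOKENS = ("python-requests", "curl/", "wget/", "libwww", "scrapy",
               "nikto", "sqlmap", "masscan", "zgrab")


def classify_ua(ua):
    """Return 'crawler', 'tool' or 'human' for a User-Agent string."""
    low = ua.lower()
    if any(t in low for t in CRAWLER_TOKENS):
        return "crawler"
    if ua in ("", "-") or any(t in low for t in TOOL_TOKENS):
        return "tool"
    return "human"


def parse_log(text):
    """Yield one dict per line that matches the combined log format."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
        rec["path"] = rec["path"].split("?", 1)[0]   # group by path, drop query string
        rec["kind"] = classify_ua(rec["ua"])
        yield rec


def traffic_breakdown(records):
    """Percentage of requests per class; 'bot' is crawler + tool together."""
    counts = Counter(r["kind"] for r in records)
    total = sum(counts.values()) or 1
    pct = {k: round(100.0 * v / total, 1) for k, v in counts.items()}
    pct["bot"] = round(100.0 * (counts["crawler"] + counts["tool"]) / total, 1)
    return pct


def find_l7_floods(records, window=timedelta(seconds=10), threshold=20):
    """Return [((ip, path), peak_count)] for clients exceeding `threshold`
    requests to one path inside a sliding `window`. Each request looks
    legitimate on its own; only the per-client rate exposes the flood."""
    recent = defaultdict(deque)          # (ip, path) -> timestamps still in the window
    flagged = {}
    for r in sorted(records, key=lambda r: r["ts"]):
        key = (r["ip"], r["path"])
        q = recent[key]
        q.append(r["ts"])
        while q and r["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged[key] = max(flagged.get(key, 0), len(q))
    return sorted(flagged.items(), key=lambda kv: -kv[1])


def find_probers(records, min_404=3):
    """Clients collecting 404s on many distinct paths are probing for software."""
    misses = defaultdict(set)
    for r in records:
        if r["status"] == "404":
            misses[r["ip"]].add(r["path"])
    return {ip: len(paths) for ip, paths in misses.items() if len(paths) >= min_404}


BROWSER_UA = "Mozilla/5.0 (Windows NT 6.1; rv:26.0) Gecko/20100101 Firefox/26.0"
SCANNER_UA = "python-requests/2.2.1"
GOOGLE_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"


def _line(ip, sec, path, status, ua):
    """One constructed combined-format log line (sample data, not real traffic)."""
    return (f'{ip} - - [15/Jan/2014:10:00:{sec:02d} +0000] "GET {path} HTTP/1.1" '
            f'{status} 512 "-" "{ua}"')


# Constructed sample log: two humans, one crawler, one scanner and one L7 flood.
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", 0, "/", 200, BROWSER_UA),
     _line("203.0.113.7", 2, "/style.css", 200, BROWSER_UA),
     _line("203.0.113.8", 5, "/about", 200, BROWSER_UA),
     _line("66.249.66.1", 3, "/about", 200, GOOGLE_UA)]
    + [_line("198.51.100.9", 4, p, 404, SCANNER_UA)
       for p in ("/wp-login.php", "/phpmyadmin/", "/admin/", "/.git/config")]
    # 30 browser-looking requests to /search within three seconds from one client
    + [_line("192.0.2.50", 10 + i % 3, f"/search?q=x{i}", 200, BROWSER_UA) for i in range(30)]
)

if __name__ == "__main__":
    recs = list(parse_log(SAMPLE_LOG))
    print("traffic breakdown (%):", traffic_breakdown(recs))
    print("L7 flood candidates:", find_l7_floods(recs))
    print("probers (distinct 404 paths):", find_probers(recs))
```

On the sample, the flood client is the only entry in the L7 list even though every one of its requests carries a normal browser User-Agent, which is the point: a User-Agent classifier measures bot share, but it is the per-client rate on one path that catches an application-layer attack. Real logs need the window and threshold tuned per endpoint (a login form tolerates far fewer requests per client than a static asset).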

There will still be many SCADA security issues in 2014. Even though traditional SCADA vulnerabilities have become easier to find, the increased connectivity brought by IoT will cause new issues. And there will still be very many control systems openly accessible from the Internet to practically anybody who knows how to look for them. A large number of SCADA systems were found open on the Internet at the beginning of 2013, and the numbers have not dropped considerably during the year. I expect that very many of those systems will still be too open at the end of 2014.

The Internet is expanding into enterprise assets and consumer items such as cars and televisions. The Internet of Things (IoT) will evolve into the Web of Things, increasing the coordination between things in the real world and their counterparts on the Web. There will be many security issues to solve, and as these systems become more widely used, more security issues will be found in them.

Cloud security will be talked about. Hopefully there will be some clean-up of the terminology in that area, because “cloud security” can mean a lot of things, like the term “cloud computing” itself. Cloud security could mean how secure your cloud provider is; a service that runs in the cloud and filters what passes through it (for example e-mail or web traffic); a product protecting some service running in the cloud; or a traditional anti-virus product that connects to the cloud to improve its operation (for example real-time updates, or checking unknown programs against data in the cloud). Research firm Gartner forecasts that cloud security sales will increase dramatically in the next few years, from $2.1 billion to $3.1 billion in 2015.

Marketers try to put the term “cloud” into security product brochures as much as they can. Cloud has made traditional information security sound old-fashioned, because companies are under pressure to move services to the cloud. Mobile devices and dispersed users also set new standards for information security. OpenDNS CTO Dan Hubbard says that “because the data and equipment run in the cloud, the cloud is the best way to protect the users.” The Snowden Effect will also put PRIVATE cloud on the table this year for security reasons, because U.S. cloud services have been put into question for good reason.

In Finland a new Cyber Security Centre started at the beginning of 2014. Its security articles and warnings will be published at kyberturvallisuuskeskus.fi.

Late addition: Crypto-currencies like Bitcoin and similar are on the rise. Early adopters already use them actively. Those crypto-currencies have many security issues related to them. Their value varies a lot, and it easily drops considerably when they get so widely used that governments try to limit their use. Bitcoin is increasingly used as a ransomware payment method. Bitcoins have been stolen quite a lot lately (and I expect that to increase as usage increases): from users, from on-line wallets and from exchanges. When more money is involved, more bad guys try to get some of it. Sometimes bad guys do not try to steal your money but use resources you pay for (your own PC, your server capacity, etc.) to generate money for them without you knowing about it. If you plan to use crypto-currencies, be careful to understand what you are doing with them: there is a real possibility that you can lose your money, and there is no way lost money can be recovered.

3,382 Comments

  1. Tomi Engdahl says:

    Inside the ‘DarkMarket’ Prototype, a Silk Road the FBI Can Never Seize
    http://www.wired.com/2014/04/darkmarket/

    The Silk Road, for all its clever uses of security protections like Tor and Bitcoin to protect the site’s lucrative drug trade, still offered its enemies a single point of failure. When the FBI seized the server that hosted the market in October and arrested its alleged owner Ross Ulbricht, the billion-dollar drug bazaar came crashing down.

    If one group of Bitcoin black market enthusiasts has their way, the next online free-trade zone could be a much more elusive target.

    At a Toronto Bitcoin hackathon earlier this month, the group took home the $20,000 first prize with a proof-of-concept for a new online marketplace known as DarkMarket, a fully peer-to-peer system with no central authority for the feds to attack. If DarkMarket’s distributed architecture works, law enforcement would be forced to go after every contraband buyer and seller one by one, a notion that could signal a new round in the cat-and-mouse game of illicit online sales.

    Reply
  2. Tomi Engdahl says:

    Steven J. Vaughan-Nichols: Here comes the black market for XP patches
    http://www.computerworld.com/s/article/9247873/Steven_J._Vaughan_Nichols_Here_comes_the_black_market_for_XP_patches?taxonomyId=125&pageNumber=2

    A Microsoft spokesperson told me that “Custom Support is provided to large enterprise customers whose migration from Windows XP was not completed by April 8, 2014. It is a temporary measure designed to help large customers with complex migrations

    the new Custom Support minimums were 750 PCs, with a minimum payment of $150,000 for a year’s worth of support.

    What you’ll get for that $150 grand is patches for critical vulnerabilities.

    Even at the bargain basement price of $25, many large companies can’t afford Custom Support. But plenty of them are in need of it.

    And we know what happens when you have something that’s in short supply and with limited access with a large potential market, right? We’re going to see a black market in XP patches.

    Unless, of course, someone “generously” puts XP patches on BitTorrent. The problem with BitTorrented patches is that you can’t really know whether you’re getting the real patch or malware.

    Reply
  3. Tomi Engdahl says:

    US Nuclear Missile Silos Use Safe, Secure 8″ Floppy Disks
    http://tech.slashdot.org/story/14/04/29/1256250/us-nuclear-missile-silos-use-safe-secure-8-floppy-disks

    “although the missiles have been upgraded numerous times to make them safer and more reliable, the bases themselves haven’t changed much and there isn’t a lot of incentive to upgrade them”

    “Cyber engineers found out that the system is extremely safe and extremely secure in the way it’s developed.” While on the base, missileers showed Stahl the 8-inch floppy disks, marked “Top Secret,”

    Reply
  4. Tomi Engdahl says:

    Why U.S. Nuclear Missile Silos Rely on Decades-Old Technology
    http://www.slate.com/blogs/future_tense/2014/04/28/huge_floppy_disks_and_other_old_tech_is_common_at_air_force_nuclear_missile.html

    The government built facilities for the Minuteman missiles in the 1960s and 1970s, and though the missiles have been upgraded numerous times to make them safer and more reliable, the bases themselves haven’t changed much. And there isn’t a lot of incentive to upgrade them.

    8-inch floppy disks they use as part of launch commands for the missiles.

    Weinstein explained, “Those older systems provide us some, I will say, huge safety, when it comes to some cyber issues that we currently have in the world.”

    Reply
  5. Tomi Engdahl says:

    New security marketing term:

    SOFTWARE-DEFINED PROTECTION
    https://www.checkpoint.com/sdp/

    To address today’s EVER-CHANGING threat landscape, Check Point has introduced
    a MODULAR and dynamic security architecture that envisions a THREE-LAYER infrastructure
    that provides operational RESILIENCE and real-time, PROACTIVE protection.

    Reply
  6. Tomi Engdahl says:

    Google Chrome protection for Heartbleed-hacked sites called “completely broken”
    Report: Browser is “blind” to 98 percent of potentially compromised certificates.
    http://arstechnica.com/security/2014/04/google-chrome-protection-for-heartbleed-hacked-sites-called-completely-broken/

    The ability of Google Chrome to block secure website connections compromised by the Heartbleed bug is “completely broken” because the browser by default detects less than three percent of the underlying digital certificates that have been revoked, according to a detailed analysis recently posted online.

    Reply
  7. Tomi Engdahl says:

    Stung by data breach, Target speeds switch to chip-and-PIN card readers
    Names former DOD and DHS advisor as CIO to handle transition.
    http://arstechnica.com/information-technology/2014/04/stung-by-data-breach-target-speeds-switch-to-chip-and-pin-card-readers/

    One month after its last chief information officer resigned, American retailer Target made two security-minded announcements on Tuesday with hopes of assuaging fears about how it handles credit card data.

    The company’s plan to upgrade its thousands of sales terminals has been accelerated. Now, shoppers can expect to see chip-and-PIN-enabled credit card kiosks in all of Target’s 1,797 stores by September, a timeframe that’s “six months ahead of schedule” according to a Target statement. That acceleration may have to do with Target’s choice to transfer its entire line of internal credit and debit cards, known as REDcard, to MasterCard’s chip-and-PIN system by “early 2015.”

    Reply
  8. Tomi Engdahl says:

    Mt. Gox Creditors, Investors Agree to Try to Revive Bitcoin Exchange
    Deal Would Give Creditors a 16.5% Stake in the Future Company
    http://online.wsj.com/news/article_email/SB10001424052702304893404579530262159284736-lMyQjAxMTA0MDIwOTEyNDkyWj

    Reply
  9. Tomi Engdahl says:

    Adobe patches Flash Player zero-day flaw used in watering-hole attacks
    Bug could have allowed attackers to take control of affected systems
    http://www.theinquirer.net/inquirer/news/2342068/adobe-patches-flash-player-zero-day-flaw-used-in-watering-hole-attacks

    ADOBE HAS ISSUED an emergency patch for Flash Player following the discovery of a zero-day vulnerability, which it warned could allow attackers “to take control of affected computer systems”.

    Adobe released security updates to cover Flash Player versions 13.0.0.182 and earlier for Windows, 13.0.0.201 and earlier versions for Mac and 11.2.202.350 and earlier for Linux.

    Reply
  10. Tomi Engdahl says:

    New Zero-Day Flash Bug Affects Windows, OS X, and Linux Computers
    http://it.slashdot.org/story/14/04/29/1655220/new-zero-day-flash-bug-affects-windows-os-x-and-linux-computers

    “Researchers at the Kaspersky Lab have uncovered a zero-day Adobe Flash vulnerability that affects Windows, OS X, and Linux.”

    Reply
  11. Tomi Engdahl says:

    Security company RSA on the phishing situation: in March alone, phishing attacks caused losses of 362 million dollars (about 260 million euros), according to RSA estimates. On an annual basis, this would amount to about three billion in losses.

    Sources:
    http://www.tietokone.fi/artikkeli/uutiset/nettirikolliset_miljonaareja_kalastelun_lasku_on_kova
    http://www.emc.com/collateral/fraud-report/online-fraud-report-0414.pdf

    Reply
  12. Tomi Engdahl says:

    Heartbleed used to uncover data from cyber-criminals
    http://www.bbc.com/news/technology-27203766

    The Heartbleed bug has turned cyber criminals from attackers into victims as researchers use it to grab material from chatrooms where they trade data.

    Reply
  13. Tomi Engdahl says:

    New nasty hole in SSL encryption – found by Finns again

    SafetyLocked, a Finnish company developing information security and cloud services, has discovered a serious vulnerability in an open source encryption implementation that is commonly used in server and network systems.

    Technically, the security hole is in the NetSSL encryption implementation of the POCO library, which is widely used in C++ and embedded systems applications.

    The vulnerability allows an attacker to carry out a so-called man-in-the-middle (MITM) attack, in which encrypted data between users and a server or network device can be captured and tampered with.

    The library is used, for example, in embedded software by server and network equipment manufacturers including 454 Life Sciences, HP, Lumiplan, Riverbed, Schneider Electric, Thales and Voltwerk Electronics.

    Open-source projects such as GLUEscript, MITK, openFrameworks, Open Game Engine and Ogre also use it.

    The NetSSL encryption implementation is also based on OpenSSL, but this time the error is not there.

    A fix for the security hole has been published: the POCO libraries must be updated to version 1.4.6p4 or later.

    Source: http://www.tietokone.fi/artikkeli/uutiset/uusi_paha_aukko_ssl_salauksessa_suomalaiset_loysivat_taas

    Reply
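The comment above describes a MITM against a TLS client library. The general lesson is that a certificate chain validating to a trusted CA is not enough: the client must also check that the certificate was issued for the host it meant to reach, otherwise any valid certificate (for a host the attacker controls) is accepted. The following is an added example illustrating that check, not POCO's code and not a reconstruction of the specific NetSSL bug. The certificate records are constructed dicts in the shape Python's ssl.getpeercert() returns, and the matching rules (wildcard only as the whole left-most label, never spanning a dot, never for IP literals, CN consulted only when no DNS SAN exists) are the common RFC 6125-style rules, assumed here for the example.

```python
"""Server-name verification for TLS clients (added example, RFC 6125-style rules)."""
import ipaddress


def _match_dns(pattern, hostname):
    """Match one dNSName pattern from a certificate against a hostname."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    plabels, hlabels = pattern.split("."), hostname.split(".")
    # The wildcard must be the entire left-most label, must leave at least two
    # real labels (no "*.com"), and stands in for exactly one label, so
    # *.example.com does not match a.b.example.com.
    if plabels[0] != "*" or len(plabels) < 3 or len(plabels) != len(hlabels):
        return False
    return plabels[1:] == hlabels[1:]


def cert_matches_host(cert, hostname):
    """True if `cert` (ssl.getpeercert()-shaped dict) was issued for `hostname`."""
    dns_names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    ip_names = [v for k, v in cert.get("subjectAltName", ()) if k == "IP Address"]
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    if ip is not None:
        # IP literals only match iPAddress SANs; wildcards never apply to them.
        return any(ipaddress.ip_address(v) == ip for v in ip_names)
    if dns_names:
        # Once any dNSName SAN is present the commonName is ignored entirely.
        return any(_match_dns(p, hostname) for p in dns_names)
    cn = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_match_dns(p, hostname) for p in cn)


def verify_peer(cert, hostname, chain_is_trusted=True, check_hostname=True):
    """Decision a client should make after the handshake.

    `chain_is_trusted` stands in for the CA signature/chain check the TLS
    library already performed. `check_hostname=False` reproduces the broken
    client: a chain-valid certificate for *any* name is accepted, which is
    exactly what an attacker in the middle can present.
    """
    if not chain_is_trusted:
        return False
    if not check_hostname:
        return True
    return cert_matches_host(cert, hostname)


# Constructed certificates (shape of ssl.getpeercert(); not real certificates).
BANK_CERT = {
    "subject": ((("commonName", "bank.example"),),),
    "subjectAltName": (("DNS", "bank.example"), ("DNS", "*.bank.example")),
}
# Chain-valid certificate, issued by a trusted CA, for a host the attacker controls.
ATTACKER_CERT = {
    "subject": ((("commonName", "attacker.example"),),),
    "subjectAltName": (("DNS", "attacker.example"), ("IP Address", "192.0.2.10")),
}

if __name__ == "__main__":
    print("broken client accepts attacker cert for bank.example:",
          verify_peer(ATTACKER_CERT, "bank.example", check_hostname=False))
    print("correct client accepts attacker cert for bank.example:",
          verify_peer(ATTACKER_CERT, "bank.example"))
    print("correct client accepts bank cert for www.bank.example:",
          verify_peer(BANK_CERT, "www.bank.example"))
```

The interesting cases are the negative ones: the attacker's certificate is perfectly valid and still must be rejected for bank.example, and the bank's wildcard must not match a.b.bank.example or a bare "*.example"-style pattern. When auditing a client library, test those rather than the happy path.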
  14. Tomi Engdahl says:

    Surveillance court rejected Verizon challenge to NSA calls program
    http://www.washingtonpost.com/world/national-security/surveillance-court-rejected-verizon-challenge-to-nsa-calls-program/2014/04/25/78d430c2-ccc2-11e3-93eb-6c0037dde2ad_story.html?wprss=rss_national

    Verizon in January filed a legal challenge to the constitutionality of the National Security Agency’s program that collects billions of Americans’ call-detail records, but a surveillance court rejected it, according to newly declassified documents and individuals with knowledge of the matter.

    A Verizon spokesman declined to confirm or deny that it was the company that filed the challenge.

    Reply
  15. Tomi Engdahl says:

    OkCupid’s Founders Want to Bring Encrypted Email to the Masses
    http://www.wired.com/2014/04/keybase/

    Email is a bad place to keep secrets.

    Edward Snowden’s revelations that the National Security Agency has many means of acquiring the full text of our emails–even if it doesn’t have a warrant–led to a resurgence of interest in PGP.

    The problem is PGP is pretty hard to use. That’s why Krohn and Chris Coyne–who previously founded study guide company SparkNotes and online dating service OK Cupid–launched Keybase, a startup that aims to make PGP easier for average users. The idea is to create an online directory that lets you instantly locate someone online and trade the encryption tools the two of you need to communicate privately. That may sound simple, but it’s a tough nut to crack, and Keybase may have found a way of doing this with a little help from social networks like Twitter.

    Crypto-enthusiasts historically have dealt with this through a concept called the “Web of Trust.” When you create a new PGP key, you can upload it to what’s called a key server, which essentially is a database of public keys. To prove the key really is yours, you’d get other people to sign it with their own keys.

    “I think the Web of Trust approach is the right one in theory,” Krohn says. “But in practice it hasn’t worked. If you go three links out, what are the chances you get to someone malicious?”

    Keybase verifies keys by using the social web to do exactly this type of cross-referencing. When you sign-up for Keybase, you have the option of creating a new public key or importing an existing one. Then you place a PGP signature on your website, Twitter account, or GitHub account to prove you own that key.

    One concern is that, unlike the old fashioned key servers, which shared their information with each other in case one went down, Keybase is a centralized directory. If the company runs out of money and shuts off its servers, all that information would be lost. But Krohn says the company soon will make it possible for anyone to mirror the directory.

    Reply
  16. Tomi Engdahl says:

    Ask Slashdot: How To Back Up Physical Data?
    http://ask.slashdot.org/story/14/04/30/0236215/ask-slashdot-how-to-back-up-physical-data

    “After many years I now have a backup of all my digital data in (at least) two physical locations. But what do people recommend to back up my physical data? And then how to prove my identity?”

    FYI: Banks, courts, and the Government issued ID have processes for people who have lost everything. It generally involves someone signing a document that vouches for your identity. It’s not a big deal. If you really want to speed the process, a couple of scans of your documents emailed to yourself will help them simply look up a record and reprint the documents.

    While it’s not the best idea to keep all your eggs in one basket, Lastpass (a firefox, chrome, opera addon, plus a standalone app) is an OK way to store this kind of data.

    It is all encrypted/decrypted locally, and then uploaded to the DREADED cloud!

    While primarily a place to keep your passwords, it does have a handy feature for what they call Secure Notes, with premade forms for filling out all of your personal private info, allowing pictures/scans to be added.

    Reply
  17. Tomi Engdahl says:

    MIT sets up Bitcoin student spend study
    4,528 undergraduates to get $100 each
    http://www.theinquirer.net/inquirer/news/2342343/mit-sets-up-bitcoin-student-spend-study

    TWO STUDENTS at the Massachusetts Institute of Technology (MIT) have worked together to raise a half a million dollar fund that will be turned into Bitcoins and shared among their peers for educational purposes.

    “Giving students access to cryptocurrencies is analogous to providing them with internet access at the dawn of the internet era,”

    Each of the 4,000-plus MIT students will get $100 in Bitcoins to do with as they please. This is part of what is called the MIT Bitcoin Project, and MIT said that this will involve studies of how students spend money, and Bitcoins in particular.

    Reply
  18. Tomi Engdahl says:

    Immigration Dept: we have NO IDEA how many people saw asylum-seeker data
    Metadata-slurping Oz gummint can’t read its own logfiles
    http://www.theregister.co.uk/2014/04/30/immigration_dept_we_have_no_idea_how_many_people_saw_asylumseeker/

    Here’s why Australia’s government wants the telecoms industry to do its metadata collection for it: it can’t read its own syslogs.

    “The department is unable to identify how many people may have downloaded the information.”

    In other words, the system logs of the Department of Immigration’s Microsoft-based Website apparently don’t collect data about hits on individual publications on the site.

    Reply
  19. Tomi Engdahl says:

    XP Is a Sitting Duck for Cyberattacks
    http://www.designnews.com/author.asp?section_id=1386&doc_id=272969&

    If you’re still running Windows XP in your plant, you better duck. Microsoft’s support for the XP operating system officially ended on April 8, 2014. Windows will no longer provide users with security updates or technical support for the 12-year-old system. Microsoft stated that “PCs running Windows XP after April 8, 2014, should not be considered to be protected, and it is important that you migrate to a current supported operating system.”

    In a research note, IHS Technology noted that cybersecurity is the largest concern related to the continued use of Windows XP in industrial automation.

    Reply
  20. Tomi Engdahl says:

    f8: Introducing Anonymous Login and an Updated Facebook Login
    http://newsroom.fb.com/news/2014/04/f8-introducing-anonymous-login-and-an-updated-facebook-login/

    Today at f8, we announced Anonymous Login, a brand new way to log into apps without sharing any personal information from Facebook, along with a new version of Facebook Login with even better privacy controls.

    Sometimes people want to try out apps, but they’re not ready to share any information about themselves. For this, we’re introducing a way to log in to apps anonymously.

    Reply
  21. Tomi Engdahl says:

    Hip to Heartbleed: 39% of users took steps to protect themselves
    http://www.cnet.com/news/hip-to-heartbleed-39-of-users-took-steps-to-protect-themselves/

    A Pew Research study also found that 29 percent of Internet users believe their personal information is at risk, while 6 percent of users believe their information was swiped.

    Reply
  22. Tomi Engdahl says:

    White House
    Heartbleed: Understanding When We Disclose Cyber Vulnerabilities
    http://www.whitehouse.gov/blog/2014/04/28/heartbleed-understanding-when-we-disclose-cyber-vulnerabilities

    When President Truman created the National Security Agency in 1952, its very existence was not publicly disclosed. Earlier this month, the NSA sent out a Tweet making clear that it did not know about the recently discovered vulnerability in OpenSSL known as Heartbleed.

    While we had no prior knowledge of the existence of Heartbleed, this case has re-ignited debate about whether the federal government should ever withhold knowledge of a computer vulnerability from the public. As with so many national security issues, the answer may seem clear to some, but the reality is much more complicated.

    This spring, we re-invigorated our efforts to implement existing policy with respect to disclosing vulnerabilities

    Building up a huge stockpile of undisclosed vulnerabilities while leaving the Internet vulnerable and the American people unprotected would not be in our national security interest. But that is not the same as arguing that we should completely forgo this tool as a way to conduct intelligence collection, and better protect our country in the long-run. Weighing these tradeoffs is not easy

    Enabling transparency about the intersection between cybersecurity and intelligence and providing the public with enough information is complicated.

    Reply
  23. Tomi Engdahl says:

    OpenSSH No Longer Has To Depend On OpenSSL
    http://it.slashdot.org/story/14/04/30/1822209/openssh-no-longer-has-to-depend-on-openssl

    “OpenSSH now finally has a compile-time option to no longer depend on OpenSSL. `make OPENSSL=no` has now been introduced for a reduced configuration OpenSSH to be built without OpenSSL, which would leave you with no legacy SSH-1 baggage at all, and on the SSH-2 front with only AES-CTR and chacha20+poly1305 ciphers, ECDH/curve25519 key exchange and Ed25519 public keys.”

    Reply
  24. Tomi Engdahl says:

    British Spy Chiefs Secretly Begged to Play in NSA’s Data Pools
    https://firstlook.org/theintercept/article/2014/04/30/gchq-prism-nsa-fisa-unsupervised-access-snowden/

    Britain’s electronic surveillance agency, Government Communications Headquarters, has long presented its collaboration with the National Security Agency’s massive electronic spying efforts as proportionate, carefully monitored, and well within the bounds of privacy laws. But according to a top-secret document in the archive of material provided to The Intercept by NSA whistleblower Edward Snowden, GCHQ secretly coveted the NSA’s vast troves of private communications and sought “unsupervised access” to its data as recently as last year – essentially begging to feast at the NSA’s table while insisting that it only nibbles on the occasional crumb.

    Reply
  25. Tomi Engdahl says:

    New secure OS will put Tails between NSA’s legs
    Debian-derived OS funnels everything through Tor and HTTPS
    http://www.theregister.co.uk/2014/05/01/secure_os_tails_1_released/

    Secure Linux distribution Tails has reached the milestone of a version 1.0 release, after its developers crushed a laundry list of bugs.

    The Debian-based operating system is a “live OS” – it boots from removable media rather than a hard disk. It also funnels all data through Tor and uses a smattering of cryptography and anonymising tools to help users circumvent censorship and lock out snoops and spooks. For example, Tails encrypts storage devices using the Linux Unified Key Setup, uses the HTTPS Everywhere tool to encrypt web traffic, and locks down emails with OpenPGP and protects instant messages with Off The Record.

    Tor is a significant irritant to law enforcement authorities: US agencies have labelled it “the King of high secure, low latency Internet Anonymity” and suggested it has no likely heir.

    Reply
  26. Tomi Engdahl says:

    Today’s bugs have BRANDS? Be still my bleeding heart [logo]
    Our code-slinger reviews the rash of groovy-named open-source security vulns
    http://www.theregister.co.uk/2014/05/01/stob_bleeding_heart/

    Reply
  27. Tomi Engdahl says:

    Canucks’ ISPs routing data through snoop heaven USA
    Does your ISP use a ‘Boomerang route’ to fling data into the NSA’s lap?
    http://www.theregister.co.uk/2014/05/01/transparency_researchers_say_canadas_isps_are_too_opaque/

    A University of Toronto-led transparency project has criticised Canada’s ISPs for unnecessarily routing user traffic via the US, even when both the origin and destination of the traffic is within Canada.

    In a study that mirrors, in part, European concerns about why traffic should traverse the US when it doesn’t need to, the Canadian transparency study blames an unwillingness to peer for sending traffic into the reach of the NSA.

    Reply
  28. Tomi Engdahl says:

    Thanks for nothing, Apple, say forensic security chaps
    iPhone factory reset removes all traces of everything, forever
    http://www.theregister.co.uk/2014/05/01/thanks_for_nothing_apple_say_forensic_security_chaps/

    Felons wanting to best forensic investigators need only perform a factory reset of all current model iPhones, say forensic security experts.

    Apple’s decision to encrypt data on the iPhone is responsible for this state of affairs because a factory reset not only wipes data but also erases the decryption key required to reveal the handset’s contents, according to Jason Solomon, a forensics investigator with Sydney-based Klein and Co.

    “This means we can’t get a full physical image of the phone,” Solomon said. “The whole phone is encrypted and the keys are stored on the device, so when you erase the phone you erase the key and [forensics] can’t decrypt it.”

    Forensics folks’ best hope to get anything out of an iPhone is to jailbreak it.

    Coutis will also discuss the feasibility of warm and cold boot attacks in which DRAM chips could be read by attackers with physical access to a machine.

    Reply
  29. Tomi Engdahl says:

    XP Systems Getting Emergency IE Zero Day Patch
    http://tech.slashdot.org/story/14/05/01/1758244/xp-systems-getting-emergency-ie-zero-day-patch

    “Microsoft announced it will release an out-of-band security update today to patch a zero-day vulnerability in Internet Explorer, and that the patch will also be made available for Windows XP machines through Automatic Update.”

    Reply
  30. Tomi Engdahl says:

    Microsoft patches IE zero-day flaw, issues special security update for Windows XP despite end of support
    http://thenextweb.com/microsoft/2014/05/01/microsoft-patches-ie-zero-day-flaw-issues-special-security-update-windows-xp-despite-end-support/

    Microsoft today announced it is releasing an emergency patch for Internet Explorer to fix a zero-day flaw spotted in the wild. The security hole was found in IE6 through IE11, and the company says its update “is fully tested and ready for release for all affected versions of the browser.”

    While this normally means all supported versions, this time is different. Microsoft is issuing a security update for Windows XP users as well, despite the fact that Windows XP is no longer supported by the company.

    Reply
  31. Tomi Engdahl says:

    Attackers have Their Sights Set on the Cloud
    The Spring 2014 Alert Logic Cloud Security Report reveals a rise in brute force against cloud infrastructures and services.
    http://www.cio.com/article/751881/Attackers_have_Their_Sights_Set_on_the_Cloud?taxonomyId=3024

    If you want to catch trout, you have to fish where the trout swim. That same logic applies for cyber criminals–they will focus their efforts wherever there is a fair chance of finding targets to prey on. This is underscored by a new report from Alert Logic that reveals a dramatic rise in cloud-based attacks as more businesses and individuals migrate applications and data to the cloud.

    Alert Logic deployed honeypots in the cloud to collect information about emerging malware, identify the sources of attacks, and determine common or unique attack vectors.

    There was an increase in almost all types of attacks against both cloud and on-premise infrastructures according to Alert Logic. Two concerning trends are a dramatic rise in cloud-based brute force attacks and a spike in vulnerability scans against cloud environments.

    Reply
  32. Tomi Engdahl says:

    Spring 2014 Alert Logic Cloud Security Report
    http://go.alertlogic.com/rs/alertlogic1/images/alert-logic-spring-2014-CSR-pages-04-21-14.pdf?mkt_tok=3RkMMJWWfF9wsRolvKrKZKXonjHpfsX86OkuWqeg38431UFwdcjKPmjr1YAESMt0aPyQAgobGp5I5FEKSbnYRqJ4t6EOUg%3D%3D

    As cloud adoption grows, Alert Logic has observed a shift in security concerns.
    While cloud security remains a major concern, the business benefits of moving
    applications to the cloud are too compelling to resist.

    Two interesting observations have emerged. First, there has been an increase
    in attack frequency in both on-premises and cloud hosting provider (CHP)
    environments. Second, as more enterprise workloads move into cloud-hosted
    infrastructure, traditional on-premises infrastructure threats follow.

    SUMMARY OF RESULTS
    These results demonstrate that organizations moving
    to the cloud must implement enterprise-grade
    security solutions to protect their cloud workloads.
    These solutions must be cloud-deployable, and must
    contain advanced security content and analytics
    consistent with the attack vectors prevalent in the
    cloud. In other words, organizations cannot rely on
    legacy approaches to security to support their cloud
    infrastructure. They must find solutions that deliver
    protection specifically for the cloud.

    Reply
  33. Tomi Engdahl says:

    BYOD was only a small change – the Internet of Things is revolutionizing information security

    When the Internet of Things (IoT) grows, more and more devices connect to the network, and someone has to take care of their data security. So it is no wonder that research firm Gartner paints the Internet of Things as revolutionizing the computer security industry.

    Estimates of the number of devices joined to the network in 2020 range from 26 billion units (according to Gartner) to a shattering 212 billion devices (according to IDC).

    “We are only at an early stage of the revolution in information security”

    Many of the devices forming the Internet of Things are intended for one particular function, and they use their own communication protocols. Often the control or operating system is quite closed and, therefore, the IT department may not have opportunities to influence the security of these devices, for example by adding its own security layer on top of the system.

    It may not be feasible at all to add an individual security layer to the equipment.

    “The market is going to see a slew of different types of security providers”

    BYOD forced the IT department to think things through again; IoT forces companies to think about their behavior again, and this time the change is much bigger.

    Source: http://www.tietoviikko.fi/cio/byod+oli+vasta+pieni+muutos++asioiden+internet+mullistaa+tietoturvan/a985470

    Reply
  34. Tomi Engdahl says:

    Born in the NSA: These former spies are starting companies of their own
    http://venturebeat.com/2014/05/01/born-in-the-nsa-former-spies-are-starting-companies-all-over/

    National Security Agency alumni are coming to a tech startup near you.

    Lots of them.

    America’s largest intelligence agency has found itself mired in scandal since contractor Edward Snowden stole and leaked some of its darkest secrets last year.

    But instead of concealing their backgrounds, many leaving the secretive NSA are proudly promoting their espionage backgrounds. These people have serious chops in Internet security, data-mining, pipeline-tapping, and software development — skills that are quite valuable in the private sector.

    It is a massive sea change from the days when former NSA staffers were forbidden from telling friends, family, and prospective employers what they did for a living.

    Reply
  35. Tomi Engdahl says:

    Serious security flaw in OAuth, OpenID discovered
    http://www.cnet.com/news/serious-security-flaw-in-oauth-and-openid-discovered/

    Following in the steps of the OpenSSL vulnerability Heartbleed, another major flaw has been found in popular open-source security software. This time, the holes have been found in the log-in tools OAuth and OpenID, used by many websites and tech titans including Google, Facebook, Microsoft, and LinkedIn, among others.

    Attackers can use the “Covert Redirect” vulnerability in both open-source log-in systems to steal your data and redirect you to unsafe sites.

    If a user chooses to authorize the log in, personal data (depending on what is being asked for) will be released to the attacker instead of to the legitimate website. This can range from email addresses, birth dates, contact lists, and possibly even control of the account.

    Beware of links that ask you to log in through Facebook. The OAuth 2.0 and OpenID modules are vulnerable.

    Reply
  36. Tomi Engdahl says:

    Help EFF Test Privacy Badger, Our New Tool to Stop Creepy Online Tracking
    https://www.eff.org/deeplinks/2014/04/privacy-badger

    EFF is launching a new extension for Firefox and Chrome called Privacy Badger. Privacy Badger automatically detects and blocks spying ads around the Web, and the invisible trackers that feed information to them. You can try it out today

    Reply
  37. Tomi Engdahl says:

    Call for Limits on Web Data of Customers
    http://www.nytimes.com/2014/05/02/us/white-house-report-calls-for-transparency-in-online-data-collection.html?_r=0

    The White House, hoping to move the national debate over privacy beyond the National Security Agency’s surveillance activities to the practices of companies like Google and Facebook, released a long-anticipated report on Thursday that recommends developing government limits on how private companies make use of the torrent of information they gather from their customers online.

    Reply
  38. Tomi Engdahl says:

    Using Facebook Notes to DDoS any website
    http://chr13.com/2014/04/20/using-facebook-notes-to-ddos-any-website/

    Facebook Notes allows users to include image tags. Whenever a tag is used, Facebook crawls the image from the external server and caches it. Facebook will only cache the image once; however, using random GET parameters the cache can be bypassed and the feature can be abused to cause a huge HTTP GET flood.

    Of course, the impact could be more than 400 Mbps as I was only using a browser for this test and was limited by the number of browser threads per domain that would fetch the images.

    I’m not sure why they are not fixing this. Supporting dynamic links in image tags could be a problem and I’m not a big fan of it.

    Getting rid of the browser and using the poc script I was able to get ~900 Mbps outbound traffic.

    After finding and reporting this issue, I found similar issues with Google which I blogged here. Combining Google and Facebook, it seems we can easily get multiple Gbps of GET Flood.

    Reply
  39. Tomi Engdahl says:

    Using Google to DDoS any website
    http://chr13.com/2014/03/10/using-google-to-ddos-any-website/

    Google uses its FeedFetcher crawler to cache anything that is put inside =image("link") in the spreadsheet.
    For instance:
    If we put =image("http://example.com/image.jpg") in one of the cells of a Google spreadsheet, Google will send the FeedFetcher crawler to grab the image and cache it to display.

    However, one can append a random request parameter to the filename and tell FeedFetcher to crawl the same file multiple times.

    Reply
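Both of the cache-busting floods described in the two comments above (Facebook Notes and Google FeedFetcher) leave the same footprint on the victim's web server: one crawler User-Agent fetching the same path over and over with a different query string each time. The following is an added example, not code from either blog post, that flags that pattern in Combined-format access logs; the log lines, IP addresses and client names in it are constructed.

```python
"""Flag cache-busting GET floods from a crawler, the pattern behind the Facebook
Notes and Google FeedFetcher abuse described above (added example, not from the
posts).  Tell-tale sign: one User-Agent fetches the SAME path many times, each
time with a DIFFERENT query string.  The log lines below are constructed."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Combined log format: ip ident user [time] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Return the fields needed for grouping, or None for an unparsable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("url"))
    return {"ip": m.group("ip"), "ua": m.group("ua"),
            "method": m.group("method"), "path": url.path, "query": url.query}

def find_cache_busting(lines, min_hits=5, min_distinct_ratio=0.8):
    """Map (user_agent, path) -> (hits, distinct_query_strings) for groups with
    at least min_hits GETs where nearly every hit used a new query string.
    A crawler honouring its cache re-requests an identical URL, so its
    distinct-query ratio stays low; a cache-busting flood drives it to ~1.0."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "GET":
            groups[(rec["ua"], rec["path"])].append(rec["query"])
    flagged = {}
    for key, queries in groups.items():
        hits, distinct = len(queries), len(set(queries))
        if hits >= min_hits and distinct / hits >= min_distinct_ratio:
            flagged[key] = (hits, distinct)
    return flagged

# Constructed sample: six crawler hits on one image with a changing ?r= value
# (the flood), and six ordinary browser hits on an unchanging URL (benign).
SAMPLE_LOG = [
    f'203.0.113.5 - - [20/Apr/2014:10:00:0{i} +0000] "GET /big.jpg?r={i} HTTP/1.1" '
    f'200 5242880 "-" "facebookexternalhit/1.1"' for i in range(6)
] + [
    '198.51.100.7 - - [20/Apr/2014:10:00:10 +0000] "GET /index.html HTTP/1.1" '
    '200 512 "-" "Mozilla/5.0"'
] * 6

if __name__ == "__main__":
    for (ua, path), (hits, distinct) in find_cache_busting(SAMPLE_LOG).items():
        print(f"{ua} hit {path} {hits} times with {distinct} distinct query strings")
```

In production the same grouping keyed on (User-Agent, path) can be fed from a log tail or a rate-limiting module, and the flagged paths are the ones to serve with a static cache key or a 429 for that client.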
  40. Tomi Engdahl says:

    Now Your Phone’s Tilt Sensor Can Identify You
    http://www.technologyreview.com/news/527031/now-your-phones-tilt-sensor-can-identify-you/

    Tiny hardware imperfections in smartphone and tablet accelerometers lead to unique “fingerprints” within the data they produce, researchers find.

    The sensor that lets your phone know which way the screen is oriented also—thanks to minute manufacturing variations—emits a unique data “fingerprint” that could allow your phone to be tracked, even if all other privacy settings are locked down, researchers say.

    In addition to governing basic things like screen orientation, accelerometer data is widely used by apps such as pedometers and mobile games. Meanwhile, many apps often rely on advertising, which has led advertisers to search for ways to track users and their Web habits.

    Reply
  41. Tomi Engdahl says:

    Interpol, Philippines bust cyber extortion network
    http://news.yahoo.com/interpol-philippines-bust-cyber-extortion-network-031528603.html

    Philippine police, backed by Interpol, have arrested dozens of suspected members of an online extortion syndicate who duped hundreds of victims worldwide into exposing themselves in front of webcams or engaging in lewd chats, including a Scottish teenager who committed suicide after being blackmailed, officials said Friday.

    “This is just the tip of the iceberg,”

    “The scale of these ‘sextortion’ networks is massive and run with just one goal in mind, to make money regardless of the terrible emotional damage they inflict on their victims,”

    Reply
  42. Tomi Engdahl says:

    How to Prevent the next Heartbleed
    http://www.dwheeler.com/essays/heartbleed.html

    This paper discusses specific tools and techniques that could counter Heartbleed and vulnerabilities like it. I will first briefly examine why many tools and techniques did not find it, since it’s important to understand why many previous techniques didn’t work. I will also briefly cover preconditions, impact reduction, applying these approaches, and conclusions.

    Reply
  43. Tomi Engdahl says:

    White House seeks legal immunity for firms that hand over customer data
    http://www.theguardian.com/world/2014/may/02/white-house-legal-immunity-telecoms-firms-bill

    Obama administration asks legislators drafting NSA reforms to protect telecoms firms complying with court orders

    Reply
  44. Tomi Engdahl says:

    Free Can Make You Bleed: the Underresourced Open Source
    http://it.slashdot.org/story/14/05/03/0129250/free-can-make-you-bleed-the-underresourced-open-source

    “After the Heartbleed fiasco, John Walsh brings attention to the lack of proper manpower and funding to run various open source projects.”

    Free Can Make You Bleed
    http://www.ssh.com/blog/makesyoubleed

    By now anyone concerned with internet security has heard about the Heartbleed security vulnerability in OpenSSL. What you may not be aware of is how much money and personal information is riding on this “free” security program and others like it (OpenSSH). Free is not usually a bad thing, but it can be when it causes the software your business depends on to be under resourced.

    What you might not be aware of is just how under staffed and underfunded some of these “free” open source programs like OpenSSL and OpenSSH (OpenBSD) are. OpenSSL for example is largely staffed by one fulltime developer and a number of part-time volunteer developers. The total labor pool for OpenSSL maybe adds up to two fulltime developers. Think about it, OpenSSL only has two people to write, maintain, test, and review 500,000 lines of business critical code. Half of these developers have other things to do.

    OpenSSH, part of the OpenBSD project, isn’t any better off.

    It is ridiculous when you think about all of the business capital that depends on such grossly underfunded applications. OpenSSL has never received more than a million dollar yearly budget and OpenSSH can’t pay its electric bill. The OpenSSL foundation’s president, Steve Marquess, said “The mystery is not that a few overworked volunteers missed this bug; the mystery is why it hasn’t happened more often.”

    When your business critical information is stolen the price of open source products might be free, but the cost could be much higher. There are places to cut costs, but your business security is not one of them.

    Reply
  45. Tomi Engdahl says:

    Secure Programming for Linux and Unix HOWTO — Creating Secure Software
    http://www.dwheeler.com/secure-programs/

    This book provides a set of design and implementation guidelines for writing secure programs for Linux and Unix systems. Such programs include application programs used as viewers of remote data, web applications (including CGI scripts), network servers, and setuid/setgid programs. This document includes specific guidance for a number of languages, including C, C++, Java, Perl, Python, and Ada95. I give this book away in the hope that future software developers won’t repeat past mistakes, resulting in more secure systems.

    Reply
  46. Tomi Engdahl says:

    Europe’s Cybersecurity Policy Under Attack
    http://it.slashdot.org/story/14/05/04/2210219/europes-cybersecurity-policy-under-attack

    “As Europe powered up its most ambitious ever cybersecurity exercise this month, doubts were being raised over whether the continent’s patchwork of online police was right for the job. The exercise, called Cyber Europe 2014, involved 200 organizations and 400 cybersecurity professionals from both the European Union and beyond. Yet some critics argued that herding together normally secretive national security agencies and demanding that they spend the rest of 2014 sharing information amounted to wishful thinking.”

    Reply
  47. Tomi Engdahl says:

    Europe’s Cybersecurity Policy Settings Under Attack
    http://www.securityweek.com/europes-cybersecurity-policy-settings-under-attack

    BRUSSELS – Even as Europe powered up its most ambitious ever cybersecurity exercise this month, doubts were being raised over whether the continent’s patchwork of online police was right for the job.

    “You can carry out all of the exercises you want, but cybersecurity really comes down to your ability to monitor, and for that, national agencies need to speak to each other all the time,” Preneel said.

    The Crete-based office coordinating the EU’s cybersecurity, the European Union Agency for Network and Information Security (ENISA), calls itself a “body of expertise” and cannot force national agencies to share information.

    ENISA was established in 2001 when it became clear that cybersecurity in the EU would require a level of coordination. Unlike other EU agencies, ENISA does not have regulatory powers and relies on the goodwill of the national agencies it works with.

    What most experts agree on is that European companies and consumers are vulnerable to cybersecurity threats, and that can have an impact on people’s willingness to use online services.

    “The problem is nation states wanting to fight cybercrime individually, even when cybercrime does not attack at that level,”

    “So it is good to look at this at the European level, but what power does ENISA have? What can they force countries to do?”

    Reply
  48. Tomi Engdahl says:

    ‘Covert Redirect’ OAuth flaw more chest-beat than Heartbleed
    Phishing for attention with flashy website and logo bait
    http://www.theregister.co.uk/2014/05/05/covert_redirect_is_overt_hype_more_heartbleat_than_heartbleed/

    A recently reported new “vulnerability” in OAuth appears to be anything but.

    That unkind assessment has come from security specialists after a flaw called “Covert Redirect” made headlines that conflated the flaw with the Heartbleed vulnerability, a major security risk that legitimately sent administrators scrambling to fix their websites.

    PhD student Wang Jing from Nanyang Technological University reported the flaw Saturday and showed how it allowed attackers to phish users and obtain their tokens.

    In videos, he demonstrated how the trick applied to the OAuth implementation in Facebook where OAuth tokens were sent to a malicious site.

    OAuth 2.0 websites were affected including Facebook, Google, Yahoo and Microsoft, Jing said.

    Staid Symantec staffers answered the question of whether Covert Redirect was the “next Heartbleed” with an abrupt “no”.

    “Covert Redirect is a security flaw, not a vulnerability [which] takes advantage of third-party clients susceptible to an open redirect,”

    Reply
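The disagreement in comments 35 and 48 above comes down to one check on the provider side: how loosely the redirect_uri in an authorization request is compared with what the client registered. The following is an added example, not code from either article, showing the permissive host-only comparison that Covert Redirect relies on next to the exact-match comparison that closes it; the client id, callback URL and open-redirector path are constructed.

```python
"""Redirect-URI validation on an OAuth 2.0 / OpenID provider, the check that
Covert Redirect exploits when it is too loose (added example, not code from the
articles).  Registration data and URLs below are constructed.

The loose check accepts any redirect_uri on the client's registered host, so a
path on that host that happens to be an open redirector can forward the token
onward.  The strict check is the simple string comparison RFC 6749 calls for."""
from urllib.parse import urlsplit

# Constructed: one hypothetical client with one pre-registered callback.
REGISTERED = {"client-123": ["https://app.example.com/oauth/callback"]}

def weak_is_allowed(client_id, redirect_uri):
    """Permissive host-only comparison (the behaviour Covert Redirect relies on)."""
    req = urlsplit(redirect_uri)
    return any((req.scheme, req.netloc) == (urlsplit(reg).scheme, urlsplit(reg).netloc)
               for reg in REGISTERED.get(client_id, []))

def strict_is_allowed(client_id, redirect_uri):
    """Exact match against the registered list: no prefix or host-only matching,
    no fragment, TLS only.  Unknown clients and unregistered URIs are rejected."""
    req = urlsplit(redirect_uri)
    if req.scheme != "https" or req.fragment:
        return False
    return redirect_uri in REGISTERED.get(client_id, [])

if __name__ == "__main__":
    # Constructed: the client site also exposes an open redirector at /r?u=...
    bounced = "https://app.example.com/r?u=https://attacker.example/collect"
    print("weak  :", weak_is_allowed("client-123", bounced))    # True  (token leaks)
    print("strict:", strict_is_allowed("client-123", bounced))  # False (blocked)
```

The strict check is what Symantec's "flaw, not a vulnerability" remark points at: with exact matching in place, an open redirector on the client site no longer gives an attacker anything from the OAuth flow.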
  49. Tomi Engdahl says:

    Addressing Security Concerns for Connected Devices in the Internet of Things Era
    http://rtcgroup.com/oracle/Oracle-BRL-SEC/index.php

    Reply
