Security trends for 2014

Year 2014 will be a year of cybersecurity after the NSA revelations made in 2013. The headline news is that the NSA has surreptitiously “burrowed its way into nearly all the security architecture” sold by the world’s largest computer networking companies. A lot of people were shocked by how the NSA monitored and hacked almost everything on the Internet. There will still be NSA aftershocks as new material comes out and different parties react to it (and news sources write about it). U.S. cloud services have been put into question for good reason. There will be a lot of NSA spying litigation. Those spying issues will also fuel some hacktivism (it has already started to happen).

The Security Professionals: Top Cyber Threat Predictions for 2014 article lists the following predictions, which seem pretty probable: Cybersecurity Regulatory Efforts Will Spark Greater Need for Harmonization, Service-Impacting Interruptions for Online Services Will Persist, We Will See an Increase in Cybercrime Activity Related to the World Cup, Rise of Regional Cloud Services, Dev-Ops Security Integration Fast Becoming Critical, Cybercrime that Leverages Unsupported Software will Increase, and Increase in Social Engineering and Ransomware will Impact More People.

Ubiquitous mobile computing is all around us, which will lead to increased risks and concerns about social network privacy. Social networks have quickly become the key organizing principle of Internet communication and collaboration. Android anti-virus apps CAN’T kill nasties on sight like normal AV.

2013 was a very hacked year, with many cases where information on millions or tens of millions of users was stolen from companies. It’s likely that we will see much more of the same in 2014, because the way people use passwords and the way on-line services are built have not changed much in one year.


Gartner predicts that through 2014, improved JavaScript performance will begin to push HTML5 and the browser as a mainstream enterprise application development environment. I expect HTML5-related security issues to increase because the technology will be used more in 2014.

Over 50% of net traffic to web sites is made by bots! The More Than Half of Internet Traffic Is Just Bots article says that security and cloud service provider Incapsula analyzed traffic and found that more than 60 percent of internet traffic is computer generated, compared to less than 40 percent that is driven by human clicks. 31% of bots are still malicious. SEO link building has always been a major motivation for automated link spamming, but it is decreasing because Google has been able to discourage it. There is also more advanced hacking and automated vulnerability searching.

DDoS attacks are evolving from volumetric Layer 3-4 attacks to much more sophisticated and dangerous Layer 7 multi-vector threats.

There will still be many SCADA security issues in 2014. Even though traditional SCADA vulnerabilities have become easier to find, the increased connectivity brought by IoT will cause new issues. And there will still be very many control systems openly accessible from the Internet to practically everybody who knows how to find them. A large number of SCADA systems were found open on the Internet at the beginning of 2013, and the numbers have not dropped considerably during the year. I expect that very many of those systems will still be too open at the end of 2014.

The Internet is expanding into enterprise assets and consumer items such as cars and televisions. The Internet of Things (IoT) will evolve into the Web of Things, increasing the coordination between things in the real world and their counterparts on the Web. There will be many security issues to solve, and as these systems become more widely used, more security issues will be found in them.

Cloud security will be talked about. Hopefully there will be some clearing-up of the terminology in that area, because like the term cloud computing, cloud security can mean a lot of things. Cloud security could mean how secure your cloud provider is; a service that runs in the cloud and filters what comes through it (for example e-mails or web traffic); a product protecting some service running in the cloud; or a traditional anti-virus service that connects to the cloud to improve its operation (for example to update in real time or to verify unknown programs based on data in the cloud). Research firm Gartner forecasts that cloud security sales will increase dramatically in the next few years. Cloud security sales have increased over the past year by 2.1 billion to $3.1 billion in 2015.

Marketers try to put the “cloud” term into security product brochures as much as they can. The cloud has made traditional information security sound old-fashioned, because companies are under pressure to move services to the cloud. Also, mobile devices and dispersed users set new standards for information security. OpenDNS’s CTO Dan Hubbard says that “Because of the data and equipment run in the cloud users with the cloud is the best way to protect them.” The Snowden effect will also bring private cloud talk to the table this year for security reasons, because U.S. cloud services have been put into question for good reason.

In Finland a new Cyber Security Center started in the beginning of 2014. Security articles and warnings from it will be published at kyberturvallisuuskeskus.fi.

Late addition: Crypto-currencies like Bitcoin and similar are on the rise. Early adopters already use them actively. Those crypto-currencies have many security issues related to them. The values of the crypto-currencies vary quite a lot, and the value easily drops considerably when they become so widely used that different governments try to limit their use. Bitcoin is increasingly used as a ransomware payment method. Quite a lot of bitcoins have been stolen lately (and I expect that to increase as usage increases); they are stolen from users, from on-line wallets and from exchanges. When more money is involved, more bad guys try to get in to grab some of it. Sometimes the bad guys do not try to steal your money, but use resources you pay for (your own PC, your server capacity, etc.) to generate money for them without you knowing about it. If you plan to use those crypto-currencies, be careful to understand what you are doing with them: there is a real possibility that you can lose your money, and there is no way that lost money can be recovered.

3,382 Comments

  1. Tomi Engdahl says:

    Help EFF Test a New Tool To Stop Creepy Online Tracking
    http://yro.slashdot.org/story/14/05/04/2321259/help-eff-test-a-new-tool-to-stop-creepy-online-tracking

    “EFF is launching a new extension for Firefox and Chrome called Privacy Badger. Privacy Badger automatically detects and blocks spying ads around the Web”

  2. Tomi Engdahl says:

    EFF “Privacy Badger” plugin aimed at forcing websites to stop tracking users
    Advertisers can ignore “Do Not Track,” but they can’t escape the Privacy Badger.
    http://arstechnica.com/information-technology/2014/05/eff-privacy-badger-plugin-aimed-at-forcing-websites-to-stop-tracking-users/

  3. Tomi Engdahl says:

    What’s that PARASITE wriggling inside my browser?
    Nematode sim fanciers open their worm to a Kickstarter
    http://www.theregister.co.uk/2014/05/05/nematode_fanciers_open_their_worm_to_a_kickstarter/

    The group that last year demonstrated open source software to simulate a nematode has gone on Kickstarter to try and accelerate its OpenWorm project

    Their aim is now much more ambitious: to build a complete, open source cloud-hosted WormSim for educators, scientists, supporters – and anyone else who’s interested.

  4. Tomi Engdahl says:

    You’ll hate Google’s experimental Chrome UI, but so will phishers
    What do you want: Better security or long URLs?
    http://www.theregister.co.uk/2014/05/05/chrome_origin_chip_ui_controversy/

    Phishers might have a tougher time hooking victims if a new feature introduced into the experimental strain of Google’s Chrome browser makes it into a future full release.

    The “origin-chip” feature cleans up Chrome’s omnibox — or address bar — by removing lengthy URLs and replacing them with just the domain name shorn of “http://” and “www”. There’s also the “origin chip” that produces the full URL.

    Apple introduced a similar arrangement in Safari on iOS 7.

    “We’re looking at a few key metrics to see if this change is a net positive for Chrome users. I imagine it may help defend against phishing,”

    “Find someone who doesn’t work in tech, show them their bank’s website, and ask them what about the URL tells them they’re on their bank’s site. In my experience, most users don’t understand which parts of the URL are the security signals,” Archibald wrote.

    “Browsers stopped showing the username / password part of URLs because it made phishing too easy. This is a natural progression.”

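    The comment above turns on which part of a URL is actually the security signal. As an added illustration (not Chrome's code; the assumption here is that the chip shows the full host, not a public-suffix-trimmed domain), this computes what an origin-chip style display would show and compares it, whole, against the site a user expects, using constructed sample URLs that all contain the string “bank.example” but are served by different hosts:

```python
from urllib.parse import urlsplit


def origin_chip(url: str) -> str:
    """What an origin-chip style address bar would display for `url`: the
    host name only. Scheme, userinfo ("user:pass@"), port, path and query
    are dropped, and a leading "www." is removed as the article describes.
    Assumption: the chip shows the full host, not a registrable domain."""
    host = urlsplit(url).hostname or ""  # .hostname strips userinfo/port, lowercases
    if host.startswith("www."):
        host = host[len("www."):]
    return host


def is_expected_site(url: str, expected_host: str) -> bool:
    """The only reliable security signal in a URL is the exact host.
    Compare it whole; a substring match is exactly what lookalikes exploit."""
    return origin_chip(url) == origin_chip("https://" + expected_host)


# Constructed sample URLs. Every one contains "bank.example", but only the
# first is actually served by that host.
SAMPLES = [
    "https://www.bank.example/login",
    "https://bank.example@secure-login.example/",                   # userinfo decoy
    "https://bank.example.secure-login.example/signin",             # subdomain decoy
    "https://secure-login.example/bank.example/login",              # path decoy
    "https://secure-login.example/?redirect=https://bank.example",  # query decoy
]


def check_samples(expected_host: str = "bank.example"):
    """Return (displayed_origin, matches_expected) for each sample URL."""
    return [(origin_chip(u), is_expected_site(u, expected_host)) for u in SAMPLES]


if __name__ == "__main__":
    for url, (chip, ok) in zip(SAMPLES, check_samples()):
        print(f"{'OK' if ok else 'NO'}  {chip:36} <- {url}")
```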
  5. Tomi Engdahl says:

    Microsoft: You know we said NO MORE XP PATCHES? Well …
    IE vuln forces rethink on mercy bullet for elderly OS support
    http://www.theregister.co.uk/2014/05/01/internet_explorer_patch/

    “Even though Windows XP is no longer supported by Microsoft and is past the time we normally provide security updates, we’ve decided to provide an update for all versions of Windows XP (including embedded), today,” Hall wrote. “We made this exception based on the proximity to the end of support for Windows XP.”

  6. Tomi Engdahl says:

    Google, Facebook, Apple and Microsoft close in on data demand disclosures
    Staying mum for now
    http://www.theinquirer.net/inquirer/news/2342963/google-facebook-apple-and-microsoft-close-in-on-data-demand-disclosures

    BIG TECHNOLOGY FIRMS Microsoft, Apple, Facebook and Google reportedly are changing the way that they report data surveillance requests to their users, in defiance of the authorities.

    According to the Washington Post the firms are all getting ready to become more open about government information requests and will go ahead and reveal such statistics in their transparency reports, regardless of the authorities’ restrictions.

  7. Tomi Engdahl says:

    “Pavlovian password management” aims to change sloppy habits
    Policy would reward or penalize people based on the passwords they pick.
    http://arstechnica.com/security/2014/05/pavlovian-password-management-aims-to-change-sloppy-habits/

    For more than a decade, the virtues of strong passwords have been lost on most end users, despite frequent sermons from security experts and IT administrators over their importance in locking down accounts. Now, a consultant is proposing a system that provides rewards or penalties based on the passcode choices people make.

    For instance, a user who picks “test123@#” might be required to change the password in three days under the system proposed by Lance James, the head of the cyber intelligence group at Deloitte & Touche. The three-day limit is based on calculations showing it would take about 4.5 days to find the password using offline cracking techniques. Had the same user chosen “t3st123@##$x” (all passwords in this post don’t include the beginning and ending quotation marks), the system wouldn’t require a change for three months.

    “We spend a lot of time telling the user to ‘do this because security experts advise it, or it’s part of our policy’ but we don’t really provide an incentive or an understanding of why we tell them to do this,”

  8. Tomi Engdahl says:

    Boffins tag Android app privacy fails
    Your pocket is leaking data
    http://www.theregister.co.uk/2014/05/05/boffins_tag_android_app_privacy_fails/

    A group of researchers from universities in Luxembourg, Germany and the US say they can dramatically improve the detection of privacy leaks between Android processes.

    They claim that the tool they describe in this paper at Arxiv detected 88.3 per cent of inter-component privacy leaks, and when used in combination with ApkCombiner, also detected inter-application privacy leaks.

    As noted in the paper, privacy leaks have been the subject of lots of academic research into Android

    The Android components that can contribute to leaks include calls like startActivity, startActivityForResult, query, startService and so on.

  9. Tomi Engdahl says:

    Security guru: You can’t blame EDWARD SNOWDEN for making US clouds LOOK leaky
    And anyway, people AREN’T switching away
    http://www.theregister.co.uk/2014/04/30/mikko_hypponen_infosec_keynote_speech/

    Infosec 2014 Accusations that the revelations from rogue National Security Agency sysadmin whistleblower Edward Snowden have damaged the US technology industry are misplaced, according to influential security guru Mikko Hypponen.

    Hypponen, chief research officer at security firm F-Secure, said that the disclosure that US tech was either “booby-trapped or monitored” may have had a damaging effect on the US cloud industry. But blaming this on Snowden was misplaced and akin to “blaming Al Gore for global warming”.

    Snowden’s action represented the single largest leak of top secret information in history. “Top secret information almost never leaks and that’s why the Snowden leak was extraordinary”, according to Hypponen. All the information leaked by Private Manning, by contrast, was classified either secret or below.

  10. Tomi Engdahl says:

    What happens after the launch of cyber-attacks?

    Corporate networks are successfully hacked, even if the firewalls and anti-virus programs are in place. It is worth thinking about what needs to be done to minimize the impact of data burglary and other cyber threats.

    What happens if a cybercriminal manages to get past corporate firewalls, virus software and other security protection? How bad is it, and for how long is the organization damaged? How expensive will it be? How many staff are bound by a crisis situation?

    Those are questions all companies should consider. Data theft is done so much that it is only a matter of time before getting fingered to your door

  11. Tomi Engdahl says:

    Microsoft’s sundowning of Windows XP seems to have given cramps to nearly the entire retail banking industry, which finally will move its ATM machines from XP to Windows 7 or to Linux. It’s not going to Windows 8

    Source: http://www.linuxjournal.com/content/cool-project-microsoft-adopt-linux

  12. Tomi Engdahl says:

    HALF of London has outdated Wi-Fi security, says roving World of War, er, BIKER
    And a third simply don’t bother with secured networks at all
    http://www.theregister.co.uk/2014/05/05/london_warbiking_lax_security/

    Wireless security across London remains flaky despite the well-known risks, according to an infosec bod who has been riding his bike all around town identifying insecure wireless networks and highlighting shoddy user behaviours that could be exploited by rogue hackers.

    James Lyne, global head of security research at Sophos, went “warbiking” across the streets of the British capital over the course of two days.

    Lyne used a little Raspberry Pi Linux computer in the bag slung under the crossbar, a powerful battery under the seat to provide power for the scanning rig for a whole day, a small GPS unit, small scanners wired into a little Raspberry Pi, and a scanner aerial strapped to the downtube.

    Lyne’s exercise revealed that among the more than 81,000 networks surveyed, some 29.5 per cent were using either the insecure Wireless Equivalent Privacy (WEP) algorithm, or no security encryption at all.

    A further 52 per cent of networks were using Wi-Fi Protected Access (WPA), a security algorithm that is past its sell-by date and can no longer be trusted as secure, he said.

    “Our experiment found a disturbingly large number of people willing to connect to an open wireless network we created, without any idea of who owned it or whether it was trustworthy”

    “Incredibly, conventional wireless network security is still a major concern, despite the security industry assuming such issues had been resolved years ago,”

    “Even within the security industry there are myths and misunderstanding about what the real risks are with wireless.”

    “Unfortunately the standard user doesn’t recognise that major brand XYZ wireless is not encrypted and that their information can be picked up by anyone with a £30 piece of equipment available on Amazon,”

  13. Tomi Engdahl says:

    Comment:
    Microsoft’s decision to patch Windows XP is a mistake
    There will always be one more emergency.
    http://arstechnica.com/security/2014/05/microsofts-decision-to-patch-windows-xp-is-a-mistake/

    Microsoft officially ended support of the twelve-and-a-half-year-old Windows XP operating system a few weeks ago. Except it apparently didn’t

    Emergency patch for critical IE 0-day throws lifeline to XP laggards, too

    Explaining its actions, Microsoft says that this patch is an “exception” because of the “proximity to the end of support for Windows XP.”

    The decision to release this patch is a mistake, and the rationale for doing so is inadequate.

    Bosses who were convinced that they could stick with Windows XP because Microsoft would blink are now vindicated.

    After all, if Microsoft can blink once, who’s to say it won’t do so again?

    Virtually every time Microsoft updates one of its remaining supported platforms, the company will also simultaneously be disclosing a zero-day vulnerability for Windows XP

    People using Windows XP are going to be exploited through known but unpatched vulnerabilities. That is what the end of support means. That is its unavoidable consequence. For as long as Windows XP has a substantial number of users, there will be calls for “one more patch” to be released.

    Microsoft is likely smarting from government calls for people to stop using Internet Explorer. The company had three ways it could respond.

    It could have done nothing
    It could also have relented entirely, extended Windows XP’s support life cycle for another few years
    Or it could have claimed that this case is somehow “special,”

    None of these options is perfect.

    But the option Microsoft took is the worst of all worlds. It undermines efforts by IT staff to ditch the ancient operating system, and undermines Microsoft’s assertion that Windows XP isn’t supported, while doing nothing to meaningfully improve the security of Windows XP users. The upside? It buys those users at best a few extra days of improved security.

    Without patches, it’s inevitable that systems are going to get pwned.

  14. Tomi Engdahl says:

    Another Security Flaw Gets the Heartbleed Treatment, But Don’t Believe the Hype
    http://mashable.com/2014/05/02/oauth-openid-not-new-heartbleed/

    Breathless reports of a new security flaw affecting OpenID and OAuth — the technology that powers the identity logins for services such as Facebook, Microsoft, Google and LinkedIn — hit the news Friday. Dubbed “Covert Redirect,” the flaw could enable malicious sites or links to grab a user’s login information.

    The announcement of Covert Redirect is straight out of Heartbleed’s marketing manual, coming with both slick website and fancy logo. Coupled with the widespread usage of OAuth and the growing awareness of potential security threats, Covert Redirect certainly sounds bad.

    Covert Redirect is not the next Heartbleed
    Moreover, classifying Covert Redirect as a vulnerability with OAuth 2.0 and OpenID is incorrect.
    Companies such as LinkedIn, Facebook and Google are already aware of the potential concerns
    The problem comes with how certain companies choose to implement OAuth — not with the framework itself

    When Facebook first launched its Facebook login feature, it was relying on a very early draft version of OAuth 2.0
    To update their implementation now would mean breaking lots and lots of potential existing client implementations.

    For me, the most fascinating aspect of Covert Redirect is the way it attempts to ape the “success” of Heartbleed.
    Heartbleed’s infamy came from the solid name, easy-to-read website and enticing logo. Unlike most security vulnerabilities with esoteric naming conventions and difficult-to-comprehend security bulletins, Heartbleed had its own identity, and its own brand.

    As it stands, one of the best takeaways from Heartbleed is the role it has played in raising overall security awareness.

    This is why I’m troubled by campaigns such as Covert Redirect.

  15. Tomi Engdahl says:

    John Kerry Claims US Is On The ‘Right Side Of History’ When It Comes To Online Freedom And Transparency
    from the might-still-making-right,-despite-technological-developments dept
    http://www.techdirt.com/articles/20140502/11381727100/john-kerry-cant-find-high-ground-during-remarks-about-online-freedom-settles-claiming-government-is-right-side-history.shtml

    Now, with the NSA’s programs exposed, along with this administration’s quest to punish whistleblowers and maintain the opacity left behind by the Bush administration, there’s no approaching the high ground. But that didn’t stop John Kerry

    “[L]et me be clear – as in the physical space, cyber security cannot come at the expense of cyber privacy. And we all know this is a difficult challenge.”

    First off, almost every “cyber security” bill has pushed for security at the expense of privacy. CISPA has done this twice. The new CISPA, being presented by the Senate, does the same thing.

    Second, the reforms set up by the administration are hardly “concrete and meaningful.” They’re shallow and limited and do very little to walk back the expansive readings of outdated laws

    This administration has prosecuted more whistleblowers — the people who “hold their government to standards” — than all other administrations combined. And this administration isn’t done yet.

    a very chilling statement, one that suggests the Freedom Online Coalition needs to side with the US government if it wishes to “wind up on the right side of history.”

  16. Tomi Engdahl says:

    Yahoo’s Default = A Personalized Experience
    http://yahoopolicy.tumblr.com/post/84363620568/yahoos-default-a-personalized-experience

    We fundamentally believe the best web is a personalized one.

    As of today, web browser Do Not Track settings will no longer be enabled on Yahoo. As the first major tech company to implement Do Not Track

  17. Tomi Engdahl says:

    Download of the Week: Tails OS
    http://www.techspot.com/news/56521-download-of-the-week-tails-os.html

    Tails received a lot of press a couple of weeks ago when it was disclosed that Edward Snowden was using it to avoid NSA snooping. This portable operating system’s sole purpose is preserving your privacy and anonymity online by relying on the Tor network and other tools to keep your activity secret.

    It’s designed to boot from a USB flash drive, CD/DVD or SD card and leaves no trace on the computer you are using unless you ask it explicitly.

    If you haven’t given Linux a try before, the camouflage feature is also a great way to get acquainted. With this skin Tails not only looks like XP but you have a working start menu, tray, and explorer — all the Windows basics.

  18. Tomi Engdahl says:

    Researchers See a Post-Snowden Chilling Effect In Our Search Data
    http://search.slashdot.org/story/14/05/05/1712250/researchers-see-a-post-snowden-chilling-effect-in-our-search-data

    “How risky is it to use the words “bomb,” “plague,” or “gun” online?”

    “According to a new study of Google search trends, searches for terms deemed to be sensitive to government or privacy concerns have dropped “significantly” in the months since Edward Snowden’s revelations in July.”

  19. Tomi Engdahl says:

    The government is listening to your internets. Generate a sentence with some of the keywords they’re looking for. Tweet or share and you could earn a new follower in Washington.

    Source: http://nsa.motherboard.tv/

  20. Tomi Engdahl says:

    Target topples CEO in latest data breach domino
    Steinhafel falls on own sword
    http://www.theregister.co.uk/2014/05/05/target_topples_ceo_in_latest_data_breach_domino/

    The CEO of Target is the latest casualty of the big-box retailer’s disastrous holiday data breach.

    The company said that chief exec Gregg Steinhafel would be leaving the company after 35 years, vacating both the CEO and president roles as well as his seat as chairman of the company’s board of directors.

    Steinhafel saw Target embarrassed and dangerously exposed when in December federal investigators notified the company of a possible breach in its payment card systems.

    The result was the loss of 40 million card numbers and one of the worst retail data breaches ever.

  21. Tomi Engdahl says:

    US Government Begins Rollout Of Its ‘Driver’s License For The Internet’
    from the seizing-the-(wrong)-moment dept
    http://www.techdirt.com/articles/20140503/04264427106/us-government-begins-rollout-its-drivers-license-internet.shtml

    An idea the government has been kicking around since 2011 is finally making its debut. Calling this move ill-timed would be the most gracious way of putting it.

    A few years back, the White House had a brilliant idea: Why not create a single, secure online ID that Americans could use to verify their identity across multiple websites, starting with local government services. The New York Times described it at the time as a “driver’s license for the internet.”

    Sound convenient? It is. Sound scary? It is.

  22. Tomi Engdahl says:

    Symantec: Antivirus is ‘DEAD’ – no longer ‘a moneymaker’
    Oh, and it’s still 40 per cent of our business
    http://www.theregister.co.uk/2014/05/06/symantec_antivirus_is_dead_and_not_a_moneymaker/

    Symantec, a company that has made huge amounts of cash as the largest antivirus software vendor for the last quarter of a century, looks to be getting out of that business and into fixing hacking problems rather than stopping them.

    “We don’t think of antivirus as a moneymaker in any way,” Brian Dye, Symantec’s senior vice president for information security, told The Wall Street Journal, adding that antivirus was “dead.”

    Dye did take the time to say that the security suite for individual devices is still worth buying, as it blocks spam, manages passwords, and spots dodgy links in third-party websites.

    But given that endpoint software accounts for around 40 per cent of Symantec’s revenues, it’s still a worrying admission.

  23. Tomi Engdahl says:

    US Government To Study Bitcoin As Possible Terrorist Threat
    http://news.slashdot.org/story/14/05/05/1926226/us-government-to-study-bitcoin-as-possible-terrorist-threat

    The US Department of Defense is investigating whether Bitcoin and other virtual currencies are a potential terrorist threat.

  24. Tomi Engdahl says:

    U.S. government to study Bitcoin as possible terrorist threat
    http://www.techspot.com/news/56643-us-government-to-study-bitcoin-as-possible-terrorist-threat.html

    The US Department of Defense is investigating whether Bitcoin and other virtual currencies are a potential terrorist threat, according to an IBTimes report.

    The Combating Terrorism Technical Support Office (CTTSO), a division within DOD that identifies and develops counter terrorism abilities and investigates irregular warfare and evolving threats, has listed Bitcoin among its topics for research and mission critical analysis related to terrorism.

    “The introduction of virtual currency will likely shape threat finance by increasing the opaqueness, transactional velocity, and overall efficiencies of terrorist attacks”, the memo said.

    The virtual currency came under the scanner after several high profile cases came into light.

    In addition to Bitcoin and other virtual currencies, CTTSO’s list of terrorism research topics also included Android, Motorola, social media, virtual reality, and more.

  25. Tomi Engdahl says:

    Scariest NSA revelation yet: spooks are RUBBISH at CIPHERS
    ‘Encrypted’ Tweet takes world+dog a moment or two to solve
    http://www.theregister.co.uk/2014/05/06/the_scariest_nsa_revelation_yet_rubbish_ciphers/

    The NSA (yes, that NSA) has triggered a bit of a Tweet-storm, followed by helpless fits of giggles among geeks, by posting a job-ad-Tweet that used a simple Roman-style substitution cipher.

    tpfccdlfdtte pcaccplircdt dklpcfrp?qeiq lhpqlipqeodf gpwafopwprti izxndkiqpkii krirrifcapnc dxkdciqcafmd vkfpcadf. #MissionMonday #NSA #news

    — NSA (@NSACareers) May 5, 2014

  26. Tomi Engdahl says:

    Heartbleed-like bug in OpenSSH dismissed as a hoax
    http://www.pcworld.com/article/2151560/heartbleedlike-bug-in-openssh-dismissed-as-a-hoax.html

    Hackers claiming to have found a critical flaw in a widely used open-source remote login software, OpenSSH, are likely bluffing, according to a developer affiliated with the project.

    On Pastebin, the hackers claim that two years ago they found a problem in OpenSSH that can allow data to be remotely accessed from a server. They claim exploiting the flaw can reveal system user hashes, keys and other random data.

    The hackers claim to have set up honeypots, or traps researchers set to see if their computers will be attacked, that show another group may have also discovered the vulnerability. As a result, they say they are willing to sell details of the flaw for 20 bitcoins, or around US$8,600.

    Similar to OpenSSL, a vulnerability in OpenSSH would pose a high risk. Despite its wide use, OpenSSH is dependent on donations to fund its development.

  27. Tomi Engdahl says:

    IETF drops RSA key transport from SSL
    Adopts different vehicles for Transport Layer Security
    http://www.theinquirer.net/inquirer/news/2343117/ietf-drops-rsa-key-transport-from-ssl

    THE INTERNET ENGINEERING TASK FORCE (IETF) has dropped RSA code from TLS 1.3, the next version of SSL.

    An email from the IETF had the subject line, “Confirming Consensus on removing RSA key Transport from TLS 1.3” and contained a short note.

    “TLS has had cipher suites based on RSA key transport (aka “static RSA”, TLS_RSA_WITH_*) since the days of SSL 2.0. These cipher suites have several drawbacks including lack of PFS, pre-master secret contributed only by the client, and the general weakening of RSA over time,” said the note.

    RSA’s standing in the security industry has been a little shaken recently. Edward Snowden’s revelations exposed that RSA was influenced by the US National Security Agency (NSA).

    RSA has admitted to being somewhat burned by the relationship, and said that mistakes were made.

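    The note quoted above names two drawbacks of static RSA key transport: no forward secrecy, and a pre-master secret chosen by the client alone. As an added illustration (this is not IETF or TLS library code; the primes, group, key sizes and the hash-based stand-in for the key schedule are constructed here, deliberately tiny so the “attacker” can actually run), the following contrasts a recorded TLS_RSA_WITH_* style handshake with a DHE_RSA style one once the server’s long-term key is stolen later:

```python
"""Static RSA key transport vs ephemeral Diffie-Hellman: why TLS_RSA_WITH_*
has no forward secrecy. Toy-sized parameters, constructed for illustration;
nothing here is TLS or a real library, and the sizes are deliberately breakable."""
import secrets
from hashlib import sha256

# Toy DH group: 2**31 - 1 is prime and 7 is a primitive root. It is tiny on
# purpose so the attacker below can actually solve the discrete log and we
# can see what breaking a DHE session costs, even with the server key in hand.
DH_P = 2**31 - 1
DH_G = 7

# Toy RSA key from two fixed primes (deterministic; never use for anything).
RSA_P, RSA_Q, RSA_E = 1000000007, 998244353, 65537


def rsa_keygen():
    n = RSA_P * RSA_Q
    d = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))  # modular inverse, Python 3.8+
    return (n, RSA_E), (n, d)


def rsa_private_op(priv, x):  # decrypt (key transport) or sign (DHE)
    n, d = priv
    return pow(x, d, n)


def rsa_public_op(pub, x):  # encrypt (key transport) or verify (DHE)
    n, e = pub
    return pow(x, e, n)


def session_key(secret: int) -> bytes:
    """Stand-in for the TLS key schedule: hash the (pre-)master secret."""
    return sha256(secret.to_bytes(32, "big")).digest()


def static_rsa_handshake(server_pub):
    """TLS_RSA_WITH_*: the client alone picks the pre-master secret and
    encrypts it to the server's long-term key. The returned transcript is
    everything a passive eavesdropper records."""
    n, _ = server_pub
    pms = secrets.randbelow(n - 2) + 2
    transcript = {"encrypted_pms": rsa_public_op(server_pub, pms)}
    return session_key(pms), transcript


def dhe_handshake(server_pub, server_priv):
    """DHE_RSA: both sides contribute a fresh exponent; the server's RSA key
    only signs its share and never touches the session secret."""
    a = secrets.randbelow(DH_P - 2) + 2  # server's ephemeral exponent
    b = secrets.randbelow(DH_P - 2) + 2  # client's ephemeral exponent
    A, B = pow(DH_G, a, DH_P), pow(DH_G, b, DH_P)
    digest = int.from_bytes(sha256(A.to_bytes(8, "big")).digest(), "big") % server_pub[0]
    sig = rsa_private_op(server_priv, digest)        # server signs its share
    assert rsa_public_op(server_pub, sig) == digest  # client verifies it
    shared = pow(B, a, DH_P)
    assert shared == pow(A, b, DH_P)                 # both sides agree
    return session_key(shared), {"A": A, "B": B, "sig": sig}


def attacker_rsa(transcript, stolen_priv):
    """Server key stolen months later: one private-key operation on the
    recorded ciphertext recovers the old session key."""
    return session_key(rsa_private_op(stolen_priv, transcript["encrypted_pms"]))


def discrete_log(target):
    """Baby-step giant-step: smallest x with DH_G**x == target (mod DH_P).
    About sqrt(DH_P) ~ 46k steps here; for a real 2048-bit group even the
    best known algorithms are infeasible, which is what forward secrecy rests on."""
    m = int(DH_P ** 0.5) + 1
    baby, cur = {}, 1
    for j in range(m):                 # baby steps: g^j for j < m
        baby.setdefault(cur, j)
        cur = cur * DH_G % DH_P
    step = pow(DH_G, -m, DH_P)         # g^(-m)
    gamma = target
    for i in range(m):                 # giant steps: target * g^(-i*m)
        if gamma in baby:
            return i * m + baby[gamma]
        gamma = gamma * step % DH_P
    raise ValueError("no discrete log found")


def attacker_dhe(transcript, stolen_priv):
    """Same stolen RSA key, DHE transcript: the key would let an attacker forge
    future handshakes, but decrypting this recorded one means solving a discrete
    log on the ephemeral shares. The stolen key is deliberately unused here."""
    del stolen_priv
    a = discrete_log(transcript["A"])
    return session_key(pow(transcript["B"], a, DH_P))


if __name__ == "__main__":
    pub, priv = rsa_keygen()
    key, tr = static_rsa_handshake(pub)
    print("static RSA, key stolen later, session recovered:", attacker_rsa(tr, priv) == key)
    key, tr = dhe_handshake(pub, priv)
    print("DHE, key stolen later, recovered only by solving DLP:", attacker_dhe(tr, priv) == key)
```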
  28. Tomi Engdahl says:

    Casino chain Affinity’s credit card system popped AGAIN
    The house doesn’t always win
    http://www.theregister.co.uk/2014/05/06/hax0rs_pop_us_casino_chain_again_but_forensics_say_cards_safe/

    US Casino operator Affinity Gaming has had its credit card processing system hacked for the second time in less than a year.

    Affinity, which ran 11 casinos across four US states, recruited security consultancy Mandiant to investigate the breach.

    The hack comes after the company’s payment systems were thoroughly popped last year with up to 300,000 credit cards compromised.

  29. Tomi Engdahl says:

    Android-based Pwn Phone is prepared to do evil for your network’s own good
    Hands on: Pwnie Express takes Ars through its new Android phone for white hat hackers
    http://arstechnica.com/security/2014/05/android-based-pwn-phone-is-prepared-to-do-evil-for-your-networks-own-good/

    Pwnie Express’ Kevin Reilly gave Ars a personal walk-through of the latest Pwn Phone, the second generation of the company’s mobile penetration testing platform. While the 2012 first-generation Pwn Phone was based on the Nokia N900 and its Maemo 5 Linux-based operating system, the new phone is based on LG Nexus 5 phone hardware. However, it doesn’t exactly use Google’s vanilla Android.

    “What we’ve done is taken Android 4.4 Kit Kat and recompiled the kernel,” said Reilly. “On the backend, it runs our own derivative of Kali Linux, called Pwnix. Essentially it’s running a full-blown Debian OS on the back-end of Android.”

    One of the benefits of the recompiled Android kernel is that the Pwn Phone can act as a USB host, just as PCs do. That makes it possible for the Pwn Phone to use external USB adaptors for Wi-Fi, Bluetooth, and Ethernet in addition to its built-in Wi-Fi and Bluetooth adapters. The external adapters for Wi-Fi and Bluetooth extend the Pwn Phone’s attack range and capabilities, and the Ethernet adaptor allows the device to jack straight into a facility’s local wired network for additional attacks.

    The Pwn Phone comes with a total of 103 network monitoring and attack tools loaded, 26 of which have been configured for launch by touch from the device’s home screen.

    The Pwn Phone will sell for around $1,295, while the Pwn Pad is priced at $1,095.

    Reply
  30. Tomi Engdahl says:

    Symantec Develops New Attack on Cyberhacking
    Declaring Antivirus Software Dead, Firm Turns to Minimizing Damage From Breaches
    http://online.wsj.com/news/article_email/SB10001424052702303417104579542140235850578-lMyQjAxMTA0MDAwNTEwNDUyWj

    Symantec Corp. invented commercial antivirus software to protect computers from hackers a quarter-century ago. Now the company says such tactics are doomed to failure.

    Antivirus “is dead,” says Brian Dye, Symantec’s senior vice president for information security. “We don’t think of antivirus as a moneymaker in any way.”

    Antivirus products aim to prevent hackers from getting into a computer. But hackers often get in anyway these days. So Mr. Dye is leading a reinvention effort at Symantec that reflects a broader shift in the $70 billion a year cybersecurity industry.

    Rather than fighting to keep the bad guys out, new technologies from an array of companies assume hackers get in so aim to spot them and minimize the damage.

    Network-equipment maker Juniper Networks Inc. wants customers to place fake data inside their firewalls to distract hackers. Shape Security Inc., a Silicon Valley startup, assumes that hackers will steal passwords and credit-card numbers so seeks to make it difficult to use the pilfered information. FireEye Inc. created technology that scans networks for malicious-looking computer code that made it past the first line of defense.

    Symantec seeks to join the fray this week. It is creating its own response team to help hacked businesses.

    Symantec pioneered computer security with its antivirus software in the late 1980s.

    But hackers increasingly use novel bugs. Mr. Dye estimates antivirus now catches just 45% of cyberattacks.

    Reply
  31. Tomi Engdahl says:

    Danger, Will Robinson! Beware the hidden perils of BYOD
    And we’re so nice, we’re telling you how to dodge them
    http://www.theregister.co.uk/2014/05/06/data_security/

    Reply
  32. Tomi Engdahl says:

    The Target Breach, By the Numbers
    http://krebsonsecurity.com/2014/05/the-target-breach-by-the-numbers/

    News that Target’s CEO Gregg Steinhafle is stepping down has prompted a flurry of reports from media outlets trying to recap events since the company announced a data breach on Dec. 19, 2013.

    40 million – The number of credit and debit cards thieves stole from Target between Nov. 27 and Dec. 15, 2013.

    200 million – Estimated dollar cost to credit unions and community banks for reissuing 21.8 million cards — about half of the total stolen in the Target breach.

    100 million – The number of dollars Target says it will spend upgrading their payment terminals to support Chip-and-PIN enabled cards.

    0 – The number of customer cards that Chip-and-PIN-enabled terminals would have been able to stop the bad guys from stealing had Target put the technology in place prior to the breach.

    1 million – 3 million – The estimated number of cards stolen from Target that were successfully sold on the black market and used for fraud before issuing banks got around to canceling the rest.

    53.7 million – The income that hackers likely generated from the sale of 2 million cards.

    Reply
  33. Tomi Engdahl says:

    Review: GFI Cloud eliminates need to nursemaid Windows
    Help for the hard-pressed sysadmin
    http://www.theregister.co.uk/2014/05/06/gfi_cloud_review/

    The purpose of GFI Cloud is simply to manage and secure a Windows-based network of desktops and servers. With GFI Cloud, the sysadmin can ensure that they are properly maintained and that nobody has done anything outrageously stupid to them.

    There are two different ways to implement a cloud management service: single agent or per-system agent. Talk to various cloud management companies and you will get impassioned speeches about why one method is better than the other.

    Reply
  34. Tomi Engdahl says:

    The latest Verizon Data Breach Investigation Report states that the use of stolen credentials has risen to become the most commonly used threat action in data breaches. Now, with the Heartbleed OpenSSL vulnerability, chances are higher than ever that user accounts will be exploited by attackers trying to enter an organization’s network.

    Source: http://information.rapid7.com/Webcast-UserInsight-DetectInvestigateUserAttacks–FM.html

    Reply
  35. Tomi Engdahl says:

    Hackers Can Tinker With Traffic Lights, Other Road Systems
    New research shows how easy it is to infiltrate key traffic-control systems
    http://autos.aol.com/article/hackers-can-tinker-with-traffic-lights-other-road-systems/

    Alarming new research released this week details how cyber hackers can infiltrate and manipulate traffic-control systems that govern traffic lights and other road systems in more than 40 major cities across the United States, including New York, Los Angeles and Washington D.C.

    Cesar Cerrudo, a cyber researcher at IOActive, said security measures in the traffic-control devices were practically nonexistent.

    “This is a really big problem in security that these devices are not secure,”

    “The data goes out over the air without any encryption, so you can basically, with some specific hardware, capture all the information sent over the air,” he said. “At the same time, you could send information over the air and make the access points believe you are a sensor. If you’re an attacker sending fake data, you can manipulate the system. And they don’t have any security.”

    What’s worse: Cerrudo said there’s no way for authorities to necessarily detect an attack.

    More than 50,000 of the systems have been deployed across the globe, most of them in the U.S.

    Increasingly, cars and traffic systems are both run by computers and wirelessly connected to the online world. Consequently, they’re more vulnerable to cyber security breaches or attacks. The Department of Homeland Security monitors such threats, and last year, the National Highway Traffic Safety Administration opened a division that deals with electronic security.

    Reply
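The two properties the IOActive researcher describes above (sensor traffic that anyone can capture, and fake sensor frames that the access point accepts as genuine) come from the same missing piece: nothing in the frame proves who sent it. The example below is an added illustration, not code from the article, IOActive or any traffic-system vendor; the frame layout, the sensor id and the key are constructed for the example. It pairs a legacy receiver that trusts any frame with a known sensor id against one that checks a per-sensor HMAC before touching state and enforces a monotonic counter so a captured frame cannot be replayed. Every rejection it produces is also the detection signal the article says operators currently lack.

```python
import hashlib
import hmac
import struct

# Hypothetical over-the-air frame: sensor id, monotonic counter, occupancy flag.
# The real products' wire format is not described in the article; this layout
# is constructed for the example.
FRAME = struct.Struct("!HIB")
TAG_LEN = 8  # truncated HMAC-SHA256 tag appended in the hardened variant


def build_frame(sensor_id, counter, occupied, key=None):
    """Legacy frame (key=None) is plaintext with no authentication, which is the
    situation the article describes.  With a key, an HMAC tag over the whole
    body is appended, so a forger without the key cannot produce a valid frame."""
    body = FRAME.pack(sensor_id, counter, 1 if occupied else 0)
    if key is None:
        return body
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]


class LegacyReceiver:
    """Access point that believes any frame carrying a known sensor id."""

    def __init__(self, known_sensor_ids):
        self.known = set(known_sensor_ids)
        self.occupancy = {}

    def receive(self, frame):
        sensor_id, _counter, occupied = FRAME.unpack(frame[:FRAME.size])
        if sensor_id not in self.known:
            return "rejected: unknown sensor"
        self.occupancy[sensor_id] = bool(occupied)
        return "accepted"


class AuthenticatedReceiver:
    """Access point holding a per-sensor key; verifies the tag first, then
    enforces a strictly increasing counter so captured frames cannot be replayed."""

    def __init__(self, keys_by_sensor):
        self.keys = dict(keys_by_sensor)
        self.last_counter = {}
        self.occupancy = {}

    def receive(self, frame):
        if len(frame) != FRAME.size + TAG_LEN:
            return "rejected: bad length"
        body, tag = frame[:FRAME.size], frame[FRAME.size:]
        sensor_id, counter, occupied = FRAME.unpack(body)
        key = self.keys.get(sensor_id)
        if key is None:
            return "rejected: unknown sensor"
        expected = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return "rejected: bad tag"   # forged or corrupted; state is never touched
        if counter <= self.last_counter.get(sensor_id, -1):
            return "rejected: replay"    # authentic frame, but already seen
        self.last_counter[sensor_id] = counter
        self.occupancy[sensor_id] = bool(occupied)
        return "accepted"


def run_scenarios():
    """Genuine sensor, then an attacker who knows the format and the sensor id
    but not the key, then a replay of the captured genuine frame."""
    keys = {0x0101: b"constructed per-sensor key provisioned at install"}
    legacy = LegacyReceiver(keys)
    authed = AuthenticatedReceiver(keys)
    genuine = build_frame(0x0101, 42, True, keys[0x0101])
    forged = build_frame(0x0101, 43, False)      # claims the lane is empty
    forged_tagged = forged + bytes(TAG_LEN)      # attacker pads with a guessed tag
    return {
        "legacy_accepts_forgery": legacy.receive(forged) == "accepted",
        "authed_accepts_genuine": authed.receive(genuine) == "accepted",
        "authed_rejects_forgery": authed.receive(forged_tagged) == "rejected: bad tag",
        "authed_rejects_replay": authed.receive(genuine) == "rejected: replay",
        "authed_state_untouched": authed.occupancy[0x0101] is True,
    }


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {ok}")
```

Two practical notes on the hardened variant: the tag is checked before the counter so that an unauthenticated frame can never advance receiver state, and the counter only works as anti-replay if the sensor persists it across reboots (or the receiver falls back to a challenge/nonce after a reset). Encrypting the frames would hide the readings but would not by itself stop forgery; authentication is the property that closes the attack the article describes.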
  36. Tomi Engdahl says:

    Watch a bank-raiding ZeuS bot command post get owned in 60 seconds
    RC4? Shoddy PHP coding? You VXers should try a little harder
    http://www.theregister.co.uk/2014/05/06/zeus_pwned_in_60_seconds/

    Web thieves may get more than they bargained for if tech pros follow the lead of one researcher – who demonstrated how to hack the systems remote-controlling the infamous ZeuS crime bot in 60 seconds.

    The dangerous Trojan ZeuS infects Windows PCs to, among other things, silently siphon cash from victims’ online bank accounts. Each flavour of the software nasty connects to a control server operated by the various crims distributing it; the bots receive their instructions from this particular server.

    Now an infosec researcher known as Xylitol has uploaded a video in which he demonstrates how to exploit a flaw in a command centre for Zeus version 2.1.0.1 in less than a minute.

    Reply
  37. Tomi Engdahl says:

    Symantec And Security Starlets Say Anti-Virus Is Dead
    Is anti-virus finally dying? Sort of, say Symantec and its rivals
    http://www.techweekeurope.co.uk/news/anti-virus-dead-or-dying-symantec-144954

    “The overall detection by anti-virus software in January was disappointing — only 70.62 percent. For February it is even worse — only 64.77 percent was detected. And in March the average detection was 73.56 percent. That might not sound too bad but it means that 29 percent, 35 percent and 26 percent was not detected,” the company’s report read.

    “Protecting your data from Internet-based threats is not an easy task – and relying on protection from anti-virus companies, no matter how established their brand, is simply not enough. Comprehensive protection requires an entirely new approach.”

    “To be clear, single-iteration malware will continue to persist, and a minor need for AV will remain to provide a layer of reactive protection against these unsophisticated, benign threats. But with high-profile breaches occurring frequently, being driven by fast-moving, advanced threats, it is clear that next generation technologies and approaches are needed,” FireEye’s Zheng Bu and Rob Rachwald said in a blog post.

    “Today’s AV model makes everyone a sacrificial lamb.”

    Reply
  38. Tomi Engdahl says:

    In his words: How a whitehat hacked a university and became an FBI target
    David Helkowski set out to be a whistle-blower; he now faces the feds and unemployment.
    http://arstechnica.com/information-technology/2014/05/why-he-hacked-university-of-maryland-contractor-turned-hacker-tells-all/

    Recently let go from his computer consulting job after engaging in some “freelance hacking” of a client’s network, Helkowski was still insistent on one point: his hack, designed to draw attention to security flaws, had been a noble act.

    The FBI had a slightly different take on what happened, raiding Helkowski’s home and seizing his gear.

    In early March 2014, working from a computer in his Parkville, Maryland home, Helkowski said that he exploited a misconfigured Web server and some poor database security in order to duplicate the results of a recent data breach that exposed the Social Security numbers and personal information for more than 300,000 current and former University of Maryland students and staff.

    Based on its creation date in the file system, Helkowski said, the backdoor script had been on the server since 2011—meaning that the server was breached at least once over the last two years. He found another similar script not detected by the malware scanner.

    “a full report of how bad I believed that access to be,” including recommendations to correct them such as changing all of the database passwords that were hard-coded into the ColdFusion site.

    “I had access for quite a while. I could have escalated my access,

    Reply
  39. Tomi Engdahl says:

    Slow IPv6 adoption is a GOOD THING as IETF plans privacy boost
    New ‘SLAAC’ RFC aims to do a better job of hiding hosts
    http://www.theregister.co.uk/2014/05/07/rfc_offers_better_privacy_for_ipv6_hosts/

    The glacial pace of the worldwide IPv6 rollout might cause hand-wringing among ‘net boffins, but at least it’s leaving time for engineers to pry around for possible problems before the whole world’s on the protocol.

    Since the transition is still at an early stage, it’s easy to forget that IPv6 has, as a document, been around since the late 1990s – an era long before ordinary users had learned to fear the NSA, worry about deliberately-compromised cryptography, or wonder if they’d lost their data to the Heartbleed bug.

    Back then, the authors of IPv6 were worried about address exhaustion, so the main game was to expand the address space, making it big enough that everyone/thing could get an address. Data confidentiality was considered optional to the operation of the protocol.

    With its new-found desire to NSA-proof the Internet, it’s no surprise that there’s an RFC that looks back at IPv6 to propose how addresses could be made more private.

    Since v6 doesn’t need to reassign addresses, the device would then keep that address forever – and there’s where the privacy risk arises. This could be tackled by using temporary addresses, but only at the cost of making sys admins’ work a bit of a nightmare.

    The new RFC, 7217, offers at least a partial fix: while a host’s address would be stable as long as it stays attached to a given subnet, it would change as the host moves between networks.

    Reply
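The mechanism behind that RFC is simple enough to show end to end. The block below is an added example, not code from the Register article or the RFC's authors: it derives an interface identifier from a one-way function over the prefix, the interface name, a network identifier, a DAD counter and a per-host secret (the RFC 7217 inputs), skips the identifiers RFC 5453 reserves, and puts the result beside a classic EUI-64 identifier derived from the MAC. The secret key, MAC, prefixes and the choice of HMAC-SHA256 as the one-way function are this example's own; the RFC leaves the function open. Run it and the EUI-64 address keeps the same low 64 bits on both subnets while the RFC 7217 address is stable on one subnet and different on the other.

```python
import hashlib
import hmac
import ipaddress

# Constructed secret so the example is reproducible. A real host generates it
# once (for example at install time) and never discloses it; the scheme only
# hides the host if an outsider cannot recompute the identifier.
SECRET_KEY = bytes.fromhex(
    "5c0d6e7f8091a2b3c4d5e6f708192a3b4c5d6e7f8091a2b3c4d5e6f708192a3b")


def eui64_iid(mac: str) -> bytes:
    """Modified EUI-64 identifier (RFC 4291): MAC split with ff:fe inserted and
    the universal/local bit flipped.  Identical on every network, which is what
    lets a host be tracked across subnets."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def is_reserved_iid(iid: bytes) -> bool:
    """Identifiers a host must not pick (RFC 5453): the subnet-router anycast
    id (all zeros) and the reserved subnet-anycast block ending in ...ff80-ffff."""
    if iid == bytes(8):
        return True
    prefixes = (b"\xfd\xff\xff\xff\xff\xff\xff", b"\xff\xff\xff\xff\xff\xff\xff")
    return iid[:7] in prefixes and iid[7] >= 0x80


def rfc7217_iid(prefix: str, net_iface: str, network_id: bytes,
                dad_counter: int, secret_key: bytes = SECRET_KEY) -> bytes:
    """One evaluation of F(Prefix, Net_Iface, Network_ID, DAD_Counter, secret_key).
    HMAC-SHA256 with '|' separators is this example's choice of one-way function."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC addresses need a /64 prefix")
    msg = b"|".join([net.network_address.packed[:8], net_iface.encode(),
                     network_id, dad_counter.to_bytes(1, "big")])
    return hmac.new(secret_key, msg, hashlib.sha256).digest()[:8]


def stable_privacy_address(prefix: str, net_iface: str, network_id: bytes = b"",
                           secret_key: bytes = SECRET_KEY) -> ipaddress.IPv6Address:
    """Pick the first non-reserved identifier, bumping DAD_Counter the way the
    RFC does after a duplicate-address-detection failure."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    for dad_counter in range(256):
        iid = rfc7217_iid(prefix, net_iface, network_id, dad_counter, secret_key)
        if not is_reserved_iid(iid):
            return ipaddress.IPv6Address(net.network_address.packed[:8] + iid)
    raise RuntimeError("exhausted DAD_Counter")


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Classic SLAAC address for comparison: prefix plus the MAC-derived IID."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    return ipaddress.IPv6Address(net.network_address.packed[:8] + eui64_iid(mac))


if __name__ == "__main__":
    mac, home, office = "00:1b:63:84:45:e6", "2001:db8:1::/64", "2001:db8:2::/64"
    print("EUI-64 at home   :", eui64_address(home, mac))
    print("EUI-64 at office :", eui64_address(office, mac))      # same low 64 bits
    print("RFC 7217 at home :", stable_privacy_address(home, "eth0"))
    print("RFC 7217 office  :", stable_privacy_address(office, "eth0"))  # different
```

The sysadmin's side of the trade-off is visible in the code: on a given subnet the host's address does not change between boots (the secret and the inputs are fixed), so firewall rules and logs keep working, but nothing in the address links the host's appearance on one subnet to its appearance on another. The Network_ID input is what distinguishes two networks that happen to advertise the same prefix, for example a wireless SSID.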
  40. Tomi Engdahl says:

    Security Cam Maker Dropcam Announces A Location-Based Motion Sensor
    http://techcrunch.com/2014/05/06/security-cam-maker-dropcam-announces-a-location-based-motion-sensor/

    Dropcam, the makers of a plug and play security camera system, announced a new sensor, called Tabs, to add new functionality to the camera platform. The device, which is about as big as a stick of gum, can be carried around with you, attached to items, or even stuck to windows and doors. The sensors connect to Dropcam Pros via Bluetooth LE and transmit activities that happen around the house. They are battery powered and last for two years.

    Tabs will be available in August but they are opening pre-orders today.

    Reply
  41. Tomi Engdahl says:

    Dropbox and Box Leaked Shared Private Files Through Google
    http://hardware.slashdot.org/story/14/05/07/009248/dropbox-and-box-leaked-shared-private-files-through-google

    “People using shared storage providers such as Box and Dropbox are leaking data, a competitor has discovered. Links to shared files leak out when those links are accidentally put into the Google search box, or if users click links from within the documents.”

    Reply
  42. Tomi Engdahl says:

    Software Entrepreneurs (Ohjelmistoyrittäjät) has released a security certification model. The model is designed to give businesses a way to show that their information security is well managed.

    The organization stresses that because Finland has traditionally been known as a high-security country, businesses should take advantage of that image.

    The security audits and certifications are carried out by Second Nature Security.

    Source: http://www.tietoviikko.fi/kaikki_uutiset/ohjelmistoyrittajat+auttaa+suomalaisfirmoja+osoittamaan+tietoturvansa/a986262

    Reply
  43. Tomi Engdahl says:

    7th May 2014 00:11
    Report: Google’s NSA dealings not as bad as you thought – THEY WERE WORSE
    Email releases suggest company had better relationship with feds than it let on
    http://www.channelregister.co.uk/2014/05/07/googles_nsa_data_dealings_not_as_bad_as_first_thought_theyre_much_worse/

    Google and other technology giants were working far more closely with the NSA than originally thought, if a set of uncovered internal emails is to be believed.

    Al Jazeera has posted an email correspondence between NSA director General Keith Alexander and Google’s Eric Schmidt and Sergey Brin discussing cooperation with the company on an industry security framework.

    The emails, dated January and June of 2012, discuss participation from Google in the NSA’s Enduring Security Framework (ESF) program.

    In the pitch, Alexander notes that the project played a role in the deployment of measures to protect against the BIOS attack plot on US computer systems. The NSA was later found to be using its own BIOS-level malware to target systems.

    Al Jazeera’s report is not the first indication that Google was cozying up to the US government prior to the Edward Snowden revelations.

    Reply
  44. Tomi Engdahl says:

    As Domestic Abuse Goes Digital, Shelters Turn To Counter-surveillance With Tor
    http://yro.slashdot.org/story/14/05/07/185205/as-domestic-abuse-goes-digital-shelters-turn-to-counter-surveillance-with-tor

    “Step one, do not infect yourself. Step two, do not infect others, especially your co-workers. Step three, help others,” he said. In the case of digital infections, like any other, skipping those first two steps can quickly turn caretakers into infected liabilities. For domestic violence prevention organizations that means ensuring their communication lines stay uncompromised.

    Reply
  45. Tomi Engdahl says:

    It’s World Password Day: Change your passwords
    http://www.net-security.org/secworld.php?id=16812

    Today (May 7) is World Password Day – a day dedicated to promoting the use of strong passwords and the creation of good habits when it comes to choosing passwords.

    There’s no better time than today to change all your passwords. When choosing a new password, choose length over complexity.

    “Any complex eight-character password can be cracked in 5.5 hours. The password ‘thunder showers at sunset’ would take more than a million years to crack,” Intel pointed out.

    Also, know that changing your passwords regularly significantly reduces your risk of being hacked.

    Reply
  46. Tomi Engdahl says:

    TLS 1.3 Draft Prepares to Drop Static RSA Key Exchange
    http://it.slashdot.org/story/14/05/07/1539217/tls-13-draft-prepares-to-drop-static-rsa-key-exchange

    The IETF TLS working group has reached consensus on dropping static RSA cipher suites from TLS 1.3, instead requiring the use of Diffie-Hellman Exchange (or the faster elliptic curve variant). Static DH and not just ephemeral DH key exchange will be supported, so not all connections will have forward secrecy.

    Reply
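The two IETF items above (comments 27 and 46) both turn on the same property: with static RSA key transport the session key is chosen by the client alone and shipped encrypted under the server's long-term key, so anyone who records the traffic and later obtains that key reads the session. The block below is an added toy model, not code from either article or from any TLS implementation: it runs a static-RSA handshake, an ephemeral DH handshake signed with the server's RSA key, and a static-DH handshake (the case comment 46 notes will still be allowed), then lets an attacker who stole the server's long-term secrets afterwards try to recover each recorded session. The RSA and DH parameters are constructed, tiny and unpadded, chosen only so the arithmetic is visible.

```python
import hashlib
import secrets

# Constructed toy parameters: far too small for real use, chosen so the
# arithmetic is visible. Textbook (unpadded) RSA; a Mersenne prime as a DH group.
RSA_P, RSA_Q, RSA_E = 2**61 - 1, 2**89 - 1, 65537
DH_P, DH_G = 2**127 - 1, 3


def rsa_keygen():
    """Server's long-term key pair: used for key transport in static RSA suites,
    only for signing in (EC)DHE suites."""
    n, phi = RSA_P * RSA_Q, (RSA_P - 1) * (RSA_Q - 1)
    return {"n": n, "e": RSA_E}, {"n": n, "d": pow(RSA_E, -1, phi)}


def rsa_encrypt(pub, m):
    return pow(m, pub["e"], pub["n"])


def rsa_decrypt(priv, c):
    return pow(c, priv["d"], priv["n"])


def rsa_sign(priv, data):
    h = int.from_bytes(hashlib.sha256(data).digest(), "big") % priv["n"]
    return pow(h, priv["d"], priv["n"])


def rsa_verify(pub, data, sig):
    h = int.from_bytes(hashlib.sha256(data).digest(), "big") % pub["n"]
    return pow(sig, pub["e"], pub["n"]) == h


def kdf(secret):
    """Stand-in for the TLS PRF: session key from the (pre)master secret."""
    return hashlib.sha256(secret.to_bytes(32, "big")).digest()


def static_rsa_handshake(server_pub):
    """TLS_RSA_WITH_*: the client alone picks the premaster secret and sends it
    encrypted under the server's long-term key. Returns (session key, transcript)."""
    pms = secrets.randbits(120)
    return kdf(pms), {"kind": "static_rsa", "enc_pms": rsa_encrypt(server_pub, pms)}


def dh_handshake(server_pub, server_priv, static_b=None):
    """DHE (static_b None): fresh server exponent every time, RSA only signs g^b.
    Static DH (static_b given): the server reuses one long-term exponent (in real
    TLS it sits in the certificate instead of being signed per handshake)."""
    b = secrets.randbits(126) if static_b is None else static_b
    g_b = pow(DH_G, b, DH_P)
    sig = rsa_sign(server_priv, g_b.to_bytes(16, "big"))
    a = secrets.randbits(126)                       # client's contribution
    g_a = pow(DH_G, a, DH_P)
    if not rsa_verify(server_pub, g_b.to_bytes(16, "big"), sig):
        raise ValueError("bad server signature")
    client_key, server_key = kdf(pow(g_b, a, DH_P)), kdf(pow(g_a, b, DH_P))
    assert client_key == server_key
    kind = "static_dh" if static_b is not None else "dhe"
    return client_key, {"kind": kind, "g_a": g_a, "g_b": g_b, "sig": sig}


def passive_attacker_later(wire, stolen):
    """The server's long-term secrets leak after the session was recorded.
    Recorded static-RSA and static-DH sessions fall; a DHE transcript holds only
    g^a and g^b, and neither exponent was ever stored or transmitted."""
    if wire["kind"] == "static_rsa":
        return kdf(rsa_decrypt(stolen["rsa"], wire["enc_pms"]))
    if wire["kind"] == "static_dh" and stolen.get("dh_b") is not None:
        return kdf(pow(wire["g_a"], stolen["dh_b"], DH_P))
    return None  # would need a discrete logarithm in the group


def active_attacker_now(stolen):
    """What a leaked signing key does buy against DHE: forging a fresh, valid
    server share from now on (impersonation), which is why revocation still matters."""
    m = secrets.randbits(126)
    g_m = pow(DH_G, m, DH_P)
    return {"g_b": g_m, "sig": rsa_sign(stolen["rsa"], g_m.to_bytes(16, "big"))}


def run_scenarios():
    server_pub, server_priv = rsa_keygen()
    long_term_b = secrets.randbits(126)
    rsa_key, rsa_wire = static_rsa_handshake(server_pub)
    dhe_key, dhe_wire = dh_handshake(server_pub, server_priv)
    sdh_key, sdh_wire = dh_handshake(server_pub, server_priv, long_term_b)
    stolen = {"rsa": server_priv, "dh_b": long_term_b}
    forged = active_attacker_now(stolen)
    return {
        "static_rsa_session_recovered": passive_attacker_later(rsa_wire, stolen) == rsa_key,
        "static_dh_session_recovered": passive_attacker_later(sdh_wire, stolen) == sdh_key,
        "dhe_session_recovered": passive_attacker_later(dhe_wire, stolen) == dhe_key,
        "dhe_impersonation_now": rsa_verify(
            server_pub, forged["g_b"].to_bytes(16, "big"), forged["sig"]),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

The output makes the IETF note's three complaints concrete: the static-RSA transcript falls to a key leak (no forward secrecy), the premaster secret came from one side only, and the static-DH case shows that reusing any long-term exchange key, RSA or DH, has the same retroactive cost. The last line is the caveat: forward secrecy protects past sessions, not future ones, so a leaked signing key still has to be revoked.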
  47. Tomi Engdahl says:

    Samsung ‘Smart’ Camera Easily Hackable:
    “The op-co.de blog has a post about the incredibly poor job Samsung did securing its new NX300 ‘smart camera.’”

    Hacking the Samsung NX300 ‘Smart’ Camera
    http://op-co.de/blog/posts/hacking_the_nx300/

    The Samsung NX300 smart camera is a middle-class mirrorless camera with NFC and WiFi connectivity. You can connect it with your local WiFi network to upload directly to cloud services, share pictures via DLNA or obtain remote access from your smartphone.

    The camera provides the Remote Viewfinder and MobileLink modes where it creates an unencrypted access point with wide-open access.

    Because hardware engineers suck at software security, nothing else was to be expected.

    Reply
  48. Tomi Engdahl says:

    Securo-borg FireEye coughs $70m to buy ‘flight-recorder-for-networks’ tech
    First Mandiant, now nPulse – whatever will it swallow next?
    http://www.theregister.co.uk/2014/05/07/fireeye_buys_network_forensics_flight_recorder_tech/

    nPulse’s forensics will be integrated into FireEye’s Network Threat Prevention Platform and bundled with recently introduced IPS capabilities to create a more capable threat management platform.

    “The new reality of security is that every organisation has some piece of malicious code within their network,” said David DeWalt, chairman of the board and chief executive officer of FireEye, in a canned statement.

    “The more important question is has that code been able to execute any compromising activity that puts the organisation at risk”

    The nPulse buyout deal will allow FireEye to compete with the likes of HP (ArcSight) and IBM (QRadar) in the Security Information and Event Management (SIEM) sub-segment of the security business, as well as going head-to-head with startups such as LogLogic.

    Reply
  49. Tomi Engdahl says:

    Commonwealth Bank in comedy Heartbleed blog FAIL
    Bank: ‘We are now safely patched.’ Customers: ‘You were using OpenSSL?’
    http://www.theregister.co.uk/2014/04/14/australian_bank_in_huge_heartbleed_blog_fail/

    An attempt by Australia’s Commonwealth Bank to reassure customers that they would not be harmed by the Heartbleed vulnerability has backfired spectacularly after tech-savvy customers made mincemeat out of a badly worded blog post.

    This incident will doubtless be replayed soon by social media “experts” as the kind of thing one should not do with “owned media”. A hundred corporate websites will become even blander and less interesting as a result.

    Reply
