Year 2014 will be a year of cybersecurity after the NSA revelations made in 2013: The headline news is that the NSA has surreptitiously “burrowed its way into nearly all the security architecture” sold by the world’s largest computer networking companies. A lot of people were shocked how NSA monitored and hacked almost everything in Internet. There will still be NSA aftershocks after new material comes out and different parties react to them (and news sources write about them). U.S. cloud services have been put into question for good reason. There will be a lot of NSA spying litigation. Those spying issues will also fuel some haktivism (it has already started to happen).
Security Professionals: Top Cyber Threat Predictions for 2014 article lists the following predictions that seem to pretty propable: Cybersecurity Regulatory Efforts Will Spark Greater Need for Harmonization, Service-Impacting Interruptions for Online Services Will Persist, We Will See an Increase in Cybercrime Activity Related to the World Cup, Rise of Regional Cloud Services, Dev-Ops Security Integration Fast Becoming Critical, Cybercrime that Leverages Unsupported Software will Increase, Increase in Social Engineering and Ransomware will Impact More People.
Ubiquitous mobile computing is all around us, which will lead to increased risks and concerns about social network privacy. Social networks have quickly become the key organizing principle of Internet communication and collaboration. Android anti-virus apps CAN’T kill nasties on sight like normal AV.
2013 was a very hacked year when there was many cases where information on millions or tens of millions of users were stolen from companies. It’s likely that we will see much more of the same in 2014, the way people use passwords and how the on-line services are built have not changed much in one year.
Gartner predicts that through 2014, improved JavaScript performance will begin to push HTML5 and the browser as a mainstream enterprise application development environment. I expect that HTML5 related security issues are increased due the fact that the technology being used more in 2014.
Over 50% of net traffic to web sited made by bots! More Than Half of Internet Traffic Is Just Bots article says that security and cloud service provider Incapsula analyzed and found out that more than 60 percent of internet traffic is computer generated, compared to less than 40 percent of traffic that is driven by human clicks. 31% of Bots Are Still Malicious. SEO link building has always a major motivation for automated link spamming, but it is decreasing due the fact that Google was able to discourage it. There are more advanced hacking and automatic vulnerability searching.
DDoS attacks are evolving from volumetric Layer 3-4 attacks to much more sophisticated and dangerous Layer 7 multi-vector threats.
There will be still many SCADA security issues in 2014. Even though traditional SCADA vulnerabilities have become easier to find, the increased connectivity brought with IoT will cause new issues. And there will still be very many controls systems openly accessible from the Internet for practically everybody who knows how to do that. There was a large number of SCADA systems found open in Internet in the beginning of 2013, and the numbers have not considerably dropped during the year. I expect that very many of those systems are still too open in the end of 2014.
The Internet is expanding into enterprise assets and consumer items such as cars and televisions. The Internet of Things (IoT) will evolve into the Web of Things, increasing the coordination between things in the real world and their counterparts on the Web. There will be many security issues to solve and as the system become more widely used more security issues on them will be found in them.
Cloud security will be talked about. Hopefully there will be some clear-up on the terminology on that area, because cloud security can mean a lot of things like the term cloud computing. Cloud security could mean how secure your cloud provider is, a service that runs on cloud filtering what comes through it (for example e-mails, web traffic), it could mean to product protecting some service running on cloud, or it could be a traditional anti-virus service that connects to cloud to advance it’s operation (for example update in real-time, verify unknown programs based on data on cloud). Research firm Gartner forecasts that cloud security sales will increase dramatically in the next few years. Cloud Security sales have increased over the past year by 2.1 billion to $ 3.1 billion in 2015.
Marketers try to put “cloud” term to security product brochures as much as they can. Cloud made from the traditional information security sound old-fashioned because companies are under pressure to move services to the cloud. Also, mobile devices and information security dispersed users to set new standards. OpenDNS ‘s CTO Dan Hubbard says that “Because of the data and equipment run in the cloud users with the cloud is the best way to protect them.” The Snowden Effect will also bring this year of PRIVATE cloud talk on table for security reasons because U.S. cloud services have been put into question for good reason.
In Finland a new Cyber Security Center started in the beginning of 2014. Security articles and warnings from it will be published at kyberturvallisuuskeskus.fi.
Late addition: Crypto-currencies like Bitcoin and similar are on the rise. Early adopters already use them already actively. Those crypto-currencies have many security related issues related to them. The values of the crypto-currencies vary quite much, and easily the value drops considerably when they get so used that different governments try to limit using them. Bitcoin is increasingly used as ramsonware payment method. Bitcoins have been stolen lately quite much (and I expect that to increase when usage increases), and those are stolen from users, on-line wallets and from exchanges. When more money is involved, more bad guys try to get into to get some of it. Sometimes bad guys do not try to steal your money, bit use resources you pay (your own PC, your server capacity, etc.) to generate money for them without you knowing about it. If you plan to use those crypto-currencies be careful to understand what you are doing with them, there is a real possibility that you can loose your money and there is no way that lost money can be recovered.
3,382 Comments
Tomi Engdahl says:
Global survey finds 85% of mobile apps fail to provide basic privacy information
http://ico.org.uk/news/latest_news/2014/global-survey-finds-85-percent-of-mobile-apps-fail-to-provide-basic-privacy-information-20140910
A survey of over 1,200 mobile apps by 26 privacy regulators from across the world has shown that a high number of apps are accessing large amounts of personal information without adequately explaining how people’s information is being used.
Tomi Engdahl says:
IDF 2014
The cloud security was speaked on the Moscone Center, ground floor of the exhibition space, which featured a large range of Intel’s large and small partners.
Hytrustin idea is to provide security in the cloud located in the server. Virtual Server and everything is just a file, so protecting it is, in principle, easy. Extremely simplified Hytrustin software to check every startup the host computer’s BIOS, and if the notice changes, refusing to starting.
Especially in Europe, there has been great interest in the possibility of limiting the virtual servers start of the countries borders.
Source: http://www.tivi.fi/blogit/uutiskommentti/dataa+pilvessa+ja+turvassa/a1010711
Tomi Engdahl says:
Research Director Mikko Hypponen discusses the development of the internet
He will take Google for example, how lucrative users profiling can be. Its services are free and expensive to maintain, “alone, Google’s electricity bill is over $ 100 million per year.”
Despite this, Google’s revenue last year was 60 billion dollars and profit of 12 billion. Hypponen calculates that if Google has a billion users, each of them will produce the company $ 12 without paying anything.
“I’d pay like 12 bucks a year to Google, if it does not track or profiled me. Damn, I would pay even a hundred bucks! But this option, Google does not let me, “Hypponen writes.
He notes that Google does not do anything illegal, and users give up their data on a voluntary basis.
“Sometimes I wish that things would have developed in a different way and we would have a simple micro-payment system, in which we could pay for content and services.”
Source: http://www.tivi.fi/kaikki_uutiset/mikko+hypponen+voisin+maksaa+googlelle+satasen+jos/a1010838
Tomi Engdahl says:
This flashlight app requires: Your contacts list, identity, access to your camera…
Who us, dodgy? Vast majority of mobile apps fail privacy test
http://www.theregister.co.uk/2014/09/11/mobile_app_privacy_survey/
A global survey of more than 1,200 mobile apps has discovered that the vast majority (85 per cent) fail to provide basic privacy information.
The global survey faulted apps for accessing large amounts of personal information without adequately explaining how they were collecting, using and disclosing personal information. Almost one in three apps appeared to request an excessive number of permissions to access additional personal information.
More than half (59 per cent) of the apps left users struggling to find basic privacy information. Many (43 per cent) of the apps either providing information in a too small print, or also hide the information in lengthy privacy policies that required scrolling or clicking through multiple pages.
It wasn’t all bad news.
“The issue here is more than just how apps explain how they collect and use data,”
“This [risk] is exacerbated by the fact that, since their business models revolve around user data, many apps store far more information than they need.”
Tomi Engdahl says:
Facebook Is Testing Self-Destructing Posts
http://www.huffingtonpost.com/2014/09/10/facebook-self-destruct_n_5798320.html
Ever wanted to set a self-destruct timer on your Facebook posts? Well, just in case, you may soon be able to do just that.
The social networking site is testing a new feature that will let you schedule a post for deletion. All you have to do is set the length of time, and the post will go poof when you want it to.
But what kind of posts would you want to self-destruct?
Tomi Engdahl says:
Look, people send nude texts to their romantic interests: it’s like a fact of the social media age. When it goes wrong, it’s mortifying
http://live.huffingtonpost.com/r/highlight/the-uniting-force-behind-silicon-valley–china/5410a82a78c90a18030002a8
Tomi Engdahl says:
MH17 plane crash victims exploited by cold-hearted scammers
http://www.welivesecurity.com/2014/09/10/mh17-plane-crash-scam/
Now it appears, the cold-hearted scammers are exploiting the tragic events that befell MH17 over Ukraine too.
Yes, it’s “yet another 419 scam”.
Also commonly known as “Letters from Nigeria” or “Advanced Fee Fraud”, the scams typically involve the promise of a vast fortune – but sooner or later (once you have begun to be sucked in and lost all wariness) you will be told that you need to advance an amount of money for logistical reasons, or share sensitive information such as your passport or banking details.
You might not fool for a scam like this, but unfortunately there are plenty of vulnerable people out there who do. And it only requires one person to fool for the scam for it to be worthwhile to the fraudsters, who have typically spammed it out to thousands.
But what makes this scam particularly sick is that it uses the name of a genuine victim of the MH17 tragedy.
If scammers had any conscience, they wouldn’t compound the misery of those who have been left bereaved and heartbroken by using the names of victims
Tomi Engdahl says:
5 Nigerian gangs dominate Craigslist buyer scams
Likely Lads from Lagos still skilled at parting fools from money
http://www.theregister.co.uk/2014/09/11/nigerian_gangs_dominate_craiglist_scams/
Just five Nigerian criminal gangs are behind a widespread type of fraud targeting sellers on Craigslist.
The researchers discovered that Nigerian scammers have enlisted the help of US-based accomplices as well as getting their hands on professional cheque-creating kit.
The two researchers put up “honeypot” ads for laptops
Many less savoury buyers approached the researchers by email. In response, the researchers sent images of the products. Opening these images revealed info on the IP addresses of scammers. More than half came from Nigeria from what the researchers identified as just five groups of fraudsters.
The Craigslist scam kicks into effect when these “buyers” offer to pay for the advertised kit with a certified cheque.
This overpayment scam works because banks are likely to initially accept the cheque and might even “float” funds from a cheque before it has cleared. Once the cheque is discovered to be fraudulent, banks attempt to claw funds back as well as imposing a surcharge, levying even more pain on defrauded sellers.
Overpayment scams have been around for years and are not particular to Craiglist.
Bank routing numbers used in the scam are legitimate.
Tomi Engdahl says:
Mining iPhones and iCloud For Data With Forensic Tools
http://mobile.slashdot.org/story/14/09/11/1624205/mining-iphones-and-icloud-for-data-with-forensic-tools
SternisheFan points out an article that walks us through the process of using forensic tools to grab data from iPhones and iCloud using forensic tools thought to have been employed in the recent celebrity photo leak.
The discusses also details a method for spoofing device identification to convince iCloud to restore data to a device mimicking the target’s phone. The author concludes, “Apple could go a long way toward protecting customer privacy just by adding a second credential to encrypt stored iCloud data.”
Tomi Engdahl says:
iPwned: How easy is it to mine Apple services, devices for data?
High-end tools, simple hacks can still make iPhone data less private than we’d like.
http://arstechnica.com/features/2014/09/ipwned-mining-iphones-icloud-for-personal-data-is-terrifying-simple/
Apple executives never mentioned the words “iCloud security” during the unveiling of the iPhone 6, iPhone 6+, and Apple Watch yesterday, choosing to focus on the sexier features of the upcoming iOS 8 and its connections to Apple’s iCloud service. But digital safety is certainly on everyone’s mind after the massive iCloud breach that resulted in many celebrity nude photos leaking across the Internet. While the company has promised fixes to both its mobile operating system and cloud storage service in the coming weeks, the perception of Apple’s current security feels iffy at best.
In light of one high profile “hack,” is it fair to primarily blame Apple’s current setup? Is it really that easy to penetrate these defenses?
The iCloud thefts were likely aided and abetted either by a weakness in iCloud’s authentication for the “Find My iPhone” application interface or by some clever deduction of passwords or security questions based on data about the targets gleaned from public sources (like, for example, Wikipedia). Sadly iCloud backups, because of their nature, often contain data long gone from a phone itself, or at least data that’s gone from what the phone user can see onscreen.
Again, Apple has a number of security fixes coming.
Tomi Engdahl says:
U.S. threatened massive fine to force Yahoo to release data
http://www.washingtonpost.com/business/technology/us-threatened-massive-fine-to-force-yahoo-to-release-data/2014/09/11/38a7f69e-39e8-11e4-9c9f-ebb47272e40e_story.html
The U.S. government threatened to fine Yahoo $250,000 a day in 2008 if it failed to comply with a broad demand to hand over user communications — a request the company believed was unconstitutional — according to court documents unsealed Thursday that illuminate how federal officials forced American tech companies to participate in the National Security Agency’s controversial PRISM program.
The ruling by the Foreign Intelligence Surveillance Court of Review became a key moment in the development of PRISM, helping government officials to convince other Silicon Valley companies that unprecedented data demands had been tested in the courts and found constitutionally sound. Eventually, most major U.S. tech companies, including Google, Facebook, Apple and AOL, complied. Microsoft had joined earlier, before the ruling, NSA documents have shown.
Tomi Engdahl says:
Dropbox transparency report: 268 law enforcement requests, up to 249 national security requests (updated)
http://venturebeat.com/2014/09/11/dropbox-transparency-report-268-law-enforcement-requests-up-to-249-national-security-requests/
Dropbox announced its first six-month transparency report today, revealing 268 law enforcement requests “for user information” and between 0 and 249 national security requests from January to June 2014.
Tomi Engdahl says:
Veracode gets $40M to help companies find security holes in their applications
https://gigaom.com/2014/09/11/veracode-gets-40m-to-help-companies-find-security-holes-in-their-applications/
Veracode’s service hooks into the development tools used by coders so that its cloud-based system can scan their application for vulnerabilities or bugs in the code.
What makes Veracode different than the recent torrent of security startups that have been raising cash is how its technology aims to strengthen the development process of applications rather than providing network-monitoring services like RiskIQ or identity management features like Okta. Brennan said he believes that many of the security breaches today occur by taking advantage of holes in the design and source code of the application itself, especially as these apps are dealing with lots of data flowing in and out.
“The world views of security and development are different; one is focussed on building things and one is focussed on monitoring,” Brennan said.
After scanning the application, Veracode can tell whether or not a development team has been introducing SQL injection errors and other common security bugs. It then reports that information back to the developers so that they can properly patch up their system.
“We run the program to tell them what has been remediated and what hasn’t,”
Tomi Engdahl says:
Hacker publishes tech support phone scammer slammer
Now who’s got a ‘security problem on your computer’?
http://www.theregister.co.uk/2014/09/12/phone_scammer_slammer/
Security pro Matthew Weeks has released a Metasploit module that can take over computers running the Ammyy Admin remote control software popular among “Hi this is Microsoft, there’s a problem with your computer” tech support scammers.
Weeks’ day job is director at Root9b, but he’s taken time to detail a zero-day flaw in Ammyy Admin he hopes will be used to fight back against tech support scammers.
This one is personal
“So I set out to find out if I could counter an attempted scam with a full fledged remote exploit, and turn the tables on the scammers.”
“I don’t normally release zero day exploits, but I made an exception in this case because given the reporting and usage of Ammyy Admin I consider it highly unlikely to be used to compromise innocent victims … hopefully, it will be a deterrent to those who would attempt to compromise and take advantage of innocent victims.”
The hack works from the end-user, meaning victims can send scammers the hijacking exploit when they request access to their machines.
Charla says:
Very nice post. I just stumbled upon your weblog
and wished to say that I’ve truly enjoyed surfing around
your blog posts. After all I will be subscribing to your feed and I hope you write
again soon!
Tomi Engdahl says:
Security Tops CIO Worries; IT Budgets, Turnover on the Rise
http://www.cio.com/article/2606957/cio-role/security-tops-cio-worries-it-budgets-turnover-on-the-rise.html
CIOs are spending more on IT, worrying most about security and privacy, and staying on the job a little longer, according to the latest data from the Society for Information Management (SIM).
When asked about the most important IT management concerns for the organization, the most pressing issue cited is a familiar one: alignment of IT with the business. IT pros also said the organization is concerned about security and privacy; business agility and flexibility; business productivity; and IT time-to-market or speed of delivery.
Meanwhile, when CIOs were asked about their own IT management concerns, security and privacy ranked first.
Tomi Engdahl says:
Ethiopian kids hack OLPCs in 5 months with zero instruction
http://www.dvice.com/archives/2012/10/ethiopian-kids.php
What happens if you give a thousand Motorola Zoom tablet PCs to Ethiopian kids who have never even seen a printed word? Within five months, they’ll start teaching themselves English while circumventing the security on your OS to customize settings and activate disabled hardware. Whoa.
Tomi Engdahl says:
Illiterate Ethiopian children manage to hack Android
http://www.humanipo.com/news/2256/illiterate-ethiopian-children-manage-to-hack-android/
In an interesting statement, One Laptop Per Child (OLPC) founder Nicholas Negroponte has revealed that the illiterate Ethiopian children they had given the locked down Motorola Xoom tablets earlier this year have within five months not only started teaching themselves English, but managed to bypass the security on the tablet’s operating system to customize settings and to activate disabled hardware such as the camera.
One needs to remember and put into context that these are Ethiopian villages, where the children and some adults have never read a written word. The type of rural villages where there are no books, no newspapers and no street signs.
Tomi Engdahl says:
Cities scramble to upgrade “stingray” tracking as end of 2G network looms
Oakland is latest city confirmed seeking Hailstorm upgrade, targeting 4G LTE.
http://arstechnica.com/tech-policy/2014/09/cities-scramble-to-upgrade-stingray-tracking-as-end-of-2g-network-looms/
OAKLAND, CA—Documents released last week by the City of Oakland reveal that it is one of a handful of American jurisdictions attempting to upgrade an existing cellular surveillance system, commonly known as a stingray.
Stingray is a trademark of its manufacturer, publicly traded defense contractor Harris Corporation, but “stingray” has also come to be used as a generic term for similar devices.
The cellular surveillance system’s upgrade, known as Hailstorm, is necessary. Existing stingray devices will no longer work in a few years as older phone networks get turned off.
Relatively little is known about how stingrays are precisely used by law enforcement agencies nationwide, although documents have surfaced showing how they have been purchased and used in some limited instances.
One of the primary ways that stingrays operate is by taking advantage of a design feature in any phone available today. When 3G or 4G networks are unavailable, the handset will drop down to the older 2G network. While normally that works as a nice last-resort backup to provide service, 2G networks are notoriously insecure.
So the stingray takes advantage of this feature by jamming the 3G and 4G signals, forcing the phone to use a 2G signal.
“Stingray II to Hailstrom Upgrade, etc. The Hailstorm Upgrade is necessary for the Stingray system to track 4G LTE Phones”
He explained that the new upgrade will continue to provide existing surveillance capability even after major cellular providers turn off support for the legacy 2G network, which is expected to occur in upcoming years. In 2012, AT&T announced that it would be shutting down its 2G network in 2017. Without the forced downgrade to 2G, a 4G phone targeted by a stingray would not be susceptible to the same types of interception at present, but it likely would still be susceptible to location tracking.
“Presumably, at some point after, new phones sold by AT&T will no longer support 2G,” Soghoian added. “Once new phones stop working with 2G, Stingrays won’t work any more. At that point, the Hailstorm will be the only way.”
For now, 4G LTE stingray-like devices appear relatively rare.
“We haven’t seen any 4G LTE IMSI catchers from any of the brochures from companies that we’ve picked up yet, so this will be the first,” Eric King, the deputy director of Privacy International, told Ars, using another name for stingrays.
Tomi Engdahl says:
Apple Pay Details: Apple Gets 0.15% Cut of Purchases, Higher Rates for Bluetooth Payments
http://www.macrumors.com/2014/09/12/more-apple-pay-details/
Apple’s ambitious new mobile payment initiative, Apple Pay, was announced on Tuesday during the company’s iPhone event. Many questions still linger about the service, but information is beginning to trickle out from various sources as retailers, banks, and credit card companies prepare for the service’s October launch.
According to a new report from The Financial Times, Apple stands to make quite a bit of money from its payments service. Banks and payment networks will be forking over 0.15 percent of each purchase to Apple, which equates to 15 cents out of a $100 purchase.
According to bank executives, Apple was able to negotiate with so many partners and receive choice deals because the industry didn’t see anything threatening in Apple Pay.
Along with the cryptogram generated between a standard debit or credit card and a point of sale terminal, Apple Pay takes advantage of a token system that encrypts every step of the payment process. Tokenization is already built into the standard NFC specification, so what Apple is really doing is utilizing existing technology and further securing it with its own Touch ID fingerprint authorization system.
Every card added to Apple Pay (and located in Passbook) is assigned a token, which Apple calls a Dynamic Account Number. Each Dynamic Account Number is stored in the secure element of the iPhone and accompanied by a unique cryptogram for each transaction.
The token system essentially provides an extra layer of security to payments made through NFC, which, as mentioned earlier, allows merchants to pay a lower “card present” rate for NFC purchases. Merchants still pay the higher “card-not-present” rate when payments are made over Bluetooth LE rather than NFC, however, or when a purchase is made in-app using Apple Pay.
Tomi Engdahl says:
Justice Sotomayor Warns Against Tech-Enabled “Orwellian” World
http://yro.slashdot.org/story/14/09/13/171232/justice-sotomayor-warns-against-tech-enabled-orwellian-world
U.S. Supreme Court Justice Sonia Sotomayor spoke on Thursday to faculty and students at the University of Oklahoma City about the privacy perils brought on by modern technology. She warned that the march of technological progress comes with a need to enact privacy protections if we want to avoid living in an “Orwellian world” of constant surveillance.
Tomi Engdahl says:
Justice Sotomayor says technology could lead to “Orwellian world”
“We are capable of being in that Orwellian world,” Supreme Court Justice says.
http://arstechnica.com/tech-policy/2014/09/justice-sotomayor-says-technology-could-lead-to-orwellian-world/
Supreme Court Justice Sonia Sotomayor says that without proper privacy safeguards, the advancement of technology could lead to a world like the one portrayed in “1984″ by George Orwell.
Speaking to Oklahoma City University faculty and students, the justice said Thursday that technology has allowed devices to “listen to your conversations from miles away and through your walls.” She added: “We are in that brave new world, and we are capable of being in that Orwellian world, too.”
The justice’s remarks about drones comes as California is close to joining 10 other states requiring the police to get a court warrant to surveil with a drone.
In an opinion by Chief Justice John Roberts, the court ruled that the authorities generally may not search the mobile phones of those they arrest unless they have a court warrant.
It was the biggest digital-age privacy decision that the high court had rendered following its 2012 ruling that the authorities generally need warrants to affix GPS trackers to a suspect’s vehicle.
Tomi Engdahl says:
Addon Domains: A Hacker’s Best Friend
http://codegarage.com/blog/2012/05/addon-domains-a-hackers-best-friend/
Essentially all of the major shared hosting providers offer addon domain schemes – to the point that this is an expected feature of hosting. The gist is: You buy a hosting plan, and you can host large (sometimes unlimited) numbers of domains on them – as long as you fit inside the disk space, bandwidth, and CPU limits set by your host, there’s no problem. Unsurprisingly, people take advantage of this. I know, because we see these servers when we go to clean malicious code off of them.
What’s wrong with 100 sites on a shared host?
So what’s the big deal? It’s permitted by the host, you’re within your expected limits, so what’s the problem? The problem (ok – one big problem) is Cross Site Contamination.
In most cases, when a host sells an “addon domain” (Note: I’m specifically not referring to “reseller” plans, which generally don’t suffer from this), the setup works like this:
Your host has a server (which is just a computer, not *that* unlike the one you work on), which is running special software to partition it into hundreds or thousands of “accounts”. These accounts are segregated from each other, so you can’t access the files on other customers’ sites. However, when you set up on addon domain, this site is going into your account, along with all your other sites. These sites have access to each other
I want to make this absolutely clear, so I’ll spell it out: A hacker with access to one domain will infect every addon domain on the server.
Here’s the deal: Your website is inherently insecure. For the majority of sites today, it’s a safe bet that at some point, you’re going to get malicious code. That’s cynical, but it’s true, and you should recognize it. Over time, the likelyhood that you’ll forget to upgrade WordPress, or install a plugin that wasn’t vetted properly, or miss an email about a vulnerability discovered in the theme you use goes up. Odds are, you’ll get caught with your pants down at some point.
So, if the odds are that you’re going to experience trouble on any given site, say, once a year (Hypothetically. Don’t quote me as saying that any given site will get hacked once a year), what happens when you have 2 sites that have access to each other? And, each time a hacker hits either one of them, they both get infected? Your sites are now infected twice as often. What happens when you have 20 sites on a server? 100? You end up spending as much time dealing with hacks as you do building your business. This can literally sink you.
You can make sure your sites don’t have access to each other. For most site owners, the best way to do this is to move over to a reseller plan. Reseller plans segregate your sites enough that hackers no longer have ludicrously easy access to every site on the server if they manage to find a hole in any one of them.
Tomi Engdahl says:
New Snowden leak: US and Brit spooks ‘tap into German telco networks to map end devices’
Deutsche Telekom: ‘completely unacceptable, if true’
http://www.theregister.co.uk/2014/09/14/snowden_leaks_alleged_treasure_map_programme_for_nsa_and_gchq_to_spy_on_german_telecoms/
An NSA and GCHQ surveillance programme – dubbed Treasure Map – grants US and British spooks access to the networks of German telcos such as Deutsche Telekom, according to a new stash of leaked documents from Edward Snowden.
Der Spiegel published the latest revelations today. However, Deutsche Telekom reportedly said it had found no evidence of such tampering on its system.
Der Spiegel said today that the latest leaked documents from the former NSA sysadmin showed that spooks planned to map routers, smartphones, fondleslabs and computers on its massive snooping system.
Analysts are apparently told to “map the entire internet – Any device, anywhere, all the time.” And surveillance agencies who are part of the so-called FiveEyes fraternity from the UK, Canada, Australia and New Zealand work with the US on Treasure Map.
Tomi Engdahl says:
NSA Metadata Collection Gets 90-Day Extension
http://yro.slashdot.org/story/14/09/14/0415200/nsa-metadata-collection-gets-90-day-extension
Foreign Intelligence Surveillance Court has authorized a 90-day extension to the NSA’s ability to collect bulk metadata about U.S. citizens’ phone calls.
Tomi Engdahl says:
Spy court renews NSA metadata program
http://thehill.com/policy/technology/217618-spy-court-renews-nsa-program
With a surveillance reform bill stuck in the Senate, the federal court overseeing spy agencies on Friday reauthorized the National Security Agency’s controversial bulk collection of Americans’ phone records.
“Given that legislation has not yet been enacted, and given the importance of maintaining the capabilities of the Section 215 telephony metadata program, the government has sought a 90-day reauthorization of the existing program,” the Justice Department and Office of the Director of National Intelligence said in a joint statement, referring to the section of the Patriot Act that authorizes the program.
Tomi Engdahl says:
Be your own Big Brother: Monitoring your manor, the easy way
IP cameras and the quantified shelf
http://www.theregister.co.uk/2014/09/14/weekend_review_guide_home_camera_security_monitoring/
The growth of Wi-Fi and power-line networking have made connectivity almost ubiquitous within many homes, while advances in other areas such as power consumption and processing speed have helped make it possible to miniaturise, speed up, and generally improve all manner of gadgets.
It is, in short, easier than ever to become your own Big Brother, monitoring what you want to keep an eye on, from wherever you are, with a lot less trouble than in the past.
So, whether you want to monitor the humidity of your greenhouse, check in on an elderly relative, find out what the dog really does when you’re at work, or just be sure that everything’s safe and secure, for many people it’s now easier than it’s ever been to keep an eye on things – you just have to find the right way to do it.
One of the most obvious ways of monitoring is with a camera. Indeed, plenty of software exists to use with webcams, but unless you have a router with USB webcam support you’ll usually have to have them connected to a PC to be able to access them. Hardly convenient
A camera to which you connect directly from your phone or PC is, for many people, the best solution for casual monitoring. However, if you want to be able to record lots of images to check later, something more sophisticated may be in order.
One option is to use a NAS box – for instance, Synology’s Surveillance Station brings network cameras together with monitoring and recording tools.
Tomi Engdahl says:
School Installs Biometric Fingerprint System For Cafeteria
http://news.slashdot.org/story/14/09/14/1324250/school-installs-biometric-fingerprint-system-for-cafeteria
An anonymous reader writes with news about a school in England that has introduced a cashless cafeteria system that is raising some privacy concerns among some.
Tomi Engdahl says:
NSA employees increasingly leave the agency to start security companies like Synack, Virtru, and Morta Security
The NSA Gives Birth To Start-Ups
http://www.forbes.com/sites/kashmirhill/2014/09/10/the-nsa-gives-birth-to-start-ups/
Former NSA chief Keith Alexander has been sweating it out in the spotlight this summer for converting his spy cred into a lucrative security consulting business shortly after stepping down from the National Security Agency. The Atlantic’s Conor Friedersdorf calls Alexander’s new IronNet Cybersecurity firm an “unethical get-rich quick plan” because it will charge hundreds of thousands of dollars a month for “ new” technologies the firm is patenting. “What could make [Alexander] so valuable, save the highly classified secrets in his head?” wrote Friedersdorf.
But Alexander is far from the first to realize that the NSA’s area of expertise is in high demand in the commercial sector these days as more and more of our information is being digitized and concerns about security and privacy mount.
“Historically, everyone was fearful of the NSA, but no one actively disliked ex-NSAers. Snowden changed that,”
“Before Snowden, I think Alexander’s transition would have been viewed positively.”
“NSA engineers are highly talented and smart people with deep experience with how to battle bad forces. The portrayal of the NSA doing things that are bad is not making it the hot place to work inside the intelligence community. Instead of the NSA being the final destination for these young talented engineers, it’s becoming a training ground. As a VC, I think it’s wonderful. As a citizen of the US, I’d make a different argument.”
Tomi Engdahl says:
New Zealand Launched Mass Surveillance Project While Publicly Denying It
https://firstlook.org/theintercept/2014/09/15/new-zealand-gcsb-speargun-mass-surveillance/
The New Zealand spy agency, the Government Communications Security Bureau (GCSB), worked in 2012 and 2013 to implement a mass metadata surveillance system even as top government officials publicly insisted no such program was being planned and would not be legally permitted.
Tomi Engdahl says:
Treasure Map: The NSA Breach of Telekom and Other German Firms
http://www.spiegel.de/international/world/snowden-documents-indicate-nsa-has-breached-deutsche-telekom-a-991503.html
According to top-secret documents from the NSA and the British agency GCHQ, the intelligence agencies are seeking to map the entire Internet, including end-user devices. In pursuing that goal, they have broken into networks belonging to Deutsche Telekom.
Tomi Engdahl says:
JPMorgan hack investigation finding dozens of the company’s servers breached over two months; one source says SSNs and account data not stolen:
After Breach, JPMorgan Still Seeks to Determine Extent of Attack
http://www.nytimes.com/2014/09/13/technology/after-breach-jpmorgan-still-seeks-to-determine-extent-of-attack.html
The headache caused by the attack on JPMorgan Chase’s computer network this summer may not go away anytime soon.
Over two months, hackers gained entry to dozens of the bank’s servers, said three people with knowledge of the bank’s investigation into the episode who spoke on the condition of anonymity. This, they said, potentially gave the hackers a window into how the bank’s individual computers work.
They said it might be difficult for the bank to find every last vulnerability and be sure that its systems were thoroughly secured against future attack.
The hackers were able to review information about a million customer accounts and gain access to a list of the software applications installed on the bank’s computers. One person briefed said more than 90 of the bank’s servers were affected, effectively giving the hackers high-level administrative privileges in the systems.
Hackers can potentially crosscheck JPMorgan programs and applications with known security weaknesses, looking for one that has not yet been patched so they can regain access.
Tomi Engdahl says:
H1 2014 Threat Report
http://www.f-secure.com/weblog/archives/00002741.html
Tomi Engdahl says:
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
http://www.theregister.co.uk/2014/09/15/hackers_pop_brazil_paper_to_root_home_routers/
A popular Brazilian newspaper has been hacked by attackers who used code that attacked readers’ home routers, says researcher Fioravante Souza of web security outfit Sucuri.
Attackers implanted iFrames into the website of Politica Estadao, which when loaded began brute force password guessing attacks against users.
Souza says the attackers aimed to change the DNS settings on hacked routers, writing that ” … the payload was trying the user admin, root, gvt and a few other usernames, all using the router default passwords.
“[The] script is being used to identify the local IP address of your computer. It then starts guessing the router IP by passing it as a variable to another script,”
“iFrames were trying to change the DNS configuration on the victim’s DSL router by brute forcing the admin credentials”.
The attack code was manipulated to target Internet Explorer
The attack could be most easily foiled if users changed the administrative credentials on their routers which left usernames and passwords often set both to admin.
Tomi Engdahl says:
Hey, scammers. Google’s FINE with your dodgy look-a-like apps
Google Apps scripts could fool ANYONE, warns engineer
http://www.theregister.co.uk/2014/09/15/attention_scammers_googles_fine_with_your_dodgy_lookalike_apps/
Attackers can easily craft third party scripts to imitate Google to trick users into granting authorisation to their email accounts, says infosec chap Andrew Cantino.
The Mavenlink engineer said Mountain View did not make it sufficiently clear when users were approving third party access to their data, thus making social engineering attacks easy.
“A malicious person could make a [Google] Apps Script that performs almost any action against a user’s Google data, then share the link in the guise of a helpful tool,” Cantino said.
“Since the URL will be to script.google.com, it looks legitimate and even savvy users will likely be fooled.
He said Google “in no way” made clear that his app was the product of a third party, adding that Mountain View did not intend on fixing what he said was a flaw.
Cantino created an app dubbed ‘Google Security Upgrader’ to demonstrate how attackers could compromise Google accounts without being flagged as a third party.
Tomi Engdahl says:
Malware Distributed Through Twitch Chat Is Hijacking Steam Accounts
http://games.slashdot.org/story/14/09/15/0124253/malware-distributed-through-twitch-chat-is-hijacking-steam-accounts
If you use Twitch don’t click on any suspicious links in the video streaming platform’s chat feature.
According to f-secure, the link leads to a Java program that asks for your name and email. If you provide the info it will install a file on your computer that’s able to take out any money you have in your Steam wallet
New malware piggybacks on Twitch chat to bleed Steam Wallet dry
http://www.techtimes.com/articles/15556/20140914/new-malware-piggybacks-twitch-chat-to-bleed-steam-wallet-dry.htm
The malicious bot that has been infiltrating Twitch chats may not seem out of place to regular visitors to the streaming site. Live streamers, who earn money through viewer subscriptions, often use bots in the chat area of their channels to encourage donations, attract followers and announce promotions.
“This malware, which we call Eskimo, is able to wipe your Steam wallet, armory, and inventory dry,” says F-Secure. “It even dumps your items for a discount in the Steam Community Market. Previous variants were selling items with a 12 percent discount, but a recent sample showed that they changed it to 35 percent discount. Perhaps to be able to sell the items faster.”
After all of a user’s funds have been used to buy collectibles, the malware will trade all of the victim’s digital items to their new “friends.” The fence then sells the ill-gotten goods at deep discounts.
Because all of the fraudulent activity takes place locally, on the victim’s computer, F-Secure has recommended that Valve add a new security measure to Steam’s marketplace.
Tomi Engdahl says:
Treasure Map: NSA, GCHQ Work On Real-Time “Google Earth” Internet Observation
http://news.slashdot.org/story/14/09/14/214205/treasure-map-nsa-gchq-work-on-real-time-google-earth-internet-observation
According to top-secret documents from the NSA and the British agency GCHQ, the intelligence agencies are seeking to map the entire Internet
Tomi Engdahl says:
Treasure Map: The NSA Breach of Telekom and Other German Firms
http://www.spiegel.de/international/world/snowden-documents-indicate-nsa-has-breached-deutsche-telekom-a-991503.html
Treasure Map allows for the creation of an “interactive map of the global Internet” in “near real-time,” the document notes. Employees of the so-called “FiveEyes” intelligence agencies from Great Britain, Canada, Australia and New Zealand, which cooperate closely with the American agency NSA, can install and use the program on their own computers. One can imagine it as a kind of Google Earth for global data traffic, a bird’s eye view of the planet’s digital arteries.
In addition to monitoring one’s own networks as well as those belonging to “adversaries,” Treasure Map can also help with “Computer Attack/Exploit Planning.” As such, the program offers a kind of battlefield map for cyber warfare.
Treasure Map graphics don’t just provide detailed views of German cable and satellite networks. Red markings also reveal to agents which carriers and internal company networks FiveEyes agencies claim to have already accessed.
Just how far GCHG and NSA go to improve their secret map of the Internet and its users can be seen in the example of Stellar.
The document describing the attack on the business, part of the so-called Mittelstand of small- to medium-sized companies that form the backbone of the German economy,
The attack on Stellar has notable similarities with the GCHQ surveillance operation targeting the half-state-owned Belgian provider Belgacom, which SPIEGEL reported on in the summer of 2013
Any remaining sanguinity is lost at the point the Stellar officials see the password for the central server of an important customer in the intelligence agency documents. The significance of the theft is immense, Fares says. The information, he continues, could allow the agencies to cut off Internet access to customers in, for example, Africa. It could also allow them to manipulate links and emails.
Tomi Engdahl says:
Qualcomm Says Its Chips Can Power a More Secure Smartphone Kill Switch
http://recode.net/2014/09/13/qualcomm-says-its-chips-can-power-a-more-secure-smartphone-kill-switch/
Qualcomm says using its Snapdragon processors can help in the effort to ensure that cellphones can be rendered useless when stolen.
While there has been a big push for so-called “kill switches,” the chipmaker says that adding a hardware component to a kill switch has big advantages over a software-only approach.
“It’s just a lot more secure,” Qualcomm Senior VP Raj Talluri told Re/code. For instance, using the chip can help ensure that thieves can’t just factory-reset a phone, or flash the device with new software.
Qualcomm plans to detail its approach on Sunday, and said the technology should show up in new phones starting next year; it may also be made available for some older phones.
It’s not enough to just add chip-level support, though. Qualcomm will have to work with phone makers and carriers to implement the technology, and Talluri said talks are under way.
Tomi Engdahl says:
5 Computer Hackers Who Stole Millions
http://viralduck.com/5-computer-hackers-who-stole-millions/
Tomi Engdahl says:
“Kyber-environment is the electronic information (data) intended for the treatment, one or more of the information system consisting of the operating environment.”
Actual cyber threats endanger the ICT environment-dependent function. The function can be, for example, the organization’s e-mail system, e-banking, municipal water treatment plant, traffic lights control system, a news site, the Armed Forces operative system or even a patient information system. Cyber threats can be realized, for example, malware, denial of service, falsified information, physical attack, or other affects the functioning of the event through, which is trying to influence the world of bits in our physical world.
And here comes the key difference: While the threats are threats that are intended to affect confidentiality, integrity and availability of the self-expand on this by including continuity of operations-perspective. Some of cyber-threats directed to the attention of, but outside there is a lot of other kinds of influence, for example, (business) continuity of operations, as well as mentally in our attitudes and our consciousness.
Information security is one aspect of a typical organization’s ten-point whole security palette. The development of cyber security is not sufficient data on the safety and continuity of care for the management of an adequate emergency preparedness, business continuity and disaster recovery, but it requires a global organization of business with emphasis on the different priority level of the ten sub-region into consideration. One of the cyber security capabilities to the development of weight range of information security and there’s more detail in, for example, data communications, on the other, it could mean the safety of personnel or commercial development. Cyber security = // = information security.
All intelligence organizations have available a wide range of automated tools for social media influence, as well as some collected through the public data collection
Coincidence or not, but I have a few of my colleagues have come across in recent months increasingly on LinkedIn service to counterfeit, reliable aspect of the Finnish-language profiles that want to link
Source: http://www.tivi.fi/blogit/turvasatama/matkalla+kyberkonfliktiin++valjastetaan+some+kayttoon/a1011431
Tomi Engdahl says:
Navy Guilty of Illegally Broad Online Searches: Child Porn Conviction Overturned
http://news.slashdot.org/story/14/09/14/190218/navy-guilty-of-illegally-broad-online-searches-child-porn-conviction-overturned
In a 2-1 decision, the 9th Circuit Court ruled that Navy investigators regularly run illegally broad online surveillance operations that cross the line of military enforcement and civilian law.
“Agent Logan’s search did not meet the required limitation.”
“specific to US military only, or US government computers.”
Instead, it was his “standard practice to monitor all computers in a geographic area,” here, every computer in the state of Washington.
The record here demonstrates that Agent Logan and other NCIS agents routinely carry out broad surveillance activities that violate the restrictions on military enforcement of civilian law.
Tomi Engdahl says:
Cyborg Unplug – Plug to Unplug
http://plugunplug.net/
Cyborg Unplug is an anti wireless-surveillance system for the home and workplace. ‘Plug to Unplug’, it detects and kicks selected devices known to pose a risk to personal privacy from your local wireless network, breaking uploads and streams. Detected wireless devices currently include: wearable ‘spy’ cameras and microphones, Google Glass and Dropcam, small drones/copters and a variety of popular spy devices disguised as familiar objects.
Tomi Engdahl says:
Very popular exploit nowdays (third most popular PC exploit):
Exploit:Java/Majava.A identifies malicious files that exploit vulnerabilities in the Java Runtime Environment (JRE).
http://www.f-secure.com/v-descs/exploit_java_majava_a.shtml
Exploit:Java/Majava.A is a Generic Detection that identifies exploit files used to target and exploit vulnerabilities in the Java Runtime Environment (JRE).
If successfully used, exploits can provide an attacker with a wide range of possible actions, from viewing data on a restricted-user database to almost complete control of a compromised system.
to prevent successful exploitation, please ensure you install the latest updates available for Java and/or remove any old, unnecessary installations.
Tomi Engdahl says:
Attackers tapping on SNMP door to see if it’s open
SANS spots new, dumb attack
http://www.theregister.co.uk/2014/09/16/attackers_tapping_on_snmp_door_to_see_if_its_open/
Google’s DNS IP address is being spoofed by an attacker, apparently in an attempt to DDoS hosts vulnerable to a flaw in the SNMP protocol.
The SANS Internet Storm Center noticed the traffic trend emerging on September 15, and in this post discusses what’s going on.
The attack is trying to take over SNMP hosts that have left default passwords in place – the default read/write community string “private” – and either comes from a troll, SANS says, or someone genuinely tapping on the door of target systems.
a badly-configured system would: “set the default TTL to 1, which would make it impossible for the gateway to connect to other systems that are not on the same link-layer network”, and “turn off IP forwarding”.
The SANS post says the traffic can be recreated using the command:
snmpset -v 1 -c private [target ip] .1.3.6.1.2.1.4.2.0 int 1 .1.3.6.1.2.1.4.1.0 int 2
Tomi Engdahl says:
Comcast exec: No, we haven’t banned Tor. I use it. You’re probably using it
Keep in mind if, say, your Onion browser craps out on Xfinity
By Iain Thomson, 15 Sep 2014
http://www.theregister.co.uk/2014/09/15/comcast_were_not_blocking_tor_and_use_it_ourselves/
Comcast has denied claims that it will cut off subscribers for using the Tor project’s anonymizing web browser.
“Comcast is not asking customers to stop using Tor, or any other browser for that matter,” said Jason Livingood, VP of internet & communications engineering at Comcast in a blog post titled “Setting the record straight on Tor.”
“We have no policy against Tor, or any other browser or software.”
The ISP felt the need to make a statement after a blog called DeepDotWeb published allegatios from a user who claimed that Comcast representatives had got in contact over the use of Tor on its networks. According to the report a customer service rep called Kelly warned the user about using Tor.
The internet predictably went nuts over the original report.
Tomi Engdahl says:
Cyborg Unplug disconnects drones, Google Glass, spy microphones from WiFi networks
http://www.cablinginstall.com/articles/2014/09/cyborg-unplug.html
Cyborg Unplug is a device costing $50 to $100 that its creators describe as “a wireless anti-surveillance system for the home and workplace,” which “detects and kicks devices known to pose a risk to personal privacy from your local wireless network, breaking uploads and streams. Detected devices currently include: Google Glass, Dropcam, small drones/copters, wireless ‘spy’ microphones and various other network-dependent surveillance devices.”
The product’s development was led by Glasshole writer Julian Oliver
Cyborg Unplug isn’t designed for use in those cases where there is already strict control over who uses the local wireless network. Rather, it’s for those with networks used by many people (school, office, library, bar, café) that either give out the password or provide an open network.
“Wireless devices used to spy and stream images/video/audio/data to the Internet using that network (Territory Mode) or via any network (All Out Mode, which includes tethered connections to phones) will be detected. An alarm is then signaled and the detected device is disconnected by Cyborg Unplug. Please note that no encryption of any kind is a hindrance to the detection and disconnection of wireless (WiFi and Bluetooth) devices by Cyborg Unplug; it operates at a level below the IP network (specifically at Layer 2 of the OSI stack).”
Tomi Engdahl says:
Is your cloud server in the same bit barn as your DR site?
Microsoft will warn you, Amazon zips the lip
http://www.theregister.co.uk/2014/09/16/is_your_cloud_server_in_the_same_bit_barn_as_your_dr_site/
Microsoft is about to launch a “Geo” for Azure in Australia and has decided that the way to do so down under is by co-locating its kit in an as-yet-unidentified third-party bit barn.
There’s nothing new about that: Rackspace and VMware definitely do it for their cloud services. Amazon Web Services is reputed to do so but will never confirm it in public.
Rackspace and VMware even discuss their data centre partners in public.
Steven Martin, Redmond’s GM for Azure yesterday told The Reg that Microsoft will tell you reveal the location of co-located Azure facilities if it impacts on your other data centre decisions.
That’s recognition that Azure users could inadvertently end up with all their eggs in one basket. And seeing as disaster recovery rigs are expected to be geographically distant from primary facilities, Redmond has an interest in making sure that if Azure hiccups you have the chance to carry on elsewhere.
Amazon Web Services wouldn’t address our question about sharing data centre locations directly. It did, however, tell us that “the features of AWS services and infrastructure have been designed in a way to avoid the ‘all-eggs-in-one-basket’ issue if they are followed explicitly and correctly.”
Tomi Engdahl says:
‘Speargun’ program is fantasy, says cable operator
We just might notice if you cut our cables
http://www.theregister.co.uk/2014/09/16/speargun_program_is_fantasy_says_cable_operator/
The washup from yesterday’s Dotcom-Snowden-Greenwald saga rolls on, with Southern Cross Cable Network angrily denying that New Zealand’s spooks, the NSA, or anybody else for that matter has worked a tap into its cables.
“Speargun”, Greenwald clearly believes the taps were inserted underwater.
This, Southern Cross has said in a statement sent to media, is “total nonsense”. CEO Anthony Briscoe notes that to install any such device would mean cutting the cable – something that not only the cable operator would notice, but also any of its customers that weren’t buying a protected service to give them access to both SCCN routes.
“It is a physical impossibility to do it without us knowing”, Briscoe says in the statement. “There isn’t a technology in the world, as far as I am aware, that can splice into an undersea fibre optic cable without causing a serious outage and sending alarms back to our network operations centre that something’s wrong”.
It’s no secret that cable operators have to agree to cooperate with law enforcement as a condition of their licenses
Tomi Engdahl says:
Giganews Is an FBI operation
http://cryptome.org/2014/09/giganews-fbi.htm
Let me explain my history at Giganews in Austin, Texas and how I learned about the FBI connection.
They made subtle references to jeopardizing criminal investigations IN PROGRESS then threatened me with a bad reference for removing the child abuse junk.
Fast forward several months, I turned into a traitor in an effort to remove the abhorrent junk off Usenet – I broke the first and second rules not to talk about it, and told the FBI the truth about the child abuse groups deletion in an email.
The FBI invited me to their unlisted Austin office
It was then that I realized that the fed I was talking to had been my coworker at Giganews since I started in 2009!