Security trends for 2014

Year 2014 will be a year of cybersecurity after the NSA revelations made in 2013: the headline news is that the NSA has surreptitiously “burrowed its way into nearly all the security architecture” sold by the world’s largest computer networking companies. A lot of people were shocked at how the NSA monitored and hacked almost everything on the Internet. There will still be NSA aftershocks as new material comes out and different parties react to it (and news sources write about it). U.S. cloud services have been put into question for good reason. There will be a lot of NSA spying litigation. Those spying issues will also fuel some hacktivism (it has already started to happen).

The Security Professionals: Top Cyber Threat Predictions for 2014 article lists the following predictions that seem pretty probable: Cybersecurity Regulatory Efforts Will Spark Greater Need for Harmonization, Service-Impacting Interruptions for Online Services Will Persist, We Will See an Increase in Cybercrime Activity Related to the World Cup, Rise of Regional Cloud Services, Dev-Ops Security Integration Fast Becoming Critical, Cybercrime that Leverages Unsupported Software will Increase, Increase in Social Engineering and Ransomware will Impact More People.

Ubiquitous mobile computing is all around us, which will lead to increased risks and concerns about social network privacy. Social networks have quickly become the key organizing principle of Internet communication and collaboration. Android anti-virus apps CAN’T kill nasties on sight like normal AV.

2013 was a very hacked year: there were many cases where information on millions or tens of millions of users was stolen from companies. It’s likely that we will see much more of the same in 2014, since the way people use passwords and the way on-line services are built have not changed much in one year.


Gartner predicts that through 2014, improved JavaScript performance will begin to push HTML5 and the browser as a mainstream enterprise application development environment. I expect HTML5-related security issues to increase because the technology will be used more in 2014.

Over 50% of net traffic to web sites is made by bots! The More Than Half of Internet Traffic Is Just Bots article says that security and cloud service provider Incapsula analyzed traffic and found that more than 60 percent of internet traffic is computer generated, compared to less than 40 percent driven by human clicks. 31% of bots are still malicious. SEO link building has always been a major motivation for automated link spamming, but it is decreasing because Google was able to discourage it. There is more advanced hacking and automatic vulnerability searching.

DDoS attacks are evolving from volumetric Layer 3-4 attacks to much more sophisticated and dangerous Layer 7 multi-vector threats.
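As an added illustration of the two points above (bot share of traffic, and attacks that live at layer 7 rather than in packet volume), here is a small Python script that is not part of the original post. It parses web server access log lines in the common "combined" format, splits requests into self-declared bots and apparent humans by User-Agent, and flags any client address whose request rate within a short sliding window exceeds a threshold. The log lines, addresses, thresholds and User-Agent markers are constructed for the example; the important point is that an HTTP flood shows up as a count of completed requests in the application log, which no layer 3-4 byte counter would single out.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample in Apache/nginx "combined" log format (not real traffic).
_STATIC_LINES = [
    '203.0.113.7 - - [10/Jan/2014:10:00:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/26.0"',
    '203.0.113.7 - - [10/Jan/2014:10:00:09 +0000] "GET /about HTTP/1.1" 200 2300 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/26.0"',
    '198.51.100.3 - - [10/Jan/2014:10:00:01 +0000] "GET /robots.txt HTTP/1.1" 200 64 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"',
    '198.51.100.3 - - [10/Jan/2014:10:00:02 +0000] "GET /page1 HTTP/1.1" 200 4000 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"',
]
# A constructed burst of expensive search requests from one address, presenting a
# browser-like User-Agent: twelve hits spread over four seconds (10:00:03-10:00:06).
_FLOOD_LINES = [
    '192.0.2.44 - - [10/Jan/2014:10:00:%02d +0000] "GET /search?q=%d HTTP/1.1" 200 9000 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"'
    % (3 + i // 3, i)
    for i in range(12)
]
SAMPLE_LOG = "\n".join(_STATIC_LINES + _FLOOD_LINES)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed marker list; real deployments maintain a much longer one.
BOT_MARKERS = ("bot", "crawler", "spider", "curl/", "wget/", "python-requests")


def classify_ua(ua):
    """Coarse bot/human split on the self-declared User-Agent. Well-behaved
    crawlers identify themselves; an empty or '-' UA is treated as automated."""
    ua_l = ua.lower()
    if not ua_l or ua_l == "-" or any(mark in ua_l for mark in BOT_MARKERS):
        return "bot"
    return "human"


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["time"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        e["kind"] = classify_ua(e["ua"])
        entries.append(e)
    return entries


def traffic_summary(entries):
    """Count requests by bot/human classification."""
    counts = {"bot": 0, "human": 0}
    for e in entries:
        counts[e["kind"]] += 1
    return counts


def detect_l7_floods(entries, window_seconds=5, threshold=10):
    """Return {ip: peak requests seen inside any window} for addresses that
    exceed the threshold. A sliding window per client IP is kept as a deque of
    timestamps; this is a layer-7 signal because it counts completed HTTP
    requests, not packets or bytes."""
    per_ip = defaultdict(deque)
    peak = {}
    for e in sorted(entries, key=lambda x: x["time"]):
        q = per_ip[e["ip"]]
        q.append(e["time"])
        while (e["time"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) > threshold:
            peak[e["ip"]] = max(peak.get(e["ip"], 0), len(q))
    return peak


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print("traffic by kind:", traffic_summary(entries))
    print("layer-7 flood suspects:", detect_l7_floods(entries))
```

Note that the flooding address in the sample is classified as "human" by User-Agent, which is exactly why UA-based bot counting alone is not a DDoS detector: the rate check is what catches it.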

There will still be many SCADA security issues in 2014. Even though traditional SCADA vulnerabilities have become easier to find, the increased connectivity brought by IoT will cause new issues. And there will still be very many control systems openly accessible from the Internet to practically anyone who knows how to find them. A large number of SCADA systems were found open on the Internet at the beginning of 2013, and the numbers have not dropped considerably during the year. I expect that very many of those systems will still be too open at the end of 2014.

The Internet is expanding into enterprise assets and consumer items such as cars and televisions. The Internet of Things (IoT) will evolve into the Web of Things, increasing the coordination between things in the real world and their counterparts on the Web. There will be many security issues to solve, and as these systems become more widely used, more security issues will be found in them.

Cloud security will be talked about. Hopefully there will be some clearing-up of the terminology in that area, because cloud security can mean a lot of things, like the term cloud computing itself. Cloud security could mean how secure your cloud provider is; a service that runs in the cloud and filters what passes through it (for example e-mails or web traffic); a product protecting some service running in the cloud; or a traditional anti-virus product that connects to the cloud to improve its operation (for example to update in real time or to verify unknown programs based on data in the cloud). Research firm Gartner forecasts that cloud security sales will increase dramatically in the next few years. Cloud security sales have increased over the past year by 2.1 billion to $3.1 billion in 2015.

Marketers try to put the “cloud” term into security product brochures as much as they can. Cloud has made traditional information security sound old-fashioned, because companies are under pressure to move services to the cloud. Also, mobile devices and dispersed users set new standards for information security. OpenDNS’s CTO Dan Hubbard says that “Because the data and equipment run in the cloud, protecting users with the cloud is the best way to protect them.” The Snowden Effect will also bring PRIVATE cloud talk to the table this year for security reasons, because U.S. cloud services have been put into question for good reason.

In Finland a new Cyber Security Center started in the beginning of 2014. Security articles and warnings from it will be published at kyberturvallisuuskeskus.fi.

Late addition: Crypto-currencies like Bitcoin and similar are on the rise. Early adopters already use them actively. Those crypto-currencies have many security related issues. The values of the crypto-currencies vary quite a lot, and the value easily drops considerably when they get so widely used that different governments try to limit their use. Bitcoin is increasingly used as a ransomware payment method. Bitcoins have been stolen quite a lot lately (and I expect that to increase when usage increases), and they are stolen from users, on-line wallets and exchanges. When more money is involved, more bad guys try to get in to take some of it. Sometimes bad guys do not try to steal your money, but use resources you pay for (your own PC, your server capacity, etc.) to generate money for themselves without you knowing about it. If you plan to use those crypto-currencies, be careful to understand what you are doing with them; there is a real possibility that you can lose your money, and there is no way that lost money can be recovered.

3,382 Comments

  1. Tomi Engdahl says:

    Google to Make Security Guards Employees, Rather Than Contractors
    http://blogs.wsj.com/digits/2014/10/03/google-to-make-security-guards-as-employees-rather-than-contractors/

    In a move that could reverberate around Silicon Valley, Google plans to hire more than 200 security guards as its own employees, rather than through an outside contractor.

    “Building an in-house security team is something we are excited to do,” said a Google spokeswoman in a statement. “This is a process we started over a year ago and are looking forward to making these valued positions both full- and part-time Google employees.”

  2. Tomi Engdahl says:

    Password Managers are not life partners; you can change them!
    http://www.zoho.com/vault/blog/password-managers-are-not-life-partners-you-can-change-them.html

    Breaking free from a bad relationship can be painful but is sometimes the best thing to do, even in enterprise IT. When you know that your password manager has failed you and you can’t trust it any longer, it is only logical that you want to replace it with a strong, trustworthy and secure application that you can count on for life. In other words, you find a ‘life partner’ password manager software that meets your needs and expectations.

    But, the mere thought of switching them (password managers, I mean) might seem daunting as you have so much baggage – user IDs, passwords, URLs, notes and other data, that it becomes a tedious task to shift them manually to another password manager.

  3. Tomi Engdahl says:

    3 Ways Retailers Can Protect Themselves
    http://www.csc.com/cscworld/publications/109393/109025-3_ways_retailers_can_protect_themselves?utm_campaign=0914-GDC-Outbrain30&utm_source=outbrain&utm_medium=ocpc

    No retailer wants to be the next poster child for cyberattacks. Yet retail security breaches, such as those that affected Target and other retailers during the 2013 winter holidays, continue to succeed. Hackers are showing higher levels of innovation and expertise while inflicting damage to retail brands and bottom lines.

    The good news is a lot of that pain and suffering can be avoided if retailers take steps to protect themselves and their customers. Retail security measures include better incident planning, a more secure payment card security architecture and increased advanced-detection capabilities. By applying advances in cybersecurity, retailers can better prepare to respond, reduce their risks of payment card loss and more quickly detect threats — before an attack causes real damage.

    ONE: Plan your incident response in advance.
    TWO: Add end-to-end encryption and tokenization.
    THREE: Start real-time, sophisticated threat detection.

  4. Tomi Engdahl says:

    JPMorgan CYBER-HEIST: 9 US financial firms snared by ‘Russian hackers’, says report
    ‘Culprits have loose links to Putin’s government’: NYT
    http://www.theregister.co.uk/2014/10/05/report_says_russians_behind_jpmorgan_chase_cyber_attack/

    Russian hackers with “loose connections” to Vladimir Putin’s government were reportedly behind the massive JPMorgan cyber-heist understood to have hit 83 million households and businesses in the US.

    According to the New York Times, nine other Stateside financial institutions were also targeted by wrongdoers involved in the huge data breach.

    The identities of those banks and brokerage outfits was not disclosed, however.

    US spooks and policy-makers based in Washington are said to be deeply concerned by the attacks, even though they have publicly kept their cool about the successful hacks, the NYT added.

  5. Tomi Engdahl says:

    Microsoft’s Windows 10 has permission to watch your every move
    http://www.techworm.net/2014/10/microsofts-windows-10-permission-watch-every-move.html

    As more and more users are jumping the queue to download the Windows 10 through the Windows Insider Program, almost all of them have forgotten to check the Privacy Policy and Terms and Conditions users accept while downloading the Windows 10. If you study the privacy policy you will be startled at the amount of freedom you are giving Microsoft to spy on you.

    In a way by accepting the Windows 10 Technical Preview installation you are giving Microsoft unhindered access to your behavioural habits

    In simple words, Windows 10 Technical Preview is collecting your voice, your chats, and your voice. Albeit it is doing so with your permission.

    In absolute terms you are giving permission for Microsoft to screen your files and keep a log of your keyboard and other inputs.

    Microsoft’s Windows 10 Preview has permission to watch your every move
    Its ‘privacy’ policy includes permission to use a keylogger
    http://www.theinquirer.net/inquirer/news/2373838/microsofts-windows-10-preview-has-permission-to-watch-your-every-move

    MICROSOFT COULD BE giving members of its Windows Insider Programme for Windows 10 more attention than they might like.

    The programme gives users access to a Technical Preview edition of its upcoming operating system Windows 10 that Microsoft announced on Tuesday, befuddling everyone by skipping Windows 9.

    The Windows Insider Programme seemed like a gesture of openness and willingness to collaborate with developers on a peer level. But a closer look at the privacy policy of the Windows 10 preview reveals some startling permissions that you grant by installing and using it.

    that’s pretty standard stuff, though a bit disconcerting. However, if you go on a bit, it also says:

    “We may collect information about your device and applications and use it for purposes such as determining or improving compatibility” and “use voice input features like speech-to-text, we may collect voice information and use it for purposes such as improving speech processing.”

    In other words, Windows can collect your voice and anything you say, which is quite intrusive.

    In other words, in effect, you are giving permission for Microsoft to screen your files, and in effect keylog your keyboard input. Renowned Windows blogger Mary Jo Foley recently said, “I’ve heard Microsoft built a new real-time telemetry system codenamed ‘Asimov’ (yes, another Halo-influenced codename) that lets the OS team see in near real-time what’s happening on users’ machines.”

  6. Tomi Engdahl says:

    Microsoft’s Windows 10: More on the ‘under the covers’ security, Store features
    http://www.zdnet.com/microsofts-windows-10-more-on-the-under-the-covers-security-store-features-7000034305/

    Summary: Microsoft’s Windows 10 will include more than just user interface tweaks. Here are some of the expected security, manageability and Store changes coming to the next version of Windows client.

    According to Niehus, Microsoft is doing a lot of work on the security front with Windows 10. Microsoft has made Azure Active Directory a “first class citizen” with Windows 10, so that customers can use Azure AD identities to log into their devices “so users can get the same benefits as using an MSA (Microsoft Account) such as Store access, settings, sync and live tiles.” Business also can use their existing Active Directory, federated in the cloud with Azure Active Directory, no Microsoft Account needed. Windows 10 also includes “next generation user credentials,” like password alternative, which enables single sign-in everywhere.

    “Threshold (Windows 10) builds data protection into the natural flow (and) integrates data protection at the platform level,” Niehus blogged. It also enables per-application VPN, meaning it only allows specific apps to be on the VPN.

    “The (new) Windows Store will also support more than just modern apps. It will add desktop apps, as well as other types of digital content. We will provide many different ways to pay for apps. And we’ll provide an organization store within the public Windows Store, where an org can place their own curated list of public apps as well as specific line-of-business apps that their employees need.”

  7. Tomi Engdahl says:

    A Year After the Death of Silk Road, Darknet Markets Are Booming
    http://www.theatlantic.com/technology/archive/2014/10/a-year-after-death-of-silk-road-darknet-markets-are-booming/380996/

    They’re not safe, they’re full of scams, and they’re entirely fractured—but online places to buy drugs and weapons aren’t going away any time soon.

    At DeepDotWeb, an anonymous editor chronicles everything darknet related, from the latest in cryptocurrencies to the rise and fall of new darknet markets. In an email interview, the editor (who asked to remain anonymous) predicts that the crazy explosion of smaller markets may be on the wane. “The market was pretty stable for the last few months unlike first six months of 2014,” he writes. “I believe that it will stay pretty much the same with some markets popping up and some shutting down from this reason or another until we will see some new technology—probably one that will offer decentralization of the markets.”

    http://www.deepdotweb.com/

  8. Tomi Engdahl says:

    This is what happens when 911 fails
    Our most important lifeline isn’t always there when you need it
    http://www.theverge.com/2014/10/3/6414949/911-call-failures-fcc

    On a June morning in Washington, William Leneweaver, the state’s E911 IT projects and operations manager, was alerted to a call. A man had been attempting to dial emergency responders, but he couldn’t get through. He was left listening to a “fast busy” — a pre-recorded tone.

    Wireless carriers have a strong incentive to play down any 911 outages: no company wants be the one that fails to send emergency calls. The FCC, meanwhile, receives a steady stream of complaints from consumers, according to documents obtained by The Verge through a Freedom of Information Act request, and reserves enforcement for the most egregious infractions. Years into the slow demise of the landline and ubiquity of the smartphone, it seems, calling 911 on mobile is a much riskier move than from a wired phone.

    Leneweaver’s team tried canvassing the counties to see if anyone was injured because of the outage. As far as they could tell, no one was; but, he says, “it only takes one to make the evening news.”

    Since January 1st, 2011, more than 400 formal consumer complaints about wireless 911 calls have been sent to the FCC.

    Many are technical glitches with unclear resolutions.

    The FCC files 911 consumer complaints into two categories: the immediately life-threatening, and the not immediately life-threatening.

    The FCC is now considering new rules that may curb a related problem: location tracking.

    Meanwhile, for purposes unrelated to public safety, other private-sector companies are zipping ahead of wireless carriers in location tracking, largely thanks to Wi-Fi accuracy.

    Carriers have been fighting those regulations, as they have attempted several times to forcefully regulate 911 calls.

    problems with tracking callers are a daily issue. It’s difficult to pin the incidents on any specific service provider — many share towers, or “ride a different carrier’s backbone” — but it keeps happening.

  9. Tomi Engdahl says:

    DARPA Delving Into the Black Art of Super Secure Software Obfuscation
    http://it.slashdot.org/story/14/10/05/1257252/darpa-delving-into-the-black-art-of-super-secure-software-obfuscation

    Given enough computer power, desire, brains, and luck, the security of most systems can be broken. But there are cryptographic and algorithmic security techniques, ideas and concepts out there that add a level of algorithmic mystification that could be built into programs that would make them close to unbreakable.

    DARPA delving into the black art of super secure software obfuscation
    http://www.networkworld.com/article/2691617/security0/darpa-delving-into-the-black-art-of-super-secure-software-obfuscation.html

    DARPA program seeks to develop security schemes that keep potential villains from the all-important code

    From DARPA: “The goal of the SafeWare research effort is to drive fundamental advances in the theory of program obfuscation and to develop highly efficient and widely applicable program obfuscation methods with mathematically proven security properties.”

    The basic (and I mean basic) idea of software obfuscation is to make the important underlying code or intelligence of an application untouchable (or as untouchable as possible) by an intruder or anyone else looking to access its information.

  10. Tomi Engdahl says:

    Mastercard offers banks and payment processors a cyber Safetynet
    Should nip hacker attacks in the bud
    http://www.theinquirer.net/inquirer/news/2373729/mastercard-offers-banks-and-payment-processors-a-cyber-safetynet?utm_source=Outbrain&utm_medium=Cpc&utm_campaign=Inquirer%252BReferral&WT.mc_is=977=obinsource

    FINANCIAL SERVICES COMPANY Mastercard is offering its payment processing and finance customers Safetynet, a prophylactic security system for thwarting cyber attacks and data breaches.

    The firm is probably reacting to the tens of millions of customer accounts that have been revealed as falling victim to hackers in the last few months. It is definitely looking to persuade its users that it has the silver bullet for keeping ahead of the hackers.

    “With Safetynet we are really fast tracking the next generation of security solutions, which are designed to stop fraud or attacks before many of our partners have even noticed it is happening,” said Ajay Bhalla, president of enterprise security solutions at Mastercard .

    “We can do this because Mastercard’s Safetynet operates as intelligent technology which can identify fraud in real time and decline a transaction before any exposure takes place.”

  11. Tomi Engdahl says:

    Smart gun inspires smart mouse
    http://www.computerworld.com/article/2691597/smart-gun-inspires-smart-mouse.html

    A new method for authenticating users via a mouse wins patent

    Kaufman was recently awarded a patent for a biometric pressure grip that describes how a mouse can be used to authenticate someone.

    “Today’s world is based on layers of security, so the more layers that you can add to your system the better,” said Kaufman, in an interview. “This is just an added layer to basically authenticate you to the system.”

    In environments with high security, authentication may include use of a smartcard with embedded chips, as well as fingerprint recognition to authenticate users. There are also options for facial recognition and retina scans.

    But smartcards can be stolen, fingerprints lifted off surfaces, passwords cracked and photographic substitutes used to defeat facial recognition and retina scans. The information needed for a retina scan, for instance, can be stolen from a doctor’s office.

    A pressure sensitive mouse “is a lot harder to defeat” because it works from a neurological pattern versus a physical pattern, such as a facial scan. The way people hold a mouse, along with the amount of pressure they apply, is unique.

  12. Tomi Engdahl says:

    Online dating scams: new tricks that fleece victims of an average ‘£9,589’
    A 60-year-old’s tale of losing £60,000 through an online dating scam is a stark warning to others
    http://www.telegraph.co.uk/finance/personalfinance/11113769/Online-dating-scams-new-tricks-that-fleece-victims-of-an-average-9589.html

    Singletons sign up to online dating sites in the hope of finding love, but they are increasingly being targeted by fraudsters.

    Someone you have started to develop a relationship with online might first ask for money for travel costs, or say they have lost their plane ticket so need to borrow some cash for a new one. They might say a family member is ill and they need funds for urgent medical treatment.

    According to recent figures, these requests for cash appear to be working. There were 651 dating scams reported in the three months to August this year, with the average victim paying out £9,589. In July, the average payout was as high as £10,882.

    With one in four British adults using a dating website at some point in their life, according to Which?, users are being warned to be vigilant while online, particularly as the fraudster’s tactics are becoming more elaborate.

    Action Fraud UK, the country’s fraud and internet crime reporting centre, says it has been alerted to new methods used by dating fraudsters.

    Online dating scams are nothing new, but they are on the rise.

    The online dating websites say there is little they can do to restrict this type of fraud. A spokesman for Match.com, Britain’s most well-known dating site, said people should apply the same common sense as if in a bar or a pub. “This includes never giving money to anyone – just as you would never give money to someone you recently met in a pub or café – and not sharing personal contact details that take conversations off the site,” he said.

  13. Tomi Engdahl says:

    Uni boffins: ‘Accurate’ Android AV app outperforms most rivals
    …Don’t sweat, VXers, it’s STILL no use against obfuscated kit
    http://www.theregister.co.uk/2014/10/06/uni_bods_say_accurate_android_av_app_blasts_rivals/

    German researchers have built an Android app capable of detecting 94 percent of malware quick enough to run on mobile devices they say bests current offerings in effectiveness and description.

    Daniel Arp, Konrad Rieck, Malte Hubner and Hugo Gascon of the University of Gottingen – together with Michael Spreitzenbarth of Siemens computer emergency response team – pitted their DREBIN tool against 123,453 benign applications from different Android app stores and 5560 new malware samples, the largest set yet used.

    It took the app 10 seconds to analyse five modern Android phones making it suitable for screening downloaded apps on the device. Older phones took about 20 seconds to scan while on a 2.26GHz Core Duo desktop with 4GB of RAM the tool could scan a whopping 100,000 apps a day.

    Dynamically loaded and obfuscated malware – the bane of anti-malware offerings – could still give DREBIN the slip, the authors concede.

    Various platforms had been proposed to help save users who blindly OK app permissions from themselves. Existing systems such as TaintDroid, DroidRanger and RiskRanker were effective, but relied on manually crafted detection patterns that would miss some new malware and may come with large device performance cost.

    Rival antivirus tools running at a one per cent false-positive rate detected between 10 to 50 per cent of malware, while DREBIN found 94 per cent.

  14. Tomi Engdahl says:

    Will we ever can the spam monster?
    An unending battle against email-borne nasties and botnets
    http://www.theregister.co.uk/2014/10/06/email_spam/

    Spam may be the best known security threat in the world. Anyone with email or a Facebook account has experienced it, despite providers’ best efforts to block it from their inboxes.

    And although the world’s cyber warriors have taken down large chunks of infrastructure hosting massive spam campaigns, it remains a huge problem.

    As soon as businesses started spamming people’s email accounts, it was inevitable that criminals would adopt the model and turn it to their gain.

    The primary method for disseminating these irksome messages became botnets, some of which grew to a massive size. Millions of infected machines became relays from which messages would spread and spread.

    Malicious hackers realised they could lump their command-and-control (C&C) servers on bulletproof hosting services and operate with little chance of arrest.

    Meanwhile, spam filters have got better at keeping nasty messages out of inboxes, with a 99 per cent success rate today, according to antivirus firms Sophos and Kaspersky.

    “Spam is an interesting example of how over time security threats can be reduced or managed more effectively by technology,” says Brian Honan, founder of security advisory firm BH Consulting.

    “In the mid-2000s spam was the big security threat, with experts predicting that email would cease to work because of it. However, what we have seen is that the threat of spam has been effectively managed for many organisations, and indeed for individuals.

    “Most companies and personal email providers now provide built-in filters, which has reduced the level of spam that users receive.”

    But none of this has led to complete victory.

    “However, the current spammer organisations have learned from the mistakes of the older campaigns,” Chang says.

    “While the botnets may not be as prolific as before they are still effective so we have to continue to be on our toes. It’s a never-ending escalation of tactics.”

    Spam is also being used for delivery of ransomware, which locks up people’s files and demands payment to unlock them.

    “I am aware of a number of cases where social media spam has caused users’ computer to be infected with ransomware,” says Honan.

  15. Tomi Engdahl says:

    Anti-Facebook Ello: Here’s why we’re still in beta. SPAMGASM!
    Whack-a-mole play against abusers
    http://www.theregister.co.uk/2014/09/30/ello_says_spammy_accounts_follow_everybody_with_reckless_abandon/

    Humblebrag site Ello, which has positioned itself as a worthy Web2.0rhea antiserum to the ad-poisoned Facebook, has come under attack from spammers.

    The site went titsup for roughly 30 minutes

    But Ello, which is still in beta, has been heavily exposed to abuse, predictably.

    Ello, which was founded by Paul Budnitz, has claimed it wants to do things differently. But it could be argued that by attempting to market the idea of a sanitised network to keep all the nasties at bay (be they ads or spammers), Ello may already be writing its own obituary.

    After all, who’s going to pay for all those servers now that the site is being supposedly flooded with thousands of signup requests?

  16. Tomi Engdahl says:

    Professor Kevin Fu Answers Your Questions About Medical Device Security
    http://science.slashdot.org/story/14/10/05/2026230/professor-kevin-fu-answers-your-questions-about-medical-device-security

    Almost a year ago you had a chance to ask professor Kevin Fu about medical device security. A number of events (including the collapse of his house) conspired to delay the answering of those questions.

    Fu: I apologize for the year-long delay,

    Medical device security is a challenging area because it covers a rather large set of disciplines including software engineering, clinical care, patient safety, electrical engineering, human factors, physiology, regulatory affairs, cryptography, etc. There are a lot of well meaning security engineers who have not yet mastered the culture and principles of health care and medicine, and similarly there are a lot of well meaning medical device manufacturers who have not yet mastered the culture and principles of information security and privacy. I started out as a gopher handing out authentication tokens for a paperless medical record system at a hospital in the early 1990s, but in the last decade have focused my attention on security of embedded devices with application to health and wellness.

    Fu: Classic cochlear implants are mostly analog circuits with some external supporting software. However, newer implants on the drawing board are looking at how to enable audiologists to adjust implant settings remotely from the cloud. There are, of course, some significant security and privacy issues that need to be resolved.

    Fu: Pumps for medicine are amazing.
    A PCA pump is short for a patient-controlled analgesia. I believe this question is referring to a bed-side pump rather than an implant. For instance, a patient may receive a PCA pump to deliver controlled pain medication such as morphine. Typical user interfaces consist of a “more please” button that delivers a bolus of drug via an IV.
    A number of researchers have analyzed the attack surfaces for insulin infusion pumps, a special kind of externally worn pump for diabetics.
    I think it’s fair to say that manufacturers initially underestimated the importance of security requirements engineering during the early concept phases of product engineering. That said, the manufacturers are doing some amazing engineering. There is a game of catch-up, but I am optimistic that the manufacturers will improve by following the new U.S. FDA guidance on cybersecurity in good faith.

    Now on to the real question: what about the backdoor of the pump? No one likes to advertise the unsavory backdoors built into products—some by design and some by accident. It’s out of sight, out of mind. On old CAT scans, you’ll sometimes even find an “lp” Unix account enabled without a password.

    Fu: I find a good rule of thumb to measure security of a clinical environment: count the number of Windows XP boxes. Why? Because these devices are more vulnerable to run-of-the-mill, conventional malware. At one large hospital, medical devices based on Windows XP were re-infected about every 12 days if the box is not protected. With “bandaid” approaches like firewalls and anti-virus, the devices can last longer before re-infection.

    That said, Linux ain’t no picnic either. All operating systems have risks and benefits. I believe the root of the problem is that software security lifecycles for consumer grade operating systems do not align well with the product lifecycles of medical devices. Medical devices need to remain safe and effective for a very long time.

    Fu: I think patients can take comfort in knowing that FDA has written meaningful guidance on cybersecurity that is likely a game changer for manufacturing. Also, I find that engineers at most medical device manufacturers sincerely want to improve the security of their products.

    Reply
  17. Tomi Engdahl says:

    Bugzilla Bug Exposes Zero-Day Bugs
    http://it.slashdot.org/story/14/10/06/1413200/bugzilla-bug-exposes-zero-day-bugs

    Bugzilla Zero-Day Exposes Zero-Day Bugs
    http://krebsonsecurity.com/2014/10/bugzilla-zero-day-exposes-zero-day-bugs/

    A previously unknown security flaw in Bugzilla — a popular online bug-tracking tool used by Mozilla and many of the open source Linux distributions — allows anyone to view detailed reports about unfixed vulnerabilities in a broad swath of software. Bugzilla is expected today to issue a fix for this very serious weakness, which potentially exposes a veritable gold mine of vulnerabilities that would be highly prized by cyber criminals and nation-state actors.

    Reply
  18. Tomi Engdahl says:

    Rise of the Machines: FIRST HUMAN VICTIM – 2015
    Internet of Things robots WILL break 1st law – EU top cops
    http://www.theregister.co.uk/2014/10/06/top_eu_cops_internet_of_things_devices_could_soon_become_instruments_of_murder/

    Death via internet, online contract killers and crime-as-a-service were just three of the scarier elements discussed by international top cops at the Interpol-Europol cybercrime summit in Singapore last week.

    The Internet Organised Crime Threat Assessment, a report prepared by Europol’s cybercrime division, warns that the so-called Internet of Things has created a target for new forms of blackmail, ransomware and “possible death”.

    Thanks to machine-to-machine communication, more and more critical every day devices are becoming connected, and it’s apparently only a matter of time before a rogue smart car or hacked pacemaker kills someone.

    Europol estimates that there are 10 billion internet-enabled devices. “Cybercriminals need not be present in target countries and are able to conduct crime against large numbers of victims across different countries simultaneously with minimum effort and risk,” says the report.

    It also warns that traditional organised crime is morphing into a crime-as-a-service industry, with contract killers available for hire on the darknet.

    Reply
  19. Tomi Engdahl says:

    Facebook has sued spammers for nearly $2 billion
    “We will fight back to prevent abuse on our platform”
    http://www.theverge.com/2014/10/3/6901293/facebook-has-sued-spammers-for-nearly-2-billion

    Facebook is in a constant battle against spammers trying to take advantage of its network, and it’s been fighting back against them in a number of different ways — including in the courts. In total, Facebook says that it’s now “obtained nearly $2 billion in legal judgments” against various spammers.

    In particular, Facebook appears to be focused on spammers who sell fake Likes, generally to businesses interested in boosting their popularity. In its post today, Facebook explains that its tools generally make this ineffective — in fact, Facebook says that buying Likes will “do more harm than good” for a business’ page.

    Keeping Facebook activity authentic
    https://www.facebook.com/notes/facebook-security/keeping-facebook-activity-authentic/10152309368645766

    Reply
  20. Tomi Engdahl says:

    Hackers Compromised Yahoo Servers Using Shellshock Bug
    http://tech.slashdot.org/story/14/10/06/1712211/hackers-compromised-yahoo-servers-using-shellshock-bug

    Hackers were able to break into some of Yahoo’s servers by exploiting the recently disclosed Shellshock bug over the past few weeks. This may be the first confirmed case of a major company being hit with attacks exploiting the vulnerability in bash.

    Hackers Compromised Yahoo Servers Using Shellshock Bug
    http://www.securityweek.com/hackers-compromised-yahoo-servers-using-shellshock-bug

    Attackers have figured out a way to get onto some of Yahoo’s servers via the Shellshock bug over the past few weeks. This may be the first confirmed case of a major company being hit with attacks exploiting the vulnerability in bash.

    At least two servers for Yahoo Games have been breached, Jonathan Hall, a security researcher and a senior engineer with Future South Technologies, wrote on Reddit. The servers were vulnerable because they were using an older version of bash, Hall said. Yahoo confirmed the breach over email.

    “This breach is very serious, and jeopardizes every consumer that uses Yahoo! in any manner, from shopping to email, and even game playing,” Hall wrote in a detailed technical post on Future South Technologies website.

    Hall noted that millions of people visit Yahoo Games per day, and the games themselves are Java-based. Considering that Shellshock gives attackers full control of the compromised server, there are many things attackers can do, such as stealing user information, harvesting financial data, and infecting visitor computers with malware.

    “Romanian hackers are currently working on further infiltrating the Yahoo! Network, and also have infiltrated Lycos and WinZip.com,” Hall wrote.

    Reply
  21. Tomi Engdahl says:

    Online flight and hotel booking sites fool consumers with a cunning trick – here is how to avoid paying inflated prices.

    You may have planned a trip and done a preliminary online search of the various airlines flying to your destination.

    At the same time you check out the hotels at your destination. The website advertises that only a few rooms at the promotional rate are left, but your plans are still open, so you do not want to make reservations immediately.

    After some time you return to the matter. The travel dates are confirmed and you are ready to make your reservation.

    You search again for flights and hotels for the same destination. Unfortunately, you find that the prices have already gone up.

    Either prices have risen, or the booking system indicates that the cheaper room and ticket categories have already sold out. You are disappointed and fret about your own procrastination.

    Your vacation has, however, already been agreed upon, so you buy at the higher price and try to ignore it. Does this sound familiar?

    It is not a coincidence, but a common practice on travel booking sites – a legitimate scam.

    The rise in prices is not always real, but is based on the cookies and cache data that your web browser stores automatically.

    When you return once again to look for the same items, the web site recognizes you as a returning visitor and automatically shows you the new, higher prices.

    The cheaper rates can easily be restored in the search results by clearing your browser cache and deleting cookies before searching again. Another option is to use the browser’s private browsing or incognito mode.

    Source: http://www.iltalehti.fi/matkajutut/2014100718721896_ma.shtml

    Reply
  22. Tomi Engdahl says:

    Yahoo confirms its servers were breached via a Shellshock exploit, but says no user data was accessed — Shellshock: Romanian hackers are accessing Yahoo servers, claims security expert — Hackers are exploiting Yahoo’s bash bug vulnerability, according to technology consultant Jonathan Hall

    Shellshock: Romanian hackers are accessing Yahoo servers, claims security expert
    http://www.independent.co.uk/life-style/gadgets-and-tech/news/shellshock-romanian-hackers-are-accessing-yahoo-servers-claims-security-expert-9777753.html

    Yahoo servers have been infiltrated by Romanian hackers exploiting the Shellshock bug discovered last month, according to cyber security expert Jonathan Hall.

    Hall had Google-searched a range of codes designed to identify which servers were vulnerable to Shellshock, and found that Romanian hackers had breached two Yahoo servers and were exploring the network in search of access points for Yahoo!Games, which has millions of users.

    A Yahoo spokesperson told The Independent: “A security flaw, called Shellshock, that could expose vulnerabilities in many web servers was identified on September 24.

    Before releasing this information, Hall emailed Yahoo and tweeted at its engineering team and CEO Marissa Mayer.

    It was confirmed to him that its servers had been infiltrated but Yahoo refused to pay him for alerting them as it was not part of the company’s bug bounty programme. Yahoo is notorious for its disregard of bug bounty hunters.

    In a blog post on his website Future South, Hall detailed the process by which he discovered Yahoo, Lycos and WinZip websites had all been infiltrated by a group of Romanian hackers.
    http://www.futuresouth.us/wordpress/

    Reply
  23. Tomi Engdahl says:

    In Romania, A Quiet City Has Become The Global Hub For Hackers And Online Crooks
    http://www.worldcrunch.com/tech-science/in-romania-a-quiet-city-has-become-the-global-hub-for-hackers-and-online-crooks/hacking-hacker-romania-pirate-scam-internet-website/c4s10532/#.VDOm_BZsUil

    To the tourist eye, Râmnicu Vâlcea is a quiet, leafy city. Located at the bottom of the Carpathian mountain range, in central Romania, no one would guess this town’s secret, buried in its working-class neighborhood, Ostroveni.

    Râmnicu Vâlcea and its Ostroveni neighborhood is nicknamed “Hackerville.” It is the world capital for online theft. Internet shoppers from all over the world have been had by the Romanian hacking network: French, British, Germans, Italians and mostly Americans. According to the Romanian police, around 80% of their victims reside in the U.S. “Last year, one billion dollars was stolen in the U.S. by Romanian hackers,” says American ambassador in Bucharest, Mark Gitenstein.

    “It’s a big world we live in and it’s full of idiots ready to buy anything on the Internet,”

    The Romanian hackers have understood that it is better for them to work in networks. This is their difference and their strength, compared to other hackers.

    “Yes, stealing on the Internet is easy,” he says, “there are hundreds of websites where you can learn how to become a hacker.” A few clicks later: “There you go, I found credit cards for sale with associated codes for Italy, France, the U.S., the UK and Spain.” His screen shows classified ads where everything is for sale: credit cards and their codes, blank cards, lists of accounts from large email companies and many programs to access servers.

    Reply
  24. Tomi Engdahl says:

    Overstock.com Assembles Coders to Create a Bitcoin-Like Stock Market
    http://www.wired.com/2014/10/overstock-com-assembles-coders-build-bitcoin-like-stock-market/

    Overstock.com is building software, based on the bitcoin digital currency, that could allow the big-name etailer to issue corporate stock over the internet, sidestepping traditional stock exchanges such as the NASDAQ and the New York Stock Exchange.

    Code-named “Medici,” the project aims to democratize Wall Street in much the same way bitcoin seeks to democratize currency and payments. By operating separate from traditional stock exchanges and the big corporate banks, it could eliminate certain loopholes in the system and reduce the costs associated with issuing and juggling stock.

    Reply
  25. Tomi Engdahl says:

    AT&T hit by insider breach
    http://threatpost.com/att-hit-by-insider-breach/108705

    AT&T is warning consumers about a data breach involving an insider who illegally accessed the personal information of an unspecified number of users. The compromised data includes Social Security numbers and driver’s license numbers.

    In a letter sent to the Vermont attorney general, AT&T officials said that the breach occurred in August and that the employee in question also was able to access account information for AT&T customers.

    As a result of the breach, AT&T is offering affected customers a year of free credit monitoring, as has become customary in these incidents. The company also is recommending that customers change the passwords on their accounts.

    Reply
  26. Tomi Engdahl says:

    Windows 10′s ‘built-in keylogger’? Ha ha, says Microsoft – no, it just monitors your typing
    YOU said it was OK when you installed that Technical Preview
    http://www.theregister.co.uk/2014/10/07/windows_10_data_collection/

    Don’t want Microsoft tracking you online and collecting data on your computing habits? Then you probably shouldn’t install the Windows 10 Technical Preview, Redmond says.

    The interwebs were abuzz on Monday over concerns about the Terms of Use and Privacy Policy of Microsoft’s newly released, not-even-beta-yet OS, with some sites going as far as to claim that Windows 10 comes with a “built-in keylogger” to watch users’ every move.

    Turns out these Chicken Littles were right – sort of – but according to Microsoft they should have known about the data collection from the get-go, because they agreed to it.

    Reply
  27. Tomi Engdahl says:

    Andrus Ansip, the new EU super-commissioner for all things digital, says he will work to completely abolish geo-blocking of media in Europe – and urged telcos to get on with pushing out high-speed mobile broadband.

    More predictable were his comments that protecting privacy is the “cornerstone” of the digital single market, that EU-funded software should be open-source, and that the European Commission should lead by example and put digital government into practice with e-invoices, e-procurement, e-signatures and so on.

    On the question of Europe’s “right to be forgotten”, the commissioner-designate was less clear. “The right to be forgotten is good for democracy,” said Ansip before adding, “the right to be forgotten has to stay as an exception.” Got that? No, nor did most of the MEPs present at the hearing.

    Source: http://www.theregister.co.uk/2014/10/07/new_eu_super_commissioner_for_all_things_tech_impresses_european_parliament/

    Reply
  28. Tomi Engdahl says:

    Monster banking Trojan botnet claims 500,000 victims
    This ain’t your father’s ZeuS
    http://www.theregister.co.uk/2014/10/07/monster_banking_trojan_botnet_claims_500000_victims/

    Security researchers have uncovered the infrastructure behind one of largest and most voracious banking Trojan networks uncovered to date.

    The Qbot (aka Qakbot) botnet apparently infected 500,000 systems before sniffing “conversations” – including account credentials – for a whopping 800,000 online banking transactions. More than half (59 per cent) of sniffed sessions were reportedly from accounts at five of the largest US banks.

    The researchers said online banking credentials for banks in Europe were also targeted by the Russian-speaking cybercrime group behind the scam, which was uncovered by email security outfit Proofpoint.

    The security firm said the attackers launched the assault from compromised WordPress sites using drive-by-download style attack tactics. Windows XP clients comprised 52 per cent of the infected systems in the cybercrime group’s botnet.

    Reply
  29. Tomi Engdahl says:

    Exclusive: Hundreds Of Devices Hidden Inside New York City Phone Booths
    http://www.buzzfeed.com/josephbernstein/exclusive-hundreds-of-devices-hidden-inside-new-york-city-ph#4eg99hn

    Beacons can push you ads — and help track your every move. Update: Hours after BuzzFeed News exposed the devices, the city ordered the removal of the devices.

    A company that controls thousands of New York City’s phone booth advertising displays has planted tiny radio transmitters known as “beacons” — devices that can be used to track people’s movements — in hundreds of pay phone booths in Manhattan, BuzzFeed News has learned.

    And it’s all with the blessing of a city agency — but without any public notice, consultation, or approval.

    Titan, the outdoor media company that sells ad space in more than 5,000 panels in phone kiosks around the five boroughs, has installed about 500 of the beacons, a spokesman for the city’s Department of Information Technology and Telecommunications (DoITT), Nicholas Sbordone, confirmed to BuzzFeed News.

    Beacons are Bluetooth devices that emit simple signals that smartphones can pick up. They’re best known for their growing use in commercial settings: in stores, for example, to alert customers to sales, or in stadiums, to tell patrons which entrances are least crowded.

    But the spread of beacon technology to public spaces could turn any city into a giant matrix of hidden commercialization.

    Update

    Hours after BuzzFeed News published this report, City Hall asked Titan to remove the devices, which could have been used to push ads — and track phones.

    Titan, which is also active in San Francisco, Los Angeles, and other cities, said it has installed Gimbal beacons in other markets, but declined to provide details about those programs to BuzzFeed News.

    Reply
  30. Tomi Engdahl says:

    Adobe Digital Editions (v.4) is spying on users
    http://www.reddit.com/r/books/comments/2iic3n/adobe_digital_editions_v4_is_spying_on_users/

    Adobe is Spying on Users, Collecting Data on Their eBook Libraries
    http://the-digital-reader.com/2014/10/06/adobe-spying-users-collecting-data-ebook-libraries/#.VDPqURZsUik

    Adobe has just given us a graphic demonstration of how not to handle security and privacy issues.

    A hacker acquaintance of mine has tipped me to a huge security and privacy violation on the part of Adobe. That anonymous acquaintance was examining Adobe’s DRM for educational purposes when they noticed that Digital Editions 4, the newest version of Adobe’s Epub app, seemed to be sending an awful lot of data to Adobe’s servers.

    My source told me, and I can confirm, that Adobe is tracking users in the app and uploading the data to their servers. (Adobe was contacted in advance of publication, but declined to respond.)

    Adobe is gathering data on the ebooks that have been opened, which pages were read, and in what order. All of this data, including the title, publisher, and other metadata for the book is being sent to Adobe’s server in clear text.

    I am not joking; Adobe is not only logging what users are doing, they’re also sending those logs to their servers in such a way that anyone running one of the servers in between can listen in and know everything.

    But wait, there’s more.

    Adobe isn’t just tracking what users are doing in DE4; this app was also scanning my computer, gathering the metadata from all of the ebooks sitting on my hard disk, and uploading that data to Adobe’s servers.

    In. Plain. Text.

    And just to be clear, this includes not just ebooks I opened in DE4, but also ebooks I store in calibre and every Epub ebook I happen to have sitting on my hard disk.

    This is a privacy and security breach so big that I am still trying to wrap my head around the technical aspects, much less the legal aspects.

    I am sharing these details not to excuse or justify Adobe, but to show you that this was a massively boneheaded stupid mistake that Adobe would have seen coming had they had the brains of a goldfish.

    As for the legal aspects, I am still unsure of just how many privacy laws have been violated. Most states have privacy laws about library books, so if this app was installed in a library or used with a library ebook then those laws may have been violated. What’s more, Adobe may have also violated the data protection sections of FERPA, the Family Educational Rights and Privacy Act, and similar laws passed by states like California. (I’m going to have to let a lawyer answer that.)

    And then there are the European privacy laws, some of which make US laws look lax.

    Rather than use Adobe DE 4, I would suggest using an app provided by Amazon, Google, Apple, or Kobo.

    None of those 4 platforms are susceptible to Adobe’s security hole.

    Reply
  31. Tomi Engdahl says:

    Why do contextual ads fail?
    http://www.computerworld.com/article/2690822/security0/why-do-contextual-ads-fail.html

    Companies like Google, Facebook and Amazon violate our privacy in order to show us relevant ads. So why do their ads miss the mark?

    Hackers take our privacy away when they breach the companies we do business with.

    Governments take our privacy away when they conduct mass surveillance or industrial espionage.

    And companies like Google, Facebook and Amazon take our privacy away when they harvest our personal data and monitor our online and offline actions to serve contextual ads and content to us.

    Reply
  32. Tomi Engdahl says:

    Twitter sues U.S. government over limits on ability to disclose surveillance orders
    http://www.washingtonpost.com/world/national-security/twitter-sues-us-government-over-limits-on-ability-to-disclose-surveillance-orders/2014/10/07/5cc39ba0-4dd4-11e4-babe-e91da079cb8a_story.html

    Twitter, the world’s largest microblogging platform, on Tuesday sued the U.S. government, alleging that the Justice Department’s restrictions on what the company can say publicly about the government’s national security requests for user data violate the firm’s First Amendment rights.

    Reply
  33. Tomi Engdahl says:

    Symantec Said to Explore Split Into Security, Storage Cos
    http://www.bloomberg.com/news/2014-10-07/symantec-said-to-explore-split-into-security-storage-cos.html?alcmpid=breakingnews

    Symantec Corp. (SYMC) is exploring a breakup, according to people with knowledge of the matter, joining other large technology companies that are trying to make their businesses more focused and nimble.

    The Mountain View, California-based software company is in advanced talks to split up its business into two entities, with one that sells security programs and another that does data storage, said the people, who asked not to be identified because the conversations are private. An announcement may be a few weeks away, one of the people said.

    Reply
  34. Tomi Engdahl says:

    Adobe’s e-book reader sends your reading logs back to Adobe—in plain text [Updated]
    Digital Editions even tracks which pages you’ve read. It might break a New Jersey Law.
    http://arstechnica.com/security/2014/10/adobes-e-book-reader-sends-your-reading-logs-back-to-adobe-in-plain-text/

    Adobe’s Digital Editions e-book and PDF reader—an application used by thousands of libraries to give patrons access to electronic lending libraries—actively logs and reports every document readers add to their local “library” along with what users do with those files. Even worse, the logs are transmitted over the Internet in the clear, allowing anyone who can monitor network traffic (such as the National Security Agency, Internet service providers and cable companies, or others sharing a public Wi-Fi network) to follow along over readers’ shoulders.

    Ars has independently verified the logging of e-reader activity with the use of a packet capture tool. The exposure of data was first discovered by Nate Hoffelder of The Digital Reader, who reported the issue to Adobe but received no reply.

    Update, 6:23 PM ET: An Adobe spokesperson now says the company is working on an update. “In terms of the transmission of the data collected, Adobe is in the process of working on an update to address this issue,” the spokesperson said in an email to Ars Technica. “We will notify you when a date for this update has been determined.”

    Reply
  35. Tomi Engdahl says:

    Secret ad beacon network uncovered, shut down in New York City
    http://www.networkworld.com/article/2691964/opensource-subnet/secret-ad-beacon-network-uncovered-shut-down-in-new-york-city.html

    The discovery of secret beacons installed in New York City pay phone booths opens up some questions.

    For almost a year, a company called Titan has operated a network of advertising beacons, devices that are capable of identifying nearby smartphones and which are often used to push advertisements and information to them, installed within pay phone booths throughout New York City without the knowledge of its residents, BuzzFeed News reported today.

    BuzzFeed discovered the beacons with an Android app called iBeacon Detector, which shows information about beacons operating within reach of the device on which the app is installed. With the app, BuzzFeed uncovered more than 13 of Titan’s beacons operating “on a 20-block stretch along Broadway and Sixth Avenue” in Manhattan. A spokesman for New York City’s Department of Information Technology and Communications (DoITT) told BuzzFeed that Titan had installed about 500 of the devices throughout the city.

    Since the report was published this morning, a spokesman for New York Mayor Bill de Blasio told BuzzFeed that the city of New York has ordered Titan to remove the beacons from the phone booths.

    Reply
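    Added example (not code from the BuzzFeed or Network World stories quoted in comments 29 and 35): a parser for the iBeacon advertisement frame, the “simple signal” a scanner app such as iBeacon Detector decodes to identify a beacon. The frame layout is Apple’s published iBeacon format; the sample frame and its UUID are constructed, and the range estimate is a simple log-distance path-loss model added here. Gimbal beacons may also broadcast a proprietary frame type, which this parser does not handle.

```python
"""Decode the iBeacon advertisement frame that a beacon broadcasts and a
scanner app (such as iBeacon Detector) listens for.

Added example, not code from the articles above. The layout is Apple's
published iBeacon format; SAMPLE_FRAME and its UUID are constructed values.
Note the asymmetry: the beacon only transmits. A phone is "tracked" when an
app on the phone reports which beacon IDs it has heard, not by the beacon.
"""
import struct
import uuid
from dataclasses import dataclass
from typing import Iterator, Optional, Tuple

AD_TYPE_MANUFACTURER = 0xFF   # BLE AD type: manufacturer-specific data
APPLE_COMPANY_ID = 0x004C     # Bluetooth SIG company identifier for Apple
IBEACON_TYPE = 0x02           # iBeacon sub-type inside Apple's manufacturer data
IBEACON_LEN = 0x15            # 21 bytes follow: UUID(16) + major(2) + minor(2) + tx(1)


@dataclass(frozen=True)
class IBeacon:
    proximity_uuid: str
    major: int
    minor: int
    tx_power: int  # calibrated RSSI at 1 m, in dBm (signed byte)


def iter_ad_structures(payload: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (ad_type, data) for each length-prefixed AD structure in an advertising payload."""
    i = 0
    while i < len(payload):
        length = payload[i]
        if length == 0:       # a zero-length structure marks padding; nothing meaningful follows
            break
        end = i + 1 + length
        if end > len(payload):
            raise ValueError("truncated AD structure at offset %d" % i)
        yield payload[i + 1], payload[i + 2:end]
        i = end


def parse_ibeacon(payload: bytes) -> Optional[IBeacon]:
    """Return the beacon identity if the frame carries an iBeacon structure, else None."""
    for ad_type, data in iter_ad_structures(payload):
        if ad_type != AD_TYPE_MANUFACTURER or len(data) != 25:
            continue
        company_id = struct.unpack_from("<H", data, 0)[0]        # company ID is little-endian
        if company_id != APPLE_COMPANY_ID:
            continue
        if data[2] != IBEACON_TYPE or data[3] != IBEACON_LEN:
            continue
        proximity_uuid = str(uuid.UUID(bytes=data[4:20]))
        major, minor, tx_power = struct.unpack_from(">HHb", data, 20)  # iBeacon fields are big-endian
        return IBeacon(proximity_uuid, major, minor, tx_power)
    return None


def estimate_distance_m(rssi: int, tx_power: int, path_loss_exponent: float = 2.0) -> float:
    """Rough range from the log-distance path-loss model (assumption: free-space exponent 2)."""
    return 10 ** ((tx_power - rssi) / (10.0 * path_loss_exponent))


# Constructed sample frame: a Flags structure followed by an iBeacon manufacturer structure.
SAMPLE_FRAME = bytes.fromhex(
    "020106"                              # len 2, type 0x01 Flags, LE General Discoverable
    "1aff" "4c00" "0215"                  # len 26, type 0xFF, Apple 0x004C, iBeacon type, length 0x15
    "0123456789abcdef0123456789abcdef"    # 16-byte proximity UUID (constructed value)
    "0001" "002a"                         # major 1, minor 42
    "c5"                                  # TX power -59 dBm (two's complement)
)

if __name__ == "__main__":
    beacon = parse_ibeacon(SAMPLE_FRAME)
    print(beacon)
    if beacon:
        print("approx. %.1f m away at RSSI -79" % estimate_distance_m(-79, beacon.tx_power))
```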
  36. Tomi Engdahl says:

    Credit card thieves setting up safe seller certifications
    Researchers hit Tor, find sophisticated self-regulating market
    http://www.theregister.co.uk/2014/10/08/carder_reputation_key_to_cop_crackdown/

    Breakpoint In the world of carding, you get what you pay for: stolen cards are cheaper on riskier public trading forums and more pricey on closed more reliable markets, according to recent analysis.

    Research presented at DEF CON this year revealed that the price of stolen credit cards dropped as the risk of bogus sales increased, a reference to the difference between public carder sites and vetted, invite-only underground stores.

    “The idea of signals to identify who may be a more or less reputable seller is vital for law enforcement and extra-legal market disruption, so our findings should be useful in that respect,”

    Reply
  37. Tomi Engdahl says:

    Infected ATMs Give Away Millions of Dollars Without Credit Cards
    http://it.slashdot.org/story/14/10/07/215222/infected-atms-give-away-millions-of-dollars-without-credit-cards

    Kaspersky Lab performed a forensic investigation into cybercriminal attacks targeting multiple ATMs around the world. During the course of this investigation, researchers discovered the Tyupkin malware used to infect ATMs and allow attackers to remove money via direct manipulation, stealing millions of dollars.

    Infected ATMs gave away millions of dollars
    http://blog.kaspersky.com/tyupkin-atm-malware/

    What do you need in order to withdraw cash from an ATM? First, you need to have a debit or credit card, which acts as a key to your bank account. Second, you must know the PIN code associated with the card; otherwise, the bank wouldn’t approve the transaction. Finally, you need to have some money in your account that you can withdraw. However, hackers do things differently: they don’t need cards, PIN codes or bank accounts to get money. In reality, all they need is an ATM with some cash in it and a special piece of software.

    Infected ATMs give away millions of dollars without credit cards
    http://www.net-security.org/malware_news.php?id=2880
    Posted on 07.10.2014
    Kaspersky Lab performed a forensic investigation into cybercriminal attacks targeting multiple ATMs around the world. During the course of this investigation, researchers discovered the Tyupkin malware used to infect ATMs and allow attackers to remove money via direct manipulation, stealing millions of dollars.

    “Over the last few years, we have observed a major upswing in ATM attacks using skimming devices and malicious software. Now we are seeing the natural evolution of this threat with cyber-criminals moving up the chain and targeting financial institutions directly. This is done by infecting ATMs themselves or launching direct APT-style attacks against banks. The Tyupkin malware is an example of the attackers taking advantage of weaknesses in the ATM infrastructure,”

    Reply
  38. Tomi Engdahl says:

    Facebook, Twitter and Google to attend EU anti-extremist meeting
    http://www.bbc.com/news/technology-29505103

    A “private” dinner between tech firms and government officials from across the EU is to take place on Wednesday.

    The purpose of the meeting is to discuss ways to tackle online extremism, including better cooperation between the EU and key sites.

    Twitter, Google, Microsoft and Facebook will all be attending in Luxembourg.

    Governments are becoming increasingly concerned over how social media is being used as a recruitment tool by radical Islamist groups.

    In particular, it said the meeting would focus on:

    “the challenges posed by terrorists’ use of the internet and possible responses: tools and techniques to respond to terrorist online activities, with particular regard to the development of specific counter-narrative initiatives”
    “internet-related security challenges in the context of wider relations with major companies from the internet industry, taking account due process requirements and fundamental rights”
    “ways of building trust and more transparency”

    The BBC understands this is the second time since July that the firms have been called in to discuss possible measures.

    Reply
  39. Tomi Engdahl says:

    Revealed: The malware used to drain ‘MILLIONS of dollars’ from ATMs
    This is what happens if you don’t lock down your cash machines
    http://www.theregister.co.uk/2014/10/08/atm_hack_report/

    Thieves are using malware dubbed Tyupkin to empty cash machines and make off with millions of dollars, we’re told.

    The crims don’t need to use stolen or cloned cards. Instead, fraudsters infect the ATM’s on-board PC, and then later type a special combination of digits on the PIN keypad to drain the machine of banknotes, according to researchers at Kaspersky Lab.

    Scams of this type were first recorded in Mexico, but they have now expanded in scope. Kaspersky Lab is calling on banks to review their physical security measures to stamp out the thefts.

    Experts at the Russian security firm were called in by a financial institution to investigate the disappearance of cash from its ATMs around the world. During this probe, the researchers discovered a piece of malware installed on the machines that allowed criminals to loot the devices. Some 50 infected ATMs were found in eastern Europe. Policing agency Interpol is now involved.

    First, the crims must gain physical access to the inside of the 32-bit Windows-powered ATM, and insert a bootable CD to install the Tyupkin malware. After they reboot the system, the infected cash machine is under their control.

    The malware runs unseen in the background while awaiting instructions. Tyupkin only accepts commands at specific times on Sunday and Monday nights.

    When a command to wake up the malware is typed at the keypad, a random number is shown. To proceed, the thief must type into the keypad a valid key value derived from the random number.

    If the thief doesn’t know how to calculate the unlock key from the random seed, he or she can phone a crime boss who knows the algorithm and does the maths: this ensures the boss’s money-collecting mules are unable to carry out the scam alone – they need help in converting the random numbers into unlock keys.

    “Over the last few years, we have observed a major upswing in ATM attacks using skimming devices and malicious software,”

    Reply
  40. Tomi Engdahl says:

    What’s happened since Beijing’s hacker unit was exposed? Nothing
    Snowden gets PLA 61398 off the hook, but it’s now hacking harder than ever
    http://www.theregister.co.uk/2014/10/08/whats_happened_since_beijings_hacker_unit_was_exposed_nothing/

    Chinese hacker unit PLA 61398 is hacking US companies harder than ever after bilateral talks between Beijing and Washington were interrupted by Snowden leaks, according to Mandiant boss Kevin Mandia.

    The hack squad, also known as APT1, was subject to a high profile exposure by the company in February last year. Its state-sponsored members were revealed to have leached hundreds of terabytes of data from hacked US companies from a Shanghai office block surrounded by restaurants and massage parlours.

    Western media coverage of the hacks was plentiful, prompting US President Barack Obama to state on TV that the US was engaged in “tough talks” with China over state-sponsored attacks, and a US bill to be signed banning the acquisition of Chinese state-owned technology by US Government agencies.

    But those talks had no effect, chief executive Kevin Mandia says.

    “Seven years of history, 141 victim companies, a tonne of evidence, and we published,” Mandia said. “Fast forward a year later, and here’s what happened: Nothing.”

    Reply
  41. Tomi Engdahl says:

    Want the EU to work on making cloud snoop-proof? Speak up, my good ‘stakeholder’
    That means you
    http://www.theregister.co.uk/2014/10/06/want_the_eu_to_work_on_making_cloud_snoopproof_nows_your_chance_to_say_so/

    The public has less than two weeks to respond to one of the vaguest European Commission consultations ever… but one that will decide where the Commish spends its money.

    The deadline for submissions to the public consultation on Cloud Computing and Software has been extended by a week to 17 October. But unlike many consultations, there are no questions or specific guidelines, so anyone (known in Commissionspeak as “stakeholders”) can say whatever they want… within 3,600 characters.

    The consultation will “help define future research priorities in the areas of cloud computing and software (including Open Source)”,

    According to the Commission, cutting through the “jungle” of technical standards, developing safe and fair contract terms and conditions, and establishing a European Cloud Partnership could result in 2.5 million new jobs as well as an annual EU GDP boost of €160bn by 2020.

    Reply
  42. Tomi Engdahl says:

    A mistake by Russian-speaking cyber-criminals gave the security company Proofpoint significant clues about a criminal operation in which 800 000 online banking accounts were stolen. The stolen online banking accounts included those of a number of large American and European banks. It is not known how much money the criminals have seized. Proofpoint estimates that the amount may be very significant.

    A report published by Proofpoint says cyber criminals have planted malicious code on a large number of WordPress sites. It loads malware called Qbot onto the devices of unsuspecting website visitors. More than half of the malware-infected computers used Windows XP and most of the browsers were Internet Explorer.

    Qbot uses a hooking method: the Internet banking connection is encrypted using SSL/TLS, but Qbot reads the contents in the browser after the browser has decrypted them.

    Proofpoint got wind of the criminal network’s operation by gaining access to its unprotected control panel server (a stupid mistake by the criminals, but not a rare one).

    WordPress sites are popular with many cyber-criminals, since updating of the site is often neglected.

    Source: http://www.tivi.fi/kaikki_uutiset/kyberrikolliset+mokasivat++800+000+uhria+vaatinut+operaatio+paljastui/a1017966

    Reply
  43. Tomi Engdahl says:

    Adobe spies on reading habits over unencrypted web because your ‘privacy is important’
    Is Adobe facing its Sony rootkit moment?
    http://www.theregister.co.uk/2014/10/08/adobe_says_it_slurps_ebook_data_in_plain_text_because_privacy_is_important/

    Adobe confirmed its Digital Editions software insecurely phones home your ebook reading history to Adobe – to thwart piracy.

    And the company insisted the secret snooping is covered in its terms and conditions.

    Version 4 of the application makes a note of every page read, and when, in the digital tomes it accesses, and then sends that data over the internet unencrypted to Adobe.

    This Orwellian mechanism was spotted by Nate Hoffelder of The Digital Reader blog.

    “All information collected from the user is collected solely for purposes such as license validation and to facilitate the implementation of different licensing models by publishers,” Adobe said in a statement.

    “User privacy is very important to Adobe, and all data collection in Adobe Digital Editions is in line with the end user license agreement and the Adobe Privacy Policy.”

    This statement raised a number of questions – chiefly that if privacy is so important, why is the information being sent in plaintext so that anyone along the network can read it?

    Hoffelder claimed Digital Editions 4 slurped and leaked the metadata of all the ebooks on his system – not just the ones read using the application. Adobe said this shouldn’t be possible, but has its developers checking again to make sure this isn’t a bug.

    While the EULA does appear to give Adobe the authority to collect this data, it’s clear from our comments section that readers aren’t happy with the situation. Neither is the EFF, which is calling ADE 4 spyware.

    “Sending this information in plaintext undermines decades of efforts by libraries and bookstores to protect the privacy of their patrons and customers,” said Corynne McSherry, the EFF’s intellectual property director.

    But, she says, there may be a silver lining to Adobe’s data grab. It’s possible that Adobe could be facing the kind of PR fiasco that followed Sony’s 2005 decision to build a rootkit into its CDs for DRM purposes.

    Reply
  44. Tomi Engdahl says:

    McAfee Reveals Jimmy Kimmel As the Most Dangerous Cyber Celebrity of 2014
    http://www.mcafee.com/us/about/news/2014/q4/20141001-01.aspx?culture=EN-US&cid=157736

    Jimmy Kimmel, comedian and late night host of Jimmy Kimmel Live, replaces Lily Collins (Mirror, Mirror) as McAfee’s most dangerous celebrity to search for online.

    “Most consumers are completely unaware of the security risks that exist when searching for celebrity and entertainment news, images and videos online, sacrificing safety for immediacy,” said Gary Davis, chief consumer security evangelist at McAfee. “Cybercriminals capitalize on consumers’ attention to breaking celebrity news and leverage this behavior to lead them to unsafe sites that can severely infect their computers and devices and steal personal data.”

    “Celebrity names coupled with the terms ‘video’ and ‘picture’ are some of the most-searched terms on the Internet,

    Reply
  45. Tomi Engdahl says:

    US Says It Can Hack Foreign Servers Without Warrants
    http://yro.slashdot.org/story/14/10/08/0432240/us-says-it-can-hack-foreign-servers-without-warrants

    Advocatus Diaboli tips news that the U.S. government is now arguing it doesn’t need warrants to hack servers hosted on foreign soil. At issue is the current court case against Silk Road operator Ross Ulbricht. We recently discussed how the FBI’s account of how they obtained evidence from Silk Road servers didn’t seem to mesh with reality.

    US says it can hack into foreign-based servers without warrants
    Feds say it would have been “reasonable” for FBI to hack into Silk Road servers.
    http://arstechnica.com/tech-policy/2014/10/us-says-it-can-hack-into-foreign-based-servers-without-warrants/

    The US government may hack into servers outside the country without a warrant, the Justice Department said in a new legal filing in the ongoing prosecution of Ross Ulbricht. The government believes that Ulbricht is the operator of the Silk Road illicit drug website.

    Monday’s filing in New York federal court centers on the legal brouhaha of how the government found the Silk Road servers in Iceland. Ulbricht said last week that the government’s position—that a leaky CAPTCHA on the site’s login led them to the IP address—was “implausible” and that the government (perhaps the National Security Agency) may have unlawfully hacked into the site to discover its whereabouts.

    Reply
  46. Tomi Engdahl says:

    Department of Defense May Give Private Cloud Vendors Access To Top Secret Data
    http://yro.slashdot.org/story/14/10/08/0247227/department-of-defense-may-give-private-cloud-vendors-access-to-top-secret-data

    An anonymous reader sends news that the U.S. Department of Defense is pondering methods to store its most sensitive data in the cloud. The DoD issued an information request (PDF) to see whether the commercial marketplace can provide remote computing services for Level 5 and Level 6 workloads,

    U.S. Department of Defense considers giving private Cloud vendors access to top secret data
    http://thestack.com/department-of-defense-considers-private-cloud-vendors-top-secret-data-071014

    The U.S. government is reviewing two possible scenarios whereby private cloud suppliers and facilitators would receive access to Level 5 and 6 information workloads – the most sensitive of government data.

    A newly published Request For Information document reveals that the U.S. Department of Defense [DoD] is particularly interested in collaborating with the private sector on block storage systems and virtual machine management.

    In the first scenario, a Data Centre Leasing Model (DCLM), cloud vendors would lease rack space in data centres run by the DoD, and provide services entirely from within that secure facility.

    Reply
  47. Tomi Engdahl says:

    Europol Predicts First Online Murder By End of This Year
    http://yro.slashdot.org/story/14/10/07/2336229/europol-predicts-first-online-murder-by-end-of-this-year

    The world’s first “online murder” over an internet-connected device could happen by the end of this year, Europol has warned. Research carried out by the European Union’s law enforcement agency has found that governments are not equipped to fight the growing threat of “online murder,” as cyber criminals start to exploit internet technologies to target victims physically.

    First online murder to happen by the end of 2014, warns Europol
    http://thestack.com/first-online-murder-by-end-of-2014-europol-071014

    The world’s first ‘online murder’ over an internet-connected device could happen by the end of this year, Europol has warned.

    Research carried out by the European Union’s law enforcement agency has found that governments are not equipped to fight the growing threat of ‘online murder,’ as cyber criminals start to exploit internet technologies to target victims physically.

    The study, which was published last week, analysed the possible physical dangers linked to cyber criminality and found that a rise in ‘injury and possible deaths’ could be expected as computer hackers launch attacks on critical connected equipment.

    In addition to potential physical damage, the Europol report predicted that an increase in new ways of blackmail and extortion could ensue as we move into an IoT-led economy. People targeted by criminals could be locked out of their homes and cars before they hand over a ransom.

    “The Internet of Everything represents a whole new attack vector that we believe criminals will already be looking for ways to exploit,” the Europol threat assessment stated.

    “The IoE is inevitable. We must expect a rapidly growing number of devices to be rendered ‘smart’ and thence to become interconnected. Unfortunately, we feel that it is equally inevitable that many of these devices will leave vulnerabilities via which access to networks can be gained by criminals,” the report said.

    “There’s already this huge quasi-underground market where you can buy and sell vulnerabilities that have been discovered,” explained Rod Rasmussen, the president of IID.

    Reply
  48. Tomi Engdahl says:

    Sir Tim Berners-Lee defends decision not to bake security into www
    ‘The idea that privacy is dead is hopelessly sad’
    http://www.theregister.co.uk/2014/10/08/sir_tim_bernerslee_defends_decision_not_to_bake_security_into_www/

    Sir Tim Berners-Lee has defended his decision not to build in security at the onset of the world wide web.

    It’s easy to be wise in hindsight, but Sir Tim explained that at the point he invented the world wide web 25 years ago, he wanted to create a platform that developers would find familiar and easy to use. Baking in security at that point might have worked against that goal, he said.

    “[The web] might not have taken off if it had been too difficult,” he told an audience at IPExpo Europe this morning.

    Sir Tim’s views are in contrast with those of another internet pioneer, Vint Cerf, who recently said he regretted not building in security to basic internet protocols. Berners-Lee strongly supported the current push towards always-on crypto (https) for websites now underway, so his differing views are more to do with timing and priorities than principles.

    “The idea that privacy is dead is hopelessly sad,” Sir Tim Berners-Lee said. “We have to build systems that allow for privacy.”

    “People have the right to see how their data is being used,” he said, adding that he prefers to talk about “rich data” rather than Big Data.

    “We should build a world where I have control of my data and sell it to you. Users should have control, access to and ownership of their data,” Berners-Lee said.

    Reply
  49. Tomi Engdahl says:

    Sophos gulps down hot Mojave, will puff out more secure clouds
    Safer cloudy stuff for ALL. Except non-Sophos customers
    http://www.theregister.co.uk/2014/10/08/sophos_absorbs_mojave_sticks_head_in_the_clouds/

    Sophos has slurped up the security firm Mojave Networks in a bid to develop the world’s strongest and most secure cloud.

    You should probably now get excited about data security.

    “Mojave Networks is a young innovative company that has built a leading platform right at the intersection of three cutting-edge areas of security: cloud, web security, and mobile,” gushed Kris Hagerman, Sophos CEO.

    Here’s a list of benefits Sophos customers can expect to receive when Mojave’s technology is integrated into its cloud, at some point during 2015:

    A cloud-based web filtering engine enabling full protection for web interactions without requiring additional on-site technology

    Near instantaneous protection from emerging threats by supplying real-time threat intelligence from the cloud

    A zero-compromise approach to security across Windows, Mac, iOS, and Android devices, delivering context-awareness, visibility and seamless protection

    “We are proud of the work we’ve done at Mojave to pioneer a cloud-based approach to mobile and web security that offers unrivaled protection from malicious threats, security for mobile workers, and uniform policies across platforms,”

    Reply
  50. Tomi Engdahl says:

    Cryptolocker takes down Australian news channel
    Airs rocked by virus which can burrow into playout computers
    http://www.theinquirer.net/inquirer/news/2374558/cryptolocker-takes-down-australian-news-channel

    AN AUSTRALIAN ROLLING NEWS channel was taken abruptly off air last night after the Cryptolocker ransomware virus was accidentally let loose in the company’s computer systems.

    The Australian Broadcasting Company (ABC), along with a number of other Australian public services, has been targeted recently by coordinated phishing emails.

    A member of staff appears to have opened one, possibly relating to a utility bill or delivery, and chaos ensued with ABC News 24 off the air for a time on Tuesday morning.

    The station broadcasts east coast and west coast feeds, and the Sydney studios were pulled offline.

    It is understood that the attacks began with Australian postal service Auspost before progressing to utility providers and then the media.

    Reply
