Security trends for 2014

Year 2014 will be a year of cybersecurity after the NSA revelations made in 2013. The headline news is that the NSA has surreptitiously “burrowed its way into nearly all the security architecture” sold by the world’s largest computer networking companies. A lot of people were shocked by how the NSA monitored and hacked almost everything on the Internet. There will still be NSA aftershocks as new material comes out and different parties react to it (and news sources write about it). U.S. cloud services have been put into question for good reason. There will be a lot of NSA spying litigation. Those spying issues will also fuel some hacktivism (it has already started to happen).

The Security Professionals: Top Cyber Threat Predictions for 2014 article lists the following predictions that seem pretty probable: Cybersecurity Regulatory Efforts Will Spark Greater Need for Harmonization, Service-Impacting Interruptions for Online Services Will Persist, We Will See an Increase in Cybercrime Activity Related to the World Cup, Rise of Regional Cloud Services, Dev-Ops Security Integration Fast Becoming Critical, Cybercrime that Leverages Unsupported Software will Increase, Increase in Social Engineering and Ransomware will Impact More People.

Ubiquitous mobile computing is all around us, which will lead to increased risks and concerns about social network privacy. Social networks have quickly become the key organizing principle of Internet communication and collaboration. Android anti-virus apps CAN’T kill nasties on sight like normal AV.

2013 was a heavily hacked year, with many cases where information on millions or tens of millions of users was stolen from companies. It’s likely that we will see much more of the same in 2014, since the way people use passwords and the way on-line services are built have not changed much in one year.


Gartner predicts that through 2014, improved JavaScript performance will begin to push HTML5 and the browser as a mainstream enterprise application development environment. I expect HTML5-related security issues to increase because the technology will be used more in 2014.

Over 50% of net traffic to web sites is made by bots! The More Than Half of Internet Traffic Is Just Bots article says that security and cloud service provider Incapsula analyzed traffic and found that more than 60 percent of internet traffic is computer generated, compared to less than 40 percent of traffic that is driven by human clicks. 31% of bots are still malicious. SEO link building has always been a major motivation for automated link spamming, but it is decreasing because Google has been able to discourage it. There is more advanced hacking and automated vulnerability scanning.

DDoS attacks are evolving from volumetric Layer 3-4 attacks to much more sophisticated and dangerous Layer 7 multi-vector threats.

There will still be many SCADA security issues in 2014. Even though traditional SCADA vulnerabilities have become easier to find, the increased connectivity brought by IoT will cause new issues. And there will still be very many control systems openly accessible from the Internet to practically anybody who knows how to find them. A large number of SCADA systems were found open on the Internet at the beginning of 2013, and the numbers have not dropped considerably during the year. I expect that very many of those systems will still be too open at the end of 2014.

The Internet is expanding into enterprise assets and consumer items such as cars and televisions. The Internet of Things (IoT) will evolve into the Web of Things, increasing the coordination between things in the real world and their counterparts on the Web. There will be many security issues to solve, and as these systems become more widely used, more security issues will be found in them.

Cloud security will be talked about. Hopefully the terminology in that area will get cleared up, because, like the term cloud computing, cloud security can mean a lot of things. Cloud security could mean how secure your cloud provider is, a service running in the cloud that filters what passes through it (for example e-mails or web traffic), a product protecting some service running in the cloud, or a traditional anti-virus product that connects to the cloud to improve its operation (for example to update in real time or to verify unknown programs against data in the cloud). Research firm Gartner forecasts that cloud security sales will increase dramatically in the next few years. Cloud security sales have increased over the past year by 2.1 billion to $3.1 billion in 2015.

Marketers try to put the term “cloud” into security product brochures as much as they can. The cloud has made traditional information security sound old-fashioned, because companies are under pressure to move services to the cloud. Mobile devices and dispersed users also set new standards for information security. OpenDNS’s CTO Dan Hubbard says that “Because the data and equipment run in the cloud, the cloud is the best way to protect users.” The Snowden effect will also bring talk of PRIVATE clouds to the table this year for security reasons, because U.S. cloud services have been put into question for good reason.

In Finland a new Cyber Security Center started at the beginning of 2014. Security articles and warnings from it will be published at kyberturvallisuuskeskus.fi.

Late addition: Crypto-currencies like Bitcoin and similar are on the rise. Early adopters already use them actively. Those crypto-currencies have many security issues related to them. The values of crypto-currencies vary a lot, and the value easily drops considerably once they get so widely used that governments try to limit their use. Bitcoin is increasingly used as a ransomware payment method. Quite a lot of bitcoins have been stolen lately (and I expect that to increase as usage increases); they are stolen from users, from on-line wallets and from exchanges. When more money is involved, more bad guys try to get in to grab some of it. Sometimes bad guys do not try to steal your money, but use resources you pay for (your own PC, your server capacity, etc.) to generate money for them without you knowing about it. If you plan to use those crypto-currencies, be careful to understand what you are doing with them; there is a real possibility that you can lose your money, and there is no way that lost money can be recovered.

3,382 Comments

  1. Tomi Engdahl says:

    Hackers use Ebola outbreak to trick users into downloading malware
    Bogus World Health Organisation emails loaded with malware
    http://www.theinquirer.net/inquirer/news/2377496/hackers-use-ebola-outbreak-to-trick-users-into-downloading-malware

    CYBER CRIMINALS are taking advantage of the recent Ebola outbreak to trick unsuspecting web users into downloading malware sent in emails that purport to come from the World Health Organisation (WHO).

    Uncovered by security researchers at Trustwave, the malware was flagged when it appeared that criminals had crafted bogus WHO emails encouraging people to open a .RAR attachment to find out how they can protect themselves against Ebola.

    “Upon closer inspection, the RAR compressed file attachment is not a document file but an executable file of a DarkComet Remote Access Trojan,”

  2. Tomi Engdahl says:

    Spam Campaign Taking Advantage of Ebola Scare May Lead To Malware Infections
    http://blog.spiderlabs.com/2014/10/spam-campaign-taking-advantage-of-ebola-scare-may-lead-to-malware-infections.html

    Cybercriminals have inevitably taken advantage of the publicization of the Ebola virus in the news for several months. We’ve spotted a couple of malicious spam samples

    Upon closer inspection, the RAR compressed file attachment is not a document file but an executable file of a DarkComet Remote Access Trojan (RAT). This Trojan makes use of its heavily obfuscated AutoIt-based script to run undetected by antivirus software.

    The Backdoor Trojan saves key logs to a folder in the Application data directory

    Other than keylogging, it is capable of the following backdoor functionalities:

    Webcam Capture
    Sound Capture
    Remote Desktop
    Upload and Execute files
    Get System Information
    Modify system host files
    Execute shell commands
    Steal passwords and torrent files
    List processes
    Remote scripting

    The RAT then sends all of this stolen information to a remote server with the IP address of 5.254.112.46 at port 3030.

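The SpiderLabs write-up quoted above ends with the one thing a defender can act on right away: the RAT reports to 5.254.112.46 on port 3030. The following is an added example (not code from the post or from Trustwave) of turning that indicator into a scan over connection logs. The log format and the sample lines are constructed for the example; the indicator itself comes from the quoted article.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Network indicator from the quoted SpiderLabs post: the DarkComet sample
# sent its stolen data to this host and port. Kept as data so further
# indicators can be added without touching the matching logic.
C2_INDICATORS = {
    ("5.254.112.46", 3030): "DarkComet RAT C2 (Ebola spam campaign, Oct 2014)",
}

# Constructed sample of a firewall connection log. The field layout is an
# assumption for this example, not any vendor's real format.
SAMPLE_LOG = """\
2014-10-27T09:12:01Z ALLOW tcp 10.0.0.14:51234 -> 93.184.216.34:443
2014-10-27T09:12:07Z ALLOW tcp 10.0.0.14:51240 -> 5.254.112.46:3030
2014-10-27T09:12:09Z ALLOW udp 10.0.0.22:53012 -> 10.0.0.1:53
malformed line that the parser must skip
2014-10-27T09:13:44Z ALLOW tcp 10.0.0.31:49822 -> 5.254.112.46:3030
2014-10-27T09:14:02Z ALLOW tcp 10.0.0.31:49830 -> 5.254.112.46:80
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>\w+)\s+(?P<proto>\w+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)$"
)


@dataclass(frozen=True)
class Hit:
    timestamp: str
    src: str
    dst: str
    dport: int
    reason: str


def scan(lines: Iterable[str]) -> List[Hit]:
    """Return every connection that touches a known C2 host.

    An exact (host, port) match is reported with the indicator's description;
    any other port on the same host is still reported, because C2 operators
    move ports far more often than they move hosts.
    """
    hits = []
    c2_hosts = {ip for ip, _ in C2_INDICATORS}
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # unparseable line: skip rather than abort the whole scan
        dst, dport = m["dst"], int(m["dport"])
        if (dst, dport) in C2_INDICATORS:
            reason = C2_INDICATORS[(dst, dport)]
        elif dst in c2_hosts:
            reason = "traffic to known C2 host on unexpected port"
        else:
            continue
        hits.append(Hit(m["ts"], m["src"], dst, dport, reason))
    return hits


def infected_hosts(lines: Iterable[str]) -> List[str]:
    """Internal addresses that talked to a C2 host; these need triage."""
    return sorted({h.src for h in scan(lines)})


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(f"{hit.timestamp} {hit.src} -> {hit.dst}:{hit.dport}  {hit.reason}")
    print("hosts to triage:", infected_hosts(SAMPLE_LOG.splitlines()))
```

Matching on the host alone (second branch) is deliberate: once a sample's server is known, a connection to it on port 80 is as suspicious as one on 3030, and the keylogs the article mentions under Application Data are what to look for on the flagged machines.
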
  3. Tomi Engdahl says:

    Why You Should Hold On to Your Encryption Keys
    http://www.saasintheenterprise.com/author.asp?section_id=2801&doc_id=275217&

    Who needs encryption? It’s tough to do, it slows things down, and it costs a lot of effort to manage it, and there’s more than a suspicion that the NSA compromised it anyway. Unfortunately, despite all of this, it is truly crucial to encrypt key data that is stored anywhere in your computer portfolio.

    One reason to encrypt has been hitting news headlines recently. Target, Home Depot, Kmart, and JPMorgan all got hacked. It seems clear that, once the hackers penetrated the firewall, they had open access to all the data in the system.

    It’s been argued that moving data to the cloud makes it more vulnerable. That’s an urban myth. All four failures I listed above were failures of inhouse systems. The reality is that large public cloud providers can afford to spend a lot more on security than even these major corporations. The public cloud may be more secure than your own shop.

    Protecting data from hackers is difficult. Systems software is so complex that vulnerabilities abound. Keeping the black hat guys out is near impossible, so the best solution for protecting important data is to make it unreadable by encryption.

    Data needs to be protected both while it is at rest on storage and while it is in transit in any public networks. The first is obvious. A static target is an easy target. In transit, risk comes from man in the middle attacks, where a node in the communications path is subverted.

    SDN is the new wave on the near horizon for networking. The dispersion of the software stacks for networking over a farm of virtual machines, coupled with the much wider range of software vendors delivering control code for networking, will likely make networks more prone to attack, at least for a while. There could be a pressing need to encrypt in-transit data while on in-house networks, too.

    SaaS has its own needs. Providers will run SaaS in public clouds, which means that data must be decrypted in the cloud. This raises the question of key ownership, and life gets complicated. Most CSPs offer an encryption-at-rest service. This works by using self-encrypting drives, and the key management is controlled completely by the service.

    This approach has limited value. Key privacy can be broken by CSP staff, or by the SaaS vendor’s people, making the data vulnerable. It’s a fact that a large number of data breaches are inside jobs, so this isn’t a minor risk.

    Data in transit remains unprotected with this method. The alternative is that the user of the SaaS service carries the keys, and provides them to open up the service. Ideally, this would allow data to be kept encrypted until it is read into the server(s) running the SaaS application.

    With keys in a user’s hands, the requirements of compliance laws and regulations can be properly met. Still, no one wants to remember a 16-digit key, and be called in the middle of the night to restart a service. The answer is to deploy a key manager designed to service this type of setup.

  4. Tomi Engdahl says:

    Amazon’s AWS opens data center in Germany – just as we said
    Scalability away from Uncle Sam, in theory
    http://www.theregister.co.uk/2014/10/23/aws_frankfurt_region/

    Amazon’s European mainland customers wary of US spies can now build scalable clouds on AWS and stay entirely on the Continent. The giant today announced the opening of a data centre in Frankfurt, Germany – just as we reported it would in July.

    The data centre – or “region” as Amazon calls them – is the company’s second in the EU; the first was built in Dublin, Ireland. The region is Amazon’s 11th worldwide.

    Opening the data centre, Amazon stressed data privacy, saying customers’ content can now fall entirely under the umbrella of European Union data protection laws and outside the reach of some United States regulations

  5. Tomi Engdahl says:

    Moscow, Beijing poised to sign deal on joint cyber security ops
    Russian, Chinese security projects on the horizon
    http://www.theregister.co.uk/2014/10/24/moscow_beijing_poised_to_sign_deal_on_joint_cyber_security_ops/

    Moscow and Beijing will next month sign a deal to commence joint information security projects and operations, and to increase cooperation in the space, according to a popular Russian newspaper with ties to President Vladimir Putin.

    A draft treaty apparently outlines mutual agreement to the use of online operations to interfere with independent states in a bid to undermine sovereignty or disrupt social, economic or political order.

  6. Tomi Engdahl says:

    Tracking a Bitcoin Thief
    http://yro.slashdot.org/story/14/10/23/2216201/tracking-a-bitcoin-thief

    A small group of researchers were able to publish an investigative report on the hacking of a popular Bitcoin exchange earlier this year by the name of CryptoRush.in. Close to a million dollars stolen in crypto currency led the group to discover evidence, track down the attacker and put together a timeline of what exactly happened.

    Tracking a Bitcoin Thief pt. I:
    Oct 22, 2014 8:37 am (Edited: Oct 24, 2014 12:50 am)
    The Philippine Connection
    and the Truth behind CryptoRush.in
    https://bitcomsec.true.io/bitcomsec/tracking-a-bitcoin-thief-cryptorush-hack/

  7. Tomi Engdahl says:

    Bitcoin Sites, WordPress and Security.
    https://bitcomsec.true.io/bitcomsec/bitcoin-sites-wordpress-and-security_48ab/

    I’ve come to realize that many Bitcoin merchants, exchanges and projects all tend to follow a criteria – 1) bootstrap 2) cloudflare 3) wordpress (for blog). Don’t get me wrong, this setup works but what does not work are default installations with no security hardening. Many of these setups are done automatically through control panels, and use installation scripts made to automate the entire process. What happens next is a slew of bugs will come to haunt you as your site grows and gets broader attention.

    Your first step to hardening WordPress is to make sure your setup is completely updated. This goes for themes, and plugins as well. Since the team over at WordPress have invested a lot of time into securing their base project they’ve been plagued indirectly through theme and plugin vulnerabilities.

    Only install themes and plugins you will actually use. Remove those that you will not use. Even disabled extensions remain in their respective directories and can still remain an attack vector to your operation.

    Hardening your Web Server (Apache)
    It is important to note that hardening your web server entails a few small changes and despite the inconvenience of having to modify configuration files, the end goal is legit – securing your infrastructure.

    Hardening PHP
    Although PHP is a very useful and powerful language it is not without faults – especially by default. Hardening its configuration requires locating your php.ini file

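The quoted post stops at "locating your php.ini file" without saying what to change in it. As an added example (not code from the post or from the bitcomsec authors), here is a small audit script that reads a php.ini and reports directives that disagree with a hardening baseline. The directive names are real php.ini directives; the baseline values are the usual production recommendations, chosen for this example rather than taken from the post, and the two ini samples are constructed.

```python
from typing import Dict, List, Optional, Tuple

# Strings PHP accepts as boolean true / false in ini files.
TRUE_WORDS = {"1", "on", "true", "yes"}
FALSE_WORDS = {"0", "off", "false", "no", "none", ""}

# Directive -> desired boolean value. Real php.ini directives; the desired
# values are this example's hardening baseline.
BASELINE = {
    "expose_php": False,            # don't advertise the PHP version in headers
    "display_errors": False,        # stack traces belong in logs, not in responses
    "log_errors": True,
    "allow_url_include": False,     # include()/require() of remote URLs
    "enable_dl": False,             # runtime loading of extensions
    "session.cookie_httponly": True,  # keep session cookies away from scripts
}

# Constructed sample of a permissive configuration.
WEAK_INI = """\
[PHP]
expose_php = On
display_errors = On
log_errors = Off
allow_url_include = On
enable_dl = On
session.cookie_httponly = 0
memory_limit = 128M
"""

# Constructed sample with the baseline applied; note the inline comment.
HARDENED_INI = """\
[PHP]
expose_php = Off
display_errors = Off   ; keep Off in production
log_errors = On
allow_url_include = Off
enable_dl = Off
session.cookie_httponly = 1
memory_limit = 128M
"""


def to_bool(value: str) -> Optional[bool]:
    """Interpret an ini value the way PHP does; None if it is not boolean."""
    v = value.strip().lower()
    if v in TRUE_WORDS:
        return True
    if v in FALSE_WORDS:
        return False
    return None


def parse_php_ini(text: str) -> Dict[str, str]:
    """Minimal php.ini reader: ';' comments, [sections], key = value."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # a ';' inside quotes is not handled
        if not line or line.startswith("["):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        settings[key.strip()] = value.strip().strip('"')
    return settings


def audit(text: str) -> List[Tuple[str, Optional[str], str]]:
    """Return (directive, current value, wanted value) for every deviation.

    A directive that is absent is reported too: the compiled-in default then
    applies, and that is rarely what you want to rely on.
    """
    settings = parse_php_ini(text)
    findings = []
    for directive, wanted in BASELINE.items():
        current = settings.get(directive)
        if current is None or to_bool(current) != wanted:
            findings.append((directive, current, "On" if wanted else "Off"))
    return findings


if __name__ == "__main__":
    for directive, current, wanted in audit(WEAK_INI):
        print(f"{directive}: is {current!r}, should be {wanted}")
```

Run it against the live file with `audit(open("/etc/php/php.ini").read())` (the path varies by distribution); an empty result means the baseline is met, and anything else is one line to change and a PHP-FPM or Apache reload.
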
  8. Tomi Engdahl says:

    NSA-Approved Samsung Knox Stores PIN in Cleartext
    http://threatpost.com/nsa-approved-samsung-knox-stores-pin-in-cleartext/109018

    A security researcher has tossed a giant bucket of ice water on Samsung’s thumbs up from the NSA approving use of certain Galaxy devices within the agency.

    The NSA’s blessing, given under the agency’s Commercial Solutions for Classified Program, meant that the Samsung Galaxy 4, 5 and Galaxy Note 3 and Note 10.1 2014 Edition cleared a number of security stipulations and could be used to protect classified data.

    The agency’s approval was also seen as a solid endorsement for Samsung’s Knox technology, which provides for separate partitions, or containers, on the Android devices in order to keep personal and business data from co-mingling. The containers have their own encrypted file systems as well, keeping secured apps separate from applications outside the container.

    An unnamed researcher, however, on Thursday published a lengthy report that claims a PIN chosen by the user during setup of the Knox App is stored in clear text on the device. Specifically, a pin.xml file stored in the ContainerApp stored on the device during setup contains the unencrypted PIN number.

    The report goes on to explain that the PIN can be used to retrieve a password hint.

    “Samsung really tried to hide the functionality to generate the key, following the security by obscurity rule,” the report says.

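The defect described above is the PIN sitting in pin.xml as plain text. As an added example (not Samsung's code, not code from the Threatpost article), the snippet below puts the criticised pattern next to the form a secret like this should take on disk: a salted, iterated hash that is verified in constant time. The record layout and the field names are this example's own.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional


def store_pin_cleartext(pin: str) -> str:
    """The pattern the report criticises: whoever can read the file reads the PIN.

    Constructed stand-in for a pin.xml-style record.
    """
    return f"<pin>{pin}</pin>"


# Hardened form: derive a verifier from the PIN instead of storing the PIN.
PBKDF2_ROUNDS = 200_000


def store_pin_hashed(pin: str, salt: Optional[bytes] = None) -> Dict[str, object]:
    """Return a record holding only salt and PBKDF2 output, never the PIN."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return {
        "kdf": "pbkdf2-sha256",
        "rounds": PBKDF2_ROUNDS,
        "salt": salt.hex(),
        "hash": digest.hex(),
    }


def verify_pin(record: Dict[str, object], candidate: str) -> bool:
    """Recompute the verifier and compare without leaking timing information."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        candidate.encode("utf-8"),
        bytes.fromhex(str(record["salt"])),
        int(record["rounds"]),
    )
    return hmac.compare_digest(digest.hex(), str(record["hash"]))


if __name__ == "__main__":
    print("cleartext record:", store_pin_cleartext("2580"))
    rec = store_pin_hashed("2580")
    print("hashed record:", rec)
    print("correct PIN accepted:", verify_pin(rec, "2580"))
    print("wrong PIN accepted:", verify_pin(rec, "2581"))
```

One caveat the code cannot fix: a four-digit PIN has only ten thousand values, so hashing stops casual disclosure but not an offline guess of every value once the record is copied off the device. That is why such verifiers belong behind a hardware-backed keystore or an attempt counter enforced by the device, not just in a better-formatted file.
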
  9. Tomi Engdahl says:

    On Backups
    http://www.eetimes.com/author.asp?section_id=182&doc_id=1324376&

    Recently I wrote about losing some files from the laptop while traveling. Some readers responded with suggestions like using git or some cloud solution. Those are not really realistic options when working on an airplane, though more and more flights are now WiFi-enabled.

    And I am quite suspicious of the cloud. While it surely has its merits and uses, it is yet another example of a new technology that we really don’t understand. The technology is clear, but legal and other implications are not.

    Where is the data stored? If any copy is stored in an out-of-country data center are you violating Federal laws regulating the export of technology? Data files are subject to these regulations, depending on their content.

    We know at least some cloud providers scan files looking for illegal material. A scan of a binary could incorrectly appear to be a forbidden .JPG. Are you willing to engage the FBI in an expensive legal battle even when they are wrong?

    Our backup strategy is multi-pronged and is designed to preserve files stupidly deleted or changed, to handle hard disk failures, and to be strong enough to survive some catastrophic event like a fire or zombie attack.

  10. Tomi Engdahl says:

    EU Court Rules Embedding YouTube Videos Is Not Copyright Infringement
    http://yro.slashdot.org/story/14/10/27/0051224/eu-court-rules-embedding-youtube-videos-is-not-copyright-infringement

    “The Court of Justice of the European Union has ruled that embedding a copyrighted YouTube video in your site is not copyright infringement.”

    Embedding Is Not Copyright Infringement, EU Court Rules
    By Ernesto
    on October 25, 2014
    Breaking
    http://torrentfreak.com/embedding-copyright-infringement-eu-court-rules-141025/

    The Court of Justice of the European Union handed down a landmark verdict this week. The Court ruled that embedding copyrighted videos is not copyright infringement, even if the source video was uploaded without permission.

    One of the key roles of the EU’s Court of Justice is to interpret European law to ensure that it’s applied in the same manner across all member states.

    This week the Court of Justice issued a landmark ruling on one such case that deals with a crucial and integral part of today’s Internet. Is it legal to embed copyrighted content without permission from the rightsholder?

    While EU law is clear on most piracy issues, the copyright directive says very little about embedding copyrighted works. The Court of Justice, however, now argues that embedding is not copyright infringement.

    The full decision has yet to be published officially by the Court’s website but TorrentFreak has received a copy (in German) from the defendants’ lawyer Dr. Bernhard Knies, who describes it as a landmark victory.

    The Court argues that embedding a file or video is not a breach of creator’s copyrights under European law, as long as it’s not altered or communicated to a new public. In the current case, the video was already available on YouTube so embedding it is not seen as a new communication.

    “The embedding in a website of a protected work which is publicly accessible on another website by means of a link using the framing technology … does not by itself constitute communication to the public within the meaning of [the EU Copyright directive] to the extent that the relevant work is neither communicated to a new public nor by using a specific technical means different from that used for the original communication,” the Court’s verdict reads.

    The Court based its verdict on an earlier decision in the Svensson case, where it found that hyperlinking to a previously published work is not copyright infringement. Together, both cases will have a major impact on future copyright cases in the EU.

  11. Tomi Engdahl says:

    Tor exit node mashes malware into downloads
    Windows update haxors saved by Microsoft FixIt
    http://www.theregister.co.uk/2014/10/27/tor_exit_node_mashes_malware_into_downloads/

    A Tor exit node has been found slapping malware onto downloads as users exit the hidden network and enter the public web.

    Leviathan Security Group researcher Josh Pitts found the operator of the Russia-based node compromising binaries only a month after raising concerns of the possible attack.

    “I had only circumstantial evidence until recently,” Pitts said.

    “If an adversary is currently patching binaries as you download them, these FixIt executables will also be patched,” Pitts said.

  12. Tomi Engdahl says:

    Kill off SSL 3.0 NOW: HTTPS savaged by vicious POODLE
    Pull it out ASAP, it is SWISS CHEESE
    http://www.theregister.co.uk/2014/10/14/google_drops_ssl_30_poodle_vulnerability/

    “Because a network attacker can cause connection failures, they can trigger the use of SSL 3.0 and then exploit this issue,” Möller said.

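Möller's sentence above describes the protocol-downgrade "dance": a browser that cannot complete a TLS handshake retries with an older version, so an attacker who merely breaks connections can walk it down to SSL 3.0. The model below is an added example (not code from the article or from Google) of that dance and of the two fixes: disabling SSL 3.0 on the server, and the TLS_FALLBACK_SCSV signal from RFC 7507 that lets a server refuse a fallback it knows is unnecessary. Real handshakes carry far more than this; the classes and the drop-everything-above-a-version attacker are this example's simplification.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Iterable, Optional, Tuple


class Version(IntEnum):
    SSL30 = 0x0300
    TLS10 = 0x0301
    TLS11 = 0x0302
    TLS12 = 0x0303


@dataclass
class ClientHello:
    version: Version
    fallback_scsv: bool = False  # client signals "I am retrying with a lower version"


class Server:
    def __init__(self, supported: Iterable[Version], honors_scsv: bool):
        self.supported = set(supported)
        self.honors_scsv = honors_scsv

    def handle(self, hello: ClientHello) -> Tuple[str, Optional[object]]:
        best = max(self.supported)
        # RFC 7507: a fallback to a version below what we both support means
        # someone interfered with the earlier attempt; refuse it.
        if hello.fallback_scsv and self.honors_scsv and best > hello.version:
            return ("alert", "inappropriate_fallback")
        usable = [v for v in self.supported if v <= hello.version]
        if not usable:
            return ("alert", "protocol_version")
        return ("ok", max(usable))


class Network:
    """Path between client and server; the attacker can drop handshakes."""

    def __init__(self, attacker_drops_above: Optional[Version] = None):
        self.attacker_drops_above = attacker_drops_above

    def deliver(self, hello: ClientHello, server: Server):
        if self.attacker_drops_above is not None and hello.version > self.attacker_drops_above:
            raise ConnectionError("handshake never completes")
        return server.handle(hello)


def connect(client_versions: Iterable[Version], server: Server,
            network: Network, use_scsv: bool) -> Tuple[str, Optional[object]]:
    """Browser-style fallback: try the highest version, step down on failure."""
    versions = sorted(client_versions, reverse=True)
    highest = versions[0]
    for v in versions:
        hello = ClientHello(v, fallback_scsv=use_scsv and v < highest)
        try:
            return network.deliver(hello, server)
        except ConnectionError:
            continue  # the dance: retry one version lower
    return ("failed", None)


ALL = [Version.SSL30, Version.TLS10, Version.TLS11, Version.TLS12]
NO_SSL3 = [Version.TLS10, Version.TLS11, Version.TLS12]

if __name__ == "__main__":
    print("no attacker          :", connect(ALL, Server(ALL, False), Network(), False))
    print("attacker, no SCSV    :", connect(ALL, Server(ALL, False), Network(Version.SSL30), False))
    print("attacker, SCSV       :", connect(ALL, Server(ALL, True), Network(Version.SSL30), True))
    print("attacker, SSL3 off   :", connect(ALL, Server(NO_SSL3, False), Network(Version.SSL30), False))
```

The second line of output is the POODLE condition: both ends speak TLS 1.2, yet the session lands on SSL 3.0 because every higher attempt was cut off. The third and fourth lines are the mitigations the article calls for; note that both end with a failed connection rather than a downgraded one, which is the correct trade.
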
  13. Tomi Engdahl says:

    Bitly says links are no longer blocked, blames Google Safebrowsing
    http://thenextweb.com/insider/2014/10/25/chrome-firefox-flag-bit-ly-links-malware/

    Having issues accessing Bit.ly links? You’re not alone. It seems many internet users are being greeted with the following message when accessing links that emanate from the popular link-shortening service.

    Bitly says that the root of the problem was Google Safebrowsing, a service provided by the internet giant to browsers such as Firefox and Chrome, that highlights URLs that contain malware or phishing content. It says that Bitlinks are now no longer blocked, and no data/bitlinks were compromised.

  14. Tomi Engdahl says:

    An ‘embed’ link isn’t a new infringement, says EU Court of Justice
    No change, no new audience, no offence
    http://www.theregister.co.uk/2014/10/27/an_embed_link_isnt_a_new_infringement_says_eu_court_of_justice/

  15. Tomi Engdahl says:

    The Risks Digest
    Forum on Risks to the Public in Computers and Related Systems
    http://catless.ncl.ac.uk/Risks/28.31.html

  16. Tomi Engdahl says:

    Internet-Exposed Energy Control Systems Abound
    http://spectrum.ieee.org/energywise/energy/the-smarter-grid/thousands-of-control-systems-connected-to-the-internet

    Infracritical remotely identified over 2.2 million unique IP addresses linked to industrial control systems at energy-related sites including electrical substations, wind farms, and water purification plants

  17. Tomi Engdahl says:

    Apple Eyes New Uses for NFC Beyond iPhone Payments
    https://www.theinformation.com/Apple-Eyes-New-Uses-for-NFC-Beyond-iPhone-Payments

    Consumers are just starting to use Apple Pay to make purchases at cash registers and online stores. But Apple representatives have also talked to potential partners about using the technology behind Apple Pay for other sorts of transactions, including building security access and accepting tickets at public transit turnstiles.

  18. Tomi Engdahl says:

    Zero-day in Samsung ‘Find My Mobile’ service allows attacker to remotely lock phone
    http://www.computerworld.com/article/2839240/zero-day-in-samsung-find-my-mobile-service-allows-attacker-to-remotely-lock-phone.html

    NIST warned that if an attacker exploits the zero-day vulnerability in Samsung’s ‘Find My Mobile’ service, then the hacker can remotely lock, unlock and ring the phone.

    Samsung’s Find My Mobile remote control “features” include lock my device, ring my device, locate my device, wipe my device, unlock my screen, call logs, SIM change alert and register a personal guardian. The service is not enabled by default; instead it is automatically enabled after registering for a Samsung account.

    According to the National Institute of Standards and Technology (NIST):

    The Remote Controls feature on Samsung mobile devices does not validate the source of lock-code data received over a network, which makes it easier for remote attackers to cause a denial of service (screen locking with an arbitrary code) by triggering unexpected Find My Mobile network traffic.

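NIST's wording above, "does not validate the source of lock-code data received over a network", is the whole bug: a remote-control message is acted on because it arrived, not because it was proven to come from the account owner. As an added example (not Samsung's code and not from the Computerworld article), the snippet below shows a handler with exactly that flaw beside one that authenticates each command with a per-device HMAC key and rejects stale or replayed messages. The key provisioning, the message fields and the sample values are all assumptions of this example.

```python
import hashlib
import hmac
import json
import time
from typing import Callable, Dict

# Assumption: a secret shared between the device and the account at
# registration time. Constructed value for the example.
DEVICE_KEY = b"constructed-per-device-secret"


def handle_unauthenticated(device: Dict[str, object], msg: Dict[str, object]) -> Dict[str, object]:
    """Flawed handler: applies whatever lock code the network delivers."""
    if msg.get("cmd") == "lock":
        device["locked"] = True
        device["code"] = msg.get("code")
    return device


def sign(key: bytes, cmd: str, code: str, nonce: str, ts: float) -> str:
    """HMAC over a canonical encoding of every field the handler will act on."""
    payload = json.dumps({"cmd": cmd, "code": code, "nonce": nonce, "ts": ts},
                         sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def make_command(key: bytes, cmd: str, code: str, nonce: str, ts: float) -> Dict[str, object]:
    """What the legitimate service would send: fields plus their MAC."""
    return {"cmd": cmd, "code": code, "nonce": nonce, "ts": ts,
            "mac": sign(key, cmd, code, nonce, ts)}


class AuthenticatedHandler:
    """Hardened handler: source must prove knowledge of the device key."""

    def __init__(self, key: bytes, max_age: float = 300.0,
                 now: Callable[[], float] = time.time):
        self.key = key
        self.max_age = max_age
        self.now = now
        self.seen_nonces = set()
        self.device: Dict[str, object] = {"locked": False, "code": None}

    def handle(self, msg: Dict[str, object]) -> str:
        try:
            expected = sign(self.key, str(msg["cmd"]), str(msg["code"]),
                            str(msg["nonce"]), float(msg["ts"]))
        except (KeyError, TypeError, ValueError):
            return "rejected: malformed"
        # Check the MAC first, in constant time, before trusting any field.
        if not hmac.compare_digest(expected, str(msg.get("mac", ""))):
            return "rejected: bad signature"
        if abs(self.now() - float(msg["ts"])) > self.max_age:
            return "rejected: stale"
        if msg["nonce"] in self.seen_nonces:
            return "rejected: replay"
        self.seen_nonces.add(msg["nonce"])
        if msg["cmd"] == "lock":
            self.device["locked"] = True
            self.device["code"] = msg["code"]
        return "ok"


if __name__ == "__main__":
    print(handle_unauthenticated({"locked": False, "code": None},
                                 {"cmd": "lock", "code": "0000"}))
    h = AuthenticatedHandler(DEVICE_KEY, now=lambda: 1000.0)
    good = make_command(DEVICE_KEY, "lock", "4321", "nonce-1", 1000.0)
    print(h.handle(good), h.device)
    print(h.handle(good))  # same message again
```

The ordering inside `handle` matters: the MAC is verified before any other field is interpreted, so a forged message is never in a position to lock the screen with an attacker-chosen code, which is the denial of service NIST describes.
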
  19. Tomi Engdahl says:

    5 best practices to improve building management systems’ cybersecurity
    http://www.cablinginstall.com/articles/2014/10/bms-cybersecurity-best-practices.html

    A recent technical brief from Schneider Electric notes that cybersecurity threats and attacks have become a common occurrence and pose a global problem, that data breaches and other cyber crime cost companies billions each year worldwide, and that “the damage to brand reputation can be incalculable.” Since hackers look for weakly defended systems to attack, the white paper outlines 5 cybersecurity best practices to mitigate system vulnerabilities in intelligent building management systems.

  20. Tomi Engdahl says:

    Security is top concern for enterprise access networks, finds Infonetics
    http://www.cablinginstall.com/articles/2014/10/infonetics-security-wlan-access-survey.html

    “Our annual study of WLAN deployments shows that enterprise access networks are undergoing a major transformation, driven by an influx of new devices, greater device diversity, and new application models,”

    “Not only are companies upgrading and expanding coverage to accommodate their growing needs, they’re also rethinking their approach to network operations and are looking to unify network silos and implement more flexible management approaches,”

    Significantly, he adds, “But the biggest change of all over the next year is improving the security of access networks. The last year has seen a number of high profile data breaches, and companies can’t afford to become the next victim.”

  21. Tomi Engdahl says:

    Book Review: Measuring and Managing Information Risk: a FAIR Approach
    http://books.slashdot.org/story/14/10/27/1257241/book-review-measuring-and-managing-information-risk-a-fair-approach

    It’s hard to go a day without some sort of data about information security and risk. Research from firms like Gartner are accepted without question; even though they can get their results from untrusted and unvetted sources. The current panic around Ebola shows how people are ill-informed about risk. While stressing over Ebola, the media is oblivious to true public health threats like obesity, heart disease, drunk driving, diabetes, and the like. When it comes to information security, it’s not that much better. With myriad statistics, surveys, data breach reports, and global analyses of the costs of data breaches, there is an overabundance of data, and an under abundance of meaningful data. In Measuring and Managing Information Risk: A FAIR Approach, authors Jack Freund and Jack Jones have written a magnificent book that will change the way (for the better) you think about and deal with IT risk.

    The book details the factor analysis of information risk (FAIR) methodology, which is a proven and credible framework for understanding, measuring, and analyzing information risk of any size or complexity. An Open Group standard, FAIR is a methodology and a highly effective quantitative analysis tool.

    The power of FAIR is immense: it enables the risk practitioner to make well-informed decisions based on meaningful measurements. While that seems obvious, in practicality, it is a challenging endeavor.

    FAIR is invaluable in that it helps the risk professional understand the language that the corporate board and senior executives speak. Understanding that and communicating in their language can make it much easier for information security to be perceived as a valued asset, as opposed to using Chicken Little statistics.

    The authors write that risk decision making quality boils down to the quality of information decision makers are operating from, and the decision makers themselves. The book does a remarkable job of showing how a person can become a much better decision maker.

  22. Tomi Engdahl says:

    Taking the Census, With Cellphones
    http://mobile.slashdot.org/story/14/10/28/003200/taking-the-census-with-cellphones

    If you want to figure out how many people live in a particular part of your country, you could spend years conducting home visits and mailing out questionnaires. But a new study describes a quicker way. Scientists have figured out how to map populations using cellphone records — an approach that doesn’t just reveal who lives where, but also where they go every day.

    Taking the census, with cellphones
    http://news.sciencemag.org/math/2014/10/taking-census-cellphones

    “This is the first time people have provided statistical evidence that population data produced from cellphone records are of really good quality,” says applied mathematician Renaud Lambiotte of the University of Namur in Belgium, who was not involved in the study.

    Ninety-six percent of the world’s people have active cellphone subscriptions. In developed countries, the number of mobile phone subscribers has surpassed the total population as some individuals own more than one phone, and subscription rates continue to rise in developing countries, reaching as high as 90%. That’s great news for census scientists, because they can locate the calls by identifying the cellphone towers that send and receive them and use call density around the phone towers to estimate the local population density.

    As part of WorldPop, an open-source project mapping detailed population information from countries around the world, a team of researchers led by geographer Catherine Linard of the Université Libre de Bruxelles and data scientist Pierre Deville of the Université Catholique de Louvain in Belgium used mobile phone data to estimate population density in France and Portugal. For each country, they obtained aggregate, anonymized call records from major carriers containing more than a billion calls.

    Using the call records, the researchers developed a model to estimate population density around every phone tower from call density, taking into account variations in phone usage between high-coverage and low-coverage areas.

    But for low-income countries, where census data are likely outdated and unreliable, mobile phone records present an easy and efficient alternative, Linard says. In the Democratic Republic of the Congo, for example, the most recent census took place in 1984. In contrast, about 70% of the people subscribe to mobile phones.

    With the ongoing Ebola outbreak, cellphone records could provide a valuable tool for tracking population movements, says co-author Andrew Tatem

    Reply
  23. Tomi Engdahl says:

    Report: Criminals use Shellshock against mail servers to build botnet
    Oct 27, 2014
    http://www.csoonline.com/article/2839054/vulnerabilities/report-criminals-use-shellshock-against-mail-servers-to-build-botnet.html

    However unlikely, their stab in the dark approach is working

    Targeting message transfer agents (MTAs), and mail delivery agents (MDAs), criminals are using Shellshock as a means to create botnets. The process is slow, but working, thanks to unpatched installations of Bash or certain implementations of it.

    “We suspect bad actors may be conducting an initial dry run, in preparation for a real, potentially larger-scale attack. We believe it’s only a matter of time before attackers exploit the vulnerability to redirect users to malicious hosts, which can result in further compromise,” FireEye wrote at the time.

    How right they were. Among the findings from FireEye was a proof-of-concept script that created an IRC-based (Internet Relay Chat) botnet, capable of sending spam, initiating a DDoS attack, or performing remote command execution on the compromised host.

    On Friday, CSO became aware of a Shellshock-based campaign targeting organizations in Europe and the United States. It spreads via email, using Shellshock exploitation code in the message header fields. If successful, it delivers a simple Perl script as the payload, which adds the host to a botnet commanded from IRC.

    The Shellshock campaign targets mail servers, searching for vulnerable MTAs / MDAs. The messages themselves are blank, but the code needed to exploit the Shellshock vulnerability is placed into the message’s headers.

    The script that powers the botnet behind this recent campaign is called Legend, and it has existed for several years now. The Legend script is simplistic, but effective once installed on a system.

    Once installed, Legend will connect the compromised host to a pre-configured IRC server, where the attacker can issue commands individually or as a group.

    The following MTAs / MDAs are directly impacted by Shellshock in some cases, depending on their configuration.

    Courier Mail Server
    Exim
    QMail
    Postfix / Procmail

    There is at least one Shellshock exploit for Postfix circulating online

    Reply
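As an added defender-side illustration (not code from the CSO article or from any tool it names), a Python scanner that flags mail headers carrying the Shellshock trigger shape, the `() {` function-definition prefix that a vulnerable bash imported from the environment; the exported-header list and the sample messages are constructed for this example.

```python
import re
from email import message_from_string

# Bash's vulnerable importer treated any environment variable whose value
# began with "() {" as an exported function definition and kept executing
# whatever followed the closing brace. Mail pipelines are exposed because
# MTAs and MDAs copy header values into the environment of the programs
# they spawn. This regex is the example's own; it tolerates leading
# whitespace that bash itself did not, so folded header values are caught.
SHELLSHOCK_MARKER = re.compile(r"^\s*\(\)\s*\{")

# Headers commonly exported into the environment of delivery-time programs.
# Illustrative list; which headers actually reach the environment depends
# on the MTA/MDA and its configuration.
EXPORTED_HEADERS = ("To", "From", "Subject", "Reply-To", "Cc", "References")


def scan_message(raw):
    """Return (header name, value) pairs whose value starts like a bash
    function definition, i.e. the Shellshock trigger shape."""
    msg = message_from_string(raw)
    hits = []
    for name in EXPORTED_HEADERS:
        for value in msg.get_all(name, []):
            if SHELLSHOCK_MARKER.search(value):
                # Collapse folding whitespace so the report is one line.
                hits.append((name, " ".join(value.split())))
    return hits


def triage(messages):
    """Summarise a batch of raw messages: how many were flagged and which
    header names were abused, so a defender can tune header filtering."""
    flagged = 0
    by_header = {}
    for raw in messages:
        hits = scan_message(raw)
        if hits:
            flagged += 1
            for name, _ in hits:
                by_header[name] = by_header.get(name, 0) + 1
    return flagged, by_header


# Constructed sample messages (not captured traffic). The probe carries only
# the trigger shape with an inert command, which is all the detector needs.
CLEAN = (
    "From: alice@example.invalid\r\n"
    "To: bob@example.invalid\r\n"
    "Subject: lunch () tomorrow {maybe}\r\n"   # braces mid-value: not a trigger
    "\r\n"
    "See you at noon.\r\n"
)

BLANK_BODY_PROBE = (
    "From: () { :;}; /bin/true\r\n"
    "To: bob@example.invalid\r\n"
    "Subject:\r\n"
    "  () { :;}; /bin/true\r\n"                # folded: marker on the continuation line
    "\r\n"                                      # blank body, as in the campaign
)

if __name__ == "__main__":
    print(scan_message(CLEAN))
    print(scan_message(BLANK_BODY_PROBE))
    print(triage([CLEAN, BLANK_BODY_PROBE]))
```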
  24. Tomi Engdahl says:

    EFF Rates Which Service Providers Side With Users
    http://yro.slashdot.org/story/14/10/28/0630201/eff-rates-which-service-providers-side-with-users

    The Electronic Frontier Foundation has issued a report grading online service providers for how well they side with users over intellectual property disputes. They looked at sites like YouTube, Imgur, tumblr, and Twitter.

    https://www.eff.org/pages/who-has-your-back-copyright-trademark-2014

    Reply
  25. Tomi Engdahl says:

    Internet service users often encounter terms of use agreements that must be accepted in order to use the service. Although in many cases the texts go unread, the Communications Agency’s Kyberturvallisuuskeskus advises reading the terms and conditions. More and more privacy-related user information is being handed over to services, so it is not all the same what one accepts.

    “Contracts can sometimes seem lengthy and difficult to understand.”

    A lot of privacy-related information is shared with services, and therefore attention should be paid to their data sharing. As the use of Internet services has become an integral part of daily life, the risks associated with violating someone’s privacy have increased.

    Privacy consists of the individual’s right to know about, and ability to influence, the processing of their own data. It is not necessary to give a home address or phone number to every service provider, even if they ask for it.

    In general, the processing of user data by Internet services is based on consent. Consent may be given in standard contracts. In practice, contracts are formed when the user registers for the service and accepts the terms and conditions by clicking to accept, or simply by using the service.

    It is essential that the user is aware of how and for what purposes their data are used.

    What? Where? Why? When? The user should get answers to at least these questions before accepting Internet service terms and conditions and gaining access to the service. It is also worth finding out what privacy-related matters an Internet service contract can agree on at all.

    Sources:
    http://www.tivi.fi/kaikki_uutiset/kyberturvallisuuskeskus+kaikkeen+ei+ole+pakko+suostua/a1023706
    https://www.viestintavirasto.fi/tietoturva/tietoturvanyt/2014/10/ttn201410280921.html

    Reply
  26. Tomi Engdahl says:

    EvilToss and Sourface hacker crew ‘likely’ backed by Kremlin – FireEye
    US intel firm reports on ‘APT28’
    http://www.theregister.co.uk/2014/10/28/us_mandiant_claims_moscow_sponsoring_apt_28_hacker_group/

    The Russian government is “likely” sponsoring a hacking outfit that has been targeting foreign governments and security organisations, claims a recent report from US intelligence firm FireEye.

    The company issued a report alleging it was likely that a group operating for possibly more than a decade was being bankrolled to attack governments in Georgia, Eastern Europe, and entities including NATO and the Organisation for Security and Co-operation in Europe.

    FireEye claimed the group, known as “APT28”, had twice attempted to hack Georgia’s Ministry of Internal Affairs, which is responsible for counter-terrorism and security, as well as attacking its Ministry of Defence and an unnamed affiliated US defence contractor. It also claimed the group had targeted a journalist covering the Caucasus.

    The governments of Hungary and Poland, the World Bank, European Commission, APEC and UN were others targeted by the group, which appears to have become more sophisticated since mid 2007, said the securobods.

    Almost all of the tools were developed during regular Moscow and St Petersburg work hours between mid-2007 and last month, the securobods point out.

    “Given the available data, we assess that APT28’s work is sponsored by the Russian government.”

    Reply
  27. Tomi Engdahl says:

    LAX To London Flight Delayed Over “Al-Quida” Wi-Fi Name
    http://tech.slashdot.org/story/14/10/28/1221228/lax-to-london-flight-delayed-over-al-quida-wi-fi-name

    A flight from LAX to London was delayed after a passenger reported seeing “Al-Quida Free Terror Nettwork” as an available hotspot name and reported it to a flight attendant.

    LAX flight delayed after WiFi hotspot name prompts concerns
    http://abc7.com/news/lax-flight-delayed-after-wifi-hotspot-name-prompts-concerns/367110/

    “After an hour, (the captain) said there was a security threat and that we didn’t have clearance to take off,”

    “After further investigation, it was determined that no crime was committed and no further action will be taken,”

    Reply
  28. Tomi Engdahl says:

    Tor users advised to check their computers for malware
    http://www.theguardian.com/technology/2014/oct/28/tor-users-advised-check-computers-malware

    Users of the anonymising service may have accidentally downloaded malware thanks to a malicious Russian hacker

    Users of internet anonymiser Tor are being advised to secure their connections and check their computers for malware, after a security researcher discovered that the service was being used to inject potentially malicious code into downloads over the service.

    Tor allows users to surf the web anonymously by bouncing their connection between “relay” nodes before it exits back on to the open internet through an “exit” node, of which slightly more than 1,000 exist dotted around the world.

    But for an unknown length of time, at least one exit node, based in Russia, has been silently altering programs downloaded through Tor, according to Josh Pitts, a security researcher for Leviathan Security.

    Programs for Windows, when downloaded through the malicious node, were silently wrapped in malware, malicious code, rendering them dangerous to any computer running them. Concerningly, even files downloaded through Windows update were affected.

    The attack is a particular type of “man in the middle” attack

    The Tor Project has flagged the malware-spamming Russian node as malicious, ensuring that properly updated users won’t encounter it again. But, says the project lead, Roger Dingledine, “it seems like a tough arms race to play … the better approach is to have applications not blindly trust unauthenticated bits they get from the internet.”

    Reply
  29. Tomi Engdahl says:

    What’s worse than your mom seeing your web history? The NSA, Google
    https://www.survata.com/blog/whats-worse-than-your-mom-seeing-your-web-history-the-nsa-google/

    While the federal government and your significant other may have very different interests in scouring your personal data, the potential privacy breach is troublesome in both cases. With data security and government surveillance perpetually in the news, we at Survata decided to gauge public concern about data snooping in various forms.

    Survey: Internet users afraid of Google handling personal data more than the NSA
    http://bgr.com/2014/10/28/google-vs-nsa-personal-data/

    In light of the many detailed reports based on Edward Snowden’s leaks that revealed the sophisticated technologies the NSA and other spying agencies can employ for mass surveillance purposes, a new survey from Survata seems to indicate that Internet users are more afraid of their personal data being used by Google than the NSA.

    “We’ve all seen the ongoing news about data privacy fears regarding the NSA, and their alleged involvement with data collection from large tech companies,”

    The survey was conducted between October 9 and October 12 on 2,556 online respondents who were asked “to rate on a scale of 1 to 10 how upset they would be if a certain entity saw their personal data.”

    Google scored an average of 7.39 points (with 10 being the score for ‘most upset’) followed by the NSA (7.06 points), “your boss” (6.86 points), “your parents” (5.93) and “your spouse or significant other” (4.55 points).

    Reply
  30. Tomi Engdahl says:

    Feds seek potential ‘second Snowden’ gov doc leaker – report
    Hang on, Ed wasn’t here when we compiled THIS document
    http://www.theregister.co.uk/2014/10/28/feds_identify_second_leaker/

    A worker at a US government contractor is suspected of being the second leaker who turned over sensitive documents on the US government’s terrorist watch list to journalist Glenn Greenwald, according to recent reports.

    Last year, it emerged that prosecutors had secretly subpoenaed phone records from the Associated Press as well as threatening an Espionage Act prosecution against a Fox News reporter as part of a leak investigation.

    The case stems from an article in August published by investigative news outlet, The Intercept, that revealed nearly half the people on the US government terrorist watch-list database had “no recognised terrorist affiliation”.

    Reply
  31. Tomi Engdahl says:

    Guns don’t scare people, hackers do: Americans fear identity theft more than shooting sprees
    Citizens know their stats
    http://www.theregister.co.uk/2014/10/22/americans_more_afraid_of_identity_theft_that_getting_killed_in_a_shooting/

    A survey into what Americans fear most has shown that fears of identity theft and being unsafe online outweigh the fear of being shot.

    The poll of 1,500 Americans conducted by Chapman University in Orange, California, found that walking alone down a dark street is the situation that has Americans most fearful – beating the fear of identity theft in second place, and the fear of being unsafe online in third place.

    Fourth on the list was getting shot in a mass shooting or by a random gun owner. Fear of public speaking came in fifth.

    When survey participants were asked about things that concerned them, however, rather than what actually induced fear, identity theft got the top spot.

    Another unusual finding was that Americans fear crime much more than they should. Fears of violent crime are increasing

    “When we looked at statistical data from police and FBI records, it showed crime has actually decreased in America in the past 20 years. Criminologists often get angry responses when we try to tell people the crime rate has gone down.”

    A lot of this is the media’s fault, the study concluded. Survey participants who watched a lot of television were generally more fearful than those who didn’t, and this was particularly true if they watched a lot of true crime programming and talk TV.

    That said, even educated Americans are being very dumb about other fears. When it comes to natural disaster

    Reply
  32. Tomi Engdahl says:

    Help a Journalist With An NFC Chip Implant Violate His Own Privacy and Security
    http://yro.slashdot.org/story/14/10/29/005243/help-a-journalist-with-an-nfc-chip-implant-violate-his-own-privacy-and-security

    This guy got an NFC chip implanted in his arm, where it will stay for at least a year. He’s inviting everyone to come up with uses for it. Especially ones that violate his privacy and security. There must be something better to do than getting into the office or unlocking your work PC.

    “The chip we are using is the xNTi, an NFC type 2 NTAG216, which is about the size of a grain of rice and is manufactured by the Dutch semiconductor company NXP”

    Getting chipped: Why I will live with an NFC chip implant for a year
    http://www.computerworld.com/article/2839441/getting-chipped-why-i-will-live-with-an-nfc-chip-implant-for-a-year.html

    What happens when you get an NFC chip implant? IDG Netherlands News Editor René Schoemaker is testing that out.

    I got chipped together with nine other volunteers during the IT Innovation Day organized by IDG Netherlands. The other volunteers and I will spend the next 12 months testing the use of an NFC chip in our daily lives to see whether having the chip implanted in our bodies is more useful than using a chip embedded on a card or in a smartphone.

    So far, it has been pretty useless though. We are still in the process of coming up with possible applications such as using the chip to pay for public transportation or in shops and restaurants.

    I have already had contact with a well-known global IT-security firm about a program that can install malware on smartphones by using the chip in my hand. If you can get spyware on a phone, you can easily snoop on people, for example, your spouse or your boss. But perhaps we will try to get our hands on our secretary of Justice and Homeland Security to show how easy it is to breach security.

    The chip is a showcase to make people think more about security when it comes to new technology.

    The chip we are using is the xNTi, an NFC type 2 NTAG216, which is about the size of a grain of rice and is manufactured by the Dutch semiconductor company NXP, maker of the NFC chip for the new iPhone. It is a glass transponder with an operating frequency of 13.56MHz, developed for mass-market applications such as retail, gaming and consumer electronics.

    The chip’s storage capacity is pretty limited: the UID (unique identifier) is 7 bytes, while the read/write memory is 888 bytes. It can be secured with a 32-bit password and can be overwritten about 100,000 times, by which point the memory will be quite worn. Data transmission takes place at a baud rate of 106 kbit/s and the chip is readable up to 10 centimeters, though it is possible to boost that distance.

    Reply
  33. Tomi Engdahl says:

    Cisco: We made UCS secure but need your help to finish the job
    New hardening guide suggests shutting old services, expiring admins and locking logs
    http://www.theregister.co.uk/2014/10/29/cisco_releases_unified_computing_hardening_guide/

    Cisco has released a hardening guide for its unified computing system (UCS) that reveals the company’s servers do most things right – all manner of potentially-insecure services are off by default – but also offers plenty of suggestions to make sure risks don’t increase during production.

    The document centres on hardening the three network planes of management, control, and data including access rights through the UCS client manager, deploying encryption and secure logging including nvram and system event logs.

    Reply
  34. Tomi Engdahl says:

    Snowden revelations effect: people’s online behavior to change

    More than half of Internet users would be willing to switch from services such as Google’s to services that better protect user privacy, according to security company F-Secure’s new report.

    In a recently released video interview, whistleblower Edward Snowden called on everyone to stop using Dropbox, Facebook and Google services.

    56 percent of survey respondents stated that they were more aware of the drawbacks of US online services, such as the possible disclosure of information to state actors. The same number of respondents said their ways of using the Internet had changed as a result of the Snowden news.

    Almost half of the respondents said they were willing to pay in order not to pass their personal information through the United States.

    68 percent of respondents said they use applications that encrypt message traffic or allow anonymous use of the Internet.

    A total of 4800 people in six countries responded to F-Secure’s survey.

    Source: http://www.tivi.fi/kaikki_uutiset/snowdenin+paljastusten+vaikutus+ihmisten+kayttaytyminen+verkossa+muuttui/a1024125

    Reply
  35. Tomi Engdahl says:

    Inside the EYE of the TORnado: From Navy spooks to Silk Road
    It’s hard enough to peel the onion, are you hard enough to eat the core?
    http://www.theregister.co.uk/2014/10/29/history_of_tor/

    TOR is the most widely used system for the provision of anonymity for internet users. I’ll look at how TOR came about: its beginnings in the US Navy; growth and use by both pro-democracy freedom fighters and the less savoury elements of the internet; and how the NSA may have managed to peel the onion router for the FBI to help it collar its suspects.

    TOR started as an onion-routing project under the stewardship of the US Navy back in the 1990s. Its purpose was – and still is – to provide secure communications over insecure networks. It was originally designed for US spies abroad trying to get data back to spook HQ.

    As encryption and communication methods evolved, TOR was no longer required by the government. The Navy let go of the technology in late 2002

    TOR still receives funding from the State Department along with various other sponsors including the National Science Foundation and the Swedish International Development Cooperation Agency.

    Initially, non-military use of TOR was limited to geeks and people who had a Big Brother complex. Eventually it was adopted by more average but technically literate users.

    Today TOR provides a way for citizens to securely communicate across the globe using internet services such as chat and web browsing. Anyone can download it, and installation is simple. A word to the wise, though: read the disclaimers and the notes. Privacy is not at zero cost.*

    Reply
  36. Tomi Engdahl says:

    Hacking Trail Leads to Russia, Experts Say
    Malicious Code Found at U.S. Firm Where Military Secrets Were Kept
    http://online.wsj.com/news/article_email/hacking-trail-leads-to-russia-experts-say-1414468869-lMyQjAxMTI0MjI4ODMyODg1Wj

    Earlier this year, investigators for Silicon Valley security company FireEye Inc. visited a U.S. firm to determine who, and what, sneaked into the firm’s network harboring military secrets.

    There they found what they call a sophisticated cyberweapon, able to evade detection and hop between computers walled off from the Internet. The spy tool was programmed on Russian-language machines and built during working hours in Moscow. FireEye’s conclusion, in a report to be released Tuesday: The cyberspying has a “government sponsor—specifically, a government based in Moscow.”

    The report is one of four recent assessments by cybersecurity companies, buttressed by reports from Google Inc. and U.S. intelligence agencies, pointing to Russian sponsorship of a skilled hacking campaign dating back to 2007. Targets included NATO, governments of Russia’s neighbors, and U.S. defense contractors Science Applications International Corp. and Academi LLC, the U.S. security firm previously known as Blackwater.

    Collectively, the new research offers evidence supporting a view long expressed privately by U.S. officials and American security researchers: Moscow commands the A-team of Internet adversaries.

    Reply
  37. Tomi Engdahl says:

    CPJ: In almost all cases, journalists are still being killed with no consequences
    http://www.poynter.org/latest-news/mediawire/277219/cpj-in-almost-all-cases-journalists-are-still-being-killed-with-no-consequences/

    On Tuesday, the Committee to Protect Journalists released a report entitled “The Road to Justice: Breaking the Cycle of Impunity In the Killing of Journalists.”

    Those first two lists contain 361 names.
    The third list, with the names of those whose killers were prosecuted, has just nine names.

    Breaking the Cycle of Impunity in the Killing of Journalists
    http://www.cpj.org/reports/2014/10/the-road-to-justice-killing-journalists-impunity.php

    The lack of justice in hundreds of murders of journalists around the world is one of the greatest threats to press freedom today. While international attention to the issue has grown over the past decade, there has been little progress in bringing down rates of impunity. States will have to demonstrate far more political will to implement international commitments to make an impact on the high rates of targeted violence that journalists routinely face. A special report by the Committee to Protect Journalists

    Reply
  38. Tomi Engdahl says:

    Google Details Android 5.0 Lollipop’s Major Security Improvements
    http://techcrunch.com/2014/10/28/android-5-lollipop-security-features/

    Android’s newest update is coming soon, with devices running 5.0 Lollipop beginning to ship November 3. While the visual update might be the one that most users pay the most attention to, Android 5.0 also has a number of under-the-hood changes, including some major updates to the overall security of the platform. Google has put a lot of effort into addressing the biggest threats to Android user security, which still overwhelmingly represent lost or stolen devices, and today the company is detailing a few of these efforts.

    Lollipop adds some new lock methods that make it easier to keep your device secure, which is a huge boon to the overall integrity of the platform. The biggest roadblock to mobile device security is actually user apathy, which sees people skipping basic security practices like implementing a lock screen pin code because it’s inconvenient when you’re checking your device every few minutes. Lollipop offers Smart Lock to help address this, which uses paired devices to let you tell your device it’s okay to open up without requiring a password or other means of authentication.

    Face unlock is also redesigned here, and has been rebuilt to analyze a user’s image continually, as more of a background security process than a device unlocking mechanism.

    “Rather than pretending to take a picture, and analyze it, it’s analyzing a user’s face on an ongoing basis,” explained Android security engineering lead Adrian Ludwig in a briefing call. “If a user’s opted in and is using this method, at the moment it detects that a user isn’t the one that it’s expecting, it locks. That’s very different from the previous model.”

    Security is also more robust by default, thanks to automatic whole-phone encryption for newly activated devices. In Lollipop, when you power on a new smartphone or tablet, it encrypts all data automatically, and creates a unique key that remains on the device to decrypt the data. Android introduced its encryption features three years ago, but now it’s on by default on new devices, though anyone upgrading on an older device will still have to go into settings to enable it, should they want that additional level of protection.

    “The question we’re posing is not ‘does the feature exist,’” Ludwig said. “The question is ‘how do we make sure that [the feature] is available and as easy to use as possible.”

    The encryption key is also wrapped in your device unlock password

    Finally, Google is pointing to its use of Security Enhanced Linux (SELinux) to enable even further clarity around the isolation of individual apps. This really just means that users have to worry less about apps containing vulnerabilities that allow them to read info from other apps – basically it offers better visibility about how sandboxing works on the platform.

    “Our goal with the security model of Android is that you should never have to care, honestly,” Ludwig explained.

    Reply
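An added example, not Google’s code and not how Android itself implements it: a Python sketch of the key-wrapping design the article describes, with a device-unique data-encryption key (DEK) that stays fixed while a key-encryption key (KEK) derived from the unlock password wraps it, so a wrong password fails to unwrap and a password change never re-encrypts user data. The PBKDF2 parameters and the HMAC-based counter-mode wrap are stand-ins for the hardware-backed AES a real device would use.

```python
import hashlib
import hmac
import os

# Work factor for turning a short unlock code into a key-encryption key.
# Constructed value for this example; a real device tunes it and ideally
# binds the KEK to hardware-backed key storage as well.
PBKDF2_ITERATIONS = 50_000
NONCE_LEN, TAG_LEN = 16, 32


def derive_kek(password, salt):
    """Key-encryption key from the unlock password and a per-device salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS, dklen=32)


def _subkeys(kek):
    # Separate keys for confidentiality and integrity of the wrapped blob.
    enc = hmac.new(kek, b"wrap-enc", "sha256").digest()
    mac = hmac.new(kek, b"wrap-mac", "sha256").digest()
    return enc, mac


def _keystream(enc_key, nonce, length):
    # HMAC-SHA256 in counter mode stands in for the AES-based wrapping a
    # real device would use; the structure, not the primitive, is the point.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:length]


def wrap_dek(dek, password, salt, nonce=None):
    """Encrypt the DEK under the password-derived KEK.
    Returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(derive_kek(password, salt))
    nonce = nonce if nonce is not None else os.urandom(NONCE_LEN)
    ciphertext = bytes(a ^ b for a, b in zip(dek, _keystream(enc_key, nonce, len(dek))))
    tag = hmac.new(mac_key, nonce + ciphertext, "sha256").digest()
    return nonce + ciphertext + tag


def unwrap_dek(blob, password, salt):
    """Recover the DEK, or None if the password is wrong or the blob was altered."""
    enc_key, mac_key = _subkeys(derive_kek(password, salt))
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def change_password(blob, old_password, new_password, salt):
    """Re-wrap the same DEK under a new password. The user data, which is
    encrypted under the DEK, never has to be rewritten."""
    dek = unwrap_dek(blob, old_password, salt)
    if dek is None:
        return None
    return wrap_dek(dek, new_password, salt)


if __name__ == "__main__":
    salt = os.urandom(16)   # stored in the clear on the device
    dek = os.urandom(32)    # generated once at first boot, never leaves the device
    blob = wrap_dek(dek, "1234", salt)
    assert unwrap_dek(blob, "1234", salt) == dek
    assert unwrap_dek(blob, "0000", salt) is None
    blob = change_password(blob, "1234", "correct horse", salt)
    assert unwrap_dek(blob, "correct horse", salt) == dek
    print("DEK wrapped, verified and re-wrapped without touching user data")
```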
  39. Tomi Engdahl says:

    FBI created fake Seattle Times Web page to nab bomb-threat suspect
    http://seattletimes.com/html/localnews/2024888170_fbinewspaper1xml.html

    The FBI created a fake news story on a bogus Seattle Times Web page to plant software in the computer of a suspect in a series of bomb threats to Timberline High School in 2007, documents reveal.

    Reply
  40. Tomi Engdahl says:

    Google on Android Lollipop security: Set it and forget it
    http://www.cnet.com/news/google-on-android-lollipop-security-set-it-and-forget-it/

    Google’s lead security engineer on Android thinks you shouldn’t have to be a tech whiz to keep your phone secure.

    The head of Google’s Android mobile software security team has a little secret: Although he lives in urban San Francisco, “most days” he doesn’t lock the front door to his house.

    And he’s not worried about it. While it’s not clear whether Adrian Ludwig is arrogant, trusts his neighbors too much, or just has a really good insurance policy, his message is that he doesn’t think about securing his home when he’s not there.

    Now Ludwig, the man with the unlocked door, wants you to feel just as safe using your mobile phone and “not think” about Android security, either.

    Google is about to release the latest version of its Android mobile operating system with several major security improvements that Ludwig says will help keep users’ data safer, even as Android expands from phones and tablets into cars, watches, and other devices.

    With its newest release, Android 5.0 Lollipop, Google is changing the way Android security works. This time around, the company said, security will be set automatically.

    “I don’t think it’s realistic that the average person should care about security,” Ludwig said in a conference call with reporters during which he highlighted what he considered to be the most important new and updated security features in Lollipop.

    Reply
  41. Tomi Engdahl says:

    WHITE HOUSE network DOWN: Nation-sponsored attack likely
    ‘Unclassified systems only’, claim Presidential residentials
    http://www.theregister.co.uk/2014/10/29/white_house_cyberattack_russia_blamed/

    Hackers have disrupted computer operations at the White House after breaking into its unclassified internal network.

    The attack, blamed by US government sources on Russian hackers, has resulted in the disruption of some services while incident response teams work to contain the intrusion.

    The White House network is under constant attack but the latest assault is more serious both because of its intensity and persistence. Reports suggest the attack has been going on for around three weeks.

    Reply
  42. Tomi Engdahl says:

    China Planning to Remove Windows from All Government Computers
    http://news.softpedia.com/news/China-Planning-to-Remove-Windows-From-All-Government-Computers-463265.shtml

    Microsoft’s trouble in China continues with another chapter, this time coming from a local IT expert with strong ties to the government, who recommended the local authorities to remove Windows as soon as possible from their computers.

    In a report published by state-controlled newspaper Jinghua.cn, Ni Guangnan, academician of the Chinese Academy of Engineering, is quoted as saying that replacing Windows with a locally developed operating system must be done “urgently,” but no other specifics as to the reasons behind this recommendation were provided.

    Most likely, China wants to step away from Microsoft software because of security concerns, as some local officials have already accused the Redmond-based giant of bundling keyloggers in its operating system to help the United States government spy on Chinese PCs.

    Reply
  43. Tomi Engdahl says:

    Natural defenses: 8 IT security tactics found in nature
    http://www.itworld.com/article/2840077/natural-defenses-8-it-security-tactics-found-in-nature.html

    IT security professionals would do well to study the ways of fish, insects and fungus for inspiration in defending against predators

    If you’re an IT security professional, you probably don’t spend a whole lot of time thinking about bugs, plants or fungus, at least not during your work day. However, researchers from the Warsaw Institute of Technology think that you should. In a recently published paper, “Security – a perpetual war: lessons from nature,” they draw analogies in nature to approaches taken by hackers and those defending against them in the digital world.

    Security – a perpetual war: lessons from nature
    http://arxiv.org/ftp/arxiv/papers/1410/1410.4795.pdf

    Reply
  44. Tomi Engdahl says:

    Drupalocalypse! Devs say it’s best to assume your CMS is owned
    SQLi hole was hit hard, fast, and before most admins even knew it needed patching
    http://www.theregister.co.uk/2014/10/30/drupal_sites_considered_hosed_if_sqli_hole_unclosed/

    Drupal websites that had not patched seven hours after the disclosure on a ‘highly critical’ SQL injection (SQLi) hole disclosed 15 October are hosed, the content management tool’s developers say.

    Attacks against the vulnerability (CVE-2014-3704) in version seven of the content management system began “hours” after announcement detailing how the easily exploitable bug granted full control including the execution of malicious code to attackers.

    Reply
  45. Tomi Engdahl says:

    Dangerous bug fixed in wget
    http://m.slashdot.org/story/209125

    A critical flaw has been found and patched in the open source Wget file retrieval utility that is widely used on UNIX systems. The vulnerability is publicly identified as CVE-2014-4877.

    “susceptible to a symlink attack which could create arbitrary files, directories or symbolic links and set their permissions when retrieving a directory recursively through FTP,”

    Reply
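As an added example (not wget’s own code): a Python planner for recursive FTP retrieval showing the two defences against the symlink issue described above, either fetching a remote symlink as a plain file so no local link is ever created (the --retr-symlinks behaviour that the wget fix turned on by default), or, when links are recreated, refusing any entry whose path or link target resolves outside the destination directory. The listing and destination path are constructed, and the planner only computes actions, it never touches the disk.

```python
import posixpath

# Constructed FTP listing as a server presents it to a recursive client:
# (remote path, kind, symlink target). A hostile server controls every field.
LISTING = [
    ("pub/readme.txt", "file", None),
    ("pub/docs", "dir", None),
    ("pub/docs/latest", "symlink", "../readme.txt"),              # stays inside dest
    ("pub/passwd", "symlink", "/etc/passwd"),                     # absolute escape
    ("pub/bashrc", "symlink", "../../../../home/user/.bashrc"),   # relative escape
    ("../outside.txt", "file", None),                             # path itself escapes
]


def _contained(candidate, root):
    """True if the lexically normalised candidate lies under root.
    Lexical only: it assumes a clean destination with no pre-existing links."""
    cand = posixpath.normpath(candidate)
    root = posixpath.normpath(root)
    return posixpath.commonpath([cand, root]) == root


def plan_retrieval(listing, dest, retr_symlinks=True):
    """Turn a remote listing into local actions.
    retr_symlinks=True: a remote symlink is downloaded as an ordinary file,
    so the client never creates a symlink the server chose the target of.
    retr_symlinks=False: symlinks are recreated, but only when the target
    stays inside dest; everything else is rejected with a reason."""
    dest = posixpath.normpath(dest)
    plan = []
    for remote, kind, target in listing:
        local = posixpath.join(dest, remote)
        if not _contained(local, dest):
            plan.append(("reject", remote, "remote path escapes destination"))
            continue
        if kind == "dir":
            plan.append(("mkdir", local))
        elif kind == "file":
            plan.append(("download", local))
        elif kind == "symlink":
            if retr_symlinks:
                plan.append(("download", local))
                continue
            resolved = (target if posixpath.isabs(target)
                        else posixpath.join(posixpath.dirname(local), target))
            if _contained(resolved, dest):
                plan.append(("symlink", local, target))
            else:
                plan.append(("reject", remote, "symlink target escapes destination: " + target))
        else:
            plan.append(("reject", remote, "unknown entry kind: " + str(kind)))
    return plan


if __name__ == "__main__":
    for action in plan_retrieval(LISTING, "/srv/mirror", retr_symlinks=False):
        print(action)
```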
  46. Tomi Engdahl says:

    Big Retail’s Apple Pay killer CurrentC HACKED, tester info stolen
    Listen for the sound of chuckling from Cupertino
    http://www.theregister.co.uk/2014/10/29/apple_pay_rival_currentc_suffers_hacking_attack_tester_info_stolen/

    CurrentC, the mobile payments system being pushed by some of the biggest retailers in the US, has been hacked – even though the system isn’t fully up and running yet.

    “Within the last 36 hours, we learned that unauthorized third parties obtained the e-mail addresses of some of our CurrentC pilot program participants and individuals who had expressed interest in the app,” a spokeswoman for the Merchant Customer Exchange (MCX) told El Reg.

    Reply
  47. Tomi Engdahl says:

    Bad dog: Redmond’s new IE tool KILLS POODLE with one shot
    Azure and Office 365 to end SSL 3.0 support, too
    http://www.theregister.co.uk/2014/10/29/microsoft_poodle_fixit_for_ie/

    Microsoft has issued new guidance on the POODLE (Padding Oracle On Downgraded Legacy Encryption) SSL vulnerability, including a one-click utility that can automatically disable SSL 3.0 in Internet Explorer.

    The Fix It utility, which was released on Wednesday, is a reversible workaround for all versions of Redmond’s browser from IE6 through IE11 – although sticking with buggy, ancient IE6 still really isn’t a good idea.

    “If you are currently using older versions of IE, such as IE 6, we recommend you upgrade to a newer browser as soon as possible, in addition to using the Fix it released today,” Redmond said in a security advisory, while throwing in a plug for its latest, IE11.

    In addition, Microsoft says it is planning to issue updates that will disable fallback to SSL 3.0 in IE, then disable SSL 3.0 in IE altogether by default, within the coming months.

    Reply
  48. Tomi Engdahl says:

    Naked and afraid: that’s how Telstra’s WiFi security makes you feel
    http://www.theregister.co.uk/2014/10/29/naked_and_afraid_thats_how_telstras_wifi_security_makes_you_feel/

    Sit down, open up the laptop, join the advertised SSID, and go online.

    How great is free WiFi?

    A free WiFi network almost never has a password. That makes it easy to log on – and easy to read the network traffic of everyone using that ‘open’ network. Transmitted in the clear, every packet of data can be read right off the airwaves.

    When Telstra recently announced that its soon-to-be-introduced public WiFi hotspots (read: repurposed redundant phone booths) would offer a free trial period to the public, they indicated these WiFi hotspots would be open. No need for a password to log on.

    When some pointed out that this meant all the people using these hotspots would be transmitting all of their network traffic in the clear, Telstra indicated they’d put some warnings on the login screen, informing users not to perform sensitive tasks while connected. All well and good, right?

    Maybe not so much.

    Our smartphones these days are terrifically smart. They do all sorts of things without asking, such as checking the weather forecast, grabbing the latest batch of emails, downloading a podcast, etc.

    You can not tell your smartphone to stop anticipating your needs. When it logs onto WiFi it’s going to do all the things it knows it needs to do in order to keep you well fed and watered. It’s going to do that in full view of hundreds of others. Including that script kiddie with Wireshark and root.

    Although Telstra makes their money mostly from mobiles, they – and many others – seem to be unaware how these devices work, or why people need secure connections – especially in public.

    I am not a security paranoid. I know plenty of folks who are (the world needs more like them), but I am willing to assume some risks. Requiring WPA2 authentication to access a public WiFi network isn’t a panacea – if you really need to be secure, you probably shouldn’t be using WiFi at all – but it’s infinitely better than sending all network traffic in the clear.

    The urge to create unsecured WiFi networks is entirely understandable. Many people fumble over their own WiFi passwords. Putting a password on a public WiFi hotspot will limit the number who use it. But just as people learned how to lock their cars when they park them in a public lot, we now need to learn how to use shared electronic resources. The people and organizations offering these resources must consider the safety of their users. Open networks represent an unacceptable and unnecessary risk.

    Whenever you see an open network, consider asking those providing that service if they honestly meant to make all of their patrons’ data visible to the world. Most would have no idea that’s what they’ve done – and might even be horrified by the risky environment they created. Suggest they secure the network with an SSID named something like ‘Cafe password is XXXXXXXXX’, in order to make it as easy as possible for users to chart the safer course.

    Reply
