Security trends for 2014

Year 2014 will be a year of cybersecurity after the NSA revelations made in 2013: the headline news is that the NSA has surreptitiously “burrowed its way into nearly all the security architecture” sold by the world’s largest computer networking companies. A lot of people were shocked by how the NSA monitored and hacked almost everything on the Internet. There will still be NSA aftershocks as new material comes out and different parties react to it (and news sources write about it). U.S. cloud services have been put into question for good reason. There will be a lot of NSA spying litigation. Those spying issues will also fuel some hacktivism (it has already started to happen).

The Security Professionals: Top Cyber Threat Predictions for 2014 article lists the following predictions that seem pretty probable: Cybersecurity Regulatory Efforts Will Spark Greater Need for Harmonization, Service-Impacting Interruptions for Online Services Will Persist, We Will See an Increase in Cybercrime Activity Related to the World Cup, Rise of Regional Cloud Services, Dev-Ops Security Integration Fast Becoming Critical, Cybercrime that Leverages Unsupported Software will Increase, Increase in Social Engineering and Ransomware will Impact More People.

Ubiquitous mobile computing is all around us, which will lead to increased risks and concerns about social network privacy. Social networks have quickly become the key organizing principle of Internet communication and collaboration. Android anti-virus apps CAN’T kill nasties on sight like normal AV.

2013 was a very hacked year, with many cases where information on millions or tens of millions of users was stolen from companies. It’s likely that we will see much more of the same in 2014: the way people use passwords and how on-line services are built have not changed much in one year.


Gartner predicts that through 2014, improved JavaScript performance will begin to push HTML5 and the browser as a mainstream enterprise application development environment. I expect HTML5-related security issues to increase as the technology is used more in 2014.

Over 50% of net traffic to web sites is made by bots! The More Than Half of Internet Traffic Is Just Bots article says that security and cloud service provider Incapsula analyzed traffic and found that more than 60 percent of Internet traffic is computer generated, compared to less than 40 percent that is driven by human clicks. 31% of bots are still malicious. SEO link building has always been a major motivation for automated link spamming, but it is decreasing because Google was able to discourage it. There is more advanced hacking and automatic vulnerability searching.

DDoS attacks are evolving from volumetric Layer 3-4 attacks to much more sophisticated and dangerous Layer 7 multi-vector threats.

There will still be many SCADA security issues in 2014. Even though traditional SCADA vulnerabilities have become easier to find, the increased connectivity brought by IoT will cause new issues. And there will still be very many control systems openly accessible from the Internet to practically anybody who knows how to look for them. A large number of SCADA systems were found open on the Internet in the beginning of 2013, and the numbers have not dropped considerably during the year. I expect that very many of those systems will still be too open at the end of 2014.

The Internet is expanding into enterprise assets and consumer items such as cars and televisions. The Internet of Things (IoT) will evolve into the Web of Things, increasing the coordination between things in the real world and their counterparts on the Web. There will be many security issues to solve, and as these systems become more widely used, more security issues will be found in them.

Cloud security will be talked about. Hopefully there will be some clearing-up of the terminology in that area, because cloud security can mean a lot of things, like the term cloud computing. Cloud security could mean how secure your cloud provider is, a service running in the cloud that filters what comes through it (for example e-mails or web traffic), a product protecting some service running in the cloud, or a traditional anti-virus service that connects to the cloud to improve its operation (for example updating in real time, or verifying unknown programs based on data in the cloud). Research firm Gartner forecasts that cloud security sales will increase dramatically in the next few years. Cloud security sales have increased over the past year by 2.1 billion to $3.1 billion in 2015.

Marketers try to put the “cloud” term into security product brochures as much as they can. The cloud makes traditional information security sound old-fashioned, because companies are under pressure to move services to the cloud. Mobile devices and dispersed users also set new standards for information security. OpenDNS’s CTO Dan Hubbard says that “Because of the data and equipment run in the cloud users with the cloud is the best way to protect them.” The Snowden Effect will also bring PRIVATE cloud talk to the table this year for security reasons, because U.S. cloud services have been put into question for good reason.

In Finland a new Cyber Security Center started in the beginning of 2014. Security articles and warnings from it will be published at kyberturvallisuuskeskus.fi.

Late addition: Crypto-currencies like Bitcoin and similar are on the rise. Early adopters already use them actively. Those crypto-currencies have many security related issues. The values of the crypto-currencies vary quite a lot, and the value easily drops considerably when they get so widely used that different governments try to limit their use. Bitcoin is increasingly used as a ransomware payment method. Quite a lot of bitcoins have been stolen lately (and I expect that to increase when usage increases), and they are stolen from users, on-line wallets and exchanges. When more money is involved, more bad guys try to get in to get some of it. Sometimes bad guys do not try to steal your money, but use resources you pay for (your own PC, your server capacity, etc.) to generate money for them without you knowing about it. If you plan to use those crypto-currencies, be careful to understand what you are doing with them: there is a real possibility that you can lose your money, and there is no way that lost money can be recovered.

3,382 Comments

  1. Tomi Engdahl says:

    Privacy mistakes can become expensive for companies:

    The operator of a dating site for people with sexually transmitted diseases (STDs) faces paying out $16.5m (£10.4m) after losing a privacy case.

    The owner of PositiveSingles was accused of sharing photos and profile details from its site with other dating services, despite promising a “confidential” service.

    Source: http://www.bbc.com/news/technology-29912279

    Reply
  2. Tomi Engdahl says:

    Malicious Software Campaign Targets Apple Users in China
    http://bits.blogs.nytimes.com/2014/11/05/malicious-software-campaign-targets-apple-users-in-china/?_r=0

    Researchers at a Silicon Valley security company said on Wednesday that they had found a new manner in which hackers can infect Apple products.

    The company, Palo Alto Networks, reported that it had uncovered a malware campaign called WireLurker targeting Apple mobile and desktop users and said it was “the biggest in scale we have ever seen.”

    Though the malware — malicious software designed to cause damage or steal information — is aimed at users in China and can be avoided, the campaign demonstrates new ways that attackers are targeting Apple iOS mobile devices.

    The security company, based in Santa Clara, Calif., said that WireLurker had infected more than 400 applications designed for Apple’s Mac OS X operating system through the Maiyadi App Store, a third-party Mac application store in China.

    The company said users’ iOS devices could also become infected if they connected their mobile device to their Macs through a USB wire.

    WireLurker: A New Era in OS X and iOS Malware
    http://researchcenter.paloaltonetworks.com/2014/11/wirelurker-new-era-os-x-ios-malware/

    a new era in malware attacking Apple’s desktop and mobile platforms based on the following characteristics:

    Of known malware families distributed through trojanized / repackaged OS X applications, it is the biggest in scale we have ever seen
    It is only the second known malware family that attacks iOS devices through OS X via USB
    It is the first malware to automate generation of malicious iOS applications, through binary file replacement
    It is the first known malware that can infect installed iOS applications similar to a traditional virus
    It is the first in-the-wild malware to install third-party applications on non-jailbroken iOS devices through enterprise provisioning

    WireLurker was used to trojanize 467 OS X applications on the Maiyadi App Store, a third-party Mac application store in China. In the past six months, these 467 infected applications were downloaded over 356,104 times and may have impacted hundreds of thousands of users.

    Reply
  3. Tomi Engdahl says:

    Raytheon acquires cyber firm for $420 million
    http://www.reuters.com/article/2014/11/05/blackbird-techonologies-ma-raytheon-idUSL1N0SV24Z20141105

    Nov 5 (Reuters) – Raytheon Co announced on Wednesday that it has acquired privately held Blackbird Technologies, which provides cybersecurity, surveillance and secure communications to spy agencies and special operations units, for $420 million.

    It said the acquisition would make Raytheon one of the top providers to U.S. Special Operations Command, expanding its capabilities in tactical intelligence, surveillance and reconnaissance, secure tactical communications and cybersecurity around the world.

    “The cyber business is heading for a shakeup, and Raytheon is determined to be one of the survivors that controls substantial market share,”

    Reply
  4. Tomi Engdahl says:

    Former NSA lawyer: the cyberwar is between tech firms and the US government
    http://www.theguardian.com/technology/2014/nov/04/nsa-cyberwar-stewart-baker-cloudflare-snowden

    Stewart Baker said that Apple and Google could be restricting their business in markets like China and Russia by encrypting user data

    The battle over encryption of consumer internet users’ data has pitched US technology companies against the US government itself, former NSA general counsel Stewart Baker said on Tuesday.

    Speaking at Web Summit in Dublin, Baker claimed that moves by Google and Apple and others to encrypt user data was more hostile to western intelligence gathering than to surveillance by China or Russia.

    “The state department has funded some of these tools, such as Tor, which has been used in Arab Spring revolutions or to get past the Chinese firewall, but these crypto wars are mainly being fought between the American government and American companies,” he said, in conversation with Guardian special projects editor James Ball.

    Baker said encrypting user data had been a bad business model for Blackberry, which has had to dramatically downsize its business and refocus on business customers. “Blackberry pioneered the same business model that Google and Apple are doing now – that has not ended well for Blackberry,” said Baker.

    He claimed that by encrypting user data Blackberry had limited its business in countries that demand oversight of communication data, such as India and the UAE and got a bad reception in China and Russia. “They restricted their own ability to sell. We have a tendency to think that once the cyberwar is won in the US that that is the end of it – but that is the easiest war to swim.”

    Reply
  5. Tomi Engdahl says:

    Myth of malware-less Mac MURDERED: WireLurker-hit boxen infect all the iThings
    Phones popped after VXer applies research to attacks
    http://www.theregister.co.uk/2014/11/06/wirelurker_makes_mockery_of_mac_malwareless_myth/

    The largest-scale attack of its kind on OS X devices, believed the first to maliciously target non-jailbroken iPhones, has been detected on thousands of devices in the wild.

    WireLurker infects OS X machines, and monitors USB connections for connected Apple fondleslabs and iPhones. It then installs malicious third-party apps on the Jesus mobes through existing techniques.

    Victims have been told to phone friends who had plugged their devices into their diseased boxes.

    Reply
  6. Tomi Engdahl says:

    NSA director: We share most of the [crap] bugs we find!
    Crypto, crypto everywhere, ’til all the boards databases did shrink
    http://www.theregister.co.uk/2014/11/06/nsa_share_bugs/

    The National Security Agency (NSA) is only holding back a teeny, tiny number of code secrets, with director Admiral Mike Rogers promising the world the spook collective shares ‘most’ of the vulnerabilities it finds.

    The agency head made the remarks on his second visit to Silicon Valley since his appointment in April this year.

    Admiral Rogers told student delegates that US President Barack Obama asked the agency that it should share more of its vulnerabilities with the public.

    “The president has been very specific to us in saying ‘the balance I want you to strike will be largely focused on when you find vulnerabilities, we’re going to share them’,” Admiral Rogers said Monday.

    “By orders of magnitude, when we find new vulnerabilities, we share them.”

    Reply
  7. Tomi Engdahl says:

    158 new malware created EVERY MINUTE
    One for YOU and YOU and YOU and YOU
    http://www.theregister.co.uk/2014/11/06/158_new_malware_born_every_minute/

    Malware monitors PandaLabs says 227,747 new malware samples are released every day.

    The findings from its recent survey found 20 million samples were created in the third quarter of 2014.

    Three quarters of infections were trojans while only 9 percent were viruses and 4 percent worms.

    China topped the list of the highest infection rates followed by Peru and Bolivia.

    “Corporate environments are also under attack … in the last three months many large companies have been drawn into numerous scandals, including the so-called celebgate, where nude photos of actresses and models hosted on Apple’s iCloud service were leaked, or the theft of passwords for Gmail and Dropbox,” Corrons said.

    The large number of detected malware samples was filled by production line manufacturing kits, rather than dedicated loving handcraft.

    Reply
  8. Tomi Engdahl says:

    Huffy BlackEnergy vxers cry: ‘f*ck U Kaspersky’, thank Cisco for 0-days
    ‘U never get a fresh Black En3rgy!’
    http://www.theregister.co.uk/2014/11/05/huffy_blackenergy_vxers_cry_fck_u_kaspersky_thank_cisco_for_0days/

    Developers of the maturing malware weapon BlackEnergy have written a personal message for Kaspersky reverse engineers and Cisco developers in new code that targets Linux and router kit.

    Pesky malware researchers have kept an eye on BlackEnergy since it evolved from a denial-of-service attack tool to version two kit used by advanced financial and alleged state-sponsored attackers.

    The ware was upgraded with attack features including a plug-in Ciscoapi.tcl targeting The Borg’s kit.

    The latest detected BlackEnergy variant also received the ability to wipe drives in the event intruders were caught or felt particularly vindictive, and various port-scanning and certificate pinching plug-ins. One plugin grc used Google Plus accounts to download obfuscated command and control data from an encrypted image file.

    Reply
  9. Tomi Engdahl says:

    The Fight Over the EFF’s Secure Messaging Scoreboard
    http://yro.slashdot.org/story/14/11/05/2252244/the-fight-over-the-effs-secure-messaging-scoreboard

    The Electronic Frontier Foundation (EFF)’s new Secure Messaging Scorecard is designed to answer one important question: Which apps and tools actually keep your messages secure and safe from prying eyes? The results have been mixed.

    The fight to find the perfect secure messaging app
    http://www.dailydot.com/politics/eff-secure-messaging-scorecard-critics/

    Reply
  10. Tomi Engdahl says:

    Still Spamming After All These Years
    http://krebsonsecurity.com/2014/11/still-spamming-after-all-these-years/

    A long trail of spam, dodgy domains and hijacked Internet addresses leads back to a 37-year-old junk email purveyor in San Diego who was the first alleged spammer to have been criminally prosecuted 13 years ago for blasting unsolicited commercial email.

    Last month, security experts at Cisco blogged about spam samples caught by the company’s SpamCop service, which maintains a blacklist of known spam sources. When companies or Internet service providers learn that their address ranges are listed on spam blacklists, they generally get in touch with the blacklister to determine and remediate the cause for the listing (because usually at that point legitimate customers of the blacklisted company or ISP are having trouble sending email).

    Spammers sometimes hijack Internet address ranges that go unused for periods of time. Dormant or “unannounced” address ranges are ripe for abuse partly because of the way the global routing system works

    So who’s benefitting from the Internet addresses wrested from the Irish hosting company? According to Cisco, the addresses were hijacked by Mega-Spred and Visnet, hosting providers in Bulgaria and Romania, respectively. But what of the spammers using this infrastructure?

    Reply
  11. Tomi Engdahl says:

    KrebsOnSecurity Honored for Fraud Reporting
    http://krebsonsecurity.com/2014/10/krebsonsecurity-honored-for-fraud-reporting/

    The Association of Certified Fraud Examiners today announced they have selected Yours Truly as the recipient of this year’s “Guardian Award,” an honor given annually to a journalist “whose determination, perseverance, and commitment to the truth have contributed significantly to the fight against fraud.”

    Reply
  12. Tomi Engdahl says:

    Chip & PIN vs. Chip & Signature
    http://krebsonsecurity.com/2014/10/chip-pin-vs-chip-signature/

    The Obama administration recently issued an executive order requiring that federal agencies migrate to more secure chip-and-PIN based credit cards for all federal employees that are issued payment cards. The move marks a departure from the far more prevalent “chip-and-signature” standard, an approach that has been overwhelmingly adopted by a majority of U.S. banks that are currently issuing chip-based cards. This post seeks to explore some of the possible reasons for the disparity.

    Chip-based cards are designed to be far more expensive and difficult for thieves to counterfeit than regular credit cards that most U.S. consumers have in their wallets. Non-chip cards store cardholder data on a magnetic stripe, which can be trivially copied and re-encoded onto virtually anything else with a magnetic stripe.

    Magnetic-stripe based cards are the primary target for hackers who have been breaking into retailers like Target and Home Depot and installing malicious software on the cash registers: The data is quite valuable to crooks because it can be sold to thieves who encode the information onto new plastic and go shopping at big box stores for stuff they can easily resell for cash (think high-dollar gift cards and electronics).

    The United States is the last of the G20 nations to move to more secure chip-based cards. Other countries that have made this shift have done so by government fiat mandating the use of chip-and-PIN. Requiring a PIN at each transaction addresses both the card counterfeiting problem, as well as the use of lost or stolen cards.

    Here in the States, however, the movement to chip-based cards has evolved overwhelmingly toward the chip-and-signature approach. Naturally, if your chip-and-signature card is lost or stolen and used fraudulently, there is little likelihood that a $9-per-hour checkout clerk is going to bat an eyelash at a thief who signs your name when using your stolen card to buy stuff at retailers. Nor will a signature card stop thieves from using a counterfeit card at automated payment terminals (think gas pumps).

    But just how broadly adopted is chip-and-signature versus chip-and-PIN in the United States? According to an unscientific poll that’s been running for the past two years at the travel forum Flyertalk, only a handful of major U.S. banks issue chip-and-PIN cards; most have pushed chip-and-signature.

    Reply
  13. Tomi Engdahl says:

    PaaS security considerations
    http://embeddedexperience.blogspot.fi/2014/10/paas-security-considerations.html

    Security is the first concern which arise when talking about cloud services. Let’s take a closer look.

    Cloud services are usually categorized as SAAS, PAAS, and IAAS. When it comes to security, I personally trust PaaS most.

    Summary: IAAS – You’re on your own. PAAS – Limited but protected. SAAS – You just got to trust.

    Let’s dig into some details of security mechanisms of PaaS service. I’m using IBM Bluemix as an example here.

    Control of external communication
    Only HTTP/S and WebSocket/S connections are allowed. All other connection attempts are discarded. All external connections go through an external appliance for improved security.

    API isolation
    Only selected set of application programming interfaces are provided to developer. Even if the application is behaving badly, it can not do much harm.

    Data protection
    Data is proven to be available to given application only. However, several instances may share the same data store, if configured so.

    Platform instantiation
    Each application runs in its own container that has specific resource limits for processor, memory, and disk.

    Reply
  14. Tomi Engdahl says:

    Security policy and EU data protection: Don’t waste a good crisis
    http://www.theregister.co.uk/2014/11/06/security_policy_and_eu_data_protection_dont_waste_a_good_crisis/

    Websense research finds that 40 per cent of UK security professionals never speak to their executive board about cybersecurity issues. But we all know there are things that they really need to hear. Now there’s a way to get their attention: 2015 looks like the year that the long-feared EU data protection regulations will become law, and that’s going to affect everyone’s cybersecurity policy and practice.

    So, when you get their attention, what should you tell them? Can you use the threat of data protection regulation to retool your operation and security policy – and what should you be doing?

    Reply
  15. Tomi Engdahl says:

    Hackers use DRAFT emails as dead-drops for running malware
    Python bite opens doors to get into Gmail, Yahoo! accounts
    http://www.theregister.co.uk/2014/11/06/hackers_use_gmail_drafts_as_dead_drops_to_control_malware_bots/

    Sneaky hackers are using Gmail and Yahoo! drafts to control compromised devices, with the tactic designed to make detection of malware-related communications more difficult to pick up in enterprise environments.

    Attacks occur in two phases. Hackers first infect a targeted machine via simple malware that installs Python onto the device, enabling simple attack scripts to run.

    Using Gmail (or Yahoo! Mail), hackers then use draft emails to run command and control prompts on these compromised systems, allowing them to siphon data from infected devices.

    “Since command and control traffic is one of the most important indications of a breach, this vulnerability is especially dangerous because the hacker uses drafts to ensure no mail ever crosses the firewall,” Shape Security warns.

    Reply
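    Detection logic for the draft-folder dead-drop pattern described in the comment above, as an added example that is not from the article or from Shape Security. Since no mail crosses the perimeter, the observable is the implant itself: a non-browser client (the Python installed in phase one) contacting a webmail host on a fixed polling schedule. The proxy log format, the sample lines, the webmail host list and the "user agent starts with Mozilla/" browser heuristic are all constructed assumptions for this example.

```python
"""Flag machine-like polling of webmail hosts in web-proxy logs.

Assumed (constructed) log format, one request per line:
    <ISO-8601 timestamp> <client_ip> <host> <user_agent...>
A human in a browser reads mail at irregular moments; a script polling a
draft folder for commands shows up as evenly spaced requests from a
non-browser user agent. We measure that regularity as the coefficient
of variation (stddev / mean) of the gaps between requests.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: 10.0.0.5 polls Gmail every ~60 s from a script,
# 10.0.0.7 is a person reading mail in Firefox, 10.0.0.9 is a scripted
# but legitimate update check against a non-webmail host.
SAMPLE_LOG = """\
2014-11-06T09:00:00 10.0.0.5 mail.google.com python-requests/2.4.3
2014-11-06T09:01:00 10.0.0.5 mail.google.com python-requests/2.4.3
2014-11-06T09:02:01 10.0.0.5 mail.google.com python-requests/2.4.3
2014-11-06T09:03:00 10.0.0.5 mail.google.com python-requests/2.4.3
2014-11-06T09:04:00 10.0.0.5 mail.google.com python-requests/2.4.3
2014-11-06T09:00:12 10.0.0.7 mail.google.com Mozilla/5.0 (Windows NT 6.1) Firefox/33.0
2014-11-06T09:07:40 10.0.0.7 mail.google.com Mozilla/5.0 (Windows NT 6.1) Firefox/33.0
2014-11-06T09:31:05 10.0.0.7 mail.google.com Mozilla/5.0 (Windows NT 6.1) Firefox/33.0
2014-11-06T09:32:00 10.0.0.7 mail.google.com Mozilla/5.0 (Windows NT 6.1) Firefox/33.0
2014-11-06T09:45:00 10.0.0.7 mail.google.com Mozilla/5.0 (Windows NT 6.1) Firefox/33.0
2014-11-06T09:00:00 10.0.0.9 updates.example.net python-requests/2.4.3
2014-11-06T09:01:00 10.0.0.9 updates.example.net python-requests/2.4.3
2014-11-06T09:02:00 10.0.0.9 updates.example.net python-requests/2.4.3
2014-11-06T09:03:00 10.0.0.9 updates.example.net python-requests/2.4.3
"""

# Assumed list of webmail front ends worth watching (the article names
# Gmail and Yahoo! Mail); extend for the services your users actually use.
WEBMAIL_HOSTS = {"mail.google.com", "mail.yahoo.com"}


def parse_log(text):
    """Group request timestamps by (client_ip, host, user_agent)."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, ua = line.split(" ", 3)
        events[(client, host, ua)].append(datetime.fromisoformat(ts))
    return events


def regularity(timestamps, min_events=4):
    """Return (mean_gap_seconds, coefficient_of_variation), or None if
    there are too few requests to judge a rhythm."""
    if len(timestamps) < min_events:
        return None
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    if avg == 0:
        return None
    return avg, pstdev(gaps) / avg


def find_webmail_beacons(text, max_cv=0.2, min_events=4):
    """Return the (client, host, user agent) tuples that poll a webmail
    host from a non-browser client at near-constant intervals."""
    hits = []
    for (client, host, ua), stamps in parse_log(text).items():
        # Browser traffic to webmail is expected; scripted traffic is not.
        if host not in WEBMAIL_HOSTS or ua.startswith("Mozilla/"):
            continue
        result = regularity(stamps, min_events)
        if result is None:
            continue
        period, cv = result
        if cv <= max_cv:
            hits.append({"client": client, "host": host, "user_agent": ua,
                         "period_s": round(period), "cv": round(cv, 3)})
    return hits


if __name__ == "__main__":
    for hit in find_webmail_beacons(SAMPLE_LOG):
        print(f"{hit['client']} -> {hit['host']} every ~{hit['period_s']}s "
              f"(cv={hit['cv']}, ua={hit['user_agent']})")
```

    The thresholds are a starting point for triage, not a verdict: a flagged host still needs the endpoint checked for the unexpected Python interpreter and script the comment describes.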
  16. Tomi Engdahl says:

    Users Can’t Distinguish Scams From Facebook’s Features
    http://yro.slashdot.org/story/14/11/06/1345206/users-cant-distinguish-scams-from-facebooks-features

    Anyone who’s seen social media sites like Facebook has probably also seen scam ads that promise new features or insider access to the sites themselves.

    Zdnet reports that a new whitepaper from antivirus company Bitdefender, which examined 850,000 Facebook scams over two years, shows that Facebook’s own user experience enables these scams to flourish

    Users can’t tell Facebook from a scam
    http://www.zdnet.com/users-cant-tell-facebook-from-a-scam-7000035440/

    Summary: A new whitepaper from Bitdefender examined victims targeted in 850,000 Facebook scams. It turns out Facebook’s user experience makes it easy for scammers to exploit users.

    Reply
  17. Tomi Engdahl says:

    A GLANCE INTO THE PSYCHOLOGY OF FACEBOOK SCAM VICTIMS – WHO IS STILL YEARNING TO SEE WHO VIEWED THEIR PROFILE?
    http://www.bitdefender.com/media/materials/white-papers/en/Bitdefender_WhitePaper_Facebook_Scams_web.pdf

    At the beginning of 2014, Facebook passed 1.23 billion monthly active users who share their thoughts, pictures and videos with their friends and the public. This huge mass of people forms a very alluring market for advertisers and companies, competing for creating communities of future clients. But when the “security lights” go off, this audience is also targeted by thousands of cyber-criminals. Facebook itself reported that between 5 and almost 15 million of its accounts are “undesirable” fakes created for spam or other purposes that violate its terms of service.

    A Bitdefender study on over 850,000 Facebook scams revealed the top five bait categories that affect users worldwide through malware, spam and fraudulent attacks. To tackle the mystery behind the higher and higher numbers of social scam victims, a team of behavior analysts and psychologists working for the antivirus software provider offered insights on human psychology and explained who the most gullible users are.

    Reply
  18. Tomi Engdahl says:

    Is new EU digi chief Oettinger starting a war with his boss?
    Gaffe-prone Gunther H. calls EC Vice President Ansip a ‘leftover’
    http://www.theregister.co.uk/2014/11/06/is_new_eu_digi_chief_oettinger_starting_a_war_of_words_with_his_boss/

    Things not to do in the first week of your new job: slag off the boss. It seems this memo bypassed the EU’s new digital chief Gunther H. Oettinger.

    Oettinger described his VP, Andrus Ansip, as a “leftover”.

    Officially, Ansip’s job is to oversee all aspects of the “Digital Single Market” but Oettinger claimed he wouldn’t get a look in on any sections of his portfolio unless it intersected with other commissioners.

    According to Oettinger, all digital competences lie with him and Ansip is a mere coordinator.

    he won’t tolerate any interference from “upstairs”.

    Reply
  19. Tomi Engdahl says:

    Terrorists used false DMCA claims to get personal data of anti-islamic youtuber
    http://beta.slashdot.org/submission/3961131/terrorists-used-false-dmca-claims-to-get-personal-data-of-anti-islamic-youtuber

    Later, the channel staff got a mail containing a death threat by “FirstCrist, Copyright”

    Reply
  20. Tomi Engdahl says:

    Silk Road 2.0 seized by FBI, DHS, Europol; alleged operator Blake Benthall arrested in SF, charged with narcotics trafficking, money laundering, hacking —

    Feds Seize Silk Road 2 in Major Dark Web Drug Bust
    http://www.wired.com/2014/11/feds-seize-silk-road-2/

    Not Just Silk Road 2: Feds Seize Two Other Drug Markets and Counting
    http://www.wired.com/2014/11/dark-web-seizures/

    A full-blown dark web drug crackdown is in the works, and it’s not stopping with the Silk Road.

    Reply
  21. Tomi Engdahl says:

    What You Need to Know About WireLurker
    http://www.zdziarski.com/blog/?p=4140

    Mobile Security company Palo Alto Networks has released a new white paper titled WireLurker: A New Era in iOS and OS X Malware.

    https://www.paloaltonetworks.com/content/dam/paloaltonetworks-com/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf

    Reply
  22. Tomi Engdahl says:

    Spyware exports will need a licence under new EU rules
    http://www.theguardian.com/technology/2014/nov/06/spyware-exports-licence-new-eu-rules-military-applications

    ‘Intrusion software’ joins nuclear reactors and rocket fuel on the EU’s list of technologies that may have military applications

    Companies which make spyware will have to apply for permission to export the software once new EU regulations come into effect in late December.

    Officially referred to as “intrusion software”, the software will now be included on the EU’s list of “dual use” items, defined as “goods, software and technology normally used for civilian purposes but which might have military applications or contribute to the proliferation of weapons of mass destruction.”

    The restriction means that companies will have to apply for a licence to export spyware, although it doesn’t affect the sale of the software within the UK. Inclusion on the dual-use list places the technology alongside nuclear reactors, ultra-high-resolution cameras, and rocket fuel.

    Reply
  23. Tomi Engdahl says:

    Home Depot Hackers Exposed 53 Million Email Addresses
    Hackers Used Password Stolen From Vendor to Gain Access to Retailer’s Systems
    http://online.wsj.com/news/article_email/home-depot-hackers-used-password-stolen-from-vendor-1415309282-lMyQjAxMTA0NzAzNjMwMjY5Wj

    Home Depot Inc. said hackers got into its systems last April by stealing a password from a vendor, opening a tiny hole that grew into the biggest retail-credit-card breach on record.

    On Thursday, the company announced the breach was worse than earlier thought. In addition to the 56 million credit-card accounts that were compromised, Home Depot now says around 53 million customer email addresses were stolen as well.

    Those addresses are by their nature semipublic, but they can be used by hackers hoping to trick people into giving away more sensitive information, and Home Depot warned its customers to be on guard.

    The findings—which come after more than two months of investigations by the company, law-enforcement agents and hundreds of security personnel—show the home-improvement retailer fell victim to the same type of infiltration tactics as Target Corp. , where hackers gained access last year via a Pennsylvania-based refrigeration contractor’s electronic billing account.

    Reply
  24. Tomi Engdahl says:

    Microsoft releases free Antimalware for Azure
    http://www.zdnet.com/microsoft-releases-free-antimalware-for-azure-7000035467/

    Summary: The service, using the same engine and signatures as Microsoft’s other offerings, is now available to most Azure virtual machines. The software is free, but use of it may cost money.

    Reply
  25. Tomi Engdahl says:

    Europe’s cyber security agency wants pick your infosec BRAINS
    Reg readers… anyone… Bueller?
    http://www.theregister.co.uk/2014/11/07/europes_cyber_security_agency_is_after_your_brraaaaiinsss/

    Do you work in the ICT sector? If so, Europe’s top cyber security agency wants you. ENISA (The European Union Agency for Network and Information Security) is looking for 20 experts to join its “Permanent Stakeholders’ Group”.

    Self-declared experts who work in the ICT sector for fixed and mobile electronic communications providers, internet service providers, network and information security service providers or in the hardware and software industries are invited to apply by 5 January. There are also places for representatives of consumer organisations and academic institutions.

    Reply
  26. Tomi Engdahl says:

    British Spies Are Free To Target Lawyers and Journalists
    http://yro.slashdot.org/story/14/11/07/0225218/british-spies-are-free-to-target-lawyers-and-journalists

    British spies have been granted the authority to secretly eavesdrop on legally privileged attorney-client communications, according to newly released documents.

    British Spies Are Free to Target Lawyers and Journalists
    https://firstlook.org/theintercept/2014/11/06/uk-surveillance-of-lawyers-journalists-gchq/

    Reply
  27. Tomi Engdahl says:

    Shove over, 2FA: Authentication upstart pushes quirky login tech
    All login tech is hackable (except ours, natch) claims securo-upstart
    http://www.theregister.co.uk/2014/11/07/liveensure_authentication_upstart/

    Security upstart LiveEnsure is trying to shake up the authentication market with technologies that verify users by device type, location and user behaviour, as an alternative to established authentication systems.

    The firm is pushing its smartphone-based services as an alternative to security tokens, biometrics, one-time-passwords or SMS messages. All these older techniques are both invasive and ineffective because they are hackable, according to LiveEnsure. “Passwords, dongles, cookies and even biometrics can all be had, somehow,” said Christian Hessler, founder and chief exec of LiveEnsure.

    “All modern hacks happen when identity factors or credentials can be taken out of context and used in another context to assume the identity of the hacked victim,” Hessler said. “When this can be done over and over, or on a mass scale, it speaks directly to the problem of relying on identity to perform the job of authentication.”

    Reply
  28. Tomi Engdahl says:

    We’re familiar with features like Siri or Microsoft’s Cortana which grope at a familiar concept from science fiction, yet leave us doing silly things like standing in public yowling at our phones. Amazon took a new approach to the idea of an artificial steward by cutting the AI free from our peripherals and making it an independent unit that acts in the household like any other appliance.

    The device is little more than the internet and a speaker stuffed into a minimal black cylinder the size of a vase, oh- and six far-field microphones aimed in each direction which listen to every word you say… always.

    With that said, inviting a little WiFi probe into your intimate living space to listen in on everything you do will take some getting over… your thoughts?

    Reply
  29. Tomi Engdahl says:

    Google Wants to Store Your Genome
    For $25 a year, Google will keep a copy of any genome in the cloud.
    http://www.technologyreview.com/news/532266/google-wants-to-store-your-genome/

    Google is approaching hospitals and universities with a new pitch. Have genomes? Store them with us.

    The search giant’s first product for the DNA age is Google Genomics, a cloud computing service that it launched last March but went mostly unnoticed amid a barrage of high profile R&D announcements from Google, like one late last month about a far-fetched plan to battle cancer with nanoparticles.

    Google Genomics could prove more significant than any of these moonshots. Connecting and comparing genomes by the thousands, and soon by the millions, is what’s going to propel medical discoveries for the next decade. The question of who will store the data is already a point of growing competition between Amazon, Google, IBM, and Microsoft.

    Google began work on Google Genomics 18 months ago, meeting with scientists and building an interface, or API, that lets them move DNA data into its server farms and do experiments there using the same database technology that indexes the Web and tracks billions of Internet users.

    “We saw biologists moving from studying one genome at a time to studying millions,”

    Reply
  30. Tomi Engdahl says:

    Federal sites leaked the locations of people seeking AIDS services for years
    http://www.washingtonpost.com/blogs/the-switch/wp/2014/11/07/federal-sites-leaked-the-locations-of-people-seeking-aids-services-for-years/

    Two federal government Web sites that help people find AIDS-related medical services have begun routinely encrypting user data after years in which they let sensitive information — including the real-world locations of site visitors – onto the Internet unprotected.

    Until the change, these sites had risked exposing the identities of visitors when they used search boxes

    The sites and apps did not themselves track visitors, but their data was handled in ways that could have enabled monitoring by employers, universities or others with access to the data flowing between individual devices – such as computers and smartphones – and the Internet. Even using a public wifi signal, offered by a coffee shop or airport, could have allowed a nearby hacker to learn that an individual user, wielding a particular type of smartphone, was seeking treatment for HIV or drug addiction.

    Privacy advocates long have argued that routine encryption – using a popular protocol called SSL – should be standard for Web sites or apps handling potentially sensitive information, especially when it relates to personal medical concerns. Government officials, in response to questions posed by The Washington Post, said they came to agree that their sites created privacy risks for those seeking AIDS-related services.

    “We started requiring SSL for the [services] Locator because we understood that information should be encrypted to protect privacy,”

    Another site, which helps users locate HIV testing sites and is run by the federal Centers for Disease Control and Prevention, switched to automatic encryption on Tuesday, after months of planning, officials said.

    The lack of routine encryption on AIDS.gov was first highlighted by security researcher Steve Roosa, a partner at law firm Holland & Knight, who discovered the issue when he was studying what privacy features are common for Web sites that handle information related to personal health concerns. He had guessed that AIDS.gov, given the history of stigma for people with the disease, would have protections that could be considered the gold standard in personal privacy. Roosa soon discovered he was wrong.

    Reply
  31. Tomi Engdahl says:

    EU cyber-cop: Dark-net crooks think they’re beyond reach (until now)
    G-men all smiles after this week’s raid on Tor hidden servers
    http://www.theregister.co.uk/2014/11/07/euro_cyber_cops_darknet_arrests/

    Hundreds of websites shut down, 17 arrested and $1m in Bitcoin seized – Thursday was, apparently, a busy day for the West’s cyber-cops.

    Operation Onymous, in which police and g-men in more than a dozen European countries as well as the US, has claimed some big scalps including the Silk Road 2.0, Hydra and Cannabis Road websites – plus sites such as Doxbin, which is where miscreants could publish people’s personal information for nefarious uses.

    According to a statement from Eurojust, which coordinated the judicial part of the investigation in Europe, dark-net buyers and traders believed they were safe from prosecution “until now.” An indication of this is that Silk Road 2.0 was up and running about a month after the original Silk Road was shut down.

    “This case is a landmark in the continuing battle against cybercrime; it marks the beginning, not the end, of the pursuit of those who abuse the internet for illegal profit,” said Koen Hermans, leader of the Eurojust coordination centre.

    Reply
  32. Tomi Engdahl says:

    Unfollow Your Most Annoying Facebook Friends And Pages With “News Feed Settings”
    http://techcrunch.com/2014/11/07/news-feed-settings/

    Face it. You’ve accepted friend requests from some weirdos and over-sharers. Luckily, today Facebook’s launched a News Feed Settings tool that shows the friends and Pages taking up the most space in your Feed, and lets you quickly unfollow them without unfriending. There’s also a new flow for hiding specific posts from your Feed that lets you tell Facebook whether it’s the author, or a person, Page, or app mentioned that you want to see less of, and then unfollow them if necessary.

    Reply
  33. Tomi Engdahl says:

    AVG expands in Scandinavia with Norman purchase

    Dutch security company AVG buys Norman Safe Ground, with a sharp focus on cloud and mobile services in the Nordic region.

    Through the acquisition, the company gains a crucial contribution to expanding locally in its target markets with new mobile and cloud-based services, he said.

    At the end of 2012 the security company Norman was split into Norman Safe Ground and Norman Shark, the latter of which was sold to Blue Coat Systems last year.
    AVG is also acquiring Location Labs, which specializes in mobile security, for just over 1.5 billion.

    According to a report on Thursday in the Wall Street Journal, several other security companies approached AVG to discuss a takeover.

    Source: http://it24.idg.se/2.2275/1.593080/avg-expanderar-i-norden-med-norman-kop

    AVG Technologies Approached by Potential Buyers
    Approach Comes Amid a Wave of Deals for Security-Software Makers
    http://online.wsj.com/articles/avg-technologies-approached-by-potential-buyers-1415316140

    Reply
  34. Tomi Engdahl says:

    NCA shutters 400 ‘dark web’ sites in operation Project Protein
    Six people arrested as part of crackdown
    http://www.theinquirer.net/inquirer/news/2380237/nsa-shutters-400-dark-web-sites-in-operation-project-protein

    THE UK NATIONAL CRIME AGENCY (NCA) has helped to close 400 ‘dark web’ sites involved in various illegal activities under an operation dubbed Project Protein.

    The takedowns were part of the NCA’s involvement in the shut down of the Silk Road 2.0 website by the FBI.

    “Those arrested by the NCA in this phase of the operation are suspected of setting up Silk Road 2.0, or of being significant vendors of illegal drugs.”

    Reply
  35. Tomi Engdahl says:

    cURL/libcURL CVE-2014-0138 Remote Security Bypass Vulnerability
    http://www.securityfocus.com/bid/66457

    cURL/libcURL CVE-2014-0139 SSL Certificate Validation Security Bypass Vulnerability
    http://www.securityfocus.com/bid/66458

    Reply
  36. Tomi Engdahl says:

    Big Bad Data
    http://www.linuxjournal.com/content/big-bad-data

    Obsession with Big Data has gotten out of hand. Here’s how.

    I’m writing this on September 11, 2014, 13 years after the famous day when terrorist hijackers flew planes into buildings, killing thousands and changing the world for the worse. I also spent the last three days getting hang time with Bill Binney, who says the 9/11 attacks could have been prevented. Bill makes this claim because he led an NSA project designed to find clues and put them together. It was called ThinThread. The NSA discontinued ThinThread three weeks before the attacks, opting eventually to go with another project called Trailblazer. Bill says ThinThread would have cost $9 million to deploy. Trailblazer ended up costing hundreds of millions of dollars and sucked.

    Like its successors, such as PRISM, Trailblazer was all about collecting everything it could from everywhere it could. “At least 80% of all audio calls, not just metadata”, Bill tells us, “are recorded and stored in the US. The NSA lies about what it stores.” At the very least, revelations by Bill and other sources (such as Edward Snowden and Chelsea Manning) make it clear that the Fourth Amendment no longer protects American citizens from unreasonable searches and seizures. In the era of Big Data everywhere, it’s reasonable to grab all of it.

    Reply
  37. Tomi Engdahl says:

    Suicide prevention charity suspends tweet-scanning service over ethical concerns
    https://gigaom.com/2014/11/07/suicide-prevention-charity-suspends-tweet-scanning-service-over-ethical-concerns/

    The Samaritans suicide prevention charity in the U.K. has suspended its controversial Samaritans Radar Twitter app, which scanned the tweets of people that subscribers follow, in order to find signs of heavy depression and alert the subscribers. Critics, many of whom have experience of mental health issues, pointed out that the app was a gift to stalkers and trolls, and a disincentive to using Twitter to vent. Consent was a major issue, with the people being monitored not even receiving notifications when their tweets were flagged.

    Reply
  38. Tomi Engdahl says:

    Berlin’s Digital Exiles: Where Tech Activists Go To Escape the NSA
    http://yro.slashdot.org/story/14/11/09/1913249/berlins-digital-exiles-where-tech-activists-go-to-escape-the-nsa

    An anonymous reader writes with this story about how Berlin has become a haven for Laura Poitras and other journalists who want to limit the amount of NSA disruption in their lives.

    “She needed somewhere else to go, somewhere she hoped would be a safe haven. And that somewhere was Berlin.”

    Berlin’s digital exiles: where tech activists go to escape the NSA
    http://www.theguardian.com/world/2014/nov/09/berlins-digital-exiles-tech-activists-escape-nsa

    With its strict privacy laws, Germany is the refuge of choice for those hounded by the security services. Carole Cadwalladr visits Berlin to meet Laura Poitras, the director of Edward Snowden film Citizenfour, and a growing community of surveillance refuseniks

    Laura Poitras on the roof of Archimedes Exhibitions in Berlin. Poitras moved to Berlin to escape the attentions of the US security services.

    Reply
  39. Tomi Engdahl says:

    Operator of Silk Road 2.0 Website Charged in Manhattan Federal Court
    http://www.fbi.gov/newyork/press-releases/2014/operator-of-silk-road-2.0-website-charged-in-manhattan-federal-court

    Silk Road 2.0, Launched in November 2013 After Its Predecessor was Shut Down by Law Enforcement, Has Enabled More Than 100,000 People to Buy and Sell Illegal Drugs Anonymously Over the Internet

    FBI Assistant Director-in-Charge George Venizelos said: “It’s been more than a year since the FBI made an arrest of the administrator of the black-market bazaar, Silk Road, and here we stand again, announcing the arrest of the creator and operator of Silk Road 2.0. Following a very close business model to the first, as alleged, Blake Benthall ran a website on the Tor network facilitating supposedly anonymous deals of drugs and illegal services generating millions of dollars in monthly sales. Benthall should have known that those who hide behind the keyboard will ultimately be found. The FBI worked with law enforcement partners here and abroad on this case and will continue to investigate and bring to prosecution those who seek to run similar black markets online.”

    Reply
  40. Tomi Engdahl says:

    Someone has broken into your systems. Now what?
    Never let a good crisis go to waste
    http://www.theregister.co.uk/2014/11/10/data_security/

    So, you’ve been hacked. Compromised. Breached and violated. Some criminal Goldilocks has been inside your network and found that your data was neither too hot nor too cold but just right. What are you going to do about it?

    This could happen to any organisation and what you do to mitigate the problem could define your public image and legal position for years to come.

    Here is a playbook to help you get through the worst of it – and maybe even come out wiser on the other side.

    Be prepared

    If a CIO has been doing it right, the incident response process will have begun long before a system compromise was detected. Good preparation is key to eliminating headaches later on.

    Follow the drill

    “The army puts you through drills. It gets you to understand what high-level scenarios you should follow because there are certain steps that will remain the same across all incidents,” he says.

    “You should get the big things right and stick to the plans, even if each incident should be slightly different at the sharp end.”

    Spot the culprit

    You have your plan and your team but one day, in spite of your best efforts, someone prises open your network and causes some damage. This is where the identification and investigation phase kicks in.

    “The realisation might come days, weeks or months after the event,” says Osborn.

    Damage limitation

    Containment is where things get really interesting. The aim, of course, is to mitigate any damage that has already been done and to stop the attacker doing any more.

    Throttling attackers involves understanding how they work. Experts explain that they gain access to a system and then escalate their privilege to gain access to more sensitive information.

    Companies should take forensic backups of infected machines to preserve evidence

    Waiting game

    Von Roessing has his own take on the containment phase, which he calls “response”. In addition to mitigating damage, he advocates secret observation to find out as much about the intruder as possible.

    “Resist the temptation to beat them over the head because you will lose a lot of intelligence if you do that,” he says.

    “You must set up a honeypot to keep them distracted, while having your forensics team secure the evidence.”

    Eradicate, eradicate

    With the containment taken care of, it is time to eradicate the threat from your network entirely. When taking this step, document human resources and other costs that go into the effort.

    This will help you to understand how much this part of the breach cost you, says SANS, while also providing proof that the toxins were removed from your systems.

    Wiping and re-imaging systems is important, as is patching the re-imaged systems against the vulnerabilities that allowed the attack to happen in the first place.

    Von Roessing’s team treats this as an exercise in disaster recovery because companies are taking systems out of operation, at least for a short while.

    Restored to health

    The final two steps in the incident response process are recovery and improvement. Ensuring that the systems are clean and working properly involves a set period of monitoring them for abnormal behaviour.

    The improvement process is your way to potentially come out ahead. Reviewing how the incident response was managed will hone your skills so that next time (and let’s not fool ourselves here) you will be able to act even faster and more decisively.

    The improvement phase goes beyond refining your incident response into an analysis of your security protections.

    Reply
  41. Tomi Engdahl says:

    Behind enemy lines in our war against account hijackers
    http://googleonlinesecurity.blogspot.fi/2014/11/behind-enemy-lines-in-our-war-against.html

    A recent poll in the U.S. showed that more people are concerned about being hacked than having their house robbed. That’s why we continue to work hard to keep Google accounts secure. Our defenses keep most bad actors out, and we’ve reduced hijackings by more than 99% over the last few years.

    We monitor many potential threats, from mass hijackings (typically used to send lots of spam) to state-sponsored attacks (highly targeted, often with political motivations).

    Manual hijackers often get into accounts through phishing: sending deceptive messages meant to trick you into handing over your username, password, and other personal info.

    Simple but dangerous: Most of us think we’re too smart to fall for phishing, but our research found some fake websites worked a whopping 45% of the time. On average, people visiting the fake pages submitted their info 14% of the time, and even the most obviously fake sites still managed to deceive 3% of people. Considering that an attacker can send out millions of messages, these success rates are nothing to sneeze at.

    Quick and thorough: Around 20% of hijacked accounts are accessed within 30 minutes of a hacker obtaining the login info.

    Personalized and targeted: Hijackers then send phishing emails from the victim’s account to everyone in his or her address book. Since your friends and family think the email comes from you, these emails can be very effective. People in the contact list of hijacked accounts are 36 times more likely to be hijacked themselves.

    Learning fast: Hijackers quickly change their tactics to adapt to new security measures.

    Tips

    Stay vigilant: Gmail blocks the vast majority of spam and phishing emails, but be wary of messages asking for login information or other personal data.

    Get your account back fast: If your account is ever at risk, it’s important that we have a way to get in touch with you and confirm your ownership. That’s why we strongly recommend you provide a backup phone number or a secondary email address

    2-step verification: Our free 2-step verification service provides an extra layer of security against all types of account hijacking.

    Handcrafted Fraud and Extortion: Manual Account Hijacking in the Wild
    http://services.google.com/fh/files/blogs/google_hijacking_study_2014.pdf

    Online accounts are inherently valuable resources—both for the data they contain and the reputation they accrue over time. Unsurprisingly, this value drives criminals to steal, or hijack, such accounts. In this paper we focus on manual account hijacking—account hijacking performed manually by humans instead of botnets. We describe the details of the hijacking workflow: the attack vectors, the exploitation phase, and post-hijacking remediation. Finally we share, as a large online company, which defense strategies we found effective to curb manual hijacking.

    Reply
  42. Tomi Engdahl says:

    Hardware retailer Home Depot suffered an intrusion between April and September. The break-in exposed 53 million e-mail addresses as well as 56 million debit card records.

    The break-in has cost a whopping $62 million, which includes, among other things, lawyer and customer counseling expenses. The money comes mainly from Home Depot itself; insurance covers only a small part of it.

    The Wall Street Journal has reported the details of the break-in. The hackers are reported to have crossed between the stores’ open and closed networks by using a Windows vulnerability.

    After the burglary came to light, Microsoft provided Home Depot with a patch for the hole, but the damage had already been done. It seems that the company’s confidence in Microsoft products collapsed: it immediately started buying MacBooks and iPhones for Home Depot’s top managers.

    Source: http://www.tivi.fi/kaikki_uutiset/kuppi+meni+nurin+windowsaukko+syyna+jattitietovuotoon+johtajat+vaihtoivat+applelaitteisiin/a1027363

    Home Depot Hackers Exposed 53 Million Email Addresses
    Hackers Used Password Stolen From Vendor to Gain Access to Retailer’s Systems
    http://online.wsj.com/articles/home-depot-hackers-used-password-stolen-from-vendor-1415309282

    Reply
  43. Tomi Engdahl says:

    Texas Man Arrested For $4.5 Million Bitcoin Ponzi Scheme
    http://www.forbes.com/sites/jordanmaglich/2014/11/06/texas-man-arrested-for-4-5-million-bitcoin-ponzi-scheme/

    Shavers, known as Pirateat40 on the popular Bitcoin forum Bitcointalk.org, began soliciting investors to park their Bitcoins (“BTC”) in Bitcoin Savings and Trust (“BST”), a digital hedge fund that promised weekly returns of up to 7%. When asked how he was able to achieve such lucrative returns, Shavers told investors that he was involved in bitcoin arbitrage activity that included acting as a middleman for individuals who wished to purchase large quantities of BTC “off the radar.”

    However, according to authorities, Bitcoin Savings and Trust was nothing more than an elaborate scam that Shavers used to take in millions of dollars in BTC. In total, Shavers took in more than 700,000 BTC – which at one point constituted approximately seven percent of all Bitcoin then in public circulation.

    Reply
  44. Tomi Engdahl says:

    Don’t assume public trusts you, MI5. ‘Make a case’ for surveillance – Former security chief
    ‘Do you trust us… Snowden or …the Islamic State’?
    http://www.theregister.co.uk/2014/11/10/chief_spooks_must_make_case_for_surveillance_says_former_mi5_head/

    Spooks and security agencies must openly debate the public’s concerns over surveillance following the Snowden revelations, former head of MI5 and current thriller writer Stella Rimington has said.

    “It is not enough nowadays for intelligence services to say we have your best interests at heart,” she told delegates at Microsoft’s Future Decoded event in London.

    Last week Hannigan slammed US technology companies for improving the security of their products.

    “However much they may dislike it, they have become the command and control networks of choice for terrorists and criminals, who find their services as transformational as the rest of us,”

    Reply
  45. Tomi Engdahl says:

    Voteware source code seeker found not to be vexatious
    Hobart lawyer wins next round in EasyCount code battle
    http://www.theregister.co.uk/2014/10/20/oz_info_commish_senate_count_foi_requests_arent_vexatious/

    Michael Cordover, the Hobart lawyer who has been pressing the Australian Electoral Commission (AEC) to release the source code of its vote-counting software, has had a win courtesy of the Office of the Australian Information Commissioner (OAIC).

    It doesn’t mean that the AEC has to release the documents in question – the source code of software used to count Senate elections in Australia. But it does leave Cordover free to try and craft a further FOI request.

    Reply
  46. Tomi Engdahl says:

    Plan Long Term for Industrial Internet Security
    http://www.eetimes.com/author.asp?section_id=36&doc_id=1324538&

    With industrial control systems becoming network-connected, security risks rise and will need a long-term solution.

    Reply
  47. Tomi Engdahl says:

    Russian internet traffic detours through China’s Frankfurt outpost
    A tale of twisted traceroutes
    http://www.theregister.co.uk/2014/11/10/russian_data_routed_through_china/

    Russian domestic internet traffic has in the past year sailed through Shanghai due to routing errors by China Telecom, network boffin Doug Madory says.

    The apparent networking gaffe appeared to stem from a BGP peering deal between the telco and top Russian mobile provider Vimpelcom to save money on transit operators.

    Dyn research internet analysis director recapped instances of Ruskie data funneling through China.

    “During [one] incident, over 7000 routes from Vimpelcom’s customer cone were globally announced by China Telecom,” Madory said in a post.

    Traceroutes from Moscow to other Russian locales were also pushed through China Telecom infrastructure in Frankfurt and back to Russia.

    While human error appeared to be the most likely cause of the gaffe, privacy and security concerns from wire snoops remained, Madory said.

    Reply
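A detection routine for the kind of route leak described in the comment above, as an added example that is not from the article or from Dyn Research: it checks announcements of a monitored customer cone for an unexpected origin AS, a more-specific prefix, and an unexpected AS sitting next to the cone owner in the AS path, then tallies how many cone prefixes each unexpected AS is carrying. All ASNs and prefixes are constructed from the documentation ranges (RFC 5398, RFC 5737, RFC 3849) and stand in for the real operators.

```python
"""Flag route leaks and hijacks of a monitored customer cone from BGP updates.

Added example, not code from the article or Dyn Research. ASNs come from the
documentation range of RFC 5398 and prefixes from the RFC 5737 / RFC 3849
documentation blocks; they are constructed stand-ins, not real operators.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed stand-ins for the cone owner and the transit providers that
# legitimately sit next to it in an AS path.
CONE_OWNER = 64500
ALLOWED_UPSTREAMS: Set[int] = {64501, 64502}

# Monitored prefixes of the customer cone -> ASN expected to originate each.
CONE_PREFIXES: Dict[str, int] = {
    "198.51.100.0/24": 64510,
    "203.0.113.0/24": 64511,
    "2001:db8:10::/48": 64510,
}


@dataclass
class Announcement:
    """One BGP route as seen from a route collector (constructed input)."""
    prefix: str
    as_path: List[int]  # leftmost = collector peer, rightmost = origin AS


def _dedupe_prepends(path: List[int]) -> List[int]:
    """Collapse AS-path prepending (64500 64500 64500) so neighbours are adjacent."""
    return [asn for i, asn in enumerate(path) if i == 0 or path[i - 1] != asn]


def _covering_prefix(net) -> Optional[str]:
    """Return the most specific monitored prefix that covers net, if any."""
    best: Optional[str] = None
    for mon in CONE_PREFIXES:
        mon_net = ipaddress.ip_network(mon)
        if mon_net.version != net.version:
            continue  # subnet_of() raises on mixed IPv4/IPv6, so skip those
        if net.subnet_of(mon_net):
            if best is None or mon_net.prefixlen > ipaddress.ip_network(best).prefixlen:
                best = mon
    return best


def check_announcement(ann: Announcement) -> List[str]:
    """Return finding tags for one announcement (empty list = looks normal)."""
    findings: List[str] = []
    net = ipaddress.ip_network(ann.prefix, strict=False)
    covering = _covering_prefix(net)
    if covering is None:
        return findings  # not part of the cone we monitor

    path = _dedupe_prepends(ann.as_path)
    origin = path[-1]
    if origin != CONE_PREFIXES[covering]:
        findings.append(f"origin-mismatch:{origin}")
    if net.prefixlen > ipaddress.ip_network(covering).prefixlen:
        findings.append("more-specific")  # sub-prefix wins longest-match routing

    if CONE_OWNER in path:
        idx = path.index(CONE_OWNER)
        # The AS immediately left of the owner is whoever re-announced its cone.
        if idx > 0 and path[idx - 1] not in ALLOWED_UPSTREAMS:
            findings.append(f"unexpected-upstream:{path[idx - 1]}")
    else:
        findings.append("owner-not-in-path")
    return findings


def leak_report(anns: List[Announcement]) -> Dict[int, Set[str]]:
    """Map each unexpected upstream AS to the cone prefixes seen through it.

    One AS suddenly carrying thousands of a cone's routes, as in the incident
    the comment describes, shows up here as a single key with a large set.
    """
    report: Dict[int, Set[str]] = {}
    for ann in anns:
        for tag in check_announcement(ann):
            if tag.startswith("unexpected-upstream:"):
                leaker = int(tag.split(":", 1)[1])
                report.setdefault(leaker, set()).add(ann.prefix)
    return report


# Constructed sample updates: a normal route (with prepending), a route leaked
# via a third AS, a more-specific hijack with a foreign origin, and an
# unrelated prefix that should be ignored.
SAMPLE_UPDATES = [
    Announcement("198.51.100.0/24", [64496, 64501, 64500, 64500, 64510]),
    Announcement("203.0.113.0/24", [64496, 64503, 64500, 64511]),
    Announcement("198.51.100.0/25", [64496, 64503, 64503]),
    Announcement("192.0.2.0/24", [64496, 64503, 64509]),
]

if __name__ == "__main__":
    for upd in SAMPLE_UPDATES:
        print(upd.prefix, upd.as_path, check_announcement(upd) or "ok")
    print("leak report:", leak_report(SAMPLE_UPDATES))
```

Fed from a route-collector feed instead of the constructed list, the same two functions give a running count of cone prefixes appearing behind an AS that has no business re-announcing them.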
  48. Tomi Engdahl says:

    BrowserStack HACK ATTACK: Service still suspended after rogue email
    Admits breach, but only within email address list
    http://www.theregister.co.uk/2014/11/10/browserstack_hack_attack_service_still_suspended_after_rogue_email/

    Browser testing service BrowserStack has temporarily suspended its services while it recovers from a “hack attack” by someone apparently bent on discrediting the security of the widely used tool.

    “We did get hacked. Currently sanitising entire BrowserStack, so service will be down for a while. We’re on top of it and will keep you posted,”

    The admission came hours after developers who used the service received a weird email from BrowserStack suggesting that the service is shutting down.

    “We will post a post-mortem of the attack. Currently efforts are focused on getting the service back on track, and protecting user interests,”

    Reply
  49. Tomi Engdahl says:

    Boffin imagines WiFi-defined no-shoot zones for wireless weapons
    Is that an Internet of Things in your pocket, or are you just glad to see me?
    http://www.theregister.co.uk/2014/11/10/boffins_imagine_wifienforceable_noshoot_zones/

    What if, instead of trying to control the sale of guns – a political impossibility in America – weapon use were enforced by a complex combination of electronics, WiFi communications and policy enforcement?

    That’s what researchers from the University of Delaware are proposing, asking in essence whether technology offers a way to hack around the Second Amendment. In this paper at Arxiv, Marcos Portnoi and Chien-Chung Shen of the university’s Department of Computer and Information Science propose a combination of wireless security and encrypted broadcast to enforce gun safety.

    Wireless-Delimited Secure Zones with Encrypted Attribute-Based Broadcast for Safe Firearms draws on the idea that if computers are now reliable enough for cars, medicine and fly-by-wire aircraft, they are probably reliable enough to provide a framework to cut down mass shootings.

    The idea isn’t brand-new, as the authors note. Their addition to the research is to propose what they call a “context-aware system in the firearm” that can draw on information from sensors in the environment to make safety decisions.

    Reply
