Security trends for 2014

Year 2014 will be a year of cybersecurity after the NSA revelations made in 2013: the headline news is that the NSA has surreptitiously “burrowed its way into nearly all the security architecture” sold by the world’s largest computer networking companies. A lot of people were shocked at how the NSA monitored and hacked almost everything on the Internet. There will still be NSA aftershocks as new material comes out and different parties react to it (and news sources write about it). U.S. cloud services have been put into question for good reason. There will be a lot of NSA spying litigation. Those spying issues will also fuel some hacktivism (it has already started to happen).

The Security Professionals: Top Cyber Threat Predictions for 2014 article lists the following predictions, which seem pretty probable: Cybersecurity Regulatory Efforts Will Spark Greater Need for Harmonization; Service-Impacting Interruptions for Online Services Will Persist; We Will See an Increase in Cybercrime Activity Related to the World Cup; Rise of Regional Cloud Services; Dev-Ops Security Integration Fast Becoming Critical; Cybercrime that Leverages Unsupported Software Will Increase; Increase in Social Engineering and Ransomware Will Impact More People.

Ubiquitous mobile computing is all around us, which will lead to increased risks and concerns about social network privacy. Social networks have quickly become the key organizing principle of Internet communication and collaboration. Android anti-virus apps CAN’T kill nasties on sight like normal AV.

2013 was a very hacked year, with many cases where information on millions or tens of millions of users was stolen from companies. It’s likely that we will see much more of the same in 2014: the way people use passwords and the way on-line services are built have not changed much in one year.


Gartner predicts that through 2014, improved JavaScript performance will begin to push HTML5 and the browser as a mainstream enterprise application development environment. I expect HTML5-related security issues to increase as the technology is used more in 2014.

Over 50% of net traffic to web sites is made by bots! The More Than Half of Internet Traffic Is Just Bots article says that security and cloud service provider Incapsula analyzed traffic and found that more than 60 percent of internet traffic is computer generated, compared to less than 40 percent driven by human clicks. 31% of bots are still malicious. SEO link building has always been a major motivation for automated link spamming, but it is decreasing because Google was able to discourage it. There is more advanced hacking and automatic vulnerability searching.

DDoS attacks are evolving from volumetric Layer 3-4 attacks to much more sophisticated and dangerous Layer 7 multi-vector threats.

There will still be many SCADA security issues in 2014. Even though traditional SCADA vulnerabilities have become easier to find, the increased connectivity brought by IoT will cause new issues. And there will still be very many control systems openly accessible from the Internet to practically everybody who knows how to find them. A large number of SCADA systems were found open on the Internet in the beginning of 2013, and the numbers have not dropped considerably during the year. I expect that very many of those systems will still be too open at the end of 2014.

The Internet is expanding into enterprise assets and consumer items such as cars and televisions. The Internet of Things (IoT) will evolve into the Web of Things, increasing the coordination between things in the real world and their counterparts on the Web. There will be many security issues to solve, and as these systems become more widely used, more security issues will be found in them.

Cloud security will be talked about. Hopefully there will be some clearing-up of the terminology in that area, because cloud security can mean a lot of things, just like the term cloud computing. Cloud security could mean how secure your cloud provider is; a service running in the cloud that filters what comes through it (for example e-mails or web traffic); a product protecting some service running in the cloud; or a traditional anti-virus service that connects to the cloud to improve its operation (for example to update in real time or to verify unknown programs based on data in the cloud). Research firm Gartner forecasts that cloud security sales will increase dramatically in the next few years: cloud security sales have grown over the past year by 2.1 billion, reaching a forecast $3.1 billion in 2015.

Marketers try to put the term “cloud” into security product brochures as much as they can. The cloud makes traditional information security sound old-fashioned, because companies are under pressure to move services to the cloud. Mobile devices and dispersed users also set new standards for information security. OpenDNS’s CTO Dan Hubbard says that “Because the data and equipment run in the cloud, the cloud is the best way to protect users.” The Snowden effect will also bring PRIVATE cloud talk to the table this year for security reasons, because U.S. cloud services have been put into question for good reason.

In Finland a new Cyber Security Center started in the beginning of 2014. Security articles and warnings from it will be published at kyberturvallisuuskeskus.fi.

Late addition: Crypto-currencies like Bitcoin and similar are on the rise. Early adopters already use them actively. Those crypto-currencies have many security issues related to them. The values of the crypto-currencies vary quite a lot, and the value easily drops considerably when they get so widely used that different governments try to limit their use. Bitcoin is increasingly used as a ransomware payment method. Bitcoins have been stolen quite a lot lately (and I expect that to increase as usage increases); they are stolen from users, from on-line wallets and from exchanges. When more money is involved, more bad guys try to get in to take some of it. Sometimes bad guys do not try to steal your money, but use resources you pay for (your own PC, your server capacity, etc.) to generate money for them without you knowing about it. If you plan to use those crypto-currencies, be careful to understand what you are doing with them: there is a real possibility that you can lose your money, and there is no way that lost money can be recovered.

3,382 Comments

  1. Tomi Engdahl says:

    Managing BYOD starts with asset management
    I think therefore ITAM
    http://www.theregister.co.uk/2014/11/10/managing_byod_starts_with_asset_management/

    The prevalence of BYOD (bring your own device) activity across the enterprise landscape has seen every IT vendor worth its salt try to offer a solution to the problem of keeping employees’ mobile devices under control.

    There are several worthy options, such as CYOD (choose your own device) and managed virtualised desktop solutions, but the best medicine for BYOD might just be right under your nose.

    The IT manager tearing his or her hair out wondering when there might be time to implement a BYOD platform is looking at a complex matrix of different device management, system management and, crucially, asset management panes of glass

    The IT sub-discipline of asset management is affectionately known as ITAM. In terms of form and function, ITAM is generally defined as a collection of business practices designed to optimise expenditure on IT-related purchases, management and redistribution, based on an agreed inventory process.

    Martin Thompson, asset management analyst and owner of The ITAM Review, thinks software and application monitoring are must-haves for any MDM solution.

    “Within asset management tools, the IT department has visibility on when, how long and how many times an application on a mobile device has been used,”

    “This type of control is aimed at smartphones and tablets and should be viewed just as you would view the data usage for software installed on a machine.”

    But the “ITAM for BYOD control” argument needs to go further than simply counting the number, type and form factor of devices – and further too than being able to describe what user has what device with what application.

    The next stage is a layer of identity so that we know what data is being accessed and exchanged with the corporate data centre at any moment.

    Looking back at our installed base of BYOD devices with an ITAM-focused eye, we must first decide whether we will host the MDM software layer on the company network or buy it in as a cloud software service.

    After conducting an audit of all our devices’ lock and wipe capabilities, we then decide how to push out the MDM controls to the devices.

    Samsung comes into this technology space with its Knox container offering. This is a virtual Android environment within the mobile device so that the container has its own home screen, launcher, apps and widgets.

    Applications (and their data) inside the container are isolated from applications outside the container. This isolation means the Knox container can be used as a secure enterprise workspace, while everything outside the container represents the user’s personal space.

    Part of the company’s Samsung Approved For Enterprise (SAFE) programme, Knox (named after the fort if you hadn’t guessed) addresses the security issues faced by enterprises deploying BYOD by providing a “dual-persona environment” which isolates enterprise apps and data from personal apps and data.

    According to Simon Townsend, chief technologist for workspace management vendor AppSense, ITAM can help overcome some of the challenges presented by BYOD but it is no silver bullet.

    “Any device, any operating system and any application that can interact with enterprise systems needs to be monitored”

    “All users really want is access to their apps and data on whichever device they choose, wherever. The challenge for IT is to meet those needs while still meeting the compliance and security needs of the organisation,”

    Convergence looms

    Is there a danger of moving too close to a containerised approach and forgetting our initial ITAM mantra?

    It is true that containerisation helps IT to manage and audit the security and other requirements of a heterogeneous enterprise mobile landscape.

    But enterprise mobility has entered a new phase, driven by the combination of advanced mobile devices, improved wireless connectivity and increased adoption of cloud-based services. We therefore need some way of bringing several new worlds together – and quite how we do this is not yet clear.

    Reply
  2. Tomi Engdahl says:

    NHS XP patch scratch leaves patient records wide open to HACKERS
    Trusts fail to sign up to extended Windows XP support
    http://www.theregister.co.uk/2014/11/10/thousands_of_patient_records_at_risk_from_hackers/

    Thousands of patient records could be left exposed to hackers, as up to 20 NHS trusts have failed to put an agreement in place with Microsoft to extend security support for Windows XP via a patch, The Register can reveal.

    The majority of trusts still operate Windows XP and have signed up to a £5.5m Cabinet Office agreement with Microsoft to extend support until April 2015. But 18 trusts – including some larger authorities – have failed to sign the agreement, according to 140 Freedom of Information requests responses sent to The Register.

    Some trusts in England have more than 4,500 machines running Windows XP, with no security patches in place to provide protection, the FOI responses revealed.

    A total of 1.1 million PCs and laptops are estimated to be running Windows at trusts, GPs and other health groups that comprise the NHS in England.

    But there are growing concerns that even trusts with extended Windows XP security support in place could be left vulnerable after May 2015, as they have not yet put a Windows 7 migration strategy in place.

    Reply
  3. Tomi Engdahl says:

    Ireland’s data cops: Yes, we probed LinkedIn. Don’t ask what we found
    Was career-climbers’ website naughty? Did it get a slap? NOBODY knows
    http://www.theregister.co.uk/2014/11/05/linkedin_probe_ireland_data_cops_keep_stumm_over_outcome/

    Ireland’s data protection authorities will not publish the results of an audit they carried out on digital CV site LinkedIn.

    Ciara O’Sullivan, spokeswoman for the Irish Data Protection Commissioner, said that the watchdog “owes a duty of confidentiality to organisations it investigates”.

    She added that it was up to the organisation itself to decide whether or not to make the content of the audit public.

    The Facebook-for-career-climbers confirmed that it had received a number of recommendations from Ireland’s data protection watchdog and said it had worked closely with the IDPC “to ensure thoroughness”.

    Reply
  4. Tomi Engdahl says:

    Thoughts and Concerns about Operation Onymous
    https://blog.torproject.org/blog/thoughts-and-concerns-about-operation-onymous

    Recently it was announced that a coalition of government agencies took control of many Tor hidden services. We were as surprised as most of you.

    Over the last few days, we received and read reports saying that several Tor relays were seized by government officials. We do not know why the systems were seized, nor do we know anything about the methods of investigation which were used.

    But, more to the point, the recent publications call the targeted hidden services seizures “Operation Onymous” and they say it was coordinated by Europol and other government entities.

    Tor is most interested in understanding how these services were located, and if this indicates a security weakness in Tor hidden services that could be exploited by criminals or secret police repressing dissidents. We are also interested in learning why the authorities seized Tor relays even though their operation was targeting hidden services. Were these two events related?

    So we are left asking “How did they locate the hidden services?”. We don’t know.

    Tor could learn if there are security flaws in hidden services or other critical internet-facing services

    Unfortunately, the authorities did not specify how they managed to locate the hidden services. Here are some plausible scenarios:
    Operational Security
    SQL injections
    Bitcoin deanonymization
    Attacks on the Tor network

    Advice to concerned hidden service operators

    As you can see, we still don’t know what happened, and it’s hard to give concrete suggestions blindly.

    If you are a concerned hidden service operator, we suggest you read the cited resources to get a better understanding of the security that hidden services can offer and of the limitations of the current system.

    “By configuring the EntryNodes option in Tor’s configuration file you can select a relay in the Tor network you trust.”

    Reply
  5. Tomi Engdahl says:

    Start-up entrepreneur – do you forget security?

    Only a few start-up firms are able to take care of data security. A new, convenient solution is security scanning sold as a cloud service.

    David Coallier, founder of the American company Barricade, told the stark story of a young start-up company. It developed its product for six years. One day, the internet-based service suffered a distributed denial of service attack. While the company pondered how to survive the situation, the attacker slipped in through the back door of the system.

    The next day, the ransom demand arrived. The demand was not even taken seriously, because all the data had been backed up in the cloud. On the third day the unpaid attacker destroyed the firm’s data. Happily Ever After.

    “Almost no one at startups seems to care about security, even if it would be worth it.”

    “Security could very well be one of the distinguishing characteristics between start-ups. Customers are interested in security, and when they ask how it is taken care of, it is good to have an answer.”

    Half of the attackers strike simply because they have been given the opportunity. The size of the target does not matter.

    Source: http://summa.talentum.fi/article/tv/10-2014/107239

    Reply
  6. Tomi Engdahl says:

    The computer virus is born, November 10, 1983
    http://www.edn.com/electronics-blogs/edn-moments/4437117/The-computer-virus-is-born–November-10–1983?_mc=NL_EDN_EDT_EDN_today_20141110&cid=NL_EDN_EDT_EDN_today_20141110&elq=34627a68dbef4c9fada862a68fb6d78d&elqCampaignId=20109

    At a security seminar in 1983, Fred Cohen, a USC graduate student, demonstrated a short program that infected a computer, replicated, and spread to other computers. The way it infected the system was compared to a virus and the term “computer virus” was born.

    Cohen inserted code into a Unix command which allowed him to gain control of a mainframe computer system in just five minutes. The code was hidden in a legitimate program on a floppy disk.

    His academic adviser, Leonard Adleman, pointed out that the self-replicating code worked like a virus, coining the term. Adleman is also known for being a co-inventor of the RSA (the A is for Adleman) cryptosystem, often used in security systems.

    Reply
  7. Tomi Engdahl says:

    To Foil Cyberattacks, Connected Cars Need Overlapping Shields – IEEE Spectrum
    http://spectrum.ieee.org/cars-that-think/transportation/self-driving/connected-cars-make-juicy-cybertargets

    The electronic systems of a smart car present many weak points to would-be intruders, and the problem will get worse as cars start sharing information with each other and with the roads they drive on, argue two experts in automated automobiles. They recommend far more layers of cyberprotection than manufacturers have thought necessary.

    Some of this skulduggery is already possible:

    GPS jamming is cheap to perform (around US $20), and some more expensive GPS jammers go even beyond jamming and perform GPS spoofing (medium threat in our system), where they replicate signals and provide false locations. A professional car thief can continue about his/her business of stealing by using a combined GPS/GSM jammer to block the car’s antitheft system from knowing and reporting where the vehicle is.

    After analyzing the various means of attack for factors such as the ease of use and the seriousness of consequences, the researchers conclude that the biggest threat to a lone smart car is interference with its global navigation satellite system. “Hence, secure GNSS signal is mandatory,” they say.

    Reply
  8. Tomi Engdahl says:

    Aruba’s 802.11ac wireless LAN products certified by NSA for use in federal agencies
    http://www.cablinginstall.com/articles/2014/10/aruba-ac-nsa-certified.html?cmpid=EnlCIMNovember102014

    Aruba Networks (NASDAQ: ARUN) announced that its 802.11ac wireless LAN (WLAN) products are the first to receive FIPS 140-2 certification and the first to be validated under the Common Criteria Wireless LAN Access System Protection Profile. As a result, Aruba now has a fully compliant listing in the “WLAN Access System” category on the United States National Security Agency/Central Security Service’s (NSA’s) Commercial Solutions for Classified Program Components List.

    The Aruba solutions receiving certification include the AP-224 and AP-225 802.11ac access points (APs), featuring Aruba’s patented ClientMatch technology, which matches mobile devices to the best possible access point each time they connect, and the company’s 7200 Series Mobility Controllers. With the new validations, Aruba notes that government agencies in the U.S. and other countries can now take advantage of the faster speeds, improved performance and enhanced security that 802.11ac delivers for both classified and unclassified networks.

    Reply
  9. Tomi Engdahl says:

    Mobile Surveillance Systems: Leveraging the Traditional for the Design of the Future
    http://intelligentsystemssource.com/mobile-surveillance-systems-leveraging-the-traditional-for-the-design-of-the-future/

    The demand for ruggedness, small size, secure mass storage, sensors, displays, low power and high connectivity in today’s mobile surveillance systems continues to grow. Only by using the latest compact, powerful components and subsystems can these growing demands be met.

    Reply
  10. Tomi Engdahl says:

    Is Open Source Wireless Connectivity Worth the Security Risk?
    http://intelligentsystemssource.com/is-open-source-wireless-connectivity-worth-the-security-risk/

    The Heartbleed security breach, based on OpenSSL, raises the spectre of attacks across a range of wirelessly connected embedded devices. Rigorous software development processes are critical for protecting wirelessly connected devices in the Internet of Things.

    Open Secure Sockets Layer (OpenSSL) is widely used to provide network security in many different kinds of computing systems, including wirelessly connected embedded systems in the emerging Internet of Things. OpenSSL is also the open source security library that allowed the widely publicized security breach called Heartbleed. While there are advantages to open source libraries such as OpenSSL, there are clearly risks as well, many of which stem from the development process itself. The main process used for development of OpenSSL is simple. First a programmer develops code, then a reviewer checks the code, and finally the code is released.

    In retrospect, Heartbleed seems to be more of a warning tremor than a full earthquake. It showed the potential scope and depth of harm, but the consequences of this particular fault were relatively mild. Continuing to follow the same path, however, will undoubtedly lead to similar problems, and the ubiquity of the software is in itself a weakness, which can be exploited by those who choose to do harm.

    Better Software Development Methods Needed

    If the methods of development used by OpenSSL were demonstrably the state-of-the-art in robust software development, then there would not be much to debate. However security problems such as Heartbleed, Apple’s “goto fail” and GnuTLS have been caused by defects in software, not necessarily in the protocols or design. Across various industries there are well-established methods for developing high-quality software. The aerospace, industrial, medical and transport industries use software processes based on the “V” model development defined by IEC 61508, and the data shows that not only does it reduce defects significantly, but in many cases it also reduces the cost of software management over its lifecycle.

    How would use of such methods have helped in the OpenSSL Heartbleed bug case? Let’s look at some specific development approaches that can help address security specifically.

    “V” Model Development

    In the Heartbleed situation, the information available states that the software failed to check the scope of a protocol variable and then processed it blindly. Standard V model development would include unit testing and boundary case analysis/testing that would have instantly alerted developers to the issue

    It would be impractical from either a cost or resource point of view to propose that full V model development be used for all software, and it is not the intention of this article to state that open-source methodologies are “bad.”

    Verification of Software Components

    When a company wants to use any piece of equipment in a highly sensitive application area, you would expect the manufacturer of that equipment to verify that all components used reach the required level of quality. It is unclear how this occurs in companies managing large amounts of potentially sensitive customer data. This always happens in a manufacturing process where they check the supplier history, the strength of components, ISO9001 compliance, etc., but strangely not for security.

    The Problem with “Free” Software and Security

    If we accept that mistakes will always be made and systems will tend to become more complex, then continuing as things are now will probably result in further problems. Commercial devaluation of software does not help this process. The idea that software can be created and obtained for free is a bizarre concept for commercial companies to believe in. It also appears to focus only on the initial capital cost of software and not the ongoing maintenance costs. If the lifetime cost of development and maintenance of “free” software was truly accounted for, it would probably raise some corporate eyebrows.

    It could also be quite difficult for any company involved in a “Toyota style” legal case where the consequences of software errors were much worse than compromised data. Imagine a defect, caused by a mistake by a hobby programmer in Australia and reviewed by a programmer working in his spare time in Argentina, which resulted in injury or loss of life.

    The argument that software is open and therefore everyone will fix everything is clearly not sustainable anymore—the Heartbleed bug existed for two years before someone realized the problem. This would not be acceptable in any safety-critical or secure environment. There are several different issues.

    Moving to Secure Embedded Software Components

    The commercial market for standard software components has been damaged by free software from many sources. How this affects professional companies who need good quality code and support is not obvious. It seems that developers lose the benefits of scale that using specialist providers brings.

    Reply
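As an added illustration of the missing length check the quoted article describes (example code, not OpenSSL's and not the article's), the parser below treats the sender-declared payload length as untrusted and rejects any record where it does not fit inside the bytes actually received, and a boundary-case harness of the kind the article's V-model unit testing would include exercises the exact-fit and one-byte-over cases. The record layout follows RFC 6520 (type, two-byte length, payload, at least 16 bytes of padding); the function names and limits are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed example: a record laid out like an RFC 6520 heartbeat message:
 * type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding
 * (at least 16 bytes). Names and limits are assumptions, not OpenSSL's. */
#define HB_HEADER_LEN   3
#define HB_MIN_PADDING  16
#define HB_MAX_PAYLOAD  16384

typedef struct {
    uint8_t        type;
    uint16_t       payload_len;   /* validated length, not the raw field   */
    const uint8_t *payload;       /* points into the received record       */
} heartbeat_t;

/* Parse one received record of rec_len bytes.
 * Returns 0 on success, -1 if the record is malformed.
 * The declared payload_length is attacker-controlled input: it must fit
 * inside the bytes actually received, together with the mandatory padding.
 * Omitting this comparison is the Heartbleed-class defect. */
int parse_heartbeat(const uint8_t *rec, size_t rec_len, heartbeat_t *out)
{
    if (rec == NULL || out == NULL || rec_len < HB_HEADER_LEN)
        return -1;
    uint16_t declared = (uint16_t)((rec[1] << 8) | rec[2]);
    if (declared > HB_MAX_PAYLOAD)
        return -1;
    /* size_t arithmetic on small operands: no overflow possible here */
    if ((size_t)HB_HEADER_LEN + declared + HB_MIN_PADDING > rec_len)
        return -1;
    out->type        = rec[0];
    out->payload_len = declared;
    out->payload     = rec + HB_HEADER_LEN;
    return 0;
}

/* Echo only the validated payload back. Returns bytes written, or 0 if resp
 * is too small. Because payload_len came from parse_heartbeat, the memcpy
 * can never read beyond the received record. */
size_t build_heartbeat_response(const heartbeat_t *hb, uint8_t *resp, size_t resp_cap)
{
    size_t need = (size_t)HB_HEADER_LEN + hb->payload_len + HB_MIN_PADDING;
    if (resp_cap < need)
        return 0;
    resp[0] = 2;                                   /* heartbeat_response */
    resp[1] = (uint8_t)(hb->payload_len >> 8);
    resp[2] = (uint8_t)(hb->payload_len & 0xff);
    memcpy(resp + HB_HEADER_LEN, hb->payload, hb->payload_len);
    memset(resp + HB_HEADER_LEN + hb->payload_len, 0, HB_MIN_PADDING);
    return need;
}

/* Boundary-case harness: build a record that really carries `actual`
 * payload bytes plus minimum padding, but stamp `declared` into the length
 * field, and report the parser's verdict (0 accept, -1 reject). */
int heartbeat_boundary_case(uint16_t declared, size_t actual)
{
    uint8_t rec[256];
    if (actual + HB_HEADER_LEN + HB_MIN_PADDING > sizeof rec)
        return -2;                                 /* harness limit */
    size_t rec_len = HB_HEADER_LEN + actual + HB_MIN_PADDING;
    memset(rec, 0x41, rec_len);                    /* constructed payload bytes */
    rec[0] = 1;                                    /* heartbeat_request */
    rec[1] = (uint8_t)(declared >> 8);
    rec[2] = (uint8_t)(declared & 0xff);
    heartbeat_t hb;
    return parse_heartbeat(rec, rec_len, &hb);
}

int main(void)
{
    printf("exact fit       : %d\n", heartbeat_boundary_case(32, 32));
    printf("one byte over   : %d\n", heartbeat_boundary_case(33, 32));
    printf("zero length     : %d\n", heartbeat_boundary_case(0, 0));
    printf("claims 64K of 4 : %d\n", heartbeat_boundary_case(0xffff, 4));
    return 0;
}
```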
  11. Tomi Engdahl says:

    Mozilla Updates Firefox With Forget Button, DuckDuckGo Search, and Ads
    http://news.slashdot.org/story/14/11/11/0412210/mozilla-updates-firefox-with-forget-button-duckduckgo-search-and-ads

    company is launching a new Forget button in Firefox to help keep your browsing history private, adding DuckDuckGo as a search option

    Reply
  12. Tomi Engdahl says:

    EMET 5.0 crashes Patch Tuesday party
    Patch this and this and this and this
    http://www.theregister.co.uk/2014/11/11/emet_version_5_1_released/

    Microsoft has issued a new version of its Enhanced Migration Toolkit (EMET) to address a variety of compatibility issues in the system-hardening environment.

    Version 5.1 fixed compatibility and Export Address Table Filtering Plus (EAF+) issues with security updates for 64-bit Internet Explorer version 11, Adobe Reader, Adobe Flash, and Mozilla Firefox on Windows 7 and 8.1

    There were also user reports that it was causing security conflicts with older versions of Skype, which have now been fixed.

    Users could simply disable EAF+ on EMET 5.0, but only at the expense of security, Microsoft staffer ‘swait’ wrote in a post.

    A local telemetry feature was included that allowed memory dumps to be saved when attacks were blocked, they said.

    Reply
  13. Tomi Engdahl says:

    US Postal Service Hacked, 500k+ Employees and Public Data Breached
    http://news.slashdot.org/story/14/11/10/2027220/us-postal-service-hacked-500k-employees-and-public-data-breached

    “The U.S. Postal Service has admitted that it has suffered a massive security breach, with the disclosure to hackers of the personal details of over 500,000 USPS workers, along with details supplied by members of the public when contacting Postal Service call centers between January and mid-August of 2014.”

    U.S. Postal Service data breach may compromise staff, customer details
    http://www.reuters.com/article/2014/11/10/us-cybersecurity-usps-idUSKCN0IU1P420141110

    The U.S. Postal Service was the victim of a cyber attack that may have compromised the personal information of more than 800,000 employees, as well as data on customers who contacted its call center during the first eight months of this year.

    Employee data may include names, dates of birth, Social Security numbers, addresses, beginning and end dates of employment and emergency contact information, the Postal Service said on Monday.

    “The intrusion is limited in scope and all operations of the Postal Service are functioning normally,” USPS spokesman David Partenheimer said in a statement.

    Cyber attacks on retail outlets, such as Home Depot Inc (HD.N) and Target Corp (TGT.N), have been much larger, affecting tens of millions of customers.

    Reply
  14. Tomi Engdahl says:

    U.S. Postal Service falls to hackers despite ‘relentless weapon’ of security
    http://thestack.com/us-postal-service-hacked-ciso-101114

    The U.S. Postal Service today reported that it has been the victim of a data breach which has potentially disclosed personal information not only about 500,000 USPS personnel, but also regarding customers who dealt with its call centre between January and August of 2014.

    The details said to have been compromised are not believed to have included credit card or other financial critical information

    The USPS has previously vaunted its invulnerability to cyber-attacks because of its use of the ‘relentless weapon’, the Corporate Information Security Office (CISO).

    According to the informational page about the Postal Service’s cyber-security, there were over 257 billion unauthorised attempts to access the USPS network, 66,734 attempts to distribute credit-card information, 1,278 attempts to reveal USPS-ordained credit-card transactions and 345,342 attempts to distribute social security numbers.

    Reply
  15. Tomi Engdahl says:

    German Spy Agency Seeks Millions To Monitor Social Networks
    http://tech.slashdot.org/story/14/11/11/0214205/german-spy-agency-seeks-millions-to-monitor-social-networks

    Germany’s foreign intelligence agency reportedly wants to spend €300 million (about $375 million) in the next five years on technology that would let it spy in real time on social networks outside of Germany, and decrypt and monitor encrypted Internet traffic.

    German spy agency seeks millions to monitor social networks outside Germany
    http://www.itworld.com/article/2845603/german-spy-agency-seeks-millions-to-monitor-social-networks-outside-germany.html

    The prototype real time social media monitor will only look at publicly available data though, according to the plans

    A German government spokesman confirmed the existence of the SIT program on Monday and said that its main goal is to build an early warning system for cyber attacks. He declined however to give further details about either the program or its budget.

    Reply
  16. Tomi Engdahl says:

    Book Review: Countdown To Zero Day
    http://books.slashdot.org/story/14/11/10/135226/book-review-countdown-to-zero-day

    A word to describe the book Takedown: The Pursuit and Capture of America’s Most Wanted Computer Outlaw was hyperbole. While the general storyline from the 1996 book was accurate, filler was written that created the legend of Kevin Mitnick.

    Much has changed in nearly 20 years, and Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon has certainly upped the ante for accurate computer security journalism.

    For those that want to know the basics about Stuxnet, its Wikipedia entry will suffice. The book takes a detailed look at how the Stuxnet worm of 2010 came to be, how it was written, discovered and deciphered, and what it means for the future, and provides nearly everything known to date about Stuxnet.

    While a good part of the book details the research Symantec, Kaspersky Lab and others did to debug Stuxnet, the book doesn’t have any software code, which makes it readable for the non-programmer.

    Creating Stuxnet was a huge challenge that took scores of programmers from a nation state many months to create. Writing a highly readable and engrossing book about the obscure software vulnerabilities that it exploited was also a challenge, albeit one that few authors could do efficaciously. In Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon, Kim Zetter has written one of the best computer security narratives; a book you will likely find quite hard to put down.

    Reply
  17. Tomi Engdahl says:

    Controversial anonabox is back, raises $14,000 on Indiegogo in 2 days
    http://www.dailydot.com/politics/anonabox-indiegogo-relaunch/

    Just under a month after Kickstarter suspended the privacy-centric anonabox for misleading its customers, the controversial router is now on Indiegogo for another go—and it’s already raised almost $14,000.

    One anonabox costs $51, with estimated delivery in Feb. 2015

    Reply
  18. Tomi Engdahl says:

    Microsoft posts critical patch for huge Windows vulnerability that affects all modern machines
    http://thenextweb.com/microsoft/2014/11/11/microsoft-posts-critical-patch-huge-server-vulnerability/

    Remember Heartbleed? You know, the exploit in SSL that was so bad it got its own brand? Microsoft may have an issue of similar scale on its hands with a critical patch issued via Windows Update today.

    The patch in question is MS14-066, or otherwise known as the cryptically named “Vulnerability in Schannel Could Allow Remote Code Execution,” which affects Windows Server 2003/2008/2012, Vista, 7, 8, 8.1 and Windows RT.

    Microsoft gives few details about the exploit, other than saying that the bug would “allow remote code execution if an attacker sends specially crafted packets to a Windows server.”

    This is particularly bad as the hole itself is in the Schannel library, which is the layer that handles encryption and authentication in Windows, particularly for HTTP applications.

    In other words, if an attacker modified packets in a particular way and attacked your machine, they may be able to execute whatever code they like remotely without an authorized account. The attack appears to only affect those running a server on affected platforms.

    The bad news? It affects everything running a modern version of Windows, meaning businesses will need to patch a lot of machines as soon as possible.

    Reply
  19. Tomi Engdahl says:

    If it is software, it can be hacked

    Infineon's Reinhard Ploss began by stating that the IoT requires a secure channel. – This is about my own data. Who manages it? It is absolutely essential to the security operation.

    According to Ploss, the user cannot install security into IoT devices themselves; that is what the electronics firms do. – Keep in mind that security should be maintained even when the internet is not available, Ploss said.

    NXP's Rick Clemmer gave a blunt reminder about security. – If you implement data security in software, it is always possible to hack. Hardware-based security is the only possible way to go.

    An important issue in the IoT's case is who owns the data. Infineon's Ploss believes that the end user gets to choose what data they share. – Sensor networks produce a large amount of data that most people do not give a damn about. It is at the user's discretion whether to share their data and receive a service in return.

    Source: http://etn.fi/index.php?option=com_content&view=article&id=2061:jos-se-on-softaa-se-voidaan-hakkeroida&catid=13&Itemid=101

    Reply
  20. Tomi Engdahl says:

    Drive-by ‘unicorn’ 0day beats EMET, burns Windows from 95 to now
    Researcher explains why 19 year old Windows bug is especially nasty
    http://www.theregister.co.uk/2014/11/12/driveby_unicorn_0day_beats_emet_affects_all_windows_versions/

    Researcher Robert Freeman has identified an 18 year-old critical remotely-exploitable hole affecting all versions back to Windows 95.

    The vulnerability (CVE-2014-6332) rated a critical score of 9.3 in all versions of Windows and was described as a rare “unicorn-like” bug in Internet Explorer-dependent code that opens avenues for man in the middle attacks.

    The bug bypasses Redmond’s lauded Enhanced Mitigation Experience Toolkit along with Enhanced Protected Mode sandbox in the flagship browser and was patched today some six months after it was reported, IBM’s Freeman said.

    “In this case, the buggy code is at least 19 years old and has been remotely exploitable for the past 18 years

    “In some respects, this vulnerability has been sitting in plain sight for a long time despite many other bugs being discovered and patched in the same Windows library (OleAut32).”

    “These data manipulation vulnerabilities could lead to substantial exploitation scenarios from the manipulation of data values to remote code execution,”

    A separate critical hole (MS14-066) affecting Microsoft’s Secure Channel (SChannel) that implemented Secure Sockets Layer and Transport Layer Security protocols was also patched.

    Reply
  21. Tomi Engdahl says:

    ‘Tech giants who encrypt comms are unwittingly aiding terrorists’, claims ex-Home Sec Blunkett
    Labour MP is never far away from Fear Agenda script
    http://www.theregister.co.uk/2014/11/09/tech_giants_who_encrypt_comms_are_unwittingly_aiding_terrorists_claims_ex_home_sec_blunkett/

    Former, draconian Home Secretary David Blunkett – who held the post at the time of the 9/11 attacks in the US – has claimed that technology companies that encrypt communications on their networks are helping terrorists to spread fear.

    Reply
  22. Tomi Engdahl says:

    New Windows Security Bug Leaves PCs Open to Hijackings. Get the Fix from Microsoft Now!
    https://www.yahoo.com/tech/new-windows-security-bug-leaves-pcs-open-to-hijackings-102397018454.html

    As reported by Gizmodo, a newly discovered security bug leaves some Microsoft Windows PCs open to remote hijackings, meaning that someone else could take control of your computer and do as they wish with the files on it.

    Exactly which Windows systems are affected? Well, it’s unfortunately a lot.

    According to Microsoft, the “affected software” includes multiple builds of Windows Server (2003 and 2008), Windows Vista, Windows 7, and Windows 8/8.1 (see the full list here).

    The fix: To be safe, we recommend that all PC users run the Windows Update program found inside the Windows Control Panel to make sure all available patches have been downloaded and installed.

    Windows Has a Huge Vulnerabilty, Get the Patch Now
    http://gizmodo.com/your-version-of-windows-has-a-huge-vulnerabilty-get-th-1657517054

    As scary as Heartbleed was this past spring, it looks like virtually every Microsoft Windows user is in for a little deja vu. Microsoft just released a critical patch for a huge server vulnerability—one that affects quite a few current versions of Windows out there.

    Because at least according to Microsoft, this patch is the only way to fend off any rogue third parties trying to make use of the vulnerability.

    Reply
  23. Tomi Engdahl says:

    Met Police anti-terrorism database holds more than 2,000 records relating to journalists
    http://www.pressgazette.co.uk/met-anti-terrorism-database-holds-more-2000-records-relating-journalists

    The Metropolitan Police holds more than 2,000 records relating to journalists and photographers on a confidential anti-extremist database, it has been reported today.

    The records are held by the National Domestic Extremism and Disorder Intelligence Unit, and the figure of 2,000 was released by the Met under the Freedom of Information Act.

    Press Gazette has been told by one well placed source that the Met also holds files on journalists who write about police issues.

    The Met searched the terms “reporter”, “journalist”, “photojournalist” and “photographer” on the database, and said that the combined number of records held – without providing a breakdown – was in excess of 2,000.

    Reply
  24. Tomi Engdahl says:

    Introducing Polaris Privacy Initiative to Accelerate User-focused Privacy Online
    https://blog.mozilla.org/privacy/2014/11/10/introducing-polaris-privacy-initiative-to-accelerate-user-focused-privacy-online/

    At Mozilla, we believe that an individual's privacy on the Internet cannot be treated as optional. Our Privacy Principles guide us with the design of each of our products and services. We’ve introduced features to support our privacy focus across desktop and mobile, including: an add-on platform with Firefox Add-ons like LightBeam, Disconnect, Ghostery and Privacy Badger; the Do Not Track preference; Private and Guest Browsing; high levels of encryption with Firefox Sync; an individual approach to apps permissions; and even a new Forget button. But we recognize we need to do better and do more. We want to give our users the Web experience they want through features that create transparency and control. We want our users to trust us and the Web.

    In October 2014, Harris Poll conducted a global online survey* on behalf of Mozilla of more than 7,000 online adults ages 18-64. Three quarters (74%) of people feel their personal information on the Web is less private today than it was one year ago. That same figure of adults agree that Internet companies know too much about them. We think we can help with this concern.

    Today, we are excited to announce a new strategic initiative at Mozilla called Polaris. Polaris is a privacy initiative built to pull together our own privacy efforts along with other privacy leaders in the industry. Polaris is designed to allow us to collaborate more effectively, more explicitly and more directly to bring more privacy features into our products.

    The second experiment (which is our first in-product Polaris experiment) seeks to understand how we can offer a feature that protects those users that want to be free from invasive tracking without penalizing advertisers and content sites that respect a user’s preferences. We’re currently testing this privacy tool in our “Nightly” channel.

    Tor Partnering with Mozilla
    https://blog.torproject.org/blog/partnering-mozilla

    Reply
  25. Tomi Engdahl says:

    F-Secure’s Hypponen to Yle: Old password instructions do not apply any more – Here’s a new rule of thumb

    According to F-Secure’s Chief Research Officer Mikko Hyppönen, the traditional instructions for making a good password are incorrect.

    - According to those instructions, one should always choose a password that is very long, hard to guess and not a normal word, and the same password should never be used twice, Hyppönen said in an interview with Yle.

    According to Hyppönen, these rules date from a time when people had to remember up to five passwords. Today users can have dozens, even a hundred passwords for different services.

    Hyppönen offered a new rule of thumb for making a good password.

    - Don't use passwords, use pass phrases, Hyppönen said.

    The explanation is that a phrase may be easier to remember than a complex password. In addition, the length of the pass phrase protects against technical cracking.

    Memorability and security are also improved if the sentence is one that comes to mind first when using the web site. For example, for an online bookstore the pass phrase might be “here, I buy all my books.”

    - The important thing is that the services that really are important to you have their own password, Hyppönen said.

    - If it is some web forum or online magazine that forces you to register but isn't really important to you, then the password can even be “password”.

    Services that store money or credit card information you should, according to Hyppönen, of course protect very well.

    Source: http://www.iltasanomat.fi/digi/art-1288767759999.html

    Reply
  26. Tomi Engdahl says:

    Cybersecurity? Nothing to do with us, mate – Google and Facebook
    Industry lobby group begs EU to ditch new cyber law
    http://www.theregister.co.uk/2014/11/12/cybersecurity_nothing_to_do_with_us_mate_google_facebook_yahoo/

    Google, eBay, Facebook, Yahoo! foursquare and Microsoft want nothing to do with the proposed new EU cybersecurity law.

    In an open letter to Europe’s telco ministers last week, CCIA (the Computer & Communications Industry Association) said the proposed Network and Information Security (NIS) Directive should exclude internet enabling services and focus on “truly critical infrastructure”.

    National ministers, the European Commission and MEPs got together for the first time to try to nail down the wording in the proposed Network and Information Security (NIS) Directive last month.

    In the text as it stands, so-called “market operators” are required to notify the authorities about any cybersecurity incidents. However, although it is broadly agreed that critical infrastructure must be included, there is a lot of argument about what should constitute a “market operator”.

    The general consensus, as CCIA points out, is that online banking services would be included along with other financial institutions and it adds basic and essential telecom services are already regulated under the EU’s telecoms rules framework. However that still leaves a lot of room for debate on whether “internet enabling services” should be included.

    CCIA says many of the requirements envisioned by the NIS Directive are already provided for by commercial contracts and service level agreements. However the new law goes beyond normal data breach notification rules and could require the reporting of major “incidents” even if no data is stolen.

    Reply
  27. Tomi Engdahl says:

    Update your Flash player!

    Security updates available for Adobe Flash Player
    http://helpx.adobe.com/security/products/flash-player/apsb14-24.html

    Adobe has released security updates for Adobe Flash Player for Windows, Macintosh and Linux. These updates address vulnerabilities that could potentially allow an attacker to take control of the affected system. Adobe recommends users update their product installations to the latest versions

    Reply
  28. Tomi Engdahl says:

    After Silk Road 2.0 Shutdown, Rival Dark Net Markets Grow Quickly
    http://tech.slashdot.org/story/14/11/12/0532223/after-silk-road-20-shutdown-rival-dark-net-markets-grow-quickly

    A week ago, Silk Road 2.0 was theatrically shut down by a global cadre of law enforcement. This week, the dark net is realigning.

    A new king of the Dark Net emerges after Silk Road 2.0 falls
    http://www.dailydot.com/crime/evolution-biggest-dark-net-market-of-all-time/

    In the wake of the latest police action against online bazaars, the anonymous black market known as Evolution is now the biggest Dark Net market of all time. One week after the fall of Silk Road 2.0, the Dark Net is already beginning to realign.

    Evolution boasts the most diverse set of product listings ever seen on the Dark Net. Drugs, the standard fare in these kinds of markets, account for only half of what’s on sale. In the aisles nearby, counterfeit documents, fraudulent finances, dummy’s guides to cybercrime, hacked media accounts, stolen bank accounts, and more can be purchased without much trouble at all.

    In stark contrast to the ideologically-fueled bazaars like Silk Road that launched the era of Dark Net markets, Evolution has even fewer limitations on buyers and sellers.

    Compare that to the competition. Silk Road 2.0 peaked at around 17,000 products for sale at its height. Evolution is 26 percent bigger than that today.

    Agora, a drug-focused market similar in size and scope to Silk Road, is currently selling 18,800 products, 75 percent of which are illicit substances.

    Reply
  29. Tomi Engdahl says:

    NOAA’s weather system hacked by Chinese, which the agency then covered up, says congressman —

    Chinese hack U.S. weather systems, satellite network
    http://www.washingtonpost.com/local/chinese-hack-us-weather-systems-satellite-network/2014/11/12/bef1206a-68e9-11e4-b053-65cea7903f2e_story.html

    Hackers from China breached the federal weather network recently, forcing cybersecurity teams to seal off data vital to disaster planning, aviation, shipping and scores of other crucial uses, officials said.

    The intrusion occurred in late September but officials gave no indication that they had a problem until Oct. 20, said three people familiar with the hack and the subsequent reaction by the National Oceanic and Atmospheric Administration, which includes the National Weather Service. Even then, NOAA did not say its systems were compromised.

    Officials also said that the agency did not notify the proper authorities when it learned of the attack.

    NOAA officials declined to discuss the suspected source of the attack, whether it affected classified data and the delay in notification.

    Determining the origin of cyber­attacks is difficult, experts said, and Chinese officials have denied repeated accusations that they intrude in U.S. government computer systems for espionage or other purposes.

    Confirmation of the NOAA hack followed an admission Monday by the U.S. Postal Service that a suspected Chinese attack — also in September — compromised data on 800,000 employees, including letter carriers on up through the postmaster general.

    Reply
  30. Tomi Engdahl says:

    91% of US adults say consumers have lost control over how their personal info is collected and used by companies

    Public Perceptions of Privacy and Security in the Post-Snowden Era
    http://www.pewinternet.org/2014/11/12/public-privacy-perceptions/

    Privacy evokes a constellation of concepts for Americans—some of them tied to traditional notions of civil liberties and some of them driven by concerns about the surveillance of digital communications and the coming era of “big data.” While Americans’ associations with the topic of privacy are varied, the majority of adults in a new survey by the Pew Research Center feel that their privacy is being challenged along such core dimensions as the security of their personal information and their ability to retain confidentiality.

    Most are aware of government efforts to monitor communications

    Widespread concern about surveillance by government and businesses

    For example:

    91% of adults in the survey “agree” or “strongly agree” that consumers have lost control over how personal information is collected and used by companies.
    88% of adults “agree” or “strongly agree” that it would be very difficult to remove inaccurate information about them online.
    80% of those who use social networking sites say they are concerned about third parties like advertisers or businesses accessing the data they share on these sites.
    70% of social networking site users say that they are at least somewhat concerned about the government accessing some of the information they share on social networking sites without their knowledge.

    There is little confidence in the security of common communications channels, and those who have heard about government surveillance programs are the least confident

    Across six different methods of mediated communication, there is not one mode through which a majority of the American public feels “very secure” when sharing private information with another trusted person or organization:

    81% feel “not very” or “not at all secure” using social media sites when they want to share private information with another trusted person or organization.
    68% feel insecure using chat or instant messages to share private information.
    58% feel insecure sending private info via text messages.
    57% feel insecure sending private information via email.
    46% feel “not very” or “not at all secure” calling on their cell phone when they want to share private information.
    31% feel “not very” or “not at all secure” using a landline phone when they want to share private information.

    Americans’ lack of confidence in core communications channels tracks closely with how much they have heard about government surveillance programs.

    Reply
  31. Tomi Engdahl says:

    FBI’s most wanted cybercriminal used his cat’s name as a password
    From the department of face-palming opsec blunders.
    http://arstechnica.com/security/2014/11/fbis-most-wanted-cybercriminal-used-his-cats-name-as-a-password/

    When he was arrested at his Chicago home in 2012 for hacking the website of security think tank Stratfor, the dreadlocked Jeremy Hammond was the FBI’s most wanted cybercriminal. Authorities tracked him down with the help of top LulzSec member Hector Xavier Monsegur. But it has never been known how they managed to search his encrypted computer, the lid of which the hacker was able to close as agents armed with assault rifles were raiding his home.

    An Associated Press profile of the 29-year-old’s life behind bars provides a possible answer. Hammond’s password was “Chewy 123.”

    Hashing algorithms protecting encryption keys are by design extremely slow, making cracking attacks harder to carry out.

    “Chewy 123″ would be among the earlier candidates any experienced cracker would try.

    Why passwords have never been weaker—and crackers have never been stronger
    Thanks to real-world data, the keys to your digital kingdom are under assault.
    http://arstechnica.com/security/2012/08/passwords-under-assault/

    Reply
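Putting numbers on the two comments above (Hyppönen's pass-phrase rule of thumb and the “Chewy 123” password), as an added example that is not part of the original post nor of F-Secure's or Ars Technica's material: the script below compares the naive character-class strength estimate with what a cracker that tries dictionary words plus digit suffixes first actually faces, and shows how a slow KDF changes the cost. The toy wordlist, the 100k dictionary size, the 1.3 bits-per-character figure for English prose and the guesses-per-second rates are all assumptions chosen for illustration, not measurements.

```python
import hashlib
import math
import re

# Constructed toy cracking dictionary used by this example; a real one has
# on the order of 100k+ entries, which is the size assumed for the estimate.
TOY_WORDLIST = {"chewy", "password", "letmein", "dragon", "monkey", "books"}
ASSUMED_WORDLIST_SIZE = 100_000
DICEWARE_VOCAB = 7776          # words in a standard Diceware list (6^5)
ENGLISH_BITS_PER_CHAR = 1.3    # rough Shannon-style estimate for prose (assumption)

# Assumed cracker throughput for a fast unsalted hash on a GPU rig; a KDF
# such as PBKDF2 divides that rate by its iteration count. Illustrative only.
FAST_HASH_RATE = 1e10
PBKDF2_ITERATIONS = 100_000


def nominal_bits(password: str) -> float:
    """Naive estimate: each character drawn uniformly from the union of the
    character classes present. Overstates the strength of dictionary-derived
    passwords such as 'Chewy 123'."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # printable ASCII punctuation, including space
    return len(password) * math.log2(size) if size else 0.0


def effective_bits(password: str, wordlist=TOY_WORDLIST,
                   wordlist_size=ASSUMED_WORDLIST_SIZE) -> float:
    """Strength against a cracker whose first pass is 'dictionary word, a few
    capitalisation rules, optional space, up to four digits'. Anything that
    matches the pattern falls to a small candidate set."""
    m = re.fullmatch(r"([A-Za-z]+) ?(\d{0,4})", password)
    if m and m.group(1).lower() in wordlist:
        case_rules = 4            # lower, Capitalised, UPPER, as typed
        space_options = 2         # with or without the separator
        digit_suffixes = 10 ** len(m.group(2))
        return math.log2(wordlist_size * case_rules * space_options * digit_suffixes)
    return nominal_bits(password)


def diceware_bits(word_count: int, vocab_size: int = DICEWARE_VOCAB) -> float:
    """Entropy of a pass phrase whose words are picked at random from a list."""
    return word_count * math.log2(vocab_size)


def sentence_bits(sentence: str, bits_per_char: float = ENGLISH_BITS_PER_CHAR) -> float:
    """Rough entropy of a memorable natural-language sentence: well below the
    random-word figure for the same length, but length still does most of
    the work against brute force."""
    return len(sentence) * bits_per_char


def crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Average time to hit the password: half the keyspace at the given rate."""
    return 2 ** (bits - 1) / guesses_per_second


def derive_key(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Slow-by-design KDF: every guess costs the attacker `iterations` hashes."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def report(label: str, bits: float) -> str:
    fast = crack_seconds(bits, FAST_HASH_RATE)
    slow = crack_seconds(bits, FAST_HASH_RATE / PBKDF2_ITERATIONS)
    return f"{label:<28} {bits:5.1f} bits  fast hash: {fast:9.3g} s  PBKDF2: {slow:9.3g} s"


if __name__ == "__main__":
    print(report("'Chewy 123' (nominal)", nominal_bits("Chewy 123")))
    print(report("'Chewy 123' (effective)", effective_bits("Chewy 123")))
    print(report("4 random Diceware words", diceware_bits(4)))
    print(report("'here, I buy all my books'", sentence_bits("here, I buy all my books")))
```

The gap between the nominal and effective figures for “Chewy 123” is the whole story of the Hammond case: the character-class estimate says about 59 bits, but a word from any cracking dictionary with a three-digit suffix is under 30 bits, which a fast hash gives up in a fraction of a second and even a 100k-iteration KDF holds for only about an hour. Length from a pass phrase, not symbol substitutions, is what moves the number.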
  32. Tomi Engdahl says:

    Pay-by-bonk chip lets hackers pop all your favourite phones
    Think your phone is safe? You’ve got NFC
    http://www.theregister.co.uk/2014/11/13/mobile_carnage_as_hackers_pop_your_favourite_phones/

    Blood is flowing on the floor of the Pwn2Own challenge slaughterhouse, after whitehats hacked their way through an Apple iPhone 5S, Samsung Galaxy S5, LG Nexus 5 and Amazon Fire, most often by using Near Field Communications.

    Contestants had 30 minutes to demonstrate live exploits against the updated and unmodified devices running inside a Faraday cage to isolate signals.

    popping Safari on an Apple iPhone 5S.
    hacked a Samsung Galaxy S5 over NFC by way of a deserialisation exploit and logical error
    used NFC to bust a LG Nexus 5 through forced Bluetooth device pairings, a plot observers noted that was part of TV flick Person of Interest.

    Near Field Communications was “clearly the most popular” payload delivery vector for this year’s competition, HP security bod Shannon Sabens writes.

    Reply
  33. Tomi Engdahl says:

    Is your kid ADDICTED to web porn? Twitter? Hint: Don’t blame the internet
    New study: What parents worry about – and what they definitely SHOULDN’T worry about online
    http://www.theregister.co.uk/2014/11/13/research_reveals_parents_online_views/

    Parents’ biggest concern about life online is admen stalking kids across the web, according to new research.

    The next biggest concern was children having a social network account. In that case, 43 per cent of parents felt the negatives outweigh the positives, although that figure drops significantly to 26 per cent for those parents that have actually allowed their child to have one. Not all parents were worried though: 26 per cent felt social networks provided more benefits than harms.

    That view was backed by an expert panel later in the day looking at the “psychological impact of digital media.”

    Why the net is good for you

    What were the main benefits and harms of online life? A significant 39 per cent of those surveyed felt that the additional educational benefits that kids derive from the internet are its biggest plus point; likewise 18 per cent quote the ready access to knowledge. On the downside, 22 per cent of parents most feared a stalker or predator online, followed by 13 per cent who said the viewing of inappropriate material was a harming factor.

    Despite all that, however parents are pretty relaxed – even ambivalent about the impact of the internet on their kids’ lives.

    Only 10 per cent did not think they were able to effectively manage their children’s access to material and 64 per cent were confident they had it under control (although that confidence falls the older the child gets).

    The good news is that most parents – 65 per cent – talk regularly to their kids about going online, with just 6 per cent saying they have not talked to them about it.
    ‘Chill out’

    Don’t worry about the internet turning your precious darling into an antisocial sex-obsessed monster. Michael Rich of the Center on Media and Child Health at Harvard told attendees that even though he was getting an increasing number of children referred to him for various cases of “electronic addiction”, it was almost always a symptom of an underlying issue than the entity itself.

    There are also big pluses to having the internet over when parents were their kids’ age. They engage in less risky sexual behavior and they get to take risks with their identity in a much safer environment. “Parents need to chill out,” Junco told the audience. “The modern world is not any scarier than when we were kids.”

    Reply
  34. Tomi Engdahl says:

    Hacker Builds a Dark Net Version of the FBI Tip Form
    http://news.slashdot.org/story/14/11/12/185259/hacker-builds-a-dark-net-version-of-the-fbi-tip-form

    A London-based programmer has set up a new hidden service for anyone using Tor to submit anonymous tips to the FBI.

    A Hacker Built a Dark Net Version of the FBI Tip Line
    http://motherboard.vice.com/read/anonymous-fbi-tip-line-tor

    Reply
  35. Tomi Engdahl says:

    Europe debates if passenger information can be used for counter-terrorism measures
    http://thestack.com/pnr-europe-debate-111114

    MEPs are debating today whether to ratify the EU Passenger Name Record (PNR) proposal outlined in 2011, which would oblige Europe-based airlines to share detailed personal information on any passenger entering or leaving Europe, as an aide to investigations into criminal or terrorist activity.

    The 2011 proposal was rejected last April, but Civil Liberties Committee rapporteur Timothy Kirkhope (ECR, UK) has emphasised that threats to the security of the European Union have increased over the last 12 months.

    “We must put in place our own EU rules and standards […] as soon as possible” said Mr Kirkhope.

    Reply
  36. Tomi Engdahl says:

    UK.gov teams up with moneymen on HACK ATTACK INSURANCE
    Cover for biz … but you’ll have to jump through hoops
    http://www.theregister.co.uk/2014/11/13/cyber_insurance_analysis/

    The UK government last week partnered with 12 insurance companies to develop the “cyber-insurance” market. But experts are split on whether encouraging the development of the nascent market will result in the adoption of improved security practices.

    The government is promoting the growth of the cyber insurance market as a means of improving cyber security risk management. It says the insurance sector can improve good practice by asking the right questions of customers in relation to their cyber breach and operational risk policies.

    In your correspondent’s opinion, arguing that boosting spending on breach insurance protection improves cyber security is akin to saying that growing the car insurance market will improve road safety.

    The UK insurance sector is a global leader and a “natural home for a growing international cyber insurance market”, according to UK government officials.

    The government want to use insurance as a driver for improving cyber security practice in UK businesses – SMEs in particular.

    “Companies should be assessing their vulnerability to cyber attack and taking advantage of risk management and insurance solutions to mitigate the potential for these events to harm their business,” he added.

    “While cyber insurance has been around for a while, the market has been relatively slow to take off,” Brewer explained. “However, as cyber criminals become more sophisticated and we realise the inevitability of attack, it makes sense that businesses would want to have the greatest level of protection as the aftermath of a serious breach could be akin to a large-scale burglary. For insurers it’s not surprising they would want to capitalise on this modern risk facing UK businesses, and working with the government only provides a greater opportunity to get the word out there.”

    However some security experts expressed concerns that an insurance safety net might engender complacency among some companies.

    Nearly three-quarters (72 per cent) of senior execs polled believe it is vital that their organisation is insured for data security breaches, but only half (54 per cent) admit their company insurance currently covers the financial impact of both data loss and a security breach. Most senior executives fail to recognise the long-term damage that a data breach might have on their business, according to NTT which polled business leaders (not in an IT role) in Australia, France, Germany, Hong Kong, Norway, Sweden, UK and US.

    Cybercrime is a relatively new form of commercial risk and a market that is still evolving, with a lack of brokers and insurers with the relevant skills and knowledge. As a result, cyber insurance can be ambiguous, with examples of insurers failing to pay out based on small print and complex policy interpretation.

    Using cyber-insurance as a means of managing the risk of hacker attacks was earlier suggested by Michael Daniel, one of US President Obama’s top cybersecurity advisers last year.

    The US market for cyber insurance was already established even back then, according to industry experts.

    “The involvement of the big insurance players, covering big companies against potentially massive losses, is steadily transforming it into a major business though. It’s already raking in an estimated $1.3 billion per year in the US, with the rest of the world lagging some way behind,”

    “The cybersecurity insurance market is relatively new and undeveloped”

    “Many firms are now focussing on how they protect against the consequential financial impacts of a cyber incident and are turning to insurance as a mechanism to alleviate risk,” Brown said. “However, whilst insurance offers financial protection to businesses, it does not incentivise businesses to invest in enhancing their Cyber Security defences. Consideration should be given to rewarding those businesses who can demonstrate effective Cyber Security through certification schemes such as the Cyber Essentials.”

    Reply
  37. Tomi Engdahl says:

    Denial of service attacks exploit White House press machine
    Crooks using White House press releases as a means of gaining network trust
    http://www.theinquirer.net/inquirer/news/2380994/denial-of-service-attacks-exploit-white-house-press-machine

    SECURITY COMPANY Akamai has updated its State of the Internet report with a warning about a denial of service attack exploiting the White House PR puff machine.

    Akamai said that the cads are using content pushed out by the White House as a means of gaining network trust in DNS reflection attacks.

    “Attackers are crafting large DNS TXT [text] records to increase amplification, magnifying the impact of the attack,”

    “For example, several campaigns observed since 4 October contain fragments of text taken from press releases issued by the White House.”

    The attacks lasted for about five hours, according to Akamai, and created a peak bandwidth load of 4.3Gbps.

    The entertainment industry took some 75 percent of the attacks, and high tech consulting and education each took a 12.5 percent share.

    Reply
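    The Akamai report above describes reflection attacks that abuse oversized DNS TXT records for amplification. As an added example (not from the article or from Akamai), the script below shows how a resolver operator might spot this from the resolver's side: it parses constructed log lines in a hypothetical format, computes the response/query size ratio, and flags "clients" (spoofed victim addresses) that repeatedly receive very large TXT responses.

```python
"""Flag DNS TXT reflection/amplification from resolver logs.

Added example, not part of the original article. The log format below is
hypothetical and the sample lines are constructed; addresses come from
documentation ranges (RFC 5737).
"""
import re
from collections import defaultdict

# Constructed resolver log lines: timestamp, client that will receive the
# response (the spoofed victim in a reflection attack), query name/type,
# and query/response sizes in bytes.
SAMPLE_LOG = """\
2014-10-04T10:00:01Z client=203.0.113.7 qname=example.org qtype=TXT qlen=40 rlen=3200
2014-10-04T10:00:01Z client=203.0.113.7 qname=example.org qtype=TXT qlen=40 rlen=3200
2014-10-04T10:00:02Z client=203.0.113.7 qname=example.org qtype=TXT qlen=40 rlen=3200
2014-10-04T10:00:02Z client=198.51.100.9 qname=example.net qtype=A qlen=38 rlen=54
2014-10-04T10:00:03Z client=198.51.100.9 qname=example.net qtype=TXT qlen=40 rlen=260
2014-10-04T10:00:03Z client=203.0.113.7 qname=example.org qtype=TXT qlen=40 rlen=3200
"""

LINE_RE = re.compile(r"client=(\S+) qname=(\S+) qtype=(\S+) qlen=(\d+) rlen=(\d+)")


def parse_log(text):
    """Yield one dict per parseable log line; unparseable lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        client, qname, qtype, qlen, rlen = m.groups()
        yield {"client": client, "qname": qname, "qtype": qtype,
               "qlen": int(qlen), "rlen": int(rlen)}


def amplification_factor(rec):
    """Bytes sent to the client per byte of query: the attacker's gain."""
    return rec["rlen"] / rec["qlen"]


def find_reflection_victims(records, min_factor=20.0, min_hits=3):
    """Return {client: (hits, bytes_sent)} for clients that received at least
    min_hits TXT responses amplified by min_factor or more. A normal TXT
    record (SPF, DKIM) stays well below such a factor; a crafted one does not."""
    hits = defaultdict(int)
    total = defaultdict(int)
    for r in records:
        if r["qtype"] == "TXT" and amplification_factor(r) >= min_factor:
            hits[r["client"]] += 1
            total[r["client"]] += r["rlen"]
    return {c: (n, total[c]) for c, n in hits.items() if n >= min_hits}


if __name__ == "__main__":
    for client, (n, nbytes) in find_reflection_victims(parse_log(SAMPLE_LOG)).items():
        print(f"{client}: {n} amplified TXT responses, {nbytes} bytes reflected")
```

    On a real resolver the same signal is what response rate limiting (RRL) acts on; the script only flags, it does not block.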
  38. Tomi Engdahl says:

    DDoS Attacks Cost $40,000 / €32,180 per Hour on Average
    http://news.softpedia.com/news/DDoS-Attacks-Cost-40-000-32-180-per-Hour-on-Average-464819.shtml

    A report seeking to measure the impact of distributed denial-of-service (DDoS) attacks on affected organizations reveals that the average cost per hour of such an assault is $40,000 / €32,180, with half of the surveyed companies recording losses of $500,000 / €402,000 during an incident.
    The study was conducted by Incapsula, a company providing protection solutions against DDoS attacks, on 270 organizations in the US and Canada, from different industry sectors. The number of employees for each of them varies from 250 to 10,000.

    Financial losses are not tied only to mitigating the incident
    As per the information from the surveyed entities, 49% of the recorded DDoS attacks lasted between six and 24 hours. These are the cases where the cost estimate averages $40,000 / €32,180 for every hour of the attack. 15% of the respondents declared costs in excess of $100,000 / €80,500 per hour.

    Incidents extending over the period of several days and even more than one week have also been reported.

    The losses associated with DDoS attacks are not assessed strictly from the event mitigation standpoint and include the overall impact on the company.

    “Costs are not limited to the IT group; they also have a large impact on units such as security and risk management, customer service, and sales.

    “Additionally, most respondents who had been targeted experienced a variety of non-financial costs. 87% experienced at least one non-financial consequence, such as loss of customer trust, loss of intellectual property,” the report states.

    Most companies do not use dedicated anti-DDoS technology
    Getting the company back to the normal state of business is also an aspect that has to be taken into consideration because, in most of the cases, recovering from a DDoS attack can take months and sometimes even years, and assessing the entire extent of the damage is not possible in all instances. What is certain is the fact that these incidents have a long-term effect.

    Reply
  39. Tomi Engdahl says:

    Typewriters are back, and we have Edward Snowden to thank.
    http://www.washingtonpost.com/posteverything/wp/2014/11/12/typewriters-are-back-and-we-have-edward-snowden-to-thank/

    In writing, music, photography and other areas, “outdated” technologies have initially been valued for their retro, nostalgic appeal in the hipster culture.

    Now people are seeing the security benefits of returning to other so-called anachronistic technologies. Typewriters, for instance, are experiencing a revival in politics. Earlier this year, German politician Patrick Sensburg announced that Germany’s government officials might start using typewriters, as they are seen as being an “unhackable” technology.

    While this move might be viewed as somewhat regressive, it’s actually progressive. Let me explain.

    Following last year’s NSA leaks, the Russian government is also set to return to typewriters in an effort to avoid hacking.

    Initially considered obsolete in the digital age, typewriters are experiencing a slow but noticeable resurgence.

    American media theorist Henry Jenkins once claimed that old media never die – they simply transform. In contemporary society, it appears that not only do old media and technology never die, but they return.

    Technological determinism and the “doctrine of progress” dictates that society must move in a forward momentum toward digitally efficient technologies that operate faster, better and longer.

    The use of old technologies is criticized for being anachronistic and pretentious, but people from politicians to artists are acknowledging the benefits of older technological instruments.

    Analog technology is not only valued for its nostalgic, retro value, but for its simplicity in an increasingly digitized world that is vulnerable to hacking and privacy breaches. So while digital technology is heralded as the most efficient in terms of speed and productivity, older technologies offer something perhaps more valuable but under-appreciated.

    Reply
  40. Tomi Engdahl says:

    Finnish Prime Minister Alexander Stubb speaks in favor of the defense budget increase.

    Cyber security is, in his opinion, an area in which capabilities should be developed across society as a whole.

    “Cyber is a practice of modern warfare, and if cyber is not in order, the operation of the whole society can be paralyzed. I speak not only of banks but, for example, of security of supply and energy supply,” he says.

    He states that this too needs more money, and in addition there must be the capacity to change the law.

    Source: http://www.tivi.fi/kaikki_uutiset/stubb+lisaa+rahaa+kyberpuolustukseen+lakeja+voitava+muuttaa/a1028432

    Reply
  41. Tomi Engdahl says:

    A web site makes it possible to secretly look at images from Finnish and US homes.

    An Internet site is conveying secret video from a number of Finnish homes. The site has gained access to about 70 Finnish security cameras, or webcams, the Finnish newspaper Helsingin Sanomat reports. Globally more than 70,000 cameras have been captured, the most of them in the United States.

    The site uses the camera manufacturers’ default passwords. The website says that if you change the password, the camera is removed from the site. The site also highlights the importance of information security.

    Source: http://www.iltalehti.fi/uutiset/2014111318834335_uu.shtml

    Reply
  42. Tomi Engdahl says:

    8-Year-Old Indian-Origin CEO to Give Lecture at Cyber Security Summit
    http://www.ndtv.com/article/india/8-year-old-indian-origin-ceo-to-give-lecture-at-cyber-security-summit-620044?pfrom=home-lateststories

    New Delhi: An eight-year old Indian-origin child prodigy is among experts who will address a cyber security conference starting Thursday, where Minister of State for External Affairs V K Singh is also listed as a keynote speaker.

    The organisers said, “8 year old Reuben Paul gives keynote at Houston Security Conference.”

    “I started learning about computer languages around one- and-a-half years back. Now I design my own projects,” Reuben told PTI.

    “This will be Reuben’s fourth conference where he will be giving lecture on cyber security. He will talk about the need to create awareness about cyber security among young kids as well as demo white page hacking,” Mano Paul said.

    Reply
  43. Tomi Engdahl says:

    Google releases open source Nogotofail network traffic security testing tool
    http://venturebeat.com/2014/11/04/google-releases-open-source-nogotofail-network-traffic-security-testing-tool/

    Google today introduced a new tool for testing network traffic security called Nogotofail. The company has released it as an open source project available on GitHub, meaning anyone can use it, contribute new features, provide support for more platforms, and do anything else with the end goal of helping to improve the security of the Internet.

    The tool’s main purpose is to test whether the devices or applications you are using are safe against known TLS/SSL vulnerabilities and misconfigurations (it includes testing for common SSL certificate verification issues, HTTPS and TLS/SSL library bugs, SSL and STARTTLS stripping issues, cleartext issues, and so on). Nogotofail works on Android, iOS, Linux, Windows, Chrome OS, OSX, and “in fact any device you use to connect to the Internet.”

    Introducing nogotofail—a network traffic security testing tool
    http://googleonlinesecurity.blogspot.fi/2014/11/introducing-nogotofaila-network-traffic.html

    Reply
  44. Tomi Engdahl says:

    Senate may vote on NSA reform as soon as next week
    http://www.dailydot.com/politics/usa-freedom-act-senate-vote/

    After last week’s election, it didn’t look like Congress was going to do much legislating during the rest of this year’s lame duck session; however

    Introduced by Sen. Pat Leahy (D – Vt.) and Rep. Jim Sensenbrenner (R- Wis.), the USA FREEDOM Act is aimed at reforming the National Security Agency by curtailing some of the agency’s powers to conduct surveillance on the electronic communications of American citizens.

    The bill would prohibit the NSA from indiscriminately collecting and storing the cell phone metadata of all Americans—a program revealed by whistleblower Edward Snowden.

    The USA FREEDOM Act is an acronym for “Uniting and Strengthening America by Fulfilling Rights and Ending Eavesdropping, Dragnet Collection, and Online Monitoring” Act.

    Reply
  45. Tomi Engdahl says:

    Lads from Lagos using ‘Predator Pain’ on hapless 419 victims
    Emails from thieving RATs contain keyloggers
    http://www.theregister.co.uk/2014/11/13/419ers_adopt_cyberspy_tactics_white_paper/

    Advanced-fee fraudsters are adopting the tactics of state-sponsored hackers in attacks targeting small- to medium-sized businesses, rather than large corporates, according to research from Trend Micro.

    419 gangs are using the Predator Pain and Limitless keyloggers to steal network credentials through spear-phishing attacks, mimicking the tactics of so-called APT-style attacks most associated with state-sponsored hackers.

    “The common attack scenarios by cybercriminals using these toolkits involve sending out business-themed messages to publicly listed email addresses,” Trend Micro warns. “The emails contain a keylogger that sends information back to the cybercriminal via email, FTP, or Web panel (PHP): system information, keystrokes, browser-cached account credentials, and screenshots.”

    A 419 scam typically involves promising the victim a significant sum of money, for which the fraudster requires a small up-front payment.

    Reply
  46. Tomi Engdahl says:

    Crypto collision used to hijack Windows Update goes mainstream
    Final nail in the coffin for the MD5 hash
    http://www.theregister.co.uk/2014/11/05/md5_hash_collision/

    The cryptographic hash collision attack used by cyberspies to subvert Microsoft’s Windows Update has gone mainstream, revealing that MD5 is hopelessly broken.

    Security researcher Nat McHugh created two images of different rock ‘n’ roll icons – James Brown and Barry White – with the same MD5 hash. “The images were just two I lifted from the web … in fact I could have chosen any image or indeed any arbitrary data and created a collision with it,” McHugh reports.

    The process of computing padding data to produce the collision between two dissimilar images files was carried out on a mainstream cloud computing instance in a matter of hours at a cost estimated by McHugh as being less than a dollar.

    Brute force attempts to find cryptographic hash collisions – where two dissimilar files give the same hash value – are still impractical for anyone without access to a supercomputer.

    In a chosen prefix collision, the data preceding the specially crafted collision blocks can be completely different, as is the case of the images of the Godfather of Soul and the Walrus of Love.

    Reply
  47. Tomi Engdahl says:

    Peeping into 73,000 unsecured security cameras thanks to default passwords
    http://www.networkworld.com/article/2844283/microsoft-subnet/peeping-into-73-000-unsecured-security-cameras-thanks-to-default-passwords.html

    A site linked to 73,011 unsecured security camera locations in 256 countries to illustrate the dangers of using default passwords.

    Yesterday I stumbled onto a site indexing 73,011 locations with unsecured security cameras in 256 countries …unsecured as in “secured” with default usernames and passwords. The site, with an IP address from Russia, is further broken down into insecure security cameras by the manufacturers Foscam, Linksys, Panasonic, some listed only as “IP cameras,” as well as AvTech and Hikvision DVRs. 11,046 of the links were to U.S. locations, more than any other country; one link could have up to 8 or 16 channels, meaning that’s how many different security camera views were displayed on one page.

    Truthfully, I was torn about linking to the site, which claims to be “designed in order to show the importance of security settings;” the purpose of the site is supposedly to show how not changing the default password means that the security surveillance system is “available for all Internet users” to view.

    Security cameras are supposed to offer security, not provide surveillance footage for anyone to view. Businesses may be fine with that, but cameras that are not truly locked down in homes invite privacy invasions. In this case, it’s not just one manufacturer. Sure, a geek could Google Dork or use Shodan to end up with the same results, but that doesn’t mean the unsecured surveillance footage would be aggregated into one place that’s bound to be popular among voyeurs.

    There were lots of businesses, stores, malls, warehouses and parking lots, but I was horrified by the sheer number of baby cribs, bedrooms, living rooms and kitchens; all of those were within homes where people should be safest, but were awaiting some creeper to turn the “security surveillance footage” meant for protection into an invasion of privacy.

    The site lists the camera manufacturer, default login and password, time zone, city and state. The results for each camera are also theoretically pinpointed with longitude and latitude on Google Maps. That can be opened in another browser window, zoomed into, converted to Google Earth, then Street View in hopes of seeing an address to take into a reverse phone look-up. It’s slightly easier if it’s a business and you see a name on a building. There may be an easier way, as it was slow and frustrating.

    I’m unwilling to say how many calls I made

    Managers, don’t shoot the messenger; a person out to hurt you might dig into a Linux box with root, but no exploit or hacking is needed to view the surveillance footage of your unsecured cameras! It’s exceedingly rude to yell or accuse a Good Samaritan of “hacking” you. If your cameras are AVTech and admin is both username and password, or Hikvision “secured” with the defaults of admin and 12345, then you need to change that. Or don’t and keep live streaming on a Russian site.

    It would be great if these manufacturers would start wrapping the boxes in tape that yells, Be sure to change the default password! In some security camera models, no password is even required.

    I don’t know what else to do if the FTC doesn’t again bring the hammer down on companies that don’t do enough to stop people from having their lives invaded.

    Reply
  48. Tomi Engdahl says:

    Carmakers Promise Not To Abuse Drivers’ Privacy
    http://yro.slashdot.org/story/14/11/13/1357256/carmakers-promise-not-to-abuse-drivers-privacy

    “Nineteen automakers accounting for most of the passenger cars and trucks sold in the U.S. have signed onto a set of principles they say will protect motorists’ privacy in an era when computerized cars pass along more information about their drivers than many motorists realize. The principles were delivered in a letter Wednesday to the Federal Trade Commission, which has the authority to force corporations to live up to their promises to consumers.”

    Reply
  49. Tomi Engdahl says:

    Judge: Terror bomb victims CAN’T seize Iran’s domain name as compensation
    ccTLDs aren’t like cars or houses
    http://www.theregister.co.uk/2014/11/13/dc_court_cctlds_not_attachable_property/

    A judge in Washington DC has ruled that a country’s entire internet registry cannot be seized, averting a global diplomatic crisis.

    Lawyers for nine US citizens injured in an Iran-financed bombing in Jerusalem back in 1997 turned to the internet in an effort to recoup millions of dollars awarded to them against the government of Iran more than a decade ago. They wanted Iran’s dot-ir top-level domain handed over as part payment of that debt.

    In other words, because an internet registry does not exist as its own separate entity, like a car or a house, it cannot be assumed to be an asset that can be seized.

    Since these are ongoing services, the judge then argues that because a ccTLD is being constantly changed and updated it can be viewed as an “ongoing contractual arrangement that necessarily requires continued work or services to have value”. Because of this it cannot be “attached” to a lawsuit under Washington DC law.

    “There is little authority on the question of whether internet domains may be attached in satisfaction of a judgment,” he leads off his rationale.

    Reply
  50. Tomi Engdahl says:

    Desktop Linux users beware: the boss thinks you need to be managed
    VMware reveals VDI for Linux desktops plan, plus China lab to do the development
    http://www.theregister.co.uk/2014/10/31/desktop_linux_users_beware_its_decided_you_need_management/

    Desktop Linux users beware: IT has noticed you and decided it’s time you were properly managed.

    But VMware says its customers now realise that in this highly-regulated age of the megabreach, unmanaged Linux desktops probably aren’t tenable. It therefore plans to take the bits of its Desktone desktop-as-a-service service – which already handles Linux desktops – and build an on-premises equivalent.

    That’s a fair comment: a Linux desktop with an HTML5 browser can do just about anything required by a great many end users.

    Don’t wait up late for the VDI product: VMware says it “is expected in 2015”.

    Reply
