2014 will be a year of cybersecurity, following the NSA revelations of 2013. The headline news is that the NSA has surreptitiously “burrowed its way into nearly all the security architecture” sold by the world’s largest computer networking companies. Many people were shocked by how much of the Internet the NSA monitored and hacked. There will still be NSA aftershocks as new material comes out and different parties react to it (and news sources write about it). U.S. cloud services have been called into question for good reason. There will be a lot of NSA spying litigation. Those spying issues will also fuel some hacktivism (it has already started to happen).
The Security Professionals: Top Cyber Threat Predictions for 2014 article lists the following predictions, which seem quite probable: cybersecurity regulatory efforts will spark a greater need for harmonization; service-impacting interruptions for online services will persist; we will see an increase in cybercrime activity related to the World Cup; regional cloud services will rise; DevOps security integration is fast becoming critical; cybercrime that leverages unsupported software will increase; and social engineering and ransomware will impact more people.
Ubiquitous mobile computing is all around us, which will lead to increased risks and concerns about social network privacy. Social networks have quickly become the key organizing principle of Internet communication and collaboration. Note that Android anti-virus apps can’t kill malware on sight the way desktop anti-virus can: they run sandboxed like any other app, so the most they can do is flag a malicious app and ask the user to uninstall it.
2013 was a heavily hacked year, with many cases where information on millions or tens of millions of users was stolen from companies. It is likely that we will see much more of the same in 2014: the way people use passwords and the way online services are built have not changed much in one year.
Gartner predicts that through 2014, improved JavaScript performance will begin to push HTML5 and the browser as a mainstream enterprise application development environment. I expect HTML5-related security issues to increase as the technology is used more in 2014.
Over 50% of net traffic to web sites is made by bots! The More Than Half of Internet Traffic Is Just Bots article says that security and cloud service provider Incapsula analyzed its traffic and found that more than 60 percent of Internet traffic is computer generated, compared to less than 40 percent driven by human clicks. 31% of bots are still malicious. SEO link building has always been a major motivation for automated link spamming, but it is decreasing because Google has been able to discourage it. A growing share of the malicious bot traffic is more advanced hacking tools and automated vulnerability scanning.
DDoS attacks are evolving from volumetric Layer 3-4 attacks to much more sophisticated and dangerous Layer 7 multi-vector threats: instead of just saturating bandwidth, they target expensive application requests (logins, searches, dynamic pages) and combine several vectors at once, so that mitigating one of them does not stop the attack.
There will still be many SCADA security issues in 2014. Even though traditional SCADA vulnerabilities have become easier to find, the increased connectivity brought by IoT will cause new issues. And there will still be very many control systems openly accessible from the Internet to practically anybody who knows how to look for them. A large number of SCADA systems were found open on the Internet at the beginning of 2013, and the numbers did not drop considerably during the year. I expect that very many of those systems will still be too open at the end of 2014.
The Internet is expanding into enterprise assets and consumer items such as cars and televisions. The Internet of Things (IoT) will evolve into the Web of Things, increasing the coordination between things in the real world and their counterparts on the Web. There will be many security issues to solve, and as these systems become more widely used, more security issues will be found in them.
Cloud security will be talked about. Hopefully there will be some clean-up of the terminology in that area, because “cloud security” can mean a lot of things, just like the term “cloud computing”. Cloud security could mean how secure your cloud provider is; a service that runs in the cloud and filters what passes through it (for example e-mail or web traffic); a product protecting some service running in the cloud; or a traditional anti-virus product that connects to the cloud to improve its operation (for example real-time updates, or verifying unknown programs against data in the cloud). Research firm Gartner forecasts that cloud security sales will increase dramatically in the next few years, from $2.1 billion to $3.1 billion by 2015.
Marketers put the term “cloud” into security product brochures as much as they can. The cloud has made traditional information security sound old-fashioned, because companies are under pressure to move services to the cloud. Mobile devices and dispersed users also set new requirements for information security. OpenDNS CTO Dan Hubbard says that “because data and equipment run in the cloud, protecting users from the cloud is the best way to protect them.” The Snowden effect will also put PRIVATE cloud talk on the table this year for security reasons, because U.S. cloud services have been called into question for good reason.
In Finland a new Cyber Security Centre started at the beginning of 2014. Its security articles and warnings will be published at kyberturvallisuuskeskus.fi.
Late addition: Crypto-currencies like Bitcoin and similar are on the rise. Early adopters already use them actively. Those crypto-currencies have many security issues related to them. Their values vary a great deal, and the value easily drops considerably when they get used so widely that different governments try to limit their use. Bitcoin is increasingly used as a ransomware payment method. Bitcoins have been stolen quite a lot lately (and I expect that to increase as usage increases), from users, from online wallets and from exchanges. When more money is involved, more bad guys try to get in to take some of it. Sometimes the bad guys do not try to steal your money, but use resources you pay for (your own PC, your server capacity, etc.) to generate money for them without you knowing about it. If you plan to use crypto-currencies, be careful to understand what you are doing with them: there is a real possibility that you will lose your money, and there is no way the lost money can be recovered.
3,382 Comments
Tomi Engdahl says:
PUF promises to protect all with absolute certainty
The recent extensive data breaches have prompted a debate about the best and surest way to protect, for example, encryption keys. The only completely safe technique is a PUF (physically unclonable function). There is no digitally stored encryption key that could be copied.
PUFs can be built in a number of different ways and in many different devices. For example, magnetic cards use random variations in magnetic fields to derive unique keys. Last week at electronica, Microsemi introduced its own PUF technology, which is based on the FPGA’s SRAM blocks.
When the FPGA starts, the anomalies of the SRAM memory produce a kind of electronic fingerprint.
This electronic fingerprint is converted into an encryption key. It is not stored in any SRAM block or anywhere outside. The key is generated only when it is needed. After use, the key is erased from all internal registers and memory.
The Quiddikey function can be used to generate the user’s own encryption keys, as well as AES, RSA and ECC keys for storage.
According to Tim Morin, security is taking a more important role in IoT solutions. – Software-based firewalls and other solutions are broken all the time. Only hardware-based protection can protect your sensitive data.
Source: http://www.etn.fi/index.php?option=com_content&view=article&id=2078:puf-suojaa-kaiken-taysin-varmasti&catid=13&Itemid=101
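The fingerprint-to-key step described above only works if the same key can be reproduced bit-exactly from an SRAM pattern that is slightly different on every power-up, which is what a fuzzy extractor (public helper data plus error correction) does. The following is an added example, not Microsemi’s or the article’s code: it simulates a noisy SRAM power-up read, enrols a secret against it with a code-offset construction using a simple repetition code, reproduces the key from later noisy reads, and shows the failure mode when the noise exceeds what the code can correct. The fingerprint, noise model, block size and key label are all assumptions made up for the illustration.

```python
# Added example (not Microsemi's code): PUF-style key reproduction from a noisy
# SRAM power-up fingerprint using a code-offset fuzzy extractor.  The SRAM
# behaviour is simulated; REFERENCE is a constructed stand-in for the real
# power-up pattern of a chip's SRAM cells.
import hashlib
import random
import secrets

REP = 7                         # repetition-code length: corrects up to 3 flipped cells per block
KEY_BITS = 128                  # number of secret bits protected by the helper data
FINGERPRINT_BITS = KEY_BITS * REP

# Constructed "reference" power-up pattern (fixed seed so the example is reproducible).
_ref_rng = random.Random(1234)
REFERENCE = [_ref_rng.randint(0, 1) for _ in range(FINGERPRINT_BITS)]


def flip_bits(reference, positions):
    """A power-up read in which the cells at the given positions came up
    differently from the reference (models unstable SRAM cells)."""
    flips = set(positions)
    return [b ^ 1 if i in flips else b for i, b in enumerate(reference)]


def noisy_read(reference, noise_rate, rng):
    """A power-up read where each cell independently flips with probability noise_rate."""
    return flip_bits(reference, [i for i in range(len(reference)) if rng.random() < noise_rate])


def derive_key(secret_bits):
    """Condition the recovered secret into a fixed-size key (the label is an assumption)."""
    raw = int("".join(map(str, secret_bits)), 2).to_bytes(KEY_BITS // 8, "big")
    return hashlib.sha256(b"puf-key-v1" + raw).digest()


def enroll(sram_bits):
    """One-time enrolment: choose a random secret, expand each bit to REP copies
    (repetition code) and XOR with the fingerprint.  The helper data may sit in
    plain flash: without the fingerprint it does not reveal the secret, and the
    secret itself is never written anywhere."""
    secret = [secrets.randbits(1) for _ in range(KEY_BITS)]
    codeword = [bit for bit in secret for _ in range(REP)]
    helper = [c ^ s for c, s in zip(codeword, sram_bits)]
    return helper, derive_key(secret)


def reproduce(sram_bits, helper):
    """At every boot: XOR helper data with a fresh noisy read (giving codeword XOR
    noise), then majority-decode each REP-bit block.  Up to REP // 2 flipped cells
    per block are corrected; more than that yields a different key."""
    noisy_codeword = [h ^ s for h, s in zip(helper, sram_bits)]
    secret = [1 if sum(noisy_codeword[i:i + REP]) * 2 > REP else 0
              for i in range(0, len(noisy_codeword), REP)]
    return derive_key(secret)


if __name__ == "__main__":
    helper, key = enroll(REFERENCE)
    boot_read = noisy_read(REFERENCE, 0.03, random.Random(42))
    print("key reproduced from noisy boot read:", reproduce(boot_read, helper) == key)
```

Only the helper data is stored, and it is public by design; the key exists only while `reproduce` runs and on real hardware is scrubbed from registers afterwards (Python cannot guarantee that). The repetition code is chosen for readability: it reveals the parity relations between fingerprint cells inside a block, so production designs use a stronger code, size the block from the measured cell error rate, and condition the result with a hash (as here) before using it as an AES or ECC key.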
Tomi Engdahl says:
Hewlett Foundation lays out MEELLIONS on security
Cyber ALL the boffins
http://www.theregister.co.uk/2014/11/19/hewlett_foundation_lays_out_meelions_on_security/
The Hewlett Foundation has found US$45m in its other jacket, and has anointed three lucky US universities to spend on security research.
MIT, Stanford and UC Berkeley will share the simoleons, in a program MIT says is designed to generate a “robust marketplace of ideas”, whatever that is. On a more pragmatic basis, the universities will respectively work on “quantitative metrics and qualitative models” (MIT’s Cybersecurity Policy Initiative); policy frameworks (Stanford, via its Cyber Initiative); and predictions of the future (UC Berkeley’s Center for Long-Term Cybersecurity).
Stanford’s announcement focuses on “how to resolve trust and security problems endemic to networked information technologies, how to govern the Internet in a world where people often disagree about what they value, and how to anticipate unexpected developments in information technologies that could affect national security, intellectual property, civil liberties and society”.
Tomi Engdahl says:
SMS pwnage on MEELLIONS of flawed SIM cards, popular 4G modems
Bootkits for everyone!
http://www.theregister.co.uk/2014/11/19/sms_pwnage_on_meellions_of_flawed_sim_cards_popular_4g_modems/
A Russian research team has found vulnerabilities in millions of the world’s SIM cards, and separate flaws in common 4G modem platforms. Together, the bugs could allow attackers to send crafted SMS text messages to gain access to critical systems and install malware on connected computers.
In one dramatic and hypothetical example, the research team of six from outfit SCADA StrangeLove showed how track switching mechanisms in the European Rail Traffic Management System could be altered by remote attackers targeting computers and devices on trains and tracks.
Attackers would need four flaws to align to take advantage of the remote Kc disclosure, including as Nohl explained to Vulture South:
A network that allowed binary SMS to reach the SIM card;
One of the millions of SIM cards that have an unprotected or weakly protected TAR;
The TAR allows execution of file system commands, and
An easily guessable SIM card PIN.
“Only if all four hold, can a decryption key (Kc) be queried remotely,” Nohl explained of the work. “Given that there are billions of SIMs out there, the attack still affects many millions of them.”
Tomi Engdahl says:
NYT: Privacy Concerns For ClassDojo, Other Tracking Apps For Schoolchildren
http://yro.slashdot.org/story/14/11/18/2120256/nyt-privacy-concerns-for-classdojo-other-tracking-apps-for-schoolchildren
The NY Times’ Natasha Singer files a report on popular and controversial behavior tracking app ClassDojo, which teachers use to keep a running tally of each student’s score, award virtual badges for obedience, and to communicate with parents about their child’s progress. “I like it because you get rewarded for your good behavior — like a dog does when it gets a treat,” was one third grader’s testimonial.
Privacy Concerns for ClassDojo and Other Tracking Apps for Schoolchildren
http://www.nytimes.com/2014/11/17/technology/privacy-concerns-for-classdojo-and-other-tracking-apps-for-schoolchildren.html?_r=0
Tomi Engdahl says:
NSA mass spying reform KILLED by US Senators
Democrats needed just TWO more votes to keep alive bill reining in some surveillance
http://www.theregister.co.uk/2014/11/19/nsa_reform_bill_dies_in_the_us_senate_killed_by_two_votes/
A law bill to reform some of the NSA’s mass surveillance of innocent Americans died in the US Senate this evening.
Democrats pushing through the proposed overhaul were two votes short of the 60 needed to break a Republican filibuster.
Tomi Engdahl says:
EU Ryanair ‘screen-scraping’ case could affect biz models
Our database is NOT FREE (the toilets, on the other hand*)
http://www.theregister.co.uk/2014/11/12/cjeu_case_on_screenscraping_has_potential_to_affect_business_models_says_expert/
Some price comparison websites and other online businesses could be forced to alter their business models if the EU’s highest court takes steps to prevent unauthorised “screen-scraping” of data, an expert has said.
The Court of Justice of the EU (CJEU) is due to hear arguments today from Ryanair and a Dutch price comparison business about the extent to which rules contained in the EU’s Database Directive apply to data that is not protected by copyright or a “sui generis” database right.
The CJEU’s judgment on the matter, which is unlikely to be issued for many months, will determine the extent to which businesses can apply contractual restrictions, in the absence of having copyright or database rights protection for their data, to prevent others from using that data. Screen scraping involves the use of software to automatically collect information from websites and systems.
Can DB owners STOP YOU if you access their data legally?
The CJEU has been asked, however, to determine whether owners of online databases that qualify for neither database rights nor copyright protection can use contractual restrictions to prevent the copying or use of their databases by those who can access them lawfully.
Tomi Engdahl says:
Asian mobiles the DDOS threat of 2015, security mob says
Beware traffic from hacked Vietnam, India and Indonesia fondleslabs
http://www.theregister.co.uk/2014/11/19/asian_mobiles_the_ddos_threat_of_2015_security_mob_says/
Vietnam, India and Indonesia will be the distributed denial of service volcanoes of next year due to the proliferation of pwned mobiles, according to DDoS security bod Shawn Marck.
Vietnam clocked in fifth place in the firm’s latest threat report, in which India and Indonesia did not feature, outpaced by China, the US, Russia and Germany.
“The new up-and-coming countries of origin for DDoS attacks identified by the Black Lotus mitigation team are Vietnam, India and Indonesia,” the company said in the report.
Tomi Engdahl says:
Cisco Releases OpenSOC Security Analytics Framework as Open Source
http://www.securityweek.com/cisco-releases-opensoc-security-analytics-framework-open-source
In an effort to help organizations create an incident investigation tool that meets their specific requirements, Cisco announced on Monday the availability of the company’s OpenSOC big data security analytics framework as an open source solution.
Recent data breaches have resulted in a large number of organizations having customer details and intellectual property compromised. The incident investigation process of such breaches can be time-consuming when traditional techniques are used. The OpenSOC framework can speed up the process by providing data breach victims with all the tools and information they need in a single platform, Cisco said.
“The OpenSOC framework helps organizations make big data part of their technical security strategy by providing a platform for the application of anomaly detection and incident forensics to the data loss problem,” Cisco’s Pablo Salazar wrote in a blog post.
Tomi Engdahl says:
EFF, Mozilla back new certificate authority that will offer free SSL certificates
http://www.pcworld.com/article/2849412/eff-mozilla-back-new-certificate-authority-that-will-offer-free-ssl-certificates.html
A new organization supported by Mozilla, the Electronic Frontier Foundation and others is working to set up a new certificate authority (CA) that will provide website owners with free SSL/TLS certificates.
The new CA will be called Let’s Encrypt and is expected to become operational in the second quarter of next year. It will be run by the Internet Security Research Group (ISRG), a new California public-benefit corporation.
The goal of this effort is to get as many people as possible to use the TLS (Transport Layer Security) protocol—the more secure successor of SSL (Secure Sockets Layer)—said Josh Aas, executive director of ISRG. Aas is also a senior technology strategist at Mozilla.
The new CA will not only provide certificates for free, but will also automate the certificate issuance, configuration and renewal processes in order to encourage widespread TLS adoption.
The goal is to make getting a certificate as easy as possible, because that’s currently the hardest part of turning on TLS, Aas said. With the new CA “there will be no billing interaction, no need to create an account. You don’t really need to know much at all except that you want to turn on TLS.”
Tomi Engdahl says:
Judge threatens detective with contempt for declining to reveal cellphone tracking methods
http://www.baltimoresun.com/news/maryland/baltimore-city/bs-md-ci-stingray-officer-contempt-20141117-story.html
Baltimore prosecutors withdrew key evidence in a robbery case Monday rather than reveal details of the cellphone tracking technology police used to gather it.
The surprise turn in Baltimore Circuit Court came after a defense attorney pressed a city police detective to reveal how officers had tracked his client.
City police Det. John L. Haley, a member of a specialized phone tracking unit, said officers did not use the controversial device known as a stingray. But when pressed on how phones are tracked, he cited what he called a “nondisclosure agreement” with the FBI.
“You don’t have a nondisclosure agreement with the court,” Baltimore Circuit Judge Barry G. Williams replied. Williams threatened to hold Haley in contempt if he did not respond. Prosecutors decided to withdraw the evidence instead.
Tomi Engdahl says:
WhatsApp rolls out end-to-end encryption using TextSecure code
http://www.theverge.com/2014/11/18/7239221/whatsapp-rolls-out-end-to-end-encryption-with-textsecure
The most recent update to WhatsApp’s Android app includes a surprising feature: strong end-to-end encryption, enabled by default. It’s the strongest security any major texting app has offered, even compared with similar tools from giants like Google, Microsoft, and Apple. WhatsApp partnered with Open Whisper Systems for the launch, using open source code to build in the new features. It’s unclear when the features will come to iOS, but just reaching WhatsApp’s Android users represents a huge step forward for everyday encryption use.
“End-to-end” means that, unlike messages encrypted by Gmail or Facebook Chat, WhatsApp won’t be able to decrypt the messages itself, even if the company is compelled by law enforcement.
Tomi Engdahl says:
CALL THE COMMISH! Ireland dragged into Microsoft dispute over alleged drug traffic data
Plunder your servers, not ours, says Irish govt
http://www.theregister.co.uk/2014/11/19/call_the_commish_ireland_dragged_into_alleged_drug_traffickers_microsoft_data_dispute/
Last Friday, Apple, Oracle, IBM, HP and other cloud bigwigs (represented by DigitalEurope) begged the EU for help in preventing the US seizing emails stored by Microsoft in Ireland. Now Ireland itself has done the same.
On Tuesday night, the Irish authorities formally requested that the European Commission examine whether EU data protection laws had been broken by the US government in its attempt to force Microsoft’s Irish subsidiary to hand over information.
A warrant was issued in the US last December ordering Microsoft to hand over emails allegedly connected to a drug trafficking case that were stored on servers in Ireland. The tech behemoth appealed, but US district judge Loretta Preska ruled in July that the location of the data was immaterial since Microsoft had “control” over it.
Microsoft argues that the data in Ireland does not fall directly under US jurisdiction, and that if the US wants access to it, it had the option of working together with the Irish authorities using the Mutual Legal Assistance Treaty (MLAT).
It appears Ireland also thinks the US has stepped on its sovereignty toes.
Tomi Engdahl says:
Oi, Europe! Tell US feds to GTFO of our servers, say Microsoft and pals
By writing a really angry letter about how it’s harming our cloud business, ta
http://www.theregister.co.uk/2014/11/14/save_us_from_the_americans_american_corps_beg_eu/
Apple, Microsoft, HP and other cloud giants are begging Europe for help to stop US feds seizing customers’ data from servers on the Continent.
A policy paper [PDF] published on Friday by DigitalEurope – which represents the above goliaths – urged the European Commission to wade into an ongoing legal fight between Uncle Sam and Microsoft over privacy.
Tomi Engdahl says:
DRaaS-tic action: Trust the cloud to save your data from disaster
Accidents happen…
http://www.theregister.co.uk/2014/11/19/disaster_recovery/
In modern computing, disaster recovery can be thought of in the same way as insurance: nobody really wants to pay for it, the options are complicated and seemingly designed to swindle you, but it is irrational (and often illegal) to operate without it.
All the big IT players are getting into disaster recovery as a service (DRaaS), and many of the little ones are too.
The core concept is simple: someone with a publicly accessible cloud stands up some compute, networking and storage and lets you send copies of your data and workloads into their server farm.
If your building burns down or some other disaster hits your company, you can log into the DRaaS system, push a few buttons and all the IT for your entire business is up and running in moments. If only car insurance were that easy.
But like car insurance, DRaaS comes in flavours. There are so many options from so many vendors that the mind boggles.
Prices and capabilities vary wildly. Perhaps most importantly, the amount of effort required to make the thing work properly, and keep it working, can vary quite a bit too.
Simply using software as a service offerings for critical functions and letting the rest burn is not particularly rational either. Public cloud services still need to be backed up.
Vendors go under. Some putz could hack your account and delete everything. A plane could fall out of the sky and land directly on the storage array containing the only copy of your data.
So you cannot avoid disaster recovery planning. You can, of course, set up your own disaster recovery solution. Go forth and build your own data centre, or even just toss a server in a colo.
Both are excellent options, if the circumstances, requirements and budget of the company are right. For everyone else, there’s DRaaS.
Tomi Engdahl says:
CITY BANKERS, prepare for a TERRORIST CYBER ATTACK – London police chief
Fingers ISIS as likely attacker
http://www.theregister.co.uk/2014/11/19/bank_cyber_attack_warning/
Western financial institutions should prepare themselves for cyber attacks from Islamic militants, the head of the City of London police warns.
Commissioner Adrian Leppard urged that preparations be put in hand, speaking at a security conference in New York. According to the FT, he singled out Islamic State of Iraq and the Levant (aka Isis) as a potential attacker.
“There could be a very serious impact to the financial institutions of the world through a cyber attack and I think it’s a very strong likelihood that it will happen one day in the future, which is why we’ve got to push back and take action now before it happens,”
In your correspondent’s view, it is likely that this latest warning is built on insubstantial foundations that paint a misleading view of the threat landscape (cue scary headlines about Cyber Terror). The warning also overlooks the fact that through exercises such as Waking Shark City financial institutions are already collectively testing their incident response and disaster recovery.
Warnings about a Cyber Pearl Harbour have been going on for 15 years or more.
Tomi Engdahl says:
Mozilla, EFF, Cisco back free-as-in-FREE-BEER SSL cert authority
Let’s Encrypt to give HTTPS-everywhere a boost in 2015
http://www.theregister.co.uk/2014/11/18/lets_encrypt_free_digi_certs/
A new certificate authority – backed by big names on the internet including Mozilla, Cisco and Akamai – plans to offer SSL certs at no charge starting next year. The move will make it even easier for people to run encrypted, secure HTTPS websites.
Let’s Encrypt aims to provide an easier way to obtain and use digital cryptographic certificates (TLS) to secure web sites.
Tomi Engdahl says:
Secure Software Needs a Process
http://www.eetimes.com/author.asp?section_id=36&doc_id=1324684&
Processes exist but have yet to be broadly applied for developing reliable and secure software, says Dave Hughes, founder of HCC Embedded.
The steady flow of software security issues making headlines has developed into a torrent. Each case is analyzed and generates similar comments: “If this was tested, or if that check was done, then the issue would not have happened.”
Twenty-twenty hindsight is a very effective tool in working out where you should have stuck your finger in the dam before it burst. After each failure, it is not a difficult job to work out a measure that would have prevented it.
However, after-the-fact band-aiding is not a sustainable approach. If the same methods continue to be used to develop the software, retrospectively adding tests, then there will only be a very modest reduction in the flow of problems.
A sustainable solution — process — is already well known, but the networking industry does not seem ready to adopt it. When something as important as our personal data is at risk, then it would be reasonable to expect that companies using our data develop their software and verify it using a recognizable process.
It is not a coincidence that the complex software controlling an airplane works almost without fail, and yet the relatively simple software that controls the in-seat movie display seems to need reset often. The difference is process — methods that have been well established in aerospace, industrial control, automotive, etc., have yielded fantastic results in terms of safety and reliability.
Traditional methods used to develop software continue to result in high failure rates. These failure rates may not necessarily be significant in some applications, but with security this is not acceptable. Why create insecure security? Why not adopt the same level of care used in safety-related applications for security?
Tomi Engdahl says:
AT&T demands clarity: Are warrants needed for customer cell-site data?
Legal uncertainty surrounds a law compelling disclosure of location information.
http://arstechnica.com/tech-policy/2014/11/att-demands-clarity-are-warrants-needed-for-customer-cell-site-data/
AT&T has entered the legal fracas over whether court warrants are required for the government to obtain their customers’ cell-site location history.
Tomi Engdahl says:
Bang! You’re dead. Who gets the keys to your email, iTunes and Facebook?
Death and the medium
http://www.theregister.co.uk/2014/11/19/death_and_itunes/
Two things in life are certain: death and taxes. Amazon and other international corporations have found ways* around the latter, but no one can avoid the former.
In the age of Facebook and Google accounts, and with the existence of services such as iTunes where people invest considerable sums in entirely virtual goods, the question needs to be asked: What happens to your online profile and assets in the event of your passing?
Social networks are a huge repository of assets – documents and pictures.
There are two parts to dealing effectively with your earthly IT estate: the physical devices and the content of online services. Given the declining cost of hardware, I’d argue the greater value lies in the digital stuff online. Your digital legacy has residual value and it needs to be treated as a valuable asset.
Obtaining access to online accounts of deceased family members has often been a fraught experience.
Google inactive account manager provides a dead-hand mechanism, configurable ahead of time, to allow the contents of an account to either be completely removed or released to up to 10 nominated contacts – assuming they have the required identification for security purposes. To make it crystal clear, your account will not be available for login. Access to the service will not be granted. This process only delivers the content rather than reclaiming the account.
Microsoft’s Outlook.com has no such mechanism. Next of kin can get access to the accounts and have it closed, after proving they have the legal right over the account. No information will be released, though.
Facebook appears to have the most user-friendly policy with regards to working with relatives, and even provides a range of options including memorialising a profile or removing the account.
Effectively, that iCloud contract you neglected to read states that upon death the contract becomes null and void and the account is deleted. No options to retrieve files. This policy is the same with every i-related cloud offering, including iTunes!
Most tech firms running online services have remarkably little time for the dying or deceased.
Tomi Engdahl says:
Security warning: do not ever lend your mobile phone charger!
According to information security pioneer Harri Hursti, USB devices hide a huge security problem, which may require drastic action to stop.
The internationally acclaimed Finnish security expert Harri Hursti gave the Slush audience a warning that would make wide use of this technology difficult.
- Never borrow a mobile phone charger or any other USB device from others, Hursti advises.
Hursti gives such drastic advice because of the huge security issue hiding in USB devices. A USB interface can be found on almost all computers and digital devices, including modern mobile phones, chargers and memory sticks.
According to Hursti, USB devices are basically small programmable computers that can be infected with malware. The danger, Hursti maintains, is that with current technology there is no way even to detect infected USB devices, let alone to clean them.
- We rely blindly on these sticks, which lie to us all the time! We have no way of knowing whether they are infected or not.
Up to half of the available USB devices can be turned into attack tools. An infected USB stick can do different kinds of damage to the machine; for example, an infected flash drive can pretend to be a keyboard and thus give the machine commands.
Source: http://www.iltalehti.fi/digi/2014111918850834_du.shtml
Tomi Engdahl says:
Fake antivirus scams: It’s a $120m business – and alleged ringleaders have just been frozen
FTC, Florida lob sueball at ‘two massive operations’
http://www.theregister.co.uk/2014/11/19/ftc_hits_backers_of_120_meeellion_tech_support_scam/
Two groups of companies accused of raking in $120m from fake antivirus scams have been put on ice by a court.
The Florida-based businesses distributed free software that scanned computers for malware or performance issues. That software would then make bogus or misleading claims that the machines were infected or broken, urging marks to buy a “full” package to repair the damage, US watchdog the FTC claims.
Anyone who bought the full antivirus application would be told by the software to call a toll-free number to activate it – but users would end up on the line to a high-pressure sales team who would bully victims into ordering repairs and other stuff they did not need, the FTC added.
Tomi Engdahl says:
CAPTCHA rapture as ‘thousands’ affected by seven year-old bug
Fix committed for JQuery validation plugin demo script
http://www.theregister.co.uk/2014/11/20/captcha_rapture_as_thousands_affected_by_seven_yearold_bug/
A reflected cross site scripting flaw patched overnight may affect millions of websites due to a seven-year-old flaw in a jQuery validation plugin demo script used for CAPTCHA, Dutch penetration tester Sijmen Ruwhof says.
The “severe” vulnerability appeared to have existed in CAPTCHA since 2007 and could lead to session hijacking through reflected cross-site scripting attacks on exposed sites that used the demo script.
Ruwhof stumbled on the then unpatched flaw in jQuery Validation Plugin during an August client penetration test, which he claimed had not been patched despite his repeat disclosures to different email addresses linked to jQuery maintainers, all of which allegedly fell on deaf ears.
“This security bug seems to have spread to tens of thousands of web sites since its creation,” Ruwhof said in a public disclosure.
jQuery developer Jorn Zaefferer committed a fix overnight.
“The flaw wasn’t in the plugin itself, just in one of the demo files”
Tomi Engdahl says:
GOTCHA: Google caught STRIPPING SSL from BT Wi-Fi users’ searches
Choc Factory to build crypto bridge ‘soon’
http://www.theregister.co.uk/2014/11/20/gotcha_google_caught_stripping_ssl_search_from_bt_wifi_users_searches/
Google’s “encryption everywhere” claim has been undermined by Mountain View stripping secure search functions for BT WiFi subscribers piggy-backing off wireless connections, sysadmin Alex Forbes has found.
The move described as ‘privacy seppuku’ by Forbes (@al4) meant that BT customer searches were broadcast in clear text and possibly open to interception.
Customers were told that the network, rather than the Chocolate Factory, “has turned off SSL search”, a statement Forbes proved to be false.
Tomi Engdahl says:
Meet OneRNG: a fully-open entropy generator for a paranoid age
Kiwis to seek random investors for crowd-funded randomiser
http://www.theregister.co.uk/2014/11/17/meet_onerng_a_fullyopen_entropy_generator_for_a_paranoid_age/
One of the many bits of technology that attracts paranoia in a post-Snowden era is random number generation, and a New Zealand developer hopes to help solve that with an all-open entropy generator.
As often happens in Middle Earth New Zealand these days, Paul Campbell of Moonbase Otago is invoking Tolkien by naming the project OneRNG, but it’s got a dead-serious aim: to deliver better entropy to crypto systems in such a way that users can verify that they’re getting what they expect.
OneRNG contains two sources of entropy, both of them fairly well-established as offering good randomness.
First, there’s an avalanche diode, which generates entropy from the quantum noise of its own operation.
Second, there’s a radio receiver, which Campbell explained to Vulture South picks up noise, of which OneRNG retains the least significant bit, so as “to guard against a third party generating a signal” to try and defeat the randomness of the entropy.
The main game, Campbell said, is the openness of the system: “Before we release it we will not only release the firmware, but the source for all the software, and all the hardware documentation. Anyone can reproduce it, make their own, look at the board, make sure the traces on the board match the traces on the hardware layout, and make sure the layout matches the schematic”, he explained.
Even if spooks intercepted a unit between Moonbase Otago and the user, the customer would be able to detect any changes. If people are going to do their own crypto, they have to verify everything, he said: “nobody should trust me”.
OneRNG
http://onerng.info/
The OneRNG is a project to create a reliable and open hardware random number generator – one that can be verified by the user and can be trusted.
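The comment above describes two design points of an entropy source: keeping only the least significant bit of a noisy receiver so that an injected signal (which dominates the high bits) is discarded, and being able to verify what the device produces. The following is an added example, not OneRNG's firmware or any code from the project: it constructs simulated 8-bit sampler readings (a slow, strong square-wave "signal" on the high bits plus a couple of bits of noise), shows with a first-order conditional-entropy estimate that the high bit is predictable while the low bit is not, and runs the SP 800-90B repetition count health test that a consumer of such a device would apply to catch a stuck source. The sample data, the cutoff parameters and the helper names are all assumptions made for the illustration.

```python
"""Added example (not OneRNG code): LSB extraction from a noisy sampler plus a
basic entropy-source health check. All sample data below is constructed."""
import math
import random
from collections import Counter
from typing import Dict, List


def constructed_samples(n: int = 4096, seed: int = 1) -> List[int]:
    """Constructed 8-bit readings: a strong, slowly varying 'injected signal'
    on the high bits (the kind of thing a third party could transmit) plus two
    bits of simulated noise. Not data from real hardware."""
    rng = random.Random(seed)
    out = []
    for i in range(n):
        carrier = 0xC0 if (i // 64) % 2 else 0x40   # square wave, flips every 64 samples
        noise = rng.getrandbits(2)                   # unpredictable low bits
        out.append(carrier | noise)
    return out


def bit_plane(samples: List[int], bit: int) -> List[int]:
    """Extract one bit position from every sample (bit 0 is what OneRNG keeps)."""
    return [(s >> bit) & 1 for s in samples]


def conditional_entropy(bits: List[int]) -> float:
    """Estimate H(X_i | X_{i-1}) in bits from bigram counts. A slowly varying
    signal scores near 0 (next bit is predictable); noise scores near 1."""
    pairs = Counter(zip(bits, bits[1:]))
    prev = Counter(bits[:-1])
    total = len(bits) - 1
    h = 0.0
    for (a, b), count in pairs.items():
        h -= (count / total) * math.log2(count / prev[a])
    return h


def repetition_count_cutoff(min_entropy_per_sample: float, alpha_log2: int = 20) -> int:
    """SP 800-90B section 4.4.1 repetition count test cutoff:
    C = 1 + ceil(-log2(alpha) / H), with alpha = 2^-20 by default."""
    return 1 + math.ceil(alpha_log2 / min_entropy_per_sample)


def repetition_count_test(bits: List[int], cutoff: int) -> bool:
    """Health test: fail (False) if any value repeats 'cutoff' or more times in
    a row, which is the signature of a stuck or disconnected noise source."""
    run, last = 0, None
    for b in bits:
        run = run + 1 if b == last else 1
        last = b
        if run >= cutoff:
            return False
    return True


def pack_bits(bits: List[int]) -> bytes:
    """Pack the retained bits into bytes, most significant bit first."""
    usable = len(bits) - len(bits) % 8
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, usable, 8))


def analyse(samples: List[int]) -> Dict[str, float]:
    """Compare the predictability of the top bit and the bottom bit, and run the
    health test on the retained LSB stream and on a deliberately stuck stream."""
    cutoff = repetition_count_cutoff(1.0)  # we assume ~1 bit of min-entropy per kept bit
    lsb = bit_plane(samples, 0)
    return {
        "msb_conditional_entropy": conditional_entropy(bit_plane(samples, 7)),
        "lsb_conditional_entropy": conditional_entropy(lsb),
        "lsb_health_ok": repetition_count_test(lsb, cutoff),
        "stuck_source_health_ok": repetition_count_test([1] * 64, cutoff),
        "bytes_retained": len(pack_bits(lsb)),
    }


if __name__ == "__main__":
    for key, value in analyse(constructed_samples()).items():
        print(f"{key}: {value}")
```

Read the two conditional-entropy figures side by side: the high bit carries the injected signal and is almost entirely predictable from its predecessor, while the retained low bit is not, which is exactly why discarding everything but the LSB blunts a transmitted signal. The repetition count test is the kind of continuous check a host should run on any hardware RNG before feeding its output into a pool, independent of how much it trusts the vendor.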
Tomi Engdahl says:
Android Botnet Evolves, Could Pose Threat To Corporate Networks
http://it.slashdot.org/story/14/11/19/2315241/android-botnet-evolves-could-pose-threat-to-corporate-networks
An Android Trojan program that’s behind one of the longest running multipurpose mobile botnets has been updated to become stealthier and more resilient.
Long-running Android botnet evolves, could pose threat to corporate networks
http://www.computerworld.com.au/article/560036/long-running-android-botnet-evolves-could-pose-threat-corporate-networks/
The ‘NotCompatible’ Android Trojan now uses peer-to-peer encrypted communication, researchers from Lookout said
An Android Trojan program that’s behind one of the longest running multipurpose mobile botnets has been updated to become stealthier and more resilient.
The botnet is mainly used for instant message spam and rogue ticket purchases, but it could be used to launch targeted attacks against corporate networks because the malware allows attackers to use the infected devices as proxies, researchers from security firm Lookout said.
Dubbed NotCompatible, the mobile Trojan was discovered in 2012 and was the first Android malware to be distributed as a drive-by download from compromised websites.
Tomi Engdahl says:
Google Removes SSLv3 Fallback Support From Chrome
http://threatpost.com/google-removes-sslv3-fallback-support-from-chrome/109455
Google has released Chrome 39, fixing 42 security vulnerabilities and removing support for the fallback to SSLv3, the component that was the target of the POODLE attack revealed last month.
When the POODLE attack was disclosed by several Google researchers in October, the company said that it had added a change to Chrome that would disable SSLv3 fallback. The technique involves an attacker forcing a server to fall back from a modern version of SSL/TLS to the older SSLv3 and then decrypting the protected traffic by sending a high volume of requests to the server. The company plans to disable support for SSLv3 altogether at some point in the near future.
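The comment above refers to "SSLv3 fallback": a client that, after a failed handshake, retries with an older protocol version. The following is an added example, not code from Chrome, Google or the article: a toy model of version negotiation in which an on-path adversary simply tears down handshakes that offer anything newer than SSLv3. It shows that a falling-back client ends up on SSLv3, that a client without fallback (the Chrome 39 behaviour) fails closed instead, and that a server which refuses SSLv3 outright also stops the downgrade. The version list, the client/server/network functions and their parameters are simplifications for the illustration, not real TLS implementations.

```python
"""Added example: toy model of protocol-version fallback and why removing it
(or refusing SSLv3 on the server) closes the downgrade path. Not real TLS code."""
from typing import Callable, Optional

# Protocol versions from oldest to newest; index doubles as a strength rank.
VERSIONS = ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2"]

Network = Callable[[str], Optional[str]]


def rank(version: str) -> int:
    return VERSIONS.index(version)


def server_response(server_min: str, server_max: str, offered: str) -> Optional[str]:
    """Normal negotiation: the server picks the highest version both sides
    support, or refuses (None) when the offer is below its configured floor."""
    if rank(offered) < rank(server_min):
        return None
    return VERSIONS[min(rank(offered), rank(server_max))]


def honest_network(offered: str) -> Optional[str]:
    """Benign path: the ClientHello arrives unchanged."""
    return offered


def dropping_network(max_allowed: str) -> Network:
    """Hostile on-path position modelled as in the article: any handshake
    offering a version newer than max_allowed is torn down, so a client that
    falls back keeps retrying with ever older versions."""
    def deliver(offered: str) -> Optional[str]:
        return offered if rank(offered) <= rank(max_allowed) else None
    return deliver


def connect(client_max: str, server_min: str, server_max: str,
            network: Network, allow_fallback: bool) -> Optional[str]:
    """Return the negotiated version, or None if the client fails closed.

    allow_fallback=True is the behaviour Chrome 39 removed: on a failed
    handshake the client retries with the next lower protocol version.
    """
    offered = client_max
    while True:
        delivered = network(offered)
        negotiated = server_response(server_min, server_max, delivered) if delivered else None
        if negotiated is not None:
            return negotiated
        if not allow_fallback or rank(offered) == 0:
            return None  # fail closed rather than weaken the connection
        offered = VERSIONS[rank(offered) - 1]  # the insecure retry step


if __name__ == "__main__":
    mitm = dropping_network("SSLv3")
    print("honest network, fallback on   :", connect("TLSv1.2", "SSLv3", "TLSv1.2", honest_network, True))
    print("hostile network, fallback on  :", connect("TLSv1.2", "SSLv3", "TLSv1.2", mitm, True))
    print("hostile network, fallback off :", connect("TLSv1.2", "SSLv3", "TLSv1.2", mitm, False))
    print("hostile network, server refuses SSLv3:", connect("TLSv1.2", "TLSv1.0", "TLSv1.2", mitm, True))
```

Two independent fixes appear in the runs: the client-side one (no fallback, so a dropped handshake stays a failure) and the server-side one (a floor above SSLv3, so even a falling-back client cannot land there). Either alone is enough to block this particular downgrade, which is why both browser vendors and server operators moved on SSLv3 after POODLE.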
Tomi Engdahl says:
Google Play Services Update Adds Trusted Places Feature To Lollipop’s Smart Lock
http://www.androidpolice.com/2014/11/18/google-play-services-update-adds-trusted-places-feature-to-lollipops-smart-lock/
Smart Lock in Lollipop encompasses both trusted face and trusted devices, but a new option is joining the party—trusted places. The latest Google Play Services for Lollipop devices is adding this option to the menu automagically. Just choose a trusted place, and your phone will remain unlocked when it’s in that geographic area.
Just like when you use a trusted Bluetooth device connection, trusted location bypasses the secure lock screen, but in this case when the device is within a few dozen meters of the chosen location. You can set multiple locations as well.
Tomi Engdahl says:
Yet more NSA officials whisper of an internal revolt over US spying. And yet it still goes on
Drake, Binney, Snowden were not alone, report reminds us
http://www.theregister.co.uk/2014/11/20/claim_nsa_unrest_went_back_years_before_snowden/
The NSA’s snooping programs aren’t just controversial to the public, it seems: we’re reminded other staff at the US agency also objected to prying into Americans’ phone records.
A group of executives, led by a senior official, revolted over the surveillance of US citizens – but failed to change President Obama’s policy on spying, an Associated Press exclusive claims, citing anonymous NSA employees past and present.
Tomi Engdahl says:
Advanced Variant of “NotCompatible” Android Malware a Threat to Enterprises
http://www.securityweek.com/advanced-variant-notcompatible-android-malware-threat-enterprises
Mobile security firm Lookout has been monitoring the evolution of the Android Trojan dubbed “NotCompatible”, and they say the latest version of the malware is sophisticated enough to pose a threat to protected enterprise networks.
NotCompatible.A, which researchers discovered in 2012, acted as a proxy on infected devices, but it didn’t cause any direct damage. The mobile malware’s authors did not use a complex command and control (C&C) architecture and communications were not encrypted, making it easy for security solutions to detect its activities.
The latest version of the threat, NotCompatible.C, is far more complex. According to Lookout, the authors have made it more difficult to detect and resilient to takedowns by implementing features usually found in mature PC-based malware.
The malware’s authors have also started encrypting all C&C and proxied traffic, making it difficult for network security solutions to identify the malicious traffic. Furthermore, public key cryptography is used for mutual authentication between C&C servers and clients.
NotCompatible.C is distributed through spam campaigns and compromised websites.
Tomi Engdahl says:
CipherCloud Lands $50 Million To Protect All Things Cloud
http://www.securityweek.com/ciphercloud-lands-50-million-protect-all-things-cloud
Cloud security firm CipherCloud today announced that it has closed a massive $50 million round of funding led by Transamerica Ventures.
According to the company, the new funds will be used to fuel its go-to-market activities, support international growth in Europe and Asia Pacific, drive the enterprise adoption of CipherCloud’s cloud security platform, and support product development.
CipherCloud’s platform provides cloud application discovery and risk assessment, data protection, searchable strong encryption, tokenization, data loss prevention, key management and malware detection, and user activity and anomaly monitoring services.
CipherCloud’s cloud encryption and tokenization gateways allow enterprises to securely use cloud applications by securing sensitive data in real-time before it is sent to the cloud—without requiring any changes to the cloud application.
Tomi Engdahl says:
Secure Software Needs a Process
http://www.eetimes.com/author.asp?section_id=36&doc_id=1324684&
Processes exist but have yet to be broadly applied for developing reliable and secure software, says Dave Hughes, founder of HCC Embedded.
Tomi Engdahl says:
New tool for spy victims to detect government surveillance
http://amnesty.org/en/news/new-tool-spy-victims-detect-government-surveillance-2014-11-20
A new tool to enable journalists and human rights defenders to scan their computers for known surveillance spyware has been released today by Amnesty International and a coalition of human rights and technology organizations.
Detekt is the first tool to be made available to the public that detects major known surveillance spyware, some of which is used by governments, in computers.
“Governments are increasingly using dangerous and sophisticated technology that allows them to read activists and journalists’ private emails and remotely turn on their computer’s camera or microphone to secretly record their activities. They use the technology in a cowardly attempt to prevent abuses from being exposed,” said Marek Marczynski, Head of Military, Security and Police at Amnesty International.
“Detekt is a simple tool that will alert activists to such intrusions so they can take action. It represents a strike back against governments who are using information obtained through surveillance to arbitrarily detain, illegally arrest and even torture human rights defenders and journalists.”
Detekt
https://resistsurveillance.org/
Detekt is a free tool that scans your Windows computer for traces of known surveillance spyware used to target and monitor human rights defenders and journalists around the world.
Tomi Engdahl says:
Amnesty launches Detekt tool to scan for state spyware on phones and PCs
Human rights group says software represents ‘a strike back against governments’ over covert surveillance
http://www.theguardian.com/world/2014/nov/20/amnesty-launches-detekt-app-scan-for-spyware
Tomi Engdahl says:
HALF A BILLION TERRORISTS: WhatsApp encrypts ALL its worldwide jabber
Default set to keep texts from prying eyes
http://www.theregister.co.uk/2014/11/18/whatsapp_encryption/
WhatsApp has announced that it will encrypt all its 600m users’ text messages by default, which is a serious stride forward for privacy – and one which will no doubt be criticised by spooks and police worldwide.
The rollout, announced today, was described by the app maker as the “largest deployment of end-to-end encryption ever.” The feature will, it’s hoped, safeguard messages from eavesdroppers by encrypting chats between people.
There are limits to Facebook-owned WhatsApp’s end-to-end encryption. So far, it only covers text messaging (as opposed to group messages or pictures), it only works on Android, and it remains open to potential man-in-the-middle attacks because there’s no way to verify the identity of the person you’re messaging.
Tomi Engdahl says:
After USA FREEDOM Act’s failure, what’s next for mass surveillance?
Patriot Act foes could be in for a disappointment
http://www.theregister.co.uk/2014/11/20/after_usa_freedom_acts_failure_what_next_for_mass_surveillance/
This week the US Senate failed to get the required 60 votes to beat a Republican filibuster on the USA FREEDOM Act, which would have instituted mild controls on the bulk collection of communications data on American citizens.
Tomi Engdahl says:
A life of cybercrime, a caipirinha and a tan: Fraudsters love a Brazilian
School of Crooks in South America
http://www.theregister.co.uk/2014/11/20/brazil_cybercrime_training/
Brazil is the only market that offers training services for cybercriminal wannabes, making it possible to start a new career in cybercrime for just $500.
Training modules, hands-on exercises, interactive guides, instructional videos, as well as post-training support are available, according to a new report on the Brazilian cybercrime underground by Trend Micro. Cybercrime teachers in the soccer-loving, Samba-loving South American nation offer FUD (fully undetectable) crypter programming and fraud training through a combination of how-to videos and support services via Skype.
Cybercriminals continued to take advantage of Brazil’s high online and mobile banking penetration to turn a dishonest buck.
Tomi Engdahl says:
Peeping Toms are INSIDE YOUR HOUSE. Time to secure your webcam?
Backdoor to your back door
http://www.theregister.co.uk/2014/11/20/insecure_webcam_peeping_tom_threat/
UK data privacy watchdog the ICO is warning people to secure their web cams and change default passwords.
The warning follows the creation of a website that allows voyeurs to watch live footage from insecure cameras located around the world. The website, which is based in Russia, accesses the information by using the default login credentials, which are freely available online, for thousands of cameras.
The particular site – insecam.cc – at the centre of the security flap claims it has been set up in order to show the importance of the security settings. “To remove your public camera from this site and make it private the only thing you need to do is to change your camera default password,” it states.
Tomi Engdahl says:
You think the CLOUD’s insecure? It’s BETTER than UK.GOV’s DATA CENTRES
We don’t even know where some of them ARE – Maude
http://www.theregister.co.uk/2014/11/20/cloud_more_secure_than_government_datacentres_says_maude/
Doing business in the cloud is more secure than owning your own data centre, Cabinet Office minister Francis Maude has claimed.
Speaking at the Cyber Security Summit 2014 in London, he said: “Doing things in the cloud is more secure than doing [it] ourselves. It is comforting to know where your data centres are – although in government we don’t always. But actually cloud providers live or die by their cloud security.”
However, that is not the widespread perception, he said.
On the question of whether most lengthy government contracts predate modern cyber security threats, and consequently have inadequate security provisions, he said additional protection is being built in.
“Often contracts are too big and long.”
The government has set aside £860m in its five-year National Cyber Security Programme, which is intended to develop the UK’s resilience to cyber attacks.
Tomi Engdahl says:
Encryption and Storage Performance in Android 5.0 Lollipop
by Brandon Chester & Joshua Ho on November 20, 2014 8:00 AM EST
http://www.anandtech.com/show/8725/encryption-and-storage-performance-in-android-50-lollipop
Tomi Engdahl says:
YOU are the threat: True confessions of real-life sysadmins
Who will save the systems from the men and women who save the systems from you?
http://www.theregister.co.uk/2014/11/19/the_enemy_within/
Some sysadmins will go to extremes to secure a network, viewing it (wrongly) as their property.
For proof, look no further than Terry Childs, the City of San Francisco sysadmin who lost his job and subsequently refused to give over the system’s virtual keys to his superiors in 2008.
It took just under a million dollars, several weeks, and the concerted efforts of several equipment vendors to put things right.
Childs had configured the equipment (predominantly Cisco) so securely that not only did no other administrator have rights to the switches and routers, but configs were not saved – so any power loss or attempt to reboot the switch or router into recovery mode would not work.
“One admin said that given the right amount, he would compromise the system. Interestingly, the administrator stated that the amount had to be big enough so that they would not have to work again. This decision was based on the fact no one would ever employ them again.”
“Some bigger companies now implement more stringent background checks including financial screening and crime screening. The general view on these checks is that they have limited use.”
Tomi Engdahl says:
Greenwald Advises Market-Based Solution To Mass Surveillance
http://news.slashdot.org/story/14/11/21/0016226/greenwald-advises-market-based-solution-to-mass-surveillance
In his latest Intercept piece Glenn Greenwald considers the recent defeat of the Senate’s USA Freedom Act. He remarks that governments “don’t walk around trying to figure out how to limit their own power.” Instead of appealing to an allegedly irrelevant Congress Greenwald advocates utilizing the power of consumer demand to address the failings of cyber security.
Congress Is Irrelevant on Mass Surveillance. Here’s What Matters Instead.
https://firstlook.org/theintercept/2014/11/19/irrelevance-u-s-congress-stopping-nsas-mass-surveillance/
The boredom of this spectacle was simply due to the fact that this has been seen so many times before—in fact, every time in the post-9/11 era that the U.S. Congress pretends publicly to debate some kind of foreign policy or civil liberties bill. Just enough members stand up to scream “9/11” and “terrorism” over and over until the bill vesting new powers is passed or the bill protecting civil liberties is defeated.
So watching last night’s Senate debate was like watching a repeat of some hideously shallow TV show. The only new aspect was that the aging Al Qaeda villain has been rather ruthlessly replaced by the show’s producers with the younger, sleeker ISIS model.
There is a real question about whether the defeat of this bill is good, bad, or irrelevant.
All of that illustrates what is, to me, the most important point from all of this: the last place one should look to impose limits on the powers of the U.S. government is . . . the U.S. government. Governments don’t walk around trying to figure out how to limit their own power, and that’s particularly true of empires.
The entire system in D.C. is designed at its core to prevent real reform.
Ever since the Snowden reporting began and public opinion (in both the U.S. and globally) began radically changing, the White House’s strategy has been obvious. It’s vintage Obama: Enact something that is called “reform”—so that he can give a pretty speech telling the world that he heard and responded to their concerns—but that in actuality changes almost nothing, thus strengthening the very system he can pretend he “changed.” That’s the same tactic as Silicon Valley, which also supported this bill: Be able to point to something called “reform” so they can trick hundreds of millions of current and future users around the world into believing that their communications are now safe if they use Facebook, Google, Skype and the rest.
But it has been clear from the start that U.S. legislation is not going to impose meaningful limitations on the NSA’s powers of mass surveillance, at least not fundamentally. Those limitations are going to come from—are now coming from—very different places:
1) Individuals refusing to use internet services that compromise their privacy.
2) Other countries taking action against U.S. hegemony over the internet.
3) U.S. court proceedings. A U.S. federal judge already ruled that the NSA’s domestic bulk collection program likely violates the 4th Amendment
4) Greater individual demand for, and use of, encryption.
Tomi Engdahl says:
HP, Symantec PAIR UP to fight off disaster cloud rivals
DRaaS set to appear late next year
http://www.theregister.co.uk/2014/11/21/hp_symantec_ready_to_fight_disaster_clouds/
HP and Symantec are partnering to develop a cloud-based Disaster Recovery as a Service (DRaaS) offering using Symantec software and HP’s Helion cloud.
This DRaaS software will run on HP’s Helion OpenStack-based cloud environment with HP providing the end-to-end service based on underlying disaster recovery facilities, infrastructure, and operations team.
The two say their DRaaS system will monitor the most widely used applications and databases in the market and support “replication, recovery and automated failover/failback of client IT whether it’s traditional IT on-premises, managed cloud, private cloud, or public cloud”.
It will support “industry specific client standards for disaster recovery, such as PCI in the retail industry, HIPAA in the healthcare industry, or FedRAMP and FISMA in the US public sector”. There will be recovery SLAs for systems and application
Tomi Engdahl says:
Facebook’s plain English data policy: WE’LL SELL YOU LIKE A PIG at a fair
All the rest is just waffle
http://www.theregister.co.uk/2014/11/13/facebook_plain_english_privacy/
Facebook hasn’t actually changed its fine print outside of a few minor tweaks that it has already announced – a proposed new version is here. The new “privacy basics” web page is an attempt to paper over that scary language.
Tomi Engdahl says:
Microsoft Releases Emergency Security Update
http://krebsonsecurity.com/2014/11/microsoft-releases-emergency-security-update/
Microsoft today deviated from its regular pattern of releasing security updates on the second Tuesday of each month, pushing out an emergency patch to plug a security hole in all supported versions of Windows. The company urged Windows users to install the update as quickly as possible, noting that miscreants already are exploiting the weaknesses to launch targeted attacks.
The update (MS14-068) addresses a bug in a Windows component called Microsoft Windows Kerberos KDC, which handles authenticating Windows PCs on a local network. It is somewhat less of a problem for Windows home users (it is only rated critical for server versions of Windows) but it poses a serious threat to organizations. According to security vendor Shavlik, the flaw allows an attacker to elevate domain user account privileges to those of the domain administrator account.
The patch is one of two that Microsoft had expected to release on Patch Tuesday earlier this month, but unexpectedly pulled at the last moment.
Tomi Engdahl says:
Nov 14
Link Found in Staples, Michaels Breaches
http://krebsonsecurity.com/2014/11/link-found-in-staples-michaels-breaches/
The breach at office supply chain Staples impacted roughly 100 stores and was powered by some of the same criminal infrastructure seen in the intrusion disclosed earlier this year at Michaels craft stores, according to sources close to the investigation.
Multiple banks interviewed by this author say they’ve received alerts from Visa and MasterCard about cards impacted in the breach at Staples, and that to date those alerts suggest that a subset of Staples stores were compromised between July and September 2014.
Tomi Engdahl says:
Network Hijackers Exploit Technical Loophole
http://krebsonsecurity.com/2014/11/network-hijackers-exploit-technical-loophole/
Spammers have been working methodically to hijack large chunks of Internet real estate by exploiting a technical and bureaucratic loophole in the way that various regions of the globe keep track of the world’s Internet address ranges.
According to several security and anti-spam experts who’ve been following this activity, Mega-Spred and the other hosting provider in question (known as Kandi EOOD) have been taking advantage of an administrative weakness in the way that some countries and regions of the world keep tabs on the IP address ranges assigned to various hosting providers and ISPs.
This is a complex problem to be sure, but I think this story is a great reminder of two qualities about Internet security in general that are fairly static (for better or worse): First, much of the Internet works thanks to the efforts of a relatively small group of people who work very hard to balance openness and ease-of-use with security and stability concerns. Second, global Internet address routing issues are extraordinarily complex — not just in technical terms but also because they also require coordination and consensus between and among multiple stakeholders with sometimes radically different geographic and cultural perspectives. Unfortunately, complexity is the enemy of security, and spammers and other ne’er-do-wells understand and exploit this gap as often as possible.
Tomi Engdahl says:
Nov 14
‘Microsoft Partner’ Claims Fuel Support Scams
http://krebsonsecurity.com/2014/11/microsoft-partner-claims-fuel-support-scams/
You can’t make this stuff up: A tech support company based in the United States that outsources its work to India says its brand is being unfairly maligned by — wait for it…..tech support scammers based in India. In an added twist, the U.S.-based tech support firm acknowledges that the trouble may be related to its admittedly false statements about being a Microsoft Certified Partner — the same false statements made by most telephone-based tech support scams.
Tech support scams are, unfortunately, an extremely common scourge. Most such scams are the telephonic equivalent of rogue antivirus attacks, which try to frighten consumers into purchasing worthless security software and services. Both types of scams try to make the consumer believe that the caller is somehow associated with Microsoft or with a security company, and each caller tries to cajole or scare the consumer into giving up control over his or her PC.
Tomi Engdahl says:
Spy cable revealed: how telecoms firm worked with GCHQ
http://www.channel4.com/news/spy-cable-revealed-how-telecoms-firm-worked-with-gchq
One of the UK’s largest communications firms had a leading role in creating the surveillance system exposed by Edward Snowden, it can be revealed.
Cable and Wireless even went as far as providing traffic from a rival foreign communications company, handing information sent by millions of internet users worldwide over to spies.
The firm, which was bought by Vodafone in July 2012, was part of a programme called Mastering the Internet, under which British spies used private companies to help them gather and store swathes of internet traffic; a quarter of which passes through the UK. Top secret documents leaked by the whistleblower Edward Snowden and seen by Channel 4 News show that GCHQ developed what it called “partnerships” with private companies under codenames. Cable and Wireless was called Gerontic.
Tomi Engdahl says:
UK moves to shut down Russian hackers streaming live British webcam footage
http://www.theguardian.com/technology/2014/nov/20/webcam-hackers-watching-you-watchdog-warns
UK to take action to close down Russian website streaming images from British webcams including baby monitors and those in gyms and bedrooms
The UK is to take international action to close down a Russian website that is streaming images from British webcams including baby monitors, bedroom cameras and gym CCTV.
The site features live feeds from households and businesses across the world
Graham said the site highlighted the importance of setting secure passwords on devices that have access to the internet.
Graham said consumers were too complacent about security. “We have got to grow up about this sort of thing,” he said. “These devices are very handy if you want to have remote access to make sure your child is OK, or the shop is alright, but everyone else can access that too unless you set a strong password. This isn’t just the boring old information commissioner saying ‘set a password’. This story is an illustration of what happens if you don’t do that. If you value your privacy, put in the basic security arrangements. It’s not difficult.”
Tomi Engdahl says:
Q&A: Who is watching my home webcam?
http://www.theguardian.com/technology/2014/nov/20/webcam-russians
The UK data protection watchdog warns that thousands of insecure CCTV cameras and baby monitors are broadcasting their streams to the internet without the owners’ knowledge