Security trends for 2014

2014 will be a year of cybersecurity fallout from the NSA revelations of 2013. The headline news is that the NSA has surreptitiously “burrowed its way into nearly all the security architecture” sold by the world’s largest computer networking companies. A lot of people were shocked at how much of the Internet the NSA monitored and hacked. There will still be NSA aftershocks as new material comes out and different parties react to it (and news sources write about it). U.S. cloud services have been put into question for good reason. There will be a lot of NSA spying litigation. The spying issues will also fuel some hacktivism (it has already started to happen).

The Security Professionals: Top Cyber Threat Predictions for 2014 article lists the following predictions, which seem pretty probable: Cybersecurity Regulatory Efforts Will Spark Greater Need for Harmonization, Service-Impacting Interruptions for Online Services Will Persist, We Will See an Increase in Cybercrime Activity Related to the World Cup, Rise of Regional Cloud Services, Dev-Ops Security Integration Fast Becoming Critical, Cybercrime that Leverages Unsupported Software will Increase, Increase in Social Engineering and Ransomware will Impact More People.

Ubiquitous mobile computing is all around us, which will lead to increased risks and concerns about social network privacy. Social networks have quickly become the key organizing principle of Internet communication and collaboration. Android anti-virus apps can’t kill malware on sight like desktop AV can, because they run as ordinary sandboxed apps without the privileges needed to remove other apps.

2013 was a very hacked year, with many cases where information on millions or tens of millions of users was stolen from companies. It’s likely that we will see much more of the same in 2014, since the way people use passwords and the way on-line services are built have not changed much in one year.


Gartner predicts that through 2014, improved JavaScript performance will begin to push HTML5 and the browser as a mainstream enterprise application development environment. I expect HTML5-related security issues to increase as the technology gets used more in 2014.

Over half of the net traffic to web sites is made by bots! The More Than Half of Internet Traffic Is Just Bots article says that security and cloud service provider Incapsula analyzed traffic and found that more than 60 percent of internet traffic is computer generated, compared to less than 40 percent driven by human clicks. 31% of bots are malicious. SEO link building has always been a major motivation for automated link spamming, but it is decreasing because Google has been able to discourage it. There is also more advanced hacking and automated vulnerability scanning.

DDoS attacks are evolving from volumetric Layer 3-4 attacks to much more sophisticated and dangerous Layer 7 multi-vector threats.
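A Layer 7 flood looks like legitimate traffic packet by packet; what gives it away is the request pattern per client, in particular how many expensive application requests one source makes in a short window. The following is an added example, not code from the original post: it parses Combined Log Format access-log lines and keeps a sliding window of weighted request cost per client IP. The sample log, the per-endpoint cost weights, the window size and the budget are constructed assumptions for illustration.

```python
"""Flag a Layer 7 (HTTP) flood in web-server access logs.

Added example, not code from the original post. It parses Combined Log Format
lines and keeps a sliding window of weighted request cost per client IP, so a
client sending many cheap-looking requests to an expensive endpoint (the
application-layer pattern behind L7 floods) stands out while a normal visitor
does not. The sample log, endpoint costs, window and budget are constructed
assumptions for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Relative cost of serving each path (assumption): search hits the database,
# static pages are cheap. Unknown paths get DEFAULT_COST.
ENDPOINT_COST = {"/search": 10.0, "/login": 5.0, "/": 1.0}
DEFAULT_COST = 1.0


def parse_line(line):
    """Return (ip, timestamp, path-without-query) or None for a malformed line."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("path").split("?", 1)[0]


def detect_l7_flood(lines, window=timedelta(seconds=10), budget=60.0):
    """Return {ip: peak weighted cost} for clients whose cost inside any
    `window` exceeds `budget`. Per-IP deques hold (timestamp, cost) pairs."""
    windows = defaultdict(deque)
    cost_sum = defaultdict(float)
    offenders = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip junk rather than let a malformed line stop detection
        ip, ts, path = parsed
        cost = ENDPOINT_COST.get(path, DEFAULT_COST)
        q = windows[ip]
        q.append((ts, cost))
        cost_sum[ip] += cost
        while q and ts - q[0][0] > window:  # evict entries that fell out of the window
            cost_sum[ip] -= q.popleft()[1]
        if cost_sum[ip] > budget:
            offenders[ip] = max(offenders.get(ip, 0.0), cost_sum[ip])
    return offenders


def sample_log():
    """Constructed sample: one ordinary visitor and one client hammering /search."""
    base = datetime(2014, 11, 26, 12, 0, 0, tzinfo=timezone.utc)

    def entry(ip, offset_s, path):
        ts = (base + timedelta(seconds=offset_s)).strftime("%d/%b/%Y:%H:%M:%S %z")
        return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512'

    visitor = [entry("198.51.100.4", 3 * i, p) for i, p in enumerate(["/", "/search?q=a", "/"])]
    flood = [entry("203.0.113.7", i / 4, f"/search?q={i}") for i in range(20)]
    return visitor + flood + ["garbage line that does not parse"]


if __name__ == "__main__":
    for ip, peak in detect_l7_flood(sample_log()).items():
        print(f"{ip}: peak weighted cost {peak:.0f} in window")
```

Weighting by endpoint cost rather than counting raw requests is the point: twenty searches in five seconds trip the budget, while twenty fetches of a static page would not, which is closer to how an application actually suffers under an L7 flood than a packet-rate threshold is.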

There will still be many SCADA security issues in 2014. Even though traditional SCADA vulnerabilities have become easier to find, the increased connectivity brought by IoT will cause new issues. And there will still be very many control systems openly accessible from the Internet to practically anybody who knows how to look for them. A large number of SCADA systems were found open on the Internet at the beginning of 2013, and the numbers have not dropped considerably during the year. I expect that very many of those systems will still be too open at the end of 2014.

The Internet is expanding into enterprise assets and consumer items such as cars and televisions. The Internet of Things (IoT) will evolve into the Web of Things, increasing the coordination between things in the real world and their counterparts on the Web. There will be many security issues to solve, and as these systems become more widely used, more security issues will be found in them.

Cloud security will be talked about. Hopefully there will be some clean-up of the terminology in that area, because “cloud security” can mean a lot of things, just like the term “cloud computing”. Cloud security could mean how secure your cloud provider is, a service running in the cloud that filters what passes through it (for example e-mail or web traffic), a product protecting some service that runs in the cloud, or a traditional anti-virus product that connects to the cloud to improve its operation (for example real-time updates, or verifying unknown programs against data in the cloud). Research firm Gartner forecasts that cloud security sales will increase dramatically in the next few years, from $2.1 billion in 2013 to $3.1 billion in 2015.

Marketers put the “cloud” term into security product brochures as much as they can. Cloud makes traditional information security sound old-fashioned, because companies are under pressure to move services to the cloud. Mobile devices and dispersed users also set new requirements for information security. OpenDNS CTO Dan Hubbard says that “because the data and the devices run in the cloud, the cloud is the best way to protect users.” The Snowden Effect will also bring PRIVATE cloud talk to the table this year for security reasons, because U.S. cloud services have been put into question for good reason.

In Finland a new Cyber Security Center started in the beginning of 2014. Security articles and warnings from it will be published at kyberturvallisuuskeskus.fi.

Late addition: crypto-currencies like Bitcoin and similar are on the rise. Early adopters already use them actively. Those crypto-currencies have many security issues related to them. Their values vary quite a lot, and the value easily drops considerably once they get used so much that governments try to limit their use. Bitcoin is increasingly used as a ransomware payment method. Bitcoins have been stolen quite a lot lately (and I expect that to increase as usage increases), from users, from on-line wallets and from exchanges. When more money is involved, more bad guys try to get a piece of it. Sometimes the bad guys do not try to steal your money, but use resources you pay for (your own PC, your server capacity, etc.) to mine coins for them without you knowing about it. If you plan to use crypto-currencies, be careful to understand what you are doing with them: there is a real possibility that you can lose your money, and there is no way that lost money can be recovered.

3,382 Comments

  1. Tomi Engdahl says:

    UK cops: Give us ONE journo’s phone records. Vodafone: Take the WHOLE damn database!
    Telco spaffed info on 1,700 staffers, watchdog says
    http://www.theregister.co.uk/2014/11/26/met_police_we_need_a_phone_record_vodafone_take_the_whole_database/

    Blundering Vodafone leaked the phone records of 1,760 Brit journalists and their colleagues to London’s Met Police, a UK watchdog confirmed on Tuesday.

    The cops had used surveillance laws to demand information on one particular journo’s calls.

    But after realizing Vodafone had instead handed over a huge cache of information, the capital’s plod used the files to build up a picture of everyone the hacks had called over three years, it’s reported.

    The journalists in question worked for News UK, publisher of The Sun and The Times, which on Tuesday night announced that Scotland Yard had obtained hundreds of staffers’ outgoing-call records from Vodafone – which provides the Rupert Murdoch-run publisher’s comms.

    Reply
  2. Tomi Engdahl says:

    Why did it take antivirus giants YEARS to drill into super-scary Regin? Symantec responds…
    FYI this isn’t just going to target Windows, Linux and OS X fans
    http://www.theregister.co.uk/2014/11/26/symantec_explains_why_regin_fingering_took_so_long_and_who_its_coming_for_next/

    After Symantec published its report on the Regin super-spyware, there were many questions raised. Who coded it? What can it do? And – above all – why did it take so long for security vendors to notice it?

    Regin is a sophisticated piece of software. It can be customized for particular missions by inserting into its framework plugins that provide individual bits of functionality. If a copy is captured, only parts of the malware are revealed rather than its full capabilities.

    It uses multiple levels of encryption to obfuscate itself, hides itself on disk, and runs at the kernel level to stay out of sight. It can eavesdrop on network traffic and infiltrate mobile phone networks. On the face of it, Regin should have set alarm bells ringing much sooner when it was first detected in the wild.

    It was injected into systems at Belgian telecoms outfit Belgacom around 2010, and builds of the spyware are said to have been floating around for years – since 2011, 2008 or 2004 depending on which antivirus vendor you talk to. On Sunday, Symantec went public with its dissection of the code.

    Reply
  3. Tomi Engdahl says:

    Bloke fighting Facebook in court says ad network claims its users lack ‘legal capacity’ to sue it
    Austrian campaigner baffled by latest turn in privacy battle
    http://www.theregister.co.uk/2014/11/26/facebook_drives_its_users_mentally_insane_according_to_its_own_legal_arguments/

    Austrian Facebook-botherer-in-chief Max Schrems says the US social network appears to be saying its users are either too young or too insane to file a class-action lawsuit against it.

    In August, Schrems filed a legal complaint in Austria against Facebook with a long list of alleged violations of EU privacy laws. Some 25,000 FB users have joined the class-action lawsuit.

    Facebook is accused of unlawfully analyzing people’s information, tracking netizens across websites, and participating in the NSA’s global spying efforts.

    The social network has this month filed a motion to the court

    Reply
  4. Tomi Engdahl says:

    New Snowden Docs Show GCHQ Paid Telcos For Cable Taps
    http://news.slashdot.org/story/14/11/26/0125238/new-snowden-docs-show-gchq-paid-telcos-for-cable-taps

    The documents show British intelligence agency GCHQ had a deep partnership with telecommunications company Cable & Wireless (acquired later by Vodafone). The company allowed GCHQ to tap submarine cables around the world, and was paid millions of British pounds as compensation.

    Reply
  5. Tomi Engdahl says:

    6,300-employee billion-dollar company brought down by a cyber-attack: employees handed pen and paper

    Sony Pictures Entertainment has been paralyzed for the second day. After the systems went down, the company’s employees are now dependent on pen and paper, says the LA Times. Phone calls go over landlines.

    Source: http://www.tivi.fi/kaikki_uutiset/6300+hengen+miljardiyritys+kaatui+kyberhyokkaykseen+tyontekijoille+kateen+kyna+ja+paperia/a1032032

    Hack at Sony Pictures shuts computer system
    http://www.latimes.com/entertainment/envelope/cotown/la-fi-sony-hack-20141125-story.html

    Sony Pictures Entertainment suffered a widespread hack that rendered the film studio’s computer systems useless, in a twist right out of a cybersecurity thriller movie.

    “It’s obvious from the scope of what’s been done that the intruders owned the entire environment,” Lieberman said. “Sony lost control of their environment.”

    He said similar attacks have unfolded in this way: A hacker gains access to login information for an IT administrator, then uses those credentials to sniff around the network. “Ransom-ware,” like that appearing on Sony employees’ computers, is installed.

    Elsewhere on social media, speculation over the #SonyHack and the #GOP group was buzzing. Workers worried that the system could be down for days.

    Sony Pictures hackers say they want ‘equality,’ worked with staff to break in
    http://www.theverge.com/2014/11/25/7281097/sony-pictures-hackers-say-they-want-equality-worked-with-staff-to-break-in

    The hackers who took down Sony Pictures’ computer systems yesterday say that they are working for “equality” and suggest that their attack was assisted or carried out by Sony employees. In an email responding to inquiries from The Verge, a person identifying as one of the hackers writes, “We Want equality [sic]. Sony doesn’t. It’s an upward battle.” The hackers’ goals remain unclear, but they used the attack yesterday to specifically call out Sony Entertainment CEO Michael Lynton, referring to him as a “criminal” in a tweet.

    Reply
  6. Tomi Engdahl says:

    Facebook hosted Lee Rigby death chat ahead of soldier’s murder
    http://www.bbc.com/news/technology-30199131

    Facebook was the firm that hosted a conversation by one of Fusilier Lee Rigby’s killers five months ahead of the attack, the BBC has learned.

    Michael Adebowale said he wanted to kill a soldier and discussed his plans in “the most graphic and emotive manner”, according to the UK’s Intelligence and Security Committee.

    The ISC said the social network did not appear to believe it had an obligation to identify such exchanges.

    Facebook said it does tackle extremism.

    The ISC does not identify Facebook as the host service in the edition of its report released to the public, but the BBC understands it does do so in the complete version given to the Prime Minister.

    In it, the committee states that the company’s failure to notify the authorities about such conversations risked making it a “safe haven for terrorists to communicate within”.

    It highlights that the UK’s security agencies say they face “considerable difficulty” accessing content from Facebook and five other US tech firms: Apple, Google, Microsoft, Twitter and Yahoo.

    The companies in question have said in the past that they have a duty to protect their members’ privacy.

    Reply
  7. Tomi Engdahl says:

    Lee Rigby murder: Internet firms must do more on terror, says PM
    http://www.bbc.com/news/uk-30200311

    The big internet companies have a “social responsibility” to act on terrorist material posted online, Prime Minister David Cameron has said.

    It comes after a report into Fusilier Lee Rigby’s murder found one of his killers spoke online about murdering a soldier five months before the attack.

    Facebook said it did not allow terrorist content and aimed to stop it.

    Human rights organisations accused the inquiry of shifting the blame on to internet companies and away from the intelligence agencies.

    The report comes a day before the government outlines plans to increase powers for police and security services.

    Reply
  8. Tomi Engdahl says:

    Parliamentary committee says data retention should need a warrant
    Australia’s ‘Brandistan’ under fire
    http://www.theregister.co.uk/2014/11/16/parliamentary_committee_says_data_retention_should_need_a_warrant/

    An Australian parliamentary committee has taken aim at the nation’s proposed data retention regime, saying it fails tests of privacy, necessity and proportionality on several grounds, and called on the government to require warrants for data collection.

    Reply
  9. Tomi Engdahl says:

    Look out: That data protection watchdog can bite
    Regulation set to get tougher
    http://www.theregister.co.uk/2014/11/26/data_protection/

    Despite all the furores, calamities and Snowden-related shenanigans of recent years, the UK’s privacy watchdog remains something of a pussycat, and a lean one at that.

    But the ICO is not happy with the status quo.

    The question CISOs have to ask themselves is this: how should the business alter its information security strategy to face the changes and the current laws?

    Getting to grips with the demands of the Data Protection Act and the nuances of the ICO’s enforcement of the law are an obvious place to start. The first part would not appear too difficult; it is simply a matter of reading the law and deciding what coverage is necessary.

    “Organisations need to see the value of scenario-based risk assessments”

    Reply
  10. Tomi Engdahl says:

    Tech firms urged to stop exporting software that helps human rights abuse
    TechUK issues advice for businesses on ethical IT exporting
    http://www.theinquirer.net/inquirer/news/2383453/tech-firms-urged-to-stop-exporting-software-that-helps-human-rights-abuse

    TECHUK HAS RELEASED guidance to help businesses ensure that their technology innovations are not misappropriated for human rights abuses.

    The industry body has set out best practice and risk assessment to allow companies to make intelligent decisions on exports. It looks at potential uses for software, including ‘off-label’ uses that may not be as benign as the publisher or author intended.

    Reply
  11. Tomi Engdahl says:

    The CIA and Homeland Security want to delete almost all their emails
    http://www.engadget.com/2014/11/26/cia-homeland-security-emails/

    Usually, deleting emails is a no-fanfare, one-click affair — but not when you’re the Central Intelligence Agency or the Department of Homeland Security. Both agencies have recently submitted proposals to the National Archives and Records Administration that outline their plans to delete years’ worth of emails, which the Archives has already tentatively approved. The CIA apparently turned one in to comply with the administration’s directive, ordering federal agencies to conjure up viable plans to better manage government emails by 2016.

    Reply
  12. Tomi Engdahl says:

    Case Suggests How Government May Get Around Phone Encryption
    http://blogs.wsj.com/digits/2014/11/25/case-suggests-how-government-may-get-around-phone-encryption/

    The Justice Department is turning to a 225-year-old law to tackle a very modern problem: password-protected cellphones.

    Prosecutors last month persuaded a federal magistrate in Manhattan to order an unnamed phone maker to provide “reasonable technical assistance” to unlock a password-protected phone that could contain evidence in a credit-card-fraud case, according to court filings. The court had approved a search warrant for the phone three weeks earlier.

    The little-noticed case could offer hints for the government’s strategy to counter new encryption features from Apple Inc. and Google Inc., say privacy advocates and people familiar with such cases.

    “It’s part of what I think is going to be the next biggest fight that we see on surveillance as everyone starts to implement encryption,” said Jennifer Granick, director of civil liberties at Stanford University’s Center for Internet and Society. Pointing to the phrase “technical assistance” in the order, she asked, “Does this mean you have to do something to your product to make it surveillance friendly?”

    Reply
  13. Tomi Engdahl says:

    EU Regulators Want ‘Right to be Forgotten’ Ruling Extended to Google.com
    http://www.ibtimes.co.uk/eu-regulators-want-right-be-forgotten-ruling-extended-google-com-1476758

    Regulators in Brussels have announced they believe links removed from search engines under the so-called Right to be Forgotten ruling should extend worldwide, and in particular to ‘.com’ domains such as Google.com.

    The new set of guidelines will likely be met with hostility from web indexing companies such as Google, Yahoo and Microsoft, as well as free speech advocates. However, privacy advocates will likely welcome the news as many of them believe Google has been limiting the impact of the original ruling by showing the links in search results outside the EU.

    Reply
  14. Tomi Engdahl says:

    The Supreme Court is about to tackle online threats for the first time
    A case about violent Facebook posts could change how internet speech is prosecuted
    http://www.theverge.com/2014/11/26/7292755/supreme-court-tackle-online-threats-elonis

    On December 1st, the Supreme Court will hear oral arguments in Elonis v. United States, the first case about online threats to reach the highest level of judicial review.

    The case centers on Anthony Elonis, who was convicted after writing graphic, gory fantasies about mutilating and killing his wife and other women and posting them to Facebook. The issue before the Supreme Court is whether “a true threat” requires finding that the threatener subjectively intended to be threatening. Elonis is arguing for a subjective intent requirement, claiming that his posts were meant as rap lyrics and not as threats, while the prosecutors are arguing for an “objective” standard—a threat counts as a threat if a “reasonable person” would think the statement is a threat.

    The government is arguing that it’s enough to use an objective standard, with an exception for “idle or careless talk, exaggeration, something said in a joking manner or an outburst of transitory anger.” However, when it comes to the Internet, where context or tone may be more difficult to perceive, this objective standard has obvious drawbacks: is the “reasonable person” going to be a teenager who plays League of Legends or a grandfather posting on a fly fishing forum?

    Reply
  15. Tomi Engdahl says:

    Adobe Reader sandbox popped says Google researcher
    Yet another reason to make sure you’ve patched promptly and properly
    http://www.theregister.co.uk/2014/11/27/adobe_reader_sandbox_popped/

    The Acrobat Reader Windows sandbox contains a vulnerability that could allow attackers to break out and gain higher privileges, Google security bod James Forshaw claims.

    The NTFS junction attack is a “race condition” in the handling of the MoveFileEx call hook, Forshaw said.

    While unpatched, subsequent September updates made the flaw very difficult to exploit.

    “While this bug technically isn’t fixed, a defence in depth change in 11.0.9 effectively made this difficult if not impossible to exploit,” Forshaw said in an advisory for version 11.0.8.

    Reply
  16. Tomi Engdahl says:

    Google’s whois results say it’s a lousy smut searcher
    Run whois google.com or whois microsoft.com. We dare you, you PIG◙◙◙◙ER
    http://www.theregister.co.uk/2014/11/27/googles_whois_results_say_its_a_lousy_smut_searcher/

    Naughty domain owners are still playing nasty tricks on the whois domain lookup service to tease the likes of Google and Microsoft.

    Microsoft’s had trouble with this stuff for years,

    A clue about the origin of the odd Whois results is the fact that all refer to another domain.

    That this is possible is one of the many things for which we can applaud the open architecture of the internet, but probably also among the reasons ICANN is keen to bin whois and start again.

    Reply
  17. Tomi Engdahl says:

    Hacker dodges FOUR HUNDRED YEARS in cooler for SCANNING sites
    Junk-filled forms and auto-bot Acunetix scams showcase absurd computer crime laws
    http://www.theregister.co.uk/2014/11/27/hacker_dodges_half_a_millennium_in_cooler_for_scanning_sites/

    A US hacker has dodged 440 years in prison for computer crime offences that amount to scanning sites with automatic tools and filling in web forms with junk data.

    The charges, since reduced to a misdemeanor, could have seen Fidel Salinas, 28, spending his remaining days working off a 440-year sentence.

    Prosecutors said the scans slowed the site’s performance while the brute force attempts locked administrators out of the site.

    “he made more than 14,000 access attempts with wrong passwords,” the document said.

    The statement omitted that Salinas faced 10 years for each of the 44 felony counts of computer fraud.

    Reply
  18. Tomi Engdahl says:

    Three security practices that IoT will disrupt
    http://www.networkworld.com/article/2599231/data-protection/three-security-practices-that-iot-will-disrupt.html

    As the field of IoT devices continues to grow, so do the threats to well-established security practices

    Right now, there are hundreds of companies churning out “Internet of Things” (IoT) devices as fast as they can.

    Today we’re seeing IoT devices, even medical devices, ship with:

    default passwords such as “1234”
    vulnerable services such as “telnet” enabled
    firmware updates that depend on (easy to spoof) HTTP calls
    web applications that allow users to easily bypass authentication
    …and other vulnerabilities that we (as a security community) thought we addressed more than a decade ago.

    However, there are some organizations with the courage and foresight to swim against the tide of insecure IoT devices.

    For developers and IoT vendors, there is a “Top 10 IoT Vulnerability” guide now available from OWASP (the organization that previously brought you the “Top 10 Web Vulnerability” list) and a resource site called “BuildItSecure.ly” that digs into security best practices on several popular IoT platforms.

    For consumers and businesses, organizations such as the Internet of Things Security Laboratory promise to list and rate devices by their “hackability,” allowing people to make informed decisions before buying insecure devices.

    Reply
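The default-password and authentication-bypass items in the list above (and the point in the post body that the way services handle passwords has not changed in a year) are the kind of thing a small code change fixes. Below is an added example, not code from the article, OWASP or any vendor: `VulnerableDevice` is the shipped-default anti-pattern, a fixed “1234” accepted forever and compared as plain text; `HardenedDevice` stores a salted PBKDF2 hash, compares it in constant time, and refuses every endpoint except the password-change one until the factory default has been replaced. The class names, endpoint names, iteration count and minimum length are assumptions for illustration.

```python
"""Device credential handling: the shipped-default pattern beside a hardened one.

Added example, not code from the article or any vendor. VulnerableDevice shows
the anti-pattern the article lists (a fixed default such as "1234" accepted
forever, compared as plain text). HardenedDevice stores a salted PBKDF2 hash,
compares it in constant time, and serves nothing but the password-change
endpoint until the factory default has been replaced. Iteration count, minimum
length and endpoint names are assumptions for illustration.
"""
import hashlib
import hmac
import os

FACTORY_DEFAULT = "1234"  # the kind of shipped default the article describes


class VulnerableDevice:
    """Anti-pattern: plain-text default that never has to change."""

    def __init__(self):
        self.password = FACTORY_DEFAULT

    def login(self, password):
        return password == self.password  # default never rotated, timing-dependent compare


class HardenedDevice:
    ITERATIONS = 100_000  # assumption; tune to the device's CPU budget
    MIN_LENGTH = 12

    def __init__(self):
        # Boot with the default hashed but flagged "must change".
        self._salt, self._hash = self._derive(FACTORY_DEFAULT)
        self.must_change_password = True

    @classmethod
    def _derive(cls, password, salt=None):
        """Salted PBKDF2-HMAC-SHA256; a fresh random salt unless one is supplied."""
        salt = os.urandom(16) if salt is None else salt
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, cls.ITERATIONS)
        return salt, digest

    def _verify(self, password):
        _, candidate = self._derive(password, self._salt)
        return hmac.compare_digest(candidate, self._hash)  # constant-time compare

    def change_password(self, old, new):
        """Require the current password, a minimum length and not the default."""
        if not self._verify(old):
            return False
        if len(new) < self.MIN_LENGTH or new == FACTORY_DEFAULT:
            return False
        self._salt, self._hash = self._derive(new)
        self.must_change_password = False
        return True

    def request(self, password, endpoint):
        """Gate every endpoint: 401 on bad password, 403 while the default is still set
        (except for /change-password), 200 otherwise."""
        if not self._verify(password):
            return 401
        if self.must_change_password and endpoint != "/change-password":
            return 403
        return 200


if __name__ == "__main__":
    dev = HardenedDevice()
    print("telnet with default:", dev.request(FACTORY_DEFAULT, "/telnet"))
    dev.change_password(FACTORY_DEFAULT, "correct horse battery")
    print("status after change:", dev.request("correct horse battery", "/status"))
```

The lock-down in `request` is the part that matters for fleets: a device that merely hashes its default password is still a device with a known password, so the default has to be unusable for anything except replacing itself.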
  19. Tomi Engdahl says:

    Do not rely too much on cloud security

    The Finnish Communications Regulatory Authority’s Kyberturvallisuuskeskus (Cyber Security Centre) points out that many factors affect the security of an organization’s cloud computing. The whole is made up of the security practices of both the service provider and the customer, and also of the security of the application moved to the cloud.

    “An organization’s own security policies should be maintained also when utilizing cloud services. A secure technical implementation by the cloud service provider only enables a secure cloud service implementation, but does not guarantee it,” security expert Tom Kinnari says in the release.

    “Different countries’ legislation deals with, for example, personal data protection or electronic communication in different ways. The general rule is that responsibilities imposed by law cannot be outsourced to the cloud service provider,” Kinnari says.

    Kyberturvallisuuskeskus has prepared a checklist of things to remember when concluding a service contract:

    ownership of and rights to the data
    information on the geographical location of the data
    data security, taking into account the information life cycle, processing of personal data and backups
    procedures for exceptional situations, such as service outages
    service level agreement
    the agreement, the applicable law and the venue for any dispute

    Source: http://www.tivi.fi/kaikki_uutiset/ala+luota+liikaa+pilven+tietoturvaan/a1032352

    Pilvipalveluiden turvallisuus (Security of cloud services)
    https://www.viestintavirasto.fi/attachments/tietoturva/Pilvipalveluiden_tietoturva_organisaatioille.pdf

    Reply
  20. Tomi Engdahl says:

    Voting Machines Malfunction: 5,000 Votes Not Counted In Kansas County
    http://tech.slashdot.org/story/14/11/26/2129237/voting-machines-malfunction-5000-votes-not-counted-in-kansas-county

    A malfunction in electronic voting machines in Saline County, Kansas, left over 5,000 votes uncounted. That’s roughly one-third of the votes cast.

    Malfunction results in missing votes
    http://www.salina.com/news/malfunction-results-in-missing-votes/article_4b2fc677-2bb9-5008-abef-5d51ac80ee35.html

    Problem the result of electronic voting machine errors

    A malfunction of electronic voting equipment left 5,207 votes out of the original Nov. 4 Saline County vote total, but no election outcomes were affected, according to the Saline County Clerk’s Office.

    What was affected was a change in the percent of voter turnout, from 35.47 to 50.47 percent, and the total number of votes, 17,532 out of 34,735 registered voters.

    “That’s a huge difference,” county Chairman Randy Duncan said when notified by the Journal of the error. “That’s scary. That makes me wonder about voting machines. Should we go back to paper ballots?”

    Saline County Clerk Don Merriman said after the meeting that four of the 34 PEBs, or Personal Electronic Ballots, were not reading correctly on election night, which left the votes out of the original count. The problem has been fixed, he said.

    He said the missing votes weren’t discovered until after votes were canvassed on Nov. 10. Merriman said he learned of the error during a “triple check” with flash cards from the PEBs.

    “We always pull those flash cards and check those final totals to make sure we are OK,”

    Reply
  21. Tomi Engdahl says:

    Twitter to Start Tracking Which Apps Its Users Have Downloaded
    http://recode.net/2014/11/26/twitters-now-collecting-data-on-which-apps-you-download/

    Twitter will soon be peeking in on your smartphone. Literally.

    The social network says it will start collecting data on which apps its users have downloaded onto their phones. The update is opt-out, meaning Twitter will start collecting this information from users automatically unless they explicitly tell it otherwise.

    Twitter says the reason for the update is simple: It’s trying to learn more about its user base so it can make more money selling ads.

    The company’s business model is dependent on targeted advertising

    Both Apple’s iOS and Google’s Android operating systems already allow third parties to gather this type of data.

    On Android, developers can recall a list of all apps on the phone so long as they disclose their ability to do so within the app’s terms of service, according to a Google spokesperson.

    That does not mean, however, that developers can gather data from within those apps, such as how often a person uses them, or what information a person has shared.

    Reply
  22. Tomi Engdahl says:

    Researcher: Uber app searches the device for vulnerabilities and malware

    The much-talked-about taxi app Uber has also attracted the interest of security researchers.

    Security researcher Joe Giron writes, worried, that Uber’s Android application asks for a lot of permissions whose purpose is unclear. The application wants, among other things, access to the device’s camera, call information, and the accounts attached to the device.

    In addition, Uber checks whether the device is rooted and whether it has Heartbleed or malware.

    Source: http://www.tivi.fi/kaikki_uutiset/tutkija+ubersovellus+etsii+laitteelta+haavoittuvuuksia+ja+haittaohjelmia/a1032362

    What the hell Uber? Uncool bro.
    http://www.gironsec.com/blog/2014/11/what-the-hell-uber-uncool-bro/

    Anyways, I downloaded Uber the other day and it’s pretty cool and handy. The only qualm I had was with all the permissions it asked for.

    here’s some answers: Uber checks to see if your device is rooted. It doesn’t tell you of course, it just wants to know so it can phone home and tell them about it. I also saw checks for malware, application activity and a bunch of other stuff.

    Like I said before, there’s a lot of data here to go through. Maybe Uber is evil. Maybe Uber isn’t sending a bunch of data off to their collection servers for harvesting. Maybe I’m just paranoid.

    Reply
  23. Tomi Engdahl says:

    Uber’s Android app collects an ‘uncool’ amount of data about users, security pro says
    http://venturebeat.com/2014/11/26/uber-app-collects-an-uncool-amount-of-data-about-users-security-pro-says/

    Just when one (tech) media firestorm over Uber’s privacy policies starts to subside, another story emerges about the surprising amount of user data collected by the company’s mobile app for Android.

    A security researcher in Arizona described in a blog post Tuesday how he decompiled the app’s code, and uncovered a lengthy list of data requests made by the app.

    “Christ man! Why the hell would it want access to my camera, my phone calls, my wifi neighbors, my accounts, etc?” Giron says in the blog.

    The app accesses voice call and messaging histories, data usage history, Wi-Fi connections, and any kind of Device ID that may be available. Device ID is often used to target ads at specific devices.

    The Uber app also asks for information about the other apps running on the user’s mobile device. It wants to know the identities of the apps, when they were installed, if they came as part of a bundle, how much data they use, and other stats.

    An Uber spokesperson explains that the code in the app that requests that information from the phone wasn’t put there by Uber.

    “Our code lists several features that our mobile security vendor offers, but that we do not use,” the company says in a statement. “For example, ‘whether device is rooted, whether it has any malware on it, and whether it’s vulnerable to the Heartbleed security bug’ are not features that Uber uses.”

  24. Tomi Engdahl says:

    Bitcoin Is Not Anonymous After All
    http://yro.slashdot.org/story/14/11/26/2121214/bitcoin-is-not-anonymous-after-all

    Taco Cowboy points out a new study that shows it is possible to figure out the IP address of someone who pays for transactions anonymously online using bitcoins.

    In the network, the user’s identity is hidden behind a cryptographic pseudonym, which can be changed as often as is wanted. Transactions are signed with this pseudonym and broadcast to the public network to verify their authenticity and attribute the Bitcoins to the new owner. In their new study, researchers at the Laboratory of Algorithmics, Cryptology and Security of the University of Luxembourg have shown that Bitcoin does not protect user’s IP address and that it can be linked to the user’s transactions in real-time.

    Reference : Deanonymisation of clients in Bitcoin P2P network
    http://orbilu.uni.lu/handle/10993/18679

    We present an efficient method to deanonymize Bitcoin users, which allows to link user pseudonyms to the IP addresses where the transactions are generated. Our techniques work for the most common and the most challenging scenario when users are behind NATs or firewalls of their ISPs. They allow to link transactions of a user behind a NAT and to distinguish connections and transactions of different users behind the same NAT. We also show that a natural countermeasure of using Tor or other anonymity services can be cut-off by abusing anti-DoS countermeasures of the bitcoin network. Our attacks require only a few machines and have been experimentally verified. We propose several countermeasures to mitigate these new attacks.

  25. Tomi Engdahl says:

    Point-of-Sale Malware “d4re|dev1|” is Attacking Ticket Machines and Electronic Kiosks
    https://www.intelcrawler.com/news-24

    IntelCrawler, a cyber threat intelligence firm from Los Angeles, has identified a new type of Point-of-Sale malware called “d4re|dev1|”. This new strain of malware, which is hitting Mass Transit Systems, acts as an advanced backdoor with remote administration, having RAM scrapping and keylogging features.

    This new POS malware find adds to a growing list of POS variants being developed by underground cyber criminals because of the high ROI when they hit payloads like a Target or Home Depot. Variants recently identified and profiled by IntelCrawler include POSCLOUD, Nemanja, JackPOS, BlackPOS, and Decebal.

    Some recent POS investigations have revealed organized crime groups distributing malicious code and compromising networking environments of merchants and credit card devices, including ticket vending machines and electronic kiosks installed in public places and mass transport systems. One of the compromised devices was found in Sardinia in August 2014, giving the bad actors unauthorized access to it through VNC.

    As this POS malware market is evolving, new security measures are needed to combat the seemingly continuous strains being developed by the underground. In addition to consulting your PCI vendor, IntelCrawler strongly recommends to encapsulate any administration channels to the VPN, as well as to limit the software environment for operators, using proper access control lists and updated security polices.

  26. Tomi Engdahl says:

    Uber’s Android App Caught Reporting Data Back Without Permission
    http://yro.slashdot.org/story/14/11/27/1451203/ubers-android-app-caught-reporting-data-back-without-permission

    Security researcher GironSec has pulled Uber’s Android app apart and discovered that it’s sending a huge amount of personal data back to base – including your call logs, what apps you’ve got installed, whether your phone is vulnerable to certain malware, whether your phone is rooted, and your SMS and MMS logs, which it explicitly doesn’t have permission to do. It’s the latest in a series of big-time missteps for a company whose core business model is, frankly, illegal in most of its markets as well.

    Uber’s Android app caught reporting data back without permission
    http://www.gizmag.com/uber-app-malware-android/34962/

    Taxi-busting ride share app Uber might have an operating model that suits customers better than traditional, regulated taxi services – but the company’s aggressively disruptive (and frequently illegal) business practices don’t seem to stop at harming the taxi industry.

    These kinds of stories, of course, should be taken with a grain of salt – they’re certainly very beneficial to competing services like Lyft.

    Security researcher GironSec decompiled the code of the Uber Android app and found it to be collecting and sending the following information back to Uber

    While some people are suggesting it might be an anti-fraud measure to help Uber detect and combat fake accounts set up by its competitors, the fact remains – collecting data without appropriate permission constitutes malware and compromises users’ personal data.

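The Uber items above (comments 22, 23 and 26) describe a researcher decompiling the app and comparing what it reaches for against the permissions it actually holds. As an added example, not code from the original post, from Uber or from GironSec, here is a small Python audit of that kind: it reads an app’s manifest, greps decompiled sources for sensitive data accesses, and reports any access whose gating permission is not declared. The manifest, source snippets and package name are constructed.

```python
"""Compare the sensitive data an Android app reaches for in its decompiled
code against the permissions its manifest declares.  Added example with
constructed manifest and sources; not Uber's app or GironSec's tooling."""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Markers a reviewer greps for in decompiled sources, mapped to the
# permission that gates each one (real Android permission names).
# None = not gated by a permission but still privacy-relevant
# (installed-app inventory, root detection).
SENSITIVE_ACCESSES = {
    r"content://sms": "android.permission.READ_SMS",
    r"content://mms": "android.permission.READ_SMS",
    r"content://call_log": "android.permission.READ_CALL_LOG",
    r"\bCamera\.open\(": "android.permission.CAMERA",
    r"\.getAccounts\(": "android.permission.GET_ACCOUNTS",
    r"\.getScanResults\(": "android.permission.ACCESS_WIFI_STATE",
    r"\.getInstalledPackages\(": None,
    r"/system/xbin/su": None,
}


def declared_permissions(manifest_xml):
    """Set of android:name values from <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def find_accesses(source_text):
    """Yield (line_no, marker, required_permission) for every hit."""
    for line_no, line in enumerate(source_text.splitlines(), start=1):
        for marker, perm in SENSITIVE_ACCESSES.items():
            if re.search(marker, line):
                yield line_no, marker, perm


def audit(manifest_xml, sources):
    """sources: {filename: decompiled text}.  Returns the declared
    permission set, accesses whose permission is NOT declared (the app
    holds no grant for them), and accesses not gated by any permission."""
    declared = declared_permissions(manifest_xml)
    report = {"declared": declared, "undeclared": [], "ungated": []}
    for fname, text in sources.items():
        for line_no, marker, perm in find_accesses(text):
            entry = (fname, line_no, marker, perm)
            if perm is None:
                report["ungated"].append(entry)
            elif perm not in declared:
                report["undeclared"].append(entry)
    return report


# Constructed manifest: call log, camera, accounts and Wi-Fi state are
# declared, but READ_SMS is not.
MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.rideapp">
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
</manifest>
"""

# Constructed decompiled snippets standing in for the app's own code.
SOURCES = {
    "DeviceProfile.java": (
        'Cursor calls = resolver.query(Uri.parse("content://call_log/calls"), null, null, null, null);\n'
        'Cursor msgs = resolver.query(Uri.parse("content://sms/inbox"), null, null, null, null);\n'
        "List<PackageInfo> apps = pm.getInstalledPackages(0);\n"
        'boolean rooted = new File("/system/xbin/su").exists();\n'
    ),
    "Capture.java": "Camera cam = Camera.open();\n",
}

if __name__ == "__main__":
    report = audit(MANIFEST, SOURCES)
    for fname, line_no, marker, perm in report["undeclared"]:
        print(f"UNDECLARED {perm}: {fname}:{line_no} ({marker})")
    for fname, line_no, marker, _ in report["ungated"]:
        print(f"UNGATED: {fname}:{line_no} ({marker})")
```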
  27. Tomi Engdahl says:

    Coming soon: An app to report police brutality
    http://edition.cnn.com/2014/11/26/politics/swat-app-seeks-to-reduce-police-violence/

    Washington (CNN) — Reporting police brutality could just be a swipe away.

    That’s the motivation behind SWAT, a new app designed by college students Joe Gruenbaum and Brandon Anderson to counter excessive uses of force by police officers.

    The app, which its creators would like to release by spring, will give witnesses of a police incident the ability to live-stream video from their smartphones to SWAT’s secure servers. Once a video is on the servers, the team at SWAT can forward a copy to authorities, protecting witness recordings from possible destruction or seizure during the incident.

    This might sound illegal, but it isn’t. While some states have implemented restrictions on public audio recordings (most notably Illinois), no state in the U.S. prohibits recording video of the police in a public place.

    END POLICE VIOLENCE EVERYWHERE
    http://theswatapp.com/

  28. Tomi Engdahl says:

    Syrian Electronic Army hacks websites via Gigya’s login service
    https://gigaom.com/2014/11/27/syrian-electronic-army-hacks-websites-via-gigyas-login-service/

    Visitors to some large media and entertainment websites on Thursday — including NBC, The Independent and NHL.com — were greeted by pop-up messages that said those sites had been hacked by the Syrian Electronic Army. According to an analysis by the Independent, the hack used a vulnerability in the DNS settings of Gigya, a service that many large websites use to handle comments and social logins, which the company says it has now repaired.

    In a post on its blog, Gigya said that the Syrian Electronic Army modified the WHOIS record for its website and pointed it to a different DNS (domain name system) server, which in turn pointed Gigya’s content delivery network or CDN domain to a server run by the SEA.

    Gigya, which recently raised $35 million in a round of venture financing led by Intel’s investment fund, is a San Francisco-based company that provides social-login and marketing services to more than 700 firms worldwide, and processed more than a billion logins this year, according to information it provided to the New York Times.

  29. Tomi Engdahl says:

    21st century data protection: Get back up to date
    http://www.theregister.co.uk/2014/11/28/21st_century_data_protection_get_backup_to_date/

    You admit to us that the state of data protection in your company is woeful. But it’s also not a priority to fix it, or so you might think.

    But:

    1. as storage technology leaps ahead,

    2. as users expect more,

    3. as more data is stored on mobile devices or in remote locations and

    4. oh yes, as the European Commission plans fines in the squillions if you don’t secure your data…

    … you might need to think again.

  30. Tomi Engdahl says:

    Cryptocurrency cruncher cranks prime number constellation
    Riecoin distributed miner claims world record for prime sextuplet generation
    http://www.theregister.co.uk/2014/11/28/cryptocurrency_cruncher_cranks_prime_number_constellation/

    Bitcoin mining, our own Simon Rockman wrote last January, “is essentially a brute-force attack on the generating algorithm”.

    “Bitcoin, and all the other alt-coins, is training a skillset for building password-cracking hardware that is both powerful and portable,” he wrote.

    It looks like cryptocurrencies are also helping to spot some useful prime numbers, according to the folks behind Riecoin.

  31. Tomi Engdahl says:

    Leaked Syrian log files reveal attempts to starve rebels of information
    Users self-censor to avoid arrest
    http://www.theregister.co.uk/2014/11/28/syria_regime_filtering_study/

    Syria’s Bashar al Assad-led regime blocked scores of legitimate services and entire network regions in its bid to scrub out access to sites such as Reddit, Google and Skype, the first analysis of the nation’s web filtering reveals.

    “We find that traffic is filtered in several ways: using IP addresses and domain names to block subnets or websites, and keywords or categories to target specific content,” the team wrote in the paper Censorship in the Wild: Analysing Internet Filtering in Syria.

    “We show that keyword-based censorship produces some collateral damage as many requests are blocked even if they do not relate to sensitive content. We also discover that Instant Messaging is heavily censored, while filtering of social media is limited to specific pages.”

    The group analysed logs stolen by Telecomix activists from seven Blue Coat SG-9000 proxies filtering Syrian web traffic for nine days between July and August 2011.

    Since then Syria has invested US$500,000 in surveillance equipment meaning the country’s capabilities may exceed that studied.

  32. Tomi Engdahl says:

    A WHOPPING 8 million Windows Server 2003 systems still out there
    Refresh activity to be XP-like, biz still pondering next move
    http://www.channelregister.co.uk/2014/11/27/windows_server_2003_tech_data_gartner/

    Windows Server 2003 refresh activity has yet to show up in a major way across the UK tech channel amid estimates that eight million physical systems are still out there in the wild – not all of which will be replaced like-for-like.

    Security updates and fixes for the 11-year-old operating system will no longer be made available by Microsoft from 14 July when extended support expires.

  33. Tomi Engdahl says:

    Edward Snowden: best … security … educator … EVER!
    Study finds those aware of leaker-at-large harden up and surf smarter
    http://www.theregister.co.uk/2014/11/28/the_snowden_effect_not_just_diplomatic_drama/

    A good deal of folk aware of NSA leaker Edward Snowden have improved the security of their online activity after learning of his exploits, a large survey has found.

    Researchers from think tank The Centre for International Governance Innovation collected responses from 23,376 users between October and November and found 60 percent had heard of Snowden.

    Among respondents, 39 per cent “have taken steps to protect their online privacy and security as a result of [Snowden's] revelations.” 43 per cent “now avoid certain websites and applications and 39% now change their passwords regularly,” the survey finds.

    Security education is a tough gig: The Reg has been hearing the “better security comes from people, processes and technology” mantra for over a decade. Endless recitation of that message, and education campaigns galore, sometimes seem not to have much effect as weak passwords remain pitifully prevalent and scams proliferate daily.

    Snowden prompting four in ten of those surveyed – and more in places like India, Mexico and China – to take security more seriously is therefore a big win.

  34. Tomi Engdahl says:

    Twitter will monitor your mobile apps to target adverts
    App graph raises eyebrows in the privacy camp
    http://www.theinquirer.net/inquirer/news/2383904/twitter-will-monitor-your-mobile-apps-to-target-adverts

    TWITTER HAS RUFFLED a few feathers with the announcement of its ‘app graph’, which scans users’ installed apps.

  35. Tomi Engdahl says:

    Court Order Shuts Down Alleged $120M Tech Support Scam
    http://www.securityweek.com/court-order-shuts-down-alleged-120m-tech-support-scam

    A federal court has temporarily shut down and frozen the assets of two telemarketing operations accused by the Federal Trade Commission (FTC) of scamming customers out of more than $120 million by deceptively marketing computer software and tech support services.

    According to the FTC, the scams began with computer software that claimed to improve the security or performance of the customer’s computer. Typically, consumers downloaded a free, trial version of the software that would run a computer system scan. The scan always identified numerous errors, whether they existed or not. Consumers were then told that in order to fix the problems they had to purchase the paid version of the software for between $29 and $49.

    In order to activate the software after the purchase, consumers were then directed to call a toll-free number and connected to telemarketers who tried to sell them unneeded computer repair services and software, according to the FTC complaint. The services could cost as much as $500, the FTC stated.

  36. Tomi Engdahl says:

    Danger sign: More and more information on targeted attacks is flowing into Finland

    More and more information about targeted attacks in Finland is coming to light, says Kauto Huopio, a leading expert at Kyberturvallisuuskeskus.

    The situation centre has seen a clear increase in sightings of targeted attacks and in tip-offs, especially through international cooperation. According to Huopio, the amount has at least doubled.

    “Targeted attacks are an awfully small set of the contacts we get. These observations related to the number of intermediaries do, however, say something. It does not necessarily mean that there are more attacks, but perhaps that the international security community has begun to exchange information more actively,” says Huopio.

    Regin is malware heavyweight

    Huopio neither admits nor denies whether Kyberturvallisuuskeskus has observations of Regin in Finland, and offers only a general characterization.

    “Regin was a textbook example of a very broad, targeted attack using a malicious program, on which so many resources have been used that the conclusion is that it is probably a state actor,” says Huopio.

    “The average person can hardly ever find Regin from their own computer.”

    Huopio says that, in fact, Regin is not a single program; the malware is a concept that includes many different software components.

    Kyberturvallisuuskeskus recently published a warning of the need to update WordPress.

    “There are still tens of thousands of unpatched WordPress sites,”

    “WordPress is a concrete example of why attackers are interested in publishing platforms,” says Huopio.

    In many cases, WordPress sites are located on servers that have a lot of performance. In the hands of attackers, they are a powerful tool for spreading malware.

    It is relatively easy for an attacker to take control of websites that use outdated WordPress 3-series software.

    The problem is typical of WordPress users such as organizations and SMEs that do not have IT expertise. They usually order the website layout from an advertising agency and then obtain web hosting server space where the site is installed.

    “But is the platform maintained at all after that?”

    In general, in the Tivi interview he emphasizes the importance of actively maintaining systems. A growing concern is the Internet of Things.

    “Absolutely, the Internet of Things is coming, but it will be interesting to see whether the security of the services and equipment is well thought out.”

    He is concerned that there is no uniform practice for what the basic settings of a device connected to an unsecured Internet connection should be.

    “There is great innovation, but I feel all the time that in product development information security is a cost item and a delay, on which companies can easily save.”

    Huopio’s big picture of Finland and Finnish security is that it is good: Finland competes with Japan for the title of the world’s cleanest networks. As the greatest threat to end users, he mentions various online scams.

    Source: http://www.tivi.fi/kaikki_uutiset/vaaran+merkki+suomeen+virtaa+yha+lisaa+tietoa+kohdistetuista+hyokkayksista/a1032810

  37. Tomi Engdahl says:

    In Europe, Microsoft and Yahoo Have Started to Forget
    http://blogs.wsj.com/digits/2014/11/28/in-europe-microsoft-and-yahoo-have-started-to-forget/

    Microsoft’s Bing and Yahoo have started to scrub search results for Europeans who want to exercise their “right to be forgotten,” company officials said.

  38. Tomi Engdahl says:

    Sony Pictures hackers release list of stolen corporate files
    “Guardians of Peace” offer a gigabyte-long list of filenames to share.
    by Sean Gallagher – Nov 26 2014, 10:00pm
    http://arstechnica.com/security/2014/11/sony-pictures-hackers-release-list-of-stolen-corporate-files/

    On Monday, employees at Sony Pictures Entertainment—the television and movie subsidiary of Sony Corp.—discovered that their internal corporate network had been hijacked. A message from an individual or group claiming responsibility appeared on corporate systems, pledging to release sensitive corporate data taken from the network by 11pm GMT on Monday.

    Twitter accounts associated with promoting several movies, including Starship Troopers, were briefly hijacked by the attackers.

    As of this morning, the network at many Sony offices still appears to be down. Based on information reportedly shared by employees, it could be down for weeks before being restored. The Twitter accounts appear to be back under Sony Pictures’ control.

    There were some questions whether this was a hack at all. So far, all Sony has said is that the company is investigating an “IT issue.” However, the file that the hacker or hackers—who call themselves “The Guardians of Peace”—have released is a 217.6-megabyte .ZIP file that contains three text files, two of which allegedly contain lists pulled from Sony Pictures systems.

    The extent of the files suggests that the attackers gained access to backups of individual computers as well as SharePoint servers, file servers, and other significant pieces of Sony Pictures’ infrastructure. Considering how broad and deep the exposure appears to be, Sony Pictures’ IT team may especially want to get to two files listed in the file-name dump: “INSURANCE for security breaches.doc” and “Security Breach Course of Action.v1.txt”.

  39. Tomi Engdahl says:

    New Snowden docs: GCHQ’s ties to telco gave spies global surveillance reach
    Access through “partners” such as Cable & Wireless pulls in gigabits globally.
    http://arstechnica.com/tech-policy/2014/11/new-snowden-docs-gchqs-ties-to-telco-gave-spies-global-surveillance-reach/

    Documents reportedly from the Edward Snowden cache show that in 2009, GCHQ (and by association, the NSA) had access to the traffic on 63 submarine cable links around the globe. The cables listed handle the vast majority of international Internet traffic as well as private network connections between telecommunications providers and corporate data centers.

  40. Tomi Engdahl says:

    Craigslist DNS hijacked, redirected at infamous “prank” site for hours [Updated]
    Craigslist CEO: domain registrar was compromised, sending traffic to “various sites.”
    http://arstechnica.com/security/2014/11/craigslist-dns-hijacked-redirected-at-infamous-prank-site-for-hours/

    Around 5:00pm PST on November 23, the Domain Name Service records for at least some of the sites hosted by the online classified ad and discussion service Craigslist were hijacked. At least some Craigslist visitors found their Web requests redirected toward an underground Web forum previously associated with selling stolen celebrity photos and other malicious activities.

    DigitalGangster.com advertises itself as being “dedicated to nothing in particular other than being important. It is responsible for millions of dollars in commerce and millions of terrible pranks on the Internet.

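Both the Gigya incident (comment 28) and the Craigslist hijack (comment 40) went through the registrar and the DNS delegation rather than the victims’ own servers, so the tampering is visible in public records long before anything on the host changes. As an added example, not code from either company or article, here is a Python check a defender can run on a schedule: it parses dig-style answers for a domain’s NS delegation and CDN alias and alerts when they drift from a known-good snapshot. All domain names and records are constructed placeholders.

```python
"""Detect delegation or alias drift of the kind seen in registrar/DNS
hijacks.  Added example; all names and records are constructed."""
import re

# Known-good state recorded when the zone was last verified (constructed).
EXPECTED = {
    ("socialsvc.example.", "NS"): {"ns1.registrar-dns.example.", "ns2.registrar-dns.example."},
    ("cdn.socialsvc.example.", "CNAME"): {"edge.cdnprovider.example."},
}

# One resource record per line, as printed by `dig +noall +answer`:
# owner  ttl  IN  type  rdata
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(\S+)$")


def parse_answers(text):
    """Parse dig-style answer lines into {(owner, type): set(rdata)}."""
    records = {}
    for line in text.splitlines():
        m = RR_LINE.match(line.strip())
        if not m:
            continue  # skip comments, blank lines, anything unparseable
        owner, _ttl, rtype, rdata = m.groups()
        records.setdefault((owner.lower(), rtype.upper()), set()).add(rdata.lower())
    return records


def check_delegation(expected, observed):
    """Return one alert string per expected record set that is missing or
    differs from what was observed.  An empty list means no drift."""
    alerts = []
    for (owner, rtype), want in expected.items():
        got = observed.get((owner, rtype), set())
        if not got:
            alerts.append(f"{rtype} {owner}: no answer (outage, NXDOMAIN or record removed)")
        elif got != want:
            alerts.append(f"{rtype} {owner}: expected {sorted(want)}, observed {sorted(got)}")
    return alerts


# Constructed answers: the healthy zone, then one where the delegation has
# been pointed at rogue nameservers and the CDN alias re-targeted, which is
# the shape of the Gigya chain (WHOIS -> NS -> CDN CNAME).
HEALTHY = """\
socialsvc.example.      3600 IN NS    ns1.registrar-dns.example.
socialsvc.example.      3600 IN NS    ns2.registrar-dns.example.
cdn.socialsvc.example.  300  IN CNAME edge.cdnprovider.example.
"""
HIJACKED = """\
socialsvc.example.      3600 IN NS    ns1.rogue-dns.example.
socialsvc.example.      3600 IN NS    ns2.rogue-dns.example.
cdn.socialsvc.example.  60   IN CNAME defaced-host.example.
"""


def run_check(answer_text):
    """Parse one dig-style capture and compare it with EXPECTED."""
    return check_delegation(EXPECTED, parse_answers(answer_text))


if __name__ == "__main__":
    for label, text in (("healthy", HEALTHY), ("hijacked", HIJACKED)):
        alerts = run_check(text)
        print(f"{label}: {'OK' if not alerts else 'DRIFT'}")
        for a in alerts:
            print("  ALERT", a)
```

Pair the check with a registrar lock and change notifications at the registrar, since the NS set itself is what was rewritten in both incidents.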
  41. Tomi Engdahl says:

    Black Friday traffic brings down Web stores of HP, Best Buy, others
    Retailers’ systems buckle under load of post-Thanksgiving Web shopping.
    http://arstechnica.com/information-technology/2014/11/black-friday-traffic-brings-down-web-stores-of-hp-best-buy-others/

    While content delivery networks (CDNs) have made it possible to push static content out closer to Web and mobile shoppers and reduce overall traffic hitting e-commerce sites, the load on the sites is still causing some to buckle and break, albeit briefly.

  42. Tomi Engdahl says:

    In Time to Protect Holiday Shoppers, Security Startup Zenedge Aims to Fight Hackers
    http://recode.net/2014/11/26/in-time-to-protect-holiday-shoppers-security-startup-zenedge-aims-to-fight-hackers/

    Black Friday is upon us, and if you’re one of 70 million consumers who were affected by the massive breach of credit card data at the retail giant Target last year, it’s an anniversary you’d prefer to forget.

    Alp Hug and Leon Kuperman have not forgotten. They are, respectively, the COO and CTO of the new security startup Zenedge. Based in Los Angeles, it aims to fight the specific kind of hacking attack used in the Target breach, as well as one that followed at Home Depot.

    Zenedge specializes in securing not just a company’s own internal network, but in securing vendors and partners who may, for one reason or another, be granted access to those networks.

    “You have to look at the concentric circles around your network,” Hug said. “You may be very sophisticated about your own security. But the other companies you do business with may not be.”

    Target’s heating and air vendor had access to its internal company network, and it had been the victim of an attack by hackers using malware designed to steal passwords. Among those they stole were the passwords used to access Target’s network.

    Today, it will launch Zenshield, a cloud-based security service that’s designed to enforce security rules on a company’s third-party vendors and partners.

    The service monitors all of a company’s inbound network traffic, adding an additional layer of protection to existing firewalls and other products.

    “The best way to mitigate against an attack is to distribute the same rules and information to everyone,” Kuperman said. “Everyone gets a common set of security rules, and gets the same information.”

  43. Tomi Engdahl says:

    Samuel Gibbs / Guardian:
    European data regulator says “device fingerprinting” requires user consent, like cookies

    Europe’s next privacy war is with websites silently tracking users
    http://www.theguardian.com/technology/2014/nov/28/europe-privacy-war-websites-silently-tracking-users

    European data protection watchdogs publish guidance on web tracking using device fingerprinting that could result in more ‘I agree’ forms

    The pan-European data regulator group Article 29 has issued new opinion on how websites and advertisers can track users and the permissions they require.

    The new opinion dictates that “device fingerprinting” – a process of silently collecting information about a user – requires the same level of consent as cookies that are used to track users across the internet.

    “Parties who wish to process device fingerprints which are generated through the gaining of access to, or the storing of, information on the user’s terminal device must first obtain the valid consent of the user (unless an exemption applies),” the Article 29 Working Party wrote.

    It means that some websites, including Google, Facebook and Microsoft, that have used alternative technical processes to try to bypass the need for a “cookie policy notice” will have to show a notification after all.

    Until now, device fingerprinting has been considered separate from the European legislation that covers cookies, which requires companies that store small bits of information on a users computer for storing settings and identity to explicitly ask for consent.

  44. Tomi Engdahl says:

    Social media terms and conditions are way too complex, say UK MPs
    https://gigaom.com/2014/11/28/social-media-terms-and-conditions-are-way-too-complex-say-uk-mps/

    A U.K. parliamentary committee has attacked the terms and conditions used by social media services, declaring that they are too complex for users to understand. It said the unsuitability of the T&Cs had been demonstrated by episodes such as Facebook’s emotion-manipulation study, in which Facebook deliberately made some of its users sad as an experiment.

    The committee also asked the government to work with business and academia to make sure that apps only request the user data that they need to provide the advertised service, and to better explain to users why they need the permissions they request.

    This is all very timely, as proposed EU legislation would also push for standardized information policies for companies that process people’s personal data, so as to make it easier for their users to understand what they’re signing up to.

  45. Tomi Engdahl says:

    The Obama administration continues to strong-arm journalists into revealing sources — By now, everyone knows the feds have been handing out record numbers of subpoenas to journalists hoping to scare them into giving up their sources. The troubles of New York Times reporter James Risen …
    http://www.cjr.org/behind_the_news/press_subpoena_source_obama.php?page=all

  46. Tomi Engdahl says:

    ‘Right To Be Forgotten’ Guidelines Published By European Regulators
    http://techcrunch.com/2014/11/28/rtbf-29wp-guidelines/

    Europe’s Article 29 Working Party, the body comprised of data protection representatives from individual Member States of the European Union, has now published guidelines on the implementation of the so-called ‘right to be forgotten’ ruling, which was handed down by Europe’s top court back in May.

    The European Court of Justice ruling gives private individuals in Europe the right to request that search engines de-index specific URLs attached to search results for their name — if the information being associated with their name is inaccurate, outdated or irrelevant. The ruling does not generally apply to public figures, so requires search engines to weigh up requests against any public interest there might be to accessing the information in a name search de-listing request.

  47. Tomi Engdahl says:

    Patch Windows boxes NOW – unless you want to be owned by a web page or network packet
    Someone, come up with a catchy logo for this SSL hole
    By Shaun Nichols, 11 Nov 2014
    http://www.theregister.co.uk/2014/11/11/november_patch_tuesday/

    “Remote code execution if an attacker sends specially crafted packets” is not what many of you want to hear today – nor “remote code execution if a user views a specially crafted webpage using Internet Explorer” – but it’s Patch Tuesday, so what do you expect?

    Microsoft has issued a batch of security fixes for Internet Explorer, Windows, and Office software – all of which are vulnerable to hijacking from afar by spies, criminals and other miscreants.

  48. Tomi Engdahl says:

    World’s best threat detection pwned by HOBBIT
    Forget nation-states, BAB0 is the stuff of savvy crims
    http://www.theregister.co.uk/2014/11/28/malware_crushes_advanced_threat_systems_study/

    Some of the world’s best threat detection platforms have been bypassed by custom malware in a demonstration of the fallibility of single defence security.

    Five un-named top advanced threat detection products were tested against four custom malware samples written by researchers at Crysys Lab, Hungary.

    The most capable of the malware samples, dubbed BAB0 (or ‘Hobbit’ in the researchers’ native tongue), slipped past each product having infected through image steganography, a feat within the capabilities of savvy criminals.

    “Actually, this test case simulates attackers with moderate resources and some understanding of the state-of-the-art detection tools and how advanced malware works.”

    BAB0 was written in C++ with a server side in PHP and never appeared in the clear in net traffic due to the use of steganography. Scripts pulled the executable from the image after users clicked. The malware then ducked sandboxes with obfuscated HTML and JavaScript code.
