Year 2014 will be a year of cybersecurity after the NSA revelations made in 2013: The headline news is that the NSA has surreptitiously “burrowed its way into nearly all the security architecture” sold by the world’s largest computer networking companies. A lot of people were shocked how NSA monitored and hacked almost everything in Internet. There will still be NSA aftershocks after new material comes out and different parties react to them (and news sources write about them). U.S. cloud services have been put into question for good reason. There will be a lot of NSA spying litigation. Those spying issues will also fuel some haktivism (it has already started to happen).
Security Professionals: Top Cyber Threat Predictions for 2014 article lists the following predictions that seem to pretty propable: Cybersecurity Regulatory Efforts Will Spark Greater Need for Harmonization, Service-Impacting Interruptions for Online Services Will Persist, We Will See an Increase in Cybercrime Activity Related to the World Cup, Rise of Regional Cloud Services, Dev-Ops Security Integration Fast Becoming Critical, Cybercrime that Leverages Unsupported Software will Increase, Increase in Social Engineering and Ransomware will Impact More People.
Ubiquitous mobile computing is all around us, which will lead to increased risks and concerns about social network privacy. Social networks have quickly become the key organizing principle of Internet communication and collaboration. Android anti-virus apps CAN’T kill nasties on sight like normal AV.
2013 was a very hacked year when there was many cases where information on millions or tens of millions of users were stolen from companies. It’s likely that we will see much more of the same in 2014, the way people use passwords and how the on-line services are built have not changed much in one year.
Gartner predicts that through 2014, improved JavaScript performance will begin to push HTML5 and the browser as a mainstream enterprise application development environment. I expect that HTML5 related security issues are increased due the fact that the technology being used more in 2014.
Over 50% of net traffic to web sited made by bots! More Than Half of Internet Traffic Is Just Bots article says that security and cloud service provider Incapsula analyzed and found out that more than 60 percent of internet traffic is computer generated, compared to less than 40 percent of traffic that is driven by human clicks. 31% of Bots Are Still Malicious. SEO link building has always a major motivation for automated link spamming, but it is decreasing due the fact that Google was able to discourage it. There are more advanced hacking and automatic vulnerability searching.
DDoS attacks are evolving from volumetric Layer 3-4 attacks to much more sophisticated and dangerous Layer 7 multi-vector threats.
There will be still many SCADA security issues in 2014. Even though traditional SCADA vulnerabilities have become easier to find, the increased connectivity brought with IoT will cause new issues. And there will still be very many controls systems openly accessible from the Internet for practically everybody who knows how to do that. There was a large number of SCADA systems found open in Internet in the beginning of 2013, and the numbers have not considerably dropped during the year. I expect that very many of those systems are still too open in the end of 2014.
The Internet is expanding into enterprise assets and consumer items such as cars and televisions. The Internet of Things (IoT) will evolve into the Web of Things, increasing the coordination between things in the real world and their counterparts on the Web. There will be many security issues to solve and as the system become more widely used more security issues on them will be found in them.
Cloud security will be talked about. Hopefully there will be some clear-up on the terminology on that area, because cloud security can mean a lot of things like the term cloud computing. Cloud security could mean how secure your cloud provider is, a service that runs on cloud filtering what comes through it (for example e-mails, web traffic), it could mean to product protecting some service running on cloud, or it could be a traditional anti-virus service that connects to cloud to advance it’s operation (for example update in real-time, verify unknown programs based on data on cloud). Research firm Gartner forecasts that cloud security sales will increase dramatically in the next few years. Cloud Security sales have increased over the past year by 2.1 billion to $ 3.1 billion in 2015.
Marketers try to put “cloud” term to security product brochures as much as they can. Cloud made from the traditional information security sound old-fashioned because companies are under pressure to move services to the cloud. Also, mobile devices and information security dispersed users to set new standards. OpenDNS ‘s CTO Dan Hubbard says that “Because of the data and equipment run in the cloud users with the cloud is the best way to protect them.” The Snowden Effect will also bring this year of PRIVATE cloud talk on table for security reasons because U.S. cloud services have been put into question for good reason.
In Finland a new Cyber Security Center started in the beginning of 2014. Security articles and warnings from it will be published at kyberturvallisuuskeskus.fi.
Late addition: Crypto-currencies like Bitcoin and similar are on the rise. Early adopters already use them already actively. Those crypto-currencies have many security related issues related to them. The values of the crypto-currencies vary quite much, and easily the value drops considerably when they get so used that different governments try to limit using them. Bitcoin is increasingly used as ramsonware payment method. Bitcoins have been stolen lately quite much (and I expect that to increase when usage increases), and those are stolen from users, on-line wallets and from exchanges. When more money is involved, more bad guys try to get into to get some of it. Sometimes bad guys do not try to steal your money, bit use resources you pay (your own PC, your server capacity, etc.) to generate money for them without you knowing about it. If you plan to use those crypto-currencies be careful to understand what you are doing with them, there is a real possibility that you can loose your money and there is no way that lost money can be recovered.
3,382 Comments
Tomi Engdahl says:
Sony employees face ‘weeks of pen and paper’ after crippling network hack
Megastars’ details may have been pinched – report
http://www.theregister.co.uk/2014/11/28/sony_staff_reduced_to_pencil_and_paper_as_computers_still_crippled_by_hackers/
Sony Pictures still hasn’t recovered from a comprehensive attack on its computer networks – and staff have been reduced to doing their work by hand – according to insiders.
The infiltration by hackers has left Sony employees “sitting at their desks trying to do their job with a pen and paper,” a staffer told the Financial Times. “It’s the same all over the world.”
Bosses have told their teams that it could take three weeks to clean up the mess and get things get back to normal.
Sony, the parent corporation, is best known for installing rootkits on people’s PCs, back in the mid-2000s.
Earlier this week, miscreants calling themselves the Guardians of Peace claimed responsibility for breaking into computer systems and vandalism the intranet of Sony Pictures – an intrusion that left the firm’s computers and movie-promoting Twitter accounts under outside control.
The trouble at Sony may be worth bringing up the next time your managers question the IT security team’s budget. Saving pennies will make firms look very, very silly when the bill comes in after a comprehensive ransacking of systems by black hats.
Sony Pictures in IT lock-down after alleged hacker hosing
Data caches uploaded as hackers deface internal staff boxes
http://www.theregister.co.uk/2014/11/25/sony_pictures_in_it_lockdown_after_alleged_hacker_hosing/
Tomi Engdahl says:
Author fined $500k in first US spyware conviction
100,000 creeps buy mobe-watching wares
http://www.theregister.co.uk/2014/11/30/stealthgenie_vxer_arrested/
A US man has been handed a US$500,000 fine for selling the StealthGenie malware in the first prosecution of a mobile spyware slinger.
Akbar a Danish citizen, sold the StealthGenie malware capable of intercepting calls, text and media and tracking location on Apple, Android and Blackberry phones to more than 100,000 ‘customers’, according to a YouTube promotional video.
FBI assistant director in charge Andrew McCabe said in a statement Akbar was the first person to cop to selling spyware.
“This illegal spyware provides individuals with an option to track a person’s every move without their knowledge,” McCabe said. “As technology evolves, the FBI will continue to evolve to protect consumers from those who sell illegal spyware.”
Tomi Engdahl says:
IETF takes rifle off wall, grabs RC4 cipher’s collar, goes behind shed
Vulnerable cipher is about to go to crypto heaven
http://www.theregister.co.uk/2014/12/01/ietf_takes_rifle_off_wall_targets_rc4/
The IETF is getting ready to finally kill off the venerable-but-vulnerable RC4 cipher.
The group has issued a last call for comments before humming over a proposal that Internet-standard clients and servers need to quit using RC4 in Transaction Layer Security (TLS).
It’s a simple enough change, but in the wide world of the Internet, it’ll take time to propagate: clients should stop listing RC4 in the ClientHello message, while servers must not select RC4 on client requests. As the document notes, if the client insists on RC4, the TLS server must terminate the handshake, and may send the “insufficient_security” fatal alert back to the client.
The cipher-suite RC4 has been considered risky for some time. Last year, both Microsoft and Cisco advised customers to avoid it. RC4 was also one of the ciphers used in SSL 3.0, which fell to the POODLE bug, but as Google wrote in its analysis of the vuln, POODLE attacked a different cipher.
Tomi Engdahl says:
Sony movies leak online as computer systems remain dark
http://www.latimes.com/entertainment/envelope/cotown/la-et-ct-sony-pictures-hack-20141130-story.html
f Sony Pictures employees return to work Monday after the Thanksgiving weekend without computer or email access, it will mark the beginning of the second week of blackout for the Culver City movie studio after a widespread hack.
And Sony’s headaches do not appear to have lessened. Pirated copies of some Sony movies have begun to appear online on file sharing websites in the days after the attack. It is not known whether the two problems are related.
Sony Pictures Investigates North Korea Link In Hack Attack
http://recode.net/2014/11/28/sony-pictures-investigates-north-korea-link-in-hack-attack/
Sony Pictures Entertainment is exploring the possibility that hackers working on behalf of North Korea, perhaps operating out of China, may be behind a devastating attack that brought the studio’s network to a screeching halt earlier this week, sources familiar with the matter tell Re/code.
Tomi Engdahl says:
Sony hires Mandiant to help clean up after cyber attack
http://www.reuters.com/article/2014/11/30/us-sony-cybersecurity-mandiant-idUSKCN0JE0YA20141130
Sony Pictures Entertainment has hired FireEye Inc’s Mandiant forensics unit to clean up a massive cyber attack that knocked out the studio’s computer network nearly a week ago, three people with knowledge of the matter said on Sunday.
Computer systems at the Sony Corp unit went down last Monday after displaying a red skull and the phrase “Hacked By #GOP,” which reportedly stands for Guardians of Peace, the Los Angeles Times reported.
Tomi Engdahl says:
Coming Soon: Murder By Internet
http://www.cio.com/article/2852589/security0/coming-soon-murder-by-internet.html
Imagine a fleet of quad copters or drones equipped with explosives and controlled by terrorists. Or someone who hacks into a connected insulin pump and changes the settings in a lethal way. Or maybe the hacker who accesses a building’s furnace and thermostat controls and runs the furnace full bore until a fire is started.
Those may all sound like plot material for a James Bond movie, but there are security experts who now believe, as does Jeff Williams, CTO of Contrast Security, that “the Internet of Things will kill someone.”
Williams, whose firm provides application security, doesn’t know exactly how IoT might be used to kill someone or what device will be implicated in the nefarious scheme, but considers it a certainty that a connected device will play a role in a murder.
Similarly, Rashmi Knowles, chief security architect at RSA, said something similar in a recent blog post, imagining criminals hacking into medical devices and starting “a complete new economy” by blackmailing victims.
“Question is, when is the first murder?” wrote Knowles.
Today, there is a new “rush to connect things” and “it is leading to very sloppy engineering from a security perspective, which makes … internet of things devices very attackable — the way web applications were 10 years ago,” said Williams.
Tomi Engdahl says:
Probe Into NSA Activity Reveals Germany Spying On Germans
http://yro.slashdot.org/story/14/12/01/0354239/probe-into-nsa-activity-reveals-germany-spying-on-germans
The Local (DE) reports, “The Bundesnachrichtendienst (BND), Germany’s foreign intelligence service, spied on some citizens living abroad, a former lawyer for the spies told MPs on Thursday. Dr Stefan Burbaum … said that some Germans were targeted as “office holders,” a legal loophole the spies used to circumvent the law that protects Germans citizens from being spied on by its own intelligence agency. …
the German spies argue that a citizen working for a foreign company abroad is only protected in his private life, not in his professional communications ..
BND spied on Germans living abroad
http://www.thelocal.de/20141128/bnd-spied-on-germans-living-abroad
The Bundesnachrichtendienst (BND), Germany’s foreign intelligence service, spied on some citizens living abroad, a former lawyer for the spies told MPs on Thursday.
MPs from the Social Democratic (SPD), Green and Left (Linke) parties all criticized the BND’s ability to operate in a “lawless zone” when it came to spying on foreigners.
Under the “G10 Law” the BND is also allowed access to data from German telecoms firms to search for specifically identified suspicious traffic.
Tomi Engdahl says:
Variety:
Sony’s New Movies Leak Online Following Hack Attack — Brad Pitt’s ‘Fury,’ ‘Annie’ among titles being downloaded — At least five new movies from Sony Pictures are being devoured on copyright-infringing file-sharing hubs online in the wake of the hack attack that hobbled the studio earlier in the week.
http://variety.com/2014/digital/news/new-sony-films-pirated-in-wake-of-hack-attack-1201367036/
Tomi Engdahl says:
Ex-GCHQ boss: Hey, UK.gov, have you heard how crap iPhone biometrics are?
Last year in El Reg? Hmmm, OK. Did I mention I now flog mobile biometrics kit?
http://www.theregister.co.uk/2014/12/01/ex_gchq_boss_iphone_biometrics_shock/
If you’re an ex-GCHQ spook, it seems the BBC will leap to attention when you’ve words of wisdom to impart about mobile security.
Dear old Auntie Beeb has reported that former GCHQ boss Sir John Adye doesn’t trust the biometric security in the iPhone 6. As a story it’s got everything: top spy chief with a knighthood, mistrust of technology and the shiniest bit of electronic bling going at the moment.
It’s not just the iPhone, of course: the Samsung scanner was hacked within days of going on sale.
It seems that Sir John, who was director of GCHQ about 20 years ago, wants to publicise the flaws in older mobile biometrics software that we’ve known about for years. His company, IAS (Identity Assurance System), just happens to sell… mobile biometrics software.
Rogers told us: “Whilst it is in the interests of some to spread fear, uncertainty and doubt – particularly if they have a stake in selling similar technologies – the broad truth is that if we can increase usability and usage of access control through new technologies, we prevent data loss for more people. Usage of PIN-locks on devices is woefully low not because people aren’t interested in securing their data but because the technology is inconvenient and cumbersome.”
Tomi Engdahl says:
Pay with your credit card at station kiosk? ‘Dare Devil’ is targeting YOU
Please collect your ticket and change (& ta for the card data)
http://www.theregister.co.uk/2014/12/01/dare_devil_malware_targets_kiosks_transport_systems/
A financial malware strain has been found targeting payment systems behind transit systems and kiosks sucking up all manner of junk data, researchers say.
The malware dubbed d4re|dev1l (dare devil) has been found in kiosks at Italy’s regional transport company Azienda Regionale Sarda Trasporti, as well as at undisclosed companies – including at least one Australian business running an enterprise point-of-sale terminal.
Payment platforms from QuickBooks, OSIPOS and Gemini were among “many others” affected, IntelCrawler researches said in a post.
Tomi Engdahl says:
Coinbase claims to have a recipe for a Bitcoin breakthrough, “If you mention cryptography, then the game is lost”
American Coinbase growth company believes that bitcoin will rise into the mainstream as long as the business is put in place confidence and ease. They therefore Coinbase cooperates with authorities and banks.
Virtual Currency Bitcoin is the dawning of a new era. The new generation of companies are raising the Bitcoin Internet shady side alleys of exchange means and the gamblers investment from your armchair currency other breast.
One of the most rapidly growing and most successful growth companies Coinbase is an American, who now aspire to a foothold and new growth in Europe. Coinbase has opened its services this fall, inter alia, Finland.
Coinbasen amenities include a browser-used bitcoin wallets or bank accounts and companies referred to in the system, which can be received bitcoin payments. If necessary, Coinbase manage Bitcoin conversion into local currency and the company has to take the risk of exchange rate fluctuations in. The service will be charged a commission of Coinbase, it is, however, cheaper than the fees charged by credit card companies.
In addition, Coinbasella has its own interface targeted at developers, which allows to services such as receiving payments is easy to build in new applications and services.
Coinbasella has 1.7 million customers in the United States. When the number of users exceeded the million mark, the sellers have gone by. Now the company has nine corporate customers with a turnover in excess of one billion dollars. The same is planned to be carried out in Europe.
Armstrong believes that attracting users are key features of the trust and ease of use. Bitcoin is traditionally perceived as complicated, but Coinbase wants to hide the actual users of technology.
“If the service is mentioned private key cryptography, then the game is already lost.”
Confidence in the aim of building users assets acquired insurance. Insurance is Armstrong, the first of its kind and ensures that if the security is broken, a total of hundreds of millions of dollars Coinbasen accounts stored users are not left with nothing.
It happened in the early 2014 MtGox, which lost users’ funds up to 360 million euros.
“Coinbase is to bridge the traditional financial world and the new virtual currencies of the world. We have a foot in both worlds, “Armstrong says.
The difference between the old is big, because Bitcoin has strong roots in anarchy. Bitcoin creator Satoshi Nakamoto wanted to develop a specifically states control policy and an independent monetary system.
Armstrong, the anonymity and freedom can be useful, for example to political activists. Most of the users of the matter is, however, little interest.
Most of the Coinbasen corporate customers take payments account in local currency. According to critics, it is a fundamental problem throughout the bitcoin economy. When companies do not deal with Bitcoin, and they in turn pay their own bills, decent economy will not occur.
Armstrong acknowledges the problem, but keep the current situation a good first step.
In addition to the Bitcoin free money transfers to save money compared to traditional payment systems, they also enable completely new ways to spend money.
Source: http://summa.talentum.fi/article/tv/uutiset/114125
Tomi Engdahl says:
Intel snaps up digital identity manager PasswordBox
Summary: The firm hopes the latest buy will simplify and strengthen Intel’s security offerings.
http://www.zdnet.com/intel-snaps-up-digital-identity-manager-passwordbox-7000036278/
Intel has acquired PasswordBox, a cross-platform identity management service that will be merged with the Intel Security Group portfolio.
Announced on Monday, the IT services provider said the acquisition of Montreal-based PasswordBox will boost the company’s Safe Identity organization talent pool and solutions.
PasswordBox develops identity management solutions that allow users to log in to a number of websites and applications from any device, without needing to type or remember passwords. Instead, an app uses one-tap logins to simplify account security processes.
Intel says new benefits to consumers will be made possible by the deal, including reduced password fatigue. The firm also claims that security will be simplified, as PasswordBox’s technology will be incorporated with “new, user-friendly authentication technologies that enable users to get the benefit of improved security in a manner that is simple to set up and use.”
Tomi Engdahl says:
Anonymous statement: KKK is a terrorist group, KKK responds poorly
http://www.zdnet.com/anonymous-statement-kkk-is-a-terrorist-group-kkk-responds-poorly-7000035890/
Summary: Anonymous has issued a statement regarding its retaliation against the Ku Klux Klan’s Ferguson threats, calling the KKK a terrorist group and vowing to continue the campaign. Meanwhile, the KKK has responded poorly.
The Ku Klux Klan (KKK) threatened to use lethal force against Ferguson protesters; Anonymous successfully retaliated against the Ku Klux Klan’s Ferguson threats by taking over two primary Twitter accounts, keeping KKK websites offline and outing KKK members.
“members of Anonymous who seized the account are continuing to debate if the identities of the people associated with the Klan’s account should be released to the public.”
Anonymous seizes Ku Klux Klan Twitter account over Ferguson threats
http://www.zdnet.com/anonymous-seizes-klu-klux-klan-twitter-account-over-ferguson-threats-7000035836/
Summary: After racial hate group Ku Klux Klan said it would use ‘lethal force’ on Ferguson protesters, a skirmish with Anonymous erupted: Anonymous has now seized two primary KKK Twitter accounts.
Tomi Engdahl says:
Did Nork hackers nobble Sony Pictures’ network? Probe underway – report
Massive attack stung film studio ahead of The Interview release
http://www.theregister.co.uk/2014/11/30/sony_pictures_reportedly_probes_possible_north_korea_link_to_hack_attack/
Sony Pictures has reportedly begun investigating possible hacking links to North Korea, following a savage attack on its network earlier this week.
According to Re/code, which cited insiders, the company was yet to determine whether Nork hackers, possibly operating from within China, were behind the attack.
Sony Pictures hires Mandiant, begs FBI for help after MASSIVE cyber attack
Four upcoming films leaked – is there a connection?
http://www.theregister.co.uk/2014/12/01/sony_pictures_fbi_mandiant_cyber_attack/
Sony Pictures Entertainment (SPE) has hired FireEye’s Mandiant forensics unit to help it clean up the huge cyber attack that knocked out its network and forced its employees to put pen to paper over the last few weeks.
The company has also asked the FBI to investigate the incident and look into the leak of four of its upcoming movies, although it’s unclear if this is directly linked to the hack.
A group called Guardians of Peace was apparently behind the huge bork of Sony’s systems
The hackers said they would leak internal info they had scraped in the attack, unless SPE met its unknown demands, which they had quietly sent to the firm.
Later, internal documents started appearing online, which may have come from individual PCs on the network or the firm’s corporate servers. The docs apparently include passport scans for actors Jonah Hill, Cameron Diaz and Angelina Jolie.
Mandiant is a clean-up crew for these kinds of intrusions and will help SPE to find out how far into the system the hackers breached as well as helping to sort through the networks and restore its systems.
SPE has also approached the FBI about the hack and about the leak of a number of its upcoming movies, including its Christmas remake of the film Annie. The films, which also include Brad Pitt’s WWII drama Fury and Mr Turner, popped up on piracy sites last week.
Tomi Engdahl says:
EVIL researchers dupe EVERY 32 bit GPG print
Keys fall in four seconds
http://www.theregister.co.uk/2014/12/01/evil_researchers_dupe_every_32bit_gpg_print/
Researchers have found collision attacks for 32 bit GPG keys leaving the superseded technology well and truly dead.
Eric Swanson and Richard Klafter used graphical processing units to clone fingerprints for each 32 bit key id in Web of Trust strong set.
“32 bit key IDs were reasonable 15 years ago but are obsolete now,” the duo said in a blog.
“Using modern GPUs, we have found collisions for every 32 bit key id in the Web of Trust’s strong set.
“It is easy to generate and publish a key that looks identical if you only use 32 bits when specifying a key.”
Users are not warned if a given 32 bit ID may have a collision as key servers performed little verification.
Tomi Engdahl says:
Security advice: Protect your identity when downloading torrents!
Your real identity and ip address is visible while downloading torrents. BitTorrent isn’t the safe haven it once was. These days, everyone’s looking to throttle your connection, spy on what you’re downloading, or even send you an ominous letter. If you use BitTorrent, you absolutely need to take precautions to hide your identity.
Tomi Engdahl says:
Exclusive: FBI warns of ‘destructive’ malware in wake of Sony attack
http://www.reuters.com/article/2014/12/02/us-sony-cybersecurity-malware-idUSKCN0JF3FE20141202
The Federal Bureau of Investigation warned U.S. businesses that hackers have used malicious software to launch a destructive cyberattack in the United States, following a devastating breach last week at Sony Pictures Entertainment.
Cybersecurity experts said the malicious software described in the alert appeared to describe the one that affected Sony, which would mark first major destructive cyber attack waged against a company on U.S. soil. Such attacks have been launched in Asia and the Middle East, but none have been reported in the United States. The FBI report did not say how many companies had been victims of destructive attacks.
“I believe the coordinated cyberattack with destructive payloads against a corporation in the U.S. represents a watershed event,” said Tom Kellermann, chief cybersecurity officer with security software maker Trend Micro Inc. “Geopolitics now serve as harbingers for destructive cyberattacks.”
Tomi Engdahl says:
Sony Hack Attack: Studio Has Made Progress in Restoring Critical Business Systems, Insider Says
http://www.thewrap.com/sony-hack-attack-under-investigation-by-law-enforcement-its-a-criminal-matter/
The studio’s computer systems were compromised last Monday by a group that calls itself “Guardians of Peace,” a.k.a. #GOP
Sony Pictures Entertainment is working with law enforcement to combat last week’s hack that paralyzed the studio’s email, phone system and computers, and slowly making progress to get systems back up.
“Sony Pictures continues to work through issues related to what was clearly a cyber attack last week. The company has restored a number of important services to ensure ongoing business continuity and is working closely with law enforcement officials to investigate the matter,” the company said in a statement issued Monday afternoon.
A studio insider told TheWrap that there is still plenty more work to do to rectify the damage
Tomi Engdahl says:
Kevin Roose / Fusion:
Documents from hack of Sony Pictures reveal salaries of over 6k employees, including top execs — Hacked documents reveal a Hollywood studio’s stunning gender and race gap — Sony Pictures Entertainment, one of the largest film studios in Hollywood, appears to have been the subject of a massive, devastating computer hack.
Hacked documents reveal a Hollywood studio’s stunning gender and race gap
http://fusion.net/story/30789/hacked-documents-reveal-a-hollywood-studios-stunning-gender-and-race-gap/
Sony Pictures Entertainment, one of the largest film studios in Hollywood, appears to have been the subject of a massive, devastating computer hack. The hack, which came to light last week, included leaked full-length versions of five upcoming Sony Pictures films, along with a trove of sensitive internal documents, and a hijacking of Sony Pictures’ corporate Twitter account.
This morning, I received a link to a public Pastebin file containing the documents from an anonymous e-mailer, and have spent hours poring through some of them. I’ll spend more time in the days ahead. But one interesting tidbit caught my eye: a spreadsheet containing the salaries of more than 6,000 Sony Pictures employees, including the company’s top executives.
But when I sorted the list by “annual rate,” I noticed something notable: a stark homogeneity among the people earning the most.
Sony Pictures hack appears to have shed light on something the public rarely gets – an unfiltered look at exactly who’s making what within a large corporation.
Tomi Engdahl says:
Here’s What We Know About North Korea’s Cyberwar Army
http://recode.net/2014/12/01/heres-what-we-know-about-north-koreas-cyberwar-army/
It is still not definitively known if the hacking attack that brought the computer network belonging to Sony Pictures to its knees was carried out on behalf of North Korea or not.
U.S. government agencies, however, are considering the possibility. Today, NBC News, citing classified briefings, reported that North Korea is now considered a possible suspect by U.S. law enforcement and intelligence agencies. Separately Reuters reported that the FBI issued a confidential five-page “flash briefing” to US businesses warning of malware attacks that can destroy data on computer hard drives.
North Korea has publicly called for Sony not to release a forthcoming comedy film called “The Interview,” the plot of which involves an attempt to assassinate the country’s leader, and has even called the film “an act of war” in its propaganda.
And while we don’t typically think of North Korea as a serious threat on the cyber warfare front, it has in fact stepped up its game in recent years. Numerous security and intelligence researchers have stitched together a picture of how North Korea’s military hackers operate.
Over the summer, the computer security unit at computing giant Hewlett-Packard did a deep dive on the evolution of North Korea’s personnel and capabilities, and summarized it in a detailed 75-page report, while another report was prepared in 2009 by a U.S. Army intelligence analyst.
http://h30499.www3.hp.com/hpeb/attachments/hpeb/off-by-on-software-security-blog/388/2/HPSR%20SecurityBriefing_Episode16_NorthKorea.pdf
Tomi Engdahl says:
Jon Fingas / Engadget:
Mozilla rolls out Firefox 34 with default Yahoo search for North America, disables support for SSL 3.0 standard
http://www.engadget.com/2014/12/01/firefox-34-moves-to-yahoo/
Tomi Engdahl says:
1.7 billion annually on inundated data loss and operation breaks
EMC storage solutions has announced the global Data Protection Index survey results. Although the business information management is extremely important for businesses, information security is has major shortcomings.
A lot of problems are caused by the current hot trends hybrid cloud applications, big data, and mobile devices. Their protection is difficult, says 62 percent of the respondents.
Murphy’s Law declares that if things can go wrong, they are also likely to go. As many as 71 percent of the respondents were not completely sure that all the data can be, if necessary, to restore the problem after situations.
65 percent of the respondents had more than one security provider and the average of the three. The study showed that the more security vendor company had, the more likely it occurred in disorders such as data loss and downtime. Causes and consequences of relationship research does indeed give an answer.
“Many companies are still clearly challenges in keeping up with the IT environment for the rapid development.”
Financial terms of interruptions and loss of information caused by a total of 1.7 trillion dollars (1.36 trillion euros) losses per year.
The biggest problems were the causes of hardware failures (53%), power problems (39%) and software problems (38%). Security breaches, such as viruses and spyware, were to blame for 23 per cent of cases.
Source: http://www.tivi.fi/kaikki_uutiset/17+biljoonaa+hukkuu+vuodessa+datahavikkeihin+ja+toimintakatkoksiin/a1033268
Tomi Engdahl says:
OpenVPN plugs DoS hole
VPN providers patch! Everyone else relax.
http://www.theregister.co.uk/2014/12/02/openvpn_critical_denial_of_service_vulnerability/
OpenVPN has patched a denial-of-service vulnerability which authenticated users could trigger by sending malicious packets.
The flaw (CVE-2014-8104) is most hurtful to VPN service providers and was reported by researcher Dragana Damjanovic to OpenVPN last month.
Maintainers said in an advisory issued this morning that the flaw affected versions back to at least 2005 and allowed TLS-authenticated clients to crash the server by sending a too-short control channel packet to the server.
“In other words this vulnerability is denial of service only,” they said.
“An OpenVPN server can be easily crashed using this vulnerability by an authenticated client. However, we are not aware of this exploit being in the wild before we released a fixed version.
A fixed version of OpenVPN (2.3.6) was released 1st Dec 2014 at around 18:00 UTC. The fix was also backported to the OpenVPN 2.2 branch and released in OpenVPN 2.2.3, a source-only release.
Tomi Engdahl says:
Device fingerprinting tech: It’s not a cookie, but ‘cookie’ rules apply
EU: You can’t ‘secretly identify or single out users’
http://www.theregister.co.uk/2014/12/02/cookie_rules_apply_to_alternative_device_fingerprinting_technologies_says_privacy_watchdog/
Website operators that turn to new “device fingerprinting” technologies to track internet users’ behaviour in place of “cookies” have to obtain users’ consent in accordance with the same EU legal standards that apply to the use of cookies, an EU privacy watchdog has said.
In a new opinion it has issued, the Article 29 Working Party confirmed that consent rules in the EU’s Privacy and Electronic Communications (e-Privacy) Directive are “applicable to device fingerprinting” (11-page/560KB PDF).
http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp224_en.pdf
However, it outlined some examples where device fingerprinting could be deployed without users’ consent.
EU rules require individuals to consent to the placing of cookies on their device by the website operators and advertisers in most circumstances.
An exception to the consent requirements exists where the information stored, often in cookies, is “strictly necessary” for the provision of a service “explicitly requested” by the user.
Device fingerprints can constitute personal data, meaning that the processing of that information is subject to data protection laws, because the combination of “information elements”, which on their own might not be sufficient to identify users, can produce a set of data that is ” sufficiently unique (especially when combined with other identifiers such as the originating IP address) to act as a unique fingerprint for the device or application instance”, the watchdog said.
Tomi Engdahl says:
WARNING! FRAUD ALERT
by Bitcoin Foundation Web Team, December 1, 2014
https://bitcoinfoundation.org/2014/12/warning-fraud-alert/
Over the past few days we have noticed a significant uptick in complaints directed at our help desk about a fraud being perpetrated upon innocent Bitcoin users.
The Bitcoin Foundation’s website is being cloned and spoofed at web addresses and domains that have absolutely nothing to do with the Bitcoin Foundation. The offending websites we know about at this time include bitcompensation.com and bitsecuretransfer.com. Neither of these domains have anything to do with the Bitcoin Foundation.
If you are contacted and directed to a page that looks like the screenshot below, please close your browser as you are about to be scammed out of your Bitcoins.
Tomi Engdahl says:
Mozilla Foundation Security Advisories
https://www.mozilla.org/en-US/security/advisories/
Tomi Engdahl says:
FBI: Watch out for HDD-BUSTING Sony megahack malware
This thing could spread, warn g-men
http://www.theregister.co.uk/2014/12/02/malware_warning_follows_sony_megahack/
The FBI has warned US businesses to maintain a heightened state of alert following a high profile cyber attack on Sony Pictures Entertainment last week.
The malicious software outlined in the alert bears the hallmarks of the malware that affected Sony. Reuters reports that the five-page, confidential “flash” warning was issued by the FBI on Monday.
The unnamed malware is a data wiper that overwrites data on hard drives of computers, including the master boot record. Infected Windows machines are incapable of even booting up after infection.
“The overwriting of the data files will make it extremely difficult and costly, if not impossible, to recover the data using standard forensic methods,” the warning – which did not directly identify Sony as a victim – said.
The attack on Sony Pictures Entertainment floored corporate email for a week, as well as causing other problems.
Unreleased Sony movies, including The Interview, a spy caper about journalists roped into a plot to assassinate North Korean leader Kim Jong-un, were leaked onto file-sharing sites following the breach. The Pyongyang government denounced the movie as an “undisguised sponsoring of terrorism, as well as an act of war” in a letter to UN Secretary-General Ban Ki-moon back in June.
This, together with evidence that portions of the data writing software were compiled in Korean, has led to suspicions that the Norks might be behind the attack. There are precedents for this sort of malfeasance.
Tomi Engdahl says:
Brits conned out of nearly £24m in phone scams IN ONE YEAR
Folks keep handing out financial data to cold callers
http://www.theregister.co.uk/2014/12/02/phone_scam_losses_triple/
Brits have lost three times as much money in phone scams in the last year than they did the year before, according to Financial Fraud Action UK.
DCI Perry Stokes, head of specialist policing unit the Dedicated Cheque and Plastic Crime Unit (DCPCU), warned people that they always needed to be on their guard when asked for financial details on the phone.
“The bank or the police will never tell you to take such actions, so if you’re asked it can only be a criminal attack. Wait five minutes and call your bank, preferably from a different telephone, if you have even the slightest doubt,” he said.
The DCPCU and other police units, along with financial firms, will be kicking off a national advertising campaign to stop phone scams. Often, the scammers actually pretend that their victim has already been defrauded and use that to request personal and financial data from them.
Tomi Engdahl says:
Obama announces funding for 50,000 police body cameras
http://www.theverge.com/2014/12/1/7314685/after-ferguson-obama-announces-funding-for-police-body-cameras
In an announcement today, the White House has pledged $263 million in new federal funding for police training and body cameras, set aside by executive order. The money includes $75 million allocated specifically for the purchase 50,000 cameras for law enforcement officers across the country.
The cameras are designed to provide a definitive record of police activities, and have become a frequent demand in the wake of the Ferguson protests. The protests began with the death of Michael Brown, an unarmed teenager killed by the police in Ferguson. Community leaders pointed to video taken in the aftermath of Brown’s death as evidence of police misconduct, and the subsequent outcry has triggered a Justice Department investigation.
The new funding push is substantial, but 50,000 cameras will cover only a fraction of the more than 750,000 police officers currently employed in America. Camera proposals have also run into trouble with public records laws in states like Washington, which require the release of all police records not actively tied up in an investigation. With hundreds of hours of video generated by police cameras every day, that would present serious problems for both privacy and simple logistics.
Tomi Engdahl says:
I am Mikko Hypponen, a computer security expert. Ask me anything!
http://www.reddit.com/r/IAmA/comments/2o1il1/i_am_mikko_hypponen_a_computer_security_expert/
Tomi Engdahl says:
mikkohypponen[S] 28 points an hour ago*
There are different problems: problems with security and problems with privacy.
Companies like Google and Facebook make money by trying to gather as much information about you as they can. But Google and Facebook are not criminals and they are not breaking the law.
Security problems come from criminals who do break the law and who directly try to steal from you with attacks like banking trojans or credit card keyloggers.
Normal, everyday people do regularily run into both problems. I guess getting hit by a criminal attack is worse, but getting your privacy eroded is not a laughing matter either.
Blanket surveillance of the internet also affects us all. But comparing these threats to each other is hard.
Source: http://www.reddit.com/r/IAmA/comments/2o1il1/i_am_mikko_hypponen_a_computer_security_expert/
Tomi Engdahl says:
mikkohypponen[S] 67 points an hour ago*
It’s trivial to modify existing malware so that traditional antivirus programs won’t detect it any more. It only takes couple of minutes.
That’s why antivirus programs have been moving towards behaviour-based detection models as well as towards reputation-based detection models.
Do note that testing behaviour-based blocking is hard. That’s why it’s misleading when people post links to sites such as Virustotal as evidence that particular file is ‘not detected by AVs’. There’s no way to know if a particular antivirus would have blocked the file, unless you would try to run it.
I especially like reputation-based detection models. Virus writers go to great lengths to try to create unique, never-before-seen files against every victim, believing that this makes it harder for antivirus to block those files. Reputation-based blocking turns that on it’s head: they will block files which are very rare. So, a program would be blocked on your system with a warning like:
“As far as we can see, this program has never been executed by anyone else anywhere. You are the first person on the planet to run this file. This is highly unusual. We will block this file, even though we can’t find any known malware from the file”
The only problem with this scenario are software developers, who compile their own programs. They obviously are the first persons on the planet to run a particular program – as they made it themselves! They can easily whitelist their output folder to avoid this problem though.
Source: http://www.reddit.com/r/IAmA/comments/2o1il1/i_am_mikko_hypponen_a_computer_security_expert/
Tomi Engdahl says:
Yes, Kaspersky Lab seems to have some ties with the Russian government.
Which is not surprising. Because you know what? Symantec and McAfee have some ties with the US government too.
Does this mean that Russian users should not run American products? And vice versa? I don’t know.
Source: http://www.reddit.com/r/IAmA/comments/2o1il1/i_am_mikko_hypponen_a_computer_security_expert/
Related link:
Russia’s Top Cyber Sleuth Foils US Spies, Helps Kremlin Pals
http://www.wired.com/2012/07/ff_kaspersky/all/
Tomi Engdahl says:
About working in infosec:
You need to pick your focus area. What do you want to do? Penetration testing? Encryption? Malware analysis? Forensics? Underground intelligence? Counter-espionage?
Then you need to find mentors and coaches. The easiest way to do this is via online forums dedicated to your focus area. For example, check forum.infosecmentors.com
SANS has some great online resources for people starting up in this area: check them out.
For a great malware backgrounder, read Peter Szor’s book “Art of Computer virus research” (getting dated) and “Practical Malware Analysis” by Michael Sikorski and Andrew Honig (much newer).
Do you see malware analysis as a growth field for careers? Why?
Good malware analysts will always get a job. And malware isn’t going to go away any time soon.
It’s not just security companies who are hiring people in this field. Many large companies and telcos have their own CERT teams which hire malware analysts.
Is it unethical to release viruses that kill viruses?
The idea of a ‘good virus’ has been discussed to death already years ago. The consensus is that anything good that could be done with self-replicating code could be done better without the replication.
See Dr. Vesselin Bontchev’s seminal paper on this: https://www.virusbtn.com/files/old_papers/goodvir.txt
Source: http://www.reddit.com/r/IAmA/comments/2o1il1/i_am_mikko_hypponen_a_computer_security_expert/
Tomi Engdahl says:
Nicole Perlroth / New York Times:
Phishing attacks against 100+ public companies in biotech, medical devices, other sectors seek insider info that could affect stock prices
Hackers Using Lingo of Wall St. Breach Health Care Companies’ Email
http://www.nytimes.com/2014/12/02/technology/hackers-target-biotech-companies.html
For more than a year, a group of cybercriminals has been pilfering email correspondence from more than 100 organizations — most of them publicly traded health care or pharmaceutical companies — apparently in pursuit of information significant enough to affect global financial markets.
The group’s activities, detailed in a report released Monday morning by FireEye, a Silicon Valley security company, shed light on a new breed of criminals intent on using their hacking skills to gain a market edge in the pharmaceutical industry, where news of clinical trials, regulatory decisions or safety or legal issues can significantly affect a company’s stock price.
Tomi Engdahl says:
Twitter releases improved tools for reporting abuse and harassment
The company has been criticized for weak responses to violent threats
http://www.theverge.com/2014/12/2/7317955/twitter-releases-improved-tools-for-reporting-abuse-and-harassment
After receiving much criticism for its handling of threats on the service, Twitter is announcing some improvements to its process for reporting abuse. Starting today, the company is rolling out what it says is a more streamlined process for reporting accounts that harass or threaten other users. The changes come after several high-profile instances of threats and abuse around the world
The changes announced today include reporting abuse with fewer steps, letting people who are not directly involved in the abuse flag it more easily, giving users a page where they can view and edit those whom they have previously blocked, and preventing blocked users from viewing the profiles of the people who blocked them.
Reporting abuse on Twitter has previously required filling out a nine-part questionnaire.
While complaints are reviewed manually, the process can be slow and opaque.
For example, if 100 users all flag the same tweet, it could receive an expedited response.
Sources familiar with Twitter’s plans say more improvements to abuse-reporting are on the way
Tomi Engdahl says:
Report Connects Iran to Critical Infrastructure Hacks Worldwide
http://threatpost.com/report-connects-iran-to-critical-infrastructure-hacks-worldwide/109666
Iranian state-sponsored hackers have been singled out for attacks on critical infrastructure worldwide, including 10 targets in the United States.
Security firm Cylance today released an 86-page report on Operation Cleaver that lays out Iran’s hacking capabilities and motivations to attack global interests beyond the U.S. and Israel, long thought to be behind Stuxnet, and espionage campaigns using Flame and Duqu malware.
“They have bigger intentions: to position themselves to impact critical infrastructure globally,” the report said. “We believe that if the operation is left to continue unabated, it is only a matter of time before the world’s physical safety is impacted by it.”
A Reuters article quoted a senior Iranian official who dismissed the report.
Operation Cleaver report
http://www.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf
Tomi Engdahl says:
FBI Warns US Businesses of Possible Wiper Malware Attacks
http://threatpost.com/fbi-warns-us-businesses-of-possible-wiper-malware-attacks/109662
The FBI issued a five-page flash warning yesterday urging American enterprises to be on the lookout for wiper malware.
The alert, a Reuters report said, described some details about the malware but kept the victim anonymous.
Reuters said the description of the malware in the flash alert said the code overrides data on hard drives making them inoperable.
Flash alerts are confidential and sent to businesses thought to be in harm’s way.
Wiper malware has been used in a number of high-profile attacks, the most infamous being the Shamoon attack against Saudi oil company Aramco in August 2012. Shamoon left tens of thousands of workstations inoperable at the oil facility, but did not hamper oil production. The malware overwrites the Master Boot Record on a hard drive after it probes and steals data from the machine.
In early 2013, wiper malware was used in attacks against businesses and media outlets in South Korea, including major banks and the country’s top television network.
News of the attack against Sony’s systems broke early last week before the Thanksgiving holiday.
Since then, the hackers have been leaking data online, including a number of unreleased movies
Tomi Engdahl says:
More from the Sony Pictures hack: budgets, layoffs, HR scripts, and 3,800 social security numbers — Yesterday, I reported on a spreadsheet apparently taken from Sony Pictures Entertainment, one of the largest and most powerful studios in Hollywood, by a group of hackers calling themselves Guardians of Peace.
More from the Sony Pictures hack: budgets, layoffs, HR scripts, and 3,800 social security numbers
http://fusion.net/story/30850/more-from-the-sony-pictures-hack-budgets-layoffs-hr-scripts-and-3800-social-security-numbers/
Assuming the contents of the leak can be verified – so far, they haven’t been, and Sony Pictures hasn’t responded to numerous requests for comment – the Sony Pictures hack appears to be of a completely different magnitude than the normal DDOS attacks, social media hijackings, and other data breaches we’ve grown accustomed to. In fact, it could be one of the largest corporate hacks in history.
Partly, this is because Sony Pictures doesn’t appear to have made things very hard for the hackers.
Sony Pictures is scrambling to deal with the consequences of the hack. The company has reportedly hired Mandiant, the same security research firm that helped the New York Times deal with an apparent Chinese hack last year. Re/code reported last week that Sony is investigating possible North Korean involvement in the attack. If North Korea is indeed behind the attack, many are speculating it might be an act of retribution for The Interview, a soon-to-be-released Sony comedy starring Seth Rogen that offended North Korean authorities.
Tomi Engdahl says:
How much do you have to pay for a malware that can steal 40 million credit cards?
Payment terminals are operating LusyPOS malware may be purchased for $ 2,000, or about 1,600 euros. A similar program was used to stole last year in the Target department store information about 40 million credit cards. Target the attack as a whole caused hundreds of millions of damage.
Adverse program is traded in VirustTotal site, which also sells the stolen payment card data reveal security company Cbts’s boss Brian Minick. LusyPOS is a new program, so it is not easily detected with virus scanners yet. It utilizes the transmission of information to the Tor network.
Source: http://www.tivi.fi/kaikki_uutiset/halvalla+lahtee++nain+paljon+maksaa+haittaohjelma+jolla+voi+varastaa+40+miljoonaa+luottokorttia/a1033605
Tomi Engdahl says:
Hacker Guru: “The Internet of Things is a new worm can”
All fanatical Internet of Things, IOT to. The renowned security researcher, even hacker guru held Samy Kamkar predicts that the future we will see a lot of attacks against the IOT-products. Over the years, Kamkar has found a number of significant security holes (PHP, credit cards, iOS, Android, Windows phone).
He believes that most of the Internet of Things in the product developers are trying primarily to design and publish products, and ensure safety.
“The Internet of Things will open a new jar of worms,”
Often, the Internet of Things products used in Linux. It can almost imagine itself to confer protection against attacks. Belief is wrong.
“Linux has its own vulnerability and attack vectors which people should pay attention to”
Source: http://summa.talentum.fi/article/tv/uutiset/115176
Tomi Engdahl says:
Question 16 – What issues concern you the most while performing their duties? Select up to five think the most important thing:
17% of the terminals by strikes malware (virus, or something similar)
14% had to be a targeted attack on a victim
12% in the terminal device is stolen
12% on your device to confidential data leaks elsewhere
9% in your username and password to his duties on the important service of theft
8% terminal files are poorly backed up and dissolution of the device you will lose important information
6% of the terminal device security updates are not up-to-date
5% you need to transport and handle a job outside of confidential information
3% no
2% do not know what things are on assignment confidential
2% you are not trained enough information security
2% do not know what are the responsibilities of information security
1% of you do not know how to handle confidential information with the right work equipment
Question 18 – What issues concern you most in your spare time? Select up to five think the most important thing
13% of the username and password you with important services, such as e-mail is stolen
13% of the terminals by strikes malware (virus, or something similar)
12% credit card information is stolen and abused
11% in the terminal device, such as hard drive crashes and you lose important information
10% of someone’s right to use nettipankkiyhteyttäsi
10% of the device that personal data leak elsewhere
9% in the terminal device is lost or stolen
6% of the data flowing through social media services such as sales and marketing purposes
6% terminal files are poorly backed up
6% you will get scammed online shop or online auction
2% terminal device security updates are not up-to-date
2% you will intimidate, for example, through social media
1% other option
Leisure time number one on their own will and passwords safety, followed by the other terminal, its own economy, dealing with services or instruments (bank information, credit cards) threats.
Source: http://www.tivi.fi/blogit/turvasatama/tietoturvakyselyni+tulossatoa+tietoturvaongelmia+puolet+useammin+kotona+kuin+tyopaikalla/a1033707
Tomi Engdahl says:
FBI: Wiper Malware Has Korean Language Packs, Hard Coded Targets
http://it.slashdot.org/story/14/12/02/188233/fbi-wiper-malware-has-korean-language-packs-hard-coded-targets
chicksdaddy sends news that the FBI has issued a warning to U.S. businesses over a “destructive” malware campaign using advanced tools. They don’t name specific targets, but the information fits with the details from last week’s attack on Sony Pictures
Samples of the malware obtained by the FBI were also found to contain configuration files created on systems configured with Korean language packs. The use of Korean could strengthen theories that the destructive cyber attacks have links to North Korea, though it is hardly conclusive.
FBI: Destructive Malware Used Korean Language Packs
https://securityledger.com/2014/12/fbi-destructive-malware-used-korean-language-packs/
Tomi Engdahl says:
MasterCard Rails Against Bitcoin’s (Semi-)Anonymity
http://news.slashdot.org/story/14/12/03/012222/mastercard-rails-against-bitcoins-semi-anonymity
MasterCard has used a submission (PDF) to an Australian Senate inquiry to argue for financial regulators to move against the pseudonymity of digital currencies such as Bitcoin.
MasterCard believes that “all participants in the payments system that provide similar services to consumers should be regulated in the same way to achieve a level playing field for all.”
http://www.aph.gov.au/DocumentStore.ashx?id=76fd5a6f-dfdc-4c45-b998-752b97e09ebd&subId=301946
Tomi Engdahl says:
Mike Fleming / Deadline:
In memo to staff, Sony execs Michael Lynton and Amy Pascal confirm confidential data was stolen
Sony’s Michael Lynton & Amy Pascal On Hacking: “Malicious Criminal Acts”
http://deadline.com/2014/12/sony-michael-lynton-amy-pascal-computer-hacking-malicious-criminal-acts-1201306893/
EXCLUSIVE: Sony Pictures has been largely quiet as it has dealt with a massive pre-Thanksgiving cyberattack that has seen computers frozen, executive salaries revealed and the release of upcoming movies. Tonight, Sony chiefs Michael Lynton and Amy Pascal have addressed in an email to staff a crisis they call “malicious criminal acts.” Essentially, they acknowledge they are still learning the extent of the damage done by this hack attack and that employees could very well find their confidential data exposed. “While we are not yet sure of the full scope of information that the attackers have or might release, we unfortunately have to ask you to assume that information about you in the possession of the company might be in their possession. While we would hope that common decency might prevent disclosure, we of course cannot assume that.”
“It is now apparent that a large amount of confidential Sony Pictures Entertainment data has been stolen by the cyber attackers, including personnel information and business documents.”
Yesterday, we told you that we are offering all employees identity protection services with a third-party service provider, AllClear ID, and that you would receive an email tomorrow outlining steps to sign up.
Tomi Engdahl says:
Is Uber’s rider database a sitting duck for hackers?
http://www.washingtonpost.com/blogs/the-switch/wp/2014/12/01/is-ubers-rider-database-a-sitting-duck-for-hackers/
Before #Ubergate recedes entirely from the news, let’s pause on one aspect of the story that hasn’t gotten much attention so far: the cybersecurity risk of collecting massive troves of private travel information in online databases.
Imagine for a second that your job is to gather intelligence on government officials in Washington, or financiers in London, or entrepreneurs in San Francisco. Imagine further that there existed a database that collected daily travel information on such people with GPS-quality precision– where they went, when they went there and who else went to those same places at the same times.
Now add that all this location data was not held by a battle-hardened company with tons of lawyers and security experts, such as Google. Instead, this data was held by a start-up that was growing with viral exuberance – and with so few privacy protections that it created a “God View” to display the movements of riders in real-time and at least once projected such information on a screen for entertainment at a company party.
A person who had a job interview in Uber’s Washington office in 2013 said he got the kind of access enjoyed by actual employees for an entire day, even for several hours after the job interview ended.
“What an Uber employee would have is everything, complete,”
A more sophisticated – and malicious – person with that access could have scraped data on a massive scale, then used powerful analytical software to learn things that Uber users might want to keep private, for professional or personal reasons.
Tomi Engdahl says:
Is EU right to expand ‘right to be forgotten’ to Google.com?
The basic idea might be nuts, but the specific point is spot on
http://www.theregister.co.uk/2014/12/03/the_eus_right_to_expand_the_right_to_forget_to_googlecom/
The European Union is arguing that the so-called “right to be forgotten” (you know, sure, I was a paedophile mass murderer but it was only the once and I’ve been to confession now so nobody should know about it) in Google and other search engine results should be extended to the Google.com domain, as well as those aimed more directly at the European countries.
This means Google will be required to not just clean .co.uk, .de and so on, but also to clean .com. In fact, it’s likely to have to prepare two different versions of .com as a result of this.
Tomi Engdahl says:
GCHQ boffins quantum-busted its OWN crypto primitive
‘Soliloquy’ only ever talked to itself
http://www.theregister.co.uk/2014/12/03/gchq_boffins_quantumbusted_own_crypto_primitive/
While the application of quantum computers to cracking cryptography is still, for now, a futuristic scenario, crypto researchers are already taking that future seriously.
It came as a surprise to Vulture South to find that in October of this year, researchers at GCHQ’s information security arm the CESG abandoned work on a security primitive because they discovered a quantum attack against it.
Presented to the ETSI here, with the full paper here, the documents outline the birth and death of a primitive the CESG called Soliloquy.
Given that improving computer power is one of the ways a primitive can be broken, there’s a constant background research effort into both creating the primitives of the future, and testing them before they’re adopted – and that’s where Soliloquy comes in.
As the researchers drily note in their conclusion, “designing quantum-resistant cryptography is a difficult task”, and while researchers are starting to create such algorithms for deployment, “we caution that much care and patience will be required” to provide a thorough security assessment of any such protocol.
Tomi Engdahl says:
US retail giant Target fails to get banks’ MEGABREACH lawsuit slung out of court
Judge cites its actions and inactions when hackers hit
http://www.theregister.co.uk/2014/12/03/target_bank_lawsuit/
Target has failed in is attempt to persuade a judge to reject lawsuit by banks harmed by losses following the US retail giant’s megabreach.
US District Judge Paul Magnuson ruled that Target played a “key role” in permitting cybercriminals to infiltrate its computer networks. Because of this, a lawsuit by banks seeking to recoup card fraud loss payouts from Target ought to be allowed to proceed towards trial, he maintained.
The lawsuit by five bank plaintiffs, which seek class-action status on behalf of financial institutions across the US, accuses the discount retailer of negligence and violating Minnesota consumer protection laws.
An estimated 40 million credit cards were compromised in the breach at Target in late 2013.
Credit card information was stolen following a successful malware-based attack on Target’s point-of-sale (PoS) machines over the pre-Christmas holiday shopping season.
Tomi Engdahl says:
Dig into Iron Mountain and you’ll find Seagate and EVault
Cloudy DR dares to enter underground data dungeons
http://www.theregister.co.uk/2014/12/03/iron_mountain_supported_by_seagate_evault_cloud_disaster_recovery/
Cloud-based backup, recovery and disaster recovery (DR) services are being offered from an Iron Mountain data dungeon using Seagate kit and EVault software.
Seagate is helping Iron Mountain move into the digital storage business again. Autonomy, in pre-HP days, bought the rusty heap’s cloud archive storage business in 2011 after Iron Mountain threw in the towel on a failed enterprise, prompted by activist investor Elliott Management.
Now, three years later, it is partnering with Seagate to get back into the cloud storage business. Iron Mountain will offer EVault’s Cloud Backup and Cloud Disaster Recovery services.