Year 2014 will be a year of cybersecurity after the NSA revelations made in 2013: The headline news is that the NSA has surreptitiously “burrowed its way into nearly all the security architecture” sold by the world’s largest computer networking companies. A lot of people were shocked how NSA monitored and hacked almost everything in Internet. There will still be NSA aftershocks after new material comes out and different parties react to them (and news sources write about them). U.S. cloud services have been put into question for good reason. There will be a lot of NSA spying litigation. Those spying issues will also fuel some haktivism (it has already started to happen).
Security Professionals: Top Cyber Threat Predictions for 2014 article lists the following predictions that seem to pretty propable: Cybersecurity Regulatory Efforts Will Spark Greater Need for Harmonization, Service-Impacting Interruptions for Online Services Will Persist, We Will See an Increase in Cybercrime Activity Related to the World Cup, Rise of Regional Cloud Services, Dev-Ops Security Integration Fast Becoming Critical, Cybercrime that Leverages Unsupported Software will Increase, Increase in Social Engineering and Ransomware will Impact More People.
Ubiquitous mobile computing is all around us, which will lead to increased risks and concerns about social network privacy. Social networks have quickly become the key organizing principle of Internet communication and collaboration. Android anti-virus apps CAN’T kill nasties on sight like normal AV.
2013 was a very hacked year when there was many cases where information on millions or tens of millions of users were stolen from companies. It’s likely that we will see much more of the same in 2014, the way people use passwords and how the on-line services are built have not changed much in one year.
Gartner predicts that through 2014, improved JavaScript performance will begin to push HTML5 and the browser as a mainstream enterprise application development environment. I expect that HTML5 related security issues are increased due the fact that the technology being used more in 2014.
Over 50% of net traffic to web sited made by bots! More Than Half of Internet Traffic Is Just Bots article says that security and cloud service provider Incapsula analyzed and found out that more than 60 percent of internet traffic is computer generated, compared to less than 40 percent of traffic that is driven by human clicks. 31% of Bots Are Still Malicious. SEO link building has always a major motivation for automated link spamming, but it is decreasing due the fact that Google was able to discourage it. There are more advanced hacking and automatic vulnerability searching.
DDoS attacks are evolving from volumetric Layer 3-4 attacks to much more sophisticated and dangerous Layer 7 multi-vector threats.
There will be still many SCADA security issues in 2014. Even though traditional SCADA vulnerabilities have become easier to find, the increased connectivity brought with IoT will cause new issues. And there will still be very many controls systems openly accessible from the Internet for practically everybody who knows how to do that. There was a large number of SCADA systems found open in Internet in the beginning of 2013, and the numbers have not considerably dropped during the year. I expect that very many of those systems are still too open in the end of 2014.
The Internet is expanding into enterprise assets and consumer items such as cars and televisions. The Internet of Things (IoT) will evolve into the Web of Things, increasing the coordination between things in the real world and their counterparts on the Web. There will be many security issues to solve and as the system become more widely used more security issues on them will be found in them.
Cloud security will be talked about. Hopefully there will be some clear-up on the terminology on that area, because cloud security can mean a lot of things like the term cloud computing. Cloud security could mean how secure your cloud provider is, a service that runs on cloud filtering what comes through it (for example e-mails, web traffic), it could mean to product protecting some service running on cloud, or it could be a traditional anti-virus service that connects to cloud to advance it’s operation (for example update in real-time, verify unknown programs based on data on cloud). Research firm Gartner forecasts that cloud security sales will increase dramatically in the next few years. Cloud Security sales have increased over the past year by 2.1 billion to $ 3.1 billion in 2015.
Marketers try to put “cloud” term to security product brochures as much as they can. Cloud made from the traditional information security sound old-fashioned because companies are under pressure to move services to the cloud. Also, mobile devices and information security dispersed users to set new standards. OpenDNS ‘s CTO Dan Hubbard says that “Because of the data and equipment run in the cloud users with the cloud is the best way to protect them.” The Snowden Effect will also bring this year of PRIVATE cloud talk on table for security reasons because U.S. cloud services have been put into question for good reason.
In Finland a new Cyber Security Center started in the beginning of 2014. Security articles and warnings from it will be published at kyberturvallisuuskeskus.fi.
Late addition: Crypto-currencies like Bitcoin and similar are on the rise. Early adopters already use them already actively. Those crypto-currencies have many security related issues related to them. The values of the crypto-currencies vary quite much, and easily the value drops considerably when they get so used that different governments try to limit using them. Bitcoin is increasingly used as ramsonware payment method. Bitcoins have been stolen lately quite much (and I expect that to increase when usage increases), and those are stolen from users, on-line wallets and from exchanges. When more money is involved, more bad guys try to get into to get some of it. Sometimes bad guys do not try to steal your money, bit use resources you pay (your own PC, your server capacity, etc.) to generate money for them without you knowing about it. If you plan to use those crypto-currencies be careful to understand what you are doing with them, there is a real possibility that you can loose your money and there is no way that lost money can be recovered.
3,382 Comments
Tomi Engdahl says:
Operation Socialist
The Inside Story of How British Spies Hacked Belgium’s Largest Telco
https://firstlook.org/theintercept/2014/12/13/belgacom-hack-gchq-inside-story/
When the incoming emails stopped arriving, it seemed innocuous at first. But it would eventually become clear that this was no routine technical problem. Inside a row of gray office buildings in Brussels, a major hacking attack was in progress. And the perpetrators were British government spies.
It was in the summer of 2012 that the anomalies were initially detected by employees at Belgium’s largest telecommunications provider, Belgacom. But it wasn’t until a year later, in June 2013, that the company’s security experts were able to figure out what was going on. The computer systems of Belgacom had been infected with a highly sophisticated malware, and it was disguising itself as legitimate Microsoft software while quietly stealing data.
Tomi Engdahl says:
UK banks ill-prepared for return of the rabid POODLE
Only 4,096 requests needed to uncover a 16-character cookie
http://www.theregister.co.uk/2014/12/15/uk_banks_ill_prepared_for_return_of_the_rabid_poodle/
The latest evolution of a high-profile security flaw potentially exposes UK banks’ web site traffic to eavesdropping.
The POODLE (Padding Oracle On Downgraded Legacy Encryption) security flaw first surfaced in October and was thought to affect only the obsolete – but still widely used – Secure Sockets Layer (SSL) 3.0 crypto algorithm. Researchers revealed last week that the POODLE flaw also affects versions of TLS (short for Transport Layer Security).
“The impact of this problem is similar to that of POODLE, with the attack being slightly easier to execute – no need to downgrade modern clients down to SSL 3 first, TLS 1.2 will do just fine,” explained Ivan Ristic, director of engineering at security firm Qualys, in a blog post. “The main targets are browsers, because the attacker must inject malicious JavaScript to initiate the attack.
“A successful attack will use about 256 requests to uncover one cookie character, or only 4096 requests for a 16-character cookie. This makes the attack quite practical,” he warned.
Tomi Engdahl says:
The DIY Tool to Silence Twitter Harassment
http://motherboard.vice.com/read/the-diy-tool-to-silence-harassment-on-twitter?trk_source=popular
Misogyny has become something of a defining feature of social media. It’s like Godwin’s Law but often seems even more inevitable: as a discussion goes on, someone will eventually spew abuse targeted at a woman, or women in general. Bring up certain subjects, and you can speed up that process. One topic in particular has been a no-go zone in the past few months: video games.
Harper is the creator of Good Game Auto Blocker, or ggautoblocker, a tool that is intended to filter out Twitter users who support Gamergate, the online controversy characterised by misogynistic harassment within the video game community.
Good Game Auto Blocker
https://randi.io/wp/good-game-auto-blocker
The current version of Good Game Auto Blocker compares the follower lists for a specific set of twitter accounts that are known to incite the mob campaign to attack a single user. If an account is found to be following more than one of these campaign leader accounts, they are added to a list of problematic users.
Tomi Engdahl says:
Eric Schmidt: To Avoid NSA Spying, Keep Your Data In Google’s Services
http://tech.slashdot.org/story/14/12/15/1243213/eric-schmidt-to-avoid-nsa-spying-keep-your-data-in-googles-services
Edward Snowden’s revelations on NSA spying shocked the company’s engineers
Now, after a year and a half of work, Schmidt says that Google’s services are the safest place to store your sensitive data.
Schmidt: NSA revelations forced Google to lock down data
http://www.itworld.com/article/2859355/schmidt-nsa-revelations-forced-google-to-lock-down-data.html
Google had envisioned a complicated method to sniff traffic, but “the fact that it had been done so directly … was really a shock to the company,” Schmidt said.
After reporters showed Google engineers a diagram of the intelligence agency’s methods to tap links between Google data centers, the engineers responded with a “fusillade of words that we could not print in our family newspaper,” Washington Post reporter Craig Timberg said.
Google responded to the revelations by former NSA contractor Edward Snowden by spending a lot of money to lock down its systems, including 2,048-bit encryption on its traffic, Schmidt said. “We massively encrypted our internal systems,” he said. “It’s generally viewed that this level of encryption is unbreakable in our lifetime by any sets of human beings in any way. We’ll see if that’s really true.”
Schmidt told the audience that the safest place to keep important information is in Google services. “Anywhere else” is not the safest place to keep data, he said.
Schmidt touted the incognito browsing feature in Google’s Chrome browser and Google’s Dashboard feature, which allows its users to set their privacy preferences. He noted that some security experts have questioned his claim that Android is the safest mobile operating system. Both Google and Apple are working “very, very hard” on security features in their mobile OSes, he said.
Tomi Engdahl says:
Forbes Blasts Latests Windows 7 Patch as Malware
http://tech.slashdot.org/story/14/12/14/1937242/forbes-blasts-latests-windows-7-patch-as-malware
If you have Windows 7 set to automatically update every Tuesday, it may be to permanently disable that feature. Microsoft has just confirmed that a recent update — specifically KB 3004394 — is causing a range of serious problems and recommends removing it.
Tomi Engdahl says:
Mysterious ’08 Turkey Pipeline Blast Opened New Cyberwar Era
http://www.bloomberg.com/news/2014-12-10/mysterious-08-turkey-pipeline-blast-opened-new-cyberwar.html
The pipeline was outfitted with sensors and cameras to monitor every step of its 1,099 miles from the Caspian Sea to the Mediterranean. The blast that blew it out of commission didn’t trigger a single distress signal.
That was bewildering, as was the cameras’ failure to capture the combustion in eastern Turkey. But investigators shared their findings within a tight circle. The Turkish government publicly blamed a malfunction, Kurdish separatists claimed credit and BP Plc (BP/) had the line running again in three weeks. The explosion that lit up the night sky over Refahiye, a town known for its honey farms, seemed to be forgotten.
It wasn’t. For western intelligence agencies, the blowout was a watershed event. Hackers had shut down alarms, cut off communications and super-pressurized the crude oil in the line, according to four people familiar with the incident who asked not to be identified because details of the investigation are confidential. The main weapon at valve station 30 on Aug. 5, 2008, was a keyboard.
Tomi Engdahl says:
How Congress Secretly Just Legitimized Questionable NSA Mass Surveillance Tool
from the just-slipped-it-right-in dept
Fri, Dec 12th 2014
https://www.techdirt.com/articles/20141212/07421729414/how-congress-secretly-just-legitimized-questionable-nsa-mass-surveillance-tool.shtml
We recently noted that, despite it passing overwhelmingly, Congress quietly deleted a key bit of NSA reform that would have blocked the agency from using backdoors for surveillance. But this week something even more nefarious happened, and it likely would have gone almost entirely unnoticed if Rep. Justin Amash’s staffers hadn’t caught the details of a new provision quietly slipped into the Intelligence Authorization Act, which effectively “legitimized” the way the NSA conducts most of its mass surveillance.
For a while now, we’ve discussed executive order 12333, signed by President Ronald Reagan, which more or less gives the NSA unchecked authority to tap into any computer system not in the US.
The NSA’s surveillance is almost entirely done under this authority, which has no Congressional oversight. All those other programs we’ve been arguing about — Section 215 of the Patriot Act or Section 702 of the FISA Amendments Act — are really nothing more than ways to backfill the data the NSA has been unable to access under 12333.
Yet, what Amash and his staffers found is that a last minute change by the Senate Intelligence Committee to the bill effectively incorporated key parts of EO 12333 into law, allowing for “the acquisition, retention, and dissemination” of “nonpublic communications.”
This seems particularly nefarious. In trying to claim that they’re putting a limit on this activity (that’s already happening) they can claim that they’re not really expanding the power of the NSA and the surveillance state. But, by putting it in law, rather than just having it in an executive order, they’re effectively legitimatizing the practice, and making it much harder to roll back.
And they did it all quietly without any debate.
Tomi Engdahl says:
Next gen ransomware: Elliptic cryptic, talks on Tor, demands Bitcoin
All the gear and will cost you dear
http://www.theregister.co.uk/2014/12/15/tor_advanced_cryptography_malvertising_the_shape_of_next_gen_ransomware/
Cybercrooks have brewed a strain of ransomware that uses elliptic curve cryptography for file encryption, and Tor for communication.
The malware, dubbed OphionLocker, is spreading using a malicious advertising (malvertising) campaign featuring the RIG exploit kit.
The ransomware encrypts files of particular types on infected systems before using Tor2web URL as a conduit for instructions on how to send the payment and obtain the decryptor tool. The extortionists are asking for a payoff of 1 BTC ($352 at current rates of exchange).
F-Secure reports that if the infection happens on a virtual environment NO ransom payment is requested for a “decryptor tool”, which (perhaps unsurprisingly) doesn’t work. Virtual environments are commonly used by anti-malware researchers.
The tactic of treating them differently appeared geared towards making analysis that bit more difficult, something ultimately aimed at prolonging the longevity of the scam.
Despite the high profile CryptoLocker takedown, ransomware scams remain an all-too-real threat. Crooks are developing more sophisticated encryption schemes to support their fraud. The use of Tor and elliptic curve cryptography places OphionLocker in the top tier of such scams, but is not unprecedented.
Tomi Engdahl says:
Govt Docs Reveal Canadian Telcos Promise Surveillance Ready Networks
http://news.slashdot.org/story/14/12/15/158256/govt-docs-reveal-canadian-telcos-promise-surveillance-ready-networks
Michael Geist reports that Canadian telecom and Internet providers have tried to convince the government that they will voluntarily build surveillance capabilities into their networks. Hoping to avoid legislative requirements
Government Documents Reveal Canadian Telcos Envision Surveillance-Ready Networks
http://www.michaelgeist.ca/2014/12/government-documents-reveal-canadian-telcos-envision-surveillance-ready-networks-2/
After years of failed bills, public debate, and considerable controversy, lawful access legislation received royal assent last week. Public Safety Minister Peter MacKay’s Bill C-13 lumped together measures designed to combat cyberbullying with a series of new warrants to enhance police investigative powers, generating criticism from the Privacy Commissioner of Canada, civil liberties groups, and some prominent victims rights advocates. They argued that the government should have created cyberbullying safeguards without sacrificing privacy.
Perhaps the most notable revelation is that Internet providers have tried to convince the government that they will voluntarily build surveillance capabilities into their networks.
In light of the standardization of the interception capabilities, the memo notes that the Canadian providers argue that “the telecommunications market will soon shift to a point where interception capability will simply become a standard component of available equipment, and that technical changes in the way communications actually travel on communications networks will make it even easier to intercept communications.”
In other words, Canadian telecom providers are telling the government there is no need for legally mandated surveillance and interception functionality since they will be building networks that will feature those capabilities by default.
Tomi Engdahl says:
Report: Mysterious Russian Malware Is Infecting 100,000+ WordPress Sites
http://gizmodo.com/mysterious-russian-malware-is-infecting-over-100-000-wo-1671419522
A Russian malware called SoakSoak has infected over 100,000 WordPress sites since this Sunday, turning blogs into attack platforms. It’s a potential shitshow, and it could’ve been prevented earlier this fall.
Google has already blocked 11,000 domains to try to curb the damage. According to security firm Sucuri, the malware uses a vulnerability in a slideshow plug-in called Slider Revolution. The Slider Revolution team has known about the vulnerability since September, but it looks like they failed to fix it before the security hole got crammed with steaming hot malware.
Researchers at Sucuri are warning that it’ll be hard to completely eradicate the malware as long as so many site owners don’t know it’s there. In addition to removing the malicious code, they will need to update the premium plug-in. If the plug-in came as part of a theme, it won’t update automatically, which means site admins will have to manually update.
Gaming site Dulfy was one of first infected domains to fix the problem by removing code and going behind a firewall, but it may persist on blogs with less diligent administrators indefinitely. And Dulfy’s admin isn’t sure the fix is permanent. “The firewall will be a temporary measure until we can figure out what is doing it,” site owner Kristina Hunter told me.
Over 70 million sites use WordPress as a content management system, from personal blogs to Time.com. This malware attack only affects self-hosted sites that use WordPress, so if you have a personal blog on WordPress.com, you’re okay.
Tomi Engdahl says:
Charlie Warzel / BuzzFeed:
Survey reveals most technology companies’ privacy policies do not cover employee access to user data
We Asked 29 Tech Companies If Their Employees Can Access Your Personal Data
http://www.buzzfeed.com/charliewarzel/we-asked-29-tech-companies-if-their-employees-can-access-you
Privacy policies rarely mention the weakest point in any company’s security infrastructure: its employees.
Traditionally, privacy worries for consumers and tech companies have been limited to keeping information secure from third parties or hackers. But a series of internal abuses show that tech company employees often have universal access to user information, as well as reason — be it pure voyeuristic curiosity or, in the worst cases, a vendetta — to look at our whereabouts, spending, and of the most private corners of our lives.
Fears of employee data abuse are founded, from the highest levels of government intelligence down to car-sharing apps. In 2013, reports revealed over a dozen instances in the past 10 years in which National Security Agency employees abused NSA surveillance to collect data on love interests, referred to internally as “Loveint.” At tech companies, where security measures and training are largely more relaxed, employees surveilling the location histories of ex-lovers, real-time tracking roommates, and looking at activity logs of friends of friends, is not only a plausible fear, but a new reality. Just last month, a New York Uber executive was investigated and reprimanded for tracking the whereabouts of a BuzzFeed News reporter without her permission.
Tomi Engdahl says:
Facebook: We Don’t Call Them ‘Users’ Any More, We Call Them ‘People’
Read more: http://www.businessinsider.com/facebook-says-it-has-dropped-the-term-users-and-has-an-empathy-team-2014-12#ixzz3M38GU3PO
Tomi Engdahl says:
Snowden Leaks Prompt Internet Users Worldwide To Protect Their Data
http://yro.slashdot.org/story/14/12/15/2323242/snowden-leaks-prompt-internet-users-worldwide-to-protect-their-data
A new international survey of internet users from 24 countries has found that more than 39% of them have taken steps to protect their data since Edward Snowden leaked the NSA’s spying practices. The survey, conducted by the Center for International Governance Innovation, found that 43% of Internet users now avoid certain websites and applications and 39% change their passwords regularly. Security expert Bruce Schneier chastised the media for trying to downplay the numbers by saying “only” 39%” have taken action and “only 60%” have heard of Snowden.
After the Snowden leaks, 700M move to avoid NSA spying
http://www.computerworld.com/article/2859477/after-the-snowden-leaks-700m-move-to-avoid-nsa-spying.html
Survey shows 83% believe Internet access should be a basic human right
Tomi Engdahl says:
Chrome devs hatch plan to mark all HTTP traffic insecure
Browsers tell us when content is secure, but not when to feel NAKED AND AFRAID
http://www.theregister.co.uk/2014/12/16/chrome_devs_hatch_plan_to_mark_all_http_traffic_insecure/
The Chromium Project’s security team has kicked off a debate on whether browser will mark all HTTP pages as insecure.
“We … propose that user agents (UAs) gradually change their UX to display non-secure origins as affirmatively non-secure,” the team writes in this post.
The post says the team’s goal “… is to more clearly display to users that HTTP provides no data security” because ““We all need data communication on the web to be secure (private, authenticated, untampered).”
If users aren’t enjoying good security, the team suggests, browsers “… should explicitly display that, so users can make informed decisions about how to interact with an origin.”
The team also point out that HTTPS traffic usually produces a change to the user interfa,ce notification, yet insecure HTTP traffic does not.
The post proposes that browsers instead define, and inform users of, three security levels:
Secure (valid HTTPS, other origins like (*, localhost, *));
Dubious (valid HTTPS but with mixed passive resources, valid HTTPS with minor TLS errors); and
Non-secure (broken HTTPS, HTTP).
Tomi Engdahl says:
Over 700 Million People Taking Steps to Avoid NSA Surveillance
https://www.schneier.com/blog/archives/2014/12/over_700_millio.html
There’s a new international survey on Internet security and trust, of “23,376 Internet users in 24 countries,” including “Australia, Brazil, Canada, China, Egypt, France, Germany, Great Britain, Hong Kong, India, Indonesia, Italy, Japan, Kenya, Mexico, Nigeria, Pakistan, Poland, South Africa, South Korea, Sweden, Tunisia, Turkey and the United States.” Amongst the findings, 60% of Internet users have heard of Edward Snowden, and 39% of those “have taken steps to protect their online privacy and security as a result of his revelations.”
The press is mostly spinning this as evidence that Snowden has not had an effect
Even so, I disagree with the “Edward Snowden Revelations Not Having Much Impact on Internet Users” headline. He’s having an enormous impact.
But it is absolutely extraordinary that 750 million people are disturbed enough about their online privacy that they will represent to a survey taker that they did something about it.
CIGI-Ipsos Global Survey on Internet Security and Trust
https://www.cigionline.org/internet-survey
The survey found that:
83% of users believe that affordable access to the Internet should be a basic human right;
two thirds (64%) of users are more concerned today about online privacy than they were compared to one year ago; and,
when given a choice of various governance sources to effectively run the world-wide Internet, a majority (57%) chose the multi-stakeholder option—a “combined body of technology companies, engineers, non-governmental organizations and institutions that represent the interests and will of ordinary citizens, and governments.”
Tomi Engdahl says:
The European Commission, Europarl and Member States will prepare together with the so-called network and the Data Protection Directive (network and information security directive).
Cyber security directive called the bill is intended to progress to the final stage in the coming weeks.
Union legislators the original intention was that the new Directive will only cover the most important sectors, such as energy industries, transport and finance.
Large member states, mainly in Germany and France, under the leadership of the Commission would like the scope of the Directive also cloud service providers, social media, search engines and online marketing platforms suppliers.
The Commission justifies the IT sector regulation, the fact that technology companies have far-reaching effects, as well as EU companies in the daily lives of citizens, Euractiv.com write .
American IT companies are far from satisfied with the Commission’s proposal on a new cyber security directive.
“Online commerce, search engines and social network services such as road did you get are of course useful, but they are not critical. That’s why cyber secuirty legislation aimed at should cover only the most important areas of infrastructure,” lobbying group in the European leader James Waterworth justifies the principals position.
American IT giants agree on EU legislators in the fact that the new directive would only overlapping operations.
EU countries are currently EU-wide data protection legislation only the telecom industry. Telecommunication companies are legally required to report data leaks and service interruptions authorities.
Source: http://www.tivi.fi/cio/eun+kyberturva+ei+kelpaa+usan+itjateille/a1037025
Tomi Engdahl says:
Internet firms push to be left out of EU cybersecurity law
http://www.euractiv.com/sections/infosociety/internet-firms-push-be-left-out-eu-cybersecurity-law-310706
Cisco and Google are seeking to be excluded from a new EU cybersecurity law that would force them to adopt tough security measures and report serious security breaches to national authorities.
The so-called Network and Information Security directive is due to be finalised in talks between the European Parliament, the European Commission and member states over the coming weeks.
EU lawmakers want the law to cover only sectors that they consider critical, such as energy, transport and finance.
But the Commission – the EU executive – and some countries, such as Germany and France, are pushing to include cloud providers, social networks, search engines and e-commerce platforms because of their widespread use by people and businesses.
Internet companies are firmly opposed to such a move, which would incur extra compliance costs.
Tomi Engdahl says:
Banks, UK.gov must work together to beat cyber-nasties
BoE also warns of IT failures ‘exacerbating’ sector instability
http://www.theregister.co.uk/2014/12/16/ukgov_banks_lower_cyber_risks_report/
Government must work closely with UK banks to improve financial institutions’ infrastructure and resilience to cyber attacks, the Bank of England has warned.
Banks currently view cyber attacks as a “technical” problem, rather than an issue which merits “board-level attention,” it said on Tuesday in its Financial Stability Report.
“[This is an issue], given the evolving nature of cyber threats and the key importance of cyber resilience to the continuity of financial services.”
The report cited attackers stealing information from more than 80m customers at a large US bank in August as an example of financial institutions’ vulnerabilities.
Tomi Engdahl says:
US cyber-army’s cyber-warriors ‘cyber-humiliated by cyber-civvies in cyber-games’
‘They were pretty much obliterated’ – report
http://www.theregister.co.uk/2014/08/05/us_military_cyberwarriors_reservists_war_games/
The US military held a series of online war games to pit reservist hackers against its active-duty cyber-warriors – and the results weren’t pretty for the latter, we’re told.
“The active-duty team didn’t even know how they’d been attacked. They were pretty much obliterated,” said one Capitol Hill staffer who attended, Navy Times reports.
The original plan was to draw 80 per cent of CYBERCOM’s forces from the serving army, and the remaining 20 per cent from reservists. Given the skills shown by America’s part-time military in the cyber-bout, held last year, this could be about to change.
While the military is ploughing billions into cyber-warrior training, it’s only to be expected that people working outside the military have more infosec experience than those in the armed forces, and be more aware of the very latest defense and offense techniques.
“I have to hire a great workforce to compete with those cyber-criminals and some of those kids want to smoke weed on the way to the interview,”
Tomi Engdahl says:
Some 100,000 or more WordPress sites infected by mysterious malware
Infected sites load attack code into webpages viewed by visitors.
http://arstechnica.com/security/2014/12/some-100000-or-more-wordpress-sites-infected-by-mysterious-malware/
About 100,000 or more websites running the WordPress content management system have been compromised by mysterious malware that turns the infected sites into attack platforms that can target visitors, security researchers said.
The campaign has prompted Google to flag more than 11,000 domains as malicious, but many more sites have been detected as compromised, according to a blog post published Sunday by Sucuri, a firm that helps website operators secure their servers.
The code causes pages to download the malicious payload from hxxp://soaksoak.ru/xteas/code. Judging from some of the reader comments, some administrators were surprised to find that the sites they oversee were infected. Sucuri’s free site check scanner will detect sites that are actively compromised.
“The biggest issue is that the RevSlider plugin is a premium plugin, it’s not something everyone can easily upgrade and that in itself becomes a disaster for website owner,”
SoakSoak Malware Compromises 100,000+ WordPress Websites
http://blog.sucuri.net/2014/12/soaksoak-malware-compromises-100000-wordpress-websites.html
Tomi Engdahl says:
Free Website Malware and Security Scanner
http://sitecheck.sucuri.net/
Tomi Engdahl says:
Dutch data watchdog threatens Google with £12m fine
http://www.bbc.com/news/technology-30492833
Google has been threatened with a fine of up to 15m euros (£12m) if it does not do a better job of protecting the privacy of Dutch citizens.
The threat was made by the Dutch data protection agency (DPA), which said Google had broken local laws governing what it could do with user data.
The search giant has been given until the end of February 2015 to change the way it handles personal data.
Google said it was “disappointed” by the Dutch data watchdog’s statement.
The row has blown up over the way that Google combines data about what people do online in order to tailor adverts to their preferences.
Information about keywords in search queries, email messages, cookies, location data and video viewing habits are all used by Google to build up a profile on each of its millions of users.
Dutch laws said Google should tell people about this data-gathering activity and get permission from them before it was combined or analysed, said Mr Kohnstamm.
Tomi Engdahl says:
Privacy, Social media
In what color would you like your new Mercedes?
http://safeandsavvy.f-secure.com/2014/12/16/in-what-color-would-you-like-your-new-mercedes/
A new Mercedes. Nice. Or maybe an Audi R8? That would be cool. But hold it! Don’t sell your old car yet! Liking and sharing that giveaway campaign on Facebook will NOT give you a new car. Those prizes doesn’t even exist. They are just hoaxes.
Internet and Facebook is full of crap, junk, rubbish, nonsense and gibberish. Nobody knows how many chain letters there are spreading some kind of unbelievable story. False celebrity news, bogus first-aid advice, phony charity campaigns and this kind of giveaways.
But a car giveaway is probably a harmless and safe prank, even if it’s false? No, not really. These chain letters are actually not traditional hoaxes, they are like-farming scams.
you will participate in building a page with a lot of supporters, which is valuable and can be sold later.
Here’s how it works. Any business has a problem when starting on Facebook. An empty page without likes isn’t trustworthy. So the scammers set up a page containing anything that can go viral. A promise to get a luxury car works well.
he scammers wait until there’s enough likes before they clean out the content, rename it and start looking for a buyer.
A page with 100 000 likes could sell for over $1000.
Tomi Engdahl says:
Have the Snowden revelations changed your attitudes about privacy?
http://safeandsavvy.f-secure.com/2014/12/15/how-have-the-snowden-revelations-changed-your-attitudes-about-privacy/
Tomi Engdahl says:
5 of the best answers from @mikko’s reddit AMA
http://safeandsavvy.f-secure.com/2014/12/05/5-of-the-best-answers-from-mikkos-reddit-ama/
Q: How safe are current smart phones and how secure are their connections? – Jadeyard
The operating systems on our current phones (and tablets) are clearly more secure than the operating systems on our computers. That’s mostly because they are much more restricted.
Q: Lots of people are afraid of the viruses and malware only simply because they are all over the news and relatively easy to explain to. I am personally more afraid of the silently allowed data mining (i.e. the amount of info Google can get their hands on) and social engineering style of “hacking”.
There are different problems: problems with security and problems with privacy.
Companies like Google and Facebook make money by trying to gather as much information about you as they can. But Google and Facebook are not criminals and they are not breaking the law.
Security problems come from criminals who do break the law and who directly try to steal from you with attacks like banking trojans or credit card keyloggers.
Normal, everyday people do regularily run into both problems.
Q: Europol’s cybercrime taskforce recently took down over a hundred darknet servers. Did the news shake your faith in TOR?
People use Tor for surfing the normal web anonymized, and they use Tor Hidden Service for running websites that are only accessible for Tor users.
Both Tor use cases can be targeted by various kinds of attacks. Just like anywhere else, there is no absolute security in Tor either.
Tomi Engdahl says:
How New-Gen MCUs Handle Security in Cars
http://www.eetimes.com/author.asp?section_id=36&doc_id=1325016&
The incessant evolution of communication networks inside vehicles is quickly reducing the capacity of current security measures.
How many of us remember a time when car windows had to be cranked up and there were no seatbelts to secure us in case of an accident? A “secure vehicle” was one with locked doors.
With the introduction of the Advanced Driver Assistant System (ADAS) — with ABS, airbag, brake control, steering control, engine control, cruise control, stop-and-go, autonomous parking, integrated navigation system (GPS and Gallileo) — there is no question that the ecosystem of the automobile is becoming more interconnected and increasingly complex, but electronic devices have also replaced more trivial functions like light control, air conditioning, power windows, engine starting, door opening, adjustable and heated seats… The list of available options goes on.
Though progressing from a purely mechanical environment to the sophisticated universe of electronics has provided an added value in terms of comfort, as well as active and passive safety for driver and passengers, at the same time — because those engine control units (ECUs) are interconnected — significant security issues regarding privacy and data reliability arise.
For example, some decades ago, CAN was not designed to be robust in terms of security. In fact, any CAN message inside the car communication bus was broadcast to any other component and did not support any authorization, authentication, or encryption protocol.
Modern cars exchange messages using the CAN bus to open doors and start the engine. Those messages are swapped between an ECU inside the car and one inside an electronic key. If this system were compromised, a thief could easily steal the car. Also, a hacker could access the GPS inside the car to monitor frequent locations to find out where the driver is and when he leaves the car unattended.
Furthermore, wireless communication channels such as Bluetooth, GPRS, or UMTS for Internet mobile functions like email, SMS, video streaming, video calls, and so on, have enlarged the “attack surfaces” for hackers who could compromise any communication and driving system, or insert malicious software to steal data like a vehicle’s position in real-time, frequently used routes, and full conversations, by remote access.
By definition, an “open system” is exposed to a continuous increase of attacks through several methods. The incessant evolution of internal and external communication networks inside vehicles quickly reduces the capacity of current security measures to provide adequate protection for these systems.
Until now, only theoretical proposals have been suggested to protect cars from internal and external attacks, and the possibility for hackers to control any driving system (brakes, ABS, airbags, navigation), thus risking the vehicle occupants’ lives, is more real than we have suspected.
Those groups have proposed sophisticated software application models using cryptographic communication protocols, and also have proposed some very interesting guidelines, from a hardware point of view, to build more robust microcontrollers that can avoid illegal firmware alterations, unauthorized intrusions, and illicit misuse.
Tomi Engdahl says:
Jessica Plautz / Mashable:
Delta security flaw let passengers access others’ boarding passes — Airlines are moving toward mobile boarding passes, and looking to a paperless future of air travel. But there are still some kinks to work out.
Delta security flaw let passengers access others’ boarding passes
http://mashable.com/2014/12/16/delta-security-flaw/
Airlines are moving toward mobile boarding passes, and looking to a paperless future of air travel. But there are still some kinks to work out.
A passenger found a serious flaw in Delta’s mobile boarding system on Tuesday that revealed anyone can access other passengers’ boarding passes. The airline implemented a fix later in the day.
Tomi Engdahl says:
Clever Gets $30 Million From Lightspeed To Become The Login Layer For Education Apps
http://techcrunch.com/2014/12/16/clever-30m-lightspeed/
It’s not often you hear about companies actually disrupting the education market. Conventional wisdom seems to be that due to the bureaucratic nature of the industry, it’s nearly impossible to get wide-scale adoption at the institutional level.
Clever seems to be an exception. Since launching two-and-a-half years ago, the company has added tens of thousands of schools to its platform. The company has managed to get them on board mostly by providing a free service that provides immense value to teachers and students alike.
App makers integrate with Clever to enable single-sign on among students, which alleviates one of the major pain points for teachers and students alike. Rather than having to manage individual student passwords for each app used in a class, Clever simplifies the process by providing a single place for them to sign in and access learning apps.
Schools and school districts are happy to sign up for the platform because it makes life a lot easier for them — and also because it’s free. Meanwhile, Clever makes money from app developers who benefit from the improved ease-of-use and being a part of the Clever distribution network. They are charged on a per-school basis to connect.
Tomi Engdahl says:
Belkin flings out patch after Metasploit module turns guests to admins
Open guest networks turned on by default
http://www.theregister.co.uk/2014/11/07/belkin_flings_patch_after_metasploit_module_turns_guests_to_admins/
Belkin has patched a vulnerability in a dual band router that allowed attackers on guest networks to gain root access using an automated tool.
The flaw reported overnight targeted the Belkin N750 dual-band router – which was launched in 2011 and is still sold by the company and other commerce sites.
IntegrityPT consultant Marco Vaz published a Metasploit module allowing guests to attack vulnerable routers.
“A vulnerability in the guest network web interface of the [router] allows an unauthenticated remote attacker to gain root access to the operating system of the affected device,” Vaz said.
Tomi Engdahl says:
Creative defense: Crowdsource your hackers
http://www.infoworld.com/article/2859775/security/creative-defense-crowdsource-your-hackers.html
A startup launched by security veterans enables any organization to set up a cost-effective bug bounty program and pay skilled freelance white hats to find vulnerabilities
Tomi Engdahl says:
The European Union funded project to create Ecosia technical means of protection of critical infrastructure threat of cyber attacks to stop. Security Items such as the electricity grid, heat, water supply, waste water treatment and financial activities.
VTT has participated in the development of the project cyber alarm system prototype. Its mission is to, for example, to monitor and alert operators to the production network detected malware and launch cyber-attacks refers to only the data traffic.
Ecosia project started in June and ends in late May 2017. The project involves 19 partners from nine different countries. The project has a total budget of EUR 13 million.
Source: http://www.etn.fi/index.php?option=com_content&view=article&id=2213:eurooppaan-kehitetaan-kybervaroitusjarjestelmaa&catid=13&Itemid=101
Tomi Engdahl says:
Google bakes W3C malware-buster into Gmail
Content Security Policy standard means non-complying extensions SHALL NOT PASS!
http://www.theregister.co.uk/2014/12/17/google_bakes_w3c_malwarebuster_into_gmail/
If an online service offers even the slightest gap through which miscreants can launch an attack, they will do so. It’s therefore not surprising that Google feels some extensions to its Gmail service may not be entirely friendly to users.
The Chocolate Factory’s, response, announced Tuesday, is to adopt the W3C’s Content Security Policy (CSP_ standard.
The effect of doing so is simple: Gmail extensions that aren’t CSP-compliant won’t work any more as Google’s adoption of the standard means unapproved code won’t load into a browser.
Google warns adopting CSP may mean a few hiccups for users running extensions
Tomi Engdahl says:
Android Apps exploit user data: “Your location is stored in 10 times in a minute”
Android applications using overworked to the user for the authorizations granted, French scientists estimate. According to them, the developers should attempt to minimize the amount of data collected by the applications.
French Cnilin study commissioned by the 10 subjects were monitored phone use Research Inrian developing Mobilitics application. It measured the three-month period a total of 121 application activity.
According to researchers, 30 per cent of applications recorded the location of the user. Two of the three saved personal data. The collection of data limitation is expected to be difficult.
Source: http://www.tivi.fi/kaikki_uutiset/androidsovellukset+riistavat+kayttajan+tietoja+quotsijaintisi+tallennetaan+10+kertaa+minuutissaquot/a1037473
Tomi Engdahl says:
The US Needs To Stop Pretending The Sony Hack Is Anything Less Than An Act Of War
http://www.businessinsider.com/sony-hack-should-be-considered-an-act-of-war-2014-12
The most devastating cyberattack ever on a US-based company wasn’t an act of war, according to established guidelines of cyberwarfare.
NATO’s Tallinn Manual defines an act of cyberwar that permits a military response as “a cyber operation, whether offensive or defensive, that is reasonably expected to cause injury or death to persons or damage or destruction to objects.”
The world after the Sony Pictures hack may require a new perspective.
Dave Aitel, a former NSA research scientist and CEO of the cybersecurity firm Immunity, argues that while the attack “doesn’t meet the threshold for a response by our military,” it should still be viewed as an act of war.
“We need to change the way we think about cyberattacks,” Aitel told Business Insider in an email. “In many cases, these aren’t ‘crimes’ — they’re acts of war. A non-kinetic attack (i.e., destructive malware, destructive computer network attack) that causes just as much damage as a kinetic attack (i.e., a missile or bomb) should be viewed at the same level of urgency and need for US government/military response.”
Nevertheless, one proactive move the US should consider, according to Aitel, is “declaring certain cyberattacks terrorist acts and the groups behind them terrorists,” which would “set in motion a wider range of legal authority, US government/military resources, and international options.”
One way to bolster US cyber defenses, according to Aitel, would be for the government to provide companies “with the option to have their web hosting and security provided by the federal government itself.”
And even though turning over the “IT keys” to the government would be an unpopular idea — especially after the revelations by Edward Snowden — Aitel calls it “the most effective model the cybersecurity industry would have to protect against state-sponsored attacks like the one that hit Sony or the millions of cyber-espionage attacks that occur yearly against other key US entities.”
That’s because a critical attack on a US-based company would be treated, legally and politically, as an attack on the US itself.
Tomi Engdahl says:
Get Ready For The Hack Attack That Drives A Big Company Out Of Business
http://www.businessinsider.com/hack-attack-will-drive-some-big-company-out-of-business-2014-12
I had an interesting conversation with a person in the computer security industry a few weeks ago.
This person is absolutely convinced that 2015 will be the year that some company goes out of business because they didn’t plan adequately for an attack.
Normally, I’m skeptical about these kinds of stories from companies that sell security products. They have a vested interest in making things sound as bad as possible, and there’s a long history of security companies hyping up remote threats in press releases.
Then the Sony hack happened. There have been estimates that Sony could suffer a loss of more than $100 million — and that was before a couple of former employees sued the company.
The Sony hack is different from most past hacks on this scale because the people who got the information don’t seem to be out for personal gain. Instead, they’re actively trying to embarrass and perhaps even destroy the company.
So I got back in touch with this person to ask why we suddenly seem to be at a breaking point. Here’s what he told me:
The motives of sophisticated hackers have changed from self-gain to destruction. In the past, the most sophisticated hacks against companies were carried out by big nation-states or criminal organizations.
Company officers are only now becoming aware of the threat. Boards of directors and C-level officers are most directly responsible for risk mitigation. They have traditionally been focused on other threats — competitive threats, regulatory threats, and so on. Only in the last year or so, starting around the time of the Target hack, have they become aware of how much damage a computerized attack can cause.
Tomi Engdahl says:
Microsoft, Google, Adobe Leave Russia Due to Putin’s New Laws
http://news.softpedia.com/news/Microsoft-Google-Adobe-Leave-Russia-Due-to-Putin-s-New-Laws-467521.shtml
Tech companies Microsoft, Google, and Adobe are all giving up on their Russian operations amid a new law requested by President Vladimir Putin and which requires companies to store collected user data on local servers which would obviously become accessible to authorities.
The retreat was started by Microsoft last month, when the company decided to move its Skype development team from Moscow to Prague. Adobe, on the other hand, ceased its Russian operations entirely, explaining that it doesn’t actually need a local headquarters because everything can be performed through the power of cloud.
Now Google is doing the same thing, ITWire writes, so the Mountain View-based search giant is giving up on its Russian R&D center and relocating all engineers based in the country.
And these aren’t the only companies that might be forced to leave Russia, as both Facebook and Twitter are expected to follow the same trend, but neither has made any decision on this. As the aforementioned source notes, these two social networks would need millions of dollars every year to set up servers in Russia that would be used to store data in the country.
Tomi Engdahl says:
NY premiere of The Interview cancelled after hackers’ terrorist threats
GoP hint at 9/11-style attack for screenings of Nork assassination movie
http://www.theregister.co.uk/2014/12/17/the_interview_ny_premiere_cancelled_after_hacker_terrorist_threats/
The New York premiere of Sony Pictures’ movie about a fictional assassination attempt on Kim Jong-Un has been cancelled in the wake of hacker threats invoking 9/11.
The Interview was due to debut on Thursday at Landmark’s Sunshine Cinema in Manhattan, but a spokesperson confirmed to Variety that the screening was off late on Tuesday, US time. There are rumours that other theatres are also pulling their showings, after a group calling itself Guardians of Peace (GOP) threatened anyone who attended.
Sony Pictures in the UK refused to comment when contacted by The Reg.
The threatening message was mixed in with further leaks of Sony files stolen from the systems by GOP. So far, the cyber criminals have released tens of gigabytes of sensitive information, including employee salaries and personal identity data, credit card numbers, movies and their scripts and email correspondence between executives that’s proved hugely embarrassing for the studio.
GOP warned that anyone who went to see The Interview, including at the premiere, would see “how bitter fate those who seek fun in terror should be doomed to”. The group also said “remember the 11th of September 2001”.
Tomi Engdahl says:
No bail for ‘Silk Road boss’ as SIX MURDER-FOR-HIRE CHARGES filed
Allegedly ordered contract killings to protect drugs market
http://www.theregister.co.uk/2013/11/22/silk_road_more_contract_killing_charges/
A federal judge has denied bail to Ross Ulbricht, the alleged mastermind behind the Silk Road online drugs marketplace, amid charges that Ulbricht contracted the murders of six people.
Ulbricht, who is accused of founding Silk Road under the moniker of “the Dread Pirate Roberts,” appeared in a federal court on Wednesday in New York City, where he is being held on charges of computer hacking, money laundering, and narcotics conspiracy.
Joshua Dratel, Ulbricht’s attorney, said his client denied all these charges, arguing that 29-year-old Ulbricht was not the person known as the Dread Pirate Roberts, that he has no criminal record, and that he had “never committed a violent act in his life.”
Tomi Engdahl says:
Microsoft BEATS Apple, Google … to accepting limited Bitcoin payments
Oh yeah, and you can’t actually pay for anything. Oh well.
http://www.theregister.co.uk/2014/12/11/microsoft_beats_apple_and_google_to_accepting_limited_regional_bitcoin_payments/
Microsoft has quietly added Bitcoin as a payment method for digital content – games and music – thanks to a deal with Bitpay that allows customers to use the cryptocurrency to add money to their MS account.
Trouble is, the synthetic dosh still can’t be used to pay for physical goods directly, and initially at least, it’s Bitcoin holders who seem to be benefiting, with a single Bitcoin soaring $20 overight to $360 on the back of the Microsoft agreement.
Whether Microsoft (one of the first big tech companies to embrace the currency, ahead of Apple and Google) will also see a financial benefit is too early to tell, it certainly can’t hurt.
Tomi Engdahl says:
Bitcoin is GREAT and SAFE, says, er, the Bitcoin Foundation
Gros fromage: As long as operators aren’t in jail, digital cash is the future
http://www.theregister.co.uk/2014/11/06/bitcoin_remittance_unstable_currency_regulation/
Web Summit Bitcoin will have its biggest impact in unstable regimes and foreign currency transfers, according to the Bitcoin Foundation’s chief scientist Gavin Andresen.
Speaking at Web Summit 2014, the head boffin said the online virtual current offered a great way to sidestep unstable government-issued currencies when they were suffering from issues such as hyperinflation.
“Those are the places where having an alternative, where you can kind of go around the government currency, where Bitcoin will have the biggest societal impact,” Andresen told press at the event, while brandishing a hundred trillion Zimbabwean dollar he carries around.
“The Foundation works on keeping transaction fees inexpensive. We don’t want a world where Bitcoin remittance costs the same amount as wire transfers,” he said.
Tomi Engdahl says:
Manufacturer’s Backdoor Found On Popular Chinese Android Smartphone
http://it.slashdot.org/story/14/12/17/1815250/manufacturers-backdoor-found-on-popular-chinese-android-smartphone
“A popular Android smartphone sold primarily in China and Taiwan but also available worldwide, contains a backdoor from the manufacturer that is being used to push pop-up advertisements and install apps without users’ consent. The Coolpad devices, however, are ripe for much more malicious abuse, researchers at Palo Alto Networks said today”
Manufacturer’s Backdoor Found on Popular Chinese Android Smartphone – See more at: http://threatpost.com/manufacturers-backdoor-found-on-popular-chinese-android-smartphone/109929#sthash.FL6arFFk.dpuf
Tomi Engdahl says:
NSA-Approved Samsung Knox Stores PIN in Cleartext
http://threatpost.com/nsa-approved-samsung-knox-stores-pin-in-cleartext/109018
A security researcher has tossed a giant bucket of ice water on Samsung’s thumbs up from the NSA approving use of certain Galaxy devices within in the agency.
The NSA’s blessing, given under the agency’s Commercial Solutions for Classified Program, meant that the Samsung Galaxy 4, 5 and Galaxy Note 3 and note 10.1 2014 Edition cleared a number of security stipulations and could be used to protect classified data.
The agency’s approval was also seen as a solid endorsement for Samsung’s Knox technology, which provides for separate partitions, or containers, on the Android devices in order to keep personal and business data from co-mingling. The containers have their own encrypted file systems as well, keeping secured apps separate from applications outside the container.
An unnamed researcher, however, on Thursday published a lengthy report that claims a PIN chosen by the user during setup of the Knox App is stored in clear text on the device. Specifically, a pin.xml file stored in the ContainerApp stored on the device during setup contains the unencrypted PIN number.
- See more at: http://threatpost.com/nsa-approved-samsung-knox-stores-pin-in-cleartext/109018#sthash.ADldz0IX.dpuf
Tomi Engdahl says:
Privileged Account Access
Most Targeted Attacks Exploit Privileged Accounts
We all like to write and talk about flashy zero-day vulnerabilities. However, a new threat report cautions enterprises not to flatter themselves, because the majority of criminals are not using valuable zero-days exploits to penetrate corporate networks: they’re phishing privileged account credentials from executives and IT staffs, or simply guessing passwords for automated service accounts and, in turn, exploiting that access to gather valuable information.
“Everyone thinks about the zero-day vulnerability, but they’re rarely exploited in a widespread pattern in the wild. They’re so valuable that attackers apply them in very limited way,” said Craig Williams, senior technical leader and security outreach manager for Cisco Talos Security Intelligence and Research Group. “For every zero day you hear about, there are millions of known vulnerabilities that are far more likely to be used against you.”
- See more at: http://threatpost.com/most-targeted-attacks-exploit-privileged-accounts/109514#sthash.sgSZJ9hY.dpuf
Tomi Engdahl says:
Attackers Using Compromised Web Plug-Ins in CryptoPHP Blackhat SEO Campaign
Researchers have discovered a group of attackers who have published a variety of compromised WordPress themes and plug-ins on legitimate-looking sites, tricking developers into downloading and installing them on their own sites. The components then give the attackers remote control of the compromised sites and researchers say the attack may have been ongoing since September 2013.
The incident came to light through an investigation by researchers at Fox-IT in the Netherlands, who discovered it after noticing a compromised Joomla plug-in on a customer’s site. After a little investigation, they discovered that the plug-in had been downloaded from a site that offers a list of pirated themes and plug-ins.
- See more at: http://threatpost.com/attackers-using-compromised-web-plug-ins-in-cryptophp-blackhat-seo-campaign/109505#sthash.aMPvZ1x0.dpuf
Tomi Engdahl says:
ICANN hackers sniff around global DNS root zone system
Timing couldn’t be worse for domain name overseer
http://www.theregister.co.uk/2014/12/17/icann_hacked_admin_access_to_zone_files/
Domain-name overseer ICANN has been hacked and its root zone administration system compromised, the organization has said.
Attackers sent staff spoofed emails appearing to coming from icann.org. The organization notes it was a “spear phishing” attack, suggesting employees clicked on a link in the messages, and then typed their usernames and passwords into a bogus webpage, providing hackers with the keys to their accounts. No sign of two-factor authentication, then.
“The attack resulted in the compromise of the email credentials of several ICANN staff members,” the announcement reads, noting that the attack happened in late November and was discovered a week later.
With those details, the hackers then managed to access a number of systems within ICANN, including the Centralized Zone Data System (CZDS), the wiki pages of the Governmental Advisory Committee (GAC), the domain registration Whois portal, and the organization’s blog.
While the hack is nowhere near the same level as the hack on, say, Sony that has seen gigabytes of information leaked onto the internet, it will prove extremely embarrassing to ICANN, which hopes to be handed control of the critical IANA contract next year.
If there is a positive to the news it is that ICANN has matured in how it deals with security.
Tomi Engdahl says:
Can’t stop Home Depot-style card pwning, but suppliers will feel PCI regulation pain
Third parties must comply to new standard
http://www.theregister.co.uk/2014/12/17/pci_revamp_after_target_home_depot_breach/
Third-party providers will face more stringent regulations as part of a revamp in payment card industry regulations due to go into full effect in the new year.
The new Payment Card Industry Data Security Standard 3.0 (PCI 3.0) will be mandatory for all businesses that store, process or transmit payment card information beginning 1 January 2015. The revamped standard includes requirements aimed at third party providers.
The changes follow a string of high profile breaches, several of which including the most serious Target and Home Depot breaches were subsequently traced back to lax security controls at third party providers. In the case of Target, its heating and air conditioning subcontractor was implicated in the subsequent hack and the retail chain.
Hackers tricked workers at a Pennsylvania air conditioning firm to open a malware-laced email attachment, the first stage in a multi-stage hack that ultimately allowed crooks to plants malware on point-of-sale terminals at Target.
The similar Home Depot hack – which exposed 56 million customer credit and debit card accounts – was also enabled by credentials stolen from an unnamed third-party vendo
The new standard will oblige third party service providers to use a unique password when accessing each business to which they remotely connect as well as mandating the use of two-factor authentication for those connections. Or, as the PCI Council, puts it: “service providers with remote access to customer premises, [need to] use unique authentication credentials for each customer”.
“Version 3.0 has been effective since January 2014, but organizations were given an extended deadline through the year as long as they met version 2.0 compliance requirements,”
Tomi Engdahl says:
How A Hacker Gang Literally Saved Christmas For Video Game Players Everywhere
http://uk.businessinsider.com/lizard-squad-hack-playstation-and-xbox-2014-12
At the start of December, a notorious hacker gang named “Lizard Squad” issued a threat: it would take down over Christmas the PlayStation and Xbox Live networks, the online services that some video games need in order run from a home console.
In the weeks following Lizard Squad’s threat, another gang of hackers formed. It had two aims: 1. Keep the video game services running. 2. Take down Lizard Squad.
Lizard Squad is one of the most well-known online hacker groups and has a history of attacking popular video game services. In August, Lizard Squad claimed to have caused disruption to the PlayStation Network , as well as servers run by Blizzard, the company behind World of Warcraft.
In the same month, the group took their campaign one step further by tweeting a bomb threat against Sony executive John Smedley, which forced his flight to be diverted.
But Lizard Squad’s hacking campaign against video games didn’t end there. They returned in September to wreak havoc against popular games such as Call of Duty, FIFA, Destiny, Madden, and The Sims 4.
The hackers resurfaced, taking the PlayStation and Xbox networks offline at the start of December.
A group known as “The Finest Squad” emerged in December with the intention of bringing “cyber-criminals to justice.”
Sure enough, Finest Squad managed to break into the public Twitter accounts and websites of Lizard Squad’s members, releasing their names and photographs of them online. For any hacker, that’s a nightmare scenario. Being doxxed (having your private information posted online) will generally either lead to an arrest or to sustained harassment from people you have wronged.
To make sure that no gang of mischievous teenagers would be able to do the same as Lizard Squad, Finest Squad even submitted information about the vulnerabilities discovered to the video game networks that were under attack.
Tomi Engdahl says:
New York Times:
U.S. Said to Find North Korea Ordered Cyberattack on Sony — WASHINGTON — American intelligence officials have concluded that the North Korean government was “centrally involved” in the recent attacks on Sony Pictures’s computers, a determination reached just as Sony on Wednesday canceled …
U.S. Said to Find North Korea Ordered Cyberattack on Sony
http://www.nytimes.com/2014/12/18/world/asia/us-links-north-korea-to-sony-hacking.html?_r=0
American officials have concluded that North Korea was “centrally involved” in the hacking of Sony Pictures computers, even as the studio canceled the release of a far-fetched comedy about the assassination of the North’s leader that is believed to have led to the cyberattack.
Senior administration officials, who would not speak on the record about the intelligence findings, said the White House was debating whether to publicly accuse North Korea of what amounts to a cyberterrorism attack. Sony capitulated after the hackers threatened additional attacks, perhaps on theaters themselves, if the movie, “The Interview,” was released.
Tomi Engdahl says:
Dan Goodin / Ars Technica:
ICANN e-mail accounts, zone database breached in spearphishing attack — Unknown attackers used a spearphishing campaign to compromise sensitive systems operated by the Internet Corporation for Assigned Names and Numbers (ICANN), a coup that allowed them to take control of employee e-mail accounts …
ICANN e-mail accounts, zone database breached in spearphishing attack
Password data, other personal information of account holders exposed.
http://arstechnica.com/security/2014/12/icann-e-mail-accounts-zone-database-breached-in-spearphishing-attack/
Tomi Engdahl says:
Over 9,000 PCs In Australia Infected By TorrentLocker Ransomware
http://yro.slashdot.org/story/14/12/17/2237248/over-9000-pcs-in-australia-infected-by-torrentlocker-ransomware
Cybercriminals behind the TorrenLocker malware may have earned as much as $585,000 over several months from 39,000 PC infections worldwide, of which over 9,000 were from Australia
Over 9,000 PCs in Australia infected by TorrentLocker ransomware
http://www.cso.com.au/article/562658/over-9-000-pcs-australia-infected-by-torrentlocker-ransomware/
If you’re a Windows user in Australia who’s had their files encrypted by hackers after visiting a bogus Australia Post website, chances are you were infected by TorrentLocker and may have contributed to the tens of thousands of dollars likely to have come from Australia due to this digital shakedown racket.
TorrentLocker is one of several ransomware threats that have emerged in the wake law enforcement action against CryptoLocker earlier this year.
Like CryptoLocker, TorrentLocker is a shakedown operation, demanding payment of up to $1,500 in Bitcoin to unlock victim’s encrypted files. Whether victims pay depends on how much they value files, which all too often are not backed up.
According to a new research by security vendor ESET, the hackers behind TorrentLocker put extra effort into defrauding Australian computer users via a several bogus websites for Australia Post and the NSW Office of State Revenue used to deliver the malware.