Year 2014 is coming to an end, so it is time to look forward to what to expect from 2015 in cyber security.
Cyber security will get harder year by year. Year 2014 was much worse than 2013. Heartbleed, the Bash Shellshock bug and POODLE were just the beginning of what to expect in 2015. I expect that 2014 will look easy compared to what 2015 will be. 2015 will prove to be a challenging year for IT security professionals. Attacks can happen anywhere and at any time, and they do not have to be major attacks by nation states: they can come from inside or outside the organization.
According to Gartner (as reported by SecurityWeek), total information security spending will grow a further 8.2 percent in 2015 to reach $76.9 billion. Unfortunately, security investment is not keeping up with IT enhancements that continuously widen our attack surface and make systems more vulnerable. As software has become the backbone of modern civilization, “hacktivists”, organized cyber criminals, state-sponsored attackers and terrorist organizations try to exploit design flaws and weaknesses in applications in order to embarrass corporations and government agencies, and to commit fraud.
The steady flow of software security issues will keep making headlines in 2015. Serious security flaws will be found in both open source and proprietary software.
Many people are looking for a good process for developing secure software, because after-the-fact band-aiding is not a sustainable approach. If the same methods continue to be used to develop software, with tests added retrospectively, there will be only a very modest reduction in the flow of problems. Processes for developing reliable and secure networking software exist, but they have yet to be broadly applied. The traditional methods used to develop software continue to produce high failure rates. Why create insecure security software?
Year 2014 was a year of cyber security dominated by the NSA revelations that began in 2013. Lots of articles were written about the published material. Not everything has been published yet, so I expect further details of the NSA revelations to surface in 2015, and new leaks about how governmental security organizations spy on us all.
It seems like 2014 has almost been “The Year of PoS Breaches.” Can we learn from big breaches? At least companies will face more stringent regulations: the new Payment Card Industry Data Security Standard 3.0 (PCI DSS 3.0) becomes mandatory for all businesses that store, process or transmit payment card information beginning 1 January 2015. The revamped standard includes requirements aimed at third-party providers, and the changes follow a string of high-profile breaches. I do not expect those new requirements to change the situation quickly. As breach reports keep coming, consumers are officially starting to get breach fatigue, and banks are taking breached companies to court to recover the damages caused to them.
Public and private organizations are facing an increasing frequency and sophistication of cyber-attacks and security breaches – many of which are only discovered after the fact. McAfee Labs’ 2015 Threats Predictions report is an eye-opening read which forecasts increased levels of crime, espionage and warfare operations. Cybercriminals are expected to use more sophisticated methods to remain hidden on a victim’s network, carrying out long-term theft of data without detection.
The article Get Ready For The Hack Attack That Drives A Big Company Out Of Business predicts that 2015 will be the year some company goes out of business because it did not plan adequately for an attack. In the past, the most sophisticated hacks against companies were carried out by big nation states or criminal organizations. In 2014 the Sony Pictures hack showed that the motives of sophisticated attackers have shifted from self-gain to destruction. Many company officers are only now becoming aware of the threat (boards of directors and C-level officers have traditionally focused on other risks). A computerized attack can cause a lot of damage to a well-prepared company, and can turn a less well-prepared company into a complete disaster from which it cannot recover. The Sony attack opens new doors of risk in the area of corporate extortion.
As the Internet of Things becomes more widely used, it will be hacked more, so the security of the Internet of Things will be talked about more and more. IoT is one field where cyber security flaws can kill. The European Police Office (Europol) said governments are ill-equipped to counter the menace of “injury and possible deaths” caused by hacking attacks on critical safety equipment. Transportation holds many potential dangers: many new cars are Internet connected and potentially vulnerable, SCADA systems in railways are vulnerable to attack, and airline bosses ignore cyber security concerns at their peril. Whether it is an unintentional cyber incident or a deliberate attack, security continues to be a vital part of the automation industry and, together with safety, will remain a growing area of concern for manufacturers in the coming years. Security awareness is on the rise throughout the industry. Security is becoming a business enabler that can give manufacturers more than just an insurance policy.
Soon almost every network will have IoT hacking in it. IDC predicts that within two years 90 per cent of global IT networks will have experienced IoT-related data theft. In a report, cyber security firm Fortinet expects greater threats from “denial of service attacks on assembly line, factory, industrial control systems, and healthcare and building management…resulting in revenue losses and reputation damages for organizations globally.” This opens new doors of risk in the areas of corporate extortion, the altering of corporate business operations, and the extension of cyber attacks to physical threats of harm to civilians.
Cyber warfare is becoming more and more attractive to small nations and terrorist groups. Enabled by Internet connectivity, cyber war provides more bang for the buck than investment in conventional weapons. It is cheaper and far more accessible to small nation states than conventional weapons. It allows these countries to pull off attacks with less risk of getting caught and with fewer repercussions when they are caught. There are many reasons why a nation state or non-state entity would pursue a cyber war program, and today many countries, large and small, invest in cyber warfare. Recent cyber attacks suggest that fewer resources are required to wage an attack than to defend against one. As the whole world gets connected, it provides the details that make these attacks possible. In the not-too-distant future, warfare with traditional weaponry may take a back seat to potentially more destructive tactics: computer code attacking the companies and infrastructures that society relies on, including electric grids and oil and gas pipelines.
It was estimated that the first online murder would happen in 2014. As far as I know, it did not happen in 2014. I think it is likely that an online murder can happen in 2015: the tools for it exist, and a cyber murder could happen without us ever knowing about it.
Mobile devices will be one of the focal points for cyber attackers in 2015, as they present relatively easy, low-risk points of entry that can be monitored remotely for passwords, account numbers and personal identification data. It is still relatively easy to get malicious applications published in app stores. Within the next year, advanced mobile exploit kits will become available.
Mobile devices will start to play a part in denial of service attacks. Vietnam, India and Indonesia will be the distributed denial of service volcanoes of next year due to the proliferation of pwned mobiles.
Year 2014 brought encryption to mainstream smartphones (new encryption features from Apple Inc. and Google Inc.). In 2015 government organizations will try to tackle a very modern problem: password-protected, encrypted cellphones. It will be a fight over surveillance as everyone starts to implement encryption.
Long predicted but always seeming to be “just around the corner,” mobile payments may finally have arrived. The underlying technologies of the coming mobile payment revolution, and alternative solutions, have been emerging for some time. Technologies playing a supporting role in this shift include encryption advances, digital currencies, biometrics, NFC, Bluetooth, QR codes and even sound-wave data transfer. There will also be products marketed to counter the various potential threats these new technologies bring.
There is a never-ending battle between good and evil in the cyber world. Various types of attacks succeed because they are well disguised, blend different techniques and constantly evolve. You need layered security, and not just for networks. Use a layered security architecture that combines defenses in ways attackers do not expect and that continuously evolves its protections to keep up with dynamic attacks. Traditionally these approaches have focused on the network, but they can and should be applied to other parts of the IT system as well (start with email gateways). Email is the preferred channel for business communications and thus continues to be a vector of choice for attackers.
Threat information sharing will become necessary for survival. Security controls (the SANS Critical Controls, ISO/IEC 27002, the NIST Cybersecurity Framework and the Cloud Controls Matrix) are safeguards that counteract or minimize security risks to digital assets. The more of a control you can automate, the better off you will be. Moving towards an adaptive and automated way of applying intelligence based on behavior and heuristics is clearly a step in the right direction, enabling a more actionable and relevant set of controls. Threat intelligence from a variety of sources (security companies, governments and the open source community) is needed. Key to success is publishing that intelligence in standard data structures (STIX, TAXII and other industry formats) that describe threats in a way that can be aggregated and understood by others.
More and more organizations are moving applications and data to IaaS/PaaS environments. Many enterprise IT departments have reason for concern: industry experts agree that moving sensitive data into the hands of third-party cloud providers expands and complicates the risk landscape in which companies operate every day. You need to understand cloud database security basics, and more.
Today the major players are embracing end-to-end encryption, so that about 50% of web traffic is carried over HTTPS. HTTPS everywhere will get a boost in 2015, as a new certificate authority backed by big names on the Internet, including Mozilla, Cisco and Akamai, plans to offer SSL certificates at no charge starting in summer 2015. This move will make it even easier to run encrypted, secure HTTPS websites.
Google is proposing to warn people that their data is at risk every time they visit a website that does not use HTTPS. If implemented, the change would mean that a warning pops up when people visit a site that uses only HTTP, to notify them that such a connection “provides no data security”. In the short term, the biggest headache will be for website operators, who will feel forced to migrate unencrypted HTTP websites to encrypted HTTPS.
You cannot trust that the usual web security technologies will guarantee safety. Your HTTPS connections will be manipulated more than before. End-to-end HTTPS is generally a good security addition for end users, but it does not solve every problem. The increased use of HTTPS has made life harder for IT departments, because a normal firewall cannot see inside encrypted HTTPS traffic and so cannot block threats carried within it. Some corporate firewalls and proxies therefore intercept HTTPS: they act as a deliberate man-in-the-middle, terminating the client's TLS session with a certificate issued by an enterprise CA that the client machines have been configured to trust, decrypting and inspecting the traffic, and re-encrypting it towards the real server. So SSL/TLS communications can be intercepted and broken, and the same mechanism works for anyone else who manages to get a CA certificate into a client's trust store. The one signal left to the client is that the certificate chain it sees is not the one the site really uses.
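An added example of the check that catches such interception from the client side (this is illustration code written for this page, not code from the original post or from any product it mentions). It applies public-key pinning in the style of HPKP (RFC 7469): walk the certificate chain the client was handed and require that at least one certificate in it carries a pinned public key. An intercepting proxy has to present a freshly generated key for the site, signed by its own CA, so the pins never match, regardless of whether the client trusts that CA. The certificates below are constructed records with stand-in key bytes so the script runs offline; the names "Public CA Root", "Corporate Proxy CA" and www.example.com are assumptions made for the example. A real check would take the DER chain from an ssl.SSLSocket and hash each certificate's SubjectPublicKeyInfo.

```python
"""Detect an intercepted HTTPS session with public-key pinning (illustration)."""
import base64
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """A minimal stand-in for an X.509 certificate (constructed, not parsed)."""
    subject: str
    issuer: str
    spki: bytes  # DER SubjectPublicKeyInfo in reality; constructed bytes here


def spki_pin(cert: Cert) -> str:
    """HPKP-style pin: base64(sha256(SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(cert.spki).digest()).decode()


def chain_is_linked(chain) -> bool:
    """Each certificate must name the next one as its issuer and the
    last must be self-signed. (Name matching only; a real validator
    also verifies the signatures, which this example omits.)"""
    for cert, issuer in zip(chain, chain[1:]):
        if cert.issuer != issuer.subject:
            return False
    return bool(chain) and chain[-1].issuer == chain[-1].subject


def check_pins(chain, pins):
    """Return (ok, reason). ok is True only when the chain links and at
    least one certificate in it carries a pinned key, which is the
    RFC 7469 rule: any pin matching any certificate in the chain passes."""
    if not chain_is_linked(chain):
        return False, "certificate chain does not link to a self-signed root"
    for cert in chain:
        if spki_pin(cert) in pins:
            return True, f"pin matched on '{cert.subject}'"
    return False, f"no pinned key in chain; root is '{chain[-1].subject}'"


# Constructed sample keys standing in for DER SPKI blobs.
SITE_KEY = b"site-key-2015"
INTERMEDIATE_KEY = b"public-ca-intermediate-key"
ROOT_KEY = b"public-ca-root-key"
PROXY_KEY = b"proxy-generated-key"
PROXY_CA_KEY = b"corporate-proxy-ca-key"

# The chain the site really serves (assumed names).
GENUINE_CHAIN = [
    Cert("CN=www.example.com", "CN=Public CA Intermediate", SITE_KEY),
    Cert("CN=Public CA Intermediate", "CN=Public CA Root", INTERMEDIATE_KEY),
    Cert("CN=Public CA Root", "CN=Public CA Root", ROOT_KEY),
]

# What a browser sees behind an intercepting firewall: the same subject
# name, but a key the proxy generated, signed by a CA that was pushed into
# the client's trust store. Trust-store validation alone accepts this.
INTERCEPTED_CHAIN = [
    Cert("CN=www.example.com", "CN=Corporate Proxy CA", PROXY_KEY),
    Cert("CN=Corporate Proxy CA", "CN=Corporate Proxy CA", PROXY_CA_KEY),
]

# Pin the site's intermediate plus the root as backup (RFC 7469 requires
# a backup pin so a key rotation does not lock clients out).
PINS = {spki_pin(GENUINE_CHAIN[1]), spki_pin(GENUINE_CHAIN[2])}


if __name__ == "__main__":
    for name, chain in (("genuine", GENUINE_CHAIN), ("intercepted", INTERCEPTED_CHAIN)):
        ok, reason = check_pins(chain, PINS)
        print(f"{name:12s} {'OK' if ok else 'INTERCEPTED'}: {reason}")
```

Pinning the intermediate or root rather than the leaf key is the usual choice, because the leaf key changes on every renewal while the CA keys do not. The flip side is the caveat the paragraph above implies: on a managed corporate network the interception is deliberate, so a pinning client will simply fail to connect rather than silently accept the proxy's certificate, which is exactly the outcome the policy intends.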
Tomi Engdahl says:
Don’t be fooled! He’s not from the IT crowd… he’s a CYBERSPY – FireEye
Is that Tom the techie or a Chinese spear-phisherman?
http://www.theregister.co.uk/2015/02/24/fireeye_threat_report/
Impersonating IT departments in spear-phishing attacks is becoming an increasingly popular tactic among hackers, particularly in cyber-espionage attacks.
IT staff themed phishing emails comprised 78 per cent of observed phishing schemes picked up by FireEye in 2014, compared to just 44 per cent in 2013.
The sixth annual FireEye Mandiant M-Trends report, published on Tuesday, reports that organisations are getting slightly speedier at picking up trespassers in their network. Breach detection times dropped from 229 days in 2013 to 205 days last year. The slight improvement still means that successful hacker attacks remain undetected for months.
In some cases breaches can go undetected for years.
Hackers are adopting more sophisticated and stealthy tactics.
More details can be found in the 2015 Mandiant M-Trends report
https://www2.fireeye.com/rs/fireye/images/rpt-m-trends-2015.pdf
Tomi Engdahl says:
LinkedIn values your privacy at ONE WHOLE LOUSY DOLLAR
Password hack suit settled for next to nothing
http://www.theregister.co.uk/2015/02/24/linkedin_values_your_privacy_at_one_lousy_dollar/
LinkedIn, which leaked millions of passwords in 2012, has settled the class action that followed its egregious error.
That led 800,000 American users of LinkedIn premium services to kick off a class action lawsuit which, after being kicked around the legal system for a while, finally got narrowed down to something the social site could live with and it decided to settle: a whole US$1.25 million which leaves everybody with a dollar after the lawyers take their hunk.
It might be more than a dollar. After all, not everybody associated with the original class action will get around to filing a claim.
LinkedIn announced Q4 2014 revenue of US$643 million and annual revenue of $US2,219 million,
Tomi Engdahl says:
Pakistanis Must Provide Fingerprints Or Give Up Cellphone
http://mobile.slashdot.org/story/15/02/24/0537219/pakistanis-must-provide-fingerprints-or-give-up-cellphone
In one of the world’s largest — and fastest — efforts to collect biometric information, Pakistan has ordered cellphone users to verify their identities through fingerprints for a national database being compiled to curb terrorism. If they don’t, their service will be shut off.
Tomi Engdahl says:
Insert tab A into slot B
Computers are everywhere, they are in everything. The Internet Of Things is coming and, quite frankly, the day has already come that if IT practitioners are not capable of thinking beyond just the technical aspects of our job then people will die.
Create a wireless pacemaker but forget to secure it against a world filled with madmen? People die. Create a car where electronics systems can be tampered with to override driver input on steering, braking, etc? People die. Create electronic display signage for emergency situations without taking into account people with visual disabilities of various types? People die.
I’m scared of the future. I’m scared of a world of armed drones and cybernetic implants, of self-driving cars and creepy “always on” wearable video cameras. I’m scared of a world where these products and services are designed and overseen by nerds who can’t overcome brand loyalty or make objective judgments about privacy.
Source: http://www.theregister.co.uk/2015/02/24/how_objective_are_you_sysadmins/?page=2
Tomi Engdahl says:
1 in 3 Europeans Lie On Signup Information, Symantec Says
http://blogs.wsj.com/digits/2015/02/23/1-in-3-europeans-lie-on-signup-information-symantec-says/
Europeans are starting to respond to a growing sense of unease over their personal data online, with over half now avoiding posting personal details online, a new report by security company Symantec claims. But despite the extra caution, only 1 in 4 read the terms and conditions in full when buying or signing up to products and services online.
One in 3 consumers across Europe admitted to providing false information to protect their privacy. 36% of Germans and 34% of U.K. and Spanish respondents stated they had given fake details online—the highest across Europe—in a bid to avoid giving out their credentials.
The fake details include email address, phone number, and even a name. Young people aged 18-24 were most likely to provide false details, the report found. Those aged 65 and over were most likely to provide true information when signing up to online services.
Sian John, chief security strategist EMEA at Symantec, said people were beginning to express their mistrust in businesses, especially in the technology space.
Businesses relying on user data need to take into account that some consumers could be falsifying their personal information, she said.
“You may be putting your faith in user data at the expense of truth,” John said.
Tomi Engdahl says:
Apple wants to track iPhones – even when they’re turned off
http://www.independent.co.uk/life-style/gadgets-and-tech/news/apple-wants-to-track-iphones–even-when-theyre-turned-off-10066378.html
Apple could soon be able to track phones even when they’re turned off.
The plan, for which Apple was awarded a patent at the end of January, would allow phones to go into a kind of zombie mode – apparently shut off, but actually tracking the phone’s movements.
But while the feature might sound like a way of Apple and other governments tracking your location, it will likely make the phones more secure.
Apple’s Find My iPhone service allows users to track phones if they’re lost or stolen, allowing them to be traced and found. But at the moment, thieves can simply turn the phones off, stopping the tracking feature.
Tracking features and other innovations such as kill switches have cut smartphone theft in half, and also allow phones to be recovered if they are stolen.
Tomi Engdahl says:
In Privacy Update, Reddit Tightens Restrictions on Nude Photos
http://bits.blogs.nytimes.com/2015/02/24/in-privacy-update-reddit-tightens-restrictions-on-nude-photos/?_r=0
For nearly a decade, Reddit, the huge online message board, has been known for its freewheeling stance on letting its users govern themselves.
Now, Reddit is starting to change its views, if only ever so slightly. Reddit announced a change to its privacy policy on Tuesday that prohibits posting nude photos or videos of people engaged in sex acts without their prior consent to have it posted.
The policy shift will likely upset members of a number of Reddit communities, some of which use the site to trade illicit photos taken of others without their permission.
That is particularly pertinent for Reddit, which was embroiled in a scandal last Fall after hackers stole nude photos of celebrities like Jennifer Lawrence and posted them to online message boards, including Reddit.
“For all of us in social media, we’re all venturing into new territory,” Mr. Ohanian said. “We’ve never seen these platforms — like Reddit, like Twitter — ever before.”
Tomi Engdahl says:
Dennis Fisher / Threatpost:
Google turns annual Pwnium bug-hunting contest into year-round program with unlimited rewards
Google Pwnium Program Now Open All Year
http://threatpost.com/google-pwnium-program-now-open-all-year/111251
Google is expanding its successful Pwnium vulnerability reward program–which has run at various security conferences for a couple of years now–to run continuously and offer an unlimited pool of financial rewards.
Google’s Pwnium has a different set of rules that ask winners to disclose all of the details of a vulnerability in Chromium along with the exploit.
“If a security researcher was to discover a Pwnium-quality bug chain today, it’s highly likely that they would wait until the contest to report it to get a cash reward. This is a bad scenario for all parties.”
Tomi Engdahl says:
U.S. offers highest-ever reward for Russian hacker
http://www.reuters.com/article/2015/02/24/us-usa-cyberattack-russian-idUSKBN0LS2CY20150224
The U.S. State Department and FBI on Tuesday announced a $3 million reward for information leading to the arrest or conviction of Russian national Evgeniy Bogachev, the highest bounty U.S. authorities have ever offered in a cyber case.
Bogachev has been charged by federal authorities in Pittsburgh, Pennsylvania, with conspiracy, computer hacking, wire fraud, bank fraud and money laundering in connection with his alleged role as administrator of GameOver Zeus.
He also faces federal bank fraud conspiracy charges in Omaha, Nebraska related to his alleged involvement in an earlier variant of Zeus malware known as “Jabber Zeus.”
Tomi Engdahl says:
Zeus scumbag infects themselves, buddies, with rival trojan
See what happens when you don’t run antivirus?
http://www.theregister.co.uk/2015/02/25/zeus_scumbag_infects_themselves_buddies_with_rival_trojan/
A Zeus hacker cabal has infected itself and colleagues with a rival malware in an act of poetic justice noticed by RSA researcher Lior Ben-Porat.
The blackhat developed a custom Zeus panel for the infamous trojan of the same name, which was found compromised by the Ramnit worm.
Ben-Porat says the malware muck up happened after the Zeus hacker created the panel on a machine they did not realise was infected with and spreading Ramnit.
Ramnit is a fading piece of internet trash that should be picked up by most antivirus systems, a piece of security defence that vxers might choose not to install for obvious reasons.
Tomi Engdahl says:
NSA Director Wants Legal Right To Snoop On Encrypted Data
http://it.slashdot.org/story/15/02/24/1924234/nsa-director-wants-legal-right-to-snoop-on-encrypted-data
This may not come as a huge shock, but the director of the NSA doesn’t believe that you have the right to encrypt your data in a way that the government can’t access it.
NSA director wants gov’t access to encrypted communications
http://www.itworld.com/article/2887795/nsa-director-wants-govt-access-to-encrypted-communications.html
It probably comes as no surprise that the director of the U.S. National Security Agency wants access to encrypted data on computers and other devices.
The U.S. should be able to craft a policy that allows the NSA and law enforcement agencies to read encrypted data when they need to, NSA director Michael Rogers said during an appearance at a cybersecurity policy event Monday.
Asked if the U.S. government should have backdoors to encrypted devices, Rogers said the U.S. government needs to develop a “framework.”
“You don’t want the FBI and you don’t want the NSA unilaterally deciding, ‘So, what are we going to access and what are we not going to access?’”
Justsecurity.org has a transcript of an exchange between Rogers and Yahoo CISO Alex Stamos at Monday’s event.
Tomi Engdahl says:
Can Tracking Employees Improve Business?
http://tech.slashdot.org/story/15/02/24/2058209/can-tracking-employees-improve-business
The rise of wearable technologies and big-data analytics means companies can track their employees’ behavior if they think it will improve the bottom line. Now an MIT Media Lab spinout called Humanyze has raised money to expand its technology pilots with big companies.
Pilots with Bank of America and Deloitte have led to significant business improvements, but workplace privacy is a big concern going forward.
Humanyze Hits Up Investors to Support “People Analytics” in Business
http://www.xconomy.com/boston/2015/02/24/humanyze-hits-up-investors-to-support-people-analytics-in-business/?single_page=true
The startup is called Humanyze—it was formerly known as Sociometric Solutions—and it spun out of the MIT Media Lab in 2011. Since then, the eight-person company has been heads-down developing technology to help businesses improve their performance by understanding how their employees behave on a daily basis.
The key? Gathering and analyzing data on how employees talk to customers, who talks to whom within companies, what times of day people send e-mail, make phone calls, go on break, and so on. If it all sounds a little Big Brother-ish, well, Humanyze has thought carefully about those privacy concerns (more on that below).
The field of data-driven human resources is starting to see a lot of interest—and hype—whether you call it people analytics, reality mining, or “Moneyball” for business. The trend is being driven in part by mobile and wearable technologies, as well as the rise of big-data analytics. Yet, as Waber puts it, it’s surprising “how data-driven companies are about their business, but it never includes their people.”
Tomi Engdahl says:
Lenovo CTO: Hey, look around – we’re not the only ones with a crapware infection
Friday is D-Day for PC lobber to regain trust
http://www.theregister.co.uk/2015/02/25/lenovo_cto_were_not_the_only_ones_with_a_crapware_problem/
On Friday Lenovo is going to tell the world about how it plans to regain the trust of its users in the wake of the Superfish clusterfuck – and may even launch an independent security audit of its products.
“Our goal, in the end, is to make this right,” Lenovo’s CTO Peter Hortensius told The Register on Tuesday. “It’s going to take a long road to earn trust back.”
Lenovo was caught bundling adware Superfish with its cheapo laptops to make a fast buck by injecting adverts into websites, a move that left users vulnerable to online password theft.
Hortensius claims this is an industry-wide problem, and analysts have found other companies slipping software similar to Superfish into people’s PCs.
“Everyone is one step away from disaster and we’re going to make sure that when we’re done we’re several steps away.”
Hortensius said that last Thursday morning was the first he knew of a problem with Lenovo laptops and Superfish, and he initially assumed it was just an adware issue. Within a few hours he realized the problem was more serious, he says, and Lenovo went into crisis management mode.
Lenovo, with the help of Microsoft and antivirus makers, worked to rid its laptops of Superfish, its ad-injection code and its rogue root CA certificate that compromised HTTPS connections, even releasing an open-source uninstall tool.
That was the first step, Hortensius said, but his company recognizes that it’s got a much bigger hill to climb to get trust back from buyers. The firm hadn’t realized that so many of its PCs were used in businesses, he said, and it was clear that it is going to be difficult to reestablish trust.
Tomi Engdahl says:
Superfish: Lenovo ditches adware, but that doesn’t fix SSL megavuln – researcher
Here’s how to zap the ad-injecting crapware
http://www.theregister.co.uk/2015/02/19/superfish_lenovo_analysis/
But the problem only hit the mainstream after security researcher Marc Rogers wrote about it on Wednesday (here), provoking the angriest reaction against a tech firm since the Sony BMG rootkit affair back in 2005.
Lenovo was deliberately breaking secure connections, making it easier in the process for any attackers to spoof any HTTPS website, say researchers. Obtaining a private key from one Lenovo laptop would allow the technically knowledgeable to snoop on the web traffic of any other Lenovo users on the same network.
Tomi Engdahl says:
HP: 10 most common security issues in 2014 were from code over two years old
… and sometimes dating back decades
http://www.theinquirer.net/inquirer/news/2396783/hp-10-most-common-security-issues-in-2014-were-from-code-over-two-years-old
NEARLY HALF of all security breaches come from vulnerabilities that are between two and four years old, according to this year’s HP Cyber Risk Report entitled The Past Is Prologue.
The annual report found that the most prevalent problems came as a result of server misconfiguration, and that the primary causes of commonly exploited software vulnerabilities are defects, bugs and logic flaws.
But perhaps most disturbing of all was the news that Internet of Things (IoT) devices and mobile malware have introduced a significant extra security risk.
The entire top 10 vulnerabilities exposed in 2014 came from code written years, and in some cases decades, previously.
“Many of the biggest security risks are issues we’ve known about for decades, leaving organisations unnecessarily exposed,” said Art Gilliland, senior vice president and general manager for enterprise security products at HP.
“We can’t lose sight of defending against these known vulnerabilities by entrusting security to the next silver bullet technology. Rather, organisations must employ fundamental security tactics to address known vulnerabilities and, in turn, eliminate significant amounts of risk.”
Tomi Engdahl says:
The House Always Wins
http://www.securityweek.com/house-always-wins
In information security, the sample bias results in statements like “all of our people are above average”, “our false positive rates are quite low”, “the maturity of our security program is amongst the most mature in our vertical”, and others. For some organizations, these statements may be partially or wholly true. But, as the law of large numbers teaches us, it simply cannot be that these statements are true for the majority of organizations. Instead, the sample bias can trick an organization into thinking its security is better than it really is.
Or, alternatively, the pressure to exude good security and confidence in one’s security program can cause an organization to be dishonest with itself, its leadership, its board, its peers, its partners, and its customers. In the end, this can have dire consequences, as anyone who reads the news can see.
Given this, what can organizations do to counter the sample bias and its effects to ensure they continue to progress and improve their security posture?
Culture
First and foremost, an organization that successfully counters the sample bias and its effects is one that shies away from groupthink and encourages honesty.
Self-awareness
Self-awareness is an organizational trait that builds on the organizational culture mentioned above. Realizing and acknowledging that capabilities need to improve is often half the battle. Self-awareness comes with a dose of humility that allows us to learn from others that have come before us.
Self-awareness can often be a challenge inside a security organization. Sometimes we become so busy with the day to day that we forget to come up for air and evaluate where we are strategically.
Humility
Of course, identification of issues and weakness inside the security organization is no guarantee that they can be remedied. As the saying goes, the devil is in the details.
Letting one’s guard down and retracting one’s puffed out chest is important when looking to improve. That allows for internalization of constructive criticism and the implementation of ideas that can improve the organization’s security posture.
It may sound counter-intuitive, but admitting weakness is actually a strength. By being truthful, honest, straightforward, and earnest, we empower ourselves to grow and improve, both as individuals and as organizations. This is an important cultural aspect that helps improve an organization’s security posture, and it is one that is often overlooked.
Tomi Engdahl says:
Forced Perspective: Your Cyberdefense Tactics Appear Bigger Than They Are
http://www.securityweek.com/forced-perspective-your-cyberdefense-tactics-appear-bigger-they-are
Over Emphasis, or “Flipping the Landscape”
One of the key techniques involved in most forced perspective construction involves over-emphasizing the position of the object or space you want to be the most important in contrast to features you want to overcome.
In the case of cybersecurity, there is pretty much a conventional wisdom for how you protect yourself against cyber threats. Spend tons of cash, buy firewalls, install and configure IDS/IPS systems, hire lots of staff, send them to conferences, study threat actors, track progress every quarter and accrue monies for when you get sued. It’s what everyone else does, it’s what’s always been done and it feels natural.
All of it may be prudent and necessary to be sure – after all, who leaves their doors open at night? But it does create a false sense of one’s security reality, as it were. A sense that, because the world looks right, everything is. More dangerously, once the image is accepted by the brain, it causes us to ignore further scrutiny and analysis and accept that things are natural and as they should be.
For architecture, this is the intended purpose. Cheat the mind into thinking something’s more than it is; more spacious, more open, bigger or longer. That’s a good thing.
But for our businesses and their security, this effect is lethal. In the face of a threat that demands dynamic attention, it causes lethargy and laziness. We forgo thinking outside the problem, looking at things from fresh perspectives, trying new things or innovating to overcome challenges or fix unsatisfactory conditions. We even ignore fundamental, practical things, such as root-cause analysis, risk management, software patching, access control, training, communications and effective info-sharing. New and old threats become invisible, blending into the landscape.
Thus, insecurity becomes a part of the fabric of our lives. We come to ignore the very real connection of individual elements all around us on our products, our brands and reputation, IT infrastructures and financial bottom lines. As such, any specific measure of effective cyberdefense – already an impossible challenge on the whole – becomes unrealizable.
In the case of enterprise cybersecurity, we do the same things week in and week out in building our cyberdefenses.
For example, across industry, very few companies invest heavily in strategic planning and risk management programs built specifically around cybercrime.
Tomi Engdahl says:
The Future of Cybersecurity Hinges on Boardroom Engagement Today
http://www.securityweek.com/future-cybersecurity-hinges-boardroom-engagement-today
Cyber attacks are increasingly sophisticated and discreet. Nation states and cybercriminal organizations frequently bankroll and mastermind these attacks with the aim of financial or political gain. If attackers have high-powered backing behind them, shouldn’t defenders as well? Isn’t it time that organizations’ top leaders are actively engaged in defense? Granted, the vast majority of enterprises have an executive with direct responsibility for security. But for modern businesses, security leadership needs to ascend even higher in the organization: to the boardroom.
Given that in the modern economy every company runs on IT, an increased focus on cyber risk at the board level is a positive development, but one that is long overdue. Security is the business of every person in the organization, from the chief executive to the newest hire, and not just personnel with “security” in their title or job description. Everyone should be accountable, and learn how to avoid becoming a victim.
A core component of the future of cybersecurity will be greater engagement by the board. Corporate boards of directors across industries need to know what the cybersecurity risks to the business are and their potential impact.
Tomi Engdahl says:
Cyber Security Coming to a Screen Near You
http://www.securityweek.com/cyber-security-coming-screen-near-you
What are we to make of Hollywood’s latest obsession with all things cyber? Between the recently released movie, Blackhat, and the forthcoming CSI CYBER TV series, the powers that be have clearly decided this subject is exciting enough to attract an audience. Security has hit the mainstream.
There are pros and cons to this phenomenon.
Tomi Engdahl says:
Banking Malware Redefined
http://www.securityweek.com/banking-malware-redefined
For several years now, cybercrime in the financial sector was synonymous with banking botnets such as Zeus and Carberp. By and large, these malware families and their many descendants worked by infecting banking customers’ computers and either stealing passwords or manipulating online banking sessions to steal funds.
A recent report from Kaspersky Lab shows that criminals have significantly raised their game with a new strategy focused on infiltrating and stealing directly from more than 100 different banks. Kaspersky named the operation the Carbanak APT and early estimates put losses in the range of $1 billion USD.
As you might expect, robbing a bank can be more lucrative than stealing from its customers. Even highly successful Zeus operations would typically net in the range of $100 million USD or less. Carberp, the banking botnet progenitor of Carbanak, was estimated to have earned a total of $250 million over years of use in the wild. This makes the $1 billion dollar Carbanak heist one of the most successful financial cybercrimes in history.
Attackers Becoming Insiders
Generally speaking, banking networks are highly secure environments with a variety of unique internal processes, software and systems. Infiltrating and stealing in such a labyrinth would seem to be endlessly complicated. However, like most modern malware, Carbanak is not some autonomous bit of code running on its own, but rather a vehicle for a remote human attacker to watch, learn and remotely drive the attack. This approach enabled the attackers to assimilate the knowledge of the infected user and apply that information to further the attack.
Once they successfully infected a bank employee’s computer, the attackers patiently listened and learned. The Carbanak malware recorded the employee’s desktop display and sent video to the remote attacker.
Dangers Hidden in the Whitelist
Every persistent attacker needs the ability to remain in the network for long periods of time without being detected. Unlike previous attacks that relied on specialized custom tools to avoid detection, the Carbanak attackers avoided detection by using the same tools commonly used by bank administrators. As a result, the actions of the attacker were able to blend in with the normal traffic and applications common to the network.
Instead of using a new, never-seen-before tool, attackers opted for the obvious tools that were already approved on the network. For instance, attackers used VNC and PuTTY for remote desktop and SSH respectively. Neither of these tools or protocols would seem out of place given that bank administrators commonly use them.
All this means that, going forward, security teams cannot rely on a single smoking-gun indicator of compromise and must use context to reveal the patterns of an attack.
The key to the success of Carbanak was its ability to infiltrate a bank’s network and remain undetected for extended periods of time.
This “low and slow” network intrusion is the same fundamental strategy employed in virtually every major data breach and cyber attack seen in the past few years. The blueprint is disturbingly familiar – employees are initially infected via phishing or watering hole attacks, attackers perform reconnaissance to build a map of the victim’s networks, lateral movement tools extend the attacker’s footprint and durability within the victim’s network, data is accumulated and stolen all while malware provides the attacker with ongoing remote control.
The standard narrative of network breaches in the media is that the attackers were either incredibly sophisticated and targeted, or there was an egregious security failing on the part of the victim that allowed the attack to succeed. In both cases the implication is that the attack was somehow exceptional and rare. When 100 banks all fall to the same approach, we are facing a generalized threat, not an exceptional one.
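The point about context rather than a single smoking-gun indicator can be made concrete. The Go program below is an added example written for this comment thread, not code from the SecurityWeek article or from any vendor: it takes process-start records, turns each into at most one weak signal the article itself names (an Office application spawning a program, which is how booby-trapped attachments get their foothold, and PuTTY or VNC appearing on a host that is not an admin workstation) and only alerts on a host that accumulates different kinds of signal within a months-long window. Individually, each event is the sort of thing an analyst would explain away. The log schema, the host names, the `jump01` admin-host inventory, the tool list and the thresholds are all assumptions made for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Event is one normalised process-start record (constructed schema, not a product's).
type Event struct {
	When                time.Time
	Host, Parent, Child string
}

// adminHosts is the assumed inventory of hosts where VNC/PuTTY belong; the
// article's point is that the same tools on any other host are the signal.
var adminHosts = map[string]bool{"jump01": true}
var remoteAdminTools = []string{"vnc", "putty"}
var officeApps = []string{"winword.exe", "excel.exe"} // booby-trapped attachments open here

// indicator maps an event to a weak-signal name, or "" if it is unremarkable.
func indicator(e Event) string {
	parent, child := strings.ToLower(e.Parent), strings.ToLower(e.Child)
	for _, app := range officeApps {
		if parent == app {
			return "office-spawned-child" // Word/Excel should not be launching programs
		}
	}
	for _, tool := range remoteAdminTools {
		if !adminHosts[e.Host] && strings.Contains(child, tool) {
			return "admin-tool-on-workstation"
		}
	}
	return ""
}

// Finding is one host whose weak signals, taken together, look like an intrusion.
type Finding struct {
	Host       string
	Indicators []string // distinct signals, in order of first appearance
	DwellDays  int      // days between the first and last correlated signal
}

// Correlate reports hosts with at least minKinds distinct signals within window of
// their first signal. The window is long on purpose: the report describes two to
// four months of dwell, so a day-sized window sees only isolated, explainable events.
func Correlate(events []Event, window time.Duration, minKinds int) []Finding {
	type sig struct {
		when time.Time
		name string
	}
	perHost := map[string][]sig{}
	for _, e := range events {
		if name := indicator(e); name != "" {
			perHost[e.Host] = append(perHost[e.Host], sig{e.When, name})
		}
	}
	var findings []Finding
	for host, sigs := range perHost {
		sort.Slice(sigs, func(i, j int) bool { return sigs[i].when.Before(sigs[j].when) })
		seen, names, last := map[string]bool{}, []string(nil), sigs[0].when
		for _, s := range sigs {
			if s.when.Sub(sigs[0].when) > window {
				break
			}
			if !seen[s.name] {
				seen[s.name] = true
				names = append(names, s.name)
			}
			last = s.when
		}
		if len(names) >= minKinds {
			findings = append(findings, Finding{host, names, int(last.Sub(sigs[0].when).Hours() / 24)})
		}
	}
	sort.Slice(findings, func(i, j int) bool { return findings[i].Host < findings[j].Host })
	return findings
}

// SampleEvents is constructed data: ws-17 shows the pattern over 75 days, jump01
// runs the same tool legitimately, ws-02 has one lone signal that should not alert.
func SampleEvents() []Event {
	return []Event{
		{time.Date(2014, 10, 1, 9, 12, 0, 0, time.UTC), "ws-17", "winword.exe", "cmd.exe"},
		{time.Date(2014, 10, 1, 9, 13, 0, 0, time.UTC), "ws-02", "winword.exe", "cmd.exe"},
		{time.Date(2014, 11, 20, 14, 5, 0, 0, time.UTC), "ws-17", "explorer.exe", "putty.exe"},
		{time.Date(2014, 11, 20, 14, 6, 0, 0, time.UTC), "jump01", "explorer.exe", "putty.exe"},
		{time.Date(2014, 12, 15, 10, 0, 0, 0, time.UTC), "ws-17", "explorer.exe", "vncviewer.exe"},
	}
}

func main() {
	for _, f := range Correlate(SampleEvents(), 120*24*time.Hour, 2) {
		fmt.Printf("%s: %v over %d days\n", f.Host, f.Indicators, f.DwellDays)
	}
}
```

On the constructed data only ws-17 is reported, with two distinct signals spanning 75 days; shrink the window to 30 days and the same events produce nothing, which is exactly the blind spot a short-lived correlation rule has against a "low and slow" intrusion.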
Tomi Engdahl says:
Time Must Be a Key Consideration for Security Investment and Innovation
http://www.securityweek.com/time-must-be-key-consideration-security-investment-and-innovation
When I talk to security leaders about their most challenging issues, one topic that always seems to come up is how to judge the effectiveness of their technology investments.
As a general rule of thumb, we need to recognize that networks need to be fast and they need to be secure. To truly accomplish this, we need to understand that time is a critical factor. It is the speed at which your network responds to a threat that determines whether you successfully thwart an attack or get owned; and unfortunately, the velocity, volume and impact of these threats continue to grow at a rapid rate.
There are several different ways to think about time as it relates to security.
Ensuring the Network is Fast and Secure
First, time relates to the performance of security solutions, especially as they pertain to the network. Even the most innovative security solution is useless if it produces a significant drag on either network or end-user resources.
Response to Threats
When a threat, like newly identified malware, hits the scene and becomes known by security researchers, companies want to know as soon as possible so they can take action at security enforcement points in the network. The amount of time from discovery to enforcement is a key factor affecting whether a company will be compromised or not.
Operations and Maintenance
It takes time to grow, scale and change security and networks. Operational expenses associated with security can add a significant cost to security teams that are often understaffed. Configuring and updating security policies when provisioning new apps, system maintenance and other operational tasks take time and resources. Finding ways to automate the management of as many of these tasks as possible can significantly reduce the time and operational expense, giving security teams additional time to focus on managing more complex security risks and challenges.
Tomi Engdahl says:
The Great Bank Heist, or Death by 1,000 Cuts?
http://krebsonsecurity.com/2015/02/the-great-bank-heist-or-death-by-1000-cuts/
I received a number of media requests and emails from readers over the weekend to comment on a front-page New York Times story about an organized gang of cybercriminals pulling off “one of the largest bank heists ever.” Turns out, I reported on this gang’s activities in December 2014, although my story ran minus many of the superlatives in the Times piece.
The Times’ story, “Bank Hackers Steal Millions Via Malware,” looks at the activities of an Eastern European cybercrime group that Russian security firm Kaspersky Lab calls the “Carbanak” gang. According to Kaspersky, this group deployed malware via phishing scams to get inside of computers at more than 100 banks and steal upwards of USD $300 million — possibly as high as USD $1 billion.
“Most cybercrime targets consumers and businesses, stealing account information such as passwords and other data that lets thieves cash out hijacked bank accounts, as well as credit and debit cards,” my December 2014 story observed. “But this gang specializes in hacking into banks directly, and then working out ingenious ways to funnel cash directly from the financial institution itself.”
“Anunak or Carbanak are the same,”
Certainly, learning that this group stole possibly close to USD $1 billion advances the story, even if the Kaspersky report is a couple of months late, or generous to the attackers by a few hundred million bucks. The Kaspersky report also references (but doesn’t name) victim banks in the United States, although the New York Times story notes that the majority of the targeted financial institutions were in Russia. The Group-IB/Fox-IT report did not mention US banks as victims.
“The cybercriminals sent their victims infected emails — a news clip or message that appeared to come from a colleague — as bait,” The Times’ story reads. “When the bank employees clicked on the email, they inadvertently downloaded malicious code.”
As the Kaspersky report (and my earlier reporting) notes, the attackers leveraged vulnerabilities in Microsoft Office products for which Microsoft had already produced patches many months prior — targeting organizations that had fallen behind on patching. Victims had to open booby trapped attachments within spear phishing emails.
“Despite increased awareness of cybercrime within the financial services sector, it appears that spear phishing attacks and old exploits (for which patches have been disseminated) remain effective against larger companies,” Kaspersky’s report concludes. “Attackers always use this minimal effort approach in order to bypass a victim’s defenses.”
Why should crime groups like this one expend more than minimal effort? After all, there are thousands of financial institutions here in the United States alone, and it’s a fair bet that on any given day a decent number of those banks are months behind on installing security updates. They’re mostly running IT infrastructure entirely based on Microsoft Windows, and probably letting employees browse the Web with older versions of Internet Explorer from the same computers used to initiate wire transfers (I witnessed this firsthand just last week at the local branch of a major U.S. bank). It’s worth noting that most of the crime gang’s infrastructure appears to be Linux-based.
This isn’t intended as a dig at Microsoft, but to illustrate a point: Most organizations — even many financial institutions — aren’t set up to defeat skilled attackers; their network security is built around ease-of-use, compliance, and/or defeating auditors and regulators. Organizations architected around security (particularly banks) are expecting these sorts of attacks, assuming that attackers are going to get in, and focusing their non-compliance efforts on breach response.
“There is evidence indicating that in most cases the network was compromised for between two to four months, and that many hundreds of computers within a single victim organization may have been infected.”
While consumers in the United States are shielded by law against unauthorized online banking transactions, businesses have no such protection.
Russian hacking gangs like this one have stolen hundreds of millions of dollars from small- to mid-sized businesses in the U.S. and Europe over the past five years.
In the vast majority of those cyberheists, the malware that thieves used to empty business accounts was on the victim organization’s computers — not the bank’s.
Now, add to that risk the threat of the business’s bank getting compromised from within and the inability of the institution to detect the breach for months on end.
“Advanced control and fraud detection systems have been used for years by the financial services industry,” the Kaspersky report observed. “However, these focus on fraudulent transactions within customer accounts. The Carbanak attackers bypassed these protections.”
This “security maturity” graphic nicely illustrates the gap between these two types of organizations.
http://krebsonsecurity.com/wp-content/uploads/2014/11/SecurityMaturity.png
Tomi Engdahl says:
Moxie Marlinspike: GPG Has Run Its Course
http://it.slashdot.org/story/15/02/25/0428229/moxie-marlinspike-gpg-has-run-its-course
Security researcher Moxie Marlinspike has an interesting post about the state of GPG-encrypted communications. After using GPG for much of its lifetime, he says he now dreads getting a GPG-encrypted email in his inbox. “Instead of developing opinionated software with a simple interface, GPG was written to be as powerful and flexible as possible.”
GPG And Me
http://www.thoughtcrime.org/blog/gpg-and-me/
A philosophical dead end
In 1997, at the dawn of the internet’s potential, the working hypothesis for privacy enhancing technology was simple: we’d develop really flexible power tools for ourselves, and then teach everyone to be like us. Everyone sending messages to each other would just need to understand the basic principles of cryptography.
GPG is the result of that origin story. Instead of developing opinionated software with a simple interface, GPG was written to be as powerful and flexible as possible. It’s up to the user whether the underlying cipher is SERPENT or IDEA or TwoFish.
Worse, it turns out that nobody else found all this stuff to be fascinating. Even though GPG has been around for almost 20 years, there are only ~50,000 keys in the “strong set,” and less than 4 million keys have ever been published to the SKS keyserver pool ever. By today’s standards, that’s a shockingly small user base for a month of activity, much less 20 years.
In addition to the design philosophy, the technology itself is also a product of that era. As Matthew Green has noted, “poking through an OpenPGP implementation is like visiting a museum of 1990s crypto.”
All of this baggage has been distilled into a ballooning penumbra of OpenPGP specifications and notes so prolific that the entire picture is almost impossible to grasp.
What we have
Today, journalists use GPG to communicate with sources securely, activists use it to coordinate world wide, and software companies use it to help secure their infrastructure. Some really heroic people have put in an enormous amount of effort to get us here, at substantial personal cost, and with little support.
These are deep structural problems. GPG isn’t the thing that’s going to take us to ubiquitous end to end encryption, and if it were, it’d be kind of a shame to finally get there with 1990’s cryptography.
Tomi Engdahl says:
Guidelines for Smart Grid Cyber security
Volume 1 – Smart Grid Cyber security Strategy,
Architecture, and High-Level Requirements
https://scadahacker.com/library/Documents/Best_Practices/NISTIR-7628R1%20-%20Guidelines%20for%20Smart%20Grid%20Cyber%20Security%20%28consolidated%29.pdf
Tomi Engdahl says:
Mic Wright / The Next Web:
Visa announces credit card tech that could speed up Apple Pay’s arrival in Europe
http://thenextweb.com/apple/2015/02/24/visa-announces-credit-card-tech-that-could-speed-up-apple-pays-arrival-in-europe/
Visa Europe has announced that it’s introducing a secure way to pay with your smartphone while keeping your credit card details concealed. Bringing the method to Europe could speed up the arrival of Apple Pay and other new contactless payment services.
Visa says it will introduce “tokenization” by mid-April. The technique substitutes your credit card information with a series of numbers that can be used to authorize payment without revealing your actual account details. When you use your smartphone to make a contactless payment, the token is submitted, instead of your account information.
The introduction of token-based security by Visa and rivals including MasterCard and American Express was a key component in the launch of Apple Pay in the US last year.
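To make the tokenization idea concrete, here is an added Go example written for this comment thread; it is not code from Visa, Apple or the article, and it is an illustrative design rather than Visa's or EMVCo's published scheme. A token service keeps a vault that maps random tokens to real card numbers. The phone and the merchant only ever handle the token, which is not derived from the PAN and so cannot be turned back into it without the vault; only the token service resolves it at authorization time. Issuing 16-digit, Luhn-valid tokens so that they pass the same format checks as a card number is an assumption about downstream systems; `4111111111111111` is the well-known test card number.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// Vault is the token service provider's lookup table (illustrative design, not
// Visa's specification). Merchants and phones only ever see tokens; the PAN
// never leaves this side.
type Vault struct {
	tokens map[string]string // token -> PAN
}

func NewVault() *Vault { return &Vault{tokens: map[string]string{}} }

// luhnSum adds a digit string up the Luhn way, doubling every second digit from
// the right; doubleRightmost says whether the rightmost digit is doubled.
// It returns -1 if s contains anything but ASCII digits.
func luhnSum(s string, doubleRightmost bool) int {
	sum, double := 0, doubleRightmost
	for i := len(s) - 1; i >= 0; i-- {
		if s[i] < '0' || s[i] > '9' {
			return -1
		}
		d := int(s[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum
}

// LuhnValid reports whether a full card-style number passes the Luhn check.
func LuhnValid(number string) bool {
	s := luhnSum(number, false)
	return number != "" && s >= 0 && s%10 == 0
}

// luhnCheckDigit returns the digit that makes payload+digit Luhn-valid.
func luhnCheckDigit(payload string) byte {
	return byte('0' + (10-luhnSum(payload, true)%10)%10)
}

// randomDigits returns n cryptographically random decimal digits.
func randomDigits(n int) (string, error) {
	buf := make([]byte, n)
	for i := range buf {
		v, err := rand.Int(rand.Reader, big.NewInt(10))
		if err != nil {
			return "", err
		}
		buf[i] = byte('0' + v.Int64())
	}
	return string(buf), nil
}

// Tokenize issues a fresh 16-digit token for pan. The token is random, not
// derived from the PAN, so it cannot be reversed without the vault; it is made
// Luhn-valid only so that legacy format checks accept it (an assumption about
// downstream systems). Each call, e.g. each enrolled device, gets its own token.
func (v *Vault) Tokenize(pan string) (string, error) {
	if len(pan) < 13 || len(pan) > 19 || !LuhnValid(pan) {
		return "", errors.New("tokenize: not a valid PAN")
	}
	for {
		payload, err := randomDigits(15)
		if err != nil {
			return "", err
		}
		token := payload + string(luhnCheckDigit(payload))
		if _, taken := v.tokens[token]; taken || token == pan {
			continue // astronomically rare, but never reuse a token or echo the PAN
		}
		v.tokens[token] = pan
		return token, nil
	}
}

// Detokenize runs only inside the token service provider, at authorization
// time, to find the real account behind the token the merchant submitted.
func (v *Vault) Detokenize(token string) (string, error) {
	pan, ok := v.tokens[token]
	if !ok {
		return "", errors.New("detokenize: unknown token")
	}
	return pan, nil
}

// Mask is all a receipt or merchant log should ever show of a PAN.
func Mask(pan string) string {
	if len(pan) <= 4 {
		return pan
	}
	return strings.Repeat("*", len(pan)-4) + pan[len(pan)-4:]
}

func main() {
	v := NewVault()
	pan := "4111111111111111" // well-known test card number, Luhn-valid
	token, err := v.Tokenize(pan)
	if err != nil {
		panic(err)
	}
	fmt.Printf("merchant sees token %s for card %s\n", token, Mask(pan))
}
```

The security property worth noticing is that a breach of the merchant, or of the phone, yields only tokens; the vault is the single place that must be protected, and it can additionally bind each token to one device or one merchant so a stolen token is useless elsewhere.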
Tomi Engdahl says:
A Cyberattack Has Caused Confirmed Physical Damage for the Second Time Ever
http://www.wired.com/2015/01/german-steel-mill-hack-destruction/
Amid all the noise the Sony hack generated over the holidays, a far more troubling cyber attack was largely lost in the chaos. Unless you follow security news closely, you likely missed it.
I’m referring to the revelation, in a German report released just before Christmas (.pdf), that hackers had struck an unnamed steel mill in Germany. They did so by manipulating and disrupting control systems to such a degree that a blast furnace could not be properly shut down, resulting in “massive”—though unspecified—damage.
This is only the second confirmed case in which a wholly digital attack caused physical destruction of equipment. The first case, of course, was Stuxnet.
It’s not clear when the attack in Germany took place. The report, issued by Germany’s Federal Office for Information Security (or BSI), indicates the attackers gained access to the steel mill through the plant’s business network, then successively worked their way into production networks to access systems controlling plant equipment. The attackers infiltrated the corporate network using a spear-phishing attack.
Once the attackers got a foothold on one system, they were able to explore the company’s networks, eventually compromising a “multitude” of systems, including industrial components on the production network.
“Failures accumulated in individual control components or entire systems,” the report notes. As a result, the plant was “unable to shut down a blast furnace in a regulated manner” which resulted in “massive damage to the system.”
“The know-how of the attacker was very pronounced not only in conventional IT security but extended to detailed knowledge of applied industrial controls and production processes,” the report says.
The report doesn’t name the plant or indicate when the breach first occurred or how long the hackers were in the network before the destruction occurred.
The report also illustrates the need for strict separation between business and production networks to keep hackers from leaping from one network to another and remotely accessing critical systems over the internet. Although a network can only be considered truly air-gapped if it’s not connected to the internet and is not connected to other systems that are connected to the internet, many companies believe that a software firewall separating the business and production network is sufficient to stop hackers from making that leap. But experts warn that a software firewall can be misconfigured or contain security holes that allow hackers to break through or bypass them nonetheless.
Tomi Engdahl says:
Kim Zetter / Wired:
Firmware is vulnerable because vendors rarely sign or authenticate the software
Why Firmware Is So Vulnerable to Hacking, and What Can Be Done About It
http://www.wired.com/2015/02/firmware-vulnerable-hacking-can-done/
When Kaspersky Lab revealed last week that it had uncovered a sophisticated piece of malware designed to plant malicious code inside the firmware of computers, it should have surprised no one.
And that’s not just because documents leaked by Edward Snowden have shown that spy agencies like the NSA have an intense interest in hacking the firmware of systems, but also because other researchers have shown in the past how insecure firmware—in nearly all systems—is.
Computers contain a lot of firmware, all of which is potentially vulnerable to hacking—everything from USB keyboards and web cams to graphics and sound cards. Even computer batteries have firmware.
“There’s firmware everywhere in your computer, and all of it is risky,” says security researcher Karsten Nohl, who demonstrated last year how he could embed malicious code in the firmware of USB sticks. There’s also firmware in all of our popular digital gadgets—smartphones and smart TVs, digital cameras, and music players.
Most of it is vulnerable for the same reasons the firmware the Equation Group targeted is vulnerable: it was never designed to be secure. Most hardware makers don’t cryptographically sign the firmware embedded in their systems nor include authentication features in their devices that can recognize signed firmware even if they did.
Although random hackers wouldn’t be able to pull off what the Equation Group did in a consistent and stable manner—developing a single module that can reflash the firmware on more than a dozen different hard drive brands and steal data from them without crashing systems—other forms of firmware hacking have been successfully demonstrated.
There has been a lot of theoretical research done on firmware hacking over the years and a few proof-of-concept demonstrations as well.
The USB research of Nohl and Jakob Lell showed how they could hide attack code on USB sticks to hijack a computer, alter files or redirect a user’s internet traffic to a malicious site.
Countermeasures
So what can you do about these firmware security issues? Unfortunately, there’s very little. Antivirus products currently don’t scan a computer’s firmware for malicious code and doing so is not a simple task. So countermeasures for the firmware insecurities are largely in the hands of hardware and chip makers.
Hardware makers should design any firmware or firmware update they distribute to be cryptographically signed. They should also add authentication capability to hardware devices so they can check and verify those signatures. Another protective measure would be to add a write-protect switch on the device side to prevent anyone who is unauthorized from flashing the firmware.
All of these measures would guard against low-level hackers subverting the firmware, but persistent attackers could simply steal the master keys to sign their malicious code and subvert the authentication or write protection.
If vendors provided a checksum of the firmware and firmware updates they distribute, users could periodically check it to see if it differed from the original.
But security changes for firmware could take years to implement, say researchers.
“If everyone started fixing this now, it would probably be fixed on most computers in five to ten years,”
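The countermeasures the article lists (sign the firmware, let the device verify the signature, add a write-protect switch, publish a checksum) are small to state in code. The Go program below is an added example for this comment thread, not any vendor's firmware-update code: it models a device that carries the vendor's public key and a write-protect flag, refuses images that are tampered with, unsigned or signed by someone else, and refuses everything while the switch is set. It uses Ed25519 and SHA-256 from Go's standard library; the `Device` type and the image bytes are constructed for the example. The article's caveat is visible in the same code: every check hangs on the vendor's private key, so a stolen signing key signs anything.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Device models a peripheral fitted with the countermeasures the article lists:
// a vendor public key burned in at manufacture so it can verify signed images,
// and a physical write-protect switch. Illustrative model, not any vendor's code.
type Device struct {
	VendorKey    ed25519.PublicKey
	WriteProtect bool // true models the switch being set: nothing may be flashed
	installed    []byte
}

func NewDevice(vendorKey ed25519.PublicKey) *Device { return &Device{VendorKey: vendorKey} }

var (
	ErrWriteProtected = errors.New("firmware: write-protect switch is set")
	ErrBadSignature   = errors.New("firmware: image is not signed by the vendor key")
)

// GenerateVendorKey makes the vendor's signing key pair. Everything below rests
// on the private half staying private: the article's caveat is that a stolen
// signing key lets an attacker sign whatever they like.
func GenerateVendorKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignFirmware is the vendor-side step: produce the 64-byte Ed25519 signature
// that ships alongside the image.
func SignFirmware(priv ed25519.PrivateKey, image []byte) []byte {
	return ed25519.Sign(priv, image)
}

// Checksum is the digest a vendor could publish so users can periodically dump
// their firmware and compare it, as the article suggests.
func Checksum(image []byte) string {
	sum := sha256.Sum256(image)
	return hex.EncodeToString(sum[:])
}

// Flash is the device-side update path: refuse everything while write-protected,
// refuse anything the vendor key did not sign (tampered, unsigned or signed by
// someone else), and only then copy the image into place.
func (d *Device) Flash(image, sig []byte) error {
	if d.WriteProtect {
		return ErrWriteProtected
	}
	if !ed25519.Verify(d.VendorKey, image, sig) {
		return ErrBadSignature
	}
	d.installed = append([]byte(nil), image...)
	return nil
}

// Installed returns a copy of whatever firmware the device currently runs.
func (d *Device) Installed() []byte { return append([]byte(nil), d.installed...) }

func main() {
	pub, priv, err := GenerateVendorKey()
	if err != nil {
		panic(err)
	}
	image := []byte("constructed firmware image v1.2") // stands in for a real binary
	sig := SignFirmware(priv, image)
	dev := NewDevice(pub)
	fmt.Println("genuine image:", dev.Flash(image, sig), Checksum(image)[:16])
	tampered := append([]byte(nil), image...)
	tampered[0] ^= 0x01 // one flipped bit is enough to fail verification
	fmt.Println("tampered image:", dev.Flash(tampered, sig))
	dev.WriteProtect = true
	fmt.Println("with switch set:", dev.Flash(image, sig))
}
```

Note what the checksum does and does not buy: it lets a user detect that the image on the device differs from what the vendor published, but it is not a signature, so an attacker who can rewrite the firmware can also publish a matching digest unless the digest comes from the vendor over an authenticated channel.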
Tomi Engdahl says:
Natasha Lomas / TechCrunch:
Kaspersky Labs Launches Online Bootcamp To Eye Security Startups
http://techcrunch.com/2015/02/24/ssc/
More signs that security is rising up the investment agenda: another security-focused accelerator program has launched, hoping to put a clutch of security startups through their paces — this one with backing from veteran security firm Kaspersky Labs, via its educational arm Kaspersky Academy.
The Security Startup Challenge (SSC), as it’s being called (it’s part accelerator, part startup competition), also has Mangrove Capital Partners and Russian VC firm, the ABRT Fund, putting money behind it. It follows the launch last month of another not-for-profit cyber security accelerator in London, called CyLon — which counts Passion Capital’s Eileen Burbidge among its advisors.
VC firms are clearly eyeing up a fattening security pie.
“Technology megatrends such as mobile, cloud computing and the Internet of Things are leaving consumers increasingly, and unwittingly, exposed to cybercrooks. Perhaps more worrying is the fact that criminal syndicates operating on the Internet are as scalable as any other Internet-enabled business,” says Mangrove’s Michael Jackson, commenting on the launch in a statement. “We need to innovate our approach to cybersecurity to meet the demands of this new hyper-connected world.”
“It’s not a secret that the cyber threat landscape is constantly evolving. New threats appear every day… and the industry needs really new approaches, new ideas, new technologies. And I think these young, really intelligent and really talented guys can really contribute,” adds Kaspersky Lab’s Natasha Obelets, in an interview with TechCrunch.
“The first year we’ll see how it works. And next year we will cover I think all geographies. Because now we cover the U.S., Europe, Asia, Russia, so we want to cover the whole world. We have ambitious plans!”
Tomi Engdahl says:
Boy amazes car manufacturers: a fourteen-year-old boy stunned the automotive industry by demonstrating how easy it is to hack a smart car.
Using 13 euros’ worth of electronics, the boy managed to break into the car’s network, unlock the car, start it, turn on the windshield wipers, play music from his own cell phone through the car and make the car’s lights flash in time with the music.
The car brand has not been disclosed, but it is said to belong to the ranks of the best-known.
The news is troubling for car safety and for the whole car industry.
Right now, the automotive industry is investing in network connectivity for cars and in self-driving cars.
The boy hacked into the car as part of a competition that tested car safety.
The Battelle association organized the competition.
Source: http://www.iltalehti.fi/autot/2015022419253756_au.shtml
Tomi Engdahl says:
Interesting Reddit discussion:
Everything you’ve ever said to Siri/Cortana has been recorded…and I get to listen to it.
http://www.reddit.com/r/technology/comments/2wzmmr/everything_youve_ever_said_to_siricortana_has/
I started a new job today with Walk N’Talk Technologies. I get to listen to sound bites and rate how the text matches up with what is said in an audio clip and give feedback on what should be improved.
At first, I thought these sound bites were completely random. Then I began to notice a pattern. Soon, I realized that I was hearing people’s commands given to their mobile devices. Guys, I’m telling you, if you’ve said it to your phone, it’s been recorded…and there’s a damn good chance a 3rd party is going to hear it.
Just a heads up Reddit. I’ve heard more text-to-speech sexting than I care to.
Tomi Engdahl says:
It’s the EU and me against the world – Euro digi-chief
Union needs data protection, copyright laws, says Oetti
http://www.theregister.co.uk/2015/02/25/its_the_eu_against_the_world_says_eu_digichief/
Europe must stick together or the US will suck out our brains data; so warned Europe’s digi chief Gunther H-dot Oettinger on Tuesday.
Speaking at the European Commission’s big flagship Digital4EU event, he reiterated the importance of the proposed Data Protection Regulation.
Referring to Google and Facebook, Oetti said: “They will go to the member states where data protection is least developed, they will hoover up our data, transfer it to California and sell it as a service.”
“But if they are going to do business, in Europe they are going to have to abide by our rules,” he said. But although his ire seemed mainly aimed at the US giants, China got a token mention.
He did accept that there are “those who don’t want ‘More Brussels’ or more EU rules”. But “they need to remember that without the EU, in the digital sector we’re going to lose out”, said the Digital Commissioner.
Tomi Engdahl says:
Europol shuts down darn RAMNIT botnet
Cops analysing command and control server … in Hampshire
http://www.theregister.co.uk/2015/02/25/europol_shuts_down_ramnit_botnet_hampshire/
Euro cybercrime cops have taken down the RAMNIT botnet, which has infected 3.2 million computers worldwide, including 33,000 in the UK.
The National Crime Agency’s cybercrime unit worked with cops in the Netherlands, Italy and Germany to shut down command-and-control servers used by the botnet.
RAMNIT spread malware via innocuous-looking links sent in phishing emails or social networking websites, and has mainly been used to take money from bank accounts from people running Windows OSes.
Europol was alerted to RAMNIT by Microsoft, after data analysis showed a big increase in infections.
“This malware effectively gives criminals a back door so they can take control of your computer, access your images, passwords or personal data and even use it to circulate further spam messages or launch illegal attacks on other websites,”
Tomi Engdahl says:
Paul Carsten / Reuters:
Since Snowden leaks, China has dropped Cisco, Apple, McAfee, and others for government purchases
Exclusive: China drops leading technology brands for state purchases
http://www.reuters.com/article/2015/02/25/us-china-tech-exclusive-idUSKBN0LT1B020150225
(Reuters) – China has dropped some of the world’s leading technology brands from its approved state purchase lists, while approving thousands more locally made products, in what some say is a response to revelations of widespread Western cybersurveillance.
Others put the shift down to a protectionist impulse to shield China’s domestic technology industry from competition.
“The Snowden incident, it’s become a real concern, especially for top leaders,”
Tomi Engdahl says:
Moxie Marlinspike / Moxie Marlinspike’s Blog:
GPG, with its old technology, bad design, and small userbase, is dead; it’s time for a more usable encryption system
http://www.thoughtcrime.org/blog/gpg-and-me
Tomi Engdahl says:
Russell Brandom / The Verge:
Lenovo.com has been hacked, possibly by Lizard Squad
http://www.theverge.com/2015/2/25/8110201/lenovo-com-has-been-hacked-apparently-by-lizard-squad
Lenovo.com has been hacked. Starting at 4PM ET, users visiting the site saw a slideshow of disaffected youths, set to the song “Breaking Free” from High School Musical.
The hack comes on the heels of a wave of public criticism of Lenovo, after the company bundled computers with an encryption-breaking adware program known as Superfish. Lenovo eventually released a program to remove the software and restore affected users, but the debacle left many users unhappy with the company. That lingering mistrust may have contributed to the attack.
The attackers seem to have hijacked Lenovo’s domain record, an attack that would have given them the power to redirect the lenovo.com url to a new server under their control.
The attack targets entirely external infrastructure, similar to the Syrian Electronic Army’s attacks against Twitter and The New York Times in 2013.
Tomi Engdahl says:
Firefox 36 swats bugs, adds HTTP2 and gets certifiably serious
Three big bads, six medium messes and 1024-bit certs all binned in one release
http://www.theregister.co.uk/2015/02/26/mozilla_swats_17_bugs_in_firefox_36/
Mozilla has outfoxed three critical and six high severity flaws in its latest round of patches for its flagship browser.
It stomps out memory safety bugs, exploitable use-after-free crashes, and a buffer overflow.
Of the critical crashes, bad guys could potentially craft attacks targeting MP4 video playback through a buffer overflow in the libstagefright library (CVE-2015-0829).
The new version of the browser also adds HTTP2 support
Tomi Engdahl says:
Air gaps: Happy gas for infosec or a noble but inert idea?
Spooks and boffins jump ‘em, but real-world headwinds remain strong
http://www.theregister.co.uk/2015/02/11/air_gap_feature/
Last year Michael Sikorski of FireEye was sent a very unusual piece of malware.
The custom code had jumped an air gap at a defence client and infected what should have been a highly-secure computer. Sikorski’s colleagues from an unnamed company plucked the malware and sent it off to FireEye’s FLARE team for analysis.
“This malware got its remote commands from removable devices,” Sikorski said. “It actually searched for a specific formatted and hidden file that was encrypted, and would then decrypt it to access a series of commands that told it what to do next.”
External network links are the lifeblood of most malware. This sample provided the means for malcode to be implanted on victim machines and served as the command and control link over which stolen data could be shipped off to attackers, allowing additional and further infections.
Those bridged machines allowed Sikorski and his colleagues to retrieve the malware, allowing them to establish that it was part of a wider attack on air gapped machines.
Their analysis showed the malware could be told to conduct reconnaissance, seek out particular pieces of valuable information, list directories and execute new malware carried over on the staff thumb drives.
“Somebody would come by, plug in their stick, pull the drive out, and all the commands would have been run. The malware is still resident on the system so next time a drive is plugged in, it could receive more commands.”
Such attacks are intriguing because it is often assumed that a few feet of air implies extra security: hackers need a network on which to operate, so air’s non-conductive properties (for data) are therefore seen as the last word in security. It therefore generates no shortage of intrigue when that theory is disproved and an isolated computer is breached.
But as Sikorski’s tale proves, air gaps can be beaten.
And around the world, researchers are proving it’s possible, sometimes with outlandish means of bypassing physical security such as sucking data out of monitors and speakers.
It is difficult to say how many of the publicly reported air gap attacks will work outside a lab. Latter’s attack and Sikorski’s malware certainly did, as did the NSA which a year ago was found to have built systems capable of stealing data from air-gapped machines which had a malicious USB device attached. That thumb stick shouted out to an NSA spy some 13 kilometres away using a “covert radio frequency”.
“While this type of research excites a lot of interest, the realities are often impractical and rely on too many variables to yield viable results,”
“Put simply, the fact that an organisation has an air-gapped network in place suggests that it’s likely to represent a high-value target. As such, any organisation with an air-gapped network will probably be aware of the fact that there are ways to breach these gaps, however unlikely some of them are,” Power says. “The main targets will be small pieces of data, such as login credentials and encryption keys that will allow hackers to breach confidential information.”
“Effective physical controls will minimise attacks on air-gapped systems, and they don’t need to be onerous,”
Risk tolerance is critical
Organisations should implement security controls on air gap machines as if they were connected to the internet
Tomi Engdahl says:
Europol cracks down on botnet infecting 3.2m computers
http://www.wired.co.uk/news/archive/2015-02/25/europol-ramnit-crackdown
A joint international operation led by Europol and assisted by Microsoft, Symantec and Anubis Networks has claimed success in clamping down on a cybercrime group suspected of deploying the Ramnit botnet for malicious purposes.
Ramnit is one of the world’s biggest botnets, believed to have infected up to 3.2 million computers worldwide. A botnet is a network of subservient computers which operate under criminal control to send out spam containing malicious links, or which spread viruses.
Cybercriminals deployed Ramnit to gain remote access and control of computers infected by the malware, allowing them to disable antivirus protection, and steal personal and banking information from people.
“This successful operation shows the importance of international law enforcement working together with private industry in the fight against the global threat of cybercrime,”
The group behind Ramnit have been operating for at least five years.
Featuring six standard modules
Tomi Engdahl says:
Dan Goodin / Ars Technica:
EFF unearths evidence of possible Superfish-style attacks in the wild
Crypto-busting apps may have been exploited against visitors of Google and dozens more.
http://arstechnica.com/security/2015/02/researchers-unearth-evidence-of-superfish-style-attacks-in-the-wild/
It’s starting to look like Superfish and other software containing the same HTTPS-breaking code library may have posed more than a merely theoretical danger to Internet users. For the first time, researchers have uncovered evidence suggesting the critical weakness may have been exploited against real people visiting real sites, including Gmail, Amazon, eBay, Twitter, and Gpg4Win.org, to name just a few.
As Ars reported one week ago, ad-injecting software pre-installed on some Lenovo laptops caused most browsers to trust fraudulent secure sockets layer certificates. The software was called Superfish. In the coming days, security researchers unearthed more than a dozen other apps that posed the same threat. The common thread among all the titles was a code library provided by an Israel-based company called Komodia.
The Komodia library modified a PC’s network stack by adding a new root Certificate Authority certificate. Poor choices in both the way the certificate and underlying code were designed caused most browsers to trust fraudulent certificates that otherwise would have generated warnings.
Until now, that danger was nothing more than a troubling hypothetical, but no more. On Wednesday, researchers presented evidence attackers have exploited the weaknesses in Superfish and the other programs to launch real man-in-the-middle attacks on end users as they visited some of the most sensitive HTTPS-protected websites on the Internet.
Dear Software Vendors: Please Stop Trying to Intercept Your Customers’ Encrypted Traffic
https://www.eff.org/deeplinks/2015/02/dear-software-vendors-please-stop-trying-intercept-your-customers-encrypted
Over the past week many more details have emerged about the HTTPS-breaking Superfish software that Lenovo pre-installed on its laptops for several months.
Unfortunately, the security implications have gone from bad to worse the more we’ve learned.
What’s worse is that these attacks are even easier than researchers originally thought, because of the way Komodia’s software handles invalid certificates
An attacker doesn’t even need to know which Komodia-based product a user has (and thus which Komodia private key to use to sign their evil certificate)
To make matters worse, Komodia isn’t the only software vendor that’s been tripped up by this sort of problem.
So what can we learn from this Lenovo/Superfish/Komodia/PrivDog debacle? For users, we’ve learned that you can’t trust the software that comes preinstalled on your computers—which means reinstalling a fresh OS will now have to be standard operating procedure whenever someone buys a new computer.
But the most important lesson is for software vendors, who should learn that attempting to intercept their customers’ encrypted HTTPS traffic will only put their customers’ security at risk. Certificate validation is a very complicated and tricky process which has taken decades of careful engineering work by browser developers. Taking certificate validation outside of the browser and attempting to design any piece of cryptographic software from scratch without painstaking security audits is a recipe for disaster.
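One defender-side check the Superfish/Komodia story suggests, as an added example (not code from the Ars or EFF articles): enumerate the Windows root stores and flag any trusted root whose private key is present on the machine, which is the design flaw that let one key sign certificates for everyone, plus any root whose subject names a product mentioned above. It assumes an elevated PowerShell session on Windows with the Cert: provider; the product-name list is constructed from this page only.

```powershell
# Added example: find root CA certificates that look like a local
# HTTPS-interception CA of the Superfish/Komodia kind.
# Assumptions: run as Administrator on Windows; the Cert: drive is available;
# the name list is built only from products named on this page.

function Find-InterceptionRoots {
    param(
        # Interception products named on this page (constructed list; extend as needed).
        [string[]] $KnownNames = @('Superfish', 'Komodia', 'PrivDog')
    )

    $stores = @('Cert:\LocalMachine\Root',     'Cert:\CurrentUser\Root',
                'Cert:\LocalMachine\AuthRoot', 'Cert:\CurrentUser\AuthRoot')

    foreach ($store in $stores) {
        if (-not (Test-Path $store)) { continue }

        Get-ChildItem -Path $store | ForEach-Object {
            $cert    = $_
            $reasons = @()

            # Signal 1: a trusted root whose private key lives on this machine.
            # A genuine public CA never ships its signing key; a local interceptor
            # must, because it mints a new leaf certificate for every site visited.
            if ($cert.HasPrivateKey) { $reasons += 'private key present on this host' }

            # Signal 2: the subject names a known interception product.
            foreach ($name in $KnownNames) {
                if ($cert.Subject -match [regex]::Escape($name)) {
                    $reasons += "subject matches '$name'"
                }
            }

            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Store      = $store
                    Subject    = $cert.Subject
                    Thumbprint = $cert.Thumbprint
                    NotAfter   = $cert.NotAfter
                    Reasons    = ($reasons -join '; ')
                }
            }
        }
    }
}

# Report only. Removal is a deliberate follow-up step per finding, e.g.:
#   Remove-Item -Path "Cert:\LocalMachine\Root\<thumbprint>"
Find-InterceptionRoots | Format-Table -AutoSize
```

A corporate TLS-inspection proxy deployed by your own IT department will trip the same private-key signal, so treat each hit as something to identify, not automatically delete.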
Tomi Engdahl says:
WANTED: A plan to DESTROY metadata, not just retain it
Australian Police keep leaking or pinching data: if we must have metadata retention, laws must stop their stupidity
http://www.theregister.co.uk/2015/02/25/data_destruction_missing_from_the_retention_debate/
Australia’s data retention proposal suggests the nation’s telcos and ISPs need to store data for two years. But agencies accessing the data can seemingly keep it forever and are not, to date, required to securely store or destroy data they retrieve from the nation’s putative data trove of personal information, miscalled “metadata”.
The absence of discussion on these matters, in public or in the draft legislation, appears a remarkable oversight.
Tomi Engdahl says:
SIM hack scandal biz Gemalto: Everything’s fine … Security industry: No, it’s really not
Why so confident, infosec bods wonder
http://www.theregister.co.uk/2015/02/25/gemalto_everythings_fine_security_industry_hang_on_a_minute/
Six days ago Gemalto, the world’s largest SIM card manufacturer, was told that back in 2010 it had been ransacked by NSA and GCHQ hackers. Today the company gave itself the all-clear: no encryption keys, used to secure phone calls from eavesdroppers, were stolen, it claims.
Yet the IT security industry is not so sure.
At a press conference in Paris on Wednesday the Dutch firm’s CEO, Olivier Piou, said that while its office networks were compromised, the servers holding the SIM card encryption keys weren’t.
That data was and remains secure, Piou said. The keys are sent out to cell network owners using a “secure transfer system,” which should keep the information out of the hands of the spooks.
“Gemalto is surprisingly confident that it now knows exactly the scope of the GCHQ/NSA penetration that it didn’t detect in the first place,” said Matt Blaze, associate professor of computer and information science at the University of Pennsylvania. “Getting compromised by a targeted GCHQ/NSA operation isn’t negligent, but underestimating the implications of it is.”
The firm’s CEO said at his press conference that the intelligence agencies were probably behind various security breaches detected within his company in 2010 and 2011, but he won’t be taking legal action since this is often ineffective.
Tomi Engdahl says:
Lizard Squad Claims Attack On Lenovo Days After Superfish
http://it.slashdot.org/story/15/02/26/1515218/lizard-squad-claims-attack-on-lenovo-days-after-superfish
Lizard Squad has claimed responsibility for a defacement of Lenovo’s website. This follows last week’s revelations that Lenovo installed Superfish adware on consumer laptops, which included a self-signed certificate authority that could have allowed man-in-the-middle attacks.
Lenovo website hacked and defaced by Lizard Squad in Superfish protest
http://www.theguardian.com/technology/2015/feb/26/lenovo-website-hacked-and-defaced-by-lizard-squad-in-superfish-protest
The hacking collective took over the Lenovo site for several hours on Wednesday, redirecting users to a slideshow of bored teenagers
Lenovo, the PC maker at the centre of the Superfish controversy, suffered its own security breach on Wednesday when its main website was defaced, redirecting users to a slideshow of pictures of bored-looking teens (apparently the hackers themselves) set to the song Breaking Free from High School Musical.
The hack was apparently carried out through a “DNS hijack”, an increasingly common method whereby a domain name system server, which translates a human-readable web address such as google.com into a machine-readable IP address such as “8.8.8.8”, redirects visitors to another website – in this case, one controlled by Lizard Squad.
“Two defacements in a single week is normally nothing, but two extremely high-profile defacements from the same registrar in the same week is a definite trend,”
Following the hack, Lizard Squad has been posting screenshots of emails allegedly sent to Lenovo.com addresses, including one discussing Superfish. A DNS hijack can potentially gain access to emails sent during the period the site is taken over, by redirecting the email in the same way as the website. But this would not grant access to the full database of emails.
In a statement, Lenovo said: “Unfortunately, Lenovo has been the victim of a cyber attack.”
Tomi Engdahl says:
OPSEC For Activists, Because Encryption Is No Guarantee
http://it.slashdot.org/story/15/02/26/2159245/opsec-for-activists-because-encryption-is-no-guarantee
“In the wake of the Snowden revelations strong encryption has been promoted by organizations like The Intercept and Freedom of the Press Foundation as a solution for safeguarding privacy against the encroachment of Big Brother. Even President Obama acknowledges that ‘there’s no scenario in which we don’t want really strong encryption.’”
When Strong Encryption Isn’t Enough to Protect Our Privacy
http://www.alternet.org/print/news-amp-politics/when-strong-encryption-isnt-enough-protect-our-privacy
Anyone who reads through privacy recommendations published by the Intercept or the Freedom of the Press Foundation will encounter the same basic lecture. In a nutshell they advise users to rely on open source encryption software, run it from a CD-bootable copy of the TAILS operating system, and route their Internet traffic through the TOR anonymity network.
This canned formula now has a degree of official support from, of all places, the White House. A few days ago during an interview with Re/Code, President Obama assured listeners that “there’s no scenario in which we don’t want really strong encryption.” It’s interesting to note how this is in stark contrast to public admonishments by FBI director James Comey this past October for key escrow encryption, which is anything but strong.
Only there’s a problem with this narrative and its promise of salvation: When your threat profile entails a funded outfit like the NSA, cyber security is largely a placebo.
Anti-Forensics in Theory and Practice
“The only protection against communication systems is to avoid their use.” —Cryptome, Communications Privacy Folly, June 13, 2012
Given the reality of mass interception let’s look at mobile phones as a case study. They’re essentially portable Telescreens, glorified tracking beacons that double as walkie-talkies.
The best option is to follow the example of WikiLeaks activist Sarah Harrison and simply not carry a cellphone.
Listen to John Young of the web site Cryptome. The only sure-fire way to protect yourself against monitoring on a given communication system is not to use it.
If having a cellphone is an absolute necessity there are shielding cases available. Removing the battery works just fine in a pinch, as does sticking a cellphone in a sealed metal container like a refrigerator. Another thing to remember is that “dumb phones” lacking in bells and whistles tend to accumulate far less information than more elaborate smartphones.
Avoid patterns (geographic, chronological, etc.). Arbitrarily relocate to new spots during the course of a phone call. Stay in motion. Phone calls should be as short as possible so that the amount of data collected by surveillance equipment during the call’s duration is minimized. This will make it more difficult for spies to make accurate predictions.
Tomi Engdahl says:
Facebook Puts Users On Suicide Watch
http://tech.slashdot.org/story/15/02/26/2316209/facebook-puts-users-on-suicide-watch
A few months ago Twitter was criticized for teaming up with suicide prevention charity Samaritans to automatically monitor for key words and phrases that could indicate that someone was struggling to cope with life. Despite the privacy concerns that surrounded Samaritans Radar, Facebook has decided that it is going to launch a similar program in a bid to prevent suicides
Facebook can put users on suicide watch
http://betanews.com/2015/02/26/facebook-can-put-users-on-suicide-watch/
Tomi Engdahl says:
Schneier: Everyone Wants You To Have Security, But Not From Them
http://it.slashdot.org/story/15/02/26/1737215/schneier-everyone-wants-you-to-have-security-but-not-from-them
Bruce Schneier has written another insightful piece about how modern tech companies treat security. He points out that most organizations will tell you to secure your data while at the same time asking to be exempt from that security. Google and Facebook want your data to be safe — on their servers so they can analyze it. The government wants you to encrypt your communications — as long as they have the keys.
Everyone Wants You To Have Security, But Not from Them
https://www.schneier.com/blog/archives/2015/02/everyone_wants_.html
Tomi Engdahl says:
CloudFlare crypto gets faster on old mobes
Choc Factory ChaCha crypto pairing gets popular
http://www.theregister.co.uk/2015/02/27/cloudflare_crypto_gets_faster_on_old_mobes/
Popular denial of service deflection platform CloudFlare is deploying new speedy cipher suites previously championed by Google, maths boffin Nick Sullivan says.
The ChaCha-Poly1305 cipher is three times faster than the resource heavy AES-128-GCM cipher and was not subject to attacks against RC4, Sullivan (@grittygrease) says, meaning things will speed on CloudFlare for mobes.
“Spending less time on decryption means faster page rendering and better battery life,” Sullivan says.
“Although the cipher part of TLS may not be the biggest source of battery consumption (the handshake is more expensive), spending fewer CPU cycles on encryption saves battery life, especially on large files.
“… it provides algorithm agility in case someone finds a serious flaw in AES-GCM, which is possible due to its fragility.
Tomi Engdahl says:
Paranoid Android Kaymera smartmobe takes on Blackphone
Super-secure Israeli platform only lacks Mossad bodyguard
http://www.theregister.co.uk/2015/02/27/israelis_take_on_blackphone_with_kaymera/
Security specialist Kaymera – based in Herzliya, Israel – has launched a mobile security platform aimed at paranoid corporations.
The Kaymera 360° software consists of a secure build of Android and accompanying MDM functions. The company describes it as a three-layer approach of protection, prevention and detection.
Using a Samsung Galaxy S5 or Nexus 5, Kaymera reflashes the phone with its own version of Android. There are also plans to support the LG G3 and the company’s COO, Oded Zehavi, told us that the plan is to support four to six high-end phones per year.
“One part of our secret sauce is that we provide military-grade security, while providing an experience as simple as any commercial device,” he told us.
Kaymera has chosen the approach of using branded phones rather than commissioning a device because its customers’ senior staff often want a brand they recognise and which offer better support mechanisms. It’s much easier for a company to get a broken screen on a Galaxy S5 repaired locally than to have it sent back to the manufacturer.
Tomi Engdahl says:
The White House establishes a new agency to collect cyber security intelligence
http://thenextweb.com/insider/2015/02/26/the-white-house-establishes-a-new-agency-to-collect-cyber-security-intelligence/
It’s becoming clearer with every new hack or DDoS that governments need to pay more attention to cyber security, so the White House has now signed for the creation of a new agency to help do just that: the Cyber Threat Intelligence Integration Center (CTIIC).
The FBI, CIA and NSA all deal with cyber security, but as organizations they often operate independently
The CTIIC won’t deal with attacks directly, but it will support the operations of other agencies like the National Cybersecurity and Communications Integration Center and US Cyber Command by providing a “whole-of-government” view on attacks and policy.
Tomi Engdahl says:
Iran hacks America where it hurts: Las Vegas casinos
Digital Pearl Harbour debunked by US director of national intelligence
http://www.theregister.co.uk/2015/02/27/iran_behind_us_casino_hack/
US director of National Intelligence James Clapper has accused Iran of orchestrating a 2014 hack of the Las Vegas Sands casino. The attack crippled the magnificent cultural institution’s IT infrastructure.
Clapper told a US Senate Armed Services Committee Thursday (US time) that the hack of the US$14 billion casino was the handiwork of Iran rather than ordinary hacking groups, Bloomberg reports.
“While both of these nations (Iran and North Korea) have lesser technical capabilities in comparison to Russia and China, these destructive attacks demonstrate that Iran and North Korea are motivated and unpredictable cyber-actors,” Clapper says.
The attacks brought down the casino’s IT systems including email but not the most valuable components of the organisation.
Tomi Engdahl says:
Why China is kicking foreign tech firms off its government procurement list
https://www.techinasia.com/china-kicking-foreign-tech-firms-government-procurement-list/
Yesterday, Reuters published an exclusive report on the banishment of some major US tech firms from China’s approved government procurement list. In short, government-run departments and agencies in China are no longer allowed to buy equipment from Apple, Cisco, and Intel’s McAfee, among others.
The question many are asking: “Is it a security measure, or is it protectionism?” Reuters gives equal voice to both Chinese authorities, who claim to have eliminated these companies over security concerns stemming from Edward Snowden’s high-profile PRISM leaks, and the western firms, who allege China is using Snowden as an excuse to implement protectionist economic policies.
I’m inclined to side with the latter. China has used similar tactics before, and they’ve proven effective. China has been weaning its internet and tech infrastructure off of foreign firms for the past few years, replacing them with homegrown alternatives as they arise. Reuters reports Cisco had 60 items on the procurement list in 2012, which dwindled to zero in 2014.