Security trends for 2015

Year 2014 is coming to an end, so it is time to look forward to what to expect from year 2015 in cyber security.

Cyber security will get harder year by year. Year 2014 was much worse than 2013. The Heartbleed, Bash, and POODLE vulnerabilities were just the beginning of what to expect in 2015. I expect that year 2014 was easy compared to what year 2015 will be. 2015 will prove to be a challenging year for IT security professionals. Attacks can happen anywhere and anytime, and they don’t have to be major attacks by nation states. They could come from inside or outside.

According to Gartner and SecurityWeek, total information security spending will grow a further 8.2 percent in 2015 to reach $76.9 billion. Unfortunately, security investments are not keeping up with IT enhancements that are continuously widening our attack surface and making systems more vulnerable. As computer software has become the backbone of modern civilization, “hacktivists”, organized cyber criminals, state-sponsored cyber attackers, and terrorist organizations try to exploit design flaws and weaknesses in applications in order to embarrass corporations and government agencies, and to commit fraud.

Despite the high profile CryptoLocker takedown, ransomware scams remain an all-too-real threat. Crooks are developing more sophisticated encryption schemes to support their fraud.

The steady flow of software security issues will keep making headlines in 2015. Serious security flaws will be found in both open source and proprietary software.

There are many people looking for a good process to develop secure software, because after-the-fact band-aiding is not a sustainable approach. If the same methods continue to be used to develop the software, retrospectively adding tests, then there will only be a very modest reduction in the flow of problems. Processes exist but have yet to be broadly applied for developing reliable and secure networking software. Traditional methods used to develop software continue to result in high failure rates. Why create insecure security?

Year 2014 was a year of cybersecurity after the NSA revelations made in 2013. There were lots of articles related to the published material. Not everything has yet been published, so I would expect new details of the NSA revelations to be published in 2015 as well. I also expect new information leaks on how governmental security organizations spy on us all.

It seems like year 2014 has almost been “The Year of PoS Breaches.” Can we learn from big breaches? At least companies will also face more stringent regulations: the new Payment Card Industry Data Security Standard 3.0 (PCI 3.0) will be mandatory for all businesses that store, process or transmit payment card information beginning 1 January 2015. The revamped standard includes requirements aimed at third party providers. The changes follow a string of high profile breaches. I expect that those new requirements will not result in any quick change to the situation. As more and more breach reports come up constantly, consumers are officially starting to get breach fatigue, and banks are bringing breached companies to court to pay for the damages caused to them.

Public and private organizations are facing an increasing frequency and sophistication of cyber-attacks and security breaches – many of which are only discovered after the fact. McAfee Labs’ 2015 Threats Predictions report is an eye-opening read which forecasts increased levels of crime, espionage and warfare operations. Cybercriminals are expected to use more sophisticated methods to remain hidden on a victim’s network, carrying out long-term theft of data without detection.

The article Get Ready For The Hack Attack That Drives A Big Company Out Of Business predicts that 2015 will be the year that some company goes out of business because it didn’t plan adequately for an attack. In the past, the most sophisticated hacks against companies were carried out by big nation-states or criminal organizations. In year 2014 the Sony Pictures hack happened and showed that the motives of sophisticated hackers have changed from self-gain to destruction. Many company officers are only now becoming aware of the threat (boards of directors and C-level officers have traditionally been focused on other threats). A computerized attack can cause a lot of damage to a well prepared company, and can turn a not so well prepared company into a complete disaster it can’t recover from. The Sony attack opens new doors of risk in the area of corporate extortion.

As the Internet of Things becomes more and more used, it will be hacked more. Thus the security of the Internet of Things will be more and more talked about. IoT is one field where cyber security flaws can kill. The European Police Office (Europol) said governments are ill-equipped to counter the menace of “injury and possible deaths” spurred by hacking attacks on critical safety equipment. There are many potential dangers in transportation: many new cars are Internet connected and potentially vulnerable, SCADA systems in railways are vulnerable to attack, and airline bosses ignore cyber security concerns at their peril. Whether it is an unintentional cyber incident or a deliberate attack, security continues to be a vital part of the automation industry and it will remain, with safety, a growing area of concern for manufacturers in the coming years. Security awareness is on the rise throughout the industry. Security is becoming a business enabler that can provide manufacturers more than just an insurance policy.

Soon almost every network will have IoT hacking in it. IDC predicts that within two years 90 per cent of global IT networks will have seen IoT data theft. In a report, cybersecurity firm Fortinet expects greater threats from “denial of service attacks on assembly line, factory, industrial control systems, and healthcare and building management…resulting in revenue losses and reputation damages for organizations globally.” This opens new doors of risk in the areas of corporate extortion, altering of corporate business operations, and the extension of cyberattacks to include physical threats of harm to civilians.

Cyber warfare is becoming more and more attractive to small nations and terrorist groups. Enabled by Internet connectivity, cyber war provides more bang for the buck than investment in conventional weapons. It is cheaper for, and far more accessible to, these small nation-states than conventional weapons. It allows these countries to pull off attacks without as much risk of getting caught and without the repercussions when they are caught. There are many reasons why a nation-state or non-nation entity would pursue a cyber war program, and today many countries large and small invest in cyber warfare. Recent cyber attacks suggest that fewer resources are required to wage an attack than to defend against one. As the whole world gets connected, that connectivity is exactly what makes these attacks possible. In the not-too-distant future, warfare with traditional weaponry may take a backseat to potentially more destructive tactics: computer code attacking the companies and infrastructures, including electric grids and oil and gas pipelines, that society relies on.

It was estimated that the first online murder would happen in 2014. As far as I know, it did not happen in 2014. I think it is likely that an online murder can happen in 2015. There are tools available for this to happen. Cyber-murder can happen without us knowing about it.

Mobile devices will be one of the focal points for cyber-attackers in 2015, as they present relatively easy, low-risk points of entry that can be monitored remotely for passwords, account numbers, and personal identification data. It is still relatively easy to publish malicious applications through application stores. Within the next year advanced mobile exploit kits will become available.

Mobile devices will start to play a part in denial of service attacks. Vietnam, India and Indonesia will be the distributed denial of service volcanoes of next year due to the proliferation of pwned mobiles.

Year 2014 brought encryption to mainstream smart phones (new encryption features from Apple Inc. and Google Inc.). In year 2015 government organizations will try to tackle a very modern problem: password-protected encrypted cellphones. It will be a fight over surveillance as everyone starts to implement encryption.

Long predicted but always seeming to be “just around the corner,” mobile payments may finally have arrived. The underlying technologies of the coming mobile payment revolution – and alternative solutions – have been emerging for some time. Technologies playing a supporting role in this shift include encryption advances, digital currencies, biometrics, NFC, Bluetooth, QR codes, and even the use of sound wave data transfer. There will also be products marketed to prevent the different kinds of potential threats the new technologies can cause.

There is a never-ending battle between good and evil in the cyber world. Various types of attacks are successful because they are well-disguised, blend different techniques, and constantly evolve. You need Layered Security – It’s Not Just for Networks. Use a layered security architecture that supports a combination of defenses in ways attackers don’t expect and that continuously evolves protections to keep up with dynamic attacks. Traditionally these approaches have been focused on the network, but they can and should be applied to other parts of the IT system as well (start from email gateways). Email is the preferred channel for business communications and thus continues to be a vector of choice for attackers.

Threat Information Sharing Will Become Necessary for Survival. Security controls (SANS critical controls, ISO/IEC 27002, the NIST Cybersecurity Framework, and the Cloud Controls Matrix) are safeguards that counteract or minimize security risks relating to digital property. The more you can automate a control, the better off you will be. Moving towards an adaptive and automated way of applying intelligence based on behavior and heuristics is clearly a step in the right direction, enabling a more actionable and relevant set of controls. Threat intelligence coming from a variety of sources (security companies, the government and the open source community) is needed. Key to success is publishing intelligence in a variety of data structures (STIX, TAXII and other standard industry formats) to describe threats in a way that can be aggregated and understood by others.

More and more organizations are moving applications and data to IaaS/PaaS environments. Many enterprise IT departments have reason for concern: industry experts agree that moving sensitive data into the hands of third-party cloud providers expands and complicates the risk landscape in which companies operate every day. You need to understand cloud database security basics and more.

Today major players are embracing end-to-end encryption, so that about 50% of web traffic is carried by HTTPS. HTTPS-everywhere will get a boost in 2015 as a new certificate authority – backed by big names on the internet including Mozilla, Cisco and Akamai – plans to offer SSL certs at no charge starting summer 2015. This move will make it even easier for people to run encrypted, secure HTTPS websites.

Google is proposing to warn people that their data is at risk every time they visit websites that do not use HTTPS. If implemented, the change would mean that a warning would pop up when people visited a site that used only HTTP, to notify them that such a connection “provides no data security”. In the short term, the biggest headache is likely to be faced by website operators, who will feel forced to migrate unencrypted HTTP websites to encrypted HTTPS.

You can’t trust that normal web security technologies will guarantee safety. Your HTTPS security will be manipulated more than before. End-to-end HTTPS is generally a good security addition for end users, but it does not solve all the problems. The increased use of HTTPS has made the life of IT departments harder, because normal firewalls can’t look at what is inside encrypted HTTPS packets, so they can’t block potential security threats that are carried within HTTPS packets. There are some special corporate firewall arrangements that can intercept HTTPS traffic (they perform a kind of man-in-the-middle attack that decrypts and re-encrypts the packets on the way). So SSL communications can be intercepted and broken.


3,110 Comments

  1. Tomi Engdahl says:

    Hilton Honors Flaw Exposed All Accounts
    http://krebsonsecurity.com/2015/03/hilton-honors-flaw-exposed-all-accounts/

    Hospitality giant Hilton Hotels & Resorts recently started offering Hilton HHonors Awards members 1,000 free awards points to those who agreed to change their passwords for the online service prior to April 1, 2015, when the company said the change would become mandatory. Ironically, that same campaign led to the discovery of a simple yet powerful flaw in the site that let anyone hijack a Hilton Honors account just by knowing or guessing its valid 9-digit Hilton Honors account number.

    “Hilton Worldwide recently confirmed a vulnerability on a section of our Hilton HHonors website, and we took immediate action to remediate the vulnerability,”

    Snyder said the problem stemmed from a common Web application weakness called a cross-site request forgery (CSRF) vulnerability, a type of attack that occurs when a malicious Web site, email, blog, instant message, or program causes a user’s Web browser to perform an unwanted action on a trusted site for which the user is currently authenticated.

    The CSRF flaw was doubly dangerous because Hilton’s site didn’t require logged-in users to re-enter their current passwords before picking a new one.

    “If they have so much personal information on people, they should be required to do Web application testing before publishing changes to the internet,” Snyder said. “Especially if they have millions of users like I’m sure they do.”

    Snyder said attackers could easily enumerate Hilton Honors account numbers using the company’s Web site, which relies on a PIN reset page that will tell you whether any 9-digit number is a valid account.

    “There are a billion combinations, but this testing on the PIN reset page could be easily automated,”

    Reply
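The two weaknesses in the Hilton Honors story above, modelled in a constructed toy handler (added example, not Hilton's code or Krebs's): a password-change endpoint reachable by cross-site request forgery that also skips the current-password check, beside the hardened form, and a PIN-reset page whose response reveals whether a 9-digit number is a real account, beside a uniform-response version. All names, the account number and the passwords are made up for the demo.

```python
import hashlib
import hmac
import secrets


def _hash(password: str) -> str:
    """Toy password hash for the demo; a real site would use a slow KDF such as bcrypt or scrypt."""
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed in-memory account store: 9-digit account number -> password hash.
ACCOUNTS = {"123456789": _hash("old-secret")}


class Session:
    """A logged-in browser session. The CSRF token is generated per session and is
    only ever delivered inside the site's own pages, so a third-party page that
    makes the browser submit a form cannot know it."""

    def __init__(self, account: str):
        self.account = account
        self.csrf_token = secrets.token_hex(16)


def change_password_vulnerable(session: Session, form: dict) -> str:
    """Before: the handler trusts the session cookie alone. A form submitted from
    any other site by the victim's browser carries that cookie, so the password
    is replaced without the victim ever seeing the request."""
    ACCOUNTS[session.account] = _hash(form["new_password"])
    return "changed"


def change_password_hardened(session: Session, form: dict) -> str:
    """After: two independent checks, either of which alone stops the attack the
    story describes. The CSRF token proves the form came from the site's own
    page; the current password proves the person at the keyboard, not merely
    the browser, intends the change."""
    token = form.get("csrf_token", "")
    if not hmac.compare_digest(token, session.csrf_token):
        return "rejected: missing or wrong CSRF token"
    supplied = _hash(form.get("current_password", ""))
    if not hmac.compare_digest(supplied, ACCOUNTS[session.account]):
        return "rejected: current password does not match"
    ACCOUNTS[session.account] = _hash(form["new_password"])
    return "changed"


def pin_reset_leaky(account: str) -> str:
    """Before: the page answers differently for valid and invalid numbers, so the
    response itself is an oracle for which 9-digit numbers are real accounts."""
    return "reset email sent" if account in ACCOUNTS else "no such account"


def pin_reset_uniform(account: str) -> str:
    """After: identical response whether or not the number exists; the holder
    learns the outcome through the out-of-band channel (the e-mail), never the
    page. Per-source rate limiting would be layered on top of this."""
    if account in ACCOUNTS:
        pass  # the real reset e-mail would be sent here
    return "if the account exists, a reset email has been sent"


def cross_site_post(handler, session: Session) -> str:
    """Model of a forged request: the other site controls the form fields but has
    neither the session-bound CSRF token nor the current password."""
    forged_form = {"new_password": "attacker-chosen"}
    return handler(session, forged_form)


if __name__ == "__main__":
    s = Session("123456789")
    print("hardened, forged  :", cross_site_post(change_password_hardened, s))
    print("leaky reset       :", pin_reset_leaky("123456789"), "/", pin_reset_leaky("000000000"))
    print("uniform reset     :", pin_reset_uniform("123456789"), "/", pin_reset_uniform("000000000"))
    print("vulnerable, forged:", cross_site_post(change_password_vulnerable, s))
```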
  2. Tomi Engdahl says:

    OpenSSL Patch to Plug Severe Security Holes
    http://krebsonsecurity.com/2015/03/openssl-patch-to-plug-severe-security-holes/

    Indeed, while the OpenSSL project plans to issue the updates on Thursday, Mar. 19, the organization isn’t pre-releasing any details about the fixes. Steve Marquess, a founding partner at the OpenSSL Software Foundation, said that information will only be shared in advance with the major operating system vendors.

    “We’d like to let everyone know so they can be prepared and so forth, but we have been slowly driven to a pretty brutal policy of no [advance] disclosure,” Marquess said. “One of our main revenue sources is support contracts, and we don’t even give them advance notice.”

    Advance notice helps not only defenders, but attackers as well. Last year, ne’er-do-wells pounced on Heartbleed, the nickname given to an extremely critical flaw in OpenSSL that allowed anyone to extract passwords, cookies and other sensitive data from servers that were running vulnerable versions of OpenSSL. This Heartbleed disclosure timeline explains a great deal about how that process unfolded in a less-than-ideal manner.

    In the wake of Heartbleed, media organizations asked how such a bug — which many security experts said was a fairly obvious blunder in hindsight — could have gone undetected in the guts of the open-source code for so long.

    “So the mystery is not that a few overworked volunteers missed this bug; the mystery is why it hasn’t happened more often,” said of the Heartbleed bug.

    Reply
  3. Tomi Engdahl says:

    BitWhisper: Stealing Data From Isolated Computers Using Heat Emissions and Built-in Thermal Sensors
    http://www.securityweek.com/air-gapped-computers-can-communicate-through-heat-researchers

    Researchers at the Ben Gurion University in Israel have demonstrated that two computers in close proximity to each other can communicate using heat emissions and built-in thermal sensors.

    In an experimental scenario involving two devices placed at up to 15 inches from each other, researchers have managed to transmit up to 8 bits of data per hour, which is enough for exfiltrating sensitive data such as passwords and secret keys, and for sending commands. This novel attack method has been dubbed BitWhisper.

    It is not uncommon for organizations that handle highly sensitive information to isolate certain computers in order to protect valuable assets. Air-gap security is often used for industrial control systems (ICS) and military networks. However, as it has been demonstrated before, such as in the case of the notorious Stuxnet worm which targeted Iranian nuclear facilities, air-gap security can be breached.

    Reply
  4. Tomi Engdahl says:

    The NIST Cybersecurity Framework Revisited
    http://www.securityweek.com/nist-cybersecurity-framework-revisited

    In February 2014 the National Institute of Standards and Technology (NIST) issued a new set of cyber security guidelines designed to help critical infrastructure providers better protect themselves against attacks.

    The NIST Cybersecurity Framework was born out of the realization that cyber-attacks represent one of the most serious economic and national security threats our nation faces. The framework offers:

    • A set of activities to anticipate and defend against cyber-attacks (the “Core”)

    • A set of measurements to assess to what degree an organization has implemented the core activities and benchmark how prepared they are to protect systems against an attack (the “Implementation Tiers”)

    • A “Profile” that can be used to identify opportunities for improving an organization’s cyber security posture by comparing a current profile with a target profile.

    In addition, the NIST Cybersecurity Framework includes a comprehensive collection of so-called Informative References, which are specific sections of standards, guidelines, and practices common among critical infrastructure sectors.

    Reply
  5. Tomi Engdahl says:

    Excessive User Privileges Challenges Enterprise Security: Survey
    http://www.securityweek.com/excessive-user-privileges-challenges-enterprise-security-survey

    It is no secret that enterprises sometimes have trouble keeping a handle on privileged users. In the wrong hands, excessive privileges can lead to data breaches and sleepless nights for IT.

    According to a survey from security firm BeyondTrust, which focuses on privilege management issues, more than 47 percent of the 728 survey participants said users in their organizations have elevated privileges not necessary for their roles. Twenty percent reported that more than three-quarters of their user base run as administrators. In addition, 33 percent said their organizations had no policies for privileged password management.

    “The majority of users do not typically require the ability to install their own software or make changes to system properties,” according to the report. “Providing them with this ability can lead to, at a minimum, inadvertent errors and increased demand on internal IT help desks. Worse, it provides opportunities for malicious employees, or attackers who have compromised employee credentials, to steal sensitive information or disrupt network operations.”

    The survey – dubbed ‘Privilege Gone Wild 2′ – backs the findings of a report from the Independent Oracle Users Group in which 54 percent of respondents reported that abuse of privileges by IT staff was among the top threats to enterprise data. A separate study by research company Ovum found that 59 percent of the U.S. businesses surveyed felt privileged users posed a threat to their organization.

    Reply
  6. Tomi Engdahl says:

    Cyberphysical Security: The Next Frontier
    http://www.securityweek.com/cyberphysical-security-next-frontier

    Cybersecurity is positioned as a subset of information security (InfoSec): “Cybersecurity is the process of applying security measures to ensure confidentiality, integrity, and availability of data.” This hierarchy and definition, argues one of our R&D specialists, limits the role of protection to that of information (data) only.

    In fact, in our industrial network experiences, we have found that commands and system controls require deeper defensive measures. Information security is just one facet, and it’s not the same as the term might imply in information technology (IT) situations.

    In operations technology (OT) environments, information protection frequently requires a trade-off among the prioritization of confidentiality, integrity and availability. An example of this prioritization is user account lockout due to failed password attempts. This feature intentionally compromises availability of the system – the user gets locked out – to ensure the confidentiality of data in the case of a password brute-forcing attempt.

    Industrial security policies must apply a different priority. Locking out a user account may be acceptable in an enterprise environment, but locking out those who control a gas turbine or oil wellhead during operation – especially during an emergency – is completely unacceptable. System availability and integrity is always the priority, necessitating a more sophisticated approach to access control and separation of privilege than that of an IT system of similar scope. The term cybersecurity, in these situations, must stretch beyond information security, as well as acknowledge the serious digital-physical trade-off considerations that can affect human safety.

    In reality, as many a penetration tester knows, a simple USB stick coming through the control room door can present as much risk as any Internet browser. In addition, once a system within the perimeter is initially compromised, lateral movement within the system – leveraging control system specific technology and exfiltration using egress communication, such as OPC-DA – is also possible. From the control system, file shares and DNS via the enterprise can connect to the Internet, but that is not historically what the term “cyber” has implied.

    The term “cyber” has been used in at least ten different variants over almost 40 years, reflecting cafes with access to the Internet (cyber cafes) to my company’s raison d’etre (cybersecurity).

    Recently, academics and government institutes have started using the term “cyberphysical security” (which is not yet appearing on Ngrams, in case you were wondering). To me, cyberphysical better aligns to our Wurldtech security approach by going beyond embedded systems and “just IT” or “just OT” analysis, to holistically mitigating risk across industrial environments.

    As the IEEE describes it, “In contrast to cyber security, the goal of cyber-physical security is to protect the whole cyber-physical system, which uses widespread sensing, communication and control to operate safely and reliably.” And from the National Science Foundation, it represents “engineered systems that are built from, and depend upon, the seamless integration of computational algorithms and physical components.”

    Understanding the enormous investment in the Industrial Internet, there is no doubt that previously closed devices, systems and equipment will evolve their connectivity and sensory capabilities. And with this will come advanced levels of risk.

    Reply
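The availability-versus-confidentiality trade-off the comment above describes (account lockout that is acceptable for an enterprise user but not for whoever controls a turbine during an emergency), shown as an added example that is not from the original article or from Wurldtech: the same burst of failed remote logins against an operator account is run through an enterprise-style policy that locks every origin and through a hypothetical OT policy that still locks and alerts on the remote path but keeps the local control-room console available. The policies, user name and thresholds are assumptions for the demo.

```python
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class LockoutPolicy:
    """Which login origins get locked once the failure threshold is reached."""
    name: str
    max_failures: int
    lock_remote: bool   # network logins (VPN, jump host, enterprise side)
    lock_local: bool    # the control-room console in front of the operator


# Enterprise style: confidentiality first, every origin locks after the threshold.
ENTERPRISE = LockoutPolicy("enterprise", max_failures=5, lock_remote=True, lock_local=True)
# Hypothetical OT style: remote origins still lock, but the local console is never
# locked, so the operator keeps control of the process; detection relies on the alert.
OT_CONTROL_ROOM = LockoutPolicy("ot-control-room", max_failures=5, lock_remote=True, lock_local=False)


@dataclass
class AuthGuard:
    policy: LockoutPolicy
    failures: dict = field(default_factory=lambda: defaultdict(int))
    locked: dict = field(default_factory=lambda: defaultdict(set))
    alerts: list = field(default_factory=list)

    def attempt(self, user: str, origin: str, password_ok: bool) -> str:
        """origin is 'local' or 'remote'. Returns 'granted', 'denied' or 'locked'."""
        if origin in self.locked[user]:
            return "locked"
        if password_ok:
            self.failures[user] = 0   # a lock, once set, is cleared only by an administrator
            return "granted"
        self.failures[user] += 1
        if self.failures[user] >= self.policy.max_failures:
            if self.policy.lock_remote:
                self.locked[user].add("remote")
            if self.policy.lock_local:
                self.locked[user].add("local")
            # Under both policies the SOC hears about the brute-force attempt; under
            # the OT policy that alert, not the lock, is the primary control.
            self.alerts.append(f"[{self.policy.name}] {user}: {self.failures[user]} failed logins via {origin}")
        return "denied"


def run_scenario(policy: LockoutPolicy) -> dict:
    """Five bad remote guesses against the operator account, then the real operator
    tries the console and the remote path with the correct password."""
    guard = AuthGuard(policy)
    for _ in range(policy.max_failures):
        guard.attempt("turbine-operator", "remote", password_ok=False)
    return {
        "console_after_attack": guard.attempt("turbine-operator", "local", password_ok=True),
        "remote_after_attack": guard.attempt("turbine-operator", "remote", password_ok=True),
        "alerts": len(guard.alerts),
    }


if __name__ == "__main__":
    for policy in (ENTERPRISE, OT_CONTROL_ROOM):
        print(policy.name, run_scenario(policy))
```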
  7. Tomi Engdahl says:

    Why do Bulldozers Incite DDoS Attacks?
    http://www.securityweek.com/why-do-bulldozers-incite-ddos-attacks

    Normally you wouldn’t think something as mundane as farming equipment could incite a lot of cyber malice, right? But that’s exactly what happened. I’ve recently run into a spate of DDoS attacks against farming equipment manufacturers and resellers.

    Bulldozers and other earth-moving devices are used for all kinds of work besides agriculture. In the conflict between the Israelis and the Palestinians, the former have been accused of bulldozing the housing projects of the latter.

    All it took was someone to tweet a picture of the weaponized bulldozer clearly displaying the manufacturer logo, and cyber activists launched a DDoS attack against the bulldozer’s American manufacturer which, of course, had no impact on the land-clearing project.

    The perceived victims in this second story are trees. An American manufacturer of agricultural and forestry equipment has faced DDoS attacks for another political reason.

    The meta for all of these DDoS stories is that political and financial pressures continue to be the top motivations for cyber-attacks. Nearly any company can find itself in the crosshairs of political activists or someone looking to make a quick buck. Companies that you would not expect to be making these kinds of headlines could find themselves at the center of the next story.

    Reply
  8. Tomi Engdahl says:

    Neighborhood watch 2.0
    Nextdoor, the social network for neighbors, is becoming a home for racial profiling
    http://fusion.net/story/106341/nextdoor-the-social-network-for-neighbors-is-becoming-a-home-for-racial-profiling/

    Nextdoor, warning the neighborhood about “sketchy” men

    One neighbor suggested the situation warranted a call to the Oakland Police Department.

    But Ahlberg, who is white, recognized the “suspicious” men: they were her friends, looking for her front door.

    While Nextdoor’s ability to assist in crime-spotting has been celebrated as its “killer feature” by tech pundits, the app is also facilitating some of the same racial profiling we see playing out in cities across the country. Rather than bridging gaps between neighbors, Nextdoor can become a forum for paranoid racialism—the equivalent of the nosy Neighborhood Watch appointee in a gated community.

    For its part, Nextdoor says it doesn’t take an active role in moderating racial profiling by its users. Nextdoor’s guidelines state that users should “refrain from using profanity or posting messages that will be perceived as discriminatory.”

    If Nextdoor’s racial profiling problems can’t be solved through heavier moderation, they’ll need to be addressed by the communities themselves

    “There seems to be a culture of fear on Nextdoor, where anytime someone feels fear, they call the police,”

    Reply
  9. Tomi Engdahl says:

    This software had the most vulnerabilities – see the surprising list

    Security company Secunia’s list of applications with security holes (number of vulnerabilities in parentheses):

    Google Chrome (504)
    Solaris (483)
    Gentoo Linux (350)
    Microsoft Internet Explorer (289)
    Avant Browser (259)
    IBM Tivoli Endpoint Manager (258)
    IBM Tivoli Storage Productivity Center (231)
    IBM Websphere Application Server (210)
    IBM Domino (177)
    IBM Notes (174)
    Mozilla Firefox (171)
    X.Org Xserver (152)
    Apple Macintosh OS X (147)
    IBM Tivoli Composite Application Manager for Transactions (136)
    VMware vCenter Server (124)
    IBM Tivoli Application Dependency Discovery Manager (122)
    Oracle Java (119)
    VMware vSphere Update Manager (111)
    IBM Websphere Portal (107)
    Microsoft Windows 8 (105)

    Source: http://www.tivi.fi/Kaikki_uutiset/2015-03-25/N%C3%A4iss%C3%A4-softissa-oli-eniten-haavoittuvuuksia-%E2%80%93-katso-yll%C3%A4tt%C3%A4v%C3%A4-lista-3218027.html

    Reply
  10. Tomi Engdahl says:

    A brilliant Tinder hack made hundreds of bros unwittingly flirt with each other
    #BrosSwipingBros
    http://www.theverge.com/2015/3/25/8277743/tinder-hack-bros-swiping-bros

    Man is a thirsty beast, and nowhere is that thirst more acutely exemplified than on Tinder, the matchmaking app that lets users swipe right in their quest to find love, lust, bots, or viral marketers. Now a California-based programmer has tweaked the app’s API, creating a catfish machine that fools men into thinking they’re talking to women — when in fact they’re talking with each other.

    Like other semi-anonymized digital spaces, Tinder creates a forum for individuals — namely men — to test the limits of aggressive and lewd behavior with seemingly little repercussion.

    Patrick’s program identifies two men who “like” one of his bait profiles (the first used prominent vlogger Boxxy’s image; the second used an acquaintance who had given Patrick consent) and matched them to each other.

    Tinder is notoriously vulnerable to hacks: in 2013, a loophole in the app could be harnessed to reveal users’ locations to within 100 feet. Last summer, Valleywag reported on a number of techies who tweaked the system to automatically “mass-like” every girl they come across.

    Patrick’s exploit reveals the weakness of Tinder’s API — but also shows what happens when men’s desperation is turned on each other: some turn to anger, others are confused, and still others appreciate the humor of it. But above all, over and over, men breeze by every red flag that indicates they’re not speaking with a woman. Evidently, the first symptom of extreme thirst is blindness.

    Reply
  11. Tomi Engdahl says:

    Ellen Nakashima / Washington Post:
    Top tech firms and privacy groups urge Congress to curb NSA surveillance powers ahead of key Patriot Act provisions expiring
    http://www.washingtonpost.com/world/national-security/tech-firms-and-privacy-groups-press-for-curbs-on-nsa-surveillance-powers/2015/03/24/4d35772c-d249-11e4-ab77-9646eea6a4c7_story.html

    Reply
  12. Tomi Engdahl says:

    FTC wants to keep closer watch on the Internet of Things
    http://www.cio.com/article/2901386/government/ftc-wants-to-keep-closer-watch-on-the-internet-of-things.html

    As technology plays a bigger role in running our homes, connecting our cars, and handling our finances, the Federal Trade Commission wants to keep a closer watch on the privacy and security implications.

    The agency is creating an Office of Technology Research and Investigation, whose goal is to examine “privacy, data security, connected cars, smart homes, algorithmic transparency, emerging payment methods, big data, and the Internet of Things.”

    The office isn’t entirely new, but is instead the successor to an existing FTC unit that looked at privacy on mobile devices.

    Keep in mind that the new office is strictly for research purposes, and isn’t directly responsible for enforcing privacy laws. Still, the office’s findings can lead to deeper investigations into specific companies, and can help advise FTC staff as they look into potential consumer protection law violations.

    Why this matters: Privacy and security will become major issues as previously-dumb devices like dishwashers and door locks learn to talk to each other through the Internet. Experts routinely sound the alarm about the potential for security breaches, yet many companies don’t seem to take the matter seriously.

    Reply
  13. Tomi Engdahl says:

    The 5 Worst Big Data Privacy Risks (and How to Guard Against Them)
    http://www.cio.com/article/2856266/data-protection/the-5-worst-big-data-privacy-risks-and-how-to-guard-against-them.html

    There are enormous benefits from Big Data analytics, but also massive potential for exposure that could result in anything from embarrassment to outright discrimination. Here’s what to look out for – and how to protect yourself and your employees.

    The collection and manipulation of Big Data, as its proponents have been saying for several years now, can result in real-world benefits: Advertisements focused on what you actually want to buy; smart cars that can call for an ambulance if you’re in an accident; wearable or implantable devices that can monitor your health and notify your doctor if something is going wrong.

    But, it can also lead to big privacy problems. By now it is glaringly obvious that when people generate thousands of data points every day – where they go, who they communicate with, what they read and write, what they buy, what they eat, what they watch, how much they exercise, how much they sleep and more – they are vulnerable to exposure in ways unimaginable a generation ago.

    1. Discrimination

    According to EPIC, in comments last April to the U.S. Office of Science and Technology Policy, “The use of predictive analytics by the public and private sector … can now be used by the government and companies to make determinations about our ability to fly, to obtain a job, a clearance, or a credit card. The use of our associations in predictive analytics to make decisions that have a negative impact on individuals directly inhibits freedom of association.”

    “Big Data analytics provides the ability for discriminatory decisions to be made without the need for that explicit and obvious evidence,” she said.

    2. An embarrassment of breaches

    By now, after catastrophic data breaches at multiple retailers like Target and Home Depot, restaurant chains like P.F. Chang’s, online marketplaces like eBay, government agencies, universities, online media corporations like AOL and the recent hack of Sony that not only put unreleased movies on the web but exposed the personal information of thousands of employees, public awareness about credit card fraud and identity theft is probably at an all-time high.

    3. Goodbye anonymity

    Herold argues that without rules for anonymized data files, it is possible that combining data sets, “without first determining if any other data items should be removed prior to combining to protect anonymity, it is possible individuals could be re-identified.”

    4. Government exemptions

    According to EPIC, “Americans are in more government databases than ever,” including that of the FBI, which collects Personally Identifiable Information (PII) including name, any aliases, race, sex, date and place of birth, Social Security number, passport and driver’s license numbers, address, telephone numbers, photographs, fingerprints, financial information like bank accounts, employment and business information and more.

    5. Your data gets brokered

    Numerous companies collect and sell, “consumer profiles that are not clearly protected under current legal frameworks,” EPIC said.

    There is also little or no accountability or even guarantees that the information is accurate.

    “The data files used for big data analysis can often contain inaccurate data about individuals, use data models that are incorrect as they relate to particular individuals, or simply be flawed algorithms,” Herold said.

    Herold offers several other individual measures to lower your privacy risks:

    Quit sharing so much on social media. “If you only have a few people you want to see photos or videos, then send directly to them instead of posting where many can access them,” she said.
    Don’t provide information to businesses or other organizations that are not necessary for the purposes for which you’re doing business with them. Unless they really need your address and phone number, don’t give it to them.
    Use an anonymous browser, like Hotspot Shield or Tor (The Onion Router) when visiting sites that might yield information that could cause people to draw inaccurate conclusions about you.
    Ask others not to share information online about you without your knowledge. “It may feel awkward, but you need to do it,” she said.

    Reply
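    The re-identification risk in point 3 above (combining data sets on the columns left behind after names are removed) can be measured before a file is released. The following is an added example, not code from the article or from Herold: it computes the k-anonymity of a constructed, de-identified extract over its quasi-identifier columns, lists the records that are unique on those columns, and generalises ZIP code and birth year until every combination is shared by at least two people. The data, column names and generalisation steps are all assumptions made for the example.

```python
from collections import Counter

# Constructed sample: a "de-identified" health extract with names removed but
# ZIP code, birth year and sex retained. Those three columns are the quasi-identifiers
# a public list (voter roll, marketing file) could be joined on.
HEALTH_EXTRACT = [
    {"id": 1, "zip": "02138", "birth_year": 1965, "sex": "F", "diagnosis": "asthma"},
    {"id": 2, "zip": "02138", "birth_year": 1965, "sex": "F", "diagnosis": "flu"},
    {"id": 3, "zip": "02139", "birth_year": 1985, "sex": "M", "diagnosis": "hypertension"},
    {"id": 4, "zip": "02142", "birth_year": 1980, "sex": "M", "diagnosis": "flu"},
    {"id": 5, "zip": "02142", "birth_year": 1982, "sex": "M", "diagnosis": "asthma"},
]
QUASI = ("zip", "birth_year", "sex")  # assumed quasi-identifier columns


def quasi_key(record, columns=QUASI):
    """The tuple of quasi-identifier values a record would be joined on."""
    return tuple(record[c] for c in columns)


def equivalence_classes(records, columns=QUASI):
    """How many records share each quasi-identifier combination."""
    return Counter(quasi_key(r, columns) for r in records)


def k_anonymity(records, columns=QUASI):
    """Smallest equivalence class; k == 1 means at least one person is unique."""
    classes = equivalence_classes(records, columns)
    return min(classes.values()) if classes else 0


def unique_records(records, columns=QUASI):
    """IDs of records that a linking data set could single out directly."""
    classes = equivalence_classes(records, columns)
    return [r["id"] for r in records if classes[quasi_key(r, columns)] == 1]


def generalise(records, zip_digits=3, year_bucket=10):
    """Coarsen ZIP to a prefix and birth year to a bucket; diagnosis is untouched."""
    out = []
    for r in records:
        g = dict(r)
        g["zip"] = r["zip"][:zip_digits] + "*" * (len(r["zip"]) - zip_digits)
        start = (r["birth_year"] // year_bucket) * year_bucket
        g["birth_year"] = f"{start}-{start + year_bucket - 1}"
        out.append(g)
    return out


# Generalisation ladder (assumed policy): (ZIP digits kept, birth-year bucket width).
GENERALISATION_STEPS = [(5, 1), (3, 10), (3, 20), (0, 40)]


def release_check(records, k_required=2):
    """Return the first generalisation that reaches the required k, or (None, None)."""
    for zip_digits, year_bucket in GENERALISATION_STEPS:
        candidate = generalise(records, zip_digits, year_bucket)
        if k_anonymity(candidate) >= k_required:
            return candidate, (zip_digits, year_bucket)
    return None, None


if __name__ == "__main__":
    print("k before release:", k_anonymity(HEALTH_EXTRACT))
    print("unique on quasi-identifiers:", unique_records(HEALTH_EXTRACT))
    released, step = release_check(HEALTH_EXTRACT)
    print("generalisation used:", step, "k now:", k_anonymity(released))
```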
  14. Tomi Engdahl says:

    I helped Amazon.com find an XSS hole and all I got was this lousy t-shirt
    Hacker reports flaw that saw credit cards exposed, web bazaar fixes it
    http://www.theregister.co.uk/2015/03/26/amazon_shutters_xss_hijack_hole/

    Amazon has patched a dangerous cross-site scripting (XSS) vulnerability in its website that exposed accounts to hijacking.

    A Brazilian hacker using the handle @BruteLogic published the then-zero-day flaw to XSSposed.org Saturday without tipping off the book giant.

    Amazon swatted the flaws two days later. The time between disclosure and patch opened what the hacker told Beta News was a chance for Amazon accounts to be compromised and web browsers exploited.

    His reasoning for full disclosure was that Amazon did not pay cash for bug bounty reports.

    He says the vulnerability allowed attackers to view Amazon users’ credit cards and to purchase items in their name, provided a victim clicked on a crafted malicious link.

    The Open Web Application Security Project puts XSS as the third worst application security blunder behind broken authentication and injection.

    Reply
  15. Tomi Engdahl says:

    Glyn Moody / Ars Technica:
    EU: Don’t use Facebook if you want to keep the NSA away from your data — Court case could make it harder for US companies to take personal data out of EU.

    http://arstechnica.com/tech-policy/2015/03/eu-dont-use-facebook-if-you-want-to-keep-the-nsa-away-from-your-data/

    In a key case before the European Union’s highest court, the Court of Justice of the European Union (CJEU), the European Commission admitted yesterday that the US-EU Safe Harbor framework for transatlantic data transfers does not adequately protect EU citizens’ data from US spying. The European Commission’s attorney Bernhard Schima told the CJEU’s attorney general: “You might consider closing your Facebook account if you have one,” euobserver reports.

    The case before the CJEU is the result of complaints lodged against five US companies—Apple, Facebook, Microsoft, Skype, and Yahoo—with the relevant data protection authorities in Germany, Ireland, and Luxembourg by the Austrian privacy activist Max Schrems, supported by crowdfunding. Because of the important points of European law raised, the Irish High Court referred the Safe Harbor case to the CJEU.

    The referral was prompted by Edward Snowden’s revelations about the Prism data-collection program, which show that the US intelligence community has ready access to user data held by nine US Internet companies, including the five named in Schrems’ complaints.

    As a post on the International Association of Privacy Professionals site reports, the European Commission admitted in yesterday’s court hearing that “it cannot guarantee adequate protection of EU citizen data at the moment.” But it claimed that “Safe Harbor is a politically and economically necessary framework that is still under negotiation and is best left in the hands of the commission to work toward a better protection of EU citizen rights.” That negotiation has been underway for nearly 18 months, with no signs of an agreement.

    The court’s decision is also politically important, because a new EU Data Protection Directive is being drawn up. Lack of certainty about the legal status of the Safe Harbor framework is making it even harder to find a consensus between companies that want unimpeded data flows covered by self-certification and privacy advocates calling for stricter limits that keep personal data on servers located within the EU.

    Reply
  16. Tomi Engdahl says:

    Get off Facebook if you value your privacy, EU commish tells court
    Irish data protection shenanigans pop up again
    http://www.theregister.co.uk/2015/03/26/close_your_facebook_account_if_you_want_data_privacy_eu_commish_tells_court/

    If you don’t want your personal info pored over by the US authorities, close your Facebook account – such is the reassuring advice given by the European Commission to the European Court of Justice.

    Judges yesterday grilled the Commish legal service in a case that could topple the 15-year-old EU-US data-sharing agreement known as “Safe Harbour”, a streamlined process developed by the US Department of Commerce and the EU, designed to prevent accidental information disclosure or loss.

    Because the US in general does not meet EU standards for data privacy, the Safe Harbour workaround was dreamed up by the Commish in 2000, with the deal creating a voluntary framework whereby companies promise to protect European citizens’ data.

    In the current case, a group called Europe v Facebook, led by privacy activist and “Angry Austrian™” Max Schrems, alleges that Facebook violated European citizens’ “fundamental rights” (defined in the European Convention on Human Rights) by transferring their personal data to the US National Security Agency (NSA).

    The EU parliament went further and again called for the Safe Harbour agreement to be suspended.

    Reply
  17. Tomi Engdahl says:

    Cisco patches IOS to stop automation exploitation
    What could possibly go wrong with self-managing routers? DoS attacks, for starters
    http://www.theregister.co.uk/2015/03/26/automatic_attacks_cisco_patches_ios_vulns/

    Cisco’s turned up vulnerabilities in automation software that open the door to denial-of-service and limited access to devices.

    The company’s Autonomic Network Infrastructure (ANI) feature in IOS provides self-management for various IPv6-supporting routers and Ethernet switches.

    One of the ANI features is to remove the need for pre-staging in network bootstrap, allowing devices to join a network on start, so they can be configured over the network rather than through a local port.

    The three vulnerabilities exploit this in various ways.

    Devices running Cisco IOS and IOS XE, with ANI enabled, are vulnerable. Cisco has released patches.

    Reply
  18. Tomi Engdahl says:

    German encryption protects against NSA spying

    German researchers have developed their own “national encryption”, with which anyone can encrypt e-mail communications and files.

    Fraunhofer Institute researchers developed it on the basis of public-key encryption. Its starting point has been ease of use.

    Researchers at the SIT unit (Secure Information Technology), located in Darmstadt, are developing the software, which was presented at CeBIT last week.

    The software is released as open source. It generates the cryptographic keys with which the emails or files are protected. The keys are kept centrally.

    The prototype version of the software works on Windows computers.

    Source: http://www.etn.fi/index.php?option=com_content&view=article&id=2605:saksalaissalaus-suojaa-nsa-urkinnalta&catid=13&Itemid=101

    Reply
  19. Tomi Engdahl says:

    How a hack on Prince Philip’s Prestel account led to UK computer law
    Thatcher, Buckingham Palace & BT left red-faced by historic techno romp
    http://www.theregister.co.uk/2015/03/26/prestel_hack_anniversary_prince_philip_computer_misuse/

    This week marks the 30th anniversary of arrests in the infamous Prestel hack case. It led to arrests, breached the Royal Family’s security and helped give birth to the UK’s first computer crime law.

    What began as a hack against the Prestel Viewdata system – which opened up access to Prince Philip’s mailbox – later led to the arrest of two tech enthusiast journalists and a prosecution, culminating in the UK’s first computer crime law.

    Prestel started in the late ’70s but was not commercially successful. Live systems were used for home banking, among other applications. There were also dummy systems. Login credentials used by these dummy systems were shared with those that authorised access to live systems.

    Steve Gold and fellow journalist Robert Schifreen managed to hack into BT’s Prestel Viewdata service, famously accessing the personal message box of Prince Philip in the process.

    Schifreen explained: “I came across a Prestel test ID by accident – I was testing a modem and just typed random numbers, basically. That got me into a BT internal Prestel page containing the phone numbers of the dev mainframes.

    Reply
  20. Tomi Engdahl says:

    Outbreak! Fake Amazon voucher offer seeds mobile malware attack
    http://www.theregister.co.uk/2015/03/04/fake_amazon_voucher_mobile_malware/

    Spoofed Amazon vouchers are being used to spearhead a campaign to contaminate Android mobiles with malware, messaging security firm AdaptiveMobile warns.

    The attack, dubbed “Gazon”, sends messages to victims’ mobile phone contacts linking to supposed offers for (non-existent) Amazon vouchers fictitiously promising a gift of $200. The messages, if opened on an Android, actually attempt to install malware that restarts the infection cycle and launches a fresh wave of mobile malware scam messages.

    The attack has generated more than 16,000 click-throughs across multiple channels, including Facebook and email, infecting thousands of mobile devices in more than 30 countries,

    Reply
  21. Tomi Engdahl says:

    NSA Doesn’t Need to Spy on Your Calls to Learn Your Secrets
    http://www.wired.com/2015/03/data-and-goliath-nsa-metadata-spying-your-secrets/

    Governments and corporations gather, store, and analyze the tremendous amount of data we chuff out as we move through our digitized lives. Often this is without our knowledge, and typically without our consent. Based on this data, they draw conclusions about us that we might disagree with or object to, and that can impact our lives in profound ways. We may not like to admit it, but we are under mass surveillance.

    Much of what we know about the NSA’s surveillance comes from Edward Snowden, although people both before and after him also leaked agency secrets.

    Telephone metadata alone reveals a lot about us. The timing, length, and frequency of our conversations reveal our relationships with each other: our intimate friends, business associates, and everyone in-between. Phone metadata reveals what and who we’re interested in and what’s important to us, no matter how private.

    Reply
  22. Tomi Engdahl says:

    Want to hide your metadata? You probably can’t
    How not to hide from George Brandis’ new surveillance laws
    http://www.theregister.co.uk/2015/03/23/want_to_protect_yourself_in_a_snoops_paradise_you_probably_cant/

    With every development in Australia’s data retention debate, the question arises: “how can I stop the government getting its hands on my metadata?”

    Routinely, often non-technical journalists give the glib answer “use encryption”, rattle off their favourite list of technologies, and over-simplify things to the point of danger.

    The depressing truth is that most people aren’t equipped to do a good job of protecting either their metadata or their content, and it’s irresponsible for anyone to say otherwise without covering all the risks.

    The notion that all you need is encryption and anonymity technologies to get around law enforcement is dangerously simplistic.

    Few people have put this better than Cryptome, the world’s oldest drop site, here: “Consider that the odds are very high that Cryptome or any other disclosure initiative (anonymizer, leak site, paste, doc-drop, torrent) is a deception operation, witting or unwitting, and avoid their use”, and “never trust any method proposed by a receiver of your material”.

    Using Tor: Tor provides limited anonymity. The best-documented and best-tested attacks against Tor have one demanding requirement – that the attacker have access to the network infrastructure carrying the traffic.

    Public WiFi: A public WiFi hotspot, the argument goes, won’t be handing your metadata over to the government, because there’s an exemption of sorts in the legislation. The first problem here is that only one layer of data – your connection to an ISP – is protected.

    Encrypt your e-mails: Plenty of journalists believe that a tool like PGP is a response to the government’s data retention regime, when it’s not. It should be obvious to say this, but it’s not: PGP protects the content of the e-mail, not the “non-content data” the Australian government wants retained.

    Leak via a secure drop site: This is also problematic. The secure drop-site is designed to protect your identity and content at the server end, but it does not intrinsically protect non-content data at your end – your connection to the Internet, your location, the fact that you made a connection to an IP address associated with the drop site, and so on. The business of protecting that non-content data is down to you.

    Where does that leave me? Dangerously insecure, as you always have been; or perhaps, less secure than you might be.

    While The Register is not a subscriber to “nothing to hide, nothing to fear” theory

    Reply
  23. Tomi Engdahl says:

    As you may know, currently many adware programs or browser hijackers flood the Internet to generate pay-per-click advertising profits and spy on various sensitive private info.

    There seems to be a trend to try to push malware through adult sites:

    Top Adult Site RedTube Compromised, Redirects to Malware
    http://community.spiceworks.com/topic/799382-top-adult-site-redtube-compromised-redirects-to-malware

    Adult site Xtube compromised, serving exploits
    https://blog.malwarebytes.org/exploits-2/2015/03/adult-site-xtube-serves-malware-via-neutrino-ek/
    Our systems have detected infections coming from popular adult site Xtube, ranked #780 in the US and with an estimated 25 million visits.

    Don’t go to Xtube without protection — the adult site could give you a nasty infection
    http://www.techinvestornews.com/Enterprise/Latest-Enterprise-News/dont-go-to-xtube-without-protection-the-adult-site-could-give-you-a-nasty-i

    Win32/Aibatook: Banking Trojan Spreading Through Japanese Adult Websites
    http://www.welivesecurity.com/2014/07/16/win32aibatook/

    What is adultcameras.info Popup?
    adultcameras.info is a domain used to distribute unwanted programs bundled with fake updates.
    http://forums.anvisoft.com/viewtopic-66-27628-0.html

    Reply
  24. Tomi Engdahl says:

    Risk-Driven Security: The Approach to Keep Pace With Advanced Threats
    http://www.securityweek.com/risk-driven-security-approach-keep-pace-advanced-threats

    The catch phrase “intelligence-driven security” has never sat particularly well with me.

    Although intelligence is a critical component of a mature security program, it should not drive security. Why? At a high level, intelligence is about understanding the threat landscape, attacker techniques, and attack methodologies. This is extremely important to a successful security program, but it is only half of the picture. What’s missing? How can we apply that knowledge to the operational problems and strategic and tactical challenges that we face at each of our respective organizations?

    Completing the second half of the picture, not surprisingly, involves understanding those operational problems and strategic and tactical challenges. Where does this understanding come from? It comes from an understanding of the risks we are looking to mitigate. Remember, boiled to its essence, security is about managing, reducing, mitigating, and accepting risk, rather than eliminating it. Intelligence can and must inform this process, but it shouldn’t drive it. It’s just not the right tool for the job.

    So how can an organization practice risk-driven security?

    Create human language goals and priorities – it is helpful to write down, in human language sentences, what you would like to accomplish.

    Identify appropriate data sources

    Identify appropriate technologies

    Throw out the default rule set: This may sound radical, but for each technology, throw out the default or standard rule set. Why? Because it wasn’t written specifically for your organization.

    Write spear alerting: Alerts are a powerful force in security operations and should be leveraged accordingly.

    Streamline the workflow: Regardless of how and where alerts are generated, they should all flow to one unified work queue. Priority should be used to assist the team in identifying what to work on first, second, etc.

    Practice Continuous Security Monitoring (CSM): Once you set up alerting and a work queue, use it. Every alert should be reviewed by the team and investigated appropriately.

    Follow a mature process

    Leverage automation where appropriate

    Maintain a communal presence: We can learn a lot from our peers.

    Continuously improve: Never believe that the work has been completed. Technologies, methodologies, and the threat landscape change continuously and quickly.

    Reply
  25. Tomi Engdahl says:

    Evolving Security in the Face of Cyber Attacks
    http://www.securityweek.com/evolving-security-face-cyber-attacks

    Hacking and data breaches have become a painful reality for businesses of all sizes and from all industries. Attackers have perfected the art of finding the weak links in an organization, and exploiting them to infiltrate the organization and steal their most important assets.

    Highly distributed organizations are often particularly susceptible to these attacks. Satellite offices, clinics, stores, and remote workers are all potentially security soft spots that an attacker can use to compromise the entire organization. And while there is no silver bullet, there are steps organizations can take to detect and prevent these threats and keep from becoming the next headline.

    Getting Holistic on Security

    The point isn’t to replicate the corporate fortress everywhere, but rather to establish a security context that is shared across all locations.

    Focus on Your Assets

    Information security has traditionally been an exercise in keeping the bad guys out. Trusted areas are separated from untrusted areas, and the boundary is monitored for malicious agents like exploits and malware. These are still good goals, but it is readily evident that this alone is not sufficient. As organizations become more decentralized, there is simply too much perimeter, the perimeter too porous, and too much overlap of trust and distrust to be perfect at prevention.
    To address this, organizations need to begin focusing internally and build processes that put key assets at the center of the security strategy.

    Get Behavioral

    It may seem counterintuitive, but as hacks get more sophisticated, we often see fewer and fewer exploits or obvious malware. Once an individual user is compromised, the attacker will steal the victim’s credentials and continue the attack using the victim’s identity. This is particularly significant in the context of remote offices or distributed organizations.
    As a result, the focus must shift to recognizing a behavioral change on the part of the user or their device. Is the employee trying to access areas of the network that are unusual for that user?

    Reply
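    The two posts above describe, first, organisation-specific alerts flowing into one priority-ordered work queue (comment 24) and, second, detecting a compromised account by its behaviour changing rather than by malware (comment 25: “Is the employee trying to access areas of the network that are unusual for that user?”). The following added example, not code from either article, shows one way to do both over a constructed access log: a baseline of which network segments and services each user normally touches is learned from a quiet week, every later access that falls outside it becomes an alert, and a written-down asset priority table (the “human language goal” of comment 24) orders the queue. The log format, addresses and priority table are all assumptions made for the example.

```python
import heapq
import ipaddress
import re
from collections import defaultdict

# Constructed sample log (not real traffic). Format is an assumption for this example.
BASELINE_LOG = """\
2015-03-16T09:02:11 user=alice src=10.20.1.15 dst=10.20.5.10 svc=fileshare
2015-03-16T09:40:03 user=alice src=10.20.1.15 dst=10.20.5.12 svc=mail
2015-03-17T10:10:45 user=alice src=10.20.1.15 dst=10.20.5.10 svc=fileshare
2015-03-16T08:55:00 user=bob src=10.20.2.31 dst=10.20.7.20 svc=pms
2015-03-18T08:50:12 user=bob src=10.20.2.31 dst=10.20.7.20 svc=pms
"""
NEW_LOG = """\
2015-03-26T09:05:00 user=alice src=10.20.1.15 dst=10.20.5.10 svc=fileshare
2015-03-26T22:14:09 user=alice src=10.20.1.15 dst=10.20.7.20 svc=pms
2015-03-26T22:15:30 user=alice src=10.20.1.15 dst=10.20.9.5 svc=ssh
2015-03-26T08:58:00 user=bob src=10.20.2.31 dst=10.20.7.20 svc=pms
"""

# The written-down goal ("protect the reservation and payment systems first")
# expressed as a priority table: lower number = handled first. Assumed values.
ASSET_PRIORITY = {
    "10.20.7.0/24": ("reservation / payment systems", 1),
    "10.20.9.0/24": ("server management segment", 2),
}
DEFAULT_PRIORITY = ("general network", 3)

LINE_RE = re.compile(
    r"(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) svc=(?P<svc>\S+)"
)


def parse(log):
    """Turn log text into event dicts; malformed lines are skipped, not guessed."""
    return [m.groupdict() for m in (LINE_RE.match(l) for l in log.splitlines()) if m]


def segment(ip):
    """The /24 the destination lives in; behaviour is learned per segment, not per host."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def build_baseline(events):
    """Per user: the segments and services seen during the learning window."""
    base = defaultdict(lambda: {"segments": set(), "services": set()})
    for e in events:
        base[e["user"]]["segments"].add(segment(e["dst"]))
        base[e["user"]]["services"].add(e["svc"])
    return base


def priority_for(dst):
    for net, entry in ASSET_PRIORITY.items():
        if ipaddress.ip_address(dst) in ipaddress.ip_network(net):
            return entry
    return DEFAULT_PRIORITY


def detect(baseline, events):
    """One alert per access outside the user's learned behaviour."""
    alerts = []
    for seq, e in enumerate(events):
        known = baseline.get(e["user"])
        reasons = []
        if known is None:
            reasons.append("no baseline for user")
        else:
            seg = segment(e["dst"])
            if seg not in known["segments"]:
                reasons.append(f"new segment {seg}")
            if e["svc"] not in known["services"]:
                reasons.append(f"new service {e['svc']}")
        if reasons:
            asset, prio = priority_for(e["dst"])
            alert = {"user": e["user"], "dst": e["dst"], "asset": asset, "reasons": reasons}
            # seq keeps the tuple orderable when priority and timestamp tie
            alerts.append((prio, e["ts"], seq, alert))
    return alerts


def work_queue(alerts):
    """Single unified queue: priority first, then time of the event."""
    heap = list(alerts)
    heapq.heapify(heap)
    return [heapq.heappop(heap) for _ in range(len(heap))]


def run(baseline_log=BASELINE_LOG, new_log=NEW_LOG):
    baseline = build_baseline(parse(baseline_log))
    return work_queue(detect(baseline, parse(new_log)))


if __name__ == "__main__":
    for prio, ts, _, alert in run():
        print(f"P{prio} {ts} {alert['user']} -> {alert['dst']} ({alert['asset']}): "
              + "; ".join(alert["reasons"]))
```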
  26. Tomi Engdahl says:

    Josh Stearns / Medium:
    Apps like Periscope and Meerkat could help people understand their right to record — Periscope, Meerkat and the Right to Record — I’ve been playing with Periscope this morning and thinking a lot about how it has simplified the process of livestreaming but also how it has perfected …

    Periscope, Meerkat and Your Right to Record
    https://medium.com/@jcstearns/periscope-meerkat-and-the-right-to-record-9a9e4cc0baac

    During those Occupy protests livestreamers and journalists — both mainstream and indie — were being arrested in alarming numbers when they pointed their cameras and cell phones at police. In the years since the power of cell phone cameras and livestreaming apps has only expanded and more and more people are taking up these tools.

    As such, there is a real opportunity for apps like Periscope and Meerkat to help people understand their right to record. I would love to see a partnership between these apps and an organization like WITNESS to create in app notifications, guides and best practices for safe and secure citizen journalism and eye witness recording.

    Reply
  27. Tomi Engdahl says:

    Martin Moore / Policy Wonkers:
    Phone hacking report finds 2/3 of victims not celebrities or public figures, hacked politicians seven times more likely to be Labour than Conservative

    Who was hacked? A New Report Investigates
    http://blogs.kcl.ac.uk/policywonkers/who-was-hacked/

    Read coverage of the various hacking trials (News of the World in 2013/14 and now Mirror Group Newspapers) and you could be forgiven for thinking phone hacking was all about celebrities. Celebrities attract attention, attract news interest, and sell papers. This is perhaps why many of the news reports of phone hacking have concentrated on celebrities and are illustrated with photographs of celebrities.

    Yet, if you actually sit down and add up the numbers, it becomes clear that though many celebrities were targets of the News of the World they were not the main victims of phone hacking. Over two thirds of the News of the World phone hacking victims that we know about were not public figures. They were beauticians, receptionists, lawyers, estate agents, nannies, policemen, journalists, priests, sports agents and hairdressers.

    Almost one in ten of those targeted by the paper’s hackers were people coping with dreadful tragedies, for example the families of murder victims. A striking number of targets were people in positions important to national security.

    And it turns out that the News of the World was seven times more likely to hack a Labour politician than a Conservative one.

    Yet the context also shows that phone hacking was just one of a toolbox of methods the News of the World used to find out personal information about its targets. Others included blagging, pinging, paying informants and tailing. Through a combination of these they could find out everything from medical history through to past relationships, to driving records and personal diaries.

    Up till now, no-one has systematically tried to analyse who was hacked and the context of that hacking. A new report – ‘Who was hacked? An investigation into phone hacking and its victims’ – gathers together all the victims of News of the World phone hacking that we know about

    Reply
  28. Tomi Engdahl says:

    Keeping Your Inbox Safe
    http://www.rackspace.com/blog/keeping-your-inbox-safe-this-holiday-season/?cm_mmc=other-_-email-_-contentnam-_-rse-spam-raxblog&utm_source=taboola&utm_medium=referral

    Step 1: Strong Passwords
    Step 2: Different Passwords For Different Accounts
    Step 3: Avoid Phish
    Step 4: Protect Your Computer
    Step 5: Always Use A Secure Connection

    Reply
  29. Tomi Engdahl says:

    Josh Taylor / ZDNet:
    Australia passes law requiring telcos to retain customer data for two years for warrantless access
    http://www.zdnet.com/article/mandatory-data-retention-passes-australian-parliament/

    Reply
  30. Tomi Engdahl says:

    Jimmy Westenberg / Android Authority:
    Samsung to make devices with iris recognition in partnership with SRI
    http://www.androidauthority.com/samsung-devices-iris-recognition-sri-596644/

    Reply
  31. Tomi Engdahl says:

    ‘Bar Mitzvah Attack’ Plagues SSL/TLS Encryption
    http://it.slashdot.org/story/15/03/26/1924256/bar-mitzvah-attack-plagues-ssltls-encryption

    Once again, SSL/TLS encryption is getting dogged by outdated and weak options that make it less secure. This time, it’s the weak keys in the older RC4 crypto algorithm, which can be abused such that an attacker can sniff credentials or other data in an SSL session, according to a researcher who revealed the hack today at Black Hat Asia in Singapore.

    SSL/TLS Suffers ‘Bar Mitzvah Attack’
    http://www.darkreading.com/attacks-breaches/ssl-tls-suffers-bar-mitzvah-attack-/d/d-id/1319633?

    Researcher at Black Hat Asia shows how attackers could abuse a known-weak crypto algorithm to steal credentials and other data from encrypted communications.

    SSL/TLS encryption once again is being haunted by an outdated and weak feature long past its prime: a newly discovered attack exploits a weakness in the older, less secure RC4 encryption algorithm option in SSL/TLS that’s still supported in many browsers and servers.

    Itsik Mantin, director of security research with Imperva, at Black Hat Asia in Singapore today will detail how an attacker could sniff credentials and other information during an SSL session in an attack he named the “Bar Mitzvah Attack” after 13-year-old weaknesses in the algorithm it abuses. The attack is a glaring reminder that the RC4 algorithm, long known to be breakable, should be put to rest once and for all, according to Mantin.

    Bar Mitzvah exploits the weak keys used by RC4 and allows an attacker to recover plain text from the encrypted information, potentially exposing account credentials, credit card data, or other sensitive information. And unlike previous SSL hacks, this one doesn’t require an active man-in-the-middle session, just passive sniffing or eavesdropping on SSL/TLS-encrypted connections, Mantin says. But MITM could be used as well, though, for hijacking a session, he says.

    Using a sniffer, the attacker can passively spy on the SSL sessions of a targeted organization, for instance, or an application. He then can ferret out the keys being used in the encrypted session of a user logging on to his Facebook account, or an ecommerce transaction. The attacker sees “parts of the encrypted message” that can be used to wage an attack, Mantin says.

    Client machines and servers running SSL/TLS negotiate which algorithm to use for encrypted sessions, he explains. “Today, many still have RC4 in this negotiation process,” he says. RC4 in some cases gets selected for performance reasons, he says.

    The result: if RC4 is an option and gets selected, an attacker can potentially wage the Bar Mitzvah Attack.

    But don’t panic: Mantin says it’s not an imminent threat per se, and fixing it merely requires removing the RC4 algorithm from the mix.

    He says while there’s been a gradual trend to phase out RC4 altogether, the process has dragged on.
    RC4’s troubles have long been in the spotlight, he says, which is frustrating.

    Outdated Features Add Risk

    The Bar Mitzvah Attack is yet another in a series of vulnerabilities in SSL/TLS encryption exposed over the past year due to old, outdated options in the encryption implementation. The POODLE (Padding Oracle On Downgraded Legacy Encryption) attack, for example, allowed an attacker to downgrade to the older, less secure SSL Version 3 encryption standard.

    Some one-fourth of SSL-encrypted websites were found to be potentially vulnerable to the so-called Factoring RSA Export Keys (FREAK) attack,

    Meanwhile, the Internet Engineering Task Force (IETF) is well aware of the problem of too many options in the crypto standards, so the new version of TLS currently under development, TLS 1.3, trims the fat in the specification, eliminating older encryption algorithms and other outdated features.

    Reply
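    The fix described above is to remove RC4 from the negotiation, and the way to confirm that is to look at what clients offer and what the server actually selects. The following added example, not code from the article or from Imperva, parses the cipher-suite field of a TLS ClientHello or ServerHello record and reports any RC4 suites, so a defender can run it over captured handshakes from their own servers; the hello records are constructed in the script itself (fixed zero randoms, no extensions) and the suite values are the IANA TLS cipher-suite registry numbers.

```python
import struct

# IANA cipher-suite values whose bulk cipher is RC4 (RFC 5246, 4492, 4279 and the
# export-grade suites of RFC 2246). Any of these in a negotiation is a finding.
RC4_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x0017: "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
    0x0018: "TLS_DH_anon_WITH_RC4_128_MD5",
    0x008A: "TLS_PSK_WITH_RC4_128_SHA",
    0xC002: "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
    0xC007: "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
    0xC00C: "TLS_ECDH_RSA_WITH_RC4_128_SHA",
    0xC011: "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
}

HANDSHAKE = 0x16          # TLS record content type
CLIENT_HELLO, SERVER_HELLO = 0x01, 0x02


def build_hello(msg_type, suites, session_id=b""):
    """Constructed test vector (not captured traffic): a minimal hello inside one record."""
    body = struct.pack("!H", 0x0303) + bytes(32) + struct.pack("!B", len(session_id)) + session_id
    if msg_type == CLIENT_HELLO:
        suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
        body += struct.pack("!H", len(suite_bytes)) + suite_bytes
        body += b"\x01\x00"                       # one compression method: null
    else:
        body += struct.pack("!H", suites[0]) + b"\x00"   # selected suite, null compression
    handshake = struct.pack("!B", msg_type) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", HANDSHAKE, 0x0301, len(handshake)) + handshake


def parse_hello(record):
    """Return (msg_type, [cipher suites]) from a handshake record carrying a hello."""
    ctype, _version, length = struct.unpack("!BHH", record[:5])
    if ctype != HANDSHAKE:
        raise ValueError("not a handshake record")
    hs = record[5:5 + length]
    msg_type = hs[0]
    body_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + body_len]
    if msg_type not in (CLIENT_HELLO, SERVER_HELLO):
        raise ValueError("not a ClientHello or ServerHello")
    pos = 2 + 32                       # skip protocol version and random
    pos += 1 + body[pos]               # skip session id (length-prefixed)
    if msg_type == CLIENT_HELLO:
        n = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        suites = [struct.unpack("!H", body[pos + i:pos + i + 2])[0] for i in range(0, n, 2)]
    else:
        suites = [struct.unpack("!H", body[pos:pos + 2])[0]]
    return msg_type, suites


def rc4_findings(record):
    """(role, [RC4 suite names]) - an empty list means this hello is clean."""
    msg_type, suites = parse_hello(record)
    role = "client offers" if msg_type == CLIENT_HELLO else "server selected"
    return role, [RC4_SUITES[s] for s in suites if s in RC4_SUITES]


if __name__ == "__main__":
    # A client that still offers RC4 and a server that picks it: both are findings.
    client = build_hello(CLIENT_HELLO, [0xC02F, 0x0005, 0x0004, 0x002F])
    server = build_hello(SERVER_HELLO, [0x0005])
    for rec in (client, server):
        role, names = rc4_findings(rec)
        print(role, names or "no RC4")
    # After RC4 is removed from the server's configuration the ServerHello is clean.
    print(rc4_findings(build_hello(SERVER_HELLO, [0xC02F])))
```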
  32. Tomi Engdahl says:

    Privacy Critics Go 0-2 With Congress’ Cybersecurity Bills
    http://www.wired.com/2015/03/privacy-critics-go-0-2-congress-cybersecurity-bills/

    Over the last month, privacy advocates have slammed the Cybersecurity Information Sharing Act, arguing that it’s surveillance legislation hidden in a security bill’s clothing. But those protests didn’t stop a Senate committee from passing the bill by a vote of 14-1. And now they haven’t stopped the House’s intelligence committee from following in the Senate’s surveillance-friendly footsteps.

    Reply
  33. Tomi Engdahl says:

    Big Vulnerability in Hotel Wi-Fi Router Puts Guests at Risk
    http://www.wired.com/2015/03/big-vulnerability-hotel-wi-fi-router-puts-guests-risk/

    Guests at hundreds of hotels around the world are susceptible to serious hacks because of routers that many hotel chains depend on for their Wi-Fi networks. Researchers have discovered a vulnerability in the systems, which would allow an attacker to distribute malware to guests, monitor and record data sent over the network, and even possibly gain access to the hotel’s reservation and keycard systems.

    The security hole involves an authentication vulnerability in the firmware of several models of InnGate routers made by ANTlabs, a Singapore firm whose products are installed in hotels in the US, Europe and elsewhere.

    The vulnerability, which was discovered by the security firm Cylance, gives attackers direct access to the root file system of the ANTlabs devices

    The vulnerable systems were found primarily at hotel chains, but the researchers also found some convention centers with internet-accessible vulnerable routers.

    The InnGate devices function as a gateway for hotels and convention centers to provide guests with internet access.

    The researchers uncovered vulnerable systems at hotels belonging to eight of the world’s top 10 hotel chains.

    The devices are often also connected to a hotel’s property management system, the core software that runs reservation systems and maintains data profiles about guests.

    “In cases where an InnGate device stores credentials to the PMS [property management system], an attacker could potentially gain full access to the PMS itself,”

    Gaining access to a guest room through a compromised key lock system wouldn’t just be of interest to thieves. One of the most famous cases involving the subversion of a hotel’s electronic key system resulted in the assassination of a high-ranking Hamas official in a Dubai hotel in 2011

    How the Hotel Vuln Works

    The vulnerability lies in an unauthenticated rsync daemon used by the ANTlabs devices. The Rsync daemon is a tool often used to backup systems since it can be set up to automatically copy files or new parts of files from one location to another. Although the daemon can be password-protected, the ANTlabs device that uses it requires no authentication.

    As a result, once an attacker has connected to the rsync daemon, “they are then able to read and write to the file system of the Linux based operating system without restriction,” the researchers write in their blog post.

    Reply
  34. Tomi Engdahl says:

    Cloud security is the biggest obstacle

    IT leaders are suspicious of the transition to cloud services for two reasons. The first is the protection of privacy, and the second, perhaps even greater concern, relates to information security.

    Businesses are not able to get IT experts who are able to monitor and manage cloud services.

    Researchers point the finger at cloud service providers. Cloud vendors sometimes make security verification of their services difficult, even intentionally.

    “Companies have for too long simply assumed that the products and services of the providers they use are safe. However, the party that suffers from a data breach is always the customer.”

    In the current situation, more and more companies are agreeing to move increasingly important data to the cloud. This is likely to increase the importance of information security.

    “Data leakage is and will remain our customers’ number one concern and the threshold question in the cloud transition.”

    Cloud services are a good example of a business where security solutions lag behind while other technology strides forward.

    “For many cloud service providers, security comes to mind only once they have already succeeded in selling companies new technology solutions.”

    In his view, especially the earlier generations of solutions are not very secure when security is applied in layers and afterwards.

    Source: http://www.tivi.fi/CIO/2015-03-27/Pilven-suurin-este-on-tietoturva-3218116.html

    Reply
  35. Tomi Engdahl says:

    Cloud security still not up to scratch, research warns
    http://www.cloudpro.co.uk/cloud-essentials/cloud-security/4929/cloud-security-still-not-up-to-scratch-research-warns

    Despite being one of the main obstacles to embracing cloud, security hasn’t developed at the same pace as other tech, according to Ovum

    Although security remains one of the main reasons businesses are not moving to the cloud, it is also lagging behind the evolution of cloud technologies, presenting an even bigger problem.

    So claims research by analyst firm Ovum and secure managed cloud provider FireHost, which suggested that an IT skills shortage has made it hard for companies to manage cloud services. However, it said such challenges are being exacerbated by the fact that cloud providers are making it hard to implement security measures within these services.

    Reply
  36. Tomi Engdahl says:

    700,000 beautiful women do the bidding of one Twitter-scamming man
    Weight loss scam used oodles of accounts to get the clueless shelling out for useless beans
    http://www.theregister.co.uk/2015/03/27/one_man_operated_750000_twitter_accounts/

    Satnam Narang of Symantec says one scammer was so taken with Twitter he established 750,000 accounts.

    The senior security response manager found the one-man spam plague set up the mind-boggling number of Twitter accounts he calls ‘mockingbirds’ to flog Green Coffee Bean Extract, earning cash for visitor referrals.

    Media sites like TMZ, MTV, Yahoo! and the Beeb are some of the launched list of mockingbird accounts, while scores of celebrities and random photos of attractive women filled the parrot accounts in a bid to score real followers.

    Narang says more than 700,000 of the accounts are eggs, 40,000 parrots, and about 100 mockingbirds.

    The tactic using obviously fake profiles with avatars of attractive women to score reciprocal follows is sadly “remarkably effective”, Narang says.

    Reply
  37. Tomi Engdahl says:

    No password or PIN, but I have a fake ID. Sure, take the domain
    GoDaddy security systems under fire
    http://www.theregister.co.uk/2015/03/19/godaddy_no_password_or_pin_but_i_have_a_fake_id_sure_take_the_domain/

    The world’s largest registrar GoDaddy is under fire, after it handed control of a domain name in exchange for no more than a fake ID (and a little bit of good, old-fashioned chutzpah).

    Despite not knowing the account’s PIN or credit card details or having access to its listed email account, GoDaddy handed over login details to another person’s account, giving them the ability to change ownership details or move the domain out of the company’s systems to another registrar.

    The penetration test was carried out by the CEO of security firm Night Lion Security, Vinny Troia, in response to a challenge from journalist Steve Ragan, and it revealed that despite multiple layers of security GoDaddy remains wide open to social engineering.

    Troia was able to get past the request for an account PIN by acting as a frustrated executive and saying he didn’t know it. With the last-four-numbers-of-the-credit-card question, he claimed the domain had been registered by his assistant and he didn’t know.

    And as for the email address, he explained that there was “a lot of office politics at the moment that I didn’t feel like getting into”.

    It did take some effort on Troia’s part: he faked a social media account and set up a Gmail address to lend credibility. And finally he Photoshopped an Indiana driver’s licence, creating a fake ID as evidence of his true identity.

    Although it did require some effort and know-how, it’s troublesome that the world’s largest registrar, which has nearly 60 million domains under management and 13 million customers, could be duped in a similar way to the world’s most valuable domain, Sex.com, which was stolen way back in 1995.

    Reply
  38. Tomi Engdahl says:

    Generate Memorizable Passphrases That Even the NSA Can’t Guess
    http://yro.slashdot.org/story/15/03/26/2032259/generate-memorizable-passphrases-that-even-the-nsa-cant-guess

    Micah Lee writes at The Intercept that coming up with a good passphrase by just thinking of one is incredibly hard, and if your adversary really is capable of one trillion guesses per second, you’ll probably do a bad job of it. It turns out humans are a species of patterns, and they are incapable of doing anything in a truly random fashion. But there is a method for generating passphrases that are both impossible for even the most powerful attackers to guess, yet very possible for humans to memorize

    Passphrases That You Can Memorize — But That Even the NSA Can’t Guess
    https://firstlook.org/theintercept/2015/03/26/passphrases-can-memorize-attackers-cant-guess/

    A passphrase is like a password, but longer and more secure. In essence, it’s an encryption key that you memorize. Once you start caring more deeply about your privacy and improving your computer security habits, one of the first roadblocks you’ll run into is having to create a passphrase. You can’t secure much without one.

    In this post, I outline a simple way to come up with easy-to-memorize but very secure passphrases. It’s the latest entry in an ongoing series of stories offering solutions — partial and imperfect but useful solutions — to the many surveillance-related problems we aggressively report about here at The Intercept.

    If you created your passphrase by just trying to think of a good one, there’s a pretty high chance that it’s not good enough to stand up against the might of a spy agency.

    The reason the Shakespeare quote sucks as a passphrase is that it lacks something called entropy.

    Even if you don’t use a quote, but instead make up a phrase off the top of your head, your phrase will still be far from random because language is predictable. As one research paper on the topic states, “users aren’t able to choose phrases made of completely random words, but are influenced by the probability of a phrase occurring in natural language,”

    Passphrases that come from pop culture, facts about your life, or anything that comes directly from your mind are much weaker than passphrases that are imbued with actual entropy, collected from nature.

    Once you’ve admitted that your old passphrases aren’t as secure as you imagined them to be, you’re ready for the “Diceware” technique.

    First, grab a copy of the Diceware word list, which contains 7,776 English words — 37 pages for those of you printing at home.

    Now grab some six-sided dice (yes, actual real physical dice), and roll them several times, writing down the numbers that you get. You’ll need a total of five dice rolls to come up with the first word in your passphrase. What you’re doing here is generating entropy, extracting true randomness from nature and turning it into numbers.

    Using Diceware, you end up with passphrases that look like “cap liz donna demon self”, “bang vivo thread duct knob train”, and “brig alert rope welsh foss rang orb”. If you want a stronger passphrase you can use more words; if a weaker passphrase is ok for your purpose you can use less words.

    The strength of a Diceword passphrase depends on how many words it contains.

    This means that with two words, there are 7,776^2, or 60,466,176 different potential passphrases. On average, a two-word Diceware passphrase could be guessed after the first 30 million tries. And a five-word passphrase, which would have 7,776^5 possible passphrases, could be guessed after an average of 14 quintillion tries (a 14 with 18 zeroes).

    if an attacker knows that you are using a seven-word Diceware passphrase
    At one trillion guesses per second — per Edward Snowden’s January 2013 warning — it would take an average of 27 million years to guess this passphrase.
    Not too bad for a passphrase like “bolt vat frisky fob land hazy rigid”, which is entirely possible for most people to memorize.

    Do I really have to use dice?

    This is a longer discussion, but the short answer is: Using physical dice will give you a much stronger guarantee that nothing went wrong.

    How to memorize your crazy passphrase (without going crazy)

    After you’ve generated your passphrase, the next step is to commit it to memory.

    I recommend that you write your new passphrase down on a piece of paper and carry it with you for as long as you need. Each time you need to type it, try typing it from memory first, but look at the paper if you need to. Assuming you type it a couple times a day, it shouldn’t take more than two or three days before you no longer need the paper, at which point you should destroy it.
    Typing your passphrase on a regular basis allows you to memorize it through a process known as spaced repetition

    Now that you know passphrases, here’s when to avoid them

    Diceware passphrases are great for when you’re typing them into your computer to decrypt something locally, like your hard drive, your PGP secret key, or your password database.

    You don’t so much need them for logging into a website or something else on the internet. In those situations, you get less benefit from using a high-entropy passphrase. Attackers will never be able to guess a trillion times per second if each guess requires communicating with a server on the internet.

    How we use Diceware to protect our sources

    At The Intercept we run a SecureDrop server, an open source whistleblower submission system, to make it simpler and more secure for anonymous sources to get in touch with us.

    When a new source visits our SecureDrop website, they get assigned a code name made up of seven random words. After submitting messages or documents, they can use this code name to log back in and check for responses from our journalists.

    Reply
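The Diceware arithmetic from the post above, as an added example that is not part of The Intercept's article: it maps written-down dice rolls to word-list keys and reproduces the search-space, average-guess and guess-time figures quoted there. The word list and the dice rolls are constructed stand-ins (the real list has 7,776 entries with its own word assignments).

```python
"""Diceware arithmetic: five six-sided dice pick one of 6**5 = 7,776 words,
and passphrase strength grows with the number of words."""
import math

SIDES = 6
DICE_PER_WORD = 5
WORDS_IN_LIST = SIDES ** DICE_PER_WORD          # 7,776 entries in the Diceware list
BITS_PER_WORD = math.log2(WORDS_IN_LIST)         # about 12.92 bits of entropy per word
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Constructed stand-in for the real word list: only the keys our sample rolls
# hit are present, and the word assignments are invented, not Diceware's own.
SAMPLE_WORDLIST = {
    "36251": "cap",
    "41125": "liz",
    "12643": "donna",
    "55316": "demon",
    "23462": "self",
}

# Constructed dice rolls (25 throws = five words), written down in order.
SAMPLE_ROLLS = [3, 6, 2, 5, 1,
                4, 1, 1, 2, 5,
                1, 2, 6, 4, 3,
                5, 5, 3, 1, 6,
                2, 3, 4, 6, 2]


def rolls_to_key(rolls):
    """Turn five dice results into the five-digit key printed beside each
    Diceware word (e.g. [3, 6, 2, 5, 1] -> "36251")."""
    if len(rolls) != DICE_PER_WORD:
        raise ValueError(f"need exactly {DICE_PER_WORD} rolls, got {len(rolls)}")
    if any(not 1 <= r <= SIDES for r in rolls):
        raise ValueError("each roll must be between 1 and 6")
    return "".join(str(r) for r in rolls)


def key_to_index(key):
    """Read a key as a base-6 number (digits 1..6 stand for 0..5), so "11111"
    is index 0 and "66666" is index 7,775; useful for list-based lookups."""
    index = 0
    for digit in key:
        index = index * SIDES + (int(digit) - 1)
    return index


def passphrase_from_rolls(rolls, wordlist):
    """Group the written-down rolls into fives and look each key up.
    The dice supply the entropy; this function only does the bookkeeping."""
    if len(rolls) % DICE_PER_WORD:
        raise ValueError("rolls must come in groups of five")
    words = []
    for i in range(0, len(rolls), DICE_PER_WORD):
        key = rolls_to_key(rolls[i:i + DICE_PER_WORD])
        words.append(wordlist[key])
    return " ".join(words)


def search_space(n_words):
    """Number of distinct passphrases made of n_words Diceware words."""
    return WORDS_IN_LIST ** n_words


def average_guesses(n_words):
    """Expected guesses for an attacker who knows the scheme and the word
    count: on average half the search space."""
    return search_space(n_words) // 2


def entropy_bits(n_words):
    """Entropy of an n-word passphrase when every word came from fair dice."""
    return n_words * BITS_PER_WORD


def years_to_guess(n_words, guesses_per_second=10 ** 12):
    """Average time to hit the passphrase at the given guess rate
    (the post assumes one trillion guesses per second)."""
    return average_guesses(n_words) / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    print(passphrase_from_rolls(SAMPLE_ROLLS, SAMPLE_WORDLIST))
    for n in (2, 5, 7):
        print(f"{n} words: {entropy_bits(n):.1f} bits, "
              f"{average_guesses(n):.3g} average guesses, "
              f"{years_to_guess(n):.3g} years at 1e12 guesses/s")
```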
  39. Tomi Engdahl says:

    Noose around Internet’s TLS system tightens with 2 new decryption attacks
    Exploits pluck passwords and other sensitive data out of encrypted data streams.
    http://arstechnica.com/security/2015/03/noose-around-internets-tls-system-tightens-with-2-new-decryption-attacks/

    The noose around the neck of the Internet’s most widely used encryption scheme got a little tighter this month with the disclosure of two new attacks that can retrieve passwords, credit card numbers and other sensitive data from some transmissions protected by secure sockets layer and transport layer security protocols.

    Both attacks work against the RC4 stream cipher, which is estimated to encrypt about 30 percent of today’s TLS traffic. Cryptographers have long known that some of the pseudo-random bytes RC4 uses to encode messages were predictable, but it wasn’t until 2013 that researchers devised a practical way to exploit the shortcoming.

    Now, researchers have figured out refinements that allow them to recover RC4-protected passwords with a 50-percent success rate using slightly more than 67 million (2^26) encryptions, a two-orders-of-magnitude reduction over the previous attack used to recover secure cookies.

    Bar-mitzvah attack

    A second exploit targeting RC4 was devised by researchers from security firm Imperva and was presented Thursday at the Black Hat security conference in Singapore. The attack uses new ways to exploit the “invariance weakness,” a key pattern in RC4 keys that can leak plaintext data into the ciphertext under certain conditions. The weakness first came to light in 2001, and led to the fatal exploit against wired equivalent privacy technology used to encrypt Wi-Fi networks. Given the age of the invariance weakness, Imperva researchers are dubbing their new exploit the “bar-mitzvah attack.”

    “The security of RC4 has been questionable for many years, in particular its initialization mechanisms,”

    “RC4 must die”

    The TLS protocol has two significant phases. The first “handshaking” phase uses asymmetric encryption to negotiate the symmetric encryption keys to be used by an e-mail or Web server and the connecting end user. During the later “record” phase, the parties use the agreed-upon keys to encrypt data using either the AES block cipher or RC4 stream cipher. The two attacks unveiled this month, combined with the exploit disclosed in 2013, are a strong indication the security of RC4 can’t be counted on for much longer and should be phased out in favor of alternative algorithms.

    Retiring RC4 is proving a challenging proposition.

    Imperva researchers say Web app developers should strongly consider disabling RC4 in all their TLS configurations and tech-savvy end users should disable RC4 in their browser settings.

    Reply
  40. Tomi Engdahl says:

    Lorenzo Franceschi-Bicchierai / Motherboard:
    Baidu’s Internet traffic was hijacked to DDoS GitHub and GreatFire in a move that required access to network infrastructure; GitHub DDoS attack continues

    Did China Just Launch a Cyber Attack on GitHub?
    http://motherboard.vice.com/read/did-china-just-launch-a-cyber-attack-on-github

    Late Thursday night, the popular coding site GitHub announced that someone had been attacking the site with a “continuous” distributed denial of service attack for more than 24 hours.

    Hours later, the site was still working to mitigate the attack, and activists as well as computer security experts started pointing the finger at China as the “someone” behind it.

    China was hijacking internet traffic so that everyone who visited any site that contained scripts from Chinese Internet giant Baidu would make a request to visit two specific pages hosted inside GitHub, with the goal of overloading them with traffic, according to a security researcher that goes by the name of Anthr@x.

    “In other words, even people outside China are being weaponized to target things the Chinese government does not like, for example, freedom of speech,” Anthr@x wrote in a blog post analyzing the attack.

    In fact, the two pages targeted were the GitHub page of GreatFire, a well-known group that fights against Chinese censorship

    GitHub’s whole site uses HTTPS encryption, so when a Chinese netizen visits content hosted on the site, Chinese censors can only see that the user is visiting github.com, but not the full URL address within GitHub. So China can’t selectively block just some content on GitHub without blocking the entire site.

    That’s what GreatFire and other Internet Freedom activists call “collateral freedom,” and it seems China is determined to find new ways to block websites it doesn’t like.

    Reply
  41. Tomi Engdahl says:

    Hackers Shut Down Indiana’s Website After Controversial Anti-Gay Law
    http://motherboard.vice.com/read/hackers-shut-down-indianas-website-after-controversial-anti-gay-law?trk_source=recommended

    A group of hacktivists called YourVikingdom launched a distributed denial of service (DDoS) attack on the state of Indiana’s official website on Friday, successfully knocking the government’s homepage offline for less than an hour

    The attack seemed to be motivated by Indiana’s controversial “Religious Freedom” law, which Gov. Mike Pence signed on Thursday. The law could allow business owners to deny services to those who identify as LGBT, according to critics.

    “Indiana, like many other states, has been targeted with a denial of service interruption,” Indy Star. “The website was not hacked”

    Reply
  42. Tomi Engdahl says:

    Achieve Deeper Network Security and Application Control
    Dell Next-Generation Firewalls
    http://www.sonicwall.com/us/shared/download/Whitepaper-AchieveDeeperNetworkSecurity-US-TD584.pdf

    Abstract
    Next-generation firewalls (NGFWs) have emerged to revolutionize network security as we once knew it. Yet to safeguard an organization from today’s ever-evolving threats, NGFWs must be able to deliver an even deeper level of network security. Not only must they ensure that every byte of every packet is inspected but also they must maintain the high performance and low latency that busy networks require. In addition, they must combine high-performance SSL decryption and inspection, an intrusion prevention system (IPS) that features sophisticated anti-evasion technology, granular control over and visibility into application and user activity across the network, and a network-based malware protection system that leverages the power of the cloud. Only when these technologies are working together can organizations truly block the sophisticated new threats that emerge on a daily basis.

    Reply
  43. Tomi Engdahl says:

    Stolen Uber Customer Accounts Are for Sale on the Dark Web for $1
    http://motherboard.vice.com/read/stolen-uber-customer-accounts-are-for-sale-on-the-dark-web-for-1

    Active Uber accounts are for sale on a dark web marketplace for as little as $1 each, Motherboard has learned.

    A username and password is all you need to access a user’s trip history, which may include personal details such as a home address. While full credit card information is not exposed, the last four digits and expiration date of the user’s card are viewable in a user’s account.

    “Log in on the Uber mobile website on your phone and book a cab :)”

    He was “extremely surprised” by the revelation, he said. Allan also said that he doesn’t use the internet much for financial transactions, preferring cash “for this very reason.”

    When Motherboard asked Courvoisier where the accounts he was selling came from, he replied, simply, “Hacked accounts buddy.”

    Reply
  44. Tomi Engdahl says:

    News & Analysis
    Linux Seeks Security, Unity
    http://www.eetimes.com/document.asp?doc_id=1326150&

    In IoT, Linux commands the gateway today, with ambitious efforts to pack it into end nodes.

    As Linux squeezes down, security remains a top concern.

    “We are miles away from where we should be [in security] in the embedded world,” said Le Foll. “We have the tools but people only understand them a little — and they don’t want to use them,” he said.

    “There’s a huge amount of effort going into security, but one study said 75% of IoT products have gaping security holes,” said Bryant Eastham, a principal software architect in Panasonic’s new open source effort. “You have people checking master keys into Github — no amount of security we put in can take care of that kind of security flop,” he said.

    While avoiding a security apocalypse, developers also need to unify a still fragmented Linux base.

    Reply
  45. Tomi Engdahl says:

    Ground control: Analysts warn airplane communications systems vulnerable to hacking
    http://www.foxnews.com/tech/2015/03/22/ground-control-analysts-warn-airplane-communications-systems-vulnerable-to/

    Commercial and even military planes have an Achilles heel that could leave them vulnerable to hackers on the ground, who experts say could conceivably commandeer cockpits and create chaos in the skies.

    For now, terrorist groups are believed to lack the sophistication to bring down a plane remotely, but it is their limitations, and not aviation safeguards, that are keeping the flying public safe, according to security analysts. The flaw lies in the entertainment and satellite communications systems, according to Chris Roberts, founder of OneWorldLabs, a Colorado based cyber security intelligence firm that consults with government agencies, businesses, and nonprofits.

    While commercial planes are potential targets, business, private and military aircraft also are at risk, according to another aviation security analyst who shared his findings with FoxNews.com.

    “I discovered a backdoor that allowed me to gain privileged access to the Satellite Data Unit, the most important piece of SATCOM (Satellite communications) equipment on aircraft,” said Ruben Santamarta, principal security consultant for IOActive. “These vulnerabilities allowed unauthenticated users to hack into the SATCOM equipment when it is accessible through WiFi or In-Flight entertainment networks.”

    There are “multiple high risk vulnerabilities” such as weak encryption algorithms or insecure protocols in SATCOM technologies manufactured by some of the world’s largest

    “These vulnerabilities have the potential to allow a malicious actor to intercept, manipulate or block communications, and in some cases, to remotely take control of the physical device,”

    Four months after Santamarta presented his research, several international aviation organizations signed “The Civil Aviation Cyber Security Action Plan,” a pact aimed at boosting cooperation among the normally competitive industry leaders to improve their cyber security capabilities.

    There was a “disturbing” report back in December of “Operation Cleaver,” an apparent Iranian cyber espionage campaign that aimed to find cyber-enabled ways of bypassing airport physical security, Harrison said.

    “While there don’t appear to have been any actual attacks accomplished this way, Operation Cleaver appears to offer a disturbingly modern cyber alternative to hiding bombs in body cavities,” Harrison said.

    He believes if there was a cyber attack on a plane, it could be stopped midair.

    “I suspect flight crews have an ability to recover from a hack in a variety of ways,” Harrison said. “While computers do a tremendous amount of the flying in modern aviation, humans are still capable of controlling aircraft if the technology fails or is disrupted.”

    Reply
  46. Tomi Engdahl says:

    Starry-eyed hackers stuff Eurovision’s voting app
    It’s only rock and roll but hackers like it
    http://www.theregister.co.uk/2015/03/30/starryeyed_hackers_stuff_eurovision_ballots/

    The Eurovision Song Contest has been targeted by obsessed hackers who stuffed the voting ballots during the final qualifier song performance.

    Votes flooded into the Melodifestivalen app during the final performance by Jon Henrik Fjällgren, forcing the contest organisers to nix the votes.

    Head manager Christel Tholse Willers called the surge an “extreme overload”.

    Some boffins claimed Melodifestivalen was not properly audited leaving it exposed to attack.

    The £100,000 app requires users to log into Facebook or Google Plus, or register their mobile phone numbers.

    Online polls are notoriously prone to stuffing and even more serious elections can be targeted: researchers found recent elections in the Australian State of New South Wales used a system that contained components found running the FREAK bug, forcing the affected monitoring tool to be removed.

    Plenty of other voting mechanisms have been tampered with.

    Reply
  47. Tomi Engdahl says:

    Frayed British Airways plays down mega hack attack on frequent flyer accounts
    In-a-pickle firm insists personal info is safe after breach
    http://www.theregister.co.uk/2015/03/29/british_airways_frequent_flyers_hacked/

    Wrongdoers have hacked into tens of thousands of British Airways’ frequent flyer accounts, however the travel giant claimed on Sunday that no personal information had been swiped.

    Some customers, who are members of BA’s Executive Club, have complained on message forums that their accounts had been breached and claimed that their Avios reward points had been ransacked.

    The hack attack was apparently due to a third party using information slurped elsewhere online.

    Reply
  48. Tomi Engdahl says:

    Eva Dou / Wall Street Journal:
    As DDoS attack that started on Thursday continues, Github says it has mitigated some of the impact; Baidu denies involvement — U.S. Coding Website GitHub Hit With Cyberattack — Security experts say attack is likely an attempt by China to shut down anticensorship tools

    U.S. Coding Website GitHub Hit With Cyberattack
    Security experts say attack is likely an attempt by China to shut down anticensorship tools
    http://www.wsj.com/articles/u-s-coding-website-github-hit-with-cyberattack-1427638940

    A popular U.S. coding website is enduring an onslaught of Internet traffic meant for China’s most popular search engine, and security experts say the episode likely represents an attempt by China to shut down anticensorship tools.

    The attack on San Francisco-based GitHub Inc., a service used by programmers and major tech firms world-wide to develop software, appears to underscore how China’s Internet censors increasingly reach outside the country to clamp down on content they find objectionable.

    The Cyberspace Administration of China didn’t respond to a request for comment Sunday.

    Security experts said the traffic onslaught—called a distributed denial-of-service attack in Internet circles—directed huge amounts of traffic from overseas users of Chinese search giant Baidu Inc. to GitHub, paralyzing GitHub’s website at times.

    Specifically, the traffic was directed to two GitHub pages that linked to copies of websites banned in China, the experts said. One page was run by Greatfire.org, which helps Chinese users circumvent government censorship, while the other linked to a copy of the New York Times’s Chinese language website.

    Reply
  49. Tomi Engdahl says:

    Ad-Fraud Malware Hijacks Router DNS – Injects Ads Via Google Analytics
    http://aralabs.com/blog/2015/03/25/ad-fraud-malware-hijacks-router-dns-injects-ads-via-google-analytics/

    Malware that hijacks router DNS settings is not new. However, exploits developed in recent years that enable hijacking through the use of Javascript alone are making this a widespread problem. Ara Labs has uncovered a new ad-fraud scheme where fraudsters are using hijacked router DNS settings to intercept Google Analytics tags and replace them with pornography and other ads. For victims whose router has been compromised this has the effect of injecting ads and pornography into every site that they browse that uses Google Analytics. In this article, we will expose the fraud scheme and explain how you can protect yourself.

    Malware that changes router DNS settings has been around for a while. In 2013 Team-Cymru published an excellent paper detailing some of these attacks. In 2014 other attacks were documented that used Javascript to guess default router authentication credentials and change the router’s DNS.

    If an attacker controls the DNS server that you are using to lookup an IP they can substitute the correct IP for the IP of a server that is under their control. Then you might connect to this IP thinking that you are connecting to a certain domain when in fact you are connecting to a server controlled by the attacker.

    Google Analytics is a service that provides the ability to track and analyze website traffic. Webmasters enable Google Analytics by embedding the analytics tag on their website.

    When a viewer loads the webpage the Google Analytics tag downloads and runs some Javascript which reports the view. The webmaster can then log into their Google Analytics account and get reports on their site’s traffic.

    Google Analytics is currently the most widely used traffic analytics service. Since this tag is embedded on the majority of websites who are tracking traffic it is a perfect target for the fraudsters to inject into.

    In this case, the fraudsters are using the hijacked DNS to intercept requests to the google-analytics.com domain, then directing the victim to a fake Google Analytics site. When the victim requests the Google Analytics javascript from the fake site they are served malicious Javascript that injects ads into the site they are browsing. This is not a vulnerability with Google Analytics itself, the service was simply targeted due to its widespread use.

    In the fraud scheme investigated by Ara Labs the criminals are using a rogue DNS server located at 91.194.254.105. During a successful router hijacking this DNS server is configured as the router’s primary DNS while Google’s DNS sever (8.8.8.8) is configured as the secondary.

    Reply
  50. Tomi Engdahl says:

    Linux security is partly a myth

    Linux has no viruses or malware; they are just a nuisance for stupid Windows users. The Swedish data security company Sophos wants to dispel many of the false beliefs held by Linux users.

    1. Linux is invulnerable and virus-free. What does “safe” actually mean, Sophos asks. Linux has malware, and you may end up visiting a phishing site.

    2. Viruses are not written for Linux because its market share is so small. This is based on user desktops, but on servers, for example, Linux accounts for over 40 per cent. In smartphones, Linux-based Android plays a very dominant role.

    3. Windows malware cannot run on Linux. This is essentially correct, but the number of platform-independent threats is increasing all the time, as many environments work on different operating systems: Flash, Java, JavaScript, Perl, PHP, Python, etc.

    4. Linux repositories contain only safe programs. A Linux update means downloading a new version of the program from the repository. Their reliability, however, depends on the repository administrator.

    Sophos points out that the number of Linux threats is still significantly lower than for Macintosh machines and in particular for the Windows environment.

    Source: http://www.etn.fi/index.php?option=com_content&view=article&id=2618:linux-turvallisuus-on-osin-myytti&catid=13&Itemid=101

    Reply
