Year 2014 is coming to an end, so it is time to look forward to what to expect from 2015 in cyber security.
Cyber security will get harder year by year. Year 2014 was much worse than 2013. The Heartbleed, Bash, and POODLE vulnerabilities were just the beginning of what to expect in 2015. I expect that 2014 was easy compared to what 2015 will be. 2015 will prove to be a challenging year for IT security professionals. Attacks can happen anywhere and anytime, and they don’t have to be major attacks by nation states. They could come from inside or outside.
According to Gartner and SecurityWeek, total information security spending will grow a further 8.2 percent in 2015 to reach $76.9 billion. Unfortunately, security investments are not keeping up with IT enhancements that are continuously widening our attack surface and making systems more vulnerable. As computer software has become the backbone of modern civilization, “hacktivists”, organized cyber criminals, state-sponsored cyber attackers, and terrorist organizations try to exploit design flaws and weaknesses in applications in order to embarrass corporations and government agencies, and to commit fraud.
The steady flow of software security issues will keep making headlines in 2015. Serious security flaws will be found in both open source and proprietary software.
There are many people looking for a good process to develop secure software, because after-the-fact band-aiding is not a sustainable approach. If the same methods continue to be used to develop the software, retrospectively adding tests, then there will only be a very modest reduction in the flow of problems. Processes exist but have yet to be broadly applied for developing reliable and secure networking software. Traditional methods used to develop software continue to result in high failure rates. Why create insecure security?
Year 2014 was a year of cybersecurity after the NSA revelations made in 2013. There were lots of articles related to the published material. Not everything has yet been published, so I would expect new NSA revelation details to be published in 2015 as well. So I expect some new information leaks on how governmental security organizations spy on us all.
It seems like year 2014 has almost been “The Year of PoS Breaches.” Can We Learn from Big Breaches? At least companies will also face more stringent regulations: the new Payment Card Industry Data Security Standard 3.0 (PCI 3.0) will be mandatory for all businesses that store, process or transmit payment card information beginning 1 January 2015. The revamped standard includes requirements aimed at third party providers. The changes follow a string of high profile breaches. I expect that those new requirements will not result in any quick change to the situation. As more and more breach reports have come up constantly, consumers officially are starting to get breach fatigue, and banks are bringing breached companies to court to pay for the damages caused to them.
Public and private organizations are facing an increasing frequency and sophistication of cyber-attacks and security breaches – many of which are only discovered after the fact. McAfee Labs’ 2015 Threats Predictions report is an eye-opening read which forecasts increased levels of crime, espionage and warfare operations. Cybercriminals are expected to use more sophisticated methods to remain hidden on a victim’s network, carrying out long-term theft of data without detection.
The Get Ready For The Hack Attack That Drives A Big Company Out Of Business article predicts that 2015 will be the year that some company goes out of business because it didn’t plan adequately for an attack. In the past, the most sophisticated hacks against companies were carried out by big nation-states or criminal organizations. In 2014 the Sony Pictures hack happened and showed that the motives of sophisticated hackers have changed from self-gain to destruction. Many company officers are only now becoming aware of the threat (boards of directors and C-level officers have traditionally been focused on other threats). A computerized attack can cause a lot of damage to a well prepared company, and can turn a not so well prepared company into a complete disaster it can’t recover from. The Sony attack opens new doors of risk in the area of corporate extortion.
As the Internet of Things becomes more and more used, it will be hacked more. Thus the security of the Internet of Things will be talked about more and more. IoT is one field where cyber security flaws can kill. The European Police Office (Europol) said governments are ill-equipped to counter the menace of “injury and possible deaths” spurred by hacking attacks on critical safety equipment. There are many potential dangers in transportation: many new cars are Internet connected and potentially vulnerable, SCADA systems in railways are vulnerable to attack, and airline bosses ignore cyber security concerns at their peril. Whether it is an unintentional cyber incident or a deliberate attack, security continues to be a vital part of the automation industry and it will remain, with safety, a growing area of concern for manufacturers in the coming years. Security awareness is on the rise throughout the industry. Security is becoming a business enabler that can provide manufacturers more than just an insurance policy.
Soon, almost every network will have IoT hacking in it. IDC predicts that within two years 90 per cent of global IT networks will have experienced IoT data theft. In a report, cybersecurity firm Fortinet expects greater threats from “denial of service attacks on assembly line, factory, industrial control systems, and healthcare and building management…resulting in revenue losses and reputation damages for organizations globally.” This opens new doors of risk in the areas of corporate extortion, altering of corporate business operations, and the extension of cyberattacks to include physical threats of harm to civilians.
Cyber warfare is becoming more and more attractive to small nations and terrorist groups. Enabled by Internet connectivity, cyber war provides more bang for the buck than investment in conventional weapons. It is cheaper for and far more accessible to these small nation-states than conventional weapons. It allows these countries to pull off attacks without as much risk of getting caught and without the repercussions when they are caught. There are many reasons why a nation-state or non-nation entity would pursue a cyber war program, and today many countries large and small invest in cyber warfare. Recent cyber attacks suggest that fewer resources are required to wage an attack than to defend against one. As the whole world gets connected, it just provides the details that make these attacks possible. In the not-too-distant future, warfare with traditional weaponry may take a backseat to potentially more destructive tactics: computer code attacking the companies and infrastructures, including electric grids and oil and gas pipelines, that society relies on.
It was estimated that the first online murder would happen in 2014. It did not seem to happen in 2014, as far as I know. I think it is likely that an online murder can happen in 2015. There are tools available for this to happen. Cyber-murder can happen without us knowing about it.
Mobile devices will be one of the focal points for cyber-attackers in 2015, as they present relatively easy, low-risk points of entry that can be monitored remotely for passwords, account numbers, and personal identification data. Sure, it is still relatively easy to publish malicious applications in application stores. Within the next year advanced mobile exploit kits will become available.
Mobile devices will start to play a part in denial of service attacks. Vietnam, India and Indonesia will be the distributed denial of service volcanoes of next year due to the proliferation of pwned mobiles.
Year 2014 brought encryption to mainstream smart phones (new encryption features from Apple Inc. and Google Inc.). In 2015 government organizations will try to tackle a very modern problem: password-protected encrypted cellphones. It will be a fight over surveillance as everyone starts to implement encryption.
Long predicted but always seeming to be “just around the corner,” mobile payments may finally have arrived. In the coming mobile payment revolution, the underlying technologies – and alternative solutions – have been emerging for some time. Technologies playing a supporting role in this shift include encryption advances, digital currencies, biometrics, NFC, Bluetooth, QR codes, and even the use of sound wave data transfer. There will also be products marketed to prevent the different kinds of potential threats the new technologies can cause.
There is a never-ending battle between good and evil in the cyber world. Various types of attacks are successful because they are well-disguised, blend different techniques, and constantly evolve. You need Layered Security – It’s Not Just for Networks. Use a layered security architecture that supports a combination of defenses in ways attackers don’t expect and that continuously evolves protections to keep up with dynamic attacks. Traditionally these approaches have been focused on the network, but they can and should be applied to other parts of the IT system as well (start from email gateways). Email is the preferred channel for business communications and thus continues to be a vector of choice for attackers.
Threat information sharing will become necessary for survival. Security controls (SANS critical controls, ISO/IEC 27002, NIST Cybersecurity Framework, and the Cloud Controls Matrix) are safeguards that counteract or minimize security risks relating to digital property. The more you can automate a control, the better off you will be. Moving towards an adaptive and automated way of applying intelligence based on behavior and heuristics is clearly a step in the right direction to enable a more actionable and relevant set of controls. Threat intelligence coming from a variety of sources (security companies, the government and the open source community) is needed. Key to success is publishing intelligence in a variety of data structures (STIX, TAXII and other standard industry formats) to best describe threats in a way that can be aggregated and understood by others.
More and more organizations are moving applications and data to IaaS/PaaS environments. Many enterprise IT departments have reason for concern: industry experts agree that moving sensitive data into the hands of third-party cloud providers expands and complicates the risk landscape in which companies operate every day. You need to understand cloud database security basics and more.
Today major players are embracing end-to-end encryption, so that about 50% of web traffic is carried by HTTPS. HTTPS-everywhere will get a boost in 2015 as a new certificate authority – backed by big names on the internet including Mozilla, Cisco and Akamai – plans to offer SSL certs at no charge starting summer 2015. This move will make it even easier for people to run encrypted, secure HTTPS websites.
Google is proposing to warn people that their data is at risk every time they visit websites that do not use HTTPS. If implemented, the change would mean that a warning would pop up when people visited a site that used only HTTP, to notify them that such a connection “provides no data security”. In the short term, the biggest headache is likely to be faced by website operators, who will feel forced to migrate unencrypted HTTP websites to encrypted HTTPS.
You can’t trust that normal web security technologies will guarantee safety. Your HTTPS security will be manipulated more than before. End-to-end HTTPS is generally a good security addition for end users, but it does not solve all the problems. The increased use of HTTPS has made the life of IT departments harder, because normal firewalls can’t look at what is inside encrypted HTTPS packets, so they can’t block potential security threats that are carried within HTTPS packets. There are some special corporate firewall arrangements that can intercept HTTPS traffic (they perform a kind of man-in-the-middle attack that decrypts and re-encrypts the packets on the way). So SSL communications can be intercepted and broken.
3,110 Comments
Tomi Engdahl says:
Prosecutors suspect man hacked lottery computers to score winning ticket
Former security director may have tampered with number generator to win $14.3M.
http://arstechnica.com/tech-policy/2015/04/prosecutors-suspect-man-hacked-lottery-computers-to-score-winning-ticket/
Prosecutors say they have evidence indicating the former head of computer security for a state lottery association tampered with lottery computers prior to him buying a ticket that won a $14.3 million jackpot, according to a media report.
Eddie Raymond Tipton, 51, may have inserted a thumbdrive into a highly locked-down computer that’s supposed to generate the random numbers used to determine lottery winners, The Des Moines Register reported, citing court documents filed by prosecutors. At the time, Tipton was the information security director of the Multi-State Lottery Association, and he was later videotaped purchasing a Hot Lotto ticket that went on to fetch the winning $14.3 million payout.
Prosecutors: Evidence indicates lottery vendor employee tampered with equipment
http://www.desmoinesregister.com/story/news/2015/04/11/prosecutors-evidence-indicates-lottery-vendor-employee-tampered-equipment/25629733/
Tomi Engdahl says:
Critical Updates for Windows, Flash, Java
http://krebsonsecurity.com/2015/04/critical-updates-for-windows-flash-java/
Get your patch chops on people, because chances are you’re running software from Microsoft, Adobe or Oracle that received critical security updates today. Adobe released a Flash Player update to fix at least 22 flaws, including one flaw that is being actively exploited. Microsoft pushed out 11 update bundles to fix more than two dozen bugs in Windows and associated software, including one that was publicly disclosed this month. And Oracle has an update for its Java software that addresses at least 15 flaws, all of which are exploitable remotely without any authentication.
Tomi Engdahl says:
Cracking Passwords With Statistics
http://it.slashdot.org/story/15/04/14/2249249/cracking-passwords-with-statistics
When users are asked to create a “secure” password, most sites simply demand things like “must contain 1 uppercase letter and one punctuation character.” But those requirements often lead to users picking exactly 1 uppercase letter, and using it to begin their password.
The author then describes his method for cracking passwords at scale, efficiently, stating that many attackers approach this concept headfirst.
Statistics Will Crack Your Password
http://www.praetorian.com/blog/statistics-will-crack-your-password-mask-structure
Think like a hacker and ask yourself how fast your passwords might be able to be cracked based on their structure.
When hackers or penetration testers compromise a system and want access to clear text passwords from a database dump, they must first crack the password hashes that are stored. Many attackers approach this concept headfirst: They try any arbitrary password attack they feel like trying with little reasoning. This discussion will demonstrate some effective methodologies for password cracking and how statistical analysis of passwords can be used in conjunction with tools to create a time boxed approach to efficient and successful cracking.
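As an added illustration of the mask-structure idea in the article above (this is not Praetorian's code, and the password list is a constructed sample, not real data), the script below audits a password population the way a defender would: it measures how many passwords follow the “one leading uppercase, symbol at the end” shape, how much of the population the few most common structures cover, and how many bits smaller that structured search is than the printable-ASCII keyspace the policy appears to promise.

```python
from collections import Counter
from math import log2

# Added illustration, not the article's code. Mask notation follows the usual
# auditing-tool convention: ?u upper, ?l lower, ?d digit, ?s symbol.
CLASS_SIZES = {"?u": 26, "?l": 26, "?d": 10, "?s": 33}
PRINTABLE = 95  # size of the printable ASCII set a naive "any character" policy assumes


def char_class(c):
    if c.isupper():
        return "?u"
    if c.islower():
        return "?l"
    if c.isdigit():
        return "?d"
    return "?s"


def mask_of(password):
    """Structural mask, e.g. 'Summer2015!' -> '?u?l?l?l?l?l?d?d?d?d?s'."""
    return "".join(char_class(c) for c in password)


def mask_keyspace(mask):
    """Number of strings a single mask covers (product of the class sizes)."""
    n = 1
    for i in range(0, len(mask), 2):
        n *= CLASS_SIZES[mask[i:i + 2]]
    return n


def single_leading_upper_fraction(passwords):
    """Share of passwords with exactly one uppercase letter, placed first:
    the shape a '1 uppercase + 1 punctuation' policy tends to produce."""
    hits = sum(1 for p in passwords
               if sum(c.isupper() for c in p) == 1 and p[:1].isupper())
    return hits / len(passwords)


def coverage_report(passwords, top_n=3):
    """Fraction of the population covered by the top_n masks, and how many bits
    smaller that search is than the naive printable-ASCII keyspace of the same
    lengths. Counter.most_common keeps first-seen order among equal counts."""
    if not passwords:
        raise ValueError("empty password set")
    counts = Counter(mask_of(p) for p in passwords)
    top = counts.most_common(top_n)
    covered = sum(c for _, c in top) / len(passwords)
    masked_space = sum(mask_keyspace(m) for m, _ in top)
    naive_space = sum(PRINTABLE ** (len(m) // 2) for m, _ in top)
    return {
        "top_masks": [m for m, _ in top],
        "covered_fraction": covered,
        "reduction_bits": log2(naive_space / masked_space),
    }


# Constructed sample population (not real data): what a "1 uppercase, 1 symbol,
# at least 8 characters" policy tends to produce, plus two less regular entries.
SAMPLE = [
    "Summer2015!", "Winter2014!", "Spring2015!", "Dragon99!", "Qwerty12!",
    "Letmein1!", "Welcome1!", "Football7!", "Passw0rd!", "Monkey123!",
    "x7$Kq9!pL", "Zebra!2015",
]

if __name__ == "__main__":
    print(f"leading single uppercase: {single_leading_upper_fraction(SAMPLE):.0%}")
    report = coverage_report(SAMPLE)
    print("top masks:", report["top_masks"])
    print(f"covered: {report['covered_fraction']:.0%}, "
          f"search shrinks by {report['reduction_bits']:.1f} bits")
```

A high `reduction_bits` for a small set of masks is the audit finding: the policy's nominal keyspace is not what users actually pick from, which argues for length and passphrase guidance over composition rules.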
Tomi Engdahl says:
Metadata retention to cost AU$3.98 a year per customer
Australian attorney-general George Brandis says Budget will reveal gov contribution to data retention costs
http://www.theregister.co.uk/2015/03/24/metadata_retention_to_cost_au398_a_year_per_customer/
The PricewaterhouseCoopers report provided to Australia’s attorney general on the likely cost of metadata retention has suggested a median figure of AU$3.98 per subscriber, per year.
“The question of cost is a matter of discussion, and has been for some months now a matter of discussion, between government and industry … In relation to the ongoing costs, a PricewaterhouseCoopers review has estimated that, even if there were to be no government funding, the average cost over 10 years would equate to between $1.83 and $6.12 per customer per annum, with a median price of $3.98 per customer per annum.”
Brandis went on to say “That is not, it seems to me … a vast cost for what this legislation seeks to do to preserve — not to extend; in fact, in important ways to limit—an important investigative capability.”
Tomi Engdahl says:
Finally, Mozilla looks at moving away from ‘insecure’ HTTP. Maybe
HTTPS is the future, says security engineer, to the surprise of nobody
http://www.theregister.co.uk/2015/04/15/mozilla_looking_at_deprecating_insecure_http/
Calls to finally move away from HTTP and on to HTTPS
Posting to the Mozilla dev platform, security engineer Richard Barnes said: “In recent months, there have been statements from IETF, IAB, W3C and even the US Government calling for universal use of encryption, which in the case of the web means HTTPS.”
“Having an overall program for HTTP deprecation makes a clear statement to the web community that the time for plaintext is over — it tells the world that the new web uses HTTPS, so if you want to use new things, you need to provide security,” said Barnes.
Tomi Engdahl says:
Troubleshooting feature on Cisco routers is open to data-slurp abuse
Mad skillz + $10k = DIY NSA
http://www.theregister.co.uk/2015/04/15/cisco_routers_easily_abused/
Infiltrate A default feature of Cisco routers can readily be abused to collect data, security researchers warn.
Embedded Packet Capture (EPC) was designed by Cisco as a troubleshooting and tracing tool. The feature allows network administrators to capture data packets flowing through a Cisco router.
Brazilian security researchers Joaquim Espinhara and Rafael Silva were able to abuse the feature and build a system to hoover up massive volumes of data.
Silva told El Reg that the hack was possible by exploiting the EPC feature rather than taking advantage of a vulnerability as such. Both Cisco and the researchers agree that abuse of the feature would need privileged user access (ie admin control), a hurdle that would-be abusers would need to overcome, through some other attack or social engineering ruse.
Nonetheless, because the troubleshooting feature is enabled by default it presents a risk, according to Silva.
“There is no disable mode for this feature. Because this feature is commonly used for troubleshooting network problems,” Silva explained. “Cisco have to implement some features that would stop OR [make] difficult this approach to abusing EPC.”
Tomi Engdahl says:
Tears of a cloud: Don’t be let down by backup and disaster recovery
A quick redundancy can be a good thing
http://www.theregister.co.uk/2015/03/24/risk_window_cloud_backups_dr_risk/
For many, the advent of cloud storage was a blessing. Cherished pictures and videos, contact lists, documents and more could be automatically put online and saved (theoretically) forever.
Enterprises took notice as well and now, cloud backups are fairly standard practice. However, business and individuals have one significant difference: the amount of data they have to back up.
For an individual user, backing up their archive of photos takes no more than a few minutes.
For a business, this process can take days or even weeks to establish redundancy – and you can add more days to pull that back down.
Between you and your target data centre there are several variables at play, including both your ISP and those your backup service gets their connectivity from. Maybe the data centre burns down during the transfer, leaving you high and dry.
Perhaps the ISP on the other side of the country is getting swallowed by a hurricane, or maybe someone drove into your node and your ISP can’t get out to repair it until after the weekend.
If anything goes wrong somewhere on the way, not only is it out of your control as the administrator, but you’re also at fault for not planning for that possibility. That’s not healthy for your career, nor is the downtime good for productivity.
Maybe some day the net will be fast and robust enough that an entire lifetime of business data can be uploaded to the cloud and backed up in a small enough window of time that nothing can conceivably go wrong, but that is simply not the case today – at least not for everyone.
Fortunately, disaster-proof recovery offerings do exist that let you to maintain an internal focus of control in your data centre.
Tomi Engdahl says:
Does Your Whole Home Need Antivirus Now?
Bitdefender Box has the right idea about smart-home security, but it still needs work
http://www.wsj.com/articles/does-your-whole-home-need-antivirus-now-1429036789
Lots of people spend money on a home security system. So why are we leaving more and more of our digital property defenseless?
If you’re diligent, you’ve kept the bad guys at bay by running antivirus software on a home PC. These days, though, we’ve also got phones, e-readers and smart TVs. And what about connected thermostats, security cameras and garage doors? They’re all secret passageways into our living rooms.
We know these security and privacy threats lurk all over the house because good-guy hackers have found plenty. These vulnerabilities just haven’t turned into major criminal targets. Yet.
A new type of Internet security product is designed to stand guard over the whole smart home full of gadgets. Rather than counting on antivirus on every device, they scan all the activity in your house for signs of trouble. If you click on a malicious link, or your thermostat starts sending a thousand emails per hour, your sentry will hoist a red flag.
One of the first products comes from Bitdefender, a company known for excellent antivirus software. For the past week, I’ve been using Box, a slim, $200 device that attaches to your Wi-Fi router to make it more security conscious. (Two startups, Itus Networks and Nodal Industries, have announced similar products. They aren’t yet shipping, though.)
Box is a breakthrough idea. I just wish it worked better—especially for its price, which requires an additional $100 annual subscription after the first year.
It found most malware—malicious software designed to disrupt or spy on you. But its filters can’t identify evil lurking in traffic that’s been encrypted (locked behind a secret code) and in some other situations.
If you let it, Box can install additional security software onto computers, phones and tablets. On PCs and Macs, for example, local protection software can detect a USB stick infected with malware.
For wide-ranging attacks that might involve turning your devices into spambots, there’s a chance Box could defend your device, or evolve to do it. But Box’s defenses are far from 100%, security experts warn.
The most important thing now is to make sure the lock on your home network is as secure as the one on your front door. Here’s a checklist:
• Update the software on your router. Routers themselves have vulnerabilities.
• Use a strong password for your network—and for your router’s administrative controls. It’s important to use a WPA2-secured Wi-Fi network, protected by a good password.
• Don’t give out your Wi-Fi password to friends and visitors. Instead, create a guest network with its own password.
• Antivirus software still matters on your most important devices, like PCs and smartphones.
Finally, amid the flurry of new kinds of connected devices it’s worth taking stock of which ones are really worth the risk to you.
Tomi Engdahl says:
Many invest in information security, but the weakest link is often forgotten
Corporate employees are to blame for most information leaks, two new reports find. The old wisdom that man is ultimately the weakest link in security therefore still likely holds true.
52 percent of information leaks are caused by employee error, estimates a report by the IT organization CompTIA. In 48 percent of information leaks the reason is technology.
At the same time, less than one-third of those surveyed in the report considered human error a major reason for information leaks.
In the SANS Institute’s survey, 51 percent of respondents considered lack of training the cause of security problems.
Source: http://www.tivi.fi/Kaikki_uutiset/2015-04-15/Moni-panostaa-tietoturvaan-mutta-heikoin-lenkki-unohtuu-3219742.html
Tomi Engdahl says:
Microsoft Takes Pirated Windows NT 4.0 Source Code Offline
http://torrentfreak.com/microsoft-takes-pirated-windows-nt-4-0-source-code-offline-150415/?utm_source=dlvr.it&utm_medium=twitter
Windows NT 4.0 may be nearly two decades old but that doesn’t mean that Microsoft wants its sensitive source code out in public. After ignoring a copy of the partially leaked code for several years, the company recently asked GitHub to take an unauthorized copy offline, with success.
Tomi Engdahl says:
Safety is a matter of attitude – “There are larger forces in game than us”
Some companies assume that a breach of their information has already occurred. The threats in the business environment have changed almost overnight, above all cyber threats. Data and privacy concerns are still not in vain, says Dell security evangelist Ramses Gallego.
“There are larger forces than us,” Gallego said, referring to state-sponsored hacker groups. “International law does not help, but that does not mean that there is therefore no need to protect yourself. I do not leave all the doors open just because someone can break into my house. This is about minimizing the risks.”
Gallego says that the Spanish Caixa Bank, for example, starts from the premise that someone has already entered the system. This attitude changes which information technologies are focused on and how security is designed. System monitoring watches the situation, and when something is found, they are ready to analyze the deviation that occurred in any application in use, the system or the platform.
Safety is first and foremost a matter of attitude, according to Gallego. Those recruiting personnel should note one thing: the way a person communicates on the network and stores their own data says something about how they see others’ expectations of privacy.
Employers need to realize what the stakes of the game are and how their behavior affects security and privacy. Security technologies will not help if the workers do not realize that the company and their jobs are in jeopardy, for example, if company secrets are stolen. Gallego believes that regular training sessions should be organized on the matter.
Gallego believes that cloud services, employees’ own devices in the workplace and other trends that revolutionize security are not going away. They are here to stay.
For new technologies, it is advisable to do a risk analysis.
Evaluate what the company may win or lose financially by grabbing trendy technology.
Source: http://summa.talentum.fi/article/tv/uusimmat/151798
Tomi Engdahl says:
You can now Google your lost Android phone
http://venturebeat.com/2015/04/15/you-can-now-google-your-lost-android-phone/
Despite all its efforts in various markets, Google is still primarily a search company. So the fact that you can now use the search engine on your desktop computer to find your lost phone is really just business as usual.
If you’ve lost your Android phone, there is still an important requirement: You need to know where your computer is. The company also emphasizes you need the latest version of its main Android app for this to work. Once you’ve updated, just type in “find my phone” and let Google do what Google does best.
Google doesn’t explain the feature in depth, but we presume you also have to be signed in to Google for this feature to work.
If your phone is nearby, Google can ring it for you. If it’s further away, Google will show you it on a map.
If this sounds familiar, that’s because Google introduced a tool called Android Device Manager in August 2013. The website and app can find lost phones and tablets (running Android 2.2 Froyo and above) by ringing them or showing them on a map.
Tomi Engdahl says:
Drupageddon: SQL Injection, Database Abstraction and Hundreds of Thousands of Web Sites
http://www.linuxjournal.com/content/drupageddon-sql-injection-database-abstraction-and-hundreds-thousands-web-sites?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+linuxjournalcom+%28Linux+Journal+-+The+Original+Magazine+of+the+Linux+Community%29
Drupal is a very widely used open-source content management system. It initially was released in 2001, and recent statistics show Drupal as the third-most popular content management system, with just less than 800,000 Web sites utilizing Drupal as a content management system.
Drupal is written in PHP, and it is architected to use a database back end to store Web site content and settings, whether a full-fledged database management system (such as MySQL) or an embedded DBMS (such as SQLite). In recent versions, Drupal has provided a database abstraction layer in order to facilitate the use of any of a number of database management systems to support a given Drupal installation.
Due to vulnerabilities in the database abstraction layer introduced in version 7 of Drupal, Drupal 7 prior to version 7.32 was vulnerable to an SQL injection attack. This article provides an introduction to SQL injection attacks, an examination of the Drupageddon vulnerability specifically and an explanation of a number of potential defenses against SQL injection attacks.
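An added example, not the Linux Journal article's code or Drupal's own: a Python analogue of the placeholder-expansion flaw the comment refers to (the abstraction layer rewrote an `IN (:names)` placeholder into `:names_0, :names_1` using the caller-supplied array keys verbatim) next to the 7.32-style fix that regenerates the indices positionally, run against a constructed in-memory SQLite table.

```python
import re
import sqlite3

# Added illustration, not Drupal code. Drupal 7 let a query carry one
# placeholder for an array argument and expanded it into one placeholder per
# element. Before 7.32 the expanded names were derived from the array's keys,
# so whatever text those keys held was copied straight into the SQL string.


def _expand(query, args, index_from):
    """Shared expansion loop; index_from decides where the new suffixes come from."""
    args = dict(args)
    for key, data in list(args.items()):
        if not isinstance(data, (dict, list, tuple)):
            continue
        new_keys = {f"{key}_{i}": value for i, value in index_from(data)}
        placeholders = ", ".join(":" + k for k in new_keys)
        # Replace ":names" (whole word) with ":names_0, :names_1, ..."
        query = re.sub(":" + re.escape(key) + r"\b", lambda _m: placeholders, query)
        del args[key]
        args.update(new_keys)
    return query, args


def expand_arguments_vulnerable(query, args):
    """Pre-7.32 behaviour (analogue): the caller's own keys become suffixes."""
    def keys_as_given(data):
        return data.items() if isinstance(data, dict) else enumerate(data)
    return _expand(query, args, keys_as_given)


def expand_arguments_fixed(query, args):
    """7.32-style behaviour (analogue): suffixes are regenerated positionally,
    so caller-controlled key text never reaches the query."""
    def positional(data):
        values = list(data.values()) if isinstance(data, dict) else list(data)
        return enumerate(values)
    return _expand(query, args, positional)


def run_query(query, args):
    """Execute the safely expanded query against a constructed in-memory table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT)")
    con.executemany("INSERT INTO users VALUES (?)",
                    [("alice",), ("bob",), ("carol",)])
    expanded, params = expand_arguments_fixed(query, args)
    rows = con.execute(expanded, params).fetchall()
    con.close()
    return [name for (name,) in rows]


QUERY = "SELECT name FROM users WHERE name IN (:names) ORDER BY name"

if __name__ == "__main__":
    # Keys of the array argument are attacker-influenced in the real bug; here a
    # harmless marker shows whether key text lands in the SQL string.
    tainted = {"names": {"0 <untrusted key text>": "alice", "1": "bob"}}
    print("vulnerable:", expand_arguments_vulnerable(QUERY, tainted)[0])
    print("fixed:     ", expand_arguments_fixed(QUERY, tainted)[0])
    print("result:    ", run_query(QUERY, {"names": ["alice", "bob"]}))
```

The defensive lesson is the one the article lists: placeholder names, like table and column names, must come from the code, never from data, and parameters alone do not protect a query whose text is assembled from caller-supplied keys.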
Tomi Engdahl says:
9 trends for RSA security conference
https://www.youtube.com/watch?v=PfzV4CAFdc4
1. Machine learning
2. Continuous monitoring
3. Cloud and mobile security is maturing
4. Internet of Things (they will not be secure and will not be updated)
5. DevOps
6. Being hacked does not mean you lose
7. Collaboration
8. Education awareness
9. Substance not flash on the floor
Look at the start-ups that innovate
Tomi Engdahl says:
Oracle Security Update Contains Critical Patches for MySQL, Java SE
http://www.securityweek.com/oracle-security-update-contains-critical-patches-mysql-java-se
Oracle released a security update with a whopping 98 fixes, including 17 for Oracle Fusion Middleware and 26 for Oracle MySQL.
The fixes arrived on Tuesday – the same day as a bevy of patches from Microsoft and Adobe Systems. MySQL is home to the largest number of security fixes in the update. Of the 26, four can be exploited remotely without authentication. The most severe of these bugs holds a CVSS rating of 10.0 – the highest criticality rating – and affects MySQL Enterprise Monitoring.
Tomi Engdahl says:
Popular AirDroid App Vulnerable to Authentication Flaw: Researchers
http://www.securityweek.com/popular-airdroid-app-vulnerable-authentication-flaw-researchers
Researchers from security consultancy Bishop Fox have discovered a flaw in the popular Android app AirDroid that allows a remote attacker to secretly take control of a victim’s smartphone.
Used to help people organize their mobile life by providing the remote ability to send text messages, edit files, and manage other apps, AirDroid for Android has more than 20 million downloads from GooglePlay and currently has more than 385,000 reviews, with an overall rating of 4.5 stars of the maximum 5 stars.
Unfortunately, AirDroid’s web application is vulnerable to a pretty serious authentication bug, the researchers claim, saying the flaw can be exploited even when the app isn’t operating.
Once an attacker gains access to a victim’s phone, an attacker can perform actions such as taking photos via the phone’s camera, track the victim via GPS, send messages and harass the victim’s contacts, Bishop Fox’s Matt Bryant explained in a blog post.
Tomi Engdahl says:
Disrupting the Disruptor: Security of Docker Containers
http://www.securityweek.com/disrupting-disruptor-security-docker-containers
Docker Security: How Secure are Containers and Will Security be a Hurdle to Container Adoption?
In the digital age, we have brought forward similar primitives into our computing clouds: virtual versions of desktop operating systems from the 90s: Windows, BSD and Linux. It’s bizarre because these bulky, inefficient virtual guest operating systems are just supporting apparatus for an application.
But now a form of virtualization called containers may obsolete virtual operating systems. Containers are host processes that have advanced support for multi-tenancy and privilege isolation. Applications can run inside a container more efficiently than inside a whole virtual operating system.
And just as VMware rode the wave of operating system virtualization to fame and fortune, there’s a new company named Docker riding the popularity of containers. Docker is fast becoming synonymous with container technology and as a result is the new open-source debutante that everyone wants to date.
So will containers replace traditional operating system virtualization in the same way that virtualization has replaced much of the physical, bare-metal world? And how secure are containers, anyway? Will that be a stumbling block to container adoption?
A recent Gartner analysis of Docker security largely gives Docker security a thumbs up (while noting shortcomings in management and maturity).
The Gartner analysis for Docker security reiterates some of the main points from Docker’s own security page.
• Virtualization security has migrated into the host operating system. Linux and Microsoft kernels have been providing more support for virtualization in every release. The LXC (Linux container) and userspace file systems secure the containers at the host operating system level. This helps traditional virtualization as well and enables containers to focus on efficiency.
• A container system has a smaller threat surface than the traditional virtualization system. Because containers consolidate redundant shared resources, there will be fewer versions of Apache (and its entire mod ecosystem) to attack, and fewer processes to manage. A smaller attack surface is always a good thing.
• Process security controls will be applied to containers. Process security is an ancient black art: easy to misconfigure, often disabled, and it often doesn’t do what you think it should. But the underlying technology should only get better.
On a fundamental level, container security is equivalent to hypervisor security.
Sure, Docker is not as mature as VMware, but that’s just one parameter in your equation—as container security matures, the reduced threat surface may lead to fewer vulnerabilities than full virtual machines.
Docker is already supported by the major cloud infrastructures: Google, Amazon Web Services, IBM, and now Microsoft. The promise of container efficiency is leading some to predict that containers will eventually replace traditional virtualization systems. The ability to spin up containers in a second or less means they will proliferate to deliver their value and then disappear, allowing the underlying operating system to boost the efficiency of the application’s circulatory system.
Tomi Engdahl says:
Why ‘designed for security’ is a dubious designation
http://www.itworld.com/article/2910453/why-designed-for-security-is-a-dubious-designation.html
Recent events suggest that pushing enhanced privacy- and security wares brings risks with few rewards
As Wired.com reported last week, Anonabox’s parent company, Sochule Inc., had to recall devices it shipped to customers after an independent researcher discovered serious security flaws in the product. Those flaws would make it easy for anyone within wireless range of the Anonabox to connect to and take control of the device. Quite simply: Anonabox, designed to offer extra security for Internet users, actually proved less secure even than the consumer broadband routers it was supposed to supplant.
From security-enhanced smart phones and web browsers to broadband routers, consumers who want to cloak their identity online, lock down their data and protect their privacy have more choices than ever. But recent events suggest that the label ‘security enhanced’ often denotes the opposite, as products designed to be ultra secure cough up head-slapping security flaws.
Likewise, researchers at Columbia University published a paper in 2014 that described a method for unmasking users of the ToR anonymizing service using downstream routers that process traffic from ToR users.
“Here’s the problem. You have to be as good as the other, less secure tool and you have to be secure. That’s a bridge too far for many products.” – John Dickson, a Principal at the Denim Group
“What you’re seeing is a different standard,” said Bruce Schneier, the CTO at Resilient Systems. “If you call your browser ‘secure by design’ and it ends up having vulnerability, then you failed. If you call it ‘just a regular browser’ and it ends up with 1,000 vulnerabilities, everyone says ‘look at how good it is!’”
Dickson, of Denim Group, agrees. “The threshold for mockery is low. The threshold for sustained credibility is high,” he said.
There’s a cost to that, of course. Promising projects or products that may be shelved or lose momentum in the face of harsh criticism.
A bigger threat may be that secure products are not pursued for fear of ending up in the crosshairs of fellow security researchers.
“That sort of attitude is to the advantage of people like me,” said Callas of Silent Circle, which makes privacy-enhancing communications tools. “You get a Twitter storm going of ‘ha ha you made a mistake!’ … I know how to respond to that kind of criticism because I’ve been there before. But you have new people coming up who are brilliant and passionate, and they won’t necessarily deal with it well.”
Anonabox Recalls 350 ‘Privacy’ Routers for Security Flaws
http://www.wired.com/2015/04/anonabox-recall/
Tomi Engdahl says:
Microsoft Security Bulletin MS15-034 – Critical
Vulnerability in HTTP.sys Could Allow Remote Code Execution (3042553)
https://technet.microsoft.com/library/security/ms15-034
This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker sends a specially crafted HTTP request to an affected Windows system.
This security update is rated Critical for all supported editions of Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2. For more information, see the Affected Software section.
The security update addresses the vulnerability by modifying how the Windows HTTP stack handles requests.
Tomi Engdahl says:
CNN:
US government report: planes with avionics and passengers on same network could theoretically be vulnerable to hackers
GAO: Newer aircraft vulnerable to hacking
http://edition.cnn.com/2015/04/14/politics/gao-newer-aircraft-vulnerable-to-hacking/
Washington (CNN) Hundreds of planes flying commercially today could be vulnerable to having their onboard computers hacked and remotely taken over by someone using the plane’s passenger Wi-Fi network, or even by someone on the ground, according to a new report from the Government Accountability Office.
One of the authors of the report, Gerald Dillingham, told CNN the planes include the Boeing 787 Dreamliner, the Airbus A350 and A380 aircraft, and all have advanced cockpits that are wired into the same Wi-Fi system used by passengers.
“Modern communications technologies, including IP connectivity, are increasingly used in aircraft systems, creating the possibility that unauthorized individuals might access and compromise aircraft avionics systems,” according to the report, which is based on interviews with cybersecurity and aviation experts.
The government investigators who wrote the report say it is theoretically possible for someone with just a laptop to:
– Commandeer the aircraft
– Put a virus into flight control computers
– Jeopardize the safety of the flight by taking control of computers
– Take over the warning systems or even navigation systems
Dillingham says although modern aircraft could be vulnerable, there are a number of redundancy mechanisms built into the plane systems that could allow a pilot to correct a problem.
The report explains that as the air traffic control system is upgraded to use Internet-based technology on both the ground and in planes, avionics could be compromised. Older planes systems aren’t highly Internet-based, so the risk for aircraft 20 years and older is less.
Commercial pilot John Barton told CNN, “We’ve had hackers get into the Pentagon, so getting into an airplane computer system I would think is probably quite easy at this point.”
Experts told investigators, “If the cabin systems connect to the cockpit avionics systems and use the same networking platform, in this case IP, a user could subvert the firewall and access the cockpit avionics system from the cabin.”
He says that the Federal Aviation Administration “must focus on aircraft certification standards that would prevent a terrorist with a laptop in the cabin or on the ground from taking control of an airplane through the passenger Wi-Fi system. That’s a serious vulnerability.”
Washington went on to say “It is also important to note that the FAA had already initiated a comprehensive program to improve the cybersecurity defenses of the NAS (National Airspace System) infrastructure, as well as other FAA mission-critical systems. We are significantly increasing our collaboration and coordination with cyber intelligence and security organizations across the federal government and in the private sector.”
“The Dreamliner and the A350 were actually designed to have the technology in it going forward to be able to have remote control intervention between the pilot and the ground or if an emergency were to happen in the air,” Barton said. But he quickly added, “It’s going to take a long time before we get to the point where that technology is safe and secure.”
Boeing said it is committed to designing secure aircraft.
“Boeing airplanes have more than one navigational system available to pilots,”
Tomi Engdahl says:
Dan Goodin / Ars Technica:
Virginia e-voting systems relied on weak hard-coded passwords, trivial Wi-Fi security, unpatched OS — Meet the e-voting machine so easy to hack, it will take your breath away — Virginia decertifies device that used weak passwords and wasn’t updated in 10 years.
Meet the e-voting machine so easy to hack, it will take your breath away
Virginia decertifies device that used weak passwords and wasn’t updated in 10 years.
http://arstechnica.com/tech-policy/2015/04/meet-the-e-voting-machine-so-easy-to-hack-it-will-take-your-breath-away/
Virginia election officials have decertified an electronic voting system after determining that it was possible for even unskilled people to surreptitiously hack into it and tamper with vote counts.
The AVS WINVote, made by Advanced Voting Solutions, passed necessary voting systems standards and has been used in Virginia and, until recently, in Pennsylvania and Mississippi. It used the easy-to-crack passwords of “admin,” “abcde,” and “shoup” to lock down its Windows administrator account, Wi-Fi network, and voting results database respectively, according to a scathing security review published Tuesday by the Virginia Information Technologies Agency. The agency conducted the audit after one Virginia precinct reported that some of the devices displayed errors that interfered with vote counting during last November’s elections.
The weak passwords—which are hard-coded and can’t be changed—were only one item on a long list of critical defects uncovered by the review. The Wi-Fi network the machines use is encrypted with wired equivalent privacy, an algorithm so weak that it takes as little as 10 minutes for attackers to break a network’s encryption key. The shortcomings of WEP have been so well-known that it was banished in 2004 by the IEEE, the world’s largest association of technical professionals. What’s more, the WINVote runs a version of Windows XP Embedded that hasn’t received a security patch since 2004, making it vulnerable to scores of known exploits that completely hijack the underlying machine. Making matters worse, the machine uses no firewall and exposes several important Internet ports.
And finally, he wrote:
So how would someone use these vulnerabilities to change an election?
1. Take your laptop to a polling place, and sit outside in the parking lot.
2. Use a free sniffer to capture the traffic, and use that to figure out the WEP password (which VITA did for us).
3. Connect to the voting machine over WiFi.
4. If asked for a password, the administrator password is “admin” (VITA provided that).
5. Download the Microsoft Access database using Windows Explorer.
6. Use a free tool to extract the hardwired key (“shoup”), which VITA also did for us.
7. Use Microsoft Access to add, delete, or change any of the votes in the database.
8. Upload the modified copy of the Microsoft Access database back to the voting machine.
9. Wait for the election results to be published.
It’s good that Virginia will no longer use this machine.
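A worked example added here to show why the WEP finding in the VITA review matters; it is not code from the Ars article or from the review. WEP encrypts each frame with RC4 keyed by a 24-bit IV prepended to the shared key, so the keystream repeats as soon as an IV repeats, and the LLC/SNAP header that starts every IP frame hands an eavesdropper eight bytes of known plaintext. The key (b"k3y40"), the IV and the packet contents below are constructed for the demo; the CRC-32 ICV is included, the key-id byte is not:

```python
import math
import zlib

# Constructed values for the demo (not taken from the VITA report).
SHARED_KEY = b"k3y40"          # 40-bit WEP key, 5 bytes
IV = b"\x01\x02\x03"           # 24-bit IV, sent in the clear with every frame

# LLC/SNAP header that opens every IP packet inside an 802.11 data frame:
# it is constant, so an eavesdropper always knows these 8 plaintext bytes.
SNAP_IP_HEADER = bytes.fromhex("aaaa030000000800")


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 key scheduling plus keystream generation; WEP's only cipher."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(shared_key: bytes, iv: bytes, payload: bytes) -> bytes:
    """Frame body = IV in the clear, then RC4(IV || key) over payload || CRC-32 ICV.
    (A real frame also carries a key-id byte after the IV; omitted here.)"""
    if len(iv) != 3:
        raise ValueError("WEP IV is 3 bytes")
    icv = zlib.crc32(payload).to_bytes(4, "little")
    keystream = rc4_keystream(iv + shared_key, len(payload) + len(icv))
    return iv + xor(payload + icv, keystream)


def recover_keystream(frame: bytes, known_plaintext: bytes) -> bytes:
    """Known plaintext XOR ciphertext = keystream for this frame's IV. No key needed."""
    return xor(frame[3:3 + len(known_plaintext)], known_plaintext)


def decrypt_prefix(frame: bytes, keystream: bytes) -> bytes:
    """Apply a keystream recovered from another frame that used the same IV."""
    return xor(frame[3:3 + len(keystream)], keystream)


def frames_until_iv_repeat(probability: float = 0.5, iv_bits: int = 24) -> int:
    """Birthday bound: frames a network sends before some IV repeats with the given probability."""
    space = 2 ** iv_bits
    return math.ceil(math.sqrt(2 * space * math.log(1 / (1 - probability))))


def demo() -> dict:
    # Two frames that happen to share an IV (certain within a few thousand frames).
    p1 = SNAP_IP_HEADER + b"known packet the sniffer saw in full"
    p2 = SNAP_IP_HEADER + b"secret packet: voting db password"
    f1 = wep_encrypt(SHARED_KEY, IV, p1)
    f2 = wep_encrypt(SHARED_KEY, IV, p2)
    # 1. Without any known plaintext, XOR of the two bodies is XOR of the plaintexts;
    #    the shared SNAP header cancels to zeros, which is how IV reuse is spotted.
    body_xor = xor(f1[3:], f2[3:])
    # 2. The 8 known SNAP bytes alone yield 8 keystream bytes for this IV...
    ks8 = recover_keystream(f1, SNAP_IP_HEADER)
    # 3. ...and if all of p1 is known (e.g. the attacker caused that packet),
    #    everything in f2 that overlaps it decrypts without the key.
    ks_full = recover_keystream(f1, p1)
    return {
        "iv_reuse_visible": body_xor[:8] == bytes(8),
        "snap_keystream_len": len(ks8),
        "p2_recovered": decrypt_prefix(f2, ks_full)[:len(p2)],
        "frames_until_iv_repeat": frames_until_iv_repeat(),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The key-recovery attacks that crack a WEP key in minutes (FMS, PTW) build on exactly these two properties, weak per-frame keys and known plaintext; the code above stops at keystream reuse, which already lets an attacker read or forge frames without ever learning the key.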
Tomi Engdahl says:
Lorenzo Franceschi-Bicchierai / Motherboard:
DEA has been buying spyware produced by Italian surveillance tech firm Hacking Team since 2012
http://motherboard.vice.com/read/the-dea-has-been-secretly-buying-hacking-tools-from-an-italian-company
Tomi Engdahl says:
Ukraine conflict spilling over into cyber-crime, warns former spy boss
Russian spooks are arming crooks, says Canadian ex-agent
http://www.theregister.co.uk/2015/04/16/cyber_war_keynote_infiltrate/
Russian intelligence has begun sharing advanced malware developed for cyber-espionage with cyber-criminals, a former Canadian spy boss warns.
Ray Boisvert, former assistant director and head of intelligence for the Canadian Security Intelligence Service (CSIS), told El Reg that Russian security agencies are sharing advanced hacking tools and malware with organised crime gangs.
Worsening relations between the West and Russia over Ukraine have provoked the change.
“Russian nationalism and organised crime are being assisted by Russian state security,” Boisvert told El Reg. “The red lines have gone because of Ukraine. Organised crime is being told they can disrupt Western interests.”
“Hijacks were a manageable cost for the airline industry – until about the late 1980s, when they began to destroy aircraft after the hijacking – and certainly prior to 9/11 but not after,”
Boisvert agrees with estimates from Eric Rosenbach, US assistant secretary of defence for Homeland Defense and Global Security, that up to 60 nations are engaged in cyber-espionage associated with the development of so-called APT (advanced persistent threat) style attacks. “Even Hezbollah has an intel capability,” Boisvert noted.
“Cyber is a weapon of war,” Boisvert said. “The Nasdaq and Home Depot hacks are examples of this.”
Cyber-attacks are a “soft, scalable tool” during conflicts, according to Boisvert, who added that “difficulties in attribution mean that cyber-attacks can be done in stealth”.
Tomi Engdahl says:
The price of the intrusion rises: store chain to pay MasterCard 19 million
The department store chain Target and MasterCard have announced a settlement over the 2013 data breach. At the time, up to 40 million credit and debit card records were stolen from Target’s systems.
Target will pay up to 19 million dollars to the banks and credit unions that issued the affected MasterCard cards, reports Phys.org. The money compensates the card issuers for cleaning up the mess and for the fraud costs they incurred.
The company’s total costs will rise to 252 million dollars (about 224 million euros); insurance covers 90 million dollars of that.
Source: http://www.tivi.fi/Kaikki_uutiset/2015-04-16/Tietomurron-hinta-nousee-kauppaketju-maksaa-MasterCardille-19-miljoonaa-3219878.html
Target settles data breach lawsuit with MasterCard for $19M
http://phys.org/news/2015-04-breach-lawsuit-mastercard-19m.html
Target and MasterCard say they’ve agreed to settle lawsuits over the discounter’s pre-Christmas 2013 massive data breach.
Target said late Wednesday it has set aside up to $19 million for banks and credit unions issuing MasterCards that were caught in the data breach that compromised 40 million credit and debit card accounts between Nov. 27 and Dec. 15, 2013.
MasterCard Inc. said the money will be available to banks and credit unions for operating costs and fraud-related losses on cards believed to have been affected.
Target’s high-profile breach pushed banks, retailers and card companies to increase security by speeding the adoption of microchips in U.S. credit and debit cards. Supporters say chip cards are safer, because unlike magnetic strip cards that transfer a credit card number when they are swiped at a point-of-sale terminal, chip cards use a one-time code that moves between the chip and the retailer’s register. The result is a transfer of data that is useless to anyone except the parties involved. Chip cards are also nearly impossible to copy, experts say.
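A small added illustration of the magstripe-versus-chip point made above; it is not from the article and it is not EMV itself. HMAC-SHA256 stands in for the EMV cryptogram (ARQC), and every card number, key, nonce and amount is made up. The point it shows is that a code bound to a counter the card increments and to a nonce the terminal chooses cannot be replayed by whoever recorded it, while static track data can:

```python
import hashlib
import hmac
import secrets

# Constructed demo; HMAC-SHA256 replaces EMV's cryptogram so the mechanism is
# visible without EMV's key derivation and field encoding.


def cryptogram(key: bytes, pan: str, amount_cents: int, atc: int, nonce: bytes) -> str:
    msg = f"{pan}|{amount_cents}|{atc}|{nonce.hex()}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class MagstripeCard:
    """Static track data: the terminal reads the same bytes every time."""

    def __init__(self, pan: str, track_secret: str):
        self.track = f"{pan}^{track_secret}"

    def swipe(self) -> str:
        return self.track


class ChipCard:
    """Per-transaction code: MAC over the amount, a counter the card bumps on
    every use (the ATC) and a nonce supplied by the terminal."""

    def __init__(self, pan: str, key: bytes):
        self.pan = pan
        self._key = key          # never leaves the chip
        self.atc = 0

    def transact(self, amount_cents: int, terminal_nonce: bytes) -> dict:
        self.atc += 1
        return {
            "pan": self.pan,
            "amount": amount_cents,
            "atc": self.atc,
            "mac": cryptogram(self._key, self.pan, amount_cents, self.atc, terminal_nonce),
        }


class Issuer:
    def __init__(self):
        self.valid_tracks = set()
        self.chip_keys = {}
        self.last_atc = {}

    def authorize_swipe(self, track: str) -> bool:
        # Whatever a skimmer copied is exactly what a genuine card presents.
        return track in self.valid_tracks

    def authorize_chip(self, msg: dict, terminal_nonce: bytes) -> bool:
        key = self.chip_keys.get(msg["pan"])
        if key is None:
            return False
        expected = cryptogram(key, msg["pan"], msg["amount"], msg["atc"], terminal_nonce)
        if not hmac.compare_digest(expected, msg["mac"]):
            return False        # forged, or computed for another nonce/amount
        if msg["atc"] <= self.last_atc.get(msg["pan"], 0):
            return False        # counter did not advance: a replayed cryptogram
        self.last_atc[msg["pan"]] = msg["atc"]
        return True


def demo() -> dict:
    issuer = Issuer()
    pan = "4111111111111111"                      # test PAN, not a real account
    mag = MagstripeCard(pan, "svc=101")
    issuer.valid_tracks.add(mag.track)
    chip_key = secrets.token_bytes(16)
    chip = ChipCard(pan, chip_key)
    issuer.chip_keys[pan] = chip_key

    # A malware-infected register records everything it sees.
    skimmed_track = mag.swipe()
    nonce1 = secrets.token_bytes(4)
    skimmed_msg = chip.transact(1999, nonce1)
    genuine_ok = issuer.authorize_chip(skimmed_msg, nonce1)

    # Later, at another terminal, the thief presents the copies.
    nonce2 = secrets.token_bytes(4)
    return {
        "genuine_chip_accepted": genuine_ok,
        "replayed_swipe_accepted": issuer.authorize_swipe(skimmed_track),
        "replayed_cryptogram_accepted": issuer.authorize_chip(skimmed_msg, nonce2),
        "replayed_same_nonce_accepted": issuer.authorize_chip(skimmed_msg, nonce1),
        "fresh_chip_accepted": issuer.authorize_chip(chip.transact(1999, nonce2), nonce2),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Two checks do the work: the MAC fails if the terminal nonce or amount differs from what the card signed, and the counter check catches a replay even when an attacker controls the terminal and reuses the old nonce. Neither helps the PAN itself, which still travels in the clear unless the terminal encrypts it, which is why the chip migration did not end card-not-present fraud.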
Tomi Engdahl says:
IBM’s 700TB security threat database enters the cloud. Look to the heavens, hackers
‘Think of it as Pinterest for security’
http://www.theregister.co.uk/2015/04/16/ibm_700tb_security_threat_database_cloud_hackers/
IBM is putting its massive threat database up into the cloud for researchers, IT administrators, and anyone else to access in the hope of fundamentally changing how security companies defend against attackers.
“Information sharing is something that has been discussed in legislation, within the industry, and between companies but very little action has been taken,” Caleb Barlow, veep at IBM Security, told The Register.
“The reality is that attackers are well educated and they collaborate like crazy but the defenders aren’t collaborating to a level we want and we can’t wait any more. So we thought if we’re really going to solve the problem we have to step up and lead.”
The project, which started about a year ago, will see Big Blue’s 700 terabyte archive of security data go online in an archive dubbed the ‘IBM X-Force Exchange’.
This includes malware threat intelligence from 270 million end users, threat information on 25 billion websites, and images and details of more than a million IP addresses linked to hacking.
In addition, the firm is including a library of APIs and software tools to allow third parties to either use the data to harden up their own defenses, or add to it.
Researchers will be able to annotate data and, hopefully, other companies will also add to the ever-increasing databases to make it more useful for others.
“Think of it as Pinterest for security,”
Tomi Engdahl says:
POS Providers Feel Brunt of PoSeidon Malware
http://krebsonsecurity.com/2015/04/pos-providers-feel-brunt-of-poseidon-malware/
“PoSeidon,” a new strain of malicious software designed to steal credit and debit card data from hacked point-of-sale (POS) devices, has been implicated in a number of recent breaches involving companies that provide POS services primarily to restaurants, bars and hotels. The shift by the card thieves away from targeting major retailers like Target and Home Depot to attacking countless, smaller users of POS systems is giving financial institutions a run for their money as they struggle to figure out which merchants are responsible for card fraud.
One basic tool that banks use to learn the source of card data theft involves determining a “common point-of-purchase” (CPP) among a given set of customer cards that experience fraud. When a new batch of cards goes on sale at an online crime shop, banks will often purchase a very small number of their stolen cards to determine if the victim customers all shopped at the same merchant across a specific time period.
This same CPP analysis was critical to banks helping this reporter identify some of the biggest retail breaches on record in recent years, and it is a method heavily relied upon by law enforcement agencies to identify breach victims.
But the CPP approach usually falls flat if all of the cards purchased from the fraud shop fail to reveal a common merchant.
Card breaches involving POS devices sold by the same vendor are notoriously hard for financial institutions to diagnose because the banks very often have a direct relationship with neither the POS vendor nor the breached restaurant or bar whose customers’ cards were stolen.
POS-specific breaches frequently tie back to a subset of customers of a POS vendor who in turn rely on local IT company to install and support the POS systems.
A few weeks ago, this reporter broke the news that multiple systems run by POS vendor NEXTEP had experienced a breach.
More recently, KrebsOnSecurity has heard from multiple banks about suspicions that systems sold and maintained by another POS vendor – Naples
“Was Bevo POS ever breached? No, however, Windows was. Bevo POS is Point of Sale application (not cloud based) that is both PCI compliant and encrypts all credit card data,” he explained.
The malware identified, PoSeidon, which pushes itself with DLL injection and backdoor Trojans, is a keylogger with memory scraping that breached Windows
“So to prevent future possibilities of this ‘gap’ in the system being tapped again by relentless hackers, we have made an agreement with Comodo to create a new-age containment software that includes anti-virus,”
Security vendors have long recommended “end-to-end” or “point-to-point” encryption products and services to sidestep threats like PoSeidon. The idea being that if the card data never traverses the local network or point-of-sale device in an unencrypted format, any card-stealing malware that makes its way to the point-of-sale systems will have nothing to steal but worthless gibberish.
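An added example of the common-point-of-purchase (CPP) analysis Krebs describes above, and of why it falls flat when the breach sits at a POS vendor rather than at one merchant. The code and the transaction data are constructed for this post; the merchant-to-vendor map is hypothetical, and a real bank would get it from acquirer or vendor records:

```python
from collections import Counter

# Constructed sample data (not from the article). Each fraud card was used at a
# different small restaurant; those restaurants all run the same hypothetical
# POS vendor's software. A few cards also overlap at big chains by chance.
POS_VENDOR = {
    "Bistro Alpha": "AcmePOS", "Cafe Beta": "AcmePOS", "Grill Gamma": "AcmePOS",
    "Pub Delta": "AcmePOS", "Diner Epsilon": "AcmePOS", "Taverna Zeta": "AcmePOS",
    "MegaMart": "BigBoxPOS", "FuelStop": "PumpPOS",
}

# card -> list of (merchant, ISO date) authorizations seen by the issuing bank
TRANSACTIONS = {
    "card1": [("Bistro Alpha", "2015-03-02"), ("MegaMart", "2015-03-05")],
    "card2": [("Cafe Beta", "2015-03-03"), ("FuelStop", "2015-03-04")],
    "card3": [("Grill Gamma", "2015-03-06"), ("MegaMart", "2015-03-07")],
    "card4": [("Pub Delta", "2015-03-08")],
    "card5": [("Diner Epsilon", "2015-03-09"), ("FuelStop", "2015-03-10")],
    "card6": [("Taverna Zeta", "2015-03-11"), ("FuelStop", "2015-03-12")],
    "card7": [("MegaMart", "2015-01-20")],   # not in the carding-shop batch
}
# The cards the bank bought back from the fraud shop.
FRAUD_CARDS = ["card1", "card2", "card3", "card4", "card5", "card6"]


def common_points(transactions, fraud_cards, start, end, key=lambda merchant: merchant):
    """For every group (merchant by default, or whatever `key` maps a merchant to),
    count how many of the fraud cards transacted there within [start, end].
    A card counts once per group no matter how often it visited."""
    counts = Counter()
    for card in fraud_cards:
        groups = {key(merchant) for merchant, day in transactions.get(card, [])
                  if start <= day <= end}
        counts.update(groups)
    return counts.most_common()


def likely_breach_point(transactions, fraud_cards, start, end, min_share=0.8):
    """Classic CPP: a merchant seen by at least min_share of the fraud cards.
    When that fails, roll merchants up to their POS vendor and retry; that is
    where a PoSeidon-style breach of many small merchants shows up."""
    n = len(fraud_cards)
    by_merchant = common_points(transactions, fraud_cards, start, end)
    if by_merchant and by_merchant[0][1] / n >= min_share:
        merchant, hits = by_merchant[0]
        return ("merchant", merchant, hits)
    by_vendor = common_points(transactions, fraud_cards, start, end,
                              key=lambda m: POS_VENDOR.get(m, "unknown-vendor"))
    if by_vendor and by_vendor[0][1] / n >= min_share:
        vendor, hits = by_vendor[0]
        return ("pos_vendor", vendor, hits)
    return None


if __name__ == "__main__":
    window = ("2015-03-01", "2015-03-31")
    print(common_points(TRANSACTIONS, FRAUD_CARDS, *window))
    print(likely_breach_point(TRANSACTIONS, FRAUD_CARDS, *window))
```

Lowering min_share to 0.5 on the sample data would blame FuelStop, which three of the six cards merely had in common by chance; that false positive is why a weak merchant-level hit should be compared against the vendor-level roll-up before anyone phones a merchant.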
Tomi Engdahl says:
SPEAR – Redirect to SMB
http://blog.cylance.com/redirect-to-smb
We’ve uncovered a new technique for stealing sensitive login credentials from any Windows PC, tablet or server, including ones running previews of the yet-to-be-released Windows 10 operating system. Software from at least 31 companies including Adobe, Apple, Box, Microsoft, Oracle and Symantec can be exploited using this vulnerability, which we have dubbed Redirect to SMB.
The Redirect to SMB attack builds on a vulnerability discovered in 1997 by Aaron Spangler, who found that supplying URLs beginning with the word “file” (such as file://1.1.1.1/) to Internet Explorer would cause the operating system to attempt to authenticate with a SMB server at the IP address 1.1.1.1. It’s a serious issue because stolen credentials can be used to break into private accounts, steal data, take control of PCs and establish a beachhead for moving deeper into a targeted network. These “file” URLs could be provided as an image, iframe, or any other web resource resolved by the browser.
We uncovered Redirect to SMB while hunting for ways to abuse a chat client feature that provides image previews.
We identified four commonly used Windows API functions that allow for redirection from HTTP/HTTPS to SMB. Early testing found that they are used by a wide range of software features such as updaters and usage reporting tools.
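An added example of the client-side check that closes the Redirect to SMB path described above; it is written for this post, not taken from Cylance’s write-up. It assumes an application that follows HTTP redirects itself (an updater or an image-preview fetcher) and models the redirect chain as a dict from URL to Location header; the hostnames and the 203.0.113.5 address are placeholders:

```python
from urllib.parse import urljoin, urlparse

ALLOWED_SCHEMES = {"http", "https"}


def is_smb_redirect(location: str) -> bool:
    """True if a Location value would make a Windows URL API open an SMB
    session (and send the user's NTLM credentials) instead of an HTTP one."""
    loc = location.strip()
    if loc.startswith("\\\\"):
        return True                      # bare UNC path: \\host\share\file
    parsed = urlparse(loc)               # scheme comes back lower-cased
    if parsed.scheme in ("file", "smb"):
        # file://host/share and file:////host/share both name a remote host;
        # urlparse puts the host in netloc for the first, in path for the second.
        return bool(parsed.netloc) or parsed.path.startswith("//")
    return False


def safe_follow(start_url: str, responses: dict, max_hops: int = 5) -> dict:
    """Follow redirects the way a hardened client should: refuse any hop whose
    target is not http(s) and stop after max_hops. `responses` maps a URL to its
    Location header, or None for a final non-redirect response."""
    url = start_url
    for hop in range(max_hops + 1):
        location = responses.get(url)
        if location is None:
            return {"final": url, "hops": hop, "blocked": None}
        if is_smb_redirect(location):
            return {"final": url, "hops": hop, "blocked": f"smb redirect to {location!r}"}
        nxt = urljoin(url, location)
        if urlparse(nxt).scheme not in ALLOWED_SCHEMES:
            return {"final": url, "hops": hop, "blocked": f"non-http scheme in {nxt!r}"}
        url = nxt
    return {"final": url, "hops": max_hops, "blocked": "too many redirects"}


# Constructed redirect chains (hostnames are placeholders; 203.0.113.5 is a
# documentation address). The first bounces an image preview through a CDN and
# then onto an SMB share; the second is an ordinary relative redirect; the
# third points at a local file, which is not SMB but is still not http(s).
RESPONSES = {
    "http://chat.example.test/avatar.png": "https://cdn.example.test/a/avatar.png",
    "https://cdn.example.test/a/avatar.png": "file://203.0.113.5/share/avatar.png",
    "http://site.test/old": "/new",
    "http://site.test/new": None,
    "http://site.test/local": "file:///C:/x.txt",
}


if __name__ == "__main__":
    for start in ("http://chat.example.test/avatar.png", "http://site.test/old", "http://site.test/local"):
        print(start, "->", safe_follow(start, RESPONSES))
```

The same allow-list belongs in whatever wrapper native code puts around the Windows URL functions; the point of the Cylance write-up is that those functions follow http to file:// on their own, so the scheme check has to run before the redirect is honoured, not after.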
Tomi Engdahl says:
Microsoft downplays new report of Windows flaw
http://www.cnet.com/news/microsoft-downplays-new-report-of-windows-flaw/
Researchers say a new variation on an old flaw could allow hackers to steal log-in credentials from users of every version of Windows. Microsoft doesn’t seem too worried.
Tomi Engdahl says:
Miscreants rummage in lawyers’ silky drawers at will, despite warnings
173 UK law firms found hackers had their fingers in briefs last year
http://www.theregister.co.uk/2015/04/16/law_office_breaches_rife_foia/
UK data privacy watchdogs at the ICO investigated 173 UK law firms for reported breaches of the Data Protection Act (DPA) last year.
A total of 187 incidents were recorded last year, with 173 firms investigated for a variety of DPA-related incidents, of which 29 per cent related to “security” and a similar 26 per cent related to incorrect disclosure of data.
Hackers target solicitors in order to get their hands on the confidential data of their clients for identity fraud or other reasons. Accountants and other professional services firms are also on the front line of attacks, with cyber-spies as well as profit-motivated criminals all having a pop.
Recently published US research by incident response outfit Mandiant uncovered that at least 80 per cent of the country’s 100 biggest firms had been involved in a breach since 2011.
Separate US research revealed that 89 per cent of US law firms use unencrypted email as a primary means of communication. Almost half of American law firms use free, cloud-based file-sharing services like Dropbox for “privileged information”, according to LexisNexis Legal & Professional.
Tony Pepper, chief exec at Egress, commented: “The warning signs regarding data security within the legal sector have been clear for people to see for some time now.
Tomi Engdahl says:
Cyber Attacks Upend Attorney-Client Privilege
Security experts say law firms are perfect targets for hackers
http://www.bloomberg.com/news/articles/2015-03-19/cyber-attacks-force-law-firms-to-improve-data-security
A security breach is one of the last things a lawyer wants to admit to a client.
Law firms of all sizes are vulnerable. Cybersecurity firm Mandiant says at least 80 of the 100 biggest firms in the country, by revenue, have been hacked since 2011.
80%
Share of the country’s top 100 law firms that have had a security breach
Rival law firms are even banding together to address the problem.
To mitigate potential damage, some firms are buying cyberinsurance in the event of a major data breach. The market is relatively small, but more firms are asking for quotes and demand is picking up
Even the most sophisticated security systems will never be completely hackerproof, says Shane McGee, chief privacy officer at Mandiant parent company FireEye, especially if the hackers are backed by a foreign government. “When you’re dealing with state actors, if they want in, they’re going to get in.”
Law firm file sharing – there’s a disconnect Jim and I don’t like the look of it!
http://www.legaltechnology.com/latest-news/law-firm-file-sharing-theres-a-disconnect-jim-and-i-dont-like-the-look-of-it/
LexisNexis Legal & Professional has just published the results of its 2014 Law Firm File Sharing Survey of US based law firms and their usage of file sharing tools. More than 70% of law firms report that file sharing is increasingly important and there is a heightened awareness that if privileged information is compromised, the fall out for the law firm could spell disaster. However, unencrypted email (89%) remains the dominant means for sharing privileged communications.
More than 80% of respondents said that if someone other than a client or privileged party accessed confidential documents – the results would be consequential or very consequential to the firm. Even so, an overwhelming 77% of law firms report that their primary means of securing documents is a confidentiality statement below the body of an email. Astonishingly, in response to an open ended question, 4% of law firms reported they take no measures at all to protect privileged communications shared by email.
“There’s clearly a disconnect between expressed security concerns – and measures law firms employ to protect their clients and themselves,”
Key findings in the survey include:
• File sharing gaining importance in privileged communications. 73% of law firms say file sharing is more important this year than in previous years.
• Confidentiality statements are the most common shield against compromise. Most law firms include a confidentiality statement below the body of their emails as the primary means to protect privileged communication.
• Free commercial file sharing services proliferate. (Such as Dropbox ..Ed) About half of law firms say they have used free commercial file sharing services to transmit privileged information.
• Top three features law firms’ demand in file sharing services. The ability to add a watermark to documents was the most popular feature law firms said they wanted in a file sharing service, which identifies the sender, but provides little security on the recipient’s end.
“Law firms are caught in a bit of a bind because their clients demand a simple way to collaborate, but the risks, as this survey found, are exceptionally high,”
Tomi Engdahl says:
IBM releases hive mind of cyber threat information to save us all
Cloud-based real-time threat analysis could help beat the baddies
http://www.theinquirer.net/inquirer/news/2404404/ibm-releases-hive-mind-of-cyber-threat-information-to-save-us-all
IBM HAS MADE a huge library of cyber threat intelligence available with the launch of IBM X-Force Exchange, the Huggy Bear of malware, powered by the company’s cloud offering.
The collaborative platform offers access to historical and real-time threat information presented in an actionable format, meaning that it can be used to prevent cyber attacks.
This big data approach to cyber threats is, it is hoped, a way to proactively nip them in the bud using a network of peers, security analysts from IBM’s Managed Security Services and third parties.
The data includes a catalogue of every vulnerability recorded, threat information based on the monitoring of over 15 billion events daily, threat intelligence from 270 million endpoints, threat information from 25 billion web pages and images, intelligence on more than eight million spam and phishing attacks, and reputation data on nearly one million malicious IP addresses.
This comes to a total of 700TB of raw aggregated data which will grow in real time as the network increases in size, and the contributions and threats continue to rise.
The X-Force Exchange supports the new STIX and TAXII intelligence sharing formats, and will also work seamlessly with existing security systems.
Tomi Engdahl says:
IBM’s X-Force Exchange to make decades worth of cyber-threat data public
http://www.zdnet.com/article/ibm-opens-up-decades-worth-of-threat-data-to-combat-cybercrime/
Summary: IBM’s X-Force Exchange aims to be one of the largest and most thorough catalogs of vulnerabilities in the world, helping companies to defend against cyber-crimes in real-time.
Tomi Engdahl says:
New York Times:
China suspends policy requiring audits, source code, and backdoors from foreign tech companies serving banks
China Halts New Policy on Tech for Banks
http://www.nytimes.com/2015/04/17/business/international/china-suspends-rules-on-tech-companies-serving-banks.html?_r=0
China has suspended a policy that would have effectively pushed foreign technology companies out of the country’s banking sector, according to a note sent by Chinese regulators to banks.
Dated Monday, the letter called for banks to “suspend implementation” of the rules, which have been at the center of a brewing trade conflict between the United States and China. The rules, put into effect at the end of last year, called for companies that sell computer equipment to Chinese banks to turn over intellectual property and submit source code, in addition to other demands.
Tomi Engdahl says:
The Rise of Cyber Extortion
http://www.securityweek.com/rise-cyber-extortion
Over the last couple of years, cyber extortions have revolved around the most valuable aspect of the digital age – data. The first case of cyber extortion, as reported by Thomas Whiteside in his book Computer Capers, occurred in 1971 when two reels of magnetic tape belonging to a branch of the Bank of America were stolen at Los Angeles International Airport. The thieves demanded money for their return, but the ransom was not paid because tape backup was available.
But things have escalated since.
Cyber extortions have taken on multiple forms, all focused on data – encrypting data and holding it hostage, stealing data and threatening exposure, and denying access to data:
• Ransomware – Once the victim’s device is infected, the ransomware begins to encrypt private files, the data, before popping up a message demanding a ransom in exchange for the encryption key.
• Denial-of-service attacks – A denial-of-service attack is when an organization’s website or online business is flooded by so much traffic that legitimate users are denied access. In an extortion situation, the cyber extortionists demand money to stop the DDoS.
• Holding sensitive data hostage – Stealing data and threatening exposure is nothing new. In 2007, Nokia paid millions of euros to ensure that an encryption key for their Symbian OS would not be released to the public.
• Holding AWS accounts hostage – In June of last year, an attacker took over Code Spaces’ AWS administrative panel, and offered to return controls for a price.
One of the reasons these attacks have grown exponentially is because of the availability of digital currency. Instead of having to deal with physical cash and paper trails, extortionists now benefit from anonymized digital transactions with Bitcoin.
Is there anything that can be done to prevent cyber extortion? Quite simply, identify and categorize your data. Spend your efforts protecting the most critical data. The easiest way to do this is by moving your data to the cloud.
As long as companies continue to pay ransoms when attacked, we should expect cyber extortion to continue in 2015.
Tomi Engdahl says:
Sysadmins, patch now: HTTP ‘pings of death’ are spewing across web to kill Windows servers
Patch Tuesday bug reverse engineered by Thursday
http://www.theregister.co.uk/2015/04/16/http_sys_exploit_wild_ms15_034/
The SANS Institute has warned Windows IIS web server admins to get patching as miscreants are now exploiting a flaw in the software to crash websites.
The security bug (CVE-2015-1635) allows attackers to knock web servers offline by sending a simple HTTP request. Microsoft fixed this denial-of-service vulnerability yesterday in a patch numbered MS15-034.
However, within hours of the update going live, people reverse engineered the patch to find out where the hole is and how to exploit it, and have started sending out the pings of death.
Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2 systems running Microsoft’s IIS web server are affected. The component at fault is HTTP.sys, a kernel-level driver that forwards requests for webpages and the like to the user-space server software, and caches static files.
Tomi Engdahl says:
Google to support Chrome for Windows XP until the end of 2015
http://www.engadget.com/2015/04/17/google-chrome-windows-xp-support/
If you have no choice but to use an XP computer (workplace or school just can’t let go, huh?), at least load it with a third-party browser, like Chrome. Why? Google has decided to continue supporting Chrome for XP until the end of 2015, so you can keep the machine safe from browser-based attacks a bit longer. And yes, that means you’re getting all upcoming features and security patches.
Tomi Engdahl says:
Netflix’s house of cards to be fortified with HTTPS appliance
Crypto overheads could have cost video attic ‘hundreds of millions’ of dollars
http://www.theregister.co.uk/2015/04/17/netflix_house_of_cards_fortified_with_https/
Netflix will this year roll out HTTPS to keep customers’ viewing habits secret.
The streaming company’s April earnings letter (PDF) says it will make the move because it “helps protect member privacy, particularly when the network is insecure, such as public wifi, and it helps protect members from eavesdropping by their ISP or employer, who may want to record our members’ viewing for other reasons.”
Netflix regularly opens the kimono to reveal its engineering efforts, and explained just how it will do HTTPS in a post to the
“We now believe we can deploy HTTPS at a cost that, whilst significant, is well justified by the privacy returns for our users.”
Netflix has battled with the overheads HTTPS incurs; Watson estimated a capacity hit between 30 to 53 percent thanks to encryption computational overheads and a lack of optimisations to avoid data copies to and from user space.
Such a hit would cost Netflix potentially hundreds of millions of dollars a year.
Re: [EME] HTTPS performance experiments for large scale content distribution
https://lists.w3.org/Archives/Public/www-tag/2015Apr/0027.html
Tomi Engdahl says:
‘Right to be forgotten’ prompts more French privacy concerns
Fewer than 100 incidents actually reported to Google, however
http://www.theregister.co.uk/2015/04/17/right_to_be_forgotten_french_data_protection_google/
French data protection authority CNIL received 260 complaints last year related to the so-called ‘right to be forgotten’ ruling.
Tomi Engdahl says:
Match.com’s HTTP-only login page puts millions of passwords at risk
HTTPS error has been active for weeks, but few seem to have noticed.
http://arstechnica.com/security/2015/04/match-coms-http-only-login-page-puts-millions-of-passwords-at-risk/
Tens of millions of Match.com subscribers risk having their site password exposed each time they sign in because the dating site doesn’t use HTTPS encryption to protect its login page.
Amazingly, the page uses an unprotected HTTP connection to transmit the data, allowing anyone with a man-in-the-middle vantage point—say, someone on the same public network as a Match.com user, a rogue ISP or telecom employee, or a state-sponsored spy—to pilfer the credentials.
It’s unclear exactly how long the site has failed to encrypt user credentials.
Tomi Engdahl says:
Transparency thrust sees Met police buying up to 30,000 bodycams
Less police complaints, quicker convictions, say plods
http://www.theregister.co.uk/2015/04/17/met_police_to_start_buying_up_to_30000_body_cams/
The Metropolitan Police is to begin buying up to 30,000 body cameras, as part of its ambition to become “the most transparent police force in the world”, The Register has learned.
In the next couple of months, the Met will begin the process of procuring 10,000-30,000 cameras, he said. “Our ambition is to become the most transparent police in the world.”
The Met has just completed a trial of 1,000 body cameras.
Deakin said the Met has had a bad reputation for a perceived lack of transparency, but with the camera pilot, the number of police complaints has gone down. The use of bodycams also led to the conviction of one malicious complainant, he said.
Tomi Engdahl says:
Lack of secure protocol puts US whistleblowers at risk, says ACLU
Quick, implement a HTTPS-Only standard
http://www.theregister.co.uk/2015/04/17/no_https_on_at_least_29_us_gov_whistleblower_sites_aclu_complains/
Responding to the recent proposal for a “HTTPS-Only Standard”, the American Civil Liberties Union has stressed the value of a more thorough and timely implementation of functional transport encryption.
The non-profit organization noted that at least 29 US federal websites do not currently use HTTPS to protect sensitive information submitted through their online “hotlines”.
The US’ Chief Information Officer (CIO) has now proposed a HTTPS-Only Standard, which would require HTTPS transport encryption on all publicly accessible federal websites and web services.
The Obama-appointed CIO, Tony Scott, formerly of VMWare, has sent out a call for public comment.
ACLU has responded [PDF] by welcoming the new policy, as well as the office’s recognition that “the American people expect government websites to be secure and their interactions with those websites to be private”.
Tomi Engdahl says:
The new spam: interactive robo-calls from the cloud as cheap as e-mail
Cloud-based “outbound interactive voice response” is being embraced by telemarketers.
http://arstechnica.com/information-technology/2015/04/the-new-spam-interactive-robo-calls-from-the-cloud-as-cheap-as-e-mail/
Outbound IVR is the latest evolution of the robo-call—a telemarketing system that uses the technology of voice response systems we’ve used to navigate through the call queues of insurance agencies and banks and turns it around to make pitch calls. These calls can be on voice-over-Internet protocol (VoIP) lines or other connections that mask the source of the call. We’re getting used to talking to computers, thanks to voice response systems that act as the guardians of many organizations’ phone systems.
Because of the relatively low cost of some of these cloud-based IVR systems, fly-by-night telemarketers (and legitimate companies as well) can set up these script-driven pitch calls nearly as easily as they can send out spam e-mails, without having to own a call center or VoIP server of their own. And the IVR providers have new-found legal protection courtesy of a recent federal court ruling. CallFire was ruled to be a “common carrier” by the US District Court for the Western District of Washington, giving it the same protections against litigation that phone companies have when they deliver an unwanted call.
Scam telemarketers operate in a legal fringe, skirting things like do-not-call lists and call blocking by frequently changing numbers.
Developers can use CallFire’s application programming interface to build their own outbound IVR applications.
Tomi Engdahl says:
PayPal Wants You to Inject Your Username and Eat Your Password
http://blogs.wsj.com/digits/2015/04/17/paypal-wants-you-to-inject-your-username-and-eat-your-password/
Biometric identification systems, like fingerprints and eye scans, are old hat. Try this on –or in– for size: a PayPal executive who works with engineers and developers to find and test new technologies, now says that embeddable, injectable, and ingestible devices are the next wave in identification for mobile payments and other sensitive online interactions.
In a presentation called Kill all Passwords that he’s recently started giving at various tech conferences in the U.S. and Europe, PayPal’s global head of developer evangelism Jonathan Leblanc argued that technology has taken a huge leap forward to “true integration with the human body.”
Leblanc said that identification of people will shift from “antiquated” external body methods like fingerprints, toward internal body functions like heartbeat and vein recognition, where embedded and ingestible devices will allow “natural body identification.”
These devices include brain implants and attachable computers, which “put users in charge of their own security,” he said. Ingestible devices could be powered by stomach acid, which will run their batteries, he added.
Tomi Engdahl says:
Exploit for crashing Minecraft servers made public
Posted on 17 April 2015.
http://www.net-security.org/secworld.php?id=18235
After nearly two years of waiting for Mojang to fix a security vulnerability that can be used to crash Minecraft servers, programmer Ammar Askar has released a proof of concept exploit for the flaw in the hopes that this will force them to do something about it.
Tomi Engdahl says:
Eduard Kovacs / SecurityWeek:
Recently patched Windows flaw seen exploited in the wild for DDoS attacks; web servers of 70M sites at risk
http://www.securityweek.com/recently-patched-windows-flaw-exploited-wild-dos-attacks
SANS Institute researchers advise system administrators to update their Windows operating systems as soon as possible because one of the critical vulnerabilities patched by Microsoft earlier this week is being exploited in the wild.
The vulnerability in question, CVE-2015-1635 or MS15-034, plagues the HTTP protocol stack (HTTP.sys). The component is used in Internet Information Services (IIS) versions found in Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2.
Rated “critical” by Microsoft, the security hole can be exploited by sending specially crafted HTTP requests to an affected system. According to Microsoft, the flaw can be exploited for remote code execution.
While so far no one appears to have been able to develop an exploit for remote code execution, a denial-of-service (DoS) exploit was made publicly available.
Tomi Engdahl says:
Anthony Ha / TechCrunch:
Google Says “Vast Majority” Of Ads On Its Platforms Will Be Encrypted By June 30 — Google has been gradually moving all of its online services to HTTPS encryption — you may even remember the excitement wayyyy back in 2008, when Gmail switched to HTTPS.
Google Says “Vast Majority” Of Ads On Its Platforms Will Be Encrypted By June 30
http://techcrunch.com/2015/04/17/google-ads-https/
Tomi Engdahl says:
Google has an ingenious way to find your lost phone
http://uk.businessinsider.com/google-find-my-phone-android-search-map-call-update-2015-4
Google has a new way to find your lost phone, and it’s so on-brand: Just Google it.
Just head over to Google and search “find my phone.”
Tomi Engdahl says:
Washington Post:
ACLU: at least 28 inspector general websites for whistleblower reports and the State Department terrorist tip site do not use HTTPS
Why confidential tips to the government may not be confidential after all
http://www.washingtonpost.com/blogs/the-switch/wp/2015/04/16/why-confidential-tips-to-the-government-may-not-be-confidential-after-all/
Got a hot tip about federal waste, fraud or corruption? You should think twice about using the government’s own online systems for collecting such complaints.
Many of them promise confidentiality but for years have sent sensitive data – including names, addresses and phone numbers of whistleblowers, as well as the details of their allegations – across the Internet in a way that could be intercepted by hackers or snoops. Or, perhaps worse still, by the agencies named in the complaints.
Twenty-nine of these sites, set up by inspectors generals who in many cases are required by federal law to protect the identities of whistleblowers, do not use encryption technology that has become a standard privacy protection across much of the Internet, according to a review by the ACLU. A State Department site offering up to $10 million rewards for terrorism tips has the same weakness, exposing the identities of tipsters to a range of potentially interested parties, including operators of cyber cafes or government spies in the countries where the tipsters live.
A new initiative from the federal chief information officer, Tony Scott, is pushing for encryption of all federal government Web sites within two years.
Sites that are secure start with the letters “https,” rather than “http.” Most browsers also display an icon, such as a lock, to signal that the connection is secure.
“Really what’s happened is Edward Snowden,” said Waldo Jaquith, director of U.S. Open Data Institute, a nonprofit group pushing for better government data practices. “A new norm really has come along in the last year.”
The amount of warning about the privacy risks of using such sites varies widely.
Strict confidentiality is impossible if the information is transmitted over the Internet without encryption, experts say. Anyone with access to the Web site’s data as it flows across cyberspace – including wifi providers such as a coffee shop or hotel, or system administrators overseeing a company, government agency or university computer system – can view all unencrypted data easily. Many governments also routinely monitor Internet flows within their countries.
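Both the Match.com login page and the inspector-general tip sites above fail in the same way: a form that carries credentials or a confidential report is served, or submits, over plain HTTP. The check below is an added example (not code from either article) that parses a page and reports such forms; the pages and hostnames it scans are constructed for the demonstration.

```python
"""Flag HTML forms that would send sensitive fields over plain HTTP.

Added example; the sample pages and hosts below are constructed."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class FormCollector(HTMLParser):
    """Collect each <form> together with its action and the field kinds it holds."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "fields": set()}
            self.forms.append(self._current)
        elif self._current is not None and tag == "input":
            self._current["fields"].add((a.get("type") or "text").lower())
        elif self._current is not None and tag == "textarea":
            self._current["fields"].add("textarea")  # free-text report / tip

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def insecure_forms(page_url, html, sensitive=("password", "textarea")):
    """Return submit URLs of forms with sensitive fields that are exposed to
    interception: either the page itself or the form target is not https.
    An empty action submits back to page_url."""
    parser = FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        if not form["fields"].intersection(sensitive):
            continue
        target = urljoin(page_url, form["action"]) if form["action"] else page_url
        if urlparse(page_url).scheme != "https" or urlparse(target).scheme != "https":
            findings.append(target)
    return findings


# Constructed sample pages.
LOGIN_PAGE = ('<form action="/login" method="post">'
              '<input type="text" name="user"><input type="password" name="pw"></form>')
TIP_PAGE = ('<form action="https://oig.example.gov/submit" method="post">'
            '<input type="text" name="name"><textarea name="complaint"></textarea></form>')
MIXED_PAGE = TIP_PAGE.replace("https://oig.example.gov/submit", "http://oig.example.gov/submit")

if __name__ == "__main__":
    print(insecure_forms("http://www.example.com/", LOGIN_PAGE))
    print(insecure_forms("https://oig.example.gov/hotline", TIP_PAGE))
    print(insecure_forms("https://oig.example.gov/hotline", MIXED_PAGE))
```

A page fetched over HTTP is flagged even when its form action is https, because an on-path attacker can rewrite the page before the browser sees the form.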
Tomi Engdahl says:
Nasty JPG pops corporate locks
Bad validation leads to total pwnage, hacker shows
http://www.theregister.co.uk/2015/04/20/nasty_jpg_pops_corporate_locks/
Penetration tester Marcus Murray says attackers can use malicious JPEGs to pop modern Windows servers, to gain expanded privileges over networks.
In a live hack set down for RSA San Francisco this week, the TrueSec boffin shows how he used the hack to access an unnamed US Government agency that ran a buggy photo upload portal.
A key part of the stunt is achieved by inserting active content into the attributes of a jpg image, such that the file name read image.jpg.aspx. “I’m going to try to compromise the web server, then go for back end resources, and ultimately compromise a domain controller,” Murray said, adding the hack is not that difficult.
“Even in mixed environments, when you own the domain controller you usually own the entire infrastructure of that company, and that is true because when they have Linux servers you usually use Windows clients to connect to them.
“From this point (compromising the domain controller) we can do anything; we can upload domain admin tools, and manage it like it was our own.”
Some upload portals are so weak, he says, that malicious dynamic content will be accepted merely because it carries a .jpg extension.
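The weakness described above is an upload handler that trusts the client-supplied file name, so image.jpg.aspx passes as an image. The validator below is an added example (not code from the article or from TrueSec) of the server-side checks that close that hole: a single allow-listed extension, a content check against the image format’s magic bytes, and a server-generated name so the client’s file name never reaches disk. The sample file names and byte strings are constructed.

```python
"""Server-side validation for an image upload portal.

Added example; sample inputs are constructed. Uploaded bytes are expected as `bytes`."""
import os
import secrets

# Allowed extensions and the leading bytes each format must start with.
ALLOWED_MAGIC = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}


def check_upload(filename, data):
    """Return (accepted, reason_or_ext).

    Rejects path components, double extensions such as image.jpg.aspx,
    extensions outside the allow list, and content whose magic bytes do not
    match the claimed type. The magic check is a sanity check, not a full
    decode; pair it with storage outside any script-handler directory."""
    base = os.path.basename(filename.replace("\\", "/"))  # strip any path part
    parts = base.lower().split(".")
    if len(parts) != 2 or not parts[0]:
        return False, "file name must be name.ext with exactly one extension"
    ext = parts[1]
    if ext not in ALLOWED_MAGIC:
        return False, f"extension .{ext} not allowed"
    if not data.startswith(ALLOWED_MAGIC[ext]):
        return False, "content does not match the claimed image type"
    return True, ext


def stored_name(ext):
    """Random server-chosen name; the client's name is never used on disk."""
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    jpeg_head = b"\xff\xd8\xff\xe0" + b"\x00" * 16
    for name, content in [("photo.jpg", jpeg_head),
                          ("image.jpg.aspx", jpeg_head + b"<%@ Page %>"),
                          ("shell.aspx", b"<%@ Page %>"),
                          ("photo.jpg", b"<%@ Page Language=\"C#\" %>")]:
        print(name, check_upload(name, content))
```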