Security trends for 2015

Year 2014 is coming to an end, so it is time to look forward to what to expect from year 2015 in cyber security.

Cyber security will get harder year by year. Year 2014 was much worse than 2013. The Heartbleed, Bash, and POODLE vulnerabilities were just the beginning of what to expect in 2015. I expect that year 2014 was easy compared to what year 2015 will be. 2015 will prove to be a challenging year for IT security professionals. Attacks can happen anywhere and anytime, and they don’t have to be major attacks by nation states. They could come from inside or outside.

According to Gartner and SecurityWeek, total information security spending will grow a further 8.2 percent in 2015 to reach $76.9 billion. Unfortunately, security investments are not keeping up with IT enhancements that are continuously widening our attack surface and making systems more vulnerable. As computer software has become the backbone of modern civilization, “hacktivists”, organized cyber criminals, state-sponsored cyber attackers, and terrorist organizations try to exploit design flaws and weaknesses in applications in order to embarrass corporations and government agencies, and to commit fraud.

Despite the high profile CryptoLocker takedown, ransomware scams remain an all-too-real threat. Crooks are developing more sophisticated encryption schemes to support their fraud.

The steady flow of software security issues will keep making headlines in 2015. Serious security flaws will be found in both open source and proprietary software.

Many people are looking for a good process to develop secure software, because after-the-fact band-aiding is not a sustainable approach. If the same methods continue to be used to develop software, with tests added retrospectively, there will only be a very modest reduction in the flow of problems. Processes for developing reliable and secure networking software exist, but they have yet to be broadly applied. Traditional methods used to develop software continue to result in high failure rates. Why create insecure security?

Year 2014 was a year of cybersecurity news following the NSA revelations made in 2013. There were lots of articles related to the published material. Not everything has yet been published, so I would expect new details of the NSA revelations to be published in 2015 as well. I also expect new information leaks on how governmental security organizations spy on us all.

It seems like year 2014 has almost been “The Year of PoS Breaches.” Can we learn from big breaches? At least companies will also face more stringent regulations: the new Payment Card Industry Data Security Standard 3.0 (PCI 3.0) will be mandatory for all businesses that store, process or transmit payment card information beginning 1 January 2015. The revamped standard includes requirements aimed at third party providers. The changes follow a string of high profile breaches. I expect that those new requirements will not result in any quick change to the situation. As more and more breach reports keep coming up, consumers are officially starting to get breach fatigue, and banks are bringing breached companies to court to pay for the damages caused to them.

Public and private organizations are facing an increasing frequency and sophistication of cyber-attacks and security breaches, many of which are only discovered after the fact. McAfee Labs’ 2015 Threats Predictions report is an eye-opening read which forecasts increased levels of crime, espionage and warfare operations. Cybercriminals are expected to use more sophisticated methods to remain hidden on a victim’s network, carrying out long-term theft of data without detection.

The article Get Ready For The Hack Attack That Drives A Big Company Out Of Business predicts that 2015 will be the year that some company goes out of business because it didn’t plan adequately for an attack. In the past, the most sophisticated hacks against companies were carried out by big nation-states or criminal organizations. In year 2014 the Sony Pictures hack happened and showed that the motives of sophisticated hackers have changed from self-gain to destruction. Many company officers are only now becoming aware of the threat (boards of directors and C-level officers have traditionally been focused on other threats). A computerized attack can cause a lot of damage to a well prepared company, and can turn a not so well prepared company into a complete disaster it can’t recover from. The Sony attack opens new doors of risk in the area of corporate extortion.

As the Internet of Things becomes more and more used, it will be hacked more and more. Thus the security of the Internet of Things will be talked about more and more. IoT is one field where cyber security flaws can kill. The European Police Office (Europol) said governments are ill-equipped to counter the menace of “injury and possible deaths” spurred by hacking attacks on critical safety equipment. There are many potential dangers in transportation: many new cars are Internet connected and potentially vulnerable, SCADA systems in railways are vulnerable to attack, and airline bosses ignore cyber security concerns at their peril. Whether it is an unintentional cyber incident or a deliberate attack, security continues to be a vital part of the automation industry and it will remain, with safety, a growing area of concern for manufacturers in the coming years. Security awareness is on the rise throughout the industry. Security is becoming a business enabler that can provide manufacturers more than just an insurance policy.

Soon, almost every network will have IoT hacking in it. IDC predicts that within two years 90 per cent of global IT networks will have experienced IoT data theft. In a report, cybersecurity firm Fortinet expects greater threats from “denial of service attacks on assembly line, factory, industrial control systems, and healthcare and building management…resulting in revenue losses and reputation damages for organizations globally.” This opens new doors of risk in the areas of corporate extortion, altering of corporate business operations, and the extension of cyberattacks to include physical threats of harm to civilians.

Cyber warfare is becoming more and more attractive to small nations and terrorist groups. Enabled by Internet connectivity, cyber war provides more bang for the buck than investment in conventional weapons. It is cheaper for and far more accessible to these small nation-states than conventional weapons. It allows these countries to pull off attacks with less risk of getting caught and with fewer repercussions when they are caught. There are many reasons why a nation-state or non-nation entity would pursue a cyber war program, and today many countries large and small invest in cyber warfare. Recent cyber attacks suggest that fewer resources are required to wage an attack than to defend against one. As the whole world gets connected, it provides the details that make these attacks possible. In the not-too-distant future, warfare with traditional weaponry may take a backseat to potentially more destructive tactics: computer code attacking the companies and infrastructures, including electric grids and oil and gas pipelines, that society relies on.

It was estimated that the first online murder would happen in 2014. It did not seem to happen in 2014 as far as I know. I think it is likely that an online murder can happen in 2015. There are tools available for this to happen. Cyber-murder can happen without us knowing about it.

Mobile devices will be one of the focal points for cyber-attackers in 2015, as they present relatively easy, low-risk points of entry that can be monitored remotely for passwords, account numbers, and personal identification data. Sure, it is still relatively easy to publish malicious applications in application stores. Within the next year advanced mobile exploit kits will become available.

Mobile devices will start to play a part in denial of service attacks. Vietnam, India and Indonesia will be the distributed denial of service volcanoes of next year due to the proliferation of pwned mobiles.

Year 2014 brought encryption to mainstream smart phones (new encryption features from Apple Inc. and Google Inc). In year 2015 government organizations will try to tackle a very modern problem: password-protected encrypted cellphones. It will be a fight over surveillance as everyone starts to implement encryption.

Long predicted but always seeming to be “just around the corner,” mobile payments may finally have arrived. The coming mobile payment revolution, the underlying technologies, and alternative solutions have been emerging for some time. Technologies playing a supporting role in this shift include encryption advances, digital currencies, biometrics, NFC, Bluetooth, QR codes, and even the use of sound wave data transfer. There will also be products marketed to prevent the different kinds of potential threats the new technologies can cause.

There is a never-ending battle between good and evil in the cyber world. Various types of attacks are successful because they are well-disguised, blend different techniques, and constantly evolve. You need Layered Security – It’s Not Just for Networks. Use a layered security architecture that supports a combination of defenses in ways attackers don’t expect and that continuously evolves protections to keep up with dynamic attacks. Traditionally these approaches have been focused on the network, but they can and should be applied to other parts of the IT system as well (start from email gateways). Email is the preferred channel for business communications and thus continues to be a vector of choice for attackers.

Threat Information Sharing Will Become Necessary for Survival. Security controls (SANS critical controls, ISO/IEC 27002, NIST Cybersecurity Framework, and the Cloud Controls Matrix) are safeguards that counteract or minimize security risks relating to digital property. The more you can automate a control, the better off you will be. Moving towards an adaptive and automated way of applying intelligence based on behavior and heuristics is clearly a step in the right direction to enable a more actionable and relevant set of controls. Threat intelligence coming from a variety of sources (security companies, the government and the open source community) is needed. Key to success is publishing intelligence in a variety of data structures (STIX, TAXII and other standard industry formats) to best describe threats in a way that can be aggregated and understood by others.

More and more organizations are moving applications and data to IaaS/PaaS environments. Many enterprise IT departments have reason for concern: industry experts agree that moving sensitive data into the hands of third-party cloud providers expands and complicates the risk landscape in which companies operate every day. You need to understand cloud database security basics and more.

Today major players are embracing end-to-end encryption, so that about 50% of web traffic is carried by HTTPS. HTTPS-everywhere will get a boost in 2015, as a new certificate authority backed by big names on the internet, including Mozilla, Cisco and Akamai, plans to offer SSL certs at no charge starting in summer 2015. This move will make it even easier for people to run encrypted, secure HTTPS websites.

Google is proposing to warn people that their data is at risk every time they visit websites that do not use the “HTTPS” system. If implemented, the change would mean that a warning would pop up when people visited a site that used only HTTP, to notify them that such a connection “provides no data security”. In the short term, the biggest headache is likely to be faced by website operators, who will feel forced to migrate unencrypted HTTP websites to encrypted HTTPS.

You can’t trust that normal web security technologies will guarantee safety. Your HTTPS security will be manipulated more than before. End-to-end HTTPS is generally a good security addition for end users, but it does not solve all the problems. The increased use of HTTPS has made the life of IT departments harder, because normal firewalls can’t look at what is inside encrypted HTTPS packets, so they can’t block potential security threats that are carried within HTTPS packets. There are some special corporate firewall arrangements that can intercept HTTPS traffic (they do a kind of man-in-the-middle attack that decrypts and re-encrypts the packets on the way). So SSL communications can be intercepted and broken.


3,110 Comments

  1. Tomi Engdahl says:

    Your city’s not smart if it’s vulnerable says hacker
    Major vendors block hackers from testing insecure IoT kit
    http://www.theregister.co.uk/2015/04/20/smart_city_vendors_blasted_for_dumb_security/

    “Real world hacker” Cesar Cerrudo has blasted vendors, saying they’re stopping security researchers from testing smart city systems, and as a result they’re being sold with dangerous unchecked vulnerabilities.

    The warning will be detailed at RSA San Francisco this week, and comes a year after the IOActive chief technology officer found some 200,000 vulnerable traffic control sensors active in cities like Washington DC, London, and Melbourne.

    Vendors don’t want their kit tested, Cerrudo said, although there are now 25 major cities across the world taking the lead in deployment, such as New York, Berlin, and Sydney.

    In An Emerging US (and World) Threat: Cities Wide Open to Cyber Attacks (pdf), the hacker warns that attack surfaces in smart city technology are plentiful given its complexity and integration with legacy systems, and says the woeful security shortfalls with internet-of-things devices are creeping into city tech.

    “In our research at IOActive Labs, we constantly find very vulnerable technology being used … for critical infrastructure without any security testing,” Cerrudo says.

    “Technology vendors impede security research: New systems and devices used by smart cities are difficult to acquire by the security research community – most are expensive and are usually only sold to governments or specific companies, making it difficult for systems to be rigorously tested.”

    He added that “a simple problem can have a large impact due to interdependencies and associated chain reactions [which] highlights the need for threat modelling.”

    Reply
  2. Tomi Engdahl says:

    Drupageddon: SQL Injection, Database Abstraction and Hundreds of Thousands of Web Sites
    http://www.linuxjournal.com/content/drupageddon-sql-injection-database-abstraction-and-hundreds-thousands-web-sites

    Drupal is a very widely used open-source content management system. It initially was released in 2001, and recent statistics show Drupal as the third-most popular content management system, with just less than 800,000 Web sites utilizing Drupal as a content management system.

    Due to vulnerabilities in the database abstraction layer introduced in version 7 of Drupal, Drupal 7 prior to version 7.32 was vulnerable to an SQL injection attack.

    Reply
  3. Tomi Engdahl says:

    DIA Polygraph Countermeasure Case Files Leaked
    http://science.slashdot.org/story/15/04/19/1423208/dia-polygraph-countermeasure-case-files-leaked

    AntiPolygraph.org (of which I am a co-founder) has published a set of leaked Defense Intelligence Agency polygraph countermeasure case files along with a case-by-case analysis. The case files, which include polygraph charts and the exact questions used, suggest that the only people being “caught” trying to beat the polygraph are those using crude, unsophisticated methods that anyone who actually understood polygraph procedure and effective countermeasures (like, say, a real spy, saboteur, or terrorist) would ever use.

    Leaked Documents Point to DIA’s Inability to Detect Sophisticated Polygraph Countermeasures
    https://antipolygraph.org/blog/2015/04/18/leaked-documents-point-to-dias-inability-to-detect-sophisticated-polygraph-countermeasures/

    Reply
  4. Tomi Engdahl says:

    Chrome 43 Should Help Batten Down HTTPS Sites
    http://it.slashdot.org/story/15/04/19/2028217/chrome-43-should-help-batten-down-https-sites

    The next version of Chrome, Chrome 43, promises to take out some of the work website owners — such as news publishers — would have to do if they were to enable HTTPS. The feature might be helpful for publishers migrating legacy HTTP web content to HTTPS when that old content can’t be modified or is difficult to modify. The issue crops up when a new HTTPS page includes a resource, like an image, from an HTTP URL. That insecure resource will cause Chrome to flag a ‘mixed-content warning’ in the form of a yellow triangle over the padlock.

    Chrome 43 will help batten down HTTPS sites
    http://www.cso.com.au/article/572869/chrome-43-will-help-batten-down-https-sites/

    In the example Google provides at googlechrome.github.io, clicking on the icon in Chrome 42 and below will deliver the explanation: “Your connection to googlechrome.github.io is encrypted with modern cryptography. However, this page includes other resources which are not secure. These resources can be viewed by others while in transit, and can be modified by an attacker to change the look of the page.”

    If the same site was accessed in Chrome 43 — which is beta now but should be stable in May — the warning should vanish thanks to a browser Content Security Policy directive known as Upgrade Insecure Resources. The directive “causes Chrome to upgrade insecure resource requests to HTTPS before fetching them”, Google explained today.

    “This change allows developers to serve their hard-to-update legacy content via HTTPS more easily, improving security for their users,” it added.

    Reply
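To show what the directive described in the comment above changes for a legacy page, here is an added example (not code from the article, Google or Chromium) that models how a browser treats an HTTPS page's subresources with and without the CSP token upgrade-insecure-requests. The page URL, resource list and the active/passive mixed-content split are constructed for illustration.

```javascript
// Added example (not from the article, Google or Chromium): models how an
// HTTPS page's subresource requests are treated by a browser with and without
// the Content-Security-Policy directive upgrade-insecure-requests.
// Assumes Node.js (global WHATWG URL); all sample data below is constructed.

// Parse a CSP header value into a Map of directive name -> token array.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    policy.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return policy;
}

// Upgrade rule from the W3C spec: http -> https and ws -> wss. The URL
// parser already drops an explicit :80 on http, so the result uses 443.
function upgradeUrl(resourceUrl) {
  const u = new URL(resourceUrl);
  if (u.protocol === 'http:') u.protocol = 'https:';
  else if (u.protocol === 'ws:') u.protocol = 'wss:';
  return u.href;
}

// Simplified mixed-content classes: active content is blocked outright,
// passive content loads but degrades the padlock to a warning.
const ACTIVE = new Set(['script', 'stylesheet', 'iframe', 'xhr']);

// Decide what happens to one resource request made from pageUrl.
function evaluateRequest(pageUrl, resource, cspHeader) {
  const page = new URL(pageUrl);
  const policy = parseCsp(cspHeader || '');
  let target = new URL(resource.url, page); // resolves relative URLs
  let action = 'fetch';
  if (policy.has('upgrade-insecure-requests')) {
    const upgraded = upgradeUrl(target.href);
    if (upgraded !== target.href) action = 'upgraded';
    target = new URL(upgraded);
  }
  // Only an HTTPS document can have mixed content.
  if (page.protocol === 'https:' && target.protocol === 'http:') {
    action = ACTIVE.has(resource.type) ? 'blocked' : 'mixed-content-warning';
  }
  return { type: resource.type, url: target.href, action };
}

// Evaluate every resource and summarise the effect on the padlock.
function evaluatePage(pageUrl, resources, cspHeader) {
  const results = resources.map((r) => evaluateRequest(pageUrl, r, cspHeader));
  const warnings = results.filter((r) => r.action === 'mixed-content-warning').length;
  const blocked = results.filter((r) => r.action === 'blocked').length;
  return { results, warnings, blocked, padlockWarning: warnings > 0 };
}

// Constructed sample: a legacy article served over HTTPS whose markup still
// points at http:// resources (the situation the Chrome 43 change targets).
const SAMPLE_PAGE = 'https://news.example/article/2015/04/legacy';
const SAMPLE_RESOURCES = [
  { type: 'image', url: 'http://cdn.example/photo.jpg' },
  { type: 'script', url: 'http://news.example/js/legacy.js' },
  { type: 'stylesheet', url: 'https://news.example/css/site.css' },
  { type: 'image', url: '/img/logo.png' },
];
const SAMPLE_CSP = "default-src 'self'; upgrade-insecure-requests";

// Compare the same page without and with the directive.
function demo() {
  return {
    before: evaluatePage(SAMPLE_PAGE, SAMPLE_RESOURCES, ''),
    after: evaluatePage(SAMPLE_PAGE, SAMPLE_RESOURCES, SAMPLE_CSP),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Without the directive the page shows one passive warning (the image) and one blocked script; with it, both requests are rewritten to https:// before being fetched and the padlock warning disappears.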
  5. Tomi Engdahl says:

    Science can now spot trolls after just five horrible, malicious comments
    http://qz.com/386694/science-can-now-spot-trolls-after-just-five-horrible-malicious-comments/

    People aren’t very nice to each other online. Everyone has read a comment thread and been annoyed at the vicious remarks, or witnessed a flame war under a YouTube video. Many online communities now have moderators, and they aim to ban trolls—those people who just can’t stay civil.

    But can you identify trolls before they ruin a community? Researchers from Stanford and Cornell think they can (pdf), after analyzing 18 months worth of Disqus threads from the news site CNN, the right-wing political site Breitbart, and the gaming site IGN. That amounted to 1.7 million users, almost 40 million comments, and 100 million up- or down-votes on those comments.

    Antisocial Behavior in Online Discussion Communities
    http://arxiv.org/pdf/1504.00680v1.pdf

    Reply
  6. Tomi Engdahl says:

    Keeping Your Car Safe From Electronic Thieves
    http://www.nytimes.com/2015/04/16/style/keeping-your-car-safe-from-electronic-thieves.html?_r=1

    Let me explain: In recent months, there has been a slew of mysterious car break-ins in my Los Feliz neighborhood in Los Angeles. What’s odd is that there have been no signs of forced entry. There are no pools of broken glass on the pavement and no scratches on the doors from jimmied locks.

    But these break-ins seem to happen only to cars that use remote keyless systems, which replace traditional keys with wireless fobs.

    I watched as the girl, who was dressed in a baggy T-shirt and jeans, hopped off her bike and pulled out a small black device from her backpack. She then reached down, opened the door and climbed into my car.

    When the police arrived, they didn’t have much of an answer.

    I called Toyota, but they didn’t know, either (or at least the public relations employee didn’t know).

    The Toronto Police Service issued a news release last Thursday warning that thieves “may have access to electronic devices which can compromise” a vehicle’s security system. But the police did not specify what that “device” actually was.

    Thieves have been breaking into and stealing cars with the help of electronic gadgets for several years now. Jalopnik, the car blog, has written about a “secret device”used to unlock cars. And dozens of other websites have told stories about burglars hacking into cars.

    A more likely answer came from the National Insurance Crime Bureau, a trade group for auto insurers and lenders, which issued a warning last month about a “mystery device” that can emulate a key. In one YouTube video, the group compiled surveillance footage that showed thieves using the gadget to open doors with ease.

    When I told him my story, he knew immediately what had happened. The teenagers, he said, likely got into the car using a relatively simple and inexpensive device called a “power amplifier.”

    You can buy these devices anywhere for under $100.”

    What’s The Secret Device Thieves In California Are Using To Break Into Cars?
    http://jalopnik.com/whats-the-secret-device-thieves-in-california-are-using-471782175

    Back before the sophisticated car security systems, the “devices” often used to steal cars had the incredible hidden abilities to also hang clothes safely off the floor or drive nails into innocent sheets of plywood. Modern car thieves have been spotted with a new generation of devices that seem to be able to unlock many cars instantly by simply being held against the vehicle.

    Based on what’s happening, I think we can do some speculating. I think it’s safe to say the device is an RF transmitter operating in the 300-400 Mhz range, and using a brute-force method to send the remote-entry codes to the car. I’m guessing the reason for the direct contact with the car is because the device has a very low-power transmitter

    Got a BMW? Thicko thieves can EASILY NICK IT with $30 box
    Your flash motor – gone in 180 seconds
    http://www.theregister.co.uk/2012/09/17/bmw_car_theft_hack/

    BMWs and other high-end cars are being stolen by unskilled criminals using a $30 tool developed by hackers to pwn the onboard security systems. The new tool is capable of reprogramming a blank key, and allows non-techie car thieves to steal a vehicle within two or three minutes or less.

    On-board diagnostics (OBD) bypass tools are being shipped from China and Eastern Europe in kit form with instructions and blank keys

    Would-be car thieves need to grab the transmission between a valid key fob and a car before reprogramming a blank key, which can then be used to either open the car or start it, via the OBD system.

    “Crooks only need to monitor a person using the key or interrogate the key fob to get enough information to decipher the key,”

    Weak cryptography combined with a security-through-obscurity approach in the OBD specification allows the tactic to succeed.

    The German car giant added that the issue was not limited to BMW, and promised to help mitigate the attack, in a statement published last Wednesday.

    BMW prides itself on its vehicle security systems and all BMWs meet all UK and global security standards. Our engineers and technicians review all aspects of our vehicles constantly, including security systems.

    Fraud Files: The Mystery Device
    https://www.youtube.com/watch?v=oqYJi6DV21A

    It’s a growing trend lately and it has many law enforcement agencies scratching their heads. Thieves are using high-tech electronic devices to break through the keyless-entry systems that lock up modern cars.

    Reply
  7. Tomi Engdahl says:

    Hacked uni’s admins hand ID theft prevention reward to data burglars
    http://www.theregister.co.uk/2015/04/01/uni_admins_hand_reward_to_data_burglars/

    An Illinois university’s sysadmins have seemingly handed data burglars a year-long subscription to LifeLock, an identity alert and credit monitoring system, following a data breach at the US institution which left thousands vulnerable to identity theft.

    With the best of intentions, Bradley University reacted to being hacked by informing its employees that they, and members of their family, may have had “personally identifiable information, including Social Security Numbers (SSN), compromised as a result of a breach of system data security”.

    The private institution then attempted to mitigate the fallout from a data breach by offering a free LifeLock subscription to those whose information may have been compromised.

    Should the criminals manage to use the identity protection system (intended to detect fraudulent applications) to manage the proceeds of heists, it could net them stalker privileges or even allow full-on identity theft.

    LifeLock, intends to protect against identity theft by providing “enrolled” users with alerts whenever their registered details, such as SSNs, are used for credit reports.

    LifeLock was fined $12m in 2010 by the Federal Trade Commission, which forced the company to refund almost 960,000 customers over allegedly false claims that it made.

    Reply
  8. Tomi Engdahl says:

    Now TV and BT Sport viewers scuppered by Google’s Silverlight snub
    Broadcasters advise to ‘ditch Chrome’ in favour of Firefox
    http://www.theinquirer.net/inquirer/news/2383624/google-will-kill-microsoft-silverlight-in-chrome-by-disabling-npapi-plug-in

    STREAMING SERVICES including BT Sport and Now TV have gone to borksville as Google presses ahead with plans to kill off support for Microsoft Silverlight in its Chrome browser.

    The Microsoft runtime depends on an ageing plug-in protocol called Netscape Plugin Application Programming Interface (NPAPI), which Google is currently phasing out support for in its browser.

    However, Silverlight remains popular with broadcasters due to its level of encryption, and although the news has been around since November, many are sticking to their guns instead of migrating to HTML5.

    “With each step in this transition, we get closer to a safer, more mobile-friendly web,” said Justin Schuh, software engineer and plug-in retirement planner at Google.

    Reply
  9. Tomi Engdahl says:

    Anonymous unleashes online petition against US info-sharing bills
    CISA and CISPA bills ‘undermine the Fourth Amendment’
    http://www.theregister.co.uk/2015/04/20/anonymous_operation_cispa_cisa_us/

    Activist and hacktivist collective Anonymous has launched an online awareness-raising operation opposing pending controversial US information-sharing bills.

    Critics from across the political spectrum, including libertarian-minded technologist Robert Graham, argue that the Cybersecurity Information Sharing Act sacrifices privacy without improving security.

    Anonymous goes further still in arguing that the measures threaten Fourth Amendment protections against unwarranted searches and seizures, hence their decision to launch #OperationCISPA.

    “The CISA and CISPA bills directly attack the Fourth Amendment by letting the NSA monitor your private information without a warrant,” a member of the group told El Reg.

    Reply
  10. Tomi Engdahl says:

    Light the torches! NSA’s BFF Senator Feinstein calls for e-book burning
    DiFi wants Anarchist Cookbook, Al Qaeda mag scrubbed from the internet
    http://www.theregister.co.uk/2015/04/02/sen_feinstein_calls_for_digital_book_banning/

    Senator Dianne Feinstein is calling for a pair of controversial instructionals to be banned from the internet.

    Feinstein (D-CA) did not say exactly how she plans to scrub The Anarchist Cookbook and Inspire magazine from every server, desktop and notebook on the planet, but none the less she wants both titles pulled from circulation.

    The comments come after two women were arrested in New York City on charges of plotting terrorist attacks.

    Difficult as it may be to have a book permanently “removed” from the internet, Feinstein shares the opinion of at least one prominent figure: the author of the Anarchist Cookbook. William Powell now says that the book should be taken out of circulation, calling its underlying premise “profoundly flawed.”

    Reply
  11. Tomi Engdahl says:

    Operation RussianDoll: Adobe & Windows Zero-Day Exploits Likely Leveraged by Russia’s APT28 in Highly-Targeted Attack
    https://www.fireeye.com/blog/threat-research/2015/04/probable_apt28_useo.html

    FireEye Labs recently detected a limited APT campaign exploiting zero-day vulnerabilities in Adobe Flash and a brand-new one in Microsoft Windows. Using the Dynamic Threat Intelligence Cloud (DTI), FireEye researchers detected a pattern of attacks beginning on April 13th, 2015. Adobe independently patched the vulnerability (CVE-2015-3043) in APSB15-06. Through correlation of technical indicators and command and control infrastructure, FireEye assess that APT28 is probably responsible for this activity.

    Microsoft is aware of the outstanding local privilege escalation vulnerability in Windows (CVE-2015-1701). While there is not yet a patch available for the Windows vulnerability, updating Adobe Flash to the latest version will render this in-the-wild exploit innocuous. We have only seen CVE-2015-1701 in use in conjunction with the Adobe Flash exploit for CVE-2015-3043. The Microsoft Security Team is working on a fix for CVE-2015-1701.

    Exploit Overview

    The high level flow of the exploit is as follows:

    1. User clicks link to attacker controlled website
    2. HTML/JS launcher page serves Flash exploit
    3. Flash exploit triggers CVE-2015-3043, executes shellcode
    4. Shellcode downloads and runs executable payload
    5. Executable payload exploits local privilege escalation (CVE-2015-1701) to steal System token

    The Flash exploit is served from unobfuscated HTML/JS. The launcher page picks one of two Flash files to deliver depending upon the target’s platform (Windows 32 versus 64bits).

    Reply
  12. Tomi Engdahl says:

    Jon Southurst / CoinDesk:
    Report: most or all of Mt. Gox’s missing bitcoins stolen between early 2011 and May 2013, long before the exchange collapsed in February 2014 —

    Most Mt Gox Bitcoins Were Gone by May 2013, Report Claims
    http://www.coindesk.com/most-mt-gox-bitcoins-were-gone-by-may-2013-report-claims/

    Mt Gox’s missing bitcoins were stolen from the exchange over a period of time beginning in 2011, according to a new report released today by a group investigating its collapse.

    They were gone long before the company’s collapse in February 2014, the report said. Gox had therefore been operating on a fractional reserve basis for most of that time, either knowingly or unknowingly.

    Reply
  13. Tomi Engdahl says:

    Wink smart home hubs knocked out by security certificate (update)
    http://www.engadget.com/2015/04/19/wink-home-automation-hub-bricked/

    Now for the downside of a house loaded up with “smart” devices to allow remote control and monitoring: turning your home into a computer means computer-like problems.

    Update: We’ve confirmed what several Wink users have reported — it appears that an expired certificate is at the root of the problem. The update pushed out was an attempt to fix the issue, and judging by responses on the Facebook group it did work for some owners.

    Update 2: There’s a way to fix the problem! Quirky founder Ben Kaufman tells us that Wink is currently testing it with a small group of users

    Reply
  14. Tomi Engdahl says:

    Check Point found a big gap in eBay’s e-commerce platform

    Millions of buyers’ credit card details were compromised, and the world’s leading e-commerce site was about to fall into hackers’ hands.

    San Carlos, CA – Monday 20 April 2015 – Security company Check Point® Software Technologies Ltd. announced today that its research team has discovered a critical RCE (remote code execution) vulnerability in eBay’s Magento-based webstore platform. The vulnerability affects nearly 200,000 e-commerce sites, as Magento is very widely used.

    If a hacker finds the opening, they get their hands on all the information of any Magento-based e-commerce site, including customers’ credit card information and personal data. The vulnerability allows an attacker to get past the security mechanisms, which may give them control of the e-commerce site’s rights management and database.

    “Hackers are attacking online stores more and more often, as the credit card information held by online stores has become a gold mine for them,” says Check Point Software Technologies research director Shahar Tal.

    “The vulnerability we found is a major threat to eBay, in addition to all the other companies that have built their online store on the Magento platform. We estimate that about 30 percent of online retailers use Magento,” Tal says.

    Source: http://www.epressi.com/tiedotteet/turvallisuus/check-point-loysi-ison-aukon-ebayn-verkkokauppa-alustasta.html

    Magento
    https://www.magentocommerce.com/products/downloads/magento/

    Reply
  15. Tomi Engdahl says:

    Kremlin hackers exploited TWO 0-day Flash, Windows vulns
    Operation RussianDoll smelled like Russian miscreants, say infosec bods
    http://www.theregister.co.uk/2015/04/20/russian_cyberspies_two_zero_days/

    A hacking group probably backed by Russia has been making use of two zero-day exploits to target foreign governments.

    The so-called “Operation RussianDoll” attackers used zero-day exploits in Adobe Flash and Windows to target a specific foreign government organisation.

    Reply
  16. Tomi Engdahl says:

    Raytheon borgs Websense to create cybersecurity behemoth
    What’s the new firm going to be called? Raysense? Webtheon?
    http://www.theregister.co.uk/2015/04/20/raytheon_merges_websense_cybersecurity_behemoth/

    Defence giant Raytheon has agreed a deal with Vista Equity Partners to form a new company combining Websense with Raytheon Cyber Products. The new joint venture (Raysense? Webtheon?) will combine Raytheon Cyber Products with Websense’s TRITON line of web filtering and other enterprise security products.

    Raytheon – known for the Patriot missile, among other arms – will invest $1.57bn in net cash for majority ownership of the new company. Vista will also invest into the new joint venture firm.

    Raysense – or whatever the new firm is called – aims to provide “defence-grade cybersecurity to combat the evolving cyber threat environment” characterised by “sophisticated threats posed by well-funded, nation-state adversaries and criminal networks”.

    The cloud, mobility and other trends are making organisations even more vulnerable, according to the security firms.

    Reply
  17. Tomi Engdahl says:

    Federal investigators say in-flight Wi-Fi could be hacked to access planes’ flight controls
    http://www.cablinginstall.com/articles/2015/04/gao-inflight-wifi-hackable.html

    The BBC’s US & Canada News site is reporting that “a federal watchdog agency has warned [that] wireless systems used by passengers on planes in the US could be hacked to access flight controls.”

    “A report by the US Government Accountability Office (GAO) said it is one of several emerging security threats not being dealt with properly, [which] comes as air traffic control is modernized to use satellite technology,” states the BBC’s report.

    The reporting adds: “GAO investigators spoke to cyber security experts who said onboard firewalls intended to protect avionics from hackers could be breached if flight control and entertainment systems use the same wiring and routers. One expert told investigators ‘a virus or malware’ planted on websites visited by passengers could provide an opportunity for a malicious attack.”

    Reply
  18. Tomi Engdahl says:

    Alex Chitu / Google Operating System:
    Google now allows you to download your saved search history

    Export Google Search History
    http://googlesystem.blogspot.co.uk/2015/04/export-google-search-history.html

    Reply
  19. Tomi Engdahl says:

    Mortgage data splashed all over the net. Thanks HSBC Finance
    Not a hack, just a massive balls up!
    http://www.theregister.co.uk/2015/04/21/hsbc_dump_customers_mortgage_data_on_web/

    HSBC Finance in the US is notifying customers that it has inadvertently been publishing their mortgage data online since last year.

    HSBC is believed to have exposed customer names, account numbers, social security numbers, and telephone details, in a move which isn’t being attributed to hackers, and as such is almost definitely a corporate cock-up.

    The leak, discovered on 27 March, is believed to have begun towards the end of last year. A number of subsidiary firms have also been affected, and the damage outside of New Hampshire is expected to be substantial.

    “We are conducting a thorough review of the potentially affected records and have implemented additional security measures designed to prevent a recurrence of such an incident,” the bank writes.

    Troy Gill, Manager of Security Research at Appriver, said:

    “With so many of the bank’s subsidiaries being named, the number of those affected will likely be quite substantial.”

    “Since HSBC does not appear to be claiming that it suffered a breach by hackers it seems that it may have inadvertently stored the data in a manner that made it accessible on the internet.”

    “In this case the data could have potentially been compromised by countless groups/individuals to be used for nefarious purposes. With personal information including social security numbers being involved, this could have a severe impact for their account holders.”

    HSBC add that it has now closed the stable door: “We have ensured that the information is no longer accessible publicly. The company has notified law enforcement and the credit reporting agencies of the incident.”

    Reply
  20. Tomi Engdahl says:

    JavaScript CPU cache snooper tells crooks EVERYTHING you do online
    New research sends browser kingpins scurrying for fixes
    http://www.theregister.co.uk/2015/04/21/cache_creeps_can_spy_on_web_histories_for_80_of_net_users/

    Four Columbia University boffins reckon they can spy on keystrokes and mouse clicks in a web browser tab by snooping on the PC’s processor caches.

    The exploit is apparently effective against machines running a late-model Intel CPU, such as a Core i7, and a HTML5-happy browser – so perhaps about 80 percent of desktop machines.

    Yossef Oren, Vasileios Kemerlis, Simha Sethumadhavan, and Angelos Keromytis came up with this side-channel attack, which can be performed by JavaScript served from a malicious web ad network. It works by studying the time it takes to access data stored in the last-level cache – the L3 cache shared by all cores in a PC – and matches it to user activity.

    The research has prompted Google, Microsoft, Mozilla, and Apple to upgrade their browsers to smother the attack vector. Nothing has yet been released.

    “Our attack, which is an extension of the last-level cache attacks of (Adelaide University’s) Yuval Yarom, allows a remote adversary to recover information belonging to other processes, other users and even other virtual machines running on the same physical host as the victim web browser,” they say.

    The research is very academic in nature, and not terribly practical, but challenges the assumption that most side-channel attacks require snoopers to be in close proximity to their victims, and be able to execute arbitrary native code.

    Reply
  21. Tomi Engdahl says:

    How Tor is building a new Dark Net with help from the U.S. military
    http://www.dailydot.com/politics/next-generation-tor-darpa/

    The Dark Net is under attack.

    Actually, it’s always under attack. That’s the smart attitude to take as the spotlight has been turned up on technology like the Tor-anonymizing network. Threats from governments and hackers around the world have pushed Tor’s decade-old hidden service technology to its limits.

    To stay ahead in the security race, Tor is building the next-generation Dark Net in part with funding from the Defense Advanced Research Projects Agency, the U.S. military agency charged with inventing the cutting edge of new technology.

    DARPA is funding multiple projects focused on improving Tor’s hidden services across “1-3 years.”

    These attacks, which started in March, targeted several hidden services with a simple-but-effective cyberattack that slowed the entire Tor network and took the sites offline for more than a week, inspiring no small amount of worry about the security of many Tor users. Some of the sites are still struggling to return to normalcy.

    Tor plans to double the encryption strength of hidden service’s identity key and to allow offline storage for that key, a major security upgrade.

    Reply
  22. Tomi Engdahl says:

    Exclusive: BlackBerry acquires Israel’s WatchDox, to open R&D center in Israel
    http://www.geektime.com/2015/04/21/exclusive-blackberry-acquires-israels-watchdox-to-open-rd-center-in-israel/

    According to Geektime sources, BlackBerry has acquired Israeli WatchDox for an estimated $150 million. Both companies provide secure solutions that are favored by government leaders and Hollywood moguls.

    WatchDox is a fast-growing startup in the $10 billion security market, reportedly taking business away from the likes of EMC.

    WatchDox is available as SaaS, a virtual appliance or a hybrid. Employees or business partners can transfer files from their personal mobile devices to company computers and vice versa. The enterprise can also track and audit who accessed the file and allow creators to wipe files from any device, even after they have left the network.

    It’s like Dropbox with an extra layer of watchfulness. Cloud applications like Google Drive can also be integrated with WatchDox.

    WatchDox has gained traction with governments and banks, enterprises that need an extra level of security in the cloud. The company reportedly has close to $10 million in annual revenue. It claims that its customers include “over 150 of the Fortune 1000, including the largest civilian federal agencies, 6 of the top 12 private equity firms and most of the 6 major Hollywood studios.”

    Favored by Hollywood

    For a movie producer, there is no worse fate than someone leaking a movie script or plot before a movie gets into theaters. Studios rely on hype and anticipation to get people to shell out close to $10 for a movie ticket. It’s not a hypothetical threat. That’s what happened to Sony Pictures last year, when more than 50 movie scripts were leaked.

    As a result, Hollywood has become one of WatchDox’s major clients, and the company heavily markets itself to the industry.

    Reply
  23. Tomi Engdahl says:

    Sean Gallagher / Ars Technica:
    Pwnie Express demos new tool to detect stingray devices and other monitoring hardware used by law enforcement — This machine catches stingrays: Pwnie Express demos cellular threat detector — An exclusive first look at Pwnie’s new tool for catching cellular network attacks.

    This machine catches stingrays: Pwnie Express demos cellular threat detector
    http://arstechnica.com/information-technology/2015/04/this-machine-catches-stingrays-pwnie-express-demos-cellular-threat-detector/

    At the RSA Conference in San Francisco today, the network penetration testing and monitoring tool company Pwnie Express will demonstrate its newest creation: a sensor that detects rogue cellular network transceivers, including “Stingray” devices and other hardware used by law enforcement to surreptitiously monitor and track cell phones and users.

    In an exclusive demonstration for Ars, Pwnie Express CTO Dave Porcello and Director of Research and Development Rick Farina showed off the company’s new cell network threat detection capabilities, which integrate into Pwnie’s Pulse security auditing service. The capability will give companies the ability to monitor cellular networks around them and detect anomalies caused by rogue cellular base stations, IMSI catchers, and devices used to extend cellular coverage into areas where it may not be authorized.

    “The real thing that scares people the most is that we have no visibility into these things,” Porcello said. “Nobody knows how many of them are out there.” But they definitely are out there. Last September, ESD America—which manufactures the CryptoPhone secure cell phone—reported that more than a dozen rogue cell “towers” had been discovered in Washington DC. It’s not clear if all of these were being operated by law enforcement.

    Another threat faced by companies in highly regulated industries is the unauthorized use of microcells or femtocells—small base stations often sold by cell carriers to extend cellular network coverage in places where towers might not have coverage. If a company is trying to prevent personal cell phone usage within a facility through passive means, for example, an employee might plug a femtocell base station in at their desk to make outbound calls that aren’t through the company’s call logging system. This also introduces the potential threat of cellular jamming by someone seeking to block service for malicious reasons.

    Cellular base stations aren’t the only mobile network-based attack vector faced by many companies. Cheap and readily available GSM-based devices have found their way into a number of criminal activities. “You’re seeing all sorts of rogue devices moving to GSM,” Porcello said. “Hackers and criminals are taking advantage of this like crazy because they know you can’t legally monitor them.”

    “The credit card skimmer of choice now is a GSM-connected skimmer. You don’t have to be near it and never have to collect it; it can just dump all the credit card numbers by SMS message back to a throwaway phone number.”

    Eventually, Porcello said, the FCC will have to give companies a way of spotting these sorts of devices without breaking the law.

    Reply
  24. Tomi Engdahl says:

    Hands-on: Pwn Pro and Pwn Pulse, mass surveillance for the rest of us
    Pwnie Express’ latest penetration testing offerings step up the power.
    http://arstechnica.com/information-technology/2014/08/hands-on-pwn-pro-and-pwn-pulse-mass-surveillance-for-the-rest-of-us/

    Reply
  25. Tomi Engdahl says:

    Dan Goodin / Ars Technica:
    Over 1,500 iOS apps, including apps by Citrix, Alibaba, Rotten Tomatoes, still have HTTPS-crippling bug, weeks after it was first disclosed

    1,500 iOS apps have HTTPS-crippling bug. Is one of them on your device?
    Apps downloaded two million times are vulnerable to trivial man-in-the-middle attacks.
    http://arstechnica.com/security/2015/04/1500-ios-apps-have-https-crippling-bug-is-one-of-them-on-your-device/

    Reply
  26. Tomi Engdahl says:

    Athena Security IPs Designed to Mend Holes in SoCs
    Zooming in on differential power analysis
    http://www.eetimes.com/document.asp?doc_id=1326395&

    The need to protect connected systems — cars, mobile phones, smart grids, connected factories and any other IoT devices — by using security chips with crypto keys is growing rapidly, while not clearly answering a critical question: How do we know if the security chips designed into such connected systems aren’t leaking key information?

    The Athena Group, Inc. (Gainesville, Florida) hopes to answer the $64 billion question on Monday (April 20) by rolling out a portfolio of security IP cores with side-channel attack countermeasures, based on advanced differential power analysis (DPA) countermeasure approaches pioneered by the Rambus Cryptography Research Division.

    It’s widely known that cyber-attackers can exploit an extra source – from timing information, power consumption or electromagnetic leaks of chips – to break a cryptosystem.

    DPA — which involves statistically analyzing power consumption measurements from a cryptosystem — is believed to be one of the biggest challenges for designers of countermeasures. “DPA attacks are extremely difficult to detect,

    DPA-resistant IP cores for ASICs and FPGAs
    Athena is seeking to level the playing field by making available “a full set of DPA-resistant off-the-shelf and custom IP core solutions — for the first time — for ASIC targets as well as FPGA devices from Microsemi, Altera, and Xilinx,” according to the company.

    Reply
  27. Tomi Engdahl says:

    See Everything You’ve Ever Googled in One Terrifying Place
    Here’s how to find your search history—and delete it
    http://time.com/3829686/google-search-history/
    http://googlesystem.blogspot.co.uk/2015/04/export-google-search-history.html

    Reply
  28. Tomi Engdahl says:

    White House cyber-general says US must be able to cyber-nuke the worst of the cyber-worst
    Threaten America, and you’ll regret it
    http://www.theregister.co.uk/2015/04/21/white_house_hackers/

    RSA 2015 The US government must hone its offensive capabilities to electronically attack those who menace America’s interests, said the White House’s Cybersecurity Coordinator Michael Daniel, quickly adding global ground rules for cyber-war have to be worked out first.

    On April 1, President Obama signed an executive order that would allow Uncle Sam to impose economic sanctions against people, or nation states, that threaten America. Daniel, who is the special assistant to the President on cybersecurity matters, told the RSA conference in San Francisco today that the US also needs ways to terminate enemies online.

    “We need to have a larger toolset to go after what the bad guys are doing,” he said.

    Reply
  29. Tomi Engdahl says:

    ‘Aaron’s Law’ Introduced To Curb Overzealous Prosecutions For Computer Crimes
    http://news.slashdot.org/story/15/04/21/2154218/aarons-law-introduced-to-curb-overzealous-prosecutions-for-computer-crimes

    “Aaron’s Law would change the definition of ‘access without authorization’ in the CFAA so it more directly applies to malicious hacks such as sending fraudulent emails, injecting malware, installing viruses or overwhelming a website with traffic.”

    Reply
  30. Tomi Engdahl says:

    New Iris Scanning Tech Could Identify You from 40 Feet Away
    https://www.yahoo.com/tech/new-iris-scanning-tech-could-identify-you-from-40-116671805404.html

    Eye-scanning technology could be the new “license and registration, please.”

    Carnegie Mellon’s Biometrics Center has developed technology that can identify a human from 40 feet away just by scanning the person’s irises. In a video showing off the new tech, Biometrics Center director Marios Savvides sits in the driver seat of a van while colleagues from about a car-length behind him detect his identity by simply pointing a camera at his rearview mirror. The computer system attached to the camera compares the image of Savvides’ iris against its database and correctly pulls up his name and information.

    CMU’s description of the project claims it can work up to 12 meters in distance, or about 40 feet.

    Reply
  31. Tomi Engdahl says:

    Apple failed to fix “rootpipe” backdoor flaw, researcher warns
    http://www.zdnet.com/article/apple-failed-to-fix-rootpipe-backdoor-flaw-warn-researchers/

    Summary: The bug should’ve been squashed in the latest update of OS X 10.10.3, but researchers say it persists. Every Mac is at risk from this “backdoor” bug.

    Phoenix: RootPipe lives! …even on OS X 10.10.3
    https://objective-see.com/blog.html

    Reply
  32. Tomi Engdahl says:

    Google guru: Android doesn’t have malware, it has Potentially Harmful Applications™ instead
    And who installs five AV apps on their mobes?
    http://www.theregister.co.uk/2015/04/21/google_android_malware/

    RSA 2015 Malware doesn’t exist on Android, Google says, but Potentially Harmful Applications™ do.

    That linguistic flip is one of many at play in the Chocolate Factory’s Android security division, which has dumped various general infosec terms overboard. Lead Android engineer Adrian Ludwig told the RSA Conference in San Francisco today that spyware is also a garbage term.

    “There is so much structure and connotation around the word malware that internally we don’t use that word; it just creates too much confusion … we have something like 20 different subcategories of [Potentially Harmful Applications™] things like trojans, fraud and abuse,” he said.

    “I regret that we use the word spyware. When we say it, we mean that it grabs too much data and sends it off the device. There is a profound difference between grabbing all your SMS, and grabbing all your installed apps to send off your device. It’s often called ‘aggressive advertising’.”

    In illustrating the low exploitation figures, he said of two “beautiful” exploits in the wild, one was leveraged less than eight times per one million devices, and the other once per million, even though 99 and 82 percent of Android users, respectively, were at risk at the time of disclosure – and that’s according to stats from BlueBox.

    But that didn’t stop users from freaking out. He says a whopping 40 per cent of users have antivirus installed, while a few security fanatics have five or more versions of the battery-sucking software installed.

    Reply
  33. Tomi Engdahl says:

    Lawyer: Cops dropped robbery case rather than detail FBI’s StingRay phone snoop gizmo
    Cell tracker kept secret at expense of criminal complaint
    http://www.theregister.co.uk/2015/04/21/st_louis_stingray/

    Prosecutors in St Louis, Missouri, have dropped a criminal robbery case to avoid revealing details of a controversial mobile phone surveillance program, a defense attorney has claimed.

    The St Louis Post-Dispatch reported that the state dropped more than a dozen charges against three defendants just one day before police were scheduled to testify as to how they were able to pull data from the accused’s mobile phones.

    Public defender Megan Beesley, who represented the accused, told the paper she was convinced the charges were dropped so that the officers would not be forced to disclose information about the secretive phone tapping devices used in the investigation, which are often known by the brand name StingRay.

    Reply
  34. Tomi Engdahl says:

    Some tech firms being ‘friendly to terrorists’ says UK police chief
    http://uk.reuters.com/article/2015/04/21/uk-britain-security-tech-idUKKBN0NC1HX20150421

    (Reuters) – Some technology and communication firms are helping militants avoid detection by developing systems that are “friendly to terrorists”, Britain’s top anti-terrorism police officer said on Tuesday.

    Mark Rowley, the national police lead for counter-terrorism, said companies needed to think about their “corporate social responsibility” in creating products that made it hard for the authorities to access material during investigations.

    “Some of the acceleration of technology, whether it’s communications or other spheres, can be set up in different ways,” Rowley told a conference in London.

    “It can be set up in a way which is friendly to terrorists and helps them … and creates challenges for law enforcement and intelligence agencies. Or it can be set up in a way which doesn’t do that.”

    Reply
  35. Tomi Engdahl says:

    When you use Windows Phone, you accept the 51-page agreement

    “We give our devices more rights than our spouses.”

    “When you turn on Windows Phone 8.1, you simultaneously approve a 51-page user agreement, and you also give a wide range of applications and manufacturers rights such as, among other things, the right to take and view videos or photos on your device,” Rousku recalls.

    According to him, the same is true of other important mobile ecosystems.

    “Similarly, when you use a variety of applications, you give them the right to collect information. When you download, say, a flashlight app, you might give it permission to use the phone’s microphone, and locate yourself.”

    Source: http://www.tivi.fi/Kaikki_uutiset/2015-04-22/Kun-otat-Windows-Phonen-k%C3%A4ytt%C3%B6%C3%B6n-hyv%C3%A4ksyt-51-sivuisen-sopimuksen-3220333.html

    Reply
  36. Tomi Engdahl says:

    White House Seeks Silicon Valley Help on Strong Yet Breakable Encryption
    http://www.nbcnews.com/tech/security/white-house-seeks-silicon-valley-help-strong-yet-breakable-encryption-n345886

    The Obama administration hopes Silicon Valley technologists can think of a system with strong encryption that could be pierced legally by one party without opening the door to others, a government official said on Tuesday. White House cybersecurity policy coordinator Michael Daniel said at the annual RSA Conference on security that he is trying to set starting principles for a broad public discussion on the issue, which has been a major source of tension with technology companies and other cyber experts.

    Reply
  37. Tomi Engdahl says:

    Would you like information security, cyber security or digital security?

    Information security is designed to ensure the confidentiality, integrity and availability of stored information. It should be emphasized that public, unclassified information may also be very important for the organization’s operations. However, in information security the emphasis is on classified information that must be kept secret, i.e. on confidentiality.

    The importance of continuing staff training and clear instructions cannot be stressed too much. Personnel are famously accused of being the weakest link, in my opinion often without reason; the reason generally lies in the fact that the organization has not been able to instruct, inform and educate them.

    Cyber security is information security and continuity management!

    It may be best described by saying that cyber security takes care of the (business) safety of operations, which consists of information security and continuity management.
    Operations here primarily means the organization’s business-related ICT, services, processes and automation needed to safeguard the agreed SLA service levels. Service levels should be agreed on the basis of operational criticality and importance, which, in turn, the organization’s business needs to decide.

    What about digital security?

    In fact, I put digital security as a priority for guaranteeing personal-safety-related factors, such as privacy and one’s identity management, and, from the organization’s perspective, the implementation of the data protection sub-areas. The wider digitalization spreads, the more significant these things become! Digital security is the area that takes care of the security of digitalisation and, hence, of the new large-scale integrated services it gives birth to.

    1 + 1 + 1 = 3

    In practice, none of the three areas described here is enough on its own. For example, in all (business) activities one must take care of information and cyber security, and if personal information or individuals as users etc. are involved in any way, of digital security too. Thus, information + cyber + digital security: we need them all!

    Source: http://www.tivi.fi/blogit/2015-04-22/Saako-olla-tieto–kyber–vai-digiturvallisuutta-3220270.html

    Reply
  38. Tomi Engdahl says:

    It’s official: David Brents are the weakest link in phishing attacks
    Middle managers are infosec’s biggest problem, says study
    http://www.theregister.co.uk/2015/04/22/proofpoint_phishing_study/

    Middle management are increasingly becoming the focus of phishing attacks, according to a new study.

    Managers received more malicious emails and doubled their click rates year-on-year, according to a study by security company ProofPoint.

    Senior staff seemed more clued up about dodgy emails, meaning managers and staff clicked on links in malicious messages two times more frequently than executives.

    ProofPoint’s Human Factor Report study provides details on the percentage of malicious links in emails that actually get clicked on, and the industries and job roles that are most heavily targeted with phishing.

    On average, one of every twenty-five malicious messages delivered is clicked by users. The volume of messages an organisation receives has little to no impact on the click rate: every organisation clicks, and the rate of clicking for an organisation was never zero.

    All industries are being targeted with malicious messages, but workers in banking and finance received more than their fair share (41 per cent more than the average).

    Intellectual property theft and the opportunity for direct financial transfers means cybercriminals are attacking previously untouched sectors such as manufacturing, shipping, energy, utilities and even construction.

    The majority of malicious messages are delivered during business hours

    Reply
  39. Tomi Engdahl says:

    House Bill Slashes Research Critical To Cybersecurity
    http://news.slashdot.org/story/15/04/22/2149253/house-bill-slashes-research-critical-to-cybersecurity

    A U.S. House bill that will set the nation’s basic research agenda for the next two years increases funding for computer science, but at the expense of other research areas. The funding bill, sponsored by Rep. Lamar Smith (R-Texas), the chair of the Science, Space and Technology Committee, hikes funding for computer science, but cuts — almost by half — social sciences funding, which includes the study of human behavior. Cybersecurity uses human behavior research because humans are often the weakest security link.

    The insight into human behaviors that comes from the social science research, “is critical to understanding how best to design and implement hardware and software systems that are more secure and easier to use,”

    Reply
  40. Tomi Engdahl says:

    Fukushima nuke plant owner told to upgrade from Windows XP
    48,000 PCs at TEPCO still run Microsoft’s unloved child
    http://www.theregister.co.uk/2015/04/23/fukushima_nuke_plant_owner_told_to_upgrade_from_windows_xp/

    The Tokyo Electric Power Company (TEPCO), operator of the stricken Fukushima Daiichi nuclear energy complex, has been told to migrate 48,000 internet-connected PCs off Windows XP sooner rather than later.

    TEPCO was recently probed by Japan’s Board of Audit, an organisation that oversees the finances of Japan’s government and government agencies. The Board of Audit is interested in TEPCO because Japan is keen to see the company pay for cleanup of the Fukushima mess.

    One of the things the Board found was that TEPCO operates about 48,000 PCs running Windows XP, and had decided not to upgrade in order to save money. Upgrades may even have been deferred to 2019, according to this TEPCO press release from 2014.

    Reply
  41. Tomi Engdahl says:

    New Javascript Attack Lets Websites Spy On the CPU’s Cache
    http://it.slashdot.org/story/15/04/22/1645226/new-javascript-attack-lets-websites-spy-on-the-cpus-cache

    Bruce Upbin at Forbes reports on a new and insidious way for a malicious website to spy on a computer. Any computer running a late-model Intel microprocessor and a Web browser using HTML5 (i.e., 80% of all PCs in the world) is vulnerable to this attack. The exploit, which the researchers are calling “the spy in the sandbox,” is a form of side-channel attack.

    New Browser Hack Can Spy On Eight Out Of Ten PCs
    http://www.forbes.com/sites/bruceupbin/2015/04/20/new-browser-hack-can-spy-on-eight-out-of-ten-pcs/

    A group of Columbia University security researchers have uncovered a new and insidious way for a hacker to spy on a computer, Web app or virtual machine running in the cloud without being detected. Any computer running a late-model Intel microprocessor and a Web browser using HTML5 (i.e., 80% of all PCs in the world) is vulnerable to this attack.

    All a hacker has to do is lure a victim to an untrusted web page with content controlled by the attacker. Once there, the software inside the bogus content launches a program that manipulates how data moves in and out of a victim PC’s cache, which is the part of the CPU

    The exploit then records the time it takes for the victim’s PC to run various operations in the cache memory, using the browser’s own high-resolution timers (we’re talking nanoseconds here). By studying the time it takes for memory access to take place, the hacker can get an accurate picture about a user’s browser history, keystrokes and mouse movements. The attack is more for spying than theft: it doesn’t steal any data or passwords or corrupt the victim’s machine.

    The “spy in the sandbox” is what’s known as a side-channel attack, which is one of the older tricks in the hacker’s black bag. Such an attack usually involves interpreting what’s going inside a computer guts by measuring physical outputs such as sound, electromagnetic radiation or power consumption.

    Modern-day side-channel attacks now take the form of reading the activity of processors, memory or networking ports. The recent and massive shift of computing to cloud services such as Amazon EC2 or Microsoft Azure initially raised fears that hackers would be able to spy among virtual machines shared on the same servers

    While it’s difficult to launch side-channel attacks in a secured cloud, it would be far easier on the open web.

    The Columbia researchers created this exploit to prove it could work and shed some light on vulnerabilities in common browser and cache memory architecture. In doing so, they point to a couple of ways to thwart the attack. One would be to restrict access to the high-resolution timer to only those applications that gain the user’s consent

    The Spy in the Sandbox – Practical Cache Attacks in Javascript
    http://arxiv.org/pdf/1502.07373v2.pdf

  42. Tomi Engdahl says:

    Banking trojan scourge gallops on, despite more fences
    New threats evolved in 2014, mainly aimed at the US
    http://www.theregister.co.uk/2015/04/23/banking_trojan_study_dell_secureworks/

    RSA 2015 Banking botnets persist as a threat despite recent high-profile takedowns which only achieve a temporary calming effect, according to a new study from Dell SecureWorks.

    Between mid-2014 and early 2015, coordinated efforts involving law enforcement and private-sector industry disrupted three of the most active banking botnets (Gameover ZeuS, Shylock, and Ramnit).

    Dyre, Bugat v5 (also known as Dridex), and Vawtrak (a Gozi variant) emerged after the Gameover ZeuS and Shylock takedowns. Activity from ZeuS and its variants decreased in the second half of 2014, while Dyre, Gozi/Vawtrak, and Bugat v5 activity steadily increased.

    “Cybercriminals quickly adapt to countermeasures and takedowns by improving their software and establishing new sophisticated banking botnets,” Dell SecureWorks warns.

    “New threats arise with emerging technologies, and attacks on mobile banking platforms and advancements in bypassing standard authentication mechanisms evolved in 2014,” it added.

    Takedowns and arrests temporarily reduced banking botnet activity in 2014 and early 2015. More banking trojans are using hidden network services, such as Tor or the Invisible Internet Project (I2P), to resist surveillance and takedowns, the security intelligence outfit warns.

  43. Tomi Engdahl says:

    Nork hackers no pantomime villains, but a hugely unpredictable menace
    Modest resources but still able to launch a debilitating attack
    http://www.theregister.co.uk/2015/04/21/north_korea_hacker_sony_analysis_rsa/

    North Korea’s cyber attack on Sony Pictures revealed two uncomfortable truths about cybersecurity: businesses don’t have to be an obvious target to get hacked, and their aggressors don’t have to be superpowers.

    Despite the US government’s insistence, the tech world is less than completely convinced that North Korea was behind last November’s Sony megahack, which saw thousands of computers on the entertainment giant’s network scribed with wiper malware, as well as the theft and subsequent release of all manner of confidential information, ranging from corporate emails and employee data to unreleased films.

    A group of hackers named Guardians of Peace claimed responsibility for the megahack.

    The (main) alternative theory — backed by most IT security experts up until fairly recently — is that disgruntled ex-employees, possibly in co-operation with hacktivist types, are the most likely culprits.

    “Sloppy” North Korean Sony attackers let their real IP addresses slip on occasion, according to the Feds.

    Infosec pros characterised that particular strain of evidence as flimsy and circumstantial. IP addresses are, after all, easily fake or spoofed.

    Politically motivated hacking isn’t new, and the Sony hack is sadly far from unprecedented. Anonymous did something similar to the internet security company HBGary Federal, exposing corporate secrets and internal emails, back in 2011.

    The Sony hack does however differ from previous assaults as it has become the first to create a diplomatic row, leading directly to the imposition of tougher sanctions against North Korea and an unconfirmed reprisal cyber attack against North Korea’s internet on-ramp and flimsy internet infrastructure.

    North Korea has had extensive offensive cyber capabilities for years, as covered by Voice of America (here), Al Jazeera (here), and news.com (here). And it has extensive support from China, its primary (if not only) ally on the world stage.

    Reuters reports that North Korea has poured the country’s scant resources into creating a cyber warfare cell called Bureau 121, made up of a “handpicked and pampered elite” of computer science majors around 1,800 strong.

    Nation state V US company

    “We routinely see attacks of 10-20Gbps against our commercial clients, with those of 100Gbps no longer uncommon,” said Ofer Gayer, a security researcher at DDoS mitigation firm Incapsula. “Even if North Korea had ten times its publicly reported bandwidth, bringing down its connection to the net would not be difficult from a resource or technical standpoint.”

    Attribution of the Sony Pictures hack to North Korea may have taken the general public by surprise, but security intelligence firms have been tracking the mendacious activities of the North Koreans for some time.

    For example, South Korea banking and TV station networks were hit by wiper malware in March 2013 during the so-called Dark Seoul attacks.

    Adam Meyers, CrowdStrike’s VP of intelligence, told El Reg that while Russian attacks employed sophisticated tradecraft, Chinese attacks were of a far greater volume. “Chinese attacks are like a giant vacuum cleaner” for confidential data, according to Meyers. The security intelligence expert added that slinging computer wiper malware is a standard modus operandi for North Korean cyber operations.

    CrowdStrike is confident that North Korea attacked Sony Pictures

    Security response firm Mandiant, which was called in to help Sony Pictures in the aftermath of the breach, said that “neither [Sony] nor other companies could have been fully prepared”.

    “Sony was not an attack on our critical infrastructure,” Sorebo writes in a blog post. “While Sony will suffer, neither our infrastructure nor our economy will feel any noticeable impact. What the attack does demonstrate is the lengths that a rogue state or terrorist group will go to achieve a seemingly limited aim, to stop the release of a movie.”

  44. Tomi Engdahl says:

    Whoops! AVG data centre KO’d by ‘unplanned’ outage
    Anti-spam software hit, firm says all will be well again ‘soon’
    http://www.theregister.co.uk/2015/03/09/avg_data_centre_outage/

    Security biz AVG has been hit by an outage at its US data centre, possibly affecting its customers’ email security services across all regions.

    The US data centre hosting the AVG Business CloudCare Email Security Service was the subject of an unplanned maintenance outage this morning, the company confirmed in a statement.

    “[The] anti-spam portion of the AVG Business CloudCare service could have been disrupted as a result, possibly affecting email security services customers in all regions,” said a spokesman.

    The company has 197 million active users and 101 million mobile users.

  45. Tomi Engdahl says:

    Sony Hack Was Not an Inside Job, Says Security Expert Kevin Mandia
    http://recode.net/2015/04/21/sony-hack-was-not-an-inside-job-says-security-expert-kevin-mandia/

    Last year’s Sony hack was clearly the work of North Korea and not that of a disgruntled insider, according to FireEye president Kevin Mandia.

    “Definitely not an insider,” Mandia said at Code/Enterprise in San Francisco. “Nope.”

    While he said it is governments, not security firms, that are in the best position to assign blame, Mandia said the Sony hack was clearly the work of a government. Mandia noted that this was the first time a U.S. president publicly blamed another country for a cyber attack.

    Over the course of several weeks as details in last year’s Sony hack emerged, critics questioned whether it was possible for North Korea to carry out the attack as the FBI has alleged.

    FireEye’s Mandiant incident response unit was called in to help the company investigate the attack and begin the process of recovering. Mandia likened it to his aunt being attacked by a UFC fighter. “It was an unfair fight.”

    He said the Sony attack represented a combination of factors not seen all at once in prior attacks. He said you had a government attacking a private sector company, releasing private information and then “blowing up the house” on the way out.

    That was a wake-up call to all companies. “Everyone in this room recognizes the risk profile just changed.”

  46. Tomi Engdahl says:

    Samsung Galaxy S5 Flaw Allows Hackers To Clone Fingerprints, Claim Researchers
    http://www.forbes.com/sites/thomasbrewster/2015/04/21/samsung-galaxy-s5-fingerprint-attacks/

    Biometric information is about as personal as data gets. But Google’s Android partners are still failing to protect it, as researchers from security firm FireEye will discuss this week at RSA, pointing to failures in the Samsung Galaxy S5 and other unnamed Android devices. Though the affected phone makers have tried to separate and encrypt the information in a separate secure zone, it’s possible to grab the biometric data before it reaches that protected area and create copies of people’s fingerprints for further attacks, said Tao Wei and Yulong Zhang from FireEye.

    The issue appears startlingly straightforward: an attacker could focus on collecting data coming from the Android devices’ fingerprint sensors rather than trying to break into the trusted zone,

    “If the attacker can break the kernel [the core of the Android operating system], although he cannot access the fingerprint data stored in the trusted zone, he can directly read the fingerprint sensor at any time. Every time you touch the fingerprint sensor, the attacker can steal your fingerprint,” Zhang told FORBES. “You can get the data and from the data you can generate the image of your fingerprint. After that you can do whatever you want.”

    “Samsung takes consumer privacy and data security very seriously. We are currently investigating FireEye’s claims,” a Samsung spokesperson said over email

    Despite manifold security concerns, biometrics are set to take over mobile devices as the primary form of authentication. Alongside Samsung’s devices, Apple’s TouchID is one of the more famous, and infamously bypassed, forms of biometrics on the market.

    Microsoft is testing out a range of biometric options for its upcoming Windows 10 operating system. Security researcher Jan “Starbug” Krissler, who recently claimed he could bypass iris scanners just by holding up high-resolution print outs to the camera, said he’d been doing some work with Microsoft to test their ocular logins for Windows 10.

  47. Tomi Engdahl says:

    Report: IT managers not best leaders in breach crisis
    http://www.cio.com/article/2912443/data-breach/report-it-managers-not-best-leaders-in-breach-crisis.html

    Technology managers are typically expected to take the point when a company is hit by a major cyber security crisis, but a more business-oriented leader might be more effective, says a new report from Booz Allen Hamilton.

    “In a crisis, it doesn’t work that way,” he said. “The roles get flipped.”

    But a technology manager is going to focus on the technology — on fixing the things that are broken and getting the adversary out of the systems.

    But crisis management also involves legal issues, crisis communications, and other strategic decisions, that an IT manager might be unprepared for, or not have time to deal with.

    In addition, technological solutions may sometimes be in conflict with what’s best for a company as a whole.

    “They may have to shut the systems down, reconfigure things, and do other things that will affect the business,” Stewart said. “And they might not be in a situation where they understand the broader business objectives. Having someone who understands the broader business, helps them make better decisions.”

    However, it may not make good financial sense for a company to have a full specialized crisis management team standing by at all times, ready to jump into action.

    The looming Internet of Things

    Another major change Booz Allen focused on in the report is the coming Internet of Things.

    The combination of an increasing IP address space and falling technology prices means that networked devices will soon be showing up everywhere.

    The number of cyber breaches occurring now will seem small in comparison.

    “The Internet of Things is going to change the scale of things drastically,” Stewart said. “The exposure is going to be much greater.”

    The problem is that the ordinary way of doing things puts security last, he said.

    “Our tendency in developing IT infrastructure has been to build it so that it works as efficiently and as cheaply as possible,” he said. “And the result is that it doesn’t include security. Security has an operational cost.”

    But with the rising scale and price tag of breaches, companies are starting to recognize the importance of security, and the value of building it in right from the start, he said.

    “If you do embedded security, you can actually get to a better, more secure solution more cheaply than if you have to add it on at the end,” he said.

  48. Tomi Engdahl says:

    A Photograph Can Help Fool Your Phone’s Fingerprint Sensor
    Well, several photographs, really
    http://www.popsci.com/photograph-can-help-fool-your-phones-fingerprint-sensor

    We already knew it was possible to trick a fingerprint sensor — such as the Touch ID system on the iPhone — into believing that you’re the owner of said phone. Now, a German hacker has shown that it’s possible to acquire a fingerprint simply from a photograph of the digit in question.

    However, if you’re rushing off to disable the fingerprint authentication on your smartphone, you might want to wait just a moment. Despite the impressive nature of Krissler’s feat, there are a few caveats. For one thing, reconstructing the whole fingerprint took several photographs of Von der Leyen from different angles.

    For another, the chances of this vulnerability affecting the average user is pretty low; this is more of a risk for high profile people who are being actively targeted.

    Plus, you still need physical access to the target’s smartphone in order for this to work.

  49. Tomi Engdahl says:

    How to Detect Sneaky NSA ‘Quantum Insert’ Attacks
    http://www.wired.com/2015/04/researchers-uncover-method-detect-nsa-quantum-insert-hacks/

    Among all of the NSA hacking operations exposed by whistleblower Edward Snowden over the last two years, one in particular has stood out for its sophistication and stealthiness. Known as Quantum Insert, the man-on-the-side hacking technique has been used to great effect since 2005 by the NSA and its partner spy agency, Britain’s GCHQ, to hack into high-value, hard-to-reach systems and implant malware.

    Quantum Insert is useful for getting at machines that can’t be reached through phishing attacks. It works by hijacking a browser as it’s trying to access web pages and forcing it to visit a malicious web page, rather than the page the target intend to visit. The attackers can then surreptitiously download malware onto the target’s machine from the rogue web page.

    Quantum Insert has been used to hack the machines of terrorist suspects in the Middle East, but it was also used in a controversial GCHQ/NSA operation against employees of the Belgian telecom Belgacom and against workers at OPEC, the Organization of Petroleum Exporting Countries. The “highly successful” technique allowed the NSA to place 300 malicious implants on computers around the world in 2010, according to the spy agency’s own internal documents—all while remaining undetected.

    How to Catch a Quantum Insert

    But hidden within another document leaked by Snowden was a slide that provided a few hints about detecting Quantum Insert attacks, which prompted the Fox-IT researchers to test a method that ultimately proved to be successful. They set up a controlled environment and launched a number of Quantum Insert attacks against their own machines to analyze the packets and devise a detection method.

    According to the Snowden document, the secret lies in analyzing the first content-carrying packets that come back to a browser in response to its GET request. One of the packets will contain content for the rogue page; the other will be content for the legitimate site sent from a legitimate server. Both packets, however, will have the same sequence number. That, it turns out, is a dead giveaway.

    But when the NSA or another attacker launches a Quantum Insert attack, the victim’s machine receives duplicate TCP packets with the same sequence number but with a different payload. “The first TCP packet will be the ‘inserted’ one while the other is from the real server, but will be ignored by the [browser],”

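    One way to implement the giveaway described in that comment, as an added example rather than Fox-IT's or the article's own code: walk captured TCP segments in arrival order and flag a flow where two content-carrying segments share a sequence number but differ in their overlapping bytes (identical bytes are an ordinary retransmission, so they are not flagged). The addresses, payloads and the Segment/Alert types are constructed assumptions.

```python
# Added example (not code from Wired or Fox-IT): flag the Quantum Insert
# giveaway, two content-carrying TCP segments in one flow that share a
# sequence number but carry different bytes. Addresses and payloads are
# constructed sample data.
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """One captured TCP segment; only the fields the check needs."""
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    payload: bytes


@dataclass(frozen=True)
class Alert:
    flow: tuple
    seq: int
    first: bytes   # arrived first; per the leaked slide, the inserted one
    second: bytes  # arrived later; the legitimate server's content


def find_inserts(segments):
    """Scan segments in capture order and return one Alert per conflicting pair.

    Ordinary retransmissions repeat a seq with identical bytes (or with a
    re-segmented prefix of them), so only *differing* overlapping bytes count.
    """
    seen = {}    # (flow, seq) -> first payload seen at that seq
    alerts = []
    for s in segments:
        if not s.payload:
            continue  # pure ACKs carry no content and cannot be inserts
        flow = (s.src, s.sport, s.dst, s.dport)
        key = (flow, s.seq)
        prev = seen.get(key)
        if prev is None:
            seen[key] = s.payload
            continue
        n = min(len(prev), len(s.payload))
        if prev[:n] != s.payload[:n]:
            alerts.append(Alert(flow, s.seq, prev, s.payload))
    return alerts


# Constructed capture: client 192.0.2.5 fetched a page from web server
# 203.0.113.10. A forged 302 redirect wins the race; the genuine 200 OK
# arrives afterwards with the same sequence number.
ROGUE = b"HTTP/1.1 302 Found\r\nLocation: http://rogue.example/\r\n\r\n"
REAL = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>hi</html>"
SAMPLE_CAPTURE = [
    Segment("192.0.2.5", 51234, "203.0.113.10", 80, 1, b"GET / HTTP/1.1\r\n\r\n"),
    Segment("203.0.113.10", 80, "192.0.2.5", 51234, 5000, b""),    # ACK only
    Segment("203.0.113.10", 80, "192.0.2.5", 51234, 5000, ROGUE),  # inserted
    Segment("203.0.113.10", 80, "192.0.2.5", 51234, 5000, REAL),   # genuine
    # Benign: a retransmitted prefix of the same data in a second flow.
    Segment("203.0.113.10", 80, "192.0.2.6", 40001, 7000, REAL),
    Segment("203.0.113.10", 80, "192.0.2.6", 40001, 7000, REAL[:20]),
]

if __name__ == "__main__":
    for a in find_inserts(SAMPLE_CAPTURE):
        print(f"possible insert in flow {a.flow} at seq {a.seq}: "
              f"first={a.first[:20]!r} second={a.second[:20]!r}")
```

    Feeding this real traffic means reassembling segments per direction first; a segment that merely overlaps a previous one at a different starting offset is not covered by this key-on-exact-seq check.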
