Security trends for 2015

Year 2014 is coming to an end, so it is time to look forward to what to expect from 2015 in cyber security.

Cyber security will get harder year by year. Year 2014 was much worse than 2013. The Heartbleed, Bash, and POODLE vulnerabilities were just the beginning of what to expect in 2015. I expect that year 2014 was easy compared to what year 2015 will be. 2015 will prove to be a challenging year for IT security professionals. Attacks can happen anywhere and at any time, and they don’t have to be major attacks by nation states. They could come from inside or outside.

According to Gartner and SecurityWeek, total information security spending will grow a further 8.2 percent in 2015 to reach $76.9 billion. Unfortunately, security investments are not keeping up with IT enhancements that are continuously widening our attack surface and making systems more vulnerable. As computer software has become the backbone of modern civilization, “hacktivists”, organized cyber criminals, state-sponsored cyber attackers, and terrorist organizations try to exploit design flaws and weaknesses in applications in order to embarrass corporations and government agencies, and to commit fraud.

Despite the high profile CryptoLocker takedown, ransomware scams remain an all-too-real threat. Crooks are developing more sophisticated encryption schemes to support their fraud.

The steady flow of software security issues will keep making headlines in 2015. Serious security flaws will be found in both open source and proprietary software.

There are many people looking for a good process to develop secure software, because after-the-fact band-aiding is not a sustainable approach. If the same methods continue to be used to develop software, with tests added retrospectively, there will only be a very modest reduction in the flow of problems. Processes for developing reliable and secure networking software exist but have yet to be broadly applied. Traditional methods used to develop software continue to result in high failure rates. Why create insecure security?

Year 2014 was a year of cybersecurity after the NSA revelations made in 2013. There were lots of articles related to the published material. Not everything has yet been published, so I would expect new details of the NSA revelations to be published in 2015 as well. So I expect new information leaks on how governmental security organizations spy on us all.

It seems like year 2014 has almost been “The Year of PoS Breaches.” Can We Learn from Big Breaches? At least companies will also face more stringent regulations: the new Payment Card Industry Data Security Standard 3.0 (PCI 3.0) will be mandatory for all businesses that store, process or transmit payment card information beginning 1 January 2015. The revamped standard includes requirements aimed at third party providers. The changes follow a string of high profile breaches. I expect that those new requirements will not result in any quick change to the situation. As more and more breach reports come up constantly, consumers are officially starting to get breach fatigue, and banks are bringing breached companies to court to pay for the damages caused to them.

Public and private organizations are facing an increasing frequency and sophistication of cyber-attacks and security breaches – many of which are only discovered after the fact. McAfee Labs’ 2015 Threats Predictions report is an eye-opening read which forecasts increased levels of crime, espionage and warfare operations. Cybercriminals are expected to use more sophisticated methods to remain hidden on a victim’s network, carrying out long-term theft of data without detection.

The article Get Ready For The Hack Attack That Drives A Big Company Out Of Business predicts that 2015 will be the year some company goes out of business because it didn’t plan adequately for an attack. In the past, the most sophisticated hacks against companies were carried out by big nation-states or criminal organizations. In 2014 the Sony Pictures hack showed that the motives of sophisticated hackers have changed from self-gain to destruction. Many company officers are only now becoming aware of the threat (boards of directors and C-level officers have traditionally been focused on other threats). A computerized attack can cause a lot of damage to a well prepared company, and can turn a not so well prepared company into a complete disaster it can’t recover from. The Sony attack opens new doors of risk in the area of corporate extortion.

As the Internet of Things becomes more and more used, it will be hacked more. Thus the security of the Internet of Things will be talked about more and more. IoT is one field where cyber security flaws can kill. The European Police Office (Europol) said governments are ill-equipped to counter the menace of “injury and possible deaths” spurred by hacking attacks on critical safety equipment. There are many potential dangers in transportation: many new cars are Internet connected and potentially vulnerable, SCADA systems in railways are vulnerable to attack, and airline bosses ignore cyber security concerns at their peril. Whether it is an unintentional cyber incident or a deliberate attack, security continues to be a vital part of the automation industry and it will remain, together with safety, a growing area of concern for manufacturers in the coming years. Security awareness is on the rise throughout the industry. Security is becoming a business enabler that can provide manufacturers more than just an insurance policy.

Soon almost every network will have IoT hacking in it. IDC predicts that within two years 90 per cent of global IT networks will have experienced IoT data theft. In a report, cybersecurity firm Fortinet expects greater threats from “denial of service attacks on assembly line, factory, industrial control systems, and healthcare and building management…resulting in revenue losses and reputation damages for organizations globally.” This opens new doors of risk in the areas of corporate extortion, altering of corporate business operations, and the extension of cyberattacks to include physical threats of harm to civilians.

Cyber warfare is becoming more and more attractive to small nations and terrorist groups. Enabled by Internet connectivity, cyber war provides more bang for the buck than investment in conventional weapons. It is cheaper and far more accessible to these small nation-states than conventional weapons. It allows these countries to pull off attacks with less risk of getting caught and with fewer repercussions when they are caught. There are many reasons why a nation-state or non-state entity would pursue a cyber war program, and today many countries large and small invest in cyber warfare. Recent cyber attacks suggest that fewer resources are required to wage an attack than to defend against one. As the whole world gets connected, it provides exactly the details that make these attacks possible. In the not-too-distant future, warfare with traditional weaponry may take a backseat to potentially more destructive tactics: computer code attacking the companies and infrastructures, including electric grids and oil and gas pipelines, that society relies on.

It was estimated that the first online murder would happen in 2014. As far as I know, it did not happen in 2014. I think it is likely that an online murder could happen in 2015. The tools for it to happen are available. A cyber-murder can happen without us knowing about it.

Mobile devices will be one of the focal points for cyber-attackers in 2015, as they present relatively easy, low-risk points of entry that can be monitored remotely for passwords, account numbers, and personal identification data. It is still relatively easy to publish malicious applications to application stores. Within the next year advanced mobile exploit kits will become available.

Mobile devices will start to play a part in denial of service attacks. Vietnam, India and Indonesia will be the distributed denial of service volcanoes of next year due to the proliferation of pwned mobiles.

Year 2014 brought encryption to mainstream smart phones (new encryption features from Apple Inc. and Google Inc.). In 2015 government organizations will try to tackle a very modern problem: password-protected encrypted cellphones. It will be a fight over surveillance as everyone starts to implement encryption.

Long predicted but always seeming to be “just around the corner,” mobile payments may finally have arrived. The underlying technologies of the coming mobile payment revolution, and alternative solutions, have been emerging for some time. Technologies playing a supporting role in this shift include encryption advances, digital currencies, biometrics, NFC, Bluetooth, QR codes, and even the use of sound wave data transfer. There will also be products marketed to prevent the different kinds of potential threats the new technologies can cause.

There is a never-ending battle between good and evil in the cyber world. Various types of attacks are successful because they are well-disguised, blend different techniques, and constantly evolve. You need Layered Security – It’s Not Just for Networks. Use a layered security architecture that supports a combination of defenses in ways attackers don’t expect and that continuously evolves protections to keep up with dynamic attacks. Traditionally these approaches have been focused on the network, but they can and should be applied to other parts of the IT system as well (start from email gateways). Email is the preferred channel for business communications and thus continues to be a vector of choice for attackers.

Threat Information Sharing Will Become Necessary for Survival. Security controls (SANS Critical Controls, ISO/IEC 27002, the NIST Cybersecurity Framework, and the Cloud Controls Matrix) are safeguards that counteract or minimize security risks relating to digital property. The more you can automate a control, the better off you will be. Moving towards an adaptive and automated way of applying intelligence based on behavior and heuristics is clearly a step in the right direction, enabling a more actionable and relevant set of controls. Threat intelligence coming from a variety of sources (security companies, the government and the open source community) is needed. Key to success is publishing intelligence in a variety of data structures (STIX, TAXII and other standard industry formats) to describe threats in a way that can be aggregated and understood by others.

More and more organizations are moving applications and data to IaaS/PaaS environments. Many enterprise IT departments have reason for concern: industry experts agree that moving sensitive data into the hands of third-party cloud providers expands and complicates the risk landscape in which companies operate every day. You need to understand cloud database security basics and more.

Today major players are embracing end-to-end encryption, so that about 50% of web traffic is carried over HTTPS. HTTPS-everywhere will get a boost in 2015 as a new certificate authority backed by big names on the internet, including Mozilla, Cisco and Akamai, plans to offer SSL certificates at no charge starting in summer 2015. This move will make it even easier for people to run encrypted, secure HTTPS websites.

Google is proposing to warn people that their data is at risk every time they visit websites that do not use HTTPS. If implemented, the change would mean that a warning would pop up when people visited a site that used only HTTP, notifying them that such a connection “provides no data security”. In the short term, the biggest headache is likely to be faced by website operators, who will feel forced to migrate unencrypted HTTP websites to encrypted HTTPS.

You can’t trust that normal web security technologies will guarantee safety. Your HTTPS security will be manipulated more than before. End-to-end HTTPS is generally a good security addition for end users, but it does not solve all the problems. The increased use of HTTPS has made the life of IT departments harder, because normal firewalls can’t look at what is inside encrypted HTTPS packets, so they can’t block potential security threats that are carried within HTTPS packets. There are some special corporate firewall arrangements that can intercept HTTPS traffic (they perform a kind of man-in-the-middle attack that decrypts and re-encrypts the packets on the way). So SSL communications can be intercepted and broken.
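A firewall that refuses to decrypt HTTPS still has one cleartext field to work with in every TLS 1.2 handshake: the Server Name Indication (SNI) extension in the ClientHello, which names the host the client wants. The following is an added example, not code from the original post, showing how a filtering device can parse that field and apply a hostname policy without the decrypt-and-re-encrypt interception described above. The hostnames, the blocklist and the `build_client_hello` helper, which fabricates a minimal ClientHello purely so the parser can be exercised offline, are all constructed for this example.

```python
import struct

TLS_HANDSHAKE = 0x16      # record-layer content type
CLIENT_HELLO = 0x01       # handshake message type
EXT_SERVER_NAME = 0x0000  # SNI extension type (RFC 6066)


def build_client_hello(hostname=None):
    """Fabricate a minimal TLS 1.2 ClientHello record (constructed test data).

    A real client sends many more cipher suites and extensions; this carries
    just enough structure for extract_sni() to walk.
    """
    client_random = bytes(32)              # zeros: constructed value
    session_id = b""
    cipher_suites = b"\xc0\x2f\xc0\x30"     # two ECDHE AES-GCM suites
    compression = b"\x00"                  # null compression only
    extensions = b""
    if hostname is not None:
        name = hostname.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name  # name_type 0 = host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    body = (b"\x03\x03" + client_random
            + bytes([len(session_id)]) + session_id
            + struct.pack("!H", len(cipher_suites)) + cipher_suites
            + bytes([len(compression)]) + compression
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return (bytes([TLS_HANDSHAKE]) + b"\x03\x01"
            + struct.pack("!H", len(handshake)) + handshake)


def extract_sni(record):
    """Return the host_name from a ClientHello's SNI extension, or None.

    Raises ValueError for anything that is not a well-formed ClientHello so
    that a truncated or non-TLS packet is never mistaken for "no SNI".
    """
    try:
        if record[0] != TLS_HANDSHAKE:
            raise ValueError("not a TLS handshake record")
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if len(hs) != rec_len or hs[0] != CLIENT_HELLO:
            raise ValueError("not a ClientHello")
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) != hs_len:
            raise ValueError("truncated ClientHello")
        pos = 2 + 32                                           # client_version + random
        pos += 1 + body[pos]                                   # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]                                   # compression_methods
        if pos == len(body):
            return None                                        # no extensions block
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        if end > len(body):
            raise ValueError("extensions overrun body")
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype != EXT_SERVER_NAME:
                continue
            list_end = 2 + struct.unpack("!H", data[:2])[0]
            p = 2
            while p + 3 <= list_end:
                ntype, nlen = data[p], struct.unpack("!H", data[p + 1:p + 3])[0]
                if ntype == 0:
                    return data[p + 3:p + 3 + nlen].decode("ascii")
                p += 3 + nlen
        return None
    except (IndexError, struct.error) as exc:
        raise ValueError("malformed ClientHello") from exc


def sni_policy(record, blocked_domains):
    """Decide on a connection from its ClientHello without decrypting anything.

    Returns "block" when the SNI host or any parent domain is in the blocklist,
    "allow" otherwise, and "no-sni" when the client sent none (an operator may
    choose to treat that case more strictly).
    """
    host = extract_sni(record)
    if host is None:
        return "no-sni"
    labels = host.lower().split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in blocked_domains:
            return "block"
    return "allow"
```

The policy function deliberately treats a malformed record as an error rather than as "no SNI": a device that silently allows whatever it fails to parse is exactly the gap a layered design is meant to close.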

 

3,110 Comments

  1. Tomi Engdahl says:

    Stop the war between privacy and security – EU data watchdog
    And you don’t have to keep data within national borders. Just be careful with it
    http://www.theregister.co.uk/2015/04/29/stop_the_phoney_war_between_privacy_and_security_begs_eu_data_protection_watchdog/

    Security and privacy are not mutually exclusive says Europe’s privacy watchdog – and people should stop saying they are.

    The European Data Protection Supervisor (EDPS), Giovanni Buttarelli, told a Brussels conference he was concerned that “the objective of cyber-security may be misused to justify measures which weaken protection of [data protection] rights.”

    “Cyber-security must not become an excuse for disproportionate processing of personal data. Let’s not forget that when the European Court of Justice (ECJ) last year found the Data Retention Directive to be invalid, one of the reasons was concern about the inadequacy of the data security provisions in the directive,” he continued.

    Although some commentators interpreted the ECJ ruling to mean that data must be stored within national borders, Buttarelli disagreed.

    “Physical location is not the determining factor in security. Rather, it is degree of control, accountability and responsibility which data controllers demonstrate when processing personal information. They must take full responsibility for all the measures they implement, regardless of the technology they use. Responsibility must not vanish in the clouds,” said the newly appointed EDPS.

    Reply
  2. Tomi Engdahl says:

    Researchers Mount Cyberattacks Against Surgery Robot
    http://hardware.slashdot.org/story/15/04/28/1758208/researchers-mount-cyberattacks-against-surgery-robot

    A group of researchers from University of Washington have tested the security of a teleoperated robotic surgery system created by their colleagues, and have found it severely lacking. “Teleoperated surgical robots will be expected to use a combination of existing publicly available networks and temporary ad-hoc wireless and satellite networks to send video, audio and other sensory information between surgeons and remote robots.”

    Security Experts Hack Teleoperated Surgical Robot
    http://www.technologyreview.com/view/537001/security-experts-hack-teleoperated-surgical-robot/

    The first hijacking of a medical telerobot raises important questions over the security of remote surgery, say computer security experts.

    Reply
  3. Tomi Engdahl says:

    Why Crypto Backdoors Wouldn’t Work
    http://it.slashdot.org/story/15/04/28/2126235/why-crypto-backdoors-wouldnt-work

    Your devices should come with a government backdoor. That’s according to the heads of the FBI, NSA, and DHS. There are many objections, especially that backdoors add massive security risks.

    Would backdoors even be effective, though? In a new writeup, a prominent Stanford security researcher argues that crypto backdoors “will not work.”

    You Can’t Backdoor a Platform
    http://webpolicy.org/2015/04/28/you-cant-backdoor-a-platform/

    According to law enforcement and intelligence agencies, encryption should come with a backdoor. It’s not a new policy position—it dates to the Crypto Wars of the 1990s—but it’s gaining new Beltway currency.

    Cryptographic backdoors are a bad idea. They introduce unquantifiable security risks, like the recent FREAK vulnerability. They could equip oppressive governments, not just the United States. They chill free speech. They impose costs on innovators and reduce foreign demand for American products. The list of objections runs long.

    I’d like to articulate an additional, pragmatic argument against backdoors. It’s a little subtle, and it cuts across technology, policy, and law. Once you see it, though, you can’t unsee it.

    Cryptographic backdoors will not work. As a matter of technology, they are deeply incompatible with modern software platforms. And as a matter of policy and law, addressing those incompatibilities would require intolerable regulation of the technology sector. Any attempt to mandate backdoors will merely escalate an arms race, where usable and secure software stays a step ahead of the government.

    The easiest way to understand the argument is to walk through a hypothetical.

    This hypothetical is already beyond the realm of political feasibility, but keep going.

    Assume the federal government sticks Google with intermediary liability. How will Google (or the government) distinguish between apps that have strong cryptography and apps that have backdoored cryptography?

    There isn’t a good solution. Auditing app installation bundles, or even requiring developers to hand over source code, would not be sufficient. Apps can trivially download and incorporate new code. Auditing running apps would add even more complexity. And, at any rate, both static and dynamic analysis are unsolved challenges—just look at how much trouble Google has had identifying malware and knockoff apps.

    The only solution is an app kill switch. (Google’s euphemism is “Remote Application Removal.”) Whenever the government discovers a strong encryption app, it would compel Google to nuke the app from Android phones worldwide. That level of government intrusion—reaching into personal devices to remove security software—certainly would not be well received. It raises serious Fourth Amendment issues.

    Designing an effective app kill switch also isn’t so easy. The concept is feasible for app store downloads, since those apps are tagged with a consistent identifier. But a naïve kill switch design is trivial to circumvent with a sideloaded app. The developer could easily generate a random application identifier for each download.

    What about browser-based apps? It’s possible to build a secure data store or messaging app that loads entirely over the web, from the user interface to the cryptography library, and gets saved on the user’s device. The requisite web standards are already in place.

    In order to prevent secure data storage and end-to-end secure messaging, the government would have to block these web apps. The United States would have to engage in Internet censorship.

    In order to believe that backdoors will work, we have to believe there is a set of criminals who are smart enough to do all of the following:

    That’s quite a tall order. And yet, these same criminals must not be smart enough to do any of the following:

    It’s difficult to believe that many criminals would fit the profile.

    Reply
  4. Tomi Engdahl says:

    IBM provides online threats analysis in the cloud

    IBM has released an open, cloud-based IBM X-Force Exchange platform, which is a new weapon in the fight against cybercriminals. In addition, IBM will bring threats analytics and technologies for the use of the capacity to accelerate cloud-based service companies to prioritize threats.

    IBM X-Force Exchange currently includes more than 700 terabytes of raw data as well as real-time information security attacks assembled in one place, and the number is growing all the time.

    IBM X-Force Exchange users can take advantage of IBM’s broad security content

    Up to 80 percent of information security attacks are carried out by organized criminal organizations, among which tools, data and know-how are widely shared.

    Similarly, the vast majority, up to 65 percent, of security teams use a number of separate and non-trusted sources to help the struggle against attacks.

    Source: http://www.etn.fi/index.php?option=com_content&view=article&id=2725:ibm-tarjoaa-verkkouhkien-analyysia-pilvessa&catid=13&Itemid=101

    Reply
  5. Tomi Engdahl says:

    Smarter DDoS attacks require smarter DDoS defence
    http://www.cso.com.au/article/568814/smarter-ddos-attacks-require-smarter-ddos-defence/

    If you’re not actively protecting against DDoS attacks, you’re doing your IT security wrong

    You may have once thought distributed denial of service (DDoS) attacks only happened to companies big enough or important enough that someone would bother disrupting their services. But with DDoS frequency and intensity increasing, a security expert has warned, it’s now imperative that every CSO consider how it would handle a DDoS – and introduce pre-emptive measures to deal with them.

    DDoS attacks have evolved rapidly over the years. While early efforts were used mainly by hackers seeking to spoof a target system – using the DDoS to bring down the real system while the second site took its place.
    Today’s DDoS landscape targets a broader range of targets. DDoS capabilities are more casually available through the use of DDoS-as-a-service offerings that allow attackers to rent networks of compromised systems. Their intensity has increased dramatically over the past year due to widespread adoption of reflected and amplified attack techniques that exploit weaknesses in ubiquitous Internet protocols to unleash an avalanche of useless data at targets.

    Attackers are sending repeated enquiries modelled after traditional HTTP requests “so none of these devices have a clue”, Hogue warns, noting that others utilise SSL encryption that is likewise carried through network defences and defence platforms are none the wiser.

    “DDoS has always been a way to manipulate and take advantage of the way a protocol was written, and to abuse it,” he explains, “and the attackers have become smarter in the way they do the attacks.”

    The hybrid defence

    Cloud-based DDoS defences are redefining conventional security defences, offering ways of detecting, intercepting and blocking DDoS attacks before they get out of control. Yet while there is value in moving DDoS protection away from the enterprise, it is also important to tie it to conventional on-premises defences.

    The result of this conflicting requirement, Hogue says, will increasingly be the emergence of hybrid security solutions that combine on-premises tools for endpoint, access control and other security tools with cloud-based services such as those for blocking DDoS attacks.

    “You clearly don’t want to handle everything on premise, but don’t want to handle everything off premise either,” he says. “If it’s a volumetric based attack, the further outside the data centre and closest to the attacker that you can handle it, the better.”

    Reply
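The reflected and amplified floods this comment describes look, flow by flow, like ordinary service responses (DNS answers, NTP replies), which is why they sail through content-based defences; the detectable signal is the aggregate. Below is an added example, not part of the article or the comment and not from any vendor named in them, that runs a simple amplification detector over constructed NetFlow-style records and applies the hybrid placement rule quoted above: floods beyond on-premises capacity are handed to upstream scrubbing, smaller ones are handled locally. Addresses, volumes and thresholds are all constructed values.

```python
from collections import defaultdict

# UDP services commonly abused for reflection/amplification, keyed by source port.
AMPLIFIER_PORTS = {53: "DNS", 123: "NTP", 1900: "SSDP", 19: "CHARGEN", 161: "SNMP"}

# Constructed NetFlow-style records covering a one-minute window (not real traffic).
SAMPLE_FLOWS = []
for i in range(8):  # eight unrelated reflectors all answering toward one victim
    SAMPLE_FLOWS.append({"src": f"203.0.113.{10 + i}", "sport": 123 if i < 6 else 53,
                         "dst": "198.51.100.5", "dport": 40000 + i, "proto": "udp",
                         "bytes": 120_000_000, "packets": 250_000})
for i in range(3):  # three reflectors toward a second host: too few sources to alert
    SAMPLE_FLOWS.append({"src": f"203.0.113.{50 + i}", "sport": 1900,
                         "dst": "198.51.100.7", "dport": 41000, "proto": "udp",
                         "bytes": 200_000_000, "packets": 150_000})
SAMPLE_FLOWS += [
    # ordinary DNS answer to the site's resolver: low volume, single source
    {"src": "192.0.2.53", "sport": 53, "dst": "198.51.100.9", "dport": 51234,
     "proto": "udp", "bytes": 3_200, "packets": 20},
    # ordinary HTTPS session: TCP, so not a reflection candidate at all
    {"src": "192.0.2.80", "sport": 443, "dst": "198.51.100.9", "dport": 52000,
     "proto": "tcp", "bytes": 900_000, "packets": 700},
]


def detect_amplification(flows, window_s=60, min_sources=5, min_mbps=50):
    """Flag destinations receiving high-rate UDP traffic from many amplifier ports.

    Each reflected flow is a plausible service response on its own, so the
    detector keys on the aggregate: many distinct responders, one target, and a
    volume far above anything the target could have requested.
    """
    per_target = defaultdict(lambda: {"bytes": 0, "packets": 0,
                                      "sources": set(), "services": set()})
    for f in flows:
        if f["proto"] != "udp" or f["sport"] not in AMPLIFIER_PORTS:
            continue
        t = per_target[f["dst"]]
        t["bytes"] += f["bytes"]
        t["packets"] += f["packets"]
        t["sources"].add(f["src"])
        t["services"].add(AMPLIFIER_PORTS[f["sport"]])
    alerts = []
    for dst, t in per_target.items():
        mbps = t["bytes"] * 8 / window_s / 1e6
        if len(t["sources"]) >= min_sources and mbps >= min_mbps:
            alerts.append({"target": dst, "mbps": round(mbps, 1),
                           "sources": len(t["sources"]),
                           "services": sorted(t["services"]),
                           "avg_pkt_bytes": t["bytes"] // t["packets"]})
    return sorted(alerts, key=lambda a: -a["mbps"])


def recommend_mitigation(alert, onprem_capacity_mbps=1000):
    """Hybrid placement rule: a flood larger than the on-premises link and
    appliances can absorb must be scrubbed upstream; a smaller one can be
    rate-limited locally by amplifier source port."""
    if alert["mbps"] > onprem_capacity_mbps:
        return "cloud-scrub"
    return "onprem-ratelimit"


if __name__ == "__main__":
    for a in detect_amplification(SAMPLE_FLOWS):
        print(a, "->", recommend_mitigation(a, onprem_capacity_mbps=100))
```

The second target in the sample receives a large volume but from only three sources, so it stays below the `min_sources` bar; tuning that threshold against the site's normal resolver and NTP traffic is what keeps the detector from paging on legitimate bursts.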
  6. Tomi Engdahl says:

    China Censors Facebook.net, Blocks Sites With “Like” Buttons
    http://krebsonsecurity.com/2015/04/china-censors-facebook-net-blocks-sites-with-like-buttons/

    Chinese government censors at the helm of the “Great Firewall of China” appear to have inadvertently blocked Chinese Web surfers from visiting pages that call out to connect.facebook.net, a resource used by Facebook’s “like” buttons. While the apparent screw-up was quickly fixed, the block was cached by many Chinese networks — effectively blocking millions of Chinese Web surfers from visiting a huge number of sites that are not normally censored.

    “Any page that had a Facebook Connect element on it that was unencrypted and visited from within China would instead get this thing which would reload the main page of wpkg.org,”

    Reply
  7. Tomi Engdahl says:

    Mozilla to Remove CA Certificate of Turkish Organization in Firefox 38
    http://www.securityweek.com/mozilla-remove-ca-certificate-turkish-organization-firefox-38

    Mozilla has decided to remove the certification authority (CA) certificate of Turkey-based E-Guven Elektronik Bilgi Guvenligi A.S. due to its failure to provide audit statements.

    Mozilla says CAs must be audited by an independent party every year. However, E-Guven was last audited in October 2013 and even then the verification wasn’t performed as dictated by Mozilla’s CA Certificate Inclusion Policy.

    “I have been communicating these problems to E-Guven for a few months, and I have seen no progress in remediation,”

    The Mozilla community has decided to remove the E-Guven CA certificate in Firefox 38, which is scheduled to be released on May 12.

    “The integrity of the secure Web depends on CAs issuing certificates that correctly attest to the identity of websites. Mozilla products ship a default list of CA certificates, which may change with each security patch or new version of the product,”

    Earlier this month, Mozilla announced its decision to ban new certificates from the China Internet Network Information Center (CNNIC) after the organization issued an unconstrained intermediate certificate to an Egypt-based company that issued unauthorized certificates for several Google domains.

    Reply
  8. Tomi Engdahl says:

    Antivirus Software Weakens HTTPS Security: Researcher
    http://www.securityweek.com/antivirus-software-has-negative-impact-https-security-researcher

    German journalist and researcher Hanno Böck has analyzed three popular antivirus products and determined that each one of them lowers security when they intercept HTTPS traffic.

    Böck was featured in several news articles in February after the world learned that Lenovo had pre-installed a piece of adware known as Superfish on laptops. Superfish came into the spotlight when experts discovered that it broke the security of HTTPS connections in order to inject ads into web pages. After the Superfish incident came to light, Böck revealed that Privdog, a tool promoted by Comodo and designed to replace ads with ones from trusted sources, was “worse than Superfish.”

    All of the three solutions analyzed by Böck — Avast, ESET and Kaspersky Lab — are capable of intercepting HTTPS traffic. By default, Avast intercepts all encrypted traffic, Kaspersky intercepts traffic to certain important websites (e.g. banking sites), and ESET doesn’t intercept any traffic unless the user enables this option.

    Following reports of TLS vulnerabilities such as BEAST, Lucky 13, and FREAK, organizations, particularly browser vendors, have started paying more attention to HTTPS security. However, many products, including antiviruses, still expose users to attacks due to the improper handling of TLS connections.

    The expert also pointed out that none of the security products he tested intercept traffic when Extended Validation (EV) certificates are used, most likely because it would cause browsers not to display the green bar in the address line. Antivirus companies often advise users to check for the presence of the green bar and the padlock icon next to a site’s URL to ensure that a website is legitimate, so causing the security symbol not to be displayed would probably cause concern.

    “The message the antivirus companies are sending seems clear: If you want to deliver malware from a web page you should buy an Extended Validation certificate,” Böck said.

    The researcher noted that while modern web browsers handle TLS connections properly, the use of these antivirus applications actually lowers HTTPS security.

    “I think these technologies are a misguided approach. The problem is not that they make mistakes in implementing these technologies, I think the idea is wrong from the start. Man in the Middle used to be a description of an attack technique,” the researcher said.

    Reply
  9. Tomi Engdahl says:

    OSINT Alone Does NOT Equal Threat Intelligence
    http://www.securityweek.com/osint-alone-does-not-equal-threat-intelligence

    I heard from Forrester’s Rick Holland this week in his brief “Threat Intelligence is Like Three Day Potty Training,” a couple big insights emerged from the intersection of my data and Rick’s very thoughtful observations:

    Many businesses right now think Open Source Intelligence (OSINT) is the totality of threat intelligence and many are willing to pay handsomely for this latest fashion trend without any real notion of how or why to put it to work.

    In other words, as I listened to one after another vendor and solution seeker alike, each seemed to convey that gaining usable intelligence on potential cyber threats facing businesses was best accomplished by focusing on data that’s freely available on the uppermost parts of the internet each and every day. And they seemed very willing to pay for tools to exploit it in spades based almost solely on the shiny labels.

    As Rick points out, and as I observed first hand on the floor, many companies get stuck in the immature, “low-hanging-fruit-grab” period of their threat intelligence development. The attractive, available lure of OSINT is all too gratifying to pass up.

    In particular, making use of threat intelligence in your cyber defenses to…

    • Raise cross-organizational situational awareness

    • Manage risks across your internal org and supply chain

    • Speed response (and pre-response) to incidents

    • Prioritize effective use of tactical cyber solutions

    • Collaborate, budget and strategize around cyber defense

    • Educate and inform your workforce

    …involves a whole lot more than just OSINT.

    The web and all its blogs, sites, social media posts, memes and cat videos is a treasure trove of information. Well, sometimes.

    Effective threat intelligence involves comprehensive, continuous collection and analysis of the right data sources, from both inside your organization and out, and combining that with a high degree of relevancy to your specific business profile and characteristics. It’s an approach from many levels and angles. It’s the cliched 360 degrees and three dimensions.

    OSINT tools and sources alone only give you a limited view into what you need to know to accomplish a proactive, effective cyber risk management function that helps better protect your business, its financial interests, brand and reputation, partners and customers and information technology baselines.

    Effective threat intelligence requires a data collection and analysis approach across all the below…just for starters:

    • OSINT – Websites, blogs, forums, breach databases, exploit databases, malware, vulnerability, Dark Web sources and myriad others

    • Your Own Evaluated Threat Data – Your own team’s low-level data that’s confirmed as “real” or relevant and diligently recorded, analyzed (e.g. found Trojans or confirmed SNORT hits)

    • Highly-Focused, Highly-Relevant Data Feeds – Commercial phishing feeds, patch management updates, Spam analytics, AV/AM, Government alerts and indicators

    • Partner and Supply Chain Data – Extending reporting, sharing and data collection from your own “Private ISAC”

    • SIEM Information – Evaluated events from SIEM analysis and exploration

    • TIP Data – HUMINT analysis and other alerts, low-level data from “traditional” Threat Intelligence Platforms that can be confirmed as relevant threat events

    The bottom line? If it isn’t comprehensive, perspicacious and relevant, it’s mostly useless.

    Reply
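The body's point about sharing threat intelligence in standard structures (STIX, TAXII) and this comment's point that OSINT alone is not enough come down to the same mechanics: normalise indicators from every source into one structure, record which sources agree, and weight what your own team has confirmed above what a feed merely asserts. The following is an added example, not code from the article, the commenter or any vendor; the STIX-like JSON, the CSV feed, the internal hit and the proxy log lines are all constructed, and the pattern syntax is a simplified imitation of STIX comparison patterns, not an implementation of the specification.

```python
import csv
import io
import json
import re

# --- Constructed inputs (not real feeds) -------------------------------------
# A STIX-style JSON bundle with two indicators, loosely modelled on STIX
# comparison patterns.
STIX_FEED = json.dumps({"type": "bundle", "objects": [
    {"type": "indicator", "pattern": "[domain-name:value = 'login-update.example']",
     "confidence": 60},
    {"type": "indicator", "pattern": "[ipv4-addr:value = '203.0.113.77']",
     "confidence": 40},
]})
# A commercial phishing feed delivered as CSV (note the mixed-case domain).
CSV_FEED = "type,value,confidence\ndomain,Login-Update.example,80\nip,198.51.100.23,30\n"
# The team's own evaluated data: one indicator confirmed by an IDS hit.
INTERNAL_HITS = [{"type": "domain", "value": "login-update.example", "confidence": 100}]
# Constructed proxy log lines: timestamp, client, destination host, request.
PROXY_LOG = [
    "2015-04-29T10:01:02 10.0.0.5 login-update.example GET /auth",
    "2015-04-29T10:01:09 10.0.0.8 www.example.org GET /",
    "2015-04-29T10:02:33 10.0.0.5 203.0.113.77 POST /upload",
]

STIX_PATTERN = re.compile(r"\[(domain-name|ipv4-addr|url):value\s*=\s*'([^']+)'\]")
STIX_TYPES = {"domain-name": "domain", "ipv4-addr": "ip", "url": "url"}


def parse_stix(text, source):
    """Normalise simple STIX-style indicators into the common record shape."""
    out = []
    for obj in json.loads(text)["objects"]:
        m = STIX_PATTERN.fullmatch(obj.get("pattern", ""))
        if obj.get("type") == "indicator" and m:
            out.append({"type": STIX_TYPES[m.group(1)], "value": m.group(2).lower(),
                        "source": source, "confidence": obj.get("confidence", 50)})
    return out


def parse_csv(text, source):
    """Normalise a CSV feed (type,value,confidence) into the common record shape."""
    return [{"type": row["type"], "value": row["value"].lower(), "source": source,
             "confidence": int(row["confidence"])}
            for row in csv.DictReader(io.StringIO(text))]


def merge_indicators(*lists):
    """Aggregate every source: one entry per (type, value), sources unioned and
    the highest confidence kept, so an OSINT indicator that the team has also
    confirmed outranks one seen only in a feed."""
    merged = {}
    for ind in (i for lst in lists for i in lst):
        key = (ind["type"], ind["value"])
        entry = merged.setdefault(key, {"type": ind["type"], "value": ind["value"],
                                        "sources": set(), "confidence": 0})
        entry["sources"].add(ind["source"])
        entry["confidence"] = max(entry["confidence"], ind["confidence"])
    return merged


def match_logs(merged, log_lines):
    """Return log hits against the merged set, highest confidence first."""
    hits = []
    for line in log_lines:
        for token in line.lower().split():
            for itype in ("domain", "ip"):
                entry = merged.get((itype, token))
                if entry:
                    hits.append({"line": line, "value": token,
                                 "sources": sorted(entry["sources"]),
                                 "confidence": entry["confidence"]})
    return sorted(hits, key=lambda h: -h["confidence"])


def build_merged():
    """Combine the constructed feeds with the team's own confirmed data."""
    internal = [dict(h, source="internal") for h in INTERNAL_HITS]
    return merge_indicators(parse_stix(STIX_FEED, "stix-feed"),
                            parse_csv(CSV_FEED, "csv-feed"), internal)
```

Run against the sample log, the internally confirmed domain surfaces first with three agreeing sources, while the address known only from one feed is reported at its feed confidence; that ordering is the relevance the comment argues OSINT by itself cannot provide.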
  10. Tomi Engdahl says:

    Mass Email Service SendGrid Confirms Data Breach
    http://www.securityweek.com/mass-email-service-sendgrid-confirms-data-breach

    Customers of SendGrid, the cloud-based email platform used to deliver over 18 billion emails each month, are advised to change their passwords and enable two-factor authentication (2FA) on their accounts following a data breach.

    On April 9, the New York Times reported that the SendGrid account of Bitcoin wallet service Coinbase was hijacked and used to send out phishing emails designed to trick recipients into transferring their Bitcoins to the cybercrooks.

    SendGrid revealed that an employee’s account had been compromised and used to access several internal systems on three occasions in February and March.

    According to the mass email service, the compromised systems stored usernames, email addresses, and passwords (hashed and salted) belonging to SendGrid employees and customers.

    Reply
  11. Tomi Engdahl says:

    HTTP/2 is coming, are you ready?

    The HTTP protocol is the cornerstone of the web, but the truth is that the previous protocol, i.e. HTTP 1.1, standardized already in 1999, is obsolete.

    The new protocol promises more speed and better protected connections to Web users.

    Currently, HTTP/2 is nearing completion. The IETF, or Internet Engineering Task Force, promises to soon release the new version of the protocol as an RFC standard.

    According to IDG Research, only 2.4 per cent of Internet sites use the new protocol at this time. Among Web developers, its popularity is in a completely different class.

    For service providers and organizations, HTTP/2 means a large upheaval. Because future versions of Internet Explorer, Firefox and Chrome will only support HTTP/2 in its TLS-encrypted form, they need to encrypt their traffic if they want to share their content with billions of users at all.

    Source: http://www.etn.fi/index.php?option=com_content&view=article&id=2748:http-2-tulee-oletko-valmis&catid=13&Itemid=101

    Reply
  12. Tomi Engdahl says:

    Hacking a Thin Client to Gain Root Access
    http://hackaday.com/2015/04/29/hacking-a-thin-client-to-gain-root-access/

    [Roberto] recently discovered a clever way to gain root access to an HP t520 thin client computer. These computers run HP’s ThinPro operating system. The OS is based on Linux and is basically just a lightweight system designed to boot into a virtual desktop image loaded from a server. [Roberto’s] discovery works on systems that are running in “kiosk mode”.

    Reply
  13. Tomi Engdahl says:

    Race Conditions Exploit Granted Free Money on Web Services
    http://hackaday.com/2015/04/29/race-conditions-exploit-granted-free-money-on-web-services/

    [Josip] has been playing around with race conditions on web interfaces lately, finding vulnerabilities on both Facebook and Digital Ocean. A race condition can occur when a piece of software processes multiple threads using a shared resource.

    For example, [Josip] discovered that he was able to manipulate page reviews using just a single Facebook account.

    It took Facebook approximately two months to fix this vulnerability, but in the end it was fixed and [Josip] received a nice bounty.

    The Digital Ocean hack was essentially the exact same process. This time instead of hacking page reviews, [Josip] went after some free money. He found that he was able to submit the same promotional code multiple times

    Reply
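    The bug class [Josip] found is a check-then-act race: two requests read "code not yet used" before either records the redemption. The following is an added example (not code from the Hackaday post or from Facebook or Digital Ocean) that models a promotional-credit endpoint with constructed names (`VulnerableWallet`, `SafeWallet`, `hammer`) and fires concurrent redemption attempts at both versions so the double credit can be observed and the fix verified.

```python
"""Check-then-act race in a promo-code redemption flow, and the hardened form.

Added example with constructed class and function names; it is not the
vulnerable code from the post, only a model of the same bug class.
"""
import threading
import time

CREDIT_PER_CODE = 10


class VulnerableWallet:
    """The membership check and the 'mark as used' step are separate operations.

    Concurrent requests can all pass the check before any of them records the
    code as used, so one code is credited several times.
    """

    def __init__(self):
        self.used_codes = set()
        self.balance = 0

    def redeem(self, code):
        if code in self.used_codes:          # check
            return False
        time.sleep(0.001)                    # simulated DB round-trip widens the window
        self.used_codes.add(code)            # act
        self.balance += CREDIT_PER_CODE
        return True


class SafeWallet:
    """Check and act happen under one lock, so only the first request wins.

    In a real service the equivalent is a unique constraint on (code, account)
    or an atomic conditional UPDATE, not an in-process lock.
    """

    def __init__(self):
        self.used_codes = set()
        self.balance = 0
        self._lock = threading.Lock()

    def redeem(self, code):
        with self._lock:
            if code in self.used_codes:
                return False
            time.sleep(0.001)
            self.used_codes.add(code)
            self.balance += CREDIT_PER_CODE
            return True


def hammer(wallet, code, n_requests=20):
    """Start n_requests threads that redeem the same code at the same moment.

    Returns how many redemptions were reported as successful; a correct
    implementation returns exactly 1.
    """
    results = []
    barrier = threading.Barrier(n_requests)   # release all threads together

    def worker():
        barrier.wait()
        results.append(wallet.redeem(code))

    threads = [threading.Thread(target=worker) for _ in range(n_requests)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(1 for r in results if r)


if __name__ == "__main__":
    v, s = VulnerableWallet(), SafeWallet()
    print("vulnerable successes:", hammer(v, "WELCOME10"), "balance:", v.balance)
    print("safe successes:      ", hammer(s, "WELCOME10"), "balance:", s.balance)
```

    The test to look for when reviewing such an endpoint is exactly `hammer`: concurrent identical requests against one account. If the credited balance depends on timing, the check and the write are not atomic, whatever the single-request behaviour looks like.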
  14. Tomi Engdahl says:

    ‘Security has failed’: Exclusive preview of RSA president’s conference keynote
    http://fortune.com/2015/04/21/rsa-conference-amit-yoran-keynote/

    RSA president Amit Yoran’s first RSA Conference keynote address calls the industry to arms.

    “The security industry is failing,” Yoran tells Fortune, taking a pause before delivering a knockout blow. “It has failed.”

    Indeed, it’s hard to argue otherwise. Last year there were 738 data breaches, according to the Identity Theft Resource Center, which represents a more than 25% increase over the year prior. Those figures don’t exactly indicate a success.

    “If I could come up with a theme for this year’s conference it would be: No More of the Same,” Yoran says. In fact, the theme of this year’s conference is—as though pulled from another presidential campaign playbook—Change.

    “Let’s do things differently; let’s think differently; let’s act differently. Because what the security industry has been doing has not worked.”

    Now he’s fed up, it seems. Companies have failed to adapt to today’s assiduous threats, he says.

    “If we don’t succeed and turn the current paradigm around, I think there is a catastrophic situation for technology in general,” Yoran says. “We have to win. There is no alternative.”

    “We need to stop thinking of taller castle walls and deeper moats,” he says. Complex passageways and nifty windows won’t work either—no matter how high one builds or how deep one digs, attackers will still get through. “At the end of the day, even if you use next generation protective measures, focused adversaries with the resources, with the time, with the skill, and that have a defined objective of breaking into your organization are still going to get in,” he says.

    Not to alarm anyone, but they’re probably already inside, he adds.

    So should we all just roll over and accept defeat? Yoran answers with an emphatic No.

    Clearly knowing his audience, Yoran supplies his guidance in the form of “5 things to know”—a favorite Fortune format. Here they are:
    1.) Know your environment.
    2.) Know your users.
    3.) Know your adversaries.
    4.) Know your priorities.
    5.) Know your weaknesses.

    Of course, do that. But don’t lull yourself into a false sense of security by believing the marketing or hype.—that just because you’ve done X, Y, Z, you can sleep well at night.

    Reply
  15. Tomi Engdahl says:

    Broadcasting Your Attack: Security Testing DAB Radio in Cars
    https://www.blackhat.com/us-15/briefings.html#broadcasting-your-attack-security-testing-dab-radio-in-cars

    Digital Audio Broadcasting (DAB) radio receivers can be found in many new cars and are in most cases integrated into an IVI (In-Vehicle Infotainment) system, which is connected to other vehicle modules via the CAN bus. Therefore, any vulnerabilities discovered in the DAB radio stack code could potentially result in an attacker exploiting the IVI system and pivoting their attacks toward more cyber-physical modules such as those concerned with steering or braking.

    complex protocol capabilities of DAB and DAB+

    Software Defined Radio in conjunction with open source DAB transmission software to develop our security testing tool (DABble).

    Reply
  16. Tomi Engdahl says:

    Internet Plumbing for Security Professionals: The State of BGP Security
    https://www.blackhat.com/us-15/briefings.html#internet-plumbing-for-security-professionals-the-state-of-bgp-security

    The underbelly of the Internet has been in a precarious condition for a while now. Even with all the knowledge about its weaknesses, we only make slow progress in implementing technology to secure it. We see BGP routing leaks on a regular basis. It almost feels like we take it for granted but at the same time it undermines our trust in the Internet.

    If we want to keep trust in “The Internet of Things,” we first have to build trust in the network that powers it.

    Reply
  17. Tomi Engdahl says:

    Secret Sunset
    https://medium.com/secret-den/sunset-bc18450478d5

    After a lot of thought and consultation with our board, I’ve decided to shut down Secret.

    This has been the hardest decision of my life and one that saddens me deeply. Unfortunately, Secret does not represent the vision I had when starting the company,

    product that was used by over 15 million people and pushed the boundaries of traditional social media.

    I believe in honest, open communication and creative expression, and anonymity is a great device to achieve it. But it’s also the ultimate double-edged sword, which must be wielded with great respect and care.

    Building a safe, anonymous community
    https://medium.com/secret-den/building-a-safe-anonymous-community-a234071aed64

    Reply
  18. Tomi Engdahl says:

    JP Morgan bank bod accused of flogging customer account info
    FBI snitch exposes alleged account-emptying scam
    http://www.theregister.co.uk/2015/04/29/jp_morgan_banker_charged/

    The FBI has charged a former JP Morgan employee with selling customer information to thieves who wanted to empty accounts without triggering any alarms.

    Reply
  19. Tomi Engdahl says:

    Google polishes Chrome security with Password Alert
    Hang out the ‘Gone Phishing’ sign and relax
    http://www.theregister.co.uk/2015/04/30/google_polishes_chrome_security_with_password_alert/

    Google’s seen way too much phishing, it seems, so the Chocolate Factory has pushed out a Chrome extension to catch attacks against accounts on Google domains.

    Mountain View reckons two per cent of Gmail messages are phishing attempts, and a well-constructed attack can have a 47 per cent success rate.

    Outlined here, the Password Alert extension will warn users if they type their Google password into a non-Google domain. There’s also a Google for Work server which, among other things, would help alert sys admins if someone mounts a targeted attack campaign against their business.

    If a user is successfully phished, Password Alert tells them they need to reset their password, as illustrated in the image at the top of the story.

    The extension needs to remember a hashed version of the user’s password (referred to as a fingerprint), but Google promises that it won’t ever share the password (and, after all, storing it locally means there’s no need for the extension to phone home).

    Reply
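    The mechanism described in the article, keeping only a salted hash of the password and comparing it against what the user types on non-Google domains, can be modelled in a few lines. The following is an added example, not Google's Password Alert code: the class name `PasswordAlert`, the trusted-domain list, the choice of PBKDF2 and the decision to store the password length alongside the fingerprint are all assumptions made here to show why such an extension never needs the cleartext password or a network call.

```python
"""Model of a typed-password detector that stores only a salted fingerprint.

Added example; not the Password Alert extension's own code. Names, the
trusted-domain list and the hashing parameters are assumptions.
"""
import hashlib
import hmac
import os

# Assumed: hosts where typing the password is expected and must not alert.
TRUSTED_DOMAINS = ("google.com",)


class PasswordAlert:
    def __init__(self, password, iterations=1000):
        # Random per-install salt so the fingerprint cannot be precomputed.
        self.salt = os.urandom(16)
        self.iterations = iterations
        # Assumption: the window length is stored so the check knows how many
        # recent keystrokes to hash; the password itself is discarded.
        self.length = len(password)
        self.fingerprint = self._digest(password)
        self.buffer = ""
        self.alerts = 0

    def _digest(self, text):
        # Slow salted hash; iterations kept low so per-keystroke checks stay cheap.
        return hashlib.pbkdf2_hmac("sha256", text.encode("utf-8"),
                                   self.salt, self.iterations)

    @staticmethod
    def is_trusted(host):
        host = host.lower()
        return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

    def on_keystroke(self, host, ch):
        """Feed one typed character. Returns True when the password was just
        typed on an untrusted host (the point where the user should be told to
        reset it)."""
        if self.is_trusted(host):
            self.buffer = ""             # never accumulate on legitimate hosts
            return False
        self.buffer = (self.buffer + ch)[-self.length:]
        if len(self.buffer) == self.length and hmac.compare_digest(
                self._digest(self.buffer), self.fingerprint):
            self.buffer = ""
            self.alerts += 1
            return True
        return False

    def type_text(self, host, text):
        """Simulate typing a whole string on host; True if any keystroke alerted."""
        return any([self.on_keystroke(host, ch) for ch in text])


if __name__ == "__main__":
    pa = PasswordAlert("correct horse battery")           # constructed sample
    print("login page:", pa.type_text("accounts.google.com", "correct horse battery"))
    print("look-alike:", pa.type_text("accounts-google.example",
                                      "user: me pass: correct horse battery"))
```

    Two properties are worth noting. The comparison is constant-time (`hmac.compare_digest`) and the buffer is cleared on trusted hosts, so the sliding window cannot carry part of a legitimately typed password across to another site. The trade-off of storing the length is a small information leak about the password, which is why the salt and hash should never leave the device.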
  20. Tomi Engdahl says:

    Facebook serves up shaved, pierced, tattooed ‘butterfly’ as CAPTCHA
    A devilish failure of image recognition algos at The Social Network™
    http://www.theregister.co.uk/2015/04/30/facebook_serves_up_shaved_pierced_tattooed_butterfly_as_captcha/

    “We sometimes use visual CAPTCHAs to help people validate their activity on Facebook more easily than text versions, and we use a set of filters to help remove objectionable images from appearing. One of those images mistakenly appeared in this case”

    Reply
  21. Tomi Engdahl says:

    How One Tweet Wiped $8bn Off Twitter’s Value
    http://news.slashdot.org/story/15/04/29/1830243/how-one-tweet-wiped-8bn-off-twitters-value

    Someone mistakenly published earnings information on a Nasdaq-run investor relations page for Twitter before the company officially released the news and it sent the stock into a tailspin.

    How one tweet wiped $8bn off Twitter’s value
    http://www.bbc.com/news/technology-32511932

    By any measure, Twitter hit particularly rough conditions on Tuesday night, which sent its share price into a tailspin.

    At one point in the final hours of trading, the stock had lost more than $8bn (£5bn), or 25% of its opening price.

    It seems investors were spooked by the early and unintended publication of earnings results that should have been presented after the markets had closed.

    So how did that happen, and why did it result in Twitter’s worst day on the markets since its flotation?

    somebody thought it would be a good idea to release this information early, on the technology-led Nasdaq-run investor relations page for Twitter.

    Initially it seemed no-one really noticed the error, until a well-placed tweet highlighted the mistake and revealed Twitter’s disappointing results.

    The markets were still trading, and Twitter had not had the chance to formally present its results in a statement that would have bathed them in a more flattering light.

    How come Selerity got the news early, and who are they anyway?

    Shares in Twitter lost 6% before trading in the stock was momentarily suspended.

    So who is to blame?

    Well, it seems that Nasdaq slipped up here after Twitter furnished the exchange with earnings details ahead of time ready for official publication.

    It is like someone breaking an embargo on a news story.

    The key factor in Tuesday evening’s fiasco was that Selerity’s automatic computer programs, called bots, which scan the web for juicy financial details, were able to find the mistake so quickly.

    Selerity then made sure that everyone knew about it through Twitter’s own platform, but it did not break any rules in doing so as the results had already been published and were effectively in the public arena.

    Nasdaq blamed the error on a division of its business called Shareholder.com, which provides investor relations services.

    Was the tweet the only reason Twitter stock crashed?

    No. The results were fairly disappointing

    Reply
  22. Tomi Engdahl says:

    Topic Teardown: Connected Cars’ Pros & Cons
    http://www.eetimes.com/document.asp?doc_id=1326452&

    When it comes to potential threats posed by connectivity, security experts and industry analysts are no longer mincing their words. Unauthorized access or remote hijacking of a vehicle might be only a theoretical risk for today’s cars. But in the connected car of the future, it’s a distinct, real-world threat.

    “But those of us who have been around the block know” the industry’s drive for higher integration will eventually take over. Vendors want to cut cost, Williams said. “We’ve seen [the trend for integration] happen in airplanes, medical devices and other connected system designs.” As a result, he cautioned, “Many of the features and controls will be hosted by one computer, and those functions — traditionally separated by physical knobs and air gaps — are being replaced by software.”

    Once that happens, a hacker who gets into a trivial system like the car radio could seize control of the brakes, or any other system, he explained. At that point, the risk of connected cars is no longer hypothetical.

    Reply
  23. Tomi Engdahl says:

    Secret Shuts Down Because Anonymity Makes People Mean
    http://www.wired.com/2015/04/secret-shuts-down/

    Just 16 months after founding the anonymous message board app Secret, founder David Byttow seems to have realized what the rest of us have known all along: anonymity online turns people into total assholes. Guess some of us just need $35 million in funding to figure that out.

    And so, in a brief post on Medium today, Byttow announced he would be shutting down the app, which struck a nerve with the Silicon Valley set when it launched early last year but has struggled to keep pace with fellow anonymity apps like Yik Yak in recent months.

    “I believe in honest, open communication and creative expression, and anonymity is a great device to achieve it,” Byttow wrote. “But it’s also the ultimate double-edged sword, which must be wielded with great respect and care.”

    Reply
  24. Tomi Engdahl says:

    Internet Explorer is cracking down on misleading ads before it dies
    http://www.theverge.com/2015/4/29/8518723/internet-explorer-microsoft-misleading-ads

    Even as it readies to effectively kill the brand, Microsoft is trying to make Internet Explorer a more palatable browsing option, yesterday detailing plans to crack down on misleading ads. As of June 1st, the browser will notify users with a warning when a site features an ad that contains malicious code, content that pretends to be part of the site itself, or directs them towards misleading downloads. In a blog post, Microsoft detailed its new unwanted software evaluation criteria, explaining how it determined whether ads were designed with the intention to mislead or deceive users.

    Cleaning up misleading advertisements
    http://blogs.technet.com/b/mmpc/archive/2015/04/28/cleaning-up-misleading-advertisements.aspx

    Advertisements: The advertisement should not mislead you into visiting another site or downloading files.

    Advertisements shown to a user:

    Must not mislead or deceive, or confuse with the intent to mislead or deceive
    Must be distinguishable from website content
    Must not contain malicious code
    Must not invoke a file download

    Reply
  25. Tomi Engdahl says:

    SHA-1 crypto hash retirement fraught with problems
    Bumbling duffers using WinXP and old Android releases aren’t helping
    http://www.theregister.co.uk/2015/04/30/sha_2_migration_headaches/

    The road towards phasing out the ageing SHA-1 crypto hash function is likely to be littered with potholes, security experts warn.

    The ageing SHA-1 protocol – published in 1995 – is showing its age and is no longer safe from Collision Attacks, a situation where two different blocks of input data throw up the same output hash. This is terminal for a hashing protocol, because it paves the way for hackers to offer manipulated content that carries the same hash value as pukka packets of data.

    Certificate bodies and others are beginning to move on from SHA-1 to its replacement, SHA-2. Microsoft announced its intent to deprecate SHA-1 in Nov 2013.

    More recently, Google joined the push with a decision to make changes in the latest version of its browser, Chrome version 42, so that SHA-1 certificates are flagged up as potentially insecure.

    Ken Munro, a director at security consultancy Pen Test Partners, warned that this type of behaviour creates the danger that while SHA-2 is being phased in, trust in certificates will suffer. “The risk of not updating could see users learn not to trust your site (reduced custom) or could encourage them to accept less-than-perfect encryption or even invalid certificates,” Munro explained.

    Just updating to SHA-2 is not as simple as it might seem, because of compatibility issues with Android and Windows XP. More specifically, Android before 2.3 and XP before SP3 are incompatible with the change.

    Around one per cent of devices used for Google Play are still <2.3 (Froyo) or below.

    "The fact that SHA-2 can’t be used with older browsers and OS’s means that untrusted certificate warnings are going to become commonplace,"

    "There are plenty of other systems out there that are unlikely to ever accept SHA-2: what about the web interfaces for SCADA and other industrial control systems? What about other highly customised environments in the military: fire control systems built on old hardened versions of Windows XP?"

    Reply
  26. Tomi Engdahl says:

    Windows XP Support Deal Not Renewed By UK Government, Leaves PCs Open To Attack
    http://news.slashdot.org/story/15/04/30/0156245/windows-xp-support-deal-not-renewed-by-uk-government-leaves-pcs-open-to-attack

    The government’s one-year £5.5m Windows XP support deal with Microsoft has not been extended, sources have told V3

    Windows XP support deal not renewed by government, leaves PCs open to attack
    http://www.v3.co.uk/v3-uk/news/2406304/windows-xp-government-support-deal-ends-leaving-pcs-open-to-attack

    The government has not renewed its £5.5m Windows XP support deal with Microsoft despite thousands of computers across Whitehall still running the ancient software, leaving them wide open to cyber attacks.

    The contract was negotiated last year between Microsoft and the Crown Commercial Service (CCS), which is part of the Cabinet Office, to provide one year’s additional support after the general support deadline for XP expired.

    The CCS made it plain at the time that it would not renew the deal, and urged all departments to ensure that they migrated in time.

    “It is important to note that there are no plans to negotiate a further national extension of XP support beyond April 2015,”

    “It is therefore essential that all NHS organisations put in place robust plans to migrate away from Windows XP, Office 2003 and Exchange 2003 by that date.”

    the source said, indicating that many government computers are still running Windows XP and risking the inherent security threats.

    The Metropolitan Police Service (MPS) is currently negotiating a support deal after it was revealed that the organisation still has 35,000 laptops and desktops running XP.

    “The failure by government to move on from Windows XP shows a troubling lack of regard for security.”

    Reply
  27. Tomi Engdahl says:

    Facebook’s forced API switch could bork devs’ connected apps
    Move comes as social network looks to gain more trust from users
    http://www.theinquirer.net/inquirer/news/2406523/facebooks-forced-api-switch-could-bork-devs-connected-apps

    THE SOCIAL NETWORK Facebook is migrating to Graph API v2.0 today, giving users more granular control over the data they give to developers.

    Users were previously forced to share details, such as information about friends, when signing up to a new Facebook-connected app.

    Graph API v2.0, which comes with the slogan ‘Your Facebook. You’re in charge,’ means that it’s no longer a requirement to share such details, in a sign that the social network is looking to gain more trust.

    Apps do not have to delete data they have already collected, but Facebook will have to comply if someone asks that their data be removed.

    Facebook said that the new API, which was announced a year ago, has already resulted in apps asking for half as many permissions, and an 11 percent increase in log-ins to apps through Facebook.

    Reply
  28. Tomi Engdahl says:

    The CISO’s Worst Nightmare: Data Breach
    http://www.cio.com/article/2914837/data-breach/the-ciso-s-worst-nightmare-data-breach.html

    A data breach may be the worst thing any CISO could imagine for their business.

    There are certain words and phrases that strike fear in particular situations. For the parent, it is a phone call that begins, “There’s been an accident.” For a person in a relationship, it is the conversation that starts, “We need to talk.” For the politician running for president, it is hearing, “There’s a video.” And for the CISO, there are two words that create panic: “Data breach.”

    The term “data breach” is pretty broad, however, and is used to cover almost any kind of cyber security incident.

    Who discovers the data breach?

    The first concern is the person who is delivering the news about the data breach. The majority of companies learn of their data breach from an outside source, Krehel explained. “The company is either unable to detect the breach on its own, or the security tools aren’t doing their job,” he said.

    The corollary to who discovers the breach is in what department the breach occurred.

    How do we handle the data breach?

    The second concern is cyber intelligence. “When a breach happens, your main goal is to get rid of the enemy who has entered your network,” Krehel said. Most companies have the cyber security tools and technology supposed to prevent a breach, but too many don’t have the cyber intelligence necessary to respond to the emergency. Too often, in the act of responding to a security crisis, the situation ends up being made worse because employees don’t have the skillset to handle it. “People are trained on what to do when a network goes down, but they aren’t trained on what to do if a network is breached.”

    Reply
  29. Tomi Engdahl says:

    Emil Protalinski / VentureBeat:
    Mozilla wants to deprecate non-secure HTTP, will make proposals to W3C ‘soon’
    http://venturebeat.com/2015/04/30/mozilla-wants-to-deprecate-non-secure-http-will-make-proposals-to-w3c-soon/

    Mozilla today announced its intent to phase out non-secure HTTP, and that it will be making some proposals to the W3C WebAppSec Working Group soon. Specifically, the company says it is committed to “new development efforts on the secure web and to start removing capabilities from the non-secure web.”

    Richard Barnes, Firefox’s security lead, emphasized the company needs to work with the broader Internet community to achieve this ambitious objective. “Since the goal of this effort is to send a message to the web developer community that they need to be secure, our work here will be most effective if coordinated across the web community,” Barnes said, and then outlined Mozilla’s plans as two-fold, though details on how exactly Firefox will be impacted are still unclear.

    First, Mozilla is hoping to set a date after which all new browser features will be available only to secure websites. Barnes notes that the community needs a definition for what features are considered “new,” but the general gist is to only allow them for HTTPS sites.

    Secondly, Mozilla wants to gradually phase out access to browser features for non-secure websites (especially those that pose risks to users’ security and privacy). This will naturally need to be driven by trade-offs between security and web compatibility,

    Reply
  30. Tomi Engdahl says:

    Transition to IP network creates cybersecurity challenges for FAA
    http://www.networkworld.com/article/2910457/security0/transition-to-ip-network-creates-cybersecurity-challenges-for-faa.html

    FAA needs to bolster cybersecurity of Nation’s air traffic control system

    The Internet hasn’t totally invaded the nation’s air traffic control system, but as it does the Federal Aviation Administration faces a growing challenge to make sure the network is locked down secure.

    The security issues arise as the agency moves from a point-to-point legacy air traffic control structure to a new IP-based system commonly known as NextGen or Next Generation Air Transportation System. NextGen in a nutshell will move the current radar-based air traffic system to one that is based on satellite navigation and automation.

    According to FAA, so far, approximately 36% of the air traffic control systems in the national airspace system (NAS) are connected using IP, and FAA officials expect the percentage of NAS systems using IP networking to grow to 50 to 60% by 2020.

    According to researchers with MITRE and other experts, this hybrid system is the FAA’s first challenge as a system made up of both IP-connected and point-to-point subsystems increases the potential for the point-to-point systems to be compromised because of the increased connectivity to the system as a whole provided by the IP-connected systems, the GAO stated.

    Reply
  31. Tomi Engdahl says:

    Facebook admits it tracks non-users, but denies claims it breaches EU privacy law
    http://www.theguardian.com/technology/2015/apr/10/facebook-admits-it-tracks-non-users-but-denies-claims-it-breaches-eu-privacy-law

    Social network claims privacy report commissioned by the Belgian privacy watchdog ‘gets it wrong multiple times’ over what Facebook does with user data

    Facebook has admitted that it tracked users who do not have an account with the social network, but says that the tracking only happened because of a bug that is now being fixed.

    The social network hit out at the report commissioned by the Belgian data protection authority, which found Facebook in breach of European data privacy laws, saying that the report “gets it wrong multiple times in asserting how Facebook uses information”.

    “The researchers did find a bug that may have sent cookies to some people when they weren’t on Facebook. This was not our intention – a fix for this is already under way,” wrote Richard Allan, Facebook’s vice president of policy for Europe in a rebuttal.

    “Cookies tell us when people are logged into Facebook. That’s why you don’t have to enter your name and password every time you visit, and so we can alert you in case someone else is trying to log in as you from an unknown computer,” said Allan.

    Reply
  32. Tomi Engdahl says:

    Nikhil Pahwa / MediaNama:
    Internet.org allows partnering telcos to track users, doesn’t support secure connections
    http://www.medianama.com/2015/05/223-facebooks-internet-org-privacy/

    Reply
  33. Tomi Engdahl says:

    Maritime Cybersecurity Firm: 37% of Microsoft Servers On Ships Are Vulnerable
    http://it.slashdot.org/story/15/05/04/227217/maritime-cybersecurity-firm-37-of-microsoft-servers-on-ships-are-vulnerable

    A report from maritime cybersecurity firm CyberKeel claims that spot checks at 50 different maritime sites revealed that 37% of the servers running Microsoft were still vulnerable because they had not been patched. But what’s most interesting is what happens when hackers can breach security in shipping environments, including one case in which “drug gangs were able to smuggle entire container loads of cocaine through Antwerp, one of Belgium’s largest ports, after its hackers breached the port’s IT network,”

    Maritime cybersecurity firm: 37% of Microsoft servers on ships vulnerable to hacking
    http://www.networkworld.com/article/2917856/microsoft-subnet/maritime-cybersecurity-firm-37-of-microsoft-servers-not-patched-vulnerable-to-hacking.html

    After running spot checks, a maritime cybersecurity firm found 37% of servers running Microsoft did not patch in April and are vulnerable to attack.

    A recent Department of Homeland Inspector General report (pdf) focused mostly on U.S. Coast Guard insider threats, stating, “Trusted insiders could use their access or insider knowledge to exploit USCG’s physical and technical vulnerabilities with the intent to cause harm.”

    The audit also found numerous issues involving thumb drives and removable media that could be connected to Coast Guard IT systems and used to remove sensitive info, as well as issues allowing sensitive info to be sent via email. The IG also found unlocked USCG network equipment and server rooms, unsecured wireless routers and laptops.

    But a real current threat, according to CyberKeel, a Copenhagen-based firm which focuses on maritime cybersecurity, is unpatched servers running Microsoft that attackers could exploit to take control of the servers. Although Microsoft released a patch in April, spot checks at 50 different maritime sites reveals that 37% of the servers running Microsoft were still vulnerable because they had not been patched.

    “Complex systems, such as those provided by Microsoft, are often in need of software patching to plug security holes. Companies need their IT departments to be able to quickly install software patches, as the hacker community operates on decidedly short timeframes,” CyberKeel CEO Lars Jensen told Splash24/7. “As an example, it took less than 12 hours from the point where Microsoft released the patch, until you could find simple instructions on the internet as to exactly how to exploit this weakness to cause a denial of service.”

    Rear Adm. Marshall Lytle, assistant commandant responsible for USCG Cyber Command, explained how the cyber threat is very rea

    He added, “Modern ships are completely computerized. Everything is connected on networks. Today’s modern ships have complex cargo operations that are entirely connected through cyber space. Cranes are moved by GPS. Most everything happens through automation and it’s all connected in cyber space.” Lytle gave a “real-world example” of cyber threats, saying “drug gangs were able to smuggle entire container loads of cocaine through Antwerp, one of Belgium’s largest ports, after its hackers breached the port’s IT network.”

    Michel later testified again about USCG priorities. “In 2016, we will remain in lockstep with other components of DHS and Department of Defense (DOD) efforts to enhance cybersecurity to defend our own network and work with port partners to protect maritime critical infrastructure and operators.”

    Reply
  34. Tomi Engdahl says:

    The Computers are Listening
    How the NSA Converts Spoken Words Into Searchable Text
    https://firstlook.org/theintercept/2015/05/05/nsa-speech-recognition-snowden-searchable-text/

    Most people realize that emails and other digital communications they once considered private can now become part of their permanent record.

    But even as they increasingly use apps that understand what they say, most people don’t realize that the words they speak are not so private anymore, either.

    Top-secret documents from the archive of former NSA contractor Edward Snowden show the National Security Agency can now automatically recognize the content within phone calls by creating rough transcripts and phonetic representations that can be easily searched and stored.

    The documents show NSA analysts celebrating the development of what they called “Google for Voice” nearly a decade ago.

    Reply
  35. Tomi Engdahl says:

    Tech Data: UK accounting errors cost us $27m
    Distie giant restates 3 years worth of profits, beefs up fraud prevention weaponry
    http://www.theregister.co.uk/2014/02/05/tech_data_restatement_february/

    Tech Data (TD) has turned to “external experts” to beef up fraud detection measures after it emerged that righting accounting wrongs at its UK sub had wiped $27m (£16.55m) off net profits for the last three years.

    The restatement equates to three per cent of income made during fiscal ’11, ’12 and ’13, the periods that forensic bean counters probed since the mistakes in vendor accounting surfaced in March. The reduction came in at the lower range of initial estimates of between $25m to $33m.

    The Audit Committee of independent investigators, and outside counsel, found systemic failings in the UK and two European country operations.

    “These adjustments primarily correct errors from improper vendor accounting, improper use of manual journal entries, and improper recognition of foreign currency exchange transactions,” said TD.

    Reply
  36. Tomi Engdahl says:

    UK rail comms are safer than mobes – for now – say infosec bods
    Industry told to harden systems to prevent future train smash carnage
    http://www.theregister.co.uk/2015/04/30/uk_rail_comms_safety_analysis/

    Analysis Last week’s warning that Britain’s railway systems could be susceptible to hacking has triggered a debate among security experts.

    Prof David Stupples of City University London made headlines last week with a warning that plans to replace the existing (aging) signalling system with the new European Rail Traffic Management System (ERTMS) could open up the network to potential attacks, particularly from disgruntled employees or other rogue insiders. “Major disruption” or even a “nasty accident” could ensue if miscreants were able to plant malware on the system, the computer scientist warned.

    The Station Agent

    ERTMS is made up of on-board train, trackside and GSM mobile telephony equipment. The system is intended to replace legacy trackside signalling and voice systems with a modern in-cab signalling and voice communications system, based on a European standard.

    The technology is designed to help lay the tracks towards faster, safer trains and more efficient use of the existing rail network. Similar technology is being adopted around the world and not just in Europe. UK testing has already begun ahead of a roll-out expected to take place over five years into the 2020s.

    Chris Day, ICS security researcher at security consultancy MWR Infosecurity, commented: “ERTMS has been rightly recognised by the UK government and railway operators as critical infrastructure that is potentially susceptible to computer attack and there are ongoing investigations and remedial actions to mitigate identified risks against ERTMS. The fact this process is already in progress prior to the system being deployed in the UK is an important, proactive step forward in Industrial Control System (ICS) security management.”

    “This will benefit both rail users and operators, as security issues are cheaper and more likely to be fixed if they are discovered prior to a systems deployment,” he added.

    “Exploiting ICS will require a different approach and toolset to successfully execute attacks,” Day explained. “Just as security researchers and black hat hackers retooled to attack mobile devices in the early 2000s, there will need to be a similar retooling period before we see a dramatic increase in ICS exploitation.”

    “Unlike the mobile sector, there is currently a lack [the sort of] commonality between different ICS vendors which would facilitate widespread ICS exploitation. However, this appears to be changing, as ICS vendors are also slowly converging on delivering products using the ARM architecture and Commercial Off The Shelf (COTS) software to reduce the development costs of ICS equipment and remain competitive. The use of COTS technologies without appropriate security hardening remains a high-risk security weakness for ICS,” Day concluded.

    Countries need to address the problem of cyber-criminal activity, not only on transport systems, but on critical infrastructure as a whole, according to Kaspersky Lab.

    Attacks against industry control and traffic management systems are becoming more than the staple of Hollywood hacker movies, according to Emm, who said isolated incidents of real attacks are already occurring.

    “We’re already seeing examples of cyber-criminals exploiting new technology. For example, in Moscow, speed cameras and traffic monitoring systems were infected with an unidentified Trojan which stopped authorities catching traffic offenders. A seemingly minor attack, which had huge effects on function and revenue collection.

    Security should be built into systems from the onset rather than added as an afterthought, according to Emm.

    “We should view the recent warning as a wake-up call, not only for the transport industry, but for critical infrastructure as a whole.”

    Reply
  37. Tomi Engdahl says:

    French Version of ‘Patriot Act’ Becomes Law
    http://yro.slashdot.org/story/15/05/06/0258222/french-version-of-patriot-act-becomes-law

    Thanks to the Charlie Hebdo massacre and other instances of terrorism, the French legislature has voted 438 to 86 in favor of the “Intelligence Service Bill,” essentially a French version of the Patriot Act. It awards the French intelligence services sweeping powers to tap and intercept any kind of digital correspondence, including phone conversations, emails, and social media.

    The bill decrees that hosting providers and Internet service providers in France must be equipped with a “black box” that can retain all digital communications from customers.

    French parliament approves new surveillance rules
    http://www.bbc.com/news/world-europe-32587377

    The French parliament has approved a controversial law strengthening the intelligence services, with the aim of preventing Islamist attacks.

    The law on intelligence-gathering, adopted by 438 votes to 86, was drafted after three days of attacks in Paris in January, in which 17 people died.

    The Socialist government says the law is needed to take account of changes in communications technology.

    But critics say it is a dangerous extension of mass surveillance.

    They argue that it gives too much power to the state and threatens the independence of the digital economy.

    Reply
  38. Tomi Engdahl says:

    More than 22 Thousand Finns Clicked WhatsApp Spam Today
    https://www.f-secure.com/weblog/archives/00002809.html

    Daavid, a senior researcher on our Threat Intelligence team, received two “Samsung Galaxy Pro” themed spam messages to his WhatsApp account this morning.

    Reply
  39. Tomi Engdahl says:

    Updated: PC maker Lenovo exposes users to “massive security risk”
    http://www.scmagazineuk.com/updated-pc-maker-lenovo-exposes-users-to-massive-security-risk/article/412902/

    World number one PC maker Lenovo has been accused of running a “massive security risk” because flaws in its online product update service allow hackers to download malware onto its users’ systems through a man-in-the-middle (MiTM) attack.

    The problems have been revealed by security firm IOActive – just weeks after Lenovo was found to be shipping PCs with pre-installed ‘Superfish’ adware that also left its users open to MITM attacks.

    IOActive researchers Michael Milvich and Sofiane Talmat say in an advisory that they discovered the latest “high-severity” privilege escalation vulnerabilities in Lenovo’s System Update service, which enables users to download the latest drivers and other software, including security patches, from Lenovo’s website.

    The researchers found the flaws in February, and have now gone public on them after giving Lenovo time to develop a patch, issued last month.

    But while the patch fixes the problems, users have to download the security update to protect themselves.

    Milvich and Talmat say that one of the vulnerabilities, CVE-2015-2233, allows local and remote hackers to bypass the device’s signature validation checks and replace trusted Lenovo applications with malware.

    Another bug, CVE-2015-2219, is a weakness in Lenovo’s security token system, which means least-privileged users could gain high-level access to Lenovo PCs, laptops and other devices and run their own malicious commands and programs.

    Lenovo, based in China and North Carolina USA, is the world’s largest PC manufacturer and began evolving from a Chinese-only company when it acquired IBM’s global PC business 10 years ago.

    But the company has been plagued by security problems in recent months and the latest privilege escalation flaws have drawn criticism from independent cyber-security experts.

    http://www.ioactive.com/labs/advisories.html

    Reply
  40. Tomi Engdahl says:

    Mumblehard–Let’s End Its Five-Year Reign
    http://www.linuxjournal.com/content/mumblehard-lets-end-its-five-year-reign

    Linux has a well deserved reputation as being one of the most secure platforms for individuals and businesses. This is largely due to the way security is integrated into the system, but there is a great risk in being too complacent. Recent events serve to remind us that there is no such thing as an uncrackable system.

    In this case, the culprit is a trojan known as Mumblehard, and it has been hitting Linux and BSD Web servers hard. The Mumblehard trojan has a specific purpose: to turn a Web server into a zombie relay for spam e-mail, usually for pharmaceutical goods–yep, Viagra spam.

    This hurts Web site owners in several ways:

    1. They must pay for the bandwidth consumed by the spam.
    2. They run the risk of having their domain and IP blacklisted by spam filters, which can prevent their legitimate e-mail from being delivered.

    The most alarming aspect of Mumblehard is that is has been operating undetected for at least five years.

    Mumblehard has an unusual anatomy. It’s written in Perl code, but then it’s packed into an ELF binary executable. Analysis shows that these ELF libraries were written in assembly (as opposed to compiled).

    Mumblehard has two components. First there is a backdoor, which runs via a cron task. This component contacts a “Command and Control” server and downloads a file to execute–it polls a list of servers every 15 minutes. It reports the results of the job to all the servers on the list.

    The commands are cleverly hidden in the HTTP header, disguised as an innocent PHP session cookie. In actual fact, the “session id” is a hex-encoded URL for the command file (the white paper covers the full details).

    The next component of Mumblehard is a mail spam daemon, also written in Perl. It also requests jobs from the Command and Control servers, and either sends e-mail messages directly or sets itself up as an e-mail proxy.

    The infection can be detected by checking for unexpected cron tasks. In all cases, these tasks were set to run once every 15 minutes.

    Reply
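    Two of the indicators described above lend themselves to a simple host check. The Python below is an added example, not code from the Linux Journal article or from the white paper it cites: it flags crontab entries that fire every 15 minutes and tests whether a PHPSESSID cookie value is really a hex-encoded URL. The crontab lines and the HTTP header are constructed samples, and it is an assumption that the cookie arrives in a Set-Cookie header from the command server (the article only says it is hidden in the HTTP header).

```python
"""Host-side indicators for a Mumblehard-style infection (added example)."""
import binascii
import re
from urllib.parse import urlparse

# Constructed sample crontab; the two dot-directory entries are the suspicious ones.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
*/15 * * * * /var/tmp/.x/update >/dev/null 2>&1
0,15,30,45 * * * * /tmp/.cache/bd
30 * * * * /usr/local/bin/backup.sh
"""

# Constructed sample response from a command server (assumed Set-Cookie delivery).
# The session id is the hex encoding of "http://example.net/jobs/42".
SAMPLE_RESPONSE_HEADERS = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Set-Cookie: PHPSESSID=687474703a2f2f6578616d706c652e6e65742f6a6f62732f3432; path=/\r\n"
    "Content-Type: text/html\r\n\r\n"
)


def runs_every_15_minutes(minute_field):
    """True if a cron minute field fires every quarter hour (*/15 or 0,15,30,45)."""
    if minute_field == "*/15":
        return True
    try:
        return sorted(int(p) for p in minute_field.split(",")) == [0, 15, 30, 45]
    except ValueError:
        return False


def suspicious_cron_entries(crontab_text, allowlist=()):
    """Return (schedule, command) pairs on a 15-minute cadence not in the allowlist.

    The article notes that every observed infection used a 15-minute cron job,
    so the cadence is the first thing to look for; the allowlist keeps known
    legitimate jobs out of the report.
    """
    hits = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 5)  # five schedule fields, then the command
        if len(fields) < 6:
            continue
        minute, command = fields[0], fields[5]
        if runs_every_15_minutes(minute) and command not in allowlist:
            hits.append((" ".join(fields[:5]), command))
    return hits


def decode_session_cookie(headers_text, cookie_name="PHPSESSID"):
    """Return the URL hidden in a hex-encoded session cookie, or None.

    A genuine PHP session id is random, so it will not hex-decode to printable
    ASCII that parses as an http(s) URL; one that does is the tell the article
    describes.
    """
    m = re.search(re.escape(cookie_name) + r"=([0-9a-fA-F]+)", headers_text)
    if not m:
        return None
    try:
        decoded = binascii.unhexlify(m.group(1)).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    parsed = urlparse(decoded)
    if parsed.scheme in ("http", "https") and parsed.netloc:
        return decoded
    return None


if __name__ == "__main__":
    for schedule, command in suspicious_cron_entries(SAMPLE_CRONTAB):
        print("15-minute cron job:", schedule, command)
    url = decode_session_cookie(SAMPLE_RESPONSE_HEADERS)
    if url:
        print("session cookie decodes to a URL:", url)
```

    On a real host the crontab text would come from `crontab -l` for each user plus the files under `/etc/cron.d`, and the header check would run over a proxy or packet capture of outbound HTTP from the web server; both checks are heuristics, so a hit is a prompt to inspect the command and its binary, not proof of infection.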
  41. Tomi Engdahl says:

    Cyberlock Lawyers Threaten Security Researcher Over Vulnerability Disclosure
    http://it.slashdot.org/story/15/05/05/2335223/cyberlock-lawyers-threaten-security-researcher-over-vulnerability-disclosure

    Security researcher Phar (Mike Davis/IOActive) gave his 30 days of disclosure notice to Cyberlock (apparently a company that makes electronic lock cylinders) that he would release a public advisory on vulnerabilities he found with the company’s security devices. On day 29, their lawyers responded with a request to refrain, feigning ignorance of the previous notice, and invoking mention of the DMCA.

    Lawyers threaten researcher over key-cloning bug in high-security lock
    “CyberLock” securing police and airports has critical vulnerabilities, report warns.
    http://arstechnica.com/security/2015/05/lawyers-threaten-researcher-over-key-cloning-bug-in-high-security-lock/

    Critical vulnerabilities in a market-leading line of digital locks securing hospitals, airports, and water treatment facilities makes it possible for rogue employees or outside attackers to clone digital keys, researchers reported late last week.

    Thursday’s advisory from security firm IOActive is notable not only for the serious security issues it reported in the CyberLock line of access control systems, which are certified to meet a wide range of US governmental requirements and certifications. The report is also the topic of a legal threat from CyberLock attorneys.

    “Of course, as you know, the public reporting of security vulnerabilities can have significant consequences,” Jeff Rabkin, a partner at the Jones Day law firm wrote in a letter dated April 29, one day before IOActive published the advisory.

    The Digital Millennium Copyright Act of 1998 makes it a felony to circumvent technology intended to prevent access to copyrighted material. It also provides substantial civil penalties copyright holders may recover.

    “Unclonable” no more

    IOActive’s five-page advisory warns that some of the bugs undermine fundamental assurances about the security of the product, which looks and acts like a traditional lock, but is locked and unlocked with a programmable digital key known as a CyberKey.

    CyberLock marketing materials also stress assurances that a CyberKey can’t be duplicated or changed.

    The advisory went on to say that “site keys” are stored in unencrypted, “cleartext” form that can be recovered from the lock cylinders. Attackers may also obtain the site keys by intercepting communications between any previously authorized CyberKey and any CyberLock. Once extracted, the site key can be used to create cloned keys that can be modified to remove time-of-day or one-time access restrictions.

    Reply
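    The advisory summarized above turns on one design point: a site key that an eavesdropper can capture on the wire is a credential that can be replayed and cloned. The Python below is an added illustration of that point and of the usual remedy, not CyberLock’s real protocol and not code from IOActive. It models two designs with constructed values: one where the key presents the shared site key itself, and one where each key holds only a derived per-key secret and answers a fresh nonce from the lock with an HMAC. Names, the derivation scheme and the message layout are all assumptions made for the example.

```python
"""Static credential vs. challenge-response for a lock/key pair (added example).

Generic model, not the protocol of any real product: it shows why a shared
secret that crosses the wire lets an observer clone keys, and how a per-key
derived secret plus a lock-issued nonce avoids that.
"""
import hashlib
import hmac
import os

# Constructed sample site key; a real deployment would provision this in hardware.
SITE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


# --- Design A: the key presents the shared site key itself -------------------
def static_credential(site_key):
    """What a key transmits in the weak design: the site key, in the clear."""
    return site_key


def static_lock_accepts(site_key, credential):
    """Lock compares the presented bytes with its own site key."""
    return hmac.compare_digest(site_key, credential)


# --- Design B: per-key secret, nonce challenge, HMAC response ---------------
def derive_key_secret(site_key, key_id):
    """Per-key secret derived from the site key and the key's identifier.

    A key only ever stores this value, so reading one key does not yield the
    site key, and the lock can recompute it for any key_id it is shown.
    """
    return hmac.new(site_key, b"key|" + key_id, hashlib.sha256).digest()


def lock_challenge():
    """Lock issues a fresh random nonce for every authentication attempt."""
    return os.urandom(16)


def key_response(key_secret, key_id, nonce):
    """Key proves possession of its secret without transmitting it."""
    return hmac.new(key_secret, key_id + nonce, hashlib.sha256).digest()


def lock_verify(site_key, key_id, nonce, response, revoked=frozenset()):
    """Lock recomputes the expected response for this nonce.

    Access policy (revocation, time-of-day) lives on the lock side, so a
    key cannot remove restrictions by editing its own storage.
    """
    if key_id in revoked:
        return False
    expected = key_response(derive_key_secret(site_key, key_id), key_id, nonce)
    return hmac.compare_digest(expected, response)


def replay_accepted_by_static_design():
    """An observer who captured one static credential is accepted next time too."""
    captured = static_credential(SITE_KEY)
    return static_lock_accepts(SITE_KEY, captured)


def replay_accepted_by_challenge_design():
    """A captured (nonce, response) pair is useless against the lock's next nonce."""
    key_id = b"KEY-0001"
    secret = derive_key_secret(SITE_KEY, key_id)
    captured_response = key_response(secret, key_id, lock_challenge())
    fresh_nonce = lock_challenge()
    return lock_verify(SITE_KEY, key_id, fresh_nonce, captured_response)


def legitimate_key_accepted():
    """The genuine key answers the live nonce and is admitted."""
    key_id = b"KEY-0001"
    secret = derive_key_secret(SITE_KEY, key_id)
    nonce = lock_challenge()
    return lock_verify(SITE_KEY, key_id, nonce, key_response(secret, key_id, nonce))


if __name__ == "__main__":
    print("static design, replayed credential accepted:", replay_accepted_by_static_design())
    print("challenge design, replayed response accepted:", replay_accepted_by_challenge_design())
    print("challenge design, genuine key accepted:", legitimate_key_accepted())
```

    The challenge-response design addresses the interception and cloning points in the advisory; it does not by itself address the other finding, that the site key is recoverable from the lock cylinder, because the lock still holds the site key and that storage needs its own protection.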
  42. Tomi Engdahl says:

    IOActive Security Advisory
    http://www.ioactive.com/pdfs/IOActive_Advisory_CyberLock.pdf

    CyberLock CyberKey based access control solutions

    Reply
  43. Tomi Engdahl says:

    Bitcoin giant Coinbase accused of spying on a Dark Net researcher
    http://www.dailydot.com/politics/coinbase-bitcion-dark-net-researcher/

    Bitcoin was supposed to be a currency beyond the control of financial institutions and, through strong cryptography, allow individuals to spend their money without being spied on.

    That utopian dream may be over.

    As large companies have formalized trade of the currency and governments have patched together regulations, the ideals of a purely independent Bitcoin are quickly being challenged. Now, it appears that Coinbase, one of the largest bitcoin wallet hosts, is monitoring its users who have been sending donations to a security researcher.

    Reply
  44. Tomi Engdahl says:

    Net admins: the white box world HASN’T forgotten you
    Big Switch upgrades monitoring, turns on bigger Big Tap
    http://www.theregister.co.uk/2015/05/07/net_admins_the_white_box_world_hasnt_forgotten_you/

    Pervasive security and deeper monitoring: that’s what Big Switch Networks is pitching as the centrepiece of the next iteration of its Big Tap Monitoring Fabric, version 4.5.

    This system is designed to fit in the network packet broker (NPB) space – the out-of-band sniffer network that alerts admins if something’s going wrong.

    Big Switch is hoping that network admins who have already put white box switches (such as those from partner Dell) in their data centre will like the idea of using Big Tap as a white-box replacement for proprietary NBPs.

    CMO Gregg Holzrichter told The Register’s networking desk that to compete with incumbents like Gigamon (a leader in the network packet broker – NPB – space), the company had to develop Big Tap towards feature parity.

    With the exception of “a couple of specialised features like time stamping and packet slicing”, the company reckons it’s achieved that, while keeping the white-box pricing advantage in place.

    Putting a Big Tap controller in line, Gandhi said, means “we can intelligently route traffic to these different tools, because not every tool needs to see all of the traffic.”

    Features of Big Tap 4.5 include:

    Either out-of-band (data centre monitoring) or in-line (DMZ) deployment modes;
    Service chaining in in-line mode – this allows multiple tools to be processed in a service chain, under user policy control;
    sFlow generation;
    DNS and DHCP tracking, for better security visibility;
    MPLS header stripping provides service provider WAN monitoring; and
    Granular control of load balancing between tools in the DMZ.

    Reply
  45. Tomi Engdahl says:

    LinkedIn Used To Create Database of 27,000 US Intelligence Personnel
    http://yro.slashdot.org/story/15/05/07/032250/linkedin-used-to-create-database-of-27000-us-intelligence-personnel

    A new group, Transparency Toolkit, has mined LinkedIn to reveal and analyze the resumes of over 27,000 people in the U.S. intelligence community. In the process, Transparency Toolkit said it found previously unknown secret codewords and references to surveillance technologies and projects.

    Currently, our primary focuses are investigating surveillance and human rights abuses.’”

    LinkedIn serves up resumes of 27,000 US intelligence personnel
    http://www.zdnet.com/article/linkedin-serves-up-resumes-of-27000-us-intelligence-personnel/
    Summary: A new transparency project has mined LinkedIn to create a database of the US intelligence community – complete with codewords.

    The group said the resumes frequently mention secret codewords and surveillance programs.

    Transparency Toolkit said the database, called ICWatch, includes the public resumes of people working for intelligence contractors, the military and intelligence agencies.

    “These resumes include many details about the names and functions of secret surveillance programs, including previously unknown secret codewords,” Transparency Toolkit said.

    “We are releasing these resumes in searchable form with the hopes that people can use them to better understand mass surveillance programs and research trends in the intelligence community.”

    The data was collected from LinkedIn public profiles using search terms like known codewords, intelligence agencies and departments, intelligence contractors, and industry terms, the group said.

    “We build free software to collect and analyze open data from a variety of sources. Then we work with investigative journalists and human rights organizations to turn that into useful, actionable knowledge. Currently, our primary focuses are investigating surveillance and human rights abuses.”

    Reply
  46. Tomi Engdahl says:

    Robinson Meyer / The Atlantic:
    Mobile Justice CA app uploads all video footage as it’s being captured to servers owned by ACLU, available for iOS and Android for now

    Film the Police
    A new app makes it easier.
    http://www.theatlantic.com/technology/archive/2015/05/film-the-police/392483/?google_editors_picks=true

    Last month, video footage emerged that appeared to show something illegal: A U.S. marshal approached a woman who was filming him on duty, snatched her smartphone, and smashed it on the ground.

    That incident only became news because someone else was filming the encounter. But not every bystander filming a police encounter can have a backup. What should a person do when there’s no one else on the scene?

    A new app tries to answer this question by offering, in effect, a different kind of backup. Called Mobile Justice CA, the app uploads all video footage as it’s being captured to servers owned by the American Civil Liberties Union (ACLU). Even if the phone is destroyed, the video will survive.

    The app was co-released Friday by the ACLU of Southern California and the Oakland-based Ella Baker Center for Human Rights, and it’s available now for iOS and Android devices.

    Within a year, Cullors told me, the Center plans to debut a “web-based platform” that will help communities track behaviors—both positive and negative—among law-enforcement agencies and individual police officers. Cullors described the platform as “a Facebook for challenging criminalization in your community.”

    For now, there’s the app. Video uploaded to ACLU servers will be reviewed by the organization’s lawyers, but it will still belong to the person who captured it.

    Body cameras have been hailed as a solution to police brutality, and in that they’ve proven popular but fraught: They improve officer accountability while functioning as one more surveillance tool in communities often already riddled with them.

    Reply
  47. Tomi Engdahl says:

    Craig Hockenberry / furbo.org:
    Apple hasn’t fixed or even acknowledged widely-reported networking issues on OS X Yosemite and iOS 8 related to discoveryd

    discoveryd Clusterfuck
    http://furbo.org/2015/05/05/discoveryd-clusterfuck/

    Reply
  48. Tomi Engdahl says:

    Brian Krebs / Krebs on Security:
    PayIvy is an open web marketplace for stolen account credentials and license keys using PayPal to carry out transactions

    PayIvy Sells Your Online Accounts Via PayPal
    http://krebsonsecurity.com/2015/05/payivy-sells-your-online-accounts-via-paypal/

    Normally, if one wishes to buy stolen account credentials for paid online services like Netflix, Hulu, XBox Live or Spotify, the buyer needs to visit a cybercrime forum or drop into a dark Web marketplace that only accepts Bitcoin as payment. Increasingly, however, these accounts are showing up for sale at Payivy[dot]com, an open Web marketplace that happily accepts PayPal in exchange for a variety of stolen accounts.

    Marketed and sold by a Hackforums user named “Sh1eld” as a supposed method of selling ebooks and collecting payments for affiliate marketers, PayIvy has instead become a major conduit for hawking stolen accounts and credentials for a range of top Web services.

    It’s not clear how or why PayPal isn’t shutting down most of these merchants, but some of the sellers clearly are testing things to see how far they can push it

    Update, 10:33 a.m. ET: PayIvy just sent the following message to all of its sellers: “Starting May 15th, PayIvy will be banning all netflix accounts.”

    Reply
  49. Tomi Engdahl says:

    Andy Greenberg / Wired:
    Cody Wilson, inventor of the 3D printable gun, files countersuit against US State Department claiming the blueprints are protected free speech

    3-D Printed Gun Lawsuit Starts the War Between Arms Control and Free Speech
    http://www.wired.com/2015/05/3-d-printed-gun-lawsuit-starts-war-arms-control-free-speech/

    This week marks the two-year anniversary since Cody Wilson, the inventor of the world’s first 3-D printable gun, received a letter from the State Department demanding that he remove the blueprints for his plastic-printed firearm from the internet. The alternative: face possible prosecution for violating regulations that forbid the international export of unapproved arms.

    Now Wilson is challenging that letter. And in doing so, he’s picking a fight that could pit proponents of gun control and defenders of free speech against each other in an age when the line between a lethal weapon and a collection of bits is blurrier than ever before.

    Wilson’s gun manufacturing advocacy group Defense Distributed, along with the gun rights group the Second Amendment Foundation, on Wednesday filed a lawsuit against the State Department and several of its officials, including Secretary of State John Kerry.

    The group’s lawsuit now argues that whether or not the Liberator is a weapon, its blueprints are “speech,” and that Americans’ freedom of speech is protected online—even when that speech can be used to make a gun with just a few clicks.

    “The internet is available worldwide, so posting something on the internet is deemed an export, and to [the State Department] this justifies imposing a prior restraint on internet speech,” says Alan Gura, the lawyer leading the lawsuit, using the legal term “prior restraint” to mean censorship of speech before it’s published. “That’s a vast, unchecked seizure of power over speech that’s…not authorized by our constitution.”

    Reply
  50. Tomi Engdahl says:

    Self-Destructing Virus Kills Off PCs
    http://it.slashdot.org/story/15/05/06/2251227/self-destructing-virus-kills-off-pcs

    “A computer virus that tries to avoid detection by making the machine it infects unusable has been found. If Rombertik’s evasion techniques are triggered, it deletes key files on a computer, making it constantly restart. Analysts said Rombertik was ‘unique’ among malware samples for resisting capture so aggressively. On Windows machines where it goes unnoticed, the malware steals login data and other confidential information.”

    Self-destructing virus kills off PCs
    http://www.bbc.com/news/technology-32591265

    A computer virus that tries to avoid detection by making the machine it infects unusable has been found.

    If Rombertik’s evasion techniques are triggered, it deletes key files on a computer, making it constantly restart.

    Analysts said Rombertik was “unique” among malware samples for resisting capture so aggressively.

    On Windows machines where it goes unnoticed, the malware steals login data and other confidential information.

    Rombertik typically infected a vulnerable machine after a booby-trapped attachment on a phishing message had been opened, security researchers Ben Baker and Alex Chiu, from Cisco, said in a blogpost.

    Some of the messages Rombertik travels with pose as business enquiry letters from Microsoft.

    The malware “indiscriminately” stole data entered by victims on any website, the researchers said.

    And it got even nastier when it spotted someone was trying to understand how it worked.

    “Rombertik is unique in that it actively attempts to destroy the computer if it detects certain attributes associated with malware analysis,” the researchers said.

    Reply
