Year 2014 is coming to an end, so it is time to look forward to what to expect from 2015 in cyber security.
Cyber security will get harder year by year. Year 2014 was much worse than 2013. The Heartbleed, Bash (Shellshock), and POODLE vulnerabilities were just the beginning of what to expect in 2015. I expect that 2014 will look easy compared to what 2015 will be. 2015 will prove to be a challenging year for IT security professionals. Attacks can happen anywhere and at any time, and they don’t have to be major attacks by nation states. They could come from inside or outside.
According to Gartner and SecurityWeek, total information security spending will grow a further 8.2 percent in 2015 to reach $76.9 billion. Unfortunately, security investments are not keeping up with IT enhancements that are continuously widening our attack surface and making systems more vulnerable. As computer software has become the backbone of modern civilization, “hacktivists”, organized cyber criminals, state-sponsored cyber attackers, and terrorist organizations try to exploit design flaws and weaknesses in applications in order to embarrass corporations and government agencies, and to commit fraud.
The steady flow of software security issues will keep making headlines in 2015. Serious security flaws will be found in both open source and proprietary software.
Many people are looking for a good process to develop secure software, because after-the-fact band-aiding is not a sustainable approach. If the same methods continue to be used to develop software, with tests added retrospectively, there will only be a very modest reduction in the flow of problems. Processes for developing reliable and secure networking software exist but have yet to be broadly applied. Traditional methods used to develop software continue to result in high failure rates. Why create insecure security?
Year 2014 was a year of cybersecurity fallout from the NSA revelations made in 2013. There were lots of articles based on the published material. Not everything has yet been published, so I would expect some new details of the NSA revelations to be published in 2015 as well. In other words, I expect new information leaks on how governmental security organizations spy on us all.
It seems like year 2014 has almost been “The Year of PoS Breaches.” Can we learn from big breaches? At least companies will face more stringent regulations: the new Payment Card Industry Data Security Standard 3.0 (PCI 3.0) will be mandatory for all businesses that store, process or transmit payment card information beginning 1 January 2015. The revamped standard includes requirements aimed at third party providers, and the changes follow a string of high profile breaches. I expect that those new requirements will not result in any quick change to the situation. As breach reports keep coming in constantly, consumers are officially starting to get breach fatigue, and banks are taking breached companies to court to pay for the damages caused to them.
Public and private organizations are facing an increasing frequency and sophistication of cyber-attacks and security breaches – many of which are only discovered after the fact. McAfee Labs’ 2015 Threats Predictions report is an eye-opening read which forecasts increased levels of crime, espionage and warfare operations. Cybercriminals are expected to use more sophisticated methods to remain hidden on a victim’s network, carrying out long-term theft of data without detection.
The article Get Ready For The Hack Attack That Drives A Big Company Out Of Business predicts that 2015 will be the year that some company goes out of business because it didn’t plan adequately for an attack. In the past, the most sophisticated hacks against companies were carried out by big nation-states or criminal organizations. In 2014 the Sony Pictures hack happened and showed that the motives of sophisticated attackers have changed from self-gain to destruction. Many company officers are only now becoming aware of the threat (boards of directors and C-level officers have traditionally been focused on other threats). A computerized attack can cause a lot of damage to a well prepared company, and can turn a not so well prepared company into a complete disaster it can’t recover from. The Sony attack opens new doors of risk in the area of corporate extortion.
As the Internet of Things becomes more and more widely used, it will be hacked more. Thus the security of the Internet of Things will be talked about more and more. IoT is one field where cyber security flaws can kill. The European Police Office (Europol) said governments are ill-equipped to counter the menace of “injury and possible deaths” spurred by hacking attacks on critical safety equipment. There are many potential dangers in transportation: many new cars are Internet connected and potentially vulnerable, SCADA systems in railways are vulnerable to attack, and airline bosses ignore cyber security concerns at their peril. Whether it is an unintentional cyber incident or a deliberate attack, security continues to be a vital part of the automation industry and it will remain, with safety, a growing area of concern for manufacturers in the coming years. Security awareness is on the rise throughout the industry. Security is becoming a business enabler that can provide manufacturers more than just an insurance policy.
Soon, almost every network will have IoT hacking in it. IDC predicts that within two years 90 per cent of global IT networks will have encountered IoT data theft. In a report, cybersecurity firm Fortinet expects greater threats from “denial of service attacks on assembly line, factory, industrial control systems, and healthcare and building management…resulting in revenue losses and reputation damages for organizations globally.” This opens new doors of risk in the areas of corporate extortion, altering of corporate business operations, and the extension of cyberattacks to include physical threats of harm to civilians.
Why is cyber warfare becoming more and more attractive to small nations and terrorist groups? Enabled by Internet connectivity, cyber war provides more bang for the buck than investment in conventional weapons. It is cheaper for, and far more accessible to, these small nation-states than conventional weapons. It allows these countries to pull off attacks without as much risk of getting caught and without the repercussions when they are caught. There are many reasons why a nation-state or non-nation entity would pursue a cyber war program, and today many countries large and small invest in cyber warfare. Recent cyber attacks suggest that fewer resources are required to wage an attack than to defend against one. As the whole world gets connected, it provides exactly the details that make these attacks possible. In the not-too-distant future, warfare with traditional weaponry may take a backseat to potentially more destructive tactics: computer code attacking the companies and infrastructures, including electric grids and oil and gas pipelines, that society relies on.
It was estimated that the first online murder would happen in 2014. As far as I know it did not happen in 2014. I think it is likely that an online murder can happen in 2015. The tools for this to happen are available. A cyber-murder can happen without us knowing about it.
Mobile devices will be one of the focal points for cyber-attackers in 2015, as they present relatively easy, low-risk points of entry that can be monitored remotely for passwords, account numbers, and personal identification data. It is still relatively easy to publish malicious applications in application stores. Within the next year advanced mobile exploit kits will become available.
Mobile devices will start to play a part in denial of service attacks. Vietnam, India and Indonesia will be the distributed denial of service volcanoes of next year due to the proliferation of pwned mobiles.
Year 2014 brought encryption to mainstream smart phones (new encryption features from Apple Inc. and Google Inc). In 2015 government organizations will try to tackle a very modern problem: password-protected encrypted cellphones. It will be a fight over surveillance as everyone starts to implement encryption.
Long predicted but always seeming to be “just around the corner,” mobile payments may finally have arrived. The underlying technologies of the coming mobile payment revolution, and alternative solutions, have been emerging for some time. Technologies playing a supporting role in this shift include encryption advances, digital currencies, biometrics, NFC, Bluetooth, QR codes, and even the use of sound wave data transfer. There will also be products marketed to prevent the different kinds of potential threats the new technologies can cause.
There is a never-ending battle between good and evil in the cyber world. Various types of attacks are successful because they are well-disguised, blend different techniques, and constantly evolve. You need Layered Security – It’s Not Just for Networks. Use a layered security architecture that supports a combination of defenses in ways attackers don’t expect and that continuously evolves protections to keep up with dynamic attacks. Traditionally these approaches have been focused on the network, but they can and should be applied to other parts of the IT system as well (start from email gateways). Email is the preferred channel for business communications and thus continues to be a vector of choice for attackers.
Threat Information Sharing Will Become Necessary for Survival. Security controls (SANS critical controls, ISO/IEC 27002, NIST Cybersecurity Framework, and the Cloud Controls Matrix) are safeguards that counteract or minimize security risks relating to digital property. The more you can automate a control, the better off you will be. Moving towards an adaptive and automated way of applying intelligence based on behavior and heuristics is clearly a step in the right direction, enabling a more actionable and relevant set of controls. Threat intelligence coming from a variety of sources (security companies, the government and the open source community) is needed. Key to the success is publishing intelligence in a variety of data structures (STIX, TAXII and other standard industry formats) to best describe threats in a way that can be aggregated and understood by others.
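An added example of what “automating a control” on shared intelligence can look like, not code from this blog or from any STIX tool: it reads a small threat feed written as a STIX 2.1 bundle (the JSON form that replaced the XML STIX 1.x of 2014; the bundle, indicator ids, addresses and hash below are constructed for this example), compiles the simple single-comparison indicator patterns into regular expressions, and runs them over a few constructed firewall, DNS and anti-virus log lines. Patterns that use AND/OR or other operators are outside what this small parser handles and are skipped rather than guessed at.

```python
"""Match STIX 2.1 indicator patterns against log lines (added example)."""
import json
import re

# Constructed sample feed: a minimal STIX 2.1 bundle as a sharing partner might publish it.
# Every id, address, domain and hash here is invented; none is a real IoC.
_HASH = "0123456789abcdef" * 4  # constructed 64-hex placeholder, not a real file hash
STIX_FEED = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-0000000000aa",
         "created": "2015-01-01T00:00:00.000Z", "modified": "2015-01-01T00:00:00.000Z",
         "name": "constructed C2 address", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '203.0.113.42']", "valid_from": "2015-01-01T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-0000000000bb",
         "created": "2015-01-01T00:00:00.000Z", "modified": "2015-01-01T00:00:00.000Z",
         "name": "constructed update domain", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'update.example.invalid']", "valid_from": "2015-01-01T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-0000000000cc",
         "created": "2015-01-01T00:00:00.000Z", "modified": "2015-01-01T00:00:00.000Z",
         "name": "constructed dropper hash", "pattern_type": "stix",
         "pattern": "[file:hashes.'SHA-256' = '" + _HASH + "']", "valid_from": "2015-01-01T00:00:00Z"},
    ],
})

# Constructed log lines from three different detectors.
LOGS = [
    "2015-01-05T10:00:01Z fw01 DENY src=10.0.0.7 dst=203.0.113.42 dport=443",
    "2015-01-05T10:00:03Z dns01 query host=update.example.invalid client=10.0.0.7",
    "2015-01-05T10:00:09Z av01 scanned sha256=" + _HASH + " path=C:\\Users\\a\\report.pdf",
    "2015-01-05T10:01:00Z fw01 ALLOW src=10.0.0.9 dst=198.51.100.1 dport=80",
]

# Subset of the STIX patterning grammar handled here: one comparison in square brackets.
_SINGLE_COMPARISON = re.compile(r"^\[\s*([\w-]+:[\w.'-]+)\s*=\s*'([^']*)'\s*\]$")


def compile_indicator(indicator):
    """Turn one STIX indicator into a matcher, or return None if unsupported."""
    m = _SINGLE_COMPARISON.match(indicator.get("pattern", ""))
    if indicator.get("type") != "indicator" or indicator.get("pattern_type") != "stix" or not m:
        return None
    path, value = m.group(1), m.group(2)
    lit = re.escape(value)
    # Anchor each value so 203.0.113.42 does not match inside 203.0.113.420 or 1203.0.113.42.
    if path == "ipv4-addr:value":
        rx = re.compile(r"(?<![\d.])" + lit + r"(?![\d.])")
    elif path == "domain-name:value":
        rx = re.compile(r"(?<![\w.-])" + lit + r"(?![\w.-])", re.IGNORECASE)
    elif path.startswith("file:hashes."):
        rx = re.compile(r"(?<![0-9a-fA-F])" + lit + r"(?![0-9a-fA-F])", re.IGNORECASE)
    else:
        return None
    return {"id": indicator["id"], "path": path, "value": value, "regex": rx}


def load_feed(bundle_json):
    """Parse a STIX bundle and keep the indicators this matcher understands."""
    compiled = []
    for obj in json.loads(bundle_json).get("objects", []):
        c = compile_indicator(obj)
        if c is not None:
            compiled.append(c)
    return compiled


def scan_logs(indicators, lines):
    """Return (line_index, indicator_id, matched_value) for every indicator hit."""
    hits = []
    for i, line in enumerate(lines):
        for ind in indicators:
            if ind["regex"].search(line):
                hits.append((i, ind["id"], ind["value"]))
    return hits


if __name__ == "__main__":
    for idx, ind_id, value in scan_logs(load_feed(STIX_FEED), LOGS):
        print(f"line {idx}: {value} matched {ind_id}")
```

The same loop would serve as a sink for a TAXII collection poll: each indicator object the server returns is compiled once and then applied to whatever log stream the control watches, which is the “aggregated and understood by others” property the paragraph asks for.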
More and more organizations are moving applications and data to IaaS/PaaS environments. Many enterprise IT departments have reason for concern: industry experts agree that moving sensitive data into the hands of third-party cloud providers expands and complicates the risk landscape in which companies operate every day. You need to understand cloud database security basics and more.
Today major players are embracing end-to-end encryption, so that about 50% of web traffic is carried over HTTPS. HTTPS everywhere will get a boost in 2015 as a new certificate authority – backed by big names on the internet including Mozilla, Cisco and Akamai – plans to offer SSL certificates at no charge starting summer 2015. This move will make it even easier for people to run encrypted, secure HTTPS websites.
Google is proposing to warn people that their data is at risk every time they visit websites that do not use HTTPS. If implemented, the change would mean that a warning would pop up when people visit a site that uses only HTTP, notifying them that such a connection “provides no data security”. In the short term, the biggest headache is likely to be faced by website operators, who will feel forced to migrate unencrypted HTTP websites to encrypted HTTPS.
You can’t trust that normal web security technologies will guarantee safety. Your HTTPS security will be manipulated more than before. End-to-end HTTPS is generally a good security addition for end users, but it does not solve all the problems. The increased use of HTTPS has made the life of IT departments harder, because normal firewalls can’t look inside encrypted HTTPS packets, so they can’t block potential security threats that are carried within HTTPS. There are special corporate firewall arrangements that can intercept HTTPS traffic (they perform a kind of man-in-the-middle attack that decrypts and re-encrypts the packets on the way). So SSL communications can be intercepted and broken.
3,110 Comments
Tomi Engdahl says:
Netflix Open-Sources Security Incident Management Tool
http://developers.slashdot.org/story/15/05/06/2253253/netflix-open-sources-security-incident-management-tool
Netflix has released under an open-source license an internal tool it developed to manage a deluge of security alerts and incidents. Called FIDO (Fully Integrated Defense Operation),
Netflix open-sources security incident management tool
http://www.networkworld.com/article/2918673/security/netflix-opensources-security-incident-management-tool.html
Netflix has released under an open-source license an internal tool it developed to manage a deluge of security alerts and incidents.
Called FIDO (Fully Integrated Defense Operation), the tool is designed to research, score and categorize threats in order to speed up handling of the most urgent ones.
Netflix started developing FIDO four years ago after finding it took from a few days to more than a week to resolve issues that were entered into its help-desk ticketing system, the company wrote in a blog post Monday.
It was a largely manual and labor intensive process. “As attacks increase in number and diversity, there is an increasing array of detection systems deployed and generating even more alerts for security teams to investigate,” it said.
Netflix has often opted to build its own tools to deal with specific problems with its massive delivery of video across the web. FIDO potentially competes with security information and event management systems on the market.
Tomi Engdahl says:
Introducing FIDO: Automated Security Incident Response
http://techblog.netflix.com/2015/05/introducing-fido-automated-security.html
We’re excited to announce the open source release of FIDO (Fully Integrated Defense Operation – apologies to the FIDO Alliance for acronym collision), our system for automatically analyzing security events and responding to security incidents.
The typical process for investigating security-related alerts is labor intensive and largely manual.
Netflix, like all organizations, has a finite amount of resources to combat this phenomenon, so we built FIDO to help. FIDO is an orchestration layer that automates the incident response process by evaluating, assessing and responding to malware and other detected threats.
The idea for FIDO came from a simple proof of concept a number of years ago. Our process for handling alerts from one of our network-based malware systems was to have a help desk ticket created and assigned to a desktop engineer for follow-up – typically a scan of the impacted system or perhaps a re-image of the hard drive. The time from alert generation to resolution of these tickets spanned from days to over a week.
Our help desk system had an API, so we had a hypothesis that we could cut down resolution time by automating the alert-to-ticket process. The simple system we built to ingest the alerts and open the tickets cut the resolution time to a few hours, and we knew we were onto something – thus FIDO was born.
Detection
FIDO’s operation begins with the receipt of an event via one of FIDO’s detectors. Detectors are off the shelf security products (e.g. firewalls, IDS, anti-malware systems) or custom systems that detect malicious activities or threats. Detectors generate alerts or messages that FIDO ingests for further processing. FIDO provides a number of ways to ingest events, including via API (the preferred method), SQL database, log file, and email. FIDO supports a variety of detectors currently (e.g. Cyphort, ProtectWise, CarbonBlack/Bit9) with more planned or under development.
Analysis and Enrichment
The next phase of FIDO operation involves deeper analysis of the event and enrichment of the event data with both internal and external data sources. Raw security events often have little associated context
In addition to querying internal sources, FIDO consults external threat feeds for information relevant to the event under analysis. The use of threat feeds help FIDO determine whether a generated event may be a false positive or how serious and pervasive the issue may be.
Correlation and Scoring
Once internal and external data has been gathered about a given event and its target(s), FIDO seeks to correlate the information with other data it has seen and score the event to facilitate ultimate disposition. The correlation component serves several functions – first – have multiple detectors identified this same issue? If so, it could potentially be a more serious threat. Second – has one of your detectors already blocked or remediated the issue (for example – a network-based malware detector identifies an issue, and a separate host-based system repels the same item)? If the event has already been addressed by one of your controls, FIDO may simply provide a notification that requires no further action.
Notification and Enforcement
In this phase, FIDO determines and executes a next action based on the ingested event, collected data, and calculated scores. This action may simply be an email to the security team with details or storing the information for later retrieval and analysis. Or, FIDO may implement more complex and proactive measures such as disabling an account, ending a VPN session, or disabling a network port. Importantly, the vast majority of enforcement logic in FIDO has been Netflix-specific.
Open Items & Future Plans
Netflix has been using FIDO for a bit over 4 years, and while it is meeting our requirements well, we have a number of features and improvements planned.
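The four FIDO phases quoted above (detection, enrichment, correlation and scoring, notification and enforcement) as an added, deliberately small Python pipeline. This is not FIDO’s code and the scoring weights, detector names, hosts, addresses and asset records are all constructed for the example; it only shows how the decisions the post describes fit together: two detectors reporting the same host and indicator raise the score, a hit that a host-based control already blocked drops to a notification, and an indicator unknown to the threat feed on a low-value asset is only logged as a possible false positive.

```python
"""FIDO-style alert triage: ingest, enrich, correlate, score, decide (added example)."""
from dataclasses import dataclass, field
from typing import List

# Constructed alerts as three different detectors might emit them.
RAW_ALERTS = [
    {"detector": "net-malware", "host": "ws-0042", "indicator": "203.0.113.42", "action": "alerted"},
    {"detector": "host-av", "host": "ws-0042", "indicator": "203.0.113.42", "action": "blocked"},
    {"detector": "net-malware", "host": "srv-db01", "indicator": "198.51.100.7", "action": "alerted"},
    {"detector": "ids", "host": "ws-0099", "indicator": "192.0.2.10", "action": "alerted"},
]

# Internal enrichment source (constructed asset inventory; criticality 1 = low, 3 = high).
ASSETS = {
    "ws-0042": {"owner": "alice", "criticality": 1},
    "srv-db01": {"owner": "dba-team", "criticality": 3},
}

# External enrichment source (constructed threat feed; the families are invented labels).
THREAT_FEED = {
    "203.0.113.42": {"family": "example-c2"},
    "198.51.100.7": {"family": "example-stealer"},
}


@dataclass
class Incident:
    host: str
    indicator: str
    detectors: List[str] = field(default_factory=list)
    already_blocked: bool = False
    owner: str = "unknown"
    criticality: int = 1
    feed_family: str = ""
    score: int = 0
    action: str = "log"


def correlate(raw_alerts):
    """Group alerts by (host, indicator) so repeat detections become one incident."""
    groups = {}
    for a in raw_alerts:
        inc = groups.setdefault((a["host"], a["indicator"]),
                                Incident(host=a["host"], indicator=a["indicator"]))
        inc.detectors.append(a["detector"])
        if a["action"] == "blocked":  # some control already remediated this one
            inc.already_blocked = True
    return list(groups.values())


def enrich(inc):
    """Attach asset context and threat-feed context to an incident."""
    asset = ASSETS.get(inc.host, {"owner": "unknown", "criticality": 1})
    inc.owner, inc.criticality = asset["owner"], asset["criticality"]
    inc.feed_family = THREAT_FEED.get(inc.indicator, {}).get("family", "")
    return inc


def score(inc):
    """Constructed weights: known-bad feed hit 50, each extra detector 10, criticality x10."""
    s = 50 if inc.feed_family else 0
    s += 10 * (len(inc.detectors) - 1)
    s += 10 * inc.criticality
    inc.score = s
    return s


def decide(inc):
    """Pick the next action; 'enforce' stands for FIDO's port/VPN/account measures."""
    if inc.already_blocked:
        inc.action = "notify"
    elif inc.score >= 70:
        inc.action = "enforce"
    elif inc.score >= 30:
        inc.action = "ticket"
    else:
        inc.action = "log"
    return inc.action


def run_pipeline(raw_alerts):
    incidents = [enrich(i) for i in correlate(raw_alerts)]
    for inc in incidents:
        score(inc)
        decide(inc)
    return incidents


if __name__ == "__main__":
    for inc in run_pipeline(RAW_ALERTS):
        print(f"{inc.host} {inc.indicator} detectors={inc.detectors} "
              f"score={inc.score} blocked={inc.already_blocked} -> {inc.action}")
```

The order of the stages matters for the false-positive question raised in the post: enrichment runs before scoring so that a feed miss and an unknown asset both pull the score down, and the already-blocked check runs before any enforcement so the system never acts twice on an issue a host-based control has already contained.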
Tomi Engdahl says:
FBI Releases Its Files On DEF CON: Not Amused By Spot-the-Fed
http://it.slashdot.org/story/15/05/06/2117251/fbi-releases-its-files-on-def-con-not-amused-by-spot-the-fed
Not surprisingly, the FBI has compiled reports on notorious hacker gathering DEF CON, now released thanks to a Freedom of Information Act request. The files detail the lack of amusement at the Spot-the-Fed game,
https://www.muckrock.com/foi/united-states-of-america-10/pet-15589/#comm-144789
Tomi Engdahl says:
F*cking DLL! Avast false positive trashes Windows code libraries
Avast there indeed, matey, wail admins as rogue guard dog savages their jugular
http://www.theregister.co.uk/2015/05/07/avast_false_positive_snafu/
A misfiring signature update from anti-virus developer Avast triggered all sorts of problems on Wednesday.
Avast acted promptly by withdrawing the definition update but not before numerous users had fallen foul of the problem. The withdrawn update incorrectly labelled various libraries (dlls) on Windows PCs as potentially malign, crippling software installations in the process. More specifically, legitimate programs were classified as something called the “Kryptik-PFA” trojan, shuffled off to quarantine and blocked.
Tomi Engdahl says:
Security bods gagged using DMCA on eve of wireless key vuln reveal
Somebody’s got a problem and doesn’t want it known
http://www.theregister.co.uk/2015/05/05/ioactive_security_research_gagging_order/
Researchers at IOActive have been slapped with a DMCA (Digital Millennium Copyright Act) gagging order a day before they planned to release information about security vulnerabilities in the kit of an as-yet unidentified vendor*.
A redacted version of the legal notice – posted on Google+ – has reignited the long standing debate about security vulnerability disclosure. The legal notice was issued by San Francisco lawyers Jones Day.
“To assert the DMCA there would have to be a credible case that IOActive has/is seeking to circumvent the protections on a copyrighted work. I think that’s a hard case to make,” said Matthew Green, in a series of updates to his Twitter account.
Tomi Engdahl says:
Choc Factory finds 84,000 ad injectors targeting Chrome
Policy crackdown sends slimeballs packing
http://www.theregister.co.uk/2015/05/07/google_ad_injectors/
Google spam abuse researcher Kurt Thomas says some 84,000 injectors and apps are targeting its Chrome web browser with dodgy advertising.
Thomas says the apps include 50,000 browser extensions and 34,000 applications which target Chrome to display revenue-generating ads within the sites that victims browse.
About a third of those identified in the study Ad Injection at Scale: Assessing Deceptive Advertisement Modifications [PDF], by boffins at the universities of California, Berkeley, and Santa Barbara, were “outright malicious”, he says.
“Upwards of 30 percent of these packages were outright malicious and simultaneously stole account credentials, hijacked search queries, and reported a user’s activity to third parties for tracking,” Thomas says.
“In total, we found 5.1 percent of page views on Windows and 3.4 percent of page views on Mac that showed tell-tale signs of ad injection software.
New Research: The Ad Injection Economy
http://googleonlinesecurity.blogspot.com.au/2015/05/new-research-ad-injection-economy.html
Ad injectors’ businesses are built on a tangled web of different players in the online advertising economy. This complexity has made it difficult for the industry to understand this issue and help fix it. We hope our findings raise broad awareness of this problem and enable the online advertising industry to work together and tackle it.
Considering the tangle of different businesses involved—knowingly, or unknowingly—in the ad injector ecosystem, progress will only be made if we raise our standards, together. We strongly encourage all members of the ads ecosystem to review their policies and practices so we can make real improvement on this issue.
Tomi Engdahl says:
IETF updates TLS/SSL best practice guidance
Staunch HEARTBLEED, kick POODLE and make it to lunch on time
http://www.theregister.co.uk/2015/05/07/ietf_updates_tlsssl_best_practice/
Do: start rolling TLS 1.3, support TLS 1.2, and DTLS 1.2. Don’t: negotiate sessions using TLS 1, TLS 1.1, SSL 2 or SSL 3.
Those are the Internet Engineering Task Force’s latest recommendations, set out in RFC 7525, Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS).
The document (authors Yaron Sheffer of Intuit, Ralph Holz of National ICT Australia and Peter Saint-Andre of &yet) is a response to attacks on TLS and SSL (including the notorious Heartbleed and POODLE bugs).
As the document states, “These are minimum recommendations for the use of TLS in the vast majority of implementation and deployment scenarios, with the exception of unauthenticated TLS”.
Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)
https://www.rfc-editor.org/rfc/rfc7525.txt
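An added example of applying the RFC 7525 “do / don’t” list from a client’s side with Python’s standard `ssl` module; it is not code from The Register or the IETF. The context refuses to negotiate anything below TLS 1.2, keeps certificate and hostname verification on, disables TLS compression, and restricts cipher suites to AEAD suites with (EC)DHE key exchange, which is the RFC’s preferred combination. The `context_summary` helper exists only so the settings can be inspected without opening a connection; `negotiation_allowed` encodes the version list quoted above (TLS 1.3 is listed as acceptable here because it has since been standardized, which the 2015 article could only anticipate).

```python
"""A client-side TLS context following RFC 7525 recommendations (added example)."""
import ssl

# Versions RFC 7525 says must not be negotiated, and versions it recommends.
REJECTED_VERSIONS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
RECOMMENDED_VERSIONS = {"TLSv1.2", "DTLSv1.2", "TLSv1.3"}  # TLS 1.3 added after the article

# Substrings that mark cipher suites RFC 7525 advises against (RC4, NULL, MD5, DES/3DES, export).
_WEAK_MARKERS = ("RC4", "NULL", "MD5", "DES", "EXPORT", "ADH", "AECDH")


def negotiation_allowed(version_name):
    """True only for versions on the RFC's recommended list."""
    return version_name in RECOMMENDED_VERSIONS and version_name not in REJECTED_VERSIONS


def rfc7525_client_context(cafile=None):
    """Build a client SSLContext that follows the RFC 7525 minimum recommendations.

    cafile is an optional CA bundle path; with None the platform trust store is used.
    """
    # create_default_context() already enables certificate verification and hostname checking.
    ctx = ssl.create_default_context(cafile=cafile)
    # Don't negotiate SSLv2/3, TLS 1.0 or TLS 1.1.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # TLS-level compression enables the CRIME attack; RFC 7525 says to disable it.
    ctx.options |= ssl.OP_NO_COMPRESSION
    # Forward-secret key exchange with AEAD (AES-GCM) suites only, in OpenSSL cipher syntax.
    ctx.set_ciphers("ECDHE+AESGCM:DHE+AESGCM")
    return ctx


def weak_ciphers_enabled(ctx):
    """Names of any enabled suites that carry a weak-cipher marker (should be empty)."""
    return [c["name"] for c in ctx.get_ciphers()
            if any(marker in c["name"] for marker in _WEAK_MARKERS)]


def context_summary(ctx):
    """Report the settings that matter for RFC 7525 without opening a connection."""
    return {
        "min_version": ctx.minimum_version.name,
        "compression_disabled": bool(ctx.options & ssl.OP_NO_COMPRESSION),
        "verify_required": ctx.verify_mode == ssl.CERT_REQUIRED,
        "check_hostname": ctx.check_hostname,
        "weak_ciphers": weak_ciphers_enabled(ctx),
        "forward_secret_only": all(c["name"].startswith(("ECDHE", "DHE", "TLS_"))
                                   for c in ctx.get_ciphers()),
    }


if __name__ == "__main__":
    for key, value in context_summary(rfc7525_client_context()).items():
        print(f"{key}: {value}")
```

The `TLS_` prefix in the forward-secrecy check covers the TLS 1.3 suites that OpenSSL lists alongside the configured ones; TLS 1.3 only offers (EC)DHE key exchange, so those suites are forward secret by construction. Wrapping a socket with `ctx.wrap_socket(sock, server_hostname=host)` is then enough for the client side of the exchange, since any server that only offers a rejected version fails the handshake.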
Tomi Engdahl says:
Santa Clara County Opts Against Buying Stingray Due To Excessive Secrecy
http://yro.slashdot.org/story/15/05/07/0310221/santa-clara-county-opts-against-buying-stingray-due-to-excessive-secrecy
The Santa Clara County (California) Board of Supervisors voted in February to acquire a Stingray device for the sheriff’s office. However, the subsequent negotiations with Harris Corp. required such a level of secrecy that the county announced that it will forego the $500,000 grant and not buy the device.
Santa Clara County drive to acquire cellphone tracker derailed
http://www.mercurynews.com/bay-area-news/ci_28062742/santa-clara-county-drive-acquire-cell-phone-tracker
After officials pressed for more disclosure about top-secret cellphone tracking technology — including a call to publicly draft a policy regarding its use — Santa Clara County could not reach a contract agreement with its manufacturer and will not be purchasing the device.
In a memo released Wednesday, the County Executive’s Office said “after lengthy negotiations regarding contract terms, including business and legal issues,” an agreement could not be reached with the manufacturer, the Harris Corp.
As a result, “the system will not be purchased at this time,” and the work group focused on drafting a use policy will be disbanded.
Tomi Engdahl says:
Apple security program, MacKeeper, celebrates difficult birthday
http://www.itworld.com/article/2919295/apple-security-program-mackeeper-celebrates-difficult-birthday.html
MacKeeper, a utility and security program for Apple computers, celebrated its fifth birthday in April. But its gift to U.S. consumers who bought the application may be a slice of a $2 million class-action settlement.
Released in 2010, MacKeeper has been dogged by accusations that it exaggerates security threats in order to convince customers to buy. Its aggressive marketing has splashed MacKeeper pop-up ads all over the web.
Under the settlement terms, ZeoBIT would put $2 million into a fund for those who want a refund, but admit no fault, which is customary in such settlements. It has yet to be approved by a judge.
MacKeeper was wildly lucrative for ZeoBIT. As many as 650,000 consumers bought it in the U.S., according to documents filed in the suit. At $39.95 per copy, ZeoBIT would have made $26 million in revenue in the U.S. alone.
Tomi Engdahl says:
Researcher: Drug Infusion Pump Is the “Least Secure IP Device” He’s Ever Seen
http://it.slashdot.org/story/15/05/06/2215205/researcher-drug-infusion-pump-is-the-least-secure-ip-device-hes-ever-seen
This is a bad month for the medical equipment maker Hospira. First, security researcher Billy Rios finds a raft of serious and remotely exploitable holes in the company’s MedNet software, prompting a vulnerability alert from ICS CERT. Now, one month later, ICS CERT is again warning of a “10 out of 10” critical vulnerability, this time in Hospira’s LifeCare PCA drug infusion pump. The problem? According to this report by Security Ledger the main problem was an almost total lack of security controls on the device.
“The only thing I needed to get in was an interest in the pump,”
an FTP server that could be accessed without authentication and an embedded web server that runs Common Gateway Interface (CGI). That could allow an attacker to tamper with the pump’s operation using fairly simple scripts. Also: The PCA pump stores wireless keys used to connect to the local (medical device) wireless network in plain text on the device.
Vulnerability Summary for CVE-2015-3459
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3459
Hospira Lifecare PCA infusion pump running “SW ver 412” does not require authentication for Telnet sessions, which allows remote attackers to gain root privileges via TCP port 23.
Access Vector: Network exploitable
Access Complexity: Low
Authentication: Not required to exploit
Impact Type: Allows unauthorized disclosure of information; Allows unauthorized modification; Allows disruption of service
Tomi Engdahl says:
Researcher: Drug Pump the ‘Least Secure IP Device I’ve Ever Seen’
Posted by: Paul May 5, 2015 11:42
https://securityledger.com/2015/05/researcher-drug-pump-the-least-secure-ip-device-ive-ever-seen/
In-brief: A researcher studying the workings of a wireless-enabled drug infusion pump by the firm Hospira said the device utterly lacked security controls, making it “the least secure IP enabled device” he had ever worked with. His research prompted a warning from the Department of Homeland Security.
The warning (CVE-2015-3459), which DHS rated “10 out of 10” for severity, is just the latest involving serious software flaws in Hospira infusion pumps and could allow someone with physical access to a Hospira LifeCare PCA 3 model pump and minimal technical knowledge to gain total control over the device. The quantity and severity of the flaws prompted the researcher who discovered them, Jeremy Richards, to call the PCA 3 pump “the least secure IP enabled device” he has ever worked with.
Hospira did not respond to requests for comment prior to publication.
What he found was shocking. Among other things, Richards noted that the device was listening on Telnet port 23. Connecting to the device, he was brought immediately to a root shell account that gave him total, administrator level access to the pump.
“The only thing I needed to get in was an interest in the pump,” he said.
the security ledger “medical device”
https://securityledger.com/?s=medical+device
University of Minnesota’s Technological Leadership Institute, released a draft Use Case document (PDF) on December 18 to help health care providers “secure their medical devices on an enterprise networks.”
Tomi Engdahl says:
Age guessing with Microsoft is FUN! Now give us your metadata
Netizens snigger as MS boffins advertise services on the back of data slurp
http://www.theregister.co.uk/2015/05/01/microsoft_facial_recognition_age_estimation_metadata_harvesting
Microsoft has unwrapped a metadata-slurping website powered by user-uploaded pictures which pretends to be a fun age-guessing game.
While the page’s inability to accurately guess users’ ages might seem an amusing cock-up on Redmond’s part, the machine learning boffins who set up the page are content to slurp up the JavaScript Object Notation metadata of the photographs users are uploading, and process it to advertise Microsoft’s services.
An invitation extended to the internet-at-large to help Satya Nadella sell his services to all comers has been duly answered by social media users, ever-keen to jump on the new meme bandwagon as early as possible.
Fun with ML, Stream Analytics and PowerBI – Observing Virality in Real Time
http://blog.how-old.net/
Tomi Engdahl says:
Dan Goodin / Ars Technica:
Actively exploited WordPress bug puts millions of sites at risk
http://arstechnica.com/security/2015/05/actively-exploited-wordpress-bug-puts-millions-of-sites-at-risk/
XSS vulnerability allows attackers to take full control of unpatched sites.
Millions of websites running WordPress are at risk of hijacking attacks thanks to a vulnerability that is actively being exploited in the wild and is present in the default installation of the widely used content management system, security researchers warned Wednesday.
The cross-site scripting (XSS) vulnerability resides in genericons, a package that’s part of a WordPress theme known as Twenty Fifteen that’s installed by default, according to a blog post published Wednesday by security firm Sucuri. The XSS vulnerability is “DOM based,” meaning it resides in the document object model that’s responsible for how text, images, headers, and links are represented in a browser. The Open Web Application Security Project has much more about DOM-based XSS vulnerabilities here.
DOM-based XSS attacks require the target to click a malicious link, a limitation that greatly lowers their severity. Still, once an administrator takes bait while logged into a vulnerable WordPress installation, the attackers can gain full control of the site.
Tomi Engdahl says:
Wall Street Journal:
US federal appeals court rules NSA’s bulk collection of telephone metadata is not authorized by Patriot Act
http://www.wsj.com/article_email/appeals-court-rules-nsa-phone-program-not-authorized-by-patriot-act-1431005482-lMyQjAxMTA1MDA2NzcwNTc0Wj
Tomi Engdahl says:
Oracle has finished Java 7’s updates and security fixes. For normal users this is not a big deal, but for developers the cessation of support can be a problem. However, Oracle also sells technical support for Java 7 to developers.
For basic users Java has been updated automatically since the beginning of the year. Oracle now encourages all users to upgrade to Java 8.
Java 9 will arrive next year; according to Oracle, the release takes place in September next year. The biggest change in Java will be that the source code becomes modular.
Source: http://etn.fi/index.php?option=com_content&view=article&id=2797:java-7-ei-saa-enaa-korjauksia&catid=13&Itemid=101
Tomi Engdahl says:
9 things you may be doing that make you the perfect target for a hacker
http://uk.businessinsider.com/9-things-youre-doing-that-make-you-a-perfect-target-for-hackers-2015-5?op=1
Your password is too obvious
You don’t use two-step authentication
You use free Wi-Fi
You enter private data on unsecure websites
You made a purchase from a questionable online auction
You opened an attachment
You clicked a link and entered personal information without checking the URL
You use the same password for multiple services
You’re human
Tomi Engdahl says:
Defenders of the web: The people behind 7 influential security companies
http://www.businessinsider.com/7-important-cybersecurity-companies-2015-5?op=1
Kaspersky Lab: Eugene Kaspersky
FireEye: Dave DeWalt
Palo Alto Networks: Nir Zuk
Cylance: Stuart McClure
Group-IB: Dmitry Volkov
Trustwave: Robert McCullen
Avast: Vincent Steckler
Tomi Engdahl says:
Advance network security, support system monitoring
http://www.controleng.com/single-article/advance-network-security-support-system-monitoring/d3aac1b93404c2a5995503167fb43c41.html
Cyber security: Applications can improve power reliability and reduce energy costs by advancing network security and supporting system monitoring. Allowing network access raises cyber security concerns. Five defense-in-depth measures can help.
“Defense in depth” is a strategy to establish variable barriers across multiple levels in the organization to secure the ICS. These barriers include electronic countermeasures such as:
1. Establish firewalls to add stringent and multifaceted rules for communication between various network segments and zones in the ICS network.
2. Create demilitarized zones from the established firewall by grouping critical components and isolating them from the traditional business IT network.
3. Deploy intrusion detection and prevention systems that focus on identifying possible incidents in an ICS network.
4. Establish well-documented and continuously reviewed policies, procedures, standards, and guidelines regarding ICS network security.
5. Implement continuous assessment and security training to ensure the security of the ICS and the safety of the people who depend on it.
Tomi Engdahl says:
Security in automation: Smartphone might be the greatest threat
http://www.controleng.com/single-article/security-in-automation-smartphone-might-be-the-greatest-threat/a2832ec148cdfc6c98b64785b396592e.html
Smartphones have made access to information easy and thus increase security risk for critical information. It requires constant and holistic attention to understand the patterns of attacks and raise awareness with organizations.
Attack precedents and patterns
A certain pattern can be identified from both of these attacks, which are quite similar in execution. For example, in case of the Dragonfly, Symantec outlines three phases of the attack:
1. “The first phase of Dragonfly’s attacks consisted of the group sending malware in phishing emails to personnel in target firms.
2. In the second phase, the group added watering hole attacks to its offensive, compromising websites likely to be visited by those working in the energy sector in order to redirect them to websites hosting an exploit kit. The exploit kit in turn delivered malware to the victim’s computer.
3. The third phase of the campaign was the Trojanizing of legitimate software bundles belonging to three different ICS equipment manufacturers.”
Guy walks into his workplace—with a smartphone!
The diagram outlines one of the many attack scenarios where a smartphone infected by a dedicated hacker can cause damage to the enterprise systems. Courtesy: Intech Process Automation
And amidst this chaos, imagine an oil and gas (or for that matter, any industrial) employee walking into his work place with a smartphone in his hand!
One can’t deny the utility of these marvels of technology. Smartphones have become prolific in industrial enterprises, and with the constant flow of data, staying up to date with critical information has become significant. With the advent of emerging mega-trends in the industry like industrial Internet, digital oilfield, and Internet of Things (IoT), more and more data is being generated and floated by instruments rather than people. Solutions providers have now begun to furnish customized mobile applications that give instant access to energy, production, and related critical information and analytics where real-time and historical data, KPIs, alarms, trends, scorecards, and GEO SCADA visualization is made available on almost all platforms.
So in essence, smartphones are no different from the personal computer, and that magnifies the threat in comparison to a PC. All the work-related tasks that you can perform on a PC can be performed easily on a smartphone. There is no difference between the two for the user. And there is no difference between the two for the attacker. The higher frequency of accessing and sending information from a smartphone (as compared to a PC), and the disregard for security measures on the smartphone from the user as well as the enterprise, makes the smartphone an ideal target for the attackers to infiltrate your enterprise and threaten your systems.
To ensure better security, adopt a strategy composed of the following key elements:
1. The right policies: Ask yourself whether your organization has the right policy (or a policy at all) that provides guidelines to employees about smartphone usage. Are your employees aware of the threat to their smartphones and, consequently, to your enterprise’s systems?
2. The right plans: What is your strategy to implement the policy and ensure that the implementation is consistent throughout? Is your smartphone security plan designed to protect and support the technologies of today and the future?
3. The right products: Do you have the right products to implement your smartphone security plan? Can they provide the desired level of security, performance, and quality of service that you desire?
4. The right processes: How will you manage your smartphone security infrastructure and ensure constant monitoring, testing, and adaptation?
5. The right people: Do you have the right people who have the skill set that forms a strategic fit between your policies and plans and your products and processes?
Smartphone security remains a tricky issue for organizations. Attackers can only be battled by instigating an organization-wide cultural drive that promotes smartphone security consciousness, responsibility, and responsiveness. It requires constant and holistic attention because hackers are relentlessly following where the money and information are.
Tomi Engdahl says:
Validation among insecurities
http://www.controleng.com/single-article/validation-among-insecurities/9b60eb2efad86aeb80a125d5092771f0.html
Network security: Implement a secure patch management approach for industrial controls. Today’s industrial control system (ICS) threats can target outdated systems or careless errors on the network. Securing connected machines in the industrial sector has complexities that differ from protecting a business datacenter.
Cyber security risk: Operations, reputation
Patching ICS vulnerabilities
Do-it-yourself patch management
Validated patch management
Failed patch strategies
Securing connected machines
Key concepts
Industrial control systems (ICS) need a different approach to patch management than IT systems.
Cyber security risk assessment should include cost of operational downtime and to reputation.
A validated patch management system while managing outdated hardware and software can be part of a proactive lifecycle management plan to avoid costly forced downtime.
Tomi Engdahl says:
Wireless security: Port-based security, EAP, AKM
http://www.controleng.com/single-article/wireless-security-port-based-security-eap-akm/edad8ac45ba2c02d5cb9303f534ca08e.html
Tutorial on cyber security for wireless networks: Authentication and key management (AKM) is the term used to describe the process of IEEE 802.1X/EAP authentication and subsequent encryption key generation and is a major component of extensible authentication protocols (EAP) and IEEE 802.1X. Each time a client associates or re-associates, the entire AKM process must occur, which results in an extremely secure and robust wireless network. Learn the 4-way authentication handshake.
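The tutorial above only names the 4-way handshake; the following is an added example, written for this page and not taken from the Control Engineering article, that walks through the key material the handshake produces for WPA2/CCMP: the IEEE 802.11 PRF, the PTK derived from PMK, both MAC addresses and both nonces, and the Key MIC (descriptor version 2, HMAC-SHA1 truncated to 16 bytes) that lets each side check the other's EAPOL-Key frames. The PMK, MAC addresses and nonces are constructed values, the key info words are the ones commonly seen for messages 1 to 3, and the message 3 key data is a placeholder string rather than a real RSN IE and wrapped GTK.

```python
import hashlib
import hmac
import struct

# Byte offset of the Key MIC field in an EAPOL-Key frame:
# EAPOL header (4) + descriptor type (1) + key info (2) + key length (2)
# + replay counter (8) + key nonce (32) + key IV (16) + key RSC (8) + key ID (8) = 81
MIC_OFFSET = 81
MIC_LEN = 16


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 PRF-n: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ... until nbytes."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """PTK for WPA2/CCMP (PRF-384). Min/Max ordering makes both sides derive the same key.
    KCK authenticates the EAPOL frames, KEK wraps the GTK in message 3, TK encrypts data frames."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


def build_eapol_key_frame(key_info: int, replay_counter: int, nonce: bytes, key_data: bytes = b"") -> bytes:
    """RSN EAPOL-Key frame (descriptor type 2) with the MIC field zeroed; IV/RSC/ID left zero for brevity."""
    body = struct.pack("!BHHQ", 2, key_info, 16, replay_counter)   # key length 16 = CCMP
    body += nonce + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8
    body += b"\x00" * MIC_LEN
    body += struct.pack("!H", len(key_data)) + key_data
    return struct.pack("!BBH", 2, 3, len(body)) + body            # EAPOL version 2, type 3 = EAPOL-Key


def _zero_mic(frame: bytes) -> bytes:
    return frame[:MIC_OFFSET] + b"\x00" * MIC_LEN + frame[MIC_OFFSET + MIC_LEN:]


def sign_frame(kck: bytes, frame: bytes) -> bytes:
    """Descriptor version 2 MIC: HMAC-SHA1 over the frame with the MIC zeroed, truncated to 16 bytes."""
    mic = hmac.new(kck, _zero_mic(frame), hashlib.sha1).digest()[:MIC_LEN]
    return frame[:MIC_OFFSET] + mic + frame[MIC_OFFSET + MIC_LEN:]


def verify_frame(kck: bytes, frame: bytes) -> bool:
    expected = hmac.new(kck, _zero_mic(frame), hashlib.sha1).digest()[:MIC_LEN]
    return hmac.compare_digest(expected, frame[MIC_OFFSET:MIC_OFFSET + MIC_LEN])


def four_way_handshake(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """Messages 1-3 as each side sees them (message 4 is a MIC-only acknowledgement, omitted)."""
    # Msg 1: AP -> STA carries ANonce in the clear; there is no key yet, so no MIC.
    msg1 = build_eapol_key_frame(0x008A, 1, anonce)
    # The station now has PMK, both MACs and both nonces: it can derive the PTK.
    sta = derive_ptk(pmk, aa, spa, anonce, snonce)
    # Msg 2: STA -> AP carries SNonce, authenticated with the station's KCK.
    msg2 = sign_frame(sta["kck"], build_eapol_key_frame(0x010A, 1, snonce))
    # The AP derives the same PTK from the received SNonce and checks the MIC before continuing.
    ap = derive_ptk(pmk, aa, spa, anonce, snonce)
    msg2_ok = verify_frame(ap["kck"], msg2)
    # Msg 3: AP -> STA repeats ANonce and carries key data (placeholder here), MIC under the AP's KCK.
    msg3 = sign_frame(ap["kck"], build_eapol_key_frame(0x13CA, 2, anonce, key_data=b"<RSN IE + wrapped GTK>"))
    msg3_ok = verify_frame(sta["kck"], msg3)
    return {"ptk_sta": sta, "ptk_ap": ap, "msg1": msg1, "msg2": msg2, "msg3": msg3,
            "msg2_ok": msg2_ok, "msg3_ok": msg3_ok}


# Constructed inputs for the demo, not values from a real capture.
PMK = hashlib.sha256(b"constructed-pmk").digest()
AA = bytes.fromhex("001122334455")      # authenticator (AP) address
SPA = bytes.fromhex("66778899aabb")     # supplicant (station) address
ANONCE = hashlib.sha256(b"constructed-anonce").digest()
SNONCE = hashlib.sha256(b"constructed-snonce").digest()

if __name__ == "__main__":
    r = four_way_handshake(PMK, AA, SPA, ANONCE, SNONCE)
    print("TK:", r["ptk_sta"]["tk"].hex(), "| msg2 MIC ok:", r["msg2_ok"], "| msg3 MIC ok:", r["msg3_ok"])
```

Two things worth noticing when running it: the derivation is symmetric, so either party can compute the PTK once it holds both nonces, and a frame signed under a PTK derived from the wrong PMK (a wrong passphrase, in WPA2-PSK terms) fails the MIC check at message 2, which is exactly where a real AP rejects a bad client.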
Tomi Engdahl says:
NSA domestic dragnet NOT authorised by Patriot Act, rules US Appeals Court
Act isn’t a get-out-of-jail-free card for NSA
http://www.theregister.co.uk/2015/05/07/nsa_metadata_snooping_legal_reversal/
The NSA’s bulk collection of Americans’ phone call records may be illegal, a US federal appeals court has ruled.
The US Second Circuit Court of Appeal unanimously ruled that the NSA’s bulk telephone metadata program was not authorised by section 215 of the Patriot Act, voiding an earlier ruling by a lower court. The US District Court for the Southern District of New York dismissed a legal challenge to the NSA dragnet surveillance program. Judge Vernon S Broderick ruled that section 215 of the Patriot Act was a statutory scheme that precludes judicial review.
Tomi Engdahl says:
$7500 DDoS extortion hitting Aussie, Kiwi enterprises
Pay up or we’ll send up to 400Gbps your way
http://www.theregister.co.uk/2015/05/08/ddos_hitting_oz_nz/
New Zealand Internet Task Force (NZITF) chair Barry Brailey is warning Australian and New Zealand enterprises to be on the lookout for distributed denial of service extortion attacks demanding payment of up to AU$7500.
Brailey says criminals are hitting big organisations on both sides of the Tasman that have a large online presence with payment gateways at gaming outfits and retail shops a favourite target.
Net scum are to date failing to deliver the promised 400 Gbps DDoS payloads with mere 10 Gbps attacks being received by non-payers.
“They seem to be targeting enterprises with large online direct cash-generating payment gateways,” Brailey says.
Tomi Engdahl says:
Cisco plugs remote code execution flaw in UCS Central control freak
No workarounds means you’ll patch or die trying
http://www.theregister.co.uk/2015/05/08/cisco_ucs_vulnerability/
Cisco has patched a remote code execution bug that could give attackers root privileges on its Unified Computing System (UCS) Central software used by more than 30,00 organisations.
The UCS data centre server platform joins hardware, virtualisation, networking and software into one system. Versions 1.2 and below are affected.
The Borg says the vulnerability (CVE-2015-0701) rates the maximum 10 severity rating due to its low exploitation requirements and “complete” impact to confidentiality, integrity and availability.
“A vulnerability in the web framework of Cisco UCS Central Software could allow an unauthenticated, remote attacker to execute arbitrary commands on an affected device,” it says in an advisory.
The Borg says patches for the bug are available but warns there are no workarounds.
Tomi Engdahl says:
Almost EVERY SAP install hackable, researchers say
Even worse when you tinker with it.
http://www.theregister.co.uk/2015/05/08/sap_95_percent_vulnerable/
A staggering 95 percent of enterprise SAP installations contain high-severity vulnerabilities that could allow systems to be hijacked, researchers say.
Researchers from SAP security tools vendor Onapsis say attackers can target the SAP installs to pivot from low to high integrity systems, execute admin privilege commands, and create J2EE backdoors.
Onapsis chief executive Mariano Nunez says the 250,000 SAP customers are exposed for an average of 18 months from when vulnerabilities surface, with SAP taking some 12 months to develop patches.
“The big surprise is that SAP cyber security is falling through the cracks at most companies due to a responsibility gap between the SAP operations team and the IT security team,” Nunez says.
“The truth is that most patches applied are not security-related, are late or introduce further operational risk.”
Tomi Engdahl says:
Google survey finds more than five million users infected with adware
http://www.theverge.com/2015/5/6/8557843/google-adware-survey-ad-injectors-security-malware
Ad-injecting malware is one of the most reliable scams on the web. Once a computer’s infected, the virus will drop new ads into any site it visits, sending ad revenue back to the scammers who control it. Users may even know the name of the program, but they’re powerless to remove it. According to new research from Google and UC Berkeley, the scam is still going strong, despite more than a decade of work to stamp it out.
Tomi Engdahl says:
Security is an Industry of Priorities
http://www.securityweek.com/security-industry-priorities
For many reasons you’ve heard and read about, security is a very difficult space. Prioritizing is an unenviable job many security professionals must do every day – do you go live with a product on time, or do you hold it to fix that security bug which could cause a catastrophic failure? The answer is nuanced, as we all know well, and while I think we all would love it if we never had to answer that question, it’s a reality. Sure, security should have been built into the thing well before release was even within sight – but you know, time, money, priorities …
When I think about security on the endpoint I put these tools into their functional categories. Prevention, detection, response and recovery are the four functional categories that most easily define the space, most any space. Prevention is self-evident, as is detection. Response focuses on what happens after you’ve detected something malicious and recovery focuses on restoration of steady state. Given that there are nearly no tools that do recovery well, that category falls to the wayside (for now). As it turns out, nearly none of the tools out there perform effectively across the three remaining categories! Most are concentrated either on prevention, or detection and response. This is very distressing.
If I put myself in the shoes of the enterprise buyer who is faced with staffing and talent challenges (I won’t call it a shortage, for now) my head starts to spin. Of course I want to buy tools that automate as much of the defensive cycle as possible, intelligently, while extending my few precious human resources. Do I spend my budgetary dollars on prevention – knowing that is not 100% (or even close) and I’ll need to buy additional tools for detection, response and recovery?
This is an impossible choice.
While I love the innovation that happens when a product space micro-segments like this, I long for the days of consolidation when many of these stand-alone products become features in a larger suite of tools.
There is a Mike Tyson quote that goes something like “Everyone has a plan until they get punched in the face” and at first blush that sounds like a strategy is worthless in the face of an incident. I think it’s quite the opposite. Once we understand our priorities, have the right people and tools that suit our strategy, there is a framework for how we will react when we get punched in the face. Sure, incidents are the equivalent of a sucker-punch you never expect, but your strategy should account for things you can’t plan for.
Tomi Engdahl says:
CyberLock, IOActive Argue Over Disclosure of Electronic Lock Flaws
http://www.securityweek.com/cyberlock-ioactive-argue-over-disclosure-electronic-lock-flaws
Security firm IOActive has published an advisory detailing some vulnerabilities in electronic locks from CyberLock. The lock maker is not happy about it and even attempted to prevent the disclosure of the security bugs with a DMCA notice.
The CyberLock key-centric access control system consist of electronic lock cylinders and programmable smart keys, or CyberKeys. The product can be used to secure doors, gates, trucks, shipping containers, and other assets.
IOActive researcher Mike Davis has identified several security issues in CyberLock’s product. After some reverse engineering, the expert discovered that keys can be cloned using a site key obtained by intercepting communications between the key and the lock. These site keys, which can be recovered from the cylinder, are stored in clear text.
Tomi Engdahl says:
Where is the Android DDoS Armageddon?
http://www.securityweek.com/where-android-ddos-armageddon
This January, I won a long-standing bet with my colleague, Pete Silva, about the Android Armageddon. Every year since 2010, industry pundits have been predicting an apocalypse of Android malware that would wreak havoc on the Internet, with DDoS attack bots numbering in the tens of millions. With a billion Android devices now connected to the Internet, there is certainly potential for mischief on a massive scale. However, the predictions have perennially missed the mark.
2015 won’t be the year of the Android DDoS Armageddon, either.
For those interested in mobile DDoS, the Google report includes just one tiny mention (in a graph on page 27), indicating that just 0.25% of the malware detected outside the Google Play store had DDoS abilities.
So, according to Google, mobile DDoS isn’t a thing. Of course, because Google owns Android, it is in their interest to present its security in the best possible light.
The most recent Verizon report validates Google’s claims even while damning it with faint praise. First, let it be clear that in spite of Google’s lofty claims in their 40+ page report, there is a ton of Android malware out there. With regard to malware, the 2015 Verizon Data Breach Investigation Report states, “Android wins so hard that most of the suspicious activity logged from iOS devices was just failed Android exploits.”
But, according to the report, the vast majority of that malware is adware. Once this “low-grade” type of malware is removed, only 0.03% of mobile devices per week are getting infected with truly malicious malware.
Tomi Engdahl says:
Attackers Actively Exploiting Flaw That Exposes Millions of WordPress Sites
http://www.securityweek.com/attackers-actively-exploiting-flaw-exposes-millions-wordpress-sites
Malicious actors are actively exploiting a DOM-based cross-site scripting (XSS) vulnerability that could potentially affect a large number of WordPress plugins and themes, Sucuri has warned.
According to the security firm, the flaw exists in the genericons icon font package. WordPress plugins and themes that use this package are vulnerable if the “example.html” file that comes with the package is present.
One of the affected plugins is JetPack, which has over one million active installs. TwentyFifteen, a WordPress theme that is installed by default is also impacted, Sucuri reported.
In order to exploit the DOM-based XSS vulnerability, an attacker needs to trick the victim into clicking on an exploit link. However, this aspect doesn’t seem to discourage malicious actors since they are already exploiting the zero-day flaw in the wild.
Fixing the bug is an easy task, Sucuri said. Website administrators simply need to remove the “example.html” file or block access to it via their web application firewall (WAF) or intrusion detection system (IDS).
https://wordpress.org/plugins/jetpack/
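Both genericons items above (the Ars Technica piece and this SecurityWeek one) boil down to the same operational fact: the vulnerable code lives in a demo page, example.html, that ships inside the genericons package and has no business being served from a production site, and Sucuri's fix is simply to remove it or block access to it. The script below is an added example, not code from Sucuri, WordPress or any of the plugins named, that inventories a wp-content tree for every genericons/example.html under themes/ and plugins/ and optionally deletes them. The directory layout it builds for the demo is constructed; in particular the sub-path used for Jetpack is an assumption, not the plugin's real layout.

```python
import shutil
import tempfile
from pathlib import Path


def find_genericons_examples(wp_content: str) -> list:
    """Relative paths of every genericons/example.html shipped inside themes/ or plugins/."""
    root = Path(wp_content)
    hits = []
    for area in ("themes", "plugins"):
        base = root / area
        if not base.is_dir():
            continue
        for path in base.rglob("example.html"):
            # Only the copy that sits inside a genericons directory is the Sucuri-reported file.
            if path.is_file() and path.parent.name == "genericons":
                hits.append(path.relative_to(root).as_posix())
    return sorted(hits)


def remove_paths(wp_content: str, rel_paths: list, dry_run: bool = True) -> list:
    """Delete the listed files (the fix Sucuri describes). Dry-run by default so the list can be reviewed."""
    removed = []
    for rel in rel_paths:
        target = Path(wp_content) / rel
        if not dry_run:
            target.unlink()
        removed.append(rel)
    return removed


def build_sample_tree() -> str:
    """Constructed wp-content layout for the demo; the Jetpack sub-path is assumed, not the plugin's own."""
    root = tempfile.mkdtemp(prefix="wp-content-")
    for rel in (
        "themes/twentyfifteen/genericons/example.html",    # shipped with the default theme
        "themes/twentyfifteen/genericons/genericons.css",  # the icon font itself: keep it
        "plugins/jetpack/_inc/genericons/example.html",    # assumed location inside a plugin
        "plugins/akismet/readme.txt",
        "uploads/2015/05/example.html",                    # same file name, unrelated to genericons
    ):
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("constructed sample\n")
    return root


def demo() -> tuple:
    """Scan the sample tree, delete the hits, rescan. Returns (hits_before, hits_after)."""
    root = build_sample_tree()
    try:
        before = find_genericons_examples(root)
        remove_paths(root, before, dry_run=False)
        after = find_genericons_examples(root)
    finally:
        shutil.rmtree(root)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("found:", before)
    print("after removal:", after)
```

Against a live site, run find_genericons_examples on the real wp-content directory and review the list before calling remove_paths with dry_run=False; plugin and theme updates can reintroduce the file, so the scan belongs in whatever post-update check the site already runs. Where the file cannot be deleted, the alternative Sucuri names is to block requests for it at the WAF.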
Tomi Engdahl says:
Robotic surgery: How safe is it?
http://phys.org/news/2010-06-robotic-surgery-safe.html
Researchers hack a teleoperated surgical robot to reveal security flaws
May 07, 2015 by Jennifer Langston
Real-world teleoperated robots, which are controlled by a human who may be in another physical location, are expected to become more commonplace as the technology evolves. They’re ideal for situations that are dangerous for people: fighting fires in chemical plants, diffusing explosive devices or extricating earthquake victims from collapsed buildings.
Outside of a handful of experimental surgeries conducted remotely, doctors typically use surgical robots today to operate on a patient in the same room using a secure, hardwired connection. But telerobots may one day routinely provide medical treatment in underdeveloped rural areas, battlefield scenarios, Ebola wards or catastrophic disasters happening half a world away.
In two recent papers, UW BioRobotics Lab researchers demonstrated that next generation teleoperated robots using nonprivate networks—which may be the only option in disasters or in remote locations—can be easily disrupted or derailed by common forms of cyberattacks. Incorporating security measures to foil those attacks, the authors argue, will be critical to their safe adoption and use.
http://phys.org/news/2015-05-hack-teleoperated-surgical-robot-reveal.html
Tomi Engdahl says:
Engineers hacked this robot ‘surgery’
University of Washington
Posted by Jennifer Langston-Washington on May 8, 2015
http://www.futurity.org/hacking-robotic-surgery-916672/
Like safety testers who crash cars with the goal of improving their safety, engineers have hacked a next-generation teleoperated surgical robot.
The researchers hacked the robot—one used only for research purposes—to test how easily a malicious attack could hijack remotely controlled operations in the future and to make those systems more secure.
Outside of a handful of experimental surgeries conducted remotely, doctors typically use surgical robots today to operate on a patient in the same room using a secure, hardwired connection.
In two recent papers, University of Washington’s BioRobotics Lab researchers demonstrated that next generation teleoperated robots using nonprivate networks—which may be the only option in disasters or in remote locations—can be easily disrupted or derailed by common forms of cyberattacks.
By mounting “man in the middle” attacks, which alter the commands flowing between the operator and robot, the team was able to maliciously disrupt a wide range of the robot’s functions—making it hard to grasp objects with the robot’s arms—and even to completely override command inputs. During denial-of-service attacks, in which the attacking machine flooded the system with useless data, the robots became jerky and harder to use.
Tomi Engdahl says:
Photobucket Hackers Nabbed, Face Serious Charges From US Authorities
http://slashdot.org/story/15/05/10/0133218/photobucket-hackers-nabbed-face-serious-charges-from-us-authorities
The U.S. Department of Justice said in a statement released Friday that two men, Brandon Bourret, and Athanasios Andrianakis, of Colorado Springs, Colorado and Sunnyvale, California, respectively, were arrested for their sale of software designed to breach the security of photo-sharing site Photobucket.com; their “Photofucket” app, says the linked Register report, was used “to plunder Photobucket’s users’ private and password-protected information, images and video”
Two Men Who Breached Photobucket.com Indicted and Arrested on Conspiracy and Fraud Related Charges
http://www.justice.gov/opa/pr/two-men-who-breached-photobucketcom-indicted-and-arrested-conspiracy-and-fraud-related
The conspirators developed, marketed and sold a software application called Photofucket, which allowed viewers to circumvent the privacy settings of the image and video hosting website at Photobucket.com and to access and copy users private and password protected information, images and videos without authorization. The conspirators used Photofucket to obtain guest passwords to access users’ password protected albums. They also transferred, or caused to be transferred, guest passwords to others who paid to use the Photofucket application.
“It is not safe to hide behind your computer, breach corporate servers and line your own pockets by victimizing those who have a right to protected privacy on the internet,” said U.S. Attorney Walsh. “The U.S. Attorney’s Office is keenly focused on prosecuting those people for their theft — and for the wanton harm they do to innocent internet users.”
“Unauthorized access into a secure computer system is a serious federal crime,” said Special Agent in Charge Ravenelle. “The arrest of Brandon Bourret and his co-conspirator reflects the FBI’s commitment to investigate those who undertake activities such as this with the intent to harm a company and its customers.”
Tomi Engdahl says:
Ex-NSA bloke: ‘I love Apple products, I just wish they were secure’
Plus: Chocolate Factory is still hanging on to stale pale males
http://www.theregister.co.uk/2015/05/10/quotw_ending_8_may/
Infosec bod Patrick Wardle laid into Apple for its lame security practices. The former NSA researcher, when asked to describe Sir Jony’s darlings, had this to say:
The state of OS X malware is amateur, even basic. It relies on trivially detectable persistence mechanisms and generally relies on infecting users via social engineering tricks such as offering “free [but infected] copies of PhotoShop”.
Tomi Engdahl says:
Malvertising strikes on dozens of top adult sites
https://blog.malwarebytes.org/malvertising-2/2015/05/malvertising-strikes-on-dozens-of-top-adult-sites/
We have been observing a very large malvertising campaign affecting dozens of top adult sites over the past week. All these attacks have a common element, a Flash based infection via a rogue advertiser abusing the AdXpansion ad network.
Flash exploit
It consists of ActionScript3 code containing deceiving module names (i.e. _SafeStr_1). This Flash file is also quite different from most Flash exploits we see and could easily be overlooked as legitimate.
The malware payload may vary but could result in multiple different malicious binaries dropped via a Neutrino-like EK (credit Kafeine).
It is interesting to see the trend of exploit kits taking the appearance of advertisers by leveraging Flash for serving the ‘creative’ and exploit in one single package. It is a minimalist type of approach which seems to work quite efficiently.
Tomi Engdahl says:
Smart grid security WORSE than we thought
OSGP’s DIY MAC is a JOKE
http://www.theregister.co.uk/2015/05/11/smart_grid_security_worse_than_we_thought/
Don’t try crypto at home, kids: the Open Smart Grid Protocol project rolled its own crypto and ended up with something horribly insecure.
This paper at the International Association for Cryptologic Research explains big issues with the OSGP crypto protocol deployed in as many as four million smart meters and devices.
The digest has a bunch of flaws, they write:
Zero-byte message padding “results in messages with any number of trailing zeroes sharing the same tag”; and
The relationship between the OMA digest’s state and the message is fully reversible.
The upshot is that the OMA digest is “extremely weak, and cannot be assumed to provide any authenticity guarantee whatsoever”.
One attack needed just 13 queries to an OMA oracle to recover the 96-bit secret key; “a more sophisticated version breaks the OMA digest with only 4 queries and a time complexity of about 2^25 simple operations”
Dumb Crypto in Smart Grids:
Practical Cryptanalysis of the Open Smart Grid Protocol
https://eprint.iacr.org/2015/428.pdf
Tomi Engdahl says:
Small WordPress sites leaking like sieves
Login-stealing C&C server spotted
http://www.theregister.co.uk/2015/05/11/small_wordpress_sites_leaking_like_sieves/
WordPress admins hoping for some feet up time after last week’s Twenty Fifteen XSS plugin vulnerability appear to have yet another vulnerability to handle.
Researchers at Zscaler have identified a bunch of compromised sites that are all leaking user credentials to the same target domain – conyouse.com hosts the command and control.
The researchers haven’t yet identified which particular vulnerability is being used to invade the WordPress sites under attack. Most of the domains in their list look to El Reg like they’re managed by individuals or small community groups
Zscaler’s blog post notes: “The compromised sites run backdoor code, which activates when the user submits login credentials. The credentials are encoded and sent to an attacker website in the form of a GET request. Till now, we have identified only one domain “conyouse.com” which is collecting all the credentials from these compromised sites.”
The vulnerable sites serve up login pages with JavaScript injected to do the credential-stealing. The code is in a wp.js file,
Get patching.
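The detail worth acting on in the Zscaler item is the exfiltration channel: credentials typed into wp-login.php are encoded and sent as a GET request to a third-party host. That is visible in an outbound web-proxy log, so the following added example (not Zscaler's code, and not derived from the injected wp.js itself) flags GET requests to hosts other than the site's own whose query parameters base64-decode to text containing WordPress login field names (log, pwd). The log format, the first-party host names, the request path and parameter name on the collection domain, and the base64 encoding are all assumptions for the constructed sample; only the domain conyouse.com comes from the article. Real backdoors may use a different encoding, so treat the decoder as one detector among several.

```python
import base64
import binascii
from urllib.parse import parse_qsl, urlsplit

# Hosts the site itself may legitimately send login data to (constructed for the example).
FIRST_PARTY = {"www.example-blog.org", "example-blog.org"}
# Field names wp-login.php submits; these appearing in data bound for a third party is the signal.
CREDENTIAL_MARKERS = ("log=", "pwd=", "user_login", "user_pass")


def _try_base64(value: str):
    """Decode URL-safe or standard base64 with or without padding; return text or None."""
    try:
        padded = value + "=" * (-len(value) % 4)
        raw = base64.urlsafe_b64decode(padded.replace("+", "-").replace("/", "_"))
        return raw.decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None


def inspect_request(method: str, url: str):
    """Return a finding for a GET to a non-first-party host carrying encoded login fields, else None."""
    if method.upper() != "GET":
        return None
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not host or host in FIRST_PARTY:
        return None
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        decoded = _try_base64(value)
        if decoded and any(marker in decoded for marker in CREDENTIAL_MARKERS):
            return {"host": host, "param": name, "decoded": decoded}
    return None


def scan_proxy_log(lines) -> list:
    """Constructed log format: '<epoch> <client> <method> <url> <status>'."""
    findings = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue
        hit = inspect_request(fields[2], fields[3])
        if hit:
            hit["client"] = fields[1]
            findings.append(hit)
    return findings


def _b64(text: str) -> str:
    return base64.urlsafe_b64encode(text.encode()).decode().rstrip("=")


# Constructed sample log. conyouse.com is the collection domain Zscaler named;
# the path and parameter name are assumptions for this example.
SAMPLE_LOG = [
    "1431300000.123 10.0.0.5 POST https://www.example-blog.org/wp-login.php 302",
    "1431300000.456 10.0.0.5 GET http://conyouse.com/collect.php?d=" + _b64("log=admin&pwd=Sup3rSecret!") + " 200",
    "1431300001.001 10.0.0.7 GET https://www.example-blog.org/wp-content/themes/twentyfifteen/style.css 200",
    "1431300002.002 10.0.0.7 GET https://cdn.example-cdn.net/jquery.min.js?ver=" + _b64("1.11.3") + " 200",
]

if __name__ == "__main__":
    for f in scan_proxy_log(SAMPLE_LOG):
        print(f"{f['client']} -> {f['host']} param={f['param']} decoded={f['decoded']!r}")
```

The CDN line shows why the marker check matters: plenty of legitimate query values decode as valid base64, so "decodes cleanly" alone would be noisy. On the server side, the complementary check is diffing the served login page against a clean copy of the theme for script tags you did not put there.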
Tomi Engdahl says:
Michael Mimoso / Threatpost:
Numerous security holes found in Open Smart Grid networking protocol used by over 4M smart power meters — Weak Homegrown Crypto Dooms Open Smart Grid Protocol — In the three years since its inception, the Open Smart Grid Protocol has found its way into more than four million smart meters and similar devices worldwide.
Weak Homegrown Crypto Dooms Open Smart Grid Protocol
https://threatpost.com/weak-homegrown-crypto-dooms-open-smart-grid-protocol/112680
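The first of the two OSGP flaws quoted in the Register item above (and revisited in this Threatpost one) is easy to reproduce in miniature: if a MAC pads its input with zero bytes and never binds the message length, then a message and the same message with any number of trailing zero bytes share one tag, so a valid tag on one command authenticates a different byte string. The code below is an added example written for this page; the toy digest is constructed to exhibit exactly that padding defect and is not the OMA digest, and the paper's other results (a reversible state, key recovery in a handful of queries) are not modelled. The key and command bytes are constructed values. Beside the flawed toy it shows the same toy with injective padding (0x80 marker, zero fill, 64-bit length) and the construction the meter should have used, HMAC over a standard hash.

```python
import hashlib
import hmac
import struct

BLOCK = 8  # bytes per block of the toy digest


def _absorb(padded: bytes) -> int:
    """XOR the padded message into a one-block state; the keyed finalisation happens in the callers."""
    state = 0
    for i in range(0, len(padded), BLOCK):
        state ^= int.from_bytes(padded[i:i + BLOCK], "big")
    return state


def toy_tag_zero_pad(key: bytes, msg: bytes) -> bytes:
    """Toy MAC with the OSGP-style defect: zero-byte padding to a block boundary and no length field,
    so M, M||00, M||00 00, ... all yield the same tag. Constructed illustration, not the OMA digest."""
    padded = msg + b"\x00" * (-len(msg) % BLOCK)
    return hashlib.sha256(key + _absorb(padded).to_bytes(BLOCK, "big")).digest()[:8]


def toy_tag_length_pad(key: bytes, msg: bytes) -> bytes:
    """Same toy with unambiguous padding: 0x80 marker, zero fill, then the message length in the last block.
    Distinct messages now always produce distinct padded strings."""
    padded = msg + b"\x80"
    padded += b"\x00" * (-(len(padded) + 8) % BLOCK)
    padded += struct.pack(">Q", len(msg))
    return hashlib.sha256(key + _absorb(padded).to_bytes(BLOCK, "big")).digest()[:8]


def hmac_tag(key: bytes, msg: bytes) -> bytes:
    """What a meter should use instead of home-grown digests: a standard MAC over a standard hash."""
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


def verify(tag_fn, key: bytes, msg: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(tag_fn(key, msg), tag)


def forgery_demo(tag_fn, key: bytes, cmd: bytes) -> bool:
    """Tag cmd, then present cmd with two trailing zero bytes under that same tag.
    True means the altered byte string is accepted, i.e. the padding is ambiguous."""
    tag = tag_fn(key, cmd)
    altered = cmd + b"\x00\x00"
    return altered != cmd and verify(tag_fn, key, altered, tag)


KEY = bytes.fromhex("00112233445566778899aabb")   # 96 bits, the OSGP key size; constructed value
CMD = b"SET RELAY 1 OPEN"                          # constructed command string

if __name__ == "__main__":
    for name, fn in (("zero-pad toy", toy_tag_zero_pad),
                     ("length-pad toy", toy_tag_length_pad),
                     ("HMAC-SHA256", hmac_tag)):
        print(f"{name:15s} trailing-zero forgery accepted: {forgery_demo(fn, KEY, CMD)}")
```

Whether a trailing-zero variant is harmful depends on the receiver's parser: a firmware that treats the zero bytes as a terminator sees the same command, one that reads a fixed-width field after the text sees a different one. Either way the MAC has stopped doing its job, which is why padding that is not injective disqualifies a MAC regardless of how the rest of the digest looks.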
Tomi Engdahl says:
Nicole Perlroth / New York Times:
Obama’s 2013 plan to curb online espionage falls short as most prosecutions under Economic Espionage Act involve passing trade secrets without hacking
An Obama Plan to Stop Foreign Hackers Has Mixed Results
http://bits.blogs.nytimes.com/2015/05/10/an-obama-plan-to-stop-foreign-hackers-has-had-mixed-results/?_r=0
Two years ago, the Obama administration announced a new strategy to curb online espionage.
The five-point strategy came after a 2013 article in The New York Times about how the newspaper had been breached by Chinese hackers. The Times, working with a security company, also concluded that thousands of other American companies had been hacked by a Chinese military unit in Shanghai.
The White House said it would increase public awareness of the threat, encourage the private sector to increase its defenses, focus diplomacy on protecting trade secrets overseas, improve trade secret theft legislation and make investigations and prosecutions of corporate and state-sponsored trade secret theft a top priority.
Since then, public awareness is up and so is spending. But the hacking continues.
The private sector spent $665 million on data loss prevention last year, according to the technology research firm Gartner, with a 15 percent increase expected this year. On the legislative front, Congress strengthened penalties for those convicted under the Economic Espionage Act, raising the maximum fine for individuals convicted to $5 million from $500,000. And in terms of law enforcement, the F.B.I. lists digital crime, including intrusions that result in trade secret theft, as its third priority, just behind terrorism and counterintelligence. The agency reported a 60 percent increase in trade secret investigations from 2009 through 2013.
Tomi Engdahl says:
Automation eases the pain of software patching
Cure your fear of updates
http://www.theregister.co.uk/2015/05/11/how_to_ease_the_pain_of_software_patching/
The three biggest challenges for IT managers are security, reliability and performance. Ideally, an organisation’s software will excel at all three but in practice we know that isn’t true.
Even the best-laid software development plans let bugs through which can cause problems in all these areas. So patching the organisation’s software is key.
Patching application and operating system software is often seen just as a way to eliminate security flaws, but it can also create a more efficient system by preventing performance bugs and memory leaks. It is a crucial part of any corporate IT security strategy, but unfortunately for IT managers it is also difficult to do.
The Australian Government Department of Defence found that operating system and application patching could have stopped 85 per cent of all security incidents it experienced, when used alongside application whitelisting and restricting administrative privileges.
It identified application and operating system patching as essential for security, but also ranked them as medium or high in terms of upfront cost (including equipment and technical complexity) and maintenance. Staff costs figured heavily in both these areas.
Simply put, patch management is complex, time consuming and hard to document when carried out manually.
One of the biggest is support for a larger variety of devices. The hardware and software landscape is getting ever more complex and everything from VoIP phones to IP cameras and barcode scanners must be managed in a modern environment.
That can be difficult because the standards to identify and deploy patches for such a broad array of devices don’t exist. In many cases, it may involve direct, scripted interaction through a Linux or Unix command line terminal.
For now at least, this is the cutting edge of the patch management landscape and it is where organisations will rely heavily on human interaction.
Strategies to Mitigate Targeted Cyber Intrusions
http://www.asd.gov.au/infosec/top-mitigations/mitigations-2014-table.htm
Tomi Engdahl says:
America and Europe could be coming to terms on mutual data sharing
PRISM being primed for permanence
http://www.theinquirer.net/inquirer/news/2407875/us-and-europe-could-be-coming-to-terms-on-mutual-data-sharing
THE US AND EUROPEAN UNION may be close to a mutually acceptable relationship on citizens’ data and its sharing.
The current situation is not really mutually acceptable, and pretty much everyone knows it. German chancellor Angela Merkel knows it. The courts know it, and the community knows it. Heck, even president Obama knows it.
“There’s no doubt that the Snowden revelations damaged the impressions of Germans with respect to the US government and our intelligence cooperation,”
Tomi Engdahl says:
Shannon Pettypiece / Bloomberg Business:
Report: Cyber attacks costs US healthcare system $6B annually; nearly 90% of healthcare providers were hit by breaches in the past two years
Rising Cyber Attacks Costing Health System $6 Billion Annually
http://www.bloomberg.com/news/articles/2015-05-07/rising-cyber-attacks-costing-health-system-6-billion-annually
A rise in cyber attacks against doctors and hospitals is costing the U.S. health-care system $6 billion a year as organized criminals who once targeted retailers and financial firms increasingly go after medical records, security researchers say.
Criminal attacks against health-care providers have more than doubled in the past five years, with the average data breach costing a hospital $2.1 million, according to a study today from the Ponemon Institute, a security research and consulting firm. Nearly 90 percent of health-care providers were hit by breaches in the past two years, half of them criminal in nature, the report found.
While intrusions like ones exposing millions of consumers at health insurer Anthem Inc. and hospital operator Community Health Systems Inc. have increased risk awareness, most of their peers are still unprepared for sophisticated data attacks, security experts have said.
“The health-care industry is being hunted and hacked by the elite financial criminal syndicates that had been targeting large financial institutions until they realized health-care databases are more valuable,”
Thieves can use that information to take out a loan or open up a line of credit in the victim’s name, or for medical identity theft, where the victim’s insurance ID is used by an impostor seeking free medical care.
About half of health-care organizations surveyed by Ponemon said they didn’t have sufficient technology to prevent or quickly detect a breach, or the personnel with the necessary technical expertise.
“The organizations are getting better, but it is a slow-moving train,”
The numbers this year are already in excess of last year’s, after hackers accessed almost 80 million records from Anthem and 11 million from the health insurer Premera Blue Cross.
Data is resold on private forums that specialize in selling stolen credit cards or Social Security numbers, or on the dark web, where users’ identities are hidden and transactions are done anonymously in Bitcoins
Tomi Engdahl says:
Ariana Eunjung Cha / Washington Post:
As fitness wearables and sensors become more pervasive, important questions remain about privacy and the usefulness of health data tracking
The Human Upgrade
The revolution will be digitized
http://www.washingtonpost.com/sf/national/2015/05/09/the-revolution-will-be-digitized/
Spearheaded by the flood of wearable devices, a movement to quantify consumers’ lifestyles is evolving into big business with immense health and privacy ramifications
Once, Smarr was most renowned as the head of the research lab where Marc Andreessen developed the Web browser in the early 1990s. Now 66, Smarr is the unlikely hero of a global movement among ordinary people to “quantify” themselves using wearable fitness gadgets, medical equipment, headcams, traditional lab tests and homemade contraptions, all with the goal of finding ways to optimize their bodies and minds to live longer, healthier lives — and perhaps to discover some important truth about themselves and their purpose in life.
In the aggregate data being gathered by millions of personal tracking devices are patterns that may reveal what in the diet, exercise regimen and environment contributes to disease.
“As we have more and more sophisticated wearables that can continuously measure things ranging from your physical activity to your stress levels to your emotional state, we can begin to cross-correlate and understand how each aspect of our life consciously and unconsciously impacts one another,”
Most extreme are “life loggers,” who wear cameras 24/7 , jot down every new idea and record their daily activities in exacting detail. Their goal is to create a collection of information that is an extension of their own memories.
Some physicians, academics and ethicists criticize the utility of tracking as prime evidence of the narcissism of the technological age — and one that raises serious questions about the accuracy and privacy of the health data collected, who owns it and how it should be used.
Critics point to the brouhaha in 2011, when some owners of Fitbit exercise sensors noticed that their sexual activity — including information about the duration of an episode and whether it was “passive, light effort” or “active and vigorous” — was being publicly shared by default.
“Health and fitness have become the new social currency, spawning a ‘worried well’ generation,” he wrote in an opinion piece in the April issue of BMJ, the former British Medical Journal.
Until about three years ago, it was nearly impossible for ordinary people to get a readout about the state of their bodies on a regular basis.
Tomi Engdahl says:
Also, open source software is susceptible to new network dangers, as the Heartbleed bug showed last year. Code quality is an important factor in how well errors, and thus their drawbacks, can be fought. In this field Linux stacks up very well.
Normally, the threshold for high-quality code is considered to be one mistake per thousand lines of code. For Linux kernel code, the error number is 0.55. Linux is thus almost twice the quality of code that is usually considered the highest quality.
This has not always been so.
In 2007, the Linux kernel consisted of nearly 3.5 million lines of code. 425 bugs were identified, and 217 of them were repaired. Now the kernel has almost 20 million lines of code
Source: http://etn.fi/index.php?option=com_content&view=article&id=2803:linux-koodissa-on-vahan-virheita&catid=13&Itemid=101
Tomi Engdahl says:
Martin Beck / Marketing Land:
TweetDeck Adds Tweet Confirmation To Help Prevent Social Media Misfires — Optional extra step should help social media professionals avoid accidental tweets to the wrong account. — It’s a social media pro’s worst nightmare: posting a personal tweet on a brand account.
TweetDeck Adds Tweet Confirmation To Help Prevent Social Media Misfires
Optional extra step should help social media professionals avoid accidental tweets to the wrong account.
http://marketingland.com/tweetdeck-installs-a-backstop-128335
Tomi Engdahl says:
The Best-Paying IT Security Jobs of 2015
http://it.slashdot.org/story/15/05/11/1616220/the-best-paying-it-security-jobs-of-2015
It’s no secret that tech pros with extensive IT security backgrounds are in high demand, especially in the wake of last year’s high-profile hacks of major companies such as Sony and Home Depot. Which security-related job pays the most? According to a new analysis of Dice salary data, a lead software security engineer can expect to earn an average of $233,333 in 2015, followed by a director of security, who can expect to earn $200,000
While many subfields of IT security prove quite lucrative, there are also other jobs that earn below the average for tech pros. Security analysts will make an average of $59,880 this year, for instance, while security installation technicians—because somebody needs to install the cameras and sensors—can expect to earn $31,680.
Best-Paying IT Security Jobs of 2015
http://insights.dice.com/2015/05/11/best-paying-it-security-jobs-of-2015/
Tomi Engdahl says:
Worker fired for disabling GPS app that tracked her 24 hours a day [Updated]
“This intrusion would be highly offensive to a reasonable person,” lawsuit says.
http://arstechnica.com/tech-policy/2015/05/worker-fired-for-disabling-gps-app-that-tracked-her-24-hours-a-day/
A Central California woman claims she was fired after uninstalling an app that her employer required her to run constantly on her company issued iPhone—an app that tracked her every move 24 hours a day, seven days a week.
The suit, which claims invasion of privacy, retaliation, unfair business practices, and other allegations, seeks damages in excess of $500,000 and asserts she was monitored on the weekends when she was not working.
Arias’ boss “scolded” her for uninstalling the app shortly after being required to use it, according to the suit. Her attorneys said the woman made $7,250 per month and that she “met all quotas” during a brief stint with Intermex last year.
“This intrusion would be highly offensive to a reasonable person,”
Tomi Engdahl says:
Hackers cook up Breaking Bad themed ransomware to fire attacks down under
Malware demands Oz-based users pay £500 to unencrypt own files
http://www.theinquirer.net/inquirer/news/2407998/hackers-cook-up-breaking-bad-themed-ransomware-to-fire-attacks-down-under
Tomi Engdahl says:
A New Role in IT – The Mobile Strategist
http://www.securityweek.com/new-role-it-mobile-strategist
Today, the average number of mobile apps accessed daily is more than double the average number of times an employee logs into legacy systems each day. Clearly, mobile adoption in the enterprise is not plateauing any time soon, nor is the threat associated with mobile.
As a wide variety of mobile devices and applications continue to infiltrate the enterprise, organizations have been forced to rethink their approach to security. The issue is so great that many organizations are creating a new role to deal with the era of mobile. Dubbed the mobile strategist,
With 68 percent of organizations having already experienced security breaches as a result of a compromised mobile device, this new role will play a crucial part in mobile data security. The mobile strategist must consider not only how to implement BYO devices and applications in the enterprise, but how to do so in a secure fashion. It’s vital that the mobile strategist maintain visibility throughout the entire organization, considering user experience, mobility, technology integration and security at every step.
This can be a daunting task, especially in the BYOD era, as the mobile strategist is entirely responsible for unifying mobile, securing the data and the meeting end-user productivity needs.
Mobile strategists should prioritize the data over the device, drastically shifting how mobile in the enterprise is approached.
Mobile teams need to deploy a device-agnostic strategy that focuses on business processes and apps used in the enterprise. In an ever-changing mobile landscape, teams must get above the device and incorporate security into the user workflows from day one.
Tomi Engdahl says:
NSA Asked Germany to Spy on Tech Giant Siemens: Report
http://www.securityweek.com/nsa-asked-germany-spy-tech-giant-siemens-report
The US intelligence agency NSA asked its German partner service BND to spy on the European country’s engineering and technology giant Siemens, a German newspaper reported Sunday.
In the latest report on a widening spying scandal, the newspaper said the US National Security Agency (NSA) suspected that Siemens was supplying communications technology to a Russian secret service, said the newspaper, citing unnamed US intelligence sources.
The “BND affair” — in which the German service allegedly also spied on the Airbus Group, the French government and the European Commission for the NSA — has rattled Chancellor Angela Merkel’s government and angered some of Germany’s European partners.
Fugitive US intelligence contractor Edward Snowden, who is living in hiding in Russia, told Germany’s news weekly Spiegel that the latest reports show that “massive surveillance is a reality”.
“Industrial espionage is practiced and the intelligence services are working beyond the control of the representatives of the people and of justice,” said Snowden.