Security trends for 2015

Year 2014 is coming to an end, so it is time to look forward to what to expect from 2015 in cyber security.

Cyber security will get harder year by year. Year 2014 was much worse than 2013. The Heartbleed, Bash, and POODLE vulnerabilities were just the beginning of what to expect in 2015. I expect that 2014 was easy compared to what 2015 will be. 2015 will prove to be a challenging year for IT security professionals. Attacks can happen anywhere and at any time, and they don’t have to be major attacks by nation states. They could come from inside or outside.

According to Gartner and SecurityWeek, total information security spending will grow a further 8.2 percent in 2015 to reach $76.9 billion. Unfortunately, security investments are not keeping up with IT enhancements that are continuously widening our attack surface and making systems more vulnerable. As computer software has become the backbone of modern civilization, “hacktivists”, organized cyber criminals, state-sponsored cyber attackers, and terrorist organizations try to exploit design flaws and weaknesses in applications in order to embarrass corporations and government agencies, and to commit fraud.

Despite the high profile CryptoLocker takedown, ransomware scams remain an all-too-real threat. Crooks are developing more sophisticated encryption schemes to support their fraud.

The steady flow of software security issues will keep making headlines in 2015. Serious security flaws will be found in both open source and proprietary software.

There are many people looking for a good process to develop secure software, because after-the-fact band-aiding is not a sustainable approach. If the same methods continue to be used to develop the software, retrospectively adding tests, then there will only be a very modest reduction in the flow of problems. Processes exist but have yet to be broadly applied for developing reliable and secure networking software. Traditional methods used to develop software continue to result in high failure rates. Why create insecure security?

Year 2014 was a year of cybersecurity after the NSA revelations made in 2013. There were lots of articles related to the material published. Not everything has yet been published, so I would expect new details of the NSA revelations to be published in 2015 as well. So I expect some new information leaks on how governmental security organizations spy on us all.

It seems like year 2014 has almost been “The Year of PoS Breaches.” Can We Learn from Big Breaches? At least companies will also face more stringent regulations: the new Payment Card Industry Data Security Standard 3.0 (PCI 3.0) will be mandatory for all businesses that store, process or transmit payment card information beginning 1 January 2015. The revamped standard includes requirements aimed at third party providers, and the changes follow a string of high profile breaches. I expect that those new requirements will not result in any quick change to the situation. As breach reports keep coming in, consumers are officially starting to get breach fatigue, and banks are taking breached companies to court to pay for the damages caused to them.

Public and private organizations are facing an increasing frequency and sophistication of cyber-attacks and security breaches – many of which are only discovered after the fact. McAfee Labs’ 2015 Threats Predictions report is an eye-opening read which forecasts increased levels of crime, espionage and warfare operations. Cybercriminals are expected to use more sophisticated methods to remain hidden on a victim’s network, carrying out long-term theft of data without detection.

The article Get Ready For The Hack Attack That Drives A Big Company Out Of Business predicts that 2015 will be the year that some company goes out of business because it didn’t plan adequately for an attack. In the past, the most sophisticated hacks against companies were carried out by big nation-states or criminal organizations. In 2014 the Sony Pictures hack happened and showed that the motives of sophisticated hackers have changed from self-gain to destruction. Many company officers are only now becoming aware of the threat (boards of directors and C-level officers have traditionally been focused on other threats). A computerized attack can cause a lot of damage to a well prepared company, and can turn a not so well prepared company into a complete disaster it can’t recover from. The Sony attack opens new doors of risk in the area of corporate extortion.

As the Internet of Things becomes more and more used, it will be hacked more. Thus the security of the Internet of Things will be talked about more and more. IoT is one field where cyber security flaws can kill. The European Police Office (Europol) said governments are ill-equipped to counter the menace of “injury and possible deaths” spurred by hacking attacks on critical safety equipment. There are many potential dangers in transportation: many new cars are Internet connected and potentially vulnerable, SCADA Systems in Railways Vulnerable to Attack and Airline bosses ignore cyber security concerns at their peril. Whether it is an unintentional cyber incident or a deliberate attack, security continues to be a vital part of the automation industry and it will remain, with safety, a growing area of concern for manufacturers in the coming years. Security awareness is on the rise throughout the industry. Security is becoming a business enabler that can provide manufacturers more than just an insurance policy.

Soon almost every network will have IoT hacking in it. IDC predicts that within two years 90 per cent of global IT networks will have experienced IoT data theft. In a report, cybersecurity firm Fortinet expects greater threats from “denial of service attacks on assembly line, factory, industrial control systems, and healthcare and building management…resulting in revenue losses and reputation damages for organizations globally.” This opens new doors of risk in the areas of corporate extortion, altering of corporate business operations, and the extension of cyberattacks to include physical threats of harm to civilians.

Cyber warfare is becoming more and more attractive to small nations and terrorist groups. Enabled by Internet connectivity, cyber war provides more bang for the buck than investment in conventional weapons. It is cheaper for and far more accessible to small nation-states than conventional weapons. It allows these countries to pull off attacks with less risk of getting caught and without the repercussions when they are caught. There are many reasons why a nation-state or non-state entity would pursue a cyber war program, and today many countries large and small invest in cyber warfare. Recent cyber attacks suggest that fewer resources are required to wage an attack than to defend against one. As the whole world gets connected, it only provides more of what makes these attacks possible. In the not-too-distant future, warfare with traditional weaponry may take a backseat to potentially more destructive tactics: computer code attacking the companies and infrastructures, including electric grids and oil and gas pipelines, that society relies on.

It was estimated that the first online murder would happen in 2014. It did not seem to happen in 2014 as far as I know. I think it is likely that an online murder could happen in 2015. The tools for this to happen are available. A cyber-murder could happen without us knowing about it.

Mobile devices will be one of the focal points for cyber-attackers in 2015, as they present relatively easy, low-risk points of entry that can be monitored remotely for passwords, account numbers, and personal identification data. It is still relatively easy to get malicious applications published in application stores. Within the next year advanced mobile exploit kits will become available.

Mobile devices will start to play a part in denial of service attacks. Vietnam, India and Indonesia will be the distributed denial of service volcanoes of next year due to the proliferation of pwned mobiles.

Year 2014 brought encryption to mainstream smart phones (new encryption features from Apple Inc. and Google Inc.). In 2015 government organizations will try to tackle a very modern problem: password-protected encrypted cellphones. It will be a fight over surveillance as everyone starts to implement encryption.

Long predicted but always seeming to be “just around the corner,” mobile payments may finally have arrived. The underlying technologies of the coming mobile payment revolution – and alternative solutions – have been emerging for some time. Technologies playing a supporting role in this shift include encryption advances, digital currencies, biometrics, NFC, Bluetooth, QR codes, and even the use of sound wave data transfer. There will also be products marketed to prevent the different kinds of potential threats these new technologies can cause.

There is a never-ending battle between good and evil in the cyber world. Various types of attacks are successful because they are well-disguised, blend different techniques, and constantly evolve. You need Layered Security – It’s Not Just for Networks. Use a layered security architecture that supports a combination of defenses in ways attackers don’t expect and that continuously evolves protections to keep up with dynamic attacks. Traditionally these approaches have been focused on the network, but they can and should be applied to other parts of the IT system as well (start from email gateways). Email is the preferred channel for business communications and thus continues to be a vector of choice for attackers.

Threat Information Sharing Will Become Necessary for Survival. Security controls (SANS critical controls, ISO/IEC 27002, NIST Cybersecurity Framework, and the Cloud Controls Matrix) are safeguards that counteract or minimize security risks relating to digital property. The more you can automate a control, the better off you will be. Moving towards an adaptive and automated way of applying intelligence based on behavior and heuristics is clearly a step in the right direction, enabling a more actionable and relevant set of controls. Threat intelligence coming from a variety of sources (security companies, the government and the open source community) is needed. Key to success is publishing intelligence in a variety of data structures (STIX, TAXII and other standard industry formats) to best describe threats in a way that can be aggregated and understood by others.

More and more organizations are moving applications and data to IaaS/PaaS environments. Many enterprise IT departments have reason for concern: industry experts agree that moving sensitive data into the hands of third-party cloud providers expands and complicates the risk landscape in which companies operate every day. You need to understand cloud database security basics and more.

Today major players are embracing end-to-end encryption, so that about 50% of web traffic is carried by HTTPS. HTTPS-everywhere will get a boost in 2015, as a new certificate authority backed by big names on the internet, including Mozilla, Cisco and Akamai, plans to offer SSL certificates at no charge starting summer 2015. This move will make it even easier for people to run encrypted, secure HTTPS websites.

Google is proposing to warn people their data is at risk every time they visit websites that do not use the “HTTPS” system. If implemented, the change would mean that a warning would pop-up when people visited a site that used only HTTP to notify them that such a connection “provides no data security”. In the short term, the biggest headache is likely to be faced by website operators who will feel forced to migrate unencrypted HTTP websites to encrypted HTTPS.

You can’t trust that normal web security technologies will guarantee safety. Your HTTPS security will be manipulated more than before. End-to-end HTTPS is generally a good security addition for end users, but it does not solve all the problems. The increased use of HTTPS has made the life of IT departments harder, because normal firewalls can’t look at what is inside encrypted HTTPS packets, so they can’t block potential security threats that are carried within HTTPS packets. There are some special corporate firewall arrangements that can intercept HTTPS traffic (they perform a kind of man-in-the-middle attack that decrypts and re-encrypts the packets on the way). So SSL communications can be intercepted and broken.
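The interception described above is visible from the client side, because the certificate the endpoint receives is issued by the inspecting proxy’s CA rather than by the CA the site really uses, even though it validates against a trust store that had the proxy root pushed into it. The following Python check is an added example and not part of the original post; the host name, CA names, certificate fingerprints and sample certificate bytes are constructed placeholders.

```python
import hashlib
import socket
import ssl
from typing import Dict, Iterable, Optional, Tuple

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns, standing in
# for a certificate minted on the fly by an inspecting proxy (all names are made up).
SAMPLE_INTERCEPTED_CERT: Dict = {
    "subject": ((("commonName", "example.com"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Example Corp Web Proxy"),),
        (("commonName", "Example Corp TLS Inspection CA"),),
    ),
    "subjectAltName": (("DNS", "example.com"),),
}
# Constructed stand-in for the DER bytes of that certificate (not a real certificate).
SAMPLE_INTERCEPTED_DER = b"constructed-der-bytes-not-a-real-certificate"


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER certificate, the value browsers show as the certificate fingerprint."""
    return hashlib.sha256(der_cert).hexdigest()


def issuer_field(cert_info: Dict, field: str) -> Optional[str]:
    """Return one attribute (e.g. 'organizationName') from the getpeercert() issuer tuple.

    The issuer is a tuple of RDNs; each RDN is a tuple of (attribute, value) pairs.
    """
    for rdn in cert_info.get("issuer", ()):
        for key, value in rdn:
            if key == field:
                return value
    return None


def check_certificate(cert_info: Dict, der_cert: bytes,
                      pinned_fingerprints: Iterable[str],
                      expected_issuer_orgs: Iterable[str]) -> Tuple[bool, str]:
    """Decide whether the presented leaf certificate is the one the site really serves.

    An exact pin match wins; otherwise the issuing CA must be one the site is known to
    use. A chain that validates against the OS trust store but fails both tests is the
    signature of a middlebox whose root CA was installed on the client.
    """
    fingerprint = cert_fingerprint(der_cert)
    if fingerprint in set(pinned_fingerprints):
        return True, "pinned certificate matched"
    org = issuer_field(cert_info, "organizationName")
    if org is None:
        return False, "issuer carries no organizationName; cannot attribute the certificate"
    if org not in set(expected_issuer_orgs):
        return False, f"issuer {org!r} is not a CA this site uses: likely interception"
    return True, f"issued by expected CA {org!r} (certificate not pinned)"


def fetch_peer_certificate(host: str, port: int = 443, timeout: float = 5.0) -> Tuple[Dict, bytes]:
    """Open a TLS connection and return (parsed cert, DER cert) as presented to this client.

    create_default_context() validates against the OS trust store, so on a managed
    machine a proxy-issued certificate passes here; that is why check_certificate()
    is needed on top. Requires network access; the offline demonstration does not call it.
    """
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(), tls.getpeercert(binary_form=True)


if __name__ == "__main__":
    # Offline demonstration with the constructed sample: the proxy-issued cert is flagged.
    ok, reason = check_certificate(SAMPLE_INTERCEPTED_CERT, SAMPLE_INTERCEPTED_DER,
                                   pinned_fingerprints=(),
                                   expected_issuer_orgs=("Example Public CA",))
    print(ok, reason)
```

For a live check, pass the two values returned by fetch_peer_certificate() into check_certificate() together with the pins or CA organisation names you recorded from an uninspected network.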

 

3,110 Comments

  1. Tomi Engdahl says:

    It’s 2015 and we’re being told not to send credit cards as cleartext
    PCI Council policy update lets security admins play with crypto LEGO
    http://www.theregister.co.uk/2015/07/03/its_2015_and_we_have_to_be_told_not_to_send_credit_cards_in_cleartext/

    The payments card industry (PCI) council has reviewed its guidance to encourage businesses to stop slinging credit card data in cleartext by giving the tick to encryption solutions built from different components, rather than products that handle every step of data’s journey from merchant to banker.

    The change is reflected in the latest Payment Card Industry Data Security Standard guidance PCI Point-to-Point Encryption Solution Requirements and Testing Procedures Version 2.0. and means bits and pieces of encryption wares can be certified, rather than only the overarching kit.

    Encryption slingers will now also be able to eat their dog food and use their certified point-to-point crypto (P2PE) kit where they operate point of sales systems.

    The new security guidance (PDF) is designed to encourage organisations to use point-to-point encryption to enhance security and simplify compliance with the code.

    Council chief technology officer Troy Leach says he hopes to devalue credit card data in the eyes of thieves.

    “Malware that captures and steals data at the point-of-sale continues to threaten businesses and their ability to protect consumers’ payment information,”

    “As these attacks become more sophisticated, it’s critical to find ways to devalue payment card data.”

    “PCI point-to-point encryption solutions help merchants do this by encrypting cardholder data at the earliest point of acceptance, making that data less valuable to attackers even if compromised in a breach.”

  2. Tomi Engdahl says:

    AT A GLANCE:
    Securing Account Data with the
    PCI Point-to-Point Encryption Standard v2
    https://www.pcisecuritystandards.org/documents/P2PE_At_a_Glance_v2.pdf

    A point-to-point encryption (P2PE) solution cryptographically protects account data from the point where a merchant accepts the payment card to the secure point of decryption. By using P2PE, account data (cardholder data and sensitive authentication data) is unreadable until it reaches the secure decryption environment, which makes it less valuable if the data is stolen in a breach. Merchants using PCI-listed P2PE solutions also have fewer applicable PCI Data Security Standard (PCI DSS) requirements, which helps simplify compliance efforts.

    With P2PE v2, large merchants can implement and manage their own P2PE solutions for their locations – including implementation of requirements for separation between the merchant’s encryption environment (their retail premises) and the merchant’s secure decryption and key management environment

  3. Tomi Engdahl says:

    Germany says no steamy ebooks until die Kinder have gone to bed
    Sour krauts stiffen up with 10pm smutty story watershed
    http://www.theregister.co.uk/2015/06/23/germany_ebook_regulation/

    A regulator in Germany says websites must only offer downloads of sexually explicit ebooks between 10pm and 6am.

    Essentially, the Youth Protection Authority in Bavaria says 2002-era rules that protect kids from blue movies on TV also cover digital books, publishing trade mag Boersenblatt reports. Telly stations in Germany can only broadcast X-rated stuff between 10pm and 6am; that applies to raunchy ebook downloads, too, weirdly enough.

    It means erotic thrillers can only be fetched from the web late at night, Berlin time, unless the website hosting the material can verify the reader is an adult

    “It is not clear at this time how the ebook retailers will respond,”

    “Given the prevalence of adult content on websites outside of Germany, trying to control access on sites in Germany is just nuts.”

    Those who flout the law could be fined tens of thousands of euros in Germany.

  4. Tomi Engdahl says:

    Paul Mozur / New York Times:
    Industry groups say new Chinese security law could force companies to build backdoors, provide encryption keys, or hand over source code

    Jitters in Tech World Over New Chinese Security Law
    http://www.nytimes.com/2015/07/03/business/international/jitters-in-tech-world-over-new-chinese-security-law.html?_r=0

    When a draft of China’s new national security law was made public in May, critics argued that it was too broad and left much open to interpretation.

    In the final form of the law, which the government said Wednesday had been enacted, Beijing got more specific, but in a way that is sending ripples through the global technology industry.

    New language in the rules calls for a “national security review” of the technology industry — including networking and other products and services — and foreign investment. The law also calls for technology that supports crucial sectors to be “secure and controllable,” a catchphrase that multinationals and industry groups say could be used to force companies to build so-called back doors — which allow third-party access to systems — provide encryption keys or even hand over source code.

    As with many Chinese laws, the language is vague enough to make it unclear how the law will be enforced, but it suggests a new front in the wider clash between China and the United States over online security and technology policy.

    “I think it’s a perfect storm: The cybersecurity concerns because of Snowden and the techno-nationalist perspective have really gained strength over the past few years,” said Adam Segal, a senior fellow at the Council on Foreign Relations in New York. “China is not particularly swayed by or sympathetic to arguments that the foreign companies have made, and they’re going to push forward on all these fronts.”

    “Raising the idea of ‘safeguarding national cybersovereignty’ in the National Security Law is a response to the needs of the development of the Chinese Internet,” Ms. Zheng added. “It provides the legal basis for managing cyberactivity on China’s soil and resisting activities which jeopardize China’s cybersecurity.”

    “Since no one knows how you implement that phrase,” he said, “foreign companies are worried about what that’s going to mean. Does it mean they have to give access through back doors, or are they going to have to partner with Chinese firms?”

  5. Tomi Engdahl says:

    Oi, Commish. Get off the fence over French snooping law, says MEP
    Le Charteur des Snoopeurs interferes with EU rights list, say aggrieved folk
    http://www.theregister.co.uk/2015/07/03/commish_scared_of_controversy_over_french_snooping_law_says_mep/

    Dutch MEP Sophie In’t Veld has accused the European Commission of fence-sitting over France’s new “Patriot Act”.

    In an effort to overcome the controversy surrounding the law, French President François Hollande promised to send it to the national constitutional council (Conseil Constitutionnel) for review before implementing it.

    In’t Veld said she was sick of the “security justification; that there has to be a balance between fundamental rights and security … No! Fundamental rights are fundamental.”

  6. Tomi Engdahl says:

    Uber app will soon maybe track you 24/7, cry privacy warriors
    EPIC fail for taxi app upstart – if claims come true
    http://www.theregister.co.uk/2015/06/22/epic_uber_ftc/

    Uber’s smartphone app will soon track and report back the whereabouts of its users even when they’re not using the software, the Electronic Privacy Information Center (EPIC) now fears.

    The campaign group is also upset that the app may send copies of people’s address books to Uber, and has filed a formal complaint to US watchdog the Federal Trade Commission to block any such snooping.

    “In less than four weeks, Uber will claim the right to collect personal contact information and detailed location data of American consumers, even when they are not using the service,”

    EPIC reckons Uber’s new terms and conditions, introduced on May 28, will allow the taxi app to collect the location of its users via their smartphones’ GPS tech even if the app is running in the background unused; if someone switches off the satellite service, the Uber app will use the smartphone’s public IP address to get a rough idea of where they are geographically, we’re told.

    EPIC wants the FTC to halt the background collection of location data and contact information by Uber

  7. Tomi Engdahl says:

    MasterCard to approve online payments using your selfies
    http://thestack.com/mastercard-online-payments-selfies-020715

    MasterCard could soon introduce facial scanning technologies and fingerprint identification for processing digital payments as it investigates new ways to tackle online shopping fraud.

    The financial services giant will launch a small pilot programme involving 500 participants over the next couple of months to help build the infrastructure needed to verify purchase requests without password authentication. MasterCard will be joining forces with tech leaders Apple, BlackBerry, Google, Samsung and Microsoft as well as two major banks to help make the feature a reality.

    Currently the international group uses a SecureCode solution which requires a password from its customers at checkout. The system was used across 3 billion transactions last year, the company said. It is now exploring biometric alternatives to protect against unauthorised payment card transactions.

  8. Tomi Engdahl says:

    Smartphone ‘kill switch’ law takes effect in California
    http://www.cnet.com/news/smartphone-kill-switch-law-takes-effect-in-california/

    Starting July 1, smartphones sold in the state must come with software that lets users lock a stolen phone so it can’t be used, making it harder to resell. Crime statistics show the tech is already working.

    Thieves, consider yourselves on notice: California is now smartphone “kill switch” territory.

    The so-called software is designed to make stealing smartphones essentially pointless by allowing owners to remotely lock their device so no one can use it. The technology, which includes Apple’s “Activation Lock” and Google’s “Device Protection,” has become a key selling point among phone manufacturers that offer peace of mind to protect customers’ information if a phone is stolen, and hopefully discourage thieves from stealing it in the first place.

    There’s good reason for these features. In the past several years, government officials have noticed an “epidemic” of phone thefts, particularly in large cities. Thieves often steal phones and sell them to cartels and shops that often shipped them to willing customers overseas.

    The technology industry’s answer has been to create software that responds to a theft by requiring users to input a passcode before it can be unlocked or restored to factory settings. The technology looks to be working: In 2013, 3.1 million Americans had their phones stolen, according to a study published by Consumer Reports last month. Last year, that number fell to 2.1 million, according to the report.

  9. Tomi Engdahl says:

    Security 4.0
    -
    Security by Separation
    Making Industrial Control Systems More Secure
    http://files.iccmedia.com/events/iotcon15/pdf/leopold/12h15_sysgo.pdf

  10. Tomi Engdahl says:

    Steve Ragan / CSO Online:
    Hacking Team, which sells intrusion and surveillance tools to governments, breached; attackers release 400GB of internal documents, source code, and emails — Hacking Team hacked, attackers claim 400GB in dumped data — Firm made famous for helping governments spy on their citizens left exposed

    Hacking Team hacked, attackers claim 400GB in dumped data
    http://www.csoonline.com/article/2943968/data-breach/hacking-team-hacked-attackers-claim-400gb-in-dumped-data.html

    Firm made famous for helping governments spy on their citizens left exposed

    On Sunday one of the world’s most notorious security firms was being hacked.

    Specializing in surveillance technology, Hacking Team is now learning how it feels to have their internal matters exposed to the world, and privacy advocates are enjoying a bit of schadenfreude at their expense.

    Hacking Team is an Italian company that sells intrusion and surveillance tools to governments and law enforcement agencies.

    The lawful interception tools developed by this company have been linked to several cases of privacy invasion by researchers and the media.

    It isn’t known who hacked Hacking Team; however, the attackers have published a Torrent file with 400GB of internal documents, source code, and email communications to the public at large.

    In addition, the attackers have taken to Twitter, defacing the Hacking Team account with a new logo, biography, and published messages with images of the compromised data.

  11. Tomi Engdahl says:

    Caught in the breach: How a good CSO confronts inevitable bad news
    http://www.csoonline.com/article/2606174/infosec-careers/caught-in-the-breach-how-a-good-cso-confronts-inevitable-bad-news.html#tk.cso_nsdr_intrcpt

    Breaches are inevitable, but those tasked with detecting and responding to them say there are ways to avoid becoming the ‘Chief Scapegoat Officer’.

    What goes through the mind of a CSO/CISO upon being told by his or her team that their organization has been breached?

    This is not an idle or theoretical question. It seems that almost every day brings news of yet another breach of a high-profile organization, with the potential number of consumer victims running into the tens of millions, and the costs to the company running into hundreds of millions, or even billions when the long-term cost of brand damage is included.

  12. Tomi Engdahl says:

    XKEYSCORE: NSA’s Google for the World’s Private Communications
    https://firstlook.org/theintercept/2015/07/01/nsas-google-worlds-private-communications/

    Behind the Curtain
    A Look at the Inner Workings of NSA’s XKEYSCORE
    https://firstlook.org/theintercept/2015/07/02/look-under-hood-xkeyscore/

  13. Tomi Engdahl says:

    Malware Abuses Android Accessibility Feature to Steal Data
    http://www.securityweek.com/malware-abuses-android-accessibility-feature-steal-data

    Researchers at mobile security firm Lookout have come across a piece of malware that abuses the accessibility service in Android to steal sensitive data from infected smartphones.

    The threat, detected as “AndroRATIntern” and sold commercially as “AndroidAnalyzer,” is a surveillance tool created with the AndroRAT toolkit. Lookout says it’s the first threat that abuses accessibility features offered by the Android operating system for data theft.

    According to Lookout, the malware is utilized to target users in Japan. Once it’s deployed on a smartphone, the Trojan is capable of collecting contact data, SMS messages, videos, photos, call logs, GPS location, SD card changes, and messages from LINE, a popular communications app developed by a Japan-based company.

    Android malware that steals SMS messages, contact data, and other files is not uncommon.

    “AndroRATIntern’s abuse of the accessibility service highlights the importance of not relying solely on OS-based security to protect mobile data as it is, in fact, a malicious use of a legitimate OS service,”

  14. Tomi Engdahl says:

    The Second War of Independence: Wearables vs. Security
    http://www.securityweek.com/second-war-independence-wearables-vs-security

    The trend of users bringing their own devices and expecting to use them on corporate networks started at the end of the last decade with the release of the iPhone. But like American history, is there a second BYOD revolution looming with the rise of wearable technology?

    Since BYOD is largely mobile, there are unique security concerns, including the unsecured networks they communicate on as well as the potential for the loss of the device itself. Corporate-owned devices came complete with mobile device management (MDM) software, but users rebelled against it on their own devices because:

    1. Users don’t want to give IT the ability to wipe their personal photos, data and apps on their own devices.

    2. Even with containerization, employees are still giving up some control over their device. That idea is especially unappealing to many users since BYOD is by definition, personal.

    These IT challenges have shifted the focus of mobile security to controlling access – mobile application management (MAM) – rather than focus on the most disposable, least secure part (the device).

    The second BYOD war – a return to dependence?

    Just as things have started to settle out in the BYOD revolution, along comes a new force – wearable devices, led primarily by smart watches, but including fitness bands and now virtual or augmented reality glasses.

    The appeal of wearables is hands-free use, or ease-of-data-tracking for personal information. Wearables are typically tethered to another mobile device via Bluetooth, so it would be assumed that they will inherit some security from that device.

  15. Tomi Engdahl says:

    Ignoring Mobile Security Doesn’t Make It Go Away
    http://www.securityweek.com/ignoring-mobile-security-doesnt-make-it-go-away

    Recently I attended Gartner’s Security and Risk Management Summit outside Washington, D.C. Early in the week, I had a discussion with a security professional who asked me, skeptically, if mobile threats were actually something he had to worry about. He explained that mobile malware and mobile breaches were small blips on the security threat horizon. I realized he must have skimmed the new Verizon Data Breach Report and mistakenly thinks he should take ‘mobile security’ off of his to-do list.

    On the contrary, and as my friend learned as the week went on, the problem is not mobile malware but that mobile devices and apps are rife with vulnerabilities.

    Mobile security continues to be a top priority for CISOs.

  16. Tomi Engdahl says:

    A Key Step to Improving Network Security: Challenge the Status Quo
    http://www.securityweek.com/key-step-improving-network-security-challenge-status-quo

    There are all kinds of leaders in this world. Whether they are political or business leaders, educators or coaches, one common trait the cream of the crop share is a willingness to challenge the status quo and take risks in order to find a better way of doing things.

    These outstanding leaders do not surround themselves with yes-men.

    In the same way that it’s wise to surround yourself with those who hold you accountable, your security infrastructure should also be tested. It’s not enough just to build up your defensive security measures – you have to actively challenge their effectiveness. Many of our customers rely on penetration testing to fill this function. By scheduling these tests at regular intervals, they force themselves to take an honest and critical look at their security program.

    Vulnerability Testing Challenges

    It’s a common misconception that the goal of a penetration test is merely to identify vulnerabilities and report them so they can be addressed. In fact, when performed correctly, these tests are also a validation that the various parts of the IT and IS organizations have done what they said they would do. It makes them ask tough questions of themselves such as: are the right controls in place? Are they working the way they’re supposed to? Will they still be in place two weeks from now?

    Unfortunately, I’ve noticed a “yes-man” mentality creeping into the otherwise brutally honest world of pen testing.

    More and more organizations are being required to carry out pen tests for compliance purposes, and many of these organizations are setting up parameters for the tests that they know they will be able to pass so they can “check the box” with minimal effort and strife.

    This may be enough for you to achieve compliance, but compliance should be the floor, not the ceiling. Testing yourself only in areas where you know you’re strong will not produce any actionable information or make your organization any more secure.

    Reply
  17. Tomi Engdahl says:

    Verizon 2015 DBIR: Don’t Sweat Mobile and IoT
    http://www.securityweek.com/verizon-2015-dbir-dont-sweat-mobile-and-iot

    Verizon on Tuesday released its widely anticipated 2015 Data Breach Investigations Report (DBIR), a must-read report compiled by Verizon with the support of 70 contributing partners, which analyzed 79,790 security incidents and 2,122 confirmed data breaches across 61 different countries.

    In short, Verizon suggested that enterprise security teams don’t freak out over the current risks posed by Mobile and Internet of Things (IoT).

    Noting that it was a data-driven conclusion, Verizon said that mobile devices are not a preferred vector in data breaches. Of the tens of millions of mobile devices on the Verizon Network, the number of ones infected with “truly malicious exploits” was negligible. An average of 0.03% of smartphones per week on the Verizon network were infected with what it described as “higher-grade” malicious code.

    “We feel safe saying that while a major carrier is looking for and monitoring the security of mobile devices on its network, data breaches involving mobile devices should not be in any top-whatever list. This report is filled with thousands of stories of data loss—as it has been for years—and rarely do those stories include a smartphone,” Verizon said.

    While some may raise an eyebrow over this, Verizon is not saying that organizations should ignore the risks associated with mobile devices.

    In terms of mobile malware, Android tops the charts to the point that most of the suspicious activity logged from iOS devices was just failed Android exploits, according to the report.

    IoT Security Challenges

    While the number of non-traditional devices connected to corporate networks may be challenging enterprises, no widely known IoT device breaches have been disclosed–unless you count the spamming refrigerator incident which itself was questioned by many security experts.

    So far, most of the breach examples in the news have been proofs of concept, and filtering out the hype and hypotheticals, there were few incidents and little data disclosure to report for 2014, Verizon said.

    “When jumping on the IoT bandwagon, perform threat modeling and attack graph exercises to determine who your most likely adversary is, what their motives may be (financial vs. espionage vs. ideology, etc.), and where the most vulnerable components in your IoT services are,” Verizon advised.

    Organizations should also determine where sensitive data ultimately resides in the ecosystem. “It may be on very “un-IoT” devices such as cloud-based databases or Hadoop clusters.”

    “Ensure focus on Internet-visible components.”

    According to a study by Atomik Research and security firm Tripwire released in January, 63 percent of executives expect business efficiencies and productivity will force them to adopt IoT devices despite the security risks. Still, 46 percent said the risks associated with IoT have the potential to become the most significant risk on their networks.

    Reply
  18. Tomi Engdahl says:

    How XKEYSCORE works under the hood
    https://firstlook.org/theintercept/2015/07/02/look-under-hood-xkeyscore/

    It is tempting to assume that expensive, proprietary operating systems and software must power XKEYSCORE, but it actually relies on an entirely open source stack.

    XKEYSCORE is a piece of Linux software that is typically deployed on Red Hat servers. It uses the Apache web server and stores collected data in MySQL databases. File systems in a cluster are handled by the NFS distributed file system and the autofs service, and scheduled tasks are handled by the cron scheduling service. Systems administrators who maintain XKEYSCORE servers use SSH to connect to them, and they use tools such as rsync and vim, as well as a comprehensive command-line tool, to manage the software.

    John Adams, former security lead and senior operations engineer for Twitter, says that one of the most interesting things about XKEYSCORE’s architecture is “that they were able to achieve so much success with such a poorly designed system. Data ingest, day-to-day operations, and searching is all poorly designed. There are many open source offerings that would function far better than this design with very little work. Their operations team must be extremely unhappy.”

    Analysts connect to XKEYSCORE over HTTPS using standard web browsers such as Firefox. Internet Explorer is not supported. Analysts can log into the system with either a user ID and password or by using public key authentication.

    When data is collected at an XKEYSCORE field site, it is processed locally and ultimately stored in MySQL databases at that site. XKEYSCORE supports a federated query system, which means that an analyst can conduct a single query from the central XKEYSCORE website, and it will communicate over the Internet to all of the field sites, running the query everywhere at once.

    There might be security issues with the XKEYSCORE system itself as well.

    When systems administrators log into XKEYSCORE servers to configure them, they appear to use a shared account, under the name “oper.”

    Analysts wishing to query XKEYSCORE sign in via a web browser, and their searches are logged. This creates an audit trail

    The documents indicate that administrators have the ability to directly query the MySQL databases, where the collected data is stored, apparently bypassing the audit trail.

    XKEYSCORE extracts and tags metadata and content from the raw data. This is done by using dictionaries of rules called appIDs and fingerprints. AppIDs are used to identify the protocol of traffic being intercepted, while fingerprints detect a specific type of content.

    Reply
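The audit gap described in the comment above (analysts' searches are logged by the web front end, but administrators can query the MySQL databases directly and bypass that trail) is one a defender can close by treating the database server's own query log as the source of truth. The following is an added example, not XKEYSCORE code or anything from The Intercept: it reconciles a constructed application-tier audit log with constructed, simplified MySQL general-log style lines and reports every database query that has no matching audit entry, attributing each to the account that opened the connection (so use of a shared account such as “oper” shows up directly). Log formats, field names and the 5-second matching window are assumptions for the example.

```python
"""Reconcile an application audit trail with the database's query log.

Added example (not XKEYSCORE code). Both log excerpts below are constructed
for illustration; the formats are simplified assumptions, not real product output.
"""
import re
from datetime import datetime, timedelta

# Constructed application-tier audit records: timestamp, analyst, query text.
APP_AUDIT = """\
2015-07-02T10:00:05 analyst=alice query="SELECT * FROM sessions WHERE appid='http' LIMIT 100"
2015-07-02T10:02:41 analyst=bob query="SELECT count(*) FROM sessions WHERE appid='smtp'"
"""

# Constructed, simplified MySQL general-log style lines: time, connection id, command, argument.
# Connection 13 is a direct login with the shared "oper" account; its query never went
# through the web front end, so it has no audit record.
DB_GENERAL_LOG = """\
2015-07-02T10:00:05 12 Connect   webapp@10.0.0.5 on xks
2015-07-02T10:00:05 12 Query     SELECT * FROM sessions WHERE appid='http' LIMIT 100
2015-07-02T10:02:41 12 Query     SELECT count(*) FROM sessions WHERE appid='smtp'
2015-07-02T10:05:13 13 Connect   oper@localhost on xks
2015-07-02T10:05:20 13 Query     SELECT * FROM sessions WHERE user_id=4711
2015-07-02T10:05:22 13 Quit
"""

APP_RE = re.compile(r'^(?P<ts>\S+) analyst=(?P<analyst>\S+) query="(?P<query>.*)"$')
DB_RE = re.compile(r'^(?P<ts>\S+)\s+(?P<conn>\d+)\s+(?P<cmd>\w+)\s*(?P<arg>.*)$')


def normalize_sql(sql):
    """Collapse whitespace and case so the same statement logged by two tiers compares equal."""
    return " ".join(sql.split()).lower()


def parse_app_audit(text):
    """Return the audited queries as dicts with parsed timestamp, analyst and normalized SQL."""
    entries = []
    for line in text.splitlines():
        m = APP_RE.match(line.strip())
        if m:
            entries.append({"ts": datetime.fromisoformat(m["ts"]),
                            "analyst": m["analyst"],
                            "query": normalize_sql(m["query"])})
    return entries


def parse_db_log(text):
    """Return Query events from the DB log, each attributed to the account that opened its connection."""
    conn_user = {}
    events = []
    for line in text.splitlines():
        m = DB_RE.match(line.strip())
        if not m:
            continue
        ts, conn, cmd, arg = datetime.fromisoformat(m["ts"]), m["conn"], m["cmd"], m["arg"]
        if cmd == "Connect":
            conn_user[conn] = arg.split()[0]          # "user@host on db" -> "user@host"
        elif cmd == "Query":
            events.append({"ts": ts, "conn": conn,
                           "user": conn_user.get(conn, "unknown"),
                           "query": normalize_sql(arg)})
    return events


def find_unaudited_queries(app_text, db_text, window=timedelta(seconds=5)):
    """Return DB queries with no matching audit entry (same SQL within `window` of each other)."""
    audited = parse_app_audit(app_text)
    unmatched = []
    for ev in parse_db_log(db_text):
        if any(a["query"] == ev["query"] and abs(a["ts"] - ev["ts"]) <= window for a in audited):
            continue
        unmatched.append(ev)
    return unmatched


if __name__ == "__main__":
    for ev in find_unaudited_queries(APP_AUDIT, DB_GENERAL_LOG):
        print(f"UNAUDITED conn={ev['conn']} user={ev['user']} at {ev['ts']}: {ev['query']}")
```

Matching on normalized SQL text plus a small time window is deliberately simple; in practice the front end would log the exact statement it sends, and the DB log should be shipped off the database host so that an administrator who can bypass the application cannot also edit the record of having done so.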
  19. Tomi Engdahl says:

    Leak of ZeusVM malware building tool might cause botnet surge
    http://www.computerworld.com/article/2944041/security/leak-of-zeusvm-malware-building-tool-might-cause-botnet-surge.html

    The Internet could see a new wave of botnets based on the ZeusVM banking Trojan after the tools needed to build and customize the malware program were published online for free.

    Any wannabe botnet operator can now create his or her own army of ZeusVM-infected computers,

    The source code for the builder and control panel of ZeusVM version 2.0.0.0 was leaked sometime in June, according to a malware research outfit called Malware Must Die (MMD). The leak was kept under wraps by the researchers as they tried to stop the files from becoming widely available, an effort that ultimately exceeded their resources.

    As a result, the group decided to go public with the information Sunday in order to alert the whole security community so that mitigation strategies can be developed.

    ZeusVM, also known as KINS, is a computer Trojan that hijacks the browser process in order to modify or steal information from websites opened by victims on their computers. It’s primarily used to steal online banking credentials

    The builder is a program that allows attackers to create customized ZeusVM binary files, which can then be used to infect computers. The customization involves modifying things like the URL of the command-and-control server where the Trojan will connect or the key used to encrypt its configuration files.

    It’s not clear who leaked the two ZeusVM tools, or why.

    MMD-0036-2015 – KINS (or ZeusVM) v2.0.0.0 toolkit (builder & panel source code) leaked.
    http://blog.malwaremustdie.org/2015/07/mmd-0036-2015-kins-or-zeusvm-v2000.html

    KINS (or ZeusVM, to be precise) v2.0.0.0 toolkit (builder & panel source code) was leaked and spread all over the internet.

    “Still so many bad guys know about this than good guys..” today we decided to raise warning about this matter by this post.

    Together with this warning also we would like to inform that KINS version 3 is on the black market now with the price of 5k according to a certain crook’s affiliated forum.

    So what does it mean?

    (1) We will see more of ZeusVM (version 2.0.0.0) botnets operated on our internet since its malware & configuration builder is “FREE as air” and has “gone public” now; not only the usual cyber crime crooks, but anyone with this toolkit in hand can generate ZeusVM 2.0.0.0 binaries and set them to botnets via its panel; and (2) we can also expect to see a new KINS/ZeusVM version (version 3) soon too.

    This is very important information for the security community.

    It is better for the whole anti-malware and threat-filtration industry to know about this, request the leaked archive and start researching blocking and mitigation methods, if you haven’t started already.

    Reply
  20. Tomi Engdahl says:

    Steve Ragan / CSO Online:
    As more details about Hacking Team’s deals with repressive regimes like Sudan emerge from breach, company responds with vague denials and threats on Twitter

    Hacking Team responds to data breach, issues public threats and denials
    http://www.csoonline.com/article/2944333/data-breach/hacking-team-responds-to-data-breach-issues-public-threats-and-denials.html

    Hacking Team is awake, and the first order of business is to promote fear, uncertainty, and doubt

    On Sunday evening, someone hijacked the Hacking Team account on Twitter and used it to announce that the company known for developing hacking tools was itself a victim of a devastating hack.

    The hackers released a 400GB Torrent file with internal documents, source code, and email communications to the public at large. As researchers started to examine the leaked documents, the story developed and the public got its first real look into the inner workings of an exploit development firm.

    Hacking Team is an Italian company that sells intrusion and surveillance tools to governments and law enforcement agencies. However, their business has earned them a black mark from privacy and human rights organizations, as the company has been accused of selling tools and services to nations known for violent oppression.

    Reporters Without Borders has listed the company on its Enemies of the Internet index due largely to Hacking Teams’ business practices and their primary surveillance tool Da Vinci.

    In 2014, a Citizen Lab report revealed evidence that Hacking Team’s RCS (Remote Control System) was being used by the Sudanese government, something the Italian company flat-out denied.

    Newly published documents from the cache include invoices for services with Italian law enforcement, Oman, South Korea, UAE, Kazakhstan, Mongolia, Lebanon, Germany, Saudi Arabia, Mexico, Brazil, Singapore, Egypt, and Vietnam. The total value of the invoices is €4,324,350.

    “We are awake. The people responsible for this will be arrested. We are working with the police at the moment,” Pozzi wrote.

    “Don’t believe everything you see. Most of what the attackers are claiming is simply not true…The attackers are spreading a lot of lies about our company that is simply not true. The torrent contains a virus…”

    “… We simply provide custom software solutions tailored to our customers needs…”

    It’s also worth noting that he threatened security researchers with jail for discussing his poorly selected passwords, which were leaked as part of the 400GB cache.

    The Hacking Team hack is a developing story.

    Reply
  21. Tomi Engdahl says:

    Chris Dolmetsch / Bloomberg Business:
    Court overturns the second conviction of Goldman Sachs programmer Sergey Aleynikov charged with stealing high-frequency trading code

    ‘Flash Boys’ Programmer in Goldman Case Prevails Second Time
    http://www.bloomberg.com/news/articles/2015-07-06/-flash-boys-programmer-in-goldman-theft-has-charges-tossed-out-ibrz5tyj

    A former Goldman Sachs Group Inc. programmer who took the firm’s high frequency trading code when he left for another job was exonerated a second time after a judge ruled what he did wasn’t a crime.

    Sergey Aleynikov, whose saga helped inspire Michael Lewis’s “Flash Boys,” was tried by New York prosecutors who took up the case after a federal conviction unraveled. His defense both times was that his actions were a disagreement between him and the bank better suited for civil litigation.

    A state judge agreed, lining up behind a federal appeals court that found in 2012 existing criminal laws are a bad fit.

    “We think this defendant committed a crime,” Joan Vollero, a spokeswoman for Vance, said in an e-mail. “If what Sergey Aleynikov did isn’t a crime, then every company that values its intellectual property should be concerned.”

    Both prosecutions raised questions about how intellectual property disputes between companies and employees should be resolved, especially on Wall Street. Defense lawyers argued Aleynikov sought to copy “open-source” or public code, and that he tried to hide his actions only because he knew they violated bank policy.

    His subsequent trip through two criminal justice systems has been closely watched by financial firms as they seek to hire ever more programmers to implement their trading strategies.

    there was no evidence Aleynikov made a “tangible” reproduction of the code or benefited from having it

    Reply
  22. Tomi Engdahl says:

    Home Office kept schtum on more than 30 data breaches last year
    More non-reported incidents; fewer actual reported incidents. Trebles all round!
    http://www.theregister.co.uk/2015/07/07/home_office_kept_30_data_breaches_quiet_last_year/

    The Home Office suffered 33 data breaches during the last financial year – and did not report any of them to the Information Commissioner’s Office (ICO).

    The department’s annual report and accounts 2014-15 (PDF) reveals 33 “Personal Data Related Incidents” that took place in the last financial year, but were not formally reported to the ICO.

    Personal data is defined as any data that may be used to identify a living individual. Under the Data Protection Act 1998 there are very strict rules on how “data controllers” may use the data they collect and store.

    While the ICO recognises (PDF) that there is “no legal obligation on data controllers to report breaches of security”, the office does encourage such reporting, and provides guidance on what breaches it considers reportable.

    Reply
  23. Tomi Engdahl says:

    BOT-GEDDON coming after ZeusVM leak, hacker warns
    Why pay $5k when you can pay $0?
    http://www.theregister.co.uk/2015/07/07/bot_geddon_coming_after_zeusvz_leak_hacker_warns/

    Former Kaspersky Japan boss now malware researcher Hendrik Adrian is warning of a boom of ZeusVM botnets, after the trojan source code was leaked online.

    Version two of the builder and panel source code leaked last month, and was spotted by the French malware researcher known as Xylitol.

    Adrian, who uses the online handle unixfreakjp, says he publicly disclosed the leak because criminals are building botnets based on the stolen toolkit code.

    The leak covered only the botnet toolkit, not a disclosure of the Zeus trojan itself which could lead to a rush of Zeus malware variants.

    “ZeusVM version two toolkit was leaked and spread all over the internet,” Adrian says.

    “Still so many bad guys know about this than good guys [so] today we decided to raise warning.”

    Reply
  24. Tomi Engdahl says:

    XSSposed launches pay-whatever bug bounty
    Tick tock clock counts down to Full Disclosure
    http://www.theregister.co.uk/2015/07/07/xssposed_launches_paywhatever_bug_bounty/

    Cross-site scripting war board XSSposed has opened a pay-whatever bug bounty to help its hackers earn cash and tee-shirts.

    Launched overnight, the program lets anyone register their interest in hearing about vulnerabilities for any web property. They then have the opportunity to pay researchers for the finding.

    Admins who ignore bug reports could end up on XSSposed’s well-known full disclosure archive of cross-site scripting mirrors.

    Disclosures and payments are a matter for individual web admins and researchers. XSSposed says its only role outside of providing the disclosure platform is to verify hacks.

    Hackers can mark their XSS findings for a given site as ‘hold’ such that the vulnerability will be made public without the technical details that could allow it to be exploited.

    “We support both full disclosure and coordinated disclosure via our open bug bounty program,” the organisers say.

    “The idea of open bug bounty is pretty simple: any security researcher can be rewarded by anyone for a vulnerability reported on any web site. We go much further than classic bug bounties, where only the web site owner can thank the researcher: with open bug bounty it can be a web site visitor, a journalist, or even a security company in charge of protecting the web site.”

    Reply
  25. Tomi Engdahl says:

    Awoogah: Get ready to patch ‘severe’ bug in OpenSSL this Thursday
    Heads up for July 9 security vulnerability fix
    http://www.theregister.co.uk/2015/07/06/awoogah_get_ready_to_patch_severe_bug_in_openssl_this_thursday/

    Sysadmins and anyone else with systems running OpenSSL code: a new version of the open-source crypto library will be released this week to “fix a single security defect classified as ‘high’ severity.”

    The bug, we’re told, will be addressed in versions 1.0.2d and 1.0.1p of the software. The vulnerability does not affect the 1.0.0 or 0.9.8 series. OpenSSL is a widely used library that provides encrypted HTTPS connections for countless websites, as well as other secure services.

    “These releases will be made available on 9th July. They will fix a single security defect classified as ‘high’ severity. This defect does not affect the 1.0.0 or 0.9.8 releases.”

    Reply
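A sysadmin reading the advisory above wants one concrete answer per host: does the installed OpenSSL fall in an affected series, and is it older than the fix release? The script below is an added example (not OpenSSL project code or anything from The Register) that parses an `openssl version` banner and classifies it using only the facts quoted in the comment: fixes land in 1.0.2d and 1.0.1p, and the 1.0.0 and 0.9.8 series are unaffected. The `assess_local` helper that shells out to `openssl version` assumes the binary is on PATH; the banner strings in the usage block are constructed.

```python
"""Classify an OpenSSL version banner against the July 2015 advisory quoted above.

Added example, not OpenSSL project code. The fix letters and unaffected series
come from the advisory text in the comment; everything else is an assumption.
"""
import re
import subprocess

# From the advisory: the defect is fixed in 1.0.2d and 1.0.1p ...
FIXED_IN = {"1.0.2": "d", "1.0.1": "p"}
# ... and the 1.0.0 and 0.9.8 series are not affected.
UNAFFECTED = {"1.0.0", "0.9.8"}

# Matches banners such as "OpenSSL 1.0.1f 10 Jan 2014" or "OpenSSL 0.9.8zg 11 Jun 2015".
VERSION_RE = re.compile(r"OpenSSL\s+(?P<series>\d+\.\d+\.\d+)(?P<letter>[a-z]*)")


def parse_openssl_version(banner):
    """Return (series, patch_letters) from an `openssl version` banner, e.g. ('1.0.1', 'f')."""
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"unrecognised OpenSSL banner: {banner!r}")
    return m["series"], m["letter"]


def assess(banner):
    """Classify a banner as 'vulnerable', 'patched', 'unaffected' or 'not covered' by this advisory."""
    series, letter = parse_openssl_version(banner)
    result = {"series": series, "letter": letter, "fixed_in": None}
    if series in UNAFFECTED:
        result["status"] = "unaffected"
    elif series in FIXED_IN:
        fixed = FIXED_IN[series]
        result["fixed_in"] = series + fixed
        # Patch releases within a series are lettered a, b, c, ...; a bare series
        # string (no letter) is the oldest, so a plain string comparison orders them.
        result["status"] = "patched" if letter >= fixed else "vulnerable"
    else:
        result["status"] = "not covered"   # a series the advisory does not mention
    return result


def assess_local():
    """Run `openssl version` on this host (assumes the binary is on PATH) and classify it."""
    out = subprocess.run(["openssl", "version"], capture_output=True, text=True, check=True).stdout
    return assess(out)


if __name__ == "__main__":
    # Constructed banners for illustration.
    for banner in ("OpenSSL 1.0.1f 10 Jan 2014", "OpenSSL 1.0.2d 9 Jul 2015",
                   "OpenSSL 0.9.8zg 11 Jun 2015", "OpenSSL 1.0.2 22 Jan 2015"):
        r = assess(banner)
        print(f"{banner!r:35} -> {r['status']}" + (f" (fix: {r['fixed_in']})" if r["fixed_in"] else ""))
```

One caveat the banner check cannot capture: distributions such as Debian and Red Hat often backport the fix while leaving the upstream version string unchanged, so on those systems a “vulnerable” verdict here means “check the package changelog or the distribution’s own advisory”, not “definitely exposed”. Pre-release strings (for example a `-beta` suffix) are also not handled, by design.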
  26. Tomi Engdahl says:

    Lloyds Bank looks to NFC technology to end automated security calls
    125 Android smartphone users trialling ‘tap to bank’ authentication
    http://www.theinquirer.net/inquirer/news/2416457/lloyds-bank-looks-to-nfc-technology-to-end-automated-security-calls

    LLOYDS BANK has been trialling new mobile banking technology that could bring an end to automated security calls and chip and PIN readers.

    The company announced that it has been experimenting with new technology called ‘tap to bank’ that allows owners of NFC-equipped Android smartphones to set up mobile banking by tapping a debit or credit card against the handset.

    Lloyds said that this technology, which is being tested by 125 customers, could bring an end to tedious automated phone calls when it launches in the ‘coming months’, if the trial is well-received.

    The firm added that tap to bank could also be used in the future for tasks such as authenticating new payments, perhaps sounding a death knell for chip and PIN readers.

    Reply
  27. Tomi Engdahl says:

    Heart of Darkness: Mass of clone scam sites appear
    TOR’s anonymity is just what crims who want to rob crims need
    http://www.theregister.co.uk/2015/07/07/dark_web_cloned_site_scam_resurgence/

    Security watchers are warning about a fresh wave of cloned sites on the TOR network, evidence that cybercrooks are setting themselves up to fleece other ne’er-do-wells on the so-called dark web.

    The latest attack of the clones marks the reappearance of an issue that cropped up before. For example, during Operation Onymous, the exercise that took down Silk Road 2.0 in November of 2014, it emerged that most of the sites affected by this international law enforcement effort were, themselves, cloned sites.

    Most of these cloned sites were created with Onion Cloner, a tool that makes it easy to impersonate TOR sites and redirect passwords and Bitcoin.

    Rapid7’s security engineering manager, Tod Beardsley, said the potential for cloning is greater on the dark web than the regular internet for architectural reasons.

    “Criminals robbing criminals is about as old as crime itself, and it’s an endemic problem with the dark web,” Beardsley explained. “Unlike the case with robbing criminals in person, there is no immediate risk of violence, and the methods by which one can rob Dark Web criminals are both well established and scale easily.”

    “While TOR hidden services offer a means for strong anonymity for both users and content providers, actually finding anonymous commerce sites can be tricky,” he added.

    “Many don’t want to be found by casual users.”

    There are fewer dark web sites in any case. Ahmia.fi, one of the more popular indexers, has less than five thousand sites indexed, a figure that compares to millions of online storefronts on the regular web. “The job of impersonating a sizeable fraction of the entire ‘semi-public’ dark web commerce space looks positively easy,” according to Beardsley.

    Reply
  28. Tomi Engdahl says:

    Tor pedo torpedoed: Ex-US cybersecurity guru jailed for 25 years in abuse pics sting
    Maintains innocence, claims he was just trying to ‘defeat Tor’
    http://www.theregister.co.uk/2015/01/06/timothy_defoggi_25_year_sentence/

    A former US government cybersecurity official who was arrested in 2013 on charges of participating in an online pedophile ring has been sentenced to 25 years in prison.

    Timothy DeFoggi, who at the time of his arrest was acting director of cybersecurity for the Department of Health and Human Services, is the sixth person to be convicted in an ongoing FBI investigation into child sex abuse material distributed via the anonymizing Tor network.

    Reply
  29. Tomi Engdahl says:

    Russia claims to have super weapon that disables western satellites and long range arms
    http://www.mirror.co.uk/news/world-news/russia-claims-super-weapon-disables-6008370

    Russian weapon can zap satellites and switch off long range weapons

    Russia is boasting a major advance in electronic warfare technology enabling Vladimir Putin’s armed forces to zap foreign military satellites, and “switch off” enemy weapons.

    The new system will muzzle the guidance systems of Western cruise missiles and other high-precision arms, it is claimed.

    Its Russian makers say it is a “fundamentally new electronic warfare system” which can be mounted on ground-based as well as air- and sea-borne carriers.

    Russia’s Radio-Electronic Technologies Group (KRET) deputy chief Yuri Mayevsky said: “The system will target the enemy’s deck-based, tactical, long-range and strategic aircraft, electronic means and suppress foreign military satellites’ radio-electronic equipment.”

    “It will not be based on satellites as this is prohibited by international rules and we comply with this rule.”

    “The system will be used against cruise missiles and will suppress satellite-based radio location systems.”

    Reply
  30. Tomi Engdahl says:

    Click-Fraud Trojan Politely Updates Flash On Compromised Computers
    http://it.slashdot.org/story/15/07/06/228242/click-fraud-trojan-politely-updates-flash-on-compromised-computers

    But one aspect of it is unusual: it updates the victim’s installation of Flash to the most recent version, ensuring that similar malware can’t get in.

    Ad fraud Trojan updates Flash Player so that other malware can’t get in
    http://www.itworld.com/article/2944275/ad-fraud-trojan-updates-flash-player-so-that-other-malware-cant-get-in.html

    Someone call the malware antitrust commission: Recent versions of the Kovter ad fraud Trojan, which infects computers through Web-based exploits, close the door after themselves by updating Flash Player to the latest version.

    The new and somewhat surprising behavior was recently observed by a malware researcher known online as Kafeine, who specializes in tracking drive-by download attacks that use exploit kits.

    Kovter is used for so-called click or advertising fraud. Once installed on a computer, it hijacks the browser process and uses it to simulate user clicks on online advertisements in order to generate revenue for its creators.

    These tools typically exploit known vulnerabilities, so their creators are primarily targeting users who don’t keep the software installed on their computers up to date.

    Drive-by download attacks are particularly nasty because they’re usually launched from trusted, legitimate websites that have either been compromised or are loading malicious advertisements uploaded by attackers to ad networks.

    This is not the first time a malware program patched the flaws it used to get in. However, such cases are rare today because the cybercriminal underground economy is heavily service-based.

    Many malicious programs like Trojans don’t have their own distribution mechanisms. Their creators don’t search for vulnerabilities in software, don’t write their own exploits and don’t go around infecting websites. Instead, they rely on other cybercriminals who specialize in those activities, like the exploit kit creators.

    Reply
  31. Tomi Engdahl says:

    7 things to do when your business is hacked
    http://www.itworld.com/article/2938994/security/7-things-to-do-when-your-business-is-hacked.html

    Hint: Success of the incident response team will depend heavily on the preparation done before the breach

    Reply
  32. Tomi Engdahl says:

    Hacking Team scrambling to limit damage brought on by explosive data leak
    http://www.net-security.org/secworld.php?id=18598

    Who hacked Hacking Team, the Milan-based company selling intrusion and surveillance software to governments, law enforcement agencies and (as it turns out) companies?

    A hacker who goes by “Phineas Fisher” claims it was him (her? them?)

    The hacker has also previously compromised UK-based Gamma International, another provider that sells their spying wares to governments, and which has also been named an “enemy of the Internet.” Phineas Fisher says there will be more similar hacks in the future

    In the meantime, Hacking Team is scrambling to minimize the damage this hack and data leak is doing to the company.

    According to Motherboard’s Lorenzo Franceschi Bicchierai, the company has sent out emails to all its customers, requesting them to shut down all deployments of its Remote Control System software (“Galileo”) – even though it seems they could do that themselves, as the customer software apparently has secret backdoors.

    Perhaps they chose the first route because they hoped to keep that fact hidden from the customers?

    One of the reasons for this shutdown request is that the leaked data contains source code of the company’s surveillance solutions, and they are worried that this information will allow targeted users to discover who’s spying on them.

    “Another concern [by the wider security community] with this breach is that there is now source code available for some pretty nasty malware including what would appear to be functional exploit code,” points out Craig Young, Security Researcher, Tripwire.

    “Although most users would not know what to do with the source code release, it would be surprising if we don’t very quickly start seeing underground malware authors branching and repackaging the HT malware and selling it without restriction.”

    All the stolen information was likely accessed via the compromised computers of Christian Pozzi and Mauro Romeo, two of Hacking Team’s sysadmins.

    Also, that they can apparently bypass certificate pinning and the HTTP Strict Transport Security mechanisms, were worried about EFF’s HTTPS Everywhere browser extension spotting their rogue certificates and sending them to the EFF SSL Observatory, and that they used public exploits to compromise targets.

    Reply
  33. Tomi Engdahl says:

    Hacking Team-derived Flash exploit is now in the wild hijacking PCs
    Turn Flash OFF until the patch arrives
    http://www.theregister.co.uk/2015/07/08/hacking_teamderived_0day_is_now_in_the_wild/

    It’s the worst-case scenario of the Hacking Team hack: the as-yet-unpatched Flash vulnerability revealed in the trove of source code leaked from the surveillance-ware company is being exploited in the wild.

    Two sources, Malwarebytes and Malware Don’t Need Coffee, have documented updates to the Neutrino exploit kit and Angler exploit kit, respectively. Both kits, which are installed on compromised websites by criminals to infect passing web surfers, now exploit the new Flash bug to execute malicious code on victims’ computers.

    Malwarebytes, which had already warned the exploit would be weaponised quickly, notes: “This is one of the fastest documented cases of an immediate weaponisation in the wild, possibly thanks to the detailed instructions left by Hacking Team.”

    Reply
  34. Tomi Engdahl says:

    Kali Linux 2.0 to launch at DEFCON 23
    Hackalicious Debian derivate, version deuce, to debut in August
    http://www.theregister.co.uk/2015/07/08/kali_20/

    A small cadre of hackers have announced the next version of the Kali hacker arsenal, codenamed Sana, will be released on 11 August.

    The popular penetration testing platform brings hundreds of the best open source hacking tools into a Debian-based distribution that is a staple for hackers and forensic analysts.

    About the Kali Linux Distribution
    https://www.kali.org/about-us/

    Kali Linux is an open source project that is maintained and funded by Offensive Security, a provider of world-class information security training and penetration testing services. In addition to Kali Linux, Offensive Security also maintains the Exploit Database and the free online course, Metasploit Unleashed.

    Reply
  35. Tomi Engdahl says:

    Critical Adobe Flash, Windows zero-days leak from Hacking Team raid
    Security teams scramble to patch serious flaws
    http://www.theregister.co.uk/2015/07/07/hacking_team_zero_days_flash_windows_kernel/

    Confidential source code stolen from Hacking Team, and subsequently leaked online, has revealed new software vulnerabilities that are exploited by the spyware maker to infect victims’ computers.

    The security holes are used to inject malicious code into PCs; that code installs surveillance tools to monitor the user’s every move and remote control their machines over the internet.

    Hacking Team, which is based in Italy, counts the governments of Saudi Arabia, Oman, Sudan, Egypt, Lebanon, Russia, the US, and others, plus various private organizations, as its customers, past and present, it appears.

    From what we’ve seen so far, inside the leaked source code lies an Adobe Flash exploit for which no patch exists: it can be used against Internet Explorer, Firefox, Chrome and Safari, and affects Flash Player 9 to the latest version, 18.0.0.194.

    A proof-of-concept exploit uses the flaw to open calc.exe on Windows, proving a malicious Flash file downloaded from the internet can execute arbitrary code on a victim’s computer. Hacking Team describes it as “the most beautiful Flash bug for the last four years” in its internal documentation.

    Adobe told us in a statement today that it is working on a patch, which it hopes to release by the end of the week.

    According to Trend Micro, the Flash vulnerability is a classic use-after-free() programming cockup that allows the attacker to read and write arbitrary bytes in memory.

    Meanwhile, another zero-day has been found in the Hacking Team source code: this one is a vulnerability in atmfd.dll, the Adobe font driver in the kernel level of the Windows operating system.
    The vulnerability is not the same as the MS15-021 flaw that Microsoft patched in March.
    The hole, for which no patch exists, affects 32-bit and 64-bit Windows XP to Windows 8.1, according to a detailed analysis published in China.

    Again, with this exploit in the wild now, Microsoft has been in touch to say it is working on a fix for the kernel-level Windows vulnerability.

  36. Tomi Engdahl says:

    An article at Bloomberg relates the story of two IT professionals who reluctantly teamed up with an organized criminal network in building a sophisticated drug smuggling operation.

    The Mob’s IT Department
    How two technology consultants helped drug traffickers hack the Port of Antwerp
    http://www.bloomberg.com/graphics/2015-mob-technology-consultants-help-drug-traffickers/

    The device began searching for a secret network inside DP World, a Dubai-based port operator with offices on the third floor of the building.

    A few days earlier, small USB drives had been inserted into the company’s computers. They were programmed to intercept the nine-digit PINs that controlled access to DP World’s shipping containers. Besides fruit, metals, and other legitimate cargo, some of these containers carried millions of euros in heroin and cocaine. To get their drugs out of the port, often traffickers use low-tech methods: They hire runners to jump fences, break open containers, and sprint away before guards can catch them, earning as much as €10,000 ($11,200) a trip. Stealing PIN codes is more elegant and less risky. Whoever has the codes can pull into the terminal, enter the PIN into a keypad, wait as robot-controlled loaders put the container on their truck, and drive off—sometimes minutes ahead of the cargo’s legitimate owner.

    As the minutes ticked by, Van De Moere could hardly believe what he was doing. He didn’t think of himself as a criminal.

    Now he was working with a Dutch drug-trafficking gang, deep into an audacious hacking scheme that authorities say smuggled tons of cocaine and heroin through the port and into cities across the continent. If the antenna worked and he got the codes, he had a chance to get his normal life back. If he screwed up, he could end up in prison or in a coffin.

    According to prosecutors in the Netherlands and Belgium, what happened next transformed the pair into masterminds of one of the biggest drug-smuggling operations in Europe. The case, detailed in thousands of pages of police reports and court records, allegedly shows how mobsters and hackers teamed up to commit sophisticated crime, manipulating global logistical and transportation networks for huge gain. The hackers’ version of events, which they laid out as they wait for their fate to be determined later this year by Belgian authorities, differs sharply: a story of two men who became pawns of a violent group through coercion and a series of very bad decisions.

    “Obviously, you know we’re not in a legal business. So if you talk to anyone, we know where you and your family live.”

  37. Tomi Engdahl says:

    This is why control system security is important. In this case it does not seem to have been caused by a cyber-attack, but it is anyway a warning of what can happen:

    Who’s Murdering Thousands of Chickens in South Carolina?
    http://www.bloomberg.com/news/features/2015-06-02/who-s-murdering-thousands-of-chickens-in-south-carolina-

    Somebody turned the fans off on 300,000 chickens to suffocate them—somebody who knows exactly how the industry works

    Nguyen’s farm wasn’t the only one hit that night. Three others also had their control systems sabotaged, killing the birds inside. Over the next week about 320,000 chickens died in attacks on farms throughout Clarendon County, in what appears to be the largest crime against industrial poultry farms in U.S. history. All the birds were owned by Pilgrim’s, which pays Nguyen and other farmers to raise the animals.

    The attacker used different methods.

    Whoever disabled the alarms understood the farmers’ different systems, so no one was notified.

    On the night of Feb. 20, two more farms were attacked. On one, the attacker tampered with controls at four chicken houses

  38. Tomi Engdahl says:

    More on Hacking Team
    https://www.schneier.com/blog/archives/2015/07/more_on_hacking_1.html

    Hacking Team asked its customers to shut down operations, but according to one of the leaked files, as part of Hacking Team’s “crisis procedure,” it could have killed their operations remotely.

    To make matters worse, every copy of Hacking Team’s Galileo software is watermarked, according to the source, which means Hacking Team, and now everyone with access to this data dump, can find out who operates it and who they’re targeting with it.

    It’s one thing to have dissatisfied customers. It’s another to have dissatisfied customers with death squads. I don’t think the company is going to survive this.

    Hacking Team Asks Customers to Stop Using Its Software After Hack
    http://motherboard.vice.com/read/hacking-team-asks-customers-to-stop-using-its-software-after-hack

    After suffering a massive hack, the controversial surveillance tech company Hacking Team is scrambling to limit the damage as well as trying to figure out exactly how the attackers hacked their systems.

    But the hack hasn’t just ruined the day for Hacking Team’s employees. The company, which sells surveillance software to government customers all over the world, from Morocco and Ethiopia to the US Drug Enforcement Agency and the FBI, has told all its customers to shut down all operations and suspend all use of the company’s spyware, Motherboard has learned.

    “They’re in full on emergency mode,” a source who has inside knowledge of Hacking Team’s operations told Motherboard.

    A source told Motherboard that the hackers appear to have gotten “everything,” likely more than what the hacker has posted online, perhaps more than one terabyte of data.

    “The hacker seems to have downloaded everything that there was in the company’s servers,” the source, who could only speak on condition of anonymity, told Motherboard. “There’s pretty much everything here.”

    It’s unclear how the hackers got their hands on the stash, but judging from the leaked files, they broke into the computers of Hacking Team’s two systems administrators, Christian Pozzi and Mauro Romeo, who had access to all the company’s files, according to the source.

    For example, the source noted, none of the sensitive files in the data dump, from employees’ passports to lists of customers, appear to be encrypted.

    “How can you give all the keys to your infrastructure to a 20-something who just joined the company?” he added, referring to Pozzi, whose LinkedIn shows he’s been at Hacking Team for just over a year.

    “Nobody noticed that someone stole a terabyte of data? You gotta be a fuckwad,” the source said. “It means nobody was taking care of security.”

    Pozzi said that Hacking Team was working closely with the police, and warned everyone who was downloading the files and commenting on them.

    “Be warned that the torrent file the attackers claim is clean has a virus,” he wrote. “Stop seeding and spreading false info.”

    The files reveal previously unknown customers, such as the FBI, Spain, Chile, Australia, Russia, as well as new details of known customers such as Sudan, a country where Hacking Team was likely legally barred from selling, due to international sanctions and embargoes.

    The future of the company, at this point, is uncertain.

    Employees fear this might be the beginning of the end, according to sources.

  39. Tomi Engdahl says:

    Hacking Team: the Hack on Us Was Not Done by ‘Some Random Guy’
    http://motherboard.vice.com/read/hacking-team-the-hack-on-us-was-not-done-by-some-random-guy?trk_source=recommended

    Almost 48 hours after an unnamed hacker announced the breach of Hacking Team, exposing more than 400GB of secrets, the Italian surveillance tech company is investigating what happened, and coming out of its radio silence.

    The cyberintrusion, which was “quite sophisticated,” was likely the work of people “with a lot of expertise,” according to the company spokesperson Eric Rabe

    “We don’t think this was the work of just some random guy,” Rabe said, adding that it was more likely that it was an “organization,” either a criminal group or maybe even a government. “It’s hard to know.”

    Rabe questioned that the hacker, who told Motherboard that he was the same one who hacked Hacking Team’s competitor Gamma Group last year, was motivated by human rights issues. “I don’t know if we have any evidence of that.”

    The spokesperson, however, hinted that the company knew how the hack had occurred, but declined to share details since two Italian law enforcement agencies are involved in the investigation.

    After the hack, the company asked all its customers to shut down their surveillance systems and suspend all operations using Hacking Team’s spyware, Rabe confirmed, after Motherboard first reported it yesterday. He said that they took the precaution to protect operations against terrorists and criminals.

  40. Tomi Engdahl says:

    Hacker Claims Responsibility for the Hit on Hacking Team
    http://motherboard.vice.com/read/hacker-claims-responsibility-for-the-hit-on-hacking-team?trk_source=recommended

    An online anti-surveillance crusader is back with a bang.

    Last year, a hacker who only went by the name “PhineasFisher” hacked the controversial surveillance tech company Gamma International, a British-German surveillance company that sells the spyware software FinFisher. He then went on to leak more than 40GB of internal data from the company, which has been long criticized for selling to repressive governments.

    That same hacker has now claimed responsibility for the breach of Hacking Team, an Italian surveillance tech company that sells a similar product called Remote Controlled System Galileo.

  41. Tomi Engdahl says:

    ICANN’s Plan To End Commercial Website Anonymity Creates Real Problems
    http://yro.slashdot.org/story/15/07/08/0239201/icanns-plan-to-end-commercial-website-anonymity-creates-real-problems

    An anonymous reader notes that ICANN is closing the comment period for its plan to prevent owners of commercial websites from keeping their personal details out of a site’s public-facing registration information. Digital rights groups are taking the opportunity to explain how real harm can result from this decision. The Online Abuse Prevention Initiative posted an open letter to ICANN pointing out the rise of doxing and swatting

    Icann plan to end website anonymity ‘could lead to swatting attacks’
    http://www.theguardian.com/technology/2015/jul/07/icann-plan-to-end-website-anonymity-could-lead-to-swatting-attacks

    Coalition of free-speech and anti-harassment campaigners, led by the Online Abuse Prevention Initiative, calls for internet governing body not to enact proposal

    A coalition of anti-harassment initiatives and digital rights organisations is fighting a proposal from the internet’s governing body, Icann, to strip anonymity from website owners.

    Icann’s plan is to require all website owners who use their domains for commercial purposes to provide a direct contact address for their registration records, known as the Whois record. At the moment many use privacy-protecting services, where often the domain name registration company’s details are given instead. If implemented, the proposal would effectively end the ability to run a commercial website without revealing significant personal information such as business address and real name.

    Specifically, they argue that the proposals will make it easier to “dox” and “swat” people online.

    Doxing refers to the practice of uncovering personal information about someone online, sometimes with the intent to carry out further harassment, and sometimes simply to publish the information.

    Swatting, in turn, refers to the practice of using personal information to place hoax calls with law enforcement with the intention of bringing down a squad of armed police. The practice is common among gaming communities, from which the four founding members of OAPI were drawn.

    The OAPI’s letter has now been signed by more than 30 separate organisations drawn from a whole host of areas. Internet freedom organisations including the Electronic Frontier Foundation (which spoke out against the proposal independently last week); the Tor project; and Fight for the Future have signed.

    The campaign in favour of Icann’s proposal has been backed by a coalition of copyright industry bodies, including the Recording Industry Association of America, Motion Picture Association of America and Entertainment Software Association, the last of which represents the gaming industry in the US.

  42. Tomi Engdahl says:

    Welkom in Nederland: Laid-back, chilled, and MONITORING everything
    For sure, we’ll have the better oversight thing
    http://www.theregister.co.uk/2015/07/08/dutch_snooping_law_revamp/

    The Dutch government is pushing changes to its national law to enable bulk data surveillance and compelled decryption.

    The proposed update of the Intelligence & Security Act of 2002 would establish bulk interception powers for “any form of telecom or data transfer”.

    As well as metadata, the revamp would allow the Dutch intelligence services to compel anyone to help decrypt data, either by providing encryption keys or turning over decrypted data.

    Domestic interception is explicitly allowed within the proposals, which if enacted, would look to create the most permissive snooping regime in the Western World. With plans like this it’s little wonder that Edward Snowden described the Dutch as “the Surveillance Kings of Europe” earlier this year.

    The Netherlands is a major exchange point for internet traffic. If the plans go through, the Dutch authorities would gain a wide-ranging ability to monitor global communications.

  43. Tomi Engdahl says:

    Dutch MEP whacks Hacking Team over embargo-busting
    We need to talk about Sudan and human rights …
    http://www.theregister.co.uk/2015/07/08/dutch_mep_whacks_hacking_team_over_embargobusting/

    The Hacking Team fallout continues, with Dutch member of the European Parliament Marietje Schaake asking for a European Commission (EC) investigation into the outfit.

    Schaake wants the EC to decide whether Hacking Team broke various embargo rules by selling products to repressive regimes (she name-checks Azerbaijan, Bahrain, Egypt, Ethiopia, Kazakhstan, Morocco, Nigeria, Russia, Saudi Arabia, the UAE and Uzbekistan in this blog post).

    She singles out a sale to Sudan as a possible violation of “UN Security Council Resolutions 1556, 1591, 1945, 2091 and 2138”, and that the sale “would also violate Council Decision 2014/450/CFSP of 10 July 2014 concerning restrictive measures in view of the situation in Sudan”.

    Blog: Hacking Team company at receiving end of hacks
    http://www.marietjeschaake.eu/2015/07/blog-hacking-team-company-at-receiving-end-of-hacks/

    Hacking Team, a major Italian manufacturer of malware for governmental use, appears to have been hacked. It is unknown how or by whom, but in theory it is possible it was hacked with help of its own products. Ironically, Hacking Team sells systems that allow its customers to hack. This incident underlines the risk of a boomerang effect as a result of allowing the unregulated sales of intrusion and surveillance technologies. Additionally, it underlines the need for companies to take effective action to ensure protection of data and systems.

    400 GB of internal documents, source code and e-mail communications are now publicly available, and they seem to confirm earlier evidence that the company sold software to repressive regimes. Customers including authorities in Azerbaijan, Bahrain, Egypt, Ethiopia, Kazakhstan, Morocco, Nigeria, Russia, Saudi Arabia, the UAE and Uzbekistan are mentioned as Hacking Team’s customers that have hacked devices of their citizens. These serious facts should not come as a surprise.

    One particularly interesting invoice appears to demonstrate that Hacking Team sold a ‘Remote Control System’ (RCS) for 480.000 Euros to Sudan’s National Intelligence and Security Services in 2012. Before many people in Sudan have ever gone online, the surveillance network is already in place.

  44. Tomi Engdahl says:

    Nicole Perlroth / New York Times:
    13 top cryptographers issue report opposing US, British proposals for circumventing encryption, say plans would put the world’s digital communications at risk

    Security Experts Oppose Government Access to Encrypted Communication
    http://www.nytimes.com/2015/07/08/technology/code-specialists-oppose-us-and-british-government-access-to-encrypted-communication.html

    An elite group of security technologists has concluded that the American and British governments cannot demand special access to encrypted communications without putting the world’s most confidential data and critical infrastructure in danger.

    A new paper from the group, made up of 14 of the world’s pre-eminent cryptographers and computer scientists, is a formidable salvo in a skirmish between intelligence and law enforcement leaders, and technologists and privacy advocates. After Edward J. Snowden’s revelations — with security breaches and awareness of nation-state surveillance at a record high and data moving online at breakneck speeds — encryption has emerged as a major issue in the debate over privacy rights.

    That has put Silicon Valley at the center of a tug of war. Technology companies including Apple, Microsoft and Google have been moving to encrypt more of their corporate and customer data after learning that the National Security Agency and its counterparts were siphoning off digital communications and hacking into corporate data centers.

    Yet law enforcement and intelligence agency leaders argue that such efforts thwart their ability to monitor kidnappers, terrorists and other adversaries. In Britain, Prime Minister David Cameron threatened to ban encrypted messages altogether. In the United States, Michael S. Rogers, the director of the N.S.A., proposed that technology companies be required to create a digital key to unlock encrypted data, but to divide the key into pieces and secure it so that no one person or government agency could use it alone.

    The encryption debate has left both sides bitterly divided and in fighting mode.

    The group behind the report has previously fought proposals for encryption access. In 1997, it analyzed the technical risks and shortcomings of a proposal in the Clinton administration called the Clipper chip. Clipper would have poked a hole in cryptographic systems

    The government abandoned the effort after an analysis by the group showed it would have been technically unworkable.

    Now the group has convened again for the first time since 1997.

    In the paper, the authors emphasized that the stakes involved in encryption are much higher now than in their 1997 analysis.

    “The problems now are much worse than they were in 1997,”

    Keys Under Doormats: Mandating insecurity by requiring government access to all data and communications
    http://dspace.mit.edu/bitstream/handle/1721.1/97690/MIT-CSAIL-TR-2015-026.pdf?sequence=6

    We have found that the damage that could be caused by law enforcement exceptional access requirements would be even greater today than it would have been 20 years ago.

    Exceptional access would force Internet system developers to reverse “forward secrecy” design practices that seek to minimize the impact on user privacy when systems are breached. The complexity of today’s Internet environment, with millions of apps and globally connected services, means that new law enforcement requirements are likely to introduce unanticipated, hard to detect security flaws. Beyond these and other technical vulnerabilities, the prospect of globally deployed exceptional access systems raises difficult problems about how such an environment would be governed and how to ensure that such systems would respect human rights and the rule of law.

    Political and law enforcement leaders in the United States and the United Kingdom have called for Internet systems to be redesigned to ensure government access to information — even encrypted information. They argue that the growing use of encryption will neutralize their investigative capabilities. They propose that data storage and communications systems must be designed for exceptional access by law enforcement agencies. These proposals are unworkable in practice, raise enormous legal and ethical questions, and would undo progress on security at a time when Internet vulnerabilities are causing extreme economic harm.

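The forward-secrecy point in the abstract quoted above, as an added example that is not code from the paper or from this post: a toy Python model in which the same recorded traffic is attacked later with the server's long-term private key. The model assumes RFC 3526 group 14 as the Diffie-Hellman group and uses a constructed SHA-256 counter-mode keystream in place of a real cipher; it shows that a static-key design (what an escrowed-key requirement pushes towards) is fully exposed by that one key, while an ephemeral-key design is not.

```python
"""Toy model of the forward-secrecy argument in "Keys Under Doormats".

Added example, not code from the paper or the post. Two session styles:
  * static: the server's long-term Diffie-Hellman key is the root of every
    session key, so whoever later holds it (escrow disclosure, seizure,
    breach) can decrypt every recorded session.
  * forward-secret: a fresh ephemeral key pair per session, discarded after
    use, so the long-term key alone recovers nothing from old recordings.
Assumptions: RFC 3526 group 14 as the DH group; a SHA-256 counter-mode
keystream stands in for a real AEAD cipher (demo only, not a real cipher).
"""
import hashlib
import secrets

# RFC 3526 group 14: 2048-bit MODP prime, generator 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF",
    16,
)
G = 2


def gen_keypair():
    """Random private exponent x and public value g^x mod p."""
    priv = secrets.randbelow(2**256 - 1) + 1
    return priv, pow(G, priv, P)


def derive_key(priv, peer_pub):
    """DH shared secret hashed down to a 32-byte session key."""
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(256, "big")).digest()


def stream_xor(key, data):
    """Constructed toy keystream (SHA-256 in counter mode). Demo only."""
    out = b""
    counter = 0
    while len(out) < len(data):
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


def run_session(server_lt, plaintext, forward_secret):
    """Simulate one client->server session and return only what a passive
    recorder on the wire would keep: the public values and the ciphertext."""
    lt_priv, lt_pub = server_lt
    client_priv, client_pub = gen_keypair()
    if forward_secret:
        # Fresh per-session key pair; its private half is dropped on return.
        srv_priv, srv_pub = gen_keypair()
    else:
        # Static-key design: the long-term key is the root of the session key.
        srv_priv, srv_pub = lt_priv, lt_pub
    key = derive_key(client_priv, srv_pub)
    assert key == derive_key(srv_priv, client_pub)  # both sides agree
    return {"client_pub": client_pub, "server_pub": srv_pub,
            "ciphertext": stream_xor(key, plaintext)}


def decrypt_with_long_term_key(recording, lt_priv):
    """What a party holding only the server's long-term private key can do
    with an old recording: derive the key the static design would have used."""
    key = derive_key(lt_priv, recording["client_pub"])
    return stream_xor(key, recording["ciphertext"])


def demo(message=b"constructed sample: transfer 4200 EUR to account X"):
    """Returns (static_session_recovered, forward_secret_session_recovered)."""
    server_lt = gen_keypair()
    static_rec = run_session(server_lt, message, forward_secret=False)
    fs_rec = run_session(server_lt, message, forward_secret=True)
    # Later: the long-term key becomes available to a third party.
    leaked_lt_priv = server_lt[0]
    return (decrypt_with_long_term_key(static_rec, leaked_lt_priv) == message,
            decrypt_with_long_term_key(fs_rec, leaked_lt_priv) == message)


if __name__ == "__main__":
    static_ok, fs_ok = demo()
    print("static-key session decrypted with long-term key:", static_ok)
    print("forward-secret session decrypted with long-term key:", fs_ok)
```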
  45. Tomi Engdahl says:

    Dyre times ahead: Zeus-style trojan slurps your banking login creds
    List of countries targeted in cash theft scam oddly doesn’t include Greece…
    http://www.theregister.co.uk/2015/07/08/dyre_banking_trojan_spam_surge/

    UK users of Barclays, Royal Bank of Scotland, HSBC, Lloyds Bank and Santander are being targeted by cybercrooks slinging the Dyre banking trojan.

    Around 19,000 malicious emails have been sent in three days from spam servers worldwide, inviting users to download an archive containing a malicious .exe file posing as personal financial information.

    The file acts as a downloader which fetches and executes the Dyreza banker Trojan, also known as Dyre.

    The malicious attachments sometimes pose as a follow-up email from a tax consultant, inviting users to download an attached archive that’s actually riddled with malicious code. Other emails spotted during the latest Dyre distribution campaign pose as financial documentation or, in other cases, fictitious penalty notices. The latter ruse seems geared towards hacking into enterprise computers.

    “Dyre is very similar to the infamous Zeus,” explained Catalin Cosoi, chief security strategist at Bitdefender, “It installs itself on the user’s computer and becomes active only when the user enters credentials on a specific site, usually the login page of a banking institution or financial service.”

  46. Tomi Engdahl says:

    Ellen Nakashima / Washington Post:
    Senate Intelligence Committee approves bill requiring social media services to report postings by suspected terrorists

    Lawmakers want Internet sites to flag ‘terrorist activity’ to law enforcement
    https://www.washingtonpost.com/world/national-security/lawmakers-want-internet-sites-to-flag-terrorist-activity-to-law-enforcement/2015/07/04/534a0bca-20e9-11e5-84d5-eb37ee8eaa61_story.html

    Social media sites such as Twitter and YouTube would be required to report videos and other content posted by suspected terrorists to federal authorities under legislation approved this past week by the Senate Intelligence Committee.

    The measure, contained in the 2016 intelligence authorization, which still has to be voted on by the full Senate, is an effort to help intelligence and law enforcement officials detect threats from the Islamic State and other terrorist groups.

    It would not require companies to monitor their sites if they do not already do so, said a committee aide, who requested anonymity because the bill has not yet been filed. The measure applies to “electronic communication service providers,” which includes e-mail services such as Google and Yahoo.

    Companies such as Twitter have recently stepped up efforts to remove terrorist content in response to growing concerns that they have not done enough to stem the propaganda. Twitter removed 10,000 accounts over a two-day period in April.

    Google, Facebook and Twitter declined to comment on the measure, but industry officials privately called it a bad idea. “Asking Internet companies to proactively monitor people’s posts and messages would be the same thing as asking your telephone company to monitor and log all your phone calls, text messages, all your Internet browsing, all the sites you visit,”

  47. Tomi Engdahl says:

    Android is clearly the most popular mobile platform, and this is also reflected in malware statistics. According to G Data Security Labs statistics, 4900 new pieces of Android malware will appear on the market every day.

    This means that this year, Android users are threatened by up to two million additional malicious programs.

    Malicious hackers are easy to understand when you look at how many smartphone users use banking services on their device. 51 percent of Americans and 40 percent of Europeans use their smartphone or tablet for banking, G Data says.

    According to G Data, despite its Linux basis, Android is easier than other platforms to sneak malicious software onto.

    Source: http://etn.fi/index.php?option=com_content&view=article&id=3059:androidille-4900-uutta-haittaa-joka-paiva&catid=13&Itemid=101

  48. Tomi Engdahl says:

    Four out of five e-mails are junk

    Last year, about 35 thousand billion, or 35 trillion, e-mails were sent in the world. Juniper Research found that 80 per cent of this amount, that is, four out of five e-mails, was spam.

    This year, the number of all electronic messages – e-mails, text messages, multimedia messages and a variety of instant messages – will rise to 94.2 trillion. By 2019, the volume will have increased to 160 trillion messages.

    The share of the various social media in this messaging pie is growing all the time. For example, over 5.8 billion postings are currently sent on Facebook every day. And the number is growing all the time.

    Source: http://etn.fi/index.php?option=com_content&view=article&id=3058:nelja-viidesta-sahkopostista-on-roskaa&catid=13&Itemid=101

  49. Tomi Engdahl says:

    Flight times will soon be stored in passports too

    Passports, identity cards and other documents containing smart chips can store more and more information. In addition, the information can be updated. The goals are better security and letting passengers get through security checks more quickly.

    Infineon, NXP and the smart-chip data security developer Giesecke & Devrient have completed their part of the Europe-wide newpass project. The companies were responsible for the new data structures and chip card architecture, which will be included in future travel document standards.

    The new smart chips will allow, for example, visa information and arrival and departure information to be recorded directly in the passport. In addition, the personal data in an e-passport may in the future be updated, so getting married will not mean applying for a new passport.

    Source: http://etn.fi/index.php?option=com_content&view=article&id=3045:myos-lentoajat-tallentuvat-pian-passeihin&catid=13&Itemid=101

  50. Tomi Engdahl says:

    Dan Goodin / Ars Technica:
    Hacker group Morpho attacked Twitter, Facebook, Apple, Microsoft, others to profit from insider info, active since at least 2011

    Meet the hackers who break into Microsoft and Apple to steal insider info
    Almost 50 companies have been hacked by a shadowy group.
    http://arstechnica.com/security/2015/07/meet-the-hackers-who-break-into-microsoft-and-apple-to-steal-insider-info/

    In February 2013, Twitter detected a hack attack in progress on its corporate network. “This attack was not the work of amateurs, and we do not believe it was an isolated incident,” a Twitter official wrote when disclosing the intrusion. Sure enough, similar attacks were visited on Facebook, Apple, and Microsoft in the coming weeks. In all four cases, company employees were exposed to a zero-day Java exploit as they viewed a website for iOS developers.

    Now, security researchers have uncovered dozens of other companies hit by the same attackers. Alternately known as Morpho and Wild Neutron, the group has been active since at least 2011, penetrating companies in the technology, pharmaceutical, investment, and healthcare industries, as well as law firms and firms involved in corporate mergers and acquisitions. The developers of the underlying surveillance malware have thoroughly documented their code with fluent English, and command and control servers are operated with almost flawless operational security. The take-away: the threat actors are likely an espionage group in a position to profit on insider information.

    “Morpho is a skilled, persistent, and effective attack group which has been active since at least March 2012,” researchers from security firm Symantec wrote in a report published Wednesday.

    Physical security systems targeted

    In at least one case, attackers used the malware to access what is known as the physical security information management system, which is the software for aggregating, managing, and monitoring physical security systems and devices inside the targeted organization.

    “The physical security systems could consist of CCTV, swipe card access, HVAC, and other building security,” Symantec researchers wrote. “After compromis[ing] that system, the attackers could have monitored employees through the company’s own CCTV systems and tracked the activities of individuals within the building.”

    It still remains unclear exactly how more recent attacks have managed to infect targeted computers.

    “Compared to other APT groups, Wild Neutron is one of the most unusual ones we’ve analysed and tracked,” Kaspersky Lab researchers wrote.

    Morpho: Profiting from high-level corporate attacks
    Multi-billion dollar corporations hit by secretive attack group.
    http://www.symantec.com/connect/blogs/morpho-profiting-high-level-corporate-attacks

    A corporate espionage group has compromised a string of major corporations over the past three years in order to steal confidential information and intellectual property. The gang, which Symantec calls Morpho, is not state-sponsored but rather financially motivated. It has attacked multi-billion dollar companies operating in the internet, IT software, pharmaceutical and commodities sectors. Twitter, Facebook, Apple and Microsoft are among the companies who have publicly acknowledged attacks.

    Morpho is technically proficient and well resourced. The group has developed a suite of custom malware tools capable of attacking both Windows and Apple computers, and appears to have used at least one zero day vulnerability in its attacks. It keeps a low profile and maintains good operational security. After successfully compromising a target organization, it will clean up after itself before moving on to its next target.

    This group operates at a much higher level than the average cybercrime gang. It is not interested in stealing credit card details or customer databases and is instead focused on high level corporate information. Morpho may be selling this information to the highest bidder or may be operating as hackers for hire. Stolen information could also be used for insider trading purposes.
