Security trends for 2015

Year 2014 is coming to an end, so it is time to look forward to what to expect from 2015 in cyber security.

Cyber security will get harder year by year. Year 2014 was much worse than 2013. Heartbleed, Shellshock (the Bash bug) and POODLE were just the beginning of what to expect in 2015. I expect that year 2014 was easy compared to what year 2015 will be. 2015 will prove to be a challenging year for IT security professionals. Attacks can happen anywhere and anytime, and they don’t have to be major attacks by nation states. They could come from inside or outside.

According to Gartner and SecurityWeek, total information security spending will grow a further 8.2 percent in 2015 to reach $76.9 billion. Unfortunately, security investments are not keeping up with IT enhancements that are continuously widening our attack surface and making systems more vulnerable. As computer software has become the backbone of modern civilization, “hacktivists”, organized cyber criminals, state-sponsored cyber attackers and terrorist organizations try to exploit design flaws and weaknesses in applications in order to embarrass corporations and government agencies, and to commit fraud.

Despite the high-profile CryptoLocker takedown, ransomware scams remain an all-too-real threat. Crooks are developing more sophisticated encryption schemes to support their fraud.

The steady flow of software security issues will keep making headlines in 2015. Serious security flaws will be found in both open source and proprietary software.

There are many people looking for a good process to develop secure software, because after-the-fact band-aiding is not a sustainable approach. If the same methods continue to be used to develop software, with tests added retrospectively, there will only be a very modest reduction in the flow of problems. Processes for developing reliable and secure networking software exist, but they have yet to be broadly applied. Traditional software development methods continue to result in high failure rates. Why build insecure security?

Year 2014 was a year of cybersecurity after the NSA revelations made in 2013. There were lots of articles related to the published material. Not everything has been published yet, so I expect new details from the NSA revelations to be published in 2015 as well, and more information leaks on how governmental security organizations spy on us all.

It seems like year 2014 has almost been “The Year of PoS Breaches.” Can we learn from big breaches? At least companies will face more stringent regulations: the new Payment Card Industry Data Security Standard 3.0 (PCI DSS 3.0) will be mandatory for all businesses that store, process or transmit payment card information beginning 1 January 2015. The revamped standard includes requirements aimed at third-party providers. The changes follow a string of high-profile breaches. I expect that those new requirements will not result in any quick change to the situation. As breach reports keep coming, consumers are officially starting to get breach fatigue, and banks are taking breached companies to court to pay for the damages caused to them.

Public and private organizations are facing an increasing frequency and sophistication of cyber-attacks and security breaches, many of which are only discovered after the fact. McAfee Labs’ 2015 Threats Predictions report is an eye-opening read which forecasts increased levels of crime, espionage and warfare operations. Cybercriminals are expected to use more sophisticated methods to remain hidden on a victim’s network, carrying out long-term theft of data without detection.

The Get Ready For The Hack Attack That Drives A Big Company Out Of Business article predicts that 2015 will be the year some company goes out of business because it didn’t plan adequately for an attack. In the past, the most sophisticated hacks against companies were carried out by big nation-states or criminal organizations. The 2014 Sony Pictures hack showed that the motives of sophisticated attackers have changed from self-gain to destruction. Many company officers are only now becoming aware of the threat (boards of directors and C-level officers have traditionally focused on other threats). A computerized attack can cause a lot of damage to a well-prepared company, and can turn a not-so-well-prepared company into a complete disaster it can’t recover from. The Sony attack opens new doors of risk in the area of corporate extortion.

As the Internet of Things becomes more and more used, it will be hacked more and more, so IoT security will be talked about more and more. IoT is one field where cyber security flaws can kill. The European Police Office (Europol) said governments are ill-equipped to counter the menace of “injury and possible deaths” spurred by hacking attacks on critical safety equipment. There are many potential dangers in transportation: many new cars are Internet connected and potentially vulnerable, SCADA systems in railways are vulnerable to attack, and airline bosses ignore cyber security concerns at their peril. Whether it is an unintentional cyber incident or a deliberate attack, security continues to be a vital part of the automation industry and, together with safety, will remain a growing area of concern for manufacturers in the coming years. Security awareness is on the rise throughout the industry. Security is becoming a business enabler that can provide manufacturers more than just an insurance policy.

Soon, almost every network will have IoT hacking in it. IDC predicts that within two years 90 per cent of global IT networks will have experienced IoT-related data theft. In a report, cybersecurity firm Fortinet expects greater threats from “denial of service attacks on assembly line, factory, industrial control systems, and healthcare and building management…resulting in revenue losses and reputation damages for organizations globally.” This opens new doors of risk in the areas of corporate extortion, altering of corporate business operations, and the extension of cyberattacks to include physical threats of harm to civilians.

Cyber warfare is becoming more and more attractive to small nations and terrorist groups. Enabled by Internet connectivity, cyber war provides more bang for the buck than investment in conventional weapons: it is cheaper and far more accessible to small nation-states than conventional weapons. It allows these countries to pull off attacks with less risk of getting caught and with fewer repercussions when they are caught. There are many reasons why a nation-state or non-state entity would pursue a cyber war program, and today many countries, large and small, invest in cyber warfare. Recent cyber attacks suggest that fewer resources are required to wage an attack than to defend against one. As the whole world gets connected, it just provides the details that make these attacks possible. In the not-too-distant future, warfare with traditional weaponry may take a backseat to potentially more destructive tactics: computer code attacking the companies and infrastructures that society relies on, including electric grids and oil and gas pipelines.

It was estimated that the first online murder would happen in 2014. As far as I know it did not happen in 2014. I think it is likely that an online murder can happen in 2015. There are tools available for this to happen. Cyber-murder can happen without us knowing about it.

Mobile devices will be one of the focal points for cyber-attackers in 2015, as they present relatively easy, low-risk points of entry that can be monitored remotely for passwords, account numbers and personal identification data. It is still relatively easy to publish malicious applications in app stores. Within the next year advanced mobile exploit kits will become available.

Mobile devices will start to play a part in denial of service attacks. Vietnam, India and Indonesia will be the distributed denial of service volcanoes of next year due to the proliferation of pwned mobiles.

Year 2014 brought encryption to mainstream smartphones (new encryption features from Apple Inc. and Google Inc.). In 2015 government organizations will try to tackle a very modern problem: password-protected encrypted cellphones. It will be a fight over surveillance as everyone starts to implement encryption.

Long predicted but always seeming to be “just around the corner,” mobile payments may finally have arrived. The underlying technologies of the coming mobile payment revolution, and alternative solutions, have been emerging for some time. Technologies playing a supporting role in this shift include encryption advances, digital currencies, biometrics, NFC, Bluetooth, QR codes and even sound-wave data transfer. There will also be products marketed to prevent the different kinds of potential threats the new technologies can cause.

There is a never-ending battle between good and evil in the cyber world. Various types of attacks are successful because they are well-disguised, blend different techniques and constantly evolve. You need layered security, and it’s not just for networks. Use a layered security architecture that supports a combination of defenses in ways attackers don’t expect and that continuously evolves protections to keep up with dynamic attacks. Traditionally these approaches have focused on the network, but they can and should be applied to other parts of the IT system as well (start from email gateways). Email is the preferred channel for business communications and thus continues to be a vector of choice for attackers.

Threat information sharing will become necessary for survival. Security controls (SANS Critical Controls, ISO/IEC 27002, NIST Cybersecurity Framework and the Cloud Controls Matrix) are safeguards that counteract or minimize security risks to digital property. The more you can automate a control, the better off you will be. Moving towards an adaptive and automated way of applying intelligence based on behavior and heuristics is clearly a step in the right direction to enable a more actionable and relevant set of controls. Threat intelligence coming from a variety of sources (security companies, the government and the open source community) is needed. Key to success is publishing intelligence in standard data structures (STIX, TAXII and other industry formats) that describe threats in a way that can be aggregated and understood by others.
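As an added example (my code, not part of the original post), here is what “machine-readable intelligence that others can aggregate” looks like in practice: a Go program that publishes an indicator in the JSON layout of a STIX 2.x Indicator object, re-parses it the way a receiving tool would, and applies its pattern to a few constructed firewall log lines. The STIX 2.x layout, the key=value log format, the address, the host names and the indicator id are all assumptions made for the demo; the page itself only names STIX and TAXII generically.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
	"time"
)

// Indicator is the subset of a STIX 2.1 Indicator object emitted here. The
// post names STIX only generically; the 2.x JSON layout is an assumption.
type Indicator struct {
	Type        string    `json:"type"`
	SpecVersion string    `json:"spec_version"`
	ID          string    `json:"id"`
	Created     time.Time `json:"created"`
	Modified    time.Time `json:"modified"`
	Name        string    `json:"name"`
	Pattern     string    `json:"pattern"`
	PatternType string    `json:"pattern_type"`
	ValidFrom   time.Time `json:"valid_from"`
}

// NewIndicator wraps one comparison pattern in the fields a consumer needs to
// deduplicate and date it; id is expected to look like "indicator--<uuid>".
func NewIndicator(id, name, pattern string, at time.Time) Indicator {
	return Indicator{Type: "indicator", SpecVersion: "2.1", ID: id, Created: at,
		Modified: at, Name: name, Pattern: pattern, PatternType: "stix", ValidFrom: at}
}

// ToJSON is the publishing side (the object would travel inside a STIX bundle
// over TAXII); ParseIndicator is the receiving side, which refuses other types.
func ToJSON(ind Indicator) ([]byte, error) { return json.Marshal(ind) }

func ParseIndicator(data []byte) (Indicator, error) {
	var ind Indicator
	err := json.Unmarshal(data, &ind)
	if err == nil && (ind.Type != "indicator" || ind.PatternType != "stix") {
		err = fmt.Errorf("not a STIX indicator: %s", data)
	}
	return ind, err
}

// patternRe accepts the simplest STIX pattern form: [object-type:property = 'value'].
var patternRe = regexp.MustCompile(`^\[\s*([a-z0-9-]+):([a-z0-9_.]+)\s*=\s*'([^']*)'\s*\]$`)

// Event is one observation keyed the way STIX patterns name object properties.
type Event map[string]string

// ParseFirewallLine maps a constructed "k=v" log line (invented format: src=,
// dst=, host=) onto the STIX object properties an indicator can refer to.
func ParseFirewallLine(line string) Event {
	ev := Event{}
	for _, field := range strings.Fields(line) {
		kv := strings.SplitN(field, "=", 2)
		if len(kv) != 2 {
			continue
		}
		switch kv[0] {
		case "dst":
			ev["ipv4-addr:value"] = kv[1]
		case "host":
			ev["domain-name:value"] = kv[1]
		}
	}
	return ev
}

// Match returns the indices of events matched by the indicator's pattern and
// rejects pattern syntax this demo does not implement instead of ignoring it.
func Match(ind Indicator, events []Event) ([]int, error) {
	m := patternRe.FindStringSubmatch(ind.Pattern)
	if m == nil {
		return nil, fmt.Errorf("unsupported pattern %q", ind.Pattern)
	}
	key, want := m[1]+":"+m[2], m[3]
	var hits []int
	for i, ev := range events {
		if ev[key] == want {
			hits = append(hits, i)
		}
	}
	return hits, nil
}

// SampleLog is constructed traffic; lines 1 and 3 reach the indicator's address.
var SampleLog = []string{
	"2015-01-05T08:00:01Z src=10.0.0.4 dst=198.51.100.7 host=intranet.example",
	"2015-01-05T08:00:05Z src=10.0.0.9 dst=203.0.113.5 host=update-check.example",
	"2015-01-05T08:00:09Z src=10.0.0.4 dst=198.51.100.8 host=mail.example",
	"2015-01-05T08:01:12Z src=10.0.0.21 dst=203.0.113.5 host=update-check.example",
}

func main() {
	ind := NewIndicator("indicator--8f1e1a3c-2b1d-4d0e-9c7a-000000000001",
		"C2 address from a shared feed (constructed)", "[ipv4-addr:value = '203.0.113.5']", time.Now().UTC())
	raw, _ := ToJSON(ind)
	received, _ := ParseIndicator(raw)
	events := make([]Event, 0, len(SampleLog))
	for _, line := range SampleLog {
		events = append(events, ParseFirewallLine(line))
	}
	hits, _ := Match(received, events)
	fmt.Printf("%s\nmatching log lines: %v\n", raw, hits) // [1 3]
}
```

The point of the round trip is that the receiving side never has to understand the sender’s product: it validates the object type, reads one documented field (`pattern`) and evaluates it against its own telemetry. A real consumer would implement the full STIX pattern grammar (boolean operators, observation windows) rather than the single-comparison subset accepted by `patternRe`, and would fail loudly on anything it cannot evaluate, as `Match` does here.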

More and more organizations are moving applications and data to IaaS/PaaS environments. Many enterprise IT departments have reason for concern: industry experts agree that moving sensitive data into the hands of third-party cloud providers expands and complicates the risk landscape in which companies operate every day. You need to understand cloud database security basics and more.

Today major players are embracing encryption in transit, so that about 50% of web traffic is carried by HTTPS. HTTPS-everywhere will get a boost in 2015 as a new certificate authority (Let’s Encrypt), backed by big names on the internet including Mozilla, Cisco and Akamai, plans to offer SSL certificates at no charge starting summer 2015. This move will make it even easier for people to run encrypted, secure HTTPS websites.

Google is proposing to warn people that their data is at risk every time they visit websites that do not use HTTPS. If implemented, the change would mean a warning pops up when people visit a site that uses only HTTP, to notify them that such a connection “provides no data security”. In the short term, the biggest headache is likely to be faced by website operators, who will feel forced to migrate unencrypted HTTP websites to HTTPS.

You can’t trust that normal web security technologies will guarantee safety. Your HTTPS security will be manipulated more than before. End-to-end HTTPS is generally a good security addition for end users, but it does not solve all the problems. The increased use of HTTPS has made the life of IT departments harder, because a normal firewall can’t look inside encrypted HTTPS packets, so it can’t block potential security threats carried within them. There are special corporate firewall arrangements that can intercept HTTPS traffic (they perform a kind of man-in-the-middle attack, decrypting and re-encrypting the packets on the way, which only works because the organization has installed its own CA certificate in the trust store of the client devices). So SSL/TLS communications can be intercepted and broken by anyone whose CA the client trusts.

 

3,110 Comments

  1. Tomi Engdahl says:

    Finnish Teen Convicted of 50,000 ‘Hacks,’ Receives Suspended Sentence
    http://yro.slashdot.org/story/15/07/08/164208/finnish-teen-convicted-of-50000-hacks-receives-suspended-sentence

    The BBC reports that Julius Kivimaki was found guilty of 50,700 “instances of aggravated computer break-ins.” Court documents state that his attacks affected Harvard University and MIT among others, and involved hijacking emails, blocking traffic to websites, and the theft of credit card details.

    Finnish teen convicted of more than 50,000 computer hacks
    http://www.bbc.com/news/technology-33442419

    A teenager involved in series of high profile cyber attacks has been convicted for his crimes in Finland.

    Julius Kivimaki was found guilty of 50,700 “instances of aggravated computer break-ins”.

    Court documents state that his attacks affected Harvard University and MIT among others, and involved hijacking emails, blocking traffic to websites and the theft of credit card details.

    Despite the severity of the crimes, the 17-year-old has not been jailed.

    Instead, the District Court of Espoo sentenced the youth – who had used the nickname Zeekill – to a two-year suspended prison sentence.

    It also confiscated his PC and ordered him to hand over €6,588 (£4,725) worth of property obtained through his crimes.

    Lizard Squad member convicted for Christmas attacks on PSN, Xbox Live
    http://www.polygon.com/2015/7/7/8909347/lizard-squad-ryan-teenager-kivimaki-psn-attack-xbox-live-finland

    A Finnish teenager who claimed responsibility for the cyberattack that brought down Xbox Live and PlayStation Network last year has been convicted of more than 50,000 instances of cybercrime.

    His punishment, according to Finnish media, is a two-year suspended prison sentence and a requirement to speak out against cybercrime.

    Published reports said Julius Kivimaki, 17, known as “zeekill” online, was part of the Lizard Squad group whose denial-of-service attack over the Christmas holiday culminated a monthlong war with another hacker group. Lizard Squad members justified the attacks saying “chaos is entertainment,” in a short email to Polygon at the time.

    Both United Kingdom and Finnish authorities made arrests soon after the attacks, which were substantial enough that PlayStation Network later offered subscription extensions, purchase discounts and other premiums to compensate members for the lost time.

    Finnish Decision is Win for Internet Trolls
    http://krebsonsecurity.com/2015/07/finnish-decision-is-win-for-internet-trolls/#more-31471

    In a win for Internet trolls and teenage cybercriminals everywhere, a Finnish court has decided not to incarcerate a 17-year-old found guilty of more than 50,000 cybercrimes, including data breaches, payment fraud, operating a huge botnet and calling in bomb threats, among other violations.

    As the Finnish daily Helsingin Sanomat reports, Julius Kivimäki — a.k.a. “Ryan” and “Zeekill” — was given a two-year suspended sentence and ordered to forfeit EUR 6,558.

    Kivimaki vaulted into the media spotlight late last year when he claimed affiliation with the Lizard Squad, a group of young hooligans who knocked offline the gaming networks of Microsoft and Sony for most of Christmas Day.

    Kivimaki allegedly also was involved in calling in multiple fake bomb threats and “swatting” incident

    “During the trial it became apparent that nobody suffered significant (if any) damages because of the alleged hacks,” he said.

    The danger in a decision such as this is that it emboldens young malicious hackers by reinforcing the already popular notion that there are no consequences for cybercrimes committed by individuals under the age of 18.

    Case in point: Kivimaki is now crowing about the sentence; He’s changed the description on his Twitter profile to “Untouchable hacker god.” The Twitter account for the Lizard Squad tweeted the news of Kivimaki’s non-sentencing triumphantly: “All the people that said we would rot in prison don’t want to comprehend what we’ve been saying since the beginning, we have free passes.”

    It is clear that the Finnish legal system, like that of the United States, simply does not know what to do with minors who are guilty of severe cybercrimes.

    “We’re talking about the Internet equivalent of violent crimes and assault,” James said. “This is serious stuff.”

    Kivimaki said he doesn’t agree with the characterization of swatting as a violent crime.

    As serious as Kivimaki’s crimes may be, kids like him need to be monitored, mentored, and molded — not jailed, says James.

    “Studying his past, he’s extremely smart, but he’s troubled, and definitely needs a better direction,” James said.

  2. Tomi Engdahl says:

    Hacking Team Breach Leaks Zero-Days, Renews Fight To Regulate Cyberweapons
    http://it.slashdot.org/story/15/07/08/193235/hacking-team-breach-leaks-zero-days-renews-fight-to-regulate-cyberweapons

    In the days following a massive hack that confirmed Hacking Team’s dealings with repressive regimes around the world, experts are wondering once again how to stop Western technology companies from equipping certain governments with weapons meant to attack journalists, human rights activists, and ordinary civilians. Regulation’s backers say that “this is an industry that has failed to police itself,” ACLU’s Christopher Soghoian argued, but many including the EFF warn that overly broad legislation would harm more than help.

    Several exploits have been discovered, including ones for zero-day vulnerabilities, in the hundreds of gigabytes of data stolen by a hacker from the systems of surveillance software maker Hacking Team. Researchers at Trend Micro analyzed the leaked data and uncovered several exploits, including two zero-days for Adobe Flash Player.

  3. Tomi Engdahl says:

    Intel’s Software Chief Out; Botched McAfee Deal To Blame?
    http://slashdot.org/story/15/07/09/0118216/intels-software-chief-out-botched-mcafee-deal-to-blame

    Renee James, Intel’s president and head of the company’s software group has departed, supposedly to “pursue other opportunities.” But a high-profile heir apparent doesn’t just leave voluntarily, and it seems likely that she is in part taking the fall for Intel’s acquisition of McAfee, the promised synergies of which have failed to materialize.

    Why is Renee James leaving Intel?
    http://www.itworld.com/article/2945138/business/why-is-renee-james-leaving-intel.html

    She could be “pursuing other opportunities,” but there is likely another explanation

    There were some fireworks at Intel in advance of the Fourth of July as several Intel executives left the company in a pretty big shakeup by Intel standards.

    But according to Citibank research analyst Christopher Danely, James wasn’t doing all that well at her main job. He called her departure a positive, “due to the lack of growth and low profitability of its software business under the leadership of James.”

    Danely also said he believed James was largely responsible for leading Intel’s $7.7 billion acquisition of McAfee in 2011, a merger that made absolutely no sense to anyone but a McAfee shareholder. He added that Intel’s software business had grown just 2.5% CAGR in the last three years.

    “The McAfee deal has been a major disappointment in our view as there are virtually no synergies between Intel’s core silicon business and McAfee security software. When Intel acquired the McAfee business it generated 2010 revenue of $2.1 billion with operating margins of roughly 11%. We estimate McAfee revenues have remained roughly flat since the company was acquired, while operating margins have declined to the mid-single digit range,” Danely wrote.

    When you say “software,” Intel is hardly the first company that comes to mind. It makes chips, first and last and always. It has some compiler technology, which is said to be quite good, but really, you just don’t think of software as a big part of Intel. That’s why the McAfee purchase made absolutely no sense. But Otellini was CEO and he and the board of directors approved it.

  4. Tomi Engdahl says:

    Crypto experts slam government encryption backdoor demands
    Move will create major security risk and increase number of data breaches
    http://www.theinquirer.net/inquirer/news/2416875/crypto-experts-slam-government-encryption-backdoor-demands

    A GROUP OF CRYPTOGRAPHERS AND COMPUTER SCIENTISTS has blasted demands from US and British governments for backdoors to encryption systems, saying that it would cause a “major security risk”.

    The report from the Massachusetts Institute of Technology (MIT) Computer Science and Artificial Intelligence Lab criticises plans to allow law enforcement agencies unfettered access to encrypted data, following in the footsteps of Apple and Google.

    UK prime minister David Cameron, for example, said recently that services such as iMessage and WhatsApp should be banned if British intelligence services cannot access them, while the FBI has argued that access to encrypted communications is crucial in the fight against terrorism.

    “If law enforcement’s keys guaranteed access to everything, an attacker who gained access to these keys would enjoy the same privilege.”

    Keys Under Doormats: Mandating insecurity by requiring government access to all data and communications
    http://dspace.mit.edu/bitstream/handle/1721.1/97690/MIT-CSAIL-TR-2015-026.pdf?sequence=6

  5. Tomi Engdahl says:

    Even small technical problems can cause lots of problems; this time it does not seem to be caused by hackers, but it could be:

    United Flights Resume as Grounding Slows Thousands of Fliers
    http://www.bloomberg.com/news/articles/2015-07-08/united-grounds-all-u-s-flights-on-automation-issues-faa-says

    United Airlines is resuming flights after a computer fault halted all U.S. departures for about two hours, disrupting travel for thousands of passengers in the second such setback since early June.

    “An issue with a router” caused the failure, United said Wednesday in a statement without giving details.

    United suffered a similar incident on June 2, when the world’s second-largest airline cited a lack of “proper dispatch information” that forced a halt in U.S. takeoffs for less than an hour. Planes in the air weren’t affected in that episode either.

    United fell 2.9 percent to $52.75, joining a retreat among the rest of the U.S. industry and broad equity indexes.

    The Chicago-based carrier has struggled with occasional computer faults since the 2010 merger between former parent UAL Corp. and Continental Airlines created the current parent company, United Continental.

  6. Tomi Engdahl says:

    High severity bug found in OpenSSL raises fears of another Heartbleed
    Patch due to be released on 9 July
    http://www.theinquirer.net/inquirer/news/2416825/high-severity-bug-found-in-openssl-raises-fears-of-another-heartbleed

    A ‘HIGH SEVERITY’ BUG is currently unpatched in OpenSSL, the open source software used to encrypt internet communications, and a new version is due to be released on 9 July.

    OpenSSL is a cryptographic software library used by open source web servers such as Apache and Nginx, which host about 66 percent of all websites.

    The popular back-end technology made the headlines last year when a large-scale vulnerability called Heartbleed allowed hackers to steal information that would normally be protected by the SSL/TLS encryption.

    The OpenSSL project team, a group of developers responsible for supporting the commonly used OpenSSL encryption protocol, announced the forthcoming patch in a mailing list posting by developer Mark J Cox.

    This led to concerns that OpenSSL is currently unpatched against the threat of another Heartbleed-style bug.

    Security expert Graham Cluley said that it is impossible to shed light on the vulnerability at this stage as the OpenSSL project is keeping the details under its hat for now.

    This is probably because they are concerned that any information shared in advance could be exploited in live hacks.

  7. Tomi Engdahl says:

    DARPA’s $4M cyber-threat clash down to seven challengers
    http://www.networkworld.com/article/2945443/security0/darpas-4m-cyber-threat-clash-down-to-seven-challengers.html

    DARPA competition to yield best fully automatic network defense system

    When it began a year ago, there were 104 teams competing for $4 million in prize money in the Defense Advanced Research Projects Agency (DARPA)’s ambitious tournament — known as the Cyber Grand Challenge (CGC) — to see who can build the best fully automatic network defense system.

    This week DARPA said that after a couple dry runs and a significant qualifying event the field of CGC teams is down to seven who will now compete in the final battle slated to take place at DEFCON in Las Vegas in August 2016.

    That is significant because DEFCON is the home of the longest-running annual capture the flag (CTF) cybersecurity game many security gurus use to test their skills, DARPA said.

    Each team will receive $750,000 to help them prepare over the next 13 months for the CGC final competition. They will have the opportunity to access a specialized IT infrastructure, a “digital arena” in which they can practice and refine their systems against dummy opponents that DARPA is providing. The winning team from the CGC final competition will receive $2 million. Second place will earn $1 million and third place $750,000.

    The CGC’s goal is to vastly improve the speed and effectiveness of IT security against escalating cyber threats. Today, our time to patch a newly discovered security flaw is measured in days. Through automatic recognition and remediation of software flaws, the term for a new cyber attack may change from zero-day to zero-second, DARPA stated when it first introduced the CGC in 2013.

    In fully autonomous defense, a cyber system capable of reasoning about software will create its own knowledge, autonomously emitting and using knowledge quanta such as vulnerability scanner signatures, intrusion detection signatures, and security patches, DARPA stated.

  8. Tomi Engdahl says:

    Security gurus deliver coup de grace to US govt’s encryption backdoor demands
    Diffie, Rivest, Schneier, and Anderson school FBI
    http://www.theregister.co.uk/2015/07/08/security_giants_publish_paper_destroying_government_encryption_plans/

    With congressional hearings due on Wednesday to discuss US government plans to force tech companies to install backdoors in their encryption systems, some of the leading minds in the security world have published a paper on how, and if, such a system would work.

    The authors of the 34-page paper [PDF] read like a who’s who of computer security: they are Whitfield Diffie (who along with Martin Hellman invented public key encryption); crypto guru Bruce Schneier; Ronald Rivest (the R in RSA), Matt Blaze, the killer of the Clipper Chip; Professor Ross Anderson from Cambridge University; and 11 other senior figures in the field.

    The writers examine attempts in the early 1990s to allow the Feds access to encrypted communications, referring back to the infamous Clipper chip proposed by Bill Clinton’s administration.

    The paper also points out that there are massive technical challenges in instituting an encryption key escrow service, such as the one suggested by the director of the FBI, James Comey. Such a system would lock the industry into a specific crypto system and poses a major question – who holds the master decryption key?

    Any body, public or private, holding such keys would be an instant target for hacking attacks, the authors point out. As we’ve seen with cases like the Office of Personnel hack, the White House hack, and various successful hacks against US military targets, there are no government servers where such powerful tools would be safe and yet speedily accessible to law enforcement.

    http://dspace.mit.edu/bitstream/handle/1721.1/97690/MIT-CSAIL-TR-2015-026.pdf?sequence=6

  9. Tomi Engdahl says:

    Evil NSA runs on saintly Linux, Apache, MySQL
    If report is correct, Red Hat’s marketing department has a very tricky customer reference
    http://www.theregister.co.uk/2015/07/08/evil_nsa_runs_on_saintly_red_hat_enterprise_linux_apache/

    The United States National Security Agency’s (NSA’s) XKEYSCORE spookware, revealed by Edward Snowden as capable of sniffing and analysing just about any data from anywhere, runs on Red Hat Enterprise Linux.

    So says Snowden amanuensis Glenn Greenwald, who last week wrote that XKEYSCORE “… is a piece of Linux software that is typically deployed on Red Hat servers.”

    “It uses the Apache web server and stores collected data in MySQL databases. File systems in a cluster are handled by the NFS distributed file system and the autofs service, and scheduled tasks are handled by the cron scheduling service.”

    The NSA’s a known contributor to some open source projects

    News that the NSA uses open source software may, however, dismay those who feel that such efforts promote greater openness and freedom, seeing as the NSA arguably promotes rather different values.

    Greenwald doesn’t say if the NSA uses the free version of MySQL or Oracle’s fee-for-licence version. If the latter, open source advocates may have their escape clause!

  10. Tomi Engdahl says:

    Dutch MEP whacks Hacking Team over embargo-busting
    We need to talk about Sudan and human rights…
    http://www.theregister.co.uk/2015/07/08/dutch_mep_whacks_hacking_team_over_embargobusting/

    The Hacking Team fallout continues, with Dutch member of the European Parliament Marietje Schaake asking for a European Commission (EC) investigation into the outfit.

    Schaake wants the EC to decide whether Hacking Team broke various embargo rules by selling products to repressive regimes (she name-checks Azerbaijan, Bahrain, Egypt, Ethiopia, Kazakhstan, Morocco, Nigeria, Russia, Saudi Arabia, the UAE and Uzbekistan in this blog post).

  11. Tomi Engdahl says:

    GhostShell back from the other side with mass data dump
    The world isn’t getting better at protecting SQL, it seems
    http://www.theregister.co.uk/2015/07/08/ghostshell_back_from_the_other_side_with_mass_data_dump/

    The GhostShell hacker group is back in the headlines with more mass dumps of data from poorly-secured sites.

    While Symantec says there’s no particular country or sector targeted in the latest campaign, the South China Morning Post says major Hong Kong universities are among the victims.

    “In keeping with its previous modus operandi, it is likely that the group compromised the databases by way of SQL injection attacks and poorly configured PHP scripts; however, this has not been confirmed”, Symantec’s note says.

    A Pastebin data dump (The Register has chosen not to link it, but it’s in GhostShell’s Twitter stream) includes Hong Kong Polytechnic, the Chinese University of Hong Kong, HKU Space and the Hong Kong College of Technology.

    Reply
  12. Tomi Engdahl says:

    Technology and the End of Lying
    http://tech.slashdot.org/story/15/07/08/2223257/technology-and-the-end-of-lying

    The Washington Post reports that lying may soon become a lost art as our digital, data-hoarding culture means that more and more evidence is piling up to undermine our lies. “The research shows the way lies are really uncovered is by comparing what someone is saying to the evidence,” says Tim Levine, “and with all these news analytics that can be done, it’s going to enable lie detection in a way that was previously impossible.”

    Just like you can Google a fact to end an argument, instant messaging programs that archive digital conversations make it easy to look back and see exactly who said what — and if it matches up with what a person is saying now. “Lying online can be very dangerous,” says Jeff Hancock. “Not only are you leaving a record for yourself on your machine, but you’re leaving a record on the person that you were lying to.”

    Even more alarming for liars is the incorporation of lie detector technology into the facial recognition technology. Researchers claim video-analysis software can analyze eye movement successfully to identify whether or not a subject is fibbing 82.5 percent of the time.

    How technology could kill the art of lying
    https://www.washingtonpost.com/blogs/the-switch/wp/2015/07/08/how-technology-could-kill-the-art-of-lying/

    Lies are a fact of life. But technology may soon make them obsolete.

    “Almost everybody lies now and then,” said Tim Levine, chair of the Communications Studies Department at the University of Alabama at Birmingham. “Most people are pretty good at it, in that you can’t tell when they are lying just by watching and listening to them.”

    But our digital, data-hoarding culture means more and more evidence piles up to undermine our lies. “The research shows the way lies are really uncovered is by comparing what someone is saying to the evidence — and with all these news analytics that can be done, it’s going to enable lie detection in a way that was previously impossible,” said Levine.

    People’s data is already being turned against them.

    Reply
  13. Tomi Engdahl says:

    Ryan Gallagher / The Intercept:
    More Hacking Team details emerge from breach: Mexico and Italy top client list, product demo for Bangladeshi death squad, attempts to break UK market, more

    Hacking Team Emails Expose Proposed Death Squad Deal, Secret U.K. Sales Push and Much More
    https://firstlook.org/theintercept/2015/07/08/hacking-team-emails-exposed-death-squad-uk-spying/

    Late Sunday, hackers dumped online a massive trove of emails and other documents obtained from the systems of Italian surveillance firm Hacking Team. The company’s controversial technology is sold to governments around the world, enabling them to infect smartphones and computers with malware to covertly record conversations and steal data.

    For years, Hacking Team has been the subject of scrutiny from journalists and activists due to its suspected sales to despotic regimes. But the company has successfully managed to hide most of its dealings behind a wall of secrecy – until now.

    For the last few days, I have been reading through the hacked files, which give remarkable insight into Hacking Team, its blasé attitude toward human rights concerns, and the extent of its spyware sales to government agencies on every continent.

    Demo for Bangladesh “death squad”
    DEA mass surveillance in Colombia
    Impressing dictator’s spies
    Sales through Israeli company

    According to the hacked files, Hacking Team’s top sales in recent years have come from governments and law enforcement agencies in these countries, in descending order of sales: Mexico, Italy, Morocco, Saudi Arabia, Chile, Hungary, Malaysia, UAE, the United States, Singapore, Kazakhstan, Sudan, Uzbekistan, Panama, Ethiopia, Egypt, Luxembourg, Czech Republic, South Korea, Mongolia, Vietnam, Spain, Ecuador, Oman, Switzerland, Thailand, Russia, Nigeria, Turkey, Cyprus, Honduras, Azerbaijan, Colombia, Poland, and Bahrain.

    Hacking Team discussed whether it could sell its technology disguised under a different name, “hiding” its full functionality.

    Hacking Team’s emails reveal its deceitful attempts to positively spin news reports that have exposed the company’s technology being used against journalists and activists in repressive countries.

    Enemies list

    A presentation prepared by Hacking Team for a surveillance conference in South Africa later this month shows the company complaining about the “chilling effect” that it claims regulation of surveillance technology is having on the ability to fight crime.

    The presentation singles out the organizations Hacking Team views as its main adversaries, noting that it is a “target” of groups such as Human Rights Watch and Privacy International and warning that “democracy advocates” are putting pressure on governments.

    Reply
  14. Tomi Engdahl says:

    Spying on the Internet is Orders of Magnitude More Invasive Than Phone Metadata
    https://firstlook.org/theintercept/2015/07/09/spying-internet-orders-magnitude-invasive-phone-metadata/

    When you pick up the phone, who you’re calling is none of the government’s business. The NSA’s domestic surveillance of phone metadata was the first program to be disclosed based on documents from whistleblower Edward Snowden, and Americans have been furious about it ever since. The courts ruled it illegal, and Congress let the section of the Patriot Act that justified it expire (though the program lives on in a different form as part of the USA Freedom Act).

    Yet XKEYSCORE, the secret program that converts all the data it can see into searchable events like web pages loaded, files downloaded, forms submitted, emails and attachments sent, porn videos watched, TV shows streamed, and advertisements loaded, demonstrates how Internet traffic can be even more sensitive than phone calls. And unlike the Patriot Act’s phone metadata program, Congress has failed to limit the scope of programs like XKEYSCORE, which is presumably still operating at full speed. Maybe Verizon stopped giving phone metadata to the NSA, but if a Verizon engineer uploads a spreadsheet full of this metadata without proper encryption, the NSA may well get it anyway by spying directly on the cables that the spreadsheet travels over.

    Reply
  15. Tomi Engdahl says:

    Julie Hirschfeld Davis / New York Times:
    OPM says sensitive information of 21.5M individuals was taken in another hack last year, separate from breach that compromised data of 4.2M federal employees — Office of Personnel Management Says Hackers Got Data of Millions of Individuals

    Hacking of Government Computers Exposed 21.5 Million People
    http://www.nytimes.com/2015/07/10/us/office-of-personnel-management-hackers-got-data-of-millions.html?_r=0

    WASHINGTON — The Obama administration on Thursday revealed that 21.5 million people were swept up in a colossal breach of government computer systems that was far more damaging than initially thought, resulting in the theft of a vast trove of personal information, including Social Security numbers and some fingerprints.

    Every person given a government background check for the last 15 years was probably affected, the Office of Personnel Management said in announcing the results of a forensic investigation of the episode, whose existence was known but not its sweeping toll.

    The agency said hackers stole “sensitive information,” including addresses, health and financial history, and other private details, from 19.7 million people who had been subjected to a government background check, as well as 1.8 million others, including their spouses and friends. The theft was separate from, but related to, a breach revealed last month that compromised the personnel data of 4.2 million federal employees, officials said.

    Both attacks are believed to have originated in China.

    “This incident that we are talking about today is unfortunately not without precedent,” said Michael Daniel, the White House cybersecurity coordinator. “We have to raise our level of cybersecurity in both the private sector and the public sector.”

    Warnings from auditors about serious vulnerabilities are often ignored by agency officials, he added. “That’s been a recurring theme. They believe they’ve taken corrective actions, but when one goes back to check, we find that they haven’t.”

    “Their negligence has now put the personal and sensitive information of 21.5 million Americans into the hands of our adversaries,” Mr. Chaffetz said. “Such incompetence is inexcusable.”

    Reply
  16. Tomi Engdahl says:

    Adobe Patches Hacking Team’s Flash Player Zero-Day
    http://www.securityweek.com/adobe-patches-hacking-teams-flash-player-zero-day

    As it promised on Tuesday, Adobe has issued an emergency update for Flash Player to patch a zero-day vulnerability whose existence came to light after hackers breached the systems of surveillance software maker Hacking Team.

    The Flash Player vulnerability (CVE-2015-5119), related to the ActionScript 3 ByteArray class, allows a remote, unauthenticated attacker to execute arbitrary code on vulnerable systems. Cybercriminals integrated the flaw into the Angler, Neutrino and Nuclear Pack exploit kits shortly after its existence came to light.

    The vulnerability affects Flash Player 18.0.0.194 and earlier versions. Adobe patched the bug with the release of Flash Player 18.0.0.203.

    Reply
  17. Tomi Engdahl says:

    Too Busy For Round Wheels?
    http://www.securityweek.com/too-busy-round-wheels

    I’m sure most of us have seen one of the many cartoons recently circulated on LinkedIn. This particular cartoon caught my eye due to its profound message. In the cartoon, two people struggle to move a cart with square wheels. A third person comes along offering round wheels, but is told “No thanks! We are too busy.”

    While this cartoon is humorous, it can also teach us an important lesson.

    Security is most definitely a stressful business. Moreover, this stress is often felt most acutely within the security operations and incident response functions. Risks and threats continue to evolve. Budgets don’t grow nearly as quickly as they need to. There is a shortage of qualified personnel, placing additional pressure on management and personnel already in place. The list of demands from the business grows faster than it can be addressed. Technologies struggle to work together to meet operational needs. Logs come in ever more rapidly, exhausting storage and processing resources. Alert fatigue buries the organization, making any hope of timely detection ever more difficult. Technological, procedural, communications, and bureaucratic obstacles complicate incident response.

    As anyone who works in security operations and incident response knows, I’ve only just begun to enumerate some of the pain security professionals endure on a daily basis. The list goes on and on. I’ve discussed some of the issues listed above in previous pieces, and I certainly don’t wish to rehash those points here. Nonetheless, it’s fair to say that there is always more to do in security than there are resources available to do it.

    It’s all too easy to get caught up in day-to-day activities and to forget to come up for air. How can a responsible security professional take a step back, take a deep breath, and contemplate strategic thoughts when there is so much tactical work to be done? It’s a valid question, but the fundamental assumption of the question is flawed. The tragedy in this way of thinking is that, sometimes, we are too busy to see that the reason we get bogged down is because we need to adjust or improve our processes, approaches, methodologies, techniques, and/or technologies. In other words, our very busyness is the cause of our continuing busyness. Sound counterintuitive? It’s really not.

    Reply
  18. Tomi Engdahl says:

    All Information Security Is Cyber Security. All Information Security Must Change.
    http://www.securityweek.com/all-information-security-cyber-security-all-information-security-must-change

    Cyber security is a nation-first, vendor-second issue. Recent events have frighteningly underscored the requirement to fundamentally rethink our approach to information security lest our economy, our very way of life suffer drastically.

    Cyber incidents are a form of terrorism: They can strike an open, digital society in ways not yet imagined when the security systems built to protect us were designed. To maintain an open society, we must first recognize that all information security is now cyber security, and, secondly, much is going to have to change.

    The Office of Personal Management (OPM) breach was the digital equivalent of a major terrorist strike.

    Just as we re-examined and retooled the security of our transport systems post 9/11, we must take a parallel approach to data security. We must start with a blank page and build a cyber security posture that parallels the dynamic requirements of today’s environment, rather than focusing on protecting the technology of a generation ago. It is sadly ironic that the intrusion detection system that monitors the network traffic of government departments is called EINSTEIN. While the government program has not changed very much in a decade, the real Einstein gave his definition of insanity as “doing the same thing over and over, but expecting a different result.”

    Going forward, we must focus on these six principles of the current cyber threat environment:

    1. All security is cyber security.
    2. Threats come mostly from the inside out, not the outside in.
    3. The speed at which security systems adapt is as important as how well they detect and prevent.
    4. Everything is untrusted. In today’s environment, the assumption should be no-to-yes vs. yes-to-no in developing trusted connections among users and systems.
    5. Security must be built into the fabric of computing. Today we have an application development process where someone creates an application, another party on-boards it to the infrastructure, and a third party determines how to secure it.
    6. The public/private partnership must be rebuilt. In the post–NSA revelation era, the level of trust between Washington and business is inversely proportional to the need we have to cooperate and collaborate.

    There is absolutely no doubt: All information security must change.

    Reply
  19. Tomi Engdahl says:

    Gerry Shih / Reuters:
    China releases draft cybersecurity law that authorizes cutting Internet to maintain order, requires data collected in China to be stored in China

    China’s draft cybersecurity law could up censorship, irk business
    http://www.reuters.com/article/2015/07/08/us-china-cybersecurity-idUSKCN0PI09020150708

    China’s parliament has published a draft cybersecurity law that consolidates Beijing’s control over data, with potentially significant consequences for internet service providers and multinational firms doing business in the country.

    The document, dated Monday but picked up by state media on Wednesday, strengthens user privacy protection from hackers and data resellers but elevates the government’s powers to obtain records on and block dissemination of private information deemed illegal under Chinese law.

    Citing the need “to safeguard national cyberspace sovereignty, security and development,” the proposed legislation will allow China to bolster its networks against threats to stability and better regulate the flow of information.

    Reply
  20. Tomi Engdahl says:

    OpenSSL Patches Serious Certificate Forgery Vulnerability
    http://www.securityweek.com/openssl-patches-serious-certificate-forgery-vulnerability

    The developers of OpenSSL have released versions 1.0.2d and 1.0.1p to address a high severity vulnerability that can be exploited by an attacker to bypass certain untrusted certificate checks and issue invalid certificates.

    The issue, described by OpenSSL as an alternative chain certificate forgery flaw (CVE-2015-1793), was introduced with OpenSSL versions 1.0.1n and 1.0.2b released last month.

    According to an advisory published on Thursday morning, the vulnerability is related to the certificate verification process. If the first attempt to build a certificate chain fails, OpenSSL will try to identify an alternative chain.

    “An error in the implementation of this logic can mean that an attacker could cause certain checks on untrusted certificates to be bypassed, such as the CA flag, enabling them to use a valid leaf certificate to act as a CA and ‘issue’ an invalid certificate,” the OpenSSL Project team explained. “This issue will impact any application that verifies certificates including SSL/TLS/DTLS clients and SSL/TLS/DTLS servers using client authentication.”

    The vulnerability was reported to the developers of the SSL/TLS toolkit on June 24 by Google’s Adam Langley and David Benjamin, who both work on BoringSSL, the search giant’s own version of OpenSSL. OpenSSL developers noted that the fix for CVE-2015-1793 was developed by members of the BoringSSL project.

    This bug affects OpenSSL versions 1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o. It does not impact the 1.0.0 or 0.9.8 releases, OpenSSL said.

    OpenSSL developers also took this opportunity to remind users that versions 1.0.0 and 0.9.8 will no longer be supported starting with December 31, 2015. After this date, security updates will not be provided for these versions.

    The fact that it consists of more than 500,000 lines of code makes OpenSSL difficult to maintain and researchers constantly uncover security flaws.

    One alternative would be Amazon’s s2n, a new open source implementation of TLS designed to be simple, small, fast, and secure. s2n consists of only 6,000 lines of code.

    http://www.securityweek.com/amazon-releases-new-open-source-implementation-tls-protocol

    Reply
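    The alternative-chain logic described in the comment above, as an added example that is not OpenSSL’s code: a simplified Python model of chain building with the fallback path, showing the basicConstraints CA-flag check that must hold for every issuing certificate however the chain was assembled. Certificate names, the cross-signed intermediate and the forged certificate are all constructed here, there are no real signatures, and the `enforce_on_alternative=False` switch models the effect the advisory describes (checks skipped on the fallback chain), not OpenSSL’s internal bookkeeping.

```python
"""Simplified model of X.509 chain building with an OpenSSL-style
alternative-chain fallback. Constructed example, not OpenSSL code:
certificates are plain records keyed by subject/issuer name."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    is_ca: bool  # basicConstraints CA flag


class VerifyError(Exception):
    pass


def _issuer_in(cert, pool):
    """First certificate in `pool` whose subject names `cert`'s issuer."""
    for candidate in pool:
        if candidate.subject == cert.issuer and candidate is not cert:
            return candidate
    return None


def build_chain(leaf, untrusted, trusted):
    """Return ([leaf, ..., anchor], used_alternative).

    First attempt: extend the chain with peer-supplied (untrusted)
    certificates only, then look for a trust anchor above the top.
    Fallback ("alternative chain"): if that fails, walk back down the
    chain looking for a trust anchor that issued an earlier certificate,
    discarding the untrusted certificates above that point.
    """
    chain = [leaf]
    while chain[-1].subject != chain[-1].issuer:  # stop at self-signed
        nxt = _issuer_in(chain[-1], untrusted)
        if nxt is None or nxt in chain:  # no issuer, or a loop
            break
        chain.append(nxt)
    if chain[-1] in trusted:  # top of chain is itself an anchor
        return chain, False
    anchor = _issuer_in(chain[-1], trusted)
    if anchor is not None:
        return chain + [anchor], False
    # Alternative chain: retry from each lower certificate, leaf included.
    for i in range(len(chain) - 2, -1, -1):
        anchor = _issuer_in(chain[i], trusted)
        if anchor is not None:
            return chain[: i + 1] + [anchor], True
    raise VerifyError("unable to get issuer certificate")


def check_ca_flags(chain):
    """Every certificate that issued another one in the chain must be a CA."""
    for cert in chain[1:]:
        if not cert.is_ca:
            raise VerifyError(f"{cert.subject} used as issuer but is not a CA")


def verify(leaf, untrusted, trusted, *, enforce_on_alternative=True):
    """Verify `leaf` and return the subjects of the accepted chain.

    enforce_on_alternative=False models the defect: issuing-certificate
    checks are skipped when the chain came from the fallback path.
    """
    chain, used_alt = build_chain(leaf, untrusted, trusted)
    if enforce_on_alternative or not used_alt:
        check_ca_flags(chain)
    return [c.subject for c in chain]


def rejects(leaf, untrusted, trusted, **kw):
    """True if verification fails (convenience for checks below)."""
    try:
        verify(leaf, untrusted, trusted, **kw)
    except VerifyError:
        return True
    return False


# Constructed PKI: ROOT (trusted) -> INTER -> LEAF (end entity, CA=False).
ROOT = Cert("Root CA", "Root CA", True)
INTER = Cert("Intermediate CA", "Root CA", True)
LEAF = Cert("www.example.test", "Intermediate CA", False)
# Cross-signed copy of INTER chained to a root we do not trust; a peer
# sending this copy makes the first attempt fail and forces the fallback.
INTER_CROSS = Cert("Intermediate CA", "Old Root CA", True)
# Attacker's forgery: "issued" by the end-entity certificate LEAF.
FORGED = Cert("bank.example.test", "www.example.test", False)
TRUSTED = [ROOT, INTER]

if __name__ == "__main__":
    print(verify(LEAF, [INTER_CROSS], TRUSTED))          # accepted via fallback
    print(rejects(FORGED, [LEAF, INTER_CROSS], TRUSTED))  # True: leaf is not a CA
    print(rejects(FORGED, [LEAF, INTER_CROSS], TRUSTED,
                  enforce_on_alternative=False))          # False: forgery slips through
```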
  21. Tomi Engdahl says:

    One MEEELLION users download Facebook-pwning droid game
    Yeee-haarrrr! Cowboy Adventure rides off into sunset with saddles full of passwords
    http://www.theregister.co.uk/2015/07/10/cowboy_adventure_pwns_1_meellion_facebook/

    Threat researchers at security vendor ESET say a malicious Facebook-creds-stealing trojan masquerading as an Android game has been downloaded up to a million times.

    ESET chap Robert Lipovsky says the Cowboy Adventure game, and another also malicious game dubbed Jump Chess, have since been removed from Google’s Play code bazaar after stealing an unknown number of Facebook credentials.

    The VXers had created – or possibly stolen – a legitimate and seemingly popular game, lacing it with code that threw up a Facebook login screen as the app was used.

    That cocktail meant that “… even though the number of potential victims may have been up to one million, there were many of them who were not tricked by the scam,” Lipovsky says.

    Reply
  22. Tomi Engdahl says:

    Hacking Team weren’t completely stoopid – they read El Reg!
    If only they’d paid more attention instead of scoffing at rivals’ misfortunes
    http://www.theregister.co.uk/2015/07/10/hacking_team_werent_so_stoopid_they_read_iel_regi/

    Hacking Team CEO David Vincenzetti and his staff were avid readers of The Register, regularly sharing our stories so the team could learn of missteps by rivals.

    A trawl through the company’s email records, which were hacked and revealed to the world this week, reveals that Vincenzetti ran something of an in-house news service in which his researchers and C-level chums chortled about security holes and online mayhem that The Reg, and other outlets, reported each day.

    Of special interest was news of reverses at rival surveillance-ware firms, such as the revelation that root and remote unauthenticated zero day pwnage was possible in kit sold by rival spy firm NICE.

    “Too bad for NICE. Not bad for us,” Vincenzetti wrote.

    The laughter’s probably stopped seeing as Hacking Team was thoroughly hosed by actors unknown who stole at least 400Gb of source code and emails – from which these select news bites are found – and uploaded it to BitTorrent.

    El Reg is only one of a host of security news outlets to have been regularly cited in the email streams which picked up the daily spraying of digital blood that is the security research business.

    Reply
  23. Tomi Engdahl says:

    US Homeland Security boss wants nationwide law for reporting network break-ins
    Plans to unleash Einstein IDS on all government departments
    http://www.theregister.co.uk/2015/07/09/homeland_security_national_breach_reporting_system/

    Politicians need to educate themselves about technology and enact new legislation to strengthen America’s computer networks against attack, according to the director of US Homeland Security Jeh Johnson.

    Speaking at a conference organized by the Center for Strategic and International Studies, Johnson said that top of his wish list was a US-wide data breach reporting law: this law would replace the hodgepodge of individual state laws, and require organizations to report computer security attacks to Uncle Sam. It would also bring in tougher penalties for criminal hackers.

    “Key to cybersecurity is information sharing,” he said. “It’s key even among the most sophisticated actors – you can’t be out there alone, and should partner with the federal government.”

    Johnson was firm, however, that the best way to stop successful hacking attacks is education. He said that even the most sophisticated attack usually starts with one worker getting an email that they shouldn’t have clicked on if they’d been properly trained.

    He also wanted to get the US government’s IT acquisition budget more targeted on security systems that worked. Simply picking the largest supplier was foolish, since smaller, leaner firms often had better products.

    “With the use of Einstein E3A, agencies could clean up 60 per cent of vulnerabilities in a very short period of time,” he said.

    Ultimately, attacks would always happen, and some of them would succeed, he said, but that the key to minimizing harm was sharing information, smart planning, having the best tools, and a little resilience.

    “Terrorism can’t prevail if people refuse to be terrorized.”

    Reply
  24. Tomi Engdahl says:

    Some Think That the “Get Windows 10” App Is a Virus That Won’t Go Away
    http://news.softpedia.com/news/some-think-that-the-get-windows-10-app-is-a-virus-that-won-t-go-away-486471.shtml

    “Help me remove this virus from my computer!”

    Microsoft rolled out the Get Windows 10 app on June 1 in order to let Windows 7 and 8.1 users know that the new version of its operating system is available free of charge, but since this program showed up all of a sudden on users’ computers, some believe that their PCs actually got infected.

    Poor communication?

    Needless to say, this isn’t a virus and is actually supposed to let you take advantage of a great promo, but it’s a little bit worrying that pushing such a tool out of nowhere to users’ computers could make some think that they got infected.

    Reply
  25. Tomi Engdahl says:

    Google’s machine learning helping it catch 99.9 percent of spam to Gmail
    http://www.zdnet.com/article/googles-machine-learning-helping-it-catch-99-9-percent-of-spam-to-gmail/

    Google has shed some light on why Gmail users should hardly ever see spam in their inbox, and almost never see wanted email in the spam folder.

    Reply
  26. Tomi Engdahl says:

    Greece’s Cash Crisis is Bitcoin’s Boost
    http://www.bloomberg.com/news/articles/2015-07-08/greece-s-cash-crisis-is-bitcoin-s-boost-ibuhh68t

    At a coffee shop on a beach in Athens sits Thanos Marinos. The forty-something Greek prides himself on being the first to bring bitcoin, a digital currency, to his cash-strapped country a year ago.

    “I didn’t see it as much as a business case back then,” says Marinos. “The main reason was to bring awareness about bitcoin and blockchain technology to Greece.”

    Demand has never been stronger, he says, up by 500 percent in four weeks.

    When starting from zero though, even 500 percent doesn’t go far. Greece is a country of more than 10 million and an average age of 43.5. A quick and un-scientific survey of 10 people on the street showed just two people had heard of bitcoin.

    Reply
  27. Tomi Engdahl says:

    Danny Yadron / Wall Street Journal:
    Profile of Open Whisper Systems’ founder Moxie Marlinspike, whose encryption software alarms governments unable to crack it

    Moxie Marlinspike: The Coder Who Encrypted Your Texts
    Dreadlocked programmer has spooked the FBI by creating a tool that police can’t crack
    http://www.wsj.com/article_email/moxie-marlinspike-the-coder-who-encrypted-your-texts-1436486274-lMyQjAxMTA1MjEzMDkxMjAwWj

    In the past decade, Moxie Marlinspike has squatted on an abandoned island, toured the U.S. by hopping trains, he says, and earned the enmity of government officials for writing software.

    Mr. Marlinspike created an encryption program that scrambles messages until they reach the intended reader. It’s so simple that Facebook Inc. ’s WhatsApp made it a standard feature for many of the app’s 800 million users.

    The software is effective enough to alarm governments. Earlier this year, shortly after WhatsApp adopted it, British Prime Minister David Cameron called protected-messaging apps a “safe space” for terrorists. The following week, President Barack Obama called them “a problem.”

    That makes the lanky, dreadlocked and intensely private coder a central figure in an escalating debate about government and commercial surveillance. In a research paper released Tuesday, 15 prominent technologists cited three programs relying on Mr. Marlinspike’s code as options for shielding communications.

    Reply
  28. Tomi Engdahl says:

    How To Build A ProxyHam Despite A Cancelled DEFCON Talk
    http://hackaday.com/2015/07/14/how-to-build-a-proxyham-despite-a-cancelled-defcon-talk/

    A few days ago, [Ben Caudill] of Rhino Security was scheduled to give a talk at DEFCON. His project, ProxyHam, is designed for those seeking complete anonymity online.

    With the ProxyHam, the link between IP addresses and physical locations is severed. ProxyHam uses a 900MHz radio link to bridge a WiFi network over miles. By hiding a ProxyHam base station in a space with public WiFi, anyone can have complete anonymity online; if the government comes to take you down, they’ll first have to stop at the local library, Starbucks, or wherever else has free WiFi.

    The talk has been killed, and no one knows why. Speculation ranges from National Security Letters to government gag orders to far more pedestrian explanations like, “it doesn’t work as well as intended.”

    That doesn’t mean this knowledge is lost – you can build a ProxyHam with equipment purchased from Amazon, Newegg, or any one of a number of online retailers.

    The ProxyHam box contains something with an RJ45 connector on one end, and two RF connectors on the other. A quick perusal of Newegg lands on this, a radio base station designed to bridge networks via 900MHz radio. You’ll need to buy two of those to replicate the ProxyHam.

    The Wired article describes the ProxyHam further: “…a Raspberry Pi computer connected to a Wi-Fi card and a small 900 megahertz antenna…”

    To set up the ‘throwaway’ part of the ProxyHam, you’ll need to first connect to the desired WiFi network, then bridge the WiFi and wired connections.

    Of course the 900MHz base station must also be configured.

    That’s also how to violate the FCC Part 97 prohibition against encryption – you cannot use SSH or HTTPS over amateur radio. It’s also how you can be charged under the Computer Fraud & Abuse Act; connecting to a library’s WiFi from miles away is most certainly, “exceeding authorized access.”

    Do not attempt this build. It’s illegal, it’s dumb, and the 900MHz band is flooded anyway.

    The ProxyHam is this year’s BlackHat and DEFCON pre-game. A marginally interesting security exploit is served up to the tech media and devoured. This becomes a bullet point on the researcher’s CV, and if the cards land right, they’re able to charge more per hour. There is an incentive for researchers to have the most newsworthy talk at DEFCON, which means some speakers aren’t playing the security game, they’re playing the PR game.

    Reply
  29. Tomi Engdahl says:

    InCyprus:
    Cyprus Intelligence Service head resigns over Hacking Team’s software purchases

    Intelligence Service chief steps down
    http://in-cyprus.com/intelligence-service-chief-steps-down/

    The head of the Cyprus Intelligence Service (KYP), Andreas Pentaras, has resigned following revelations that the island’s secret service department had purchased spy-hacking software.

    Last week, leaked documents revealed that KYP had paid €50,000 for what appeared to be remote attack vectors from Italian company ‘The Hacking Team’ in order to spy on persons of interest by either hacking their mobile telephones or other electronic devices like laptops and iPads.

    An attack vector is a path or means by which a hacker (or cracker) can gain access to a computer or network server for surveillance or even to deliver malicious software or viruses. Attack vectors enable hackers to exploit system vulnerabilities, including the human element.

    There are strict laws in Cyprus on surveillance and it was argued that the use of such equipment compromises the data protection rights.

    On Saturday morning, Pentaras informed the Presidential Palace of his intention to step down – something that was later confirmed by Government Spokesman Nicos Christodoulides.

    Reply
  30. Tomi Engdahl says:

    The article “Mozilla blocks Flash as Facebook security chief calls for its death” says that after yesterday’s news that Facebook’s new chief security officer wants to set a date to kill Flash once and for all, the latest version of Mozilla’s Firefox browser now blocks Adobe’s vulnerability-riddled software as standard.

    http://www.theverge.com/2015/7/14/8957177/mozilla-blocks-flash-as-facebook-security-chief-calls-for-its-death

    Reply
  31. Tomi Engdahl says:

    Lucian Constantin / PCWorld:
    Hacking Team’s malware uses UEFI rootkit to survive OS reinstalls
    http://www.pcworld.com/article/2948092/security/hacking-teams-malware-uses-uefi-rootkit-to-survive-os-reinstalls.html

    Reply
  32. Tomi Engdahl says:

    Bloomberg Business:
    China’s campaign to build a database on Americans began with hacking travel records in 2013; recent OPM breach was part of the same campaign

    Hacked in the U.S.A.: China’s Not-So-Hidden Infiltration Op
    http://www.bloomberg.com/news/articles/2015-07-12/hacked-in-the-u-s-a-china-s-not-so-hidden-infiltration-op

    The vast cyber-attack in Washington began with, of all things, travel reservations.

    More than two years ago, troves of personal data were stolen from U.S. travel companies. Hackers subsequently made off with health records at big insurance companies and infiltrated federal computers where they stole personnel records on 21.5 million people — in what apparently is the largest such theft of U.S. government records in history.

    Those individual attacks, once believed to be unconnected, now appear to be part of a coordinated campaign by Chinese hackers to collect sensitive details on key people that went on far longer — and burrowed far deeper — than initially thought.

    But time and again, U.S. authorities missed clues connecting one incident to the next.

  33. Tomi Engdahl says:

    Chris Dixon / Medium:
    Keybase, a key directory service that aims to make public-key cryptography mainstream, raises $10.8M Series A led by a16z; Chris Dixon to join the board

    Keybase: bringing public-key cryptography to mainstream users
    https://medium.com/@cdixon/keybase-bringing-public-key-cryptography-to-mainstream-users-16a9379dddda

    Almost every day we read about another major internet security breach.

    Hackers are increasingly sophisticated, with the skills and resources to penetrate security systems that were developed mostly for a prior generation of threats. People are — quite justifiably — starting to question whether they can trust technology companies with their private information.

    This is happening despite the fact that technology exists that can provide complete end-to-end security: public-key cryptography.

    Using public-key cryptography, person A can send person B a message that nobody else in the world except person B can decrypt, even though persons A and B have never communicated before. Person A simply needs to know person B’s “public key” (a long number that can be listed in public) and use that to encrypt the message. Person B uses a “private key” (another long number that has a mathematical relationship to the public key and is kept private) to decrypt the message.

    Public-key cryptography means you don’t need to trust email providers, messaging companies, social networks, search engines, ISPs, cellular carriers, venture capitalists, tech startups, politicians, legal agreements, IT departments, and so on. You just need to trust math.

    So why isn’t public-key cryptography widely used? It is, but in diluted form: various forms of cryptography are baked into almost every popular internet service. Yet the hacks and data breaches continue, mainly because the otherwise invulnerable cryptographic protocols are embedded within larger systems in which vulnerabilities are introduced by software bugs, employee mistakes, product design tradeoffs, legal constraints, management decisions, etc.

    The ideal solution would be for users to adopt public-key cryptography themselves, in its pure, unadulterated form, without having to trust third-party service providers.

    A key design principle of Keybase is: you don’t have to trust Keybase. All the relevant software is open source and therefore independently auditable, fork-able, etc. The keybase directory is fully public and therefore also fully auditable, fork-able, etc. Everything you need to verify that you can trust the end-to-end cryptography is open and auditable. Keybase could get hacked or acquired or shut down and it wouldn’t affect the security of anything that uses Keybase. You don’t need to trust Keybase. You only need to trust math.

  34. Tomi Engdahl says:

    Samuel Gibbs / Guardian:
    Cybercrime forum site Darkode seized and 28 hackers arrested, bringing the total to 70, in joint operation between FBI, NCA, Europol, others — International hacker site Darkode taken offline by cross-borders task force — Over 60 hackers arrested in joint operation

    International hacker site Darkode taken offline by cross-borders task force
    http://www.theguardian.com/technology/2015/jul/15/international-hacker-site-darkode-taken-offline

    Over 70 hackers arrested including six in UK in joint operation between FBI, NCA, Europol and others in global crackdown on cybercrime black market

    Notorious cybercrime forum Darkode, frequented by Lizard Squad and other hacking groups, has been taken offline in a coordinated international law enforcement clampdown across 20 countries.

    Steven Laval, senior investigating officer at the NCA’s National Cyber Crime Unit, said: “Despite the exclusive nature of Darkode and the technical skills of its users, this action shows once again that we can identify and pursue those we believe are seeking to offend through an apparently secure online environment, far removed from their victims.”

    Darkode’s forum has been used by cybercriminals as a black market to trade stolen data, credit card information, email addresses, hacking tools and information on bugs and vulnerabilities used to coordinate attacks on companies, agencies and governments.

    Established in 2007, Darkode operated as a place to sell hacking tools. It was an invitation-only site, closed off from the outside world and hosted on so-called “bulletproof” web servers that resist law enforcement action.

  35. Tomi Engdahl says:

    Panopticlick: You Are A Beautiful And Unique Snowflake
    http://hackaday.com/2015/07/16/panopticlick-you-are-a-beautiful-and-unique-snowflake/

    We all like to think we’re unique, but when it comes to remaining anonymous online that’s probably not such a good idea. By now, it’s common knowledge that advertising firms, three-letter agencies, and who-knows-who-else want to know what websites you’re visiting and how often. Persistent tracking cookies, third-party cookies, and “like” buttons keep tabs on you at all times.

    For whatever reason, you might want to browse anonymously and try to plug some of the obvious sources of identity leakage. The EFF and their Panopticlick project have bad news for you.

    The idea behind Panopticlick is simple: to try to figure out how identifiable you are even if you’re not accepting cookies, or if you’ve disabled Flash, or if you’re using “secure” browsers. To create a fingerprint of your browser, Panopticlick takes all the other little bits of identifying information that your browser gives up, and tries to piece them together.

    The takeaway from the project is that the information your browser gives up to servers can, without any cookies, specifically identify you.

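How Panopticlick’s “bits of identifying information” measure works, as an added example that is not Hackaday’s or the EFF’s code: it scores a constructed sample population of browser attribute records and shows that attributes which are individually common combine into near-unique fingerprints, which is the point the post above makes.

```python
"""Measure how identifying a set of browser attributes is, Panopticlick-style.

Added example, not code from Hackaday or the EFF. POPULATION is a constructed
sample of browser attribute records (a real study would use observed visitors).
An attribute value shared by a fraction p of the population carries -log2(p) bits
of identifying information; a full fingerprint nobody else shares is unique.
"""
import math
from collections import Counter

ATTRIBUTES = ("user_agent", "timezone", "screen", "fonts", "plugins")

# Constructed sample population; values are illustrative, not real visitor data.
POPULATION = [
    ("Firefox/39 Linux", "UTC+2", "1920x1080", "DejaVu,Liberation", "none"),
    ("Firefox/39 Linux", "UTC+2", "1366x768", "DejaVu,Liberation", "none"),
    ("Chrome/44 Windows", "UTC-5", "1920x1080", "Arial,Calibri", "flash"),
    ("Chrome/44 Windows", "UTC-5", "1366x768", "Arial,Calibri", "flash"),
    ("Chrome/44 Windows", "UTC+2", "1920x1080", "Arial,Calibri", "flash"),
    ("Safari/8 Mac", "UTC-8", "2560x1440", "Helvetica", "none"),
    ("Chrome/44 Windows", "UTC-5", "1920x1080", "Arial,Calibri", "flash"),  # same as #3
    ("Firefox/39 Linux", "UTC+2", "1920x1080", "DejaVu,Liberation", "flash"),
]


def entropy_bits(values) -> float:
    """Shannon entropy (bits) of the distribution of the given values."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())


def surprisal_bits(value, values) -> float:
    """Identifying information in one observed value: -log2 of the share of the
    population that has the same value (a value seen once in 8 gives 3 bits)."""
    return -math.log2(values.count(value) / len(values))


def fingerprint(record) -> str:
    """Panopticlick pieces every attribute together into one fingerprint."""
    return "|".join(record)


def identifiability(population) -> dict:
    """Per-attribute entropy, entropy of the combined fingerprint, and the fraction
    of records whose fingerprint matches no other record in the population."""
    columns = {name: [rec[i] for rec in population] for i, name in enumerate(ATTRIBUTES)}
    prints = [fingerprint(rec) for rec in population]
    counts = Counter(prints)
    return {
        "attribute_bits": {name: entropy_bits(col) for name, col in columns.items()},
        "fingerprint_bits": entropy_bits(prints),
        "fraction_unique": sum(1 for p in prints if counts[p] == 1) / len(prints),
        "max_bits": math.log2(len(population)),  # upper bound for this population size
    }


if __name__ == "__main__":
    report = identifiability(POPULATION)
    for name, bits in report["attribute_bits"].items():
        print("%-10s %.2f bits" % (name, bits))
    print("combined   %.2f bits (max %.2f)" % (report["fingerprint_bits"], report["max_bits"]))
    print("unique fingerprints: %.0f%%" % (100 * report["fraction_unique"]))
```

No single attribute in the sample carries more than about 1.4 bits, yet the combined fingerprint carries 2.75 of the 3 bits possible and singles out six of the eight records.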
  36. Tomi Engdahl says:

    How to Decrypt 802.11
    Wireshark can decrypt WEP and WPA/WPA2 in pre-shared (or personal) mode. WPA/WPA2 enterprise mode decryption is not yet supported.
    https://wiki.wireshark.org/HowToDecrypt802.11

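The key derivation behind Wireshark’s WPA/WPA2 pre-shared-mode decryption, as an added example that is not code from Wireshark or its wiki: standard library only, using the IEEE 802.11i definitions of the PMK and PTK. The passphrase/SSID pair in the sample run is the well-known 802.11i test vector; the MAC addresses and nonces are constructed values.

```python
"""Derive the WPA/WPA2-Personal keys behind Wireshark's 802.11 decryption.

Added example (not code from Wireshark or its wiki). IEEE 802.11i definitions used:
  PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)
  PTK = PRF-512(PMK, "Pairwise key expansion",
                min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce))
Wireshark accepts the key either as 'wpa-pwd:<passphrase>:<ssid>' or as the
precomputed PMK 'wpa-psk:<64 hex chars>'.
"""
import hashlib
import hmac


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """Pairwise Master Key: the 32-byte value a 'wpa-psk:' entry contains."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def wireshark_key_entries(passphrase: str, ssid: str) -> tuple:
    """Two equivalent entries for Wireshark's IEEE 802.11 decryption key list."""
    return ("wpa-pwd:%s:%s" % (passphrase, ssid),
            "wpa-psk:" + wpa_pmk(passphrase, ssid).hex())


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11i PRF-512: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..3,
    concatenated (80 bytes) and truncated to 64 bytes."""
    out = b""
    for i in range(4):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:64]


def wpa_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """Pairwise Transient Key for one association. aa/spa are the AP and station
    MAC addresses (6 bytes each); the 32-byte nonces exist only in the EAPOL
    4-way handshake frames, so the capture must include that handshake."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf_512(pmk, b"Pairwise key expansion", data)


def split_ptk(ptk: bytes) -> dict:
    """KCK authenticates handshake messages, KEK wraps the group key, TK encrypts
    data frames (16 bytes for CCMP; TKIP's temporal key extends to 32 bytes)."""
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


if __name__ == "__main__":
    # Passphrase/SSID from the 802.11i test vector; handshake fields are constructed.
    passphrase, ssid = "password", "IEEE"
    for entry in wireshark_key_entries(passphrase, ssid):
        print(entry)
    pmk = wpa_pmk(passphrase, ssid)
    ap_mac = bytes.fromhex("00112233aabb")     # constructed
    sta_mac = bytes.fromhex("00112233ccdd")    # constructed
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))   # constructed
    keys = split_ptk(wpa_ptk(pmk, ap_mac, sta_mac, anonce, snonce))
    print("TK:", keys["tk"].hex())
```

Because the per-session TK depends on the handshake nonces, a capture that starts after the 4-way handshake cannot be decrypted even with the correct passphrase, which is the usual reason Wireshark shows only encrypted 802.11 data frames.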
  37. Tomi Engdahl says:

    Fooling Google Search Console With Tricky PHP
    http://hackaday.com/2015/07/17/fooling-google-search-console-with-tricky-php/

    When you want to add a website to Google’s services, they require that you prove that you own the actual website as a security precaution. One method to provide proof is by uploading or creating an HTML file to your website with some specific text inside.

    This is a very interesting hack, because not only did it allow this one hacker to add himself to [Steve’s] Google account, but it would also have allowed anyone else to do the same thing

  38. Tomi Engdahl says:

    Dan Goodin / Ars Technica:
    0-day attacks exploiting Flash just got harder thanks to new defenses

    0-day attacks exploiting Flash just got harder thanks to new defenses
    Flash mitigations now fully baked into Chrome; coming to other browsers soon.
    http://arstechnica.com/security/2015/07/zero-day-attacks-exploiting-flash-just-got-harder-thanks-to-new-defenses/

    A string of weaponized attacks targeting Adobe’s Flash media player—including three in the past 10 days—has kept software engineers scrambling to fix the underlying vulnerabilities that make the exploits so dangerous. Fortunately, they have also been busy making structural changes to the way the program interacts with computer operating systems to significantly reduce the damage that can result not only from those specific attacks but entire classes of similar ones.

    At the moment, the defenses are fully implemented only in the Flash version included in Google Chrome, having made their debut earlier this week. One of the two mitigations is available in other versions of Flash, and the remaining one is expected to be added to other browsers in August.

    Had heap partitioning been a part of Flash earlier, it would have significantly complicated some of the exploits that recently came to light in the Hacking Team breach.

    Under the new Flash design, an unmapped space forming a no-man’s land of sorts is put between the Flash heap and the system heap, making it significantly harder for exploit code to access the Vector. object. Not only does it help defend against use-after-free classes of attacks, it also makes it harder to carry out buffer-overflow exploits.

    Got 64 bits?

    To get the full benefit of this new defense in Chrome, Windows users with 64-bit systems should make sure they’re using the 64-bit version of the browser. That’s because the significantly higher number of memory addresses, as compared with the 32-bit version, makes heap spraying and other common exploitation techniques much harder. People using a 64-bit version of Windows should enter chrome://chrome into their address bar. Unless a string with “64-bit” appears in the resulting window, the version is 32 bits. If that’s the case, it’s worth uninstalling the browser and replacing it with a 64-bit version of Chrome.

  39. Tomi Engdahl says:

    Emil Protalinski / VentureBeat:
    Symantec: Spam falls below 50% of all email for the first time since 2003
    http://venturebeat.com/2015/07/17/symantec-spam-falls-below-50-of-all-email-for-the-first-time-since-2003/

    Good news for all of us who still have to use email: spam rates are dropping! In fact, junk messages now account for just 49.7 percent of all emails.

    More specifically, Symantec saw 704 billion email messages sent in June, of which 353 billion were classified as spam. At one of the peaks of the spam epidemic, in June 2009, 5.7 trillion of the 6.3 trillion messages sent were spam, according to past data from Symantec.

    The decline of spam is usually attributed to legal prosecution against botnets (including by major tech companies like Microsoft), faster reaction times by network providers, improved blocking, and better filtering. The main goal is to make the business less lucrative: If you can slash profit margins for a spammer, you can slash spam itself.

  40. Tomi Engdahl says:

    Sean Gallagher / Ars Technica:
    Hacking Team’s evil Android app had code to bypass Google Play screening

    Hacking Team’s evil Android app had code to bypass Google Play screening
    Full backdoor code wasn’t installed until after user activated app.
    http://arstechnica.com/security/2015/07/hackingteams-evil-android-app-had-code-to-bypass-google-play-screening/

    Security researchers at Trend Micro’s Trend Labs have uncovered a trick in a sample of a fake news application for Android created by the network exploitation tool provider Hacking Team that may have allowed the company’s customers to sneak spyware through the Google Play store’s code review. While the application in question may have only been downloaded fewer than 50 times from Google Play, the technique may have been used in other Android apps developed for Hacking Team customers—and may now be copied by others trying to get malware onto Android devices.

    The sample app, called “BeNews,” is designed as a Trojan horse for Hacking Team’s RCSAndroid “backdoor” malware. It used the name of a defunct news site to make it seem like a legitimate Android application.

    The app exploits a local privilege escalation vulnerability in Android which has been determined to affect all versions of the mobile operating system from Android 2.2 (“Froyo”) to 4.4.4 (“KitKat”). Other versions may be vulnerable as well, according to Wish. The exploit, which also affected other Linux operating systems, was documented last summer.

    But the exploit appeared not to be included in the initial code of the BeNews app. “Initially, it only asks for three permissions and can be deemed safe by Google’s security standards as there are no exploit codes to be found in the app,” Wish noted. But after the application is downloaded and run by the user, it can dynamically load additional code—including the exploit, which is then used to escalate permissions and install the RCSAndroid backdoor.

  41. Tomi Engdahl says:

    Chad Terhune / Los Angeles Times:
    UCLA Health System reports patient data breach; 4.5 million may be affected

    UCLA Health System data breach affects 4.5 million patients
    http://www.latimes.com/business/la-fi-ucla-medical-data-20150717-story.html

    Marking another high-profile data breach, hackers broke into UCLA Health System’s computer network and may have accessed sensitive information on as many as 4.5 million patients, hospital officials said.

    This cyberattack at UCLA comes on the heels of a major breach of federal employee records and a massive hack at health insurance giant Anthem Inc. affecting 80 million Americans this year.

    The intrusion is raising fresh questions about the ability of hospitals, health insurers and other medical providers to safeguard the vast troves of electronic medical records and other sensitive data they are stockpiling.

    The revelation that UCLA hadn’t taken the basic step of encrypting this patient data drew swift criticism from security experts and patient advocates, particularly at a time when cybercriminals are targeting so many big players in healthcare, retail and government.

    “These breaches will keep happening because the healthcare industry has built so many systems with thousands of weak links,” said Dr. Deborah Peel, founder of Patient Privacy Rights in Austin, Texas.

    UCLA said Friday that it’s working with the FBI and had hired computer forensic experts to further secure its network.

    Atkinson said the hospital detected unusual activity on one of its computer servers in October and began investigating with help from the FBI.

    It wasn’t until May 5, according to UCLA, that investigators determined that the hackers had gained access to parts of UCLA Health’s computer network where some patient information was stored.

    The unauthorized access could have begun in September 2014, UCLA said, and some of the patient information dates to 1990.

    UCLA said that prior to the attack on its system it had been taking steps and spending tens of millions of dollars to strengthen its computer security. It added that it has successfully thwarted hacker attacks in the past.

    But some security experts were unimpressed. They questioned the lack of encryption at UCLA in light of other breaches across the country. Anthem faced similar criticism over its failure to encrypt the information that was exposed to hackers during its cyberattack.

    “Despite these painful lessons, it seems that personal data compromised in the latest breach were still not encrypted,” said Igor Baikalov, chief scientist at Securonix, a data security firm in Los Angeles. “If our premium universities don’t learn from experience, what can we expect from other, less-learned organizations?”

    Atkinson said the UCLA breach illustrates one potential drawback to the nation’s push to ditch paper records and digitize patient information in giant databases.

    “We live in a digital age which brings tremendous benefits,” he said. “But electronic health records come with the risk of this.”

  42. Tomi Engdahl says:

    Hacker Airlines: United Awards 1M Air Miles For Vulnerability
    http://hackaday.com/2015/07/19/hacker-airlines-united-awards-1m-air-miles-for-vulnerability/

    We’re really happy to see companies getting serious about rewarding white hat hackers. The latest example of this is when [Jordan Wiens] submitted two bugs and was awarded 1,000,000 Sky Miles on United Airlines.

    The bounty is so high because he uncovered a method of remote code execution which United has since patched. Unfortunately, United requires bug secrecy so we’re not getting any of the gritty details like we have for some of the recently discovered Facebook vulnerabilities. That’s really too bad because sharing the knowledge about what went wrong helps programmers learn to avoid it in the future. But we still give United a big nod for making this kind of work and responsible reporting worthwhile.

  43. Tomi Engdahl says:

    Washington Post:
    Why the Islamic State leaves tech companies torn between free speech and security — The Islamic State and its supporters use social media to post propaganda and recruit followers. The Washington Post takes a closer look at how several groups in the United States monitor this activity.

    Why the Islamic State leaves tech companies torn between free speech and security
    https://www.washingtonpost.com/world/national-security/islamic-states-embrace-of-social-media-puts-tech-companies-in-a-bind/2015/07/15/0e5624c4-169c-11e5-89f3-61410da94eb1_story.html

    “We also have to acknowledge that ISIL has been particularly effective at reaching out to and recruiting vulnerable people around the world, including here in the United States,” President Obama said July 6 at the Pentagon. “So the United States will continue to do our part, by working with partners to counter ISIL’s hateful propaganda, especially online.”

    The social-media savvy of the militant group is raising difficult questions for many U.S. firms: how to preserve global platforms that offer forums for expression while preventing groups such as the Islamic State from exploiting those free-speech principles to advance their terrorist campaign.

    “ISIS has been confronting us with these really inhumane and atrocious images, and there are some people who believe if you type ‘jihad’ or ‘ISIS’ on YouTube, you should get no results,” Victoria Grand, Google’s director of policy strategy, told The Washington Post in a recent interview. “We don’t believe that should be the case. Actually, a lot of the results you see on YouTube are educational about the origins of the group, educating people about the dangers and violence. But the goal here is how do you strike a balance between enabling people to discuss and access information about ISIS, but also not become the distribution channel for their propaganda?”

    Some lawmakers and government officials say the companies are not going far enough.

    “They are being exploited by terrorists,” Assistant Attorney General for National Security John P. Carlin said in a recent interview.

    “It’s not a problem just here in the United States. I think they’re hearing it from governments and customers from throughout the world.”

    A field analysis in May by the Department of Homeland Security warns that the Islamic State’s use of social media is broadening the terrorist group’s reach.

    “ISIL leverages social media to propagate its message and benefits from thousands of organized supporters globally online, primarily on Twitter, who seek to legitimize its actions while burnishing an image of strength and power,” according to the analysis. “The influence is underscored by the large number of reports stemming from social media postings.”

    In Europe, some governments are requiring social-media companies to block or remove terror-related posts.

    In the United States, government regulation of speech, regardless of how offensive or hateful, is generally held to be unconstitutional under the First Amendment. The social-media companies — each with its own culture, mission and philosophy — have been governing how and when to block or remove terror-related content.

    The revelations of former National Security Agency contractor Edward Snowden about U.S. government surveillance have also made the tech companies wary of cooperating with Washington.

    Facebook has been the most aggressive of the large social-media companies when it comes to taking down terror-related content. The company has adopted a zero tolerance policy and, unlike other social-media companies, proactively removes posts related to terrorist organizations.

    Of all the large social-media companies, Twitter has been the most outspoken about protecting freedom of speech on its platform. Still, the company recently updated its abuse policy, stating that users may not threaten or promote terrorism.

    Another challenge for the companies: It is often difficult to distinguish between communiques from terrorist groups and posts by news organizations and legitimate users. Internet freedom advocates also note that much of what groups such as the Islamic State are posting can be seen as part of the historical record — even though many of the photographs and videos are horrific.

    “You want to live in a world where people have access to news — in other words, documentary evidence of what is actually happening,”

    ‘Pure evil’

    Before the rise of social media, many of the three dozen video and audio messages Osama bin Laden issued before his death were recorded in remote locations, smuggled out by couriers, and aired on what was then a largely unknown television station based in Qatar called Al Jazeera. Weeks could pass between the time when bin Laden spoke and when he was heard.

    Al-Qaeda operatives communicated through password-protected forums and message boards on the Internet.

    “The wide-scale spread of jihadist ideology, especially on the Internet, and the tremendous number of young people who frequent the Jihadist Web sites [are] a major achievement for jihad,”

    “Twitter is providing a communication device, a loudspeaker for ISIS,” said Mark Wallace, a former U.S. ambassador who now runs the Counter Extremism Project, a nonprofit group that tracks terrorists and attempts to disrupt their online activities. “If you are promoting violence and a call to violence, you are providing material support. Twitter should be part of the solution. If not, they are part of the problem.”

  44. Tomi Engdahl says:

    Google’s machine learning helping it catch spam to Gmail
    http://www.zdnet.com/article/googles-machine-learning-helping-it-catch-spam-to-gmail/

    Google has shed some light on why Gmail users should hardly ever see spam in their inbox, and almost never see wanted email in the spam folder.

  45. Tomi Engdahl says:

    Brian Krebs / Krebs on Security:
    Dating site for cheaters AshleyMadison hacked, data of 37M users potentially compromised

    Online Cheating Site AshleyMadison Hacked
    http://krebsonsecurity.com/2015/07/online-cheating-site-ashleymadison-hacked/

    Large caches of data stolen from online cheating site AshleyMadison.com have been posted online by an individual or group that claims to have completely compromised the company’s user databases, financial records and other proprietary information. The still-unfolding leak could be quite damaging to some 37 million users of the hookup service, whose slogan is “Life is short. Have an affair.”

    The data released by the hacker or hackers — which go by the name The Impact Team — includes sensitive internal data stolen from Avid Life Media (ALM), the Toronto-based firm that owns AshleyMadison as well as related hookup sites Cougar Life and Established Men.

    “We’re not denying this happened,” Biderman said. “Like us or not, this is still a criminal act.”

    Besides snippets of account data apparently sampled at random from among some 40 million users across ALM’s trio of properties, the hackers leaked maps of internal company servers, employee network account information, company bank account data and salary information.

    The compromise comes less than two months after intruders stole and leaked online user data on millions of accounts from hookup site AdultFriendFinder.

    In a long manifesto posted alongside the stolen ALM data, The Impact Team said it decided to publish the information in response to alleged lies ALM told its customers about a service that allows members to completely erase their profile information for a $19 fee.

    According to the hackers, although the “full delete” feature that Ashley Madison advertises promises “removal of site usage history and personally identifiable information from the site,” users’ purchase details — including real name and address — aren’t actually scrubbed.

    “Full Delete netted ALM $1.7mm in revenue in 2014. It’s also a complete lie,” the hacking group wrote.

    Their demands continue:

    “Avid Life Media has been instructed to take Ashley Madison and Established Men offline permanently in all forms, or we will release all customer records, including profiles with all the customers’ secret sexual fantasies and matching credit card transactions, real names and addresses, and employee documents and emails. The other websites may stay online.”

    It’s unclear how much of the AshleyMadison user account data has been posted online. For now, it appears the hackers have published a relatively small percentage of AshleyMadison user account data and are planning to publish more for each day the company stays online.

    “Too bad for those men, they’re cheating dirtbags and deserve no such discretion,” the hackers continued. “Too bad for ALM, you promised secrecy but didn’t deliver.”

    “Our one apology is to Mark Steele (Director of Security),” the manifesto reads. “You did everything you could, but nothing you could have done could have stopped this.”

  46. Tomi Engdahl says:

    Roy Goldenberg / Globes Online:
    Microsoft reportedly buying Israeli cloud security startup Adallom for around $320M — Microsoft buys Israeli cloud security co Adallom for $320m — With its development center in Tel Aviv, the cyber security company has raised $49.5 million to date.

    Microsoft buys Israeli cloud security co Adallom for $320m
    http://www.globes.co.il/en/article-microsoft-buys-israeli-cloud-security-co-adallom-for-320m-1001054306

    Adallom is striving to achieve a solution for a security problem which bothers many organizations on the seam of mobile computers such as smartphones, tablets and laptops, with apps outside the organization. In an interview with “Globes” Rappaport once said, “The protection layers for enterprise information are not relevant in a world that is becoming more and more accessible for an organization’s users in remote server farmers.”

    To solve this, Adallom has developed a technology that provides a layer that envelopes the application and the organizational information that sits in the remote server farm, so that access to it passes via Adallom’s command and control mechanism. This mechanism sends an alert in the event that anomalous use is identified that indicates the possibility that privileged use has been stolen or broken into.

    The sale of Adallom to Microsoft brings it full circle because it was the Israeli company back in December 2013 that won enormous publicity when it was the first to expose the break into the security server of Microsoft Office365.

  47. Tomi Engdahl says:

    Google Calls Proposed U.S. Wassenaar Rules ‘Not Feasible’
    https://threatpost.com/google-calls-proposed-u-s-wassenaar-rules-not-feasible/113865

    As the clock winds down on the comment period for the United States government’s proposed implementation of the Wassenaar Arrangement export controls for intrusion software, Google officials say that the rules would have a “significant negative impact” on security research.

    The Department of Commerce’s Bureau of Industry and Security has proposed a set of regulations that would implement Wassenaar’s export controls on so-called intrusion software. The proposal’s definition of intrusion software is what worries many security researchers, who say that it is overly broad and would have the effect of preventing much discussion and sharing of vulnerability information. The intent of the regulations is to control the sale and use of exploits, but experts, including some at Google, say that BIS’s rules would have broad implications for legitimate security researchers.

  48. Tomi Engdahl says:

    Zack Whittaker / ZDNet:
    Microsoft releases emergency patch for Windows Vista, 7, 8, 8.1, RT, Server 2008 and later; vulnerability also affects Windows 10 Preview — Microsoft releases emergency patch for all versions of Windows — The flaw, affecting Windows Vista, 7, 8, and 8.1, can allow a hacker to take over a machine.

    Microsoft releases emergency patch for all versions of Windows
    The flaw, which also affects Windows 10, allows a hacker to take over a machine.
    http://www.zdnet.com/article/microsoft-releases-emergency-patch-for-critical-windows-flaw/

    Microsoft has released an emergency out-of-band patch for a critical flaw, affecting all supported versions of Windows.

    The software giant said in an advisory Monday that the vulnerability, if exploited, could “allow remote code execution if a user opens a specially crafted document or visits an untrusted webpage that contains embedded OpenType fonts.”

    Microsoft issues 14 security fixes in July’s Patch Tuesday

    Microsoft’s monthly release of patches includes security fixes for dozens of vulnerabilities.

    “An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” the advisory added.

  49. Tomi Engdahl says:

    Andy Greenberg / Wired:
    Hackers remotely gain partial control of a Jeep Cherokee on the highway using vulnerability found in thousands of Chrysler cars, SUVs, and trucks — Hackers Remotely Kill a Jeep on the Highway—With Me in It — I was driving 70 mph on the edge of downtown St. Louis when the exploit began to take hold.

    Hackers Remotely Kill a Jeep on the Highway—With Me in It
    http://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/

    I was driving 70 mph on the edge of downtown St. Louis when the exploit began to take hold.

    Though I hadn’t touched the dashboard, the vents in the Jeep Cherokee started blasting cold air at the maximum setting, chilling the sweat on my back through the in-seat climate control system. Next the radio switched to the local hip hop station and began blaring Skee-lo at full volume. I spun the control knob left and hit the power button, to no avail. Then the windshield wipers turned on, and wiper fluid blurred the glass.

    As I tried to cope with all this, a picture of the two hackers performing these stunts appeared on the car’s digital display: Charlie Miller and Chris Valasek, wearing their trademark track suits. A nice touch, I thought.

    The Jeep’s strange behavior wasn’t entirely unexpected. I’d come to St. Louis to be Miller and Valasek’s digital crash-test dummy, a willing subject on whom they could test the car-hacking research they’d been doing over the past year. The result of their work was a hacking technique—what the security industry calls a zero-day exploit—that can target Jeep Cherokees and give the attacker wireless control, via the Internet, to any of thousands of vehicles. Their code is an automaker’s nightmare: software that lets hackers send commands through the Jeep’s entertainment system to its dashboard functions, steering, brakes, and transmission, all from a laptop that may be across the country.

    “no matter what happens, don’t panic.”

    As the two hackers remotely toyed with the air-conditioning, radio, and windshield wipers, I mentally congratulated myself on my courage under pressure. That’s when they cut the transmission.

    Immediately my accelerator stopped working. As I frantically pressed the pedal and watched the RPMs climb, the Jeep lost half its speed, then slowed to a crawl.

    This wasn’t the first time Miller and Valasek had put me behind the wheel of a compromised car.

    “When you lose faith that a car will do what you tell it to do,” Miller observed at the time, “it really changes your whole view of how the thing works.”

    It’s the latest in a series of revelations from the two hackers that have spooked the automotive industry and even helped to inspire legislation; WIRED has learned that senators Ed Markey and Richard Blumenthal plan to introduce an automotive security bill today to set new digital security standards for cars and trucks.

    Miller and Valasek’s full arsenal includes functions that at lower speeds fully kill the engine, abruptly engage the brakes, or disable them altogether. The most disturbing maneuver came when they cut the Jeep’s brakes

    Their hack enables surveillance too: They can track a targeted Jeep’s GPS coordinates, measure its speed, and even drop pins on a map to trace its route.

    All of this is possible only because Chrysler, like practically all carmakers, is doing its best to turn the modern automobile into a smartphone. Uconnect, an Internet-connected computer feature in hundreds of thousands of Fiat Chrysler cars, SUVs, and trucks, controls the vehicle’s entertainment and navigation, enables phone calls, and even offers a Wi-Fi hot spot. And thanks to one vulnerable element, which Miller and Valasek won’t identify until their Black Hat talk, Uconnect’s cellular connection also lets anyone who knows the car’s IP address gain access from anywhere in the country. “From an attacker’s perspective, it’s a super nice vulnerability,” Miller says.

    That rewritten firmware is capable of sending commands through the car’s internal computer network, known as a CAN bus, to its physical components like the engine and wheels.

    After the researchers reveal the details of their work in Vegas, only two things will prevent their tool from enabling a wave of attacks on Jeeps around the world. First, they plan to leave out the part of the attack that rewrites the chip’s firmware

    Second, Miller and Valasek have been sharing their research with Chrysler for nearly nine months, enabling the company to quietly release a patch ahead of the Black Hat conference.

    Unfortunately, Chrysler’s patch must be manually implemented via a USB stick or by a dealership mechanic.

    In fact, Miller and Valasek aren’t the first to hack a car over the Internet.

    If consumers don’t realize this is an issue, they should, and they should start complaining to carmakers. This might be the kind of software bug most likely to kill someone. – Charlie Miller

    Reply
  50. Tomi Engdahl says:

    Hackaday Prize Entry: Two Factor Authentication Key
    http://hackaday.com/2015/07/20/hackaday-prize-entry-two-factor-authentication-key/

    Because people are generally idiots when it comes to choosing passwords — including people who should know better — Google created Google Authenticator. It’s two-factor verification for all your Google logins based on a shared secret key. It’s awesome, and everyone should use it.

    Actually typing in that code from a phone app is rather annoying, and [Alistair] has a better solution: an Authenticator USB Key. Instead of opening up the Authenticator app every time he needs an Authenticator code, this USB key will send the code to Google with the press of a single button.

    The algorithm behind Google Authenticator is well documented and actually very simple; it’s just a hash of the current number of 30-second periods since the Unix epoch and an 80-bit secret key.

    The current plan is to use an ATMega328, a real-time clock, and VUSB for generating the Authenticator code and sending it to a computer.

    https://hackaday.io/project/5886-authenticator-usb-key

    Reply
