Year 2014 is coming to end, so it is time to look forward what to expect from year 2015 in cyber security.
Cyber security will get harder year y year. Year 2014 was much worse than 2013. Heartbleed, Bash, and POODLE vulnerabilities were just the beginning of what to expect in 2015. I expect that year 2014 was easy compared to what year 2015 will be. 2015 will prove to be a challenging year for IT security professional. Attacks can happen anywhere and anytime and they don’t have to be major attacks by nation states. They could come from inside or outside.
According to Gartner and Securityweek Total information security spending will grow a further 8.2 percent in 2015 to reach $76.9 billion. Unfortunately, security investments are not keeping up with IT enhancements that are continuously widening our attack surface and making systems more vulnerable. As computer software has become the backbone of modern civilization, “hacktivists”, organized cyber criminals, state-sponsored cyber attackers, and terrorist organizations try to exploit design flaws and weaknesses in the applications in order to embarrass corporations and government agencies, and commit fraud.
The steady flow of software security issues will be making headlines also in 2015. Serious security flaws will be found on both open seurce and proprietary software.
There are many people looking for a good process to develop secure software, because after-the-fact band-aiding is not a sustainable approach. If the same methods continue to be used to develop the software, retrospectively adding tests, then there will only be a very modest reduction in the flow of problems. Processes exist but have yet to be broadly applied for developing reliable and secure networking software. Traditional methods used to develop software continue to result in high failure rates. Why create insecure security?
Year 2014 was a year of cybersecurity after the NSA revelations made in 2013. There were lots of articles related to the material published. Not everything has yet been published, so I would expect some new NSA revelations details to be published also in 2015. So I expect some new information leaks on how govermential security organizations spy us all.
It seems like year 2014 has almost been “The Year of PoS Breaches.” Can We Learn from Big Breaches? At least companies will also face more stringent regulations: The new Payment Card Industry Data Security Standard 3.0 (PCI 3.0) will be mandatory for all businesses that store, process or transmit payment card information beginning 1 January 2015. The revamped standard includes requirements aimed at third party providers. The changes follow a string of high profile breaches – companies will also face more stringent regulations: The new Payment Card Industry Data Security Standard 3.0 (PCI 3.0) will be mandatory for all businesses that store, process or transmit payment card information beginning 1 January 2015. The revamped standard includes requirements aimed at third party providers. I expect that those new requirements do not result any quick change to the situation. As more and more breach reports have come up constantly, consumers officially are starting to get breach fatigue and banks are bringing breached companies to court to pay for damages caused to them.
Public and private organizations are facing an increasing frequency and sophistication of cyber-attacks and security breaches – many of which are only discovered after the fact. McAfee Labs’ 2015 Threats Predictions report is an eye-opening read which forecasts increased levels of crime, espionage and warfare operations. Cybercriminals are expected to use more sophisticated methods to remain hidden on a victim’s network, carrying out long-term theft of data without detection.
Get Ready For The Hack Attack That Drives A Big Company Out Of Business article predicts that 2015 will be the year that some company goes out of business because they didn’t plan adequately for an attack. In the past, the most sophisticated hacks against companies were carried out by big nation-states or criminal organizations. In year 2014 the Sony Pictures hack happened and showed that motives of sophisticated hackers have changed from self-gain to destruction. Many company officers are only now becoming aware of the threat (boards of directors and C-level officers have traditionally been focused on other threats). A computerized attack can cause a lot of damage to a well prepared company, and can turn a not so well prepared company to a complete disaster it can’t recover. Sony attack opens new doors of risks in the areas of corporate extortion.
As Internet of Thigs becomes more and more used, it will be more hacked. Thus security of Internet of Things will be more and more talked about. IoT os one field where cyber security flaws can kill. The European Police Office (Europol) said governments are ill-equipped to counter the menace of “injury and possible deaths” spurred by hacking attacks on critical safety equipment. There are many potential dangers are in transportation: many new cars are Internet connected and potentially vulnerable, SCADA Systems in Railways Vulnerable to Attack and Airline bosses ignore cyber security concerns at their peril. Whether it is an unintentional cyber incident or a deliberate attack, security continues to be a vital part of the automation industry and it will remain, with safety, a growing area of concern for manufacturers in the coming years. Security awareness is on the rise throughout the industry. Security is becoming a business enabler that can provide manufacturers more than just an insurance policy.
Soon, almost every network will soon have IoT-hacking in it. IDC predicts that in two years from 90 per cent of the global IT networks have met IoT data theft. In a report, cybersecurity firm Fortinet expects greater threats from “denial of service attacks on assembly line, factory, industrial control systems, and healthcare and building management…resulting in revenue losses and reputation damages for organizations globally.” This opens new doors of risks in the areas of corporate extortion, altering of corporate business operations, and the extension of cyberattacks to include physical threats of harm to civilians.
Why cyber warfare is becoming more and more attractive to small nations and terrorist groups. Enabled by Internet connectivity, cyber war provides more bang for the buck than investment in conventional weapons. It is cheaper for and far more accessible to these small nation-states than conventional weapons . It allows these countries to pull off attacks without as much risk of getting caught and without the repercussions when they are caught. There are many reasons why a nation-state or non-nation entity would pursue a cyber war program, and today many countries large and small invest in cyber warfare. Recent cyber attacks suggest that fewer resources are required to wage an attack than to defend against one. As the whole world gets connected, it just provides the details that make these attacks possible. In the not-too-distant future, warfare with traditional weaponry may take a backseat to potentially more destructive tactics: computer code attacking the companies and infrastructures, including electric grids and oil and gas pipelines, that society relies on.
It was estimated that first online murder would happen in 2014. It did not seem to happen in 2014 as far as I know. I think that is likely that online murder can happen in 2015. There are tools available for this to happen. Cyber-murder it can happen without us knowing about it.
Mobile devices will be one of the focal points for cyber-attackers in 2015, as they present relatively easy, low-risk points of entry that can be monitored remotely for passwords, account numbers, and personal identification data. Sure, there are still relatively easy to publish malicious application stores. Within next year advanced mobile exploit kits will become available.
Mobile devices will start to play part in denial of service attacks. Vietnam, India and Indonesia will be the distributed denial of service volcanoes of next year due to the profieration of pwned mobiles.
Year 2014 brought encryption to mainstream smart phones (new encryption features from Apple Inc. and Google Inc). In year 2015 government organizations try to tackle a very modern problem: password-protected encrypted cellphones. It will be a fight on surveillance as everyone starts to implement encryption.
Long predicted but always seeming to be “just around the corner,” mobile payments may finally have arrived. The coming mobile payment revolution, the underlying technologies – and alternative solutions – have been emerging for some time. Technologies playing a supporting role in this shift include encryption advances, digital currencies, biometrics, NFC, Bluetooth, QR codes, and even the use of sound wave data transfer. There will also bea products mrketed to prevent different kind of potential threats the new technologies can cause.
There is a never-ending battle between good and evil in the cyber world. Various types of attacks are successful because they are well-disguised, blend different techniques, and constantly evolve. You need Layered Security – It’s Not Just for Networks. Use a layered security architecture that supports a combination of defenses in ways attackers don’t expect and that continuously evolves protections to keep up with dynamic attacks. Traditionally these approaches have been focused on the network, but they can and should be applied to other parts of IT system as well (start from email gateways). Email is the preferred channel for business communications and thus continues to be a vector of choice for attackers.
Threat Information Sharing Will Become Necessary for Survival. Security controls (SANS critical controls, ISO/IEC 27002, NIST Cybersecurity Framework, and the Cloud Controls Matrix) are safeguards and counteract or minimize security risks relating to digital property. The more you can automate a control, the better off you will be. We are in the way of Moving towards an adaptive and automated way of applying intelligence based on behavior and heuristics is clearly moving in the right direction to enable a more actionable and relevant set of controls. Threat intelligence coming from a variety of sources (security companies, the government and the open source community) is needed. Key to the success is publishing intelligence in a variety of data structures (STIX, TAXI and other standard industry formats) to best describe threats in a way that can be aggregated and understood by others.
More and more organizations are moving applications and data to IaaS/PaaS environments. Many enterprise IT departments have reason for concern: industry experts agree that moving sensitive data into the hands of third-party cloud providers expands and complicates the risk landscape in which companies operate every day. You need to understand cloud database security basics and more.
Today major players are embracing end-to-end encryption, so that about 50% of web traffic is carried by HTTPS. HTTPS-everywhere will get boost in 2015 as a new certificate authority – backed by big names on the internet including Mozilla, Cisco and Akamai – plans to offer SSL certs at no charge starting summer 2015. This move will make it even more easier for people to run encrypted, secure HTTPS websites.
Google is proposing to warn people their data is at risk every time they visit websites that do not use the “HTTPS” system. If implemented, the change would mean that a warning would pop-up when people visited a site that used only HTTP to notify them that such a connection “provides no data security”. In the short term, the biggest headache is likely to be faced by website operators who will feel forced to migrate unencrypted HTTP websites to encrypted HTTPS.
You can’t trust that normal web security technologies will guarantee safety. Your HTTPS security will be more manipulated than before. End to end HTTPS is generally good security addition to end users, but it does not solve all the problems. The increased use of HTTPS has made the life of IT departments harder, because normal firewalls can’s look what is inside encypted HTTPS packets, so they can’t block potential security treads that are carried within HTTPS packets. There are some special corporate firewall arrangements that can intercept HTTPS traffic (they do kind of man-in-the middle attack that decrypts and encryps the packets on the way). So SSL communications can be intercepted and broken.
3,110 Comments
Tomi Engdahl says:
Stagefright Patch Incomplete and Zero Day in Android Google Admin App Found
http://tech.slashdot.org/story/15/08/13/2212233/stagefright-patch-incomplete-and-zero-day-in-android-google-admin-app-found
A patch distributed by Google for the infamous Stagefright vulnerability found in 950 million Android devices is incomplete and users remain exposed to simple attacks targeting the flaw. Researchers at Exodus Intelligence discovered the issue in one of the patches submitted by Zimperium zLabs researcher Joshua Drake. Google responded today by releasing a new patch to open source and promising to distribute it next month in a scheduled OTA update for Nexus devices and to its partners.
Stagefright Patch Incomplete Leaving Android Devices Still Exposed – See more at: https://threatpost.com/stagefright-patch-incomplete-leaving-android-devices-still-exposed/114267#sthash.cHdq24SF.dpuf
Tomi Engdahl says:
Lots of security updated released for Apple devices:
About the security content of iOS 8.4.1
This document describes the security content of iOS 8.4.1.
https://support.apple.com/en-us/HT205030
Tomi Engdahl says:
The UK’s War On Porn: Turning ISPs Into Parents
http://yro.slashdot.org/story/15/08/13/1657234/the-uks-war-on-porn-turning-isps-into-parents?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29
With British Prime Minister David Cameron announcing plans for porn users to be required to register their bank account/debit card as a means of age verification, Spiked-Online writer Stephen Beard explores the privacy implications, technical feasibility and motivations of such a plan.
The UK war on porn: turning ISPs into parents
http://www.spiked-online.com/newsite/article/the-uk-war-on-porn-turning-isps-into-parents/17288#.Vc2YxpdLZ4B
I
11 August 2015
19 comments
Share on facebook
Share on twitter
Share on email
More Sharing Services
67
Get spiked by email
n a bid to ‘protect children’, British prime minister David Cameron has recently proposed further measures to regulate porn websites. His government plans to require internet service providers (ISPs) to filter porn sites that do not comply with new guidance, whereby they will have to verify the ages of visitors through credit-card or bank-account details. Currently, many porn sites just have an ‘enter your birthday’ method of age verification, which is inadequate, for obvious reasons, yet desirable in its anonymity and simplicity.
It’s not as if ISPs don’t have enough to deal with, what with the growing list of ridiculous and pointless demands from government to censor the internet on its behalf. Now ISPs are being coerced into helping people raise their children, too. Because that’s what these plans amount to: state meddling in what should be a parental responsibility.
The implications for privacy of this war on porn are immense. Suddenly, porn habits will be tied to someone’s bank account. Who is going to want that? After all, if Sony can be hacked, what’s to prevent a porn site from having user information hacked, and then leaked online? Such information could, thanks to our neurotic societal attitudes towards sex and sexuality, be used for the purposes of blackmail. As a result, many users are likely to find other, less regulated sources of porn, which may not fully adhere to industry standards.
Tomi Engdahl says:
New IP address blacklist based on Web chatter
http://www.csoonline.com/article/2969312/network-security/new-ip-address-blacklist-based-on-web-chatter.html
Traditionally, blacklists of malicious IP addresses are assembled using honeypots and intrusion detection systems but a new approach, analyzing chatter on the dark and open Web, can find malicious addresses that would have been otherwise missed
Traditionally, blacklists of malicious IP addresses are assembled using honeypots and intrusion detection systems but a new approach, analyzing chatter on the dark and open Web, can find malicious addresses that would have been otherwise missed.
According to Recorded Future, an analysis of 700,000 Web sources resulted in 67,563 IP addresses associated with at least one type of malware — and 1,521 particularly dangerous IP addresses that were associated with at least two types of malware.
amtrak derailment
Business continuity and disaster recovery planning: The basics
Good business continuity plans will keep your company up and running through interruptions of any kind:
Read Now
Of these addresses, 91 percent of the smaller list and 98 percent of the larger list were new to security researchers, and did not show up on existing blacklists, according to the report released today.
One major difference between the new list and traditional lists is the higher percentage of “outbound” malicious addresses.
“An inbound address is when someone is attacking your system from an external address, trying to get in,”
On traditional blacklists, 99 percent of the addresses are for inbound activity, he said.
For example, Recorded Future identified 476 IP addresses associated with both the Dyreza and the Upatre malware families — only 41 of which were known to existing blacklists.
Another reason why traditional detection systems might be missing these new addresses are because the bad guys are trying to stay hidden, said Recorded Future’s CEO Christopher Ahlberg.
“They’ll do lots of hops along the way, so by the time they hit the honey pot, it lost the connection it originated from,” he said. “But we can get back to the core of the evil.”
Hidden Link Analysis Reveals 92% of Suspicious IPs Not Blacklisted
https://www.recordedfuture.com/two-shady-men-report/
By scouring the entire Web for mentions of known malware related to specific domains, we were able to identify nearly 1,400 instances of malware-infested domains that were not recognized on established blacklists. Recorded Future analyzed 890,000 documents that mention malware (including Web pages, tweets, and pastes) from nearly 700,000 Web sources that we track with the Recorded Future Web index. This means that 92% of the suspicious IP addresses identified in our project were not found elsewhere on other blacklists!
It’s important to note that in this particular test, the criteria for inclusion was two instances of malware mentions. When looking for suspicious domains with only one associated malware, the number of potential threats increases. Increasing the mentions of malware, we believe, increases the accuracy of the findings, meaning organizations can improve their threat intelligence and threat detection capabilities, and drive down risks.
Tomi Engdahl says:
NSA: Here’s $300,000, people. Go build us a safer Internet of Things
Maybe we could think about security when designing stuff
http://www.theregister.co.uk/2015/08/13/nsa_funds_iot_research_alabama/
The NSA is funding development of an architecture for a “safer” Internet of Things (IoT), in the hope of incorporating better security at a product’s design phase.
The controversial US intelligence agency is bestowing a $299,000, one-year grant to the University of Alabama in Huntsville (UAH) for a project that aims to build a lightweight virtualisation architecture which will make it easier to build security into IoT systems before they leave the factory.
A growing number of devices are being internet-enabled, thereby joining the IoT as smart meters, inter-enabled cars, and much, much more.
Unfortunately, little consideration has been given to security at the design phases, so that security flaws from weak authentication, crap crypto and glaring built-in web console flaws have become legion.
As a result, cars have been remotely hacked while home routers have been left hopelessly insecure. The list is extensive, and growing.
Given its history, particularly when it comes to intercepting the supply chain of routers to plant backdoors, it might be tempting to think that the NSA wants to backdoor IoT devices too. But it’s hardly worth the effort on kit that is wide open and insecure in the first place.
Tomi Engdahl says:
Facebook hands hackers $100k for breaking browsers
Internet Defense Prize™ handed out, bugs broken. Hello Oracle?
http://www.theregister.co.uk/2015/08/14/facebook_hands_hackers_100k_for_breaking_browsers/
Four researchers have scored US$100,000 from Facebook for revealing 11 bugs affecting platforms including the Chrome and Firefox browsers using novel vulnerability discovery methods.
The Georgia Institute of Technology team of PhD students Byoungyoung Lee and Chengyu Song, and professors Taesoo Kim and Wenke Lee discovered the holes affecting C++ programs.
The Social Network™, together with Usenix, offer up a pool of US$300,000 under the Internet Defense Prize™ first created last year.
Tomi Engdahl says:
ProPublica:
NSA spying relies on AT&T’s “extreme willingness to help” tap Internet communications, say newly-disclosed Snowden documents — NSA Spying Relies on AT&T’s ‘Extreme Willingness to Help’
https://www.propublica.org/article/nsa-spying-relies-on-atts-extreme-willingness-to-help
Tomi Engdahl says:
Frederic Lardinois / TechCrunch:
Mozilla tests private browsing mode with tracking protection in pre-beta versions of Firefox — Mozilla Makes Private Browsing More Private In Firefox, Adds Tracking Protection — Mozilla is testing a new private browsing mode in Firefox that doesn’t just keep no trace of your browsing habits …
techcrunch.com/2015/08/14/mozilla-makes-private-browsing-more-private-in-firefox-adds-tracking-protection/
Tomi Engdahl says:
One Petabyte of Data Exposed Via Insecure Big Data Systems
http://it.slashdot.org/story/15/08/15/2154233/one-petabyte-of-data-exposed-via-insecure-big-data-systems?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29
Behind every big data deployment is a range of supporting technologies like databases and memory caching systems that are used to store and analyze massive data sets at lightning speeds. A new report from security research firm Binaryedge suggests that many of the organizations using these powerful data storage and analysis tools are not taking adequate steps to secure them. The result is that more than a petabyte of stored data is accessible to anyone online with the knowledge of where and how to look for it.
In a blog post on Thursday, the firm reported the results of research that found close to 200,000 such systems that were publicly addressable. Binaryedge said it found 39,000 MongoDB servers that were publicly addressable and that “didn’t have any type of authentication.”
Data, Technologies and Security – Part 1
http://blog.binaryedge.io/2015/08/10/data-technologies-and-security-part-1/
Tomi Engdahl says:
Klint Finley / Wired:
Swiss researchers working to make two-factor authentication easier with Sound-Proof, which replaces numerical codes with digital signatures from ambient sound
The Noise Around You Could Strengthen Your Passwords
http://www.wired.com/2015/08/noise-around-strengthen-passwords/
Last year after nude photos apparently stolen from various celebrities’ iCloud accounts began circulating on Reddit, Apple responded by telling people to enable a feature called “two-factor authentication.”
The idea is simple.
Two-factor authentication provides much better security than a password alone, and you really should enable it everywhere you can: Gmail, Facebook, Twitter, your bank. But there is one big problem with it: it’s really annoying. Every time you want to log in to a site, you have to get your phone out, unlock it, find the authentication code, and type it in. If you type too slowly, the code changes and you’ve gotta try again. For far too many people, this is just too big of a hassle, so they leave themselves open to attack.
But a team of researchers from the Swiss Federal Institute of Technology in Zurich, Switzerland say they’ve found a way to make two-factor authentication painless.
You don’t need to unlock your phone or even take it out of your pocket or purse, as the recording is triggered automatically by the server. The software then creates a digital signature based on this noise and uploads it the server, which compares the two signatures. If they match, then the server assumes your phone is in the same room as the computer you’re trying to log in from and lets you in.
Tomi Engdahl says:
Choc Factory patches zero day Google for Work hack hole
Sysadmins told to lock down their Androids, also stop downloading random stuff
http://www.theregister.co.uk/2015/08/17/sandbox_bypass_through_google_admin_webview/
Google has patched a vulnerability in the Google Admin application that could allow attackers to steal enterprise accounts.
MWR Labs researcher Rob Miller reported the sandbox-hopping hole, rated medium severity, which can be exploited by malware residing on a user’s device.
The flaw can be used to steal Google for Work credentials, according to the UK researcher.
“A malicious application on the same device as the Google Admin application is able to read data out of any file within the Google Admin sandbox, bypassing the Android Sandbox,” Miller says in an advisory.
“Devices with Google Admin installed should not install any untrusted third party applications.”
Miller says the problem occurs when the Google Admin app receives a URL from another installed application and loads it in a webview within its own activity.
Attackers using a file:// URL to link to a file that they controlled could use symbolic links to bypass the Same Origin Policy and hop the sandbox.
Tomi Engdahl says:
Spyware-spewing Wi-Fi drone found on Hacking Team, Boeing’s to-do list
Air-to-surface malware missiles
http://www.theregister.co.uk/2015/07/20/hacking_team_drone_delivered_spyware/
Leaked emails have exposed plans by Hacking Team and a Boeing subsidiary to deliver spyware via drones for sale to government agencies.
The scheme proposed the use of unmanned aerial vehicles (UAVs or drones) to deliver Hacking Team’s Remote Control System Galileo spyware via Wi-Fi networks from above. Boeing subsidiary Insitu and representatives of Hacking Team enthusiastically discussed the deal after meeting up at the International Defense Exposition and Conference (IDEX) in Abu Dhabi back in February.
Putting the plan together would involve developing a ruggedized and miniaturized Tactical Network Injector (TNI), Hacker News reports. This mini-TNI would be used to introduce malicious traffic into insecure Wi-Fi networks while perched on a drone and subject to jolts and low temperatures. Malicious traffic injection would only work in this scenario in cases where a target is surfing in an insecure, open Wi-Fi hotspot (coffee shop, transport hub, etc.) without using protective VPN technology.
Tomi Engdahl says:
ProPublica:
NSA spying relies on AT&T’s “extreme willingness to help” tap Internet communications, say newly-disclosed Snowden documents — NSA Spying Relies on AT&T’s ‘Extreme Willingness to Help’
NSA Spying Relies on AT&T’s ‘Extreme Willingness to Help’
https://www.propublica.org/article/nsa-spying-relies-on-atts-extreme-willingness-to-help
The National Security Agency’s ability to capture Internet traffic on United States soil has been based on an extraordinary, decadeslong partnership with a single company: AT&T.
Tomi Engdahl says:
Stack Ranking the SSL Vulnerabilities for the Enterprise
By David Holmes on July 30, 2015
http://www.securityweek.com/stack-ranking-ssl-vulnerabilities-enterprise
This week’s cute OpenSSL vulnerability is CVE-2015-1793. This little one-line OpenSSL bug could allow an attacker who has a legitimate end-leaf certificate to circumvent the OpenSSL code that validates the certificate’s purpose. The attacker could then, in theory, sign other leaf certificates and use those to pull off a man-in-the-middle attack on SSL sessions. The bug was slapped with the name “OprahSSL” because everyone gets to become a certificate authority. We all had a good laugh about this; someone even made a twitter account and a logo.
We in the security community have really started to hit our stride when it comes to naming and shaming cryptographic vulnerabilities. Let’s have a golf clap for social media awareness campaigns about crypto vulnerabilities. Good job, everyone.
Kidding aside, exactly how serious was OprahSSL? How did it compare the parade of other cleverly-named SSL vulnerabilities of the last four years? People remember BREACH and BEAST and Heartbleed and LOGJAM, to name a few. How did OprahSSL compare to them?
According to the Common Vulnerability Scoring System (CVSS) scores, OprahSSL was worse than Heartbleed.
Tomi Engdahl says:
The Economics of Cybersecurity – Are Scales Tipped to the Attacker?
http://www.securityweek.com/economics-cybersecurity-are-scales-tipped-attacker
An argument can certainly be made that the economics of cybersecurity largely favor the attacker. While the takedown of Darkode was a win for the good guys, at least temporarily, the unfortunate reality is there remains a multitude of other underground forums where criminals can gain easy access to the tools and technical support needed to organize and execute an attack. A simple search can get you quick access to virtually any tool needed for the job. Our role as executives and security professionals is to make sure these adversaries roaming these virtual havens of nastiness have to spend an inordinate amount of resources to try and achieve their objectives.
Many organizations are asking the natural question – how much do I really need to spend on security in order to tip the scales in my favor? In order to answer that question you must first quantify the impact and risk of a cyber attack.
Tomi Engdahl says:
The Snowball Effect of Data Breaches
http://www.securityweek.com/snowball-effect-data-breaches
It is no secret that data breaches and cyber attacks have become increasingly common in virtually every industry and sector. It is rare that a week goes by without news of another breach.
These attacks impact us as security professionals as well as individuals. Professionally, we must adapt our security practices to detect and quickly respond to these stealthy threats. As individuals, we must constantly be on the lookout for fraud resulting from the theft of our personal information.
But we also must be aware that attacks don’t occur in a vacuum, and that each breach has the potential to enable the next attack. While the theft of Personally Identifiable Information (PII), can be used by criminals to commit fraud, stolen information is also valuable for setting up the next major breach.
Passwords are always a prize
Hackers always attempt to extend their attack or enable the next one, and stealing passwords offers a clear path to that goal.
Depending on how those credentials are stored, attackers can often use stolen usernames and passwords to gain access to other sites, applications or networks.
This creates a feedback loop of breaches where one breach helps facilitate the next.
Tomi Engdahl says:
Attackers Use Stolen Credentials to Hack Cisco Networking Devices
http://www.securityweek.com/attackers-use-stolen-credentials-hack-cisco-networking-devices
Cisco has warned customers that hackers have been using stolen administrator credentials to install malicious software on networking devices running IOS.
IOS is the operating system that runs on most Cisco routers and switches. When these devices are powered on or rebooted, the hardware is initialized and the IOS software is booted by a bootstrap program called ROM Monitor (ROMMON).
According to an advisory published by the company, attackers are replacing the legitimate ROMMON firmware with a malicious ROMMON image. Once the device is rebooted with the new ROMMON, attackers are able to manipulate its behavior.
“In all cases seen by Cisco, attackers accessed the devices using valid administrative credentials and then used the ROMMON field upgrade process to install a malicious ROMMON,” Cisco said in its advisory.
Tomi Engdahl says:
End the Innovation Catch-22: Reduce the Attack Surface
http://www.securityweek.com/end-innovation-catch-22-reduce-attack-surface
From a computing perspective, we live in a renaissance age. Information technology is not just a tool to help run businesses, but actually an economic factor of production; it is a necessary component in practically every finished good and service, like land, labor and capital. As computing integrates into every facet of our lives, it stretches the inter-connectedness of everything we do and touch. And it also raises the risk of our personal, commercial and national security information being obtained by bad actors.
The mainstreaming of IT has been paired to to a hailstorm of innovation over the past decade, including the fundamental emergence of a dynamic new computing architecture: distributed computing. Distributed computing and all of its branches — mobile, virtual, and cloud — is rapidly replacing the 30+ year dominance of client-server architectures. If you think I-a-a-S (AWS, Azure), you are thinking distributed computing. Linux containers? Check. Micoservices? Right on. If you are thinking of security as a fixed place in-time, you are thinking the wrong way.
The dynamic, innovative nature of new computing architectures presents a catch-22 for security professionals: what makes us more agile, fast, and distributed also exposes more mission-critical data to risk and hackers. It is difficult, potentially impossible, for the traditional network security model —built on the foundations of a fixed and centralized computing architecture — to address the new requirements.
What are some of the challenges?
• Security dependent on the network does not “bend” to hybrid or diverse environments (you cannot stretch your firewall into AWS).
• The temporal, brief life cycle of newer computing architectures such as Linux containers move too quickly for traditional, manual network management models.
• Most significantly, the segmentation model of networking such as VLANs or zones leaves too much attack surface available to bad actors.
So what can enterprises do?
1. Ring-fence critical assets. Determine ways to segment high-value assets away from lower-value compute infrastructure. This “hygiene” move will not stop a determined hacker, but will make communication with critical servers much more difficult.
2. Build security and segmentation into the application cycle. This would include building more granular security policies directly into application architectures to reduce inter-application communications.
3. Dynamically adapting is the best defense. Institute an adaptive security architecture whereby security moves and adapts with dynamic compute assets — such as Linux containers or vMotion that spin up or down and move — without human intervention. One of the best thought pieces on this strategy was outlined last year by Gartner’s Neil McDonald and Peter Firstbrook.
Tomi Engdahl says:
To Thwart Attackers, Measure What Matters
http://www.securityweek.com/thwart-attackers-measure-what-matters
For years the security industry has been focused on measuring the percentage of blocked attacks as a means to demonstrate security effectiveness. And that still holds true. The more threats we block, the fewer we have to deal with inside the network. We must continue to innovate and work diligently to get that number as close to 100 percent as possible. But that’s the catch.
Even as more effective and sophisticated security defenses emerge to thwart attackers, it has become clear that point solutions have limited impact against well-funded cybercriminals using a combination of more evolved tactics to evade detection.
Exploit kits, ransomware, and advanced malware are just a few examples of these innovative tactics.
The innovation race between attackers and security vendors will continue. And this dynamic creates a significant problem for organizations investing in security products and services while also struggling to deal with a shortage of skilled IT security personnel. They often obtain individual solutions to address security gaps, but that only results in a patchwork of solutions that do not and cannot work together. History has demonstrated that point solutions and weak operations will not stop waves of sophisticated attacks. To get a more realistic assessment of how well we’re doing at thwarting these types of attacks, we need to start focusing on another measurement that is equally, if not more important: time to detection.
Time to detection (TTD) is the window of time between the first observation of a file and the detection that it is a threat. This gap exists because of these tactics that cybercriminals use to slip through defenses as ‘unknown’ and later exhibit behaviors that are malicious. Based on various reports, the current industry standard for time to detection is 200 days. That’s far too long. By the time a breach is discovered credit card data, bank account information, credentials, you name it, have been compromised.
Of course, stopping attacks in the first place is important. But accepting the reality that some attacks will get through, security effectiveness must now be measured by how quickly we detect a compromise and stop the exploitation of that attack.
Tomi Engdahl says:
Detection May Not Be What You Think It Is
http://www.securityweek.com/detection-may-not-be-what-you-think-it
When building, improving, or operating a security program, aiming for the right balance between prevention and detection/response seems like an obvious choice
In my current position, I spend a lot of time educating people on the merits of security operations and incident response, including a balanced approach consisting of both prevention and detection/response.
At the same time, I hear a lot of noise from many in what I would call the “pro-prevention” camp. I hear things like “detection is ineffective” or “detection is dead” or “detection is not a winning strategy”.
The people beating the prevention drum aren’t fools, which leads me to two potential explanations for this behavior. They either don’t really believe what they are saying (i.e., they have some ulterior motive driving their messaging), or they simply don’t understand what I, and others are referring to when we discuss detection. In case there is some confusion around what detection is all about, I’d like to make an effort to clear that up.
Let’s start at the beginning. Detection is not about anti-virus (AV), Intrusion Detection Systems (IDS), Security Information and Event Management (SIEM), or any other type of technology. Detection is also not about signatures, alerts, events, tickets, or any other type of meta-data. Do security technologies and meta-data play a role in detection? Absolutely. They are necessary for detection, but they are not sufficient.
Detection is a philosophy, approach, and methodology that seeks to identify suspicious or malicious behaviors matching risks and threats the organization is concerned about. The output and success of the detection process is highly dependent on the input to that process. In other words, garbage in leads to garbage out. If one wants to understand why detection rates are so poor across most organizations, one need only look at the content development process used to feed the detection process.
Detection/response serves to augment prevention and round out an organization’s approach to risk mitigation. Put another way, attackers regularly get by any and all preventative measures. When this occurs, an organization can use detection/response to quickly identify that this has occurred and contain and remediate the activity before it causes damage to the organization. This balanced approach allows the organization to spread its risk mitigation strategy across more than one mitigating factor.
Tomi Engdahl says:
The Most Vicious Zero-Day Exploit? Insiders.
http://www.securityweek.com/most-vicious-zero-day-exploit-insiders
As security professionals we worry about zero-day exploits – those vulnerabilities known by attackers for which there is no current fix. The zero day, of course, lasts until we assiduously apply patches, waiting for Tuesdays like a kid waiting for gifts on Christmas morning. The gift givers come from many sources – Microsoft, Apple, Adobe, Oracle and any number of other software vendors.
As much fun as it is to wake up to patches waiting to be unwrapped, we don’t want the regret of “exploit Wednesday”, which is far more embarrassing than becoming a victim of a zero-day exploit. After public disclosure of a zero-day exploit, there is an increase of up to five orders of magnitude (PDF) in the volume of attacks.
While there is some protection afforded by a good patch process, it doesn’t reduce the time between vulnerability discovery to patch distribution. It’s impossible to know for certain what the average vulnerability window is, but estimates put it at 312 days. Zero-day exploits can make anyone feel vulnerable and a bit intimidated, like a small child forced to take a photograph with an enormous bearded stranger.
Why insiders are a growing problem Zero-day exploits get a lot of attention, deservedly so. But insider misuse is a parallel, possibly greater threat, which needs to be revisited.
Tomi Engdahl says:
Cyber Intelligence-as-a-Service: In-House vs. Outsource Dilemma
http://www.securityweek.com/cyber-intelligence-service-house-vs-outsource-dilemma
Over the last few years, I’ve had the opportunity to meet and consult with companies about how they stay ahead of cybercrime threats to their businesses.
As an avid fan of all things analysis, this has provided me with some very interesting data fodder on how businesses view and use intelligence to help detect, mitigate, predict, prepare for and respond to cyber threats.
Right now, most businesses feel they should be actively engaged in pursuing a wide variety of cyber intelligence activities that are tied to their tactical cyber defenses in a direct and reciprocal way. What’s more, I’m starting to see that many businesses are finally beginning to view the cyber threat not just as a technical problem, but as real business problem with real business impacts.
These companies are seeking something more than just a bunch of threat intelligence feeds or an existing SIEM tool; a robust cyber intelligence function similar to many corporate and competitive intelligence teams that’s more than just technical.
The question is a big one for many reasons as cyber intelligence:
• Can be very expensive
• Requires skilled human capital
• Must have clear lines of communication with standard ways of talking about and presenting data for analysis
• Needs specialized processes and tools to carry them out
• Much more…
Additionally, even after you have all this, it takes time to bear fruit and must be nurtured and evolved dynamically to meet new threats.
In short, there are lots to things to consider that turns a pause into paralysis. Let’s take a look at some pros and cons.
Much like what the cloud and Anything-as-a-Service have done for software and data delivery now, by the end of the next decade it will likely be de rigeur that companies run intelligence programs that overlap cyber, operational, competitive and physical security domains. However, right now, the build vs. buy dilemma plus the almost total immaturity of the intelligence function in the cybersecurity domain means there will be a lot of growing pains as we evolve to a better way.
Tomi Engdahl says:
Hacking Team mulled stopping Ethiopia sales – because of idiot g-men
Human rights didn’t feature at all, says activists’ analysis
http://www.theregister.co.uk/2015/08/17/hacking_team_ethiopia/
Hacking Team failed to take effective action to investigate or stop reported abuses of its technology by the Ethiopian government against dissidents, according to Human Rights Watch.
A review of internal company emails leaked as part of a highly-publicised breach against the controversial spyware-for-government firm in July revealed that the company continued to train Ethiopian intelligence agents to hack – and even negotiated additional contracts, despite multiple reports that its services were being used to target government critics and expatriate journalists.
The Italian government should “investigate Hacking Team practices in Ethiopia and elsewhere with a view toward restricting sales of surveillance technology likely to facilitate human rights abuses”, Human Rights Watch concludes.
More than 400GB of Hacking Team’s internal emails, documents, and source code leaked online following the breach of its systems.
Hacking Team’s internal emails show only a superficial effort to investigate these findings and end the abuse, according to HRW.
According to Human Rights Watch, the Ethiopian government has invoked “national security” to clamp down on core freedoms and human rights. “Individuals with perceived or tenuous connections to even registered opposition groups are arbitrarily arrested and interrogated based on their phone calls,” according to Human Rights Watch. “Recorded phone calls with family members and friends – particularly those with foreign phone numbers – are often played during abusive interrogations in which people who have been arbitrarily detained are accused of belonging to banned organisations.”
Hacking Team states it sells its wares exclusively to governments. This assertion has come under scrutiny since the leak but most of the heat has come from sales of spyware to governments with questionable human rights records, in particular Ethiopia and Sudan.
Italy and other governments should ensure that all sales of Hacking Team systems and similarly echnologies are reviewed on a case-by-case basis, with particular emphasis on the human rights record of prospective buyers.
“The Hacking Team leaks show this industry cannot be depended upon to regulate itself,”
Tomi Engdahl says:
Web users at risk as 600,000 machines continue to run Windows Server 2003
One month on, and 175 million websites are still putting you at risk
http://www.theinquirer.net/inquirer/news/2422136/web-users-at-risk-as-600-000-machines-continue-to-run-windows-server-2003
MILLIONS OF WEB USERS are unknowingly exposing themselves to unnecessary risk from 600,000 web-facing machines still running Windows Server 2003.
Microsoft ended support for the popular server OS on 14 July, but a month later an alarming number of sites have failed to upgrade, meaning that a fifth of the internet is still running the unsupported server.
To put it another way, Netcraft, which collated the figures, reckons that 175 million websites are directly served from a Server 2003 computer.
After the lack of a tech-pocalypse after Windows XP, many senior managers have taken a lot of convincing that there is a problem in not updating to the latest version of Windows Server, and budgets to upgrade have not been given priority.
In reality, the risk is far greater, as a server infection to a high-profile website leaves every single visitor at risk.
High-profile companies on Netcraft’s list include NatWest, ING Direct and Panda Security, an actual anti-malware provider.
Microsoft’s out-of-range support costs a rumoured $600 a machine,
http://www.theinquirer.net/inquirer/news/2395635/microsoft-to-charge-usd600-per-server-for-windows-server-2003-holdouts
Tomi Engdahl says:
Dan Goodin / Ars Technica:
How distributed reflective DoS can amplify attacks while hiding the attacker’s identity by exploiting weaknesses in the open BitTorrent protocol
How BitTorrent could let lone DDoS attackers bring down big sites
uTorrent, Mainline, and Vuze most susceptible to DoS abuse, researchers say.
http://arstechnica.com/security/2015/08/how-bittorrent-could-let-lone-ddos-attackers-bring-down-big-sites/
Some of the most widely used BitTorrent applications, including uTorrent, Mainline, and Vuze are also the most vulnerable to a newly discovered form of denial of service attack that makes it easy for a single person to bring down large sites.
The distributed reflective DoS (DRDoS) attacks exploit weaknesses found in the open BitTorrent protocol, which millions of people rely on to exchange files over the Internet. But it turns out that features found uTorrent, Mainline, and Vuze make them especially suitable for the technique. DRDoS allows a single BitTorrent user with only modest amounts of bandwidth to send malformed requests to other BitTorrent users.
The BitTorrent applications receiving the request, in turn, flood a third-party target with data that’s 50 to 120 times bigger than the original request.
Tomi Engdahl says:
Italian teen finds two zero-day vulnerabilities in OS X
http://www.pcworld.com/article/2971772/italian-teen-finds-two-zeroday-vulnerabilities-in-os-x.html
An Italian teenager has found two zero-day vulnerabilities in Apple’s OS X operating system that could be used to gain remote access to a computer.
The finding comes after Apple patched last week a local privilege escalation vulnerability that was used by some miscreants to load questionable programs onto computers.
Luca Todesco, 18, posted details of the exploit he developed on GitHub. The exploit uses two bugs to cause a memory corruption in OS X’s kernel, he wrote via email.
The memory corruption condition can then be used to circumvent kernel address space layout randomization (kASLR), a defensive technique designed to thwart exploit code from running. The attacker then gains a root shell.
Tomi Engdahl says:
Andy Greenberg / Wired:
New Dark Web study shows drug market turns over $100M+/year in illegal substances, and the ecosystem is becoming more resilient to crackdowns, setbacks
Crackdowns Haven’t Stopped the Dark Web’s $100M Yearly Drug Sales
http://www.wired.com/2015/08/crackdowns-havent-stopped-dark-webs-100m-yearly-drug-sales/
After more than four years and two giant law enforcement busts, the Dark Web’s drug market is still just as robust as it was during the Silk Road’s heyday. In fact, according to a new study, it’s now moving well over $100 million of illegal substances a year, and it’s recovering from every new scam-induced setback and government crackdown faster than the last one.
More surprising, perhaps, is that the Dark Web economy roughly maintains that sales volume even after major disasters like thefts, scams, takedowns, and arrests. According to the Carnegie Mellon data, the market quickly recovered after the Silk Road 2 market lost millions of dollars of users’ bitcoins in an apparent hack or theft. Even law enforcement operations that remove entire marketplaces, as in last year’s purge of half a dozen sites in the Europol/FBI investigation known as Operation Onymous, haven’t dropped the market under $100 million in sales per year. “What we’ve seen is that, as a whole, the ecosystem is resilient to these adverse events,” says Christin. “That shows it’s going to be a lot harder to get rid of these marketplaces than one would have thought.”
The relatively limited impacts of these recent setbacks contrast starkly with earlier dings to the Dark Web drug economy.
The Carnegie Mellon study represents the best attempt yet to measure the size and trajectory of the drug markets that use tools like the anonymity software Tor and bitcoin to hide visitors’ identities and evade law enforcement.
The study’s sales data reveals a number of smaller points, too:
Although a few Dark Web dealers have sold huge amounts of narcotics, most vendors sell very little and don’t make much money: 70 percent of them sold less than $1,000 worth of products, while only 2 percent sold more than $100,000.
Dark Web market sellers are adopting more encryption tools. While they’ve been slow to start using so-called multi-signature transactions—a feature of bitcoin that could prevent the currency from being stolen by fraudsters or seized by cops—they’ve almost universally started communicating with the crypto software PGP.
The Dark Web’s most popular drugs appear to be marijuana and MDMA, with each accounting for close to 25 percent of the total sales volume.
The researchers end their paper with a plea for policymakers to rethink their attempts to simply shut down the Dark Web’s markets. “It is not clear that take-downs will be effective; at least we have found no evidence they were,”
Tomi Engdahl says:
John D. McKinnon / Wall Street Journal:
IRS says cyberattacks more extensive than previously reported, with more than 300K taxpayer accounts potentially affected — IRS Says Cyberattacks More Extensive Than Previously Reported — The Internal Revenue Service said identity thieves’ penetration of one of its computer databases …
IRS Says Cyberattacks More Extensive Than Previously Reported
Tax data for up to 330,000 households might have been stolen
http://www.wsj.com/article_email/irs-says-cyberattacks-more-extensive-than-previously-reported-1439834639-lMyQjAxMTE1NjE2NzUxNzc3Wj
The Internal Revenue Service said Monday that more than twice as many taxpayer accounts were hit by identity thieves than the agency first reported, with hackers gaining access to as many as 330,000 accounts and attempting to break into an additional 280,000.
The IRS said in May that cyber crooks used stolen Social Security numbers and other data acquired elsewhere to try to gain access to prior-year tax return information for about 225,000 U.S. households. That included about 114,000 successful attempts and 111,000 unsuccessful ones.
The agency said Monday that further investigation showed an additional 390,000 taxpayers were potentially affected, including about 220,000 accounts where hackers cleared an authentication process and about 170,000 failed attempts.
Tomi Engdahl says:
Ransomware goes OPEN SOURCE in the name of education
Won’t somebody think of the script kiddies?
http://www.theregister.co.uk/2015/08/18/ransomware_goes_open_source/
Turkish security bod Utku Sen has published what appears to be the first open source ransomware that anyone can download and spread.
The “Hidden Tear” ransomware, available to GitHub, is a functional version of the malware the world has come to hate; it uses AES encryption to lock down files and can display a scare warning or ransom message to get users to pay up.
Sen says the malware will evade detection by all common anti-virus platforms.
“While this may be helpful for some, there are significant risks,” Sen says.
“Hidden Tear may be used only for educational purposes. Do not use it as a ransomware.”
One could envisage such “educational purposes” as entailing making the case for better backup systems for purse-holding superiors, but it is likely a hard case to state.
Github moderators will no doubt evaluate that claim.
Tomi Engdahl says:
Anti-botnet initiatives USELESS in sea of patch-hating pirates
A million low end, pirate boxes still spewing malware relic.
http://www.theregister.co.uk/2015/08/18/antibotnet_initiatives_useless_in_sea_of_patchhating_pirates/
Three Dutch researchers have crunched data gleaned from efforts to battle the Conficker bot and declared anti-botnet initiatives all but useless for clean up efforts.
Conficker was born in 2008 spreading aggressively through a since patched remote code execution Microsoft vulnerability (MS08-067) that affected all operating systems including servers. The rate increased with a malware update that allowed Conficker to spread via USB
A million machines are thought to be still infected. Some 12 million unique IP addresses were still pinging a Conficker sinkhole server in the six weeks to December last year, despite that the botnet is headless and long abandoned.
About 284,000 of those were also infected with the scuttled GameOver Zeus bot, showcasing the threat that the headless node machines present to the wider internet.
Researchers Hadi Asghari, Michael Ciere, and Michel J.G. van Eeten of Delft University of Technology say efforts including Australia’s iCode, Germany’s BotFrei, and Ireland’s anti-botnet initiative are largely failures.
“It is somewhat surprising, and disappointing, to see no evidence for the impact of the leading remediation efforts on bot cleanup,” the trio say in the paper [Post-Mortem of a Zombie: Conficker Cleanup After Six Years pdf].
“We find that institutional differences, such as ICT development or unlicensed software use, explain much of the variance, while the national anti-botnet centers have had no visible impact” while “… institutional factors such as ICT development and unlicensed software use have influenced the spread and cleanup of Conficker more than the leading large scale anti-botnet initiatives.”
The researchers say botnet battlers are better served by helping to bolster a country’s long term ICT development. Those with low technology development house twice as many Conficker nodes than those which are IT advanced.
To that end they highlight Finland for its long-term look at botnet cleansing which has made that country one of the least infected nations.
Post-Mortem of a Zombie:
Conficker Cleanup After Six Years
https://www.usenix.org/system/files/conference/usenixsecurity15/sec15-paper-asghari.pdf
Tomi Engdahl says:
VW Has Spent Two Years Trying to Hide a Big Security Flaw
Got a VW, Fiat, Audi, Ferrari, Porsche or Maserati? Then you might want to check the model.
http://www.bloomberg.com/news/articles/2015-08-14/vw-has-spent-two-years-trying-to-hide-a-big-security-flaw
Thousands of cars from a host of manufacturers have spent years at risk of electronic car-hacking, according to expert research that Volkswagen has spent two years trying to suppress in the courts.
“Keyless” car theft, which sees hackers target vulnerabilities in electronic locks and immobilizers, now accounts for 42 percent of stolen vehicles in London. BMWs and Range Rovers are particularly at-risk, police say, and can be in the hands of a technically minded criminal within 60 seconds.
Security researchers have now discovered a similar vulnerability in keyless vehicles made by several carmakers. The weakness – which affects the Radio-Frequency Identification (RFID) transponder chip used in immobilizers – was discovered in 2012, but carmakers sued the researchers to prevent them from publishing their findings.
This week the paper – by Roel Verdult and Baris Ege from Radboud University in the Netherlands and Flavio Garcia from the University of Birmingham, U.K. – is being presented at the USENIX security conference in Washington, D.C. The authors detail how the cryptography and authentication protocol used in the Megamos Crypto transponder can be targeted by malicious hackers looking to steal luxury vehicles.
The Megamos is one of the most common immobilizer transponders, used in Volkswagen-owned luxury brands including Audi, Porsche, Bentley and Lamborghini, as well as Fiats, Hondas, Volvos and some Maserati models.
“This is a serious flaw and it’s not very easy to quickly correct,” explained Tim Watson, Director of Cyber Security at the University of Warwick. “It isn’t a theoretical weakness, it’s an actual one and it doesn’t cost theoretical dollars to fix, it costs actual dollars.”
researchers broke the transponder’s 96-bit cryptographic system, by listening in twice to the radio communication between the key and the transponder
“The attack is quite advanced, but VW produces a lot of very high-end vehicles that get stolen to order. The criminals involved are more sophisticated than the sorts who just steal your keys and drive off with your car,” said security researcher Andrew Tierney.
There’s no quick fix for the problem – the RFID chips in the keys and transponders inside the cars must be replaced, incurring significant labor costs.
The research team first took its findings to the manufacturer of the affected chip in February 2012 and then to Volkswagen in May 2013. The car-maker filed a lawsuit to block the publication of the paper – arguing that its vehicles would be placed at risk of theft – and was awarded an injunction in the U.K.’s High Court. Now, after lengthy negotiations, the paper is finally in the public domain – with just one sentence redacted.
The Megamos Crypto is not the only immobilizer to have been targeted in this way – other popular products including the DST transponder and KeeLoq have both been reverse-engineered and attacked by security researchers.
Tomi Engdahl says:
Hackers Invade Hospital Networks Through Insecure Medical Equipment
http://spectrum.ieee.org/view-from-the-valley/biomedical/devices/hackers-invade-hospital-networks-through-insecure-medical-equipment
“Oh no, not again,” sings Rod Stewart in his 1984 song “Infatuation.” That’s how I felt in reading an early version of a report on medical device hacking from TrapX Labs, a cybersecurity research team within security system maker TrapX, scheduled to be released on 15 June.
The report, “Anatomy of an Attack–Medical Device Hijack (MEDJACK),” describes in detail three situations in which hackers were able to get into supposedly secure hospital networks, collecting valuable information, by targeting medical devices. human os icon
Once into the devices, the hackers were able to roam at will through hospital networks. Their goal was the valuable health insurance information in patient records—this, TrapX stated, is worth 20 times the value of a credit card record on the black market. But had they wanted to, they could potentially have taken control of the devices themselves.
So the world has changed, but many medical devices and systems have not.
The basic software architecture of many of the devices used in hospitals and medical clinics today is still based on designs from 10 or 20 years ago. The software may have been updated to support graphical or touchscreen user interfaces, enable greater connectivity to IT networks and increase ease-of-use, but security has rarely been a priority when building new versions of these old designs.
Now we are paying the price.
Over the past 25 years the automotive industry has made tremendous progress in vehicle safety.
These advances are the result of automakers embracing safety as a fundamental design principal and making heavy investments into safety. It is time for medical device companies to follow suit and treat security as a fundamental design component, not an optional add-on.
The notion of “security critical” vs. “non-security critical” devices must also be abandoned once and for all.
Building security into new devices is critical to ensure the next generation of medical devices does not suffer from the security problems outlined in the MedJack report. But a larger problem still exists. There are millions of legacy devices with weak or non-existent security in use today. The cost to replace these devices would run into the hundreds of billions of dollars. Realistically, it will take a decade or more to replace all of these devices.
A cost-effective alternative is needed for these systems. One option is a low cost bump-in-the-wire (BITW) security device. Such a device can be installed in front of a legacy device and used to control all network communication with the device.
Tomi Engdahl says:
Who Should Be Responsible For IT Security?
Hot potato, or hot job?
http://www.theregister.co.uk/2015/08/18/responsibility_for_it_security/
Typically, when a cybersecurity problem arises, it’s the IT department that gets it in the neck. Ostensibly, that makes sense. After all, if someone is in your network mining your database for corporate secrets, it’s hardly the office manager or the accounts receivable department’s lookout, right?
Perhaps. On the other hand, there’s a case to be made that putting Canadian IT departments alone in charge of the cybersecurity budget and decision making may not be wholly effective. Some believe that carving out cybersecurity as a separate function could lead to better, cheaper information security overall.
John Lyons, chief executive of the International Cyber Security Protection Alliance, is one of them. For security to be a first-class citizen, it needs to have its own champion outside the IT department, he believes. “If you have a CISO reporting through a CIO or if you put the cybersecurity budget in the technology budget, then the security spend gets lost among other priorities,” he warned. “It’s right to segregate out the expenditure on security as a discrete part of the overall spend in the company.”
Tim Holman, director of the international board for the Information Systems Security Association, agrees. It can be a particular problem when companies lump all of the cybersecurity budget into the IT department, he warned.
“If the IT director has a lot of purely IT staff working under him then it’s the wrong place to put money because it’ll just get spent on IT security,” he said. “Often, the security function is in the IT domain. I think everyone sees security as an IT problem. Maybe the IT director should know better than to accept that responsibility.” When companies do take cybersecurity expenditure out of the IT budget, how well do they protect themselves? IDC surveyed over 200 organisations in Canada to assess their security budgets, looking at how much they spent, and what they spent it on.
On average, Canadian organisations spend just under 10% of their budget on security technology, according to the IDC survey. This doesn’t include services and staff.
Realists spend 14% of their IT budget on security. Their IT security is fair but they strive to be better. Egoists are the top of the heap, with a 4-5 maturity rating when it comes to cybersecurity, but here’s the thing: they spend slightly less of their IT budget on cybersecurity than the realists, at 12%.
Why would the highest cybersecurity performers not also be the highest cybersecurity spenders? “The trend that most mature organisations start to spend less on security is very common,” Pescatore said. “That’s because they avoid vulnerabilities using better IT and procurement practices, but it’s also due to a lot of spending on security that isn’t counted as security spending.”
This spending typically happens outside the IT department, he argues, explaining that money earmarked for improving information security can be spent in various ways. For example, companies might allocate some of that money to a proper cybersecurity awareness training program that actually worked.
One danger of putting all the budget for cybersecurity inside the IT department is that it will just get spent on technology to try and solve the problem. Most experts seem to agree that cybersecurity tools on their own are enough.
Even when IT departments do buy technology, the signs are that the expenditure isn’t addressing some of the newer threats very well. Most of the spend – a whopping 32.8% – goes on network security, with identity access management and secure virtual machines coming a distant second and third. What’s interesting is that technologies such as mobile, web, and email security – often considered clear and present dangers – rank relatively low, with companies barely spending single figures.
Moreover, companies in Canada admit that they aren’t focusing enough on people as a crucial component of the security ecosystem. Ideally, companies would invest in awareness programs that actually make a difference
If we accept that companies should be spending money on cybersecurity outside the IT department, the question then becomes: how? In an ideal world, said Holman, there would be a single person responsible for that process. A CISO would have visibility and budget for cybersecurity across all aspects of the business. They would have a place on the board, and would be able to speak to other C-suite executives using board-level language.
IT employees may well be fired if a company is compromised by a breach, but ultimately, the responsibility rests with the board, which has a duty of care to the company, including making informed decisions with diligence and skill. In 2013, the Canadian Securities Association adopted Staff Notice 11-326, which outlines some board-level responsibilities around cybersecurity.
There are several other problems for CISOs. One of them is that they’re typically not very popular, warns Holman. “CISOs are seen as a thorn in people’s side,”
Done properly, a CISO role will often be at odds with the board, because agendas may conflict.
Cybersecurity may well be a holistic pursuit, but deficiencies in IT operations still contribute a disproportionate amount to cybersecurity breaches, he warns.
Tomi Engdahl says:
Wish Wu / TrendLabs Security Intelligence Blog:
Another serious exploit found in Android’s mediaserver component, where Stagefright bugs were found — MediaServer Takes Another Hit with Latest Android Vulnerability — The “hits” keep on coming for Android’s mediaserver component. We have discovered yet another Android mediaserver vulnerability …
Aug17
MediaServer Takes Another Hit with Latest Android Vulnerability
http://blog.trendmicro.com/trendlabs-security-intelligence/mediaserver-takes-another-hit-with-latest-android-vulnerability/
The “hits” keep on coming for Android’s mediaserver component. We have discovered yet another Android mediaserver vulnerability, which can be exploited to perform attacks involving arbitrary code execution. With this new vulnerability, an attacker would be able to run their code with the same permissions that the mediaserver program already has as part of its normal routines.
This vulnerability has been designated as CVE-2015-3842. While it affects Android versions 2.3 to 5.1.1, Google has fixed and published details this vulnerability via the Android Open Source Project (AOSP). Currently, there are no known active attacks against this vulnerability.
Tomi Engdahl says:
Kim Zetter / Wired:
Hackers post 9.7GB data purportedly from Ashley Madison breach to dark web, including e-mails, profiles, and credit card transactions — Hackers Finally Post Stolen Ashley Madison Data — Hackers who stole sensitive customer information from the cheating site AshleyMadison.com appear …
Hackers Finally Post Stolen Ashley Madison Data
http://www.wired.com/2015/08/happened-hackers-posted-stolen-ashley-madison-data/
“Ashley Madison is the most famous name in infidelity and married dating,” the site asserts on its homepage. “Have an Affair today on Ashley Madison. Thousands of cheating wives and cheating husbands signup everyday looking for an affair…. With Our affair guarantee package we guarantee you will find the perfect affair partner.”
The data released by the hackers includes names, addresses and phone numbers submitted by users of the site, though it’s unclear if members provided legitimate details. A sampling of the data indicates that users likely provided random numbers and addresses, but files containing credit card transactions will yield real names and addresses, unless members of the site used anonymous pre-paid cards. One analysis of email addresses found in the data dump also shows that some 15,000 are .mil. or .gov addresses.
The data also includes descriptions of what members were seeking.
asswords released in the data dump appear to have been hashed using the bcrypt algorithm for PHP, but Robert Graham, CEO of Erratasec, says that despite this being one of the most secure ways to store passwords, “hackers are still likely to be able to ‘crack’ many of these hashes in order to discover the account holder’s original password.” If the accounts are still online, this means hackers will be able to grab any private correspondence associated with the account.
Brian Krebs / Krebs on Security:
Multiple sources report finding their personal info in Ashley Madison data dump despite former CTO’s claims that some of the leaked data is not genuine — Was the Ashley Madison Database Leaked? — Many news sites and blogs are reporting that the data stolen last month from 37 million users …
Was the Ashley Madison Database Leaked?
http://www.krebsonsecurity.com/2015/08/was-the-ashley-madison-database-leaked/
Many news sites and blogs are reporting that the data stolen last month from 37 million users of AshleyMadison.com — a site that facilitates cheating and extramarital affairs — has finally been posted online for the world to see. In the past 48 hours, several huge dumps of data claiming to be the actual AshleyMadison database have turned up online. But there are precious few details in them that would allow one to verify these claims, and the company itself says it so far sees no indication that the files are legitimate.
Update, 11:52 p.m. ET: I’ve now spoken with three vouched sources who all have reported finding their information and last four digits of their credit card numbers in the leaked database. Also, it occurs to me that it’s been almost exactly 30 days since the original hack.
A huge trove of data nearly 10 gigabytes in size was dumped onto the Deep Web and onto various Torrent file-sharing services over the past 48 hours.
Tomi Engdahl says:
OwnStar Wi-Fi attack now grabs BMW, Mercedes, and Chrysler cars’ virtual keys
Using SSL proxy, attack decrypts user data, allowing remote access to vehicle.
http://arstechnica.com/security/2015/08/simple-wi-fi-attack-grabs-bmw-mercedes-and-chrysler-cars-virtual-keys/
Remember OwnStar? Earlier this month, security researcher and NSA Playset contributor Samy Kamkar demonstrated a Wi-Fi based attack that allowed his device to intercept OnStar credentials from the RemoteLink mobile application—giving an attacker the ability to clone them and use them to track, unlock, and even remote start the vehicle. Kamkar discussed the details of the attack last Friday at DEF CON in Las Vegas, noting that the RemoteLink app on iOS devices had failed to properly check the certificate for a secure connection to OnStar’s server, or—as is more common in mobile apps using HTTPS to access Web services—use a “pinned” certificate hard-coded into the application itself. OnStar quickly resolved the issue with a RemoteLink app update.
But OwnStar has moved on to other targets. Today, Kamkar announced that he had adapted the tool to target applications for BMW Remote, Mercedes-Benz mbrace, and Chrysler’s Uconnect services on Apple iOS devices. All three, he said in an exchange with Ars via Twitter, have the exact same vulnerability as the RemoteLink app did: “no pinned cert or even PKI/[certificate authority] validation. Trivial to attack an unadulterated mobile device.”
The OwnStar device packs all the components required to execute this attack into a portable case that can be placed near a targeted vehicle.
Tomi Engdahl says:
Expand
Microsoft Security Bulletin MS15-093 – Critical
7 out of 12 rated this helpful – Rate this topic
Security Update for Internet Explorer (3088903)
Published: August 18, 2015
https://technet.microsoft.com/en-us/library/security/ms15-093.aspx
This security update is rated Critical for Internet Explorer 7 (IE 7), Internet Explorer 8 (IE 8), Internet Explorer 9 (IE 9), Internet Explorer 10 (IE 10), and Internet Explorer 11 (IE 11) on affected Windows clients, and Moderate for Internet Explorer 7 (IE 7), Internet Explorer 8 (IE 8), Internet Explorer 9 (IE 9), Internet Explorer 10 (IE 10), and Internet Explorer 11 (IE 11) on affected Windows servers.
Tomi Engdahl says:
Why is Bitcoin forking?
A tale of differing visions
https://medium.com/@octskyward/why-is-bitcoin-forking-d647312d22c1
Tomi Engdahl says:
Why Certify? The Significance of Security Certification
http://www.eetimes.com/author.asp?section_id=36&doc_id=1327445&
Although OEMs may worry about the complexity of getting third-party security certifications, the benefits of certification far outweigh the cost.
When it comes to security, many electronics OEMs building anything from routers and network appliances to mobile devices consider certification of their products by an independent organization an option, rather than a requirement. However, third-party testing is an important element when a potential customer is choosing technology solutions to be part of its security management program.
Security management programs can be very complex and require a sound foundation of products and services. Much like the foundation of a house, security certification shores up your business’ foundation, enabling the products built on top of it to function as they should. Despite the clear advantages, a few key certification challenges seem difficult to overcome. With proper guidance and planning, however, these challenges don’t have to get in the way of sound security procedures.
Challenge: The inability to develop a business case and demonstrate a tangible return on investment
Solution: In the case of the enterprise, certification provides a critical component to the due diligence process. Whether you are spending tens of thousands or millions of dollars for a given technology, you are looking to solve a problem, not invite new ones or get a false sense of security. Today, data breaches have an impact on virtually every type of organization and they help highlight the importance of making the right technology decisions.
Tomi Engdahl says:
High speed Police pursuits: Technology needs to step in to save lives
http://www.planetanalog.com/author.asp?section_id=3065&doc_id=564018&
Police departments around the country have advanced in many technologies over the last 15 years, but pursuit-termination devices have not kept up with those advances
Helicopters are another possibility, but by the time a helicopter warms up and gets into the air, the suspect vehicle is usually gone. Not that many police departments have helicopters
There is one newer system being deployed called StarChase which shoots a small adhesive GPS device out of the front grille of the pursuing police vehicle but at a cost of $5,000 per vehicle and only with a 60% hit rate—not a device to put on every police car in the fleet if you have a tight budget. You still have to chase a car to get close enough to fire the GPS tracker, but the high speed pursuit can be cut short one the tracker adheres to the car.
Another idea was a device that could fire microwaves at the fleeing vehicle that would confuse the automobile’s electrical system and cause the engine to shut down. This could work from 60 feet away. But what about other cars and people nearby?
There has to be a lower cost way to do this with our amazing electronics technology today. In my mind, a far cheaper, but viable solution could be drones.
Tomi Engdahl says:
Stagefright 2: all versions of Android since 2010 hit by privacy-busting flaw
http://www.theguardian.com/technology/2015/aug/18/stagefright-2-all-versions-android-since-2010-hit-by-privacy-flaw
Security researchers warn that privacy of victims may be at risk from hackers running their own code on mobile devices – and a patch is not yet available
Stagefright, the hugely widespread Android vulnerability which Google finally patched in early August, is back for a second go.
Security research firm Trend Micro has discovered a new vulnerability in how videos are handled in Android, which they warn can allow a hacker to run their own code on mobile devices.
Like the flaw in Stagefright, the attack works on nearly every version of Android still in use, from 2010’s version 2.3 all the way to April’s version 5.1.1.
Trend Micro’s Wish Wu says: “With this new vulnerability, an attacker would be able to run their code with the same permissions that the mediaserver program already has as part of its normal routines.
Tomi Engdahl says:
Want branchless banking? Live in the developing world? Oops
Mo(bile) money, mo(bile) problems, says Florida team
http://www.theregister.co.uk/2015/08/19/branchless_banking_apps_developing_world/
Branchless banking apps targeted at customers in the developing world are rife with vulnerabilities, according to security researchers.
A study by computer scientists from the University of Florida focused on seven of the more high-profile apps, uncovering flaws that created a heightened risk of fraud as well as “unfair” terms of service.
The findings were based on a manual analysis of Airtel Money, Money-On-Mobile, Oxigen Wallet (all from in India); Thailand’s mPay, the Philippines’ GCash, Brazil’s Zuum, and mCoin from Indonesia.
The five researchers – Bradley Reaves, Nolen Scaife, Adam Bates, Patrick Traynor and Kevin R.B. Butler – came to their unfavourable assessment after what’s billed as the first comprehensive analysis of its type.
Smartphone apps provide an electronic payment infrastructure in the local absence of alternatives such as credit cards, and the technology provides much-needed financial services to the unbanked people in the developing world.
Although billed as a more secure option to cash, branchless banking apps are dangerously insecure, according to the team of five.
After carrying out an automated analysis of all 46 known Android mobile money apps across the 246 known mobile money sites, an exercise that “fails to provide reliable insights”, the researchers turned towards a “comprehensive manual teardown of the registration, login, and transaction procedures of a diverse 15 per cent of these apps”.
Mmmm, well, the results weren’t pretty.
“We uncovered pervasive and systemic vulnerabilities spanning botched certification validation, do-it-yourself cryptography, and myriad other forms of information leakage that allow an attacker to impersonate legitimate users, modify transactions in flight, and steal financial records,” according to the University of Florida team.
“These findings confirm that the majority of these apps fail to provide the protections needed by financial services,” they added.
Liability shift
Leaving aside alleged security shortcomings, the University of Florida said the terms of service for branchless banking apps tends to push the liability for fraudulent or disputed transactions towards consumers.
Credit card firms are jointly liable alongside vendors if something goes wrong with a product or a service purchased by credit card for purchases over £100 in the UK. Visa USA offers consumers “zero liability” for unauthorised purchases.
Similar protections exist for the majority of credit cards issued by banks in Europe, whereas users of branchless banking apps are generally held liable for transactions made using their credentials in a way not unlike European banking customers deemed responsible for ATM cash withdrawals.
“Through inspection of providers’ terms of service, we also discover that liability for these problems unfairly rests on the shoulders of the customer, threatening to erode trust in branchless banking and hinder efforts for global financial inclusion,” the team concluded.
Tomi Engdahl says:
Pawn Storm’s Domestic Spying Campaign Revealed; Ukraine and US Top Global Targets
http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storms-domestic-spying-campaign-revealed-ukraine-and-us-top-global-targets/
Why would Pawn Storm, the long-running cyber-espionage campaign, set its sights on a Russian punk rock group? Sure, Pussy Riot is controversial. Members of the feminist band had previously been thrown in jail for their subversive statements against the Orthodox Church and Russian patriarchal system. But why would attackers have any interest in them? What is their connection to other targets?
Earlier this year, we reported that the operators behind Pawn Storm had gone after members of the North Atlantic Treaty Organization (NATO), the White House, and the German parliament. Previously, they focused on various embassies and military attachés stationed across several countries. Pawn Storm’s targets have mostly been external political entities outside of Russia, but after our analysis we found that a great deal of targets can actually be found within the country’s borders.
Tomi Engdahl says:
Firefox Security Exploit Targets Linux Users and Web Developers
http://www.linuxjournal.com/content/firefox-security-exploit-targets-linux-users-and-web-developers?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+linuxjournalcom+%28Linux+Journal+-+The+Original+Magazine+of+the+Linux+Community%29
Through the years, Firefox has enjoyed a reputation as one of the most secure Web browsers on any platform, and it’s the default browser for many Linux distros. However, a security exploit appeared this week that has shown users they can’t afford to be complacent about security. Mozilla has rushed to patch the flaw, and a new release has closed the hole (39.0.3). But, plenty of users still haven’t updated their browsers.
The exploit comes in the form of malicious code hidden within an apparently innocuous ad. The code runs when the user visits the site and leaves no traces that it was active. It scans the victim’s computer for sensitive files and uploads them to a server in the Ukraine.
The current version of the exploit seems to be targeted at Web developers and administrators. It searches for files containing sensitive information that will allow the Ukrainian cyber-criminals to gain access to Web servers and Amazon Web services accounts.
With the credentials to access these remote servers, an attacker would have an almost unlimited array of options. They could deface a Web site, install malware to attack the site’s users, steal client databases and much more.
The search is extremely thorough, ransacking the victim’s machine searching for the following:
Configuration files for eight different FTP programs.
Configuration files for Remmina (a remote desktop app).
SSH config files and private/public key.
.bash_history (a list of the most terminal commands a bash user has executed).
.mysql_history and .pgsql_history (which contain information that could be used to attack a remote database).
s3browser files (s3browser is an app used to access Amazon cloud storage).
The malicious code recognizes the user’s operating system and looks in the appropriate directories. It can adapt itself to Windows, Linux and Mac.
Fortunately, protecting yourself from this current exploit is as easy as updating to the latest version of Firefox.
Tomi Engdahl says:
Graham Cluley / The State of Security:
Microsoft issues emergency patch for vulnerability allowing attackers to hijack Windows machines via IE — IE Under Attack! Microsoft Releases Emergency Out-of-Band Patch — If Microsoft calls a vulnerability “critical,” warns that it affects all versions of Windows …
IE Under Attack! Microsoft Releases Emergency Out-of-Band Patch
http://www.tripwire.com/state-of-security/vulnerability-management/ie-under-attack-microsoft-releases-emergency-out-of-band-patch/
Today, Microsoft has issued an advisory about a zero-day vulnerability, dubbed CVE-2015-2502, that could allow an attacker to hijack control of your computer via Internet Explorer – just by you visiting a boobytrapped webpage.
Microsoft’s new browser, Edge, which ships with Windows 10, is not at risk through the vulnerability. But the same cannot be said for all currently supported versions of Internet Explorer, including version 11.
In its advisory, Microsoft warns that vulnerable computers can be exploited just by visiting maliciously-crafted webpages using Internet Explorer, with no further user interaction is required.
Most likely, attempts would be made to redirect potential victims to boobytrapped websites using spammed-out links, or by tricking users into opening an unsolicited email attachment.
Tomi Engdahl says:
Ruth Reader / VentureBeat:
Ephemeral, off-the-record messaging app Confide expands to desktop for Windows and Mac, available now for free; paid business version coming later this year — Confide brings ephemeral messaging to desktop, with Mac and Windows clients — When off-the-record messenger Confide launched …
Confide brings ephemeral messaging to desktop, with Mac and Windows clients
http://venturebeat.com/2015/08/18/confide-brings-ephemeral-messaging-to-desktop-with-mac-and-windows-clients/
When off-the-record messenger Confide launched more than a year ago, its main goal was to secure business communications. It started by making a mobile app for ephemeral text messaging and then expanded to include document and photo sharing. Now the company is rolling out a desktop version for both Windows and Mac to help employees share sensitive documents without having to reach for their phone.
Like the mobile version, Confide for desktop allows users to send and receive encrypted messages, documents, and photos. In addition to being encrypted, text is blocked out with Confide’s signature orange censor bars. Users can pull documents and photos directly from Google Drive, Dropbox, Box, and OneDrive into Confide, or drag and drop documents directly from their desktop into a message.
If you’re like many in today’s workforce, you spend the majority of your day fixated on a glowing computer screen rather than on your phone, which makes desktop applications key. For Confide, in addition to moving closer to its goal of providing a paid enterprise service, the desktop launch is also meant to keep the company competitive with other services out there. Another self-destructing messaging app aimed at the business class, Cyber Dust, already has a desktop version.
But a little competition may not matter much, given the demand for this kind of product. Because of the number of cyber attacks that major companies — including J.P. Morgan, Target, and Sony — have suffered in recent years, more and more businesses are looking for ways to secure internal documents and communications around potential deals.
Tomi Engdahl says:
Robin Sidel / Wall Street Journal:
Sources: Target to pay Visa up to $67M over 2013 data breach, is working with MasterCard on similar deal after earlier $19M settlement rejected
Target to Settle Claims Over Data Breach
Retailer to pay Visa issuers up to $67 million, is working with MasterCard on similar deal
http://www.wsj.com/article_email/target-reaches-settlement-with-visa-over-2013-data-breach-1439912013-lMyQjAxMTI1MDE1ODkxMjgzWj
Target Corp. agreed to reimburse thousands of financial institutions as much as $67 million for costs incurred from a massive 2013 data breach that damaged the retailer’s reputation with shoppers and cut into sales.
The agreement, struck with Visa Inc. on behalf of banks and other firms that issue credit and debit cards, comes as the card industry and merchants are moving toward more secure cards that are aimed at stopping such attacks.
Target also said it is working with MasterCard Inc. on a similar deal for its card issuers.
The size of the two settlements could rival a 2010 agreement in which Heartland Payment Systems Inc. agreed to pay more than $100 million to Visa and MasterCard for a large 2008 breach.
The exact amount of fraud that resulted from the Target breach still isn’t known. Trade groups representing community banks and credit unions estimate that they spent more than $350 million to reissue credit and debit cards and deal with other issues tied to the Target breach and the subsequent Home Depot hack.
“This settlement is a step in the right direction, but it still may not make credit unions whole,”
Tomi Engdahl says:
Bruce Schneier: ‘We’re in early years of a cyber arms race’
We’re up against Norks, China … but who else?
http://www.theregister.co.uk/2015/08/19/bruce_schneier_linuxcon/
LinuxCon 2015 Security guru Bruce Schneier says there’s a kind of cold war now being waged in cyberspace, only the trouble is we don’t always know who we’re waging it against.
Schneier appeared onscreen via Google Hangouts at the LinuxCon/CloudOpen/ContainerCon conference in Seattle on Tuesday to warn attendees that the modern security landscape is becoming increasingly complex and dangerous.
“We know, on the internet today, that attackers have the advantage,” Schneier said. “A sufficiently funded, skilled, motivated adversary will get in. And we have to figure out how to deal with that.”
Using the example of last November’s crippling online attack against Sony Pictures, Schneier said it was clear that many of these new attacks were the work of well-funded nation-states.
“Many of us, including myself, were skeptical for several months. By now it does seem obvious that it was North Korea, as amazing as that sounds,” he said.
But what’s troubling about many of these new attacks, he added, is that they can be hard to spot when they don’t come in the form that security experts typically expect.
“The target [in the Sony hack] was not critical infrastructure,” Schneier said. “I think if you made a list of what we thought were foreign targets, a movie company wouldn’t be in our top 100. Yet it seems that the first destructive attack by a nation-state against the United States was against a movie company.”
What’s more, Schneier said, even though the evidence in the Sony case appears to point to North Korea, in other cases it can be difficult to pinpoint the attacker. In the case of the Stuxnet worm that crippled Iranian nuclear enrichment facilities, for example, Iran didn’t even seem to be aware that the damage was the result of an attack until the media started reporting that story.
‘A lot of attacks from the Western countries go through China’
“It’s easy to false-flag. It’s easy to pretend your attack comes from somewhere else,” Schneier said. “My belief is a lot of attacks from the Western countries go through China, simply because everyone knows a lot of attacks go through China, and that’s a perfect way to hide where you’re from.”
If the attacker is two guys in a basement, as Schneier says, then most likely it’s a matter for the police. If, on the other hand, the attacker is North Korea, then the military should probably get involved.
“Unfortunately, we’re in the early years of a cyber arms race. We’re seeing a lot of stockpiling cyber weapons, both by the United States and Western countries … by China, Russia, other countries. A lot of rhetoric about cyberwar,” Schneier said. “What concerns me is that we’re all going to be in the blast radius.”
Tomi Engdahl says:
Net scum respect their elders so long as it leads to p0wnage
Shiny new Angler exploit kit and mothballed macroviruses top attack charts
http://www.theregister.co.uk/2015/08/20/advanced_angler_mothballed_macros_both_winners_in_user_pwnage/
Net scum are employing both cool new attacks like the Angler exploit kit and oldies-but-goodies such as macroviruses in their undergoing something of a generational clash, with Cisco reporting both Word macros and the sophisticated Angler exploit kit are the most popular attack vectors this year.
Blackhats dumped macros as an attack vector after Microsoft deactivated the Word document scripting by default way back in 2006.
The vector is now back in vogue used in daily attacks as attackers go to some length to convince users to re-activate macros and ignore security warnings before running their malicious code.
“The upswing in the use of Microsoft Office macros to deliver banking trojans shows the convergence of two trends in the world of online criminals: resurrecting old tools or threat vectors for reuse, and changing the threat so quickly and frequently that they can relaunch attacks over and over again and evade detection,” Cisco says in its mid year threat report [pdf].
“Using social engineering techniques, bad actors can persuade users to turn on macros, thereby adding a new tactic to their toolboxes.”
Tomi Engdahl says:
Holes found in Pocket Firefox add-on
Patched server holes could making for painful reading
http://www.theregister.co.uk/2015/08/20/holes_found_in_pocket/
nformation security man Clint Ruoho has detailed server-side vulnerabilities in the popular Pocket add-on bundled with Firefox that may have allowed user reading lists to be populated with malicious links.
The since-patched holes were disclosed July 25 and fixed August 17 after a series of botched patches, and gave attackers access to the process running as root on Amazon servers.
“Applications similar to Pocket require some logic to handle HTTP redirects on links [and] I added a link to my queue that resulted in a somewhat malicious redirect,” Ruho says.
“After refreshing the Pocket app on my Android phone, the (reading) list included
etc/passwd.