Security trends for 2015

Year 2014 is coming to an end, so it is time to look forward to what to expect from 2015 in cyber security.

Cyber security will get harder year by year. Year 2014 was much worse than 2013: Heartbleed, the Bash bug (Shellshock) and POODLE were just the beginning of what to expect in 2015. I expect that 2014 will look easy compared to 2015, which will prove to be a challenging year for IT security professionals. Attacks can happen anywhere and at any time, they don't have to be major attacks by nation states, and they can come from inside or outside.

According to Gartner (as reported by SecurityWeek), total information security spending will grow a further 8.2 percent in 2015 to reach $76.9 billion. Unfortunately, security investments are not keeping up with IT enhancements that continuously widen our attack surface and make systems more vulnerable. As computer software has become the backbone of modern civilization, hacktivists, organized cyber criminals, state-sponsored attackers and terrorist organizations try to exploit design flaws and weaknesses in applications in order to embarrass corporations and government agencies and to commit fraud.

Despite the high-profile CryptoLocker takedown, ransomware scams remain an all-too-real threat. Crooks are developing more sophisticated encryption schemes to support their fraud.

The steady flow of software security issues will keep making headlines in 2015. Serious security flaws will be found in both open source and proprietary software.

Many people are looking for a good process for developing secure software, because after-the-fact band-aiding is not a sustainable approach. If the same methods continue to be used to develop software, with tests added retrospectively, there will only be a very modest reduction in the flow of problems. Processes for developing reliable and secure networking software exist but have yet to be broadly applied. Traditional development methods continue to result in high failure rates. Why create insecure security?

Year 2014 was a year of cybersecurity debate following the NSA revelations made in 2013. There were lots of articles related to the published material. Not everything has been published yet, so I expect new details from the NSA documents to come out in 2015 as well, along with new leaks on how governmental security organizations spy on us all.

It seems like 2014 has almost been "The Year of PoS Breaches." Can we learn from big breaches? At least companies will face more stringent regulations: the new Payment Card Industry Data Security Standard 3.0 (PCI DSS 3.0) will be mandatory for all businesses that store, process or transmit payment card information beginning 1 January 2015. The revamped standard includes requirements aimed at third-party providers. The changes follow a string of high-profile breaches. I do not expect the new requirements to change the situation quickly. As breach reports keep coming, consumers are officially starting to get breach fatigue, and banks are taking breached companies to court to recover the damages caused to them.

Public and private organizations are facing an increasing frequency and sophistication of cyber-attacks and security breaches, many of which are only discovered after the fact. McAfee Labs' 2015 Threats Predictions report is an eye-opening read, forecasting increased levels of crime, espionage and warfare operations. Cybercriminals are expected to use more sophisticated methods to remain hidden on a victim's network, carrying out long-term theft of data without detection.

The article Get Ready For The Hack Attack That Drives A Big Company Out Of Business predicts that 2015 will be the year some company goes out of business because it didn't plan adequately for an attack. In the past, the most sophisticated hacks against companies were carried out by big nation-states or criminal organizations. In 2014 the Sony Pictures hack showed that the motives of sophisticated attackers have shifted from self-gain to destruction. Many company officers are only now becoming aware of the threat (boards of directors and C-level officers have traditionally focused on other risks). A computerized attack can do a lot of damage to a well-prepared company, and can turn a less prepared company into a complete disaster it cannot recover from. The Sony attack opens new doors of risk in the area of corporate extortion.

As the Internet of Things becomes more widely used, it will be hacked more, so the security of the Internet of Things will be talked about more and more. IoT is one field where cyber security flaws can kill. The European Police Office (Europol) said governments are ill-equipped to counter the menace of "injury and possible deaths" spurred by hacking attacks on critical safety equipment. There are many potential dangers in transportation: many new cars are Internet-connected and potentially vulnerable, SCADA systems in railways are vulnerable to attack, and airline bosses ignore cyber security concerns at their peril. Whether it is an unintentional cyber incident or a deliberate attack, security continues to be a vital part of the automation industry, and together with safety it will remain a growing area of concern for manufacturers in the coming years. Security awareness is on the rise throughout the industry. Security is becoming a business enabler that can provide manufacturers with more than just an insurance policy.

Soon almost every network will have IoT hacking in it. IDC predicts that within two years 90 percent of global IT networks will have experienced IoT-related data theft. In a report, cybersecurity firm Fortinet expects greater threats from "denial of service attacks on assembly line, factory, industrial control systems, and healthcare and building management…resulting in revenue losses and reputation damages for organizations globally." This opens new doors of risk in the areas of corporate extortion, altering of corporate business operations, and the extension of cyberattacks to include physical threats of harm to civilians.

Cyber warfare is becoming more and more attractive to small nations and terrorist groups. Enabled by Internet connectivity, cyber war provides more bang for the buck than investment in conventional weapons: it is cheaper and far more accessible to small nation-states, and it allows them to pull off attacks with less risk of getting caught and fewer repercussions when they are caught. There are many reasons why a nation-state or non-state entity would pursue a cyber war program, and today many countries large and small invest in cyber warfare. Recent cyber attacks suggest that fewer resources are required to wage an attack than to defend against one, and as the whole world gets connected, it provides the reachable targets that make these attacks possible. In the not-too-distant future, warfare with traditional weaponry may take a back seat to potentially more destructive tactics: computer code attacking the companies and infrastructures that society relies on, including electric grids and oil and gas pipelines.

It was estimated that the first online murder would happen in 2014. As far as I know it did not happen in 2014, but I think it is likely that an online murder can happen in 2015. The tools for it are available, and a cyber-murder could happen without us ever knowing about it.

Mobile devices will be one of the focal points for cyber-attackers in 2015, as they present relatively easy, low-risk points of entry that can be monitored remotely for passwords, account numbers and personal identification data. It is still relatively easy to publish malicious applications in app stores, and within the next year advanced mobile exploit kits will become available.

Mobile devices will start to play a part in denial of service attacks. Vietnam, India and Indonesia will be the distributed denial of service volcanoes of next year due to the proliferation of pwned mobiles.

Year 2014 brought encryption to mainstream smartphones (new encryption features from Apple Inc. and Google Inc.). In 2015 government organizations will try to tackle a very modern problem: password-protected encrypted cellphones. It will be a fight over surveillance as everyone starts to implement encryption.

Long predicted but always seeming to be "just around the corner," mobile payments may finally have arrived. The underlying technologies of the coming mobile payment revolution, and alternative solutions, have been emerging for some time. Technologies playing a supporting role in this shift include encryption advances, digital currencies, biometrics, NFC, Bluetooth, QR codes and even sound-wave data transfer. There will also be products marketed to prevent the different kinds of threats the new technologies can introduce.

There is a never-ending battle between good and evil in the cyber world. Various types of attacks are successful because they are well disguised, blend different techniques, and constantly evolve. You need layered security, and it is not just for networks: use a layered security architecture that combines defenses in ways attackers don't expect and that continuously evolves protections to keep up with dynamic attacks. Traditionally these approaches have focused on the network, but they can and should be applied to other parts of the IT system as well (start with email gateways). Email is the preferred channel for business communications and thus continues to be a vector of choice for attackers.

Threat information sharing will become necessary for survival. Security controls (the SANS Critical Controls, ISO/IEC 27002, the NIST Cybersecurity Framework and the Cloud Controls Matrix) are safeguards that counteract or minimize security risks to digital property. The more of a control you can automate, the better off you will be. Moving towards an adaptive, automated way of applying intelligence based on behavior and heuristics is clearly a step in the right direction, as it enables a more actionable and relevant set of controls. Threat intelligence from a variety of sources (security companies, governments and the open source community) is needed. Key to success is publishing intelligence in standard data structures (STIX, TAXII and other industry formats) that describe threats in a way that can be aggregated and understood by others.
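As an added example (not code from the original post), the following Go program shows the kind of automated control this paragraph argues for: it loads a small threat-intelligence feed and checks proxy log lines against it, alerting on any destination that matches an IP, CIDR range or domain indicator. The feed and the log lines are constructed for the example (addresses from documentation ranges, no real intelligence), and the flat "type,value,note" feed format is a stand-in for a real STIX document delivered over TAXII, chosen only so that the program runs offline.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"strings"
)

// Indicator is one atomic observable from a threat-intelligence feed.
// Real feeds arrive as STIX over TAXII; this example uses a flat
// "type,value,note" format purely so that it runs offline.
type Indicator struct {
	Type  string // "ip", "cidr" or "domain"
	Value string
	Note  string
}

// sampleFeed is a constructed feed; the values are documentation addresses, not real intelligence.
const sampleFeed = `ip,203.0.113.45,C2 beacon (constructed example)
domain,update-check.example.net,fake update host (constructed example)
cidr,198.51.100.0/24,bulletproof hosting range (constructed example)`

// sampleLog holds constructed proxy log lines in "time client destination verb" form.
const sampleLog = `2015-01-20T10:01:02Z 10.0.0.12 203.0.113.45 CONNECT
2015-01-20T10:01:05Z 10.0.0.12 www.example.com GET
2015-01-20T10:02:11Z 10.0.0.31 cdn.update-check.example.net GET
2015-01-20T10:03:40Z 10.0.0.44 198.51.100.77 CONNECT
2015-01-20T10:04:00Z 10.0.0.44 198.51.101.7 CONNECT`

type cidrIndicator struct {
	network *net.IPNet
	ind     Indicator
}

// Matcher indexes indicators: exact maps for IPs and domains, a linear scan for CIDRs.
type Matcher struct {
	ips     map[string]Indicator
	domains map[string]Indicator // keyed by lowercase FQDN; subdomains also match
	cidrs   []cidrIndicator
}

// ParseFeed loads the flat feed. Malformed lines are an error rather than
// being skipped: a corrupted feed should fail loudly, not silently shrink coverage.
func ParseFeed(feed string) (*Matcher, error) {
	m := &Matcher{ips: map[string]Indicator{}, domains: map[string]Indicator{}}
	sc := bufio.NewScanner(strings.NewReader(feed))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		parts := strings.SplitN(line, ",", 3)
		if len(parts) != 3 {
			return nil, fmt.Errorf("malformed feed line: %q", line)
		}
		ind := Indicator{Type: parts[0], Value: strings.ToLower(parts[1]), Note: parts[2]}
		switch ind.Type {
		case "ip":
			if net.ParseIP(ind.Value) == nil {
				return nil, fmt.Errorf("bad ip indicator: %q", ind.Value)
			}
			m.ips[ind.Value] = ind
		case "cidr":
			_, network, err := net.ParseCIDR(ind.Value)
			if err != nil {
				return nil, fmt.Errorf("bad cidr indicator %q: %v", ind.Value, err)
			}
			m.cidrs = append(m.cidrs, cidrIndicator{network, ind})
		case "domain":
			m.domains[strings.TrimSuffix(ind.Value, ".")] = ind
		default:
			return nil, fmt.Errorf("unknown indicator type %q", ind.Type)
		}
	}
	return m, sc.Err()
}

// Lookup reports whether a destination (IP address or host name) matches an indicator.
func (m *Matcher) Lookup(dest string) (Indicator, bool) {
	dest = strings.ToLower(strings.TrimSuffix(dest, "."))
	if ip := net.ParseIP(dest); ip != nil {
		if ind, ok := m.ips[dest]; ok {
			return ind, true
		}
		for _, c := range m.cidrs {
			if c.network.Contains(ip) {
				return c.ind, true
			}
		}
		return Indicator{}, false
	}
	// Walk up the label chain so cdn.bad.example matches an indicator for bad.example.
	labels := strings.Split(dest, ".")
	for i := range labels {
		if ind, ok := m.domains[strings.Join(labels[i:], ".")]; ok {
			return ind, true
		}
	}
	return Indicator{}, false
}

// Hit is one log line that matched an indicator.
type Hit struct {
	Line, Client, Dest string
	Ind                Indicator
}

// Scan applies the feed to every log line and returns the hits in log order.
func (m *Matcher) Scan(log string) []Hit {
	var hits []Hit
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 4 {
			continue
		}
		if ind, ok := m.Lookup(f[2]); ok {
			hits = append(hits, Hit{Line: sc.Text(), Client: f[1], Dest: f[2], Ind: ind})
		}
	}
	return hits
}

func main() {
	m, err := ParseFeed(sampleFeed)
	if err != nil {
		panic(err)
	}
	for _, h := range m.Scan(sampleLog) {
		fmt.Printf("ALERT %s -> %s [%s] %s\n", h.Client, h.Dest, h.Ind.Type, h.Ind.Note)
	}
}
```

Run against the constructed log, three of the five lines raise alerts: the exact IP, the subdomain of a listed domain (the label walk is what makes the domain indicator useful against attacker-controlled hostnames) and an address inside the listed /24; the neighbouring 198.51.101.7 does not match. The parser rejects unknown indicator types instead of skipping them, so a feed that changes format under you is noticed on the first load rather than by a missed detection months later.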

More and more organizations are moving applications and data to IaaS/PaaS environments. Many enterprise IT departments have reason for concern: industry experts agree that moving sensitive data into the hands of third-party cloud providers expands and complicates the risk landscape in which companies operate every day. You need to understand the basics of cloud database security and more.

Today major players are embracing end-to-end encryption, to the point that about 50% of web traffic is carried over HTTPS. HTTPS everywhere will get a boost in 2015, as a new certificate authority backed by big names on the Internet, including Mozilla, Cisco and Akamai, plans to offer SSL/TLS certificates at no charge starting in summer 2015. This will make it even easier to run encrypted HTTPS websites.

Google is proposing to warn people that their data is at risk every time they visit a website that does not use HTTPS. If implemented, the change would mean that a warning pops up when people visit a site that uses only HTTP, notifying them that such a connection "provides no data security". In the short term, the biggest headache is likely to be faced by website operators, who will feel forced to migrate unencrypted HTTP websites to HTTPS.

You can't trust that the normal web security technologies guarantee safety; HTTPS will be tampered with more than before. End-to-end HTTPS is generally a good security addition for end users, but it does not solve every problem. The increased use of HTTPS has made life harder for IT departments, because an ordinary firewall can't look inside encrypted HTTPS traffic and so can't block threats carried within it. Some corporate firewalls and proxies therefore intercept HTTPS traffic: they perform a kind of man-in-the-middle attack, terminating the client's TLS session, decrypting the traffic for inspection and re-encrypting it towards the server. This only works because the interception device's own CA certificate has been installed as trusted on the managed endpoints; a client that does not trust that CA, or that pins the genuine server key, rejects the substituted certificate. So SSL/TLS communications can be intercepted, and the same technique in the hands of an attacker who can get a CA trusted by the client breaks the confidentiality HTTPS promises.
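To make that caveat concrete, here is an added Go example (not code from the original post) that builds a throwaway PKI with Go's standard library: a constructed public root, a constructed corporate inspection CA, a genuine certificate for a host and a proxy-forged certificate for the same host. It then evaluates the forged certificate the way three clients would: an unmanaged client trusting only the public root, a managed client with the proxy CA installed, and a client that pins the genuine server key. The CA names, the host name and the use of P-256 keys are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// check panics on key or certificate generation failure (RNG unavailable);
// acceptable for a demonstration that builds its own throwaway PKI.
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// newCA builds a self-signed CA. Both CAs used below are constructed, not real.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// issueLeaf has a CA sign a server certificate for host. An interception proxy
// does exactly this on the fly, with its own key, for every site a client visits.
func issueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert
}

// trusted is the check every TLS client makes: does the presented leaf chain
// to a root in this client's trust store, for this host name?
func trusted(leaf *x509.Certificate, host string, roots *x509.CertPool) bool {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err == nil
}

// spkiPin is an HPKP-style pin: SHA-256 over the certificate's SubjectPublicKeyInfo.
func spkiPin(c *x509.Certificate) [32]byte {
	return sha256.Sum256(c.RawSubjectPublicKeyInfo)
}

// Outcome records what each kind of client decides about the two certificates.
type Outcome struct {
	GenuineAccepted      bool // genuine cert, client trusting only the public root
	ForgedAcceptedPublic bool // proxy-issued cert, client trusting only the public root
	ForgedAcceptedCorp   bool // proxy-issued cert, managed client with the proxy CA installed
	ForgedMatchesPin     bool // proxy-issued cert checked against a pin of the genuine key
}

// RunScenario issues a genuine and a proxy-forged certificate for host and
// evaluates both as the unmanaged client, the managed client and a pinning client would.
func RunScenario(host string) Outcome {
	publicCA, publicKey := newCA("Example Public Root (constructed)")
	proxyCA, proxyKey := newCA("Corp TLS Inspection CA (constructed)")
	genuine := issueLeaf(publicCA, publicKey, host)
	forged := issueLeaf(proxyCA, proxyKey, host)
	publicRoots, corpRoots := x509.NewCertPool(), x509.NewCertPool()
	publicRoots.AddCert(publicCA)
	corpRoots.AddCert(publicCA)
	corpRoots.AddCert(proxyCA) // what the IT department pushes to managed endpoints
	return Outcome{
		GenuineAccepted:      trusted(genuine, host, publicRoots),
		ForgedAcceptedPublic: trusted(forged, host, publicRoots),
		ForgedAcceptedCorp:   trusted(forged, host, corpRoots),
		ForgedMatchesPin:     spkiPin(forged) == spkiPin(genuine),
	}
}
```

The unmanaged client rejects the forged certificate because it chains to no trusted root; the managed client accepts it, which is exactly what corporate interception relies on and exactly what an attacker gains by getting a CA into a victim's trust store; and the key pin catches the substitution even on the managed client, which is why interception breaks pinned applications and why comparing the served key against a known-good pin is the quickest check when you suspect an interceptor you did not install.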


3,110 Comments

  1. Tomi Engdahl says:

    diff -u: What’s New in Kernel Development
    http://www.linuxjournal.com/content/diff-u-whats-new-kernel-development-6

    David Drysdale wanted to add Capsicum security features to Linux after he noticed that FreeBSD already had Capsicum support. Capsicum defines fine-grained security privileges, not unlike filesystem capabilities. But as David discovered, Capsicum also has some controversy surrounding it.

    Capsicum has been around for a while and was described in a USENIX paper in 2010: http://www.cl.cam.ac.uk/research/security/capsicum/papers/2010usenix-security-capsicum-website.pdf.

    Part of the controversy is just because of the similarity with capabilities.

    Capsicum also was controversial within its own developer community.

    Eric was opposed to David implementing Capsicum in Linux.

    But, given the fact that capabilities are much coarser-grained than Capsicum’s security features, to the point that capabilities can’t really be extended far enough to mimic Capsicum’s features, and given that FreeBSD already has Capsicum implemented in its kernel, showing that it can be done and that people might want it, it seems there will remain a lot of folks interested in getting Capsicum into the Linux kernel.

    Reply
  2. Tomi Engdahl says:

    New Snowden documents show how the GCHQ tracked iPhone users
    http://www.theverge.com/2015/1/17/7632407/new-snowden-documents-show-how-the-gchq-tracked-iphone-users

    Snowden documents published today by Der Spiegel give new insight into the British GCHQ’s efforts to track targets through their iPhones. Previous leaks have revealed specific NSA exploits used to compromise the famously malware-resistant iPhone software controls, but the new documents show that even when the device itself hasn’t been compromised, any data on the phone can be pulled when the phone syncs with a compromised computer. Other techniques allow GCHQ researchers to surveil targets by following a device’s UDID across different services.

    The report is dated to November of 2010, before Apple began deprecating the UDID system, but the documents show how useful the system was for surveillance while it was still operational.

    Reply
  3. Tomi Engdahl says:

    To avoid detection, terrorists purposely sent emails with spammy subject lines
    http://qz.com/326927/to-avoid-detection-terrorists-purposely-sent-emails-with-spammy-subject-lines/

    By now, it’s common knowledge the National Security Agency collects plenty of data on suspected terrorists as well as ordinary citizens. But the agency also has algorithms in place to filter out information that doesn’t need to be collected or stored for further analysis, such as spam emails—a fact terrorists used to their advantage.

    The only email written in English found on the computers contained a purposely spammy subject line: “CONSOLIDATE YOUR DEBT.”

    “It is surely the case that the sender and receiver attempted to avoid allied collection of this operational message by triggering presumed ‘spam’ filters,” he said, noting the agency is constantly refining its algorithms to discover new threats.

    Reply
  4. Tomi Engdahl says:

    Tech More: Apple Touch ID Patents and IP
    Apple Is Considering Storing Your Fingerprints In iCloud

    Apple is considering storing customers’ biometric data in the cloud to enable next-generation payment methods, according to new patent application found by Apple Insider.

    Read more: http://uk.businessinsider.com/apple-touch-id-icloud-patent-2015-1?r=US#ixzz3PGqvuley

    Reply
  5. Tomi Engdahl says:

    Buggy? Angry? LET IT ALL OUT says Linus Torvalds
    ‘I’m not a nice person and I don’t care about you’ says Linux Lord
    http://www.theregister.co.uk/2015/01/19/got_bugs_got_anger_just_get_them_out_says_linus_torvalds/

    Linux overlord Linus Torvalds has articulated views on security at Linux.conf.au, and seems to be closer to Google’s way of thinking than Microsoft’s.

    During a discussion about Linux security, Torvalds (at about 50:00) says “I’m a huge believer in just disclosing … somewhat responsibly … but security problems need to be made public. And there are people who argue, and have argued for decades, that you never want to talk about security problems because that only helps the black hats. The fact is that I think you absolutely need to report them and you need to report them in a reasonable time frame.”

    What’s reasonable? Torvalds says on the kernel security mailing list the disclosure time is five working days, “which for some people is a bit extreme.”

    “In other projects it might be a month, or a couple of months,” he continues. “But that’s so much better than the years and years of silence which we used to have.”

    Torvalds did, however, seem to be more sympathetic to Google’s approach of giving vendors 90 days to disclose a flaw than other approaches that see vendors sit on bugs until they are ready to release a fix.

    Keynote: Linus Torvalds
    https://www.youtube.com/watch?v=bAop_8l6_cI

    Reply
  6. Tomi Engdahl says:

    Firefox 35 stamps out critical bugs
    Nine flaws scrubbed out
    http://www.theregister.co.uk/2015/01/19/firefox_35_stamps_out_critical_bugs/

    Mozilla has crushed nine bugs, some rather dangerous, in the latest version of its flagship browser.

    The fixes include a patch for a critical sandbox escape (CVE-2014-8643) in the Gecko Media Plugin used for h.264 video playback affecting Windows machines (but not OS X or Linux).

    Reply
  7. Tomi Engdahl says:

    UK Teen Arrested For PlayStation, Xbox DDoS Attacks
    http://www.securityweek.com/uk-teen-arrested-playstation-xbox-ddos-attacks

    An 18-year-old was arrested this morning in the United Kingdom on suspicion of being involved in the distributed denial-of-service (DDoS) attacks launched against Sony’s PlayStation Network and Microsoft’s Xbox Live over Christmas.

    The man has not been named, but the South East Regional Organised Crime Unit (SEROCU) reported that its Cyber Crime Unit arrested the suspect in Southport, a town in Merseyside, England.

    Reply
  8. Tomi Engdahl says:

    False Positive Alerts Cost Organizations $1.3 Million Per Year: Report
    http://www.securityweek.com/false-positive-alerts-cost-organizations-13-million-year-report

    A new report published on Friday shows that organizations in the United States waste large amounts of money on dealing with erroneous malware alerts.

    According to the study conducted by the Ponemon Institute on behalf of security firm Damballa, organizations spend, on average, nearly 21,000 hours each year analyzing false negatives and/or false positives. This means companies waste roughly $1.3 million per year due to inaccurate or erroneous intelligence.

    The organizations that took part in the study reported receiving an average of 16,937 cyber security alerts in a typical week. Of these alerts, only 19% (3,218) are deemed reliable and only 4% (705) are actually investigated. This indicates that many companies don’t have the resources or expertise to detect or block serious threats, Damballa said.

    When asked about trends in malware infections, 60% of respondents said they noticed an increase or a significant increase in severity in the past year. On the other hand, 45% of respondents reported an increase in the volume of malware infections.

    As far as their malware containment practices are concerned, 33% of organizations have an unstructured or “ad hoc” approach. Around the same percentage have a structured approach that involves both manual activities and automated tools.

    “It’s more important than ever for teams to be armed with the right intelligence to detect active infections to reduce their organization’s risk exposure and make the best use of their highly-skilled, limited security resources,”

    Reply
  9. Tomi Engdahl says:

    Google Discloses Windows Flaw That Microsoft Failed to Fix
    http://www.securityweek.com/google-discloses-windows-flaw-microsoft-failed-fix

    The vulnerability disclosure “game” between Microsoft and Google continues.

    Google has released the details of another Windows vulnerability. Microsoft planned on fixing the flaw with the January updates, but was forced to delay the patch due to compatibility issues.

    Microsoft informed Google in late October that they had managed to reproduce the issue. The company later told Google that it had planned to release a fix in January, but the patch had to be pulled due to compatibility issues. The vulnerability will likely be addressed in February, Microsoft said.

    Reply
  10. Tomi Engdahl says:

    Hacking Back: Active Defenses Redux?
    http://www.securityweek.com/hacking-back-active-defenses-redux

    Following a year of high-profile data breaches, continued lack of guidelines for industry-government information sharing and frequent naming of attack victims as culprits by regulators, one might forgive those on the receiving end of cyber intrusions for revisiting thoughts of alternative cyber protective measures.

    The Sony Pictures data capture-and-release heist and the reactions that followed may have provided the year’s only comedic interlude in a year of numerically impressive but otherwise gray-flannel suit, button down breaches that swept across a wide swath of corporate America with seeming ease.

    The call for stronger response capabilities such as active defenses, also known as “hacking back,” begins to look more and more like a rational solution.

    In spite of its poor reputation, hacking back has both its supporters and participants. Tom Kellerman, chief cybersecurity officer for Trend Micro, states “Active defense is happening.” Confirming this belief, a survey at a recent Black Hat USA security conference revealed that an impressive 36 percent of respondents had engaged in “retaliatory hacking.”

    If more official sanction for hacking back is wanted than the unconventional, venturesome attitudes prevalent in a Black Hat gathering, such acceptance can be found in a report on intellectual property theft co-authored by Dennis Blair, Obama’s first director of national intelligence.

    Others call for the government itself to take a stronger role in cyber defenses. An argument for stronger government-driven enforcement measures was heard from National Security director Admiral Mike Rogers

    A recent Op-Ed in The Wall Street Journal citing President Obama’s statement that cyberattacks are “one of the most serious challenges we face as a nation” leaned strongly toward echoing

    However, even hints of consideration of hacking back measures can easily draw strong, swift responses describing such practices in terms ranging from “reckless” and “illegal” to irresponsibly producing undesired collateral damage.

    Reply
  11. Tomi Engdahl says:

    Stuart Dredge / Guardian:
    Lizard Squad’s LizardStresser hacked and customer details made public
    http://www.theguardian.com/technology/2015/jan/19/lizard-squad-lizardstresser-site-hacked

    Researcher says hacker group took $11k worth of bitcoin payments for its DDoS service, but stored usernames and passwords in plain text

    Hacking group Lizard Squad made a name for itself with high-profile attacks on Sony and Microsoft’s online gaming networks. Now the group appears to have been hacked itself, as it tried to profit from its fame by selling a service to take other websites down.

    It charged between $6 and $500 in the bitcoin cryptocurrency to help people launch distributed denial of service (DDoS) attacks on any website or internet service they chose.

    “A copy of the LizardStresser customer database obtained by KrebsOnSecurity shows that it attracted more than 14,241 registered users, but only a few hundred appear to have funded accounts at the service,” wrote Krebs in a blog post claiming that LizardStresser had been hacked.

    “Interestingly, all registered usernames and passwords were stored in plain text.”

    Reply
  12. Tomi Engdahl says:

    Microsoft Outlook Hacked In China, New Report Finds
    http://techcrunch.com/2015/01/19/microsoft-outlook-hacked-in-china-new-report-finds/

    Only a few weeks after Google’s Gmail service was blocked in China, a new report from online censorship monitoring organization GreatFire.org released this morning states that Microsoft’s email system Outlook was recently subjected to a “man-in-the-middle” attack in China. This is a form of eavesdropping where the attacker inserts himself in between the victims’ connections, relaying messages between them while the victims’ continue believe they have a secure, private connection. Meanwhile, the attacker is able to read all the content they’re sharing.

    Reply
  13. Tomi Engdahl says:

    Video nasty: Two big bugs in VLC media player’s core library
    Flaws disclosed in late December await exploitation
    http://www.theregister.co.uk/2015/01/20/vlc_code_exec_flaws/

    A Turkish hacker has revealed two zero-day vulnerabilities in library code used by the popular VLC media player and others.

    The data execution prevention (CVE-2014-9597) and write access (CVE-2014-9598) violation vulnerabilities could lead to arbitrary code execution, researcher Veysel Hatas said in a post.

    “VLC Media Player contains a flaw that is triggered as user-supplied input is not properly sanitised when handling a specially crafted FLV” or M2V file, Hatas said.

    “This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.”

    Version 2.2.0-rc2, available to testers, is not vulnerable, according to the VLC project’s bug tracker.

    Reply
  14. Tomi Engdahl says:

    Oracle E-Business suite wide open to database attack
    Researcher who found bug says Big Red to patch flaw in Tuesday fix roundup
    http://www.theregister.co.uk/2015/01/20/oracle_readies_to_patch_gobsmacking_vulnerability_tomorrow/

    Clear some time in your diary and drink an extra coffee, sysadmins: a top hacker has warned that Oracle will tomorrow patch a horror bug that needs urgent attention.

    Datacom TSS hacker David Litchfield told The Reg he has reported to Oracle that versions of its E-Business suite contain a “major” misconfiguration flaw that allowed anyone to fully compromise the database server.

    “The technical details are that the PUBLIC role has been granted the INDEX privilege on the DUAL table owned by SYS,” Litchfield told Vulture South.

    “I’m flabbergasted. I’m hoping it was simply done in error and I’ll leave the conspiracy theories for others.”

    Reply
  15. Tomi Engdahl says:

    Snowden doc leak ‘confirms’ China stole F-35 data
    Headlines? Yes. Surprises? No.
    http://www.theregister.co.uk/2015/01/18/snowden_doc_leak_confirms_china_stole_f35_data/

    China now knows what most people in the west are catching up with: that the F-35 Joint Strike Fighter is a lemon.

    The latest round of managed information release by Edward Snowden via Spiegel (one of a series) includes the snippet that Chinese security services copied “terabytes” of data about the aircraft.

    The release states that the compromised information includes radar systems data, engine schematics, heat contour maps, and designs to cool exhaust gases.

    The latest leak confirms the scale of the data theft, which emerged in US media such as The Washington Times March 2014.

    As that report notes, the Defence Science Board at the Pentagon stated that “cyber attacks” had compromised F-35 design information.

    In 2014, the leak was attributed to Lockheed Martin and was believed to have taken place in 2007, and in June 2013, Defense acquisitions boss Frank Kendall told the US Senate he was confident that F-35 data was now better protected.

    F-35: the aircraft has flown a couple of times, and is considered to be at the demonstrator stage.

    Reply
  16. Tomi Engdahl says:

    Just WHY is the FBI so sure North Korea hacked Sony? NSA: *BLUSH*
    DOH! Clapper smacker for crapper tapper
    http://www.theregister.co.uk/2015/01/19/nsa_saw_sony_hack/

    For those still wondering why US President Barack Obama and the FBI have so confidently blamed North Korea for the Sony Pictures hack, it’s apparently because the NSA compromised the secretive country’s computer network years before – giving American intelligence a front-row seat for subsequent shenanigans.

    The New York Times reports that the penetration (PDF) was accomplished in 2010, years before the hack of Sony Pictures, and initially with the assistance of South Korea.

    FBI Director James Comey went on the record earlier this month to say that one key piece of evidence implicating North Korea was that IP [Internet protocol] addresses used to post and to send the emails by the Guardian of Peace connected with the attack were coming from IPs that were exclusively used by the North Koreans. Comey told delegates at a cyber conference at Fordham University on 7 January that the North Koreans had erred by being “sloppy” in disguising the source of the attack.

    General James Clapper, director of the NSA, backed the attribution of the Sony attack to North Korea at the same conference without revealing the NSA’s apparent role.

    http://www.spiegel.de/media/media-35679.pdf

    Comment

    Quite why the Feds are going to such lengths to convince the doubting infosec community, drawing attention to a program to wiretap a hostile country’s internet infrastructure, is a puzzle. Perhaps the program had been uncovered. If not, why is the US intel community disclosing source and methods just to bolster the credibility of its explanation for the Sony hack?

    Reply
  17. Tomi Engdahl says:

    ICO gives shoe shop Office a boot up the jacksie after data breach
    Don’t do it again, etc
    http://www.theinquirer.net/inquirer/news/2391037/ico-gives-shoe-shop-office-a-boot-up-the-jacksie-after-data-breach

    DOGGED ENFORCEMENT AGENCY the Information Commissioner’s Office (ICO) has resisted the opportunity to hit breached shoe store Office with a fine, and has instead chosen to issue a warning.

    Office was breached last year and immediately began warning people who had shod their feet through its website to check their tracks and make sure that they have not stood in something that they would rather not have stood in.

    Some nine months later, the ICO has completed its investigation of the incident and come to its conclusions as to what, or whom, is to blame.

    “The breach has highlighted two hugely important areas of data protection: the unnecessary storage of older personal data, and the lack of security to protect data,” said Sally-Anne Poole, acting head of enforcement at the ICO.

    “Fortunately, in this case there is no evidence to suggest that the information has been used any further, and the company did not store any bank details.”

    Reply
  18. Tomi Engdahl says:

    How Was Your Credit Card Stolen?
    http://krebsonsecurity.com/2015/01/how-was-your-credit-card-stolen/

    Almost once a week, I receive an email from a reader who has suffered credit card fraud and is seeking help figuring out which hacked merchant was responsible. I generally reply that this is a fruitless pursuit, and instead encourage readers to keep a close eye on their card statements and report any fraud.

    But it occurred to me recently that I’ve never published a primer on the types of card fraud and the likelihood with each of the cardholder ever learning how their account was compromised. This post is an effort to remedy that.

    The card associations (Visa, MasterCard, et al.) very often know which merchant was compromised before even the banks or the merchant itself does. But they rarely tell banks which merchant got hacked. Rather, in response to a breach, the card associations will send each affected bank a list of card numbers that were compromised.

    Here’s a look at some of the most common forms of credit card fraud:

    Hacked main street merchant, restaurant:
    Most often powered by malicious software installed on point-of-sale devices remotely.

    Processor breach:
    A network compromise at a company that processes transactions between credit card issuing banks and merchant banks.

    Hacked point-of-sale service company/vendor:
    Fraud is generally localized to a specific town or geographic region served by vendor.

    Hacked E-commerce Merchant:
    A database or Web site compromise at an online merchant.

    ATM or Gas Pump Skimmer:
    Thieves attach physical fraud devices to ATMs and pumps to steal card numbers and PINs.

    Crooked employee:
    Uses hidden or handheld device to copy card for later counterfeiting.

    Lost/Stolen card:
    The smallest source of fraud on cards. Consumer generally knows immediately or is alerted by bank to suspicious transactions

    Malware on Consumer PC:
    Leads to authorized online charges.

    Physical record theft:
    Merchant, government agency or some other entity charged with storing and protecting card data improperly disposes of card account records.

    Reply
  19. Tomi Engdahl says:

    More than 1800 Minecraft account credentials leaked, your blocky world may be in danger
    http://www.neowin.net/news/more-than-1800-minecraft-account-credentials-leaked-your-blocky-world-may-be-in-danger

    On January 19, German media reported that more than 1800 user names and passwords of Minecraft players have leaked online, allowing random people from the internet to break into their blocky world. According to Heise, some of the accounts belong to German players, and a few credentials have already been tested and confirmed as legit.

    The leaked credentials have been published in clear text to Pastebin, allowing unauthorized individuals to log into players’ game worlds, as well as download a free copy of Minecraft which normally retails for 19.95 EUR.

    It is not yet clear what method has been used for the exploit

    Reply
  20. Tomi Engdahl says:

    Need a Hacker? Check Out Hacker’s List
    Assuming it’s not a joke, the hacker-for-hire website connects those in need of some (illegal?) tech help.
    http://www.pcmag.com/article2/0,2817,2475356,00.asp

    A new service, dubbed Hacker’s List, wants to be the Craigslist of professional hackers. Its goal? Connect those who need shadowy services with those who are willing to pull them off—anything from breaking in to an ex’s email address to taking out an enemy’s website.

    “Hiring a hacker shouldn’t be a difficult process, we believe that finding a trustworthy professional hacker for hire should be a worry free and painless experience.”

    The site, which is registered in New Zealand, asks users not to “use the service for any illegal purposes,” as laid out in its terms and conditions section.

    But the site has requests for Android game hacks, iPhone hacks, Facebook account hacks, etc.

    Although it remains to be seen just how legitimate the site is—and whether bidders and hackers alike are getting all that much work from it—Hacker’s List is designed to stress the anonymity of the pairing (though it encourages you to register by linking up your Facebook account, which seems like a poor choice for those looking to stay anonymous).

    Reply
  21. Tomi Engdahl says:

    Need Some Espionage Done? Hackers Are for Hire Online
    http://dealbook.nytimes.com/2015/01/15/need-some-espionage-done-hackers-are-for-hire-online/?_r=1

    A man in Sweden says he will pay up to $2,000 to anyone who can break into his landlord’s website. A woman in California says she will pay $500 for someone to hack into her boyfriend’s Facebook and Gmail accounts to see if he is cheating on her.

    The business of hacking is no longer just the domain of intelligence agencies, international criminal gangs, shadowy political operatives and disgruntled “hacktivists” taking aim at big targets. Rather, it is an increasingly personal enterprise.

    At a time when huge stealth attacks on companies like Sony Pictures, JPMorgan Chase and Home Depot attract attention, less noticed is a growing cottage industry of ordinary people hiring hackers for much smaller acts of espionage.

    A new website, called Hacker’s List, seeks to match hackers with people looking to gain access to email accounts, take down unflattering photos from a website or gain access to a company’s database. In less than three months of operation, over 500 hacking jobs have been put out to bid on the site, with hackers vying for the right to do the dirty work.

    It is done anonymously, with the website’s operator collecting a fee on each completed assignment. The site offers to hold a customer’s payment in escrow until the task is completed.

    Reply
  22. Tomi Engdahl says:

    Hayley Tsukayama / Washington Post:
    Google, Apple, Microsoft, Khan Academy, and others sign pledge to protect K-12 student privacy — Google, Khan Academy join in student privacy pledge — Google has signed on to a pledge promising not to sell ads on its products designed for schools.

    Google, Khan Academy join in student privacy pledge
    http://www.washingtonpost.com/blogs/the-switch/wp/2015/01/20/google-khan-academy-join-in-student-privacy-pledge/

    Fifteen more companies, including Google and the YouTube-based educational organization Khan Academy, have signed on to a pledge to protect student privacy. The pledge was highlighted in a speech by President Obama last week, in which he also said he will introduce legislation to protect data collected in the classroom.

    The two companies, both major players in education technology, are among the second wave of 15 that signed on to the pledge Monday; 75 signed the agreement last week. The document holds companies to several data privacy tenets, including promises not to sell student information or to use behaviorally targeted advertising on education products. It also promises to make it easy for parents to see their students’ data and to be transparent about how those data are collected and used.

    The move was hailed by privacy advocates

    Reply
  23. Tomi Engdahl says:

    Government Health Care Website Quietly Sharing Personal Data
    http://abcnews.go.com/Technology/wireStory/privacy-concerns-governments-health-care-website-28340119?singlePage=true

    The government’s health insurance website is quietly sending consumers’ personal data to private companies that specialize in advertising and analyzing Internet data for performance and marketing, The Associated Press has learned.

    The scope of what is disclosed or how it might be used was not immediately clear, but it can include age, income, ZIP code, whether a person smokes, and if a person is pregnant. It can include a computer’s Internet address, which can identify a person’s name or address when combined with other information collected by sophisticated online marketing or advertising firms.

    A former White House chief information officer, Theresa Payton, said third-party vendors are a weak link on any website.

    “You don’t need all of that data to do customer service,” said Payton, who served under President George W. Bush. “We know hackers are just waiting at the door, salivating to get at this data.”

    The privacy concerns come against the backdrop of President Barack Obama’s new initiative to protect personal data online.

    Third-party outfits that track website performance are a standard part of e-commerce. HealthCare.gov’s privacy policy says in boldface that “no personally identifiable information is collected” by these Web measurement tools.

    Google said it doesn’t allow its systems to target ads based on health or medical history information.

    Tracking consumers’ Internet searches is a lucrative business, helping Google, Facebook and others tailor ads to customers’ interests. Because your computer and mobile devices can be assigned an individual signature, profiles of Internet users can be pieced together, generating lists that have commercial value.

    Reply
  24. Tomi Engdahl says:

    HealthCare.gov Sends Personal Data to Dozens of Tracking Websites
    https://www.eff.org/deeplinks/2015/01/healthcare.gov-sends-personal-data

    The Associated Press reports that healthcare.gov–the flagship site of the Affordable Care Act, where millions of Americans have signed up to receive health care–is quietly sending personal health information to a number of third party websites. The information being sent includes one’s zip code, income level, smoking status, pregnancy status and more.

    EFF researchers have independently confirmed that healthcare.gov is sending personal health information to at least 14 third party domains, even if the user has enabled Do Not Track.

    Sending such personal information raises significant privacy concerns. A company like Doubleclick, for example, could match up the personal data provided by healthcare.gov with an already extensive trove of information about what you read online and what your buying preferences are to create an extremely detailed profile of exactly who you are and what your interests are. It could do all this based on a tracking cookie that it sets which would be the same across any site you visit.

    It’s especially troubling that the U.S. government is sending personal information to commercial companies on a website that’s touted as the place for people to obtain health care coverage. Even more troubling is the potential for companies like Doubleclick, Google, Twitter, Yahoo, and others to associate this data with a person’s actual identity.

    For now, EFF recommends installing software that will block third party tracking, such as EFF’s own Privacy Badger. Privacy badger will block the referrers and the connections to third party sites on healthcare.gov and protect your personal health information.

    Privacy Badger blocks spying ads and invisible trackers.
    https://www.eff.org/privacybadger

    Reply
  25. Tomi Engdahl says:

    The Most Popular Passwords Are Still “123456” and “password”
    http://it.slashdot.org/story/15/01/20/1834237/the-most-popular-passwords-are-still-123456-and-password

    The Independent lists the most popular passwords for 2014, and once again, “123456” tops the list, followed by “password” and “12345” at #3.
    The passwords used were mostly from North American and Western European leaks.

    ‘Password’ and ‘123456’ keep top spot on list of most popular passwords, as security experts panic
    http://www.independent.co.uk/life-style/gadgets-and-tech/news/password-and-123456-keep-top-spot-on-list-of-most-popular-passwords-as-security-experts-panic-9990442.html

    The most popular passwords in 2014 were also the most obvious —leading security experts to once again urge people to change their passwords.

    As with 2013, variations on passwords like 123456 continue to be the most popular passwords. Other obvious choices such as “password” and “qwerty” are also in the top five.

    But other new (if still easily guessable) passwords have made the list, including “696969” and “batman”.

    Reply
  26. Tomi Engdahl says:

    Silverlight Exploits Up, Java Exploits Down, Says Cisco
    http://it.slashdot.org/story/15/01/21/0225213/silverlight-exploits-up-java-exploits-down-says-cisco

    Attempts to exploit Silverlight soared massively in late 2014 according to research from Cisco. However, the use of Silverlight in absolute terms is still low compared to the use of Java and Flash as an attack vector, according to Cisco’s 2015 Annual Security Report.

    Silverlight exploits up, Java down, Cisco reports
    http://www.computerworld.com.au/article/564336/silverlight-exploits-up-java-down-cisco-reports/

    And Flash malware using JavaScript to cover its tracks, according to the Cisco 2015 Annual Security Report

    Attempts to exploit Silverlight soared massively in late 2014 according to research from Cisco. However, the use of Silverlight in absolute terms is still low compared to the use of Java and Flash as an attack vector.

    Java-based security exploits declined in 2014, partly due to a lack of new zero-day exploits, according to Cisco security researchers. The automatic patching of newer versions of the Java Runtime Environment and steps by browser vendors to block vulnerable versions of the JRE also helped, according to the Cisco 2015 Annual Security Report, which was released this morning.

    “Java’s reign as the top attack vector has been on a steady downward trend for more than a year,” the report states.

    The report’s assessment of the 2014 threat landscape also notes that Cisco researchers observed Flash-based malware that interacted with JavaScript.

    “The exploit is shared between two different files—one Flash, one JavaScript. Sharing exploits over two different files and formats makes it more difficult for security devices to identify and block the exploit, and to analyze it with reverse engineering tools,” the report states.

    A global survey of chief information security officers and security operations managers, the results of which were included in the report, found a perception gap between the two functions when it came to assessing the maturity of security processes in their organisations.

    “CISOs are notably more optimistic than their SecOps colleagues about the state of their security,” the report states.

    “For example, 62 percent of CISOs said they strongly agree that security processes in their organization are clear and well understood, compared to only 48 percent of SecOps managers.”

    In 2014 there were a number of headline-making vulnerabilities in widely used software products, including the ‘Heartbleed’ OpenSSL vulnerability, the ‘Shellshock’ vulnerability in the Bash shell, and the Drupal SQL injection flaw.

    “There are still quite a lot of unpatched OpenSSL servers on the Web,” he said. Organisations are failing when it comes to “things as basic as Internet Explorer patching”, he added.

    Something that CISOs and CSOs should take away from the report is putting greater emphasis on the remediation process following security breaches, he added.

    “Cisco talks about the threat continuum before, during and after attacks, and one of the things we see being borne out time and again is a lot of investment and a lot of time is spent on ‘before’ activities, which are how you effectively reduce your attack surface — so things like firewalls and VPNs and encryption,” Stitt said.

    “One of the trends that’s persisted in the market for decades is the focus has largely been on before, less on during and not much on after.”

    Reply
  27. Tomi Engdahl says:

    Paris Terror Spurs Plan for Military Zones Around Nuclear Plants
    http://www.bloomberg.com/news/2015-01-20/paris-terror-spurs-plan-for-military-zones-around-nuclear-plants.html

    Lawmakers in France want to create military zones around its 58 atomic reactors to boost security after this month’s Paris terror attacks and almost two dozen mystery drone flights over nuclear plants that have baffled authorities.

    Critics of the measures say they won’t prevent assaults by extremists and would ramp up criminal penalties against civic campaigners such as anti-nuclear activists for trespassing on land owned by companies that operate power stations.

    “A law of this type may deter activists but won’t do anything to prevent a terrorist attack on nuclear installations,” said Yannick Rousselet, Greenpeace’s nuclear campaigner in France

    Reply
  28. Tomi Engdahl says:

    It’s 2015 and default creds can brick SOHO routers
    Remote reboot and takedown tricks detailed by security chap
    http://www.theregister.co.uk/2015/01/21/fun_router_hacks_to_bash_crash_and_mash/

    A hacker has detailed a series of tricks that can silently reboot or brick routers or activate admin functions.

    Many routers including Netgear and Surfboard models look to be affected, with most attacks requiring just victims’ default universal credentials to be applied.

    Applications security bod Joseph Giron detailed how victims could be knocked offline or routers bricked.

    So many routers have been found vulnerable in recent years that the DEF CON security event threw a “SOHOpelessly Broken” competition that saw 15 zero days dug up by only a handful of hackers.

    Last week, Argentine and Spanish telcos were found deploying ADB Pirelli broadband routers with two dangerous security holes that exposed the internal web server.

    That find paled in comparison to the discovery that an estimated 200 cheap SOHO router models including D-Link, Edimax, Huawei, TP-Link, ZTE, and ZyXEL and used by 12 million people were affected

    Cisco, Netgear and Diamond router models were found vulnerable last year, following the 2012 discovery of security holes in 13 routers from the likes of Linksys and Belkin

    Reply
  29. Tomi Engdahl says:

    Sarah Perez / TechCrunch:
    LastPass Launches A Native Password Manager For Mac Offering Quick Search, Security Checks And Offline Access
    http://techcrunch.com/2015/01/20/lastpass-launches-a-native-password-manager-for-mac-offering-quick-search-security-checks-and-offline-access/

    With data breaches becoming par for the course, it seems, there’s renewed interest from mainstream web users in increased password security and other protections. (Well, some users that is.) A handful of software makers serve this market with desktop, mobile and browser-based applications that let you set secure passwords, quickly change them following a breach or hack, and store other personal information needed for filling out online forms.

    Apps like Dashlane, LastPass, 1Password and others are now often some of the first to get installed on users’ new computers or mobile devices, as consumers become increasingly aware of the threat hackers pose, even though, ironically, some of the most high-profile data breaches as of late, like those at Target, Staples and Home Depot, took place at stores’ point-of-sale, not online.

    However, the news coverage of the hacks has helped raise awareness about data security in general, and security software makers have benefitted.

    The upgraded Mac also lets users store logins, passwords, IDs, credit cards and other important data in a “vault,” allowing customers to have secure local access to their sensitive information. The ability to call this information up without relying on an internet connection as before, via LastPass’s web browser extensions, is a huge improvement over its earlier software

    Reply
  30. Tomi Engdahl says:

    Remotely Controlling Automobiles Via Insecure Dongles
    http://hackaday.com/2015/01/21/remotely-controlling-automobiles-via-insecure-dongles/

    Automobiles are getting smarter and smarter. Nowadays many vehicles run on a mostly drive-by-wire system, meaning that a majority of the controls are electronically controlled. We’re not just talking about the window or seat adjustment controls, but also the instrument cluster, steering, brakes, and accelerator. These systems can make the driving experience better, but they also introduce an interesting avenue of attack. If the entire car is controlled by a computer, then what if an attacker were to gain control of that computer? You may think that’s nothing to worry about, because an attacker would have no way to remotely access your vehicle’s computer system. It turns out this isn’t so hard after all. Two recent research projects have shown that some OBD-II dongles are very susceptible to attack.

    The first was an attack on a device called Zubie. Zubie is a dongle that you can purchase to plug into your vehicle’s OBD-II diagnostic port.

    A separate but similar project was also recently discussed by [Corey Thuen] at the S4x15 security conference. He didn’t attack the Zubie, but it was a similar device.

    The first research team provided their findings to Zubie who have supposedly fixed some of the issues. Progressive has made a statement that they hadn’t heard anything from [Thuen], but they would be happy to listen to his findings.

    Reply
  31. Tomi Engdahl says:

    VideoLAN Says Flaws Exist in Codecs Library, Not VLC
    http://www.securityweek.com/videolan-says-flaws-exist-codecs-library-not-vlc

    Two vulnerabilities that could potentially be exploited for arbitrary code execution exist in libavcodec, a free and open-source audio/video codecs library used by several popular media players.

    The issues were discovered last year by Turkey-based researcher Veysel Hatas. Hatas said the vulnerabilities exist in the VLC media player and even got the MITRE Corporation to assign them CVE identifiers.

    However, VideoLAN, the non-profit organization that develops VLC, pointed out that the security holes actually exist in libavcodec, which is used as the main decoding engine not only by VLC, but several other media players as well, including Xine and MPlayer.

    http://en.wikipedia.org/wiki/Libavcodec

    Reply
  32. Tomi Engdahl says:

    CISOs in the Dark on State of Security Readiness: Cisco
    http://www.securityweek.com/cisos-dark-state-security-readiness-cisco

    The gulf between reality and perception is widening, according to Cisco’s annual survey of CISOs and security executives.

    Nearly 75 percent of CISOs in the survey said the security tools they have in place were very, or extremely, effective, according to Cisco’s 2015 Annual Security Report, released Tuesday.

    There is nothing to celebrate, however, as it’s not clear the CISOs have an idea of what they should have. It turned out less than 50 percent of respondents had standard security tools such as patch and configuration management, the survey found.

    Security experts are getting better at dismantling exploit kits, such as the effort to shut down the Black Hole exploit kit in 2013. No other exploit kit has been able to achieve similar levels of success and there is no clear contender for the most popular kit.

    A significant number of Web application attacks target Web technologies such as Flash and Java.
    However, an interesting finding was that Java exploits have decreased by 34 percent in 2014, but Silverlight attacks have soared 280 percent

    Users are caught right in the middle—they are both victims as well as unwitting participants in spreading the attack, Cisco found in its report. Criminals count on users to be “careless” when using the Internet, and attackers are also targeting users to infect machines with malware or to launch exploits.

    “They [attackers] design malware that relies on tools that users trust, or view as benign, to persistently infect and hide in plain sight on their machines,” the report said.

    Defenders may believe they have optimal security processes in place, but it’s more likely their security readiness needs improvement. Cisco offers a “Security Manifesto,” a set of security principles corporate boards and security teams can use to address the shortcomings in their security posture.

    Reply
  33. Tomi Engdahl says:

    World Economic Forum Proposes New Cyber Risk Framework
    http://www.securityweek.com/new-framework-calculating-cyber-risk-proposed-world-economic-forum

    With the annual World Economic Forum meeting in Switzerland just days away, the organization and its partners have released a new framework designed to help businesses calculate the impact of cyber-threats.

    The framework, called “cyber value-at-risk”, was proposed in a new report entitled ‘Partnering for Cyber Resilience: Towards the Quantification of Cyber Threats’ and was created in collaboration with Deloitte. The idea behind the framework is to help organizations answer questions about their susceptibility to cyber attacks, how valuable their key assets are and who might be after them.

    The framework includes three principal components: the assets under threat, profile of the attacker based on who the attacker is and their motivation and information about vulnerabilities and defenses in the enterprise.

    “The components, some of which can be represented by both random variables (a variable subject to change due to chance, such as frequency of attacks, general security trends, maturity of security systems in the organization, etc.) are put into a stochastic model (a statistical tool to estimate probability distribution, which has one or more random variables over a period of time),” the report continues. “The statistical process will yield a probability distribution.”

    To improve the situation, the World Economic Forum is starting a multi-year initiative to bring leaders in the public and private sector together with the technical community and others to address these issues, according to the report.

    Partnering for Cyber Resilience
    Towards the Quantification of Cyber Threats
    http://www3.weforum.org/docs/WEFUSA_QuantificationofCyberThreats_Report2015.pdf

    Reply
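A Monte Carlo sketch of the framework as the report describes it: assets, attacker profile and the vulnerability/defence posture enter a stochastic model as random variables, the model yields a distribution of annual loss, and the value-at-risk is read off as a quantile of that distribution. This is an added illustration, not code from the WEF/Deloitte report or the article; all asset values, attack rates, capabilities and the loss formula are constructed assumptions.

```python
"""Monte Carlo sketch of a cyber value-at-risk estimate.

Constructed illustration of the framework described above: random variables
for the assets under threat, the attacker profile and the vulnerability /
defence posture feed a stochastic model whose output is a distribution of
annual loss. Every parameter value and the loss model itself are assumptions
made for this example, not figures from the WEF/Deloitte report.
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    value: float  # loss if fully compromised (constructed, arbitrary currency units)


@dataclass(frozen=True)
class AttackerProfile:
    name: str
    attempts_per_year: float  # mean attack frequency, modelled as a Poisson rate
    capability: float         # probability an attempt defeats an absent control


@dataclass(frozen=True)
class Posture:
    exposed_fraction: float  # share of assets reachable and unpatched
    control_strength: float  # probability existing controls stop a capable attacker


def poisson(rng: random.Random, rate: float) -> int:
    """Draw a Poisson-distributed count (Knuth's method; fine for small rates)."""
    threshold = math.exp(-rate)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= threshold:
            return count
        count += 1


def success_probability(attacker: AttackerProfile, posture: Posture) -> float:
    """Chance that one attempt by this attacker causes a loss (constructed model)."""
    return attacker.capability * posture.exposed_fraction * (1.0 - posture.control_strength)


def simulate_annual_loss(rng, assets, attackers, posture) -> float:
    """One trial: sample attempts per attacker, then the loss of each success."""
    loss = 0.0
    for attacker in attackers:
        p_success = success_probability(attacker, posture)
        for _ in range(poisson(rng, attacker.attempts_per_year)):
            if rng.random() < p_success:
                asset = rng.choice(assets)
                severity = rng.uniform(0.1, 1.0)  # partial to full compromise
                loss += asset.value * severity
    return loss


def cyber_value_at_risk(assets, attackers, posture, confidence=0.95,
                        trials=10_000, seed=1):
    """Return (VaR at the given confidence, sorted annual-loss samples)."""
    rng = random.Random(seed)  # fixed seed keeps the estimate reproducible
    losses = sorted(simulate_annual_loss(rng, assets, attackers, posture)
                    for _ in range(trials))
    index = min(int(confidence * trials), trials - 1)
    return losses[index], losses


# Constructed sample inputs, not taken from any real organisation.
ASSETS = [
    Asset("customer database", 2_000_000),
    Asset("payment system", 5_000_000),
    Asset("public website", 300_000),
]
ATTACKERS = [
    AttackerProfile("opportunistic criminal", attempts_per_year=12.0, capability=0.3),
    AttackerProfile("targeted group", attempts_per_year=1.0, capability=0.8),
]
WEAK_POSTURE = Posture(exposed_fraction=0.6, control_strength=0.5)
STRONG_POSTURE = Posture(exposed_fraction=0.2, control_strength=0.9)

if __name__ == "__main__":
    for label, posture in (("weak", WEAK_POSTURE), ("strong", STRONG_POSTURE)):
        var95, losses = cyber_value_at_risk(ASSETS, ATTACKERS, posture)
        expected = sum(losses) / len(losses)
        print(f"{label:6s} posture: expected annual loss {expected:12,.0f}  "
              f"95% VaR {var95:12,.0f}")
```

Comparing the two postures shows the point of the framework: the same assets and attackers produce a much smaller tail loss once exposure and control strength improve, which is what the quantified comparison is meant to make visible to a board.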
  34. Tomi Engdahl says:

    Australian traffic lights need better security says auditor-general
    Poor passwords, proprietary code … what could possibly go – CRASH! – wrong?
    http://www.theregister.co.uk/2015/01/22/nsw_traffic_lights_need_better_infosec_auditorgeneral/

    The Auditor-General of the Australian State of New South Wales (NSW) and the state’s roads bureaucrats are at loggerheads over whether or not traffic signal infrastructure is vulnerable to attacks over the Internet.

    In a report on critical infrastructure security, the audit office asserts that “systems in place to manage traffic signals are not as secure as they should be”.

    The report adds that “there is a potential for unauthorised access to sensitive information and systems that could result in traffic disruptions, and even accidents in one particular section of the road network”.

    The report, naturally enough, doesn’t identify where the vulnerabilities might exist.

    The bloodstream of the network is the locally-developed SCATS – Sydney Co-ordinated Adaptive Traffic System – which was first developed in the 1970s by the current Roads & Maritime Services predecessor, the Roads and Traffic Authority.

    The auditor identifies key risks as being poor SCATS password control; and asserts that some servers in the network are only receiving anti-virus updates on a weekly basis

    There’s also concern that the roadside cabinets – the immediate control of traffic signals – are too easy to break into, that staff aren’t well trained to respond to security incidents, and that some software isn’t patched frequently enough.

    TfNSW, however, isn’t certain that things are dire. In its response, published as part of the report, it states:

    “Whilst Transport accepts that there is a possibility for unauthorised access to sensitive information and systems, as there is for all inter-connected industrial control systems, we refute the suggestion the result could ‘… cause accidents on one particular section of the road network’.”

    Even the auditor’s report notes that attacks on the traffic light infrastructure are unlikely to lead to a cascade of Camrys nose-to-tailing:

    “Traffic light controllers are highly resistant to standard hacking techniques. The devices in use have been certified to formal Australian Standards that require safety interlocks. These interlocks are used to prevent simultaneous green lights creating a dangerous situation at an intersection.”

    The same report also recommended improvements to the Sydney Water security infrastructure

    Security of Critical IT Infrastructure
    http://www.audit.nsw.gov.au/publications/performance-audit-reports/2015-reports/security-of-critical-it-infrastructure/security-of-critical-it-infrastructure

    Reply
  35. Tomi Engdahl says:

    Remote code execution vulns hit Atlassian kit
    Patch this! And this! And this! And this!
    http://www.theregister.co.uk/2015/01/22/atlassian_vulns/

    Software development software house Atlassian has patched critical vulnerabilities found in all versions of its Confluence, Bamboo, FishEye, and Crucible products.

    Confluence is an enterprise Wiki, Bamboo runs software builds and commits, FishEye centralises multiple code repositories and Crucible offers a code peer review platform.

    The bug affecting all platforms was an Object-Graph Navigation Language

    Customers should apply their own severity ratings to the bugs and could download patches from the respective advisories.

    Reply
  36. Tomi Engdahl says:

    Flash zero day under attack
    Most popular exploit kit smashing IE users, but Chrome safe
    http://www.theregister.co.uk/2015/01/22/angler_ek_exploits_flash_0day/

    A zero day Flash vulnerability is being actively exploited by criminals using the popular Angler exploit kit.

    Adobe is investigating the report by respected French malware researcher Kafeine, who found the exploit kit circulating on cybercrime forums.

    The vulnerabilities affected Flash Player versions up to 15.0.0.223 and the latest 16.0.0.257, he said.

    Punters on Windows 8.1 are safe, along with those using Google Chrome thanks to use of sandboxing.

    The free version of MalwareBytes’ Anti-Exploit tool prevented the attack, but it is as yet unknown if Microsoft’s Enhanced Mitigation Exploit Tool can fight the attack.

    The zero-day came as Cisco warned separately that exploit kit writers were taking more time to write obfuscated code.

    Reply
  37. Tomi Engdahl says:

    Russell Brandom / The Verge:
    Journalist and Anonymous advocate Barrett Brown sentenced to 63 months in prison on charges stemming from Stratfor hack

    Barrett Brown has been sentenced to 63 months in prison
    http://www.theverge.com/2015/1/22/7871317/barrett-brown-sentencing-anonymous-stratfor

    After years of legal battles, Barrett Brown’s legal saga has finally come to a close. Today, the independent journalist has been sentenced to 63 months in prison, after pleading guilty to charges of transmitting threats, accessory to hacking charges, and interfering with the execution of a search warrant. As Brown’s legal team described the charges in the run-up to sentencing, “This breaks down to uploading YouTube videos that contained unfortunate statements, efforts to redact sensitive e-mails that had been procured by hackers, and hiding laptops in a kitchen cabinet.”

    Brown had closely followed Anonymous during the Stratfor hack and drew the attention of law enforcement when he shared a link to an IRC channel where Anonymous members were distributing stolen information from the hack, including credit card details. That led to identity theft and fraud charges, as well as subsequent legal and evidentiary battles with the FBI, which led to the ancillary charges adjudicated today.

    Reply
  38. Tomi Engdahl says:

    Michael Carney / PandoDaily:
    Braintree opens private beta allowing US merchants to accept bitcoin via its v.zero SDK and Coinbase integration

    Paying for Uber with Bitcoin? Braintree opens up bitcoin payments to its thousands of merchants
    http://pando.com/2015/01/22/braintree-goes-full-bitcoin-allowing-all-merchants-to-accept-the-virtual-currency-for-any-transaction/

    Two of the biggest forces in modern payments collided today as Braintree announced broad availability of its bitcoin payments product via a previously announced partnership with Coinbase.

    The integration was initially announced in September, with subsequent news from PayPal that limited use by its merchants to digital goods transactions like media, software, and in-app purchases. Today’s update means that, effective immediately, “any merchant that uses Braintree for credit card payments [can now accept bitcoin payments]” according to a Braintree spokesperson.

    “Today, our initial integration with Coinbase is complete and we are opening up private beta access to allow merchants in the US to accept bitcoin via v.Zero,” the company writes in a blog post today.

    With Braintree powering the online and mobile payments of several of the most popular consumer companies, this could be big news for bitcoin adoption. Popular merchants like Uber, AirBnB, HotelTonight, and thousands of others all have the option to enable bitcoin payments by flipping a single switch within the Braintree administrative interface. Coinbase already works with some 38,000 merchants including household names like Dell, Expedia, and Overstock.com, in addition to its 2.2 million consumer wallets. The company also has a similar payments processing partnership with Stripe.

    For bitcoin bulls, this news couldn’t come at a better time. The market has been fighting a negative news cycle – namely the BitStamp hack and Silk Road trial – and several fundamental factors contributing to declining prices. This includes the inflationary effects of new bitcoins entering circulation daily, merchants instantly converting all incoming bitcoin to fiat currency, and the declining profitability of mining. Anything that increases transaction volume and buy-side demand has the potential to stabilize, if not buoy prices.

    Braintree, its parent PayPal, and their parent eBay have often presented conflicting perspectives on bitcoin.

    Reply
  39. Tomi Engdahl says:

    Adobe finds, patches ANOTHER exploited Flash 0day
    One down, one to go.
    http://www.theregister.co.uk/2015/01/23/adobe_finds_patches_another_exploited_flash_0day/

    Another exploited zero-day vulnerability has been uncovered and patched in Adobe Flash, 24 hours after a second flaw in the popular web trinket was found being used in attack kits.

    Adobe is examining yesterday’s zero-day, picked up by French researcher Kafeine who spotted it after analysing a version of the popular Angler exploit kit.

    The vulnerability affected Flash Player versions up to 15.0.0.223 and the latest 16.0.0.257.

    Reply
  40. Tomi Engdahl says:

    Symantec data centre security software has security holes
    Stop face-palming and start patching – the fixes are out there
    http://www.theregister.co.uk/2015/01/23/symantec_patch_data_centre_security_holes/

    Security bod Stefan Viehböck has detailed holes in Symantec’s data centre security platforms that the company plugged this week because they allowed hackers to gain privilege access to management servers.

    The patches fix holes in the management server for Symantec Critical System Protection (SCSP) 5.2.9 and its predecessor Data Center Security: Server Advanced (SDCS:SA) 6.0.x and 6.0 MP1.

    SEC Consult researcher Stefan Viehböck who found the flaws said the products should not be used until a full security audit was conducted.

    “Attackers are able to completely compromise the SDCS:SA Server as they can gain access at the system and database level,” Viehböck wrote in an advisory

    “Furthermore attackers can manage all clients and their policies.

    Reply
  41. Tomi Engdahl says:

    Top US privacy bod: EU should STOP appeasing whiny consumers
    Ding ding ding: Round 94 of the EU vs the US on privacy
    http://www.theregister.co.uk/2015/01/23/us_law_enforcement_commish_slams_eu_data_protection_bodies/

    A top US law enforcement commissioner has claimed European data protection authorities are too worried about helping consumers instead of robustly enforcing privacy laws.

    Speaking at CPDP2015 in Brussels, Julie Brill, privacy commissioner for the US Federal Trade Commission (FTC) defended the US approach to protecting privacy.

    “European data protection authorities are too focussed on individual cases and can’t see the bigger picture,” she said. “If you rely entirely on complaints, you will always focus on consumer-facing companies and I think that’s a problem.”

    “We at the FTC get our cases from all sources including newspaper articles or even competitors,” continued Brill. “A great data protection law is no good if you don’t enforce it.”

    Paul Nemitz, a director in the European Commission’s justice department, didn’t tackle Brill’s accusation directly, but countered by slamming the US’ refusal to give EU citizens equal data protection.

    “You don’t take action on any EU cases,” Nemitz thundered. “There aren’t thousands of EU complaints coming to the FTC, but you still say it’s too tedious – it really is a bit much.”

    Reply
  42. Tomi Engdahl says:

    Increased gov spy powers are NOT the way to stay safe against terrorism
    Because dancing on corpses is for the cool kids
    http://www.theregister.co.uk/2015/01/18/theresa_may_david_cameron_stupid_surveillance_encryption_ideas/

    Opinion As various unsavoury characters scrabble to grab the limelight after the Charlie Hebdo mass murders in Paris, the British government is using the atrocities to justify yet more intrusive snooping powers to use against ordinary people.

    The Home Secretary told Parliament that because the French authorities might have used communications data, Brits should roll over and accept her Snoopers’ Charter.

    Reply
  43. Tomi Engdahl says:

    Apple Agrees To Chinese Security Audits of Its Products
    http://apple.slashdot.org/story/15/01/23/022204/apple-agrees-to-chinese-security-audits-of-its-products

    According to a story in the Beijing News, Apple CEO Tim Cook has agreed to let China’s State Internet Information Office to run security audits on products the company sells in China in an effort to counter concerns that other governments are using its devices for surveillance.

    Report: Apple agrees to Chinese security audits of its products
    http://www.itworld.com/article/2874235/report-apple-agrees-to-chinese-security-audits-of-its-products.html

    Apple will allow China’s State Internet Information Office to run security audits on products the company sells in China in an effort to counter concerns that other governments are using its devices for surveillance, according to news reports.

    Apple CEO Tim Cook agreed to the security inspections during a December meeting in the U.S. with information office director Lu Wei, according to a story in the Beijing News.

    Reply
  44. Tomi Engdahl says:

    Leaked doc: Europe’s justice chiefs forming plans to cosy up to ISPs
    Yeah, and bring back PNR! Think of the terrorists…
    http://www.theregister.co.uk/2015/01/23/leaked_doc_reveals_eu_forming_plans_for_easier_isp_data_access/

    23 Jan 2015 at 11:38, Jennifer Baker

    Europe’s justice ministers appear to be forming plans to make it easier to access ISPs’ data, as part of a series of proposals intended to limit the spread of online radicalising material.

    The proposals were revealed when an internal document for discussion at the Justice and Home Affairs Council in Riga (on 29, 30 January) was published on Statewatch.org (PDF). The document has drawn immediate criticism of being a knee-jerk response to the Charlie Hebdo attacks.

    According to the document, the European Commission should “deepen the engagement with internet companies” as “working with the main players in the internet industry is the best way to limit the circulation of terrorist material online”.

    The document laments that “cross-border information about owners of IP addresses can take very long to obtain”, and says the process must be speeded up – although it does not specify how it plans to do this.

    Reply
  45. Tomi Engdahl says:

    The top five most dangerous threats to your data center, namely:

    1. DDoS Attacks
    2. Web Application Attacks
    3. DNS Infrastructure: Attack Target and Collateral Damage
    4. SSL-Induced Security Blind Spots
    5. Brute Force and Weak Authentication

    Source: http://whitepapers.theregister.co.uk/paper/view/3642/todays-most-dangerous-security-threats.pdf

    Reply
  46. Tomi Engdahl says:

    Former FBI Agent: Case Against Accused Silk Road Boss Is ‘as Strong as It Gets’
    http://motherboard.vice.com/read/former-fbi-agent-case-against-accused-silk-road-boss-is-as-strong-as-it-gets

    In October of 2013, an undercover FBI agent watched then-29-year-old Ross Ulbricht log out of the drug market Silk Road’s administration tools, walk down the street to the library, and log back in. According to a former FBI agent who worked on cyber crime, the arrest of Ulbricht—now on trial for allegedly being the kingpin of the online black market—was a slam dunk.

    “That’s about as good as it gets as far as I’m concerned, where someone was watching as he was working on the site,” Michael Panico, who worked on cyber cases with the FBI for 10 years, told me.

    Establishing attribution in cyber cases is particularly hard, with anonymity tools such as Tor; encryption that law enforcement can’t even crack; and things like virtual personal networks (VPNs), a type of connection that can make people appear as though they are in another geographic location than they actually are. It’s one of the reasons why there’s so much doubt surrounding the Sony hack.

    The FBI has presented this as an open-and-shut case, and Ulbricht has admitted that he did run Silk Road for a while. But the defense has now suggested that Ulbricht created the site as an “economic experiment” and passed control of it, and the Dread Pirate Roberts name on to someone else.

    “Even in cyber cases, especially in cyber cases, there’s always a physical component.”

    Reply
  47. Tomi Engdahl says:

    This Small Box Will Stop Hackers from Turning Your Smart Home Against You
    http://motherboard.vice.com/read/this-small-box-will-stop-hackers-from-turning-your-smart-home-against-you?trk_source=recommended

    Most people are bad enough at setting up their home routers. It’s probably too much to ask that they know what sort of data is passing through them, too.

    And while not everyone should have to be their own CTO, that doesn’t mean there shouldn’t be an easier way to keep track of what the devices on our networks are doing. Or, at the very least, to know whether the traffic they’re sending or receiving is good or bad.

    That’s the intent behind Numa. It’s a personal networking device, still under development, that’s intended to act as a go-between for your router and modem, or whatever you use to connect to the internet. What Numa does is watch the data travelling in and out of your home network for threats. Some of those threats might come from outside, but they might also come from inside your network, too.

    Either way, when Numa detects a threat, it can block it, and your network stays secure.

    While there’s lots of arcane software that can do this sort of thing already, the goal is to make Numa extremely simple for anyone to use—a self-contained product that’s plug-and-play. When it comes to networking hardware, that’s certainly no small feat.

    Numa has a few tricks—it’s got a whole database of possible threats it can cross check when it detects something nefarious. Numa knows what servers are used by botnets, prevents malware from connecting to your computer, and can block traffic from IP addresses known to launch denial of service attacks.

    And Numa is thinking of your smart home devices, too. If an attacker tries to access cameras in your home, perhaps, or deliver an exploit to your internet-connected fridge, Numa will keep them out. Gone are the days when threats were limited to payloads of malicious code, waiting to be opened or clicked.

    “There are all these new applications for network technology that involve hooking up things to the internet that were never connected before,” Isaac Wilder, Numa’s creator, told Motherboard. It’ll protect everything from thermostats to fridges, vacuums and lightbulbs. “And that comes with a lot of new opportunities. But it also comes with a lot of new risks.”

    After the pre-sale, Numa will retail for $349.

    https://nodal.net/numa

    Reply
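The comment above describes what a boundary device like Numa does: look at each connection crossing the LAN edge in either direction, cross-check the remote address against a database of known botnet servers and DoS sources, and stop outsiders reaching smart-home services. The block below is an added example of that logic, written for this page; it is not Numa's or Nodal's code and says nothing about how that product is built. The LAN range, the block list, the IoT port table and the flow records are all constructed for illustration (external hosts use the RFC 5737 documentation ranges), and the check is deliberately stateless: a real gateway would also track connection state and refresh its block list from a feed.

```python
"""Added example: a minimal version of the inline flow check described
for Numa. NOT Numa's code or any vendor's; the LAN range, block list,
port table and flow records below are constructed for illustration."""
import ipaddress
from dataclasses import dataclass

LAN = ipaddress.ip_network("192.168.1.0/24")   # assumed home network

# Constructed threat database: known botnet C2 nets and DoS sources.
# A real device would pull this from a feed and refresh it regularly.
BLOCKLIST = {
    "198.51.100.0/24": "botnet-c2",
    "203.0.113.7/32": "dos-source",
}
BLOCKED_NETS = [(ipaddress.ip_network(c), tag) for c, tag in BLOCKLIST.items()]

# Services on LAN devices that should never be reachable from outside.
IOT_SERVICE_PORTS = {554: "rtsp-camera", 80: "http-admin", 23: "telnet"}


@dataclass
class Verdict:
    action: str   # "allow" or "block"
    reason: str


def lookup_reputation(ip: str):
    """Return the block-list tag covering ip, or None if it is not listed."""
    addr = ipaddress.ip_address(ip)
    for net, tag in BLOCKED_NETS:
        if addr in net:
            return tag
    return None


def check_flow(src: str, dst: str, dport: int) -> Verdict:
    """Decide on one connection attempt seen at the LAN/WAN boundary.
    Catches both directions: an infected LAN host calling out to a listed
    server, and an external host probing an IoT service on the LAN."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    src_inside, dst_inside = src_ip in LAN, dst_ip in LAN

    # Outbound: LAN host talking to a listed server (e.g. malware beaconing).
    if src_inside and not dst_inside:
        tag = lookup_reputation(dst)
        if tag:
            return Verdict("block", f"outbound to {tag} {dst}")
        return Verdict("allow", "outbound, destination not listed")

    # Inbound: external host reaching for a LAN device.
    if dst_inside and not src_inside:
        tag = lookup_reputation(src)
        if tag:
            return Verdict("block", f"inbound from {tag} {src}")
        if dport in IOT_SERVICE_PORTS:
            svc = IOT_SERVICE_PORTS[dport]
            return Verdict("block", f"unsolicited inbound to {svc} on {dst}:{dport}")
        # Left to the router's own stateful filtering in this simplified model.
        return Verdict("allow", "inbound, no rule matched")

    # LAN-to-LAN or WAN-to-WAN traffic never crosses a boundary device.
    return Verdict("allow", "not crossing the LAN boundary")


def check_log(lines):
    """Parse constructed flow records of the form 'src dst dport'."""
    results = []
    for line in lines:
        src, dst, dport = line.split()
        results.append((line, check_flow(src, dst, int(dport))))
    return results


# Constructed sample traffic, one flow per line: "src dst dport".
SAMPLE_FLOWS = [
    "192.168.1.20 198.51.100.45 443",   # fridge beaconing to a listed C2 net
    "192.168.1.21 192.0.2.10 443",      # thermostat to an unlisted cloud host
    "203.0.113.7 192.168.1.30 554",     # listed DoS source probing a camera
    "192.0.2.99 192.168.1.30 554",      # unlisted outsider reaching the camera
    "192.0.2.99 192.168.1.30 49152",    # inbound to a non-service port
]

if __name__ == "__main__":
    for line, v in check_log(SAMPLE_FLOWS):
        print(f"{v.action:5} {line:32} {v.reason}")
```

The point worth noticing is that the outbound branch is what catches the "threats from inside" case the article mentions: a compromised fridge or camera gives itself away by the server it calls, not by anything it receives, so reputation has to be checked on the destination of outbound flows as well as on the source of inbound ones.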
  48. Tomi Engdahl says:

    Privacy is Dead, Davos Hears
    http://www.securityweek.com/privacy-dead-davos-hears

    Davos, Switzerland – Imagine a world where mosquito-sized robots fly around stealing samples of your DNA. Or where a department store knows from your buying habits that you’re pregnant even before your family does.

    That is the terrifying dystopian world portrayed by a group of Harvard professors at the World Economic Forum in Davos on Thursday, where the assembled elite heard that the notion of individual privacy is effectively dead.

    “Welcome to today. We’re already in that world,” said Margo Seltzer, a professor in computer science at Harvard University.

    “Privacy as we knew it in the past is no longer feasible… How we conventionally think of privacy is dead,” she added.

    Another Harvard researcher into genetics said it was “inevitable” that one’s personal genetic information would enter more and more into the public sphere.

    Sophia Roosth said intelligence agents were already asked to collect genetic information on foreign leaders to determine things like susceptibility to disease and life expectancy.

    Reply
  49. Tomi Engdahl says:

    New CTB-Locker Variant Allows Victims to Recover 5 Files for Free
    http://www.securityweek.com/new-ctb-locker-variant-allows-victims-recover-5-files-free

    A new variant of the CTB-Locker (Critroni) ransomware has been spotted in the wild by researchers at Trend Micro.

    The cybercriminals behind CTB-Locker have become more generous and more greedy at the same time. According to the security company, the latest version of the malware gives victims more time to pay the ransom and even allows them to decrypt some files for free. On the other hand, the ransom has increased significantly.

    The malware encrypts important files on the infected machine and displays a ransom demand. Victims are instructed to make the payment in Bitcoin via the Tor network.

    Reply
