Security trends for 2015

Year 2014 is coming to an end, so it is time to look forward to what to expect from 2015 in cyber security.

Cyber security will get harder year by year. Year 2014 was much worse than 2013. The Heartbleed, Bash and POODLE vulnerabilities were just the beginning of what to expect in 2015. I expect that 2014 was easy compared to what 2015 will be. 2015 will prove to be a challenging year for IT security professionals. Attacks can happen anywhere and anytime, and they don’t have to be major attacks by nation states. They could come from inside or outside.

According to Gartner and SecurityWeek, total information security spending will grow a further 8.2 percent in 2015 to reach $76.9 billion. Unfortunately, security investments are not keeping up with IT enhancements that continuously widen our attack surface and make systems more vulnerable. As computer software has become the backbone of modern civilization, “hacktivists”, organized cyber criminals, state-sponsored attackers and terrorist organizations try to exploit design flaws and weaknesses in applications in order to embarrass corporations and government agencies and to commit fraud.

Despite the high profile CryptoLocker takedown, ransomware scams remain an all-too-real threat. Crooks are developing more sophisticated encryption schemes to support their fraud.

The steady flow of software security issues will keep making headlines in 2015. Serious security flaws will be found in both open source and proprietary software.

Many people are looking for a good process for developing secure software, because after-the-fact band-aiding is not a sustainable approach. If the same methods continue to be used to develop software, with tests added retrospectively, there will only be a very modest reduction in the flow of problems. Processes for developing reliable and secure networking software exist, but they have yet to be broadly applied. Traditional software development methods continue to result in high failure rates. Why create insecure security?

Year 2014 was a year of cybersecurity news following the NSA revelations made in 2013. Lots of articles were written about the published material. Not everything has been published yet, so I expect further details of the NSA revelations to come out in 2015 as well, and with them new information leaks about how governmental security organizations spy on us all.

It seems that 2014 has almost been “The Year of PoS Breaches.” Can we learn from big breaches? At least companies will also face more stringent regulations: the new Payment Card Industry Data Security Standard 3.0 (PCI 3.0) will be mandatory for all businesses that store, process or transmit payment card information beginning 1 January 2015. The revamped standard includes requirements aimed at third-party providers. The changes follow a string of high-profile breaches. I expect that the new requirements will not result in any quick change to the situation. As breach reports keep coming in constantly, consumers are officially starting to get breach fatigue, and banks are taking breached companies to court to pay for the damages caused to them.

Public and private organizations are facing an increasing frequency and sophistication of cyber-attacks and security breaches – many of which are only discovered after the fact. McAfee Labs’ 2015 Threats Predictions report is an eye-opening read which forecasts increased levels of crime, espionage and warfare operations.  Cybercriminals are expected to use more sophisticated methods to remain hidden on a victim’s network, carrying out long-term theft of data without detection.

The article Get Ready For The Hack Attack That Drives A Big Company Out Of Business predicts that 2015 will be the year some company goes out of business because it didn’t plan adequately for an attack. In the past, the most sophisticated hacks against companies were carried out by big nation-states or criminal organizations. In 2014 the Sony Pictures hack happened and showed that the motives of sophisticated hackers have changed from self-gain to destruction. Many company officers are only now becoming aware of the threat (boards of directors and C-level officers have traditionally been focused on other threats). A computerized attack can cause a lot of damage to a well-prepared company, and can turn a not so well-prepared company into a complete disaster it cannot recover from. The Sony attack opens new doors of risk in the area of corporate extortion.

As the Internet of Things becomes more widely used, it will be hacked more, so the security of the Internet of Things will be talked about more and more. IoT is one field where cyber security flaws can kill. The European Police Office (Europol) said governments are ill-equipped to counter the menace of “injury and possible deaths” spurred by hacking attacks on critical safety equipment. There are many potential dangers in transportation: many new cars are Internet connected and potentially vulnerable, SCADA systems in railways are vulnerable to attack, and airline bosses ignore cyber security concerns at their peril. Whether it is an unintentional cyber incident or a deliberate attack, security continues to be a vital part of the automation industry, and together with safety it will remain a growing area of concern for manufacturers in the coming years. Security awareness is on the rise throughout the industry. Security is becoming a business enabler that can provide manufacturers with more than just an insurance policy.

Soon almost every network will have IoT hacking in it. IDC predicts that within two years 90 per cent of global IT networks will have experienced IoT data theft. In a report, cybersecurity firm Fortinet expects greater threats from “denial of service attacks on assembly line, factory, industrial control systems, and healthcare and building management…resulting in revenue losses and reputation damages for organizations globally.” This opens new doors of risk in the areas of corporate extortion, altering of corporate business operations, and the extension of cyberattacks to include physical threats of harm to civilians.

Cyber warfare is becoming more and more attractive to small nations and terrorist groups. Enabled by Internet connectivity, cyber war provides more bang for the buck than investment in conventional weapons. It is cheaper for, and far more accessible to, these small nation-states than conventional weapons. It allows these countries to pull off attacks with less risk of getting caught and without the repercussions when they are caught. There are many reasons why a nation-state or non-state entity would pursue a cyber war program, and today many countries large and small invest in cyber warfare. Recent cyber attacks suggest that fewer resources are required to wage an attack than to defend against one. As the whole world gets connected, it provides exactly the details that make these attacks possible. In the not-too-distant future, warfare with traditional weaponry may take a backseat to potentially more destructive tactics: computer code attacking the companies and infrastructures that society relies on, including electric grids and oil and gas pipelines.

It was estimated that the first online murder would happen in 2014. As far as I know, it did not happen in 2014. I think it is likely that an online murder can happen in 2015. The tools for it to happen are available. Cyber-murder can happen without us knowing about it.

Mobile devices will be one of the focal points for cyber-attackers in 2015, as they present relatively easy, low-risk points of entry that can be monitored remotely for passwords, account numbers and personal identification data. It is still relatively easy to get malicious applications published in application stores. Within the next year, advanced mobile exploit kits will become available.

Mobile devices will start to play a part in denial of service attacks. Vietnam, India and Indonesia will be the distributed denial of service volcanoes of next year due to the proliferation of pwned mobiles.

Year 2014 brought encryption to mainstream smartphones (new encryption features from Apple Inc. and Google Inc.). In 2015 government organizations will try to tackle a very modern problem: password-protected encrypted cellphones. It will be a fight over surveillance as everyone starts to implement encryption.

Long predicted but always seeming to be “just around the corner,” mobile payments may finally have arrived. The underlying technologies of the coming mobile payment revolution, and alternative solutions, have been emerging for some time. Technologies playing a supporting role in this shift include encryption advances, digital currencies, biometrics, NFC, Bluetooth, QR codes and even sound wave data transfer. There will also be products marketed to prevent the different kinds of potential threats the new technologies can cause.

There is a never-ending battle between good and evil in the cyber world. Various types of attacks succeed because they are well disguised, blend different techniques and constantly evolve. You need layered security, and it is not just for networks. Use a layered security architecture that supports a combination of defenses in ways attackers don’t expect and that continuously evolves protections to keep up with dynamic attacks. Traditionally these approaches have been focused on the network, but they can and should be applied to other parts of the IT system as well (start from email gateways). Email is the preferred channel for business communications and thus continues to be a vector of choice for attackers.

Threat information sharing will become necessary for survival. Security controls (SANS Critical Controls, ISO/IEC 27002, the NIST Cybersecurity Framework and the Cloud Controls Matrix) are safeguards that counteract or minimize security risks to digital property. The more you can automate a control, the better off you will be. Moving towards an adaptive and automated way of applying intelligence based on behavior and heuristics is clearly a step in the right direction, enabling a more actionable and relevant set of controls. Threat intelligence from a variety of sources (security companies, governments and the open source community) is needed. Key to success is publishing intelligence in standard data structures (STIX, TAXII and other industry formats) that describe threats in a way that can be aggregated and understood by others.

More and more organizations are moving applications and data to IaaS/PaaS environments. Many enterprise IT departments have reason for concern: industry experts agree that moving sensitive data into the hands of third-party cloud providers expands and complicates the risk landscape in which companies operate every day. You need to understand cloud database security basics and more.

Today the major players are embracing end-to-end encryption, and about 50% of web traffic is carried over HTTPS. HTTPS everywhere will get a boost in 2015 as a new certificate authority backed by big names on the Internet, including Mozilla, Cisco and Akamai, plans to offer SSL certificates at no charge starting summer 2015. This move will make it even easier for people to run encrypted, secure HTTPS websites.

Google is proposing to warn people that their data is at risk every time they visit a website that does not use HTTPS. If implemented, the change would mean that a warning pops up when people visit a site that uses only HTTP, notifying them that such a connection “provides no data security”. In the short term, the biggest headache is likely to be faced by website operators, who will feel forced to migrate unencrypted HTTP websites to encrypted HTTPS.

You can’t trust that normal web security technologies will guarantee safety, and your HTTPS security will be manipulated more than before. End-to-end HTTPS is generally a good security addition for end users, but it does not solve all the problems. The increased use of HTTPS has made life harder for IT departments, because normal firewalls cannot look inside encrypted HTTPS packets and so cannot block potential security threats carried within them. There are special corporate firewall arrangements that can intercept HTTPS traffic: they perform a kind of man-in-the-middle attack, decrypting and re-encrypting the packets on the way. So SSL communications can be intercepted and broken.
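To make the interception point concrete, here is an added Go example (my own, not code from the original post or from any firewall product). It builds two constructed roots in memory, one standing in for a public CA and one for a corporate inspection root that IT has installed in the device trust store, issues a certificate for the same constructed hostname from each, and checks both chains two ways: the ordinary trust-store check accepts the proxy’s chain, which is why interception is invisible to most clients, while a pin on the genuine root rejects it, which is how a client or a monitoring check can tell that its HTTPS is being intercepted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issuer is a CA certificate together with the private key that signs under it.
type issuer struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// check aborts the example on an error; the only errors possible here are programming mistakes.
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// newRoot creates a self-signed root in memory. Both roots in this example are constructed.
func newRoot(name string) issuer {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
		IsCA:                  true,
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return issuer{cert: cert, key: key}
}

// issueLeaf has a root sign a server certificate for host, as a public CA does for the real
// site and as an inspecting proxy does on the fly for every site whose traffic it decrypts.
func issueLeaf(root issuer, host string) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, root.cert, &key.PublicKey, root.key)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert
}

// ChainsTo reports whether the presented certificate validates for host against the given roots.
// Passing the device's trust store is the ordinary browser check; passing one pinned root is an interception test.
func ChainsTo(presented *x509.Certificate, host string, roots ...*x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := presented.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}

// Scenario builds the two chains a client may be shown for one hostname: the site's own,
// signed by the genuine root, and the proxy's, re-signed by an inspection root that IT has
// added to the trust store. It returns the outcome of each check.
func Scenario() (genuinePassesPin, proxiedPassesStore, proxiedPassesPin bool) {
	const host = "www.example.invalid" // constructed hostname
	genuine := newRoot("Example Public Root (constructed)")
	proxy := newRoot("Corporate TLS Inspection Root (constructed)")
	realLeaf := issueLeaf(genuine, host)
	proxyLeaf := issueLeaf(proxy, host)
	return ChainsTo(realLeaf, host, genuine.cert),
		ChainsTo(proxyLeaf, host, genuine.cert, proxy.cert),
		ChainsTo(proxyLeaf, host, genuine.cert)
}

func main() {
	g, s, p := Scenario()
	fmt.Printf("genuine chain passes pin: %v\nproxied chain passes trust store: %v\nproxied chain passes pin: %v\n", g, s, p)
}
```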

 

3,110 Comments

  1. Tomi Engdahl says:

    Annalee Newitz / Gizmodo:
    Ashley Madison created 70K female bots which sent fake messages to 20M of 31M men in the database; 11M of them were chatted up by automatic ‘engagers’ — Ashley Madison Code Shows More Women, and More Bots — After searching through the Ashley Madison database and private email last week …

    Ashley Madison Code Shows More Women, and More Bots
    http://gizmodo.com/ashley-madison-code-shows-more-women-and-more-bots-1727613924

    After searching through the Ashley Madison database and private email last week, I reported that there might be roughly 12,000 real women active on Ashley Madison. Now, after looking at the company’s source code, it’s clear that I arrived at that low number based in part on a misunderstanding of the evidence. Equally clear is new evidence that Ashley Madison created more than 70,000 female bots to send male users millions of fake messages, hoping to create the illusion of a vast playland of available women.

    Today Ashley Madison released a statement saying that I couldn’t have figured out how many active women are on the site based on the data dump. The company is right about that. It may still be true that a relatively small number of women are active on Ashley Madison, but the evidence that I thought supported my claims means something else entirely—more on that below.

    What I have learned from examining the site’s source code is that Ashley Madison’s army of fembots appears to have been a sophisticated, deliberate, and lucrative fraud. The code tells the story of a company trying to weave the illusion that women on the site were plentiful and eager. Whatever the total number of real, active female Ashley Madison users is, the company was clearly on a desperate quest to design legions of fake women to interact with the men on the site.

    The Fembots of Ashley Madison [Updated]
    Annalee Newitz
    http://gizmodo.com/the-fembots-of-ashley-madison-1726670394

    Now we know that almost none of the women in the Ashley Madison database ever used the site. The question is, was this a deliberate fraud? Or was it just a dating site gone wrong?

    Yesterday I published the results of my analysis of the Ashley Madison member database, which contained 37 million profiles of people seeking discreet affairs. What I discovered was that, at most, about 12 thousand of these profiles seemed to belong to women who were active on the site. The rest of the 5.5 million women had profiles that appeared to have been abandoned directly after they were created.

    Ashley’s “Angels”

    There are many reasons to call fraud on Ashley Madison’s parent company Avid Life Media, including the fact that they forced men to pay to delete their profiles—and then kept their personal data anyway. But I would argue that Ashley Madison’s fraud goes beyond the paid delete scam. The real scam is false advertising. In commercials and on the site itself, the company promises men that they will meet real women who want to have affairs.

    Men can even pay a premium rate for a “guaranteed affair.” To email women, men have to pay extra, and then they have to pay more still if they want to send a “gift” of a silly gif or picture. Using the site as a man is a little bit like playing Farmville, except instead of blowing your money on fake cow upgrades, you’re blowing it on messages to fake women.

  2. Tomi Engdahl says:

    Los Angeles Times:
    China and Russia cross-referencing data from OPM, Anthem, other hacks to identify US spies; at least one support network for US spies compromised — China and Russia are cross-indexing hacked data to target U.S. spies, officials say — Foreign spy services, especially in China and Russia …

    China and Russia are using hacked data to target U.S. spies, officials say
    http://www.latimes.com/nation/la-na-cyber-spy-20150831-story.html

    Foreign spy services, especially in China and Russia, are aggressively aggregating and cross-indexing hacked U.S. computer databases — including security clearance applications, airline records and medical insurance forms — to identify U.S. intelligence officers and agents, U.S. officials said.

    At least one clandestine network of American engineers and scientists who provide technical assistance to U.S. undercover operatives and agents overseas has been compromised as a result, according to two U.S. officials.

    The Obama administration has scrambled to boost cyberdefenses for federal agencies and crucial infrastructure as foreign-based attacks have penetrated government websites and email systems, social media accounts and, most important, vast data troves containing Social Security numbers, financial information, medical records and other personal data on millions of Americans.

  3. Tomi Engdahl says:

    Joe Mullin / Ars Technica:
    Former Secret Service agent Shaun Bridges pleads guilty to theft of $820K in bitcoin during Silk Road investigation

    Secret Service agent pleads guilty to stealing money from Silk Road dealers
    Agent also gets electronic monitoring after an attempt to adopt a “very odd” name.
    http://arstechnica.com/tech-policy/2015/08/secret-service-agent-pleads-guilty-to-stealing-money-from-silk-road-dealers/

  4. Tomi Engdahl says:

    Keith Collins / Quartz:
    A victim of the recent IRS breach that has affected over 330K Americans offers clues to how the attackers stole $50M by filing fraudulent tax returns

    A rare detailed look inside the IRS’s massive data breach, via a security expert who was a victim
    http://qz.com/445233/inside-the-irss-massive-data-breach/

    The story of Kasper’s tax return would eventually turn out to involve a bank account in rural Pennsylvania, a go-between on Craigslist, and a Western Union wire transfer to Nigeria. He was almost certainly one of the more than 330,000 Americans who fell victim to an audacious hack of the Internal Revenue Service (IRS), which was disclosed earlier this year. And the hackers didn’t use sophisticated malware or social engineering tactics—the hallmarks of many recent data breaches. Instead, they walked in through the front door of the IRS website, pretending to be regular people filing their taxes, and walked out with millions of dollars in fraudulent refunds.

    The IRS has divulged few details about the data breach, but thanks to some amateur sleuthing by Kasper, who is a software engineer with a specialty in computer security, we’re able to fill in some of the blanks.

    The Monday after trying to file his tax return, Kasper called the IRS’s identity theft hotline. As he would later tell a Senate committee hearing (pdf) on the breach, the operator he spoke to agreed that this looked like a case of fraud. Someone had filed a tax return under his name, presumably in order to intercept his tax rebate. And whoever it was, their plan was working: The IRS was due to send out the rebate that very same day, and it was too late to stop it.

    Kasper asked for more details.

    But the operator wouldn’t tell him. To comply with a law protecting confidentiality, the IRS doesn’t divulge the details of a fraud to anyone—including the taxpayer affected by it—until it has conducted its own internal investigation.

    Fighting bureaucracy with bureaucracy

    Kasper felt this concern for privacy was protecting the criminals who had stolen his identity. Frustrated, he went to the “Get Transcript” service on the IRS website, which allows taxpayers to retrieve the details of their past tax returns. He figured it might lead him to the crook. But when Kasper attempted to use the service, he found that another email address was already registered to his Social Security number. He called the IRS again. Once more, though the people he spoke to seemed to agree that the address was fraudulent, they wouldn’t, for privacy reasons, tell him what the email address was.

    But Kasper found a way to bypass the IRS’s stringent privacy rules with a little bit of bureaucracy—and a check. For $50, he was able to request a paper copy of his 2014 tax return, sent to his home address, which the scammers had not tried to change. By mid-March he had the fraudulent document in his hands.

    This form, which had been filled out by strangers and submitted under Kasper’s name, looked very much like the return he himself had filed for the 2013 tax year. The crooks somehow knew Kasper’s Social Security number, his date of birth, and his real address. They knew his marital status. They even knew his salary. It was all right there on the photocopied form.

    The only major differences between the 2014 return and the one Kasper had filed a year earlier were an additional $6,000 added to his withholdings—and a bank account number he’d never seen before.

    Not until May 26 did the IRS announce a major data breach. Hackers had used the “Get Transcript” page to steal data—specifically, the contents of previously-filed tax returns—on thousands of taxpayers, and then used that information to file the new, falsified returns. At first, the IRS said more than 100,000 people’s records had been stolen. This month it revised the figure up to 334,000.

    Logging in to “Get Transcript” is a two-step process that requires a lot of personal data.

    How had the intruders obtained all that data for 334,000 people? Names, addresses, and Social Security numbers could very well have come from previous high-profile data breaches, such as those at the health insurers Anthem and Premera Blue Cross. Indeed, Kasper was one of millions of Anthem customers whose personal data had been compromised. Personal data and identities from such breaches are also frequently sold on the “dark web.”

    “Just knowing a person’s address, which you can get from one of these more traditional breaches, you can discover a lot about a person,” Fu said. “For instance, you can make a pretty good guess on who owns their mortgage when [the KBA tests] present you with four banks and only one of them happens to be in the city that person lives in.”

    A clue to the method the attackers used is that although they successfully stole 334,000 people’s tax information, they tried to steal it for another 281,000, according to the IRS, and got foiled at the final verification step.

    In any case, once the hackers had successfully obtained taxpayers’ personal data, they now had to use it to create new tax returns.

    Finally, they would have submitted the fake tax returns to the IRS, then waited. If a taxpayer had already filed a return when the fraudulent one was submitted, the fraudulent one would be rejected. If accepted, it would still have to pass a series of fraud-detection filters. When the IRS first announced the data breach in May, it said that 15,000 of the falsified documents got all the way through, leading to $50 million in refunds.

    But how did the criminals then collect the $50 million?
    the hackers would have had to open thousands of bank accounts

    The Nigerian connection

    Michael Kasper received his actual tax refund on May 12, along with a letter confirming that this was a case of identity theft. “But I don’t know if they ever tried to prosecute anyone,”

    The IRS did not comment on that, but did send Quartz a statement outlining the security benefits of IP PINs.

  5. Tomi Engdahl says:

    Wall Street Journal:
    Russia won’t check whether Google, Facebook, Twitter, and others have complied with local data storage law that goes into effect on Sept. 1 until 2016

    Russia Puts Off Data Showdown With Technology Firms
    Facebook, Google and Twitter get more time to comply with law requiring Russian data centers
    http://www.wsj.com/article_email/russia-puts-off-data-showdown-with-technology-firms-1441043618-lMyQjAxMTA1MjMyMTkzODE0Wj

    Russia is postponing a showdown with a handful of technology titans, including Facebook Inc., over installing data centers on Russian soil, handing an interim victory to companies that have resisted a divisive new rule.

    Ahead of a law that goes into effect Tuesday requiring companies to store and process data about Russian users within the country’s borders, Russian regulators have told companies such as Facebook, Google Inc. and Twitter Inc. that they don’t plan to check until at least January whether the companies are in compliance, executives and Russian officials said.

    The three companies have so far either told officials they won’t have new data centers on Russian soil in the immediate future or haven’t made clear whether they plan to comply, some of the executives said. Russian officials provided a reprieve when they said these companies weren’t on the list of those the Russian communications regulator Roskomnadzor was planning to check before 2016.

  6. Tomi Engdahl says:

    Six UK teens arrested for being “customers” of Lizard Squad’s DDoS service
    Amazon, Microsoft, and Sony were targets; service is almost ready to re-open for business
    http://arstechnica.com/security/2015/08/six-uk-teens-arrested-for-being-customers-of-lizard-squads-ddos-service/

    On August 28, the United Kingdom’s National Crime Agency announced the arrest of six teenagers, ranging in age from 15 to 18, for launching distributed denial of service attacks against multiple websites. The attacks were carried out using an attack tool created by Lizard Squad, the group behind denial of service attacks on gaming networks and the 8Chan imageboard site last winter. Called Lizard Stresser, the tool exploited compromised home routers, using them as a robot army against targeted sites and services.

    The six arrested “are suspected of maliciously deploying Lizard Stresser, having bought the tool using alternative payment services such as Bitcoin in a bid to remain anonymous,”

  7. Tomi Engdahl says:

    US mulls unprecedented Chinese sanctions in wake of hacks: report
    Asian power plays ramp up.
    http://www.theregister.co.uk/2015/09/01/us_mulls_unprecedented_chinese_sanctions_in_wake_of_hacks_report/

    The US is mulling “unprecedented” sanctions against China in response to hacking according to reports.

    Anonymous White House officials speaking to the Washington Post did not detail the specific economic sanctions which have already been drafted and are under consideration.

    Unnamed national security and treasury officials are backing the sanctions in response to network-centric spying.

    “Done in tandem with other diplomatic pressure, law enforcement, military, intelligence, then you can actually start to impose costs and indicate that there are costs to the bilateral relationship,” an official told the paper.

    The White House declined to comment.

  8. Tomi Engdahl says:

    Beyond Bitcoin: How Business Can Capitalize On Blockchains
    http://tech.slashdot.org/story/15/08/31/2230259/beyond-bitcoin-how-business-can-capitalize-on-blockchains

    Bitcoin’s widely trusted ledger offers intriguing possibilities for business use beyond cryptocurrency, writes InfoWorld’s Peter Wayner. “From the beginning, bitcoin has assumed a shadowy, almost outlaw mystique,”

    “the mathematical foundations of bitcoin create a solid record of legitimate ownership that may be more ironclad against fraud than many of the systems employed by businesses today”

    Beyond bitcoin: 7 ways to capitalize on blockchains
    http://www.infoworld.com/article/2976358/encryption/beyond-bitcoin-7-ways-to-capitalize-on-blockchains.html

    Bitcoin’s widely trusted ledger offers intriguing possibilities for business use beyond cryptocurrency

    From the beginning, bitcoin has assumed a shadowy, almost outlaw mystique. The technology’s origin and founder remain shrouded in mystery, even to this day. Add to that the Silk Road scandal, in which anonymous users traded bitcoins to buy drugs, landing its pioneer in prison for life, and it’s easy to see why many initially viewed bitcoin as a funding mechanism for the underworld. Even the mathematics of the technology are inscrutable enough to believe the worst.

    The irony is that the mathematical foundations of bitcoin create a solid record of legitimate ownership that may be more ironclad against fraud than many of the systems employed by businesses today. Plus, the open, collaborative way in which bitcoin processes transactions ensures the kind of network of trust that is essential to any business agreement.

    Bitcoin’s true value: The blockchain

    A currency’s viability depends in large part on its ability to guard against counterfeiting and to eliminate potential ownership disputes. Bitcoin tackles these problems by establishing a clear chain of ownership for each coin in circulation through a shared public ledger known as the blockchain. The blockchain — and the process by which it is updated and maintained — has been so successful that it is fast capturing the interest of researchers and entrepreneurs looking to create systems that nurture trust between competitors in realms beyond cryptocurrency.

    The blockchain’s function is simple: To log every bitcoin transaction ever conducted. When one person transfers ownership of a specific denomination of bitcoins to another person, that transaction is confirmed by the bitcoin network (via a process known as mining) as an entry in a block of transactions that is then added to the long chain that goes back to the beginning of the project. This chain of blocks is more powerful than a table of owners because it allows everyone in the network to follow any given coin’s trail of ownership all the way back to when it was first created.

    Another important wrinkle in the blockchain is that it employs public key encryption for identifying owners in the ledger, recording one half of the public key pair rather than names or Social Security numbers. Only the person who holds the corresponding private key can decide what happens next to their coin.

    This layer of cryptography offers a certain amount of privacy because no names are recorded. But the cryptography offers a greater value in that it ensures transactions are endorsed only by the person who controls the private half of the key pair. Enterprises thrive on trust and assurance, and the cryptography built into the blockchain offers a great foundation for fostering trust among vested parties.

    Pushing the blockchain beyond cryptocurrency

    The digital signatures that certify each transaction and the collaborative process by which the blockchain is created offer an enticing amount of certainty and assurance for those interested in using the blockchain for tasks beyond banking and currency.

    While bitcoin’s blockchain is generally filled with bitcoin transactions, many companies are exploring ways of using the blockchain to track other swaps, trades, or exchanges.

    More than 100 companies are exploring ways to extend the blockchain. Some want to build a trading platform; others want to create a more reliable secure identification card; some want to build “self-executing contracts”; some want to handle bitcoin accounting so that businesses can adopt the currency with a minimum of fuss. The applications are exploding.

    Contracts
    Digital collectables
    Voting
    Bills of lading
    Ironclad predictions
    Microtransactions
    Reward points

    Reply
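The ownership rule described in the comment above (owners recorded as the public half of a key pair, a transfer endorsed only by the holder of the private half, and a chain of hashed blocks that lets anyone follow a coin's trail) as an added example; this is not code from the post or from any bitcoin implementation. It is a toy Go ledger with made-up names (Transfer, Ledger, NewTransfer, Trail, Append, Verify) that uses Ed25519 for the key pairs and SHA-256 for the block links. Mining and the peer network are left out: the example assumes a single writer and shows only the signature and chaining checks.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Transfer hands coin CoinID from the holder of key From to the holder of key To.
// Owners are only public keys, never names; From is nil for the issuing transfer.
type Transfer struct {
	CoinID string
	From   ed25519.PublicKey
	To     ed25519.PublicKey
	Sig    []byte // Ed25519 signature by From's private key over transferBody(t)
}

// Block links one transfer to the hash of the block before it.
type Block struct {
	PrevHash []byte
	Tx       Transfer
	Hash     []byte
}

// Ledger is the append-only chain (toy: single writer, no mining, no network).
type Ledger struct{ Blocks []Block }

func transferBody(t Transfer) []byte {
	return []byte(t.CoinID + "|" + hex.EncodeToString(t.From) + "|" + hex.EncodeToString(t.To))
}

func blockHash(prev []byte, t Transfer) []byte {
	sum := sha256.Sum256(append(append(append([]byte{}, prev...), transferBody(t)...), t.Sig...))
	return sum[:]
}

// NewTransfer builds a transfer signed by the sender; fromPriv == nil issues a new coin.
func NewTransfer(coin string, fromPriv ed25519.PrivateKey, to ed25519.PublicKey) Transfer {
	t := Transfer{CoinID: coin, To: to}
	if fromPriv != nil {
		t.From = fromPriv.Public().(ed25519.PublicKey)
		t.Sig = ed25519.Sign(fromPriv, transferBody(t))
	}
	return t
}

// Trail lists every owner a coin has had, oldest first: the "trail of ownership".
func (l *Ledger) Trail(coin string) []ed25519.PublicKey {
	var owners []ed25519.PublicKey
	for _, b := range l.Blocks {
		if b.Tx.CoinID == coin {
			owners = append(owners, b.Tx.To)
		}
	}
	return owners
}

// Append accepts a transfer only if the coin's current owner signed it.
func (l *Ledger) Append(t Transfer) error {
	trail := l.Trail(t.CoinID)
	switch {
	case len(trail) == 0 && t.From != nil:
		return errors.New("unknown coin: only an issuance (From == nil) may create it")
	case len(trail) > 0 && !bytes.Equal(trail[len(trail)-1], t.From):
		return errors.New("sender is not the coin's current owner")
	case len(trail) > 0 && !ed25519.Verify(t.From, transferBody(t), t.Sig):
		return errors.New("signature does not verify under the owner's key")
	}
	var prev []byte
	if n := len(l.Blocks); n > 0 {
		prev = l.Blocks[n-1].Hash
	}
	l.Blocks = append(l.Blocks, Block{PrevHash: prev, Tx: t, Hash: blockHash(prev, t)})
	return nil
}

// Verify replays the chain from the start, so an edited block, a broken link, or
// a transfer the owner never signed is reported together with its position.
func (l *Ledger) Verify() error {
	replay := &Ledger{}
	for i, b := range l.Blocks {
		if err := replay.Append(b.Tx); err != nil {
			return fmt.Errorf("block %d: %w", i, err)
		}
		if r := replay.Blocks[i]; !bytes.Equal(r.PrevHash, b.PrevHash) || !bytes.Equal(r.Hash, b.Hash) {
			return fmt.Errorf("block %d: hash chain mismatch", i)
		}
	}
	return nil
}

func main() {
	alicePub, alicePriv, _ := ed25519.GenerateKey(nil) // nil reader means crypto/rand
	bobPub, _, _ := ed25519.GenerateKey(nil)
	l := &Ledger{}
	fmt.Println(l.Append(NewTransfer("coin-1", nil, alicePub)), l.Append(NewTransfer("coin-1", alicePriv, bobPub)))
	fmt.Println("owners:", len(l.Trail("coin-1")), "chain valid:", l.Verify() == nil)
}
```

The point to notice is in Append: a transfer signed with the wrong private key, or claiming a sender who is not the latest entry in the coin's trail, is refused before it ever reaches the chain, and Verify catches any later edit to an accepted block because the replayed hashes no longer match.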
  9. Tomi Engdahl says:

    TWEET of DOOM: tiny exploit back pillaging keychains
    Stone age anti-virus mitigated
    http://www.theregister.co.uk/2015/09/01/tweet_of_doom_tiny_exploit_back_pillaging_keychains/

    Mac malware using an exploit so small it fits in a tweet has been upgraded to avoid anti-virus checks.

    The malware uses the patched OS X DYLD_PRINT_TO_FILE vulnerability that grants attackers root privilege escalation through trivial code.

    The updated version will throw a fleeting installer request to access the OS X keychain and simulate a click on “allow” before the user can prevent the installation.

    MalwareBytes researcher Thomas Reed said that this grants access to the Safari Extensions List, but could grant attackers access to iCloud accounts and other keychain data.

    “More concerning, though, is the question of what’s to stop this adware from accessing other confidential keychain information like passwords?” Reed added.

    “With a few minor changes, the adware could get access to other things from the keychain, like the user’s iCloud password.

    “The user may be made suspicious by the window flashing up then disappearing, but may not know what the full implications of that are or what to do about it.”

    Reply
  10. Tomi Engdahl says:

    Better crypto, white-box switch support in Linux 4.2
    Penguinistas pulling a long, cold draught of code
    http://www.theregister.co.uk/2015/08/31/better_crypto_whitebox_switch_support_in_linux_42/

    The new kernel only needed a handful of fixes in the past week, according to Linus Torvalds’ release note.

    Now that it’s general availability, the kernel does bring some goodies worth having. The Crypto Forum Research Group’s ChaCha20 stream cipher and the Poly1305 authenticator (a reference implementation is described in RFC 7539) are supported, and there’s a new RSA implementation.

    To improve random number seeding, Linux 4.2 uses CPU execution jitter to help seed its random number generator, a feature called “jitter entropy RNG” on the basis that sushi should be called “cold dead fish”.

    The default crypto random number generator API is now DRBG.

    Reply
  11. Tomi Engdahl says:

    NCA targeted by Lizard Squad in apparent DDoS revenge attack
    There’s no skill in this, agency sneers
    http://www.theregister.co.uk/2015/09/01/nca_targeted_by_lizard_squad/

    The National Crime Agency’s website has been hit by a DDoS attack, in an apparent act of revenge for the body’s recent crackdown on users of Lizard Squad.

    The site was taken down this morning and remained offline at the time of publication.

    Last week the NCA arrested six people on suspicion of maliciously deploying Lizard Stresser, which allows users to pay to take websites offline for up to eight hours.

    An NCA spokesman said:

    The NCA website is an attractive target. Attacks on it are a fact of life. DDoS is a blunt form of attack which takes volume and not skill.

    It isn’t a security breach, and it doesn’t affect our operational capability.

    Reply
  12. Tomi Engdahl says:

    How Online Advertising Works
    … and how to control it!
    http://leonov.org/post/122144798210/how-online-advertising-works?utm_source=Outbrain&utm_medium=CPC&utm_campaign=blog

    Online advertising is broken. Advertisers think they know us by tracking where we live, what websites we visit, what products we buy, etc.

    Data collectors and advertising companies collect and sell information regarding your health, credit worthiness, search history, location, DMV reports. They build rich consumer profiles on every person online and offline. All of this data is used to sell you stuff in what is called “real-time bidding”. Here’s how this process works

    All of this loss of privacy, and advertisers still get us wrong – when was the last time you saw an ad for something you actually wanted? This “surveillance advertising” not only doesn’t work, but actually makes people hate online ads!

    Reply
  13. Tomi Engdahl says:

    Safely Riding the Internet Highway
    http://www.edn.com/design/analog/4440126/Safely-Riding-the-Internet-Highway-?_mc=NL_EDN_EDT_EDN_today_20150831&cid=NL_EDN_EDT_EDN_today_20150831&elq=61407c1e3071445f91deeffef5596b9e&elqCampaignId=24570&elqaid=27810&elqat=1&elqTrackId=7e488d0d1b314dadb8f33c019e2d7fe1

    Learning how to drive the internet highway on the path to the Smart Home means rules, regulations and laws.

    Compared to most of the world’s infrastructure, it is amazing how primitive and lawless the internet really is. Yes, the web is technically sophisticated but when trying to understand how it should be used and how it can benefit our lives, it is still a wild and unruly path, needing a great deal of growth and maturing.

    Compared to our highway system and the learned knowledge of how we should travel on it, on the internet highway we are, relatively speaking, still in the horse and buggy days.

    To be efficient, useful and safe, societies worldwide have developed customs, rules and regulations to ensure that we don’t get run over and injured as we travel from one location to another.

    The real acceleration of car technologies occurred about 125 years ago. This development changed the way we live our lives today. Not only did it create a complex and worldwide automotive manufacturing industry, but it also gave birth to a cornucopia of associated industries and infrastructures. For example:

    1. Infrastructure. To service the world of the car, today we have major transcontinental highways, bridges that cross major rivers and seas, tunnels that go under water and through mountains, etc.
    2. Suppliers. Of course, we cannot forget the petrochemical industry. Without the need for fuel to power our vehicles, the oil industry as we know it today would not exist.
    3. Legislation. Although somewhat different from country to country
    4. Enforcement. With all the rules put in place there is also a mechanism for compliance and rule enforcing, embedded in the larger legal structure of a country.
    5. Training. Although also different from country to country, it is common that someone needs to go through driving lessons and an exam to obtain a license for driving before being legally allowed to drive.
    6. Insurance. With the increase in the speed of the cars, in most countries it is now required to have liability insurance to drive a car.
    7. A “standardized” Operator interface.

    The concept of ‘driving’ is a complete fabric that has evolved from the basic concept of a car.

    Now let us compare this highway and driving evolution to the experience of traveling on the internet highway.

    Although the internet has come a long way, it is clear that the fabric of the internet highway is still very immature, and everyone who is getting on the internet is doing so very much at his or her own risk.

    While the infrastructure is rapidly building, reaching into all the small corners of the world, the responsibility of getting on the internet is still very much with the individual users, without clear rules or legislation around basic principles of security and privacy. People buy a software package for security against computer viruses, more or less as a sort of insurance premium – without any assurance that this will fully protect them. Many people use a smart phone to access the web – with very little protection against a rapidly growing assortment of attack vectors.

    Because of the open character of the internet the lack of security goes even a step further. Governments that are supposed to set the traffic rules on the internet are often the biggest culprits in exploiting the lack of rules to their own advantages.

    In the “real” world, “the people” have come a long way protecting themselves against an overzealous government while in the virtual world of the internet, governments and parliaments are still learning to understand the concept of the internet, and whether existing legislation around security and privacy is adequate.

    A second area of total confusion is around the privacy and ownership of personal data. Large companies develop appealing applications that people can use for free (Google, Facebook, Twitter, etc.), but by downloading, installing and using them, people explicitly give their privacy away. Have you ever read the small print (the EULA – End User License Agreement) that comes with an application before you download it onto your phone? Most applications – especially useful free apps – collect a great deal about the user’s life – where they are and when, who they contact, what sites they research and visit – in order to package this data and resell it to advertisers.

    Most “free” online games only survive by hooking their players into buying shortcuts and add-ons. Others can be victimized by phishing emails, exploiting people’s greed, curiosity and simple lack of knowledge about internet scams.

    The internet can be a dangerous and costly place, where people unknowingly expose themselves in the virtual world in a way that bad guys can come after them in the physical world, opening themselves up for extortion or eventually leading to suicide.

    With the emerging Internet of Things the amount of devices on the internet will increase exponentially with dozens, if not hundreds of devices in every home feeding valuable personal data onto the web. With data analytics software becoming more powerful and ubiquitous, both the usefulness as well as the capability for abuse will increase as well: the stakes are just getting higher, at both sides.

    There is not a simple solution. The internet is a great place to be, but at the same time it is full of dangers. The internet is the world’s greatest information tool, but we need to learn how to use it carefully so that we do not end up injuring ourselves, our families and cultures.

    As a society, we have to invest in understanding these dangers and learning how to address them. This will not come for free, just like our cars and roads did not come for free. We will have to build a fabric around the internet that includes legislation, enforcement and training. Technology is complex, and there still is a lot of ongoing development around the internet

    There is reason for optimism. Today, driving may still be a dangerous thing, but it is now safer than it was ever before. Development of common sense rules, standards and infrastructure took a while – and so it will be with driving on the internet freeway. That is – if we put the right efforts and resources into it!

    Reply
  14. Tomi Engdahl says:

    It’s not the hacking but the data theft – this is how online criminals smuggle their loot out

    Companies generally concentrate all their efforts on keeping criminals out of their systems, but the real damage happens only when information gets out of the systems. According to Intel’s data security laboratory, the criminals’ means of sending information out are becoming increasingly sophisticated.

    One way of getting the information out is to camouflage it. The data may be packed into a smaller size, or it can be modified to resemble other traffic. Data can also be carved up and sent in different directions, after which the attacker collects the pieces back together, Intel’s data security technical lead Steve Grobman explained in the report.

    Companies should be prepared for new technological threats, and they should also think about what kind of data the attackers are interested in.

    In addition to traditional items such as credit card information or important intellectual property, hackers look for data that is embarrassing to the company, the kind that can be found, for example, in e-mail accounts.

    Source: http://www.tivi.fi/Kaikki_uutiset/ei-se-tietomurto-vaan-tietovarkaus-nain-verkkorikolliset-salakuljettavat-saaliinsa-ulos-3481864

    Reply
  15. Tomi Engdahl says:

    An easy option can be a security risk – not everything should be thrown into the nearby recycling container

    Many people with old mobile phones and computers taking up cupboard space wonder where they can be returned so that the information they contain does not end up in the wrong hands.

    “The memory does not disappear by itself, and the responsibility for this issue always lies with the last consumer. Therefore it is more important than ever that old or broken devices containing memory are taken only to official recycling stations, especially if you are unable to make sure that the device is actually empty,” reminds Elker’s President & CEO Sakari Hietala.

    Old equipment should be delivered to the nearest official WEEE recycling point.

    “A thrown-away data device is a security risk and can result in, for example, identity theft, misuse of personal images, and the devices being transported on the grey market to third countries.”

    Source: http://www.tekniikkatalous.fi/tekniikka/2015-07-06/Helppo-vaihtoehto-voi-olla-tietoturvariski-%E2%80%93-L%C3%A4heiseen-kierr%C3%A4tyskonttiin-ei-pid%C3%A4-heitt%C3%A4%C3%A4-kaikkea-3325289.html

    Reply
  16. Tomi Engdahl says:

    Mashed together malware threatens Japanese online banking users
    Making good use of the things that they find …
    http://www.theregister.co.uk/2015/09/01/shifu_banking_trojan_bits_japan/

    Customers of Japanese banks are on the front line of attacks based on a new and sophisticated banking trojan, mashed together from leaked bits of malware code.

    Shifu (named after the Japanese word for thief) is targeting 14 Japanese banks as well as electronic banking platforms used across Europe, according to security researchers from IBM Trusteer.

    Taking ideas from the creation of Frankenstein’s monster, Shifu is made up of powerful pieces of code from leaked (discarded and arguably dead) malware variants.

    Some of Shifu’s features and modules were borrowed from other banking Trojans’ leaked source codes, including Shiz, Gozi, Zeus and Dridex.

    “Shifu’s internal makeup was composed by savvy developers who are quite familiar with other banking malware, dressing Shifu with select features from the more nefarious of the bunch,”

    Once installed, Shifu keylogs passwords, grabs credentials that users key into HTTP form data, steals private certificates and scrapes external authentication tokens used by some banking applications.

    It uses webinjections to fool users of infected machines. Shifu scans, parses and exfiltrates data from smartcards once a reader is connected to an infected endpoint. The trojan also lifts any cryptocurrency wallets found on infected devices.

    Shifu comes pre-configured to lift payment card data from compromised retail networks. The malware scans infected endpoints for strings that may indicate it has landed on a point of sale (POS) terminal. Once planted on a cash machine, Shifu deploys a RAM scraping plugin to collect payment card data.

    In addition, Shifu comes with security tools designed to prevent other malware from installing on a newly infected machine. The malware wants exclusive control of compromised systems.

    Reply
  17. Tomi Engdahl says:

    SSD Advisory – AppLock Multiple Vulnerabilities
    https://blogs.securiteam.com/index.php/archives/2558

    AppLock is the most downloaded app lock in the Play Store:

    #1 App lock in over 50 countries.
    Over 100 Million users, supporting 24 languages.
    AppLock can lock SMS, Contacts, Gmail, Facebook, Gallery, Market, Settings, Calls and any app you choose, with abundant options, protecting your privacy.
    AppLock can hide pictures and videos, AppLock empowers you to control photo and video access. Selected pictures vanish from your photo gallery, and stay locked behind an easy-to-use PIN pad. With AppLock, only you can see your hidden pictures. Privacy made easy!

    Vulnerability Details
    The following report describes three (3) different vulnerabilities found in AppLock, an Android application with over 10 million downloads, used to secure pictures, videos and applications with a PIN code.

    The first vulnerability will show how the pictures and videos are not encrypted but just hidden from the users.

    The second vulnerability shows how a user with root permission on the device can easily remove the PIN code from applications or add it to others.

    The last, and most critical, vulnerability is a PIN bypass. It is possible, without root permissions and with all applications, settings, etc. blocked from the app, to reset the PIN code to one of our choice, and then take full control of the application.

    The user is tricked into thinking that the Vault performs some sort of encryption using his PIN code, when instead all the files are just hidden in the filesystem.

    Reply
  18. Tomi Engdahl says:

    Suzan Fraser / Associated Press:
    Turkey claims arrest of Vice journalists was due to encryption software on assistant’s computer, which reporters and assistant deny

    Lawyer: Turkey arrested journalists to deter foreign media
    http://bigstory.ap.org/article/2865216da3124d57b29fad5f7db86ac5/lawyer-turkey-arrested-journalist-deter-foreign-media

    ANKARA, Turkey (AP) — A lawyer representing two Vice News journalists and their assistant on Tuesday denounced a Turkish court’s decision to arrest them on terror-related charges, calling it a government attempt to deter foreign media from reporting on the conflict with Kurdish rebels.

    The arrests have prompted strong protests from media rights advocates, the U.S. and the European Union.

    A government official speaking on the basis of anonymity denied that Turkey was attempting to suppress journalists, and said the arrests were due to encryption software allegedly found on the assistant’s computer.

    Reply
  19. Tomi Engdahl says:

    Emil Protalinski / VentureBeat:
    Google, Microsoft, and Mozilla will drop RC4 encryption in Chrome, Edge, IE, and Firefox next year — Google, Microsoft, and Mozilla all made the same announcement today: They will drop support for the RC4 cipher in their respective browsers. Chrome, Edge, Internet Explorer

    Google, Microsoft, and Mozilla will drop RC4 encryption in Chrome, Edge, IE, and Firefox next year
    http://venturebeat.com/2015/09/01/google-microsoft-and-mozilla-will-drop-rc4-support-in-chrome-edge-ie-and-firefox-next-year/

    Google, Microsoft, and Mozilla all made the same announcement today: They will drop support for the RC4 cipher in their respective browsers. Chrome, Edge, Internet Explorer, and Firefox will all stop using the outdated security technology next year.

    RC4 is a stream cipher designed in 1987 that has been widely supported across browsers and online services for the purposes of encryption. Multiple vulnerabilities have been discovered in RC4 over the years, making it possible to crack within days or even hours.

    In February, new attacks prompted the Internet Engineering Task Force (IETF) to prohibit the use of RC4 with TLS. Browser makers have made adjustments to ensure they only use RC4 when absolutely necessary, but now they want to take it a step further.

    Reply
  20. Tomi Engdahl says:

    Erin Griffith / Fortune:
    Google Here project enabling third parties to send proximity based Maps alerts via beacons was killed due to privacy concerns, doubts about demand

    Google shut down a secret Google Maps project called ‘Google Here’
    http://fortune.com/2015/08/31/google-here-google-maps/

    It would have used beacons and Google Maps to reach smartphone users based on their location.

    Google was set to launch a new product that added context to one of its most successful apps, Google Maps. But earlier this year, it was shut down by Alphabet CEO Larry Page, according to people familiar with the project.

    But people familiar with the project say it was shut down for two reasons: Google Here was potentially too invasive, and the company wasn’t sure if many retailers would want it. (Not helping matters, Nokia has used the name “Here” for its own mapping service.) A Google spokesman declined to comment.

    Google Here worked by sending a notification to a smartphone user’s lock screen within five seconds of their entering a partner’s location. If the user clicked on the notification, a full screen HTML5 “app” experience would launch. Google Here would know when to send the notification via Google Maps and beacons placed in the stores of participating partners. Google planned to supply the beacons to partners for the launch, according to the document. The experience could also be found by going to the Google Maps app.

    The idea was to allow businesses to communicate with people based on their location, even if those people had not downloaded a specific app for that location. Some developers have called this “app-less distribution.”

    Developers want app-less distribution because it’s becoming increasingly difficult to reach people on their mobile phones. Smartphone users spend 90% of their mobile time using apps, but they’re not downloading new apps.

    Google already monetizes its Maps app with sponsored results that show up in searches.

    The problem is, despite prolonged hype around beacons and in-store advertising, only the largest, most tech-savvy retailers have poured resources into making mobile advertising, mobile commerce, and beacons work.

    Even though Google Here did not ship, Google has not given up on location-based advertising. The company recently launched Eddystone, a developer project for Bluetooth low energy beacons that competes with Apple’s iBeacon. The company will find a way into location-based advertising because it’s the best way to “close the loop” between online ads and offline purchases.

    Reply
  21. Tomi Engdahl says:

    SOHOpeless: Belkin router redirection zero-day
    DNS response fondling confounds security
    http://www.theregister.co.uk/2015/09/02/sohopeless_belkin_router_redirection_zero_day/

    Security bod Joel Land has reported zero-day holes in a popular model of Belkin router allowing attackers to yank cleartext credentials, spoof DNS responses, and pop admin interfaces.

    The Belkin N600 DB Wireless Dual Band N+ box released in 2012 and selling for around AUD$150 contains five vulnerabilities from slack randomness (CVE-2015-5987) to cleartext violations and cross-site request forgery (CVE-2015-5990).

    Reply
  22. Tomi Engdahl says:

    Vulnerability Note VU#201168
    Belkin N600 DB Wireless Dual Band N+ router contains multiple vulnerabilities
    http://www.kb.cert.org/vuls/id/201168

    Reply
  23. Tomi Engdahl says:

    Inquiry launched after HIV clinic reveals hundreds of patients’ identities
    http://www.theguardian.com/technology/2015/sep/02/london-clinic-accidentally-reveals-hiv-status-of-780-patients

    The 56 Dean Street clinic in London apologises after sending newsletter disclosing names and email addresses of 780 people, many living with HIV

    The health secretary, Jeremy Hunt, has ordered an inquiry into how the NHS handles confidential medical information after the “completely unacceptable” breach of the privacy of hundreds of HIV patients.

    The 56 Dean Street clinic in London apologised on Wednesday after sending a newsletter on Tuesday which disclosed the names and email addresses of about 780 recipients. The newsletter is intended for people using its HIV and other sexual health services, and gives details of treatments and support.

    The clinic, which is run by the Chelsea and Westminster NHS trust, apologised shortly after sending the email and on Wednesday pledged to investigate how the breach had occurred.

    Britain’s data protection watchdog is also likely to launch an investigation into the privacy breach, thought to be one of the biggest of its kind.

    Reply
  24. Tomi Engdahl says:

    Despite Reports of Hacking, Baby Monitors Remain Woefully Insecure
    http://it.slashdot.org/story/15/09/02/229208/despite-reports-of-hacking-baby-monitors-remain-woefully-insecure

    Researchers from security firm Rapid7 have found serious vulnerabilities in nine video baby monitors from various manufacturers. Among them: Hidden and hard-coded credentials providing local and remote access over services like SSH or Telnet; unencrypted video streams sent to the user’s mobile phone; unencrypted Web and mobile application functions and unprotected API keys and credentials; and other vulnerabilities that could allow attackers to abuse the devices.

    Despite reports of hacking, baby monitors remain woefully insecure
    http://www.itworld.com/article/2979713/despite-reports-of-hacking-baby-monitors-remain-woefully-insecure.html

    Researchers from Rapid7 found serious vulnerabilities in nine video baby monitor devices

    Disturbing reports in recent years of hackers hijacking baby monitors and screaming at children have creeped out parents, but these incidents apparently haven’t spooked makers of these devices.

    A security analysis of nine baby monitors from different manufacturers revealed serious vulnerabilities and design flaws that could allow hackers to hijack their video feeds or take full control of the devices.

    Reply
  25. Tomi Engdahl says:

    At LAST: RC4 gets the stake through the heart
    Google, Mozilla and Microsoft say ‘enough is enough’
    http://www.theregister.co.uk/2015/09/03/at_last_rc4_gets_the_stake_through_the_heart/

    One of the security set’s most intractable problems is the stubborn endurance of old standards – the kind of thing that left SSLv3 hanging around so that people didn’t have to weed out “fallback” code, for example.

    Well, at least one of security’s code zombies, the insecure and inadequate RC4 crypto algorithm, has been formally abandoned by Google, Mozilla, and Microsoft in coordinated announcements.

    The three outfits have agreed to unplug RC4’s life-support early in 2016.

    Their decision comes a couple of months after yet-another RC4 attack was able to recover RC4-encrypted cookies within 52 hours.

    Mozilla says the only variable between Firefox, Chrome and Internet Explorer will be their release cycles.

    “Disabling RC4 will mean that Firefox will no longer connect to servers that require RC4. The data we have indicate that while there are still a small number of such servers, Firefox users encounter them at very low rates,” the Mozilla note says.

    Reply
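Why RC4 is being dropped, as referenced in this comment and in comment 19 above: an added example that is neither from the articles nor from any browser's code. It uses Go's standard-library crypto/rc4 to measure the long-published bias in RC4's second keystream byte, then shows what that bias means for a fixed value such as a session cookie that gets encrypted under many different keys, which is the setting behind the cookie-recovery result the article cites. The function names and the seeded math/rand key generator are constructed for the demonstration only.

```go
package main

import (
	"crypto/rc4"
	"fmt"
	"math/rand"
)

// randomKey draws a key from a seeded math/rand so every run is repeatable.
// Constructed for this measurement only: real keys must never come from math/rand.
func randomKey(rng *rand.Rand, n int) []byte {
	key := make([]byte, n)
	for i := range key {
		key[i] = byte(rng.Intn(256))
	}
	return key
}

// keystream returns the first n RC4 output bytes for key (by encrypting zeros).
func keystream(key []byte, n int) []byte {
	c, err := rc4.NewCipher(key)
	if err != nil {
		panic(err) // only for key lengths outside 1..256, which randomKey never produces
	}
	out := make([]byte, n)
	c.XORKeyStream(out, out)
	return out
}

// secondByteZeroRate measures how often RC4's second keystream byte is zero over
// trials fresh keys. A sound stream cipher would give about 1/256 (0.0039);
// RC4 gives about 2/256 (0.0078), the bias published by Mantin and Shamir in 2001.
func secondByteZeroRate(trials int, seed int64) float64 {
	rng := rand.New(rand.NewSource(seed))
	zeros := 0
	for i := 0; i < trials; i++ {
		if keystream(randomKey(rng, 16), 2)[1] == 0 {
			zeros++
		}
	}
	return float64(zeros) / float64(trials)
}

// recoverSecondByte models the "broadcast" setting: one fixed plaintext (think of
// a session cookie) encrypted under many different keys. Because the second
// keystream byte is zero twice as often as any other value, the ciphertext's
// second byte equals the plaintext byte more often than any other value, so a
// plain majority vote over the ciphertexts reveals it without any key.
func recoverSecondByte(secret byte, trials int, seed int64) byte {
	rng := rand.New(rand.NewSource(seed))
	plaintext := []byte{'S', secret}
	var counts [256]int
	for i := 0; i < trials; i++ {
		c, err := rc4.NewCipher(randomKey(rng, 16))
		if err != nil {
			panic(err)
		}
		ct := make([]byte, len(plaintext))
		c.XORKeyStream(ct, plaintext)
		counts[ct[1]]++
	}
	best := 0
	for v := 1; v < 256; v++ {
		if counts[v] > counts[best] {
			best = v
		}
	}
	return byte(best)
}

func main() {
	fmt.Printf("Pr[second keystream byte = 0] = %.4f (ideal %.4f)\n", secondByteZeroRate(50000, 1), 1.0/256)
	fmt.Printf("majority vote over 100000 ciphertexts recovers 0x%02x\n", recoverSecondByte(0x42, 100000, 2))
}
```

The measured rate lands near 2/256 rather than 1/256, and with enough ciphertexts of the same plaintext the most frequent second ciphertext byte is the plaintext byte itself. Published attacks exploit many more biases across the whole keystream, which is how cookie recovery works at the scale the article describes; the defensive takeaway is the one the browser makers drew, which is to remove RC4 from the negotiable cipher suites rather than keep it as a fallback.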
  26. Tomi Engdahl says:

    Hacking Medical Mannequins
    http://science.slashdot.org/story/15/09/02/1636236/hacking-medical-mannequins

    A team of researchers at the University of South Alabama is investigating potential breaches of medical devices used in training, taking the mannequin iStan as its prime target in its scenario-based research.

    Hacking medical mannequins
    https://thestack.com/security/2015/09/02/hacking-medical-mannequins/

    The computer scientists investigated the ease of compromising a training mannequin system, tampering with communication vulnerabilities identified between the device and its controlling computer.

    The mannequin model used, named iStan, is one of the most advanced wireless patient simulator devices and is in use at the College of Nursing at the university. The device can bleed, secrete bodily fluids, has a blood pressure and heart rate, and breathes realistically. The simulator links with iStan software which controls the mannequin remotely by directing commands and inputs which represent real-life situations.

    Identifying the network security solution and network protocol as the vulnerable components, the team was able to carry out brute force attacks against the router PIN, and denial of service (DDoS) attacks, using open source tools such as BackTrack.

    The paper reads: ‘If medical training environments are breached, the long term ripple effect on the medical profession, potentially, impacts thousands of lives due to incorrect analysis of life threatening critical data by medical personnel.’

    Reply
  27. Tomi Engdahl says:

    Netflix Open Sources Sleepy Puppy XSS Hunter
    http://developers.slashdot.org/story/15/09/02/1959204/netflix-open-sources-sleepy-puppy-xss-hunter

    Netflix has released a tool it calls Sleepy Puppy. The tool injects cross-site scripting payloads into a target app that may not be vulnerable, but could be stored in a database and tracks the payload if it’s reflected to a secondary application that makes use of the data in the same field. “We were looking for a way to provide coverage on applications that come from different origins or may not be publicly accessible,”

    Netflix Sleepy Puppy Awakens XSS Vulnerabilities in Secondary Applications
    https://threatpost.com/netflix-sleepy-puppy-awakens-xss-vulnerabilities-in-secondary-applications/114517

    Announcing Sleepy Puppy – Cross-Site Scripting Payload Management for Web Application Security Testing
    http://techblog.netflix.com/2015/08/announcing-sleepy-puppy-cross-site.html

    http://netflix.github.io/#repo

    Reply
  28. Tomi Engdahl says:

    Check Point Introduces New CPU-Level Threat Prevention
    http://it.slashdot.org/story/15/09/02/220256/check-point-introduces-new-cpu-level-threat-prevention

    After buying Israeli startup company Hyperwise earlier this year, Check Point Software Technologies (Nasdaq: CHKP) now unveils its newest solution for defeating malware. Their new offering called SandBlast includes CPU-Level Threat Emulation that was developed in Hyperwise which is able to defeat exploits faster and more accurately than any other solution by leveraging the CPU debugging instruction set in Intel Haswell,

    SandBlast also features Threat Extraction — the ability to extract susceptible parts from incoming documents.

    SandBlast Zero-Day Protection
    http://www.checkpoint.com/products-solutions/zero-day-protection/index.html

    Reply
  29. Tomi Engdahl says:

    Websites aimed at kids are slurping too much info, finds report
    Large number are also sharing that data willy-nilly with third parties
    http://www.theregister.co.uk/2015/09/03/childrens_sites_data_slurping/

    A large proportion of websites aimed at children are slurping a concerning amount of personal info, research from cross-border privacy authorities has revealed.

    The Global Privacy Enforcement Network Privacy Sweep, comprising 29 data protection regulators around the world, looked at 1,494 websites and apps for children.

    Of those, it found that 67 per cent of sites and apps collected children’s personal information. Half of the total number shared personal information with third parties.

    As many as 22 per cent provided an opportunity for children to give their phone number and 23 per cent allowed them to provide photos or video.

    The potential sensitivity of this data is clearly a concern, it said in a statement.

    Reply
  30. Tomi Engdahl says:

    Wikipedia’s biggest scandal: Industrial-scale blackmail
    But can the stables be cleaned? And does anyone actually want to clean them?
    http://www.theregister.co.uk/2015/09/03/wikipedia_industrial_scale_smears_and_blackmail/

    No media mogul in history has ever matched the power of Wikipedia, which is capable of damaging reputations on an industrial scale. But with no checks in place to identify contributors, it was only a matter of time before fraudsters and blackmailers took advantage of Wikipedia to use it systematically, for profit.

    The Independent newspaper reported that this is exactly what has happened: hundreds of individuals and businesses were scammed by editors, who fraudulently claimed to improve reputations and even blackmailed subjects who didn’t pay up.

    There are serious questions to be asked, not only of Wikipedia’s community structures – which encourage and protect anonymous editing – but also of the Wikimedia Foundation (WMF) itself. The charity has amassed assets of over $70m and a ready cash pile of millions of dollars, thanks to aggressive fundraising which suggests donors must pay to keep the site online (in reality, only around $3m is required to run the site every year). Yet the Foundation has little power to compel anyone to do anything: the community makes its own mind up. Neither seems able to bear much self-examination.

    Wikipedia rocked by ‘rogue editors’ blackmail scam targeting small businesses and celebrities
    http://www.independent.co.uk/news/uk/crime/wikipedia-rocked-by-rogue-editors-blackmail-scam-targeting-small-businesses-and-celebrities-10481993.html

    Hundreds of small British businesses and minor celebrities have been targeted by a sophisticated blackmail scam orchestrated by “rogue editors” at Wikipedia, The Independent can reveal.

    The victims, who range from a wedding photographer in Dorset to a high-end jewellery shop in Shoreditch, east London, faced demands for hundreds of pounds to “protect” or update Wikipedia pages about their businesses. A former Britain’s Got Talent contestant was among dozens of individuals targeted.

    Wikipedia has taken action against what it described as the “co-ordinated group” of fraudsters by blocking 381 accounts. An investigation had found that the accounts were controlled by Wikipedia users offering to change articles about companies and private individuals in exchange for payment.

    In some cases, the requests for money amounted to blackmail, Wikipedia told The Independent.

    Reply
  31. Tomi Engdahl says:

    SSL/TLS RC4 CVE-2015-2808 Information Disclosure Weakness
    http://www.securityfocus.com/bid/73684

    Reply
  32. Tomi Engdahl says:

    HMRC breaches job applicants’ privacy in mass email spaff
    http://www.theregister.co.uk/2015/09/03/hmrc_spaffs_applicants_email_addresses_due_to_glitch/

    HMRC is spewing job applicants’ email addresses to potential rivals in mass circular responses it has blamed on “a technical glitch”.

    HMRC is not the only body to apparently suffer from a “technical glitch” which resulted in data protection issues.

    Yesterday, WHSmith’s magazine subscription service began emailing everyone on the mailing list. The company blamed the issue on a “systems processing bug”.

    Reply
  33. Tomi Engdahl says:

    IoT baby monitors STILL revealing live streams of sleeping kids
    The hacker that rocks the cradle
    http://www.theregister.co.uk/2015/09/03/baby_monitors_insecure_internet_things/

    Internet-connected baby monitors are riddled with security flaws that could broadcast live footage of your sleeping children to the world and his dog, according to new research.

    Mark Stanislav, a security researcher at Rapid7, discovered numerous security weaknesses and design flaws after evaluating nine different devices from eight different vendors. Security flaws included hidden, hardcoded credentials, unencrypted video streaming, unencrypted web and mobile app functions, and much more.

    Isolated real-world reports of hacking of baby monitors date back at least two years, so it’s not as if the problem is new.

    Last year privacy watchdogs at the ICO warned parents to change the default passwords on webcams to stop perverts snooping on kids.

    The warning followed a security flap created by the site, hosted in Russia, that streamed live footage ranging from CCTV networks to built-in cameras from baby monitors. The website itself – insecam.cc – accesses the cams using the default login credentials, which are freely available online for thousands of devices.

    Possessed baby monitor shouts obscenities at Texas tot
    ‘Somewhat of a blessing’ the child is deaf, say parents
    http://www.theregister.co.uk/2013/08/14/eurohacker_shouts_obscenities_at_texas_tot_via_hijacked_baby_monitor

    Reply
  34. Tomi Engdahl says:

    As police move to adopt body cams, storage costs set to skyrocket
    http://www.computerworld.com/article/2979627/cloud-storage/as-police-move-to-adopt-body-cams-storage-costs-set-to-skyrocket.html

    Petabytes of police video are flooding into cloud services

    The police department in Birmingham, Ala. has seen a 71% drop in citizen complaints — and a 38% drop in use of force by officers — since deploying 319 body cameras two months ago.

    The cameras have been so effective that the department plans to buy another 300 cameras from Taser International.

    Birmingham is among a growing number of police departments that are rolling out body cameras, spurred in large part by public pressure in the wake of a series of controversial police shootings of civilians. That pressure first began to mount nationally last year

    The Birmingham police initially purchased 5TB of online storage on Evidence.com, Taser’s file management cloud, which is built on Amazon’s Web Service (AWS) platform. In just two months, however, the department has already used 1.5TB of its allotment — and it’s on track to exceed the 5TB limit in about six months.

    “That’s the biggest problem with this system…the cost of the storage,” Brewer said. “They do offer unlimited storage, but it’s quite costly — well above $1 million for the package we had looked at.”

    Traditionally, police departments saved dash camera footage and other videos on CDs stored away in an evidence room or on an onsite server. But with the increasing use of body cameras, dashboard cams and cameras within the police department itself, the amount of video content now being generated is far more difficult to manage locally.

    Reply
  35. Tomi Engdahl says:

    Borg bashes destabilising DoS bug in USC kit
    No workaround, so it’s ‘patch or chuck it in the bin’
    http://www.theregister.co.uk/2015/09/04/cisco_patches_overwrite_bug/

    Cisco has patched a denial of service vulnerability in its unified computing platform.

    The remote file-overwrite vulnerability exists in the Cisco Management Controller and Cisco UCS Director unified infrastructure software.

    Borg security bods say there are no workarounds for the vulnerabilities other than to patch.

    “Cisco Integrated Management Controller Supervisor and Cisco UCS Director contain a remote file overwrite vulnerability that could allow an unauthenticated, remote attacker to overwrite arbitrary system files, resulting in system instability or a denial of service condition,”

    Reply
  36. Tomi Engdahl says:

    Julia Edwards / Reuters:
    The Department of Justice revises cellphone tracking rules, warrant now required in most cases; data from non-targeted phones to be deleted within 30 days — Justice Department tightens rules on cellphone tracking devices

    Justice Department tightens cellphone tracking rules
    http://www.reuters.com/article/2015/09/03/us-usa-justice-mobilephone-idUSKCN0R32B420150903

    Reply
  37. Tomi Engdahl says:

    Pwn2Own Tokyo hacking contest trashed, US export rules blamed
    Sponsor HP stumped by Wassenaar Arrangement cluster-fsck
    http://www.theregister.co.uk/2015/09/03/pwn2own_tokyo_trashed_wassenaar_blamed/

    The Cold War has reached out a long-dead hand to stifle the Pwn2Own hackfest in Tokyo, with the Wassenaar Arrangement blamed for the event’s cancelation.

    Organized by the HP TippingPoint-backed Zero Day Initiative, Pwn2Own slings bug bounties to researchers.

    But it seems that this year, nobody could work out whether vulnerabilities revealed in Tokyo could be brought back to the US without breaking the Wassenaar treaty – which is undergoing a review by Uncle Sam’s lawyers, and its final form is still up in the air.

    Ruiu had previously tweeted that HP pulled its sponsorship and that he intends to try and host some kind of hackfest in its place

    He also told Ars Technica that HP had lawyered up to the tune of US$1 million to test the legal risk of Pwn2Own in a post-Wassenaar world, but decided it was untenable.

    Hackers had already expressed their concern that Pwn2Own was at risk, since it’s open to the interpretation that trafficking flaws across the US border is banned in light of the Wassenaar Arrangement.

    Reply
  38. Tomi Engdahl says:

    The Willie Sutton Theory of Cyber Security
    http://www.securityweek.com/willie-sutton-theory-cyber-security

    Despite the enormous attention on data breaches and cyber attacks, relatively little focus (and investment) has shifted to the principal scene of the crime, the servers and storage devices that manage and safeguard the vast bulk of a company’s or government agency’s data.

    Whether this data resides in the compute layer in traditional enterprise data centers or, increasingly, in new cloud computing environments such as Amazon Web Services or Microsoft Azure, it is self-evident that perimeter-centric technologies such as firewalls, IDS/IPS, and APT/malware detection systems provide limited value in addressing internal InfoSec issues. If vaults deep within the building protect banks from bank robbers, why do so many security professionals focus so much attention on their data center’s front door?

    It’s time to sharpen our focus to prioritize and secure critical information assets at the source, not only at the perimeter. This becomes even more important—and challenging—as we exit the well understood and fairly static client-server era and move to today’s computing environment, where applications and infrastructure have become more dynamic, distributed, hybrid, and heterogeneous. Much of what has made application development organizations more agile—orchestration, RESTful APIs, GitHub—has had a dark side from a security perspective. Increasingly, multi-tier applications are distributed across multiple environments to optimize cost and processing capabilities—e.g., ecommerce, Hadoop—and the notion of the perimeter as the control point can no longer be assumed.

    Reply
  39. Tomi Engdahl says:

    Our Rising Dependency on Cyberphysical
    http://www.securityweek.com/our-rising-dependency-cyberphysical

    In a previous column, I discussed how “cyberphysical” is an appropriate term to capture this new world we are entering, where machines operate automatically and rapidly based on real-time feedback. The next step is to understand why this cyberphysical matters to the wider population that these machines will service. We can then assess levels of risk in order to better develop a culture of cyberphysical security.

    The most notable trend is that critical services we rely on are increasingly dependent upon cyberphysical interactivity. The scope of these critical services continues to broaden and deepen across industries, especially as the functionality and speed of devices is more widely understood.

    To me, nothing offers a more direct example of cyberphysical dependency than heart pacemakers. More than three million people rely on these devices every day, and 600,000 new implants are performed each year (American Heart Association).

    Another set of cyberphysical interactions occur to deliver our electricity, which we ambitiously consume at approximately 18,000 terawatts a year. How many of us can go 60 minutes without an electrical charge to our cell phones? Smart meters, not to mention power generation control systems, play a part in delivering this critical energy service.

    Moving forward, we can envision a host of additional cyberphysical systems beyond these two examples, managing and impacting our daily lives. Many have seen self-driving cars, which are expected to grow at 134% CAGR in the next five years (not to mention electric cars, another dependency back on our power generation systems). Or consider home automation systems and maritime cargo monitoring.

    As a security specialist, while I anticipate great reward from these new types of cyberphysical systems, I also envision the need for better protection. The dependency on cyberphysical systems exposes the broader population to a variety of risks.

    Amidst pressures to be “first to market,” it is not uncommon for manufacturers to trade off convenience and price for limited protection. In some cases, it might not even be a conscious design decision. Considering our growing dependency on cyberphysical systems, however, security testing seems an obvious addition (but I will discuss solutions further in my next column).

    In other industries, it is less a rush to the consumer market triggering risks than it is a status quo regarding defining what constitutes “safe.” In the energy sector, offshore oil rigs were once “air gapped” and not connected to other systems.

    Today, devices from as far afield as transportation and government services have typically been prioritized by physical security implications first.

    Reply
  40. Tomi Engdahl says:

    Snowden: Others Get Prosecuted for What Hillary Clinton Did
    http://www.wired.com/2015/09/snowden-people-get-fired-prosecuted-hillary-clinton/

    The NSA was sloppy about guarding its classified secrets from Edward Snowden, but no one at the agency is in danger of being prosecuted for that security lapse. What Hillary Clinton did with her private email server, however, is criminal, says Snowden.

    If any other State Department or CIA employee were using a private email server to send details about the security of embassies, as Clinton is rumored to have done, as well as sensitive meetings with private US government officials and foreign officials over unclassified email systems, “they would not only lose their jobs and lose their clearance, they would very likely face prosecution for it,” the NSA whistleblower said in an interview with Al Jazeera English.

    “When the unclassified systems of the United States government, which has a full-time information security staff, regularly gets hacked, the idea that someone keeping a private server in the renovated bathroom of a server farm in Colorado, is more secure is completely ridiculous,” Snowden said, referring to the location of Clinton’s controversial email server, which had been maintained by the Denver-based company Platte River Networks, and to Clinton’s initial assertions that her server was secure and had suffered no security breaches.

    Snowden is right about the punishment others would face for mishandling classified information. There have been a smattering of such prosecutions over the last decade, generally involving low-to-mid-level military and government personnel.

    Reply
  41. Tomi Engdahl says:

    Stingray stung: FBI told ‘get a warrant’
    DoJ bends a little with new cell-site simulator policy
    http://www.theregister.co.uk/2015/09/04/stingray_stung_fbi_told_get_a_warrant/

    The US Department of Justice has moved to quell the ongoing row over the use of IMSI-catchers like Stingray, with a new policy that requires a warrant before they’re deployed.

    The policy, announced here, is designed to “establish a higher and more consistent legal standard and increase privacy protections” for the use of cell-site simulators.

    The policy takes effect immediately and applies across all DoJ agencies.

    The policy also addresses the understandable fear that anyone’s cellphone use could be caught by the devices, merely because they happened to be in the same place at the same time as a Stingray was in use.

    “As I’ve long stated, establishing a high uniform standard helps protect personal privacy and discourages abuse and mishandling of these powerful devices,”

    Reply
  42. Tomi Engdahl says:

    Prepare to be Thunderstruck: What if ‘deuszu’ ISN’T the Ashley Madison hacker?
    Attribution is harder than a taste in music
    http://www.theregister.co.uk/2015/09/01/prepare_to_be_thunderstruck_what_if_deuszu_isnt_the_ashley_madison_hacker/

    Security researcher Brian Krebs last week named whoever is behind the Twitter account deuszu as likely having had a hand in the Ashley Madison hack. But has Krebs named the right entity?

    Attribution isn’t that easy and Krebs has gone out on a limb.

    On August 19, 2015, deuszu tweeted a screen-cap showing a tab open playing AC/DC’s Thunderstruck. And in 2015 the Ashley Madison hackers made the company’s work computers play the song Thunderstruck as well.

    The second point that bothers me is to attribute this hack to deuszu based on a belief that Twitter provides the best – or only – timeline for the hack.

    The claim that the Impact Team hackers managed to make Ashley Madison employees’ computers play AC/DC’s Thunderstruck in 2015, and a screenshot showing deuszu once listened to the same song in 2012, is hardly forensic proof deuszu was responsible for the Ashley Madison hack.

    Krebs’ assertion that Twitter account deuszu appears “to be closely connected” to the Ashley Madison hack appears to rest on this tweet

    Thadeus Zu may well have been the first to post about it on Twitter on 17 July (without linking to the dumps), but frankly, tweeting about a breaking story – already announced online for more than 48 hours – seems a pretty crummy indication of potential guilt in perpetrating the original hack.

    Evidence about Zu’s location, based on his tweet-stream, is also equivocal.

    It would be just as easy (although outrageously conspiratorial) to paint Zu as an Army psy-ops cointel-pro Twitter account, partly-human-manned, part-bot script account, scraping and scanning social media, trying to gather intel by tweeting tantalising snippets in almost gibberish tweet-speak and perpetrating small defacements on a regular basis in an attempt to appear legitimate to other hackers. An intelligence organisation-funded Twitter account, that potentially jumped the gun and tweeted a link about a hack it was tracking just a little too early, gaining international media interest.

    Of course, such claims are utterly unfounded (for now), but Krebs’ theories about deuszu and the Ashley Madison hack are little stronger. For all we know, Zu may be a dog on the internet.

    Zu’s potential involvement in previous website defacements seems like a fairly low-value target for a legal prosecutor to chase.

    Although linking to dumped data has landed others in jail before

    Zu looks like an easy target – but probably the wrong one.

    Reply
  43. Tomi Engdahl says:

    The Ashley Madison Hack: Sleeping With the Enemy
    http://blog.centrify.com/ashley-madison-hack-privileged-identity-breach/

    The Ashley Madison hack is a wake up call not only for many individuals but for every single business, as well — many of which are still not paying enough attention to data security.

    The hack, which revealed the email addresses, personal information and sexual preferences of the site’s 36 million users, is devastating on many levels. For starters, Ashley Madison — whose slogan is “Life is short. Have an affair.” — will likely be the first high-profile company ever to go out of business as a direct result of a cyberattack. After all, it’s hard to see Ashley Madison regaining the trust of its customers, much less surviving the wave of legal action that’s now building. Two Canadian law firms were the first to file, with a $578 million class-action lawsuit in late August.

    On the customer end, the impact on many families has already been devastating. Site users are getting divorced, children are being teased, jobs and livelihoods are in jeopardy. Police in Toronto say they have unconfirmed reports of two people who committed suicide linked to the leak of Ashley Madison account information.

    It now seems likely that the perpetrator of the hack was an insider, probably a third-party contractor. The CEO of Ashley Madison has suggested that he knows who it is. The hacker was able to get into every system and extract massive amounts of information, including the CEO’s emails, the customer database, source code to the website — everything. If indeed the culprit was a contractor, the company failed in a fundamental way to limit that person’s access to sensitive data.

    To me, this hack comes down to poor privilege-management practices that granted the hacker far too much access. And it’s not just Ashley Madison. Many recent hacks can be blamed on privileged accounts that give the bad guys the proverbial keys to the kingdom via root access

    These privileged identities are necessary — users like database administrators and CIOs do need extensive access to computers, networks and applications — but privileged identities come with risk. Ashley Madison is just the latest and most sensational example of that risk’s enormity.

    There are so many privileged accounts in large organizations that many of them don’t even know where all of their privileged accounts reside or who has access to them. And it’s not just IT people with privileged access anymore. Nowadays, many of the regular folks in the enterprise are granted privileged access — marketing, for example.

    So, how can companies protect themselves from hackers, including malicious insiders, who can wreak havoc via privileged accounts? First, they must be smart. One of the most important steps they can take is to adopt the principle of least privilege. Limit access to the minimum level necessary for normal functioning. IT should assume that networks will be breached and bad guys will get in. But when they do get in, IT can contain and minimize the damage if it has implemented the practice of least privilege.

    Least privilege means giving people only the degree of privilege they absolutely need and access to the data they absolutely must have. It means auditing activity, especially on the most sensitive systems, looking for suspicious behavior, and generating alerts if something out of the ordinary is happening. It also means implementing two-factor authentication to verify that people really are who they say they are.

    The good news is that organizations are waking up to the threats posed by privileged user accounts. In the aftermath of breaches like Ashley Madison, there is a growing recognition that almost every cyberattack these days involves some kind of compromised credential and privilege escalation. Once a hacker or malicious insider gets their hands on a vulnerable credential, they have the means to launch a large-scale attack.

    Reply
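The auditing-and-alerting side of least privilege that the post describes, as an added example (not Centrify's code or any product): a role-to-system policy is checked after the fact over constructed audit lines, flagging access outside a role's minimum set and bulk extraction from sensitive systems. The role names, hostnames, log format and thresholds are assumptions.

```python
"""Least-privilege access audit over constructed audit-log lines.

Two patterns from the Ashley Madison insider scenario are detected:
(a) a privileged role touching a system its role does not need, and
(b) bulk reads/exports from a sensitive system by one user.
Everything below (roles, hosts, log lines, thresholds) is constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass
import re

# Constructed policy: the minimum set of systems each role legitimately needs.
# A role missing from the policy is allowed nothing (fail closed).
POLICY = {
    "dba":        {"customer-db"},
    "webdev":     {"web-src", "web-staging"},
    "contractor": {"web-staging"},
    "ciso":       {"customer-db", "web-src", "mail"},
}
SENSITIVE = {"customer-db", "web-src", "mail"}
BULK_ROWS_THRESHOLD = 10_000   # rows read from one sensitive system by one user

# Constructed audit format:
#   <ts> user=<u> role=<r> system=<s> action=<a> rows=<n>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"system=(?P<system>\S+) action=(?P<action>\S+) rows=(?P<rows>\d+)$"
)

SAMPLE_LOG = [
    "2015-07-10T09:01:02Z user=dba-ann role=dba system=customer-db action=read rows=500",
    "2015-07-10T09:05:44Z user=dev-bob role=webdev system=web-src action=read rows=0",
    "2015-07-10T09:30:00Z user=dev-bob role=webdev system=web-staging action=deploy rows=0",
    "2015-07-10T22:14:10Z user=ctr-joe role=contractor system=web-staging action=read rows=0",
    "2015-07-10T22:16:03Z user=ctr-joe role=contractor system=customer-db action=export rows=18000",
    "2015-07-10T22:31:47Z user=ctr-joe role=contractor system=customer-db action=export rows=18000",
    "2015-07-10T22:40:12Z user=ctr-joe role=contractor system=web-src action=export rows=0",
    "2015-07-10T22:52:30Z user=ctr-joe role=contractor system=mail action=read rows=1200",
]


@dataclass(frozen=True)
class Alert:
    user: str
    kind: str       # "out_of_policy" or "bulk_extraction"
    detail: str


def parse(line):
    """Parse one audit line into a dict; reject anything that does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable audit line: {line!r}")
    event = m.groupdict()
    event["rows"] = int(event["rows"])
    return event


def audit(lines, policy=POLICY, sensitive=SENSITIVE, bulk_threshold=BULK_ROWS_THRESHOLD):
    """Return one out_of_policy alert per offending event, plus one
    bulk_extraction alert per (user, sensitive system) whose summed
    read/export rows reach the threshold."""
    alerts = []
    rows_read = defaultdict(int)   # (user, system) -> total rows read or exported
    for raw in lines:
        ev = parse(raw)
        allowed = policy.get(ev["role"], set())
        if ev["system"] not in allowed:
            alerts.append(Alert(ev["user"], "out_of_policy",
                                f"{ev['role']} touched {ev['system']} ({ev['action']})"))
        if ev["system"] in sensitive and ev["action"] in ("read", "export"):
            rows_read[(ev["user"], ev["system"])] += ev["rows"]
    for (user, system), total in rows_read.items():
        if total >= bulk_threshold:
            alerts.append(Alert(user, "bulk_extraction",
                                f"{total} rows read from {system}"))
    return alerts


def alerts_by_user(alerts):
    """Group alert kinds per user, the view an on-call reviewer wants first."""
    grouped = defaultdict(set)
    for a in alerts:
        grouped[a.user].add(a.kind)
    return dict(grouped)


if __name__ == "__main__":
    for a in audit(SAMPLE_LOG):
        print(f"{a.kind:16} {a.user:10} {a.detail}")
```

With the sample log only the contractor account trips the audit: four out-of-policy events and one bulk-extraction alert for 36,000 rows pulled from customer-db.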
  44. Tomi Engdahl says:

    ABC News:
    Man Behind Virus That Stole Millions, Infected NASA Computers Reaches Deal
    http://abcnews.go.com/beta/Technology/hacker-allegedly-destructive-viruses-history-due-court/story?id=33536720

    A hacker who played a key role in developing a computer virus that stole millions of dollars from victims and even managed to infiltrate some NASA computers agreed to a plea deal today in New York federal court.

    Deniss Calovskis, a Latvian national, pleaded guilty to conspiring to commit computer intrusion, prosecutors said. He’ll be sentenced on Dec. 14 and faces a maximum 10 years in prison and a fine potentially as high as $250,000, according to a copy of the signed plea agreement.

    Authorities have called the Gozi computer virus “one of the most financially destructive computer viruses in history” and alleged Calovskis was responsible for writing some of the code that allowed the virus to stealthily infiltrate victims’ computers and avoid detection from spyware. He was arrested in November 2012.

    Reply
  45. Tomi Engdahl says:

    Even encryption does not guarantee that the health information is beyond the reach of criminals

    Security problems in electronic applications are increasing worldwide. Dating services, shops and POS systems are hardly the last examples of giant information leaks.

    Microsoft security researchers say that health care information systems have gaps, even if the data is stored there in encrypted form.

    In practice, this means that patient information in hospitals is open to criminal information theft. It is possible to dig up sensitive information about people.

    In their report, the researchers used the CryptDB database, which many hospitals use. Because of its relative ease of use, CryptDB is quite popular in different organizations.

    In general, the encrypted data is well protected. However, the encryption is removed whenever the data needs to be used. As a result, data from the database can exist in unencrypted form outside it, such as in computer memory. Criminals may be able to dig the data out from there, because the researchers were able to.

    In the experiment, the researchers were able to learn, regardless of encryption, for example patients’ severity of illness, age, time spent in hospital and other information.

    Source: http://www.tivi.fi/Kaikki_uutiset/edes-salaus-ei-takaa-etta-terveystiedot-ovat-rikollisten-ulottumattomissa-3482270

    Reply
  46. Tomi Engdahl says:

    Mozilla: data stolen from hacked bug database was used to attack Firefox
    A privileged user’s account was compromised at least as early as September 2014.
    http://arstechnica.com/security/2015/09/mozilla-data-stolen-from-hacked-bug-database-was-used-to-attack-firefox/

    An attacker stole security-sensitive vulnerability information from Mozilla’s Bugzilla bug tracking system and probably used it to attack Firefox users, the maker of the open-source Firefox browser warned Friday.

    In an FAQ published (PDF) alongside Mozilla’s blog post about the attack, the company added that the loss of information appeared to stem from a privileged user’s compromised account. The user appeared to have re-used their Bugzilla account password on another website, which suffered a data breach. The attacker then allegedly gained access to the sensitive Bugzilla account and was able to “download security-sensitive information about flaws in Firefox and other Mozilla products.”

    Mozilla added that the attacker accessed 185 non-public Firefox bugs, of which 53 involved “severe vulnerabilities.” Ten of the vulnerabilities were unpatched at the time, while the remainder had been fixed in the most recent version of Firefox at the time.

    Improving Security for Bugzilla
    https://ffp4g1ylyit3jdyti1hqcvtb-wpengine.netdna-ssl.com/security/files/2015/09/BugzillaFAQ.pdf

    Reply
  47. Tomi Engdahl says:

    DDoS-Style YouTube Dislikes For Sale
    http://news.slashdot.org/story/15/09/06/1230220/ddos-style-youtube-dislikes-for-sale

    The number of dislikes was so disproportionate to the casual number of viewers for the channel, and so concentrated as to constitute a particular type of net-attack — one that appeared to originate in Vietnam. Stewart eschews the notion of a “cottage industry” of Vietnamese YouTube “dislikers” in favor of the fact that any network exploits are eminently reproducible in a country which has only five ISPs among nearly ninety million people — and a widely distributed vulnerable router.

    Reply
  48. Tomi Engdahl says:

    Vulnerability Note VU#903500
    Seagate wireless hard-drives contain multiple vulnerabilities
    http://www.kb.cert.org/vuls/id/903500

    Multiple Seagate wireless hard-drives contain multiple vulnerabilities.

    Reply
  49. Tomi Engdahl says:

    Researcher Hacks Self-Driving Car Sensors
    http://tech.slashdot.org/story/15/09/07/0140240/researcher-hacks-self-driving-car-sensors

    Jonathan Petit, security researcher at Security Innovation has created an electronics kit that costs only $60, which can flood LiDAR sensors on self-driving cars with a laser beam that contains fake data, making them think they have objects in front of them. This forces the self-driving car to slow down and sometimes abruptly stop.

    Researcher Hacks Self-driving Car Sensors
    http://spectrum.ieee.org/cars-that-think/transportation/self-driving/researcher-hacks-selfdriving-car-sensors

    The multi-thousand-dollar laser ranging (lidar) systems that most self-driving cars rely on to sense obstacles can be hacked by a setup costing just $60, according to a security researcher.

    “I can take echoes of a fake car and put them at any location I want,” says Jonathan Petit, Principal Scientist at Security Innovation, a software security company. “And I can do the same with a pedestrian or a wall.”

    Using such a system, attackers could trick a self-driving car into thinking something is directly ahead of it, thus forcing it to slow down. Or they could overwhelm it with so many spurious signals that the car would not move at all for fear of hitting phantom obstacles.

    Petit set out to explore the vulnerabilities of autonomous vehicles, and quickly settled on sensors as the most susceptible technologies. “This is a key point, where the input starts,” he says. “If a self-driving car has poor inputs, it will make poor driving decisions.”

    Other researchers had previously hacked or spoofed vehicles’ GPS devices and wireless tire sensors.

    While the short-range radars used by many self-driving cars for navigation operate in a frequency band requiring licensing, lidar systems use easily-mimicked pulses of laser light to build up a 3-D picture of the car’s surroundings and were ripe for attack.

    Petit began by simply recording pulses from a commercial IBEO Lux lidar unit. The pulses were not encoded or encrypted, which allowed him to simply replay them at a later point. “The only tricky part was to be synchronized, to fire the signal back at the lidar at the right time,” he says. “Then the lidar thought that there was clearly an object there.”

    Petit was able to create the illusion of a fake car, wall, or pedestrian anywhere from 20 to 350 meters from the lidar unit, and make multiple copies of the simulated obstacles, and even make them move. “I can spoof thousands of objects and basically carry out a denial of service attack on the tracking system so it’s not able to track real objects,” he says. Petit’s attack worked at distances up to 100 meters, in front, to the side or even behind the lidar being attacked and did not require him to target the lidar precisely with a narrow beam.

    Sensor attacks are not limited to just robotic drivers, of course. The same laser pointer that Petit used could carry out an equally devastating denial of service attack on a human motorist by simply dazzling her, and without the need for sophisticated laser pulse recording, generation, or synchronization equipment.

    Reply
  50. Tomi Engdahl says:

    Attention sysadmins! Here’s how to dodge bullets in a post-Ashley Madison world
    You’ve no time to get lazy
    http://www.theregister.co.uk/2015/09/07/sysadmins_dodge_bullet_post_ashley_madison_world/

    If the Ashley Madison saga has taught us one thing – well, many things, but one main thing – it was never, ever, ever use a work email account for personal pursuits online.

    Once trawled, data from the leaked site revealed that thousands of those with Ashley Madison accounts – presumably men, given the site’s overwhelming demographic – had linked those accounts to work domains in government, the police and military.

    Data also revealed IBMers led the tech pack of hopeful philanderers.

    How can this happen? I can resist anything but temptation, said Oscar Wilde, but what of complacency? Suits are one thing but trying to manage IT staff can be different, especially when it comes to matters IT related, as an atmosphere often pervades of “we know best.”

    As Ashley Madison has proved, sentiment is not only hard to control – it can be costly, embarrassing and potentially career limiting.

    So, here’s a helpful reminder of how to avoid becoming a victim, tried and tested in the field.

    1. User privileges (and abuse thereof)

    We all know that it is absolutely good practice to have separate login accounts and administrative accounts. Admittedly, after a while this process becomes tedious, changing between accounts and multiple passwords. It helps limit malware nasties from spreading due to – hopefully – restricted user accounts as well as potentially deleting documents you didn’t mean to.

    2. Password laziness

    Equally annoying is the need to remember multiple passwords. After the fourth or fifth non-Active-Directory enabled system password has to be remembered, it gets onerous. This one isn’t totally on the administrators.

    3. Keep your private life private

    On the non-technical side there are many pitfalls for the administrator when using company provided equipment. Keeping home and work separate is important. An administrator has to be seen to be beyond reproach, especially if working at another company’s site or being a contractor.

    4. Personal email and web browsing – a petri dish of liability

    People’s work-related emails may well be clean and clear of malware, but personal accounts are not always as clean. Frequently, users have been spearfished on personal accounts and it has led to business systems being exploited.

    Keeping clear of personal browsing and email at work is a habit to be encouraged. Do you want to be the one that causes that outage, data loss and expense to the company, or even worse, the client?

    5. The network is theirs, not yours

    This may seem incredibly obvious, but a lot of sysadmins, particularly those in SMEs, where one person is the entirety of the IT team, can get a bit precious over the infrastructure.

    It becomes a labour of love, and when that love is removed it can get rather darn nasty, à la Terry Childs. The network, the hardware, the servers; they belong to the company and the administrator is paid to look after the resources.

    If the CTO wants the root password, that’s fine. Just make sure it is documented and witnessed, if possible. On the subject of documentation, also make sure yours is up to date.

    Lessons learnt the hard way are not often forgotten. It is, however, better to not have to learn them in the first place.

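The Ashley Madison lesson in the comment above, that work addresses turn up in third-party breach dumps, has a routine defensive counterpart: when a dump circulates, check it for your own domains so the affected staff can be told to rotate credentials and watch for targeted phishing. The following is an added example and not code from the original post or from the Register article; the breach dump and the organization domains in it are constructed, and all function names are this example's own. It normalizes addresses (case, whitespace, plus-tags), matches subdomains of the organization's domains, rejects look-alike domains such as `notexample.gov`, and tallies hits per domain.

```python
"""Find an organization's own accounts in a (constructed) breach dump.

Added example, not part of the original post. Domains and addresses are made up.
"""
import re
from collections import Counter

# Local part: anything without '@' or whitespace; domain: labels plus a TLD of 2+ letters.
EMAIL_RE = re.compile(r"^[^@\s]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})$")


def normalize(address):
    """Return (local, domain) in canonical form, or None for malformed input.

    Lower-cases the address, strips surrounding whitespace and drops a
    '+tag' so that alice+dating@ and alice@ count as the same account.
    """
    address = address.strip().lower()
    if not EMAIL_RE.match(address):
        return None
    local, domain = address.rsplit("@", 1)
    local = local.split("+", 1)[0]
    return local, domain


def domain_matches(domain, org_domains):
    """True if domain is an org domain or a subdomain of one.

    The '.' prefix in the endswith check stops notexample.gov from
    matching example.gov.
    """
    return any(domain == d or domain.endswith("." + d) for d in org_domains)


def find_org_accounts(leaked_addresses, org_domains):
    """Return a sorted, de-duplicated list of org accounts found in the dump."""
    org_domains = {d.strip().lower().strip(".") for d in org_domains}
    hits = set()
    for raw in leaked_addresses:
        parsed = normalize(raw)
        if parsed is None:
            continue  # skip garbage lines rather than abort the whole scan
        local, domain = parsed
        if domain_matches(domain, org_domains):
            hits.add(f"{local}@{domain}")
    return sorted(hits)


def count_by_domain(addresses):
    """Tally matched accounts per domain, e.g. to report by department."""
    return Counter(a.rsplit("@", 1)[1] for a in addresses)


# Constructed sample dump: mixed case, plus-tags, a subdomain, a look-alike
# domain, an unrelated domain, a malformed line and stray whitespace.
CONSTRUCTED_DUMP = [
    "Alice.Smith@Example.gov",
    "alice.smith+dating@example.gov",   # same account as the line above
    "bob@hr.example.gov",               # subdomain of an org domain
    "carol@example.com",                # different TLD, not ours
    "dave@notexample.gov",              # look-alike, must not match
    "erin@police.example",
    "malformed-entry",
    " frank@EXAMPLE.GOV ",
]

# Constructed organization domains (hypothetical).
ORG_DOMAINS = ["example.gov", "police.example"]


def report(dump=CONSTRUCTED_DUMP, org_domains=ORG_DOMAINS):
    """Run the scan and return (accounts, per-domain counts)."""
    accounts = find_org_accounts(dump, org_domains)
    return accounts, count_by_domain(accounts)


if __name__ == "__main__":
    accounts, counts = report()
    for account in accounts:
        print(account)
    for domain, n in counts.most_common():
        print(f"{domain}: {n}")
```

Real dumps are far larger and usually need streaming line by line, but the matching rules above are the part that gets wrong in ad hoc scripts: a plain substring search on `example.gov` would both miss `Example.gov` and wrongly flag `notexample.gov`.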
