Security trends for 2015

Year 2014 is coming to an end, so it is time to look forward to what to expect from year 2015 in cyber security.

Cyber security will get harder year by year. Year 2014 was much worse than 2013. The Heartbleed, Bash (Shellshock), and POODLE vulnerabilities were just the beginning of what to expect in 2015. I expect that year 2014 was easy compared to what year 2015 will be. 2015 will prove to be a challenging year for IT security professionals. Attacks can happen anywhere and anytime, and they don’t have to be major attacks by nation states. They could come from inside or outside.

According to Gartner and SecurityWeek, total information security spending will grow a further 8.2 percent in 2015 to reach $76.9 billion. Unfortunately, security investments are not keeping up with IT enhancements that are continuously widening our attack surface and making systems more vulnerable. As computer software has become the backbone of modern civilization, “hacktivists”, organized cyber criminals, state-sponsored cyber attackers, and terrorist organizations try to exploit design flaws and weaknesses in applications in order to embarrass corporations and government agencies, and to commit fraud.

Despite the high profile CryptoLocker takedown, ransomware scams remain an all-too-real threat. Crooks are developing more sophisticated encryption schemes to support their fraud.

The steady flow of software security issues will keep making headlines in 2015. Serious security flaws will be found in both open source and proprietary software.

Many people are looking for a good process to develop secure software, because after-the-fact band-aiding is not a sustainable approach. If the same methods continue to be used to develop software, with tests added retrospectively, there will be only a very modest reduction in the flow of problems. Processes for developing reliable and secure networking software exist, but they have yet to be broadly applied. Traditional methods used to develop software continue to result in high failure rates. Why create insecure security?

Year 2014 was a year of cybersecurity debate after the NSA revelations made in 2013. There were lots of articles related to the published material. Not everything has yet been published, so I would expect new details of the NSA revelations to be published in 2015 as well. So I expect some new information leaks on how governmental security organizations spy on us all.

It seems like year 2014 has almost been “The Year of PoS Breaches.” Can We Learn from Big Breaches? At least companies will also face more stringent regulations: the new Payment Card Industry Data Security Standard 3.0 (PCI 3.0) will be mandatory for all businesses that store, process or transmit payment card information beginning 1 January 2015. The revamped standard includes requirements aimed at third party providers. The changes follow a string of high profile breaches. I expect that those new requirements will not result in any quick change to the situation. As more and more breach reports keep coming up, consumers are officially starting to get breach fatigue, and banks are bringing breached companies to court to pay for the damages caused to them.

Public and private organizations are facing an increasing frequency and sophistication of cyber-attacks and security breaches, many of which are only discovered after the fact. McAfee Labs’ 2015 Threats Predictions report is an eye-opening read that forecasts increased levels of crime, espionage and warfare operations. Cybercriminals are expected to use more sophisticated methods to remain hidden on a victim’s network, carrying out long-term theft of data without detection.

The article Get Ready For The Hack Attack That Drives A Big Company Out Of Business predicts that 2015 will be the year that some company goes out of business because it didn’t plan adequately for an attack. In the past, the most sophisticated hacks against companies were carried out by big nation-states or criminal organizations. In year 2014 the Sony Pictures hack happened and showed that the motives of sophisticated hackers have changed from self-gain to destruction. Many company officers are only now becoming aware of the threat (boards of directors and C-level officers have traditionally been focused on other threats). A computerized attack can cause a lot of damage to a well prepared company, and can turn a not so well prepared company into a complete disaster it can’t recover from. The Sony attack opens new doors of risk in the area of corporate extortion.

As the Internet of Things becomes more and more used, it will be hacked more. Thus the security of the Internet of Things will be more and more talked about. IoT is one field where cyber security flaws can kill. The European Police Office (Europol) said governments are ill-equipped to counter the menace of “injury and possible deaths” spurred by hacking attacks on critical safety equipment. There are many potential dangers in transportation: many new cars are Internet connected and potentially vulnerable, SCADA systems in railways are vulnerable to attack, and airline bosses ignore cyber security concerns at their peril. Whether it is an unintentional cyber incident or a deliberate attack, security continues to be a vital part of the automation industry, and it will remain, with safety, a growing area of concern for manufacturers in the coming years. Security awareness is on the rise throughout the industry. Security is becoming a business enabler that can provide manufacturers more than just an insurance policy.

Soon, almost every network will have IoT hacking in it. IDC predicts that within two years 90 per cent of global IT networks will have experienced IoT data theft. In a report, cybersecurity firm Fortinet expects greater threats from “denial of service attacks on assembly line, factory, industrial control systems, and healthcare and building management…resulting in revenue losses and reputation damages for organizations globally.” This opens new doors of risk in the areas of corporate extortion, altering of corporate business operations, and the extension of cyberattacks to include physical threats of harm to civilians.

Cyber warfare is becoming more and more attractive to small nations and terrorist groups. Enabled by Internet connectivity, cyber war provides more bang for the buck than investment in conventional weapons. It is cheaper and far more accessible to these small nation-states than conventional weapons. It allows these countries to pull off attacks with less risk of getting caught and with fewer repercussions when they are caught. There are many reasons why a nation-state or non-nation entity would pursue a cyber war program, and today many countries, large and small, invest in cyber warfare. Recent cyber attacks suggest that fewer resources are required to wage an attack than to defend against one. As the whole world gets connected, it just provides the details that make these attacks possible. In the not-too-distant future, warfare with traditional weaponry may take a backseat to potentially more destructive tactics: computer code attacking the companies and infrastructures, including electric grids and oil and gas pipelines, that society relies on.

It was estimated that the first online murder would happen in 2014. It did not seem to happen in 2014, as far as I know. I think it is likely that an online murder can happen in 2015. The tools for this are available. Cyber-murder can happen without us knowing about it.

Mobile devices will be one of the focal points for cyber-attackers in 2015, as they present relatively easy, low-risk points of entry that can be monitored remotely for passwords, account numbers, and personal identification data. Malicious application stores are still relatively easy to publish. Within the next year, advanced mobile exploit kits will become available.

Mobile devices will start to play a part in denial of service attacks. Vietnam, India and Indonesia will be the distributed denial of service volcanoes of next year due to the proliferation of pwned mobiles.

Year 2014 brought encryption to mainstream smart phones (new encryption features from Apple Inc. and Google Inc.). In year 2015 government organizations will try to tackle a very modern problem: password-protected encrypted cellphones. It will be a fight over surveillance as everyone starts to implement encryption.

Long predicted but always seeming to be “just around the corner,” mobile payments may finally have arrived. The underlying technologies of the coming mobile payment revolution, and alternative solutions, have been emerging for some time. Technologies playing a supporting role in this shift include encryption advances, digital currencies, biometrics, NFC, Bluetooth, QR codes, and even the use of sound wave data transfer. There will also be products marketed to prevent the different kinds of potential threats the new technologies can cause.

There is a never-ending battle between good and evil in the cyber world. Various types of attacks are successful because they are well-disguised, blend different techniques, and constantly evolve. You need Layered Security – It’s Not Just for Networks. Use a layered security architecture that supports a combination of defenses in ways attackers don’t expect and that continuously evolves protections to keep up with dynamic attacks. Traditionally these approaches have been focused on the network, but they can and should be applied to other parts of the IT system as well (start from email gateways). Email is the preferred channel for business communications and thus continues to be a vector of choice for attackers.

Threat Information Sharing Will Become Necessary for Survival. Security controls (SANS critical controls, ISO/IEC 27002, NIST Cybersecurity Framework, and the Cloud Controls Matrix) are safeguards that counteract or minimize security risks relating to digital property. The more you can automate a control, the better off you will be. Moving towards an adaptive and automated way of applying intelligence based on behavior and heuristics is clearly a step in the right direction, enabling a more actionable and relevant set of controls. Threat intelligence coming from a variety of sources (security companies, the government and the open source community) is needed. Key to success is publishing intelligence in a variety of data structures (STIX, TAXII and other standard industry formats) to best describe threats in a way that can be aggregated and understood by others.
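As an added example (not part of the original post), the following Python shows the aggregate-and-act step the paragraph describes: a few constructed STIX 2-style indicators are parsed and matched against constructed proxy log lines. It assumes indicators arrive as the simplest single-comparison pattern form, such as `[domain-name:value = 'host.example']`; the full STIX pattern grammar (boolean operators, MATCHES, qualifiers) is richer and is deliberately not handled here, and the log format is invented for the example.

```python
"""Match STIX 2-style indicator patterns against proxy log lines.

Added example, not code from the original post. Only single-comparison
patterns of the form [type:property = 'value'] are understood; anything
else raises ValueError so an unsupported indicator is never silently
treated as a non-match. All indicators and log lines are constructed.
"""
import re

# Constructed indicators in the shape a STIX 2 feed would deliver them.
SAMPLE_INDICATORS = [
    {"id": "indicator--1", "name": "Constructed C2 domain",
     "pattern": "[domain-name:value = 'update-cdn.example']"},
    {"id": "indicator--2", "name": "Constructed C2 address",
     "pattern": "[ipv4-addr:value = '203.0.113.7']"},
    {"id": "indicator--3", "name": "Constructed dropper URL",
     "pattern": "[url:value = 'http://cdn.example/a.apk']"},
]

# Constructed proxy log: timestamp, client IP, method, URL, destination IP.
SAMPLE_LOG = """\
2015-01-05T10:00:01Z 10.0.0.5 GET http://intranet.example/index.html 10.0.0.20
2015-01-05T10:00:07Z 10.0.0.9 POST http://update-cdn.example/report 198.51.100.9
2015-01-05T10:01:13Z 10.0.0.9 GET http://cdn.example/a.apk 203.0.113.7
2015-01-05T10:02:44Z 10.0.0.11 GET http://news.example/ 192.0.2.33
"""

_PATTERN_RE = re.compile(
    r"^\[\s*(?P<type>[a-z0-9-]+):(?P<prop>[a-z_]+)\s*=\s*'(?P<val>[^']*)'\s*\]$")

# Which log field each supported STIX object type/property is compared with.
_FIELD_FOR = {
    ("domain-name", "value"): "host",
    ("ipv4-addr", "value"): "dest",
    ("url", "value"): "url",
}


def parse_pattern(pattern):
    """Return (object_type, property, value) for a single-comparison pattern."""
    m = _PATTERN_RE.match(pattern.strip())
    if not m:
        raise ValueError("unsupported STIX pattern: %r" % pattern)
    return m.group("type"), m.group("prop"), m.group("val")


def parse_log_line(line):
    """Split one constructed proxy log line into named fields."""
    ts, client, method, url, dest = line.split()
    host = url.split("//", 1)[1].split("/", 1)[0]
    return {"timestamp": ts, "client": client, "method": method,
            "url": url, "host": host, "dest": dest}


def match_indicators(indicators, log_text):
    """Return (indicator id, client IP, timestamp) for every log line whose
    field equals an indicator's comparison value."""
    compiled = []
    for ind in indicators:
        obj_type, prop, value = parse_pattern(ind["pattern"])
        field = _FIELD_FOR.get((obj_type, prop))
        if field is None:
            continue  # object type this example does not evaluate
        compiled.append((ind["id"], field, value))
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_log_line(line)
        for ind_id, field, value in compiled:
            if rec[field] == value:
                hits.append((ind_id, rec["client"], rec["timestamp"]))
    return hits


if __name__ == "__main__":
    for hit in match_indicators(SAMPLE_INDICATORS, SAMPLE_LOG):
        print("indicator %s matched client %s at %s" % hit)
```

Run stand-alone it reports three hits, all from client 10.0.0.9; the point of the design is that indicators in a shared format drive the matching directly, so a new feed entry needs no code change.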

More and more organizations are moving applications and data to IaaS/PaaS environments. Many enterprise IT departments have reason for concern: industry experts agree that moving sensitive data into the hands of third-party cloud providers expands and complicates the risk landscape in which companies operate every day. You need to understand cloud database security basics and more.

Today major players are embracing end-to-end encryption, so that about 50% of web traffic is carried by HTTPS. HTTPS-everywhere will get a boost in 2015 as a new certificate authority backed by big names on the internet, including Mozilla, Cisco and Akamai, plans to offer SSL certs at no charge starting summer 2015. This move will make it even easier for people to run encrypted, secure HTTPS websites.

Google is proposing to warn people that their data is at risk every time they visit websites that do not use HTTPS. If implemented, the change would mean that a warning would pop up when people visited a site that used only HTTP, to notify them that such a connection “provides no data security”. In the short term, the biggest headache is likely to be faced by website operators, who will feel forced to migrate unencrypted HTTP websites to encrypted HTTPS.

You can’t trust that normal web security technologies will guarantee safety. Your HTTPS security will be manipulated more than before. End-to-end HTTPS is generally a good security addition for end users, but it does not solve all the problems. The increased use of HTTPS has made the life of IT departments harder, because normal firewalls can’t look at what is inside encrypted HTTPS packets, so they can’t block potential security threats that are carried within HTTPS packets. There are some special corporate firewall arrangements that can intercept HTTPS traffic (they do a kind of man-in-the-middle attack that decrypts and re-encrypts the packets on the way). So SSL communications can be intercepted and broken.

3,110 Comments

  1. Tomi Engdahl says:

    It’s 2015 and a text file can hack your Apple Watch. IS THIS THE FUTURE YOU WANTED?
    http://www.theregister.co.uk/2015/09/21/apple_kicks_out_watchos_2_update/

    Five days after delaying the release of watchOS 2, Apple has posted an update for its smartwatch operating system.

    The watchOS 2 update brings the introduction of native apps for the Apple Watch, a new set of privileges that will allow developers previously limited to iOS applications the ability to access the Watch’s microphone, speaker, and both the HealthKit and HomeKit APIs.

    The update also brings the addition of new Watch faces, including a set of time-lapse images set to change throughout the day, and a new “nightstand” mode to display a clock face while the Watch is charging at night.

    The watchOS 2 update also brings a hefty load of security fixes, addressing 37 CVE-listed flaws in total. Among the flaws Apple patched are remote-code execution flaws that could be exploited by a malicious web page, text file, or audio file.

    Reply
  2. Tomi Engdahl says:

    Advisory (ICSA-15-258-01)
    Schneider Electric StruxureWare Building Expert Plaintext Credentials Vulnerability
    https://ics-cert.us-cert.gov/advisories/ICSA-15-258-01

    Reply
  3. Tomi Engdahl says:

    Interesting security breach news site:

    http://www.databreaches.net/

    Reply
  4. Tomi Engdahl says:

    US-CERT’s do’s-and-don’ts for after the cyber hack
    http://www.databreaches.net/us-certs-dos-and-donts-for-after-the-cyber-hack/

    Jason Miller reports that US-CERT is offering best practices for after an attack. Here’s a bit of what he reports:

    Hacked organizations shouldn’t automatically initiate reactive measures to the network without first consulting incident response experts. Barron-DiCamillo said US-CERT and a host of other companies do incident responses for a living, as opposed to systems administrators or other IT experts who respond to cyber problems only when they happen.

    “This can cause loss of volatile data such as memory and other host-based artifacts. We also see them touching adversary infrastructure. It seems unusual, but we do,” she said. “They are pinging or doing name server (NS) look up, browsing to certain sites. Agency staff is trying to investigate the incident, naturally, and they want to conduct the analysis on suspicious domains or IPs. However, these actions can tip off the adversaries that they have been detected. Again, a no-no. You don’t want to do that.”

    US-CERT’s do’s-and-don’ts for after the cyber hack
    http://federalnewsradio.com/cybersecurity/2015/09/us-certs-dos-and-donts-for-after-the-cyber-hack/

    Reply
  5. Tomi Engdahl says:

    Facebook Dislike hype exploited in phishing campaign
    https://thestack.com/security/2015/09/21/facebook-dislike-hype-exploited-in-phishing-campaign/

    A new Facebook scam is quickly spreading across the social network which plays on the announcement of the highly-anticipated ‘Dislike’ button.

    Facebook CEO Mark Zuckerberg discussed the proposed feature in an interview last week, confirming that there would be a public launch “very” soon. The social media giant has long considered adding a dislike or ‘empathise’ button for posts that may contain sad news, to avoid inappropriate ‘liking’.

    A new scamming campaign is now exploiting impatient Facebook users anxiously awaiting the dislike button addition, by tricking them into believing that they can click on a link to gain early access to the feature.

    The scam link, titled ‘Get newly introduced Facebook dislike button on your profile’, has been specifically designed to spread rapidly across Facebook as an ‘invite-only’ feature.

    Once the unsuspecting victim selects a link, they are led to a malicious website, which enables access to their private Facebook accounts and allows the hackers to share further scam links on their behalf.

    Facebook is an extremely appealing platform for scammers and hackers, due to the speed of potential propagation.

    Reply
  6. Tomi Engdahl says:

    India withdraws controversial encryption policy
    http://www.bbc.com/news/world-asia-india-34322118

    The Indian government has withdrawn a draft encryption policy after public uproar over the proposed measures.

    IT Minister Ravi Shankar Prasad said the proposals were released to the public without his knowledge.

    The new law would have forced Indians to store plain-text versions of their encrypted data for 90 days and make it available to security agencies.

    The draft policy sparked outrage on social media, as most messaging services use some form of encryption.

    The encryption policy was proposed to enhance information security in India.

    On Monday night the government exempted social media applications from the draft policy after social media outrage.

    The “draft encryption policy is not the final view of the government. It will be redrawn to specify who it will apply to,” Mr Prasad told reporters on Tuesday.

    Reply
  7. Tomi Engdahl says:

    More people have died from selfies than shark attacks this year
    http://mashable.com/2015/09/21/selfie-deaths/#KubA4uSeukkG

    A 66-year-old Japanese tourist has died, and his travel companion has been injured, after falling down stairs while attempting to take a selfie at the Taj Mahal.

    The man’s death raises the selfie toll this year — to 12. To put that in perspective, in 2015 there have so far been eight deaths caused by shark attacks.

    It sounds like a joke, but unfortunately it isn’t: The deaths are a tragic reminder to travelers that focusing on a phone screen instead of unfamiliar surroundings is not safe.

    With no idea how far some people will go for a great selfie, many landmarks have begun banning selfies — or at least selfie sticks. In July, the Russian Interior Ministry released a brochure, warning about cool selfies that “could cost you your life.” Selfie-takers are urged to take precaution with weapons, ledges, dangerous animals, trains and live wires.

    Reply
  8. Tomi Engdahl says:

    Number of XcodeGhost-infected iOS apps rises
    http://www.net-security.org/malware_news.php?id=3109

    As the list of apps infected with the XcodeGhost malware keeps expanding, Apple, Amazon and Baidu are doing their best to purge their online properties of affected apps, malicious Xcode installers, and C&C servers used by the attackers to gather the stolen information and control the infected apps/devices.

    Apple has begun cleaning up its App Store on September 18 and is working with affected developers to get uninfected versions of their apps back in it. Some of the affected apps still remain in the Store, but will hopefully be removed soon.

    China-based jailbreaking Pangu Team claims that the number of infected apps is higher than 3,400, and has offered for download a free app that apparently detects the Trojanized apps.

    Reply
  9. Tomi Engdahl says:

    NIST Hits Quantum Teleport Key Out of the Park
    NIST bests world’s record at 63 miles
    http://www.eetimes.com/document.asp?doc_id=1327759&

    National Institute of Standards and Technology (NIST, Boulder, Colo.) has announced a breakthrough allowing secure quantum encryption keys to be teleported over 63 miles without a repeater.

    Uncrackable encryption keys use what’s called quantum key distribution (QKD), which transmits the decryption key to the receiver over special communications lines using quantum teleportation to tell whether the key has been observed during transmission. Unfortunately, that requires the transmission of up to a 128,000 single photons—one at a time—through a single optical fiber, requiring ultra-sensitive sensors at the receiving end that detects single photons. So far, only about 15 miles was the longest distance a quantum key could be teleported.

    Hard encryption is easy on a user’s device itself—just set your solid-state or hard drive to encrypt the contents of your drive with a long random passcode. However, today transmitting encrypted messages over public networks depends on the computational impracticality of deriving a properly generated private decryption key from its public key and a passcode. Depending on public key encryption is “good enough” for most users, because of the difficulty of cracking the passcode. But for banks, stock exchanges and government “top secrets,” it’s possible for foreign governments to still crack public key encrypted messages with supercomputers that try every passcode (the hard way, but widely available) or with quantum computers that can guess many passcodes simultaneously (the easy way, but not widely available, yet).

    Reply
  10. Tomi Engdahl says:

    US legislation requiring tech industry to report terrorist activity dropped
    http://www.itworld.com/article/2985049/us-legislation-requiring-tech-industry-to-report-terrorist-activity-dropped.html

    The provision would have required the tech industry to report vaguely-defined terrorist activity

    The U.S. Senate Intelligence Committee has dropped a provision that would have required Internet companies to report on vaguely-defined terrorist activity on their platforms, a move that was strongly opposed by the industry and civil rights groups.

    “Social media companies aren’t qualified to judge which posts amount to ‘terrorist activity,’ and they shouldn’t be forced against their will to create a Facebook Bureau of Investigations to police their users’ speech,” Wyden said in a statement.

    The provision would have required Internet services companies, who obtain “actual knowledge of any terrorist activity,” to provide to the appropriate authorities the “facts or circumstances” of the alleged activities.

    Powerful tech industry bodies like the Internet Association, Reform Government Surveillance and Internet Infrastructure Coalition found the description “any terrorist activity” vague and overbroad.

    Reply
  11. Tomi Engdahl says:

    Don’t Steal This Laptop
    http://hackaday.com/2015/09/22/dont-steal-this-laptop/

    As laptops have become smaller and easy to carry around, they have also picked up the most unfortunate property of being easy to steal. We’ve read the stories of how some victims are able to track them down via webcam still images of the thief. [Mastro Gippo] decided to take it one step further and add a remotely operated hardware self destruct to his laptop. The idea is if the laptop becomes unrecoverable, it will become useless and any sensitive data will be destroyed without harming the area around it.

    The idea is to tuck the small board somewhere in the laptop and wire it up between the battery and some sensitive parts. Send a single SMS text and ‘poof’, bye-bye laptop.

    Crunchtrack’s hacks
    A project log for Crunchtrack
    The smallest open source GSM+GPS+CAN board ever
    https://hackaday.io/project/7134-crunchtrack/log/25451-crunchtracks-hacks

    So, they stole your notebook and when you tracked it you found it so far away that’s not worth the trip to recover it anymore. You will want to wipe and disable it. There are a few options for that, depending on your goals. If you want to destroy the data

    A better way would be to have the [always encrypted!] data on an SSD drive and short the notebook battery to the flash chips in a way that would destroy them beyond recovery. That’s a very nice way to wipe data, as it only requires a mosfet and can be used to burn the motherboard too, flipping the finger to the thief that will not be able to resell your notebook anymore.

    Reply
  12. Tomi Engdahl says:

    Chinese ad firm pwns Android users, creates hijackable global botnet
    Horrid marketing outfit roots user phones, exposes devices to malware hell
    http://www.theregister.co.uk/2015/09/23/chinese_ad_firm_pwns_android_users_creates_hijackable_global_botnet/

    A Chinese advertising company has infected and ‘completely’ hijacked likely hundreds of thousands of Android handsets with an attack so careless it exposes a global botnet to easy hijacking and opens handsets to total compromise by any malware.

    FireEye (yet again, these guys need to get some sleep) researchers Yulong Zhang, Zhaofeng Chen, and Yong Kang say Chinese marketing company Xinyinhe which promotes itself as a big player in the app advertising game is behind the attack.

    They didn’t tag the number of infected devices, but Xinyinhe claims to have ‘customers’ in 50 countries and be valued as of November at $100 million after it received some $20 million in seed funding in 2013.

    The trio say the attack builds its network of customers by tricking them into installing malware that gains root access on some 308 different handsets running virtually all versions of the Android operating system from Gingerbread (2.3.4) to the latest stable Lollipop (5.1.1) build.

    These victims are enslaved into a “very large” global botnet that incredulously uses plain text for command and control communications allowing “anyone” to hijack it.

    Once infected the malware will install legitimate but booby trapped applications without user consent, automatically clicking installation and permission warning prompts.

    It installs a backdoor and maintains persistence on devices, and opens its attack vector to compromise by third party malware.

    “Any affected user may have inadvertently compromised their user credentials for some online services [and should] change their passwords for any online services such as iTunes, online banking, email, and work accounts.”

    The trio says the attackers are so careless that the infected apps, which have “full control” root access to phones, will allow any malware to share that privileged access.

    So far some 300 infected apps have been discovered i

    Guaranteed Clicks: Mobile App Company Takes Control of Android Phones
    https://www.fireeye.com/blog/threat-research/2015/09/guaranteed_clicksm.html

    First, the malicious adware collects and uploads device information to its remote servers. It iterates the following domains and posts data once a connection is established:

    aedxdrcb.com
    hdyfhpoi.com
    syllyq1n.com
    wksnkys7.com

    Next, it downloads an APK from the following URL and dynamically loads logic to execute:

    Now that the app has full control of the phone, it can use the victim’s phone for any purpose. The app never mounts the /system back to read-only, and allows anyone to invoke its root backdoor to obtain root privilege. Any other attackers landing on the same victim phone can control or make permanent damages to the phone. All communications use HTTP, so anyone can hijack the connection and take over the control of this large botnet.

    This evidence points to the Chinese mobile ad promotion company, xinyinhe (with their official website hosted at http://www.xinyinhe.com and http://www.ngemobi.com. The first website was taken down before we wrote this blog, and the second got taken down while drafting this post).

    Conclusion

    This is a worldwide, spreading malicious adware family with a high threat, likely controlled by a Chinese organization. We suggest that you:

    Never click on suspicious links from emails/SMS/websites/advertisements.
    Don’t install apps outside the official app store.
    Keep Android devices updated to avoid being rooted by publicly known bugs. (Note: The malware cannot root devices with Android OS 5.0 and above, as of now. However, because the root program is downloaded at runtime, we cannot rule out the possibility that the attackers can enhance the root programs. So, upgrading to the latest version of the OS will provide some security but is not a guarantee that you will remain completely safe from this malware.)

    Reply
  13. Tomi Engdahl says:

    UK.gov creates £500K fund to help universities teach cyber skills
    Switch off Countdown and protect yourselves, and us
    http://www.theregister.co.uk/2015/09/23/cyber_skills_fund_security_universities/

    The UK government is putting up a £500,000 fund to develop cyber security skills within universities and colleges, essentially helping them construct innovative teaching methods to provide the skills needed to protect the UK from hackers, malware and other information security threats.

    The Higher Education Academy will administer the scheme.

    More than 1,000 businesses have now adopted Cyber Essentials – the UK government-backed scheme which protects businesses against the most common threats on the internet.

    It sets out five technical controls which will protect firms against the majority of internet threats, such as viruses, malware, and hacking.

    “Trust and confidence in UK online security is crucial for consumers, businesses and investors,” Vaizey told delegates to the Financial Times Cyber Security Europe Summit. “We want to make the UK the safest place in the world to do business online and Cyber Essentials is a great and simple way firms can protect themselves.”

    Reply
  14. Tomi Engdahl says:

    Hack Brief: Mobile Manager’s Security Hole Would Let Hackers Wipe Phones
    http://www.wired.com/2015/09/hack-brief-popular-mobile-phone-manager-open-lock-wipe-hacks/

    Remote management systems for mobile phones are supposed to make it easy for companies to wipe a device clean if it gets lost or stolen. But a vulnerability discovered in a popular remote management system used by thousands of businesses to manage employee mobile phones would allow an attacker to wipe a CEO’s phone clean, steal the phone’s activity log, or determine the executive’s location, researchers say.

    The Hack

    The hack involves an authentication bypass vulnerability in SAP AG’s Afaria mobile management system used by more than 6,300 companies. Ordinarily, system administrators send a signed SMS from an Afaria server to lock or unlock a phone, wipe it, request an activity log, block the user, disable the Wi-Fi or obtain location data. But researchers at ERPScan found that the signature is not secure.

    The signature uses a SHA256 hash composed from three different values: the mobile device ID, or IMEI; a transmitter ID, and a LastAdminSession value.

    The only thing the hacker needs to direct the attack, then, is someone’s phone number and IMEI

    Who’s Affected?

    Because the vulnerability is in the management system, not a phone’s operating system, it affects all mobile operating systems used with the Afaria server—Windows Phone, Android, iOS, BlackBerry and others. Afaria is considered one of the top mobile device management platforms on the market, and ERPScan estimates that more than 130 million phones would be affected by the vulnerability.

    “The administrators usually don’t apply patches especially with SAP [systems] because it can affect usability,” he notes. “So what we see in the real environment is, we see vulnerabilities that were published three years ago but are still in the system [unpatched]. They really need to implement these patches.”

    The vulnerability is somewhat similar to the recent Stagefright security hole that hit Android in that both attacks involve sending a text message to a phone.

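As an added illustration of the weakness the article describes (this is example code written for this page, not Afaria's or ERPScan's code; the field encoding, the separator and the whole keyed alternative are my assumptions): a "signature" that is only a SHA-256 over values an attacker can learn is recomputable by anyone, whereas an HMAC under a key shared between server and device at enrollment, with a per-message nonce, cannot be forged or replayed without the key.

```python
import hashlib
import hmac
import secrets

# Constructed sample values for the demonstration; not real device or server data.
IMEI = "356938035643809"
TRANSMITTER_ID = "afaria-srv-01"
LAST_ADMIN_SESSION = "2015-09-21T10:15:00Z"


def weak_signature(imei: str, transmitter_id: str, last_admin_session: str) -> str:
    """Unkeyed SHA-256 over the three values the article names.

    The exact encoding is an assumption; the point is that no secret is mixed in,
    so anyone who knows the inputs can produce a signature the device accepts.
    """
    data = f"{imei}|{transmitter_id}|{last_admin_session}".encode()
    return hashlib.sha256(data).hexdigest()


def weak_verify(sig: str, imei: str, transmitter_id: str, last_admin_session: str) -> bool:
    """Device-side check of the unkeyed scheme."""
    expected = weak_signature(imei, transmitter_id, last_admin_session)
    return hmac.compare_digest(sig, expected)


def attacker_forges_weak(imei: str, transmitter_id: str, last_admin_session: str) -> bool:
    """Attacker holding only public or observable values: the forged signature passes."""
    forged = hashlib.sha256(
        f"{imei}|{transmitter_id}|{last_admin_session}".encode()
    ).hexdigest()
    return weak_verify(forged, imei, transmitter_id, last_admin_session)


# Hardened alternative (my design, not Afaria's): HMAC under a per-device key that the
# server and the device share from enrollment, binding the command and a fresh nonce.

def make_device_key() -> bytes:
    """Key provisioned to one device at enrollment (assumed mechanism)."""
    return secrets.token_bytes(32)


def keyed_signature(key: bytes, imei: str, command: str, nonce: str) -> str:
    data = f"{imei}|{command}|{nonce}".encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


class DeviceVerifier:
    """Device-side verifier for the keyed scheme; remembers nonces to reject replays."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._seen_nonces = set()

    def accept(self, sig: str, imei: str, command: str, nonce: str) -> bool:
        if nonce in self._seen_nonces:
            return False                      # replayed command SMS
        expected = keyed_signature(self._key, imei, command, nonce)
        if not hmac.compare_digest(sig, expected):
            return False                      # wrong key or tampered fields
        self._seen_nonces.add(nonce)
        return True


def attacker_forges_keyed(verifier: DeviceVerifier, imei: str) -> bool:
    """Attacker without the device key (a guessed key stands in for any wrong key)."""
    guessed_key = b"\x00" * 32
    nonce = "attacker-nonce-1"
    sig = keyed_signature(guessed_key, imei, "WIPE", nonce)
    return verifier.accept(sig, imei, "WIPE", nonce)


def legitimate_lock(verifier: DeviceVerifier, key: bytes, imei: str) -> tuple:
    """Server sends one genuine LOCK; the same message replayed must be rejected."""
    nonce = secrets.token_hex(16)
    sig = keyed_signature(key, imei, "LOCK", nonce)
    first = verifier.accept(sig, imei, "LOCK", nonce)
    replay = verifier.accept(sig, imei, "LOCK", nonce)
    return first, replay


if __name__ == "__main__":
    print("weak scheme forged:", attacker_forges_weak(IMEI, TRANSMITTER_ID, LAST_ADMIN_SESSION))
    key = make_device_key()
    dev = DeviceVerifier(key)
    print("keyed scheme forged:", attacker_forges_keyed(dev, IMEI))
    print("genuine lock accepted, replay accepted:", legitimate_lock(dev, key, IMEI))
```

The check a practitioner wants to make of any "signed SMS" management channel is the one the first half of the block performs: write down every input to the signature and ask which of them an outsider cannot obtain. If the answer is none, the hash is an integrity check against line noise, not authentication.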
  15. Tomi Engdahl says:

    Security firm pledges $1 million bounty for iOS jailbreak exploits
    Eye-popping price tag reflects growing value of top-tier exploits.
    http://arstechnica.com/information-technology/2015/09/security-firm-pledges-1-million-bounty-for-ios-jailbreak-exploits/

    A broker of software attacks that exploit vulnerabilities in widely used software is placing a $1 million bounty on critical iOS bugs that allow hackers to remotely commandeer iPhones and iPads.

    “Apple iOS, like all operating system(s), is often affected by critical security vulnerabilities,” officials with the Zerodium bug broker said in blog post published Monday that announced the hefty reward. “However, due to the increasing number of security improvements and the effectiveness of exploit mitigations in place, Apple’s iOS is currently the most secure mobile OS. But don’t be fooled, secure does not mean unbreakable. It just means that iOS has currently the highest cost and complexity of vulnerability exploitation and here’s where the Million Dollar iOS 9 Bug Bounty comes into play.”

    Under the program, Zerodium is prepared to pay a total of $3 million for remote iOS exploits that give attackers complete control over a vulnerable device. Zerodium will pay $1 million to each person or team who creates and submits an exclusive browser-based attack that works on the latest-available version of the operating system.

    The entire exploit process must be achievable remotely, reliably, surreptitiously, and without requiring any user interaction beyond browsing to a website or reading a text message.

    ZERODIUM iOS 9 BOUNTY
    https://www.zerodium.com/ios9.html

  16. Tomi Engdahl says:

    Bogus hotel-booking sites lure 15 million travelers a year, group says
    http://www.latimes.com/business/la-fi-bogus-hotel-booking-sites-20150918-story.html

    About 6% of U.S. travelers — 15 million people — are tricked each year into thinking they are booking a room directly through a hotel website but instead are making reservations through a “rogue” third-party site.

    That is one of the findings of a survey by the American Hotel & Lodging Assn., which has been warning travelers to be on the lookout for online hotel-booking scams.

    “These findings clearly show that online hotel-booking scams have eroded consumer confidence among third-party vendors,” said Katherine Lugar, president and chief executive of the lodging association.

    The survey of more than 1,000 adults found that 6% of respondents said they have made hotel reservations thinking they were booking directly with a hotel, but later discovered they had logged into a third-party site.

    When travelers don’t book directly with a hotel, they may not get the room they reserved, may be charged hidden fees, may not accumulate loyalty reward points and may have their identity stolen, according to the lodging association.

  17. Tomi Engdahl says:

    People emit a ‘germ cloud’ of bacteria as unique as a fingerprint, study finds
    The bacterial ‘aura’ surrounding our bodies can be traced back to us in lab tests
    http://www.telegraph.co.uk/news/health/11883473/People-emit-a-germ-cloud-of-bacteria-as-unique-as-a-fingerprint-study-finds.html

    We are all surrounded by our own ‘germ’ cloud, as unique as a fingerprint, that could be used by police to identify murderers, scientists have found.

    Each of us gives off millions of bacteria from our human microbiome into the air around us every day, and that cloud of bacteria can be traced back to us in lab tests.

    The findings could help explain the mechanisms involved in the spread of infectious diseases in buildings.

    It might also help forensic scientists identify or determine where a person has been.

    It is known how humans “contaminate” surfaces through touch and spread pathogens through the air, but little was understood about the personal microbial cloud – the airborne microbes we emit into the air.

    Now researchers at the University of Oregon have demonstrated the extent to which humans possess a unique “microbial cloud signature.”

    Most of the occupants sitting alone in the chamber could be identified within four hours just by the unique combinations of bacteria in the surrounding air, the findings published in the journal PeerJ revealed.

  18. Tomi Engdahl says:

    Apple XcodeGhost Malware More Malicious Than Originally Reported
    http://apple.slashdot.org/story/15/09/22/1657211/apple-xcodeghost-malware-more-malicious-than-originally-reported

    Details were scant when Apple confirmed the XcodeGhost malware had infiltrated the iOS App Store. The company didn’t say which specific iOS vulnerabilities were exposed and didn’t indicate how its iPhone users were affected. However, a Palo Alto Networks security analyst is reporting that XcodeGhost had been used to phish for iCloud passwords, and more specific details are emerging.

    Update: XcodeGhost Attacker Can Phish Passwords and Open URLs through Infected Apps
    http://researchcenter.paloaltonetworks.com/2015/09/update-xcodeghost-attacker-can-phish-passwords-and-open-urls-though-infected-apps/

  19. Tomi Engdahl says:

    Morgan Stanley Employee Pleads Guilty In Data Breach Case
    http://yro.slashdot.org/story/15/09/22/1910248/morgan-stanley-employee-pleads-guilty-in-data-breach-case

    A former Morgan Stanley financial adviser who was fired in connection with a major breach of client information pleaded guilty to accessing client data and taking it home with him. A

    Morgan Stanley Employee Pleads Guilty in Data Breach Case
    http://www.miltonstart.com/blog/2015/09/22/morgan-stanley-employee-pleads-guilty-in-data-breach-case/

    A Morgan Stanley employee who was fired in connection with a data breach at the company, pleaded guilty Monday to downloading hundreds of thousands of confidential customer account data.

    The defense tells a different story. According to Robert Gottlieb, Marsh’s attorney, he had nothing to do with posted data. 900 accounts were published online, but the defense claims that was a separate incident that should be blamed on hackers. Marsh transferred the 730,000 accounts to his home computer between 2011 and 2014, but claims that he did not post any of them online.

  20. Tomi Engdahl says:

    CIA Details Agency’s New Digital and Cyber Espionage Focus
    http://it.slashdot.org/story/15/09/22/2154240/cia-details-agencys-new-digital-and-cyber-espionage-focus

    October 1, the Central Intelligence Agency will add a new directorate that will focus on all things cyber and digital espionage. The CIA’s Deputy Director David Cohen told a Cornell University audience last week that once the new Directorate of Digital Innovation (DDI) is up and running ”

    CIA details agency’s new digital and cyber espionage focus
    CIA Directorate of Digital Innovation opens for business Oct. 1
    http://www.networkworld.com/article/2985246/security/cia-details-agency-s-new-digital-and-cyber-espionage-focus.html

    It seems like it might be about 10 years too late to the party, but come October 1, the Central Intelligence Agency will add a new directorate that will focus on all things cyber and digital espionage.

    The CIA’s Deputy Director David Cohen told a Cornell University audience last week that once the new Directorate of Digital Innovation (DDI) is up and running “it will be at the center of the Agency’s effort to inject digital solutions into every aspect of our work. It will be responsible for accelerating the integration of our digital and cyber capabilities across all our mission areas—human intelligence collection, all-source analysis, open source intelligence, and covert action.”

  21. Tomi Engdahl says:

    iOS 9 security flaw lets anyone access your photos and contacts
    Uh oh
    http://www.theinquirer.net/inquirer/news/2427278/ios-9-security-flaw-lets-anyone-access-your-photos-and-contacts

    A ‘SERIOUS’ SECURITY FLAW has been discovered in iOS 9 that allows anyone to bypass the iPhone’s lock screen to gain access to users’ personal data.

    YouTube user ‘videosdebarraquito’ spread word of the flaw, and showed how easily it can be executed on video (below).

    To replicate, simply enter four different incorrect passcodes, and – carefully so as not to temporarily lock yourself out of iOS 9 – enter three digits of the fifth. Then, hold down the home button to fire up Siri as you enter the fourth.

    With Siri activated, anyone is able to access the Contacts and Photos on the device, even though the handset is still technically locked.

    If you’re anything like us you probably don’t like the idea of anyone being able to access your private photos, so thankfully, it’s quite easy to prevent. All you have to do is disable access to Siri while the phone is locked

    “Apple iOS, like all operating systems, is often affected by critical security vulnerabilities, however due to the increasing number of security improvements and the effectiveness of exploit mitigations in place, Apple’s iOS is currently the most secure mobile OS,” said the firm in a blog post.

    Beware! iOS 9 & iOS 9.0.1 – Security Flaw – Passcode Bypass. Turn Off Siri on Lockscreen to be Safe.
    https://www.youtube.com/watch?v=_giVIDKwRr4

  22. Tomi Engdahl says:

    Huge iOS 9 security flaw lets anyone see your photos and contacts without a PIN – here’s how to stop it
    http://bgr.com/2015/09/23/ios-9-security-flaw-photos-contacts-siri/

    There’s a lot to love in Apple’s newly released iOS 9 software. We told you about all of iOS 9’s best new features in an earlier article, and we also showed you 25 great hidden iOS 9 features that you really need to know about.

    Now, it’s time to discuss iOS 9’s worst new feature: A major security flaw.

    According to Apple, more than 50% of iPhone and iPad users have already upgraded to iOS 9, which was released to the public just last week.

    YouTube user “videosdebarraquito” contacted BGR via email to draw our attention to a major flaw in Apple’s new mobile software. BGR has since been able to reproduce the resulting hack ourselves on multiple iPhone 6 handsets. The security hole allows people to use Siri to access an iPhone owner’s private data, and it is painfully easy to exploit.

  23. Tomi Engdahl says:

    Bitcoin Ponzi scheme operator pleads guilty to securities fraud
    He only made out with around $165,000
    http://www.theverge.com/2015/9/21/9367707/bitcoin-ponzi-scheme-operator-pleads-guilty

    Trendon Shavers pleaded guilty today to operating a Ponzi scheme using the virtual currency bitcoin. The 33-year-old McKinney, Texas native started his own company, Bitcoin Savings & Trust, in 2011 and used it to collect bitcoins from prospective investors over the internet, claiming he would pay investors 1 percent interest on their investment every three days, or 7 percent a week. Instead, Shavers used most of the bitcoins to pay back older investors — a hallmark Ponzi scheme maneuver — while spending the rest

    Shavers amassed more than 750,000 bitcoins worth around $4.5 million when he stopped paying back investors and abruptly shut down Bitcoin Savings & Trust in 2012, inciting backlash from unpaid investors and eventually a SEC investigation

    Because of bitcoin’s volatility as a digital currency, Shavers’ scheme cost investors more like $150 million, leading the SEC to settle on a price point somewhere in the middle to account for the exchange rate fluctuations.

    Prosecutors said Shavers controlled around 7 percent of all public bitcoins at the peak of his operation and misappropriated nearly 150,000 of them, netting himself $164,758.

  24. Tomi Engdahl says:

    Windows PCs Make Up 80% Of Mobile Network Infections
    http://www.eetimes.com/author.asp?section_id=36&doc_id=1327776&

    Microsoft Windows PCs — not smartphones and tablets — harbor most of the malware on mobile networks, according to a new Alcatel-Lucent report.

    Mobile devices are the least of your worries in a mobile network: Windows PCs are responsible for 80% of all malware infections on today’s mobile infrastructure, new data shows.

    Alcatel-Lucent’s Motive Security Labs this week published its findings from the first half of 2015, showing that the overall infection rate for mobile devices had declined from 0.68% to 0.50% from January to April of this year. Then it spiked to 0.75% in late June, thanks in part to the main source of malware on a mobile network — Windows PCs tethered to mobile WiFi devices, hotspots, and smartphones getting hit mainly with malicious adware.

    The report is yet another reality check on mobile security, indicating that the bad guys still prefer infecting pervasive and often vulnerable Windows machines over smartphones, despite worries over mobile devices being targeted and a rise in mobile malware.

    Windows PCs Make Up 80% Of Mobile Network Infections
    http://www.darkreading.com/mobile/windows-pcs-make-up-80–of-mobile-network-infections/d/d-id/1322245?

  25. Tomi Engdahl says:

    SCADA Vulnerability on the Rise
    http://www.eetimes.com/document.asp?doc_id=1327785&

    Industrial control systems (ICS), including supervisory control and data acquisition (SCADA) systems, are increasingly at risk of cyber-attack, recent security reports have revealed. Both the capabilities to attack such systems and the number of attacks recorded are on the rise. And the rise of the Industrial Internet of Things (IIoT) will only make things worse.

    The recent report Up and to the Right from threat intelligence company Recorded Future, shows the number of reported security vulnerabilities for ICS systems has grown steadily since 2011 (post STUXNET) and shows no sign of slowing. At the same time, as reported by researchers and industry watchers, the number of “exploits” available for those vulnerabilities has also grown, the report said.

    In its annual Threat Report for 2015, Dell Security reported that the number of reported attacks on SCADA systems worldwide had doubled last year, from 163,228 in 2013 to 675,186 in 2014. Nearly a quarter of these exploited buffer overflow vulnerabilities. The actual number may be much higher, however, as many SCADA attacks go unreported, the report adds, noting that companies are only required to report data breaches that involve personal or payment information.

    Web Data Reveals ICS Vulnerabilities Increasing Over Time
    https://www.recordedfuture.com/ics-scada-report/

    What we found was a worrying trend of ICS exploits available and ready to be exploited.

  26. Tomi Engdahl says:

    Does IoT Data Need Special Regulation?
    http://news.slashdot.org/story/15/09/24/0136258/does-iot-data-need-special-regulation

    As part of the UK’s Smart Meter Implementation Programme, Spain’s Telefonica is deploying an M2M solution, using its own proprietary network, to collect and transmit data from 53 million gas and electricity smart meters. The most troubling issue is that the UK government awarded the contract to a private telecom that uses a proprietary network rather than to an independent organization that uses freely available spectrum and open source solutions. Those smart meters are supposed to be in operation for more than three decades, and rely on a network that can cease to exist.

    Does IoT Data Need Special Regulation?
    http://www.citiesofthefuture.eu/does-iot-data-need-special-regulation/

    Do you know that one telecom will collect, consolidate, and transmit, using its own M2M network, two-thirds of the smart meter data in the UK? What assurance do users have that their data, which can be collected several times a day, does not end up being misused without their knowledge?

    Computers, smartphones, tablets, wearables — indeed anything with a CPU — produce data as a natural by-product. Even sensors, feature phones, and connected devices produce data. By 2020, studies project that more than 60 billion devices will be connected.

    All that data gets collected somewhere. The question is who gets the right to access and analyse it. Data collected through computers and phones, for instance, are subject to limited regulation. But data collected through IoT devices are still part of the Wild West.

    One example is connected smart meters. Last week, I saw a demonstration at the IoT Solutions World Congress in Barcelona where all data from the water, electricity and gas usage of a home could be consolidated in a small box and transmitted together using WiFi or a cellular network.

    In fact, Telefonica in the UK is deploying a similar solution involving gas and electricity meters as part of the UK’s Smart Meter Implementation Programme, and will connect 53 million meters, at 30 million domestic and smaller non-domestic properties by 2020, at two-thirds of the UK market.

    But who controls all the data that Telefonica collects?

    But perhaps what’s more troubling is that Telefonica is using proprietary hardware and software to manage the meters and collect the data; M2M services require a network designed for purpose. So why has the UK government awarded the contract to a private telecom that uses a proprietary network rather than to an independent organization that uses freely available spectrum and open source solutions?

    This topic of privacy and who owns the data has been at the top of the agenda of every IT conference I have attended in the last few years. The questions of data ownership, the right to delete and “be forgotten”, and the price we pay for so called “free internet services” are always part of a heated debate.

    “The people who have the most valuable data are the banks, the telephone companies, the medical companies, and they’re very highly regulated industries. As a consequence they can’t really leverage that data the way they’d like to unless they get buy-in from both the consumer and the regulators.”

    By contrast, Internet giants like Google and Facebook operate in a largely unregulated environment. “They’re slowly, slowly coming around to the idea that they’re going to have to compromise on” issues of data control, says Professor Pentland.

    This is where the regulators come in. The European Union is taking an active role in protecting its citizens’ privacy, perhaps because it has little faith that the industry will regulate itself.

    But the explosion of connected devices, especially IoT ones that collect people’s data, is creating an Orwellian state, where all our activities are constantly monitored, analyzed and archived for further cross-reference. Many experts and organizations are already warning people about the dangers of sharing information they may not want exposed in the future.

  27. Tomi Engdahl says:

    Slow Internet led to the App Store disaster

    Apple has run into a significant iOS security incident. A tampered version of the Xcode software used by application developers infected numerous applications in the official App Store.

    It was the first serious malware incident in the App Store, and it touched hundreds of millions of iPhones.

    In China, local developers have often downloaded Xcode from local sources, because Apple’s US servers are too slow. The tampered version spread through such sources.

    Apple plans to make sure that Chinese application developers do not need to resort to unofficial sources to download essential software.

    Source: http://www.digitoday.fi/tietoturva/2015/09/23/hidas-netti-johti-app-store–katastrofiin/201512331/66?rss=6

  28. Tomi Engdahl says:

    Privacy, net neutrality, security, encryption … Europe tells Obama, US Congress to back off
    Letter from 50 MEPs stresses EU will decide own laws, thanks
    http://www.theregister.co.uk/2015/09/23/european_politicians_to_congress_back_off/

    A letter sent to the US Congress by over 50 members of the European Parliament has hit back at claims of “digital protectionism” emanating from the United States.

    Sent on Wednesday, the letter [PDF] takes issue with criticisms from President Obama and Congress over how the EU is devising new laws for the digital era.

    Statement on ‘digital protectionism’
    http://www.marietjeschaake.eu/wp-content/uploads/2015/09/2015-09-22-MEPs-Statement-on-Digital-Protectionism.pdf

    As Members of European Parliament we are surprised and concerned about the strong
    statements coming from US sources about regulatory and legislative proposals on the digital agenda for the EU. While many of these are still in very early stages, President Obama spoke of ‘digital protectionism’, and many in the private sector echo similar words.

  29. Tomi Engdahl says:

    Security is an Important Coding Consideration Even When You Use Containers (Video)
    http://developers.slashdot.org/story/15/09/23/184233/security-is-an-important-coding-consideration-even-when-you-use-containers-video?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29

    Last month Tom Henderson wrote an article titled Container wars: Rocket vs. Odin vs. Docker. In that article he said, “All three are potentially very useful and also potentially very dangerous compared to traditional hypervisor and VM combinations.”

  30. Tomi Engdahl says:

    Charlie Osborne / ZDNet:
    Trend Micro report finds hacking or malware behind 25% of data breaches in last ten years, payment card data breaches up 169% in past five years

    The price of your identity in the Dark Web? No more than a dollar
    http://www.zdnet.com/article/the-price-of-your-identity-in-the-dark-web-no-more-than-a-dollar/

    If you or your company is a victim of cyberattack, where does this stolen data go, and to what purpose?

    Stolen data is a hot commodity in the Internet underground — but how much it goes for might be a surprise.

    Data breaches are becoming a weekly part of the news cycle, and are so common that the idea of our data being lost by the companies which collect it, while still distressing, is not as much of a surprise as it used to be.

    The recent Ashley Madison and Hacking Team data breaches reveal just how damaging these kinds of cyberattacks can be, with millions of user accounts compromised, intellectual property leaked and the private details of both user and executive spewed onto the web.

    In Trend Micro’s new report, dubbed “Understanding Data Breaches,” the security firm explores who is most often targeted in data breaches, how they take place, and what happens to data once it leaves corporate networks.

    Using the Privacy Rights Clearinghouse (PRC)’s Data Breaches database, Trend Micro found that hacking or malware was behind only 25 percent of data breach incidents from 2005 to April this year. Insiders are also a common cause of data loss, and the use of physical skimming devices and the loss or theft of devices including laptops, flash drives and physical files were also found to be root causes of damaging data breaches.

    Payment service providers are a hot target for hackers these days, with an increase in card-related data breach reports of 169 percent over the past five years. Cybercriminals can steal data through card skimming, making a rub off cards, rigging ATMs with skimmer devices or cameras and modifying point-of-sale (PoS) terminals. Interestingly, hardware keyloggers installed on cash registers have also entered as a data theft tactic.

    However, the healthcare industry is now the most affected by data breaches, followed by government, retail and the education sectors.

    Stolen data for sale is easy to find. Accounts belonging to US mobile operators can be purchased for as little as $14 each, while compromised eBay, PayPal, Facebook, Netflix, Amazon and Uber accounts are also for sale.

    Compromised Uber accounts are in high demand in the underground, as they can be fraudulently charged and give users free rides.

    Bank account details, naturally, are offered for a steeper price of between $200 and $500 per account — the higher the available balance, the more they are sold for.

    When it comes to PII, sales are conducted on a per-line basis of approximately $1. Each line of data contains a name, a full address, a date of birth, a Social Security number, and other personally identifiable information.

    Document scans of passports, driver’s licenses and utility bills, among others, are available for purchase from $10 to $35 per document.

  31. Tomi Engdahl says:

    Meet GreenDispenser: A New Breed of ATM Malware
    https://www.proofpoint.com/us/threat-insight/post/Meet-GreenDispenser

    On the heels of recent disclosures of ATM malware such as Suceful [1], Plotus [2] and Padpin [3] (aka Tyupkin), Proofpoint research has discovered yet another variant of ATM malware, which we have dubbed GreenDispenser.

    GreenDispenser provides an attacker the ability to walk up to an infected ATM and drain its cash vault. When installed, GreenDispenser may display an ‘out of service’ message on the ATM — but attackers who enter the correct PIN codes can then drain the ATM’s cash vault and erase GreenDispenser using a deep delete process, leaving little if any trace of how the ATM was robbed.

    Initial malware installation likely requires physical access to the ATM, raising questions of compromised physical security or personnel. Once installed, GreenDispenser is similar in functionality to Padpin but does exhibit some unique functionality, such as date limited operation and a form of two-factor authentication.

    Conclusion

    ATM malware continues to evolve, with the addition of stealthier features and the ability to target ATM hardware from multiple vendors. While current attacks have been limited to certain geographical regions such as Mexico, it is only a matter of time before these techniques are abused across the globe. We believe we are seeing the dawn of a new criminal industry targeting ATMs with only more to come. In order to stay ahead of attackers, financial entities should reexamine existing legacy security layers and consider deploying modern security measures to thwart these threats.

  32. Tomi Engdahl says:

    Yahoo! Gits! Web! Security! Scanner!
    Want to scan a million pages? Here’s how
    http://www.theregister.co.uk/2015/09/25/yahooii_gitsii_webii_securityii_scannerii/

    Yahoo! has opened the kimono on a project it hopes will make the Web that little bit safer for everyone, Project Gryffin.

    The project’s so new, its to-do list includes “Link to news/finance scan video” – and, El Reg would add, someone might go over the project’s GitHub page with an editor’s pencil in hand.

    The company describes the project as a large scale Web security platform designed to solve two specific problems: coverage, and scale.

    During crawl, Gryffin’s designed to see as much of a Web app’s footprint as possible, while during fuzzing, the challenge is to test “each part of the application for [an] applied set of vulnerabilities”.

    The crawler is designed to discover the “millions of URLs” that might be generated by a single template from just one of the URLs. There’s also a de-duplication engine, and PhantomJS is used to handle DOM rendering in client-side JavaScript apps.

    A combination of open source and custom fuzzers are used in Gryffin, Yahoo! says, hinting that some of its own work might turn up in the code base in the future.

    https://github.com/yahoo/gryffin

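A concrete sketch of what the crawl de-duplication step described above has to do, as an added example written for this page rather than Gryffin's own code: the excerpt does not say how Gryffin decides that two URLs came from the same template, so the heuristic below (placeholders for identifier-looking path segments, and a template keyed on the set of query parameter names) is my own, and the sample crawl output is constructed.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample crawl output: one article template (with two different parameter
# sets), one user-profile template with hex identifiers, and one search template.
SAMPLE_URLS = [
    "https://news.example.com/article/1001?ref=home",
    "https://news.example.com/article/1002?ref=home",
    "https://news.example.com/article/1003?ref=side&utm=x",
    "https://news.example.com/user/5f3c1a2b9e0d?tab=posts",
    "https://news.example.com/user/7a9b0c1d2e3f?tab=about",
    "https://news.example.com/search?q=foo",
    "https://news.example.com/search?q=bar",
]

_NUMERIC = re.compile(r"^\d+$")
_HEXID = re.compile(r"^[0-9a-fA-F]{8,}$")


def _normalise_segment(segment: str) -> str:
    """Replace identifier-looking path segments with placeholders."""
    if _NUMERIC.match(segment):
        return "{int}"
    if _HEXID.match(segment):
        return "{hex}"
    return segment


def url_template(url: str) -> tuple:
    """Template key: scheme, host, placeholder path and the set of parameter names.

    Parameter values are dropped on purpose: which names are present usually selects
    the server-side code path, while the values are what the fuzzer will mutate anyway.
    """
    parts = urlsplit(url)
    path = "/".join(_normalise_segment(s) for s in parts.path.split("/"))
    names = tuple(sorted({k for k, _ in parse_qsl(parts.query, keep_blank_values=True)}))
    return (parts.scheme.lower(), parts.netloc.lower(), path, names)


class TemplateDeduper:
    """Keeps the first URL seen for each template and counts how many it absorbed."""

    def __init__(self) -> None:
        self._first = {}    # template -> representative URL
        self._count = {}    # template -> number of URLs that mapped to it

    def should_fuzz(self, url: str) -> bool:
        key = url_template(url)
        self._count[key] = self._count.get(key, 0) + 1
        if key in self._first:
            return False
        self._first[key] = url
        return True

    def representatives(self) -> list:
        return list(self._first.values())

    def absorbed(self) -> dict:
        """Representative URL -> how many crawled URLs it stands for."""
        return {self._first[k]: n for k, n in self._count.items()}


def dedupe(urls) -> list:
    """Return the URLs worth handing to the fuzzer, one per template, in crawl order."""
    deduper = TemplateDeduper()
    return [u for u in urls if deduper.should_fuzz(u)]


if __name__ == "__main__":
    for u in dedupe(SAMPLE_URLS):
        print(u)
```

The trade-off to be aware of is that discarding parameter values also merges requests such as `action=view` and `action=delete`, which may be different code paths; a scanner that cares would keep the values of a short list of enumerated parameter names in the template key. For client-side-rendered applications the URL alone says little, which is why the article notes Gryffin renders the DOM with PhantomJS before deciding what it has seen.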
  33. Tomi Engdahl says:

    Cisco tool IDs malware in the firmware
    Your SYNs, forgiven
    http://www.theregister.co.uk/2015/09/25/cisco_tool_ids_malware_in_the_firmware/

    Cisco’s moved on the “SYNful knock” vulnerability with a free tool letting admins test their routers for fudged firmware.

    The vulnerability emerged in August, when The Borg warned that its ROMMON firmware had been reverse-engineered. That meant a privileged user could flash routers with compromised versions.

    Within a month, it was spotted in the wild.

    The vulnerability got the name “SYNful knock” because the currently-known version of the malware gives a characteristic response to SYN packets.

  34. Tomi Engdahl says:

    Cookies MONSTER your security, even with encryption
    HTTPS is secure, but cookies are rubbish, warns CERT
    http://www.theregister.co.uk/2015/09/25/cookies_monster_your_security/

    A whole lot of work rolling out HTTP security is being undermined by bad browser implementation that facilitates man-in-the-middle attacks.

    CERT has warned that all of the major browser vendors have a basic implementation error that mean “cookies set via HTTP requests may allow a remote attacker to bypass HTTPS and reveal private session information”.

    The problem was first revealed at Usenix, and the good news for users is that the browser makers have now caught up with the problem, so if you’re using the latest versions of Safari, Chrome, IE (11 or later only), Mozilla, Opera or Vivaldi, you’re in the clear.

    Unprotected browsers accept cookies via HTTPS, but they do not check the source of an HTTPS cookie. As the advisory states:

    “A cookie can contain a “secure” flag, indicating that it should be only sent over an HTTPS connection. Yet there is no corresponding flag to indicate how a cookie was set: attackers who act as a man-in-the-middle even temporarily on an HTTP session can inject cookies which will be attached to subsequent HTTPS connections”.

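The injection the advisory describes, replayed against two simulated cookie jars, as an added example that is not part of the CERT advisory or the Register article: the naive jar stores a cookie received over plain HTTP without regard to an existing Secure cookie of the same name and then attaches it to the next HTTPS request; the strict jar applies the "Leave Secure Cookies Alone" rule that browser vendors later adopted, refusing to let a non-secure origin set a Secure cookie or overwrite one. The host names, cookie names and the login flow are constructed, and the jar is simplified to match on host only (real jars also key on domain and path).

```python
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    host: str
    secure: bool          # the "secure" flag the advisory mentions
    set_over_https: bool  # the missing piece: how the cookie was set


def _origin(url: str) -> tuple:
    parts = urlsplit(url)
    return parts.scheme, parts.hostname


class NaiveJar:
    """Jar with the behaviour the advisory describes: a Set-Cookie received over
    plain HTTP replaces any existing cookie of the same name for the host and is
    later attached to HTTPS requests for that host."""

    def __init__(self) -> None:
        self._cookies = {}   # (host, name) -> Cookie

    def set_cookie(self, from_url: str, name: str, value: str, secure: bool = False) -> bool:
        scheme, host = _origin(from_url)
        self._cookies[(host, name)] = Cookie(name, value, host, secure, scheme == "https")
        return True

    def cookies_for(self, url: str) -> dict:
        """Cookies a request to `url` would carry."""
        scheme, host = _origin(url)
        sent = {}
        for (h, name), c in self._cookies.items():
            if h != host:
                continue
            if c.secure and scheme != "https":
                continue                      # Secure cookies are only sent over HTTPS
            sent[name] = c.value
        return sent


class StrictJar(NaiveJar):
    """Adds the 'Leave Secure Cookies Alone' rule: a non-secure origin may neither
    set a cookie carrying the Secure flag nor overwrite an existing Secure cookie."""

    def set_cookie(self, from_url: str, name: str, value: str, secure: bool = False) -> bool:
        scheme, host = _origin(from_url)
        if scheme != "https":
            if secure:
                return False                  # HTTP cannot mint a "Secure" cookie
            existing = self._cookies.get((host, name))
            if existing is not None and existing.secure:
                return False                  # HTTP cannot clobber a Secure cookie
        return super().set_cookie(from_url, name, value, secure)


def session_fixation_via_mitm(jar_cls) -> str:
    """Constructed scenario: which session value reaches the HTTPS site afterwards?"""
    jar = jar_cls()
    # 1. Victim logs in over HTTPS; the site sets a Secure session cookie.
    jar.set_cookie("https://bank.example/login", "session", "victim-session", secure=True)
    # 2. Attacker on the victim's network answers any plain-HTTP request for the host
    #    (e.g. the http://bank.example/ redirect page) with an injected Set-Cookie.
    jar.set_cookie("http://bank.example/", "session", "attacker-session")
    # 3. Victim's next HTTPS request: which value is attached?
    return jar.cookies_for("https://bank.example/account")["session"]


if __name__ == "__main__":
    print("naive jar sends :", session_fixation_via_mitm(NaiveJar))
    print("strict jar sends:", session_fixation_via_mitm(StrictJar))
```

On the server side the companion defence is the `__Secure-` and `__Host-` cookie name prefixes, which a conforming browser only accepts from a secure origin (and, for `__Host-`, only without a Domain attribute and with Path=/), so the site can refuse to trust a session cookie that a plain-HTTP response could have planted.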
  35. Tomi Engdahl says:

    Smartphone passcodes protected by the Fifth Amendment – US court
    Fingerprint mobe locks, however … not so much
    http://www.theregister.co.uk/2015/09/25/us_court_rules_phone_passcodes_are_protected_by_the_fifth_amendment/

    The Feds can’t make suspects give up their company-issued smartphone passcodes because doing so violates the Fifth Amendment of the US Constitution.

    Capital One gave the two staffers smartphones but, as a security measure, let them pick the passcodes themselves. When the duo were fired by their bosses they handed back the mobiles, which the SEC – America’s financial watchdog – wants to access to check for evidence.

    The Pennsylvania court ruled on Wednesday that forcing the pair to unlock the passcode-protected devices would violate their constitutional rights – specifically the Fifth Amendment, which spells out the right against self-incrimination.

    “We find, as the SEC is not seeking business records but defendants’ personal thought processes, defendants may properly invoke their Fifth Amendment right,” the judge wrote in his analysis

    Since there’s no way for the SEC to prove that incriminating documents are on the handsets, the agency can’t force defendants to hand over their codes.

    Oddly enough, this wouldn’t be an issue if the smartphones in question used a fingerprint access system, rather than a passcode. Last year, a court ruled in Virginia that cops could force a suspect to unlock their phone using a fingerprint, since this is no different from being fingerprinted at a police station or giving a DNA swab.

  36. Tomi Engdahl says:

    ‘RipSec’ goes to Hollywood: how the iCloud celeb hack happened
    TV starlet offers iCloud access, photoshopped nudes, to bait voyeur hackers
    http://www.theregister.co.uk/2015/09/25/hollywood_infosec_man_ids_icloud_celeb_hacker_head_reveals_ripsec/

    The chief hacker behind the infamous iCloud celebrity hacks has revealed in a documentary how the group dubbed RipSec shook Hollywood by plundering thousands of naked photos and financial data of Tinsel Town icons.

    The hacker broke silence and spoke to Canadian tech and producer Travis Doering who provides information security consultancy services to film producers, Hollywood stars, and businesses.

    Doering told Vulture South he obtained access to the secretive group and says he was able to establish the real identities of some of the iCloud hackers.

    He says he will not reveal the identities of the hackers.

    That access was obtained in the wake of the celebrity hacks after one major TV star agreed to offer Doering access to her iCloud account. The Register has agreed to suppress the identity of the actress to avoid making her a target of hackers.

    Doering gained access to scuppered crime forums Hell and the RipSec iCloud hacker group where he investigated operational security flaws to discover the real identities of some of the black hats.

    He says there is a lot more sensitive iCloud data on celebrities that was not released. “It is worse, a lot worse,” Doering says.

    Doering says the group was a collective of hackers who plundered iCloud accounts for differing reasons, including blackmail, fraud, and voyeurism, and became a hierarchical group of largely unskilled hackers led by the skilled system administrator.

    In a clip for the as-yet unreleased documentary Doering says an unnamed Canadian TV network was unwilling to run, Blackhat chastises Apple for what he claims are weak security controls including an absence of geographic restrictions.

    Reply
  37. Tomi Engdahl says:

    XcodeGhost-infected apps open gates to malware hijacking
    Easy-access private keys make man-in-the-middle diddle.
    http://www.theregister.co.uk/2015/09/25/xcodeghost_mitm_palo_alto/

    Palo Alto threat bod Claud Xiao says XcodeGhost-infected apps are open to man-in-the-middle attacks and contain a beachhead for other malware writers to attack devices.

    More than 4000 apps have been infected since developers downloaded a malicious copy of the Xcode iOS development tool through a file-sharing service.

    The vulnerability in the infected apps can be exploited on all infected iOS devices.

    Xiao says the DES-ECB-encrypted communication streams between infected apps and the attacker’s command and control servers are poorly encrypted and contain easily-discoverable private keys.

    “XcodeGhost used HTTP to upload information and receive command and control server commands … it’s also not hard to find the encryption key in its code by reverse engineering,”

    Reply
  38. Tomi Engdahl says:

    UK in Frenchy cyber love-in to ward off ‘information bomb’
    Qu’est-ce que la bombe informatique?
    http://www.theregister.co.uk/2015/09/24/uk_in_frenchy_cyber_lovein_to_ward_off_information_bomb/

    The UK’s defence secretary Michael Fallon has announced a cyber love-in with the French to offset the threat of the “information bomb” – whatever that is.

    Fallon was discussing the complexity of the cyber-threat, and the means “to urgently identify ways to safeguard against the threats” at France’s first Cyber Defence Symposium.

    He re-iterated the danger of Russia’s use of cyber-campaigns in order to gain military advantage, and ISIL’s use of it to radicalise individuals and spread misinformation.

    He said Blighty’s cyber-relationship with France is among “our most valued” and will help both nations improve defence of their military IT networks.

    Fallon also said the French and the UK should share information and lessons on how to attract and train cyber-specialists, given the recent “information bomb” resulting in extensive levels of generalised information being made easily accessible.

    Reply
  39. Tomi Engdahl says:

    Americans care more about EU data protection laws than the French
    Fewer than 10 downloads for draft comparison app in France
    http://www.theregister.co.uk/2015/07/31/eu_data_protection_law_comparison_app/

    Around 800 people really do want to compare all the different versions of the EU’s proposed new data protection law.

    On Monday the European Data Protection Supervisor (EDPS) launched an app that allows users to compare the texts proposed by the European Commission, the European Parliament and the council of national ministers, as well as the EDPS’ own suggestions.

    Since then more than 700 users have downloaded it.

    Reply
  40. Tomi Engdahl says:

    You’ve been Drudged! Malware-squirting ads appear on websites with 100+ million visitors
    eBay, Drudge Report, etc inadvertently carry evil adverts
    http://www.theregister.co.uk/2015/08/14/malvertising_expands_drudge/

    Internet lowlifes who used Yahoo! ads to infect potentially countless PCs with malware have struck again – using adverts on popular websites to reach millions more people.

    Security researchers at MalwareBytes this week discovered the crooks running another massive campaign of ads that use the Angler Exploit Kit to infiltrate Windows PCs via vulnerabilities in Adobe Flash and web browsers.

    Prominent websites including the Drudge Report and Weather.com – a pair of sites whose total traffic alone amounts to nearly 200 million visits per month – were apparently inadvertently carrying the ads, putting millions of netizens at risk.

    MalwareBytes said the network carrying the ads, AdSpirit, was notified, and it has since taken down the offending adverts.

    “I think supporting free content is fine but not with the kind of risk it entails. People already hate ads, and we really didn’t need another incentive to block them,” said MalwareBytes senior security researcher Jérôme Segura.

    “The popularity of ad blockers may really force the ad industry’s hand to change how they go about advertising.”

    Reply
  41. Tomi Engdahl says:

    Amar Toor / The Verge:
    Tinder says last year’s partnership with mobile security firm TeleSign has enabled it to reduce spambots by 90%

    Tinder says spam prevention is now ‘priority number one’
    http://www.theverge.com/2015/3/31/8318837/tinder-spam-prevention-telesign-mobile-security

    Dating app credits mobile verification system with 90 percent reduction in spambots

    Tinder’s spam problem is notorious and increasingly complex, but the company claims to have made inroads against it over the past year. Today, the dating app revealed details of a partnership it struck last year with TeleSign, a mobile security and fraud prevention company based in southern California. According to the two companies, TeleSign’s two-step verification system has reduced the number of Tinder spambots by 90 percent since they partnered in early 2014.

    Tinder’s partnership with TeleSign aims to identify and block spammers from the moment they sign up. TeleSign identifies numbers that have a higher risk of being Tinder bots by analyzing their historical data and usage patterns. It may then send text messages to these numbers at Tinder’s request, prompting users to enter a code to prove they’re human. It’s essentially a targeted version of the same two-step authentication process that has become common across many social networks.

    “Ultimately, the mobile phone number has been the most effective way of preventing this type of spam,” says Ryan Disraeli, vice president and co-founder of TeleSign, which counts Evernote and Salesforce among its clients. Red flags include numbers that are cheap or free to acquire, Disraeli adds, including VoIP numbers from services like Google Voice.

    “The spam problem is ever-evolving,” Tinder CTO Ryan Ogle said in a telephone interview, adding that some scammers operate with legitimate phone numbers. “It’s never something that you completely solve.”

    Reply
  42. Tomi Engdahl says:

    Mobile advertising DDoS JavaScript drip serves site with 4.5 billion hits
    http://www.theregister.co.uk/2015/09/28/mobile_malvertiser_ddos_javascript_drip_serves_site_with_45_billion_hits/

    CloudFlare has turned up an unusual form of denial-of-service attack: mobile advertisements that are pumping out around 275,000 HTTP requests per second.

    The cloud outfit didn’t name the victim, but said the Layer 7 HTTP floods hitting the target is the latest example of a once-theoretical attack turning up in the real world.

    London CloudFlare engineer Marek Majkowski says the difficulty in turning HTTP floods into a real attack was overcome using malicious JavaScript in an advertisement.

    “Browser-based L7 floods have been rumored as a theoretical threat for a long time,” Majkowski says.

    “It seems the biggest difficulty is not in creating the JavaScript — it is in effectively distributing it.”

    CloudFlare copped 4.5 billion requests in a day of attacks against a customer domain, originating from around 650,000 unique IP addresses.

    Virtually all traffic came from mobile devices in China.

    Majkowski says a victim’s browser was served an iframe with a malvertiser’s ad attack page that contained malicious JavaScript. The user’s device then launched a flood of XHR requests against CloudFlare servers.

    The attack follows China’s so-called Great Cannon.

    Last week attackers targeted users of 4Chan and 8Chan through JavaScript uploaded via an image to Imgur.

    Reply
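    The browser-driven flood described above is awkward to catch with per-client rate limits: each hijacked mobile browser sends only a handful of XHRs, so no single IP ever looks abusive. The following is an added example written for this page, not CloudFlare’s code or anything from the article: a small Python detector that buckets combined-format access log lines per second and separates a “many clients, few requests each” flood from a single-source flood by the ratio of unique client IPs to requests, while reporting how concentrated the traffic is on one referer and one path (the shared ad-landing iframe and the XHR target are the practical fingerprint). The log lines, the IP addresses (RFC 5737 documentation ranges), the ad-landing referer, the user-agent strings and the thresholds are all constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Combined log format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format access log line; return None for a malformed line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["second"] = rec["ts"].split(" ", 1)[0]   # e.g. 28/Sep/2015:10:00:01 (drop the tz offset)
    rec["path"] = rec["path"].split("?", 1)[0]    # drop cache-busting query strings
    return rec


def analyse(lines, rps_threshold=50, spread_threshold=0.8):
    """Bucket requests per second and classify each second.

    spread = unique client IPs / requests in that second.  A browser-based flood
    (thousands of victims' browsers, each issuing a few XHRs) has spread close to
    1.0, so a per-IP rate limit never fires; the giveaway is raw volume plus one
    shared referer and one target path.  A scripted single-source flood has spread
    close to 0.0 and is caught by an ordinary per-IP limit.
    """
    buckets = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            buckets[rec["second"]].append(rec)

    findings = []
    # Lexical sort is enough here because every constructed line shares day and hour.
    for second in sorted(buckets):
        recs = buckets[second]
        total = len(recs)
        per_ip = Counter(r["ip"] for r in recs)
        referer, ref_n = Counter(r["referer"] for r in recs).most_common(1)[0]
        path, path_n = Counter(r["path"] for r in recs).most_common(1)[0]
        spread = len(per_ip) / total
        verdict = "normal"
        if total >= rps_threshold:
            verdict = "distributed-l7-flood" if spread >= spread_threshold else "single-source-flood"
        findings.append({
            "second": second, "requests": total, "unique_ips": len(per_ip),
            "max_per_ip": max(per_ip.values()), "spread": round(spread, 2),
            "top_referer": referer, "top_referer_share": round(ref_n / total, 2),
            "top_path": path, "top_path_share": round(path_n / total, 2),
            "verdict": verdict,
        })
    return findings


def constructed_log():
    """Synthetic access log built for this example; none of it is captured traffic."""
    ua_mobile = "Mozilla/5.0 (Linux; Android 5.0; SM-G900P) AppleWebKit/537.36 Mobile Safari/537.36"
    ua_desktop = "Mozilla/5.0 (Windows NT 6.1; rv:40.0) Gecko/20100101 Firefox/40.0"
    ad_page = "http://ad-landing.example/frame.html"   # hypothetical malvertising iframe page

    def line(ip, sec, path, referer, ua):
        return (f'{ip} - - [28/Sep/2015:10:00:{sec:02d} +0000] "GET {path} HTTP/1.1" '
                f'200 512 "{referer}" "{ua}"')

    lines = []
    # second 00: ordinary browsing, six clients, varied pages
    for i in range(8):
        lines.append(line(f"198.51.100.{i % 6 + 1}", 0, f"/page/{i}", "http://www.example.com/", ua_desktop))
    # seconds 01-02: 120 requests from 100 distinct mobile clients, all XHRs to one path
    for sec in (1, 2):
        for i in range(120):
            lines.append(line(f"203.0.113.{i % 100 + 1}", sec, f"/api/ping?r={i}", ad_page, ua_mobile))
    # second 03: 80 requests from one scripted client (a classic single-source flood)
    for _ in range(80):
        lines.append(line("192.0.2.7", 3, "/api/ping", "-", "python-requests/2.7"))
    lines.append("garbage line that does not parse")   # exercises the malformed-line path
    return lines


if __name__ == "__main__":
    for finding in analyse(constructed_log()):
        print(finding)
```

    The flood seconds come out with `max_per_ip` of 2 and a spread above 0.8, which is exactly why a per-IP limit would have stayed silent, while `top_referer_share` and `top_path_share` of 1.0 point at the shared ad iframe and the XHR endpoint as the things to block or challenge. Real logs will need the thresholds tuned to the site’s baseline.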
  43. Tomi Engdahl says:

    Businesses Held for Ransom: TorrentLocker and CryptoWall Change Tactics
    http://blog.trendmicro.com/trendlabs-security-intelligence/businesses-held-for-ransom-torrentlocker-and-cryptowall-change-tactics/

    Perpetrators behind ransomware have moved away from targeting consumers and tailored their attacks to extort small and medium-sized businesses (SMBs). This business segment makes a potentially good target for ransomware, since small businesses are less likely to have the sophisticated solutions that enterprises have. At the same time, the owners often have the capacity to pay.

    Moreover, these SMBs are less likely to use comprehensive backup solutions, unlike enterprises, increasing the probability of paying the ransom. Imagine a small company with fewer than 50 employees. Now imagine one of its higher-ups receiving an odd billing statement via email with an innocent-looking URL. They click it and end up with ransomware. Unfortunately, their company doesn’t back up data. As such, the tendency would be to pay the ransom so the business’s files can be saved. Paying to get the files back is likely to encourage cybercriminals to launch more attacks in the future.

    We saw this trend most evident in attacks that used TorrentLocker and CryptoWall— two of the more persistent and high-volume ransomware variants today.

    Based on feedback from our Smart Protection Network™, Australia (31.54%), Italy (26.60%), and Turkey (20.40%) are the top three countries targeted by email messages pointing to TorrentLocker.

    Further evidence of ransomware’s change of focus to business targets can be seen in the evasion techniques used. Some variants of TorrentLocker have self-destruct capabilities to prevent IT personnel from collecting samples and eventually setting up security measures to protect the network. Captcha codes are employed on the landing pages so that automated crawlers and sandboxes have more difficulty identifying the malware samples.

    Another common tactic used by both TorrentLocker and CryptoWall is compromised websites to hide redirections, thus avoiding detection on the infected system.

    It’s interesting to note that TorrentLocker files are commonly downloaded from file storage sites like Yandex Disk and Cubby.com, which hides the malicious files and consequently avoids detection. We also monitored the C&C servers, which we identified as being mostly hosted in Russia, with some in Germany and the Czech Republic. CryptoWall also employed compromised websites.

    TorrentLocker and CryptoWall pose serious risks to a company’s confidential data. However, SMBs can protect their network via vigilance and awareness of such security risks. Something as simple as verifying emails first and checking the reputation of websites before visiting them can go a long way.

    Reply
  44. Tomi Engdahl says:

    AGD: silence about metadata retention plans is about security
    If carriers talk, criminals might hear, apparently
    http://www.theregister.co.uk/2015/09/28/agd_silence_about_metadata_retention_plans_is_about_security/

    The Attorney-General’s Department has told The Register national security considerations lie behind it discouraging telcos and ISPs discussing their data retention plans.

    Last week, The Register reported that the department was telling the sector if companies discussed their data retention implementation plans with other providers, they risked the department revoking approvals they may have received.

    Those approvals may include the AGD granting a provider extra time to come into full compliance with the data retention regime.

    Reply
  45. Tomi Engdahl says:

    The last post: Building your own mail server, Part 3
    Adding some much-needed spam and virus filtering
    http://www.theregister.co.uk/2015/09/26/feature_last_post_build_mailserver_part_3/

    The story so far: Over the last two weeks, I’ve explained how you can set up a mail server to provide you with POP3 and IMAP services, for your own email, with some basic filtering of inbound connections, and the ability to connect to it and send emails from just about anywhere. This week, it’s time to add more serious mail filtering tools to provide better protection against spam and viruses.

    Reply
  46. Tomi Engdahl says:

    Josh Chin / Wall Street Journal:
    Researchers connect hacking activity with Chinese military staffer, providing glimpse inside Beijing’s state-controlled cyberespionage operations

    Cyber Sleuths Track Hacker to China’s Military
    http://www.wsj.com/article_email/cyber-sleuths-track-hacker-to-chinas-military-1443042030-lMyQjAxMTE1NTIzMzkyMzMwWj

    The story of a Chinese military staffer’s alleged involvement in hacking provides a detailed look into Beijing’s sprawling state-controlled cyberespionage machinery

    Reply
  47. Tomi Engdahl says:

    Saudi Arabia: They liked Hacking Team so much they tried to buy the company
    Might be nice to avoid new spy tech export laws
    http://www.theregister.co.uk/2015/09/28/saudi_arabia_hacking_team/

    The Saudi Arabian government came close to buying a majority stake in Italian surveillance software firm Hacking Team last year.

    Wafic Saïd – a UK-based, Syrian-born businessman who is friends with the Saudi royal family – and Ronald Spogli, a former US ambassador to Italy, who indirectly owned a stake in Hacking Team, tried to broker a deal which ultimately fell through in April 2014.

    The putative deal was revealed in leaked emails (available via WikiLeaks) resulting from a wide-ranging breach against Hacking Team back in July.

    Negotiations to sell Hacking Team to Said’s investment company Safinvest began in late 2013. By February 2014, a price of €37m ($42m) had been agreed and plans to rebrand the acquired firm as “Halo” had been drawn up.

    In other emails, Hacking Team chief exec David Vincenzetti expressed support for the idea of setting up a new company outside of Europe and away from the reach of tighter export controls for surveillance technologies due to come with the implementation of the Wassenaar Arrangement.

    Eric Rabe, a spokesman for Hacking Team, told IT World that talks to sell Hacking Team had never been close to completion.

    Reply
  48. Tomi Engdahl says:

    AGD: silence about metadata retention plans is about security
    If carriers talk, criminals might hear, apparently
    http://www.theregister.co.uk/2015/09/28/agd_silence_about_metadata_retention_plans_is_about_security/

    The Attorney-General’s Department has told The Register national security considerations lie behind it discouraging telcos and ISPs discussing their data retention plans.

    Reply
  49. Tomi Engdahl says:

    RSA Key Sizes: 2048 or 4096 bits?
    http://danielpocock.com/rsa-key-sizes-2048-or-4096-bits

    Many people are taking a fresh look at IT security strategies in the wake of the NSA revelations. One of the issues that comes up is the need for stronger encryption, using public key cryptography instead of just passwords. This is sometimes referred to as certificate authentication, but certificates are just one of many ways to use public key technology.

    One of the core decisions in this field is the key size. Most people have heard that 1024 bit RSA keys have been cracked and are not used any more for web sites or PGP. The next most fashionable number after 1024 appears to be 2048, but a lot of people have also been skipping that and moving to 4096 bit keys.

    The case for using 2048 bits instead of 4096 bits

    Some hardware (many smart cards, some card readers, and some other devices such as Polycom phones) don’t support anything bigger than 2048 bits.
    Uses less CPU than a longer key during encryption and authentication
    Using less CPU means using less battery drain (important for mobile devices)
    Uses less storage space: while not an issue on disk, this can be an issue in small devices like smart cards that measure their RAM in kilobytes rather than gigabytes

    So in certain situations, there are some clear benefits of using 2048 bit keys and not just jumping on the 4096 bit key bandwagon.

    The case for using 4096 bits

    If an attack is found that allows a 2048 bit key to be hacked in 100 hours, that does not imply that a 4096 bit key can be hacked in 200 hours. The hack that breaks a 2048 bit key in 100 hours may still need many years to crack a single 4096 bit key. It is also worth noting that simply adding 1 bit (going from 1024 bits to 1025 bits) does not double the effort to crack the key, each extra bit adds some security but a little bit less than what was gained with the previous bit. There is a law of diminishing returns with RSA key length.
    Some types of key (e.g. an OpenPGP primary key which is signed by many other people) are desirable to keep for an extended period of time, perhaps 10 years or more. In this context, the hassle of replacing all those signatures may be quite high and it is more desirable to have a long-term future-proof key length.

    Reply
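    To put numbers on the “diminishing returns” argument in the post above, here is an added example, written for this page and not taken from Daniel Pocock’s post, that evaluates the standard GNFS heuristic L_n[1/3, (64/9)^(1/3)] for several RSA modulus sizes. The o(1) term of the L-notation is dropped, so the absolute values are not calibrated security levels and sit a few bits above the familiar NIST comparable-strength figures; the differences between sizes are the meaningful output. They show that one extra key bit buys well under a doubling of effort, and that going from 2048 to 4096 bits multiplies the estimated factoring work by roughly 10^12. The “attack breaks a 2048 bit key in 100 hours” figure is the post’s own hypothetical, scaled here as an assumption.

```python
import math


def gnfs_log2_work(bits):
    """log2 of the GNFS heuristic work factor L_n[1/3, (64/9)^(1/3)] for a `bits`-bit modulus.

    The o(1) term is dropped, so these are not calibrated security levels (NIST puts
    2048-bit RSA at about 112 bits); use the *differences* between two sizes.
    """
    ln_n = bits * math.log(2)                  # ln(n) for an n of `bits` bits
    c = (64 / 9) ** (1 / 3)
    return c * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3) / math.log(2)


def effort_ratio(bits, baseline):
    """How many times more work factoring a `bits`-bit key takes than a `baseline`-bit key."""
    return 2 ** (gnfs_log2_work(bits) - gnfs_log2_work(baseline))


def marginal_gain(bits, extra=1):
    """Extra work, in bits, bought by lengthening a `bits`-bit key by `extra` bits.

    This value shrinks as `bits` grows: the law of diminishing returns from the post.
    """
    return gnfs_log2_work(bits + extra) - gnfs_log2_work(bits)


def hours_to_break(bits, baseline_bits, baseline_hours):
    """Scale a hypothetical attack that breaks a `baseline_bits`-bit key in
    `baseline_hours` to a `bits`-bit key, assuming the attack is GNFS-like."""
    return baseline_hours * effort_ratio(bits, baseline_bits)


if __name__ == "__main__":
    for size in (1024, 2048, 3072, 4096):
        print(f"{size:5d} bits: ~{gnfs_log2_work(size):6.1f} bits of GNFS work, "
              f"+1 bit adds {marginal_gain(size):.3f} bits")
    # The post's hypothetical: 2048 bits broken in 100 hours.  Same attack on 4096 bits:
    hours = hours_to_break(4096, 2048, 100)
    print(f"4096 bits under the same attack: ~{hours:.2e} hours (~{hours / 8766:.1e} years)")
```

    Under this model a 4096 bit key is not “twice as hard” as a 2048 bit key but on the order of 10^12 times as hard, which is the post’s point about not extrapolating linearly from an attack on 2048 bit keys. The same curve also explains the case for 2048: the cost of the modular exponentiation grows roughly with the cube of the key size, so doubling the modulus costs about eight times the CPU for a gain that is nowhere near eight times the attacker’s work.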
  50. Tomi Engdahl says:

    Ed Bott / ZDNet:
    Microsoft explains data collection practices, says Windows 10 doesn’t infringe on user privacy

    Microsoft tries to clear the air on Windows 10 privacy furor
    http://www.zdnet.com/article/microsoft-tries-to-clear-the-air-on-windows-10-privacy-furor/

    Executives in Redmond were caught flat-footed after this summer’s Windows 10 launch by charges that the new operating system is spying on customers. Several new statements for consumers and IT pros today aim to explain why those accusations are unfounded.

    Microsoft has a privacy problem.

    It’s not the one you’ve read about lately, though. Instead, Microsoft’s biggest problem is that its customers don’t understand its privacy policies, and a sensational press is all too eager to manufacture outrage over policies that don’t exist.

    In reality, Microsoft has been building privacy protections into its software products for years.

    Given the long awareness of privacy in Redmond, then, the virulent attacks against Windows 10 this summer came as an unwelcome surprise. Critics have accused Windows 10 of spying on customers and collecting data for nefarious purposes, and those criticisms, despite a lack of supporting evidence, have persisted.

    The trouble for Microsoft is that its only communication on Windows 10 privacy features so far has been its privacy policy, a long document written by lawyers and designed to cover a broad range of legal situations across hundreds of jurisdictions worldwide.

    Today, the company published a series of detailed technical articles designed to explain how its actual practices align with its privacy policies across the board. The explanation starts with two clear principles:

    1. Windows 10 collects information so the product will work better for you.

    2. You are in control with the ability to determine what information is collected.

    Most of the criticisms I’ve seen were based on misreading of the privacy policies for Windows 10 and for Microsoft’s online services.

    Telemetry data

    “We collect a limited amount of information to help us provide a secure and reliable experience,” the company says. “This includes data like an anonymous device ID and device type. … This doesn’t include any of your content or files, and we take several steps to avoid collecting any information that directly identifies you, such as your name, email address or account ID.”

    In Windows 10, telemetry data is stored on dedicated servers that are used exclusively for reliability purposes. I’ve seen several online analyses using network packet sniffers that point a suspicious finger at the unique ID included with each packet. But as Microsoft engineers have explained in the past, the point of those identifiers isn’t to tag an individual person; rather, that ID is essential to tell whether 100 identical problem reports are from a single device or from 100 different devices.

    Windows 10 has three telemetry settings: Basic, Full, and Enhanced.

    Basic. This information includes information about security settings, quality-related info (such as crashes and hangs), and application compatibility.
    Enhanced. This level includes the Basic information and adds details about how Windows and Windows apps are used, how they perform, and advanced reliability info.
    Full. This setting, which is the default for Windows 10, includes all information from the previous levels, plus additional details necessary to identify and help to fix problems.

    In earlier Windows versions, telemetry (Windows Error Reporting) was an opt-in feature. In Windows 10, it’s on by default. Individuals and small businesses can change telemetry collection to the Basic level with the flip of a switch in Settings. Organizations running Windows 10 Enterprise or Education have the option to disable telemetry completely, although Microsoft recommends against it.

    Personalization and services

    In a world where software and cloud-based services are increasingly intertwined, software companies have to “collect” your information to carry out your wishes.

    As the company explains, “Windows sends and gets info … to give you access to online services like Outlook, OneDrive, Cortana, Skype, Bing and the Microsoft Store, to personalize your experiences on Windows, to help you keep your preferences and files in sync on all your devices, to help keep your device up to date, and so that we can make the next features of Windows ones that you’ll enjoy.”

    As usually happens, the Internet echo chamber turned the complex technical details of Windows 10 privacy into a series of gross oversimplifications. Even normally sober publications like PC World succumbed to the hysteria, offering advice on “how to turn off Windows 10’s keylogger,” adding parenthetically, “Yes, it still has one.”

    No, it doesn’t.

    Privacy and Windows 10
    http://blogs.windows.com/bloggingwindows/2015/09/28/privacy-and-windows-10/

    Reply
