Year 2014 is coming to end, so it is time to look forward what to expect from year 2015 in cyber security.
Cyber security will get harder year y year. Year 2014 was much worse than 2013. Heartbleed, Bash, and POODLE vulnerabilities were just the beginning of what to expect in 2015. I expect that year 2014 was easy compared to what year 2015 will be. 2015 will prove to be a challenging year for IT security professional. Attacks can happen anywhere and anytime and they don’t have to be major attacks by nation states. They could come from inside or outside.
According to Gartner and Securityweek Total information security spending will grow a further 8.2 percent in 2015 to reach $76.9 billion. Unfortunately, security investments are not keeping up with IT enhancements that are continuously widening our attack surface and making systems more vulnerable. As computer software has become the backbone of modern civilization, “hacktivists”, organized cyber criminals, state-sponsored cyber attackers, and terrorist organizations try to exploit design flaws and weaknesses in the applications in order to embarrass corporations and government agencies, and commit fraud.
The steady flow of software security issues will be making headlines also in 2015. Serious security flaws will be found on both open seurce and proprietary software.
There are many people looking for a good process to develop secure software, because after-the-fact band-aiding is not a sustainable approach. If the same methods continue to be used to develop the software, retrospectively adding tests, then there will only be a very modest reduction in the flow of problems. Processes exist but have yet to be broadly applied for developing reliable and secure networking software. Traditional methods used to develop software continue to result in high failure rates. Why create insecure security?
Year 2014 was a year of cybersecurity after the NSA revelations made in 2013. There were lots of articles related to the material published. Not everything has yet been published, so I would expect some new NSA revelations details to be published also in 2015. So I expect some new information leaks on how govermential security organizations spy us all.
It seems like year 2014 has almost been “The Year of PoS Breaches.” Can We Learn from Big Breaches? At least companies will also face more stringent regulations: The new Payment Card Industry Data Security Standard 3.0 (PCI 3.0) will be mandatory for all businesses that store, process or transmit payment card information beginning 1 January 2015. The revamped standard includes requirements aimed at third party providers. The changes follow a string of high profile breaches – companies will also face more stringent regulations: The new Payment Card Industry Data Security Standard 3.0 (PCI 3.0) will be mandatory for all businesses that store, process or transmit payment card information beginning 1 January 2015. The revamped standard includes requirements aimed at third party providers. I expect that those new requirements do not result any quick change to the situation. As more and more breach reports have come up constantly, consumers officially are starting to get breach fatigue and banks are bringing breached companies to court to pay for damages caused to them.
Public and private organizations are facing an increasing frequency and sophistication of cyber-attacks and security breaches – many of which are only discovered after the fact. McAfee Labs’ 2015 Threats Predictions report is an eye-opening read which forecasts increased levels of crime, espionage and warfare operations. Cybercriminals are expected to use more sophisticated methods to remain hidden on a victim’s network, carrying out long-term theft of data without detection.
Get Ready For The Hack Attack That Drives A Big Company Out Of Business article predicts that 2015 will be the year that some company goes out of business because they didn’t plan adequately for an attack. In the past, the most sophisticated hacks against companies were carried out by big nation-states or criminal organizations. In year 2014 the Sony Pictures hack happened and showed that motives of sophisticated hackers have changed from self-gain to destruction. Many company officers are only now becoming aware of the threat (boards of directors and C-level officers have traditionally been focused on other threats). A computerized attack can cause a lot of damage to a well prepared company, and can turn a not so well prepared company to a complete disaster it can’t recover. Sony attack opens new doors of risks in the areas of corporate extortion.
As Internet of Thigs becomes more and more used, it will be more hacked. Thus security of Internet of Things will be more and more talked about. IoT os one field where cyber security flaws can kill. The European Police Office (Europol) said governments are ill-equipped to counter the menace of “injury and possible deaths” spurred by hacking attacks on critical safety equipment. There are many potential dangers are in transportation: many new cars are Internet connected and potentially vulnerable, SCADA Systems in Railways Vulnerable to Attack and Airline bosses ignore cyber security concerns at their peril. Whether it is an unintentional cyber incident or a deliberate attack, security continues to be a vital part of the automation industry and it will remain, with safety, a growing area of concern for manufacturers in the coming years. Security awareness is on the rise throughout the industry. Security is becoming a business enabler that can provide manufacturers more than just an insurance policy.
Soon, almost every network will soon have IoT-hacking in it. IDC predicts that in two years from 90 per cent of the global IT networks have met IoT data theft. In a report, cybersecurity firm Fortinet expects greater threats from “denial of service attacks on assembly line, factory, industrial control systems, and healthcare and building management…resulting in revenue losses and reputation damages for organizations globally.” This opens new doors of risks in the areas of corporate extortion, altering of corporate business operations, and the extension of cyberattacks to include physical threats of harm to civilians.
Why cyber warfare is becoming more and more attractive to small nations and terrorist groups. Enabled by Internet connectivity, cyber war provides more bang for the buck than investment in conventional weapons. It is cheaper for and far more accessible to these small nation-states than conventional weapons . It allows these countries to pull off attacks without as much risk of getting caught and without the repercussions when they are caught. There are many reasons why a nation-state or non-nation entity would pursue a cyber war program, and today many countries large and small invest in cyber warfare. Recent cyber attacks suggest that fewer resources are required to wage an attack than to defend against one. As the whole world gets connected, it just provides the details that make these attacks possible. In the not-too-distant future, warfare with traditional weaponry may take a backseat to potentially more destructive tactics: computer code attacking the companies and infrastructures, including electric grids and oil and gas pipelines, that society relies on.
It was estimated that first online murder would happen in 2014. It did not seem to happen in 2014 as far as I know. I think that is likely that online murder can happen in 2015. There are tools available for this to happen. Cyber-murder it can happen without us knowing about it.
Mobile devices will be one of the focal points for cyber-attackers in 2015, as they present relatively easy, low-risk points of entry that can be monitored remotely for passwords, account numbers, and personal identification data. Sure, there are still relatively easy to publish malicious application stores. Within next year advanced mobile exploit kits will become available.
Mobile devices will start to play part in denial of service attacks. Vietnam, India and Indonesia will be the distributed denial of service volcanoes of next year due to the profieration of pwned mobiles.
Year 2014 brought encryption to mainstream smart phones (new encryption features from Apple Inc. and Google Inc). In year 2015 government organizations try to tackle a very modern problem: password-protected encrypted cellphones. It will be a fight on surveillance as everyone starts to implement encryption.
Long predicted but always seeming to be “just around the corner,” mobile payments may finally have arrived. The coming mobile payment revolution, the underlying technologies – and alternative solutions – have been emerging for some time. Technologies playing a supporting role in this shift include encryption advances, digital currencies, biometrics, NFC, Bluetooth, QR codes, and even the use of sound wave data transfer. There will also bea products mrketed to prevent different kind of potential threats the new technologies can cause.
There is a never-ending battle between good and evil in the cyber world. Various types of attacks are successful because they are well-disguised, blend different techniques, and constantly evolve. You need Layered Security – It’s Not Just for Networks. Use a layered security architecture that supports a combination of defenses in ways attackers don’t expect and that continuously evolves protections to keep up with dynamic attacks. Traditionally these approaches have been focused on the network, but they can and should be applied to other parts of IT system as well (start from email gateways). Email is the preferred channel for business communications and thus continues to be a vector of choice for attackers.
Threat Information Sharing Will Become Necessary for Survival. Security controls (SANS critical controls, ISO/IEC 27002, NIST Cybersecurity Framework, and the Cloud Controls Matrix) are safeguards and counteract or minimize security risks relating to digital property. The more you can automate a control, the better off you will be. We are in the way of Moving towards an adaptive and automated way of applying intelligence based on behavior and heuristics is clearly moving in the right direction to enable a more actionable and relevant set of controls. Threat intelligence coming from a variety of sources (security companies, the government and the open source community) is needed. Key to the success is publishing intelligence in a variety of data structures (STIX, TAXI and other standard industry formats) to best describe threats in a way that can be aggregated and understood by others.
More and more organizations are moving applications and data to IaaS/PaaS environments. Many enterprise IT departments have reason for concern: industry experts agree that moving sensitive data into the hands of third-party cloud providers expands and complicates the risk landscape in which companies operate every day. You need to understand cloud database security basics and more.
Today major players are embracing end-to-end encryption, so that about 50% of web traffic is carried by HTTPS. HTTPS-everywhere will get boost in 2015 as a new certificate authority – backed by big names on the internet including Mozilla, Cisco and Akamai – plans to offer SSL certs at no charge starting summer 2015. This move will make it even more easier for people to run encrypted, secure HTTPS websites.
Google is proposing to warn people their data is at risk every time they visit websites that do not use the “HTTPS” system. If implemented, the change would mean that a warning would pop-up when people visited a site that used only HTTP to notify them that such a connection “provides no data security”. In the short term, the biggest headache is likely to be faced by website operators who will feel forced to migrate unencrypted HTTP websites to encrypted HTTPS.
You can’t trust that normal web security technologies will guarantee safety. Your HTTPS security will be more manipulated than before. End to end HTTPS is generally good security addition to end users, but it does not solve all the problems. The increased use of HTTPS has made the life of IT departments harder, because normal firewalls can’s look what is inside encypted HTTPS packets, so they can’t block potential security treads that are carried within HTTPS packets. There are some special corporate firewall arrangements that can intercept HTTPS traffic (they do kind of man-in-the middle attack that decrypts and encryps the packets on the way). So SSL communications can be intercepted and broken.
3,110 Comments
Tomi Engdahl says:
Chinese Hackers Breached LoopPay, Whose Tech Is Central to Samsung Pay
http://www.nytimes.com/2015/10/08/technology/chinese-hackers-breached-looppay-a-contributor-to-samsung-pay.html?_r=0
WASHINGTON — Months before its technology became the centerpiece of Samsung’s new mobile payment system, LoopPay, a small Massachusetts subsidiary of the South Korean electronics giant, was the target of a sophisticated attack by a group of government-affiliated Chinese hackers.
As early as March, the hackers — alternatively known as the Codoso Group or Sunshock Group by those who track them — had breached the computer network of LoopPay, a start-up in Burlington, Mass., that was acquired by Samsung in February for more than $250 million, according to several people briefed on the still-unfolding investigation, as well as Samsung and LoopPay executives.
LoopPay executives said the Codoso hackers appeared to have been after the company’s technology, known as magnetic secure transmission, or MST, which is a key part of the Samsung Pay mobile payment wallet that made its public debut in the United States last week.
LoopPay did not learn of the breach until late August, when an organization came across LoopPay’s data while tracking the Codoso Group in a separate investigation.
Both LoopPay and Samsung executives said they were confident that they had removed infected machines, and that customer payment information and personal devices were not affected. They added that there was no need to delay the introduction of Samsung Pay, which had its debut in the United States last week after executing more than $30 million worth of purchases in South Korea.
“Samsung Pay was not impacted and at no point was any personal payment information at risk,” Darlene Cedres, Samsung’s chief privacy officer, said in a statement. “This was an isolated incident that targeted the LoopPay corporate network, which is a physically separate network. The LoopPay corporate network issue was resolved immediately and had nothing to do with Samsung Pay.”
Tomi Engdahl says:
DuckDuckGo CEO: ‘It’s a myth you need to track people to make money in web search’
http://www.ibtimes.co.uk/duckduckgo-ceo-its-myth-you-need-track-people-make-money-web-search-1523025
The CEO and founder of DuckDuckGo has revealed that the privacy-focused search engine is making a profit despite not tracking its users’ online activity and search history.
“DuckDuckGo is actually profitable. It is a myth you need to track people to make money in web search,” Weinberg said during the AMA session. “Most of the money is still made without tracking people by showing you ads based on your keyword, i.e. type in ‘car’ and get a car ad.
“These ads are lucrative because people have buying intent. All that tracking is for the rest of the internet without this search intent, and that’s why you’re tracked across the internet with these same ads.”
Privacy awareness post-Snowden
One of the key factors to DuckDuckGo’s recent growth, according to Weinberg, was the mass surveillance revelations from former NSA contract worker Edward Snowden. Another factor cited for causing a spike in adoption rates included Google’s 2012 decision to change its privacy policy to allow tracking across all of its services.
Tomi Engdahl says:
Three-Quarters of Internet Users Can’t Recognize an Online Threat, Kaspersky Lab’s Quiz Shows
http://www.kaspersky.com/about/news/virus/2015/Three-Quarters-of-Internet-Users-Cant-Recognize-an-Online-Threat-Kaspersky-Labs-Quiz-Shows
Kaspersky Lab has found that three-quarters (74%) of Internet users would download a potentially malicious file, because they lack the ‘cyber-savviness’ they need to spot dangers online. The results of a quiz, which questioned 18,000 Internet users about their online habits, has raised concerns about the ability of users to recognize online threats.
The cyber-awareness of Internet users was tested during the quiz when they were asked to download the song ‘Yesterday’ by the Beatles. Out of the four download options, only one was a safe wma. file, intentionally named ‘Betles.Yesterday.wma.’ This was chosen by just a quarter (26%) of respondents, who spotted that it was a harmless file type, despite the spelling error in the file’s name.
The most dangerous file option, exe. contained the well-known ‘mp3’ term as part of its name, ‘Beatles_Yesterday.mp3.exe,’ tricking a third (34%) of respondents into selecting it. 14% chose a scr. screensaver download, a file type which has recently been used to spread malicious material, and 26% selected the zip. option, which could have contained some dangerous files.
The inability of users to spot danger online is not limited to music. According to the survey, one in five (21%) users download files from a variety of online sources, increasing their risk of encountering a malicious supplier. During the survey, only 24% of users could recognize a genuine webpage, without selecting a phishing option. In addition, while specifying the web pages on which they were prepared to enter their data, over half (58%) of users only named fake sites.
Tomi Engdahl says:
Webcam hacker spied on sex acts with BlackShades malware
http://www.bbc.com/news/technology-34475151
A Leeds-based hacker used a notorious piece of malware called BlackShades to spy on people via their webcams.
Rigo was arrested in November last year during an international investigation.
Victims ‘unaware’
The hacker had used his ex-girlfriend’s details to purchase BlackShades, a remote access trojan (RAT) which allows for a high level of surreptitious control over a victim’s computer.
“The problem with RATs specifically is a lot of the time people don’t know they’re being affected,” the NCA spokesman said.
“In the case of Stefan Rigo that we were looking at, his victims weren’t aware.”
BlackShades has been around since 2010 and has been sold for as little as $40 (£26), explained Jens Monrad at cyber security firm FireEye.
“The application in itself is not that difficult to detect but typically the attackers will wrap some sort of exploit around the application,” said Mr Monrad.
“Even with patches the victim will still be vulnerable so long as there is a hole in the operating system.”
The criminal market for webcam hacking tools is highly active
Tomi Engdahl says:
Middle managers can be cyber security threats
http://www.controleng.com/single-article/middle-managers-can-be-cyber-security-threats/3700165a7056a637111b15836bd4adac.html
Middle managers sometimes are an obstacle when it comes to implementing and promoting security within their realm. The idea of middle managers bottlenecking the security culture and program is a huge obstacle to overcome.
Middle managers may or may not be aware of the increased need for security, but they are an obstacle when it comes to implementing and promoting security within their realm. While the thought may seem to not make sense at first, it makes perfect sense where a middle manager’s compensation and performance objectives—whether it is a process line, an entire plant or anything in between—focus on performance. With pure performance objectives strictly in mind, security will often go by the wayside.
The CISO said his biggest problem is middle managers. Not the workers in the trenches, but middle managers.
“I have seen this with other clients where even higher-ups (e.g. VP’s) in Engineering, Operations or even IT may not be onboard with an OT cyber security program,” Cusimano said. “For such a program to be successful it requires support from all three. Not surprisingly, the battles are more about company politics than anything else.”
Tomi Engdahl says:
Washington Post:
The Chinese government arrested hackers accused of state-sponsored economic espionage at the request of the US before President Xi Jinping’s US visit last month
In a first, Chinese hackers are arrested at the behest of the U.S. government
https://www.washingtonpost.com/world/national-security/in-a-first-chinese-hackers-are-arrested-at-the-behest-of-the-us-government/2015/10/09/0a7b0e46-6778-11e5-8325-a42b5a459b1e_story.html
The Chinese government has quietly arrested a handful of hackers at the urging of the U.S. government — an unprecedented step to defuse tensions with Washington at a time when the Obama administration has threatened economic sanctions.
The action came a week or two before President Xi Jinping’s state visit to Washington late last month. The hackers had been identified by U.S. officials as having stolen commercial secrets from U.S. firms to be sold or passed along to Chinese state-run companies.
The arrests come amid signs of a potential change in the power balance between the U.S. and Chinese governments on commercial cyberespionage, one of the most fraught issues between the two countries.
Tomi Engdahl says:
Steven Perlberg / Wall Street Journal:
Dow Jones discloses customer data breach, says financial data of 3,500 people compromised
Dow Jones Discloses Customer Data Breach
Wall Street Journal owner says financial data from 3,500 individuals may have been accessed
http://www.wsj.com/articles/dow-jones-discloses-customer-data-breach-1444406517
Dow Jones & Co. disclosed that hackers had gained unauthorized entry to its systems, accessing contact information for current and former subscribers in order to send fraudulent solicitations.
The data breach potentially accessed payment card information for fewer than 3,500 individuals, said Dow Jones
Data breaches have become increasingly common among private companies and government organizations. Last year, 43% of the 567 executives surveyed by the Ponemon Institute said they experienced a data breach in the past year.
Tomi Engdahl says:
Sarah Jeong / Motherboard:
Inside the Matthew Keys case and why the government charged him under hacking laws
Why the Government Went After Matthew Keys
http://motherboard.vice.com/read/why-the-government-went-after-matthew-keys
On October 4, 2012, two FBI agents visited the home of Matthew Keys, aged 25, in Secaucus, New Jersey. At the time, he was the deputy social media editor for Reuters. Special Agents John Cauthen and Gabriel Andrews showed him a sheaf of papers—a search warrant over 50 pages including chat transcripts.
Keys was living with roommates, so Agent John offered to interview him somewhere else instead. Keys declined.
They interviewed him inside his bedroom.
When questioned by the FBI about his use of a VPN, he said he found a VPN service by Googling for “how to watch British television from the United States?”
This case is a use of the Computer Fraud & Abuse Act to go after behavior that, in common parlance, isn’t “hacking.” It happens often with the CFAA, which has long been criticized for being overbroad—it’s a statute that can be brought to bear on a perceived bad actor when all other statutes don’t fit the bill. In closing arguments, defense attorney Jay Leiderman alluded to CFAA creep when he said, with some measure of resignation, “Just about any computer these days is ‘a protected computer.’” (The statutory language of the CFAA only covers “protected computers.”)
The ultimate disagreement between prosecution and defense is whether the CFAA was used appropriately. “Hacking is one thing,” Leiderman said in closing. “Vandalism is another.”
There’s no indication that the government thinks Keys is a skilled computer criminal. They apparently went after him—using an anti-hacking law—for being a nightmare ex-employee.
Tomi Engdahl says:
Former NSA Chief: I ‘Would Not Support’ Encryption Backdoors
http://motherboard.vice.com/read/former-nsa-chief-strongly-disagrees-with-current-nsa-chief-on-encryption?trk_source=popular
The US is “better served by stronger encryption, rather than baking in weaker encryption.”
Tomi Engdahl says:
Cloud DDoS Mitigation Services Can Be Easily Bypassed
http://slashdot.org/story/15/10/11/0259218/cloud-ddos-mitigation-services-can-be-easily-bypassed
A recent research paper shows that most Cloud-Based Security Providers are ineffective in protecting websites from DDoS attacks, mainly because they cannot entirely hide the origin website’s IP address from attackers. As five security researchers from Belgium and the U.S. are claiming, there are eight methods through which these mitigation services can be bypassed.
Maneuvering Around Clouds:
Bypassing Cloud-based Security Providers
https://cloudpiercer.org/paper/CloudPiercer.pdf
Tomi Engdahl says:
EU Digital Commish: Ja, we should have done more about NSA spying
Oetti pins hopes on a ‘re-negotiated’ safe harbour
http://www.theregister.co.uk/2015/10/12/digi_commish_oettinger_admits_eu_should_have_done_more_in_reaction_to_nsa_spying/
Europe’s outspoken digi Commissioner, Günther H-dot Oettinger has admitted that the European Commission did too little, too late in reaction to Edward Snowden’s NSA spying revelations.
Following a landmark ruling by the European Court of Justice (ECJ) striking down the EU-US data sharing Safe Harbor agreement on Tuesday, Oetti told German daily Der Spiegel that “a mandatory government agreement would be the best solution” but that he didn’t believe it was likely to happen.
The second-best option is a re-negotiated arrangement, said Oettinger, for once sticking to the Commission official line. He said clarity was urgently needed for “the many medium-sized companies that are now feeling insecure”.
Safe Harbor is the workaround agreement between the EU and the US that allows international companies to transfer Europeans’ personal data to the US even though the US does not meet the adequacy standards for EU data protection law. Companies signed up to a voluntary code of conduct that was then enforced by the American Federal Trade Commission (FTC).
Tomi Engdahl says:
Cryptome grudgingly admits to leak of users’ ancient IP addresses
If you looked for vulnerabilities in 2009, you’re vulnerable today. A bit.
http://www.theregister.co.uk/2015/10/12/cryptome_in_data_leak_spat/
Venerable leak site Cryptome.org has ‘fessed up to a data leak that saw some users’ IP addresses reach the Internet.
Young encourages users to treat every channel including his own as suspect, and reminds us a third-party slip (since he attributes the inclusion of the statistics to a restore-from-backup) is especially hard to predict.
Tomi Engdahl says:
Freelancer.com code exposes bids to competitors
Not confidential information, just A/B testing
http://www.theregister.co.uk/2015/10/12/freelancercom_code_exposes_bids_to_competitors/
Pay-peanuts-get-monkeys project auction site Freelancer.com seems to have had its own site built on cents-per-hour rates, and has ended up with an embarrassing information disclosure bug.
The site’s programming error embeds far too much information in the HTML associated with project pages, letting those in the know look over what other bidders are saying – and bidding – to win a project.
Tomi Engdahl says:
WordPress Brute Force Attacks Using Multiple Passwords Per Login Via XML-RPC
http://it.slashdot.org/story/15/10/11/1220253/wordpress-brute-force-attacks-using-multiple-passwords-per-login-via-xml-rpc
Online security firm Sicuri note a vertical rise in brute force attacks against WordPress websites using Brute Force Amplification, where a thousand passwords can be submitted within the scope of a single login attempt. The company notes that disabling the protocol is likely to interfere with the functionality of many plugins which rely on it.
WordPress attackers using hundreds of passwords in a single login attempt via XML-RPC
https://thestack.com/security/2015/10/10/wordpress-attackers-using-hundreds-of-passwords-in-a-single-login-attempt-via-xml-rpc/
Online security company Sucuri have posted a recent and rising cluster of brute force amplification security attacks against sites which use the WordPress content management system – 58.7% of all CMS-based websites, and 24% of all websites of any kind. BFA attacks put a new spin on traditional brute force attacks by wrapping multiple login attempts inside one dictionary-guessed login attempt using the XML-RPC protocol specification.
This means that if your website is set to lock or temporarily block an account after, for example, three unsuccessful login attempts, an attacker can still try out as many passwords within three tries as the parameters of the http request can handle – well over a thousand. If the lock-out is set to a higher number of attempts, or is not set at all, Brute Force Amplification can increase its chances of a successful incursion by several orders of magnitude.
Sucuri note that most of the BFA calls are targeting the WordPress category enumerating hook wp.getCategories, and are targeting the ‘admin’ username, along with predictable default usernames. Sucuri recommend blocking system.multicall requests via a Web Access Firewall if available, but note that so many WordPress plugins depend on the point of vulnerability xmlrpc.php that blocking access to that functionality may interfere with normal operation of the site.
Tomi Engdahl says:
Brute Force Amplification Attacks Against WordPress XMLRPC
https://blog.sucuri.net/2015/10/brute-force-amplification-attacks-against-wordpress-xmlrpc.html
Brute Force attacks are one of the oldest and most common types of attacks that we still see on the Internet today. If you have a server online, it’s most likely being hit right now. It could be via protocols like SSH or FTP, and if it’s a web server, via web-based brute force attempts against whatever CMS you are using.
What if, the attacker could reduce the noise? What if the attacker could make it so that it’s a 1 to many relationship between each request? Imagine a request that was able to try 500 passwords in one shot.
One of the hidden features of XML-RPC is that you can use the system.multicall method to execute multiple methods inside a single request. That’s very useful as it allow application to pass multiple commands within one HTTP request.
Tomi Engdahl says:
The National Law Review:
In-depth look at how EU’s Safe Harbor invalidation affects US companies, and three primary alternatives they can use to comply with EU data protection laws —
European Court of Justice Invalidates U.S.-EU Safe Harbor Agreement – See more at: http://www.natlawreview.com/article/european-court-justice-invalidates-us-eu-safe-harbor-agreement#sthash.4WPosgeb.dpuf
Tomi Engdahl says:
Yevgeniy Sverdlik / Data Center Knowledge:
After EU Safe Harbor ruling, Amazon, Salesforce, Microsoft, Google, others use Model Clauses for compliance, but these contract changes are cumbersome for many
Safe Harbor Ruling Leaves Data Center Operators in Ambiguity
http://www.datacenterknowledge.com/archives/2015/10/09/safe-harbor-ruling-leaves-data-center-operators-in-ambiguity/
Europe’s annulment of the framework that made it easy for companies to transfer data between data centers in Europe and the US while staying within the limits of European privacy laws has caused a lot of uncertainty for businesses that operate data centers on both sides of the Atlantic.
US cloud services giants have taken steps to make sure they continue to provide services legally using means other than the Safe Harbor framework, but actual consequences of the European Court of Justice ruling earlier this week remain unclear.
“One is that Safe Harbor is dead,” he said.” The other, which I think is actually the accurate answer, is that the European Union, and the European Commission in particular, need to figure out how to interpret the ruling.”
Internet businesses will continue to operate in ambiguity until the commission issues its interpretation.
“It is unrealistic to think that all transatlantic data is going to have to stop as a result of this decision,” Snead added. “The European Commission is likely to figure out a way to accommodate it, and the US is as well.”
Tomi Engdahl says:
Rebecca Wexler / Slate:
Defendants Should Have the Right to Inspect the Software Code Used to Convict Them
Convicted by Code
http://www.slate.com/blogs/future_tense/2015/10/06/defendants_should_be_able_to_inspect_software_code_used_in_forensics.html
Secret code is everywhere—in elevators, airplanes, medical devices. By refusing to publish the source code for software, companies make it impossible for third parties to inspect, even when that code has enormous effects on society and policy. Secret code risks security flaws that leave us vulnerable to hacks and data leaks. It can threaten privacy by gathering information about us without our knowledge. It may interfere with equal treatment under law if the government relies on it to determine our eligibility for benefits or whether to put us on a no-fly list. And secret code enables cheaters and hides mistakes, as with Volkswagen: The company admitted recently that it used covert software to cheat emissions tests for 11 million diesel cars spewing smog at 40 times the legal limit.
ut as shocking as Volkswagen’s fraud may be, it only heralds more of its kind. It’s time to address one of the most urgent if overlooked tech transparency issues—secret code in the criminal justice system. Today, closed, proprietary software can put you in prison or even on death row. And in most U.S. jurisdictions you still wouldn’t have the right to inspect it. In short, prosecutors have a Volkswagen problem.
DNA match by a proprietary computer program
We need to trust new technologies to help us find and convict criminals but also to exonerate the innocent. Proprietary software interferes with that trust in a growing number of investigative and forensic devices, from DNA testing to facial recognition software to algorithms that tell police where to look for future crimes. Inspecting the software isn’t just good for defendants, though—disclosing code to defense experts helped the New Jersey Supreme Court confirm the scientific reliability of a breathalyzer.
Short-circuiting defendants’ ability to cross-examine forensic evidence is not only unjust—it paves the way for bad science. Experts have described cross-examination as “the greatest legal engine ever invented for the discovery of truth.” But recent revelations exposed an epidemic of bad science undermining criminal justice. Studies have disputed the scientific validity of pattern matching in bite marks, arson, hair and fiber, shaken baby syndrome diagnoses, ballistics, dog-scent lineups, blood spatter evidence, and fingerprint matching.
To be sure, government regulators currently conduct independent validation tests for at least some digital forensic tools. But even regulators may be unable to audit the code in the devices they test, instead merely evaluating how these technologies perform in controlled laboratory environments.
Tomi Engdahl says:
The National Law Review:
In-depth look at how EU’s Safe Harbor invalidation affects US companies, and three primary alternatives they can use to comply with EU data protection laws — European Court of Justice Invalidates U.S.-EU Safe Harbor Agreement — Negotiated under the European Commission’s Data Protection Directive …
European Court of Justice Invalidates U.S.-EU Safe Harbor Agreement – See more at: http://www.natlawreview.com/article/european-court-justice-invalidates-us-eu-safe-harbor-agreement#sthash.SMQdCMEU.dpuf
Yevgeniy Sverdlik / Data Center Knowledge:
After EU Safe Harbor ruling, Amazon, Salesforce, Microsoft, Google, others use Model Clauses for compliance, but these contract changes are cumbersome for many
Safe Harbor Ruling Leaves Data Center Operators in Ambiguity
http://www.datacenterknowledge.com/archives/2015/10/09/safe-harbor-ruling-leaves-data-center-operators-in-ambiguity/
Tomi Engdahl says:
Centrify:
What IT Pros Should Learn From Pope Francis’ Security Detail — Whether you’re part of the Pope’s security team or are responsible for corporate security, your job description is pretty much the same …
What IT Professionals Should Learn from Pope Francis’ Security Detail
http://blog.centrify.com/pope-security-lessons-for-it/
With Pope Francis’ recent visit to the U.S., I was struck by how similar the challenges faced by the Pontiff’s Security Team are to those in enterprise IT today. Whether physical or cyber, security teams must protect their people from the threats against them.
Let’s take a look first at why the challenges of protecting the Pope are, in fact, like those of protecting users from cyberthreats. In both cases, it starts with the physical boundaries in which these actors do their jobs. A little over twenty years ago, work for the most part was done in one place — at work. IT merely needed to protect the physical security of those buildings and the computers contained therein.
Fast forward to today, and compare that to Pope Francis, aka the “People’s Pope.” Pope Francis feels that to do his job he needs to interact with the people he visits and he can’t do that while enclosed in his moving protective fortress
Protection must go further than physical boundaries
This phenomenon is very similar to what we have experienced in the world of IT and enterprise security in the same timeframe. Internet, mobile and SaaS have completely redefined the modern workspace. Physical borders are now irrelevant; users must be protected wherever they are and on whatever device they are using.
Francis’ security team consisting of the Swiss Guard, the Secret Service, and the local police had to adapt to secure his surroundings since they could not keep him in his car.
Similarly, IT teams need to adapt to protect users as they venture outside the secure confines of their corporate perimeter and embrace mobile and SaaS products. Sure, it would be easier for IT to say “no” to mobile and SaaS, but that wouldn’t be at all practical today. Instead, IT must take measures to adapt and protect their users while enabling them to be productive.
Tomi Engdahl says:
The National Law Review:
In-depth look at how EU’s Safe Harbor invalidation affects US companies, and three primary alternatives they can use to comply with EU data protection laws —
European Court of Justice Invalidates U.S.-EU Safe Harbor Agreement – See more at: http://www.natlawreview.com/article/european-court-justice-invalidates-us-eu-safe-harbor-agreement#sthash.4WPosgeb.dpuf
Yevgeniy Sverdlik / Data Center Knowledge:
After EU Safe Harbor ruling, Amazon, Salesforce, Microsoft, Google, others use Model Clauses for compliance, but these contract changes are cumbersome for many
Safe Harbor Ruling Leaves Data Center Operators in Ambiguity
http://www.datacenterknowledge.com/archives/2015/10/09/safe-harbor-ruling-leaves-data-center-operators-in-ambiguity/
Europe’s annulment of the framework that made it easy for companies to transfer data between data centers in Europe and the US while staying within the limits of European privacy laws has caused a lot of uncertainty for businesses that operate data centers on both sides of the Atlantic.
US cloud services giants have taken steps to make sure they continue to provide services legally using means other than the Safe Harbor framework, but actual consequences of the European Court of Justice ruling earlier this week remain unclear.
“One is that Safe Harbor is dead,” he said.” The other, which I think is actually the accurate answer, is that the European Union, and the European Commission in particular, need to figure out how to interpret the ruling.”
Internet businesses will continue to operate in ambiguity until the commission issues its interpretation.
“It is unrealistic to think that all transatlantic data is going to have to stop as a result of this decision,” Snead added. “The European Commission is likely to figure out a way to accommodate it, and the US is as well.”
Tomi Engdahl says:
Cyber security is expensive for companies
A medium-sized American company uses annually of $ 15 million to boost security. Cyber War is becoming increasingly more expensive, because over the years the cost of security have risen by a fifth.
Thousand medium-sized US company employee uses annually approximately $ 15 million to the fight against cyber criminals.
Attacks in the vast majority, or 40 per cent related to malicious code, viruses, various worms and Trojans as well as bot nets.
16 per cent of crimes are denial of service attacks and 14 percent of phishing cases. Attacks carried out via computer networks and insiders crimes are the next biggest threats.
Stolen equipment was only seven per cent of all security offenses.
Attacking slowly detected
Institute founded by Larry Ponemon is of the opinion, the cost of security will rise, particularly because the corporate IT departments are reports of attacks, too late.
Attack revealed an average of 46 days after the start, he says.
“At the same time companies spend on average $ 43 000 per day the maintenance of security costs,” Ponemon says.
Data encryption is one such effective safety enhancing technology.
For example, the corresponding information security CISO’s (chief information security officer) recruitment saves cyber attack cost up to two million dollars per year. Good security boss is therefore worth of salary.
US crime prevention most expensive
Companies is USA use $ 15 million.
Rest of the world companies used the money to security-an average of 7.7 million dollars per year.
Source: http://www.tivi.fi/CIO/kyberturva-koituu-kalliiksi-yrityksille-6057544
Tomi Engdahl says:
Average business spends $15 million battling cybercrime
http://www.csoonline.com/article/2989302/cyber-attacks-espionage/average-business-spends-15-million-battling-cybercrime.html
The average U.S. company of 1,000 employees or more spends $15 million a year battling cybercrime, up 20 percent compared to last year
Attacks involving malicious code, malware, viruses, worms, trojans and botnets accounted for 40 percent of this cost, followed by 16 percent for denial of services, 14 percent for phishing and social engineering, 12 percent for web-based attacks, 10 percent for malicious insiders and 7 percent for stolen devices.
One of the reasons for the high cost of battling cybercrime is that it takes an average of 46 days to contain a successful attack after it has been detected, said Larry Ponemon, chairman and founder at Traverse City, MI-based Ponemon Institute, LLC
“Companies spend $43,000 a day, on average, for containment costs,”
The attacks are also happening more frequently, he added, and many are becoming more severe.
There was a wide variation in how much individual companies spent on battling cybercrime, from $1.9 million on the low end all the way up to $65 million a year.
Larger companies tended to spend more in total, though they had lower per-employee costs than smaller companies.
For example, Ponemon looked at several technologies that lowered defense costs.
“Companies that invested in these technologies did that much better than those who did not,” said Eric Schou, director of product marketing for HP Security.
The best-performing technology was security intelligence systems, which, on average, saved companies $3.7 million in cost. That translates to an average return on investment of 32 percent.
Companies that used encryption extensively saved $1.4 million a year, but, because of the lower cost of the technology, saw an average return on investment of 27 percent.
Advanced perimeter controls and firewall technologies saved $2.5 million a year, for a return on investment of 15 percent.
Technologies which had a return on investment of 10 percent or less were IT governance, risk and compliance tools, data loss prevention tools, and automated policy management tools.
The biggest organizational or management factor was having sufficient budget for cybersecurity — this reduced costs by $2.8 million a year.
Next, employment of expert security personnel saved companies $2.1 million a year, and hiring a CISO or similar high-level security leader saved $2.0 million.
Substantial training and security awareness activities saved companies $1.5 million, and extensive use of security metrics saved $1 million.
Tomi Engdahl says:
ACLU: Orwellian Citizen Score, China’s credit score system, is a warning for Americans
http://www.computerworld.com/article/2990203/security/aclu-orwellian-citizen-score-chinas-credit-score-system-is-a-warning-for-americans.html
In China, every citizen is being assigned a credit score that drops if a person buys and plays video games, or posts political comments online “without prior permission,” or even if social media “friends” do so. The ACLU said the credit rating system, an Orwellian nightmare, should serve as a warning to Americans.
Bad-mouthed the government in comments on social media? Strike. Even if you don’t buy video games and you don’t post political comments online “without prior permission,” but any of your online friends do….strike. The strikes are actually more like dings, dings to your falling credit score that is.
Thanks to a new terrifying use of big data, a credit score can be adversely affected by your hobbies, shopping habits, lifestyles, what you read online, what you post online, your political opinions as well as what your social connections do, say, read, buy or post. While you might never imagine such a credit-rating system in America, it is happening in China and the ACLU said it serves as a warning for Americans.
The new “social credit system” is linked to 1.3 billion Chinese citizens’ national ID cards, scoring them on their behavior and the “activities of friends in your social graph—the people you identify as friends on social media.” Citizens’ credit scores, or “Citizen Scores,” are affected by their own political opinions and the political opinions of their friends as well.
The new Chinese credit score will be mandatory by 2020, but citizens can currently track their score via a free “Sesame Credit” app.
Tomi Engdahl says:
Australian ISPs Not Ready For Mandatory Data Retention
http://yro.slashdot.org/story/15/10/12/2258209/australian-isps-not-ready-for-mandatory-data-retention
October 13 marks the day Australian ISPs are required by law to track all web site visits and emails of their users, but according to an article on the Australian Broadcasting Corporation’s news site the majority of ISPs are not ready to begin mandatory data retention.
Majority of ISPs not ready for metadata laws that come into force today
http://www.abc.net.au/news/2015-10-13/majority-of-isps-not-ready-to-start-collecting-metadata/6847370
The vast majority of Australian internet service providers (ISPs) are not ready to start collecting and storing metadata as required under the country’s data retention laws which come into effect today.
ISPs have had the past six months to plan how they will comply with the law, but 84 per cent say they are not ready and will not be collecting metadata on time.
The Attorney-General’s department says ISPs have until April 2017 to become fully compliant with the law.
ISPs ‘not given enough time’
ISPs must start retaining metadata as of today unless they have been granted an extension, according to the Attorney-General’s Department.
Extensions are granted after the ISPs submit a Data Retention Implementation Plan (DRIP) to the Government and have it approved.
An extension gives the ISP a further 18 months to comply with the legislation.
The survey found that while 81 per cent of ISPs say they have submitted a plan, only about 10 per cent have been approved so far.
Mr Stanton said ISPs were not given enough time to get ready.
“I think the survey shows that very clearly,”
Small ISPs say regulations putting them out of business
Craig runs a small ISP in regional Australia and his business will not be ready to collect metadata.
“We’ve now reached 400 pages of this document [the DRIP]. It’s a very complicated process and it’s eating into our profitability,”
“It’s such a complicated and fundamentally flawed piece of legislation that there are hundreds of ISPs out there that are still struggling to understand what they’ve got to do.”
Tomi Engdahl says:
Vigilante Malware
http://www.linuxjournal.com/content/vigilante-malware?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+linuxjournalcom+%28Linux+Journal+-+The+Original+Magazine+of+the+Linux+Community%29
Vigilante. The word itself conjures up images of a man in a mask, leaping across rooftops as he chases wrongdoers, dancing with the devil in the pale moonlight. In films and on TV, the vigilante is usually the character we support. But would you welcome a vigilante into your home in real life?
The question is not as hypothetical as it may seem. In a fascinating turn of events, security firm Symantec recently published the story of on an exceptional piece of malware that goes by the name Linux.Wifatch.
Wifatch is designed to avoid casual detection. The process runs under a false name and is designed to crash any debugging tools that try to inspect the process in memory
Tomi Engdahl says:
Hackers can steal your BRAIN WAVES
Depressingly familiar and stupid mistakes in EEG kit, health org’s storage of recorded brains
http://www.theregister.co.uk/2015/10/13/brain_waves_security/
BruCon: Behold the future: attackers can already get between brain-waves and hospital kit, and it’s just going to get worse according to IOActive senior consultant Alejandro Hernández.
Hernández says the ability to steal, manipulate, and replay brain waves used in electroencephalography (EEG) is already emerging, with consumer-grade kit already able to be hacked and the health care industry taking few precautions to properly protect recorded brain waves.
After decades in labs and hospitals, encephalography is steadily being implemented in lightweight consumer headsets and other devices that as yet remain largely experimental or gimmicky.
In clinical settings, EEG-recording devices are a useful tool for diagnosing seizures and sleeping disorders like narcolepsy.
Hernández says a year’s research taught him how to find discover holes in EEG equipment and come to the recognition that recorded brain waves should be considered sensitive data and therefore encrypted. The researcher worked with a US$80 MindWave device
Hospital-grade machinery remains out of reach of hackers without deep pockets and the required intricate knowledge of which brain waves can be modified for a given outcome.
Tomi Engdahl says:
SYNful Knock is no Stuxnet, says researcher
‘Nation state’ resources? Naah, just assembler
http://www.theregister.co.uk/2015/10/13/synful_knock_is_no_stuxnet_says_researcher/
Yet another set of shivers is running up spines at Cisco, with a researcher from Grid32 claiming that “rooting” the company’s IOS firmware isn’t as hard as people think.
The issue of compromised firmware arose in August when the company first warned that its ROMMON firmware images could be replaced with a compromised version by a malicious admin.
The vulnerability, since dubbed “SYNful Knock”, has since been spotted in the wild, with Cisco working hard to identify embaddened boxen.
It’s been widely assumed the only reason SYNful Knock and similar attacks aren’t widespread is the arcane nature of firmware hacking
In this paper (PDF), Balic says the idea that a firmware-based attack “involves advanced knowledge or nation state level resource” is a “common misconception”.
“a week‘s worth of studying PowerPC assembly, a week‘s worth of studying disassembly, and about a week‘s worth of writing code and debugging time” is sufficient, he claims,
Whitepaper: Writing Cisco IOS Rootkits
http://grid32.com/bb095447484a76e5c74d10f604b716f8/cisco_ios_rootkits.pdf
Tomi Engdahl says:
Japan Leads Push For AI-Based Anti-Cyberattack Solutions
http://it.slashdot.org/story/15/10/13/011228/japan-leads-push-for-ai-based-anti-cyberattack-solutions
Japanese firms NTT Communications and SoftBank are working to develop new artificial intelligence (AI) platforms, offering cyber-attack protection services to their customers.
Security
Japan leads push for AI-based anti-cyberattack solutions
https://thestack.com/security/2015/10/12/japan-leads-push-for-ai-based-anti-cyberattack-solutions/
Japanese firms NTT Communications and SoftBank are working to develop new artificial intelligence (AI) platforms, offering cyber-attack protection services to their customers.
The companies both highlight Big Data and analytics as holding great potential in the future of malware detection and preventing its distribution. However, current systems, which scan for illegal activity and shut down communication on detection, usually take between 8-15 minutes to identify new attacks due to the manual component.
The new NTT service, which launches globally next spring, can automatically recognise patterns in a virus and the methods used by previous malicious campaigns. It can also identify by analogy through the analysis of Big Data.
Even if cyber criminals amend a URL attached to the attack, the system is still able to detect it immediately. The company claims the solution will be able to detect 99% of unauthorised access.
Up until recently, AI-based security systems were only used for certain scenarios in online fraud detection for example.
Tomi Engdahl says:
More and more costly to go kyberiskut are forcing companies to extreme PROTECTIVE. Security investments in expanding in all sectors. New kybervakuutusten market will triple to 7.5 billion dollars by 2020, the researchers suggest a.
Cuber attack threat looms over constantly businesses and their IT managers concern. Although the number of attacks has decreased, the damage caused by them increased.
Sufficiently devastating blow can be even a large company to its knees, especially if cuber attack destroying the company’s reputation.
Today, the business world there is a direct mass movement towards long been known cyber insurance.
Before the mere kept small niche – cyber insurance solutions are boom due to become one of the whole insurance industry as the fastest growing product group, Cio.com write
Transition is so broad that kybervakuutusten the world market will triple from the current 2.5 billion to $ 7.5 billion in 2020, PwC survey shows.
The survey found that 59 percent of companies have acquired some level of insurance protection against cyber attacks.
Insurance facilitate risk management
Intrusion history has taught us anything, it is that the attacks happen in spite of all the precautions.
Experts agree that the mere existence of insurance may discourage launch cyber-attacks and reduce their damage.
Typically, the insurance will replace the lost data as well as comprehensive denial of service attacks, data theft and extortion damage caused.
Today insurance is often connected to the attacks, investigations, audits of security and crisis management-related clauses in the contract, which then these costs will be reimbursed.
“Even just the negotiations with the insurance companies facilitate risk analysis and management companies. Insurance Mathematics helps to assess the acceptable levels for the protection of data,”
At the moment, the entire discussion revolves around the risk.
PwC partners and the investigation revealed also that the increase in the business world security efforts also produce results.
During the year, investments in corporate information security have grown in all business sectors and attacks caused losses slightly decreased.
Last year cyber attacks caused businesses of $ 2.7 billion were destroyed, but this year the numbers have been reduced to 2.5 billion dollars.
Companies are now capable of detecting intrusions in real time – such cases increased by 38 per cent a year.
Intangible assets such as patents and other intellectual property, thefts increased by as much as 56 percent a year.
the former partner may become a threat to security.
Companies set of transition toward cloud services is permanently shaped the landscape of information security, ie how businesses use, manage and protect growing amounts of data.
Research house IDC predicts only public cloud investments to rise this year to $ 70 billion.
“Cloud Data must be protected for the cloud scaled means. This means that the data must be able to handle more and faster,”
Source: http://www.tivi.fi/CIO/kybervakuutuksista-uusin-tulppa-tietomurtoja-vastaan-6057549
More: http://www.cio.com/article/2990044/security/survey-says-enterprises-are-stepping-up-their-security-game.html
Tomi Engdahl says:
Want to self-certify for Safe Harbor? Never mind EU, YES WE CAN
Questions? Talk to our hand, or that lot across the pond
http://www.theregister.co.uk/2015/10/13/us_still_pushing_safe_harbour_despite_eu_court_ruling/
Despite Europe’s highest court ruling it invalid a week ago, the US Department of Commerce is still implementing so-called “Safe Harbor” arrangements, and directing any questions about the whole sorry business to its European cousins.
On its website the department maintains that despite “the current rapidly changing environment, [we] will continue to administer the Safe Harbor program, including processing submissions for self-certification to the Safe Harbor Framework”. In other words: business as usual.
Nor is the department going to answer any questions about why the whole deal has been declared invalid by the European Court of Justice (ECJ), instead passing the buck back to the EU.
“If you have questions, please contact the European Commission, the appropriate European national data protection authority, or legal counsel,” advises the website.
Welcome to the U.S.-EU & U.S.-Swiss Safe Harbor Frameworks
http://www.export.gov/safeharbor/
Tomi Engdahl says:
Analyst: Biometrics market will rely on smartphone fingerprint sensor, ATM vein, healthcare iris recognition technologies
http://www.cablinginstall.com/articles/2015/10/abi-biometrics-market.html?cmpid=EnlCIMCablingNewsOctober122015&eid=289644432&bid=1199804
According to a new report from ABI Research, biometrics on smartphone devices have moved past the simple authentication option and are headed towards establishing a more robust mobile payment solution.
ABI notes that an increasing amount of Chinese smartphone vendors are investing in equipping their devices with fingerprint sensors. Fingerprint sensors for smartphones are expected to reach 1 billion shipments by 2020
However, ABI adds that other biometric modalities like face, voice and eye-based recognition are currently moving out of the fledgling phase and are to be integrated as highly-secure – albeit more expensive – biometric capabilities in smartphone devices with a 5-year CAGR revenue growth of 144%.
In the banking and finance sector, ATMs are expected to receive a long overdue and much needed boost from biometrics technology.
Tomi Engdahl says:
Understand ‘Safe Harbor’, Schrems v Facebook in under 300 words
A legal, er, brief
http://www.theregister.co.uk/2015/10/08/understand_safe_harbor_ischrems_v_facebooki_in_under_300_words/
‘Safe Harbor’ is now defunct because the European Court of Justice found the following:
(a) There is no general privacy law or other measures enacted in the US that shows the US offers “an adequate level of protection” for personal data relating to European data subjects;
(b) Public law enforcement authorities which obtain personal data from organisations in Safe Harbor are not obliged to follow the ‘Safe Harbor’ rules after disclosure;
(c) Some US law enforcement agencies can gain access to personal data in ‘Safe Harbor’ without having any law that legitimises their access; and
(d) The European Commission knew all the above and knew that personal data was possibly being used for incompatible and disproportionate purposes by law enforcement agencies.
there is no law legitimising the interference by the National Security Agencies
Perhaps the time has come not for a revamped ‘Safe Harbor’, but for the US to adopt a Federal Data Protection Law.
Tomi Engdahl says:
Researcher messes up Wi-Fi with an rPi and bargain buy radio stick
Putrid Piper picked apart a packet for just $15
http://www.theregister.co.uk/2015/10/12/brucon_dongle_of_death/
KU Leuven Phd student Mathy Vanhoef has smashed conventional wireless security thought by creating continual, targeted and virtually indefensible stealth jamming of WiFi, Bluetooth, and Zigbee networks, and tampering with encrypted traffic, with little more than a $15 dongle.
The wireless security boffin presented his work at the BruCon conference last week and revealed his weapon of choice is a bargain WiFi dongle bought off Amazon that, when paired with a Raspberry Pi and a small amplifier, can block 2.4Ghz transmissions for up to 120 metres.
“You do not need these expensive devices – you can use a very cheap Wi-Fi dongle,” Vanhoef says.
“You have (in the 2.4Ghz spectrum) home automation systems, home security systems, sometimes industrial control systems, fancy baby monitors, car locks – and this is not wild speculation, if jammers are available thieves will use them.
“As a defender you should be at least able to detect these attacks.”
The Wi-Fi weakness lies in the fact that Wi-Fi assumes all devices play fair and will wait for transmissions to clear before sending packets. This scheme works well to ensure bandwidth is equally shared among devices, but it gives ample play room for selfish attackers.
Vanhoef says continual jamming is possible using the dongles if carrier sense is disabled and a frame is set to be continually resent.
Wi-Fi wreckers wanting to jam specific packets on the 2.4 Ghz or 5 Ghz spectra can reconstruct the header of a packet for source and destination information and stuff dummy information in the remainder.
This process of decoding the header is not easy nor 100 percent reliable and works for medium-to-large packets which allow enough time for decoding.
Tomi Engdahl says:
Is Streaming Pirated Movies Illegal? EU Court to Decide
By Ernesto on October 12, 2015
Breaking
https://torrentfreak.com/is-streaming-pirated-movies-illegal-eu-court-to-decide-151012/
Seeking clarification, a Dutch court has referred several streaming related questions to the EU Court of Justice. The questions relate to a case between local anti-piracy group BREIN and a seller of so-called “pirate boxes” that come pre-loaded with streaming plugins. It is currently unclear whether streaming pirated movies is permitted under EU law.
Online streaming continues to gain in popularity, both from authorized and pirate sources.
Unlike traditional forms of downloading, however, in many countries the legality of viewing unauthorized streams remains unclear.
In the European Union this may change in the near future.
BREIN is happy with the court’s referral and hopes that the EU Court’s ruling will bring more clarity on the streaming issue. But for now, it doesn’t plan to stop going after sellers of pirate boxes.
Tomi Engdahl says:
Jon Russell / TechCrunch:
Line Adds End-To-End Encryption To Its Mobile Messaging App
http://techcrunch.com/2015/10/12/line-adds-end-to-end-encryption-to-its-mobile-messaging-app/
Japan-based Line is finally bringing end-to-end encryption to its mobile messaging service, which is used by over 211 million people worldwide each month.
The company said today that a new security feature, dubbed ‘Letter Sealing’, will bring encryption to messages and features on the service, starting with one-on-one chats and the service’s location-sharing feature, on its mobile and desktop apps.
“This method of secure communication facilitates uncrackable encryption by scrambling the chat content with a key, which is stored only in user device instead of a centralized server. With the advanced security system, it is technically impossible for the chat content to be disclosed in the server or to a third party,” Line said in a statement.
Tomi Engdahl says:
Zack Whittaker / ZDNet:
Microsoft’s Patch Tuesday addresses critical remote code execution flaw in Internet Explorer that affects all versions of Windows since Vista
All versions of Windows affected by critical security flaw
Even Windows 10 wasn’t left out of the trifecta of monthly security patches.
http://www.zdnet.com/article/october-2015-patch-tuesday/
Microsoft has issued a “critical” patch for every supported version of Windows.
The software giant said in its monthly security bulletin as part of its so-called Patch Tuesday that Windows Vista and later, including Windows 10, require patching from a serious remote code execution flaw in Internet Explorer.
The patch, MS15-106, addresses a flaw in how Internet Explorer handles objects in memory, the company said in its advisory. If exploited, an attacker could gain access to an affected machine, gaining the same access rights as the logged-in user, such as installing programs, and deleting data.
An attacker would have to “take advantage of compromised websites, and websites that accept or host user-provided content or advertisements,” said the advisory.
Tomi Engdahl says:
You Can Learn a lot about Social Engineering from a Repo Man
http://hackaday.com/2015/10/13/you-can-learn-a-lot-about-social-engineering-from-a-repo-man/
The most vulnerable part of any secure information system is the human at the controls. Secure passwords, strong encryption, and stringent protocols are all worthless if that human can be coerced to give away the keys to the kingdom. The techniques of attacking a system through the human are collectively known as social engineering. While most of us don’t use social engineering in our day-to-day jobs, anyone can fall victim to it, so it’s always good to see this stuff in action. Some of the best examples of social engineering come from unlikely places. One of those is [Matthew Pitman].
[Matt] is one of those people we all hope we never to meet in real life. He’s a repo man. For those not familiar with the term, [Matt] is the guy who comes to pick up your car, boat or other asset when you fall behind on your loan payments.
[Matt] uses plenty of high-tech gadgetry in his line of work, everything from GPS tracking devices to drones.
About 5 years ago, [Matt] began taking videos of his repossession jobs. His motivation was not fame and fortune on the internet. The cameras came out as a way to protect him from frivolous claims.
As time went on, he started uploading some of the videos to his YouTube channel: RepoNut, which is how we found him.
Leveraging What’s (mostly) Public
Social networking services such as Facebook, Twitter, Instagram, Tinder, and Snapchat are one of the greatest boons for digging up personal data. [Matt] uses all of this to his advantage.
Follow the Phone
Spearphishing is a technique where data is obtained from a specific target by sending them an innocent looking message. That target may be a high level executive, an engineer, or someone a few payments behind on their car.
Reading People
repo4A good social engineers is flexible, ready to change their techniques at a moments notice to achieve their goal.
The goal of a repossession is not to snag a car. It’s to get the bank the money which it is owed. If a debtor can pay the money, great! If they can’t, the car is eventually sold at auction to repay the loan.
Being Sneaky
Treating People Like People
The Confidence Game
Many of the social engineering exploits from well-known hackers like [Kevin Mitnick] involve getting privileged information by just asking for it. In fact, [Kevin] has said that he never used software based exploits to gain privileges on a computer system. It’s just a matter of calling the people with the target data and either sweet-talking or scaring that data out of them.
Danger Exists
Tomi Engdahl says:
Clinton Home Servers Had Ports Open
http://politics.slashdot.org/story/15/10/13/1951232/clinton-home-servers-had-ports-open
Hillary Clinton’s home servers had more than just the e-mail ports open directly to the Internet. The Associated Press discovered, by using scanning results from 2012 “widely available online”, that the clintonemail.com server also had the RDP port open; another machine on her network had the VNC port open, and another one had a web server open even though it didn’t appear to be configured for a real site.
AP Exclusive: Clinton email server setup risked intrusions
http://bigstory.ap.org/article/467ff78858bf4dde8db21677deeff101/only-ap-clinton-server-ran-software-risked-hacking
Tomi Engdahl says:
DRM In JPEGs?
http://news.slashdot.org/story/15/10/13/2338211/drm-in-jpegs
Adding DRM to JPEG files is being considered by the Joint Photographic Expert Group (JPEG), which oversees the JPEG format. The JPEG met in Brussels today to discuss adding DRM to its format, so there would be images that could force your computer to stop you from uploading pictures to Pinterest or social media
JPEG Looking To Add DRM To Images… Supposedly To Protect Images From Gov’t Surveillance
https://www.techdirt.com/articles/20150714/06503331631/jpeg-looking-to-add-drm-to-images-supposedly-to-protect-images-govt-surveillance.shtml
There’s No DRM in JPEG—Let’s Keep It That Way
https://www.eff.org/deeplinks/2015/10/theres-no-drm-jpeg-lets-keep-it-way
The EFF attended the group’s meeting to tell JPEG committee members why that would be a bad idea. Their presentation(PDF) explains why cryptographers don’t believe that DRM works
Copyright, Code and Creativity
A Note of Caution About DRM in JPEG
https://www.eff.org/files/2015/10/13/jpeg_presentation.pdf
Tomi Engdahl says:
Half-secure not good enough for Chrome users says Google
‘Confusing’ yellow security triangle binned on imperfectly-secured pages
http://www.theregister.co.uk/2015/10/14/chrome_to_lose_that_little_yellow_triangle/
Google has stepped up its effort to make Web site security a little more comprehensible to ordinary users, farewelling the yellow triangle nobody understands.
While the decision falls under the “and it’s a good thing too” heading for security experts, there’s no doubt it will cause some angst among people whose sites include both secure and insecure elements (images, for example, are often served sans-encryption even when everything else on a page is HTTPS).
Put simply, the Chocolate Factory reckons the difference between “insecure” and “almost secure” isn’t worth highlighting, so sites with “minor errors” in HTTPS will simply show as insecure, from Chrome 46 onwards.
“Removing the yellow “caution triangle” badge means that most users will not perceive a warning on mixed content pages during such a migration. We hope that this will encourage site operators to switch to HTTPS sooner rather than later”, the Google security blog post notes.
Tomi Engdahl says:
On its way: A Google-free, NSA-free IT infrastructure for Europe
Take open source. Enlist Euro carriers. How hard was that?
http://www.theregister.co.uk/2015/10/14/for_wed_europes_googlefree_nsafree_it_infrastructure_begins_to_take_shape/
This really wasn’t in the script. All conquering, “disruptive” Silicon Valley companies were more powerful than any nation state, we were told, and governments and nations would submit to their norms. But now the dam that Max Schrems cracked last week has burst open as European companies seek to nail down local alternatives to Google, Dropbox and other Californian over-the-top players.
They don’t have much choice, says Rafe Laguna, the open source veteran at Open Xchange.
What the Schrems vs Facebook decision in the European Court means, Laguna argues, is that any data protection guarantee that a US company makes in Europe is worthless, and so any business processing a European individual’s data on US servers exposes them to lawsuits they can’t win.
“Suppose I’m a German business, and I get an agreement from Google, which says everything is good, and I put that into my file. When a customer sues me, I go to court and find that agreement isn’t worth a dime. Google cannot guarantee what they’re guaranteeing.
“This takedown of Safe Harbor will be remembered as a historical event. It’ll be patched, but it’ll be a bad patch. The real patch is you do business with a trusted supplier operating in a country whose laws you trust. And that doesn’t mean the over-the-top big boys from California,” says Laguna.
Data from consumers and businesses routinely touches dozens of US internet services – and replacing them all with European-hosted alternatives is obviously going to take time. But piece by piece, they’re getting there. What’s interesting and perhaps surprising to US readers, is that European telcos are playing in a vital role in European data independence.
Unprotected email? You must be joking
The industry-wide Trusted Email (TES) Working Group that Open Xchange helped establish is part of the vision of an independent, European open source infrastructure. Mikko Linnamäki, co-founder of Dovecot explains:
“There are 2.9 million IMAP servers on the surface of this planet. The transfer of email between them is unprotected. The storage is unprotected. it’s a total disaster. And that’s for the whole world, for 20 years. Google and Apple and Microsoft don’t care – they want everyone to come to them. There is nobody who is solving this problem, and it’s a very delicate problem. If an IMAP server’s emails are searchable, like the Sony emails were searchable, then that’s a disaster.”
OX acquired Dovecot, a tiny outfit that maintains the IMAP software used by 60 per cent of the world’s email servers, and Dutch DNS outfit PowerDNS, which provides the software for 90 per cent of the world’s secure DNS.
The intention is to encrypt email on your behalf, with the minimum of technical end-user intervention.
Tomi Engdahl says:
Pornhub thinks your smartphone choice reflects your kinks
http://www.engadget.com/2015/10/01/pornhub-phone-choice-reflects-kinks/?utm_content=gravity_organic_sitefeed&cps=gravity_1677_7242124846758996766
Much like OK Cupid, Pornhub has access to a large repository of data concerning our most private and intimate desires. Every now and again, both sites like to reveal some statistics about what we like to get up to when nobody else is watching.
If you needed any more evidence that the smartphone is the dominant computing platform, then Pornhub’s figures should probably convince you. Back in 2010, desktop browsing accounted for 88 percent of the site’s traffic, but in 2015, that figure has fallen to just 37 percent. The rest of that figure is now accounted for by Android and iOS, with a near perfect split between the two (Android has 32 percent, iOS has 31). The company has also tracked the duration of each visit, and while the average iOS user lingering on the site for 8 minutes and 40 seconds — Android fans hang around for 10 minutes and six seconds.
The choices of content that people choose are different, too, and Pornhub believes that there’s a link between the phone you own and the sort of porn you look for.
Tomi Engdahl says:
New Flash Vulnerability Being Exploited In the Wild
http://tech.slashdot.org/story/15/10/13/2228210/new-flash-vulnerability-being-exploited-in-the-wild
Researchers from Trend Micro report a new attack on fully-patched versions of Adobe Flash. The attacks originate from an espionage campaign run by the group known as Pawn Storm, and seem to target only government agencies.
New Adobe Flash Zero-Day Used in Pawn Storm Campaign Targeting Foreign Affairs Ministries
http://blog.trendmicro.com/trendlabs-security-intelligence/new-adobe-flash-zero-day-used-in-pawn-storm-campaign/
It’s worth noting that the URLs hosting the new Flash zero-day exploit are similar to the URLs seen in attacks that targeted North Atlantic Treaty Organization (NATO) members and the White House in April this year.
Foreign affairs ministries have become a particular focus of interest for Pawn Storm recently.
Tomi Engdahl says:
New zero-day exploit hits fully patched Adobe Flash
Attacks used to hijack end users’ computers when they visit booby-trapped sites.
http://arstechnica.com/security/2015/10/new-zero-day-exploit-hits-fully-patched-adobe-flash/
Attackers are exploiting a previously unknown vulnerability in fully patched versions of Adobe’s Flash Player so they can surreptitiously install malware on end users’ computers, security researchers warned Tuesday.
So far, the attacks are known to target only government agencies as part of a long-running espionage campaign carried out by a group known as Pawn Storm, researchers from antivirus provider Trend Micro said in a blog post published Tuesday. It’s not unusual for such zero-day exploits to be more widely distributed once the initial element of surprise wanes. The critical security flaw is known to reside in Flash versions 19.0.0.185 and 19.0.0.207 and may also affect earlier versions.
http://blog.trendmicro.com/trendlabs-security-intelligence/new-adobe-flash-zero-day-used-in-pawn-storm-campaign/
Tomi Engdahl says:
GCHQ can and will spy on politicos, rules tribunal
What about protection for whistleblowers? – MP
http://www.theregister.co.uk/2015/10/14/wilson_doctrine_gchq_can_will_spy_politicos/
The Investigatory Powers Tribunal (IPT) has ruled that GCHQ is allowed to collect the communications of MPs.
An IPT announcement stated that it “heard and resolved issues relating to the status, meaning and effect of what has been called the Harold Wilson Doctrine, or the Wilson Doctrine, originating in the statement in the House of Commons on 17 November 1966 by the Rt Hon Harold Wilson, the then Prime Minister.”
Wilson promised that MPs’ and peers’ phones would not be tapped by the security services. However, he also said that he might secretly remove this rule, and only tell parliament that he had done so at some later point decided by him.
Tomi Engdahl says:
Xen 4.6 lands, complete with NSA-penned security code
Spookhaus helped to implement virtual trusted platform module version 2.0
http://www.theregister.co.uk/2015/10/14/nsapenned_security_code_can_be_yours_for_free/
The Xen Project has released version 4.6 of its eponymous hypervisor.
The main eyebrow-raiser in the new release will probably be the US National Security Agency’s contribution of code to deliver support for version 2.0 of the Virtual Trusted Platform Module (vTPM). The TPM is the Trusted Computing Group’s secure storage and cryptographic standard that Intel uses in its Trusted Execution Technology product that helps users to verify that a workload is running on the physical server they desire. vTPM makes TPM available to guest VMs, so support for version 2.0 of the standard is a welcome addition to Xen.
The NSA has a long history of Xen contributions. Citrix dominates the effort with Suse a distant second and Intel in third, among organisations.
Tomi Engdahl says:
UK cyber cops warn of a Dridex banking malware nightmare
Lock up your daughters, and computers
http://www.theinquirer.net/inquirer/news/2430341/uk-cyber-cops-warn-of-a-dridex-banking-malware-nightmare
THE UK NATIONAL CRIME AGENCY (NCA) has looked up from its desk and warned the population about the threat of the Dridex malware and its bad intentions concerning your money.
Dridex, which is known in some circles as Bugat or Cridex, isn’t new, but its arrival on these shores in a big way is a worry.
The NCA certainly thinks so, and has released a kind of warning klaxon about the web-based threat. It reckons that there are thousands of infected computers in the UK, and that the people who own them are clueless about the problem.
“Computers become infected with Dridex malware when users receive and open documents in seemingly legitimate emails. The NCA assesses that there could be thousands of infected computers in the UK, the majority being Windows users,” added the information.
Tomi Engdahl says:
Business is turning to AI to fight the bad guys
Plugging the gap between incident and response through machine learning
http://www.theinquirer.net/inquirer/feature/2430238/business-is-turning-to-ai-to-fight-the-bad-guys
INSECURITIES ARE TURNING SOME organisations in the direction of artificial intelligence (AI).
Japan is a hotspot for this investment focus, and organisations including NTT DoCoMo and SoftBank are where the money is being spent on AI tech and security solutions.
The Wall Street Journal has SoftBank investing a reported $50m in an Israeli security startup called Cybereason that offers detailed anaysis and comprehensible consoles.
Cybereason describes itself as a kind of digital hunter, though grounds keeper would serve just as well. It uses AI to study network activity and detect malicious acts. It’s claim is that it will alert firms to attacks, infection and malicious behaviour, as early as possible and save themselves from discovery, embarressment and financial costs months later.
The Nikkei news site explains that NTT is also putting a spin on security, and is almost ready to launch a new solution that can learn from network traffic patterns and learn to spot malware and its evasion tactics. The service will launch next year, according to the report, and will be efficient at tackling 99 percent of threats.
“In recent tests, NTT Com confirmed that Time-series Deep Learning can analyse video images taken with network cameras to distinguish between specific motions, such as people crouching, acting restlessly or moving things. Specific motions were identified with more than 80 percent accuracy.”
“Existing technology mainly uses static images to analyse 2D vertical and horizontal data. Time-series Deep Learning detects motions more precisely using 3D data by adding a time axis,” the firm explained.
“It can also analyse IoT data as it changes over time, such as temperatures or voltages recorded with sensors.”
Tomi Engdahl says:
Rapid7 inhales cloudy machine data search firm Logentries
Metasploit maker goes deeper into compliance
http://www.theregister.co.uk/2015/10/14/rapid7_logentries_deal_metasploit/
Rapid7 has bought cloud-based machine data search and log company Logentries for $68m in cash and equity, allowing Rapid7 to add that functionality to its widely used penetration testing tool Metasploit.
Adding disruptive log management and efficient, fast search will give corporate security teams the ability to deeply investigate incidents and meet compliance requirements more efficiently, according to Rapid7.