Security trends for 2015

Year 2014 is coming to an end, so it is time to look forward to what to expect from 2015 in cyber security.

Cyber security will get harder year by year. Year 2014 was much worse than 2013. Heartbleed, Bash, and POODLE vulnerabilities were just the beginning of what to expect in 2015. I expect that year 2014 was easy compared to what year 2015 will be. 2015 will prove to be a challenging year for IT security professionals. Attacks can happen anywhere and anytime, and they don’t have to be major attacks by nation states. They could come from inside or outside.

According to Gartner and SecurityWeek, total information security spending will grow a further 8.2 percent in 2015 to reach $76.9 billion. Unfortunately, security investments are not keeping up with IT enhancements that are continuously widening our attack surface and making systems more vulnerable. As computer software has become the backbone of modern civilization, “hacktivists”, organized cyber criminals, state-sponsored cyber attackers, and terrorist organizations try to exploit design flaws and weaknesses in applications in order to embarrass corporations and government agencies, and to commit fraud.

Despite the high profile CryptoLocker takedown, ransomware scams remain an all-too-real threat. Crooks are developing more sophisticated encryption schemes to support their fraud.

The steady flow of software security issues will keep making headlines in 2015. Serious security flaws will be found in both open source and proprietary software.

Many people are looking for a good process to develop secure software, because after-the-fact band-aiding is not a sustainable approach. If the same methods continue to be used to develop software, with tests added retrospectively, there will only be a very modest reduction in the flow of problems. Processes for developing reliable and secure networking software exist, but they have yet to be broadly applied. Traditional methods used to develop software continue to result in high failure rates. Why create insecure security?

Year 2014 was a year of cybersecurity after the NSA revelations made in 2013. There were lots of articles related to the material published. Not everything has yet been published, so I would expect some new details of the NSA revelations to be published in 2015 as well. So I expect some new information leaks on how governmental security organizations spy on us all.

It seems like year 2014 has almost been “The Year of PoS Breaches.” Can we learn from big breaches? At least companies will also face more stringent regulations: the new Payment Card Industry Data Security Standard 3.0 (PCI 3.0) will be mandatory for all businesses that store, process or transmit payment card information beginning 1 January 2015. The revamped standard includes requirements aimed at third party providers. The changes follow a string of high profile breaches. I expect that those new requirements will not result in any quick change to the situation. As breach reports keep coming in constantly, consumers are officially starting to get breach fatigue, and banks are taking breached companies to court to pay for the damages caused to them.

Public and private organizations are facing an increasing frequency and sophistication of cyber-attacks and security breaches – many of which are only discovered after the fact. McAfee Labs’ 2015 Threats Predictions report is an eye-opening read which forecasts increased levels of crime, espionage and warfare operations. Cybercriminals are expected to use more sophisticated methods to remain hidden on a victim’s network, carrying out long-term theft of data without detection.

The article Get Ready For The Hack Attack That Drives A Big Company Out Of Business predicts that 2015 will be the year that some company goes out of business because it didn’t plan adequately for an attack. In the past, the most sophisticated hacks against companies were carried out by big nation-states or criminal organizations. In 2014 the Sony Pictures hack happened and showed that the motives of sophisticated hackers have changed from self-gain to destruction. Many company officers are only now becoming aware of the threat (boards of directors and C-level officers have traditionally been focused on other threats). A computerized attack can cause a lot of damage to a well prepared company, and can turn a not so well prepared company into a complete disaster from which it can’t recover. The Sony attack opens new doors of risk in the area of corporate extortion.

As the Internet of Things becomes more and more used, it will be hacked more. Thus the security of the Internet of Things will be talked about more and more. IoT is one field where cyber security flaws can kill. The European Police Office (Europol) said governments are ill-equipped to counter the menace of “injury and possible deaths” spurred by hacking attacks on critical safety equipment. Many potential dangers are in transportation: many new cars are Internet connected and potentially vulnerable, SCADA systems in railways are vulnerable to attack, and airline bosses ignore cyber security concerns at their peril. Whether it is an unintentional cyber incident or a deliberate attack, security continues to be a vital part of the automation industry and it will remain, with safety, a growing area of concern for manufacturers in the coming years. Security awareness is on the rise throughout the industry. Security is becoming a business enabler that can provide manufacturers more than just an insurance policy.

Soon, almost every network will have IoT hacking in it. IDC predicts that within two years 90 per cent of global IT networks will have experienced IoT data theft. In a report, cybersecurity firm Fortinet expects greater threats from “denial of service attacks on assembly line, factory, industrial control systems, and healthcare and building management…resulting in revenue losses and reputation damages for organizations globally.” This opens new doors of risk in the areas of corporate extortion, altering of corporate business operations, and the extension of cyberattacks to include physical threats of harm to civilians.

Cyber warfare is becoming more and more attractive to small nations and terrorist groups. Enabled by Internet connectivity, cyber war provides more bang for the buck than investment in conventional weapons. It is cheaper for, and far more accessible to, these small nation-states than conventional weapons. It allows these countries to pull off attacks without as much risk of getting caught and without the repercussions when they are caught. There are many reasons why a nation-state or non-nation entity would pursue a cyber war program, and today many countries large and small invest in cyber warfare. Recent cyber attacks suggest that fewer resources are required to wage an attack than to defend against one. As the whole world gets connected, it just provides the details that make these attacks possible. In the not-too-distant future, warfare with traditional weaponry may take a backseat to potentially more destructive tactics: computer code attacking the companies and infrastructures, including electric grids and oil and gas pipelines, that society relies on.

It was estimated that the first online murder would happen in 2014. It did not seem to happen in 2014 as far as I know. I think it is likely that an online murder can happen in 2015. There are tools available for this to happen. Cyber-murder can happen without us knowing about it.

Mobile devices will be one of the focal points for cyber-attackers in 2015, as they present relatively easy, low-risk points of entry that can be monitored remotely for passwords, account numbers, and personal identification data. It is still relatively easy to publish malicious applications to application stores. Within the next year advanced mobile exploit kits will become available.

Mobile devices will start to play a part in denial of service attacks. Vietnam, India and Indonesia will be the distributed denial of service volcanoes of next year due to the proliferation of pwned mobiles.

Year 2014 brought encryption to mainstream smart phones (new encryption features from Apple Inc. and Google Inc). In 2015 government organizations will try to tackle a very modern problem: password-protected encrypted cellphones. It will be a fight over surveillance as everyone starts to implement encryption.

Long predicted but always seeming to be “just around the corner,” mobile payments may finally have arrived. For the coming mobile payment revolution, the underlying technologies – and alternative solutions – have been emerging for some time. Technologies playing a supporting role in this shift include encryption advances, digital currencies, biometrics, NFC, Bluetooth, QR codes, and even the use of sound wave data transfer. There will also be products marketed to prevent the different kinds of potential threats the new technologies can cause.

There is a never-ending battle between good and evil in the cyber world. Various types of attacks are successful because they are well-disguised, blend different techniques, and constantly evolve. You need layered security – it’s not just for networks. Use a layered security architecture that supports a combination of defenses in ways attackers don’t expect and that continuously evolves protections to keep up with dynamic attacks. Traditionally these approaches have been focused on the network, but they can and should be applied to other parts of the IT system as well (start from email gateways). Email is the preferred channel for business communications and thus continues to be a vector of choice for attackers.

Threat information sharing will become necessary for survival. Security controls (SANS critical controls, ISO/IEC 27002, NIST Cybersecurity Framework, and the Cloud Controls Matrix) are safeguards that counteract or minimize security risks relating to digital property. The more you can automate a control, the better off you will be. Moving towards an adaptive and automated way of applying intelligence based on behavior and heuristics is clearly a step in the right direction to enable a more actionable and relevant set of controls. Threat intelligence coming from a variety of sources (security companies, the government and the open source community) is needed. Key to success is publishing intelligence in standard data structures (STIX, TAXII and other industry formats) that describe threats in a way that can be aggregated and understood by others.
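To make the “aggregated and understood by others” part concrete, here is an added example (not code from the original post) that indexes the comparison expressions of a small STIX indicator feed and runs them over constructed proxy log lines. It assumes the STIX 2.1 JSON object layout and only the equality/OR subset of the STIX pattern language; every indicator value and log line is constructed sample data.

```python
"""Match a small STIX 2.1 indicator feed against constructed proxy log lines.

Added example, not code from the original post. Assumes the STIX 2.1 JSON
layout and only the equality/OR subset of STIX patterns; all values below
are constructed sample data, not real indicators.
"""
import json
import re
from typing import Dict, List, Tuple

# Constructed STIX 2.1 bundle with two indicators (sample data, not real IoCs).
STIX_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--00000000-0000-4000-8000-000000000002",
            "created": "2015-01-05T00:00:00.000Z",
            "modified": "2015-01-05T00:00:00.000Z",
            "name": "Constructed ransomware C2 address",
            "pattern": "[ipv4-addr:value = '203.0.113.7']",
            "pattern_type": "stix",
            "valid_from": "2015-01-05T00:00:00Z",
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--00000000-0000-4000-8000-000000000003",
            "created": "2015-01-05T00:00:00.000Z",
            "modified": "2015-01-05T00:00:00.000Z",
            "name": "Constructed phishing domains",
            "pattern": "[domain-name:value = 'pay-now.example' "
                       "OR domain-name:value = 'invoice.example']",
            "pattern_type": "stix",
            "valid_from": "2015-01-05T00:00:00Z",
        },
    ],
})

# Constructed proxy log lines: timestamp, client IP, destination IP, host ("-" if none).
SAMPLE_LOGS = [
    "2015-01-06T09:00:01Z 10.0.0.12 198.51.100.20 www.example.org",
    "2015-01-06T09:00:05Z 10.0.0.12 203.0.113.7 -",
    "2015-01-06T09:01:10Z 10.0.0.33 198.51.100.44 invoice.example",
    "2015-01-06T09:02:00Z 10.0.0.33 198.51.100.45 mail.example.org",
]

# One STIX comparison expression, e.g.  ipv4-addr:value = '203.0.113.7'
_COMPARISON = re.compile(r"([\w-]+:[\w.-]+)\s*=\s*'([^']*)'")


def parse_pattern(pattern: str) -> List[Tuple[str, str]]:
    """Return (object_path, value) pairs from an OR-joined equality pattern.

    Anything outside that subset (AND, FOLLOWEDBY, qualifiers, nested
    brackets) raises, so an indicator is never silently matched wrongly."""
    body = pattern.strip()
    if not (body.startswith("[") and body.endswith("]")) or "[" in body[1:]:
        raise ValueError("unsupported pattern: %s" % pattern)
    body = body[1:-1]
    if re.search(r"\b(AND|FOLLOWEDBY|WITHIN|REPEATS|START|STOP)\b", body):
        raise ValueError("unsupported operator in pattern: %s" % pattern)
    matches = [_COMPARISON.fullmatch(part.strip()) for part in body.split(" OR ")]
    if any(m is None for m in matches):
        raise ValueError("could not parse pattern: %s" % pattern)
    return [(m.group(1), m.group(2)) for m in matches]


def load_indicators(bundle_json: str) -> Dict[Tuple[str, str], List[str]]:
    """Index every (object_path, value) pair to the indicator ids carrying it."""
    index: Dict[Tuple[str, str], List[str]] = {}
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue  # skip relationships, malware objects, non-STIX patterns
        for key in parse_pattern(obj["pattern"]):
            index.setdefault(key, []).append(obj["id"])
    return index


def match_logs(bundle_json: str, log_lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (log_line, observed_value, indicator_id) for every indicator hit."""
    index = load_indicators(bundle_json)
    hits = []
    for line in log_lines:
        _ts, _client, dst_ip, host = line.split()
        observed = [("ipv4-addr:value", dst_ip)]
        if host != "-":
            observed.append(("domain-name:value", host))
        for key in observed:
            for indicator_id in index.get(key, []):
                hits.append((line, key[1], indicator_id))
    return hits


if __name__ == "__main__":
    for line, value, indicator_id in match_logs(STIX_BUNDLE, SAMPLE_LOGS):
        print("HIT %s -> %s in: %s" % (value, indicator_id, line))
```

Because the parser refuses any pattern operator it does not implement, a richer feed fails loudly at load time instead of quietly producing partial matches.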

More and more organizations are moving applications and data to IaaS/PaaS environments. Many enterprise IT departments have reason for concern: industry experts agree that moving sensitive data into the hands of third-party cloud providers expands and complicates the risk landscape in which companies operate every day. You need to understand cloud database security basics and more.

Today major players are embracing end-to-end encryption, so that about 50% of web traffic is carried by HTTPS. HTTPS-everywhere will get a boost in 2015 as a new certificate authority – backed by big names on the internet including Mozilla, Cisco and Akamai – plans to offer SSL certificates at no charge starting summer 2015. This move will make it even easier for people to run encrypted, secure HTTPS websites.

Google is proposing to warn people that their data is at risk every time they visit websites that do not use HTTPS. If implemented, the change would mean that a warning would pop up when people visited a site that used only HTTP, notifying them that such a connection “provides no data security”. In the short term, the biggest headache is likely to be faced by website operators, who will feel forced to migrate unencrypted HTTP websites to encrypted HTTPS.

You can’t trust that normal web security technologies will guarantee safety. Your HTTPS security will be manipulated more than before. End-to-end HTTPS is generally a good security addition for end users, but it does not solve all the problems. The increased use of HTTPS has made the life of IT departments harder, because normal firewalls can’t look at what is inside encrypted HTTPS packets, so they can’t block potential security threats that are carried within HTTPS packets. There are special corporate firewall arrangements that can intercept HTTPS traffic (they perform a kind of man-in-the-middle attack that decrypts and re-encrypts the packets on the way). So SSL communications can be intercepted and broken.


3,110 Comments

  1. Tomi Engdahl says:

    The State of Security this Past Year is a Just a Glimpse of What’s to Come in 2015
    http://www.securityweek.com/state-security-past-year-just-glimpse-what%E2%80%99s-come-2015

    2014 was quite the year. From the string of major data breaches leading to reputational damage, to large-scale cloud hacks creating distrust in cloud-based services, who would’ve predicted the past year would be as eventful as it was, security-wise? Well, as we enter the New Year, it’s time to reflect on these latest occurrences and consider what they may lead to in the year that lies ahead.

    Securing the Internet of Things

    As more devices are connected to the Internet and as BYOD continues to dominate the workplace, we are likely to see attackers follow as the potential for attacks only increases.

    The Black Market Continues to Grow and Mature

    In 2014, we saw that along with the increase of connected devices and data breaches, hacker black markets reached a significant level of skill and maturity. In 2015, we are likely to see the continued expansion and maturity of hacker black markets. Fueled by the continued vulnerability of point of sale systems and an influx of cloud services, the market opportunity for economically motivated attackers will continue to grow.

    Data Science Spreads to Security

    With the continued focus of the industry on providing better and more actionable threat intelligence this year, we are likely to see a rise in demand of data scientists in security. While already in high demand in other fields, the need for data scientists capable of making more accurate and effective correlations of threat data will increase. The companies capable of best applying data science to security will find competitive differentiation in the marketplace by being able to deliver more reliable and useful intelligence about attacks and attackers.

  2. Tomi Engdahl says:

    New York Times:
    Winklevoss Twins Aim to Take Bitcoin Mainstream With a Regulated Exchange

    Winklevoss Twins Aim to Take Bitcoin Mainstream
    http://dealbook.nytimes.com/2015/01/22/winklevoss-twins-aim-to-take-bitcoin-mainstream-with-a-regulated-exchange/

    Bitcoin, the virtual currency that was once the talk of the financial world, has been taking a beating over the last year with the price tumbling downward.

    Now two of the biggest boosters of the virtual currency, Cameron and Tyler Winklevoss, are trying to firm up support by creating the first regulated Bitcoin exchange for American customers — what they are calling the Nasdaq of Bitcoin.

    “Right now we have to build the infrastructure,” Tyler Winklevoss said. “You have to walk before you run.”

    Since being brought into existence in 2009, by a creator going by the name of Satoshi Nakamoto, Bitcoin has become a technology and financial industry phenomenon. Many major Bitcoin companies, however, were founded by people with little previous financial experience. Bitcoins themselves are stored on a decentralized database run by the currency’s users, and can be bought and sold by anybody.

    This week, an American Bitcoin company, Coinbase, a kind of retail brokerage firm, announced a $75 million financing round — the biggest ever for a Bitcoin start-up — with backing from the New York Stock Exchange and the Spanish bank BBVA.

    But exchanges, where traders can meet to buy and sell Bitcoins for dollars and euros, have proved to be the biggest vulnerability for Bitcoin.

    The first major Bitcoin exchange, Mt. Gox in Japan, lost hundreds of millions of dollars and went bankrupt last year. Earlier this month, a security breach at another prominent exchange in Europe, Bitstamp, was the latest reminder of the risks, and helped push the price of a Bitcoin below $200 from a peak above $1,200 in late 2013.

  3. Tomi Engdahl says:

    Panicked teen hanged himself after receiving ransomware scam email
    Autistic student ‘probably didn’t understand’, court hears
    http://www.theregister.co.uk/2015/01/23/autistic_teen_joseph_edwards_ransomware_scam_suicide_tragedy/

    A 17-year-old college student who suffered from autism hanged himself after receiving a ransomware scam.

    Joseph Edwards was alarmed after receiving an email that falsely claimed he’d been spotted browsing illegal websites and needed to pay £100 (payable in Ukash electronic money) or face being prosecuted. The email pushing the well-known police ransomware scam also downloaded malware that locked up his laptop once it was opened.

    Police ransomware of this type does not encrypt files and is normally much easier to purge from infected systems, a factor that underlines the tragedy of what transpired.

    Edwards was so distressed by the accusation and the extortionate demand that he took his own life hours after falling victim to the cruel scam on 6 August last year.

    “Joseph was subjected to a scam on the internet, a threatening, fake police link that was asking for money,”

    The tragedy is mercifully rare but not unprecedented. Last year a Romanian “ransomware victim” hanged himself and his four-year-old son.

  4. Tomi Engdahl says:

    Views of the NSA Little Changed from 2013

    NSA Viewed More Favorably By Those Under 30 Than Adults 65 and Older

    Favorability ratings for the National Security Agency (NSA) have changed little since the fall of 2013, shortly after former NSA analyst Edward Snowden’s revelations of the agency’s data-mining activities. About half (51%) view the NSA favorably, compared with 37% who have an unfavorable view.

    Young people are more likely than older Americans to view the intelligence agency positively. About six-in-ten (61%) of those under 30 view the NSA favorably, compared with 40% of those 65 and older.

    Adults with a post-graduate degree have mixed views of the NSA (45% favorable vs. 43% unfavorable). Among those with less education, favorable opinions of the NSA outnumber unfavorable views.

    Source: http://www.people-press.org/2015/01/22/most-view-the-cdc-favorably-vas-image-slips/#views-of-the-nsa-little-changed-from-2013

  5. Tomi Engdahl says:

    US Gas Stations Exposed to Cyberattacks: Researchers
    http://www.securityweek.com/us-gas-stations-exposed-cyberattacks-researchers

    Malicious actors could theoretically shut down more than 5,300 gas stations in the United States because the automatic tank gauges (ATGs) used to monitor fuel tanks are easily accessible via the Internet.

    ATGs are electronic devices that monitor fuel level, temperature, and other parameters in a tank. The devices alert operators in case there is a problem with the tank, such as a fuel leak.

    “Many ATGs can be programmed and monitored through a built-in serial port, a plug-in serial port, a fax/modem, or a TCP/IP circuit board. In order to monitor these systems remotely, many operators use a TCP/IP card or a third-party serial port server to map the ATG serial interface to an internet-facing TCP port. The most common configuration is to map these to TCP port 10001,” Rapid7’s HD Moore noted in a blog post.

    Based on an Internet-wide scan targeting the TCP port 10001, Rapid7 has determined that roughly 5,800 ATGs are accessible via the Internet and without a password to protect them against unauthorized access.

    According to Moore, malicious hackers who have access to the serial interface of an ATG can spoof reported fuel levels, generate false alarms, and perform other actions that could lead to the gas station being shut down.

    The Internet of Gas Station Tank Gauges
    https://community.rapid7.com/community/infosec/blog/2015/01/22/the-internet-of-gas-station-tank-gauges

    How serious is this?

    ATGs are designed to detect leaks and other problems with fuel tanks. In our opinion, remote access to the control port of an ATG could provide an attacker with the ability to reconfigure alarm thresholds, reset the system, and otherwise disrupt the operation of the fuel tank. An attack may be able to prevent the use of the fuel tank entirely by changing access settings and simulating false conditions, triggering a manual shutdown. Theoretically, an attacker could shut down over 5,300 fueling stations in the United States with little effort.

  6. Tomi Engdahl says:

    Hackers Target Malaysia Airlines, Threaten Data Dump
    http://www.securityweek.com/lizard-squad-hackers-target-malaysia-airlines-website

    Kuala Lumpur – The Malaysia Airlines website was commandeered Monday by hackers who referenced Islamic State jihadists and claimed to be from the “Lizard Squad”, a group known for previous denial-of-service attacks.

    It was not clear why the troubled airline was targeted but the hacking group said on its Twitter feed that it was “Going to dump some loot found on malaysiaairlines.com servers soon.”

    Visitors to the website were re-directed to another page bearing an image of a tuxedo-wearing lizard and reading “Hacked by LIZARD SQUAD — OFFICIAL CYBER CALIPHATE”.

    Media reports said versions of the website takeover in some regions included the wording “ISIS will prevail”.

    Concerns over IS have spiked in Malaysia after scores of its citizens were lured to the Syrian jihad.

  7. Tomi Engdahl says:

    Davos Elites Warned About Catastrophic Cyberattacks
    http://www.securityweek.com/davos-elites-warned-about-catastrophic-cyberattacks

    Davos, Switzerland – Attacks on power plants, telecommunications and financial systems, even turning all of Los Angeles’ traffic lights green: Davos elites were warned Saturday of the terrifying possibilities of modern cyber terrorism.

    Eugene Kaspersky, who heads the Kaspersky Lab security group, said the possibilities of individuals being hacked would only increase in future as more devices, such as “smart” televisions, are hooked up to the Internet.

    “What you call the Internet of Things, I call the Internet of Threats,” he told the assembled global political and business movers-and-shakers.

    “The worst of the worst scenarios is an attack on a big infrastructure, a power plant. If there’s no power, the rest of the world doesn’t work,” Kaspersky cautioned.

    Estonian President Toomas Hendrik Ilves said that criminals could bring about chaos in a much lower-level way.

    “You can wreak havoc in all kinds of ways,” said Ilves, who added that it was the duty of governments to give citizens powerful encryption tools to protect their data.

    He told an anecdote about traffic authorities in Los Angeles who went on strike and also set all the lights to red, sparking gridlock.

    “But what if someone turned all the lights green?” he asked.

    In the wake of the cyberhack on Sony late last year, cybersecurity has been a hot button topic at the four-day World Economic Forum in the swanky Swiss ski resort.

    The conclusion, in Ilves’s words: “Basically nothing is safe.”

    Jean-Paul Laborde, head of the UN’s counter-terrorism unit, pointed to increasing links between organised crime and extremist groups such as Islamic State, which he said were now combining to launch cyberattacks on authorities.

    “They even attack now … in a low key way … police infrastructure, in order to block police action against them outside their territories,” said Laborde.

    Smith also warned of the dangers of putting in so-called “backdoors” to messaging systems, as urged recently by British Prime Minister David Cameron to keep track of potentially criminal activity.

    “The path to Hell starts at the back door. You should not ask for back doors. That compromises protection for everyone for everything,” stressed the executive.

  8. Tomi Engdahl says:

    New Technology Detects Cyberattacks By Power Consumption
    http://www.eetimes.com/author.asp?section_id=36&doc_id=1325409&

    Startup’s “power fingerprinting” approach catches stealthy malware within milliseconds in DOE test.

    A security startup launching early next week uses trends in power consumption activity, rather than standard malware detection, to spot cyberattacks against power and manufacturing plants. The technology successfully spotted Stuxnet in an experimental network before the malware went into action.

    PFP Cybersecurity, which officially launches on Monday and was originally funded by DARPA, the Defense Department, and the Department of Homeland Security, basically establishes the baseline power consumption of ICS/SCADA equipment such as programmable logic controllers (PLCs), supervisory relays, or other devices and issues an alert when power consumption or RF radiation changes outside of their baseline usage occur. Such changes could be due to malware, as well as to hardware or system failures, for instance.

    Joe Cordaro, advisory engineer with SRNL, says the PFP system right away found small changes to the code on the PLC while it was dormant.

    SRNL also plans to test the technology on protective relay devices, which form the backbone of the power grid.

  9. Tomi Engdahl says:

    Wide-Spread SSD Encryption is Inevitable
    http://www.eetimes.com/document.asp?doc_id=1325401&

    The recent Sony hack grabbed headlines in large part due to the political fallout, but it’s not the first corporate enterprise to suffer a high profile security breach and probably won’t be the last.

    Regardless, it’s yet another sign that additional layers of security may be needed as hackers find ways to break through network firewalls and pull out sensitive data, whether it’s Hollywood secrets from a movie studio, or customer data from retailers such as Home Depot or Target. And sometimes it’s not only outside threats that must be dealt with; those threats can come from within the firewall.

    While password-protected user profiles on the client OS have been standard for years, self-encrypting SSDs are starting to become more appealing as they allow for encryption at the hardware level, regardless of OS, and can be deployed in a variety of scenarios, including enterprise workstations or in a retail environment.

    In general, SSDs are becoming more common. SanDisk, for example, is bullish about adoption by average notebook users,

    A survey by the Storage Networking Industry Association presented at last year’s Storage Visions Conference found users lacked interest in built-in encryption features for SSDs, particularly in the mobile space.

    Ritu Jyoti, chief product officer at Kaminario, said customers are actually requesting encryption as a feature for its all-flash array, but also voice concerns about its effect on performance. “They do ask the question.” Customers in the financial services sector in particular are looking for encryption on their enterprise SSDs, she said, driven by compliance demands, as well as standards outlined by the National Institute of Standards and Technology.

    Jyoti said SEDs and encryption of all-flash arrays have become a growing trend in the enterprise. “They are going to become the defacto standard very quickly.”

    George Crump, president and founder of research firm Storage Switzerland, recently blogged about Kaminario’s new all-flash array and addressed its new features, including encryption, which he wrote is critical for flash systems in particular because of the way controllers manage flash. “When NAND flash cell wears out the flash controller, as it should, it marks that cell as read-only. The problem is that erasing a flash cell requires that null data be written to it,” he wrote. “But how do you do that if the flash controller had previously marked the cell as read-only? If you can’t erase the data, but you can read it, then some enterprising data thief may be able to get to your data.”

    Crump noted that some vendors have special utilities they claim will override this setting to make sure the erasure can be done, but he has yet to see any guarantee this is the case.

  10. Tomi Engdahl says:

    Jon Southurst / CoinDesk:
    Coinbase to launch first regulated US bitcoin exchange on Monday, approved by half of all state regulators

    Coinbase Secures Approval to Launch Regulated US Bitcoin Exchange
    http://www.coindesk.com/coinbase-secures-approval-launch-regulated-us-bitcoin-exchange/

    Bitcoin services provider Coinbase is set to launch a US exchange on Monday – one reportedly already approved by regulators in 24 jurisdictions, including California and New York.

    Coinbase has until now acted largely as a brokerage for bitcoin users. By expanding into this new vertical the company will be able to “offer greater security for individuals and institutions to trade bitcoin and monitor real-time pricing of the cryptocurrency”, the company told the Wall Street Journal.

    “Our goal is to become the world’s largest exchange,”

  11. Tomi Engdahl says:

    Patrick Tucker / Defense One:
    Obama’s cyber plan raises questions about data anonymization, chilling effects for researchers

    What the Cyber Language in the State of the Union Means to You
    http://www.defenseone.com/technology/2015/01/what-cyber-language-state-union-means-you/103425/

    On Tuesday night, President Barack Obama appeared before the American people and again acknowledged digital data theft and data destruction as one of the most important issues facing the nation. “No foreign nation, no hacker, should be able to shut down our networks, steal our trade secrets, or invade the privacy of American families, especially our kids.”

    It was a rallying cry for greater “cyber security.” But according to many security experts, “security” and the specific cyber-security proposal the president unveiled last week could be a pretext for expanded, unchecked surveillance that may not actually make the nation safer. The ideas in the proposal face no strong political resistance especially since the information collection organism would not be the government itself but rather private companies reporting user information to the government.

    The chief of the NSA’s Tailored Access Division Robert Joyce, has described the Sony hack as a key moment that will fundamentally change the way the United States deals with the murky threat posed by shadowy enemies with laptops. It was, in popular if clichéd Washington, D.C. parlance, “a game changer.” Joyce was not alone in that assessment.

    “We had seen cyber attacks but we’ve never seen a nation-state…destroy data,”

    CISPA would give companies the freedom to share user data with DHS where the info could then go to virtually any other law enforcement agency for use in any investigation related to crimes from drug trafficking to copyright infringement. It sent a clear message to some of America’s biggest companies: “We need you to do our spying for us.”

    “The White House proposal relies heavily on privacy guidelines that are currently unwritten. What these guidelines say and when they are applied will be critical to protecting Internet users. Privacy protections and use restrictions must be in effect before information sharing occurs,”

    The single section that makes the White House proposal somewhat more palatable than CISPA is the provision demanding that user data “establish a process to anonymize and safeguard information.”

    But anonymization may offer false reassurance. In fact, researchers have shown that anonymization of data is something of a joke.

    “I agree, 100 percent. The way the data comes in, there isn’t a whole lot of benefit. Why make a law that says anonymize it,” said Robert Twitchell, CEO of Dispersive Technologies.

    One of the key benefits of sharing cyber information with other investigative bodies is affixing attribution, which permanent anonymization would undermine.

    Reply
  12. Tomi Engdahl says:

    Quinn Norton / Medium:
    Barrett Brown sentence shows increasing dangers of security journalism, and why reporters should step back until laws are fixed — We Should All Step Back from Security Journalism — I’ll Go First — I started studying the computer underground back when I worked in tech, as an early web developer, in the mid 1990s.

    We Should All Step Back from Security Journalism
    I’ll Go First
    https://medium.com/message/we-should-all-step-back-from-security-journalism-e474cd67e2fa

    Barrett Brown’s Case

    Part of Barrett Brown’s 63 month sentence, issued yesterday, is a 12 month sentence for a count of Accessory After the Fact, of the crime of hacking Stratfor. This sentence was enhanced by Brown’s posting a link in chat and possessing credit card data. This, and a broad pattern of misunderstanding and criminalizing normal behavior online, has led me to feel that the situation for journalists and security researchers is murky and dangerous.

    I am stepping back from reporting on hacking/data breach stories, and restricting my assistance to other journalists to advice.

    I can’t look at the specific data another journalist has, and I can’t pass it along to a security expert, without feeling like there’s risk to the journalists I work with, the security experts, and myself.

    I know some of my activist hacker contacts will find this cowardly of me. Many of them risk much more than this in the course of their lives, but I have two replies to this. One is that I have a family to care for including a child, and I can’t ask them to enter this murky legal territory. The other is that my causes are often not the same as the causes I write about, and I feel I best serve my causes by stepping back and highlighting this problem of law to the public.

    Reply
  13. Tomi Engdahl says:

    The Verge:
    How Bahrain’s government used FinFisher spyware to target a political activist

    A Spy in the Machine
    How a brutal government used cutting-edge spyware to hijack one activist’s life
    http://www.theverge.com/2015/1/21/7861645/finfisher-spyware-let-bahrain-government-hack-political-activist

    Reply
  14. Tomi Engdahl says:

    Snowden: iPhone has secret software that can be remotely activated to spy on people
    http://www.neowin.net/news/snowden-iphone-has-secret-software-that-can-be-remotely-activated-to-spy-on-people

    According to NSA whistleblower Edward Snowden, the iPhone has secret spyware that allows governments to watch users without their knowledge and consent. Snowden doesn’t use the phone because of the hidden software embedded in it, which his lawyer says can be remotely activated to watch the user.

    “The iPhone has special software that can activate itself without the owner having to press a button and gather information about him, that’s why on security grounds he refused to have this phone.”

    Apple has been actively making the iPhone harder for security services to spy on.

    Despite these attempts, recently published files from the NSA indicate that GCHQ used the phone’s unique identifiers (UDIDs) to track users.

    Reply
  15. Tomi Engdahl says:

    Google explains why it’s not fixing web security in old Android phones
    http://www.engadget.com/2015/01/24/google-responds-to-webview-flaw/?ncid=rss_truncated

    You might not be happy that Google isn’t fixing a web security flaw in your older Android phone, but the search giant now says that it has some good reasons for holding off. As the company’s Adrian Ludwig explains, it’s no longer viable to “safely” patch vulnerable, pre-Android 4.4 versions of WebView (a framework that lets apps show websites without a separate browser) to prevent remote attacks. The sheer amount of necessary code changes would create legions of problems, he claims, especially since developers are introducing “thousands” of tweaks to the open source software every month.

    Ludwig suggests a few things you can do to avoid or mitigate problems, though. For a start, he recommends surfing with browsers that don’t use WebView but still get updates, like Chrome (which works on devices using Android 4.0) and Firefox (which runs on ancient Android 2.3 hardware). Hackers can’t abuse the vulnerable software if you’re not using it, after all. The Googler also tells app creators to either use their own web rendering tech or limit WebView to pages they can trust, like encrypted sites.

    https://plus.google.com/+AdrianLudwig/posts/1md7ruEwBLF

    Following public discussion of vulnerabilities in versions of Webkit last week, I’ve had a number of people ask questions about security of browsers and WebView on Android 4.3 (Jellybean) and earlier. I want to provide an update on what we’re doing and guidance on steps that users and developers can take to be safe, even if your device is not yet running Lollipop.

    Reply
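    Ludwig’s advice above to limit WebView to pages the app can trust is an allowlist policy, and how the allowlist is matched matters as much as what is on it. The following Python is an added example, not code from Google, the article or the Android project: it puts the tempting string-prefix check beside a check on the parsed host, so the difference shows on URLs that look trusted but are not. The hosts example.com and help.example.com are constructed for the example. In an Android app the same decision would be made in WebViewClient.shouldOverrideUrlLoading before the page is loaded.

```python
from urllib.parse import urlsplit

# Constructed allowlist for this example: the only origins the embedded browser may load.
TRUSTED_HOSTS = ("example.com", "help.example.com")


def naive_is_trusted(url, trusted_hosts=TRUSTED_HOSTS):
    """The tempting but wrong check: a string prefix test on the raw URL.

    It accepts 'https://example.com.evil.net/' because the prefix matches,
    even though that page is served by evil.net.
    """
    return any(url.startswith("https://" + host) for host in trusted_hosts)


def is_trusted(url, trusted_hosts=TRUSTED_HOSTS):
    """Return True only if the URL is HTTPS and its parsed host is an allowlisted
    host or a subdomain of one.

    Parsing with urlsplit() means userinfo tricks ('https://example.com@evil.net/')
    and scheme tricks ('javascript:') are judged on the host the request would
    really go to, not on how the string begins.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False  # plain http, javascript: or data: URLs are never trusted
    host = parts.hostname  # lower-cased, with port and userinfo stripped; None if absent
    if not host:
        return False
    return any(host == h or host.endswith("." + h) for h in trusted_hosts)


def evaluate(urls):
    """Map each URL to (naive verdict, parsed-host verdict) so the two can be compared."""
    return {u: (naive_is_trusted(u), is_trusted(u)) for u in urls}


if __name__ == "__main__":
    samples = [
        "https://example.com/docs",
        "http://example.com/docs",
        "https://example.com.evil.net/",
        "https://example.com@evil.net/",
        "https://help.example.com/x",
        "javascript:alert(1)",
    ]
    for url, (naive, strict) in evaluate(samples).items():
        print(f"{url:40} naive={naive!s:5} parsed-host={strict}")
```

    The subdomain rule (`host.endswith("." + h)`) is deliberate: it admits help.example.com under example.com but never example.com.evil.net, which is exactly the case the prefix check gets wrong.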
  16. Tomi Engdahl says:

    Chrome 40 marks the beginning of the end for Microsoft Silverlight
    Yes, it’s Week in Google time
    http://www.theinquirer.net/inquirer/news/2391616/chrome-40-marks-the-beginning-of-the-end-for-microsoft-silverlight

    Chrome has reached a milestone after version 40 was declared stable across Windows, iOS, Mac, Linux and Android.

    The big changes are in security. The pesky and beyond repair SSL 3.0 is completely blocked and NPAPI (ie Netscape) plug-ins are blocked by default, as promised.

    This should make the whole thing faster as well as more secure. If one of your favourite sites still uses NPAPI, you can opt back in when the ‘blocked’ message pops up.

    There are also 62 security fixes resulting in an $88,500 bug bounty payout.

    Reply
  17. Tomi Engdahl says:

    Game over? Sony FINALLY offers compensation to MEELLIONS of PSN hack victims
    Free goodies dished out in U.S.
    http://www.theregister.co.uk/2015/01/25/sony_finally_accepts_compensation_claims_from_2011_psn_hack_victims/

    Millions of PSN gamers, who were hit by a massive data breach on Sony’s Playstation network back in 2011, are finally being offered the opportunity to claim compensation from the company.

    Victims can either claim one free game, up to three themes or a free subscription to Playstation Plus for three months for those subscribers not already signed up to that option.

    While those affected by identity theft can claim up to $2,500 in compensation.

    Reply
  18. Tomi Engdahl says:

    Ed Felten: California Must Lead On Cybersecurity
    http://it.slashdot.org/story/15/01/25/2335245/ed-felten-california-must-lead-on-cybersecurity

    In a Sacramento Bee op-ed, (in)famous computer security researcher Ed Felten responds to the State of the Union cybersecurity proposal. He doesn’t mince words: “The odds of clearing Congress: low. The odds of materially improving security: even lower.” What he suggests as an alternative, though, is a surprise. “California,” he writes, “could blaze a trail for effective cybersecurity policy.” He calls for the state government to protect critical infrastructure and sensitive data, relying on outside auditors and experts. It’s an interesting idea. Even if it doesn’t go anywhere, at least it’s some fresh thinking in this area of backward policy.

    “Critical infrastructure increasingly relies on industrial automation systems. And those systems are often vulnerable – they keep a default password, for instance, or are accessible from the public Internet. These are not subtle or sophisticated errors. Fixing them requires basic due diligence, not rocket science. Requiring the state’s critical infrastructure providers to undergo regular security audits would be straightforward and inexpensive – especially relative to the enormous risks.”

    California must lead on cybersecurity
    http://www.sacbee.com/opinion/the-conversation/article7967445.html

    No state has more at stake on cybersecurity than California. From Hollywood’s intellectual property to the Central Valley’s water reserves to Silicon Valley’s cloud services, the Golden State is at singular risk. But, as the world’s innovation capital, California also has a unique opportunity to advance cybersecurity.

    At last week’s State of the Union address, President Barack Obama announced a new federal cybersecurity agenda. Except … it wasn’t so new. It was a portfolio of unpopular old proposals, dusted off and relabeled. The odds of clearing Congress: low. The odds of materially improving security: even lower.

    That’s a shame. Events over the past year – most prominently, the breach at Sony Pictures in Culver City – have highlighted the growing importance of cybersecurity. Attacks are more frequent, better organized and increasingly sophisticated. And intruders are driven by a diverse range of motives – greed, malice, national security or even national pride. America’s consumers, businesses and government agencies are undeniably under threat.

    While the federal government is stalled, however, the states have an opportunity to lead. California could blaze a trail for effective cybersecurity policy.

    The Golden State is, in fact, already an innovator on technology security and privacy.

    An adaptable approach would also facilitate cybersecurity reform in other states. A national patchwork of nit-picky requirements serves no one. Harmonized high-level standards, by contrast, would make multistate compliance straightforward. Best practices could percolate among jurisdictions, channeled through auditors, consultants and large businesses.

    As the federal government gets serious about cybersecurity, it too could draw upon California’s template. This is already happening.

    Reply
  19. Tomi Engdahl says:

    Anonymous Asks Activists To Fight Pedophiles In ‘Operation Deatheaters’
    http://yro.slashdot.org/story/15/01/25/2123226/anonymous-asks-activists-to-fight-pedophiles-in-operation-deatheaters

    The Independent reports that hacktivist group Anonymous, in a project named Operation DeathEaters, is calling for help in its fight against international pedophile networks, or what it calls the “paedosadist industry” and has issued a video instructing activists on how they can aid in the operation.

    Anonymous calls for activists to help expose international paedophile networks with ‘Operation DeathEaters’
    http://www.independent.co.uk/news/uk/home-news/anonymous-calls-for-activists-to-help-expose-international-paedophile-networks-with-operation-deatheaters-9998350.html

    Hacktivist group Anonymous, which has made public attacks on extremists, corporations and religious and governmental bodies, is calling for help in its fight against international paedophile networks, or what it calls the “paedosadist industry”.

    Anonymous has issued a video instructing activists on how they can aid in the operation, which has appeared at a time of serious allegations of historic child sexual abuse levied against prominent UK figures.

    Recent allegations have led to the Met police’s investigation.

    “In fear of these investigations being bungled over time, the operation’s objectives are clear and simple: source public information before it disappears, push for independent enquiry, and offer support to witnesses and the victims where needed.”

    Anonymous is planning on setting up a database to be able to map the connections between cases, and is calling on its followers to research cases of high level corruption.

    Reply
  20. Tomi Engdahl says:

    IT professionals believe in open source

    The vast majority of IT professionals are replacing traditional software with open source tools.
    The reason for this is not the price, but better security.

    A Europe-wide Ponemon Institute study reported that 67 percent of IT professionals consider open source software to bring better continuity to enterprise systems. In the US the figure is even higher, 74 percent.

    In the past, open source software was often justified by its lower price. Now the number one criterion is increased security.

    76 percent of the surveyed IT professionals believe that open source transparency increases the reliability of the application. Two out of three believe that transparency increases security and reduces risks to privacy.

    Source: http://www.etn.fi/index.php?option=com_content&view=article&id=2335:it-ammattilaiset-uskovat-avoimeen-koodiin&catid=13&Itemid=101

    Reply
  21. Tomi Engdahl says:

    Passwords and PIN codes are a primitive way to ensure the user’s identity. Therefore, it is reassuring that Juniper Research predicts that downloads of a variety of biometric applications to mobile devices will grow at a furious pace in the coming years.

    The research estimates that this year, for example, only six million applications utilizing fingerprint identification will be downloaded. In 2018 the number rises to 770 million, i.e. adoption happens quickly.

    A large part of the growth comes from fingerprint scanners, which according to Juniper are rapidly finding their way into mid-range devices.

    Juniper believes that biometric authentication will play an important role, for example, in trying to prevent the hacking of social media accounts. For example, Facebook could provide additional security to users by combining face detection with its pages.

    Source: http://www.etn.fi/index.php?option=com_content&view=article&id=2328:salasanoista-paastaan-vihdoin-eroon&catid=13&Itemid=101

    Reply
  22. Tomi Engdahl says:

    Librem 15: A Free/Libre Software Laptop That Respects Your Essential Freedoms
    https://www.crowdsupply.com/purism/librem-laptop

    The first high-end laptop that respects your freedom and privacy.

    The Purism Librem 15 is the first high-end laptop in the world that ships without mystery software in the kernel, operating system, or any software applications. Every other consumer-grade laptop you can purchase comes with an operating system that includes suspect, proprietary software, and there’s no way for you to know what that software does.

    The reality is that unless every aspect of your kernel, operating system, and software applications are free/libre and open source, there is no way to know that your computer is truly working in your best interest. Purism is the first to solve this problem.

    http://puri.sm/

    Reply
  23. Tomi Engdahl says:

    A CISO’s Nightmare: Digital Social Engineering
    http://www.securityweek.com/cisos-nightmare-digital-social-engineering

    While Olga Redmond could be written off as a satirical account, the amount of time and effort someone spent making it seem legitimate and connecting with such specific industry professionals suggests that this is something more sinister than satire. Olga Redmon is a well planned and executed next generation social engineering campaign. Social engineering is when a hacker creates convincing fake profiles to connect and interact with a target or group of targets. Hackers create the profiles, build up a network of connections to make them appear trustworthy, and eventually connect with their actual target. Once the request is accepted a hacker can steal information or launch a cyberattack. Instead of a promising HR, marketing, or sales lead, profiles like Olga Redmon’s can be a serious cyber security threat.

    Social engineering campaigns are shockingly easy to carry out. This was made clear at the RSA Europe conference last year when IT services provider World Wide Technology presented the results of a comprehensive penetration test carried out for one of their clients. The story will sound familiar – a fake account under the name Emily Williams, claiming to be an MIT grad with 10 years’ experience. Within days, the pen-testers received endorsements, job offers, and even a company laptop.

    Had this been an actual attack, a cyber criminal could have compromised an entire corporate network or brand by just creating a single fake account. From this point, the potential for attack would be nearly endless. The hacker could launch phishing and malware campaigns with increased effectiveness or begin to mine sensitive company information from unsuspecting employees.

    By creating an account like Olga Redmon, no actual hacking, in the traditional sense, has been done, meaning this type of attack goes completely unaddressed by traditional security measures like anti-virus or email gateways. A tweenager with no programming experience could bypass existing security infrastructure with no more than a free afternoon and an Internet connection. Now imagine it in the hands of a skilled hacker.

    In the event of a serious information breach, the CMO and the sales team will most likely not be held liable. They will always be able to point to the extensive body of research supporting social media as a robust business development tool. Social media isn’t going anywhere – the CISO needs to learn how to manage the corresponding risks.

    Social media is already ripe with threats

    Our research suggests that between 4-8% of all social media links are malicious in nature, meaning the daily number of malicious links on Twitter alone nearly exceeds the population of Spain. Expect these trends to continue.

    Monitoring social media is a daunting task. It’s not a matter of logging into a company’s profiles once a day to look for suspicious activity. Employees, customers, executives, and anyone connected to your organization are the new endpoints for attack. A recent survey suggests that 74% of Internet users are now active on social media, and the average person has 3 different social media accounts.

    Reply
  24. Tomi Engdahl says:

    Collection and Analysis: Two Sides to the Coin
    http://www.securityweek.com/collection-and-analysis-two-sides-coin

    Many enterprises see the need for and share a desire to be doing “big data” and “security analytics”, and thus, it’s not particularly surprising that many vendors are offering “big data” and “security analytics” solutions.

    At a high level, “big data” and “security analytics” are about the two very different, somewhat diametrically opposed, but equally important concepts of collection and analysis. Allow me to explain.

    Before it is possible to run analytics, one needs the right data upon which to run those analytics. Before “big data” emerged as a buzzword, this was called “collection” or “instrumentation of the network and endpoint”.

    Collection and analysis, at enterprise speeds and volumes, are both equally important. If you think about it, you can’t really have one without the other.

    In addition to being the fundamental elements of “big data”, collection and analysis form the cornerstone of a strong security program. Collection and analysis provide an organization with the visibility required to practice Continuous Security Monitoring (CSM).

    The goal of CSM is to allow an organization to move rapidly from Detection to Analysis and on to Containment and Remediation.

    Of course, proper Continuous Security Monitoring involves many details.

    Reply
  25. Tomi Engdahl says:

    Lizard Squad threatens Malaysia Airlines with data dump: We DID TOO hack your site
    Carrier: PLEASE. It was just a defacement, skiddies…
    http://www.theregister.co.uk/2015/01/26/lizard_squad_threaten_data_dump_after_attack_on_malaysia_airlines_site/

    Infamous hacktivists Lizard Squad are threatening to dump data they supposedly snatched during the process of defacing the website of Malaysia Airlines.

    Surfers visiting the Malaysia Airlines (www.malaysiaairlines.com) website on Monday were confronted by a bragging message from Lizard Squad rather than flight timetables. The airline attributes the apparent defacement to a redirection rather than an actual attack on its site.

    Malaysia Airlines is playing down the significance of the attack.

    “Going to dump some loot found on http://www.malaysiaairlines.com servers soon,” the group claimed.

    Reply
  26. Tomi Engdahl says:

    Eileen Sullivan / Associated Press:
    Sheriffs pressure Google to disable Waze feature that warns when police are near, saying it endangers officers — Sheriffs want popular police-tracking app disabled — WASHINGTON (AP) — Sheriffs are campaigning to pressure Google Inc. to turn off a feature on its Waze traffic software that warns drivers when police are nearby.

    Law enforcement wants popular police-tracking app disabled
    http://hosted.ap.org/dynamic/stories/U/US_POLICE_TRACKING_APP?SITE=AP&SECTION=HOME&TEMPLATE=DEFAULT&CTIME=2015-01-26-03-07-22

    Law enforcement is concerned that the popular Waze mobile traffic app by Google Inc., which provides real-time road conditions, can also be used to hunt and harm police.

    Waze is a combination of GPS navigation and social networking. Fifty million users in 200 countries turn to the free service for warnings about nearby congestion, car accidents, speed traps, traffic cameras, construction zones, potholes, stalled vehicles or unsafe weather conditions.

    Waze users mark police – who are generally working in public spaces – on maps without much distinction other than “visible” or “hidden.”

    To some in law enforcement, this feature amounts to a stalking app for people who want to harm police. They want Google to disable that feature.

    The growing concern is the latest twist in Google’s complicated relationship with government and law enforcement.

    There are no known connections between any attack on police and Waze, although Beck said Waze was used in the killing of two New York Police Department officers on Dec. 20.

    Investigators do not believe the shooter, Ismaaiyl Brinsley, used Waze to ambush the NYPD officers.

    Reply
  27. Tomi Engdahl says:

    Kieren James-Lubin / O’Reilly Radar:
    An explanation of the stumbling blocks to blockchain scalability and some possible solutions

    Blockchain scalability
    http://radar.oreilly.com/2015/01/blockchain-scalability.html

    A look at the stumbling blocks to blockchain scalability and some high-level technical solutions.

    “I have no worries that bitcoin can scale, and the simple reason for that is that I know that IPv4 can’t, and yet I use it every day.”

    The issue of bitcoin scalability and the phrase “blockchain scalability” are often seen in technical discussions of the bitcoin protocol. Will the requirements of recording every bitcoin transaction in the blockchain compromise its security (because fewer users will keep a copy of the whole blockchain) or its ability to handle a great number of transactions (because new blocks on which transactions can be recorded are only produced at limited intervals)? In this article, we’ll explore several meanings of “blockchain scalability” and some high-level technical solutions to the issue.

    The three main stumbling blocks to blockchain scalability are:

    1. The tendency toward centralization with a growing blockchain
    2. The bitcoin-specific issue that the blockchain has a built-in hard limit of 1 megabyte per block (about 10 minutes)
    3. The high processing fees currently paid for bitcoin transactions, and the potential for those fees to increase as the network grows.

    Bitcoin (or, more generally, cryptocurrency) mining serves several functions. Mining allows the peer-to-peer network that bitcoin is composed of to agree on a canonical order of transactions, thus solving the double spend problem.

    In a peer-to-peer system, one does not generally have the expectation of knowledge of all messages. However, bitcoin transactions are intended to be broadcast one-to-all by peer forwarding. Thus, in principle, every network participant should have total knowledge of account states and pending transfers. A problem arises when a malicious actor propagates two conflicting transactions to the network. The peer-to-peer network must decide which transaction came first and must invalidate the second.

    Reply
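    The double-spend situation described in the last paragraph above (two conflicting transactions broadcast to the network, each peer keeping the one it saw first, and a mined block settling which one counts) in a toy UTXO node. This Python is an added example, not code from the O’Reilly article or from any bitcoin implementation; it replaces signatures with a plain “signer” label and uses a shortened SHA-256 as the transaction id, both assumptions made to keep the example short. Alice, Bob and Carol and the amounts are constructed.

```python
import hashlib
import json


def txid(tx):
    """Deterministic id: SHA-256 over the canonical JSON of the transaction, shortened for display."""
    return hashlib.sha256(json.dumps(tx, sort_keys=True).encode()).hexdigest()[:16]


class Node:
    """One peer: its set of unspent outputs plus its pool of unconfirmed transactions.

    Ownership is a plain 'signer' label instead of a real signature (an assumption
    to keep the example short, not how bitcoin authorizes spends).
    """

    def __init__(self, genesis_outputs):
        # outpoint (txid, index) -> (owner, amount) for every unspent output
        self.utxo = {("genesis", i): (owner, amt) for i, (owner, amt) in enumerate(genesis_outputs)}
        self.mempool = {}   # txid -> unconfirmed tx
        self.claimed = {}   # outpoint -> txid of the unconfirmed tx that wants to spend it

    def validate(self, tx):
        """Check that the inputs exist, belong to the signer and cover the outputs."""
        total_in = 0
        for outpoint in tx["inputs"]:
            entry = self.utxo.get(tuple(outpoint))
            if entry is None:
                return "unknown-input"
            if entry[0] != tx["signer"]:
                return "not-owner"
            total_in += entry[1]
        if total_in < sum(amt for _, amt in tx["outputs"]):
            return "insufficient-funds"
        return "ok"

    def receive(self, tx):
        """Relay policy for a broadcast transaction: the first valid claim on an outpoint wins."""
        status = self.validate(tx)
        if status != "ok":
            return status
        for outpoint in tx["inputs"]:
            if tuple(outpoint) in self.claimed:
                return "conflict:" + self.claimed[tuple(outpoint)]
        tid = txid(tx)
        self.mempool[tid] = tx
        for outpoint in tx["inputs"]:
            self.claimed[tuple(outpoint)] = tid
        return "accepted:" + tid

    def apply_block(self, txs):
        """A mined block fixes the canonical order and overrides this node's first-seen choice.

        Returns the ids of unconfirmed transactions evicted because the block spent their inputs.
        """
        for tx in txs:
            if self.validate(tx) != "ok":
                raise ValueError("block contains an invalid transaction")
            tid = txid(tx)
            for outpoint in tx["inputs"]:
                del self.utxo[tuple(outpoint)]
            for i, (owner, amt) in enumerate(tx["outputs"]):
                self.utxo[(tid, i)] = (owner, amt)
            self.mempool.pop(tid, None)
        # The losing side of a double spend now references outputs that no longer exist.
        evicted = sorted(t for t, tx in self.mempool.items()
                         if any(tuple(o) not in self.utxo for o in tx["inputs"]))
        for t in evicted:
            del self.mempool[t]
        self.claimed = {tuple(o): t for t, tx in self.mempool.items() for o in tx["inputs"]}
        return evicted


def double_spend_demo():
    """Alice broadcasts two transactions spending the same coin; a block decides which one counts."""
    node = Node([("alice", 10)])
    to_bob = {"signer": "alice", "inputs": [["genesis", 0]], "outputs": [["bob", 10]]}
    to_carol = {"signer": "alice", "inputs": [["genesis", 0]], "outputs": [["carol", 10]]}
    first = node.receive(to_bob)      # this node saw the payment to Bob first
    second = node.receive(to_carol)   # same input already claimed -> rejected as a conflict
    # A miner elsewhere saw the Carol version first and mined it into a block.
    evicted = node.apply_block([to_carol])
    return first, second, evicted, node


if __name__ == "__main__":
    first, second, evicted, node = double_spend_demo()
    print(first, second, "evicted:", evicted, "utxo:", node.utxo)
```

    The point the example makes is that a peer’s own first-seen rule is only a local preference; a block that includes the other transaction is what the whole network accepts, and the peer has to evict its earlier choice.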
  28. Tomi Engdahl says:

    P0wning for the fjords: Malware turns drones into DEAD PARROT
    Parrot AR drones susceptible to flying firmware footling
    http://www.theregister.co.uk/2015/01/27/malware_backdoor_makes_parrot_ar_drones_squawk/

    Hacker Rahul Sasi has found and exploited a backdoor in Parrot AR Drones that allows the flying machines to be remotely hijacked.

    The Citrix engineer developed what he said was the first malware dubbed Maldrone which exploited a new backdoor in the drones.

    Sasi (@fb1h2s) said the backdoor could be exploited for Parrot drones within wireless range.

    “Once my program kills the actual drone controllers, it causes the motors to stop and the drone falls off like a brick,” Sasi said.

    “But my backdoor instantly takes control so if the drone is really high in the air the motors can start again and Maldrone can prevent it from crashing.”

    Reply
  29. Tomi Engdahl says:

    PHP 5 Updates Fix Several Vulnerabilities
    http://www.securityweek.com/php-5-updates-fix-several-vulnerabilities

    Several security vulnerabilities affecting PHP were addressed last week with the release of versions 5.6.5, 5.5.21 and 5.4.37.

    One of the flaws, an out-of-bounds read (CVE-2014-9427) that crashes php-cgi, was reported by Brian Carpenter.

    The NVD advisory notes that a remote attacker could exploit the vulnerability to “obtain sensitive information from php-cgi process memory by leveraging the ability to upload a .php file or trigger unexpected code execution if a valid PHP script is present in memory locations adjacent to the mapping.”

    Reply
  30. Tomi Engdahl says:

    It’s Okay to Fail – Security is a Problem That Can’t be Solved
    http://www.securityweek.com/its-okay-fail-security-problem-cant-be-solved

    It’s okay to fail. This may sound radical, but I would argue that the information security community isn’t failing enough. Or rather, we as a community are failing passively on a continual basis, rather than failing actively. The difference between passive and active failing is key. Allow me to elaborate.

    Consider the famous, though often misattributed quote: “The definition of insanity is doing the same thing over and over and expecting it to come out different.” Although this statement was not made in reference to information security, its relevance to our field is striking. Pundit after pundit, expert after expert, thought leader after thought leader, conference after conference, and so on paint a dire picture regarding the state of information security. The threat landscape is imposing. The risk to organizations is real. The consequences are increasingly severe.

    While there are clearly exceptions, most information security professionals hear the message loud and clear. We know that we face serious challenges that we need to overcome. We know that we face formidable problems that we need to solve. We know that the status quo is not working. Additionally, leaders and executives outside of the security profession are increasingly beginning to grasp and grapple with the gravity of the situation. True, there is still a long way to go until awareness is where it needs to be, but more and more, we as a community have the world’s attention and focus. The question is, what will we do with this attention and focus?

    What’s missing from the hype and hysteria is action. There is plenty of talk out there, but unfortunately, there is very little action. Or to be more precise, there is far too little practical, hands-on material that security professionals can leverage as part of an effective action plan. I would argue that it’s no longer enough to stand up and speak only about the challenges and problems in the information security realm in the name of raising awareness. In my opinion, any talk also needs to spell out constructive steps for action. Practical, tangible, realistic approaches raise far more awareness than Fear, Uncertainty, and Doubt (FUD) ever have.

    Reply
  31. Tomi Engdahl says:

    Evolved Kjw0rm and Sir DoOoM malware found in hacker forum
    The developed attack tools have advanced functionality
    http://www.theinquirer.net/inquirer/news/2391967/evolved-kjw0rm-and-sir-dooom-malware-found-in-hacker-forum

    NOTORIOUS MALWARE kjw0rm and Sir DoOoM have been uncovered in a hacker forum as evolved versions, developed with advanced functionality, according to researchers at Trend Micro.

    Kjw0rm and Sir DoOoM’s appearance follows the discovery of several evolved attack tools. These include the defence-dodging Skeleton Key malware and the advanced Cryptowall 3.0 ransomware.

    Reply
  32. Tomi Engdahl says:

    U.S. Spies on Millions of Cars
    DEA Uses License-Plate Readers to Build Database for Federal, Local Authorities
    http://www.wsj.com/articles/u-s-spies-on-millions-of-cars-1422314779

    Millions of cars tracked across US in ‘massive’ real-time spying program
    http://www.theguardian.com/world/2015/jan/27/millions-of-cars-tracked-across-us-in-massive-real-time-spying-program

    American Civil Liberties Union warns scanning of license plates by Drug Enforcement Agency is building a repository of all drivers’ movements

    The DEA database has the potential to track every driver’s movements, the American Civil Liberties Union has warned.

    The United States government is tracking the movement of vehicles around the country in a clandestine intelligence-gathering programme that has been condemned as a further official exercise to build a database on people’s lives.

    The Drug Enforcement Administration was monitoring license plates on a “massive” scale, giving rise to “major civil liberties concerns”, the American Civil Liberties Union said on Monday night, citing DEA documents obtained under freedom of information.

    “This story highlights yet another way government security agencies are seeking to quietly amplify their powers using new technologies,” Jay Stanley, a senior policy analyst with ACLU, told the Guardian.

    “On this as on so many surveillance issues, we can take action, put in place some common sense limits or sit back and let our society be transformed into a place we won’t recognize – or probably much like.”

    Reply
  33. Tomi Engdahl says:

    Internet of Things Security Challenging Enterprise Networks: Survey
    http://www.securityweek.com/internet-things-security-challenging-enterprise-networks-survey

    While there have increasingly been many predictions about the impact the Internet of Things (IoT) will have on organizations in the future, it appears that the number of non-traditional devices connected to corporate networks is already challenging enterprises.

    According to a study by Atomik Research and security firm Tripwire, employed people working from home have an average of 11 IoT devices on their home networks, and nearly one in four have connected one of these devices to their enterprise networks. The devices run the gamut, with printers (27 percent), routers (22 percent), video equipment (20 percent) and video gaming consoles (14 percent) the most popular. Twenty-four percent of them admitted to connecting a personal smart device – other than laptops and cell phones – to a corporate network, and most said they are only “somewhat” concerned with the security of these devices.

    “Network monitoring and change control policies provide the foundation for enterprises to quickly recognize new devices being connected to the corporate network,” said Craig Young, security researcher for Tripwire. “Unauthorized devices should stand out like a sore thumb by performing continuous or periodic network scans. This type of change can trigger an administrative response to disable or isolate the unknown device as an active enforcement of corporate policies.”

    “Proper network segmentation and firewalling is definitely good security hygiene and will mitigate some of the risks associated with these systems but this alone is generally not enough to keep the determined attacker out of your system,” Young said.

    “By implementing these security controls the attacker may be prevented from launching certain direct attacks but persistent attackers have shown in the past the capability to move laterally through an organization in spite of segmentation and firewalls.”

    Reply
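    The survey comment above recommends continuous or periodic network scans so that unknown devices "stand out like a sore thumb". The script below is an added example, not code from Tripwire or the SecurityWeek article: it parses arp-scan style output (the `IP<TAB>MAC<TAB>vendor` layout is an assumption), flags MACs missing from an asset inventory, and diffs two scans so a change-control process can act on what appeared or vanished. The inventory and both scans are constructed sample data.

```python
"""Flag LAN devices that are not in the asset inventory, and diff two scans.

Added example, not from the Tripwire survey or the SecurityWeek article.
Input format assumed: arp-scan style 'IP<TAB>MAC<TAB>vendor' lines.
The inventory and scan output below are constructed sample data.
"""
import re
from dataclasses import dataclass

# Constructed asset inventory: normalized (lower-case) MAC -> owner/role.
INVENTORY = {
    "00:11:22:33:44:55": "core-switch",
    "aa:bb:cc:dd:ee:01": "alice-laptop",
    "aa:bb:cc:dd:ee:02": "bob-laptop",
    "aa:bb:cc:dd:ee:03": "hr-printer",
}

# Constructed output resembling `arp-scan --localnet` from two points in time.
SCAN_PREVIOUS = """\
192.168.10.1\t00:11:22:33:44:55\tCisco Systems
192.168.10.21\taa:bb:cc:dd:ee:01\tDell Inc
192.168.10.22\tAA:BB:CC:DD:EE:02\tDell Inc
192.168.10.40\taa:bb:cc:dd:ee:03\tHewlett Packard
"""
SCAN_CURRENT = """\
192.168.10.1\t00:11:22:33:44:55\tCisco Systems
192.168.10.21\taa:bb:cc:dd:ee:01\tDell Inc
192.168.10.40\taa:bb:cc:dd:ee:03\tHewlett Packard
192.168.10.77\t7c:dd:90:12:34:56\tSamsung Electronics
192.168.10.78\tb8:27:eb:00:00:42\tRaspberry Pi Foundation
"""

LINE_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-fA-F:]{17})\s*(.*)$")


@dataclass(frozen=True)
class Device:
    ip: str
    mac: str
    vendor: str


def parse_scan(text):
    """Parse scan lines; header, blank and unparseable lines are skipped."""
    devices = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            devices.append(Device(m.group(1), m.group(2).lower(), m.group(3).strip()))
    return devices


def unknown_devices(devices, inventory=INVENTORY):
    """Devices whose MAC is absent from the inventory."""
    return [d for d in devices if d.mac not in inventory]


def scan_delta(previous, current):
    """Change-control view: devices that appeared or disappeared between scans."""
    prev = {d.mac: d for d in previous}
    curr = {d.mac: d for d in current}
    appeared = [curr[m] for m in curr.keys() - prev.keys()]
    vanished = [prev[m] for m in prev.keys() - curr.keys()]
    return appeared, vanished


def triage(previous_text, current_text):
    """Return (unknown_macs, appeared_macs, vanished_macs), each sorted for reporting."""
    prev, curr = parse_scan(previous_text), parse_scan(current_text)
    appeared, vanished = scan_delta(prev, curr)
    return (sorted(d.mac for d in unknown_devices(curr)),
            sorted(d.mac for d in appeared),
            sorted(d.mac for d in vanished))


if __name__ == "__main__":
    unknown, appeared, vanished = triage(SCAN_PREVIOUS, SCAN_CURRENT)
    print("not in inventory:", unknown)
    print("appeared since last scan:", appeared)
    print("vanished since last scan:", vanished)
```

Keying the inventory on MAC addresses is the cheap first pass, not a control: a MAC is trivially spoofed, so a hit here should trigger isolation and a closer look (802.1X or NAC for enforcement), not be treated as proof of identity.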
  34. Tomi Engdahl says:

    Java Patch Plugs 19 Security Holes
    http://krebsonsecurity.com/2015/01/java-patch-plugs-19-security-holes/

    Oracle this week released its quarterly patch update for Java, a widely-installed program that for most casual users has probably introduced more vulnerability than utility. If you have Java installed and require it for some application or Web site, it’s time to update it. If you’re not sure you have Java on your computer or are unsure why you still have it, read on for advice that could save you some security headaches down the road.

    Oracle’s update brings Java 7 to Update 75 and Java 8 to Update 31, and fixes at least 19 security vulnerabilities in the program. Security vendor Qualys notes that 13 of those flaws are remotely exploitable, with a CVSS score of 10 (the most severe possible score).

    Java 7 users should know that Oracle plans to start using the auto-update function built into the program to migrate those users to Java 8 this week.

    According to a new report (PDF) from Cisco, online attacks that exploit Java vulnerabilities have decreased by 34 percent in the past year. Cisco reckons this is thanks to security improvements in the program, and to bad guys embracing new attack vectors — such Microsoft Silverlight flaws (if you’re a Netflix subscriber, you have Silverlight installed). Nevertheless, my message about Java will remain the same: Patch it, or pitch it.

    Reply
  35. Tomi Engdahl says:

    Enterprises Overly Reliant on Perimeter-based Defenses: Survey
    http://www.securityweek.com/enterprises-overly-reliant-perimeter-based-defenses-survey

    Survey Examines Impact Data Breaches at Target and other Organizations Have had on IT Budgets and Security Practices.

    Organizations are increasing investment in IT security, but even after a string of high profile data breaches in 2014, they aren’t thinking beyond perimeter-based defenses, according to the latest Ponemon Institute survey.

    The mega-breach at Target and other retailers served as a “wake up call” for senior managers at organizations to realize they needed better security. About 13 percent of senior management expressed extreme concern about their security posture before the Target breach was publicized, according to the survey. The number rose to 55 percent after the breach.

    More importantly, the new understanding has resulted in more resources to prevent, detect, and resolve data breaches, according to the report from Ponemon Institute. For example, 61 percent of organizations increased their security budget by an average of 34 percent in 2014. The most common areas of investment included security incident and event management (SIEM), endpoint security, intrusion detection and prevention (IDS/IPS), encryption, tokenization, and Web application firewalls. About 63 percent of respondents in the survey said this increase in budget resulted in investments in enabling security technologies to prevent and/or detect breaches.

    “This study shows that organizations are dedicating greater attention and financial resources towards managing sensitive information and preventing data breaches, which is certainly encouraging news,”

    Reply
  36. Tomi Engdahl says:

    NSA Releases Defensive Strategies for Fighting Malware Targeting Corporate Data
    http://www.securityweek.com/nsa-releases-defensive-strategies-fighting-malware-targeting-corporate-data

    The NSA’s Information Assurance Directorate (IAD) issued a report this month laying out best practices for combating malware designed to steal or destroy corporate data.

    The report, entitled ‘Defensive Best Practices for Destructive Malware’, seems in part aimed at dealing with the type of data-wiping malware at the center of the recent attack on Sony Pictures Entertainment. Much of the advice, the document notes, is also contained in the guidance in the previously published ‘Information Assurance Mitigation Strategies’.

    Among the key pieces of advice: segregate network systems, limit workstation-to-workstation communication and protect and restrict administrative privileges for high-level administrator accounts. Organizations are also advised to deploy, configure and monitor application whitelisting to prevent unauthorized or malicious software from executing.

    “The earlier that network defenders can detect and contain an intrusion, the less damage the intruder can possibly cause,”

    Other advice includes:

    Using network security technologies such as perimeter and application firewalls, forward proxies, sandboxing or other dynamic analysis filters to capture malware when it enters the network
    Monitor host and network logs
    Leverage pass-the-hash mitigations to reduce the risk of credential theft
    Deploy Microsoft’s EMET (Enhanced Mitigation Experience Toolkit) or other anti-exploit tools
    Patch vulnerable software
    Use antivirus reputation services to complement antivirus protections
    Use host intrusion prevention systems

    “Once a malicious actor achieves privileged control of an organization’s network, the actor has the ability to steal or destroy all the data that is on the network,”

    Reply
  37. Tomi Engdahl says:

    Facebook, Instagram, Tinder IN THREE-WAY SIMUL-TITSUP* moment
    * Total Inability To Support Uninteresting People
    27 Jan 2015
    http://www.theregister.co.uk/2015/01/27/facebook_down/

    It appears Facebook and its image-sharing subsidiary Instagram have fallen off the web. Hook-up-finder Tinder is also reportedly having problems.

    Presumably the FBI will turn up soon to blame North Korea.

    “We’re aware of an outage affecting Instagram and are working on a fix.”

    It’s claimed Facebook et al are facing a huge distributed denial-of-service attack – although millions of people constantly hitting refresh could be contributing to that. Lizard Squad appears to be gloating about the downtime, but that could be anything and nothing.

    The downtime comes right as the US East Coast prepares to be hit by an incoming snow storm

    Reply
  38. Tomi Engdahl says:

    Photons link arms on chip to hasten march of quantum crypto
    Cheap, fast, entangled photons for fun and profit
    http://www.theregister.co.uk/2015/01/27/photons_link_arms_on_chip_march_in_time_in_fibre/

    A multinational collaboration of boffins reckons it’s come up with a chippable solution to one of the practical problems of quantum communications: getting a good source of entangled photons.

    While commercial quantum key distribution (QKD) devices already exist, getting as much of the process onto silicon is the foundation of making such services widespread and affordable.

    To be published in The Optical Society’s (OSA’s) journal Optica, the paper – also available as an Arxiv pre-print here – describes the use of a micro-ring resonator as a continuous on-chip source of bright, entangled photons.

    As the researchers note while the micro-ring resonator is an efficient source of photon pairs, “entangled state emissions have never been demonstrated”.

    Reply
  39. Tomi Engdahl says:

    Martyn Williams / Network World:
    DEA’s license plate reader program tracks car journeys across US, shares data with other law enforcement agencies

    DEA cameras tracking hundreds of millions of car journeys across the US
    http://www.networkworld.com/article/2875934/dea-cameras-tracking-hundreds-of-millions-of-car-journeys-across-the-us.html

    A U.S. Drug Enforcement Administration program to keep tabs on cars close to the U.S.-Mexican border has been gradually expanded nationwide and is regularly used by other law enforcement agencies in their hunt for suspects.

    The extent of the system, which is said to contain hundreds of millions of records on motorists and their journeys, was disclosed in documents obtained by the American Civil Liberties Union as part of a Freedom of Information Act request. Much of the information disclosed to the ACLU was undated, making it difficult to understand the growth of the network, which is different from the cameras used to collect traffic tolls on expressways.

    One of the undated documents said more than 100 cameras had been deployed in at least California, Arizona, New Mexico, Texas, Florida, Georgia, and New Jersey. The cameras snap each vehicle that passes, recording its license plate, the direction of travel and the time. Some cameras also snap a picture of the driver and passengers.

    Reply
  40. Tomi Engdahl says:

    EFF Unveils Plan For Ending Mass Surveillance
    http://yro.slashdot.org/story/15/01/27/042212/eff-unveils-plan-for-ending-mass-surveillance

    The Electronic Frontier Foundation has published a detailed, global strategy for ridding ourselves of mass surveillance.

    The central part of the EFF’s plan is: encryption, encryption, encryption. They say we need to build new secure communications tools, pressure existing tech companies to make their products secure against everyone, and get ordinary internet-goers to recognize that encryption is a fundamental part of communication in the surveillance age.

    They also advocate fighting for transparency and against overreach on a national level.

    EFF’s Game Plan for Ending Global Mass Surveillance
    https://www.eff.org/deeplinks/2015/01/effs-game-plan-ending-global-mass-surveillance

    We have a problem when it comes to stopping mass surveillance.

    The entity that’s conducting the most extreme and far-reaching surveillance against most of the world’s communications—the National Security Agency—is bound by United States law.

    That’s good news for Americans. U.S. law and the Constitution protect American citizens and legal residents from warrantless surveillance.

    But what about everyone else? What about the 96% of the world’s population who are citizens of other countries, living outside U.S. borders. They don’t get a vote in Congress. And current American legal protections generally only protect citizens, legal residents, or those physically located within the United States. So what can EFF do to protect the billions of people outside the United States who are victims of the NSA’s spying?

    Today we’re laying out the plan, so you can understand how all the pieces fit together

    This plan isn’t for the next two weeks or three months. It’s a multi-year battle that may need to be revised many times

    The National Security Agency is working to collect as much as possible about the digital lives of people worldwide.

    The NSA can’t do this alone. It relies on a network of international partners who help collect information worldwide, especially the intelligence agencies of Australia, Canada, New Zealand, and the United Kingdom (collectively known, along with the United States, as the “Five Eyes.”)

    Here’s the game plan for right now. Note that these are not consecutive steps; we’re working on them concurrently.

    1. Pressure technology companies to harden their systems against NSA surveillance
    2. Create a global movement that encourages user-side encryption
    3. Encourage the creation of secure communication tools that are easier to use
    4. Reform Executive Order 12333
    5. Develop guiding legal principles around surveillance and privacy with the help of scholars and legal experts worldwide
    6. Cultivate partners worldwide who can champion surveillance reform on the local level, and offer them support and promotion
    7. Stop NSA overreach through impact litigation and new U.S. laws
    8. Bring transparency to surveillance laws and practices

    Global Solutions for a Global Problem

    Mass surveillance affects people worldwide, reaching everywhere that the Internet reaches (and many places that it doesn’t!). But laws and court systems are divvied up by jurisdictional lines that don’t make sense for the Internet today. This means we need a range of tactics that include impact litigation, technological solutions, and policy changes both in the United States and across the globe.

    Reply
  41. Tomi Engdahl says:

    Jellybean upgrade too hard for Choc Factory, but not for YOU
    Patching WebKit would be unsafe, Google tells 960 million users
    http://www.theregister.co.uk/2015/01/27/jellybean_upgrade_too_hard_for_choc_factory_but_not_for_you/

    Google says it won’t patch Android Jellybean because it’s too hard.

    The company revealed earlier this month that it would not fix vulnerabilities found in WebView, the core component used to render web pages on older Android devices.

    Android engineer lead Adrian Ludwig said it was too hard to squeeze a patch into Webview’s WebKit engine which was five million lines of code deep.

    “WebKit alone is over five million lines of code and hundreds of developers are adding thousands of new commits every month, so in some instances applying vulnerability patches to a two year-old branch of WebKit required changes to significant portions of the code and was no longer practical to do safely,” Ludwig said.

    “With the advances in Android 4.4, the number of users that are potentially affected by legacy WebKit security issues is shrinking every day as more and more people upgrade or get new devices.”

    Despite the risks, Google is welcoming patches developed by the community.

    https://plus.google.com/+AdrianLudwig/posts/1md7ruEwBLF

    Reply
  42. Tomi Engdahl says:

    Warrantless snooping on American man was LEGAL in terrorism case, rules US judge
    Gov use of FISA data passes muster in Oregon district court
    http://www.theregister.co.uk/2014/06/25/us_judge_rules_warrantless_snooping_okay_in_terrorist_bomber_case/

    A US judge has ruled that warrantless electronic surveillance is legal when he upheld the terrorism conviction of an Oregon man.

    His legal team argued that the government’s bulk data-scraping of non-US citizens, which also hoovers up information on the US citizens that contact them, violated his constitutional rights.

    But District Judge Garr King rejected the appeal yesterday and upheld Mohamud’s conviction, for which he could face a sentence as long as life in prison.

    “I do not find any significant additional intrusion,” he wrote in his ruling. “Thus, subsequent querying of (the data), even if US person identifiers are used, is not a separate search and does not make (this surveillance) unreasonable under the Fourth Amendment.”

    Reply
  43. Tomi Engdahl says:

    Trevor Timm / Guardian:
    The war on leaks has gone way too far when journalists’ emails are under surveillance
    http://www.theguardian.com/commentisfree/2015/jan/25/war-on-leaks-gone-way-too-far-journalist-emails-are-under-surveillance

    The US government’s demands for the private emails of WikiLeaks staffers are outrageous. Disliking Julian Assange is a disgraceful reason for anyone to stay silent

    The outrageous legal attack on WikiLeaks and its staffers, who are exercising their First Amendment rights to publish classified information in the public interest—just like virtually every other major news organization in this country—is an attack on freedom of the press itself, and it’s shocking that more people aren’t raising their voices (and pens, and keyboards) in protest.

    In the past four years, WikiLeaks has had their Twitter accounts secretly spied on, been forced to forfeit most of their funding after credit card companies unilaterally cut them off, had the FBI place an informant inside their news organization, watched their supporters hauled before a grand jury, and been the victim of the UK spy agency GCHQ hacking of their website and spying on their readers.

    Now we’ve learned that, as The Guardian reported on Sunday, the Justice Department got a warrant in 2012 to seize the contents – plus the metadata on emails received, sent, drafted and deleted – of three WikiLeaks staffers’ personal Gmail accounts, which was inexplicably kept secret from them for almost two and a half years.

    Most journalists and press freedom groups have been inexplicably quiet about the Justice Department’s treatment of WikiLeaks and its staffers ever since, despite the fact that there has been a (justified) backlash against the rest of the Justice Department’s attempt to subpoena reporters’ phone call records and spy on their emails. But almost all of the tactics used against WikiLeaks by the Justice Department in their war on leaks were also used against mainstream news organizations.

    Unfortunately the news world has never rallied around WikiLeaks’ First Amendment rights the way they should – sometimes even refusing to acknowledge they are a journalism organization, perhaps because they dare to do things a little differently than the mainstream media, or because WikiLeaks tweets provocative political opinions, or because they think its founder, Julian Assange, is an unsympathetic figure.

    Those are all disgraceful excuses to ignore the government’s overreach: the rights of news organizations everywhere are under just as much threat whether the government reads the private emails of staffers at WikiLeaks, Fox News or the Associated Press. In the eyes of the law, the organizations are virtually indistinguishable, as legal scholars from across the political spectrum have documented for years.

    It shouldn’t be the government’s job to decide who is enough of a journalist in their minds to qualify for the constitutional and legal protections that can and should be afforded to all of them – since it’s clear that, when they do, almost nobody qualifies, whether it’s James Risen, James Rosen or Julian Assange.

    Reply
  44. Tomi Engdahl says:

    Great Firewall of China blasts DDoS attacks at random IP addresses
    Upgrade to system causing bizarre traffic spikes
    http://www.theregister.co.uk/2015/01/26/great_firewall_of_china_ddos_bug/

    An upgrade to China’s Great Firewall is having knock-on effects all over the internet, with seemingly random sites experiencing massive traffic spikes.

    The post goes into some detail over how Hockenberry managed to deal with the firehose-blast of requests, all of it coming from China and much of it trying to find Bittorrents or reach Facebook. Short version: he blocked all of China’s IP blocks.

    China uses a weak spot of the DNS system to intercept requests coming into and going out of the country. If it spots something it doesn’t like – such as a request for “facebook.com” or “twitter.com” – it redirects that request to a different IP address.

    Unfortunately, it seems that there have been some configuration mishaps and the wrong IP addresses have been entered. When one wrong number means that a server on the other side of the world suddenly gets hits with the full stream of millions of Chinese users requesting information, well then … that server falls over.

    The situation has had a broader impact within China. Tens of millions of users weren’t able to access the Web while the government scrambled to fix the problem. According to one Chinese anti-virus vendor, Qihoo 360, two-thirds of Chinese websites were caught up in the mess.

    China’s DNS infrastructure experts started pointing the finger at unknown assailants outside its system. “The industry needs to give more attention to prevent stronger DNS-related attacks,” said Li Xiaodong, executive director of China’s Internet Network Information Center (CNNIC).

    The reality, however, is that China has seen the downside to its efforts to reconfigure the basic underpinnings of the domain name system to meet political ends. The network is designed to be widely distributed and route around anything that prevents effective communication.

    By setting itself up as a bottleneck – and an increasingly huge bottleneck as more and more Chinese users get online – the Chinese government is making itself a single point of failure.

    For years, experts have been warning about the “balkanization” of the internet

    Fear China
    http://furbo.org/2015/01/22/fear-china/

    I’ve been using the Internet in one form or another since the mid-80′s. In that time, I’ve seen a lot of strange stuff happening on our global network. On Tuesday, I experienced something extraordinary.

    The number of requests peaked out at 52 Mbps. Let’s put that number in perspective: Daring Fireball is notorious for taking down sites by sending them about 500 Kbps of traffic. What we had just experienced was roughly the equivalent of 100 fireballs.

    All of this traffic directed at one IP address backed by a single server with a four core CPU.

    Like I said, “Holy shit.”

    The first course of business was to regain control of the server. Every service on the machine was unresponsive, including SSH. The only thing to do was perform a remote restart and wait for things to come back online.

    As soon as I got a shell prompt, I disabled the web server since that was the most likely source of the traffic. I was right: things quieted down as soon as traffic on port 80 and 443 was rejected.

    I’m a big believer in the power of an open and freely accessible Internet: I don’t take blocking traffic from innocent people lightly. But in this case, it’s the only thing that worked. If you get a DDOS like what I’ve described above, this should be the first thing you do.

    Will this happen again? For everyone’s sake, I hope not. The people of China will only end up being banned from more websites and site owners will waste many hours in total panic.

    Reply
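    The distinguishing feature of the flood described in the two posts above is that the requests were never meant for the server at all: the Host header names facebook.com or a torrent tracker, because a poisoned DNS answer pointed those names at the wrong IP. The script below is an added example, not code from The Register or furbo.org, that pulls that signal out of web access logs. It assumes an nginx "combined" log with `"$host"` appended as a final quoted field, a set of hostnames the server legitimately serves, and the constructed log lines shown (documentation IP ranges stand in for real sources).

```python
"""Spot a DNS-misdirection flood in web access logs by Host-header mismatch.

Added example, not from the Register or furbo.org posts.
Assumed log format: nginx 'combined' with "$host" appended as a final
quoted field. SERVED_HOSTS and the log lines are constructed sample data.
"""
import ipaddress
import re
from collections import Counter

# Hostnames this server legitimately answers for (assumption).
SERVED_HOSTS = {"furbo.example", "www.furbo.example"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
    r'\d+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)" "(?P<host>[^"]*)"$')

# Constructed sample: two legitimate hits, then misdirected traffic from one /24.
SAMPLE_LOG = """\
203.0.113.9 - - [22/Jan/2015:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "furbo.example"
198.51.100.4 - - [22/Jan/2015:10:00:02 +0000] "GET /feed HTTP/1.1" 200 900 "-" "Feedly/1.0" "www.furbo.example"
192.0.2.10 - - [22/Jan/2015:10:00:02 +0000] "GET / HTTP/1.1" 404 162 "-" "Mozilla/5.0" "www.facebook.com"
192.0.2.11 - - [22/Jan/2015:10:00:02 +0000] "GET /announce?info_hash=abc HTTP/1.1" 404 162 "-" "uTorrent/3.4" "tracker.example.net"
192.0.2.12 - - [22/Jan/2015:10:00:03 +0000] "GET / HTTP/1.1" 404 162 "-" "Mozilla/5.0" "twitter.com"
192.0.2.13 - - [22/Jan/2015:10:00:03 +0000] "GET / HTTP/1.1" 404 162 "-" "Mozilla/5.0" "www.facebook.com"
192.0.2.14 - - [22/Jan/2015:10:00:04 +0000] "GET /announce?info_hash=def HTTP/1.1" 404 162 "-" "Transmission/2.8" "tracker.example.net"
192.0.2.15 - - [22/Jan/2015:10:00:04 +0000] "GET / HTTP/1.1" 404 162 "-" "Mozilla/5.0" "www.facebook.com"
"""


def parse_log(text):
    """Parse matching lines into dicts; lines in another format are ignored."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def is_misdirected(rec, served=SERVED_HOSTS):
    """True when the client asked for a Host this server never serves:
    a resolver sent it here, which is exactly the poisoned-DNS symptom."""
    return rec["host"].lower() not in served


def prefix_stats(records, prefix_len=24):
    """Per-source-prefix request totals and misdirected counts."""
    total, bad = Counter(), Counter()
    for rec in records:
        net = ipaddress.ip_network(f"{rec['ip']}/{prefix_len}", strict=False)
        total[net] += 1
        if is_misdirected(rec):
            bad[net] += 1
    return total, bad


def block_candidates(records, prefix_len=24, min_hits=5, min_share=0.9):
    """Prefixes whose traffic is almost entirely misdirected, as
    (network, hits, misdirected_share) sorted by volume: candidates for an
    edge drop rule, narrower than blocking a whole country."""
    total, bad = prefix_stats(records, prefix_len)
    out = []
    for net, n in total.items():
        share = bad[net] / n
        if n >= min_hits and share >= min_share:
            out.append((str(net), n, round(share, 2)))
    return sorted(out, key=lambda t: -t[1])


def offending_hosts(records):
    """Which foreign hostnames are being sent to us, most frequent first."""
    return Counter(r["host"] for r in records if is_misdirected(r)).most_common()


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("misdirected Host headers:", offending_hosts(recs))
    print("block candidates:", block_candidates(recs))
```

Because the signal is the Host header, the cheapest first response is at the web server rather than the firewall: a default server block that closes the connection for any Host it does not serve (nginx's `return 444`) stops the application stack from doing work for traffic that was never yours, and the prefix report above then tells you what to drop upstream if the bandwidth itself is the problem.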
  45. Tomi Engdahl says:

    Some Androids can be HOSED by WiFi Direct vuln
    Google intransigence or publicity vuln?
    http://www.theregister.co.uk/2015/01/27/some_androids_can_be_hosed_by_wifi_direct_vuln/

    Google, which has been criticised by Microsoft for recent bug disclosures, is now downplaying a bug of its own.

    Core Security reckons there’s a bug in the Android implementation of WiFi Direct, which if exploited would let an attacker force a reboot of a device. Google, however, isn’t convinced it’s critical, and isn’t showing much interest in a patch.

    If the attacker sends a malformed wpa_supplicant event, the disclosure states, Android’s WifiP2pDevice class throws an IllegalArgumentException, crashing the device: “a device name attribute with specific bytes generates a malformed supplicant event string that ends up throwing the IllegalArgumentException”, the disclosure states.

    The vulnerability would occur while the Android device is scanning for other WiFi Direct-enabled devices (other phones, printers, cameras, and so on).

    Reply
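    The bug above is a classic parsing failure mode: a peer controls the device-name attribute in the wpa_supplicant event string, the framework tokenizes the string, and an unexpected byte sequence turns into an uncaught exception inside a system service, which is a remote reboot. The Python below is an added example, a simplified model rather than Android's WifiP2pDevice code: the event layout follows wpa_supplicant's P2P-DEVICE-FOUND format, but the "naive" parser and the hardened one are both assumptions written to illustrate the fix, and the event strings are constructed.

```python
"""Model of the WiFi Direct event-parsing crash: naive parser beside a hardened one.

Added example; a simplified Python model, not Android's WifiP2pDevice code.
Event layout follows wpa_supplicant's P2P-DEVICE-FOUND format; the parsing
logic on both sides is an assumption, and the sample events are constructed.
"""
import re

SAMPLE_OK = ("P2P-DEVICE-FOUND 42:fc:89:a1:e4:ab p2p_dev_addr=42:fc:89:a1:e4:ab "
             "pri_dev_type=1-0050F204-1 name='p2p-TEST1' config_methods=0x188 "
             "dev_capab=0x27 group_capab=0x0")
# Constructed: a peer whose advertised name contains a space and an
# unterminated quote, which breaks whitespace tokenisation.
SAMPLE_BAD = ("P2P-DEVICE-FOUND 42:fc:89:a1:e4:ab p2p_dev_addr=42:fc:89:a1:e4:ab "
              "pri_dev_type=1-0050F204-1 name='evil device config_methods=0x188 "
              "dev_capab=0x27 group_capab=0x0")
# Constructed: a perfectly legitimate name that merely contains a space.
SAMPLE_SPACE = SAMPLE_OK.replace("name='p2p-TEST1'", "name='my phone'")

REQUIRED = ("p2p_dev_addr", "pri_dev_type", "name", "config_methods",
            "dev_capab", "group_capab")


class MalformedEvent(ValueError):
    """Stands in for the IllegalArgumentException in the report."""


def parse_naive(event):
    """Vulnerable shape: split on whitespace, demand key=value for every token,
    and throw on anything else. Remote input decides whether we throw."""
    tokens = event.split()
    if len(tokens) < 2 + len(REQUIRED) or tokens[0] != "P2P-DEVICE-FOUND":
        raise MalformedEvent("unexpected token count")
    dev = {"address": tokens[1]}
    for tok in tokens[2:]:
        key, sep, value = tok.partition("=")
        if not sep or not value:
            raise MalformedEvent("bad token %r" % tok)
        dev[key] = value.strip("'")
    for key in REQUIRED:
        if key not in dev:
            raise MalformedEvent("missing " + key)
    return dev


def naive_crashes(event):
    """True when the naive parser would throw on this event; in a system
    service an uncaught throw here is the reboot the advisory describes."""
    try:
        parse_naive(event)
        return False
    except MalformedEvent:
        return True


MAC = r"(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}"
# Anchored grammar: the name is whatever sits between the quotes, so spaces are
# fine, and a name containing a quote fails to match instead of shifting fields.
# Not anchored at the end so extra trailing attributes are tolerated.
HARDENED_RE = re.compile(
    r"P2P-DEVICE-FOUND (?P<address>" + MAC + r")"
    r" p2p_dev_addr=(?P<p2p_dev_addr>" + MAC + r")"
    r" pri_dev_type=(?P<pri_dev_type>\S+)"
    r" name='(?P<name>[^']*)'"
    r" config_methods=(?P<config_methods>0x[0-9a-fA-F]+)"
    r" dev_capab=(?P<dev_capab>0x[0-9a-fA-F]+)"
    r" group_capab=(?P<group_capab>0x[0-9a-fA-F]+)")


def parse_hardened(event):
    """Fixed shape: parse against a grammar and return None for input that does
    not fit. The caller drops the peer; nothing propagates out of the service."""
    m = HARDENED_RE.match(event)
    return m.groupdict() if m else None


if __name__ == "__main__":
    for label, ev in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD), ("space", SAMPLE_SPACE)):
        print(label, "naive crashes:", naive_crashes(ev),
              "hardened name:", (parse_hardened(ev) or {}).get("name"))
```

Two things are worth noticing: the naive parser also rejects the harmless multi-word name, so the crash was never a corner case of hostile input alone, and the fix is not just catching the exception but refusing to let attacker-controlled bytes decide the control flow of a process that cannot afford to die.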
  46. Tomi Engdahl says:

    The UK’s Drug Dealers Are Swapping Crack for Nokia 8210s
    http://www.vice.com/read/the-uks-drug-dealers-love-the-nokia-8210-988

    Smartphones have their perks; without them, it would be impossible to take a photo of your junk and instantly share it with someone in Brazil. But they also have their downsides. Like constantly having your office in your pocket, or people ruining debates by googling the answer, or the fact that they’re effectively just GPS ankle monitors that double up as pizza-ordering devices.

    That last point is a salient one for people who spend a lot of their time doing stuff they don’t want anyone to know about. People like drug dealers and other criminals, who—thanks to the nature of their jobs—are understandably paranoid that they’re having their every movement monitored.

    The best remedy for this problem is to switch from an Android or iPhone to a shitty old handset. And the shitty old handset of choice, according to every source I’ve spoken to, is the Nokia 8210.

    “The feds can now use wifi and Bluetooth to get information from the phone, and seem to be able to listen to phones a lot easier now than ever before. Every dealer I know uses old phones, and the Nokia 8210 is the one everyone wants because of how small it is and how long the battery lasts.”

    Reply
  47. Tomi Engdahl says:

    Static analysis tool focuses on code security
    http://www.edn.com/design/design-tools/development-kits/4438417/Static-analysis-tool-focuses-on-code-security

    The latest release of GrammaTech’s Static Analysis Tool gives developers tools to ensure embedded software quality and security, and features 64-bit binary analysis, distributed analysis and checks for tainted buffer accesses.

    CodeSonar 4.1 is the latest version of the company’s software analysis tool for C/C++, Java, and machine code. Built to deliver depth of analysis, the latest version includes new distributed analysis capabilities, deeper tainted-data analysis, and binary analysis support for x64 processors. Combined, these advances will, its writers say, help developers build more stable and secure code in the Internet of Things era, where a growing number of devices are connected in unpredictable and often unsecure ways.

    “Embedded systems continue to require better protection against security attacks and quality lapses,” said Paul Anderson, Vice President of Engineering at GrammaTech. “With CodeSonar 4.1′s visual dataflow analysis, advanced tainted data checks, and binary analysis capability, developers can more easily identify bugs that are buried deep within complex codebases or hidden in third-party code.”

    Reply
  48. Tomi Engdahl says:

    How a 7-year-old girl hacked a public Wi-Fi network in 10 minutes
    Cybercrime is child’s play, it seems, as seven-year-old Betsy Davies succeeds in hacking a Wi-Fi hotspot
    http://www.information-age.com/technology/security/123458891/how-7-year-old-girl-hacked-public-wi-fi-network-10-minutes

    Free Wi-Fi at a coffee shop or other public space is a welcome sign for millions of people everyday who want to get some work done, make a video call, or just catch up on a bit of online shopping.

    However, as results of a new experiment today prove, public Wi-Fi is so unsecure it can even be hacked by a seven-year-old child – and in just over ten minutes.

    The ethical hacking experiment was conducted as part of a new Wi-Fi safety public awareness campaign by VPN provider http://www.hidemyass.com, which aims to highlight just how effortlessly hackers can compromise any of the UK’s almost 270,000 public Wi-Fi spots.

    With the consent of her family and in a controlled environment, IT-savvy seven-year-old Betsy Davies managed to hack a willing participant’s laptop while they were connected to a purpose-made open Wi-Fi network – designed to replicate those found on the high street.

    It took the primary schooler just 10 minutes and 54 seconds to learn how to set up a rogue access point – frequently used by attackers to activate what is known as a ‘man in the middle’ attack – before eavesdropping on traffic.

    “The results of this experiment are worrying but not entirely surprising,”

    The danger to consumers using public Wi-Fi lies in the sensitive data they make available to eavesdroppers – and the risk is growing. A recent Cabinet Office report showed over half of Britons had fallen victim to cybercriminals.

    Reply
  49. Tomi Engdahl says:

    Keylogger: Somebody STOP ME! Oh hang on, I just did
    We use ‘dark arts’ knowledge for good – says company man
    http://www.theregister.co.uk/2015/01/27/spyshelter_anti_keylogging_software/

    Developers of a range of commercial keyloggers have switched sides and begun marketing anti-keylogging technology.

    SpyShelter encrypts every keystroke on the PC and sends it via a safe “tunnel” directly to the application. The tactic prevents third-party software or malware from capturing the data, and even if a malicious application manages to penetrate the system, it will only retrieve meaningless, random text.

    The keystroke protection tech is reminiscent of IBM Trusteer.

    “SpyShelter is complementary to antivirus software,” Bogdan Siemienowicz, SpyShelter brand manager, told El Reg. “It is focusing on dangerous malware such as keyloggers and zero day threats such as ZeuS or Citadel. IBM Trusteer is basically about blocking injections to web browsers, which is like a very small part of what SpyShelter does.”

    Security software firms are normally quick to point out that the skills needed to develop defensive technologies are different from those needed to develop malign apps.

    Reply
