Year 2014 is coming to end, so it is time to look forward what to expect from year 2015 in cyber security.
Cyber security will get harder year y year. Year 2014 was much worse than 2013. Heartbleed, Bash, and POODLE vulnerabilities were just the beginning of what to expect in 2015. I expect that year 2014 was easy compared to what year 2015 will be. 2015 will prove to be a challenging year for IT security professional. Attacks can happen anywhere and anytime and they don’t have to be major attacks by nation states. They could come from inside or outside.
According to Gartner and Securityweek Total information security spending will grow a further 8.2 percent in 2015 to reach $76.9 billion. Unfortunately, security investments are not keeping up with IT enhancements that are continuously widening our attack surface and making systems more vulnerable. As computer software has become the backbone of modern civilization, “hacktivists”, organized cyber criminals, state-sponsored cyber attackers, and terrorist organizations try to exploit design flaws and weaknesses in the applications in order to embarrass corporations and government agencies, and commit fraud.
The steady flow of software security issues will be making headlines also in 2015. Serious security flaws will be found on both open seurce and proprietary software.
There are many people looking for a good process to develop secure software, because after-the-fact band-aiding is not a sustainable approach. If the same methods continue to be used to develop the software, retrospectively adding tests, then there will only be a very modest reduction in the flow of problems. Processes exist but have yet to be broadly applied for developing reliable and secure networking software. Traditional methods used to develop software continue to result in high failure rates. Why create insecure security?
Year 2014 was a year of cybersecurity after the NSA revelations made in 2013. There were lots of articles related to the material published. Not everything has yet been published, so I would expect some new NSA revelations details to be published also in 2015. So I expect some new information leaks on how govermential security organizations spy us all.
It seems like year 2014 has almost been “The Year of PoS Breaches.” Can We Learn from Big Breaches? At least companies will also face more stringent regulations: The new Payment Card Industry Data Security Standard 3.0 (PCI 3.0) will be mandatory for all businesses that store, process or transmit payment card information beginning 1 January 2015. The revamped standard includes requirements aimed at third party providers. The changes follow a string of high profile breaches – companies will also face more stringent regulations: The new Payment Card Industry Data Security Standard 3.0 (PCI 3.0) will be mandatory for all businesses that store, process or transmit payment card information beginning 1 January 2015. The revamped standard includes requirements aimed at third party providers. I expect that those new requirements do not result any quick change to the situation. As more and more breach reports have come up constantly, consumers officially are starting to get breach fatigue and banks are bringing breached companies to court to pay for damages caused to them.
Public and private organizations are facing an increasing frequency and sophistication of cyber-attacks and security breaches – many of which are only discovered after the fact. McAfee Labs’ 2015 Threats Predictions report is an eye-opening read which forecasts increased levels of crime, espionage and warfare operations. Cybercriminals are expected to use more sophisticated methods to remain hidden on a victim’s network, carrying out long-term theft of data without detection.
Get Ready For The Hack Attack That Drives A Big Company Out Of Business article predicts that 2015 will be the year that some company goes out of business because they didn’t plan adequately for an attack. In the past, the most sophisticated hacks against companies were carried out by big nation-states or criminal organizations. In year 2014 the Sony Pictures hack happened and showed that motives of sophisticated hackers have changed from self-gain to destruction. Many company officers are only now becoming aware of the threat (boards of directors and C-level officers have traditionally been focused on other threats). A computerized attack can cause a lot of damage to a well prepared company, and can turn a not so well prepared company to a complete disaster it can’t recover. Sony attack opens new doors of risks in the areas of corporate extortion.
As Internet of Thigs becomes more and more used, it will be more hacked. Thus security of Internet of Things will be more and more talked about. IoT os one field where cyber security flaws can kill. The European Police Office (Europol) said governments are ill-equipped to counter the menace of “injury and possible deaths” spurred by hacking attacks on critical safety equipment. There are many potential dangers are in transportation: many new cars are Internet connected and potentially vulnerable, SCADA Systems in Railways Vulnerable to Attack and Airline bosses ignore cyber security concerns at their peril. Whether it is an unintentional cyber incident or a deliberate attack, security continues to be a vital part of the automation industry and it will remain, with safety, a growing area of concern for manufacturers in the coming years. Security awareness is on the rise throughout the industry. Security is becoming a business enabler that can provide manufacturers more than just an insurance policy.
Soon, almost every network will soon have IoT-hacking in it. IDC predicts that in two years from 90 per cent of the global IT networks have met IoT data theft. In a report, cybersecurity firm Fortinet expects greater threats from “denial of service attacks on assembly line, factory, industrial control systems, and healthcare and building management…resulting in revenue losses and reputation damages for organizations globally.” This opens new doors of risks in the areas of corporate extortion, altering of corporate business operations, and the extension of cyberattacks to include physical threats of harm to civilians.
Why cyber warfare is becoming more and more attractive to small nations and terrorist groups. Enabled by Internet connectivity, cyber war provides more bang for the buck than investment in conventional weapons. It is cheaper for and far more accessible to these small nation-states than conventional weapons . It allows these countries to pull off attacks without as much risk of getting caught and without the repercussions when they are caught. There are many reasons why a nation-state or non-nation entity would pursue a cyber war program, and today many countries large and small invest in cyber warfare. Recent cyber attacks suggest that fewer resources are required to wage an attack than to defend against one. As the whole world gets connected, it just provides the details that make these attacks possible. In the not-too-distant future, warfare with traditional weaponry may take a backseat to potentially more destructive tactics: computer code attacking the companies and infrastructures, including electric grids and oil and gas pipelines, that society relies on.
It was estimated that first online murder would happen in 2014. It did not seem to happen in 2014 as far as I know. I think that is likely that online murder can happen in 2015. There are tools available for this to happen. Cyber-murder it can happen without us knowing about it.
Mobile devices will be one of the focal points for cyber-attackers in 2015, as they present relatively easy, low-risk points of entry that can be monitored remotely for passwords, account numbers, and personal identification data. Sure, there are still relatively easy to publish malicious application stores. Within next year advanced mobile exploit kits will become available.
Mobile devices will start to play part in denial of service attacks. Vietnam, India and Indonesia will be the distributed denial of service volcanoes of next year due to the profieration of pwned mobiles.
Year 2014 brought encryption to mainstream smart phones (new encryption features from Apple Inc. and Google Inc). In year 2015 government organizations try to tackle a very modern problem: password-protected encrypted cellphones. It will be a fight on surveillance as everyone starts to implement encryption.
Long predicted but always seeming to be “just around the corner,” mobile payments may finally have arrived. The coming mobile payment revolution, the underlying technologies – and alternative solutions – have been emerging for some time. Technologies playing a supporting role in this shift include encryption advances, digital currencies, biometrics, NFC, Bluetooth, QR codes, and even the use of sound wave data transfer. There will also bea products mrketed to prevent different kind of potential threats the new technologies can cause.
There is a never-ending battle between good and evil in the cyber world. Various types of attacks are successful because they are well-disguised, blend different techniques, and constantly evolve. You need Layered Security – It’s Not Just for Networks. Use a layered security architecture that supports a combination of defenses in ways attackers don’t expect and that continuously evolves protections to keep up with dynamic attacks. Traditionally these approaches have been focused on the network, but they can and should be applied to other parts of IT system as well (start from email gateways). Email is the preferred channel for business communications and thus continues to be a vector of choice for attackers.
Threat Information Sharing Will Become Necessary for Survival. Security controls (SANS critical controls, ISO/IEC 27002, NIST Cybersecurity Framework, and the Cloud Controls Matrix) are safeguards and counteract or minimize security risks relating to digital property. The more you can automate a control, the better off you will be. We are in the way of Moving towards an adaptive and automated way of applying intelligence based on behavior and heuristics is clearly moving in the right direction to enable a more actionable and relevant set of controls. Threat intelligence coming from a variety of sources (security companies, the government and the open source community) is needed. Key to the success is publishing intelligence in a variety of data structures (STIX, TAXI and other standard industry formats) to best describe threats in a way that can be aggregated and understood by others.
More and more organizations are moving applications and data to IaaS/PaaS environments. Many enterprise IT departments have reason for concern: industry experts agree that moving sensitive data into the hands of third-party cloud providers expands and complicates the risk landscape in which companies operate every day. You need to understand cloud database security basics and more.
Today major players are embracing end-to-end encryption, so that about 50% of web traffic is carried by HTTPS. HTTPS-everywhere will get boost in 2015 as a new certificate authority – backed by big names on the internet including Mozilla, Cisco and Akamai – plans to offer SSL certs at no charge starting summer 2015. This move will make it even more easier for people to run encrypted, secure HTTPS websites.
Google is proposing to warn people their data is at risk every time they visit websites that do not use the “HTTPS” system. If implemented, the change would mean that a warning would pop-up when people visited a site that used only HTTP to notify them that such a connection “provides no data security”. In the short term, the biggest headache is likely to be faced by website operators who will feel forced to migrate unencrypted HTTP websites to encrypted HTTPS.
You can’t trust that normal web security technologies will guarantee safety. Your HTTPS security will be more manipulated than before. End to end HTTPS is generally good security addition to end users, but it does not solve all the problems. The increased use of HTTPS has made the life of IT departments harder, because normal firewalls can’s look what is inside encypted HTTPS packets, so they can’t block potential security treads that are carried within HTTPS packets. There are some special corporate firewall arrangements that can intercept HTTPS traffic (they do kind of man-in-the middle attack that decrypts and encryps the packets on the way). So SSL communications can be intercepted and broken.
3,110 Comments
Tomi Engdahl says:
Your browser history, IP addresses, online purchases etc all up for grabs without a warrant
What the FBI can do with an NSL and a gagging order
http://www.theregister.co.uk/2015/11/30/isp_national_security_letter_details_published_following_11year_legal_battle/
Following a decade-long legal battle, the details of a US national security letter (NSL) sent to ISP owner Nicholas Merrill can finally be revealed.
The broad details have been known for some time, and a recent court decision all but listed the personal information that Merrill was told to hand over on all of his ISPs’ customers.
However, the decision by the FBI to not continue appealing the federal court’s judgment means people are now able to formally see the personal information that the US government believes it has a right to be granted access to without a warrant.
Merrill celebrated his legal victory on Twitter, noting: “Today my National Security Letter gag order is gone after over 11 years of litigation. I hope others who get NSLs find ways to challenge them”, adding: “I risked my freedom to speak out about my National Security Letter because I feel strongly about the need to protect privacy and free speech.”
Judge Marrero’s decision was carefully worded to effectively reveal the sort of details the FBI had requested but the unredacted version makes them explicit: an individual’s complete web browsing history; the IP addresses of everyone a person has corresponded with; and records of all online purchases.
Tomi Engdahl says:
Skip the Picks; Expert Uses Hammer To Open a Master Lock
http://it.slashdot.org/story/15/12/01/2042253/skip-the-picks-expert-uses-hammer-to-open-a-master-lock
Buyer beware. If it’s security you’re looking for, the #3 Master Lock might not be for you. In a video, locksport enthusiast Bosnian Bill demonstrates how to open a new #3 Master Lock using a small brass hammer — in under 90 seconds.
Skip the picks, expert uses hammer to open a Master Lock
http://www.csoonline.com/article/3010200/physical-security/skip-the-picks-expert-uses-hammer-to-open-a-master-lock.html
locksport enthusiast Bosnian Bill demonstrates how to open a new #3 Master Lock with nothing more than a small brass hammer. If a hammer isn’t an option, a screwdriver handle works just as well.
This video is just one of several videos he’s produced focused on defeating the security of Master Locks, which might surprise some viewers, considering that Bosnian Bill states the company has threatened to sue him several times.
The process isn’t bumping exactly, but it looks as if the locking dogs are bounced or vibrated out of the way so the shackle can come out.
Master Lock shared the following statement earlier this evening:
“We recognize that there are those who attempt to challenge the integrity of security products for sport. With the proper time, knowledge and tools nearly any security device can be manipulated – especially in a controlled environment by a dedicated locksmith or security expert.”
“Master Lock shared the following statement earlier this evening:
“We recognize that there are those who attempt to challenge the integrity of security products for sport. With the proper time, knowledge and tools nearly any security device can be manipulated – especially in a controlled environment by a dedicated locksmith or security expert.”
“Consumers should choose a level of security based on their needs and budget.”
So consumers are better off making the investment if they need a solid lock
Tomi Engdahl says:
Heartbleed, Other Flaws Found in Advantech ICS Gateways
http://www.securityweek.com/heartbleed-other-flaws-found-advantech-ics-gateways
Researchers at security firm Rapid7 discovered that the latest firmware version for some Advantech EKI products is plagued by several known vulnerabilities.
Advantech EKI are Modbus gateways designed for connecting serial devices to TCP/IP network-based devices in industrial control environments.
The Taiwan-based industrial automation company recently released new firmware versions for EKI-136X, EKI-132X and EKI-122X products to address a security flaw related to the existence of hardcoded SSH keys (CVE-2015-6476).
While analyzing one of the new firmware versions, Rapid7’s HD Moore discovered that it includes version 2.05 of the bash shell, which is known to be vulnerable to Shellshock attacks.
In addition, the Advantech EKI firmware also includes version 1.0.0e of OpenSSL, which is vulnerable to Heartbleed attacks. The OpenSSL Project will end support for the 1.0.0 version starting with January 1, 2016.
The DHCP client used by Advantech is also highly outdated and known to contain vulnerabilities, including a high-severity stack-based buffer overflow discovered in 2012.
Beardsley has pointed out that while none of these flaws are new, the problem is that the vulnerable firmware can be found on production industrial control systems.
Rapid7 contacted Advantech on November 11 and published a Metasploit module on December 1.
This is the third time someone has found vulnerabilities in Advantech’s Modbus gateways. In February, the vendor patched a serious flaw that could have been exploited by remote attackers to execute arbitrary code.
Tomi Engdahl says:
Google Patches Over Dozen Serious Flaws in Chrome
http://www.securityweek.com/google-patches-over-dozen-serious-flaws-chrome
Google announced on Tuesday the availability of Chrome 47, a version that brings 41 security fixes, including more than a dozen serious vulnerabilities reported by external researchers.
Tomi Engdahl says:
The Importance of Learning From Hackers
http://www.securityweek.com/importance-learning-hackers
Earlier this month, during the RSA Conference in Europe, Amit Yoran President of RSA and former cybersecurity director at the U.S. Department of Homeland Security proclaimed, “Infosec is fundamentally broken.”
“Infosec is an industry that wastes billions of dollars on firewalls and policing network perimeters, things that ‘make us feel safe’ but don’t address real problems,” Yoran said. “Look at the major breaches of recent memory and you will find companies that were attacked despite using next-generation firewalls and high-level software that, for all their cost and promise, allowed massive, embarrassing and harmful breaches.”
Is it true? Certainly, data breaches continue to be in the headlines despite more than an estimated $70 billion in annual cybersecurity spending.
Why does this keep happening?
During a presentation at the Churchill club recently, the leaders from Symantec, Fortinet, Intel Security and Palo Alto Networks (all part of the Cyber Threat Alliance) were asked this very question, and attributed it to a variety of factors:
• Underinvestment in security until recently, when security has finally become a board level conversation
• Highly-automated, persistent adversaries taking advantage of the decreasing cost of compute power.
• Increased usage of a 50-year old Internet (with legacy) architecture while being protected by security solutions that don’t understand applications and content
In fact, Symantec CEO Michael Brown said this: “We have never spent as much on cybersecurity but we still spend a 10th of what attacks cost us”.
“The security industry is clearly trying to respond to an ever increasing number of attacks and severity of attacks, but until companies are actually spending even more, we’re creating a gap in terms of what companies need to be spending to protect themselves,”
Perhaps it’s time to supplement all our security defenses with a hacker-centric security paradigm. No, I’m not talking about hacking back at adversaries, I’m talking about proactively hacking with ourselves (and infrastructure) as the target. Organizations don’t need to understand our environments as much as they need to understand how adversaries view them. How will an adversary assess and attack us and our infrastructure?
This move towards a hacker-centric security paradigm is already taking place in the cybersecurity world. We have companies offering bug bounty programs for successfully finding flaws in product/systems, we also have ethical hackers that perform these tasks for security organizations. But these efforts are tied to the human element.
Tomi Engdahl says:
Changing the Economics of Cybersecurity
http://www.securityweek.com/changing-economics-cybersecurity
It’s almost a cliche to talk about how often breaches occur—in 2015 alone, we’ve seen high-profile breaches from everyone from Anthem, the popular work collaboration tool Slack, and even the federal government thanks to the recent US Office of Personnel Management attack. While many organizations are implementing security solutions to avoid becoming the next headline, there’s a fundamental math problem with the money they are investing: While organizations may think their ROI is pretty good, the ROI for criminals is even better, giving criminals more incentive to work their hardest to break into an enterprise network.
IT organizations can spend millions trying to protect the network perimeter from attackers, yet attackers will still breach defenses, leaving companies vulnerable to data loss or worse. And attackers will keep trying, because the success rate of attacks is high. Hackers might only have to spend a little bit of money and a week or two to worm their way inside a Fortune 500 network. One hacker can write an exploit that will open the digital doors of millions of corporate systems, spilling out data and resources of untold value. The exploits are easily passed around in the underground so the threats to corporations are exponential. And the attacks can be as easy as sending a carefully crafted phishing email to a top-level executive; the effort for attackers is minimal and the payback is huge. Meanwhile, IT departments are spending more and more money trying to keep hackers out, with minimal success. Which brings me to an uncomfortable point:
Clearly, the economics of security are not in the enterprise’s favor.
Let’s look at the numbers: Organizations will spend a staggering $77 billion on security in 2015, with growth forecasted at 8 percent. In addition, trying to protect your network edge from incentivized attackers takes a toll from the standpoints of money and time. Businesses spend an average of $1.27 million annually responding to false alerts, and they waste 395 people-hours each week thanks to faulty intelligence and alerts.
You’d think that with this kind of money being spent on security, breaches would be just about non-existent. However, this isn’t the case: Breaches have actually gone up dramatically in the past three years, and more than 97 percent of enterprises have been breached. At a per-breach average cost of $6.5 million in the US, even just a few breaches add up and one strategic one can put a company out of business.
To change these lopsided economics so they shift the balance in favor of effective security for businesses, companies need to find a way to make it more difficult and costly for attackers to try to breach defenses – reducing the potential attack surface so it’s tougher to break in. When you make it harder for attackers to gain entry, they tend to move on to easier targets. It’s the “outrun the lambs, not the wolves” approach.
Changing the Economics of Security Starts and Ends at the Endpoint
In my opinion, the answer rests in thwarting threats to the endpoint. Why? The endpoint poses far and away the greatest risks to a business. More than 70% of threats come into businesses this way, thanks to the combined power of the mobile and cloud revolutions. Now that employees spend a good part of the day working from home, hotels and cafes, corporate data no longer remains safely within the corporate network. The network perimeter has evaporated, causing enterprises to lose control of where data is hosted and where it is accessed, leaving them exposed to bad actors.
The endpoint problem is compounded by the fact that a single bug in the tens of millions of lines of code in an operating system or application – combined with an unguarded click by an unsuspecting employee – can put an enterprise at risk.
Halting attacks at endpoints reduces the attack surface and deters criminals.
While data breaches aren’t going away anytime soon, every company has a choice of how they prepare for them. By focusing on the endpoint, businesses can better secure themselves with less cost and less time expended by the IT team.
Tomi Engdahl says:
Popular 3G/4G data dongles are desperately vulnerable, say hackers
SOHOpelessness is the new normal
http://www.theregister.co.uk/2015/12/03/3g4g_data_dongles_vulnerable/
Cellular modems from four vendors have been popped by security researchers, who have documented cross-site scripting (XSS), cross-site request forgery (CSRF), remote code execution (RCE) and integrity attacks on the products.
The research published by Positive Technologies and carried out by the SCADA Strangelove team looked at modems from Huawei, Gemtek, Quanta and ZTE.
The tests tell some old, old stories: for example, code appearing in multiple devices suggests too many vendors base their firmware on silicon vendors’ reference designs without doing enough work themselves.
The researchers say all of the devices they tested – two from Gemtek, two from Quanta (one of which was a rebadged ZTE), and three from Huawei – are vulnerable to remote code execution, and all except the Huawei devices are vulnerable to malicious firmware
Tomi Engdahl says:
CloudFlare intros HTTP/2, so we can ‘spend holiday time with our family’
So … erm, that’s a good thing, probably
http://www.theregister.co.uk/2015/12/03/cloudflare_introduces_http2_for_everyone_ijoyeux_noli_web_devs/
CloudFlare is introducing HTTP/2 support for all of its users, to be available on all SSL/TLS connections – while still supporting SPDY – so netizens can spend more time with their families instead of waiting for pages to load this Christmas.
Talking to The Register on Tuesday night, CloudFlare CEO Matthew Prince explained the company’s “multiple step rollout” of the future of the web.
“The first step really started when we turned on TLS. Thursday will be the second step, when we announce base protocol support for everyone,” Prince said, before admitting “for most customers we’ve actually quietly already turned it on.”
“The way we do rollouts is roll out to free customers in one particular data centre: free customers in Toronto in this instance. So as of last Wednesday, they went live, so that happened quietly, and over the holiday weekend in the US we’ve been expanding that to other data centres,” said Prince.
“So, by the end of Tuesday we’d be done with the push (so it’s in all facilities) and then Wednesday is just a day of buffer before the announcement on Thursday. The third step is what we’re doing in the New Year,” he added.
Dodging HTTP/2 scanners for “a massive spike” on Thursday, Prince stated that the rollout will be “a Christmas present to the internet”.
“This is the first time that the underlying protocol of the internet, HTTP, has been updated since 1998, so it’s a pretty big change on one level, but on another level it’s just based on a protocol developed by Google called SPDY,” said Prince.
While not initially developed to replace HTTP, the method in which it overrides connection management and data transfer formats has substantially informed the Internet Engineering Task Force’s HTTP/2.
CloudFlare has supported SPDY for just over three years, and Prince claimed that “75 per cent of the top Alexa websites support SPDY because of CloudFlare”.
“When HTTP/2, which was really an outgrowth of SPDY, came out, we committed to making sure this was available to all of our users, including those using our service for free. We don’t believe you should pay a tax to be a part of the modern internet,” said Prince.
Tomi Engdahl says:
Hacking Techniques in Wireless Networks
http://cecs.wright.edu/~pmateti/InternetSecurity/Lectures/WirelessHacks/Mateti-WirelessHacks.htm#_Toc77524674
Tomi Engdahl says:
The Wassenaar Arrangement
On Export Controls for Conventional Arms and Dual-Use Goods and Technologies
http://www.wassenaar.org/
Tomi Engdahl says:
Target settles with banks for $40m after data breach
I see a Friday and I want it painted black
http://www.theregister.co.uk/2015/12/03/target_settles_with_banks_for_40m_after_data_breach/
Retail giant Target has agreed to shell out $39.4m to banks and credit unions who had pursued the company following losses suffered after an enormous data breach.
Target has now resolved the class-action claims following lenders seeking to hold the company to account for reimbursing defrauded customers. $20.25m will be paid to banks and credit unions, while $19.11m will go to the card issuers as the compromised credit and debit cards needed to be replaced.
Financial institutions were chasing Target after crooks harvested 40 million credit card numbers back in 2013.
A previous settlement saw the retailer shell out $10m to litigants.
Tomi Engdahl says:
After Demanding $3 Million Ransom, Hacker Dumps Massive Customer Financial Data
http://yro.slashdot.org/story/15/12/03/1539217/after-demanding-3-million-ransom-hacker-dumps-massive-customer-financial-data
Just over week after a hacker breached a United Arab Emirates Bank, demanding a $3 million ransom to stop tweeting customers’ information, he appears to have dumped tens of thousands of customer files online. The actual data appears to be real. And it’s vast.
After asking bank for $3 million ransom, hacker dumps massive customer financial database
http://www.dailydot.com/politics/invest-bank-hacker-buba/
Just over week after a hacker breached a United Arab Emirates Bank, demanding a ransom to stop tweeting customers’ information, he appears to have dumped tens of thousands of customer files online.
As captured in archived tweets on since-deleted accounts, a user identifying himself as “Hacker Buba” tweeted information, mostly of corporate accounts, that was reportedly stolen from Invest Bank. He told Mazhar Farooqui, editor of the Dubai-based XPress newspaper, that he had an audacious scheme: if he wasn’t paid $3 million in Bitcoin, he’d keep leaking that information. One bank executive confirmed the hack to Farooqui, adding that, “This is blackmail.”
The means by which that information was posted is striking. Hacker Buba initially tweeted from accounts like @investbank_2, though those were quickly deleted. But late Tuesday night and then again on Wednesday, approximately 50 seemingly unrelated Twitter accounts began tweeting the same message, which included both the name Invest Bank and a link to a site, signed Hacker Buba, that had six zip files purporting to obtain that vast bank information.
The way that information was stored is even more bizarre. It sat—and still does, as of this writing—on the website of an eastern European basketball team, apparently also hacked by Buba and used as a temporary storage space.
The actual data appears to be real. And it’s vast. One database analyzed by the Daily Dot includes the sensitive information of around 40,000 customers, including their full names, credit card numbers, and birthdays.
Other databases show information for other customers, and include detailed transaction histories.
Tomi Engdahl says:
Home> Community > Blogs > Now Hear This!
IoT Security Spartans wanted
http://www.edn.com/electronics-blogs/now-hear-this/4440964/IoT-Security-Spartans-wanted?_mc=NL_EDN_EDT_EDN_today_20151203&cid=NL_EDN_EDT_EDN_today_20151203&elq=4b697e8f81414fa18216f5c1321baca5&elqCampaignId=25993&elqaid=29639&elqat=1&elqTrackId=1244e3af312c418b97de6010513a1b13
There’s a long-running joke in the IT community that white hat hacker Jay Radcliffe shared during his DoT (Designers of Things) keynote Wednesday morning:
The most secure computer is one that has been unplugged and destroyed.
Every joke has some truth to it. Security has been an issue since the days of the first electronic devices. Now, as we move into a world of ever-connected devices through IoT, security has become even more necessary.
Radcliffe told the keynote audience about IoT-enabled Bluetooth toothbrushes that need security patches as an example of how quickly IoT has moved into our daily lives without proper security development, opening itself up to malicious hacking.
“This [IoT] is exceptionally scary. We are going too fast,” said Radcliffe. “Are we opening ourselves up to something we don’t know enough about? Are we doing enough to secure these devices?”
Radcliffe himself uses his hacking skills for good, he noted, “because with great power comes great responsibility,”
He called for security specialists at every step of electronic design, especially as more IoT devices connect.
“All too often security gets pigeonholed as an iron fist,” Radcliffe said, describing an IT manager who dictates on what users can and cannot do. Instead, he’s looking for security to partner with design and for the long-term, addressing security issues that will inevitably come up over the life of a device.
“You want someone who will go to battle with you. We need Spartans,” he said.
This becomes especially important when connected medical devices come into play,
“We are entrusting a computer device to do what medical can’t do,”
“There’s no such thing as a perfectly secure system.”
Tomi Engdahl says:
Ransomware and scammy tech support sites team up for a vicious one-two punch
http://www.csoonline.com/article/3011061/security/ransomware-and-scammy-tech-support-sites-team-up-for-a-vicious-one-two-punch.html
One holds your files hostage, the other overcharges to fix nonexistent computer problems
Symantec has seen a curious fusing of two pernicious online threats, which would cause a big headache if encountered by users.
Some websites offering questionable tech support services are also dishing up ransomware, which locks up a users files until they pay a fee to decrypt them.
he support scams involve trying to convince users they have a computer problem and then selling them overpriced software or support services to fix it. It’s often done via a pop-up message that urges people to call a number or download software.
Symantec has seen tech support websites also trying to install ransomware in the background. Ransomware is malware that encrypts a computer’s files and asks for a payment, often in bitcoin, for the decryption key to be released.
“Unfortunate victims could end up paying both the fake tech support scam for ‘help’ and the ransom to decrypt their files, ”
On one tech support site seen by Symantec, an iframe hidden on the page redirected to the Nuclear exploit kit, a popular one used to spread malware.
It’s unclear if the people running tech supports scams are working with those who create and rent out the use of exploit kits and associated infrastructure
It’s also possible that the tech support websites, like many other websites, have been compromised in order to redirect visitors to exploit kits.
Tomi Engdahl says:
5G technology, cyber-threats under control
The new 5G Ensure project is a part of a big European Union’s Horizon 2020 5G PPP (European 5G Infrastructure Public Private Partnership) program, in which businesses and public bodies aiming at developing the future network infrastructure to the challenges of the 2020s.
5G networks will be critical infrastructure, on top of which for example. transport, industry, health and the new operators set up their business. For example, systems such as traffic remote control and etäkirurgian bring new security challenges.
Growing network virtualization functionality and programmability are both an opportunity and a threat to security. Legal information monitoring and related legislation will also affect security solutions 5G networks.
VTT is developing a project in virtualization and segmentation of network security functionalities related. A strong industry-led consortium, combined with 5G PPP co-operation will enable the results of the project can be exported to 5G standards.
New security functionality and their use cases demonstrated on the test network, which is being built at the same time in both France and Finland, VTT. Finnish test network integrates with the Tekes-funded national 5G test network.
Coordinated by VTT, the 5G Ensure consortium includes European telecom and network operators, IT service providers and network security experts.
Source: http://www.uusiteknologia.fi/2015/12/03/5g-tekniikan-kyberuhat-kuriin/
Tomi Engdahl says:
Zack Whittaker / ZDNet:
In crude surveillance move, Kazakhstan requires Internet users install state-issued root certificate by January 1, imperilling security for all its citizens
Kazakhstan will force its citizens to install internet backdoors
http://www.zdnet.com/article/kazakhstan-forces-its-citizens-into-installing-internet-backdoors/
The poorly thought-out and crude surveillance technique could have a devastating effect on the country’s internet security.
In less than a month, Kazakhstan will begin enforcing a new law that requires every internet user in the country to install a backdoor, allowing the government to conduct surveillance.
In a brief statement (translated), KazakhTelecom, the country’s largest telecom, said citizens are “obliged” to install a “national security certificate” on every device, including desktops and mobile devices.
This allows the government to conduct a so-called “man-in-the-middle” attack, which allows the government to intercept every secure connection in the country and snoop on web browsing history, usernames and passwords, and even secure and HTTPS-encrypted traffic.
Telecom companies must monitor which internet users on its networks have not installed the certificate, according to a translation of the statement.
“Stupid”
Although few specifics have been made available, the proposal has been met with extreme criticism from security experts and privacy advocates.
Security researcher Kenneth White told ZDNet that the technique would be like a “country-level Superfish,” reminiscent of its namesake controversy in which computer maker Lenovo installed adware containing a root self-signing certificate that could intercept encrypted connections.
Certificates are usually issued by trusted authorities to ensure that connections can’t be snooped on. But if a malicious authority forces or tricks a user into installing a certificate, it can be used to intercept traffic on secure connections.
Tomi Engdahl says:
Lauren Hockenson / The Next Web:
EFF’s free HTTPS tool ‘Let’s Encrypt’ enters public beta
http://thenextweb.com/dd/2015/12/03/effs-free-https-tool-lets-encrypt-enters-public-beta/
Really, there’s no good reason for devs to not adopt HTTPS certification. The added protection makes you and your users safer, and ensures that you can guarantee that your website doesn’t inject malicious malware, tracking or unwanted ads onto your user experience.
The Electronic Frontier Foundation developed its ‘Let’s Encrypt’ tool to make HTTPS certification faster, easier and free for anyone to use. Developed with sponsorship from Mozilla, the University of Michigan, Cisco, Akamai and others, the tool is now in Public Beta, which means that anyone with a website can set up the automated process to get an HTTPS certificate.
According to the EFF, the process of adopting HTTPS has historically been difficult, and incurs cost on the website’s owner. By creating an automated tool, the barriers to HTTPS no longer exist, and more websites will be safe overall.
Let’s Encrypt Enters Public Beta
https://www.eff.org/deeplinks/2015/12/lets-encrypt-enters-public-beta
So if you run a server, and need certificates to deploy HTTPS, you can run the beta client and get one right now.
We’ve still got a lot to do. This launch is a Public Beta to indicate that, as much as today’s release makes setting up HTTPS easier, we still want to make a lot more improvements towards our ideal of fully automated server setup and renewal. Our roadmap includes may features including options for complete automation of certificate renewal, support for automatic configuration of more kinds of servers (such as Nginx, postfix, exim, or dovecot), and tools to help guide users through the configuration of important Web security features such as HSTS, upgrade-insecure-requests, and OCSP Stapling.
Tomi Engdahl says:
Revenge Porn King Gets Two Years In Prison
http://motherboard.vice.com/read/revenge-porn-king-gets-two-years-in-prison
On Wednesday, Hunter Moore was sentenced to two and a half years in prison by a federal district judge in Los Angeles, California.
Moore, the former operator of IsAnyoneUp.com, has been referred to as the “king of revenge porn.” His website hosted nude pictures that were uploaded without the subjects’ consent, often with personal information (names and contact information) accompanying them.
The site advertised itself as a kind of user-generated content site, soliciting submissions from vengeful exes. But in truth, a considerable chunk of the pictures were acquired through hacked email accounts.
In February 2015, Hunter Moore pled guilty to one count of computer hacking under the Computer Fraud and Abuse Act, and one count of aggravated identity theft.
Tomi Engdahl says:
Joseph Cox / Motherboard:
FBI Says Suspected Silk Road Architect Variety Jones Has Been Arrested — The man suspected of being a “senior adviser” to Ross Ulbricht, the convicted creator of the drug marketplace Silk Road, has been arrested, according to the United States Attorney’s Office.
FBI Says Suspected Silk Road Architect Variety Jones Has Been Arrested
http://motherboard.vice.com/read/fbi-says-suspected-silk-road-architect-variety-jones-has-been-arrested
The man suspected of being a “senior adviser” to Ross Ulbricht, the convicted creator of the drug marketplace Silk Road, has been arrested, according to the United States Attorney’s Office.
Roger Thomas Clark is accused of being “Variety Jones,” according to a press release, and allegedly was “a close confidante of Ulbricht’s who advised on all aspects of Silk Road’s operations and helped him grow the site into an extensive criminal enterprise.”
Manhattan U.S. Attorney Announces Arrest And Unsealing Of Charges Against Senior Adviser To The Operator Of The “Silk Road” Website
http://www.justice.gov/usao-sdny/pr/manhattan-us-attorney-announces-arrest-and-unsealing-charges-against-senior-adviser
Roger Thomas Clark Was a Key Figure in the Development of Silk Road Who Helped Ross Ulbricht Run the Criminal Enterprise
Tomi Engdahl says:
Jeremy Kirk / Computerworld:
Microsoft assists law enforcement in disrupting Dorkbot, a botnet that controlled 1M PCs worldwide
Microsoft joins law enforcement to disrupt Dorkbot botnet
http://www.computerworld.com/article/3012077/security/microsoft-joins-law-enforcement-to-disrupt-dorkbot-botnet.html
Dorkbot steals login credentials for many online services
Microsoft said Thursday it aided law enforcement agencies in several regions to disrupt a four-year-old botnet called Dorkbot, which has infected one million computers worldwide.
The Dorkbot malware aims to steal login credentials from services such as Gmail, Facebook, PayPal, Steam, eBay, Twitter and Netflix.
It was first spotted around April 2011. Users typically get infected by browsing to websites that automatically exploit vulnerable software using exploit kits and through spam. It also has a worm functionality and can spread itself through through social media and instant messaging programs or removable media drives.
Coordinated actions to take botnet servers offline have an immediate impact, but the benefits can be short-lived. Cybercriminals often set up new hosting and command-and-control infrastructure and begin rebuilding the botnet by infecting new computers.
Tomi Engdahl says:
Magenta: Compromised sites haven’t patched older flaws
http://www.computerworld.com/article/2995598/security/magenta-compromised-sites-havent-patched-older-flaws.html
Some Magento sites have been infected with the Neutrino exploit kit
Magento said Tuesday there does not appear to be a new vulnerability in its e-commerce platform that is causing some websites to become infected with the Neutrino exploit kit.
Some of the affected websites appear to not have patched a code execution vulnerability nicknamed the Shoplift Bug Patch, Magento’s security team wrote in a blog post. A patch was released in February.
Other Magento-powered sites have not applied other patches, making them vulnerable.
The infected Magento sites contained malicious scripts that created iframes, which pulled content from the malicious domain “Guruincsite.” That domain, which is blacklisted by Google, has been linked with the Neutrino exploit kit.
If encountered by someone browsing a website, exploit kits attack a computer, looking for software vulnerabilities in order to deliver malware. Hackers often try to plant code that triggers exposure to an exploit kit on legitimate, highly trafficked websites, as it creates an opportunity to infect many computers.
Magento warned that even if all patches have been applied to the software, it’s important to figure out if a website had been compromised prior to patching.
Magento, which is owned by eBay, is an attractive target for attackers since it’s used by a large number of companies
It claims to be the most used software for the top 1 million websites ranked by Alexa.
Tomi Engdahl says:
Social media censorship in Bangladesh hints at long-term problems for publishers
http://www.cjr.org/analysis/bangladesh_social_media.php
Two weeks have passed since the government in Bangladesh blocked access to Facebook, WhatsApp, Viber, and other social media sites. In Dhaka, some people have crowded into hotel lobbies to access private networks, while others are gaining access through proxy servers. The reason for the ban, according to the government, has to do with security, in light of the recent terrorist attacks and local political violence, but there is concern that it’s part of a creeping pattern of censorship that’s having a negative impact on publishers, especially after the temporary block in January and reports of journalists being harassed.
The government called the blackout “a mistake,” but then said the social media block would remain in place until the security threat had passed.
Fourteen days later, those sites are still down. Asked when access would be restored, the State Minister for Posts and Telecommunications said, “When the home ministry and law-enforcing agencies feel it’s safe.”
In a country where the ruling party once offered a transformative vision for media (its slogan in 2008 was “Digital Bangladesh”), and Facebook dominates online activity in a way that doesn’t happen in the US, the shutdown is a frustrating, unsettling setback for those who have come to depend on the site for news and information.
From a business perspective, the shutdown should also be a red flag for Facebook, which just announced its plan to bring Instant Articles, a mobile service that allows media organizations to publish directly to Facebook at faster speeds, to more emerging markets in Asia, where social media and mobile use is booming.
Tomi Engdahl says:
How not to report on the encryption ‘debate’
http://www.cjr.org/first_person/misinformation_and_misconceptions_how_not_to_report_on_the_encryption_debate.php
Rarely has a public debate been ignited so fast as the one about whether to ban online encryption after the tragic Paris attacks two and a half weeks ago. And rarely has the coverage of such a debate been so lacking in facts—especially considering that encryption is a tool reporters increasingly need to do their jobs.
The deplorable terrorist attacks in Paris occurred on the evening of Friday, Nov. 13. By the end of that weekend, news organizations had published dozens of articles linking the Paris attackers with the use of encrypted messaging apps that prevent the companies that make them—and therefore governments—from easily accessing the messages their users send back and forth. By the following Monday, there were literally thousands of articles questioning whether such apps should be outlawed, spurred on by the Sunday talk shows that gave intelligence officials license to speculate on the “likely” use of encryption as a catchall excuse for why the attacks had not been detected, and to condemn the technology without a single skeptical follow-up.
Why were officials saying it was “likely”? Not because they had actual evidence, but because they assumed that if authorities didn’t know about the plot in advance, the terrorists must have used encryption.
Meanwhile, an early New York Times article on the attackers’ supposed use of encryption—sourced to anonymous European officials, whose assertions became the launchpad for many of the weekend’s think pieces—was quickly rewritten and the anonymous reference to encryption removed (without a note to readers about why).
By Monday night, the Times made clear in its lead story about the still-raging encryption debate that there was “no definitive evidence” that encrypted communications had been used by any of the attackers, but by then the terms of the discussion were already set, and the CIA had no problem continuing its epic game of blame deflection throughout the week.
To this day, there’s hardly any publicly available evidence that the Paris attackers used encrypted communications to plan their attack. It’s important to point out, as journalist Dan Gillmor astutely writes, that whether these particular terrorists did use such technology should not matter in the debate over whether to ban it. But it does prove how easily the CIA can still mislead and steer the media while diverting attention from its own potential failures.
What have we learned since the “ban encryption” movement gained full steam on the first weekday after the attack? It turns out that most of the attackers were already known to intelligence agencies. Within a week of the attack, we found out they had used Facebook to communicate, as well as normal SMS text messaging.
By this week, The Wall Street Journal was reporting that the Paris attack had been “hatched in plain sight”: The terrorists used their real names and identification cards for hotel and rental car reservations and did not noticeably try to cover their tracks.
But cable news, which sadly often reflects the national agenda more than print, had no interest in the truth, and as Glenn Greenwald wrote, “neither CNN nor MSNBC has put a single person on air to dispute the CIA’s blatant falsehoods about Paris despite how many journalists have documented those falsehoods.”
Part of the problem is that many reporters—television anchors in particular—apparently don’t understand the basics of how encryption works and what it does and does not do.
First, even if terrorists do use encryption, that doesn’t mean a giant black cape has been thrown over them so they can work in complete secrecy. Far from it: Authorities can still track the precise location of terrorists 24/7 if they carry a mobile device. Even if suspects encrypt their communications, intelligence agencies can get information about who they’re talking to, when, and for how long. They can also hack into individual terrorists’ computers or phones and read their messages, no matter what type of encrypted apps they are using. (For more, read Nathan Freitas’s “6 Ways Law Enforcement Can Track Terrorists in an Encrypted World.”)
Ask any national security reporter who has tried to completely switch to encrypted and anonymous communication with a source and you’ll find that it is virtually impossible unless you have weeks or months of training.
While end-to-end encryption certainly gives us an extra layer of privacy protection at a time when our rights are constantly being eroded, this is actually a security vs. security debate. Encryption’s main purpose is to protect us from hackers of all sorts
The government is complaining that companies cannot unlock certain communications because only the sender and the receiver hold the key—the company itself does not. When tech companies do not have a way to access all their customers’ data at once, neither do hackers. As a commentator said last week in response to the new push to ban encryption in the name of “security”: “Weakening security with the aim of advancing security simply does not make sense.”
There are, of course, many questions reporters can and should be asking intelligence officials: Don’t you still have many other ways to track terrorists, even if they use encrypted messaging apps? If the terrorists planned so much of this out in the open, and they were known to intelligence agencies, why didn’t you catch them with the resources you already had?
Encryption is not an issue about which reporters should be “neutral”—it directly affects their wellbeing. Encryption is increasingly an important tool for journalists of all stripes
Tomi Engdahl says:
5G technology, cyber-threats under control
Research coordinated by VTT eurooppalaishanketta on cyber security, with 5G networks and systems will be developed of potential security and cyber threats in case. The results arising from the project are being taken in preparation 5G standards.
The new 5G Ensure project is a part of a big European Union’s Horizon 2020 5G PPP (European 5G Infrastructure Public Private Partnership) program, in which businesses and public bodies aiming at developing the future network infrastructure to the challenges of the 2020s.
5G networks will be critical infrastructure, on top of which for example. transport, industry, health and the new operators set up their business. For example, systems such as traffic remote control and remote surgery bring new security challenges.
Growing network virtualization functionality and programmability are both an opportunity and a threat to security. Legal information monitoring and related legislation will also affect security solutions 5G networks.
“5G infrastructure must be able to serve the billions of internet-connected objects of small appliances in addition to large consumers of information. It should be a seamless infrastructure that is responsible for all communication needs invisibly and reliably, ”
Source: http://www.uusiteknologia.fi/2015/12/03/5g-tekniikan-kyberuhat-kuriin/
Tomi Engdahl says:
Law & Disorder / Civilization & Discontents
Judge sets 71-month sentence for former Secret Service agent who plundered Silk Road
Feds remind Shaun Bridges of former agency’s motto: “Worthy of Trust and Confidence.”
http://arstechnica.com/tech-policy/2015/12/rogue-secret-service-agent-who-stole-from-silk-road-sentenced-to-nearly-6-years/
Former Secret Service agent Shaun Bridges was sentenced Monday to 71 months in prison after he stole money from Silk Road dealers while investigating the site.
“This, to me, is an extremely serious crime consisting of the betrayal of public trust from a public official. From what I can see, it was motivated by greed,” US District Judge Richard Seeborg told the court today. “No departure or variance is warranted in this case. I seldom find myself in the position of imposing a high-end sentence, but I find this is warranted in this case.”
“This was a federal law enforcement agent that was involved in a multi agency task force who decided to steal bitcoins that he later converted to cash, from the target of the investigation and later blamed on a cooperating witness.”
Tomi Engdahl says:
Frederic Lardinois / TechCrunch:
Google Turns On Safe Browsing In Chrome For Android
http://techcrunch.com/2015/12/07/google-turns-on-safe-browsing-in-chrome-for-android/
Google’s Safe Browsing technology is now enabled by default on Android to protect mobile Chrome users from accessing phishing sites and web pages that harbor malware.
deceptive_mob_interstitial (2)Until now, Safe Browsing was only available to desktop users, as well as for Chrome users on Android who turned on Google’s optional data compression service. Indeed, for those mobile users, Safe Browsing has already been enabled for almost two years.
So why did it take Google so long to enable this feature for all of its mobile users on Android? According to the company, it’s far harder to keep a long list of potentially harmful sites on a mobile device than on the desktop. With the data compression service, all your unencrypted web traffic is routed through Google’s servers, where Google can then easily check URLs against its blacklist. On mobile, it’s not that easy.
“Bytes are big: our mantra is that every single bit that Safe Browsing sends a mobile device must improve protection,” Google’s Safe Browsing team members Noé Lutz, Nathan Parker, and Stephan Somogyi said in today’s announcement. “Network bandwidth and battery are the scarcest resources on a mobile device, so we had to carefully rethink how to best protect mobile users. Some social engineering attacks only happen in certain parts of the world, so we only send information that protects devices in the geographic regions they’re in.”
If you’re a Chrome user on Android, chances are you already use Safe Browsing. Google enabled this with its latest Google Play Services update.
Tomi Engdahl says:
Biometric Bracelet Electrifies You to Unlock Your Tablet
http://hackaday.com/2015/12/08/biometric-bracelet-electrifies-you-to-unlock-your-tablet/
Researchers [Christian Holz] and [Marius Knaust] have come up with a cool new way to authenticate you to virtually any touchscreen device. This clever idea couples a biometric sensor and low-data-rate transmitter in a wearable wrist strap that talks to the touch screen by electrifying you.
Specifically the strap has electrodes that couple a 50V, 150kHz signal through your finger, to the touchscreen. The touchscreen picks up both your finger’s location through normal capacitive-sensing methods and the background signal that’s transmitted by the “watch”. This background signal is modulated on and off, transmitting your biometric data.
Biometric Touch Sensing: Seamlessly Augmenting Each Touch With Continuous Authentication
http://www.christianholz.net/biometric_touch_sensing.html
Current touch devices separate user authentication from regular interaction, for example by displaying modal login screens before device usage or prompting for in-app passwords, which interrupts the interaction flow. We propose biometric touch sensing, a new approach to representing touch events that enables commodity devices to seamlessly integrate authentication into interaction: From each touch, the touchscreen senses the 2D input coordinates and at the same time obtains biometric features that identify the user. Our approach makes authentication during interaction transparent to the user, yet ensures secure interaction at all times. To implement this on today’s devices, our watch prototype Bioamp senses the impedance profile of the user’s wrist and modulates a signal onto the user’s body through skin using a periodic electric signal. This signal affects the capacitive values touchscreens measure upon touch, allowing devices to identify users on each touch.
Tomi Engdahl says:
Gizmodo:
Leaked documents, corroborating interviews point to two likely Bitcoin creators: Australian Craig Wright, and deceased US computer forensics expert Dave Kleiman — This Australian Says He and His Dead Friend Invented Bitcoin — A monthlong Gizmodo investigation has uncovered compelling …
This Australian Says He and His Dead Friend Invented Bitcoin
http://gizmodo.com/this-australian-says-he-and-his-dead-friend-invented-bi-1746958692?trending_test_three_a&utm_expid=66866090-68.NesmD4FSTbKroxp5qEjtVQ.1&utm_referrer=http%3A%2F%2Fwww.techmeme.com%2F
A monthlong Gizmodo investigation has uncovered compelling and perplexing new evidence in the search for Satoshi Nakamoto, the pseudonymous creator of Bitcoin. According to a cache of documents provided to Gizmodo which were corroborated in interviews, Craig Steven Wright, an Australian businessman based in Sydney, and Dave Kleiman, an American computer forensics expert who died in 2013, were involved in the development of the digital currency.
Wired reported this afternoon that Wright and Kleiman were likely involved in creating Bitcoin. Gizmodo has been following a similar trail for weeks
http://www.wired.com/2015/12/bitcoins-creator-satoshi-nakamoto-is-probably-this-unknown-australian-genius/
Tomi Engdahl says:
Michael Mimoso / Threatpost:
Microsoft patches 71 flaws, two for Office and Windows kernel vulnerabilities currently under attack, warns of leaked Xbox Live certificate — Microsoft Patches 71 Flaws, Two Under Attack; Warns of Leaked XBox Live Cert — Forgive your local Windows admin if they’re a little shy on holiday cheer in the coming days.
http://www.threatpost.com/microsoft-patches-71-flaws-two-under-attack-warns-of-leaked-xbox-live-cert/115601/
Tomi Engdahl says:
Guardian:
Reported Bitcoin “founder” Craig Wright’s home raided by Australian Federal Police in relation to Australian Tax Office investigation
http://www.theguardian.com/technology/2015/dec/09/bitcoin-founder-craig-wrights-home-raided-by-australian-police
Tomi Engdahl says:
Wired:
Blog posts and unverified leaked documents suggest eccentric 44-year-old Australian entrepreneur Craig Steven Wright is Bitcoin creator Satoshi Nakamoto — Bitcoin’s Creator Satoshi Nakamoto Is Probably This Unknown Australian Genius — Even as his face towered 10 feet above the crowd …
http://www.wired.com/2015/12/bitcoins-creator-satoshi-nakamoto-is-probably-this-unknown-australian-genius/
Tomi Engdahl says:
Bitcoin’s Creator Satoshi Nakamoto Is Probably This Unknown Australian Genius
http://www.wired.com/2015/12/bitcoins-creator-satoshi-nakamoto-is-probably-this-unknown-australian-genius/
Either Wright invented bitcoin, or he’s a brilliant hoaxer who very badly wants us to believe he did.
Since that pseudonymous figure first released bitcoin’s code on January 9th, 2009, Nakamoto’s ingenious digital currency has grown from a nerd novelty to a kind of economic miracle. As it’s been adopted for everything from international money transfers to online narcotrafficking, the total value of all bitcoins has grown to nearly $5 billion. Nakamoto himself, whoever he is, appears to control a stash of bitcoins easily worth a nine-figure fortune (it rose to more than a billion at the cryptocurrency’s peak exchange rate in 2014). But the true identity of bitcoin’s creator remains a cipher.
Media outlets from the New Yorker to Fast Company to Newsweek have launched investigations into unmasking Nakamoto that were either inconclusive or, in Newsweek’s case, pointed to a man who subsequently denied having anything to do with cryptography, not to mention cryptocurrency.
In the last weeks, WIRED has obtained the strongest evidence yet of Satoshi Nakamoto’s true identity. The signs point to Craig Steven Wright, a man who never even made it onto any Nakamoto hunters’ public list of candidates, yet fits the cryptocurrency creator’s profile in nearly every detail. And despite a massive trove of evidence, we still can’t say with absolute certainty that the mystery is solved.
‘I did my best to try and hide the fact that I’ve been running bitcoin since 2009. By the end of this I think half the world is going to bloody know.’ Craig Steven Wright
Wright talks about taking a buyout from his job and investing in hundreds of computer processors to “get [his] idea going.”
Tulip Trust,” containing 1.1 million bitcoins
That million-coin trove—The Tulip Trust—is the same size as a mysterious bitcoin fortune that’s long been visible on bitcoin’s blockchain and widely attributed to Satoshi Nakamoto. No one but Nakamoto is known to have assembled such a massive hoard of the cryptocurrency, and only Nakamoto could have generated so many bitcoins so early in its evolution, when a bitcoin could be “mined” with relatively small amounts of processing power.
The giveaways go on: There’s a leaked email from Wright to an associate in January 2014 about a tax dispute with the Australian government.
After WIRED sent an encrypted email to Wright suggesting that we knew his secret, we received a perplexing message: ‘You seem to know a few things. More than you should.’
Wright’s blog, his public records, and his verified writings on mail lists and Twitter sketch a man who matches with Satoshi Nakamoto’s known characteristics well enough to place him leagues above other candidates.
Despite that overwhelming collection of clues, none of it fully proves that Wright is Nakamoto. All of it could be an elaborate hoax—perhaps orchestrated by Wright himself.
But this much is clear: If Wright is seeking to fake his Nakamoto connection, his hoax would be practically as ambitious as bitcoin itself. Some of the clues added to his blog were made more than 20 months ago
Tomi Engdahl says:
Davey Alba / Wired:
In select regions, the US Postal Service will soon email you scans of envelopes you receive in the mail — The US Postal Service Will Soon Email You Scans of Your Mail — The US Postal Service is rolling out a new service that emails you scans of the mail you’ll be getting in your mailbox each day.
The US Postal Service Will Soon Email You Scans of Your Mail
http://www.wired.com/2015/12/the-us-postal-service-will-now-email-you-scans-of-your-mail/
The US Postal Service is rolling out a new service that emails you scans of the mail you’ll be getting in your mailbox each day.
Postal Service Confirms Photographing All U.S. Mail
http://www.nytimes.com/2013/08/03/us/postal-service-confirms-photographing-all-us-mail.html?_r=0
The Postal Service on Friday confirmed that it takes a photograph of every letter and package mailed in the United States — about 160 billion pieces last year — and occasionally provides the photos to law enforcement agencies that request them as part of criminal cases.
The images are taken at more than 200 processing plants around the country and are used primarily to help the agency sort mail, the postmaster general, Patrick R. Donahoe, said in an interview with The Associated Press.
Tomi Engdahl says:
Glyn Moody / Ars Technica:
New EU cybersecurity rules say critical providers must ensure their infrastructure is robust and report major security incidents
New EU cybersecurity rules neutered by future backdoors, weakened crypto
Critical providers must ensure infrastructure is robust and report major incidents.
http://arstechnica.com/tech-policy/2015/12/new-eu-cybersecurity-rules-neutered-by-future-backdoors-and-weakened-crypto/
The European Union has drawn up a set of rules governing the security of the region’s digital infrastructure. Under the framework provisionally agreed last night by Members of the European Parliament (MEPs) and the Luxembourg Presidency of the EU Council of Ministers, transport, energy and other key companies will have to ensure that the digital infrastructure that they use to deliver essential services, such as traffic control or electricity grid management, is resilient enough to withstand online attacks. Similarly, major digital marketplaces like eBay or Amazon, search engines, and cloud services will be required to ensure that their infrastructure is secure, and to report major incidents. Smaller digital companies will be exempt from these requirements.
As a press release from the European Parliament explains: “MEPs put an end to current fragmentation of 28 cybersecurity systems by listing sectors—energy, transport, banking, financial market, health and water supply—in which critical service companies will have to ensure that they are robust enough to resist cyber-attacks. These companies must also be ready to report serious security breaches to public authorities.”
Member states will be required to identify “operators of essential services” from these key sectors, using various criteria such as whether the service is critical for society and the economy, whether it depends on network and information systems, and whether an incident could have significant disruptive effects on its provision, or public safety.
A network of Computer Security Incidents Response Teams will be set up by each member state to handle incidents, and to coordinate responses to them. In addition, there will be a new talking shop: “the draft rules sets up a strategic cooperation group to exchange information and best practices, draw up guidelines and assist member states in cybersecurity capacity building.”
Alongside a ridiculous name—for some reason best known to itself the EU insists on calling this stuff “cybersecurity,” a term that went out of fashion in the 1990s
MEPs close deal with Council on first ever EU rules on cybersecurity
http://www.europarl.europa.eu/news/en/news-room/content/20151207IPR06449/html/MEPs-close-deal-with-Council-on-first-ever-EU-rules-on-cybersecurity
Transport and energy companies will have to ensure that the digital infrastructure that they use to deliver essential services, such as traffic control or electricity grid management, is robust enough to withstand cyber-attacks, under new rules provisionally agreed by internal market MEPs and the Luxembourg Presidency of the EU Council of Ministers on Monday. Online marketplaces like eBay or Amazon, search engines and clouds will also be required to ensure that their infrastructure is secure.
“Today, a milestone has been achieved: we have agreed on first ever EU-wide cyber-security rules, which the Parliament has advocated for years”, said Parliament’s rapporteur Andreas Schwab (EPP, DE), after the deal was clinched.
“Parliament has pushed hard for a harmonised identification of critical operators in energy, transport, health or banking fields, which will have to fulfil security measures and notify significant cyber incidents. Member states will have to cooperate more on cybersecurity – which is even more important in light of the current security situation in Europe.”
“Moreover this directive marks the beginning of platform regulation.”
MEPs put an end to current fragmentation of 28 cybersecurity systems by listing sectors – energy, transport, banking, financial market, health and water supply – in which critical service companies will have to ensure that they are robust enough to resist cyber-attacks. These companies must also be ready to report serious security breaches to public authorities.
In addition, some internet services providers, such as online marketplaces (e.g. eBay, Amazon), search engines (e.g. Google) and clouds, will also have to ensure the safety of their infrastructure and to report on major incidents. Micro and small digital companies will get an exemption, the deal says.
In addition, a network of Computer Security Incidents Response Teams (CSIRTs), set up by each member state to handle incidents, will have to be established to discuss cross border security incidents and identify coordinated responses.
Tomi Engdahl says:
Online Lender Says It Gave Money to San Bernardino Shooter
http://fortune.com/2015/12/08/online-lender-says-it-gave-money-to-san-bernardino-shooter/
Online lender Prosper Marketplace on Tuesday confirmed that it facilitated a $28,500 loan to Syed Farook, just weeks before he and his wife Tashfeen Malik killed 14 people during an ISIS-inspired shooting spree in San Bernadino.
“All loans originated through the Prosper platform are subject to all identity verification and screening procedures required by law, including US anti-terrorism and anti-money laundering laws.”
used wav vehicles says:
I always spent my half an hour to read this blog’s articles or reviews daily along with a cup of coffee.
Tomi Engdahl says:
Sarah Jeong / Motherboard:
The “Satoshi” PGP keys reported to be linked to Craig Wright were likely backdated, pointing to a hoax
http://motherboard.vice.com/read/satoshis-pgp-keys-are-probably-backdated-and-point-to-a-hoax
On Tuesday, both Wired and Gizmodo dropped a big bombshell: According to “leaked” (Wired) or “hacked” (Gizmodo) documents, the real Satoshi Nakamoto is…. Craig Steven Wright.
Uh, who? one might ask. It’s a good question. Until now, Wright hasn’t pinged very many people’s radars as a potential Satoshi Nakamoto. On the other hand, Wright is indeed considered an expert on Bitcoin—in fact, he appeared on a panel with other possible-Satoshi Nick Szabo this year at the Bitcoin Investor Conference.
Both Wired and Gizmodo outline Wright’s qualifications and accomplishments in detail, aside from pointing to emails and other documents that seem to nail Wright as once-and-future Bitcoin king Satoshi Nakamoto.
A lot of this evidence isn’t authenticated, so there’s that. But there’s one really big problem with the case for Craig S. Wright as Satoshi: at least one of the key pieces of evidence appears to be fake. The “Satoshi” PGP keys associated with the Wired and Gizmodo stories were probably generated after 2009 and uploaded after 2011.
But the keys are important because they’re not just plain suspicious, there’s evidence of active, intentional deception with respect to the keys.
Two of the keys attributed to Satoshi were likely created using technology that wasn’t available on the dates that they were supposedly made
Tomi Engdahl says:
Patrick Howell O’Neill / The Daily Dot:
Senator Dianne Feinstein to seek legislation to “pierce” through encryption with warrant, working with Judiciary Committee Chairman Richard Burr, others
Top Democratic senator will seek legislation to ‘pierce’ through encryption
http://www.dailydot.com/politics/fbi-encryption-james-comey-tech-companies/
A leading Democratic senator will seek legislation requiring the ability to “pierce” through encryption. The potential bill would allow American law enforcement to read protected communications with a court order.
Sen. Dianne Feinstein (D-Calif.) told the Senate Judiciary Committee on Wednesday that she would seek a bill that would give police armed with a warrant based on probable cause the ability “to look into an encrypted Web.”
“I have concern about a PlayStation that my grandchildren might use,” she said, “and a predator getting on the other end, and talking to them, and it’s all encrypted. I think there really is reason to have the ability, with a court order, to be able to get into that.”
The Federal Bureau of Investigation is actively warning America’s biggest technology companies about the “public safety and national security risks” of encryption, according to FBI Director James Comey.
Deadly terrorist attacks in Paris, San Bernardino, California, and elsewhere around the world have reignited a major U.S. debate about encryption. Feinstein cited Paris as a reason the debate against encryption had evolved so quickly. Despite these concerns, the attackers in both of Paris and San Bernardino did not use encryption to organize or execute the deadly strikes, according to authorities.
Most Internet and gadget users encounter encryption without ever knowing it. The “HTTPS” connection that allows users to safely buy products on Amazon or access their bank account uses one category of encryption, while newer Apple iOS and Android devices apply strong encryption whenever a user locks her phone
“The tech companies and the FBI both care about safety on the Internet,” Comey told the Senate Judiciary committee in an FBI oversight hearing. “We understand that encryption is a very important part of being secure on the Internet. We also all care about public safety. We also see a collision course between those two things.”
Comey said that use of encryption by terrorists and criminals is growing. He offered one example.
Comey knew the shooter spoke to an overseas terrorist means that metadata revealed the extensive communications.
Metadata is data surrounding communications that includes phone numbers, times of calls, and identities of callers, or the subject lines of emails. It’s unencrypted and relatively easy for law enforcement to collect.
Over the last two years, Comey has been one of the most prominent figures in the American debate over encryption, increasingly known as the new “Crypto Wars.” He’s consistently warned of terrorist and criminal communications “going dark,” which he says is a “continuing focus for the FBI.”
“There’s no way we solve this entire problem,” Comey said. “Encryption is always going to be available to the sophisticated user. The problem is, post-Snowden, it’s moved to become default.”
Privacy advocates and technologists have long fought against the idea of a legally-mandated “backdoor” into encryption that would give the government the ability to read any encrypted message, with or without a court order.
Objections vary, including that doing so would violate and chill free speech.
The FBI director explained his hopes for the encryption debate by saying that “government doesn’t want a backdoor.”
Instead, Comey said, “if a judge issues an order, the company figures out how to supply that information to the judge and figures out on its own what would be the best way to do that. The government shouldn’t be telling people how to operate their systems.”
When Comey argued that “encryption is part of terrorist tradecraft now,” he received a lot of pushback from online observers.
Tomi Engdahl says:
Obama to clarify his stance on encryption by the holidays
http://www.dailydot.com/politics/white-house-encryption-policy-response-petition/
The Obama administration plans to clarify its stance on strong encryption before Washington shuts down for the holidays.
Administration officials met Thursday with the civil-society groups behind a petition urging the White House to back strong, end-to-end encryption over the objections of some law-enforcement and intelligence professionals.
A senior administration official confirmed that an encryption response was forthcoming but did not comment on the deadline. “The response we posted was an interim one,” the official said of the brief reply to the petition, “and we will have a more fulsome response soon.”
FBI Director James Comey, the staunchest advocate for making tech companies modify their products to facilitate investigations, has warned that criminals are “going dark” by encrypting their communications in indecipherable ways.
Security experts overwhelmingly oppose backdoors, which they say would create opportunities for criminals, not just cops, to breach secure systems.
President Obama has not taken a firm stance on backdoors. He told Re/code in February that “there’s no scenario in which we don’t want really strong encryption,” but he called on tech companies to work with the government to make investigations easier in an Oval Office address on Sunday. His administration continues to pressure tech companies to make such accommodations.
The White House considered a variety of backdoor policies but ultimately rejected them as unworkable.
The White House “seemed to very clearly understand the security implications of weakening encryption.”
The debate over whether businesses should weaken their encryption to help the government, known as the “crypto wars,” began in the 1990s and took on new life after the Paris terrorist attacks in November and the San Bernardino shooting in December. Some officials and lawmakers have blamed encryption and called for a policy response, although there is no evidence that the perpetrators of both attacks relied on encryption to evade detection.
Tomi Engdahl says:
Anonymous warns Donald Trump, attacks his website
http://www.dailydot.com/politics/anonymous-declares-war-donald-trump/
While Anonymous has focused much of its attention lately on the Islamic State after the Paris attacks, the hacktivist group now reportedly is keeping at least one eye on what Donald Trump is saying.
And since the frontrunner for the Republican presidential nomination has proposed banning all Muslims from entering the U.S., Anonymous has shown him its displeasure.
As reported by the International Business Times, the OpTrump hacking campaign began on Wednesday night, as Anonymous crashed Trump’s website, http://www.trumptowerny.com, by hitting it with a distributed denial-of-service (DDoS) attack.
Anonymous also released the following video in which a masked member of the group said, “The more Muslims feel sad, the more ISIS feels that they can recruit them. The more the United States appears to be targeting Muslims, not just radical Muslims, you can be sure that ISIS will be putting that on their social media campaign. Donald Trump, think twice before you speak anything. You have been warned.”
OpTrump: Anonymous declares war on Donald Trump with DDOS attack following Muslim ban speech
http://www.ibtimes.co.uk/optrump-anonymous-declares-war-donald-trump-ddos-attack-following-muslim-ban-speech-1532739
Hacktivist group Anonymous has continued to add to its list of targets, with controversial US presidential candidate Donald Trump the latest in the crosshairs. Following Trump’s radical speech stating he wanted to ban Muslims from entering the US, Twitter accounts linked to the group declared war.
Tomi Engdahl says:
TransUnion Buys Trustev In $44M Deal To Beef Up In E-Commerce Fraud Protection
http://techcrunch.com/2015/12/10/transunion-buys-trustev-in-44m-deal-to-beef-up-in-e-commerce-fraud-protection/
Fraud continues to be a huge issue for consumers and brands doing business online, and today one of the bigger companies managing credit reports and fraud and ID management is scaling up to expand its capabilities specifically in the area of e-commerce. TransUnion, a Chicago-based company that went public earlier this year, is acquiring Trustev, an e-commerce ID and fraud protection startup based out of Ireland, in a $44 million deal, $21 million up front and $23 million more contingent to meeting certain targets.
Trustev has integrated into TransUnion’s wider fraud management solutions business. Trustev — which made its debut on the Disrupt stage in 2013 — looks at transactions and the people making them in real time, using big data analytics to make sure that sales are being made by legit entities.
“As fraud grows in volume and sophistication, TransUnion continues to invest in building our global capabilities to help companies manage their risk,” said Jim Peck, TransUnion’s president and chief executive officer in a statement. “Holistic information is a powerful tool to help our customers approve good transactions and prevent fraud, and Trustev’s innovative capabilities are at the forefront of technology in this increasingly critical field.”
Tomi Engdahl says:
Steam tightens trading security amid 77,000 monthly account hijackings
Traded items will be “held” for days unless you have two-factor security.
http://arstechnica.com/gaming/2015/12/steam-tightens-trading-security-amid-77000-monthly-account-hijackings/
Account theft is a common and longstanding problem for all kinds of online gaming services
Valve says the problem is reaching epidemic proportions on Steam, with “around 77,000 accounts hijacked and pillaged each month.” Since the service launched item-trading features back in 2011, Valve says the problem of account theft “has increased twenty-fold as the number one complaint from our users… What used to be a handful of hackers is now a highly effective, organized network, in the business of stealing and selling items.”
It’s not hard to see why the problem is increasing. Items in games like Team Fortress 2 and Counter-Strike: GO can be worth a lot of real money on the secondary market, not to mention the inexplicably popular virtual trading cards floating around the Steam social network.
Now, Valve is taking additional steps to decrease the value of these hacks when they happen. By default, traded items will now be “held” by Valve for “up to three days”—hopefully enough time to give users a chance to discover that their account has been compromised (and to prevent quick item transfer/liquidation by the hackers). Users that have two-factor authentication enabled will be exempt from this restriction, since their accounts are theoretically safe from most hacking attempts. Trades between users that have been friends for a year or more will only be held for “up to one day” even without two-factor, since that implies a real relationship between the traders.
Tomi Engdahl says:
CNN:
Chinese Internet czar Lu Wei says no plans to stop blocking foreign websites, defends censorship calling it regulation
Bad luck Zuck: China says no plans to stop blocking foreign web sites
http://edition.cnn.com/2015/12/09/asia/china-internet-lu-wei-facebook/
Beijing (CNN)Facebook founder Mark Zuckerberg has been courting China assiduously — learning Mandarin, welcoming officials to Facebook’s offices and asking President Xi Jinping to choose a name for his then unborn child.
But, so far, there’s little sign his charm offensive is paying off.
Lu Wei, China’s Internet czar, says the country has no plans to stop blocking foreign websites, which includes popular social media sites such Facebook, Twitter and Instagram, as well as some news websites.
“I can’t change you, but I have the right to choose my friends,” Lu said at a rare news conference Wednesday.
“I indeed have to choose. We don’t welcome those who come to China to make money while smearing China.”
Tomi Engdahl says:
Kim Zetter / Wired:
Tor Project hires Shari Steele, who led the EFF for 15 years, as its new executive director
Tor Hires a New Leader to Help It Combat the War on Privacy
http://www.wired.com/2015/12/tor-hires-a-new-leader-to-help-it-combat-the-war-on-privacy/
The Tor Project is entering a crucial phase in its nearly 10-year existence. In the wake of the Edward Snowden leaks, it has assumed a higher profile in the world of privacy and security than ever before. But it’s also come under increased attack by governments out to demonize it, and by law enforcement and intelligence agencies out to crack it and unmask its anonymous users.
To lead it into this new phase, the organization announced today that it had hired Shari Steele as its new executive director, following a five-month search.
The Tor Project had been looking for someone to be the face and voice of the organization, to educate the public about privacy and encourage wider adoption of its tools, and could court donors to help sustain the organization and fund development of its tools.
Steele would seem to be the ideal fit, since she comes to Tor from the Electronic Frontier Foundation where, as executive director for 15 years, she helped grow the organization from a small team of lawyers to a world-class team of attorneys who have led or played a role in nearly every high-profile legal battle of the digital world
Tomi Engdahl says:
Harry Davies / Guardian:
Ted Cruz using UK behavioral targeting firm Cambridge Analytica, which harvests psychological profiles of millions of unwitting US Facebook users
Ted Cruz using firm that harvested data on millions of unwitting Facebook users
http://www.theguardian.com/us-news/2015/dec/11/senator-ted-cruz-president-campaign-facebook-user-data
Exclusive: Documents reveal donor-funded US startup embedded in Republican’s campaign paid UK university academics to collect psychological profiles on potential voters
Tomi Engdahl says:
Darren Samuelsohn / Politico:
Inside the NSA’s battle with the private sector to recruit coders, hackers, and engineers
Inside the NSA’s hunt for hackers
The government is losing ground in the effort to hire critical cyber talent—but our most secretive agency isn’t doing too badly.
Read more: http://www.politico.com/agenda/story/2015/12/federal-government-cyber-security-technology-worker-recruiting-000330#ixzz3u7jG4ZQe
Tomi Engdahl says:
If You’re Not Paranoid, You’re Crazy
http://www.theatlantic.com/magazine/archive/2015/11/if-youre-not-paranoid-youre-crazy/407833/
As government agencies and tech companies develop more and more intrusive means of watching and influencing people, how can we live free lives?
Tomi Engdahl says:
American cyber crims operate popup hack ‘n crack sites in plain sight
Yanks thumb noses at cops, use YouTube to sell RATs
http://www.theregister.co.uk/2015/12/14/trend_micro_glass_tank/
North American cyber criminals are so blatantly thumbing their noses at law enforcement that their forums have been nicknamed “glass tanks”.
The selling of malware, stolen credentials, and other crime services are so open they can be found using Google, Trend Micro researchers Kyle Wilhoit and Stephen Hilt say.
Moreover, the forums post advertisements across web sites and post YouTube videos in a bid to gain more users.
This stands in stark contrast to almost every other serious crime forum which attempts to hide from police and vet the criminal bent of registered users.
“In effect, the North American underground is more like a glass tank where business goes on in full view of both cyber criminals and law enforcement,” the researchers write in the paper North American Underground: The Glass Tank [PDF].
“Unlike other underground scenes, a lot of North American cybercrime operations don’t shy away from peddling its goods in the open.
“Underground sites have a short life span, and they can easily disappear within a short span of time, which makes tracking the illegal activities and the people behind them very tricky for law enforcement, who has to keep up with the cat-and-mouse game on every takedown operation.”
North American Underground
The Glass Tank
http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-north-american-underground.pdf
Tomi Engdahl says:
IoT Security Spartans wanted
http://www.edn.com/electronics-blogs/now-hear-this/4440964/IoT-Security-Spartans-wanted?_mc=NL_EDN_EDT_EDN_funfriday_20151204&cid=NL_EDN_EDT_EDN_funfriday_20151204&elq=6428a80e24a1434cb7c4b5ee3d129e00&elqCampaignId=26019&elqaid=29669&elqat=1&elqTrackId=1bc29108baf8431dac15c1eead550578
There’s a long-running joke in the IT community that white hat hacker Jay Radcliffe shared during his DoT (Designers of Things) keynote Wednesday morning:
The most secure computer is one that has been unplugged and destroyed.
Every joke has some truth to it. Security has been an issue since the days of the first electronic devices. Now, as we move into a world of ever-connected devices through IoT, security has become even more necessary.
Sponsor video, mouseover for sound
Radcliffe told the keynote audience about IoT-enabled Bluetooth toothbrushes that need security patches as an example of how quickly IoT has moved into our daily lives without proper security development, opening itself up to malicious hacking.
“This [IoT] is exceptionally scary. We are going too fast,” said Radcliffe. “Are we opening ourselves up to something we don’t know enough about? Are we doing enough to secure these devices?”
Tomi Engdahl says:
Why Layered Security Strategies Don’t Work – And What You Can Do About It
https://webinar.darkreading.com/1446?keycode=DRWE04
Every year, enterprises spend record levels of money on new IT security technology – yet major breaches and compromises are more prevalent than ever. The concept of “layered security” – in which enterprises support a wide variety of security technologies in order to discourage attackers – doesn’t seem to be working.
It’s time to rethink IT security – not just the technology, but the way enterprises approach it from a strategic, architectural perspective. There are ways for organizations to build a comprehensive set of defenses – a security architecture – that can not only discourage attackers, but actually prevent them from penetrating your IT environment.