Security trends for 2015

Year 2014 is coming to an end, so it is time to look forward to what to expect from 2015 in cyber security.

Cyber security will get harder year by year. Year 2014 was much worse than 2013. The Heartbleed, Bash, and POODLE vulnerabilities were just the beginning of what to expect in 2015. I expect that 2014 was easy compared to what 2015 will be. 2015 will prove to be a challenging year for IT security professionals. Attacks can happen anywhere and at any time, and they don’t have to be major attacks by nation states. They could come from inside or outside.

According to Gartner and SecurityWeek, total information security spending will grow a further 8.2 percent in 2015 to reach $76.9 billion. Unfortunately, security investments are not keeping up with IT enhancements that are continuously widening our attack surface and making systems more vulnerable. As computer software has become the backbone of modern civilization, “hacktivists”, organized cyber criminals, state-sponsored cyber attackers, and terrorist organizations try to exploit design flaws and weaknesses in applications in order to embarrass corporations and government agencies and to commit fraud.

Despite the high profile CryptoLocker takedown, ransomware scams remain an all-too-real threat. Crooks are developing more sophisticated encryption schemes to support their fraud.

The steady flow of software security issues will keep making headlines in 2015. Serious security flaws will be found in both open source and proprietary software.

There are many people looking for a good process for developing secure software, because after-the-fact band-aiding is not a sustainable approach. If the same methods continue to be used to develop software, with tests added retrospectively, there will only be a very modest reduction in the flow of problems. Processes for developing reliable and secure networking software exist but have yet to be broadly applied. Traditional software development methods continue to result in high failure rates. Why create insecure security?

Year 2014 was a year of cybersecurity after the NSA revelations made in 2013. There were lots of articles related to the material published. Not everything has been published yet, so I would expect new details from the NSA revelations to be published in 2015 as well. So I expect some new information leaks on how governmental security organizations spy on us all.

It seems like year 2014 has almost been “The Year of PoS Breaches.” Can We Learn from Big Breaches? At least companies will also face more stringent regulations: the new Payment Card Industry Data Security Standard 3.0 (PCI 3.0) will be mandatory for all businesses that store, process or transmit payment card information beginning 1 January 2015. The revamped standard includes requirements aimed at third party providers. The changes follow a string of high profile breaches. I expect that those new requirements will not result in any quick change to the situation. As breach reports keep coming constantly, consumers are officially starting to get breach fatigue, and banks are bringing breached companies to court to pay for the damages caused to them.

Public and private organizations are facing an increasing frequency and sophistication of cyber-attacks and security breaches – many of which are only discovered after the fact. McAfee Labs’ 2015 Threats Predictions report is an eye-opening read that forecasts increased levels of crime, espionage and warfare operations. Cybercriminals are expected to use more sophisticated methods to remain hidden on a victim’s network, carrying out long-term theft of data without detection.

The article Get Ready For The Hack Attack That Drives A Big Company Out Of Business predicts that 2015 will be the year some company goes out of business because it didn’t plan adequately for an attack. In the past, the most sophisticated hacks against companies were carried out by big nation-states or criminal organizations. In 2014 the Sony Pictures hack happened and showed that the motives of sophisticated hackers have changed from self-gain to destruction. Many company officers are only now becoming aware of the threat (boards of directors and C-level officers have traditionally been focused on other threats). A computerized attack can cause a lot of damage to a well prepared company, and can turn a not so well prepared company into a complete disaster from which it can’t recover. The Sony attack opens new doors of risk in the area of corporate extortion.

As the Internet of Things becomes more and more used, it will be hacked more. Thus the security of the Internet of Things will be talked about more and more. IoT is one field where cyber security flaws can kill. The European Police Office (Europol) said governments are ill-equipped to counter the menace of “injury and possible deaths” spurred by hacking attacks on critical safety equipment. There are many potential dangers in transportation: many new cars are Internet connected and potentially vulnerable, SCADA systems in railways are vulnerable to attack, and airline bosses ignore cyber security concerns at their peril. Whether it is an unintentional cyber incident or a deliberate attack, security continues to be a vital part of the automation industry and it will remain, with safety, a growing area of concern for manufacturers in the coming years. Security awareness is on the rise throughout the industry. Security is becoming a business enabler that can provide manufacturers more than just an insurance policy.

Soon almost every network will have IoT hacking in it. IDC predicts that two years from now 90 per cent of global IT networks will have experienced IoT data theft. In a report, cybersecurity firm Fortinet expects greater threats from “denial of service attacks on assembly line, factory, industrial control systems, and healthcare and building management…resulting in revenue losses and reputation damages for organizations globally.” This opens new doors of risk in the areas of corporate extortion, altering of corporate business operations, and the extension of cyberattacks to include physical threats of harm to civilians.

Cyber warfare is becoming more and more attractive to small nations and terrorist groups. Enabled by Internet connectivity, cyber war provides more bang for the buck than investment in conventional weapons. It is cheaper for, and far more accessible to, these small nation-states than conventional weapons. It allows these countries to pull off attacks without as much risk of getting caught and without the repercussions when they are caught. There are many reasons why a nation-state or non-nation entity would pursue a cyber war program, and today many countries large and small invest in cyber warfare. Recent cyber attacks suggest that fewer resources are required to wage an attack than to defend against one. As the whole world gets connected, it just provides the details that make these attacks possible. In the not-too-distant future, warfare with traditional weaponry may take a backseat to potentially more destructive tactics: computer code attacking the companies and infrastructures, including electric grids and oil and gas pipelines, that society relies on.

It was estimated that the first online murder would happen in 2014. It did not seem to happen in 2014, as far as I know. I think it is likely that an online murder can happen in 2015. The tools for this to happen are available. Cyber-murder can happen without us knowing about it.

Mobile devices will be one of the focal points for cyber-attackers in 2015, as they present relatively easy, low-risk points of entry that can be monitored remotely for passwords, account numbers, and personal identification data. Sure, it is still relatively easy to publish malicious applications in application stores. Within the next year advanced mobile exploit kits will become available.

Mobile devices will start to play a part in denial of service attacks. Vietnam, India and Indonesia will be the distributed denial of service volcanoes of next year due to the proliferation of pwned mobiles.

Year 2014 brought encryption to mainstream smartphones (new encryption features from Apple Inc. and Google Inc.). In 2015 government organizations will try to tackle a very modern problem: password-protected encrypted cellphones. It will be a fight over surveillance as everyone starts to implement encryption.

Long predicted but always seeming to be “just around the corner,” mobile payments may finally have arrived. The underlying technologies of the coming mobile payment revolution – and alternative solutions – have been emerging for some time. Technologies playing a supporting role in this shift include encryption advances, digital currencies, biometrics, NFC, Bluetooth, QR codes, and even the use of sound wave data transfer. There will also be products marketed to prevent the different kinds of potential threats the new technologies can cause.

There is a never-ending battle between good and evil in the cyber world. Various types of attacks are successful because they are well-disguised, blend different techniques, and constantly evolve. You need layered security – it’s not just for networks. Use a layered security architecture that supports a combination of defenses in ways attackers don’t expect and that continuously evolves protections to keep up with dynamic attacks. Traditionally these approaches have been focused on the network, but they can and should be applied to other parts of the IT system as well (start from email gateways). Email is the preferred channel for business communications and thus continues to be a vector of choice for attackers.

Threat information sharing will become necessary for survival. Security controls (SANS critical controls, ISO/IEC 27002, NIST Cybersecurity Framework, and the Cloud Controls Matrix) are safeguards that counteract or minimize security risks relating to digital property. The more you can automate a control, the better off you will be. Moving towards an adaptive and automated way of applying intelligence based on behavior and heuristics is clearly a step in the right direction, enabling a more actionable and relevant set of controls. Threat intelligence coming from a variety of sources (security companies, the government and the open source community) is needed. Key to success is publishing intelligence in standard data structures (STIX, TAXII and other industry formats) that describe threats in a way that can be aggregated and understood by others.
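As an added illustration of the aggregation point above (example code written for this post, not a real feed, a STIX library or anything from the standards named): two constructed feeds, a CSV blocklist and a JSON file using simplified STIX 2-style comparison patterns (the 2015-era STIX 1.x was XML; the pattern syntax here is the later style and only three pattern shapes are handled), are normalized into one indicator table that keeps the highest confidence and every source reporting each indicator, and then matched against constructed proxy log lines. Every host, address and log line is made-up sample data.

```python
"""Normalize indicators from two feeds in different formats into one table and
match them against proxy log lines.  Added example; the feeds, the simplified
STIX-style patterns and the log lines are all constructed, not real."""
import csv
import io
import json
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Indicator:
    kind: str    # "ipv4", "domain" or "url"
    value: str

# Constructed feed 1: CSV, in the style of a community blocklist.
FEED_CSV = """indicator,type,source,confidence
198.51.100.23,ipv4,community-blocklist,70
malware-cdn.example,domain,community-blocklist,85
"""

# Constructed feed 2: JSON using STIX-2-style comparison patterns (a simplification,
# not a complete STIX bundle; only the three pattern shapes below are handled).
FEED_JSON = json.dumps({"objects": [
    {"type": "indicator", "pattern": "[ipv4-addr:value = '203.0.113.9']", "confidence": 90},
    {"type": "indicator", "pattern": "[domain-name:value = 'malware-cdn.example']", "confidence": 60},
    {"type": "indicator", "pattern": "[url:value = 'http://bad.example/x']", "confidence": 50},
]})

# Constructed proxy log lines: timestamp client method target status
PROXY_LOGS = """2015-02-12T10:01:02Z 10.0.0.5 GET http://malware-cdn.example/update.bin 200
2015-02-12T10:01:05Z 10.0.0.7 GET http://intranet.corp/index.html 200
2015-02-12T10:02:11Z 10.0.0.9 CONNECT 203.0.113.9:443 200
"""

PATTERN_RE = re.compile(r"^\[(ipv4-addr|domain-name|url):value = '([^']+)'\]$")
STIX_KIND = {"ipv4-addr": "ipv4", "domain-name": "domain", "url": "url"}

def parse_csv_feed(text):
    """Yield (Indicator, source, confidence) from the CSV feed."""
    for row in csv.DictReader(io.StringIO(text)):
        yield Indicator(row["type"], row["indicator"].lower()), row["source"], int(row["confidence"])

def parse_stix_like_feed(text, source="stix-feed"):
    """Yield (Indicator, source, confidence) from the STIX-style JSON feed."""
    for obj in json.loads(text)["objects"]:
        m = PATTERN_RE.match(obj.get("pattern", ""))
        if obj.get("type") != "indicator" or not m:
            continue   # unsupported pattern shapes are skipped rather than guessed at
        yield Indicator(STIX_KIND[m.group(1)], m.group(2).lower()), source, int(obj.get("confidence", 0))

def aggregate(*feeds):
    """Merge feeds: Indicator -> (highest confidence seen, set of sources reporting it)."""
    table = {}
    for feed in feeds:
        for ind, source, conf in feed:
            best, sources = table.get(ind, (0, set()))
            table[ind] = (max(best, conf), sources | {source})
    return table

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")

def extract_observables(line):
    """Pull the URL (if any) and the host from one proxy log line as Indicators."""
    m = LOG_RE.match(line)
    if not m:
        return []
    target = m.group(4)
    observables = []
    if "://" in target:
        observables.append(Indicator("url", target.lower()))
        host = target.split("://", 1)[1].split("/", 1)[0]
    else:
        host = target
    host = host.split(":", 1)[0].lower()            # drop the port
    kind = "ipv4" if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host) else "domain"
    observables.append(Indicator(kind, host))
    return observables

def match_logs(log_text, table, min_confidence=0):
    """Return (client, matched value, confidence, sources) for each log line hit."""
    hits = []
    for line in log_text.splitlines():
        for obs in extract_observables(line):
            if obs in table and table[obs][0] >= min_confidence:
                conf, sources = table[obs]
                hits.append((line.split()[1], obs.value, conf, sorted(sources)))
    return hits

if __name__ == "__main__":
    intel = aggregate(parse_csv_feed(FEED_CSV), parse_stix_like_feed(FEED_JSON))
    for hit in match_logs(PROXY_LOGS, intel):
        print(hit)
```

The merged table is what makes the controls actionable: an indicator seen by two independent sources carries both names, a confidence threshold can be applied uniformly regardless of which feed the entry came from, and adding a third feed format means writing one more parser, not touching the matching logic.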

More and more organizations are moving applications and data to IaaS/PaaS environments. Many enterprise IT departments have reason for concern: industry experts agree that moving sensitive data into the hands of third-party cloud providers expands and complicates the risk landscape in which companies operate every day. You need to understand cloud database security basics and more.

Today major players are embracing end-to-end encryption, so that about 50% of web traffic is carried by HTTPS. HTTPS everywhere will get a boost in 2015 as a new certificate authority – backed by big names on the internet including Mozilla, Cisco and Akamai – plans to offer SSL certificates at no charge starting in summer 2015. This move will make it even easier for people to run encrypted, secure HTTPS websites.

Google is proposing to warn people that their data is at risk every time they visit websites that do not use HTTPS. If implemented, the change would mean that a warning would pop up when people visited a site that used only HTTP, to notify them that such a connection “provides no data security”. In the short term, the biggest headache is likely to be faced by website operators, who will feel forced to migrate unencrypted HTTP websites to encrypted HTTPS.

You can’t trust that normal web security technologies will guarantee safety. Your HTTPS security will be manipulated more than before. End-to-end HTTPS is generally a good security addition for end users, but it does not solve all the problems. The increased use of HTTPS has made the life of IT departments harder, because normal firewalls can’t look at what is inside encrypted HTTPS packets, so they can’t block potential security threats that are carried within HTTPS packets. There are some special corporate firewall arrangements that can intercept HTTPS traffic (they perform a kind of man-in-the-middle attack that decrypts and re-encrypts the packets on the way). So SSL communications can be intercepted and broken.
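As an added example (not from the original post) of what a gateway can and cannot see in HTTPS without the decrypt-and-re-encrypt arrangement described above: the TLS ClientHello is sent in the clear, so a firewall can read the requested host name (the server_name extension, SNI) and the offered cipher suites, while the HTTP request inside the session stays encrypted. The parser below reads those two fields with bounds checks and raises ValueError on truncated or non-ClientHello input. The ClientHello bytes are constructed by build_client_hello for the demonstration rather than captured from a real client, and the host names used are placeholders.

```python
"""Inspect a TLS ClientHello without decrypting anything.
Added example: shows the metadata (SNI, offered cipher suites) a gateway can
see in HTTPS traffic without interception.  The ClientHello bytes are
constructed here, not captured."""
import struct

def _rd(buf, off, n):
    """Return buf[off:off+n], raising ValueError if the buffer is too short."""
    if off + n > len(buf):
        raise ValueError("truncated ClientHello")
    return buf[off:off + n]

def build_client_hello(server_name=None, cipher_suites=(0xC02F, 0x002F)):
    """Construct a minimal TLS 1.2 ClientHello record (test input only)."""
    body = b"\x03\x03" + bytes(32)                      # client_version + random (zeros here)
    body += b"\x00"                                     # empty session_id
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                                 # one compression method: null
    exts = b""
    if server_name is not None:
        name = server_name.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
        sni = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", 0x0000, len(sni)) + sni      # extension type 0 = server_name
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # handshake type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record type 22

def inspect_client_hello(data):
    """Return {'server_name': str or None, 'cipher_suites': [int, ...]} from a ClientHello record."""
    if _rd(data, 0, 1) != b"\x16":
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", _rd(data, 3, 2))[0]
    rec = _rd(data, 5, rec_len)
    if _rd(rec, 0, 1) != b"\x01":
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(_rd(rec, 1, 3), "big")
    hello = _rd(rec, 4, hs_len)
    off = 2 + 32                                          # skip client_version and random
    sid_len = _rd(hello, off, 1)[0]
    off += 1 + sid_len
    cs_len = struct.unpack("!H", _rd(hello, off, 2))[0]
    off += 2
    cs_bytes = _rd(hello, off, cs_len)
    off += cs_len
    suites = [struct.unpack("!H", cs_bytes[i:i + 2])[0] for i in range(0, cs_len - cs_len % 2, 2)]
    cm_len = _rd(hello, off, 1)[0]
    off += 1 + cm_len
    result = {"server_name": None, "cipher_suites": suites}
    if off == len(hello):
        return result                                     # no extensions block at all (older clients)
    ext_len = struct.unpack("!H", _rd(hello, off, 2))[0]
    exts = _rd(hello, off + 2, ext_len)
    p = 0
    while p + 4 <= len(exts):
        etype, elen = struct.unpack("!HH", exts[p:p + 4])
        p += 4
        edata = _rd(exts, p, elen)
        p += elen
        if etype == 0x0000:                               # server_name extension
            list_len = struct.unpack("!H", _rd(edata, 0, 2))[0]
            q = 2
            while q + 3 <= 2 + list_len:
                ntype = edata[q]
                nlen = struct.unpack("!H", _rd(edata, q + 1, 2))[0]
                name = _rd(edata, q + 3, nlen)
                q += 3 + nlen
                if ntype == 0:
                    result["server_name"] = name.decode("idna")
    return result

if __name__ == "__main__":
    record = build_client_hello("mail.example.com")
    print(inspect_client_hello(record))
```

Host-level policy (allow, block, log) can therefore be applied from the SNI alone, which is the usual compromise where a site does not want the certificate-rewriting interception; what such a filter cannot do is inspect the request paths or payloads, which is exactly the gap the paragraph above describes.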


3,110 Comments

  1. Tomi Engdahl says:

    Anyone could destroy the image or page – Facebook found a serious bug

    Anyone was able to remove anyone’s Facebook photo albums. It was not a feature but a fault that a security researcher operating from India discovered.

    Folders and groups could successfully be removed without authentication. Laxman Muthiyah, who found the security hole, reported his success in his blog.

    Source: http://www.tivi.fi/Kaikki_uutiset/2015-02-12/Kuka-tahansa-pystyi-tuhoamaan-kuvasi-tai-sivusi—Facebookista-l%C3%B6ytyi-vakava-vika-3215695.html

    How I Hacked Your Facebook Photos
    http://www.7xter.com/2015/02/how-i-hacked-your-facebook-photos.html

    What if your photos get deleted without your knowledge?
    Obviously that’s very disgusting, isn’t it? Yup, this post is about a vulnerability found by me which allows a malicious user to delete any photo album on Facebook. Any photo album owned by a user, a page or a group could be deleted.

    The Graph API is the primary way for developers to read and write user data. All Facebook apps now use the Graph API. In general the Graph API requires an access token to read or write user data.

    According to Facebook developers documentation, photo albums cannot be deleted using the album node in Graph API.

    I decided to try it with the Facebook for Mobile access token because we can see a delete option for all photo albums.
    OMG :D the album got deleted!

  2. Tomi Engdahl says:

    Fearing an FBI raid, researcher publishes 10 million passwords/usernames
    Move could advance password research—and test prosecutors’ tolerance for leaks.
    http://arstechnica.com/security/2015/02/fearing-an-fbi-raid-researcher-publishes-10-million-passwordsusernames/

    A security consultant has published 10 million passwords along with their corresponding usernames in a move he characterized as both necessary and legally risky given a legal landscape he said increasingly threatens the free flow of hacking-related information.

    Most of the existing corpus of passwords exposed in hack attacks is stripped of usernames, preventing researchers from studying the possible relationship between the two fields. Mark Burnett, a well-known security consultant who has developed a specialty collecting and researching passwords leaked online, said his sole motivation for releasing the data was to advance what’s already known about the way people choose passcodes. At the same time, he said he was worried the list might land him in legal hot water given the recent five-year sentence handed to former Anonymous activist and writer Barrett Brown, in part based on links to hacked authentication data he posted in Internet chat channels.

    Ten Million Passwords FAQ
    https://xato.net/passwords/ten-million-passwords-faq/#.VNzxBCzPK1c

    Where are the passwords from?

    These are old passwords that have already been released to the public; none of these passwords are new leaks. They all are or were at one time completely available to anyone in an uncracked format. I have not included passwords that required cracking, payment, exclusive forum access, or anything else not available to the general public. You should still be able to find a large number of these passwords via a Google search.

    The passwords were compiled by taking samples from thousands of password dumps, mostly from the last five years although it also includes much older data. I wanted to mix data from multiple sources to normalize inconsistencies and skewed data due to the type of web site, its users, and its security policies.

    Why did you release this data?

    The primary purpose is to get good, clean, and consistent data out in the world so others can find new ways to explore and gain knowledge from it. The data isn’t perfect and there are a few anomalies, but it should provide good insight into user password selection.

    What if my password is not on the list?

    It doesn’t mean you are safe. This is a tiny sample of the hundreds of millions of accounts that have been publicly dumped and doesn’t even include the hundreds of millions more that have never been made public.

    How can I monitor my accounts to know if they have been leaked?

    I would suggest the following:

    Create a Google alert for your email address, username, and domain if you have one.
    Create a Pastebin account and set alerts for your email address, username, and domain if you have one.
    Sign up for account monitoring at haveibeenpwned.com, pwnedlist.com, breachalarm.com, canary.pw, or a similar site (feel free to add similar sites in the comments if you know of others).

  3. Tomi Engdahl says:

    Check if you were exposed in the 10 million password dump
    http://www.geek.com/apps/check-if-you-were-exposed-in-the-10-million-password-dump-1615627/

    Search for username/password matches in Mark Burnett’s publication of 10 Million accounts
    https://rehmann.co/projects/10mil/

  4. Tomi Engdahl says:

    Malware targets manufacturers
    http://www.controleng.com/single-article/malware-targets-manufacturers/5275d2fcf4c3265dcbc35dc9cb0c6682.html

    Manufacturing is one of the sectors targeted by a new malware variant that is not only able to steal passwords and other sensitive information, but is also capable of infecting files, researchers said.

    Ursnif is the malware used by bad guys to steal passwords and other sensitive information from infected devices, but its variant detected as PE_URSNIF.A-O, is also capable of infecting files, said researchers at Trend Micro.

    The United States and the United Kingdom account for 39.35% and 35.51%, respectively, of infections. Researchers also found the malware on computers in Canada (19%) and Turkey (1.92%). Education, financial, and manufacturing are among the sectors impacted by the threat, which ends up distributed via spam messages and Trojan downloaders.

    The Ursnif variant analyzed by Trend Micro infects .PDF, .MSI and .EXE files found on removable and network drives. Unlike other similar pieces of malware, which insert malicious code into host files, PE_URSNIF.A-O embeds the host file into its resource section. When one of the infected files ends up executed by the victim, the malware drops the original file and opens it in an effort to avoid raising any suspicion.

    Another anti-detection technique leveraged by Ursnif involves sleeping for 30 minutes before starting the infection routine. This helps the threat evade sandboxes, which usually monitor suspicious files for only up to five minutes to see how they behave.

    “The fact that a family known for spyware now includes file infectors shows that cybercriminals are not above tweaking established malware to expand its routines”

  5. Tomi Engdahl says:

    Keurig’s attempt to ‘DRM’ its coffee cups totally backfired
    A system designed to lock out third-party competitors just enraged consumers
    http://www.theverge.com/2015/2/5/7986327/keurigs-attempt-to-drm-its-coffee-cups-totally-backfired

    You know Keurig’s machines. The company’s squat black coffee brewers have become fixtures in offices, hotels, and homes around the country.

    Keurig transformed its parent company, Green Mountain Coffee, from a small regional brewer to a major corporation doing over $4 billion in sales each year.

    Late last year, Keurig announced a new machine, the 2.0, calling it the “future of brewing” and touting its ability to make both small cups and large carafes. But another, less-publicized feature has been getting most of the attention: the brewer’s advanced scanning system that locks out any coffee pods not bearing a special mark. It’s essentially a digital rights management system, but for coffee, and it’s proving to be the brewer’s downfall.

    On an earnings call Wednesday the company announced that brewer sales fell 12 percent last quarter, the first full quarter for which the 2.0 was on sale.

    “confusion among consumers as to whether the 2.0 would still brew all of their favorite brands.”
    wrath of people who bought 2.0 machines only to find that their old cups don’t work.

    The funniest thing about the backlash is that it was entirely predictable. Consumers hate DRM — in music, in movies, in anything — but applying it to coffee feels especially galling. It’s the most open caffeinated beverage there is; all you need is beans and hot water and, I guess, a vessel to brew it in. Locking it up in plastic cups was already a little silly, though something lots of people were happy to buy for the sake of convenience. Building a complicated infrared scanning system so that you can only use Keurig-approved cups was a step too far.

    “I hate that they are dictating which coffee I’m using in my machine.”
    It was designed to lock out cups made by third parties, but obviously it also locked out old Keurig ones

    At a corporate level, Keurig’s attempt to make a DRM system for its coffee is understandable. The company’s business model depends on selling its brewers cheap and making money selling pods, a model reminiscent of printer manufacturers and their marked-up ink cartridges.

    selling compatible cups for cheaper and quickly eating into Keurig’s market share.

    You shouldn’t have to hack your coffee, and that’s especially true for a company whose entire success is based on being super easy and convenient.

  6. Tomi Engdahl says:

    Jordan Kahn / 9to5Google:
    Visa launches Mobile Location Confirmation to its banking partners, a service that tracks smartphones to help prevent credit card fraud for travelers

    Visa hopes to track smartphone locations to prevent credit card fraud for travellers
    http://9to5google.com/2015/02/12/visa-hopes-to-track-smartphone-locations-to-prevent-credit-card-fraud-for-travellers/

    Currently most of us have to inform our bank by phone when we’re travelling to avoid purchases in other countries appearing as red flags for fraud and being declined. That could soon change as Visa looks to track smartphones with a service called Mobile Location Confirmation in order to help their security systems become smarter and reduce declined purchases by as much as 30%.

    “The service uses mobile geo-location data in real time as an additional input into Visa’s predictive fraud analytics. Finsphere Corporation, a leader in the use of mobile data and geo-spatial analysis, provides Visa an analysis of the account holder’s device location data, which is then matched with the transaction location in less than a millisecond, right at the point of sale.”

    The service will be an optional one that your bank will have to implement and ask you to opt in to through their own mobile app.

    Visa said “when a cardholder’s mobile device is in the same location as the payment transaction, the issuing financial institution can more confidently approve the transaction.”

  7. Tomi Engdahl says:

    New tracking device could help children with autism
    http://news.microsoft.com/features/new-tracking-device-could-help-children-with-autism/

    Last year, when his friend went missing, Vinny Pasceri was struck by how helpless he felt. All he could do was tweet and post about the search for his friend, a fellow Microsoft employee believed to have vanished from a popular hiking spot north of Seattle.

    The prototype, called Lighthouse, has since become a much hailed idea, winning a first place award in last year’s Global Startup Battle.

    “Our purpose is to keep children safe in school,” says Pasceri, a Microsoft program manager, of the Lighthouse team. “We think there are three key questions: Where are they? Are they with the right people? And do they need help?”

    Tracking devices for kids with autism and other developmental disorders have gained traction in recent months

    About half of autistic children are prone to wandering

    “At the (National Autism Association), we often hear from parents who have a child who cannot sleep, forcing caregivers to barricade doors and take shifts staying awake,”

    Unlike GPS trackers, which pinpoint location, Lighthouse tracks proximity to a caregiver through Bluetooth Low Energy.

    With Lighthouse, a student wears a beacon in a wristband or other small device. It’s linked to an app on the phone of every teacher and specialist on the student’s schedule. The app registers when the student is within range of each caregiver. It sends a missing-kid alert if the student is out of range.

    “The thing we were going after is reducing the time for someone to know that a kid is missing,” Pasceri says.

  8. Tomi Engdahl says:

    Martin Brinkmann / gHacks Technology News:
    Virustotal’s Trusted Source project attempts to limit false positives
    http://www.ghacks.net/2015/02/11/virustotals-trusted-source-project-attempts-to-limit-false-positives/

    Whenever I discover a new program I scan it first on the Virustotal website before running it on a local test system.

    This initial virus check helps me determine whether an application is (likely) legitimate or not. It happens that one or some of the antivirus engines used by the service to scan files may return hits.

    These hits are often false positives, especially if lesser known antivirus engines report them. There is still a level of uncertainty about those files.

    False positives can have severe consequences. Think of a local antivirus solution that identifies core operating system files as a virus. It happened in the past that entire systems became unusable after false positives were detected by security software.

    The general idea behind the project is to whitelist files maintained by major software companies such as Microsoft.

    If one of the antivirus engines used during the scan reports a verified file as malicious, its parent company is informed about the fact in hopes that the issue is corrected shortly thereafter.

  9. Tomi Engdahl says:

    A first shot at false positives
    http://blog.virustotal.com/2015/02/a-first-shot-at-false-positives.html

    These mistaken detections, commonly known as false positives, have all sorts of undesired effects:

    Software developers may face strong business impact as a large portion of their users see their programs rendered unusable.
    Support teams for the affected programs may be suddenly overwhelmed by user emails claiming that the given software is not working correctly.
    End-users may be unable to interact with important software and see themselves unable to finish critical tasks.
    Antivirus vendors’ reputation may be severely hindered.

    It is, thus, obvious that false positives are a headache both for the antivirus industry and software developers. Solving them can be a very challenging problem. Why? Nowadays antivirus vendors are increasingly required to become more proactive; this includes developing generic signatures and heuristic flags, which very often leads to mistaken detections in an effort to have a more secure user base.

    VirusTotal is a free service that analyzes suspicious files and URLs and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware.
    https://www.virustotal.com/

  10. Tomi Engdahl says:

    Cost of Anthem’s data breach likely to exceed $100 million
    http://www.cnet.com/news/cost-of-anthems-data-breach-likely-to-exceed-100-million/

    The US health-insurance provider’s own cyberinsurance policy is likely to be exhausted following the theft of up to 80 million records.

    The financial consequences of Anthem’s massive data breach could reach beyond the $100 million mark, according to reports.

    The US health-insurance provider’s own cyberinsurance policy covers losses of up to $100 million. However, when a company has up to 80 million current customers, former customers, employees and investors to notify, this amount may not be enough.

    According to Anthem CEO Joseph Swedish, the data stolen included client names, dates of birth, physical and email addresses, medical IDs and Social Security numbers. However, the company has said, there is no current evidence to suggest financial information or medical data — such as test results — were taken.

    According to industry news site Insurance Insider’s sources, Anthem’s cyberinsurance policy — written by AIG, Lexington, Safehold and Zurich, among others — could be exhausted due to the “costs of notifying the affected customers.” Anthem plans to notify every individual affected by the cyberattack and has also provided a hotline for those with questions.

    Swedish has called the data breach a “very sophisticated external cyberattack.”

  11. Tomi Engdahl says:

    Anthem hack raises fears about medical data
    http://www.latimes.com/business/la-fi-anthem-hack-fallout-20150206-story.html#page=1

    Insurance giant Anthem Inc. suffered a massive data breach exposing the personal information of up to 80 million Americans — and it could have been even worse for consumers.

    The intrusion is raising fresh questions about the ability of giant health insurers and other medical providers to safeguard the vast troves of electronic medical records and claims data they are stockpiling.

    The federal government had put Anthem on notice in 2013 about its computer vulnerabilities, and last year the FBI warned healthcare companies about the growing threat of cyberattack on the industry.

    The hackers broke into one of Anthem’s databases sometime around early January

    Two days later, an internal investigation verified that the company was a victim of a cyberattack, the company said, and federal authorities were alerted.

    Anthem said it has doubled its spending on cybersecurity in the past four years and it has 200 employees dedicated to monitoring and safeguarding its networks.

    Consumer advocates said the issue of whether Anthem was largely at fault or the victim of a clever attack misses the point that no healthcare database is safe.

    “This thirst for more and more data from the medical industry inevitably places consumers’ health information at risk,” said Carmen Balber, executive director of Consumer Watchdog, a Santa Monica advocacy group. “It’s not fair to consumers for these companies to create one-stop shopping for data thieves.”

    This was not the first such slip-up by Anthem.

    “Healthcare companies like Anthem have got to invest far more effort and resources in data security to regain public trust,” said Gerald Kominski, director of the UCLA Center for Health Policy Research.

  12. Tomi Engdahl says:

    Phishers Pounce on Anthem Breach
    http://krebsonsecurity.com/2015/02/phishers-pounce-on-anthem-breach/

    Phishers and phone fraudsters are capitalizing on public concern over a massive data breach announced this week at health insurance provider Anthem in a bid to steal financial and personal data from consumers.

    The flood of phishing scams was unleashed just hours after Anthem announced publicly that a “very sophisticated cyberattack” on its systems had compromised the Social Security information and other personal details on some 80 million Americans.

    According to Anthem, fraudsters also are busy perpetrating similar scams by cold-calling people via telephone.

    It is likely that these phishing and phone scams are random and opportunistic, but there is always the possibility that the data stolen from Anthem has fallen into the hands of scam artists.

    The company says it will begin sending notifications to affected consumers via snail mail in the coming weeks.

  13. Tomi Engdahl says:

    Technology
    Amsterdam Police Respond To Death Threat Created By A Twitter Bot
    Who’s responsible when a robot says something hostile?
    http://www.popsci.com/amsterdam-police-respond-bot-created-twitter-threat

    It’s always a good idea to be careful about what you say online, and it seems that notion goes for your robot creations, too. Dutch developer Jeffrey van der Goot received a visit from the police after one of his Twitter accounts appeared to contain a death threat involving an event in Van der Goot’s hometown of Amsterdam. The Law & Order twist that you didn’t see coming? The post was actually from Van der Goot’s automated posting bot.

    The bot in question, which Van der Goot has subsequently shut down, took portions of his previous tweets and tried to combine them into sentences that seem to make sense.

    Regardless, Van der Goot says that he was told by the police that he was ultimately responsible for said threat, because the bot was posting under his name and using some combinations of his words.

    That seems like one of those claims that might be tough to actually arrest someone for–at least under my limited knowledge of U.S. law. It also seems like an unfortunate potential defense for people posting actual death threats online: “Oh, it wasn’t me; it was a robot.”

    That said, it’s hard to fault the police for taking the threat seriously. In fact, there are plenty of cases in which law enforcement should have taken online death threats more seriously.

  14. Tomi Engdahl says:

    A Crypto Trick That Makes Software Nearly Impossible to Reverse-Engineer
    http://www.wired.com/2015/02/crypto-trick-makes-software-nearly-impossible-reverse-engineer/

    Software reverse engineering, the art of pulling programs apart to figure out how they work, is what makes it possible for sophisticated hackers to scour code for exploitable bugs. It’s also what allows those same hackers’ dangerous malware to be deconstructed and neutered. Now a new encryption trick could make both those tasks much, much harder.

  15. Tomi Engdahl says:

    Hundreds of South Carolina Inmates Sent to Solitary Confinement Over Facebook
    https://www.eff.org/deeplinks/2015/02/hundreds-south-carolina-inmates-sent-solitary-confinement-over-facebook

    In the South Carolina prison system, accessing Facebook is an offense on par with murder, rape, rioting, escape and hostage-taking.

    Back in 2012, the South Carolina Department of Corrections (SCDC) made “Creating and/or Assisting With A Social Networking Site” a Level 1 offense [PDF], a category reserved for the most violent violations of prison conduct policies.

    Prison systems have a legitimate interest in keeping contraband devices out of their facilities and preventing inmates from engaging in illegal activities through the Internet. But South Carolina’s policy goes too far, and not only because of the shockingly disproportionate punishments. The policy is also incredibly broad; it can be applied to any reason an inmate may ask someone outside to access the Internet for them.

  16. Tomi Engdahl says:

    Antivirus tools miss almost 70 percent of malware within the first hour
    http://betanews.com/2015/02/12/antivirus-tools-miss-almost-70-percent-of-malware-within-the-first-hour/

    Threat protection company Damballa has released its latest State of Infections report for the fourth quarter of 2014 which highlights the limitations of a prevention-focused approach to security.

    The report finds that within the first hour of submission, AV products missed nearly 70 percent of malware. Further, when rescanned to identify malware signatures, only 66 percent were identified after 24 hours, and after seven days the total was 72 percent. It took more than six months for AV products to create signatures for 100 percent of new malicious files.

    This has an impact on containment and raises the risk that at any time there may be live infections on a network. The report also highlights the importance of automating manual processes and decreasing the noise from false positives to make the most of skilled security manpower, rather than trawling through uncorroborated alerts to find the true infections.

    In order to reduce manual efforts, Damballa advises that security teams must have automatic detection of actual infections able to reach a statistical threshold of confidence in a true positive infection. They also need integration between detection and response systems, and policies that enable automated response based on a degree of confidence.

    Damballa State of Infections Report Q4 2014
    https://www.damballa.com/state-infections-report-q4-2014/

    With only 4% of the almost 17,000 weekly malware alerts getting investigated, the traditional approach to preventing malware attacks needs a makeover.

    With limited financial and human resources to apply to security, no company can afford to dedicate the majority of its budget to failing security controls. While prevention-based defenses will continue to be important, companies need to put greater emphasis on detection and response.

  17. Tomi Engdahl says:

    Uber: Sorry we’re really awesome and all that (oh yeah, and for leaking your personal info)
    Lost-and-found list found lost on the internet
    http://www.theregister.co.uk/2015/02/13/uber_privacy_flap/

    Taxi cab app maker Uber left its list of customers’ lost belongings wide open to the internet – exposing phone numbers and other personal info in the process.

    The privacy snafu, revealed and corrected this week, marks the latest controversy for the San Francisco-headquartered upstart.

    Vice reports the internal Uber document was accessible to all on the web for about five hours on Monday before it was yanked offline.

    Uber Apparently Left Part of Its Lost and Found Database Public
    http://motherboard.vice.com/read/uber-apparently-left-part-of-its-lost-and-found-database-public

    The records detail 155 items filed in the system between early December and today.

    It’s not a minor thing: Customer and driver names, along with some customer phone numbers, and internal identification numbers are on the site, as are specific route and ride identification information. Specific route information is hidden behind a password-protected site, but still, not a good look.

    “They have these databases for a noble purpose, which is to get people’s stuff back, so I want to give them more leeway for that. That said, I can’t think of a reason why it would need to be publicly available,”

    So, what are we leaving in our Ubers? Lots and lots of cell phones, of course. Keys, sunglasses, headphones, and credit cards, but also

    About two hours after this story was first posted, Uber removed the page.

    “Uber’s Lost Items feature has helped thousands of riders reconnect with belongings left behind after a trip,” an Uber spokesperson told me.

    “The drivers often contact us to let us know when they’ve found items in the car in hopes that we can get them back in your hands quickly,” the company said.

  18. Tomi Engdahl says:

    Facebook bug could have ERASED the ENTIRE WORLD
    ALL pictures, anyway. Record bounty coughed
    http://www.theregister.co.uk/2015/02/13/facebook_bug_could_have_deleted_every_single_photo/

    Software engineer Laxman Muthiyah has reported a dangerous vulnerability capable of deleting any photo from Facebook, prompting The Social Network™ to patch the hole within two hours and issue one of its biggest bug-spotting cheques ever.

    The flaw potentially allowed mass deletion of photos using the identification number of a target album and an attacker’s Facebook Android app token. Any scripts to pull off this trick could be stopped by security controls like rate limiters.

    “Any photo album owned by an user, a page, or a group could be deleted,” Muthiyah said.

    “I [gained] the key to delete all of your Facebook photos.”

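The bug described above is the classic missing object-level authorization check: the API verified that the caller held a valid token but never verified that the token's user owned the album named in the request. The example below is an added illustration, not Facebook's code or Muthiyah's proof of concept. It uses a constructed in-memory token map and album store (the names `TOKENS`, `ALBUMS`, `tok-alice`, `tok-mallory` and the album IDs are all made up), shows the vulnerable handler beside the fixed one, and adds the per-token rate limiter the article mentions as the control that would at least slow down a script enumerating album IDs.

```python
import copy
import time
from collections import deque

# Constructed sample state for the demonstration; not Facebook data or code.
TOKENS = {"tok-alice": "alice", "tok-mallory": "mallory"}   # app token -> user
ALBUMS = {
    101: {"owner": "alice", "photos": ["a1", "a2", "a3"]},
    102: {"owner": "mallory", "photos": ["m1"]},
}

def fresh_albums():
    return copy.deepcopy(ALBUMS)

class Unauthorized(Exception):
    """No valid token: the caller is not even authenticated."""

class Forbidden(Exception):
    """Valid token, but it grants no rights over the requested object."""

def user_for(token):
    if token not in TOKENS:
        raise Unauthorized("unknown token")
    return TOKENS[token]

def delete_album_vulnerable(albums, token, album_id):
    """Authenticates the token, then trusts album_id straight from the request.
    Any authenticated caller can delete any album whose ID they can guess."""
    user_for(token)
    return albums.pop(album_id, None) is not None

def delete_album_fixed(albums, token, album_id):
    """Object-level authorization: the album must belong to the token's user."""
    user = user_for(token)
    album = albums.get(album_id)
    if album is None:
        return False                       # nothing to delete (a 404 in an API)
    if album["owner"] != user:
        raise Forbidden(f"{user} does not own album {album_id}")
    del albums[album_id]
    return True

def outcome(handler, token, album_id, albums):
    """Run one request and report its result as a string."""
    try:
        return "deleted" if handler(albums, token, album_id) else "not-found"
    except Unauthorized:
        return "unauthorized"
    except Forbidden:
        return "forbidden"

class SlidingWindowLimiter:
    """Per-token request cap. The clock is injectable so tests need no sleeping."""
    def __init__(self, limit, window_s, clock=time.monotonic):
        self.limit, self.window_s, self.clock = limit, window_s, clock
        self.hits = {}

    def allow(self, key):
        now = self.clock()
        q = self.hits.setdefault(key, deque())
        while q and now - q[0] >= self.window_s:
            q.popleft()                    # forget hits outside the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

def enumerate_and_delete(handler, token, album_ids, limiter):
    """Simulates an attacker script walking candidate album IDs with one token.
    Returns (requests that reached the handler, albums actually deleted)."""
    albums = fresh_albums()
    attempted = deleted = 0
    for album_id in album_ids:
        if not limiter.allow(token):
            continue                       # throttled before the handler runs
        attempted += 1
        if outcome(handler, token, album_id, albums) == "deleted":
            deleted += 1
    return attempted, deleted

if __name__ == "__main__":
    print(outcome(delete_album_vulnerable, "tok-mallory", 101, fresh_albums()))
    print(outcome(delete_album_fixed, "tok-mallory", 101, fresh_albums()))
```

With the vulnerable handler, Mallory's valid token deletes Alice's album 101; with the fixed handler the same request is refused. The limiter is defence in depth, not the fix: it changes how many IDs a script can try per window, not whether a single forged request succeeds.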
  19. Tomi Engdahl says:

    New York Times:
    Obama Heads to Security Talks Amid Tensions
    FEB. 12, 2015
    http://www.nytimes.com/2015/02/13/business/obama-heads-to-security-talks-amid-tensions.html

    President Obama will meet here on Friday with the nation’s top technologists on a host of cybersecurity issues and the threats posed by increasingly sophisticated hackers. But nowhere on the agenda is the real issue for the chief executives and tech company officials who will gather on the Stanford campus: the deepening estrangement between Silicon Valley and the government.

    The long history of quiet cooperation between Washington and America’s top technology companies — first to win the Cold War, then to combat terrorism — was founded on the assumption of mutual interest. Edward J. Snowden’s revelations shattered that. Now, the Obama administration’s efforts to prevent companies from greatly strengthening encryption in commercial products

    And there is continuing tension over the government’s desire to stockpile flaws in software — known as zero days — to develop weapons that the United States can reserve for future use against adversaries.

    “What has struck me is the enormous degree of hostility between Silicon Valley and the government,” said Herb Lin, who spent 20 years working on cyberissues at the National Academy of Sciences before moving to Stanford several months ago. “The relationship has been poisoned, and it’s not going to recover anytime soon.”

    The F.B.I., the intelligence agencies and David Cameron, the British prime minister, have all tried to stop Google, Apple and other companies from using encryption technology that the firms themselves cannot break into — meaning they cannot turn over emails or pictures, even if served with a court order.

    That tension — between companies’ insistence that they cannot install “back doors” or provide “keys” giving access to law enforcement or intelligence agencies and their desire for Washington’s protection from foreign nations seeking to exploit those same products — will be the subtext of the meeting.

    Mr. Obama has made online security a major theme, making the case in his State of the Union address that the huge increase in attacks during his presidency called for far greater protection.

    “Our business depends on trust. If you lose it, it takes years to regain.”

    When it comes to matters of security, Mr. Grosse said, “Their mission is clearly different than ours. It’s a source of continuing tension.”

    Companies like Google, Facebook, Microsoft and Twitter are fighting back by paying “bug bounties” to friendly hackers who alert them
    “Project Zero” would never get the number of bugs down to zero “but we’re going to get close.”

    Chris Strohm / Bloomberg Business:
    Zuckerberg, Page, and Mayer decline invitations to attend Obama’s cybersecurity summit at Stanford, a possible sign of ongoing tensions over NSA

    Three of Tech’s Top CEOs to Skip Obama Cybersecurity Summit
    http://www.bloomberg.com/news/articles/2015-02-11/three-of-tech-s-biggest-ceos-to-skip-obama-cybersecurity-summit

    (Bloomberg) — The top executives of Google Inc., Yahoo! Inc. and Facebook Inc. won’t attend President Barack Obama’s cybersecurity summit on Friday, at a time when relations between the White House and Silicon Valley have frayed over privacy issues.

    The technology industry had been a vital source of political support, campaign contributions and assistance in developing cutting-edge tech tactics for Obama when he won the presidency in 2008 and re-election in 2012. Relations have soured since, as the companies have clashed with the Obama administration over government spying and protecting the privacy rights of their users and customers.

    The summit is part of a renewed push to combat hackers. Panels will focus on boosting collaboration between companies and agencies, improving cybersecurity to protect consumers and better securing payment processing systems.

    The themes back up the administration’s efforts to improve information sharing about hacking threats and establishing a national standard for companies to report data breaches.

    Apple and Google have started offering smartphones that encrypt data by default, essentially shielding photos, documents and contact lists from the prying eyes of government or hackers.

    Obama also will announce an executive action aimed at encouraging companies to share information across industry sectors. The executive action will create a process for coming up with cybersecurity practices that the organizations should voluntarily follow.

    It also will authorize the Homeland Security Department to enter into agreements with the organizations to share data about hacking threats.

  20. Tomi Engdahl says:

    Joseph Menn / Reuters:
    Obama expected to announce executive order directing government and companies to share more cybersecurity threat information

    Exclusive: Obama set to announce executive order on cybersecurity threat data
    http://www.reuters.com/article/2015/02/12/us-usa-cybersecurity-exclusive-idUSKBN0LG2GR20150212

    (Reuters) – President Barack Obama is expected to announce an executive order directing the government and companies to share more information about cybersecurity threats in response to attacks like that on Sony Entertainment.

  21. Tomi Engdahl says:

    JPMorgan Goes to War
    The bank is building a new facility near the NSA’s headquarters to attract new talent
    http://www.bloomberg.com/news/articles/2015-02-19/jpmorgan-hires-cyberwarriors-to-repel-data-thieves-foreign-powers

    In the days following the massive breach of JPMorgan Chase’s computers last summer, the bank’s security chief, James Cummings, rarely left his operations center in its Manhattan headquarters. He directed a select group of colleagues to search for links to the Russian government. There was little evidence of a government tie, especially so early in the investigation, but Cummings, a former head of the U.S. Air Force’s cybercombat unit, was confident they’d find more.

    Convinced that it faces threats from governments in China, Iran, and Russia, and that the U.S. government isn’t doing enough to help, JPMorgan has built a vast security operation and staffed it increasingly with ex-military officers.

    The military overtones are no accident. JPMorgan is responding to attacks that the federal government is unable or unwilling to stop, says Nate Freier, research professor at the U.S. Army War College, yet it isn’t clear whether the bank’s weapons-grade operation is doing a better job than law enforcement agencies. “It’s a brave new world that’s not very well understood by the people playing the game,” Freier says. “It really is every man for himself.”

  22. Tomi Engdahl says:

    Lenovo has just released an automatic Superfish removal tool
    The company updated its statement on the bug today
    http://www.theverge.com/2015/2/20/8079933/lenovo-superfish-removal-tool-uninstall

    Lenovo has released a tool to help users remove Superfish, according to a statement released today by the company.

    Superfish is an adware program that was pre-installed on Lenovo’s consumer PCs and made users vulnerable to attack. The Superfish bug quickly went from bad to worse yesterday when researchers found and published a password that would allow anyone to unlock the certificate authority and bypass the computer’s web encryption. With the password and the right software, a person on the same Wi-Fi network as a bugged Lenovo user could potentially spy on that user, or insert malware into the data stream.

    The tool allows users to automatically uninstall the Superfish application and remove the certificate from web browsers, which previously could only be done manually. In the statement, Lenovo said, “We are working with McAfee and Microsoft to have the Superfish software and certificate quarantined or removed using their industry-leading tools and technologies. This action has already started and will automatically fix the vulnerability even for users who are not currently aware of the problem.”

  23. Tomi Engdahl says:

    Surprise! America Already Has a Manhattan Project for Developing Cyber Attacks
    http://www.wired.com/2015/02/americas-cyber-espionage-project-isnt-defense-waging-war/

    “What we really need is a Manhattan Project for cybersecurity.” It’s a sentiment that swells up every few years in the wake of some huge computer intrusion—most recently the Sony and Anthem hacks. The invocation of the legendary program that spawned the atomic bomb is telling. The Manhattan Project is America’s go-to shorthand for our deep conviction that if we gather the smartest scientists together and give them billions of dollars and a sense of urgency, we can achieve what otherwise would be impossible.

    In a much-circulated post on Medium last month, futurist Marc Goodman sets out what such a project would accomplish. “This Manhattan Project would help generate the associated tools we need to protect ourselves, including more robust, secure, and privacy-enhanced operating systems,” Goodman writes. “Through its research, it would also design and produce software and hardware that were self-healing and vastly more resistant to attack and resilient to failure than anything available today.”

    These arguments have so far not swayed a sitting American president.

    On Monday, we finally learned the truth of it. America already has a computer security Manhattan Project. We’ve had it since at least 2001. Like the original, it has been highly classified, spawned huge technological advances in secret, and drawn some of the best minds in the country. We didn’t recognize it before because the project is not aimed at defense, as advocates hoped. Instead, like the original, America’s cyber Manhattan Project is purely offensive.

    This revelation came by way of the Russia-based anti-virus company Kaspersky. At a conference in Cancun this week, Kaspersky researchers detailed the activities of a computer espionage outfit it calls the “Equation Group,” which, we can fairly surmise from previous leaks, is actually the NSA’s Tailored Access Operations unit.

    The result is impressive. The company has linked six different families of malware—“implants,” as the NSA calls them—to the Equation Group, the oldest of which has been kicking around since 2001. The malware has stayed below the radar in part because the NSA deploys it in limited, cautious stages. In the first stage, the agency might compromise a web forum or an ad network and use it to serve a simple “validator” backdoor to potential targets. That validator checks every newly infected computer to see if it’s of interest to the NSA. If not, it quietly removes itself, and nobody is the wiser.

    Only if the computer is a target of interest to the NSA does the validator take the next step and load a more sophisticated implant from a stealth NSA website like suddenplot.com or technicalconsumerreports.com. That’s where it gets interesting. The top tier of NSA malware discovered by Kaspersky is a generation ahead of anything previously reported in the wild. It uses a well-engineered piece of software called a bootkit to control the operating system from the ground up. It hides itself encrypted in the Windows registry, so that anti-virus software can’t find it on the computer’s disk. It carves out its own virtual file system on your machine to store data for exfiltration.

  24. Tomi Engdahl says:

    Ina Fried / Re/code:
    Lenovo CTO admits company “flat-out missed” major security flaws resulting from Superfish

    Lenovo CTO Admits It ‘Messed Up’ Allowing Major Security Hole Onto PCs
    http://recode.net/2015/02/20/lenovo-cto-admits-it-messed-up-allowing-major-security-hole-onto-pcs/

    Lenovo’s chief technology officer said Friday that the computer maker erred significantly by preinstalling onto consumer PCs a piece of software that made the machines vulnerable to attack.

    The tool, a shopping aid called Superfish, was installed on some Lenovo consumer laptops sold between September and January. Lenovo said earlier this week that it had stopped installing the controversial software because of bad customer reviews, but initially downplayed the security concerns.

    “We messed up,” CTO Peter Hortensius told Re/code. The company now confirms that the way Superfish operates could leave machines vulnerable to a “man-in-the-middle,” or MITM, attack, in which an attacker mimics both sides of a conversation to actively eavesdrop on each one. The problem stems from the fact that Superfish intercepts Web traffic, including secure traffic, using a self-signed security certificate that could be spoofed by attackers.

    Lenovo, like most PC makers, makes some of its money by preinstalling certain software.

    Dan Goodin / Ars Technica:
    Superfish doubles down, says HTTPS-busting adware poses no security risk
    http://arstechnica.com/security/2015/02/superfish-doubles-down-says-https-busting-adware-poses-no-security-risk/

  25. Tomi Engdahl says:

    Research: 84 percent more concerned about security and privacy in 2015
    http://www.zdnet.com/article/research-84-percent-more-concerned-about-security-and-privacy-in-2015/

    Summary: Security and privacy concerns are a major issue for the vast majority of those participating in Tech Pro Research’s newest survey, with 84 percent reporting increased worries.

  26. Tomi Engdahl says:

    Cisco IPv6 processing bug can cause DoS attacks
    Carriers need to patch their big network iron
    http://www.theregister.co.uk/2015/02/23/cisco_ipv6_processing_bug_can_cause_dos/

    Cisco has announced that NCS 6000 and Carrier Routing System (CRS-X) – heavy hunks of iron used in the service provider market – have an IPv6 software bug that needs patching.

    The bug impacts the ways Cisco IOS XR units parse IPv6 packets and an attack exploiting the problem could result in a forced restart of the line card that’s processing the traffic.

    “An attacker could exploit this vulnerability by sending a malformed IPv6 packet, carrying extension headers, through an affected Cisco IOS XR device line card,” the company’s advisory states. “This vulnerability could be exploited repeatedly to cause an extended DoS condition.”

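The advisory above describes the general shape of an IPv6 extension-header parsing bug: a malformed header chain makes the forwarding code read or loop past what the packet actually carries, and the line card restarts. The example below is an added illustration of how a parser for that chain should defend itself; it is not Cisco's code and does not reproduce the IOS XR defect. It walks the Hop-by-Hop, Routing, Fragment and Destination Options headers, checks every header against the declared payload length before touching it, caps the chain length (the cap of eight is an assumed policy value), and enforces the rule that Hop-by-Hop may only come first. The sample packets are constructed inline, not captures.

```python
import struct

IPV6_HDR_LEN = 40
HOP_BY_HOP, ROUTING, FRAGMENT, NO_NEXT, DEST_OPTS = 0, 43, 44, 59, 60
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS}
MAX_EXT_HEADERS = 8          # policy cap; an assumption for this example
TCP = 6

def parse_ipv6_chain(pkt):
    """Walk the extension-header chain of one IPv6 packet.

    Returns (upper_layer_protocol, offset_of_upper_layer_header, chain_types).
    Raises ValueError for any chain that does not fit inside the declared
    payload, so the caller never reads past the buffer it was handed.
    """
    if len(pkt) < IPV6_HDR_LEN:
        raise ValueError("truncated IPv6 base header")
    if pkt[0] >> 4 != 6:
        raise ValueError("version field is not 6")
    payload_len = struct.unpack_from("!H", pkt, 4)[0]
    next_hdr = pkt[6]
    end = IPV6_HDR_LEN + payload_len
    if end > len(pkt):
        raise ValueError("payload length exceeds captured bytes")

    off = IPV6_HDR_LEN
    chain = []
    while next_hdr in EXT_HEADERS:
        if len(chain) >= MAX_EXT_HEADERS:
            raise ValueError("extension header chain too long")
        if next_hdr == HOP_BY_HOP and chain:
            raise ValueError("hop-by-hop header must directly follow the base header")
        if off + 8 > end:
            raise ValueError("extension header truncated")
        # Fragment header is a fixed 8 octets; the others carry Hdr Ext Len in
        # 8-octet units, not counting the first 8 octets (RFC 2460).
        hdr_len = 8 if next_hdr == FRAGMENT else (pkt[off + 1] + 1) * 8
        if off + hdr_len > end:
            raise ValueError("extension header length exceeds payload")
        chain.append(next_hdr)
        next_hdr = pkt[off]
        off += hdr_len
    return next_hdr, off, chain

def reject_reason(pkt):
    """The parser's complaint for a bad packet, or None if it is well formed."""
    try:
        parse_ipv6_chain(pkt)
        return None
    except ValueError as e:
        return str(e)

def is_well_formed(pkt):
    return reject_reason(pkt) is None

# --- constructed sample packets (not real captures) ---
def _base(payload, next_hdr):
    src = bytes.fromhex("20010db8000000000000000000000001")
    dst = bytes.fromhex("20010db8000000000000000000000002")
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_hdr, 64, src, dst) + payload

def _ext(next_hdr, hdr_ext_len, actual_len):
    # actual_len bytes are emitted; hdr_ext_len is the value written on the wire,
    # so the two can disagree, which is exactly the malformed case.
    return bytes([next_hdr, hdr_ext_len]) + b"\x00" * (actual_len - 2)

TCP_STUB = b"\x00" * 20

def sample_packets():
    return {
        # HBH (8 bytes) -> DestOpts (16 bytes) -> TCP
        "good": _base(_ext(DEST_OPTS, 0, 8) + _ext(TCP, 1, 16) + TCP_STUB, HOP_BY_HOP),
        # DestOpts claims 2048 bytes but only 8 are present
        "oversized_len": _base(_ext(TCP, 255, 8) + TCP_STUB, DEST_OPTS),
        # DestOpts -> HBH is illegal ordering
        "hbh_out_of_order": _base(_ext(HOP_BY_HOP, 0, 8) + _ext(TCP, 0, 8) + TCP_STUB, DEST_OPTS),
        # nine chained DestOpts headers
        "chain_too_long": _base(b"".join([_ext(DEST_OPTS, 0, 8)] * 8 + [_ext(TCP, 0, 8)]) + TCP_STUB, DEST_OPTS),
        # payload ends in the middle of the first extension header
        "truncated": _base(_ext(TCP, 0, 8)[:4], DEST_OPTS),
    }

if __name__ == "__main__":
    for name, pkt in sample_packets().items():
        print(name, "->", reject_reason(pkt) or parse_ipv6_chain(pkt))
```

The property to take away is that every read of `pkt[off]` is preceded by a check that `off` lies inside the declared payload, and that the loop is bounded both by the cap and by the fact that `off` strictly increases. A parser that trusts Hdr Ext Len, or that loops until it sees a non-extension Next Header without a cap, is the kind of code a single crafted packet can take down.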
  27. Tomi Engdahl says:

    Mozilla mulls Superfish torpedo
    Green-lighted blacklist of compromised certs could be ready in a day
    http://www.theregister.co.uk/2015/02/23/mozilla_mulls_super_phish_torpedo/

    Firefox-maker Mozilla may neuter the likes of Superfish by blacklisting dangerous root certificates revealed less than a week ago to be used in Lenovo laptops.

    The move will be another blow against Superfish, which is under a sustained barrage of criticism for its use of a root certificate to launch man-in-the-middle attacks against innocent users in order to inject advertising into web searches.

    That crude tactic meant Lenovo machines running the program could be trivially attacked by hackers who set up fake banking websites using the certificate to shore-up legitimacy.

    Mozilla has not yet pulled the blacklist trigger but is mulling options, cryptographic engineering manager Richard Barnes told El Reg.

    “It is one of our core principles that individuals’ security and privacy on the internet are fundamental and must not be treated as optional,” Barnes says.

  28. Tomi Engdahl says:

    Three Months Later, State Department Hasn’t Rooted Out Hackers
    Amount of data lost in unclassified email network is unclear; Investigators point finger at Russia
    http://www.wsj.com/articles/three-months-later-state-department-hasnt-rooted-out-hackers-1424391453

  29. Tomi Engdahl says:

    SIM card security scare: Gemalto is investigating UK and US hack allegations
    http://www.theinquirer.net/inquirer/news/2396223/sim-card-security-scare-gemalto-is-investigatiing-uk-and-us-hack-allegations

    SIM CARD COMPANY Gemalto has reacted to reports that US and UK spy agencies have hacked their way into its heart, pinched its security crown jewels, and hopped right into global communications.

    US news website The Intercept, a frequent host of Snowden revelations, claims to have evidence that GCHQ and the US National Security Agency (NSA) worked together to hack Gemalto and steal its encryption keys. This potentially gave the agencies an easy way to eavesdrop on global mobile communications.

    “The breach, detailed in a secret 2010 GCHQ document, gave the surveillance agencies the potential to secretly monitor a large portion of the world’s cellular communications, including voice and data,” said The Intercept.

    The Great SIM Heist
    How Spies Stole the Keys to the Encryption Castle
    https://firstlook.org/theintercept/2015/02/19/great-sim-heist/

    AMERICAN AND BRITISH spies hacked into the internal computer network of the largest manufacturer of SIM cards in the world, stealing encryption keys used to protect the privacy of cellphone communications across the globe, according to top-secret documents provided to The Intercept by National Security Agency whistleblower Edward Snowden.

    The hack was perpetrated by a joint unit consisting of operatives from the NSA and its British counterpart Government Communications Headquarters, or GCHQ.

    The company targeted by the intelligence agencies, Gemalto, is a multinational firm incorporated in the Netherlands that makes the chips used in mobile phones and next-generation credit cards. Among its clients are AT&T, T-Mobile, Verizon, Sprint and some 450 wireless network providers around the world.

    In all, Gemalto produces some 2 billion SIM cards a year. Its motto is “Security to be Free.”

    With these stolen encryption keys, intelligence agencies can monitor mobile communications without seeking or receiving approval from telecom companies and foreign governments. Possessing the keys also sidesteps the need to get a warrant or a wiretap, while leaving no trace on the wireless provider’s network that the communications were intercepted. Bulk key theft additionally enables the intelligence agencies to unlock any previously encrypted communications they had already intercepted, but did not yet have the ability to decrypt.

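Why stolen SIM keys let an agency decrypt traffic without touching the operator's network, shown as an added example that is not part of The Intercept's report or of any real SIM implementation. In GSM the network sends a random challenge RAND in the clear, the SIM derives a response SRES and a session key Kc from RAND and its secret Ki, and the call is then encrypted under Kc. Anyone holding Ki who has captured RAND from the air can derive the same Kc, for that call and for any call recorded earlier. The code substitutes HMAC-SHA256 for the card's A3/A8 algorithms and an HMAC counter-mode keystream for A5; those stand-ins, the key and RAND values and the IMSI are all assumptions made for the demonstration, and the structure of the exchange is the point.

```python
import hashlib
import hmac

# Stand-ins for the SIM algorithms (assumptions for this example):
# HMAC-SHA256 replaces A3/A8 and an HMAC keystream replaces A5.
def a3_sres(ki, rand):
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:4]   # 32-bit SRES

def a8_kc(ki, rand):
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:8]   # 64-bit Kc

def a5_xor(kc, data):
    """Toy stream cipher keyed by Kc; encrypt and decrypt are the same operation."""
    out = bytearray()
    for block in range(0, len(data), 32):
        ks = hmac.new(kc, block.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[block:block + 32], ks))
    return bytes(out)

class SIM:
    def __init__(self, ki):
        self._ki = ki                          # never leaves the card in normal use
    def respond(self, rand):
        return a3_sres(self._ki, rand), a8_kc(self._ki, rand)

class Network:
    def __init__(self, subscriber_keys):
        self._keys = subscriber_keys           # the AuC's copy of each subscriber's Ki
    def authenticate(self, imsi, sim, rand):
        sres, _ = sim.respond(rand)            # RAND crosses the air interface in the clear
        expected = a3_sres(self._keys[imsi], rand)
        if not hmac.compare_digest(sres, expected):
            raise PermissionError("authentication failed")
        return a8_kc(self._keys[imsi], rand)   # the network derives the same Kc itself

def authenticates(imsi, sim, network, rand):
    try:
        network.authenticate(imsi, sim, rand)
        return True
    except PermissionError:
        return False

def session(imsi, sim, network, rand, plaintext):
    """One call: challenge, response, traffic under Kc.
    Returns what a passive listener records: RAND and the ciphertext."""
    kc = network.authenticate(imsi, sim, rand)
    return rand, a5_xor(kc, plaintext)

def decrypt_with_stolen_ki(stolen_ki, captured_rand, ciphertext):
    """What the key theft buys: no operator involvement, no warrant, no trace."""
    return a5_xor(a8_kc(stolen_ki, captured_rand), ciphertext)

# Constructed sample values (not real keys, challenges or subscribers).
KI = bytes.fromhex("0123456789abcdef0123456789abcdef")
RAND = bytes.fromhex("00112233445566778899aabbccddeeff")
IMSI = "244120000000001"
MESSAGE = b"meet at the usual place at 21:00"

def demo():
    sim, network = SIM(KI), Network({IMSI: KI})
    rand, ct = session(IMSI, sim, network, RAND, MESSAGE)   # recorded months ago
    recovered = decrypt_with_stolen_ki(KI, rand, ct)        # read today, with the stolen Ki
    wrong_key = decrypt_with_stolen_ki(bytes(16), rand, ct)
    return ct != MESSAGE, recovered == MESSAGE, wrong_key == MESSAGE

if __name__ == "__main__":
    print(demo())   # (True, True, False)
```

The exchange never lets Ki itself cross the air, which is why the protocol was considered adequate; the weakness the report describes is not in the exchange but in the key's second home, the manufacturer's provisioning systems, and the passive listener here needs nothing but that copy and a recording.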
  30. Tomi Engdahl says:

    Report: ICT downtime costs businesses $4 million per year
    http://www.cablinginstall.com/articles/2015/02/infonetics-ict-downtime-survey.html

    Technology researcher Infonetics Research, now part of IHS, Inc. (NYSE: IHS), recently conducted in-depth surveys with 205 medium and large businesses in North America and discovered that companies are losing as much as $100 million per year to downtime related to information and communication technology (ICT).

    “Businesses participating in our ICT downtime survey are losing almost $4 million a year to downtime on average, about half a percent of their total revenue,” comments Matthias Machowinski, directing analyst for enterprise networks and video at Infonetics Research.

    According to the survey, the most common causes of ICT downtime are failures of equipment, software and third-party services; power outages; and human error. Infonetics’ respondent organizations said they experience an average of two outages and four degradations per month, with each event lasting around six hours.

    “Fixing the downtime issue is the smallest cost component,” adds Machowinski. “The real cost is the toll downtime takes on employee productivity and company revenue, illustrating the criticality of ICT infrastructure in the day-to-day operations of an organization.”

  31. Tomi Engdahl says:

    Superfish, Komodia, PrivDog vulnerability test
    https://filippo.io/Badfish/

  32. Tomi Engdahl says:

    Debian on track to prove binaries’ origins
    Reproducible binary project 83% complete
    http://www.theregister.co.uk/2015/02/23/debian_project/

    Debian is on its way to becoming what could be the first operating system to prove the origin of its binaries, technologist Micah Lee says.

    The feat will allow anyone to independently confirm that Debian binaries were built from a reported source package.

    So far a project team devoted to confirming the reproducibility of builds has knocked off 83 percent of source packages within the main archive of the unstable distribution.

    The effort will not be completed in time for the release of the next major Debian release, codenamed Jessie, but could see reproducible builds a feature for the following stable release dubbed Stretch.

    “The team developed the tool debbindiff to provide in-depth detailed diffs of binary packages,” Debian said in a report note.

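What "reproducible" means in practice, as an added example that is not Debian's tooling: two hosts building the same source should emit bit-identical archives, and they usually do not because the build host's clock, user account and directory-listing order leak into the output. The example below packs a constructed three-file "package" (the file names and contents, the two build environments `ENV_A` and `ENV_B`, and the `SOURCE_DATE_EPOCH` value are all made up) first the naive way and then with the metadata normalised, and compares SHA-256 digests across the two hosts. The `members()` helper shows the kind of difference a tool like the debbindiff mentioned above would report.

```python
import gzip
import hashlib
import io
import tarfile

# Constructed sample "package" contents; not a Debian package or Debian's tooling.
SOURCES = {
    "pkg/bin/tool": b"#!/bin/sh\necho hello\n",
    "pkg/lib/helper.py": b"def f():\n    return 42\n",
    "pkg/README": b"reproducible build demo\n",
}
SOURCE_DATE_EPOCH = 1424390400   # assumed value; in practice from the changelog

# Two build hosts differing in exactly the ways that leak into binaries:
# clock, building user, and the order the filesystem returns directory entries.
ENV_A = {"now": 1424391000, "uid": 1000, "gid": 1000, "user": "buildd",
         "walk_order": ["pkg/README", "pkg/bin/tool", "pkg/lib/helper.py"]}
ENV_B = {"now": 1424477400, "uid": 1001, "gid": 1001, "user": "jane",
         "walk_order": ["pkg/lib/helper.py", "pkg/README", "pkg/bin/tool"]}

def _pack(entries, mtime, uid, gid, uname, gname, gzip_mtime):
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w", format=tarfile.PAX_FORMAT) as tar:
        for name, data in entries:
            ti = tarfile.TarInfo(name)
            ti.size = len(data)
            ti.mtime = mtime
            ti.uid, ti.gid = uid, gid
            ti.uname, ti.gname = uname, gname
            ti.mode = 0o755 if name.startswith("pkg/bin/") else 0o644
            tar.addfile(ti, io.BytesIO(data))
    out = io.BytesIO()
    # gzip writes its own timestamp into the header, so it must be pinned too
    with gzip.GzipFile(fileobj=out, mode="wb", mtime=gzip_mtime) as gz:
        gz.write(raw.getvalue())
    return out.getvalue()

def build_naive(files, env):
    """What a plain tar -czf produces: host clock, uid, user name and walk order
    all end up inside the archive."""
    entries = [(name, files[name]) for name in env["walk_order"]]
    return _pack(entries, env["now"], env["uid"], env["gid"],
                 env["user"], env["user"], env["now"])

def build_reproducible(files, env):
    """Same inputs, normalised metadata: sorted entries, SOURCE_DATE_EPOCH,
    uid/gid 0, no owner names, gzip timestamp zeroed. env is deliberately unused."""
    entries = sorted(files.items())
    return _pack(entries, SOURCE_DATE_EPOCH, 0, 0, "", "", 0)

def digest(blob):
    return hashlib.sha256(blob).hexdigest()

def builds_match(build_fn):
    """True if two independent hosts produce bit-identical output."""
    return digest(build_fn(SOURCES, ENV_A)) == digest(build_fn(SOURCES, ENV_B))

def members(blob):
    """Entry names in archive order, one of the first things a diff reveals."""
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        return tar.getnames()

if __name__ == "__main__":
    for fn in (build_naive, build_reproducible):
        print(fn.__name__, "reproducible:", builds_match(fn))
```

The security payoff is the one the article names: once the published binary's digest equals what an independent rebuild from the published source produces, a backdoor inserted on the build machine, or in transit, shows up as a digest mismatch that anyone can check, rather than something only the distributor's own infrastructure could vouch for.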
  33. Tomi Engdahl says:

    Leaky battery attack reveals the paths you walk in life
    ‘Innocent’ power consumption metrics found in scores of Android apps
    http://www.theregister.co.uk/2015/02/23/mobe_battery_stats_the_latest_tracking_trick_for_spies_creeps/

    More than 100 mobile apps leak users’ location regardless of whether they opt to keep the information private, according to researchers.

    Power consumption data is the source of the leaks, which make it possible to determine users’ whereabouts with 90 percent accuracy.

    A quartet from Stanford University and Israeli defence contractor Rafael developed an app called PowerSpy to demonstrate the leak.

    “Modern mobile platforms like Android enable applications to read aggregate power usage on the phone … We show that by simply reading the phone’s aggregate power consumption over a period of a few minutes an application can learn information about the user’s location,” the team wrote in the paper PowerSpy: Location Tracking using Mobile Device Power Analysis

    “Aggregate phone power consumption data is extremely noisy due to the multitude of components and applications simultaneously consuming power.

    “Nevertheless, we show that by using machine learning techniques, the phone’s location can be inferred.”

    Victims need only install an attacker’s app, in this case PowerSpy, that had benign access to network connectivity and battery consumption.

    http://arxiv.org/pdf/1502.03182v1.pdf

  34. Tomi Engdahl says:

    Andrea Peterson / Washington Post:
    President Obama’s doomsday encryption scenario doesn’t align with how the tech actually works — What President Obama is getting wrong about encryption

    What President Obama is getting wrong about encryption
    http://www.washingtonpost.com/blogs/the-switch/wp/2015/02/19/what-president-obama-is-getting-wrong-about-encryption/

    President Obama tried to walk a very fine line on encryption, the technology that secures much of the communications that occur online, during his recent visit to Silicon Valley — saying that he is a supporter of “strong encryption,” but also understands law enforcement’s desire to access data.

    “I lean probably further in the direction of strong encryption than some do inside of law enforcement,” Obama said during an interview with tech news site re/code. “But I am sympathetic to law enforcement because I know the kind of pressure they’re under to keep us safe. And it’s not as black and white as it’s sometimes portrayed.”

    But the technical aspects of encryption actually are quite black and white, experts say, adding that the example Obama used to illustrate the risks of encryption doesn’t match up with how tech companies are deploying the security measure for customers. Obama suggested that the FBI might be blocked from discovering who a terrorist was communicating with by tech companies’ recent efforts to beef up encryption. But that type of data would still remain available, technical experts say.

    The White House declined to comment.

    Reply
  35. Tomi Engdahl says:

    Kevin Poulsen / Wired:
    Equation Group shows US already has a Manhattan Project for cybersecurity, but like the original, it’s purely offensive

    Surprise! America Already Has a Manhattan Project for Developing Cyber Attacks
    http://www.wired.com/2015/02/americas-cyber-espionage-project-isnt-defense-waging-war/

    Reply
  36. Tomi Engdahl says:

    Millions of Children Exposed to ID Theft Through Anthem Breach
    http://www.nbcnews.com/business/personal-finance/millions-children-exposed-id-theft-through-anthem-breach-n308116

    Adults aren’t the only ones who can have their identity stolen.

    Tens of millions of American children had their Social Security numbers, date of birth and health care ID numbers stolen in the recent data breach at health insurance giant, Anthem Inc. This exposes these kids to the real risk of identity theft.

    “Every terrible outcome that can occur as the result of an identity theft will happen to the children who were on that database,” said Adam Levin, chairman and founder of IDentityTheft 911. “Criminals will use those stolen Social Security numbers to open accounts, get medical treatment, commit tax fraud, you name it.”

    “This is a watershed event,” Rohrbaugh said. “There is no other bulk acquisition of this much personal data – names, birthdates, addresses and Social Security numbers – that I am aware of in history.”

    And because the children’s information was linked to their parents’ data, it will make it much easier for cybercriminals to commit fraud against the parents as well, Rohrbaugh said.

    The Social Security number was never supposed to be used as a national identifier, but it’s become that. For an identity thief, that nine-digit number is the brass ring. It’s the skeleton key that unlocks your life.

    A child’s number is even more valuable. Here’s why: For most minors, their number is pristine – it’s never been used and is not yet associated with a credit file. That means there’s very little chance that the credit reporting agencies are monitoring it.

    So a criminal can take that stolen number, combine it with someone else’s name, address and birth date to create a fake ID

    “They will always take the child over the adult,” Abagnale told NBC News. “And the younger the child is the better, because they have longer to use that identity before someone finds out.”

    “Now it’s really all about detection,”

    The ITRC has prepared A Guide for Parents – Child Identity Theft Indicators

    ITRC Fact Sheet 120B
    Child Identity Theft Indicators:
    A Guide for Parents
    http://www.idtheftcenter.org/Fact-Sheets/fs-120b.html

    Reply
  37. Tomi Engdahl says:

    AT&T is putting a price on privacy. That is outrageous
    http://www.theguardian.com/commentisfree/2015/feb/20/att-price-on-privacy

    Poor customers should not have to choose between being spied on and forking over money

    Imagine if the postal service started offering discount shipping in exchange for permission to scan every letter you receive and then target you with junk mail based on the contents of your personal mail.

    One of the largest telecommunications companies in America, AT&T, is doing just that for customers of its super-fast gigabit broadband service, which is rolling out in select cities.

    The tracking and ad targeting associated with the gigabit service cannot be avoided using browser privacy settings: as AT&T explained, the program “works independently of your browser’s privacy settings regarding cookies, do-not-track and private browsing.” In other words, AT&T is performing deep packet inspection, a controversial practice through which internet service providers, by virtue of their privileged position, monitor all the internet traffic of their subscribers and collect data on the content of those communications.

    What if customers do not want to be spied on by their internet service providers? AT&T allows gigabit service subscribers to opt out – for a $29 fee per month.

    But charging extra for privacy has significant social justice implications: broadband access is hard to come by for many communities, and subscribers on the lower rungs of the income ladder may not be able to afford an additional fee to protect their privacy. Privacy should not be reserved for the rich, and the poor should not be forced to choose between broadband, an essential tool in modern life, and their privacy.

    Moreover, it is not clear what gigabit subscribers get when they pay the $29 fee to opt out. AT&T says that it “may collect and use web browsing information for other purposes

    Even worse, the virtual lack of competition in the broadband market makes it difficult for many subscribers to jump to another, more privacy-protective company.

    AT&T does not have a stellar track record when it comes to protecting its subscribers’ information from government intrusion, as the company’s early collaboration with the NSA proved.

    There is one silver lining to this dark cloud: AT&T says it is not attempting to monitor its customers’ connections to encrypted websites (like Google, Yahoo!, Facebook and Twitter), which could endanger its customers’ security. This is small comfort, however, given the wide array of websites that do not support HTTPS by default.

    Reply
  38. Tomi Engdahl says:

    Calling all cybercrooks: Ready-made phone attack rig for sale
    Kit used as part of online banking fraud
    http://www.theregister.co.uk/2015/02/23/tdos_telephone_dos_attack_cybercrime/

    Cybercrooks are marketing a hardware-based tool for running denial of service attacks on telephone systems.

    The Telephone Denial of Service attacks (TDoS) rig is being sold by a group of cybercriminals called “TNT” from Eastern Europe via underground cybercrime forums.

    The tool, called “TNT Instant Up”, features a special hardware platform made up of several connected Wireless USB 3G/4G modems (up to 12 devices).

    Specialised software allows the tool to perform continuous calls from inserted unlocked SIM-cards (GSM flood) and leverages various SIP providers (SIP flood), according to security intelligence firm IntelCrawler.

    Pricing ranges between $560 and $1,200, depending on activation options and software. TNT Instant Up also offers TDoS services for hire.

    Cybercrooks use the tools for online banking fraud or targeted cyber attacks against banking customer services, preventing their systems from receiving legitimate calls.

    Last summer, the FBI reported telephone-swamping TDoS attacks against healthcare and public health targets. Isolated attacks against emergency call centre targets have also been reported.

    Reply
  39. Tomi Engdahl says:

    In Florida, Secrecy Around Stingray Leads To Plea Bargain For a Robber
    http://yro.slashdot.org/story/15/02/23/0611254/in-florida-secrecy-around-stingray-leads-to-plea-bargain-for-a-robber

    Secrecy around police surveillance equipment proves a case’s undoing
    http://www.washingtonpost.com/world/national-security/secrecy-around-police-surveillance-equipment-proves-a-cases-undoing/2015/02/22/ce72308a-b7ac-11e4-aa05-1ce812b3fdd2_story.html?hpid=z1

    But before trial, his defense team detected investigators’ use of a secret surveillance tool, one that raises significant privacy concerns. In an unprecedented move, a state judge ordered the police to show the device — a cell-tower simulator sometimes called a StingRay — to the attorneys.

    Rather than show the equipment, the state offered McKenzie a plea bargain.

    McKenzie’s case is emblematic of the growing, but hidden, use by local law enforcement of a sophisticated surveillance technology borrowed from the national security world. It shows how a gag order imposed by the FBI — on grounds that discussing the device’s operation would compromise its effectiveness — has left judges, the public and criminal defendants in the dark on how the tool works.

    That secrecy, in turn, has hindered debate over whether the StingRay’s use respects Americans’ civil liberties.

    “It’s a terrible violation of our constitutional rights,” asserted Elaine Harper, McKenzie’s grandmother, who raised the young man. “People need to know — the public needs to know — what’s going on.”

    The StingRay is a box about the size of a small suitcase — there’s also a handheld version — that simulates a cellphone tower. It elicits signals from all mobile phones in its vicinity. That means it collects information not just about a criminal suspect’s communications but also about the communications of potentially hundreds of law-abiding citizens.

    The Tallahassee police used the StingRay or a similar device in more than 250 investigations over a six-year period, from mid-2007 through early 2014

    Reply
  40. Tomi Engdahl says:

    US wants to hack machines lawfully

    The US justice authorities are preparing additions to Rule 41 that would make it lawful for the country’s security services to hack into computers abroad. Google and many other companies strongly oppose this Rule 41 amendment.

    So far, Rule 41 has dictated that the security authorities may only monitor computers within their own jurisdiction. The rule change would mean that the location of the computer under surveillance could be anywhere.

    Source: http://www.etn.fi/index.php?option=com_content&view=article&id=2465:usa-haluaa-hakkeroida-koneita-luvallisesti&catid=13&Itemid=101

    Reply
  41. Tomi Engdahl says:

    Cyber security is the greatest threat to companies

    Finnish companies’ workstation environments are protected mainly by anti-virus software and firewalls.
    Many people think they are operating in a closed and safe environment, but closed environments no longer exist.

    - Few have a real-time picture of their network or manage their log data effectively. Companies often do not even know with certainty what is connected to their network environment, and data networks have become the worst kind of dumping grounds, Pekka Blomberg complains.

    According to him, employees’ overly extensive access rights to various information systems constitute a serious threat to businesses. They can lead to intentional and unintentional abuse. People who have left the company for one reason or another may still retain access to enterprise information systems, because their access rights have not been removed.

    Only a few companies are able to monitor cyber security professionally enough without external expertise.

    - The digital world and the physical world are increasingly intertwined. In a networked world, cyber security requires continuous monitoring alongside the core business. In addition to technology and automation, human perception must be used systematically. The majority of devices on the network are fairly easy to identify.

    Finnish companies have woken up to cyber security in earnest during the past year, and attitudes seem to be in order. Now companies need a strategy for cyber security incidents, with a wide-ranging evaluation of business and information risks to capital. Without comprehensive preparedness, threats can materialize as economic losses. The Industrial Internet will further increase network traffic and bring new threats, which should be prepared for in time with regard to physical safety as well.

    - It’s only a matter of time before companies in Finland face increasingly difficult attacks, Blomberg warns.

    Source: http://www.etn.fi/index.php?option=com_content&view=article&id=2446:kyberturvallisuus-yritysten-suurin-uhka&catid=13&Itemid=101

    Reply
  42. Tomi Engdahl says:

    Android is already a higher security risk than Windows

    Late last year, the world had 16 million mobile devices infected with some kind of malware. A security company says Android has already overtaken Windows, which had held the title for years, as the platform worst hit by viruses.

    Motive Security Labs, the security solutions development unit of Alcatel-Lucent, has published its security report for the second half of last year. According to it, Android malware increased by 25 per cent last year. Half of the infected machines are Android smartphones and half are Windows PCs.

    A significant part of the Android malware consists of spyware programs that spy on mobile phone users.

    Android “pollution” has been rapid. Even in late 2012 there was virtually no Android malware. By the end of 2013, Motive Security Labs’ database contained 400,000 Android threats. Late last year the figure was well over a million.

    Source: http://www.etn.fi/index.php?option=com_content&view=article&id=2429:android-on-jo-windowsia-suurempi-turvariski&catid=13&Itemid=101

    Reply
  43. Tomi Engdahl says:

    Dan Goodin / Ars Technica:
    SSL-busting code that threatened Lenovo users found in a dozen more apps

    SSL-busting code that threatened Lenovo users found in a dozen more apps
    “What all these applications have in common is that they make people less secure.”
    http://arstechnica.com/security/2015/02/ssl-busting-code-that-threatened-lenovo-users-found-in-a-dozen-more-apps/

    The list of software known to use the same HTTPS-breaking technology recently found preinstalled on Lenovo laptops has risen dramatically with the discovery of at least 12 new titles, including one that’s categorized as a malicious trojan by a major antivirus provider.

    Trojan.Nurjax, a malicious program Symantec discovered in December, hijacks the Web browsers of compromised computers and may download additional threats.

    Nurjax is one such example of newly found software that incorporates HTTPS-defeating code from an Israeli company called Komodia. Combined with the Superfish ad-injecting software preinstalled on some Lenovo computers and three additional applications that came to light shortly after that revelation, there are now 14 known apps that use Komodia technology.

    “What all these applications have in common is that they make people less secure through their use of an easily obtained root CA [certificate authority], they provide little information about the risks of the technology, and in some cases they are difficult to remove,” Matt Richard, a threats researcher on the Facebook security team, wrote in Friday’s post. “Furthermore, it is likely that these intercepting SSL proxies won’t keep up with the HTTPS features in browsers (e.g., certificate pinning and forward secrecy), meaning they could potentially expose private data to network attackers. Some of these deficiencies can be detected by antivirus products as malware or adware, though from our research, detection successes are sporadic.”

    Komodia, a company that brazenly calls one of its software development kits an “SSL hijacker,” is able to bypass secure sockets layer protections by modifying the network stack of computers that run its underlying code. Specifically, Komodia installs a self-signed root CA certificate that allows the library to intercept encrypted connections from any HTTPS-protected website on the Internet. This behavior is by no means unique to Komodia, Superfish, or the other programs that use the SSL-breaking certificates. Antivirus apps and other security-related wares often install similar root certificates. What sets Komodia apart from so many others is its reuse of the same digital certificate across many different computers.

    “We’re publishing this analysis to raise awareness about the scope of local SSL MITM software so that the community can also help protect people and their computers,”

    Reply
  44. Tomi Engdahl says:

    Gemalto World leader in Digital Security:
    Despite NSA hacking claims, Gemalto says initial conclusions indicate SIM products are secure
    http://www.gemalto.com/press/Pages/Update-on-the-SIM-card-encryption-keys-matter.aspx

    Reply
  45. Tomi Engdahl says:

    Security software found using Superfish-style code, as attacks get simpler
    Titles from security firms Lavasoft and Comodo leave users open to easier attacks.
    http://arstechnica.com/security/2015/02/security-software-found-using-superfish-style-code-as-attacks-get-simpler/

    Two more software makers have been caught adding dangerous, Superfish-style man-in-the-middle code to the applications they publish. The development is significant because it involves AV company Lavasoft and Comodo, a company that issues roughly one-third of the Internet’s Transport Layer Security certificates, making it the world’s biggest certificate authority.

    Lavasoft and Comodo were added just as researchers were discovering simpler, more potent ways to exploit the vulnerabilities.

    Late last week came word that self-signed Secure Sockets Layer certificates installed by a company called Komodia caused most browsers to trust any self-signed certificate that used the same easily extracted private key. That was bad, but now, researchers have discovered vulnerabilities in the closely related proxy software of interception applications from Komodia and Comodo. The new insight makes it even easier for attackers to forge trusted credentials that impersonate Bank of America, Google, or any other HTTPS-protected destination on the Internet.

    The first case involves Lavasoft Ad-aware Web Companion, software that’s distributed by antivirus provider Lavasoft.

    As discovered over the weekend by security researcher Filippo Valsorda, Komodia’s SSL-intercepting proxy software will cause most browsers to trust any self-signed certificate, as long as the name of the targeted website is inserted into the certificate’s alternate name field. That discovery dramatically lowers the bar for successful exploitation of the serious vulnerability.

    Lavasoft Ad-aware Web Companion is free privacy software Lavasoft markets as a companion to regular antivirus protection. Lavasoft appears to have licensed the Komodia engine and put it into the Companion product for inspecting SSL traffic. Most other AV products use similar self-signed certificates to detect SSL-injected threats, but so far there are no reports of other AV companies using such vulnerable implementations.

    The second security-marketed software was “PrivDog,” which is the creation of Comodo CEO Melih Abdulhayoglu.

    PrivDog bills itself as software that enhances security and privacy by replacing ads in Web pages with ads from trusted sources. Presumably, the vulnerable version of PrivDog is using the man-in-the-middle proxy and certificate to replace ads in HTTPS-protected sites.

    Reply
  46. Tomi Engdahl says:

    Komodia/Superfish SSL Validation is broken
    https://blog.filippo.io/komodia-superfish-ssl-validation-is-broken/

    If you are on the ball already and just want the new vulnerability, scroll to the “client side SSL verification” section. tl;dr The Komodia/Superfish proxy can be made to allow self-signed certificates without warnings.

    Reply
  47. Tomi Engdahl says:

    Adware Privdog worse than Superfish
    https://blog.hboeck.de/

    There is an adware called Privdog. It totally breaks HTTPS security.

    In case you haven’t heard it the past days an Adware called Superfish made headlines. It was preinstalled on Lenovo laptops and it is bad: It totally breaks the security of HTTPS connections. The story became bigger when it became clear that a lot of other software packages were using the same technology Komodia with the same security risk.

    What Superfish and other tools do is that it intercepts encrypted HTTPS traffic to insert Advertising on webpages. It does so by breaking the HTTPS encryption with a Man-in-the-Middle-attack, which is possible because it installs its own certificate into the operating system.

    A quick analysis shows that it doesn’t have the same flaw as Superfish, but it has another one which arguably is even bigger.

    US-CERT writes: “Adtrustmedia PrivDog is promoted by the Comodo Group, which is an organization that offers SSL certificates and authentication solutions.” A variant of PrivDog that is not affected by this issue is shipped with products produced by Comodo (see below). This makes this case especially interesting because Comodo itself is a certificate authority (they had issues before). As ACLU technologist Christopher Soghoian points out on Twitter the founder of PrivDog is the CEO of Comodo.

    Reply
  48. Tomi Engdahl says:

    The State of Email Trust 2014 Report
    http://info.agari.com/state-of-email-trust-2014.html

    As you saw in the headlines and news, 2014 was a big year for email threats.
    And from our findings – the proof is in the data.

    By summarizing the TrustIndex data we gathered quarterly in 2014 that measures how well both individual companies and industries as a whole are protecting their customers from email cyberattacks, we saw that email security improved somewhat in 2014, but most companies still haven’t implemented technology that protects them from cybercrime.

    Reply
  49. Tomi Engdahl says:

    Vulnerability Note VU#529496
    Komodia Redirector with SSL Digestor fails to properly validate SSL and installs non-unique root CA certificates and private keys
    http://www.kb.cert.org/vuls/id/529496

    Komodia Redirector with SSL Digestor installs non-unique root CA certificates and private keys, making systems broadly vulnerable to HTTPS spoofing

    Komodia Redirector SDK is a self-described “interception engine” designed to enable developers to integrate proxy services and web traffic modification (such as ad injection) into their applications. With the SSL Digestor module, HTTPS traffic can also be manipulated. This is accomplished by installing a root CA certificate into browser trusted certificate stores, enabling the proxy to effectively man-in-the-middle all web traffic without raising any flags for the end-user.

    In multiple applications implementing Komodia’s libraries, such as Superfish Visual Discovery and KeepMyFamilySecure, the root CA certificates have been found to use trivially obtainable, publicly disclosed, hard-coded private keys. Note that these keys appear to be distinct per application, though the same methods have proven successful in revealing the private keys in each instance.

    Reply
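The Komodia/Superfish comments above (43, 45, 46 and 49) describe two separate failures that are easy to conflate: the root CA private key shipped identically to every machine (VU#529496), so anyone who extracts it can sign a certificate for any site; and the proxy’s own client-side validation accepting a self-signed upstream certificate whenever the target hostname appears in its subjectAltName, then re-signing it under the trusted root so the browser sees no warning (Valsorda’s finding). The Python below is an added example, not code from Komodia, Superfish, Lenovo, Comodo or any post in this thread. It models both failures with a constructed trust store: X.509 is reduced to a dict and RSA to textbook `pow()` over fixed small primes so it runs on the standard library alone, and every hostname, CA name and key in it is made up.

```python
"""Toy model of the two Komodia-style failures discussed in this thread.
Constructed example, not Komodia's, Superfish's, PrivDog's or any vendor's code.
X.509 is reduced to a dict and RSA to textbook pow() on fixed small primes so
the chain logic needs only the standard library. Every name and key is made up.
"""
import hashlib
import json

E = 65537


def keypair(p, q):
    """Textbook RSA on two fixed primes: no padding, far too small for real use."""
    n, d = p * q, pow(E, -1, (p - 1) * (q - 1))
    return (n, E), (n, d)            # (public, private)


def tbs_hash(cert, n):
    """SHA-256 of the to-be-signed fields (everything but the signature), mod n."""
    tbs = {k: v for k, v in cert.items() if k != "sig"}
    digest = hashlib.sha256(json.dumps(tbs, sort_keys=True).encode()).digest()
    return int.from_bytes(digest, "big") % n


def issue(subject, sans, subject_pub, issuer, issuer_priv, ca=False):
    """Sign a certificate; issuer is the issuing cert, or None for self-signed."""
    cert = {"subject": subject, "sans": sorted(sans), "pub": list(subject_pub),
            "issuer": issuer["subject"] if issuer else subject, "ca": ca}
    n, d = issuer_priv
    cert["sig"] = pow(tbs_hash(cert, n), d, n)
    return cert


def signed_by(cert, issuer):
    """True if issuer is a CA, is named as issuer, and its public key verifies sig."""
    n, e = issuer["pub"]
    return (issuer["ca"] and cert["issuer"] == issuer["subject"]
            and pow(cert["sig"], e, n) == tbs_hash(cert, n))


def browser_validate(chain, host, trust_store):
    """What a browser does: host in the leaf's SAN, each link signed by the next,
    and the last link signed by a root present in the trust store."""
    if host not in chain[0]["sans"]:
        return False
    if not all(signed_by(c, parent) for c, parent in zip(chain, chain[1:])):
        return False
    return any(signed_by(chain[-1], root) for root in trust_store)


def proxy_validate(upstream_cert, host):
    """The interception proxy's check as reported in the thread: accept the
    upstream certificate if the target name is in its SAN, whoever signed it."""
    return host in upstream_cert["sans"]


def proxy_resign(upstream_cert, host, root_cert, root_priv):
    """If the upstream cert passes the proxy's check, re-sign it under the
    proxy's root so the browser, which trusts that root, sees a valid cert."""
    if not proxy_validate(upstream_cert, host):
        return None
    return issue(upstream_cert["subject"], upstream_cert["sans"],
                 upstream_cert["pub"], root_cert, root_priv)


# Constructed parties; Mersenne primes keep every number deterministic.
real_pub, real_priv = keypair(2**89 - 1, 2**19 - 1)     # a legitimate public CA
bank_pub, bank_priv = keypair(2**107 - 1, 2**17 - 1)    # bank.example's own key
kom_pub, kom_priv = keypair(2**61 - 1, 2**31 - 1)       # root shipped to every PC
evil_pub, evil_priv = keypair(2**127 - 1, 2**13 - 1)    # attacker's key

REAL_ROOT = issue("Example Root CA", [], real_pub, None, real_priv, ca=True)
KOMODIA_ROOT = issue("Interceptor CA", [], kom_pub, None, kom_priv, ca=True)
BANK_CERT = issue("bank.example", ["bank.example"], bank_pub, REAL_ROOT, real_priv)
VICTIM_STORE = [REAL_ROOT, KOMODIA_ROOT]   # PC with the interceptor root installed
CLEAN_STORE = [REAL_ROOT]


def scenario_shared_key():
    """Failure 1: the root's private key is identical on every machine, so an
    attacker who extracted it forges bank.example; returns (victim, clean)."""
    forged = issue("bank.example", ["bank.example"], evil_pub, KOMODIA_ROOT, kom_priv)
    return (browser_validate([forged], "bank.example", VICTIM_STORE),
            browser_validate([forged], "bank.example", CLEAN_STORE))


def scenario_self_signed():
    """Failure 2: a self-signed upstream cert that merely names the host is
    rejected by the browser directly but accepted once the proxy re-signs it."""
    self_signed = issue("bank.example", ["bank.example"], evil_pub, None, evil_priv)
    direct = browser_validate([self_signed], "bank.example", VICTIM_STORE)
    resigned = proxy_resign(self_signed, "bank.example", KOMODIA_ROOT, kom_priv)
    via_proxy = resigned is not None and browser_validate(
        [resigned], "bank.example", VICTIM_STORE)
    return direct, via_proxy


def scenario_legitimate():
    """Control: the bank's real certificate validates against the real root only."""
    return browser_validate([BANK_CERT], "bank.example", CLEAN_STORE)


if __name__ == "__main__":
    print("forged leaf, shared key (victim, clean):", scenario_shared_key())
    print("self-signed upstream (direct, via proxy):", scenario_self_signed())
    print("legitimate bank cert:", scenario_legitimate())
```

Two points carry over to real deployments. The first failure needs no proxy at all: once the shared private key is public, a forged certificate is accepted by any affected machine on any network, which is why VU#529496 treats the non-unique key, not the interception itself, as the vulnerability. The second shows why an intercepting proxy must apply the same chain validation a browser would before re-signing, since the browser only ever sees the proxy’s signature and can no longer judge the upstream certificate itself.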
  50. Tomi Engdahl says:

    More Protection from Unwanted Software
    http://insidesearch.blogspot.fi/2015/02/more-protection-from-unwanted-software.html

    SafeBrowsing helps keep you safe online and includes protection against unwanted software that makes undesirable changes to your computer or interferes with your online experience.

    We recently expanded our efforts in Chrome, Search, and ads to keep you even safer from sites where these nefarious downloads are available.

    If you’re a site owner, we recommend that you register your site with Google Webmaster Tools. This will help you stay informed when we find something on your site that leads people to download unwanted software, and will provide you with helpful tips to resolve such issues.

    Reply
