Here are my predictions for trends in information security and cyber security for year 2016.
Year 2015 was bad for information security was pretty, and I would say that the trend is worrying. So I expect the year 2016 will have many information security challenges. If you want to keep yourself up at night, spend some time reading about the latest developments in cybersecurity. In 2015 there was Airplanes hacked, cars hacked, vulnerabilities in a breathtaking range of sensitive equipment from TSA locks to voting booths to medical devices. The big picture is even scarier. Former NSA Director Mike McConnell suspects China has hacked “every major corporation” in the US. Those problems will continue in 2016 and some new targets for attacks will be found. The system is broken. It isn’t keeping us, our companies, or our government safe. Worse yet, no one seems to know how to fix it.
Attacks through networks are becoming more common all the time. It will be hard to protect against targeted attacks. Hackers will not only customize malware, but they will increasingly use sophisticated phishing and social engineering tricks to gain access to sensitive data. Attackers usually cover their tracks carefully, and in the identification of target can be very difficult. Behind targeted attacks are usually professional criminals. Criminals do not respect geographical borders and hence attacks are spread evenly everywhere. Companies will struggle to absorb the security threats of combined PC and mobile devices in 2016.
EU information security decisions made in late 2015 will have impact on what comes in 2016: New EU data protection legislation package approved and EU Court of Justice decision in which it noted the Safe Harbor procedure is invalid. This means that transfers of personal data from EU countries to the United States under the Safe Harbor violation of law – you need some other agreement for this. The situation for this will probably get clarified during 2016. Data protection legislation changes will lead to increased fines for the unprepared. Legal uncertainty and big fines are a toxic cocktail for some companies. The combination of stiff penalties and ambiguously worded provisions in the new EU-wide data-protection law, which would replace a patchwork of 28 national laws, raises daunting prospects for companies operating in Europe.
After huge amount of user information leaks in 2015 from all kinds of Internet services, there will the challenges for cloud companies to gain trust in their security. You might have just dared to trust “the right cloud services,” since in principle the traditional information security point of view, they seem to be the main things okay, rising this privacy issues raised.
New environments will bring new threats. New operating systems versions means that administrators and users are less familiar with the environments. IPv6 will get more widely used, and the security of IPv6 networks is different from IPv4. Organizations are moving to virtualized environments, which are complex and create network layers that can become an attack vector. Growing network virtualization functionality and programmability are both an opportunity and a threat to security. Cyber security research will be important important in 2016 as 5G networks will be critical infrastructure, on top of which for example. transport, industry, health and the new operators set up their business around 2020.
The huge amount of information security information is becoming harder and harder to manage in 2016. A key problem in revelations as all other news coverage is the exponential growth of knowledge. There are variety of news summaries produced a daily basis, but they are not enough to get good picture of what is happening. There are bigger and smaller news, the impact of which is at times very difficult to assess. SMBs will become a bigger target for cybercriminals. Network and security professionals continue to be among the toughest IT talent to find and hire.
Old way network security focused on perimeter defense is not enough in 2016. Old mantras “encrypt everything” and “secure the perimeter,” are not enough. One deceptive truth seems to drive much of the cybersecurity industry down a rabbit hole: If you keep bad actors and bad software out of your system, you have nothing to worry about. It does not work like that anymore. As perimeter security gets stronger, malicious actors are looking for easier entry points to compromise an organisation through the breadth of its digital attack surface. Now malicious actors target “endpoints”—any device or sensor connected to a network—to break into that network. Traditional sandboxing will no longer protect against the growing malware landscape. Today, most private networks have far too many endpoints to properly secure. In an age of “Bring Your Own Device,” the cloud, remote access, and the Internet of Things, there are too many vulnerabilities hackers can exploit. Keep in mind that everything connected to the Internet can, and will be hacked. To address those threats in 2016, security experts should assume compromise – that hackers and malware already have breached their defenses, or soon will – and instead classify and mitigate threats. In addition to public key infrastructure lock-and-key system you will need also an integrity solution that acts like an alarm. To protect against advanced threats, security professionals will increase their reliance on centralized security management solutions. You need to have prioritization and response plans to various kinds of breaches – with a strong focus on integrity.
Law enforcement versus Silicon Valley tension will continue to be strong throughout year 2016. In 2015 Law enforcement and politicians on both sides of the Atlantic lined up to repeatedly complain that the web was “going dark” as the result of end-to-end encryption and that this was hampering the investigation of terrorism and other serious crimes.Technologists and cryptographers argue that governments are trying to weaken encryption by demanding some form of privileged access for government. It’s not clear how much encryption the NSA can break. With renewed focus on how encrypted messages can be used to plot terrorist attacks, President Barack Obama’s administration is stepping up pressure on the tech sector to help in the battle. Privacy remains a major counter-argument. It seems that Governments Lie About Encryption Backdoors. Encryption systems weakened by mandated backdoors would not be effective in fighting the terrorists that governments invoke as their reason for wanting those backdoors in the first place.
But this does not stop some government officials to demand such thing with varying success on different countries. Another fact is that The existence of coded communications is a reality and the U.S. may not be able to do much about it because nearly everyone living in modern society uses it: Encryption protects your bank information, prevents your password from being stolen when you log into a website, and allows all e-commerce transactions to take place securely. Encryption weakened by mandated backdoors would put all of us at an enormous risk of exposure from data breaches and associated online risks. The truth in 2016 is that any form of privileged access to government – ie, a backdoor – would inevitably weaken crypto-systems and make them more vulnerable to attacks by foreign governments’ intelligence agencies as well as criminals - Juniper’s VPN security hole is proof that govt backdoors are bonkers. Encryption backdoors would be a gleeful win-win for terrorists and a horrific lose-lose for you – the bad guys having strong protections for their data, and the rest of us not. The poorly thought-out and crude surveillance technique could have a devastating effect on the country’s internet security- as for example Kazakhstan will force its citizens to install internet backdoors by requiring all Internet users install state-issued root certificate by January 1, 2016.
Google, Mozilla and Microsoft are pushing for early SHA-1 crypto cutoff that can happen in 2016 instead of earlier planned Jan 1st, 2017. Due to recent research showing that SHA-1 is weaker than previously believed, because it’s been cracked without enormous effort. Mozilla, Microsoft and now Google are all considering bringing the deadline forward by six months to July 1, 2016. SHA-2 is going to be used as the replacement function for SHA-1. Websites like Facebook and those protected by CloudFlare have implemented a SHA-1 fallback mechanism for those systems that do not support SHA-2. Chrome will start display errors if SHA-1 certificates are employed in early 2016 and will completely stop supporting SHA-1 certificates in the end of 2016.
The use of Blockchain technology, permissionless distributed database based on the bitcoin protocol that runs across a global network of independent computers, will get used more widely than for just Bitcoin virtual money. With bitcoin, Blockchain tracks the exchange of money. But it can also track the exchange of anything else that holds value, including stocks, bonds, and other financial securities. Overstock has already used the blockchain to issue private bonds. The Securities and Exchange Commission has approved a plan from online retailer Overstock.com to issue company stock via the Internet, signaling a significant shift in the way financial securities will be distributed and traded in the years to come. Overstock built its technology under the aegis of a subsidiary called TØ.com, and it plans to offer this “cryptosecurity” tech as a service to other businesses. Nasdaq OMX—the company behind the Nasdaq stock exchange—is using the blockchain to oversee the exchange of private stock. Also several major companies from across both the technology and financial industries—including IBM, Intel, and Cisco as well as the London Stock Exchange Group and big-name banks JP Morgan, Wells Fargo, and State Street—have joined forces to create an alternative to the blockchain with Linux Foundation.
The use of disk encryption will increase and there are different ways to do it with different security levels. Microsoft has introduced Windows 10 disk encryption keys are uploaded to Microsoft. This approach has some advantages and disadvantages. The gold standard in disk encryption is end-to-end encryption, where only you can unlock your disk. This is what most companies use, and it seems to work well. It protects data in case your device is lost or stolen. But what if you forget or loose your key? There are certainly cases where it’s helpful to have a backup of your key or password – so keeping a backup of your recovery key in your Microsoft account could be genuinely useful for probably the majority of users that don’t have high security neeeds. The disadvantage of this approach is that Your computer is now only as secure as that database of keys held by Microsoft, which means it may be vulnerable to hackers, foreign governments, and people who can extort Microsoft employees.
Weak leaking passwords are still huge security problem still in 2016. Passwords are often the weakest parts when it comes to securing users’ accounts, as many don’t use complex passwords or they reuse the same password across services. Two-factor authentication – like using a USB stick with a secret token or entering in a code sent via text method to your phone – can help to increase security, but many users also find this to be a hassle as it introduces an additional step to the login process.
Google begins testing login system that uses phone notifications for authentication instead of passwords: authenticate by responding to a notification sent to their smartphone. The idea is similar to Yahoo’s recently launched “Account Key,” which also offers a password-free means of signing in involving a push notification sent to your phone that then opens an app where you approve the log-in.
Smart phone will become more and more security critical part of your life. “Increasingly, individuals and organisations are adopting password managers and multi-factor authentication technologies to plug some of the holes in password-based authentication. “We foresee a world where practically everyone uses their smartphone as a multi-factor authentication element. In this world, the smartphone becomes your most valuable asset: something that enables you to unlock your life online and a target for attackers seeking to access your services.”
Expect that number of mobile vulnerabilities will only grow in 2016. In 2016 we will see increasing numbers of cyber criminals using mobile applications to spread malware. Mobile presents an easy target for cyber criminals, because it is an attack surface that is open and extremely difficult to defend once an app has been released. Android threats will become more than just headline-grabbers. Will 2016 be the year iOS malware goes mainstream?
Critical infrastructures will be highly targeted in 2015. SCADA and ICS networks were not designed for security. Attacks against these systems have increased in recent years. I expect this trend to only get worse. There are still many companies that run their critical systems on Windows XP as “There are some people who don’t have an option to change.” Many times the OS is running in automation and process control systems that run business and mission-critical systems, both in private sector and government enterprises. For example US Navy is using obsolete operating system Microsoft Windows XP to run critical tasks. It all comes down to money and resources, but if someone is obliged to keep something running on an obsolete system, it’s the wrong approach to information security completely.
Cars were hacked at record rate in 2015, and they will be hacked at least at the same rate in 2016. Modern cars are featuring more gadgetry and connected systems, and this will make vehicles just as vulnerable to today’s threats and attacks. I Am The Cavalry has published a five star Cyber Safety Framework to mitigate this threat in cars, hopefully car component makers study it.
IoT and smart devices are still at risk. The Internet of Things will continue to emerge, and businesses will need to think about how to protect their smart devices and prepare for the wider adoption of IoT. IoT platforms – not yet the weapon of choice for commercial malware authors – but business beware. Wearables won’t be safe, either, as they are built using largerly same too often vulnerable technologies as other IoT system. IoT security is still in in infancy in 2016.
Cyber criminals have become more active in 2015 particularly in the malicious the ransom fabrications. The ransom-malware problem will continue to be big in 2016. Commercial malware authors will continue to invest heavily and Exploit kits will continue to dominate on the web. Ransomware today is big business. Ransomware takes control of a computer and holds it hostage until the victim pays, usually in the digital currency Bitcoin. As a remedy against ransom-malware I recommend to ensure IT Support or your service provider the data back-up and restoring procedure operational, practiced and tested. You can need it in 2016 to get your data back without considering paying to criminals. To date ransomware has hit Windows users hardest, although Android and MacOS users are now also facing similar extortion.
Ransomware will continue to dominate in 2016 and it is only a question of time before we see things beyond data being ransomed. We have already seen websites being held ransom to DDoS. Intel’s McAfee Labs also noted a huge spike in ransomware in early 2015, and worries about ransomware in the IoT space—including medical devices. And Kaspersky predicts the “nightmare of ransomware” to continue and “spread to new frontiers” in 2016. Ransomware Is Coming to Medical Devices article tells that according to a report released recently week by Forrester Research the number one cybersecurity prediction for 2016: “We’ll see ransomware for a medical device or wearable.” “It’s definitely feasible from a technical standpoint”. Networked medical devices save lives. Despite the hacking risk, it’s an informed trade-off. Medical device ransomware would be a modern form of highway robbery with lives at stake.
Keep in mind that everything connected to the Internet can, and will be hacked. In 2016 If You’re Not Paranoid, You’re Crazy. As government agencies and tech companies develop more and more intrusive means of watching and influencing people, how can we live free lives? Unfortunately I don’t have solution for that.
2,232 Comments
Tomi Engdahl says:
Is the FBI Hiding a Firefox Zero-Day?
http://news.softpedia.com/news/is-the-fbi-hiding-a-firefox-zero-day-503026.shtml
A question posed by a researcher from the International Computer Science Institute in Berkeley, California has led many to believe, even us, that the FBI may be sitting on a Firefox zero-day which it is currently fighting in US courts to keep secret.
All the time while everybody was focused on the Apple vs. FBI fight to unlock the San Bernardino’s shooter iPhone, the FBI’s lawyers and the US Department of Justice were also busy battling the defense in a related case.
It all started with a seized Dark Web child pornography website
The Bureau says it used a network investigative technique (NIT) to detect and pinpoint the location of users that accessed and posted on that website, charging 137 US citizens following the incident.
Signs point to the FBI using a Tor Browser exploit
The Tor Project used a version of the Firefox ESR (Extended Support Release) browser to add their encrypted-layered-proxy technology on top and create the Tor Browser.
“the Tor Browser is simply Firefox running in a hardened mode.”
“Tor Browser exploits are automatically Firefox exploits as well”
“While many Firefox exploits will not work against the Tor browser—particularly those relying on Flash—the converse is not necessarily true. To the contrary, any Tor browser exploit is almost certainly a Firefox exploit too,”
FBI Is Pushing Back Against Judge’s Order to Reveal Tor Browser Exploit
Written by
Joseph Cox and Sarah Jeong
March 29, 2016 // 09:10 AM EST
https://motherboard.vice.com/read/fbi-is-pushing-back-against-judges-order-to-reveal-tor-browser-exploit
Last month, the FBI was ordered to reveal the full malware code used to hack visitors of a dark web child pornography site. The judge behind that decision, Robert J. Bryan, said it was a “fair question” to ask how exactly the FBI caught the defendant.
But the agency is pushing back
“Knowing how someone unlocked the front door provides no information about what that person did after entering the house.”
Tomi Engdahl says:
F-Secure’s Chief Research Officer Mikko Hypponen did not think often repeated security tips, that the Internet is not worthwhile to click on unknown links. For example, the spread of malware on Facebook evasions too general counsel is not effective in practice, says YLE interviewed Hyppönen.
“It’s almost the same as the advice that” Do not surf the Internet at all – Internet surfing is precisely the purpose of links to click, “Hyppönen says.
Facebook’s case, Hypponen sees the responsibility of the service provider that is, Facebook has the right, and keeping pure service is also its advantage
Source: http://www.tivi.fi/Kaikki_uutiset/hypponen-kumoaa-vanhan-tietoturvavinkin-ylella-ala-surffaa-netissa-lainkaan-6542661
Tomi Engdahl says:
Hackers can track your every call and movement, using just your phone number
http://www.cnet.com/news/60-minutes-demo-hackers-track-calls-and-movements-using-just-your-phone-number/
Forget complicated hacking tricks — spying on someone’s calls and texts and tracking their movements is as simple as knowing their phone number
Security experts say breaking into a smartphone is easier than you think — and they’ve spied on a US Congressman’s phone calls to prove it.
German computer engineer Karsten Nohl told “60 Minutes” in America that all a hacker needs is a phone number.
From there, Nohl says hackers can “track [the owner's] whereabouts, know where they go for work…spy on whom they call and what they say over the phone. And you can read their texts.”
Just by knowing the number of an off-the-shelf iPhone and exploiting a known network flaw, Nohl was able to spy on Representative Ted Lieu of California (who agreed to participate in the demo) — they then recorded his calls with “60 Minutes” and tracked his movements.
Tomi Engdahl says:
Jordan Pearson / Motherboard:
BlackBerry Won’t Confirm or Deny it Gave Encryption Keys to Law Enforcement — Last week, a joint investigation by Motherboard and VICE News revealed that Canada’s federal police are in possession of the “global encryption key” that unlocks every non-corporate BlackBerry user’s encrypted BBM messages.
BlackBerry Won’t Confirm or Deny it Gave Encryption Keys to Law Enforcement
http://motherboard.vice.com/read/blackberry-wont-confirm-or-deny-law-enforcement-global-encryption-key-bbm-rcmp
Last week, a joint investigation by Motherboard and VICE News revealed that Canada’s federal police are in possession of the “global encryption key” that unlocks every non-corporate BlackBerry user’s encrypted BBM messages. But we didn’t know how they got it.
BlackBerry still has not commented directly to Motherboard or VICE News on the specifics of the investigation, but CEO John Chen published a blog post on Monday addressing the report in broad strokes… very broad strokes.
Chen essentially gave a version of the US government’s standard GLOMAR response—that is, neither confirming nor denying the answer to the most burning question raised by our investigation: Did BlackBerry give the Royal Canadian Mounted Police, or RCMP, the key to every consumer BlackBerry user’s digital front door?
“Regarding BlackBerry’s assistance,” Chen wrote instead, “I can reaffirm that we stood by our lawful access principles. Furthermore, at no point was BlackBerry’s BES server involved.”
Exclusive: How Canadian Police Intercept and Read Encrypted BlackBerry Messages
http://motherboard.vice.com/read/rcmp-blackberry-project-clemenza-global-encryption-key-canada
Tomi Engdahl says:
Apple’s Penchant for Consumer Security
https://techpinions.com/apples-penchant-for-consumer-security/45122
At a security “deep dive” at Apple on Friday, executives went into depth on Apple security philosophy and technological approach to the matter. I’ve sat through many technology company’s technical briefings but never one from Apple which went deeper on custom silicon solutions than I had seen before. I’ll weave some technical tidbits I learned into this article but there was a theme which came up that struck me. More than a handful of times, presenters used the phrase “balancing security with ease of use”.
Tomi Engdahl says:
Do You Use Chrome Extensions? Google Finally Started Caring About Your Privacy
New Chrome Web Store policy will ban extensions and apps that gather your data without asking first.
http://www.inc.com/minda-zetlin/do-you-use-chrome-extensions-google-finally-started-caring-about-your-privacy.html
If you’ve never browsed the Chrome Web Store, it’s a cloud-based marketplace, similar to the Android Marketplace, where you can download extensions for your Chrome browser, as well as apps and games that run within Chrome much the same way mobile apps run on your smartphone or tablet.
Much like the Android Marketplace, the Chrome Web Store has been plagued with rogue applications and extensions that pretend to create value for users while actually serving nefarious purposes.
Today, Google took steps to put a stop to nefarious chrome apps and extensions, or at least place some limits on them. The company announced on its blog that it is updating and expanding its policies governing how user data is collected and used. “Since early on, Chrome has included privacy-protecting features,” the Chrome Policy Team explains in the blog post. “Now, we’re consolidating and expanding our policies about user data to ensure our Chrome Web Store developers follow similar principles.”
Developers will now be required to disclose their privacy practices and “be transparent” about how user data will be collected and used; post a privacy policy; use encryption for personal or sensitive user information; and ask users for consent before collecting personal or sensitive information, unless that information is “related to a prominent feature.”
What happens if they don’t? “We’ll notify developers when we discover items that violate the User Data Policy, and they’ll have until July 14, 2016 to make any changes needed for compliance,”
Tomi Engdahl says:
Google found 760,935 compromised web sites in a year
There’s a lot of lazy and/or lousy webmasters out there who don’t know they’re p0wned
http://www.theregister.co.uk/2016/04/19/google_80000_sites_breached/
Google and university researchers say the tech giant found some 760,935 compromised websites across the web during a year-long research effort.
Google’s Eric Kuan; Yuan Niu; Lucas Ballard; Kurt Thomas, and Elie Bursztein joined the University of California, Berkely’s Frank Li, Grant Ho, and Vern Paxson in writing Remedying Web Hijacking: Notification Effectiveness and Webmaster Comprehension [PDF]
In it the team says the Choc Factory usually emails the admins of hacked sites operating its Search Console. It finds up to three quarters of admins will expunge malware when emailed, while about half act when their sites are painted with browser and search warnings.
Most admins were quicker to patch and purge when tipped off by Google to the malware menace, with about 12 per cent falling flat and being compromised again within 30 days.
The research is Google’s latest effort to bring web admins into its anti-malware embrace. Google has urged admins to sign up to its Safe Browsing alerts.
Remedying Web Hijacking: Notification
Effectiveness and Webmaster Comprehension
https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/44924.pdf
Tomi Engdahl says:
Hacking Team hole still unpatched, exploit pop doc claims
‘Phineas Fihser’ says embedded device pwnage exposed spyware-for-states firm
http://www.theregister.co.uk/2016/04/19/hacking_team_hacker_dossier/
The hacker who claims responsibility for the flaying of Italian spyware-for-States firm Hacking Team says the vulnerability they used is yet to be patched and has detailed the process by which they claimed to have gained access to the huge trove of data and documents later dumped online.
The details are contained in a post broadcast from their known (Twitter account) but the veracity of the claims cannot be verified.
Tomi Engdahl says:
Lorenzo Franceschi-Bicchierai / Motherboard:
A look at the Latin American countries that bought Hacking Team exploit packages and then used them to spy on political opposition
Hacking Team’s ‘Illegal’ Latin American Empire
http://motherboard.vice.com/read/hacking-team-illegal-latin-american-empire
In early April, 2014, a spy from the Ecuador’s intelligence agency sent a flurry of emails to the support team of Hacking Team, a company of Italian hackers-for-hire that works with government agencies around the world.
The agent, Luis Solis, needed Hacking Team to plant its spyware in a series of PDF documents he planned to send. This episode would’ve been just another story of a customer asking for help booby-trapping email attachments—which was standard procedure for Hacking Team—if it wasn’t for the target of the investigation.
”I was incensed to see how an Italian company sold to my country’s government software to spy on citizens that, just like me, were critical of the government.”
Hacking Team’s support engineer Bruno Muschitiello seemed worried—not because his customer wanted to use the company’s Remote Control System, or RCS, spyware against a political opponent—but because he thought he’d get caught.
“It is not a good choice send [sic] many exploit documents to the same target, it can be very risky, the target may suspect something,” Muschitiello wrote in an email.
“I had four email accounts and problems with all of them,” Figueroa told the Associated Press, which first reported on the incident last year. “I also had problems with Facebook. At one point, it seems like they attacked all my communications on social media.”
”If you give spyware to the police who makes students disappear, you’re practically giving it to the organized crime.”
There’s evidence that Hacking Team’s Mexican customers weren’t just using it to hunt down drug lords.
Tomi Engdahl says:
Adam Conner-Simons / MIT News:
MIT’s new AI platform, which incorporates input from human experts, can predict 85% of cyberattacks, which is 3x better than previous benchmarks — System predicts 85 percent of cyber-attacks using input from human experts — Virtual artificial intelligence analyst developed …
System predicts 85 percent of cyber-attacks using input from human experts
http://news.mit.edu/2016/ai-system-predicts-85-percent-cyber-attacks-using-input-human-experts-0418
Virtual artificial intelligence analyst developed by the Computer Science and Artificial Intelligence Lab and PatternEx reduces false positives by factor of 5.
Today’s security systems usually fall into one of two categories: human or machine. So-called “analyst-driven solutions” rely on rules created by living experts and therefore miss any attacks that don’t match the rules. Meanwhile, today’s machine-learning approaches rely on “anomaly detection,” which tends to trigger false positives that both create distrust of the system and end up having to be investigated by humans, anyway.
But what if there were a solution that could merge those two worlds? What would it look like?
In a new paper, researchers from MIT’s Computer Science and Artificial Intelligence Laboratory (CSAIL) and the machine-learning startup PatternEx demonstrate an artificial intelligence platform called AI2 that predicts cyber-attacks significantly better than existing systems by continuously incorporating input from human experts. (The name comes from merging artificial intelligence with what the researchers call “analyst intuition.”)
The team showed that AI2 can detect 85 percent of attacks, which is roughly three times better than previous benchmarks, while also reducing the number of false positives by a factor of 5. The system was tested on 3.6 billion pieces of data known as “log lines,” which were generated by millions of users over a period of three months.
Creating cybersecurity systems that merge human- and computer-based approaches is tricky, partly because of the challenge of manually labeling cybersecurity data for the algorithms.
Tomi Engdahl says:
All-Python malware nasty bites Windows victims in Poland
Slurps keystrokes, mines Bitcoin, even sets up web servers
http://www.theregister.co.uk/2016/04/19/python_malware_windows_executable_poland/
Malware authors have put together a strain of malicious code written entirely in Python, in what may turn out to be an experiment in creating a new type of cross-platform nasty.
PWOBot is written entirely in Python, and compiled via PyInstaller to generate a Microsoft Windows executable.
The malware has already infected a number of Europe-based organisations, particularly in Poland, according to new research.
Distribution routes include the popular Polish file-sharing web service chomikuj.pl. Victims include a Polish national research institution, a Polish shipping company, a large Polish retailer, a Polish information technology organisation, a Danish building company and a French optical equipment provider.
The underlying code is cross-platform, so the nasty might easily be ported over to the Linux and OS X operating systems.
Tomi Engdahl says:
Attackers packing malware into PowerShell
It’s 2016 and the macro virus is still a thing thanks to phools phalling for spear phishing
http://www.theregister.co.uk/2016/03/15/attackers_packing_malware_into_powershell/
Microsoft’s PowerShell has once again become an attack vector for malware, this time a file-less attack dubbed “Powersniff” by Palo Alto Networks.
The attack arrives through e-mails containing Word documents bearing malicious macros, almost as if it isn’t more than 15 years since the first macro viruses were let loose on the world.
Infected files are being distributed in standard spear-phishing attacks.
Tomi Engdahl says:
Viber adds end-to-end encryption and hidden chats as messaging app privacy wave grows
http://techcrunch.com/2016/04/19/viber-adds-end-to-end-encryption-hidden-chats-universal-delete-as-messaging-app-privacy-grows/
Following WhatsApp’s move to add end-to-end encryption to its platform, another big messaging company is joining the wave of apps turning on expanded privacy features. Viber — a messaging app with 711 million+ users — today is introducing end-to-end encryption for all messages and calls on its platform, including group chats (you can chat with up to 200 people), and a way to ‘hide’ chats on your account alongside its existing expanded deleting function.
The company — founded in Israel and acquired by Japan’s Rakuten in 2014 — says the new services will be rolled out globally in the coming weeks, starting today in four countries where Viber centers most of its R&D: Brazil, Belarus, Israel and Thailand.
The new privacy features will work across Android, iOS, PCs and Mac desktops, with the encryption coming with the latest app update (6.0) and a reauthentication of the app (via QR Code) to turn the feature on.
Tomi Engdahl says:
Patching up Web applications
New debugging method found 23 undetected security flaws in 50 popular Web applications.
http://news.mit.edu/2016/patching-web-applications-0415
By exploiting some peculiarities of the popular Web programming framework Ruby on Rails, MIT researchers have developed a system that can quickly comb through tens of thousands of lines of application code to find security flaws.
In tests on 50 popular Web applications written using Ruby on Rails, the system found 23 previously undiagnosed security flaws, and it took no more than 64 seconds to analyze any given program.
The researchers will present their results at the International Conference on Software Engineering, in May.
According to Daniel Jackson, professor in the Department of Electrical Engineering and Computer Science, the new system uses a technique called static analysis, which seeks to describe, in a very general way, how data flows through a program.
“The problem with this is that it can’t be completely accurate, because you lose information,”
With Web applications, however, the cost of accuracy is prohibitively high, Jackson says. “The program under analysis is just huge,” he says. “Even if you wrote a small program, it sits atop a vast edifice of libraries and plug-ins and frameworks. So when you look at something like a Web application written in language like Ruby on Rails, if you try to do a conventional static analysis, you typically find yourself mired in this huge bog. And this makes it really infeasible in practice.”
Ruby on Rails — or Rails, as it’s called for short — has the peculiarity of defining even its most basic operations in libraries. Every addition, every assignment of a particular value to a variable, imports code from a library.
Near rewrote those libraries so that the operations defined in them describe their own behavior in a logical language. That turns the Rails interpreter, which converts high-level Rails programs into machine-readable code, into a static-analysis tool. With Near’s libraries, running a Rails program through the interpreter produces a formal, line-by-line description of how the program handles data.
Tomi Engdahl says:
Corporate data leakage from mobile devices
Blancco Mobile Technology provides hardware diagnostic tools has taken an interesting study, which surveyed both use their own mobile devices in companies that arising from the use of mobile devices to threats. Company data is leaked out via a smart phone which is the fifth company.
BYOD, or to use their own devices at work (Bring Your Own Device) has spread rapidly all over. Blancco on the basis of the study 40 percent of companies allow BYOD use of all workers and 32 per cent for selected employees. Only 13 percent of companies do not intend to allow the use of their own equipment for the treatment of duties.
Contribute to their own devices many companies afraid of leakage into the hands of unauthorized data or data loss (72 percent of those surveyed). The concern is justified, because every fifth company (21 per cent), mobile devices have reason to data theft. In addition, 37 per cent are not sure whether this is the case.
The company’s data is at risk, even when the employee leaves the company. Just under a third of companies (29 per cent) deletes all the data on employee devices.
Source: http://etn.fi/index.php?option=com_content&view=article&id=4287:yritysten-data-vuotaa-mobiililaitteista&catid=13&Itemid=101
Tomi Engdahl says:
VXers pass stolen card data over DNS
NewPosThings back as Multigrain, says Fireeye
http://www.theregister.co.uk/2016/04/20/vxers_pass_stolen_card_data_over_dns/
The NewPosThings malware has spawned an offspring that exploits the DNS protocol to sneak data past firewalls.
The VXers have reasoned DNS has a couple of advantages for data exfiltration. Since the enterprise network can’t talk to the Internet without it, it’s unlikely to be blocked; and since it’s probably thought of as more-or-less benign, sysadmins probably don’t look too hard at what’s in DNS packets.
As Fireeye notes, sysadmins in card-processing environments will generally pay much more attention to monitoring, restricting or blocking HTTP or FTP traffic. Prior POS malware attacks to use DNS include BernhardPOS and FrameworkPOS.
The “Multigrain” variant of NewPosThings, discussed here, targets the multi.exe back-end POS process – if that’s not present, the attack ends.
Tomi Engdahl says:
FBI Tells Congress It Needs Hackers To Keep Up With Tech Company Encryption
https://yro.slashdot.org/story/16/04/19/2036201/fbi-tells-congress-it-needs-hackers-to-keep-up-with-tech-company-encryption
A high ranking technology official with the FBI told members of Congress Tuesday that the agency is incapable of cracking locked phones and devices on its own, even with additional resources. Amy Hess, the agency’s executive assistant director for science and technology told a panel of the House Energy and Commerce Committee that encrypted communications continue to pose a challenge to the American law enforcement, and to the safety of the American public.
FBI Tells Congress It Needs Hackers To Keep Up With Tech Company Encryption
https://www.buzzfeed.com/hamzashaban/fbi-says-bolstering-its-own-capability-to-crack-encrypted-de#.cdG6OgrvN1
A high ranking FBI official tells Congress that developing solutions to penetrate encrypted devices is too costly and sometimes requires expertise that the FBI does not have.
Tomi Engdahl says:
Google Admits That Google.com Is Partially Dangerous
https://news.slashdot.org/story/16/04/20/029227/google-admits-that-googlecom-is-partially-dangerous
For over a decade, Google’s Safe Browsing technology has helped to alert users to dangerous sites, where malware and phishing exploits can be found. Apparently, one of those unsafe sites is none other than Google.com itself.
According to eWeek, “Google’s automatic spidering of the Web will catch some malicious sites, and by Google’s own admission, there are sites in its index that will redirect users to locations that will attempt to install malware on their computers.”
Google Is Partially Dangerous—According to Google
http://www.eweek.com/blogs/security-watch/google-is-partially-dangerousaccording-to-google.html
Searching on Google.com might be dangerous—don’t take my word for it, take Google’s. The search giant’s own Transparency Report for Google.com gives itself a current rating of “partially dangerous.’”
The reason for the “partially dangerous” status? According to the report, “Some pages on google.com contain deceptive content right now.”
Google’s Safe Browsing technology scans Websites for potential risks to warn users before they visit unsafe sites.
Tomi Engdahl says:
Google is currently listing Google.com as a partially dangerous domain
http://thenextweb.com/google/2016/04/19/google-currently-listing-google-com-potentially-dangerous-domain/
Err, that embarrassing moment when your own Transparency Report tools list your primary source of revenue as a ‘partially dangerous domain’ that could be serving up malware.
That’s right, Google’s warning anyone who cares to check that Google.com is currently at risk of serving you up something worse than targeted advertising.
Presumably, this is down to the way in which Google’s ad network operates
Tomi Engdahl says:
These are the ‘well-intentioned’ people who want to kill encryption
http://thenextweb.com/us/2016/04/20/these-are-the-well-intentioned-people-who-want-to-ruin-encryption/
Remember these faces, because they want to ruin technology for the whole world.
These are the “well-intentioned” senators, Republican Richard Burr (60) and Democrat Dianne Feinstein (82), that have penned The Compliance with Court Orders Act 2016 draft seeking to end encryption in the name of national security.
The pair are chair and vice-chair of the Senate Intelligence Committee, respectively, and the draft bill has no doubt been written as some sort of response to the FBI versus Apple case.
Now, just about everyone who’s anyone in tech – that’s Apple, Microsoft, Google, Facebook, Amazon, Netflix, eBay and Dropbox – have joined forces under four industry coalitions to call out this latest “unworkable” plan in an open letter.
On the potential economic ramifications, it suggests the proposal will: “only serve to push users to non-US companies, in turn undermining the global competitiveness of the technology industry,” which should strike right where it’s supposed to with elected officials.
Tomi Engdahl says:
’60 Minutes’ asked a security firm to hack an iPhone and we’re all basically screwed
http://thenextweb.com/insider/2016/04/18/60-minutes-asked-a-security-firm-to-hack-an-iphone-and-were-all-basically-screwed/
Apple’s battle with the FBI may have whipped the tech world into a frenzy of establishment-hating wannabe anarchists, but it’s this ’60 minutes’ segment that should really piss you off.
Wanting to find out just how safe our phones are from hackers, the 60 minutes team sought professionals from Security Research Labs to break into Congressman Ted Lieu’s iPhone. Lieu, a member of the House Oversight and Reform Subcommittee on Information Technology (an acronym that’s dangerously close to spelling h-o-r-s-e-s-h-i-t) agreed to be the team’s guinea pig.
While security professionals are abuzz with theories — ranging from deep freezing the flash memory to creating its own operating system — on how the FBI accessed the San Bernardino shooter’s iPhone, it turns out all Security Research Labs needed to access secure data was Congressman Lieu’s phone number.
It’s not apples-to-apples; the researchers weren’t accessing encrypted files or attempting to gain access to the physical device, but what they were able to accomplish with just a phone number is still incredible.
With those digits alone, the team was able to hear and record Lieu’s phone calls, track his movement, view his contacts and create a log of all incoming and outgoing calls.
Signaling System 7 (SS7) is a global network that connects all phone carriers around the world into a singular hub, of sorts. The hack exploits a known security flaw in SS7, but one that’s proven relatively difficult to fix due to the way SS7 is governed, or not governed, in this case.
Tomi Engdahl says:
Charisse Jones / USA Today:
Visa says EMV technology is reducing counterfeit fraud, up to 18% for some big merchants
Visa: Some merchants see dip in fraud thanks to chip cards
http://www.usatoday.com/story/money/2016/04/19/some-major-merchants-see-dip-counterfeit-fraud-thanks-chip-cards-visa-says/83194722/
Chip-enabled cards are supposed to be safer in theory, but when shopping online or with retailers who haven’t caught up to the technology, they’re no more secure than cards with magnetic stripes.
The new chip-enabled cards flowing into the U.S. marketplace have already made a dent in fraud, with some of the biggest merchants seeing a dip of more than 18% in counterfeit transactions, according to Visa.
“We’re seeing EMV is having a positive impact on counterfeit fraud,’’ Ericksen says. “Merchants who implement chip, their counterfeit fraud is going down, while those still finalizing plans, their counterfeit fraud is going up.’’
Microchip embedded cards, already common in Europe and Brazil are considered a more secure alternative to those bearing just a magnetic stripe because they generate a unique code for each transaction. That makes them more difficult to counterfeit, and helps to cut down on fraudulent uses.
MasterCard meanwhile says that as of last month, 70% of its consumer credit cards were chip equipped, a 50% bump since October of last year
Tomi Engdahl says:
FBI can’t unlock 13% of password-protected phones it seized, official says
http://www.usatoday.com/story/news/politics/2016/04/19/fbi-cant-unlock-13-password-protected-phones-seized-official-says/83224860/
The FBI cannot unlock 13% of the password-protected cellphones it has seized as evidence in the past six months, a top bureau official told a House panel Tuesday.
About 30% of the 3,000-plus phones that the FBI has seized since Oct. 1 require passwords to open
“Clearly, that presents us with a challenge,” Hess told members of the House Energy and Commerce Committee, which brought in law enforcement officials and tech experts to testify about the pros and cons of “end-to-end” encryption, which is designed so that only users can unlock it.
Congress is struggling to decide what legislation — if any — it should pass on encryption.
Law enforcement officials say that such a law is needed to keep terrorists and criminals from hiding plots and evidence from investigators armed with court orders. Silicon Valley has come out strongly against the bill, saying it will make Americans more vulnerable to cyber criminals and hackers.
Requests involving more than 500 encrypted devices flooded the FBI’s Computer Analysis Response Team and the agency’s Regional Computer Forensic Laboratory programs during a four-month period beginning last October, FBI officials have said.
Tomi Engdahl says:
Malware replaced the crowbar in ATMs robberies
TMs robbery malware using have become more common around the world. Also, Finland has prepared for vending machines exhaustive programs.
The thieves also hit ATMs more and more technical means.
- Traditional man and a crowbar method is a minority because of risk of getting caught. It has been quite a bit of casuistry opportunities, says security expert Klaus Niki security company Nixusta.
- An increase in the malware to attack in the vending system.
Adverse program will be the same as crowbars: to get inside the ATM out of money. Malware using ATMs trying to get their money to push out through the normal banknote opening.
Malware attacks have been going on for several years. The ATM service provision in Finland Automatia director Ari Partanen, for example, Russia and Ukraine were carried out in 2010, a lot of malware attacks Diebold ATMs produced by the company.
- The fact that Europol will be such a report, it is a sign that such a form of crime is on the rise, says Partanen.
The European security organization responsible for ATMs EAST companies has collected information on the malware attacks until a couple of years. In 2014, reported cases in Europe was 51, but only 15 last year.
Western Europe ATMs have been emptied malware, at least in the UK and Germany. However, the automatic robberies in Finland malware is not detected.
- I do not believe that the tools used in Europe as such would be suitable for Finland.
The most common associated with ATMs criminal form, however, are still Skimmers, or discreetly connected to the machines readers, which seeks to copy the users machine card details and pin-codes. According to Partanen, ID copy now used in more high-tech than malware.
Source: http://www.digitoday.fi/tietoturva/2016/04/21/haittaohjelma-korvasi-sorkkaraudan-pankkiautomaattien-ryostoissa/20164288/66?rss=6
Tomi Engdahl says:
Hackers jailed over SpyEye virus that robbed bank accounts worldwide
https://www.theguardian.com/technology/2016/apr/21/hackers-jailed-over-spyeye-virus-that-robbed-bank-accounts-worldwide
Russian developer known online as ‘Gribodemon’ and ‘Harderman’ gets nine years in US jail, while malware vendor ‘Bx1’ receives 15 years in billion-dollar case
The Russian creator of a computer program that enabled cybercriminals to infect millions of computers and drain bank accounts in multiple countries has been sentenced to serve nine and half years in a US federal prison.
Aleksandr Andreevich Panin, 27, the inventor of SpyEye who went by aliases “Gribodemon” and “Harderman” online, pleaded guilty to a count of conspiracy to commit bank and wire fraud in January 2014 after reaching a deal with prosecutors.
Prosecutor Steven Grimberg said SpyEye a pre-eminent piece of malware from 2010 to 2012 and was used to infect more than 50m computers, causing nearly $1bn in damage to individuals and financial institutions around the world.
SpyEye was a type of Trojan virus that secretly implanted itself on victims’ computers to steal sensitive information, including bank account credentials, credit card information, passwords and PINs. Once it took over a computer, it allowed hackers to trick victims into surrendering personal information — including data-grabbing and fake bank account pages. The information was relayed to a command and control server to be used to access victim accounts.
Panin conspired with others to advertise SpyEye in online cybercrime forums and sold versions of the software for prices ranging from $500 to $10,000, FBI Special Agent Mark Ray testified.
Ray’s testimony offered a glimpse into the world of online marketplaces where cybercriminals advertise, buy and sell malicious software, using aliases to avoid arrest.
Panin advertised SpyEye as early as June 2010 on Darkode.com, a cybercrime forum dismantled by the FBI last July. Before it was taken down
With the cover of anonymity and payments made through online currency servers, reputation is extremely important on cybercrime forums
Tomi Engdahl says:
Ex-NSA security expert develops generic Mac ransomware blocker
RansomWhere? suspends untrusted processes
http://www.theregister.co.uk/2016/04/20/mac_ransomware_detection/
An Apple security expert has developed a free-of-charge standalone ransomware defense tool for OS X.
Patrick Wardle, a former NSA staffer who now heads up research at crowdsourced security intelligence firm Synack, has built RansomWhere?, a generic ransomware detector. The utility works by suspending untrusted processes that are encrypting files, a hallmark of ransomware attacks, before firing up an alert for users to act upon, as explained here.
https://objective-see.com/products/ransomwhere.html
Tomi Engdahl says:
Cybercrooks turn away from banks. Your health records are far juicier
Why break into Fort Knox when you can get a data treasure trove from hospital?
http://www.theregister.co.uk/2016/04/20/cybercrooks_switching_targets/
Cybercrooks are switching up targets moving away from retail and financial services onto healthcare and government last year, according to figures from IBM’s security business.
Retail drops out of top five most attacked sector while financial targets dropped from #1 to #3 in IBM X-Force’s 2016 Cyber Security Intelligence Index. The new highest volume breaches in 2015 centered on healthcare (most attacked), manufacturing (second place), government (fourth) and transportation. Healthcare’s prominence as a target for attacks is essentially because cybercrooks have tuned into ways of making money from stolen healthcare data, making health insurance firms, clinics and hospitals an increasingly attractive target.
“Five of the eight largest healthcare security breaches since the beginning of 2010—those with more than one million records reportedly compromised—took place during the first six months of 2015,” IBM X-Force researchers explain. “In fact, over 100 million healthcare records were reportedly compromised in 2015.”
“Packed with a wealth of exploitable information, electronic health records fetch a high price on the black market. They typically contain credit card data, email addresses, social security numbers, employment information and medical history records—much of which will remain valid for years, if not decades. Cyber thieves are using that data to launch spear phishing attacks, commit fraud and steal medical identities.”
Elsewhere the threat for banks and other financial service firms from extortion has increased. The number of breaches in the financial services industry that involved extortion tactics or theft of currency rose by 80 per cent (or almost doubled) in 2015. At the same time, many commercial banking clients fell victim to the Dyre and Dridex Trojans, which were responsible for a large number of multi-million dollar heists targeting enterprises last year.
Tomi Engdahl says:
How innocent people ‘of no security interest’ are mere keystrokes away in UK’s spy databases
Blighty’s classified manuals on mass snooping revealed
http://www.theregister.co.uk/2016/04/21/bulk_personal_datasets/
Classified mass-surveillance manuals for UK spies have been published today amid a legal battle against the British government.
The newly obtained documents set out Blighty’s secret do’s and don’ts for monitoring populations. The files acknowledge that chapter and verse on the lives of people “of no security interest” lie within the spooks’ secret databases – and analysts and agents are simply told to avoid pulling up their information.
‘Staggering extent to which the intelligence agencies hoover up our data’
Bulk Personal Datasets Challenge
https://privacyinternational.org/node/843
Tomi Engdahl says:
Biometrics not a magic infosec bullet for web banking, warns GCHQ bloke
You can change a password. You can’t change fingerprints
http://www.theregister.co.uk/2016/03/18/biometrics_not_answer_online_banking_security_gchq_cesg_allgrove/
Around the world, banks are implementing biometric authentication systems for their customers as fraud cases increase – but experts warn biometrics should not be treated like a silver bullet for ID woes.
Earlier this year, HSBC announced the launch of Voice ID for its customers in the UK, alongside fingerprint authentication, to offer a more secure service to its mobile banking customers by allowing them to authenticate themselves with their unique biological features.
Classically the three factors of authentication have been something an individual knows, something they have, and something they are. While biometrics have come to typify the latter category, they have not done so without concern.
Something you are, rather than something you know, is capable not merely of allowing individuals to voluntarily authenticate themselves, but also exposes them to the risk of being identified, potentially covertly and without their consent, for the purposes of surveillance.*
In the already highly-surveilled world of finance, however, there is little defence of anonymity, such as in cash transactions, due to the risk posed by theft and money laundering. The use of chip-and-pin cards to provide two-factor authentication (having the chip and knowing the pin) provides security in raising the bar for fraudulent access, and also in creating a record of expenditure.
This certainly benefits victims, whose losses to cybercriminals, for instance, are reimbursed far more often than losses may be when cash is stolen from a wallet.
Speaking at a Westminster Business Forum on Biometrics, the CESG’s Head of Identity in Government, Dr Chris Allgrove, claimed that society had reached “the tipping point” at which financial and other services have started backing the introduction of biometrics for authentication, according to Allgrove, due to the mass misuse of alternative authentication methods.
In the work conducted by GCHQ’s information assurance arm, Allgrove noted that “people basically use passwords that are not terribly helpful, people don’t use them well, people don’t follow rules – or the rules are so horribly complicated that there’s no point following them.”
This was “not to say they’re rubbish, it’s not to say that they shouldn’t be used,” said Allgrove, “but they need to be used wisely” – and they rarely are, he suggested.
Existing technology has underpinned the developments in alternatives, and some of it has been in existence for quite a while.
Dactyloscopy, or fingerprint identification
According to Allgrove, different manufacturers may implement different security paradigms for uploading apps or accessing information, “but they are all vulnerable.”
Spook security
Biometrics are not a silver bullet to such issues, Allgrove stressed to his audience, adding that anyone who says otherwise is “either very, very naïve, or just not telling the truth.”
The CESG-man listed Cheltenham’s concerns, starting “with the sensor or the biometric device where you’re capturing the sample, creating a template from that, storing the template and then using the template against its reference.”
“These are all areas that we need to be concerned about, and they will be targets,” he told the forum. However, threats and attacks will not only be targeting these particular functions, he said; concern must equally address “how the biometric component interacts with the wider world, whether it’s an application that’s using it to authenticate somebody’s identity, or the host operating system, any of the external service that the service providers will be running their service from.”
The point of this is it’s not just a spoofing tactic, it’s not just making an artefact that mimics somebody’s physical characteristic. It’s a lot more than just playing with Gummy Bears.
Tomi Engdahl says:
Gumtree serves world’s worst exploit kit to scores of Aussies
Stolen law firm creds, iconography, used to seed Angler.
http://www.theregister.co.uk/2016/03/29/gumtree_aus_serving_angler/
Malware expert Jerome Segura says Australia’s most popular classifieds site, Gumtree.com.au, was serving the world’s most capable exploit kit to some of its millions of monthly visitors.
The site is Australia’s twelfth-most-popular website and last month attracted some 47.8 million views. Parent site eBay Australia scored 74.6 million views.
Segura says attackers hacked a Sydney legal firm and spun up a legitimate-looking subdomain from which to host the exploit infrastructure.
From there they flipped between legitimate and malicious advertisements to confuse ad market vendors.
“The rogue advertisers simply lifted the company logo and some text from their website to create what looks like a typical ad banner,” Segura says.
“They then approached ad networks and pretended to want to advertise under the disguise of the victims they abused.
“By alternating between clean and malicious versions of the same ad banner, these crooks can dupe the ad industry and carry out their attacks in stealthy ways.”
It is unknown how many visitors were exposed, and what malware was dropped on those who were infected.
Users most at risk are typically those running un-patched machines chronically insecure code like Internet Explorer, Adobe Flash or Java.
Tomi Engdahl says:
PC World’s cloudy backup failed when exposed to ransomware
30-day backup promise wasn’t, says aggrieved customer
http://www.theregister.co.uk/2016/03/22/pc_world_knowhow_shortcomings/
The shortcomings of consumer-grade backup services in protecting against the scourge of ransomware have been exposed by the experiences of a UK businesswoman.
Amy W, who runs a small business in the Newbury, Berkshire area, was convinced that the KnowHow cloud was the only backup technology she’d ever need1 when she bought a laptop from PC World.
Eight months later, however, in the aftermath of a ransomware infection, Amy discovered that the KnowHow cloud backed up all her newly encrypted files and didn’t keep any revisions, leaving her unable to restore files from a historic clean backup.
PC World suggested that Amy’s machine might have been infected with the ransomware for weeks before she discovered the problem, a suggestion she strongly denied.
“It was Cryptowall,” Amy said. “It came through as an invoice. It wanted me to pay £1000 to get a key to unlock files and the price doubled every 14 days.”
Chris Boyd, a senior malware intelligence analyst at Malwarebytes, said that the case illustrates the wider potential shortcomings of cloud-based backups as a defence against ransomware.
“In general, cloud backup is another useful tool to help ward off the threat of ransomware, but isn’t applicable in all situations,” Boyd told El Reg. “Individuals and businesses may rightly balk at uploading potentially sensitive documents into the cloud where they suddenly have no control over it, and should look into file encryption of their own to ensure nothing valuable leaks.”
“Offline backups would be the best way to go, especially as you have full control over the data at all times. Not all cloud backup hosts offer the ability to roll back to specific dates, which is a disaster in situations where malware butts heads with an automatic upload. Off-the-shelf backup solutions are fine for most things, but should go hand in hand with a layered approach which could include AV [anti-virus], anti-malware and exploit protection,” he added.
Tomi Engdahl says:
Open-Source Project Secretly Funded by CIA
http://www.linuxjournal.com/content/open-source-project-secretly-funded-cia
It’s fair to say that the interests of governments and the FOSS community are not always aligned. That’s not to say that the US government is out to crush every FOSS project or that every FOSS user is on a secret mission to destroy the government. Nonetheless, the relationship is often a strained one.
So it shouldn’t be surprising that the Open Source community gets a little restless when it learns that the government has its hands in an open-source project—particularly when we discover it’s secretly pouring money into the pockets of developers to develop features it requires. And, when the government agency in question is the CIA—well, you can understand why some feathers are rustled.
It shouldn’t be surprising to learn that the CIA is a big investor in tech development. After all, if there’s one thing we’ve learned from spy movies and TV, it’s that spies love their gadgets.
If there’s a suitable commercial project in development, the answer is venture capital. The CIA has its own venture capital branch called In-Q-Tel. In-Q-Tel’s mission is to get the required technology into the hands of the CIA’s analysts and agents as soon as possible. It does that by using its money to support the R and D costs of public companies who are working on similar products.
Of course, as Silicon Valley continues to embrace open source, that means a number of open-source projects actually are funded by the CIA. Docker is one example of a high-profile open-source firm that was secretly funded by the CIA.
Given the recent FBI demands to insert back doors into iPhones to “help investigate criminals”, you can understand why some privacy advocates are worried as to how much control the CIA exerts over some of these projects.
Of course, adding a back door to Docker would be quite hit-and-miss as a spying strategy. It seems more likely to me that the CIA wants to steer the project to meet its own container needs
But even if spying on end users isn’t the goal, another concern is that projects like Docker could be steered in the wrong direction
Tomi Engdahl says:
Ashley Madison Hacking Victims Face A Big Decision
http://fortune.com/2016/04/20/ashley-madison-data-breach-lawsuit-names/
They must reveal their identities to join lawsuit.
Last year, hackers tore into Ashley Madison, a website for people seeking extramarital affairs, and dumped personal information about its users online.
Dozens of the site’s 32 million members filed suit and are pooling their litigation into a proposed class action against Avid Life Media, Ashley Madison’s parent company. A district court judge in Missouri, where the case is set be heard, has ordered the plaintiffs to submit a consolidated complaint by June 3, Ars Technica reported, citing a court document.
“there is a compelling public interest in open court proceedings, particularly in the context of a class action, where a plaintiff seeks to represent a class of consumers who have a personal stake in the case and a heightened interest in knowing who purports to represent their interests in the litigation.”
The ruling will likely have a repercussion: some of the plaintiffs will drop out.
John Driscoll, the attorney behind the consolidated suit, told Fortune that the name requirement will presumably reduce the number plaintiffs in the class action lawsuit.
Plaintiffs, of course, have an incentive to go on the record: They stand to win any monetary rewards if they triumph in court. Revealing themselves, however, opens them up to scrutiny even beyond the acknowledgement that they signed up for the site. Anyone can rifle through Ashley Madison’s stolen records to dig up sensitive personal information about them, for example.
Tomi Engdahl says:
Free Wi-Fi hotspots are a major security threat for businesses
http://betanews.com/2016/04/21/free-wi-fi-security/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed+-+bn+-+Betanews+Full+Content+Feed+-+BN
Free Wi-Fi hotspots are the biggest security threat for mobile workers, according to new reports.
The recently released iPass Mobile Security Report says that 62 per cent of organizations are banning their mobile workers from using free Wi-Fi hotspots, with another 20 percent planning on doing the same in the future.
For 94 percent of surveyed companies, free and open Wi-Fi hotspots are a “significant mobile security threat”.
“Wi-Fi is a disruptive technology that has changed the way people work, but in recent times it has also introduced formidable mobile security concerns”, said Keith Waldorf, VP Engineering at iPass. “Being connected is the basic requirement of every mobile worker. However, with increasing numbers of businesses falling afoul to security breaches, the number of organizations expressing a concern about mobile security is high. The use of free and insecure Wi-Fi hotspots in particular is a growing concern, as organizations balance the need for low-cost and convenient connectivity against the potential threat posed by hackers”.
Tomi Engdahl says:
Interfaces create new business – and cry for security
fewer than half of the commercial cloud services like Salesforce or eBay’s revenue is generated through the browser front nyhertävien end-user actions.
Most of the revenue coffers jingle grindstone through customers or partners’ self-written applications. Smartphones and tablets use applications has become so common that the use of the browser is an exceptional case.
Services can be accessed via the application interface, or API interface. The cloud giants in the wake of the quite ordinary companies have started to publish their own APIs for example product catalogues, business apps or info to their services. Open data providers are also significant APIs publishers.
The use of APIs can already view as a separate business as a form, API economy. Public APIs directory to maintain ProgrammableWeb.com. The directory is as of this writing 13 990 APIs.
API stands for application programming interface.
The current API-boom at the heart of Web APIs represent a new generation of the 2010s. The most common standards are rest and json, but on top of them built practices are less formal and therefore easier to use than SOA
When new business models are developed with enthusiasm, unpleasant basics such as security meet to be forgotten.
security breaches and vulnerabilities associated with api implementations past few years have raised the headlines of all the known companies like Facebook, Snapchat, Tinder, Twitter … Even the US tax authorities
As SOA time, the development of important standardized security procedures such as WSS (Web Services Security) and SAML.
Rest APIs, the world dispersion is more; the main security procedures are traffic TLS encryption, secure access to the delegation of the OAuth 2.0 and OpenID, and json-practices to protect jw family of encryption standards.
Of course, nothing to force the use of any specific procedures, because the API is a kind of two-way street. Apin publisher is satisfied if Apia is used, and the feedback will come in, hopefully not in the form of information leakage. Minority apin publishers to verify customers’ applications in any way – if api provides a technically sufficient data security, its use is the customer’s responsibility.
German University of Darmstadt and Fraunhofer SIT organization researchers reported in May to have found Parse- Facebook and Amazon AWS user databases of tens of millions of virtually unprotected user data: email addresses, passwords, contacts, and even financial payment transaction data
Researchers found Google’s and Apple’s app store multitudes of applications that have registered those background services confidential user data without any other protection. Such an application API is contrary to the instructions for use of services, but too few people thinking the author of the application security issues enough.
The end user is the entire unprotected against API threats; the ball is application developers. Owasp organization’s vulnerability statistics is a useful checklist to API developers. After careful software design and coding, can be used in the finished code vulnerability testing. Traditional testing products are indeed not very useful with novel APIs.
According to Gartner, published in August of applications security testing tools report goes through the 19 products. It is only a sparse instrument descriptions indicate any willingness to test the REST / JSON APIs, although progress has been over the last couple of years, just started to happen.
If several different APIs use the same authentication process, this should be implemented in a special API gateway on the other hand, that every programmer encodes its own solution.
APIs centralized management products are offered by many well-established enterprise software companies such as CA, IBM and Software AG.
Source: http://www.tivi.fi/Kaikki_uutiset/rajapinnat-luovat-bisnesta-ja-huutavat-tietoturvaa-6543765
Tomi Engdahl says:
Criminals hide child abuse images behind legal porn sites
https://www.theguardian.com/technology/2016/apr/21/criminals-hide-child-abuse-images-behind-legal-porn-sites
Viewers of adult material at risk of prosecution as commercial sites are increasingly being used to conceal paedophile content.
People viewing or searching for adult pornography online face the risk of being arrested for accessing child abuse images because paedophiles are increasingly hiding criminal content on legal commercial websites, the Internet Watch Foundation has warned.
The past 18 months have seen a significant rise in the use of disguised websites that provide a secret route to child sexual abuse content
Langford said they were using a new technique where only legal content was displayed if the site was accessed directly through a browser but illegal child abuse images were shown if a specific pathway of links was used.
Last year, the IWF found that 21% of the webpages containing illegal images and videos were commercial and those seeking to profit from the abuse were increasingly disguising it behind legal content
Langford said the trend raised the risk that people searching for adult pornography could unwittingly access child abuse images on disguised websites.
Langford added that people who had only viewed legal content on disguised websites could also be targeted in police investigations
Tomi Engdahl says:
Dutch PGP-encrypted comms network ‘abused by crooks’ is busted
Secure chat setup swooped on by police forces
http://www.theregister.co.uk/2016/04/21/dutch_encrypted_comms_network_busted/
Dutch firm Ennetcom has pulled its systems offline following a bust by police and accusations that its encryption technology was being abused as a communications network by drug dealers.
Police have seized servers in the Netherlands, and Canada is dismantling what local reports describe as a PGP-based comms network.
The system, which relied on custom PGP installs on smartphones, had 19,000 registered users, according to local reports. Compatible smartphones cost €1,500.
Technology provider Ennetcom, which provides encrypted BlackBerry PGP S/MIME communication, has suspended operations in the wake of the bust, as a notice on its website explains.
“The police seem to have proof that criminals misused this network/business, therefore they did a shut down of the whole thing.”
Tomi Engdahl says:
Duncan Robinson / Financial Times:
Social networks like Facebook and Snapchat face challenge of getting parental consent for under-16 users in EU after new rules go into effect 2018
Facebook, Snapchat, Twitter have tough task on rules for kids
http://www.ft.com/intl/cms/s/0%2F1a392244-055e-11e6-9b51-0fb5e65703ce.html#axzz46YAbQk3U
Social networks will need to get parental consent for users under 16
across the EU when new rules requiring social networks to get parental consent from all users under the age of 16 come into force in 2018.
While parents may face awkward questions, the likes of Facebook and Snapchat will have the logistical and legal challenge of abiding by the new law. If they do not, they run the risk of fines of up to 4 per cent of global turnover under a sweeping data protection regulation finally agreed by MEPs in Strasbourg last week.
The scale of this demand is significant. Big social networks such as Snapchat, Facebook — and its picture-sharing service Instagram — as well as Twitter all have large numbers of young users.
Big technology groups will have to come up with a way of gathering parental consent for these users or banning them from the service.
Tomi Engdahl says:
Brian Krebs / Krebs on Security:
Two hackers behind the SpyEye botnet creation kit sentenced to a combined 24 years in Georgia
SpyEye Makers Get 24 Years in Prison
http://krebsonsecurity.com/2016/04/spyeye-makers-get-24-years-in-prison/
Tomi Engdahl says:
Ex-NSA security expert develops generic Mac ransomware blocker
RansomWhere? suspends untrusted processes
http://www.theregister.co.uk/2016/04/20/mac_ransomware_detection/
An Apple security expert has developed a free-of-charge standalone ransomware defense tool for OS X.
Right now there are only two pieces of working OS X ransomware publicly available, so we’ll have to wait and see if RansomWhere? is capable of picking up future extortionware.
RansomWhere?
https://objective-see.com/products/ransomwhere.html
Tomi Engdahl says:
SpyEye duo behind bank-account-emptying malware banged up
Billion-dollar Russian Trojan team in the tank for quarter of a century in the US
http://www.theregister.co.uk/2016/04/21/us_jails_spyeye_malware_duo/
Tomi Engdahl says:
Bug Hunter Hacks Facebook, Finds Someone Else’s Backdoor Script
http://news.softpedia.com/news/bug-hunter-hacks-facebook-finds-someone-else-s-backdoor-script-503279.shtml
While trying to find bugs in Facebook’s services, a security researcher accidentally stumbled over a hacker’s backdoor script that was logging Facebook employee credentials for some of the company’s backend applications.
After identifying the application’s type and version, the researcher went to work and explored its source code, discovering in three cross-site scripting (XSS) flaws, two local privilege escalation issues, a known-secret-key issue that led to remote code execution, and a pre-auth SQL injection that also led to remote code execution.
The researcher used the SQL injection flaw he discovered in the FTA application to access Facebook’s server and was rewarded with complete control over the machine.
With his goal reached, the researcher then started collecting the necessary information to submit a bug report to Facebook’s staff. While looking at one of the server’s logs, Tsai discovered a lot of suspicious error messages.
Somebody already hacked the server and not part of the bug bounty program
He tracked these messages down to a webshell, which he was sure, and quite obvious, that no Facebook employee ever uploaded. Inspecting the webshell’s source code, Tsai found evidence of a server-side keylogger which was intercepting login operations and storing Facebook employee access credentials in a local log file.
How I Hacked Facebook, and Found Someone’s Backdoor Script
http://devco.re/blog/2016/04/21/how-I-hacked-facebook-and-found-someones-backdoor-script-eng-ver/
From a pentester’s view, I tend to start from recon and do some research. First, I’ll determine how large is the “territory” of the company on the internet, then…try to find a nice entrance to get in, for example:
What can I find by Google Hacking?
How many B Class IP addresses are used? How many C Class IPs?
Whois? Reverse Whois?
What domain names are used? What are their internal domain names? Then proceed with enumerating sub-domains
What are their preferred techniques and equipment vendors?
Any data breach on Github or Pastebin?
…etc
Of course, Bug Bounty is nothing about firing random attacks without restrictions.
Tomi Engdahl says:
‘I hacked Facebook – and found someone had beaten me to it’
Bug bounty hunter stumbles across backdoor leaking FB staff usernames, passwords
http://www.theregister.co.uk/2016/04/22/i_hacked_facebook_and_found_someone_had_beaten_me_to_it/
A bug bounty hunter compromises a Facebook staff server through a sloppy file-sharing webapp – and finds someone’s already beaten him to it by backdooring the machine.
The pseudo-anonymous penetration tester Orange Tsai, who works for Taiwan-based outfit Devcore, banked $10,000 from Facebook in February for successfully drilling into the vulnerable system.
According to Facebook security engineer Reginaldo Silva, the password-slurping malware was installed by another security researcher who had earlier poked around within Facebook’s system in an attempt to snag a bug bounty.
“We determined that the activity Orange detected was in fact from another researcher who participates in our bounty program. Neither of them were able to compromise other parts of our infrastructure, so the way we see it, it’s a double win: two competent researchers assessed the system, one of them reported what he found to us and got a good bounty, none of them were able to escalate access.”
Tomi Engdahl says:
In a First, Judge Throws Out Evidence Obtained from FBI Malware
https://yro.slashdot.org/story/16/04/21/1718230/in-a-first-judge-throws-out-evidence-obtained-from-fbi-malware
For the first time, a judge has thrown out evidence obtained via a piece of FBI malware. The move comes from a cased affected by the FBI’s seizure of a dark web child pornography site in February 2015, and the subsequent deployment of a network investigative technique (NIT) — the agency’s term for a hacking tool — in order to identify the site’s visitors. “Based on the foregoing analysis, the Court concludes that the NIT warrant was issued without jurisdiction and thus was void ab initio,” Judge William G. Young of the District of Massachusetts writes in an order. “It follows that the resulting search was conducted as though there were no warrant at all.”
In a First, Judge Throws Out Evidence Obtained from FBI Malware
http://motherboard.vice.com/read/in-a-first-judge-throws-out-evidence-obtained-from-fbi-malware
For the first time, a judge has thrown out evidence obtained via a piece of FBI malware. The move comes from a cased affected by the FBI’s seizure of a dark web child pornography site in February 2015, and the subsequent deployment of a network investigative technique (NIT)—the agency’s term for a hacking tool—in order to identify the site’s visitors.
“Based on the foregoing analysis, the Court concludes that the NIT warrant was issued without jurisdiction and thus was void ab initio,” Judge William G. Young of the District of Massachusetts writes in an order. “It follows that the resulting search was conducted as though there were no warrant at all.”
“Since warrantless searches are presumptively unreasonable, and the good-faith exception is inapplicable, the evidence must be excluded,” it continues.
“This is the first time a court has ever suppressed anything from a government hacking operation,” Christopher Soghoian, principal technologist at the American Civil Liberties Union (ACLU), told Motherboard in an encrypted phone call. (Soghoian has been called as an expert by the defense in another affected case.)
UPDATE: Peter Carr, a spokesperson for the Department of Justice, sent a statement.
“We are disappointed with the court’s decision and are reviewing our options.”
Tomi Engdahl says:
Alec Muffett / Facebook:
Number of users accessing Facebook over Tor reached one million in the last 30 days
1 Million People use Facebook over Tor
https://www.facebook.com/notes/facebook-over-tor/1-million-people-use-facebook-over-tor/865624066877648
People who choose to communicate over Tor do so for a variety of reasons related to privacy, security and safety. As we’ve written previously it’s important to us to provide methods for people to use our services securely – particularly if they lack reliable methods to do so.
This is why in the last two years we built the Facebook onion site and onion-mobile site, helped standardise the “.onion” domain name, and implemented Tor connectivity for our Android mobile app by enabling connections through Orbot.
Over this period the number of people who access Facebook over Tor has increased.
Tomi Engdahl says:
J.M. Porup / Ars Technica:
UK intel agencies spy indiscriminately on millions of innocent folks — The UK’s intelligence agencies (MI5, MI6, and GCHQ) are spying on everything you do, and with only the flimsiest of safeguards in place to prevent abuse, according to more than a thousand pages of documents published today …
UK intel agencies spy indiscriminately on millions of innocent folks
Docs revealed by court order show only flimsiest safeguards against abuse.
http://arstechnica.com/tech-policy/2016/04/uk-secret-police-surveillance-bulk-personal-datasets/
Tomi Engdahl says:
Security company recruits hackers: “The door may be broken, but not allowed to go in”
he good-humored Mårten Mickos welcomes its guests in San Francisco’s youthful WeWork workspace. 14th-floor windows offering a view over the city’s hottest startups area, South of Market, or more familiarly known as Soma.
Mickos has been operating only since November promising to be increasing Hacker One’s CEO. He worked previously Director of HP in.
“HackerOne apply joint citizen action to improve security. When mankind’s basic systems for computerizing and exported to the network, there will be an unprecedented security risk. Each software has bugs. The best of these defects and vulnerabilities are found, when asked a wide range of skilled experts for advice, “Mickos said.
Startup has about fifty employees in San Francisco and the Netherlands, but the actual work is done by freelance hackers around the world.
“The door may be broken, but not allowed to go in,” Mickos describes the operating principle.
Source: http://www.tivi.fi/Kaikki_uutiset/tietoturvayhtio-varvaa-hakkereita-oven-saa-murtaa-mutta-sisaan-ei-saa-menna-6544240
Tomi Engdahl says:
DDoS Attacks Continue to Rise in Power and Sophistication
http://www.securityweek.com/ddos-attacks-continue-rise-power-and-sophistication
Distributed denial of service (DDoS) attacks observed in the first quarter of 2016 grew more advanced and more sophisticated, Imperva’s Global DDoS Threat Landscape Q1 2016 reveals. This should not come as a surprise, as DDoS attacks have been growing in both size and sophistication for years, but Imperva’s latest report provides a glimpse into some new tools and attack methods being used by threat actors.
Tomi Engdahl says:
Nation-State Actors Use Fileless Tricks to Deliver RATs
http://www.securityweek.com/nation-state-actors-use-fileless-tricks-deliver-rats
State-sponsored threat actors in Asia have been leveraging a new technique to deliver remote access Trojans (RATs) without being detected by security products.
According to endpoint security company SentinelOne, the method used by these threat groups enables them to inject the RAT payload into memory and avoid detection by antiviruses and even modern technologies that only focus on file-based threats.
In the attacks analyzed by researchers, some files had been written to the disk, but the malicious payload never touched the disk in an unencrypted state.
SentinelOne has detailed an attack involving a known RAT named NanoCore (aka Nancrat), which allows attackers to spy on victims. However, experts pointed out that the technique can be used to deliver any other RAT.
The settings for this DLL and the NanoCore executable itself are encrypted and stored across multiple PNG image files as pixel data.
Tomi Engdahl says:
Australia Boosts Cyber Security Amid Hack Attacks
http://www.securityweek.com/australia-admits-government-hack-attacks-boosts-cyber-security
Australia unveiled a multi-million-dollar cyber scheme to combat hacking on Thursday, as Prime Minister Malcolm Turnbull acknowledged an attack on the country’s weather bureau but stopped short of blaming it on China.
The Australian leader added that it was safe to assume “efforts are made by foreign actors, both governmental and non-governmental, to penetrate” local agencies.
“I can confirm reports that the Bureau of Meteorology suffered a significant cyber intrusion which was first discovered early last year, and the department of parliamentary services suffered a similar intrusion in recent years,” Turnbull said in Sydney as he announced Aus$230 million (US$180 million) in new government funding.