Security trends for 2016

Here are my predictions for trends in information security and cyber security for year 2016.

Year 2015 was pretty bad for information security, and I would say that the trend is worrying. So I expect the year 2016 will have many information security challenges. If you want to keep yourself up at night, spend some time reading about the latest developments in cybersecurity. In 2015 airplanes were hacked, cars were hacked, and vulnerabilities were found in a breathtaking range of sensitive equipment, from TSA locks to voting booths to medical devices. The big picture is even scarier. Former NSA Director Mike McConnell suspects China has hacked “every major corporation” in the US. Those problems will continue in 2016, and some new targets for attacks will be found. The system is broken. It isn’t keeping us, our companies, or our government safe. Worse yet, no one seems to know how to fix it.

Attacks through networks are becoming more common all the time. It will be hard to protect against targeted attacks. Hackers will not only customize malware, but will increasingly use sophisticated phishing and social engineering tricks to gain access to sensitive data. Attackers usually cover their tracks carefully, and identifying who is behind a targeted attack can be very difficult. Behind targeted attacks are usually professional criminals. Criminals do not respect geographical borders, so attacks are spread evenly everywhere. Companies will struggle to absorb the security threats of combined PC and mobile devices in 2016.

EU information security decisions made in late 2015 will have an impact on what comes in 2016: the new EU data protection legislation package was approved, and the EU Court of Justice ruled that the Safe Harbor arrangement is invalid. This means that transfers of personal data from EU countries to the United States under Safe Harbor are now a violation of the law; you need some other legal basis for such transfers. The situation will probably get clarified during 2016. Data protection legislation changes will lead to increased fines for the unprepared. Legal uncertainty and big fines are a toxic cocktail for some companies. The combination of stiff penalties and ambiguously worded provisions in the new EU-wide data protection law, which will replace a patchwork of 28 national laws, raises daunting prospects for companies operating in Europe.

After the huge number of user information leaks in 2015 from all kinds of Internet services, cloud companies will face the challenge of regaining trust in their security. You might have dared to trust “the right cloud services”, since from the traditional information security point of view they seemed to have the main things in order, but now privacy issues have been raised as well.

New environments will bring new threats. New operating system versions mean that administrators and users are less familiar with the environments. IPv6 will get more widely used, and the security of IPv6 networks is different from IPv4. Organizations are moving to virtualized environments, which are complex and create network layers that can become an attack vector. Growing network virtualization functionality and programmability are both an opportunity and a threat to security. Cyber security research will be important in 2016, as 5G networks will become critical infrastructure on top of which, for example, transport, industry, health care and new operators will set up their business around 2020.

The huge amount of information security news is becoming harder and harder to manage in 2016. A key problem with security revelations, as with all other news coverage, is the exponential growth of information. There are a variety of news summaries produced on a daily basis, but they are not enough to get a good picture of what is happening. There are bigger and smaller news items, the impact of which is at times very difficult to assess. SMBs will become a bigger target for cybercriminals. Network and security professionals continue to be among the toughest IT talent to find and hire.

The old way of network security, focused on perimeter defense, is not enough in 2016. The old mantras “encrypt everything” and “secure the perimeter” are not enough. One deceptive truth seems to drive much of the cybersecurity industry down a rabbit hole: if you keep bad actors and bad software out of your system, you have nothing to worry about. It does not work like that anymore. As perimeter security gets stronger, malicious actors look for easier entry points to compromise an organisation through the breadth of its digital attack surface. Now malicious actors target “endpoints” (any device or sensor connected to a network) to break into that network. Traditional sandboxing will no longer protect against the growing malware landscape. Today, most private networks have far too many endpoints to properly secure. In an age of “Bring Your Own Device”, the cloud, remote access, and the Internet of Things, there are too many vulnerabilities hackers can exploit. Keep in mind that everything connected to the Internet can, and will, be hacked. To address those threats in 2016, security experts should assume compromise, meaning that hackers and malware have already breached their defenses or soon will, and instead classify and mitigate threats. In addition to the lock-and-key system of public key infrastructure, you will also need an integrity solution that acts like an alarm. To protect against advanced threats, security professionals will increase their reliance on centralized security management solutions. You need to have prioritization and response plans for various kinds of breaches, with a strong focus on integrity.

Law enforcement versus Silicon Valley tension will continue to be strong throughout 2016. In 2015 law enforcement and politicians on both sides of the Atlantic lined up to repeatedly complain that the web was “going dark” as the result of end-to-end encryption and that this was hampering the investigation of terrorism and other serious crimes. Technologists and cryptographers argue that governments are trying to weaken encryption by demanding some form of privileged access for government. It’s not clear how much encryption the NSA can break. With renewed focus on how encrypted messages can be used to plot terrorist attacks, President Barack Obama’s administration is stepping up pressure on the tech sector to help in the battle. Privacy remains a major counter-argument. It seems that governments lie about encryption backdoors. Encryption systems weakened by mandated backdoors would not be effective in fighting the terrorists that governments invoke as their reason for wanting those backdoors in the first place.

But this does not stop some government officials from demanding such things, with varying success in different countries. Another fact is that the existence of coded communications is a reality, and the U.S. may not be able to do much about it because nearly everyone living in modern society uses it: encryption protects your bank information, prevents your password from being stolen when you log into a website, and allows all e-commerce transactions to take place securely. Encryption weakened by mandated backdoors would put all of us at an enormous risk of exposure from data breaches and associated online risks. The truth in 2016 is that any form of privileged access for government, i.e. a backdoor, would inevitably weaken crypto-systems and make them more vulnerable to attacks by foreign governments’ intelligence agencies as well as criminals. Juniper’s VPN security hole is proof that government backdoors are bonkers. Encryption backdoors would be a gleeful win-win for terrorists and a horrific lose-lose for you: the bad guys having strong protections for their data, and the rest of us not. A poorly thought-out and crude surveillance technique can have a devastating effect on a country’s internet security. For example, Kazakhstan will force its citizens to install internet backdoors by requiring all Internet users to install a state-issued root certificate by January 1, 2016.

Google, Mozilla and Microsoft are pushing for an early SHA-1 cutoff that could happen in 2016 instead of the earlier planned January 1, 2017. Recent research has shown that SHA-1 is weaker than previously believed: a practical collision is now estimated to be within reach of a well-funded attacker rather than requiring enormous effort. Mozilla, Microsoft and now Google are all considering bringing the deadline forward by six months to July 1, 2016. SHA-2 is going to be used as the replacement for SHA-1. Websites like Facebook and those protected by CloudFlare have implemented a SHA-1 fallback mechanism for those clients that do not support SHA-2. Chrome will start displaying errors for SHA-1 certificates in early 2016 and will completely stop supporting SHA-1 certificates at the end of 2016.
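To see what the cutoff means for the certificates you actually deploy, here is an added example (my own code, not from Google, Mozilla, Microsoft or any source cited above) that reads the signature algorithm OID straight out of a DER-encoded certificate using only the Python standard library, flags SHA-1 and MD5 signatures, and also checks that the signature field inside the tbsCertificate agrees with the outer one, as RFC 5280 requires. The sample certificates built at the bottom are constructed for the demo: they carry only the fields the checker reads and are not real, signed certificates.

```python
"""Flag X.509 certificates still signed with SHA-1 (or MD5) by reading the
signatureAlgorithm OID straight from the DER encoding, standard library only."""
import ssl

# AlgorithmIdentifier OIDs for common certificate signatures (RFC 3279, RFC 4055, RFC 5758)
ALG_NAMES = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}
# What a browser or CA programme rejects once the SHA-1 cutoff is in force
WEAK_ALGS = {"1.2.840.113549.1.1.4", "1.2.840.113549.1.1.5", "1.2.840.10045.4.1"}

def read_tlv(buf, pos=0):
    """One DER tag-length-value at buf[pos] -> (tag, value bytes, position after it)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:                        # long form: low 7 bits = number of length bytes
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    end = pos + length
    if end > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos:end], end

def decode_oid(raw):
    """OID content bytes -> dotted string; arcs after the first byte are base-128."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                    # high bit clear = last byte of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)

def algorithm_oid(alg_id):
    """AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY OPTIONAL }"""
    tag, oid, _ = read_tlv(alg_id)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(oid)

def assess_certificate(der):
    """Outer signature algorithm, whether it is weak, and whether tbsCertificate.signature
    agrees with it (RFC 5280 section 4.1.1.2 requires the two to match)."""
    tag, cert, _ = read_tlv(der)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    _, tbs, pos = read_tlv(cert)
    _, sig_alg, _ = read_tlv(cert, pos)
    outer = algorithm_oid(sig_alg)
    # TBSCertificate ::= SEQUENCE { version [0] EXPLICIT OPTIONAL, serialNumber INTEGER,
    #                               signature AlgorithmIdentifier, ... }
    tag, _, after_version = read_tlv(tbs)
    pos = after_version if tag == 0xA0 else 0   # v2/v3 carry an explicit version element
    _, _, pos = read_tlv(tbs, pos)              # skip serialNumber
    _, inner_alg, _ = read_tlv(tbs, pos)
    inner = algorithm_oid(inner_alg)
    return {"oid": outer, "name": ALG_NAMES.get(outer, "unknown"),
            "weak": outer in WEAK_ALGS, "tbs_matches": inner == outer}

def assess_pem(pem_text):
    """Same check for a PEM string, e.g. the contents of a .crt file."""
    return assess_certificate(ssl.PEM_cert_to_DER_cert(pem_text))

# Constructed sample certificates for the demo (assumption: not real, not signed)
def encode_tlv(tag, value):
    assert len(value) < 0x80                # short-form length is enough for these samples
    return bytes([tag, len(value)]) + value

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))         # most significant group first, high bit set
    return encode_tlv(0x06, bytes(out))

def sample_certificate(outer_oid, inner_oid=None):
    """Certificate-shaped DER with the given signatureAlgorithm; the TBS stops after its
    signature field and signatureValue is zeros, so it only exercises the checker."""
    inner_oid = inner_oid or outer_oid
    outer_alg = encode_tlv(0x30, encode_oid(outer_oid) + encode_tlv(0x05, b""))  # alg + NULL
    inner_alg = encode_tlv(0x30, encode_oid(inner_oid) + encode_tlv(0x05, b""))
    tbs = encode_tlv(0x30, encode_tlv(0xA0, encode_tlv(0x02, b"\x02"))        # version v3
                     + encode_tlv(0x02, b"\x01") + inner_alg)                  # serial 1, signature
    return encode_tlv(0x30, tbs + outer_alg + encode_tlv(0x03, b"\x00" * 17))  # sig placeholder
```

To check a real certificate, read the PEM file into a string and call assess_pem(); ssl.PEM_cert_to_DER_cert in the standard library does the base64 decoding. A mismatch between the inner and outer algorithm is worth flagging on its own, since a verifier that only looks at one of the two fields can be led to hash with the weaker algorithm. The check tells you how a certificate was signed, not whether a server will still hand a SHA-1 chain to older clients, which is what the fallback mechanisms mentioned above decide.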

The use of blockchain technology (a permissionless distributed database based on the bitcoin protocol that runs across a global network of independent computers) will spread beyond Bitcoin virtual money. With bitcoin, the blockchain tracks the exchange of money. But it can also track the exchange of anything else that holds value, including stocks, bonds, and other financial securities. Overstock has already used the blockchain to issue private bonds. The Securities and Exchange Commission has approved a plan from online retailer Overstock.com to issue company stock via the Internet, signaling a significant shift in the way financial securities will be distributed and traded in the years to come. Overstock built its technology under the aegis of a subsidiary called TØ.com, and it plans to offer this “cryptosecurity” tech as a service to other businesses. Nasdaq OMX, the company behind the Nasdaq stock exchange, is using the blockchain to oversee the exchange of private stock. Also, several major companies from across both the technology and financial industries, including IBM, Intel, and Cisco as well as the London Stock Exchange Group and big-name banks JP Morgan, Wells Fargo, and State Street, have joined forces with the Linux Foundation to create an alternative to the bitcoin blockchain.

The use of disk encryption will increase, and there are different ways to do it with different security levels. With Windows 10, Microsoft has introduced disk encryption where the recovery keys are uploaded to Microsoft. This approach has some advantages and disadvantages. The gold standard in disk encryption is end-to-end encryption, where only you can unlock your disk. This is what most companies use, and it seems to work well. It protects data in case your device is lost or stolen. But what if you forget or lose your key? There are certainly cases where it’s helpful to have a backup of your key or password, so keeping a backup of your recovery key in your Microsoft account could be genuinely useful for probably the majority of users that don’t have high security needs. The disadvantage of this approach is that your computer is now only as secure as that database of keys held by Microsoft, which means it may be vulnerable to hackers, foreign governments, and people who can extort Microsoft employees.

Weak and leaked passwords are still a huge security problem in 2016. Passwords are often the weakest part when it comes to securing users’ accounts, as many don’t use complex passwords or they reuse the same password across services. Two-factor authentication, like using a USB stick with a secret token or entering a code sent via text message to your phone, can help to increase security, but many users also find this to be a hassle as it introduces an additional step to the login process.

Google has begun testing a login system that uses phone notifications for authentication instead of passwords: users authenticate by responding to a notification sent to their smartphone. The idea is similar to Yahoo’s recently launched “Account Key”, which also offers a password-free means of signing in, involving a push notification sent to your phone that then opens an app where you approve the login.

The smartphone will become a more and more security critical part of your life. “Increasingly, individuals and organisations are adopting password managers and multi-factor authentication technologies to plug some of the holes in password-based authentication. We foresee a world where practically everyone uses their smartphone as a multi-factor authentication element. In this world, the smartphone becomes your most valuable asset: something that enables you to unlock your life online and a target for attackers seeking to access your services.”

Expect that the number of mobile vulnerabilities will only grow in 2016. In 2016 we will see increasing numbers of cyber criminals using mobile applications to spread malware. Mobile presents an easy target for cyber criminals, because it is an attack surface that is open and extremely difficult to defend once an app has been released. Android threats will become more than just headline-grabbers. Will 2016 be the year iOS malware goes mainstream?

Critical infrastructure will be highly targeted in 2016. SCADA and ICS networks were not designed for security. Attacks against these systems have increased in recent years, and I expect this trend to only get worse. There are still many companies that run their critical systems on Windows XP, as “there are some people who don’t have an option to change.” Many times the OS is running in automation and process control systems that run business and mission-critical systems, both in private sector and government enterprises. For example, the US Navy is using the obsolete operating system Microsoft Windows XP to run critical tasks. It all comes down to money and resources, but if someone is obliged to keep something running on an obsolete system, it’s completely the wrong approach to information security.

Cars were hacked at a record rate in 2015, and they will be hacked at least at the same rate in 2016. Modern cars feature more gadgetry and connected systems, and this makes vehicles just as vulnerable to today’s threats and attacks. I Am The Cavalry has published a Five Star Cyber Safety Framework to mitigate this threat in cars; hopefully car component makers study it.

IoT and smart devices are still at risk. The Internet of Things will continue to emerge, and businesses will need to think about how to protect their smart devices and prepare for the wider adoption of IoT. IoT platforms are not yet the weapon of choice for commercial malware authors, but businesses beware. Wearables won’t be safe either, as they are built using largely the same, too often vulnerable, technologies as other IoT systems. IoT security is still in its infancy in 2016.

Cyber criminals became more active in 2015, particularly with ransomware. The ransomware problem will continue to be big in 2016. Commercial malware authors will continue to invest heavily, and exploit kits will continue to dominate on the web. Ransomware today is big business. Ransomware takes control of a computer and holds it hostage until the victim pays, usually in the digital currency Bitcoin. As a remedy against ransomware, I recommend making sure that your IT support or service provider has the data backup and restore procedure operational, practiced and tested. You may need it in 2016 to get your data back without having to consider paying criminals. To date ransomware has hit Windows users hardest, although Android and Mac OS users are now also facing similar extortion.
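Here is what “practiced and tested” can look like in code. This is an added example, my own and not from any vendor or source cited above: it takes a SHA-256 manifest of the live data, backs it up, restores the archive into a scratch directory and compares every file against the manifest, so the restore path is exercised rather than assumed. The drill() function builds constructed sample files to rehearse both the good case and a backup taken after a file has already been overwritten. The same manifest comparison is also the kind of integrity alarm the paragraph on assuming compromise asks for. It assumes a local tar archive; where the backups go (offline, or on storage the workstation cannot overwrite) matters just as much, since ransomware that can reach the backup will encrypt it too.

```python
"""Backup drill for the ransomware case: checksum the live data, back it up, then prove
the archive restores byte-for-byte into a scratch directory. Standard library only."""
import hashlib
import os
import tarfile
import tempfile


def make_manifest(src_dir):
    """Relative path -> SHA-256 hex digest for every file under src_dir."""
    manifest = {}
    for root, _dirs, files in os.walk(src_dir):
        for name in files:
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                manifest[os.path.relpath(path, src_dir)] = hashlib.sha256(fh.read()).hexdigest()
    return manifest


def backup(src_dir, archive_path):
    """Write src_dir into a gzip-compressed tar archive."""
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(src_dir, arcname=".")


def verify_restore(archive_path, manifest):
    """Restore into a throwaway directory and diff it against the manifest taken before
    the backup. Returns a list of problems; an empty list means the restore path works."""
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive_path, "r:gz") as tar:
                try:
                    tar.extractall(scratch, filter="data")  # blocks path traversal (3.12+/backports)
                except TypeError:                           # older Python without filter=
                    tar.extractall(scratch)
        except (tarfile.TarError, OSError) as exc:
            return ["archive unreadable: %s" % exc]
        restored = make_manifest(scratch)
    problems = []
    for rel, digest in manifest.items():
        if rel not in restored:
            problems.append("missing: " + rel)
        elif restored[rel] != digest:
            problems.append("changed: " + rel)
    problems.extend("unexpected: " + rel for rel in restored if rel not in manifest)
    return problems


def drill():
    """Constructed rehearsal (sample files are made up here): a backup taken before the
    incident verifies; one taken after a file was overwritten is caught by the manifest."""
    with tempfile.TemporaryDirectory() as tmp:
        data = os.path.join(tmp, "data")
        os.makedirs(os.path.join(data, "sub"))
        with open(os.path.join(data, "a.txt"), "wb") as fh:
            fh.write(b"quarterly figures\n")
        with open(os.path.join(data, "sub", "b.txt"), "wb") as fh:
            fh.write(b"customer list\n")
        manifest = make_manifest(data)          # taken while the data is known good
        good = os.path.join(tmp, "good.tgz")
        backup(data, good)
        good_ok = verify_restore(good, manifest) == []
        # Simulate ransomware: a.txt is replaced by ciphertext after the manifest was taken,
        # so a backup job that runs now silently captures the damage.
        with open(os.path.join(data, "a.txt"), "wb") as fh:
            fh.write(b"\x00\x17ENCRYPTED")
        bad = os.path.join(tmp, "bad.tgz")
        backup(data, bad)
        caught = "changed: a.txt" in verify_restore(bad, manifest)
    return good_ok and caught
```

Run drill() as the scheduled test of the procedure, and keep the manifest somewhere the backup job itself cannot modify: a manifest stored next to the archive can be re-generated by whatever encrypted the data, and then the comparison proves nothing.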

Ransomware will continue to dominate in 2016, and it is only a question of time before we see things beyond data being ransomed. We have already seen websites being held to ransom with DDoS. Intel’s McAfee Labs also noted a huge spike in ransomware in early 2015, and worries about ransomware in the IoT space, including medical devices. And Kaspersky predicts the “nightmare of ransomware” to continue and “spread to new frontiers” in 2016. The article Ransomware Is Coming to Medical Devices tells that according to a report released recently by Forrester Research, the number one cybersecurity prediction for 2016 is: “We’ll see ransomware for a medical device or wearable.” “It’s definitely feasible from a technical standpoint”. Networked medical devices save lives. Despite the hacking risk, it’s an informed trade-off. Medical device ransomware would be a modern form of highway robbery with lives at stake.

2,232 Comments

  1. Tomi Engdahl says:

    Medical Equipment Crashes During Heart Procedure Because of Antivirus Scan
    http://news.softpedia.com/news/medical-equipment-crashes-during-heart-procedure-because-of-antivirus-scan-503642.shtml#ixzz48907KsNT

    A critical piece of medical equipment crashed during a heart procedure due to a timely scan triggered by the antivirus software installed on the PC to which the said device was sending data for logging and monitoring.

    The device in question is Merge Hemo, a complex piece of medical equipment used to supervise heart catheterization procedures, during which doctors insert a catheter inside veins and arteries in order to diagnose various types of heart diseases.

    The incident happened in February 2016.

    Merge Hemo consists of two main modules. The main component is the actual medical device, connected to the catheters, through which data acquisition takes place. This component is connected to a local PC or tablets via a serial port.

    The second component is a software package that runs on the doctor’s computer or tablet and takes recorded data and logs it or displays it on the screen via simple-to-read charts.

    According to one such report filed by Merge Healthcare in February, Merge Hemo suffered a mysterious crash right in the middle of a heart procedure when the screen went black and doctors had to reboot their computer.

    Fortunately, the patient was sedated, and the doctors had five minutes at their disposal to wait for the computer to finish rebooting, start the Merge Hemo application again, and complete their procedure without any health risks for the patient.

    Merge investigated the issue and later reported to the FDA that the problem occurred because of the antivirus software running on the doctors’ computer.

    MAUDE Adverse Event Report: MERGE HEALTHCARE MERGE HEMO PROGRAMMABLE DIAGNOSTIC COMPUTER
    https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfmaude/detail.cfm?mdrfoi__id=5487204

    http://www.merge.com/Solutions/Cardiology/Merge-Hemo.aspx

    Reply
  2. Tomi Engdahl says:

    U.S. investigates security of mobile devices
    http://www.reuters.com/article/us-wireless-inquiry-regulators-idUSKCN0Y022E

    The Federal Communications Commission and Federal Trade Commission have asked mobile phone carriers and manufacturers to explain how they release security updates amid mounting concerns over security vulnerabilities, the U.S. agencies said on Monday.

    The FCC sent letters to six mobile phone carriers on security issues, while the FTC ordered eight mobile device manufacturers including BlackBerry Ltd, Microsoft Corp, LG Electronics USA Inc and Samsung Electronics America Inc [SMELA.UL] to disclose “the factors that they consider in deciding whether to patch a vulnerability on a particular mobile device.”

    The FTC also seeks “detailed data on the specific mobile devices they have offered for sale to consumers since August 2013” and “the vulnerabilities that have affected those devices; and whether and when the company patched such vulnerabilities.”

    Reply
  3. Tomi Engdahl says:

    Privacy warriors take legal action over UK gov’s right to hack
    Privacy International challenges the Investigatory Powers Tribunal (again)
    http://www.theregister.co.uk/2016/05/10/privacy_ngo_take_legal_action_over_governments_right_to_hack/

    Privacy International is reviving its challenge against the UK government’s right to issue general hacking warrants. It’s filed for the High Court to review the Investigatory Powers Tribunal (IPT) decision that ruled the warrants are legal.

    The Investigatory Powers Bill, or Snoopers’ Charter, is currently under consideration and could cement this right into law.

    Reply
  4. Tomi Engdahl says:

    Chrome, Firefox and Safari Block Pirate Bay as “Phishing” Site
    https://torrentfreak.com/chrome-and-firefox-block-tpb-as-phishing-site-160507/

    There’s a slight panic breaking out among Pirate Bay users, who are having a hard time accessing the site.

    Chrome, Firefox and Safari are actively blocking direct access to The Pirate Bay. According to the browsers, Thepiratebay.se is a “deceptive site” or “web forgery,” that may steal user information. The TPB crew has been alerted to the issue, and hope it will be resolved soon.

    Reply
  5. Tomi Engdahl says:

    Privacy and the New Math
    http://www.linuxjournal.com/content/privacy-and-new-math

    In the Apple vs. FBI case, the real disputes are between math and architecture, and between open and closed. Linux can play an important role in settling those disputes, because it is on the right side of both.

    Apple’s case is for crypto, an application of math. The FBI’s case is for a way through the crypto. The term for that architectural hole is a “back door”. Since the key to that door would be the FBI’s alone, with no way for others to tell how or when they’ll use it (unless the FBI shares it), the FBI’s side is the closed one.

    To unpack this, let’s look at the case.

    The FBI would also like to solve what it calls the “Going Dark Issue”. Specifically, the growing use of encryption on the Internet is “eroding law enforcement’s ability to quickly obtain valuable information that may be used to identify and save victims, reveal evidence to convict perpetrators, or exonerate the innocent.”

    While the FBI contends that the country’s safety depends on “law enforcement’s lawful intercept and evidence collection needs”, in fact, it also depends on the math we call crypto to keep commerce and infrastructure up and running. To serve both these needs, math has to work differently for the FBI than for everyone else. But math works the same for everyone, and taking action inconsistent with this principle leads predictably to bad outcomes.

    In order both to break security for the government’s benefit and continue to use it for infrastructure and commerce, the government must keep the tools and methods that enable such breakage secret at all costs. But if you have a secret that breaks digital security, you don’t use digital security to secure it. You use vaults, guns and worse.

    Resilience against brute-force attack is a critical control in the iPhone’s security model. This is because the cryptography is impenetrable, but human-chosen passwords are surprisingly easy to crack.

    Designing the phone to wipe the data after some number of failed attempts compensates for the human tendency to pick really bad passwords. Defeating that control—which is what the government wants—breaks the security model.

    In Hollywood, a back door gives an attacker direct login to a system, but in real life, the term refers to an intentional weakness in the security model.

    Corporations are much more susceptible to government coercion than a distributed Open Source community, such as the ecosystem that has grown up around Linux.

    In recent years, governments have made an enemy of personal privacy, regarding it as a vulnerability within the state and a potential refuge for terrorism. That’s why many vendors of secure hardware and software have fled their home countries and relocated to privacy-friendly jurisdictions.

    If the US government succeeds in its bid to break Apple’s security model, its next step is to prohibit Apple from fixing the vulnerability. After that comes mandated back doors and a general prohibition on unbreakable information systems. Those sanctions would be relatively easy to enforce on domestic corporations but much more difficult against a worldwide development community. The good news is that this is the easiest call to action ever: Just keep doing what you do.

    Reply
  6. Tomi Engdahl says:

    Transfer techies at SWIFT tell Bangladesh Bank: Don’t shift blame for $81m cyberheist
    Calls it out over ‘basic password protection’
    http://www.theregister.co.uk/2016/05/10/swift_rejects_bangladeshi_criticism/

    SWIFT has firmly rejected Bangladeshi claims that mistakes on its part are to blame after $81m was looted from Bangladesh’s central bank.

    Bangladeshi officials claimed earlier this week that technicians from SWIFT had introduced vulnerabilities into the bank’s network when connecting a Real-Time Gross Settlement (RTGS) system to SWIFT’s inter-bank financial transaction messaging system.

    A meeting between Bangladesh Bank and New York Federal Reserve Bank officials in Basel, Switzerland is due to take place later today. The bank’s security issues as well as attempts to recover looted security funds are expected to top the agenda.

    As well as network infrastructure weaknesses, the hackers behind the heist used custom malware specifically created to target SWIFT. The code even adjusted the SWIFT system’s printed reports to hide fraudulent transfers from the Bangladesh central bank account at the New York Federal Reserve Bank.

    Reply
  7. Tomi Engdahl says:

    Firms that make ‘questionable use’ of your data will pay… with their reputations
    Silly us – thought Euro banking authority meant with fines
    http://www.theregister.co.uk/2016/05/10/firms_reputations_at_risk_if_they_make_questionable_use_of_consumer_data_says_eba/

    There is a reputational risk to firms if they make “questionable use” of consumer data, the European Banking Authority (EBA) has warned.

    The regulator highlighted the risk in a new discussion paper on the innovative uses of consumer data by financial institutions (29-page/292KB PDF).

    “Financial institutions might use data in a way that results in questionable decisions about consumers if, for instance, they do not take into account relevant details contained in the data they possess; do not possess enough data to make a decision; or interpret data in a wrong way, because the tool used to process it is flawed,” the EBA said. “In any of these situations, financial institutions can face reputational risk if they then offer particular products to a consumer that are not tailored to his/her specific needs.”

    “Additional reputational risk may arise if a financial institution makes a decision that is correct from a business point of view (e.g. the rejection of a loan application), but is made using data that the consumer would not expect to be used by financial institutions (e.g. data from social networks),”

    http://www.eba.europa.eu/documents/10180/1455508/EBA-DP-2016-01+DP+on+innovative+uses+of+consumer+data+by+financial+institutions.pdf

    Reply
  8. Tomi Engdahl says:

    SS7 spookery on the cheap allows hackers to impersonate mobile chat subscribers
    WhatsApp, Telegram secure – but the transport isn’t
    http://www.theregister.co.uk/2016/05/10/ss7_mobile_chat_hack/

    Flaws in the mobile signalling protocols can be abused to read messaging apps such as WhatsApp and Telegram.

    Security researchers at Positive Technologies found they can intercept messages and respond as if they were the intended recipient in services such as WhatsApp or Telegram.

    This is not a man in the middle attack: instead, the attacker is actually impersonating the victim’s identity. The mechanism of the attack renders encryption offered by the apps irrelevant.

    Alex Mathews, technical manager EMEA of Positive Technologies explained: “Chat applications such as WhatsApp, Telegram, and others use SMS verification based on text messages using SS7 signalling to verify identity of users/numbers.

    “SMS authentication is one of the major security mechanisms for services like WhatsApp, Viber, Telegram, Facebook, and is also part of second factor authentication for Google accounts, etc. Devices and applications send SMS messages via the SS7 network to verify identity, and an attacker can easily intercept these and assume identity of the legitimate user. Having done so, the attacker can read and write messages as if they are the intended recipient.

    Positive Technologies’ isn’t the first to warn about SS7. Security researchers at AdaptiveMobile have researched the issue in some depth, and there was a practical demonstration of SS7 vulnerabilities by white hats at the Chaos Communication Congress back in 2014.

    SS7 vulnerabilities can be exploited to run all sorts of attacks that threaten the privacy of mobile subscribers including – but not limited to – discovering a subscriber’s location, disrupting a subscriber’s service, SMS interception, Unstructured Supplementary Service Data (USSD) forgery requests, voice call redirection, conversation tapping and disrupting the availability of a mobile switch.

    Reply
  9. Tomi Engdahl says:

    Swiss Defense Ministry Hit by Cyber-Attack
    http://news.softpedia.com/news/swiss-defense-ministry-hit-by-cyber-attack-503781.shtml

    Swiss defense minister Guy Parmelin says his ministry faced a powerful cyber-attack this past winter, Swiss newspaper Tages-Anzeiger reports.

    Parmelin says the attack took place in January while he was at the annual World Economic Forum (WEF) in Davos, Switzerland. At that time, Kaspersky warned of such incidents. The attack was fended off, and the minister says that the hackers weren’t able to steal any sensitive information.

    A local defense contractor was also attacked

    Reply
  10. Tomi Engdahl says:

    London HIV clinic fined £180,000 for ‘serious’ data breach
    http://www.wired.co.uk/news/archive/2016-05/09/56-dean-street-fine-data-protection-hiv

    A London HIV clinic that leaked data on 781 of its patients has been fined £180,000.

    56 Dean Street, based in London’s Soho, sent an email newsletter with all patient email addresses in the ‘To’ field, rather than the ‘Bcc’ field.

    The email addresses allowed for the identification of the patients – 730 of the 781 contained people’s full names – and constituted a “serious breach” of data protection rules, the Information Commissioner’s Office (ICO) said.

    The ICO said the breach was “likely to have caused substantial distress” to those who were included on the list. Under data protection rules, information about a person’s health or sexual life is deemed as sensitive and the organisation issued the monetary penalty after an investigation.

    “It is clear that this breach caused a great deal of upset to the people affected,”

    Reply
  11. Tomi Engdahl says:

    Joseph Menn / Reuters:
    VirusTotal cuts back on sharing virus info with firms that don’t contribute data, which means many startups are losing access to the critical information

    Software security suffers as upstarts lose access to virus data
    http://www.reuters.com/article/us-cybersecurity-sharing-virustotal-anal-idUSKCN0XY0R4

    A number of young technology security companies are losing access to the largest collection of industry analysis of computer viruses, a setback industry experts say will increase exposure to hackers.

    The policy change at the information-sharing pioneer VirusTotal takes aim mainly at a new generation of security companies, some with valuations of $1 billion or more, that haven’t been contributing their analysis. Older companies, some with market valuations much smaller than the upstart rivals, had pressed for the shift.

    Alphabet Inc’s Google runs the VirusTotal database so security professionals can share new examples of suspected malicious software and opinions on the danger they pose. On Wednesday, the 12-year-old service quietly said it would cut off unlimited ratings access to companies that do not share their own evaluations of submitted samples.

    Reply
  12. Tomi Engdahl says:

    BBC:
    UK government’s bid to get Lauri Love, a man accused of hacking into US government computers, to reveal his encryption passwords thrown out by UK judge — A bid by the National Crime Agency to force an alleged cyber hacker to hand over encrypted computer passwords has been thrown out by a judge.

    NCA’s bid to get Lauri Love US hack case passwords thrown out
    http://www.bbc.com/news/uk-england-suffolk-36256852

    A bid by the National Crime Agency to force an alleged cyber hacker to hand over encrypted computer passwords has been thrown out by a judge.

    The US is attempting to extradite Lauri Love, 31, on charges of hacking into the US Army, Nasa and US Federal Reserve networks.

    The agency (NCA) seized the computers during a raid at Mr Love’s home in Stradishall, Suffolk, in October 2013.

    A call to hand over passwords was rejected by a district judge.

    Reply
  13. Tomi Engdahl says:

    Message in a molecule
    http://www.nature.com/ncomms/2016/160503/ncomms11374/full/ncomms11374.html

    Since ancient times, steganography, the art of concealing information, has largely relied on secret inks as a tool for hiding messages.

    Here, we describe a method that enables one to conceal multiple different messages within the emission spectra of a unimolecular fluorescent sensor. Similar to secret inks, this molecular-scale messaging sensor (m-SMS) can be hidden on regular paper and the messages can be encoded or decoded within seconds using common chemicals, including commercial ingredients that can be obtained in grocery stores or pharmacies.

    Uncovering these messages by an unauthorized user is almost impossible because they are protected by three different defence mechanisms: steganography, cryptography and by entering a password.

    Reply
  14. Tomi Engdahl says:

    U.S. Investigates Security Update Practices
    FTC, FCC send letters to mobile industry
    http://www.eetimes.com/document.asp?doc_id=1329648&

    Perhaps, it’s a sign of the times. Federal agencies are seriously worried about cyberattacks.

    Whether such assaults are launched on smartphone or connected vehicles, the U.S. government has come to believe that the threats are real. Agencies are asking industries how they’re responding to the vulnerabilities of their own connected devices and networks.

    Last month, the Government Accountability Office (GAO) released a report on vehicle cybersecurity—connected to possible safety issues. The GAO interviewed 32 selected industry stakeholders to better understand how the automotive industry is developing cyber security.

    Vehicle Cybersecurity:
    DOT and Industry Have Efforts Under Way, but DOT Needs to Define Its Role in Responding to a Real-world Attack
    http://www.gao.gov/products/GAO-16-350

    Reply
  15. Tomi Engdahl says:

    No, I’m not surfing smut. I’m trying to score a bug bounty from P0rnhub
    World’s biggest flesh site offering cash if you can expose its seamy underbelly
    http://www.theregister.co.uk/2016/05/11/p0rnhub_bug_bounty/

    The world’s most popular porn site PornHub has launched a somewhat restrictive security bug bounty.

    The site draws an eye-watering 60 million visitors a day and has been subject to breaches mainly limited to malvertising attacks which would generally not be uncovered by bug bounties.

    Hackers must report bugs 24 hours after discovery, found without the use of automated tools, and must not interrupt the delivery of porn services.

    Reply
  16. Tomi Engdahl says:

    Brian Barrett / Wired:
    How IBM researchers are teaching Watson to analyze and identify cybersecurity threats in hopes of launching to enterprise customers this year

    IBM’s Watson Has a New Project: Fighting Cybercrime
    https://www.wired.com/2016/05/ibm-watson-cybercrime/

    IBM’s Watson supercomputer hardly needs any more resumé-padding. It’s already won Jeopardy, written a cookbook, and dabbled in revolutionizing healthcare. The next stop in its storied career? Tackling cybercrime.

    Today, IBM announced that Watson is taking its cognitive learning chops to the cloud, where it’ll apply them to analyzing, identifying, and (hopefully) preventing cybersecurity threats. But first, it’s going to have to learn. Fast.

    Playing Defense

    There are already plenty of computer-enhanced approaches to combating cybercrime, most of which involve identifying outliers or abnormalities—like when a user logs a few too many failed password attempts—and determining whether those constitute some sort of threat.

    Collecting and analyzing this type of data can and does work. It’s not ideal, though. First, there’s simply too much of it; according to a recent IBM report, the average organization sees over 200,000 pieces of security event data every single day. There’s simply no way to keep up with it all. And while solutions like MIT’s recent AI2 can trim down the number of incidents a human researcher needs to sift through, there’s still the fact that the data points being considered are only a small part of the picture.

    “This is about interpreting and learning and bringing in unstructured data, bringing in things like blogs, white papers, and research reports,”

    Reply
  17. Tomi Engdahl says:

    Sean Michael Kerner / eWeek:
    Docker’s security scanning product for repositories becomes generally available

    Docker Rolls Out Tool to Scan Containers for Vulnerabilities
    http://www.eweek.com/security/docker-rolls-out-tool-to-scan-containers-for-vulnerabilities.html

    The Project Nautilus effort first announced in 2015 and now named Docker Security Scanning is now generally available as container security ramps up.
    Among the big pieces of news that Docker Inc. announced at its DockerCon EU conference in November 2015 was its Project Nautilus effort to scan Docker repositories for security vulnerabilities. Now, six months later, the company is making Nautilus generally available under the product name Docker Security Scanning. And Docker is complementing the new security product with an update to Docker Bench, a container best practices security tool, further improving the overall security tooling for Docker.

    Reply
  18. Tomi Engdahl says:

    Tom Warren / The Verge:
    Microsoft removes the Wi-Fi Sense feature that shared network passwords with friends from Windows 10, cites low usage and demand

    Windows 10 will stop sharing your Wi-Fi passwords soon
    http://www.theverge.com/2016/5/11/11655628/microsoft-windows-10-wi-fi-sense-password-sharing

    Microsoft is removing part of its controversial Wi-Fi Sense feature from Windows 10. “We have removed the Wi-Fi Sense feature that allows you to share Wi-Fi networks with your contacts and to be automatically connected to networks shared by your contacts,” says Microsoft’s Gabe Aul. “The cost of updating the code to keep this feature working combined with low usage and low demand made this not worth further investment.”

    Wi-Fi Sense was originally introduced on Windows Phone and then updated and included with Windows 10. It’s a feature that lets you automatically connect to open hotspots, and share your Wi-Fi passwords with contacts. Some security experts had expressed concerns over Windows 10 automatically connecting to open hotspots, but Microsoft is keeping this feature in place. Wi-Fi Sense’s password sharing feature generated unnecessary noise from people who didn’t understand it wasn’t sharing all Wi-Fi passwords by default, but Microsoft has clearly received enough data and feedback to show that it’s not widely used.

    Reply
  19. Tomi Engdahl says:

    John McAfee’s first move as a new CEO is to rename the company after himself
    http://techcrunch.com/2016/05/09/john-mcafees-first-move-as-a-new-ceo-is-to-rename-the-company-after-himself/?ncid=rss&cps=gravity_1730_3407314537453746770

    Some exciting news from the John McAfee camp today: America’s favorite (and most entertaining) cybersecurity expert has a new gig!

    MGT Capital Investments (NYSEMKT: MGT), a company that owns and operates social gaming apps, has announced the appointment of John McAfee as Executive Chairman and CEO.

    But best of all? The company said it will be changing its corporate name to John McAfee Global Technologies!

    John McAfee Global Technologies has entered a definitive asset purchase agreement for D-Vasive, McAfee’s iPhone app that lets you monitor which internal hardware features are being used by different apps.

    But wait, it gets better! The social gaming startup also announced it has entered into a consulting agreement with Future Tense Secure Systems, the cybersecurity company led by none other than… John McAfee!

    So a “company” hired McAfee, renamed itself after him, bought his startup AND is paying him for consulting services. Okay.

    Reply
  20. Tomi Engdahl says:

    Malvertising is increasing in sophistication and prevalence, and often being used to distribute ransomware. According to the FBI, criminals are netting an estimated $325–500 million a year through these scams. But while the FBI is warning of a rise in ransomware, they are at a loss when it comes to how to handle it: “The ransomware is that good,” says Joseph Bonavolonta, the Assistant Special Agent in Charge of the FBI’s CYBER and Counterintelligence Program in its Boston office. “To be honest, we often advise people just to pay the ransom.”

    As malvertising-based infections (including ransomware) in businesses increase, questions will arise on who is accountable – ad networks, site owners, or owners of the ad content? If your company is a victim, and the FBI is just advising to pay the ransom, can you begin to seek legal remedy against the ad networks or content owners that were the vector for the infection?

    Source: https://webinar.darkreading.com/2063?keycode=DRWE02

    Reply
  21. Tomi Engdahl says:

    Outdated Internet Explorer versions still run on many business PCs
    http://betanews.com/2016/05/11/outdated-internet-explorer-business-pcs/

    Businesses around the world don’t really enjoy updating their software, security researchers from Duo Security have found, exposing themselves and their organizations to risks of cyber-attacks, phishing, scams and malware.

    Researchers looked at a sample of two million Windows devices used by businesses around the world and found that almost a quarter, and that’s 500,000 devices, are using an outdated and unsupported version of Internet Explorer.

    That puts both the users and the company at risk from more than 700 known, and who knows how many unknown, vulnerabilities.

    Besides using outdated Internet Explorer, almost two-thirds (60 percent) of business users are also risking a lot by using an out-of-date version of Flash. Almost three quarters (72 percent) are using an outdated version of Java, also putting their systems at risk.

    Mac users are more up-to-date than Windows users. Among internet browsers, Google Chrome is the most up-to-date browser of the bunch.

    Reply
  22. Tomi Engdahl says:

    Defence industry company Patria has acquired a 25 percent minority interest in the specialized cyber security company Silverskin Information Security. Patria is growing its cyber security business in the region. The deal will open up new business opportunities for Patria, particularly in international markets, but also in Finland.

    Silverskin is a security company certified to the highest level under both European Union and United States Department of Defense standards. The company operates in Finland directly with customers, as well as indirectly through a comprehensive network of partners.

    Source: http://www.tivi.fi/Kaikki_uutiset/aseyhtio-patrialta-uusi-valtaus-hotkaisi-siivun-kyberturvayrityksesta-6549590

    Reply
  23. Tomi Engdahl says:

    Pornhub Launches Bug Bounty Program With Rewards Up To $25,000
    https://tech.slashdot.org/story/16/05/11/239250/pornhub-launches-bug-bounty-program-with-rewards-up-to-25000

    Pornhub is launching a bug bounty program for security researchers and pornography enthusiasts who are able to identify flaws on its platform. Hunters will be paid a minimum of $50 for each vulnerability discovered, with up to $25,000 on offer for particularly vicious flaws.

    Successful applicants to the scheme will need to be the first person to responsibly disclose an unknown issue, which the Pornhub security team has 30 days to respond to, and up to 90 days to implement a fix based on the severity of the report.

    Pornhub Launches Bug Bounty Programme For Security Researchers
    Read more at http://www.techweekeurope.co.uk/security/security-management/pornhub-bug-bounty-stamps-backdoors-191901#ZI8ALRWUH2ByAeAp.99

    https://hackerone.com/pornhub

    Reply
  24. Tomi Engdahl says:

    FBI Has Sights On Larger Battle Over Encryption After Apple Feud
    https://politics.slashdot.org/story/16/05/12/0010208/fbi-has-sights-on-larger-battle-over-encryption-after-apple-feud

    FBI Director James Comey said the FBI is exploring how to make broader use of the hack, used to access a San Bernardino terrorist’s encrypted iPhone, while bracing for a larger battle involving encrypted text messages, e-mails and other data. The tool could “in theory be used in any case where there’s a court order” to access data on an iPhone 5c running Apple’s iOS 9 OS, Comey told reporters in Washington on Wednesday. However, accessing content on a phone, known as “data at rest,” is only part of the challenge that encryption poses for U.S. investigators. Software applications and other services that encrypt texts, e-mails and other information in transit over the Internet, known as “data in motion,” are “hugely significant,” especially for national security investigations, Comey said.

    FBI Has Sights on Larger Battle Over Encryption After Apple Feud
    http://www.bloomberg.com/news/articles/2016-05-11/fbi-has-sights-on-larger-battle-over-encryption-after-apple-feud

    After buying a software tool to access a dead terrorist’s encrypted iPhone, the FBI is exploring how to make broader use of the hack while bracing for a larger battle involving encrypted text messages, e-mails and other data, Director James Comey said.

    Software applications and other services that encrypt texts, e-mails and other information in transit over the Internet — known as “data in motion” — are “hugely significant,” especially for national security investigations, Comey said.

    “The data at rest problem affects non-national security law enforcement overwhelmingly,” Comey said. “The data in motion, at least today, overwhelmingly affects our national security work. Terrorists and their fellow travelers are increasingly using end-to-end encrypted apps.”

    Comey said criminals are increasingly using services that encrypt data in motion, and he didn’t rule out litigation against companies such as Facebook Inc.’s mobile messaging service WhatsApp, which has more than 1 billion subscribers worldwide.

    WhatsApp has been embroiled in a legal dispute in Brazil.

    “WhatsApp has over a billion customers, overwhelmingly good people,” Comey said. “But in that billion customers are terrorists and criminals, and so that now ubiquitous feature of all WhatsApp products will affect both sides of the house.”

    The FBI is trying to figure out how to allow “law enforcement around the country with court orders to be able to use our tool,” Comey said.

    It’s “tricky,” he said, because using the tool to help state and local criminal investigations could mean that it would have to be revealed in a court proceeding if there isn’t a procedure in place to prohibit testimony about how it works.

    Reply
  25. Tomi Engdahl says:

    36 idiots running SAP under attack after flubbing 2010 patch
    US-CERT issues first-ever alert for SAP users, advising them to become competent
    http://www.theregister.co.uk/2016/05/12/us_cert_warns_sap_users/

    The United States Computer Emergency Readiness Team has taken the unusual step of enumerating just how many organisations have a particular problem, by calling out “36 organizations worldwide are affected by an SAP vulnerability … that was patched by SAP in 2010.”

    You read that right: 2010.

    US-CERT is relaying research conducted by Onapsis that says it found at least 36 organisations under active attack thanks to the flaw.

    The problem is caused by the “Invoker Servlet”, a component of the NetWeaver Application Server Java systems (SAP Java platforms). Somehow, the dirty 36 have managed to either flub or ignore the patch for years. Onapsis says the flaw means “remote unauthenticated attackers” enjoy “full access to the affected SAP platforms, providing them with complete control of the business information and processes run by them, as well as potentially further access to connected SAP and non-SAP systems.”

    The fix is simple: apply the patch and make sure it works. Or disable the Invoker Servlet.

    Reply
  26. Tomi Engdahl says:

    Hackers tear shreds off Verizon’s data breach report top 10 bug list
    Researchers reckon Verizon’s been very lazy and unsophisticated
    http://www.theregister.co.uk/2016/05/12/verizon_dbir_criticised/

    Information security boffins have pilloried Verizon’s latest data breach report, suggesting its list of top security vulnerabilities does not represent reality.

    The 2016 Data Breach Investigations report [PDF] is Verizon’s ninth in the series drawing on a wider pool of data including some 100,000 security incidents and 2260 data breaches last year. It includes case load data from Verizon and some 50 other organisations including computer emergency response teams.

    Among its findings is that attackers are popping boxes and siphoning off data within days or minutes, using multiple exfiltration paths, and with most exploiting weak or stolen credentials.

    Verizon claims vulnerabilities it compiled into a top 10 list are responsible for 85 per cent of attacks, something security types say is disconnected from reality.

    2016 Data Breach Investigations Report
    89% of breaches had a financial or espionage motive.
    https://regmedia.co.uk/2016/05/12/dbir_2016.pdf

    Hackers so far ahead of defenders it’s not even a game
    Crims using multiple exfiltration points
    http://www.theregister.co.uk/2016/04/26/verizon_breach_report/

    Verizon’s top 10 vulnerabilities: CVE-2001-0876; CVE-2001-0877; CVE-2002-0953; CVE-2001-0680; CVE-2002-1054; CVE-2015-0204; CVE-2015-1637 (FREAK); CVE-2003-0818; CVE-2002-0126, and CVE-1999-1058.
    https://pbs.twimg.com/media/ChEoIFRWgAAbMFA.jpg

    Reply
  27. Tomi Engdahl says:

    Criminals exploit zero day Flash vulnerability
    Adobe readies patch cannons. Yet again
    http://www.theregister.co.uk/2016/05/12/flash_zero_day_hole/

    Adobe will this week patch a critical vulnerability in Flash Player that is being actively exploited in the wild.

    No information is available on the exploit (CVE-2016-4117) ahead of the patch that is set for release from tomorrow.

    “A critical vulnerability (CVE-2016-4117) exists in Adobe Flash Player 21.0.0.226 and earlier versions for Windows, Macintosh, Linux, and Chrome OS,” Adobe says.

    “Adobe is aware of a report that an exploit for CVE-2016-4117 exists in the wild.”

    Reply
  28. Tomi Engdahl says:

    Linux is evolving very quickly. According to kernel maintainer Greg Kroah-Hartman, 10,800 lines of new code are added to the kernel every day. On the other hand, 5,300 lines of code are also deleted from the kernel every day, and 1,875 lines of code are modified every day.

    According to Kroah-Hartman, the pace is not an end in itself, but a necessity of development. “Almost every bug can be a security risk. If the operating system does not change, it is dead.”

    Kroah-Hartman says they update their part of the Linux kernel once a week. Each new version contains an average of 100-150 corrections or patches.

    Unfortunately patching the kernel does not mean that projects based on it will be corrected at the same pace.

    Source: http://etn.fi/index.php?option=com_content&view=article&id=4406:linuxiin-yli-10-000-uutta-koodirivia-joka-paiva&catid=13&Itemid=101

    Reply
  29. Tomi Engdahl says:

    Suicide on Periscope Prompts French Officials to Open Inquiry
    http://www.nytimes.com/2016/05/12/world/europe/periscope-suicide-france.html?_r=0

    In a series of videos on the live-streaming app Periscope, she said that her name was Océane, that she was 19 and that she worked in a retirement home.

    At 4:29 p.m. on Tuesday, while recording herself on Periscope, the woman threw herself under a train at the Égly station, about 25 miles south of Paris.

    The videos are no longer available on Periscope, which is owned by Twitter, but excerpts from the videos were widely circulated on YouTube.

    The death appeared to be the latest of several recent episodes in which disturbing and violent acts have been transmitted via live-streaming technologies.

    Thomas Husson, a Paris-based analyst at the technology research company Forrester Research, said it was inevitable that live-streaming tools would be used to record tragic and even brutal events.

    “It’s both the good and bad part of these technologies: They allow people to enter other people’s private lives,” he said in a phone interview.

    “It would be very difficult to prevent such events from happening,” he said of the suicide. “We now live in a dictatorship of real time.”

    Mr. Husson added: “These technologies enable real-time streaming, which can have a lot of unintended consequences. Internet giants are starting to monitor how people use their technologies in real time, but it’s tricky. It’s almost impossible to control how people use social media.”

    Regulators have been trying to get a hold on new social media tools, like Periscope and Snapchat, mostly out of concern about their use by extremist organizations like the Islamic State.

    Twitter encourages people to submit a form if they believe that a user is at risk of self-harm.

    Reply
  30. Tomi Engdahl says:

    John Ribeiro / Computerworld:
    Mozilla court filing asks government to turn over details of Tor browser flaw to protect Firefox users before making details of vulnerability public — Mozilla says it wants to check if the vulnerable code is found in Firefox code — Mozilla has asked a court that it should be provided information …

    Mozilla wants U.S. to disclose to it first any vulnerability found in Tor
    http://www.computerworld.com/article/3069574/security/mozilla-wants-us-to-disclose-to-it-first-any-vulnerability-found-in-tor.html

    Mozilla says it wants to check if the vulnerable code is found in Firefox code

    Mozilla has asked a court that it should be provided information on a vulnerability in the Tor browser ahead of it being provided to a defendant in a lawsuit, as the browser is based in part on Firefox browser code.

    “At this point, no one (including us) outside the government knows what vulnerability was exploited and whether it resides in any of our code base,” wrote Denelle Dixon-Thayer, chief legal and business officer at Mozilla, in a blog post Wednesday.

    Mozilla is asking the U.S. District Court for the Western District of Washington, in the interest of Firefox users, to ensure that the government disclose the vulnerability to it before it is revealed to any other party. The rationale behind the request, according to Mozilla: Any disclosure without advance notice to Mozilla will increase the likelihood that the exploit will become public before Mozilla can fix any associated vulnerability in Firefox.

    Advanced Disclosure Needed to Keep Users Secure
    https://blog.mozilla.org/blog/2016/05/11/advanced-disclosure-needed-to-keep-users-secure/

    User security is paramount. Vulnerabilities can weaken security and ultimately harm users. We want people who identify security vulnerabilities in our products to disclose them to us so we can fix them as soon as possible. That’s why we were one of the first companies to create a bug bounty program and that’s why we are taking action again – to get information that would allow us to fix a potential vulnerability before it is more widely disclosed.

    Today, we filed a brief in an ongoing criminal case asking the court to ensure that, if our code is implicated in a security vulnerability, that the government must disclose the vulnerability to us before it is disclosed to any other party. We aren’t taking sides in the case, but we are on the side of the hundreds of millions of users who could benefit from timely disclosure.

    The relevant issue in this case relates to a vulnerability allegedly exploited by the government in the Tor Browser. The Tor Browser is partially based on our Firefox browser code. Some have speculated, including members of the defense team, that the vulnerability might exist in the portion of the Firefox browser code relied on by the Tor Browser.

    Court ordered disclosure of vulnerabilities should follow the best practice of advance disclosure that is standard in the security research community. In this instance, the judge should require the government to disclose the vulnerability to the affected technology companies first, so it can be patched quickly.

    Reply
  31. Tomi Engdahl says:

    We Said We’d Be Transparent … WIRED’s First Big HTTPS Snag
    https://www.wired.com/2016/05/wired-first-big-https-rollout-snag/

    Two weeks ago, WIRED.com tackled a huge security upgrade by starting a HTTPS transition across our site. (What’s HTTPS, and why is it such a big deal? Read all about it here.) The original plan was to launch HTTPS on our Security vertical and then roll it out across all of WIRED.com by May 12. However, only our Transportation vertical is making the switch today. We set ambitious goals for our HTTPS transition, so our revised timeline isn’t a total surprise—but we promised we’d be transparent about the process with our readers. So here are the unique challenges that are making our HTTPS launch take a little longer than we’d hoped.

    SEO

    Temporary SEO changes on your site are a possible consequence of transitioning to HTTPS.

    This type of SEO change is not without precedent. We expect that our site will rebound, so we are giving it more time to recover before committing to HTTPS everywhere.

    Mixed Content Issues

    As we previously explained, one of the biggest challenges of moving to HTTPS is preparing all of our content to be delivered over secure connections. If a page is loaded over HTTPS, all other assets (like images and Javascript files) must also be loaded over HTTPS. We are seeing a high volume of reports of these “mixed content” issues, or events in which an insecure, HTTP asset is loaded in the context of a secure, HTTPS page. To do our rollout right, we need to ensure that we have fewer mixed content issues—that we are delivering as much of WIRED.com’s content as securely possible.

    “When people ask why transitioning to HTTPS is so difficult, this is why: Sites like WIRED.com have a massive amount of data to process and understand.”

    We’ve learned a lot by monitoring mixed content issues in the past two weeks.

    We’ve been trying to find a suitable metric for gauging progress on handling mixed content issues. So far, we’ve found the ratio of mixed content issues to page views to be helpful. This metric is not affected by spikes in traffic and is thus a good metric to compare day-to-day progress towards our goals of minimizing mixed content issues.

    What’s Next?

    We promised we would be transparent about the struggles and triumphs of our HTTPS rollout. Today we’re acknowledging a delay—but we’ve got good news too. If you read this article about our editor Alex Davies blacking out in a jet, you’ll see that you are reading it over HTTPS.

    Reply
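    The mixed-content hunt described in the WIRED post above, as an added example (not WIRED’s own code or tooling): a scanner that flags the http:// sub-resources an HTTPS page would load, split into “active” and “passive” the way browsers treat them, plus the issues-per-page-view metric the post uses to track progress. Host names, the sample page and the daily counts are constructed.

```python
"""Mixed-content audit for an HTTPS rollout (added example; not WIRED's code).

find_mixed_content() lists the http:// sub-resources an HTTPS page would
fetch, classed the way browsers treat them: scripts, stylesheets, frames and
plugins are 'active' (blocked outright), images and media are 'passive'
(loaded with a warning).  issues_per_page_view() computes the metric the
post describes: mixed-content reports divided by page views, per day.
"""
from collections import namedtuple
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

MixedContent = namedtuple("MixedContent", "tag url severity")

# Tag -> attributes that name a sub-resource the browser will fetch.
RESOURCE_ATTRS = {
    "script": ("src",), "link": ("href",), "iframe": ("src",),
    "object": ("data",), "embed": ("src",), "img": ("src",),
    "video": ("src", "poster"), "audio": ("src",), "source": ("src",),
}
ACTIVE_TAGS = {"script", "iframe", "object", "embed"}


class _ResourceCollector(HTMLParser):
    """Collects (tag, attrs) for every start tag that may load a sub-resource."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        if tag in RESOURCE_ATTRS:
            self.tags.append((tag, dict(attrs)))


def _severity(tag, attrs):
    if tag in ACTIVE_TAGS:
        return "active"
    if tag == "link":
        rel = (attrs.get("rel") or "").lower().split()
        # A stylesheet runs in the page's origin; icons/prefetch hints do not.
        return "active" if "stylesheet" in rel else "passive"
    return "passive"


def find_mixed_content(page_url, html):
    """Return the http:// sub-resources that page_url would load.

    Only an https:// page can have mixed content, so an http:// page yields [].
    Relative and protocol-relative ('//cdn...') URLs inherit the page scheme
    and are therefore fine.
    """
    if urlparse(page_url).scheme != "https":
        return []
    collector = _ResourceCollector()
    collector.feed(html)
    issues = []
    for tag, attrs in collector.tags:
        for attr in RESOURCE_ATTRS[tag]:
            value = attrs.get(attr)
            if not value:
                continue
            absolute = urljoin(page_url, value.strip())
            if urlparse(absolute).scheme == "http":
                issues.append(MixedContent(tag, absolute, _severity(tag, attrs)))
    return issues


def issues_per_page_view(daily):
    """daily: {day: (mixed_content_reports, page_views)} -> {day: ratio}.

    Dividing by page views keeps the number stable across traffic spikes,
    which is why it works as a day-to-day progress metric.
    """
    return {day: reports / views
            for day, (reports, views) in sorted(daily.items()) if views}


# Constructed sample page (example.com hosts; not a real WIRED page).
SAMPLE_PAGE_URL = "https://www.example.com/story/2016/05/https-rollout"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="http://static.example.com/css/site.css">
<link rel="icon" href="http://static.example.com/favicon.ico">
<script src="//cdn.example.com/js/app.js"></script>
<script src="http://ads.example.net/tag.js"></script>
</head><body>
<img src="http://images.example.com/hero.jpg">
<img src="/images/logo.png">
<iframe src="https://video.example.com/embed/1"></iframe>
</body></html>
"""

# Constructed daily counts: (mixed-content reports, page views).
SAMPLE_DAILY = {
    "2016-05-10": (12000, 4_000_000),
    "2016-05-11": (6000, 6_000_000),   # traffic spike, yet fewer issues per view
}

if __name__ == "__main__":
    for issue in find_mixed_content(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"{issue.severity:7} <{issue.tag}> {issue.url}")
    for day, ratio in issues_per_page_view(SAMPLE_DAILY).items():
        print(f"{day}: {ratio:.4f} mixed-content reports per page view")
```

    The protocol-relative CDN script and the relative logo are not flagged because they inherit the page’s https:// scheme; the two “active” hits are the ones a browser would refuse to load at all.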
  32. Tomi Engdahl says:

    A warning message went to the wrong address – four minutes later there was an explosion in the subway

    The police tried to close the Brussels metro after the airport attack, but the e-mail went to the wrong address. Four minutes later the Maalbeek metro station exploded. Decuyper never saw the message because it was sent to his personal email address and not to his work mail.

    The key question has become how it was possible that the subway network was still operating at 9.11, more than one hour after the Zaventem airport attack.

    Source: http://www.iltalehti.fi/ulkomaat/2016051321555120_ul.shtml

    Reply
  33. Tomi Engdahl says:

    Device makers, telecoms face competing government demands on privacy
    http://in.reuters.com/article/usa-cyber-frankel-idINKCN0Y32P8

    For tech companies, there was a confounding juxtaposition in the news this week.

    On Monday, the Federal Trade Commission and the Federal Communications Commission announced a joint effort to assure that businesses are safeguarding their customers’ data. The FCC sent a letter to mobile carriers, citing “a growing number of vulnerabilities … that threaten the security and integrity of a user’s device and all the personal, sensitive data on it,” and asking how carriers address those vulnerabilities.

    The FTC simultaneously ordered eight manufacturers of mobile devices to respond to a detailed set of questions about how they update the devices’ security protections and keep customers informed of those updates.

    Meanwhile, on Wednesday, as Julia Harte reported for Reuters, FBI Director James Comey said in press briefing that he expects to keep litigating to force companies like Apple to help investigators access their customers’ data.

    Terrorist groups rely on encryption, Comey said, suggesting – as the government argued throughout its attempt to compel Apple to help crack security on an iPhone used by the San Bernardino shooter – that law enforcement agencies believe they are entitled to assistance from tech companies.

    Reply
  34. Tomi Engdahl says:

    Bangladesh Bank heist similar to Sony hack; second bank hit by malware
    http://in.reuters.com/article/us-usa-fed-bangladesh-idINKCN0Y40Z1

    Investigators probing the cyber heist of $81 million from the Bangladesh central bank connected it on Friday to the hack at Sony Corp’s film studio in 2014, while global financial network SWIFT disclosed a previously unreported attack on a commercial bank.

    SWIFT did not say which commercial bank it was or whether it had lost money, but cyber-security firm BAE Systems said a Vietnamese bank, which it did not name, had been a target. It was not clear if they were referring to the same attack and there was no immediate comment from authorities in Hanoi.

    SWIFT, the linchpin of the global financial system, said forensic experts believed the second case showed that the Bangladesh heist was not a single occurrence, but part of a wider campaign targeting banks.

    In both cases, SWIFT said, insiders or cyber attackers had succeeded in penetrating the targeted banks’ systems, obtaining user credentials and submitting fraudulent SWIFT messages that correspond with transfers of money.

    BAE Systems, Europe’s largest weapons maker, which also has a large cyber-security business, said it had uncovered evidence linking malicious software used in the Bangladesh heist to the high-profile attack on Sony’s Hollywood studio in 2014 and other cases.

    “What initially looked to be an isolated incident at one Asian bank turned out to be part of a wider campaign,” BAE’s cyber-security team said in a report it released on Friday.

    BAE also said it uncovered malware that was recently used to target a Vietnamese commercial bank using fraudulent messages on the SWIFT money-transfer network. The malware operated “in a similar fashion” to the Bangladesh Bank hack, BAE said.

    Reply
  35. Tomi Engdahl says:

    Another Flash security issue in the wild:

    Flash Player Help / Check if Flash Player installed on your computer
    https://helpx.adobe.com/flash-player.html

    Reply
  36. Tomi Engdahl says:

    Dozens of companies found open to SAP bug patched years ago
    Dangerous Invoker servlet function was disabled in 2010, but it lives on.
    http://arstechnica.com/security/2016/05/dozens-of-companies-breached-through-sap-bug-patched-years-ago/

    May 12, 2016 8:50 PDT: The researchers who originally discovered the SAP vulnerability say they have uncovered evidence that 36 organizations were vulnerable to the bug. They say there’s no evidence the organizations were actually breached. Ars has modified the original headline of this post to reflect this new information.

    More than 36 organizations—some in the gas, telecommunications, and steel manufacturing industries—have been breached by attackers exploiting a vulnerability in older SAP business applications that gives them remote access to highly confidential data, the US government-sponsored CERT warned Wednesday.

    The attacks were carried out over the past three years by attackers exploiting the “invoker servlet,” which is a set of functions in SAP applications that allows users to run Java applications without use of a password or other authentication measure. Attackers outside the targeted organizations have abused the feature to gain access to sensitive data and possibly to take control over servers that process the data, according to researchers at security firm Onapsis.

    “The exploitation of this vulnerability gives remote unauthenticated attackers full access to the affected SAP platforms, providing them with complete control of the business information and processes run by them, as well as potentially further access to connected SAP and non-SAP systems,”

    SAP fixed the vulnerability in 2010 when it disabled the invoker servlet by default. The companies getting hit by the attacks appear to be running SAP applications that either predate those updates or overrode the default settings, possibly to make the SAP offerings compatible with custom software.

    The Tip Of The Iceberg:
    Wild Exploitation & Cyber-attacks On SAP Business Applications
    https://www.onapsis.com/threat-report-tip-iceberg-wild-exploitation-cyber-attacks-sap-business-applications

    Understanding the DHS US-CERT Alert on SAP Cybersecurity

    On May 11, 2016, the first-ever US-CERT Alert for cybersecurity of SAP business applications was released by the Department of Homeland Security (DHS) to forewarn the cybersecurity community about the significance and implications of an SAP vulnerability, which was patched by SAP over five years ago, that is being leveraged to exploit SAP systems of many large-scale global enterprises. Below are some resources to help you better understand this vulnerability, the potential impact to an organization if it is exploited, as well as the mitigation steps to ensure your organization is not at risk.

    Reply
  37. Tomi Engdahl says:

    Compression tool 7-Zip pwned, pain flows to top security, software tools
    Attackers can score user privileges thanks to heap corruption hassle
    http://www.theregister.co.uk/2016/05/12/popular_zip_tool_7zip_pwned_pain_flows_to_top_security_software_tools/

    Some of the world’s biggest security and software vendors will be rushing to patch holes in implementations of the popular 7-zip compression tool to stop attackers gaining full control of customer machines.

    Cisco security researcher Marcin Noga found and reported the holes to the maintainers of the open source 7-Zip platform who kindly cooked up a fix.

    Colleague Jaeson Schultz told The Register the flaws could allow attackers to compromise updated machines, giving attackers the same access rights as logged-in users.

    “Anytime the vulnerable code is being run by any sort of privileged account, an attacker can exploit the vulnerability and execute code under those same permissions,” Schultz says.

    “A fully patched Windows 10 box lacking the 7-Zip fixes would not help you.”

    Many security and software products use 7-Zip. Google searches reveal hugely popular affected products including FireEye and MalwareBytes, however it is important to note the vulnerabilities are not due to flaws in these offerings.

    “An out-of-bounds read vulnerability exists in the way 7-Zip handles Universal Disk Format files … [which] can be triggered by any entry that contains a malformed Long Allocation Descriptor,”

    Reply
  38. Tomi Engdahl says:

    Don’t feel guilty: This is your brain on piracy
    A new study shows why you don’t feel bad about torrenting the latest “Game of Thrones”.
    http://www.cnet.com/news/this-is-your-brain-on-piracy-no-guilt/

    In addition to its number of venomous animals per capita, sunny beaches and an interminable fascination with cricket, Australia puts the world to shame when it comes to piracy. Despite a relatively small population, our fair island state leads the world in “Game of Thrones” piracy (three years running, no less).

    But it’s totally not our fault, says a new study conducted by Monash University. Or, at least, it explains why we don’t feel so guilty about doing it.

    “The findings from the two brain imaging experiments suggest that people are processing the intangible and tangible objects very differently within their brains,” Eres said.

    Eres went on to say that this could also explain why people feel far less guilt over things like online bullying or hacking, compared to their physical counterparts.

    The science behind piracy: Guilt portion of the brain fails to fire
    http://www.monash.edu/news/show/the-science-behind-piracy

    Reply
  39. Tomi Engdahl says:

    Tieto founded a 24-hour security center

    IT service company Tieto has set up an operational security center. It is part of the company’s internal security services start-up unit, which began operations in January.

    The information security center monitors business-critical security events around the clock and analyzes the general situation picture.

    Tieto also announced on Friday that the company has expanded its security consulting services. These include, inter alia, analysis of the most critical risks and vulnerabilities, as well as general security services and ensuring compliance with requirements (compliance).

    Large IT service companies are diligently expanding their services on the data security side. CGI also opened an around-the-clock cyber security center in Finland last year.

    Source: http://www.tivi.fi/Kaikki_uutiset/tieto-perusti-ymparivuorokautisen-tietoturvakeskuksen-6550211

    Reply
  40. Tomi Engdahl says:

    Meta Data, Big Data and the Coming Tectonic Shift in Security
    https://webinar.darkreading.com/2102?keycode=DRWE01

    While yesterday’s security model was largely based on prevention of breaches, tomorrow’s security solutions will increasingly focus on detection of breaches from within followed by containment. This is a large shift both in terms of investment dollars and technologies. Focusing on detection of breaches provides an opportunity to reverse the asymmetry between the attacker and defender and shift the odds of success in favor of the defender. However, a detection based strategy requires building context of the organization’s operating environment, triangulating bad-like behavior against what is normal-like behavior for an organization and trying to identify anomalies.

    Reply
  41. Tomi Engdahl says:

    Building an Effective Defense Against Ransomware
    https://webinar.darkreading.com/1995?keycode=DRWE01

    A growing number of enterprises are being hit by attacks of ransomware, in which critical systems or data are maliciously encrypted or threatened until an enterprise victim pays a ransom.

    Reply
  42. Tomi Engdahl says:

    While Open Source Software provides many competitive advantages, most technology companies are yet to uncover its full potential and even slower to deploy basic compliance and risk avoidance measures concerning its use. Many have no strategy for optimizing development with Open Source Software and often ignore or are unaware of the technical, business and legal opportunities and challenges of multi-source development. Open Source Software governance includes strategy, compliance processes, legal compliance, knowledge building and sharing and an increased emphasis on data security management.

    Reply
  43. Tomi Engdahl says:

    70,000 OkCupid Users Had Their Data Published
    http://motherboard.vice.com/read/70000-okcupid-users-just-had-their-data-published

    A student and a co-researcher have publicly released a dataset on nearly 70,000 users of the dating site OkCupid, including their sexual turn-ons, orientation, usernames and more. And critics say it may be possible to work out users’ real identities from the published data.

    The situation is raising questions about what type of data researchers should be allowed to collect en masse, repackage and perhaps distribute.

    Information posted to OkCupid is semi-public: you can discover some profiles with a Google search if you type in a person’s username, and see some of the information they’ve provided, but not all of it. In order to do that, you need to log into the site. Such semi-public information uploaded to sites like OkCupid and Facebook can still be sensitive when taken out of context—especially if it can be used to identify individuals.

    “OkCupid is an attractive site to gather data from,”
    “The OKCupid dataset: A very large public dataset of dating site users.”

    The data was collected between November 2014 to March 2015 using a scraper—an automated tool that saves certain parts of a webpage—from random profiles that had answered a high number of OkCupid’s multiple-choice questions. These include things like whether they ever do drugs, whether they’d like to be tied up during sex, or what’s their favourite out of a series of romantic situations.

    This was all information available to users of OkCupid once they were signed in. Arguably, the data was public, as it didn’t contain direct messages, or anything of that sort.

    “It is our hope that other researchers will use the dataset for their own purposes,” the paper reads.

    But plenty of academics are unhappy with the publication of this data.

    Reply
  44. Tomi Engdahl says:

    Multiple 7-Zip Vulnerabilities Discovered by Talos
    http://blog.talosintel.com/2016/05/multiple-7-zip-vulnerabilities.html

    7-Zip vulnerabilities were discovered by Marcin Noga.
    Blog post was authored by Marcin Noga, and Jaeson Schultz.

    7-Zip is an open-source file archiving application which features optional AES-256 encryption, support for large files, and the ability to use “any compression, conversion or encryption method”. Recently Cisco Talos has discovered multiple exploitable vulnerabilities in 7-Zip. These types of vulnerabilities are especially concerning since vendors may not be aware they are using the affected libraries. This can be of particular concern, for example, when it comes to security devices or antivirus products. 7-Zip is supported on all major platforms, and is one of the most popular archive utilities in use today. Users may be surprised to discover just how many products and appliances are affected.

    TALOS-CAN-0094, Out-of-Bounds Read Vulnerability, [CVE-2016-2335]
    An out-of-bounds read vulnerability exists in the way 7-Zip handles Universal Disk Format (UDF) files. The UDF file system was meant to replace the ISO-9660 file format, and was eventually adopted as the official file system for DVD-Video and DVD-Audio.

    This vulnerability can be triggered by any entry that contains a malformed Long Allocation Descriptor.

    TALOS-CAN-0093, Heap Overflow Vulnerability, [CVE-2016-2334]
    An exploitable heap overflow vulnerability exists in the Archive::NHfs::CHandler::ExtractZlibFile method functionality of 7-Zip. In the HFS+ file system, files can be stored in compressed form using zlib. There are three different ways of keeping data in that form depending on the size of the data. Data from files whose compressed size is bigger than 3800 bytes is stored in a resource fork, split into blocks.

    Block size information and their offsets are kept in a table just after the resource fork header.

    Conclusion
    Sadly, many security vulnerabilities arise from applications which fail to properly validate their input data. Both of these 7-Zip vulnerabilities resulted from flawed input validation.

    Reply
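    Both Talos findings come down to trusting size and offset fields read from the file. The C program below is an added illustration, not Talos’s or 7-Zip’s code: it parses a block offset/size table of the kind the HFS+ write-up describes, using an assumed, simplified table layout and constructed sample input, and shows the overflow-safe bounds check that separates a heap overflow from a rejected file.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed, simplified table layout (NOT the real HFS+ decmpfs resource fork
 * format): a 4-byte big-endian block count, then count (offset, size) pairs
 * of 4-byte big-endian values, each relative to the data area that follows
 * the table. The point is the validation, not the exact on-disk layout. */
typedef struct {
    uint32_t offset;
    uint32_t size;
} block_entry;

static uint32_t rd_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* The kind of check a careless parser does: off + size wraps around in
 * 32-bit arithmetic, so an absurd size can look "in bounds". */
int naive_in_bounds(uint32_t off, uint32_t size, uint32_t data_len) {
    return off + size <= data_len;
}

/* Parse and validate the table. Returns the number of blocks on success,
 * -1 if anything in the table would read outside buf[0..len). */
int parse_block_table(const uint8_t *buf, size_t len,
                      block_entry *out, size_t max_out) {
    if (len < 4) return -1;                       /* no room for the count */
    uint32_t count = rd_be32(buf);
    if (count > max_out) return -1;               /* also bounds the table size */
    size_t table_bytes = 4 + (size_t)count * 8;
    if (table_bytes > len) return -1;             /* table runs past the buffer */
    size_t data_len = len - table_bytes;
    for (uint32_t i = 0; i < count; i++) {
        const uint8_t *e = buf + 4 + (size_t)i * 8;
        uint32_t off = rd_be32(e), size = rd_be32(e + 4);
        if (size == 0) return -1;
        /* Overflow-safe: compare size against the remaining space, never off + size. */
        if (off > data_len || size > data_len - off) return -1;
        out[i].offset = off;
        out[i].size = size;
    }
    return (int)count;
}

/* Constructed sample forks (not real archive data). */
static const uint8_t GOOD_FORK[] = {
    0,0,0,2,  0,0,0,0, 0,0,0,4,  0,0,0,4, 0,0,0,6,   /* 2 blocks: [0,4) [4,10) */
    1,2,3,4,5,6,7,8,9,10 };                         /* 10-byte data area */
static const uint8_t WRAP_FORK[] = {
    0,0,0,1,  0,0,0,8, 0xFF,0xFF,0xFF,0xFC,          /* off 8, size 0xFFFFFFFC */
    1,2,3,4,5,6,7,8,9,10 };
static const uint8_t HUGE_COUNT_FORK[] = { 0x7F,0xFF,0xFF,0xFF, 1,2,3,4,5,6 };

int check_good_fork(void) {
    block_entry e[8]; return parse_block_table(GOOD_FORK, sizeof GOOD_FORK, e, 8);
}
int check_wrap_fork(void) {
    block_entry e[8]; return parse_block_table(WRAP_FORK, sizeof WRAP_FORK, e, 8);
}
int check_huge_count(void) {
    block_entry e[8]; return parse_block_table(HUGE_COUNT_FORK, sizeof HUGE_COUNT_FORK, e, 8);
}

int main(void) {
    printf("good fork: %d blocks\n", check_good_fork());            /* 2 */
    printf("wrapping entry: %d (naive check says %d)\n",
           check_wrap_fork(), naive_in_bounds(8, 0xFFFFFFFCu, 10));  /* -1, 1 */
    printf("huge count: %d\n", check_huge_count());                  /* -1 */
    return 0;
}
```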
  45. Tomi Engdahl says:

    Hardcore fetish forum hacked, personal details leaked, including .gov email addresses
    http://www.neowin.net/news/hardcore-fetish-forum-hacked-personal-details-leaked-including-gov-email-addresses

    An online hardcore fetish forum has been the subject of a hack, resulting in more than 100,000 user details being leaked. The details include: usernames, IP addresses, email addresses and weakly-hashed passwords.

    The breach was discovered by the founder of Have I Been Pwned, Troy Hunt. The service is used to find out if you have been the subject of a data breach by entering your email address. He was made aware of the leak by somebody who is involved in the trading of such information and the person then provided him with a download link for the data. It was verified as accurate by using the password reset function of the affected website.

    Whilst talking to the BBC, Troy explained that the forum was exploited by an SQL injection vulnerability, as the site was using an outdated piece of software.

    Traceable data ‘stolen from fetish forum’
    http://www.bbc.com/news/technology-36275547

    Reply
  46. Tomi Engdahl says:

    Second Bank Hit By ‘Sophisticated’ Malware Attack, Says Swift
    https://yro.slashdot.org/story/16/05/13/1659237/second-bank-hit-by-sophisticated-malware-attack-says-swift

    Swift, the global financial messaging network that banks use to move billions of dollars every day, warned of a second malware attack similar to the one that led to February’s $81 million cyberheist at the Bangladesh central bank. The second case targeted a commercial bank, Swift spokeswoman Natasha de Teran said, without naming it.

    Swift said in a statement that the attackers exhibited a “deep and sophisticated knowledge of specific operational controls” at targeted banks.

    SWIFT Customer Communication: Customer Security Issues
    https://www.swift.com/insights/press-releases/swift-customer-communication_customer-security-issues

    No impact on SWIFT network, core messaging services or software

    SWIFT has issued a notice to all its customers about a newly identified malware found in a customer’s environment.

    Reply
  47. Tomi Engdahl says:

    Yet another SE Asia bank hit by a SWIFT credentials hack
    Bank network’s quick to blame others, notes El Reg source
    http://www.theregister.co.uk/2016/05/13/swift_credential_hack_reoaded/

    Cybercrooks have once again broken into the SWIFT financial transaction network and stolen money from another bank.

    The breach – victim and amount looted undisclosed – comes as the fallout from February’s $81m Bangladesh reserve bank cyber-heist continues to spread.

    The second robbery was uncovered by investigators looking into the looting of funds held by the central bank of Bangladesh at the Federal Reserve Bank of New York.

    The second heist involves an unnamed commercial bank but may have been carried out using similar malware in follow-up attacks by the same group of attackers, The New York Times reports.

    http://www.nytimes.com/2016/05/13/business/dealbook/swift-global-bank-network-attack.html?_r=0

    Reply
  48. Tomi Engdahl says:

    Symantec: I know we said things’d get better when we sold Veritas…
    But we need $400m cost savings. Which means fewer people, less real estate
    http://www.theregister.co.uk/2016/05/13/symantec_i_know_we_said_things_would_get_better_when_we_sold_vertias/

    Symantec is slipping back into cost-cutting mode just months after the split with storage arm Veritas was supposed to provide the healing balm the business so clearly needed.

    The standalone security biz wants to carve out savings of $400m via an “efficiency programme” that includes “eliminating stranded costs” from the sale of Veritas; “rationalising corporate infrastructure” including slashing 1,200 jobs; and “simplifying” the enterprise portfolio.

    The move was confirmed as Symantec rolled out financials for fiscal ’16 ended April Fool’s Day – sales slid three per cent to $873m, as expected.

    The firm warned of the shortfall last month when CEO and president Michael Brown confirmed he is to stand down.

    He said enterprise security sales were down four per cent to $467m “driven by declines in both threat protection and information protection that were offset by growth in cyber security and other services”.

    Some 1.2 million Advanced Threat Protection subscriptions were flogged by Symantec.

    The enterprise wing posted operating profit that was breakeven (versus an operating loss of $47m in Q4 ’15), and the consumer arm said operating profit fell 10 per cent to $217m.

    Reply
  49. Tomi Engdahl says:

    36 firms at risk from that unpatched 2010 SAP vuln? Try 500+
    Fixing Java-related bug trickier than it sounds, claims ERP security firm
    http://www.theregister.co.uk/2016/05/13/sap_six_year_unpatched_bug_analysis/

    A vulnerability in SAP systems that some enterprises have failed to patch for six years is more difficult to fix than previously reported and estimates of enterprise exposure are way too low, according to the security consultancy that originally found it.

    US-CERT took the unprecedented move on Wednesday of enumerating in an alert that 36 organisations have failed to correctly patch a flaw resolved by SAP way back in 2010, as previously reported.

    The vulnerability relates to a misconfiguration flaw in “Invoker Servlet”, a component of the NetWeaver Application Server Java systems (SAP Java platforms).

    ERPScan, the ERP security specialist firm which originally discovered the misconfiguration flaw (research pdf here), said that Onapsis’s figures on exposure to the vulnerability are optimistic by more than an order of magnitude.

    Alexander Polyakov, CTO at ERPScan, told El Reg that its research suggests as many as 533 organisations are at risk.

    “Onapsis said that 36 organizations were actually breached,” Polyakov told El Reg. “Our assumption is that all of them were just examples of vulnerable systems which white-hats publish on their forum.”

    Patching headache

    The Invoker Servlet vulnerability affects business applications running on SAP Java platforms.

    Finding what systems need patching is far removed from the trivial.

    The reason that some organisations are still exposed to the flaw more than six years after the release of a patch is more complex than simple tardiness or a lackadaisical attitude to patching, according to ERPScan.

    “This vulnerability was not easy to patch; first, it was necessary to analyse many options and then configure every service securely,” Polyakov of ERPScan told El Reg.

    ERPScan released a free tool (ERPScan WEBXML Checker) to make the process of identifying vulnerable systems and patching easier.

    Free Security Tools for SAP Security Testing
    ERPScan SAP Pentesting Tool – SAP security testing solution
    https://erpscan.com/research/free-pentesting-tools-for-sap-and-oracle/

    ERPScan SAP Pentesting Tool is NOT a demo or a part of professional products such as ERPScan Security Scanner or ERPScan Security Monitoring Suite. It is just a set of Perl scripts for penetration testers.

    Reply
