Security trends for 2016

Here are my predictions for trends in information security and cyber security for year 2016.

Year 2015 was pretty bad for information security, and I would say that the trend is worrying. So I expect that the year 2016 will have many information security challenges. If you want to keep yourself up at night, spend some time reading about the latest developments in cybersecurity. In 2015 airplanes were hacked, cars were hacked, and vulnerabilities were found in a breathtaking range of sensitive equipment from TSA locks to voting booths to medical devices. The big picture is even scarier. Former NSA Director Mike McConnell suspects China has hacked “every major corporation” in the US. Those problems will continue in 2016 and some new targets for attacks will be found. The system is broken. It isn’t keeping us, our companies, or our government safe. Worse yet, no one seems to know how to fix it.

Attacks through networks are becoming more common all the time. It will be hard to protect against targeted attacks. Hackers will not only customize malware, but they will increasingly use sophisticated phishing and social engineering tricks to gain access to sensitive data. Attackers usually cover their tracks carefully, and identifying the source of an attack can be very difficult. Behind targeted attacks are usually professional criminals. Criminals do not respect geographical borders, and hence attacks are spread evenly everywhere. Companies will struggle to absorb the security threats of combined PC and mobile devices in 2016.

 


EU information security decisions made in late 2015 will have an impact on what comes in 2016: the new EU data protection legislation package was approved, and the EU Court of Justice ruled that the Safe Harbor procedure is invalid. This means that transfers of personal data from EU countries to the United States under Safe Harbor are a violation of the law; you need some other agreement for this. The situation will probably get clarified during 2016. Data protection legislation changes will lead to increased fines for the unprepared. Legal uncertainty and big fines are a toxic cocktail for some companies. The combination of stiff penalties and ambiguously worded provisions in the new EU-wide data-protection law, which would replace a patchwork of 28 national laws, raises daunting prospects for companies operating in Europe.

After the huge number of user information leaks in 2015 from all kinds of Internet services, cloud companies will face challenges in gaining trust in their security. You might have just dared to trust “the right cloud services,” since from the traditional information security point of view they seem to be mostly okay, but the leaks have raised privacy issues.

New environments will bring new threats. New operating system versions mean that administrators and users are less familiar with the environments. IPv6 will get more widely used, and the security of IPv6 networks is different from IPv4. Organizations are moving to virtualized environments, which are complex and create network layers that can become an attack vector. Growing network virtualization functionality and programmability are both an opportunity and a threat to security. Cyber security research will be important in 2016, as 5G networks will be critical infrastructure on top of which, for example, transport, industry, health care and new operators will set up their business around 2020.

The huge amount of information security information is becoming harder and harder to manage in 2016. A key problem with security revelations, as with all other news coverage, is the exponential growth of information. There is a variety of news summaries produced on a daily basis, but they are not enough to get a good picture of what is happening. There are bigger and smaller news items, the impact of which is at times very difficult to assess. SMBs will become a bigger target for cybercriminals. Network and security professionals continue to be among the toughest IT talent to find and hire.

The old way of network security, focused on perimeter defense, is not enough in 2016. The old mantras “encrypt everything” and “secure the perimeter” are not enough. One deceptive truth seems to drive much of the cybersecurity industry down a rabbit hole: if you keep bad actors and bad software out of your system, you have nothing to worry about. It does not work like that anymore. As perimeter security gets stronger, malicious actors are looking for easier entry points to compromise an organisation through the breadth of its digital attack surface. Now malicious actors target “endpoints”—any device or sensor connected to a network—to break into that network. Traditional sandboxing will no longer protect against the growing malware landscape. Today, most private networks have far too many endpoints to properly secure. In an age of “Bring Your Own Device,” the cloud, remote access, and the Internet of Things, there are too many vulnerabilities hackers can exploit. Keep in mind that everything connected to the Internet can, and will, be hacked. To address those threats in 2016, security experts should assume compromise – that hackers and malware already have breached their defenses, or soon will – and instead classify and mitigate threats. In addition to a public key infrastructure lock-and-key system, you will also need an integrity solution that acts like an alarm. To protect against advanced threats, security professionals will increase their reliance on centralized security management solutions. You need to have prioritization and response plans for various kinds of breaches – with a strong focus on integrity.

The tension between law enforcement and Silicon Valley will continue to be strong throughout 2016. In 2015 law enforcement and politicians on both sides of the Atlantic lined up to repeatedly complain that the web was “going dark” as the result of end-to-end encryption and that this was hampering the investigation of terrorism and other serious crimes. Technologists and cryptographers argue that governments are trying to weaken encryption by demanding some form of privileged access for government. It’s not clear how much encryption the NSA can break. With renewed focus on how encrypted messages can be used to plot terrorist attacks, President Barack Obama’s administration is stepping up pressure on the tech sector to help in the battle. Privacy remains a major counter-argument. It seems that governments lie about encryption backdoors. Encryption systems weakened by mandated backdoors would not be effective in fighting the terrorists that governments invoke as their reason for wanting those backdoors in the first place.

But this does not stop some government officials from demanding such things, with varying success in different countries. Another fact is that the existence of coded communications is a reality, and the U.S. may not be able to do much about it because nearly everyone living in modern society uses it: encryption protects your bank information, prevents your password from being stolen when you log into a website, and allows all e-commerce transactions to take place securely. Encryption weakened by mandated backdoors would put all of us at an enormous risk of exposure from data breaches and associated online risks. The truth in 2016 is that any form of privileged access for government – i.e., a backdoor – would inevitably weaken crypto-systems and make them more vulnerable to attacks by foreign governments’ intelligence agencies as well as criminals. Juniper’s VPN security hole is proof that government backdoors are bonkers. Encryption backdoors would be a gleeful win-win for terrorists and a horrific lose-lose for you – the bad guys having strong protections for their data, and the rest of us not. A poorly thought-out and crude surveillance technique could have a devastating effect on a country’s internet security: for example, Kazakhstan will force its citizens to install internet backdoors by requiring all Internet users to install a state-issued root certificate by January 1, 2016.

Google, Mozilla and Microsoft are pushing for an early SHA-1 cutoff that could happen in 2016 instead of the earlier planned January 1st, 2017, due to recent research showing that SHA-1 is weaker than previously believed, because it can be cracked without enormous effort. Mozilla, Microsoft and now Google are all considering bringing the deadline forward by six months to July 1, 2016. SHA-2 is going to be used as the replacement function for SHA-1. Websites like Facebook and those protected by CloudFlare have implemented a SHA-1 fallback mechanism for those systems that do not support SHA-2. Chrome will start displaying errors if SHA-1 certificates are used in early 2016 and will completely stop supporting SHA-1 certificates at the end of 2016.
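The practical question behind the cutoff is which certificates in your own inventory are still signed with SHA-1. The following is an added example, not code from this post or from any browser vendor: a dependency-free check that reads the outer signatureAlgorithm OID of a DER/PEM certificate and says whether it needs replacing. The sample "certificates" it runs on are constructed stand-ins (real outer layout, dummy body), because no real certificate appears on this page.

```python
import base64

# Signature-algorithm OIDs found in a certificate's outer signatureAlgorithm
# field, mapped to (name, uses_sha1). OIDs per RFC 3279, RFC 4055 and RFC 5758.
SIG_ALGS = {
    "1.2.840.113549.1.1.5":  ("sha1WithRSAEncryption", True),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", False),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", False),
    "1.2.840.10045.4.1":     ("ecdsa-with-SHA1", True),
    "1.2.840.10045.4.3.2":   ("ecdsa-with-SHA256", False),
    "1.2.840.10045.4.3.3":   ("ecdsa-with-SHA384", False),
}


def read_tlv(buf, pos):
    """Decode one DER tag-length header at pos; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length


def decode_oid(raw):
    """Convert OBJECT IDENTIFIER content octets (base-128 arcs) to dotted form."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear ends the current arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm_oid(der):
    """Walk Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    tag, start, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    _, _, tbs_end = read_tlv(der, start)        # skip over tbsCertificate
    tag, alg_start, _ = read_tlv(der, tbs_end)   # AlgorithmIdentifier SEQUENCE
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid_start, oid_end = read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not begin with an OID")
    return decode_oid(der[oid_start:oid_end])


def classify(der):
    """Return (algorithm name, signed_with_sha1) for one DER-encoded certificate."""
    oid = signature_algorithm_oid(der)
    return SIG_ALGS.get(oid, (oid, False))  # unknown OID: report it, do not guess


def pem_to_der(pem_text):
    """Strip the PEM armour lines and base64-decode the body."""
    body = "".join(l for l in pem_text.splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)


def to_pem(der):
    b64 = base64.b64encode(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "\n-----END CERTIFICATE-----\n"


# --- constructed test material (not real certificates) ----------------------
def _der(tag, payload):
    """Encode one DER element, choosing short or long length form."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


SHA1_RSA_OID_HEX = "2a864886f70d010105"      # 1.2.840.113549.1.1.5
SHA256_RSA_OID_HEX = "2a864886f70d01010b"    # 1.2.840.113549.1.1.11
ECDSA_SHA256_OID_HEX = "2a8648ce3d040302"    # 1.2.840.10045.4.3.2


def constructed_cert(alg_oid_hex):
    """Stand-in certificate: real outer layout, dummy tbsCertificate and signature bytes."""
    tbs = _der(0x30, _der(0x02, b"\x02"))                                    # fake tbsCertificate
    alg = _der(0x30, _der(0x06, bytes.fromhex(alg_oid_hex)) + _der(0x05, b""))
    sig = _der(0x03, b"\x00" + bytes(200))   # long enough to exercise long-form lengths
    return _der(0x30, tbs + alg + sig)


if __name__ == "__main__":
    for label, oid_hex in (("sha1-rsa", SHA1_RSA_OID_HEX), ("sha256-rsa", SHA256_RSA_OID_HEX),
                           ("ecdsa-p256", ECDSA_SHA256_OID_HEX)):
        name, weak = classify(pem_to_der(to_pem(constructed_cert(oid_hex))))
        print(f"{label}: {name} -> {'REPLACE before the cutoff' if weak else 'ok'}")
```

Run it over the PEM files in your trust stores and server configs; a SHA-1 signature on a self-signed root is not itself a problem, since browsers trust roots by identity rather than by verifying their signature, so the hits that matter are leaf and intermediate certificates.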

The use of blockchain technology, a permissionless distributed database based on the Bitcoin protocol that runs across a global network of independent computers, will spread more widely than just the Bitcoin virtual currency. With Bitcoin, the blockchain tracks the exchange of money. But it can also track the exchange of anything else that holds value, including stocks, bonds, and other financial securities. Overstock has already used the blockchain to issue private bonds. The Securities and Exchange Commission has approved a plan from online retailer Overstock.com to issue company stock via the Internet, signaling a significant shift in the way financial securities will be distributed and traded in the years to come. Overstock built its technology under the aegis of a subsidiary called TØ.com, and it plans to offer this “cryptosecurity” tech as a service to other businesses. Nasdaq OMX—the company behind the Nasdaq stock exchange—is using the blockchain to oversee the exchange of private stock. Also several major companies from across both the technology and financial industries—including IBM, Intel, and Cisco as well as the London Stock Exchange Group and big-name banks JP Morgan, Wells Fargo, and State Street—have joined forces with the Linux Foundation to create an alternative to the blockchain.

The use of disk encryption will increase, and there are different ways to do it with different security levels. Microsoft has introduced Windows 10 disk encryption in which the recovery keys are uploaded to Microsoft. This approach has some advantages and disadvantages. The gold standard in disk encryption is end-to-end encryption, where only you can unlock your disk. This is what most companies use, and it seems to work well. It protects data in case your device is lost or stolen. But what if you forget or lose your key? There are certainly cases where it’s helpful to have a backup of your key or password – so keeping a backup of your recovery key in your Microsoft account could be genuinely useful for probably the majority of users who don’t have high security needs. The disadvantage of this approach is that your computer is now only as secure as that database of keys held by Microsoft, which means it may be vulnerable to hackers, foreign governments, and people who can extort Microsoft employees.


Weak and leaked passwords are still a huge security problem in 2016. Passwords are often the weakest part when it comes to securing users’ accounts, as many don’t use complex passwords or they reuse the same password across services. Two-factor authentication – like using a USB stick with a secret token or entering a code sent via text message to your phone – can help to increase security, but many users also find this to be a hassle as it introduces an additional step to the login process.

Google has begun testing a login system that uses phone notifications for authentication instead of passwords: users authenticate by responding to a notification sent to their smartphone. The idea is similar to Yahoo’s recently launched “Account Key,” which also offers a password-free means of signing in involving a push notification sent to your phone that then opens an app where you approve the log-in.

The smartphone will become a more and more security-critical part of your life. “Increasingly, individuals and organisations are adopting password managers and multi-factor authentication technologies to plug some of the holes in password-based authentication. We foresee a world where practically everyone uses their smartphone as a multi-factor authentication element. In this world, the smartphone becomes your most valuable asset: something that enables you to unlock your life online and a target for attackers seeking to access your services.”

Expect that the number of mobile vulnerabilities will only grow in 2016. In 2016 we will see increasing numbers of cyber criminals using mobile applications to spread malware. Mobile presents an easy target for cyber criminals, because it is an attack surface that is open and extremely difficult to defend once an app has been released. Android threats will become more than just headline-grabbers. Will 2016 be the year iOS malware goes mainstream?


Critical infrastructures will be highly targeted in 2015. SCADA and ICS networks were not designed for security. Attacks against these systems have increased in recent years. I expect this trend to only get worse. There are still many companies that run their critical systems on Windows XP, as “there are some people who don’t have an option to change.” Many times the OS is running in automation and process control systems that run business- and mission-critical systems, both in private sector and government enterprises. For example, the US Navy is using the obsolete operating system Microsoft Windows XP to run critical tasks. It all comes down to money and resources, but if someone is obliged to keep something running on an obsolete system, it’s completely the wrong approach to information security.

Cars were hacked at a record rate in 2015, and they will be hacked at least at the same rate in 2016. Modern cars feature more gadgetry and connected systems, and this will make vehicles just as vulnerable to today’s threats and attacks. I Am The Cavalry has published a five-star Cyber Safety Framework to mitigate this threat in cars; hopefully car component makers study it.

IoT and smart devices are still at risk. The Internet of Things will continue to emerge, and businesses will need to think about how to protect their smart devices and prepare for the wider adoption of IoT. IoT platforms are not yet the weapon of choice for commercial malware authors, but businesses should beware. Wearables won’t be safe either, as they are built using largely the same, too often vulnerable, technologies as other IoT systems. IoT security is still in its infancy in 2016.

Cyber criminals became more active in 2015, particularly with ransomware. The ransomware problem will continue to be big in 2016. Commercial malware authors will continue to invest heavily, and exploit kits will continue to dominate on the web. Ransomware today is big business. Ransomware takes control of a computer and holds it hostage until the victim pays, usually in the digital currency Bitcoin. As a remedy against ransomware, I recommend making sure that your IT support or service provider has the data backup and restore procedure operational, practiced and tested. You may need it in 2016 to get your data back without having to consider paying criminals. To date ransomware has hit Windows users hardest, although Android and MacOS users are now also facing similar extortion.

Ransomware will continue to dominate in 2016, and it is only a question of time before we see things beyond data being ransomed. We have already seen websites being held to ransom with DDoS. Intel’s McAfee Labs also noted a huge spike in ransomware in early 2015, and worries about ransomware in the IoT space—including medical devices. And Kaspersky predicts the “nightmare of ransomware” to continue and “spread to new frontiers” in 2016. The article “Ransomware Is Coming to Medical Devices” tells that, according to a report released recently by Forrester Research, the number one cybersecurity prediction for 2016 is: “We’ll see ransomware for a medical device or wearable.” “It’s definitely feasible from a technical standpoint.” Networked medical devices save lives. Despite the hacking risk, it’s an informed trade-off. Medical device ransomware would be a modern form of highway robbery with lives at stake.

2,232 Comments

  1. Tomi Engdahl says:

    Kill Flash now? Chrome may be about to do just that
    Google browser preparing to close the internet’s screen door
    http://www.theregister.co.uk/2016/05/13/kill_flash_now_chrome_may_be_about_to_do_just_that/

    Google’s Chrome web browser could be disabling all Flash content by default before the year’s out.

    El Reg has learned that developers with the Chromium Project are working on a new feature known as ‘HTML5 by Default’.

    The move could help to keep users safe by locking off a favorite target for web-based malware exploits.

    As its name suggests, the feature would set Chrome to run the HTML5 version of web pages by default. If not available, the browser would then check for Flash content and ask the user to manually approve it before loading.

    This would, in effect, seal off Flash content from the user unless absolutely necessary, though Chromium developers do note that they plan to exempt the top 10 domains that use Flash for one year in order to reduce impact of the blockade.

    Reply
  2. Tomi Engdahl says:

    4 Ways to Protect Against the Very Real Threat of Ransomware
    https://www.wired.com/2016/05/4-ways-protect-ransomware-youre-target/

    Ransomware is a multi-million-dollar crime operation that strikes everyone from hospitals to police departments to online casinos.

    It’s such a profitable scheme that experts say traditional cyberthieves are abandoning their old ways of making money—stealing credit card numbers and bank account credentials—in favor of ransomware.

    But now that lawmakers on Capitol Hill are in the sights of cyber extortionists, the government will finally do something to stop the scourge, right?

    Don’t count on it. You’re still largely on your own when it comes to fighting ransomware attacks, which hackers use to encrypt your computer or critical files until you pay a ransom to unlock them. You could choose to cave and pay, as many victims do. Last year, for example, the FBI says victims who reported attacks to the Bureau enriched cyber extortionists’ coffers by $24 million.

    But even if you’ve backed up your data in a safe place and choose not to pay the ransom, this doesn’t mean an attack won’t cost you.

    The damages include the cost of disinfecting machines and restoring backup data—which can take days or weeks depending on the organization.

    First of All, Who Are Ransomware’s Prime Targets?

    Any company or organization that depends on daily access to critical data—and can’t afford to lose access to it during the time it would take to respond to an attack—should be most worried about ransomware. That means banks, hospitals, Congress, police departments, and airlines and airports should all be on guard. But any large corporation or government agency is also at risk, including critical infrastructure, to a degree.

    1. Back Up, as Big Sean Says

    The best defense against ransomware is to outwit attackers by not being vulnerable to their threats in the first place. This means backing up important data daily, so that even if your computers and servers get locked, you won’t be forced to pay to see your data again.

    “More than 5,000 customers have called us for help with ransomware attacks in the last 12 months,”

    2. Just Say No—To Suspicious Emails and Links

    The primary method of infecting victims with ransomware involves every hacker’s favorite bait—the “spray-‘n’-pray” phishing attack, which involves spamming you with emails that carry a malicious attachment or instruct you to click on a URL where malware surreptitiously crawls into your machine. The recent ransomware attacks targeting Congressional members prompted the House IT staff to temporarily block access to Yahoo email accounts, which apparently were the accounts the attackers were phishing.

    3. Patch and Block

    But users should never be considered the stop-gap for infections, Ghosh says. “Users will open attachments, they will visit sites that are infected, and when that happens, you just need to make sure that your security technology protects you,” he says.

    4. Got an Infection? Disconnect

    When MedStar Health got hit with ransomware earlier this year, administrators immediately shut down most of the organization’s network operations to prevent the infection from spreading. Sjouwerman, whose firm distributes a 20-page “hostage manual” (.pdf) on how to prevent and respond to ransomware, says that not only should administrators disconnect infected systems from the corporate network, they should also disable Wi-Fi and Bluetooth on machines to prevent the malware from spreading to other machines via those methods.

    http://www.wired.com/wp-content/uploads/2016/03/RansomwareManual-1.pdf

    Reply
  3. Tomi Engdahl says:

    BBC:NEW
    Study: 45% of online households in US refrained from some online activities due to security and privacy concerns; 19% experienced an online security breach — Almost half of American households with at least one internet user have been “deterred” from online activity recently because of privacy or security concerns, a survey has said.

    Privacy fears ‘deterring’ US web users from online shopping
    http://www.bbc.com/news/technology-36285651

    Almost half of American households with at least one internet user have been “deterred” from online activity recently because of privacy or security concerns, a survey has said.

    Their concerns had stopped them either using online banking or shopping or posting on social media, the survey by a Department of Commerce agency said.

    The study asked 41,000 households about their activity in the past 12 months.

    A US official said mistrust about privacy was causing “chilling effects”.

    The agency that carried out the study, the National Telecommunications and Information Administration (NTIA), called for encryption and security to be improved.

    The report, based on data collected by the US Census Bureau in July 2015, said 45% of online households had refrained from at least one of the activities identified in the survey, and 30% had refrained from at least two.

    Activities avoided due to privacy or security concerns

    When respondents were asked what concerned them the most about online privacy and security, 63% said identity theft.

    The respondents, who were allowed to give multiple answers, also cited credit card or banking fraud (45%), data collection by online services (23%), loss of control over personal data (22%) and data collection by the government (18%); 13% also said they were concerned about threats to personal safety.

    The data suggested 19% of US online households had been affected by an online security breach in the previous year. The NTIA said this represented about 19 million American households.

    The survey also suggested that households with more internet-connected devices were more likely to suffer a security breach online – 31% of those using at least five different internet-enabled devices were hit by a breach, it said.

    “For the internet to grow and thrive, users must continue to trust that their personal information will be secure and their privacy protected,” NTIA policy analyst Rafi Goldberg said in a post accompanying the report.

    Reply
  4. Tomi Engdahl says:

    Microsoft boots fake fix-it search ads
    Bada-Bing, bada-boom, you support scam’s doomed
    http://www.theregister.co.uk/2016/05/13/microsoft_boots_fake_fixit_search_ads/

    Microsoft has laid out new rules for its Bing search engine designed to crack down on tech support scams.

    Redmond said that it will no longer allow advertisers to pitch their third-party support and repair products as “official” or branded tech support.

    Under the new rules, Bing search ads will have to present themselves expressly as unaffiliated, and the ads cannot use the brand or product’s name to present themselves as official or affiliated.

    In exact terms, the new policy reads:

    Advertisers may not promote online technical support to consumers for products or services that the advertisers do not directly own

    The aim, says Microsoft, is to protect users from scam operations that will present themselves as security products or updates that come directly from the PC or OS builder, when in fact they are paid third-party products.

    Reply
  5. Tomi Engdahl says:

    Google can’t hold back this malware running riot in its Play store
    Ad fraud, scareware slinger Android.Spy.277.origin found in more than 100 apps
    http://www.theregister.co.uk/2016/04/26/android_malware_whack_a_mole/

    Security researchers have discovered a strain of Android malware that keeps finding its way onto Google Play – despite the store supposedly being scrubbed clean of infiltrated apps.

    The software nasty – Android.Spy.277.origin – is hidden in more than 100 applications on Google Play. Sketchy programs harboring the malware masquerade as legitimate popular games and the like, but they come with a secret backdoor.

    Once the infected app is installed, the attacker can remotely download a malicious APK called “polacin.io” to the device. After the victim is tricked into allowing the code to be installed, the Android device sends a wide array of information about the hardware to command and control servers, plus the user’s email address and location.

    Hackers make money from the malicious app through ad click fraud and by pushing mobile scareware. Users are induced into installing fraudulent apps by saying the device has battery issues that can be solved by downloading utilities which, in reality, have little or no use.

    Reply
  6. Tomi Engdahl says:

    Hackers are preying on people who can’t spell
    http://thenextweb.com/insider/2016/03/23/hackers-love-bad-spellers/

    As if the spectre of being hacked while surfing the Web isn’t bad enough, there has been a surge in the number of attacks on people who misspell the names of popular websites.

    In a study carried out by Endgame, the cyber security firm has found more than 300 well-known companies, such as Netflix, YouTube and Google had been targeted in an attempt to ensnare careless typers online.

    The culprits have been registering domains such as googgle.com, googlw.com and Netflix.om – the latter points to sites registered in Oman – which have the look and feel of the site the searcher is looking for. However, these are loaded with malware and attempt to convince the browser to share their personal details.

    What does Oman, the House of Cards, and Typosquatting Have in Common? The .om Domain and the Dangers of Typosquatting
    By: Malware Research & Threat Intelligence Team / March 11, 2016
    https://www.endgame.com/blog/what-does-oman-house-cards-and-typosquatting-have-common-om-domain-and-dangers-typosquatting

    Reply
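A defender-side check for the kind of typo domains described in the comment above, added here as an example (it is not code from the article or from Endgame): it flags hostnames in a proxy log that sit one edit away from a protected brand list, using an optimal-string-alignment distance so that doubled letters, wrong keys, a dropped TLD character and swapped letters all count as one edit. The brand list is taken from the names in the story and the log lines are constructed.

```python
# Brand domains named in the article above; a deployment would use its own list.
PROTECTED_DOMAINS = ("google.com", "youtube.com", "netflix.com")

# Constructed sample proxy-log lines ("timestamp client host"); not real traffic.
SAMPLE_LOG = """\
2016-03-23T10:01:02 10.0.0.5 googgle.com
2016-03-23T10:01:09 10.0.0.5 www.google.com
2016-03-23T10:02:14 10.0.0.7 googlw.com
2016-03-23T10:02:40 10.0.0.9 netflix.om
2016-03-23T10:03:01 10.0.0.9 mail.google.com
2016-03-23T10:03:33 10.0.0.7 example.org
"""


def osa_distance(a, b):
    """Optimal string alignment distance: insertions, deletions, substitutions
    and adjacent transpositions each cost 1."""
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,         # deletion
                          d[i][j - 1] + 1,         # insertion
                          d[i - 1][j - 1] + cost)  # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[rows - 1][cols - 1]


def normalise_host(host):
    """Lower-case, drop a trailing dot and a leading 'www.' so variants compare equal."""
    host = host.strip().lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def is_legitimate(host, brand):
    """The brand itself or any of its subdomains is not a lookalike."""
    return host == brand or host.endswith("." + brand)


def lookalike_of(host, protected=PROTECTED_DOMAINS, max_distance=1):
    """Return (brand, distance) for the closest brand within max_distance edits, else None."""
    host = normalise_host(host)
    best = None
    for brand in protected:
        if is_legitimate(host, brand):
            return None
        dist = osa_distance(host, brand)
        if dist <= max_distance and (best is None or dist < best[1]):
            best = (brand, dist)
    return best


def scan_log(text, **kwargs):
    """Return [(host, brand, distance)] for every log line whose host resembles a brand."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        match = lookalike_of(fields[2], **kwargs)
        if match:
            hits.append((normalise_host(fields[2]), match[0], match[1]))
    return hits


if __name__ == "__main__":
    for host, brand, dist in scan_log(SAMPLE_LOG):
        print(f"lookalike: {host} resembles {brand} (distance {dist})")
```

Raising max_distance catches double typos but quickly produces false positives on short names, so a real deployment would also reduce hosts to their registrable domain with a public-suffix list before comparing.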
  7. Tomi Engdahl says:

    Trista Kelley / Bloomberg:
    SWIFT warns of a new hacker attack on a commercial bank similar to Bangladeshi heist, says it is part of a wider highly adaptive campaign targeting banks — Hackers used malware to target PDF reader of commercial bank — Warning comes after cyber heist from Bangladesh central bank

    Swift Warns of Hack Attack on a Bank After Bangladesh Heist
    Trista Kelley
    http://www.bloomberg.com/news/articles/2016-05-13/swift-warns-of-new-hacker-attack-on-bank-after-bangladesh-heist

    The details of a second hack follow a cyber theft in February, when more than $80 million was stolen from Bangladesh’s account at the Federal Reserve Bank of New York. Swift last month warned users that it was aware of several similar attacks.

    This time, the hackers used malware to target a PDF reader used by the customer to check its statement messages, Swift said on Friday. A Swift spokesman declined to reveal the name of the bank, but a U.K.-based security firm, BAE Systems Plc, said in a blog post that it believes the second victim is a commercial bank in Vietnam.

    Sony Similarities

    BAE said details in the code from the Bangladesh and Vietnam hacks also match a third breach, the devastating 2014 attack on Sony Pictures, which U.S. officials attributed to North Korea. BAE said the match indicates that the same hackers may be behind all three attacks: “This adds a significant lead to the investigation,” BAE said in its post. An earlier report by the company probing the hack for the bank came to a different conclusion, according to a person briefed on the investigation.

    “Forensic experts believe this new discovery evidences that the malware used in the earlier reported customer incident was not a single occurrence, but part of a wider and highly adaptive campaign targeting banks,” Swift said in a statement.

    Reply
  8. Tomi Engdahl says:

    Lynn Berry / Associated Press:
    Hackers publish names and contact information for 4.5K journalists accredited to report from rebel-controlled eastern Ukraine

    Ukrainian hackers publish info on thousands of journalists
    http://bigstory.ap.org/article/c7dece4f3c60428297831e8836ca5b9f/ukrainian-hackers-publish-info-thousands-journalists

    MOSCOW (AP) — A group of Ukrainian hackers has published the names and contact information of thousands of journalists who have reported from rebel-controlled eastern Ukraine, raising concerns about the safety of the journalists, including many from international media organizations.

    The hackers said they had gained access to computers used by the Russia-backed separatists to register journalists working in the conflict zone and felt it was necessary to publish the list “because these journalists collaborate with fighters from terrorist organizations.”

    The New York-based Committee to Protect Journalists issued a statement on Wednesday condemning the publication of the list, which contains 7,000 entries and data on about 4,500 journalists, including their cellphone numbers and email addresses.

    Reply
  9. Tomi Engdahl says:

    Do users’ perceptions of password security match reality?
    https://www.helpnetsecurity.com/2016/05/13/users-perceptions-password-security-match-reality/

    Think your password is secure? You may need to think again. People’s perceptions of password strength may not always match reality, according to a recent study by CyLab, Carnegie Mellon’s Security and Privacy Institute.

    “Although participants generally had a good understanding on what makes passwords stronger or weaker, they also had some critical misunderstandings of how passwords are attacked and assumed incorrectly that their passwords need to withstand only a small number of guesses,” said Blase Ur, the study’s lead author and a Ph.D. student studying societal computing in Carnegie Mellon’s School of Computer Science.

    “In order to help guide users to make stronger passwords, it is important for us to understand their perceptions and misperceptions so we know where interventions are needed,”

    Do Users’ Perceptions of Password Security Match Reality?
    http://dl.acm.org/citation.cfm?doid=2858036.2858546

    Reply
  10. Tomi Engdahl says:

    Hacking caused a ten grand invoice for ice hockey halls in Finland

    Finnish companies are correcting the security of ice hockey arena refrigeration and air conditioning in a hurry, because hackers were already able to cause damage.

    Industrial refrigeration and air conditioning automation systems Tekojää Finland faced a problem in ten, which was broken into via the mobile network subscriptions. Thus the hackers were able to send text messages to premium-rate services.

    The traces of criminals led to Egypt, but beyond them did not provide information

    The bigger task is the automation systems reform, which will, among other things, five hundred ice rink refrigeration and air conditioning systems provide encrypted remote access.

    The company chose to implement the Oulu-based Tosibox system that provides centralized management, in addition to a kind of physical “security key”, which allows maintenance personnel to quickly take equipment for use in various countries.

    Security problems exposed in the past

    Tekniikka ja talous magazine told reporters earlier in the spring, but also the metropolitan area stores accounted for HOK-Elanto also updated the 180 retail service stations and the ABC refrigeration equipment and monitoring devices Tosibox system, as they were previously unprotected network.

    Telecom operator Sonera again told T & T, the network had to be temporarily shut down for consumers and farm broadband connections, because, among other things ihakkeroidut air-source heat pumps and milking robot spread malware and spam network.

    FICORA oblige operators to shut down the network disturbances caused by equipment.

    Source: http://www.tivi.fi/Kaikki_uutiset/hakkerointi-aiheutti-suomessa-jaakiekkohalleille-kymppitonnin-laskun-6550524

    Reply
  11. Tomi Engdahl says:

    Kevin Poulsen / Wired:
    Profile of Maksym Igor Popov, a Ukrainian hacker turned FBI mole who later tried to scam EMC, AT&T, and the FBI — One Thursday in January 2001 …

    https://www.wired.com/2016/05/maksym-igor-popov-fbi/

    Reply
  12. Tomi Engdahl says:

    Ricardo Bilton / Nieman Lab:
    SecureDrop use is growing in newsrooms, but security fears mean few will detail exactly how they use it — For newsrooms, the first rule about SecureDrop is you don’t talk about SecureDrop — or not too much, anyway. — That’s clear from a new report from Columbia’s Tow Center for Journalism …

    SecureDrop use is growing in newsrooms, but security fears mean few will detail exactly how they use it
    http://www.niemanlab.org/2016/05/securedrop-use-is-growing-in-newsrooms-but-security-fears-mean-few-will-detail-exactly-how-they-use-it/

    For newsrooms, the first rule about SecureDrop is you don’t talk about SecureDrop — or not too much, anyway.

    That’s clear from a new report from Columbia’s Tow Center for Journalism, which looked at how sites such as The Intercept, Gawker and ProPublica are making use of SecureDrop, the encrypted anonymous communication software maintained by The Freedom of the Press Foundation (FPF). As of writing, 14 news organizations, three journals, and eight nonprofit groups are using SecureDrop, according to FPF. Eighty organizations are waiting for the FPF to help them get it installed.

    — News organizations say SecureDrop is useful, the definition of usefulness varies. While most news organizations have adopted SecureDrop as a way to get new stories, news organizations say that SecureDrop is useful even if no stories come from it. Gawker editor John Cook, for example, said that, at the very least, using SecureDrop communicates Gawker’s commitment to protecting sources.

    — News organizations are reluctant to discuss exactly how they use SecureDrop.

    — Most news organizations designate just a few people to monitor their SecureDrop. These people, usually editors, then distribute those tips to the right reporters. This arrangement is due to the complexity of accessing SecureDrop, which can only be used via a dedicated computer in a newsroom.

    — Not even encrypted channels are immune to trolls and spam. Running a SecureDrop, like any other communications channel, means having to sift through plenty of spam, unhelpful news tips and conspiracy theories from well-meaning readers. Some submissions aren’t news at all.

    — SecureDrop is good for the first point of contact, but reporters often switch to other channels.

    Reply
  13. Tomi Engdahl says:

    Guide to SecureDrop

    This book, by Charles Berret, presents a timely guide to SecureDrop, an emerging platform for secure and anonymous communication between journalists and sources. — Tow Center for Digital Journalism
    https://www.gitbook.com/book/towcenter/guide-to-securedrop/details

    Reply
  14. Tomi Engdahl says:

    Sheera Frenkel / BuzzFeed:
    How ISIS uses the internet: malware, phishing, DDoS attacks, and communicating over Telegram

    Everything You Ever Wanted to Know About How ISIS Uses The Internet
    https://www.buzzfeed.com/sheerafrenkel/everything-you-ever-wanted-to-know-about-how-isis-uses-the-i?utm_term=.ltJ2y9DJ5g#.ek49xbaD6P

    They talk on Telegram and send viruses to their enemies. BuzzFeed News’ Sheera Frenkel looks at how ISIS members and sympathizers around the world use the internet to grow their global network.

    What he wasn’t expecting was to wake up on the morning of March 29 to a virus planted by ISIS within a seemingly innocuous email attachment.

    “Everything about this looked like a real email, sent from the admin of my own website. It looked safe, but it was not. They were trying to get my login information, my passwords. They were trying to get things that could have put real lives in danger,” said Abu Majad, who asked that his nickname be used instead of his real name to protect himself and his remaining family in Syria from reprisal attacks by ISIS. “It was very clever. When I saw it I thought to myself, Shit, now they are professional hackers?”

    Cybersecurity experts and intelligence agencies who monitor ISIS say the malware is just one more sign that ISIS is growing more sophisticated in its use of the internet.

    “I don’t think it is far-fetched to say that the internet is a major reason why ISIS is so successful, and so worrying, as far as global terror movements go,” said one U.S. intelligence officer, who spoke to BuzzFeed News in Washington, D.C., and asked not to be named as he wasn’t authorized to speak to the press. “They have always been ‘good’ at the internet, at the strategy of how they use it. Now they are smarter at the internet too.”

    Many of the world’s major intelligence agencies are trying to figure out just how ISIS uses the internet.

    “ISIS has been targeting sites that are outspoken against ISIS,”

    “Malware, phishing campaigns, DDoS attacks are all things I have seen,” he said. “Now, these dropper attacks are new and are more sophisticated. What we see is the group growing and evolving their capabilities. What we are seeing is worrying.”

    Here’s an example of a conversation on a private ISIS channel on the messaging app Telegram on a recent Sunday afternoon:

    “brother r u use VPN for site?”

    “no brother, that is shit. use tor.”

    “tor is creation of CIA. avoid tor.”

    “so use vpn?”

    “lol, no there is something else”

    These sorts of exchanges appear daily on Telegram.

    The advice is meant to keep ISIS supporters safe, but for most it’s a confusing labyrinth of conflicting opinions.

    “To be anonymous online is the most important thing so that we can safely help the jihad when the time comes,” Abu Jihad wrote BuzzFeed News in a private message on Telegram. He refused to give his real name or location. “The kuffars make it as hard as possible, but we always find a way to succeed,” he said, using a derogatory term for non-Muslims.

    “There are rumours that our forums are infected,” said Abu Jihad. “But it is impossible for us to stay off of the internet.”

    “The internet is full of American and Israeli spies,” Abu Jihad wrote BuzzFeed in a private message, before asking for more details on where BuzzFeed News is based and whether it had a political agenda. “It’s well-known that most journalists are spies.”

    A security expert who is only known online as “the grugq,” but whose blogs and tweets are widely read by cybersecurity experts, closely follows how ISIS communicates online. After reviewing the magazine, he told BuzzFeed News that he believed ISIS only had a limited understanding of how encryption works.

    “The author believes encryption is a solution to every problem,” the grugq said in an email to BuzzFeed News, noting that it eschewed other techniques, such as teaching users how to be anonymous online by never revealing or entering into public forms personal details such as real names, birth dates, or countries of origin.

    “The author is not clear on the real threats that jihadis actually face. The faith in crypto as a panacea to all the dangers faced by online jihadis demonstrates the shallowness of the author’s security understanding.”

    “The main takeaway from this guide is that the author believes so strongly in encryption they think it will solve everything. It is the ignorant belief that ‘going dark’ is as simple as downloading TAILS. In the real world, nation state adversaries are not deterred by a little bit of crypto sprinkled here and there like OPSEC fairy dust,” he said.

    “Generally the technical detail provided is impressive — not error-free, but remarkable for what after all is a general interest magazine for jihadis.”

    “Even people who use these programs every day occasionally make mistakes. The processes described by ISIS are not intuitive.”

    The attacks on Paris and Brussels ignited a global debate on encryption and terror.

    On the one hand are certain intelligence agencies and governments, who say they missed signs of the attacks because ISIS was using the “dark web” to communicate, sending encrypted messages that intel agencies couldn’t crack. On the other hand are cybersecurity activists and experts, who say there is little evidence that sophisticated techniques were used by the attackers to mask their communication. (Quite the opposite, they argue: The attackers lived in the same apartment and used the old-school method of multiple burner phones.) And then there is the media, whose coverage of the issue has received intense scrutiny, with reports of ISIS sending encrypted emails scrubbed from the web just days after their publication, and unnamed sources giving conflicting evidence of how the attackers communicated.

    Reply
  15. Tomi Engdahl says:

    Emil Protalinski / VentureBeat:
    Google plans to make Flash plugin click-to-play by default in Chrome in Q4’16, rendering HTML5 instead when available, except for 10 top sites relying on Flash

    Google targets HTML5 default for Chrome instead of Flash in Q4 2016
    http://venturebeat.com/2016/05/15/google-targets-html5-default-for-chrome-instead-of-flash-in-q4-2016/

    Google has outlined a plan to push HTML5 by default in Chrome, instead of Flash. In Q4 2016, the company plans to only serve Flash by default for the top 10 domains that still depend on the plugin. Chrome will display the HTML5 experience if it’s available, but if Flash is required, the user will be asked whether Flash can be allowed to run or not.

    Flash has been on its way out for years. Not only is the tool a security nightmare, with new vulnerabilities popping up regularly, the market has been slowly but surely moving away from plugins in favor of HTML5. Chrome and Flash, in particular, have had a complicated relationship.

    While Flash is included in Google’s browser by default, it has been slowly but surely de-emphasized. In September 2015, Chrome 45 began automatically pausing less-important Flash content (ads, animations, and anything that isn’t “central to the webpage”). Now, Google wants to focus on the central content, such as games and videos.

    Reply
  16. Tomi Engdahl says:

    Salesforce deleted four hours of its customers’ data
    http://nordic.businessinsider.com/salesforce-lost-4-hours-of-customer-data-2016-5

    Salesforce is now mostly up and available to its customers, the company says, after a mega outage of one of its major data centers took it down for a whole day.

    The outage lasted from 13:31 UTC Tuesday until 09:30 UTC Wednesday, or about 6:30 a.m. Pacific Tuesday until 2:30 p.m. Pacific on Wednesday.

    A cloud outage that long is almost unheard of these days, and one Salesforce customer we talked to, who has been using Salesforce for over five years, told us he’s never experienced that kind of disruption from the company before.

    The service disruption was caused by a database failure on the NA14 instance, which introduced a file integrity issue in the NA14 database. The issue was resolved by restoring NA14 from a prior backup, which was not impacted by the file integrity issues.

    Reply
  17. Tomi Engdahl says:

    John McAfee Apparently Tried to Trick Reporters Into Thinking He Hacked WhatsApp
    http://gizmodo.com/john-mcafee-apparently-tried-to-trick-reporters-into-th-1776765480

    John McAfee, noted liar and one-time creator of anti-virus software, apparently tried to convince reporters that he hacked the encryption used on WhatsApp. To do this, he attempted to send them phones with preinstalled malware and then convince them he was reading their encrypted conversations.

    In April, WhatsApp announced that it had added automatic end-to-end encryption for its billion plus users. The company touted the move as one that would help protect and secure the communications of all WhatsApp users around the world.

    McAfee has a history of being shifty with the press about his alleged cybersecurity exploits.

    In March, for instance, during a media tour that included appearances on CNN and RT, McAfee claimed he would be able to hack into the phone of San Bernadino terrorist Syed Farook. McAfee never proved his claims, and later admitted that he was lying in order to garner a “shitload of public attention.” And earlier this year, McAfee hedged on his terrorism-prevention ideals for America during an interview with CNN about his Libertarian candidacy for president, saying that his strategy for preventing homegrown terrorism was “difficult to explain.”

    Now, it seems McAfee has tried to trick reporters again, by sending them phones pre-cooked with malware containing a keylogger, and convincing them he somehow cracked the encryption on WhatsApp.

    According to sources who spoke to Gizmodo anonymously because they were not authorized by their employer to speak to the press

    WhatsApp Message Hacked By John McAfee And Crew
    http://cybersecurityventures.com/whatsapp-message-hacked-by-john-mcafee-and-crew/

    Cybersecurity expert John McAfee and a team of four other hackers, using their own servers located in a remote section in the mountains of Colorado, were able to read an encrypted WhatsApp message.

    McAfee broke the hack news to Cybersecurity Ventures by phone, and followed with an email to us providing details of the feat.

    The WhatsApp message was exchanged between two cooperating researchers located at the New York City headquarters office of LIFARS, a cyber intelligence and digital forensics firm with deep domain experience in the mobile security field. A tiny app written by McAfee’s team was downloaded onto two brand new Android phones which were used for the message exchange.

    Reply
  18. Tomi Engdahl says:

    Security the key to software-defined datacentre takeup
    http://www.cloudpro.co.uk/saas/5997/security-the-key-to-software-defined-datacentre-takeup

    94 per cent of executives think security is more important than cost savings

    A report by HyTrust has revealed security is the key factor that will make more executives take up Software-Defined Data Centre (SDDC) services, ranking higher than cost savings, agility and performance enhancements.

    A total 94 per cent of the executives questioned said better security would help companies realise the benefits of the technology. Additionally, 93 per cent agreed that the benefits of migration to virtualisation and the cloud are undeniable and quantifiable, suggesting there will be a faster drive towards SDDC infrastructure in the future.

    A further 88 per cent of respondents think optimal SDDC strategies and deployment will drive the take-up of virtualisation ratios and server optimisation, while also improving finances in the organisation.

    “It’s always been hard to deny the potential benefits of SDDC infrastructure, but in the past the obvious advantages have sometimes been overshadowed by concerns over security and compliance,” said Eric Chiu, president of HyTrust.

    Almost all (94 per cent) think current security levels on SDDC platforms and strategies meet their organisation’s needs ‘very well’ or ‘somewhat well’, with only four per cent saying they don’t address the needs of the company.

    “What we’re seeing now is clear progress in this exciting arena, as technology solutions that balance high-quality workload security with effortless automation push back those fears,” Chiu added.

    “The focus is now exactly where it should be: ensuring that the virtualized or cloud infrastructure enables tremendous cost savings with unparalleled agility and flexibility.”

    Reply
  19. Tomi Engdahl says:

    Finnish state forces a move to new authentication

    The bill requires all government agencies to move to the Suomi.fi identification service produced by the PRC by the end of next year. The bill is currently in parliamentary procedure and the law is due to come into force on 01.07.2016.

    The National ICT Centre Valtori offers the Vetuma service for government organizations' use until the end of 2017, after which, according to the Ministry of Finance, the service ends.

    The amendment is about the harmonization of public authentication services. In 2008, the National Audit Office pointed out that the state had wasted tens of millions developing a number of competing identification systems for different services, none of which had assumed a prominent place.

    Source: http://www.tivi.fi/Kaikki_uutiset/valtio-pakottaa-uuteen-tunnistautumiseen-6550490

    Reply
  20. Tomi Engdahl says:

    Teens allegedly live-stream sex acts on Facebook
    http://www.cnet.com/news/teens-allegedly-live-stream-sex-acts-on-facebook/

    Technically Incorrect: In Milwaukee, police are attempting to secure data from Facebook after three teens allegedly filmed their hookup and broadcast it to classmates.

    The social-media era has been one in which everyone has learned how to broadcast.

    It’s perhaps inevitable, then, that some may choose to broadcast things that might disturb others.

    Reply
  21. Tomi Engdahl says:

    While Open Source Software provides many competitive advantages, most technology companies are yet to uncover its full potential and even slower to deploy basic compliance and risk avoidance measures concerning its use.

    Reply
  22. Tomi Engdahl says:

    Finnish critical systems tested: Thousands still open to attack?

    Wide-open automation systems have been found in the hundreds, if not thousands, in previous studies.

    The Finnish Communications Regulatory Authority is wading through those critical automation systems which should not be reachable over the Internet, but still are.

    The agency will look for unprotected automation equipment in Finnish computer networks during May and June and will publish statistical information on the results later.

    In practice, the Finnish Communications Regulatory Authority sends connection requests to specific communication ports of computers and network devices open on Finnish networks and monitors the incoming reply messages.

    An exposed device is one whose management or control user interface is accessible via the Internet.

    The situation has been mapped for several years. Open systems are found in, for example, industry, power management, traffic management and water distribution.

    Sources:
    http://www.digitoday.fi/tietoturva/2016/05/16/suomen-kriittiset-jarjestelmat-testataan-tuhansia-yha-auki-hyokkaajille/20165258/66?rss=6
    https://www.viestintavirasto.fi/kyberturvallisuus/tietoturvanyt/2016/05/ttn201605160958.html

    Reply
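The regulator's method above, a connection request to specific ports and a look at what answers, is the same check an operator can run against its own public addresses before someone else does. The following is an added example, not code from the article or from FICORA: a small Python audit that takes an inventory of your own equipment's public addresses, attempts a plain TCP connection to a constructed list of common management and control ports, and reports anything that accepts the connection. The inventory entries, the port list and the TEST-NET addresses are constructed for the example; the `probe` parameter exists so the logic can be exercised without network access.

```python
import socket
from typing import Callable, Dict, List, Tuple

# Ports on which automation and network equipment commonly expose a management or
# control interface. Constructed starting point for this example; extend it to
# match the equipment you actually operate.
CONTROL_PORTS: Dict[int, str] = {
    23: "Telnet console",
    80: "HTTP management UI",
    102: "Siemens S7 (ISO-TSAP)",
    443: "HTTPS management UI",
    502: "Modbus/TCP",
    20000: "DNP3",
    44818: "EtherNet/IP",
}

# Constructed inventory of *your own* devices using documentation addresses
# (TEST-NET-3). Replace with the public addresses of equipment you are
# responsible for.
INVENTORY: List[Tuple[str, str]] = [
    ("rink-7 cooling controller", "203.0.113.10"),
    ("rink-12 air handling unit", "203.0.113.11"),
]


def tcp_probe(address: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP handshake to address:port completes within timeout."""
    try:
        with socket.create_connection((address, port), timeout=timeout):
            return True
    except OSError:
        # Refused, filtered, timed out or unreachable all count as "not exposed"
        # for this check; a filtered port is the desired state.
        return False


def find_exposed(inventory: List[Tuple[str, str]],
                 probe: Callable[[str, int], bool] = tcp_probe) -> List[Tuple[str, str, List[int]]]:
    """Return (label, address, open_ports) for every device that answers on a control port."""
    exposed = []
    for label, address in inventory:
        open_ports = sorted(p for p in CONTROL_PORTS if probe(address, p))
        if open_ports:
            exposed.append((label, address, open_ports))
    return exposed


def format_report(exposed: List[Tuple[str, str, List[int]]]) -> List[str]:
    """One human-readable line per exposed device, naming the service on each open port."""
    lines = []
    for label, address, ports in exposed:
        services = ", ".join(f"{p}/{CONTROL_PORTS[p]}" for p in ports)
        lines.append(f"EXPOSED {label} ({address}): {services}")
    return lines


if __name__ == "__main__":
    for line in format_report(find_exposed(INVENTORY)):
        print(line)
```

A device that shows up in the report is exposed in exactly the article's sense: its management or control interface is reachable from the Internet. The fix is not to hide the port but to put the interface behind an authenticated, encrypted remote-access path (a VPN or a broker such as the Tosibox setup mentioned in an earlier comment) and to filter the port at the edge; rerunning this check afterwards confirms the filter is in place.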
  23. Tomi Engdahl says:

    Anonymous Begins Teaching Hacktivism on IRC
    https://yro.slashdot.org/story/16/05/15/1723217/anonymous-begins-teaching-hacktivism-on-irc

    Softpedia reports that “At the end of April, members of the Anonymous hacker collective announced the launch of the OnionIRC, an internet relay chat network where the group says it aims to teach people about hacking and hacktivism.” [Chat logs are available through the @OnionIRC Twitter account.] Classes cover topics like open-source intelligence and how to use nmap and bash, but “The teachers and the main people behind this campaign have been focused more on promoting the principles of hacktivism than anything else…”

    Anonymous Launches OnionIRC to Teach the World About Hacking & Hacktivism
    Read more: http://news.softpedia.com/news/anonymous-launches-onionirc-to-teach-the-world-about-hacking-hacktivism-504072.shtml#ixzz48om2OGts

    Reply
  24. Tomi Engdahl says:

    Hidden Microphones Exposed As Part of Government Surveillance Program In The Bay Area
    http://sanfrancisco.cbslocal.com/2016/05/13/hidden-microphones-exposed-as-part-of-government-surveillance-program-in-the-bay-area/

    Hidden microphones that are part of a clandestine government surveillance program that has been operating around the Bay Area have been exposed.

    Federal agents are planting microphones to secretly record conversations.

    Jeff Harp, a KPIX 5 security analyst and former FBI special agent said, “They put microphones under rocks, they put microphones in trees, they plant microphones in equipment. I mean, there’s microphones that are planted in places that people don’t think about, because that’s the intent!”

    FBI agents hid microphones inside light fixtures and at a bus stop outside the Oakland Courthouse without a warrant to record conversations, between March 2010 and January 2011.

    Harp says that if you’re going to conduct criminal activity, do it in the privacy of your own home. He says that was the original intention of the Fourth Amendment, but it’s up to the judge to interpret it.

    Reply
  25. Tomi Engdahl says:

    Attacker Compromises Pornhub, Sells Shell Access for $1,000, Says Columnist
    https://it.slashdot.org/story/16/05/15/0858203/attacker-compromises-pornhub-sells-shell-access-for-1000-says-columnist

    Four days after launching a bug bounty program, Pornhub is said to be compromised. The person responsible used a vulnerability in the user profile script that handles images (not ImageMagick) and is selling shell access on one of their servers for $1,000 USD. This is the second major website the hacker has shelled. Prior to Pornhub, they compromised the LA Times website.

    Pornhub said to be compromised, shell access available for $1,000
    http://www.csoonline.com/article/3070420/security/pornhub-said-to-be-compromised-shell-access-available-for-1-000.html

    Hacker used flaws in the user profile system to gain access

    The offer included two images in order to demonstrate access to the Pornhub server, and when asked how the shell was uploaded, 1x0123 said a vulnerability in the user profile script that handles images enabled the shell’s upload.

    Once the shell is uploaded, browsing to the proper URL will open it and enable command injection. In short, if someone pays for access, they’ll have full control over the environment.

    The going price of $1000 is low considering anyone purchasing access would essentially control key parts of the server and any pages loaded from it. Pornhub sees more than 60 million daily visits, or roughly 2.1 million visits per hour.

    Reply
  26. Tomi Engdahl says:

    The FBI and the Mozilla Foundation Lock Horns over Known Security Hole
    http://www.linuxjournal.com/content/fbi-and-mozilla-foundation-lock-horns-over-known-security-hole

    The Mozilla Foundation and the FBI recently have clashed over security weaknesses. The FBI is aware of a weakness in the Tor browser that may affect Firefox—it’s a weakness the FBI has exploited during an investigation.

    Mozilla wants the FBI to reveal the details of the exploit ahead of the trial, but the FBI is playing its cards close to its chest. Because of the potential risk to its users, Mozilla has turned to the courts to force the FBI to reveal its information.

    Reply
  27. Tomi Engdahl says:

    Everything We Know About How the FBI Hacks People
    https://www.wired.com/2016/05/history-fbis-hacking/

    Recent headlines warn that the government now has greater authority to hack your computers, in and outside the US. Changes to federal criminal court procedures known as Rule 41 are to blame; they vastly expand how and whom the FBI can legally hack. But just like the NSA’s hacking operations, FBI hacking isn’t new. In fact, the bureau has a long history of surreptitiously hacking us, going back two decades.

    That history is almost impossible to document, however, because the hacking happens mostly in secret. Search warrants granting permission to hack get issued using vague, obtuse language that hides what’s really happening, and defense attorneys rarely challenge the hacking tools and techniques in court. There’s also no public accounting of how often the government hacks people.

    A look at a few of these cases offers a glimpse at how FBI computer intrusion techniques have developed over the years. Note that the government takes issue with the word “hacking,” since this implies unauthorized access, and the government’s hacking is court-sanctioned. Instead it prefers the terms “remote access searches” and Network Investigative Techniques, or NIT. By whatever name, however, the activity is growing.

    Big Questions Remain

    For all that we now know about government hacking, there’s so much more that we still don’t know. For example, what exactly is the government doing with these tools? Are they just grabbing IP addresses and information from a computer’s registry? Or are they doing more invasive things—like activating the webcam to take pictures of anyone using a targeted machine, as they sought to do in a 2013 case? How are the tools tested to make sure they don’t damage the machines they infect?

    Reply
  28. Tomi Engdahl says:

    Everyday File Sharing is Risky Business. Protect what matters. Permanently.
    https://webinar.informationweek.com/2058?keycode=IKWE06

    According to a recent Forrester study*, over 60% of engineering and support teams regularly use freeware or unsecure email to send files. And every time an employee does this, they put innovation, customer experience and competitive edge at high risk.

    modernize your data infrastructure, improve security and customer interactions, without sacrificing ease of use

    Reply
  29. Tomi Engdahl says:

    Meta Data, Big Data and the Coming Tectonic Shift in Security
    https://webinar.darkreading.com/2102?keycode=DRWE02

    While yesterday’s security model was largely based on prevention of breaches, tomorrow’s security solutions will increasingly focus on detection of breaches from within followed by containment. This is a large shift both in terms of investment dollars and technologies.

    However, a detection based strategy requires building context of the organization’s operating environment, triangulating bad-like behavior against what is normal-like behavior for an organization and trying to identify anomalies that could lead to the presence of malware in the organization. This requires marrying big data type solutions with SIEM type technologies. In this new world of big data for security, the ability to both generate relevant and increasingly large volumes of data, as well as consume, correlate, index and alert on that data, will require powerful and unique solutions that a defender can leverage as the core of their cyber security strategy.

    Reply
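The webinar blurb above describes the shift to detection in the abstract: learn what is normal for the organization, then flag what is not. The following added example (written for this page, not material from the webinar or its vendor) shows the smallest useful form of that idea over constructed authentication log lines. A baseline period builds, per account, the set of hours it is normally active, the set of destination hosts it normally reaches, and its daily event counts; a later window is then scored for first-seen destinations, activity at never-seen hours, and daily volume far above the baseline mean. The log format, the account names and the thresholds are assumptions for the example.

```python
import re
import statistics
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed log format: "<ISO timestamp>Z user=<name> src=<ip> action=<verb> dst=<host>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) action=(?P<action>\S+) dst=(?P<dst>\S+)$")


def parse_line(line: str) -> Optional[dict]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def parse_events(lines: List[str]) -> List[dict]:
    return [ev for ev in map(parse_line, lines) if ev is not None]


def build_baseline(events: List[dict]) -> Dict[str, dict]:
    """Per account: hours seen active, destinations reached, events per day."""
    base: Dict[str, dict] = {}
    for e in events:
        b = base.setdefault(e["user"], {"hours": set(), "dsts": set(), "per_day": Counter()})
        b["hours"].add(e["ts"].hour)
        b["dsts"].add(e["dst"])
        b["per_day"][e["ts"].date()] += 1
    return base


def score_window(events: List[dict], baseline: Dict[str, dict],
                 z_threshold: float = 3.0) -> List[Tuple[str, str]]:
    """Return (account, reason) findings for events that deviate from the baseline."""
    findings: List[Tuple[str, str]] = []
    per_day: Dict[str, Counter] = defaultdict(Counter)
    for e in events:
        b = baseline.get(e["user"])
        if b is None:
            findings.append((e["user"], "no baseline for this account"))
            continue
        per_day[e["user"]][e["ts"].date()] += 1
        if e["dst"] not in b["dsts"]:
            findings.append((e["user"], f"first access to {e['dst']}"))
        if e["ts"].hour not in b["hours"]:
            findings.append((e["user"], f"activity at unusual hour {e['ts'].hour:02d}:00"))
    for user, days in per_day.items():
        counts = list(baseline[user]["per_day"].values())
        if len(counts) < 2:
            continue  # too little history to judge volume
        mean = statistics.mean(counts)
        # Floor the deviation at one event so a perfectly regular baseline does not
        # alert on a single extra event.
        sd = max(statistics.pstdev(counts), 1.0)
        for day, n in days.items():
            if (n - mean) / sd > z_threshold:
                findings.append((user, f"{n} events on {day} vs baseline mean {mean:.1f}"))
    return findings


def constructed_baseline_lines() -> List[str]:
    """Five office days of constructed activity for two accounts."""
    lines, hours = [], [9, 11, 13, 15, 17]
    for i, n in enumerate([3, 4, 3, 5, 3]):          # alice: 3-5 events/day, two hosts
        day = datetime(2016, 5, 9) + timedelta(days=i)
        for k in range(n):
            dst = "fileserver" if k % 2 == 0 else "mail"
            lines.append(f"{day.replace(hour=hours[k]):%Y-%m-%dT%H:%M:%SZ} user=alice src=10.0.0.5 action=login dst={dst}")
    for i, n in enumerate([2, 2, 2, 3, 2]):          # carol: 2-3 events/day, one host
        day = datetime(2016, 5, 9) + timedelta(days=i)
        for k in range(n):
            lines.append(f"{day.replace(hour=hours[k]):%Y-%m-%dT%H:%M:%SZ} user=carol src=10.0.0.9 action=login dst=fileserver")
    return lines


# Constructed detection window: alice normal plus one 03:00 login to a new host,
# carol with a burst of eight logins, and an account with no history at all.
WINDOW_LINES = [
    "2016-05-16T09:05:00Z user=alice src=10.0.0.5 action=login dst=fileserver",
    "2016-05-16T13:10:00Z user=alice src=10.0.0.5 action=login dst=mail",
    "2016-05-16T15:20:00Z user=alice src=10.0.0.5 action=login dst=fileserver",
    "2016-05-16T03:12:00Z user=alice src=10.0.0.5 action=login dst=hr-db",
] + [f"2016-05-16T09:0{k}:00Z user=carol src=10.0.0.9 action=login dst=fileserver" for k in range(8)] + [
    "2016-05-16T04:00:00Z user=svc-backup src=198.51.100.4 action=login dst=fileserver",
]


def run_example() -> List[Tuple[str, str]]:
    baseline = build_baseline(parse_events(constructed_baseline_lines()))
    return score_window(parse_events(WINDOW_LINES), baseline)


if __name__ == "__main__":
    for user, reason in run_example():
        print(f"{user}: {reason}")
```

Each finding carries the context that made it anomalous (the host, the hour, the baseline mean), which is what an analyst needs to triage it; a production version would add the SIEM correlation the blurb mentions, such as joining the 03:00 login against VPN and endpoint logs for the same account, and would refresh the baseline on a rolling window so that legitimate changes in behaviour stop alerting.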
  30. Tomi Engdahl says:

    Inter-bank system SWIFT on security? User manual needs ‘revamp’
    Call for, er, tailored action
    http://www.theregister.co.uk/2016/05/16/swift_security_control_need_revamp/

    Inter-banking messaging systems SWIFT’s security guidelines are “outdated and incomplete”.

    The criticism from security vendor Skyport Systems comes days after SWIFT revealed that a second bank had fallen victim to credential theft fraud, creating yet further concern already fuelled by February’s $81m Bangladesh reserve bank cyber-heist.

    Vietnam’s Tien Phong Bank has come forward to identify itself as the victim of the second attempted attack, which involved a thwarted attempt to fraudulently transfer more than $1m, according to reports last weekend.

    In both cases, the working theory is that hackers managed to get their hands on access credentials needed to send messages on the SWIFT secure financial messaging system after either successfully infecting terminals on the network of the targeted bank or by using a corrupt bank insider. SWIFT has repeatedly stated that in both cases the fraud arose because of a carefully planned attack against the targeted banks and shortcomings in their security controls rather than any weakness in the SWIFT financial messaging system as a whole.

    Independent security experts are split on this point with some at least arguing that a major revamp of SWIFT’s systems is needed.

    Update

    We ran Skyhigh’s plan – outlined in a 1,800 word blog post – past SWIFT and an independent expert who has experience in installing SWIFT terminals at banks. We’ve not heard back from SWIFT yet, but the independent SWIFT terminal installer told us: “I think that everything in that blog is very sensible.

    Five Necessary Improvements to the Swift (Not Taylor Swift) Security Model
    https://skyportblog.com/2016/05/13/five-necessary-improvements-to-the-swift-security-model/

    Reply
  31. Tomi Engdahl says:

    A million machines enslaved by MitM Google ad fraud botnet
    Better the devil you know as malware replaces Alphabet ads with less sanitary banners
    http://www.theregister.co.uk/2016/05/17/redirectorpaco/

    About a million computers have been enslaved into a newly-identified botnet that is plundering Google advertising revenues, a security trio says.

    The redirector.paco botnet steals advertising revenue by replacing a website’s Google AdSense for search results on infected machines with their own.

    Bitdefender security researchers Cristina Vatamanu, Răzvan Benchea, and Alexandru Maximciuc say the botnet has been active since September 2014 and has infected more than 900,000 machines across India, Malaysia, Greece, and the USA.

    They say the malware serves as a man-in-the-middle attack using a root certificate to spit out certificates for Google, Yahoo, and Bing that are accepted by the victim’s browser.

    “To redirect the traffic the malware performs a few simple registry tweaks [modifying] the AutoConfigURL and AutoConfigProxy values from the internet settings registry key so that for every request that a user makes, a proxy auto-config file will be queried,” the trio say.

    Reply
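The redirection mechanism the researchers describe lives in two registry values under the Internet Settings key, which makes it cheap to check for on a fleet. Below is an added example, not code from Bitdefender or from the article: a Python check that parses a `reg export` of `HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings` and flags an `AutoConfigURL` that does not point at an approved proxy auto-config source, or an `AutoConfigProxy` that has been changed from its usual value `wininet.dll`. The approved PAC URL, the two export samples and the DLL path in the suspicious sample are constructed placeholders for the example.

```python
import re
from typing import Dict, List, Set

INTERNET_SETTINGS = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
EXPECTED_AUTOCONFIGPROXY = "wininet.dll"           # usual value of AutoConfigProxy
TRUSTED_PAC_URLS = {"http://proxy.corp.example/proxy.pac"}  # assumed corporate PAC source

# Constructed exports. A real `reg export` file is UTF-16LE with a BOM; decode it
# with open(path, encoding="utf-16") before handing the text to the checker.
CLEAN_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000000
"AutoConfigProxy"="wininet.dll"
"""

SUSPICIOUS_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000000
"AutoConfigURL"="http://203.0.113.77/update.pac"
"AutoConfigProxy"="C:\\ProgramData\\example-hijack.dll"
"""

VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Map each [key path] in a .reg export to its named values (strings unescaped, others raw)."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            m = VALUE_RE.match(line)
            if not m:
                continue
            name, value = m.group(1), m.group(2)
            if value.startswith('"') and value.endswith('"'):
                # .reg string values escape backslash and double quote
                value = value[1:-1].replace('\\\\', '\\').replace('\\"', '"')
            keys[current][name] = value
    return keys


def check_proxy_autoconfig(reg_text: str, trusted_pac: Set[str] = TRUSTED_PAC_URLS) -> List[str]:
    """Return human-readable findings for proxy auto-config tampering, empty if clean."""
    findings: List[str] = []
    values = parse_reg_export(reg_text).get(INTERNET_SETTINGS, {})
    url = values.get("AutoConfigURL")
    if url and url not in trusted_pac:
        findings.append(f"AutoConfigURL points to an untrusted PAC source: {url}")
    proxy_dll = values.get("AutoConfigProxy")
    if proxy_dll is not None and proxy_dll.lower() != EXPECTED_AUTOCONFIGPROXY:
        findings.append(f"AutoConfigProxy overridden: {proxy_dll}")
    return findings


if __name__ == "__main__":
    for label, text in (("clean", CLEAN_EXPORT), ("suspicious", SUSPICIOUS_EXPORT)):
        print(label, check_proxy_autoconfig(text) or ["no findings"])
```

Run on exports collected from endpoints, this check surfaces the redirect before ad traffic is affected; the same values are worth watching in real time with a registry-change event source. Since the article also notes that the malware installs its own root certificate to re-sign traffic for the search engines, an untrusted entry in the user's root store alongside a hijacked `AutoConfigURL` is a strong corroborating signal.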
  32. Tomi Engdahl says:

    Malicious Android apps slip into Google Play, top third party charts
    Enlist phones in ad fraud, premium SMS, loser DDoS
    http://www.theregister.co.uk/2016/05/17/viking_horde_android_app_malware/

    Malicious Android applications have bypassed Google’s Play store security checks to enslave infected devices into distributed denial of service attack, advertising fraud, and spam botnets.

    The apps are legitimate games that in some stores outside of Google Play have made it to highly-contested top free games charts.

    “Perhaps the most dangerous functionality is the update mechanism [which] allows downloading and executing any remote code on the device,” the pair say.

    “The botnet created by the attackers spread worldwide to users from various targeted countries.”

    A series of sought permissions has led to user suspicion and subsequent low-ranking on the Google Play store.

    Malicious components are installed (either internally or on an SD card) while the game boots. From there, a link to a command and control server is established where information about the infected phone is sent, and attackers can return commands.

    Devices running the modern Marshmallow or Lollipop Android operating systems will need to grant the app a series of individual permissions making compromise more difficult.

    Reply
  33. Tomi Engdahl says:

    John McAfee Tried to Trick Reporters Into Thinking He Hacked WhatsApp
    https://entertainment.slashdot.org/story/16/05/16/1921252/john-mcafee-tried-to-trick-reporters-into-thinking-he-hacked-whatsapp

    “[John McAfee was offering to a different couple of news organizations to mail them some phones, have people show up, and then demonstrate with those two phones that [McAfee] in a remote location would be able to read the message as it was sent across the phones,” cybersecurity expert Dan Guido, who was contacted by a reporter trying to verify McAfee’s claims said. “I advised the reporter to go out and buy their own phones, because even though they come in a box it’s very easy to get some saran wrap and a hair dryer to rebox them.”

    Reply
  34. Tomi Engdahl says:

    Facebook, Twitter, Youtube face hate speech complaints in France
    http://www.reuters.com/article/us-france-internet-idUSKCN0Y60MM

    Three French anti-racism associations said on Sunday they would file legal complaints against social networks Facebook (FB.O), Twitter (TWTR.N) and Google’s Youtube (GOOGL.O) for failing to remove “hateful” content posted on their platforms.

    French law requires websites to take down racist, homophobic or anti-semitic material and tell authorities about it.

    Twitter removed only four percent, Youtube seven percent and Facebook 34 percent, according to the associations.

    “In light of Youtube, Twitter and Facebook’s profits and how little taxes they pay, their refusal to invest in the fight against hate is unacceptable,”

    Reply
  35. Tomi Engdahl says:

    Jail sentence for YouTube pranksters
    http://www.bbc.com/news/technology-36305727

    Four members of the controversial Trollstation YouTube channel have been jailed in connection with fake robberies and kidnappings.

    The group were involved in a fake robbery at London’s National Portrait Gallery and a fake kidnapping at Tate Britain in July 2015.

    The channel, with 718,000 subscribers, has built a reputation for filming staged pranks around the city.

    A fifth member was imprisoned in March following a bomb hoax.

    “The hoaxes may have seemed harmless to them, but they caused genuine distress to a number of members of the public, who should be able to go about their daily business without being put in fear in this way.

    Reply
  36. Tomi Engdahl says:

    Developer of anonymous Tor software dodges FBI, leaves US
    http://money.cnn.com/2016/05/17/technology/tor-developer-fbi/

    In its mission to hunt criminals, the FBI has been keen to hack Tor, the Internet browser that hides your true location.

    The FBI’s attempts to break into Tor are starting to manifest in strange ways.

    FBI agents are currently trying to subpoena one of Tor’s core software developers to testify in a criminal hacking investigation, CNNMoney has learned.

    But the developer, who goes by the name Isis Agora Lovecruft, fears that federal agents will coerce her to undermine the Tor system — and expose Tor users around the world to potential spying.

    Reply
  37. Tomi Engdahl says:

    New York Times:
    China is quietly requiring foreign tech companies to submit their products to security reviews — HONG KONG — Chinese authorities are quietly scrutinizing technology products sold in China by Apple and other big foreign companies, focusing on whether they pose potential security threats …
    http://www.nytimes.com/2016/05/17/technology/china-quietly-targets-us-tech-companies-in-security-reviews.html

    Reply
  38. Tomi Engdahl says:

    David Voreacos / Bloomberg:
    Ukrainian hacker admits stealing 150K press releases from newswire services to help criminal network make $30M from insider trading — Hacker, 28, broke into network after stealing user credentials — First hacker convicted in conspiracy to steal 150,000 releases

    Ukrainian Hacker Admits Stealing PR Newswire Press Releases
    http://www.bloomberg.com/news/articles/2016-05-16/ukranian-hacker-admits-stealing-pr-newswire-press-releases

    A Ukrainian hacker pleaded guilty to stealing unpublished news releases that helped a criminal network make $30 million by trading on nonpublic information about corporate earnings.

    Vadym Iermolovych, 28, admitted Monday in federal court in Newark, New Jersey, that he worked with two other Ukrainian hackers to steal 150,000 releases from computer networks at PR Newswire, Business Wire and Marketwired. He is the fourth person to plead guilty in Newark or Brooklyn, New York, and the first hacker to do so.

    Prosecutors said that from February 2010 to November 2014, the hackers broke into computer networks at the three companies and stole draft releases that they shared with others who made stock trades in advance of the public dissemination of the corporate earnings.

    Reply
  39. Tomi Engdahl says:

    The recent “Panama Papers” breach, which resulted in the theft of 2.6 terabytes of data from a law firm, highlighted the firm’s failure to effectively secure and manage its open source software.

    Open source is an essential element in application development today and the breach raises the question: What are the best practices for securing and managing open source to avoid exploitation?

    Reply
  40. Tomi Engdahl says:

    Sarah Perez / TechCrunch:
    117M LinkedIn user emails and passwords from 2012 hack offered for sale on dark web marketplace; LinkedIn is contacting affected users

    117 million LinkedIn emails and passwords from a 2012 hack just got posted online
    http://techcrunch.com/2016/05/18/117-million-linkedin-emails-and-passwords-from-a-2012-hack-just-got-posted-online/

    A LinkedIn hack from back in 2012 is still causing problems for its users. The company announced this morning that another data set from the hack, which contains over 100 million LinkedIn members’ emails and passwords, has now been released. In response to this new data dump, LinkedIn says it’s working to validate the accounts and contact affected users so they can reset their passwords on the site.

    As you may or may not recall, given how much time has passed, hackers broke into LinkedIn’s network back in 2012, stole some 6.5 million encrypted passwords, and posted them onto a Russian hacker forum. Because the passwords were stored as unsalted SHA-1 hashes, hundreds of thousands were quickly cracked.

    Now, according to a new report from Motherboard, a hacker going by the name of “Peace” is trying to sell the emails and passwords of 117 million LinkedIn members on a dark web illegal marketplace for around $2,200, payable in bitcoin. In total, the data set includes 167 million accounts, but of those, only 117 million or so have both emails and encrypted passwords.

    As this data set also originates from the 2012 hack, these passwords are encrypted in the same way – with “no salt” – meaning they are more easily cracked.

    Reply
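The TechCrunch piece above says the passwords were stored as unsalted SHA-1 hashes and were cracked quickly. The block below is an added example, not code from the article or from LinkedIn, showing the property that makes unsalted hashes cheap to attack (every user with the same password gets the same digest, so one precomputed table covers all of them) next to a salted, iterated PBKDF2-HMAC-SHA256 store where the same password produces a different digest per user. The accounts and passwords are constructed sample data; the 600,000 iteration count is an assumption chosen for this example, not a value from the page.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample accounts; two of them deliberately share a weak password.
SAMPLE_USERS = {
    "alice@example.com": "linkedin",
    "bob@example.com": "linkedin",
    "carol@example.com": "correct horse battery staple",
}

# Assumed work factor for this example; tune to your hardware and guidance.
ITERATIONS = 600_000


def legacy_sha1(password):
    """The 2012-style scheme: one bare SHA-1 over the password, no salt, no stretching."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def duplicate_groups(records):
    """Given {user: stored_digest}, return lists of users whose digests are identical.

    With an unsalted hash, a non-empty result means those users share a password and
    a single table lookup or guess breaks all of them at once.
    """
    by_digest = {}
    for user, digest in records.items():
        by_digest.setdefault(digest, []).append(user)
    return [users for users in by_digest.values() if len(users) > 1]


def hash_password(password, salt=None):
    """Salted, iterated PBKDF2-HMAC-SHA256; returns a self-describing record string."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per account
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (
        ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iters, salt_b64, dk_b64 = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iters))
    return hmac.compare_digest(dk, base64.b64decode(dk_b64))


if __name__ == "__main__":
    legacy = {u: legacy_sha1(p) for u, p in SAMPLE_USERS.items()}
    print("unsalted SHA-1, users sharing a digest:", duplicate_groups(legacy))
    modern = {u: hash_password(p) for u, p in SAMPLE_USERS.items()}
    print("salted PBKDF2, users sharing a digest:", duplicate_groups(modern))
    print("verify alice:", verify_password("linkedin", modern["alice@example.com"]))
```

The salt removes the cross-user shortcut and the iteration count makes each guess cost hundreds of thousands of hash operations instead of one; neither helps a user who chose a password that sits at the top of every wordlist, which is why the article's advice to reset the affected passwords still stands.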
  41. Tomi Engdahl says:

    Knight Foundation:
    Knight Foundation, Columbia University launch First Amendment Institute, a $60M project to help in legal fights over online privacy and free speech

    Knight Foundation, Columbia University launch First Amendment Institute, $60 million project to promote free expression in the digital age
    http://www.knightfoundation.org/press-room/press-release/knight-foundation-columbia-university-launch-first/

    Project will support litigation, research and education on threats to freedom of speech and the press, and help shape First Amendment law in digital media

    Reply
  42. Tomi Engdahl says:

    Reuters:
    SEC: Cyber security is the biggest risk facing the financial system; some major exchanges, dark pools, clearing houses do not have adequate policies

    SEC says cyber security biggest risk to financial system
    http://www.reuters.com/article/us-finance-summit-sec-idUSKCN0Y82K4

    Cyber security is the biggest risk facing the financial system, the chair of the U.S. Securities and Exchange Commission (SEC) said on Tuesday, in one of the frankest assessments yet of the threat to Wall Street from digital attacks.

    Banks around the world have been rattled by an $81 million cyber theft from the Bangladesh central bank that was funneled through SWIFT, a member-owned industry cooperative that handles the bulk of cross-border payment instructions between banks.

    The SEC, which regulates securities markets, has found some major exchanges, dark pools and clearing houses did not have cyber policies in place that matched the sort of risks they faced, SEC Chair Mary Jo White told the Reuters Financial Regulation Summit in Washington D.C.

    “What we found, as a general matter so far, is a lot of preparedness, a lot of awareness but also their policies and procedures are not tailored to their particular risks,” she said.

    “As we go out there now, we are pointing that out.”

    “We can’t do enough in this sector,” she said.

    Cyber security experts said her remarks represented the SEC’s strongest warning to date of the threat posed by hackers.

    Reply
  43. Tomi Engdahl says:

    Unforeseen Costs of Security Training
    https://www.schneier.com/blog/archives/2016/05/unforeseen_cost.html

    At the last match of the year for Manchester United, someone found a bomb in a toilet, and security evacuated all 75,000 people and canceled the match. Turns out it was a fake bomb left behind after a recent training exercise.

    Manchester United stadium ‘bomb’ identified as forgotten training device
    https://www.theguardian.com/football/2016/may/15/manchester-united-abandon-final-premier-league-game-after-security-alert-leads-to-old-trafford-evacuation

    Old Trafford evacuated after discovery of what turns out to be device left behind by company conducting training exercise

    A fake bomb planted by a security company as part of a training exercise at Old Trafford caused the cancellation of Manchester United’s final Premier League game of the season when the firm forgot to take it away.

    The security blunder led to United’s home stadium being evacuated 20 minutes before kick-off against Bournemouth after an “incredibly lifelike explosive device” was found at the ground.

    Army bomb disposal experts carried out a controlled explosion on the dummy device, which was discovered in the toilets within the north-west quadrant, between the Sir Alex Ferguson Stand and the Stretford End.

    “Following today’s controlled explosion, we have since found out that the item was a training device which had accidentally been left by a private company following a training exercise involving explosive search dogs.”

    “The club takes security very seriously and staff are regularly trained with the police and emergency services to identify and deal with these incidents. We will investigate the incident to inform future actions and decisions.”

    Reply
  44. Tomi Engdahl says:

    Minimizing Exposure to Ransomware Attacks
    http://www.securityweek.com/minimizing-exposure-ransomware-attacks

    Ransomware is dominating the headlines so far in 2016, having moved from targeting individuals to holding corporate data hostage and extorting payments to decrypt the files. Holding someone or something for ransom is a simple yet effective strategy that has been used by criminals for thousands of years. Today, cyber criminals are applying these ancient techniques to modern technologies. So what do enterprises need to know about ransomware attacks and what can they do to minimize the risk of being victimized?

    Recent ransomware attacks against school districts (e.g. New Jersey, Horry County in South Carolina), healthcare providers (e.g., Ottawa Hospital), state and local governments, and enterprises illustrate that criminals have shifted away from using this crimeware to extort payments from consumers, since companies will pay higher ransoms.

    Ransomware, which encrypts a victim’s data and demands a ransom to unlock it, often has a major impact since it represents a loss of sensitive data or can shut down business operations. Ransomware has been around for a few years. However, according to the Federal Bureau of Investigation (FBI), we’re currently seeing a dramatic increase of these types of cyber-attacks paired with increasingly higher ransom requests.

    Paying Not an Option When Ransomware Hits
    http://www.securityweek.com/paying-not-option-when-ransomware-hits

    The rapid rise of ransomware has made it the latest marquee threat in cybersecurity. The growth in victims and damages has been widely reported, with successful attacks being waged against organizations of all sizes and stripes. However, this trend has had a disproportionate impact on small and medium-sized businesses.

    When they get hit, they disconnect

    Most ransomware does not hide the fact it has just locked down your system or encrypted your critical files. It alerts you. As a result, a majority of survey respondents said they were aware they had been compromised within an hour of the event. 90% were aware of the attack within 24 hours.

    This is very different from traditional data breaches, where the average time of discovery is measured in months, not hours, according to research (PDF) from Ponemon Institute.

    Unfortunately, the mission of the ransomware attack is accomplished in a much shorter period. Typical lockdown or encryption of a system happens within a minute or two of the ransomware’s execution. At that point, there are only two choices left: pay or start cleaning up. Regardless, the very first task most survey respondents focus on is isolating the infection. 75% of the victims pull the machines as soon as possible and begin some form of restoration process.

    Common Ground: Don’t Pay

    The most surprising response was the near unanimous resistance of these IT professionals to pay the ransom. Reporting on attacks at places like Hollywood Presbyterian Hospital in California and others have shown the willingness of organizations to pay. Back in 2014, Kent University reported that 40% of CryptoLocker victims had chosen to pay, and more recently the US DoJ reported on millions spent on ransomware and recovery efforts since 2005.

    Both of the respondent groups (prospective and actual victims) agreed that paying was not a viable option, as 95% of ransomware victims refused to pay the ransom. Over 80% of the not-yet victims also indicated they wouldn’t pay if they were attacked.

    Lessons Learned: Backups Can Come Up Short

    The most common mitigation for these organizations was to restore their affected systems from backup. The unaffected groups indicated that they were backing up almost 100% of their data, and 81% felt that these backups would allow them to completely recover. Unfortunately, among the victims, only 42% were able to recover all of their data during the restoration process.

    Reply
  45. Tomi Engdahl says:

    Mysteries of the Panama Papers
    http://www.securityweek.com/mysteries-panama-papers

    Just as the story of the “Panama Papers” was about to die out, we in the security community are treated to new data, some celebrities and a manifesto. The leaked data from the Mossack Fonseca breach is supposed to illuminate dark corners of international tax evaders, but the story has many mysteries around it still.

    Reply
  46. Tomi Engdahl says:

    Security Resources: Don’t Put All Your Eggs in One Basket
    http://www.securityweek.com/security-resources-dont-put-all-your-eggs-one-basket

    Why Centralizing Enterprise Security Resources is Not a Great Idea

    One of my favorite proverbs advises: Don’t put all your eggs in one basket. The spirit of this proverb is that one should not risk everything on the success of one particular venture. This is a life lesson that some people learn better than others. Even more interesting to me than who learns this lesson is to which domains people are most apt to apply this lesson. What do I mean by that? Allow me to explain.

    Let’s take look at some reasons why centralizing security resources is not a great idea:

    ● Business is global
    ● Recruiting is hard: It’s no secret that recruiting qualified, talented security professionals is extremely difficult.
    ● Natural disasters: We are technologically advanced as a society, but we still cannot control nature. Centralizing all of the organization’s security resources in one area makes the entire security posture of the organization vulnerable to natural disasters.
    ● Technical issues: They don’t happen very often, but power outages, network failures, and other sorts of technical issues still occur.
    ● The earth rotates continuously: Like it or not, the earth’s rotation means it will always be night somewhere. Think finding good security people is hard? Try finding them and then telling them you want them to work odd hours, including nights and weekends. That is not likely to be a successful conversation.
    ● Groupthink: Worried about groupthink? Try building a global security organization that brings in education, knowledge, and perspectives from around the world.
    ● Diversity: Everyone talks about diversity being important.
    ● Relationships are important: It is true that relationships are important, and of course, there is value in the relationships at corporate headquarters as well.

    Reply
  47. Tomi Engdahl says:

    To Demonstrate ROI for Cyber Situational Awareness, Consider the Incident
    http://www.securityweek.com/demonstrate-roi-cyber-situational-awareness-consider-incident

    Security is now a topic on many board meeting agendas. Board members need to understand what threats they face, if they are prepared to stop them, and what additional security investments they need to make to better protect themselves from compromised brand integrity, instances of sensitive data loss, or potential threats. In 2015, in response to cyber risks, respondents to PwC’s Global State of Information Security Survey for 2016 boosted their information security budgets by 24 percent. It is safe to assume that this funding was allocated only after a compelling case was made and a CISO or CIO was able to demonstrate a return on investment.

    Increasingly, one of these areas of investment is cyber situational awareness. Struck by the realization that they can no longer rely on traditional security defenses to stop bad actors, many organizations are looking for ways to understand which threats lurk outside of their perimeter. Cyber situational awareness provides the ability to achieve an ‘attacker’s eye view’ of their organization to prevent, detect and contain cyber-related incidents.

    Reply
  48. Tomi Engdahl says:

    Cyber Attackers Target US Presidential Campaigns: Official
    http://www.securityweek.com/cyber-attackers-target-us-presidential-campaigns-official

    Cyber attackers are targeting the campaigns of Democratic and Republican presidential contenders, US Director of National Intelligence James Clapper said Wednesday.

    “We already have some indications of that,” he said during a cyber-security discussion at the Bipartisan Policy Center in Washington.

    “I anticipate that as the campaign intensifies, we are probably going to have more of it.”

    The Department of Homeland Security and the Federal Bureau of Investigation are doing “what they can” to educate both campaigns against potential cyber threats ahead of the general election in November, when Republican Donald Trump will likely face off against Democrat Hillary Clinton, Clapper said.

    “We’re aware that campaigns and related organizations and individuals are targeted by actors with a variety of motivations — from philosophical differences to espionage,”

    Reply
  49. Tomi Engdahl says:

    Security: A True Crown Jewel of Software
    http://www.securityweek.com/security-true-crown-jewel-software

    A journalist asked me an interesting question this week: “Why doesn’t the Agile Manifesto address security?” After some thought, I think I have a good answer.

    It does.

    Recently, I’ve been carefully reviewing “The Manifesto for Agile Software Development,” the seminal document for agile development principles. The document, better known as the Agile Manifesto, was created in 2001 to provide guiding principles for the emergence of agile development. The Manifesto includes “Twelve Principles of Agile Software” that support the key concepts. In examining the Manifesto and the Key Principles, I believe the team that wrote the document was careful to use broad language and minimal words in framing the principles, to purposefully enable them to be applicable as the world of development evolved.

    Think about it. The document was written before widespread adoption of the cloud, mobile applications, or the continuous implementation cycles we see today. Even with these foundational changes, the principles hold up well, which is a testimony to the authors’ brevity and careful word selection.

    So back to the original question. The very first principle in the manifesto speaks to the “delivery of valuable software.” I believe the answer lies in the interpretation of “valuable.” There is a wide variety of business drivers that may qualify as “valuable,” such as return on investment, time to market, and usability. In my opinion, security is also a “valuable” business driver, and has become a growing point of emphasis up to the board level.

    One CISO encouraged the providers to understand what the “crown jewels” — the valuables — of the organization really are. To illustrate his point, he noted that most would assume money would be his crown jewel. But it wasn’t. Instead, protecting his crown jewels was about preventing the loss of customer trust in a very competitive environment. Security mattered to him because a security breach would rupture that trust. So for that CISO, secure software translated to valuable software.

    Of course, this is not limited to banks. Most organizations realize the importance of security to some extent. To an organization under unrelenting attack, security is viewed as not just valuable, but necessary.

    Reply
  50. Tomi Engdahl says:

    TeslaCrypt ransomware shuts up shop and releases free decryption key for everyone
    http://betanews.com/2016/05/18/teslacrypt-closes-free-decryption-key/

    Ransomware is not exactly a new problem, but it’s one that seems to be getting increasingly serious. Every week there’s a new high profile attack out there including the likes of CryptXXX and PETYA. One of the biggest names, TeslaCrypt, has suddenly thrown in the towel and offered up a free decryption key for its victims.

    The surprise move comes just a couple of months after version 4 of TeslaCrypt gained what was described as “unbreakable encryption”. The closure is somewhat bittersweet.

    After downloading TeslaDecoder 1.0 — which is now able to decrypt TeslaCrypt 3.0 and 4.0 files

    Reply
