Security trends for 2016

Here are my predictions for trends in information security and cyber security for year 2016.

2015 was a bad year for information security, and I would say that the trend is worrying. So I expect that 2016 will bring many information security challenges. If you want to keep yourself up at night, spend some time reading about the latest developments in cybersecurity. In 2015 airplanes were hacked, cars were hacked, and vulnerabilities were found in a breathtaking range of sensitive equipment, from TSA locks to voting booths to medical devices. The big picture is even scarier. Former NSA Director Mike McConnell suspects China has hacked “every major corporation” in the US. Those problems will continue in 2016, and some new targets for attacks will be found. The system is broken. It isn’t keeping us, our companies, or our government safe. Worse yet, no one seems to know how to fix it.

Attacks through networks are becoming more common all the time. It will be hard to protect against targeted attacks. Hackers will not only customize malware, but will increasingly use sophisticated phishing and social engineering tricks to gain access to sensitive data. Attackers usually cover their tracks carefully, so identification can be very difficult. Behind targeted attacks are usually professional criminals. Criminals do not respect geographical borders, and hence attacks are spread evenly everywhere. Companies will struggle to absorb the security threats of combined PC and mobile devices in 2016.


EU information security decisions made in late 2015 will have an impact on what comes in 2016: the new EU data protection legislation package was approved, and the EU Court of Justice ruled that the Safe Harbor procedure is invalid. This means that transfers of personal data from EU countries to the United States under Safe Harbor are a violation of law – you need some other agreement for this. The situation will probably get clarified during 2016. Data protection legislation changes will lead to increased fines for the unprepared. Legal uncertainty and big fines are a toxic cocktail for some companies. The combination of stiff penalties and ambiguously worded provisions in the new EU-wide data-protection law, which would replace a patchwork of 28 national laws, raises daunting prospects for companies operating in Europe.

After the huge number of user information leaks in 2015 from all kinds of Internet services, cloud companies will face challenges in gaining trust in their security. You might have just dared to trust “the right cloud services,” since, in principle, from the traditional information security point of view they seem to have the main things okay; the privacy issues now being raised change this.

New environments will bring new threats. New operating system versions mean that administrators and users are less familiar with the environments. IPv6 will get more widely used, and the security of IPv6 networks is different from IPv4. Organizations are moving to virtualized environments, which are complex and create network layers that can become an attack vector. Growing network virtualization functionality and programmability are both an opportunity and a threat to security. Cyber security research will be important in 2016 as 5G networks will be critical infrastructure on top of which, for example, transport, industry, health and the new operators will set up their business around 2020.

The huge amount of information security information is becoming harder and harder to manage in 2016. A key problem with revelations, as with all other news coverage, is the exponential growth of knowledge. There are a variety of news summaries produced on a daily basis, but they are not enough to get a good picture of what is happening. There are bigger and smaller news items, the impact of which is at times very difficult to assess. SMBs will become a bigger target for cybercriminals. Network and security professionals continue to be among the toughest IT talent to find and hire.

The old way of network security, focused on perimeter defense, is not enough in 2016. The old mantras “encrypt everything” and “secure the perimeter” are not enough. One deceptive truth seems to drive much of the cybersecurity industry down a rabbit hole: if you keep bad actors and bad software out of your system, you have nothing to worry about. It does not work like that anymore. As perimeter security gets stronger, malicious actors are looking for easier entry points to compromise an organisation through the breadth of its digital attack surface. Now malicious actors target “endpoints”—any device or sensor connected to a network—to break into that network. Traditional sandboxing will no longer protect against the growing malware landscape. Today, most private networks have far too many endpoints to properly secure. In an age of “Bring Your Own Device,” the cloud, remote access, and the Internet of Things, there are too many vulnerabilities hackers can exploit. Keep in mind that everything connected to the Internet can, and will, be hacked. To address those threats in 2016, security experts should assume compromise – that hackers and malware already have breached their defenses, or soon will – and instead classify and mitigate threats. In addition to a public key infrastructure lock-and-key system, you will also need an integrity solution that acts like an alarm. To protect against advanced threats, security professionals will increase their reliance on centralized security management solutions. You need to have prioritization and response plans for various kinds of breaches – with a strong focus on integrity.

Law enforcement versus Silicon Valley tension will continue to be strong throughout 2016. In 2015 law enforcement and politicians on both sides of the Atlantic lined up to repeatedly complain that the web was “going dark” as the result of end-to-end encryption and that this was hampering the investigation of terrorism and other serious crimes. Technologists and cryptographers argue that governments are trying to weaken encryption by demanding some form of privileged access for government. It’s not clear how much encryption the NSA can break. With renewed focus on how encrypted messages can be used to plot terrorist attacks, President Barack Obama’s administration is stepping up pressure on the tech sector to help in the battle. Privacy remains a major counter-argument. It seems that Governments Lie About Encryption Backdoors. Encryption systems weakened by mandated backdoors would not be effective in fighting the terrorists that governments invoke as their reason for wanting those backdoors in the first place.

But this does not stop some government officials from demanding such things, with varying success in different countries. Another fact is that the existence of coded communications is a reality, and the U.S. may not be able to do much about it because nearly everyone living in modern society uses it: encryption protects your bank information, prevents your password from being stolen when you log into a website, and allows all e-commerce transactions to take place securely. Encryption weakened by mandated backdoors would put all of us at an enormous risk of exposure from data breaches and associated online risks. The truth in 2016 is that any form of privileged access for government – i.e., a backdoor – would inevitably weaken crypto-systems and make them more vulnerable to attacks by foreign governments’ intelligence agencies as well as criminals. Juniper’s VPN security hole is proof that govt backdoors are bonkers. Encryption backdoors would be a gleeful win-win for terrorists and a horrific lose-lose for you – the bad guys having strong protections for their data, and the rest of us not. A poorly thought-out and crude surveillance technique could have a devastating effect on a country’s internet security, as for example Kazakhstan will force its citizens to install internet backdoors by requiring all Internet users to install a state-issued root certificate by January 1, 2016.

Google, Mozilla and Microsoft are pushing for an early SHA-1 crypto cutoff that could happen in 2016 instead of the earlier planned January 1st, 2017, due to recent research showing that SHA-1 is weaker than previously believed, because it’s been cracked without enormous effort. Mozilla, Microsoft and now Google are all considering bringing the deadline forward by six months to July 1, 2016. SHA-2 is going to be used as the replacement function for SHA-1. Websites like Facebook and those protected by CloudFlare have implemented a SHA-1 fallback mechanism for those systems that do not support SHA-2. Chrome will start displaying errors if SHA-1 certificates are employed in early 2016 and will completely stop supporting SHA-1 certificates at the end of 2016.
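A check a practitioner would run ahead of that cutoff, added here as an example and not code from the original post: a minimal DER walker that reads the outer signatureAlgorithm OID of a certificate and flags the SHA-1 variants. The OID tables and the make_sample_cert helper are my own; the sample certificates are constructed stand-ins with a dummy tbsCertificate, and a production scan would feed real DER from ssl.get_server_certificate to a full X.509 parser instead.

```python
# Added example: flag certificates whose outer signatureAlgorithm is a SHA-1 variant.
# RFC 5280: Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }

# Signature-algorithm OIDs that browsers are retiring (SHA-1) and their SHA-2 successors.
SHA1_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10040.4.3": "dsaWithSHA1",
    "1.2.840.10045.4.1": "ecdsaWithSHA1",
}
SHA2_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsaWithSHA256",
    "1.2.840.10045.4.3.3": "ecdsaWithSHA384",
}


def _read_tlv(data, offset):
    """Parse one DER tag-length-value at offset; return (tag, value, next_offset)."""
    tag = data[offset]
    length = data[offset + 1]
    offset += 2
    if length & 0x80:  # long form: low bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(data[offset:offset + n], "big")
        offset += n
    return tag, data[offset:offset + length], offset + length


def _decode_oid(raw):
    """Decode OBJECT IDENTIFIER content octets (base-128 arcs) into dotted form."""
    arcs = [raw[0] // 40, raw[0] % 40]
    acc = 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # last octet of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm_oid(cert_der):
    """Return the dotted OID from the outer signatureAlgorithm field of a DER certificate."""
    tag, cert, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    _, _tbs, off = _read_tlv(cert, 0)       # tbsCertificate: skipped entirely
    tag, alg, _ = _read_tlv(cert, off)      # signatureAlgorithm: AlgorithmIdentifier SEQUENCE
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid, _ = _read_tlv(alg, 0)         # first element: algorithm OBJECT IDENTIFIER
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    return _decode_oid(oid)


def classify(cert_der):
    """Return ("sha1"|"sha2"|"unknown", algorithm name or raw OID)."""
    oid = signature_algorithm_oid(cert_der)
    if oid in SHA1_SIGNATURE_OIDS:
        return "sha1", SHA1_SIGNATURE_OIDS[oid]
    if oid in SHA2_SIGNATURE_OIDS:
        return "sha2", SHA2_SIGNATURE_OIDS[oid]
    return "unknown", oid


def find_sha1_certs(inventory):
    """Given {name: DER bytes}, return the sorted names still signed with SHA-1."""
    return sorted(name for name, der in inventory.items() if classify(der)[0] == "sha1")


# --- constructed test data (not real certificates) ---------------------------

def _tlv(tag, value):
    """Encode a DER tag-length-value (short and long length forms)."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + value


def _encode_oid(dotted):
    """Inverse of _decode_oid: dotted OID string to content octets."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def make_sample_cert(sig_oid):
    """Stand-in certificate: dummy tbsCertificate, real algorithm OID, dummy signature."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))                       # just a serialNumber INTEGER 1
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + _tlv(0x05, b""))  # OID + NULL params
    sig = _tlv(0x03, b"\x00" + b"\xAA" * 8)                     # BIT STRING placeholder
    return _tlv(0x30, tbs + alg + sig)


if __name__ == "__main__":
    inventory = {
        "www-legacy": make_sample_cert("1.2.840.113549.1.1.5"),
        "www-renewed": make_sample_cert("1.2.840.113549.1.1.11"),
    }
    for name, der in inventory.items():
        print(name, classify(der))
    print("still on SHA-1:", find_sha1_certs(inventory))
```

Only leaf and intermediate certificates need migrating: browsers do not evaluate the self-signature on a trust-anchor root, so a SHA-1 root in the store is not what triggers the errors.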

The use of Blockchain technology, permissionless distributed database based on the bitcoin protocol that runs across a global network of independent computers, will get used more widely than for just Bitcoin virtual money. With bitcoin, Blockchain tracks the exchange of money. But it can also track the exchange of anything else that holds value, including stocks, bonds, and other financial securities. Overstock has already used the blockchain to issue private bonds. The Securities and Exchange Commission has approved a plan from online retailer Overstock.com to issue company stock via the Internet, signaling a significant shift in the way financial securities will be distributed and traded in the years to come. Overstock built its technology under the aegis of a subsidiary called TØ.com, and it plans to offer this “cryptosecurity” tech as a service to other businesses. Nasdaq OMX—the company behind the Nasdaq stock exchange—is using the blockchain to oversee the exchange of private stock.  Also several major companies from across both the technology and financial industries—including IBM, Intel, and Cisco as well as the London Stock Exchange Group and big-name banks JP Morgan, Wells Fargo, and State Street—have joined forces to create an alternative to the blockchain with Linux Foundation.

The use of disk encryption will increase, and there are different ways to do it with different security levels. With Windows 10, Microsoft has introduced disk encryption where the keys are uploaded to Microsoft. This approach has some advantages and disadvantages. The gold standard in disk encryption is end-to-end encryption, where only you can unlock your disk. This is what most companies use, and it seems to work well. It protects data in case your device is lost or stolen. But what if you forget or lose your key? There are certainly cases where it’s helpful to have a backup of your key or password – so keeping a backup of your recovery key in your Microsoft account could be genuinely useful for probably the majority of users that don’t have high security needs. The disadvantage of this approach is that your computer is now only as secure as that database of keys held by Microsoft, which means it may be vulnerable to hackers, foreign governments, and people who can extort Microsoft employees.


Weak and leaked passwords are still a huge security problem in 2016. Passwords are often the weakest part when it comes to securing users’ accounts, as many don’t use complex passwords or they reuse the same password across services. Two-factor authentication – like using a USB stick with a secret token or entering a code sent via text message to your phone – can help to increase security, but many users also find this to be a hassle as it introduces an additional step to the login process.

Google begins testing a login system that uses phone notifications for authentication instead of passwords: users authenticate by responding to a notification sent to their smartphone. The idea is similar to Yahoo’s recently launched “Account Key,” which also offers a password-free means of signing in involving a push notification sent to your phone that then opens an app where you approve the log-in.

Smartphones will become a more and more security-critical part of your life. “Increasingly, individuals and organisations are adopting password managers and multi-factor authentication technologies to plug some of the holes in password-based authentication.” “We foresee a world where practically everyone uses their smartphone as a multi-factor authentication element. In this world, the smartphone becomes your most valuable asset: something that enables you to unlock your life online and a target for attackers seeking to access your services.”

Expect that the number of mobile vulnerabilities will only grow in 2016. In 2016 we will see increasing numbers of cyber criminals using mobile applications to spread malware. Mobile presents an easy target for cyber criminals, because it is an attack surface that is open and extremely difficult to defend once an app has been released. Android threats will become more than just headline-grabbers. Will 2016 be the year iOS malware goes mainstream?


Critical infrastructures will be highly targeted in 2015. SCADA and ICS networks were not designed for security. Attacks against these systems have increased in recent years. I expect this trend to only get worse. There are still many companies that run their critical systems on Windows XP, as “There are some people who don’t have an option to change.” Many times the OS is running in automation and process control systems that run business and mission-critical systems, both in private sector and government enterprises. For example, the US Navy is using the obsolete operating system Microsoft Windows XP to run critical tasks. It all comes down to money and resources, but if someone is obliged to keep something running on an obsolete system, it’s completely the wrong approach to information security.

Cars were hacked at a record rate in 2015, and they will be hacked at least at the same rate in 2016. Modern cars are featuring more gadgetry and connected systems, and this will make vehicles just as vulnerable to today’s threats and attacks. I Am The Cavalry has published a five-star Cyber Safety Framework to mitigate this threat in cars; hopefully car component makers will study it.

IoT and smart devices are still at risk. The Internet of Things will continue to emerge, and businesses will need to think about how to protect their smart devices and prepare for the wider adoption of IoT. IoT platforms are not yet the weapon of choice for commercial malware authors – but business beware. Wearables won’t be safe, either, as they are built using largely the same, too often vulnerable, technologies as other IoT systems. IoT security is still in its infancy in 2016.

Cyber criminals became more active in 2015, particularly with ransomware. The ransomware problem will continue to be big in 2016. Commercial malware authors will continue to invest heavily, and exploit kits will continue to dominate on the web. Ransomware today is big business. Ransomware takes control of a computer and holds it hostage until the victim pays, usually in the digital currency Bitcoin. As a remedy against ransomware, I recommend ensuring with your IT support or your service provider that the data back-up and restore procedure is operational, practiced and tested. You may need it in 2016 to get your data back without considering paying criminals. To date ransomware has hit Windows users hardest, although Android and MacOS users are now also facing similar extortion.

Ransomware will continue to dominate in 2016, and it is only a question of time before we see things beyond data being ransomed. We have already seen websites being held to ransom with DDoS. Intel’s McAfee Labs also noted a huge spike in ransomware in early 2015, and worries about ransomware in the IoT space—including medical devices. And Kaspersky predicts the “nightmare of ransomware” to continue and “spread to new frontiers” in 2016. The article Ransomware Is Coming to Medical Devices tells that, according to a report released recently by Forrester Research, the number one cybersecurity prediction for 2016 is: “We’ll see ransomware for a medical device or wearable.” “It’s definitely feasible from a technical standpoint.” Networked medical devices save lives. Despite the hacking risk, it’s an informed trade-off. Medical device ransomware would be a modern form of highway robbery with lives at stake.

2,232 Comments

  1. Tomi Engdahl says:

    The Intercept:
    Sen. Wyden: this year’s annual intelligence authorization, just passed in Senate committee and not yet public, allows FBI warrantless access to email records — A provision snuck into the still-secret text of the Senate’s annual intelligence authorization would give the FBI the ability …

    Secret Text in Senate Bill Would Give FBI Warrantless Access to Email Records
    https://theintercept.com/2016/05/26/secret-text-in-senate-bill-would-give-fbi-warrantless-access-to-email-records/

    A provision snuck into the still-secret text of the Senate’s annual intelligence authorization would give the FBI the ability to demand individuals’ email data and possibly web-surfing history from their service providers without a warrant and in complete secrecy.

    If passed, the change would expand the reach of the FBI’s already highly controversial national security letters. The FBI is currently allowed to get certain types of information with NSLs — most commonly, information about the name, address, and call data associated with a phone number or details about a bank account.

  2. Tomi Engdahl says:

    Hacking Rolling Code Keyfobs
    http://hackaday.com/2014/03/17/hacking-rolling-code-keyfobs/

    Most keyfobs out there that open cars, garage doors, and gates use a rolling code for security. This works by transmitting a different key every time you press the button. If the keys line up, the signal is considered legitimate and the door opens.

    [Spencer] took a look into hacking rolling code keyfobs using low cost software-defined radio equipment. There are two parts to this attack. The first involves jamming the frequency the keyfob transmits on while recording using a RTL-SDR dongle. The jamming signal prevents the receiver from acknowledging the request, but it can be filtered out using GNU Radio to recover the key.

    Jam Intercept and Replay Attack against Rolling Code Key Fob Entry Systems using RTL-SDR
    http://spencerwhyte.blogspot.fi/2014/03/delay-attack-jam-intercept-and-replay.html

    For the past 6 months I have been developing a proof of concept attack against rolling code key fob entry systems. Some examples of affected systems would be the key fob you use to unlock your car.

    Or even open the garage door.

    The oscillators used in these key fobs are typically low cost, meaning that they may not operate at exactly their design frequency throughout the full temperature range. For this reason, the receiver in the car, or home security system, is designed to accept signals within a certain pass band. The trick of the attack is for the adversary to jam at some frequency within the receiver’s passband, but not too close to the frequency of the remote.

    If you jam in this manner, when the victim presses the unlock button on their key fob, nothing will happen because the receiver is being jammed by an adversary. The adversary can then use an SDR such as the RTL-SDR to record the whole transaction.

    GNURadio makes it easy to filter out the jamming signal and obtain the authorized remote signal.

    The signal obtained is the Nth rolling code, it is still valid because the receiver has not yet received the Nth rolling code. Therefore the adversary can replay the signal at a later time and unlock the car. But how does one replay the signal on the cheap?

    The demodulated signal was then played back through the audio interface of the computer.

    The signal was then fed into a LM386 op amp to bring the signal from line level (~1V), up to TTL (~3V). The TTL signal was then fed into an ASK RF module operating at the same frequency as the authorized remote.

    A 315 MHz ASK module was used, but this module is inexpensive and could easily be swapped out for say a 400 MHz FSK module.

    The attack was successful against all three rolling code secured automobiles.

  3. Tomi Engdahl says:

    Nathaniel Popper / New York Times:
    Researchers say crowdfunded VC fund The DAO project is flawed, cryptocurrency in it could be frozen or stolen by hackers

    Paper Points Up Flaws in Venture Fund Based on Virtual Money
    http://www.nytimes.com/2016/05/28/business/dealbook/paper-points-up-flaws-in-venture-fund-based-on-virtual-money.html?_r=0

    A group of computer scientists released a paper on Friday describing a number of security vulnerabilities in a novel cryptocurrency crowdfunding project that has raised more than $100 million.

    The authors of the paper argue that the money that has been put into the project, known as the Decentralized Autonomous Organization, could be frozen or stolen by attackers as a result of flaws in the way that the venture, known as the D.A.O., was set up. The money is all in a digital currency called Ether, which is a newer alternative to Bitcoin and exists entirely online.

    The threats emerged on the eve of the organization’s move from fund-raising to operational mode, in which it will evaluate proposals to fund experimental digital projects.

    The D.A.O. is a sort of venture capital fund that will pick investments based on direct voting from investors. The entire operation is computerized, with no humans in charge.

    The authors of the new paper are calling for the D.A.O.’s investors to hold off on considering any potential investments until the vulnerabilities are fixed.

    “The current implementation can enable attacks with severe consequences,”

  4. Tomi Engdahl says:

    The biggest problems for your web site aren’t cross-site scripting and SQL injection attacks. The biggest problems are the ones you don’t see: automated bots masquerading as real people browsing through web sites and mobile interfaces.

    Traditional web security products directed towards exploits, vulnerabilities and software coding defects don’t look to tell if an automated bot is driving a session meant for people. Only Web Behavior Analytics can determine this.

    Source:
    A human? A bot? Application Firewalls (WAFs) vs. Web Behavior Analytics for Finding The Biggest Threats to Your Web Site
    https://webinar.darkreading.com/2122?keycode=DRWE01

  5. Tomi Engdahl says:

    FBI raids dental software researcher who discovered private patient data on public server
    http://www.dailydot.com/politics/justin-shafer-fbi-raid/

    Someone alerts you to exposed, unencrypted patient information on your FTP server. Is the correct response to thank them profusely or try to have them charged as a criminal hacker?

    It is not a trick question. Once again, a security researcher has found himself facing possible prosecution under a federal statute known as the Computer Fraud and Abuse Act (CFAA). His crime, according to a dental-industry software company, was accessing what had been left publicly available on the open Internet.

    Moving onto Eaglesoft aka Patterson Dental
    http://justinshafer.blogspot.fi/2016/02/moving-onto-eaglesoft-aka-patterson.html

    So I have been asking Eaglesoft since 2014 if they would improve the authentication of Eaglesoft. Eaglesoft uses Sybase iSQL Anywhere for its database.

    How do they currently authenticate?
    Currently for read access they use the default username and password dba and sql.

    Do they support changing the backend database for reading AND writing?
    I do not know but I plan on finding this out, I have asked US-CERT.

    “Hackers are awful, evil, and rotten, but one thing they aren’t is stupid. In fact, many hackers specifically target small dental practices, assuming they don’t have “sophisticated” data protection systems. Learn how to secure your important data by reading up on PattLock, Patterson’s “sophisticated” data protection service. #PinkyOut”

    Other than spending time on how Eaglesoft authenticates, I noticed a free Eaglesoft 16 Developer License was on the Eaglesoft FTP site. This led to me wondering: What other careless mistakes have they put on their FTP Server?

    OH… Let me tell you.
    1. A file called Dental.Log which is a transactional log file without the actual Dental.DB file to go along with it. I converted the dental.log file to dental.sql and discovered patient data with over 5000 patients. The patients belong to Massachusetts General Hospital.

    2. A Recall Report from ES that was converted to PDF. This file belonged to a Dental office in Canada. There are over 2300 patients in this file. The SSN is not present, but insurance info, balances, and patient alerts are present.

    3. An entire Eaglesoft Database was also present. This database was to an office in Canada and has a little over 15 thousand patients in the database.

    This is all pretty sad, in a way. Apparently they just finished having a seminar February 2nd over “how to protect yourself from a data breach”

    Comment:
    Yeah, this is pretty wide open and ridiculous. I’m sure they’ll say it’s up to the client to protect their own network, but they really could make things a hell of a lot easier by tweaking a few things here.

  6. Tomi Engdahl says:

    Security researcher discovered the private information on the internet

    A US security researcher, Justin Shafer, discovered in February 22 000 dentists’ customer data unencrypted on the internet. He reported the matter to the manufacturer of the software used by dentists, as well as to CERT, which is responsible for security issues.

    Three months later the FBI knocked on Shafer’s door early in the morning and arrested him in a big operation.

    Security researchers who have made a difference have been persecuted in the past. In 2013, the hacker Andrew “weev” Auernheimer was sentenced to three years in prison for examining operator AT&T’s public web site, and activist Aaron Swartz took his life after the investigation of his hacking incident swelled over the banks.

    Source: http://www.tivi.fi/Kaikki_uutiset/tietoturvatutkija-loysi-yksityistietoja-netista-kiitokseksi-siita-hallitus-teki-jotain-torkeaa-6554982

  7. Tomi Engdahl says:

    CERT warns of hardcoded creds in medical app
    Patch or miscreants could doctor records
    http://www.theregister.co.uk/2016/05/30/cert_warns_of_hardcoded_creds_in_medical_app/

    The US computer emergency response team has issued a warning after admin credentials were found in a popular medical application used for acquiring patient data.

    The MEDHOST application is designed for handling the perioperative three stages of surgery including patient tracking, and patient conditions. It can be hosted and managed remotely.

    About 1,000 healthcare facilities use the company’s various technology products.

    The flaw meant attackers could key in the details and access patient data on servers that did not restrict logins from unknown locations.

    Vulnerability Note VU#482135
    MEDHOST Perioperative Information Management System contains hard-coded database credentials
    https://www.kb.cert.org/vuls/id/482135

    The vendor has addressed the use of hard-coded credentials in PIMS 2015R1 and newer versions. Administrators are encouraged to upgrade to the latest release.

  8. Tomi Engdahl says:

    Fiverr Suffers Six-Hour DDoS Attack After Removing DDoS-for-Hire Listings
    Crooks give Fiverr a piece of their mind
    Read more: http://news.softpedia.com/news/fiverr-suffers-six-hour-ddos-attack-after-removing-ddos-for-hire-listings-504570.shtml#ixzz4A7vHmbEp

  9. Tomi Engdahl says:

    This Facebook Clone Appears to Be Hosted in North Korea
    https://motherboard.vice.com/read/this-appears-to-be-north-koreas-facebook-clone

    Someone in North Korea appears to have created a Facebook clone, according to an internet analytics company that traced the site’s DNS to the notoriously isolated country.

    Right now, anyone in any country can make an account on the unnamed site—the current title just says “Welcome to Our Social Network.”

    Madory says he doesn’t know who set the website up, but if you click around it for a while, you’ll see that it’s a pretty faithful clone of Facebook, complete with a newsfeed, likes, and messaging service. The site is functional

    The North Korean Facebook Clone Has Already Been Hacked
    https://motherboard.vice.com/read/the-north-korean-facebook-clone-has-already-been-hacked

    You don’t need to be an ancient social media site to get hacked on the internet.

    On Friday, we first reported on a mysterious Facebook clone hosted in North Korea. A mere few hours later, someone had already hacked the site.

    McKean was able to become an admin for the site just by clicking on the “Admin” link at the bottom of the site and guessing the username and password. As it turned out, McKean said, the combination was extremely predictable: “admin” and “password.”

    “Was easy enough,” McKean told me in an online chat.

    In any case, the admin account gave him practically full control of the site. With it, he could “delete and suspend users, change the site’s name, censor certain words and manage the eventual ads, and see everyone’s emails, according to McKean. In the backend, he was also able to see the name of the site, which was “Best Korea’s Social Network.“

    The fate of the site, just like its origin, is totally unclear at this point.

  10. Tomi Engdahl says:

    There are a hundred decryption tools that unlock files encrypted by ransomware without any ransom payment. These blackmailers, at least, are harmless:

    AutoLocky
    HydraCrypt
    UmbreCrypt
    cryptolocker
    Petya
    Nemucod
    DMALocker2
    HydraCrypt
    DMALocker (3.0)
    CrypBoss
    Gomasom
    LeChiffre
    KeyBTC
    Radamant
    CryptInfinite
    PClock
    CryptoDefense
    Harasom
    TeslaCrypt
    CryptXXX
    Rector
    Rakhni
    scatter
    Xorist
    CoinVault
    Bitcryptor

    If possible, the user should maintain three copies of their data on two different physical formats, with one copy physically located in a different place.

    A normal user can achieve reasonable security by keeping important data on their computer or smart phone, in addition to some in the cloud, but also on an external hard drive or memory stick which is not connected to the Internet.

    Source: http://www.digitoday.fi/tietoturva/2016/05/27/iskiko-kiristaja-ei-hataa-naille-ei-tarvitse-enaa-maksaa/20165736/66?rss=6

    More: https://www.viestintavirasto.fi/kyberturvallisuus/tietoturvanyt/2016/05/ttn201605261544.html

  11. Tomi Engdahl says:

    Nicole Perlroth / New York Times:
    How the United Arab Emirates has used foreign-supplied hacking tools to crack down on human rights activists

    Governments Turn to Commercial Spyware to Intimidate Dissidents
    http://www.nytimes.com/2016/05/30/technology/governments-turn-to-commercial-spyware-to-intimidate-dissidents.html?_r=0

    In the last five years, Ahmed Mansoor, a human rights activist in the United Arab Emirates, has been jailed and fired from his job, along with having his passport confiscated, his car stolen, his email hacked, his location tracked and his bank account robbed of $140,000. He has also been beaten, twice, in the same week.

    Mr. Mansoor’s experience has become a cautionary tale for dissidents, journalists and human rights activists. It used to be that only a handful of countries had access to sophisticated hacking and spying tools. But these days, nearly all kinds of countries, be they small, oil-rich nations like the Emirates, or poor but populous countries like Ethiopia, are buying commercial spyware or hiring and training programmers to develop their own hacking and surveillance tools.

    The barriers to join the global surveillance apparatus have never been lower. Dozens of companies, ranging from NSO Group and Cellebrite in Israel to Finfisher in Germany and Hacking Team in Italy, sell digital spy tools to governments.

    A number of companies in the United States are training foreign law enforcement and intelligence officials to code their own surveillance tools.

    “There’s no substantial regulation,”

    “Any government who wants spyware can buy it outright or hire someone to develop it for you. And when we see the poorest countries deploying spyware, it’s clear money is no longer a barrier.”

    Hacking Team’s global license was revoked this year by the Italian Ministry of Economic Development.

    For now, Hacking Team can no longer sell its tools outside Europe and its chief executive, David Vincenzetti, is under investigation for some of those deals.

    Reply
  12. Tomi Engdahl says:

    Reuters:
    Iran gives foreign messaging apps a year to move all data and activity linked to Iranian users onto servers inside the country

    Iran orders social media sites to store data inside country
    http://www.reuters.com/article/internet-iran-idusl8n18q0in

    May 29 Iran has given foreign messaging apps a year to move data they hold about Iranian users onto servers inside the country, prompting privacy and security concerns on social media.

    Iran has some of the strictest controls on internet access in the world and blocks access to social media platforms such as Facebook and Twitter, although many users are able to access them through widely available software.

    Reply
  13. Tomi Engdahl says:

    Mobile USB charging is dangerous

    Security company Kaspersky Lab points out that charging a smartphone via USB involves a variety of risks.

    The security company notes that the USB interface is designed not only for charging but also for data transfer. Because of this, every time the device is connected to a USB port, it will try to handshake and establish a connection. Some data transfer takes place even at this stage, of course.

    While the phone is in charging mode – when data transmission is blocked – data is still transferred between your phone and the host device. The amount of this data depends on your platform and operating system.

    At a minimum, the host device receives information about the device, such as the manufacturer’s name and the device’s serial number.

    The problem is that AT commands can then be used to capture the SIM card’s telephone number and contact information. After that, the attacker can call any phone number at the expense of the SIM card owner.

    The important thing to remember is that you never know what the unknown USB port can do to your phone.

    Source: http://etn.fi/index.php?option=com_content&view=article&id=4517:kannykan-usb-lataaminen-on-vaarallista&catid=13&Itemid=101

    More:

    Charging your smartphone’s battery over USB can be dangerous
    https://blog.kaspersky.com/usb-battery-charging-unsecurity/12206/

    Chances are that each of us has found ourselves in a situation where our phone is dying and we have no charger on hand, but at the same time we desperately need to stay connected — to answer an important call, receive a text message or email, whatever.

    It is perfectly normal to look for any source of precious electricity on such occasion — any USB port would do. But is it safe? No. In fact, it can be dangerous: Over a USB connection someone can steal your files, infect your smartphone with something nasty — or even brick it.

    Reply
  14. Tomi Engdahl says:

    MISRA Adds Security Updates

    http://www.eetimes.com/author.asp?section_id=182&doc_id=1329792&

    MISRA is probably the most widely-used firmware standard. Alas, only a tiny fraction of us use any standard religiously.

    Though MISRA (Motor Industry Software Reliability Association) was founded by companies with an automotive bent, it is now used by organizations all across the firmware landscape. With good reason, too. The 140-odd rules are designed to improve the quality of embedded code. I think that MISRA doesn’t go far enough; it’s silent, for example, about stylistic issues. But MISRA is an excellent starting point and every embedded developer should be familiar with the standard. The current, 2012, version is available as a pdf for £15.

    It has recently been extended to deal with security issues. The new Amendment 1, issued last month, (free here) adds 14 rules targeting security. Some highlights:

    Directive 4.14 requires that all values from external sources be checked for validity. Duh!

    Rule 21.7 restricts the use of functions in string.h to ensure references don’t exceed the size of the variable being worked on.

    22.8 requires one to set errno to zero before calling any errno-setting function (e.g., fgetpos). Why? These functions change errno only if an error is detected.

    MISRA security updates
    http://www.embedded.com/electronics-blogs/break-points/4442122/MISRA-security-updates

    Reply
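    As an added illustration of the three rules quoted in the comment above (this is example code written for this page, not code from MISRA, the EE Times article or Embedded.com): a C fragment that clears errno before calling strtol and tests it afterwards, range-checks a value that came from an external source, and copies a string without reading or writing past either buffer. The configuration record, the limits, the function names and the sample inputs are all made up for the example.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical record filled from untrusted input (a config file, a
 * serial console, a command line). Names and limits are constructed. */
#define NAME_MAX_LEN 15u

struct device_cfg {
    char name[NAME_MAX_LEN + 1u];  /* always NUL-terminated */
    long baud;
};

/* Parse a decimal integer from an external string. Only a fully numeric
 * string whose value lies in [lo, hi] is accepted (Dir 4.14 style). */
bool parse_long_checked(const char *s, long lo, long hi, long *out)
{
    char *end = NULL;
    long v;

    if ((s == NULL) || (out == NULL) || (*s == '\0')) {
        return false;          /* missing or empty input is invalid */
    }
    errno = 0;                 /* Rule 22.8: strtol sets errno only on error */
    v = strtol(s, &end, 10);
    if (errno == ERANGE) {
        return false;          /* overflow, e.g. a 20-digit number */
    }
    if (*end != '\0') {
        return false;          /* trailing junk such as "9600abc" */
    }
    if ((v < lo) || (v > hi)) {
        return false;          /* value outside the permitted range */
    }
    *out = v;
    return true;
}

/* Length of s, but never looking further than max bytes, so an
 * unterminated source cannot be over-read. */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0u;
    while ((n < max) && (s[n] != '\0')) {
        n++;
    }
    return n;
}

/* Bounded copy: refuses (and leaves dst empty) when src would not fit,
 * rather than silently truncating or overrunning the destination. */
bool copy_name_bounded(char *dst, size_t dst_size, const char *src)
{
    size_t n;

    if ((dst == NULL) || (src == NULL) || (dst_size == 0u)) {
        return false;
    }
    n = bounded_len(src, dst_size);
    if (n >= dst_size) {
        dst[0] = '\0';
        return false;          /* needs n + 1 bytes including the NUL */
    }
    (void)memcpy(dst, src, n);
    dst[n] = '\0';
    return true;
}

/* Build a record from two external strings; all-or-nothing. */
bool load_device_cfg(const char *name, const char *baud_str, struct device_cfg *cfg)
{
    struct device_cfg tmp;

    if (cfg == NULL) {
        return false;
    }
    if (!copy_name_bounded(tmp.name, sizeof tmp.name, name)) {
        return false;
    }
    if (!parse_long_checked(baud_str, 300L, 4000000L, &tmp.baud)) {
        return false;
    }
    *cfg = tmp;
    return true;
}

/* Plain-value wrappers so results can be inspected without out-parameters. */
long parse_baud_or(const char *s, long fallback)
{
    long v;
    return parse_long_checked(s, 300L, 4000000L, &v) ? v : fallback;
}

bool cfg_accepts(const char *name, const char *baud_str)
{
    struct device_cfg c;
    return load_device_cfg(name, baud_str, &c);
}

int main(void)
{
    /* constructed sample inputs: one good, three bad */
    const char *tests[][2] = {
        {"uart0", "115200"},
        {"uart0", "9600abc"},
        {"uart0", "99999999999999999999"},
        {"this-name-is-far-too-long", "9600"},
    };
    for (size_t i = 0u; i < sizeof tests / sizeof tests[0]; i++) {
        bool ok = cfg_accepts(tests[i][0], tests[i][1]);
        printf("%-28s %-24s -> %s\n", tests[i][0], tests[i][1], ok ? "accepted" : "rejected");
    }
    return 0;
}
```

    The point of clearing errno first is the one the comment makes: strtol leaves errno untouched on success, so a stale ERANGE from an earlier call would otherwise be misread as an overflow here, and a genuine overflow would be invisible if the caller only looked at the returned value.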
  15. Tomi Engdahl says:

    Infosec newbie looking for entry level training? So is SWIFT
    Hacked transaction house wants US security trainee
    http://www.theregister.co.uk/2016/05/31/infosec_newbie_looking_for_entry_level_training_so_is_swift/

    International payments clearing-house SWIFT wants extra hands to keep its stable doors closed.

    In a job ad that inexplicably fails to mention the hundreds of millions of dollars missing, in a variety of currencies because of astonishingly-lax security, it seeks an information security trainee.

    As previously documented, SWIFT’s slackery aided and abetted a US$81 million heist from the Bangladesh central bank, another $12 million from Ecuador’s Banco del Austro, and attacks in the Philippines and Vietnam.

    SWIFT’s response has been criticised for, among other things, only offering a guarantee that the network would “expand” its use of two-factor authentication, rather than demanding it of all banks.

    “Knowledge of intrusion detection and vulnerability assessment capabilities is an asset”,

    True enough: until recently, SWIFT doesn’t seem to have had intrusion detection on its list at all.

    Reply
  16. Tomi Engdahl says:

    Google’s Abacus Project: It’s All about Trust
    http://www.linuxjournal.com/content/googles-abacus-project-its-all-about-trust

    Do you hate having to remember your password when you want to access a secure Web site? Well, that soon may be a thing of the past. Google has announced a new API that developers can use to identify you without messing around with passwords pet names. The new system (codenamed Abacus) should be ready for use by the end of the year.

    Of course, Google currently supports OAuth 2, which enables users to log on to third-party sites with their Google account. As long as you’re logged on with Google, accessing a secure site is as simple as clicking a button.

    That seems simple enough—how can Google improve on that?

    Well, there’s always the case where you forget your Google password. And, what happens if someone else picks up your phone? Others easily could use OAuth’s one-click mechanism to access your secure data.

    Abacus works differently. It uses a wide range of different biometrics to verify the identity of the person holding the phone. It uses data from your phone’s sensors to recognize you, and it combines multiple pieces of information, from your location to the way you type. Voice recognition and facial recognition also are a part of the system.

    Third-party developers will access Abacus through the “Trust API”, which will be integrated into the Android platform.

    Most mobile devices lack dedicated biometric sensors, such as fingerprint readers or iris scanners. So Abacus uses only data that a regular Android phone can collect.

    Every time you interact with your device, you send a stream of tiny signals that can be used to uniquely identify you. Most of these data points aren’t enough to identify you, on their own, but taken together, they form a complete picture of the user.

    But while the Trust API may be a boon for people with password amnesia, it does raise some concerns. To begin with, it’s hard to be comfortable with a system that constantly monitors you.

    The Trust API effectively spies on you, listening to your voice, using your phone’s camera to peer at your face and tracking your position using satellites. Just a few years ago, this would sound like paranoid ravings. Today, it’s a reality.

    Reply
  17. Tomi Engdahl says:

    Microsoft Warns of ZCryptor Ransomware with Self-Propagation Features
    ZCryptor exhibits worm-like behavior and can spread to removable and network drives to expand its attack surface
    Read more: http://news.softpedia.com/news/microsoft-warns-of-zcryptor-ransomware-with-self-propagation-features-504566.shtml#ixzz4AElCwslI

    Reply
  18. Tomi Engdahl says:

    Eric Holder says Edward Snowden performed a ‘public service’
    http://edition.cnn.com/2016/05/30/politics/axe-files-axelrod-eric-holder/index.html

    Former U.S. Attorney General Eric Holder says Edward Snowden performed a “public service” by triggering a debate over surveillance techniques, but still must pay a penalty for illegally leaking a trove of classified intelligence documents.
    “We can certainly argue about the way in which Snowden did what he did, but I think that he actually performed a public service by raising the debate that we engaged in and by the changes that we made,”

    “Now I would say that doing what he did — and the way he did it — was inappropriate and illegal,” Holder added.

    Holder said Snowden jeopardized America’s security interests by leaking classified information while working as a contractor for the National Security Agency in 2013.

    “He harmed American interests,”

    Snowden, who has spent the last few years in exile in Russia, should return to the U.S. to deal with the consequences, Holder noted.

    “I think that he’s got to make a decision. He’s broken the law in my view.”

    “But,” Holder emphasized, “I think in deciding what an appropriate sentence should be, I think a judge could take into account the usefulness of having had that national debate.”

    Reply
  19. Tomi Engdahl says:

    Hackers Stole 65 Million Passwords From Tumblr, New Analysis Reveals
    https://motherboard.vice.com/read/hackers-stole-68-million-passwords-from-tumblr-new-analysis-reveals?trk_source=recommended

    Since Tumblr’s announcement, the hacked data appears to have been circulating within the internet underground.

    Reply
  20. Tomi Engdahl says:

    Paul Sawers / VentureBeat:
    Sirin Labs launches Solarin, its $13,800 smartphone touted as super secure, says it’s partnered with KoolSpan to integrate chip-to-chip 256-bit AES crypto

    Sirin Labs launches Solarin, a $14,000 privacy-focused smartphone
    http://venturebeat.com/2016/05/31/sirin-labs-solarin/

    Stealth Israeli startup Sirin Labs officially launched its super high-end Android smartphone at an event in London today, bringing to an end years of speculation about what the company’s been cooking up behind the scenes.

    Solarin promises “the most advanced privacy technology, currently unavailable outside the agency world,” and has partnered with KoolSpan to integrate chip-to-chip 256-bit AES encryption, similar to what the military uses to protect communications. It’s activated via a physical security switch on the back of the phone.

    “Cyberattacks are endemic across the globe,” said Tal Cohen, CEO and cofounder of Sirin Labs. “This trend is on the increase. Just one attack can severely harm reputations and finances. Solarin is pioneering new, uncompromising privacy measures to provide customers with greater confidence and the reassurance necessary to handle business-critical information.”

    Solarin also sports a Qualcomm Snapdragon 810 processor

    It’s worth noting here that this isn’t a mass-market device — at $13,800 this is for the super-rich. But if that’s you, then it goes on sale online globally

    Reply
  21. Tomi Engdahl says:

    Amar Toor / The Verge:
    Facebook, Twitter, Google, and Microsoft agree to EU hate speech rules that mandates review of “the majority of” hateful content within 24 hours of notification — Facebook, Twitter, Microsoft, and YouTube today agreed to European regulations that require them to review …

    Facebook, Twitter, Google, and Microsoft agree to EU hate speech rules
    New “code of conduct” aims to combat illegal hate speech and terrorist propaganda
    http://www.theverge.com/2016/5/31/11817540/facebook-twitter-google-microsoft-hate-speech-europe

    Facebook, Twitter, Microsoft, and YouTube today agreed to European regulations that require them to review “the majority of” hateful online content within 24 hours of being notified — and to remove it, if necessary — as part of a new “code of conduct” aimed at combating hate speech and terrorist propaganda across the EU. The new rules, announced Tuesday by the European Commission, also oblige the tech companies to identify and promote “independent counter-narratives” to hate speech and propaganda published online.

    Hate speech and propaganda have become a major concern for European governments following terrorist attacks in Brussels and Paris, and amid the ongoing refugee crisis, which has inflamed racial tensions in some countries.

    The EU has been pushing for web companies to combat terrorist propaganda, as well, with some developing their own material to counter efforts from groups like ISIS. The code of conduct announced today marks the first effort to unify policy on online hate speech across the EU.

    “The recent terror attacks have reminded us of the urgent need to address illegal online hate speech,”

    Europe’s crackdown on hate speech has put tech companies in a difficult situation, as governments push them to assume more responsibility in policing illegal content, and there are concerns over free speech, and how the code of conduct was structured. European Digital Rights (EDRi), a Brussels-based advocacy group, criticized the code of conduct in a post published Tuesday, saying that it delegates tasks to private companies that should be carried out by law enforcement.

    Reply
  22. Tomi Engdahl says:

    Kurt Wagner / Recode:
    Periscope to let livestream viewers vote on whether flagged comments are abusive in “flash juries” of five random users — Attention livestreamers: You’ve been summoned for jury duty. — Attention Periscope users: You’ve been summoned for jury duty.

    Periscope has a new plan to fight back against internet trolls
    http://www.recode.net/2016/5/31/11803070/periscope-abuse-safety-update-internet-trolls

    Periscope, Twitter’s standalone livestreaming app, has created a new way to combat internet trolls, which includes a system to put internet bad guys on trial in front of their internet peers.

    Here’s how the new abuse system works: If you’re watching a Periscope livestream and come across a vile or inappropriate comment, you can report that comment, triggering what Periscope calls a “flash jury” of other users watching the same livestream.

    Periscope will ask this flash jury, a small group of other randomly selected users, if they also consider the comment abusive or offensive. If the majority agrees with you, the commenter will be placed in a one minute time-out with commenting disabled. Repeat offenders will be muted for good.

    The new system is pretty unusual. Most social sites like Facebook, Twitter and Snapchat rely on users to report abusive and inappropriate material, but Periscope seems to be the first one asking other users to then weigh in.

    Reply
  23. Tomi Engdahl says:

    The Duo Security Bulletin:
    Analysis shows Lenovo, Acer, HP, Dell, and Asus are shipping laptops with bloatware that’s known to be insecure

    Out-of-Box Exploitation: A Security Analysis of OEM Updaters
    https://duo.com/blog/out-of-box-exploitation-a-security-analysis-of-oem-updaters

    Original Equipment Manufacturers (OEM) refer to the first boot of a new PC as the out-of-box experience (OOBE). As you battle your way through modal dialogues for questionable software, and agree to some exciting 30 day antivirus trials, it’s pretty forgivable to want to throw your brand new computer through the nearest window.

    Today, Duo Labs is publishing our take on the OOBE; Out-of-Box Exploitation: A Security Analysis of OEM Updaters. Shovelware, crapware, bloatware, “value added” – it goes by a lot of names – whatever you call it, most of it is junk (please, OEMs, make it stop). The worst part is that OEM software is making us vulnerable and invading our privacy. Issues like Superfish and eDellRoot make us less secure and are often easy to abuse in practice. With that in mind, Duo Labs decided to dig in to see how ugly things can get.

    Spoiler: we broke all of them (some worse than others). Every single vendor had at least one vulnerability that could allow for a man-in-the-middle (MITM) attacker to execute arbitrary code as SYSTEM.

    Some vendors made no attempts to harden their updaters, while others tried to, but were tripped up by a variety of implementation flaws and configuration issues.

    https://duo.com/assets/pdf/out-of-box-exploitation_oem-updaters.pdf

    Reply
  24. Tomi Engdahl says:

    Facebook planning encrypted version of its Messenger bot, sources say
    https://www.theguardian.com/technology/2016/may/31/facebook-messenger-bot-encryption-secure-messaging

    The move illustrates how technology companies are doubling down on secure messaging while not wanting to get in the way of their other business objectives

    Reply
  25. Tomi Engdahl says:

    Hackers Find Bugs, Extort Ransom, Call It a Public Service
    https://it.slashdot.org/story/16/05/31/1717233/hackers-find-bugs-extort-ransom-call-it-a-public-service

    Crooks breaking into enterprise networks are holding data they steal for ransom under the guise they are doing the company a favor by exposing a flaw. The criminal act is described as bug poaching and is becoming a growing new threat to businesses vulnerable to attacks.
    Hackers are extorting companies for as much as $30,000 in exchange for details on how hackers broke into their network and stole data. Researchers say once the intruders steal the data, there’s no explicit threat that they will break in again or release data if companies don’t pay. Instead, attackers release a simple statement demanding payment in exchange for details on how to fix the vulnerability

    Hackers Find Bugs, Extort Ransom and Call it a Public Service
    https://threatpost.com/hackers-find-bugs-extort-ransom-and-call-it-a-public-service/118360/

    According to IBM’s X-Force researchers, the new tactic it is a variation on ransomware. In the case of bug poaching, hackers are extorting companies for as much as $30,000 in exchange for details on how hackers broke into their network and stole data. More conventional ransomware attacks, also growing in number, simply encrypt data and demand payment for a decryption key.

    Researchers say once the intruders steal the data, there’s no explicit threat that they will break in again or release data if companies don’t pay. Instead, attackers release a simple statement demanding payment in exchange for details on how to fix the vulnerability

    “These attackers are trying to play a moral high ground when it comes to exposing bugs,” Kuhn said to Threatpost in an interview. “But make no mistake, this is straight up extortion,”

    Kuhn said that payment of the ransom is no guarantee the hackers will destroy the stolen data.

    “These attackers are equal opportunity hackers looking for any business that may have a simple vulnerability to exploit such as a SQL injection attack against a website flaw,” Kuhn said. Other attacks have included the use of off-the-shelf penetration testing tools to find flaws.

    Reply
  26. Tomi Engdahl says:

    Tor Browser 6.0: Ditches SHA-1 Support, Uses DuckDuckGo For Default Search Results
    https://tech.slashdot.org/story/16/05/31/1643234/tor-browser-60-ditches-sha-1-support-uses-duckduckgo-for-default-search-results

    The version 6.0 of Tor Browser, a free software for enabling anonymous communication, is now available to download. The new version introduces several changes, including disabling SHA-1 support, and removing Mac Gatekeeper issue. Another big change is that Tor now uses DuckDuckGo for search results by default.

    Reply
  27. Tomi Engdahl says:

    “Drive Crazy Y’all”: Hacker Faces 10-Years Behind Bars for Changing Road Sign
    http://www.secureworldexpo.com/%E2%80%9Cdrive-crazy-y%E2%80%99all%E2%80%9D-hacker-faces-10-years-behind-bars-changing-road-sign?utm_source=SW+Post+May+26%2C+2016&utm_campaign=SW+Post%3A+May+26%2C+2016&utm_medium=email

    Geoffrey Eltgroth thought it would be funny to change a Texas road sign to say “drive crazy y’all”, but he probably isn’t laughing now. The 26-year-old is facing felony charges and 10 years in prison for hacking into the sign.

    The incident happened on May 22nd, in Leander, Texas, a suburb of Austin.

    Eltgroth’s ‘sign-changing prank’ is nothing new, and there has never been a better time to look back at some of the best road-sign hacks.

    Reply
  28. Tomi Engdahl says:

    Life after Safe Harbour: Avoiding Uncle Sam’s data rules gotchas
    Do business, not time, across the Pond
    http://www.theregister.co.uk/2016/06/01/us_eu_data_export_rules_staying_safe/

    Back in the day I used to work for a multi-national company with a big presence in the US. I learned a lot there, from the usefulness of a BA silver card to how to run the tendering process for a big global WAN.

    I also learned what a big deal our US cousins make of their data export regulations.

    Safe Harbour was a scope minnow

    The Safe Harbor scheme targeted the movement of individuals’ personal data, or personally identifiable information (PII) between the EU and the US. Important, yes, but not exactly a vast scope. US export controls go more than a little further, though, with ten categories of technology whose export is restricted. Although export controls apply primarily to exporting physical items, they also apply to data about those items. After all, exporting the design of something can be as harmful as exporting the finished product.

    The export of security-related technology has been a bone of contention for years, of course.

    The desire not to permit the export of encryption technology is understandable: the country rightly wants to protect itself, and data encryption is key to that. They have, however, clearly sat down and thought about not just the export of directly relevant technology (i.e. software that can decrypt data) but also the indirect technologies that could be used against them by an outsider.

    Reply
  29. Tomi Engdahl says:

    Windows Zero-Day Affecting All OS Versions On Sale For $90,000
    https://hardware.slashdot.org/story/16/06/01/0023207/windows-zero-day-affecting-all-os-versions-on-sale-for-90000

    “A hacker going by the handle BuggiCorp is selling a zero-day vulnerability affecting all Windows OS versions that can allow an attacker to elevate privileges for software processes to the highest level available in Windows, known as SYSTEM,” writes Softpedia.

    Two videos are available, one showing the hacker exploit Windows 10 with the May 2016 security patch, and another one bypassing all EMET features.

    Windows Zero-Day Affecting All OS Versions on Sale for $90,000
    Over 1.5 billion users in danger due to new exploit
    Read more: http://news.softpedia.com/news/windows-zero-day-affecting-all-os-versions-on-sale-for-90-000-504716.shtml#ixzz4AL5etNop

    Reply
  30. Tomi Engdahl says:

    U.S. court says no warrant needed for cellphone location data
    http://www.reuters.com/article/us-usa-court-mobilephones-idUSKCN0YM2CZ

    Police do not need a warrant to obtain a person’s cellphone location data held by wireless carriers, a U.S. appeals court ruled on Tuesday, dealing a setback to privacy advocates.

    Writing for the majority, Judge Diana Motz said obtaining cell-site information did not violate the protection against unreasonable searches found in the Fourth Amendment of the U.S. Constitution because cellphone users are generally aware that they are voluntarily sharing such data with their provider.

    The ruling overturns a divided 2015 opinion from the court’s three-judge panel and reduces the likelihood that the Supreme Court would consider the issue.

    Reply
  31. Tomi Engdahl says:

    Your WordPress and Drupal installs are probably obsolete
    Research reckons Mossack Fonseca hack may have been thanks to CMS vulns
    http://www.theregister.co.uk/2016/06/01/cms_vulns_rife_in_top_uk_companies_wordpress_drupal/

    Many of the UK’s biggest firms are running outdated versions of their Drupal and WordPress Content Management Systems (CMSes).

    CMSes play an important role in everything from providing potential customers with product information to ongoing communications and support. Despite the widespread use of the technology CMSes are frequently not given the attention they deserve, hence the widespread occurrence of problems even in the UK’s largest and presumably best-resourced enterprises.

    “In many cases they are not tier 1 applications set up and supported by central IT and this can all too often result in a set up and forget approach,”

    RiskIQ was prompted to carry out the study by the Panama Papers controversy. Evidence of tax avoidance and personal info about the rich and powerful was exposed by a leak from Panamanian lawyers Mossack Fonseca. Many in the infosec community, at least, suspect a hack against Mossack Fonseca’s CMS played a key role in the breach.

    Reply
  32. Tomi Engdahl says:

    HackerOne:
    5 Most Viewed HackerOne Vulnerability Reports of 2016 — Public vulnerability reports are security gold – everyone benefits from the shared knowledge. There are over 1600 publicly disclosed vulnerability reports on HackerOne, with more added each day. For every company or hacker that shares a report – thank you!

    Top 5 Most Viewed Bugs of 2016
    https://hackerone.com/blog/top-5-most-viewed-bugs-of-2016-so-far?utm_source=Techmeme&utm_medium=display&utm_campaign=variation_2

    Public vulnerability reports are security gold – everyone benefits from the shared knowledge. There are over 1600 publicly disclosed vulnerability reports on HackerOne, with more added each day. For every company or hacker that shares a report – thank you! The internet and all of us are safer because of your generous actions.

    Reply
  33. Tomi Engdahl says:

    Megan Rose Dickey / TechCrunch:
    Facebook to test Safety Checks triggered by a large number of posts about a particular crisis that has been confirmed by third-party sources

    Facebook to enable community-activated Safety Check
    http://techcrunch.com/2016/06/02/facebooks-taking-a-more-community-driven-approach-to-safety-check/

    Facebook is making its Safety Check feature more stable and easier to deploy, which means that you might start seeing more Safety Checks on the platform. Before today, engineers had to type code to deploy a Safety Check. Now, there’s a simple form that any Facebook employee on the team could activate, which brings the total of people able to deploy a Safety Check from about two to a dozen throughout the world.

    Safety Check is Facebook’s tool that enables you to quickly let people know that you’re okay during a crisis. The attacks in Paris were the first time Facebook deployed Safety Check for a human disaster, rather than a natural disaster, like an earthquake or tsunami.

    In these tests, Facebook’s Safety Check will be triggered by a combination of a certain number of people posting about a particular crisis plus an alert from one of Facebook’s third-party sources.

    Reply
  34. Tomi Engdahl says:

    Meta Data, Big Data and the Coming Tectonic Shift in Security
    https://webinar.darkreading.com/2102?keycode=DRWE04

    While yesterday’s security model was largely based on prevention of breaches, tomorrow’s security solutions will increasingly focus on detection of breaches from within followed by containment. This is a large shift both in terms of investment dollars and technologies.

    However, a detection based strategy requires building context of the organization’s operating environment, triangulating bad-like behavior against what is normal-like behavior for an organization and trying to identify anomalies that could lead to the presence of malware in the organization. This requires marrying big data type solutions with SIEM type technologies.

    Reply
  35. Tomi Engdahl says:

    The least stressful job in the US? Information security analyst, duh
    That’s not a typo, we’ve checked and checked again
    http://www.theregister.co.uk/2016/06/02/least_stressful_job_is_infosec_analyst/

    Everyone knows that being an infosec analyst is a cushy job – but did you know quite how much? Because according to job website CareerCast, it is literally the least stressful job in the country.

    The company measured 11 stress factors, including the amount of travel, deadlines, competitiveness, physical demands, risk to your life, and being in the public eye and concluded that the best of all possible worlds was in infosec.

    “The proliferation of sensitive content stored online, as well as the growing importance of cloud computing, is fueling the demand for more information security analysts. Job prospects and competitive pay make this new addition to the Jobs Rated report one of the best jobs for 2016,” CareerCast argues.

    In fact, CareerCast seems to have a thing for infosec analysts, putting it not only bottom of the stress league but also listing it as the third best job to have in the United States, with a median salary of $89,000 and a healthy 18 per cent growth outlook. It’s beaten only by statistician and data scientist.

    And at the other end of the scale? Newspaper reporter.

    That’s right, being a newspaper reporter is literally the worst job in America, according to CareerCast. And the ninth most stressful.

    Reply
  36. Tomi Engdahl says:

    Web ads are reading my keystrokes and I can’t even spel propperlie
    Let’s not get paranoid, here, but…
    http://www.theregister.co.uk/2016/03/18/web_ads_are_reading_my_keystrokes_and_i_cant_even_spell_propperlie/

    Perhaps those online ads are correctly targeted after all. My man-purses and my friend’s willies probably go together well.

    Well, let’s not be paranoid, eh? It’s all harmless ads, after all

    Reply
  37. Tomi Engdahl says:

    TeamViewer denies hack after PCs hijacked, PayPal accounts drained
    Remote-control tool wobbles offline, blames bad passwords for compromises
    http://www.theregister.co.uk/2016/06/01/teamviewer_mass_breach_report/

    TeamViewer users say their computers were hijacked and bank accounts emptied all while the software company’s systems mysteriously fell offline. TeamViewer denies it has been hacked.

    In the past 24 hours, we’ve seen a spike in complaints from people who say their PCs, Macs and servers were taken over via the widely used remote-control tool on their machines.

    It’s claimed TeamViewer.com’s DNS was screwed up during the IT snafu, thus stopping people from getting through to the Germany-based company’s servers. We’ve heard that its DNS servers were pointing towards Chinese IP addresses at one point, but we haven’t been able to verify that.

    After getting its systems back online, TeamViewer insisted that its security was not breached.

    It is possible that some folks have been caught out by password reuse, or by weak passwords, or by a Windows Trojan disguised as an Adobe Flash update.

    TeamViewer said its DNS systems fell offline because they were pummeled by a denial-of-service attack.

    Reply
  38. Tomi Engdahl says:

    Want a job that pays at least $90,000 a year? Get into ransomware
    Career progression may include very hard time, though
    http://www.theregister.co.uk/2016/06/03/ransomware_pays_90000_a_year/

    An analysis of the finances and operation of a ransomware outfit has shown it’s entirely possible to bankroll a modest-sized crime gang on victims’ payoffs.

    Dark web monitoring firm Flashpoint has been following a ransomware-as-a-service campaign organized by Russian crooks since December 2015, tracking the recruitment of associates, distribution of the malware, and payment processes.

    The boss hired 10 to 15 affiliates in this way and they are responsible for spreading the ransomware code.

    Once the code is installed and running, the boss then handles communications with the victim, obtaining a ransom averaging $300 for the decryption key.

    Payment was in Bitcoins: 40 per cent of the ransom to the affiliate and 60 per cent for himself.

    The investigators found there were an average of 30 ransom payments made every month, netting the boss around $90,000 a year and his affiliates about $600 a month.

    Still, there is risk involved. The Russian police are cracking down on ransomware operations

    Reply
  39. Tomi Engdahl says:

    Shaun Nichols / The Register:
    Remote desktop tool TeamViewer introduces new security features after reports of PC and Mac hijacks — Stable door settles for bolt long after brief relationship with passing horse — TeamViewer is whacking anti-hacker protections into its remote-desktop tool – as its customers continue …

    TeamViewer beefs up account security after rash of PC, Mac hijacks
    Stable door settles for bolt long after brief relationship with passing horse
    http://www.theregister.co.uk/2016/06/03/teamviewer_beefs_up_security/

    TeamViewer is whacking anti-hacker protections into its remote-desktop tool – as its customers continue to report having their PCs and Macs remotely hijacked by criminals.

    Two new security checks in TeamViewer will warn users when a new device or location attempts to log into their TeamViewer account and remotely manage any computers connected to it, and will raise an alert if suspicious activity is detected.

    This exact behavior has been reported in surprising numbers by folks throughout the past two weeks: TeamViewer users complain that miscreants on the other side of the internet have broken into their desktops, and seized victims’ web browsers to empty online bank accounts and place internet orders. In some cases, people have lost thousands of dollars as crooks exploited passwords saved in browsers.

    Reply
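The new-device and new-location check described in the comment above, written out as an added example; this is not TeamViewer’s code (the article gives no implementation details) but illustrative logic run over constructed login events. It assumes the client reports a per-install device identifier and that the source address has already been resolved to a country; those two fields, the example.com accounts and the “confirmed device” list are all assumptions for the illustration.

```python
"""Added example: alert on logins from a device or country not previously seen
for the account, and only extend the trusted baseline from clean logins or
devices the user has confirmed out of band. Not TeamViewer's implementation."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Login:
    account: str
    device_id: str   # assumed: a per-install identifier sent by the client
    country: str     # assumed: GeoIP result for the source address
    success: bool


@dataclass(frozen=True)
class Alert:
    account: str
    device_id: str
    country: str
    reasons: tuple
    severity: str


# Constructed sample events (not real data). The CN/BR rows model the hijack
# pattern from the article: an attacker with a reused password logs in from
# somewhere the victim never has.
EVENTS = [
    Login("alice@example.com", "dev-laptop-1", "FI", True),
    Login("alice@example.com", "dev-laptop-1", "FI", True),
    Login("alice@example.com", "dev-phone-1", "FI", True),      # legitimate new phone
    Login("bob@example.com", "dev-desktop-7", "US", True),
    Login("bob@example.com", "dev-desktop-7", "US", False),     # failed: builds no trust
    Login("alice@example.com", "dev-unknown-9", "CN", True),    # new device AND new country
    Login("bob@example.com", "dev-desktop-7", "BR", True),      # known device, new country
    Login("carol@example.com", "dev-tablet-3", "DE", True),     # first login: baseline only
]

# Devices the user has confirmed via an out-of-band step (e.g. an e-mailed link).
CONFIRMED_DEVICES = {("alice@example.com", "dev-phone-1")}


def evaluate(events, confirmed_devices=frozenset()):
    """Return the alerts a login-monitoring step would raise for `events`."""
    seen_devices = defaultdict(set)
    seen_countries = defaultdict(set)
    alerts = []
    for ev in events:
        if not ev.success:
            continue                        # failed attempts never extend the baseline
        reasons = []
        if seen_devices[ev.account]:        # no baseline yet -> nothing to compare against
            if ev.device_id not in seen_devices[ev.account]:
                reasons.append("new device")
            if ev.country not in seen_countries[ev.account]:
                reasons.append("new country")
        if reasons:
            severity = "high" if len(reasons) == 2 else "medium"
            alerts.append(Alert(ev.account, ev.device_id, ev.country, tuple(reasons), severity))
            # An alerted login is trusted only if the user confirmed this device.
            if (ev.account, ev.device_id) in confirmed_devices:
                seen_devices[ev.account].add(ev.device_id)
                seen_countries[ev.account].add(ev.country)
            continue
        seen_devices[ev.account].add(ev.device_id)
        seen_countries[ev.account].add(ev.country)
    return alerts


if __name__ == "__main__":
    for a in evaluate(EVENTS, CONFIRMED_DEVICES):
        print(f"{a.severity:6} {a.account} {a.device_id} {a.country} {', '.join(a.reasons)}")
```

Run as-is it prints three alerts: Alice’s new phone (medium, then trusted because it is in the confirmed list), the unknown device from CN (high), and Bob’s known desktop appearing from BR (medium). The design point is that an alert must not itself create trust: the attacker’s device stays outside the baseline until the real user confirms it.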
  40. Tomi Engdahl says:

    Michael Mimoso / Threatpost:
    Lenovo tells users to uninstall its Accelerator app, says it’s vulnerable to MITM attacks after Duo Labs report on insecure bloatware in top PC vendor laptops

    Lenovo Tells Users to Uninstall Vulnerable Updater
    https://threatpost.com/lenovo-tells-users-to-uninstall-vulnerable-updater/118436/

    Lenovo has waved the white flag on a vulnerable component of its pre-installed software updater and recommends that users uninstall it from more than 110 notebook and desktop models running Windows 10. The decision to have users yank the Lenovo Accelerator Application comes days after a Duo Labs study on bloatware vulnerabilities exposing machines from five leading computer manufacturers to a variety of attacks.

    “Lenovo recommends customers uninstall Lenovo Accelerator Application”

    Bloatware Insecurity Continues to Haunt Consumer, Business Laptops
    https://threatpost.com/bloatware-insecurity-continues-to-haunt-consumer-business-laptops/118356/

    Reply
  41. Tomi Engdahl says:

    OEM software update tools preloaded on PCs are a security mess
    http://www.csoonline.com/article/3077466/security/oem-software-update-tools-preloaded-on-pcs-are-a-security-mess.html

    Researchers found remote code execution flaws in support tools from Acer, Asus, Lenovo, Dell, and HP.

    Serious vulnerabilities have crept into the software tools that PC manufacturers preload on Windows computers, but the full extent of the problem is much worse than previously thought.

    Reply
  42. Tomi Engdahl says:

    Will your backups protect you against ransomware?
    http://www.csoonline.com/article/3075385/backup-recovery/will-your-backups-protect-you-against-ransomware.html

    The headlines are full of reports about institutions such as hospitals and police departments, organizations that should have business continuity plans in place with solid backup strategies

    In theory, nobody should be paying any money to the ransomware extortionists. Doesn’t everyone have backups these days? Even consumer has access to a wide variety of free or low-cost backup services.

    Still, according to the FBI, more than $209 million in ransomware payments have been paid in the United States in the first three months of 2016 — up from just $25 million for all of 2015.

    What’s going on? Why aren’t backups working?

    To save money, some organizations don’t include all their important files in their backups, or don’t run their backups often enough. Others don’t test their backups and find out that the systems don’t work only when it’s too late. Finally, some companies put their backups on network drives that ransomware can easily find and jump to and encrypt.

    “But that’s before the cost of storage has come down exponentially in the last five to 10 years. Now we’re in a world with really inexpensive storage and cloud storage.”

    In addition, it might not be enough just to back up the important data and documents. Entire machines may need to be backed up, if they are critical to the business.

    If clean images of the infected machines were readily available, the hospital could have completely wiped the infected hardware and restored it to the last good version.

    “If the entire system has been compromised, you could roll back to the bare metal,” said Stephen Spellicy, senior director, product management, enterprise data protection, mobile information management, at HPE.

    “The biggest gotcha that companies are encountering when they get hit with ransomware is that they haven’t had a recent test of their recovery process,”

    “They’ve been doing backups, but they haven’t been drilled in how to recover — and there’s anecdotal evidence that some administrators ask, ‘How much pain would it be to restore from a backup versus pay the ransom?’”

    Many companies are failing to properly test their backups

    Cyber extortionists know that backups are their number one enemy and are adapting their ransomware to look for them.

    “Several ransomware families destroy all Shadow Copy and restore point data on Windows systems,”

    Any file system that’s attached to an infected machine is potentially vulnerable, as well as attached external hard drives and plugged-in USB sticks.

    “To make your backups ransomware proof, you should use a drive not mounted to a particular workstation,”

    Security controls need to be in place to segregate users from backups

    “You don’t need to have access on a daily basis — those backups are there only for an emergency, when everything else falls apart,”

    For day-to-day use, such as when employees accidentally delete important files and need to restore them, there are many file synching services available

    These systems will constantly monitor for changes in files. But if malware gets into the computer and encrypts all the files, the encryption will be mirrored by the backup system as well.

    It’s not just about the data

    If losing files and getting locked out of mission-critical systems wasn’t bad enough, ransomware might be doing even more damage.

    It might be covering up other attacks.

    “Advanced hackers are using ransomware as a secondary infection or to counter incident response,”

    And they may even hijack a company’s communications or website to spread the ransomware further.

    Reply
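As an added example, not from the CSO article or anyone quoted in it, the following script models the two failure modes the comment above describes: a file-sync mirror that faithfully copies the encrypted files over the good ones, and a backup that is only “tested” when the restore is needed. The in-memory “filesystem”, the two backup classes and the XOR “ransomware” are constructed stand-ins; the manifest check and the entropy check are the kind of pre-restore sanity checks a practitioner would add. It runs offline with the standard library only.

```python
"""Added example (not the article's code): sync-mirror vs. append-only backup
under a toy ransomware event, plus a restore test against a hash manifest."""
import hashlib
import math

# --- Constructed sample 'workstation' contents (not real files) -------------
WORKSTATION = {
    "finance/q1-ledger.csv": b"date,account,amount\n" + b"2016-01-04,4010,1250.00\n" * 120,
    "hr/policy.txt": b"Employees must lock their screens when leaving the desk. " * 60,
    "it/runbook.md": b"# Restore procedure\n1. Boot from clean media\n2. Verify manifest\n" * 50,
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def manifest(fs: dict) -> dict:
    """Hashes recorded at backup time; kept with the backup, never on the workstation."""
    return {path: sha256(data) for path, data in fs.items()}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte. Office documents sit well below 6; ciphertext approaches 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


class MirrorBackup:
    """A file-sync service: whatever the workstation writes, the copy gets."""
    def __init__(self):
        self.copy = {}

    def sync(self, fs: dict) -> None:
        self.copy = dict(fs)

    def restore(self) -> dict:
        return dict(self.copy)


class VersionedBackup:
    """Append-only snapshots on storage the workstation cannot write to."""
    def __init__(self):
        self._snapshots = []

    def snapshot(self, fs: dict) -> None:
        self._snapshots.append(dict(fs))

    def restore(self, index: int = -1) -> dict:
        return dict(self._snapshots[index])


def toy_ransomware(fs: dict, key: bytes) -> dict:
    """Stand-in for real ransomware: XOR with a SHA-256 keystream and rename to
    .locked. Not a real cipher; it only has to destroy the plaintext."""
    out = {}
    for path, data in fs.items():
        blocks = len(data) // 32 + 1
        stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range(blocks))
        out[path + ".locked"] = bytes(a ^ b for a, b in zip(data, stream))
    return out


def verify_restore(restored: dict, expected: dict) -> list:
    """The 'test your recovery' step: paths missing or not matching the manifest."""
    return sorted(p for p, h in expected.items() if p not in restored or sha256(restored[p]) != h)


def run_scenario() -> dict:
    mirror, versioned = MirrorBackup(), VersionedBackup()
    good = manifest(WORKSTATION)
    mirror.sync(WORKSTATION)
    versioned.snapshot(WORKSTATION)

    # Incident: the workstation is encrypted and the sync client mirrors the damage.
    # The versioned store is unreachable from the workstation, so it is untouched.
    infected = toy_ransomware(WORKSTATION, key=b"attacker-key")
    mirror.sync(infected)

    return {
        "mirror_failures": verify_restore(mirror.restore(), good),
        "versioned_failures": verify_restore(versioned.restore(), good),
        "mirror_high_entropy": sorted(p for p, d in mirror.restore().items() if shannon_entropy(d) > 7.0),
    }


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

The mirror “restores” three high-entropy `.locked` files that match nothing in the manifest, while the versioned snapshot restores cleanly. The entropy scan is what you run before overwriting production with a backup you have not looked at; the manifest comparison is the minimum a scheduled restore drill should assert.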
  43. Tomi Engdahl says:

    Jeremi M. Gosney / Ars Technica:
    How the full dump of LinkedIn passwords from 2012 hack will speed cracking of hashed passwords from any future breaches

    How LinkedIn’s password sloppiness hurts us all
    Second data dump lets hackers be 6 times better cracking future dumps.
    http://arstechnica.com/security/2016/06/how-linkedins-password-sloppiness-hurts-us-all/

    Back in 2012, fellow professional password cracker d3ad0ne (who regretfully passed away in 2013) and I made short work out of the first LinkedIn password dump, cracking more than 90 percent of the 6.4 million password hashes in just under one week.

    But those 6.4 million unique hashes posted on a Russian password-cracking forum in June 2012 only accounted for a fraction of the total LinkedIn database. This second dump, on the other hand, contains 177.5 million password hashes for 164.6 million users, which aligns perfectly with LinkedIn’s user count in the second quarter of 2012.

    This does appear to be a nearly complete dump of the user table from the 2012 LinkedIn hack.

    You may think that 178 million password hashes is a lot, and you wouldn’t be wrong. But some 362 million passwords, allegedly from Myspace, have recently been posted for sale on the darkweb elsewhere. What makes the LinkedIn breach more notable? While Myspace also acknowledged the breach, the data actually holds very little analytical value due to the fact the passwords were dramatically altered before being hashed.

    So as it stands today, the LinkedIn breach is the largest and most relevant publicly acknowledged password breach in Internet history.

    As Ars explained a few months after the first batch of LinkedIn passwords spilled, password cracking is an endless feedback loop. We crack the passwords so that we can learn about passwords which helps us to crack more passwords, which we can then analyze and use to crack more passwords.

    Back in the early days of password cracking, we didn’t have much insight into the way people created passwords on a macro scale.

    Most post-RockYou breaches have paled in comparison to the latest LinkedIn leak. Breaches from Zappos, Evernote, and LivingSocial (with 24 million, 50 million, and 50 million respectively) would have made for fantastic password statistics, except those hashes never saw the light of day. I’m sure the Adobe breach (at 130 million) was an amazing win for whoever stole the encryption key, but the rest of us are stuck playing a crossword puzzle.

    While the RockYou breach revolutionized password cracking with “only” 32 million passwords, this second wave of LinkedIn data is nearly six times larger. And given how many times this data has changed hands over the past two weeks, it’s surely just a matter of time before the full data is made publicly available. When it is, any password cracker worth their salt (ha!) should be able to crack 80 to 90 percent of the passwords on their own.

    This means hackers will soon have a drop-in replacement for RockYou that is over five times more effective: a new de facto wordlist, new patterns to analyze to generate new rules, and new statistics for probabilistic password cracking.

    Let’s quickly remember why we hash passwords in the first place: password hashing is an insurance policy. It ensures that should the password database be compromised in any way or through any vector, including physical theft, the passwords will not be recovered until engineers have an opportunity to identify and contain the breach, notify the public, and give users an opportunity to change their passwords anywhere else they may have used them. The stronger and slower the password hashing is, the more time a site buys for itself and its users in the event of a breach.

    Therein lies the problem. We’ve known about the necessity of slow hashing since the 1970s, yet due to a global failure in threat modeling, adoption has been extremely low.

    What this means is even if the next big breach does employ slow hashing, it likely will not be anywhere near as effective as it would have been even five years ago. Post-LinkedIn, it will now take hackers many fewer attempts to guess the correct password than it otherwise would have.

    That’s not to say that online services shouldn’t employ slow hashing today. If they aren’t using something like bcrypt or Argon2 for password storage, then they’re doing things very, very wrong.

    Examining the breach, LinkedIn didn’t have very much of an insurance policy. It was employing raw SHA1 for password hashing.

    The average person has at least 26 online accounts; IT professionals usually have hundreds. It is absolutely crucial that you employ a good password manager and let your password manager generate a new random password for each of your accounts.

    Reply
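An added example, not from the Ars article: the asymmetry Gosney describes between unsalted SHA-1 and a salted, deliberately slow hash, counted in hash operations over constructed sample data. PBKDF2-HMAC-SHA256 from Python’s standard library stands in for bcrypt or Argon2, which the article recommends but which need third-party packages; the wordlist, the user records and the round count are made up for the illustration.

```python
"""Added example: why a wordlist cracks an unsalted SHA-1 dump at the cost of
|wordlist| hashes total, and what per-user salt plus a slow KDF changes.
PBKDF2 is used here only because it ships with Python; prefer bcrypt/Argon2."""
import hashlib
import hmac
import os

# Constructed sample data, not real breach data. The wordlist plays the role of
# the RockYou- or LinkedIn-derived lists discussed above.
WORDLIST = ["123456", "password", "linkedin", "letmein", "Summer2016", "qwerty"]
USER_PASSWORDS = {"alice": "linkedin", "bob": "123456",
                  "carol": "linkedin", "dave": "Tr0ub4dor&3"}
PBKDF2_ROUNDS = 50_000   # demo value; in production tune so one verify takes ~100 ms


# --- What LinkedIn did: unsalted SHA-1 ---------------------------------------
def store_raw_sha1(password: str) -> str:
    return hashlib.sha1(password.encode()).hexdigest()


def crack_raw_sha1(dump: dict, wordlist: list) -> tuple:
    """Hash the wordlist ONCE, then look every user up in the table.
    Work is |wordlist| hashes no matter how many users leaked."""
    table = {store_raw_sha1(w): w for w in wordlist}
    cracked = {user: table[h] for user, h in dump.items() if h in table}
    return cracked, len(wordlist)


def duplicate_hashes(dump: dict) -> dict:
    """Without salt, users sharing a password share a hash, so the dump leaks
    password frequencies before a single guess is made."""
    seen = {}
    for user, h in dump.items():
        seen.setdefault(h, []).append(user)
    return {h: users for h, users in seen.items() if len(users) > 1}


# --- Salted, slow hashing ----------------------------------------------------
def store_slow(password: str, salt: bytes = None) -> str:
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"{salt.hex()}${dk.hex()}"


def verify_slow(password: str, stored: str) -> bool:
    salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(dk.hex(), dk_hex)   # constant-time comparison


def crack_slow(dump: dict, wordlist: list) -> tuple:
    """No shared table is possible: each user has a distinct salt, so every guess
    is recomputed per user and each guess costs PBKDF2_ROUNDS hash operations."""
    cracked, work = {}, 0
    for user, stored in dump.items():
        for guess in wordlist:
            work += PBKDF2_ROUNDS
            if verify_slow(guess, stored):
                cracked[user] = guess
                break
    return cracked, work


def compare() -> dict:
    raw_dump = {u: store_raw_sha1(p) for u, p in USER_PASSWORDS.items()}
    slow_dump = {u: store_slow(p) for u, p in USER_PASSWORDS.items()}
    raw_cracked, raw_work = crack_raw_sha1(raw_dump, WORDLIST)
    slow_cracked, slow_work = crack_slow(slow_dump, WORDLIST)
    return {
        "raw_cracked": raw_cracked, "raw_work": raw_work,
        "raw_duplicates": duplicate_hashes(raw_dump),
        "slow_cracked": slow_cracked, "slow_work": slow_work,
        "slow_duplicates": duplicate_hashes(slow_dump),
    }


if __name__ == "__main__":
    for k, v in compare().items():
        print(f"{k}: {v}")
```

Both schemes give up the same three weak passwords to this tiny wordlist; the difference is the bill. Raw SHA-1 costs six hashes for the whole dump and exposes that alice and carol chose the same password. The salted KDF costs 13 × 50,000 hash operations for four users, with no duplicate hashes to learn from, and that per-user, per-guess cost is what buys the time the article calls an insurance policy.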
  44. Tomi Engdahl says:

    Reuters:
    After report about 50+ breaches at the Federal Reserve from 2011 to 2015, Congressional committee asks for all breach-related documents since 2009 — A U.S. congressional committee has launched an investigation into the Federal Reserve’s cyber security practices after a Reuters report revealed …

    U.S. lawmakers probe Fed cyber breaches, cite ‘serious concerns’
    http://www.reuters.com/article/us-usa-fed-cyber-exclusive-idUSKCN0YP281

    A U.S. congressional committee has launched an investigation into the Federal Reserve’s cyber security practices after a Reuters report revealed more than 50 cyber breaches at the U.S. central bank between 2011 and 2015.

    The House Committee on Science, Space and Technology on Friday sent a letter to Federal Reserve Chair Janet Yellen to express “serious concerns” over the central bank’s ability to protect sensitive financial information.

    Reply
  45. Tomi Engdahl says:

    Two plead guilty to stealing personal information of millions
    Database theft generated $2m in illegal profits
    http://www.theregister.co.uk/2016/06/03/two_plead_guilty_personal_information_theft_millions/

    Two men have admitted to running a computer hacking and identity theft scheme which hijacked customer email accounts, stole personally identifiable information (PII) from millions of people, and generated more than $2m in illegal profits.

    In a press release the US Department of Justice named Tomasz Chmielarz, 33, of Rutherford, New Jersey, and Devin James McArthur, 28, of Ellicott City, Maryland as pleading guilty to a series of fraud-related activities in connection with computers and email.

    Livingston and Chmielarz allegedly used proxy servers and botnets to remain anonymous, hide the true origin of the spam, and evade anti-spam filters and other spam blocking techniques.

    Reply
  46. Tomi Engdahl says:

    On her microphone’s secret service: How spies, anyone can grab crypto keys from the air
    Boffins decode ‘coil whine’ while encryption code runs
    http://www.theregister.co.uk/2016/06/04/sidechannel_encryption_theft/

    Discerning secret crypto keys in computers and gadgets by spying on how they function isn’t new, although the techniques used are often considered impractical.

    A new paper demonstrates this surveillance can be pretty easy to pull off, even over the air from a few metres away.

    We all know that tiny fluctuations in electrical current during encryption routines, or even the sounds made by the system, can be picked up wirelessly to ascertain keys used – but it usually requires hooking up expensive analysis equipment and takes long periods of time to gather all the bits needed. The NSA’s TEMPEST program was set up to do just that.

    Now, in a paper published by the Association for Computing Machinery, researchers from Tel Aviv University have detailed how inexpensive kit can be used to harvest 4,096-bit encryption keys in just a few seconds and from distances of around 10 metres (33 feet).

    Physical Key Extraction Attacks on PCs
    http://m.cacm.acm.org/magazines/2016/6/202646-physical-key-extraction-attacks-on-pcs/fulltext

    Cryptography is ubiquitous. Secure websites and financial, personal communication, corporate, and national secrets all depend on cryptographic algorithms operating correctly. Builders of cryptographic systems have learned (often the hard way) to devise algorithms and protocols with sound theoretical analysis, write software that implements them correctly, and robustly integrate them with the surrounding applications. Consequentially, direct attacks against state-of-the-art cryptographic software are getting increasingly difficult.

    For attackers, ramming the gates of cryptography is not the only option. They can instead undermine the fortification by violating basic assumptions made by the cryptographic software

    Side channels on small devices. Many past works addressed leakage from small devices (such as smartcards, RFID tags, FPGAs, and simple embedded devices); for such devices, physical key extraction attacks have been demonstrated with devastating effectiveness and across multiple physical channels.

    The electromagnetic emanations from a device are likewise affected by the computation-correlated currents inside it.

    Note numerous side channels in PCs are known at the software level; timing [8], cache contention [6, 26, 27] and many other effects can be used to glean sensitive information across the boundaries between processes or even virtual machines. Here, we focus on physical attacks that do not require deployment of malicious software on the target PC.

    Our research thus focuses on two main questions: Can physical side-channel attacks be used to nonintrusively extract secret keys from PCs, despite their complexity and operating speed? And what is the cost of such attacks in time, equipment, expertise, and physical access?

    Reply
  47. Tomi Engdahl says:

    Stealing secret crypto-keys from PCs using leaked radio emissions
    AM radio + HTC EVO 4G smartphone = snooping rig
    http://www.theregister.co.uk/2015/06/20/tempest_radioshack/

    Your encryption keys can accidentally leak from your PC via radio waves, computer scientists have reminded us this week. This is a well-understood risk, but as these guys have demonstrated, it can be done cheaply with consumer-grade kit, rather than expensive lab equipment.

    Tel Aviv University researchers Daniel Genkin, Lev Pachmanov, Itamar Pipman and Eran Tromer have built on Genkin’s earlier work on capturing 4096-bit RSA keys using the sound emitted by a computer while it runs a decryption routine.

    The latest research involved extracting private decryption keys from GnuPG on laptops within seconds by measuring the electromagnetic emanations during the decryption of a chosen cipher text. The researchers used the Funcube Dongle Pro+, hooked up to a small Android embedded computer called the Rikomagic MK802 IV, to measure emissions between 1.6 and 1.75 MHz. It may even be possible to pull off the attack with a standard AM radio with the output audio recorded by a smartphone.

    “Any device close to a computer can pick up RF signals – put your phone close to the car radio and listen to it chatting,” Armstrong explained. “The key thing of this attack will the the required proximity. If they can do it at 10 metres in a different room, I would be impressed; if the device needs to be within 20cm, I am not.”

    http://www.funcubedongle.com/

    Reply
  48. Tomi Engdahl says:

    UK Home Office is creating mega database by stitching together ALL its gov records
    At least it consulted… The public? Parliament? No one? WHAT!
    http://www.theregister.co.uk/2016/06/03/home_office_mega_database/

    The UK Home Office is secretly creating a centralised database on the good folk of Britain without presenting the capability increases to the public or subjecting them to Parliamentary scrutiny.

    The Register can reveal the project, which was described as simply a “replatforming” of the department’s aging IT infrastructure, has already begun to roll out, with the “first wave” of changes being delivered in what it is calling the Technology Platforms for Tomorrow (TPT) programme.

    TPT will lay the foundations for this mega database by ushering in “core infrastructure, compute platforms and Live Service capability” changes, primarily using Hadoop, the open source software framework for centralising databases and allowing batch queries and analyses to be run across them in bulk.

    While this data on the population is currently stored in “siloed” and disparate databases, connecting it could make it possible to automatically follow individuals’ records across all of the Home Office’s many directorates

    Despite this increased capability to automate digital tracking of the population and the intention to run machine learning algorithms on the public’s information, there has been no presentation of these details to Parliament and there will be no additional scrutiny or oversight mechanisms applied to it.

    Reply
  49. Tomi Engdahl says:

    Air-gapping SCADA systems won’t help you, says man who knows
    Faizel Lahkani sounds bleak warning over future Stuxnet-style attacks
    http://www.theregister.co.uk/2016/06/03/airgaps_scada_systems_wont_prevent_attacks/

    Hoping to keep industrial control systems out of reach of hackers by keeping them air-gapped is a hopeless mission that’s bound for failure, according to the inventor of the technology.

    Isolating SCADA systems as a means of protection has been suggested by some as a defensive tactic after hackers briefly took out elements of the power grid in the Ukraine last December.

    Faizel Lakhani, a pioneer of SCADA technology, told El Reg that air-gapping such systems would be a quixotic endeavour, at best.

    “Most SCADA systems are theoretically air gapped but not really disconnected from the network,” Lakhani explained. “There are ways to get around isolation either because systems are not set up properly or because that’s a test link in there or someone bridged the Wi-Fi network, to name a few examples.”

    http://www.theregister.co.uk/2016/03/04/ukraine_blackenergy_confirmation/

    Reply
