Security trends for 2016

Here are my predictions for trends in information security and cyber security for year 2016.

2015 was a pretty bad year for information security, and I would say that the trend is worrying, so I expect that 2016 will bring many information security challenges. If you want to keep yourself up at night, spend some time reading about the latest developments in cybersecurity. In 2015 airplanes were hacked, cars were hacked, and vulnerabilities were found in a breathtaking range of sensitive equipment, from TSA locks to voting booths to medical devices. The big picture is even scarier: former NSA Director Mike McConnell suspects China has hacked “every major corporation” in the US. Those problems will continue in 2016, and new targets for attacks will be found. The system is broken. It isn’t keeping us, our companies, or our government safe. Worse yet, no one seems to know how to fix it.

Attacks through networks are becoming more common all the time, and it will be hard to protect against targeted attacks. Hackers will not only customize malware, but will increasingly use sophisticated phishing and social engineering tricks to gain access to sensitive data. Attackers usually cover their tracks carefully, and identifying who is behind an attack can be very difficult. Behind targeted attacks are usually professional criminals. Criminals do not respect geographical borders, and hence attacks are spread evenly everywhere. Companies will struggle to absorb the security threats of combined PC and mobile devices in 2016.

 


EU information security decisions made in late 2015 will have an impact on what comes in 2016: a new EU data protection legislation package was approved, and the EU Court of Justice ruled that the Safe Harbor procedure is invalid. This means that transfers of personal data from EU countries to the United States under Safe Harbor are now a violation of the law – you need some other legal basis for them. The situation will probably get clarified during 2016. Data protection legislation changes will lead to increased fines for the unprepared. Legal uncertainty and big fines are a toxic cocktail for some companies. The combination of stiff penalties and ambiguously worded provisions in the new EU-wide data-protection law, which would replace a patchwork of 28 national laws, raises daunting prospects for companies operating in Europe.

After the huge number of user information leaks in 2015 from all kinds of Internet services, cloud companies will face the challenge of regaining trust in their security. You might have just dared to trust “the right cloud services”, since from the traditional information security point of view the main things seemed to be in order, but the leaks have raised new privacy concerns.

New environments will bring new threats. New operating system versions mean that administrators and users are less familiar with the environments. IPv6 will get more widely used, and the security of IPv6 networks is different from IPv4. Organizations are moving to virtualized environments, which are complex and create network layers that can become an attack vector. Growing network virtualization functionality and programmability are both an opportunity and a threat to security. Cyber security research will be important in 2016, as 5G networks will be critical infrastructure on top of which, for example, transport, industry, health and the new operators will set up their business around 2020.

The huge amount of information security news is becoming harder and harder to manage in 2016. A key problem with security revelations, as with all other news coverage, is the exponential growth of knowledge. There are a variety of news summaries produced on a daily basis, but they are not enough to get a good picture of what is happening. There are bigger and smaller news items, the impact of which is at times very difficult to assess. SMBs will become a bigger target for cybercriminals. Network and security professionals continue to be among the toughest IT talent to find and hire.

The old way of network security, focused on perimeter defense, is not enough in 2016. The old mantras “encrypt everything” and “secure the perimeter” are not enough. One deceptive truth seems to drive much of the cybersecurity industry down a rabbit hole: if you keep bad actors and bad software out of your system, you have nothing to worry about. It does not work like that anymore. As perimeter security gets stronger, malicious actors are looking for easier entry points to compromise an organisation through the breadth of its digital attack surface. Now malicious actors target “endpoints”—any device or sensor connected to a network—to break into that network. Traditional sandboxing will no longer protect against the growing malware landscape. Today, most private networks have far too many endpoints to properly secure. In an age of “Bring Your Own Device”, the cloud, remote access, and the Internet of Things, there are too many vulnerabilities hackers can exploit. Keep in mind that everything connected to the Internet can, and will, be hacked. To address those threats in 2016, security experts should assume compromise – that hackers and malware already have breached their defenses, or soon will – and instead classify and mitigate threats. In addition to the public key infrastructure lock-and-key system you will also need an integrity solution that acts like an alarm. To protect against advanced threats, security professionals will increase their reliance on centralized security management solutions. You need to have prioritization and response plans for various kinds of breaches – with a strong focus on integrity.

The tension between law enforcement and Silicon Valley will continue to be strong throughout 2016. In 2015 law enforcement and politicians on both sides of the Atlantic lined up to repeatedly complain that the web was “going dark” as the result of end-to-end encryption and that this was hampering the investigation of terrorism and other serious crimes. Technologists and cryptographers argue that governments are trying to weaken encryption by demanding some form of privileged access for government. It’s not clear how much encryption the NSA can break. With renewed focus on how encrypted messages can be used to plot terrorist attacks, President Barack Obama’s administration is stepping up pressure on the tech sector to help in the battle. Privacy remains a major counter-argument. It seems that governments lie about encryption backdoors. Encryption systems weakened by mandated backdoors would not be effective in fighting the terrorists that governments invoke as their reason for wanting those backdoors in the first place.

But this does not stop some government officials from demanding such things, with varying success in different countries. Another fact is that the existence of coded communications is a reality, and the U.S. may not be able to do much about it because nearly everyone living in modern society uses it: encryption protects your bank information, prevents your password from being stolen when you log into a website, and allows all e-commerce transactions to take place securely. Encryption weakened by mandated backdoors would put all of us at an enormous risk of exposure from data breaches and associated online risks. The truth in 2016 is that any form of privileged access for government – i.e., a backdoor – would inevitably weaken crypto-systems and make them more vulnerable to attacks by foreign governments’ intelligence agencies as well as criminals. Juniper’s VPN security hole is proof that government backdoors are bonkers. Encryption backdoors would be a gleeful win-win for terrorists and a horrific lose-lose for you – the bad guys having strong protections for their data, and the rest of us not. A poorly thought-out and crude surveillance technique could have a devastating effect on a country’s internet security; for example, Kazakhstan will force its citizens to install internet backdoors by requiring all Internet users to install a state-issued root certificate by January 1, 2016.

Google, Mozilla and Microsoft are pushing for an early SHA-1 cutoff in 2016 instead of the earlier planned January 1st, 2017, due to recent research showing that SHA-1 is weaker than previously believed, because it has been cracked without enormous effort. Mozilla, Microsoft and now Google are all considering bringing the deadline forward by six months to July 1, 2016. SHA-2 is going to be used as the replacement for SHA-1. Websites like Facebook and those protected by CloudFlare have implemented a SHA-1 fallback mechanism for those systems that do not support SHA-2. Chrome will start displaying errors if SHA-1 certificates are employed in early 2016 and will completely stop supporting SHA-1 certificates by the end of 2016.

The use of blockchain technology, a permissionless distributed database based on the bitcoin protocol that runs across a global network of independent computers, will spread more widely than just Bitcoin virtual money. With bitcoin, the blockchain tracks the exchange of money. But it can also track the exchange of anything else that holds value, including stocks, bonds, and other financial securities. Overstock has already used the blockchain to issue private bonds. The Securities and Exchange Commission has approved a plan from online retailer Overstock.com to issue company stock via the Internet, signaling a significant shift in the way financial securities will be distributed and traded in the years to come. Overstock built its technology under the aegis of a subsidiary called TØ.com, and it plans to offer this “cryptosecurity” tech as a service to other businesses. Nasdaq OMX—the company behind the Nasdaq stock exchange—is using the blockchain to oversee the exchange of private stock. Also, several major companies from across both the technology and financial industries—including IBM, Intel, and Cisco as well as the London Stock Exchange Group and big-name banks JP Morgan, Wells Fargo, and State Street—have joined forces with the Linux Foundation to create an alternative to the blockchain.

The use of disk encryption will increase, and there are different ways to do it with different security levels. With Windows 10, Microsoft has introduced disk encryption where the recovery keys are uploaded to Microsoft. This approach has some advantages and disadvantages. The gold standard in disk encryption is end-to-end encryption, where only you can unlock your disk. This is what most companies use, and it seems to work well. It protects data in case your device is lost or stolen. But what if you forget or lose your key? There are certainly cases where it’s helpful to have a backup of your key or password – so keeping a backup of your recovery key in your Microsoft account could be genuinely useful for probably the majority of users that don’t have high security needs. The disadvantage of this approach is that your computer is now only as secure as that database of keys held by Microsoft, which means it may be vulnerable to hackers, foreign governments, and people who can extort Microsoft employees.


Weak and leaked passwords are still a huge security problem in 2016. Passwords are often the weakest part when it comes to securing users’ accounts, as many don’t use complex passwords or they reuse the same password across services. Two-factor authentication – like using a USB stick with a secret token or entering a code sent via text message to your phone – can help to increase security, but many users also find this to be a hassle, as it introduces an additional step to the login process.

Google has begun testing a login system that uses phone notifications for authentication instead of passwords: users authenticate by responding to a notification sent to their smartphone. The idea is similar to Yahoo’s recently launched “Account Key”, which also offers a password-free means of signing in, involving a push notification sent to your phone that then opens an app where you approve the log-in.

The smartphone will become a more and more security-critical part of your life. “Increasingly, individuals and organisations are adopting password managers and multi-factor authentication technologies to plug some of the holes in password-based authentication. We foresee a world where practically everyone uses their smartphone as a multi-factor authentication element. In this world, the smartphone becomes your most valuable asset: something that enables you to unlock your life online and a target for attackers seeking to access your services.”

Expect that the number of mobile vulnerabilities will only grow in 2016. In 2016 we will see increasing numbers of cyber criminals using mobile applications to spread malware. Mobile presents an easy target for cyber criminals, because it is an attack surface that is open and extremely difficult to defend once an app has been released. Android threats will become more than just headline-grabbers. Will 2016 be the year iOS malware goes mainstream?


Critical infrastructures will be highly targeted in 2015. SCADA and ICS networks were not designed for security. Attacks against these systems have increased in recent years, and I expect this trend to only get worse. There are still many companies that run their critical systems on Windows XP, as “there are some people who don’t have an option to change.” Many times the OS is running in automation and process control systems that run business- and mission-critical systems, both in private sector and government enterprises. For example, the US Navy is using the obsolete operating system Microsoft Windows XP to run critical tasks. It all comes down to money and resources, but if someone is obliged to keep something running on an obsolete system, it is completely the wrong approach to information security.

Cars were hacked at a record rate in 2015, and they will be hacked at least at the same rate in 2016. Modern cars feature more gadgetry and connected systems, and this will make vehicles just as vulnerable to today’s threats and attacks. I Am The Cavalry has published a five-star Cyber Safety Framework to mitigate this threat in cars; hopefully car component makers study it.

IoT and smart devices are still at risk. The Internet of Things will continue to emerge, and businesses will need to think about how to protect their smart devices and prepare for the wider adoption of IoT. IoT platforms are not yet the weapon of choice for commercial malware authors, but businesses should beware. Wearables won’t be safe either, as they are built using largely the same, too often vulnerable, technologies as other IoT systems. IoT security is still in its infancy in 2016.

Cyber criminals became more active in 2015, particularly with ransomware. The ransomware problem will continue to be big in 2016. Commercial malware authors will continue to invest heavily, and exploit kits will continue to dominate on the web. Ransomware today is big business. Ransomware takes control of a computer and holds it hostage until the victim pays, usually in the digital currency Bitcoin. As a remedy against ransomware I recommend ensuring that your IT support or service provider has the data backup and restore procedure operational, practiced and tested. You may need it in 2016 to get your data back without considering paying criminals. To date ransomware has hit Windows users hardest, although Android and MacOS users are now also facing similar extortion.

Ransomware will continue to dominate in 2016, and it is only a question of time before we see things beyond data being ransomed. We have already seen websites being held to ransom with DDoS. Intel’s McAfee Labs also noted a huge spike in ransomware in early 2015, and worries about ransomware in the IoT space—including medical devices. And Kaspersky predicts the “nightmare of ransomware” to continue and “spread to new frontiers” in 2016. The article Ransomware Is Coming to Medical Devices says that, according to a report released recently by Forrester Research, the number one cybersecurity prediction for 2016 is: “We’ll see ransomware for a medical device or wearable.” “It’s definitely feasible from a technical standpoint.” Networked medical devices save lives. Despite the hacking risk, it’s an informed trade-off. Medical device ransomware would be a modern form of highway robbery with lives at stake.

2,232 Comments

  1. Tomi Engdahl says:

    FBI is building a tattoo tracking AI to identify criminals
    Think before you ink.
    http://www.engadget.com/2016/06/02/fbi-tattoo-tracking-ai/

    AI-powered image recognition is all the rage these days, but it could have a sinister side too. Since 2014, the National Institute of Standards and Technology started working with the FBI to develop better automated tattoo recognition tech, according to a study by the Electronic Frontier Foundation. The idea here is to basically develop profiles of people based on their body art. The EFF says that because tattoos are a form of speech, “any attempt to identify, profile, sort or link people based on their ink raises significant First Amendment questions.”

    There are supposedly some serious ethical concerns at play here. For one, 15,000 images from inmates and folks who’ve been arrested were given to third parties to further test outside algorithms. Many of these tattoos apparently had personally identifying information

    You might be asking what the difference is here between the algorithm for identifying people is and the books of tattoo photos law enforcement has collected over the years. Well, the gist of it is that the algorithm could be used to automatically associate criminals with a specific tattoo or tattoo pattern as a member of a gang, regardless of context. It might not be 100 percent accurate, but it could connect people (correctly or incorrectly) based on body art.

    Unlike the results of a neural net counting calories in food or captioning a photo, if this algorithm gets something wrong it could have dire consequences for people. What’s more, tattoo removal is expensive.

    Reply
  2. Tomi Engdahl says:

    The least stressful job in the US? Information security analyst, duh
    That’s not a typo, we’ve checked and checked again
    http://www.theregister.co.uk/2016/06/02/least_stressful_job_is_infosec_analyst/

    Everyone knows that being an infosec analyst is a cushy job – but did you know quite how much? Because according to job website CareerCast, it is literally the least stressful job in the country.

    “The proliferation of sensitive content stored online, as well as the growing importance of cloud computing, is fueling the demand for more information security analysts. Job prospects and competitive pay make this new addition to the Jobs Rated report one of the best jobs for 2016,” CareerCast argues.

    Reply
  3. Tomi Engdahl says:

    Facebook Wants to Assure You It’s Not Listening to Your Conversations
    http://time.com/4355425/facebook-microphone-listening-eavesdrop/?xid=time_socialflow_twitter

    Facebook said it’s not using your microphone to eavesdrop

    Reply
  4. Tomi Engdahl says:

    Tor Developer Jacob Appelbaum Resigns Amid Sex Abuse Claims
    https://www.wired.com/2016/06/tor-developer-jacob-appelbaum-resigns-amid-sex-abuse-claims/?mbid=social_fb

    Jacob Appelbaum has courted controversy throughout his career as a privacy and transparency activist, picking fights with several of the world’s most powerful government agencies over surveillance and state secrecy. Now he’s at the center of an entirely different sort of controversy: accused of rampant sexual and emotional abuse.

    On Saturday, the privacy-focused non-profit Tor Project, where Appelbaum held a position as a developer and activist, released a statement explaining that Appelbaum had resigned from his position with the group as a result of a series of “serious, public allegations of sexual mistreatment”

    On Monday morning, Appelbaum responded to the accusations in a statement, calling them “a calculated and targeted attack [that] has been launched to spread vicious and spurious allegations against me.”

    Shepard says that Tor’s management had suspected Appelbaum of sexual misconduct for months.

    For years, Appelbaum has held near-rockstar status within the hacker community. In 2010 he keynoted the HOPE hacker conference, outing himself as a collaborator with WikiLeaks—its only publicly known American staffer

    Jacob Appelbaum · @ioerror
    http://www.twitlonger.com/show/n_1soorlp

    Reply
  5. Tomi Engdahl says:

    FBI wants access to Internet browser history without a warrant in terrorism and spy cases
    https://www.washingtonpost.com/world/national-security/fbi-wants-access-to-internet-browser-history-without-a-warrant-in-terrorism-and-spy-cases/2016/06/06/2d257328-2c0d-11e6-9de3-6e6e7a14000c_story.html

    The Obama administration is seeking to amend surveillance law to give the FBI explicit authority to access a person’s Internet browser history and other electronic data without a warrant in terrorism and spy cases.

    The administration made a similar effort six years ago but dropped it after concerns were raised by privacy advocates and the tech industry.

    FBI Director James B. Comey has characterized the legislation as a fix to “a typo” in the Electronic Communications Privacy Act

    But tech firms and privacy advocates say the bureau is seeking an expansion of surveillance powers that infringes on Americans’ privacy.

    An NSL can be issued by the special agent in charge of a bureau field office without a judge’s approval.

    Such records may include a person’s Internet protocol address and how much time a person spends on a given site. But they don’t include content, such as the text of an e-mail or Google search queries.

    Reply
  6. Tomi Engdahl says:

    DNS security can be improved with cookies, suggest IETF boffins
    For message authentication, not for tracking. Promise!
    http://www.theregister.co.uk/2016/06/07/dns_security_can_be_improved_with_cookies_ietf_boffins_suggest/

    A proposal raised late May at the Internet Engineering Task Force (IETF) suggests adding cookies to the DNS to help defend the critical system against denial-of-service exploits.

    The domain name system (DNS) is an old and fundamental piece of the Internet architecture, providing translation between human-readable addresses like theregister.co.uk and IP addresses.

    The DNS has also been exploited several times over the years as a traffic amplifier in DoS attacks. [amplification attacks]

    RFC 7873, authored by Donald Eastlake (Huawei*) and Mark Andrews (ISC*), puts forward the intriguing notion that a simple cookie deployment could help.

    They describe DNS Cookies as “a lightweight DNS transaction security mechanism” for clients and servers. While the idea offers only “limited protection”, the authors say they can help address denial-of-service, amplification, forgery, and cache poisoning attacks.

    The protection offered by the DNS cookie, the RFC says, comes from the fact that an attacker would have to guess the 64-bit pseudorandom value of the cookie.

    The client cookie would be calculated using the client’s IP address, the server IP address, and “a secret value known only to the client”.

    Reply
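    As an added example (not code from the article, The Register, or the RFC authors), here is a miniature Python model of the DNS Cookie mechanism described in the comment above: the EDNS0 COOKIE option encoding, client and server cookie derivation from the client IP, server IP and a secret, and the checks each side applies so that a spoofed source address gets only a small BADCOOKIE reply instead of an amplified answer. The hash construction and the "under attack" policy are this example's assumptions; RFC 7873 leaves both to the implementation.

```python
import hashlib
import hmac
import ipaddress
import struct
from collections import namedtuple

COOKIE_OPTION_CODE = 10  # EDNS0 OPT option code assigned to COOKIE by RFC 7873
RCODE_BADCOOKIE = 23     # extended RCODE defined by RFC 7873 (0 is NOERROR)


def _ip(ip: str) -> bytes:
    return ipaddress.ip_address(ip).packed  # 4 bytes for IPv4, 16 for IPv6


def client_cookie(client_ip: str, server_ip: str, client_secret: bytes) -> bytes:
    """8-byte client cookie over client IP, server IP and the client secret.
    RFC 7873 leaves the function open; truncated HMAC-SHA256 is our choice."""
    msg = _ip(client_ip) + _ip(server_ip)
    return hmac.new(client_secret, msg, hashlib.sha256).digest()[:8]


def server_cookie(client_ip: str, ccookie: bytes, server_secret: bytes) -> bytes:
    """8-byte server cookie: keyed hash over the client cookie and the client's
    source address (the 'simple' construction of RFC 7873 section 7.1)."""
    msg = ccookie + _ip(client_ip)
    return hmac.new(server_secret, msg, hashlib.sha256).digest()[:8]


def encode_cookie_option(ccookie: bytes, scookie: bytes = b"") -> bytes:
    """Wire form of the OPT option: OPTION-CODE, OPTION-LENGTH, cookies."""
    data = ccookie + scookie
    return struct.pack("!HH", COOKIE_OPTION_CODE, len(data)) + data


def decode_cookie_option(option: bytes):
    """(client cookie, server cookie) from an OPT option. Valid lengths per
    RFC 7873: 8 (client only) or 16..40 (client plus 8..32-byte server)."""
    if len(option) < 4:
        raise ValueError("FORMERR: truncated option")
    code, length = struct.unpack("!HH", option[:4])
    data = option[4:4 + length]
    if code != COOKIE_OPTION_CODE or len(data) != length:
        raise ValueError("FORMERR: not a well-formed COOKIE option")
    if length != 8 and not 16 <= length <= 40:
        raise ValueError("FORMERR: bad COOKIE option length %d" % length)
    return data[:8], data[8:]


# rcode 0 or BADCOOKIE; answer_query False means only a minimal reply goes out
ServerVerdict = namedtuple("ServerVerdict", "rcode answer_query scookie")


def server_handle(option: bytes, src_ip: str, server_secret: bytes,
                  under_attack: bool = False) -> ServerVerdict:
    """Server-side processing (RFC 7873 section 5.2). A correct server cookie
    shows the sender really receives traffic at src_ip; without one, a server
    being abused as an amplifier sends a tiny BADCOOKIE reply instead."""
    ccookie, scookie = decode_cookie_option(option)
    expected = server_cookie(src_ip, ccookie, server_secret)
    if hmac.compare_digest(scookie, expected):
        return ServerVerdict(0, True, expected)
    if under_attack:
        return ServerVerdict(RCODE_BADCOOKIE, False, expected)
    # Normal load: answer, and hand out a server cookie for the next query.
    return ServerVerdict(0, True, expected)


def client_accept_response(option: bytes, client_ip: str, server_ip: str,
                           client_secret: bytes):
    """Client-side check: a response whose echoed client cookie is wrong is an
    off-path forgery (the forger had to guess 64 bits) and is discarded.
    Returns the server cookie to cache for this server, or None."""
    ccookie, scookie = decode_cookie_option(option)
    mine = client_cookie(client_ip, server_ip, client_secret)
    return scookie if hmac.compare_digest(ccookie, mine) else None


def run_exchange() -> dict:
    """Constructed scenario: honest client, server, and a copied cookie option
    arriving from a different source address."""
    client_ip, server_ip, other_ip = "192.0.2.10", "198.51.100.53", "203.0.113.7"
    client_secret = b"client-secret-constructed-for-demo"
    server_secret = b"server-secret-constructed-for-demo"
    cc = client_cookie(client_ip, server_ip, client_secret)
    # 1. First contact: client cookie only; server answers and issues its cookie.
    first = server_handle(encode_cookie_option(cc), client_ip, server_secret)
    cached = client_accept_response(encode_cookie_option(cc, first.scookie),
                                    client_ip, server_ip, client_secret)
    # 2. A later query with both cookies is served even while under attack.
    second = server_handle(encode_cookie_option(cc, cached), client_ip,
                           server_secret, under_attack=True)
    # 3. Same option from another source address: BADCOOKIE, no amplification.
    spoofed = server_handle(encode_cookie_option(cc, cached), other_ip,
                            server_secret, under_attack=True)
    # 4. A response carrying a wrong client cookie is dropped by the client.
    forged = client_accept_response(encode_cookie_option(b"\0" * 8, b"\x11" * 8),
                                    client_ip, server_ip, client_secret)
    return {"first_rcode": first.rcode, "second_rcode": second.rcode,
            "spoofed_rcode": spoofed.rcode, "spoofed_answered": spoofed.answer_query,
            "forged_accepted": forged is not None}
```

    Running `run_exchange()` walks through first contact, a cookie-carrying follow-up, a query from a different source address, and a forged response; only the first two are answered in full.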
  7. Tomi Engdahl says:

    The Android operating system has received 21 updates that correct a total of 40 vulnerabilities. The most serious vulnerabilities are rated critical, says the Finnish Communications Regulatory Authority.

    Critical vulnerabilities in the Mediaserver and libwebm library for handling media files can allow malicious program code execution on the target system if a user opens a specially crafted MMS message or web page.

    Source: http://www.tivi.fi/Kaikki_uutiset/reikia-kuin-juustossa-androidista-loytyi-40-paikattavaa-aukkoa-6557580

    Reply
  8. Tomi Engdahl says:

    Ryan Gallagher / The Intercept:
    Snowden doc from 2010 shows UK’s MI5 reporting difficulties in making sense of the mass troves of surveillance data, warning of potential intelligence failure

    Facing Data Deluge, Secret U.K. Spying Report Warned of Intelligence Failure
    Ryan Gallagher
    https://theintercept.com/2016/06/07/mi5-gchq-digint-surveillance-data-deluge/

    A secret report warned that British spies may have put lives at risk because their surveillance systems were sweeping up more data than could be analyzed, leading them to miss clues to possible security threats.

    The concern was sent to top British government officials in an explosive classified document, which outlined methods being developed by the United Kingdom’s domestic intelligence agency to covertly monitor internet communications.

    The Security Service, also known as MI5, had become the “principal collector and exploiter” of digital communications within the U.K., the eight-page report noted, but the agency’s surveillance capabilities had “grown significantly over the last few years.”

    “Lack of staff and tools”

    DIGINT was established for counterterrorism purposes, and “more generally for wider national security purposes,” the report said

    97 percent of the calls, messages, and data the program had collected were found to have been “not viewed” by the authorities.

    “It now appears it has been ‘business as usual’ for the tax man to access mass internet data for years.”

    GCHQ focuses primarily on intercepting foreign communications that are “external” to the U.K. But in the process of doing so — by tapping into international cables that carry phone calls and internet traffic between countries — the agency vacuums up large quantities of data on British calls, emails, and web browsing habits, too.

    A GCHQ document dated from late 2010 indicated that MILKWHITE was storing data about people’s usage of smartphone chat apps like WhatsApp and Viber, instant messenger services such as Jabber, and social networking websites, including Facebook, MySpace, and LinkedIn.

    Reply
  9. Tomi Engdahl says:

    How proactive or reactive organizations need to be to protect against data breaches
    Whether branded vulnerabilities are helping or hurting organizations’ abilities to protect themselves against cyberattacks
    How security and development teams should work together to build secure code

    Source: https://webinar.darkreading.com/1951?keycode=DRWE02

    Reply
  10. Tomi Engdahl says:

    Security Teams: Trust the One You’re With
    http://www.securityweek.com/security-teams-trust-one-youre

    I’d like to discuss the theme of “Trust The One You’re With”.

    Trust is extremely important in the information security field. In fact, it’s so important, that the security community is more or less built around it. Most security professionals I know maintain a circle of trust, either formally or informally. A relationship built on trust over time can often achieve what more formal relationships seem to have great difficulty achieving. For example, information sharing happens informally through a network of trusted relationships more often than we might realize.

    It’s not just between peers and between different organizations that trust exists. Trust is also important between executives, management, and employees. In other words, the trust between those who run the security organization, and the analysts, incident responders, engineers, and others who do the work on a daily basis is also extremely important. Unfortunately, I’ve noticed over the course of my career that many people and organizations struggle with this “internal” trust. This can create an uncomfortable environment that stifles creativity, hampers productivity, decreases efficiency, and ultimately lowers the overall security posture of an organization.

    Live outside the comfort zone: Because the field of information security is so new, it’s not uncommon for someone who in a leadership position and has responsibility for a security program to come from outside of the field entirely.

    Don’t micromanage: Sometimes, when people feel overwhelmed, under informed, or vulnerable, they tend to react by digging in deeper. In other words, micromanagement sometimes arises out of a sense of feeling threatened, or at the very least, not knowing who or what to trust. Unfortunately, micromanagement generally doesn’t produce very good results.

    Seek first to understand, then to be understood: I’ve seen many situations over the years where a lack of understanding fueled by a lack of communication causes people to feel tense, pressured, or angry. This can sometimes result in an explosive reaction, or at the very least a reaction that can damage trust between team members.

    Avoid knee-jerk reactions: How many times have I heard the phrase: “But we have to do something!” in my life? More than a few times, I can tell you. Doing something is easy. Doing the right thing, or what needs to be done is much more difficult.

    If you can’t take the heat, get out of the kitchen: Incident response is a tough field. During a critical incident, the response can be tough, demanding, and heated. There may be chaos at times, or at the very least organized chaos. No matter how good your incident response plan is or how many times you’ve tested it, things can and will go wrong. It’s natural to feel a bit pressured and uneasy about things.

    Reply
  11. Tomi Engdahl says:

    The Most Important Security Question No One Seems to be Able to Answer
    http://www.securityweek.com/most-important-security-question-no-one-seems-be-able-answer

    Let me ask you a very simple question.

    “What is your organization’s sensitive data, and where is it?”

    You can’t shrug this two-part question off, although many security leaders have been doing just that for the last 10 years or more. While we can all agree that fundamentally security can’t succeed without knowing what we’re protecting, there are next to no good answers for how to do this. There is, however, no lack of excuses for why organizations don’t have these answers. So, let me talk this through.

    There should be no debate about the necessity of knowing the answer to these two critical questions on which all actual security is based. Come to think of it, it’s not just security. How does an organization conduct business without knowing what is critical and where that “something” is? Simple, it can’t. Are servers critical? Workstations? Badge readers? Filing cabinets? Or rather is it the things stored inside or the processes conducted by these things that matters?

    The answer varies from company to company, enterprise to enterprise, but one thing is certain– there are specific answers for your organization. Without those answers security has no choice but to treat every asset, from spreadsheet to paper file, as equally critical. This makes no sense

    This begs the question, why hasn’t anyone found a better way? The answer is unfortunately much the same for many of security’s biggest problems – it’s hard. It’s much simpler to address symptoms ad infinitum than it is to attempt a resolution at the root cause.

    Reply
  12. Tomi Engdahl says:

    Gaining OPSEC Resilience with Cyber Situational Awareness
    http://www.securityweek.com/gaining-opsec-resilience-cyber-situational-awareness

    Throughout history Operations Security (OPSEC) has been a key tactic used by commercial and military organizations to protect privacy and anonymity. When done well, it denies adversaries information they could use to do harm to an organization or individual. But criminals also use OPSEC as a means to an end – avoiding detection, maintaining availability of their attack infrastructure, and retaining access to environments they have compromised.

    Lapses in OPSEC can have significant implications for defenders and attackers alike. All too often organizations unknowingly expose confidential information that significantly increases risks. In some cases organizations leak details that are used to fuel social engineering attacks against their staff and, in other cases, sensitive documents are publicly exposed and put their brand at risk. Adversaries stand to lose from poor OPSEC as well. Dridex botnet operator Andrey Ghinkul associated his nickname – “Smilex” – with his real name, providing law enforcement a valuable clue in their investigation.

    Reply
  13. Tomi Engdahl says:

    A New Model for Cyber Risk Management: Observe, Orient, Decide, and Act
    http://www.securityweek.com/new-model-cyber-risk-management-observe-orient-decide-and-act

    To respond to mounting cyber-attacks, advanced persistent threats, and insider leaks, enterprises and government entities need reliable, real time visibility into their IT security posture. Unfortunately, it can take weeks or months to detect intrusions using traditional methods, during which time attackers can exploit vulnerabilities to compromise systems and extract data. To address these challenges, organizations are exploring the use of a military concept called the OODA (Observe, Orient, Decide, Act) Loop in their day-to-day cyber risk management operations.

    The OODA Loop was originally developed by Colonel John Boyd, one of the most decorated fighter pilots in U.S. Air Force history. The concept describes the process needed to win at war.

    So what are the four steps of the OODA Loop and how do they apply to today’s cyber risk management practices?

    Observe

    In order to understand what “Act” (a.k.a. remediation actions) is needed to minimize an organization’s cyber risk exposure, observation is the first step.
    For many enterprises, data overload has become the Achilles heel of day-to-day security operations. The OODA Loop concept calls for automated aggregation of data across different data types; mapping of assessment data to compliance requirements; and normalization for ruling out false-positives, duplicates, and to enrich data attributes.

    Orient

    Many organizations have primarily focused on their internal security posture when it comes to cyber risk management and therefore have a difficult time prioritizing their remediation actions based on business criticality.

    Decide

    In cyber war, decisions need to be made swiftly. The OODA Loop concept calls for applying advanced risk scoring and machine-learning technology to classify the severity level that individual threats pose to assets, applications, and business processes. This approach can be used to drill-down and visualize correlated data and application attack paths.

    Act

    Increasing collaboration between security and IT operations teams, with one being responsible for identifying security gaps and the other focused on remediating them, continues to be a challenge for many organizations. In this context, the OODA Loop concept calls for combining workflow, ticketing, and remediation capabilities, assigning detailed remediation steps for each vulnerability and automating real-time risk management.

    To implement the OODA Loop concept, progressive organizations are using cyber risk management software as an overlay to their existing security infrastructures.

    Reply
  14. Tomi Engdahl says:

    An Occam’s Razor for Security: Less is More
    http://www.securityweek.com/occams-razor-security-less-more

    The rapid growth of innovation in cybersecurity technologies has presented a nearly endless range of new security offerings to address vulnerabilities in our computing environment. But what happens if more is not better?

    In the data center and public cloud infrastructure world, the layering of technology at the perimeter—sometimes called defense in depth—has followed a progression from the perimeter firewall to IDS/IPS to APT technologies, just to name a few waves of innovation. While all are important building blocks in protecting the data center edge, an increasing amount of attacks come from the inside out, not the outside in. Human error, malware, and hackers have presented a growing recognition that more focus is needed on the inside of the data center.

    An Occam’s Razor for Security, Part 2
    http://www.securityweek.com/occam%E2%80%99s-razor-security-part-2

    I made the argument that simply adding more security technology into the heart of the data center (and public cloud) does not logically equate to a safer environment. I would actually posit the opposite: complexity, which adding additional infrastructure frequently causes, is one of the enemies of security.

    The network security industry especially symbolizes this situation. An entire generation of firewall technology has spawned an awkward sub-industry of rule management. Firewall infrastructures can spawn millions of rules in the largest enterprise deployments and require the security equivalent of federal tax preparers to slowly and painfully untangle rule/policy sprawl. If your security operations require that you live with an enormous lack of clarity and require “experts” to do simple tasks, maybe it’s time to think again.

    In security, extracting simplicity is more valuable than mastering complexity. With the evolution to cloud-centric architectures and distributed applications, however, security architectures that are built on top of network hierarchies—all networks need hierarchies or they will crash—run in contradistinction to the increasingly dynamic and distributed nature of modern computing.

    Physical or virtual chokepoints built for North-South traffic and additional “fabrics” all create crazy hairpin traffic-steering nightmares and architectures while simultaneously trying to deal with the increasing number of temporal software “components” such as Linux containers. This situation demands a rethinking of security and network architecture to deal with distributed computing.

    And there is one more thing, the increasing cyber threat inside of data center and cloud environments means that security controls must be placed closer to the data, not at the perimeter. We need to make the cyber attack kill chain longer and more difficult to traverse for bad actors. Having a weakly protected development workload on the same network segment as a high-value database is a potential nightmare waiting to happen.

    In the spirit of Occam’s Razor, it is important to understand the short list of actions that can reduce cyber incursions and the lateral spread of attacks: adaptive segmentation at the compute layer. Drawing tighter and tighter boundaries across applications or tiers of applications makes it more difficult for bad actors to operate and spread across data center environments—without the operational burden, traffic steering, and cost of chokepoint technologies.

    Taking this observation a step further, the defenses to guard dynamic computing need to be built deep into the heart of the data center itself. These defenses must include the following properties:

    Dynamically monitoring every server and application;
    Performing unobtrusively while adding little to no operational overhead;
    Minimizing propagation of attacks at the most granular layer;
    Quickly dealing with any violations of security policies; and
    Allowing the compute layer to participate in its own defense.

    If you have 10,000 compute instances—servers, VMs, containers—in your data center and cloud, you now can have 10,000 points of visibility and enforcement to counter the lateral spread of attacks. It’s like the old phrase about pets and cattle: when you had 10 servers, you treated them like pets—at any given time, you knew what they were, what they did, and if something tampered with them. Simple, right? When you have 10,000 servers, you treat them like cattle, constantly shuttling the traffic among them through central gates (choke points). If one cow starts to call out, you do not notice in the herd.

    Reply
  15. Tomi Engdahl says:

    SQL Injection Flaws Found in European Union Websites
    http://www.securityweek.com/sql-injection-flaws-found-european-union-websites

    Researchers have discovered several SQL injection vulnerabilities in the websites of the European Parliament and the European Commission — both hosted on the official domain of the European Union (europa.eu).

    The flaws were identified by experts from Government Laboratory, a project of Germany-based security firm Vulnerability Lab that focuses on finding zero-day vulnerabilities in government web applications and network services.

    The security holes, discovered by Vulnerability Lab CEO Benjamin Kunz Mejri and researcher Marco Onorati, were reported to CERT-EU in May and they were plugged within 1-2 weeks.

    “We reported the bugs by the responsible disclosure program and got acknowledged for the critical vulnerabilities in a fair way by the CERT-EU team,” Kunz Mejri, who was listed in CERT-EU’s Hall of Fame, told SecurityWeek.

    The SQL injection flaws were found in various sections of the European Commission’s website,

    According to the researchers, the flaws could have been exploited by remote, unauthenticated attackers to gain access to European Commission and European Parliament databases containing potentially sensitive user data.

    Reply
  16. Tomi Engdahl says:

    Serious Flaw Found in Popular D-Link Wi-Fi Camera
    http://www.securityweek.com/serious-flaw-found-popular-d-link-wi-fi-camera

    An unpatched vulnerability in a popular Wi-Fi camera from D-Link allows hackers to reset the device’s password and gain remote access to its video feed.

    The flaw, discovered by researchers at IoT security startup Senrio as part of their analysis into consumer and enterprise device vulnerabilities, affects D-Link’s DCS-930L Wi-Fi cameras, which are designed for home video monitoring.

    The security hole is a stack overflow in a service designed to process remote commands. While experts have only conducted a successful attack on DCS-930L cameras, they believe the flaw could affect other D-Link products that use the same vulnerable component.

    Reply
  17. Tomi Engdahl says:

    Singapore Blocking Internet Access on Government Computers
    http://www.securityweek.com/singapore-blocking-internet-access-government-computers

    Singapore confirmed Wednesday it would cut off Internet access for government work stations within a year for security reasons, a surprise move in one of the world’s most wired countries.

    The decision will not disrupt government operations, the Infocomm Development Authority (IDA) said after local daily The Straits Times reported that some 100,000 computers would be affected.

    “We have started to separate Internet access from the work stations of a selected group of public service officers, and will do so for the rest of the public service officers progressively over a one-year period,” the IDA said in a written reply to AFP queries.

    Industry sources said the measure was aimed at preventing cyber attacks as well as the spread of malware that might enter the government email network through Internet-enabled work stations.

    Singapore is one of the world’s most Internet-savvy societies, offering broadband speeds envied by many.

    Reply
  18. Tomi Engdahl says:

    Critical Vulnerabilities Patched With Release of Firefox 47
    http://www.securityweek.com/critical-vulnerabilities-patched-release-firefox-47

    Mozilla addressed more than a dozen vulnerabilities in the Firefox web browser with the release of version 47 on Tuesday, including issues rated as having critical impact.

    The critical vulnerabilities are described in two advisories and they have been assigned three CVE identifiers. One of the flaws, tracked as CVE-2016-2819, is a heap buffer overflow triggered when parsing HTML5 fragments. The security hole, reported by a researcher with the moniker “firehack,” can lead to a potentially exploitable crash when inserting an HTML fragment into a document.

    Reply
  19. Tomi Engdahl says:

    Record Number of 100+ Gbps DDoS Attacks Hit in Q1 2016: Akamai
    http://www.securityweek.com/record-number-100-gbps-ddos-attacks-hit-q1-2016-akamai

    Dominated by an overall increase in the number of distributed denial of service (DDoS) attacks, the first quarter of the year also saw a record number of attacks (19) larger than 100 Gbps, a recent report from Akamai reveals.

    According to the company’s State of the Internet – Security Report, there was a 125.36% increase in total DDoS attacks and a 142.14% increase in infrastructure layer (layers 3 & 4) attacks in Q1 2016 compared to the same period of last year. The average attack duration, however, showed a 34.98% decrease, from 24.82 hours to 16.14 hours, the report reveals.

    The most important change, however, is a 137.5% increase in 100+ Gbps attacks year-over-year to a record 19 attacks, a number that also marks a 280% increase over the fourth quarter of 2015. On quarter, the total number of DDoS attacks went up 22.47%, infrastructure layer incidents grew 23.17%, while the average attack duration went up 7.96% (16.14 vs. 14.95 hours).

    The use of stresser/booter-based botnets also increased in Q1

    https://www.akamai.com/us/en/our-thinking/state-of-the-internet-report/global-state-of-the-internet-security-ddos-attack-reports.jsp

    Reply
  20. Tomi Engdahl says:

    Cyber Espionage Report: APT at RUAG
    http://www.securityweek.com/cyber-espionage-report-apt-ruag

    During a meeting last week in Belgium with Koen Van Impe, a security analyst with federal cyber emergency team, CERT.be, he recommended I look at a report involving a cyber espionage case involving the firm RUAG. “From a tech point-of-view… the persistence (and patience) of the attacker to get and maintain access and do lateral movement is an interesting read,” said Van Impe.

    Two years ago, CERT.be security analysts discovered an Advanced Persistent Threat (APT) at RUAG rm, a Swiss government-owned defense technology company. For over a year, the analysts detected and cracked the layers of software, encryption, and reconnaissance techniques used by the attackers.

    Once the cat was out of the bag, the Federal Council of the Swiss Confederation released a detailed analysis of the cyber espionage at RUAG. The report makes for informative and, dare I say, exciting reading. The report’s prescription for recommended security practices and countermeasures is as good as any I’ve seen. I’ll touch on a few of their key recommendations in a bit.

    The attackers were using variants of the Turla malware family. Specific malware elements came from the Carbon, Snake, and Tavdig (also called Epic) malware projects.

    The attackers moved laterally throughout the RUAG network via credentials collected from a cornucopia of tools that included mimikatz and ShareEnum.exe. Ultimately they created a three-tier malware node architecture. A small, selected group of nodes near the firewall were designated as the communication proxies and did little more than pass information and workload tasks into the network and results back out. These proxies help the other nodes evade the detection that would occur if they had to signal out to external command-and-control servers individually.

    In total, the APT threat actor exfiltrated 23Gb of data (including signaling) over the nearly two-year period they were tracked.

    Recommendations and Countermeasures for APT

    The report delivers five pages of security posture recommendations and countermeasures against APTs, divided into categories. Readers are encouraged to view the original report for the full list, but here’s a sample of them:

    • Network Level: All Internet access must pass through a proxy that logs all headers and cookies for every single outbound connection.

    • System Level: Consider using Microsoft AppLocker, which allows an administrator to lock down binaries and paths based on group policy. Linux has a similar technology: SELinux profiles.

    • Microsoft Active Directory: Discourage the use of LM/NTLM hashes (of course). But also, Microsoft Premiere customers should do regular AD RAPs.

    • DNS Level: Don’t let clients resolve their own addresses; force them to go through the organization’s proxy. Use Response Policy Zones (RPZ) and PassiveDNS wherever appropriate.

    • Instrumentation: Log information for the long term (2+ years). Don’t just accept default log settings, and log user-agent.

    I highly recommend a lunchtime reading of the report,

    Technical Report about the RUAG espionage case
    https://www.govcert.admin.ch/blog/22/technical-report-about-the-ruag-espionage-case

    Reply
  21. Tomi Engdahl says:

    Going Deeper on Behavioral Detection
    http://www.securityweek.com/going-deeper-behavioral-detection

    As attackers have become better at evading traditional signatures and malware sandboxes, security teams are increasingly turning to behavior-based detection models to find the signs of an active cyber attack. This behavioral approach to finding threats comes with a lot of advantages. Behavioral detection models can focus in on what the attacker actually does, instead of relying on a set of signatures or known indicators of compromise that often lag behind attackers.

    For example, while the perimeter IPS may have missed a drive-by-download, behavioral analytics could recognize that the victim end-user is starting to behave very strangely – perhaps trying to access abnormal resources or download an abnormal amount of files. This is actually exactly the sort of thing that the original intrusion detection systems were designed to do back in the 1980s.

    However, we’d also be remiss if we didn’t remember why behavioral approaches to IDS fell out of favor in the first place. More often than not, analytics based on user behavior will identify anomalies as opposed to threats. Joe in accounting is downloading more data than he normally does, but is that a sign of an attack, or does Joe simply need to access a lot of data for a report he is working on?

    This sort of user behavior modeling can let us know when something doesn’t seem normal, but it is often inconclusive and requires an analyst to go investigate. The shortage of time and talent in real-world security teams typically means that these sorts of anomaly-based detections become noise that ends up being ignored.

    While detections based on end-user behaviors are extremely important, we need to complement them with better detections for attacker behaviors as well.

    If you know what to look for, malicious tools and techniques have distinguishing behaviors that can be identified. For example, attackers will often rely on custom tunneling tools to control their attack. These tools are customized to bypass signatures and intelligence feeds. However, these tools also share a characteristic set of fundamental behaviors.
    The point here isn’t to say one approach is better than another, but rather to show that there is an important middle step between traditional signatures and anomaly detection. Behavior-based detection models can see the things that simple signatures miss, and can provide more clarity than only looking at anomalies.

    Reply
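Added example, not from the post above or the SecurityWeek articles quoted in comments 20 and 21: a Python pass over constructed proxy log lines that contrasts the user-anomaly view (Joe downloading more than usual, which only tells an analyst to go look) with two attacker-behaviour checks. The beacon heuristic (regular, low-jitter connections from one client to one destination) and the rare user-agent check (possible only because the proxy logs user-agents, as the RUAG report recommends) are assumed characteristics, not ones the articles spell out; log format, hosts, users and thresholds are all constructed.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines (assumed format, not real traffic). Fields:
# timestamp client user destination bytes_in user_agent
# The user-agent may contain spaces, so it is always the last field.
SAMPLE_LOG = """\
2016-06-08T09:00:00 10.1.1.5 joe files.corp.example 4000000 Mozilla/5.0 (Windows NT 6.1)
2016-06-08T09:07:00 10.1.1.5 joe files.corp.example 3500000 Mozilla/5.0 (Windows NT 6.1)
2016-06-08T09:20:00 10.1.1.5 joe reports.corp.example 2500000 Mozilla/5.0 (Windows NT 6.1)
2016-06-08T09:00:10 10.1.1.6 ann news.example 120000 Mozilla/5.0 (Windows NT 6.1)
2016-06-08T09:03:45 10.1.1.6 ann news.example 90000 Mozilla/5.0 (Windows NT 6.1)
2016-06-08T09:11:02 10.1.1.6 ann news.example 150000 Mozilla/5.0 (Windows NT 6.1)
2016-06-08T09:31:30 10.1.1.6 ann news.example 80000 Mozilla/5.0 (Windows NT 6.1)
2016-06-08T09:52:17 10.1.1.6 ann news.example 110000 Mozilla/5.0 (Windows NT 6.1)
2016-06-08T09:00:00 10.1.1.7 bob cdn-sync.example 512 Updater/1.0
2016-06-08T09:01:00 10.1.1.7 bob cdn-sync.example 512 Updater/1.0
2016-06-08T09:02:01 10.1.1.7 bob cdn-sync.example 512 Updater/1.0
2016-06-08T09:03:00 10.1.1.7 bob cdn-sync.example 512 Updater/1.0
2016-06-08T09:04:01 10.1.1.7 bob cdn-sync.example 512 Updater/1.0
2016-06-08T09:05:00 10.1.1.7 bob cdn-sync.example 512 Updater/1.0
"""

# Constructed per-user baseline: bytes a user typically downloads in a morning.
USER_BASELINE = {"joe": 2_000_000, "ann": 1_500_000, "bob": 1_800_000}


def parse_log(text):
    """Turn the constructed log text into a list of record dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, user, dest, bytes_in, ua = line.split(None, 5)
        records.append({
            "ts": datetime.fromisoformat(ts),
            "client": client,
            "user": user,
            "dest": dest,
            "bytes_in": int(bytes_in),
            "ua": ua,
        })
    return records


def user_volume_anomalies(records, baseline, factor=3.0):
    """User-behaviour view: users who downloaded more than factor x their baseline.

    This is the 'Joe in accounting' signal: an anomaly, not a verdict, so the
    caller should treat hits as analyst work items. Users with no baseline are
    always flagged (baseline 0), which is deliberate: an unknown user is itself
    worth a look.
    """
    totals = defaultdict(int)
    for r in records:
        totals[r["user"]] += r["bytes_in"]
    return {u: t for u, t in totals.items() if t > factor * baseline.get(u, 0)}


def beacon_candidates(records, min_count=5, max_cv=0.1):
    """Attacker-behaviour view: (client, destination) pairs contacted at a
    near-constant interval (coefficient of variation of the gaps <= max_cv).

    Assumption: hand-rolled tunnelling/C2 tools tend to poll on a timer, while
    a person reading a site does not. Returns {pair: mean gap in seconds}.
    """
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["client"], r["dest"])].append(r["ts"])
    hits = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_count:
            continue  # too few connections to say anything about regularity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            hits[pair] = round(avg, 1)
    return hits


def rare_user_agents(records, max_clients=1):
    """User-agents seen from at most max_clients distinct clients.

    Only possible because the proxy records the user-agent header; a one-off
    agent string on a fleet of identical desktops is a cheap triage lead.
    """
    clients_per_ua = defaultdict(set)
    for r in records:
        clients_per_ua[r["ua"]].add(r["client"])
    return {ua for ua, clients in clients_per_ua.items() if len(clients) <= max_clients}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("volume anomalies (inconclusive, needs an analyst):",
          user_volume_anomalies(recs, USER_BASELINE))
    print("beacon candidates (attacker behaviour):", beacon_candidates(recs))
    print("user-agents seen from a single client:", rare_user_agents(recs))
```

On the constructed input Joe is flagged only as a volume anomaly, while the 10.1.1.7 host shows up on both behaviour checks, which is the "middle step" the article argues for: a finding that stands on its own rather than noise to be ignored.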
  22. Tomi Engdahl says:

    When Multi-Factor Authentication Fails
    http://www.securityweek.com/when-multi-factor-authentication-fails

    Recently, we’ve seen evidence of the increase in insider threats related to outsiders obtaining and abusing insider credentials. Like others, I’ve pointed to multi-factor authentication (MFA) as a means to mitigate the risk posed by this attack method. But, it’s worth considering – what are the limitations of MFA in reducing the risk of outsiders abusing insider credentials?

    To be fair, has any security control ever proven to be 100 percent effective? Even networks with an air gap to the Internet are vulnerable to malware on a USB memory stick given to an employee.

    Similarly, while MFA will present a harder target for password pirates, what possibilities exist in a “what could go wrong analysis?” What risks remain that should at least be considered for further mitigation?

    What can be done to combat the limitations of MFA?

    Each of these examples (and more are sure to arise) can be mitigated with different approaches. Since most relate to people behaving in an insecure manner, education is one obvious method for mitigation. Given that there are at least three factors possible in MFA, adding more complex access controls is another approach, but, the inconvenience for users has to be considered in this case.

    What should also be considered is that eventually a determined attacker will find a way to compromise credentials. Therefore, we must not only control access, but monitor what users are doing with their access, looking for abnormal patterns that would indicate an attack in progress. This concept of merging user behavior analytics and security analytics with identity analytics is in its infancy, but provides the possibility of preventing or limiting damage from compromised credentials.

    Reply
  23. Tomi Engdahl says:

    Opinion by Preston Gralla
    How Windows 10 became malware
    http://www.computerworld.com/article/3080102/operating-systems/how-windows-10-became-malware.html?token=%23tk.CTWNLE_nlt_computerworld_security_2016-06-08&idg_eid=051598d6597df87056c54033166b3242&utm_source=Sailthru&utm_medium=email&utm_campaign=Computerworld%20Security%202016-06-08&utm_term=computerworld_security#tk.cw_nlt_computerworld_security_issues_2016-06-08

    Any software — even a premier operating system — that gets onto computers through stealth means has crossed over to the dark side

    “Windows 10 just hijacked my computer,” she complained. “Without asking, Microsoft upgraded me from Windows 7, even though I didn’t want Windows 10, and I had to wait for the installation to finish before I could get any work done.”

    I asked her whether she had accidentally clicked “OK” on any upgrade notifications, ignored any warnings that she had received or gotten any other notices about the upgrade. No on all counts, she answered before leaving to wrestle with her new operating system.

    Turns out, she was right. And I wasn’t the only tech writer whose spouse had this experience

    All this made me wonder: If software from any other company behaved the way the Windows 10 upgrade does, would it be considered malware?

    Last year Microsoft installed its Get Windows 10 app on millions of Windows 7 and Windows 8.1 PCs. It alerted people that they could “reserve” the free upgrade if they wanted. When the app popped up on people’s PCs, they could close its window and block any action it might take in the time-honored way of clicking on the X in the upper right of the dialog box.

    Since then Microsoft has gotten increasingly aggressive in getting people to upgrade to Windows 10. It began stealthily downloading the bits required for the upgrade to PCs automatically without telling people. And then this spring Microsoft sprung a trap. When the upgrade app appeared, if someone clicked the X in its dialog box in order to close it and cancel an upgrade, Windows did the exact opposite of what the person intended to do: It upgraded that person’s PC to Windows 10. Microsoft did that even though the app always behaved in the opposite way before then, which is pretty much the way any legitimate app behaves — closing a dialog box and canceling any actions.

    When Microsoft made that change, it violated its own recommended design guidelines, notes Computerworld’s Gregg Keizer.

    The company writes on a website devoted to design guidelines, “The Close button on the title bar should have the same effect as the Cancel or Close button within the dialog box. Never give it the same effect as OK.”

    In this case, that’s exactly what clicking X did: gave it the same effect as OK.

    So is the Windows 10 upgrade malware? One place to look for clues is in Microsoft’s document, “How to prevent and remove viruses and other malware.” That document warns, “Never click ‘Agree’ or ‘OK’ to close a window that you suspect might be spyware. Instead, click the red ‘x’ in the corner of the window or press Alt + F4 on your keyboard to close a window.” And it defines spyware, in part, this way: “Spyware can install on your computer without your knowledge. These programs can change your computer’s configuration or collect advertising data and personal information.”

    So let’s see: The Windows 10 upgrade downloads its bits to your PC without your knowledge. It changes your computer’s configuration. By default, Windows 10 collects advertising data and personal information. And if you try to stop the upgrade by doing what Microsoft tells you to do with every other application — click the X on its dialog box — it installs anyway.

    Sounds like malware to me, malware that forces a Windows 10 upgrade.

    Reply
  24. Tomi Engdahl says:

    Researchers built devious, undetectable hardware-level backdoor in computer chips
    http://www.computerworld.com/article/3079417/security/researchers-built-devious-undetectable-hardware-level-backdoor-in-computer-chips.html?token=%23tk.CTWNLE_nlt_computerworld_security_2016-06-08&idg_eid=051598d6597df87056c54033166b3242&utm_source=Sailthru&utm_medium=email&utm_campaign=Computerworld%20Security%202016-06-08&utm_term=computerworld_security#tk.cw_nlt_computerworld_security_issues_2016-06-08

    University of Michigan researchers developed an “invisible” backdoor built into computer chip hardware which would be nearly impossible to detect.

    Oh goody, just what we need, more devious and undetectable surveillance in the form of an “invisible” backdoor built into computer chip hardware. I’m completely creeped out after reading “A2: Analog Malicious Hardware” (pdf), which won as “best paper” at the 37th IEEE Symposium on Security and Privacy.

    This is not a hidden backdoor in software, but a malicious modification, a backdoor added to hardware, to a microchip. Tainted supply chains have long been a concern

    Once triggered, after the capacitors store up enough electricity to be fully charged, it would “flip-flop,” or be switched on, to give an attacker complete access to whatever system or device that contains the backdoored chip – be that a PC in a corporation, a personal laptop, a smartphone or an IoT device.

    “Once the trigger circuit is activated, payload circuits activate hidden state machines or overwrite digital values directly to cause failure or assist system-level attacks.”

    “Experimental results show that our attacks work”

    If you think it would be detected by testing, then think again; the researchers said that “attackers can craft attack triggers requiring a sequence of unlikely events, which will never be encountered by even the most diligent tester.”

    “By publishing this paper we can say it’s a real, imminent threat. Now we need to find a defense.”

    Although Google’s Zunger suggested “state-level actors” would be most interested in the “demonically clever,” undetectable hardware-level backdoor, he added, “I don’t know if I want to guess how many three-letter agencies have already had the same idea, or what fraction of chips in the wild already have such a backdoor in them.”

    A2: Analog Malicious Hardware
    http://ieee-security.org/TC/SP2016/papers/0824a018.pdf

    While the move to smaller transistors has been a boon for performance it has dramatically increased the cost to fabricate chips using those smaller transistors. This forces the vast majority of chip design companies to trust a third party—often overseas—to fabricate their design. To guard against shipping chips with errors (intentional or otherwise) chip design companies rely on post-fabrication testing. Unfortunately, this type of testing leaves the door open to malicious modifications since attackers can craft attack triggers requiring a sequence of unlikely events, which will never be encountered by even the most diligent tester.

    In this paper, we show how a fabrication-time attacker can leverage analog circuits to create a hardware attack that is small (i.e., requires as little as one gate) and stealthy (i.e., requires an unlikely trigger sequence before effecting a chip’s functionality).

    Reply
  25. Tomi Engdahl says:

    Review: New tools to fight insider threats
    http://www.computerworld.com/article/3075387/security/review-new-tools-to-fight-insider-threats.html

    In the 1979 film When a Stranger Calls, the horror is provided when police tell a young babysitter that the harassing phone calls she has been receiving are coming from inside the house. It was terrifying for viewers because the intruder had already gotten inside, and was presumably free to wreak whatever havoc he wanted, unimpeded by locked doors or other perimeter defenses. In 2016, that same level of fear is being rightfully felt towards a similar danger in cybersecurity: The insider threat.

    An entire industry has sprung up to provide a defense against insider threats.

    Reply
  26. Tomi Engdahl says:

    Robert McMillan / Wall Street Journal:
    Twitter notifies users of threat after millions of usernames and passwords appear online, says credentials were not stolen from Twitter computers — Social media service notifies users of threat after database with usernames, passwords leaked — Twitter Inc. has notified millions of users …

    Twitter: Passwords Leaked for Millions of Accounts
    Social media service notifies users of threat after database with usernames, passwords leaked
    http://www.wsj.com/article_email/twitter-millions-of-accounts-at-risk-of-breach-1465510623-lMyQjAxMTA2MzA1OTAwMjk5Wj

    Twitter Inc. has notified millions of users that their accounts are at risk of being taken over after a database containing nearly 33 million purported usernames and passwords for the social-blogging service was made public Wednesday.

    The database is the latest in a string of leaks in the past month affecting users of LinkedIn Corp., Myspace and several Russian-language sites. The website that published the Twitter passwords, LeakedSource, says it has more than 1.8 billion records in its database. LeakedSource sells access to these records for a fee.

    company is “quite confident” that the records weren’t stolen from Twitter’s computers.
    There is “no indication that we have been compromised,”

    LeakedSource said it has “very strong evidence that Twitter wasn’t hacked, rather the consumer was.”
    capturing information from previously hacked computers.

    Mr. Holden said hackers likely are using the leaked information to prod other accounts—banking or air-mile accounts for example—to see if they can find places where the passwords in the databases have been reused

    Reply
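Added example, not from the post above or the WSJ article it quotes: the defender-side step behind a notification like Twitter's. A site that stores only salted password hashes can still find out which of its users reused a leaked password by re-hashing each leaked plaintext with that user's own salt and comparing. The leak lines, local accounts and PBKDF2 parameters are constructed assumptions.

```python
import hashlib
import hmac
import os

# Constructed leak lines in the usual "email:password" dump shape; none of
# these are real credentials.
LEAK_DUMP = """\
joe@corp.example:Summer2016
ann@corp.example:correct horse battery staple
stranger@elsewhere.example:hunter2
"""

# Constructed local accounts. Plaintext appears here only to build the demo
# store; a real user store holds salt and hash, never the password.
LOCAL_USERS = [
    ("joe@corp.example", "Summer2016"),              # reused the leaked password
    ("ann@corp.example", "a-different-passphrase"),  # in the leak, but no reuse
    ("bob@corp.example", "Winter2015"),              # not in the leak at all
]

PBKDF2_ITERATIONS = 100_000  # assumed work factor


def hash_password(password, salt, iterations=PBKDF2_ITERATIONS):
    """Salted PBKDF2-HMAC-SHA256, the same function the site uses at login."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_user_store(users):
    """Build {email: (salt, hash)} from the constructed plaintext accounts."""
    store = {}
    for email, password in users:
        salt = os.urandom(16)  # per-user salt, so leaked hashes cannot be cross-matched
        store[email.lower()] = (salt, hash_password(password, salt))
    return store


def parse_leak(text):
    """Split dump lines into (email, password). Passwords may contain ':'."""
    pairs = []
    for line in text.splitlines():
        if ":" not in line:
            continue  # skip malformed lines rather than guessing at them
        email, password = line.split(":", 1)
        pairs.append((email.strip().lower(), password))
    return pairs


def accounts_at_risk(store, leak):
    """Emails whose *current* local password equals the leaked one.

    Cost is one PBKDF2 computation per leaked entry that matches a local
    address, so on a multi-million-line dump this is a batch job, not a
    request-time check.
    """
    at_risk = set()
    for email, leaked_password in leak:
        record = store.get(email)
        if record is None:
            continue  # leaked address is not one of our users
        salt, stored_hash = record
        candidate = hash_password(leaked_password, salt)
        if hmac.compare_digest(candidate, stored_hash):
            at_risk.add(email)
    return at_risk


if __name__ == "__main__":
    store = make_user_store(LOCAL_USERS)
    flagged = accounts_at_risk(store, parse_leak(LEAK_DUMP))
    for email in sorted(flagged):
        print(f"force password reset and notify: {email}")
```

Ann appears in the dump but is not flagged, which matches LeakedSource's point that the leaked site need not be the breached one: only accounts where the leaked password still works locally are at risk.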
  27. Tomi Engdahl says:

    Zack Whittaker / ZDNet:
    A look at rival hackers Tessa88 and Peace who claim to have millions of hacked credentials not yet put up for sale, from Facebook, Instagram, and more — Three major social networks have quietly fallen victim to data breaches, but despite some high-profile success, patience and trust is now beginning to fade.

    More “mega breaches” to come, as rival hackers vie for sales
    http://www.zdnet.com/article/more-mega-breaches-to-come-as-rival-hackers-vie-for-sales/

    Three major social networks have quietly fallen victim to data breaches, but despite some high-profile success, patience and trust is now beginning to fade.

    Four weeks. Three hacks. Two rival sellers of almost one billion accounts — with more to come.

    How did we get here? For Silicon Valley, the outbreak of recent confirmed data breaches served up a brutal reminder: security really matters. The hacks took over like a fever, fueled by the reasonable expectation — given the hackers’ apparently high level of access — that more breaches would emerge.

    MySpace, LinkedIn, and Tumblr were all crucified for their failure to keep their users’ data secure. The companies said their Hail Mary’s and ate their humble pie, and promised to do better.

    Other companies didn’t fare so well.

    Dating site Badoo, which last month denied it had been hacked after tens of millions of accounts were being traded on a dark web marketplace

    social networking site VK.com initially denied in an email that it was hacked, but admitted later

    But after riding the wave of this year’s “mega breaches,” things began to unravel.

    Was this the inflection point? Was “peak hack” over? Or have we saturated the market with so many usernames and passwords that reuse and repackaging existing hacks was almost inevitable?

    It was easy to assume Dropbox had been hacked, but proving it would be difficult. It’s a hacker’s word against a company’s — and in most cases, the latter has more to lose.

    “Tessa88” claimed to have 103 million stolen accounts, according to an early March listing on a hacker’s forum
    It transpired to be rehashed data from Tumbl

    Teamviewer, too, was caught up in the hype of the “mega breach” series, which led some to believe the screen-sharing app had been hacked. Though no breach data had appeared online, many claimed their accounts had nonetheless been compromised.

    “Are these serious incidents possibly conditioning us to automatically assume the worst? ”

    Here’s the spoiler alert: A company doesn’t necessarily have to have its systems breached to fall victim to a “hack” — at least in how it appears. It’s more likely that years of password reuse are coming back to bite millions on the behind — because these shared lists of logins can be repackaged and sold on as a “verified” breach of another service.

    In the case of verified hacks — MySpace, LinkedIn, and Tumblr — it’s not known where the data came from, or how the hacks happened.

    A hackers’ underground emerges

    Given that the two sellers meet in the middle on what could be the biggest ever known data breaches, you might think there would be a back story. And if you’re wondering what the connection between the two is — join the club.

    It turns out the two sellers just flat-out hate each other.

    a pissing contest between two hackers who are competing to sell third-party data for a quick buck on the dark web.

    And what’s having the biggest impact on the hacking saga — better for the hackers and sellers, but worse for the ordinary public — is the dire state of password reuse. This sharing of passwords across services is security’s fundamental undoing. Two services with the same credentials, and you can pass off a list of passwords with a claim to a hack on each.

    With a dark web market close to reaching a billion logins — and another billion said to be in the pipeline — it’s not unreasonable to expect the worst. “There’s been a hack.” “Another company breached.” That recirculated data will remain useful to someone — an account hijacker, phisher, or just a typical run-of-the-mill spammer — in one way or another, and for years to come.

    Thanks to a decade of poor security and bad passwords, these sellers can just keep repackaging our fears and failures for months and years

    Reply
  28. Tomi Engdahl says:

    Ingrid Lunden / TechCrunch:
    Cylance, a cybersecurity startup that uses AI to detect threats, raises $100M Series D, source says at about $1B valuation
    http://techcrunch.com/2016/06/09/cylance-fighting-malicious-hackers-with-ai-hits-1b-valuation-after-raising-100m/

    “If you can’t beat them, join them” may not sound like the most encouraging pitch for a cybersecurity company, but a startup called Cylance has created an artificial intelligence-powered brain that essentially does just that

    in the case of Cylance, McClure says the company uses machine learning and AI “to think like a cyber hacker.”

    By that, he means that Cylance’s system — specifically its CylancePROTECT product — is predicting how malware, zero-day attacks, and other cyberthreats can attack networks, and then heading them off at the pass, “eliminating the need for individual security teams to analyze and develop expertise in defending against each new cyberattack.”

    Cylance is not the only startup fighting security challenges with new big-data tools and clever algorithms. And in fact it seems to be something of a trend and belief that we have to go beyond blacklists and white lists, with machine learning inevitably going to be at the center of how we fight all these threats, which are by their nature also evolving with the use of machine learning and AI.

    target customers running the gamut from “the largest financial institutions to the smallest dental office in Malaysia.”

    “We want to protect every computer and endpoint under the sun with this revolutionary technology. And we won’t stop until we do,” a spokesperson said.

    Reply
  29. Tomi Engdahl says:

    The Dark Arts: Hacking Humans
    http://hackaday.com/2016/06/10/the-dark-arts-hacking-humans/

    One of the biggest challenges for a company that holds invaluable data is protecting it. At first, this task would seem fairly straightforward. Keep the data on an encrypted server that’s only accessible via the internal network. The physical security of the server can be done with locks and other various degrees of physical security. One has to be thoughtful in how the security is structured, however. You need to allow authorized humans access to the data in order for the company to function, and there’s the rub. The skilled hacker is keenly aware of these people, and will use techniques under the envelope of Social Engineering along with her technical skills to gain access to your data.

    Want to know how secure your house is? Lock yourself out. One of the best ways to test security is to try and break in. Large companies routinely hire hackers, known as penetration testers, to do just this. In this article, we’re going to dissect how a hired penetration tester was able to access data so valuable that it could have destroyed the company it belonged to.

    Reply
  30. Tomi Engdahl says:

    Jenna McLaughlin / The Intercept:
    NSA deputy director: agency couldn’t crack San Bernardino shooter’s iPhone because it hadn’t invested in exploiting iPhone 5c, and is looking to exploit IoT

    NSA Looking to Exploit Internet of Things, Including Biomedical Devices, Official Says
    https://theintercept.com/2016/06/10/nsa-looking-to-exploit-internet-of-things-including-biomedical-devices-official-says/

    Jenna McLaughlin
    June 10 2016, 8:53 p.m.

    The National Security Agency is researching opportunities to collect foreign intelligence — including the possibility of exploiting internet-connected biomedical devices like pacemakers, according to a senior official.

    “We’re looking at it sort of theoretically from a research point of view right now,” Richard Ledgett, the NSA’s deputy director, said at a conference on military technology at Washington’s Newseum on Friday.

    Biomedical devices could be a new source of information for the NSA’s data hoards — “maybe a niche kind of thing … a tool in the toolbox,” he said, though he added that there are easier ways to keep track of overseas terrorists and foreign intelligence agents.

    When asked if the entire scope of the Internet of Things — billions of interconnected devices — would be “a security nightmare or a signals intelligence bonanza,” he replied, “Both.”

    “As my job is to penetrate other people’s networks, complexity is my friend,” he said. “The first time you update the software, you introduce vulnerabilities, or variables rather. It’s a good place to be in a penetration point of view.”

    When the agency is looking to exploit different new devices, the NSA has to prioritize its resources

    That’s why the NSA wasn’t able to help the FBI crack the iPhone of the San Bernardino shooter, he said, because the agency hadn’t invested in exploiting that particular model of phone. “We don’t do every phone, every variation of phone,” he said. “If we don’t have a bad guy who’s using it, we don’t do that.”

    Ledgett also said it wasn’t the agency’s place to mandate security standards for companies when it comes to new devices.

    But NSA can’t ignore the potential that biomedical devices might be hacked by outsiders, too. Ledgett said no NSA employee has needed an internet-connected biomedical device yet — but that when it does happen, it will be a concern for an agency that doesn’t allow for cellphones.

    Reply
  31. Tomi Engdahl says:

    Russell Brandom / The Verge:
    Links shared in Facebook Messenger can be uncovered by anyone through querying Facebook’s API

    Facebook has a problem with private links
    Developers are able to view privately shared links by querying the company’s database
    http://www.theverge.com/2016/6/10/11903048/facebook-messenger-private-link-scraping-database

    Facebook has a link problem. Earlier this week, a security researcher named Inti De Ceukelaire detailed a curious fact about how Facebook Messenger treats privately shared links. Through the right API call, De Ceukelaire was able to summon links shared by specific users in private messages. The links were collected by the Facebook crawler, where De Ceukelaire discovered they were easily accessible to anyone running a Facebook app. Those links could be anything from a popular news story to directions to an abortion clinic. As long as they’re shared in private messages, they’re logged in Facebook’s database, and accessible to API calls.

    It would be hard to exploit that bug at scale for a few different reasons.

    Still, the bug points to a number of lingering problems with the conflicting way web services treat URLs, and how those conflicts can put private information into public view.

    The practice of scanning links is larger than just Facebook. URLs are a common place for sites to collect data, either by routing the link through an intermediary or dropping some query tags at the end of the URL. That’s a great way to keep track of where people are coming from, but it can cause real privacy concerns, as Facebook is now discovering. Twitter was hit with a similar lawsuit last month, alleging that link-shortening measures in direct-messaged links constituted a violation of privacy. If bit.ly knows which links to shorten, they know which links are being sent to you.

    But while some systems are using URLs as public data points, other systems are using them as passwords. If you’re sharing a Google document or a Dropbox folder, that URL is as much of a password as an address, a system that also plays a central role in Google Photos. Scooping up those URLs in transit is a genuine security risk, exposing potentially sensitive documents to third-party intermediaries.

    That leaves consumers in a tricky place. When Google gives you a private 40-character URL, how are you meant to share it without allowing it be scraped?

    Reply
  32. Tomi Engdahl says:

    Nicole Nguyen / BuzzFeed:
    With just the last 4 digits of @deray’s SSN, a hacker rerouted texts to another device, bypassing two-factor authentication protecting the activist’s accounts — Did you know that someone only needs your name and the last four digits of your Social Security number to hack your phone number?

    Here’s An Unexpected Way To Protect Yourself From Getting Hacked
    If you have two-factor authentication enabled, do this immediately.
    https://www.buzzfeed.com/nicolenguyen/how-to-prevent-yourself-from-getting-hacked-with-two-factor?utm_term=.jlQynMPdL#.bl9A8zNLY

    Did you know that someone only needs your name and the last four digits of your Social Security number to hack your phone number?

    That’s what happened to Black Lives Matter activist Deray Mckesson, whose Twitter account was hacked this week.

    Hackers were able to break into the account, even though it was reinforced with two-factor authentication

    With the last four digits of Mckesson’s Social Security number, they were able to gain full access to his Verizon account and changed the SIM, which redirected texts to a different device.

    The hackers didn’t even need his account’s passwords. They could simply reset passwords to trigger two-factor authentication.

    Verizon

    You can prevent someone who is trying to impersonate you online by enabling a four-digit billing password by calling customer service at (800) 922-0204 or visiting a retail store.
    T-Mobile

    You can request to use a “customer care password,” which is an additional password required to gain access to your T-Mobile account over the phone.

    Sprint already requests that customers set a PIN,

    Lock down your digital lives, people!!

    Reply
  33. Tomi Engdahl says:

    Meet The Maserati-Driving Deadhead Lawyer Who Stands Between Hackers And Prison
    https://www.buzzfeed.com/josephbernstein/meet-the-maserati-driving-deadhead-lawyer-who-stands-between?utm_term=.bb2Zwr8Ny#.vrJKv10Qy

    A medical marijuana and criminal defense lawyer from Southern California has made himself into the country’s leading defender of hackers. Can he save his clients from the worst law in technology — and themselves?

    “Most people coming in here are having the worst day of their life. They don’t need some stuffy asshole who is dead inside.”

    On March 18, 2013, a Monday, Jay Leiderman went on HuffPost Live to discuss his newest client, Matthew Keys. Keys had been indicted the previous Thursday by the U.S. government, which alleged that he had passed login credentials to members of Anonymous in an internet chat and encouraged members of the hacking collective to deface websites owned by the Tribune Company, his former employer, against which he had a grudge.

    “No one was hurt, there were no lasting injuries, no one’s identity was stolen, lives weren’t ruined,” Leiderman had told the Associated Press. “It was a joke, and I guess a joke will get you 25 years in prison.”

    Leiderman was far from alone in making this argument. The CFAA, introduced in 1984 and expanded in 1986, is widely loathed among internet activists, security researchers, and many lawyers in the field, who see the law as an “egregiously overbroad” relic that has led to a chilling effect on legitimate work, and that protects the rights of powerful corporations and government agencies while endangering ordinary web users.

    In particular, the central phrases in the law, which forbid “unauthorized access” of a “protected computer,” can be interpreted so widely as to include behavior as mundane as password sharing. Worse still, the law carries exorbitant statutory maximum sentences; Keys was looking at a maximum prison term of 25 years.

    The January before Keys was indicted, Aaron Swartz, a 26-year-old programmer and activist, hanged himself in his Brooklyn apartment in the face of 35 years in prison.

    The CFAA-amending Aaron’s Law Act, named for Swartz, has been introduced in Congress twice but has never come up for a vote.

    Indeed, the government tends to prosecute CFAA cases only when it has a strong chance of securing a conviction, as it did against Keys, who had confessed to the crime in a taped interview with an FBI agent — a confession Keys said he gave while whacked out on prescription pills.

    The law professor and media scholar Tim Wu has called the CFAA “the worst law in technology.”

    Leiderman sees hackers as part of a grand narrative of American counterculture — at least the parts of it with good music.

    Reply
  34. Tomi Engdahl says:

    Symantec Wants to Protect Your Car From Zero-Day Attacks
    http://www.securityweek.com/symantec-wants-protect-your-car-zero-day-attacks

    Symantec this week introduced a new IoT security solution specifically designed to protect connected vehicles from zero-day attacks and never-before-seen threats.

    News of Symantec’s undertaking comes just a few months after the FBI released a warning on remotely exploitable cyber vulnerabilities that affect modern motor vehicles.

    “Connected cars offer drivers conveniences such as navigation, remote roadside assistance and mobile internet hot spots,” Symantec said. “There will be 220 million connected cars on the road in 2020, according to Gartner. While new technologies promise to enhance the driving experience, these advancements also create avenues of attack for hackers that can endanger drivers and passengers.”

    “Automotive security threats have gone from theory to reality,” said Shankar Somasundaram, senior director of product management and engineering at Symantec. “The infrastructure and technology that already helps protect billions of devices and trillions of dollars now protects the car.”

    Symantec currently protects more than 1 billion connected IoT devices through its portfolio of IoT security offerings.

    Reply
  35. Tomi Engdahl says:

    Mozilla Launches Secure Open Source Fund
    http://www.securityweek.com/mozilla-launches-secure-open-source-fund

    In an effort to help secure open source software, Mozilla this week announced the creation of Secure Open Source (“SOS”) Fund, which kicks off with an initial $500,000 grant.

    The SOS Fund was created to support security auditing, remediation, and verification for open source software projects, in an attempt to prevent major vulnerabilities from slipping into them, as Heartbleed and Shellshock have in the past. According to Mozilla, there hasn’t been adequate support for securing open source software until now, and the new initiative aims at changing that.

    The Fund is part of the Mozilla Open Source Support program (MOSS), and the initial $500,000 funding should cover audits of a series of widely-used open source libraries and programs, Mozilla said. However, Mozilla challenges the millions of organizations out there that leverage open source software to join the initiative and provide additional financial support.

    “Open source software is used by millions of businesses and thousands of educational and government institutions for critical applications and services. From Google and Microsoft to the United Nations, open source code is now tightly woven into the fabric of the software that powers the world. Indeed, much of the Internet – including the network infrastructure that supports it – runs using open source technologies,” Chris Riley, Head of Public Policy, Mozilla, notes in a blog post.

    Reply
  36. Tomi Engdahl says:

    “Gaza Cybergang” Attacks Attributed to Hamas
    http://www.securityweek.com/gaza-cybergang-attacks-attributed-hamas

    Researchers are fairly confident that the Palestinian terrorist organization Hamas is behind the cyber espionage group known as Gaza Hackers Team, Gaza Cybergang and Molerats.

    The threat actor, believed to be active since at least 2012, has been monitored by several security firms, including Kaspersky Lab, FireEye, PwC and ClearSky. The group’s campaigns have focused on countries in the Middle East, such as Israel, Egypt, Saudi Arabia, the UAE and Iraq, but attacks have also been observed against entities in the United States and Europe.

    A report published by ClearSky in January detailed DustySky (aka NeD Worm), a multi-stage malware that the group had been using since May 2015.

    “Based on the type of targets, on Gaza being the source of the attacks, and on the type of information the attackers are after – we estimate with medium-high certainty that the Hamas terrorist organization is behind these attacks,” ClearSky said in its report.

    Reply
  37. Tomi Engdahl says:

    “IoT Security” is an Empty Buzzword
    http://hackaday.com/2016/06/13/iot-security-is-an-empty-buzzword/

    “Internet of Things” doesn’t describe much that’s useful from a security standpoint. On one hand, it includes widely varying classes of devices with correspondingly varying needs for security. On the other hand, it fails to describe or delimit the extent of the network that needs securing. Saying “Internet of Things security” adds nothing to just saying “security” except to warn the listener that they might need to be worrying about a very large class of problems, and end-users who don’t think they’re using a computer.

    Reply
  38. Tomi Engdahl says:

    Did Angler Exploit Kit Die With Russian Lurk Arrests?
    http://www.securityweek.com/did-angler-exploit-kit-die-russian-lurk-arrests

    Researchers have recently noted a large scale switch from the Angler exploit kit (EK) to the Neutrino exploit kit.

    with Angler no longer prevalent – nor even visible, and Neutrino dominant. While criminal switching between exploit kits is not unknown, this seems to be different.

    The question is whether this is a temporary blip or a permanent demise. It is similar to the sudden decline of the Blackhole EK in 2013.

    The similarity between Blackhole and Angler has prompted researchers to wonder if the Angler gang have also been arrested. Indeed, one security industry source told SecurityWeek he had heard of imminent likely action against the gang, but had no further details.

    Reply
  39. Tomi Engdahl says:

    North Korean Hackers Steal Defense Files from South
    http://www.securityweek.com/north-korean-hackers-steal-defense-files-south

    North Korean hackers managed to steal thousands of records from private firms and state agencies in the South including defense industry information and files from Korean Air, Seoul police said Monday.

    The hacking originated from 16 servers based in the North’s capital Pyongyang, police said, adding the North had stolen more than 42,000 internal records.

    The North gained access to the internal systems of the firms and agencies at some point after hacking in 2014 into computer management software developed by a Seoul IT firm, according to the police.

    The breach was discovered earlier this year.

    The hackers also planted 33 types of malicious code into the computers in an apparent bid to use them as “zombie” machines to launch future cyberattacks on other organizations in the South

    The companies that were hacked include South Korea’s flagship air carrier Korean Air and SK Networks, a sister company of South Korea’s top wireless operator, SK Telecom, Yonhap news agency said.

    Seoul has in recent years blamed the North’s hackers for a series of cyberattacks on military institutions, banks, state agencies, TV broadcasters, media websites and a nuclear power plant.

    Reply
  40. Tomi Engdahl says:

    Netgear Routers Plagued by Serious Vulnerabilities
    http://www.securityweek.com/netgear-routers-plagued-serious-vulnerabilities

    Netgear released firmware updates last week for its D3600 and D6000 Wi-Fi modem routers to address a couple of serious vulnerabilities reported to the company in December 2015.

    One of the flaws, tracked as CVE-2015-8288, is related to the use of hardcoded cryptographic credentials, including an RSA private key, and an X.509 certificate and key. An attacker who obtains this information can leverage it to gain admin access to the vulnerable device, launch man-in-the-middle (MitM) attacks, and decrypt intercepted packets, CERT warned in an advisory published on Friday.

    The second security hole, identified as CVE-2015-8289, has been described as an authentication bypass issue

    The flaws affect D3600 and D6000 routers running version 1.0.0.49 or earlier of the firmware. CERT noted that other models may be impacted as well.

    Reply
  41. Tomi Engdahl says:

    Symantec to Acquire Blue Coat for $4.65 Billion
    http://www.securityweek.com/symantec-acquire-blue-coat-465-billion

    Security firms Symantec (NASDAQ:SYMC) and Blue Coat Systems announced on Sunday that they have entered into a definitive agreement under which Symantec will acquire Blue Coat for roughly $4.65 billion in cash.

    After completing the sale of its Veritas information management (IM) business early this year, Symantec has become a pure-play cybersecurity company, and the company is now looking to expand its position in the enterprise market.

    Blue Coat, which historically has been known for its web gateway appliances and solutions for monitoring and filtering users’ Internet activity, has transformed significantly over the past years, mainly through a handful of acquisitions.

    With more than 15,000 global customers, Blue Coat had GAAP revenue for fiscal year ending April 30, 2016 of $598 million and non-GAAP revenue of $755 million.

    According to Bloomberg, citing a person familiar with the matter, Symantec had been in advanced talks to acquire FireEye earlier this year. Discussions reportedly broke down over concerns about FireEye’s future growth potential, the source said.

    While Symantec is looking to expand its position in the enterprise security space, it does have its eyes on other areas of Internet security. Just last week Symantec introduced a new IoT security solution specifically designed to protect connected vehicles from zero-day attacks and never-before-seen threats.

    http://www.securityweek.com/symantec-wants-protect-your-car-zero-day-attacks

    Reply
  42. Tomi Engdahl says:

    Juli Clover / MacRumors:
    Apple to disable plug-ins like Flash, Java, Silverlight, and Quicktime by default in Safari 10, to focus on HTML5 content

    Safari in macOS Sierra Deactivates Flash and Other Plug-ins By Default
    http://www.macrumors.com/2016/06/14/safari-macos-sierra-plugins-disabled-default/

    In Safari 10, set to ship with macOS Sierra, Apple plans to disable common plug-ins like Adobe Flash, Java, Silverlight, and QuickTime by default in an effort to focus on HTML5 content and improve the overall web browsing experience.

    As explained by Apple developer Ricky Mondello in a post on the WebKit blog, when a website offers both Flash and HTML5 content, Safari will always deliver the more modern HTML5 implementation. On a website that requires a plug-in like Adobe Flash to function, users can activate it with a click as can be done in Google’s Chrome browser.

    Next Steps for Legacy Plug-ins
    https://webkit.org/blog/6589/next-steps-for-legacy-plug-ins/

    Reply
  43. Tomi Engdahl says:

    Josh Constine / TechCrunch:
    Facebook now offers a Store Locator ad unit and tracks in-store visits and purchases through GPS, Wi-Fi, and a partnership with Square, with no user opt out — Facebook has found the Holy Grail of advertising in a set of new partnerships with point-of-sale systems like Square and Marketo …

    Facebook taps GPS, Square to track your in-store visits and purchases
    http://techcrunch.com/2016/06/14/facebook-knows/

    Facebook has found the Holy Grail of advertising in a set of new partnerships with point-of-sale systems like Square and Marketo that will prove who bought what after seeing Facebook’s ads. Even if you don’t buy something, Facebook will also now know you visited a store based on a new feature that matches GPS, beacons, WiFi, radio signals, and cell towers with brick-and-mortar coordinates.

    This data could get advertisers to spend a lot more on Facebook because it will be able to demonstrate exactly how ad views led to in-store purchases and foot traffic. Ninety percent of sales still happen in physical retail stores, not online. Facebook is pushing to evolve the industry past flimsy metrics like ad views and clicks, towards measuring when ads actually inspired purchases anywhere.

    The Offline Conversions API could help Facebook compete with Google for ad dollars. Google has had store visit metrics for AdWords since 2014 and recently launched ads that show maps of nearby locations.

    Though Facebook aggregates and anonymizes the data to protect privacy, the fact that there’s no specific opt-out option is a bit unsettling.

    To fuel ad buys seeking foot traffic, Facebook also has a new Store Locator ad unit. It can show a business’ nearby brick-and-mortar locations at the end of an ad carousel and let people “Get Directions”.

    The location data will roll out as a new Store Visits metric in Facebook’s ad performance dashboard over the next few months.

    Reply
  44. Tomi Engdahl says:

    Mike Isaac / New York Times:
    Facebook rolls out new suicide prevention tools, including faster message flagging for moderators, self-help guides, more

    Facebook Offers Tools for Those Who Fear a Friend May Be Suicidal
    http://www.nytimes.com/2016/06/15/technology/facebook-offers-tools-for-those-who-fear-a-friend-may-be-suicidal.html

    he saw a status update from a high school friend she had not seen in years that alarmed her. It read like a suicide note.

    “Thank you for everyone who tried to help me,” Ms. Simmons’s friend

    “If I hadn’t already been educated in suicide prevention or hadn’t seen the post on Facebook, I don’t know that I would have picked up the phone and known to call,”

    With more than 1.65 billion members worldwide posting regularly about their behavior, Facebook is planning to take a more direct role in stopping suicide. On Tuesday, in the biggest step by a major technology company to incorporate suicide prevention tools into its platform, the social network introduced mechanisms and processes to make it easier for people to help friends who post messages about suicide or self-harm. With the new features, people can flag friends’ posts that they deem suicidal; the posts will be reviewed by a team at the social network that will then provide language to communicate with the person who is at risk, as well as information on suicide prevention.

    The timing coincides with a surge in suicide rates in the United States to a 30-year high. The increase has been particularly steep among women and middle-aged Americans, reflecting widespread desperation.

    Reply
  45. Tomi Engdahl says:

    Apple will require HTTPS connections for iOS apps by the end of 2016
    http://techcrunch.com/2016/06/14/apple-will-require-https-connections-for-ios-apps-by-the-end-of-2016/

    During a security presentation at Apple’s Worldwide Developers’ Conference, the company revealed the deadline for all apps in its App Store to switch on an important security feature called App Transport Security — January 1, 2017.

    App Transport Security, or ATS, is a feature that Apple debuted in iOS 9. When ATS is enabled, it forces an app to connect to web services over an HTTPS connection rather than HTTP, which keeps user data secure while in transit by encrypting it.

    mobile apps often aren’t as transparent with users about the security of their web connections, and it can be hard to tell whether an app is connecting via HTTP or HTTPS.

    Enter ATS, which is enabled by default for iOS 9. However, developers can still switch ATS off and allow their apps to send data over an HTTP connection — until the end of this year, that is. (For technical crowd: ATS requires TLS v 1.2, with exceptions for already encrypted bulk data, like media streaming.)

    At the end of 2016, Apple will make ATS mandatory for all developers who hope to submit their apps to the App Store. App developers who have been wondering when the hammer would drop on HTTP can rest a little easier now that they have a clear deadline, and users can relax with the knowledge that secure connections will be forced in all of the apps on their iPhones and iPads.

    In requiring developers to use HTTPS, Apple is joining a larger movement to secure data as it travels online. While the secure protocol is common on login pages, many websites still use plain old HTTP for most of their connections.

    Reply
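For the technical crowd, an added illustration (not from the TechCrunch article) of the Info.plist settings the ATS deadline is about: the blanket opt-out that will no longer be accepted, beside a narrowed form that keeps ATS on and carves out one host. The domain name is a constructed placeholder.

```xml
<!-- Added example, not from the article: Info.plist fragments controlling App Transport Security.
     The host name legacy.example.com is a constructed placeholder. -->

<!-- Weak: NSAllowsArbitraryLoads switches ATS off for every connection the app makes,
     so any request may fall back to plain HTTP and user data travels unencrypted. -->
<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
</dict>

<!-- Narrower: ATS stays on (HTTPS, TLS 1.2, forward secrecy) for every other host,
     with one documented exception for a single legacy host the app still needs.
     Subdomains are deliberately not covered by the exception. -->
<key>NSAppTransportSecurity</key>
<dict>
    <key>NSExceptionDomains</key>
    <dict>
        <key>legacy.example.com</key>
        <dict>
            <key>NSExceptionAllowsInsecureHTTPLoads</key>
            <true/>
            <key>NSIncludesSubdomains</key>
            <false/>
        </dict>
    </dict>
</dict>

<!-- Strongest: omit the NSAppTransportSecurity dictionary entirely; since iOS 9 the
     default is ATS enabled, which is what the January 1, 2017 requirement enforces. -->
```

On a Mac, `nscurl --ats-diagnostics https://host` reports which ATS configurations a given server would pass, so a backend that fails the default (for example, no TLS 1.2) can be fixed server-side instead of being excepted in the app.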
  46. Tomi Engdahl says:

    National Security
    Russian government hackers penetrated DNC, stole opposition research on Trump
    https://www.washingtonpost.com/world/national-security/russian-government-hackers-penetrated-dnc-stole-opposition-research-on-trump/2016/06/14/cf006cb4-316e-11e6-8ff7-7b6c1998b7a0_story.html

    Russian government hackers penetrated the computer network of the Democratic National Committee and gained access to the entire database of opposition research on GOP presidential candidate Donald Trump, according to committee officials and security experts who responded to the breach.

    The intruders so thoroughly compromised the DNC’s system that they also were able to read all email and chat traffic, said DNC officials and the security experts.

    The intrusion into the DNC was one of several targeting American political organizations. The networks of presidential candidates Hillary Clinton and Donald Trump were also targeted by Russian spies, as were the computers of some Republican political action committees, U.S. officials said. But details on those cases were not available.

    “It’s the job of every foreign intelligence service to collect intelligence against their adversaries,” said Shawn Henry, president of CrowdStrike, the cyber firm called in to handle the DNC breach and a former head of the FBI’s cyber division.

    “We’re perceived as an adversary of Russia,” he said. “Their job when they wake up every day is to gather intelligence against the policies, practices and strategies of the U.S. government. There are a variety of ways. [Hacking] is one of the more valuable because it gives you a treasure trove of information.”

    “The purpose of such intelligence gathering is to understand the target’s proclivities,”

    “The security of our system is critical to our operation and to the confidence of the campaigns and state parties we work with,” said Rep. Debbie Wasserman Schultz (D-Fla.), the DNC chairwoman. “When we discovered the intrusion, we treated this like the serious incident it is and reached out to CrowdStrike immediately. Our team moved as quickly as possible to kick out the intruders and secure our network.”

    The firm identified two separate hacker groups, both working for the Russian government, that had infiltrated the network, said Dmitri Alperovitch, CrowdStrike co-founder and chief technology officer.

    CrowdStrike is not sure how the hackers got in. The firm suspects they may have targeted DNC employees with “spearphishing” emails.

    The two groups did not appear to be working together.

  47. Tomi Engdahl says:

    IoT Devices Not Properly Secured on Enterprise Networks: Survey
    http://www.securityweek.com/iot-devices-not-properly-secured-enterprise-networks-survey

    Internet of Things (IoT) devices are becoming an increasingly important part of enterprise environments, yet companies continue to fail at securing them properly, a recent report sponsored by ForeScout reveals.

    According to the research, nearly three quarters of enterprises either don’t have efficient protection methods for their IoT devices, or are not aware of what is being used. At the other end, only 19% of organizations have a specialized agent that monitors the network, while 7% say they use a different approach to securing IoT devices, the report says.

    The insecurity of products that can be included in the IoT category has been long said to put both enterprises and their customers at risk. Many such devices feature vulnerable software or re-use cryptographic secrets that make them vulnerable, yet there are also those who are sold with malware embedded in them right from the start.

    However, there are also devices that, although secure on their own, aren’t properly protected once they’ve entered a company’s network, which turns them into security hazards.

    According to the survey, conducted among professionals who “represent the technological elite in IT and Telecommunications,” 66% of respondents feel that 25% or fewer of the devices on the network are IoT. However, 85% of respondents said they aren’t confident they know all the devices on the network.

    When asked about the security policy for IoT, only 44% of the respondents said that their company had such a policy in place. While 26% admitted they didn’t know, 30% said no such policy was in use.

    The report also shows that 89% of the respondents believe that it is important to discover that an IoT device is on the network, while 87% said it is important to classify IoT devices. What’s more, 86% of them found discovering/classifying without the use of an agent to be quite important.

    When asked about their organization’s current primary approach to securing IoT devices on the network, 30% of respondents said that they rely on “industry or manufacturer standard methods, such as Wi-Fi, WPA2, Bluetooth protocols, etc.” 17% said they have a password on the network, 13% didn’t know and 14% weren’t aware of such protection.

    As Cigital’s Jim Ivers noted in a SecurityWeek column earlier this year, IoT devices are, by definition, connected to the Internet, yet plugging something into the Internet actually makes it vulnerable. The software running on these devices is what should be secured first, but only “by building a software security initiative (SSI) and creating a software security group (SSG) to ensure someone is held responsible and accountable.”

    “Watches, streaming media widgets, phones, tablets and a whole host of other things are likely making their way into the office right now”

  48. Tomi Engdahl says:

    Is a Platform Security Strategy Realistic?
    http://www.securityweek.com/platform-security-strategy-realistic

    The choice between using a single vendor platform, and integrating best-of-breed point products from different vendors is as old as computing – but is particularly pertinent to cyber security. In April this year Fortinet commissioned a survey of IT decision makers in 10 countries around the world, with particular reference to firewalls; and discussed some of the findings in a blog post yesterday.

    The key finding for Fortinet is that 59% of approximately 1,000 respondents described their greatest challenge in achieving automated and consistent security policies across their networks as being down to the numerous firewall solutions deployed within their network infrastructures.

    The precise results varied slightly between geographic regions.

    This response dwarfs other problems. Insufficient staff skills to implement standard procedures and problems from different security requirements throughout the network all returned around 20% – with only EMEA standing out with 26% for differing requirements.

    In its blog, Fortinet concentrates on the difficulty in integrating different security solutions.

    In response to this problem vendors have started to sell the advantages of single-vendor solutions on a single platform.

    Single vendors cannot develop a complete range of security solutions, and consequently expand their platform by buying other companies and their technology.

    But, suggests Fortinet, “While these vendors may offer a wide range of security tools, their solutions are hardly integrated. They often run on different operating systems, use different management tools, and cannot provide unified visibility, control, response, or reporting. And their lack of standardization makes integration with third-party solutions difficult if not impossible.”

    Sixty-one percent “of IT leaders said that the lack of ‘standardization of security technologies’ from such vendors was still a barrier to re-architecting their infrastructures with the advanced security solutions they need to protect themselves.”

  49. Tomi Engdahl says:

    Enterprises Warned About Risky Connected Third-Party Apps
    http://www.securityweek.com/enterprises-warned-about-risky-connected-third-party-apps

    More than a quarter of the third-party apps used in enterprises are risky, and some of the most problematic are connected cloud applications, according to cloud security company CloudLock.

    CloudLock CyberLab’s Cloud Cybersecurity Report for the second quarter of 2016, which is based on the analysis of over 150,000 unique apps and 10 million users, shows that the use of third-party apps has increased 30 times over the past two years.

    The security firm pointed out that organizations must not neglect a very important aspect when addressing the issue of “shadow IT,” the term used to describe applications and systems used by employees without approval from IT security teams. One technology that can introduce serious risks is OAuth, an authentication protocol that allows users to approve apps to act on their behalf without sharing their password.

    The problem, according to experts, is that OAuth-connected applications can have extensive access to corporate data.

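An added example, not code from the original post or from CloudLock: a Python triage of OAuth consent grants of the kind an identity provider can export, which is the check a security team wants before it can say which connected apps hold “extensive access to corporate data.” The grant records, the app names and the Google-style scope strings are constructed for illustration, and the rules that rank a scope as read, write or full-access are this example's own assumptions.

```python
"""Triage OAuth app grants exported from an identity provider.

Added example; not from the original post or from CloudLock. Grant
records, app names and scope strings are constructed; the scope
classification rules are assumptions for illustration.
"""
from collections import defaultdict

# Constructed sample: one record per user consent (user, app, scopes, and
# whether the app holds a refresh token, i.e. can act while the user is away).
GRANTS = [
    {"user": "alice@example.com", "app": "Slide Polish",
     "scopes": ["https://www.googleapis.com/auth/drive.readonly"], "refresh_token": False},
    {"user": "bob@example.com", "app": "Mail Merge Pro",
     "scopes": ["https://mail.google.com/",
                "https://www.googleapis.com/auth/contacts.readonly"], "refresh_token": True},
    {"user": "carol@example.com", "app": "Mail Merge Pro",
     "scopes": ["https://mail.google.com/"], "refresh_token": True},
    {"user": "dave@example.com", "app": "Task Sync",
     "scopes": ["https://www.googleapis.com/auth/tasks"], "refresh_token": True},
    {"user": "erin@example.com", "app": "Login with Google",
     "scopes": ["openid", "email", "profile"], "refresh_token": False},
]

# Assumed classification: scopes that expose a whole mailbox, drive or directory.
BROAD_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/admin.directory.user",
}
IDENTITY_SCOPES = {"openid", "email", "profile"}  # sign-in only, no data access
RISK_ORDER = {"low": 0, "medium": 1, "high": 2}


def scope_level(scope):
    """Map one scope string to 'identity', 'read', 'write' or 'broad'."""
    if scope in IDENTITY_SCOPES:
        return "identity"
    if scope in BROAD_SCOPES:
        return "broad"
    if scope.rstrip("/").endswith((".readonly", ".metadata")):
        return "read"
    return "write"  # assumption: any other scope can modify data


def triage(grants):
    """Roll grants up per app and assign a risk level plus the reasons for it."""
    per_app = defaultdict(lambda: {"users": set(), "levels": set(), "offline": False})
    for grant in grants:
        entry = per_app[grant["app"]]
        entry["users"].add(grant["user"])
        entry["levels"].update(scope_level(s) for s in grant["scopes"])
        entry["offline"] = entry["offline"] or grant["refresh_token"]

    report = {}
    for app, entry in per_app.items():
        reasons = []
        if "broad" in entry["levels"]:
            reasons.append("full-access scope granted")
        if "write" in entry["levels"] and entry["offline"]:
            reasons.append("write scope with refresh token: acts without the user present")
        if reasons:
            risk = "high"
        elif "write" in entry["levels"]:
            risk = "medium"
            reasons.append("write scope (session-bound)")
        else:
            risk = "low"
        report[app] = {"users": len(entry["users"]), "risk": risk, "reasons": reasons}
    return report


def riskiest_first(report):
    """Order apps for review: highest risk first, then widest user footprint."""
    return sorted(report, key=lambda app: (RISK_ORDER[report[app]["risk"]],
                                           report[app]["users"]), reverse=True)


if __name__ == "__main__":
    result = triage(GRANTS)
    for app in riskiest_first(result):
        row = result[app]
        print(f"{row['risk']:6} {app:18} users={row['users']}  {'; '.join(row['reasons'])}")
```

The point of rolling grants up per app rather than per user is that one consent by one employee is what gives the app its token, but the exposure is the union of every user who approved it; an app with a full-mailbox scope and a refresh token keeps that access until the grants are revoked, whatever the password policy says.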
  50. Tomi Engdahl says:

    Let’s Encrypt Exposes User Email Addresses
    Server Bug Exposes Email Addresses of 7,618 Let’s Encrypt Users
    http://www.securityweek.com/lets-encrypt-exposes-user-email-addresses

    Thousands of Let’s Encrypt users saw their email addresses being exposed this Saturday, when the open certificate authority (CA) started sending a notification to active subscribers.

    Backed by the Electronic Frontier Foundation (EFF) and numerous large Internet and tech companies, Let’s Encrypt is a project aimed at bringing encryption to all areas of the Internet. It provides website owners with free certificates, in an attempt to encourage them to transition to HTTPS to ensure a secure communication between their sites and users’ browsers.

    Because of a server glitch, when Let’s Encrypt started sending out emails to its users on June 11 to inform them of an update to its subscriber agreement, the automated system used for that mistakenly prepended email addresses to the body of the message. Because of this issue, recipients could see the email addresses of other subscribers.
