Security trends for 2016

Here are my predictions for trends in information security and cyber security for year 2016.

Year 2015 was pretty bad for information security, and I would say that the trend is worrying. So I expect that 2016 will bring many information security challenges. If you want to keep yourself up at night, spend some time reading about the latest developments in cybersecurity. In 2015 airplanes were hacked, cars were hacked, and vulnerabilities were found in a breathtaking range of sensitive equipment, from TSA locks to voting booths to medical devices. The big picture is even scarier. Former NSA Director Mike McConnell suspects China has hacked “every major corporation” in the US. Those problems will continue in 2016 and some new targets for attacks will be found. The system is broken. It isn’t keeping us, our companies, or our government safe. Worse yet, no one seems to know how to fix it.

Attacks through networks are becoming more common all the time. It will be hard to protect against targeted attacks. Hackers will not only customize malware, but will increasingly use sophisticated phishing and social engineering tricks to gain access to sensitive data. Attackers usually cover their tracks carefully, so identifying who is behind an attack can be very difficult. Behind targeted attacks are usually professional criminals. Criminals do not respect geographical borders, and hence attacks are spread evenly everywhere. Companies will struggle to absorb the security threats of combined PC and mobile device environments in 2016.


EU information security decisions made in late 2015 will have an impact on what comes in 2016: the new EU data protection legislation package was approved, and the EU Court of Justice ruled that the Safe Harbor procedure is invalid. This means that transfers of personal data from EU countries to the United States under Safe Harbor are a violation of the law; you need some other agreement for this. The situation will probably get clarified during 2016. Data protection legislation changes will lead to increased fines for the unprepared. Legal uncertainty and big fines are a toxic cocktail for some companies. The combination of stiff penalties and ambiguously worded provisions in the new EU-wide data-protection law, which would replace a patchwork of 28 national laws, raises daunting prospects for companies operating in Europe.

After the huge number of user information leaks in 2015 from all kinds of Internet services, cloud companies will face the challenge of earning trust in their security. You might have just dared to trust “the right cloud services,” since from the traditional information security point of view they seemed to be mostly okay, but the leaks have raised privacy concerns.

New environments will bring new threats. New operating system versions mean that administrators and users are less familiar with the environments. IPv6 will get more widely used, and the security of IPv6 networks is different from IPv4. Organizations are moving to virtualized environments, which are complex and create network layers that can become an attack vector. Growing network virtualization functionality and programmability are both an opportunity and a threat to security. Cyber security research will be important in 2016, as 5G networks will be critical infrastructure on top of which, for example, transport, industry, health and new operators will set up their business around 2020.

The huge amount of information security news is becoming harder and harder to manage in 2016. A key problem with security revelations, as with all other news coverage, is the exponential growth of knowledge. There are a variety of news summaries produced on a daily basis, but they are not enough to get a good picture of what is happening. There are bigger and smaller news items, the impact of which is at times very difficult to assess. SMBs will become a bigger target for cybercriminals. Network and security professionals continue to be among the toughest IT talent to find and hire.

The old way of network security, focused on perimeter defense, is not enough in 2016. The old mantras “encrypt everything” and “secure the perimeter” are not enough. One deceptive truth seems to drive much of the cybersecurity industry down a rabbit hole: if you keep bad actors and bad software out of your system, you have nothing to worry about. It does not work like that anymore. As perimeter security gets stronger, malicious actors are looking for easier entry points to compromise an organisation through the breadth of its digital attack surface. Now malicious actors target “endpoints”, any device or sensor connected to a network, to break into that network. Traditional sandboxing will no longer protect against the growing malware landscape. Today, most private networks have far too many endpoints to properly secure. In an age of “Bring Your Own Device,” the cloud, remote access, and the Internet of Things, there are too many vulnerabilities hackers can exploit. Keep in mind that everything connected to the Internet can, and will, be hacked. To address those threats in 2016, security experts should assume compromise, that hackers and malware already have breached their defenses or soon will, and instead classify and mitigate threats. In addition to the public key infrastructure lock-and-key system, you will also need an integrity solution that acts like an alarm. To protect against advanced threats, security professionals will increase their reliance on centralized security management solutions. You need to have prioritization and response plans for various kinds of breaches, with a strong focus on integrity.

Law enforcement versus Silicon Valley tension will continue to be strong throughout 2016. In 2015 law enforcement and politicians on both sides of the Atlantic lined up to repeatedly complain that the web was “going dark” as the result of end-to-end encryption and that this was hampering the investigation of terrorism and other serious crimes. Technologists and cryptographers argue that governments are trying to weaken encryption by demanding some form of privileged access for government. It’s not clear how much encryption the NSA can break. With renewed focus on how encrypted messages can be used to plot terrorist attacks, President Barack Obama’s administration is stepping up pressure on the tech sector to help in the battle. Privacy remains a major counter-argument. It seems that governments lie about encryption backdoors. Encryption systems weakened by mandated backdoors would not be effective in fighting the terrorists that governments invoke as their reason for wanting those backdoors in the first place.

But this does not stop some government officials from demanding such things, with varying success in different countries. Another fact is that the existence of coded communications is a reality, and the U.S. may not be able to do much about it because nearly everyone living in modern society uses it: encryption protects your bank information, prevents your password from being stolen when you log into a website, and allows all e-commerce transactions to take place securely. Encryption weakened by mandated backdoors would put all of us at an enormous risk of exposure from data breaches and associated online risks. The truth in 2016 is that any form of privileged access for government, i.e. a backdoor, would inevitably weaken crypto-systems and make them more vulnerable to attacks by foreign governments’ intelligence agencies as well as criminals. Juniper’s VPN security hole is proof that government backdoors are bonkers. Encryption backdoors would be a gleeful win-win for terrorists and a horrific lose-lose for you: the bad guys having strong protections for their data, and the rest of us not. Poorly thought-out and crude surveillance techniques could have a devastating effect on a country’s internet security; for example, Kazakhstan will force its citizens to install internet backdoors by requiring all Internet users to install a state-issued root certificate by January 1, 2016.

Google, Mozilla and Microsoft are pushing for an early SHA-1 cutoff that could happen in 2016 instead of the earlier planned January 1st, 2017, due to recent research showing that SHA-1 is weaker than previously believed, because it has been cracked without enormous effort. Mozilla, Microsoft and now Google are all considering bringing the deadline forward by six months to July 1, 2016. SHA-2 is going to be used as the replacement function for SHA-1. Websites like Facebook and those protected by CloudFlare have implemented a SHA-1 fallback mechanism for those systems that do not support SHA-2. Chrome will start displaying errors if SHA-1 certificates are employed in early 2016 and will completely stop supporting SHA-1 certificates at the end of 2016.

The use of blockchain technology, a permissionless distributed database based on the bitcoin protocol that runs across a global network of independent computers, will spread beyond just Bitcoin virtual money. With bitcoin, the blockchain tracks the exchange of money. But it can also track the exchange of anything else that holds value, including stocks, bonds, and other financial securities. Overstock has already used the blockchain to issue private bonds. The Securities and Exchange Commission has approved a plan from online retailer Overstock.com to issue company stock via the Internet, signaling a significant shift in the way financial securities will be distributed and traded in the years to come. Overstock built its technology under the aegis of a subsidiary called TØ.com, and it plans to offer this “cryptosecurity” tech as a service to other businesses. Nasdaq OMX, the company behind the Nasdaq stock exchange, is using the blockchain to oversee the exchange of private stock. Also, several major companies from across both the technology and financial industries, including IBM, Intel, and Cisco as well as the London Stock Exchange Group and big-name banks JP Morgan, Wells Fargo, and State Street, have joined forces with the Linux Foundation to create an alternative to the blockchain.

The use of disk encryption will increase, and there are different ways to do it with different security levels. Microsoft has introduced Windows 10 disk encryption where the recovery keys are uploaded to Microsoft. This approach has some advantages and disadvantages. The gold standard in disk encryption is end-to-end encryption, where only you can unlock your disk. This is what most companies use, and it seems to work well. It protects data in case your device is lost or stolen. But what if you forget or lose your key? There are certainly cases where it is helpful to have a backup of your key or password, so keeping a backup of your recovery key in your Microsoft account could be genuinely useful for probably the majority of users who don’t have high security needs. The disadvantage of this approach is that your computer is now only as secure as that database of keys held by Microsoft, which means it may be vulnerable to hackers, foreign governments, and people who can extort Microsoft employees.


Weak and leaked passwords are still a huge security problem in 2016. Passwords are often the weakest part of securing users’ accounts, as many don’t use complex passwords or they reuse the same password across services. Two-factor authentication, like using a USB stick with a secret token or entering a code sent via text message to your phone, can help to increase security, but many users also find this to be a hassle as it introduces an additional step to the login process.

Google has begun testing a login system that uses phone notifications for authentication instead of passwords: users authenticate by responding to a notification sent to their smartphone. The idea is similar to Yahoo’s recently launched “Account Key,” which also offers a password-free means of signing in involving a push notification sent to your phone that then opens an app where you approve the log-in.

Smartphones will become a more and more security critical part of your life. “Increasingly, individuals and organisations are adopting password managers and multi-factor authentication technologies to plug some of the holes in password-based authentication. We foresee a world where practically everyone uses their smartphone as a multi-factor authentication element. In this world, the smartphone becomes your most valuable asset: something that enables you to unlock your life online and a target for attackers seeking to access your services.”
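The second factor described above (a code from a token or phone) is, in most authenticator apps, a time-based one-time password. As an added example, not code from the original post or from Google or Yahoo, here is that scheme per RFC 4226 and RFC 6238 in Python, with a server-side verifier that tolerates one 30-second step of clock skew and refuses to accept a code at a counter that has already been used, so an intercepted code cannot be replayed. The secret and timestamps are the RFC test values, not anyone's real credentials.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6):
    """RFC 4226 HMAC-based one-time password (HMAC-SHA-1, as authenticator apps use)."""
    msg = struct.pack(">Q", counter)                    # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                             # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, timestamp=None, step=30, digits=6):
    """RFC 6238: HOTP over the current time window (Unix time // step)."""
    if timestamp is None:
        timestamp = time.time()
    return hotp(secret, int(timestamp) // step, digits)


def verify_totp(secret, submitted, timestamp=None, step=30, digits=6,
                window=1, last_counter=-1):
    """Server-side check. Returns the matching counter, or None.

    Accepts the current window and +/- `window` neighbours to absorb clock skew,
    but only counters newer than `last_counter` (the value stored after the
    previous successful login), so a code seen once cannot be replayed.
    """
    if len(submitted) != digits or not submitted.isdigit():
        return None
    if timestamp is None:
        timestamp = time.time()
    counter = int(timestamp) // step
    for c in range(counter - window, counter + window + 1):
        if c <= last_counter:
            continue
        # constant-time comparison so timing does not leak how many digits matched
        if hmac.compare_digest(hotp(secret, c, digits), submitted):
            return c
    return None


if __name__ == "__main__":
    # RFC 6238 test secret (ASCII "12345678901234567890"); constructed demo only
    secret = b"12345678901234567890"
    print("code at T=59:", totp(secret, 59))          # 287082 per the RFC vectors
    print("accepted at counter:", verify_totp(secret, "287082", timestamp=59))
```

After a successful check the server stores the returned counter as `last_counter` for that user; that stored value, not the clock, is what makes the code single-use.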

Expect that the number of mobile vulnerabilities will only grow in 2016. In 2016 we will see increasing numbers of cyber criminals using mobile applications to spread malware. Mobile presents an easy target for cyber criminals, because it is an attack surface that is open and extremely difficult to defend once an app has been released. Android threats will become more than just headline-grabbers. Will 2016 be the year iOS malware goes mainstream?


Critical infrastructures will be highly targeted in 2015. SCADA and ICS networks were not designed for security. Attacks against these systems have increased in recent years. I expect this trend to only get worse. There are still many companies that run their critical systems on Windows XP because “There are some people who don’t have an option to change.” Many times the OS is running in automation and process control systems that run business and mission-critical systems, both in private sector and government enterprises. For example, the US Navy is using the obsolete operating system Microsoft Windows XP to run critical tasks. It all comes down to money and resources, but if someone is obliged to keep something running on an obsolete system, it’s the wrong approach to information security completely.

Cars were hacked at a record rate in 2015, and they will be hacked at least at the same rate in 2016. Modern cars feature more gadgetry and connected systems, and this makes vehicles just as vulnerable to today’s threats and attacks. I Am The Cavalry has published a Five Star Cyber Safety Framework to mitigate this threat in cars; hopefully car component makers study it.

IoT and smart devices are still at risk. The Internet of Things will continue to emerge, and businesses will need to think about how to protect their smart devices and prepare for the wider adoption of IoT. IoT platforms are not yet the weapon of choice for commercial malware authors, but businesses beware. Wearables won’t be safe either, as they are built using largely the same, too often vulnerable, technologies as other IoT systems. IoT security is still in its infancy in 2016.

Cyber criminals became more active in 2015, particularly with ransomware. The ransom-malware problem will continue to be big in 2016. Commercial malware authors will continue to invest heavily, and exploit kits will continue to dominate on the web. Ransomware today is big business. Ransomware takes control of a computer and holds it hostage until the victim pays, usually in the digital currency Bitcoin. As a remedy against ransom-malware I recommend making sure that your IT support or service provider has the data backup and restore procedure operational, practiced and tested. You may need it in 2016 to get your data back without considering paying criminals. To date ransomware has hit Windows users hardest, although Android and Mac OS users are now also facing similar extortion.

Ransomware will continue to dominate in 2016, and it is only a question of time before we see things beyond data being ransomed. We have already seen websites being held ransom under DDoS threats. Intel’s McAfee Labs also noted a huge spike in ransomware in early 2015, and worries about ransomware in the IoT space, including medical devices. And Kaspersky predicts the “nightmare of ransomware” will continue and “spread to new frontiers” in 2016. The article Ransomware Is Coming to Medical Devices tells that, according to a report released recently by Forrester Research, the number one cybersecurity prediction for 2016 is: “We’ll see ransomware for a medical device or wearable.” “It’s definitely feasible from a technical standpoint.” Networked medical devices save lives. Despite the hacking risk, it’s an informed trade-off. Medical device ransomware would be a modern form of highway robbery with lives at stake.
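Two practical recommendations in this post, an integrity solution that acts like an alarm when files change (the "assume compromise" section above) and a backup-and-restore procedure that is actually practiced and tested (the ransomware advice just above), can be exercised in one script. This is an added example, not code from the original post or any product it mentions: it records a SHA-256 manifest of a directory tree when the backup is taken, raises the alarm by diffing a fresh manifest against that baseline, restores from the backup and proves the restore by re-checking the manifest. Paths, file contents and the damage step are constructed; the backup is written next to the live tree only to keep the example self-contained, whereas a real backup and its manifest live off-host where the compromised machine cannot reach them.

```python
import hashlib
import os
import shutil
import tempfile


def file_digest(path):
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root):
    """Relative path -> digest for every regular file under root."""
    out = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            out[os.path.relpath(full, root)] = file_digest(full)
    return out


def diff_manifests(baseline, current):
    """The alarm: files whose contents changed, files that appeared, files that vanished."""
    modified = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    added = sorted(p for p in current if p not in baseline)
    deleted = sorted(p for p in baseline if p not in current)
    return modified, added, deleted


def backup(live, dest):
    """Copy the tree and return the manifest to store with the backup."""
    shutil.copytree(live, dest)
    return manifest(live)


def restore(dest, live):
    """Replace the live tree with the backup copy."""
    shutil.rmtree(live)
    shutil.copytree(dest, live)


def simulate_damage(live):
    """Constructed stand-in for the loss a drill must recover from:
    every file's contents replaced, plus one unexpected file dropped in."""
    for dirpath, _, names in os.walk(live):
        for name in names:
            with open(os.path.join(dirpath, name), "wb") as f:
                f.write(b"unreadable")
    with open(os.path.join(live, "note.txt"), "w") as f:
        f.write("files unavailable\n")


def drill():
    """End-to-end run on constructed data: baseline, back up, detect, restore, verify.
    Returns the alarm (modified, added, deleted) and whether the restore matched."""
    work = tempfile.mkdtemp()
    live = os.path.join(work, "live")
    dest = os.path.join(work, "backup")
    os.makedirs(os.path.join(live, "etc"))
    with open(os.path.join(live, "etc", "sshd_config"), "w") as f:
        f.write("PermitRootLogin no\n")
    with open(os.path.join(live, "report.txt"), "w") as f:
        f.write("quarterly figures\n")

    baseline = backup(live, dest)      # manifest recorded at backup time
    simulate_damage(live)
    alarm = diff_manifests(baseline, manifest(live))

    restore(dest, live)
    recovered = manifest(live) == baseline   # the restore is only done when this holds
    return alarm, recovered


if __name__ == "__main__":
    alarm, ok = drill()
    print("modified/added/deleted:", alarm)
    print("restore verified:", ok)
```

The point of the drill is the last comparison: a backup whose restore has never been checked against a manifest recorded at backup time is a hope, not a procedure.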

2,232 Comments

  1. Tomi Engdahl says:

    What Keeps Security Professionals Up at Night? Their Users
    http://www.securityweek.com/what-keeps-security-professionals-night-their-users

    You might believe that the expensive network security hardware you installed will protect you from bad actors — until a single employee undoes all that good work when he doesn’t realize the attachment he just opened carries dangerous malware. It’s hard keeping criminals from infiltrating networks, much less worrying that users will simply open the door to bad guys by letting their guard down.

    According to a survey of attendees at the 2016 RSA Conference, users cause the most sleepless moments for security professionals. We asked 100 attendees, “Are users your biggest security headache?” Seventy-percent said yes

    Endpoints are the biggest source of security risk

    In line with concerns about users, security professionals are also worried about endpoint security: After all, this is where concerns about protecting entry points and user behavior intersect. Forty-nine percent of security professionals we surveyed said endpoints are the source of their greatest security risk, followed by insider threats (21 percent), networks (16 percent), and the cloud (14 percent). This fear is borne out by research: Verizon’s 2015 Data Breach Investigations Report says that end-user devices were a factor in 82 percent of security incidents.

    Delays in patching zero-day vulnerabilities

    Patching for known vulnerabilities is part of a “low hanging fruit” approach to security – in other words, it’s a straightforward way to prevent threats using zero-day vulnerabilities. When asked how quickly their organizations patched for zero-day vulnerabilities, 50 percent of security professionals said they did so in the first week. However, 24 percent said they waited a month, and 26 percent said more than a month. A delayed approach to patching leaves dangerous windows open to bad actors.

  2. Tomi Engdahl says:

    Network Security: The Unknown Unknowns
    http://www.securityweek.com/network-security-unknown-unknowns

    Conveniently, Robertson has written a series of blog posts to describe how to get up and running quickly with the Assimilation Project:

    1. Fifteen Minutes to Better Security

    2. An Hour Towards Better Security

    3. A Half-Day to Better Security

    The Fifteen Minute article leads you through the steps of downloading the automated install script to install the Assimilation Project and its dependencies

    The Assimilation Project depends on Neo4j, so next you start the database, the central service, and the inventory agent. Once the discovery and collection is completed, which only takes a few minutes, you can produce a snapshot of a single system.

    In part three of Robertson’s series, he describes how to remotely install the nanoprobe agent onto other systems in your network. The nanoprobe sends the collected configuration data to the CMA server, so that you can continue to visualize the services offered in your network

  3. Tomi Engdahl says:

    Zack Whittaker / ZDNet:
    GAO report raises privacy and accuracy concerns with FBI’s facial recognition program, which now has over 173M driver’s license photos and 411M photos total

    FBI has 411 million photos in its facial recognition system, and a federal watchdog isn’t happy
    http://www.zdnet.com/article/federal-watchdog-concerned-at-fbi-biometric-database/

    The watchdog said it had “concerns regarding both the effectiveness of the technology” and the “protection of privacy and individual civil liberties.”

  4. Tomi Engdahl says:

    Michael del Castillo / CoinDesk:
    Microsoft’s Project Bletchley is an Azure-powered enterprise blockchain architecture with blockchain middleware and “cryptlets”, which can add info to contracts — Microsoft today unveiled a new project designed to make it easier for businesses across a wide range of industries …

    Microsoft Launches Blockchain Fabric to Help Enterprises Form Consortia
    http://www.coindesk.com/microsoft-unveils-project-bletchley-streamline-consortium-construction/

  5. Tomi Engdahl says:

    Alex Johnson / NBC News:
    “Spam King” Sanford Wallace is sentenced to 30 months in prison and a $100K+ fine for bombarding over 550K Facebook users

    ‘Spam King’ Sanford Wallace Sentenced to 2½ Years for Facebook Scheme
    http://www.nbcnews.com/tech/internet/spam-king-sanford-wallace-sentenced-2-years-facebook-scheme-n592651

    Sanford Wallace, the self-proclaimed “spam king” who has bedeviled Web users since the dawn of the public Internet two decades ago, has been sentenced to 30 months in prison and ordered to pay hundreds of thousands of dollars in restitution for bombarding Facebook users, according to court records.

    Wallace, 47 — also known as “Spamford” and the handle he preferred himself, “the Spam King” — pleaded guilty in August to electronic mail fraud and to criminal contempt of court

    According to the 2011 indictment, Wallace — using the aliases “David Frederix” and “Laura Frederix,” along with at least 1,500 fake Internet domain names (including “GayestProfile.com”) — illegally obtained Facebook users’ account information to lure them into clicking on a link that would download their friend lists and redirect them to other websites.

    In just four days over three user sessions from November 2008 to February 2009, he flooded more than 550,000 Facebook users with more than 27 million spam messages, prosecutors said.

    The contempt charge arose from Wallace’s disregard of three 2009 court orders never to visit Facebook.

  6. Tomi Engdahl says:

    Morgen Peck / Backchannel:
    Profile of Vitalik Buterin, inventor of Ethereum, the cryptocurrency rivaling Bitcoin and inspiring a movement — Vitalik Buterin invented the world’s hottest new cryptocurrency and inspired a movement—before he’d turned 20.

    The Uncanny Mind That Built Ethereum
    https://backchannel.com/the-uncanny-mind-that-built-ethereum-9b448dc9d14f#.bthlbd7ft

    Vitalik Buterin invented the world’s hottest new cryptocurrency and inspired a movement — before he’d turned 20.

  7. Tomi Engdahl says:

    Malware Levels Drop As Huge Botnet Goes Offline
    http://www.techweekeurope.co.uk/security/malware-botnet-offline-193667

    A major botnet has mysteriously disappeared in recent days, killing off two large-scale malware campaigns

    One of the largest networks of compromised systems on the Internet has mysteriously gone dark in recent days, leading to a noticeable fall-off in the distribution of spam and malware, computer security researchers have found.

    Several IT security firms have confirmed that Necurs, which is believed to be one of the biggest botnets in existence, controlling several million compromised computers, went offline on June 1.


  8. Tomi Engdahl says:

    Hackers Hijack ISIS Twitter Accounts With Gay Porn After Orlando Attack
    Anonymous hacker targets Twitter accounts of ISIS supporters following Orlando attacks.
    http://europe.newsweek.com/isis-twitter-accounts-gay-porn-orlando-attacks-anonymous-470300

    Twitter accounts belonging to supporters of the Islamic State militant group (ISIS) have been hacked in the wake of the Orlando shooting, with jihadist content replaced with gay pride messages and links to gay pornography.

    A hacker affiliated with the hacktivist collective Anonymous, who uses the online moniker WauchulaGhost, first began hijacking pro-ISIS Twitter accounts several months ago. Following the mass shooting at the Pulse gay nightclub in Orlando, Florida, on June 13, the hacker decided to replace ISIS imagery posted to the accounts with rainbow flags and pro-LGBT messages.

    The vigilante hacker claims to have taken over 200 Twitter accounts belonging to ISIS supporters. However, many have since been taken down by Twitter.

  9. Tomi Engdahl says:

    Schneider Patches Severe Flaw in Video Management System
    http://www.securityweek.com/schneider-patches-severe-flaw-video-management-system

    Schneider Electric has released a software update for its Pelco Digital Sentry video management solution to address a high severity vulnerability that allows attackers to compromise affected systems.

    Pelco Digital Sentry (DS) is advertised as a video management system that is ideal for education, healthcare and corporate environments. Schneider Electric has learned that the product is plagued by what it describes as a privilege escalation flaw.

    More precisely, Pelco DS contains hardcoded credentials that can be leveraged by an attacker to elevate their privileges and gain access to sensitive information or execute arbitrary code on the affected system. Schneider has assigned a CVSS v3 score of 8.6 to this vulnerability.

    This is not the first time Schneider has learned of vulnerabilities in its Pelco DS product.

  10. Tomi Engdahl says:

    Flaw Allowed Hackers to Steal Emails From Verizon Users
    http://www.securityweek.com/flaw-allowed-hackers-steal-emails-verizon-users

    A critical vulnerability affecting Verizon’s webmail service could have been exploited by malicious actors to silently forward a targeted user’s emails to an arbitrary address.

    Researcher Randy Westergren discovered several vulnerabilities in Verizon’s webmail portal. The most serious of them was related to the feature that allows users to forward all incoming emails to a specified address. When this feature is enabled, the forwarded emails are not shown in the normal Verizon inbox.

    The expert determined that the value of the userID was associated with an internal verizon ID. However, he found a way to look up the internal ID and obtain the mail ID for a specified email address by using a Verizon API.

    “Any user with a valid Verizon account could arbitrarily set the forwarding address on behalf of any other user and immediately begin receiving his emails — an extremely dangerous situation given that a primary email account is typically used to reset passwords for other accounts that a user might have, e.g. banking, Facebook, etc,” Westergren said in a blog post.

    Critical Vulnerability Compromising Verizon Email Accounts (Again)
    https://randywestergren.com/critical-vulnerability-compromising-verizon-email-accounts/

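An added illustration of the bug class in the comment above, written in Python as a toy and not taken from Verizon's webmail or Westergren's write-up: a forwarding-settings handler that trusts the user id carried in the request, beside one that checks it against the logged-in session and logs every change so that cross-user modifications can be alerted on. User names and addresses are constructed.

```python
from dataclasses import dataclass


@dataclass
class Session:
    """Server-side session record: who is actually logged in (constructed stand-in)."""
    user_id: str


class ForwardingSettings:
    """Toy mail-forwarding settings store; constructed for illustration only."""

    def __init__(self):
        self.forward_to = {}   # user_id -> address all incoming mail is sent on to
        self.audit = []        # (acting user, target user, outcome)

    def set_forwarding_vulnerable(self, session, target_user_id, address):
        # The flaw: the target id comes from the request and is trusted as-is, so any
        # logged-in user can point another user's mail at an address of their choosing.
        self.forward_to[target_user_id] = address
        self.audit.append((session.user_id, target_user_id, "set"))

    def set_forwarding_fixed(self, session, target_user_id, address):
        # Fix: authorize the request against the session, not the client-supplied id.
        # (Dropping the target parameter and using session.user_id alone is better still.)
        if target_user_id != session.user_id:
            self.audit.append((session.user_id, target_user_id, "denied"))
            raise PermissionError("forwarding may only be changed for the logged-in user")
        self.forward_to[target_user_id] = address
        self.audit.append((session.user_id, target_user_id, "set"))

    def cross_user_changes(self):
        """Detection: audit entries where the actor touched someone else's setting."""
        return [entry for entry in self.audit if entry[0] != entry[1]]


def demo():
    """Same request against both handlers; returns what each one allowed."""
    alice = Session("alice")

    vulnerable = ForwardingSettings()
    vulnerable.set_forwarding_vulnerable(alice, "bob", "elsewhere@example.invalid")
    hijacked = vulnerable.forward_to.get("bob")

    fixed = ForwardingSettings()
    try:
        fixed.set_forwarding_fixed(alice, "bob", "elsewhere@example.invalid")
        denied = False
    except PermissionError:
        denied = True
    fixed.set_forwarding_fixed(alice, "alice", "alice-backup@example.invalid")

    return hijacked, denied, len(fixed.cross_user_changes()), fixed.forward_to
```

Even with the check in place, silently rerouting someone's mail is the kind of change worth confirming out of band, for instance by notifying the account's existing address whenever forwarding is set.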
  11. Tomi Engdahl says:

    Chinese Attackers Conduct Cyberespionage for Economic Gain
    http://www.securityweek.com/chinese-attackers-conduct-cyberespionage-economic-gain

    A threat group believed to be affiliated with the Chinese government has been conducting cyber espionage operations against Myanmar and other countries for economic gain.

  12. Tomi Engdahl says:

    AT&T Sees 30 Billion Malicious Network Scans Daily
    http://www.securityweek.com/att-sees-30-billion-malicious-network-scans-daily

    Network provider AT&T says it has to deal with large numbers of cyber-attacks each day on its global network, and that it sees around 30 billion malicious scans daily on its IP network.

    According to Jason Porter, Security Solutions Vice President at AT&T, the company blocks 5 billion malicious scans targeted specifically to the company every day, as attackers are probing for vulnerabilities they can exploit. What’s more, the provider sees 400 million spam messages on its global IP network each day and blocks 200,000 malware events targeted specifically to it.

    With an even larger number of cyber-attacks happening around the world each day, it’s no surprise that many companies suffer data breaches. In fact, AT&T’s newly published Cybersecurity Insights, “The CEO’s Guide to Cyberbreach Response” report shows that 62% of organizations experienced a security breach last year.

    According to AT&T’s research, 42 percent of the organizations that admitted experiencing a breach said the negative impact they suffered following was significant. However, only 34 percent of organizations believe they have an effective incident response plan, and only 16 percent of passive companies have a strong incident response plan in place, the report reveals.

    The company’s report reveals that AT&T logged over 245,000 distributed denial of service (DDoS) alerts across its global data network over a 12-month period. However, it reveals that traditional brute-force DDoS attacks are not the only threat that organizations of all sizes face daily: concealed attacks such as ransomware are on the rise and pose a significant threat too.

    “Most organizations have invested in a variety of tools, processes, and personnel to help protect sensitive systems and data against these threats. But given the sheer volume of attacks, it’s highly likely that one or more will penetrate your defenses. This is why, in addition to threat prevention and detection, you must invest in a comprehensive incident response plan,” AT&T says.

  13. Tomi Engdahl says:

    APT Group Uses Flash Zero-Day to Attack High-Profile Targets
    http://www.securityweek.com/apt-group-uses-flash-zero-day-attack-high-profile-targets

    The Flash Player zero-day vulnerability whose existence was brought to light on Tuesday by Adobe has been exploited by a relatively new advanced persistent threat (APT) group named by Kaspersky Lab “ScarCruft.”

  14. Tomi Engdahl says:

    Matt Levine / Bloomberg:
    The “theft” of Ethereum from the DAO violated the DAO’s intent, but not its smart contract, exposing tensions between blockchain idealism and real world systems

    Blockchain Company’s Smart Contracts Were Dumb
    http://www.bloomberg.com/view/articles/2016-06-17/blockchain-company-s-smart-contracts-were-dumb

    We talked this morning about a hack at the DAO, the Distributed Autonomous Organization that lives on the Ethereum blockchain and that was supposed to take money from investors and invest it in projects voted on by the investors and administered through smart contracts. Instead — surprise! — the DAO was hacked, and about $60 million worth of Ether (Ethereum’s digital currency) was stolen. Or that is the terminology — “hacked,” “stolen” — that most people have used, and that I used this morning. But maybe it is wrong? The most interesting thing to read about the DAO hack is this Medium post:

    By any usual interpretation (including those commonly used by Slock.it’s team in the past hours) the hacker has stolen money from other users and violated the intent of the DAO.

    However, according to the DAO’s own legal contract, there is no such thing as theft and the intent is completely unimportant — the only important and relevant thing are the smart contracts themselves. Consequently, there is no real legal difference between a feature and an exploit. It is all a matter of perspective.

    For example, one interpretation is that this unusual recursive splitting function is itself a feature and that a user simply used this feature to take funds into a sub-DAO.

    That is: The DAO was advertised to users as, well, a Distributed Autonomous Organization that was supposed to take money from investors and put it in projects voted on by the investors and administered through smart contracts.

    There were websites and forums explaining, in English, for humans, how the DAO would work, what its security features were, etc. (Some of the explaining was done by Slock.it, a blockchain company associated with the DAO.) But there was also this bit of boilerplate:

    The terms of The DAO Creation are set forth in the smart contract code existing on the Ethereum blockchain at 0xbb9bc244d798123fde783fcc1c72d3bb8c189413. Nothing in this explanation of terms or in any other document or communication may modify or add any additional obligations or guarantees beyond those set forth in The DAO’s code. Any and all explanatory terms or descriptions are merely offered for educational purposes and do not supercede or modify the express terms of The DAO’s code set forth on the blockchain.

  15. Tomi Engdahl says:

    William Alden / BuzzFeed:
    A detailed report of a penetration test Palantir conducted; firm says issues are now resolved

    How Hired Hackers Got “Complete Control” Of Palantir
    https://www.buzzfeed.com/williamalden/how-hired-hackers-got-complete-control-of-palantir?utm_term=.cs2BQjEwp#.ixjoME0WY

    Palantir hired a cybersecurity firm last year to test its digital defenses. A confidential report shows how the pro hackers were able to dominate the tech company’s network.

    Palantir Technologies has cultivated a reputation as perhaps the most formidable data analysis firm in Silicon Valley, doing secretive work for defense and intelligence agencies as well as Wall Street giants. But when Palantir hired professional hackers to test the security of its own information systems late last year, the hackers found gaping holes that left data about customers exposed.

    Palantir, valued at $20 billion, prides itself on an ability to guard important secrets, both its own and those entrusted to it by clients. But after being brought in to try to infiltrate these digital defenses, the cybersecurity firm Veris Group concluded that even a low-level breach would allow hackers to gain wide-ranging and privileged access to the Palantir network, likely leading to the “compromise of critical systems and sensitive data, including customer-specific information.”

    This conclusion was presented in a confidential report, reviewed by BuzzFeed News, that detailed the results of a hacking exercise run by Veris over three weeks in September and October last year.

    It is not known whether Palantir’s systems have ever been breached by real-world intruders. But the results of the hacking exercise — known as a “red team” test — show how a company widely thought to have superlative ability to safeguard data has struggled with its own data security.

    The red team intruders, finding that Palantir lacked crucial internal defenses, ultimately “had complete control of PAL’s domain,” the Veris report says, using an acronym for Palantir. The report recommended that Palantir “immediately” take specific steps to improve its data security.

  16. Tomi Engdahl says:

    Frederic Lardinois / TechCrunch:
    Mozilla announces experimental “containers” feature that lets Firefox users log in to sites using different identities within the same browser

    Experimental Firefox feature lets you use multiple identities while surfing the web
    https://techcrunch.com/2016/06/16/experimental-firefox-feature-lets-you-use-multiple-identities-while-surfing-the-web/

    Mozilla’s Firefox browser is getting a new experimental feature today that aims to help you segregate your online identities and allow you to sign in to multiple mail or social media accounts side-by-side without having to use multiple browsers.

    This new “container tab” feature, which is now available in the unstable Nightly Firefox release channel, provides you with four default identities (personal, work, shopping and banking) with their own stores for cookies, IndexedDB data store, local storage and caches. In practice, this means you can surf Amazon without ads for products you may have looked at following you around the web when you switch over to your work persona.

    As the Firefox team notes, the idea behind this feature isn’t new, but nobody has figured out how to best present this new tool to users.

  17. Tomi Engdahl says:

    Ethereum/TheDAO hack simplified
    http://blog.erratasec.com/2016/06/etheriumdao-hack-similfied.html#.V2WDVDXeI64

    The news in the Bitcoin world is the Ethereum/DAO hack. I thought I’d write up a simplified explanation.

    How can they recover the stolen money?
    They can’t — at least not without destroying the entire principle of cryptocurrencies. It’s like trying to cure cancer with a Howitzer.

    One solution is to roll-back the blockchain before the theft. Of course, that means screwing over everybody who made a transaction since then. You’d be screwing people out of $1 million in order to compensate the theft of $100 million. This is, of course, the type of corrupt thinking that gets us into banking failures in the real world, as we screw over everyone else in order to protect those banks who are too big to fail.

    Another solution is to update the Ethereum code to blacklist this address, or better yet, insert a magic key that will give control over those funds back to TheDAO.

    The problem with changing the code is that it forks the blockchain.

    What does this all mean?
    I’m a crypto-anarchist. The entire point of cryptocurrencies is to get around corrupt humans. And that’s what trying to repair this problem is — corruption. It’s a violation of TheDAO’s own contract, which says the code is the contract, not to be superseded by human re-interpretation.

    In any case, the original concept of TheDAO is useless utopian nonsense. The original Bitcoin was created by people who actually understood a lot about currency. TheDAO was created by people who are hopelessly naive about investing, who then put the system in the hands of trained monkeys. This isn’t “wisdom of the crowds”, as they proposed, but “ignorance of the mob”.

  18. Tomi Engdahl says:

    Andy Chalk / PC Gamer:
    Twitch files lawsuit against seven makers of “view-bots, follow-bots, chat-impersonation bots” designed to artificially inflate the viewer and follower counts

    Twitch sues bot makers
    http://www.pcgamer.com/twitch-sues-bot-makers/

    The legal hammer is being dropped on seven of the most prolific bot-makers.

  19. Tomi Engdahl says:

    Zack Whittaker / ZDNet:
    Acer alerts 34,500 customers of its online store between May 2015 and April 2016 that hackers have stolen their credit card data — It’s not known how many online store users are affected. — Acer has quietly informed the California attorney general that its online store was attacked by hackers.

    Acer store flaw let a hacker steal a year’s worth of credit cards
    All affected users are from US, Canada, and Puerto Rico.
    http://www.zdnet.com/article/acer-online-store-flaw-let-hackers-steal-a-years-worth-of-credit-cards/

    Acer has quietly informed the California attorney general that its online store was attacked by hackers.

    In a letter dated Wednesday, the Taiwanese technology giant admitted that an unauthorized outside party had taken a year’s worth of full credit card data, names and addresses between mid-May 2015 and late-April this year.

    The company said it hasn’t found any evidence yet that passwords or logins were affected, but didn’t outright rule it out.

  20. Tomi Engdahl says:

    The Confidence to Excel in the Digital Economy
    http://www.securityweek.com/confidence-excel-digital-economy

    There’s nothing more exciting than a team that seems to overcome the odds to win a championship. Is it the coaching, the training, or determination of the players? Whatever the reason, their confidence builds and allows them to push forward and excel.

    A convergence of multiple technology innovations that use connectivity – such as the cloud, big data and analytics, and the Internet of Things (IoT) – allows them to move quickly and take advantage of new opportunities. Organizations must adapt to this competitive environment, or risk being displaced.

    Successful organizations compete and thrive in this new era by recognizing that digital transformation requires a strong cybersecurity foundation. Unfortunately, many organizations are missing out because they lack a comprehensive security program.

    Nearly every industry can gain an advantage in the game by developing a strong security posture. Here is just one example in each of four industries.

    Manufacturing. Remote maintenance sometimes requires that companies open their networks to outside vendors – an entirely new approach for many manufacturers. These vendors need to access the company’s machinery and data so they can identify and resolve issues. Providing internet-based access to machines can minimize machine downtime by allowing companies to fix problems over the network, versus having to send a repair expert to a specific location. But centralized remote maintenance systems carry high levels of risk as breaches can wreak havoc on a factory’s control and automation systems and cause significant disruption.

    Financial Services. New research shows that the global mobile payment market is expected to reach $620 billion USD in 2016, up nearly 38 percent from 2015. The strength of the mobile payment business depends on customer trust. Financial services firms must be able to prevent security breaches – and detect and remedy them quickly if they occur.

    Retail. In-store analytics helps retailers improve efficiency through dashboards, real-time information, operational analytics, workforce management tools, and shopping analytics. But this is predicated on customers sharing data. A security breach that compromises information quality and privacy could negatively impact customers’ willingness to share data and diminish the digital value in-store analytics can provide.

    Oil and Gas. Cybersecurity plays a defining role in oil spillage detection and thus faster control over the situation. When digital oil-control systems are inaccessible, oil spills can go undetected for extended periods of time.

    No matter how your team is ranked going into the game, you have the opportunity to increase your probability of winning by giving your players the confidence to become victors.

  21. Tomi Engdahl says:

    Attackers Used Leaked Passwords to Hack GitHub Accounts
    http://www.securityweek.com/attackers-used-leaked-passwords-hack-github-accounts

    GitHub informed users on Thursday that it has reset the passwords of an unspecified number of accounts after they had been compromised by attackers who leveraged credentials leaked from other online services.

    Many people don’t change their passwords regularly and they use the same credentials across multiple websites, allowing malicious actors to hack into their accounts. This is apparently what happened in GitHub’s case as well.

    The company said attackers attempted to access a large number of GitHub.com accounts.

    The passwords of the affected accounts have been reset and impacted users are being notified. GitHub pointed out that its systems have not been compromised.

    “We encourage all users to practice good password hygiene and enable two-factor authentication to protect your account,” the company said.

  22. Tomi Engdahl says:

    Losses From Business Email Compromise Scams Top $3.1 Billion: FBI
    http://www.securityweek.com/losses-business-email-compromise-scams-top-31-billion-fbi

    Just two months ago, the Federal Bureau of Investigation (FBI) said that cybercriminals had managed to scam $2.3 billion from 17,642 victims in at least 79 countries through business email compromise (BEC) from October 2013 through February 2016. The FBI has since updated those figures to over 22,000 victims and nearly $3.1 billion in losses, as of May 2016.

    According to a new Public Service Announcement (PSA) from the FBI’s Internet Crime Complaint Center (IC3), BEC scams continue to evolve fast, while targeting businesses of all size.

  23. Tomi Engdahl says:

    Huge US Facial Recognition Database Flawed: Audit
    http://www.securityweek.com/huge-us-facial-recognition-database-flawed-audit

    The FBI’s facial recognition database has more than 400 million pictures to help its criminal investigations, but lacks adequate safeguards for accuracy and privacy protection, a congressional audit shows.

    The huge database — which enables investigators to automatically search images for criminal suspects — “is far greater than had previously been understood” and raises concerns “about the risk of innocent Americans being inadvertently swept up in criminal investigations,” said Senator Al Franken, who requested the study.

    “I will be asking tough questions about the FBI’s use of facial recognition technology and its plans to improve the testing, transparency, and privacy protections of its system,”

    The FBI’s database includes some 30 million criminal mugshots and 140 million images from visa applications by foreign nationals, the GAO found. It also contains drivers’ license pictures from 16 US states and 6.7 million photos from the Defense Department’s biometric identification system of individuals detained by US forces abroad, among others.

    “The FBI should better ensure privacy and accuracy,”

  24. Tomi Engdahl says:

    Department of Defense expanding Hack the Pentagon program
    https://techcrunch.com/2016/06/17/department-of-defense-expanding-hack-the-pentagon-program/

    Wanna hack the military? The Department of Defense is starting to give hackers more opportunities to test its systems without the threat of prosecution.

    The department announced today that it is expanding its Hack the Pentagon program to include more DoD systems and networks. Hack the Pentagon pays hackers to find and report vulnerabilities in exchange for cash, and so far it’s proved effective — the first bug was reported 13 minutes after the program launched.

    Hack the Pentagon initially ran as a pilot program between April 18 and May 12 of this year and only included five DoD websites, but DoD plans to develop it into a permanent program that collects vulnerability reports on more websites and systems. The introduction of Hack the Pentagon represents the first time the U.S. government has experimented with a commercial bug bounty that allowed participating hackers to be paid for discovering vulnerabilities.

  25. Tomi Engdahl says:

    GitHub accounts targeted in password reuse attack
    https://techcrunch.com/2016/06/16/github-accounts-targeted-in-password-reuse-attack/

    Following a massive cache of LinkedIn passwords being dumped online last month, users of another online service — GitHub — have become the latest target of a password reuse attack as hackers apparently seek to exploit credentials obtained elsewhere to gain illicit access to user accounts and data.

    Writing on its blog today developer project hosting service GitHub said that on Tuesday evening PST it became aware of “unauthorized attempts to access a large number of GitHub.com accounts”.

  26. Tomi Engdahl says:

    Hackers target Isis supporters with thousands of graphic ‘Pornbots’ sex images
    http://www.ibtimes.co.uk/hackers-attack-isis-supporters-thousands-graphic-pornbots-sex-images-1564187

    Vigilante hackers on social media are spamming pro-Islamic State (Isis) accounts with thousands of graphic porn images. The covert computer experts are using Twitter to follow supporters of the extremists and militants with accounts known as “Pornbots”.

    These Pornbots only show randomly-generated graphic sexual images automatically but as they never tweet, they cannot be deleted as spam. It would seem that the hackers targeted accounts who have shown support for the jihadists using certain hashtags.

    Soon after the Paris terror attacks an Anonymous supporter in a mask told the world that they would attack IS. “Anonymous from all over the world will hunt you down.”

    The masked speaker also hints at “massive cyberattacks”, adding: “War is declared. Get prepared.”

    Thousands of porn bots follow so-called Islamic State group on Twitter
    http://www.bbc.com/news/world-middle-east-36521057

    Thousands of porn bots have started following Twitter profiles sympathetic to so-called Islamic State (IS) group.

    Bots are computer programs that communicate with humans using artificial intelligence.

    Porn bots on Twitter can range from showing explicit profile pictures to posting links and images of adult content.

  27. Tomi Engdahl says:

    New ‘Hardened’ Tor Browser Protects Users From FBI Hacking
    https://yro.slashdot.org/story/16/06/19/2249239/new-hardened-tor-browser-protects-users-from-fbi-hacking

    According to a new paper, security researchers are now working closely with the Tor Project to create a “hardened” version of the Tor Browser, implementing new anti-hacking techniques which could dramatically improve the anonymity of users and further frustrate the efforts of law enforcement…

    Tor Is Teaming Up With Researchers To Protect Users From FBI Hacking
    http://motherboard.vice.com/read/tor-is-teaming-up-with-researchers-to-protect-users-from-fbi-hacking

    The FBI has had a fair amount of success de-anonymizing Tor users over the past few years. Despite the encryption software’s well-earned reputation as one of the best tools for online privacy, recent court cases have shown that government malware has compromised Tor users by exploiting bugs in the underlying Firefox browser—one of which was controversially provided to the FBI in 2015 by academic researchers at Carnegie Mellon University.

  28. Tomi Engdahl says:

    Can a Bunch of Doctors Keep an $8 Billion Secret? Not on Twitter
    http://www.bloomberg.com/news/articles/2016-06-14/can-hundreds-of-doctors-keep-an-8b-secret-not-on-twitter

    In New Orleans Monday, a major medical organization attempted a feat perhaps as hard as treating the disease doctors were there to discuss. They asked a packed convention hall of attendees not to tweet the confidential, market-moving data they had flown in to see.

    It didn’t work.

    In an unusual arrangement, the American Diabetes Association let hundreds, if not thousands, of in-person attendees see new data on Novo Nordisk A/S’s blockbuster diabetes treatment Victoza more than an hour before its official release to the public and the markets. That’s atypical for such sensitive data, which are usually shared only with journalists and researchers who have agreed to abide by strict terms, under threat of losing future access.

    After warning attendees not to share the information they were about to post, presenters in the hall put up slides showing that Bagsvaerd, Denmark-based Novo’s drug cut heart attacks and strokes by 13 percent and improved survival, while also lowering blood sugar rates and a host of other complications. While good news for diabetics, it was less than investors had hoped.

    Within minutes, some Twitter accounts were posting pictures of the charts, including key slides.

    “#2016ADA slides include unpublished data and are the intellectual property of the presenters,” the association tweeted at accounts who posted the data. “Please delete immediately.”

    It was too little, too late. Some of the tweets had already been re-tweeted by others, making it impossible to scrub the information from the web.

    Shares Drop

    On Tuesday, Novo’s shares fell 5.6 percent to 343 kroner, for their biggest one-day drop since February — confirmation of how important the information was to the market. The decline represented about a 52 billion kroner ($7.77 billion) decline in market value.

    The meeting organizers appeared aware of the potential for a leak. The moderator at the session, Matthew Riddle, an endocrinologist from Oregon Health & Science University in Portland, announced the embargo date and time at the start of the session, and the restrictions on sharing the data were noted on multiple slides.

    It’s not the first time medical meeting organizers have tried to restrict the distribution of information from the event they are running.

  29. Tomi Engdahl says:

    Slashdot Asks: Does Your Company Have A Breach Response Team?
    https://it.slashdot.org/story/16/06/19/1734239/slashdot-asks-does-your-company-have-a-breach-response-team

    This week HelpNetSecurity reported on a study that found that “the average data breach cost has grown to $4 million, representing a 29 percent increase since 2013... ‘The amount of time, effort and costs that companies face in the wake of a data breach can be devastating, and unfortunately most companies still don’t have a plan in place to deal with this process efficiently,’ said Caleb Barlow, Vice President of IBM Security.”

    The average cost of a data breach is now $4 million
    https://www.helpnetsecurity.com/2016/06/16/data-breach-cost-4-million/

    The average data breach cost has grown to $4 million, representing a 29 percent increase since 2013, according to the Ponemon Institute.

    Cybersecurity incidents continue to grow in both volume and sophistication, with 64 percent more security incidents reported in 2015 than in 2014. As these threats become more complex, the cost to companies continues to rise. In fact, the study found that companies lose $158 per compromised record. Breaches in highly regulated industries like healthcare were even more costly, reaching $355 per record – a full $100 more than in 2013.

    “The amount of time, effort and costs that companies face in the wake of a data breach can be devastating, and unfortunately most companies still don’t have a plan in place to deal with this process efficiently,” said Caleb Barlow, Vice President, IBM Security. “While the risk is inevitable, having a coordinated and automated response plan, as well as access to the right resources and skills, will make or break how much a company is impacted by a security event.”

    Slow response and lack of planning cost companies millions

    According to the study, leveraging an incident response team was the single biggest factor associated with reducing the cost of a data breach – saving companies nearly $400,000 on average (or $16 per record). In fact, response activities like incident forensics, communications, legal expenditures and regulatory mandates account for 59 percent of the cost of a data breach.

    The study also found the longer it takes to detect and contain a data breach, the more costly it becomes to resolve. While breaches that were identified in less than 100 days cost companies an average of $3.23 million, breaches that were found after the 100 day mark cost over $1 million more on average ($4.38 million).

    The average time to identify a breach in the study was 201 days, and the average time to contain a breach was 70 days.

  30. Tomi Engdahl says:

    You Acer holes! PC maker leaks payment cards in e-store hack
    Lost info includes names, addresses, numbers and security codes
    http://www.theregister.co.uk/2016/06/17/what_a_pain_in_the_acer/

    Acer’s insecure customer database spilled people’s personal information – including full payment card numbers – into hackers’ hands for more than a year.

    The PC maker has started writing to customers [PDF] warning that their personal records were siphoned off from its online store by crooks between May 12, 2015 and April 28, 2016.

    Acer did not say how many customers had their details swiped.

    The lost data includes customer names, addresses, card numbers, and three-digit security verification codes on the backs of the cards. Acer says that no passwords or social security numbers were obtained by the thieves, which will be of no comfort whatsoever to the victims.

    https://oag.ca.gov/system/files/Customer%20Notice%20Letter%20-%20California_0.pdf?

  31. Tomi Engdahl says:

    Ransomware scum build weapon from JavaScript
    Demands $250, steals passwords for good measure
    http://www.theregister.co.uk/2016/06/20/ransomware_scum_build_weapon_from_javascript/

    New ransomware written entirely in JavaScript has appeared, encrypting users’ files for a US$250 (£172, A$336) ransom and installing a password-stealing application.

    Bleeping Computer malware man Lawrence Abrams described the ransomware, noting it is shipped as a JS file and uses the CryptoJS library for AES encryption.

    “RAA is currently being distributed via emails as attachments that pretend to be doc files and have names like mgJaXnwanxlS_doc_.js,” Abrams says.

    “When the JS file is opened it will encrypt the computer and then demand a ransom of about US$250 USD to get the files back.

    “To make matters worse, it will also extract the embedded password stealing malware called Pony from the JS file and install it onto the victim’s computer.”

    The ransomware launches a word document that appears to be corrupted, and serves to distract users while the malware encrypts files.

  32. Tomi Engdahl says:

    Ethereum Debate Marred By Second Digital Currency Heist
    https://news.slashdot.org/story/16/06/19/1839226/ethereum-debate-marred-by-second-digital-currency-heist

    Thursday’s news of a $50 million heist of digital currency at Ethereum was followed today by reports of a second heist from the DAO, according to the Bitcoin News Service — this one for just 22 Ether. “It appears this is just someone who wanted to test the exploit and see if they could use it to their advantage… ”

    Vitalik Buterin, the co-founder of Ethereum, posted Sunday that “Over the last day with the community’s help we have crowdsourced a list of all of the major bugs with smart contracts on Ethereum so far, including both the DAO as well as various smaller 100-10000 ETH thefts and losses in games and token contracts.”

    “Because of the way the code in question is written, Ethereum’s developers and community have 27 days to decide what to do before the hackers are able to move the money and cash out…”

    The clock is ticking now; the world is watching.

  33. Tomi Engdahl says:

    DAO Ether Trading Platform to Shut Down Following Ongoing Cyber-Heist
    DAO creator says platform is shutting down

    The price of Ether dropped substantially today after news broke of an ongoing cyber-attack on the DAO platform from where crooks managed to steal more than $50 million in Ether, a third of the platform’s total funds.

    Read more: http://news.softpedia.com/news/dao-ether-trading-platform-to-shut-down-following-ongoing-cyber-heist-505381.shtml#ixzz4C7N01q62

    Blockchain Company’s Smart Contracts Were Dumb
    http://www.bloomberg.com/view/articles/2016-06-17/blockchain-company-s-smart-contracts-were-dumb

    We talked this morning about a hack at the DAO, the Distributed Autonomous Organization that lives on the Ethereum blockchain and that was supposed to take money from investors and invest it in projects voted on by the investors and administered through smart contracts. Instead — surprise! — the DAO was hacked, and about $60 million worth of Ether (Ethereum’s digital currency) was stolen. Or that is the terminology — “hacked,” “stolen” — that most people have used, and that I used this morning. But maybe it is wrong?

    That is: The DAO was advertised to users as, well, a Distributed Autonomous Organization that was supposed to take money from investors and put it in projects voted on by the investors and administered through smart contracts. (I mean, it was advertised in much more hyperbolic ways than that — “a new breed of human organization never before attempted,” etc. — but the gist was a vote-based venture fund. See here for more explanation.)

    But there was also this bit of boilerplate:

    The terms of The DAO Creation are set forth in the smart contract code existing on the Ethereum blockchain at 0xbb9bc244d798123fde783fcc1c72d3bb8c189413. Nothing in this explanation of terms or in any other document or communication may modify or add any additional obligations or guarantees beyond those set forth in The DAO’s code. Any and all explanatory terms or descriptions are merely offered for educational purposes and do not supercede or modify the express terms of The DAO’s code set forth on the blockchain.

    The descriptions didn’t matter; only the code did. The descriptions didn’t allow for today’s hack, but the code did. (By definition! If the code could be hacked, the code allowed for the hack.) Any vulnerabilities in the DAO’s code were not flaws in the code; they were flaws in the descriptions — which were purely for entertainment purposes. The DAO’s websites failed to explain to investors that the code allowed a hacker to take $60 million by using a “recursive splitting function.” But the recursive splitting function itself is part of the DAO’s code, and therefore part of the DAO. Using it isn’t a “hack,” and using it to take money isn’t a “theft”; it is just using the DAO as intended.

    The words “hack” and “theft” make human, normative presumptions about how you’re supposed to use the DAO code. But the code doesn’t care. The code can’t be “hacked.” It can only be used; its use has no normative implications.

    The DAO’s leaders, and the community at the Ethereum blockchain that created it, are now trying to fix the hack by freezing the hacker’s funds and discussing what to do next.

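    The “recursive splitting function” that the Bloomberg, Errata Security and Slashdot items above (comments 14, 17, 32 and 33) keep circling is what smart-contract developers call a re-entrancy bug: the contract hands funds (and with them control) to the caller before it has recorded that the withdrawal happened, so the caller can re-enter the same function during the transfer and be paid again from a balance that has not yet been zeroed. The Python model below is an added example, not the DAO’s Solidity code and not anything from an Ethereum client; the class and method names are hypothetical, the `receive` callback stands in for the fallback function that gets control when Ether is sent, and the “hardened” variant shows the checks-effects-interactions ordering that closes the hole.

```python
"""Toy model of the re-entrancy pattern behind the DAO drain.

Added example: hypothetical classes, not the DAO's actual contract code.
"""


class InsufficientFunds(Exception):
    pass


class VulnerableFund:
    """Withdraw pays out before it updates the caller's balance."""

    def __init__(self, deposits):
        self.balances = dict(deposits)       # account -> credited amount
        self.pool = sum(deposits.values())   # value the contract actually holds

    def withdraw(self, account, recipient):
        amount = self.balances.get(account, 0)
        if amount <= 0:
            raise InsufficientFunds(account)
        # 1. interaction first: send, which hands control to the recipient
        self.pool -= amount
        recipient.receive(self, account, amount)
        # 2. effect last: the balance is zeroed only after the send, so a
        #    re-entrant call made during step 1 still sees the full balance
        self.balances[account] = 0


class HardenedFund(VulnerableFund):
    """Checks-effects-interactions: zero the balance before sending."""

    def withdraw(self, account, recipient):
        amount = self.balances.get(account, 0)
        if amount <= 0:
            raise InsufficientFunds(account)
        self.balances[account] = 0           # effect first
        self.pool -= amount                  # then the interaction
        recipient.receive(self, account, amount)


class HonestRecipient:
    def __init__(self):
        self.received = 0

    def receive(self, fund, account, amount):
        self.received += amount


class ReentrantAttacker(HonestRecipient):
    """Re-enters withdraw from inside the payment callback while funds remain."""

    def __init__(self, max_depth=50):
        super().__init__()
        self.max_depth = max_depth   # stands in for the EVM call-depth limit
        self.depth = 0

    def receive(self, fund, account, amount):
        self.received += amount
        self.depth += 1
        try:
            if self.depth < self.max_depth and fund.pool >= amount:
                fund.withdraw(account, self)   # balance not yet zeroed: pays again
        except InsufficientFunds:
            pass                               # hardened fund refuses the re-entry
        finally:
            self.depth -= 1


def run_drain(fund_cls, deposits, attacker_account):
    """Let the attacker withdraw once; return (attacker's take, what is left)."""
    fund = fund_cls(deposits)
    attacker = ReentrantAttacker()
    fund.withdraw(attacker_account, attacker)
    return attacker.received, fund.pool


if __name__ == "__main__":
    deposits = {"attacker": 10, "alice": 50, "bob": 40}   # constructed ledger
    print("vulnerable:", run_drain(VulnerableFund, deposits, "attacker"))
    print("hardened:  ", run_drain(HardenedFund, deposits, "attacker"))
```

    With a 10-unit deposit against a 100-unit pool the vulnerable fund pays the attacker the whole pool in one nested call chain, while the hardened fund pays out 10 and rejects every re-entry, because the balance is already zero by the time control leaves the contract. The same reordering, plus a re-entrancy guard, is the standard fix in Solidity; the model leaves out gas, call-depth accounting and the child-DAO mechanics, which only change how many iterations fit in one transaction, not whether the drain works.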
  34. Tomi Engdahl says:

    Network Security Theatre
    http://hackaday.com/2016/06/20/network-security-theatre/

    Unlike academia, security professionals don’t make a name for themselves by publishing in journals. The pecking order of the security world is determined at these talks. The best talks, and the best media coverage command higher consultancy fees. It’s an economy, and of course there will always be people ready to game the system.

    Like academia, these talks are peer-reviewed. Press releases given before the talks are not, and between the knowledge of security researchers and the tech press is network security theatre. In this network security theatre, you don’t really need an interesting exploit, technique, or device, you just need to convince the right people you have one.

    The clearest example of security researchers using the media and lifestyle blogs to increase their presence at a security conference is ProxyHam. This talk, planned then cancelled for DEF CON 23, laid the groundwork for an online anonymity box that would keep anyone secure from NSA snooping and balaclava-wearing foes.

    The case of ProxyHam was far more interesting: instead of hacking a few 900MHz network bridges and a Raspberry Pi, [Ben Caudill] hacked the media. [Ben] was very careful not to give anyone a reason on why he cancelled his talk, allowing speculation to run rampant through the Twitterverse and Blogosphere.

    The simpler, more reasonable, and only probable reason why the ProxyHam talk was cancelled was far more mundane. ProxyHam just sucked. You can build one yourself on Newegg. It doesn’t make you secure.

    Just a few days after the ProxyHam cancellation was announced to an eager press, [Samy Kamkar] released a version of ProxyHam that actually works over 2G cellular connections.

    ProxyGambit Better Than ProxyHam; Takes Coffee Shop WiFi Global
    http://hackaday.com/2015/07/16/proxygambit-better-than-proxyham-takes-coffee-shop-wifi-global/

  35. Tomi Engdahl says:

    New Ransomware Written Entirely In JavaScript
    https://yro.slashdot.org/story/16/06/19/1958203/new-ransomware-written-entirely-in-javascript

    Security researchers have discovered a new form of ransomware written entirely in JavaScript and using the CryptoJS library to encode a user’s files. Researchers say the file is being distributed through email attachments, according to SC Magazine.

    The attachment does not visibly do anything, but appears to the victim as a corrupted file. However, in fact it is busy doing its dirty work in the background. This includes deleting the Windows Volume Shadow Copy.

    New RAA ransomware written in JavaScript discovered
    http://www.scmagazine.com/new-raa-ransomware-written-in-javascript-discovered/article/504029/

    Reply
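The RAA write-up above names two behaviours that are visible on the endpoint long before the ransom note appears: a script host (wscript.exe) executing a .js attachment, and the deletion of Volume Shadow Copies. The following detection logic is an added example, not code from the RAA analysis, SC Magazine or this blog. The process-creation events, their key=value layout, the mail-client and script-host names and the rule thresholds are all constructed for the example and only loosely modelled on Sysmon event 1 fields.

```python
"""Behavioural detection for script-borne ransomware over process-creation events.
Added example; the events below are constructed and the field layout is hypothetical."""
import re

SAMPLE_EVENTS = [
    # routine admin job: a script host started from a shell, nothing to flag
    r"ts=2016-06-19T09:12:03Z Image=C:\Windows\System32\cscript.exe ParentImage=C:\Windows\System32\cmd.exe CommandLine=cscript.exe C:\ops\backup.vbs",
    # a .js attachment opened from the mail client and staged under %TEMP%
    r"ts=2016-06-19T10:41:17Z Image=C:\Windows\System32\wscript.exe ParentImage=C:\Program Files\Microsoft Office\Office16\OUTLOOK.EXE CommandLine=wscript.exe C:\Users\bob\AppData\Local\Temp\invoice_2016.doc.js",
    # the script removes Volume Shadow Copies so the victim cannot roll files back
    r"ts=2016-06-19T10:41:25Z Image=C:\Windows\System32\vssadmin.exe ParentImage=C:\Windows\System32\wscript.exe CommandLine=vssadmin.exe delete shadows /all /quiet",
    r"ts=2016-06-19T10:41:26Z Image=C:\Windows\System32\wbem\WMIC.exe ParentImage=C:\Windows\System32\wscript.exe CommandLine=wmic shadowcopy delete",
]

# key=value pairs whose values may contain spaces; a value ends where the next key begins
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}          # assumed parent names
SCRIPT_FROM_TEMP = re.compile(r"\\temp\\\S+\.(js|jse|wsf|vbs)\b", re.I)
SHADOW_DELETE = [
    re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I),
    re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I),
]


def parse_event(line):
    """Split one 'key=value key=value' line into a dict."""
    return {k: v for k, v in FIELD_RE.findall(line)}


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the names of the rules that fire for a single event."""
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    hits = []
    # rule 1: script host spawned by a mail client, or running a script out of %TEMP%
    if image in SCRIPT_HOSTS and (parent in MAIL_CLIENTS or SCRIPT_FROM_TEMP.search(cmd)):
        hits.append("script_host_from_mail_or_temp")
    # rule 2: shadow copy deletion, whichever binary is used to do it
    if any(p.search(cmd) for p in SHADOW_DELETE):
        hits.append("shadow_copy_deletion")
    return hits


def scan(lines):
    """Return (timestamp, rule, image) for every rule hit across the log."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        for rule in classify(ev):
            alerts.append((ev.get("ts"), rule, basename(ev.get("Image", ""))))
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(*alert)
```

Rule 2 is the higher-confidence signal: shadow copy deletion has few legitimate callers outside backup maintenance, so it is worth alerting on even when rule 1 did not fire, and worth blocking outright on user workstations.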
  36. Tomi Engdahl says:

    GoToMyPC Resets All User Passwords After Attack
    http://www.securityweek.com/gotomypc-resets-all-user-passwords-after-attack

    Over the weekend, Citrix informed users of its remote access software GoToMyPC that their passwords have been reset due to what the company calls a “very sophisticated password attack.”

    The company’s security team has decided that resetting the passwords of all customer accounts is the best way to address the issue. Users have been advised to set strong, unique passwords and enable two-step verification on their accounts to prevent unauthorized access.

    GoToMyPC customers can reset their passwords using the regular “Forgot Password” feature, or by calling GoToMyPC support if they don’t have access to their email account.

    The attackers leveraged credentials leaked recently from major websites to access GoToMyPC accounts. These types of attacks are often automated and they can be highly efficient considering that many people set the same password for multiple online services.

    Reply
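The attack described above, replaying credentials leaked from other sites against a login form, has a characteristic shape in authentication logs: one source tries many different usernames and succeeds rarely, which is the opposite of a legitimate user retyping their own password. The detector below is an added example, not Citrix's or SecurityWeek's code. The log lines, their key=value layout and the thresholds are constructed for the example.

```python
"""Credential-stuffing detector over authentication log lines (added example).
The log below is constructed; the line format is hypothetical."""
import re
from collections import defaultdict

SAMPLE_LOG = """\
2016-06-18T22:00:01Z ip=203.0.113.9 user=alice result=FAIL
2016-06-18T22:00:02Z ip=203.0.113.9 user=bob result=FAIL
2016-06-18T22:00:02Z ip=203.0.113.9 user=carol result=FAIL
2016-06-18T22:00:03Z ip=203.0.113.9 user=dave result=OK
2016-06-18T22:00:03Z ip=203.0.113.9 user=erin result=FAIL
2016-06-18T22:00:04Z ip=203.0.113.9 user=frank result=FAIL
2016-06-18T22:00:04Z ip=203.0.113.9 user=grace result=FAIL
2016-06-18T22:00:05Z ip=203.0.113.9 user=heidi result=FAIL
2016-06-18T22:03:10Z ip=198.51.100.24 user=alice result=FAIL
2016-06-18T22:03:20Z ip=198.51.100.24 user=alice result=FAIL
2016-06-18T22:03:41Z ip=198.51.100.24 user=alice result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")


def parse_log(text):
    """Parse lines into dicts; lines that do not match the layout are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def find_stuffing_sources(events, min_distinct_users=5, max_success_rate=0.25):
    """Return {ip: summary} for sources that look like credential stuffing:
    many distinct usernames tried from one address with a low hit rate.
    A single user failing a few times against their own account does not
    trip this. The thresholds are illustrative; tune them to the service."""
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0,
                                  "successes": 0, "ok_users": set()})
    for ev in events:
        s = per_ip[ev["ip"]]
        s["users"].add(ev["user"])
        s["attempts"] += 1
        if ev["result"] == "OK":
            s["successes"] += 1
            s["ok_users"].add(ev["user"])
    flagged = {}
    for ip, s in per_ip.items():
        rate = s["successes"] / s["attempts"]
        if len(s["users"]) >= min_distinct_users and rate <= max_success_rate:
            flagged[ip] = {
                "distinct_users": len(s["users"]),
                "attempts": s["attempts"],
                # accounts whose reused password worked: these need a forced reset
                "hit_accounts": sorted(s["ok_users"]),
            }
    return flagged


if __name__ == "__main__":
    for ip, summary in find_stuffing_sources(parse_log(SAMPLE_LOG)).items():
        print(ip, summary)
```

In production the per-IP counters should be kept over a sliding window rather than the whole file, and the source key should also cover the address block and user agent, since stuffing tools rotate through proxies; the "hit_accounts" list is the set to reset first if a blanket reset like Citrix's is not wanted.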
  37. Tomi Engdahl says:

    Top Websites Fail to Prevent Email Spoofing
    http://www.securityweek.com/top-websites-fail-prevent-email-spoofing

    More than half of Alexa top 500 domains allow email spoofing because their owners have failed to properly configure email servers, according to web security firm Detectify.

    Email spoofing has often been used in spam, phishing and fraud campaigns, which is why the industry has created several validation and authentication systems designed to prevent unauthorized parties from sending bogus emails apparently coming from legitimate domains.

    One of these systems is Sender Policy Framework (SPF), that allows domain administrators to specify in DNS records which servers are allowed to send emails using their domain.

    Reply
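An SPF record is only as good as its last mechanism: a record that ends in "+all" or "?all", or no record at all, authorises any host to send as the domain, which is the misconfiguration the Detectify finding refers to. The evaluator and audit below are an added example, not Detectify's or SecurityWeek's code. The DNS table is constructed for the example (names from the reserved example ranges), "include:" is resolved from that table instead of live DNS, and the a, mx, ptr and exists mechanisms and the redirect modifier are not modelled.

```python
"""Offline SPF (RFC 7208) evaluator and record audit. Added example; the DNS
table is constructed and stands in for real TXT lookups."""
import ipaddress

DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all",
    "sloppy.example": "v=spf1 ip4:192.0.2.0/24 +all",   # +all authorises everyone
    "nospf.example": "",                                 # no record published
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Return the domain's SPF record, or None if no TXT starts with v=spf1."""
    rec = DNS_TXT.get(domain.lower(), "")
    return rec if rec.startswith("v=spf1") else None


def check_spf(domain, sender_ip, _depth=0):
    """Evaluate whether sender_ip may send mail claiming MAIL FROM @domain.
    Returns one of pass, fail, softfail, neutral, none, permerror."""
    if _depth > 10:                      # RFC 7208 caps DNS-dependent terms
        return "permerror"
    record = lookup_spf(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:      # skip the v=spf1 version tag
        if "=" in term:                  # modifiers (redirect=, exp=) not modelled
            return "permerror"
        qualifier = "+"                  # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = ip.version == net.version and ip in net
        elif name == "include":
            # include: matches only when the referenced record yields pass
            sub = check_spf(arg, sender_ip, _depth + 1)
            if sub in ("permerror", "none"):
                return "permerror"
            matched = sub == "pass"
        else:
            return "permerror"           # a, mx, ptr, exists would need live DNS
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                     # no mechanism matched


def audit_spf(domain):
    """Classify how much the published record actually constrains senders."""
    record = lookup_spf(domain)
    if record is None:
        return "missing"
    terms = record.lower().split()[1:]
    if any(t in ("+all", "all", "?all") for t in terms):
        return "permissive"              # anyone passes: spoofing is not prevented
    if "~all" in terms:
        return "softfail-only"           # many receivers still deliver softfail
    return "strict" if "-all" in terms else "no-all"


if __name__ == "__main__":
    for dom in DNS_TXT:
        print(dom, audit_spf(dom), check_spf(dom, "203.0.113.5"))
```

SPF alone checks the envelope sender, not the From: header the user sees, so a strict record should be paired with DKIM and a DMARC policy before the domain can be called spoof-resistant.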
  38. Tomi Engdahl says:

    Russian bill requires encryption backdoors in all messenger apps
    http://www.dailydot.com/politics/encryption-backdoor-russia-fsb/

    Backdoors into encrypted communications may soon be mandatory in Russia.

    A new bill in the Russian Duma, the country’s lower legislative house, proposes to make cryptographic backdoors mandatory in all messaging apps in the country so the Federal Security Service—the successor to the KGB—can obtain special access to all communications within the country.

    Apps like WhatsApp, Viber, and Telegram, all of which offer varying levels of encrypted security for messages, are specifically targeted in the “anti-terrorism” bill, according to Russian-language media. Fines for offending companies could reach 1 million rubles or about $15,000.

    The new Russian legislation, which has already been approved by the Committee on Security, is just the latest such flare up in a global debate over encryption that earned a bright spotlight in the U.S. earlier this year, particularly after the San Bernardino terrorist attack led the FBI to plead for access to one of the shooter’s encrypted iPhones.

    Reply
  39. Tomi Engdahl says:

    Indie dev says gray market key seller cost them $450K in sales
    “Websites like G2A are facilitating a fraud-fueled economy”
    http://www.polygon.com/2016/6/20/11982544/indie-dev-says-grey-market-key-seller-cost-them-450k-in-sales

    TinyBuild, the developer behind games like Punch Club, Party Hard and SpeedRunners, say that game code marketplace G2A sold $450,000 worth of their products, many of them fraudulently acquired.

    “Websites like G2A are facilitating a fraud-fueled economy where key resellers are being hit with tons of stolen credit card transactions,” Alex Nichiporchik wrote on the official TinyBuild blog. “These websites are now growing rapidly due to low pricing of game keys.”

    The cost of dealing with third-party game code resellers can be significant for game developers and publishers.

    He claims that fraudsters purchased thousands of codes through the portal, and began selling them on G2A.

    “The shop collapsed when we started to get hit by chargebacks,”

    “I’d start seeing thousands of transactions, and our payment provider would shut us down within days. Moments later you’d see G2A being populated by cheap keys of games we had just sold on our shop.”

    Reply
  40. Tomi Engdahl says:

    Smartphone Users Are Paying For Their Own Surveillance
    https://yro.slashdot.org/story/16/06/20/2119212/smartphone-users-are-paying-for-their-own-surveillance

    While top secret NSA documents continue to trickle into the public sphere, tech industry leaders have endeavored to reassure anxious users by extolling the benefits of strong encryption. Rising demand among users for better privacy protection signifies a growth market for the titans of Silicon Valley — this results in a tendency to frame the issue of cybersecurity in terms of the latest mobile device.

    https://cryptome.org/2013/11/snowden-tally.htm

    Reply
  41. Tomi Engdahl says:

    CIA Director John Brennan Pretends Foreign Cryptography Doesn’t Exist
    https://www.schneier.com/blog/archives/2016/06/cia_director_jo.html

    Last week, CIA director John Brennan told a Senate committee that there wasn’t any strong cryptography outside of the US.

    CIA director John Brennan told US senators they shouldn’t worry about mandatory encryption backdoors hurting American businesses.

    And that’s because, according to Brennan, there’s no one else for people to turn to: if they don’t want to use US-based technology because it’s been forced to use weakened cryptography, they’ll be out of luck because non-American solutions are simply “theoretical.”

    “US companies dominate the international market as far as encryption technologies that are available through these various apps, and I think we will continue to dominate them,” Brennan said.

    Is he actually lying there? I suppose it is possible that he’s simply that ignorant. Strong foreign cryptography hasn’t been “theoretical” for decades. And earlier this year, I released a survey of foreign cryptography products, listing 546 non-theoretical products from 54 countries outside the US.

    Non-US encryption is ‘theoretical,’ claims CIA chief in backdoor debate
    No choice but to use American gear, grins spymaster
    http://www.theregister.co.uk/2016/06/17/non_us_encryption_is_theoretical_claims_cia/

    Reply
  42. Tomi Engdahl says:

    Destroying ransomware business models is not your job, so just pay up
    The FBI’s advice to suffer and lose data only makes sense if you’re the FBI
    http://www.theregister.co.uk/2016/05/17/pay_up_or_dont_ransomware_is_only_a_matter_of_money/

    It’s not your job to defend the world against criminals, so the decision to pay a ransomware demand is all about business.

    The likes of FBI Cyber Division deputy chief James C. Trainor disagree. The Bureau recently advised organisations not to pay lest they “embolden” criminals and encourage others to take start using ransomware.

    Trainor added that “by paying a ransom, an organization might inadvertently be funding other illicit activity associated with criminals.”

    That last point is worth noting.

    It isn’t just this reporter’s informed opinion; system administrators and hackers everywhere have so often recommended paying ransoms that whispers in this hack’s ears that hearing “one organisation has paid off ransomware attackers” borders on boring.

    Police units across America have themselves paid off ransomware crims, as have doubtless scores of other government organisations, hospitals, and schools.

    The cops are the only ones who really care if the criminals are caught, and so it is with ransomware.

    So the victim has three choices.

    Restore a backup.

    Format and lose data.

    Or pay.

    If it is Cryptowall, the latter versions of Cryptxxx, or one of a few others, then you’ll probably find no way to decrypt files without paying.

    Ransomware is, however, one of the world’s worst net menaces precisely because the fluid professional business model of providing keys for payment encourages other victims to pay up.

    The key points for any business or individual in paying is the reputation of the ransomware, the value of the lost data, the cost of disruption from restoration, and the size of the coffers.

    Reply
  43. Tomi Engdahl says:

    Situational Awareness and Crime Prevention
    https://www.schneier.com/blog/archives/2016/06/situational_awa.html

    Hardly anyone recognizes–whether politicians, public intellectuals, government policy makers, police or social workers–that focusing on the offender is dealing with only half the problem. We need also to deal with the many and varied ways in which society inadvertently creates the opportunities for crime that motivated offenders exploit by (i) manufacturing crime-prone goods, (ii) practicing poor management in many spheres of everyday life, (iii) permitting poor layout and design of places, (iv) neglecting the security of the vast numbers of electronic systems that regulate our everyday lives and, (v) enacting laws with unintended benefits for crime.

    Reply
  44. Tomi Engdahl says:

    Michael Riley / Bloomberg:
    Sources: Clinton Foundation among organizations breached by suspected Russian hackers, government investigators find — Trump, Democratic camps said briefed on effort to steal data — Democrats hire security firms to confirm ID of attackers — The Bill, Hillary and Chelsea Clinton Foundation …

    Clinton Foundation Said to Be Breached by Russian Hackers
    http://www.bloomberg.com/news/articles/2016-06-21/clinton-foundation-said-to-be-breached-by-russian-hackers

    The Bill, Hillary and Chelsea Clinton Foundation was among the organizations breached by suspected Russian hackers in a dragnet of the U.S. political apparatus ahead of the November election, according to three people familiar with the matter.

    The attacks on the foundation’s network, as well as those of the Democratic Party and Hillary Clinton’s presidential campaign, compound concerns about her digital security even as the FBI continues to investigate her use of a personal e-mail server while she was secretary of state.

    Clinton Foundation officials said the organization hadn’t been notified of the breach and declined to comment further. The compromise of the foundation’s computers was first identified by government investigators as recently as last week, the people familiar with the matter said. Agents monitor servers used by hackers to communicate with their targets, giving them a back channel view of attacks, often even before the victims detect them.

    Reply
  45. Tomi Engdahl says:

    Security company Nixu warns that at the beginning of the summer holiday season, companies should be particularly vigilant when handling large sums of money. Nixu has found that so-called CEO scams have become more alarming, and during the summer, with stand-ins covering key roles, the risk of someone being tricked is at its highest.

    - Large-scale network intrusions usually include this element: once attackers gain access to the organization’s information systems, they obtain critical information about the organization’s financial matters or about situations such as large deals or acquisitions.

    Intel Security, for its part, is not talking about the physical theft of a laptop but about its security being broken. Today we all connect to different networks while on vacation, and most of the time we do so without thinking.

    According to the company’s survey, 55 percent of globetrotters stay online during their holidays. According to the results, young people born in the 2000s leave their smartphone at home while on holiday, but 40-to-50-year-olds do not.

    More than half use public, free Wi-Fi networks while on holiday. On the other hand, only 15 percent protect their laptops or smartphones with any security solution.

    Intel Security gives a few important instructions for holidaymakers.

    1. Treat your vacation as a pause from social media. At many airports, the smartphone and social media are a common pastime while waiting. However, cyber criminals can see that you are using an unprotected network and will therefore try to break into your device.

    2. Limit the use of Wi-Fi and Bluetooth.

    3. Be careful what you share and with whom. Holiday memories are nice to share with family and friends, but it may not be worth announcing very openly that you are on vacation.

    4. Once you have joined a safe network, check your accounts and see whether there is any suspicious activity.

    Sources:
    http://etn.fi/index.php?option=com_content&view=article&id=4624:kesalla-huijataan-suuria-summia&catid=13&Itemid=101
    fi/index.php?option=com_content&view=article&id=4623:varo-koneesi-kaappausta-lomalla&catid=13&Itemid=101

    Reply
  46. Tomi Engdahl says:

    Putting keys in freezer could prevent car break-ins
    http://www.wcnc.com/news/putting-keys-in-freezer-could-prevent-car-break-ins/213206627

    AAA is warning drivers about a potential risk their cars may face, as prime targets for some technologically savvy thieves. It’s a break-in method that might make you rethink where you leave your keys, even when they’re inside your home.

    “Just as quickly as the cars are coming up with these technologies, we have criminals out there trying to combat it and find ways around it,” said Officer Chris Kopp with CMPD.

    If you have a car with a hands-free key fob, you could become the target of a break-in tactic that you probably didn’t know was possible. AAA Carolinas’ Dave Yelverton says this type of key fob typically unlocks a car if it’s within about 30 centimeters.

    “Your car is continually trying to reach out and touch this key,” Yelverton said. “And when it finds the key, you can open the door without touching the car without using the key. You can just leave it in your pocket.”

    But there are break-in cases across the country, where a power amplifier device may have been used to unlock the cars. Yelverton says the amplifier would take that signal from the car and fire it out as far as 100 meters.

    “That’s exactly right, that’s the theory behind the theft,” Yelverton said.

    So if your car is in your driveway and the keys are inside your house, that’s close enough for this to work.

    “Someone with an amplifier could theoretically grab your key signal from your car, open the car, you’d never know it, take all your goodies, then they lock the car and leave,”

    Reply
  47. Tomi Engdahl says:

    David E. Sanger / New York Times:
    FireEye report finds sharp drop-off in Chinese cyberattacks on US over past two years

    Chinese Curb Cyberattacks on U.S. Interests, Report Finds
    http://www.nytimes.com/2016/06/21/us/politics/china-us-cyber-spying.html

    Nine months after President Obama and President Xi Jinping of China agreed to a broad crackdown on cyberespionage aimed at curbing the theft of intellectual property, the first detailed study of Chinese hacking has found a sharp drop-off in almost daily raids on Silicon Valley firms, military contractors and other commercial targets.

    “It’s a mixed bag,” said Kevin Mandia, the founder of Mandiant, now part of FireEye, which first detailed the activities of a People’s Liberation Army cyber-arm, called Unit 61398, that had been responsible for some of the most highly publicized thefts of American technology. “We still see semiconductor companies and aerospace firms attacked.”

    But the daily barrage of attacks has diminished, which Mr. Mandia attributed to “public pressure” from, among others, the Justice Department’s decision to indict five members of the P.L.A. unit about a year after its activities were exposed.

    “The lesson is that when you figure out who has done this kind of theft, don’t fear making it public,” he said. “This is a slow process, but we are beginning to make people realize that even in cyberspace, laws and norms are applicable.”

    Reply
  48. Tomi Engdahl says:

    Tom Simonite / MIT Technology Review:
    The kernel of iOS 10 preview released last week was not encrypted, puzzling researchers

    Apple Opens Up iPhone Code in What Could Be Savvy Strategy or Security Screwup
    https://www.technologyreview.com/s/601748/apple-opens-up-iphone-code-in-what-could-be-savvy-strategy-or-security-screwup/

    A preview of Apple’s next mobile operating system upgrade revealed some of its inner workings for the first time and suggests the company wants help finding security flaws.

    When Apple announced a new version of its mobile operating system in San Francisco last week, executives boasted of features such as a smarter Siri and improved copy and paste. And as usual they announced that software developers could download a preview version of the software ahead of its fall release.

    Some security experts who inspected that new version of iOS got a big surprise.

    They found that Apple had not obscured the workings of the heart of its operating system using encryption as the company has done before. Crucial pieces of the code destined to power millions of iPhones and iPads were laid bare for all to see. That would aid anyone looking for security weaknesses in Apple’s flagship software.

    Security experts say the famously secretive company may have adopted a bold new strategy intended to encourage more people to report bugs in its software—or perhaps made an embarrassing mistake.

    Reply
  49. Tomi Engdahl says:

    Reuters:
    Sources: Google and Facebook start automatically blocking reposted extremist videos — Some of the web’s biggest destinations for watching videos have quietly started using automation to remove extremist content from their sites, according to two people familiar with the process.

    Exclusive: Google, Facebook quietly move toward automatic blocking of extremist videos
    http://www.reuters.com/article/us-internet-extremism-video-exclusive-idUSKCN0ZB00M

    Some of the web’s biggest destinations for watching videos have quietly started using automation to remove extremist content from their sites, according to two people familiar with the process.

    The move is a major step forward for internet companies that are eager to eradicate violent propaganda from their sites and are under pressure to do so from governments around the world as attacks by extremists proliferate, from Syria to Belgium and the United States.

    Reply
  50. Tomi Engdahl says:

    Russia Wants Encryption Backdoors in Telegram, WhatsApp, Viber, Allo, Others UPDATED
    Controversial encryption backdoor bill reaches Russian Duma

    http://news.softpedia.com/news/russia-wants-encryption-backdoors-in-telegram-whatsapp-viber-others-505557.shtml

    Reply
