Security trends for 2016

Here are my predictions for trends in information security and cyber security for year 2016.

2015 was a bad year for information security, and I would say that the trend is worrying, so I expect 2016 to bring many information security challenges. If you want to keep yourself up at night, spend some time reading about the latest developments in cybersecurity. In 2015 airplanes were hacked, cars were hacked, and vulnerabilities were found in a breathtaking range of sensitive equipment, from TSA locks to voting booths to medical devices. The big picture is even scarier: former NSA Director Mike McConnell suspects China has hacked “every major corporation” in the US. Those problems will continue in 2016, and some new targets for attacks will be found. The system is broken. It isn’t keeping us, our companies, or our government safe. Worse yet, no one seems to know how to fix it.

Attacks through networks are becoming more common all the time, and it will be hard to protect against targeted attacks. Hackers will not only customize malware, but will increasingly use sophisticated phishing and social engineering tricks to gain access to sensitive data. Attackers usually cover their tracks carefully, and identifying who is behind an attack can be very difficult. Behind targeted attacks are usually professional criminals. Criminals do not respect geographical borders, and hence attacks are spread evenly everywhere. Companies will struggle to absorb the security threats of combined PC and mobile devices in 2016.


EU information security decisions made in late 2015 will have an impact on what comes in 2016: the new EU data protection legislation package was approved, and the EU Court of Justice ruled that the Safe Harbor procedure is invalid. This means that transfers of personal data from EU countries to the United States under Safe Harbor are a violation of law; you need some other agreement for this. The situation will probably get clarified during 2016. Data protection legislation changes will lead to increased fines for the unprepared. Legal uncertainty and big fines are a toxic cocktail for some companies. The combination of stiff penalties and ambiguously worded provisions in the new EU-wide data protection law, which would replace a patchwork of 28 national laws, raises daunting prospects for companies operating in Europe.

After the huge number of user information leaks in 2015 from all kinds of Internet services, cloud companies will face the challenge of earning trust in their security. You might have dared to trust “the right cloud services”, since from the traditional information security point of view they seem to have the main things in order; on top of that, privacy issues have now been raised.

New environments will bring new threats. New operating system versions mean that administrators and users are less familiar with the environments. IPv6 will get more widely used, and the security of IPv6 networks is different from IPv4. Organizations are moving to virtualized environments, which are complex and create network layers that can become an attack vector. Growing network virtualization functionality and programmability are both an opportunity and a threat to security. Cyber security research will be important in 2016, as 5G networks will be critical infrastructure on top of which, for example, transport, industry, health and the new operators set up their business around 2020.

The huge amount of information security information is becoming harder and harder to manage in 2016. A key problem with security revelations, as with all other news coverage, is the exponential growth of knowledge. There are a variety of news summaries produced on a daily basis, but they are not enough to get a good picture of what is happening. There are bigger and smaller news items, the impact of which is at times very difficult to assess. SMBs will become a bigger target for cybercriminals. Network and security professionals continue to be among the toughest IT talent to find and hire.

The old way of network security, focused on perimeter defense, is not enough in 2016. The old mantras “encrypt everything” and “secure the perimeter” are not enough. One deceptive truth seems to drive much of the cybersecurity industry down a rabbit hole: if you keep bad actors and bad software out of your system, you have nothing to worry about. It does not work like that anymore. As perimeter security gets stronger, malicious actors are looking for easier entry points to compromise an organisation through the breadth of its digital attack surface. Now malicious actors target “endpoints”—any device or sensor connected to a network—to break into that network. Traditional sandboxing will no longer protect against the growing malware landscape. Today, most private networks have far too many endpoints to properly secure. In an age of “Bring Your Own Device,” the cloud, remote access, and the Internet of Things, there are too many vulnerabilities hackers can exploit. Keep in mind that everything connected to the Internet can, and will, be hacked. To address those threats in 2016, security experts should assume compromise – that hackers and malware already have breached their defenses, or soon will – and instead classify and mitigate threats. In addition to the lock-and-key system of public key infrastructure, you will also need an integrity solution that acts like an alarm. To protect against advanced threats, security professionals will increase their reliance on centralized security management solutions. You need to have prioritization and response plans for various kinds of breaches – with a strong focus on integrity.

The tension between law enforcement and Silicon Valley will continue to be strong throughout 2016. In 2015 law enforcement and politicians on both sides of the Atlantic lined up to repeatedly complain that the web was “going dark” as a result of end-to-end encryption and that this was hampering the investigation of terrorism and other serious crimes. Technologists and cryptographers argue that governments are trying to weaken encryption by demanding some form of privileged access for government. It’s not clear how much encryption the NSA can break. With renewed focus on how encrypted messages can be used to plot terrorist attacks, President Barack Obama’s administration is stepping up pressure on the tech sector to help in the battle. Privacy remains a major counter-argument. It seems that governments lie about encryption backdoors. Encryption systems weakened by mandated backdoors would not be effective in fighting the terrorists that governments invoke as their reason for wanting those backdoors in the first place.

But this does not stop some government officials from demanding such things, with varying success in different countries. Another fact is that the existence of coded communications is a reality, and the U.S. may not be able to do much about it, because nearly everyone living in modern society uses it: encryption protects your bank information, prevents your password from being stolen when you log into a website, and allows all e-commerce transactions to take place securely. Encryption weakened by mandated backdoors would put all of us at an enormous risk of exposure from data breaches and associated online risks. The truth in 2016 is that any form of privileged access for government – i.e., a backdoor – would inevitably weaken crypto-systems and make them more vulnerable to attacks by foreign governments’ intelligence agencies as well as criminals. Juniper’s VPN security hole is proof that government backdoors are bonkers. Encryption backdoors would be a gleeful win-win for terrorists and a horrific lose-lose for you – the bad guys having strong protections for their data, and the rest of us not. A poorly thought-out and crude surveillance technique could have a devastating effect on a country’s internet security; for example, Kazakhstan will force its citizens to install internet backdoors by requiring all Internet users to install a state-issued root certificate by January 1, 2016.

Google, Mozilla and Microsoft are pushing for an early SHA-1 cutoff that could happen in 2016 instead of the earlier planned January 1, 2017, due to recent research showing that SHA-1 is weaker than previously believed: it has been cracked without enormous effort. Mozilla, Microsoft and now Google are all considering bringing the deadline forward by six months to July 1, 2016. SHA-2 is going to be used as the replacement function for SHA-1. Websites like Facebook and those protected by CloudFlare have implemented a SHA-1 fallback mechanism for those systems that do not support SHA-2. Chrome will start displaying errors if SHA-1 certificates are employed in early 2016 and will completely stop supporting SHA-1 certificates at the end of 2016.

The use of blockchain technology, a permissionless distributed database based on the bitcoin protocol that runs across a global network of independent computers, will spread beyond Bitcoin virtual money. With bitcoin, the blockchain tracks the exchange of money. But it can also track the exchange of anything else that holds value, including stocks, bonds, and other financial securities. Overstock has already used the blockchain to issue private bonds. The Securities and Exchange Commission has approved a plan from online retailer Overstock.com to issue company stock via the Internet, signaling a significant shift in the way financial securities will be distributed and traded in the years to come. Overstock built its technology under the aegis of a subsidiary called TØ.com, and it plans to offer this “cryptosecurity” tech as a service to other businesses. Nasdaq OMX—the company behind the Nasdaq stock exchange—is using the blockchain to oversee the exchange of private stock. Also, several major companies from across both the technology and financial industries—including IBM, Intel, and Cisco as well as the London Stock Exchange Group and big-name banks JP Morgan, Wells Fargo, and State Street—have joined forces with the Linux Foundation to create an alternative to the blockchain.

The use of disk encryption will increase, and there are different ways to do it with different security levels. Microsoft has introduced Windows 10 disk encryption where the keys are uploaded to Microsoft. This approach has some advantages and disadvantages. The gold standard in disk encryption is end-to-end encryption, where only you can unlock your disk. This is what most companies use, and it seems to work well. It protects data in case your device is lost or stolen. But what if you forget or lose your key? There are certainly cases where it’s helpful to have a backup of your key or password, so keeping a backup of your recovery key in your Microsoft account could be genuinely useful for probably the majority of users that don’t have high security needs. The disadvantage of this approach is that your computer is now only as secure as that database of keys held by Microsoft, which means it may be vulnerable to hackers, foreign governments, and people who can extort Microsoft employees.

Weak and leaked passwords are still a huge security problem in 2016. Passwords are often the weakest part when it comes to securing users’ accounts, as many don’t use complex passwords or they reuse the same password across services. Two-factor authentication – like using a USB stick with a secret token or entering a code sent via text message to your phone – can help to increase security, but many users also find this to be a hassle, as it introduces an additional step to the login process.

Google has begun testing a login system that uses phone notifications for authentication instead of passwords: users authenticate by responding to a notification sent to their smartphone. The idea is similar to Yahoo’s recently launched “Account Key,” which also offers a password-free means of signing in, involving a push notification sent to your phone that then opens an app where you approve the log-in.

The smartphone will become a more and more security-critical part of your life. “Increasingly, individuals and organisations are adopting password managers and multi-factor authentication technologies to plug some of the holes in password-based authentication. We foresee a world where practically everyone uses their smartphone as a multi-factor authentication element. In this world, the smartphone becomes your most valuable asset: something that enables you to unlock your life online and a target for attackers seeking to access your services.”

Expect that the number of mobile vulnerabilities will only grow in 2016. In 2016 we will see increasing numbers of cyber criminals using mobile applications to spread malware. Mobile presents an easy target for cyber criminals, because it is an attack surface that is open and extremely difficult to defend once an app has been released. Android threats will become more than just headline-grabbers. Will 2016 be the year iOS malware goes mainstream?

Critical infrastructures will be highly targeted in 2015. SCADA and ICS networks were not designed for security. Attacks against these systems have increased in recent years, and I expect this trend to only get worse. There are still many companies that run their critical systems on Windows XP, as “there are some people who don’t have an option to change.” Many times the OS is running in automation and process control systems that run business- and mission-critical systems, both in private sector and government enterprises. For example, the US Navy is using the obsolete operating system Microsoft Windows XP to run critical tasks. It all comes down to money and resources, but if someone is obliged to keep something running on an obsolete system, it’s the completely wrong approach to information security.

Cars were hacked at a record rate in 2015, and they will be hacked at least at the same rate in 2016. Modern cars feature more gadgetry and connected systems, and this will make vehicles just as vulnerable to today’s threats and attacks. I Am The Cavalry has published a five-star Cyber Safety Framework to mitigate this threat in cars; hopefully car component makers study it.

IoT and smart devices are still at risk. The Internet of Things will continue to emerge, and businesses will need to think about how to protect their smart devices and prepare for the wider adoption of IoT. IoT platforms are not yet the weapon of choice for commercial malware authors, but businesses beware. Wearables won’t be safe either, as they are built using largely the same, too often vulnerable, technologies as other IoT systems. IoT security is still in its infancy in 2016.

Cyber criminals became more active in 2015, particularly with ransomware. The ransomware problem will continue to be big in 2016. Commercial malware authors will continue to invest heavily, and exploit kits will continue to dominate on the web. Ransomware today is big business. Ransomware takes control of a computer and holds it hostage until the victim pays, usually in the digital currency Bitcoin. As a remedy against ransomware I recommend making sure, together with your IT support or your service provider, that the data backup and restore procedure is operational, practiced and tested. You may need it in 2016 to get your data back without considering paying criminals. To date ransomware has hit Windows users hardest, although Android and MacOS users are now also facing similar extortion.

Ransomware will continue to dominate in 2016, and it is only a question of time before we see things beyond data being ransomed. We have already seen websites being held to ransom with DDoS. Intel’s McAfee Labs also noted a huge spike in ransomware in early 2015, and worries about ransomware in the IoT space—including medical devices. And Kaspersky predicts the “nightmare of ransomware” to continue and “spread to new frontiers” in 2016. The article “Ransomware Is Coming to Medical Devices” tells that, according to a report released recently by Forrester Research, the number one cybersecurity prediction for 2016 is: “We’ll see ransomware for a medical device or wearable.” “It’s definitely feasible from a technical standpoint.” Networked medical devices save lives. Despite the hacking risk, it’s an informed trade-off. Medical device ransomware would be a modern form of highway robbery with lives at stake.

2,232 Comments

  1. Tomi Engdahl says:

    Draas system can save the business

    Disruptions in service and IT disasters are for a company a matter of life and death. Fortunately, cloud services vendors now offer a variety of draas systems so that holes in software can be patched quickly.

    Breaks in service cost a business money by the minute. The cash flows are cut as if with a knife when, for example, the billing program is lost in cyberspace.

    Cloud and mobile solutions provider Acronis product marketing manager Frank Jablonski put a question to the CIO’s conscience: “How long can the company take service interruptions?”

    In his opinion, the typical answer in all lines of business is: not a single moment.

    “There is no question that IT bosses understand the advantages of backup and DR. They just consider them too expensive to implement,” Jablonski says.

    And expensive it was not so long ago, when the company had to build entire dual-mode, i.e. redundant, IT systems with separate servers and software licenses.

    Moreover, these back-up systems had to be maintained at a different location, away from the company’s main IT systems.

    Draas promises to dispel the CIO’s concerns

    Cloud application providers’ new ‘as-a-service’ type systems are making inroads in backup and disaster recovery.

    In particular for SMEs and growth companies, these baas (backup-as-a-service) and draas (disaster-recovery-as-a-service) systems are already, for budgetary reasons, a significant improvement compared to the old redundant backup systems.

    “Quietly in the background, the draas service secures, under all conditions, important data, software, servers, and even the running of entire data centers. The service is tested on a regular basis in order to ensure its operation,” Jablonski explains.

    Source: http://www.tivi.fi/CIO/draas-jarjestelma-voi-pelastaa-bisneksen-6562301

  2. Tomi Engdahl says:

    Save Your Business with Disaster Recovery-as-a-Service
    http://www.cio.com/article/3078077/backup-recovery/save-your-business-with-disaster-recovery-as-a-service.html

    Every minute a business remains closed due to a disaster is a minute during which revenue isn’t being earned, bringing the business one step closer to complete failure with every tick of the clock.

    Frank Jablonski, Product Marketing Director for Acronis Cloud and Mobility Solutions puts it this way: “Can you afford to be down for a week?” The answer to that question for large numbers of businesses is a definite “No.”

    For most businesses, no matter what products or services they sell, recovery from a disaster requires the restoration of the critical customer, product, process and other data needed to run the business. Recovering that data quickly can make the difference between failure and survival. “If you’ve lost your billing system,” says Jablonski as an example, “and you don’t know who to send invoices to, you’re not going to get money in…. People go out of business pretty quickly due to cash flow issues.”

    Because of the heavy reliance on data for all types of business, the U.S. Department of Homeland Security says “a plan for backup and restoration of electronic information is essential” for every business to recover from a disaster of any kind.

    “A lot of people understand this concept,” says Jablonski, “but it used to be too expensive.”

  3. Tomi Engdahl says:

    Why Are Hackers Increasingly Targeting the Healthcare Industry?
    https://science.slashdot.org/story/16/06/25/1343235/why-are-hackers-increasingly-targeting-the-healthcare-industry

    In general, the healthcare industry is proving lucrative for cybercriminals because medical data can be used in multiple ways, for example fraud or identity theft. This personal data often contains information regarding a patient’s medical history, which could be used in targeted spear-phishing attacks…and hackers are able to access this data via network-connected medical devices, now standard in high-tech hospitals. This is opening up new possibilities for attackers to breach a hospital or a pharmaceutical company’s perimeter defenses.

    Why are hackers increasingly targeting the healthcare industry?
    https://www.helpnetsecurity.com/2016/06/23/hackers-targeting-healthcare-industry/

    Cyber-attacks in the healthcare environment are on the rise, with recent research suggesting that critical healthcare systems could be vulnerable to attack.

    In general, the healthcare industry is proving lucrative for cybercriminals because medical data can be used in multiple ways, for example fraud or identity theft. This personal data often contains information regarding a patient’s medical history, which could be used in targeted spear-phishing attacks.
    Dangerous attacks – what are the risks?

    Cybercriminals have found medical data to be far more valuable than credit card fraud or other online scams. This is because medical information contains everything from a patient’s medical history to their medical prescriptions, and hackers are able to access this data via network-connected medical devices, now standard in hi-tech hospitals. This is opening up new possibilities for attackers to breach a hospital or a pharmaceutical company’s perimeter defences. If a device is connected to the internet and left vulnerable to attack, an attacker could remotely connect to it and use it as a gateway for attacking network security.

  4. Tomi Engdahl says:

    From File-Sharing To Prison: The Story of a Jailed Megaupload Programmer
    https://yro.slashdot.org/story/16/06/25/0344201/from-file-sharing-to-prison-the-story-of-a-jailed-megaupload-programmer

    “I had to be made an example of as a warning to all IT people,” says former Megaupload programmer Andrew Nomm, one of seven Megaupload employees arrested in 2012. Friday his recent interview with an Estonian journalist was republished in English by Ars Technica (which notes that at one point the 50 million users on Megaupload’s file-sharing site created 4% of the world’s internet traffic). The 37-year-old programmer pleaded guilty to felony copyright infringement in exchange for a one-year-and-one-day sentence in a U.S. federal prison, which the U.S. Attorney General’s office called “a significant step forward in the largest criminal copyright case in US history.”

    From file-sharing to prison: A Megaupload programmer tells his story
    Programmer Andrew Nõmm: “I had to be made an example of as a warning to all IT people.”
    http://arstechnica.com/tech-policy/2016/06/from-file-sharing-to-prison-a-megaupload-programmer-tells-his-story/

    Soon after the domain was registered in Hong Kong, the now-defunct Megaupload.com grew into one of the world’s most popular file-sharing sites. At its peak, the site engaged nearly 50 million users a day and took up around four percent of the world’s Internet traffic. Users uploaded nearly 12 billion files overall.

    In total, seven men associated with the site were arrested and indicted on 13 charges (including copyright infringement and money laundering). Dotcom remains notably free and has been continually fighting in New Zealand against his extradition to the USA. Others were not as lucky.

  5. Tomi Engdahl says:

    Java, PHP, NodeJS, and Ruby Tools Compromised By Severe Swagger Vulnerability
    https://developers.slashdot.org/story/16/06/25/1441215/java-php-nodejs-and-ruby-tools-compromised-by-severe-swagger-vulnerability

    “Researchers have discovered a vulnerability within the Swagger specification which may place tools based on NodeJS, PHP, Ruby, and Java at risk of exploit,” warns ZDNet’s blog Zero Day, adding “the severe flaw allows attackers to remotely execute code.” Slashdot reader msm1267 writes:
    A serious parameter injection vulnerability exists in the Swagger Code Generator that could allow an attacker to embed executable code in a Swagger JSON file. The flaw affects NodeJS, Ruby, PHP, Java and likely other programming languages. Researchers at Rapid7 who found the flaw disclosed details…

    R7-2016-06: Remote Code Execution via Swagger Parameter Injection (CVE-2016-5641)
    https://community.rapid7.com/community/infosec/blog/2016/06/23/r7-2016-06-remote-code-execution-via-swagger-parameter-injection-cve-2016-5641

    This disclosure will address a class of vulnerabilities in a Swagger Code Generator in which injectable parameters in a Swagger JSON or YAML file facilitate remote code execution. This vulnerability applies to NodeJS, PHP, Ruby, and Java and probably other languages as well. Other code generation tools may also be vulnerable to parameter injection and could be affected by this approach. By leveraging this vulnerability, an attacker can inject arbitrary execution code embedded with a client or server generated automatically to interact with the definition of service. This is considered an abuse of trust in definition of service, and could be an interesting space for further research.

  6. Tomi Engdahl says:

    Financial Times:
    Sources: Intel weighs sale of cyber security business created from its $7.7B McAfee acquisition in 2010 — Intel is looking at options for Intel Security, including potentially selling the antivirus software maker formerly known as McAfee which it bought for $7.7bn almost six years ago.

    Intel weighs sale of cyber security business
    Hannah Kuchler in San Francisco and James Fontanella-Khan in New York
    http://www.ft.com/cms/s/0%2Fb2b36068-3b80-11e6-8716-a4a71e8140b0.html#axzz4ClRy8buz

    Intel is looking at options for Intel Security, including potentially selling the antivirus software maker formerly known as McAfee which it bought for $7.7bn almost six years ago.

    The Silicon Valley chipmaker has been talking to bankers about the future of its cyber security unit in a deal that would be one of the largest in the sector, according to people close to the discussions.

    Private equity buyers are increasingly interested in cyber security companies, anticipating strong cash flow as corporate customers become increasingly worried about protecting their business from cyber attacks.

    The chipmaker bought McAfee in 2010 intending to embed its cyber security functionality on to chips, promising the ability to detect threats at a deeper level. Under this plan, device manufacturers would still have to decide to activate this option.

  7. Tomi Engdahl says:

    Hackers peer into Uber passenger privates, find and plot trips on maps
    Brute force efforts reveal 1000 discount codes
    http://www.theregister.co.uk/2016/06/27/hackers_peer_into_uber_passenger_privates_find_and_plot_trips_on_maps/

    Three hackers have found eight holes in Uber that could allow fake drivers to be created and user email addresses to be revealed, and found more than 1000 valid coupon codes, including one giving drivers $100 extra in fare rides.

    The flaws have been reported to Uber which is working through to develop fixes.

    They abused the Uber help section to find user email addresses, peered into requests during fare splits to find a passenger’s picture, UUID, and phone number, and found driver and passenger trip details, including the full directions of fares, which can be plotted on a map.

  8. Tomi Engdahl says:

    So Hey You Should Stop Using Texts for Two-Factor Authentication
    https://www.wired.com/2016/06/hey-stop-using-texts-two-factor-authentication/

    Since two-factor authentication became the norm for web services that care about securing your accounts, it’s started to feel like a security blanket, an extra layer keeping your data safe no matter whether your password is as strong

    But a two-factor setup—which for most users requires a temporary code generated on, or sent to, your phone in addition to a password—isn’t an invincibility spell. Especially if that second factor is delivered via text message.

    The last few months have demonstrated that SMS text messages are often the weakest link in two-step logins: Attacks on political activists in Iran, Russia, and even here in the US have shown that determined hackers can sometimes hijack the SMS messages meant to keep you safe.

    “SMS is just not the best way to do this,” says security researcher and forensics expert Jonathan Zdziarski. “It’s depending on your mobile phone as a means of authentication [in a way] that can be socially engineered out of your control.”

    That kind of social engineering is more than hypothetical. Earlier this month, Black Lives Matter activist DeRay McKesson found that his Twitter account was hacked to tweet pro-Donald Trump messages, despite having two-factor authentication in place.

    Adding a layer of SMS-based verification to your login process is certainly better than relying on a password alone. But Zdziarski goes so far as to argue that two-factor authentication using SMS text messages isn’t technically two-factor at all.

    The idea of two-factor authentication, he points out, is to test someone’s identity based on something they know (like a password) and something they have (like their phone or another device.) Better tools like Google Authenticator or an RSA token prove that possession, by generating a unique code that matches one generated on a web service’s server.

    “SMS has turned that ‘something you have’ into ‘something they sent you,’” says Zdziarski. “If that transaction is happening, it can be intercepted. And that means you’re potentially at some level of risk.”

    Tactics like social-engineering or strong-arming the phone company to subvert two-factor comprise only a fraction of SMS vulnerabilities. Fake cell phone towers known as IMSI catchers or “stingrays” can intercept text messages, too. And the security community has recently been calling attention to weaknesses in SS7, the protocol that allows telecom networks to communicate with each other. Hackers can exploit SS7 to spoof a change to a user’s phone number, intercepting their calls or text messages. “Any network can tell any other network ‘your subscriber’s here now,’

    Luckily, plenty of services offer better options. Google last week launched Google Prompt, a service that sends a second-factor login prompt directly from its servers to Android phones or to the Google Search app for iOS. But even more secure still are systems that don’t require any message to be sent at all. Apps like Google Authenticator and tokens like those sold by RSA generate one-time-password codes that change every few seconds.

    Those same exact codes are generated on the servers run by services like Slack, WordPress, or Gmail, so that the user can cough up the code to prove their identity without it ever being sent over the internet.

    Unfortunately, some services like Twitter still only offer two-factor authentication via text message.

  9. Tomi Engdahl says:

    IRS Gets Hacked Again, Forced To Scrap Their Entire PIN System
    https://yro.slashdot.org/story/16/06/26/1527256/irs-gets-hacked-again-forced-to-scrap-their-entire-pin-system

    The IRS has abandoned a system of PIN numbers used when filing tax returns online after they detected “automated attacks taking place at an increasing frequency,” adding that only “a small number” of taxpayers were affected. An anonymous reader quotes the highlights from Engadget:

    IRS kills e-filing PINs prematurely due to cyberattacks
    The IRS says you don’t need one anyway.
    https://www.engadget.com/2016/06/25/irs-kills-e-filing-pins/

    The IRS was gearing up to kill e-file PINs later this year, but it has decided to speed up its plans after discovering suspicious activity. These electronic filing personal identification numbers, which people could use to authenticate tax returns filed online, are no longer available on IRS.gov or via the agency’s toll-free phone number. If you’ll recall, identity thieves used malware to steal taxpayers’ info from other websites, which was then used to generate 100,000 PINs, back in February. The thieves were actually gunning for 464,000 PINs, but the agency was able to stop them before they got near that number.

    This time, the IRS detected “automated attacks taking place at an increasing frequency”

    Reply
  10. Tomi Engdahl says:

    Aalto University’s Erasmus student Cesar Pereida García solved a security problem in the OpenSSL cryptographic library that allowed an attacker to determine the signature key.

    “Correcting the code was pretty simple once the software bug was found. Now the duration of the algorithm’s squaring and multiplication phase is always the same, regardless of the value of the signature key, and an active attacker is no longer able to determine the victim’s signature key,” says Pereida García.

    In the latest Intel computer architectures there are three levels of cache. If data is removed from the cache at one level, it is removed at the same time from all the higher-level caches. The lowest-level cache in the processor (LLC, last level cache) is shared among all the processor cores.

    An active attacker can program code, executed on one processor core, to track the use of the shared LLC cache.

    Source: http://www.uusiteknologia.fi/2016/06/27/opiskelija-korjasi-salauskoodin/

    Reply
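The property the quoted fix restored (the same sequence of squarings and multiplications for every key value) as an added example, not the OpenSSL code or Pereida García’s patch. It contrasts textbook square-and-multiply, whose operation count follows the key’s bit pattern, with a Montgomery ladder using arithmetic selection; Python big integers only model the operation sequence, since a real constant-time implementation is written in C with no secret-dependent branches or memory accesses, and the sample exponents are constructed.

```python
"""Added example: key-dependent square-and-multiply versus a constant-operation
ladder. Each function returns (result, number of modular multiplications) so
the leak is visible as a varying count rather than as wall-clock timing.
"""


def modexp_leaky(base: int, exp: int, mod: int):
    """Textbook left-to-right square-and-multiply.
    A multiply happens only for 1 bits, so timing and cache footprint
    depend on the secret exponent."""
    result, ops = 1, 0
    for bit in bin(exp)[2:]:
        result = result * result % mod          # square on every bit
        ops += 1
        if bit == "1":                          # secret-dependent branch
            result = result * base % mod
            ops += 1
    return result, ops


def modexp_ladder(base: int, exp: int, mod: int):
    """Montgomery ladder (invariant r1 == r0 * base) with arithmetic selection
    instead of a branch. Every bit costs the same three modular
    multiplications and runs the same code path, whatever the exponent."""
    r0, r1, ops = 1, base % mod, 0
    for bit in bin(exp)[2:]:
        b = int(bit)
        prod = r0 * r1 % mod
        sq0 = r0 * r0 % mod
        sq1 = r1 * r1 % mod
        ops += 3
        # select without branching: bit 0 -> (sq0, prod), bit 1 -> (prod, sq1)
        r0 = (1 - b) * sq0 + b * prod
        r1 = (1 - b) * prod + b * sq1
    return r0, ops


def operation_counts(func, exps, base=3, mod=1000003):
    """Distinct operation counts observed over exponents of equal bit length;
    a leak-free structure yields exactly one value."""
    return sorted({func(base, e, mod)[1] for e in exps})


if __name__ == "__main__":
    # Constructed sample keys: same bit length (16), different Hamming weights.
    keys = [0x8001, 0x8FFF, 0xFFFF, 0xAAAA]
    for e in keys:
        assert modexp_leaky(3, e, 1000003)[0] == pow(3, e, 1000003)
        assert modexp_ladder(3, e, 1000003)[0] == pow(3, e, 1000003)
    print("leaky op counts :", operation_counts(modexp_leaky, keys))   # varies with key
    print("ladder op counts:", operation_counts(modexp_ladder, keys))  # one value
```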
  11. Tomi Engdahl says:

    Mitch Smith / New York Times:
    Case in Wisconsin spurs debate about the use of proprietary algorithms that calculate defendants’ recidivism risk in sentencing

    In Wisconsin, a Backlash Against Using Data to Foretell Defendants’ Futures
    http://www.nytimes.com/2016/06/23/us/backlash-in-wisconsin-against-using-data-to-foretell-defendants-futures.html?_r=0

    When Eric L. Loomis was sentenced for eluding the police in La Crosse, Wis., the judge told him he presented a “high risk” to the community and handed down a six-year prison term.

    The judge said he had arrived at his sentencing decision in part because of Mr. Loomis’s rating on the Compas assessment, a secret algorithm used in the Wisconsin justice system to calculate the likelihood that someone will commit another crime.

    Reply
  12. Tomi Engdahl says:

    Bloomberg:
    China’s search engines need to verify advertisers, clearly ID paid results from Aug. 1, following death of a student who accused Baidu of showing misleading ads — Advertisers’ qualifications must be verified effective Aug. 1 — Banned content must be reported: Cyberspace Administration

    China Tightens Internet Rules for Baidu and Other Search Engines
    http://www.bloomberg.com/news/articles/2016-06-25/china-tightens-internet-rules-for-baidu-and-other-search-engines

    Chinese authorities will require Baidu Inc. and other search engines to report banned content and verify advertisers’ qualifications in its latest attempt at Internet regulation.

    Under rules to take effect Aug. 1, search engines operating in the country will be prohibited from providing banned information in various formats including links, summaries, cached pages, associative words, related searches and relevant recommendations, the Cyberspace Administration of China said in a statement. They will also be required to report websites and applications that contain prohibited content when spotted, the regulator said.

    Reply
  13. Tomi Engdahl says:

    Removing DRM From Aaron Swartz’s eBook
    http://hackaday.com/2016/06/27/removing-drm-from-aaron-swartzs-ebook/

    After his death, Aaron Swartz became one of the Internet’s most famous defenders of the free exchange of information, one of the most polarizing figures on the topic of intellectual property, and the most famous person that still held on to the ideals the Internet was founded on. Aaron was against DRM, fought for the users, and encouraged open access to information.

    Early this year, Verso Books published the collected writings of Aaron Swartz. This eBook, according to Verso, contains ‘social DRM’, a watermarking technology that Verso estimates will, “contribute £200,000 to the publisher’s revenue in its first year.” This watermarking technology embeds uniquely identifiable personal information into individual copies of eBooks.

    The watermarking technology in Aaron Swartz’s eBook comes courtesy of BooXtream, a security solution where every eBook sold is unique using advanced watermarking and personalization features.

    After analyzing several digital copies of Aaron Swartz’s eBook, the Institute for Biblio-Immunology is confident they have a tool that removes BooXtream’s watermarks in EPUB eBooks. Several watermarks were found, including the very visible – Ex Libris images, disclaimer page watermarks, and footer watermarks – and the very hidden, including image metadata, filename watermarks, and timestamp fingerprints.

    In a communique released late last weekend, they cracked this watermarking scheme and released the code to remove this ‘social DRM’ from ePub files.

    While the Institute believes this tool can be used to de-BooXtream all currently available ‘social DRM’ed eBooks, they do expect the watermarking techniques will be quickly modified.

    https://pastebin.com/raw/E1xgCUmb

    Reply
  14. Tomi Engdahl says:

    Adam Jourdan / Reuters:
    New Chinese rules for mobile app developers require user verification with real-name registration and saving user activity logs for 60 days

    China tightens rules for mobile app developers
    http://www.reuters.com/article/us-china-internet-regulations-idUSKCN0ZE0N5

    China has tightened rules for mobile app developers including requiring real-name registration and preserving users’ activity logs, the country’s internet regulator said on Tuesday, as Beijing looks to strengthen oversight of the growing app market.

    The Cyberspace Administration of China (CAC) said in a statement that mobile app providers would need to fulfill six requirements to help crack down on “unscrupulous” use of their platforms to carry out fraud, distribute pornography and spread malicious rumors.

    China’s government already exercises widespread controls over the internet. It argues tough restrictions are needed to ensure security in the face of rising threats like terrorism, irking some foreign governments and business groups who say that the controls affect trade.

    Reply
  15. Tomi Engdahl says:

    Dissent Doe / The Daily Dot:
    655K patient records from three healthcare breaches are up for sale on the dark web after hacking victims refused extortion demands — For 655,000 patients who were enjoying a quiet Sunday, life may become a lot more complicated. Their personal, medical, and insurance information is up for sale in a forum on the dark net.

    655,000 patient records for sale on the dark net after hacking victims refuse extortion demands
    http://www.dailydot.com/politics/655000-patient-records-dark-net/

    For 655,000 patients who were enjoying a quiet Sunday, life may become a lot more complicated. Their personal, medical, and insurance information is up for sale in a forum on the dark net.

    Early on Sunday, “TheDarkOverlord” listed three databases for sale on TheRealDeal market. None of the victim entities from which the databases were stolen were named, but the database descriptions included geographic area.

    The first database was listed as a “Healthcare Database (48,000 Patients) from Farmington, Missouri, United States.” Priced at about $100,000, the database contains patient information including first and last name; middle initial; postal address; Social Security number; date of birth; gender; marital status; email address; and home, work, and cellphone numbers. The Daily Dot was able to obtain a small sample of unredacted data from this database. Some of the data, such as addresses and phone numbers, were found to be out of date when we attempted to verify the data, but we were able to verify some of it.

    The second database was described as “(210,000 Patients) from Central/Midwest United States.” The seller comments, “it was retrieved from a severely misconfigured network using readily available plaintext usernames and passwords.”

    Priced at $200,000, this database includes Social Security numbers, first and last names, middle initial, gender, date of birth, and postal address.

    The third database was described as “Healthcare Database (397,000 Patients) from Atlanta, Georgia, United States:”

    Priced at $400,000, this database contains a lot more fields, including primary and secondary health insurance and policy numbers.

    “I found several exploits to remotely access the SRSSQL servers,” he claimed in a private chat. “It was like stealing candy from a baby.”

    Reply
  16. Tomi Engdahl says:

    25,000 malware-riddled CCTV cameras form network-crashing botnet
    Watching us and borking you
    http://www.theregister.co.uk/2016/06/28/25000_compromised_cctv_cameras/

    A massive network of hacked CCTV cameras is being used to bring down computers around the world, we’re told.

    The unusual 25,000-strong botnet was apparently spotted by US security outfit Sucuri when it investigated an online assault against an ordinary jewelry store.

    The shop’s website was flooded offline after drowning in 35,000 junk HTTP requests per second. When Sucuri attempted to thwart the network tsunami, the botnet stepped up its output and dumped more than 50,000 HTTP requests per second on the store’s website.

    When the security biz dug into the source of the duff packets, it found they were all coming from internet-connected CCTV cameras – devices that had been remotely hijacked by miscreants to attack other systems.

    “It is not new that attackers have been using IoT devices to start their DDoS campaigns, however, we have not analyzed one that leveraged only CCTV devices and was still able to generate this quantity of requests for so long,” said Daniel Cid, CTO of Sucuri.

    There’s not a lot victims can do to avoid this botnet other than buying more internet-facing bandwidth or putting their servers behind large anti-DDoS services. The only way to truly stop the assaults is to get the camera operators to patch their own systems.

    With the Internet of Things growing, this problem is only going to get worse.

    Reply
  17. Tomi Engdahl says:

    US hospitals hacked with ancient exploits
    Deliberately doused vulns the right medicine for XP backdoor bliss
    http://www.theregister.co.uk/2016/06/28/medjack/

    Attackers have popped three prominent US hospitals, using deliberately ancient malware so old that it slips under the radar of modern security controls to compromise Windows XP boxes and gain network beachheads.

    The attacks were foiled using deceptive honeypot-style frameworks, according to California-based TrapX.

    Hospitals were attacked between late 2015 and early this year, potentially compromising medical systems such as x-ray machines, and fluoroscopy radiology systems.

    TrapX detailed the attacks in its paper MEDJACK.2 Hospitals Under Siege [PDF] describing how the three hospitals contained a “multitude of backdoors and botnet connections” under attacker control.

    “The malware utilized for this attack was specifically selected to exploit older versions of Windows,” TrapX researchers wrote of the attacks.

    Reply
  18. Tomi Engdahl says:

    Eat my reports! Bart ransomware slips into PCs via .zip’d JavaScript
    ¡Ay caramba!
    http://www.theregister.co.uk/2016/06/28/bart_ransomware/

    The cybercrooks behind ransomware Dridex and Locky have started distributing a new file-scrambling software nasty dubbed Bart.

    Bart has a payment screen just like Locky’s, and encrypts documents without first connecting to a remote command-and-control server to receive its orders. Bart may therefore be able to encipher Windows PC filesystems behind corporate firewalls that would otherwise block such malicious traffic.

    Miscreants are pushing the Bart ransomware onto PCs via RockLoader. This precursor malware is distributed as script code in email attachments, says security firm Proofpoint.

    “Proofpoint researchers detected a large campaign with .zip attachments containing JavaScript code,” the biz explained.

    “If opened, these attachments download and install the intermediary loader RockLoader (previously discovered by Proofpoint and used with Locky), which in turn downloads the new ransomware called ‘Bart’.”

    Reply
  19. Tomi Engdahl says:

    Proxy.sh hints at gag order after VPN node is withdrawn from warrant canary
    Company promises to commit “corporate seppuku” if need be.
    http://arstechnica.co.uk/tech-policy/2016/06/proxy-sh-warrant-canary-gag-order-vpn/

    The Seychelles-based VPN provider Proxy.sh has withdrawn an exit node from its warrant canary—a statement certifying that “to the date of publication, no warrants, searches, or seizures that have not been reported in our Transparency Report, have actually taken place.”

    The blog post in question simply states: “We would like to inform our users that we do not wish any longer to mention France 8 (85.236.153.236) in our warrant canary until further notice.” The statement implies that the France 8 node has been subject to a warrant, but that a gag order forbids Proxy.sh from revealing that fact directly.

    “We recommend our users to no longer connect to it. We are striving to do whatever it takes to include that node into our warrant canary again.”

    Significantly, the policy now includes the following section: “We are based in the Republic of Seychelles and if any domestic law or constraint contradicts our mission and values, we will not hesitate to relocate into another location. Additionally, if we cannot find a right location to strive for such principles, we will submit ourselves to ‘Corporate Seppuku’. We will close business and provide refund to all our present customers within the cash budget we have at our disposal.”

    Reply
  20. Tomi Engdahl says:

    From file-sharing to prison: A Megaupload programmer tells his story
    Programmer Andrew Nõmm: “I had to be made an example of as a warning to all IT people.”
    http://arstechnica.com/tech-policy/2016/06/from-file-sharing-to-prison-a-megaupload-programmer-tells-his-story/

    Soon after the domain was registered in Hong Kong, the now-defunct Megaupload.com grew into one of the world’s most popular file-sharing sites. At its peak, the site engaged nearly 50 million users a day and took up around four percent of the world’s Internet traffic. Users uploaded nearly 12 billion files overall.

    But the infamy of the site’s rise is only matched by the infamy of its fall. In January 2012, US authorities closed down Megaupload.com and the network related to it. The feds arrested seven people and froze $50 million in assets.

    Take for instance self-taught programmer Andrus Nõmm. The now 37-year-old grew up in a small Estonian town called Jõhvi. When he built up the Mega advertising platform Megaclick and the video hosting service Megavideo, Nõmm earned as much as $10,000 a month—more than he could’ve ever imagined as a child. But when US authorities came after the entire Megaupload operation, suddenly he found himself in the middle of the world’s most sensational criminal copyright infringement scandal.

    Nõmm pleaded guilty to felony copyright infringement and was sentenced to a year and a day in a US federal prison. The US Attorney General’s office called the conviction, “a significant step forward in the largest criminal copyright case in US history.” In court documents, Nõmm acknowledged the financial harm to copyright holders “exceeded $400 million.”

    While in prison, Nõmm’s teenage son and Turkish wife lived through all of this drama back in their home in Izmir, Turkey. Today, Nõmm is back with them. He’s a free man looking to set his life back on track.

    Deep down, did you feel guilty of anything?

    I still think I shouldn’t have been on the list of defendants.

    Reply
  21. Tomi Engdahl says:

    Edward Snowden is not a fan of Russia’s ‘Big Brother’ bill
    “It’s an unworkable, unjustifiable violation of rights.”
    https://www.engadget.com/2016/06/27/edward-snowden-is-not-a-fan-of-russia-s-big-brother-bill/

    With Russia about to pass a law that will make it even more Orwellian than it already is, one of the nation’s most famous residents has chimed in. Edward Snowden tweeted that “Russia’s new Big Brother law is an unworkable, unjustifiable violation of rights that should never be signed.” The NSA whistleblower added that “mass surveillance doesn’t work. This bill will take money and liberty from every Russian without improving safety.”

    The legislation will force service providers to decrypt all messages, something telecoms in the nation say will be unreasonably expensive to implement. It also means that anyone who voices approval for terrorism on social networks can get up to seven years in prison, and it’ll soon be a crime to not report information about terrorist attacks.

    Snowden has been criticized for hypocrisy by seeking asylum in a country with a checkered record on human rights, especially in recent years under President Vladimir Putin.

    ‘Store 6 months of content’ is not just dangerous, it’s impractical. What is that, [around] 100PB of storage for even a tiny … ISP?

    Reply
  22. Tomi Engdahl says:

    Concrete Problems in AI Safety
    https://arxiv.org/pdf/1606.06565v1.pdf

    Rapid progress in machine learning and artificial intelligence (AI) has brought increasing attention to the potential impacts of AI technologies on society.

    In this paper we discuss one such potential impact: the problem of accidents in machine learning systems, defined as unintended and harmful behavior that may emerge from poor design of real-world AI systems.

    Reply
  23. Tomi Engdahl says:

    We are “US e-citizens” – these five companies know what you’re doing and where you’re going

    “The Internet has become the world’s largest spy ring,” warns the Internet inventor Tim Berners-Lee.

    Do you use Google, Apple, Amazon, Facebook, or Microsoft’s services? The answer is yes, if you are using a mobile device or computer.

    These companies know what you do, what you buy and what you spend, as well as when, where and from which IP address you use different services.

    Google accounts for 40 per cent of all Internet traffic, according to experts. Facebook has a similar share on smartphones. Together these companies collect two-thirds of online advertising revenue.

    More than half of Internet traffic now takes place via smartphones, a step into a more closed environment, as Google’s Android and Apple’s iOS operating systems dominate the mobile world almost completely.

    Digital services use data uploaded to cloud services, which are dominated by Amazon, Microsoft and Google.

    Traditionally, states have kept track of their citizens in a population register. Now companies know more about us.

    As economic activity and the physical and digital worlds integrate, identity-related trust is becoming a key part of working and acting in everyday life.

    Professor of cyber security Jarno Limnéll has described how physical and digital security are now an integral part of each other.

    George Orwell wrote of a world where power sits at the top with Big Brother, where telescreens in homes continuously monitor residents and the surroundings are full of hidden microphones.

    Orwell currently seems to be turning over in his grave.

    Source: http://www.tivi.fi/Kaikki_uutiset/olemme-usa-n-e-kansalaisia-nama-viisi-yritysta-tietavat-mita-teet-ja-mihin-menet-6562810

    Reply
  24. Tomi Engdahl says:

    Medicos could be world’s best security bypassers, study finds
    Hospitals plastered with password sticky notes
    http://www.theregister.co.uk/2016/06/27/medicos_could_be_worlds_best_security_bypassers_study_finds/

    Medicos are so adept at mitigating security controls that their bypassing exploits have become official policy, a university-backed study has revealed.

    The work finds that nurses, doctors, and other medical workers will so often bypass information security controls in a bid to administer rapid health care that the shortcuts are taught to other staff.

    It is built on face-to-face and phone interviews with hundreds of medical workers, chief technology officers, and 19 security boffins by an academic team of Sean Smith and Vijay Kothari of Dartmouth College, Ross Koppel of the University of Pennsylvania, and Jim Blythe of the University of Southern California.

    “We find, in fact, that workarounds to cyber security are the norm, rather than the exception,” the team writes in the paper Workarounds to Computer Access in Healthcare Organisations: You Want My Password or a Dead Patient?

    “They not only go unpunished, they go unnoticed in most settings — and often are taught as correct practice.

    “Cyber security efforts in healthcare settings increasingly confront workarounds and evasions by clinicians and employees who are just trying to do their work in the face of often onerous and irrational computer security rules.”

    “Entire hospital units” have shared a single login for a medical device. Passwords are plastered everywhere on sticky notes, some on the back of official advice from tech vendors.

    It is part of what the quartet call “endemic circumvention” of password authentication.

    The team says healthcare workers are some of the most creative in bypassing controls given their critical mission of healthcare delivery.

    Workarounds to Computer Access in Healthcare Organizations: You Want My Password or a Dead Patient?
    http://www.cs.dartmouth.edu/~sws/pubs/ksbk15-draft.pdf

    Reply
  25. Tomi Engdahl says:

    Hacker sells 10 million patient records

    The hacker claims to have stolen up to 10 million individual patient records. The gigantic data package is on sale on the dark web.

    A hacker operating as TheDarkOverlord posted a dubious sales listing on the trading venue The Real Deal. The marketplace is only accessible via a Tor connection.

    The patient information includes names, addresses, dates of birth and social security numbers. With these, criminals can commit identity theft and cheat their way to other private data.

    The majority, 9.3 million patient records, comes from a large American life insurance company.
    Three other data sets come from American health care operators. The data was acquired using stolen usernames and passwords.

    The sales price is 1,280 Bitcoin, which is equivalent to about $830,000, or approximately EUR 750,000.

    Source: http://www.tivi.fi/Kaikki_uutiset/hakkeri-myy-10-miljoonaa-potilastietoa-hinta-on-kova-6562971

    Reply
  26. Tomi Engdahl says:

    Ingrid Lunden / TechCrunch:
    Cisco to acquire API-based app security startup CloudLock for $293M
    https://techcrunch.com/2016/06/28/cisco-to-acquire-api-based-security-startup-cloudlock-for-293m/

    Twilio isn’t the only company banking on API-based services as the way forward for enterprises. Today, Cisco announced it plans to pay $293 million in a mix of cash and equity to acquire CloudLock, a cloud-based security provider that uses APIs to let enterprises apply and monitor security on documents and other content that they share and store in cloud-based applications.

    CloudLock works with Office365, Google Drive, and Salesforce applications, among thousands of other apps and software. Its focus is on offering security and enforcing policies to protect documents, regardless of device used to access it, and allowing for specific controls based on location. In that regard, CloudLock is tapping into another big trend beyond the use of APIs to implement services: that of “consumerization” in IT, where people are using their own (unsecured) devices for work purposes, and in a range of environments from their homes to places where they are connecting by (also unsecured) public WiFi networks. The company has more than 700 customers, Cisco says.

    Reply
  27. Tomi Engdahl says:

    Libarchive Security Flaw Discovered
    http://www.linuxjournal.com/content/libarchive-security-flaw-discovered

    When it comes to security, everyone knows you shouldn’t run executable files from an untrustworthy source. Back in the late 1990s, when web users were a little more naive, it was quite common to receive infected email messages with fake attachments.

    The attachments usually were disguised as images or mp3s, but a quick look would tell you they were executables. Nevertheless, the promise of illicit images often overwhelmed common sense, and millions of machines were infected.

    Since then, we’ve learned not to open dodgy executable files. But other file types are okay, right? Surely nothing bad could happen if you opened an archive and looked inside it?

    Well, it turns out that very bad things can happen—even to Linux users. You don’t have to run an executable file compressed in the archive, just opening or decompressing the archive is enough.

    How can this happen? It’s because of a security flaw in a popular library used by many projects. The library is used in file managers, archive browsers, office software, package managers and many other places too. It’s present in open-source software and proprietary applications.

    Libarchive is an open-source library that can create and read archives in a range of different formats. It’s a very popular library, and it’s used in hundreds of applications on several operating systems, including Linux, Chrome OS and OS X. And on Tuesday, June 21, 2016, Cisco’s Talos team revealed that it contains three serious security flaws.

    The Poisoned Archives
    http://blog.talosintel.com/2016/06/the-poisoned-archives.html

    Reply
  28. Tomi Engdahl says:

    US Senator Wyden: Why I had to halt FBI’s latest internet spying push
    He tells El Reg he’ll never surrender on privacy
    http://www.theregister.co.uk/2016/06/28/wyden_blocks_intelligence_authorization_bill_to_stop_fbi_internet_surveillance/

    US Senator Ron Wyden (D-OR) has placed a hold on the 2017 Intelligence Authorization Bill – because it would allow the FBI to snoop on people’s browser histories without a court order, and weakens oversight of the intelligence community.

    The bill as it stands would allow the Feds to use National Security Letters (NSLs) – which don’t require a court order – to monitor a suspect’s internet activity, including which websites they visit and how long they stay on them.

    Reply
  29. Tomi Engdahl says:

    China cybersec legislation inches towards law
    Controversial regulation gets second reading
    http://www.theregister.co.uk/2016/06/29/china_cybersec_legislation_inches_towards_law/

    China has moved ahead with new Internet censorship security laws, with its upcoming cybersecurity bill getting a second reading in the country’s legislature.

    Official news agency Xinhua says under the law, network operators will have to “comply with social and business ethics and accept supervision by both government and the public”.

    The law also calls on the government to be more forceful in responding to security threats from abroad, the Xinhua report says.

    That draft gave the Cyberspace Administration the right to shut down Internet access during “major” security incidents.

    Reply
  30. Tomi Engdahl says:

    Man-in-the-middle biz Blue Coat bought by Symantec: Infosec bods are worried
    HTTPS-buster and root cert bods joining up? Hmm
    http://www.channelregister.co.uk/2016/06/14/symantec_blue_coat_analysis/

    Symantec’s deal to buy Blue Coat, the controversial web filtering firm, for $4.65bn will bolster its enterprise security business.

    But some security experts are concerned about the potential for conflict of interest created by housing Symantec’s digital certificate business and Blue Coat’s man-in-the-middle SSL inspection technologies under the same roof. Business dealings between the two firms have already prompted cause for concern.

    Blue Coat sells a range of web and network security appliances and technologies such as ProxySG, a technology that offers content filtering, authentication and caching functionality. One of its products is an SSL Visibility Appliance, which sits in the middle of encrypted traffic flows in order to identify threats (such as botnet communications, data exfiltration by hackers and so on).

    Blue Coat technology masquerades as legit websites while Symantec, who bought VeriSign’s certification business six years ago, is the biggest provider of SSL certificates.

    Reply
  31. Tomi Engdahl says:

    The Latest Android Overlay Malware Spreading via SMS Phishing in Europe
    https://www.fireeye.com/blog/threat-research/2016/06/latest-android-overlay-malware-spreading-in-europe.html

    In April 2016, while investigating a Smishing campaign dubbed RuMMS that involved the targeting of Android users in Russia, we also noticed three similar Smishing campaigns reportedly spreading in Denmark (February 2016), in Italy (February 2016), and in both Denmark and Italy (April 2016).

    Unlike the RuMMS campaign, these three campaigns in Europe used view overlay techniques (the same technique we described being used by SlemBunk malware) to present nearly identical credential input UIs as seen in benign apps, subsequently tricking unwary users into providing their banking credentials.

    Reply
  32. Tomi Engdahl says:

    Brexit: What Does it Mean for Cybersecurity and Privacy?
    http://www.securityweek.com/brexit-what-does-it-mean-cybersecurity-and-privacy

    The British decision to leave the European Union seems to have surprised everyone and caused knee-jerk reactions around the world. The immediate response has sent the pound tumbling and raised suggestions that Britain is now a sitting target for cyber criminals. Let’s start with the facts. Firstly, Britain is not yet leaving the EU. The referendum has only advisory status on the government, and only the government can choose to leave.

    The primary security concerns revolve around General Data Protection Regulation (GDPR) issues, a loss of threat intelligence cooperation with Europe, an increasing cost of security (because of the falling value of the pound), and the loss of access to European technical expertise. Each one of these should be considered rationally.

    Reply
  33. Tomi Engdahl says:

    Android Malware Targets Europe via Smishing Campaigns
    http://www.securityweek.com/android-malware-targets-europe-smishing-campaigns

    Over the past few months, researchers at FireEye have observed several smishing campaigns whose goal was to deliver Android malware to users in Europe.

    Between February and June 2016, the security firm spotted five smishing, or SMS phishing, operations targeting people in Denmark, Italy, Germany, Austria and possibly some other European countries.

    Researchers have identified a total of 55 malicious binaries used in these campaigns. The attackers set up command and control (C&C) servers, uploaded the Android malware to hosting websites, and then sent out links in SMS messages in an effort to trick recipients into installing the malware on their devices.

  34. Tomi Engdahl says:

    Hard Rock Hotel & Casino Hit By PoS Malware
    http://www.securityweek.com/hard-rock-hotel-casino-hit-pos-malware

    Memory Scraping Point-of-Sale Malware Infects Hard Rock Hotel & Casino Las Vegas…Again.

    Hard Rock Hotel & Casino Las Vegas said on Monday that hackers managed to access customer payment card data through card scraping malware installed on systems running the resort’s payment card system.

    The gaming resort said it was tipped off after receiving reports of fraudulent activity associated with payment cards used at its Las Vegas location.

    After hiring an un-named cybersecurity firm to investigate the breach, it was determined in May that hackers managed to access the resort’s payment card environment.

  35. Tomi Engdahl says:

    U.S. Government Expands Authority in Cyberspace
    http://www.securityweek.com/us-government-expands-authority-cyberspace

    DHS Proposal Requests Visitors Provide Social Media Account Names

    The US government is continuing its quest for greater authority in cyberspace in order to fight crime and protect national security, despite its failure to force Apple to provide access to iPhones earlier this year. Current proposals include changes to Rule 41 of the Federal Rules of Criminal Procedure; a proposal by Senate Majority Leader Mitch McConnell to expand the scope of national security letters (NSLs); and a proposal from the U.S. Customs and Border Protection agency (part of DHS) for visitors to America to provide social media details.

  36. Tomi Engdahl says:

    Air-Gapped Systems Vulnerable to Data Exfiltration via Fan-Controlling Malware, According to Israeli Researchers
    http://www.hotforsecurity.com/blog/air-gapped-systems-vulnerable-to-data-exfiltration-via-fan-controlling-malware-according-to-israeli-researchers-14176.html

    New research into data exfiltration by compromising air-gapped systems has proven that malware can control the acoustic waveform emitted by a CPU’s cooling fan to transmit audio binary data to a remote microphone up to eight meters away.

    While previous vulnerabilities in air-gapped systems have been reported and suspected to have been used in the wild, Fansmitter (as it’s called by the researchers) poses new risks as it demonstrates once again that malware can communicate by transmitting sonic and ultrasonic signals, without requiring specialized hardware, such as built-in speakers.

    “Using our method we successfully transmitted data from air-gapped computer without audio hardware, to a smartphone receiver in the same room,” reads the paper’s submission. “We demonstrated the effective transmission of encryption keys and passwords from a distance of zero to eight meters, with bit rate of up to 900 bits/hour.”

    Fansmitter: Acoustic Data Exfiltration from (Speakerless) Air-Gapped Computers
    http://arxiv.org/abs/1606.05915

  37. Tomi Engdahl says:

    Don’t Become a Cybersecurity Data Pack Rat
    http://www.securityweek.com/dont-become-cybersecurity-data-pack-rat

    Enterprise Security Teams Must Think More About How to Reduce Big Data Into Real-time Answers

    Security teams are always looking for new and efficient ways to find threats, and the emerging field of security analytics is proving to be one of the most promising areas of innovation. Security analytics encompasses a wide range of analytical techniques which can be performed on an equally diverse set of data sources, such as network traffic, host-based indicators, or virtually any type of event log.

    In many ways this description sounds like a version of big data analytics – the analysis of very large data sets to find unexpected correlations. However, while big data is obviously a powerful tool, it is not a silver bullet for every problem. When it comes to finding active attacks, too much data can actually overwhelm staff to the point that threats get lost in the noise. Without a clear notion of how to use the data, a big-data security analytics project can turn IT teams into the cybersecurity version of a pack rat, with data piled up to the point that it becomes unusable and paralyzes the organization.

  38. Tomi Engdahl says:

    Hackers using Google Dorking Tool for Mayhem
    http://www.kamranmohsin.com/hackers-using-google-dorking-tool-mayhem/

    It is already known that hackers have been active for a long time. These hackers are constantly looking for vulnerabilities that they can exploit to gain unauthenticated access to groups of networks that may include industrial control systems, financial data, etc. Google Dorking is the latest toolkit for hackers to exploit any vulnerable website.

    Google dorking is very much used to find vulnerable websites or systems that could be easily exploited with malicious code. Google helps in this case and pretty much shares the results with us. Now the question arises how it works and how to stop the exposure or disclosure of such information.

    It was acknowledged at last week’s Gartner Security and Risk Management Summit in National Harbor, MD, where analysts Sid Deshpande and Ruggero Contu revealed that the global IT security spend will reach $92 billion in 2016 and is expected to grow to $116 billion by 2019. Despite these huge investments in perimeter defense, the industry is still struggling to get a leg up on cyber-attackers. The steady stream of data breaches at Hyatt, DNC, Twitter, SWIFT, and others continues to raise doubts about the effectiveness of these investments.

    How could an organization minimize the risk of being hacked via Google Dorking?

    After a research, we placed some techniques to reduce the risks of being hacked via Google Dorking:

    1. Avoid Putting Sensitive Information on the Internet – The underlying threat associated with Google Dorking is that search engines are constantly scanning the Internet, monitoring, and indexing every device, port, and unique IP address connected to the Web.

    2. Exclude Sensitive Websites / Pages from Search Index – Make sure that websites / pages that contain sensitive information cannot be indexed by search engines.

    3. Use Google Dorking for Web Vulnerability Testing – Implement routine Web vulnerability testing as part of your standard security practices and turn Google Dorking into your own pro-active security tool using online repositories like the Google Hacking Database (GHDB), which documents the expanding number of search terms for files containing usernames, vulnerable servers, and even files containing passwords.

    Google Hacking Database (GHDB)
    Your Home for “googledorks”
    https://www.offensive-security.com/community-projects/google-hacking-database/

    Originally created by Johnny Long of Hackers for Charity, the Google Hacking Database (GHDB) is an authoritative source for querying the ever-widening reach of the Google search engine. In the GHDB, you will find search terms for files containing usernames, vulnerable servers, and even files containing passwords.

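    The second mitigation above (keep sensitive pages out of the search index) is easy to get subtly wrong, so here is an added audit script for this thread, not code from the article or from the GHDB project. It checks the three signals search engines honour, a robots.txt Disallow rule, an X-Robots-Tag response header and a `<meta name="robots">` tag, against constructed sample responses, and it also flags the case indexing controls can never fix: a page served without authentication. All hostnames, paths and responses are made up for the demonstration.

```python
"""Audit whether a page that holds sensitive data is kept out of search indexes.

Added example for this thread, not code from the article or from the GHDB
project.  It checks the three signals search engines honour -- a robots.txt
Disallow rule, an X-Robots-Tag response header and a <meta name="robots">
tag -- against constructed sample responses, and flags the one case indexing
controls can never fix: a page served without authentication.  All hostnames,
paths and responses below are made up for the demonstration.
"""
import re
from urllib.parse import urlparse

NOINDEX = re.compile(r"\bnoindex\b", re.IGNORECASE)
META_ROBOTS = re.compile(r'<meta\s[^>]*name\s*=\s*["\']robots["\'][^>]*>', re.IGNORECASE)
META_CONTENT = re.compile(r'content\s*=\s*["\']([^"\']*)["\']', re.IGNORECASE)


def robots_blocks(robots_txt, path, agent="*"):
    """True if a Disallow prefix in the group for `agent` (or '*') matches `path`.

    Simplified robots.txt matcher: prefix match only, no wildcards or Allow lines.
    """
    applies = False
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "user-agent":
            applies = value.lower() in (agent.lower(), "*")
        elif key == "disallow" and applies and value and path.startswith(value):
            return True
    return False


def header_noindex(headers):
    """True if an X-Robots-Tag header carries a noindex directive."""
    return any(name.lower() == "x-robots-tag" and NOINDEX.search(value)
               for name, value in headers.items())


def meta_noindex(html):
    """True if the HTML body carries <meta name="robots" content="...noindex...">."""
    for tag in META_ROBOTS.findall(html):
        match = META_CONTENT.search(tag)
        if match and NOINDEX.search(match.group(1)):
            return True
    return False


def audit_page(url, robots_txt, headers, html, requires_auth):
    """Return a list of findings for one page; an empty list means no issue found."""
    path = urlparse(url).path or "/"
    crawl_blocked = robots_blocks(robots_txt, path)
    noindex = header_noindex(headers) or meta_noindex(html)
    findings = []
    if not crawl_blocked and not noindex:
        findings.append("indexable: no robots.txt Disallow, X-Robots-Tag or meta noindex")
    if crawl_blocked and noindex:
        # A crawler that is disallowed never fetches the page, so it never sees
        # the noindex directive; the URL can still be listed if linked elsewhere.
        findings.append("robots.txt blocks crawling, so the noindex directive is never read")
    if not requires_auth:
        findings.append("served without authentication: indexing controls do not restrict access")
    return findings


# Constructed sample site: robots.txt plus four responses as (headers, body, needs auth?).
SAMPLE_ROBOTS = "User-agent: *\nDisallow: /backup/\nDisallow: /admin/\n"
SAMPLE_PAGES = {
    "https://intranet.example/reports/q1.xlsx": ({"Content-Type": "application/vnd.ms-excel"}, "", False),
    "https://intranet.example/backup/db.sql": ({"Content-Type": "application/sql"}, "", False),
    "https://intranet.example/hr/payroll": ({"X-Robots-Tag": "noindex, nofollow"}, "<html></html>", True),
    "https://intranet.example/admin/login": ({}, '<meta name="robots" content="noindex">', True),
}


def audit_samples():
    """Run the audit over the constructed sample site; returns {url: findings}."""
    return {url: audit_page(url, SAMPLE_ROBOTS, headers, body, auth)
            for url, (headers, body, auth) in SAMPLE_PAGES.items()}


if __name__ == "__main__":
    for url, findings in audit_samples().items():
        print(url, "->", findings or ["ok"])
```

    The last check is the one that matters most: robots.txt and noindex only ask well-behaved crawlers to stay away, and a dork query succeeds precisely because the content was reachable without credentials. Treat an "indexable" finding as a prompt to check who can fetch the page at all, not just whether search engines list it.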
  39. Tomi Engdahl says:

    Dan Goodin / Ars Technica:
    Google Project Zero researchers uncover severe vulnerabilities in 25 Symantec and Norton products, exposing millions of users; patches issued — If you use a Symantec or Norton product, now would be a good time to update. — Much of the product line from security firm Symantec contains …

    High-severity bugs in 25 Symantec/Norton products imperil millions
    If you use a Symantec or Norton product, now would be a good time to update.
    http://arstechnica.com/security/2016/06/25-symantec-products-open-to-wormable-attack-by-unopened-e-mail-or-links/

    Much of the product line from security firm Symantec contains a raft of vulnerabilities that expose millions of consumers, small businesses, and large organizations to self-replicating attacks that take complete control of their computers, a researcher warned Tuesday.

    “These vulnerabilities are as bad as it gets,” Tavis Ormandy, a researcher with Google’s Project Zero, wrote in a blog post. “They don’t require any user interaction, they affect the default configuration, and the software runs at the highest privilege levels possible. In certain cases on Windows, vulnerable code is even loaded into the kernel, resulting in remote kernel memory corruption.”

    The post was published shortly after Symantec issued its own advisory, which listed 17 Symantec enterprise products and eight Norton consumer and small business products being affected.

    The flaws reside in the engine the products use to reverse the compression tools malware developers use to conceal their malicious payloads. The unpackers work by parsing code contained in files before they’re allowed to be downloaded or executed. Because Symantec runs the unpackers directly in the operating system kernel, errors can allow attackers to gain complete control over the vulnerable machine. Ormandy said a better design would be for unpackers to run in a security “sandbox,” which isolates untrusted code from sensitive parts of an operating system.

  40. Tomi Engdahl says:

    Efe Kerem Sözeri / Vocativ:
    Turkish government bans publication of news, interviews, visuals about Istanbul bombing — Once again, Turkey’s government has cracked down on media after a terror attack — Less than an hour after a coordinated suicide attack on Istanbul’s Ataturk Airport that left dozens dead and many more wounded …

    Turkey Blocks News Sites, Twitter, Facebook After Deadly Attack
    Once again, Turkey’s government has cracked down on media after a terror attack
    http://www.vocativ.com/334890/turkey-blocks-news-sites-twitter-facebook-after-deadly-attack/

    Less than an hour after a coordinated suicide attack on Istanbul’s Ataturk Airport that left dozens dead and many more wounded, Turkey’s government resumed a tactic frequently seen since last summer: a gag order for the country’s media outlets. Less than an hour later, watchdog groups reported Twitter and Facebook were inaccessible inside the country.

    The order, issued by the Turkish Prime Minister’s office on the grounds of “national security and public order,” bans sharing of any visuals of the moment of explosion, blast scene, emergency work, of the wounded and dead, or any “exaggerated narrative” about the scene. It also bans the act of sharing any information about the suspects.

  41. Tomi Engdahl says:

    Jon Fingas / Engadget:
    Mozilla launches Codemoji, a web-based game that illustrates how ciphers work through emoji — Sure, people will tell you that encryption is important to maintaining your online privacy, but how do you wrap your head around the concept? Mozilla wants to help.

    Mozilla made a game to teach you the basics of encryption
    Codemoji turns ciphers into an emoji messaging system.
    https://www.engadget.com/2016/06/28/mozilla-encryption-game/

    Sure, people will tell you that encryption is important to maintaining your online privacy, but how do you wrap your head around the concept? Mozilla wants to help. It’s introducing a web-based game, Codemoji, that illustrates how ciphers work through emoji.

    https://learning.mozilla.org/codemoji/#/welcome

  42. Tomi Engdahl says:

    Global terror database World-Check leaked
    Thomson Reuters ‘working furiously’ to secure 2.2 million sensitive records
    http://www.theregister.co.uk/2016/06/29/global_terror_database_worldcheck_leaked_online/

    The terrorist database used by global banks and intelligence agencies World-Check has reportedly leaked online.

    The mid-2014 version of the database contains some 2.2 million records and is used by 49 of the world’s 50 largest banks, along with 300 government and intelligence agencies.

    The Thomson Reuters database is accused of falsely designating citizens and organisations as terrorists. Banks have used this data in whole or in part to shutter accounts, effectively locking people out of vast swathes of the global banking system.

    Established security researcher Chris Vickery found the database and told The Register it is still exposed online after he disclosed its location to Thomson Reuters.

    “As far as I know, the original location of the leak is still exposed to the public internet,” Vickery says. “Thomson Reuters is working feverishly to get it secured.”

    Thomson Reuters says it will provide citizens and organisations information about their designation on individual request.

    Thomson Reuters requests that banks and other customers use multiple sources alongside World-Check and requests that the secretive database not be cited in any public decision-making materials.

    Vickery has reported recent large-scale breaches including information on 93 million Mexican voters in April. The records were exposed thanks to a configuration error in a MongoDB database.

    He also earlier revealed the exposure of 13 million records of MacKeeper, Zeobit, and Kromtech, and some 1700 records of children from website uKnowKids.

  43. Tomi Engdahl says:

    You know how that data breach happened? Three words: eBay, hard drives
    Social Security Numbers, financial data, CVs and more
    http://www.theregister.co.uk/2016/06/28/ebay_hard_drives_still_contain_sensitive_data_study/

    Users are unwittingly selling sensitive and unencrypted data alongside their devices through the likes of eBay and Craigslist.

    Secure data erasure firm Blancco Technology Group (BTG) purchased 200 second-hand hard disk drives and solid state drives before conducting a forensic analysis to find out what data was recoverable. Two-thirds (67 per cent) contained personally identifiable information and 11 per cent contained sensitive company information, it said. The data found includes social security numbers, CVs, company emails, CRM records, spreadsheets containing sales projections and product inventories.

    Blancco experts found company emails on nine per cent of the drives, followed by spreadsheets containing sales projections and product inventories (five per cent) and CRM records (one per cent).

    Two in five of the drives (36 per cent) showed evidence of an attempt to delete data

    Out of the 200 used HDDs and SSDs, only 10 per cent had a secure data erasure method performed on them.

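    The gap the study measured, between the 36 per cent of drives where someone had tried to delete data and the 10 per cent that were actually erased, comes down to what deletion does. This added example for the thread (not code from Blancco or The Register) shows the difference at file level: a plain delete only drops the directory entry, while erasure first replaces the bytes on disk. The file name and contents are constructed for the demonstration.

```python
"""Overwrite a file in place before unlinking it.

Added example for this thread, not code from the Blancco study or The Register
article.  It shows the difference the study measured: a plain delete only drops
the directory entry, while secure erasure first replaces the bytes on disk.
The file name and contents are constructed for the demonstration.
"""
import os
import secrets
import tempfile


def overwrite_in_place(path, passes=1, chunk_size=1 << 16):
    """Replace every byte of `path` with random data, flushing to disk after each pass.

    Returns the number of bytes overwritten per pass.
    """
    size = os.path.getsize(path)
    with open(path, "r+b", buffering=0) as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                written = fh.write(secrets.token_bytes(min(chunk_size, remaining)))
                remaining -= written
            fh.flush()
            os.fsync(fh.fileno())  # make sure the new blocks reach the device
    return size


def secure_delete(path, passes=1):
    """Overwrite `path`, then unlink it; returns the number of bytes overwritten."""
    size = overwrite_in_place(path, passes)
    os.remove(path)
    return size


def demo(secret=b"SSN 123-45-6789, salary 85000\n"):
    """Write a constructed record, erase it, and report what could be read back.

    Returns (secret_found_after_overwrite, file_exists_after_delete).
    """
    fd, path = tempfile.mkstemp(prefix="erase-demo-")
    with os.fdopen(fd, "wb") as fh:
        fh.write(secret * 100)
    overwrite_in_place(path)
    with open(path, "rb") as fh:
        found = secret in fh.read()  # the record is gone before the unlink
    secure_delete(path)
    return found, os.path.exists(path)


if __name__ == "__main__":
    print(demo())  # expected (False, False)
```

    File-level overwriting is the right idea but not a complete answer for a drive about to be sold: copy-on-write and journaling filesystems, snapshots and SSD wear levelling can all keep the old blocks around where a new write never reaches them. For a whole device, use the drive's own sanitize command (ATA Secure Erase, NVMe Format/Sanitize) or full-disk encryption with the key destroyed, and then verify the way Blancco did, by reading the raw device back and looking for anything recoverable.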
  44. Tomi Engdahl says:

    Libarchive Security Flaw Discovered
    http://www.linuxjournal.com/content/libarchive-security-flaw-discovered

    Since then, we’ve learned not to open dodgy executable files. But other file types are okay, right? Surely nothing bad could happen if you opened an archive and looked inside it?

    Well, it turns out that very bad things can happen—even to Linux users. You don’t have to run an executable file compressed in the archive, just opening or decompressing the archive is enough.

    Libarchive is an open-source library that can create and read archives in a range of different formats. It’s a very popular library, and it’s used in hundreds of applications on several operating systems, including Linux, Chrome OS and OS X. And on Tuesday, June, 21, 2016, Cisco’s Talos team revealed that it contains three serious security flaws.

    These flaws mean that attackers can cause your PC to execute arbitrary malicious code when you open or extract an archive. All they have to do is trick you into downloading it.

    How is this possible? Each of the weaknesses revolves around a memory management error that attackers can exploit.

    The Talos team has worked with the libarchive maintainers to fix the flaws, and they have written three patches that address each issue.

    The Poisoned Archives
    http://blog.talosintel.com/2016/06/the-poisoned-archives.html

    Libarchive is an open-source library that provides access to a variety of different file archive formats, and it’s used just about everywhere. Cisco Talos has recently worked with the maintainers of libarchive to patch three rather severe bugs in the library. Because of the number of products that include libarchive in their handling of compressed files, Talos urges all users to patch/upgrade related, vulnerable software.

  45. Tomi Engdahl says:

    Congressman Wants Ransomware Attacks To Trigger Breach Notifications
    https://yro.slashdot.org/story/16/06/30/0340220/congressman-wants-ransomware-attacks-to-trigger-breach-notifications

    A powerful California congressman is pushing the federal government to treat ransomware attacks on medical facilities as data breaches and require notifications of patients. The pressure is coming from Rep. Ted Lieu (D-Calif.) and follows comments from officials at the Department of Health and Human Services about the department’s plan to issue guidance to health care organizations about ransomware attacks.

    Ransomware Attacks May Trigger Breach Notifications
    https://www.onthewire.io/ransomware-attacks-may-trigger-breach-notifications/

  46. Tomi Engdahl says:

    2 Million-Person Terror Database Leaked Online
    https://developers.slashdot.org/story/16/06/30/0255250/2-million-person-terror-database-leaked-online?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29

    A 2014 version of the World-Check database containing more than 2.2 million records of people with suspected terrorist, organized crime, and corruption links has been leaked online. The World-Check database is administered by Thomson-Reuters and is used by 4,500 institutions, 49 of the world’s 50 largest banks and by over 300 government and intelligence agencies. The unregulated database is intended for use as “an early warning system for hidden risk” and combines records from hundreds of terror and crime suspects and watch-lists into a searchable resource.

    A Reddit user named Chris Vickery says he obtained a copy of the database, saying he won’t reveal how until “a later time.”

    “Thomson Reuters is working feverishly to get it secured.”

    Global ‘terror’ database leak reveals 2.2mn people tracked by spy agencies
    https://www.rt.com/news/348874-world-check-database-leaked/

    Thomson Reuters are reportedly “working feverishly” to recover more than 2.2 million records which form their ‘World Check’ database of “heightened risk individuals and entities” used by governments, banks, and law firms around the world.

    Reddit user Chris Vickery says he obtained a copy of the database, although he won’t reveal how until “a later time.”

    Forming part of the company’s “risk management solutions,” Thomson Reuters says it’s used by more than 300 government and intelligence agencies around the world, as well as 49 of the world’s top 50 banks and nine of the top 10 global law firms.

    To access the database, customers must pay an annual subscription charge, which can reach up to $1 million, according to Vice, with potential subscribers then vetted before approval.

    Vickery says he understands that the “original location of the leak is still exposed to the public internet.”

    “Thomson Reuters is working feverishly to get it secured,”

    Described on its website as a tool to “screen for heightened risk individuals and entities globally to help uncover hidden risks in business relationships and human networks,” the company says it covers more than 240 countries and territories, and monitors more than 530 “sanction, watch, regulatory and law enforcement lists.”

    The discovery of such leaks isn’t new for Vickery, who in the last seven months alone has uncovered three major security breaches in databases.

  47. Tomi Engdahl says:

    Hackers steal $10 million from a Ukrainian bank through SWIFT loophole
    https://www.kyivpost.com/article/content/ukraine-politics/hackers-steal-10-million-from-a-ukrainian-bank-through-swift-loophole-417202.html

    Hackers have stolen $10 million from an unnamed Ukrainian bank, according to an independent IT monitoring organization.

    The Kyiv branch of ISACA, the Information Systems Audit and Control Association, reported this week that the theft had occurred via the SWIFT international banking system, the organization responsible for managing money transfers between financial institutions worldwide.

    ISACA announced the theft after being hired by a Ukrainian bank to investigate. It did not name which bank had hired it to conduct the investigation.

    “At the current moment, dozens of banks (mostly in Ukraine and Russia) have been compromised, from which has been stolen hundreds of millions of dollars,” ISACA said in a release.
