Security trends for 2016

Here are my predictions for trends in information security and cyber security for year 2016.

Year 2015 was pretty bad for information security, and I would say that the trend is worrying. So I expect that 2016 will bring many information security challenges. If you want to keep yourself up at night, spend some time reading about the latest developments in cybersecurity. In 2015 there were airplanes hacked, cars hacked, and vulnerabilities in a breathtaking range of sensitive equipment, from TSA locks to voting booths to medical devices. The big picture is even scarier. Former NSA Director Mike McConnell suspects China has hacked “every major corporation” in the US. Those problems will continue in 2016 and some new targets for attacks will be found. The system is broken. It isn’t keeping us, our companies, or our government safe. Worse yet, no one seems to know how to fix it.

Attacks through networks are becoming more common all the time. It will be hard to protect against targeted attacks. Hackers will not only customize malware, but will increasingly use sophisticated phishing and social engineering tricks to gain access to sensitive data. Attackers usually cover their tracks carefully, so identifying who is behind an attack can be very difficult. Behind targeted attacks are usually professional criminals. Criminals do not respect geographical borders, and hence attacks are spread evenly everywhere. Companies will struggle to absorb the security threats of combined PC and mobile devices in 2016.

EU information security decisions made in late 2015 will have an impact on what comes in 2016: the new EU data protection legislation package was approved, and the EU Court of Justice ruled that the Safe Harbor procedure is invalid. This means that transfers of personal data from EU countries to the United States under Safe Harbor are a violation of law – you need some other agreement for this. The situation will probably get clarified during 2016. Data protection legislation changes will lead to increased fines for the unprepared. Legal uncertainty and big fines are a toxic cocktail for some companies. The combination of stiff penalties and ambiguously worded provisions in the new EU-wide data protection law, which would replace a patchwork of 28 national laws, raises daunting prospects for companies operating in Europe.

After the huge number of user information leaks in 2015 from all kinds of Internet services, cloud companies will face the challenge of gaining trust in their security. You might have just dared to trust “the right cloud services,” since from the traditional information security point of view they seem to be mostly okay, but the leaks have raised privacy issues.

New environments will bring new threats. New operating system versions mean that administrators and users are less familiar with the environments. IPv6 will get more widely used, and the security of IPv6 networks is different from IPv4. Organizations are moving to virtualized environments, which are complex and create network layers that can become an attack vector. Growing network virtualization functionality and programmability are both an opportunity and a threat to security. Cyber security research will be important in 2016, as 5G networks will be critical infrastructure on top of which, for example, transport, industry, health and the new operators will set up their business around 2020.

The huge amount of information security information is becoming harder and harder to manage in 2016. A key problem with security revelations, as with all other news coverage, is the exponential growth of information. There are a variety of news summaries produced on a daily basis, but they are not enough to get a good picture of what is happening. There are bigger and smaller news items, the impact of which is at times very difficult to assess. SMBs will become a bigger target for cybercriminals. Network and security professionals continue to be among the toughest IT talent to find and hire.

Old-style network security focused on perimeter defense is not enough in 2016. The old mantras “encrypt everything” and “secure the perimeter” are not enough. One deceptive truth seems to drive much of the cybersecurity industry down a rabbit hole: if you keep bad actors and bad software out of your system, you have nothing to worry about. It does not work like that anymore. As perimeter security gets stronger, malicious actors are looking for easier entry points to compromise an organisation through the breadth of its digital attack surface. Now malicious actors target “endpoints”—any device or sensor connected to a network—to break into that network. Traditional sandboxing will no longer protect against the growing malware landscape. Today, most private networks have far too many endpoints to properly secure. In an age of “Bring Your Own Device,” the cloud, remote access, and the Internet of Things, there are too many vulnerabilities hackers can exploit. Keep in mind that everything connected to the Internet can, and will, be hacked. To address those threats in 2016, security experts should assume compromise – that hackers and malware already have breached their defenses, or soon will – and instead classify and mitigate threats. In addition to a public key infrastructure lock-and-key system, you will also need an integrity solution that acts like an alarm. To protect against advanced threats, security professionals will increase their reliance on centralized security management solutions. You need to have prioritization and response plans for various kinds of breaches – with a strong focus on integrity.

Law enforcement versus Silicon Valley tension will continue to be strong throughout 2016. In 2015 law enforcement and politicians on both sides of the Atlantic lined up to repeatedly complain that the web was “going dark” as the result of end-to-end encryption and that this was hampering the investigation of terrorism and other serious crimes. Technologists and cryptographers argue that governments are trying to weaken encryption by demanding some form of privileged access for government. It’s not clear how much encryption the NSA can break. With renewed focus on how encrypted messages can be used to plot terrorist attacks, President Barack Obama’s administration is stepping up pressure on the tech sector to help in the battle. Privacy remains a major counter-argument. It seems that governments lie about encryption backdoors. Encryption systems weakened by mandated backdoors would not be effective in fighting the terrorists that governments invoke as their reason for wanting those backdoors in the first place.

But this does not stop some government officials from demanding such things, with varying success in different countries. Another fact is that the existence of coded communications is a reality and the U.S. may not be able to do much about it, because nearly everyone living in modern society uses it: encryption protects your bank information, prevents your password from being stolen when you log into a website, and allows all e-commerce transactions to take place securely. Encryption weakened by mandated backdoors would put all of us at an enormous risk of exposure from data breaches and associated online risks. The truth in 2016 is that any form of privileged access for government – i.e., a backdoor – would inevitably weaken crypto-systems and make them more vulnerable to attacks by foreign governments’ intelligence agencies as well as criminals. Juniper’s VPN security hole is proof that government backdoors are bonkers. Encryption backdoors would be a gleeful win-win for terrorists and a horrific lose-lose for you – the bad guys having strong protections for their data, and the rest of us not. A poorly thought-out and crude surveillance technique could have a devastating effect on a country’s internet security – for example, Kazakhstan will force its citizens to install internet backdoors by requiring all Internet users to install a state-issued root certificate by January 1, 2016.

Google, Mozilla and Microsoft are pushing for an early SHA-1 cutoff that could happen in 2016 instead of the earlier planned January 1, 2017, due to recent research showing that SHA-1 is weaker than previously believed, because it has been cracked without enormous effort. Mozilla, Microsoft and now Google are all considering bringing the deadline forward by six months to July 1, 2016. SHA-2 is going to be used as the replacement function for SHA-1. Websites like Facebook and those protected by CloudFlare have implemented a SHA-1 fallback mechanism for those systems that do not support SHA-2. Chrome will start displaying errors if SHA-1 certificates are employed in early 2016 and will completely stop supporting SHA-1 certificates at the end of 2016.
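As an added example (not code from the original post), here is a small Python audit that reads the signature algorithm OID out of a DER-encoded certificate and flags SHA-1 signatures before the cutoff; it also reports the case where the inner tbsCertificate.signature field disagrees with the outer signatureAlgorithm, which RFC 5280 forbids. The OID tables are standard values supplied here, and the test input is a constructed DER skeleton rather than a real certificate.

```python
"""Audit an X.509 certificate's signature algorithm ahead of the SHA-1 cutoff.
Only the DER fields the check needs are parsed. RFC 5280 requires the inner
tbsCertificate.signature to equal the outer signatureAlgorithm, so a mismatch
is reported as its own finding."""

# Standard signature-algorithm OIDs, supplied here for the audit.
SHA1_SIGNATURES = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}
SHA2_SIGNATURES = {
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}

def read_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def decode_oid(raw):
    """Decode OBJECT IDENTIFIER content bytes into dotted form."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # a clear high bit ends the base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def algorithm_oid(buf, pos):
    """AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY OPTIONAL }."""
    tag, start, _ = read_tlv(buf, pos)
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier is not a SEQUENCE")
    tag, o_start, o_end = read_tlv(buf, start)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(buf[o_start:o_end])

def signature_algorithms(cert_der):
    """Return (outer signatureAlgorithm OID, inner tbsCertificate.signature OID)."""
    tag, cert_start, _ = read_tlv(cert_der, 0)          # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    tag, pos, tbs_end = read_tlv(cert_der, cert_start)  # tbsCertificate
    outer = algorithm_oid(cert_der, tbs_end)            # signatureAlgorithm follows it
    tag, _, end = read_tlv(cert_der, pos)
    if tag == 0xA0:                                     # optional [0] EXPLICIT version
        pos = end
    _, _, pos = read_tlv(cert_der, pos)                 # serialNumber INTEGER
    return outer, algorithm_oid(cert_der, pos)          # inner 'signature' field

def audit_certificate(cert_der):
    """Verdicts: 'sha1' (replace before the cutoff), 'ok', 'mismatch', 'unknown'."""
    outer, inner = signature_algorithms(cert_der)
    if outer != inner:
        return {"verdict": "mismatch", "outer": outer, "inner": inner}
    if outer in SHA1_SIGNATURES:
        return {"verdict": "sha1", "oid": outer, "algorithm": SHA1_SIGNATURES[outer]}
    if outer in SHA2_SIGNATURES:
        return {"verdict": "ok", "oid": outer, "algorithm": SHA2_SIGNATURES[outer]}
    return {"verdict": "unknown", "oid": outer}

# --- constructed test input: a minimal DER skeleton, not a real or valid certificate ---
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        body.extend(chunk)
    return _der(0x06, bytes(body))

def make_skeleton_cert(outer_oid, inner_oid=None):
    """Constructed sample with only the fields the audit reads (issuer, validity, SPKI omitted)."""
    alg = lambda oid: _der(0x30, _oid(oid) + b"\x05\x00")  # AlgorithmIdentifier, NULL params
    version = _der(0xA0, _der(0x02, b"\x02"))               # [0] EXPLICIT INTEGER 2 (v3)
    tbs = _der(0x30, version + _der(0x02, b"\x2A") + alg(inner_oid or outer_oid))
    return _der(0x30, tbs + alg(outer_oid) + _der(0x03, bytes(17)))  # BIT STRING placeholder

if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.10045.4.3.2"):
        print(audit_certificate(make_skeleton_cert(oid)))
```

On a real chain, pass `ssl.PEM_cert_to_DER_cert(pem_text)` from the standard library to `audit_certificate`, and audit every certificate in the chain rather than just the leaf.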

The use of Blockchain technology, permissionless distributed database based on the bitcoin protocol that runs across a global network of independent computers, will get used more widely than for just Bitcoin virtual money. With bitcoin, Blockchain tracks the exchange of money. But it can also track the exchange of anything else that holds value, including stocks, bonds, and other financial securities. Overstock has already used the blockchain to issue private bonds. The Securities and Exchange Commission has approved a plan from online retailer Overstock.com to issue company stock via the Internet, signaling a significant shift in the way financial securities will be distributed and traded in the years to come. Overstock built its technology under the aegis of a subsidiary called TØ.com, and it plans to offer this “cryptosecurity” tech as a service to other businesses. Nasdaq OMX—the company behind the Nasdaq stock exchange—is using the blockchain to oversee the exchange of private stock.  Also several major companies from across both the technology and financial industries—including IBM, Intel, and Cisco as well as the London Stock Exchange Group and big-name banks JP Morgan, Wells Fargo, and State Street—have joined forces to create an alternative to the blockchain with Linux Foundation.

The use of disk encryption will increase, and there are different ways to do it with different security levels. Microsoft has introduced Windows 10 disk encryption where the keys are uploaded to Microsoft. This approach has some advantages and disadvantages. The gold standard in disk encryption is end-to-end encryption, where only you can unlock your disk. This is what most companies use, and it seems to work well. It protects data in case your device is lost or stolen. But what if you forget or lose your key? There are certainly cases where it’s helpful to have a backup of your key or password – so keeping a backup of your recovery key in your Microsoft account could be genuinely useful for probably the majority of users that don’t have high security needs. The disadvantage of this approach is that your computer is now only as secure as that database of keys held by Microsoft, which means it may be vulnerable to hackers, foreign governments, and people who can extort Microsoft employees.

Weak and leaked passwords are still a huge security problem in 2016. Passwords are often the weakest part when it comes to securing users’ accounts, as many don’t use complex passwords or they reuse the same password across services. Two-factor authentication – like using a USB stick with a secret token or entering a code sent via text message to your phone – can help to increase security, but many users also find this to be a hassle as it introduces an additional step to the login process.

Google has begun testing a login system that uses phone notifications for authentication instead of passwords: users authenticate by responding to a notification sent to their smartphone. The idea is similar to Yahoo’s recently launched “Account Key,” which also offers a password-free means of signing in involving a push notification sent to your phone that then opens an app where you approve the log-in.

Smartphones will become a more and more security-critical part of your life. “Increasingly, individuals and organisations are adopting password managers and multi-factor authentication technologies to plug some of the holes in password-based authentication. We foresee a world where practically everyone uses their smartphone as a multi-factor authentication element. In this world, the smartphone becomes your most valuable asset: something that enables you to unlock your life online and a target for attackers seeking to access your services.”

Expect that the number of mobile vulnerabilities will only grow in 2016. In 2016 we will see increasing numbers of cyber criminals using mobile applications to spread malware. Mobile presents an easy target for cyber criminals, because it is an attack surface that is open and extremely difficult to defend once an app has been released. Android threats will become more than just headline-grabbers. Will 2016 be the year iOS malware goes mainstream?

Critical infrastructures will be highly targeted in 2015. SCADA and ICS networks were not designed for security. Attacks against these systems have increased in recent years, and I expect this trend to only get worse. There are still many companies that run their critical systems on Windows XP, as “there are some people who don’t have an option to change.” Many times the OS is running in automation and process control systems that run business- and mission-critical systems, both in private sector and government enterprises. For example, the US Navy is using the obsolete operating system Microsoft Windows XP to run critical tasks. It all comes down to money and resources, but if someone is obliged to keep something running on an obsolete system, it is completely the wrong approach to information security.

Cars were hacked at a record rate in 2015, and they will be hacked at least at the same rate in 2016. Modern cars feature more gadgetry and connected systems, and this will make vehicles just as vulnerable to today’s threats and attacks. I Am The Cavalry has published a five-star Cyber Safety Framework to mitigate this threat in cars; hopefully car component makers will study it.

IoT and smart devices are still at risk. The Internet of Things will continue to emerge, and businesses will need to think about how to protect their smart devices and prepare for the wider adoption of IoT. IoT platforms are not yet the weapon of choice for commercial malware authors – but businesses beware. Wearables won’t be safe either, as they are built using largely the same, too often vulnerable, technologies as other IoT systems. IoT security is still in its infancy in 2016.

Cyber criminals became more active in 2015, particularly with ransom-malware. The ransom-malware problem will continue to be big in 2016. Commercial malware authors will continue to invest heavily, and exploit kits will continue to dominate on the web. Ransomware today is big business. Ransomware takes control of a computer and holds it hostage until the victim pays, usually in the digital currency Bitcoin. As a remedy against ransom-malware, I recommend ensuring that your IT support or service provider has the data backup and restore procedure operational, practiced and tested. You may need it in 2016 to get your data back without considering paying criminals. To date ransomware has hit Windows users hardest, although Android and MacOS users are now also facing similar extortion.

Ransomware will continue to dominate in 2016, and it is only a question of time before we see things beyond data being ransomed. We have already seen websites being held to ransom with DDoS. Intel’s McAfee Labs also noted a huge spike in ransomware in early 2015, and worries about ransomware in the IoT space—including medical devices. And Kaspersky predicts the “nightmare of ransomware” to continue and “spread to new frontiers” in 2016. The article Ransomware Is Coming to Medical Devices tells that, according to a report released recently by Forrester Research, the number one cybersecurity prediction for 2016 is: “We’ll see ransomware for a medical device or wearable.” “It’s definitely feasible from a technical standpoint.” Networked medical devices save lives. Despite the hacking risk, it’s an informed trade-off. Medical device ransomware would be a modern form of highway robbery with lives at stake.

2,232 Comments

  1. Tomi Engdahl says:

    The customer should be informed if the information were exported

    The European Parliament has adopted new rules, which govern the EU-wide minimum levels with regard to security. The regulations apply mainly to businesses that provide essential services to the digital infrastructure as well as energy, transport, banking or health-related companies.

    The now-approved EU Network and Information Security Directive defines the security and reporting requirements for providers of essential services. EU Member States will decide which national companies are those to which the provisions will apply.

    Under the rules, the EU set up a working group to facilitate the exchange of information. Member States must also set up network security breach response and intelligence units (CSIRT operators), which deal with deviations and the associated risks, discuss cross-border security incidents and define the coordinated responses.

    Yesterday, the European Commission said it will invest almost half a billion euros in data security development and industry. At the same time, it was decided to create a joint security certification, to enable enterprises to grow within the European Union without the need to obtain separate certifications for each country.

    Source: http://www.tivi.fi/Kaikki_uutiset/nyt-loppuu-tietoturvamokailujen-peittely-asiakkaalle-pitaa-kertoa-jos-tiedot-vietiin-6565148

  2. Tomi Engdahl says:

    5 years, 2,300 data breaches. What’ll police do with our Internet Connection Records?
    Big Brother Watch report
    http://www.theregister.co.uk/2016/07/05/revelations_over_2300_police_data_breaches_prompt_privacy_fears/

    Police forces across the UK have been responsible for “at least 2,315 data breaches” over the last five years, according to research by Big Brother Watch, prompting concerns about the increasing amount of data they’re holding.

    Titled Safe in Police Hands? the 138-page report is released today after months of requests made by the campaign group under the Freedom of Information Act, covering police forces’ breaches of the Data Protection Act from June 2011 to December 2015.

    The issues span improper disclosure of information, accessing police systems for non-policing purposes, inappropriate use of data for personal reasons and more, says BBW. It continued:

    Digital by default is the future for the country. In response to this the levels of data the police handle will increase. Whilst there have been improvements in how forces ensure data is handled correctly this report reveals there is still room for improvement. Forces must look closely at the controls in place to prevent misuse and abuse.

    “With the potential introduction of Internet Connection Records (ICRs) as outlined in the Investigatory Powers Bill, the police will be able to access data which will offer the deepest insight possible into the personal lives of all UK citizens,” the group reported, adding that any breach of this information would be “over and above” what was included in the report.

  3. Tomi Engdahl says:

    Nasty BIOS bug slugs Gigabyte, hackers say
    Vendors queue for punishment as ‘ThinkPwn’ fallout spreads
    http://www.theregister.co.uk/2016/07/06/nasty_bios_bug_slugs_gigabyte_hackers_say/

    Gigabyte has been swept into turmoil surrounding low-level security vulnerabilities that allow attackers to kill flash protection, secure boot, and tamper with firmware on PCs by Lenovo and other vendors.

    Unconfirmed reports suggest the hardware vendor has used the “ThinkPwn” vulnerable code, thought to be born of Intel reference code, on four of its motherboards: Z68-UD3H, Z77X-UD5H, Z87MX-D3H, and Z97-D3H.

    Researcher Dmytro Oleksiuk revealed the vulnerabilities in a post to Github stating that it can “disable flash write protection and infect platform firmware, disable Secure Boot, [and] bypass Virtual Secure Mode (Credential Guard, etc.) on Windows 10 Enterprise” thanks to a flaw in the SystemSmmRuntimeRt UEFI driver.

  4. Tomi Engdahl says:

    Hacker Lexicon: What Are CNE and CNA?
    https://www.wired.com/2016/07/hacker-lexicon-cne-cna/

    For years, the US government’s offensive hacking operations were kept in dark shadows, neither acknowledged nor discussed. That changed with the discovery of Stuxnet in 2010—a computer sabotage operation reportedly conducted by the US and Israel to destroy machines used in Iran’s once-illicit nuclear program.

    Stuxnet was the first US digital sabotage operation to be exposed, but it’s not the first government hacking operation ever conducted. Documents leaked by Edward Snowden in 2013 shone a light on a vast underground operation conducted by the NSA’s Tailored Access Operations team (TAO), responsible for what the government refers to as computer network exploitation and computer network attacks. Those may sound similar, but there are important differences between them.

    Computer network exploitation, or CNE, refers to espionage and reconnaissance operations. These are conducted to steal data from a system or simply to obtain intelligence about networks, to understand how they work and are configured. Examples of CNE include Flame, a massive spy tool used to gather intelligence from Iran and other targets, and Regin, which was used to hack the European Commission and Belgium’s partially state-owned telecom Belgacom. The Regin operations have been attributed to the UK spy agency GCHQ.

    In 2011, the NSA launched 231 offensive computer operations, according to Snowden documents. This included placing covert implants in more than 80,000 machines around the world.

    If you think of CNE as the Ocean’s Eleven of cyberattacks, CNA is more like Die Hard.

    CNA operations are designed to damage, destroy, or disrupt computers—or operations controlled by computers—such as the Stuxnet attack that targeted centrifuges used by Iran to enrich uranium hexafluoride gas. Another CNA operation attributed to nation states is the air-to-ground hack conducted by Israel in 2007 against Syria’s air defense system. That hack, launched from Israeli planes, was designed to prevent Syria’s automated air-defense system from seeing bomber jets flying in to conduct an air strike against the Al-Kibar complex, believed to be an illicit nuclear reactor Syria was building.

    The recent hack of power distribution plants in Ukraine was a CNA, as was the Wiper attack that targeted Iran’s oil industry in 2012.

    The hack of Sony, attributed to North Korea, would also be considered a CNA operation

    Although CNE and CNA operations might seem to be technically distinct—since one involves espionage and the other destruction or disruption—they aren’t necessarily. Many CNA attacks begin as CNE operations

    Because some tools can be used for both CNE and CNA attacks—for example zero days are used to install both espionage tools and attack tools on targeted systems—it can be difficult for victims who find such malware on their machines to know whether the operation is a spy mission or an attack mission; at least, that is, until their systems get destroyed.

  5. Tomi Engdahl says:

    Jonathan Keane / Tech.eu:
    Antivirus software firm AVG acquired by Avast Software for $1.3 billion
    http://tech.eu/brief/avg-avast-software/

    Antivirus software company AVG Technologies has been acquired by rival Avast Software for $1.3 billion.

    Both companies were founded in the Czech Republic and expanded globally with AVG going public in 2012. With this deal Avast will purchase AVG, now based in The Netherlands, at $25 per share.

    Avast said in statement that the acquisition will help it scale ahead of growing challenges and opportunities in the cybersecurity industry both for consumers and business, particularly with the burgeoning internet of things. The combined company will have more than 400 million users.

    “We are in a rapidly changing industry, and this acquisition gives us the breadth and technological depth to be the security provider of choice for our current and future customers,” said Vince Steckler, CEO of Avast.

  6. Tomi Engdahl says:

    FBI Director: Guccifer Admitted He Lied About Hacking Hillary Clinton’s Email
    https://politics.slashdot.org/story/16/07/07/221228/fbi-director-guccifer-admitted-he-lied-about-hacking-hillary-clintons-email

    The Romanian hacker known as Guccifer (real name Marcel Lehel Lazar) admitted to the FBI that he lied to the public when he said he repeatedly hacked into Hillary Clinton’s email server in 2013. FBI Director James Comey testified before members of Congress on Thursday that Guccifer never hacked into Clinton’s servers and in fact admitted that he lied.

    FBI director says Guccifer admitted he lied about hacking Hillary Clinton’s email
    http://www.dailydot.com/layer8/guccifer-clinton-server-hack-lie/

    The Romanian hacker known as Guccifer admitted to the FBI that he lied to the public when he said he repeatedly hacked into Hillary Clinton’s email server in 2013.

    Guccifer, real name Marcel Lehel Lazar, told Fox News and NBC News in May 2016 about his alleged hacking. Despite offering no proof, the claim caused a huge stir, including making headline news on some of America’s biggest publications.

    FBI Director James Comey testified under oath before Congress on Thursday that Guccifer never hacked into Clinton’s servers

    Following his extradition from Romania, Lazar is now in custody in Alexandria, Virginia, awaiting trial for hacking charges. He’s most famous for hacking former President George W. Bush and releasing Bush’s paintings.

    The testimony came while Comey was being questioned before the House Committee on Oversight and Government Reform about his recent decision to not recommend criminal charges against former Secretary of State Clinton, now the presumptive Democratic nominee, or her staff for their use of a private email set-up and handling of classified material during Clinton’s tenure at the State Department.

  7. Tomi Engdahl says:

    Baton Rouge Police Database Hacked In Retaliation For Killing of Alton Sterling
    https://developers.slashdot.org/story/16/07/07/2022213/baton-rouge-police-database-hacked-in-retaliation-for-killing-of-alton-sterling

    Just days after the fatal shooting of a black man by Baton Rouge police prompted international outrage and a Justice Department investigation, the Baton Rouge city government’s servers have been hacked and 50,000 city police records leaked including names, addresses, emails, and phone numbers.

    A hacker that goes by the name @ox2Taylor claimed responsibility for the breach, which was confirmed by security intelligence analyst at Patch Penguin, Jamie-Luke Woodruff. He told the Daily Dot that the administrators of the website had failed to implement proper security measures.

    Baton Rouge police database ‘hacked’ in retaliation for killing of Alton Sterling
    http://www.dailydot.com/layer8/alton-sterling-baton-rouge-website-hack/

    The database was confirmed as legitimate by Jamie-Luke Woodruff, a security intelligence analyst who works at Patch Penguin, a British cybersecurity firm. Woodruff, who communicated with Taylor by phone to further confirm the hacker’s claims, told the Daily Dot in a private Facebook chat that the administrators of the website had failed to implement proper security measures.

    The “breach”—for lack of a better term—appears to have simply been a case of unauthorized access through the use of discovered login credentials rather than through any kind of technical attack.

    “The website had its permissions set wrong and shouldn’t have been left open for the public to see this data,” Woodruff explained

    “The reason i did it is because of what that officer did to alton sterling,” Taylor told the Daily Dot in a private Twitter message. “i’m sick of seeing police abuse their power and all the killings.”

  8. Tomi Engdahl says:

    Android KeyStore Encryption Scheme Broken
    https://tech.slashdot.org/story/16/07/07/1819233/android-keystore-encryption-scheme-broken

    The default implementation for KeyStore, the system in Android designed to store user credentials and cryptographic keys, is broken, researchers say. In an academic paper published this week, researchers argue that the particular encryption scheme that KeyStore uses fails to protect the integrity of keys and could be exploited to allow an attacker to modify stored keys through a forgery attack.

    KeyStore, which performs key-specific actions through the OpenSSL library, allows Android apps to store and generate their own cryptographic keys.

    Android KeyStore Encryption Scheme Broken, Researchers Say
    https://threatpost.com/android-keystore-encryption-scheme-broken-researchers-say/119092/

    In an academic paper published this week, researchers argue that the particular encryption scheme that KeyStore uses fails to protect the integrity of keys and could be exploited to allow an attacker to modify stored keys through a forgery attack.

    The two point out in their paper “Breaking Into the KeyStore: A Practical Forgery Attack Against Android KeyStore,” that it’s the hash-then-encrypt (HtE) authenticated encryption (AE) scheme in cipher block chaining mode (CBC) in KeyStore that fails to guarantee the integrity of keys.

    In a forgery attack, an attacker could exploit the weakness to reduce the length of symmetric keys protected by the system. The crux of the attack is based around tricking a victim into installing a malicious app on the device that can be granted read-write permission on the KeyStore directory.

    “The success of our attack depends on how likely the malicious application is to bypass the access control mechanisms of Android,” the two say, adding that this could be done by executing arbitrary code, through code injection or reuse, or obtaining root or kernel-level privileges.

    “Intuition often goes wrong when security is concerned,” the two write, “Unfortunately, system designers still tend to choose cryptographic schemes not for their proved security but for their apparent simplicity. We show, once again, that this is not a good choice, since it usually results in severe consequences for the whole underlying system.”

    Researchers discovered a flaw in a popular mobile processor used in Android devices last week. Researcher Gal Beniamini described how the encryption in devices running Qualcomm chips, more than half of Android devices currently in use, can be bypassed.

    Cryptology ePrint Archive: Report 2016/677
    Breaking Into the KeyStore: A Practical Forgery Attack Against Android KeyStore
    http://eprint.iacr.org/2016/677/20160706:055348

    Encryption Bypass Vulnerability Impacts Half of Android Devices
    https://threatpost.com/encryption-bypass-vulnerability-impacts-half-of-android-devices/119039/

    A flaw in chipmaker Qualcomm’s mobile processor, used in 60 percent of Android mobiles, allows attackers to crack full disk encryption on the device. Only 10 percent of Android devices running Qualcomm processors are not vulnerable to this type of attack.

    Researchers at Duo Labs said the vulnerability is tied to Android’s problem-plagued mediaserver component coupled with a security hole in Qualcomm’s Secure Execution Environment (QSEE). Together, these vulnerabilities could allow someone with physical access to the phone to bypass the full disk encryption (FDE).

    Duo Labs estimates 57 percent of Android phones are still vulnerable to related mediaserver attacks. “Compared to 60 percent of Android phones that were vulnerable to the Android attack in January, the security posture of our dataset has improved slightly, with 57 percent of Android phones vulnerable to the latest attack,” according to a Duo Labs blog post.

    Reply
  9. Tomi Engdahl says:

    Wendy’s Says More Than 1,000 Restaurants Affected By Hack
    https://news.slashdot.org/story/16/07/07/2050211/wendys-says-more-than-1000-restaurants-affected-by-hack

    The fast food giant Wendy’s has reported today that hackers were able to steal customers’ credit and debit card information at 1,025 of its U.S. restaurants. The company said Thursday hackers were able to obtain card numbers, names, expiration dates and codes on the card, beginning in late fall. Some customers’ cards were used to make fraudulent purchases at other stores.

    Wendy’s Says More Than 1,000 Restaurants Affected by Hack
    http://abcnews.go.com/Technology/wireStory/wendys-1000-restaurants-affected-hack-40407208

    The Dublin, Ohio, company first announced it was investigating a possible hack in January. In May, it said malware was found in fewer than 300 restaurants. About a month later, it said two types of malware were found and the number of restaurants affected was “considerably higher.”

    There are more than 5,700 Wendy’s restaurants in the U.S.

    Reply
  10. Tomi Engdahl says:

    Russian President Vladimir Putin has approved a law that obliges operators operating in the country to record call data for three years and the calls themselves for six months. According to experts, this will be costly for operators.

    The aim of the new law is to improve safety.

    Source: http://www.tivi.fi/Kaikki_uutiset/putin-asetti-operaattoreille-kalliit-velvoitteet-6565351

    Reply
  11. Tomi Engdahl says:

    CloudFlare pros pen paranoid phone plan for pwn-free peregrination
    New iPhone or GTFO
    http://www.theregister.co.uk/2016/07/08/cloudflare_boffins_pens_paranoid_phone_guide_to_pwnless_travelling/

    Travelling executives should use modern iPhones with burner SIMs, no PINs, and minimal apps, CloudFlare security boffin Filippo Valsorda says.

    Valsorda of the anti-distributed denial of service attack firm’s London office says his ‘paranoid’ guide focuses on iOS because he considers it the most secure operating system currently available.

    The travelling executive should start with a burner Apple ID with Touch ID activated, and a ridiculously long log-in password which will frustrate physical attackers but not the user, thanks to the biometric option.

    “Use Airplane mode extensively,” Valsorda says. “Turn off WiFi when you don’t need it.”

    Apple security questions should be passwords, not personal information which can be obtained from Facebook and other leaky sources.

    1Password with Touch ID and syncing killed is your best option for handling passwords.

    Safe travel requires protection, so USB condoms which prevent data theft over the port during charging are a must. Alternatively the traveller must label their trusted charger and only ever use that.

    Siri is off. As is Bluetooth, voice dial, Safari’s Javascript, and nine other options.

    If Javascript is required, use the Brave browser as it uses the HTTPS Everywhere extension and blocks possibly malicious advertising.

    Do not use your normal email address, but instead set up a temporary one that contains the emails you’ll need, sans anything with the phrases password, reset, recover, or subject:login, all of which can be nixed with a blacklist.

    After 10 failed password attempts, the modern iPhone should obliterate data held within, while two factor authentication must be used to help protect the burner Apple ID.

    Valsorda continues: install only essential apps before travelling, refuse updates, slap encryption on the Notes app and avoid writing sensitive things on the first line, which remains unencrypted.

    A spare SIM card should be taken with the original kept hidden, and PINs set on both. “It’s not much, but it’s all you can do against an SS7 attack,” Valsorda says.

    Snowden’s Signal and WhatsApp are your communications apps to be tied to the disposable SIM.

    Reply
  12. Tomi Engdahl says:

    Big Pharma Is So 2015. Welcome to the Era of Big Software
    http://www.wired.com/2016/07/entering-age-big-software/

    Kellogg’s uses a cartoon tiger and elves to sell $14 billion dollars worth of refined carbohydrates each year. But this calorie-laden corporation was once an idealistic startup. Created by the eccentric Dr. John Harvey Kellogg, Corn Flakes were intended as a health food that made it easier for the masses to adopt a vegetarian lifestyle. Kellogg’s was the Soylent of its day.

    Today, Pfizer is a $188 billion dollar drug conglomerate. But there was a time when the biggest of “Big Pharma” companies was a lot like today’s Young Turks.

    These companies that we now think of as the epitomes of “Big Food” and “Big Pharma” were once humble startups. But as success begets success, they managed to dominate their markets for over a century. Over the next hundred years, we could see the same thing happen with the most high-minded of tech companies. Google, Amazon, Apple, and Facebook could grow to dominate the market in the same way Pfizer and Kellogg’s have dominated theirs. We could be witnessing the dawn of a new era: “Big Software.”

    Accelerating Innovation

    Conglomeration hasn’t hurt entrepreneurship in pharma or food. In fact, it has accelerated it.

    Efficient Entrepreneurship

    There are downsides to this new reality. Exits will likely be much smaller. We may not see another software startup approach Google’s half trillion dollar market value in the near term. Even Facebook’s $250 billion dollar market cap will be hard to match. Founders and investors will just have to “settle” for more “humble” single billion dollar valuations—or maybe double digit.

    Every tech invention doesn’t need to become a company and not every business is built to last, but if you set out to create more value than you capture, everyone can win.

    Reply
  13. Tomi Engdahl says:

    Google Is Working To Safeguard Chrome From Quantum Computers
    https://tech.slashdot.org/story/16/07/07/1811216/google-is-working-to-safeguard-chrome-from-quantum-computers

    Quantum computing could potentially someday be used to retroactively break any communications that were encrypted with today’s standard encryption algorithms. Google realizes this, and hence, is ensuring that it doesn’t happen. Today, it announced that it has begun to deploy a new type of cryptography called the New Hope algorithm in its Chrome Canary browser that is designed to prevent such decryption attacks.

    Google is working to safeguard Chrome from quantum computers
    Using software called the New Hope algorithm
    http://www.theverge.com/2016/7/7/12120280/google-chrome-canary-quantum-computing-encryption-new-hope

    Google is working on safeguarding Chrome against the potential threat of quantum computers, the company announced today. It’s doing so by implementing post-quantum cryptography in an experimental version of the browser. While there exist hardware defenses against the vastly superior computing power of quantum machines, Google is using a new so-called post-quantum key-exchange algorithm. This software, called the New Hope algorithm, is enabled in Chrome Canary, a kind of testing ground for new browser technology, on only a small number of connections between the browser and Google servers.

    Although quantum computers of this variety are only small and experimental at this stage, Google is taking precautions for the worst case scenario. “While they will, no doubt, be of huge benefit in some areas of study, some of the problems that they [quantum computers] are effective at solving are the ones that we use to secure digital communications,” writes Matt Braithwaite, a Google software engineer, in a blog post. “Specifically, if large quantum computers can be built then they may be able to break the asymmetric cryptographic primitives that are currently used in TLS, the security protocol behind HTTPS.” In other words, quantum computers could undermine the security of the entire internet.

    Google Tests New Crypto in Chrome to Fend Off Quantum Attacks
    https://www.wired.com/2016/07/google-tests-new-crypto-chrome-fend-off-quantum-attacks/

    For anyone who cares about Internet security and encryption, the advent of practical quantum computing looms like the Y2K bug in the 1990s, a countdown to an unpredictable event that might just break everything. The concern: hackers and intelligence agencies could use advanced quantum attacks to crack current encryption techniques and learn, well, anything they want. Now Google is starting the slow, hard work of preparing for that future, beginning with a web browser designed to keep your secrets even when they’re attacked by a quantum computer more powerful than any the world has seen.

    No Quantum Secrets?

    “The reason we’re doing this experiment is because the possibility that large quantum computers could be built in the future is not zero. We shouldn’t panic about it, but it could happen,” says Google security engineer Adam Langley. Google’s also considering the possibility that sophisticated eavesdroppers could record scrambled secrets now and then crack them with techniques developed years or even decades later. For many ubiquitous forms of crypto including many forms of the TLS or SSL encryption protecting our web browsing, that would mean “any information encrypted today could be decrypted in the future by a quantum computer,” Langley says.

    Post-quantum key exchange – a new hope
    https://eprint.iacr.org/2015/1092.pdf

    Reply
  14. Tomi Engdahl says:

    Most Wanted? Hacker puts German interior minister on Interpol list for 5 weeks
    https://www.rt.com/news/350027-hacker-german-minister-interpol/

    Markus Ulbig, the interior minister of Saxony, Germany, has appeared on Interpol’s official website with a “wanted” poster next to his name after a hacker tried to prove a point to the international police. It took five weeks for the warrant to be noticed.

    An Interpol “wanted” page said that Ulbig had been charged with “requesting the mass surveillance of over 55,000 cellular phones and gathering over one million call detail records” and was “wanted by the judicial authorities of Germany for prosecution.”

    It turned out to have been an attempt by Saxony-based hacker and internet security expert Matthias Ungethum to draw Interpol’s attention to a digital security hole he exposed in the organization’s website.

    The expert informed Interpol about the detected security hole on May 30.

    He said he used Cross Site Scripting to put the profiles of the German minister and Pac Man among the listed murderers and terrorists.

    The hacker explained that he did not directly manipulate Interpol’s website but rather extended a link leading to one of its pages to add desired content, as reported by the German broadcasting company MDR. He warned, however, that similar techniques could be used to spread various viruses via the website that would not be directly affected.

    Reply
  15. Tomi Engdahl says:

    ‘Secret Conversations:’ End-to-End Encryption Comes to Facebook Messenger
    https://www.wired.com/2016/07/secret-conversations-end-end-encryption-facebook-messenger-arrived/

    Just a few years ago, end-to-end encryption was a nerdy niche: a tiny collection of obscure software let you encrypt communication so only your recipient could read it, but the vast majority left you no option to hide your words from hackers or eavesdroppers. This year, that balance shifted. And now, roughly 900 million more people are about to be invited into the crypto club.

    On Friday, Facebook plans to roll out a beta version of a new feature it calls “secret conversations.” It’s encrypted messages, end-to-end, so that in theory no one—not a snoop on your local network, not an FBI agent with a warrant, not even Facebook itself—can intercept them. For now, the feature will be available only to a small percentage of users for testing; everyone with Facebook Messenger gets it later this summer or in early fall.

    Though Facebook-owned WhatsApp rolled out full end-to-end encryption to its billion-plus users in April, this is the social media giant’s first step toward bringing a core part of its main product in line with the encryption trend. Apple has used a form of end-to-end encryption in iMessage for years; Viber added the protection to its 700 million users’ messages just weeks after WhatsApp, and Google announced in May that its new messaging app Allo would offer end-to-end encryption as an option.

    The ‘Opt-In’ of It All

    One key difference between Facebook’s approach and WhatsApp or Apple is the issue of opt-in encryption versus default. Facebook encrypts messages only when users choose to turn on secret conversations manually. The other two companies automatically encrypt every message, despite complaints from law enforcement agencies that the feature hampers surveillance capabilities.

    Reply
  16. Tomi Engdahl says:

    BBC:
    EU-US Privacy Shield data pact gets approval from European governments, paving the way for the formal adoption early next week — A revised pact governing EU-US data flows has been approved by European governments. — The Privacy Shield agreement replaces the previous accord …

    Privacy Shield data pact gets European approval
    http://www.bbc.com/news/technology-36744928

    A revised pact governing EU-US data flows has been approved by European governments.

    The Privacy Shield agreement replaces the previous accord, called Safe Harbour, that was struck down in October 2015.

    Safe Harbour let US companies self-certify that they were doing enough to protect data about Europeans.

    The European Court of Justice threw out Safe Harbour after leaks showed data was being spied upon.

    Flawed premise

    Member states of the European Commission have given “strong support” to the Privacy Shield, said the EC’s Justice Commissioner Vera Jourova in a statement.

    Ms Jourova said the approval paved the way for the formal adoption of the agreement early next week.

    “The EU-US Privacy Shield will ensure a high level of protection for individuals and legal certainty for business,” said Commissioner Jourova. “It is fundamentally different from the old Safe Harbour.”

    The Safe Harbour pact let US companies skirt tough European rules that govern how this data can be treated, by letting them generate their own reports about the steps they took to stop it being misused.

    Revelations about the US National Security Agency’s widespread surveillance using data which was supposedly protected by Safe Harbour led to it being struck down.

    The Privacy Shield put in place “clear limitations, safeguards and oversight mechanisms” for how data should be protected in the future, said Commissioner Jourova.

    The Privacy Shield pact states that data stored in the US about EU citizens must be given “equivalent” protection by law to what it would receive if stored in the EU.

    The Digital Europe industry group that represents tech firms such as Google and Apple welcomed the decision.

    “Our members are ready to implement the new framework and meet the compliance challenge that the strengthened provisions demand from companies,” said John Higgins, Digital Europe’s director general.

    Reply
  17. Tomi Engdahl says:

    Google notifies users of 4,000 state-sponsored cyber attacks per month: executive
    http://www.reuters.com/article/us-google-cyberattack-idUSKCN0ZR2IU

    A senior executive of Alphabet Inc’s (GOOGL.O) Google unit said on Monday that the company was notifying customers of 4,000 state-sponsored cyber attacks per month.

    has led the way in notifying users of government spying. Others, including Microsoft Corp (MSFT.O), have since followed suit.

    Reply
  18. Tomi Engdahl says:

    The FBI has collected 430,000 iris scans in a so-called ‘pilot program’
    Critics say the agency project includes few privacy protections
    http://www.theverge.com/2016/7/12/12148044/fbi-iris-pilot-program-ngi-biometric-database-aclu-privacy-act

    As a modestly sized department — policing 2 million citizens with just over 1,800 sworn officers — the San Bernardino Sheriff’s Department doesn’t seem like it would be on the cutting edge of surveillance technology. But the department has quietly become one of the most productive nodes in a nationwide iris-scanning project, collecting iris data from at least 200,000 arrestees over the last two and a half years, according to documents obtained by The Verge.

    “The fact these systems have gone forward without any public debate or oversight that we’ve been able to find is very troubling,” says Nicole Ozer, Technology and Civil Liberties Policy director at the ACLU of California, who likened the project to other programs, such as facial recognition and cell site simulators, that have also been put in place in the state.

    Reply
  19. Tomi Engdahl says:

    Jonathan Stempel / Reuters:
    Microsoft wins US appeal over warrant for emails held on server in Ireland — A federal appeals court on Thursday said Microsoft Corp (MSFT.O) and other companies cannot be forced to turn over customer emails stored on servers outside the United States. — The 3- decision by a panel …

    Microsoft wins landmark appeal over seizure of foreign emails
    http://www.reuters.com/article/us-microsoft-usa-warrant-idUSKCN0ZU1RJ

    A federal appeals court on Thursday said the U.S. government cannot force Microsoft Corp and other companies to turn over customer emails stored on servers outside the United States.

    The 3-0 decision by the 2nd U.S. Circuit Court of Appeals in Manhattan is a defeat for the U.S. Department of Justice and a victory for privacy advocates and for technology companies offering cloud computing and other services around the world.

    Circuit Judge Susan Carney said communications held by U.S. service providers on servers outside the United States are beyond the reach of domestic search warrants issued under the Stored Communications Act, a 1986 federal law.

    “Congress did not intend the SCA’s warrant provisions to apply extraterritorially,” she wrote. “The focus of those provisions is protection of a user’s privacy interests.”

    Microsoft had been challenging a warrant seeking emails stored on a server in Dublin, Ireland

    Reply
  20. Tomi Engdahl says:

    MIT Thinks It Can One-Up TOR With New Anonymity Network: Riffle
    http://hackaday.com/2016/07/12/mit-thinks-it-can-one-up-tor-with-new-anonymity-network-riffle/

    Tor is the household name in anonymous networks but the system has vulnerabilities, especially when it comes to an attacker finding out who is sending and receiving messages. Researchers at MIT and the École Polytechnique Fédérale de Lausanne think they have found a better way in a system called Riffle.

    The strength at the core of Tor is the Onion Routing that makes up the last two letters of the network’s name. Riffle keeps that aspect, building upon it in a novel way.

    Riffle starts by sending the message to every server in the network. It then uses Mix Networking to route the message to its final destination in an unpredictable way.
    tampering will be discovered when verifying that initial message (or through subsequent authenticated encryption checks as the message passes each server).

    The combination of Mix Networking with the message verification is what is novel here.

    You can dig into the whitepaper but the MIT news article does a great job of providing an overview.
    http://people.csail.mit.edu/devadas/pubs/riffle.pdf

    Reply
  21. Tomi Engdahl says:

    Devin Coldewey / TechCrunch:
    Facebook, Twitter, and YouTube reportedly blocked or slowed in Turkey during military coup attempt; Instagram and Vimeo still available — The Turkish military has deployed in Istanbul and Ankara, and the government has apparently blocked social media in response to what is being reported as an attempted coup.

    Facebook, Twitter and YouTube blocked in Turkey during reported coup attempt
    https://techcrunch.com/2016/07/15/facebook-twitter-and-youtube-blocked-in-turkey-during-reported-coup-attempt/

    The Turkish military has deployed in Istanbul and Ankara, and the government has apparently blocked social media in response to what is being reported as an attempted coup.

    Turkey Blocks, a Twitter account that regularly checks if sites are being blocked in the country, reported at 11:04 PM Istanbul time that Facebook, Twitter and YouTube were all unresponsive, though Instagram and Vimeo remained available. Access was restored after about an hour-and-a-half, according to the research agency Dyn Research.

    Some residents of Turkey appeared able to access social media, likely via a VPN or some other anonymizing service. Anyone affected might want to try Tor Browser for Windows and Mac OS or Orbot for Android (or try some of the other circumvention techniques listed here).

    Reply
  22. Tomi Engdahl says:

    Washington Post:
    US Department of Defense acknowledges it created a cyber-offensive unit in May, called Joint Task Force Ares, to develop weapons to target ISIS
    https://www.washingtonpost.com/world/national-security/us-militarys-digital-war-against-the-islamic-state-is-off-to-a-slow-start/2016/07/15/76a3fe82-3da3-11e6-a66f-aa6c1883b6b1_story.html

    Reply
  23. Tomi Engdahl says:

    Natasha Lomas / TechCrunch:
    Encrypted comms company Silent Circle closes $50M Series C — Encrypted comms company Silent Circle, which also makes a security-focused Android smartphone called the Blackphone, has announced it’s closed a $50 million Series C round of financing, led by Santander Bank.

    Encrypted comms company Silent Circle closes $50M Series C
    https://techcrunch.com/2016/07/15/encrypted-comms-company-silent-circle-closes-50m-series-c/

    Reply
  24. Tomi Engdahl says:

    the grugq:
    Attempted coup’s failure to block internet in Turkey allowed President Erdogan and civilians to organize resistance through FaceTime, Periscope, Facebook Live

    Cyberpower Crushes Coup
    Rewriting the rulebook on coups, time to add cyberpower
    https://medium.com/@thegrugq/cyberpower-crushes-coup-b247f3cca780#.bpgtn49ij

    Mere hours after the putsch in Turkey has failed, it is still too early to understand exactly what went on. Given those constraints, I still want to discuss something which has altered “the game” so much that the existing guidebook needs to be significantly revised.

    The Good Coup Guide

    A coup is basically a sucker punch. The trick is to end the fight before it even begins.

    Essentially, the existing leaders need to be removed from positions of power and their ability to coordinate and organise a resistance must be blocked. This is easier when there are only a few means of mass communication (e.g. the TV station, or the radio station.)

    Keys To A Successful Putsch

    The basic process is something like the following, preferably all at the same time:

    Detain the existing leadership (failing that, act when they are unable to mount an effective defence, e.g. outside the country)
    Seize the mass communication channels, such as TV and radio stations (to prevent any elements of the leadership coordinating an effective defense)
    Restrict freedom of assembly, speech, and movement, to hinder the ability of the opposition to mount an effective defense
    Finally, keep troops on the street to maintain “order” while everyone gets used to having a new ruling class

    Everything has to be done quickly to minimize the period of vulnerability — from when the coup begins until it has achieved mission success (the majority of people accept them as the new rulers.)

    Mobile Messengers, What Can’t They Do?

    The coup in Turkey was organized and coordinated using an end to end encrypted messenger (WhatsApp), and the call to defence was sent out via an end to end encrypted messenger (FaceTime). The future is amazing.

    Classic Coup Opening Move

    The putsch takes over the main TV station (TRT) and has the news reader read a statement announcing the coup

    This is very standard stuff. Take over the means of mass communication and keep the civilians out of the way so they can’t interfere.

    Don’t Forget The Cyber

    But, this is the era of cyberpower. Simply taking over the TV stations is not enough. The Internet is a more powerful means of communication than TV, and it is more resilient — especially with a sophisticated population.

    The failure to block the Internet meant that the coup was battling a leadership that still had a very powerful capability: cyberpower. The ability to push out information that allowed them to coordinate a defence. In addition, both Twitter’s Periscope and Facebook Live allowed civilians to share their experiences, disseminate information, and build moral support for direct action.

    It is an Intelligence service axiom that intelligence is of no value if not disseminated. Facebook Live, Twitter, and Periscope, provide a means of real time raw intelligence collection and dissemination. The civilian population is able to stay informed and make individual decisions, that collectively, can alter the course of events.

    Erdogan left his holiday hotel and boarded a jet
    without access to the TV stations (he was on a plane, after all) he turned to cyberpower as a means to deliver his message and organise a resistance.

    Erdogan’s call to the people to take to the streets and protect democracy and their country was successful. He was able to rally support using FaceTime (video calling) to TV stations, all from his jet above Turkey.

    His calls were shown live on at least two channels, and later the mosques took up the call and were used to help organize resistance.

    Cyberpower is structural

    Today, the TV and radio are not the only means available to get information to people. The Turkish putsch took over some TV stations and did the standard coup style announcement: “we’re doing this for you, blah blah blah.” But they failed to eliminate the Internet, and any blocking that they were able to do was ineffective.

    FaceTime Is A Cyberweapon

    The Turkish people turned out in droves, watching what was happening over Twitter and Facebook and then flooding the streets to stop the tanks.

    The putsch’s “sucker punch” had failed — they failed to neutralize the leadership (Erdogan was alive and free), and they failed to undermine his ability to organise a resistance.

    A coup succeeds when people believe it has succeeded.

    Lessons Learned

    What should we learn about taking over a country with a coup in the modern age? Don’t ignore the cyber. Here are a few key things to consider which can effectively neutralize cyberweapons during a putsch:

    Cut power to the city
    Neutralize the leadership immediately
    Capture the: telephone companies; the ISPs, and all the TV stations
    Have a political party for support

    Reply
  25. Tomi Engdahl says:

    Hackers using Google Dorking Tool for Mayhem
    http://www.kamranmohsin.com/hackers-using-google-dorking-tool-mayhem/

    Since these hackers are constantly looking for vulnerabilities that they can exploit to gain unauthenticated access to groups of networks that may include industrial control systems, financial data etc., Google Dorking is the latest toolkit for the hackers to exploit any vulnerable website.

    Google dorking is very much used to find the vulnerable websites or systems that could be easily exploitable with any malicious code. Google helps in this case and pretty much shares the results with us.

    the global IT security spend will reach $92 billion in 2016 and is expected to grow to $116 billion by 2019. Despite these huge investments in perimeter defense, the industry is still struggling to get a leg up on cyber-attackers. The steady stream of data breaches at Hyatt, DNC, Twitter, SWIFT, and others continues to raise doubts about the effectiveness of these investments.

    a suspected Iranian hacker used a simple technique called Google Dorking to access the computer system that controlled a water dam in New York

    Google Dorking, isn’t as simple as performing a traditional online search. It uses advanced operators in the Google search engine to locate specific information (e.g., version, file name) within search results.

    How could an organization minimize the risk of being hacked via Google Dorking?

    After research, we placed some techniques to reduce the risks of being hacked via Google Dorking:

    1. Avoid Putting Sensitive Information on the Internet – The underlying threat associated with Google Dorking is that search engines are constantly scanning the Internet, monitoring, and indexing every device, port, and unique IP address connected to the Web. While most of this indexed data is meant for public consumption, some is not and is unintentionally made “reachable” by search engine bots.

    2. Exclude Sensitive Websites / Pages from Search Index – Make sure that websites / pages that contain sensitive information cannot be indexed by search engines. For example, Google USPER provides tools to remove entire sites, individual URLs, cached copies, and directories from Google’s index. Another option is to use the robots.txt fil

    3. Use Google Dorking for Web Vulnerability Testing – Implement routine Web vulnerability testing as part of your standard security practices and turn Google Dorking into your own pro-active security tool using online repositories like the Google Hacking Database (GHDB)

    Google Hacking Database
    https://www.offensive-security.com/community-projects/google-hacking-database/

    Originally created by Johnny Long of Hackers for Charity, The Google Hacking Database (GHDB) is an authoritative source for querying the ever-widening reach of the Google search engine. In the GHDB, you will find search terms for files containing usernames, vulnerable servers, and even files containing passwords.

    Reply
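    Step 2 above (keep sensitive pages out of the search index) is easy to get subtly wrong, because a crawler-specific robots.txt group replaces the `*` group rather than adding to it, and a `noindex` header is only seen on pages the crawler is allowed to fetch. The following audit script is an added example, not code from the original post or the linked article; the robots.txt, the paths and the response headers are all constructed samples, and `https://example.com` is a placeholder origin.

```python
"""Audit whether sensitive paths are kept out of search engine indexes.

Added example (not from the original post). It checks a site's own
robots.txt and per-page X-Robots-Tag headers against a list of paths
that must never be indexed, from the site owner's side. All inputs
below are constructed samples.
"""
from urllib.robotparser import RobotFileParser

# Constructed sample robots.txt. Note the pitfall it contains: the
# Googlebot group lists only /admin/, so for Googlebot the '*' group's
# Disallow: /backup/ does not apply at all (groups replace, not merge).
SAMPLE_ROBOTS_TXT = """\
User-agent: *
Disallow: /admin/
Disallow: /backup/
Allow: /

User-agent: Googlebot
Disallow: /admin/
"""

# Constructed sample: paths that must not be indexed, mapped to the
# (hypothetical) response headers each one currently returns.
SENSITIVE_PATHS = {
    "/admin/login.php": {},
    "/backup/db.sql": {},
    "/config/settings.xml": {"X-Robots-Tag": "noindex, nofollow"},
    "/uploads/report.pdf": {},
}

# Report values returned by audit()
BLOCKED = "blocked-by-robots"   # crawler may not fetch it
NOINDEX = "noindex"             # fetchable, but header forbids indexing
INDEXABLE = "INDEXABLE"         # nothing stops it from being indexed


def parse_robots(text):
    """Parse robots.txt text (already in hand, so no network fetch)."""
    rp = RobotFileParser()
    rp.parse(text.splitlines())
    return rp


def is_noindex(headers):
    """True if an X-Robots-Tag header carries a noindex directive."""
    tag = headers.get("X-Robots-Tag", "")
    return "noindex" in [t.strip().lower() for t in tag.split(",")]


def audit(robots_txt, sensitive_paths, user_agent="Googlebot",
          origin="https://example.com"):
    """Return {path: BLOCKED | NOINDEX | INDEXABLE} for one crawler.

    A path counts as safe only if the crawler is blocked from fetching
    it, or it is fetchable and answers with a noindex header. A noindex
    header on a robots-blocked path is never seen by the crawler, so
    the two mechanisms must not be combined on the same URL.
    """
    rp = parse_robots(robots_txt)
    report = {}
    for path, headers in sensitive_paths.items():
        if not rp.can_fetch(user_agent, origin + path):
            report[path] = BLOCKED
        elif is_noindex(headers):
            report[path] = NOINDEX
        else:
            report[path] = INDEXABLE
    return report


def exposed_paths(robots_txt, sensitive_paths, user_agents=("Googlebot", "*")):
    """Paths that end up INDEXABLE for at least one of the crawlers."""
    exposed = set()
    for ua in user_agents:
        for path, status in audit(robots_txt, sensitive_paths, ua).items():
            if status == INDEXABLE:
                exposed.add(path)
    return sorted(exposed)


if __name__ == "__main__":
    for ua in ("Googlebot", "*"):
        print(f"--- crawler: {ua}")
        for path, status in audit(SAMPLE_ROBOTS_TXT, SENSITIVE_PATHS, ua).items():
            print(f"{status:18} {path}")
    print("needs attention:", exposed_paths(SAMPLE_ROBOTS_TXT, SENSITIVE_PATHS))
```

    Two caveats the report does not capture: robots.txt is itself public, so every Disallow line advertises a path, and none of this is access control; a file that must stay private needs authentication, not just de-indexing.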
  26. Tomi Engdahl says:

    White Hat turned into Black Hat Hackers
    http://www.kamranmohsin.com/white-hat-turned-black-hat-hackers/

    The very recent news exposed the reality of most cyber security experts who were paid to defend the enterprises for which they were hired (contract based or permanent). The ethical hackers were on contract to protect the credentials of any particular company. But these security researchers who were white hat turned into black hat hackers.

    The news reveals that the hired employees were involved in security breaches. This seriously shocked the enterprise’s owners and directors about their data integrity over the internet. Now what are the steps to be taken to ensure that the hired security experts aren’t the real black hat hackers who are meant to breach any security firewall for their own means.

    According to the revealed information in the last year so far, there are some real case stories about stealing sensitive data by the paid security researchers who were authorized to protect the sensitive data from breach but they did it like a black hat. Oops!

    To talk about good and bad guys, we can make them separate by saying good guys are ‘ethical hackers’ who are trained to work for the benefit of an organization and bad guys are ‘black hat’ who can just damage the enterprise’s infrastructure or business for their own means. Though there are some ‘grey hat’ who know the standards and lie between the two categories.

    Reply
  27. Tomi Engdahl says:

    Taiwan seeks two Russian suspects in $2 million ATM malware heist
    http://www.reuters.com/article/us-taiwan-banks-theft-idUSKCN0ZT0Y6

    Taiwan investigators suspect two Russian nationals hacked into a major domestic bank’s ATMs last weekend, using malware to withdraw more than $2 million from dozens of machines in the country’s first recorded case of its kind.

    Combining cybercrime with daylight robbery after a typhoon battered greater Taipei, the suspects may have used a cellphone to trigger 41 First Bank ATMs to dispense fat wads of bills.

    Since discovering the theft on Monday, a range of Taiwan’s biggest state-run banks have frozen withdrawals from nearly 1,000 ATMs of the kind used in the heist, supplied by Germany’s Wincor Nixdorf. About 4 percent of Taiwan’s national ATM network of 27,200 machines is affected, leaving customers obliged to use other machines.

    First Bank reported T$70 million ($2.2 million) was stolen from its ATMs.

    Hackers used malware to steal $2 million from ATMs in Taiwan
    http://securityaffairs.co/wordpress/49429/cyber-crime/taiwan-atm-hacking.html

    Taiwanese law enforcement agencies are investigating malware-based attacks against ATMs of a national bank that resulted in a $2 million theft.

    According to the video footage recorded by the security cameras, the hackers haven’t used skimmers to steal payment card data; they likely used malware to control the ATM.

    The images show the crooks using a “connected device,” likely a smartphone, to instruct the ATM to release the cash.

    The targeted ATMs are produced by Wincor Nixdorf; the company admitted that some of its ATMs in Taiwan were hacked as part of a “premeditated attack.”

    “Attacks follow a similar pattern, irrespective of their make or brand, and we as well as the banks are aware of them,” a Wincor official in Germany told Reuters by email. “The details of the attack are being examined by the police, banks as well as experts from Wincor Nixdorf. To support the local teams we have sent security experts.” is the Wincor statement reported by the Reuters Agency.

    Investigators have discovered three different strains of malware on the hacked ATMs,

    Reply
  28. Tomi Engdahl says:

    ATM Attacks Are Skyrocketing
    http://resources.infosecinstitute.com/atm-attacks-are-skyrocketing/

    Security and fraud experts are observing a significant increase in the number of cyber attacks against the ATMs, in particular, skimming and malware-based attacks. The popular investigator Brian Krebs recently published an interesting post that warns about an alarming increase in skimming attacks for both American and European banks.

    “Skimming attacks on ATMs increased at an alarming rate last year for both American and European banks and their customers, according to recent stats collected by fraud trackers.” wrote Krebs. “The trend appears to be continuing into 2016, with outbreaks of skimming activity visiting a much broader swath of the United States than in years past.”

    The number of ATM attacks is increasing worldwide, as confirmed by the data shared by the European ATM Security Team (EAST).

    September 2015 – Suceful, the first multi-vendor ATM malware
    Every vendor has its own implementation of the XFS Manager even though they also support the default XFS Manager template.
    SUCEFUL was designed to read payment card data and suppress ATM sensors to avoid detection.

    September 2015 – GreenDispenser
    The installation of GreenDispenser requires physical access to the targeted ATM; then the crooks send commands to the machine directly from the PIN pad and order it to dispense cash.
    “GreenDispenser provides an attacker the ability to walk up to an infected ATM and drain its cash vault. When installed, GreenDispenser may display an ‘out of service’ message on the ATM — but attackers who enter the correct pin codes can then drain the ATM’s cash vault and erase GreenDispenser using a deep delete process, leaving little if any trace of how the ATM was robbed.” states the experts at Proofpoint.
    Also, in this case, the ATM malware implements the XFS, the Extension for Financial Services DLL library (MSXFS.dll), to control the peripherals connected to the ATM, including the ATM’s PIN pad and the cash dispenser.

    November 2015 – ATMs vulnerable during the update process
    The expert tried to interact with the ATM and observed a Windows command prompt showing an ongoing update process.
    The status change was caused by a software update
    The expert highlighted that the ATM keyboard was not disabled during the process, allowing an attacker to execute system commands via the command prompt, the card reader also remained usable during the update.
    A video recording of the process allowed the expert to analyze the information displayed on the screen that included many sensitive data such as the bank’s main system branch usernames, serial numbers, network and firewall configurations, device IDs, ATM settings, and two system passwords.
    The ATMs analyzed by the researcher are manufactured by Wincor Nixdorf, one of the most important vendors in the banking industry. The terminals were running Windows 7 and Windows XP operating systems.
    The attacker could use the information disclosed during the update process to run a man-in-the-middle (MitM) attack on the targeted bank’s local network.

    November 2016 – “The Russian Job.”

    GroupIB estimated that the Reverse ATM Attack allowed crooks in Russia to steal 252 Million Rubles (roughly US$3.8 Million) from at least five different banks.

    The attacker would deposit sums of 5,000, 10,000 and 30,000 Rubles into legitimate bank accounts using ATMs, and immediately withdraw the same amounts of money accompanied by a printed receipt of the payment transaction.
    The partner would then use the details on the receipt to perform a reversal operation on a POS terminal that would lead them into believing that the withdrawals were canceled
    When ATM Withdrawals were made in one country and canceled/reversed in another, the verification process fails.

    May 2016 – Skimer, the last ATM threat

    Security experts at Kaspersky Lab have recently spotted a new strain of the malware dubbed ‘Skimer’ (Backdoor.Win32.Skimer). Skimer is an old threat that has been around since 2009; it is used by cyber criminals to steal money and payment card data from ATMs.
    “Kaspersky Lab has now identified 49 modifications of this malware, with 37 of these modifications targeting ATMs made by just one manufacturer. The most recent version was discovered at the beginning of May 2016.”
    Kaspersky noticed that hackers can control the Skimer malware by using two types of specifically crafted cards. The authors of the malware use data stored in Track 2 to discriminate the two kinds of cards, one type for executing commands hard-coded in Track 2, the other to execute one of 21 predefined commands using the PIN pad and the malware interface.

    And again …
    Hacking an ATM with a Samsung Galaxy 4 Smartphone

    A smartphone could be enough to compromise an ATM system and force it to dispense the cash; the attack was described by the popular investigator Brian Krebs.
    Poorly protected ATMs are more exposed to this type of attack; hackers compromise their case to connect the mobile device and establish a connection with the ATM.
    The criminal crews isolated the cash dispenser from the ATM PC and connected it to a PC they control using the smartphone. Krebs reported that the “black box attacks” have been conducted against ATMs made by the NCR vendor.

    Black box attack, hacking an ATM with Raspberry Pi

    A variant of the previous attack relies on a Raspberry Pi that could be hidden inside an ATM enclosure without arousing suspicion of those who are involved in the maintenance of the ATM.

    “Regardless of the vendor, cash machines and payment terminals share the same API for accessing and manipulating various modules and use the Windows platform by the Extensions for Financial Services (XFS). Knowing the API, one may easily gain access to an ATM host and directly manage multiple peripheral devices installed inside the money machine, e.g. a card reader, PIN pad, touchscreen display, dispenser unit, etc. Do not forget about ATM OS vulnerabilities — Windows has a lot of those in stock for many years to come.” reads a blog post published by the Positive Research Center.

    Conclusion

    The experts have no doubt; the ATM will continue to be a privileged instrument for crooks that will improve their malicious code to avoid detection.

    Reply
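    The “Russian Job” reverse ATM attack in the post above worked because a reversal submitted from a POS terminal abroad was accepted against a withdrawal that had already been paid out. The following reconciliation check is an added example (not code from GroupIB, Wincor Nixdorf or any bank): a reversal is only honoured when it references a known, still-open withdrawal with the same amount in the same country. All records, receipt ids and account names are constructed placeholders.

```python
"""Reconciliation of POS reversal requests against ATM withdrawals.
Added example for the reverse ATM attack pattern; constructed data only."""

from dataclasses import dataclass


@dataclass
class Withdrawal:
    receipt_id: str
    account: str
    amount: int        # amount in whole rubles (constructed sample values)
    country: str       # country code of the ATM that dispensed the cash
    reversed: bool = False


@dataclass
class ReversalRequest:
    receipt_id: str    # receipt details the partner types into the POS terminal
    amount: int
    country: str       # country code of the POS terminal submitting the reversal


def check_reversal(withdrawals: dict, req: ReversalRequest) -> tuple:
    """Return (accepted, reason). `withdrawals` is indexed by receipt_id.

    The checks are ordered from cheapest to most specific; the country check
    is the one that closes the cross-border variant described in the post."""
    w = withdrawals.get(req.receipt_id)
    if w is None:
        return False, "unknown receipt"
    if w.reversed:
        return False, "already reversed"          # replay of the same receipt
    if w.amount != req.amount:
        return False, "amount mismatch"
    if w.country != req.country:
        return False, "country mismatch"          # withdrawn here, reversed abroad
    w.reversed = True                             # mark the withdrawal as settled
    return True, "ok"


def build_ledger() -> dict:
    """Constructed sample ledger: two withdrawals of the amounts named in the post."""
    return {
        "R-1001": Withdrawal("R-1001", "acct-7", 5000, "RU"),
        "R-1002": Withdrawal("R-1002", "acct-7", 30000, "RU"),
    }


def run_scenario() -> list:
    """Four reversal attempts against the sample ledger; returns their verdicts."""
    ledger = build_ledger()
    results = [
        # 1. Reversal from a foreign POS terminal: the step the scheme relied on.
        check_reversal(ledger, ReversalRequest("R-1001", 5000, "DE")),
        # 2. Domestic terminal, matching amount: accepted exactly once.
        check_reversal(ledger, ReversalRequest("R-1001", 5000, "RU")),
        # 3. Same receipt submitted again: refused as a replay.
        check_reversal(ledger, ReversalRequest("R-1001", 5000, "RU")),
        # 4. Receipt that was never issued.
        check_reversal(ledger, ReversalRequest("R-9999", 10000, "RU")),
    ]
    return results


if __name__ == "__main__":
    for accepted, reason in run_scenario():
        print("ACCEPT" if accepted else "REJECT", reason)
```
    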
  29. Tomi Engdahl says:

    Taiwan Says Foreign Suspects Arrested Over $2 Million ATM Cyber Robbery
    http://fortune.com/2016/07/17/taiwan-atm-cyber-robbery-arrest/

    An international heist team used malware for mega withdrawals.

    Police in Taiwan said on Sunday they had arrested three out of 16 foreign suspects they believe hacked into the cash machines of a major local bank, withdrawing more than $2 million.

    They are accused of targeting First Bank’s ATMs last week, using malware to withdraw more than T$80 million ($2.5 million) from dozens of machines.

    “This is the first time that an international team of ATM thieves has committed a crime in Taiwan,”

    In May, a gang stole $13 million from Japanese ATMs in a three-hour spree.

    Investigators have identified three different malware programs that were used to trigger withdrawals.

    Reply
  30. Tomi Engdahl says:

    Kim Nash / Wall Street Journal:
    IBM launches platform to let companies test using blockchain technology for supply chain record-keeping

    IBM Pushes Blockchain into the Supply Chain
    IBM’s new service will help companies test online ledger technology to track high-value goods as they move through supply chains
    http://www.wsj.com/articles/ibm-pushes-blockchain-into-the-supply-chain-1468528824

    International Business Machines Corp. said Thursday it has launched a platform for companies to test “blockchain” record-keeping technology in their supply chains.

    The service is an attempt to expand the use of blockchain beyond the financial services industry, where the technology underpins the bitcoin digital currency and is used by banks and exchanges to track financial transactions. While firms such as Nasdaq Inc., Depository Trust & Clearing Corp., J.P. Morgan Chase & Co. and Bank of America Corp. are experimenting with blockchain, only a handful of companies, including Toyota Motor Corp. , have explored using it to monitor their supply chains.

    Proponents say these traits make blockchain well-suited for logging and monitoring large amounts of data, such as short-term loans or the millions of parts coursing through the aviation industry’s supply chain.

    Everledger is building systems to record the movement of diamonds from mines to jewelry stores and has been using various blockchain tools, including Bitcoin’s ledger. Everledger is testing IBM Blockchain

    By creating a permanent record that can’t be altered, blockchain is well-suited for tracking diamonds and other goods where buyers want to know the origins and previous owners, said Bill Fearnley Jr., a research director at International Data Corp.

    “Valuable assets of any kind could be tracked better, with an unerasable history, on a blockchain,” he said.

    Supply chain is the most likely application for the technology after financial services

    Reply
  31. Tomi Engdahl says:

    Stephanie Condon / ZDNet:
    Google says government requests for user data reached an all-time high: more than 40K in 2nd half of 2015, with US issuing 12.5K requests affecting 27.1K users

    Google: Government requests for user data hit all-time high in second half of 2015
    http://www.zdnet.com/article/google-government-requests-for-user-data-hit-all-time-high-in-second-half-of-2015/

    Governments from around the globe made 40,677 requests for user data from Google during the last half of 2015.

    Reply
  32. Tomi Engdahl says:

    DDoS, the cloud and you
    Who are you rubbing shoulders with?
    http://www.theregister.co.uk/2016/07/21/ddos_the_cloud_and_you/

    Private cloud computing can be a useful way to offload some computing overhead and manage your costs effectively. The switch to operating expenses from capital expenses, the elasticity, the business continuity benefits – they’re all real. But so are the dangers of DDoS disaster.

    There’s a problem with moving your servers and data up to the cloud: it increases your attack surface. Suddenly, you’re not the only one at risk from a DDoS attack. The cloud service provider’s other customers are too, and that can have implications for you.

    In this sense, private cloud is like getting into the same bath as everyone else. Who are you sharing your servers with? No matter whether your environment is collocated, or a single or multi-tenant hosted environment, you may be rubbing shoulders with other companies less salubrious than yours, that draw more attention online. If that attention includes denial of service traffic, your business could suffer.

    When a DDoS attack hits the cloud service provider’s (CSP) data centre, the traffic may be targeted at a particular tenant, but because the attacker is using the CSP’s internet connection to reach that tenant, it will naturally choke off others’ traffic, too.

    Reply
  33. Tomi Engdahl says:

    UK Cybersecurity Executives Plead Guilty To Hacking A Rival Firm
    https://news.slashdot.org/story/16/07/24/0010231/uk-cybersecurity-executives-plead-guilty-to-hacking-a-rival-firm?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29

    “Five employees from cybersecurity firm Quadsys have admitted to hacking into a rival company’s servers to allegedly steal customer data and pricing information,” ZDNet is reporting.

    Cybersecurity company executives plead guilty to hacking rival firm
    Not only did the Quadsys staff reportedly break into servers, they were caught doing it.
    http://www.zdnet.com/article/cybersecurity-firm-staff-plead-guilty-to-hacking-rival-firm/

    Five employees from cybersecurity firm Quadsys have admitted to hacking into a rival company’s servers to allegedly steal customer data and pricing information.

    According to The Register, members of the top Quadsys ranks pleaded guilty to hacking charges following a string of hearings.

    Oxfordshire, UK-based Quadsys is a reseller of IT and cybersecurity products, hardware and services.

    Reply
  34. Tomi Engdahl says:

    Denmark sent sensitive health data to Chinese by mistake
    http://www.swissinfo.ch/eng/reuters/denmark-sent-sensitive-health-data-to-chinese-by-mistake/42314050

    COPENHAGEN (Reuters) – Sensitive health information about almost the entire population of Denmark ended up in the wrong hands when a letter by mistake was sent to a Chinese visa office in Copenhagen, the Danish Data Protection Agency said on Wednesday.

    The incident happened when two unencrypted CDs containing the data were sent last year by the Serum Institute, a public enterprise under the Danish health ministry, in an envelope to the country’s statistics office.

    The letter contained information on cancer, diabetes and psychiatric diagnoses as well as other data such as social security numbers, according to documents seen by Reuters.

    The “sensitive personal data” of about 5.3 million individuals living in Denmark between 2010 and 2012 was of “very comprehensive nature,” the agency said.

    The visa centre is, according to its website, operated by a wholly owned unit of state-controlled Bank of China.

    Reply
  35. Tomi Engdahl says:

    Search the AKP email database
    https://wikileaks.org/akp-emails/

    Today, 11pm Ankara Time, WikiLeaks releases part one of the AKP Emails. AKP, or the Justice & Development Party, is the ruling party of Turkey and is the political force behind the country’s president, Recep Tayyip Erdoğan.

    Reply
  36. Tomi Engdahl says:

    All Signs Point to Russia Being Behind the DNC Hack
    http://motherboard.vice.com/read/all-signs-point-to-russia-being-behind-the-dnc-hack

    In the wee hours of June 14, the Washington Post revealed that “Russian government hackers” had penetrated the computer network of the Democratic National Committee. Foreign spies, the Post claimed, had gained access to the DNC’s entire database of opposition research on the presumptive Republican nominee, Donald Trump, just weeks before the Republican Convention. Hillary Clinton said the attack was “troubling.”

    CrowdStrike linked both groups to “the Russian government’s powerful and highly capable intelligence services.” APT 29, suspected to be the FSB, had been on the DNC’s network since at least summer 2015. APT 28, identified as Russia’s military intelligence agency GRU, had breached the Democrats only in April 2016, and probably tipped off the investigation.

    This was big. Democratic political operatives suspected that not one but two teams of Putin’s spies were trying to help Trump and harm Clinton. The Trump campaign, after all, was getting friendly with Russia.

    Digitally exfiltrating and then publishing possibly manipulated documents disguised as freewheeling hacktivism is crossing a big red line and setting a dangerous precedent

    This tactic and its remarkable success is a game-changer: exfiltrating documents from political organisations is a legitimate form of intelligence work. The US and European countries do it as well. But digitally exfiltrating and then publishing possibly manipulated documents disguised as freewheeling hacktivism is crossing a big red line and setting a dangerous precedent: an authoritarian country directly yet covertly trying to sabotage an American election.

    Reply
  37. Tomi Engdahl says:

    Xen Patches Serious Privilege Escalation Flaw
    http://www.securityweek.com/xen-patches-serious-privilege-escalation-flaw

    The Xen Project has released patches for two vulnerabilities, including a serious issue that could allow an attacker to escape the guest virtual machine.

    According to an advisory made public on Tuesday, a malicious paravirtual (PV) guest administrator can escalate their privileges to the ones of the host. The Xen Project pointed out that while all Xen versions are vulnerable, only PV guests running on x86 hardware are exposed. The vulnerability does not affect hardware virtual machine (HVM) guests.

    The vulnerability, discovered by Jérémie Boutoille of Quarkslab and tracked as CVE-2016-6258, has also been analyzed by the developers of the security-oriented, open-source operating system Qubes, which uses Xen hypervisor for security isolation between domains.

    Reply
  38. Tomi Engdahl says:

    New Presidential Policy Directive Details U.S. Cyber Incident Response
    http://www.securityweek.com/new-presidential-policy-directive-details-us-cyber-incident-response

    Presidential Policy Directive PPD-41 Describes a National Cyber Incident Response Plan

    The U.S. Government finally has its own incident response plan. In reality it is more like the framework for the development of an incident response plan (IRP); but it is a good high level start. IRP for a nation is more complex than IRP for an organization; but Obama’s new Presidential Policy Directive on Cyber Incident Coordination (PPD-41), approved on Tuesday, begins to define what constitutes a cyber incident, and who is responsible for responding to that incident.

    PPD describes a cyber incident severity schema specifying six color-coded levels from zero to five. Level zero, colored white, is an unsubstantiated or inconsequential event. Incidents then rise in severity through level one (green): unlikely to impact public health or national security; level two (yellow): may impact public health or national security; level three (orange): likely to result in a demonstrable impact to public health or national security; level four (red): likely to result in a significant impact to public health or national security; and finally black: poses an imminent threat to the provision of wide-scale critical infrastructure services. Each of these levels is given additional definition, including economic effects, foreign relations, national stability, etcetera; but the point to note is that an incident ranking level three and upwards is categorized as ‘significant’ and will trigger a national response.

    One noticeable aspect of this PPD is that the level of highest severity is not classified as an ‘act of war’.

    Reply
  39. Tomi Engdahl says:

    Wireless Keyboards Vulnerable to Sniffing, Injection Attacks
    http://www.securityweek.com/wireless-keyboards-vulnerable-sniffing-injection-attacks

    Wireless keyboards from several vendors don’t use encryption when communicating with their USB dongle, allowing remote attackers to intercept keystrokes or send their own commands to the targeted computer.

    The attack method, dubbed KeySniffer, was discovered by researchers at IoT security company Bastille. Experts tested non-Bluetooth wireless keyboards from 12 manufacturers and determined that devices from eight of them are vulnerable to KeySniffer attacks.

    Bastille said the affected products are inexpensive wireless keyboards from HP, Toshiba, Insignia, Kensington, Radio Shack, Anker, General Electric and EagleTec. It’s possible that products from other companies are impacted as well. Experts determined that higher-end keyboards produced by firms like Lenovo, Dell and Logitech are not affected as they encrypt communications.

    Kensington informed the security firm that it has released a firmware update to address the issue.

    This is not the first time Bastille has found such vulnerabilities. Earlier this year, the company warned that wireless mice and keyboards from several top vendors were vulnerable to so-called MouseJack attacks, where malicious actors send key press packets to a targeted computer through the affected device’s USB dongle in an effort to conduct arbitrary actions. MouseJack is particularly effective against wireless mice because these devices typically don’t use encryption and proper authentication mechanisms.

    BASTILLE RESEARCH ALERT
    KEYSNIFFER
    http://www.keysniffer.net/

    KeySniffer is a set of security vulnerabilities affecting non-Bluetooth wireless keyboards from eight vendors. The wireless keyboards susceptible to KeySniffer use unencrypted radio communication, enabling an attacker up to several hundred feet away to eavesdrop and record all the keystrokes typed by the victim. This means an attacker can see personal and private data such as credit card numbers, usernames, passwords, security question answers and other sensitive or private information all in clear text. The equipment needed to do the attack costs less than $100 putting it in reach of many teenage hackers.

    The keyboard manufacturers affected by KeySniffer include: Anker, EagleTec, General Electric, Hewlett-Packard, Insignia, Kensington, Radio Shack and Toshiba.

    KeySniffer exposes personally identifiable information such as:

    Card Numbers, expiration date, CVV code
    Bank account usernames and passwords
    Answers to security questions: Name of your first pet, mother’s maiden name, etc.
    Network access passwords
    Any secrets: business or personal typed into a document or email
    Date of birth
    Employer confidential information

    “When we purchase a wireless keyboard we reasonably expect that the manufacturer has designed and built security into the core of the product. Unfortunately, we tested keyboards from 12 manufacturers and were disappointed to find that eight manufacturers (two-thirds) were susceptible to the KeySniffer hack.”
    — Marc Newlin, Bastille Research Team member responsible for the KeySniffer discovery.

    Reply
  40. Tomi Engdahl says:

    Analysts Reveal Arsenal of Cyber Tools Used by Islamic Terrorists
    http://www.securityweek.com/analysts-reveal-arsenal-cyber-tools-used-islamic-terrorists

    Jihadist groups use a variety of digital tools and online services that allow them to maintain a strong online presence, while also helping them remain undetected by adversaries, a recent report from Flashpoint reveals.

    In a new report (PDF) called Tech for Jihad: Dissecting Jihadists’ Digital Toolbox, the intelligence firm reveals the findings of an analysis of the tools employed by various jihadist groups, including the Islamic State (also known as IS, ISIS, ISIL, and Daesh).

    According to the report, the online activity of these groups remains relatively unknown to the general public, although their use of social media has attracted significant attention over the past months.

    Overall, Flashpoint provided analysis of 36 specific tools and services used by radical Islamic terrorist groups.

    According to Flashpoint, which recently raised $10 million to expand its business, Jihadists use complex ways to maintain robust yet secretive online presences, given that confidentiality and privacy are paramount to their survival. However, the report also points out that mainstream communication applications do not offer the sophistication these groups require for their security needs, meaning that jihadists are constantly forced to seek alternative ways to communicate.

    https://www.flashpoint-intel.com/home/assets/Media/TechForJihad.pdf

    Reply
  41. Tomi Engdahl says:

    ISIS Cyber Capabilities Weak, Poorly Organized: Report
    http://www.securityweek.com/isis-cyber-capabilities-weak-poorly-organized-report

    While threats emanating from ISIS-inspired cyberattacks are of high concern, intelligence analysts have concluded that, as of now, the cyber capabilities of the Islamic State and its supporters are still relatively weak and appear to be underfunded and poorly organized.

    According to a new report from intelligence firm Flashpoint, a growing pro-ISIS community of hackers is expected to expand following the formal merger of several ISIS hacking groups into a new group called the “United Cyber Caliphate”.

    Reply
  42. Tomi Engdahl says:

    BitCluster Brings a New Way to Snoop Through BitCoin Transactions
    http://hackaday.com/2016/07/23/bitcluster-brings-a-new-way-to-snoop-through-bitcoin-transactions/

    Mining the wealth of information in the BitCoin blockchain is nothing new, but BitCluster goes a long way to make sense of the information you’ll find there.

    Every time you transfer BitCoin (BTC) you send the network the address of the transaction when you acquired the BTCs and sign it with your key to validate the data. If you reuse the same wallet address on subsequent transactions (maybe because you didn’t spend all of the wallet’s coins in one transaction, or you overpaid and have the change routed back to your wallet), the uniqueness of that signed address can be tracked across those multiple transactions. This alone won’t dox you, but it does allow a clever piece of software to build a database of nodes by associating transactions together.

    Both ransomware and illicit markets can be observed using this technique. Successful, yet not-so-cautious ransomers sometimes use the same BitCoin address for all payments.

    A good illicit market won’t use just one wallet address. But to protect customers they use escrow addresses, and these do get reused, making cluster analysis possible.

    It’s fascinating to peer into transactions in this manner. And the good news is that there’s plenty of interesting stuff just waiting to be discov

    https://www.bit-cluster.com/

    Reply
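    The clustering the post describes can be shown on a handful of transactions. The block below is an added example, not BitCluster’s code: it applies the common-input-ownership heuristic (addresses spent together in one transaction belong to one entity) with a union-find structure, lists addresses that are reused across transactions, and shows how a ransom address reused for every victim links all payments. The transactions and address labels are constructed placeholders, not real blockchain data.

```python
"""Address clustering over constructed transactions (added example).
Each transaction is (txid, input_addresses, output_addresses)."""

from collections import defaultdict

# Constructed sample chain; "addr*" labels are placeholders, not real addresses.
SAMPLE_TXS = [
    ("tx1", ["addrA", "addrB"], ["addrX"]),           # A and B co-spent
    ("tx2", ["addrB", "addrC"], ["addrY", "addrA"]),  # B reused; change back to A
    ("tx3", ["addrD"], ["addrRansom"]),               # victim 1 pays ransom address
    ("tx4", ["addrE"], ["addrRansom"]),               # victim 2 pays the same address
    ("tx5", ["addrRansom"], ["addrF"]),               # ransomer cashes out
]


class UnionFind:
    """Minimal disjoint-set structure keyed by address string."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]   # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_addresses(txs):
    """Group input addresses by common-input ownership.

    Returns {representative_address: sorted list of member addresses}. Only
    addresses that were ever spent from appear; unspent outputs are unknown."""
    uf = UnionFind()
    for _txid, inputs, _outputs in txs:
        for addr in inputs:
            uf.find(addr)                      # register even single inputs
        for addr in inputs[1:]:
            uf.union(inputs[0], addr)          # all inputs -> same entity
    clusters = defaultdict(list)
    for addr in list(uf.parent):
        clusters[uf.find(addr)].append(addr)
    return {root: sorted(members) for root, members in clusters.items()}


def cluster_of(txs, address):
    """Sorted members of the cluster containing `address` ([] if never spent)."""
    for members in cluster_addresses(txs).values():
        if address in members:
            return members
    return []


def reused_addresses(txs):
    """Addresses seen (as input or output) in more than one transaction."""
    seen_in = defaultdict(set)
    for txid, inputs, outputs in txs:
        for addr in inputs + outputs:
            seen_in[addr].add(txid)
    return sorted(a for a, ids in seen_in.items() if len(ids) > 1)


def payments_to(txs, address):
    """Transactions paying `address`: with a reused ransom address, every
    victim payment is linkable from the public ledger alone."""
    return [txid for txid, _inputs, outputs in txs if address in outputs]


if __name__ == "__main__":
    print(cluster_addresses(SAMPLE_TXS))
    print(reused_addresses(SAMPLE_TXS))
    print(payments_to(SAMPLE_TXS, "addrRansom"))
```
    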
  43. Tomi Engdahl says:

    Victoria Craw / NEWS.com.au:
    Researcher: to avoid creating copycats, media outlets should treat terror attacks like suicides, scaling back coverage

    Expert calls for terror attacks to be treated same way as suicide when it comes to media coverage
    http://www.news.com.au/world/europe/expert-calls-for-terror-attacks-to-be-treated-same-way-as-suicide-when-it-comes-to-media-coverage/news-story/04d99ebfd2092d9be952928a92995360

    MEDIA should treat terrorist attacks the same way as suicide when it comes to reporting in order to reduce the threat of copycat attempts, a leading expert has warned.

    University of Western Australia professor Michael Jetter has previously found “media attention does indeed predict future terrorist activities”. He’s now working on an in-depth analysis of Islamist-inspired attacks and has called for an open discussion on terror and reporting in light of a wave of violence that has blighted Europe.

    “The purpose of not reporting suicides fully is to not encourage copycats,” he said, having recently returned from Germany which has suffered five violent incidents in eight days.

    “What German newspapers are doing is they’re blowing it up so much that everybody who is seeking attention is really given the signal that, ‘I will be famous.’ That is very likely a reason why you see so many more of those things. It’s a scary development and I do think they need to think about how they cover things.”

    Reply
  44. Tomi Engdahl says:

    Reuters:
    Sources: FBI investigates cyber intrusion into DCCC, following DNC breach, and its potential ties to Russian hackers

    Exclusive: FBI probes hacking of Democratic congressional group – sources
    http://www.reuters.com/article/us-usa-cyber-democrats-exclusive-idUSKCN1082Y7

    The FBI is investigating a cyber attack against another U.S. Democratic Party group, which may be related to an earlier hack against the Democratic National Committee

    The newly disclosed breach at the DCCC may have been intended to gather information about donors

    For some time, internet traffic associated with donations that was supposed to go to a company that processes campaign donations instead went to the bogus site

    “It’s no coincidence someone is hacking into Democratic Party computers. It’s almost sounding like a repeat of Watergate,”

    “Until proven otherwise, I would suggest that everyone involved with the campaign committee operate under the assumption Russians have access to everything in their computer systems,” Manley said.

    Reply
  45. Tomi Engdahl says:

    Security-versed writer Petteri Järvinen considers how the retail trade’s capturing of consumer purchasing information can be used for many purposes in the future.

    Security-versed Petteri Järvinen warns Finns about loss of privacy, about the trade’s “seeming reductions” and about the unpredictability of how the collected data is used.

    - Finns are afraid that on-line monitoring and observation might be too much, but then many are willing to give away all their consumption data as soon as they get a little bonus and a seeming discount. This is the follow-up, security-versed Järvinen says.

    Security risks

    Järvinen says that the security risk is always there, even if the S-Group does its best to be reassuring.

    - No one can prevent it if someone really wants to break into the data. Even if hackers were not interested in consumer data, it would be commercially exploitable.

    Järvinen is surprised that the shops may spend millions to maintain the system.

    - In Finland, the trade is in any case extremely concentrated. First the merchant increases prices to cover ten percent of IT and marketing expenses. Then he gives a five percent discount to customers who have a bonus card. Then the client imagines that he benefited from it.

    Järvinen says that Finnish stores are constantly moving more and more towards targeting advertisements using data collected from clients.

    - It will be easy for intimate, private areas. Shopping defines what kind of person you are. The merchant receives the same information as Facebook and Google.

    Source: http://www.iltalehti.fi/uutiset/2016072821972738_uu.shtml

    Reply
  46. Tomi Engdahl says:

    Bruce Schneier / Schneier on Security:
    Recent hacks indicate US election systems and voting machines could be targeted too; government must take urgent steps to secure them, and consider retaliation — Russia was behind the hacks into the Democratic National Committee’s computer network that led to the release of thousands …

    The Security of Our Election Systems
    https://www.schneier.com/blog/archives/2016/07/the_security_of_11.html

    Russia was behind the hacks into the Democratic National Committee’s computer network that led to the release of thousands of internal emails just before the party’s convention began, U.S. intelligence agencies have reportedly concluded.

    The FBI is investigating. WikiLeaks promises there is more data to come. The political nature of this cyberattack means that Democrats and Republicans are trying to spin this as much as possible. Even so, we have to accept that someone is attacking our nation’s computer systems in an apparent attempt to influence a presidential election. This kind of cyberattack targets the very core of our democratic process. And it points to the possibility of an even worse problem in November – that our election systems and our voting machines could be vulnerable to a similar attack.

    If the intelligence community has indeed ascertained that Russia is to blame, our government needs to decide what to do in response. This is difficult because the attacks are politically partisan, but it is essential. If foreign governments learn that they can influence our elections with impunity, this opens the door for future manipulations, both document thefts and dumps like this one that we see and more subtle manipulations that we don’t see.

    Retaliation is politically fraught and could have serious consequences, but this is an attack against our democracy.

    Even more important, we need to secure our election systems before autumn. If Putin’s government has already used a cyberattack to attempt to help Trump win, there’s no reason to believe he won’t do it again – especially now that Trump is inviting the “help.”

    Over the years, more and more states have moved to electronic voting machines and have flirted with Internet voting. These systems are insecure and vulnerable to attack.

    Last April, the Obama administration issued an executive order outlining how we as a nation respond to cyberattacks against our critical infrastructure. While our election technology was not explicitly mentioned, our political process is certainly critical.

    Reply
  47. Tomi Engdahl says:

    British Spies Used a URL Shortener to Honeypot Arab Spring Dissidents
    http://motherboard.vice.com/read/gchq-url-shortener-twitter-honeypot-arab-spring

    A shadowy unit of the British intelligence agency GCHQ tried to influence online activists during the 2009 Iranian presidential election protests and the 2011 democratic uprisings largely known as the Arab Spring, as new evidence gathered from documents leaked by Edward Snowden shows.

    The GCHQ’s special unit, known as the Joint Threat Research Intelligence Group or JTRIG, was first revealed in 2014, when leaked top secret documents showed it tried to infiltrate and manipulate—using “dirty trick” tactics such as honeypots—online communities including those of Anonymous hacktivists, among others.

    The group’s tactics against hacktivists have been previously reported, but its influence campaign in the Middle East has never been reported before. I was able to uncover it because I was myself targeted in the past, and was aware of a key detail, a URL shortening service, that was actually redacted in Snowden documents published in 2014.

    A now-defunct free URL shortening service—lurl.me—was set up by GCHQ that enabled social media signals intelligence. Lurl.me was used on Twitter and other social media platforms for the dissemination of pro-revolution messages in the Middle East.

    The project is linked to the GCHQ unit called the Joint Threat Research Intelligence Group or JTRIG, whose mission is to use “dirty tricks” to “destroy, deny, degrade [and] disrupt” enemies by “discrediting” them, according to leaked documents.

    The Internet Archive shows that the website was active as early as June 2009 and was last seen online in November 2013. A snapshot of the website shows it was a “free URL shortening service” to “help you get links to your friends and family fast.”

    Reply
  48. Tomi Engdahl says:

    Jonathan Zdziarski / Zdziarski’s Blog of Things:
    Deleted WhatsApp messages leave behind forensic artifacts that could be reconstructed by someone with access to your device or iCloud backups — Sorry, folks, while experts are saying the encryption checks out in WhatsApp, it looks like the latest version of the app tested leaves forensic trace …

    WhatsApp Forensic Artifacts: Chats Aren’t Being Deleted
    http://www.zdziarski.com/blog/?p=6143

    Sorry, folks, while experts are saying the encryption checks out in WhatsApp, it looks like the latest version of the app tested leaves forensic trace of all of your chats, even after you’ve deleted, cleared, or archived them… even if you “Clear All Chats”. In fact, the only way to get rid of them appears to be to delete the app entirely.

    Reply
  49. Tomi Engdahl says:

    Brian Fung / Washington Post:
    Navy officials say the US uses submarines to carry out cyberattacks

    America uses stealthy submarines to hack other countries’ systems
    https://www.washingtonpost.com/news/the-switch/wp/2016/07/29/america-is-hacking-other-countries-with-stealthy-submarines/

    When Donald Trump effectively called for Russia to hack into Hillary Clinton’s emails Wednesday, the GOP nominee’s remarks touched off a (predictable) media firestorm. Here was a presidential candidate from a major U.S. party encouraging a foreign government to target American interests with cyberspying — an act that could not only expose national security information but also potentially undermine the actual security infrastructure of the United States.

    Cyberwarriors working for Moscow and other regimes are already poking and prodding at our networks, so there’s little reason to think Trump’s words were all that damaging in themselves. But it’s a good opportunity to talk about the state of state-sponsored hacking, and to offer a reminder that the United States is just as active in this space as the next government.

    In fact, subs represent an important component of America’s cyber strategy. They act defensively to protect themselves and the country from digital attack, but — more interestingly — they also have a role to play in carrying out cyberattacks, according to two U.S. Navy officials at a recent Washington conference.

    “There is a — an offensive capability that we are, that we prize very highly,” said Rear Adm. Michael Jabaley, the U.S. Navy’s program executive officer for submarines.

    The so-called “silent service” has a long history of using information technology to gain an edge on America’s rivals. In the 1970s, the U.S. government instructed its submarines to tap undersea communications cables off the Russian coast, recording the messages being relayed back and forth between Soviet forces.

    It’s unclear how far behind — or ahead — other navies may be when it comes to submarine-based cyber offense. Many of the cybersecurity and military experts we interviewed for this story had hardly heard of the Defense Department’s own undersea cyber capabilities.

    Reply
  50. Tomi Engdahl says:

    Privacy International:
    European Commission is preparing export regulations on cyber-surveillance technologies that could lead to human rights violations, leaked document shows

    Landmark changes to EU surveillance tech export policy proposed, leaked document shows
    https://www.privacyinternational.org/node/909

    This is an initial reaction by Privacy International to a leaked proposal by the European Commission specifically as it relates to surveillance technologies. A full analysis, including wider implications of the proposed changes, is forthcoming.

    The European Commission is proposing to amend the Dual Use regulation to control the export of surveillance technology on human rights grounds, a leaked copy of the proposal obtained by Euractiv shows.

    The landmark move comes after years of campaigning by European Parliamentarians, some EU member states, and human rights organisations, including Privacy International.

    The proposed Regulation, if approved, will be binding upon EU member states and controls their policies on exports of “dual use” goods – previously defined as those that have both a civilian and military application.

    The proposal suggests creating an entirely new section devoted to “cyber-surveillance technology” to be subject to restriction. At this stage, it only indicates what types of items “related to” broad categories of technology could be included within the definition of “cyber-surveillance technology”. A full control list, to be contained within a new annex with specific control language detailing what will actually be controlled as envisaged by the proposal, is not currently available.

    The proposed Regulation falls short on transparency. A key benefit of a licensing system for surveillance technology is that it compels transparency around the industry and market by providing data around exports.

    These essential transparency elements need to be included in any final Regulation.

    IT Security Research?

    PI sees the spread of technological tools for offensive purposes as a substantial threat to the right to privacy. They can be used by governments, and potentially private sector contractors, for internal repression by targeting devices and infrastructure. Further, the reach of these tools is not limited by geographic borders – purchased by one government it can then be used against individuals in other countries, including citizens of the countries who exported it. However, PI recognises the central role offensive tools play in producing defensive countermeasures to keep us all safe. As such, these technologies must not be controlled where they are exported for defensive purposes or where the purpose has not been determined.

    There has been rightly a significant level of concern over the impacts of export licencing regimes on security research and the impact it will have on the safety of our devices, networks and services.

    Reply
