Security trends for 2016

Here are my predictions for trends in information security and cyber security for year 2016.

Year 2015 was pretty bad for information security, and I would say that the trend is worrying. So I expect that 2016 will bring many information security challenges. If you want to keep yourself up at night, spend some time reading about the latest developments in cybersecurity. In 2015 airplanes were hacked, cars were hacked, and vulnerabilities were found in a breathtaking range of sensitive equipment, from TSA locks to voting booths to medical devices. The big picture is even scarier: former NSA Director Mike McConnell suspects China has hacked “every major corporation” in the US. Those problems will continue in 2016, and new targets for attacks will be found. The system is broken. It isn’t keeping us, our companies, or our government safe. Worse yet, no one seems to know how to fix it.

Attacks through networks are becoming more common all the time, and it will be hard to protect against targeted attacks. Hackers will not only customize malware; they will increasingly use sophisticated phishing and social engineering tricks to gain access to sensitive data. Attackers usually cover their tracks carefully, so identifying who is behind an attack can be very difficult. Behind targeted attacks are usually professional criminals. Criminals do not respect geographical borders, so attacks are spread evenly everywhere. Companies will struggle to absorb the security threats of combined PC and mobile device environments in 2016.


EU information security decisions made in late 2015 will have an impact on what comes in 2016: the new EU data protection legislation package was approved, and the EU Court of Justice ruled that the Safe Harbor procedure is invalid. This means that transfers of personal data from EU countries to the United States under Safe Harbor are a violation of law; you need some other agreement for them. The situation will probably get clarified during 2016. Data protection legislation changes will lead to increased fines for the unprepared. Legal uncertainty and big fines are a toxic cocktail for some companies. The combination of stiff penalties and ambiguously worded provisions in the new EU-wide data protection law, which would replace a patchwork of 28 national laws, raises daunting prospects for companies operating in Europe.

After the huge number of user information leaks in 2015 from all kinds of Internet services, cloud companies will face the challenge of earning trust in their security. You might have just dared to trust “the right cloud services”, since from the traditional information security point of view they seem to have the main things in order, but the leaks have raised new privacy concerns.

New environments will bring new threats. New operating system versions mean that administrators and users are less familiar with the environments. IPv6 will get more widely used, and the security of IPv6 networks is different from IPv4. Organizations are moving to virtualized environments, which are complex and create network layers that can become an attack vector. Growing network virtualization functionality and programmability are both an opportunity and a threat to security. Cyber security research will be important in 2016, as 5G networks will be critical infrastructure on top of which, for example, transport, industry, health and the new operators will set up their business around 2020.

The huge amount of information security information is becoming harder and harder to manage in 2016. A key problem with security revelations, as with all other news coverage, is the exponential growth of knowledge. There are a variety of news summaries produced on a daily basis, but they are not enough to get a good picture of what is happening. There are bigger and smaller news items, the impact of which is at times very difficult to assess. SMBs will become a bigger target for cybercriminals. Network and security professionals continue to be among the toughest IT talent to find and hire.

The old way of network security, focused on perimeter defense, is not enough in 2016. The old mantras “encrypt everything” and “secure the perimeter” are not enough. One deceptive truth seems to drive much of the cybersecurity industry down a rabbit hole: if you keep bad actors and bad software out of your system, you have nothing to worry about. It does not work like that anymore. As perimeter security gets stronger, malicious actors are looking for easier entry points to compromise an organisation through the breadth of its digital attack surface. Now malicious actors target “endpoints”, any device or sensor connected to a network, to break into that network. Traditional sandboxing will no longer protect against the growing malware landscape. Today, most private networks have far too many endpoints to properly secure. In an age of “Bring Your Own Device”, the cloud, remote access, and the Internet of Things, there are too many vulnerabilities hackers can exploit. Keep in mind that everything connected to the Internet can, and will, be hacked. To address those threats in 2016, security experts should assume compromise, that hackers and malware already have breached their defenses or soon will, and instead classify and mitigate threats. In addition to the public key infrastructure lock-and-key system, you will also need an integrity solution that acts like an alarm. To protect against advanced threats, security professionals will increase their reliance on centralized security management solutions. You need to have prioritization and response plans for various kinds of breaches, with a strong focus on integrity.

Tension between law enforcement and Silicon Valley will continue to be strong throughout 2016. In 2015 law enforcement and politicians on both sides of the Atlantic lined up to repeatedly complain that the web was “going dark” as the result of end-to-end encryption and that this was hampering the investigation of terrorism and other serious crimes. Technologists and cryptographers argue that governments are trying to weaken encryption by demanding some form of privileged access for government. It’s not clear how much encryption the NSA can break. With renewed focus on how encrypted messages can be used to plot terrorist attacks, President Barack Obama’s administration is stepping up pressure on the tech sector to help in the battle. Privacy remains a major counter-argument. It seems that governments lie about encryption backdoors. Encryption systems weakened by mandated backdoors would not be effective in fighting the terrorists that governments invoke as their reason for wanting those backdoors in the first place.

But this does not stop some government officials from demanding such a thing, with varying success in different countries. Another fact is that the existence of coded communications is a reality, and the U.S. may not be able to do much about it because nearly everyone living in modern society uses it: encryption protects your bank information, prevents your password from being stolen when you log into a website, and allows all e-commerce transactions to take place securely. Encryption weakened by mandated backdoors would put all of us at an enormous risk of exposure from data breaches and associated online risks. The truth in 2016 is that any form of privileged access for government, i.e. a backdoor, would inevitably weaken crypto-systems and make them more vulnerable to attacks by foreign governments’ intelligence agencies as well as criminals. Juniper’s VPN security hole is proof that government backdoors are bonkers. Encryption backdoors would be a gleeful win-win for terrorists and a horrific lose-lose for you: the bad guys having strong protections for their data, and the rest of us not. Poorly thought-out and crude surveillance techniques could have a devastating effect on a country’s internet security; for example, Kazakhstan will force its citizens to install internet backdoors by requiring all Internet users to install a state-issued root certificate by January 1, 2016.

Google, Mozilla and Microsoft are pushing for an early SHA-1 cutoff that could happen in 2016 instead of the earlier planned January 1, 2017, due to recent research showing that SHA-1 is weaker than previously believed, because it has been cracked without enormous effort. Mozilla, Microsoft and now Google are all considering bringing the deadline forward by six months to July 1, 2016. SHA-2 is going to be used as the replacement function for SHA-1. Websites like Facebook and those protected by CloudFlare have implemented a SHA-1 fallback mechanism for those clients that do not support SHA-2. Chrome will start displaying errors if SHA-1 certificates are employed in early 2016 and will completely stop supporting SHA-1 certificates at the end of 2016.
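The practical check behind this paragraph is finding which of your certificates are still SHA-1-signed and will outlive the cutoff. The script below is an added example (not from the original post): a small standard-library DER walker reads the signatureAlgorithm OID and the notAfter date from a DER-encoded certificate and classifies it against an assumed July 1, 2016 cutoff. The sample input is a constructed stand-in built by the included mini DER encoder, not a real certificate.

```python
import datetime as dt

# Signature-algorithm OIDs (dotted form) that browsers treated as SHA-1 in 2016.
SHA1_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10040.4.3": "dsa-with-sha1",
}
# Assumed cutoff, taken from the text: the vendors discussed pulling the SHA-1
# deadline forward to July 1, 2016.
SHA1_CUTOFF = dt.date(2016, 7, 1)


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Split the body of a DER SEQUENCE into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        out.append((tag, val))
    return out


def _decode_oid(raw):
    """Turn DER OID bytes into dotted notation (base-128 arcs, first byte = 40*a+b)."""
    arcs, acc = [], 0
    for b in raw:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(x) for x in [arcs[0] // 40, arcs[0] % 40] + arcs[1:])


def inspect_certificate(der):
    """Return (signature OID, notAfter date) from a DER-encoded X.509 certificate."""
    _, cert, _ = _read_tlv(der, 0)                  # Certificate ::= SEQUENCE
    tbs, sig_alg = _children(cert)[:2]              # tbsCertificate, signatureAlgorithm
    oid = _decode_oid(_children(sig_alg[1])[0][1])  # AlgorithmIdentifier.algorithm
    fields = _children(tbs[1])
    if fields[0][0] == 0xA0:                        # optional [0] EXPLICIT version
        fields = fields[1:]
    validity = fields[3]                            # serial, signature, issuer, validity
    not_after = _children(validity[1])[1][1].decode("ascii")
    # Assumes UTCTime (YYMMDDHHMMSSZ); RFC 5280 maps YY 50-99 to 19xx, else 20xx.
    year = int(not_after[:2])
    year += 1900 if year >= 50 else 2000
    return oid, dt.date(year, int(not_after[2:4]), int(not_after[4:6]))


def sha1_risk(der, cutoff=SHA1_CUTOFF):
    """Classify: 'ok', 'sha1-expires-before-cutoff' or 'sha1-past-cutoff' (must be replaced)."""
    oid, not_after = inspect_certificate(der)
    if oid not in SHA1_SIGNATURE_OIDS:
        return "ok"
    return "sha1-past-cutoff" if not_after >= cutoff else "sha1-expires-before-cutoff"


# --- constructed sample input: a minimal DER encoder builds a stand-in "certificate"
# --- with the right shape; it carries no real key, issuer or signature.
def _tlv(tag, body):
    assert len(body) < 0x80                          # short-form length suffices here
    return bytes([tag, len(body)]) + body


def build_fake_cert(sig_oid_bytes, not_after_utc):
    """Assemble just enough X.509 structure for inspect_certificate() to walk."""
    alg = _tlv(0x30, _tlv(0x06, sig_oid_bytes) + b"\x05\x00")   # AlgorithmIdentifier
    validity = _tlv(0x30, _tlv(0x17, b"160101000000Z") + _tlv(0x17, not_after_utc))
    tbs = _tlv(0x30, _tlv(0x02, b"\x01") + alg + _tlv(0x30, b"") + validity + _tlv(0x30, b""))
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00"))


SHA1_RSA = bytes.fromhex("2a864886f70d010105")      # 1.2.840.113549.1.1.5
SHA256_RSA = bytes.fromhex("2a864886f70d01010b")    # 1.2.840.113549.1.1.11

if __name__ == "__main__":
    samples = [
        ("sha1, expires 2017-01-01", build_fake_cert(SHA1_RSA, b"170101000000Z")),
        ("sha1, expires 2016-03-01", build_fake_cert(SHA1_RSA, b"160301000000Z")),
        ("sha256, expires 2017-01-01", build_fake_cert(SHA256_RSA, b"170101000000Z")),
    ]
    for label, cert in samples:
        print(f"{label:28s} -> {sha1_risk(cert)}")
```

On a real DER certificate (for example one saved from a browser) the same `inspect_certificate()` call works as long as notAfter is a UTCTime; certificates valid past 2049 use GeneralizedTime and would need the date parser extended.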

The use of blockchain technology, a permissionless distributed database based on the bitcoin protocol that runs across a global network of independent computers, will get used more widely than just for Bitcoin virtual money. With bitcoin, the blockchain tracks the exchange of money. But it can also track the exchange of anything else that holds value, including stocks, bonds, and other financial securities. Overstock has already used the blockchain to issue private bonds. The Securities and Exchange Commission has approved a plan from online retailer Overstock.com to issue company stock via the Internet, signaling a significant shift in the way financial securities will be distributed and traded in the years to come. Overstock built its technology under the aegis of a subsidiary called TØ.com, and it plans to offer this “cryptosecurity” tech as a service to other businesses. Nasdaq OMX, the company behind the Nasdaq stock exchange, is using the blockchain to oversee the exchange of private stock. Also, several major companies from across both the technology and financial industries, including IBM, Intel, and Cisco as well as the London Stock Exchange Group and big-name banks JP Morgan, Wells Fargo, and State Street, have joined forces with the Linux Foundation to create an alternative to the blockchain.

The use of disk encryption will increase, and there are different ways to do it with different security levels. With Windows 10, Microsoft has introduced disk encryption where the recovery keys are uploaded to Microsoft. This approach has some advantages and disadvantages. The gold standard in disk encryption is end-to-end encryption, where only you can unlock your disk. This is what most companies use, and it seems to work well. It protects data in case your device is lost or stolen. But what if you forget or lose your key? There are certainly cases where it’s helpful to have a backup of your key or password, so keeping a backup of your recovery key in your Microsoft account could be genuinely useful for probably the majority of users that don’t have high security needs. The disadvantage of this approach is that your computer is now only as secure as that database of keys held by Microsoft, which means it may be vulnerable to hackers, foreign governments, and people who can extort Microsoft employees.


Weak and leaked passwords are still a huge security problem in 2016. Passwords are often the weakest part when it comes to securing users’ accounts, as many don’t use complex passwords or they reuse the same password across services. Two-factor authentication, like using a USB stick with a secret token or entering a code sent via text message to your phone, can help to increase security, but many users also find this to be a hassle, as it introduces an additional step to the login process.

Google has begun testing a login system that uses phone notifications for authentication instead of passwords: users authenticate by responding to a notification sent to their smartphone. The idea is similar to Yahoo’s recently launched “Account Key”, which also offers a password-free means of signing in, involving a push notification sent to your phone that then opens an app where you approve the log-in.

Smartphones will become a more and more security-critical part of your life. “Increasingly, individuals and organisations are adopting password managers and multi-factor authentication technologies to plug some of the holes in password-based authentication. We foresee a world where practically everyone uses their smartphone as a multi-factor authentication element. In this world, the smartphone becomes your most valuable asset: something that enables you to unlock your life online and a target for attackers seeking to access your services.”

Expect that the number of mobile vulnerabilities will only grow in 2016. In 2016 we will see increasing numbers of cyber criminals using mobile applications to spread malware. Mobile presents an easy target for cyber criminals, because it is an attack surface that is open and extremely difficult to defend once an app has been released. Android threats will become more than just headline-grabbers. Will 2016 be the year iOS malware goes mainstream?


Critical infrastructures will be highly targeted in 2015. SCADA and ICS networks were not designed for security. Attacks against these systems have increased in recent years, and I expect this trend to only get worse. There are still many companies that run their critical systems on Windows XP, as “there are some people who don’t have an option to change.” Many times the OS is running in automation and process control systems that run business- and mission-critical systems, both in private sector and government enterprises. For example, the US Navy is using the obsolete operating system Microsoft Windows XP to run critical tasks. It all comes down to money and resources, but if someone is obliged to keep something running on an obsolete system, it’s completely the wrong approach to information security.

Cars were hacked at a record rate in 2015, and they will be hacked at least at the same rate in 2016. Modern cars are featuring more gadgetry and connected systems, and this will make vehicles just as vulnerable to today’s threats and attacks. I Am The Cavalry has published a Five Star Cyber Safety Framework to mitigate this threat in cars; hopefully car component makers will study it.

IoT and smart devices are still at risk. The Internet of Things will continue to emerge, and businesses will need to think about how to protect their smart devices and prepare for the wider adoption of IoT. IoT platforms are not yet the weapon of choice for commercial malware authors, but businesses should beware. Wearables won’t be safe either, as they are built using largely the same, too often vulnerable, technologies as other IoT systems. IoT security is still in its infancy in 2016.

Cyber criminals became more active in 2015, particularly in ransomware. The ransomware problem will continue to be big in 2016. Commercial malware authors will continue to invest heavily, and exploit kits will continue to dominate on the web. Ransomware today is big business. Ransomware takes control of a computer and holds it hostage until the victim pays, usually in the digital currency Bitcoin. As a remedy against ransomware, I recommend making sure that your IT support or service provider has the data backup and restore procedure operational, practised and tested. You may need it in 2016 to get your data back without considering paying criminals. To date ransomware has hit Windows users hardest, although Android and MacOS users are now also facing similar extortion.

Ransomware will continue to dominate in 2016, and it is only a question of time before we see things beyond data being ransomed. We have already seen websites being held to ransom with DDoS. Intel’s McAfee Labs also noted a huge spike in ransomware in early 2015, and worries about ransomware in the IoT space, including medical devices. And Kaspersky predicts the “nightmare of ransomware” to continue and “spread to new frontiers” in 2016. The article Ransomware Is Coming to Medical Devices tells that, according to a report released recently by Forrester Research, the number one cybersecurity prediction for 2016 is: “We’ll see ransomware for a medical device or wearable.” “It’s definitely feasible from a technical standpoint.” Networked medical devices save lives. Despite the hacking risk, it’s an informed trade-off. Medical device ransomware would be a modern form of highway robbery with lives at stake.

2,232 Comments

  1. Tomi Engdahl says:

    Fred Wilson / AVC:
    Blockchain technology and crypto-tokens enable new business models for creating open protocols, financed by the tokens protocol creators retain at launch

    The Golden Age Of Open Protocols
    http://avc.com/2016/07/the-golden-age-of-open-protocols/

    Open protocols are at the heart of many of the most important systems that we have. The Internet works because of TCP/IP. The web works because of HTTP. Email works because of SMTP. These are open systems that developers can build applications on top of. There are plenty of proprietary protocols out there too. But proprietary protocols tend to lock in users and drive value to the owners of the proprietary protocol, like Microsoft, Apple, Google, etc.

    This is super important because the more open protocols we have, the more open systems we will have.

    But, as I have said many times here at AVC, I believe that business model innovation is more disruptive that technological innovation.

  2. Tomi Engdahl says:

    Jonathan Vanian / Fortune:
    Cisco cybersecurity report: 9.5K ransomware victims pay ransoms each month, the average ransom is about $300, generating up to $34M a year for hackers

    5 Takeaways From Cisco’s Big Cybersecurity Report
    http://fortune.com/2016/07/29/cisco-cyber-security-report/

    1. Hackers love ransomware
    2. Adobe Flash is still bad for cybersecurity
    3. Hackers are setting up shop in abandoned WordPress websites
    4. Companies with old, outdated technology are at risk of attacks
    5. Security teams are losing their confidence

  3. Tomi Engdahl says:

    Kim Zetter / The Intercept:
    Sarah and Peiter “Mudge” Zatko create Cyber Independent Testing Lab to test and score the security of software

    A Famed Hacker Is Grading Thousands of Programs — and May Revolutionize Software in the Process
    https://theintercept.com/2016/07/29/a-famed-hacker-is-grading-thousands-of-programs-and-may-revolutionize-software-in-the-process/

    At the Black Hat cybersecurity conference in 2014, industry luminary Dan Geer, fed up with the prevalence of vulnerabilities in digital code, made a modest proposal: Software companies should either make their products open source so buyers can see what they’re getting and tweak what they don’t like, or suffer the consequences if their software failed. He likened it to the ancient Code of Hammurabi, which says that if a builder poorly constructs a house and the house collapses and kills its owner, the builder should be put to death.

    No one is suggesting putting sloppy programmers to death, but holding software companies liable for defective programs, and nullifying licensing clauses that have effectively disclaimed such liability, may make sense, given the increasing prevalence of online breaches.

  4. Tomi Engdahl says:

    Bruce Schneier / Motherboard:
    How the rise of the Internet of Things threatens to make it much easier for cyberattacks to cause damage in the real world

    The Internet of Things Will Turn Large-Scale Hacks into Real World Disasters
    http://motherboard.vice.com/read/the-internet-of-things-will-cause-the-first-ever-large-scale-internet-disaster

    Disaster stories involving the Internet of Things are all the rage. They feature cars (both driven and driverless), the power grid, dams, and tunnel ventilation systems. A particularly vivid and realistic one, near-future fiction published last month in New York Magazine, described a cyberattack on New York that involved hacking of cars, the water system, hospitals, elevators, and the power grid. In these stories, thousands of people die. Chaos ensues. While some of these scenarios overhype the mass destruction, the individual risks are all real. And traditional computer and network security isn’t prepared to deal with them.

    Classic information security is a triad: confidentiality, integrity, and availability. You’ll see it called “CIA,” which admittedly is confusing in the context of national security. But basically, the three things I can do with your data are steal it (confidentiality), modify it (integrity), or prevent you from getting it (availability).

    The next president will probably be forced to deal with a large-scale internet disaster that kills multiple people.

    So far, internet threats have largely been about confidentiality. These can be expensive; one survey estimated that data breaches cost an average of $3.8 million each. T

    On the Internet of Things, integrity and availability threats are much worse than confidentiality threats. It’s one thing if your smart door lock can be eavesdropped upon to know who is home.

    With the advent of the Internet of Things and cyber-physical systems in general, we’ve given the internet hands and feet: the ability to directly affect the physical world. What used to be attacks against data and information have become attacks against flesh, steel, and concrete.

    The increased risks come from three things: software control of systems, interconnections between systems, and automatic or autonomous systems. Let’s look at them in turn:

    Software Control. The Internet of Things is a result of everything turning into a computer. This gives us enormous power and flexibility, but it brings insecurities with it as well.

    Interconnections. As these systems become interconnected, vulnerabilities in one lead to attacks against others.

    Autonomy. Increasingly, our computer systems are autonomous.

    The Internet of Things will allow for attacks we can’t even imagine.

    We’re building systems that are increasingly powerful, and increasingly useful. The necessary side effect is that they are increasingly dangerous. A single vulnerability forced Chrysler to recall 1.4 million vehicles in 2015.

    We’re used to computers being attacked at scale—think of the large-scale virus infections from the last decade—but we’re not prepared for this happening to everything else in our world.

    With the advent of the Internet of Things and cyber-physical systems in general, we’ve given the internet hands and feet: the ability to directly affect the physical world.

  5. Tomi Engdahl says:

    Vlad’s glad —
    Russian spies claim they can now collect crypto keys—but don’t say how
    Putin gave KGB’s successor two weeks to find a way to deal with encrypted services.
    http://arstechnica.co.uk/tech-policy/2016/08/russian-spies-say-they-are-able-to-collect-crypto-keys-but-dont-say-how/

    Russia’s intelligence agency the FSB, successor to the KGB, has posted a notice on its website claiming that it now has the ability to collect crypto keys for Internet services that use encryption. This meets a two-week deadline given by Vladimir Putin to the FSB to develop such a capability. However, no details have been provided of how the FSB is able to do this.

    The FSB’s announcement follows the passage of Russia’s wide-ranging surveillance law, which calls for metadata and content to be stored for six months, plus access to encrypted services, as Ars reported back in June.

    The new capability seems to go even further, since the FSB notice (in Russian) speaks of obtaining the “information necessary for decoding the electronic messaging received, sent, delivered, and (or) processed by users of the ‘Internet’ network.

  6. Tomi Engdahl says:

    Bitcoin Sinks After Hackers Steal $65 Million From Exchange
    http://www.bloomberg.com/news/articles/2016-08-03/bitcoin-plunges-after-hackers-breach-h-k-exchange-steal-coins

    Hong Kong-based Bitfinex halts trading, deposits, withdrawals
    Digital currency is down almost 20 percent this week

    Bitcoin plunged after one of the largest exchanges halted trading because hackers stole about $65 million of the digital currency.

    “Yes – it is a large breach,”

    Bitfinex confirmed in a message to Bloomberg News on Wednesday that the hackers took 119,756 bitcoin, or about $65 million at current prices. More than $1.5 billion has been wiped out from bitcoin’s market capitalization this week, according to research from CoinDesk.

    The Hong Kong exchange was the largest for U.S. dollar-denominated transactions over the past month

  7. Tomi Engdahl says:

    Joseph Cox / Motherboard:
    Hacker known as Peace is selling a dump of alleged user credentials for 200M+ Yahoo accounts from 2012 for 3 BTC; Yahoo is investigating — A notorious cybercriminal is advertising 200 million of alleged Yahoo user credentials on the dark web, and the company has said it is “aware” …

    Yahoo ‘Aware’ Hacker Is Advertising 200 Million Supposed Accounts on Dark Web
    http://motherboard.vice.com/read/yahoo-supposed-data-breach-200-million-credentials-dark-web

    A notorious cybercriminal is advertising 200 million of alleged Yahoo user credentials on the dark web, and the company has said it is “aware” of the hacker’s claims, but has not confirmed nor denied the legitimacy of the data.

    According to a sample of the data, it contains usernames, hashed passwords (created with md5 algorithm), dates of birth, and in some cases back-up email addresses. The data is being sold for 3 bitcoins, or around $1,860, and supposedly contains 200 million records from “2012 most likely,” according to Peace. Until Yahoo confirms a breach, however, or the full dataset is released for verification, it is possible that the data is collated and repackaged from other major data leaks.

  8. Tomi Engdahl says:

    YouTube is now 97% encrypted so you can watch your cat videos in peace
    http://thenextweb.com/google/2016/08/01/youtube-now-97-encrypted-can-watch-cat-videos-peace/

    In a blog post, YouTube today announced that its video service is now 97 percent encrypted.

    The company blames not being at 100 percent on some devices being unable to support modern HTTPS, and it hopes to “phase out insecure connections” over time. How long that’ll take remains a mystery, but given that it was at 77 percent in November 2014, full encryption shouldn’t be too far from the future.

    HTTPS is important in services like video streaming because it can protect users from hackers planting malware via insecure connections.

    YouTube’s road to HTTPS
    https://youtube-eng.blogspot.se/2016/08/youtubes-road-to-https.html

    We’re proud to announce that in the last two years, we steadily rolled out encryption using HTTPS to 97 percent of YouTube’s traffic.

    We’re also proud to be using HTTP Secure Transport Security (HSTS) on youtube.com to cut down on HTTP to HTTPS redirects. This improves both security and latency for end users. Our HSTS lifetime is one year, and we hope to preload this soon in web browsers.

    97 percent is pretty good, but why isn’t YouTube at 100 percent? In short, some devices do not fully support modern HTTPS.

    In the real world, we know that any non-secure HTTP traffic could be vulnerable to attackers. All websites and apps should be protected with HTTPS

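The YouTube post above mentions a one-year HSTS lifetime and the intent to get the site preloaded in browsers. As an added example (not code from YouTube or the post), the script below extracts a Strict-Transport-Security header from a raw HTTPS response, parses its directives, and reports what would block a preload submission. The minimum max-age, includeSubDomains and preload requirements are assumptions based on the public preload rules as I know them, and the responses are constructed samples.

```python
# Assumed thresholds: the public HSTS preload submission rules as I know them
# (max-age of at least one year, includeSubDomains, and the preload token).
PRELOAD_MIN_AGE = 31536000  # seconds in one year


def sts_header_from_response(raw_response, over_https):
    """Pull the Strict-Transport-Security value out of a raw HTTP response.

    Per RFC 6797 a browser must ignore the header when it arrives over plain
    HTTP, so over_https=False returns None even if the header is present.
    """
    if not over_https:
        return None
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:              # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "strict-transport-security":
            return value.strip()
    return None


def parse_hsts(header):
    """Split an STS value into {directive: value-or-None}; None if malformed.

    Directive names are case-insensitive; max-age is mandatory and numeric.
    """
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"') or None
    if not (directives.get("max-age") or "").isdigit():
        return None
    return directives


def hsts_findings(header, preload_min_age=PRELOAD_MIN_AGE):
    """Return a list of problems; an empty list means the policy is preload-ready."""
    d = parse_hsts(header)
    if d is None:
        return ["max-age directive missing or not a number"]
    problems = []
    max_age = int(d["max-age"])
    if max_age == 0:
        problems.append("max-age=0 withdraws HSTS entirely")
    elif max_age < preload_min_age:
        problems.append(f"max-age {max_age}s is below the {preload_min_age}s preload minimum")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains missing: subdomains remain reachable over HTTP")
    if "preload" not in d:
        problems.append("preload token missing: the site cannot be submitted to the preload list")
    return problems


# Constructed sample responses (not captured from youtube.com).
SAMPLE_HTTPS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload\r\n"
    "\r\n<html></html>"
)
SAMPLE_ONE_YEAR_ONLY = "max-age=31536000"              # the lifetime the post describes
SAMPLE_SHORT = "max-age=86400; includeSubDomains"
SAMPLE_BROKEN = "includeSubDomains; preload"           # no max-age at all

if __name__ == "__main__":
    hdr = sts_header_from_response(SAMPLE_HTTPS_RESPONSE, over_https=True)
    for label, value in [("https response", hdr), ("one year only", SAMPLE_ONE_YEAR_ONLY),
                         ("short lifetime", SAMPLE_SHORT), ("broken", SAMPLE_BROKEN)]:
        findings = hsts_findings(value) or ["OK: meets the assumed preload requirements"]
        print(label, "->", "; ".join(findings))
```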
  9. Tomi Engdahl says:

    Glassdoor sued by user whose email was ‘leaked’ instead of BCC’ed
    https://techcrunch.com/2016/08/01/glassdoor-sued-by-user-whose-email-was-leaked-instead-of-bcced/

    A little over a week ago, Glassdoor began emailing its users to let them know of an update to the site’s terms of service. But rather than BCC’ing its anonymous reviewers, Glassdoor dumped their email addresses into a regular ol’ CC field, effectively outing at least 600,000 members of the site.

    Now, one of those outed users is suing.

    Melissa Levine, a Los Angeles-based television researcher, filed a class-action lawsuit against Glassdoor today, claiming the employment review site violated state law by including her email address in the CC field and exposed her to potential retribution from her former employers.

    Glassdoor encourages employees to review their current and former employers anonymously — users can’t view other reviews without first adding their own.

    The email went out to approximately 2 percent of Glassdoor’s 30 million active monthly users and was sent in batches of 1,000 users at a time, so each user could see the email address of 999 other Glassdoor users.

    Glassdoor just raised a $40 million round in June and is valued at $1 billion. The terms of service update included a provision that forbids users from engaging in class action lawsuits

  10. Tomi Engdahl says:

    You think Donald Trump is insecure? Check out his online store
    Yuge security flaws, the best kind of security flaws, guaranteed incredible flaws
    http://www.theregister.co.uk/2016/08/01/donald_trump_store_insecure/

    Republican presidential nominee Donald Trump has been widely and repeatedly mocked for being thin-skinned; something not helped by his compulsive need to insult anyone who criticizes him.

    Despite being an alleged billionaire and having the backing of millions of supporters, it seems that those behind the official Trump site haven’t grasped basic web security.

    What you won’t find, however, is an HTTPS-secured connection.

    That’s right, despite having installed a valid SSL certificate for the main Donald Trump website and his donations sub-domain, for some reason the online store is happy to spill out all of your personal and credit card details in plain text across the internet via good old HTTP.

    For a man who has made great play over the alleged lack of security around Hillary Clinton’s private email server, you would expect a little more protection for those souls who want to pay a billionaire more money

    And before you ask, yes, Hillary Clinton also has an online store, and yes, it is secure.

    Updated to add at 2235 UTC

    Trump’s store is now using HTTPS by default – albeit a mix of HTTP and HTTPS,

  11. Tomi Engdahl says:

    Fun fact of the day: Network routers are illegal in Japan
    http://www.theregister.co.uk/2016/08/02/routers_are_illegal_in_japan/

    under a very Japanese rule, the ability of electronic equipment to read a packet header both violates the law and “seems not illegal.”

    Of course, routers (and switches, and network management tools, and content blocking) can’t actually function properly without reading packet headers in order to properly direct them, so that process is seen as being a “reasonable act.”

    As such, Ogawa explains, it “violates the law, but seems not illegal.”

    Routers and switches violate Japanese law, but seems not illegal
    https://blog.apnic.net/2016/08/02/routers-switches-violate-japanese-law-not-illegal/

    It’s well known that without reading the packet header, routers cannot forward packets.

    In Japan, however, when an ISP’s router reads an IP header field to forward packets, it violates the Secrecy of Communications legislation. Although this necessary requirement of Internet communication is theoretically violating the law, at the same time, it does not seem to be illegal.

    The Japanese Constitution (Article 21) and the Telecommunications Business Act (Article 4) include “Preservation of Secrecy”.

    The “interpretation” of the law

    This, “violates the law, but seems not illegal” interpretation can be seen in many places in the management of the Internet in Japan.

    It is used to justify various ISP operations, for example; bandwidth control (legitimate act), traffic classification (legitimate act), and child porn blocking (to prevent harm from exposure to content).

    Some of the “interpretations” of the law are compiled as guidelines.

    Reply
  12. Tomi Engdahl says:

    Kaminsky: The internet is germ-ridden and it’s time to sterilize it
    Three pieces of tech to make computing safer
    http://www.theregister.co.uk/2016/08/03/kaminsky_its_time_to_sterilize_the_internet/

    Black Hat Dan Kaminsky, the savior of DNS and chief scientist for White Ops, has used the opening keynote of Black Hat 2016 to outline three technologies he has been working on that could make working online a lot safer – if they are adopted.

    First, and most importantly, Kaminsky has been developing a micro-sandboxing system that spins up small virtual machines (VMs) to carry out sensitive tasks, limiting their ability to infect other parts of the system.

    Reply
  13. Tomi Engdahl says:

    Two first-gen flaws carried over to HTTP/2, warn security bods
    Quartet of weaknesses include ancient vuln from 2009
    http://www.theregister.co.uk/2016/08/03/http2_flaws/

    Security researchers have unearthed four high-profile vulnerabilities in HTTP/2, a new version of the protocol.

    HTTP/2 introduces new mechanisms that effectively increase the attack surface of business critical web infrastructure, according to a study by researchers at data centre security vendor Imperva and released at the Black Hat conference on Wednesday.

    Imperva’s researchers took an in-depth look at HTTP/2 server implementations from Apache, Microsoft, NGINX, Jetty, and nghttp2.

    Reply
  14. Tomi Engdahl says:

    Microsoft Live Account Credentials Leaking From Windows 8 And Above
    http://hackaday.com/2016/08/02/microsoft-live-account-credentials-leaking-from-windows-8-and-above/

    Discovered in 1997 by Aaron Spangler and never fixed, the WinNT/Win95 Automatic Authentication Vulnerability (IE Bug #4) is certainly an excellent vintage. In Windows 8 and 10, the same bug has now been found to potentially leak the user’s Microsoft Live account login and (hashed) password information, which is also used to access OneDrive, Outlook, Office, Mobile, Bing, Xbox Live, MSN and Skype (if used with a Microsoft account).

    The bug itself seems to be present in all Windows systems since Windows 95 / NT, although only Windows 8 and above are effectively compromised.

    Security Issue in Windows leaks Login Data
    Perfect Privacy, 1 August 2016
    https://www.perfect-privacy.com/blog/2016/08/01/security-issue-in-windows-leaks-login-data/

    Basically this attack can compromise any service the user signed up with his Microsoft account. If the computer is set up to allow remote logins, this also allows remote code execution.

    We were notified of this issue by ValdikSS from the Russian provider ProstoVPN who has more information about this issue at his blog.

    To trigger this leak, the attacker needs to set up a network share and trick the victim into visiting any IP address of that share. This can be done by simply embedding an image into a Website if the victim uses Internet Explorer or Edge (Chrome and Firefox are not affected). However, another possibility is embedding the network share into an email. If the victim uses Microsoft Outlook, this will also leak his login credentials.

    More specifically, a successful attack leaks the login name and the NTLM hash of the password and Windows domain.

    While this is not a VPN related issue, it also affects VPN connections: When using an IPSec VPN connection, a successful attack will not reveal your Windows credentials but the username and password of your VPN connection.

    Mitigation:

    Do not use Microsoft software that is accessing network shares over the internet (such as Internet Explorer, Edge or Outlook)
    Do not use a Microsoft login for your local Windows machine

    Reply
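The leak described in the post above only completes if the victim’s machine can actually reach a share outside the network, so the first thing a defender checks is whether any internal host is connecting (or trying to connect) on the SMB/NetBIOS session ports to a non-RFC 1918 address. The following is an added example, not code from Perfect Privacy or this blog: it scans constructed firewall log lines in a hypothetical key=value format, assuming TCP 445 and 139 as the share ports and the three RFC 1918 ranges as “internal”.

```python
"""Flag outbound SMB/NetBIOS session traffic to non-RFC 1918 destinations in firewall logs."""
import ipaddress
from typing import Dict, List, Optional

# TCP ports a Windows client uses to reach a network share (SMB direct and NetBIOS session).
SHARE_PORTS = {"445", "139"}

# RFC 1918 ranges, checked explicitly rather than via ip.is_private so that the
# documentation ranges used in the sample below (203.0.113.x, 198.51.100.x) count as external.
INTERNAL_NETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Constructed log lines in a hypothetical key=value export format (not from any real device).
SAMPLE_LOG = """\
ts=2016-08-02T09:14:03Z src=10.1.20.15 dst=10.1.0.7 proto=tcp dport=445 action=allow
ts=2016-08-02T09:14:09Z src=10.1.20.15 dst=203.0.113.42 proto=tcp dport=445 action=allow
ts=2016-08-02T09:14:10Z src=10.1.20.15 dst=203.0.113.42 proto=tcp dport=443 action=allow
ts=2016-08-02T09:15:30Z src=10.1.20.22 dst=198.51.100.9 proto=tcp dport=139 action=deny
ts=2016-08-02T09:16:01Z src=10.1.20.22 dst=192.168.5.5 proto=tcp dport=139 action=allow
ts=2016-08-02T09:16:44Z heartbeat from collector
ts=2016-08-02T09:17:12Z src=10.1.20.31 dst=203.0.113.42 proto=udp dport=137 action=allow
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split a key=value line into a dict; None if any required field is missing."""
    fields: Dict[str, str] = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    required = ("ts", "src", "dst", "proto", "dport", "action")
    return fields if all(k in fields for k in required) else None


def is_internal(addr: str) -> bool:
    """True for RFC 1918 addresses; a malformed address is treated as external."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def find_external_share_access(log_text: str) -> List[Dict[str, str]]:
    """Return TCP share-port connections (allowed or denied) whose destination is external.

    Denied attempts are kept on purpose: the attempt itself shows a client was
    coaxed into reaching for a share outside the network, which is what to investigate.
    """
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # heartbeats and malformed lines
        if rec["proto"] != "tcp" or rec["dport"] not in SHARE_PORTS:
            continue
        if is_internal(rec["dst"]):
            continue  # file servers inside the network are expected traffic
        hits.append(rec)
    return hits


def offending_sources(log_text: str) -> Dict[str, int]:
    """Count external share attempts per source host, to order triage."""
    counts: Dict[str, int] = {}
    for rec in find_external_share_access(log_text):
        counts[rec["src"]] = counts.get(rec["src"], 0) + 1
    return counts


if __name__ == "__main__":
    for rec in find_external_share_access(SAMPLE_LOG):
        print(f"{rec['ts']} {rec['src']} -> {rec['dst']}:{rec['dport']} ({rec['action']})")
    print(offending_sources(SAMPLE_LOG))
```

Hosts that show up here should be checked for the mail client or browser that triggered the connection; blocking TCP 445 and 139 outbound at the perimeter stops the exchange before any hash leaves the network.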
  15. Tomi Engdahl says:

    Ingrid Lunden / TechCrunch:
    Dashlane and Google unveil OpenYOLO, an open-source API for apps to securely access passwords stored in password managers

    Dashlane, Google launch ‘OpenYOLO’, an API-based password project for Android apps
    https://techcrunch.com/2016/08/04/dashlane-google-launch-openyolo-an-api-based-password-project-for-android-apps/

    Password management is one of the key defences — or key weaknesses — when it comes to protecting your data and identity online, and today Dashlane — the digital wallet and password manager startup — announced that it has teamed up with Google to develop another route to trying to fix that. The two have unveiled OpenYOLO — not this YOLO, but short for “you only login once” — an open-source API project for app developers to access passwords stored in password managers, whichever one you happen to use.

    OpenYOLO will first target apps built for Android, but the hope is to include other platforms over time, “universal implementation by various apps and password managers across all platforms and operating systems,” Dashlane said in a separate release.

    Reply
  16. Tomi Engdahl says:

    ‘Pokemon Go’ and Five Security Requirements for Using Cloud Apps
    https://securityintelligence.com/pokemon-go-and-five-security-requirements-for-using-cloud-apps/?cm_mmc=Display_Taboola-_-IBM+Security_Secure+the+Cloud-_-WW_WW-_-18612658_Pokemon-IBM+Cloud&cm_mmca1=000000PI&cm_mmca2=10000499

    Five Lessons From ‘Pokemon Go’

    In the workplace, cloud apps such as “Pokemon Go” are wildly popular — and have been for a while. We all want to play, but CISOs must consider some general security requirements to be both efficient and safe.

    Here are five requirements from “Pokemon Go” that can be applied to adopting cloud apps in your organization.
    1. Visibility Is Essential
    2. Connectivity Matters
    3. Policies Must Be Enforced
    4. Have a Mobile Strategy
    5. Education Is the Best Defense

    Just Discovering Shadow IT Isn’t Enough to Improve a Company’s Cloud Security Posture
    https://securityintelligence.com/just-discovering-shadow-it-isnt-enough-to-improve-a-companys-cloud-security-posture/?cm_mmc=Display_Taboola-_-IBM+Security_Secure+the+Cloud-_-WW_WW-_-18612663_Shadow+IT-Dark+Cloud&cm_mmca1=000000PI&cm_mmca2=10000500

    Reply
  17. Tomi Engdahl says:

    2016 Gartner Magic Quadrant for IDaaS Names IBM a Visionary for Cloud Identity Service
    https://securityintelligence.com/2016-gartner-magic-quadrant-for-idaas-names-ibm-a-visionary-for-cloud-identity-service/

    Gartner’s 2016 Magic Quadrant for Identity and Access Management as a Service (IDaaS)[1] named IBM a Visionary for Cloud Identity Service for its innovative approach to cloud-based IAM technology, methodology and delivery.

    Can the cloud-based identity and access management (IAM) solution you choose today scale up to the challenges you encounter tomorrow?
    http://www-03.ibm.com/security/cloud/cloud-identity-service/?ce=ISM0484&ct=SWG&cmp=IBMSocial&cm=h&cr=Security&ccy=US

    Reply
  18. Tomi Engdahl says:

    Five Steps to Overcome Customer Authentication Chaos
    https://securityintelligence.com/events/five-steps-overcome-customer-authentication-chaos/

    As digital, mobile commerce crescendos, Identity and Access Management (IAM) techniques are key to providing a consistent, individualized experience, regardless of the device used or communications channel employed. Providing secure access from a trusted device was hard enough. Now customers control their device-of-choice, channel-of-choice and time-of-choice. It is important to develop and employ technologies that make authentication friction-free and pleasant.

    Opus Research has coined the term “Intelligent Authentication” (IAuth) to describe simple, secure and seamless ways to authenticate individuals and support digital commerce, including:

    Moving beyond “replacing passwords” for single sign-on
    Building apps with IAuth in mind: Communicate the importance of simple authentication to internal staff or third-party developers.
    Taking a multi-factor, multi-layered, risk-aware approach: Security experts tout the use of multiple authentication factors, applied in a multi-layered manner.
    Comparing existing standards (and quasi-standards): You know the old saying, “The nice thing about standards is that there are so many to choose from.”
    Minding the gaps: There are a number of open issues to tackle.

    Reply
  19. Tomi Engdahl says:

    Warren Strobel / Reuters:
    Sources: US is preparing to separate Pentagon’s Cyber Command from NSA and make it equal in stature to the combat branches like Central and Pacific commands

    Obama prepares to boost U.S. military’s cyber role: sources
    http://www.reuters.com/article/us-usa-cyber-idUSKCN10G254

    The Obama administration is preparing to elevate the stature of the Pentagon’s Cyber Command, signaling more emphasis on developing cyber weapons to deter attacks, punish intruders into U.S. networks and tackle adversaries such as Islamic State, current and former officials told Reuters.

    Under the plan being considered at the White House, the officials said, U.S. Cyber Command would become what the military calls a “unified command” equal to combat branches of the military such as the Central and Pacific Commands.

    Cyber Command would be separated from the National Security Agency, a spy agency responsible for electronic eavesdropping, the officials said.

    “Adapting to new functions will include changes in how we manage ourselves in cyberspace,”

    Reply
  20. Tomi Engdahl says:

    Zack Whittaker / ZDNet:
    New “Quadrooter” flaws affect 900M+ Android phones, could let malicious apps get root access

    ‘Quadrooter’ flaws affect over 900 million Android phones
    http://www.zdnet.com/article/quadrooter-security-flaws-affect-over-900-million-android-phones/

    All versions of Android are vulnerable to these flaws, which won’t be fully patched until the September security release next month.

    Four previously undisclosed security vulnerabilities found in Android phones and tablets that ship with Qualcomm chips could let a hacker take full control of an affected device.

    Almost a billion Android devices are affected by the “high” risk privilege escalation vulnerabilities, dubbed “Quadrooter,” say researchers at security firm Check Point.

    Adam Donenfeld, the firm’s lead mobile security researcher who found the flaws, explained the vulnerabilities in greater detail at the Def Con security conference on Sunday.

    An attacker would have to trick a user into installing a malicious app, which unlike some malware wouldn’t require any special permissions. (Most Android phones don’t allow the installation of third-party apps outside of the Google Play app store, but attackers have slipped malicious apps through the security cracks before.)

    One patch to come

    Check Point said most phone makers have devices that are vulnerable.

    Google’s Nexus 5X, Nexus 6, and Nexus 6P, HTC’s One M9 and HTC 10, and Samsung’s Galaxy S7 and S7 Edge are some of those named vulnerable to one or more of the flaws.

    Frustration at fragmentation

    Google confirmed that the fourth flaw will be fixed in the upcoming September update, due out a little after the start of next month.

    But because Qualcomm has already provided the code to partners, it’s possible that phone makers could issue patches to the individual devices sooner.

    “Qualcomm has a significant position in the development chain, in that a phone maker isn’t taking the Android open-source code directly from Google, they’re actually taking it from Qualcomm,” he said.

    “No-one at this point has a device that’s fully secure,” he said. “That basically relates to the fact that there is some kind of issue of who fixes what between Qualcomm and Google.”

    In other words, blame the complex, messy supply chain.

    Reply
  21. Tomi Engdahl says:

    Rich / Securosis Highlights:
    Apple’s bug bounty program is a good start, focuses on finding high-quality exploits in a few key areas on iOS and iCloud, will grow and evolve over time

    Thoughts on Apple’s Bug Bounty Program
    https://securosis.com/blog/thoughts-on-apples-bug-bounty-program

    It should surprise no one that Apple is writing their own playbook for bug bounties. Both bigger, with the largest potential payout I’m aware of, and smaller, focusing on a specific set of vulnerabilities with, for now, a limited number of researchers. Many, including myself, are definitely free to be surprised that Apple is launching a program at all. I never considered it a certainty, nor even necessarily something Apple had to do.

    Reply
  22. Tomi Engdahl says:

    Cade Metz / Wired:
    Inside DARPA’s first Cyber Grand Challenge, which pitted bot against bot to exploit security holes — Last night, at the Paris Hotel in Las Vegas, seven autonomous bots proved that hacking isn’t just for humans. — The Paris ballroom played host to the Darpa Cyber Grand Challenge …

    Hackers Don’t Have to Be Human Anymore. This Bot Battle Proves It
    http://www.wired.com/2016/08/security-bots-show-hacking-isnt-just-humans/

    Last night, at the Paris Hotel in Las Vegas, seven autonomous bots proved that hacking isn’t just for humans.

    The Paris ballroom played host to the Darpa Cyber Grand Challenge, the first hacking contest to pit bot against bot—rather than human against human. Designed by seven teams of security researchers from across academia and industry, the bots were asked to play offense and defense, fixing security holes in their own machines while exploiting holes in the machines of others. Their performance surprised and impressed some security veterans, including the organizers of this $55 million contest—and those who designed the bots.

    During the contest, which played out over a matter of hours, one bot proved it could find and exploit a particularly subtle security hole similar to one that plagued the world’s email systems a decade ago—the Crackaddr bug. Until yesterday, this seemed beyond the reach of anything other than a human. “That was astounding,” said Mike Walker, the veteran white-hat hacker who oversaw the contest. “Anybody who does vulnerability research will find that surprising.”

    In certain situations, the bots also showed remarkable speed, finding bugs far quicker than a human ever could. But at the same time, they proved that automated security is still very flawed.

    According to preliminary and unofficial results, the $2 million first place prize will go to Mayhem, a bot fashioned inside startup ForAllSecure, which grew out of research at Carnegie Mellon.

    The Challenge

    The problem, of course, is that software is littered with security holes. This is mostly because programmers are humans who make mistakes. Inevitably, they’ll let too much data into a memory register, allow outside code to run in the wrong place, or overlook some other tiny flaw in their own code that offers attackers a way in. Traditionally, we needed other humans—reverse engineers, white-hat hackers—to find and patch these holes. But increasingly, security researchers are building automated systems that can work alongside these human protectors.

    As more and more devices and online services move into our everyday lives, we need this kind of bot.

    The idea wasn’t just for the contest to spur the development of the competing new security systems, but to inspire other engineers and entrepreneurs toward the same goal. “A Grand Challenge is about starting technology revolutions,”

    Held each year in Las Vegas, the Defcon security conference has long included a hacking contest called Capture the Flag. But last night’s contest wasn’t Capture the Flag. The contestants were machines, not humans. And with its Tron-like visualization

    Rematch with the Past

    The seven teams loaded their autonomous systems onto the seven supercomputers late last week, and sometime Thursday morning, Darpa set the contest in motion. Each supercomputer launched software that no one outside Darpa had ever seen, and the seven bots looked for holes. Each bot aimed to patch the holes on its own machine, while working to prove it could exploit holes on others. Darpa awarded points not just for finding bugs, but for keeping services up and running.

    Reply
  23. Tomi Engdahl says:

    Joseph Cox / Motherboard:
    After losing in the UK, Privacy International takes its case against government’s bulk hacking powers abroad to the European Court of Human Rights

    Challenge Over UK Bulk Hacking Powers Taken to European Court of Human Rights
    http://motherboard.vice.com/read/challenge-over-uk-bulk-hacking-powers-taken-to-european-court-of-human-rights

    On Friday, activist group Privacy International and five internet and communications providers lodged an application before the European Court of Human Rights to challenge the UK’s use of bulk hacking powers abroad.

    “The European Court of Human Rights has a strong track record of ensuring that intelligence agencies act in compliance with human rights law. We call on the Court to hold GCHQ accountable for its unlawful bulk hacking practices,” Scarlet Kim, legal officer at Privacy International, said in a statement.

    Reply
  24. Tomi Engdahl says:

    Survey finds a third of employers prioritize productivity over safety
    http://www.controleng.com/single-article/survey-finds-a-third-of-employers-prioritize-productivity-over-safety/c69694d729227699562f51013660b7b4.html?OCVALIDATE&ocid=101781

    The National Safety Council released survey results showing 33% of the employees surveyed believe safety takes a backseat to productivity at their organizations.

    The National Safety Council released survey results showing 33% of the 2,000 employees surveyed across the nation believe safety takes a backseat to productivity at their organizations. The percentage was even higher among employees in high-risk industries.

    Sixty percent of respondents in the construction industry, and 52% of those working in agriculture, forestry, fishing and hunting, felt safety was less of a priority than finishing tasks. These findings are particularly alarming because those industries are at the top when it comes to the number of occupational deaths each year.

    “Every employee deserves a safe workplace,”

    Reply
  25. Tomi Engdahl says:

    Securing physical security
    http://www.controleng.com/single-article/securing-physical-security/386f1ff96e44c4c2090e1ebdda857e44.html?OCVALIDATE&ocid=101781

    Physical security is now intersecting with cybersecurity in information technology (IT) and operational technology (OT) environments and there is a greater need for cybersecurity awareness as interconnectivity increases.

    Physical security is now intersecting with cybersecurity in information technology (IT) and operational technology (OT) environments. The opportunities for physical security system manufacturers, integrators and end users to improve the cyber posture of their assets are growing.

    For the physical security industry, this was a great opportunity to learn about the cyber impacts of further integration into the Internet of Things (IoT), and how physical security connects with OT assets. The expo’s core theme was ‘Bridging the Gap between Cyber and Physical Security,’ which refers to the convergence of cyber and physical environments. ISC West presented a platform to educate the physical security audience about the emerging cybersecurity landscape in OT environments that have significant links to physical security systems.

    Physical, cybersecurity education

    In my keynote at the event, I mentioned educating professionals in the physical security industry about cybersecurity best practices is a key element to ensuring they contribute positively to the overall security posture of the organization they protect.

    Without adequate cyber protection to connected physical security systems protecting critical infrastructure, OT environments may end up exposed and vulnerable; every single connection and connected device is an entry point, an opportunity for a breach. As physical security practitioners remain concerned with maintaining control and protection of their assets, it is vital for them to understand the cyber-security threats that can arise with the increased implementation of connected physical security devices into their systems.

    Reply
  26. Tomi Engdahl says:

    Cybersecurity in manufacturing: How much is needed?
    http://www.controleng.com/single-article/cybersecurity-in-manufacturing-how-much-is-needed/17af9102a1473e7f8f452a1426b5c308.html?OCVALIDATE&ocid=101781

    The cybersecurity situation for manufacturing is changing as the scale of attacks on the manufacturing sector and proportional loss to businesses has demonstrated the necessity of secure integrated control systems.

    In your day-to-day routine, how focused are you on topics of cybersecurity? Do you follow exploits published by SANS, ICS-CERT, etc., and relish in unique zero-day findings? Or, do you passively hear of hacks on the news and think, “I’m glad that wasn’t my company.”

    For most of us, the answer would be the latter. However, the scale of attacks on the manufacturing sector and proportional loss to businesses in recent years has demonstrated the necessity of secure integrated control systems (ICSs).

    The constantly shifting threat landscape can be daunting to follow—and it shows—in fact, the 2016 Vormetric Data Threat Report states that, “64% of IT execs think achieving basic compliance will stop most breaches.” With the increasing nation-state threat, breaches are becoming more sophisticated and creating advanced persistent threats (APTs) with new levels of potency.

    The “script-kiddies” of yesterday, taking advantage of single exploits, have grown up to become a highly trained, educated, and government-sponsored team of professionals. This team is dedicated to stealing a target’s intellectual property (IP) and/or using that company’s weaknesses to damage an entire industry. The scale is massive, and the threat is real.

    It is still true that most exploited vulnerabilities—99% in fact, according to Verizon’s 2015 Data Breach Investigations Report (DBIR)—came over a year after that exploit had been discovered and patched.

    A coming of age of the cybersecurity threat landscape can be shown not only through the scale of attacks, but also through attackers’ focus, complexity, and funding. The situation is changing and the sophistication of these attacks, such as the one that hit Saudi Aramco, is evolving in ways that hadn’t been anticipated.

    Reply
  27. Tomi Engdahl says:

    The Terrible Security Of Bluetooth Locks
    http://hackaday.com/2016/08/08/the-terrible-security-of-bluetooth-locks/

    Bluetooth devices are everywhere these days, and nothing compromises your opsec more than a bevy of smartphones, smart watches, fitbits, strange electronic conference badges, and other electronic ephemera we adorn ourselves with to make us better people, happier, and more productive members of society.

    Bluetooth isn’t limited to wearables, either; deadbolts, garage door openers, and security systems are shipping with Bluetooth modules. Manufacturers of physical security paraphernalia are wont to add the Internet of Things label to their packaging, it seems. Although these devices should be designed with security in mind, most aren’t, making the state of Bluetooth smart locks one of the most inexplicable trends in recent memory.

    At this year’s DEF CON, [Anthony Rose] gave a talk on compromising BTLE locks from a quarter-mile away. Actually, that ‘quarter mile’ qualifier is a bit of a misnomer – some of these Bluetooth locks are terrible locks, period.

    The attacks on these Bluetooth locks varied, from sniffing the password sent in plain text to the lock (!), replay attacks, to more advanced techniques such as decompiling the APK used to unlock these smart locks. When all else fails, brute forcing locks works surprisingly well

    What was the takeaway from this talk? Secure Bluetooth locks can be made. These locks use proper AES encryption, a truly random nonce, two factor authentication, no hard-coded keys, allow the use of long passwords, and cannot be opened with a screwdriver.

    Comment:

    For a garden shed/ garage door/ bike lock, the proximity-based opening is a great idea, because it trades a lot of inconvenience for a little less security, in theory

    For front-door mechanisms, this might be different, indeed.

    Anyway, any lock’s function is *always*, and has always been, a trade-off between security, convenience and cost. You could buy a 10 000€ lock for your front door, but maybe then a burglar would just throw in a window. You could reinforce all windows with steel bars, but that would make your 14yo daughter, rightfully so, feel like in prison.

    I do agree that locks, to have any justification for being called “locks”, need to provide a certain minimum amount of security, and these locks don’t keep their promise on the convenience/security tradeoff scale.

    But let’s not act like wireless automatic entry systems are a new thing. They’ve been used on commercial grounds for decades now

    Oh, and cheap-as-straw garage door openers. Technology of the 80’s. Deployed in millions. “hacked” thousandfold.

    Right, even if using some well implemented excessively paranoid encryption, the use case for bluetooth proximity locks is highly limited if they automatically unlock.

    To be fair, Defcon do release all the presentations eventually. Usually something like 4-6 months after the con.

    That said, it’s an incredible feat of wizardry that the CCC folks get a) their talks streamed live, b) raw footage online just after they end, and c) finished versions edited, and sometimes subtitled, usually within a day. That’s some amazing technical and organizational skills. Chaos? Bah! More professional than the professionals.

    Reply
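The takeaway quoted above (a truly random nonce, no secret that can be sniffed and replayed) is easiest to see side by side. The following is an added example, not code from the talk or the Hackaday post: a static-password lock that accepts a sniffed password forever, beside a challenge-response lock that issues a fresh 128-bit nonce and accepts only a keyed HMAC over it, so a captured exchange is useless later. Both sides are simulated in one process; the key, the password and the “UNLOCK” label are constructed values.

```python
"""Replay resistance: static-password lock vs. nonce-based challenge-response lock."""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed demo values; a real lock would hold a per-device key provisioned at pairing.
SHARED_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
STATIC_PASSWORD = b"letmein"  # stands in for the plaintext password some locks send


class StaticPasswordLock:
    """Weak design: the phone sends the same secret on every unlock."""

    def __init__(self, password: bytes) -> None:
        self._password = password

    def unlock(self, password: bytes) -> bool:
        # Constant-time compare, but that does not help: anyone who heard the
        # password once can send it again.
        return hmac.compare_digest(self._password, password)


class ChallengeResponseLock:
    """Hardened design: a fresh random nonce per attempt, answered with a keyed MAC."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._pending: Optional[bytes] = None

    def challenge(self) -> bytes:
        # 128 bits from the OS CSPRNG; a counter or timestamp would be predictable.
        self._pending = secrets.token_bytes(16)
        return self._pending

    def unlock(self, nonce: bytes, response: bytes) -> bool:
        # Only the most recently issued nonce is valid, and only once.
        if self._pending is None or not hmac.compare_digest(self._pending, nonce):
            return False
        self._pending = None
        expected = hmac.new(self._key, b"UNLOCK" + nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def phone_response(key: bytes, nonce: bytes) -> bytes:
    """What the legitimate phone app computes for a given challenge."""
    return hmac.new(key, b"UNLOCK" + nonce, hashlib.sha256).digest()


def static_password_replay() -> Tuple[bool, bool]:
    """Eavesdropper hears the password once. Returns (owner_result, replay_result)."""
    lock = StaticPasswordLock(STATIC_PASSWORD)
    captured = STATIC_PASSWORD  # exactly what a sniffer sees on the air
    owner_ok = lock.unlock(STATIC_PASSWORD)
    replay_ok = lock.unlock(captured)
    return owner_ok, replay_ok


def challenge_response_replay() -> Tuple[bool, bool]:
    """Eavesdropper records one full exchange. Returns (owner_result, replay_result)."""
    lock = ChallengeResponseLock(SHARED_KEY)
    nonce = lock.challenge()
    response = phone_response(SHARED_KEY, nonce)
    captured = (nonce, response)
    owner_ok = lock.unlock(nonce, response)
    # Later the lock issues a new challenge; the recorded pair no longer matches it.
    lock.challenge()
    replay_ok = lock.unlock(*captured)
    return owner_ok, replay_ok


def wrong_key_rejected() -> bool:
    """A phone without the shared key cannot answer even a challenge it has seen."""
    lock = ChallengeResponseLock(SHARED_KEY)
    nonce = lock.challenge()
    return lock.unlock(nonce, phone_response(b"\x00" * 16, nonce))


if __name__ == "__main__":
    print("static password  (owner, replay):", static_password_replay())
    print("challenge-response (owner, replay):", challenge_response_replay())
    print("wrong key accepted:", wrong_key_rejected())
```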
  28. Tomi Engdahl says:

    Delta Meltdown Reflects Problems With Aging Technology
    U.S. carrier says power outage in Atlanta disrupted its systems world-wide
    http://www.wsj.com/article_email/delta-air-lines-says-computers-down-everywhere-1470647527-lMyQjAxMTI2MDA3ODAwNTgwWj

    A power outage at Delta Air Lines Inc. grounded thousands of passengers world-wide during the height of the summer travel season, wreaking havoc on the carrier’s reservations system and drawing attention to antiquated technology that has plagued many airlines.

    The meltdown highlights the vulnerability in Delta’s computer system

    companies too large and too reliant on IT systems that date from the 1990s

    These systems—which run everything from flight dispatching to crew scheduling, passenger check-in, airport-departure information displays, ticket sales and frequent-flier programs—gradually have been updated but are still vulnerable, IT experts said.

    Reply
  29. Tomi Engdahl says:

    Google password fill effort could kill Android malware’s best tricks
    Small boost to login speed could be a big roadblock for Marshmallow malware
    http://www.theregister.co.uk/2016/08/09/google_password_fill_effort_could_kill_android_malwares_best_tricks/

    Google may be paving the way to kill one of the few remaining avenues to compromise modern Android handsets in its bid to improve password security with a new open source API.

    The feature, dubbed OpenYOLO (You Only Log In Once), will allow users to permanently log into all apps by entering their password manager credentials once.

    Users who have turned up security settings must log into their password managers each time to access applications in what is a minor inconvenience.

    The initiative is being sold as one that will make sign-in seamless.

    Password management outfit Dashlane’s community manager Malaika Nicholas says the company is working with “… other top password management companies, who will contribute their unique security and software development expertise to improve the design and implementation of this open API.”

    However, an underlying benefit could be in the reduced use of special permissions on the latest Android platform versions, five (Lollipop) and six (Marshmallow).

    It could feasibly allow Google to better lock down the controls behind security PIN screens, frustrating malware writers’ efforts to trick users.

    Reply
  30. Tomi Engdahl says:

    Data Breach At Oracle’s MICROS Point-of-Sale Division
    https://it.slashdot.org/story/16/08/08/1848244/data-breach-at-oracles-micros-point-of-sale-division

    A Russian organized cybercrime group known for hacking into banks and retailers appears to have breached hundreds of computer systems at software giant Oracle Corp., KrebsOnSecurity has learned. More alarmingly, the attackers have compromised a customer support portal for companies using Oracle’s MICROS point-of-sale credit card payment systems.

    Asked this weekend for comment on rumors of a large data breach potentially affecting customers of its retail division, Oracle acknowledged that it had “detected and addressed malicious code in certain legacy MICROS systems.” It also said that it is asking all MICROS customers to reset their passwords for the MICROS online support portal. MICROS is among the top three point-of-sale vendors globally.

    Data Breach At Oracle’s MICROS Point-of-Sale Division
    http://krebsonsecurity.com/2016/08/data-breach-at-oracles-micros-point-of-sale-division/

    MICROS is among the top three point-of-sale vendors globally. Oracle’s MICROS division sells point-of-sale systems used at more than 330,000 cash registers worldwide. When Oracle bought MICROS in 2014, the company said MICROS’s systems were deployed at some 200,000+ food and beverage outlets, 100,000+ retail sites, and more than 30,000 hotels.

    The size and scope of the break-in is still being investigated, and it remains unclear when the attackers first gained access to Oracle’s systems. Sources close to the investigation say Oracle first considered the breach to be limited to a small number of computers and servers at the company’s retail division.

    A source briefed on the investigation says the breach likely started with a single infected system inside of Oracle’s network that was then used to compromise additional systems. Among those was a customer “ticketing portal” that Oracle uses to help MICROS customers remotely troubleshoot problems with their point-of-sale systems.

    Oracle declined to answer direct questions about the breach, saying only that Oracle’s corporate network and Oracle’s other cloud and service offerings were not impacted. The company also sought to downplay the impact of the incident, emphasizing that “payment card data is encrypted both at rest and in transit in the MICROS hosted customer environments.”

    This breach could be little more than a nasty malware outbreak at Oracle. However, the Carbanak Gang’s apparent involvement makes it unlikely the attackers somehow failed to grasp the enormity of access and power that control over the MICROS support portal would grant them.

    Indeed, Oracle’s own statement seems to suggest the company is concerned that compromised credentials for customer accounts at the MICROS support portal could be used to remotely administer — and, more importantly, to upload card-stealing malware to — some customer point-of-sale systems. The term “on-premise” refers to POS devices that are physically connected to cash registers at MICROS customer stores.

    “This [incident] could explain a lot about the source of some of these retail and merchant point-of-sale hacks that nobody has been able to definitively tie to any one point-of-sale services provider,” Litan said. “I’d say there’s a big chance that the hackers in this case found a way to get remote access” to MICROS customers’ on-premises point-of-sale devices.

    Point-of-sale based malware has driven most of the credit card breaches over the past two years, including intrusions at Target and Home Depot, as well as breaches at a slew of point-of-sale vendors.

    The breach comes at a pivotal time for Oracle, which has been struggling to compete with other software giants like Amazon and Google in cloud-based services.

    Reply
  31. Tomi Engdahl says:

    Researchers crack open unusually advanced malware that hid for 5 years
    Espionage platform with more than 50 modules was almost certainly state sponsored.
    http://arstechnica.com/security/2016/08/researchers-crack-open-unusually-advanced-malware-that-hid-for-5-years/

    Security experts have discovered a malware platform that’s so advanced in its design and execution that it could probably have been developed only with the active support of a nation state.

    The malware—known alternatively as “ProjectSauron” by researchers from Kaspersky Lab and “Remsec” by their counterparts from Symantec—has been active since at least 2011 and has been discovered on 30 or so targets. Its ability to operate undetected for five years is a testament to its creators, who clearly studied other state-sponsored hacking groups in an attempt to replicate their advances and avoid their mistakes. State-sponsored groups have been responsible for malware like the Stuxnet- or National Security Agency-linked Flame, Duqu, and Regin. Much of ProjectSauron resides solely in computer memory and was written in the form of Binary Large Objects, making it hard to detect using antivirus.

    THE PROJECTSAURON APT
    https://securelist.com/files/2016/07/The-ProjectSauron-APT_research_KL.pdf

    Reply
  32. Tomi Engdahl says:

    75 Percent of Bluetooth Smart Locks Can Be Hacked
    https://it.slashdot.org/story/16/08/08/1724246/75-percent-of-bluetooth-smart-locks-can-be-hacked

    It turns out, the majority of Bluetooth smart locks you see on the market can easily be hacked and opened by unauthorized users. The news comes from DEF CON hacker conference in Las Vegas, where security researchers revealed the vulnerability, adding that concerned OEMs are doing little to nothing to patch the hole. Tom’s Guide reports

    75 Percent of Bluetooth Smart Locks Can Be Hacked
    http://www.tomsguide.com/us/bluetooth-lock-hacks-defcon2016,news-23129.html

    LAS VEGAS — Many Bluetooth Low Energy smart locks can be hacked and opened by unauthorized users, but their manufacturers seem to want to do nothing about it, a security researcher said yesterday (Aug. 6) at the DEF CON hacker conference here.

    Researcher Anthony Rose, an electrical engineer, said that of 16 Bluetooth smart locks he and fellow researcher Ben Ramsey had tested, 12 locks opened when wirelessly attacked. The locks — including models made by Quicklock, iBlulock, Plantraco, Ceomate, Elecycle, Vians, Okidokey and Mesh Motion — had security vulnerabilities that ranged from ridiculously easy to moderately difficult to exploit.

    “We figured we’d find vulnerabilities in Bluetooth Low Energy locks, then contact the vendors. It turned out that the vendors actually don’t care,” Rose said. “We contacted 12 vendors. Only one responded, and they said, ‘We know it’s a problem, but we’re not gonna fix it.’”

    The problems didn’t lie with the Bluetooth Low Energy protocol itself, Rose said, but in the way the locks implemented Bluetooth communications, or with a lock’s companion smartphone app. Four locks, for example, transmitted their user passwords in plaintext to smartphones, making it easy for anyone with a $100 Bluetooth sniffer to pluck the passwords out of thin air.

    Reply
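The Rose and Ramsey finding above boils down to a design choice: a lock that accepts a static secret sent over the air is owned by anyone holding a BLE sniffer, whether the secret is sent in the clear or not, because the captured bytes can simply be replayed. The toy model below is an added example, not code from the researchers or from any lock vendor; the lock classes, key sizes and `owner_respond` helper are assumptions chosen to contrast the two designs. It shows the password-in-the-clear scheme falling to a replay of a captured transcript, and an HMAC challenge-response scheme (fresh random nonce per attempt, single use) that does not, even though the attacker captured a complete successful exchange.

```python
"""Plaintext-password BLE lock vs. challenge-response lock, under a passive sniffer.

Added illustrative model; the 'lock' and 'owner' objects stand in for the BLE
peripheral and the companion app, and `over_the_air` is what a sniffer sees.
"""
import hashlib
import hmac
import secrets


class PlaintextLock:
    """Weak design: the app sends a static password; the lock string-compares it."""

    def __init__(self, password: bytes) -> None:
        self._password = password

    def unlock(self, message: bytes) -> bool:
        return message == self._password


class ChallengeResponseLock:
    """Hardened design: the lock issues a fresh nonce, the app answers HMAC(key, nonce)."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._nonce = None  # outstanding challenge, None when there is none

    def challenge(self) -> bytes:
        self._nonce = secrets.token_bytes(16)  # fresh, unpredictable per attempt
        return self._nonce

    def unlock(self, response: bytes) -> bool:
        if self._nonce is None:
            return False
        expected = hmac.new(self._key, self._nonce, hashlib.sha256).digest()
        self._nonce = None  # single use: a nonce can never be answered twice
        return hmac.compare_digest(expected, response)


def owner_respond(key: bytes, nonce: bytes) -> bytes:
    """What a legitimate companion app computes for a given challenge."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


def replay_against_plaintext_lock() -> bool:
    """Sniff one legitimate unlock, then replay the bytes. Returns True if the lock opens."""
    lock = PlaintextLock(b"1234")
    over_the_air = []
    message = b"1234"
    over_the_air.append(message)      # sniffer captures the app -> lock write
    assert lock.unlock(message)       # owner's legitimate unlock succeeds
    return lock.unlock(over_the_air[0])  # attacker replays the capture


def replay_against_challenge_response_lock() -> bool:
    """Sniff a complete legitimate exchange, then replay the response to a new challenge."""
    key = secrets.token_bytes(32)     # shared at pairing time, never sent over the air
    lock = ChallengeResponseLock(key)
    over_the_air = []
    nonce = lock.challenge()
    response = owner_respond(key, nonce)
    over_the_air.extend([nonce, response])  # attacker now holds both halves of the exchange
    assert lock.unlock(response)            # owner's legitimate unlock succeeds
    lock.challenge()                        # attacker's own attempt gets a different nonce
    return lock.unlock(over_the_air[1])     # captured response no longer matches


def legitimate_challenge_response_works() -> bool:
    key = secrets.token_bytes(32)
    lock = ChallengeResponseLock(key)
    return lock.unlock(owner_respond(key, lock.challenge()))


if __name__ == "__main__":
    print("plaintext lock opens on replay:", replay_against_plaintext_lock())
    print("challenge-response lock opens on replay:", replay_against_challenge_response_lock())
```

Note that encrypting the link (BLE pairing with LE Secure Connections, or an application-layer cipher) is a separate control from the authentication design; a lock that encrypts a static password is still replayable to an attacker who records the encrypted write and resends it, which is why the nonce, not the cipher, is doing the work here.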
  33. Tomi Engdahl says:

    Google: Unwanted Software Is Worse Than Malware
    https://news.slashdot.org/story/16/08/08/228235/google-unwanted-software-is-worse-than-malware

A year-long study between Google and New York University has determined that unwanted software unwittingly downloaded as part of a bundle is a larger problem for users than malware. Google Safe Browsing currently generates three times as many Unwanted Software (UwS) warnings as malware warnings — over 60 million per week. Types of unwanted software fall into five categories: ad injectors, browser settings hijackers, system utilities, anti-virus, and major brands.

    studies suggest that ad injection affects 5% of browsers, and that deceptive extensions in the Chrome Web store affect over 50 million users

    Google study shows unwanted software worse than malware
    https://thestack.com/security/2016/08/08/google-study-shows-unwanted-software-worse-than-malware/

In a year-long study in conjunction with New York University, researchers at Google found unwanted software unwittingly downloaded as part of a bundle to be a larger problem for users than malware. Google Safe Browsing currently generates three times as many Unwanted Software (UwS) warnings as malware warnings, over 60 million per week.

The study found that the pay-per-install (PPI) scheme, whereby a company succeeds in monetizing end user access by paying $0.10 to $1.50 every time its software is installed on a new device, is the primary source of unwanted software proliferation. To get a payout from a commercial PPI organization, companies bundle regular software with unwanted software, which is then unwittingly downloaded by the user.

    Ad injectors, browser setting hijackers, and scareware presenting as system clean-up utilities dominate the commercial PPI landscape. Google found that the bundles were promoted through fake software updates and spoofed brands, “Techniques openly discussed on underground forums as ways to trick users into unintentionally downloading software and accepting the installation terms.”

    Reply
  34. Tomi Engdahl says:

    Hacker Uses Fake Boarding Pass App To Get Into Fancy Airline Lounges
    https://it.slashdot.org/story/16/08/08/2232226/hacker-uses-fake-boarding-pass-app-to-get-into-fancy-airline-lounges

    Przemek Jaroszewski, the head of Poland’s Computer Emergency Response Team (CERT), says anyone can bypass the security of the automated entrances of airlines’ airport lounges by using a specially crafted mobile app that spoofs boarding pass QR codes. He created one for himself, and successfully tried it out on a number of European airports.

    Fake Boarding Pass App Gets Hacker Into Fancy Airline Lounges
    https://www.wired.com/2016/08/fake-boarding-pass-app-gets-hacker-fancy-airline-lounges/

    As the head of Poland’s Computer Emergency Response Team, Przemek Jaroszewski flies 50 to 80 times a year, and so has become something of a connoisseur of airlines’ premium status lounges. (He’s a particular fan of the Turkish Airlines lounge in Istanbul, complete with a cinema, putting green, Turkish bakery and free massages.) So when his gold status was mistakenly rejected last year by an automated boarding pass reader at a lounge in his home airport in Warsaw, he applied his hacker skills to make sure he’d never be locked out of an airline lounge again.

    The result, which Jaroszewski plans to present Sunday at the Defcon security conference in Las Vegas, is a simple program that he’s now used dozens of times to enter airline lounges all over Europe. It’s an Android app that generates fake QR codes to spoof a boarding pass on his phone’s screen for any name, flight number, destination and class.

    Fake boarding passes are hardly a new hacker trick. Cryptographer Bruce Schneier wrote about the technique to make them back in 2003 and privacy activist Chris Soghoian was investigated by the FBI for creating a website that automatically generated the fake passes

    Spoofing boarding pass QR codes with simple app
    https://www.helpnetsecurity.com/2016/08/08/spoofing-boarding-pass-qr-codes-simple-app/

    Przemek Jaroszewski, the head of Poland’s CERT, says anyone can bypass the security of the automated entrances of airlines’ airport lounges by using a specially crafted mobile app that spoofs boarding pass QR codes.

    He created one for himself, and successfully tried it out on a number of European airports.

    Usually, to enter these lounges, travellers need to let the scanner at the entrance scan the QR code on their boarding pass, and the doors open automatically.

    Jaroszewski created an Android app that creates fake but acceptable QR codes. He says that aside from a valid flight number, the QR code doesn’t have to include correct information (traveller’s name, flight destination, etc.).

    The fake QR codes were also accepted at duty free shops on airports.

    It’s very unlikely that the trick would allow an attacker to get on an actual flight, as other security measures in place would probably reveal that the attacker is not in possession of a legitimate boarding pass. Nevertheless, Jaroszewski has proven that boarding pass security issues continue to crop up.

    Reply
  35. Tomi Engdahl says:

    Qualcomm’s leaking chip threatens Android users

    Qualcomm’s dominant position in Android phones is now proving to be quite a security problem. A code flaw in the Snapdragon application processor threatens to hand attackers access to up to 900 million Android devices.

    The problem is made wider by the fact that almost all manufacturers have Snapdragon-based devices. This includes, for example, Samsung’s new S7 series flagship models.

    If the user installs malware on their phone, the code error gives the program, and through it a remote attacker, full access to the Snapdragon.

    There are four errors in total. Any of them gives an attacker root-level rights to the device once malicious software has been installed. This means access to files, applications and hardware, including the camera and the microphone.

    Source: http://etn.fi/index.php?option=com_content&view=article&id=4798:qualcommin-vuotava-piiri-uhkaa-android-kayttajia&catid=13&Itemid=101

    Reply
  36. Tomi Engdahl says:

    I do not know why anyone would want to break into another person’s computer, but if there were such a need, one of the easiest ways involves no sophisticated hacking at all: leave a USB stick lying around near the target, loaded with files or applications that enable the break-in.

    Google security researcher Elie Bursztein presented at the Black Hat USA security conference a study in which he left 300 sticks lying around in different parts of an American university campus.

    The results are stunning: 98 per cent of the sticks were picked up, so perhaps only two per cent went undiscovered. More worrying is the fact that as many as 45 per cent of the sticks were plugged into a laptop and files on them were opened.
    68 per cent of survey respondents said they clicked the files to find out who the stick could be returned to. Nearly one in five admitted to being “curious”.

    Similar “testing” has been arranged in the past with similar results.

    Source: http://etn.fi/index.php?option=com_content&view=article&id=4799:tama-on-helpoin-tapa-murtautua-toisen-tietokoneelle&catid=13&Itemid=101

    Reply
  37. Tomi Engdahl says:

    BBC:
    Iran becomes first country to ban and block access to Pokémon Go, following a years-old religious ruling issued against an earlier Pokémon card game — Authorities in Iran have banned the Pokemon Go app because of unspecified “security concerns”.

    Pokemon Go banned by Iranian authorities over ‘security’
    http://www.bbc.com/news/world-middle-east-36989526

    Authorities in Iran have banned the Pokemon Go app because of unspecified “security concerns”.

    The decision was taken by the High Council of Virtual Spaces, the official body overseeing online activity.

    Iran follows a number of other countries in expressing its worries over security related to the game.

    But it becomes the first country to issue a ban of Pokemon Go, that challenges players to visit real-world locations to catch cartoon monsters.

    Indonesia has banned police officers from playing the game while on duty, and a French player was arrested last month after straying on to a military base while trying to catch Pokemon.

    Reply
  38. Tomi Engdahl says:

    Where in the world is my data and how secure is it?
    http://www.bbc.com/news/business-36854292

    When Max Schrems, an Austrian privacy activist, requested to see his personal data that Facebook stored on its servers, he was mailed a CD-ROM containing a 1,222-page document.

    offered a glimpse into Facebook’s appetite for the private details of its 1.65 billion users.

    The information included phone numbers and email addresses of Mr Schrems’ friends and family; a history of all the devices he used to log in to the service; all the events he had been invited to; everyone he had “friended” (and subsequently de-friended); and an archive of his private messages.

    It even included transcripts of messages he’d deleted.

    But Mr Schrems, who says he only used Facebook occasionally over a three-year period, believes a sizeable chunk of information was withheld from him.

    Mr Schrems’ experience vividly illustrates the challenges we face in a digital age full of messaging apps, social networks, tailored search engines, email clients, and banking apps, all collecting personal data about us and storing it, somewhere, in the cloud.

    But where is all this data exactly, how is it being used, and how secure is it?
    The Big Four

    More than half of the world’s rentable cloud storage is controlled by four major corporations. Amazon is by far the biggest, with about a third of the market share and 13 massive data centres in the US, three in South America, five in Europe, 11 spread across Asia, and three in Australia.

    The next three biggest providers are Microsoft, IBM and Google, and each of them adopts a similar global pattern of server farms.

    These major public cloud providers habitually duplicate user data across their networks. It means that information uploaded to the cloud in, say, the UK or the US, is likely to be transferred at some point to servers in major cities around the world, from Sydney to Shanghai.

    The problem with this, says Prof Dan Svantesson, an internet law specialist at Bond University, Australia, is that “there is always a risk that the country your data goes to doesn’t have the same level of protection [as your own].

    “No-one really quite knows how the sausage is made,” says Mr Caudill, whose work includes testing firms’ defences though “ethical hacking”.

    “It’s very difficult to understand where your data is stored. A lot of times the companies themselves aren’t sure where all the data could reside.”

    He says a client of his, who was using Microsoft’s Azure cloud service, fell victim to a hack – all data and back-ups were deleted.

    But after some digging, it emerged that a portion of the lost data had been stored elsewhere on Azure’s servers

    “No-one really knows how secure the cloud services are from the major providers,” says Mr Caudill, who suspects that “both Amazon and Azure have had major security compromises at some point.”

    “The data of your Gmail account is absolutely on more than one server. It’s absolutely in more than one country,” says Prof Svantesson.

    But why should we care?

    The more of our data that’s out there scattered throughout the world, the more vulnerable it is to hackers, argues Mr Caudill – a supposition borne out by the fact that identity fraud is on the rise.

    As people continue to upload their digital information online, into a marsh of territorial legal complexities and undisclosed national security protocols, Prof Svantesson offers some practical advice – which many people still do not follow.

    “I would suggest never putting anything sensitive on the cloud, such as credit card information, or personal images that you don’t want others to see.

    “Some things you should just leave to yourself,” he advises.

    Reply
  39. Tomi Engdahl says:

    A story what can happen when scammers try to hit security professional:

    How I got tech support scammers infected with Locky
    https://blog.kwiatkowski.fr/?q=en/node/30

    A few days ago, I received a panicked call from my parents who had somehow managed to land on a (now defunct) web page (snapshot here) claiming they had been infected by Zeus. This horrible HTML aggregate had it all: audio message with autoplay, endless JavaScript alerts, a blue background with cryptic file names throwing us back to Windows’ BSoD days, and yet somehow it displayed a random IP address instead of the visitor’s one.

    After everyone had a good laugh on Twitter, I decided I would give them a call to know more about what they hoped to accomplish. So I fire up an old Windows XP VM, and get in touch with the “tech support”. I am greeted with a pre-recorded message, then Patricia is kind enough to answer my call.

    it turns out that her French is quite poor so going off-script is a no-no

    She guides me through the steps needed to download some kind of remote-assistance client: Windows+R, type in iexplore remote.join360.net, jump through a few more hoops and run whatever executable is offered to you. From what I gather, this is actually a legitimate tech-support program, it being digitally signed and all.

    The fun starts now.

    In the end, she reaches the following conclusion: my computer has been infected, and now it needs to be cleaned up. I’m encouraged to buy either ANTI SPY or ANTI TROJAN, for the measly sum of $189.90.

    I assume that this is not how you scam people. She must have been a scammer trainee or something. At this point I realize that some of the screenshots I had taken were no good, so I wait half an hour or so and I call again.

    He goes on to tell me that my machine is infected as well, that he just cleaned it for free but he recommends that I purchase a Tech Protection subscription so I don’t get viruses ever again. This package costs €299.99

    In the end, I suggest using my second credit card and give him another random yet valid (as far as the Luhn algorithm is concerned) number.

    I open my “junk” e-mail folder where I find many samples of the latest Locky campaign – those .zip files containing a JS script which downloads ransomware. I grab one at random, drag it into the VM.

    The remote-assistance client I installed has a feature allowing me to send files to the operator. I upload him the archive and say:
    — I took a photo of my credit card, why don’t you input the numbers yourself? Maybe that’ll work.

    And while a background process quietly encrypts his files, we try paying a couple more times with those random CC numbers

    Their business model relies on the fact that only gullible people will reply. Now were they spammed back, their workload would increase so much that scamming wouldn’t be a profitable activity anymore.

    Reply
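The “random yet valid (as far as the Luhn algorithm is concerned)” numbers in the story above pass the only check a payment form or a scammer’s script can do offline: the Luhn mod-10 check digit. The code below is an added example, not from Kwiatkowski’s post; it validates a number the way a form does and completes a prefix with the correct check digit, which is how such format-valid but meaningless test numbers are produced. The `4111…` values used in the usage are the widely published Visa test number and a one-digit corruption of it.

```python
"""Luhn (ISO/IEC 7812 mod-10) check digit: validation and completion.

Added example. A Luhn-valid number only proves the digits were not mistyped;
it says nothing about whether an account exists or will authorize.
"""
import re


def _digits(number: str) -> list[int]:
    """Strip spaces/dashes and reject anything that is not all digits."""
    cleaned = re.sub(r"[ -]", "", number)
    if not cleaned.isdigit():
        raise ValueError(f"not a digit string: {number!r}")
    return [int(ch) for ch in cleaned]


def luhn_sum(digits: list[int]) -> int:
    """Luhn weighted sum with the rightmost digit treated as the check digit.

    Every second digit from the right (starting with the one left of the
    check digit) is doubled; doubled values >= 10 have their digits summed,
    which is the same as subtracting 9.
    """
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total


def luhn_valid(number: str) -> bool:
    """True if the number's last digit is the correct Luhn check digit."""
    digits = _digits(number)
    return len(digits) >= 2 and luhn_sum(digits) % 10 == 0


def luhn_complete(prefix: str) -> str:
    """Append the check digit that makes `prefix` Luhn-valid.

    Appending a provisional 0 puts every prefix digit in the same weight
    position it will occupy in the final number, so the needed check digit
    is whatever brings the sum to a multiple of 10.
    """
    digits = _digits(prefix) + [0]
    check = (10 - luhn_sum(digits) % 10) % 10
    return "".join(str(d) for d in digits[:-1]) + str(check)


if __name__ == "__main__":
    print(luhn_valid("4111 1111 1111 1111"))  # format-valid test number
    print(luhn_valid("4111 1111 1111 1112"))  # one digit off: fails
    print(luhn_complete("411111111111111"))   # prefix -> 4111111111111111
```

Luhn catches single-digit typos and most adjacent transpositions; it is a data-entry check, not a security control, which is exactly why a scammer’s “payment” step can be fed numbers that look fine and then fail at the processor.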
  40. Tomi Engdahl says:

    Meet Danger Drone – a flying computer designed to hack into all your unprotected devices
    http://www.digitaltrends.com/cool-tech/danger-drone-hacker-laptop/

    Feeling inspired, Brown went on to co-create Danger Drone — or, as he puts, “a hacker’s laptop that can fly.” In essence, the concept is a $500 Raspberry Pi-based quadcopter drone, kitted out with all the regular hacking software security firms deal with on a regular basis.

    “[The goal was] to make a cheap, easy-to-create hacking drone so that security professionals can test out the defenses that they’re rolling out,” he continues. “It’s a drone for penetration testing, to see how effective the defenses against this kind of thing actually are.”

    You may, of course, be wondering why hackers would have need of a drone. After all, some of the most publicized hacking attacks of recent times have come from thousands of miles away — in places like North Korea. This is true, but as Brown points out, there has also been a rise in proximity-based “over the air” attacks, where people are able to gain access to other people’s devices, which are physically located nearby. Danger Drone takes “over the air” attacks and raises the stakes. You could say it deals with “into the air” attacks.

    “Today there’s an abundance of targets that are ripe for hacking,” Brown explained. “The appeal of drones is that you can fly them over buildings, land on people’s roofs, and attack not just their WiFi and their phones, but their FitBit, the Google Chromecast hooked up to their TV, their smartwatches, their smart refrigerators. A drone would be perfect for attacking them.”

    “What protects a lot of devices right now is that you need to be close,” Brown’s colleague David Latimer continued. “You need to be close to the wireless signal to be able to read it. [Danger Drone] removes that barrier of physical access.”

    Reply
  41. Tomi Engdahl says:

    Cyberthreats Are Real, Costly, and Deceptive
    http://www.allanalytics.com/author.asp?section_id=3624&doc_id=281186&

    Reviewing the latest A2 infographic, Detect Advanced Cyberthreats with Security Analytics, I can see why those conference goers — security pros themselves — are extra cautious. The numbers are frightening.

    A total of 64,199 cybersecurity incidents were reported by organizations around the globe in 2015. Of those incidents, 2,260 resulted in confirmed breaches. However, given what we know about security issues and how many organizations don’t report them or often don’t even know about them, I wonder how much higher the real number of breaches might be.

    What type of damage could someone do to your data, your finances, your brand in three or four months.

    Cybersecurity analytics tools might not prevent bad people from trying to break into your systems, but advanced analytics can make their visits to your network very brief. Those tools are designed to sniff out and act on intrusion attempts from massive amounts of legitimate network activity, and do it much faster than any human admin can.

    If you have ever wondered why there is so much interest in the adoption of advanced analytics for cybersecurity, take a look through the infographic and the ebook, “Close the Detection Deficit with Security Analytics.”

    Detect Advanced Cyberthreats with Security Analytics
    http://www.allanalytics.com/document.asp?doc_id=281107

    Preventing zero-day and advanced persistent threats is no easy task. Security professionals are dealing with enormous volumes of data and are buried under loads of alerts generated by the very security tools that are meant to protect.

    The median number of days from the time of first intrusion to detection is now more than 80, according to Trustwave’s “2016 Global Security Report.” And the average cost of a single breach is several million dollars.

    A security analytics solution can help.

    Reply
  42. Tomi Engdahl says:

    How To Detect And Find Rogue Cell Towers
    http://hackaday.com/2016/08/09/how-to-detect-and-find-rogue-cell-towers/

    Software defined radios are getting better and better all the time. The balaclava-wearing hackers know it, too. From what we saw at HOPE in New York a few weeks ago, we’re just months away from being able to put a femtocell in a desktop computer for under $3,000. In less than a year, evil, bad hackers could be tapping into your cell phone or reading your text message from the comfort of a van parked across the street. You should be scared, even though police departments everywhere and every government agency already has this capability.

    These rogue cell sites have various capabilities, from being able to track an individual phone, gather metadata about who you have been calling and for how long, to much more invasive surveillance such as intercepting SMS messages and what websites you’re visiting on your phone. The EFF calls them cell-site simulators, and they’re an incredible violation of privacy.

    No matter where the threat comes from, rogue cell towers still exist. Simply knowing they exist isn’t helpful – a proper defence against governments or balaclava wearing hackers requires some sort of detection system.

    Stingrays, IMSI catchers, cell site simulators, and real, legitimate cell towers all broadcast beacons containing information. This information includes the radio channel number, country code, network code, an ID number unique to a large area, and the transmit power. To make detecting rogue cell sites harder, some of this information may change; the transmit power may be reduced if a tech is working on the site, for instance.

    To build his rogue-cell-site detector, [Eric] is logging this information to a device consisting of a Raspberry Pi, SIM900 GSM module, an Adafruit GPS module, and a TV-tuner Software Defined Radio dongle.

    Data received from a cell site is logged to a database along with GPS coordinates.

    This data was thrown at QGIS, an open source Geographic Information System package, revealing a heatmap with the probable locations of cell towers highlighted in red.

    This device really isn’t a tool to detect only rogue cell towers – it finds all cell towers. Differentiating between a rogue and legitimate tower still takes a bit of work.

    Cell-Site Simulators
    https://www.eff.org/sls/tech/cell-site-simulators

    Cell-site simulators, also commonly known as IMSI catchers or Stingrays, are devices that masquerade as a legitimate cell phone tower, tricking phones nearby into connecting to the device in order to log the IMSI numbers of mobile phones in the area or capture the content of communications.

    Reply
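The Hackaday build above logs beacon fields (country code, network code, area ID, cell ID, channel, transmit power) with GPS and leaves “differentiating between a rogue and legitimate tower” as work still to do. A common way to do that work is baseline-and-compare: record the cells normally seen at a location, then flag a later scan that shows a cell never seen there, a known cell on a different channel, or a known cell suddenly much stronger. The code below is an added example of that comparison step, not [Eric]’s code; the record layout, the `001/01` test-network PLMN, the cell and ARFCN numbers and the 10 dB margin are constructed for illustration.

```python
"""Baseline-and-compare anomaly flags over cell-site beacon logs.

Added example. Each record is one decoded beacon as a detector like the
Raspberry Pi + GSM module build would log it: PLMN (mcc, mnc), location area
code (lac), cell id (cid), channel (arfcn) and received level in dBm (rxlev).
A real log would also carry GPS; here every record is assumed to come from
the same spot, so location matching is not needed.
"""

# Constructed sample data. MCC 001 / MNC 01 is the test network PLMN.
BASELINE_SCAN = [
    {"mcc": 1, "mnc": 1, "lac": 1201, "cid": 40311, "arfcn": 62, "rxlev": -71},
    {"mcc": 1, "mnc": 1, "lac": 1201, "cid": 40312, "arfcn": 75, "rxlev": -83},
    {"mcc": 1, "mnc": 1, "lac": 1201, "cid": 40311, "arfcn": 62, "rxlev": -74},
]
LATER_SCAN = [
    {"mcc": 1, "mnc": 1, "lac": 1201, "cid": 40311, "arfcn": 62, "rxlev": -72},  # normal
    {"mcc": 1, "mnc": 1, "lac": 9999, "cid": 1, "arfcn": 62, "rxlev": -45},      # new cell, new LAC, loud
    {"mcc": 1, "mnc": 1, "lac": 1201, "cid": 40312, "arfcn": 75, "rxlev": -60},  # known cell, much stronger
]


def cell_key(record: dict) -> tuple:
    return (record["mcc"], record["mnc"], record["lac"], record["cid"])


def build_baseline(records: list[dict]) -> dict:
    """Per cell: the channels it has used and the strongest level ever seen."""
    baseline = {}
    for r in records:
        entry = baseline.setdefault(cell_key(r), {"arfcns": set(), "max_rxlev": -200})
        entry["arfcns"].add(r["arfcn"])
        entry["max_rxlev"] = max(entry["max_rxlev"], r["rxlev"])
    return baseline


def flag_anomalies(records: list[dict], baseline: dict, power_margin_db: int = 10) -> list[tuple]:
    """Return (cell_key, [reasons]) for each record that departs from the baseline.

    These are indicators, not proof: a new legitimate cell, a re-planned
    channel, or a technician changing transmit power all trip the same flags.
    """
    known_lacs = {key[2] for key in baseline}
    flagged = []
    for r in records:
        key = cell_key(r)
        reasons = []
        if key not in baseline:
            reasons.append("cell never seen at this location")
            if r["lac"] not in known_lacs:
                # a LAC unknown here forces phones to re-register; worth noting
                reasons.append("LAC not in baseline")
        else:
            entry = baseline[key]
            if r["arfcn"] not in entry["arfcns"]:
                reasons.append("ARFCN changed for a known cell")
            if r["rxlev"] > entry["max_rxlev"] + power_margin_db:
                reasons.append("signal much stronger than baseline")
        if reasons:
            flagged.append((key, reasons))
    return flagged


if __name__ == "__main__":
    for key, reasons in flag_anomalies(LATER_SCAN, build_baseline(BASELINE_SCAN)):
        print(key, "->", "; ".join(reasons))
```

The baseline has to be built over several visits before the flags mean much, and the margin should be tuned per site; the point of the example is the shape of the check, which is the same whether the records come from a SIM900 module, an SDR, or a phone’s own network diagnostics.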
  43. Tomi Engdahl says:

    Dan Goodin / Ars Technica:
    Researchers uncover advanced malware with 50+ modules that’s existed since 2011 and infected government agencies and telcos in Russia, Iran, Sweden, China, more — Espionage platform with more than 50 modules was almost certainly state sponsored. — Security experts have discovered …

    Researchers crack open unusually advanced malware that hid for 5 years
    Espionage platform with more than 50 modules was almost certainly state sponsored.
    http://arstechnica.com/security/2016/08/researchers-crack-open-unusually-advanced-malware-that-hid-for-5-years/

    Security experts have discovered a malware platform that’s so advanced in its design and execution that it could probably have been developed only with the active support of a nation-state.

    The malware—known alternatively as “ProjectSauron” by researchers from Kaspersky Lab and “Remsec” by their counterparts from Symantec—has been active since at least 2011 and has been discovered on 30 or so targets. Its ability to operate undetected for five years is a testament to its creators, who clearly studied other state-sponsored hacking groups in an attempt to replicate their advances and avoid their mistakes. State-sponsored groups have been responsible for malware like the Stuxnet- or National Security Agency-linked Flame, Duqu, and Regin. Much of ProjectSauron resides solely in computer memory and was written in the form of Binary Large Objects, making it hard to detect using antivirus.

    Reply
  44. Tomi Engdahl says:

    QuadRooter: New Android Vulnerabilities in Over 900 Million Devices
    http://blog.checkpoint.com/2016/08/07/quadrooter/

    Check Point today disclosed details about a set of four vulnerabilities affecting 900 million Android smartphones and tablets that use Qualcomm® chipsets. The Check Point mobile threat research team, which calls the set of vulnerabilities QuadRooter, presented its findings in a session at DEF CON 24 in Las Vegas.

    QuadRooter is a set of four vulnerabilities affecting Android devices built using Qualcomm chipsets. Qualcomm is the world’s leading designer of LTE chipsets with a 65% share of the LTE modem baseband market. If any one of the four vulnerabilities is exploited, an attacker can trigger privilege escalations for the purpose of gaining root access to a device.

    Some of the latest and most popular Android devices found on the market today use these chipsets, including:

    BlackBerry Priv
    Blackphone 1 and Blackphone 2
    Google Nexus 5X, Nexus 6 and Nexus 6P
    HTC One, HTC M9 and HTC 10
    LG G4, LG G5, and LG V10
    New Moto X by Motorola
    OnePlus One, OnePlus 2 and OnePlus 3
    Samsung Galaxy S7 and Samsung S7 Edge
    Sony Xperia Z Ultra

    How are Android devices exposed to this vulnerability?
    An attacker can exploit these vulnerabilities using a malicious app. Such an app would require no special permissions to take advantage of these vulnerabilities, alleviating any suspicion users may have when installing.

    How can I protect employee’s devices from attacks using these vulnerabilities?
    Without an advanced mobile threat detection and mitigation solution on the Android device, there is little chance a user would suspect any malicious behavior has taken place.

    What Android devices are at risk?
    QuadRooter vulnerabilities are found in software drivers that ship with Qualcomm chipsets. Any Android device built using these chipsets is at risk.

    What are the risks if an attacker exploits the vulnerability on a device?
    If exploited, QuadRooter vulnerabilities can give attackers complete control of devices and unrestricted access to sensitive personal and enterprise data on them. Access could also provide an attacker with capabilities such as keylogging, GPS tracking, and recording video and audio.

    Check Point continues to recommend that organizations encourage employees to follow these best practices to help keep Android devices safe from attacks

    QuadRooter Scanner
    https://play.google.com/store/apps/details?id=com.checkpoint.quadrooter&hl=en

    The Check Point QuadRooter Scanner analyzes your Android smartphone or tablet to discover if it’s vulnerable to the newly-discovered QuadRooter vulnerabilities. QuadRooter allows attackers to take complete control of Android devices, potentially exposing your sensitive data to cybercrime. The scanner app is designed to give you clear indications of the threat risk to your device and provides more information about QuadRooter, including which vulnerabilities affect your device and how they work.

    Reply
  45. Tomi Engdahl says:

    An example of how a random, baseless social media posting can become very expensive for a business, cause personal danger, and cost the person who posted it:

    A man was awarded $115,000 after a random Facebook post destroyed his life and business
    http://www.businessinsider.com/man-gets-115000-after-facebook-post-destroyed-his-life-2016-8?r=US&IR=T&IR=T

    A 74-year-old Australian man was awarded $115,000 in damages caused by a libelous Facebook post about his business, and it’s a good reminder that you can’t just say anything on social media.

    Here’s what happened.

    “The anonymity, instantaneousness and wide ranging reach of the Internet and social media make it a dangerous tool in the hands of persons who see themselves as caped crusaders or whistleblowers,” Judge Gibson said.

    Reply
  46. Tomi Engdahl says:

    Android apps know your position, like it or not

    On Android smartphones it is now possible, for example, to deny an application the use of location information. American researchers say this does not help: the application can still work out your location, whether you want it to or not.

    Noubir’s team developed an application that passed sensor data to a server. On the server, an algorithm calculated the route travelled by the user and the location very accurately.

    Many applications collect such location data. For example, the Brightest Flashlight app collected the data even though on the surface it was a simple flashlight application.

    Source: http://etn.fi/index.php?option=com_content&view=article&id=4808:android-sovellukset-tietavat-sijaintisi-halusit-tai-et&catid=13&Itemid=101

    Study:
    Inferring User Routes and Locations using Zero-Permission Mobile Sensors
    http://www.ccs.neu.edu/home/noubir/publications-local/NVBN2016.pdf

    Leakage of user location and traffic patterns is a serious security threat with significant implications on privacy as reported by recent surveys and identified by the US Congress Location Privacy Protection Act of 2014. While mobile phones can restrict the explicit access to location information to applications authorized by the user, they are ill-equipped to protect against side-channel attacks. In this paper, we show that a zero-permissions Android app can infer vehicular users’ location and traveled routes, with high accuracy and without the users’ knowledge, using gyroscope, accelerometer, and magnetometer information. We modeled this problem as a maximum likelihood route identification on a graph. The graph is generated from the OpenStreetMap publicly available database of roads.

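To make the "maximum likelihood route identification on a graph" in the abstract above concrete, here is a small added illustration (not code from the paper or from the blog) of why revoking the location permission does not remove the risk: once a sequence of turn angles has been recovered from the gyroscope, matching it against road geometry alone pins down the route. The road graph, its coordinates and the noisy turn observations are all constructed for this example; the real work uses OpenStreetMap data.

```python
import math

# Constructed toy road graph: intersection -> (x, y) in metres.
# Not OpenStreetMap data; the irregular layout makes turn angles distinctive.
NODES = {
    "A": (0, 0), "B": (100, 0), "C": (200, 0),
    "D": (0, 100), "E": (100, 100), "F": (220, 120),
    "G": (100, 200), "H": (250, 200),
}
EDGES = [("A", "B"), ("B", "C"), ("A", "D"), ("D", "E"), ("B", "E"),
         ("C", "F"), ("E", "F"), ("E", "G"), ("F", "H"), ("G", "H")]

def neighbours():
    adj = {n: set() for n in NODES}
    for u, v in EDGES:
        adj[u].add(v)
        adj[v].add(u)
    return adj

def heading(u, v):
    """Compass-free heading of the road segment u->v, in degrees."""
    (x1, y1), (x2, y2) = NODES[u], NODES[v]
    return math.degrees(math.atan2(y2 - y1, x2 - x1))

def turn_angle(a, b, c):
    """Signed heading change at b when driving a->b->c, wrapped to (-180, 180]."""
    d = heading(b, c) - heading(a, b)
    return (d + 180) % 360 - 180

def simple_paths(length):
    """Every simple path with exactly `length` intersections (route hypotheses)."""
    adj = neighbours()
    def extend(path):
        if len(path) == length:
            yield list(path)
            return
        for nxt in adj[path[-1]]:
            if nxt not in path:
                yield from extend(path + [nxt])
    for start in NODES:
        yield from extend([start])

def log_likelihood(path, observed, sigma):
    """Gaussian log-likelihood of observed turns given the turns this path implies."""
    expected = [turn_angle(*path[i:i + 3]) for i in range(len(path) - 2)]
    return -sum(((o - e) / sigma) ** 2 for o, e in zip(observed, expected)) / 2

def most_likely_route(observed_turns, sigma=10.0):
    """Maximum-likelihood route: the path whose geometry best explains the turns."""
    return max(simple_paths(len(observed_turns) + 2),
               key=lambda p: log_likelihood(p, observed_turns, sigma))
```

With constructed, noisy gyroscope-derived turns of roughly +88, -78 and +62 degrees, `most_likely_route([88.0, -78.0, 62.0])` returns the route A-B-E-F-H, even though no coordinate from the device was ever read.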
  47. Tomi Engdahl says:

    The First Evil Maid-Proof Computer
    http://hackaday.com/2016/08/09/the-first-evil-maid-proof-computer/

    It doesn’t matter how many bits your password has, how proven your encryption is, or how many TrueCrypt volumes are on your computer. If someone wants data off your device, they can get it if they have physical access to your device.

    Today, Design Shift has released ORWL (as in George Orwell), the first computer designed with physical security in mind. This tiny disc of a computer is designed to defeat an Evil Maid through some very clever engineering on top of encryption tools we already use.

    At its heart, ORWL is a relatively basic PC. The CPU is an Intel Skylake, graphics are integrated Intel 515 with 4K support over a micro HDMI connection, RAM is either 4 or 8GB, storage is a 120 or 480GB SSD with AES 256-bit encryption, and wireless is Bluetooth 4.1 and 802.11 a/b/g/n/AC. Power is delivered through one of the two USB 3.0 Type C connectors.

    The reason ORWL exists is to be a physically secure computer, and this is where the fun happens. ORWL’s entire motherboard is surrounded by an ‘active secure mesh’ – an enclosure wrapped with electronic traces monitored by the MAX32550 DeepCover Secure Cortex-M3 microcontroller.

    If this microcontroller detects a break in this mesh, the SSD auto-encrypts, the CPU shuts down, and all data is lost. Even turning on the computer requires a secure key with NFC and Bluetooth LE. If ORWL is moved, or inertial sensors are tripped when the key is away, the secure MCU locks down the system.

    We first heard of ORWL a few months ago from Black Hat Europe. Now this secure computer is up on Crowdsupply, with an ORWL available for $700.

    https://www.crowdsupply.com/design-shift/orwl/

  48. Tomi Engdahl says:

    Unexpected Betrayal From Your Right Hand Mouse
    http://hackaday.com/2016/08/09/unexpected-betrayal-from-your-right-hand-mouse/

    We’ve heard of the trusted peripheral being repurposed for nefarious uses before. Sometimes they’ve even been modified for more benign purposes. All of these have a common trend. The mouse itself must be physically modified to add the vulnerability or feature. However, the advanced mice with macro support can be used as is for a vulnerability.

    The example in this case is a Logitech G-series gaming mouse. The mouse has the ability to store multiple personal settings in its memory. That way someone could take the mouse to multiple computers and still have all their settings available.

    Your Mouse Got Sick and You Don’t Know it. aka “Reverse Shell via Mouse”
    https://www.insinuator.net/2016/07/your-mouse-got-sick-and-you-dont-know-it-aka-reverse-shell-via-mouse/

    Ever got a backdoor installed on your computer by your beloved mouse? Here’s the story of a poor mouse that got really, really sick.

    Do you remember the times where people put Teensy-boards and USB hubs in their mouses? [Chris? ;)] Their aim was to attach an additional Human Interface Device (HID, like keyboards or mouses) with some payload in kind of e.g. keystrokes or mouse movements. Also, there are devices available like the USB Rubber Ducky in the housing of a USB thumb drive.
    The principle is easy: The tools are using a programmable microcontroller with the capability to emulate USB HID. That’s it. Just program your board of choice with the payload fitting your needs and plug it in at the target computer. The latter will recognize it as a keyboard/mouse and the payload-keystrokes will be entered.
    But why should external hardware be used? Many modern gaming peripherals provide functions to store macros on them, including enough onboard memory for little payloads.

    But wait – macros and profiles stored on the mouse? Recall the lines above concerning the HID story.
    Could it be possible to store a macro big enough to drop a reverse shell on a Windows target?
    Actually – it could.
    It’s just as simple as using the Logitech Gaming Software’s Command Editor. Choose a button, put a macro on it, fit the timings and go!
    The only thing you should consider is that you’re limited to about 100 keystrokes. If something should be dropped on the target, like an executable or a script, you should think about using FTP or PowerShell to download it externally, like I did here.

    In this Proof of Concept the macro opens the Windows Command Line and downloads
