Security trends for 2016

Here are my predictions for trends in information security and cyber security for the year 2016.

The year 2015 was a bad one for information security, and I would say the trend is worrying, so I expect 2016 to bring many information security challenges. If you want to keep yourself up at night, spend some time reading about the latest developments in cybersecurity. In 2015 airplanes were hacked, cars were hacked, and vulnerabilities were found in a breathtaking range of sensitive equipment, from TSA locks to voting booths to medical devices. The big picture is even scarier: former NSA Director Mike McConnell suspects China has hacked “every major corporation” in the US. Those problems will continue in 2016, and new targets for attacks will be found. The system is broken. It isn’t keeping us, our companies, or our government safe. Worse yet, no one seems to know how to fix it.

Attacks over networks are becoming more common all the time, and targeted attacks will be hard to protect against. Attackers will not only customize malware, they will increasingly use sophisticated phishing and social engineering tricks to gain access to sensitive data. Attackers usually cover their tracks carefully, so identifying who is behind an attack can be very difficult. Behind targeted attacks are usually professional criminals. Criminals do not respect geographical borders, so attacks are spread fairly evenly everywhere. Companies will struggle to absorb the security threats of mixed PC and mobile device fleets in 2016.


EU information security decisions made in late 2015 will have an impact on what comes in 2016: the new EU data protection legislation package (the General Data Protection Regulation) was approved, and the EU Court of Justice ruled that the Safe Harbor arrangement is invalid. This means that transfers of personal data from EU countries to the United States can no longer rely on Safe Harbor; some other legal basis is needed. The situation will probably get clarified during 2016. The data protection legislation changes will lead to increased fines for the unprepared. Legal uncertainty and big fines are a toxic cocktail for some companies: the combination of stiff penalties and ambiguously worded provisions in the new EU-wide data protection law, which will replace a patchwork of 28 national laws, raises daunting prospects for companies operating in Europe.

After the huge number of user information leaks from all kinds of Internet services in 2015, cloud companies will face the challenge of earning trust in their security. Until now you might have dared to trust “the right cloud services”, since from a traditional information security point of view they mostly seemed fine; the leaks have now raised privacy as an equally important concern.

New environments will bring new threats. New operating system versions mean that administrators and users are less familiar with the environments. IPv6 will get more widely used, and the security of IPv6 networks is different from IPv4: hosts typically get globally routable addresses, and filtering rules written for IPv4 do not automatically cover IPv6 traffic. Organizations are moving to virtualized environments, which are complex and create network layers that can become an attack vector. Growing network virtualization functionality and programmability are both an opportunity and a threat to security. Cyber security research will be important in 2016, as 5G networks will be critical infrastructure on top of which, for example, transport, industry, health care and new operators will set up their business around 2020.

The huge amount of information security news is becoming harder and harder to manage in 2016. A key problem, with breach revelations as with all other news coverage, is the exponential growth of information. There are various news summaries produced on a daily basis, but they are not enough to get a good picture of what is happening. There are bigger and smaller news items, the impact of which is at times very difficult to assess. SMBs will become a bigger target for cybercriminals. Network and security professionals continue to be among the toughest IT talent to find and hire.

The old network security model focused on perimeter defense is not enough in 2016. The old mantras “encrypt everything” and “secure the perimeter” are not enough. One deceptive truth seems to drive much of the cybersecurity industry down a rabbit hole: if you keep bad actors and bad software out of your system, you have nothing to worry about. It does not work like that anymore. As perimeter security gets stronger, malicious actors look for easier entry points to compromise an organisation through the breadth of its digital attack surface. Now malicious actors target “endpoints”, any device or sensor connected to a network, to break into that network. Traditional sandboxing will no longer protect against the growing malware landscape. Today most private networks have far too many endpoints to secure properly. In an age of “Bring Your Own Device”, the cloud, remote access and the Internet of Things, there are too many vulnerabilities hackers can exploit. Keep in mind that everything connected to the Internet can, and will, be hacked. To address those threats in 2016, security experts should assume compromise, that hackers and malware have already breached their defenses or soon will, and instead classify and mitigate threats. In addition to the public key infrastructure lock-and-key system you will also need an integrity solution that acts like an alarm: something that records a known-good state and tells you when files or configurations have changed. To protect against advanced threats, security professionals will increase their reliance on centralized security management solutions. You need to have prioritization and response plans for various kinds of breaches, with a strong focus on integrity.
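
As an added illustration of an integrity solution that “acts like an alarm” (example code written for this page, not a product the post mentions): a keyed file-integrity baseline. It records a SHA-256 digest of every file under a directory, seals the manifest with an HMAC so that an intruder who can write files cannot also silently rewrite the manifest, and reports what was added, removed or modified. The key, paths and file contents in demo() are constructed for the example.

```python
import hashlib
import hmac
import json
import os
import tempfile

CHUNK = 1 << 16


def digest_file(path):
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map 'relative/path' -> digest for every regular file under root (symlinks skipped)."""
    files = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            files[rel] = digest_file(full)
    return files


def _seal(files, key):
    body = json.dumps(files, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def make_baseline(root, key):
    """Known-good state: the manifest plus an HMAC over it under a key kept off the host."""
    files = snapshot(root)
    return {"files": files, "mac": _seal(files, key)}


def check(root, baseline, key):
    """Raise if the manifest was tampered with; otherwise report the drift since the baseline."""
    if not hmac.compare_digest(_seal(baseline["files"], key), baseline["mac"]):
        raise ValueError("manifest does not match its MAC: tampered manifest or wrong key")
    old, now = baseline["files"], snapshot(root)
    return {
        "added": sorted(set(now) - set(old)),
        "removed": sorted(set(old) - set(now)),
        "modified": sorted(p for p in set(now) & set(old) if now[p] != old[p]),
    }


def demo():
    """Constructed scenario: baseline a fake /etc, simulate an intrusion, then try to hide it."""
    key = b"example-key-store-this-off-host"  # assumption: the real key lives off the monitored host
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        with open(os.path.join(etc, "passwd"), "w") as f:
            f.write("root:x:0:0:root:/root:/bin/sh\n")
        with open(os.path.join(etc, "hosts"), "w") as f:
            f.write("127.0.0.1 localhost\n")
        baseline = make_baseline(root, key)
        clean = check(root, baseline, key)

        # Simulated intrusion: an extra uid-0 account, a dropped preload library, a deleted file.
        with open(os.path.join(etc, "passwd"), "a") as f:
            f.write("eve:x:0:0::/:/bin/sh\n")
        with open(os.path.join(etc, "ld.so.preload"), "w") as f:
            f.write("/tmp/evil.so\n")
        os.remove(os.path.join(etc, "hosts"))
        alarm = check(root, baseline, key)

        # The intruder regenerates the manifest to hide the changes, but lacks the key.
        forged = {"files": snapshot(root), "mac": baseline["mac"]}
        try:
            check(root, forged, key)
            forgery_caught = False
        except ValueError:
            forgery_caught = True
    return {"clean": clean, "alarm": alarm, "forgery_caught": forgery_caught}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In a real deployment the baseline and the key are written to read-only or off-host storage and the check is run from a trusted host or boot medium, because a checker living on a compromised machine can itself be subverted; tools such as AIDE and Tripwire implement this idea with many more options.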

The tension between law enforcement and Silicon Valley will continue to be strong throughout 2016. In 2015 law enforcement and politicians on both sides of the Atlantic lined up to repeatedly complain that the web was “going dark” as a result of end-to-end encryption and that this was hampering the investigation of terrorism and other serious crimes. Technologists and cryptographers argue that governments are trying to weaken encryption by demanding some form of privileged access for government. It’s not clear how much encryption the NSA can break. With renewed focus on how encrypted messages can be used to plot terrorist attacks, President Barack Obama’s administration is stepping up pressure on the tech sector to help in the battle. Privacy remains a major counter-argument. It seems that governments lie about encryption backdoors: encryption systems weakened by mandated backdoors would not be effective in fighting the terrorists that governments invoke as their reason for wanting those backdoors in the first place.

But this does not stop some government officials from demanding such a thing, with varying success in different countries. Another fact is that encrypted communication is a reality, and the U.S. may not be able to do much about it, because nearly everyone living in modern society uses it: encryption protects your bank information, prevents your password from being stolen when you log into a website, and allows all e-commerce transactions to take place securely. Encryption weakened by mandated backdoors would put all of us at an enormous risk of exposure from data breaches and associated online risks. The truth in 2016 is that any form of privileged access for government, i.e. a backdoor, would inevitably weaken crypto-systems and make them more vulnerable to attacks by foreign governments’ intelligence agencies as well as criminals. Juniper’s VPN security hole (the unauthorized code found in ScreenOS in December 2015) is proof that government backdoors are bonkers. Encryption backdoors would be a gleeful win-win for terrorists and a horrific lose-lose for you: the bad guys would have strong protections for their data, and the rest of us would not. Poorly thought-out and crude surveillance techniques can have a devastating effect on a country’s internet security. For example, Kazakhstan will force its citizens to install an internet backdoor by requiring all Internet users to install a state-issued root certificate by January 1, 2016, which lets the state intercept and read TLS-protected traffic.

Google, Mozilla and Microsoft are pushing for an early SHA-1 cutoff in 2016 instead of the earlier planned January 1, 2017, because recent research showed that SHA-1 is weaker than previously believed: mounting a collision attack against it has become much cheaper than earlier estimates assumed. Mozilla, Microsoft and now Google are all considering bringing the deadline forward by six months to July 1, 2016. SHA-2 will be used as the replacement hash function for SHA-1. Websites like Facebook and those protected by CloudFlare have implemented a SHA-1 fallback mechanism for clients that do not support SHA-2. Chrome will start displaying errors if SHA-1 certificates are used in early 2016 and will completely stop supporting SHA-1 certificates at the end of 2016.
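
To find out whether a certificate you operate is affected by the cutoff you need to look at its signature algorithm, not at anything in the subject. The following is an added example for this page (editor’s code, not from any of the vendors mentioned): a minimal DER walker that reads the outer X.509 structure, pulls out the signatureAlgorithm OID and flags the SHA-1 based ones. The list of SHA-1 OIDs is the editor’s, and the sample certificate is a constructed DER skeleton with the right outer layout, not a real certificate.

```python
import base64

# Signature-algorithm OIDs built on SHA-1 (editor's list for this example, not from the post).
SHA1_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10040.4.3": "dsaWithSHA1",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}


def pem_to_der(pem_text):
    """Strip the BEGIN/END armor and base64-decode the body."""
    lines = [line.strip() for line in pem_text.splitlines()]
    return base64.b64decode("".join(l for l in lines if l and not l.startswith("-----")))


def read_tlv(buf, pos):
    """Decode one DER element at pos: returns (tag, contents, position after the element)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(contents):
    """Turn OBJECT IDENTIFIER contents into dotted form, e.g. 1.2.840.113549.1.1.5."""
    arcs = [contents[0] // 40, contents[0] % 40]
    value = 0
    for b in contents[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # a clear high bit ends the current arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    tag, cert, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = read_tlv(cert, 0)          # skip tbsCertificate
    _, alg_id, _ = read_tlv(cert, pos)        # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    tag, oid, _ = read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    return decode_oid(oid)


def uses_sha1(der):
    return signature_algorithm(der) in SHA1_SIGNATURE_OIDS


# --- Constructed sample input: a DER skeleton with the outer X.509 layout, not a real cert ---
def tlv(tag, contents):
    n = len(contents)
    if n < 0x80:
        return bytes([tag, n]) + contents
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + contents


def skeleton_cert(sig_oid):
    tbs = tlv(0x30, tlv(0x02, b"\x02"))                   # placeholder tbsCertificate
    alg = tlv(0x30, tlv(0x06, sig_oid) + tlv(0x05, b""))  # AlgorithmIdentifier with NULL params
    sig = tlv(0x03, b"\x00" + bytes(256))                 # placeholder 2048-bit signature
    return tlv(0x30, tbs + alg + sig)


SHA1_RSA = bytes.fromhex("2a864886f70d010105")      # 1.2.840.113549.1.1.5
SHA256_RSA = bytes.fromhex("2a864886f70d01010b")    # 1.2.840.113549.1.1.11


def to_pem(der):
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    for name, oid in (("sha1", SHA1_RSA), ("sha256", SHA256_RSA)):
        der = pem_to_der(to_pem(skeleton_cert(oid)))
        print(name, signature_algorithm(der), "SHA-1 based:", uses_sha1(der))
```

Two caveats when applying this to a real chain: browsers do not verify the self-signature on a trust-anchor root, so a SHA-1 signed root is harmless and the cutoff concerns leaf and intermediate certificates, and the same answer is available on any system with OpenSSL from the Signature Algorithm line of “openssl x509 -in cert.pem -noout -text”.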

The use of blockchain technology, a permissionless distributed database based on the bitcoin protocol that runs across a global network of independent computers, will spread beyond Bitcoin virtual money. With bitcoin, the blockchain tracks the exchange of money, but it can also track the exchange of anything else that holds value, including stocks, bonds and other financial securities. Overstock has already used the blockchain to issue private bonds, and the Securities and Exchange Commission has approved a plan from the online retailer to issue company stock via the Internet, signaling a significant shift in the way financial securities will be distributed and traded in the years to come. Overstock built its technology under the aegis of a subsidiary called TØ.com, and it plans to offer this “cryptosecurity” tech as a service to other businesses. Nasdaq OMX, the company behind the Nasdaq stock exchange, is using the blockchain to oversee the exchange of private stock. Several major companies from across both the technology and financial industries, including IBM, Intel and Cisco as well as the London Stock Exchange Group and big-name banks JP Morgan, Wells Fargo and State Street, have also joined forces with the Linux Foundation to create an alternative blockchain (the Hyperledger project).

The use of disk encryption will increase, and there are different ways to do it, with different security levels. Microsoft has introduced Windows 10 device encryption in which the recovery key is uploaded to Microsoft. This approach has advantages and disadvantages. The gold standard in disk encryption is end-to-end encryption, where only you can unlock your disk. This is what most companies use, and it seems to work well; it protects data in case your device is lost or stolen. But what if you forget or lose your key? There are certainly cases where it’s helpful to have a backup of your key or password, so keeping a backup of your recovery key in your Microsoft account could be genuinely useful for the majority of users who don’t have high security needs. The disadvantage of this approach is that your computer is now only as secure as that database of keys held by Microsoft, which means it may be vulnerable to hackers, foreign governments, and people who can extort Microsoft employees. If you delete the key from your Microsoft account, generate a new recovery key afterwards: the old one has already left your device.


Weak and leaked passwords are still a huge security problem in 2016. Passwords are often the weakest part of securing users’ accounts, as many don’t use complex passwords or they reuse the same password across services. Two-factor authentication, like using a USB stick with a secret token or entering a code sent via text message to your phone, can increase security, but many users find this a hassle, as it introduces an additional step to the login process.
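
The most common form of that second code is a time-based one-time password generated by an authenticator app. As an added example (editor’s code, not from the post), here is the RFC 4226 / RFC 6238 algorithm with a server-side verifier that tolerates one step of clock drift, compares in constant time and refuses replay of a counter that was already accepted. The secret is the published RFC test secret, so the values can be checked against the RFCs; the window and step sizes are the usual defaults, chosen here as assumptions.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6, algorithm=hashlib.sha1):
    """RFC 4226 HOTP: dynamic truncation of HMAC(secret, counter) to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at=None, step=30, digits=6, algorithm=hashlib.sha1):
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time in `step`-second slices."""
    at = time.time() if at is None else at
    return hotp(secret, int(at // step), digits, algorithm)


def verify_totp(secret, code, at=None, step=30, digits=6, window=1, last_counter=-1):
    """Server-side check. Accepts codes from +/- `window` steps to tolerate clock drift,
    compares in constant time, and refuses any counter already used (replay protection).
    Returns the accepted counter (store it as the new last_counter) or None."""
    at = time.time() if at is None else at
    base = int(at // step)
    for delta in range(-window, window + 1):
        counter = base + delta
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), str(code)):
            return counter
    return None


def secret_from_base32(text):
    """Authenticator apps are provisioned with a base32 secret (the string behind the QR code)."""
    padded = text.strip().replace(" ", "").upper()
    padded += "=" * (-len(padded) % 8)
    return base64.b32decode(padded)


# RFC 4226 / RFC 6238 test secret, so the values below can be checked against the RFCs.
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print("HOTP counter 0:", hotp(RFC_SECRET, 0))                           # 755224
    print("TOTP at t=59, 8 digits:", totp(RFC_SECRET, at=59, digits=8))    # 94287082
    print("accepted counter:", verify_totp(RFC_SECRET, "287082", at=59))   # 1
```

The replay rule matters more than it looks: without remembering last_counter, a code phished seconds ago is still valid for the rest of its 30-second slice plus the drift window. Codes sent by text message share none of this machinery and can be intercepted through the phone network or a SIM swap, which is why an app or a hardware token is the better second factor.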

Google has begun testing a login system that uses phone notifications for authentication instead of passwords: users authenticate by responding to a notification sent to their smartphone. The idea is similar to Yahoo’s recently launched “Account Key”, which also offers a password-free means of signing in, involving a push notification sent to your phone that opens an app where you approve the login.

The smartphone will become a more and more security-critical part of your life. “Increasingly, individuals and organisations are adopting password managers and multi-factor authentication technologies to plug some of the holes in password-based authentication. We foresee a world where practically everyone uses their smartphone as a multi-factor authentication element. In this world, the smartphone becomes your most valuable asset: something that enables you to unlock your life online and a target for attackers seeking to access your services.”

Expect the number of mobile vulnerabilities to only grow in 2016. In 2016 we will see increasing numbers of cyber criminals using mobile applications to spread malware. Mobile presents an easy target for cyber criminals, because it is an attack surface that is open and extremely difficult to defend once an app has been released. Android threats will become more than just headline-grabbers. Will 2016 be the year iOS malware goes mainstream?


Critical infrastructures will be highly targeted in 2016. SCADA and ICS networks were not designed for security. Attacks against these systems have increased in recent years, and I expect this trend to only get worse. There are still many companies that run their critical systems on Windows XP, as “there are some people who don’t have an option to change.” Many times the OS is running in automation and process control systems that run business- and mission-critical systems, both in the private sector and in government enterprises. For example, the US Navy is using the obsolete Microsoft Windows XP to run critical tasks. It all comes down to money and resources, but if someone is obliged to keep something running on an obsolete system, it’s the wrong approach to information security completely. If such a system really cannot be replaced, it should at least be isolated in its own network segment with only the strictly necessary connections allowed.

Cars were hacked at a record rate in 2015, and they will be hacked at least at the same rate in 2016. Modern cars feature more gadgetry and connected systems, and this will make vehicles just as vulnerable to today’s threats and attacks. I Am The Cavalry has published a Five Star Automotive Cyber Safety Framework to mitigate this threat in cars; hopefully car component makers study it.

IoT and smart devices are still at risk. The Internet of Things will continue to emerge, and businesses will need to think about how to protect their smart devices and prepare for the wider adoption of IoT. IoT platforms are not yet the weapon of choice for commercial malware authors, but businesses beware. Wearables won’t be safe either, as they are built using largely the same, too often vulnerable, technologies as other IoT systems. IoT security is still in its infancy in 2016.

Cyber criminals became more active in 2015, particularly with ransomware. The ransomware problem will continue to be big in 2016. Commercial malware authors will continue to invest heavily, and exploit kits will continue to dominate on the web. Ransomware today is big business. Ransomware takes control of a computer and holds its data hostage until the victim pays, usually in the digital currency Bitcoin. As a remedy against ransomware I recommend making sure that IT support or your service provider has the data backup and restore procedure operational, practiced and tested: backups reachable from an infected machine are likely to be encrypted along with everything else, so keep at least one copy offline or otherwise out of its reach. You may need it in 2016 to get your data back without considering paying the criminals. To date ransomware has hit Windows users hardest, although Android and MacOS users are now also facing similar extortion.
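
The “practiced and tested” part of that advice is the part that usually gets skipped. As an added worked example (editor’s code, not from the post or any backup product): a restore drill that takes a backup, restores it into scratch space and compares the result byte for byte with the original. The constructed demo() also shows the failure mode a drill catches: a backup job that silently skipped a directory but still reported success. The directory layout, file contents and the exclude list are constructed for the example.

```python
import filecmp
import os
import tarfile
import tempfile


def create_backup(source_dir, archive_path, exclude=()):
    """Write source_dir into a gzip tarball. `exclude` drops top-level entries by name
    (used below to simulate a backup job that quietly skips a directory)."""
    def keep(info):
        parts = info.name.split("/")            # member names look like ./docs/report.txt
        return None if len(parts) > 1 and parts[1] in exclude else info
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(source_dir, arcname=".", filter=keep)
    return archive_path


def restore_backup(archive_path, target_dir):
    with tarfile.open(archive_path, "r:gz") as tar:
        try:
            tar.extractall(target_dir, filter="data")   # refuses absolute paths and ../ escapes
        except TypeError:                               # Python without the filter argument
            tar.extractall(target_dir)


def compare_trees(expected_dir, restored_dir):
    """Byte-for-byte comparison; returns [(problem, relative_path)], empty means identical."""
    problems = []
    for dirpath, _dirs, names in os.walk(expected_dir):
        for name in names:
            src = os.path.join(dirpath, name)
            rel = os.path.relpath(src, expected_dir).replace(os.sep, "/")
            dst = os.path.join(restored_dir, rel)
            if not os.path.isfile(dst):
                problems.append(("missing", rel))
            elif not filecmp.cmp(src, dst, shallow=False):
                problems.append(("differs", rel))
    for dirpath, _dirs, names in os.walk(restored_dir):
        for name in names:
            rel = os.path.relpath(os.path.join(dirpath, name), restored_dir).replace(os.sep, "/")
            if not os.path.isfile(os.path.join(expected_dir, rel)):
                problems.append(("extra", rel))
    return sorted(problems)


def restore_drill(expected_dir, archive_path):
    """Restore into scratch space and compare: the only real proof that a backup is usable."""
    with tempfile.TemporaryDirectory() as scratch:
        restore_backup(archive_path, scratch)
        return compare_trees(expected_dir, scratch)


def demo():
    with tempfile.TemporaryDirectory() as work:
        data = os.path.join(work, "data")
        os.makedirs(os.path.join(data, "docs"))
        with open(os.path.join(data, "docs", "report.txt"), "w") as f:
            f.write("quarterly numbers\n")
        with open(os.path.join(data, "notes.txt"), "w") as f:
            f.write("call the auditor\n")

        good = create_backup(data, os.path.join(work, "good.tar.gz"))
        # Misconfigured job: the exclude list drops the docs directory. The job still
        # finishes without error, so only a restore drill reveals the data was never backed up.
        bad = create_backup(data, os.path.join(work, "bad.tar.gz"), exclude=("docs",))
        return {"good": restore_drill(data, good), "bad": restore_drill(data, bad)}


if __name__ == "__main__":
    print(demo())
```

Run the drill from a clean host against a copy of the archive rather than from the machine that may already be infected, and keep the archive itself where ransomware on the source host cannot write to it; a backup that the malware can reach is just one more file for it to encrypt.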

Ransomware will continue to dominate in 2016, and it is only a question of time before we see things beyond data being ransomed. We have already seen websites held to ransom with DDoS. Intel’s McAfee Labs also noted a huge spike in ransomware in early 2015, and worries about ransomware in the IoT space, including medical devices. And Kaspersky predicts the “nightmare of ransomware” to continue and “spread to new frontiers” in 2016. The article Ransomware Is Coming to Medical Devices tells that according to a report recently released by Forrester Research the number one cybersecurity prediction for 2016 is: “We’ll see ransomware for a medical device or wearable.” “It’s definitely feasible from a technical standpoint.” Networked medical devices save lives; despite the hacking risk, it’s an informed trade-off. Medical device ransomware would be a modern form of highway robbery with lives at stake.

2,232 Comments

  1. Tomi Engdahl says:

    Flash and Chrome
    https://chrome.googleblog.com/2016/08/flash-and-chrome.html

    Adobe Flash Player played a pivotal role in the adoption of video, gaming and animation on the Web. Today, sites typically use technologies like HTML5, giving you improved security, reduced power consumption and faster page load times. Going forward, Chrome will de-emphasize Flash in favor of HTML5. Here’s what that means for you. Today, more than 90% of Flash on the web loads behind the scenes to support things like page analytics. This kind of Flash slows you down, and starting this September, Chrome 53 will begin to block it. HTML5 is much lighter and faster, and publishers are switching over to speed up page loading and save you more battery life. You’ll see an improvement in responsiveness and efficiency for many sites.

    In December, Chrome 55 will make HTML5 the default experience, except for sites which only support Flash. For those, you’ll be prompted to enable Flash when you first visit the site. Aside from that, the only change you’ll notice is a safer and more power-efficient browsing experience.

  2. Tomi Engdahl says:

    Simplifying Security for Developers: 5 New Rules for Success
    http://www.techonline.com/electrical-engineers/education-training/tech-papers/4442459/Simplifying-Security-for-Developers-5-New-Rules-for-Success
    http://www.techonline.com/asset/download/4442459/tech-papers-download

    In order to take advantage of the latest digital business models, organizations need security that remains with their data and protects it no matter where it goes. Security needs to be transparent in solutions, without impacting the user experience. Organizations and developers need to define a resilient security architecture and deploy data-centric security technologies that support agility, speed, cost-effectiveness, and innovation in a highly connected world. For developers of mobile, Cloud or IoT applications, finding the right strategy is not always easy.

    Digital Innovation Requires Rethinking Security
    Connected digital services and applications are central to business success today. From Internet of Things (IoT) solutions to mobile apps and Cloud offerings, the trend is toward more data, more access, and more connectivity. Developers are now tasked with not only bringing these solutions to market rapidly, but must also ensure that appropriate security and data protection measures are implemented from the beginning – no business can afford the high costs of data theft.

    The 5 Rules Developers Must Follow
    Clearly, to take advantage of the latest digital business models, organizations need security that can remain with their data and protects the data no matter where it goes. Security needs to be transparent to applications and users, and it cannot impact the user experience. Security must scale to the new business models, and it must be financially viable – a tall order for legacy security solutions. In other words, organizations and developers need to define a resilient security architecture and deploy data-centric security technologies that support agility, speed, cost-effectiveness, and innovation in a highly connected world.

    For developers of enterprise applications, Cloud, or IoT solutions, finding the right strategy is not always obvious or easy. Organizations are challenged to choose a way forward that:
     Meets not only present requirements, but potentially unknown future requirements
     Supports next-generation security capabilities compatible with innovation initiatives such as IoT and Cloud analytics
     Delivers high performance for transaction-intensive workloads
     Can protect all types of data, in motion and at rest, even if the perimeter defenses are breached
     Is affordable, manageable, and reasonably easy to deploy
     Allows the company to get to market more rapidly than the competition without forwarding risk to customers or end-users

    1) Understand Time to Market is Everything

    Do not fall prey to the “rush to release” phenomenon that can impair your ability to mitigate the risks associated with poorly secured application data or ignore security until well after release to market. Unfortunately, the norm for releasing mobile apps is that customer needs often outweigh security measures and security is seen as difficult.

    2) Focus on the Data

    Developers normally focus on the cleanliness of the software – code that cannot be compromised or have malware injected to the application to stop your service in its tracks. Hackers can turn to code modification or reverse engineering methods to inject malicious code or expose sensitive information such as keys for broader exploitation. “Hardening” the application from such threats is important but it’s only part of the puzzle. The real focus should be on protecting the most valuable piece in the equation – the data flowing through your application before it’s active and in-market with thousands or millions of users.

    When a data breach occurs, no one will remember if the developer delivered clean code. The only thing that really matters is if the data were exfiltrated by hackers and the impact to the business.

    3) Weigh Buy Vs. Build Security Options
    Fundamentally, enterprises, application developers, or IoT providers developing modern apps and services have two main routes they can choose for security: 1) they can assemble security functionality themselves with open source pieces, or 2) they can invest in a private enterprise-level security solution that is supported, tested, and proven. Both choices have pros and cons, but not securing the application is no longer an option.

    However, in many other regards, cobbling together a security solution for your application consisting of multiple appliances, services, and software packages from a variety of open source tools and vendors may not be the best choice.

    Point solutions sometimes have difficulty sharing data with one another, leading to a fragmented view of security and limitations on threat detection.
    And, the added complexity creates friction in the drive towards innovation. New apps and services must be made compatible with an array of specialized technologies, each having their own APIs, policies, and requirements.

    With internal security expertise becoming increasingly scarce and expensive, dedicating resources to creating capabilities that already exist in the marketplace may not be the best option. The organization might also be taking focus away from more strategic work, slowing time-to-market.

    With a quality security partner, that aspect of development is taken care of—upgrades and vulnerability fixes are handled by the vendor rather than becoming part of the burden on internal IT and development resources.

    4) Bet on a Platform and a Partner, Not a Toolbox
    For many organizations, a better approach to secure the data of their enterprise, IoT, or Cloud-based offering is to select an overall security platform especially built to meet modern requirements for performance, manageability, and robustness. Technology available today provides end-to-end data lifecycle protection—for data at rest and in motion, on servers, desktops, mobile devices, and the Cloud. Such a partner can be an invaluable asset in the quest to gain a competitive edge through technology.

    A data protection partner providing a holistic solution should meet certain criteria.

    5) Understand the Simpler, Smarter Security Choice

    When you replace Open Source SSL/TLS with CENTRI, your application will never transmit a single byte in the clear. This means there are no vectors for compromise and no possibility of ‘man-in-the-middle’ attacks. CENTRI not only encrypts all traffic using advanced encryption technology with no known vulnerabilities, it also compresses and optimizes all traffic, in a single pass.

    Conclusion
    Developers and security architects have a critical choice to make when securing the data with their next application – use legacy methods and open source tools that have known vulnerabilities and can increase risk, or apply a modern solution designed to protect data throughout mobile, Cloud, and IoT environments. The five rules of getting to market faster, focusing on the data, weighing buy versus build options, betting on a platform and a partner – and understanding the CENTRI way to securing your data can help developers to launch innovations with better preparedness, reduce time to market and, most importantly, lower risk of data exfiltration.

  3. Tomi Engdahl says:

    Speaking in Tech: Nope, sorry waiter. I won’t pay with that card reader
    PoS issues? It’s not like consumers have any control
    http://www.theregister.co.uk/2016/08/10/speaking_in_tech_episode_223/

  4. Tomi Engdahl says:

    Annoying ‘Open PDF In Edge’ Default Option Puts Windows 10 Users At Risk
    https://tech.slashdot.org/story/16/08/09/2229247/annoying-open-pdf-in-edge-default-option-puts-windows-10-users-at-risk

    Microsoft fixed today a serious security flaw in the Windows PDF Library, a standard library used by Windows 10 to open and render PDF files, embedded by default in Edge. Exploiting this flaw allows attackers to execute code on the user’s machine and take over the device, just by tricking a user into accessing a PDF hosted online via Edge.

    Annoying “Open PDF in Edge” Default Option Puts Windows 10 Users at Risk
    Windows 10 update fixes RCE bug in standard PDF library
    Read more: http://news.softpedia.com/news/annoying-open-pdf-in-edge-default-option-puts-windows-10-users-in-danger-507138.shtml

  5. Tomi Engdahl says:

    Alex Dobie / Android Central:
    Android’s Verify Apps feature, included in Google Play Services and enabled by default since Android 4.2, can identify and block apps using the QuadRooter flaw

    Google confirms ‘Verify Apps’ can block apps using QuadRooter vulnerabilities
    http://www.androidcentral.com/google-confirms-verify-apps-can-block-apps-quadrooter-exploits

    Latest exploit is roadblocked on 90% of Android devices, thanks to security feature enabled in Android 4.2.

    QuadRooter is the latest big Android security scare — a collection of 4 vulnerabilities in Qualcomm-based Android gadgets that could allow a malicious app to gain root access, allowing it to do basically anything on an affected device.

    Unlike last year’s Stagefright exploits, QuadRooter needs to be delivered in the form of an app, meaning you’d have to enable “Unknown Sources” and manually install an app from somewhere nefarious in order to become infected. However Android’s “Verify Apps” feature, included in Google Play Services and enabled by default almost four years ago in Android 4.2 Jelly Bean, is designed to protect against exactly this sort of thing.

    While devices are technically still “vulnerable” even with Verify Apps, users would have to manually disable yet another security feature to be affected. Apps using an exploit as serious as QuadRooter would likely be roadblocked completely by Verify Apps — Android would display an “Installation has been blocked” message with no option to ignore and install anyway.

  6. Tomi Engdahl says:

    James Vincent / The Verge:
    Researcher: Samsung Pay flaw could let hackers skim payment tokens, make fraudulent payments; Samsung says attack is extremely difficult, deems risk acceptable

    Samsung Pay hack lets attackers skim cards to make fraudulent payments
    http://www.theverge.com/2016/8/9/12410716/samsung-mobile-pay-token-hack-defcon

    Contactless mobile payments come as standard in Samsung’s latest Galaxy smartphones, but a hacker has found a way to intercept their signals. In a presentation given at Defcon, Salvador Mendoza outlined a number of attacks targeting Samsung Pay, with the smartphone maker responding that it knew about this flaw, but that such attacks are “extremely difficult” to pull off.

    The attacks outlined by Mendoza focus on intercepting or fabricating payment tokens — codes generated by the user’s smartphone that stand in for their credit card information. These tokens are sent from the mobile device to the payment terminal during wireless purchases. They expire 24 hours after being generated and are single-use only.

    Mendoza outlined a number of attacks targeting this.

    A hacker might trick the user by asking to see a demonstration of Samsung Pay. You can see this method in action in a video by Mendoza.

    In his presentation, Mendoza also claims to have found patterns in Samsung’s method of token generation, allowing a hacker to hypothetically make their own new, usable tokens.

    In a blog post, Samsung refuted this part of Mendoza’s presentation, saying: “It is important to note that Samsung Pay does not use the algorithm claimed in the Black Hat presentation to encrypt payment credentials.” However, in an attached FAQ, the company admits that in certain scenarios an attacker could skim a user’s payment token and make a fraudulent purchase with their card.

    TokenGet
    https://www.youtube.com/watch?time_continue=11&v=QMR2JiH_ymU

  7. Tomi Engdahl says:

    Kashmir Hill / Fusion:
    Researchers find Bluetooth-enabled vibrator sends data including temperature and vibration settings to its manufacturer while in use

    This sex toy tells the manufacturer every time you use it
    http://fusion.net/story/334603/sex-toy-we-vibe-privacy/

    The We-Vibe 4 Plus is a rubbery clamp that looks a little like the oversized thumb and forefinger of a Disneyland character pinching down.

    But you should know a little something about your pleasure toy: it regularly violates the “don’t-vibrate-and-tell” rule.

    When the device is in use, the We-Vibe 4 Plus uses its internet connectivity to regularly send information back to its manufacturer, Standard Innovations Corporation. It sends the device’s temperature every minute, and lets the manufacturer know each time a user changes the device’s vibration level. The company could easily figure out some seriously intimate personal information like when you get off, how long it takes, and with what combinations of vibes.

    This was revealed on Friday at hacker conference Defcon in Las Vegas by two security researchers, who wish to be called only by their handles @g0ldfisk and @rancidbacon.

    Standard Innovation Corporation’s president Frank Ferrari confirmed that the company collects this information and explained why.

    Yes, thanks to the connectivity of the internet, your orgasms are now subject to market research.

    “We need companies to treat the privacy and security of people’s intimate data seriously,” said researcher @g0ldfisk.

    Now you may be thinking, “Why even have a vibrator that connects to the internet?”

  8. Tomi Engdahl says:

    Alex Kantrowitz / BuzzFeed:
    Reporter uses Facebook to buy an AR-15 assault rifle, despite Facebook banning gun sales — Facebook banned the coordination of private gun sales earlier this year, but it’s still easy to arrange the purchase of firearms on its platform. I should know: I bought one.

    https://www.buzzfeed.com/alexkantrowitz/i-bought-an-ar-15-using-facebook

  10. Tomi Engdahl says:

    Microsoft Secure Boot key debacle causes security panic
    Security failures have created “golden keys” which unlock Windows devices protected by Secure Boot.
    http://www.zdnet.com/article/microsoft-secure-boot-key-debacle-causes-security-panic/

    Microsoft has accidentally leaked the keys to the kingdom, permitting attackers to unlock devices protected by Secure Boot — and it may not be possible to fully resolve the leak.

    The design flaw in the Windows operating system can be used to unlock Windows devices, including smartphones and tablets, which are otherwise protected by Secure Boot in order to run operating systems other than Windows on locked down systems.

    This, in turn, allows someone with admin rights or an attacker with physical access to a machine not only to bypass Secure Boot and run any operating system they wish, such as Linux or Android, but also permits the installation and execution of bootkits and rootkits at the deepest level of the device, security researchers MY123 and Slipstream revealed in a blog post on Tuesday.

    Reply
  11. Tomi Engdahl says:

    Cyber-crime cost calculation studies are rubbish: ENISA
    Do I have a bid for millions? Hundreds of millions? Security wonks say the auction’s bunk
    http://www.theregister.co.uk/2016/08/11/your_cybercrime_cost_studies_are_rubbish_enisa/

    ENISA, the European Union Agency For Network And Information Security, has taken a look at “cost of cyber attack” studies and reckons they’re not much good.

    The agency is far too polite to put it that way, but in this report, it says there’s no consistent approach to trying to quantify the cost of attacks on what it calls critical information infrastructures (CIIs).

    “The measurement of the real impact of incidents in terms of the costs needed for full recovery proved to be quite a challenging task”, the report drily notes.

    The agency says there’s plenty of information about, but the studies it analysed “examines the topic from a different perspective, focusing on certain industries, using different metrics, counting only certain types of incidents etc. The lack of a common approach and criteria for performing such an analysis has allowed the development of rarely comparable standalone studies, often relevant only in a certain context.”

    The big problem comes when people try to quantify what an attack actually costs. The studies ENISA reviewed put costs anywhere from €425,000 to €20 million per company per year in Germany (from the Ponemon Institute); although it may be between €2.3 million and €15 million per company per year (also from the Ponemon Institute).

    The cost of incidents affecting CIIs
    https://www.enisa.europa.eu/publications/the-cost-of-incidents-affecting-ciis/

    The aim of the study is to assess the economic impact of incidents that affect CIIs in EU, based on existing work done by different parties, and set the proper ground for the future work of ENISA in this area.

    Reply
  12. Tomi Engdahl says:

    Linux malware? That’ll never happen. Ok, just this once then
    Nastyware targets badly-secured Redis servers, turns them into coin-mining monsters
    http://www.theregister.co.uk/2016/08/11/linux_malware_never_ok_just_this_once_then_if_we_must/

    Russian security outfit Dr. Web says it’s found new malware for Linux.

    The firm says the “Linux.Lady.1” trojan does the following three things:

    1. Collect information about an infected computer and transfer it to the command and control server.
    2. Download and launch a cryptocurrency mining utility.
    3. Attack other computers of the network in order to install its own copy on them.

    The good news is that while the Trojan targets Linux systems, it doesn’t rely on a Linux flaw to run. The problem is instead between the ears of those who run Redis without requiring a password for connections. If that’s you, know that the trojan will use Redis to make a connection and start downloading the parts of itself that do real damage.

    Reply
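An added example (mine, not Dr. Web's or The Register's code) that checks a redis.conf for the exposure described above: a listener that accepts connections without a password. The two configurations are constructed; the findings are the settings a defender would fix first.

```python
"""Audit a redis.conf for the exposure the Linux.Lady trojan relies on: a Redis
listener reachable without a password. Added example, not code from the article
or from Dr. Web; the two configs at the bottom are constructed samples."""
from dataclasses import dataclass, field


@dataclass
class RedisAudit:
    findings: list = field(default_factory=list)

    def ok(self) -> bool:
        return not self.findings


def parse_redis_conf(text: str) -> dict:
    """Map each directive to the arguments of its last occurrence.

    Redis applies the last occurrence of a directive. Only lines whose first
    non-blank character is '#' are comments; an inline '#' is data, so a
    password containing '#' survives parsing."""
    conf: dict = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, *args = line.split()
        conf[key.lower()] = args
    return conf


def audit_redis_conf(text: str) -> RedisAudit:
    """Flag the settings that let an unauthenticated network client reach the server."""
    conf = parse_redis_conf(text)
    audit = RedisAudit()

    # With no 'bind' line Redis listens on every interface; a wildcard does the same.
    binds = conf.get("bind", [])
    if not binds or any(b in {"0.0.0.0", "*", "::"} for b in binds):
        audit.findings.append("listens on all interfaces (no loopback-only 'bind')")

    # 'protected-mode' exists from Redis 3.2 on and defaults to yes; it refuses
    # remote clients when neither a bind address nor a password is configured.
    if (conf.get("protected-mode") or ["yes"])[0].lower() == "no":
        audit.findings.append("protected-mode disabled")

    password = conf.get("requirepass", [])
    if not password or password[0] in ("", '""'):
        audit.findings.append("no 'requirepass': every client that reaches the port has full access")
    elif len(password[0].strip('"')) < 16:
        # Redis answers commands very quickly, so a short password is guessable in bulk.
        audit.findings.append("'requirepass' is short enough to guess quickly")

    return audit


# Constructed sample: the kind of server the article describes, reachable by anyone.
WEAK_CONF = """\
# redis.conf that 'just works'
port 6379
protected-mode no
daemonize yes
"""

# Constructed sample: same server, loopback only and password protected.
HARDENED_CONF = """\
port 6379
bind 127.0.0.1
protected-mode yes
requirepass 7c9e1fd0b3a4e5f6a1b2c3d4e5f60718
daemonize yes
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        result = audit_redis_conf(text)
        print(name, "OK" if result.ok() else result.findings)
```

The audit deliberately stops at reachability and authentication, which is the whole of the problem the article describes: the trojan needs no Linux flaw, only a Redis instance that answers strangers.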
  13. Tomi Engdahl says:

    Online Drug Sales Triple After Silk Road Closure, Says Report
    https://science.slashdot.org/story/16/08/10/2054216/online-drug-sales-triple-after-silk-road-closure-says-report

    The closure of Silk Road — a marketplace where internet users could purchase drugs and other illegal goods — in 2013 has had little to no effect on drug sales. According to a new report from RAND, online drug sales have tripled since the site was shut down.

    Internet-facilitated drugs trade
    An analysis of the size, scope and the role of the Netherlands
    http://www.rand.org/pubs/research_reports/RR1607.html
    http://www.rand.org/content/dam/rand/pubs/research_reports/RR1600/RR1607/RAND_RR1607.pdf

    Reply
  14. Tomi Engdahl says:

    FreeBSD devs ponder changes to security processes
    Flaws were being discussed publicly, but not officially revealed to users
    http://www.theregister.co.uk/2016/08/11/freebsd_devs_ponder_changes_to_security_processes/

    The developers of FreeBSD have announced they’ll change the way they go about their business, after users queried why known vulnerabilities weren’t being communicated to users.

    “As a general rule, the FreeBSD Security Officer does not announce vulnerabilities for which there is no released patch.”

    The operating system’s developers and security team are now “reviewing this policy for cases where a proof-of-concept or working exploit is already public.”

    That post also explains that the team is considering more detailed security advisories. There’s also an admission that the proposed patch may have broken other things in the OS.

    Reply
  15. Tomi Engdahl says:

    Samsung Pay Hack Lets Attackers Make Fraudulent Payments
    https://news.slashdot.org/story/16/08/10/2252257/samsung-pay-hack-lets-attackers-make-fraudulent-payments?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29

    The Verge reports that a security researcher at DefCon outlined a number of attacks targeting Samsung Pay, Samsung’s digital payment system that runs on their smartphones. According to the article, the attack “[focuses] on intercepting or fabricating payment tokens — codes generated by the user’s smartphone that stand in for their credit card information.”

    Samsung Pay hack lets attackers skim cards to make fraudulent payments
    http://www.theverge.com/2016/8/9/12410716/samsung-mobile-pay-token-hack-defcon

    Contactless mobile payments come as standard in Samsung’s latest Galaxy smartphones, but a hacker has found a way to intercept their signals. In a presentation given at Defcon, Salvador Mendoza outlined a number of attacks targeting Samsung Pay, with the smartphone maker responding that it knew about this flaw, but that such attacks are “extremely difficult” to pull off.

    https://media.defcon.org/DEF%20CON%2024/DEF%20CON%2024%20presentations/DEFCON-24-Salvador-Mendoza-Samsung-Pay-Tokenized-Numbers-WP.pdf

    Reply
  16. Tomi Engdahl says:

    Kansas Family Sues Digital Mapping Company That Made Their Farm a Target for Cops
    http://time.com/4446838/kansas-family-sues-maxmind-mapping-company/

    They’ve been through “digital hell,” their lawyer said


    A Kansas family has sued a digital mapping company over a default setting that made their farm a frequent target for criminal suspicion over the years.

    Imagine having a constant stream of inexplicable and upsetting visitors to your house: cops looking for child pornographers; U.S. marshals looking for fugitives; responders rushing to the aid of suicidal people; sheriffs tracking down stolen vehicles. Incidents like this happened repeatedly

    The company MaxMind makes digital maps of IP addresses, tracking down the geolocation of Internet usage. It’s a difficult practice, and when an exact address can’t be found, the software defaults to a generic location: in this case, the Taylor farm, which is located roughly in the center of the U.S. Over time, the company’s services mapped 600 million IP addresses to the property.

    How an internet mapping glitch turned a random Kansas farm into a digital hell
    http://fusion.net/story/287592/internet-mapping-glitch-kansas-farm/

    Reply
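Added example, not from the Time or Fusion articles or from MaxMind: two checks a consumer of IP geolocation results can apply so that a coarse fallback coordinate is never treated as an address, which is the failure the Taylor farm case illustrates. The lookups and coordinates are constructed, and `granularity` is an assumed field naming the most specific level the provider could resolve.

```python
"""Sanity checks for IP geolocation results. Added example, not code from the
articles or from MaxMind. All lookups below are constructed; the repeated
(38.0, -97.0) pair plays the role of a country-level default coordinate."""
from collections import Counter

# Constructed lookup results: (label, latitude, longitude, granularity).
LOOKUPS = [
    ("lookup-01", 39.7392, -104.9903, "city"),
    ("lookup-02", 38.0000, -97.0000, "country"),
    ("lookup-03", 38.0000, -97.0000, "country"),
    ("lookup-04", 38.0000, -97.0000, "country"),
    ("lookup-05", 38.0000, -97.0000, "country"),
    ("lookup-06", 40.7128, -74.0060, "postal"),
    ("lookup-07", 41.8781, -87.6298, "city"),
    ("lookup-08", 34.0522, -118.2437, "region"),
    ("lookup-09", 29.7604, -95.3698, "postal"),
    ("lookup-10", 47.6062, -122.3321, "city"),
]

# Coarser levels rank lower; anything below the chosen minimum is an area, not a point.
PRECISION_RANK = {"country": 0, "region": 1, "city": 2, "postal": 3}


def sentinel_coordinates(lookups, min_share=0.3):
    """Coordinates that receive an outsized share of all results are defaults
    (a country or continent centroid), not a place where anyone actually is.
    The share threshold is a tuning choice; in a large dataset a default
    still stands out far above any genuine location."""
    counts = Counter((round(lat, 4), round(lon, 4)) for _, lat, lon, _ in lookups)
    return {coord for coord, n in counts.items() if n / len(lookups) >= min_share}


def assess(lookup, sentinels, minimum="city"):
    """Return (actionable, reason) for one lookup result."""
    _, lat, lon, granularity = lookup
    if (round(lat, 4), round(lon, 4)) in sentinels:
        return False, "bulk default coordinate; carries no location information"
    if PRECISION_RANK.get(granularity, -1) < PRECISION_RANK[minimum]:
        return False, f"{granularity}-level result is an area, not a point"
    return True, f"usable at {granularity} level; still an estimate, never a street address"


def triage(lookups):
    """Assess every lookup against the sentinels found in the same batch."""
    sentinels = sentinel_coordinates(lookups)
    return {label: assess((label, lat, lon, g), sentinels) for label, lat, lon, g in lookups}


if __name__ == "__main__":
    for label, (actionable, reason) in triage(LOOKUPS).items():
        print(label, "ACT" if actionable else "HOLD", reason)
```

The first check needs no provider metadata at all: a coordinate that keeps reappearing across unrelated lookups is a sentinel value, and any process that dispatches people to coordinates should refuse it outright.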
  17. Tomi Engdahl says:

    Statement on the allegation concerning Samsung Pay security
    http://security.samsungmobile.com/spost.html

    It is important to note that Samsung Pay does not use the algorithm claimed in the Black Hat presentation to encrypt payment credentials or generate cryptograms.

    Samsung Pay is considered safer than payment cards because it transmits one time use data at the vast majority of merchants that do not yet have EMV (smart payment) terminals. With Samsung Pay, users do not have to swipe a static magnetic stripe card.

    Reply
  18. Tomi Engdahl says:

    Is Security A Priority?
    http://semiengineering.com/is-security-a-priority/

    In safety critical industries, systems vendors are demanding security. In others, it’s still a risk-benefit equation.

    Ask any two executives in the semiconductor industry about security threats and there is a good chance you will get two totally different answers. The disturbing part is they both may be right.

    In markets where there is no physical danger to people, security always has been viewed as a risk versus profit equation. At conferences over the past year, numerous executives have touted the Transport Layer Security (TLS) as a sufficient safeguard, for example, despite the fact that it has done little to stem the rising number of breaches in markets where it was deployed.

    Where lives are at stake, such as the automotive, medical and aerospace markets, attitudes about security are different. From initial architecture through manufacturing and into post-silicon testing, supply chain tracking, and over-the-air updates, security is being taken very seriously.

    Adhering to industry best practices always has been a good legal defense. But with breaches involving connected, driver-assisted vehicles, there is no legal precedent. And with an estimated 60 million new cars sold each year, all of them using varying levels of connectivity using technology that is still evolving, risk is significantly higher. Also at issue is damage to a corporation’s image, such as the controversial hack of a Jeep. In light of that, chipmakers and IP vendors say Tier-one and Tier-two automotive suppliers are very focused on improving security and reliability of software and hardware components, as well as internally and externally developed IP blocks that contain both.

    “There are hundreds of electronic control units spread through the car, 100 million or more lines of software code, security issues, infotainment, driver assist,”

    “The challenge with security is that it is not just a part in a solution,” said Mike Eftimakis, IoT product manager at ARM. “You need to build in trust at every step. And with a divide-and-conquer approach to design, it’s necessary to include lifecycle security. You cannot avoid attacks, and the risk of intruders is increasing. So you need to add control into a device to check what is happening, and you need to be able to program it and restart it from a good base. We call this a chain of trust, and it cannot be impacted by tampering. This is the element used to refresh or reprogram a device. You also need to be able to disconnect a device if that control cannot be recovered.”

    Eftimakis said that TLS is simply one protocol in a security stack, which by itself is insufficient. “TLS deals with the communication between devices, but there are other types of security that need to be considered. Complex systems are running many different types of software that are not controlled. The complexity of a device may not be high or the software may be a small part of the whole solution. But what’s clear is that security is not an option for any device. Everyone will require security. It is not a differentiator anymore.”

    Vulnerability points
    In the past, hardware was assumed to be far less vulnerable to hacking than software. While there was always a risk in certain markets, that risk was generally well understood. “I remember a large company that had acquired a small pacemaker company,” said Aart de Geus, chairman and co-CEO of Synopsys. “They divested it because the large company could not take the insurance risk of the pacemaker killing someone.”

    “If the keys leak, security is compromised,” said Asaf Ashkenazi, senior director of product management in Rambus’ Security Division. “If you can crack into a key, you can replace the software and remotely control a device.”

    “Sometimes people forget about how a key gets into a device. The provisioning part can be complicated to do securely. There are a lot of devices manufactured in environments that are not secured. It also can be extremely expensive. And sometimes it doesn’t work well. So you may try to hide a key, but once someone gets a hold of that then all the keys are compromised.”

    Storing the keys adds its own set of issues. Typically they are stored in memory, which is subject to side-channel attacks or direct attacks in which the package is physically ground down and probes inserted. “No one solution protects against everything,” said Ashkenazi.

    Memory IP vendors are well aware of this.

    Marvell CTO Zining Wu agrees, noting the problem in many cases is approaching security differently within a design. “Security is one of the most important elements in design, but this is a process change for many people. The technology is already there. You have to make sure a key is secure and in a secure position and that no software or hardware touches it.”

    Wu noted that a “chain of trust” handshake needs to be implemented, but he said much of this already has been created on the computer side. The challenge now is getting people to use it correctly.

    Moving targets
    Adopting this kind of restrictive design is new to most industries outside of defense. But as more markets transect each other with the Internet of Things, the risk equation can change very quickly.

    “Even if we have a methodology that truly should capture all security issues, after a product is shipped a new hack may be discovered,” said Synopsys’ de Geus. “We have a capability today that allows us to help our customers find the fingerprint of open source software in binary code. There is a registry of open source software with the vulnerabilities, which is updated all the time. If you are diligent and ship your product and then a new one is discovered, we can inform you. Do you want to know? Do you want your customer know? These are moving targets. That will bring about a set of interesting challenges of how we deal with it.”

    On top of that, much of this technology is new.

    “It’s a learning experience,” said Lip-Bu Tan, president and CEO of Cadence. “We’re learning with our tier one customers. There are a lot of new problems they’ve never had to deal with before. There is more processing and machine learning and intelligence.”

    Conclusion
    Technology companies are still trying to comprehend the impact of pervasive and continuous connectivity on increasingly complex technology. Standards are insufficient, not everyone is playing in the same sandbox with equal regard to security, and there are rising concerns that a failure by one company can inadvertently affect another in far more profound ways than in the past.

    Reply
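Added example, not from the article or from ARM, Marvell or any other vendor quoted in it: a model of the chain of trust Eftimakis and Wu describe, where a root of trust pins the first stage, each stage carries the digest of the next, and a tampered stage stops the chain and falls back to a known-good image. Production secure boot verifies signatures over the images; the SHA-256 digest pinned by the previous stage stands in for that step here, and the stage names and contents are constructed.

```python
"""Chain-of-trust model: a root anchor validates stage 0, each stage vouches
for its successor, a failed check falls back to a known-good image set.
Added example; not code from the article or from any vendor named in it.
A digest pinned by the previous stage stands in for the signature check
that real secure boot performs (assumption of this example)."""
import hashlib
from dataclasses import dataclass
from typing import Optional


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class Stage:
    name: str
    code: bytes
    next_digest: Optional[str]  # what this stage expects of its successor; None for the last stage

    def image(self) -> bytes:
        # What actually gets measured: the code plus the embedded expectation,
        # so changing either the code or the pinned digest changes the measurement.
        return self.code + b"|" + (self.next_digest or "").encode()


def build_chain(names, codes):
    """Build stages back to front so each can embed its successor's digest.
    Returns (stages, anchor); the anchor is what the root of trust must hold."""
    stages, nxt = [], None
    for name, code in reversed(list(zip(names, codes))):
        stage = Stage(name, code, nxt)
        nxt = digest(stage.image())
        stages.append(stage)
    stages.reverse()
    return stages, nxt


def verify_chain(root_anchor: str, stages) -> tuple:
    """Walk the chain as a boot ROM would. Returns (True, None) on success or
    (False, name) for the first stage whose measurement did not match."""
    expected = root_anchor
    for i, stage in enumerate(stages):
        if digest(stage.image()) != expected:
            return False, stage.name
        if stage.next_digest is None and i != len(stages) - 1:
            return False, stage.name  # a stage that vouches for nothing cannot hand off
        expected = stage.next_digest
    return True, None


def boot(root_anchor: str, candidate, golden) -> str:
    """Boot the candidate image set if it verifies, else the known-good set:
    the 'restart from a good base' the article describes. 'halt' if neither verifies."""
    if verify_chain(root_anchor, candidate)[0]:
        return "candidate"
    return "golden" if verify_chain(root_anchor, golden)[0] else "halt"


def tamper(stages, index: int, new_code: bytes):
    """Copy of the chain with one stage's code replaced, keeping its pinned digest."""
    copy = list(stages)
    s = copy[index]
    copy[index] = Stage(s.name, new_code, s.next_digest)
    return copy


# Constructed image sets: the shipped chain and a legitimate later update.
NAMES = ["bootloader", "kernel", "app"]
GOLDEN, ROOT_ANCHOR = build_chain(NAMES, [b"BL v1", b"KERNEL v1", b"APP v1"])
UPDATED, NEW_ANCHOR = build_chain(NAMES, [b"BL v2", b"KERNEL v2", b"APP v2"])

if __name__ == "__main__":
    print("golden:", verify_chain(ROOT_ANCHOR, GOLDEN))
    print("modified app:", verify_chain(ROOT_ANCHOR, tamper(GOLDEN, 2, b"APP modified")))
    print("boot with modified bootloader ->", boot(ROOT_ANCHOR, tamper(GOLDEN, 0, b"BL modified"), GOLDEN))
    print("update under old anchor:", verify_chain(ROOT_ANCHOR, UPDATED))
```

The last line of the demo is the point Eftimakis makes about refreshing a device: a legitimate update changes the first measurement too, so the anchor the root of trust holds has to be re-provisioned through the same trusted path, or the device will keep falling back to its old image.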
  19. Tomi Engdahl says:

    Got Microsoft? Time to Patch Your Windows
    http://krebsonsecurity.com/2016/08/got-microsoft-time-to-patch-your-windows/

    Microsoft churned out a bunch of software updates today to fix some serious security problems with Windows and other Microsoft products like Internet Explorer (IE), Edge and Office. If you use Microsoft, here are some details about what needs fixing.

    Reply
  20. Tomi Engdahl says:

    Firewall price is growing steadily

    Company connections have to carry ever more broadband traffic. As a result, the price of firewall solutions is increasing by 2-3 per cent, says a recent report by Gartner.

    Cloud services and the growing number of devices connected to the network drive this growth. Although companies are very cost-aware, they are willing to invest in firewalls and other security.

    According to Gartner, $81.6 billion will be invested in security this year. The sum is 7.9 per cent higher than the previous year.

    By 2020, investments will grow the most in security testing, IT outsourcing and DLP technology (Data Loss Prevention).

    Source: http://etn.fi/index.php?option=com_content&view=article&id=4812:palomuurin-hinta-kasvaa-tasaisesti&catid=13&Itemid=101

    Reply
  21. Tomi Engdahl says:

    July 2016: A Perfect Vulnerability Storm
    http://www.securityweek.com/july-2016-perfect-vulnerability-storm

    It turned out to be a tricky month for security admins to take that long-awaited summer vacation because July was one of the busiest months in recent memory in terms of vulnerabilities. The vulns were copious and severe, and all the big vendors seemed to suffer. And while every organization strives to keep all of their technology patched and updated, months like this one remind us that it is virtually impossible to be perfect. Let’s take a quick look at all the recent action and recap what you need to know.

    Reply
  22. Tomi Engdahl says:

    Hadoop Data Encryption: “P.S. Find Robert Langdon”
    http://www.securityweek.com/hadoop-data-encryption-ps-find-robert-langdon

    encryption was not built into Apache Hadoop from the start – it was added over time and implemented across components. And today it has become a common method used to protect big data at financial institutions, healthcare organizations, telecommunication companies and government agencies.

    HDFS Encryption

    HDFS natively supports encryption of data via a mechanism called Encryption Zones. How it works is that an Encryption Zone is basically an HDFS directory that has been associated with an encryption key. Once the directory has been associated with the encryption key, all files in the directory and subdirectory will be encrypted automatically.

    When using HDFS encryption, not all data in HDFS needs to be encrypted; you can have some directories with public or non-sensitive data in cleartext while sensitive data gets encrypted. Hadoop users can have their own Encryption Zones to protect their data from other users, and I will go more into that in the next section.

    A common misconception about native HDFS encryption is the belief that the data is encrypted when written to disk on the data nodes like most disk encryption solutions. In fact, the data actually gets encrypted before it is sent to the data node. That architecture has two nice side effects: one is that the data is also protected in transit and the other is that it also prevents the keys from being exposed on the data nodes where the data is stored.

    Reply
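Added example (mine, not code from the SecurityWeek article or from Apache Hadoop) that models the Encryption Zone flow described above end to end: the client does the encryption, the DataNode only ever stores ciphertext, and a per-file data encryption key (DEK) is released wrapped under the zone key, and unwrapped only for a user allowed on that key. Real HDFS does this through the Hadoop KMS with AES-CTR; an HMAC-SHA256 keystream stands in for AES here, an assumption made only so the example runs on the standard library, and the users, paths and file contents are constructed.

```python
"""Encryption Zone flow from the article, modelled end to end: the client encrypts,
the DataNode stores only ciphertext, and the key server releases a per-file DEK
only to users allowed on the zone key. Added example, not Apache Hadoop code; an
HMAC-SHA256 keystream stands in for the AES-CTR that real HDFS uses (assumption
made so this runs on the standard library alone)."""
import hashlib, hmac, os

def ctr_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode XOR with an HMAC-SHA256 keystream; the same call encrypts and decrypts."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hmac.new(key, nonce + (off // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)

def wrap(kek: bytes, dek: bytes) -> bytes:
    """Zone key + DEK -> EDEK as nonce | ciphertext | integrity tag; this is what the NameNode stores."""
    nonce = os.urandom(16)
    ct = ctr_xor(kek, nonce, dek)
    return nonce + ct + hmac.new(kek, nonce + ct, hashlib.sha256).digest()

def unwrap(kek: bytes, edek: bytes) -> bytes:
    nonce, ct, tag = edek[:16], edek[16:-32], edek[-32:]
    if not hmac.compare_digest(tag, hmac.new(kek, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("EDEK failed integrity check")
    return ctr_xor(kek, nonce, ct)

class KMS:  # key server stand-in: owns zone keys, decides who may unwrap a DEK
    def __init__(self):
        self.keys, self.acl = {}, {}

    def create_key(self, name, allowed_users):
        self.keys[name], self.acl[name] = os.urandom(32), set(allowed_users)

    def generate_edek(self, key_name):
        return wrap(self.keys[key_name], os.urandom(32))  # fresh DEK for each file

    def decrypt_edek(self, key_name, edek, user):
        if user not in self.acl[key_name]:
            raise PermissionError(f"{user} may not use zone key {key_name}")
        return unwrap(self.keys[key_name], edek)

class NameNode:  # metadata only: which directories are zones, and each file's EDEK
    def __init__(self, kms, zones):
        self.kms, self.zones, self.file_edek = kms, dict(zones), {}

    def zone_key_for(self, path):
        for zone, key in self.zones.items():
            if path == zone or path.startswith(zone.rstrip("/") + "/"):
                return key
        return None

    def create_file(self, path):
        key = self.zone_key_for(path)
        if key is None:
            return None, None  # outside every zone: stored in cleartext
        self.file_edek[path] = self.kms.generate_edek(key)
        return key, self.file_edek[path]

class Client:
    def __init__(self, user, nn, blocks):
        self.user, self.nn, self.blocks = user, nn, blocks  # blocks: the DataNode's store

    def write(self, path, data):
        key, edek = self.nn.create_file(path)
        if key is None:
            self.blocks[path] = data
            return
        dek = self.nn.kms.decrypt_edek(key, edek, self.user)
        iv = os.urandom(16)
        self.blocks[path] = iv + ctr_xor(dek, iv, data)  # encrypted before it leaves the client

    def read(self, path):
        key, blob = self.nn.zone_key_for(path), self.blocks[path]
        if key is None:
            return blob
        dek = self.nn.kms.decrypt_edek(key, self.nn.file_edek[path], self.user)
        return ctr_xor(dek, blob[:16], blob[16:])

def demo():
    """Constructed scenario: alice is on the ACL of the /secure/hr zone key, bob is not."""
    kms = KMS()
    kms.create_key("hr-key", allowed_users={"alice"})
    nn, datanode = NameNode(kms, {"/secure/hr": "hr-key"}), {}
    alice, bob = Client("alice", nn, datanode), Client("bob", nn, datanode)
    secret, notice = b"salary table (constructed sample)", b"public notice (constructed sample)"
    alice.write("/secure/hr/salaries.csv", secret)
    alice.write("/public/notice.txt", notice)
    try:
        bob.read("/secure/hr/salaries.csv")
        bob_can_read = True
    except PermissionError:
        bob_can_read = False
    return {
        "roundtrip": alice.read("/secure/hr/salaries.csv") == secret,
        "datanode_sees_plaintext": secret in datanode["/secure/hr/salaries.csv"],
        "public_in_clear": datanode["/public/notice.txt"] == notice,
        "bob_can_read": bob_can_read,
    }
```

Three things the demo makes visible that the prose only states: the DataNode store never contains the plaintext or a key, a file outside the zone is written in the clear exactly as the article says it can be, and a second user is stopped at the key server rather than at the file system, because the ciphertext alone is useless to him.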
  23. Tomi Engdahl says:

    Containerized Security: The Next Evolution of Virtualization?
    http://www.securityweek.com/containerized-security-next-evolution-virtualization

    We in the security industry have gotten into a bad habit of focusing the majority of our attention and marketing dollars on raising awareness of the latest emerging threats and new technologies being developed to detect them.

    For example, when security became virtualized, it brought with it the promise of several benefits, including increased speed and scalability with decreased overhead and costs of security infrastructure in virtualized data centers and cloud environments. There’s little doubt that this transition to virtualized security has been a positive one for many organizations who are now able to more effectively scale and customize security policies faster than ever before.

    But what can we do next to make sure we’re continuing to innovate and keep our security functions ahead of the curve?

    One of the most promising new approaches is putting security functions into containers. Just as containers provide a wide range of benefits for applications that need to migrate between computing environments, there are also benefits to using them to secure networks. The decrease in size and power needed to run security operations through a container using one operating system, as opposed to operations through several operating systems, can have a massive effect on cost and scalability, while providing an efficient way to secure your network.

    There are several benefits to containerizing your security functions. The most obvious of these is cost savings – with all of your operations able to run through only one container, you can decrease the amount you need to spend on multiple operating systems. From a performance standpoint, you will be able to achieve massive scalability and a significant increase in speed of services. Containers can be booted up almost immediately, while your average virtual machine (VM) may take several minutes to start.

    Just as we started with VMs on servers, there was a general perception that there was no need for security. But as adoption of containers progresses in data centers and clouds, many organizations have quickly realized the need to add security in the overall mindset of building virtualized environments.

    1) Are you already using Dockers? If your organization is using containers for any other part of their infrastructure, it’s highly logical to extend this practice to security. Once containers are in place, their scalability makes it easy to add other features to their existing functions with minimal additional cost or impact on performance.

    2) What kind of environment are you looking to support?

    3) What is your long term strategic business direction?

    While using containers to secure your organization is a relatively novel approach, it can lead to cost savings and massive scalability. By considering containers for security, you could be an early adopter to an innovative new approach that will allow you to stay ahead of both the competition and the cybercriminals.

    Reply
  24. Tomi Engdahl says:

    Using Cybersecurity to Thrive in the Face of Continuous Change
    http://www.securityweek.com/using-cybersecurity-thrive-face-continuous-change

    The ancient Greek philosopher Heraclitus observed, “The only thing that is constant is change.” Fast forward 2,500 years and he could have been speaking about today’s digital era.

    Technology is changing. Business models are changing. Products and services are changing. The threat landscape is changing. And the requirements for business success are changing. The common thread woven through all of these changing facets of the modern economy is cybersecurity. With the right approach to cybersecurity organizations can embrace new technologies, adopt new business models, offer more competitive products and services, increase their resilience to evolving threats, and gain a competitive edge.

    As a security professional, this puts you at the center of change and your organization’s ability to navigate into the future. You have the power to help position your organization for success and keep it from getting sidetracked. But how do you harness cybersecurity to help your organization take advantage of new opportunities in order to thrive in this digital era?

    1. Own it. To succeed in the digital era you need to turn cybersecurity into your growth advantage, ensuring you get your share of digital value at stake.

    2. Be a savvy risk-taker. When it comes to digital transformation, mitigate risk by choosing projects with a high opportunity-to-risk ratio, not just a low-risk profile.

    3. Trade up. Successful organizations compete and thrive in this new era by recognizing that cybersecurity itself is an engine for digital business transformation.

    4. Make it a mindset. The same proactive measures that help your organization excel in cybersecurity can also strengthen product development, risk management, threat analysis, and response in other parts of the business.

    5. Measure what matters. Attackers currently have unconstrained time to operate, giving them a higher chance of succeeding. Instead of just measuring the number of blocked threats, time to detection is the real indicator of security effectiveness, allowing you to contain an attack and remediate faster.

    Reply
  25. Tomi Engdahl says:

    Air Gap or Not, Why ICS/SCADA Networks Are at Risk
    http://www.securityweek.com/air-gap-or-not-why-icsscada-networks-are-risk

    The commonly held belief that ICS/SCADA systems are immune to cyber attacks because they are disconnected from the Internet and the corporate network by an “Air Gap” is no longer true or feasible in an interconnected world. While many organizations will readily admit that the traditional air gap is disappearing, some still believe this is a viable security measure.

    In theory, an air gap sounds like a good strategy. In practice, things are never that simple. Even in cases where an organization has taken every measure possible to isolate their ICS network and disconnect it from the outside world, we have seen cyber threats compromise the perimeter. Meanwhile, even if it were possible to completely air gap an ICS network, insiders still pose a threat.

    Whether an organization implements an air gap or not, here are several reasons why ICS networks are at risk.

    The Need to Exchange Files
    Compromised Personal Devices
    Vulnerabilities and Human Error
    The Insider Threat
    Connected Technologies and IIoT

    Reply
  26. Tomi Engdahl says:

    Rio’s Unprecedented New Surveillance System
    http://www.thedailybeast.com/articles/2011/10/15/rio-de-janeiro-s-control-room-monitors-the-city-like-big-brother.html

    Rio de Janeiro has set up the world’s largest urban-monitoring system, just in time for the World Cup and the Olympics. Julie Ruvolo on how Big Brother got supersized.

    The biggest surveillance screen in Latin America spans 860 square feet in a new building called the Ops Center that most residents of Rio de Janeiro don’t even know exists.

    But Rio knows that they exist, and the people who run this city are now watching these residents in a way that’s never been tried before, from a huge, state-of-the-art space known simply as the Control Room.

    Rio de Janeiro, the second largest city in one of the world’s fastest-emerging economies, has created a surveillance system that makes Big Brother live up to its name. Another 30,000 meters of fiber-optic cables criss-cross another 300 LCD screens spread over 100 rooms in the Ops Center.

    Reply
  27. Tomi Engdahl says:

    Charlie Warzel / BuzzFeed:
    Ten former employees shed light on Twitter’s 10-year failure to stop abuse on its platform — For nearly its entire existence, Twitter has not just tolerated abuse and hate speech, it’s virtually been optimized to accommodate it. With public backlash at an all-time high and growth stagnating …

    “A Honeypot For Assholes”: Inside Twitter’s 10-Year Failure To Stop Harassment
    https://www.buzzfeed.com/charliewarzel/a-honeypot-for-assholes-inside-twitters-10-year-failure-to-s?utm_term=.lbVdMpeD9w#.xoqjQlVomk

    For nearly its entire existence, Twitter has not just tolerated abuse and hate speech, it’s virtually been optimized to accommodate it. With public backlash at an all-time high and growth stagnating, what is the platform that declared itself “the free speech wing of the free speech party” to do? BuzzFeed News talks to the people who’ve been trying to figure this out for a decade.

    The Twitter Blog:
    Twitter says BuzzFeed story contains “inaccuracies in the details” and “unfair portrayals” without offering specifics, pledges to continue making Twitter safer — In response to today’s BuzzFeed story on safety, we were contacted just last night for comment and obviously …

    Twitter statement on BuzzFeed safety story
    https://blog.twitter.com/2016/twitter-statement-on-buzzfeed-safety-story

    We feel there are inaccuracies in the details and unfair portrayals but rather than go back and forth with BuzzFeed, we are going to continue our work on making Twitter a safer place. There is a lot of work to

    Reply
  28. Tomi Engdahl says:

    Andy Greenberg / Wired:
    Researchers find cryptographic keys shared by millions of Volkswagen vehicles can allow them to clone key fobs using cheap radio hardware

    A New Wireless Hack Can Unlock 100 Million Volkswagens
    https://www.wired.com/2016/08/oh-good-new-hack-can-unlock-100-million-volkswagens/

    In 2013, when University of Birmingham computer scientist Flavio Garcia and a team of researchers were preparing to reveal a vulnerability that allowed them to start the ignition of millions of Volkswagen cars and drive them off without a key, they were hit with a lawsuit that delayed the publication of their research for two years. But that experience doesn’t seem to have deterred Garcia and his colleagues from probing more of VW’s flaws: Now, a year after that hack was finally publicized, Garcia and a new team of researchers are back with another paper that shows how Volkswagen left not only its ignition vulnerable but the keyless entry system that unlocks the vehicle’s doors, too. And this time, they say, the flaw applies to practically every car Volkswagen has sold since 1995.

    Later this week at the Usenix security conference in Austin, a team of researchers from the University of Birmingham and the German engineering firm Kasper & Oswald plan to reveal two distinct vulnerabilities they say affect the keyless entry systems of an estimated nearly 100 million cars. One of the attacks would allow resourceful thieves to wirelessly unlock practically every vehicle the Volkswagen group has sold for the last two decades, including makes like Audi and Škoda. The second attack affects millions more vehicles, including Alfa Romeo, Citroen, Fiat, Ford, Mitsubishi, Nissan, Opel, and Peugeot.

    Both attacks use a cheap, easily available piece of radio hardware to intercept signals from a victim’s key fob, then employ those signals to clone the key.

    Arduino board with an attached radio receiver that can be purchased for $40.

    100 Million Vehicles, 4 Secret Keys

    Of the two attacks, the one that affects Volkswagen is arguably more troubling, if only because it offers drivers no warning at all that their security has been compromised, and requires intercepting only a single button press.

    Cracked in 60 Seconds

    The second technique that the researchers plan to reveal at Usenix attacks a cryptographic scheme called HiTag2, which is decades old but still used in millions of vehicles.

    Volkswagen didn’t immediately respond to WIRED’s request for comment, but the researchers write in their paper that VW acknowledged the vulnerabilities they found. NXP, the semiconductor company that sells chips using the vulnerable HiTag2 crypto system to carmakers, says that it’s been recommending customers upgrade to newer schemes for years. “[HiTag2] is a legacy security algorithm, introduced 18 years ago,”

    Plenty of evidence suggests that sort of digitally enabled car theft is already occurring.

    Reply
  29. Tomi Engdahl says:

    Linux Trojan Mines for Cryptocurrency Using Misconfigured Redis Database Servers
    Dr.Web discovers new Linux trojan named Linux.Lady.1

    Read more: http://news.softpedia.com/news/linux-trojan-mines-for-cryptocurrency-using-misconfigured-redis-database-servers-507115.shtml#ixzz4H3pqBhxg

    Reply
  30. Tomi Engdahl says:

    Linux Botnets Dominate the DDoS Landscape
    77.4% of targeted resources were located in China
    http://news.softpedia.com/news/linux-botnets-dominate-the-ddos-landscape-507043.shtml

    Linux botnets accounted for 70.2 percent of all DDoS attacks initiated in Q2 2016, according to statistics released by Kaspersky Lab’s most recent edition of its DDoS Intelligence Report.

    This is not a surprising fact, taking into account that, in the previous three months, security researchers unearthed a DDoS-capable botnet of over 25,000 DVRs running Linux-based firmware, another Linux-based botnet that leverages home routers, and over 100 different botnets based on LizardStresser, a tool developed by the infamous Lizard Squad, also targeting Linux-based IoT equipment.

    “IoT botnets to continue to grow”

    “It is possible that by the end of this year the world will have heard about some even more ‘exotic’ botnets, including vulnerable IoT devices,” Kaspersky’s team writes in its report.

    Read more: http://news.softpedia.com/news/linux-botnets-dominate-the-ddos-landscape-507043.shtml#ixzz4H3q8Rufb

    Reply
  31. Tomi Engdahl says:

    Megan Geuss / Ars Technica:
    ATM and PIN-pad hacks demoed at Black Hat security conference show chip cards aren’t impervious to fraud — The good news? Hacks are limited for now. The bad news? Hackers will get better. — Security researchers are eager to poke holes in the chip-embedded credit and debit cards …

    An ATM hack and a PIN-pad hack show chip cards aren’t impervious to fraud
    The good news? Hacks are limited for now. The bad news? Hackers will get better.
    http://arstechnica.com/security/2016/08/an-atm-hack-and-a-pin-pad-hack-show-chip-cards-arent-impervious-to-fraud/

    Security researchers are eager to poke holes in the chip-embedded credit and debit cards that have arrived in Americans’ mailboxes over the last year and a half. Although the cards have been in use for a decade around the world, more brains trying to break things are bound to come up with new and inventive hacks. And at last week’s Black Hat security conference in Las Vegas, two presentations demonstrated potential threats to the security of chip cards. The first involved fooling point-of-sale (POS) systems into thinking that a chip card is a magnetic stripe card with no chip, and the second involved stealing the temporary, dynamic number generated by a chip card and using it in a very brief window of time to request money from a hacked ATM.

    Reply
  32. Tomi Engdahl says:

    Brilliant Device Allows You To Find Stolen Bikes, Keys, Dogs… Anything, Really!
    http://studylifestyle.com/2016/trackr/3/1/?cid=11&utm_term=aol-techcrunch&sxid=q4i61313v9jd

You can track your vehicle without breaking the bank and it’s easier than you ever thought it could be!

As you know, most aftermarket GPS tracking units are expensive and must be installed by a professional. Similar services offered by car manufacturers as a “concierge service” are actually expensive monthly subscriptions that they conveniently hide in your car payment. Either way, they are both costly and require you to pay a monthly bill just to maintain the service. But don’t we already pay enough monthly bills?

    The good news for you is technology is solving many of life’s most annoying problems: Like losing and forgetting where you parked your car!

    One company has created a tiny device with an advanced tracking app that works with iPhone or Android phones and it could be exactly what you’re looking for.

    It’s called TrackR, it’s about the size of a quarter and it’s revolutionizing the way we keep track of our important things.

    You only need to install the thin battery in the TrackR, download the free app on your iPhone or Android, link the device to the app and then attach TrackR to whatever you want to keep tabs on.

Now, if you ever forget where you parked your car you can quickly find it using your smartphone. All you need to do is open the app on your phone, click on the “find device” icon and it will tell you exactly where the TrackR was last seen and the coordinates of its current location.

    Reply
  33. Tomi Engdahl says:

    Dota 2 forum breach leaks 2 million user accounts
    The unnamed hacker took usernames, email addresses, and passwords.
    http://www.zdnet.com/article/dota-2-players-targeted-by-forum-hackers-in-new-breach/

    A hacker has taken off with almost two million accounts associated with the forum for popular online multiplayer game, Dota 2.

    The hack was carried out last month on July 10. The copy of the leaked database was provided to breach notification site LeakedSource.com, which allows users to search their usernames and email addresses in a wealth of stolen and hacked data.

    The hacker took advantage of an SQL injection vulnerability used by the older vBulletin forum software, which powers the community.

    Reply
  34. Tomi Engdahl says:

Replacement for the Internet, awaited for ten years, finally available for trial

MaidSafe’s idea is to replace Internet servers with a p2p network in which everyone takes part by donating data processing and storage capacity to the kitty. In the alpha version, however, it is not yet possible to share your own computer’s resources, and the operation is still incomplete anyway. For example, the project’s own browser is not yet active; to scroll through pages on the SAFE network (Secure Access For Everyone) you must use a browser whose proxy settings are set according to the requirements of the SAFE network.

    Source: http://www.tivi.fi/Kaikki_uutiset/kymmenen-vuotta-odotettu-internetin-korvaaja-viimein-kokeiltavissa-6573631

    After a decade of R&D, MaidSafe’s decentralized network opens for alpha testing
    https://techcrunch.com/2016/08/12/after-a-decade-of-rd-maidsafes-decentralized-network-opens-for-alpha-testing/?ncid=rss%3Fncid%3Drss

    UK-based MaidSafe, which has been building an alternative, decentralized p2p network since before Steve Jobs announced the original iPhone, is finally — finally! — gearing up for a tentative launch — flicking the switch on its first alpha test network today.

    The various downloads to access the alpha are available via its website.

    http://www.maidsafe.net/

    Reply
  35. Tomi Engdahl says:

    Under Fire, US Social Security Site Changes Security Policy Again
    https://yro.slashdot.org/story/16/08/14/1625212/under-fire-us-social-security-site-changes-security-policy-again?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29

The Social Security Administration has now removed the mandatory cell phone access requirement that was strongly criticized…

    The web site now describes the “extra security” of two-factor cellphone authentication as entirely optional — but security researcher Brian Krebs had also warned that the bigger risk was how easy it was to impersonate somebody else when creating an account online. He wrote Thursday that now “the SSA is mailing letters if you sign up online, but they don’t take that opportunity to deliver a special code to securely complete the sign up. Go figure.”

    Social Security Administration Now Requires Two-Factor Authentication
    https://krebsonsecurity.com/2016/08/social-security-administration-now-requires-two-factor-authentication/

    The U.S. Social Security Administration announced last week that it will now require a cell phone number from all Americans who wish to manage their retirement benefits at ssa.gov. Unfortunately, the new security measure does little to prevent identity thieves from fraudulently creating online accounts to siphon benefits from Americans who haven’t yet created accounts for themselves.

Although the SSA’s policy change provides additional proof that the person signing in is the same individual who established multi-factor authentication in the first place, it does not appear to provide any additional proof that the person creating an account at ssa.gov is who they say they are.

The SSA does offer other “extra security” options, such as sending users a special code via the U.S. Mail that has to be entered on the agency’s site to complete the signup process. If you choose to enable extra security, the SSA will then ask you for:

    The last eight digits of your Visa, MasterCard, or Discover credit card;
    Information from your W2 tax form;
    Information from a 1040 Schedule SE (self-employment) tax form; or
    Your direct deposit amount, if you receive Social Security benefits.

    Sadly, it is still relatively easy for thieves to create an account in the name of Americans who have not already created one for themselves. All one would need is the target’s name, date of birth, Social Security number, residential address, and phone number. This personal data can be bought for roughly $3-$4 from a variety of cybercrime shops online.

    Reply
  36. Tomi Engdahl says:

    Should Cloud Vendors Decrypt Data For The Government?
    https://hardware.slashdot.org/story/16/08/13/2359222/should-cloud-vendors-decrypt-data-for-the-government?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29

    More than one in three IT pros believe cloud providers should turn over encrypted data to the government when asked, according to Bitglass and the Cloud Security Alliance (CSA). 35 percent believe cloud app vendors should be forced to provide government access to encrypted data while 55 percent are opposed. 64 percent of US-based infosec professionals are opposed to government cooperation, compared to only 42 percent of EMEA respondents.

    Should cloud vendors cooperate with the government?
    https://www.helpnetsecurity.com/2016/08/12/cloud-vendors-cooperate-government/

    More than one in three IT pros believe cloud providers should turn over encrypted data to the government when asked, according to Bitglass and the Cloud Security Alliance (CSA).

    Reply
  37. Tomi Engdahl says:

    The economic impact of security incidents on critical information infrastructures
    https://www.helpnetsecurity.com/2016/08/12/economic-impact-security-incidents/

    Cyber security incidents affecting CIIs (Critical Information Infrastructures) are considered nowadays global risks that can have significant negative impact for several countries or industries within the next 10 years. But the job of identifying the real impact produced proves to be quite a challenge.

    The study demonstrates that the absence of a common approach and criteria for performing such an analysis has led to the development of rarely comparable standalone approaches that are often only relevant to a specific context and to a limited audience. While some studies show annual economic impact per country, other studies provide cost per incident or per organisation.

    Major common findings

    Finance, ICT and Energy sectors have the highest incident costs
The most common cyber attack types for the financial sector and ICTs appear to be DoS/DDoS and malicious insiders, with the latter also affecting public administration/government sectors
    The most costly attacks are considered to be insider threats, followed by DDoS and web based attacks
In terms of country losses, the figures demonstrate up to 1.6% of GDP in some EU countries. Other studies mention figures like 425,000 to 20 million euro per company per year.

    https://www.enisa.europa.eu/publications/the-cost-of-incidents-affecting-ciis/at_download/fullReport

    Reply
  38. Tomi Engdahl says:

    Internal ‘Set Of Blunders’ Crashed Australia’s Census Site
    https://yro.slashdot.org/story/16/08/15/0244238/internal-set-of-blunders-crashed-australias-census-site

    Slashdot reader River Tam explains the crash of Australia’s online census site, citing the account of a security researcher who says IBM and the Australian Bureau of Statistics “were offered DDoS prevention services from their upstream provider…and said they didn’t need it.”

    Census 2016: Patrick Gray blows the lid on set of blunders behind Australia’s failed census
    http://www.cso.com.au/article/605022/patrick-gray-blows-lid-set-blunders-behind-australia-failed-census/

    Respected information security journalist and podcaster Patrick Gray has blown the lid on the spectacular set of blunders behind Australia’s failed online census.

    The most egregious failure, according to Mr Gray, was that IBM and the ABS opted to forego the use of denial-of-service attack defence technology offered by one of its upstream network providers.

    What then unfolded was a series of missteps and misjudgements as it evolved that the technology was very badly needed.

The ABS and IBM gambled on a plan to ask its upstream network provider to block traffic from outside Australia in the event that a denial-of-service attack was detected. A small attack was detected and offshore traffic to the site was blocked in line with the plan. However, another attack, which the ABS had no contingency to repel, was directed at it from within Australia.

    The strength of the attack is currently unknown but the ABS was essentially defenceless.

    The attack crippled the ABS firewall and the census site’s operators opted to restart it and fall back to a secondary firewall. However, they forgot to check that it had the same configuration as the primary firewall. That crippled the census site.

    In an unfortunate confluence of events, IBM’s security warning systems started flagging some unusual activity, which indicated that information on the ABS servers was heading offshore. The site’s operators, thinking the DDoS activity was a distraction, interpreted the alarms as a successful hack and they suspected cyber attackers were stealing census data information.

    “The ABS’s decision to shut down the website — to avoid any prospect that the DoS attack could include or otherwise facilitate a data breach — was, in the circumstances, a pro-privacy precaution.

    Reply
  39. Tomi Engdahl says:

    J.M. Porup / Ars Technica:
    Two-man startup Copperhead ships a hardened version of Android that fixes its security problems and currently works with Nexus devices

    Copperhead OS: The startup that wants to solve Android’s woeful security
    A multi-billion-dollar megacorp, Google, apparently needs help to secure its OS.
    http://arstechnica.com/security/2016/08/copperhead-os-fix-android-security/

    Dan Guido, CEO of Trail of Bits, has also puzzled over the vulnerability gap between the stock Android OS and Copperhead, and points out that the same could not be said for Apple’s iOS.

    “If I had to imagine a world where there’s a Copperhead for iOS, I don’t even know what I’d change,” he tells Ars. “The Apple team almost always picked the more secure path to go and has found a way to overcome all these performance and user experience issues.”

    A billion people around the world rely on Android to secure their digital lives. This number is only going to grow. How did we get here, and can Copperhead—or even Google—put out the garbage fire?

    A deal with the devil

    Google did a deal with the devil for market share, says Soghoian, who has described the current parlous state of Android security as a human rights issue. By giving Original Equipment Manufacturers (OEMs) and wireless carriers control over the end-user experience, Google allowed handset manufacturers to find ways to differentiate their products, and wireless carriers to disable features they thought would threaten their business model.

    As a result, Google’s power over OEMs—such as Samsung or Motorola, who manufacture and sell Android handsets—consists solely of the Android license and access to the Google Play Store. The AOSP code base is licensed with Apache 2.0, and the kernel uses GPL2, which means there’s nothing stopping OEMs from deploying stock Android under a different name. But doing so would also mean losing access to the Play Store. This gives Google significant leverage over OEMs, but by no means absolute control—a competitor willing to forgo the Android trademark and offer customers access to their own app store, as Amazon has done, can walk away from the negotiating table with little to no consequence.

    But Soghoian thinks Google isn’t trying very hard. The company could, he points out, demand that OEMs implement default full-disk encryption as part of the Android and Play Service licence terms. The company currently requires FDE when the hardware supports it, but extending that requirement to lower-end Android manufacturers might scare off a non-trivial fraction of OEMs—and that would hurt Google’s bottom line as an advertising company.

    Reply
  40. Tomi Engdahl says:

    Pentagon bans Pokemon Go over spying fears
    http://www.washingtontimes.com/news/2016/aug/11/pentagon-bans-pokemon-go-over-spying-fears/

    A Pentagon source tells Inside the Ring that the Defense Department has banned the playing of the mobile video game Pokemon Go within Defense Department facilities, over concerns the popular application could facilitate foreign spying.

A memorandum sent July 19 warned all officials and defense contractors that playing Pokemon Go, the hugely popular Japanese video game, poses a potential security risk to secure and sensitive facilities.

    Pokemon Go uses the Global Positioning System satellite network for maps of areas around the handheld mobile devices that utilize the application.

    The game also could provide personal data on Pentagon officials with access to secrets

    Reply
  41. Tomi Engdahl says:

    POS malware stings 20 US hotels
    Coincidence, or more MICROS fallout?
    http://www.theregister.co.uk/2016/08/15/pos_malware_stings_20_us_hotels/

    Another 20 US hotels have been identified as being infected with point-of-sale malware earlier this year.

    The dozen affected hotels are run by HEI Hotels & Resorts and bear the Starwood, Westin, Marriott International, Hyatt and InterContinental brands.

    The chain says the malware campaign ran as far back as March 2015, with fourteen hotels affected after December 2, and didn’t end until June 21 of this year.

According to Reuters, card data from tens of thousands of transactions could be at risk. HEI is still working out how many individual customers might have their names, card numbers, card expiry dates, and CCV numbers compromised.

    It’s been a horror month for the hospitality sector, which is scrambling to respond to the high-profile Oracle MICROS vulnerability.

    A Russian cyber-gang, the Oracle MICROS hack, and five more POS makers in crims’ sights
    Who, what, when, why, how?
    http://www.theregister.co.uk/2016/08/12/micros_pos_attack_expands/

    Reply
  42. Tomi Engdahl says:

    Joseph Cox / Motherboard:
    US court documents show Australian authorities hacked Tor users in US as part of a child pornography investigation and shared the findings with the FBI

    Australian Authorities Hacked Computers in the US
    http://motherboard.vice.com/read/australian-authorities-hacked-computers-in-the-us

    Australian authorities hacked Tor users in the US as part of a child pornography investigation, Motherboard has learned.

    The contours of this previously-unreported hacking operation have come to light through recently-filed US court documents. The case highlights how law enforcement around the world are increasingly pursuing targets overseas using hacking tools, raising legal questions around agencies’ reach.

    In one case, Australian authorities remotely hacked a computer in Michigan to obtain the suspect’s IP address.

    “I think that’s problematic, because they’ve got no jurisdiction,”

    Reply
  43. Tomi Engdahl says:

    The Intercept:
    New Zealand intel requested and received emails, Facebook chats of Fiji pro-democracy activists from NSA; first publicly confirmed PRISM target is a NZ citizen

    The Raid
    In Bungled Spying Operation, NSA Targeted Pro-Democracy Campaigner
    https://theintercept.com/2016/08/14/nsa-gcsb-prism-surveillance-fullman-fiji/

    Reply
  44. Tomi Engdahl says:

    Ellen Mitchell / Politico:
    How Palantir muscled its way into national security contracting via investment from In-Q-Tel, effective narrative, and well-funded lobbyists

    How Silicon Valley’s Palantir wired Washington
    Armed with effective narrative and backed by aggressive lawmakers, the upstart has steadily landed more federal business and is now shouldering its way into the Army acquisition system.
    Read more: http://www.politico.com/story/2016/08/palantir-defense-contracts-lobbyists-226969#ixzz4HQ3YLxRK

    Reply
  45. Tomi Engdahl says:

    Security News This Week: The DNC Hack Was Worse Than We Thought
    https://www.wired.com/2016/08/security-news-week-dnc-hack-worse-thought/

    As the annual mega-week of hacking conferences wound down in Las Vegas, more news surfaced about the DNC hack, and the usual trickle of vulnerabilities and breaches continued. A researcher showed methods for unlocking “high security” consumer electronic safes without leaving any evidence of the attack, Oracle’s payment system Micros (which is used at roughly 330,000 cash registers around the world) was hacked, and a Windows vulnerability served as a reminder of why putting backdoors in secure processes doesn’t make sense.

    WIRED reported on vulnerabilities in the keyless entry systems of roughly 100 million Volkswagens, open Internet advocates are petitioning to keep web access unfettered in Brazil, and hacking newswires to get embargoed press releases is actually a decent way to do insider trading. Oh, and a hardware vulnerability exposed 900 million Android devices. Casual.

    Scope of the DNC Hack Is Larger Than Officials Originally Thought

    On top of breaching the Democratic National Committee and Democratic Congressional Campaign Committee, investigators say that Russian hackers targeted and compromised personal email accounts and the accounts of other organizations related to Hillary Clinton’s presidential campaign. The evidence is strong enough that officials have been notifying people associated with the Clinton campaign that their email data may have been compromised. Information about who was actually hacked is trickling out slowly.

    Law enforcement officials say they’re confident Russia was behind the attacks, but it’s still unclear whether Moscow was doing routine surveillance or actively looking to impact the US presidential election.

    Meanwhile, White House Weighs Imposing Sanctions on Russia Over DNC Hack

    White House officials are considering using economic sanctions against Russia as retaliation for the DNC hack.

    Reply
  46. Tomi Engdahl says:

    Millions of Volkswagens Can Be Unlocked By Hackers
    http://spectrum.ieee.org/cars-that-think/transportation/safety/millions-of-volkswagens-can-be-unlocked-by-hackers?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+IeeeSpectrum+%28IEEE+Spectrum%29&utm_content=FaceBook

    Millions of Volkswagen cars could in principle be unlocked from a distance by hackers, according to a new report. It’s one more strike against a German company that’s had more than its share of bad news, what with VW’s admitted cheating on diesel-emissions tests.

    But there’s plenty of bad news to go around: the report notes that many models from other companies have vulnerabilities of their own. And the problem is worse with older cars, designed before carmakers gave much thought to cybersecurity.

    Kasper told the BBC that the researchers informed Volkswagen of the vulnerability in late 2015 and that the company was taking steps to mitigate the problem. But he said there are “at least 10 more, very widespread” vulnerabilities affecting other car brands, which the researchers won’t publish until the manufacturers have had time to do something about them.

    The report describes two weaknesses.

    Reply
  47. Tomi Engdahl says:

    Julia Fioretti / Reuters:
    EU considers extending rules governing telecoms to apps like Skype and WhatsApp, mandating weakened encryption, limiting the data apps can collect about users

    EU plans to extend some telecom rules to web-based providers
    http://www.reuters.com/article/us-eu-telecoms-idUSKCN10Q154

    The European Union is planning to extend telecom rules covering security and confidentiality of communications to web services such as Microsoft’s Skype and Facebook’s WhatsApp which could restrict how they use encryption.

    The rules currently only apply to telecoms providers such as Vodafone and Orange.

    According to an internal European Commission document seen by Reuters, the EU executive wants to extend some of the rules to web companies offering calls and messages over the Internet.

    Telecoms companies have long complained that web groups such as Alphabet Inc’s Google, Microsoft and Facebook are more lightly regulated despite offering similar services and have called for the EU’s telecoms-specific rules to be repealed.

    They have also said that companies such as Google and Facebook can make money from the use of customer data.

    Under the existing “ePrivacy Directive”, telecoms operators have to protect users’ communications and ensure the security of their networks and may not keep customers’ location and traffic data.

    The EU rules also allow national governments to restrict the right to confidentiality for national security and law enforcement purposes.

    Many tech companies such as Facebook and Google already offer end-to-end encryption on their messaging and email services.

    Reply
  48. Tomi Engdahl says:

    Kate Conger / TechCrunch:
    LinkedIn files suit against 100 anonymous data scrapers, invoking the Computer Fraud and Abuse Act

    LinkedIn sues anonymous data scrapers
    https://techcrunch.com/2016/08/15/linkedin-sues-scrapers/

    LinkedIn is trying to lock down its exclusive relationship with its users.

    The professional networking company filed suit against 100 unnamed individuals last week for using bots to harvest user profiles from its website. The lawsuit is a preliminary step to revealing the identities of the scrapers — LinkedIn intends to ask the court to reveal the true identities behind the scrapers’ IP addresses — and a way to maintain its exclusive hold on users’ resumes.

    But LinkedIn’s lawsuit also raises questions about how to police bot use. The company, which was recently snapped up by Microsoft for $26.2 billion, has invoked the controversial Computer Fraud and Abuse Act (CFAA) in its suit against the unidentified scrapers, claiming that collecting user profiles from the site amounts to hacking.

    “During periods of time since December 2015, and to this day, unknown persons and/or entities employing various automated software programs (often referred to as ‘bots’) have extracted and copied data from many LinkedIn pages,” the lawsuit claims.

    “To access this information on LinkedIn’s site, the Doe Defendants circumvented several technical barriers employed by LinkedIn that prevent mass automated scraping, and have knowingly and intentionally violated various access and use restrictions in LinkedIn’s User Agreement, which they agreed to abide by in registering LinkedIn member accounts. In so doing, they have violated an array of federal and state laws, including the Computer Fraud and Abuse Act.”

    Reply
