Security trends for 2016

Here are my predictions for trends in information security and cyber security for year 2016.

Year 2015 was a bad year for information security, and I would say that the trend is worrying. So I expect that 2016 will bring many information security challenges. If you want to keep yourself up at night, spend some time reading about the latest developments in cybersecurity. In 2015 airplanes were hacked, cars were hacked, and vulnerabilities were found in a breathtaking range of sensitive equipment, from TSA locks to voting booths to medical devices. The big picture is even scarier: former NSA Director Mike McConnell suspects China has hacked “every major corporation” in the US. Those problems will continue in 2016, and new targets for attacks will be found. The system is broken. It isn’t keeping us, our companies, or our government safe. Worse yet, no one seems to know how to fix it.

Attacks through networks are becoming more common all the time, and it will be hard to protect against targeted attacks. Hackers will not only customize malware, but will increasingly use sophisticated phishing and social engineering tricks to gain access to sensitive data. Attackers usually cover their tracks carefully, so identifying who is behind an attack can be very difficult. Behind targeted attacks are usually professional criminals. Criminals do not respect geographical borders, so attacks are spread evenly across the world. Companies will struggle to absorb the security threats of combined PC and mobile device fleets in 2016.

 


EU information security decisions made in late 2015 will have an impact on what comes in 2016: the new EU data protection legislation package was approved, and the EU Court of Justice ruled that the Safe Harbor arrangement is invalid. This means that transfers of personal data from EU countries to the United States under Safe Harbor are now unlawful; you need some other legal basis for them. The situation will probably get clarified during 2016. The data protection legislation changes will lead to increased fines for the unprepared. Legal uncertainty and big fines are a toxic cocktail for some companies. The combination of stiff penalties and ambiguously worded provisions in the new EU-wide data protection law, which will replace a patchwork of 28 national laws, raises daunting prospects for companies operating in Europe.

After the huge number of user information leaks in 2015 from all kinds of Internet services, cloud companies will have a hard time earning trust in their security. You might have been willing to trust “the right cloud services”, since from the traditional information security point of view they seemed mostly fine, but the privacy issues raised in 2015 put that trust in question.

New environments will bring new threats. New operating system versions mean that administrators and users are less familiar with the environments. IPv6 will get more widely used, and the security of IPv6 networks differs from IPv4. Organizations are moving to virtualized environments, which are complex and create network layers that can become an attack vector. Growing network virtualization functionality and programmability are both an opportunity and a threat to security. Cyber security research will be important in 2016, as 5G networks will be critical infrastructure on top of which, for example, transport, industry, health and new operators will set up their business around 2020.

The huge amount of information security news is becoming harder and harder to manage in 2016. A key problem with security revelations, as with all other news coverage, is the exponential growth of information. There are a variety of news summaries produced on a daily basis, but they are not enough to get a good picture of what is happening. There are bigger and smaller news items, and their impact is at times very difficult to assess. SMBs will become a bigger target for cybercriminals. Network and security professionals continue to be among the toughest IT talent to find and hire.

The old way of network security, focused on perimeter defense, is not enough in 2016. The old mantras “encrypt everything” and “secure the perimeter” are not enough. One deceptive truth seems to drive much of the cybersecurity industry down a rabbit hole: if you keep bad actors and bad software out of your system, you have nothing to worry about. It does not work like that anymore. As perimeter security gets stronger, malicious actors are looking for easier entry points to compromise an organisation through the breadth of its digital attack surface. Now malicious actors target “endpoints”, any device or sensor connected to a network, to break into that network. Traditional sandboxing will no longer protect against the growing malware landscape. Today, most private networks have far too many endpoints to properly secure. In an age of “Bring Your Own Device,” the cloud, remote access, and the Internet of Things, there are too many vulnerabilities hackers can exploit. Keep in mind that everything connected to the Internet can, and will, be hacked. To address those threats in 2016, security experts should assume compromise, that hackers and malware already have breached their defenses or soon will, and instead classify and mitigate threats. In addition to the lock-and-key system of public key infrastructure and access control, you will also need an integrity solution that acts like an alarm: something that tells you when files, configurations or firmware have changed without authorization. To protect against advanced threats, security professionals will increase their reliance on centralized security management solutions. You need to have prioritization and response plans for various kinds of breaches, with a strong focus on integrity.

Law enforcement versus Silicon Valley tension will remain strong throughout 2016. In 2015, law enforcement and politicians on both sides of the Atlantic lined up to repeatedly complain that the web was “going dark” as a result of end-to-end encryption and that this was hampering the investigation of terrorism and other serious crimes. Technologists and cryptographers argue that governments are trying to weaken encryption by demanding some form of privileged access for government. It’s not clear how much encryption the NSA can break. With renewed focus on how encrypted messages can be used to plot terrorist attacks, President Barack Obama’s administration is stepping up pressure on the tech sector to help in the battle. Privacy remains a major counter-argument. It seems that governments are not honest about encryption backdoors: encryption systems weakened by mandated backdoors would not be effective in fighting the terrorists that governments invoke as their reason for wanting those backdoors in the first place.

But this does not stop some government officials from demanding such a thing, with varying success in different countries. Another fact is that the existence of coded communications is a reality, and the U.S. may not be able to do much about it because nearly everyone living in modern society uses it: encryption protects your bank information, prevents your password from being stolen when you log into a website, and allows all e-commerce transactions to take place securely. Encryption weakened by mandated backdoors would put all of us at enormous risk of exposure from data breaches and associated online risks. The truth in 2016 is that any form of privileged access for government, i.e. a backdoor, would inevitably weaken crypto-systems and make them more vulnerable to attacks by foreign governments’ intelligence agencies as well as criminals. Juniper’s VPN security hole is proof that government backdoors are bonkers: the unauthorized code found in ScreenOS in December 2015 showed that a weakened random number generator, once present, can be repointed by an unknown third party, so a backdoor built for one government becomes a backdoor for whoever finds it. Encryption backdoors would be a gleeful win-win for terrorists and a horrific lose-lose for you: the bad guys would still have strong protections for their data, and the rest of us would not. Poorly thought-out and crude surveillance techniques can have a devastating effect on a country’s internet security. For example, Kazakhstan will force its citizens to install internet backdoors by requiring all Internet users to install a state-issued root certificate by January 1, 2016; whoever holds that CA’s private key can then transparently intercept any TLS connection from those users.

Google, Mozilla and Microsoft are pushing for an early SHA-1 certificate cutoff that could happen in 2016 instead of the earlier planned January 1, 2017. This is due to recent research showing that SHA-1 is weaker than previously believed: practical collision attacks are now estimated to be within reach of well-funded attackers. Mozilla, Microsoft and now Google are all considering bringing the deadline forward by six months to July 1, 2016. SHA-2 is going to be used as the replacement function for SHA-1. Websites like Facebook and those protected by CloudFlare have implemented a SHA-1 fallback mechanism for those clients that do not support SHA-2. Chrome will start displaying errors if SHA-1 certificates are employed in early 2016 and will completely stop supporting SHA-1 certificates at the end of 2016.
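To act on the SHA-1 cutoff you first need to know which of your certificates are still signed with it. The following is an added example, not code from the page or from any browser vendor: it walks the DER encoding of an X.509 certificate with a minimal ASN.1 reader and reports the outer signatureAlgorithm OID, which is what browsers look at when they reject a SHA-1 chain. The sample certificate it builds is a constructed stand-in (a dummy tbsCertificate and a fake signature) so that the block runs offline; only the outer Certificate structure is realistic. Function names and the OID table are this example's own.

```python
"""Report which hash a DER-encoded X.509 certificate is signed with.

Added example: a minimal DER walker plus a constructed sample certificate.
"""
import base64

# Signature algorithm OIDs from RFC 3279 / RFC 4055 / RFC 5758.
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "SHA-1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHA-256"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "SHA-384"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "SHA-512"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "SHA-1"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "SHA-256"),
    "1.2.840.10045.4.3.3": ("ecdsa-with-SHA384", "SHA-384"),
}

def _read_length(buf, off):
    """Decode a DER length at buf[off]; return (length, offset after the length)."""
    first = buf[off]
    if first < 0x80:
        return first, off + 1
    n = first & 0x7F
    if n == 0 or n > 4:
        raise ValueError("unsupported DER length encoding")
    return int.from_bytes(buf[off + 1:off + 1 + n], "big"), off + 1 + n

def _read_tlv(buf, off):
    """Return (tag, content, offset after the element) for the element at buf[off]."""
    tag = buf[off]
    length, start = _read_length(buf, off + 1)
    end = start + length
    if end > len(buf):
        raise ValueError("DER element runs past end of buffer")
    return tag, buf[start:end], end

def _children(content):
    """Yield (tag, content) for each element inside a constructed DER value."""
    off = 0
    while off < len(content):
        tag, body, off = _read_tlv(content, off)
        yield tag, body

def decode_oid(body):
    """Decode OBJECT IDENTIFIER content bytes (base-128 arcs) into dotted form."""
    values, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            values.append(value)
            value = 0
    first = values[0]  # first two arcs are packed into one value
    arcs = [0, first] if first < 40 else [1, first - 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in arcs + values[1:])

def signature_algorithm(cert_der):
    """Return (oid, name, digest) for the outer signatureAlgorithm of a certificate."""
    tag, cert, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    parts = list(_children(cert))
    if len(parts) != 3:  # tbsCertificate, signatureAlgorithm, signatureValue
        raise ValueError("unexpected Certificate layout")
    alg_tag, alg_body = parts[1]
    oid_tag, oid_body = next(_children(alg_body))
    if alg_tag != 0x30 or oid_tag != 0x06:
        raise ValueError("signatureAlgorithm is not an AlgorithmIdentifier")
    oid = decode_oid(oid_body)
    name, digest = SIG_ALG_OIDS.get(oid, ("unknown", "unknown"))
    return oid, name, digest

def is_sha1_signed(cert_der):
    return signature_algorithm(cert_der)[2] == "SHA-1"

def pem_to_der(pem_text):
    """Strip PEM armour and base64-decode a real certificate for the functions above."""
    body = "".join(l for l in pem_text.splitlines() if l and not l.startswith("-----"))
    return base64.b64decode(body)

# --- constructed sample: encoder helpers used only to build the stand-in ---
def _der_length(n):
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw

def der(tag, content):
    return bytes([tag]) + _der_length(len(content)) + content

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray()
    for v in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        chunk = [v & 0x7F]
        v >>= 7
        while v:
            chunk.append(0x80 | (v & 0x7F))
            v >>= 7
        out.extend(reversed(chunk))
    return bytes(out)

def build_sample_cert(sig_oid):
    """Constructed stand-in: realistic outer Certificate, dummy tbsCertificate and signature."""
    tbs = der(0x30, der(0x02, b"\x01"))                                  # placeholder
    alg = der(0x30, der(0x06, encode_oid(sig_oid)) + der(0x05, b""))    # OID + NULL params
    sig = der(0x03, b"\x00" + b"\xAA" * 4)                               # fake BIT STRING
    return der(0x30, tbs + alg + sig)

if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
        print(oid, signature_algorithm(build_sample_cert(oid)))
```

For a certificate from disk, pass the bytes of a `.der` file, or the result of `pem_to_der()` on a `.pem` file, to `signature_algorithm()`; walk the whole chain, because an intermediate signed with SHA-1 fails the cutoff just as a leaf does.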

The use of blockchain technology, a permissionless distributed database based on the Bitcoin protocol that runs across a global network of independent computers, will spread beyond Bitcoin virtual money. With Bitcoin, the blockchain tracks the exchange of money. But it can also track the exchange of anything else that holds value, including stocks, bonds, and other financial securities. Overstock has already used the blockchain to issue private bonds. The Securities and Exchange Commission has approved a plan from online retailer Overstock.com to issue company stock via the Internet, signaling a significant shift in the way financial securities will be distributed and traded in the years to come. Overstock built its technology under the aegis of a subsidiary called TØ.com, and it plans to offer this “cryptosecurity” tech as a service to other businesses. Nasdaq OMX, the company behind the Nasdaq stock exchange, is using the blockchain to oversee the exchange of private stock. Also, several major companies from across both the technology and financial industries, including IBM, Intel, and Cisco as well as the London Stock Exchange Group and big-name banks JP Morgan, Wells Fargo, and State Street, have joined forces with the Linux Foundation to create an alternative to the Bitcoin blockchain.

The use of disk encryption will increase, and there are different ways to do it with different security levels. Microsoft has introduced Windows 10 disk encryption where the recovery keys are uploaded to Microsoft. This approach has some advantages and disadvantages. The gold standard in disk encryption is end-to-end encryption, where only you can unlock your disk. This is what most companies use, and it seems to work well. It protects data in case your device is lost or stolen. But what if you forget or lose your key? There are certainly cases where it’s helpful to have a backup of your key or password, so keeping a backup of your recovery key in your Microsoft account could be genuinely useful for probably the majority of users who don’t have high security needs. The disadvantage of this approach is that your computer is now only as secure as that database of keys held by Microsoft, which means it may be vulnerable to hackers, foreign governments, and people who can extort Microsoft employees.


Weak and leaked passwords are still a huge security problem in 2016. Passwords are often the weakest part of securing users’ accounts, as many users don’t use complex passwords or they reuse the same password across services. Two-factor authentication, like using a USB stick with a secret token or entering a code sent via text message to your phone, can help to increase security, but many users find it a hassle as it introduces an additional step to the login process.

Google has begun testing a login system that uses phone notifications for authentication instead of passwords: users authenticate by responding to a notification sent to their smartphone. The idea is similar to Yahoo’s recently launched “Account Key,” which also offers a password-free means of signing in: a push notification is sent to your phone, which opens an app where you approve the login.

The smartphone will become a more and more security-critical part of your life. “Increasingly, individuals and organisations are adopting password managers and multi-factor authentication technologies to plug some of the holes in password-based authentication. We foresee a world where practically everyone uses their smartphone as a multi-factor authentication element. In this world, the smartphone becomes your most valuable asset: something that enables you to unlock your life online and a target for attackers seeking to access your services.”

Expect that the number of mobile vulnerabilities will only grow in 2016. In 2016 we will see increasing numbers of cyber criminals using mobile applications to spread malware. Mobile presents an easy target for cyber criminals, because it is an attack surface that is open and extremely difficult to defend once an app has been released. Android threats will become more than just headline-grabbers. Will 2016 be the year iOS malware goes mainstream?


Critical infrastructures will be highly targeted in 2016. SCADA and ICS networks were not designed for security. Attacks against these systems have increased in recent years, and I expect this trend to only get worse. There are still many companies that run their critical systems on Windows XP, as “there are some people who don’t have an option to change.” Often the OS is running in automation and process control systems that run business- and mission-critical systems, both in private sector and government enterprises. For example, the US Navy is using the obsolete operating system Microsoft Windows XP to run critical tasks. It all comes down to money and resources, but if someone is obliged to keep something running on an obsolete system, it’s the wrong approach to information security completely.

Cars were hacked at a record rate in 2015, and they will be hacked at least at the same rate in 2016. Modern cars feature more gadgetry and connected systems, and this makes vehicles just as vulnerable to today’s threats and attacks. I Am The Cavalry has published a Five Star Automotive Cyber Safety Framework to mitigate this threat; hopefully car component makers study it.

IoT and smart devices are still at risk. The Internet of Things will continue to emerge, and businesses will need to think about how to protect their smart devices and prepare for the wider adoption of IoT. IoT platforms are not yet the weapon of choice for commercial malware authors, but businesses should beware. Wearables won’t be safe either, as they are built using largely the same, too often vulnerable, technologies as other IoT systems. IoT security is still in its infancy in 2016.

Cyber criminals became more active in 2015, particularly with ransomware. The ransomware problem will continue to be big in 2016. Commercial malware authors will continue to invest heavily, and exploit kits will continue to dominate on the web. Ransomware today is big business. Ransomware takes control of a computer, typically by encrypting the victim’s files, and holds it hostage until the victim pays, usually in the digital currency Bitcoin. As a remedy against ransomware I recommend making sure that your IT support or service provider has a data backup and restore procedure that is operational, practiced and tested, with backup copies kept offline or otherwise out of reach of an infected machine, since ransomware that can reach a mounted backup will encrypt it too. You may need it in 2016 to get your data back without considering paying criminals. To date ransomware has hit Windows users hardest, although Android and MacOS users are now also facing similar extortion.
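The “integrity solution that acts like an alarm” from the perimeter discussion earlier and the tested backup-and-restore procedure recommended here come down to the same mechanism: a baseline of file hashes kept where an attacker cannot modify it, and a comparison against it. The following added example, not the page's own code or any product's, builds such a manifest, reports added, removed and modified files, and runs a constructed scenario in a temporary directory in which one document is overwritten and a ransom note is dropped; the same check then confirms that a backup copy still matches the baseline. Paths, file contents and function names are this example's own.

```python
"""File-tree manifest for integrity alarms and restore tests (added example)."""
import hashlib
import json
import os
import shutil
import tempfile

def _sha256_file(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(root):
    """Map every regular file under root (relative path, '/' separators) to its SHA-256."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # symlinks are recorded by target elsewhere, not followed here
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = _sha256_file(full)
    return manifest

def save_manifest(manifest, path):
    """Write the baseline; store it off-box, since a baseline the attacker can edit is no alarm."""
    with open(path, "w") as f:
        json.dump(manifest, f, indent=1, sort_keys=True)

def load_manifest(path):
    with open(path) as f:
        return json.load(f)

def compare(baseline, current):
    """Diff two manifests into sorted lists of added, removed and modified paths."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}

def verify_tree(root, baseline):
    """Alarm check: (True, diff) only if the tree matches the baseline exactly."""
    diff = compare(baseline, build_manifest(root))
    return not any(diff.values()), diff

def demo():
    """Constructed scenario: baseline, backup, simulated ransomware, then both checks."""
    work = tempfile.mkdtemp()
    try:
        src = os.path.join(work, "data")
        os.makedirs(os.path.join(src, "docs"))
        with open(os.path.join(src, "docs", "report.txt"), "w") as f:
            f.write("quarterly numbers\n")
        with open(os.path.join(src, "notes.txt"), "w") as f:
            f.write("todo\n")
        baseline = build_manifest(src)
        manifest_path = os.path.join(work, "baseline.json")   # would live off-box
        save_manifest(baseline, manifest_path)
        backup = os.path.join(work, "backup")
        shutil.copytree(src, backup)
        # Simulated ransomware on the live tree: one file overwritten, ransom note added.
        with open(os.path.join(src, "docs", "report.txt"), "wb") as f:
            f.write(b"\x00" * 32)
        with open(os.path.join(src, "README_DECRYPT.txt"), "w") as f:
            f.write("pay up\n")
        stored = load_manifest(manifest_path)
        alarm_ok, damage = verify_tree(src, stored)      # alarm should fire
        restore_ok, _ = verify_tree(backup, stored)      # restore source should be clean
        return {"alarm_ok": alarm_ok, "damage": damage, "restore_ok": restore_ok}
    finally:
        shutil.rmtree(work)

if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Run the baseline from a clean state, keep the manifest (or a signed copy of it) somewhere the monitored machine cannot write, and schedule `verify_tree` against both production and restored backups; a restore that has never been checked this way is not a tested procedure.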

Ransomware will continue to dominate in 2016, and it is only a question of time before we see things beyond data being ransomed. We have already seen websites being held to ransom with DDoS. Intel’s McAfee Labs also noted a huge spike in ransomware in early 2015, and worries about ransomware in the IoT space, including medical devices. And Kaspersky predicts the “nightmare of ransomware” to continue and “spread to new frontiers” in 2016. The article Ransomware Is Coming to Medical Devices tells that, according to a report released recently by Forrester Research, the number one cybersecurity prediction for 2016 is: “We’ll see ransomware for a medical device or wearable.” “It’s definitely feasible from a technical standpoint.” Networked medical devices save lives. Despite the hacking risk, it’s an informed trade-off. Medical device ransomware would be a modern form of highway robbery with lives at stake.

2,232 Comments

  1. Tomi Engdahl says:

    UK nuke warhead builders shift IT gear into public cloud
    End well: Will it, dear readers?
    http://www.theregister.co.uk/2016/09/01/atomic_weapons_establishment_moves_to_public_cloud/

    The Atomic Weapons Establishment (AWE) is moving some of its internal tech to the public cloud, in a move to “embrace the opportunities that modern IT can bring”.

    The AWE has a £1bn-per-year contract with the UK Ministry of Defence lasting 25 years covering the design, manufacture and support of warheads for Blighty’s nuclear deterrent Trident.

    A spokeswoman said: “AWE has gone through a process to identify a range of trusted suppliers to support the business, as we continue to embrace the opportunities that modern IT can bring.

    “In common with all such activity, security arrangements have been assessed against AWE’s robust security requirements.”

    Security experts took a mixed view of the move.

    Of course, organisations remain vulnerable to breaches regardless of where their data is stored. In July last year, the US Office of Personnel Management admitted that 21.5 million people’s records had been stolen from its databases.

    Reply
  2. Tomi Engdahl says:

    L0phtCrack’s back! Crack hack app whacks Windows 10 trash hashes
    PC Master Race rig? Get ready to crack passwords up to FIVE HUNDRED times faster!
    http://www.theregister.co.uk/2016/09/01/l0phtcracks_back_crack_hack_app_whacks_windows_10_trash_hashes/

    Ancient famed Windows cracker L0phtCrack has been updated after seven years, with the release of the “fully revamped” version seven.

    The password cracker was first released 19 years ago gaining much popularity in hacker circles and leading Microsoft to change the way it handled password security at the time.

    No new versions have been released since version six in March 2009, launched at the Source Boston conference.

    The latest iteration sports a revamped cracking engine designed to exploit modern multi-core CPUs and GPUs, blitzing the previous version’s time to crack on four-core CPUs by at least a factor of five.

    A 1998 Pentium II 400 MHz CPU computer running version one of L0phtCrack would take a day to crack an eight-character long alphanumeric Windows NT password.

    Today L0phtCrack 7 could do the job on a gaming machine much more cheaply busting a Windows 10 password in about two hours.

    “Windows passwords have become much less secure over time and are now much more easily cracked than in the era of Windows NT,” the hacker outfit says.

    To that end L0phtCrack 7 is pitched as a means for admins and testers to audit Windows domain passwords to quickly find weak passwords in a few hours.

    The revamped app also sports a shiny GUI and auditing wizard, plus scheduling, and reporting.

    It works with all versions of Windows and supports new types of UNIX password hashes, and will work with other password importers and crackers using a plug in feature.

    There is not yet a consensus on password selection best practice.

    Britain’s GCHQ spy agency reckons admins ought to stop punishing users with regular password resets which studies show leads to weaker combinations being set over time.

    Revamped L0phtCrack 7 Audits Windows and Unix Passwords Up to 500 Times Faster
    http://www.l0phtcrack.com/2016/08/646/

    Reply
  3. Tomi Engdahl says:

    Solving the Case With Sense Analytics and Security Intelligence
    https://securityintelligence.com/solving-the-case-with-sense-analytics-and-security-intelligence/?cm_mmc=Display_Taboola-_-IBM+Security_Detect+Threats+With+Security+Intelligence-_-WW_US-_-18447998_Find+more+clues+blog-If+you+are&cm_mmca1=000000MI&cm_mmca2=10000108

    The process of developing actionable security intelligence requires gathering multiple insights regarding the identity, methods and motivation of the attacker and the device or technique used to breach an organization’s defenses. Just one data point makes for bad guesses, kind of like the early play in the classic board game Clue.

    Using Sense Analytics to Solve the Puzzle

    IBM Security QRadar powered by the Sense Analytics Engine helps security teams focus their defensive efforts on the most damaging conditions by reducing the number of variables at play.

    From the moment it’s installed, QRadar begins building intelligence using mathematical models, observations, network scans and external vulnerability and threat intelligence feeds. It stores this information within itself to help refine the real-time processing of security data. It also eliminates false positives (the guesses) by knowing that it couldn’t have been Miss Scarlet — because she has limited access credentials to critical data and never visits malicious websites. Colonel Mustard, however, clicks on any link that strikes his fancy.

    The Benefits of QRadar

    The presence of new devices is automatically sensed to create asset and user profiles that highlight the presence of risks, vulnerabilities and linkages to contextual pieces of information. Application traffic is also tracked and the packets deeply inspected.

    Sensitive data is monitored and tracked to detect movement outside the norm in volume, time of day or the account accessing it.

    Integrating Security Solutions

    Sense analytics and security intelligence work best if you can cover the complete environment made up of endpoints, network, cloud resources and applications. This eliminates the blind spots — kind of like visiting all the rooms in Clue’s Tudor mansion.

    Reply
  4. Tomi Engdahl says:

    Betabot steals passwords, downloads ransomware
    https://www.helpnetsecurity.com/2016/09/02/betabot-downloads-ransomware/

    The infamous and ever-changing Betabot information-stealing Trojan is back again, and has been observed downloading another well-known threat – the Cerber ransomware.

    Of course, before doing that, Betabot does its own routine, and slurps all passwords stored in all local browsers.

    Reply
  5. Tomi Engdahl says:

    How much does your kid hate exams? This lad hacked his government to skip them
    Teen cuffed in policy rewrite stunt
    http://www.theregister.co.uk/2016/09/01/sri_lankan_lad_hacks_president/

    A teenager from Sri Lanka is in hot water after he admitted to hacking the website of the nation’s president in order to get his exams cancelled.

    The local Daily News reports that the 17-year-old, whose name was not released, accessed the official site of President Maithripala Sirisena – president.gov.lk – and replaced the front page with a demand that the nation’s A‑level examinations be moved.

    The message, which presented itself as being the work of a hacker group called Sri Lanka Youth, complained that the scheduled April exam time coincided with Hindu New Year festivals.

    Reply
  6. Tomi Engdahl says:

    Romanian hacker ‘Guccifer’ sentenced to 52 months in U.S. prison
    http://www.reuters.com/article/us-usa-cyber-guccifer-idUSKCN1175FB

    A Romanian hacker nicknamed “Guccifer” who helped expose the existence of a private email domain Hillary Clinton used when she was U.S. secretary of state was sentenced on Thursday to 52 months in prison by a federal court in Alexandria, Virginia.

    Lazar has said in interviews he breached Clinton’s private server at her home in Chappaqua, New York, but law enforcement and national security officials say that claim is meritless.

    Lazar is believed to have hacked into email accounts of about 100 victims between 2012 and 2014.

    Reply
  7. Tomi Engdahl says:

    Niantic Responds To Senate Inquiry Into Pokemon Go Privacy
    https://games.slashdot.org/story/16/09/01/2129231/niantic-responds-to-senate-inquiry-into-pokemon-go-privacy

    Senator Al Franken has questioned Niantic, the makers of Pokemon Go, about how it handles users’ information. He asked the company to explain several key details about how Pokemon Go works, including whether all the data collection was necessary, how data will be shared and how parental consent is obtained for kids who play the game. The game was under the spotlight soon after it launched when it was revealed that users had to provide the game full access and control over their Google accounts. Niantic general counsel Courtney Greene Power responded to Franken via a letter (PDF)

    http://www.franken.senate.gov/files/documents/160826NianticResponse.pdf

    Reply
  8. Tomi Engdahl says:

    New Cloud Attack Takes Full Control of Virtual Machines With Little Effort
    https://yro.slashdot.org/story/16/09/01/2049234/new-cloud-attack-takes-full-control-of-virtual-machines-with-little-effort

    The world has seen the most unsettling attack yet resulting from the so-called Rowhammer exploit, which flips individual bits in computer memory. It’s a technique that’s so surgical and controlled that it allows one machine to effectively steal the cryptographic keys of another machine hosted in the same cloud environment. Until now, Rowhammer has been a somewhat clumsy and unpredictable attack tool because it was hard to control exactly where data-corrupting bit flips happened.

    In effect, Rowhammer was more a glitch than an exploit. Now, computer scientists have developed a significantly more refined Rowhammer technique they call Flip Feng Shui. It manipulates deduplication operations that many cloud hosts use to save memory resources

    New cloud attack takes full control of virtual machines with little effort
    Existing crypto software “wholly unequipped” to counter Rowhammer attacks.
    http://arstechnica.com/security/2016/08/new-attack-steals-private-crypto-keys-by-corrupting-data-in-computer-memory/

    “Surprisingly practical and effective”

    “Prior work has demonstrated that co-hosted VMs can spy on each other to a certain extent (e.g. cryptographic keys can be leaked), but this attack is fundamentally more damaging and the first of its kind,” Ben Gras, one of the Vrije Universiteit Amsterdam researchers who devised the technique, told Ars. “We can reliably corrupt the memory of a target VM in a highly precise and controlled way. Scientifically, this is our contribution—we show for the first time it is possible to effect this seemingly random corruption on data anywhere in the software stack in a highly precise and controlled way.”

    The research team, which also included a member from Belgium’s Katholieke Universiteit Leuven, went on to show how an attacker VM can use Flip Feng Shui to compromise RSA cryptography keys stored on another VM hosted in the same cloud environment. In one experiment, the attacker VM compromised the key used to authenticate secure shell access, a feat that allowed the VM to gain unauthorized access to the target. In a separate experiment, the attacker VM compromised the GPG key used by developers of the Ubuntu operating system to verify the authenticity of updates. With the compromised GPG key, the attacker VM was able to force the target to download and install a malicious update.

    Reply
  9. Tomi Engdahl says:

    Windows 10 now rules the weekend, taking over from Windows 7
    Redmond’s latest is climbing nicely, mostly at Windows 7′s expense
    http://www.theregister.co.uk/2016/09/02/windows_10_now_rules_the_weekend_taking_over_from_windows_7/

    Reply
  10. Tomi Engdahl says:

    Lightspeed PoS vendor breached, sensitive database tapped
    Vendor: ‘We’ve applied new patches and access controls!’ Sys admin: ‘Whaddya mean NEW?!’
    http://www.theregister.co.uk/2016/09/02/lightspeed_pos_vendor_breached_sensitive_database_tapped/

    Point of sales vendor Lightspeed has been breached with password, customer data, and API keys possibly exposed.

    Lightspeed has notified customers in an email saying that the information was contained in a compromised database but was not confirmed to be stolen.

    It boasts more than 38,000 customers transacting US$12 billion annually.

    He says attackers could feasibly destroy his small book store’s sales and accounting reports using any stolen Lightspeed data.

    Point of sales data doubles as accounting data for many businesses meaning critical business information could be potentially stolen

    Vendors in the point of sales business have been a recent target of financially-driven hackers who deploy various instances of point of sales -specific and backdoor malware to gain access to the financial systems of clients.

    Reply
  11. Tomi Engdahl says:

    LeakedSource:
    In the 2012 Last.fm hack, details of 43.57M accounts were stolen; 96% of hashed passwords were able to be cracked within 2 hours — LeakedSource has exposed every single mega breach of 2016 including LinkedIn, MySpace, and VK.com but because we are the most effective breach notification service in the world, we’re back with more.
    http://www.leakedsource.com/blog/lastfm

    Reply
  12. Tomi Engdahl says:

    New York Times:
    Analysis shows WikiLeaks’ high-profile releases often benefit Russia; US officials say WikiLeaks, Assange probably have no direct ties to Russian intelligence

    How Russia Often Benefits When Julian Assange Reveals the West’s Secrets
    http://www.nytimes.com/2016/09/01/world/europe/wikileaks-julian-assange-russia.html?_r=0

    American officials say Mr. Assange and WikiLeaks probably
    have no direct ties to Russian intelligence services. But the
    agendas of WikiLeaks and the Kremlin have often dovetailed.

    Reply
  13. Tomi Engdahl says:

    Nicole Perlroth / New York Times:
    Leaked NSO Group documents reveal capabilities of its Pegasus spying software, with prices like $500K setup fee plus $650K to track 10 iPhone or Android users — SAN FRANCISCO — Want to invisibly spy on 10 iPhone owners without their knowledge? Gather their every keystroke, sound, message and location?

    How Spy Tech Firms Let Governments See Everything on a Smartphone
    http://www.nytimes.com/2016/09/03/technology/nso-group-how-spy-tech-firms-let-governments-see-everything-on-a-smartphone.html

    Want to invisibly spy on 10 iPhone owners without their knowledge? Gather their every keystroke, sound, message and location? That will cost you $650,000, plus a $500,000 setup fee with an Israeli outfit called the NSO Group. You can spy on more people if you would like — just check out the company’s price list.

    The NSO Group is one of a number of companies that sell surveillance tools that can capture all the activity on a smartphone, like a user’s location and personal contacts. These tools can even turn the phone into a secret recording device.

    Since its founding six years ago, the NSO Group has kept a low profile. But last month, security researchers caught its spyware trying to gain access to the iPhone of a human rights activist in the United Arab Emirates. They also discovered a second target, a Mexican journalist who wrote about corruption in the Mexican government.

    The cyberarms industry typified by the NSO Group operates in a legal gray area, and it is often left to the companies to decide how far they are willing to dig into a target’s personal life and what governments they will do business with. Israel has strict export controls for digital weaponry, but the country has never barred the sale of NSO Group technology.

    Zamir Dahbash, an NSO Group spokesman, said that the sale of its spyware was restricted to authorized governments and that it was used solely for criminal and terrorist investigations.

    Among the Pegasus system’s capabilities, NSO Group contracts assert, are the abilities to extract text messages, contact lists, calendar records, emails, instant messages and GPS locations. One capability that the NSO Group calls “room tap” can gather sounds in and around the room, using the phone’s own microphone.

    Pegasus can use the camera to take snapshots or screen grabs. It can deny the phone access to certain websites and applications, and it can grab search histories or anything viewed with the phone’s web browser. And all of the data can be sent back to the agency’s server in real time.

    In its commercial proposals, the NSO Group asserts that its tracking software and hardware can install itself in any number of ways, including “over the air stealth installation,” tailored text messages and emails, through public Wi-Fi hot spots rigged to secretly install NSO Group software, or the old-fashioned way, by spies in person.

    NSO Group documents say, is “unlimited access to a target’s mobile devices.”

    Reply
  14. Tomi Engdahl says:

    Ruslan Stoyanov / Securelist:
    Kaspersky Lab details how they helped catch the Lurk cybercriminal gang, suspected of stealing nearly 3B rubles — In early June, 2016, the Russian police arrested the alleged members of the criminal group known as Lurk. The police suspected Lurk of stealing nearly three billion rubles …

    The Hunt for Lurk
    How we helped to catch one of the most dangerous gangs of financial cybercriminals
    https://securelist.com/analysis/publications/75944/the-hunt-for-lurk/

    In early June, 2016, the Russian police arrested the alleged members of the criminal group known as Lurk. The police suspected Lurk of stealing nearly three billion rubles, using malicious software to systematically withdraw large sums of money from the accounts of commercial organizations, including banks.

    When we first encountered Lurk, in 2011, it was a nameless Trojan. It all started when we became aware of a number of incidents at several Russian banks that had resulted in the theft of large sums of money from customers. To steal the money, the unknown criminals used a hidden malicious program that was able to interact automatically with the financial institution’s remote banking service (RBS) software; replacing bank details in payment orders generated by an accountant at the attacked organization, or even generating such orders by itself.

    In 2016, it is hard to imagine banking software that does not demand some form of additional authentication, but things were different back in 2011.

    We participated in the investigation of several incidents involving the nameless malware, and sent samples to our malware analysts. They created a signature to see if any other infections involving it had been registered, and discovered something very unusual: our internal malware naming system insisted that what we were looking at was a Trojan that could be used for many things (spamming, for example) but not stealing money.

    Reply
  15. Tomi Engdahl says:

    Lorenzo Franceschi-Bicchierai / Motherboard:
    Apple issues patch for desktop Safari browser and OS X to fix zero-day vulnerabilities, which are similar to those used in NSO’s iOS attack discovered last week

    Apple Patches OS X Vulnerabilities After Cyberattack on Human Rights Dissident
    http://motherboard.vice.com/read/apple-patches-safari-os-x-vulnerabilities-after-iphone-jailbreak-nso

    Apple has issued an urgent security update to fix critical vulnerabilities in the laptop and desktop version of the Safari browser and the OS X operating system, which allowed sophisticated hackers to remotely take control of Apple computers.

    The new fixes come a week after malware hunters caught government hackers trying to exploit unknown flaws in the iPhone’s operating system to hack into the phones of a Dubai-based human rights activist and a Mexican journalist. Last week, Apple patched those vulnerabilities in an iOS update.

    But as it turns out, those unknown flaws, or zero-days, also affected Safari and Apple’s computer operating system OS X, given that the mobile and regular version of Safari share the same codebase. Apple quietly released the patch for Safari and for OS X on Thursday.

    Reply
  16. Tomi Engdahl says:

    Bloomberg:
    Apple, Google, Amazon, others back Microsoft in lawsuit against DOJ’s gag orders preventing disclosure to customers of government requests for their data — Microsoft seeks to report undisclosed access by government — Companies say future of cloud computing at stake in court case

    Apple, Google Back Microsoft Over ‘Sneak-and-Peek’ Searches
    http://www.bloomberg.com/news/articles/2016-09-02/airlines-energy-companies-back-microsoft-over-secret-warrants

    Apple Inc., Google and Amazon.com Inc. were among the tech leaders that rallied behind Microsoft Corp. in its battle to stop the U.S. government from conducting so-called sneak-and-peek searches of customer e-mails.

    Microsoft and its supporters argue the very future of mobile and cloud computing is at stake if customers can’t trust that their data will remain private. A group of 11 technology firms including Google said Friday in its court filing that the federal law allowing the searches goes “far beyond any necessary limits” while infringing users’ fundamental rights.

    “The government’s ability to engage in surreptitious searches of homes and tangible things is practically and legally limited,” the companies said in the filing. “But the act allows the government to search personal data stored in the cloud without ever notifying an account owner that her data has been searched.”

    Reply
  17. Tomi Engdahl says:

    Steve Ranger / TechRepublic:
    A detailed look at NATO’s Locked Shields, the largest cyber defense exercise in the world

    Governments and nation states are now officially training for cyberwarfare: An inside look
    http://www.techrepublic.com/article/governments-and-nation-states-are-now-officially-training-for-cyberwarfare-an-inside-look/

    Europe, Canada, USA, Australia, and others are now running training exercises to prepare for the outbreak of cyberwar. Locked Shields is the largest simulation and we take you inside.

    Berylia is under attack. Again.

    Over two hectic days, the teams will have to battle against mounting attacks on their systems, hijacking of their drones, and questions from a sometimes hostile press.

    And it’s not the first time Berylia has come under attack: strangely these cyber onslaughts happen every year at around the same time. And these incursions won’t be the last time the country comes under attack either, because the fictional drone-building country is the setting for the NATO annual cyber defence wargame, Locked Shields.

    The exercise is run from Estonia by NATO’s cyberwarfare think tank, the Cooperative Cyber Defence Centre of Excellence (CCD COE). The annual event, which has been running since 2010, aims to train the security experts who protect national IT systems on a daily basis. While the exact scenario changes every year, the setting—the embattled Berylia—remains the same, and arch-rival Crimsonia often makes an appearance too.

    Berylia might be a fictional state, but Estonia itself has first-hand experience of this sort of digital attack: back in 2007 its banks and government systems suffered weeks of disruption from hackers after Estonian authorities proposed moving a Soviet war memorial.

    The wargame pits 20 ‘blue team’ sets of defenders from NATO’s member states, against a ‘red team’ of attackers which attempt to disrupt their networks. A separate ‘white team’ of experts runs the game systems. In total, the exercise involves around 550 people across 26 nationalities, 250 of which are the core planning team in Tallinn, where the main action takes place over a two-day period.

    Cyber Defence Exercises /
    Locked Shields 2016
    https://ccdcoe.org/locked-shields-2016.html

    Locked Shields 2016 is the biggest and most advanced international live-fire cyber defence exercise in the world. The annual scenario-based real-time network defence exercise, organised since 2010 by the Tallinn-based NATO Cooperative Cyber Defence Centre of Excellence, focuses on training the security experts who protect national IT systems on a daily basis.

    Over 550 people and a total of 26 nations are involved in Locked Shields 2016. 20 Blue Teams representing 19 nations and NATO Computer Incident Response Capability (NCIRC) participate in the exercise. 2016 is seeing a record number of joint teams. While the organizers of the exercise will gather in Tallinn, Estonia, the participating Blue Teams will have online access to the exercise networks and typically work from their home countries.

    Reply
  18. Tomi Engdahl says:

    Gertrude Chavez-Dreyfuss / Reuters:
    Study: between Bitcoin’s creation in 2009 and March 2015, 33% of all Bitcoin exchanges were hacked, and 48% closed

    Cyber threat grows for bitcoin exchanges
    http://www.reuters.com/article/us-bitcoin-cyber-analysis-idUSKCN11411T

    When hackers penetrated a secure authentication system at a bitcoin exchange called Bitfinex earlier this month, they stole about $70 million worth of the virtual currency.

    The cyber theft — the second largest by an exchange since hackers took roughly $350 million in bitcoins at Tokyo’s MtGox exchange in early 2014 — is hardly a rare occurrence in the emerging world of crypto-currencies.

    New data disclosed to Reuters shows a third of bitcoin trading platforms have been hacked, and nearly half have closed in the half dozen years since they burst on the scene.

    “There is a general sense in the bitcoin community that any centralized repository is at risk,”

    “I am skeptical there’s going to be any technological silver bullet that’s going to solve security breach problems. No technology, crypto-currency, or financial mechanism can be made safe from hacks,” said Tyler Moore, assistant professor of cyber security at the University of Tulsa’s Tandy School of Computer Science who will soon publish the new research on the vulnerability of bitcoin exchanges.

    Of the 6,000 operational U.S. banks, only 67 banks experienced a publicly-disclosed data breach between 2009 and 2015. That’s roughly 1 percent of U.S. banks.

    Among the world’s stock exchanges, however, security breaches are much higher, with hackers attracted to the large pools of cash moving in and out of these trading venues.

    “A 48 percent closure is not acceptable, but not surprising given that bitcoin is a new technology,”

    Reply
  19. Tomi Engdahl says:

    Nearly 800,000 Brazzers Porn Site Accounts Exposed in Forum Hack
    http://motherboard.vice.com/en_uk/read/nearly-800000-brazzers-porn-site-accounts-exposed-in-forum-hack

    Nearly 800,000 accounts for popular porn site Brazzers have been exposed in a data breach. Although the data originated from the company’s separate forum, Brazzers users who never signed up to the forum may also find their details included in the dump.

    Motherboard was provided the dataset by breach monitoring site Vigilante.pw for verification purposes. The data contains 790,724 unique email addresses, and also includes usernames and plaintext passwords. (The set has 928,072 entries in all, but many are duplicates.)

    Troy Hunt, a security researcher and creator of the website Have I Been Pwned? helped verify the dataset by contacting subscribers to his site, who confirmed a number of their details from the data.

    Reply
  20. Tomi Engdahl says:

    ‘Catastrophic’ DDoS Attack Hits Linode Servers Over Labor Day Weekend
    https://news.slashdot.org/story/16/09/06/0543234/catastrophic-ddos-attack-hits-linode-servers-over-labor-day-weekend

    A coordinated DDoS attack hit Linode (VPS provider) over the weekend, which the company has described as “catastrophic.” The attack targeted the company’s Atlanta data center, and was timed for the extended Labor Day weekend when the company had fewer employees on hand to deal with the incident.

    “Catastrophic” DDoS Attack Pummels Linode Servers over Labor Day Weekend
    http://news.softpedia.com/news/catastrophic-ddos-attack-pummels-linode-servers-over-the-weekend-507985.shtml#ixzz4JTscgP4q

    Linode, one of the world’s top providers of virtual private servers (VPS), battled over the weekend with a DDoS attack that targeted its Atlanta data center and that the company has described as “catastrophic.”

    Reply
  21. Tomi Engdahl says:

    President Obama Wants To Prevent a Cyber Weapon ‘Arms Race’
    https://yro.slashdot.org/story/16/09/05/1949200/president-obama-wants-to-prevent-a-cyber-weapon-arms-race

    During an address to reporters at the G-20 international summit in China, President Obama stated that he’d like to prevent an “arms race” among countries that have various cyber weapons at their disposal. The remarks come after Russian president Vladimir Putin denied having any involvement with the hack of the Democratic National Committee’s emails earlier this summer.

    President Obama wants to prevent a cyber weapon ‘arms race’
    You can’t hug your kids with cyber arms
    http://www.theverge.com/2016/9/5/12798836/president-obama-prevent-cyber-weapon-arms-race

    During an address to reporters at the G-20 international summit in China, President Obama stated that he’d like to prevent an “arms race” among countries that have various cyber weapons at their disposal.

    Obama said that the world is “moving into a new era where a number of countries have significant capacities”, before noting that the United States has “more capacity than anybody, both offensively and defensively” when it comes to cyber weapons.

    Instead of starting a Cold War-like arms race with cyber weapons, however, Obama wants “to start instituting some norms so that everybody’s acting responsibly.” He said that “we’re going to have enough problems in the cyber space with nonstate actors who are engaging in theft and using the internet for all kinds of illicit practices,” before stating that we “cannot have a situation where this becomes the Wild Wild West, where countries have significant cyber capacity start engaging in … unhealthy competition or conflict through these means.”

    Reply
  22. Tomi Engdahl says:

    Hacker takes down CEO wire transfer scammers, sends their Win 10 creds to the cops
    ‘Whaling’ attackers fall for poison PDF ‘invoices’
    http://www.theregister.co.uk/2016/09/06/hacker_hacks_ceo_wire_transfer_scammers_sends_win_10_creds_to_cops/

    Florian Lukavsky hacks criminals profiting from out-of-control multi-billion dollar CEO wire transfer scams… and they hate him for it.

    The director of SEC Consult’s Singapore office has made a name striking back at so-called “whaling” scammers by sending malicious Word documents that breach their Windows 10 boxes and pass on identity information to police.

    Whaling is a well-oiled social engineering scam that sees criminals dupe financial controllers at large lucrative organisations. Whalers’ main method is to send emails that appear to originate from chief executive officers, bearing instructions to wire cash into nominated bank accounts.

    It works. The FBI estimates some $2.2bn (£1.7bn, A$2.9bn) in losses have arisen from nearly 14,000 whaling cases in the seven months to May this year. Some $800m (£601m, A$1bn) in losses occurred in the 10 months to August 2015.

    Reply
  23. Tomi Engdahl says:

    Zack Whittaker / ZDNet:
    Google fixes final two “Quadrooter” Android flaws, which were rated as “critical”, a month after their disclosure

    Google fixes final ‘Quadrooter’ flaws with new security patch
    The outstanding flaws were fixed a month after the initial disclosure.
    http://www.zdnet.com/article/google-fixes-quadrooter-flaws-in-latest-round-of-android-security-patches/

    What took Google a month to fix took others just a couple of weeks.

    In the latest round of Android security fixes released Tuesday, the company fixed two remaining flaws that were part of the so-called “Quadrooter” set of vulnerabilities announced last month.

    Quadrooter was particularly troublesome because the set of four flaws (hence the name “quad”) affected at least 900 million Android devices. These high-risk vulnerabilities would allow a dedicated and well-trained attacker to gain complete access to an affected phone and its data.

    Google, which develops Android, said that most phones had received at least two or even three of the fixes in previous security bulletins. But the rest would remain outstanding for a month, until now, when the company released its regularly-scheduled monthly patches.

    According to the bulletin, Google confirmed that the two escalation of privilege bugs — CVE-2016-2059 (rated “high”) and CVE-2016-5340 (rated “critical”) — were fixed.

    The Android software and phone maker also fixed six more critical bugs in the mobile operating system, including two remote code execution flaws in core Android components.

    Reply
  24. Tomi Engdahl says:

    Security TV: Ignore the email threat at your peril
    Simply throwing an anti-virus scanner in front of an email server is a recipe for being owned.
    http://www.zdnet.com/article/security-tv-ignore-the-email-threat-at-your-peril/

    The techniques that are employed in other security situations can also apply to email: using whitelists, disabling Microsoft Office macros, and sandboxing potentially malicious content.

    Reply
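The three controls named in the comment above (whitelisting, disabling macros, sandboxing) can be combined into a single pre-delivery gate. The following is an added example written for this page, not code from ZDNet or from any mail product; the trusted-sender domain is an assumed placeholder, and every sample attachment is constructed in memory so the script runs offline. Office attachments that carry a VBA project are held outright (the macro policy makes them useless to a legitimate user anyway), legacy OLE containers and script files go to a sandbox, and the whitelist only lets a known sender skip the sandbox queue, never the macro check.

```python
"""Inbound-mail attachment triage.

Added example, not code from the ZDNet piece or any product: it applies the
three controls the post lists as a pre-delivery gate. A sender whitelist
(TRUSTED_SENDER_DOMAINS, an assumed list) lets known partners skip the
sandbox queue; Office attachments carrying a VBA project are held because
the policy disables macros anyway; remaining active content (legacy OLE
.doc/.xls containers, script files) is routed to a sandbox instead of the
inbox. Every sample attachment is constructed in memory for the demo.
"""
import io
import zipfile
from typing import Dict

TRUSTED_SENDER_DOMAINS = {"example-partner.test"}     # assumed whitelist, not a real domain
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"       # compound-file header of legacy .doc/.xls
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".hta", ".wsf", ".ps1", ".cmd", ".bat")


def has_vba_project(data: bytes) -> bool:
    """True if an OOXML (zip-based) attachment contains a VBA macro storage."""
    if not data.startswith(b"PK"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def classify_attachment(filename: str, data: bytes) -> str:
    """Return 'block', 'sandbox' or 'deliver' for one attachment."""
    if has_vba_project(data):
        return "block"          # macro-bearing Office document: never reaches the user
    if data.startswith(OLE_MAGIC) or filename.lower().endswith(SCRIPT_EXTS):
        return "sandbox"        # legacy container or script: detonate first
    return "deliver"


def route_message(sender: str, attachments: Dict[str, bytes]) -> str:
    """Decide the fate of a whole message from its sender and attachments."""
    verdicts = {classify_attachment(name, blob) for name, blob in attachments.items()}
    if "block" in verdicts:
        return "block"          # macro policy applies even to whitelisted senders
    domain = sender.rpartition("@")[2].lower()
    if domain in TRUSTED_SENDER_DOMAINS:
        return "deliver"        # whitelist only skips the sandbox, not the macro check
    return "sandbox" if "sandbox" in verdicts else "deliver"


def build_ooxml(with_macro: bool) -> bytes:
    """Constructed minimal OOXML container for testing (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00constructed-macro-blob")
    return buf.getvalue()


if __name__ == "__main__":
    samples = {
        "invoice.docm": build_ooxml(with_macro=True),
        "report.docx": build_ooxml(with_macro=False),
        "old-order.doc": OLE_MAGIC + b"\x00" * 24,
        "setup.js": b"// constructed script body",
    }
    for name, blob in samples.items():
        print(f"{name:14s} -> {classify_attachment(name, blob)}")
    print("message from partner:",
          route_message("ap@example-partner.test", {"old-order.doc": samples["old-order.doc"]}))
    print("message from stranger:",
          route_message("x@unknown.test", {"old-order.doc": samples["old-order.doc"]}))
```

The OOXML check looks only for the `vbaProject.bin` part, which is where Word and Excel store macros in the zip-based formats; the binary `.doc`/`.xls` containers are harder to inspect without a dedicated OLE parser, which is why the example sends them to the sandbox rather than trying to classify them in the gateway.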
  25. Tomi Engdahl says:

    LeakedSource:
    Over 98M records leaked online from 2012 hack of Russia’s Yahoo-like service Rambler.ru, each record contains: username/email address, plaintext password, more
    http://www.leakedsource.com/blog/rambler

    Reply
  26. Tomi Engdahl says:

    Forging the USB Armory
    https://www.youtube.com/watch?v=MsK2V_iO9Z4

    The availability of modern System on a Chip (SoC) parts, having low power consumption and high integration of most computer components in a single chip, empowers the open source community in creating all kind of embedded systems.

    The presentation illustrates the journey that we have taken to develop an open hardware board first of its kind: the USB armory, an open source hardware design, implementing a flash drive sized computer for security applications.

    The security features of the USB armory System on a Chip (SoC), combined with the openness of the board design, is meant to empower developers and users with a fully customizable USB trusted device for open and innovative personal security applications.

    Reply
  27. Tomi Engdahl says:

    From Zero to Secure in One Minute
    https://www.youtube.com/watch?v=nknwsqP01F0

    Cloud instance lifecycles are changing fast and force us to improve the way we secure those IaaS instances. Nowadays we can find servers that are installed, launched, process data and terminate – all within a range of minutes. This new accelerated lifecycle makes traditional security processes such as periodic patches, vulnerability scanning, hardening, and forensics impossible. In this accelerated lifecycle, there are no maintenance windows for patches or ability to mitigate vulnerabilities, so the security infrastructure must adapt to new methods. In this new thinking, we require automation of instance security configuration, hardening, monitoring, and termination. Because there are no maintenance windows, servers must be patched before they boot up, security configuration and hardening procedures should be integrated with server installation, and vulnerability scanning and mitigation processes should be automatic. In this presentation, we announce a new open source tool called “Cloudefigo” and explain how it enables an accelerated security lifecycle.

    Reply
  28. Tomi Engdahl says:

    Intel Spins out Security Group
    http://www.eetimes.com/document.asp?doc_id=1330421&

    Intel Corp. will sell 51% of its security group to a private equity company for $3.1 billion in cash, spinning it off as an independent company to be called McAfee. Under former chief executive Paul Otellini, the x86 giant bought McAfee in 2010 for $7.68 billion.

    Intel will retain 49% ownership of the new company in a transaction valuing the business at $4.2 billion. In a written statement, Intel called the new company “one of the world’s largest cybersecurity companies.”

    An estimated 7,500 McAfee employees will leave Intel at the close of transaction, expected in the second quarter of 2017. The move follows a broader reorg announced in April in which Intel said it is laying off 12,000 workers.

    Reply
  29. Tomi Engdahl says:

    Andy Greenberg / Wired:
    Google’s think tank Jigsaw develops program to dissuade aspiring ISIS recruits by redirecting them away from propaganda; 300K people averted in two-month pilot — Google has built a half-trillion-dollar business out of divining what people want based on a few words they type into a search field.

    Google’s Clever Plan to Stop Aspiring ISIS Recruits
    http://www.wired.com/2016/09/googles-clever-plan-stop-aspiring-isis-recruits/

    Google has built a half-trillion-dollar business out of divining what people want based on a few words they type into a search field. In the process, it’s stumbled on a powerful tool for getting inside the minds of some of the least understood and most dangerous people on the Internet: potential ISIS recruits. Now one subsidiary of Google is trying not just to understand those would-be jihadis’ intentions, but to change them.

    Jigsaw, the Google-owned tech incubator and think tank—until recently known as Google Ideas—has been working over the past year to develop a new program it hopes can use a combination of Google’s search advertising algorithms and YouTube’s video platform to target aspiring ISIS recruits and ultimately dissuade them from joining the group’s cult of apocalyptic violence. The program, which Jigsaw calls the Redirect Method and plans to launch in a new phase this month, places advertising alongside results for any keywords and phrases that Jigsaw has determined people attracted to ISIS commonly search for. Those ads link to Arabic- and English-language YouTube channels that pull together preexisting videos Jigsaw believes can effectively undo ISIS’s brainwashing

    Reply
  30. Tomi Engdahl says:

    Emily Schechter / Google Online Security Blog:
    Chrome will start marking HTTP pages with password and credit card form fields as non-secure in January 2017 — To help users browse the web safely, Chrome indicates connection security with an icon in the address bar. Historically, Chrome has not explicitly labelled HTTP connections as non-secure

    Moving towards a more secure web
    https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html

    To help users browse the web safely, Chrome indicates connection security with an icon in the address bar. Historically, Chrome has not explicitly labelled HTTP connections as non-secure. Beginning in January 2017 (Chrome 56), we’ll mark HTTP sites that transmit passwords or credit cards as non-secure, as part of a long-term plan to mark all HTTP sites as non-secure.

    Reply
  31. Tomi Engdahl says:

    Emily Schechter / Google Online Security Blog:
    Chrome will start marking HTTP pages with password and credit card form fields as non-secure in January 2017 — To help users browse the web safely, Chrome indicates connection security with an icon in the address bar. Historically, Chrome has not explicitly labelled HTTP connections as non-secure.

    Moving towards a more secure web
    https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html

    Reply
  32. Tomi Engdahl says:

    Fake doctors will soon be joined by pseudo-engineers, fake oil drillers, pseudo-teachers …

    In a TheNextWeb interview, Sixgill security company CEO Avi Kasztan says he has noticed a clear trend emerging on the dark web: in addition to drugs, weapons, and counterfeit identity papers and passports, there are increasingly fake diplomas.

    There are papers from universities as big and prestigious as Oxford, Cambridge and Harvard, but also from smaller schools.

    Paid for in bitcoin, a paper costs 200-400 euros depending on the degree.

    The services are also offered to genuinely education-hungry students.
    Instructions for hacking the evaluation systems used by American universities, in turn, go to do-it-yourself men for fifteen dollars.

    Source: http://www.tivi.fi/Kaikki_uutiset/valelaakarit-saavat-pian-seurakseen-valeinsinooreja-valeoljynporaajia-valeopettajia-6581403

    Reply
  33. Tomi Engdahl says:

    Israeli DDoS Provider ‘vDOS’ Earned $600,000 In Two Years
    https://developers.slashdot.org/story/16/09/08/2050238/israeli-ddos-provider-vdos-earned-600000-in-two-years

    Brian Krebs writes that he has obtained the hacked database of an Israeli company that is responsible for most of the large-scale DDoS attacks over the past (at least) 4 years. The vDOS database

    Israeli Online Attack Service ‘vDOS’ Earned $600,000 in Two Years
    http://krebsonsecurity.com/2016/09/israeli-online-attack-service-vdos-earned-600000-in-two-years/

    vDOS — a “booter” service that has earned in excess of $600,000 over the past two years helping customers coordinate more than 150,000 so-called distributed denial-of-service (DDoS) attacks designed to knock Web sites offline — has been massively hacked, spilling secrets about tens of thousands of paying customers and their targets.

    The vDOS database, obtained by KrebsOnSecurity.com at the end of July 2016, points to two young men in Israel as the principal owners and masterminds of the attack service, with support services coming from several young hackers in the United States.

    To say that vDOS has been responsible for a majority of the DDoS attacks clogging up the Internet over the past few years would be an understatement. The various subscription packages to the service are sold based in part on how many seconds the denial-of-service attack will last. And in just four months between April and July 2016, vDOS was responsible for launching more than 277 million seconds of attack time, or approximately 8.81 years worth of attack traffic.

    Although I can’t prove it yet, it seems likely that vDOS is responsible for several decades worth of DDoS years.

    The hack of vDOS came about after a source was investigating a vulnerability he discovered on a similar attack-for-hire service called PoodleStresser.

    vDOS had a reputation on cybercrime forums for prompt and helpful customer service, and the leaked vDOS databases offer a fascinating glimpse into the logistical challenges associated with running a criminal attack service online that supports tens of thousands of paying customers — a significant portion of whom are all trying to use the service simultaneously.

    Multiple vDOS tech support tickets were filed by customers who complained that they were unable to order attacks on Web sites in Israel. Responses from the tech support staff show that the proprietors of vDOS are indeed living in Israel and in fact set the service up so that it was unable to attack any Web sites in that country — presumably so as to not attract unwanted attention to their service from Israeli authorities.

    As we can see from the above responses from vDOS’s tech support, the owners and operators of vDOS are young Israeli hackers who go by the names P1st a.k.a. P1st0, and AppleJ4ck.

    vDOS appears to be the longest-running booter service advertised on Hackforums, and it is by far and away the most profitable such business. Records leaked from vDOS indicate that since July 2014, tens of thousands of paying customers spent a total of more than $618,000 at the service using Bitcoin and PayPal.

    Incredibly, for brief periods the site even accepted credit cards in exchange for online attacks,

    The proprietors of vDOS set their service up so that anytime a customer asked for technical assistance the site would blast a text message to six different mobile numbers tied to administrators of the service, using an SMS service called Nextmo.com.

    The $618,000 in earnings documented in the vDOS leaked logs is almost certainly a conservative income figure.

    Turns out, AppleJ4ck and p1st routinely recruited other forum members on Hackforums to help them launder significant sums of PayPal payments for vDOS each week.

    “The paypals that the money are sent from are not verified,” AppleJ4ck says in one recruitment thread. “Most of the payments will be 200$-300$ each and I’ll do around 2-3 payments per day.”

    In reality, the methods that vDOS uses to sustain its business are practically indistinguishable from those employed by organized cybercrime gangs, said Damon McCoy, an assistant professor of computer science at New York University.

    Reply
  34. Tomi Engdahl says:

    US-CERT tells network operators to pay attention and harden up
    Recent exploits and golden oldies are making packets perilous
    http://www.theregister.co.uk/2016/09/09/cisco_exploit_disco_too_hot_for_cert_admins_check_your_patches/

    The US-CERT is warning organisations to harden their networks, because resurgent malware plus the recent publication of powerful exploits proved too hot to ignore.

    The organisation says that threats like the leak of Equation Group Adaptive Security Appliance (ASA) tooling are bad enough by themselves, but warns plenty of organisations are also yet to knock 2015′s SYNful Knock on the head, too.

    Together, the two attacks should put Cisco users in a state of alert.

    US-CERT is not alone in its fears: security outfit Rapid 7 reckons it has found more than 50,000 ASA-susceptible devices, many unpatched.

    US-CERT made the warnings about the advanced attacks in an alert this week detailing how the exploits occur and offering admins defensive strategies.

    “The rising threat levels place more demands on security personnel and network administrators to protect information systems,” US-CERT says.

    The agency is also warning of separate ASA attacks in which net scum lure admins to payload websites that exploit a crustier vulnerability (CVE-2014-3393). It says there were “several reports” of attacks using that malicious code injection in June.

    Alert (TA16-250A)
    The Increasing Threat to Network Infrastructure Devices and Recommended Mitigations
    https://www.us-cert.gov/ncas/alerts/TA16-250A

    Reply
  35. Tomi Engdahl says:

    Come in HTTP, your time is up: Google Chrome to shame leaky non-HTTPS sites from January
    Web giant will start labeling insecure websites insecure
    http://www.theregister.co.uk/2016/09/08/chrome_to_shame_non_https_sites/

    Starting New Year’s Day, Google will begin labeling as “insecure” all websites that transmit passwords or ask for credit card details over plain text HTTP.

    If you use the ad giant’s Chrome browser, and a lot of people do, in its 56th build and onwards any website that does not use a security certificate will feature a red exclamation mark and the text “Not secure,” also in red, at the start of the web address.

    Those that do use certificates and so have an HTTPS connection will continue to get a nice little green padlock icon.

    The decision was announced on Google’s security blog and will “help users browse the web safely.” It is part of “a long-term plan to mark all HTTP sites as non-secure.”

    Reply
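The Google blog excerpt in comment 30 and the Register piece above both describe the same condition: an HTTP page that collects a password or card number. The script below is an added example written for this page, not Google's code and not Chrome's actual heuristics; it is the audit a site owner would run over their own templates before January to find the forms that will earn the red “Not secure” label. It reports any password or card-number field served on an http:// page and, going one step beyond the articles, also a form on an https:// page whose action posts to an http:// URL, since the credentials still travel in clear text. The sample pages are constructed inline.

```python
"""Audit HTML pages for the condition Chrome 56 flags as "Not secure".

Added example, not Google's code nor part of the Register or Google blog
posts, and it does not reproduce Chrome's real heuristics. It finds <input>
fields that collect passwords or card data (type="password", or an
autocomplete token such as cc-number) and reports any page that serves such
a form over http://. Going one step past the articles, it also reports a
form on an https:// page whose action posts to an http:// URL, since the
credentials still travel in clear text. Sample pages are constructed inline.
"""
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urljoin, urlparse

SENSITIVE_AUTOCOMPLETE = {"cc-number", "cc-csc", "cc-exp", "current-password", "new-password"}


class SensitiveFieldFinder(HTMLParser):
    """Collects (field name, enclosing form action) for every sensitive input."""

    def __init__(self) -> None:
        super().__init__()
        self.form_actions: List[str] = []              # stack of open <form> actions
        self.findings: List[Tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            self.form_actions.append(a.get("action", ""))
        elif tag == "input":
            kind = a.get("type", "text").lower()
            if kind == "password" or a.get("autocomplete", "").lower() in SENSITIVE_AUTOCOMPLETE:
                action = self.form_actions[-1] if self.form_actions else ""
                self.findings.append((a.get("name") or kind, action))

    def handle_endtag(self, tag):
        if tag == "form" and self.form_actions:
            self.form_actions.pop()


def audit_page(page_url: str, html: str) -> List[str]:
    """Return one problem string per sensitive field at risk; an empty list means clean."""
    parser = SensitiveFieldFinder()
    parser.feed(html)
    problems = []
    for field, action in parser.findings:
        target = urljoin(page_url, action) if action else page_url   # form posts here
        if urlparse(page_url).scheme == "http":
            problems.append(f"field '{field}' collected on http:// page {page_url}")
        elif urlparse(target).scheme == "http":
            problems.append(f"field '{field}' submitted to http:// action {target}")
    return problems


# Constructed sample pages (not real sites).
SAMPLE_LOGIN_PAGE = """<html><body>
<form action="/login" method="post">
  <input name="user"><input type="password" name="pw">
</form></body></html>"""

SAMPLE_CHECKOUT_PAGE = """<html><body>
<form action="http://pay.example/charge" method="post">
  <input name="cardnumber" autocomplete="cc-number">
  <input name="cvc" autocomplete="cc-csc">
</form></body></html>"""


if __name__ == "__main__":
    for url, page in [("http://shop.example/login", SAMPLE_LOGIN_PAGE),
                      ("https://shop.example/login", SAMPLE_LOGIN_PAGE),
                      ("https://shop.example/checkout", SAMPLE_CHECKOUT_PAGE)]:
        print(url, "->", audit_page(url, page) or "ok")
```

Run it over the rendered HTML of each template in a site (for example by fetching pages from a staging host and passing the URL and body to `audit_page`); a page whose fix is simply to redirect to HTTPS will clear the first kind of finding, while the second kind needs the form action itself changed.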
  36. Tomi Engdahl says:

    Top smut site stops Flashing, adopts HTML5
    When even the pornographers think you’ve got a problem, you’ve really got a problem
    http://www.theregister.co.uk/2016/09/09/pornhub_dashes_flash/

    Security sentient smut site Pornhub has decommissioned Flash and will swap to HTML5 in a bid to modernise and protect its estimated 60 million daily visitors.

    The site is famed for, among other things, offering a bug bounty to researchers who disclose security holes in the site, upping payments and hiring staff to better compete with industry standards.

    Pornhub will now switch to the new industry standard HTML5 which sports better load times, power consumption, and avoids the battery of vulnerabilities that make Adobe Flash one of the exploit kit market’s favourite p0wn platforms.

    Pornhub’s part of a colossal web conglomerate called MindGeek that operates several other adult sites, runs an affiliate marketing network, has over 1,000 people on the payroll and millions of paying customers. It’s not difficult to see why an organisation of that scale would be keen to drop a buggy, proprietary plugin and instead adopt a standard.

    The smut-streamer’s decision brings the site in line with browsers such as Chrome and Firefox which have moved to sound the death knell of Flash. Most online assets support both HTML5 and Flash while the latter is decommissioned.

    Reply
  37. Tomi Engdahl says:

    From Linux to Windows – New Family of Cross-Platform Desktop Backdoors Discovered
    https://securelist.com/blog/research/73503/from-linux-to-windows-new-family-of-cross-platform-desktop-backdoors-discovered/

    Recently we came across a new family of cross-platform backdoors for desktop environments. First we got the Linux variant, and with information extracted from its binary, we were able to find the variant for Windows desktops, too. Not only that, but the Windows version was additionally equipped with a valid code signing signature. Let’s have a look at both of them.
    DropboxCache aka Backdoor.Linux.Mokes.a

    This backdoor for Linux-based operating systems comes packed via UPX and is full of features to monitor the victim’s activities, including code to capture audio and take screenshots.

    The Missing Piece – Sophisticated OS X Backdoor Discovered
    https://securelist.com/blog/research/75990/the-missing-piece-sophisticated-os-x-backdoor-discovered/

    In a nutshell

    Backdoor.OSX.Mokes.a is the most recently discovered OS X variant of a cross-platform backdoor which is able to operate on all major operating systems (Windows, Linux, OS X). Please see also our analysis on the Windows and Linux variants.
    This malware family is able to steal various types of data from the victim’s machine (screenshots, audio/video captures, Office documents, keystrokes).
    The backdoor is also able to execute arbitrary commands on the victim’s computer.
    To communicate, it uses strong AES-256-CBC encryption.

    Background

    Back in January this year we found a new family of cross-platform backdoors for desktop environments. After the discovery of the binaries for Linux and Windows systems, we have now finally come across the OS X version of Mokes.A. It is written in C++ using Qt, a cross-platform application framework, and is statically linked to OpenSSL. This leads to a filesize of approx. 14MB. Let’s have a look into this very fresh sample.

    Reply
  38. Tomi Engdahl says:

    U.S. personnel management hack preventable, congressional probe finds
    http://www.reuters.com/article/us-usa-cyber-opm-idUSKCN11D0AM

    The U.S. Office of Personnel Management (OPM) did not follow rudimentary cyber security recommendations that could have mitigated or even prevented major attacks that compromised sensitive data belonging to more than 22 million people, a congressional investigation being released on Wednesday has found.

    Two breaches at the federal agency detected in 2014 and 2015 were made worse by lax security culture and ineffective leadership, which failed to harness available tools that could have stopped or limited the intrusions.

    “The OPM data breach and the resulting generational national security consequences cannot happen again,” said Republican Representative Jason Chaffetz, the committee’s chairman, in the report.

    OPM ignored repeated inspector general reports dating back to 2005 that warned of cyber security shortcomings.

    Reply
  39. Tomi Engdahl says:

    Did you see a strange man in overalls at work?

    From a security point of view it is important that the company has working access control. In addition, where appropriate, the company should build up areas with different security classifications. Then an intruder who gets in through one door cannot as easily reach the area where the most critical information is kept.

    “Some companies have removed access control from a particular door so that moving around would be easier. However, that can backfire,”

    The starting point, he says, is that employees’ own ID cards must be worn visibly and visitors must have an escort. If an employee sees, for example, a maintenance man in overalls walking past without a pass, he should ask: “What are you working on, and on whose authority?” It is still worthwhile to confirm the story with the client who supposedly ordered the work.

    “Physical security is often considered a police matter that is not directly related to information security,” Rinne says.

    An intruder could sabotage servers or steal information from them.

    In another company, the visitors’ wireless network reached far beyond the walls of the property.

    Source: http://www.tivi.fi/Kaikki_uutiset/naitko-toissa-oudon-haalarimiehen-kysy-heti-tama-kysymys-6580926

    Reply
  40. Tomi Engdahl says:

    Brian Krebs / Krebs on Security:
    Largest online DDoS service vDOS hacked, with details of customers and targets revealed; service earned $600K+ for 150K+ DDoS attacks over past two years — vDOS — a “booter” service that has earned in excess of $600,000 over the past two years helping customers coordinate more than 150,000 …
    http://krebsonsecurity.com/2016/09/israeli-online-attack-service-vdos-earned-600000-in-two-years/

    Brian Krebs / Krebs on Security:
    Two Israeli men alleged to be co-owners of the recently hacked DDoS service vDOS arrested in Israel on Thursday in connection with FBI investigation — Two young Israeli men alleged to be the co-owners of a popular online attack-for-hire service were reportedly arrested in Israel on Thursday.
    http://krebsonsecurity.com/2016/09/alleged-vdos-proprietors-arrested-in-israel/

    Reply
  41. Tomi Engdahl says:

    Cory Doctorow / Locus Online Perspectives:
    Proliferation of the Internet of Things and unchecked data collection will escalate the privacy wars, possibly leading to a storm of class action lawsuits

    Cory Doctorow:
    The Privacy Wars Are About to Get A Whole Lot Worse
    http://www.locusmag.com/Perspectives/2016/09/cory-doctorowthe-privacy-wars-are-about-to-get-a-whole-lot-worse/

    It used to be that server logs were just boring utility files whose most dramatic moments came when someone forgot to write a script to wipe out the old ones and so they were left to accumulate until they filled the computer’s hard-drive and crashed the server.

    Then, a series of weird accidents turned server logs into the signature motif of the 21st century, a kind of eternal, ubiquitous exhaust from our daily lives, the CO2 of the Internet: invisible, seemingly innocuous, but harmful enough, in aggregate, to destroy our world.

    Here’s how that happened: first, there were cookies.

    Then, Google and a few other companies came up with a business model.

    Google and the other early ad-tech companies worked out that they could place ads on other people’s websites, and that those ads could act as a two-way conduit between web users and Google.

    The idea caught the zeitgeist, and soon everyone was trying to figure out how to gather, aggregate, analyze, and resell data about us as we moved around the web.

    Of course, there were privacy implications to all this.

    As more and more companies twigged to the power of ‘‘surveillance capitalism,’’ these agreements proliferated, as did the need for them, because before long, everything was gathering data. As the Internet everted into the physical world and colonized our phones, we started to get a taste of what this would look like in the coming years. Apps that did innocuous things like turning your phone into a flashlight, or recording voice memos, or letting your kids join the dots on public domain clip-art, would come with ‘‘permissions’’ screens that required you to let them raid your phone for all the salient facts of your life: your phone number, e-mail address, SMSes and other messages, e-mail, location – everything that could be sensed or inferred about you by a device that you carried at all times and made privy to all your most sensitive moments.

    When a backlash began, the app vendors and smartphone companies had a rebuttal ready: ‘‘You agreed to let us do this. We gave you notice of our privacy practices, and you consented.’’

    This ‘‘notice and consent’’ model is absurd on its face, and yet it is surprisingly legally robust.

    Notice and consent is an absurd legal fiction.

    Indeed, you can’t examine the terms of service you interact with in any depth – it would take more than 24 hours a day just to figure out what rights you’ve given away that day. But as terrible as notice-and-consent is, at least it pretends that people should have some say in the destiny of the data that evanescences off of their lives as they move through time, space, and information.

    The next generation of networked devices are literally incapable of participating in that fiction.

    The coming Internet of Things – a terrible name that tells you that its proponents don’t yet know what it’s for, like ‘‘mobile phone’’ or ‘‘3D printer’’ – will put networking capability in everything: appliances, light­bulbs, TVs, cars, medical implants, shoes, and garments. Your lightbulb doesn’t need to be able to run apps or route packets, but the tiny, com­modity controllers that allow smart lightswitches to control the lights anywhere (and thus allow devices like smart thermostats and phones to integrate with your lights and home security systems) will come with full-fledged computing capability by default, because that will be more cost-efficient than customizing a chip and system for every class of devices.

    That fact of general-purposeness is inescapable and wonderful and terrible.

    You will ‘‘interact’’ with hundreds, then thou­sands, then tens of thousands of computers every day. The vast majority of these interactions will be glancing, momentary, and with computers that have no way of displaying terms of service, much less presenting you with a button to click to give your ‘‘consent’’ to them. Every TV in the sportsbar where you go for a drink will have cameras and mics and will capture your image and process it through facial-recognition software and capture your speech and pass it back to a server for continu­ous speech recognition (to check whether you’re giving it a voice command). Every car that drives past you will have cameras that record your like­ness and gait, that harvest the unique identifiers of your Bluetooth and other short-range radio devices, and send them to the cloud, where they’ll be merged and aggregated with other data from other sources.

    In theory, if notice-and-consent was anything more than a polite fiction, none of this would hap­pen. If notice-and-consent are necessary to make data-collection legal, then without notice-and-consent, the collection is illegal.

    But that’s not the realpolitik of this stuff: the reality is that when every car has more sensors than a Google Streetview car, when every TV comes with a camera to let you control it with gestures, when every medical implant collects telemetry that is collected by a ‘‘services’’ business and sold to insurers and pharma companies, the argument will go, ‘‘All this stuff is both good and necessary – you can’t hold back progress!’’

    The returns from data-acquisition have been de­clining for years.

    But diminishing returns can be masked by more aggressive collection.

    The best way to secure data is never to collect it in the first place. Data that is collected is likely to leak. Data that is collected and retained is certain to leak. A house that can be controlled by voice and gesture is a house with a camera and a microphone covering every inch of its floorplan.

    The IoT will rupture notice-and-consent, but without some other legal framework to replace it, it’ll be a free-for-all that ends in catastrophe.

    I’m frankly very scared of this outcome and have a hard time imagining many ways in which we can avert it, but I do have one scenario that’s plausible: class action lawsuits.

    Right now, companies that breach their users’ data face virtually no liability.

    Eventually, some lawyer is going to convince a judge that, say, 1% of the victims of a deep-pocketed company’s breach will end up losing their houses to identity thieves as a result of the data that the company has leaked, and that the damages should be equal to 1% of all the property owned by the 53 million (or 500 million!) customers whom the company has wronged. It will take down a Fortune 100 company, and transfer billions from investors and insurers to lawyers and their clients.

    When that day comes, there’ll be blood in the boardroom. Every major investor will want to know that the company is insured for a potential award of 500X the company’s net worth.

    The danger, of course, is the terms of service. If every ‘‘agreement’’ you click past or flee from includes forced arbitration – that is, a surrender of your right to sue or join a class action – then there’s no class to join the class action.

    Reply
  42. Tomi Engdahl says:

    395,000 uTorrent Forum Accounts Put Up For Sale By Hackers
    https://torrentfreak.com/395000-utorrent-forum-accounts-put-up-for-sale-by-hackers-160909/

    In June, it was revealed that uTorrent’s forums had been hacked, putting at risk the personal details of hundreds of thousands of users. Now it is being reported that the database has been put up for sale on a darknet marketplace. The package is said to contain almost 395,000 accounts, but data is cheap. The asking price? Just one bitcoin.

    Reply
  43. Tomi Engdahl says:

    Are Governments Denying Internet Access To Their Political Opponents?
    https://yro.slashdot.org/story/16/09/11/229215/are-governments-denying-internet-access-to-their-political-opponents

    Whether or not your ethnic group has political power is a crucial factor determining your access to the Internet, according to a new analysis. The effect varies from country to country, and is much less pronounced in democratic nations. But the study, published today in Science, suggests that besides censorship, another way national governments prevent opposing groups from organizing online is by denying them Internet access in the first place.

    Governments Around the World Deny Internet Access to Political Opponents
    Keeping your enemies offline can cripple their chances of overthrowing you.
    https://www.technologyreview.com/s/602310/governments-around-the-world-deny-internet-access-to-political-opponents/?set=602333

    Whether or not your ethnic group has political power in the country where you live is a crucial factor determining your access to the Internet, according to a new analysis.

    Reply
  44. Tomi Engdahl says:

    Cyber Defense 101: Arming the Next Generation of Government Employees
    http://www.govexec.com/govexec-sponsored/transformed-it/2016/08/cyber-defense-101-arming-next-generation-government-employees/130436/?oref=ob

    “We are all cyborgs now,” declared anthropologist Amber Case in her 2010 TED Talk, and her observation is strange, provocative, funny, and, above all, startlingly true. Our cell phones, tablets, and laptops are as axiomatically indispensable to us as our very limbs; our social media profiles operate as virtual second selves.

    However, opportunity walks hand-in-hand with risk, and as we explore the boundaries of our digital landscape, we expose ourselves to a host of new, unprecedented dangers.

    Reply
  45. Tomi Engdahl says:

    A popular shopping center became a privacy nightmare – HS: it knows your family relationships, follows your Facebook, monitors your movements …

    Helsingin Sanomat reported that the Iso Omena shopping center has turned into a supervising Big Brother. Its application promises free parking time, but at the same time it collects massive amounts of users’ personal information.

    Iso Omena is the first step for the application, but hardly the last, because Citycon, the company behind the application, manages dozens of shopping centers around Finland.

    The application penetrates the user’s life by offering membership of the Iso Omena Community, whose members get two additional hours of free parking time at the mall.

    However, customers who join the Community in exchange for the longer parking time fall into a trap, because deploying the application gives Citycon permission to collect a massive amount of users’ personal data, including income level, family relations, the vehicle register, and social media, and to track the user’s movements inside the shopping center using the mobile phone’s location information.

    Source: http://www.tivi.fi/Kaikki_uutiset/suositusta-kauppakeskuksesta-tuli-yksityisyyden-painajainen-hs-tietaa-perhesuhteesi-seuraa-facebookiasi-valvoo-liikkeitasi-6581697

    Reply
  46. Tomi Engdahl says:

    Google Will Mark Unencrypted Websites “Insecure”

    Not too long ago, the standard for a secure website was to not offer gaping holes for hackers to exploit or infect visitors with malware. Now even plain-old HTTP itself, that venerable web protocol, is about to be considered insecure. Google has announced that its web browser Chrome will soon take a more aggressive stance on web encryption, marking any site as insecure if it doesn’t use HTTPS, a protocol that encrypts web pages with the encryption schemes SSL or TLS, and putting a red “X” over a padlock in the corner of the address bar. The rollout will begin in January by applying the rule to any site that asks for a password or credit card information. It will later expand to all sites when the user is browsing in Chrome’s incognito mode. Eventually, Chrome will label all HTTP sites as insecure. In other words, the web giant is taking a giant step toward a fully encrypted web and putting anyone who isn’t taking HTTPS seriously on notice: If your website isn’t already encrypted, start working on it or become the subject of shaming messages in millions of users’ browsers.

    Source: https://www.wired.com/2016/09/security-news-week-google-ups-ante-web-encryption/

    Reply
  47. Tomi Engdahl says:

    IoT Devices With Default Telnet Passwords Used As Botnet
    https://it.slashdot.org/story/16/09/11/1155202/iot-devices-with-default-telnet-passwords-used-as-botnet

    IoT devices, like DVR recorders or webcams, which are running Linux with open telnet access and have no passwords or default passwords are currently a target of attacks which try to install malware which then makes the devices a node of a botnet for DDoS attacks. As the malware, called Linux/Mirai, only resides in memory, once the attack has been successful, revealing if your device got captured isn’t so easy, and also analyzing the malware is difficult, as it will vanish on reboot.

    Experts from MalwareMustDie spotted a new ELF trojan backdoor, dubbed ELF Linux/Mirai, which is now targeting IoT devices.
    http://securityaffairs.co/wordpress/50929/malware/linux-mirai-elf.html

    Experts from MalwareMustDie have analyzed in August samples of a particular ELF trojan backdoor, dubbed ELF Linux/Mirai, which is now targeting IoT devices. The name of the malware is the same as that of the binary, “mirai.*,” and according to the experts, several attacks have been detected in the wild.

    The ELF Linux/Mirai is very insidious; it is still undetected by many antivirus solutions, as confirmed by the very low detection ratio in the VirusTotal online scanning service.

    “The reason for the lack of detection is the lack of samples, which are difficult to fetch from the infected IoT devices, routers, DVRs or web IP cameras, i.e. Linux with Busybox binaries on an embedded platform, which is what this threat is aiming at,” states the analysis from the MalwareMustDie blog.

    And continues: “The threat started its campaign in early August, even if this ELF is not easy to detect since it does not show its activity soon after being installed: it sits there, and during that time no malware file is left over in the system; all are deleted except the delayed process in which the malware is running after being executed.”

    This means that when the infection succeeds, it is not easy to distinguish an infected system from an uninfected one, except through memory analysis, and we are talking about a kind of device that is not easy to analyze and debug. The normal kind of analysis conducted from the file system or from the external network traffic doesn’t give any evidence, at the beginning.

    “Countries that have Linux Busybox IoT embedded devices that can connect to the internet, like DVRs or web IP cameras from several brands, and countries whose ISPs serve users with Linux routers running with global IP addresses, are exposed as targets, especially devices or services that do not secure access to the telnet port (TCP/23) service.”

    At the moment, for all the sysadmins who want to protect their systems, there is a list of mitigation actions:

    If you have an IoT device, please make sure you have no telnet service open and running.
    Block TCP port 48101 if you don’t use it; it helps prevent infection and further damage.
    Monitor telnet connections, because the botnet protocol used for infection is the telnet service.
    Reverse the process looking for the strings reported in the MalwareMustDie detection tool tips.

    But, what we know about this Linux/Mirai ELF malware exactly, and why it is not so common among the malware analysts?

    Reply
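    The mitigation list in the post above (no open telnet, block TCP/48101, monitor telnet connections) is easy to turn into a triage script over connection logs. The following is an added example written for this page; it is not code from the original post, from MalwareMustDie or from Security Affairs. The ports come from the post; the log format, the addresses and the "three or more distinct telnet targets means a scanner" threshold are assumptions made for the example, and the sample log lines are constructed.

```python
"""Triage a connection log for Mirai-style telnet activity (added example)."""
import ipaddress
import re
from collections import defaultdict

TELNET_PORT = 23      # the infection vector named in the post
MIRAI_PORT = 48101    # the port the post says to block if unused

# Assumed log format: "<timestamp> TCP <src>:<sport> -> <dst>:<dport> <flags>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+TCP\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<flags>\S+)$"
)

# Constructed sample: an outside host probes telnet on two cameras, one camera
# then calls out to TCP/48101 and starts probing telnet on other hosts.
SAMPLE_LOG = """\
2016-09-11T10:00:01 TCP 203.0.113.7:51234 -> 192.0.2.10:23 SYN
2016-09-11T10:00:02 TCP 203.0.113.7:51235 -> 192.0.2.11:23 SYN
2016-09-11T10:00:09 TCP 192.0.2.10:40001 -> 198.51.100.5:48101 SYN
2016-09-11T10:00:10 TCP 192.0.2.10:40002 -> 198.51.100.20:23 SYN
2016-09-11T10:00:10 TCP 192.0.2.10:40003 -> 198.51.100.21:23 SYN
2016-09-11T10:00:11 TCP 192.0.2.10:40004 -> 198.51.100.22:23 SYN
2016-09-11T10:00:30 TCP 192.0.2.12:40005 -> 198.51.100.80:443 SYN
"""


def parse_log(text):
    """Parse matching lines into dicts; silently skip lines in any other format."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        records.append({
            "ts": d["ts"],
            "src": ipaddress.ip_address(d["src"]),
            "sport": int(d["sport"]),
            "dst": ipaddress.ip_address(d["dst"]),
            "dport": int(d["dport"]),
            "flags": d["flags"],
        })
    return records


def triage(records, local_net, scan_threshold=3):
    """Return (exposed, beacons, scanners), each a sorted list of local addresses.

    exposed  - local hosts that received telnet SYNs from outside: telnet is reachable
    beacons  - local hosts that opened outbound connections to TCP/48101
    scanners - local hosts that sent telnet SYNs to >= scan_threshold distinct
               outside hosts (assumed infected-device behaviour, not stated in the post)
    """
    net = ipaddress.ip_network(local_net)
    exposed, beacons = set(), set()
    telnet_targets = defaultdict(set)
    for r in records:
        if "SYN" not in r["flags"]:
            continue  # only connection attempts matter here
        src_local, dst_local = r["src"] in net, r["dst"] in net
        if dst_local and not src_local and r["dport"] == TELNET_PORT:
            exposed.add(str(r["dst"]))
        if src_local and not dst_local:
            if r["dport"] == MIRAI_PORT:
                beacons.add(str(r["src"]))
            if r["dport"] == TELNET_PORT:
                telnet_targets[str(r["src"])].add(r["dst"])
    scanners = {h for h, dsts in telnet_targets.items() if len(dsts) >= scan_threshold}
    return sorted(exposed), sorted(beacons), sorted(scanners)


if __name__ == "__main__":
    exposed, beacons, scanners = triage(parse_log(SAMPLE_LOG), "192.0.2.0/24")
    print("telnet reachable from outside:", exposed)
    print("outbound to TCP/48101:", beacons)
    print("telnet scanning fan-out:", scanners)
```

    On the sample log, 192.0.2.10 shows up in all three lists, which is the pattern worth acting on first: a device that was reachable on telnet, called out to the port named in the post, and is now probing telnet on other hosts. Because the post notes that the malware leaves no file on disk and vanishes on reboot, this kind of network-side evidence is often all a defender gets, so it is worth collecting before power-cycling the device.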
  48. Tomi Engdahl says:

    Major cyberattack seller knocked offline as it faces arrests
    Two teens may have made over $600,000 offering to knock websites offline.
    https://www.engadget.com/2016/09/11/major-cyberattack-seller-busted/

    One of the more popular cyberattack peddlers just came crashing down. Israeli law enforcement has arrested Yarden Bidani and Itay Huri as part of an FBI investigation into their alleged control of vDOS, one of the most popular paid attack platforms. According to information unearthed by security guru Brian Krebs from a third-party hack targeting vDOS, the two teens raked in at least $618,000 launching “a majority” of the distributed denial of service campaigns you’ve seen in recent years. The platform itself is also offline, although that’s due to one of vDOS’ victims (BackConnect Security) using a bogus internet address claim to stem the flood of traffic hitting its servers.

    Bidani and Huri weren’t exactly careful about covering their tracks, Krebs says.

    Reply
  49. Tomi Engdahl says:

    33 million CLEARTEXT creds for Russian IM site dumped by chap behind Last.FM mess
    Leaker tells El Reg his dumps are justified because they trigger password resets

    Instant messaging platform QIP.ru has suffered the loss of approximately 33 million user records, which have emerged as cleartext.

    “The database contains user email addresses, usernames, passwords and other related fields dating from 2009-2011,” Semanek says.

    “The passwords within the database were stored in plaintext with no encryption or hashing.”

    Reply
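    The QIP.ru dump above is the textbook case of passwords "stored in plaintext with no encryption or hashing". As an added example for this page (not code from QIP.ru, The Register or the leaker), here is that storage pattern beside the minimal alternative: a salted, iterated hash from Python's standard library, verified with a constant-time comparison. The user names, passwords and iteration count are assumptions made for the example.

```python
"""Plaintext credential storage beside a salted PBKDF2 alternative (added example)."""
import base64
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 200_000  # assumed tuning; raise as hardware allows
ALGO = "pbkdf2_sha256"


# --- what the QIP.ru table looked like: the dump *is* the password list ---

def store_plaintext(db, user, password):
    """Anyone who obtains db can read every password directly."""
    db[user] = password


def verify_plaintext(db, user, password):
    return db.get(user) == password


# --- the alternative: a per-user salt and an iterated hash ---

def store_hashed(db, user, password):
    """Store 'algo$iterations$salt$hash' so the parameters travel with the record."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    db[user] = "$".join([
        ALGO,
        str(PBKDF2_ITERATIONS),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    ])


def verify_hashed(db, user, password):
    """Recompute with the stored salt/iterations and compare in constant time."""
    record = db.get(user)
    if record is None:
        return False
    try:
        algo, iterations, salt_b64, dk_b64 = record.split("$")
    except ValueError:
        return False
    if algo != ALGO:
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), base64.b64decode(salt_b64), int(iterations)
    )
    return hmac.compare_digest(dk, base64.b64decode(dk_b64))


def readable_passwords(db):
    """Simulate a dump: how many records expose the password as-is?"""
    return sum(1 for v in db.values() if not v.startswith(ALGO + "$"))


if __name__ == "__main__":
    weak, strong = {}, {}
    for user, pw in [("alice", "correct horse"), ("bob", "hunter2")]:  # constructed
        store_plaintext(weak, user, pw)
        store_hashed(strong, user, pw)
    print("plaintext table exposes", readable_passwords(weak), "passwords")
    print("hashed table exposes", readable_passwords(strong), "passwords")
    print("alice logs in:", verify_hashed(strong, "alice", "correct horse"))
```

    The point of the record format is that a leak of the hashed table gives an attacker only salted, slow hashes to crack, and the stored iteration count lets the site raise the cost later without invalidating existing accounts. Hashing does not remove the need for the password resets the leaker talks about, but it turns a dump from "every password" into "every password an attacker is willing to spend compute on".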

Leave a Comment

Your email address will not be published. Required fields are marked *

*

*