Security trends for 2016

Here are my predictions for trends in information security and cyber security for year 2016.

Year 2015 was pretty bad for information security, and I would say that the trend is worrying. So I expect that 2016 will have many information security challenges. If you want to keep yourself up at night, spend some time reading about the latest developments in cybersecurity. In 2015 airplanes were hacked, cars were hacked, and vulnerabilities were found in a breathtaking range of sensitive equipment from TSA locks to voting booths to medical devices. The big picture is even scarier. Former NSA Director Mike McConnell suspects China has hacked “every major corporation” in the US. Those problems will continue in 2016 and some new targets for attacks will be found. The system is broken. It isn’t keeping us, our companies, or our government safe. Worse yet, no one seems to know how to fix it.

Attacks through networks are becoming more common all the time. It will be hard to protect against targeted attacks. Hackers will not only customize malware, but will increasingly use sophisticated phishing and social engineering tricks to gain access to sensitive data. Attackers usually cover their tracks carefully, so identifying who is behind an attack can be very difficult. Behind targeted attacks are usually professional criminals. Criminals do not respect geographical borders, and hence attacks are spread evenly everywhere. Companies will struggle to absorb the security threats of combined PC and mobile devices in 2016.

 


EU information security decisions made in late 2015 will have an impact on what comes in 2016: the new EU data protection legislation package was approved, and the EU Court of Justice ruled that the Safe Harbor procedure is invalid. This means that transfers of personal data from EU countries to the United States under Safe Harbor now violate the law – you need some other agreement for this. The situation will probably get clarified during 2016. Data protection legislation changes will lead to increased fines for the unprepared. Legal uncertainty and big fines are a toxic cocktail for some companies. The combination of stiff penalties and ambiguously worded provisions in the new EU-wide data-protection law, which would replace a patchwork of 28 national laws, raises daunting prospects for companies operating in Europe.

After the huge number of user information leaks in 2015 from all kinds of Internet services, cloud companies will face challenges in gaining trust in their security. You might have just dared to trust “the right cloud services”, since from the traditional information security point of view they seemed mostly fine, but now privacy issues have been raised.

New environments will bring new threats. New operating system versions mean that administrators and users are less familiar with the environments. IPv6 will get more widely used, and the security of IPv6 networks is different from IPv4. Organizations are moving to virtualized environments, which are complex and create network layers that can become an attack vector. Growing network virtualization functionality and programmability are both an opportunity and a threat to security. Cyber security research will be important in 2016, as 5G networks will be critical infrastructure on top of which, for example, transport, industry, health and the new operators set up their business around 2020.

The huge amount of information security news is becoming harder and harder to manage in 2016. A key problem with security revelations, as with all other news coverage, is the exponential growth of information. There are a variety of news summaries produced on a daily basis, but they are not enough to get a good picture of what is happening. There are bigger and smaller news items, the impact of which is at times very difficult to assess. SMBs will become a bigger target for cybercriminals. Network and security professionals continue to be among the toughest IT talent to find and hire.

The old way of network security, focused on perimeter defense, is not enough in 2016. The old mantras “encrypt everything” and “secure the perimeter” are not enough. One deceptive truth seems to drive much of the cybersecurity industry down a rabbit hole: if you keep bad actors and bad software out of your system, you have nothing to worry about. It does not work like that anymore. As perimeter security gets stronger, malicious actors are looking for easier entry points to compromise an organisation through the breadth of its digital attack surface. Now malicious actors target “endpoints”—any device or sensor connected to a network—to break into that network. Traditional sandboxing will no longer protect against the growing malware landscape. Today, most private networks have far too many endpoints to properly secure. In an age of “Bring Your Own Device,” the cloud, remote access, and the Internet of Things, there are too many vulnerabilities hackers can exploit. Keep in mind that everything connected to the Internet can, and will, be hacked. To address those threats in 2016, security experts should assume compromise – that hackers and malware already have breached their defenses, or soon will – and instead classify and mitigate threats. In addition to the public key infrastructure lock-and-key system, you will also need an integrity solution that acts like an alarm. To protect against advanced threats, security professionals will increase their reliance on centralized security management solutions. You need to have prioritization and response plans for various kinds of breaches – with a strong focus on integrity.

The tension between law enforcement and Silicon Valley will continue to be strong throughout 2016. In 2015 law enforcement and politicians on both sides of the Atlantic lined up to repeatedly complain that the web was “going dark” as the result of end-to-end encryption and that this was hampering the investigation of terrorism and other serious crimes. Technologists and cryptographers argue that governments are trying to weaken encryption by demanding some form of privileged access for government. It’s not clear how much encryption the NSA can break. With renewed focus on how encrypted messages can be used to plot terrorist attacks, President Barack Obama’s administration is stepping up pressure on the tech sector to help in the battle. Privacy remains a major counter-argument. It seems that governments lie about encryption backdoors. Encryption systems weakened by mandated backdoors would not be effective in fighting the terrorists that governments invoke as their reason for wanting those backdoors in the first place.

But this does not stop some government officials from demanding such a thing, with varying success in different countries. Another fact is that the existence of coded communications is a reality, and the U.S. may not be able to do much about it because nearly everyone living in modern society uses it: encryption protects your bank information, prevents your password from being stolen when you log into a website, and allows all e-commerce transactions to take place securely. Encryption weakened by mandated backdoors would put all of us at an enormous risk of exposure from data breaches and associated online risks. The truth in 2016 is that any form of privileged access for government – i.e., a backdoor – would inevitably weaken crypto-systems and make them more vulnerable to attacks by foreign governments’ intelligence agencies as well as criminals. Juniper’s VPN security hole is proof that government backdoors are bonkers. Encryption backdoors would be a gleeful win-win for terrorists and a horrific lose-lose for you – the bad guys having strong protections for their data, and the rest of us not. Poorly thought-out and crude surveillance techniques can have a devastating effect on a country’s internet security: for example, Kazakhstan will force its citizens to install internet backdoors by requiring all Internet users to install a state-issued root certificate by January 1, 2016.

Google, Mozilla and Microsoft are pushing for an early SHA-1 crypto cutoff that can happen in 2016 instead of the earlier planned January 1, 2017. This is due to recent research showing that SHA-1 is weaker than previously believed, because it has been cracked without enormous effort. Mozilla, Microsoft and now Google are all considering bringing the deadline forward by six months to July 1, 2016. SHA-2 is going to be used as the replacement function for SHA-1. Websites like Facebook and those protected by CloudFlare have implemented a SHA-1 fallback mechanism for those systems that do not support SHA-2. Chrome will start displaying errors if SHA-1 certificates are employed in early 2016 and will completely stop supporting SHA-1 certificates at the end of 2016.
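To find out which certificates in your own inventory will hit that cutoff, here is an added check (my example, not code from the post or from any browser vendor) that reads a PEM certificate using only the Python standard library and reports the outer signature algorithm; `fake_certificate` builds a constructed, unsigned skeleton purely for testing, and unknown OIDs are returned in dotted form rather than guessed.

```python
import base64
import sys

# Signature-algorithm OIDs from RFC 3279 / RFC 4055 / RFC 5758.
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
    "1.2.840.10045.4.3.4": "ecdsa-with-SHA512",
}
# SHA-1 based signatures: the ones the 2016 browser deadlines reject.
SHA1_OIDS = {"1.2.840.113549.1.1.5", "1.2.840.10045.4.1"}


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next n bytes carry the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _decode_oid(content):
    """Turn DER OBJECT IDENTIFIER content octets into dotted-decimal text."""
    arcs = [content[0] // 40, content[0] % 40]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                    # high bit clear ends this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def pem_to_der(pem_text):
    """Strip the PEM armour lines and base64-decode the certificate body."""
    body = [ln.strip() for ln in pem_text.splitlines() if not ln.startswith("-----")]
    return base64.b64decode("".join(body))


def signature_oid(der):
    """Dotted OID of the outer signatureAlgorithm field of
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    tag, start, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = _read_tlv(der, start)   # skip tbsCertificate entirely
    tag, alg_start, _ = _read_tlv(der, tbs_end)
    if tag != 0x30:
        raise ValueError("expected AlgorithmIdentifier SEQUENCE")
    tag, oid_start, oid_end = _read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    return _decode_oid(der[oid_start:oid_end])


def check_certificate(der):
    """Report the signature algorithm and whether it is SHA-1 based."""
    oid = signature_oid(der)
    # Unknown OIDs (e.g. RSASSA-PSS, whose hash sits in the parameters) are
    # reported as dotted numbers so the operator can look them up.
    return {"algorithm": SIGNATURE_OIDS.get(oid, oid), "sha1": oid in SHA1_OIDS}


# --- constructed test fixture: a structurally valid but unsigned skeleton ---
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return _der(0x06, bytes(out))


def fake_certificate(sig_oid):
    """Constructed Certificate skeleton carrying sig_oid; not a real, signed cert."""
    alg = _der(0x30, _oid(sig_oid) + _der(0x05, b""))
    tbs = _der(0x30, _der(0x02, b"\x01") + alg)        # serial + signature field
    sig = _der(0x03, b"\x00" * 17)                      # dummy BIT STRING
    return _der(0x30, tbs + alg + sig)


if __name__ == "__main__":
    with open(sys.argv[1]) as f:                        # path to a PEM certificate
        print(check_certificate(pem_to_der(f.read())))
```

Run it over every PEM file your servers and load balancers present; anything reported with `"sha1": True` needs reissuing under SHA-2 before the browsers start refusing it.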

The use of Blockchain technology, a permissionless distributed database based on the bitcoin protocol that runs across a global network of independent computers, will spread beyond just Bitcoin virtual money. With bitcoin, Blockchain tracks the exchange of money. But it can also track the exchange of anything else that holds value, including stocks, bonds, and other financial securities. Overstock has already used the blockchain to issue private bonds. The Securities and Exchange Commission has approved a plan from online retailer Overstock.com to issue company stock via the Internet, signaling a significant shift in the way financial securities will be distributed and traded in the years to come. Overstock built its technology under the aegis of a subsidiary called TØ.com, and it plans to offer this “cryptosecurity” tech as a service to other businesses. Nasdaq OMX—the company behind the Nasdaq stock exchange—is using the blockchain to oversee the exchange of private stock. Also, several major companies from across both the technology and financial industries—including IBM, Intel, and Cisco as well as the London Stock Exchange Group and big-name banks JP Morgan, Wells Fargo, and State Street—have joined forces with the Linux Foundation to create an alternative to the blockchain.

The use of disk encryption will increase, and there are different ways to do it with different security levels. Microsoft has introduced Windows 10 disk encryption where the recovery keys are uploaded to Microsoft. This approach has some advantages and disadvantages. The gold standard in disk encryption is end-to-end encryption, where only you can unlock your disk. This is what most companies use, and it seems to work well. It protects data in case your device is lost or stolen. But what if you forget or lose your key? There are certainly cases where it’s helpful to have a backup of your key or password – so keeping a backup of your recovery key in your Microsoft account could be genuinely useful for probably the majority of users that don’t have high security needs. The disadvantage of this approach is that your computer is now only as secure as that database of keys held by Microsoft, which means it may be vulnerable to hackers, foreign governments, and people who can extort Microsoft employees.


Weak and leaked passwords are still a huge security problem in 2016. Passwords are often the weakest part when it comes to securing users’ accounts, as many don’t use complex passwords or they reuse the same password across services. Two-factor authentication – like using a USB stick with a secret token or entering a code sent via text message to your phone – can help to increase security, but many users also find this to be a hassle as it introduces an additional step to the login process.

Google has begun testing a login system that uses phone notifications for authentication instead of passwords: users authenticate by responding to a notification sent to their smartphone. The idea is similar to Yahoo’s recently launched “Account Key,” which also offers a password-free means of signing in, involving a push notification sent to your phone that then opens an app where you approve the log-in.

Smartphones will become a more and more security-critical part of your life. “Increasingly, individuals and organisations are adopting password managers and multi-factor authentication technologies to plug some of the holes in password-based authentication. We foresee a world where practically everyone uses their smartphone as a multi-factor authentication element. In this world, the smartphone becomes your most valuable asset: something that enables you to unlock your life online and a target for attackers seeking to access your services.”

Expect that the number of mobile vulnerabilities will only grow in 2016. In 2016 we will see increasing numbers of cyber criminals using mobile applications to spread malware. Mobile presents an easy target for cyber criminals, because it is an attack surface that is open and extremely difficult to defend once an app has been released. Android threats will become more than just headline-grabbers. Will 2016 be the year iOS malware goes mainstream?


Critical infrastructures will be highly targeted in 2015. SCADA and ICS networks were not designed for security. Attacks against these systems have increased in recent years, and I expect this trend to only get worse. There are still many companies that run their critical systems on Windows XP, as “There are some people who don’t have an option to change.” Many times the OS is running in automation and process control systems that run business- and mission-critical systems, both in private sector and government enterprises. For example, the US Navy is using the obsolete operating system Microsoft Windows XP to run critical tasks. It all comes down to money and resources, but if someone is obliged to keep something running on an obsolete system, it’s completely the wrong approach to information security.

Cars were hacked at a record rate in 2015, and they will be hacked at least at the same rate in 2016. Modern cars feature more gadgetry and connected systems, and this will make vehicles just as vulnerable to today’s threats and attacks. I Am The Cavalry has published a five-star Cyber Safety Framework to mitigate this threat in cars; hopefully car component makers study it.

IoT and smart devices are still at risk. The Internet of Things will continue to emerge, and businesses will need to think about how to protect their smart devices and prepare for the wider adoption of IoT. IoT platforms are not yet the weapon of choice for commercial malware authors, but businesses beware. Wearables won’t be safe either, as they are built using largely the same, too often vulnerable, technologies as other IoT systems. IoT security is still in its infancy in 2016.

Cyber criminals became more active in 2015, particularly with ransomware. The ransomware problem will continue to be big in 2016. Commercial malware authors will continue to invest heavily, and exploit kits will continue to dominate on the web. Ransomware today is big business. Ransomware takes control of a computer and holds it hostage until the victim pays, usually in the digital currency Bitcoin. As a remedy against ransomware, I recommend making sure that your IT support or service provider has the data backup and restore procedure operational, practiced and tested. You may need it in 2016 to get your data back without considering paying the criminals. To date ransomware has hit Windows users hardest, although Android and MacOS users are now also facing similar extortion.

Ransomware will continue to dominate in 2016, and it is only a question of time before we see things beyond data being ransomed. We have already seen websites being held to ransom with DDoS. Intel’s McAfee Labs also noted a huge spike in ransomware in early 2015, and worries about ransomware in the IoT space—including medical devices. And Kaspersky predicts the “nightmare of ransomware” to continue and “spread to new frontiers” in 2016. The article Ransomware Is Coming to Medical Devices tells that according to a report released recently by Forrester Research, the number one cybersecurity prediction for 2016 is: “We’ll see ransomware for a medical device or wearable.” “It’s definitely feasible from a technical standpoint.” Networked medical devices save lives. Despite the hacking risk, it’s an informed trade-off. Medical device ransomware would be a modern form of highway robbery with lives at stake.

2,232 Comments

  1. Tomi Engdahl says:

    Do you think that activity bracelet data is protected?

    Activity or fitness bracelets were sold during the first quarter of the year in over 20 million copies. They collect all sorts of information about the user. Unfortunately, the data is easy to capture on its way to the cloud.

    Technical University of Darmstadt cyber security professor Ahmad-Reza Sadeghi explained that almost all of the data from the bracelets can be captured. The study included 17 different bracelets from large manufacturers such as Xiaomi and Garmin.

    While all cloud-based solutions transfer the wristband data over encrypted protocols, such as HTTPS, only four of the wristbands had done anything at all so that the data would remain protected. According to Sadeghi, even these methods do not prevent a motivated hacker.

    Sadeghi’s team was able to make the so-called man-in-the-middle attack, i.e. to manipulate the data on the way to cloud services. For example, five bracelets saved data only in raw text format on the smartphone, which is a big security risk.

    Sadeghi says that insurance companies and others who build services upon monitoring of activity should let information security professionals manage the storage, transfer and verification of the data. This is becoming a more and more important position as activity bracelet data will be taken, for example, to court as evidence.

    Source: http://etn.fi/index.php?option=com_content&view=article&id=5031:luuletko-etta-aktiivisuusrannekkeen-data-on-suojassa&catid=13&Itemid=101

    Reply
  2. Tomi Engdahl says:

    Bruce Schneier / Lawfare:
    Companies running critical Internet infrastructure are observing recent probe-like DDoS attacks at a scale that points to state actors, likely China or Russia

    Someone Is Learning How to Take Down the Internet
    https://www.lawfareblog.com/someone-learning-how-take-down-internet

    Over the past year or two, someone has been probing the defenses of the companies that run critical pieces of the Internet. These probes take the form of precisely calibrated attacks designed to determine exactly how well these companies can defend themselves, and what would be required to take them down. We don’t know who is doing this, but it feels like a large nation state. China and Russia would be my first guesses.

    First, a little background. If you want to take a network off the Internet, the easiest way to do it is with a distributed denial-of-service attack (DDoS). Like the name says, this is an attack designed to prevent legitimate users from getting to the site. There are subtleties, but basically it means blasting so much data at the site that it’s overwhelmed. These attacks are not new: hackers do this to sites they don’t like, and criminals have done it as a method of extortion. There is an entire industry, with an arsenal of technologies, devoted to DDoS defense.

    Recently, some of the major companies that provide the basic infrastructure that makes the Internet work have seen an increase in DDoS attacks against them. Moreover, they have seen a certain profile of attacks. These attacks are significantly larger than the ones they’re used to seeing. They last longer. They’re more sophisticated. And they look like probing.

    The attacks are also configured in such a way as to see what the company’s total defenses are.

    I am unable to give details, because these companies spoke with me under condition of anonymity. But this all is consistent with what Verisign is reporting.

    There’s more. One company told me about a variety of probing attacks in addition to the DDoS attacks: testing the ability to manipulate Internet addresses and routes, seeing how long it takes the defenders to respond, and so on. Someone is extensively testing the core defensive capabilities of the companies that provide critical Internet services.

    Who would do this? It doesn’t seem like something an activist, criminal, or researcher would do. Profiling core infrastructure is common practice in espionage and intelligence gathering.

    What can we do about this? Nothing, really.

    But this is happening. And people should know.

    Reply
  3. Tomi Engdahl says:

    Russell Brandom / The Verge:
    Viacom, Hasbro, and others fined $835,000 for ad tracking on children’s websites — The Attorney General’s investigation found that websites for Barbie, Dora the Explorer, and other popular children’s brands were tracking users to serve ads. While common on the web, ad tracking is forbidden

    Viacom, Hasbro, and others fined $835,000 for ad tracking on children’s websites
    ‘The law has been very clear on this’
    http://www.theverge.com/2016/9/13/12902588/child-tracking-online-ads-viacom-hasbro-mattell-barbie

    Today, New York Attorney General Eric Schneiderman announced an $835,000 settlement with Viacom, Hasbro, Mattel, and Jumpstart over online tracking on children’s websites.

    The Attorney General’s investigation found that websites for Barbie, Dora the Explorer, and other popular children’s brands were tracking users to serve ads. While common on the web, ad tracking is forbidden for sites directed at children under 13 by the Children’s Online Privacy Protection Rule (or COPPA).

    “While the law has been very clear on this,” Schneiderman said in an announcement. “It’s not been clear what companies have been doing to comply with it.”

    As part of the settlement, each company has agreed to withdraw third-party trackers, as well as conducting regular scans and vetting vendors to ensure they’re in compliance with COPPA in the future.

    Despite COPPA’s specific protections for services directed at children, third-party tracking is nearly inescapable on the modern web, and Google is by far the most popular source for that tracking. A Princeton Web Census survey conducted earlier this year found that more than 45 percent of the top million sites included a tracker for Google’s Doubleclick for Publishers service.

    Reply
  4. Tomi Engdahl says:

    Steven Scheer / Reuters:
    Israel’s Cyber-security start-up Claroty exits stealth, raises $32M from Bessemer Venture Partners, Eric Schmidt’s Innovation Endeavors, others

    Israeli cyber-security firm Claroty exits ‘stealth mode,’ raises $32 million
    http://www.reuters.com/article/us-tech-israel-claroty-idUSKCN11J1DD

    “The reason these critical systems are increasingly exposed to cyber threats is twofold: Industrial and IT networks are becoming considerably more interconnected in order to achieve important business goals, but industrial control systems were originally designed with safety and resilience, not cyber-security, as primary objectives,” said Amir Zilberstein, Claroty’s CEO.

    Reply
  5. Tomi Engdahl says:

    Commercial software chokkas with ancient brutal open source vulns
    Closed source, open holes
    http://www.theregister.co.uk/2016/05/04/commercial_software_chokkas_with_ancient_brutal_open_source_vulns/

    Commercial software is riddled with old critical open source flaws that are largely hidden from the eyes of enterprises, according to Black Duck Software.

    The manual audit report The State of Open Source Security in Commercial Applications [PDF] by the open source security tester studied 200 applications over a six month period to March, finding 67 percent of open source componentry had unpatched holes, or about 23 holes apiece.

    The holes were five years old on average with 40 percent classified as high severity with CVSS scores of seven and above, and 52 percent as medium severity.

    Ten percent of the flaws were POODLE (Padding Oracle On Downgraded Legacy Encryption) revealed by El Reg in October.

    https://info.blackducksoftware.com/rs/872-OLS-526/images/OSSAReportFINAL.pdf

    Reply
  6. Tomi Engdahl says:

    Wired:
    Changes to Rule 41 of Federal Rules of Criminal Procedure to let FBI hack unspecified number of PCs with single warrant, starting Dec. 1, unless Congress blocks

    The Feds Will Soon Be Able to Legally Hack Almost Anyone
    https://www.wired.com/2016/09/government-will-soon-able-legally-hack-anyone/

    Digital devices and software programs are complicated. Behind the pointing and clicking on screen are thousands of processes and routines that make everything work. So when malicious software—malware—invades a system, even seemingly small changes to the system can have unpredictable impacts.

    That’s why it’s so concerning that the Justice Department is planning a vast expansion of government hacking. Under a new set of rules, the FBI would have the authority to secretly use malware to hack into thousands or hundreds of thousands of computers that belong to innocent third parties and even crime victims. The unintended consequences could be staggering.

    The new plan to drastically expand the government’s hacking and surveillance authorities is known formally as amendments to Rule 41 of the Federal Rules of Criminal Procedure, and the proposal would allow the government to hack a million computers or more with a single warrant.

    Reply
  7. Tomi Engdahl says:

    Michael Kan / PCWorld:
    The World Anti-Doping Agency says Russian cyber espionage group hacked its database, stole medical information about Olympic athletes — The hacking group Fancy Bear has also been blamed for breaching the DNC — The same Russian state-sponsored hackers that allegedly breached …

    Russian hackers allegedly target the World Anti-Doping Agency
    The hacking group Fancy Bear has also been blamed for breaching the DNC
    http://www.pcworld.com/article/3119880/russian-hackers-allegedly-target-the-world-anti-doping-agency.html

    The same Russian state-sponsored hackers that allegedly breached the Democratic National Committee may have also targeted the World Anti-Doping Agency.

    On Tuesday, the sports drug-testing agency blamed a recent breach of its network on a Russian hacking group known as APT 28 or Fancy Bear.

    The hackers gained access to the agency’s database and stole information about athletes including confidential medical data. Some of that data has already been publicly released, and the hackers have threatened to release more, the agency said in a statement.

    It’s unclear when the breach occurred. However, in August, another hacking incident also targeted the whistleblower, Yuliya Stepanova, who exposed Russian-backed doping of Olympic teams.

    Reply
  8. Tomi Engdahl says:

    A Teenage Hacker Figured Out How to Get Free Data on His Phone
    http://motherboard.vice.com/read/a-teenage-hacker-figured-out-how-to-get-free-data-on-his-phone-t-mobile

    Jacob Ajit is 17 and he just hacked his way to getting free phone data, presumably so that he can do whatever it is that Teens do online these days without alerting his parents with overage fees.

    “Honestly, I just investigated this out of curiosity, and to learn a bit about how these networks are configured,” Ajit wrote me when I reached him over email. “T-Mobile will likely fix this soon, but I wanted to share my findings with the community in the meantime.”

    According to a Medium post Ajit posted on Wednesday, he made his discovery while playing around with a prepaid T-Mobile phone with no service. The phone was still able to connect to the network, although it would only take him to a T-Mobile portal asking him to renew the prepaid phone plan. For some reason, though, Ajit wrote that his internet speed test app still worked, albeit through a T-Mobile server.

    Ajit figured out that he was able to access media sent from any folder labelled “/speedtest,” possibly because T-Mobile whitelists media files from speed tests regardless of the host.

    How I gained access to TMobile’s national network for free
    We’ll see how long this survives after this post, of course…
    https://medium.com/@jacobajit/how-i-gained-access-to-tmobiles-national-network-for-free-f9aaf9273dea#.z8ufclqax

    Important edit: I wanted to clarify that I have reached out to TMobile and am awaiting a response. However, I made a decision to go ahead and publish this in the meantime since this unintentional flaw does not pose any harm to TMobile or their customers. It’s a trivial fix to whitelist Speedtest servers based on their official host list, as I point out in this post, and the educational benefits of sharing my findings with the community in this case outweighed the case for waiting for a [possible] response from TMobile.

    Reply
  9. Tomi Engdahl says:

    Timeline of computer security hacker history
    https://en.wikipedia.org/wiki/Timeline_of_computer_security_hacker_history

    1903
    Magician and inventor Nevil Maskelyne disrupts John Ambrose Fleming’s public demonstration of Guglielmo Marconi’s purportedly secure wireless telegraphy technology, sending insulting Morse code messages through the auditorium’s projector

    Reply
  10. Tomi Engdahl says:

    Lucian Constantin / PCWorld:
    Google releases Verified Access API for enterprise that will cryptographically validate identity of Chrome OS devices — New Verified Access API provides cryptographic guarantees about the identity and security state of Chrome OS devices — Companies will now be able to cryptographically validate …

    Chrome OS gets cryptographically verified enterprise device management
    http://www.pcworld.com/article/3120698/security/chrome-os-gets-cryptographically-verified-enterprise-device-management.html

    New Verified Access API provides cryptographic guarantees about the identity and security state of Chrome OS devices

    Companies will now be able to cryptographically validate the identity of Chrome OS devices connecting to their networks and verify that those devices conform to their security policies.

    On Thursday, Google announced a new feature and administration API called Verified Access. The API relies on digital certificates stored in the hardware-based Trusted Platform Modules (TPMs) present in every Chrome OS device to certify that the security state of those devices has not been altered.

    Many organizations have access controls in place to ensure that only authorized users are allowed to access sensitive resources and they do so from enterprise-managed devices conforming to their security policies.

    Most of these checks are currently performed on devices using heuristic methods, but the results can be faked if the devices’ OSes are compromised. With Verified Access, Google plans to make it impossible to fake those results in Chromebooks.

    Organizations will be able to integrate their WPA2 EAP-TLS networks, VPN servers, and intranet pages that use mutual TLS-based authentication with the Verified Access API through the cloud-based Google Admin console.

    Reply
  11. Tomi Engdahl says:

    David Meyer / Fortune:
    De-Cix, operator of the world’s largest Internet exchange point, is suing German government over Federal Intelligence Service’s mass surveillance requests

    World’s Biggest Internet Hub Sues German Government Over Surveillance
    http://fortune.com/2016/09/16/de-cix-surveillance-germany/

    Massive surveillance by BND spy agency is illegal, says De-Cix.

    The operator of the world’s largest Internet exchange point, De-Cix, is suing the German government in an attempt to stop mass surveillance by the country’s spies.

    Internet exchange points are the hubs where the Internet’s core lines cross paths, so information can flow from anywhere to anywhere. De-Cix’s main hub is in Frankfurt, Germany, and it is the largest of its kind in the world.

    On Friday, De-Cix said it was pushing back against the legal orders it receives from the German Federal Intelligence Service (Bundesnachrichtendienst, or BND, for short) that force it to allow the mass monitoring of communications flowing through its Frankfurt Internet exchange point.

    De-Cix said it wanted to show that the orders were illegal under the so-called G10 Act, which is analogous to the controversial U.S. Foreign Intelligence Surveillance Act (FISA), and allows the strategic monitoring of international communications that flow through Germany.

    The German government is currently trying to pass a new law governing the BND that, critics say, would legalize the agency’s illegal activities.

    Reply
  12. Tomi Engdahl says:

    Ingrid Lunden / TechCrunch:
    Oracle buys Palerra, a cloud security startup co-founded by Oracle alums Rohit Gupta and Ganesh Kirti, which had raised $25M

    Oracle buys Palerra to boost its security stack
    https://techcrunch.com/2016/09/18/oracle-buys-palerra-to-boost-its-security-stack/

    Oracle is kicking off a big customer confab in San Francisco this week, and to mark the event, it’s announced an acquisition. Oracle is buying Palerra, a cloud security startup co-founded by Oracle alums Rohit Gupta (its CEO) and Ganesh Kirti (CTO).

    Terms of the deal were not disclosed but we will try to find out. Palerra was founded in 2013 (originally called Apprity) and raised $25 million with investors including Norwest Venture Partners and August Capital.

    Reply
  13. Tomi Engdahl says:

    Global Internet of Things Security Market to Be Worth $9 Bn in 2016
    https://www.asdreports.com/news-18241/global-internet-things-security-market-be-worth-9-bn-2016?utm_source=IIoT+Newsletter&utm_medium=email&utm_campaign=Sept

    This 246 page report, now available on ASDReports, Internet of Things (IoT) Security Market 2016-2021: Cyber Security Forecasts for Medicine (Connected Health, Telemedicine, Hospital Equipment, mHealth, Health & Fitness Wearable Technology), Transport (Automotive, Connected Car, Connected Aircraft / Aviation, Maritime Vessels, Public Transport), Industrial Internet of Things (IIoT) (Industrial Control Systems (ICS), Critical Infrastructure, Buildings, Machine-to-Machine (M2M), Manufacturing, Retail, Utilities, Energy, Agriculture, Supply Chain Management), Connected Home (Consumer Connected Devices, Smartphones, Tablets, Fixed Line Broadband & Mobile Communications, Smart Appliances), indicates that the IoT Security market is set to reach $9bn in 2016 as IoT enabled devices become a more ubiquitous part of global society.

    The Internet of Things (IoT) Security Market 2016-2021: Cyber Security Forecasts for Medicine (Connected Health, Telemedicine, Hospital Equipment, mHealth, Health & Fitness Wearable Technology), Transport (Automotive, Connected Car, Connected Aircraft / Aviation, Maritime Vessels, Public Transport), Industrial Internet of Things (IIoT) (Industrial Control Systems (ICS), Critical Infrastructure, Buildings, Machine-to-Machine (M2M), Manufacturing, Retail, Utilities, Energy, Agriculture, Supply Chain Management), Connected Home (Consumer Connected Devices, Smartphones, Tablets, Fixed Line Broadband & Mobile Communications, Smart Appliances) will be of impressive value to current and future investors within the IoT Security market, as well as to companies and research centres who wish to broaden their knowledge of the IoT Security industry.

    Reply
  14. Tomi Engdahl says:

    Do you think that activity bracelet data is protected?

    Over 20 million activity or fitness bracelets were sold during the first quarter of the year. They collect all sorts of information about the user. Unfortunately, the data is easy to capture on its way to the cloud.

    Ahmad-Reza Sadeghi, professor of cyber security at the Technical University of Darmstadt, explained that almost all of the data can be captured once it leaves the bracelets. The study included 17 different bracelets from large manufacturers such as Xiaomi and Garmin.

    While all the cloud-based solutions transfer wristband data over encrypted protocols such as HTTPS, only four of the wristbands did anything beyond that to keep the data protected. According to Sadeghi, even these methods do not stop a motivated hacker.

    Sadeghi’s team was able to carry out a so-called man-in-the-middle attack, i.e. to manipulate the data on its way to the cloud services. For example, five bracelets saved data in plain text on the smartphone, which is a big security risk.

    According to Sadeghi, insurance companies and others who build services on activity monitoring should let information security professionals manage the storage, transfer and verification of the data.

    Source: http://etn.fi/index.php?option=com_content&view=article&id=5031&via=n&datum=2016-09-14_11:28:28&mottagare=30929

    Reply
  15. Tomi Engdahl says:

    The Importance of Automating Web Application Security Testing & Penetration Testing
    http://www.firewall.cx/general-topics-reviews/security-articles/1074-automation-web-application-security-testing.html

    Without automation of web application security testing, a true strong security posture is impossible to achieve. Of course, many other layers ultimately exist – least-privilege practice, segregated (jail, chroot, virtual machine) systems, firewalls, etc. – but if the front door is not secure, what does it matter if the walls are impenetrable? With the speed afforded by automation, a strong and capable web vulnerability scanner, and of course patching found flaws and risks, security testing guarantees as best as reasonably possible that the front door to your web application and underlying infrastructure remains reinforced and secure.

    Reply
  16. Tomi Engdahl says:

    Choosing a Web Application Security Scanner – The Importance of Using the Right Security Tools
    http://www.firewall.cx/general-topics-reviews/security-articles/1083-choosing-web-application-security-scanner.html

    Reply
  17. Tomi Engdahl says:

    Cryptomining malware on NAS servers
    https://www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/Cryptomining-malware-on-NAS-servers.pdf?la=en

    A couple of years ago, coin mining was a bubbling story. There were many threats that used infected machines to mine cryptocurrencies at the expense of the victim. Mining coins on someone else’s machine could provide the attacker with free CPU resources from each infected system, so there was no need to steal directly from the victim. The infected machine would also deliver the block rewards from the mining operations into the attacker’s wallet.

    The idea was perfect from the criminal’s point of view.

    Although mining Bitcoins is no longer profitable, there are plenty of other digital currencies that are quite new and are significantly less difficult to mine. Many of them have very good cryptographic protections, which can effectively hide their users. One of these cryptocurrencies is Monero.

    In this state, mining this type of cryptocurrency is profitable. Criminals recognized this and started to spread a new malware payload that uses infected machines to mine coins at the expense of the system owner’s CPU and GPU resources.

    Telemetry of the threat

    In the first 6 months of this year we counted 1,702,476 individual instances of this threat. However, the number of unique IP addresses corresponding to these instances was only 3,150. The reason for this is simple: the threat is trying to log in to FTP services with embedded credentials (anonymous, root, admin, etc.) with default and frequently used weak passwords. If successful - and the account has write access using the FTP service - they will copy Photo.scr and info.zip to each folder recursively. Thus, if a single FTP server is infected, it is infected with multiple instances.

    Reply
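A defender-side illustration of the telemetry point in the excerpt above (many payload copies, few source IPs) and of what an FTP log review would look for: a weak-account login followed by writes of Photo.scr or info.zip. This is an added example in Go, not code from the Sophos paper; the log line format, the timestamps and the RFC 5737 test addresses are constructed for the demo.

```go
package main

import (
	"fmt"
	"strings"
)

// Event is one parsed line of the constructed log format used here:
// "<timestamp> client=<ip> user=<name> action=<LOGIN_OK|LOGIN_FAIL|STOR> [path=<p>]".
type Event struct {
	Client, User, Action, Path string
}

// weakAccounts are the embedded account names the paper says the threat tries.
var weakAccounts = map[string]bool{"anonymous": true, "root": true, "admin": true}

// droppedFiles are the payload names the paper says get copied into every folder.
var droppedFiles = map[string]bool{"Photo.scr": true, "info.zip": true}

// SampleLog is constructed sample input, not real telemetry (RFC 5737 test addresses).
var SampleLog = []string{
	"2016-09-14T11:02:03 client=198.51.100.7 user=admin action=LOGIN_OK",
	"2016-09-14T11:02:05 client=198.51.100.7 user=admin action=STOR path=/share/Photo.scr",
	"2016-09-14T11:02:06 client=198.51.100.7 user=admin action=STOR path=/share/info.zip",
	"2016-09-14T11:02:09 client=198.51.100.7 user=admin action=STOR path=/share/photos/Photo.scr",
	"2016-09-14T11:05:44 client=203.0.113.9 user=anonymous action=LOGIN_OK",
	"2016-09-14T11:05:45 client=203.0.113.9 user=anonymous action=STOR path=/pub/Photo.scr",
	"2016-09-14T12:00:00 client=192.0.2.20 user=alice action=LOGIN_OK",
	"2016-09-14T12:00:02 client=192.0.2.20 user=alice action=STOR path=/home/alice/report.pdf",
}

// ParseLine extracts the key=value fields after the timestamp; lines without a
// client and an action are rejected.
func ParseLine(line string) (Event, bool) {
	fields := strings.Fields(line)
	if len(fields) < 2 {
		return Event{}, false
	}
	vals := map[string]string{}
	for _, f := range fields[1:] {
		if kv := strings.SplitN(f, "=", 2); len(kv) == 2 {
			vals[kv[0]] = kv[1]
		}
	}
	ev := Event{Client: vals["client"], User: vals["user"], Action: vals["action"], Path: vals["path"]}
	return ev, ev.Client != "" && ev.Action != ""
}

// Report mirrors the paper's two numbers (payload instances versus distinct source
// IPs) and lists the client/account pairs worth investigating.
type Report struct {
	Instances int      // STOR events that wrote a known payload file name
	UniqueIPs int      // distinct clients that wrote at least one payload
	Alerts    []string // "client:account" where a weak-account login preceded a payload drop
}

// Analyze walks the log once, remembering which account each client logged in with,
// so a payload drop can be tied back to the default credentials that enabled it.
func Analyze(lines []string) Report {
	loggedIn := map[string]string{} // client -> account of last successful login
	ips := map[string]bool{}
	alerted := map[string]bool{}
	var r Report
	for _, l := range lines {
		ev, ok := ParseLine(l)
		if !ok {
			continue
		}
		switch ev.Action {
		case "LOGIN_OK":
			loggedIn[ev.Client] = ev.User
		case "STOR":
			base := ev.Path[strings.LastIndex(ev.Path, "/")+1:]
			if !droppedFiles[base] {
				continue
			}
			r.Instances++ // one instance per dropped copy, as in the paper's count
			ips[ev.Client] = true
			account := loggedIn[ev.Client]
			key := ev.Client + ":" + account
			if weakAccounts[account] && !alerted[key] {
				alerted[key] = true
				r.Alerts = append(r.Alerts, key)
			}
		}
	}
	r.UniqueIPs = len(ips)
	return r
}

func main() {
	r := Analyze(SampleLog)
	fmt.Printf("payload instances: %d, unique source IPs: %d\n", r.Instances, r.UniqueIPs)
	fmt.Println("investigate:", r.Alerts)
}
```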
  18. Tomi Engdahl says:

    NIST Seeks Comments on Cybersecurity Reports
    http://www.eetimes.com/document.asp?doc_id=1330481&

    The US National Institute of Standards and Technology (NIST) has recently issued two draft reports on cybersecurity issues of interest to industrial IoT users, and is seeking industry comment before making their final revisions. One report describes the proposed manufacturing profile for NIST’s Cybersecurity Framework. The other addresses cryptography standards and practices for resource-constrained processors.

    Recognizing that the national and economic security of the United States depends on the reliable functioning of critical infrastructure, NIST created in 2014 a voluntary Cybersecurity Framework, which is a compendium of industry standards and best practices to help organizations manage cybersecurity risks. Created through collaboration between government and the private sector, the Framework helps guide cybersecurity activities and encourages organizations to consider cybersecurity risks as part of their risk management processes. Profiles, a key element of the Framework, help an organization align its cybersecurity activities with its business requirements, risk tolerances, and resources. A profile is intended both to help identify opportunities for improving cybersecurity as well as providing a touchstone to compare against in order to prioritize process improvement activities.

    While organizations are encouraged to develop their own custom profiles, NIST-issued profiles can serve as a roadmap for that effort in specific industry sectors. The recently-released draft Manufacturing Profile focuses on the desired cybersecurity outcomes for manufacturing systems and provides an approach for achieving those outcomes.

    The second cybersecurity report, DRAFT NISTIR 8114 — Report on Lightweight Cryptography, outlines NIST’s effort to develop a strategy for the standardization of lightweight cryptographic primitives such as block ciphers,
    http://csrc.nist.gov/publications/drafts/nistir-8114/nistir_8114_draft.pdf

    Reply
  19. Tomi Engdahl says:

    OpenSSL to Patch High Severity Vulnerability
    http://www.securityweek.com/openssl-patch-high-severity-vulnerability-0

    The OpenSSL Project announced on Monday that it will soon release updates that patch several vulnerabilities, including one rated as having “high” severity.

    OpenSSL versions 1.1.0a, 1.0.2i and 1.0.1u will be released on Thursday, September 22, at around 8:00 UTC. There are only a few details about the upcoming versions, but the OpenSSL Project said one of the issues has high severity, one has moderate severity, while the rest have low impact.

    High severity flaws are less likely to be exploitable compared to critical vulnerabilities. OpenSSL developers typically try to address these bugs within a month after learning of their existence.

    The OpenSSL Project has once again reminded users that support for version 1.0.1 will end on December 31. The 1.1.0 branch was launched on August 25.

    Reply
  20. Tomi Engdahl says:

    Oracle Buys Cloud Security Firm Palerra
    http://www.securityweek.com/oracle-buys-cloud-security-firm-palerra

    Oracle announced on Sunday that it has agreed to acquire Cloud Access Security Broker (CASB) firm Palerra for an undisclosed sum.

    Founded in 2013, Santa Clara, Calif.-based Palerra’s flagship “LORIC” platform helps customers secure applications, workloads and sensitive data stored across cloud services, while also helping them meet compliance requirements.

    Palerra explains that its platform provides threat visibility and ensures compliance of cloud footprint by combining threat detection, predictive analytics, security configuration management, and automated incident response.

    Oracle explained that the combination of Oracle’s Identity Cloud Service (IDaaS) and Palerra’s CASB solution will provide protection for users, applications and APIs, data, and infrastructure to secure customer adoption of cloud.

    Reply
  21. Tomi Engdahl says:

    US Confident in Election Security Despite Threats
    http://www.securityweek.com/us-confident-election-security-despite-threats

    The US homeland security chief said Friday authorities have confidence in the integrity of electoral systems despite growing cybersecurity threats.

    Department of Homeland Security Secretary Jeh Johnson offered his agency’s assistance to state and local election authorities in protecting voting systems.

    Johnson’s comments come amid reports of cyberattacks on Democratic Party systems and on voter databases in some jurisdictions. Some reports have said Russia may be behind some attacks, although US officials have not confirmed this.

    “In recent months, we have seen cyberintrusions involving political institutions and personal communications,” Johnson said in a statement. “We have also seen some efforts at cyberintrusions of voter registration data maintained in state election systems. We have confidence in the overall integrity of our electoral systems. It is diverse, subject to local control, and has many checks and balance built in.”

    Reply
  22. Tomi Engdahl says:

    Hackers Leak More Confidential Athlete Data
    http://www.securityweek.com/hackers-leak-more-confidential-athlete-data

    The hacker group calling itself Fancy Bears has leaked another batch of athlete medical records stolen from the systems of the World Anti-Doping Agency (WADA). The organization has confirmed the leak and again blamed Russia for the attack on its systems.

    Reply
  23. Tomi Engdahl says:

    Chinese Researchers Remotely Hack Tesla Model S
    http://www.securityweek.com/chinese-researchers-remotely-hack-tesla-model-s

    Security researchers from China-based tech company Tencent have identified a series of vulnerabilities that can be exploited to remotely hack an unmodified Tesla Model S while it’s parked or on the move.

    An 8-minute video published on Monday by Tencent’s Keen Security Lab shows that researchers managed to perform various actions. While the vehicle was parked, the experts demonstrated that they could control the sunroof, the turn signals, the position of the seats, all the displays, and the door locking system.

    Reply
  24. Tomi Engdahl says:

    Bringing Cybersecurity to the Data Center
    http://www.securityweek.com/bringing-cybersecurity-data-center

    Data centers are the heart of many enterprises, providing scalable, reliable access to the information and applications that define the organization. As these data centers have become more valuable, so too has the job of securing and monitoring them. However, data centers come with their own unique requirements, challenges, and threats.

    Yet, in many ways, data center and virtualized security has been built in the image of the traditional campus network security. The problem is that the data center is not the perimeter. While porting over the models from the perimeter may feel familiar and safe, it can lead to dangerous gaps in security.

    Moving Beyond Segmentation to Cyber

    Using the network perimeter as its model, the industry has sought to virtualize perimeter controls and move them into the data center. This approach began with the bedrock of perimeter security, the firewall. Initially this included simply porting traditional firewalls to run as virtual machines, and then progressed into more agent-based segmentation models that were closely integrated with the virtualization platform software itself. In both cases, the focus remained on enforcing policy within the data center.

    However, creating and enforcing rules is not the same thing as catching an intruder. On the perimeter, firewalling functions are complemented with a variety of threat detection and prevention technologies such as IDS/IPS, anti-malware solutions and web filtering, just to name a few. And like their firewall brethren, many of these perimeter threat-prevention technologies have been ported over to the virtual environment.

    Reply
  25. Tomi Engdahl says:

    You Can’t Find What You’re Not Looking For Because of Goat Parkour
    http://www.securityweek.com/you-cant-find-what-youre-not-looking-because-goat-parkour

    Following the “Snowden leaks” of 2013, the trend toward encrypting all Internet traffic spread faster than Pokemon GO. Pre-Snowden, it’s estimated that less than three percent of all Internet traffic was encrypted. Today, estimates run as high as 70 percent.

    While an all-encrypted Internet is great for personal privacy, it’s a double-edged sword for organizations trying to protect their networks and internal resources from fraud, malware, and data theft. The problem is that the same encryption measures designed to protect data also hide the bad stuff from administrators.

    When a system on a corporate network (or any network, for that matter) is infected with malware and becomes part of a botnet, it’s under the control of a botmaster who sends the bot instructions to carry out any number of nefarious deeds. In the past, security solutions like firewalls, IDSs, and sandboxes, would alert you to this kind of malicious activity because these solutions were able to intercept and inspect unencrypted traffic.

    Today, that’s all changed with the majority of Internet traffic being encrypted. Among the many methods hackers use to communicate and send instructions to bots, one of the most popular is a “call back” via HTTPS to the attacker’s command and control (C2 or C&C but not C&C music factory) site. It’s a clever tactic, because Secure Sockets Layer/Transport Layer Security (SSL/TLS) encrypted traffic has become so common today that the attack communication with bots now goes undetected by these security solutions. The unfortunate result is that the security solutions IT has relied on for years to alert them to malicious code are sending out far fewer alerts.

    So that’s the problem. But how bad is it?

    Numbers on exactly how much enterprise traffic is encrypted are hard to come by. Yes, some ISPs can tell you, but they’re seeing lots of encrypted Netflix and goat parkour videos on YouTube. And that’s not what we’re interested in.

    The survey found that 90 percent of respondents believe their visibility into network traffic is significantly diminished by SSL-encrypted traffic. Yet, surprisingly, only 25 percent said their organizations decrypt and inspect inbound and outbound communications for potential threats.

    Reply
  26. Tomi Engdahl says:

    Chicago woman launches lawsuit against Canadian maker of app-based vibrator
    http://ottawa.ctvnews.ca/chicago-woman-launches-lawsuit-against-canadian-maker-of-app-based-vibrator-1.3071873

    An American woman has launched a proposed class-action lawsuit against the Canadian-owned maker of a smartphone-enabled vibrator, alleging the company sells products that secretly collect and transmit “highly sensitive” information.

    to fully operate the device, users download the We-Connect app on a smartphone, allowing them and their partners remote control over the Bluetooth-equipped vibrator’s settings.

    In particular, the app’s “connect lover” feature — which promises a secure connection

    “(N.P.) would never have purchased a We-Vibe had she known that in order to use its full functionality, (Standard Innovation) would monitor, collect and transmit her usage information through We-Connect,” the statement of claim said.

    The suit alleges that unbeknownst to its customers, Standard Innovation designed the We-Connect app to collect and record intimate and sensitive data on use of the vibrator, including the date and time of each use as well as vibration settings.

    It also alleges the usage data and the user’s personal email address was transmitted to the company’s servers in Canada.

    The statement of claim alleges the company’s conduct demonstrates “a wholesale disregard” for consumer privacy rights and violated a number of state and federal laws.

    The lawsuit filed against Standard Innovation asks the court for an injunction prohibiting the company from monitoring, collecting and transmitting consumer usage information, damages arising from the invasion of personal privacy, and damages arising from the purchase of the We-Vibe.

    Reply
  27. Tomi Engdahl says:

    Federal Judge Rules Bitcoin Is Money In Case Tied To JPMorgan Hack
    https://yro.slashdot.org/story/16/09/20/0225212/federal-judge-rules-bitcoin-is-money-in-case-tied-to-jpmorgan-hack

    Roughly two months ago, a Miami-Dade judge ruled that bitcoin does not actually qualify as money. Now, it appears that bitcoin does indeed qualify as money, according to U.S. District Judge Alison Nathan in Manhattan. “Bitcoins are funds within the plain meaning of that term,” Nathan wrote.

    Bitcoin is money, U.S. judge says in case tied to JPMorgan hack
    http://www.reuters.com/article/us-jpmorgan-cyber-bitcoin-idUSKCN11P2DE

    Murgio had argued that bitcoin did not qualify as “funds” under the federal law prohibiting the operation of unlicensed money transmitting businesses.

    But the judge, like her colleague Jed Rakoff in an unrelated 2014 case, said the virtual currency met that definition.

    “Bitcoins are funds within the plain meaning of that term,” Nathan wrote. “Bitcoins can be accepted as a payment for goods and services or bought directly from an exchange with a bank account. They therefore function as pecuniary resources and are used as a medium of exchange and a means of payment.”

    Reply
  28. Tomi Engdahl says:

    Cisco Scrambles To Patch Second Shadow Brokers Bug In Firewalls
    https://it.slashdot.org/story/16/09/19/1623233/cisco-scrambles-to-patch-second-shadow-brokers-bug-in-firewalls

    Cisco is scrambling to patch another vulnerability in many of its products that was exposed as part of the Shadow Brokers dump last month. The latest vulnerability affects many different products, including all of the Cisco PIX firewalls. The latest weakness lies in the code that Cisco’s IOS operating system uses to process IKEv1 packets. IKE is used in the IPSec protocol to help set up security associations, and Cisco uses it in a number of its products.

    Cisco Warns of Second Firewall Bug Exposed by Shadow Brokers
    https://www.onthewire.io/cisco-warns-of-second-firewall-bug-exposed-by-shadow-brokers/

    Cisco is scrambling to patch another vulnerability in many of its products that was exposed as part of the Shadow Brokers dump last month. The latest vulnerability affects many different products, including all of the Cisco PIX firewalls.

    Reply
  29. Tomi Engdahl says:

    Anonymous Hacker Explains His Attack On Boston Children’s Hospital
    https://it.slashdot.org/story/16/09/19/234217/anonymous-hacker-explains-his-attack-on-boston-childrens-hospital

    Martin Gottesfeld of Anonymous was arrested in connection with the Spring 2014 attacks on a number of healthcare and treatment facilities in the Boston area. The attacks were in response/defense of a patient there named Justina Pelletier. Gottesfeld now explains why he did what he did, in a statement provided to The Huffington Post.
    Here’s an excerpt from his statement: [Why I Knocked Boston Children's Hospital Off The Internet] The answer is simpler than you might think: The defense of an innocent, learning disabled, 15-year-old girl. In the criminal complaint, she’s called ‘Patient A,’ but to me, she has a name, Justina Pelletier. Boston Children’s Hospital disagreed with her diagnosis

    Why I Knocked Boston Children’s Hospital Off The Internet: A Statement From Martin Gottesfeld
    The high-profile 2014 cyber attack is explained for the first time.
    http://www.huffingtonpost.com/entry/why-i-knocked-boston-childrens-hospital-off-the-internet-a-statement-from-martin-gottesfeld_us_57df4995e4b08cb140966cd3?

    In the spring of 2014, the hacker collective Anonymous took credit for hitting a number of health care and treatment facilities in the Boston area in defense of a patient there named Justina Pelletier. For background on her controversial case, which became the focus of national attention

    The attacks became somewhat less anonymous when a man named Martin Gottesfeld was arrested in connection with them in February of this year

    Here is his statement, published in full:

    Why I Knocked Boston Children’s Hospital Off The Internet

    The answer is simpler than you might think: The defense of an innocent, learning disabled, 15-year-old girl. In the criminal complaint, she’s called “Patient A,” but to me, she has a name, Justina Pelletier. Boston Children’s Hospital disagreed with her diagnosis. They said her symptoms were psychological. They made misleading statements on an affidavit, went to court, and had Justina’s parents stripped of custody.

    They stopped her painkillers, leaving her in agony. They stopped her heart medication, leaving her tachycardic. They said she was a danger to herself, and locked her in a psych ward. They said her family was part of the problem, so they limited, monitored, and censored her contact with them.

    Reply
  30. Tomi Engdahl says:

    Joseph Cox / Motherboard:
    ICANN to change DNSSEC master key for the first time; new 2048 key will appear in DNS July 11, 2017 — Soon, one of the most important cryptographic key pairs on the internet will be changed for the first time. — The Internet Corporation for Assigned Names and Numbers (ICANN) …

    The Cryptographic Key That Secures the Web Is Being Changed for the First Time
    http://motherboard.vice.com/read/the-encryption-key-that-secures-the-web-is-being-changed-for-the-first-time

    Soon, one of the most important cryptographic key pairs on the internet will be changed for the first time.

    The Internet Corporation for Assigned Names and Numbers (ICANN), the US-based non-profit responsible for various internet infrastructure tasks, will change the key pair that creates the first link in a long chain of cryptographic trust that lies underneath the Domain Name System, or DNS, the “phone book” of the internet.

    DNS translates easy-to-remember domain names—such as Google.com—into their numerical IP addresses, so computers can visit them. But DNS was never built with security in mind. “The domain name system was designed when the internet was a friendlier place, and there wasn’t much thought of security put into it,”

    As a result, a particular problem has been something called DNS cache poisoning or DNS spoofing, where a server doing the phone book-like lookups is forced to return an incorrect IP address, resulting in traffic being diverted somewhere else, such as a malicious site controlled by a hacker.

    To deal with this problem, many domains use DNS Security Extensions (DNSSEC). With DNSSEC, crypto keys authenticate that DNS data is coming from the correct place.

    In 2010, ICANN, along with other organisations, introduced DNSSEC to protect the internet’s top DNS layer, the DNS root zone.

    “If you had this key … You would be in the position to redirect a tremendous amount of traffic”

    Each organisation in this structure has its own keys for making signatures, and must sign the key of the entity below it.

    Not everyone uses DNSSEC, but adoption has increased over the years: Comcast turned it on for its customers in 2012, and in 2013, Google’s own DNS service started to fully support DNSSEC.

    The key pair at the top of this chain, or the Root Zone Signing Key, is what ICANN is changing for the first time.

    “If you had this key, and were able to, for example, generate your own version of the root zone, you would be in the position to redirect a tremendous amount of traffic,”

    Reply
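The chain of trust the article describes (each zone signs the key of the entity below it, a resolver trusts only the root key it was configured with, and a root key rollover invalidates stale trust anchors), as an added example in Go; it is not ICANN's or any resolver's code. It deliberately simplifies DNSSEC: one Ed25519 key per zone stands in for the KSK/ZSK pair and a signed digest stands in for the DS/RRSIG records, and the zone names are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Zone is a deliberately simplified DNSSEC zone: one Ed25519 key pair stands in
// for the zone's KSK/ZSK, and ChildDS stands in for the signed DS record set
// that binds the child's key into the parent. Real DNSSEC uses RRSIG records
// and separate keys, but the chain-of-trust walk is the same.
type Zone struct {
	Name    string
	Pub     ed25519.PublicKey
	priv    ed25519.PrivateKey
	Child   *Zone
	ChildDS []byte // parent's signature over dsDigest(Child)
}

func NewZone(name string) *Zone {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Zone{Name: name, Pub: pub, priv: priv}
}

// dsDigest plays the role of a DS record: a hash binding the child name to its key.
func dsDigest(child *Zone) []byte {
	h := sha256.New()
	h.Write([]byte(child.Name))
	h.Write(child.Pub)
	return h.Sum(nil)
}

// Delegate is the "sign the key of the entity below you" step from the article.
func (z *Zone) Delegate(child *Zone) {
	z.Child = child
	z.ChildDS = ed25519.Sign(z.priv, dsDigest(child))
}

// RollKey replaces the zone's key pair (the root key rollover the article
// describes) and re-signs its existing delegation with the new key.
func (z *Zone) RollKey() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	z.Pub, z.priv = pub, priv
	if z.Child != nil {
		z.Delegate(z.Child)
	}
}

// Validate is the resolver's view: it trusts only the configured anchor (the
// root key) and walks the delegations down to leaf, verifying each signature.
func Validate(anchor ed25519.PublicKey, root *Zone, leaf string) error {
	if !anchor.Equal(root.Pub) {
		return errors.New("root key does not match the configured trust anchor")
	}
	cur := root
	for cur.Name != leaf {
		if cur.Child == nil {
			return fmt.Errorf("no delegation path to %s", leaf)
		}
		if !ed25519.Verify(cur.Pub, dsDigest(cur.Child), cur.ChildDS) {
			return fmt.Errorf("signature over %s key by %s does not verify", cur.Child.Name, cur.Name)
		}
		cur = cur.Child
	}
	return nil
}

func main() {
	root, com, ex := NewZone("."), NewZone("com."), NewZone("example.com.")
	root.Delegate(com)
	com.Delegate(ex)
	anchor := root.Pub // the key resolvers were shipped with
	fmt.Println("before rollover:", Validate(anchor, root, "example.com."))
	root.RollKey()
	fmt.Println("stale anchor after rollover:", Validate(anchor, root, "example.com."))
	fmt.Println("updated anchor after rollover:", Validate(root.Pub, root, "example.com."))
}
```

A resolver whose trust anchor is not updated before the rollover ends up in the "stale anchor" case and fails validation for every DNSSEC-signed name, which is why the article stresses the date the new key appears.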
  31. Tomi Engdahl says:

    The WADA Hack of Olympic Athletes’ Medical Data – A Timeline
    http://www.tripwire.com/state-of-security/security-data-protection/cyber-security/the-wada-hack-of-olympic-athletes-medical-data-a-timeline/

    Whenever there’s a big event like the Olympic Games, there’s a concern that fraudsters will target spectators and attempt to compromise their digital security. That’s why we at The State of Security published some tips on how attendees of the 2016 Summer Olympics in Rio de Janeiro, Brazil could avoid getting hacked and defend themselves against computer criminals’ traps.

    Most of us are inclined to focus on protecting the information security of unsuspecting visitors. We don’t think about attackers setting their sights on the Games themselves, but it does happen.

    Just this year, a group of actors launched a sustained distributed denial-of-service (DDoS) attack against organizations affiliated with the Olympics that lasted for several months. Fortunately, those organizations were prepared. By leveraging anti-DDoS mitigation technologies, they were able to carry out the Games without a hitch.

    Not every defender encountered success, however. A month after the closing ceremony, news emerged of attackers hacking into the databases of the World Anti-Doping Agency (WADA), an organization which stores records on all of the Olympic athletes.

    Here’s how the hack has unfolded so far.

    Reply
  32. Tomi Engdahl says:

    Anonymous Hacks Four Italian Healthcare Organizations
    Hackers are protesting Italy’s policies on ADHD treatments
    http://news.softpedia.com/news/anonymous-hacks-four-italian-healthcare-organizations-against-adhd-508445.shtml#ixzz4KtVYgeIb

    Anonymous Italia and AntiSec-Italia, two hacktivist groups associated with the Anonymous hacker collective, have hacked and defaced four Italian healthcare organizations and leaked data from two.

    The group leaked the data online on August 21 as part of an Anonymous operation named #OpSafePharma, a campaign launched only in Italy to protest the government’s stance on ADHD (Attention-Deficit/Hyperactivity Disorder), which involves recommendations for heavy doses of prescription medicine, even for the mildest signs of the disorder, and before any other type of alternative therapy.

    The hacktivists are arguing that officials should mandate alternative therapies before medication, and not allow big pharma companies to influence doctors to prescribe heavy doses of ADHD medicine out of the gate.

    The hacktivist group launched the campaign on March 16, 2016, with DDoS attacks against the Ministry of Health, the Higher Institute of Health, and numerous local health authorities.

    These were followed a few days later by database breaches at AIFA (Associazione Italiana Famiglie ADHD / Italian Association of ADHD Families) and the Italian Red Cross branch.

    Cyber-security firm SenseCy was able to get hold of the data and analyze its content.

    “Our assessment is that this latest iteration of #OperationSafePharma originates more from a one-time opportunity window that the hacktivist group AntiSec-Italia spotted in vulnerable websites associated with Italian medical centers and hospitals, than a concerted effort by multiple Anonymous-affiliated collectives to launch a massive hacktivist campaign against the Italian healthcare sector as a whole,” the SenseCy team says.

    Reply
  33. Tomi Engdahl says:

    CloudFlare Adds Support for TLS 1.3
    http://www.securityweek.com/cloudflare-adds-support-tls-13

    CloudFlare announced on Tuesday the introduction of three new encryption features, including support for TLS 1.3, automatic HTTPS rewrites and opportunistic encryption.

    The Transport Layer Security (TLS) protocol, the successor of Secure Sockets Layer (SSL), is a critical component for the protection of online communications. Version 1.2 of TLS has been around since 2008 and while it’s still fairly secure, researchers have started identifying some vulnerabilities. Another problem with TLS 1.2 is that it’s often not configured properly, leaving websites vulnerable to attacks.

    TLS 1.3 is still under development, but a final version is expected soon. The new version of the protocol eliminates the problematic features that have been leveraged in many of the attack methods disclosed over the past years, including RSA key transport, the SHA-1 hash function, arbitrary Diffie-Hellman groups, and various ciphers (e.g. CBC, RC4, export ciphers). This makes it less likely for administrators to misconfigure the protocol.

    Another advantage of TLS 1.3 is improved speed. In the case of TLS 1.2, completing a handshake when the connection is initiated can have a significant impact on the load time, particularly on mobile networks. TLS 1.3 cuts the initial handshake in half, significantly improving load times.

    Reply
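The comment above lists the TLS 1.2 features that TLS 1.3 drops (RSA key transport, SHA-1, arbitrary Diffie-Hellman groups, CBC, RC4, export ciphers) and notes that TLS 1.2 is often misconfigured. The following is an added example, not code from the article or from CloudFlare: a small audit that classifies OpenSSL-style cipher suite names by which of those removed features they still rely on, and builds a Python `ssl` server context restricted to forward-secret AEAD suites so that none of them are offered. The cipher names in `SAMPLE_SUITES` are constructed sample input, and the name-pattern rules are an assumption that holds for the common OpenSSL names but are not exhaustive.

```python
"""Audit TLS 1.2 cipher suites against the features TLS 1.3 removed."""
import ssl

# Constructed sample input: cipher suite names in OpenSSL notation, mixing
# modern suites with the legacy ones an unreviewed TLS 1.2 config still offers.
SAMPLE_SUITES = [
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-CHACHA20-POLY1305",
    "ECDHE-RSA-AES256-SHA384",
    "DHE-RSA-AES256-GCM-SHA384",
    "AES128-SHA",
    "RC4-SHA",
    "EXP-RC4-MD5",
]


def legacy_features(suite):
    """Return the TLS 1.3-removed features a TLS 1.2 suite name depends on.

    Rules are based on OpenSSL naming conventions (an assumption of this
    example): the key-exchange prefix, the bulk cipher token and the MAC suffix.
    """
    if suite.startswith("TLS_"):
        return []  # TLS 1.3 suite names: AEAD only, (EC)DHE only, no SHA-1
    found = []
    if suite.startswith(("EXP-", "EXP1024-")):
        found.append("export cipher")
    if suite.startswith(("DHE-", "EDH-")):
        found.append("arbitrary Diffie-Hellman group")
    elif not suite.startswith("ECDHE-"):
        found.append("RSA key transport")  # static RSA: no forward secrecy
    if "RC4" in suite:
        found.append("RC4")
    elif not any(aead in suite for aead in ("GCM", "CCM", "CHACHA20")):
        found.append("CBC mode")  # block cipher without an AEAD mode => CBC
    if suite.endswith("-SHA"):
        found.append("SHA-1")
    elif suite.endswith("-MD5"):
        found.append("MD5")
    return found


def audit(suites):
    """Map every suite that still relies on a removed feature to its reasons."""
    return {s: r for s in suites if (r := legacy_features(s))}


def hardened_context():
    """Server context offering only forward-secret AEAD suites on TLS 1.2+.

    The cipher string is an OpenSSL cipher-list expression: ECDHE key exchange
    combined with AES-GCM or ChaCha20-Poly1305. TLS 1.3 suites are always on.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    return ctx


def hardened_cipher_names():
    """Names of the suites the hardened context would actually negotiate."""
    return [c["name"] for c in hardened_context().get_ciphers()]


if __name__ == "__main__":
    for suite, reasons in audit(SAMPLE_SUITES).items():
        print(f"{suite}: {', '.join(reasons)}")
    print("hardened context offers:", hardened_cipher_names())
```

Running `audit(SAMPLE_SUITES)` flags five of the seven constructed names; `hardened_cipher_names()` asks the local OpenSSL what the restricted context would really offer, which is the check worth running against a production configuration rather than trusting the cipher string by eye.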
  34. Tomi Engdahl says:

    Brian Krebs site hit with 665 Gbps DDoS attack; Largest Internet has ever seen
    https://www.hackread.com/brian-krebs-website-665-gbps-ddos-attack/

    Brian Krebs’ Blog Hit by 665 Gbps DDoS Attack
    http://www.securityweek.com/brian-krebs-blog-hit-665-gbps-ddos-attack

    Reply
  35. Tomi Engdahl says:

    SWIFT Moves to Combat Inter-Bank Fraud
    http://www.securityweek.com/swift-moves-combat-inter-bank-fraud

    The Society for Worldwide Interbank Financial Telecommunication, better known as SWIFT, announced Tuesday that it will be introducing two new Daily Validation Reports to supplement its customers’ existing fraud reports.

    The new effort is part of a program designed to strengthen customers’ security following the theft of $81 million from the Bangladesh central bank, and several other successful and failed bank thefts.

    The reports include Activity Reports and Risk Reports comprising, says the SWIFT announcement, “a snapshot view of each day’s messaging activity against which to detect unusual patterns.” They are designed to provide SWIFT customer banks with a focused review of large or unusual payment flows and new combinations of payment parties. They will be provided to customers’ payments and compliance teams ‘out-of-band’ to ensure that any incumbent hackers will not be able to alter or hide them.

    “A key step in the modus operandi in recent wire fraud cases at customer firms,”

    These Reports are just one of several new procedures designed to strengthen the overall security within the use of SWIFT. The SWIFT network itself was not compromised during the recent thefts, but the organization clearly feels it is incumbent on itself to help customers improve their own security. However, there is some concern over whether daily reports of what has already happened will have much effect on fraud prevention – timed correctly, the fraud may have already occurred before the banks see the reports.

    The earlier thefts at Bangladesh and an Ecuadorian bank led to suggestions that the reserve banks holding the cash had some liability for the loss. Indeed, early suggestions from Bangladesh suggested that SWIFT itself was responsible for leaving the Bangladesh bank insecure. SWIFT has responded with recommendations to its customers.

    To a degree SWIFT has to tread carefully in the requirements it makes, since it is owned by the same organizations it is trying to police. However, Reuters reported Sept. 15 that the world’s major central banks are now getting involved.

    Reply
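The SWIFT announcement quoted above describes Daily Validation Reports as "a snapshot view of each day's messaging activity against which to detect unusual patterns", focused on large or unusual payment flows and new combinations of payment parties. As an added example (not SWIFT's code or its real report format), here is the detection logic such a report needs, run over a constructed baseline of past payments and one constructed day of activity: it flags a payment to a counterparty never seen before, a payment far above the previous maximum to a known counterparty, and a daily outflow far above the historical median. The BIC-style codes, amounts and the factor of 3 are all assumptions made for the example.

```python
"""Daily validation report: unusual flows and new payment-party combinations."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Payment:
    date: str
    sender: str    # ordering institution (constructed BIC-style code)
    receiver: str  # beneficiary institution (constructed BIC-style code)
    amount: int    # in currency units


# Constructed baseline: five days of routine outflows from one customer bank.
HISTORY = [
    Payment("2016-09-01", "BANKXXAA", "CORRUSBB", 100_000),
    Payment("2016-09-01", "BANKXXAA", "CORRDEBB", 50_000),
    Payment("2016-09-02", "BANKXXAA", "CORRUSBB", 250_000),
    Payment("2016-09-02", "BANKXXAA", "CORRDEBB", 50_000),
    Payment("2016-09-03", "BANKXXAA", "CORRUSBB", 400_000),
    Payment("2016-09-03", "BANKXXAA", "CORRDEBB", 50_000),
    Payment("2016-09-04", "BANKXXAA", "CORRUSBB", 500_000),
    Payment("2016-09-04", "BANKXXAA", "CORRDEBB", 50_000),
    Payment("2016-09-05", "BANKXXAA", "CORRUSBB", 300_000),
    Payment("2016-09-05", "BANKXXAA", "CORRDEBB", 50_000),
]

# Constructed "today": one routine transfer, one oversized one, one new party.
TODAY = [
    Payment("2016-09-06", "BANKXXAA", "CORRUSBB", 200_000),
    Payment("2016-09-06", "BANKXXAA", "CORRUSBB", 2_000_000),
    Payment("2016-09-06", "BANKXXAA", "NEWPHBB1", 30_000),
]


def build_baseline(history):
    """Per (sender, receiver) amounts seen, and per (sender, day) totals."""
    per_pair = defaultdict(list)
    per_day = defaultdict(int)
    for p in history:
        per_pair[(p.sender, p.receiver)].append(p.amount)
        per_day[(p.sender, p.date)] += p.amount
    return per_pair, per_day


def daily_validation_report(history, today, factor=3):
    """Return (finding_code, subject) pairs for one day's messaging activity.

    Codes: "new_party"     - sender/receiver pair absent from the baseline
           "large_payment" - more than `factor` x the previous max to that pair
           "daily_volume"  - sender's total outflow > factor x historical median
    The factor is an assumed threshold, chosen for this example.
    """
    per_pair, per_day = build_baseline(history)
    findings = []
    for p in today:
        key = (p.sender, p.receiver)
        if key not in per_pair:
            findings.append(("new_party", p))
        elif p.amount > factor * max(per_pair[key]):
            findings.append(("large_payment", p))
    outflow = defaultdict(int)
    for p in today:
        outflow[p.sender] += p.amount
    for sender, total in outflow.items():
        history_totals = [v for (s, _), v in per_day.items() if s == sender]
        if history_totals and total > factor * median(history_totals):
            findings.append(("daily_volume", sender))
    return findings


if __name__ == "__main__":
    for code, subject in daily_validation_report(HISTORY, TODAY):
        print(f"{code}: {subject}")
```

The report is only as trustworthy as the channel it arrives on, which is why the announcement stresses out-of-band delivery to the payments and compliance teams: if the baseline or the report could be edited from the same compromised messaging host, the intruder could simply remove the rows that describe their own transfers.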
  36. Tomi Engdahl says:

    German Political Parties Hit by Cyber Attacks
    http://www.securityweek.com/german-political-parties-hit-cyber-attacks

    German political parties have fallen victim to a new round of cyber attacks, documents showed Wednesday, after Berlin’s domestic spy agency accused Russia of a series of operations aimed at spying and sabotage.

    Politicians and employees of several parties received emails purporting to be sent from NATO headquarters, but which instead contained a link that installed spyware on the recipient’s computer, the Sueddeutsche Zeitung daily and regional broadcasters NDR and WDR reported.

    Citing unnamed security experts, German media said the attacks on August 15 and 24 appeared to have been carried out by state-backed Russian hackers.

    Reply
  37. Tomi Engdahl says:

    Three Questions Every ICS Security Team Should Ask
    http://www.securityweek.com/three-questions-every-ics-security-team-should-ask

    Securing ICS networks is an extremely challenging task, primarily because they lack many of the threat monitoring, detection, and response capabilities commonly found in IT infrastructures. To put ICS security in context, let’s consider the top three questions every organization should ask themselves about securing their network.

    1. Do we know what needs to be protected?
    2. What is happening in the ICS network?
    3. Can we effectively manage and respond to security events?

    Reply
  38. Tomi Engdahl says:

    Dutch brothers in court for bitcoin mining with stolen power
    goo.gl/RfQlMQ

    Prosecutors in the Netherlands are seeking prison sentences for two brothers who they say used stolen electricity to power computers they used to mine bitcoins worth an estimated 200,000 euros ($223,500).

    Equipment in the nursery and the computers were running on illegally tapped electricity when they were discovered in 2014. The brothers, whose identities were not released, are charged with money laundering.

    Reply
  39. Tomi Engdahl says:

    Hudson Hongo / Gizmodo:
    Trump backs Cruz in opposing transfer of Domain Name System to ICANN in October, claiming Internet freedom would be at risk

    Surprise, Donald Trump Has No Idea How Internet Censorship Works
    http://gizmodo.com/surprise-donald-trump-has-no-idea-how-internet-censors-1786921203

    Back in December, Donald Trump suggested fighting terrorism online by “closing the internet in some way,” openly mocking potential First Amendment concerns. Since then, the alleged computer user seems to have changed his mind, joining Ted Cruz’s bizarre crusade for an American takeover of the internet’s address book in the name of freedom of speech.

    At the end of the month, the Department of Commerce is scheduled to end its supervision of ICANN—the organization in charge of supervising domain names—as part of a long-planned transition toward oversight by the global community the internet represents. On Wednesday, however, the Trump campaign released a statement condemning the change as President Obama’s “plan to surrender internet control to foreign powers.”

    This argument, recently advanced in a Senate hearing by Ted Cruz, fails to explain how domain name administration is tied to government censorship, which (despite Trump’s claims) is already wielded by oppressive regimes across the world.

    Sen. Cruz: Obama’s Internet Handover Endangers Free Speech Online
    https://www.cruz.senate.gov/?p=press_release&id=2810

    Reply
  40. Tomi Engdahl says:

    Kara Swisher / Recode:
    Sources: Yahoo expected to confirm data breach of 200M+ user credentials that was detailed in August — A hacker named “Peace” is bringing chaos to the Internet giant just as its sale to Verizon is pending. — Yahoo is poised to confirm a massive data breach of its service …

    Yahoo is expected to confirm massive data breach, impacting hundreds of millions of users
    A hacker named “Peace” is bringing chaos to the Internet giant just as its sale to Verizon is pending.
    http://www.recode.net/2016/9/22/13012836/yahoo-is-expected-to-confirm-massive-data-breach-impacting-hundreds-of-millions-of-users

    Yahoo is poised to confirm a massive data breach of its service, according to several sources close to the situation, hacking that has exposed several hundred million user accounts.

    While sources were unspecific about the extent of the incursion, since there is the likelihood of government investigations and legal action related to the breach, they noted that it is widespread and serious.

    Earlier this summer, Yahoo said it was investigating a data breach in which hackers claimed to have access to 200 million user accounts and was selling them online. “It’s as bad as that,” said one source. “Worse, really.”

    Reply
  41. Tomi Engdahl says:

    Kif Leswing / Business Insider:
    Yahoo confirms data from 500M+ accounts was stolen in 2014 by “state-sponsored actor”; info includes email addresses, hashed passwords, security questions, more — Yahoo on Thursday revealed a massive data breach of its services. — Yahoo “has confirmed that a copy …

    Yahoo confirms major breach that could be the largest hack of all time
    http://nordic.businessinsider.com/yahoo-hack-by-state-sponsored-actor-biggest-of-all-time-2016-9?op=1?r=US&IR=T

    As expected, Yahoo revealed a massive data breach of its services on Thursday.

    Yahoo “has confirmed that a copy of certain user account information was stolen from the company’s network in late 2014 by what it believes is a state-sponsored actor,” the company posted on its investor relations page.

    Yahoo believes that “at least” 500 million user accounts were stolen, which would make it the biggest breach of all time, bigger than the MySpace breach of 427 million user accounts.

    “SUNNYVALE, Calif.–(BUSINESS WIRE)– A recent investigation by Yahoo! Inc.(NASDAQ:YHOO) has confirmed that a copy of certain user account information was stolen from the company’s network in late 2014 by what it believes is a state-sponsored actor. The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers. The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data, or bank account information; payment card data and bank account information are not stored in the system that the investigation has found to be affected.”

    Reply
  42. Tomi Engdahl says:

    Reports Outline Current Threat Landscape
    http://www.securityweek.com/reports-outline-current-threat-landscape

    Check Point has published two major reports into the current threat landscape: its own 2016 Security Report, and the SANS Exploits at the Endpoint: SANS 2016 Threat Landscape Survey (sponsored by Check Point).

    The report defines three major attack patterns: the growth in the use of code execution attacks (36 happened every day in 2015); DDoS attacks (a new one every 20 minutes); and spear-phishing / whaling. Check Point’s recommendations are a unified architecture to cover the entire environment that includes protection against zero-day malware; security management through a single pane of glass; and the development of an effective incident response plan.

    “The impact of cybercrime costs more than the value of the stolen information,” says the report. “The ripple effects are often more damaging than the actual theft.” This is getting worse in both volume (business data records lost over the past three years have increased by more than 400%), and cost (as the cost and complexity of compliance increases). The specific recommendations focus on awareness. Staff must be aware of consequences; security teams must be aware of the efficacy of their controls and have clear visibility into network activity; and leadership must be aware, or be made aware, of current threat levels and potential business impacts.

    Staying ahead of the security threat is a complex issue and the most complex section of the report. One approach is to use best practice frameworks and compliance regulations; but the reality is that most organizations fail to implement either completely. “Our researchers,” notes the report, “were shocked to find only 53.3 percent of configuration settings were defined according to industry best practices.” It goes on to suggest, “Forward-looking security starts with having a best-of-breed set of fundamental security tools. Advanced Threat Prevention, mobile device protection, and segmenting your network so it can be monitored closely are critical to fully protecting your organization.” Check Point’s recommendations here have all been covered in the previous sections — but it makes perhaps the most contentious recommendation of the entire report: “Ideally, scarce IT resources are better invested in preventing threats than on chasing alerts and responding to security incidents.”

    Check Point 2016 Security Report
    https://www.checkpoint.com/downloads/resources/2016-security-report.pdf

    SANS Threat Landscape Survey
    https://www.checkpoint.com/downloads/resources/survey-threat-landscape.pdf

    One interesting suggestion from the survey is that while threats and their discovery are similar across geographic regions, “the European respondents may be ahead of their U.S. counterparts in deploying automated monitoring and alerting solutions.”

    The most prevalent discovered threats are phishing (in 80% of organizations) followed by spear-phishing and whaling (58% of organizations). Third is the non-specific category of ‘trojan’ found by 53% of respondents; but fourth (49% of respondents) is ransomware. Ransomware is often delivered by phishing attacks.

    “As these phishing and ransomware trends intersect,” writes SANS, “they create the perfect storm for legitimate user actions to result in significant, costly consequences to the organization, such as having to pay tens of thousands of dollars in ransom to retrieve critical access to maliciously encrypted data or to regain control of keys, or experiencing service denials that cause loss of business.”

    No threat detection tool is currently given total confidence. Eighty-three percent of respondents find endpoint scanning helpful, while 70% find IDS/IPS/unified threat management (UTM) systems useful. Only 47% responded with behavior modeling/DLP; but this “is an area that Gartner predicts will grow as the use of analytics to detect threat increases.” But it will need to be coupled with automated means to block detections as “analysts don’t have time to implement new controls manually before the threat manifests itself.”

    Summary

    While these two reports mirror each other in the description of the current threat landscape, they actually come to two different conclusions.

    The Check Point 2016 Security Report says, “Benjamin Franklin’s axiom that ‘an ounce of prevention is worth a pound of cure’ is especially apt in the era of unknown malware and zero-day vulnerabilities. Ideally, scarce IT resources are better invested in preventing threats than on chasing alerts and responding to security incidents.” Behavioral analysis for threat detection is given scarce mention.

    The SANS report, however, recognizes that behavioral analysis is not yet common, but suggests that security needs to be enhanced by the ability “to detect malicious activity that may have started.”

    Reply
  43. Tomi Engdahl says:

    Hosting Provider OVH Hit by 1 Tbps DDoS Attack
    http://www.securityweek.com/hosting-provider-ovh-hit-1-tbps-ddos-attack

    OVH, one of the world’s largest hosting companies, reported on Thursday that its systems were hit by distributed denial-of-service (DDoS) attacks that reached nearly one terabit per second (Tbps).

    Octave Klaba, the founder and CTO of OVH, revealed on Twitter that the company detected a “lot of huge DDoS” in the past days. A screenshot posted by Klaba shows multiple attacks that exceed 100 Gbps, including simultaneous attacks that totaled nearly 1 Tbps. The largest single attack recorded by OVH peaked at 799 Gbps and 93 MMps.

    This is not the only major DDoS attack reported in recent days. Earlier this week, investigative cybercrime journalist Brian Krebs said his blog, KrebsOnSecurity.com, had been targeted in an attack that peaked at 665 Gbps. While it hasn’t been confirmed, some evidence suggests that the attack was carried out in retaliation to a recent blog post exposing the operators of a booter service called vDOS.

    He pointed out that Akamai had been providing service at no cost. Before this attack, the largest DDoS attack mitigated by the company measured only 336 Gbps.

    CloudFlare is confident it can help and it has already offered its services to Krebs. The company’s founder and CEO, Matthew Prince, said they had seen this type of attack before.

    Krebs said the attack on his website appears to have been powered almost exclusively by a very large botnet of compromised IoT devices, such as webcams and routers, and no amplification has been used. The expert suggested the same “cannon” has also been tested against OVH and other organizations.

    Reply
  44. Tomi Engdahl says:

    Natasha Lomas / TechCrunch:
    Sex cam site Megacams implements face search using Microsoft facial recognition API to let you “find a live sex doppelganger of someone you know”

    Is this the creepiest use of facial recognition tech yet?
    https://techcrunch.com/2016/09/23/is-this-the-creepiest-use-of-facial-recognition-tech-yet/

    Welcome to the future, where you can face search for a live sex webcam performer and be served real-life humans to your telescreen who vaguely resemble the object of your desire within, well, hours depending on how busy the site’s servers are.

    But TechCrunch understands the API in question belongs to Microsoft — namely its Cognitive Services (née Project Oxford) visual image recognition APIs, and specifically its Face API which lets developers add the ability to detect human faces and compare similar ones, organize people into groups according to visual similarity, and identify previously tagged people in images.

    Pricing for Microsoft’s Face API offers 30,000 free look-ups per month, after which it charges $1.50 per 1,000 transactions, supporting a rate of 10 transactions per second.

    Reply
  45. Tomi Engdahl says:

    Kevin Hartnett / Quanta Magazine:
    DARPA prevented hackers from taking control of an unmanned drone using “formal methods”, a technique that can verify whether programs are error-free — In the summer of 2015 a team of hackers attempted to take control of an unmanned military helicopter known as Little Bird.

    Hacker-Proof Code Confirmed
    https://www.quantamagazine.org/20160920-formal-verification-creates-hacker-proof-code/

    Computer scientists can prove certain programs to be error-free with the same certainty that mathematicians prove theorems. The advances are being used to secure everything from unmanned drones to the internet.

    In the summer of 2015 a team of hackers attempted to take control of an unmanned military helicopter known as Little Bird. The helicopter, which is similar to the piloted version long-favored for U.S. special operations missions, was stationed at a Boeing facility in Arizona. The hackers had a head start: At the time they began the operation, they already had access to one part of the drone’s computer system.

    When the project started, a “Red Team” of hackers could have taken over the helicopter almost as easily as it could break into your home Wi-Fi. But in the intervening months, engineers from the Defense Advanced Research Projects Agency (DARPA) had implemented a new kind of security mechanism — a software system that couldn’t be commandeered. Key parts of Little Bird’s computer system were unhackable with existing technology, its code as trustworthy as a mathematical proof. Even though the Red Team was given six weeks with the drone and more access to its computing network than genuine bad actors could ever expect to attain, they failed to crack Little Bird’s defenses.

    “They were not able to break out and disrupt the operation in any way,” said Kathleen Fisher, a professor of computer science at Tufts University and the founding program manager of the High-Assurance Cyber Military Systems (HACMS) project. “That result made all of DARPA stand up and say, oh my goodness, we can actually use this technology in systems we care about.”

    The technology that repelled the hackers was a style of software programming known as formal verification.

    “You’re writing down a mathematical formula that describes the program’s behavior and using some sort of proof checker that’s going to check the correctness of that statement,” said Bryan Parno, who does research on formal verification and security at Microsoft Research.

    The aspiration to create formally verified software has existed nearly as long as the field of computer science. For a long time it seemed hopelessly out of reach, but advances over the past decade in so-called “formal methods” have inched the approach closer to mainstream practice. Today formal software verification is being explored in well-funded academic collaborations, the U.S. military and technology companies such as Microsoft and Amazon.

    Block-Based Security

    Between the lines it takes to write both the specification and the extra annotations needed to help the programming software reason about the code, a program that includes its formal verification information can be five times as long as a traditional program that was written to achieve the same end.

    This burden can be alleviated somewhat with the right tools — programming languages and proof-assistant programs designed to help software engineers construct bombproof code.

    Then came the internet, which did for coding errors what air travel did for the spread of infectious diseases: When every computer is connected to every other one, inconvenient but tolerable software bugs can lead to a cascade of security failures.

    “Here’s the thing we didn’t quite fully understand,” Appel said. “It’s that there are certain kinds of software that are outward-facing to all hackers in the internet, so that if there is a bug in that software, it might well be a security vulnerability.”

    By the time researchers began to understand the critical threats to computer security posed by the internet, program verification was ready for a comeback. To start, researchers had made big advances in the technology that undergirds formal methods: improvements in proof-assistant programs like Coq and Isabelle that support formal methods; the development of new logical systems (called dependent-type theories) that provide a framework for computers to reason about code; and improvements in what’s called “operational semantics” — in essence, a language that has the right words to express what a program is supposed to do.

    “If you start with an English-language specification, you’re inherently starting with an ambiguous specification,” said Jeannette Wing, corporate vice president at Microsoft Research. “Any natural language is inherently ambiguous. In a formal specification you’re writing down a precise specification based on mathematics to explain what it is you want the program to do.”

    The HACMS project illustrates how it’s possible to generate big security guarantees by specifying one small part of a computer system.

    The team also rewrote the software architecture, using what Fisher, the HACMS founding project manager, calls “high-assurance building blocks” — tools that allow programmers to prove the fidelity of their code. One of those verified building blocks comes with a proof guaranteeing that someone with access inside one partition won’t be able to escalate their privileges and get inside other partitions.

    Later the HACMS programmers installed this partitioned software on Little Bird.

    Verifying the Internet

    Security and reliability are the two main goals that motivate formal methods. And with each passing day the need for improvements in both is more apparent. In 2014 a small coding error that would have been caught by formal specification opened the way for the Heartbleed bug, which threatened to bring down the internet. A year later a pair of white-hat hackers confirmed perhaps the biggest fears we have about internet-connected cars when they successfully took control of someone else’s Jeep Cherokee.

    As the stakes rise, researchers in formal methods are pushing into more ambitious places.

    Over at Microsoft Research, software engineers have two ambitious formal verification projects underway. The first, named Everest, is to create a verified version of HTTPS, the protocol that secures web browsers and that Wing refers to as the “Achilles heel of the internet.”

    The second is to create verified specifications for complex cyber-physical systems such as drones. Here the challenge is considerable.

    Reply
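The article above credits the Little Bird result to two things working together: a partitioned architecture, and a proof that a subject inside one partition cannot escalate into another. The following is an added example that is not HACMS code and not the seL4-style proofs the article alludes to: a toy explicit-state model in which each partition lists the partitions the separation policy lets it send data to, and a breadth-first search exhaustively explores which partitions an attacker who starts in a network-facing partition could end up controlling. It treats any unverified partition that accepts input from a compromised peer as taken over (the defender's worst case) and stops only at partitions whose input handling is marked verified. The partition names and both policies are invented for the example; the point it shows is the one the article makes, that proving one small component (the filter) is what turns the partitioning into a guarantee, and removing that proof makes the checker produce a counterexample path.

```python
"""Exhaustive check that untrusted partitions cannot reach flight control."""
from collections import deque

# Constructed toy model of a drone software stack (not HACMS's architecture).
# partition -> partitions it may send data to under the separation policy.
BEFORE = {  # monolithic stack: every component talks to the mission computer
    "ground_link": ["mission_computer"],
    "camera": ["mission_computer"],
    "mission_computer": ["flight_control", "ground_link", "camera"],
    "flight_control": ["mission_computer"],
}
AFTER = {  # partitioned stack: untrusted I/O reaches control only via a filter
    "ground_link": ["filter"],
    "camera": ["filter"],
    "filter": ["flight_control", "ground_link"],
    "flight_control": ["filter"],
}
UNTRUSTED = ["ground_link", "camera"]  # network-facing, assumed compromised


def reachable_compromise(policy, verified, start):
    """Explore every partition an attacker starting in `start` can control.

    Worst-case assumption: a controlled partition takes over any peer the
    policy lets it send to, unless that peer is in `verified` (its input
    handling is proven to reject malformed data). Returns a map from each
    reachable partition to the shortest witness path of compromised partitions.
    """
    paths = {start: [start]}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in policy.get(cur, ()):
            if nxt in paths or nxt in verified:
                continue
            paths[nxt] = paths[cur] + [nxt]
            queue.append(nxt)
    return paths


def check_isolation(policy, verified, untrusted, critical):
    """(True, None) if no untrusted start reaches `critical`, else
    (False, witness_path) for the first counterexample the search finds."""
    for start in untrusted:
        paths = reachable_compromise(policy, verified, start)
        if critical in paths:
            return False, paths[critical]
    return True, None


if __name__ == "__main__":
    print("monolithic:", check_isolation(BEFORE, set(), UNTRUSTED, "flight_control"))
    print("partitioned, filter verified:",
          check_isolation(AFTER, {"filter"}, UNTRUSTED, "flight_control"))
    print("partitioned, no proof about filter:",
          check_isolation(AFTER, set(), UNTRUSTED, "flight_control"))
```

Because the model is finite, the search visits every reachable state, so a `True` answer is a statement about all attacker sequences within the model, not a sample of them; what a real formal verification adds is a proof that the implementation of the filter actually has the property the model assumes for it.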
  46. Tomi Engdahl says:

    Security
    Report: NSA hushed up zero-day spyware tool losses for three years
    Investigation shows staffer screw-up over leak
    http://www.theregister.co.uk/2016/09/23/report_nsa_covered_up_zeroday_losses_for_three_years/

    Sources close to the investigation into how NSA surveillance tools and zero-day exploits ended up in the hands of hackers have found that the agency knew about the loss for three years but didn’t want anyone to know.

    It appears at this stage that the staffer, who has since left the NSA for other reasons, stashed the sensitive tools on an outside server – likely a bounce box – after an operation. Miscreants then found that machine, raided it and hit the jackpot. The staffer informed his bosses after the incident, but rather than warning companies like Cisco that their customers were at risk, the NSA kept quiet.

    The reasoning for this secrecy seems to have been that the NSA wanted to see who was going to use them. It monitored the world’s internet traffic to try and catch sight of the tools or someone using the software or the holes it exploited. Since no signs appeared the agency didn’t tell anyone of the loss.

    Reply
  47. Tomi Engdahl says:

    Chris Brook / Threatpost:
    Facebook brings osquery, its open source SQL-powered detection tool for monitoring OS processes and networks, to Windows

    Facebook Debuts Open Source Detection Tool for Windows
    https://threatpost.com/facebook-debuts-open-source-detection-tool-for-windows/120897/

    Facebook successfully ported its SQL-powered detection tool, osquery, to Windows this week, giving users a free and open source method to monitor networks and diagnose problems. The framework, which converts operating systems to relational databases, allows users to write SQL-based queries to detect intrusions and other types of malicious activity across networks. Facebook debuted the open source tool in 2014 as cross-platform, but for the last two years it was only supported on Ubuntu, CentOS, and Mac OS X operating systems. Facebook isn’t the biggest Windows shop, but the company confirmed in March that because so many users were asking for it, it was building a version of the tool for Windows 10.

    See more at: Facebook Debuts Open Source Detection Tool for Windows https://wp.me/p3AjUX-vrX

    Reply
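The comment above describes osquery as a framework that "converts operating systems to relational databases" so that intrusions can be found with SQL. As an added example, not osquery's own code, the block below stands in the live tables with an in-memory SQLite database holding a constructed Windows process snapshot, with column names modelled on osquery's `processes` and `listening_ports` tables, and runs two detection queries of the kind an analyst would schedule: a process listening on a port whose binary lives outside the system and program directories, and a shell spawned by an Office application. The host, paths, PIDs and port numbers are all invented for the example; the same SQL is the kind of query that would run unchanged in `osqueryi` against the real tables, though that claim is about the query shape, not a verified compatibility guarantee.

```python
"""osquery-style detections: SQL over a (constructed) process snapshot."""
import sqlite3

# Constructed sample rows modelled on osquery's `processes` table.
PROCESSES = [  # (pid, name, path, parent)
    (4, "System", "", 0),
    (600, "services.exe", r"C:\Windows\System32\services.exe", 4),
    (812, "svchost.exe", r"C:\Windows\System32\svchost.exe", 600),
    (900, "lsass.exe", r"C:\Windows\System32\lsass.exe", 600),
    (1100, "explorer.exe", r"C:\Windows\explorer.exe", 4),
    (1540, "WINWORD.EXE",
     r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", 1100),
    (2200, "powershell.exe",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", 1540),
    (3100, "updater.exe", r"C:\Users\alice\AppData\Local\Temp\updater.exe", 2200),
]
# Constructed sample rows modelled on osquery's `listening_ports` table.
LISTENING_PORTS = [  # (pid, port, address)
    (812, 135, "0.0.0.0"),
    (900, 445, "0.0.0.0"),
    (3100, 8443, "0.0.0.0"),
]


def build_snapshot():
    """Load the constructed snapshot into an in-memory relational database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE processes (pid INTEGER, name TEXT, path TEXT, parent INTEGER);
        CREATE TABLE listening_ports (pid INTEGER, port INTEGER, address TEXT);
    """)
    conn.executemany("INSERT INTO processes VALUES (?, ?, ?, ?)", PROCESSES)
    conn.executemany("INSERT INTO listening_ports VALUES (?, ?, ?)", LISTENING_PORTS)
    return conn


# Listening processes whose executable is outside the usual system locations.
# (SQLite LIKE treats backslash literally, so the Windows paths need no escaping.)
LISTENERS_OUTSIDE_SYSTEM_DIRS = r"""
SELECT p.pid, p.name, p.path, l.port
FROM listening_ports AS l
JOIN processes AS p ON p.pid = l.pid
WHERE p.path NOT LIKE 'C:\Windows\%'
  AND p.path NOT LIKE 'C:\Program Files%'
ORDER BY p.pid
"""

# Scripting hosts whose parent is an Office application: a common sign that a
# document carried an active payload, and cheap to express as a self-join.
SHELLS_SPAWNED_BY_OFFICE = """
SELECT child.pid, child.name, parent.name AS parent_name
FROM processes AS child
JOIN processes AS parent ON parent.pid = child.parent
WHERE parent.name IN ('WINWORD.EXE', 'EXCEL.EXE', 'OUTLOOK.EXE')
  AND child.name IN ('powershell.exe', 'cmd.exe', 'wscript.exe')
ORDER BY child.pid
"""


def run_detections(conn):
    """Run both queries and return their result rows keyed by detection name."""
    return {
        "listeners_outside_system_dirs":
            conn.execute(LISTENERS_OUTSIDE_SYSTEM_DIRS).fetchall(),
        "shells_spawned_by_office":
            conn.execute(SHELLS_SPAWNED_BY_OFFICE).fetchall(),
    }


if __name__ == "__main__":
    for name, rows in run_detections(build_snapshot()).items():
        print(name)
        for row in rows:
            print("  ", row)
```

Both queries are deliberately narrow: the value of the relational view is that the analyst can join process, socket and user tables in one expression and tune the allow-lists per fleet, rather than hard-coding a signature for one tool.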
  48. Tomi Engdahl says:

    Mary Jo Foley / ZDNet:
    Windows 10 surpasses 400M active devices, up from 300M in May, and announces new container-based isolation security feature for Edge browser, coming next year

    Microsoft: Windows 10 now on 400 million devices
    http://www.zdnet.com/article/microsoft-windows-10-now-on-400-million-devices/

    Microsoft officials said Windows 10 has hit the 400 million ‘active’ device milestone, up from 300 million in early May.

    They also said that Windows Insider testers working with early Windows 10 “Redstone 2” builds soon should get their hands on a new Edge browser security feature that’s been rumored for some time: Container-based isolation in the browser.

    That container-based isolation is technology codenamed “Barcelona.” While Windows 10 Enterprise currently supports containers for development purposes, Barcelona is specific to the browser baked into the operating system.

    Microsoft execs have christened Barcelona “Windows Defender Application Guard,” they said today. The feature will use virtualization-based security, isolating potentially malicious code in containers so it can’t spread across company networks. Starting “early next year,” Microsoft will start testing this feature with enterprise customers who’ve expressed interest, officials said.

    Microsoft officials also said at Ignite today that the Windows Defender Advanced Threat Protection (ATP) and Office 365 ATP services now “share intelligence mutually.”

    Reply
