Security trends for 2016

Here are my predictions for trends in information security and cyber security for the year 2016.

The year 2015 was pretty bad for information security, and I would say the trend is worrying, so I expect 2016 to bring many information security challenges. If you want to keep yourself up at night, spend some time reading about the latest developments in cybersecurity. In 2015 airplanes were hacked, cars were hacked, and vulnerabilities were found in a breathtaking range of sensitive equipment, from TSA locks to voting booths to medical devices. The big picture is even scarier: former NSA Director Mike McConnell suspects China has hacked “every major corporation” in the US. Those problems will continue in 2016, and new targets for attacks will be found. The system is broken. It isn’t keeping us, our companies, or our government safe. Worse yet, no one seems to know how to fix it.

Attacks through networks are becoming more common all the time, and it will be hard to protect against targeted attacks. Hackers will not only customize malware; they will increasingly use sophisticated phishing and social engineering tricks to gain access to sensitive data. Attackers usually cover their tracks carefully, so identifying who is behind an attack can be very difficult. Behind targeted attacks are usually professional criminals. Criminals do not respect geographical borders, so attacks are spread evenly everywhere. Companies will struggle to absorb the security threats of combined PC and mobile device fleets in 2016.

 

EU information security decisions made in late 2015 will have an impact on what comes in 2016: the new EU data protection legislation package was approved, and the EU Court of Justice ruled that the Safe Harbor procedure is invalid. This means that transfers of personal data from EU countries to the United States under Safe Harbor are now unlawful; you need some other legal basis for them. The situation will probably get clarified during 2016. The data protection legislation changes will lead to increased fines for the unprepared. Legal uncertainty and big fines are a toxic cocktail for some companies. The combination of stiff penalties and ambiguously worded provisions in the new EU-wide data protection law, which will replace a patchwork of 28 national laws, raises daunting prospects for companies operating in Europe.

After the huge number of user data leaks in 2015 from all kinds of Internet services, cloud companies will face a challenge in earning trust in their security. You might have just dared to trust “the right cloud services”, since from the traditional information security point of view they seemed to have the main things in order, but the privacy issues raised in 2015 change that picture.

New environments will bring new threats. New operating system versions mean that administrators and users are less familiar with the environments. IPv6 will get more widely used, and the security of IPv6 networks is different from IPv4: a firewall policy written only for IPv4 says nothing about IPv6 traffic, so a host that is filtered on IPv4 may be wide open on IPv6. Organizations are moving to virtualized environments, which are complex and create network layers that can become an attack vector. Growing network virtualization functionality and programmability are both an opportunity and a threat to security. Cyber security research will be important in 2016, as 5G networks will be critical infrastructure on top of which, for example, transport, industry, health care and new operators will set up their business around 2020.

The huge amount of information security news is becoming harder and harder to manage in 2016. A key problem with breach revelations, as with all other news coverage, is the exponential growth of information. There are a variety of news summaries produced on a daily basis, but they are not enough to get a good picture of what is happening. There are bigger and smaller news items, the impact of which is at times very difficult to assess. SMBs will become a bigger target for cybercriminals. Network and security professionals continue to be among the toughest IT talent to find and hire.

The old way of network security, focused on perimeter defense, is not enough in 2016. The old mantras “encrypt everything” and “secure the perimeter” are not enough. One deceptive truth seems to drive much of the cybersecurity industry down a rabbit hole: if you keep bad actors and bad software out of your system, you have nothing to worry about. It does not work like that anymore. As perimeter security gets stronger, malicious actors look for easier entry points to compromise an organisation through the breadth of its digital attack surface. Now malicious actors target “endpoints”, any device or sensor connected to a network, to break into that network. Traditional sandboxing will no longer protect against the growing malware landscape. Today most private networks have far too many endpoints to properly secure. In an age of “Bring Your Own Device”, the cloud, remote access and the Internet of Things, there are too many vulnerabilities hackers can exploit. Keep in mind that everything connected to the Internet can, and will, be hacked. To address those threats in 2016, security experts should assume compromise, that hackers and malware have already breached their defenses or soon will, and instead classify and mitigate threats. In addition to the lock-and-key system of public key infrastructure you will also need an integrity solution that acts like an alarm: a known-good baseline of files and configuration that is compared against the live system, so that unexpected change is noticed rather than assumed away. To protect against advanced threats, security professionals will increase their reliance on centralized security management solutions. You need to have prioritization and response plans for various kinds of breaches, with a strong focus on integrity.

Law enforcement versus Silicon Valley tension will continue to be strong throughout 2016. In 2015, law enforcement and politicians on both sides of the Atlantic lined up to repeatedly complain that the web was “going dark” as a result of end-to-end encryption and that this was hampering the investigation of terrorism and other serious crimes. Technologists and cryptographers argue that governments are trying to weaken encryption by demanding some form of privileged access for government. It’s not clear how much encryption the NSA can break. With renewed focus on how encrypted messages can be used to plot terrorist attacks, President Barack Obama’s administration is stepping up pressure on the tech sector to help in the battle. Privacy remains a major counter-argument. It seems that governments lie about encryption backdoors. Encryption systems weakened by mandated backdoors would not be effective in fighting the terrorists that governments invoke as their reason for wanting those backdoors in the first place.

But this does not stop some government officials from demanding such a thing, with varying success in different countries. Another fact is that the existence of coded communications is a reality, and the U.S. may not be able to do much about it, because nearly everyone living in modern society uses it: encryption protects your bank information, prevents your password from being stolen when you log into a website, and allows all e-commerce transactions to take place securely. Encryption weakened by mandated backdoors would put all of us at an enormous risk of exposure from data breaches and associated online risks. The truth in 2016 is that any form of privileged access for government, i.e. a backdoor, would inevitably weaken crypto-systems and make them more vulnerable to attacks by foreign governments’ intelligence agencies as well as criminals. Juniper’s VPN security hole (the unauthorized code found in ScreenOS in December 2015, which allowed VPN traffic to be decrypted by whoever knew the planted constant) is proof that government backdoors are bonkers. Encryption backdoors would be a gleeful win-win for terrorists and a horrific lose-lose for you: the bad guys would keep strong protection for their data, and the rest of us would not. Poorly thought-out and crude surveillance techniques can have a devastating effect on a country’s internet security. For example, Kazakhstan will force its citizens to install internet backdoors by requiring all Internet users to install a state-issued root certificate by January 1, 2016, which lets the state intercept and read TLS connections.

Google, Mozilla and Microsoft are pushing for an early SHA-1 cutoff that could happen in 2016 instead of the earlier planned January 1, 2017, because recent research has shown SHA-1 to be weaker than previously believed: the estimated cost of a collision attack has dropped to a level within reach of well-funded attackers. Mozilla, Microsoft and now Google are all considering bringing the deadline forward by six months to July 1, 2016. SHA-2 is the replacement for SHA-1. Websites like Facebook and those protected by CloudFlare have implemented a SHA-1 fallback mechanism for clients that do not support SHA-2. Chrome will start displaying errors for SHA-1 certificates in early 2016 and will completely stop supporting SHA-1 certificates at the end of 2016. If you run a site, check the signature algorithm of every certificate in your chain, not only the leaf: a SHA-256 leaf issued under a SHA-1 intermediate still gets the warning.
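The check that matters here is reading which hash a certificate is actually signed with. The following is an added example, not code from the original post or from any of the browser vendors mentioned: it walks the DER structure of an X.509 certificate with a minimal ASN.1 reader (standard library only), extracts the outer signatureAlgorithm OID, and flags SHA-1 for every link in a chain. The `fake_cert` helper builds constructed, structurally valid but otherwise meaningless certificates for demonstration; on a real system you would feed `audit_chain` the DER of each certificate printed by `openssl s_client -showcerts`, converted with `pem_to_der`.

```python
# Added example (not from the original post or any vendor): read the outer
# signatureAlgorithm OID of a DER X.509 certificate and flag SHA-1 signatures.
# Standard library only; the ASN.1 reader handles just what this check needs.
import base64
import re

SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
}
SHA1_OIDS = {"1.2.840.113549.1.1.5", "1.2.840.10045.4.1"}


def read_tlv(data, offset=0):
    """Parse one DER TLV; return (tag, content, offset_after)."""
    tag, length, pos = data[offset], data[offset + 1], offset + 2
    if length & 0x80:                      # long form: low bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def decode_oid(raw):
    """OID content bytes -> dotted string (first byte packs the first two arcs)."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def signature_algorithm(der):
    """Dotted OID of Certificate.signatureAlgorithm (RFC 5280 section 4.1):
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    tag, cert, _ = read_tlv(der)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, after_tbs = read_tlv(cert)              # skip tbsCertificate
    tag, alg_id, _ = read_tlv(cert, after_tbs)    # AlgorithmIdentifier
    tag2, oid, _ = read_tlv(alg_id)
    if tag != 0x30 or tag2 != 0x06:
        raise ValueError("malformed AlgorithmIdentifier")
    return decode_oid(oid)


def pem_to_der(pem):
    """Strip PEM armour, e.g. from each cert printed by `openssl s_client -showcerts`."""
    return base64.b64decode(re.sub(r"-----[A-Z ]+-----|\s", "", pem))


def audit_chain(der_certs):
    """[(index, algorithm, uses_sha1)] for a whole chain: a SHA-256 leaf under
    a SHA-1 intermediate still trips the browser warnings, so check every link."""
    out = []
    for i, der in enumerate(der_certs):
        oid = signature_algorithm(der)
        out.append((i, SIG_ALG_NAMES.get(oid, oid), oid in SHA1_OIDS))
    return out


# --- constructed samples for demonstration (not real certificates) ----------
def der_tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def fake_cert(sig_oid, padding=0):
    """Structurally valid Certificate with dummy content; only signatureAlgorithm
    is meaningful. `padding` grows tbsCertificate to exercise long-form lengths."""
    tbs = der_tlv(0x30, der_tlv(0x02, b"\x01") + der_tlv(0x04, b"\x00" * padding))
    alg = der_tlv(0x30, der_tlv(0x06, encode_oid(sig_oid)) + b"\x05\x00")  # NULL params
    sig = der_tlv(0x03, b"\x00" + b"\xab" * 4)
    return der_tlv(0x30, tbs + alg + sig)
```

The reader deliberately looks at the outer signatureAlgorithm rather than the copy inside tbsCertificate; RFC 5280 requires the two to match, but the outer one is what the verifier actually uses, so it is the one to audit.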

The use of blockchain technology, a permissionless distributed database based on the Bitcoin protocol that runs across a global network of independent computers, will spread beyond the Bitcoin virtual currency. With Bitcoin, the blockchain tracks the exchange of money, but it can also track the exchange of anything else that holds value, including stocks, bonds, and other financial securities. Overstock has already used the blockchain to issue private bonds. The Securities and Exchange Commission has approved a plan from online retailer Overstock.com to issue company stock via the Internet, signaling a significant shift in the way financial securities will be distributed and traded in the years to come. Overstock built its technology under the aegis of a subsidiary called TØ.com, and it plans to offer this “cryptosecurity” tech as a service to other businesses. Nasdaq OMX, the company behind the Nasdaq stock exchange, is using the blockchain to oversee the exchange of private stock. Also, several major companies from across both the technology and financial industries, including IBM, Intel, and Cisco as well as the London Stock Exchange Group and big-name banks JP Morgan, Wells Fargo, and State Street, have joined forces under the Linux Foundation to create an open-source alternative blockchain.

The use of disk encryption will increase, and there are different ways to do it with different security levels. Microsoft has introduced Windows 10 device encryption in which the disk encryption recovery key is uploaded to the user’s Microsoft account. This approach has advantages and disadvantages. The gold standard in disk encryption is end-to-end encryption, where only you can unlock your disk. This is what most companies use, and it seems to work well: it protects data in case your device is lost or stolen. But what if you forget or lose your key? There are certainly cases where it’s helpful to have a backup of your key or password, so keeping a backup of your recovery key in your Microsoft account could be genuinely useful for the majority of users who don’t have high security needs. The disadvantage of this approach is that your computer is now only as secure as the database of keys held by Microsoft, which means it may be vulnerable to hackers, foreign governments, and people who can extort Microsoft employees. If you do not want the key escrowed, delete the recovery key from the Microsoft account and generate a fresh one locally, since the copy that was already uploaded must be assumed to be known.

Weak and leaked passwords are still a huge security problem in 2016. Passwords are often the weakest part of securing users’ accounts, as many don’t use complex passwords or they reuse the same password across services. Two-factor authentication, such as a USB security key holding a secret or a code sent to your phone by text message, can increase security, but many users find it a hassle as it introduces an additional step to the login process. Of these, a code sent by SMS is the weakest option, since it can be read or redirected by anyone who takes over the phone number.
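The post names USB tokens and SMS codes; the second factor most people actually carry is a time-based one-time password app (TOTP, RFC 6238, built on HOTP, RFC 4226). The following is an added example, not code from the original post: a standard-library implementation of code generation and of the server-side check, including the two details that are usually got wrong, a drift window and replay rejection. The secret and the values shown in the comments are the RFC test vectors, not real credentials.

```python
# Added example (not from the original post): HOTP (RFC 4226) and TOTP
# (RFC 6238) generation and verification with the standard library only.
# The secret used in __main__ is the RFC test secret, not a real credential.
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6, digestmod=hashlib.sha1):
    """HOTP(K, C) = Truncate(HMAC-SHA1(K, C)) mod 10^digits (RFC 4226 s5.3)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, for_time=None, step=30, digits=6):
    """TOTP = HOTP(K, floor(unix_time / step)) (RFC 6238 s4.2)."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret, int(for_time // step), digits)


def verify_totp(secret, code, for_time=None, step=30, window=1, last_counter=None):
    """Verify a submitted code and return the matched time counter, or None.

    - `window` steps either side are accepted to absorb clock drift;
    - the comparison is constant-time so timing does not leak matching digits;
    - when the caller passes the counter it last accepted (`last_counter`),
      any code at or before it is refused, which stops replay of a valid code
      within its lifetime. Store the returned counter and pass it next time.
    """
    if not code.isdigit():
        return None
    if for_time is None:
        for_time = time.time()
    base = int(for_time // step)
    for delta in range(-window, window + 1):
        counter = base + delta
        if last_counter is not None and counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, len(code)), code):
            return counter
    return None


def secret_from_base32(b32):
    """Authenticator apps share the seed as unpadded Base32 (otpauth:// URIs)."""
    s = b32.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


if __name__ == "__main__":
    # RFC 4226 / RFC 6238 test secret: ASCII "12345678901234567890"
    k = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print(hotp(k, 0), totp(k, 59), totp(k, 59, digits=8))   # 755224 287082 94287082
    print("current code:", totp(k))
```

The shared secret is the whole security of the scheme: it must be stored server-side with the same care as a password hash would be, and it cannot be hashed, because the server has to compute the HMAC with it.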

Google has begun testing a login system that uses phone notifications for authentication instead of passwords: users authenticate by responding to a notification sent to their smartphone. The idea is similar to Yahoo’s recently launched “Account Key”, which also offers a password-free means of signing in, involving a push notification sent to your phone that opens an app where you approve the login.

The smartphone will become a more and more security-critical part of your life. “Increasingly, individuals and organisations are adopting password managers and multi-factor authentication technologies to plug some of the holes in password-based authentication. We foresee a world where practically everyone uses their smartphone as a multi-factor authentication element. In this world, the smartphone becomes your most valuable asset: something that enables you to unlock your life online and a target for attackers seeking to access your services.”

Expect the number of mobile vulnerabilities to only grow in 2016. In 2016 we will see increasing numbers of cyber criminals using mobile applications to spread malware. Mobile presents an easy target for cyber criminals because it is an attack surface that is open and extremely difficult to defend once an app has been released. Android threats will become more than just headline-grabbers. Will 2016 be the year iOS malware goes mainstream?

Critical infrastructure will be highly targeted in 2016. SCADA and ICS networks were not designed for security. Attacks against these systems have increased in recent years, and I expect this trend to only get worse. There are still many companies that run their critical systems on Windows XP, as “there are some people who don’t have an option to change.” Many times the OS is running in automation and process control systems that run business- and mission-critical systems, both in private sector and government enterprises. For example, the US Navy is still using the obsolete Microsoft Windows XP to run critical tasks. It all comes down to money and resources, but if someone is obliged to keep something running on an obsolete system, it is completely the wrong approach to information security; at the very least such hosts should be isolated from the rest of the network.

Cars were hacked at a record rate in 2015, and they will be hacked at least at the same rate in 2016. Modern cars feature more gadgetry and connected systems, and this makes vehicles just as vulnerable to today’s threats and attacks as any other networked computer. I Am The Cavalry has published a Five Star Automotive Cyber Safety Framework to mitigate this threat; hopefully car component makers study it.

IoT and smart devices are still at risk. The Internet of Things will continue to emerge, and businesses will need to think about how to protect their smart devices and prepare for the wider adoption of IoT. IoT platforms are not yet the weapon of choice for commercial malware authors, but businesses should beware. Wearables won’t be safe either, as they are built using largely the same, too often vulnerable, technologies as other IoT systems. IoT security is still in its infancy in 2016.

Cyber criminals became more active in 2015, particularly with ransomware. The ransomware problem will continue to be big in 2016. Commercial malware authors will continue to invest heavily, and exploit kits will continue to dominate on the web. Ransomware today is big business. Ransomware takes control of a computer, typically by encrypting the victim’s files, and holds it hostage until the victim pays, usually in the digital currency Bitcoin. As a remedy against ransomware I recommend making sure that your IT support or service provider has a data backup and restore procedure that is operational, practiced and tested, with the backups kept where an infected machine cannot overwrite or encrypt them. You may need it in 2016 to get your data back without considering paying criminals. To date ransomware has hit Windows users hardest, although Android and Mac OS users are now also facing similar extortion.
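Two things this post asks for come down to the same primitive: an integrity solution that acts like an alarm (the assume-compromise point earlier in the post) and a backup restore that is actually tested rather than assumed to work. The following is an added example, not code from the original post: it hashes a directory tree into a baseline, compares a later snapshot against it to report changed, added and removed files, and reuses that same comparison to confirm a restored backup reproduces the baseline exactly. The directory layout, file contents and the simulated ransomware behaviour in `demo()` are all constructed for demonstration.

```python
# Added example (not from the original post): a hash baseline that acts as an
# integrity alarm, and the same comparison reused to prove a backup restores
# cleanly. Standard library only; demo() builds a constructed scenario.
import hashlib
import json
import os
import shutil
import tempfile


def hash_file(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Relative path -> sha256 for every regular file under root."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = hash_file(full)
    return baseline


def save_baseline(baseline, path):
    with open(path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def compare(baseline, current):
    """The alarm: files whose content changed, files that appeared, files that vanished."""
    return {
        "changed": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def restore_matches_baseline(restore_dir, baseline):
    """Backup test: a restore is only good if it reproduces the baseline exactly."""
    diff = compare(baseline, build_baseline(restore_dir))
    return not any(diff.values()), diff


def demo():
    """Constructed scenario: baseline a tree, take a backup, let simulated
    ransomware overwrite one file, drop a note and delete another, then
    check that the alarm fires and that the backup restores to the baseline."""
    work = tempfile.mkdtemp()
    try:
        data = os.path.join(work, "data")
        os.makedirs(os.path.join(data, "finance"))
        with open(os.path.join(data, "finance", "q4.xlsx"), "wb") as f:
            f.write(b"quarterly numbers (dummy content)")
        with open(os.path.join(data, "readme.txt"), "wb") as f:
            f.write(b"hello")

        manifest = os.path.join(work, "baseline.json")   # keep this off-host in real life
        save_baseline(build_baseline(data), manifest)
        backup = os.path.join(work, "backup")
        shutil.copytree(data, backup)                     # stand-in for the backup job

        # Simulated ransomware (dummy bytes, nothing is really encrypted).
        with open(os.path.join(data, "finance", "q4.xlsx"), "wb") as f:
            f.write(b"\x00\xffgarbage")
        with open(os.path.join(data, "README_DECRYPT.txt"), "wb") as f:
            f.write(b"pay us")
        os.remove(os.path.join(data, "readme.txt"))

        baseline = load_baseline(manifest)
        alarm = compare(baseline, build_baseline(data))
        restore_ok, _ = restore_matches_baseline(backup, baseline)
        return alarm, restore_ok
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    alarm, ok = demo()
    print("alarm:", alarm)
    print("restore verified:", ok)
```

The baseline file and the backups must live where the monitored host cannot write; an attacker who can modify the files can otherwise rewrite the baseline to match, and ransomware that reaches a mounted backup share encrypts it along with everything else.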

Ransomware will continue to dominate in 2016, and it is only a question of time before we see things beyond data being ransomed. We have already seen websites held to ransom under threat of DDoS. Intel’s McAfee Labs also noted a huge spike in ransomware in early 2015 and worries about ransomware in the IoT space, including medical devices. And Kaspersky predicts the “nightmare of ransomware” will continue and “spread to new frontiers” in 2016. The article Ransomware Is Coming to Medical Devices tells that, according to a report released recently by Forrester Research, the number one cybersecurity prediction for 2016 is: “We’ll see ransomware for a medical device or wearable.” “It’s definitely feasible from a technical standpoint.” Networked medical devices save lives; despite the hacking risk, it’s an informed trade-off. Medical device ransomware would be a modern form of highway robbery with lives at stake.

2,232 Comments

  1. Tomi Engdahl says:

    ATMs are ‘spitting out’ cash after being infected with malware
    https://www.neowin.net/news/atms-are-spitting-out-cash-after-being-infected-with-malware

    It seems like every single week we hear of a new major security breach, or data dump, or record-setting DDoS attack, all of which highlight the important role of cyber security in our online world. Today, a new attack is in the news, though it seems to have been inspired by movies: hackers are attacking ATMs and making them “spit money”.

    Though the security researchers haven’t named the actual institutions affected, they claim attacks like these have taken place in the UK, Russia, Spain, Poland, the Netherlands, Romania, Estonia, Armenia, Bulgaria and others.

    Two of the biggest cash machine manufacturers, Diebold Nixdorf and NCR Corp, have confirmed that they are aware of the threat.

  2. Tomi Engdahl says:

    Israeli Firm Can Steal Phone Data in Seconds
    http://www.securityweek.com/israeli-firm-can-steal-phone-data-seconds

    Petah Tikva, Israel – It only takes a few seconds for an employee of one of the world’s leading hacking companies to take a locked smartphone and pull the data from it.

    The company has contracts in more than 115 countries, many with governments, and it shot to global prominence in March when it was reported the FBI used its technology to crack the iPhone of one of the jihadist-inspired killers in San Bernardino, California.

    There have since been reports that Cellebrite was in fact not involved, and the company itself refuses to comment.

    Regardless, it is recognized as one of the world’s leaders in such technology.

    ‘Cat and mouse’

    Cellebrite’s technology is not online hacking. It only works when the phone is physically connected to one of the firm’s devices.

    The company recently demonstrated its capabilities for an AFP journalist.

    The password on a phone was disabled and newly taken photos appeared on a computer screen, complete with the exact location and time they were taken.

    The phone in the demonstration, an LG G4 run on Google’s Android operating system, is a model Cellebrite had already cracked, so the extraction did not take long.

    In the firm’s lab they have 15,000 phones — with around 150-200 new models added each month.

    When a new phone is launched, Ben-Peretz said, their 250-person research team races against competitors to find a chink in its armor, a process that can range from a few days to months.

    Legitimate means?

    According to Ben-Peretz, there is no phone on the market that is impossible to crack.

    “Yes it is getting harder, it is getting more complex,” he said. “But we still deliver results and they are results on the latest devices and latest operating systems.”

    Among the data the firm claims to be able to access are text messages deleted years previously.

    “Any company, including Cellebrite, has a responsibility to ensure their business activities don’t contribute to or benefit from serious human rights violations,” said Sari Bashi, Israel advocacy director at Human Rights Watch.

  3. Tomi Engdahl says:

    Several DoS Vulnerabilities Patched in NTP
    http://www.securityweek.com/several-dos-vulnerabilities-patched-ntp

    The CERT Coordination Center and the Network Time Foundation announced on Monday the availability of NTP 4.2.8p9, which includes nearly 40 security patches, bug fixes and improvements.

    The latest version of the Network Time Protocol daemon (ntpd) addresses a total of ten security holes. The most serious of them, tracked as CVE-2016-9312 and rated “high severity,” has been described as an oversized UDP packet denial-of-service (DoS) issue that only affects Windows.

    “If a vulnerable instance of ntpd on Windows receives a crafted malicious packet that is ‘too big’, ntpd will stop working,” CERT and NTF wrote in their advisories.

    NTP 4.2.8p9 also patches two medium, two medium-low, and five low severity vulnerabilities. One of the medium severity flaws (CVE-2016-9310) affects the control mode (mode 6) functionality of ntpd and it can be exploited by a remote, unauthenticated attacker.

    “If, against long-standing BCP recommendations, ‘restrict default noquery’ is not specified, a specially crafted control mode packet can set ntpd traps, providing information disclosure and DDoS amplification, and unset ntpd traps, disabling legitimate monitoring,” reads a description of the vulnerability.

    The second medium severity flaw (CVE-2016-7431) is related to a regression in the handling of some Zero Origin timestamp checks.

  4. Tomi Engdahl says:

    Hacker Explains How He Hacked Into Tel Aviv’s Public Wi-Fi Network In Three Days
    https://mobile.slashdot.org/story/16/11/22/2132255/hacker-explains-how-he-hacked-into-tel-avivs-public-wi-fi-network-in-three-days

    Israeli hacker Amihai Neiderman needed three days to hack into Tel Aviv’s free public Wi-Fi. He only worked during the evenings, after he came home from his full-time job as a security researcher. The 26-year-old said the difficulty level was “a solid 5” on a scale from 1 to 10. The hack, performed in 2014 and recently explained in detail during the DefCamp conference in Bucharest, Romania, shows how vulnerable public networks can be and why we should encrypt our web traffic while accessing them.

    A Hacker Took Over Tel Aviv’s Public Wi-Fi Network to Prove That He Could
    http://motherboard.vice.com/en_au/read/a-hacker-took-over-tel-avivs-public-wi-fi-network-to-prove-that-he-could

    He hacked his city out of curiosity. One day, he was driving home from work and he noticed the “FREE_TLV” displayed on his smartphone. He had no idea what it was, but got intrigued. It turned out to be Tel Aviv’s free municipal Wi-Fi network.

    The hacker connected to it and checked what his IP was, using http://whatismyip.com. This way, you usually find the address of the router that links you to the internet. To hack Tel Aviv, he needed to take control over this device.

    Neiderman got home and found out that the router had one port open. He tried it. This step allowed him to determine the manufacturer of the router. It turned out to be Peplink, a company he had never heard of. It made the mistake of having the administration interfaces online.

    He finally found out it was a high-end load balancing router.

    All he needed was a vulnerability to exploit.

    He tested the hack at home, emulating the city’s network, and it worked.

    The hacker notified Peplink. He was amazed by how fast they replied to his email, and how dedicated they were to patching the flaw.

  5. Tomi Engdahl says:

    The English company FlexEnable plans to introduce at the Cannes Trustech show next week a technology that could revolutionize the way we all use smart cards. FlexEnable has developed a highly accurate fingerprint sensor that can be embedded in the surface of a bank or credit card.
    The sensor is only 0.3 millimeters thick. This is less than half of the standard 0.76 millimeter thickness of a bank card.

    Biometric authentication is rapidly replacing or supplementing PIN codes, especially in the banking sector, where security is improved all the time.

    Source: http://etn.fi/index.php?option=com_content&view=article&id=5448:seuraava-pankkikorttisi-lukee-sormenjalkesi&catid=13&Itemid=101

  6. Tomi Engdahl says:

    Europe Cracks Down on Money Mules: 178 Arrested in Global Operation
    http://www.securityweek.com/europe-cracks-down-money-mules-178-arrested-global-operation

    178 individuals have been arrested across Europe for money laundering activities. More specifically, the individuals were acting as money mules helping criminals move stolen money out of the country of theft to criminal bank accounts abroad. The action was coordinated by Europol and Eurojust with assistance from law enforcement agencies in 16 European countries, together with the FBI and the U.S. Secret Service.

    A total of 580 money mules were identified during the action week: 14-18 November 2016. Of these, 380 suspects were interviewed by the national law enforcement agencies. 106 banks and private partners supported the action.

  7. Tomi Engdahl says:

    Proactive Security – Does It Exist?
    http://www.securityweek.com/proactive-security-does-it-exist

    For years, security experts have been struggling to create proactive security products and proactive cyber defense strategies. If we had them, would we have been better prepared for all the major attack campaigns the industry has experienced of late – from the Target breach in 2013 to the Sony hack in 2014 to the recent IoT DDoS hacks and the DNC-related attacks?

    What these “successful” attacks tell us is that we are more reactive than proactive. Sometimes we are quick enough to react in time and companies which are frequent targets of cyberattacks seem to be satisfied with their ability to swiftly minimize the damage. But the question remains – does proactivity exist or are we in search of an unattainable goal?

    First, we should consider whether proactive defense strategies exist in the realm of real battlefields. If we examine battlefield defense strategies, “proactive strategies” are a rarity.

    Rather, we usually encounter strategies quickly identifying the “main effort” which the attacker chooses to achieve their goals, and then organizing defense resources quickly enough to neutralize it.

    Instead of counting on proactive systems to significantly improve our chances of winning cybersecurity confrontations, there are two main questions we should consider, the answers to which will determine our odds of winning the battle:

    1. How nimble is our cybersecurity apparatus?

    2. How quickly can we collaborate with others in order to deploy new defense strategies?

  8. Tomi Engdahl says:

    Five Reasons to be Thankful for IT Security
    http://www.securityweek.com/five-reasons-be-thankful-it-security

    After a year of a divisive political climate, Thanksgiving comes at a welcome time.

    Unlike the political arena, or even other divisions of the technology industry, when working in IT security, people rarely notice when everything is done perfectly.

    #1 IT security saves money

    This one might be controversial, as many see security expenses more like insurance – a line item in case something bad happens. But, in today’s threat environment, it’s not a matter of “if” but “when” a disruptive attack will occur.

    #2 IT security retains customers

    The same 2016 Ponemon Institute study revealed that “churn” (loss of customers as a result of a data breach) was highest in the financial, health and service organizations, and lowest in public sector and education organizations.

    #3 IT security improves productivity

    While cat videos and social media have been disruptive to the productivity of many office workers, they are nothing compared to the attention that a data breach investigation and recovery effort can command from IT teams, communications teams, and even executive leadership.
    “In almost all cases, repairing damaged systems, rolling back to a pre-breach state and replacing/repairing the data were consistently mentioned as high-cost items.”

    #4 IT security will help you keep your job

    What do the breaches at the Office of Personnel Management (OPM), Target, and Sony Pictures all have in common? They all cost their CEOs

    # 5 IT security is ethical

    Regulations require compliance, and boards are interested in effective demonstration of policies and controls to satisfy auditors.
    But beyond compliance, much of the regulation we deal with as an industry is in place to protect customers, shareholders and employees. Doing the right things to protect their privacy and intellectual property

  9. Tomi Engdahl says:

    Tech firms seek to frustrate internet history log law
    http://www.bbc.com/news/technology-38068078

    Plans to keep a record of UK citizens’ online activities face a challenge from tech firms seeking to offer ways to hide people’s browser histories.

    Internet providers will soon be required to record which services their customers’ devices connect to – including websites and messaging apps.

    The Home Office says it will help combat terrorism, but critics have described it as a “snoopers’ charter”.

    Critics of the law have said hackers could get access to the records.

    “It only takes one bad actor to go in there and get the entire database,”

    “You can try every conceivable thing in the entire world to [protect it] but somebody will still outsmart you.

    “Mistakes will happen. It’s a question of when. Hopefully it’s in tens or maybe a hundred years. But it might be next week.”

    Now, several virtual private network (VPN) operators have seized on its introduction to promote their offerings.

    VPNs digitally scramble a user’s internet traffic and send it to one of their own servers before passing it on to a site or app in a form they can make sense of. A similar process happens in reverse, helping mask the person’s online activity.

    As a result, instead of ISPs having a log of everywhere a customer has visited, the only thing they can provide to the authorities is the fact that a subscriber used a VPN.

    “We saw a boom in Australia last year correlated to when its data retention law went into effect,”

    “Our biggest advantage is we have a zero log policy,”

    “And even in the worst-case scenario that our servers are confiscated, there would be nothing on them because of the way they are configured.”

    One of the UK’s smaller internet providers, Andrews & Arnold, is looking into other ways to help its users circumvent the law.

    “Customers can install a Tor browser, which encrypts traffic to one of thousands of different internet connections throughout the world hiding what they are doing,” said managing director Adrian Kennard.

    “We are also working with a company called Brass Horn, which is planning to sell Tor-only internet access.

  10. Tomi Engdahl says:

    Surveillance Firm ‘Geofeedia’ Cuts Half of Staff After Losing Access To Twitter, Facebook
    https://yro.slashdot.org/story/16/11/22/2146252/surveillance-firm-geofeedia-cuts-half-of-staff-after-losing-access-to-twitter-facebook

    In mid-October, the American Civil Liberties Union issued a report accusing police of using Geofeedia — a CIA-backed social-media monitoring platform — to track protests and other large gatherings. As a result, Instagram, Facebook and eventually Twitter cut the company off from its valuable data stream, causing it to cut half of its staff to “focus on a variety of innovations”

    Geofeedia cuts half of staff after losing access to Twitter, Facebook
    http://www.chicagotribune.com/bluesky/originals/ct-geofeedia-cuts-jobs-surveillance-bsi-20161121-story.html

  11. Tomi Engdahl says:

    FBI Hacked Over 8,000 Computers In 120 Countries Based on One Warrant
    https://yro.slashdot.org/story/16/11/23/153212/fbi-hacked-over-8000-computers-in-120-countries-based-on-one-warrant?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29

    In January, Motherboard reported on the FBI’s “unprecedented” hacking operation, in which the agency, using a single warrant, deployed malware to over one thousand alleged visitors of a dark web child pornography site. Now, it has emerged that the campaign was actually several orders of magnitude larger. In all, the FBI obtained over 8,000 IP addresses, and hacked computers in 120 different countries,

    The FBI’s ‘Unprecedented’ Hacking Campaign Targeted Over a Thousand Computers
    https://motherboard.vice.com/read/the-fbis-unprecedented-hacking-campaign-targeted-over-a-thousand-computers

    Reply
  12. Tomi Engdahl says:

    No super-kinky web smut please, we’re British
    UK ISPs will be asked to block streams of stuff it’s legal to do, but too dirty to watch
    http://www.theregister.co.uk/2016/11/24/internet_censors_to_block_certain_acts/

    Film censors in the United Kingdom will be able to ban Brits from accessing websites that stream especially kinky X-rated videos, if a proposed change in the law gets up.

    The Digital Economy bill, which is due to hit the statute books in early 2017, is set to include a provision that will allow the British Board of Film Classification to order internet service providers to block webpages that feature non-conventional sex acts – basically anything that you can’t sell on a porno DVD in the UK, you won’t be able to watch online either.

    Reply
  13. Tomi Engdahl says:

    Men overboard! US Navy spills data on 134k sailors
    In the Navy, we sink thanks to HPE! In the Navy, we leak data with much ease!
    http://www.theregister.co.uk/2016/11/24/in_the_navy_we_sink_thanks_hpe_in_the_navy_we_lose_data_with_ease/

    The United States Navy has revealed that the names and social security numbers of 134,386 current and former sailors have leaked, thanks to the compromise of a laptop used by a Hewlett Packard Enterprise Services staffer.

    The IT contractor and the Naval Criminal Investigative Service probed the data loss finding that “unknown individuals” accessed the records.

    The Navy says there is as yet no evidence the data was misused.

    No information was released on the detail of the incident, so we’re uncertain if the laptop was stolen, infected with malware or otherwise compromised.

    Reply
  14. Tomi Engdahl says:

    J. Alex Halderman / Medium:
    UMich security expert says Clinton should petition for recount in PA, MI, WI given the insecurity of voting machines and sophistication of state-sponsored hacks — You may have read at NYMag that I’ve been in discussions with the Clinton campaign about whether it might wish to seek recounts in critical states.

    Want to Know if the Election was Hacked? Look at the Ballots
    https://medium.com/@jhalderm/want-to-know-if-the-election-was-hacked-look-at-the-ballots-c61a6113b0ba#.c9xfwlqiq

    How might a foreign government hack America’s voting machines to change the outcome of a presidential election? Here’s one possible scenario. First, the attackers would probe election offices well in advance in order to find ways to break into their computers. Closer to the election, when it was clear from polling data which states would have close electoral margins, the attackers might spread malware into voting machines in some of these states, rigging the machines to shift a few percent of the vote to favor their desired candidate. This malware would likely be designed to remain inactive during pre-election tests, do its dirty business during the election, then erase itself when the polls close. A skilled attacker’s work might leave no visible signs — though the country might be surprised when results in several close states were off from pre-election polls.

    Could anyone be brazen enough to try such an attack? A few years ago, I might have said that sounds like science fiction, but 2016 has seen unprecedented cyberattacks aimed at interfering with the election.

    Russia is not the only country with the ability to pull off such an attack on American systems — most of the world’s military powers now have sophisticated cyberwarfare capabilities.

    Were this year’s deviations from pre-election polls the results of a cyberattack? Probably not. I believe the most likely explanation is that the polls were systematically wrong, rather than that the election was hacked. But I don’t believe that either one of these seemingly unlikely explanations is overwhelmingly more likely than the other.

    There is one absolutely essential security safeguard that protects most Americans’ votes: paper.

    I know I may sound like a Luddite for saying so, but most election security experts are with me on this: paper ballots are the best available technology for casting votes. We use two main kinds of paper systems in different parts of the U.S.

    Reply
  15. Tomi Engdahl says:

    Hacked or Not, Audit This Election (And All Future Ones)
    https://www.wired.com/2016/11/hacked-not-audit-election-rest/

    After an election marred by hacker intrusions that breached the Democratic National Committee and the email account of one of Hillary Clinton’s top staffers, Americans are all too ready to believe that their actual votes have been hacked, too. Now those fears have been stoked by a team of security experts, who argue that voting machine vulnerabilities mean Clinton should demand recounts in key states.

    Dig into their argument, however, and it’s less alarmist than it might appear. If anything, it’s practical. There’s no evidence that the outcome of the presidential election was shifted by compromised voting machines. But a statistical audit of electronic voting results in key states as a routine safeguard—not just an emergency measure—would be a surprisingly simple way to ease serious, lingering doubts about America’s much-maligned electoral security. “Auditing ought to be a standard part of the election process,” says Ron Rivest, a cryptographer and computer science professor at MIT. “It ought to be a routine thing as much as a doctor washing his hands.”

    Electronic Elections Need Audits

    On Wednesday, University of Michigan computer security researcher Alex Halderman published a blog post arguing that Wisconsin, Michigan, and Pennsylvania should perform recounts due to risks that the election was hacked. The article followed a far more sensational report from New York Magazine the evening before stating that Halderman and a team of experts tried to persuade Clinton staffers to request that recount.

    Want to Know if the Election was Hacked? Look at the Ballots
    https://medium.com/@jhalderm/want-to-know-if-the-election-was-hacked-look-at-the-ballots-c61a6113b0ba#.40v5oeim2

    Reply
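The two comments above argue for paper ballots and a routine statistical audit rather than a recount-on-suspicion. As an added example (my code, not from Halderman's post or the Wired article), the C below implements a ballot-polling risk-limiting audit of the BRAVO kind for a two-candidate contest: hand-interpreted paper ballots are drawn at random, each one updates a likelihood ratio, and the audit stops once that ratio reaches 1/alpha, where alpha is the risk limit. The sample arrays are constructed data, and the code assumes every sampled ballot records a vote for one of the two candidates.

```c
/* Added example, not code from Halderman's post or the Wired article:
 * a ballot-polling risk-limiting audit (BRAVO-style sequential test) for a
 * two-candidate contest. It shows why a routine audit of paper ballots needs
 * only a modest random sample when the margin is comfortable, and escalates
 * towards a full hand count when the sample does not support the result. */
#include <stdio.h>

/* Constructed data: hand-interpreted ballots drawn uniformly at random.
 * 1 = vote for the reported winner, 0 = vote for the reported loser.
 * Assumption: every sampled ballot records a vote for one of the two. */
static const int SAMPLE_CLEAN[20]  = {1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1};
static const int SAMPLE_SUSPECT[12] = {0,1,0,0,1,0,0,0,1,0,0,0};

/* Smallest number of ballots that lets the audit stop at risk limit alpha
 * when every sampled ballot is for the reported winner. Each such ballot
 * multiplies the likelihood ratio by 2 * winner_share, so we need the
 * smallest n with (2 * winner_share)^n >= 1 / alpha. Computed by repeated
 * multiplication so it matches the sequential test below exactly.
 * Returns -1 if the reported share is not a win or alpha is invalid. */
int ballots_for_clean_sample(double winner_share, double alpha)
{
    double t = 1.0, threshold = 1.0 / alpha;
    int n = 0;
    if (winner_share <= 0.5 || alpha <= 0.0 || alpha >= 1.0)
        return -1;
    while (t < threshold) {
        t *= 2.0 * winner_share;
        n++;
    }
    return n;
}

/* Sequential test over an actual sample.
 * winner_share: the reported winner's share of the vote (> 0.5).
 * alpha: risk limit, e.g. 0.05 means at most a 5 % chance that a wrong
 *        reported outcome escapes a full hand count.
 * Returns the number of ballots examined when the audit may stop, or -1 if
 * the sample ran out first (the audit then escalates, ultimately to a full
 * hand count of the paper ballots). */
int bravo_ballots_to_stop(const int *sample, int n, double winner_share, double alpha)
{
    double t = 1.0;                     /* likelihood ratio, starts neutral */
    double threshold = 1.0 / alpha;
    int i;
    if (winner_share <= 0.5 || alpha <= 0.0 || alpha >= 1.0)
        return -1;
    for (i = 0; i < n; i++) {
        if (sample[i])
            t *= winner_share / 0.5;          /* evidence for the reported winner */
        else
            t *= (1.0 - winner_share) / 0.5;  /* evidence against it */
        if (t >= threshold)
            return i + 1;
    }
    return -1;
}

int main(void)
{
    printf("60%% reported share, 5%% risk limit: %d clean ballots suffice\n",
           ballots_for_clean_sample(0.60, 0.05));
    printf("51%% reported share, 5%% risk limit: %d clean ballots suffice\n",
           ballots_for_clean_sample(0.51, 0.05));
    printf("clean sample stops after %d ballots\n",
           bravo_ballots_to_stop(SAMPLE_CLEAN, 20, 0.60, 0.05));
    printf("suspect sample: %d (-1 = escalate to a full hand count)\n",
           bravo_ballots_to_stop(SAMPLE_SUSPECT, 12, 0.60, 0.05));
    return 0;
}
```

The two calls to ballots_for_clean_sample() make the passage's point about close margins concrete: a 60/40 result can be confirmed from a few dozen ballots, while a 51/49 result needs well over a hundred even when every sampled ballot agrees with the reported winner, and a sample that does not agree never lets the audit stop.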
  16. Tomi Engdahl says:

    CERT tells Microsoft to keep EMET alive because it’s better than Win 10’s own security
    Vuln seeker says EMET has 13 protections Win 10 doesn’t
    http://www.theregister.co.uk/2016/11/24/cert_no_microsoft_even_win_7_emet_is_better_than_solo_win_10/

    Microsoft should reverse its planned axing of the lauded Enhanced Mitigation Toolkit (EMET) as Windows 10 cannot yet match its level of security, according to Carnegie Mellon University CERT furniture Will Dormann.

    The vulnerability analyst, who has pushed out security alerts and advice from the world’s first CERT for around a decade, says even a Windows 7 machine running EMET trumps Windows 10’s native defences.

    Redmond plans to rid the world of the exploit mitigation toolkit in mid 2018, after recently extending its end of life date by 18 months.

    Reply
  17. Tomi Engdahl says:

    Conviction by computer: Ministry of Justice wants defendants to plead guilty online
    Do you really trust prosecutors to upload all their evidence?
    http://www.theregister.co.uk/2016/09/19/ministry_of_justice_conviction_by_computer_plans/

    Train fare and telly licence dodgers will be invited to plead guilty from the comfort and convenience of their phones, according to court reform plans unveiled by the Ministry of Justice.

    In a paper issued jointly last week by Lord Chancellor Liz Truss MP, the Lord Chief Justice, Lord Thomas of Cwmgiedd, and the senior president of tribunals, Lord Justice Ryder, are plans to allow the justice system to take advantage of brand spanking new technologies such as the internet.

    The paper, titled Transforming Our Justice System (PDF, 20 pages), sets out how the ministry wants to move England and Wales’ court system away from 15th-century paper-based filing systems and to adopt long-overdue digital document handling processes.

    https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/553261/joint-vision-statement.pdf

    Reply
  18. Tomi Engdahl says:

    How to confuse a Euro-cop: Survey reveals the crypto they love to hate
    Bits of Freedom research discovers unsavoury continental back-door preferences
    http://www.theregister.co.uk/2016/11/24/foi_sparks_backdoor_debate_in_europe/

    European Union (EU) citizens can now get an idea of what their governments want – and are doing about – cryptography regulation.

    The new opportunity comes courtesy of a freedom of information request by Bits of Freedom, summarised by privacy researcher Lukas Olejnik here.

    The news is bleak: the responses to a survey sent to EU governments indicate widespread support for restricting citizens’ access to encrypted communications.

    It’s quite accurate, for example, for the Italian response to note that it’s seeing HTTPS all over the place, given the concerted push by ‘net luminaries to persuade site operators to employ it and therefore offer better protection to sensitive data.

    However, even other countries that say their law enforcement often encounters encryption didn’t nominate HTTPS as something they encountered in the course of their investigations (Finland and Poland, for example). It’s feasible, even likely, that such countries didn’t tick the “HTTPS” box because peoples’ day-to-day banking isn’t the topic of investigation – rather, it’s the communications over Tor, or in comms apps like Skype and WhatsApp, that they want to crack.

    There is, as Olejnik notes, a common complaint among EU countries that they don’t have the money, technology, or skills to fight cybercrime (reading the responses we have to agree there’s a lack of skills).

    Which is probably why if Sweden wants to decrypt a device, its approach is to question the user [Hopefully not using rubber-hose decryption]

    Reply
  19. Tomi Engdahl says:

    Evaluating Risks to Identity and Access When Moving to the Cloud
    http://www.securityweek.com/evaluating-risks-identity-and-access-when-moving-cloud

    Are Too Many Companies Putting Identity and Access at Unnecessary Risk in Their Move to the Cloud?

    “I know you guys don’t do cloud,” I began, “but are you moving to Office 365?”

    “Probably. Eventually. I think we’re going to get dragged there whether we want to go or not,”

    Microsoft Office has long been the most popular business productivity software suite. Now the Redmond-based giant is aggressively promoting their cloud-based version, Office 365, to organizations of all sizes.

    For small businesses particularly, the lure of a few dollars each month for the cloud version instead of hundreds of dollars per employee for the desktop suite is a huge temptation and given the choice, they’ll just go with it. I would, skinflint that I am.

    Most Office 365 deployments result in user credentials (including C-level usernames and passwords) going to the cloud whether they mean to or not.

    Don’t believe me? Let’s look at the three identity and access management models used by Office 365.

    Cloud Identity Model – All your passwords belong to Microsoft.
    Synchronized Identity Model – Passwords hashed on-premises and in the cloud.
    Federated Identity Model – The most secure, but still sees mobile user passwords.

    What’s the Threat Model Here, Anyway?

    Here’s a short list of possible threat vectors you’d consider if you were doing a threat model assessment for any of the cloud password management models (including the three above):

    · Cloud breach
    · Man-in-the-middle attack
    · Rogue cloud employee
    · Nation-state (subpoena)
    · Accidental credential logging
    · Phishing attack

    Many organizations have decided that they are comfortable with this gap. No model is 100 percent secure, right? But a few CSOs want to close the gap before they make the switch. Right now, the way to do it is to intercept and proxy ActiveSync connections from the client to an on-premises proxy which then encrypts the passwords before they transit to Azure AD.

    The final step is to implement adaptive multi-factor authentication (MFA). Adaptive MFA is risk-based authentication and can include certificate checks and context-aware, one-time passwords (OTP) via email.

    Reply
  20. Tomi Engdahl says:

    Office 365 identity and Azure Active Directory
    https://support.office.com/en-us/article/Understanding-Office-365-identity-and-Azure-Active-Directory-06a189e7-5ec6-4af2-94bf-a22ea225a7a9#BK_Sync

    Office 365 uses the cloud-based user authentication service Azure Active Directory to manage users. You can choose from three main identity models in Office 365 when you set up and manage user accounts:

    Cloud identity. Manage your user accounts in Office 365 only. No on-premises servers are required to manage users; it’s all done in the cloud.

    Synchronized identity. Synchronize on-premises directory objects with Office 365 and manage your users on-premises. You can also synchronize passwords so that the users have the same password on-premises and in the cloud, but they will have to sign in again to use Office 365.

    Federated identity. Synchronize on-premises directory objects with Office 365 and manage your users on-premises. The users have the same password on-premises and in the cloud, and they do not have to sign in again to use Office 365. This is often referred to as single sign-on.

    Reply
  21. Tomi Engdahl says:

    Gatak Trojan Continues to Target Healthcare Organizations
    http://www.securityweek.com/gatak-trojan-continues-target-healthcare-organizations

    Organizations in the healthcare sector continue to be the main targets of the Gatak Trojan, a piece of malware that can steal information and perform backdoor functions, Symantec researchers warn.

    Also known as Stegoloader and targeting mainly enterprise networks, Gatak (Trojan.Gatak) has been around since 2011, primarily focusing on organizations in the United States. Spreading through websites that promise licensing keys for pirated software, the malware hasn’t spared international organizations either, and the healthcare sector has suffered the most.

    Gatak spreads bundled with product keys for pirated software, via dedicated websites. The attackers lure victims by supposedly offering product keys for software usually used in professional environments, but the keys don’t work and users end up infected.

    The malware has two main components: a lightweight deployment module that gathers information on the infected machine and can install additional payloads; and the main module, a fully-fledged backdoor Trojan designed to steal information from the infected computer and achieve persistence.

    Reply
  22. Tomi Engdahl says:

    Six in Philippines May Face Charges Over Bangladesh Bank Heist Charges
    http://www.securityweek.com/six-philippines-may-face-charges-over-bangladesh-bank-heist-charges

    The Philippines said Wednesday it has launched criminal proceedings against six bankers accused of failing to stop the laundering of tens of millions of dollars stolen by cyber-criminals from Bangladesh’s central bank.

    The electronic thieves in February shifted $81 million from the bank’s account with the US Federal Reserve in New York to the Rizal Commercial Banking Corp. (RCBC) in Manila in one of the world’s biggest bank heists.

    The money was transferred to four accounts at an RCBC branch from where it was funnelled into local casinos, according to regulators who fined the bank a record $21 million in August.

    No one has been arrested in the Philippines over the heist but the government has recovered about $15 million, some of it from a Manila-based casino operator who has pledged to cooperate with the criminal enquiry.

    Reply
  23. Tomi Engdahl says:

    Meet Matrix, an Open Standard for De-centralized Encrypted Communications
    http://www.securityweek.com/meet-matrix-open-standard-de-centralized-encrypted-communications

    In the early days of the internet, communication was by email. Originally siloed by companies like Compuserve, AT&T and Sprint so that messages could only be exchanged with others on the same system, email is now ubiquitous. Pretty much anyone can communicate with anyone else without worrying about app or device or browser.

    Today there are additional methods of communicating via the internet, such as chat and voice. These new methods, however, are currently similar to early email: siloed by different vendors so that users can communicate only with other users on the same system. Matrix.org aims to change this, so that any user on one system can communicate with any user on a different system; just like email today.

    Matrix is an open standard for interoperable, decentralized, real-time communication over IP. It can be used for any type of IP communication: IM, VoIP, or IoT data.

    To this end, Matrix has announced and launched the formal beta of the new Olm end-to-end encryption implementation across Web, iOS and Android. “With Matrix.org and Olm,” commented Hodgson, “we have created a universal end-to-end encrypted communication fabric — we really consider this a key step in the evolution of the Internet.”

    Olm is the Matrix implementation of the Double Ratchet algorithm designed by Trevor Perrin and Moxie Marlinspike.

    http://matrix.org/

    Reply
  24. Tomi Engdahl says:

    The block chain market is being divided now

    Block chains seem to be one of the biggest trends of the year. During the autumn we have seen a number of cooperation initiatives between the financial sector and consulting companies, celebrities appearing in the news with product ideas related to block chains, and startups being launched.

    The block chain refers, for example, to the technology underlying the Bitcoin virtual currency. It is an infinitely long cryptographic data structure that records money transfers between users. Ethereum has extended the original model so that, in addition to money transfers, the block chain is suitable for other uses such as bookkeeping and even the signing of agreements.

    The main feature of block chains is their decentralization among all users. The data structure is not held by any single party.

    The financial sector’s attitude towards block chains is a little like that of media companies towards the Internet in its early days. The Internet was believed to be a big moneymaker. On the other hand, it was also feared and belittled because its effects were not yet known.

    The block chain infrastructure market will also be divided during the first few years.

    Microsoft has chosen Ethereum as its block chain platform and offers it in the Azure cloud service. IBM, in turn, has jumped on the Hyperledger consortium bandwagon and offers its own block chain in its Bluemix service.

    Google and Amazon are still conspicuous by their absence from this market. Apparently neither of them wants to be bound to any particular technology too early.

    Microsoft’s Azure block chain is still in its infancy.
    IBM’s block chain, in turn, is a product to be taken more seriously.

    Amateurs – and those suffering from paranoia – can run block chains on their own servers. That is likely to remain the tinkering of a relatively small group. Who today would want to invest in new servers and maintenance personnel?

    Even banks may prefer to use the cloud for block chains. Otherwise they would need to open their firewalls to fairly low-level access for block chain applications.

    End users, too, are shifting a growing share of their data processing to the cloud. Block chains require a lot of capacity and electric power, so they perform poorly on cell phones.

    Source: http://www.tivi.fi/blogit/lohkoketjujen-markkinat-jaetaan-nyt-6601722

    Reply
  25. Tomi Engdahl says:

    Andy Greenberg / Wired:
    Experts say election results should be audited to ease lingering doubts about voting systems — After an election marred by hacker intrusions that breached the Democratic National Committee and the email account of one of Hillary Clinton’s top staffers, Americans are all too ready to believe …

    Hacked or Not, Audit This Election (And All Future Ones)
    https://www.wired.com/2016/11/hacked-not-audit-election-rest/

    Electronic Elections Need Audits

    Reply
  26. Tomi Engdahl says:

    Dan Goodin / Ars Technica:
    Google has been warning prominent journalists and professors that their accounts are under attack from “government-backed attackers”

    Google warns journalists and professors: Your account is under attack
    A flurry of social media reports suggests a major hacking campaign has been uncovered.
    http://arstechnica.com/security/2016/11/google-warns-journalists-and-professors-your-account-is-under-attack/

    Google is warning prominent journalists and professors that nation-sponsored hackers have recently targeted their accounts, according to reports delivered in the past 24 hours over social media.

    The people reportedly receiving the warnings include Nobel Prize-winning economist and New York Times columnist Paul Krugman, Stanford University professor and former US diplomat Michael McFaul, GQ correspondent Keith Olbermann, and according to this tweet, Politico, Highline, and Foreign Policy contributor/columnist Julia Ioffe; New York Magazine reporter Jonathan Chait; and Atlantic magazine writer Jon Lovett. Reports of others receiving the warnings are here and here.

    One of the red banners included large white text that stated: “Warning: Google may have detected government-backed attackers trying to steal your password.” It included a link that led to advice for securing accounts.

    It’s not certain that the PowerDuke campaign and the flurry of Google warnings are connected, but there are enough similarities to entertain the possibility.

    Reply
  27. Tomi Engdahl says:

    McKenzie Funk / New York Times:
    How Cambridge Analytica, which was hired by the Trump and Brexit “Leave” campaigns, builds psychological profiles of Facebook users with personality quizzes

    The Secret Agenda of a Facebook Quiz
    http://www.nytimes.com/2016/11/20/opinion/the-secret-agenda-of-a-facebook-quiz.html

    Do you panic easily? Do you often feel blue? Do you have a sharp tongue? Do you get chores done right away? Do you believe in the importance of art?

    If ever you’ve answered questions like these on one of the free personality quizzes floating around Facebook, you’ll have learned what’s known as your Ocean score: How you rate according to the big five psychological traits of Openness, Conscientiousness, Extraversion, Agreeableness and Neuroticism. You may also be responsible the next time America is shocked by an election upset.

    For several years, a data firm eventually hired by the Trump campaign, Cambridge Analytica, has been using Facebook as a tool to build psychological profiles that represent some 230 million adult Americans.

    Cambridge Analytica worked on the “Leave” side of the Brexit campaign. In the United States it takes only Republicans as clients.

    No data point is very informative on its own, but profiling voters, says Cambridge Analytica, is like baking a cake. “It’s the sum of the ingredients,”

    The explosive growth of Facebook’s ad business has been overshadowed by its increasing role in how we get our news, real or fake.

    One recent advertising product on Facebook is the so-called “dark post”: A newsfeed message seen by no one aside from the users being targeted.

    Imagine the full capability of this kind of “psychographic” advertising.

    In the immediate wake of Mr. Trump’s surprise election, so many polls and experts were so wrong that it became fashionable to declare that big data was dead. But it isn’t, not when its most obvious avatar, Facebook, was so crucial to victory.

    Reply
  28. Tomi Engdahl says:

    Craig Timberg / Washington Post:
    Experts: a Russian propaganda campaign to undermine Clinton helped spread fake news during election using botnets, networks of sites, paid human “trolls”, more

    Russian propaganda effort helped spread ‘fake news’ during election, experts say
    https://www.washingtonpost.com/business/economy/russian-propaganda-effort-helped-spread-fake-news-during-election-experts-say/2016/11/24/793903b6-8a40-4ca9-b712-716af66098fe_story.html

    The flood of “fake news” this election season got support from a sophisticated Russian propaganda campaign that created and spread misleading articles online with the goal of punishing Democrat Hillary Clinton, helping Republican Donald Trump and undermining faith in American democracy, say independent researchers who tracked the operation.

    Russia’s increasingly sophisticated propaganda machinery — including thousands of botnets, teams of paid human “trolls,” and networks of websites and social-media accounts — echoed and amplified right-wing sites across the Internet as they portrayed Clinton as a criminal hiding potentially fatal health problems and preparing to hand control of the nation to a shadowy cabal of global financiers. The effort also sought to heighten the appearance of international tensions and promote fear of looming hostilities with nuclear-armed Russia.

    Two teams of independent researchers found that the Russians exploited American-made technology platforms to attack U.S. democracy at a particularly vulnerable moment.

    The sophistication of the Russian tactics may complicate efforts by Facebook and Google to crack down on “fake news,” as they have vowed to do after widespread complaints about the problem.

    There is no way to know whether the Russian campaign proved decisive in electing Trump, but researchers portray it as part of a broadly effective strategy of sowing distrust in U.S. democracy and its leaders.

    “They want to essentially erode faith in the U.S. government or U.S. government interests,”

    “This was their standard mode during the Cold War. The problem is that this was hard to do before social media.”

    more than 200 websites as routine peddlers of Russian propaganda during the election season, with combined audiences of at least 15 million Americans. On Facebook, PropOrNot estimates that stories planted or promoted by the disinformation campaign were viewed more than 213 million times.

    Some players in this online echo chamber were knowingly part of the propaganda campaign, the researchers concluded, while others were “useful idiots”

    harnessing the online world’s fascination with “buzzy” content that is surprising and emotionally potent

    Some of these stories originated with RT and Sputnik

    On other occasions, RT, Sputnik and other Russian sites used social-media accounts to amplify misleading stories already circulating online, causing news algorithms to identify them as “trending” topics that sometimes prompted coverage from mainstream American news organizations.

    The speed and coordination of these efforts allowed Russian-backed phony news to outcompete traditional news organizations for audience.

    The final weeks of the campaign featured a heavy dose of stories about supposed election irregularities, allegations of vote-rigging and the potential for Election Day violence should Clinton win, researchers said.

    “The way that this propaganda apparatus supported Trump was equivalent to some massive amount of a media buy,”

    He and other researchers expressed concern that the U.S. government has few tools for detecting or combating foreign propaganda.

    The Kremlin has repeatedly denied interfering in the U.S. election or hacking the accounts of election officials.

    “They use our technologies and values against us to sow doubt,” said Robert Orttung, a GWU professor who studies Russia. “It’s starting to undermine our democratic system.”

    “For them, it’s actually a real war, an ideological war, this clash between two systems,” said Sufian Zhemukhov, a former Russian journalist conducting research at GWU. “In their minds, they’re just trying to do what the West does to Russia.”

    Reply
  29. Tomi Engdahl says:

    Mozilla hackers audit cURL file transfer toolkit, give it a tick for security
    Four remote code execution holes patched along the way
    http://www.theregister.co.uk/2016/11/25/mozilla_hackers_give_curl_security_audit_tick/

    Mozilla has given the widely-used cURL file transfer library a thumbs up in a security audit report that uncovered nine vulnerabilities.

    Of those found in the free security review were four high severity vulnerabilities leading to potential remote code execution, and the same number of medium risk bugs. One low risk man-in-the-middle TLS flaw was also uncovered.

    Audit vulnerabilities:

    CRL-01-021 UAF via insufficient locking for shared cookies (High)
    CRL-01-005 OOB write via unchecked multiplication in base64_encode() (High)
    CRL-01-009 Double-free in krb5_read_data() due to missing realloc() check (High)
    CRL-01-014 Negative array index via integer overflow in unescape_word() (High)
    CRL-01-001 Malicious server can inject cookies for other servers (Medium)
    CRL-01-007 Double-free in aprintf() via unsafe size_t multiplication (Medium)
    CRL-01-013 Heap overflow via integer truncation (Medium)
    CRL-01-002 ConnectionExists() compares passwords with strequal() (Medium)
    CRL-01-011 FTPS TLS session reuse (Low)

    https://curl.haxx.se/changes.html#7_51_0

    Reply
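Three bug classes recur in the audit list above: size arithmetic that wraps before an allocation, a realloc() whose result is not checked, and credentials compared with a case-insensitive string function. As an added example (my code, not cURL's; every function name here is constructed), the C below shows the defensive form of each: checked size_t arithmetic for a base64 output buffer, a buffer growth helper in which the caller's pointer is replaced only on success so no double free is possible, and an exact, case-sensitive credential comparison for deciding connection reuse.

```c
/* Added example, not cURL's code: defensive patterns for the bug classes in
 * the audit list above. Identifiers are mine (constructed), not cURL's.
 * Build: cc -std=c99 -Wall example.c */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* size_t arithmetic that reports overflow instead of silently wrapping.
 * Unchecked "(len + 2) / 3 * 4" style size maths is the root of the
 * "OOB write via unchecked multiplication" and "heap overflow via integer
 * truncation" findings: a wrapped size buys a buffer that is too small. */
static int mul_size(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a)
        return 0;
    *out = a * b;
    return 1;
}

static int add_size(size_t a, size_t b, size_t *out)
{
    if (b > SIZE_MAX - a)
        return 0;
    *out = a + b;
    return 1;
}

/* Bytes needed to base64-encode in_len input bytes: 4 characters per 3 input
 * bytes (rounded up) plus a NUL terminator. Returns 0 when the size does not
 * fit in size_t, so a caller never allocates less than it is about to write. */
size_t base64_encoded_size(size_t in_len)
{
    size_t groups, chars, total;
    if (!add_size(in_len, 2, &groups))
        return 0;
    groups /= 3;
    if (!mul_size(groups, 4, &chars) || !add_size(chars, 1, &total))
        return 0;
    return total;
}

/* Grow a heap buffer. realloc() returns NULL on failure and leaves the old
 * block allocated; code that overwrites its only pointer with that result and
 * then frees in more than one cleanup path is how a missing realloc() check
 * becomes a double free. Here *buf is replaced only on success. */
int grow_buffer(char **buf, size_t *cap, size_t new_cap)
{
    char *tmp;
    if (new_cap <= *cap)
        return 1;                 /* never shrink; nothing to do */
    tmp = realloc(*buf, new_cap);
    if (tmp == NULL)
        return 0;                 /* *buf is still valid and still owned by caller */
    *buf = tmp;
    *cap = new_cap;
    return 1;
}

/* Exercise grow_buffer() twice and return the final capacity (-1 on failure). */
int demo_grow(size_t first, size_t second)
{
    char *buf = NULL;
    size_t cap = 0;
    if (!grow_buffer(&buf, &cap, first))
        return -1;
    memset(buf, 'A', cap);        /* the whole capacity is really usable */
    if (!grow_buffer(&buf, &cap, second)) {
        free(buf);                /* single owner, freed exactly once */
        return -1;
    }
    free(buf);
    return (int)cap;
}

/* Credentials decide whether a cached connection may be reused, so they must
 * be compared exactly. A case-insensitive compare (the strequal() finding)
 * would let "Secret" match "secret". This compare is case-sensitive and does
 * not stop at the first differing byte. */
int credentials_equal(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b), i;
    unsigned char diff = (unsigned char)(la != lb);
    for (i = 0; i < la && i < lb; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

int main(void)
{
    printf("base64 size for 4 bytes: %zu\n", base64_encoded_size(4));
    printf("base64 size for SIZE_MAX bytes: %zu (0 = overflow)\n",
           base64_encoded_size(SIZE_MAX));
    printf("grow 16 -> 64: capacity %d\n", demo_grow(16, 64));
    printf("\"Secret\" == \"secret\"? %d\n", credentials_equal("Secret", "secret"));
    return 0;
}
```

The point of returning 0 from base64_encoded_size() rather than a wrapped value is that the caller has exactly one thing to check before calling malloc(); the same discipline applies to any length computed from attacker-influenced input such as a server response.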
  30. Tomi Engdahl says:

    IBM pays up after ‘clearly failing’ DDoS protection for Australia’s #censusfail
    Two reports suggest this is what happens when government agencies hollow out
    http://www.theregister.co.uk/2016/11/25/ibm_clearly_failed_ddos_protection_for_australias_censusfail/

    Australia’s census all-but failed due to a combination of poor design, bad operational decisions, human error and numerous lazy and/or bad decisions that could have been avoided had warnings about corporate culture been heeded and Australian government agencies properly educated about what it takes to deliver digital services.

    That’s The Register’s summary of two reports into the contentious events of August 9th, when Australia’s online census went down after a suspected denial of service attack saw a router rebooted, but fail to restart because IBM had never tested what would happen if it turned it on and off again. IBM has claimed it would never have had to touch the power button if ISPs it hired did their jobs properly.

    Enough back story for now: to the reports

    That worries MacGibbon as much as anything else: his report says the failure of the census shows that beyond a couple of dedicated agencies, Australia’s government just doesn’t know what it takes to run digital services.

    Dud DDoS defences

    The organisational issues both reports identify led to the adoption of what proved to be a dud DDoS defence.

    The Senate Committee report offers the observation that “It goes without saying that the eCensus website should have had the capacity to withstand what was a relatively minor attack.”

    “Further, the appropriateness of Island Australia must also be questioned given that some components of the eCensus—such as password resets—required access to international servers.”

    MacGibbon criticises IBM for its approach to implementing Island Australia, which saw it test the DDoS protection only once the census form was live and then only for ten minutes. Those tests did not consider the impact the “Island Australia” plan to block traffic from non-Australian IP addresses would have on other internet service providers (ISPs). IBM is also felt not to have issued proper instructions to one of its contracted ISPs. That ISP didn’t help matters by failing to configure its service for IBM’s data centre.

    Even if all the DDoS protection plans had worked, MacGibbon finds that the “Island Australia” plan is not a widely-accepted DDoS defence tactic. He also points out that geo-blocking had the potential to harm the census.

    Reply
  31. Tomi Engdahl says:

    Poison .JPG spreading ransomware through Facebook Messenger
    Click-to-self-p0wn attack sneaks Locky ransomware past Zuck’s security model
    http://www.theregister.co.uk/2016/11/25/selfharming_jpg_hack_hole_may_be_key_to_lockys_fb_spread/

    Checkpoint has found an image obfuscation trick it thinks may be behind a recent massive phishing campaign on Facebook that’s distributing the dangerous Locky ransomware.

    The security firm has not released technical details as the flaw it relies on still impacts Facebook and LinkedIn, among other unnamed web properties.

    The flaw as described is, in this writer’s opinion, ultimately of little risk to El Reg’s tech savvy readers, but folks who can be conned into downloading and running unknown executables are at risk.

    The attack is also significant in that it breaks Facebook’s security controls.

    The victim must click the attachment, an act that generates a Windows save file prompt asking the victim for the save directory to which the now .hta file will be downloaded.

    They must then double-click the saved .hta file to unleash the Locky ransomware.

    While the attack is not automated, it does break Facebook’s hypervigilant security model and is fairly regarded by Checkpoint as a Facebook “misconfiguration”.

    Reply
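The post above describes a file that is presented as an image but is saved and run as an HTML Application (.hta). Check Point withheld the details, so the following is an added example (not Check Point's research or the original page's code) of the download-side check a client or mail/chat gateway can apply: classify the file by its leading bytes rather than by its name, and refuse HTA content whatever extension it carries. The sample files are constructed for the demonstration.

```python
"""Added example: compare a downloaded file's real content type (from its magic
bytes) with the extension it arrived with, and block HTML Application content.
The samples below are constructed; the HTA body carries no real payload."""
import os

# Leading bytes of common image formats.
MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
IMAGE_EXTS = {".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".gif": "gif"}
# Extensions Windows will hand to a script host or loader on double-click.
HARMFUL_EXTS = {".hta", ".js", ".vbs", ".exe", ".scr"}

# Constructed samples (hypothetical, for the demo only).
JPEG_SAMPLE = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
HTA_SAMPLE = (b"\xef\xbb\xbf  \r\n<html><head><hta:application id=\"x\"></head>"
              b"<body><script>/* dropper omitted */</script></body></html>")


def sniff(data: bytes) -> str:
    """Classify content by what the bytes are, not by what the name claims."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    # HTML/HTA is text; tolerate a UTF-8 BOM and leading whitespace, which a
    # naive "does it start with '<'" check would miss.
    text = data[:4096].lstrip(b"\xef\xbb\xbf").lstrip().lower()
    if text.startswith(b"<") and any(
            t in text for t in (b"<html", b"<script", b"<hta:application", b"<!doctype")):
        return "html-like"
    return "unknown"


def check_download(filename: str, data: bytes) -> list:
    """Return a list of problems; an empty list means the file is as advertised."""
    problems = []
    ext = os.path.splitext(filename)[1].lower()
    kind = sniff(data)
    if ext in HARMFUL_EXTS:
        problems.append(f"blocked extension {ext}")
    if kind == "html-like" and ext in IMAGE_EXTS:
        problems.append("html-like content with image extension")
    elif ext in IMAGE_EXTS and kind != IMAGE_EXTS[ext]:
        problems.append(f"extension {ext} does not match content {kind}")
    return problems


if __name__ == "__main__":
    for name, blob in (("photo.jpg", JPEG_SAMPLE), ("photo.jpg", HTA_SAMPLE), ("photo.hta", HTA_SAMPLE)):
        print(name, sniff(blob), check_download(name, blob))
```

The check is deliberately independent of the Content-Type header and of the name the sending site proposes: both are under the attacker's control in the scenario described, the bytes are not.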
  32. Tomi Engdahl says:

    Russian Hacker Conspiracy Theory is Weak, But the Case For Paper Ballots is Strong
    https://politics.slashdot.org/story/16/11/24/178217/russian-hacker-conspiracy-theory-is-weak-but-the-case-for-paper-ballots-is-strong

    On Wednesday, J. Alex Halderman, the director of the University of Michigan’s Center for Computer Security & Society and a respected voice in computer science and information society, said that the Clinton Campaign should ask for a recount of the vote for the U.S. Presidential election. Later he wrote,

    The Outline, a new publication by a dozen respected journalists, has published a post (on Facebook for now, since their website is still in the works), in which former Motherboard reporter Adrianne Jeffries makes it clear that we still don’t have concrete evidence that the vote was tampered with, but also why the case for paper ballots is still strong.

    The Russian hacker conspiracy theory is weak, but the case for paper ballots is strong.
    https://www.facebook.com/notes/the-outline/the-russian-hacker-conspiracy-theory-is-weak-but-the-case-for-paper-ballots-is-s/708744602609346

    It would be very, very hard for Russia to hack the US vote, as The Outline reported last week, due to the way the US voting system works. However, a respected voice in computer science and information security has given new weight to the push for examining the voting results, hackers or not.
    J. Alex Halderman is the director of the University of Michigan’s Center for Computer Security & Society and the author of an online course on election technology. Halderman has been lobbying the Hillary Clinton campaign behind the scenes to ask for a recount of the vote, as first reported by New York magazine’s Gabriel Sherman. The professor wrote a post on Medium to clarify his views.

    Reply
  33. Tomi Engdahl says:

    Nearly 40% of Americans Would Give Up Sex For Better Online Security, Survey Finds
    https://yro.slashdot.org/story/16/11/23/2338221/nearly-40-of-americans-would-give-up-sex-for-better-online-security-survey-finds

    A recent survey of over 2,000 adults conducted by Harris Poll on behalf of Dashlane, a “leader in online identity and password management,” found that nearly 40 percent of Americans would give up sex for an entire year if it meant they’d never have to worry about being hacked.

    Nearly 40% of Americans Would Give Up Sex for a Year in Exchange for Better Online Security
    http://www.huffingtonpost.com/entry/58360acee4b050dfe6187992?timestamp=1479937849453

    Would you sacrifice sex as a trade for online security? Because 40 percent of Americans said they would do just that.

    According to a recent survey of over 2,000 adults conducted by Harris Poll on behalf of Dashlane, an online password management and identity service, almost 4 in 10 Americans (39% to be exact) would go without making love for one entire year if it meant they’d never have to worry about identity theft, being hacked, or losing an online account ever again.

    Over two-thirds of adults in the United States shop online at least once a month and many others use the internet to bank, pay bills, or conduct other important transactions. And when you consider that 87 percent of U.S. adults use the internet, it makes sense that cyber security is one of the biggest concerns today. But just how far some people would go if it meant they’d never have to deal with identity theft may be surprising to many.

    And sex wasn’t all. 40 percent of people also said they’d give up their favorite food for one month in the name of peace of mind online.

    If all of this sounds drastic, the truth is that it probably is. The single biggest thing people can do to help keep their online identity safe is probably the easiest – a solid password.

    10 years ago, anti-virus was the primary method of online security. But since the Internet has left the desktop and is on laptops, tablets, and cell phones, and since so many people now use the cloud for backing up their sensitive data, following proper password protocol is critical.

    Of course, having a solid password doesn’t do a lot of good if you’re giving it out to people. And nearly 50% of people have shared a password to an e-mail account or to an account like Netflix with a friend or had a friend share theirs.

    A look at the password habits of Americans showed that about 30% have used a pet’s name, almost 25% have used a family member’s name, 21% a birthday, and 10% each have used an anniversary, a sports team, an address, or a phone number.

    [Press Release] A New Study Reveals Extremes People Go To for Online Protection
    https://blog.dashlane.com/study-reveals-extremes-people-go-online-protection/

    Reply
  34. Tomi Engdahl says:

    Delete yourself from the internet by pressing this button
    http://thenextweb.com/apps/2016/11/24/delete-internet/

    The internet can be a beautiful and horrible place at the same time, and it isn’t weird to sometimes feel like you want to leave — there wasn’t an easy way out, until now.

    Swedish developers Wille Dahlbo and Linus Unnebäck created Deseat.me, which offers a way to wipe your entire existence off the internet in a few clicks.

    When logging into the website with a Google account it scans for apps and services you’ve created an account for, and creates a list of them with easy delete links.

    Every account it finds gets paired with an easy delete link pointing to the unsubscribe page for that service. Within a few clicks you’re freed from it, and depending on how long you need to work through the entire list, you can be account-less within the hour.

    https://www.deseat.me/

    Reply
  35. Tomi Engdahl says:

    If You’re Only as Strong as Your Allies, Should You Trust Third-Party Code?
    http://www.securityweek.com/if-youre-only-strong-your-allies-should-you-trust-third-party-code

    Doing business is a highly interactive endeavor and software is increasingly at the heart of those interactions. Agility becomes a key component of staying competitive, so organizations are seeking allies to help them obtain the software they need to stay in the race. Notice I said “obtain” rather than “build” or “code,” because help from one’s allies may come in the form of software components or fully grown application code.

    Allies may bring software to the game, but they also bring risk. The vulnerabilities in your allies’ software now become the vulnerabilities of your organization. This is not a new phenomenon—industries have turned to supply chain partners for a variety of business drivers in all sorts of markets and quickly realized they were inheriting risks from their allies. The growing use of open source components in agile and CI/CD environments has simply pushed the software supply chain and the need to trust your allies center stage.

    So what is the source of these software vulnerabilities? Heinlein’s Razor tells us, “Never attribute to malice that which can be adequately explained by incompetence, but don’t rule out malice.” A study of software vulnerabilities proves Heinlein to be quite prophetic when it comes to assessing the strengths, weaknesses, and potential risks of your allies.

    Got your attention? Good. Now consider your own coding practices. Does your team write bugless code? Have you eliminated the OWASP Top 10 from your software? Your honest answer will be no. So why would you assume that your allies have achieved some form of bug-free coding Nirvana? After all, they are competing against other would-be suppliers in the chain, and are under the same pressures as you. Who has time for security? Suffice it to say you should expect to inherit vulnerabilities from the incompetence of your ally at writing secure code.

    Now that we have covered off incompetence, remember Heinlein warns to never rule out malice.

    The insider threat represents real risk because traditional static and dynamic application security tests (SAST and DAST) that lie at the heart of most software security initiatives won’t find these vulnerabilities. Seasoned security experts can find the malicious constructs through source code analysis, but the majority of the code from your allies comes in binary form and you won’t have access to the source code. There are a limited number of tools that can detect insider threat constructs in binary code (full disclosure, Cigital offers such a tool), but they are not widely deployed. So while open source component analysis is getting all the press, it may be the insider threat that stands to cause the most harm.

    So what is the solution? The best place to start is to establish the policies and processes necessary to ensure that your organization takes the steps to reduce the vulnerabilities introduced by the software supply chain. Create policies around open source usage and the testing of third-party applications. Create guidelines that define the gates necessary for software from the software supply chain to make it into production.

    https://www.owasp.org/index.php/OWASP_Top_Ten_Cheat_Sheet

    Reply
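The column above ends with advice to define the gates that third-party software must pass before production, without showing what such a gate looks like. The following is an added example (not from the SecurityWeek column, Cigital or the original page) of a minimal one for open source components: it parses a requirements-style manifest, requires every component to be pinned to an exact version, and rejects versions covered by an advisory list. The package names, versions and advisory identifiers are constructed for the demonstration; a real gate would pull the advisory data from a vulnerability feed.

```python
"""Added example: a production gate for third-party dependencies. Everything
in ADVISORIES and MANIFEST is hypothetical sample data."""
import re

# Hypothetical advisories: package -> (first fixed version, advisory id).
ADVISORIES = {
    "acme-parser": ("1.4.2", "HYPO-2016-0001"),
    "widget-auth": ("3.0.0", "HYPO-2016-0002"),
}

# Constructed sample manifest in requirements.txt style.
MANIFEST = """\
# constructed sample manifest
acme-parser==1.3.9
widget-auth==3.1.0
log-shipper>=2.0
tls-helper==0.9.1   # trailing comment
"""

REQ_RE = re.compile(
    r"^\s*([A-Za-z0-9_.-]+)\s*(==|>=|~=|>|<=|<)?\s*([0-9][0-9A-Za-z.]*)?\s*(?:#.*)?$")


def version_key(v: str) -> tuple:
    """Dotted numeric compare; a pre-release suffix (1.4.2rc1) sorts below the release."""
    parts = []
    for p in v.split("."):
        m = re.match(r"(\d+)(.*)", p)
        if m:
            parts.append((int(m.group(1)), -1 if m.group(2) else 0))
        else:
            parts.append((0, -1))
    return tuple(parts)


def parse_manifest(text: str) -> list:
    """Return (name, operator, version) triples; unparseable lines keep op/version None."""
    deps = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = REQ_RE.match(line)
        if not m:
            deps.append((line.strip(), None, None))
            continue
        name, op, ver = m.groups()
        deps.append((name.lower(), op, ver))
    return deps


def evaluate_gate(manifest_text: str, advisories: dict = ADVISORIES) -> list:
    """Policy: exact pins only, and no version below an advisory's fixed version."""
    findings = []
    for name, op, ver in parse_manifest(manifest_text):
        if op != "==" or ver is None:
            findings.append(f"{name}: not pinned to an exact version")
            continue
        adv = advisories.get(name)
        if adv and version_key(ver) < version_key(adv[0]):
            findings.append(f"{name}=={ver}: vulnerable, see {adv[1]} (fixed in {adv[0]})")
    return findings


def gate_passes(manifest_text: str, advisories: dict = ADVISORIES) -> bool:
    return not evaluate_gate(manifest_text, advisories)


if __name__ == "__main__":
    for finding in evaluate_gate(MANIFEST):
        print("BLOCK:", finding)
    print("gate passes:", gate_passes(MANIFEST))
```

Pinning is what makes the advisory check meaningful: a range such as `>=2.0` resolves to a different artifact on every build, so nothing the gate approved is what actually ships. Component analysis of this kind addresses the "incompetence" half of the column's argument; the backdoor-in-binary case it raises needs code or binary analysis, which no version check provides.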
  36. Tomi Engdahl says:

    Ransomware: The most profitable malware in history
    http://cisco.ziffdavis.com/ransomware/

    Ransomware is expected to gross cyberthieves $1 billion this year. In fact, just one ransomware program, Cryptowall, is estimated to have generated $325 million from U.S. victims last year alone. And ransomware can have catastrophic consequences. Combat ransomware now or pay the price later.

    For example, ransomware now affects Mac OS, and so-called Ransomware-as-a-Service (RaaS) is spreading. Indeed, anyone can now attack a specific user or organization’s network by paying a professional hacker to do so.

    Reply
  37. Tomi Engdahl says:

    Security Researchers Can Turn Headphones Into Microphones
    https://news.slashdot.org/story/16/11/24/0142232/security-researchers-can-turn-headphones-into-microphones

    As if we don’t already have enough devices that can listen in on our conversations, security researchers at Israel’s Ben Gurion University have created malware that will turn your headphones into microphones that can slyly record your conversations

    The proof-of-concept, called “Speake(a)r,” first turned headphones connected to a PC into microphones and then tested the quality of sound recorded by a microphone vs. headphones on a target PC. In short, the headphones were nearly as good as an unpowered microphone at picking up audio in a room. It essentially “retasks” the RealTek audio codec chip output found in many desktop computers into an input channel. This means you can plug your headphones into a seemingly output-only jack and hackers can still listen in. This isn’t a driver fix, either.

    The researchers have published a video on YouTube demonstrating how this malware works.
    https://www.youtube.com/watch?v=ez3o8aIZCDM

    Security researchers can turn headphones into microphones
    https://techcrunch.com/2016/11/23/security-researchers-can-turn-headphones-into-microphones/

    Security researchers at Israel’s Ben Gurion University have created a proof-of-concept exploit that lets them turn headphones into microphones to secretly record conversations. The PoC, called “Speake(a)r,” first turned headphones connected to a PC into microphones and then tested the quality of sound recorded by a microphone vs. headphones on a target PC. In short, the headphones were nearly as good as an unpowered microphone at picking up audio in a room.

    The hack is fairly ingenious. It essentially “retasks” the RealTek audio codec chip output found in many desktop computers into an input channel. This means you can plug your headphones into a seemingly output-only jack and hackers can still listen in. “Our experiments demonstrate that intelligible audio can be acquired through earphones and can then be transmitted distances up to several meters away,” wrote researcher Mordecai Guri. “In addition, we showed that the same setup achieves channel capacity rates close to 1 Kbps in a wide range of frequencies.”

    “Most of today’s built-in sound cards are to some degree retaskable, which means that they can be used for more than one thing. …the kernel exposes an interface that makes it possible to retask your jacks, but almost no one seems to use it, or even know about it,” wrote Linux sound engineer David Henningsson. That’s exactly the exploit Speake(a)r uses.

    SPEAKE(a)R: Turn Speakers to Microphones for Fun and Profit
    https://arxiv.org/ftp/arxiv/papers/1611/1611.07350.pdf

    Reply
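The retasking the post describes is visible on a Linux host: the HDA driver exposes each codec's pin widgets, including their "Pin Default" role and current "Pin-ctls" word, as text under `/proc/asound/card*/codec#*`. The following is an added example (not from the Speake(a)r paper or the original page) of a detector built on that: it parses the codec dump, flags output jacks (Speaker, HP Out, Line Out) whose pin control has been switched to IN, and diffs pin controls against a saved baseline. The two dumps are constructed in the real file's format; the node numbers and codec name are sample values.

```python
"""Added example: detect an output jack retasked as an input by parsing the
HDA codec dump. BASELINE_DUMP and RETASKED_DUMP are constructed samples in
the /proc/asound/cardN/codec#M format."""
import re

OUTPUT_DEVICES = {"Speaker", "HP Out", "Line Out"}

NODE_RE = re.compile(r"^Node (0x[0-9a-f]+) \[Pin Complex\]")
DEFAULT_RE = re.compile(r"^Pin Default 0x[0-9a-f]+: \[\w+\] (.+?) at ")
CTLS_RE = re.compile(r"^Pin-ctls: 0x[0-9a-f]+:\s*(.*)$")

BASELINE_DUMP = """\
Codec: Realtek ALC887-VD
Address: 0
Node 0x02 [Audio Output] wcaps 0x41d: Stereo Amp-Out
  Amp-Out caps: ofs=0x40, nsteps=0x40, stepsize=0x03, mute=0
Node 0x14 [Pin Complex] wcaps 0x40058d: Stereo Amp-Out
  Pincap 0x00010014: OUT EAPD Detect
  Pin Default 0x99130110: [Fixed] Speaker at Int N/A
  Pin-ctls: 0x40: OUT
Node 0x18 [Pin Complex] wcaps 0x40048b: Stereo Amp-In
  Pincap 0x0000373c: IN OUT HP Detect
  Pin Default 0x01a19030: [Jack] Mic at Ext Rear
  Pin-ctls: 0x24: IN VREF_80
Node 0x1b [Pin Complex] wcaps 0x40058f: Stereo Amp-In Amp-Out
  Pincap 0x0000373c: IN OUT HP Detect
  Pin Default 0x0221401f: [Jack] HP Out at Ext Front
  Pin-ctls: 0xc0: OUT HP
"""
# Same machine after the headphone jack (0x1b) has been retasked to an input.
RETASKED_DUMP = BASELINE_DUMP.replace("Pin-ctls: 0xc0: OUT HP", "Pin-ctls: 0x24: IN VREF_80")


def parse_codec_dump(text: str) -> dict:
    """Return {node_id: {"device": str, "ctls": set}} for every pin widget."""
    pins, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = NODE_RE.match(line)
        if m:
            current = m.group(1)
            pins[current] = {"device": None, "ctls": set()}
            continue
        if raw.startswith("Node "):      # any other widget type ends the pin block
            current = None
            continue
        if current is None:
            continue
        m = DEFAULT_RE.match(line)
        if m:
            pins[current]["device"] = m.group(1)
            continue
        m = CTLS_RE.match(line)
        if m:
            pins[current]["ctls"] = set(m.group(1).split())
    return pins


def find_retasked_jacks(pins: dict) -> list:
    """Output jacks whose pin control now includes IN: Speake(a)r's trick."""
    return sorted(n for n, p in pins.items()
                  if p["device"] in OUTPUT_DEVICES and "IN" in p["ctls"])


def diff_pin_controls(baseline: dict, current: dict) -> list:
    """(node, old ctls, new ctls) for every pin whose control word changed."""
    return [(n, sorted(baseline[n]["ctls"]), sorted(current[n]["ctls"]))
            for n in sorted(baseline)
            if n in current and baseline[n]["ctls"] != current[n]["ctls"]]


if __name__ == "__main__":
    base, cur = parse_codec_dump(BASELINE_DUMP), parse_codec_dump(RETASKED_DUMP)
    print("retasked jacks:", find_retasked_jacks(cur))
    print("pin control changes:", diff_pin_controls(base, cur))
```

On a real host the baseline would be captured at provisioning time and the current dump read from `/proc/asound`; the microphone-role jack (0x18 here) legitimately carries IN, so the device role from "Pin Default" is what separates a real input from a retasked output. As the post notes the change is made below the driver, so this only observes the symptom; it does not prevent it.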
  38. Tomi Engdahl says:

    Android Malware Used To Hack and Steal Tesla Car
    https://it.slashdot.org/story/16/11/25/1139233/android-malware-used-to-hack-and-steal-tesla-car

    By leveraging security flaws in the Tesla Android app, an attacker can steal Tesla cars. The only hard part is tricking Tesla owners into installing an Android app on their phones, which isn’t that difficult according to a demo video from Norwegian firm Promon.

    This malicious app can use many of the freely available Android rooting exploits to take over the user’s phone, steal the OAuth token from the Tesla app and the user’s login credentials.

    Android Malware Used to Hack and Steal a Tesla Car
    http://www.bleepingcomputer.com/news/security/android-malware-used-to-hack-and-steal-a-tesla-car/

    By infecting a Tesla owner’s phone with Android malware, a car thief can hack and then steal a Tesla car, security researchers have revealed this week.

    Previous attempts to hack Tesla cars attacked the vehicle’s on-board software itself. This is how Chinese security researchers from Keen Lab have managed to hack a Tesla Model S last month, allowing an attacker to control a car from 12 miles away.

    Security experts from Norwegian security firm Promon have taken a different approach, and instead of trying complicated attacks on the car’s firmware, they have chosen to go after Tesla’s Android app that many car owners use to interact with their vehicle.

    Reply
  39. Tomi Engdahl says:

    Toronto blockchain security startup hires antivirus pioneer John McAfee as chief security officer (update)
    http://venturebeat.com/2016/11/24/toronto-blockchain-security-startup-hires-antivirus-pioneer-john-mcafee-as-chief-security-officer/

    The epic and unpredictable adventures of John McAfee have taken their most startling turn yet: He’s accepted a job working for someone else.

    Toronto-based Equibit Development Corporation said in a press release today that McAfee has been hired as the company’s chief security officer. In a somewhat unusual arrangement, however, McAfee will be reporting to the board and not the CEO.

    Update November 25 at 2:15 p.m.: Equibit issued a clarification to their previous press release to clarifying that McAfee would be only an adviser to the company’s board and not an actual employee.

    Reply
  40. Tomi Engdahl says:

    XSS game area
    https://xss-game.appspot.com/

    Cross-site scripting (XSS) bugs are one of the most common and dangerous types of vulnerabilities in Web applications. These nasty buggers can allow your enemies to steal or modify user data in your apps and you must learn to dispatch them, pronto!

    At Google, we know very well how important these bugs are.

    In this training program, you will learn to find and exploit XSS bugs. You’ll use this knowledge to confuse and infuriate your adversaries by preventing such bugs from happening in your applications.

    Reply
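The training site linked above has you craft payloads against deliberately broken pages without showing the server-side code that makes them broken. As an added example (not code from the xss-game site or the original page), here is the same comment-rendering routine written first the way XSS creeps in, then hardened with escaping for the HTML body context, plus the attribute-context case where escaping alone is not enough. The payloads and page fragments are constructed for the demonstration.

```python
"""Added example: a vulnerable HTML renderer beside its hardened form. The
payload and templates are constructed sample inputs."""
import html

# Constructed attacker-supplied comment, the kind of input the game has you craft.
PAYLOAD = '<img src=x onerror="alert(document.cookie)">'


def render_comment_vulnerable(comment: str) -> str:
    # String concatenation puts untrusted text straight into the HTML body.
    return "<div class='comment'>" + comment + "</div>"


def render_comment_safe(comment: str) -> str:
    # html.escape turns < > & " ' into entities, so the browser treats the
    # comment as text, not markup.
    return "<div class='comment'>" + html.escape(comment, quote=True) + "</div>"


def render_link_vulnerable(url: str) -> str:
    # Attribute context: entity escaping is correctly applied here and still
    # does not help, because a javascript: URL needs no angle brackets.
    return '<a href="' + html.escape(url, quote=True) + '">profile</a>'


def render_link_safe(url: str) -> str:
    # Allow-list the scheme first, then escape for the attribute context.
    if not url.lower().startswith(("http://", "https://")):
        url = "about:blank"
    return '<a href="' + html.escape(url, quote=True) + '">profile</a>'


def would_execute_payload(rendered: str) -> bool:
    """Demo check: does the output still contain the live <img> tag or a
    javascript: href? (Entity-escaped text such as &lt;img does not count.)"""
    lowered = rendered.lower()
    return "<img" in lowered or 'href="javascript:' in lowered


if __name__ == "__main__":
    print(render_comment_vulnerable(PAYLOAD))
    print(render_comment_safe(PAYLOAD))
    print(render_link_vulnerable("javascript:alert(1)"))
    print(render_link_safe("javascript:alert(1)"))
```

The two link functions are the point of the exercise beyond "escape everything": the right defence depends on where in the page the data lands (body, attribute, URL, script), which is what the game's levels walk through one at a time.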
  41. Tomi Engdahl says:

    Melbourne man arrested for broadcasting fake messages to pilots
    Commercial kit, not hacking, all that’s needed.
    http://www.theregister.co.uk/2016/11/24/melbourne_man_arrested_for_broadcasting_fake_messages_to_pilots/

    Melbourne man Paul Sant has been charged with unauthorised broadcasting to pilots over radio bands restricted to aviation users, causing one plane to abort a landing at Tullamarine Airport.

    Sant, 19, is alleged to have placed 16 separate transmissions to pilots at Tullamarine and Avalon airports between 5 September and 3 November.

    He faces a maximum of 20 years in jail.

    Aviation transmission gear capable of communicating with pilots can be bought online for around AU$200.

    Enthusiasts regularly tune into the broadcasts which are sent unencrypted meaning no hacking is required to make transmissions.

    Reply
  42. Tomi Engdahl says:

    The UK wants to ban citizens from accessing websites that feature “non-conventional” porn
    The UK also wants more stringent age verification checks for porn sites
    http://www.techspot.com/news/67168-uk-wants-ban-citizens-accessing-websites-feature-non.html

    Not content with introducing the most extreme surveillance law ever passed in a democracy, the UK government also feels its citizens need to be protected from the horrors of online pornography. As such, it plans to ban websites that display “non-conventional” sex acts.

    The proposal, which is part of the digital economy bill, would see the same UK pornography restrictions that are in place for adult DVDs and video-on-demand services applied to online content.

    ISPs would be forced to block sites featuring material that would not be certified for commercial sale by the British Board of Film Classification (BBFC) – the UK’s version of MPAA.

    Basically, porn sites would need to block about half of their content from UK audiences in order to comply.

    Additionally, even those sites that host so-called conventional adult material could suffer under the bill, as they will be forced to verify British users’ ages before allowing them access. The age checks could be carried out using credit cards – because nobody would have any issues with typing their Visa number into a porn site, obviously.

    The Digital Economy Bill could be amended before it becomes law but, unless the government pays attention to the numerous anti-censorship protesters, completely legal adult content could soon be banned.

    Reply
  43. Tomi Engdahl says:

    Ransomware Compromises San Francisco’s Mass Transit System
    https://news.slashdot.org/story/16/11/27/1819205/ransomware-compromises-san-franciscos-mass-transit-system

    Buses and light rail cars make San Francisco’s “Muni” fleet the seventh largest mass transit system in America. But yesterday its arrival-time screens just displayed the message “You Hacked, ALL Data Encrypted” — and all the rides were free, according to a local CBS report shared by RAYinNYC

    ‘You Hacked,’ Cyber Attackers Crash Muni Computer System Across SF
    http://sanfrancisco.cbslocal.com/2016/11/26/you-hacked-cyber-attackers-crash-muni-computer-system-across-sf/

    That was the message on San Francisco Muni station computer screens across the city, giving passengers free rides all day on Saturday.

    Inside sources say the system has been hacked for days.

    SFMTA has officially confirmed the hack, but says it has not affected any service.

    A spokesperson with the transit agency tells KPIX 5 it is an ongoing investigation.

    “There’s no impact to the transit service, but we have opened the fare gates as a precaution to minimize customer impact,” said Muni spokesperson Paul Rose. “Because this is an ongoing investigation it would not be appropriate to provide additional details at this point.”

    “I was like, is this part of Black Friday deal, or something?”

    Reply
  44. Tomi Engdahl says:

    Grand App Auto: Tesla smartphone hack can track, locate, unlock, and start cars
    Musk’s lot better get on this
    http://www.theregister.co.uk/2016/11/25/tesla_car_app_hack_enables_car_theft/

    A smartphone app flaw has left Tesla vehicles vulnerable to being tracked, located, unlocked, and stolen.

    Security experts at Norwegian app security firm Promon were able to take full control of a Tesla vehicle, including finding where the car is parked, opening the door and enabling its keyless driving functionality. A lack of security in the Tesla smartphone app opened the door to all manner of exploits, as explained in a blog post here. The cyber-attack unearthed by Promon provides additional functionality to that exposed by Keen Security Labs in a different hack in late September.

    Tom Lysemose Hansen, founder and CTO at Promon, said: “Keen Security Labs’ recent research exploited flaws in the CAN bus systems of Tesla vehicles, enabling them to take control of a limited number of functions of the car. Our test is the first one to use the Tesla app as an entry point, and goes a step further by showing that a compromised app can lead directly to the theft of a car.”

    Reply
  45. Tomi Engdahl says:

    Trump Tower briefly identified as ‘Dump Tower’ on Google Maps
    http://www.digitaltrends.com/web/dump-tower-google-maps/

    Google may have disabled Map Maker earlier this year to stop the public at large from trolling Google Maps, but apparently, where there’s a will, there’s a way. On Saturday, November 26, someone succeeded in changing the name of Trump Tower to “Dump Tower” on Google Maps, because trolls will always be trolls.

    Of course, the vigilant Google Maps team soon corrected the spelling to its original version,

    While the team managed to put out this first fire, another quickly arose to take its place (as is often the case on the internet), and later in the day on Saturday, Trump International Hotel & Tower in Columbus Circle was renamed Dump International Hotel & Tower.

    It is still unclear who was behind the name-changing prank

    Reply
  46. Tomi Engdahl says:

    48 Organizations Now Have Access To Every Brit’s Browsing History
    https://news.slashdot.org/story/16/11/28/0430248/48-organizations-now-have-access-to-every-brits-browsing-hstory

    For those who missed our original reports, here is the new law in a nutshell: it requires telecom companies to keep records of all users’ web activity for a year, creating databases of personal information that the firms worry could be vulnerable to leaks and hackers. Civil liberties groups say the law establishes mass surveillance of British citizens

    These Are The 48 Organizations That Now Have Access To Every Brit’s Browsing History
    http://www.zerohedge.com/news/2016-11-26/these-are-48-organizations-now-have-access-every-brits-browsing-history

    Reply
  47. Tomi Engdahl says:

    Backdoored Phishing Templates Advertised on YouTube
    http://www.securityweek.com/backdoored-phishing-templates-advertised-youtube

    Scammers are abusing YouTube as a new way to promote backdoored phishing templates and provide potential buyers with information on how to use the nefarious software, Proofpoint researchers warn.

    Because cybercrime is a business, crooks are constantly searching for new means to advertise their products to increase gains. For some, YouTube seemed like a good selling venue, and they decided to promote their kits on this legitimate website.

    A search for “paypal scama” returns over 114,000 results, but buyers are in for a surprise, Proofpoint reveals. To be more precise, while the kits work as advertised, they also include a backdoor that automatically sends the phished information back to the author.

    Reply
  48. Tomi Engdahl says:

    Microsoft Azure Flaws Exposed RHEL Instances
    http://www.securityweek.com/microsoft-azure-flaws-exposed-rhel-instances

    Vulnerabilities in Microsoft’s Azure cloud platform could have been exploited by attackers to gain administrator access to Red Hat Enterprise Linux (RHEL) instances and storage accounts, according to a software engineer.

    Azure and Amazon Web Services (AWS) rely on the Red Hat Update Infrastructure (RHUI) to manage yum repository content for RHEL instances. Red Hat Update Appliances, which contact the Red Hat Network to fetch new and updated packages, have been created by Microsoft and Amazon for each region.

    Reply
  49. Tomi Engdahl says:

    U.S. Navy Warns 130,000 Sailors of Data Breach
    http://www.securityweek.com/us-navy-warns-130000-sailors-data-breach

    The U.S. Navy has launched an investigation into a data breach involving the personal information of more than 130,000 current and former sailors.

    The organization was informed by Hewlett Packard Enterprise Services on October 27 that the laptop of an employee supporting a Navy contract had been “compromised.” An investigation revealed that the device contained the personal details, including names and social security numbers (SSNs), of 134,386 current and former sailors.

    Reply
  50. Tomi Engdahl says:

    Researchers Hijack Tesla Car by Hacking Mobile App
    http://www.securityweek.com/researchers-hijack-tesla-car-hacking-mobile-app

    Researchers at Norway-based security firm Promon have demonstrated how thieves with the necessary hacking skills can track and steal Tesla vehicles through the carmaker’s Android application.

    In a video released this week, experts showed how they could obtain the targeted user’s credentials and leverage the information to track the vehicle and drive it away. There are several conditions that need to be met for this attack and the victim must be tricked into installing a malicious app on their mobile phone, but the researchers believe their scenario is plausible.

    According to Promon, the Tesla mobile app uses HTTP requests and an OAuth token to communicate with the Tesla server. The token is valid for 90 days and it allows users to authenticate without having to enter their username and password every time they launch the app.

    Tesla cars can be stolen by hacking the app
    https://promon.co/blog/tesla-cars-can-be-stolen-by-hacking-the-app/

    Reply
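Comments 38, 44 and 50 above describe the same finding: the phone app talks to the server with a long-lived (90-day) OAuth token, so malware that can read the app's storage walks away with everything needed to track and unlock the car. What follows is an added example, not Tesla's API, Promon's code or anything from the original page, illustrating in generic terms why a bearer token on a phone is a single point of failure and one standard mitigation: binding the token to a per-device key, so that the token alone (the part phone malware copies) no longer authorises a request. The server, endpoints and message format are hypothetical; in a real app the device key would be generated in the platform keystore rather than in app storage.

```python
"""Added example: bearer token versus proof-of-possession token. CarApiServer,
its endpoints and the signed message layout are hypothetical."""
import hashlib
import hmac
import secrets
import time


def sign_request(key: bytes, token: str, device_id: str, ts: int, nonce: str, action: str) -> str:
    """Client side: HMAC over the request fields with the device-bound key."""
    msg = f"{token}|{device_id}|{ts}|{nonce}|{action}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class CarApiServer:
    def __init__(self):
        self.tokens = {}        # token -> user (long-lived, like the 90-day token)
        self.device_keys = {}   # (user, device_id) -> key enrolled at login
        self.seen_nonces = set()

    def login(self, user: str, device_id: str):
        token = secrets.token_hex(16)
        key = secrets.token_bytes(32)
        self.tokens[token] = user
        self.device_keys[(user, device_id)] = key
        return token, key

    def bearer_request(self, token: str, action: str) -> str:
        # Bearer model: whoever presents the token is the user.
        user = self.tokens.get(token)
        return f"{action} ok for {user}" if user else "rejected: unknown token"

    def pop_request(self, token, device_id, ts, nonce, sig, action, now=None) -> str:
        # Proof-of-possession model: the request must also be signed with the
        # enrolled device key, be fresh, and not be a replay.
        now = time.time() if now is None else now
        user = self.tokens.get(token)
        key = self.device_keys.get((user, device_id)) if user else None
        if key is None:
            return "rejected: unknown token or device"
        if abs(now - ts) > 60:
            return "rejected: stale timestamp"
        if nonce in self.seen_nonces:
            return "rejected: replayed nonce"
        if not hmac.compare_digest(sign_request(key, token, device_id, ts, nonce, action), sig):
            return "rejected: bad signature"
        self.seen_nonces.add(nonce)
        return f"{action} ok for {user}"


def client_call(server, key, token, device_id, action, now, nonce=None) -> str:
    nonce = nonce or secrets.token_hex(8)
    ts = int(now)
    sig = sign_request(key, token, device_id, ts, nonce, action)
    return server.pop_request(token, device_id, ts, nonce, sig, action, now=now)


def scenario() -> dict:
    """Walk the theft scenario through both models and return the outcomes."""
    server = CarApiServer()
    token, key = server.login("owner", "phone-A")
    now = 1_480_000_000
    # Malware copies the token and can read the device id, but a keystore-held
    # key is not readable, so the thief must guess one.
    stolen_token, stolen_device, wrong_key = token, "phone-A", secrets.token_bytes(32)
    results = {
        "bearer_owner": server.bearer_request(token, "unlock"),
        "bearer_thief": server.bearer_request(stolen_token, "unlock"),
        "pop_owner": client_call(server, key, token, "phone-A", "unlock", now),
        "pop_thief": client_call(server, wrong_key, stolen_token, stolen_device, "unlock", now),
        "pop_thief_new_device": client_call(server, wrong_key, stolen_token, "phone-B", "unlock", now),
    }
    # A captured, correctly signed request resent verbatim is caught by the nonce log.
    results["pop_first"] = client_call(server, key, token, "phone-A", "start", now, nonce="n1")
    results["pop_replay"] = client_call(server, key, token, "phone-A", "start", now, nonce="n1")
    return results


if __name__ == "__main__":
    for name, outcome in scenario().items():
        print(f"{name:22} {outcome}")
```

The bearer outcome is the one the researchers demonstrated: the stolen token works from any device. Under the bound-token model the thief still needs the device key, and a device rooted by the malware described could in principle also use the keystore from the compromised phone, which is why binding the key to hardware and requiring user presence (PIN or biometric) for car-control actions matters as much as the token format.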
