Security trends for 2016

Here are my predictions for trends in information security and cyber security for year 2016.

Year 2015 was pretty bad for information security, and I would say that the trend is worrying. So I expect that 2016 will bring many information security challenges. If you want to keep yourself up at night, spend some time reading about the latest developments in cybersecurity. In 2015 airplanes were hacked, cars were hacked, and vulnerabilities were found in a breathtaking range of sensitive equipment, from TSA locks to voting booths to medical devices. The big picture is even scarier: former NSA Director Mike McConnell suspects China has hacked “every major corporation” in the US. Those problems will continue in 2016, and new targets for attacks will be found. The system is broken. It isn’t keeping us, our companies, or our government safe. Worse yet, no one seems to know how to fix it.

Attacks through networks are becoming more common all the time, and it will be hard to protect against targeted attacks. Attackers will not only customize malware, but they will increasingly use sophisticated phishing and social engineering tricks to gain access to sensitive data. They usually cover their tracks carefully, so identifying who is behind an attack can be very difficult. Behind targeted attacks there are usually professional criminals. Criminals do not respect geographical borders, so attacks are spread all over the world. Companies will struggle to absorb the security threats of combined PC and mobile device fleets in 2016.

 


EU information security decisions made in late 2015 will have an impact on what comes in 2016: the new EU data protection legislation package was approved, and the EU Court of Justice ruled that the Safe Harbor arrangement is invalid. This means that transfers of personal data from EU countries to the United States under Safe Harbor are no longer lawful; you need some other legal basis for such transfers. The situation will probably get clarified during 2016. The data protection legislation changes will lead to increased fines for the unprepared. Legal uncertainty and big fines are a toxic cocktail for some companies. The combination of stiff penalties and ambiguously worded provisions in the new EU-wide data protection law, which will replace a patchwork of 28 national laws, raises daunting prospects for companies operating in Europe.

After the huge number of user information leaks in 2015 from all kinds of Internet services, cloud companies will face a challenge in gaining trust in their security. You might have just dared to trust “the right cloud services,” since from the traditional information security point of view the main things seem to be okay, but the leaks have raised privacy concerns that the traditional view does not cover.

New environments will bring new threats. New operating system versions mean that administrators and users are less familiar with the environments. IPv6 will get more widely used, and the security of IPv6 networks is different from IPv4: many hosts have IPv6 enabled by default, so a network that only filters and monitors IPv4 has an unwatched parallel path, and address-based practices such as scanning and filtering work differently. Organizations are moving to virtualized environments, which are complex and create network layers that can become an attack vector. Growing network virtualization functionality and programmability are both an opportunity and a threat to security. Cyber security research will be important in 2016, as 5G networks will become critical infrastructure on top of which, for example, transport, industry, health care and new operators will set up their business around 2020.

The huge amount of information security information is becoming harder and harder to manage in 2016. A key problem with security revelations, as with all other news coverage, is the exponential growth of knowledge. There are a variety of news summaries produced on a daily basis, but they are not enough to get a good picture of what is happening. There are bigger and smaller news items, and their impact is at times very difficult to assess. SMBs will become a bigger target for cybercriminals. Network and security professionals continue to be among the toughest IT talent to find and hire.

The old way of network security, focused on perimeter defense, is not enough in 2016. The old mantras “encrypt everything” and “secure the perimeter” are not enough. One deceptive truth seems to drive much of the cybersecurity industry down a rabbit hole: if you keep bad actors and bad software out of your system, you have nothing to worry about. It does not work like that anymore. As perimeter security gets stronger, malicious actors look for easier entry points to compromise an organisation through the breadth of its digital attack surface. Now malicious actors target “endpoints”, any device or sensor connected to a network, to break into that network. Traditional sandboxing will no longer protect against the growing malware landscape. Today, most private networks have far too many endpoints to properly secure. In an age of “Bring Your Own Device”, the cloud, remote access, and the Internet of Things, there are too many vulnerabilities hackers can exploit. Keep in mind that everything connected to the Internet can, and will, be hacked. To address those threats in 2016, security experts should assume compromise, that is, that hackers and malware already have breached their defenses or soon will, and instead classify and mitigate threats. In addition to the lock-and-key system of public key infrastructure, you will also need an integrity solution that acts like an alarm: a known-good baseline of what your systems and data should look like, and a check that tells you when they no longer match it. To protect against advanced threats, security professionals will increase their reliance on centralized security management solutions. You need to have prioritization and response plans for various kinds of breaches, with a strong focus on integrity.

Tension between law enforcement and Silicon Valley will continue to be strong throughout 2016. In 2015 law enforcement and politicians on both sides of the Atlantic lined up to repeatedly complain that the web was “going dark” as the result of end-to-end encryption and that this was hampering the investigation of terrorism and other serious crimes. Technologists and cryptographers argue that governments are trying to weaken encryption by demanding some form of privileged access for government. It’s not clear how much encryption the NSA can break. With renewed focus on how encrypted messages can be used to plot terrorist attacks, President Barack Obama’s administration is stepping up pressure on the tech sector to help in the battle. Privacy remains a major counter-argument. It seems that governments lie about encryption backdoors. Encryption systems weakened by mandated backdoors would not be effective in fighting the terrorists that governments invoke as their reason for wanting those backdoors in the first place.

But this does not stop some government officials from demanding such a thing, with varying success in different countries. Another fact is that the existence of coded communications is a reality, and the U.S. may not be able to do much about it because nearly everyone living in modern society uses it: encryption protects your bank information, prevents your password from being stolen when you log into a website, and allows all e-commerce transactions to take place securely. Encryption weakened by mandated backdoors would put all of us at enormous risk of exposure from data breaches and associated online risks. The truth in 2016 is that any form of privileged access for government, i.e. a backdoor, would inevitably weaken crypto-systems and make them more vulnerable to attacks by foreign governments’ intelligence agencies as well as criminals. Juniper’s VPN security hole is proof that government backdoors are bonkers: a backdoor built into a product is a backdoor for whoever finds it, not only for the party that asked for it. Encryption backdoors would be a gleeful win-win for terrorists and a horrific lose-lose for you, the bad guys having strong protections for their data, and the rest of us not. Poorly thought-out and crude surveillance techniques can have a devastating effect on a country’s Internet security. For example, Kazakhstan will force its citizens to install Internet backdoors by requiring all Internet users to install a state-issued root certificate by January 1, 2016; once that root is trusted by a browser, certificates issued under it are accepted for any site, which lets the state intercept and read TLS traffic in transit.

Google, Mozilla and Microsoft are pushing for an early SHA-1 cutoff that could happen in 2016 instead of the originally planned January 1, 2017. Recent research has shown that SHA-1 is weaker than previously believed: a freestart collision against the full hash function was published in late 2015, and the estimated cost of producing a real collision has dropped to a level a well-funded attacker can afford, so the deadlines are being pulled forward to stay ahead of it. Mozilla, Microsoft and now Google are all considering bringing the deadline forward by six months, to July 1, 2016. SHA-2 is going to be used as the replacement for SHA-1. Websites like Facebook and those protected by CloudFlare have implemented a SHA-1 fallback mechanism for old clients that do not support SHA-2 certificates. Chrome will start displaying errors for SHA-1 certificates in early 2016 and will completely stop supporting them at the end of 2016. Check the signature algorithm of your own leaf and intermediate certificates now; the self-signature on a trusted root is not verified by browsers, so a SHA-1 root by itself is not the problem.

The use of blockchain technology, a permissionless distributed database based on the bitcoin protocol that runs across a global network of independent computers, will spread wider than just the Bitcoin virtual currency. With bitcoin, the blockchain tracks the exchange of money. But it can also track the exchange of anything else that holds value, including stocks, bonds, and other financial securities. Overstock has already used the blockchain to issue private bonds. The Securities and Exchange Commission has approved a plan from online retailer Overstock.com to issue company stock via the Internet, signaling a significant shift in the way financial securities will be distributed and traded in the years to come. Overstock built its technology under the aegis of a subsidiary called TØ.com, and it plans to offer this “cryptosecurity” tech as a service to other businesses. Nasdaq OMX, the company behind the Nasdaq stock exchange, is using the blockchain to oversee the exchange of private stock. Also, several major companies from across both the technology and financial industries, including IBM, Intel, and Cisco as well as the London Stock Exchange Group and big-name banks JP Morgan, Wells Fargo, and State Street, have joined forces with the Linux Foundation to create an alternative to the bitcoin blockchain.

The use of disk encryption will increase, and there are different ways to do it with different security levels. With Windows 10, Microsoft has introduced device encryption whose recovery keys are uploaded to the user’s Microsoft account. This approach has some advantages and disadvantages. The gold standard in disk encryption is end-to-end encryption, where only you can unlock your disk. This is what most companies use, and it seems to work well. It protects data in case your device is lost or stolen. But what if you forget or lose your key? There are certainly cases where it’s helpful to have a backup of your key or password, so keeping a backup of your recovery key in your Microsoft account could be genuinely useful for probably the majority of users who don’t have high security needs. The disadvantage of this approach is that your computer is now only as secure as that database of keys held by Microsoft, which means it may be vulnerable to hackers, foreign governments, and people who can extort Microsoft employees. If you do not want your key there, deleting it from the account is not enough on its own, because a copy may already have been made; generate a new recovery key afterwards so that the deleted one no longer unlocks the disk.


Weak and leaked passwords are still a huge security problem in 2016. Passwords are often the weakest part of securing users’ accounts, as many don’t use complex passwords or they reuse the same password across services. Two-factor authentication, such as using a USB stick with a secret token, or entering a code generated by an authenticator app or sent to your phone via text message, can help to increase security, but many users also find it a hassle as it introduces an additional step to the login process. Of those options, a code sent over SMS is the weakest, since it can be read or redirected by whoever gets control of the phone number, but it is still far better than a password alone.
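As an added example (my code, not from the original post), here is what the authenticator-app variant of that second factor looks like on the verifying side: HOTP (RFC 4226) and TOTP (RFC 6238) built from the Python standard library and checked against the RFC test vectors, plus the two things a server must get right that the RFCs only describe in prose: a small clock-skew window and rejection of a code that has already been accepted. The secret is the RFC test key; no other names or parameters are assumed.

```python
"""HOTP/TOTP from the standard library, with the replay check a verifier needs.

Added example, not code from the original post. RFC_KEY is the RFC 4226 /
RFC 6238 SHA-1 test secret, so the printed values can be checked against
the RFC test vector tables.
"""
import hashlib
import hmac
import struct
import time
from typing import Optional

RFC_KEY = b"12345678901234567890"  # RFC test secret, not a real credential


def hotp(key: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the big-endian 8-byte counter, dynamic truncation,
    then the low `digits` decimal digits, zero-padded."""
    mac = hmac.new(key, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter taken from Unix time in `step`-second slices."""
    return hotp(key, at // step, digits)


class TotpVerifier:
    """Server-side check: constant-time compare, a +/-window of time steps for
    clock skew, and refusal of any time step at or below the last one consumed,
    so the same code cannot be replayed inside the window."""

    def __init__(self, key: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.key = key
        self.step = step
        self.digits = digits
        self.window = window
        self.last_counter = -1  # highest time step already used for a successful login

    def check(self, code: str, at: Optional[int] = None) -> bool:
        now = int(time.time()) if at is None else at
        base = now // self.step
        for delta in range(-self.window, self.window + 1):
            counter = base + delta
            if counter <= self.last_counter:
                continue  # this step (or an older one) was already consumed
            expected = hotp(self.key, counter, self.digits)
            if hmac.compare_digest(expected, code):
                self.last_counter = counter
                return True
        return False


def replay_demo(key: bytes = RFC_KEY) -> tuple:
    """Walk one verifier through: fresh code, replay, late replay, next step,
    and a code presented far outside the window."""
    v = TotpVerifier(key)
    first = totp(key, 59)  # time step 1, code 287082 for the RFC key
    return (
        v.check(first, at=59),                    # True: fresh code in its own step
        v.check(first, at=59),                    # False: same code again
        v.check(first, at=89),                    # False: still within skew, but consumed
        v.check(totp(key, 89), at=89),            # True: next time step
        TotpVerifier(key).check(first, at=120),   # False: step 1 is outside 3..5
    )


if __name__ == "__main__":
    print(hotp(RFC_KEY, 1))                  # 287082 (RFC 4226 table, count 1)
    print(totp(RFC_KEY, 59, digits=8))       # 94287082 (RFC 6238 table, T=59)
    print(replay_demo())                     # (True, False, False, True, False)
```

Store the per-user secret with the same care as a password hash is not enough: it must be recoverable in clear to compute the HMAC, so keep it encrypted at rest and never log it. The window of one step each side is the usual compromise between phone clock drift and the attacker's guessing budget; widen it only with a rate limit in front.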

Google has begun testing a login system that uses phone notifications for authentication instead of passwords: users authenticate by responding to a notification sent to their smartphone. The idea is similar to Yahoo’s recently launched “Account Key”, which also offers a password-free means of signing in involving a push notification sent to your phone that then opens an app where you approve the login.

The smartphone will become a more and more security-critical part of your life. “Increasingly, individuals and organisations are adopting password managers and multi-factor authentication technologies to plug some of the holes in password-based authentication. We foresee a world where practically everyone uses their smartphone as a multi-factor authentication element. In this world, the smartphone becomes your most valuable asset: something that enables you to unlock your life online and a target for attackers seeking to access your services.”

Expect that the number of mobile vulnerabilities will only grow in 2016. In 2016 we will see increasing numbers of cyber criminals using mobile applications to spread malware. Mobile presents an easy target for cyber criminals, because it is an attack surface that is open and extremely difficult to defend once an app has been released. Android threats will become more than just headline-grabbers. Will 2016 be the year iOS malware goes mainstream?


Critical infrastructures will be highly targeted in 2016. SCADA and ICS networks were not designed for security. Attacks against these systems have increased in recent years, and I expect this trend to only get worse. There are still many companies that run their critical systems on Windows XP, as “there are some people who don’t have an option to change.” Many times the OS is running in automation and process control systems that run business- and mission-critical systems, both in private sector and government enterprises. For example, the US Navy is using the obsolete operating system Microsoft Windows XP to run critical tasks. It all comes down to money and resources, but if someone is obliged to keep something running on an obsolete system, it is completely the wrong approach to information security. If such a system really cannot be replaced, at least keep it off the Internet, segment it from the office network, allow only the few connections the process needs, and monitor those, since the OS itself will not be getting fixes.

Cars were hacked at a record rate in 2015, and they will be hacked at least at the same rate in 2016. Modern cars feature more gadgetry and connected systems, and this will make vehicles just as vulnerable to today’s threats and attacks as any other networked computer. I Am The Cavalry has published a five-star Cyber Safety Framework to mitigate this threat in cars; hopefully car component makers study it.

IoT and smart devices are still at risk. The Internet of Things will continue to emerge, and businesses will need to think about how to protect their smart devices and prepare for the wider adoption of IoT. IoT platforms are not yet the weapon of choice for commercial malware authors, but businesses beware. Wearables won’t be safe either, as they are built using largely the same, too often vulnerable, technologies as other IoT systems. IoT security is still in its infancy in 2016.

Cyber criminals became more active in 2015, particularly with ransomware, and the ransomware problem will continue to be big in 2016. Commercial malware authors will continue to invest heavily, and exploit kits will continue to dominate on the web. Ransomware today is big business. Ransomware takes control of a computer and holds its data hostage until the victim pays, usually in the digital currency Bitcoin. As a remedy against ransomware I recommend making sure that IT support or your service provider has the data backup and restore procedure operational, practiced and tested. You may need it in 2016 to get your data back without having to consider paying criminals. Make sure the backup is not writable from the machines it protects, because ransomware also encrypts mapped network drives and attached backup disks, and test an actual restore from it, not just that the backup job ran. To date ransomware has hit Windows users hardest, although Android and MacOS users are now also facing similar extortion.
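The two controls recommended in this post, the integrity alarm from the perimeter section (a known-good baseline and a check against it) and the tested backup restore recommended here against ransomware, share one building block: a hash of every file you care about. The following is an added example of my own, not code from the original post. It builds a small constructed directory, takes a SHA-256 baseline, backs it up, simulates a ransomware run that overwrites a document and drops a note, and then shows the baseline diff raising the alarm and a restore from the archive verifying clean against the same baseline. File names, contents and the archive name are made up; in a real deployment the baseline and the archive must live where the protected host cannot modify them.

```python
"""Integrity alarm plus backup restore test on a constructed directory tree.

Added example, not code from the original post. Everything under demo() is
made up: the files, the ransom note, and the archive name.
"""
import hashlib
import os
import tarfile
import tempfile
from pathlib import Path


def file_sha256(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root) -> dict:
    """Map relative POSIX path -> SHA-256 for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): file_sha256(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """The alarm: anything added, removed or changed since the baseline was taken."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


def make_backup(root, archive) -> None:
    """Write a gzip tarball of every file in the tree. In production the archive
    must land somewhere the protected host cannot overwrite or delete."""
    root = Path(root)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in snapshot(root):
            tar.add(root / rel, arcname=rel)


def restore_and_verify(archive, baseline: dict) -> dict:
    """Restore into a scratch directory and diff against the baseline; an empty
    diff means the backup really does bring the data back, which is the test
    most organisations skip."""
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            try:
                tar.extractall(scratch, filter="data")  # safe-extraction filter, Python 3.12+ and backports
            except TypeError:
                tar.extractall(scratch)  # older interpreters have no filter argument
        return diff_snapshots(baseline, snapshot(scratch))


def demo() -> dict:
    """Baseline, back up, simulate ransomware, raise the alarm, verify the restore."""
    with tempfile.TemporaryDirectory() as work:
        data = Path(work) / "data"
        (data / "docs").mkdir(parents=True)
        (data / "docs" / "report.txt").write_text("quarterly figures (constructed)\n")
        (data / "config.ini").write_text("[db]\nhost=localhost\n")

        baseline = snapshot(data)
        archive = Path(work) / "data-backup.tar.gz"
        make_backup(data, archive)

        # Simulated ransomware: overwrite a document with random bytes, drop a note.
        (data / "docs" / "report.txt").write_bytes(os.urandom(64))
        (data / "README_DECRYPT.txt").write_text("pay 1 BTC (constructed ransom note)\n")

        return {
            "alarm": diff_snapshots(baseline, snapshot(data)),
            "restore": restore_and_verify(archive, baseline),
        }


if __name__ == "__main__":
    result = demo()
    print("alarm:", result["alarm"])      # added README_DECRYPT.txt, modified docs/report.txt
    print("restore:", result["restore"])  # all three lists empty
```

The same diff that detects the ransomware run is the one that proves the restore: if the restored tree does not match the baseline, the backup was not worth having, and you want to learn that in a drill rather than during an incident.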

Ransomware will continue to dominate in 2016, and it is only a question of time before we see things beyond data being ransomed. We have already seen websites being held to ransom with DDoS. Intel’s McAfee Labs also noted a huge spike in ransomware in early 2015, and worries about ransomware in the IoT space, including medical devices. And Kaspersky predicts the “nightmare of ransomware” to continue and “spread to new frontiers” in 2016. The article Ransomware Is Coming to Medical Devices tells that according to a report released recently by Forrester Research, the number one cybersecurity prediction for 2016 is: “We’ll see ransomware for a medical device or wearable.” “It’s definitely feasible from a technical standpoint.” Networked medical devices save lives. Despite the hacking risk, it’s an informed trade-off. Medical device ransomware would be a modern form of highway robbery with lives at stake.

2,232 Comments

  1. Tomi Engdahl says:

    Securing a wireless application
    http://www.controleng.com/single-article/securing-a-wireless-application/3b6559f5017e8773396d0cba486163e7.html

    Industrial wireless applications are being used by leading manufacturers and operators to improve availability and reduce costs, and there are plenty of protection techniques such as defense-in-depth to keep a network from being compromised by a security breach.

    Industrial wireless applications are seeing more and more action by leading manufacturers and operators to improve availability and reduce costs. In theory, that sounds great, but it is worth considering how difficult it is to make sure these industrial networks are secure before using them in a facility.

    The good news is the best practices, technologies, and products currently available make implementing wireless applications securely straightforward for engineering teams. Wireless applications are no different than wired applications when it comes to an essential industrial control system (ICS) security best practice: defense-in-depth (DiD). DiD is a holistic approach built on three core concepts:

    1. Multiple layers of defense: A variety of security solutions end up used so if an attacker bypasses one area, another can provide the needed defense.
    2. Differentiated layers of defense: Each security layer is slightly different so an attacker can't automatically get through all layers of defense.
    3. Threat-specific layers of defense: Each defense is for the specific context and threat, allowing protection based on the behavior and context of the systems using these protocols.

    Whether a threat is an accidental internal incident or a deliberate external attack, a DiD approach will detect, isolate, and control it.

    A challenge with WLAN transmission paths is they can broadcast outside a company’s property boundaries. Thus attackers don't need direct, physical access to an industrial network in order to interfere with its operation and capture critical and confidential information.

    Industry cooperation has led to standards such as IEEE 802.11i/WPA2 that protect the confidentiality and integrity of wireless data. All current products on the market must comply with these standards, ensuring control system communications are authentic, and attackers cannot extract sensitive data.

    In regard to WPA2, be sure to implement its Enterprise mode for strong device authentication.

    Protected management frames (PMF) are useful because they are designed to protect against forgery by extending the mechanism for authentication and encryption present in WPA2 to management frames.

    Even the most effective WLAN encryption doesn’t offer protection when a security incident originates inside the network. But, by selectively limiting communication to only what is required to run the industrial application, additional barriers are established that are designed to limit the impact of internal attacks.

    This type of limitation is another defense-in-depth mechanism that considerably increases the all-around security of a network. Other strategies for limiting communication within the network include:

    Protect WLAN data by implementing a configurable Layer 2 firewall at the Ethernet level. To do this you need to make sure you are using Access Points with a built-in Layer 2 firewall. The best ones can filter routed and bridged traffic as well as packet-filter traffic between WLAN clients.
    Apply stateful deep-packet inspection (DPI) to secure protocols. After the Layer 2 firewall rules are applied, the DPI firewall inspects the content of the contained messages and applies more detailed rules. For example, a Modbus DPI firewall can determine if the Modbus message is a read or a write message and then drop all write messages. Good DPI firewalls can also “sanity check” traffic for strangely formatted messages or unusual behaviors.

    Reply
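The Modbus DPI rule described in the comment above (inspect the function code, drop writes, sanity-check the frame) as an added example of my own, not code from Control Engineering or from any vendor product. It parses the Modbus/TCP MBAP header, refuses frames whose length field does not match what was actually received, caps read quantities at the protocol maximum, and permits write function codes only from an allow-listed engineering station. The frames and addresses are constructed samples.

```python
"""Modbus/TCP deep-packet-inspection filter: read-only by default, writes only
from an allow-list, malformed frames dropped.

Added example, not from the article or any vendor product. SAMPLE_TRAFFIC is
constructed, not captured; the 10.0.5.x addresses are made up.
"""
import struct
from typing import NamedTuple

MBAP = struct.Struct(">HHHB")  # transaction id, protocol id (0 = Modbus), length, unit id

# Function codes that only read process data.
READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}
# Function codes that change outputs, registers or device state.
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers",
                   22: "Mask Write Register", 23: "Read/Write Multiple Registers"}


class Decision(NamedTuple):
    allowed: bool
    function: str
    reason: str


def inspect_request(frame: bytes, src: str, write_allowed_from=frozenset()) -> Decision:
    """Verdict for one Modbus/TCP request frame arriving from host `src`."""
    if len(frame) < MBAP.size + 1:
        return Decision(False, "?", "truncated frame")
    _tid, proto, length, _unit = MBAP.unpack_from(frame)
    if proto != 0:
        return Decision(False, "?", f"protocol id {proto} is not Modbus")
    # The length field counts unit id + PDU; it must match the bytes present.
    if length != len(frame) - 6 or length < 2 or length > 254:
        return Decision(False, "?", f"bad length field {length} for {len(frame)}-byte frame")
    fc = frame[7]
    if fc & 0x80:
        return Decision(False, hex(fc), "exception bit set in a request")
    if fc in READ_FUNCTIONS:
        name = READ_FUNCTIONS[fc]
        if len(frame) != 12:  # all four read requests carry start (2) + quantity (2)
            return Decision(False, name, "read request has wrong PDU size")
        _start, quantity = struct.unpack_from(">HH", frame, 8)
        limit = 2000 if fc in (1, 2) else 125  # protocol maxima for bits / registers
        if not 1 <= quantity <= limit:
            return Decision(False, name, f"quantity {quantity} outside 1..{limit}")
        return Decision(True, name, "read-only request")
    if fc in WRITE_FUNCTIONS:
        name = WRITE_FUNCTIONS[fc]
        if src in write_allowed_from:
            return Decision(True, name, f"write permitted from {src}")
        return Decision(False, name, f"write not permitted from {src}")
    return Decision(False, hex(fc), "function code not on the allow-list")


# Constructed sample traffic: (source host, hex-encoded Modbus/TCP frame).
SAMPLE_TRAFFIC = [
    ("10.0.5.20", "0001 0000 0006 01 03 0000 000a"),                   # HMI reads 10 holding registers
    ("10.0.5.20", "0002 0000 0006 01 06 0010 0001"),                   # HMI tries to write one register
    ("10.0.5.10", "0003 0000 000b 01 10 0000 0002 04 000a 000b"),      # engineering station writes 2 registers
    ("10.0.5.99", "0004 0000 0040 01 03 0000 000a"),                   # length field lies about frame size
    ("10.0.5.99", "0005 0000 0006 01 03 0000 00c8"),                   # asks for 200 registers, max is 125
    ("10.0.5.99", "0006 0000 0002 01 2b"),                             # fc 43 Encapsulated Interface, not allowed
]


def filter_traffic(traffic=SAMPLE_TRAFFIC, write_allowed_from=frozenset({"10.0.5.10"})) -> list:
    """Apply the policy to every sample frame and return the decisions in order."""
    return [inspect_request(bytes.fromhex(hexframe), src, write_allowed_from)
            for src, hexframe in traffic]


if __name__ == "__main__":
    for (src, _), d in zip(SAMPLE_TRAFFIC, filter_traffic()):
        print(f"{src:10} {'ALLOW' if d.allowed else 'DROP ':5} {d.function:25} {d.reason}")
```

The allow-list is by source address only because that is what a Layer 2/3 firewall in front of a PLC can see; Modbus itself has no authentication, which is exactly why the filter has to live in the network path.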
  2. Tomi Engdahl says:

    The Trouble With Intel’s Management Engine
    http://hackaday.com/2016/01/22/the-trouble-with-intels-management-engine/

    Something is rotten in the state of Intel. Over the last decade or so, Intel has dedicated enormous efforts to the security of their microcontrollers. For Intel, this is the only logical thing to do; you really, really want to know if the firmware running on a device is the firmware you want to run on a device. Anything else, and the device is wide open to balaclava-wearing hackers.

    Intel’s first efforts toward cryptographically signed firmware began in the early 2000s with embedded security subsystems using Trusted Platform Modules (TPM). These small crypto chips, along with the BIOS, form the root of trust for modern computers. If the TPM is secure, the rest of the computer can be secure, or so the theory goes.

    The TPM model has been shown to be vulnerable to attack, though. Intel’s solution was to add another layer of security: the (Intel) Management Engine (ME). Extremely little is known about the ME, except for some of its capabilities. The ME has complete access to all of a computer’s memory, its network connections, and every peripheral connected to a computer. It runs when the computer is hibernating, and can intercept TCP/IP traffic. Own the ME and you own the computer.

    There are no known vulnerabilities in the ME to exploit right now: we’re all locked out of the ME. But that is security through obscurity. Once the ME falls, everything with an Intel chip will fall. It is, by far, the scariest security threat today, and it’s one that’s made even worse by our own ignorance of how the ME works.

    What the Management Engine Is

    The best description of what the Management Engine is and does doesn’t come from Intel. Instead, we rely on [Igor Skochinsky] and a talk he gave at REcon 2014. This is currently the best information we have about the ME.

    The Intel ME has a few specific functions, and although most of these could be seen as the best tool you could give the IT guy in charge of deploying thousands of workstations in a corporate environment, there are some tools that would be very interesting avenues for an exploit. These functions include Active Management Technology, with the ability for remote administration, provisioning, and repair, as well as functioning as a KVM. The System Defense function is the lowest-level firewall available on an Intel machine. IDE Redirection and Serial-Over-LAN allows a computer to boot over a remote drive or fix an infected OS, and the Identity Protection has an embedded one-time password for two-factor authentication. There are also functions for an ‘anti-theft’ function that disables a PC if it fails to check in to a server at some predetermined interval or if a ‘poison pill’ was delivered through the network. This anti-theft function can kill a computer, or notify the disk encryption to erase a drive’s encryption keys.

    Reply
  3. Tomi Engdahl says:

    Eric Yoder / Washington Post:
    Obama administration says a newly-created agency will conduct federal background checks, and DOD will store records, after internal review following OPM breach

    Pentagon to take over control of background investigation information
    https://www.washingtonpost.com/news/federal-eye/wp/2016/01/22/pentagon-to-take-over-control-of-background-investigation-information/

    The Defense Department will take over responsibility for storing sensitive information on millions of federal employees and others from the Office of Personnel Management and the government will create a new entity to oversee background investigations, Obama administration officials announced Friday.

    Those changes and others are the result of an internal review of how the government conducts those investigations and how it stores and uses the information gathered following the disclosure last summer that OPM’s computer system had been breached in 2014.

    A new entity to be called the National Background Investigations Bureau will take over responsibility for conducting background investigations government-wide. That includes some 600,000 investigations annually for new or renewed security clearances, plus other checks, such as on those seeking access to certain government facilities.

    Reply
  4. Tomi Engdahl says:

    Tap the Potential of Shadow IT
    Give employees tools they love while keeping your company safe
    https://apps.google.com/learn-more/tap_the_potential_of_shadow_it.html?utm_source=Techmeme&utm_medium=social&utm_campaign=na-us-en-gafw-social-all-trial%2520&utm_content=techmeme-post4

    IT and business leaders today are grappling with the ever-increasing use of personal devices and unauthorized apps at the office, often referred to as “Shadow IT.”

    This rapidly emerging trend comes as a natural response to employees looking for ways to create and collaborate with the same ease, efficiency and freedom that they do in their everyday lives. While the rise of Shadow IT can pose numerous security risks to companies, it also offers unique opportunities for businesses to rethink their traditional tools and processes in ways that both support productivity and innovation while minimizing risk.

    At Google, we believe companies should not have to choose between agility and security. This white paper examines the role of IT in the new landscape, offering insights from IT and businesses that have leveraged Google Apps for Work to empower employees with collaboration tools they know and love while providing robust security and controls that protect data.

    Reply
  5. Tomi Engdahl says:

    NSA director: ‘Encryption is foundational to the future’
    And we’re wasting time arguing about whether or not to do away with it.
    http://www.engadget.com/2016/01/22/nsa-director-on-encryption/

    While the US government continues to argue the pros and cons of encryption, one official is actually defending the practice. NSA director Admiral Mike Rogers said Thursday encryption is “foundational to the future,” and that we’re wasting our time debating its use. Rather than arguing whether or not encryption should be commonplace, Rogers suggests it’s not time to sacrifice privacy for security. Instead, there has to be a solution that tackles both, which will be a lot easier said than done.

    “Concerns about privacy have never been higher. Trying to get all those things right, to realize that it isn’t about one or the other,” Rogers explained. He went on to say that security shouldn’t be the focus “to drive everything,” like many government officials argue.

    FBI director James Comey has been pushing for backdoor access for law enforcement for quite some time, citing the dangers of the “bad parts” of encryption. Of course, those backdoors for government would give hackers a way in, too.

    US CYBERCOM AND THE NSA: A Strategic Look with ADM Michael S. Rogers
    https://www.youtube.com/watch?v=wnTGO6OFgCo

    Reply
  6. Tomi Engdahl says:

    Warning: JSocket RAT malware spreads in Finland
    http://www.epanorama.net/newepa/2016/01/25/warning-jsocket-rat-malware-spreads-in-finland/

    The Finnish National Bureau of Investigation (Keskusrikospoliisi) has begun to investigate a dissemination campaign of the JSocket RAT malware that has spread widely. According to the Bureau, the malware was sent to 15,000 Finnish people through e-mail.

    Reply
  7. Tomi Engdahl says:

    Internet of Things security is so bad, there’s a search engine for sleeping kids
    Shodan search engine is only the latest reminder of why we need to fix IoT security.
    http://arstechnica.com/security/2016/01/how-to-search-the-internet-of-things-for-photos-of-sleeping-babies/?utm_source=digg

    Shodan, a search engine for the Internet of Things (IoT), recently launched a new section that lets users easily browse vulnerable webcams.

    The feed includes images of marijuana plantations, back rooms of banks, children, kitchens, living rooms, garages, front gardens, back gardens, ski slopes, swimming pools, colleges and schools, laboratories, and cash register cameras in retail stores, according to Dan Tentler, a security researcher who has spent several years investigating webcam security.

    “It’s all over the place,” he told Ars Technica UK. “Practically everything you can think of.”

    We did a quick search and turned up some alarming results:

    The cameras are vulnerable because they use the Real Time Streaming Protocol (RTSP, port 554) to share video but have no password authentication in place. The image feed is available to paid Shodan members at images.shodan.io. Free Shodan accounts can also search using the filter port:554 has_screenshot:true.

    Shodan crawls the Internet at random looking for IP addresses with open ports. If an open port lacks authentication and streams a video feed, the new script takes a snap and moves on.

    While the privacy implications here are obvious, Shodan’s new image feed also highlights the pathetic state of IoT security, and raises questions about what we are going to do to fix the problem.

    Of course insecure webcams are not exactly a new thing. The last several years have seen report after report after report hammer home the point. In 2013, the FTC sanctioned webcam manufacturer TRENDnet for exposing “the private lives of hundreds of consumers to public viewing on the Internet.”

    So why are things getting worse and not better?

    The curse of the minimum viable product

    Tentler told Ars that webcam manufacturers are in a race to the bottom. Consumers do not perceive value in security and privacy. As a rule, many have not shown a willingness to pay for such things. As a result, webcam manufacturers slash costs to maximize their profit, often on narrow margins. Many webcams now sell for as little as £15 or $20.

    “The consumers are saying ‘we’re not supposed to know anything about this stuff [cybersecurity],” he said. “The vendors don’t want to lift a finger to help users because it costs them money.”

    If consumers were making an informed decision and that informed decision affected no one but themselves, perhaps we could let the matter rest. But neither of those conditions are true. Most consumers fail to appreciate the consequences of purchasing insecure IoT devices. Worse, such a quantity of insecure devices makes the Internet less secure for everyone. What botnet will use vulnerable webcams to launch DDoS attacks? What malware will use insecure webcams to infect smart homes?

    “The bigger picture here is not just personal privacy, but the security of IoT devices,” security researcher Scott Erven told Ars Technica UK. “As we expand that connectivity, when we get into systems that affect public safety and human life—medical devices, the automotive space, critical infrastructure—the consequences of failure are higher than something as shocking as a Shodan webcam peering into the baby’s crib.”

    Admiring the problem is easy. Finding solutions is harder. For his part, Tentler is sceptical that raising consumer awareness will be enough to solve the problem. Despite tons of press harping on about the privacy implications of webcams, it’s pretty clear, according to Tentler, that just telling people to care more about security isn’t going to make a difference.

    Instead, he argues it’s time to start arm-twisting vendors to release more secure products.

    FTC to the rescue?

    The FTC takes action against companies engaged in deceptive or unfair business practices, she explained. That includes IoT manufacturers who fail to take reasonable measures to secure their devices.

    “The message from our enforcement actions is that companies can’t rush to get their products to market at the expense of security,” she said. “If you don’t have reasonable security then that could be a violation of the FTC Act.”

    This is all sensible, top-notch security advice. The FTC even followed up with an official guidance document in June and a series of workshops for businesses on improving their security posture.

    Erven told us that these new guidance documents are a warning to businesses to improve—or else. “The thing that really does come next after guidance is regulation, if they don’t pick up their game and implement [the official security guidance].”

    Start with Security: A Guide for Business
    https://www.ftc.gov/tips-advice/business-center/guidance/start-security-guide-business

    Reply
  8. Tomi Engdahl says:

    Ransomware Hits Three Indian Banks, Causes Millions In Damages
    http://yro.slashdot.org/story/16/01/25/000239/ransomware-hits-three-indian-banks-causes-millions-in-damages

    Ransomware has locked computers in three major Indian banks and one pharmaceutical company. While the ransom note asks for 1 Bitcoin, so many computers have been infected that damages racked up millions of dollars. According to an antivirus company that analyzed the ransomware, it’s not even that complex, and seems to be the work of some amateur Russians.

    LeChiffre Ransomware Hits Three Indian Banks, Causes Millions in Damages
    http://news.softpedia.com/news/lechiffre-ransomware-hits-three-indian-banks-causes-millions-in-damages-499350.shtml

    An unknown hacker has breached the computer systems of three banks and a pharmaceutical company and infected most of their computers with crypto-ransomware.

    The incident took place at the start of January, all companies were located in India, and the hacker(s) used the LeChiffre ransomware family to encrypt files on the infected computers.

    LeChiffre is a hand-cranked ransomware

    LeChiffre is not your typical ransomware and works only if launched into execution manually. The hacker managed to infiltrate the networks of all companies, and then escalated his access to other computers via unprotected Remote Desktop ports.

    Once he gained access to a computer, the hacker would download the ransomware from his server and then double-click it to start the encryption process.

    LeChiffre caused millions in damages

    Victims infected with LeChiffre have to contact the ransomware’s author via an email address shown in the ransom message. The standard ransom payment is 1 Bitcoin (approximately $400 / €370 today’s price) per computer.

    As India Times reports, the hacker managed to infect so many computers that total damages are running into millions of dollars. At this moment, the same publication reports that ransoms were paid only for some top executives.

    In September 2015, two Middle East hackers also breached two Indian companies, stole data, and then successfully blackmailed them for $5 million each, threatening to release private files to the government, files which would have involved the companies in illegal activities.

    LeChiffre, Ransomware Ran Manually
    https://blog.malwarebytes.org/intelligence/2016/01/draft-lechiffre-a-manually-run-ransomware/

    LeChiffre is yet another ransomware that recently has been observed to cause some major damage (in Mumbai – read more here). Not much material about it is available, so we decided to take a look.

    It is different from most of the ransomware present nowadays. Instead of spreading to users and automatically infecting their machines, LeChiffre needs to be run manually on the compromised system. A common infection scenario is that attackers automatically scan the network in search of poorly secured Remote Desktops, crack them, and after logging in remotely they manually run an instance of LeChiffre.

    It encrypts files and appends to their names an extension “.LeChiffre”.

    Reply
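Added example (my own code, not from the Softpedia or Malwarebytes write-ups above): a small Python scanner that looks for the “.LeChiffre” suffix the write-up says the ransomware appends to encrypted files. It is the kind of check a file-server monitor or an incident-response triage script would run to size up how far the manual encryption got. The sample directory listing is constructed; only the extension comes from the page, and the alert threshold of five hits is an assumption.

```python
import os
from collections import Counter
from typing import Dict, Iterable

# Extension that LeChiffre appends to every file it encrypts (from the write-up above).
RANSOM_EXT = ".LeChiffre"


def classify_names(names: Iterable[str], alert_threshold: int = 5) -> Dict:
    """Look for the ransomware extension in a list of file names.

    Returns how many files carry the extension, which original extensions
    were hidden behind it, and an alert flag once the count reaches
    alert_threshold (assumed: a handful of hits justifies a look, while a
    single hit may just be a stray sample).  Matching is case-insensitive
    because Windows file systems are.
    """
    encrypted = 0
    originals: Counter = Counter()
    for name in names:
        if name.lower().endswith(RANSOM_EXT.lower()):
            encrypted += 1
            stem = name[: -len(RANSOM_EXT)]              # strip the appended suffix
            orig_ext = os.path.splitext(stem)[1].lower() or "(none)"
            originals[orig_ext] += 1
    return {
        "encrypted": encrypted,
        "original_extensions": dict(originals),
        "alert": encrypted >= alert_threshold,
    }


def scan_directory(root: str, alert_threshold: int = 5) -> Dict:
    """Walk a directory tree (e.g. a mounted file share) and classify every file name in it."""
    def names():
        for _dirpath, _dirs, files in os.walk(root):
            yield from files
    return classify_names(names(), alert_threshold)


# Constructed sample: a directory listing as it might look after an incident.
SAMPLE_NAMES = [
    "budget_2016.xlsx.LeChiffre",
    "contract.docx.LeChiffre",
    "notes.txt",
    "scan001.pdf.LeChiffre",
    "scan002.pdf.LeChiffre",
    "photo.jpg",
    "readme.LeChiffre",
    "index.html.lechiffre",
]

if __name__ == "__main__":
    print(classify_names(SAMPLE_NAMES))
    # {'encrypted': 6, 'original_extensions': {'.xlsx': 1, '.docx': 1, '.pdf': 2, '(none)': 1, '.html': 1}, 'alert': True}
```

On a real share you would call `scan_directory()` on the mount point and feed the result into whatever alerting you have; the original-extension breakdown tells you which document types were hit first, which helps with restore priorities. The scan only finds files after the fact. The entry vector the write-up describes is Remote Desktop reachable from the Internet with weak passwords, so the preventive control is not exposing RDP and requiring strong authentication on it.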
  9. Tomi Engdahl says:

    Sainsbury’s Bank web pages stuck on crappy 20th century crypto
    ‘Someone there should be beaten to a pulp with a keyboard’
    http://www.theregister.co.uk/2016/01/25/sainsburys_bank_weak_crypto/

    Sainsbury’s Bank website still relies on insecure cryptography protocols that more security conscious organisations have abandoned as obsolete.

    The UK supermarket-owned bank’s “secure” site rates an “F” in tests using the industry standard Qualys’ SSL Labs service – chiefly because of the support for protocols security experts reckon are well past their sell-by date.

    “Shocking really: RC4, SHA-1 cert and other issues,” Mal M, the Reg reader who brought the issue to our attention, commented. “Someone there should be beaten to a pulp with a keyboard.”

    The practical upshot here is that Sainsbury’s Bank is not following industry best practice, creating an added risk as a result, not that customer details have been exposed, much less leaked.

    Reply
  10. Tomi Engdahl says:

    Lucas Matney / TechCrunch:
    Uber Using Smartphone Gyrometer Data To Monitor Speeding Drivers
    http://techcrunch.com/2016/01/26/uber-using-smartphone-gyrometer-data-to-monitor-speeding-drivers/

    We’ve all been in an Uber where the driver seems to be in a little bit more of a hurry than need be. Once you hop out of the Uber and complete the ride, you’re left with the app asking you how you’d rate your experience.

    In order to get the lowdown, Uber announced today that it has been running a pilot program that uses drivers’ smartphone gyrometer data to gather information about rides. Whether it’s checking to see if the driver is checking his phone too much during the ride or it’s measuring how fast the driver is going, Uber believes that this move can help them assess which of their drivers are being rated fairly and which ones may be getting a bad rap.

    Now, this obviously has applications a little bit more far-reaching than just talking about customer satisfaction. This is really allowing Uber to harness a greater deal of data to see how their drivers are operating their vehicles in different areas.

    The company says there’s a pretty clear safety benefit to collecting this data, in that they can more easily identify drivers who fall outside the norm in terms of speeding.

    Reply
  11. Tomi Engdahl says:

    How a Small Company in Switzerland Is Fighting a Surveillance Law — And Winning
    https://theintercept.com/2016/01/25/how-a-small-company-in-switzerland-is-fighting-a-surveillance-law-and-winning/

    A small email provider and its customers have almost single-handedly forced the Swiss government to put its new invasive surveillance law up for a public vote in a national referendum in June.

    “This law was approved in September, and after the Paris attacks, we assumed privacy was dead at that point,” said Andy Yen, co-founder of ProtonMail, when I spoke with him on the phone. He was referring to the Nachrichtendienstgesetz (NDG), a mouthful of a name for a bill that gave Swiss intelligence authorities more clout to spy on private communications, hack into citizens’ computers, and sweep up their cellphone information.

    The climate of fear and terrorism, he said, felt too overwhelming to get people to care about constitutional rights when people first started organizing to fight the NDG law. Governments around the world, not to mention cable news networks, have taken advantage of tragedy to expand their reach under the guise of protecting people, even in classically neutral Switzerland — without much transparency or public debate on whether or not increased surveillance would help solve the problem.

    But thanks to the way Swiss law works — if you get together 50,000 signatures within three months of the law passing — you can force a nationwide referendum where every citizen gets a say.

    By gathering its users and teaming up with political groups including the Green and Pirate parties, as well as technological and privacy advocates including Chaos Computer Club Switzerland and Digitale Gesellschaft Switzerland, ProtonMail was able to collect over 70,000 signatures before the deadline.

    The new law is the first of two surveillance laws that have been circulating through the Swiss Parliament. The NDG law was fully passed in September, but can’t take full effect until after the referendum vote in June.

    The NDG would “create a mini NSA in Switzerland,” Yen wrote — allowing Swiss intelligence to spy without getting court approval. It would authorize increased use of “Trojans,” or remote hacking tactics to investigate suspects’ computers, including remotely turning on Webcams and taking photos, as well as hacking abroad to protect Swiss infrastructure. It would legalize IMSI catchers, or Stingrays, which sweep up data about cellphones in the area.

    The second law, known as the “BÜPF,” might come up for a vote in the Parliament’s spring session, but may be revised or delayed. The BÜPF would expand the government’s ability to retain data for longer, including communications and metadata, as well as deputize private companies to help spy on their users, or face a fine.

    ProtonMail, created by scientists and engineers with know-how in particle physics, software, cryptology, and civil liberties, provides unbreakable end-to-end encryption by default to its users for free — making it easy for ordinary people to protect their communications and preserve their anonymity.

    With end-to-end encryption, only the person who sends the message and the person who receives it can access the content; not even the company can see what was written. Encryption protects transactions on the internet, so that criminals can’t read messages, steal credit card information, or impersonate others.

    The Swiss surveillance bill does not compel ProtonMail to decrypt its users’ communications, so if the Swiss intelligence service forces it to hand over data, all the intelligence service will get is gobbledygook. But ProtonMail still feels the measure threatens Swiss privacy — something the company hopes to defend, regardless of its bottom line.

    Reply
  12. Tomi Engdahl says:

    Tech Support Scammers Lure Users With Fake Norton Warnings, Turn Out To Be Symantec Reseller
    https://blog.malwarebytes.org/fraud-scam/2016/01/tech-support-scammers-lure-users-with-fake-norton-warnings-turn-out-to-be-symantec-reseller/

    Fraudulent tech support companies are well-known for taking advantage of unsavvy computer users by reeling them in with scare tactics and charging large amounts of money for bogus services.

    In many cases, these crooks sell free security products (or straight up pirate them) for hundreds of dollars more than their actual retail price. Security vendors may not be aware of these practices let alone what kind of sales pitch scammers use to force those sales.

    In one of the worst cases of abuse we have seen so far, a company that happens to be an active member of the Symantec Partner Program is scamming people with fake warnings designed to look like Symantec’s flagship product, Norton Antivirus.

    The alert message is displayed via a web page hosted on quicklogin.us/norton and urges users to call for support immediately.

    Of course this screen is completely fake, but combined with an alarming audio message playing in the background, it may be enough to dupe some users.

    We were instructed to go to fastsupport.com to allow the technician to take remote control of our computer, therefore enabling him to perform a diagnostic. (Note: we strongly advise to never let anyone or any company you do not feel comfortable about, get remote access to your computer.)

    This process is a core part of the scam because it allows crooks to tighten their hold on potential victims. With remote access, scammers can literally do whatever they want on the user’s machine, from stealing documents to installing (real) malware.

    Once the technician was logged in, he wasted no time in going for the most infamous trick used by tech support scammers, the Windows EventViewer.

    Sadly, Microsoft’s central log and error reporting tool can all too easily be leveraged thanks to those yellow and red warnings, which the majority of the time are perfectly normal. Of course, for a scammer it’s the perfect way of claiming those are infections or viruses.

    Not satisfied with this, the technician figured he could pull another well-known trick to seal the deal. This time he opened up the TaskManager and pointed out a particular process called csrss.exe.

    This file is a core Windows program but, as is often the case, malware authors rename their samples to look like a legit file and use the same naming conventions.

    Googling for csrss.exe returns several pages that promote registry scanners to look for errors associated with that file name, as well as descriptions labeling this process as a Trojan.

    Having finished the diagnostic in a record 5 minutes, the technician proceeds to the sales part of his script. A couple of different support plans are offered:

    A one time fix and installation of Norton for $199.
    A one year warranty with Norton for $249.

    We immediately reported all of our evidence to Symantec, who took this case very seriously.

    Reply
  13. Tomi Engdahl says:

    Jan 16
    Firm Sues Cyber Insurer Over $480K Loss
    http://krebsonsecurity.com/2016/01/firm-sues-cyber-insurer-over-480k-loss/

    A Texas manufacturing firm is suing its cyber insurance provider for refusing to cover a $480,000 loss following an email scam that impersonated the firm’s chief executive.

    At issue is a cyber insurance policy issued to Houston-based Ameriforge Group Inc. (doing business as “AFGlobal Corp.”) by Federal Insurance Co., a division of insurance giant Chubb Group. AFGlobal maintains that the policy it held provided coverage for both computer fraud and funds transfer fraud, but that the insurer nevertheless denied a claim filed in May 2014 after scammers impersonating AFGlobal’s CEO convinced the company’s accountant to wire $480,000 to a bank in China.

    The company said it attempted to recover the $480,000 wire from its bank, but that the money was already gone

    In a letter sent by Chubb to the plaintiff, the insurance firm said it was denying the claim because the scam, known alternatively as “business email compromise” (BEC) and CEO fraud, did not involve the forgery of a financial instrument as required by the policy.

    “Federal disagrees with your contention that forgery coverage is implicated by this matter,” the insurer wrote in an Oct. 9, 2014 letter to AFGlobal.

    Law360 notes that this is actually the second time in the past year that Chubb Corp. unit Federal Insurance was taken to court over coverage after its policyholder was fraudulently swindled out of money.

    “Research technology company Medidata Solutions Inc. sued Federal in February for denying reimbursement of $4.8 million after a company employee, also contacted by a fake CEO and fake attorney, instructed him to also wire the money to a Chinese bank,” wrote Steven Trader for Law360.

    BEC or CEO Fraud schemes are an increasingly common and costly form of cybercrime. According to the FBI, thieves stole nearly $750 million in such scams from more than 7,000 victim companies in the U.S. between October 2013 and August 2015.

    CEO fraud usually begins with the thieves either phishing an executive and gaining access to that individual’s inbox, or emailing employees from a look-alike domain name that is one or two letters off from the target company’s true domain name.

    On the surface, business email compromise scams may seem unsophisticated relative to moneymaking schemes that involve complex malicious software, such as Dyre and ZeuS. But in many ways, the BEC attack is more versatile and adept at sidestepping basic security strategies used by banks and their customers to minimize risks associated with account takeovers. In traditional phishing scams, the attackers interact with the victim’s bank directly, but in the BEC scam the crooks trick the victim into doing that for them.

    The FBI urges businesses to adopt two-step or two-factor authentication for email, where available, and/or to establish other communication channels — such as telephone calls — to verify significant transactions. Businesses are also advised to exercise restraint when publishing information about employee activities on their Web sites or through social media.

    Reply
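Added example (my own code, not from the Krebs article): a Python triage check for the CEO-fraud pattern the article describes, namely a look-alike sender domain one or two letters off the real one, an executive’s display name on an outside address, a Reply-To that diverts answers elsewhere, and payment instructions in the body. Anything flagged is held for the out-of-band verification the FBI recommends. The company domain, executive names and both sample messages are constructed; the check is meant to sit alongside SPF/DKIM/DMARC, not replace them.

```python
import email
import re
from email.utils import parseaddr
from typing import Dict, Set

# Constructed values for this example: the organisation's real domain and the
# display names the finance team should treat as "executive" senders.
TRUSTED_DOMAIN = "example-corp.com"
EXEC_DISPLAY_NAMES: Set[str] = {"alice ceo", "bob cfo"}
PAYMENT_WORDS = re.compile(r"\b(wire|transfer|urgent|invoice|account details)\b", re.I)


def levenshtein(a: str, b: str) -> int:
    """Edit distance: the number of single-character insertions, deletions or
    substitutions that turn a into b (classic dynamic-programming version)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    return address.rpartition("@")[2].lower()


def assess_message(raw: str, trusted_domain: str = TRUSTED_DOMAIN,
                   exec_names: Set[str] = EXEC_DISPLAY_NAMES) -> Dict:
    """Score one RFC 822 message for the CEO-fraud pattern described in the article."""
    msg = email.message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = domain_of(addr)
    findings = []
    if sender_domain != trusted_domain:              # only external senders are scored
        distance = levenshtein(sender_domain, trusted_domain)
        if 1 <= distance <= 2:                       # "one or two letters off"
            findings.append(f"look-alike domain {sender_domain} "
                            f"(edit distance {distance} from {trusted_domain})")
        if display.strip().lower() in exec_names:
            findings.append(f"executive display name '{display}' on an external address")
        _, reply_to = parseaddr(msg.get("Reply-To", ""))
        if reply_to and domain_of(reply_to) != sender_domain:
            findings.append(f"Reply-To routes answers to {domain_of(reply_to)}")
        body = msg.get_payload() if not msg.is_multipart() else ""
        if PAYMENT_WORDS.search(body):
            findings.append("payment instructions from an external sender")
    return {
        "sender_domain": sender_domain,
        "findings": findings,
        # Anything flagged goes to out-of-band verification (a phone call to a
        # number already on file), the control the FBI advice above describes.
        "hold_for_verification": bool(findings),
    }


# Constructed sample messages; addresses and amounts are made up.
SCAM_MESSAGE = """\
From: "Alice CEO" <alice@example-c0rp.com>
Reply-To: alice.ceo@webmail.example
To: accounts@example-corp.com
Subject: Confidential acquisition

Please wire $480,000 to the supplier account below today. I am in
meetings all day, so do not call, just confirm by email.
"""

LEGIT_MESSAGE = """\
From: "Alice CEO" <alice@example-corp.com>
To: accounts@example-corp.com
Subject: Q1 wire confirmations

Can you send me the wire confirmations for the Q1 supplier payments?
"""

if __name__ == "__main__":
    for raw in (SCAM_MESSAGE, LEGIT_MESSAGE):
        print(assess_message(raw))
```

The edit-distance window deliberately stops at two: distance three and beyond catches too many unrelated domains, and the article’s point is that the fraud works precisely because the fake domain is almost indistinguishable from the real one. A spoofed From header that claims the real domain outright is not caught here at all; that is what DMARC enforcement on your own domain is for.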
  14. Tomi Engdahl says:

    Windows 7/8/8.1/10 vulnerable to Hot Potato exploit by hackers
    http://www.digitalmunition.me/2016/01/ya9jvvyujexmyccqfjrcj/

    Windows versions 7, 8, 10, Server 2008 and Server 2012 vulnerable to Hot Potato exploit which gives total control of PC/laptop to hackers

    Security researchers from Foxglove Security have discovered that almost all recent versions of Microsoft’s Windows operating system are vulnerable to a privilege escalation exploit. By chaining together a series of known Windows security flaws, researchers from Foxglove Security have discovered a way to break into PCs/systems/laptops running on Windows 7/8/8.1/10 and Windows Server 2008/2010.

    The Foxglove researchers have named the exploit Hot Potato. Hot Potato relies on three different types of attacks, some of which were discovered back at the start of the new millennium, in 2000. By chaining these together, hackers can remotely gain complete access to the PCs/laptops running on the above versions of Windows.

    Surprisingly, some of the exploits were found way back in 2000 but have still not been patched by Microsoft, with the explanation that by patching them, the company would effectively break compatibility between the different versions of their operating system.

    Hot Potato is a sum of three different security issues with the Windows operating system. One of the flaws lies in a local NBNS (NetBIOS Name Service) spoofing technique that’s 100% effective. Potential hackers can use this flaw to set up fake WPAD (Web Proxy Auto-Discovery Protocol) proxy servers, and to mount an attack against the Windows NTLM (NT LAN Manager) authentication protocol.

    Exploiting these exploits in a chained manner allows the hackers to gain access to the PC/laptop by elevating an application’s permissions from the lowest rank to system-level privileges, the Windows analog for a Linux/Android root user’s permissions.

    Mitigation

    The researchers said that using SMB (Server Message Block) signing may theoretically block the attack. Another method to stop the NTLM relay attack is by enabling “Extended Protection for Authentication” in Windows.

    Reply
  15. Tomi Engdahl says:

    Shmoocon 2016: Phishing for the Phishers
    http://hackaday.com/2016/01/16/shmoocon-2016-phishing-for-the-phishers/

    After years of ignoring the emails it’s finally time to get into a conversation with that Nigerian prince you keep hearing from. Robbie Gallagher — an Application Security Engineer with Atlassian in Austin, TX — wanted to find out where perpetrators of phishing emails actually live. Of course you can’t count on the headers of the emails they send you. A better way to track them down is to actually draw them into a conversation, and this means making yourself a juicy target.

    Robbie gave an excellent talk on his project Honey-Phish at this year’s Shmoocon. Part of what made it stand out is his narrative on each step of exploring the social engineering technique. For instance, there is already a vibrant community that specializes in forming relationships with scammers. Those who frequent 419 Eater have literally made it into a sport called Scambaiting. The ultimate proof that you’ve baited a scammer is to get the person to take a picture of themselves balancing something on their head. Now the image at the top of this post makes sense, right?

    Writing personal emails to your scammer is a great system if you have a lot of time and only want to track down one scammer at a time. Robbie wants to catalog geographic locations for as many as possible and this means automation.

    The needs for the project are as follows: collect as many phishing emails as possible, parse each email and send replies that are believable, include a method of collecting the information from the people on the other end.

    One response isn’t appropriate in all situations, so Honey-Phish needed a way of responding that had the highest likelihood of eliciting clicks from the Phishers.

    Does It Work?

    The early results include a sample size of 41 unique email exchanges; there were 2 click-throughs (4.9% success rate). Using Jack Spirou’s ClientJS library a lot of data was collected on these two clicks… for the purposes of this post the countries are enough: Brazil and Romania.

    Device information and digital fingerprinting written in pure JavaScript. https://clientjs.org
    https://github.com/jackspirou/clientjs

    Reply
  16. Tomi Engdahl says:

    Shmoocon 2016: GPUs and FPGAs to Better Detect Malware
    http://hackaday.com/2016/01/17/shmoocon-2016-gpus-and-fpgas-to-better-detect-malware/

    One of the big problems in detecting malware is that there are so many different forms of the same malicious code. This problem of polymorphism is what led Rick Wesson to develop icewater, a clustering technique that identifies malware.

    Presented at Shmoocon 2016, the icewater project is a new way to process and filter the vast number of samples one finds on the Internet. Processing 300,000 new samples a day to determine if they have polymorphic malware in them is a daunting task. The approach used here is to create a fingerprint from each binary sample by using a space-filling curve. Polymorphism will change a lot of the bits in each sample, but as with human fingerprints, patterns are still present in these binary fingerprints that indicate the sample is a variation on a previously known object.

    Once the fingerprint is made, it’s simple to compare and cluster together samples that are likely the same. The expensive part of this method is running the space-filling curve. It takes a lot of time to run this using a CPU. FPGAs are ideal, but the hardware is comparatively costly. In its current implementation, GPUs are the best balance of time and expense.

    This expense measurement gets really interesting when you start talking Internet-scale problems; needing to constantly process huge amounts of data. The current GPU method can calculate an object in about 33ms, allowing for a couple hundred thousand samples per day. This is about four orders of magnitude better than CPU methods. But the goal is to transition away from GPUs to leverage the parallel processing found in FPGAs.

    Rick’s early testing with Xeon Phi/Altera FPGAs can calculate space-filling curves at a rate of one object every 586µs. This represents a gain of nine orders of magnitude over CPUs but he’s still not satisfied. His goal is to get icewater down to 150µs per object which would allow 10 million samples to be processed in four hours with a power cost of 4000 Watts.

    Reply
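Added example (my own code, not icewater’s; the Hackaday post gives only the idea, not the algorithm, so this is an illustration of space-filling-curve fingerprinting in pure Python): the bytes of a sample are laid out along a Hilbert curve to form a 64×64 image, each 4×4 patch of that image is reduced to one bit, and the resulting 256-bit fingerprints are compared by Hamming distance to decide whether two samples belong to the same family. The three “binaries” are constructed random data: a base sample, a variant with a tenth of its bytes rewritten to stand in for a polymorphic repack, and an unrelated file. Grid size, patch size and the clustering threshold are my assumptions.

```python
import random
from typing import List, Tuple

GRID = 64                      # 64 x 64 grid, so the first 4096 bytes of a sample are used
CELL = 4                       # every 4 x 4 patch of the grid becomes one fingerprint bit
FP_BITS = (GRID // CELL) ** 2  # 256-bit fingerprint


def hilbert_d2xy(n: int, d: int) -> Tuple[int, int]:
    """Position (x, y) of the d-th point on an n x n Hilbert curve (n a power of two).
    Consecutive d land on neighbouring cells: that locality is what a
    space-filling curve contributes to the fingerprint."""
    x = y = 0
    s, t = 1, d
    while s < n:
        rx = 1 & (t // 2)
        ry = 1 & (t ^ rx)
        if ry == 0:                       # rotate/flip the quadrant
            if rx == 1:
                x, y = s - 1 - x, s - 1 - y
            x, y = y, x
        x += s * rx
        y += s * ry
        t //= 4
        s *= 2
    return x, y


def to_image(sample: bytes, n: int = GRID) -> List[List[int]]:
    """Lay the sample's bytes along the curve, producing an n x n grey-scale image."""
    data = sample[: n * n].ljust(n * n, b"\0")   # short samples are zero-padded
    grid = [[0] * n for _ in range(n)]
    for d, value in enumerate(data):
        x, y = hilbert_d2xy(n, d)
        grid[y][x] = value
    return grid


def fingerprint(sample: bytes, n: int = GRID, cell: int = CELL) -> int:
    """Down-sample the image: one bit per cell, set when the cell's mean byte value
    is at least 128.  Small edits move a few cell means across the threshold;
    most bits survive, which is what makes variants cluster."""
    grid = to_image(sample, n)
    bits = 0
    for y0 in range(0, n, cell):
        for x0 in range(0, n, cell):
            total = sum(grid[y][x] for y in range(y0, y0 + cell) for x in range(x0, x0 + cell))
            bits = (bits << 1) | (1 if total >= 128 * cell * cell else 0)
    return bits


def hamming(a: int, b: int) -> int:
    return bin(a ^ b).count("1")


def same_family(a: bytes, b: bytes, max_distance: int = FP_BITS // 4) -> bool:
    """Cluster rule (assumed): two samples belong together when their fingerprints
    differ in at most a quarter of the bits; unrelated samples differ in about half."""
    return hamming(fingerprint(a), fingerprint(b)) <= max_distance


def make_samples(seed: int = 1) -> Tuple[bytes, bytes, bytes]:
    """Constructed test data: a base 'binary', a variant with 10% of its bytes
    rewritten (standing in for a polymorphic repack), and an unrelated file."""
    rng = random.Random(seed)
    size = GRID * GRID
    base = bytes(rng.randrange(256) for _ in range(size))
    variant = bytearray(base)
    for i in rng.sample(range(size), size // 10):
        variant[i] = rng.randrange(256)
    unrelated = bytes(rng.randrange(256) for _ in range(size))
    return base, bytes(variant), unrelated


if __name__ == "__main__":
    base, variant, unrelated = make_samples()
    fb = fingerprint(base)
    print("base vs variant  :", hamming(fb, fingerprint(variant)), "bits differ")
    print("base vs unrelated:", hamming(fb, fingerprint(unrelated)), "bits differ")
    print("variant in family:", same_family(base, variant))
```

Because the curve is built recursively, each aligned 4×4 patch holds 16 consecutive bytes of the file, so the fingerprint is a coarse profile of the file in order; using the curve rather than plain row-major layout keeps that alignment at every scale, which is the property a real implementation would exploit with larger images and smarter down-sampling. The inner loop here is the slow part, which is the same place the post says GPUs and FPGAs earn their keep.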
  17. Tomi Engdahl says:

    This talk is the continuation of [Jean-Philippe]’s DEF CON 23 talk that covered the basics of quantum computing (PDF). In short, quantum computers are not fast – they’re just coprocessors for very, very specialized algorithms. Quantum computers do not say P=NP, and can not be used on NP-hard problems, anyway. The only thing quantum computers have going for them is the ability to completely destroy public key cryptography. Any form of cryptography that uses RSA, Diffie-Hellman, Elliptic curves is completely and totally broken. With quantum computers, we’re doomed. That’s okay, according to the DEF CON talk – true quantum computers may never be built.

    Source: http://hackaday.com/2016/01/16/shmoocon-2016-computing-in-a-post-quantum-world/

    Reply
  18. Tomi Engdahl says:

    Logs are Just One Piece of the Puzzle
    https://www.youtube.com/watch?v=XGz6qW2TB_M

    Relying on logs alone is no longer enough to protect organizations from advanced threats. In order to detect and investigate advanced threats you need complete visibility from the endpoint to the cloud.

    Reply
  19. Tomi Engdahl says:

    KeysForge will give you printable key blueprints using a photo of a lock
    Smartphone photo of lock keyways enough to produce ready-to-print CAD drawings
    http://www.theregister.co.uk/2016/01/18/keysforge_will_give_you_printable_key_blueprints_using_a_photo_of_a_lock/

    The KeysForge application developed by an academic trio drastically simplifies the complexities in developing keys, allowing amateurs to snap a photo of a lock and have the respective key 3D printed.

    University of Colorado infosec assistant professor Eric Wustrow and two colleagues revealed the work at the Chaos Communications Congress in Hamburg last month.

    “We made an automatically generating 3D model program [which] takes a single picture of the keyway (lock) and produces a model in CAS (computer assisted design),” Wustrow says, adding that a smartphone photo will suffice.

    keysforge
    https://keysforge.com/

    What is this?

    This is a tool that can produce a 3D printable CAD model of a key blank (or with cuts if provided) from a single picture of the lock face.

    Reply
  20. Tomi Engdahl says:

    Replication Prohibited:
    Attacking Restricted Keyways with 3D Printing
    https://keysforge.com/paper.html

    Several attacks against physical pin-tumbler locks require access to one or more key blanks to perform. These attacks include bumping, impressioning, rights amplification, and teleduplication. To mitigate these attacks, many lock systems rely on restricted keyways and use blanks that are not sold to the general public, making it harder for attackers to obtain them. Often the key blank designs themselves are patented, further discouraging distribution or manufacture by even skilled machinists.

    In this paper we investigate the impact that emerging rapid prototyping—or 3D printing—tools have on the security of these restricted keyway systems. We find that commodity 3D printers are able to produce key blanks and pre-cut keys with enough resolution to work in several commonly used pin-tumbler locks and that their material is strong enough to withstand the requirements to perform the aforementioned attacks.

    Reply
  21. Tomi Engdahl says:

    Updated Android malware steals voice two factor authentication
    Unconditional call forwarding and silent mode means potent pwning.
    http://www.theregister.co.uk/2016/01/18/updated_android_malware_steals_voice_two_factor_authentication/

    Malware-makers are stepping up the assault on Android handsets and are now quietly redirecting phone calls to steal voice-based two factor authentication details.

    An update to the Android.Bankosy trojan horse means it not only locks down handsets but steals data from hacked devices.

    Symantec threat-throttler Dinesh Venkatesan says the trojan malware opens a backdoor which turns on unconditional call forwarding and silent mode such that victims are never alerted about redirected incoming calls.

    “To improve the security of OTP (one time password) delivery, some financial organisations started delivering OTP through voice calls instead of SMS,” Venkatesan says.

    “Once the malware is installed on the victim’s device, it opens a backdoor, collects a list of system-specific information, and sends it to the command and control server to register the device and then get a unique identifier for the infected device.

    Reply
  22. Tomi Engdahl says:

    LastPass in 2FA lock down after ‘fessing up to phishing attack
    Password vault-plundering phishing bait lands on Github
    http://www.theregister.co.uk/2016/01/18/lastpass_in_2fa_lock_down_yeah_actually_thats_a_legit_attack/

    Cloud castle for passwords LastPass has introduced mandatory sign in requirements for all new devices after security researcher Sean Cassidy dropped code allowing criminals to plunder vaults with mirror-perfect phishing attacks.

    As of today, users who set two factor authentication will need to hop to their registered email accounts to approve the device they are using to sign into LastPass.

    It was previously a requirement for daredevils not using two factor.

    The change is a rapid move to quell online anarchy in the wake of research finding most users would likely be hosed in phishing attacks that request users enter their details including two factor authentication credentials into very legitimate-looking alerts.

    Until hours ago it meant criminals could very quickly spin up pre-fab phishing pages or simply direct users to cross-site-scripting-vulnerable legitimate sites.

    Reply
  23. Tomi Engdahl says:

    Emulating and Cloning Smart Cards
    http://hackaday.com/2016/01/18/emulating-and-cloning-smart-cards/

    A few years ago, we saw a project from a few researchers in Germany who built a device to clone contactless smart cards. These contactless smart cards can be found in everything from subway cards to passports, and a tool to investigate and emulate these cards has exceptionally interesting implications. [David] and [Tino], the researchers behind the first iteration of this hardware have been working on an improved version for a few years, and they’re finally ready to release it. They’re behind a Kickstarter campaign for the ChameleonMini, a device for NFC security analysis that can also clone and emulate contactless cards.

    While the original Chameleon smart card emulator could handle many of the contactless smart cards you could throw at it, there are a lot of different contactless protocols. The new card can emulate just about every contactless card that operates on 13.56 MHz.

    The board itself is mostly a PCB antenna, with the electronics based on an ATXMega128A4U microcontroller.

    ChameleonMini – A Versatile NFC Card Emulator, and more…
    https://www.kickstarter.com/projects/1980078555/chameleonmini-a-versatile-nfc-card-emulator-and-mo

    A freely programmable, standalone tool for NFC security analysis: emulate & clone contactless cards, read RFID tags and sniff RF data.

    Reply
  24. Tomi Engdahl says:

    PDF redaction is hard, NSW Medical Council finds out – the hard way
    Actually, it’s easy, you just have to pay attention
    http://www.theregister.co.uk/2016/01/17/pdf_redaction_is_hard_nsw_medical_council_finds_out_the_hard_way/

    Australian public sector agencies have a persistent problem trying to redact PDFs: this time, the guilty party is the Medical Council of NSW.

    The council breached the privacy of a doctor and her son, the Medical Tribunal found earlier this month, because it mishandled redacting their names out of a PDF it published on its Website.

    Instead of completely removing the names from the document, as this decision explains, someone in the Medical Council drew a black square over the names – which anybody adept with PDF documents will know leaves the names intact.

    The names in the document then got indexed by Google, so as well as deleting the document from its own site, the Medical Council’s legal director Miranda St Hill had to work through the business of getting the Chocolate Factory to de-index the names.

    Reply
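Added example (my own code, not from The Register or the Medical Council’s documents): a Python demonstration of exactly the failure mode above. It builds two tiny PDFs with the same visual result, one where a black rectangle is drawn over the text and one where the text was removed before the file was built, then runs a text extractor over both. The personal data, the page layout and the `[REDACTED]` placeholder are constructed; the extractor is a plain regular expression over the uncompressed content stream, which is enough here because the file is written without stream compression.

```python
import re
from typing import List


def build_pdf(content_stream: bytes) -> bytes:
    """Assemble a minimal one-page PDF 1.4 around an uncompressed content
    stream, with a correct cross-reference table so viewers open it."""
    objects = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 300 100] "
        b"/Contents 4 0 R /Resources << /Font << /F1 5 0 R >> >> >>",
        b"<< /Length %d >>\nstream\n%s\nendstream" % (len(content_stream), content_stream),
        b"<< /Type /Font /Subtype /Type1 /BaseFont /Helvetica >>",
    ]
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for num, body in enumerate(objects, start=1):
        offsets.append(len(out))                     # byte offset of each object for the xref
        out += b"%d 0 obj\n%s\nendobj\n" % (num, body)
    xref_at = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objects) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += (b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n"
            % (len(objects) + 1, xref_at))
    return bytes(out)


# Constructed sample: a line of personal data on the page.
SECRET = b"Patient: Jane Doe"
SHOW_TEXT = b"BT /F1 12 Tf 20 50 Td (" + SECRET + b") Tj ET\n"
BLACK_BOX = b"0 g 18 46 130 16 re f\n"     # filled black rectangle drawn over the text


def remove_text(content: bytes, secret: bytes, placeholder: bytes = b"[REDACTED]") -> bytes:
    """Real redaction: the text operator is rewritten before the file is built,
    so the sensitive bytes never reach the published document."""
    return content.replace(secret, placeholder)


# What the Medical Council did: the name is still in the file, under the box.
BOX_ONLY = build_pdf(SHOW_TEXT + BLACK_BOX)
# What should have happened: text removed first, box (or nothing) drawn afterwards.
PROPER = build_pdf(remove_text(SHOW_TEXT, SECRET) + BLACK_BOX)


def extract_strings(pdf: bytes) -> List[str]:
    """Recover literal strings drawn with the Tj operator from uncompressed
    content streams.  This is roughly what a text extractor or a search-engine
    indexer sees; a rectangle drawn on top changes nothing here."""
    return [s.decode("latin-1") for s in re.findall(rb"\(([^()]*)\)\s*Tj", pdf)]


if __name__ == "__main__":
    print("box only:", extract_strings(BOX_ONLY))    # the name is still there
    print("proper  :", extract_strings(PROPER))
    with open("box_only.pdf", "wb") as f:           # open both in a viewer: same black bar
        f.write(BOX_ONLY)
    with open("proper.pdf", "wb") as f:
        f.write(PROPER)
```

Two caveats for real documents. Production PDFs normally compress content streams with FlateDecode, so a regex over the raw file sees nothing and you need `zlib` or a PDF library to get at the operators, but the text is just as recoverable. And removing the string from one content stream is the minimum: a proper redaction tool also rewrites or drops the file’s metadata, bookmarks, annotations and any embedded earlier revisions, which is why the usual advice is to use a dedicated redaction feature and then run a text extraction over the output before publishing it.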
  25. Tomi Engdahl says:

    Ongoing MD5 support endangers cryptographic protocols
    http://www.computerworld.com/article/3020066/security/ongoing-md5-support-endangers-cryptographic-protocols.html?token=%23tk.CTWNLE_nlt_computerworld_security_2016-01-08&idg_eid=051598d6597df87056c54033166b3242&utm_source=Sailthru&utm_medium=email&utm_campaign=Computerworld%20Security%202016-01-08&utm_term=computerworld_security#tk.cw_nlt_computerworld_security_issues_2016-01-08

    Researchers showed authentication and impersonation attacks against protocols that still support MD5 in some of their components

    The old and insecure MD5 hashing function hasn’t been used to sign SSL/TLS server certificates in many years, but continues to be used in other parts of encrypted communications protocols, including TLS, therefore weakening their security.

    Researchers from the INRIA institute in France have devised several attacks which prove that the continued support for MD5 in cryptographic protocols is much more dangerous than previously believed.

    They showed that man-in-the-middle attackers can impersonate clients to servers that use TLS client authentication and still support MD5 hashing for handshake transcripts. Intercepting and forwarding credentials through protocols that use a TLS channel binding mechanism is also possible.

    The same will apply in the future to the SHA-1 hashing function which is currently being phased out from digital certificate signing.

    Reply
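The weakness the article describes lives in negotiation: a TLS 1.2 peer that still lists MD5 (or SHA-1) in its signature_algorithms offer can be steered into signing a handshake transcript with a hash the attacker can collide. As an added example, not code from the article or the INRIA researchers, the block below decodes the wire format of that extension (RFC 5246, section 7.4.1.4.1), reports the weak hash algorithms an offer advertises, and re-encodes a hardened offer with them stripped. The sample offer bytes are constructed for the demonstration.

```python
import struct

# Registry values from RFC 5246 section 7.4.1.4.1 (TLS 1.2 SignatureAndHashAlgorithm).
HASH_NAMES = {0: "none", 1: "md5", 2: "sha1", 3: "sha224",
              4: "sha256", 5: "sha384", 6: "sha512"}
SIG_NAMES = {0: "anonymous", 1: "rsa", 2: "dsa", 3: "ecdsa"}

# Hashes that must not be accepted for handshake signatures: MD5 is broken now,
# and the article notes SHA-1 is on the same path.
WEAK_HASHES = {"none", "md5", "sha1"}


def parse_signature_algorithms(ext_body: bytes) -> list:
    """Decode the body of a signature_algorithms extension into
    (hash_name, sig_name) tuples. Raises ValueError on malformed input."""
    if len(ext_body) < 2:
        raise ValueError("extension body too short")
    (list_len,) = struct.unpack("!H", ext_body[:2])
    if list_len % 2 or 2 + list_len != len(ext_body):
        raise ValueError("bad supported_signature_algorithms length")
    pairs = []
    for i in range(2, 2 + list_len, 2):
        h, s = ext_body[i], ext_body[i + 1]
        pairs.append((HASH_NAMES.get(h, "hash_%d" % h), SIG_NAMES.get(s, "sig_%d" % s)))
    return pairs


def weak_offers(ext_body: bytes) -> list:
    """The (hash, signature) pairs in an offer that a policy should refuse."""
    return [p for p in parse_signature_algorithms(ext_body) if p[0] in WEAK_HASHES]


def build_signature_algorithms(pairs) -> bytes:
    """Inverse of parse_signature_algorithms: encode pairs back to the wire format."""
    inv_h = {v: k for k, v in HASH_NAMES.items()}
    inv_s = {v: k for k, v in SIG_NAMES.items()}
    body = b"".join(bytes([inv_h[h], inv_s[s]]) for h, s in pairs)
    return struct.pack("!H", len(body)) + body


def harden(ext_body: bytes) -> bytes:
    """Re-encode the offer with weak hashes removed. A peer that then insists on
    MD5 fails the handshake instead of getting a transcript it can forge."""
    kept = [p for p in parse_signature_algorithms(ext_body) if p[0] not in WEAK_HASHES]
    if not kept:
        raise ValueError("no acceptable signature algorithms remain")
    return build_signature_algorithms(kept)


# Constructed sample: a ClientHello offer that still advertises SHA-1 and MD5
# alongside stronger choices (sha256/rsa, sha1/rsa, md5/rsa, sha384/ecdsa).
LEGACY_OFFER = bytes.fromhex("0008" "0401" "0201" "0101" "0503")

if __name__ == "__main__":
    print("offered:", parse_signature_algorithms(LEGACY_OFFER))
    print("weak:   ", weak_offers(LEGACY_OFFER))
    print("hardened offer:", harden(LEGACY_OFFER).hex())
```

Being the last to list MD5 is not enough; the attacks in the article work against implementations that accept it at all, so the defensive setting is to remove it from what a stack will negotiate. In OpenSSL-based software that is the signature algorithm list (SSL_CTX_set1_sigalgs_list, or the SignatureAlgorithms configuration directive); the example above shows what such a policy does to the bytes on the wire.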
  26. Tomi Engdahl says:

    Sending a single link can cause anyone’s smartphone to crash
    http://thenextweb.com/insider/2016/01/25/sending-a-single-link-can-cause-anyones-smartphone-to-crash/

    There’s a link doing the rounds on social media today that can crash almost any smartphone, just by opening it in your browser.

    The aptly named crashsafari.com [this will crash your browser — even Chrome] does what it says on the box — it crashes the browser by writing thousands of characters in the address bar every second, exhausting memory.

    Sending link to website lets you crash Safari and anyone’s iPhone
    Prank website forces iPhones to reboot and will cause computers and Android devices to hang
    http://www.theguardian.com/technology/2016/jan/25/sending-link-to-website-lets-you-crash-safari-and-anyones-iphone?CMP=twt_a-technology_b-gdntech

    Reply
  27. Tomi Engdahl says:

    The Dark Arts: Meet the LulzSec Hackers
    http://hackaday.com/2016/01/26/the-dark-arts-meet-the-lulzsec-hackers/

    It’s difficult to say if [Aaron Barr], then CEO of software security company HBGary Federal, was in his right mind when he targeted the notorious hacking group known as Anonymous. He was trying to correlate Facebook and IRC activity to reveal the identities of the group’s key figures.

    Perhaps [Aaron Barr] expected Anonymous to come after him…maybe he even welcomed the confrontation. After all, he was an ‘expert’ in software security. He ran his own security company.

    It took the handful of hackers less than 24 hours to take complete control over the HBGary Federal website and databases. They also seized [Barr’s] Facebook, Twitter, Yahoo and even his World of Warcraft account.

    It became clear that these handful of Anonymous hackers were good. Very good. This article will focus on the core of the HBGary hackers that would go on to form the elite LulzSec group. Future articles in this new and exciting Dark Arts series will focus on some of the various hacking techniques they used. Techniques including SQL injection, cross-site scripting, remote file inclusion and many others. We will keep our focus on how these techniques work and how they can be thwarted with better security practices.

    Reply
  28. Tomi Engdahl says:

    Emil Protalinski / VentureBeat:
    Firefox 44 arrives with ability for sites to send notifications after webpage closed with the user’s permission and RC4 encryption support discontinued — Firefox 44 arrives with push notifications that sites can send even after users close the page — Mozilla today launched Firefox 44 for Windows, Mac, Linux, and Android.

    Firefox 44 arrives with push notifications that sites can send even after users close the page
    http://venturebeat.com/2016/01/26/firefox-44-arrives-with-push-notifications-that-sites-can-send-even-after-users-close-the-page/

    Mozilla today launched Firefox 44 for Windows, Mac, Linux, and Android. Notable additions to the browser include push notifications, the removal of RC4 encryption, and new powerful developer tools.

    Firefox 44 for the desktop is available for download now on Firefox.com, and all existing users should be able to upgrade to it automatically. As always, the Android version is trickling out slowly on Google Play.

    Reply
  29. Tomi Engdahl says:

    Safe Harbor 2.0: US-Europe talks on privacy go down to the wire
    End-of-month deadline looms for vital data sharing pact
    http://www.theregister.co.uk/2016/01/25/safe_harbor_countdown_to_armageddon/

    United States and European Commission officials have promised they are doing everything possible to reach agreement over transatlantic data-sharing before a critical deadline at the end of this week.

    After the Safe Harbor agreement – put in place in 2000 – was struck down by Europe’s highest court back in October due to NSA spying, officials have been scrambling to find a solution or risk causing enormous disruption to US-Europe commerce.

    Both sides are desperate to make it work before the January 31 deadline imposed by Europe’s privacy guardians, the Article 29 Working Party, which warned it would “take all necessary and appropriate actions, which may include coordinated enforcement actions” if the deadline was not met.

    Under the Safe Harbor agreement, personal and private information on European citizens was allowed to leave the Continent and be stored in America – provided the US respected people’s privacy. The revelations of the NSA’s blanket surveillance of the internet shattered that trust, and so the agreement was scrapped. That’s a big problem for Silicon Valley.

    The negotiations have been a remarkable battle between an economically dominant US and privacy-respecting Europe.

    Also speaking at the conference, the EU’s digital economy representative to the US, Andrea Glorioso, pointed to the fact that the European Commission had developed 13 recommendations for changing the Safe Harbor agreement more than two years ago after the extent of US government spying, which included grabbing and storing internet data from such services as Facebook, Google and Twitter, was revealed.

    “Following Snowden’s revelations and the impact they had on the European public, rather than suspending the arrangement, we said Safe Harbor has to be improved, strengthened,” noted Glorioso. “We have been in discussion since October 2013 on those recommendations.”

    Not one of those recommendations was implemented by the US before the European Court of Justice struck down the agreement.

    Executive decision time

    For his part, Glorioso noted there had been no calls for legislative changes in the US and that recent changes – including executive orders issued by President Obama – should provide sufficient “flexibility” for the EC to achieve its main goal: resolution of the 13 recommendations made back in October 2013.

    “In Europe, we have these fundamental rights, but they are not always enforced,

    Reply
  30. Tomi Engdahl says:

    Show us the code! You should be able to peek inside the gadgets you buy – FTC commish
    Worried about privacy, security? McSweeny has an answer
    http://www.theregister.co.uk/2016/01/25/source_code_ftc_commissioner/

    FTC Commissioner Terrell McSweeny supports the idea of giving people access to the source code to stuff to ensure better security and privacy in the era of the internet of things.

    The idea is that obvious bad bugs and poor security mechanisms can be quickly spotted and either fixed or the item stays on the store shelf.

    Speaking at the State of the Net conference in Washington DC on Monday, McSweeny noted that US consumer watchdog the FTC was looking closely at the proliferation of connected devices that gather and store highly personal information.

    “It’s not just federal trade commissioners that are concerned about this, consumers are as well,” she noted, adding that she and the FTC are “deeply worried” about the security practices of many in the industry.

    McSweeny also stepped into the ongoing debate over encryption and backdoors.

    Speaking just moments after Assistant Attorney General Leslie Caldwell had given a keynote arguing that it was vital that law enforcement be able to access electronic information, McSweeny took the opposite tack and said she was opposed to backdoors being introduced or mandated because of the risk to consumer privacy.

    Caldwell told the conference “there really aren’t any more [physical] paper trails for us to follow, there are only virtual ones” and said that she hadn’t seen a single case in the past eight years, except for the most basic cases, in which electronic data wasn’t a component.

    The ability to access electronic material in a timely manner was “essential”, she argued, but it was becoming “more and more difficult to obtain data even when we have court orders to do so”.

    She also noted that there are “very real physical threats” and that without access to emails, instant messages and so on, it creates obstacles “that can and do stop our investigations in their tracks”. The ability to access encrypted information was a “public need”, she argued.

    Reply
  31. Tomi Engdahl says:

    Retailers urged to create ‘CCTV-like’ symbol to inform customers of mobile tracking
    You’re being followed… on your mobile… in the mall
    http://www.theregister.co.uk/2016/01/26/retailers_urged_to_create_cctvlike_symbol_to_inform_customers_of_mobile_tracking/

    Retailers have been urged to create a standard symbol, similar to the one used to denote the use of CCTV, to inform customers that their location within shopping areas is being tracked through their mobile device.

    The recommendation was contained in a new working paper that has been issued by an international working group on data protection in telecommunications on the topic of location tracking from communications of mobile devices.

    The working paper said that retailers that use location tracking technologies, whether through Wi-Fi, Bluetooth or other mobile communication tools, could potentially collect personal data by doing so. Organisations that collect and use personal data are subject to data protection laws. Retailers should disclose to customers that they are using location tracking technology using both physical and digital notices, it said.

    “Organisations must ensure that there is sufficient information, including a range of physical and digital signage, to clearly inform individuals that location technology is in operation,” the working paper said. “The information must clearly state the purpose for collection and identify the organisation responsible.”

    The working group’s paper said retailers should not “seek to collect and monitor outside their premises” and can avoid doing so “through careful placement of receivers, limiting data collection through a sampling method and to specified time periods or times of day”.

    Retailers were also advised to gain customers’ consent before they combine personal location data they collect with other data they hold on them. Consent should also be obtained before sharing “individually identifiable data with third parties”, the guidance said.

    “Retailers have for some time now been looking into the use of technology to enhance their customer offering from using beacon technologies and mobile apps to targeted billboards,” Livesey said. “Retailers should pay close attention to the working group’s recommendations because even if they do not intend to collect personal data by their use of in-store technologies they may inadvertently be doing so, particularly when communicating with customer’s smartphones.”

    “Retailers should be aware of the risks involved with using such technology and implement policies to minimise these risks”

    Reply
  32. Tomi Engdahl says:

    What if China went all GitHub on your website? Grab this coding tool
    But testing tool’s taking flak from top infosec bods
    http://www.theregister.co.uk/2016/01/15/china_github_attack_defence_test/

    A security developer has released a coding tool that aims to help websites test their defences against a China-style GitHub attack.

    China upgraded its infamous website blocking system, dubbed The Great Firewall, last year so that it was capable of blasting foreign businesses and orgs off the internet.

    The weaponised censorship tool was reportedly deployed against US-based GitHub.com, which was hosting two projects that circumvented the Great Firewall’s censorship mechanisms at the time, and GreatFire.org, a free speech website dedicated to fighting China’s web censorship last March.

    The Great Firewall of China was used to change JavaScript files being returned for requests to Baidu, in order to push a massive Layer 7 traffic flood against Github.

    GitHub mitigated the assault but concerns remained that follow-ups, and perhaps even more powerful JavaScript-based DDoS assaults, might be launched.

    In response, internet plumbers developed a technique called Subresource Integrity (SRI), which is geared towards pulling the fangs from this type of attack, as previously reported. The technique, backed by the World Wide Web Consortium (W3C), assigns a cryptographic hash to Content Delivery Network-hosted JavaScript and Cascading Style Sheet (CSS) assets to protect them against tampering.

    In order to boost this security protection technique, Gabor Szathmari has published a new service to scan and grade websites for SRI hashes. The sritest.io service scans submitted websites and grades them against compliance.

    Slow train to SRI

    SRI seems to be akin to DNSSec in that there’s a genuine debate about how useful the technology is and that this may be a factor in its slow roll-out, it seems to El Reg’s security desk.

    Szathmari has his own take on the slow adoption of SRI. “The technology is relatively new and the adoption rate is poor, because website developers need to modify their HTML source code to include SRI hashes in the script and link tags,” he told El Reg.

    https://sritest.io/

    Reply
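What SRI actually pins, and what a grader like the one mentioned above looks for, is easy to show in a few lines. The following is an added example and not code from the article, from sritest.io or from the W3C: it computes the integrity value for an asset, verifies a served body against an integrity attribute the way a browser does (strongest listed algorithm wins), and audits a page for cross-origin scripts and stylesheets that carry no integrity attribute at all. The page, the asset body and the host names are constructed placeholders.

```python
import base64
import hashlib
import hmac
from html.parser import HTMLParser
from urllib.parse import urlparse

SRI_ALGOS = ("sha256", "sha384", "sha512")  # weakest to strongest, per the SRI spec


def integrity_for(body: bytes, algo: str = "sha384") -> str:
    """Value for integrity="": '<algo>-<base64 digest of the exact bytes served>'."""
    if algo not in SRI_ALGOS:
        raise ValueError("SRI only allows sha256/sha384/sha512")
    digest = hashlib.new(algo, body).digest()
    return algo + "-" + base64.b64encode(digest).decode("ascii")


def verify_integrity(body: bytes, integrity: str) -> bool:
    """Browser rule: keep tokens with a supported algorithm, take the strongest
    algorithm present, accept the body if it matches any token of that algorithm."""
    tokens = [t for t in integrity.split() if t.split("-", 1)[0] in SRI_ALGOS]
    if not tokens:
        return False  # no usable metadata: nothing was actually pinned
    strongest = max((t.split("-", 1)[0] for t in tokens), key=SRI_ALGOS.index)
    expected = integrity_for(body, strongest)
    return any(hmac.compare_digest(t, expected)
               for t in tokens if t.startswith(strongest + "-"))


class SriAudit(HTMLParser):
    """Collect scripts and stylesheets fetched from another origin without an
    integrity attribute: the assets a compromised CDN or an on-path injector
    (the Baidu JavaScript case above) could replace unnoticed."""

    def __init__(self, page_host: str):
        super().__init__()
        self.page_host = page_host
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            url = a["src"]
        elif tag == "link" and (a.get("rel") or "").lower() == "stylesheet" and a.get("href"):
            url = a["href"]
        else:
            return
        host = urlparse(url).netloc
        if host and host != self.page_host and not a.get("integrity"):
            self.findings.append((tag, url))


def audit(html: str, page_host: str) -> list:
    """(tag, url) pairs for cross-origin assets that lack SRI on the given page."""
    parser = SriAudit(page_host)
    parser.feed(html)
    return parser.findings


# Constructed sample asset and page; hosts are placeholders, not real sites.
LIB_JS = b"window.lib = {version: 1};\n"
SAMPLE_PAGE = """
<html><head>
<link rel="stylesheet" href="https://cdn.example.net/site.css">
<script src="/js/local.js"></script>
<script src="https://cdn.example.net/lib.js" integrity="LIB_INTEGRITY" crossorigin="anonymous"></script>
<script src="https://cdn.example.net/analytics.js"></script>
</head><body></body></html>
""".replace("LIB_INTEGRITY", integrity_for(LIB_JS))

if __name__ == "__main__":
    for tag, url in audit(SAMPLE_PAGE, "www.example.com"):
        print("missing integrity: <%s> %s" % (tag, url))
    print("lib.js as published:", verify_integrity(LIB_JS, integrity_for(LIB_JS)))
    print("lib.js with injected code:",
          verify_integrity(LIB_JS + b"/*injected*/", integrity_for(LIB_JS)))
```

Two practical notes follow from the code: the digest covers the exact bytes served, so any re-minification or version bump on the CDN breaks the page until the attribute is regenerated (the maintenance cost Szathmari describes), and a cross-origin asset also needs the crossorigin attribute, because without CORS the browser cannot read the body to hash it and refuses the load.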
  33. Tomi Engdahl says:

    Sending a single link can cause anyone’s smartphone to crash
    http://thenextweb.com/insider/2016/01/25/sending-a-single-link-can-cause-anyones-smartphone-to-crash/

    There’s a link doing the rounds on social media today that can crash almost any smartphone, just by opening it in your browser.

    The aptly named crashsafari.com [this will crash your browser — even Chrome] does what it says on the box — it crashes the browser by writing thousands of characters in the address bar every second, exhausting memory.

    The attack is just four lines of code, and can cause an iPhone or Android phone to crash both Safari or Chrome, or reboot the entire phone itself. It even works against some desktop browsers, depending on how much RAM and CPU the machine has available.

    It leverages HTML5’s history.pushState, a JavaScript function used by many single page applications to update the address bar, even though the underlying page being viewed doesn’t change.

    People are sending the link around on social media disguised by a short URL, to trick others into opening it and cause them to be unable to open their browsers until a reboot is completed.

    The bug isn’t exactly malicious — it doesn’t break anything and can be easily rectified, but it is annoying.

    Reply
  34. Tomi Engdahl says:

    Sending link to website lets you crash Safari and anyone’s iPhone
    Prank website forces iPhones to reboot and will cause computers and Android devices to hang
    http://www.theguardian.com/technology/2016/jan/25/sending-link-to-website-lets-you-crash-safari-and-anyones-iphone?CMP=twt_a-technology_b-gdntech

    Reply
  35. Tomi Engdahl says:

    TP-LINK’s WiFi Defaults to Worst Unique Passwords Ever
    http://hackaday.com/2016/01/27/tp-links-wifi-defaults-to-worst-unique-passwords-ever/

    This “security” is so outrageous we had to look for hidden cameras to make sure we’re not being pranked. We don’t want to ruin the face-palming realization for you, so before clicking past the break look closely at the image above and see if you can spot the exploit. It’s plain as day but might take a second to dawn on you.

    The exploit was published on [Mark C.’s] Twitter feed after waiting a couple of weeks to hear back from TP-LINK about the discovery. They didn’t respond so he went public with the info.

    During the design phase someone had the forethought to make a WiFi AP password that isn’t merely a default. But that’s where this went off the rails. They did the next worst thing, which is to assign a password that gets broadcast publicly: the last eight characters of the MAC address. This will be unique for each device, but it is also promiscuously broadcast to any device that cares to listen.

    We know what you’re thinking. Users should always change default passwords anyway. But our devices need to be secure by default.

    https://twitter.com/LargeCardinal/status/682591420969029632
    @TPLINK Spot the #zeroday in your TL-WR702N routers. Do you even test your #infosec? This is so stupid, it’s funny.

    Reply
  36. Tomi Engdahl says:

    Goodbye Applets: Another Cruddy Piece of Web Tech Is Finally Going Away
    http://www.wired.com/2016/01/goodbye-applets-another-cruddy-piece-of-web-tech-is-finally-going-away/

    Another piece of old, insecure web infrastructure is about to be killed off.

    Oracle says that it’s discontinuing its Java browser plugin starting with the next big release of the programming language. No, Oracle isn’t killing the Java programming language itself, which is still widely used by many companies. Nor is it killing off JavaScript, which is a completely different language that Oracle doesn’t control. What Oracle is getting rid of is a plugin that allows you to run programs known as “Java applets” in your browser.

    You may not think you even have the Java plugin installed, but if you’ve ever installed Java, or if Java came pre-installed on your computer, then you probably do, even if you never use it. The good news is that Oracle won’t be automatically installing the Java plugin when you install Java anymore. The bad news is that it won’t be providing security updates anymore either, so you should go ahead and uninstall it now. In fact, there’s a good chance you can uninstall Java entirely.

    With Microsoft dropping support for old versions of Internet Explorer and Adobe slowly phasing out Flash, it looks like a nightmarish era for web security is finally drawing to an end.

    Reply
  37. Tomi Engdahl says:

    NSA Hacker Chief Explains How to Keep Him Out of Your System
    http://www.wired.com/2016/01/nsa-hacker-chief-explains-how-to-keep-him-out-of-your-system/

    Joyce is head of the NSA’s Tailored Access Operations—the government’s top hacking team who are responsible for breaking into the systems of its foreign adversaries, and occasionally its allies.

    Joyce himself did little to shine a light on the TAO’s classified operations. His talk was mostly a compendium of best security practices. But he did drop a few of the not-so-secret secrets of the NSA’s success, with many people responding to his comments on Twitter.

    How the NSA Gets You

    In the world of advanced persistent threat actors (APT) like the NSA, credentials are king for gaining access to systems. Not the login credentials of your organization’s VIPs, but the credentials of network administrators and others with high levels of network access and privileges that can open the kingdom to intruders. Per the words of a recently leaked NSA document, the NSA hunts sysadmins.

    The NSA is also keen to find any hardcoded passwords in software or passwords that are transmitted in the clear—especially by old, legacy protocols—that can help them move laterally through a network once inside.

    And no vulnerability is too insignificant for the NSA to exploit.

    “Don’t assume a crack is too small to be noticed, or too small to be exploited,” he said. If you do a penetration test of your network and 97 things pass the test but three esoteric things fail, don’t think they don’t matter. Those are the ones the NSA, and other nation-state attackers will seize on, he explained. “We need that first crack, that first seam. And we’re going to look and look and look for that esoteric kind of edge case to break open and crack in.”

    Even temporary cracks—vulnerabilities that exist on a system for mere hours or days—are sweet spots for the NSA.

    If you’ve got trouble with an appliance on your network, for example, and the vendor tells you to briefly open the network for them over the weekend so they can pop in remotely and fix it, don’t do it. Nation-state attackers are just looking for an opportunity like this

    The heating and cooling systems and other elements of building infrastructure also provide unexpected pathways into your network. Retail giant Target, of course, is very familiar with how a company’s HVAC system can be a gateway for attackers.

    Left unsaid were a lot of the other nifty ways the NSA gets into systems, such as its Quantum insert code injection technique, which allowed it and the British spy agency GCHQ to hack the Belgium telecom Belgacom.

    In general, Joyce noted, spies have little trouble getting into your network because they know better than you what’s on it.

    “We put the time in …to know [that network] better than the people who designed it and the people who are securing it,”

    How to Keep the NSA Out

    If you really want to make the NSA’s life hard, he ticked off a list of things to do: limit access privileges for important systems to those who really need them; segment networks and important data to make it harder for hackers to reach your jewels; patch systems and implement application whitelisting; remove hardcoded passwords and legacy protocols that transmit passwords in the clear.

    Another nightmare for the NSA? An “out-of-band network tap”—a device that monitors network activity and produces logs that can record anomalous activity—plus a smart system administrator who actually reads the logs and pays attention to what they say.

    Reply
  38. Tomi Engdahl says:

    California Police Used Stingrays in Planes to Spy on Phones
    http://www.wired.com/2016/01/california-police-used-stingrays-in-planes-to-spy-on-phones/

    The government’s use of a controversial invasive technology for tracking phones just got a little more controversial.

    The Anaheim Police Department has acknowledged in new documents that it uses surveillance devices known as Dirtboxes—plane-mounted stingrays—on aircraft flying above the Southern California city that is home to Disneyland, one of the most popular tourist destinations in the world.

    According to documents obtained by the American Civil Liberties Union of Northern California, the Anaheim Police Department has owned the Dirtbox since 2009 and a ground-based stingray since 2011, and may have loaned out the equipment to other cities across Orange County in the nearly seven years it has possessed the equipment.

    “This cell phone spying program—which potentially affects the privacy of everyone from Orange County’s 3 million residents to the 16 million people who visit Disneyland every year—shows the dangers of allowing law enforcement to secretly acquire surveillance technology,” Matt Cagle, technology and civil liberties policy attorney for ACLU-NC, wrote in a blog post about the new documents.

    Reply
  39. Tomi Engdahl says:

    Sean Gallagher / Ars Technica:
    NSA, GCHQ used open source software to spy on Israeli, Syrian drones
    http://arstechnica.com/information-technology/2016/01/nsa-gchq-used-open-source-software-to-spy-on-israeli-syrian-drones/

    Image tools unscrambled encrypted analog video feeds, documents reveal.

    Documents provided to The Intercept by National Security Agency whistleblower Edward Snowden show new evidence of a long-running surveillance campaign against drones flown by the Israelis, Syrians, and other nations in the region. The operation by the United Kingdom’s Government Communications Headquarters (GCHQ) signals intelligence organization, with the assistance of the NSA, intercepted scrambled analog video feeds from remotely piloted aircraft and tracked the movement of drones. In some cases, the operation even intercepted video from Israeli fighter aircraft during combat missions.

    There was no supercomputing magic involved in at least most of the video interceptions. As part of an operation codenamed “Anarchist,” NSA and GCHQ analysts used Image Magick (an open source image manipulation tool) and other open source software developed to defeat commercial satellite signal encryption. One of the tools, called antisky, was developed by Dr. Markus Kuhn of the University of Cambridge’s Computer Laboratory. The tools could be used by anyone able to intercept satellite signal feeds then exhibit the patience and skill to sort through the pixels. However, the conversion to digital video feeds on some drones has apparently made video interception more difficult.

    Many of the images captured were from low-resolution analog feeds used to check the condition of the drones themselves. This allowed the GCHQ and NSA to get a view of the payload of the drones but not necessarily their surveillance data.

    Reply
  40. Tomi Engdahl says:

    Eduard Kovacs / SecurityWeek:
    Attackers using Word documents to deliver BlackEnergy malware linked to recent attacks targeting Ukraine’s critical infrastructure

    Attackers Use Word Docs to Deliver BlackEnergy Malware
    http://www.securityweek.com/attackers-use-word-docs-deliver-blackenergy-malware

    The advanced persistent threat (APT) actor behind the recent attacks targeting Ukraine has started delivering BlackEnergy malware using specially crafted Word documents with embedded macros.

    BlackEnergy malware, which is leveraged by one or multiple groups, has become increasingly sophisticated and its operators have been using it to target energy and ICS/SCADA companies from across the world. A recent campaign involving BlackEnergy malware has been seen targeting Ukraine’s critical infrastructure.

    A coordinated attack launched against the country’s energy sector in December resulted in power outages in the Ivano-Frankivsk region. Investigators found BlackEnergy malware on infected systems, along with a destructive plugin known as KillDisk that is designed to delete data and make systems inoperable. However, experts believe the malware is not directly responsible for the outages, and instead it only helped attackers cover their tracks and make it more difficult to restore service.

    Ukrainian security firm Cys Centrum reported last year that the attackers had leveraged PowerPoint presentations to deliver the malware. In mid-2015, threat actors started using specially crafted Excel spreadsheets with embedded macros to drop the Trojan onto targeted systems.

    Reply
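The delivery vehicle described above, an Office document with an embedded macro, is something a mail gateway or triage script can recognise from the container alone, before any macro code is looked at. As an added example (not from the article, SecurityWeek or the BlackEnergy research), the block below inspects an Office Open XML package for a VBA project using two independent indicators, the vbaProject.bin part and the VBA content type declared in [Content_Types].xml, and turns that into a simple allow/quarantine/inspect decision. The sample documents are constructed in memory for the demonstration.

```python
import io
import zipfile

VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls/.ppt container


def ooxml_macro_report(blob: bytes) -> dict:
    """Look inside an Office Open XML package (docx/docm/xlsx/xlsm/pptm ...) for
    a VBA project. Either indicator alone means the file carries macro code,
    whatever extension the attachment was given."""
    report = {"is_ooxml": False, "indicators": [], "vba_parts": []}
    if not blob.startswith(b"PK\x03\x04"):
        return report
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        return report
    names = zf.namelist()
    if "[Content_Types].xml" not in names:
        return report
    report["is_ooxml"] = True
    report["vba_parts"] = [n for n in names if n.lower().endswith("vbaproject.bin")]
    if report["vba_parts"]:
        report["indicators"].append("vbaProject.bin part present")
    ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
    if VBA_CONTENT_TYPE in ctypes:
        report["indicators"].append("VBA content type declared")
    return report


def triage(blob: bytes) -> str:
    """Gateway-style decision for one attachment body."""
    report = ooxml_macro_report(blob)
    if report["indicators"]:
        return "quarantine"
    if not report["is_ooxml"] and blob.startswith(OLE2_MAGIC):
        return "inspect"   # binary Office format: VBA lives in an OLE storage, needs an OLE parser
    return "allow"


def build_ooxml(parts: dict) -> bytes:
    """Pack part name -> bytes into a zip container the way Office does."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in parts.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: a plain .docx and a macro-enabled .docm skeleton.
CT_HEAD = ('<?xml version="1.0" encoding="UTF-8"?>\n'
           '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">\n')
CLEAN_DOCX = build_ooxml({
    "[Content_Types].xml": CT_HEAD + '<Override PartName="/word/document.xml" '
        'ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>\n</Types>',
    "word/document.xml": "<w:document/>",
})
MACRO_DOCM = build_ooxml({
    "[Content_Types].xml": CT_HEAD + '<Override PartName="/word/document.xml" '
        'ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/>\n'
        '<Override PartName="/word/vbaProject.bin" ContentType="' + VBA_CONTENT_TYPE + '"/>\n</Types>',
    "word/document.xml": "<w:document/>",
    "word/vbaProject.bin": OLE2_MAGIC + b"\x00" * 24,   # placeholder VBA storage, not real macro code
})

if __name__ == "__main__":
    for label, blob in (("clean.docx", CLEAN_DOCX), ("invoice.docm", MACRO_DOCM)):
        r = ooxml_macro_report(blob)
        print(label, "->", triage(blob), r["indicators"], r["vba_parts"])
```

The check is about presence, not intent: a payroll spreadsheet with a legitimate macro fires the same indicators. What it gives a defender is a cheap, format-level gate that does not depend on signatures for any particular malware family, which matters when a group switches carriers from PowerPoint to Excel to Word as this one did.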
  41. Tomi Engdahl says:

    Guardian:
    How Facebook tracks voters’ political habits and contact information for targeted campaign ads across devices

    How Facebook tracks and profits from voters in a $10bn US election
    http://www.theguardian.com/us-news/2016/jan/28/facebook-voters-us-election-ted-cruz-targeted-ads-trump

    Social network lets campaigns match profiles with political habits and contact info, as Silicon Valley influence becomes ‘game-changer’ for targeted ads

    Reply
  42. Tomi Engdahl says:

    Mokes is known as one of the first pieces of malware made for the Linux platform. It was a Trojan which, for example, Dr. Web and Kaspersky identified.

    Now Mokes has come to the Windows side, and stronger.
    A functioning Windows version of Mokes has now emerged. The unfortunate part for users is that, for example, the previously dormant keylogger feature is now active.
    Windows Mokes installs itself into pre-defined Windows system folders. After that the program connects to its servers. It stores the stolen data locally, and the information is sent to the server when the server requests it.
    Mokes is coded in C++ and Qt.

    Source: http://etn.fi/index.php?option=com_content&view=article&id=3921:linux-troijalainen-tuli-vahvempana-windowsiin&catid=13&Itemid=101

    Reply
  43. Tomi Engdahl says:

    Lincolnshire County Council ‘will not pay cyber ransom’
    http://www.bbc.com/news/uk-england-lincolnshire-35453801

    A council whose computer systems were closed down by a cyber attack has said it will not be paying out a ransom.

    Lincolnshire County Council’s systems were closed on Tuesday after an email was opened that triggered the malware attack.

    Initially thought to have been asked for a £1m ransom, the council said it was actually asked to pay $500 (£350).

    Judith Hetherington-Smith, from the council, said: “We are not going to pay… we wouldn’t pay a ransom fee.”

    ‘Pen and paper’

    Mrs Hetherington Smith said the council’s systems had been closed down so they could not be compromised.

    The council has scanned and checked 458 servers and 70 terabytes of data “to make sure it’s clean”.

    Reply
  44. Tomi Engdahl says:

    Which European country is worse and more aggressive than it looks in terms of collecting our data? And why is that?

    UK is pretty bad and it shows. :-)

    FR appears less in the public debate but – yeah – they collect lots of material in bulk.

    DE has a reputation of being privacy-conscious. And at the same time their intelligence services have repeatedly been exposed as conducting something nasty.

    SE was markedly open in their intentions, I give them plus on that one.

    FI is now following the lead of .. yeah, whose..?

    Source: https://www.reddit.com/r/IAmA/comments/433mgv/im_erka_koivunen_a_finnish_cybersecurity_expert_i/

    Reply
  45. Tomi Engdahl says:

    Joseph Cox / Motherboard:
    Tech Firms Are Unclear on New UK Surveillance Laws, Warns Government Committee
    http://motherboard.vice.com/read/tech-firms-are-unclear-on-new-uk-surveillance-laws-warns-government-committee

    The wording of the UK’s proposed surveillance law is so vague that tech companies have little idea what data it would require them to store, a new government report has said. Companies are also concerned about the cost and feasibility of collecting such data, and are unclear on the law’s position regarding encryption.

    “The Government must urgently review the legislation so that the obligations on the industry are clear and proportionate,” wrote Nicola Blackwood MP, chair of the Science and Technology Committee, in a statement. The committee has been taking evidence from activists, academics, and tech companies around the draft Investigatory Powers Bill, a proposed piece of legislation that will force internet service providers (ISPs) to store all customers’ browsing history for 12 months, among other things.

    This data collection includes the creation of so-called internet connection records, or ICRs. An ICR is, according to Home Secretary Theresa May, “a record of the communications service that a person has used, not a record of every web page they have accessed.” That could include information such as a record of when you visit a specific website or when you use WhatsApp on your phone.

    Reply
  46. Tomi Engdahl says:

    Danny Yadron / Guardian:
    Ashkan Soltani, who contributed to reporting on Snowden docs, departs White House Office of Science and Technology Policy after being denied security clearance

    White House denies clearance to tech researcher with links to Snowden
    http://www.theguardian.com/technology/2016/jan/29/white-house-tech-researcher-denied-security-clearance-edward-snowden-nsa

    Pulitzer prize-winning journalist and security researcher Ashkan Soltani says he has been denied security clearance for his new job with White House

    The White House has denied a security clearance to a member of its technology team who previously helped report on documents leaked by Edward Snowden.

    His departure raises questions about the US government’s ability to partner with the broader tech community, where people come from a more diverse background than traditional government staffers.

    It also suggests that nearly three years later, the Snowden episode remains a highly charged issue inside the Obama administration. Recently some current and former administration officials said the former NSA contractor sparked a “necessary debate” on surveillance, even if they disagreed with his tactics.

  47. Tomi Engdahl says:

    Obama: ‘we can do better’ on surveillance programs respecting privacy – as it happened
    http://www.theguardian.com/us-news/live/2015/jan/16/obama-cameron-joint-press-conference-meeting-live

  48. Tomi Engdahl says:

    DNA Got a Kid Kicked Out of School—And It’ll Happen Again
    http://www.wired.com/2016/02/schools-kicked-boy-based-dna/

    A few weeks into sixth grade, Colman Chadam had to leave school because of his DNA.

    The situation, odd as it may sound, played out like this. Colman has genetic markers for cystic fibrosis, and kids with the inherited lung disease can’t be near each other because they’re vulnerable to contagious infections.

    Yes, genetic discrimination. Get used to those two words together, because they’re likely to become a lot more common. With DNA tests now cheap and readily available, the number of people getting tests has gone way up—along with the potential for discrimination based on the results. When Colman’s school tried to transfer him based on his genetic status, the lawsuit alleges, the district violated the Americans With Disabilities Act and Colman’s First Amendment right to privacy. “This is the test case,” says the Chadams’ lawyer, Stephen Jaffe.

    To experts in genetics law, four letters are conspicuously missing from the legal wrangling: GINA, or the federal Genetic Information Nondiscrimination Act of 2008. GINA bars genetic discrimination in just two cases: employment or health insurance. That obviously doesn’t include getting education and housing and plenty of other situations where discrimination might happen. “This case is a useful reminder about the limitations of the federal statute,”

    In the fifteen years since Colman got a DNA test as a baby, tests have only gotten cheaper and more popular. You have 23andMe’s $199 spit test, of course, but also the National Institutes of Health pumping $25 million into baby sequencing studies.

  49. Tomi Engdahl says:

    123456 is still the world’s most popular password
    Because morons
    http://www.theinquirer.net/inquirer/news/2442375/123456-is-still-the-worlds-most-popular-password

    WE ARE still a few years off the so-called ‘post password age’ and yet the message about not using obvious passwords is failing to get through.

    The fifth annual password survey from Splash Data has shown that there is still a huge chunk of people who think that ’123456′ and ‘password’ are safe. In fact, they’re the two most popular.

    ’12345678′ has gone up one place, and so has ‘qwerty’, while ’12345′ is down two places. In other words, there’s been a shift about, but essentially the top five is identical to last year’s.

    Let’s pause here for a Public Service Announcement: CHANGE THESE PASSWORDS. THEY ARE NOT SAFE!!!

  50. Tomi Engdahl says:

    Intel’s security extensions are SGX: secure until you look at the detail
    MIT research suggests Intel’s taking risks with its locked-down container tech
    http://www.theregister.co.uk/2016/02/01/sgx_secure_until_you_look_at_the_detail/

    A pair of cryptography researchers have published a graduate thesis that accuses Intel of breaking its “Software Guard Extensions” (SGX) security model by bad implementation decisions.

    Victor Costan and Srinivas Devadas of MIT write (PDF) that the SGX architecture operates by sending symmetric keys over the Internet.

    Launched in 2013, SGX added a set of CPU commands that let programmers create locked containers, with hardware enforcing access to both the code and data inside the container.

    The long and very detailed analysis of SGX was published at the respected International Association for Cryptologic Research, and gets out the chainsaw when it comes to describing the system’s “attestation model”.

    What’s at issue here is that there seems to be a serious gap between how the model works, and how Chipzilla explained how it works to developers.

    Green’s concerns are directed to a detailed and technical analysis in Section 5.8 of the paper, perhaps best crystallised in this (from Section 6.6.1):

    “Once initialised, an enclave is expected to participate in a software attestation process, where it authenticates itself to a remote server. Upon successful authentication, the remote server is expected to disclose some secrets to an enclave over a secure communication channel”.

    The problem is that, as the image in Green’s Tweet (from the paper, reproduced in full left) shows, Intel intends the symmetrical provisioning key to reside both in the SGX-enabled chip and in Intel servers.

    That puts Intel in a position of huge power, they write: “Intel has a near-monopoly on desktop and server-class processors, and being able to decide which software vendors are allowed to use SGX can effectively put Intel in a position to decide winners and losers in many software markets.”

    Intel SGX Explained
    http://eprint.iacr.org/2016/086.pdf

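As an added illustration (not code from the paper, from Intel, or from the comment above), here is a simplified Python model of the attestation flow the quoted passage describes: an enclave report is a MAC over the enclave measurement under a symmetric provisioning key, so every party holding that key (the CPU and, in the paper's account, Intel's servers) can produce reports the remote server accepts. The report format, function names and the key value are constructed for this example and are not SGX's real structures.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed stand-in for the symmetric provisioning key that, in the paper's
# description, lives both in the CPU and on Intel's servers (demo value only).
PROVISIONING_KEY = b"constructed-provisioning-key-for-demo-only"

@dataclass(frozen=True)
class Report:
    measurement: bytes  # hash of the enclave's initial code and data
    nonce: bytes        # freshness value chosen by the remote server
    tag: bytes          # MAC over measurement || nonce

def measure(enclave_image: bytes) -> bytes:
    """Enclave measurement: a hash of the loaded image (simplified)."""
    return hashlib.sha256(enclave_image).digest()

def make_report(key: bytes, measurement: bytes, nonce: bytes) -> Report:
    """Anyone holding `key` can issue a report: here both the CPU and the
    key-provisioning service, which is the trust concern the paper raises."""
    tag = hmac.new(key, measurement + nonce, hashlib.sha256).digest()
    return Report(measurement, nonce, tag)

def verify_report(key: bytes, report: Report, nonce: bytes, trusted: set) -> bool:
    """Remote server: check freshness, then the MAC, then its own policy."""
    if report.nonce != nonce:
        return False
    expected = hmac.new(key, report.measurement + nonce, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, report.tag):
        return False
    return report.measurement in trusted

def attestation_demo() -> dict:
    """Returns which reports the server accepts in three constructed cases."""
    image = b"constructed enclave image v1"
    trusted, nonce = {measure(image)}, os.urandom(16)
    genuine = make_report(PROVISIONING_KEY, measure(image), nonce)
    # Image changed after the tag was computed: the MAC no longer matches.
    tampered = Report(measure(b"modified image"), nonce, genuine.tag)
    # Any other holder of the same symmetric key (the provisioning service in
    # the paper's model) can mint an indistinguishable report without running
    # any enclave; the server has no way to tell it from `genuine`.
    minted = make_report(PROVISIONING_KEY, measure(image), nonce)
    return {name: verify_report(PROVISIONING_KEY, r, nonce, trusted)
            for name, r in [("genuine", genuine), ("tampered", tampered),
                            ("minted_by_key_holder", minted)]}
```

The third case is the point of the quoted criticism: with a shared symmetric key, the verifier's trust in a report is only as strong as its trust in every holder of that key.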
