Security trends for 2016

Here are my predictions for trends in information security and cyber security for the year 2016.

2015 was a bad year for information security, and I would say that the trend is worrying. So I expect that 2016 will bring many information security challenges. If you want to keep yourself up at night, spend some time reading about the latest developments in cybersecurity. In 2015 airplanes were hacked, cars were hacked, and vulnerabilities were found in a breathtaking range of sensitive equipment, from TSA locks to voting booths to medical devices. The big picture is even scarier. Former NSA Director Mike McConnell suspects China has hacked “every major corporation” in the US. Those problems will continue in 2016, and new targets for attacks will be found. The system is broken. It isn’t keeping us, our companies, or our government safe. Worse yet, no one seems to know how to fix it.

Attacks through networks are becoming more common all the time. It will be hard to protect against targeted attacks. Hackers will not only customize malware, but they will increasingly use sophisticated phishing and social engineering tricks to gain access to sensitive data. Attackers usually cover their tracks carefully, so identifying who is behind an attack can be very difficult. Behind targeted attacks are usually professional criminals. Criminals do not respect geographical borders, so attacks are spread evenly everywhere. Companies will struggle to absorb the security threats of mixed PC and mobile device fleets in 2016.

 


EU information security decisions made in late 2015 will have an impact on what comes in 2016: the new EU data protection legislation package was approved, and the EU Court of Justice ruled that the Safe Harbor procedure is invalid. This means that transfers of personal data from EU countries to the United States under Safe Harbor now violate the law; you need some other legal basis for them. The situation will probably get clarified during 2016. The data protection legislation changes will lead to increased fines for the unprepared. Legal uncertainty and big fines are a toxic cocktail for some companies. The combination of stiff penalties and ambiguously worded provisions in the new EU-wide data protection law, which would replace a patchwork of 28 national laws, raises daunting prospects for companies operating in Europe.

After the huge number of user information leaks in 2015 from all kinds of Internet services, cloud companies will face the challenge of earning trust in their security. You might have dared to trust “the right cloud services”, since from the traditional information security point of view they mostly seem fine, but the leaks have raised privacy issues on top of that.

New environments will bring new threats. New operating system versions mean that administrators and users are less familiar with the environments. IPv6 will get more widely used, and the security of IPv6 networks is different from IPv4. One concrete difference: most hosts enable IPv6 by default, so filtering rules written only for IPv4 leave an unfiltered second path into the same machines. Organizations are moving to virtualized environments, which are complex and create network layers that can become an attack vector. Growing network virtualization functionality and programmability are both an opportunity and a threat to security. Cyber security research will be important in 2016 because 5G networks will be critical infrastructure on top of which, for example, transport, industry, health care and new operators will set up their business around 2020.

The huge volume of information security news is becoming harder and harder to manage in 2016. A key problem with security revelations, as with all other news coverage, is the exponential growth of information. There are a variety of daily news summaries, but they are not enough to get a good picture of what is happening. There are bigger and smaller news items whose impact is at times very difficult to assess. SMBs will become a bigger target for cybercriminals. Network and security professionals continue to be among the toughest IT talent to find and hire.

The old way of network security, focused on perimeter defense, is not enough in 2016. The old mantras “encrypt everything” and “secure the perimeter” are not enough. One deceptive truth seems to drive much of the cybersecurity industry down a rabbit hole: if you keep bad actors and bad software out of your system, you have nothing to worry about. It does not work like that anymore. As perimeter security gets stronger, malicious actors are looking for easier entry points to compromise an organisation through the breadth of its digital attack surface. Now malicious actors target “endpoints”, any device or sensor connected to a network, to break into that network. Traditional sandboxing will no longer protect against the growing malware landscape. Today, most private networks have far too many endpoints to properly secure. In an age of “Bring Your Own Device”, the cloud, remote access, and the Internet of Things, there are too many vulnerabilities hackers can exploit. Keep in mind that everything connected to the Internet can, and will, be hacked. To address those threats in 2016, security experts should assume compromise, that hackers and malware already have breached their defenses or soon will, and instead classify and mitigate threats. In addition to the public key infrastructure lock-and-key system you will also need an integrity solution that acts like an alarm: a known-good baseline of what your systems and files should look like, and a check that raises an alert when something deviates from it. To protect against advanced threats, security professionals will increase their reliance on centralized security management solutions. You need to have prioritization and response plans for various kinds of breaches, with a strong focus on integrity.

The tension between law enforcement and Silicon Valley will continue to be strong throughout 2016. In 2015 law enforcement and politicians on both sides of the Atlantic lined up to repeatedly complain that the web was “going dark” as a result of end-to-end encryption and that this was hampering the investigation of terrorism and other serious crimes. Technologists and cryptographers argue that governments are trying to weaken encryption by demanding some form of privileged access for government. It’s not clear how much encryption the NSA can break. With renewed focus on how encrypted messages can be used to plot terrorist attacks, President Barack Obama’s administration is stepping up pressure on the tech sector to help in the battle. Privacy remains a major counter-argument. It seems that governments lie about encryption backdoors. Encryption systems weakened by mandated backdoors would not be effective in fighting the terrorists that governments invoke as their reason for wanting those backdoors in the first place.

But this does not stop some government officials from demanding such a thing, with varying success in different countries. Another fact is that the existence of coded communications is a reality, and the U.S. may not be able to do much about it because nearly everyone living in modern society uses it: encryption protects your bank information, prevents your password from being stolen when you log into a website, and allows all e-commerce transactions to take place securely. Encryption weakened by mandated backdoors would put all of us at an enormous risk of exposure from data breaches and associated online risks. The truth in 2016 is that any form of privileged access for government, i.e. a backdoor, would inevitably weaken crypto-systems and make them more vulnerable to attacks by foreign governments’ intelligence agencies as well as criminals. Juniper’s VPN security hole is proof that government backdoors are bonkers: a hidden access mechanism is a vulnerability for whoever finds it, not only for whoever planted it. Encryption backdoors would be a gleeful win-win for terrorists and a horrific lose-lose for you, the bad guys having strong protections for their data and the rest of us not. Poorly thought-out and crude surveillance techniques can have a devastating effect on a country’s internet security. For example, Kazakhstan will force its citizens to install internet backdoors by requiring all Internet users to install a state-issued root certificate by January 1, 2016; a root certificate trusted by every browser and application on the device lets whoever holds its private key issue certificates for any site and so intercept the user’s TLS traffic.

Google, Mozilla and Microsoft are pushing for an early SHA-1 cutoff that could happen in 2016 instead of the earlier planned January 1, 2017, because recent research has shown that SHA-1 is weaker than previously believed: finding collisions is within reach without enormous effort. Mozilla, Microsoft and now Google are all considering bringing the deadline forward by six months to July 1, 2016. SHA-2 is going to be used as the replacement function for SHA-1. Websites like Facebook and those protected by CloudFlare have implemented a SHA-1 fallback mechanism for those clients that do not support SHA-2. Chrome will start displaying errors if SHA-1 certificates are used in early 2016 and will completely stop supporting SHA-1 certificates at the end of 2016. Note that the deprecation concerns the certificate signature algorithm: a certificate whose own signature, or whose intermediate CA’s signature, is sha1WithRSAEncryption will be rejected regardless of the strength of the key inside it.
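To find out whether a certificate you operate will be hit by the cutoff, you need to look at the signature algorithm in the outer AlgorithmIdentifier of the X.509 structure, not at the key type. The following is an added example (not code from the original post, nor from any browser vendor): a minimal DER walker that extracts that OID from a certificate and flags MD5/SHA-1 signatures. The OID table and the `fake_cert()` input are constructed for the example; the skeleton it builds is just enough structure for the parser and is not a valid certificate.

```python
import base64
import re

# Signature-algorithm OIDs as they appear in the X.509 AlgorithmIdentifier (constructed table).
SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}
WEAK_SIG_ALGS = {"md5WithRSAEncryption", "sha1WithRSAEncryption", "ecdsa-with-SHA1"}


def tlv(tag: int, value: bytes) -> bytes:
    """DER-encode one tag/length/value element (short or long-form length)."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + value


def read_tlv(buf: bytes, pos: int):
    """Decode the DER element starting at pos; returns (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next N bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def encode_oid(dotted: str) -> bytes:
    """Dotted OID -> DER content bytes (first two arcs packed, base-128 for the rest)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def decode_oid(value: bytes) -> str:
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                     # high bit clear ends the arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def pem_to_der(pem: str) -> bytes:
    return base64.b64decode(re.sub(r"-----[A-Z ]+-----|\s", "", pem))


def der_to_pem(der: bytes) -> str:
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def signature_algorithm(der: bytes) -> str:
    """Dotted OID of the outer signatureAlgorithm field:
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    tag, cert, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = read_tlv(cert, 0)            # skip tbsCertificate
    tag, alg, _ = read_tlv(cert, pos)        # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid, _ = read_tlv(alg, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(oid)


def weak_signature(der: bytes) -> bool:
    """True when the certificate is signed with MD5 or SHA-1 (what the browsers are phasing out)."""
    return SIG_ALG_NAMES.get(signature_algorithm(der), "unknown") in WEAK_SIG_ALGS


def fake_cert(sig_oid: str) -> bytes:
    """Constructed input: a Certificate skeleton with a one-field TBS and a dummy signature.
    Enough structure for the parser above; it is NOT a valid certificate."""
    tbs = tlv(0x30, tlv(0x02, b"\x01"))                               # just a serialNumber
    alg = tlv(0x30, tlv(0x06, encode_oid(sig_oid)) + tlv(0x05, b""))  # OID + NULL params
    sig = tlv(0x03, b"\x00" + b"\x00" * 256)                           # BIT STRING, long-form length
    return tlv(0x30, tbs + alg + sig)


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
        print(SIG_ALG_NAMES[oid], "weak:", weak_signature(fake_cert(oid)))
```

On a real file the call is `weak_signature(pem_to_der(open("cert.pem").read()))`, and the same check has to be run on every intermediate in the chain, since Chrome evaluates the chain and not just the leaf. If the `cryptography` package is available, `x509.load_pem_x509_certificate(data).signature_hash_algorithm` gives the same answer without hand-parsing DER.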

Blockchain technology, a permissionless distributed database based on the bitcoin protocol that runs across a global network of independent computers, will get used more widely than just for the Bitcoin virtual currency. With bitcoin, the blockchain tracks the exchange of money. But it can also track the exchange of anything else that holds value, including stocks, bonds, and other financial securities. Overstock has already used the blockchain to issue private bonds. The Securities and Exchange Commission has approved a plan from online retailer Overstock.com to issue company stock via the Internet, signaling a significant shift in the way financial securities will be distributed and traded in the years to come. Overstock built its technology under the aegis of a subsidiary called TØ.com, and it plans to offer this “cryptosecurity” tech as a service to other businesses. Nasdaq OMX, the company behind the Nasdaq stock exchange, is using the blockchain to oversee the exchange of private stock. Also, several major companies from across both the technology and financial industries, including IBM, Intel and Cisco as well as the London Stock Exchange Group and big-name banks JP Morgan, Wells Fargo and State Street, have joined forces with the Linux Foundation to create an alternative to the bitcoin blockchain.

The use of disk encryption will increase, and there are different ways to do it with different security levels. With Windows 10, Microsoft has introduced device encryption whose recovery keys are uploaded to Microsoft by default. This approach has some advantages and disadvantages. The gold standard in disk encryption is end-to-end encryption, where only you can unlock your disk. This is what most companies use, and it seems to work well. It protects data in case your device is lost or stolen. But what if you forget or lose your key? There are certainly cases where it’s helpful to have a backup of your key or password, so keeping a backup of your recovery key in your Microsoft account could be genuinely useful for probably the majority of users who don’t have high security needs. The disadvantage of this approach is that your computer is now only as secure as that database of keys held by Microsoft, which means it may be vulnerable to hackers, foreign governments, and people who can extort Microsoft employees. If you don’t want the escrowed copy, the fix is not just to delete it from the account but to generate a new recovery key afterwards, since the old one may already have been copied.


Weak and leaked passwords are still a huge security problem in 2016. Passwords are often the weakest part of securing users’ accounts, as many don’t use complex passwords or they reuse the same password across services. Two-factor authentication, like using a USB stick with a secret token or entering a code sent by text message to your phone, can help to increase security, but many users also find this to be a hassle as it introduces an additional step to the login process.

Google has begun testing a login system that uses phone notifications for authentication instead of passwords: users authenticate by responding to a notification sent to their smartphone. The idea is similar to Yahoo’s recently launched “Account Key”, which also offers a password-free means of signing in, involving a push notification sent to your phone that then opens an app where you approve the log-in.

The smartphone will become a more and more security-critical part of your life. “Increasingly, individuals and organisations are adopting password managers and multi-factor authentication technologies to plug some of the holes in password-based authentication. We foresee a world where practically everyone uses their smartphone as a multi-factor authentication element. In this world, the smartphone becomes your most valuable asset: something that enables you to unlock your life online and a target for attackers seeking to access your services.”

Expect the number of mobile vulnerabilities to only grow in 2016. In 2016 we will see increasing numbers of cyber criminals using mobile applications to spread malware. Mobile presents an easy target for cyber criminals, because it is an attack surface that is open and extremely difficult to defend once an app has been released. Android threats will become more than just headline-grabbers. Will 2016 be the year iOS malware goes mainstream?


Critical infrastructures will be highly targeted in 2016. SCADA and ICS networks were not designed for security. Attacks against these systems have increased in recent years, and I expect this trend to only get worse. There are still many companies that run their critical systems on Windows XP because “there are some people who don’t have an option to change.” Many times the OS is running in automation and process control systems that run business- and mission-critical systems, both in private sector and government enterprises. For example, the US Navy is using the obsolete operating system Microsoft Windows XP to run critical tasks. It all comes down to money and resources, but being obliged to keep something running on an obsolete system is completely the wrong approach to information security: an unsupported OS gets no security patches, so every new vulnerability found in it stays exploitable for as long as it is in service.

Cars were hacked at a record rate in 2015, and they will be hacked at least at the same rate in 2016. Modern cars feature more gadgetry and connected systems, and this will make vehicles just as vulnerable to today’s threats and attacks. I Am The Cavalry has published a five-star Cyber Safety Framework to mitigate this threat in cars; hopefully car component makers will study it.

IoT and smart devices are still at risk. The Internet of Things will continue to emerge, and businesses will need to think about how to protect their smart devices and prepare for the wider adoption of IoT. IoT platforms are not yet the weapon of choice for commercial malware authors, but businesses should beware. Wearables won’t be safe either, as they are built using largely the same too often vulnerable technologies as other IoT systems. IoT security is still in its infancy in 2016.

Cyber criminals became more active in 2015, particularly in ransomware. The ransomware problem will continue to be big in 2016. Commercial malware authors will continue to invest heavily, and exploit kits will continue to dominate on the web. Ransomware today is big business. Ransomware takes control of a computer and holds it hostage until the victim pays, usually in the digital currency Bitcoin. As a remedy against ransomware I recommend making sure that your IT support or service provider has the data backup and restore procedure operational, practiced and tested. Keep at least one backup copy offline or otherwise unreachable from the machines it protects, because ransomware also encrypts any attached drives and network shares it can write to. You may need that backup in 2016 to get your data back without having to consider paying criminals. To date ransomware has hit Windows users hardest, although Android and MacOS users are now also facing similar extortion.
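Two of the recommendations above, the integrity solution that acts like an alarm in the perimeter discussion earlier and the tested restore procedure here, rest on the same primitive: a stored baseline of file hashes that a live tree or a restored tree is compared against. The following is an added example (not code from the original post or from any product) that builds such a baseline, raises an alarm when a large fraction of baseline files are modified or vanish (the pattern left by ransomware encrypting and renaming files), and verifies that a restored copy matches the baseline exactly. The `demo()` scenario, its file names and the 20 % alarm threshold are constructed for illustration.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk: int = 1 << 16) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Baseline: relative POSIX path -> SHA-256 and size for every regular file under root."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue
        manifest[p.relative_to(root).as_posix()] = {"sha256": hash_file(p), "size": p.stat().st_size}
    return manifest


def save_manifest(manifest: dict, path: Path) -> None:
    path.write_text(json.dumps(manifest, indent=1, sort_keys=True))


def load_manifest(path: Path) -> dict:
    return json.loads(path.read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Added, removed and modified paths between two manifests."""
    base, cur = set(baseline), set(current)
    modified = sorted(k for k in base & cur if baseline[k]["sha256"] != current[k]["sha256"])
    return {"added": sorted(cur - base), "removed": sorted(base - cur), "modified": modified}


def check_tree(root: Path, baseline: dict, alarm_fraction: float = 0.2) -> dict:
    """The alarm: every deviation is reported; mass modification or disappearance of
    baseline files (ransomware encrypting and renaming) trips the alarm flag."""
    diff = compare(baseline, build_manifest(root))
    touched = len(diff["modified"]) + len(diff["removed"])
    alarm = bool(baseline) and touched / len(baseline) >= alarm_fraction
    return {"diff": diff, "alarm": alarm}


def verify_restore(baseline: dict, restored_root: Path) -> bool:
    """Restore test: the restored tree must match the baseline exactly."""
    diff = compare(baseline, build_manifest(restored_root))
    return not (diff["added"] or diff["removed"] or diff["modified"])


def demo() -> dict:
    """Constructed scenario: baseline a tree, store the manifest, simulate ransomware, test restore."""
    with tempfile.TemporaryDirectory() as tmp:
        live, backup, store = Path(tmp, "live"), Path(tmp, "backup"), Path(tmp, "baseline.json")
        for root in (live, backup):                        # backup is a faithful copy of live
            (root / "docs").mkdir(parents=True)
            for i in range(5):
                (root / "docs" / f"report{i}.txt").write_text(f"quarterly report {i}\n")
        save_manifest(build_manifest(live), store)         # in practice: keep this off the host
        baseline = load_manifest(store)
        for p in list((live / "docs").glob("*.txt")):      # ransomware: overwrite, then rename
            p.write_bytes(os.urandom(64))
            p.rename(p.with_name(p.name + ".locked"))
        result = check_tree(live, baseline)
        return {
            "alarm": result["alarm"],
            "removed": len(result["diff"]["removed"]),
            "added": len(result["diff"]["added"]),
            "restore_ok": verify_restore(baseline, backup),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The manifest is only an alarm if the attacker cannot rewrite it, so store it somewhere the monitored host cannot write to, and run `verify_restore()` against an actual restore from the offline copy rather than against the backup medium in place, since a restore that has never been exercised is the step that most often fails when it is needed.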

Ransomware will continue to dominate in 2016, and it is only a question of time before we see things beyond data being ransomed. We have already seen websites being held to ransom with DDoS. Intel’s McAfee Labs also noted a huge spike in ransomware in early 2015, and worries about ransomware in the IoT space, including medical devices. And Kaspersky predicts the “nightmare of ransomware” to continue and “spread to new frontiers” in 2016. The article “Ransomware Is Coming to Medical Devices” says that according to a report released recently by Forrester Research, the number one cybersecurity prediction for 2016 is: “We’ll see ransomware for a medical device or wearable.” “It’s definitely feasible from a technical standpoint.” Networked medical devices save lives. Despite the hacking risk, it’s an informed trade-off. Medical device ransomware would be a modern form of highway robbery with lives at stake.

2,232 Comments

  1. Tomi Engdahl says:

    DDoS script kiddies are also… actual kiddies, Europol arrests reveal
    Young ‘uns hire tools to hit infrastructure, info systems
    http://www.theregister.co.uk/2016/12/12/europol_arrests_34_ddos_kiddies/

    Law enforcement bods at Europol have arrested 34 users of Distributed Denial of Service (DDoS) cyber-attack tools and interviewed and cautioned 101 suspects in a global crackdown.

    Unsurprisingly, the users identified by Europol’s European Cybercrime Centre (EC3) were mainly young adults under the age of 20.

    The body worked with regional agencies to identify cyber-attackers that had targeted critical infrastructure and information systems in the European Union.

    The individuals arrested are suspected of paying for stressers and booters services to maliciously deploy software to launch DDoS attacks.

    The tools used are part of the criminal “DDoS for hire” facilities for which hackers can pay and aim at targets of their choosing, said Europol in its press release.

    “Today’s generation is closer to technology than ever before, with the potential of exacerbating the threat of cybercrime. Many IT enthusiasts get involved in seemingly low-level fringe cybercrime activities from a young age, unaware of the consequences that such crimes carry.”

    Europol is currently conducting a prevention campaign in all participating countries in order to raise awareness of the risk of young adults getting involved in cybercrime.

  2. Tomi Engdahl says:

    Will Evans / Reveal:
    5 ex-Uber employees say there was broad access to “God View” and abuse of it to track users including celebrities and politicians, even after initial news broke

    Uber said it protects you from spying. Security sources say otherwise
    https://www.revealnews.org/article/uber-said-it-protects-you-from-spying-security-sources-say-otherwise/

    For anyone who’s snagged a ride with Uber, Ward Spangenberg has a warning: Your personal information is not safe.

    Internal Uber employees helped ex-boyfriends stalk their ex-girlfriends and searched for the trip information of celebrities such as Beyoncé, the company’s former forensic investigator said.

    “Uber’s lack of security regarding its customer data was resulting in Uber employees being able to track high profile politicians, celebrities, and even personal acquaintances of Uber employees, including ex-boyfriends/girlfriends, and ex-spouses,” Spangenberg wrote in a court declaration, signed in October under penalty of perjury.

  3. Tomi Engdahl says:

    Obama orders review of 2016 election cyber attacks
    http://www.reuters.com/article/us-usa-election-cyber-idUSKBN13Y1U7

    U.S. President Barack Obama has ordered intelligence agencies to review cyber attacks and foreign intervention into the 2016 election and deliver a report before he leaves office on Jan. 20, the White House said on Friday.

    In October, the U.S. government formally accused Russia of a campaign of cyber attacks against Democratic Party organizations ahead of the Nov. 8 presidential election.

    “The president has directed the intelligence community to conduct a full review of what happened during the 2016 election process … and to capture lessons learned from that and to report to a range of stakeholders, to include the Congress,”

    “I don’t believe they interfered,” Trump told Time magazine

    Monaco said cyber attacks were not new but might have crossed a “new threshold” this year.

  4. Tomi Engdahl says:

    Biometrics Ensure Security
    Devices Don’t Need Altering
    http://www.eetimes.com/document.asp?doc_id=1330938&

    Password security can now be replaced with a bulletproof alternative using up to 12 biometric parameters for mobile users, according to ImageWare Systems Inc. (San Diego, Calif.). Called GoVerifyID, the system resides on an enterprise’s server, requiring no modification of the mobile device by taking advantage of its already existing sensors.

    “Password security is hopelessly antiquated — the ancient Greeks used passwords that were hacked leading to their slaughter by the Spartans,” claimed Jim Miller, chairman and chief executive officer (CEO) of ImageWare. “Still today two-thirds of computer system breaches are the result of the insecurity of passwords and their reset process.”

  5. Tomi Engdahl says:

    Users Warned of Zcash Miner Infections
    http://www.securityweek.com/users-warned-zcash-miner-infections

    Cybercriminals could be making a significant profit by infecting computers with programs that mine for Zcash, a new cryptocurrency that still has a relatively high value.

    Launched in late October, Zcash (ZEC) is similar to Bitcoin, but the sender, recipient and value of transactions can be hidden. It was initially worth $30,000 per unit, but its value declined steadily as the number of units increased. At the time of writing, one ZEC is worth 0.06 BTC or $49.

  6. Tomi Engdahl says:

    Samas Ransomware Gang Made $450,000 in One Year Analysis
    http://www.securityweek.com/samas-ransomware-gang-made-450000-one-year-analysis

    The cybercriminals behind a piece of ransomware known as Samas or SamSa collected roughly $450,000 in ransom payments over the past year, according to Palo Alto Networks researchers.

    The malware was initially detailed in March this year, but its origins were traced back to the fourth quarter of 2015 when Microsoft discovered that the ransomware required additional tools and components during deployment. The threat would make use of pen-testing/attack tools for a more targeted attack, researchers discovered.

    The SamSa actors have been targeting the healthcare industry with their attacks, and Palo Alto Networks researchers say that they made around $450,000 in ransom payments over the past 12 months. T

  7. Tomi Engdahl says:

    Unpatched Flaw Exposes Netgear Routers to Hacking
    http://www.securityweek.com/unpatched-flaw-exposes-netgear-routers-hacking

    Netgear has launched an investigation following reports that some of its routers are affected by a critical vulnerability that can be remotely exploited to hijack the devices.

    The flaw is believed to affect Netgear R7000, R6400, R8000 and possibly other models. According to CERT CC, the security hole can be exploited to execute arbitrary commands with root privileges on affected routers by getting the targeted user to visit a specially crafted web page.

  8. Tomi Engdahl says:

    Dozens of Teens Arrested Over DDoS Attacks
    http://www.securityweek.com/dozens-teens-arrested-over-ddos-attacks

    Europol on Monday announced that 34 arrests were made as part of an operation targeting users of Distributed Denial of Service (DDoS) cyber-attack tools.

    The operation was conducted between December 5 and 9, 2016, and received cooperation from law enforcement agencies all around the world, including Australia, Belgium, France, Hungary, Lithuania, the Netherlands, Norway, Portugal, Romania, Spain, Sweden, the United Kingdom and the United States. In addition to the 34 arrests, 101 suspects were interviewed and cautioned, Europol says.

    The agency believes that the arrested individuals were paying for stressers and booters services to maliciously deploy software to launch DDoS attacks. The attacks flooded web servers with massive amounts of data, thus rendering them inaccessible to users.

  9. Tomi Engdahl says:

    Network attacks cause losses

    More and more companies suffer from disruption to business due to cyber attacks. For example, The Wall Street Journal estimates that in 2015, European companies lost due to cyber attacks revenue of more than EUR 60 billion.

    According to Deloitte’s survey, cyber attacks cause companies significant financial losses, but the study shows that companies are not well enough prepared for the latent costs of attacks that emerge over time.

    In the case of a cyber attack, the company is often prepared for the direct and easily observable costs, but 95 per cent of costs are incurred as far-reaching and less predictable costs.

    These include the cost of various operational disruptions, a decline in market value and customer relationships, as well as the loss of intellectual property rights.

    According to Gartner, by 2018 only 40 per cent of large companies have official plans in case of cyber attacks. Last year, the percentage was zero.

    Source: http://etn.fi/index.php?option=com_content&view=article&id=5573:verkkohyokkaykset-aiheuttavat-jattitappioita&catid=13&Itemid=101

  10. Tomi Engdahl says:

    Exclusive: SWIFT confirms new cyber thefts, hacking tactics
    http://www.reuters.com/article/us-usa-cyber-swift-exclusive-idUSKBN1412NT

    Cyber attacks targeting the global bank transfer system have succeeded in stealing funds since February’s heist of $81 million from the Bangladesh central bank as hackers have become more sophisticated in their tactics, according to a SWIFT official and a previously undisclosed letter the organization sent to banks worldwide.

    The messaging network in a Nov. 2 letter seen by Reuters warned banks of the escalating threat to their systems, according to the SWIFT letter. The attacks and new hacking tactics underscore the continuing vulnerability of the SWIFT messaging network, which handles trillions of dollars in fund transfers daily.

    “The threat is very persistent, adaptive and sophisticated – and it is here to stay,”

  11. Tomi Engdahl says:

    Quest Diagnostics Says Personal Health Information of 34,000 Customers Hacked
    https://science.slashdot.org/story/16/12/13/0133237/quest-diagnostics-says-personal-health-information-of-34000-customers-hacked

    Quest Diagnostics has said in a statement that a hack of an internet application on its network has exposed the personal health information of nearly 34,000 people. “Quest Diagnostics has notified affected individuals via mail and established a dedicated toll-free number to call with questions regarding this incident,”

    Quest Diagnostics says personal health information of 34,000 customers hacked
    http://www.cbsnews.com/news/quest-diagnostics-says-personal-health-information-of-34000-customers-hacked/

    NEW YORK — Medical laboratory operator Quest Diagnostics Inc. says a hack of an internet application on its network has exposed the personal health information of about 34,000 people.

    The Madison, New Jersey-based company says “an unauthorized third party” on Nov. 26 gained access to customer information including names, dates of birth, lab results and in some instances, telephone numbers.

    Quest said Monday it is working with a cybersecurity firm and law enforcement to investigate the breach

  12. Tomi Engdahl says:

    Approximately 15 million Americans each year fall victim to identity theft—and these losses total upwards of $50 billion. Each year, criminals develop more advanced ways to steal identities, putting millions of Americans at risk. Our personal security is more at risk than ever, leaving many people to seek out a simple solution to a growing problem.

    Source: https://www.eeweb.com/blog/eeweb/blustors-cybergatetm-a-secure-solution-to-a-global-problem

  13. Tomi Engdahl says:

    Fiber-optic line hacks now take only minutes
    http://www.cablinginstall.com/articles/2016/12/ciena-fo-line-hacks.html?cmpid=enl_CIM_CablingInstallationMaintenanceDataCenterNewsletter_2016-12-12

    In today’s world, hackers can easily obtain tools to tap into a fiber-optic line, what with a host of freely available YouTube videos that explain exactly how to do it.

    In the Lab: Hacking an Optical Fiber Line in Minutes
    https://www.youtube.com/watch?v=6ImKA6PVEH0

    From our R&D lab in Ottawa, Ciena’s Patrick Scully demonstrates how simple it is to steal massive amounts of data by quickly and easily tapping a fiber optic cable, and explains how optical encryption can be used to protect against this threat, ensuring the security of all in-flight data.

  14. Tomi Engdahl says:

    Worried by Hacker Threat, France Prepares Army Response
    http://www.securityweek.com/worried-hacker-threat-france-prepares-army-response

    France announced its first cyber-warfare army unit on Monday, aimed at increasing the country’s hacking skills as concerns grow in Europe and the United States about Russian capabilities.

    Defense Minister Jean-Yves Le Drian likened the impact of hacking on warfare to the effect of the first aircraft on conflicts in the early 20th century.

    “The emergence of a new area, a new cyber-battlefield, must make us rethink profoundly our way of approaching the art of war,” Le Drian said as he unveiled a new doctrine for the army in northwest France.

    If hackers were identified as coming from a country that had failed to stop them, “the responsibility of this state could be called into question,” he said

    “Our offensive cyber-capabilities must allow us to breach the systems and networks of our enemies to cause damage, service suspensions or temporary or definitive neutralizations,” he added.

  15. Tomi Engdahl says:

    New York Times:
    How Russia executed an effective, hard to trace and mitigate cyber offensive on the DNC, aided by an FBI response that lacked speed, urgency, comprehensiveness — WASHINGTON — When Special Agent Adrian Hawkins of the Federal Bureau of Investigation called the Democratic National Committee …

    The Perfect Weapon: How Russian Cyberpower Invaded the U.S.
    http://www.nytimes.com/2016/12/13/us/politics/russia-hack-election-dnc.html

    When Special Agent Adrian Hawkins of the Federal Bureau of Investigation called the Democratic National Committee in September 2015 to pass along some troubling news about its computer network, he was transferred, naturally, to the help desk.

    His message was brief, if alarming. At least one computer system belonging to the D.N.C. had been compromised by hackers federal investigators had named “the Dukes,” a cyberespionage team linked to the Russian government.

    The F.B.I. knew it well: The bureau had spent the last few years trying to kick the Dukes out of the unclassified email systems of the White House, the State Department and even the Joint Chiefs of Staff, one of the government’s best-protected networks.

    “I had no way of differentiating the call I just received from a prank call,”

    It was the cryptic first sign of a cyberespionage and information-warfare campaign devised to disrupt the 2016 presidential election, the first such attempt by a foreign power in American history. What started as an information-gathering operation, intelligence officials believe, ultimately morphed into an effort to harm one candidate, Hillary Clinton, and tip the election to her opponent, Donald J. Trump.

    An examination by The Times of the Russian operation — based on interviews with dozens of players targeted in the attack, intelligence officials who investigated it and Obama administration officials who deliberated over the best response — reveals a series of missed signals, slow responses and a continuing underestimation of the seriousness of the cyberattack.

    The low-key approach of the F.B.I. meant that Russian hackers could roam freely through the committee’s network for nearly seven months before top D.N.C. officials were alerted to the attack and hired cyberexperts to protect their systems. In the meantime, the hackers moved on to targets outside the D.N.C., including Mrs. Clinton’s campaign chairman, John D. Podesta, whose private email account was hacked months later.

    By last summer, Democrats watched in helpless fury as their private emails and confidential documents appeared online day after day — procured by Russian intelligence agents, posted on WikiLeaks and other websites, then eagerly reported on by the American media, including The Times. Mr. Trump gleefully cited many of the purloined emails on the campaign trail.

    The fallout included the resignations of Representative Debbie Wasserman Schultz of Florida, the chairwoman of the D.N.C., and most of her top party aides.

    In recent days, a skeptical president-elect, the nation’s intelligence agencies and the two major parties have become embroiled in an extraordinary public dispute over what evidence exists that President Vladimir V. Putin of Russia moved beyond mere espionage to deliberately try to subvert American democracy and pick the winner of the presidential election.

    The United States, too, has carried out cyberattacks, and in decades past the C.I.A. tried to subvert foreign elections. But the Russian attack is increasingly understood across the political spectrum as an ominous historic landmark — with one notable exception: Mr. Trump has rejected the findings of the intelligence agencies he will soon oversee as “ridiculous,” insisting that the hacker may be American, or Chinese, but that “they have no idea.”

    “This tale of ‘hacks’ resembles a banal brawl between American security officials over spheres of influence,”

    The D.N.C. had a standard email spam-filtering service, intended to block phishing attacks and malware created to resemble legitimate email. But when Russian hackers started in on the D.N.C., the committee did not have the most advanced systems in place to track suspicious traffic, internal D.N.C. memos show.

    Mr. Tamene’s initial scan of the D.N.C. system — using his less-than-optimal tools and incomplete targeting information from the F.B.I. — found nothing.

    In November, Special Agent Hawkins called with more ominous news. A D.N.C. computer was “calling home, where home meant Russia,”

    A second team of Russian-affiliated hackers began to target the D.N.C. and other players in the political world, particularly Democrats.

    Billy Rinehart, a former D.N.C. regional field director who was then working for Mrs. Clinton’s campaign, got an odd email warning from Google.

    “Someone just used your password to try to sign into your Google account,” the March 22 email said, adding that the sign-in attempt had occurred in Ukraine. “Google stopped this sign-in attempt. You should change your password immediately.”

    Without thinking much about the notification, he clicked on the “change password”

    What he did not know until months later is that he had just given the Russian hackers access to his email account.

    Hundreds of similar phishing emails were being sent to American political targets

    During this second wave, the hackers also gained access to the Democratic Congressional Campaign Committee, and then, through a virtual private network connection, to the main computer network of the D.N.C.

    With the new monitoring system in place, Mr. Tamene had examined administrative logs of the D.N.C.’s computer system and found something very suspicious: An unauthorized person, with administrator-level security status, had gained access to the D.N.C.’s computers.

    No one knew just how bad the breach was

    “Three most important questions,” Mr. Sussmann wrote to his clients the night the break-in was confirmed. “1) What data was accessed? 2) How was it done? 3) How do we stop it?”

    The D.N.C. immediately hired CrowdStrike, a cybersecurity firm, to scan its computers, identify the intruders and build a new computer and telephone system from scratch. Within a day, CrowdStrike confirmed that the intrusion had originated in Russia, Mr. Sussmann said.

    It was Cozy Bear, CrowdStrike concluded, that first penetrated the D.N.C. in the summer of 2015, by sending spear-phishing emails to a long list of American government agencies, Washington nonprofits and government contractors. Whenever someone clicked on a phishing message, the Russians would enter the network, “exfiltrate” documents of interest and stockpile them for intelligence purposes.

    “Once they got into the D.N.C., they found the data valuable and decided to continue the operation,”

    In mid-June, on Mr. Sussmann’s advice, D.N.C. leaders decided to take a bold step. Concerned that word of the hacking might leak, they decided to go public in The Washington Post with the news that the committee had been attacked. That way, they figured, they could get ahead of the story, win a little sympathy from voters for being victimized by Russian hackers and refocus on the campaign.

    But the very next day, a new, deeply unsettling shock awaited them. Someone calling himself Guccifer 2.0 appeared on the web, claiming to be the D.N.C. hacker — and he posted a confidential committee document detailing Mr. Trump’s record and half a dozen other documents to prove his bona fides.

    “And it’s just a tiny part of all docs I downloaded from the Democrats networks,” he wrote. Then something more ominous: “The main part of the papers, thousands of files and mails, I gave to WikiLeaks. They will publish them soon.”

    It was bad enough that Russian hackers had been spying inside the committee’s network for months. Now the public release of documents had turned a conventional espionage operation into something far more menacing: political sabotage, an unpredictable, uncontrollable menace for Democratic campaigns.

    In addition to what Guccifer 2.0 published on his site, he provided material directly on request to some bloggers and publications. The steady flow of Guccifer 2.0 documents constantly undercut Democratic messaging efforts.

    Julian Assange, the WikiLeaks founder and editor, has resisted the conclusion that his site became a pass-through for Russian hackers

    Mr. Assange disputed the conclusion of the Oct. 7 statement from the intelligence agencies that the leaks were “intended to interfere with the U.S. election process.”

    Inside the White House, as Mr. Obama’s advisers debated their response

    “It took forever,” one senior administration official said, complaining about the pace at which the intelligence assessments moved through the system.

    In August a group that called itself the “Shadow Brokers” published a set of software tools that looked like what the N.S.A. uses to break into foreign computer networks and install “implants,” malware that can be used for surveillance or attack. The code came from the Tailored Access Operations unit of the N.S.A., a secretive group that mastered the arts of surveillance and cyberwar.

    The assumption — still unproved — was that the code was put out in the open by the Russians as a warning: Retaliate for the D.N.C., and there are a lot more secrets, from the hackings of the State Department, the White House and the Pentagon, that might be spilled as well.

    New York Times:
    Russian hackers gave reporters and bloggers access to documents on Democratic House Candidates from DCCC hack, trying to influence nearly a dozen House races — WASHINGTON — South Florida has long been a laboratory for some of the nation’s roughest politics, with techniques …

    Democratic House Candidates Were Also Targets of Russian Hacking
    http://www.nytimes.com/2016/12/13/us/politics/house-democrats-hacking-dccc.html

    South Florida has long been a laboratory for some of the nation’s roughest politics, with techniques like phantom candidates created by political rivals to siphon off votes from their opponents, or so-called boleteras hired to illegally fill out stacks of absentee ballots on behalf of elderly or disabled voters.

    But there was never anything quite like the 2016 election campaign, when a handful of Democratic House candidates became targets of a Russian influence operation that made thousands of pages of documents stolen by hackers from the Democratic Congressional Campaign Committee in Washington available to Florida reporters and bloggers.

    “It was like I was standing out there naked,”

    Reply
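The fake account-security warning in the post above follows the classic phishing pattern: the message looks like a Google alert, but the "change password" link leads somewhere else. As an added example (not code from the article or from any party it describes), here is a small Python check over a constructed sample message: it parses every link, flags any whose host lies outside the domain the message claims to come from, and flags visible URLs that point to a different host than the one they display. The allowed-domain set, the sample HTML and the placeholder lookalike host under the reserved example.net domain are all assumptions made for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the fake "someone used your password" warning
# described in the post. The lookalike host is a placeholder under the reserved
# example.net domain, not a real site.
SAMPLE_EMAIL = """
<p>Someone just used your password to try to sign into your Google account.</p>
<p>Google stopped this sign-in attempt. You should
<a href="http://accounts-google-com.example.net/reset">change your password</a>
immediately.</p>
<p>Review recent activity at
<a href="https://myaccount.google.com/security">https://myaccount.google.com/security</a></p>
"""

# Registrable domains the claimed sender is allowed to link to (assumption).
ALLOWED_DOMAINS = {"google.com"}


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:          # only text inside an open <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            visible = " ".join("".join(self._text).split())
            self.links.append((self._href, visible))
            self._href = None


def registrable_domain(host):
    """Crude registrable-domain extraction (last two labels); enough here."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def find_suspicious_links(html, allowed_domains=ALLOWED_DOMAINS):
    """Return [(href, reason)] for links outside the claimed sender's domains
    or whose visible text advertises a different host than the real target."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        if registrable_domain(host) not in allowed_domains:
            findings.append((href, f"target host {host!r} is outside {sorted(allowed_domains)}"))
            continue
        # Visible text that itself looks like a URL must point where it says.
        shown_host = urlparse(text).hostname if text.startswith(("http://", "https://")) else None
        if shown_host and registrable_domain(shown_host) != registrable_domain(host):
            findings.append((href, f"visible text shows {shown_host!r} but link goes to {host!r}"))
    return findings


if __name__ == "__main__":
    for href, reason in find_suspicious_links(SAMPLE_EMAIL):
        print(f"SUSPICIOUS {href}: {reason}")
```

The same check applied at a mail gateway, with the allowed set derived from the message's authenticated sender domain, is one cheap way to stop this kind of lure before a user ever sees the "change password" button.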
  16. Tomi Engdahl says:

    Bypass all anti-viruses by Encrypted Payloads with C#
    https://www.linkedin.com/pulse/bypass-all-anti-viruses-encrypted-payloads-c-damon-mohammadbagher

    Some people asked me how you can bypass all AV anti-viruses.

    My answer is: very simple. But this is a secret technique, and most pentesters or hackers never share it with other people. They have their reasons for that, like me, and I can tell you the main reason is that their methods and code, once shared, will be detected by anti-virus companies very soon. But I want to share one method with you all, using C# programming and an encryption method.

    Reply
  17. Tomi Engdahl says:

    6 ways to add cybersecurity protections to outsourcing deals
    http://www.networkworld.com/article/3141346/malware-cybercrime/6-ways-to-add-cybersecurity-protections-to-outsourcing-deals.html

    There is growing concern about how third-party IT services providers are protecting corporate data. Here are six ways IT leaders can better negotiate cybersecurity and data privacy issues.

    As cybersecurity has become one of the most important strategic imperatives for the enterprise, concerns about how third-party IT services providers are protecting corporate data have grown. As a result, negotiation of cybersecurity and data privacy issues has become one of the most challenging areas in IT outsourcing contract negotiations, says Rebecca Eisner, partner in the Chicago office of law firm Mayer Brown.

    There are six steps IT leaders can take to strengthen data privacy and cybersecurity protections in their IT supplier relationships, according to Eisner:

    1. Understand which suppliers either process or have access to the company’s most sensitive personal or regulated data, and data that represents the “crown jewels” of the company.

    2. Collaborate with the company’s security, vendor management, and legal teams to determine which supplier relationships create the highest risks for the company.

    3. Take a look at existing IT service provider agreements.

    4. Make sure that IT’s vendor management, compliance, or security team is monitoring high-risk suppliers, including updating vendor security assessment questionnaires on an annual or bi-annual basis; reviewing audit reports, certifications, and penetration tests; and, where appropriate, conducting site visits and annual security reviews.

    5. Review the company’s standard security and privacy contract terms regularly with legal counsel to ensure that those baseline requirements are kept up to date. “This is particularly necessary due to rapidly evolving privacy regulation in the U.S. and around the world,”

    6. Take the time to educate the company’s board of directors, officers and employees about security and privacy risks.

    Reply
  18. Tomi Engdahl says:

    Mergers create greater security risk
    Companies should use a risk-based approach to merger review
    http://www.networkworld.com/article/3119668/security/mergers-create-greater-security-risk.html

    Corporate mergers and acquisitions (M&A) can be fraught with risks related to financial matters, company culture, personnel, IT systems integration and other areas.

    Security risks, both cyber and physical, certainly belong on the list of concerns. And with the ongoing shortage of professionals who are expert in various aspects of data protection—coupled with the seemingly endless stream of reports about data breaches and other security threats—this has become an even bigger concern for companies that are considering or in the midst of M&A deals.

    “Any M&A activity involves an assumption of risk,”

    Reply
  19. Tomi Engdahl says:

    Persistent ad and dialler trojans found on 28 Android phones
    Mostly landfill Androids from odd places, but Lenovo makes the list too
    http://www.theregister.co.uk/2016/12/14/persistent_ad_and_dialler_trojans_found_on_28_android_phones/

    More than two dozen cheap Androids have been found to host pre-installed malicious apps capable of downloading persistent adware and making phone calls.

    The phones, which include Lenovo’s A6000 and A319, were discovered bearing the pre-installed malicious apps by security researchers with antivirus firm Dr Web.

    Dr Web reckons resellers and firms in the supply chain are to blame.

    It says there are likely to be many more compromised handsets bearing the apps capable of quietly downloading various trojans from remote servers.

    Most of the downloads appear to be adware

    Entire companies have been found pushing advertising malware apps onto devices, ignoring the option to steal passwords and data using the acquired root privileges.

    One firm based in Xingdu, China, was this year fingered for slinging the Hummingbad malware and was said to be making $US300,000 a month through some 10 million infected devices.

    Reply
  20. Tomi Engdahl says:

    ‘Tesco Bank’s major vulnerability is its ownership by Tesco,’ claims ex-employee
    Links to supermarket’s systems may have exposed vulnerability
    http://www.theregister.co.uk/2016/11/30/tesco_bank_breach_former_insider_breach_theory/

    A former techie at the UK’s Tesco Bank reckons the recent high-profile breach may be down to security shortcomings at the bank’s parent supermarket.

    Earlier this month Tesco Bank admitted that an estimated £2.5m had been stolen from 9,000 customer accounts in the biggest cyber-heist of its kind to affect a UK bank. The National Crime Agency (NCA), with technical support from the newly established UK National Cyber Security Centre (NCSC), is leading a criminal investigation into the breach. NCSC issued a statement saying it was “unaware” of any threat to the wider UK banking sector.

    “TB [Tesco Bank] use all the standard security processes, and have significant numbers of ex-RBS staff. Security architecture is sound, and vulnerabilities are patched in a timely manner. Fraud monitoring systems are industry standard. A full breach is very unlikely, and there are much bigger and better targets if a gang has access to relevant zero-days.

    All staff are vetted as per standard processes – TB is no more vulnerable to an internal breach than anyone else.”

    Various theories about what might have caused the breach at Tesco Bank have already been suggested. Security watchers have variously blamed credential stuffing, an inside job, and exploitation of a third-party supplier retail partner for the breach.

    Around 136,000 customers hold current accounts with Tesco Bank. Holders of other accounts were not affected by the breach.

    “So often it’s the incidental systems that cause issues,” Munro told El Reg. “One builds a secure app, but then has to hook it up to an existing access/authorisation system, or something similar. I remember a pen test a few years back of a network that was pretty much bulletproof – up to date, pretty well configured, reasonable passwords etc.

    “Then we found an old fax server that was on the same domain. It didn’t take long to compromise that flaky fax box and from there the domain controller. All the good work was undone by some failed oversight of one box.

    “You’re probably only as secure as your least secure system,” Munro concluded.

    Tesco Bank provided this statement: “On 5 and 6 November, Tesco Bank was targeted by fraud, which affected 9000 of our customers and cost us £2.5m.

    Reply
  21. Tomi Engdahl says:

    If you bought a dildo in Denver, the government must legally be told
    Or smut in South Dakota, Anarchist Cookbook in Alabama or Windows 10 in Wyoming
    http://www.theregister.co.uk/2016/12/13/us_purchase_government_spying/

    Online retailers in America will soon be required by law to disclose to state governments what purchases their customers – meaning, you – have made.

    That extraordinary situation is the result of a long-running legal case that the US Supreme Court this week refused to hear. This means a decision by the Tenth Circuit [PDF] requiring out-of-state retailers to report to the Colorado state government the details of all purchases – including what that purchase was and who bought it – stands.

    So if you bought a dildo in Denver, some bureaucrat is going to be informed about it.

    Colorado is not the only state pushing the requirement. Vermont will also make the same requirement three months after Colorado starts imposing the law. And other states including Alabama, South Dakota, Tennessee and Wyoming have approved similar rules.

    Unsurprisingly, businesses and privacy advocates are up in arms.

    Why?

    The idea behind the law is for state governments to be able to claim sales tax on purchases from companies that do not have a physical presence in the state.

    Challenge

    All that means that the Tenth Circuit decision stands, and companies like eBay and Amazon will have to start filing detailed reports on sales to the Colorado state government – as well as the other states that have passed similar rules

    At the moment all of this has only really been noticed by the legal profession and e-commerce policy wonks, but as NetChoice executive director DelBianco noted, now that it is law, it’s almost certainly going to come as a “rude privacy shock” to people living across the country.

    Reply
  22. Tomi Engdahl says:

    Apple Patches 12 Vulnerabilities in iOS, tvOS, and watchOS
    http://www.securityweek.com/apple-patches-12-vulnerabilities-ios-tvos-and-watchos

    Apple on Monday released security updates for iOS, tvOS, and watchOS platforms to resolve a total of 12 vulnerabilities that impact iPhone, iPad, iPod touch, Apple TV, and Apple Watch devices.

    All 12 vulnerabilities were found to impact iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation and later, and all were addressed with the release of iOS 10.2 this week. Affected components included Accessibility, Accounts, Find My iPhone, Graphics Driver, Image Capture, Local Authentication, Mail, Media Player, Profiles, and SpringBoard.

    Reply
  23. Tomi Engdahl says:

    Serious Vulnerabilities Found in McAfee Enterprise Product
    http://www.securityweek.com/serious-vulnerabilities-found-mcafee-enterprise-product

    Intel Security’s McAfee VirusScan Enterprise product for Linux is affected by ten vulnerabilities, including serious flaws that can be chained for remote code execution with root privileges.

    Intel Security has classified four of the flaws as having high severity, while the rest have been rated medium severity. According to the researcher, four of the security holes can be chained to achieve remote code execution with root privileges.

    The attack starts with a flaw that allows the remote use of authentication tokens (CVE-2016-8022) that have been brute-forced (CVE-2016-8023). The attacker then deploys a malicious update server and leverages CVE-2016-8022 to configure the product to use that server.

    McAfee Virus Scan for Linux
    https://nation.state.actor/mcafee.html

    A system running Intel’s McAfee VirusScan Enterprise for Linux can be compromised by remote attackers due to a number of security vulnerabilities. Some of these vulnerabilities can be chained together to allow remote code execution as root.

    The vulnerabilities described here are present from at least v1.9.2 (released 2/19/2015) through version 2.0.2, (released 4/22/16).

    Reply
  24. Tomi Engdahl says:

    Flaws Allow Remote Hacking of Moxa MiiNePort Devices
    http://www.securityweek.com/flaws-allow-remote-hacking-moxa-miineport-devices

    Flaws affecting Moxa’s MiiNePort embedded serial device servers can be exploited remotely to gain control of vulnerable systems. The vendor has released firmware updates to address the security holes.

    ICS-CERT informed organizations last week that MiiNePort E1, E2 and E3 devices are affected by two vulnerabilities. One of them, tracked as CVE-2016-9344, can be exploited to brute-force an active session cookie and download a device’s configuration file.

    The second weakness, tracked as CVE-2016-9346, refers to the fact that the configuration data is stored in a file without being encrypted.

    https://ics-cert.us-cert.gov/advisories/ICSA-16-343-01

    Reply
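Both the McAfee advisory (comment 23, brute-forced authentication tokens) and the Moxa advisory (comment 24, a brute-forceable session cookie) come down to the same design failure: a token short enough to guess, validated by a service that lets the guesses keep coming. As an added example that is not code from either vendor or advisory, the Python below shows the arithmetic behind the risk and a session store that avoids it: tokens drawn from the OS CSPRNG with 128 bits of entropy, stored only as a SHA-256 fingerprint so a leaked table cannot be replayed, looked up by fingerprint so the comparison leaks no timing information, and a per-client lockout that caps the online guess rate. The token sizes, lockout threshold and guess rates are assumptions chosen for illustration.

```python
import hashlib
import secrets
from collections import defaultdict

# Sizes used by the example (assumptions, not values from the advisories).
TOKEN_BYTES = 16          # 128 random bits for real session tokens
WEAK_TOKEN_BITS = 32      # a short token, used only to illustrate the maths


def expected_guesses(bits):
    """Average number of guesses needed to hit one valid token of `bits` entropy."""
    return 2 ** (bits - 1)


def brute_force_seconds(bits, guesses_per_second):
    """Expected wall-clock time for an online brute force at the given rate."""
    return expected_guesses(bits) / guesses_per_second


def generate_session_token():
    """128-bit token from the OS CSPRNG, hex-encoded (32 characters)."""
    return secrets.token_hex(TOKEN_BYTES)


def _fingerprint(token):
    # Store only a hash of the token so a leaked session table cannot be replayed.
    return hashlib.sha256(token.encode()).hexdigest()


class SessionStore:
    """Session lookup with per-client failure lockout.

    Looking up by SHA-256 fingerprint makes the comparison independent of how
    many characters of a guess are right, so timing gives an attacker nothing,
    and the lockout bounds how many guesses a client can make at all.
    """

    def __init__(self, max_failures=10):
        self._sessions = {}                 # fingerprint -> user
        self._failures = defaultdict(int)   # client id -> consecutive failures
        self.max_failures = max_failures

    def create(self, user):
        token = generate_session_token()
        self._sessions[_fingerprint(token)] = user
        return token                        # handed to the client once

    def is_locked(self, client):
        return self._failures[client] >= self.max_failures

    def resolve(self, presented_token, client):
        """Return the user for a valid token, or None (also None while locked out)."""
        if self.is_locked(client):
            return None
        user = self._sessions.get(_fingerprint(presented_token))
        if user is None:
            self._failures[client] += 1
            return None
        self._failures[client] = 0
        return user


if __name__ == "__main__":
    rate = 1000  # guesses per second an unthrottled endpoint might accept (assumption)
    print(f"{WEAK_TOKEN_BITS}-bit token at {rate}/s: "
          f"{brute_force_seconds(WEAK_TOKEN_BITS, rate) / 86400:.1f} days")
    print(f"{TOKEN_BYTES * 8}-bit token at {rate}/s: "
          f"{brute_force_seconds(TOKEN_BYTES * 8, rate) / (86400 * 365):.3e} years")
```

The two printed figures make the point of both advisories: a 32-bit token falls to a patient attacker in weeks at a modest rate, while 128 bits of real entropy puts the expected effort beyond any feasible timescale even before the lockout is counted.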
  25. Tomi Engdahl says:

    TP-Link Debug Protocol Give Up Keys To Kingdom
    http://hackaday.com/2016/12/14/tp-link-debug-protocol-give-up-keys-to-kingdom/

    If the headline makes today’s hack sound like it was easy, rest assured that it wasn’t. But if you’re interested in embedded device hacking, read on.

    [Andres] wanted to install a custom OS firmware on a cheap home router, so he bought a router known to be reflashable only to find that the newer version of the firmware made that difficult. We’ve all been there. But instead of throwing the device in the closet, [Andres] beat it into submission, discovering a bug in the firmware, exploiting it, and writing it up for the manufacturer.

    TP-LINK TDDP Buffer Overflow / Missing Authentication
    https://cxsecurity.com/issue/WLB-2016110201

    Reply
  26. Tomi Engdahl says:

    Silicon Valley Engineers Pledge To Never Build A Muslim Registry
    https://www.buzzfeed.com/nitashatiku/never-again-tech-pledge?utm_term=.yiEjvgVqz#.qpG1vNzVl

    Engineers and employees from major tech companies — including Google, IBM, Slack, and Stripe — have pledged never to build a database of people based on their religious beliefs.

    A group of nearly 60 employees at major tech companies have signed a pledge refusing to help build a Muslim registry. The pledge states that signatories will advocate within their companies to minimize collection and retention of data that could enable ethnic or religious targeting under the Trump administration, to fight any unethical or illegal misuse of data, and to resign from their positions rather than comply.

    The group describes themselves as “engineers, designers, business executives, and others whose jobs include managing or processing data about people.”

    Silicon Valley tech companies themselves have, for the most part, stayed silent or declined to comment when asked about similar commitments to upholding civil rights.

    Right now within tech companies, “there’s a lot of conversation happening about what people’s ethical lines are,” Honeywell told BuzzFeed. “I think that’s really important. We don’t know what’s ahead, but we can at least lay down some ethical boundaries for our own behavior, and hopefully encourage others to do the same.”

    Facebook Spokesperson Calls Muslim Registry “Straw Man”
    https://www.buzzfeed.com/nitashatiku/facebook-trump-muslim-registry?utm_term=.uxQvqenVK#.lrlzp1yK9

    The company subsequently refused to comment on whether it would decline to participate in building such a registry, or endorse data collection policies championed by a group of Silicon Valley technology employees.

    Reply
  27. Tomi Engdahl says:

    Filmmakers and journalists ask camera companies to embrace encryption
    Hard drives can be encrypted, so why not cameras and the files they create?
    http://www.theverge.com/2016/12/14/13952744/freedom-of-the-press-open-letter-canon-nikon-sony-camera-encrypt

    The Freedom of the Press Foundation is asking major companies like Canon, Nikon, Sony, and Fujifilm to build encryption features into their products in a new open letter published today. The letter was signed by over 150 filmmakers and photojournalists, including Citizenfour director Laura Poitras.

    Encryption has become an increasingly prominent (and hotly debated) topic in the tech world over the last few years, especially with respect to messaging apps and mobile phones in general. But while encryption has become standard in those parts of our lives, camera and memory card companies are well behind that curve, the FPF argues.

    Poitras, who is on the board of directors for the FPF, somewhat famously had to destroy some of the SD cards she used when filming Edward Snowden for her Citizenfour documentary. While there are encrypted hard drives and even USB sticks, cameras (and the memory cards they use) don’t have built-in file protection. That means a journalist or filmmaker’s work is in jeopardy if those things get confiscated at any point in the time between shooting and storing those files.

    150 Filmmakers Ask Nikon and Canon to Sell Encrypted Cameras
    https://www.wired.com/2016/12/200-filmmakers-ask-nikon-canon-sell-encrypted-cameras/

    Reply
  28. Tomi Engdahl says:

    Give us encrypted camera storage, please – filmmakers, journos
    Photojournalists plead for secured data in professional cams
    http://www.theregister.co.uk/2016/12/14/photojournalists_say_cameras_need_encryption/

    Over 150 prominent filmmakers and photojournalists have asked leading camera makers to add support for data encryption to their devices.

    An open letter published on Wednesday by the Freedom of the Press Foundation – a group that includes Academy Award winners Laura Poitras and Alex Gibney – states that encryption is absent from all commercial cameras being sold today and that the technology is needed to protect both those capturing images and those depicted in them.

    “Without encryption capabilities, photographs and footage that we take can be examined and searched by the police, military, and border agents in countries where we operate and travel, and the consequences can be dire,” the letter states.

    The list of camera makers contacted includes Canon, Fuji, Nikon, Olympus, and Sony.

    https://www.documentcloud.org/documents/3238288-Camera-Encryption-Letter.html

    Reply
  29. Tomi Engdahl says:

    Yahoo Suffers Biggest Hack, Affecting 1 Billion
    https://www.yahoo.com/news/yahoo-suffers-biggest-hack-affecting-031722484.html

    Yahoo has discovered a 3-year-old security breach that enabled a hacker to break into more than 1 billion user accounts, breaking the company’s own humiliating record for the biggest security breach in history. (Dec. 14)

    Yahoo Suffers History’s Biggest Known Data Breach
    Hackers stole data from more than a billion user accounts.
    https://www.theatlantic.com/technology/archive/2016/12/hackers-steal-data-from-more-than-a-billion-yahoo-accounts/510716/

    A hacker stole information from more than one billion Yahoo email accounts in August 2013, the company announced Wednesday.

    The data included names, email addresses, telephone numbers, dates of birth, and password hashes, which are strings of characters that help a website check whether or not an entered password is correct. Some people may have also had answers to their security questions stolen, which, if published, could make it easier for hackers to gain access to other accounts that use the same security answers.

    Earlier this year, Yahoo announced that information from 500 million user accounts was stolen. At the time, that looked like one of the largest single data breaches in existence—but it’s now been eclipsed in scale by the latest hack. The company says the data breach it announced Wednesday is separate from the one it notified users about in September.

    Yahoo says it discovered the billion-account breach with the help of law enforcement, which shared with the company a trove of stolen user data that it had uncovered. The “same state-sponsored actor” behind the 500 million-account breach was likely involved in this cyberattack, too, according to Yahoo.

    Reply
  30. Tomi Engdahl says:

    Important Security Information for Yahoo Users
    http://www.businesswire.com/news/home/20161214006239/en/

    December 14, 2016 04:51 PM Eastern Standard Time

    SUNNYVALE, Calif.–(BUSINESS WIRE)–Yahoo! Inc. (NASDAQ:YHOO) has identified data security issues concerning certain Yahoo user accounts. Yahoo has taken steps to secure user accounts and is working closely with law enforcement.

    As Yahoo previously disclosed in November, law enforcement provided the company with data files that a third party claimed was Yahoo user data. The company analyzed this data with the assistance of outside forensic experts and found that it appears to be Yahoo user data. Based on further analysis of this data by the forensic experts, Yahoo believes an unauthorized third party, in August 2013, stole data associated with more than one billion user accounts. The company has not been able to identify the intrusion associated with this theft. Yahoo believes this incident is likely distinct from the incident the company disclosed on September 22, 2016.

    For potentially affected accounts, the stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers.

    Additional information is available on the Yahoo Account Security Issues FAQs page: https://yahoo.com/security-update

    Reply
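The Yahoo notice above says the stolen records held passwords hashed with MD5. Why that matters is easy to show: unsalted MD5 is fast and deterministic, so one hash per wordlist entry cracks every account that used that password at once. As an added example (not code from Yahoo or from any of the articles), the Python below runs a dictionary attack against a constructed table of unsalted MD5 hashes, then shows the salted, iterated PBKDF2-HMAC-SHA256 storage that a site should use instead: each user gets a random salt, so precomputed tables are useless, and the iteration count makes every guess expensive. The usernames, passwords, wordlist and iteration count are all made up for the example.

```python
import hashlib
import hmac
import os


def md5_hex(password):
    """Unsalted MD5 as a hex string: the weak scheme named in the Yahoo notice."""
    return hashlib.md5(password.encode()).hexdigest()


# Constructed sample of a leaked table of unsalted MD5 password hashes.
LEAKED_MD5 = {
    "user1@example.com": md5_hex("password123"),
    "user2@example.com": md5_hex("letmein"),
    "user3@example.com": md5_hex("password123"),   # same password as user1
    "user4@example.com": md5_hex("c0rrect-h0rse-battery-staple"),
}

# A tiny constructed wordlist; real cracking runs use billions of candidates.
WORDLIST = ["123456", "password", "password123", "letmein", "qwerty"]


def crack_unsalted_md5(leaked, wordlist):
    """Hash each wordlist entry once and look it up against every account.

    Without a salt, identical passwords produce identical hashes, so the cost
    of the attack is one MD5 per candidate regardless of how many users leaked.
    """
    table = {md5_hex(word): word for word in wordlist}
    return {user: table[h] for user, h in leaked.items() if h in table}


PBKDF2_ITERATIONS = 100_000   # assumption; tune to your hardware budget


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Salted, iterated PBKDF2-HMAC-SHA256, self-describing so parameters can change."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    for user, password in crack_unsalted_md5(LEAKED_MD5, WORDLIST).items():
        print(f"cracked {user}: {password}")
    stored = hash_password("password123")
    print("stored form:", stored)
    print("verify correct:", verify_password("password123", stored))
    print("verify wrong:  ", verify_password("password124", stored))
```

Note that the two users who chose "password123" share the same MD5 hash, so the attacker learns both from a single lookup; with the salted form, hashing the same password twice gives two different strings, and the attacker has to run the full iterated computation separately for every user and every guess.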
  31. Tomi Engdahl says:

    Yahoo suffers world’s biggest hack on one billion users
    Embarrassing breach breaks company’s own humiliating record set months ago when another huge hack compromised users.
    http://www.aljazeera.com/news/2016/12/yahoo-suffers-world-biggest-hack-1-billion-users-161215034225047.html

    Yahoo has discovered a three-year old security breach that enabled a hacker to compromise more than one billion user accounts, breaking the company’s own humiliating record for the biggest security breach in history.

    The digital heist disclosed on Wednesday occurred in August 2013, more than a year before a separate hack that Yahoo announced nearly three months ago. That breach affected at least 500 million users, which had been the most far-reaching hack until the latest revelation.

    “Simply everyone that has a Yahoo account should be concerned,”

    Yahoo suffers world’s biggest hack affecting 1 billion users
    http://www.thehindu.com/business/Yahoo-suffers-worlds-biggest-hack-affecting-1-billion-users/article16832669.ece

    Earlier in 2016, Yahoo agreed to sell its digital operations to Verizon Communications for $4.8 billion, a deal that may now be imperiled by the hacking revelations.

    Yahoo has discovered a 3-year-old security breach that enabled a hacker to compromise more than 1 billion user accounts.

    The digital heist disclosed Wednesday occurred in August 2013, more than a year before a separate hack that Yahoo announced nearly three months ago. That breach affected at least 500 million users, which had been the most far-reaching hack until the latest revelation.

    “It’s shocking,” security expert Avivah Litan of Gartner Inc.

    Both lapses occurred during the reign of Yahoo CEO Marissa Mayer, a once-lauded leader who found herself unable to turn around the company in the four years since her arrival. Earlier this year, Yahoo agreed to sell its digital operations to Verizon Communications for $4.8 billion, a deal that may now be imperiled by the hacking revelations.

    Two hacks, more than a billion accounts

    Yahoo didn’t say if it believes the same hacker might have pulled off two separate attacks. The Sunnyvale, California, company blamed the late 2014 attack on a hacker affiliated with an unidentified foreign government, but said it hasn’t been able to identify the source behind the 2013 intrusion.

    Yahoo has more than a billion monthly active users, although some have multiple accounts and others have none at all. An unknown number of accounts were affected by both hacks.

    Security experts said the 2013 attack was likely the work of a foreign government fishing for information about specific people.

    Investors appeared worried about the Verizon deal. Yahoo’s shares fell 96 cents, or 2 percent, to $39.95 after the disclosure of the latest hack.

    Reply
  32. Tomi Engdahl says:

    An Important Security Lesson Taken from the Printing Press
    http://www.securityweek.com/important-security-lesson-taken-printing-press

    It’s Time to Bring the Capability to Achieve a Mature Security Posture Through a Robust Security Operations Function to the Masses

    The printing press was invented around the year 1440 by Johannes Gutenberg. Before the printing press, books were produced by hand, and thus were extremely expensive. After the invention of the printing press, it became possible to mass produce books.

    What does this have to do with security? Let’s dive in to find out.

    It has always surprised me that given all we know about the negative consequences of poor security, so few organizations achieve the security maturity that they should. In my experience, there is no function within security where this is felt more acutely than the security operations and incident response function.

    I don’t think that lack of awareness is the main issue.

    There are many people and organizations that understand the need to perform security operations and incident response perfectly well. They know that they need visibility across their enterprise and cloud environments. They know that they need to prioritize risks and threats. They know that they need to write incisive, targeted, high fidelity alerting to identify behaviors matching the very risks and threats they are concerned about. They know they need to manage, prioritize, and enrich their work queue with the right context at the right time. They know that they ultimately need to make educated, informed decisions about what type of action may or may not be required in a given instance. They know that they need response capabilities across their enterprise and cloud environments.

    If they know all this, you ask, why don’t they take action where action is required? Unfortunately, the answer is quite simple. Money.

    To better understand why budget can be such a challenge, let’s take a look at even a partial list (in no particular order) of what is required to build a mature security operations and incident response function above and beyond just meeting compliance requirements:

    ● Processes and procedures

    ● Trained people

    ● Intelligence

    ● Visibility on the network

    ● Visibility on a wide variety of endpoints

    ● Visibility in the cloud

    ● Application level visibility

    ● Security Information and Event Management (SIEM)

    ● Case management (ticketing)

    ● High fidelity, low noise alerting

    ● Supporting evidence/data to enrich alerting

    ● Investigative and forensics capabilities

    ● Analytics

    ● Metrics

    ● Reporting

    ● Response capability

    I could go on and on here, but this list isn’t meant to be complete by any means.

    ● A mature security posture with a robust security operations and incident response function requires both a diverse ecosystem of people, process, and technology, as well as an understanding of how to use that ecosystem properly.

    ● A mature security posture with a robust security operations and incident response function takes a considerable investment in both time and money that most organizations simply cannot afford.

    Reply
  33. Tomi Engdahl says:

    What Security Teams Need to Know about DevOps
    http://www.securityweek.com/what-security-teams-need-know-about-devops

    DevOps is already in use among 19% of IT organizations, with another 19% in a pilot phase. Another 35% intend to implement DevOps in 2017, thereby “crossing the chasm” next year, according to survey results announced by a major analyst firm whose conference on data center, infrastructure and operations was held last week.

    As DevOps becomes mainstream, there is an inevitable draw to incorporate security into the discipline. Whether the term “DevSecOps” catches on or not, the idea that security must “shift-left” to move earlier into the software supply chain is an idea whose time has come.

    DevOps supports these big principles:

    • DevOps exists to help the business win

    • The scope is broad, but centered on IT

    • The foundations are in Agile and Lean

    • (Collaborative) culture is important

    • Feedback is fuel for innovation

    • Automation helps

    Ultimately, DevOps is about a collaborative, agile approach to solving business problems or seizing business opportunities with information technology.

    How does DevOps intersect with security?

    If DevOps is being used in your organization, here are ways that security can support the effort using the six principles listed above:

    1. DevOps exists to help the business win – Security has the reputation of being the “department of no”.
    2. The scope is broad, but centered on IT
    3. The foundations are in Agile and Lean – Understanding the Agile manifesto and lean principles, taken from manufacturing operations at Toyota, will go a long way towards helping security professionals join in on DevOps.
    4. Culture is very important – One of the most critical differences between DevOps and what has come before is the emphasis on collaboration.
    5. Feedback is fuel for innovation
    6. Automation helps – Automation brings the advantages of faster and more consistent delivery with higher quality. Tools are a force multiplier for DevOps, but aren’t the foundation. Automation can’t force collaboration, but it does make it easier. Security tools to test, certify or monitor should be included in the tool chain for DevOps, and their output shared broadly for the sake of improvement.

    2017 is the year for information security teams to align to the work being done in DevOps – whether you call it DevSecOps or not, to be a better partner to both the business and the rest of IT.

    Reply
  34. Tomi Engdahl says:

    This is what industry must do to protect against cyber attacks:

    Raising and training personnel's cyber security awareness
    Clear instructions and its own policy
    Consideration of cyber security in the procurement phase of automation systems, for example through requirements
    Monitoring the situation in the automation network
    Design and implementation of secure remote access concepts
    Defining and implementing a secure network architecture
    Cyber security testing for automation systems (in particular by system vendors)

    Source: http://www.uusiteknologia.fi/2016/12/15/__trashed-4/

    Reply
  35. Tomi Engdahl says:

    Chris Conlon: Device Security 101
    http://hackaday.com/2016/12/14/chris-conlon-device-security-101/

    We all wring our hands over the security (or lack thereof!) of our myriad smart devices. If you haven’t had your home network hacked through your toaster, or baby cam, you’re missing out on the zeitgeist. But it doesn’t have to be this way — smart devices can be designed with security in mind, and [Chris Conlon] came to Pasadena to give us a talk on the basics.

    He starts off the talk with three broad conceptual realms of data security: data in transit, data at rest on the device, and the firmware and how it’s updated.

    Reply
  36. Tomi Engdahl says:

    Very few infected servers in Finland

    Microsoft has released the latest version of its twice-yearly Security Intelligence Report (SIR), which examines the security situation during the first half of the year globally in over 100 countries and territories. Finland once again stands out in the report to its advantage: the number of malicious websites in Finland is considerably lower than the world average.

    The number of servers containing harmful programs in Finland was 14.8 per thousand servers, while the global average was 36.8. In the first half of 2016 the level of malicious software infections and observations in Finland was typically about half of the world average.

    While the world average number of malware incidents is on the rise, the trend in Finland and the other Nordic countries is decreasing. In the first quarter of 2016 the level of malware incidents in Finland was 9.2 per cent and 7.9 per cent in the second quarter, while the global average was 18.3 per cent in the first quarter and 21.2 per cent in the second.

    - Based on the findings, Finland is once again among the world leaders in the cleanliness of computer networks, together with Japan. In Finland, an average of 93.9 percent of computers are protected with real-time security software.

    Source: http://etn.fi/index.php?option=com_content&view=article&id=5596:suomessa-hyvin-vahan-saastuneita-palvelimia&catid=13&Itemid=101

    Reply
  37. Tomi Engdahl says:

    Many afraid of the cloud

    Check Point Software Technologies yesterday announced the results of a survey on cloud security. As many as 93 per cent of the respondents were worried or very worried about the security risks posed by the use of cloud services to companies and organizations.

    Security managers' worst fear is company data in the cloud falling victim to extortion malware that locks it. 44 percent of respondents were very concerned and 38 percent worried about this.

    Other common fears were unauthorized access to company files in the cloud (67%), as well as information leaks (65%) and denial of service attacks (52%) against the cloud environment.

    Check Point also asked what kinds of measures are considered most effective for the protection of data in the cloud. The most frequently mentioned were data encryption (72%), traffic encryption (VPN) (60%) and user authentication (56%).

    Source: http://etn.fi/index.php?option=com_content&view=article&id=5594:moni-pelkaa-pilvea&catid=13&Itemid=101

    Reply
  38. Tomi Engdahl says:

    Cyber-attacks Against SWIFT Ongoing, Sophisticated
    http://www.securityweek.com/cyber-attacks-against-swift-ongoing-sophisticated

    Cyber-attacks against the SWIFT global banking network have continued throughout the year since the successful theft of $81 million from the Bangladesh central bank in February 2016. A letter seen by Reuters and dated Nov 2 warned member banks, “The threat is very persistent, adaptive and sophisticated — and it is here to stay.”

    Reply
  39. Tomi Engdahl says:

    Calls for Security Vendors to Guarantee Products
    http://www.securityweek.com/calls-security-vendors-guarantee-products

    Insurance is an increasingly important option for cyber defense — but a new survey shows a remarkable difference in attitude between different geographical areas. Against an overall average of 72%, only 49% of UK companies have a cyber insurance policy in place; despite London’s dominant position in world insurance and reinsurance.

    In a recent survey by Vanson Bourne for SentinelOne, details published Tuesday show the US as the most insurance-conscious area, with 83% of organizations already cyber insured.

    While 7% of French organizations, 3% of US organizations and only 2% of German organizations have no plans to implement cyber insurance, fully 20% of UK companies take the same attitude.

    SentinelOne believes that cyber insurance is important now and will be even more important in the future. Chief security consultant Tony Rowan told SecurityWeek that increasing regulatory pressure and fines would force business to look closely at cyber insurance. The survey shows this is already beginning, where the impending EU GDPR regulations and the threat of fines of up to €20 million or 4 per cent of turnover is causing another 52% of those that don’t currently have insurance to investigate the possibility.

    SentinelOne offers a variation on the insurance theme: it guarantees against customers’ loss through ransomware, and uses the insurance market to underwrite the guarantee.

    “We’re proud to have been the first,” said Rowan, “and still only, next generation endpoint protection company to launch a cyber security guarantee with our $1,000 per endpoint, or $1 million per company pay out in the event they experience a ransomware attack after installing our product.”

    A few other companies are now offering their own guarantees, such as Cymmetria, Trusona and WhiteHat Security — but Rowan told SecurityWeek that he would like to see all security vendors guaranteeing their own performance.

    He fears however, that not all security vendors could provide a guarantee. “I suspect the difficulty for some vendors would be getting the insurance companies to underwrite them;” although this is really an admission that some security products are just not good enough.

    Two processes could force vendors to offer guarantees. The first would be legislative insistence. Governments generally shy away from such steps citing jurisdictional problems and the fear of stifling innovation.

    The second process would be customer pressure. As more and more vendors begin to offer guarantees, there will be pressure for all vendors to follow suit, or simply be ignored by customers.

    The global cyber insurance market is expected to generate $14 billion by 2022, according to a new report from Allied Market Research (AMR). That figure represents an impressive compound annual growth rate (CAGR) of nearly 28% from 2016 to 2022.

    Reply
  40. Tomi Engdahl says:

    Hack Brief: Hackers Breach a Billion Yahoo Accounts. A Billion
    https://www.wired.com/2016/12/yahoo-hack-billion-users/

    In September, Yahoo had the unfortunate distinction of disclosing an enormous 500 million-account breach. Tough stuff. Somehow, though, the company seems to have topped even that staggering figure. Yahoo announced on Wednesday that hackers, in what’s likely a separate attack, compromised one billion of the company’s user accounts in August 2013. One billion. That makes this the biggest known hack of user data ever, and it’s not really close.

    The most important thing we know so far is that Yahoo says “this incident is likely distinct from the incident we disclosed on September 22, 2016.” That other breach happened in late 2014, so this new (even bigger) one took place about a year earlier.

    Security! experts! slam! Yahoo! management! for! using! old! crypto!
    Suits should have done more to protect users, rather than user numbers
    http://www.theregister.co.uk/2016/12/15/yahoos_password_hash/

    Fallen web giant Yahoo! has been branded negligent for failing to tackle the prodigious challenge of upgrading its MD5 password security before some one billion accounts were stolen.

    The security-battered organisation revealed today that attackers had stolen more than a billion accounts in August 2013 in history’s biggest breach.

    Hackers stole names, addresses, phone numbers, and MD5 hashed passwords in a coup for social engineers who could use the information to compromise the very identity of users.

    That eye-watering news followed the company’s September admission that 500 million accounts had been stolen in separate attacks by alleged state-sponsored hackers in 2014, an incident that came two years after staff became first aware of the hack.

    Yahoo! has since replaced its MD5 hashing with the far superior bcrypt, moving from the world’s worst password protection mechanism to the best.

    Yet it is little comfort for those who use legitimate personal details when signing up to Yahoo!’s service, including scores of American subscribers to major cable and DSL telcos including AT&T which use Yahoo! for its default email services, along with Kiwi carrier Spark which ditched the service in September.

    It is not known if the MD5 hashes were salted

    “What is most important is whether the hashes, be they MD5, SHA1, or SHA256, are salted,” Goldberg says. “There is absolutely no excuse to use unsalted hashes.”

    “The MD5 hashing algorithm has been considered not just insecure, but broken, for two decades,”

    “I consider it negligent of an organisation such as Yahoo!, which has an obligation to protect the private data of over one billion users, to be using such an outdated and ineffective control to protect the passwords of its customers.”

    Take this with a pinch of salt

    Administrators were salting password hashes in the 1980s, but many still fail to apply the complexity additive today. The cryptography measure introduces random data into one-way functions preventing the use of rainbow tables by ensuring identical passwords have unique hashes.

    Goldberg points to the 2012 breach at LinkedIn to demonstrate the importance of salting, something the security boffin wrote about at the time.

    “LinkedIn had used SHA1, an improvement over MD5 in general, but it really didn’t matter that it was SHA1 instead of MD5,” Goldberg tells The Register. “What mattered is that it was not salted. I argued in 2012 that it was irresponsible for LinkedIn to have used unsalted hashes, and so that certainly applies to Yahoo! using unsalted hashes in 2013, if indeed, their hashes were unsalted.”

    Put simply, a bland salt-free password earns the “contempt” of Goldberg and his kin, while the use of slow hashes like bcrypt, PBKDF2, or the upcoming Argon2 wins their praise.

    Attackers can guess salted passwords, whereas bcrypt and friends slow the rate at which those guesses can be made. “With a simple cryptographic hash function [like] SHA256, MD5, etcetera, an attacker might be able to make 10 million guesses per second on a single hash. But with the ‘slow hashing’ functions, that might be reduced to a few tens of thousands of guesses per second,” he says.

    Not easy

    Yahoo!, like so many other companies offering free technology services, wants to attract the highest possible number of subscribers and has been criticised for perceived attempts to kneecap fleeing users.

    “The only practical way to speed up the conversion process (to bcrypt) is to force a password reset, maybe across the board, but more likely on a web property by web property basis,”

    An email shipped to users asking them to log in so their passwords may be upgraded from MD5 hashing to bcrypt risks a “virtually overnight mass exodus of users” and a social media complaint storm that sends more rats from the burning Palace, he says.

    “Consider the legacy managed business mail systems,” White says. “The myriad e-commerce shopping cart apps, ad accounts, to say nothing of Flickr, Yahoo! IM, and the hundreds of millions of webmail users who hadn’t logged in for years, and you begin to see the scope of the engineering challenge.”

    Reply
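    The salting and slow-hashing points Goldberg makes above, shown in code. This is an added example, not code from The Register article or from Yahoo; the user passwords are constructed, and PBKDF2-HMAC-SHA256 from Python's standard library stands in for bcrypt so it runs without third-party packages.

    ```python
    import hashlib
    import hmac
    import os
    import time
    from collections import Counter
    from typing import Optional, Tuple

    # Constructed sample accounts (not real credentials). Two users chose the same password.
    USERS = {"alice": "correct horse", "bob": "correct horse", "carol": "battery staple"}

    PBKDF2_ITERATIONS = 100_000


    def md5_unsalted(password: str) -> str:
        """The legacy scheme described in the article: one fast hash, no salt."""
        return hashlib.md5(password.encode()).hexdigest()


    def salted_pbkdf2(password: str, salt: Optional[bytes] = None,
                      iterations: int = PBKDF2_ITERATIONS) -> Tuple[bytes, bytes]:
        """Salted, deliberately slow hash. A fresh random salt per user means identical
        passwords produce different stored values, so a rainbow table built once is useless."""
        if salt is None:
            salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
        return salt, digest


    def verify_pbkdf2(password: str, salt: bytes, digest: bytes,
                      iterations: int = PBKDF2_ITERATIONS) -> bool:
        """Recompute with the stored salt and compare in constant time."""
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
        return hmac.compare_digest(candidate, digest)


    def build_tables():
        """Return (unsalted_table, salted_table) as a password database would store them."""
        unsalted = {user: md5_unsalted(pw) for user, pw in USERS.items()}
        salted = {user: salted_pbkdf2(pw) for user, pw in USERS.items()}
        return unsalted, salted


    def shared_hash_users(table: dict) -> int:
        """Count users whose stored value is identical to another user's.
        In an unsalted dump this reveals password reuse across accounts for free."""
        counts = Counter(table.values())
        return sum(c for c in counts.values() if c > 1)


    def guesses_per_second(hash_fn, n: int) -> float:
        """Rough offline guessing rate for one hash function on this machine."""
        start = time.perf_counter()
        for i in range(n):
            hash_fn(f"guess{i}")  # constructed candidate passwords
        return n / (time.perf_counter() - start)


    def slowdown_factor(iterations: int = PBKDF2_ITERATIONS) -> float:
        """How many times fewer guesses per second the slow hash permits versus MD5."""
        fixed_salt = b"\x00" * 16  # salt held constant so only the work factor is measured
        fast = guesses_per_second(md5_unsalted, n=20_000)
        slow = guesses_per_second(lambda p: salted_pbkdf2(p, fixed_salt, iterations)[1], n=10)
        return fast / slow


    if __name__ == "__main__":
        unsalted, salted = build_tables()
        print("users sharing an MD5 hash:", shared_hash_users(unsalted))
        print("users sharing a salted hash:", shared_hash_users(salted))
        salt, digest = salted["alice"]
        print("alice verifies:", verify_pbkdf2("correct horse", salt, digest))
        print("slowdown factor vs MD5: ~%.0fx" % slowdown_factor())
    ```
    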
  41. Tomi Engdahl says:

    Most Businesses Pay Ransomware Demands, IBM Finds
    https://it.slashdot.org/story/16/12/14/2156238/most-businesses-pay-ransomware-demands-ibm-finds

    According to an IBM Security report released on December 14, 70 percent of businesses impacted by ransomware end up paying the attackers. The amount varies but a majority of business respondents said they paid tens of thousands of dollars.

    IBM Finds Most Businesses Pay Ransomware Demands
    http://www.eweek.com/security/ibm-finds-most-businesses-pay-ransomware-demands.html

    IBM Security report reveals that 70 percent of businesses impacted by Ransomware pay attackers, but there is hope in sight, as IBM’s Resilient Incident Response Platform adds a new Dynamic Playbook to help organizations respond to attacks.

    There has been a chorus line of vendors in 2016 proclaiming an increase in ransomware threats. IBM is now adding to the mix with a security study released on Dec. 14, reporting that 70 percent of businesses impacted by ransomware end up paying the ransom. IBM is going a step beyond just reporting on ransomware, with a new Dynamic Playbook for Ransomware capabilities in its Resilient Incident Response platform.

    The amount paid to ransomware attackers varies, but of those business respondents that paid a ransom, 20 percent paid over $40,000, 25 percent paid between $20,000 and $40,000 and 11 percent paid between $10,000 to $20,000.

    On the consumer side, IBM’s study found that the propensity to pay a ransom varies depending on whether or not the victim is a parent. 55 percent of consumers that identified themselves as being parents said they would pay a ransom to recover access to photos that had been encrypted, versus only 39 percent for consumers that don’t have children.

    Other industry research into ransomware has found some similar results.

    Reply
  42. Tomi Engdahl says:

    Newly Uncovered Site Suggests NSA Exploits For Direct Sale
    https://news.slashdot.org/story/16/12/14/2342247/newly-uncovered-site-suggests-nsa-exploits-for-direct-sale

    The Shadow Brokers — a hacker or group of hackers that stole computer exploits from the National Security Agency — has been quiet for some time. After their auction and crowd-funded approach for selling the exploits met a lukewarm reception, the group seemingly stopped posting new messages in October. But a newly uncovered website, which includes a file apparently signed with The Shadow Brokers’ cryptographic key, suggests the group is trying to sell hacking tools directly to buyers one by one, and a cache of files appears to include more information on specific exploits.

    Newly Uncovered Site Suggests NSA Exploits for Direct Sale
    http://motherboard.vice.com/read/newly-uncovered-site-suggests-nsa-exploits-for-direct-sale?asd?utm_source=mbtwitter

    Reply
  43. Tomi Engdahl says:

    PwC sends ‘cease and desist’ letters to researchers who found critical flaw
    The researchers disclosed details of the flaw, despite receiving two written legal threats.
    http://www.zdnet.com/article/pwc-sends-security-researchers-cease-and-desist-letter-instead-of-fixing-security-flaw/

    A security research firm has released details of a “critical” flaw in a security tool, despite being threatened with legal action.

    Munich-based ESNC published a security advisory last week detailing how a remotely exploitable bug in a security tool, developed by auditing and tax giant PwC, could allow an attacker to gain unauthorized access to an affected SAP system.

    The advisory said that an attacker could “manipulate accounting documents and financial results, bypass change management controls, and bypass segregation of duties restrictions,” which could result in “fraud, theft or manipulation of sensitive data,” as well as the “unauthorized payment transactions and transfer of money.”

    An attacker could also add a backdoor to the affected server, it read.

    The researchers contacted and met with PwC in August to discuss the scope of the flaw. As part of its responsible disclosure policy, the researchers gave PwC three months to fix the flaw before a public advisory would be published.

    Three days later, the corporate giant responded with legal threats.

    “We believe in responsible disclosure,” said Ertunga Arsal, chief executive of ESNC, in an email on Monday.

    “We are a security company, which is publicly credited by SAP and other companies for discovery of over 100 security vulnerabilities to date,” he said.

    Arsal said that this was the first time his company had submitted a vulnerability report to PwC, but it was also the first time that his company received a legal threat.

    In an email, a spokesperson for PwC acknowledged the existence of the vulnerability and confirmed that it had been fixed.

    The corporate giant argued that ESNC shouldn’t have had access to the software in the first place, as it wasn’t a licensed partner.

    “ESNC did not receive authorized access or a license to use this software.”

    “We informed PwC about the vulnerability and how it can be used to add a backdoor SAP admin account on the system during a meeting with their experts,” said Arsal. “We gave them sufficient time to patch the vulnerability and to inform their customers.”

    Realizing the severity of the flaw, Arsal said that he “offered [PwC] our help during this process.”

    Given the hostility that some researchers face, it makes you wonder why some people bother to report vulnerabilities in the first place.

    Reply
  44. Tomi Engdahl says:

    U.S. Officials: Putin Personally Involved in U.S. Election Hack
    http://www.nbcnews.com/news/us-news/u-s-officials-putin-personally-involved-u-s-election-hack-n696146

    U.S. intelligence officials now believe with “a high level of confidence” that Russian President Vladimir Putin became personally involved in the covert Russian campaign to interfere in the U.S. presidential election, senior U.S. intelligence officials told NBC News.

    Two senior officials with direct access to the information say new intelligence shows that Putin personally directed how hacked material from Democrats was leaked and otherwise used. The intelligence came from diplomatic sources and spies working for U.S. allies, the officials said.

    Reply
  45. Tomi Engdahl says:

    Data use rules set to be loosened under new EU e-Privacy laws – report
    WhatsApp, Skype face tighter constraints
    http://www.theregister.co.uk/2016/12/15/data_use_rules_set_to_be_loosened_under_new_eu_eprivacy_laws_report_says/

    New EU laws set to be proposed in January will give telecoms companies more options over how they might use data they gather that relates to customers’ communications, according to a media report.

    Telecoms companies can currently process “traffic” or location data if it has been anonymised or if they have consent to do so from customers, but only for limited purposes set out in the EU’s Privacy and Electronic Communications (e-Privacy) Directive. Traffic data is information that is processed when electronic communications are transmitted.

    Traffic data can be processed, providing consent has been obtained, for the purpose of marketing electronic communications services or for the provision of value added services. Location data other than traffic data can only be processed with consent “to the extent and for the duration necessary for the provision of a value added service”.

    Telecoms industry bodies have long bemoaned the rules. They believe the rules place them at a disadvantage compared to other communication providers that are not subject to the e-Privacy regime. Over-the-top communication (OTT) service providers, such as Skype and WhatsApp, offer services that fall outside the scope of the rules and so their use of customer data is governed by more general data protection laws.

    Reply
  46. Tomi Engdahl says:

    BlackEnergy power plant hackers target Ukrainian banks
    Follow the money – they did
    http://www.theregister.co.uk/2016/12/15/ukraine_banks_apt/

    The same hackers who turned out the lights at Ukrainian utilities last December have been running attacks against the same country’s banks over recent months.

    Security firm ESET reports that the gang slinging the TeleBots malware against Ukrainian banks shares a number of similarities with the BlackEnergy group, which conducted attacks against the energy industry in Ukraine in December, 2015 and January, 2016. ESET thinks that the BlackEnergy crew has evolved into what it calls the TeleBots group.

    As with campaigns attributed to BlackEnergy group, the attackers used spear-phishing emails with Microsoft Excel documents containing malicious macros as their main means of spreading infection.

    The rise of TeleBots: Analyzing disruptive KillDisk attacks
    http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/

    Reply
  47. Tomi Engdahl says:

    Moscow says writing infrastructure attack code is a thought crime
    Bill suggests sending malware authors to the gulag archipelago
    http://www.theregister.co.uk/2016/12/09/moscow_draft_bill_could_jail_hacking_tool_writers/

    Malware writers whose wares are used by separate attackers to pop Russian national infrastructure could end up fined and in jail, if a new Russian bill becomes law.

    The bill (Number 47571-7, Russian) reported by local media threatens those involved in the manufacture of malware subsequently used in damaging attacks against telecommunications, transport, or energy with up to a decade in jail, forced work for the state, or up to a million rubles (US$15,765, £12,526, A$21,145) fine.

    Authors would not need to be directly responsible for attacks: merely having written “deliberately nefarious” tools required to pull off the hacks would be enough for a conviction.

    Attacks are considered in scope of the bill if they involve blocking or modifying critical infrastructure data, copying it, or disabling relevant security controls.

    It is unknown how such laws could impact authors of legitimate hacking tools, although the bill states wares must be deliberately built for offensive hacking.

    Reply
  48. Tomi Engdahl says:

    Germany warns Moscow will splash cash on pre-election propaganda and misinformation spree
    Top security agency issues warning ahead of 2017 poll
    http://www.theregister.co.uk/2016/12/12/moscow_on_cashedup_hack_campaign_to_skew_german_election_berlin/

    Germany’s intelligence agency has accused Russia of hacking its politicians and election systems under the guise of online activism.

    Federal Office for the Protection of the Constitution (BfV) chief Hans-Georg Maassen says Russia is intending to “weaken or destabilise the Federal Republic of Germany”.

    Germany’s national election is expected in September 2017.

    Maassen says Russia is tipping money into misinformation campaigns in “aggressive and elevated” spying against “German Government officials, members of parliament, and employees of democratic parties”.

    Reply
  49. Tomi Engdahl says:

    Bluetooth-enabled safe lock popped after attackers win PINs
    If you use one, stop now. If you write heist movies, write safe-crackers out of your script
    http://www.theregister.co.uk/2016/12/15/bluetooth_commercial_safe_lock_popped_attackers_win_pins/

    Attackers can locate and pop safes protected with high security commercial locks thanks to poor Bluetooth implementations, say researchers at Somerset Recon.

    The SecuRam ProLogic B01 locks are badged as the industry’s only Bluetooth-packing lock for safes that can be paired with smartphones.

    “The end result was a fully-automated attack that allows us to remotely compromise any Prologic B01 lock up to 100 yards away,” the team says.

    “… attackers can execute cheap and practical attacks to locate and map these devices, know when they are unlocked over Bluetooth low energy (BLE), and extract the PIN with which they were unlocked.

    “We have contacted SecuRam about this vulnerability, but since these devices are not capable of over-the-air firmware updates, it does not look promising that they will be patched.”

    Attackers could identify the devices by wardriving with an Ubertooth One and a 5dBi antenna capable of detecting the locks from the maximum 90 metres distance.

    Reply
  50. Tomi Engdahl says:

    Kate Conger / TechCrunch:
    Evernote’s new privacy policy, set to take effect on Jan. 23, would let some employees read user notes to aid with machine learning, although users can opt out — Evernote announced that it will roll out a new privacy policy on January 23, and the changes have users threatening to abandon the service.

    Evernote’s new privacy policy allows employees to read your notes
    https://techcrunch.com/2016/12/14/evernotes-new-privacy-policy-allows-employees-to-read-your-notes/

    Evernote announced that it will roll out a new privacy policy on January 23, and the changes have users threatening to abandon the service.

    The policy changes have to do with machine learning, which Evernote says it is using to “help you get the most out of your Evernote experience.” Evernote wants to let its machine learning algorithms crunch your data, but it doesn’t want to stop there — the company also wants to let some of its employees read your notes so it can ensure that the machine learning is functioning properly.

    “The latest update to the Privacy Policy allows some Evernote employees to exercise oversight of machine learning technologies applied to account content,” Evernote said in an announcement of the new privacy policy. “While our computer systems do a pretty good job, sometimes a limited amount of human review is simply unavoidable in order to make sure everything is working exactly as it should.”

    Reply
