Security trends for 2016

Here are my predictions for trends in information security and cyber security for year 2016.

Year 2015 was pretty bad for information security, and I would say that the trend is worrying. So I expect that the year 2016 will bring many information security challenges. If you want to keep yourself up at night, spend some time reading about the latest developments in cybersecurity. In 2015 airplanes were hacked, cars were hacked, and vulnerabilities were found in a breathtaking range of sensitive equipment, from TSA locks to voting booths to medical devices. The big picture is even scarier. Former NSA Director Mike McConnell suspects China has hacked “every major corporation” in the US. Those problems will continue in 2016, and some new targets for attacks will be found. The system is broken. It isn’t keeping us, our companies, or our government safe. Worse yet, no one seems to know how to fix it.

Attacks through networks are becoming more common all the time. It will be hard to protect against targeted attacks. Hackers will not only customize malware, but they will increasingly use sophisticated phishing and social engineering tricks to gain access to sensitive data. Attackers usually cover their tracks carefully, and identification can be very difficult. Behind targeted attacks are usually professional criminals. Criminals do not respect geographical borders, and hence attacks are spread evenly everywhere. Companies will struggle to absorb the security threats of combined PC and mobile devices in 2016.


EU information security decisions made in late 2015 will have an impact on what comes in 2016: the new EU data protection legislation package was approved, and the EU Court of Justice ruled that the Safe Harbor procedure is invalid. This means that transfers of personal data from EU countries to the United States under Safe Harbor violate the law – you need some other agreement for this. The situation will probably get clarified during 2016. Data protection legislation changes will lead to increased fines for the unprepared. Legal uncertainty and big fines are a toxic cocktail for some companies. The combination of stiff penalties and ambiguously worded provisions in the new EU-wide data protection law, which would replace a patchwork of 28 national laws, raises daunting prospects for companies operating in Europe.

After the huge number of user information leaks in 2015 from all kinds of Internet services, cloud companies will face challenges in gaining trust in their security. Until now you might just have dared to trust “the right cloud services”, since from the traditional information security point of view they seemed to have the main things in order; the privacy issues raised in 2015 change this.

New environments will bring new threats. New operating system versions mean that administrators and users are less familiar with the environments. IPv6 will get more widely used, and the security of IPv6 networks is different from IPv4. Organizations are moving to virtualized environments, which are complex and create network layers that can become an attack vector. Growing network virtualization functionality and programmability are both an opportunity and a threat to security. Cyber security research will be important in 2016 as 5G networks will be critical infrastructure, on top of which, for example, transport, industry, health and the new operators will set up their business around 2020.

The huge amount of information security news is becoming harder and harder to manage in 2016. A key problem with security revelations, as with all other news coverage, is the exponential growth of knowledge. There are a variety of news summaries produced on a daily basis, but they are not enough to get a good picture of what is happening. There are bigger and smaller news items, the impact of which is at times very difficult to assess. SMBs will become a bigger target for cybercriminals. Network and security professionals continue to be among the toughest IT talent to find and hire.

The old way of network security, focused on perimeter defense, is not enough in 2016. The old mantras “encrypt everything” and “secure the perimeter” are not enough. One deceptive truth seems to drive much of the cybersecurity industry down a rabbit hole: if you keep bad actors and bad software out of your system, you have nothing to worry about. It does not work like that anymore. As perimeter security gets stronger, malicious actors are looking for easier entry points to compromise an organisation through the breadth of its digital attack surface. Now malicious actors target “endpoints”—any device or sensor connected to a network—to break into that network. Traditional sandboxing will no longer protect against the growing malware landscape. Today, most private networks have far too many endpoints to properly secure. In an age of “Bring Your Own Device,” the cloud, remote access, and the Internet of Things, there are too many vulnerabilities hackers can exploit. Keep in mind that everything connected to the Internet can, and will, be hacked. To address those threats in 2016, security experts should assume compromise – that hackers and malware already have breached their defenses, or soon will – and instead classify and mitigate threats. In addition to the public key infrastructure lock-and-key system you will also need an integrity solution that acts like an alarm. To protect against advanced threats, security professionals will increase their reliance on centralized security management solutions. You need to have prioritization and response plans for various kinds of breaches – with a strong focus on integrity.

Law enforcement versus Silicon Valley tension will continue to be strong throughout the year 2016. In 2015 law enforcement and politicians on both sides of the Atlantic lined up to repeatedly complain that the web was “going dark” as the result of end-to-end encryption and that this was hampering the investigation of terrorism and other serious crimes. Technologists and cryptographers argue that governments are trying to weaken encryption by demanding some form of privileged access for government. It’s not clear how much encryption the NSA can break. With renewed focus on how encrypted messages can be used to plot terrorist attacks, President Barack Obama’s administration is stepping up pressure on the tech sector to help in the battle. Privacy remains a major counter-argument. It seems that governments lie about encryption backdoors. Encryption systems weakened by mandated backdoors would not be effective in fighting the terrorists that governments invoke as their reason for wanting those backdoors in the first place.

But this does not stop some government officials from demanding such things, with varying success in different countries. Another fact is that the existence of coded communications is a reality and the U.S. may not be able to do much about it, because nearly everyone living in modern society uses it: encryption protects your bank information, prevents your password from being stolen when you log into a website, and allows all e-commerce transactions to take place securely. Encryption weakened by mandated backdoors would put all of us at an enormous risk of exposure from data breaches and associated online risks. The truth in 2016 is that any form of privileged access for government – i.e., a backdoor – would inevitably weaken crypto-systems and make them more vulnerable to attacks by foreign governments’ intelligence agencies as well as criminals. Juniper’s VPN security hole is proof that government backdoors are bonkers. Encryption backdoors would be a gleeful win-win for terrorists and a horrific lose-lose for you – the bad guys having strong protections for their data, and the rest of us not. Poorly thought-out and crude surveillance techniques could have a devastating effect on a country’s internet security; for example, Kazakhstan will force its citizens to install internet backdoors by requiring all Internet users to install a state-issued root certificate by January 1, 2016.

Google, Mozilla and Microsoft are pushing for an early SHA-1 crypto cutoff that can happen in 2016 instead of the earlier planned January 1, 2017. This is due to recent research showing that SHA-1 is weaker than previously believed, because it can be cracked without enormous effort. Mozilla, Microsoft and now Google are all considering bringing the deadline forward by six months to July 1, 2016. SHA-2 is going to be used as the replacement function for SHA-1. Websites like Facebook and those protected by CloudFlare have implemented a SHA-1 fallback mechanism for those systems that do not support SHA-2. Chrome will start displaying errors if SHA-1 certificates are employed in early 2016, and will completely stop supporting SHA-1 certificates at the end of 2016.

The use of blockchain technology, a permissionless distributed database based on the bitcoin protocol that runs across a global network of independent computers, will spread more widely than just Bitcoin virtual money. With bitcoin, the blockchain tracks the exchange of money. But it can also track the exchange of anything else that holds value, including stocks, bonds, and other financial securities. Overstock has already used the blockchain to issue private bonds. The Securities and Exchange Commission has approved a plan from online retailer Overstock.com to issue company stock via the Internet, signaling a significant shift in the way financial securities will be distributed and traded in the years to come. Overstock built its technology under the aegis of a subsidiary called TØ.com, and it plans to offer this “cryptosecurity” tech as a service to other businesses. Nasdaq OMX—the company behind the Nasdaq stock exchange—is using the blockchain to oversee the exchange of private stock. Also several major companies from across both the technology and financial industries—including IBM, Intel, and Cisco as well as the London Stock Exchange Group and big-name banks JP Morgan, Wells Fargo, and State Street—have joined forces to create an alternative to the blockchain with the Linux Foundation.

The use of disk encryption will increase, and there are different ways to do it with different security levels. With Windows 10, Microsoft has introduced disk encryption where the recovery keys are uploaded to Microsoft. This approach has some advantages and disadvantages. The gold standard in disk encryption is end-to-end encryption, where only you can unlock your disk. This is what most companies use, and it seems to work well. It protects data in case your device is lost or stolen. But what if you forget or lose your key? There are certainly cases where it’s helpful to have a backup of your key or password – so keeping a backup of your recovery key in your Microsoft account could be genuinely useful for probably the majority of users that don’t have high security needs. The disadvantage of this approach is that your computer is now only as secure as that database of keys held by Microsoft, which means it may be vulnerable to hackers, foreign governments, and people who can extort Microsoft employees.


Weak and leaked passwords are still a huge security problem in 2016. Passwords are often the weakest part when it comes to securing users’ accounts, as many don’t use complex passwords or they reuse the same password across services. Two-factor authentication – like using a USB stick with a secret token or entering a code sent via text message to your phone – can help to increase security, but many users also find this to be a hassle as it introduces an additional step to the login process.

Google has begun testing a login system that uses phone notifications for authentication instead of passwords: users authenticate by responding to a notification sent to their smartphone. The idea is similar to Yahoo’s recently launched “Account Key,” which also offers a password-free means of signing in, involving a push notification sent to your phone that then opens an app where you approve the log-in.

The smartphone will become a more and more security-critical part of your life. “Increasingly, individuals and organisations are adopting password managers and multi-factor authentication technologies to plug some of the holes in password-based authentication.” “We foresee a world where practically everyone uses their smartphone as a multi-factor authentication element. In this world, the smartphone becomes your most valuable asset: something that enables you to unlock your life online and a target for attackers seeking to access your services.”

Expect that the number of mobile vulnerabilities will only grow in 2016. In 2016 we will see increasing numbers of cyber criminals using mobile applications to spread malware. Mobile presents an easy target for cyber criminals, because it is an attack surface that is open and extremely difficult to defend once an app has been released. Android threats will become more than just headline-grabbers. Will 2016 be the year iOS malware goes mainstream?


Critical infrastructures will be highly targeted in 2015. SCADA and ICS networks were not designed for security. Attacks against these systems have increased in recent years. I expect this trend to only get worse. There are still many companies that run their critical systems on Windows XP, as “there are some people who don’t have an option to change.” Many times the OS is running in automation and process control systems that run business- and mission-critical systems, both in private sector and government enterprises. For example, the US Navy is using the obsolete operating system Microsoft Windows XP to run critical tasks. It all comes down to money and resources, but if someone is obliged to keep something running on an obsolete system, it’s the completely wrong approach to information security.

Cars were hacked at a record rate in 2015, and they will be hacked at least at the same rate in 2016. Modern cars feature more gadgetry and connected systems, and this will make vehicles just as vulnerable to today’s threats and attacks. I Am The Cavalry has published a five-star Cyber Safety Framework to mitigate this threat in cars; hopefully car component makers study it.

IoT and smart devices are still at risk. The Internet of Things will continue to emerge, and businesses will need to think about how to protect their smart devices and prepare for the wider adoption of IoT. IoT platforms are not yet the weapon of choice for commercial malware authors – but business beware. Wearables won’t be safe either, as they are built using largely the same, too often vulnerable, technologies as other IoT systems. IoT security is still in its infancy in 2016.

Cyber criminals became more active in 2015, particularly with ransomware. The ransom-malware problem will continue to be big in 2016. Commercial malware authors will continue to invest heavily, and exploit kits will continue to dominate on the web. Ransomware today is big business. Ransomware takes control of a computer and holds it hostage until the victim pays, usually in the digital currency Bitcoin. As a remedy against ransom-malware I recommend ensuring that your IT support or your service provider has the data backup and restore procedure operational, practiced and tested. You may need it in 2016 to get your data back without considering paying the criminals. To date ransomware has hit Windows users hardest, although Android and MacOS users are now also facing similar extortion.

Ransomware will continue to dominate in 2016, and it is only a question of time before we see things beyond data being ransomed. We have already seen websites being held to ransom with DDoS. Intel’s McAfee Labs also noted a huge spike in ransomware in early 2015, and worries about ransomware in the IoT space—including medical devices. And Kaspersky predicts the “nightmare of ransomware” to continue and “spread to new frontiers” in 2016. The article Ransomware Is Coming to Medical Devices tells that according to a report released recently by Forrester Research, the number one cybersecurity prediction for 2016 is: “We’ll see ransomware for a medical device or wearable.” “It’s definitely feasible from a technical standpoint.” Networked medical devices save lives. Despite the hacking risk, it’s an informed trade-off. Medical device ransomware would be a modern form of highway robbery with lives at stake.

2,232 Comments

  1. Tomi Engdahl says:

    Brian Wheeler / BBC:
    UK’s Investigatory Powers Tribunal rules computer hacking by GCHQ is not illegal after GCHQ admitted to using the practice in UK and abroad

    Tribunal rules computer hacking by GCHQ is not illegal
    http://www.bbc.com/news/uk-politics-35558349

    GCHQ is operating within the law when it hacks into computers and smart phones, a security tribunal has ruled.

    Campaigners Privacy International have lost a legal challenge claiming the spying post’s hacking operations are too intrusive and break European law.

    The case was launched after revelations by US whistleblower Edward Snowden about the extent of US and UK spying.

    GCHQ admitted its agents hack devices, in the UK and abroad, for the first time during the hearings.

    Its previous policy had been to “neither confirm nor deny” the existence of such operations.

  2. Tomi Engdahl says:

    Mark Bergen / Re/code:
    European Commission VP Andrus Ansip on leading the Digital Single Market initiative, cybersecurity, opposition to encryption back doors

    Meet the Politician Trying to Shove Europe Into the Digital Future
    http://recode.net/2016/02/11/meet-the-politician-trying-to-shove-europe-into-the-digital-future/

    Andrus Ansip has a problem with Tim Cook.

    At his Brussels office, Ansip opens his iPhone 6 to the step-counting health tracker. “It’s putting you under pressure,” he told me. “How many steps did I make today? Aah!” After falling behind in a competition with his staff in Davos, he suspects the Apple chief of stealing his steps.

    It’s sarcasm, and fairly obvious. Yet Ansip felt the need to qualify it. “They provide an excellent service,” he said.

    Ansip’s opinion on tech matters. As vice president for the European Commission, the chief EU governing body, he leads the Digital Single Market, a landmark attempt to unify regulation of Internet companies and transactions across the 28 member countries of the EU. It touches nearly everything — from e-commerce and digital music to cyber security and privacy.

    Several people in European tech describe him as a determined diplomat, fighting an uphill slog against European industries and politicians reluctant to accept digital deregulation, or the accompanying benefits to Silicon Valley firms. And many expect the Digital Single Market to ease burdensome red tape, like that around e-commerce transactions and streaming. But it also has elements that may displease the Valley, like tighter regulation of over-the-top services and platforms.

    “In the European Union, we were able to create this single market in physical form. We were able to tear down all those barriers dividing our member states. But a digital single market doesn’t exist,” he told Re/code in an interview last month. “Instead of having single rules, we have 28 different rules dealing with online sales of perishable goods, for example. And potentially we have 28 different rules dealing with online sales of digital content. Fifty-six different rules.”

    It’s not just e-commerce. Many European countries are considering drafting their own laws regulating sharing economy startups like Airbnb and Uber

    On Encryption, Security and Streaming

    On political attention to cyber security: “In your country, maybe because of ‘Die Hard 4’ and Bruce Willis, you pay attention on cyber security issues.” (He traces Europe’s awakening to the cyber attacks in Estonia in 2007.)

    On the blame laid on tech for recent terrorist attacks: “Some people would like to say the Internet is guilty. Those are people killing other people. We have to keep our Internet open. As it is right now, I’m against fragmentation of the Internet.”

    Unlike some U.S. politicians, Ansip is opposed to forcing tech companies to open “back doors,” giving governments access to encrypted services. “If we have those back doors, then sooner or later somebody will misuse those back doors anyway,” he said. “I’ve stated it many, many times: Trust is a must. If our people cannot trust those Internet based e-services, they will not start to use them.”

    A particular fixation of Ansip’s is “geo-blocking,” the practice, common in Europe, of blocking services based on location.

    Where Ansip disagrees with Valley tech companies is on Europe’s stance toward tech firms across the Atlantic.

    EU’s byzantine digital rules hold back companies from both sides of the Atlantic, Ansip argued. Hence the importance of his Digital Single Market push

    “Why do startups move out to scale up?” he asked. “It’s mainly because of fragmentation. It’s so difficult to cross those digital borders.”

  3. Tomi Engdahl says:

    Wall Street Journal:
    Facebook exploring counter speech tactics to discredit extremist speech, including giving up to $1K in ad credits and funding student competitions

    Facebook Adds New Tool to Fight Terror: Counter Speech
    http://blogs.wsj.com/digits/2016/02/11/facebook-adds-new-tool-to-fight-terror-counter-speech/

    Tuesday mornings, Monika Bickert and her team of content cops meet to discuss ways to remove hate speech and violent posts from Facebook Inc., the world’s largest social network. Recently, the group added a new tool to the mix: “counter speech.”

    Counter speakers seek to discredit extremist views with posts, images and videos of their own. There’s no precise definition

    Facebook Chief Operating Officer Sheryl Sandberg appeared to endorse the idea during a panel at the World Economic Forum in Davos, Switzerland, last month, suggesting a similar “like” attack could hurt groups like Islamic State.

    “Google and Facebook have latched onto this notion as a means of responding to objectionable or harmful content and now they are beginning to do things to try to encourage it,” said Susan Benesch, a faculty associate of the Berkman Center for Internet and Society at Harvard University and director of the Dangerous Speech Project

    Facebook also has provided ad credits of up to $1,000 to counter speakers

    “We need narratives that promote tolerance, peace and understanding,” Ms. Bickert told the group assembled for judging. “Those narratives can’t come from us. Those voices are you.”

    “The violent extremists have put a lot of money behind their propaganda and their voices in different ways,” said Erin Saltman, a senior counter extremism researcher for the Institute for Strategic Dialogue. The counter speech movement “really does need a little help at this point.”

  4. Tomi Engdahl says:

    Don’t Be Hacker Bait: Do This One-Hour Security Drill
    5 Steps to make your digital self less attractive to hackers, phishers and overly aggressive marketers
    http://www.wsj.com/articles/do-this-one-hour-security-drill-5-steps-to-being-safer-online-1454528541

    Ask a hacker if your digital security is at risk, and the answer is always yes. You could hide in a mountain bunker lined with tin foil and twigs, and somebody still might drain your bank account.

    It’s no reason to feel helpless. You can make yourself less of an easy target for hackers, money-hunting phishers and overly aggressive marketers by bolstering your security and data privacy. I’ll show you how to do it in an hour or less.

    The answer isn’t the antivirus software we were all trained to run on our PCs. That can be useful to identify problems, and now antivirus is built into Microsoft ’s Windows 10. But viruses don’t spread the ways they used to—and the bad guys change their strategies so quickly, traditional antivirus can’t keep up.

    The foundation of smartphone and laptop safety is software updates, smarter passwords and more defensive Web browsers. Then it comes down to learning a few new digital habits to avoid being duped by criminals who exploit our own good natures.

  5. Tomi Engdahl says:

    Cade Metz / Wired:
    Coinbase throws support behind Bitcoin Classic as Bitcoin community faces schism over block size issue

    The Schism Over Bitcoin Is How Bitcoin Is Supposed to Work
    http://www.wired.com/2016/02/the-schism-over-bitcoin-is-how-bitcoin-is-supposed-to-work/

    The bitcoin community can’t even agree on whether it’s breaking up.

    Last month, Mike Hearn—an ex-Googler and one of the biggest names working on the software underpinning bitcoin—made more than a few headlines when he called the digital currency “a failed experiment.” He not only parted ways with the bitcoin community. He sold all his bitcoin. He said he was fed up because the bitcoin system—software that runs across a vast network of independent machines spread across the globe—was “completely controlled by just a handful of people” and “on the brink of technical collapse.”

    Hearn had been part of a group trying to change the bitcoin software so it could avoid that “technical collapse,” and this group ran into fierce opposition from that “handful of people” at the heart of the bitcoin community—i.e. other core developers with different opinions on the future of the digital currency. He called it “open civil war.”

  6. Tomi Engdahl says:

    Warning: Bug in Adobe Creative Cloud deletes Mac user data without warning
    Adobe has stopped distribution of an update believed to be triggering the deletions.
    http://arstechnica.com/apple/2016/02/warning-bug-in-adobe-creative-cloud-deletes-mac-user-data-without-warning/

    Adobe Systems has stopped distributing a recently issued update to its Creative Cloud graphics service amid reports a Mac version can delete important user data without warning or permission.

    The deletions happen whenever Mac users log in to the Adobe service after the update has been installed, according to officials from Backblaze, a data backup service whose users are being disproportionately inconvenienced by the bug

    “This caused a lot of our customers to freak out,”

    On Friday morning, Adobe Creative Cloud users flooded Twitter with complaints about the unauthorized data deletions.

    https://backblaze.zendesk.com/entries/98786348

  7. Tomi Engdahl says:

    Bomb hoax server hoster reportedly cuffed in France
    Log-less network service targeted in wake of global bomb threats.
    http://www.theregister.co.uk/2016/02/15/bomb_hoax_server_hoster_reportedly_cuffed_in_france/

    French police have arrested the operator of a log-free Extensible Messaging and Presence Protocol (XMPP) service allegedly used by a hacking gang responsible for making dozens of fake bomb threats to schools around the world.

    Les Gendarmes say they’ve cuffed Vincent Lauton, 18, allegedly the operator of darkness.su, which positions itself firmly as a service for those seeking high anonymity. The outfit promises customers it does not store user logs “in any manner” other than for debugging, and does not require customer information to set up accounts. The site sports an advertisement for carding website ValidShop.

    Le Monde reports Lauton is being investigated for possible links to the group calling itself Ev4cuati0nSquad, which over the last month has phoned in dozens of fake bomb threats to schools in countries including the UK, the US, and Australia causing closures and widespread panic.

  8. Tomi Engdahl says:

    No, VTech cannot simply absolve itself of security responsibility
    http://www.troyhunt.com/2016/02/no-vtech-cannot-simply-absolve-itself.html

    A few months ago, the Hong Kong based toy maker VTech allowed itself to be hacked and millions of accounts exposed including hundreds of thousands of kids complete with names, ages, genders, photos and their relationships to their parents replete with where they (and assumedly their children) could be located. I chose this term deliberately – “allowed itself to be hacked” – because that’s precisely what happened. In an era where major incidents such as Ashley Madison and TalkTalk were front page news in the mainstream press, VTech continued to run a service with such egregious security flaws as the SQL injection risk the hacker originally exploited, unsalted MD5 password hashes, no SSL encryption anywhere, SQL statements returned in API calls (it’s actually in the JSON response body of my post above) and massively outdated web frameworks. What I didn’t write about at the time but reported privately was that they also had multiple serious direct object reference risks; the API that returned information on both kids and parents could be easily exploited just by manipulating an ID. Here’s what I shared with VTech via the reporter who originally broke the story (this is about the available methods on one of their APIs):

    I actually created two accounts in order to demonstrate that whilst logged on as one, I could access the data from the other. The level of sophistication involved here is being able to count, yet in a subsequent press release, VTech claimed that the incident was an “orchestrated and sophisticated attack on our network”. No, it was neither of these things, firstly because it was a single individual, therefore they weren’t exactly orchestrating anything with anyone, and secondly, because being able to add numbers does not make for a sophisticated attack, nor does being able to mount a SQL injection attack using some automated tools (indeed this was how a 15-year-old kid was able to compromise TalkTalk). As much as the attacker’s actions were illegal and he deserves to be held accountable, VTech has some serious blame to wear.

    Here’s the bit I have a really hard time fathoming:

    YOU ACKNOWLEDGE AND AGREE THAT ANY INFORMATION YOU SEND OR RECEIVE DURING YOUR USE OF THE SITE MAY NOT BE SECURE AND MAY BE INTERCEPTED OR LATER ACQUIRED BY UNAUTHORIZED PARTIES

    But it’s their responsibility to secure it! Look, I’m the first person to acknowledge that there are very few absolutes in security and there always remains some sliver of a risk that things will go wrong but even then, you, as the organisation involved, have to take responsibility. Certainly that’s the expectation of the customer – that the information they provide will remain secure – and VTech (or anyone else for that matter) cannot simply just absolve themselves of that responsibility in their terms and conditions. People don’t even read these things!

    The bigger picture here is that companies are building grossly negligent software – not just one mistake in otherwise well-written software (the Patreon incident is a good example of this) – and then simply not being held accountable when it all goes wrong. I genuinely hope the proposed EU data protection laws requiring up to 4% of gross revenue to be paid in the incident of a data breach serves as incentive for orgs to get their act together because as it stands, too many companies just aren’t taking this seriously.

    When VTech meets the GDPR
    https://www.pentestpartners.com/blog/when-vtech-meets-the-gdpr/

    Following my comments on the BBC yesterday (where I called for a boycott of VTech products) I thought it would be useful to point out some coming legislation that will scupper this lawyer-driven dribble in the future: The General Data Protection Regulation or GDPR.

    If you’re not up-to-speed on the situation (have you been living in a cave?) a few days ago Troy Hunt pointed out the change to VTech’s T&Cs.

    With the change they made it clear that they in no way would accept any responsibility for the loss or abuse of their customers’ data if their systems were compromised.

    Based on their attitude I’m guessing ‘when’ rather than ‘if’, but that’s by-the-by.

    Who does the GDPR affect?

    As of spring 2018 any organisation trading in any EU Member State (that’ll include you VTech) that collects personal data is legally obliged to properly protect that data. It’s not a wishy-washy regulation either; it’s MANDATORY. National legislation can be introduced to augment the GDPR, to make it even more robust nationally.

    It will apply to all personal data, regardless of the age of the people it relates to (that includes children VTech in case you’re not clear), in whatever format it is held (including structured paper files) and whenever it was collected.
    What is ‘Personal Data’?

    The new wider definition of ‘personal data’ covers any information about an identified or identifiable individual.

    …but to identify someone you do not need to know their name.

    It is enough if you can single them out from a group, by means of an identification number, location data or online identifier (such as an IP address) or something that is specific to their physical, physiological, genetic, mental, economic, cultural or social identity.
    The challenge of the GDPR

    The GDPR will be a priority for organisations across Europe (and beyond) throughout 2016, but even so many organisations will find that two years is not long enough to do all that needs to be done.

    Conclusion

    So VTech, you have two years to get your house in order, otherwise you’ll get the sort of fine you deserve for your cock-up: €20,000,000 or up to 4% of the annual worldwide turnover of the preceding financial year in case of an enterprise, whichever is greater.

    Reply
  9. Tomi Engdahl says:

    vTech – ignorance is no defence (and neither are weasel words)
    http://countermeasures.trendmicro.eu/vtech-ignorance-is-no-defence-and-neither-are-weasel-words/#.VrnIWFzH03c.twitter

    This limitation of liabilities clause in their T&Cs is incredible! Here is a selection of words I would use to describe it; outrageous, unforgivable, ignorant, opportunistic, and indefensible.

    vTech appear to have learned only that they have a legal liability to protect consumer data, sensitive data of children and parents, MY data and that of my own children in fact. And that a failure to fulfil that obligation may result in substantial costs to the business. As a (former) customer of vTech I can say with certainty that these new T&Cs have not been communicated to me.

    With this clause vTech appear to be attempting to completely absolve themselves of responsibility when it comes to protecting customer data. The only possible motivation for inclusion of a clause such as this could be to attempt to take advantage of their customers’ ignorance of the law, to attempt to brush aside consumer complaints in the event of a breach. This is not only morally unacceptable, it would also be struck down as a defence by any European court and in fact I would not be surprised if they were obliged to remove this clause from their T&Cs within the EU by national data protection agencies.

    Reply
  10. Tomi Engdahl says:

    ‘Adobe Creative Cloud update ate my backup!’
    Photoshop giant pulls download after directories go missing
    http://www.theregister.co.uk/2016/02/13/adobe_creative_cloud/

    How about this for bizarre bug of the week: the latest version of Adobe Creative Cloud deletes the first hidden directory in root directories on Macs.

    That’s bad news for users of BackBlaze: the backup software stores a .bzvol folder in the top level of every drive it backs up, and uses these folders to store information about the drives. Adobe’s Creative Cloud app wipes away these directories, leaving BackBlaze’s users faced with “your drive is no longer backed up” errors.

    Another issue is that Adobe’s software may also delete the first file or folder in a root directory that starts with a space character

    The deletions are triggered when installing version 3.5.0.206 of the Adobe app, or signing into the cloud service with that build. Adobe has since pulled that download while it investigates the programming cockup.

    Reply
  11. Tomi Engdahl says:

    BlackEnergy trojan also hit Ukrainian mining firm and railway operator
    There be nasties out east, y’know
    http://www.theregister.co.uk/2016/02/15/blackenergy_trojan_trend_micro/

    Security researchers have linked attacks against Ukrainian power utilities in Dec 2015, which used the BlackEnergy trojan, to similar attacks against a mining company and a large railway operator in Ukraine.

    The new research, by Kyle Wilhoit of Trend Micro, casts fresh light on what’s arguably the most significant malware-based hack attack since Stuxnet hobbled Iranian nuclear centrifuges back in 2010.

    Wilhoit and his team identified the new victims after looking for traces of original indicators of compromise associated with BlackEnergy, including reconnaissance and lateral movement tools and KillDisk, a disk-wiping malware payload, among others.

    The Ukrainian mining company and a large Ukrainian train company were identified as victims based on a combination of telemetry data from open-source intelligence and data from Trend Micro’s Smart Protection Network.

    The two unnamed organisations were affected by some BlackEnergy and KillDisk infrastructure that were seen in attacks against energy firms Prykarpattya, Oblenergo and Kyivoblenergo.

    Reply
  12. Tomi Engdahl says:

    KillDisk and BlackEnergy Are Not Just Energy Sector Threats
    http://blog.trendmicro.com/trendlabs-security-intelligence/killdisk-and-blackenergy-are-not-just-energy-sector-threats/

    Our new intelligence on BlackEnergy expands previous findings on the first wide-scale coordinated attack against industrial networks. Based on our research that we will further outline below, attackers behind the outages in two power facilities in Ukraine in December likely attempted similar attacks against a mining company and a large railway operator in Ukraine.

    This proves that BlackEnergy has evolved from being just an energy sector problem; now it is a threat that organizations in all sectors—public and private—should be aware of and be prepared to defend themselves from. While the motivation for the said attacks has been the subject of heavy speculation, these appear to be aimed at crippling Ukrainian public and critical infrastructure in what could only be a politically motivated strike.

    During the course of our investigation, we saw an overlap between the BlackEnergy samples used in the Ukrainian power incident and those apparently used against the Ukrainian mining company.

    Similar Malware in a Large Ukrainian Train/Railway Operator

    Like the attacks against the Ukrainian mining company, we also witnessed KillDisk possibly being used against a large Ukrainian railway company that is part of the national Ukrainian railway system.

    Reply
  13. Tomi Engdahl says:

    Vulnerability In Font Processing Library Affects Linux, OpenOffice, Firefox
    http://linux.slashdot.org/story/16/02/15/143206/vulnerability-in-font-processing-library-affects-linux-openoffice-firefox

    If an application can embed fonts with special characters, then it’s probably using the Graphite font processing library. This library has several security issues which an attacker can leverage to take control of your OS via remote code execution scenarios. The simple attack would be to deliver a malicious font via a Web page’s CSS.

    Vulnerability in Font Processing Library Affects Linux, OpenOffice, Firefox
    http://news.softpedia.com/news/vulnerability-in-font-processing-library-affects-linux-openoffice-firefox-500027.shtml

    Four vulnerabilities in the Graphite (or libgraphite) font processing library allow attackers to compromise machines by supplying them with malicious fonts.

    “One Graphite vulnerability is very easy to exploit”

    According to an advisory put out by the Cisco Talos security team, this library includes four vulnerabilities. The worst is an out-of-bounds read bug (CVE-2016-1521) that allows attackers to crash the system and even execute arbitrary code on the machine.

    “Firefox and one malicious font can compromise your computer”

    Users don’t even have to click on the attacker’s links and can be forced to access the malicious Web page hosting weaponized Graphite-enabled fonts via hidden redirects, often used by malvertising campaigns.

    Once the user reaches a page delivering malicious Graphite-enabled fonts, the vulnerability allows the attacker to get a foothold on the user’s system.

    Besides the out-of-bounds issue, Cisco has also discovered a buffer overflow issue that led to remote code execution (CVE-2016-1523) and two DoS (Denial of Service) issues, but not as severe as the first two.

    UPDATE: Mr. Hosken from the Graphite team has confirmed to Softpedia that these issues have been fixed in Graphite 2 version 1.3.5.

    Reply
  14. Tomi Engdahl says:

    British teenager suspected of being a mystery hacker who stole CIA boss emails
    http://www.telegraph.co.uk/news/uknews/crime/12154592/British-teenager-suspected-of-being-a-mystery-hacker-who-stole-CIA-boss-emails.html

    The 16-year-old boy was arrested in the East Midlands as part of an investigation into the data breach of John Brennan’s emails last year.

    A British teenager is suspected of being a mystery hacker who infiltrated the personal email account of the director of the CIA and posted personal details online.

    The 16-year-old boy was arrested in the East Midlands on Tuesday as part of an investigation into the data breach of John Brennan’s emails last year.

    He is suspected of being a hacker known as “Cracka” who has claimed responsibility for the incident and part of a wider group that calls itself “Crackas with Attitude”, which has been behind a series of high-profile attacks.

    Reply
  15. Tomi Engdahl says:

    Steve Ragan / CSO:
    Hollywood Presbyterian Medical Center’s network down for more than a week after ransomware attack; hackers demand $3.6M

    Ransomware takes Hollywood hospital offline, $3.6M demanded by attackers
    http://www.csoonline.com/article/3033160/security/ransomware-takes-hollywood-hospital-offline-36m-demanded-by-attackers.html

    Network has been offline for more than a week, $3.6 million demanded as ransom

    The computers at Hollywood Presbyterian Medical Center have been down for more than a week as the Southern California hospital works to recover from a Ransomware attack.

    According to officials HPMC, they’re cooperating fully with the LAPD and FBI, as law enforcement attempts to discover the identity of the attackers.

    However, in the meantime the network is offline and staff are struggling to deal with the loss of email and access to some patient data.

    The hospital’s President and CEO, Allen Stefanek, said the situation was declared an internal emergency, telling NBC LA that the hospital’s emergency room systems have been sporadically impacted by the malware.

    Some patients were transported to other hospitals due to the incident. In other parts of the hospital, computers essential for various functions, including CT scans, documentation, lab work, and pharmacy needs are offline.

    The hospital’s network has been down for at least a week, forcing staff to rely on fax machines and telephones to get work done.

    Registrations and medical records are being logged on paper and staff have been told to leave their systems offline until told otherwise.

    The type of Ransomware responsible for shutting down the hospital remains unknown

    Reply
  16. Tomi Engdahl says:

    The 4 most typical wireless network hacks
    http://www.cablinginstall.com/articles/pt/2016/02/the-4-most-typical-wireless-network-hacks.html?cmpid=Enl_CIM_CablingNews_February152016&eid=289644432&bid=1309993?cmpid=Enl_CIM_CablingNews_February152016&eid=289644432&bid=1309993

    Wi-Fi networks are inherently vulnerable, but there are steps organizations can take to protect themselves.

    Grey says, “If you have Wi-Fi, then you definitely have vulnerabilities. The point is to know what they are and have a solution in place so you know when you’re being attacked, and can mitigate the risk and consequences. These increases match the growth of the wireless industry.”

    The top 4 key attack vectors used to hack wireless networks, as identified by Netscout include snooping, Denial of Service (DoS) attacks, password cracking, and information theft.

    Grey adds, “It’s no coincidence that security incidents are increasing at a faster rate than ever before and are costing organizations significantly more. The more we have connected people on the Web, the more we have security incidents.”

    Reply
  17. Tomi Engdahl says:

    Phone Hacking Group Is Trading Fake Bomb Threats For Bitcoin
    http://yro.slashdot.org/story/16/02/15/1811249/phone-hacking-group-is-trading-fake-bomb-threats-for-bitcoin

    French police arrested a suspect in connection to a group of hackers that are selling fake bomb threats for Bitcoin. The group has been terrorizing cities in France, UK, USA, and Australia for months. Police suspect they are doing this by using an anonymity XMPP service to hack into VoIP phones and make the fake bomb threats and swatting calls.

    Phone Hacking Group Is Selling Fake Bomb Threats for Bitcoin
    http://news.softpedia.com/news/phone-hacking-group-is-selling-fake-bomb-threats-for-bitcoin-500435.shtml

    French police have arrested Vincent L., 18, from Paris, for failing to cooperate with authorities in an investigation related to a series of fake bomb threats that took place in France, but also in other countries such as Australia, the UK, and the US, LeMonde reports.

    Vincent L. is the owner of the Darkness.su website, which provides anonymous XMPP services for its users. According to French law enforcement, the service has been used by Evacuation Squad, a group that has terrorized cities across the globe by calling in fake bomb threats and sending SWAT teams to various celebrities and high-profile public figures (a phenomenon known as swatting).

    “Evacuation Squad is selling fake bomb threats for Bitcoin”

    Evacuation Squad has been active in the past months, mainly via the @Ev4cuati0nSquad and @SwatTheW0rld Twitter accounts, now suspended.

    On January 26, the group posted a PasteBin note (now deleted) in which it said it was taking free requests until March 1, 2016, for locations where it would make bomb threats. After March 1, the group announced it would take payments in Bitcoin for further bomb threats on custom targets.

    The group was charging $5 worth of Bitcoin for schools and company headquarters, $10 worth of Bitcoin for courthouses and entire school districts, $20 worth of Bitcoin for sports events and major conventions, and $50 worth of Bitcoin for “major” sports events.

    Reply
  18. Tomi Engdahl says:

    Expert on Yle: “We are a soft target for cyber attacks – Russian espionage is obvious”

    F-Secure cyber security advisor Erka Koivunen warned yesterday about cyber attacks that, for example, Russia may direct at key Finnish persons. In a Yle interview today he said that Finland is poorly prepared.

    Yesterday we wrote about an interview Koivunen gave to Ilta-Sanomat. In it he warned that the whole of society could be paralysed if, for example, Russia were to direct a strategic strike at a small number of targets.

    Source: http://www.tivi.fi/Kaikki_uutiset/asiantuntija-ylella-olemme-pehmea-kohde-kyberiskuille-venajan-vakoilu-paivanselvaa-6304271

    More:
    http://yle.fi/uutiset/f-securen_koivunen_kyberiskuista_on_paivanselvaa_etta_venaja_vakoilee_suomea/8675815
    http://www.iltasanomat.fi/kotimaa/art-1455500301364.html

    Reply
  19. Tomi Engdahl says:

    Feb 16
    Critical Fixes Issued for Windows, Java, Flash
    http://krebsonsecurity.com/2016/02/criticial-fixes-issued-for-windows-java-flash/

    Microsoft Windows users and those with Adobe Flash Player or Java installed, it’s time to update again! Microsoft released 13 updates to address some three dozen unique security vulnerabilities. Adobe issued security fixes for its Flash Player software that plugs at least 22 security holes in the widely-used browser component. Meanwhile, Oracle issued an unscheduled security fix for Java, its second security update for Java in as many weeks.

    One big critical update from Redmond mends more than a dozen security problems with Internet Explorer. Another critical patch addresses flaws in Microsoft Edge — including four that appear to share the same vulnerability identifiers (meaning Microsoft re-used the same vulnerable IE code in its newest Edge browser). Security vendor Qualys as usual has a good roundup of the rest of the critical Microsoft updates.

    Reply
  20. Tomi Engdahl says:

    Misconfigured Database Exposed Microsoft Site to Attacks
    http://www.securityweek.com/misconfigured-database-exposed-microsoft-site-attacks

    A researcher discovered that a database connected to the mobile version of Microsoft’s careers website was not properly configured, potentially allowing malicious actors to abuse it for various purposes.

    According to Chris Vickery, a researcher who over the past months discovered hundreds of millions of records exposed online due to misconfigured databases, unauthenticated attackers could have accessed and modified the content of a MongoDB database maintained by mobile web development firm Punchkick Interactive for Microsoft’s careers site (m.careersatmicrosoft.com).

    Vickery, who recently joined MacKeeper, found that the database contained the details of some Microsoft employees, including their name, email address, password hash and token.

    Another problem was that since the database was not write-protected, an attacker could have inserted arbitrary HTML code. This could have been exploited to host a phishing page or to launch watering hole attacks against the site’s visitors.

    Reply
  21. Tomi Engdahl says:

    Mozilla Updates Firefox to Patch Critical Flaws
    http://www.securityweek.com/mozilla-updates-firefox-patch-critical-flaws

    Mozilla released updates for the standard and ESR versions of Firefox last week to address vulnerabilities classified as having “critical” impact.

    Earlier this month, researchers at Cisco’s Talos team reported finding several vulnerabilities in the Libgraphite library, used for font processing in Linux, OpenOffice, Firefox and other popular applications. Experts discovered a total of four vulnerabilities that can be exploited for arbitrary code execution and denial-of-service (DoS) attacks.

    In the case of Firefox, the vulnerabilities affect Graphite 2 version 1.2.4, which is used in Firefox 42 and earlier, and Firefox Extended Support Release (ESR) 38.x prior to version 38.6.1.

    “To exploit these vulnerabilities, an attacker simply needs the user to run a Graphite-enabled application that renders a page using a specially crafted font that triggers one of these vulnerabilities,” Cisco’s Yves Younan said in a blog post. “Since Mozilla Firefox versions 11-42 directly support Graphite, the attacker could easily compromise a server and then serve the specially crafted font when the user renders a page from the server (since Graphite supports both local and server-based fonts).”

    Reply
  22. Tomi Engdahl says:

    Skimmers Hijack ATM Network Cables
    http://krebsonsecurity.com/2016/02/skimmers-hijack-atm-network-cables/

    If you have ever walked up to an ATM to withdraw cash only to decide against it after noticing a telephone or ethernet cord snaking from behind the machine to a jack in the wall, your paranoia may not have been misplaced: ATM maker NCR is warning about skimming attacks that involve keypad overlays, hidden cameras and skimming devices plugged into the ATM network cables to intercept customer card data.

    In an alert sent to customers Feb. 8, NCR said it received reliable reports of NCR and Diebold ATMs being attacked through the use of external skimming devices that hijack the cash machine’s phone or Internet jack.

    “These devices are plugged into the ATM network cables and intercept customer card data. Additional devices are attached to the ATM to capture the PIN,” NCR warned. “A keyboard overlay was used to attack an NCR ATM, a concealed camera was used on the Diebold ATM. PIN data is then likely transmitted wirelessly to the skimming device.”

    The ATM maker believes these attacks represent a continuation of the trend where criminals are finding alternative methods to skim magnetic strip cards.

    Reply
  23. Tomi Engdahl says:

    Malware Targets All Android Phones — Except Those In Russia
    http://mobile.slashdot.org/story/16/02/16/1414249/malware-targets-all-android-phones-except-those-in-russia

    MazarBOT, a malware program that can take full control of Android phones, appears to be targeting online bank accounts. The malware has been seen advertised on Russian underground forums in the last few months and surfaced over the weekend. ‘[On] Friday, a swarm of SMSs were sent to random phone numbers in Denmark and likely elsewhere.

    http://www.csoonline.com/article/3032111/security/russian-cyberspy-group-uses-simple-yet-effective-linux-trojan.html

    The Fysbis Trojan runs without root and has an extensible, modular architecture

    A cyberespionage group of Russian origin known as Pawn Storm is infecting Linux systems with a simple but effective Trojan program that doesn’t require highly privileged access.

    Pawn Storm, also known as APT28, Sofacy or Sednit, is a group of attackers that has been active since at least 2007. Over the years, the group has targeted governmental, security and military organizations from NATO member countries, as well as defense contractors and media organizations, Ukrainian political activists and Kremlin critics.

    Reply
  24. Tomi Engdahl says:

    How To Defeat VPN Location-Spoofing By Mapping Network Delays
    http://tech.slashdot.org/story/16/02/16/1346214/how-to-defeat-vpn-location-spoofing-by-mapping-network-delays

    An interesting paper from a PhD student in Ontario outlines a system which in initial tests has proved 97% effective at unmasking geo-spoofing VPN users. The Client Presence Verification (CPV) system presented in the paper utilises analysis of delays in network packets in order to determine the user’s location, disregarding the IP address geolocation information

    How to defeat VPN location-spoofing by mapping network delays
    https://thestack.com/cloud/2016/02/16/vpn-network-time-delay-abdelrahman-abdou-cpv/

    An interesting paper from a PhD student in Ontario outlines a system which in initial tests has proved 97% effective at unmasking geo-spoofing VPN users, such as Netflix customers who fake their geographic location in order to access catalogues outside of their country.

    The Client Presence Verification (CPV) system presented in the paper [PDF] utilises analysis of delays in network packets in order to determine the user’s location, disregarding the IP address geolocation information which currently underpins the efforts of content providers such as Netflix to prevent VPN users accessing content which is not licensed in their country.

    Reply
  25. Tomi Engdahl says:

    Red Hat, Google Disclose Severe Glibc DNS Vulnerability; Patched But Widespread
    http://linux.slashdot.org/story/16/02/16/1724222/red-hat-google-disclose-severe-glibc-dns-vulnerability-patched-but-widespread

    Today Google’s online security team publicly disclosed a severe vulnerability in the Gnu C Library’s DNS client. Due to the ubiquity of Glibc, this affects an astounding number of machines and software running on the internet, and raises questions about whether Glibc ought to still be the preferred C library when alternatives like musl are gaining maturity.

    The flaw, CVE-2015-7547, is a stack-based buffer overflow in the glibc DNS client-side resolver that puts Linux machines at risk for remote code execution. The flaw is triggered when the getaddrinfo() library function is used, Google said today in its advisory.

    CVE-2015-7547: glibc getaddrinfo stack-based buffer overflow
    https://googleonlinesecurity.blogspot.fi/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html

    Issue Summary:

    Our initial investigations showed that the issue affected all the versions of glibc since 2.9. You should definitely update if you are on an older version though. If the vulnerability is detected, machine owners may wish to take steps to mitigate the risk of an attack.

    The glibc DNS client side resolver is vulnerable to a stack-based buffer overflow when the getaddrinfo() library function is used. Software using this function may be exploited with attacker-controlled domain names, attacker-controlled DNS servers, or through a man-in-the-middle attack.

    Google has found some mitigations that may help prevent exploitation if you are not able to immediately patch your instance of glibc. The vulnerability relies on an oversized (2048+ bytes) UDP or TCP response, which is followed by another response that will overwrite the stack. Our suggested mitigation is to limit the response (i.e., via DNSMasq or similar programs) sizes accepted by the DNS resolver locally as well as to ensure that DNS queries are sent only to DNS servers which limit the response size for UDP responses with the truncation bit set.

    Reply
  26. Tomi Engdahl says:

    Tim Cook / Apple:
    Apple opposes court order over shooter’s iPhone, says US government is asking it to build a backdoor to the iPhone, calls it a “dangerous precedent” — A Message to Our Customers — The United States government has demanded that Apple take an unprecedented step which threatens the security of our customers.

    A Message to Our Customers
    http://www.apple.com/customer-letter/

    The United States government has demanded that Apple take an unprecedented step which threatens the security of our customers. We oppose this order, which has implications far beyond the legal case at hand.

    This moment calls for public discussion, and we want our customers and people around the country to understand what is at stake.

    Reply
  27. Tomi Engdahl says:

    Ellen Nakashima / Washington Post:
    Court orders Apple to disable 10-tries-and-wipe feature on San Bernardino shooter’s iPhone to allow government to crack password through brute force — U.S. wants Apple to help unlock iPhone used by San Bernardino shooter — A federal judge has ordered Apple to help the government unlock …

    Judge orders Apple to help unlock iPhone used by Calif. shooter
    https://www.washingtonpost.com/world/national-security/us-wants-apple-to-help-unlock-iphone-used-by-san-bernardino-shooter/2016/02/16/69b903ee-d4d9-11e5-9823-02b905009f99_story.html

    A federal judge has ordered Apple to help the government unlock the iPhone used by one of the shooters who carried out the Dec. 2 San Bernardino, Calif., terrorist attacks after the government said that the firm failed to provide assistance voluntarily.

    The Justice Department sought the order “in the hopes of gaining crucial evidence” about the shooting rampage, which killed 14 people and injured 22.

    The order, signed Tuesday by a magistrate judge in Riverside, Calif., does not ask Apple to break the phone’s encryption but rather to disable the feature that wipes the data on the phone after 10 incorrect tries at entering a password. That way, the government can try to crack the password using “brute force” — attempting tens of millions of combinations without risking the deletion of the data.

    The order comes a week after FBI Director James B. Comey told Congress that the bureau has not been able to open the phone belonging to one of the killers. “It has been two months now, and we are still working on it,” he said.

    The issue illustrates the frustration of law enforcement in gaining access to data in high-profile investigations. It also raises the pressure on Apple to find a way to comply, as the phone was used in the deadliest terrorist attack on U.S. soil since Sept. 11, 2001.

    The Silicon Valley giant has steadfastly maintained that it is unable to unlock its newer iPhones for law enforcement, even when officers obtain a warrant, because they are engineered in such a way that Apple does not hold the decryption key. Only the phone’s user — or someone who knew the password — would be able to unlock the phone.

    The FBI’s efforts may show how impervious the new technology is to efforts to circumvent it. According to industry officials, Apple cannot unilaterally dismantle or override the 10-tries-and-wipe feature. Only the user or person who controls the phone’s settings can do so.

    In a strongly worded message posted to Apple’s website, chief executive Tim Cook said: “Up to this point, we have done everything that is both within our power and within the law to help [the FBI]. But now the U.S. government has asked us for something we simply do not have, and something we consider too dangerous to create. They have asked us to build a back door to the iPhone.”

    Reply
  28. Tomi Engdahl says:

    Dan Goodin / Ars Technica:
    Vulnerability in GNU C library since 2008 that left apps and hardware open to attacks is patched in new update — Extremely severe bug leaves dizzying number of apps and devices vulnerable — Since 2008, vulnerability has left apps and hardware open to remote hijacking.

    Extremely severe bug leaves dizzying number of software and devices vulnerable
    Since 2008, vulnerability has left apps and hardware open to remote hijacking.
    http://arstechnica.com/security/2016/02/extremely-severe-bug-leaves-dizzying-number-of-apps-and-devices-vulnerable/

    Researchers have discovered a potentially catastrophic flaw in one of the Internet’s core building blocks that leaves hundreds or thousands of apps and hardware devices vulnerable to attacks that can take complete control over them.

    The vulnerability was introduced in 2008 in GNU C Library, a collection of open source code that powers thousands of standalone applications and most distributions of Linux, including those distributed with routers and other types of hardware. A function known as getaddrinfo() that performs domain-name lookups contains a buffer overflow bug that allows attackers to remotely execute malicious code. It can be exploited when vulnerable devices or apps make queries to attacker-controlled domain names or domain name servers or when they’re exposed to man-in-the-middle attacks where the adversary has the ability to monitor and manipulate data passing between a vulnerable device and the open Internet. All versions of glibc after 2.9 are vulnerable.

    Reply
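The Google advisory quoted in comment 25 and the Ars Technica piece in comment 28 both describe the same CVE-2015-7547 getaddrinfo() overflow, and the advisory's interim mitigation (when you cannot patch glibc yet) is to cap the DNS response sizes a host will accept and to only use servers that keep truncated UDP answers small. The filter below is an added example of that mitigation logic written for this thread; it is not glibc, Google or dnsmasq code. The numeric thresholds are assumptions taken from the advisory text (the overflow needs a 2048+ byte response; the 1024-byte local cap and the 512-byte limit for truncated UDP answers are choices of mine), and the DNS responses it checks are constructed in the block itself rather than captured from a real server.

```python
import struct
from typing import Dict, Tuple

# Constructed example, not glibc or Google code. Thresholds are assumptions
# drawn from the advisory text: the overflow needs a 2048+ byte response, and
# the lower local cap (default 1024 bytes) mirrors what one would configure on
# a local forwarder such as dnsmasq.
OVERFLOW_THRESHOLD = 2048
DEFAULT_LOCAL_CAP = 1024
UDP_TRUNCATED_LIMIT = 512   # classic DNS-over-UDP payload limit

FLAG_QR = 0x8000  # header bit: message is a response
FLAG_TC = 0x0200  # header bit: response was truncated, client should retry over TCP


def parse_header(msg: bytes) -> Dict[str, int]:
    """Decode the fixed 12-byte DNS header. Raises ValueError on short input."""
    if len(msg) < 12:
        raise ValueError("message shorter than the 12-byte DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": ident,
        "qr": bool(flags & FLAG_QR),
        "tc": bool(flags & FLAG_TC),
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def should_accept(msg: bytes, transport: str,
                  max_size: int = DEFAULT_LOCAL_CAP) -> Tuple[bool, str]:
    """Decide whether a local forwarder should pass this response on to the
    stub resolver (and so to getaddrinfo()). transport is "udp" or "tcp"."""
    try:
        hdr = parse_header(msg)
    except ValueError as exc:
        return False, str(exc)
    if not hdr["qr"]:
        return False, "not a response (QR bit clear)"
    size = len(msg)
    if size >= OVERFLOW_THRESHOLD:
        return False, f"{size}-byte response reaches the {OVERFLOW_THRESHOLD}-byte overflow threshold"
    if size > max_size:
        return False, f"{size}-byte response exceeds the local cap of {max_size}"
    if transport == "udp" and hdr["tc"] and size > UDP_TRUNCATED_LIMIT:
        # A truncated UDP answer pushes the client into a TCP retry; a server
        # that also lets the truncated UDP answer grow past 512 bytes is the
        # behaviour the advisory tells you to avoid.
        return False, f"truncated UDP response of {size} bytes exceeds {UDP_TRUNCATED_LIMIT}"
    return True, "ok"


def build_response(qname: str, answers: int, ident: int = 0x1234,
                   tc: bool = False) -> bytes:
    """Construct a minimal DNS A-record response for exercising the filter:
    header + one question + `answers` identical 16-byte answer records whose
    owner name is a compression pointer (0xC00C) back to the question name."""
    flags = FLAG_QR | (FLAG_TC if tc else 0)
    header = struct.pack("!HHHHHH", ident, flags, 1, answers, 0, 0)
    labels = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                      for lbl in qname.split("."))
    question = labels + b"\x00" + struct.pack("!HH", 1, 1)            # QTYPE A, QCLASS IN
    rr = struct.pack("!HHHIH4B", 0xC00C, 1, 1, 60, 4, 192, 0, 2, 1)  # A 192.0.2.1, TTL 60
    return header + question + rr * answers


if __name__ == "__main__":
    # A few constructed responses: a normal one, one over the local cap,
    # one at the overflow threshold, and an oversized truncated UDP answer.
    for n, transport, tc in ((1, "udp", False), (70, "udp", False),
                             (126, "tcp", False), (40, "udp", True)):
        resp = build_response("www.example.com", n, tc=tc)
        print(len(resp), transport, should_accept(resp, transport))
```

The filter is deliberately stateless: it judges each response on its own size and header bits, which is all a forwarder in front of an unpatched stub resolver can reasonably do. It is a stop-gap, not a fix; the only real remedy is the patched glibc.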
  29. Tomi Engdahl says:

    IBM Claims Tamper-Resistant Server
    Patented HD/SW keeps data safe from breaches
    http://www.eetimes.com/document.asp?doc_id=1328942&

    IBM claims its newest z13s server family —announced today at the IBM PartnerWorld Leadership Conference 2016 (February 16 and 17, Orlando, Fla.)—dovetails with hybrid cloud transactions with Internet of Things (IoT) devices by keeping user data safe even if the system is tampered with or breached.

    The key, says IBM, is an end-to-end solution using a hardware/software security infrastructure that guards user-data before, during and after potential breaches. Instead of mere signature spotting, IBM uses analytics to identify malicious behavior even before its signature is known, based on learned behaviors using ever-improving machine-learning. IBM calls the z13s the “world’s most secure server” because all data is encrypted and the decryption keys are erased if a hacker tries to gain entrance.

    “Nothing else comes close to IBM’s z-Systems, including the new z13s,”

    IBM is following its own “big-brother/little-brother” strategy for systems somewhat similar to Intel’s tick-tock strategy for processors, but different in that a smaller “s” version is released after every major mainframe release,

    “To handle today’s analytics-heavy workloads, the z13s comes with a maximum of 4TBs of RAIM (Redundant Array of Independent Memory), while the z13 has a maximum of 10TBs.

    According to DiDio and other analysts, IBM’s z Systems are already predominant at banks and finance, health and welfare organizations as well as in government and defense, and that the former z13, introduced last year, gave mid-sized businesses an expandable mainframe base with a low cost of entry. Now the latest z13s follow-up this year is giving mid-sized businesses an even lower priced entry point (starting at $75,000) albeit without the expandability of z13—to take advantage of faster more reliable encryption/decryption hardware/software as well as the superior up-time of IBM’s platform.

    “Important to this announcement are many new security offerings, some available through IBM’s newly-announced partners. These focus on the hybrid cloud that can be created within the mainframe (say, with z/OS or with Linux) and the need to secure the ecosystem and to identify threats (both internal and external) as they are happening by using cognitive analysis,” Kahn told us.

    IBM’s security offerings include Guardium—a data activity monitor that keeps track of who is accessing what data complete with an audit trail—identifying inappropriate access attempts by hackers before they decrypt it. The Cyber Security Analytics option (free to try out) uses cognitive analytics running on IBM supercomputers off-site to learn each z13s’s typical usage, becoming more effective as it learns over time, and alerting security personnel when unusual activities are taking place. Working with Cyber Security Analytics is QRadar which does additional analytics correlating data from more than 500 sources to aid in deciding whether anomalous behaviors are potential threats.

    IBM zSecure provides integration that harnesses security-relevant information from across the entire organization using real-time analytics to provide a context that helps detect threats faster, identify vulnerabilities, prioritize risk, and automate compliance activities.

    IBM Security Identity Governance and Intelligence software likewise augments identity and authentication management by coordinating policies and preventing critical data from being accessed by inappropriate parties.

    Reply
  30. Tomi Engdahl says:

    Barcodes that Hack Devices
    http://hackaday.com/2016/02/17/barcodes-that-hack-devices/

    [virustracker] put a few different pieces together and came up with a viable attack.

    The trick is that many POS terminals and barcode readers support command characters in their programming modes. Through use of these Advanced Data Formatting (ADF) modes, [virustracker] sends Windows-Key-r

    Barcode attack technique (Badbarcode)
    http://en.wooyun.io/2016/01/28/Barcode-attack-technique.html

    Barcode is everywhere in our daily life, especially in supermarkets, convenience stores and logistics industry. However, is it safe? The barcode attack that @Tk described at PacSec and included in his demo video on Twitter is so cool that I bought a scanner for research as well. During my research, I went through all information whether it is at home or abroad, but none covers the possible attack techniques. So here is one.

    Almost everyone has seen a barcode scanner in supermarkets, logistics, hospitals and lottery offices. A scanner is used to read the information of a barcode. A conventional one often uses infrared rays to do that and its embedded chip outputs the result after processing. Some popular scanner brands in the world include Symbol, Honeywell and Datalogic. Among them, Symbol has been acquired by Motorola.

    Advanced Data Formatting (ADF) is an advanced input method developed by Motorola for scanners according to the rules you set for each step to customize input data.

    ADF is a programming method which you may construct based on your need and it uses barcode instead of code for programming. ADF represents all rules by using barcode, such as Prefix/Suffix, Replacement and Character Input.

    If you know these ADF barcodes, you can construct a cmd popup and use control characters to execute commands that mainly include Enter.

    Use ADF to plant malware

    The concept of using barcodes to launch attacks was raised years ago, but no one has dug deep. By using SQL barcodes, it’s possible to launch SQL injection, XSS and overflow attacks.

    Whatever the device is, once part of the input can be manipulated, it is risky.

    Reply
  31. Tomi Engdahl says:

    Barcode Infiltrator
    http://hackaday.com/2010/09/02/barcode-infiltrator/

    Whenever someone manages to expose vulnerabilities in everyday devices, we love to root for them. [Adrian] over at Irongeek has been inspired to exploit barcodes as a means to attack a POS database. Based on an idea from a Pauldotcom episode, he set out to make a rapid attack device, using an LED to spoof the signals that would be received by scanning a barcode.

    Barcode Fuzzer, Bruteforcer, SQL/XSS Injector using a flashing LED
    http://www.irongeek.com/i.php?page=security/barcode-flashing-led-fuzzer-bruteforcer-injector

    Reply
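
A defensive counterpart to the barcode attacks described in comments 30 and 31, added here as an example and not taken from either post: treat scanner output as untrusted keyboard input, reject control characters and anything outside the expected symbology (EAN-13 is assumed), verify the check digit, and look the value up with a bound SQL parameter so a "SQL barcode" cannot change the query. The product table and the EANs in it are constructed sample data.

```python
"""Defensive handling of barcode-scanner input (added example, not from the posts).

A keyboard-wedge scanner delivers whatever the barcode encodes, including
control characters such as Enter, Tab or ESC, and an ADF-programmed scanner can
emit key combinations. A POS application should therefore validate every scan
against the symbology it expects before the value reaches a shell, a form or a
database.
"""
import re
import sqlite3
import unicodedata

# Assumption for this example: the POS expects EAN-13 product codes only.
EAN13_RE = re.compile(r"^[0-9]{13}$")


def ean13_check_digit_ok(code: str) -> bool:
    """Verify the EAN-13 check digit: weights 1,3,1,3,... over the first 12 digits."""
    if not EAN13_RE.match(code):
        return False
    digits = [int(c) for c in code]
    total = sum(d * (3 if i % 2 else 1) for i, d in enumerate(digits[:12]))
    return (10 - total % 10) % 10 == digits[12]


def contains_control_chars(payload: str) -> bool:
    """True if the raw scan carries any Unicode control character (category Cc)."""
    return any(unicodedata.category(ch) == "Cc" for ch in payload)


def validate_scan(payload: str):
    """Return (ok, reason); ok is True only for a clean, checksum-valid EAN-13."""
    if contains_control_chars(payload):
        return False, "control characters in scan"
    if not EAN13_RE.match(payload):
        return False, "not 13 digits"
    if not ean13_check_digit_ok(payload):
        return False, "bad check digit"
    return True, "ok"


def build_catalog() -> sqlite3.Connection:
    """Constructed in-memory product table for the demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (ean TEXT PRIMARY KEY, name TEXT, price_cents INTEGER)"
    )
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [("4006381333931", "Sample pen", 199), ("5901234123457", "Sample widget", 1250)],
    )
    conn.commit()
    return conn


def lookup_price(conn: sqlite3.Connection, scan: str):
    """Validate first, then query with a bound parameter.

    The scan is never spliced into the SQL text, so even a scan that passes
    validation cannot alter the statement; rejected scans are reported by reason.
    """
    ok, reason = validate_scan(scan)
    if not ok:
        return None, reason
    row = conn.execute(
        "SELECT price_cents FROM products WHERE ean = ?", (scan,)
    ).fetchone()
    return (row[0] if row else None), ("ok" if row else "unknown product")


if __name__ == "__main__":
    catalog = build_catalog()
    for scan in ["4006381333931", "4006381333931\r", "' OR 1=1 --", "9780201379624"]:
        print(repr(scan), "->", lookup_price(catalog, scan))
```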
  32. Tomi Engdahl says:

    Elise Viebeck / Washington Post:
    A look at early reactions from lawmakers and candidates Trump and Kasich to Apple’s encryption standoff with the FBI — Should Apple unlock a phone tied to the San Bernardino attack? Lawmakers say yes and no — Add this to the list of controversies facing Capitol Hill.

    Should Apple unlock a phone tied to the San Bernardino attack? Lawmakers say yes and no
    https://www.washingtonpost.com/news/powerpost/wp/2016/02/17/should-apple-unlock-a-phone-tied-to-the-san-bernardino-attack-lawmakers-say-yes-and-no/

    Add this to the list of controversies facing Capitol Hill.

    Apple made big news Tuesday when it refused to help crack a cellphone tied to the San Bernardino terrorist attacks. The decision goes against a federal court order and deepens conflict between Apple and the FBI, which argues the company must help unlock the iPhone 5C used by Syed Rizwan Farook so that law enforcement can continue to investigate the case.

    Apple CEO Tim Cook was not shy Tuesday night about voicing his opposition, saying a choice to help unlock the phone would set a “dangerous precedent.”

    “The government is asking Apple to hack our own users and undermine decades of security advancements that protect our customers — including tens of millions of American citizens — from sophisticated hackers and cybercriminals. The same engineers who built strong encryption into the iPhone to protect our users would, ironically, be ordered to weaken those protections and make our users less safe,” Cook wrote in a message posted on Apple’s website.

    Jordan Novet / VentureBeat:
    Google CEO Sundar Pichai tweets in support of Apple, says forcing companies to enable hacking could compromise user privacy

    Google CEO Sundar Pichai backs Tim Cook over Apple-FBI controversy
    http://venturebeat.com/2016/02/17/heres-google-ceo-sundar-pichais-response-to-the-apple-fbi-controversy/

    Google chief executive Sundar Pichai just weighed in on the ongoing issue over device encryption between Apple and the Federal Bureau of Investigation (FBI). And he did it not on Google+, but on Twitter.

    Here is his five-tweet comment:

    1/5 Important post by @tim_cook. Forcing companies to enable hacking could compromise users’ privacy

    — sundarpichai (@sundarpichai) February 17, 2016

    2/5 We know that law enforcement and intelligence agencies face significant challenges in protecting the public against crime and terrorism

    — sundarpichai (@sundarpichai) February 17, 2016

    3/5 We build secure products to keep your information safe and we give law enforcement access to data based on valid legal orders

    — sundarpichai (@sundarpichai) February 17, 2016

    4/5 But that’s wholly different than requiring companies to enable hacking of customer devices & data. Could be a troubling precedent

    — sundarpichai (@sundarpichai) February 17, 2016

    5/5 Looking forward to a thoughtful and open discussion on this important issue

    — sundarpichai (@sundarpichai) February 17, 2016

    Reply
  33. Tomi Engdahl says:

    Apple’s Noble Stand Against the FBI Is Also Great Business
    http://www.wired.com/2016/02/apples-noble-stand-against-the-fbi-is-also-great-business/

    Apple CEO Tim Cook has vowed to fight a court order demanding that the company help the FBI unlock the iPhone belonging to one of the San Bernardino shooters. The move is, to say the least, polarizing.

    Whistleblower Edward Snowden slammed the FBI on Twitter. The Electronic Frontier Foundation has vowed to back Apple in its legal fight, and Google CEO Sundar Pichai tweeted support. Republican presidential candidate Donald Trump, meanwhile, took to Fox News to call on Apple to help the FBI.

    You may see Tim Cook as a champion of privacy or as an enabler of terrorism. Either way, it makes good business sense for Apple to stand up to the FBI.

    Apple has been trying to position itself as a protector of privacy, a kind of anti-Google, since long before the FBI’s court order.

    That positioning stands in stark contrast to Google, which is heavily dependent on advertising revenue and has an incentive to gather as much user data as possible. Yes, Apple runs the iAds network, so there’s a bit of spin involved in the Cupertino company’s positioning, but it’s true that Google and Apple have very different business models overall.

    A Global Disadvantage

    Meanwhile, some of Apple’s most crucial buyers may be seriously put off if Apple complies with the FBI’s request, namely large corporate customers and consumers outside the US. The consensus among security researchers is that building a back door for law enforcement will make Apple’s products inherently less secure, says Gartner analyst Peter Firstbrook. “The iPhone is the preferred mobile phone for security,” he says. “I’m not sure if this particular move would affect enterprise sales, but anything they do to reduce security would be negatively appreciated.”

    That goes double for overseas markets. There’s already a degree of mistrust between the US and foreign firms and governments thanks to Edward Snowden’s disclosures of the National Security Agency’s digital dragnet.

    Reply
  34. Tomi Engdahl says:

    Hospital pays hackers $17,000 in Bitcoins to return computer network
    http://www.zdnet.com/article/hospital-pays-hackers-17000-in-bitcoins-to-return-computer-network/

    In a “ransomware” case, hackers have been paid roughly $17,000 worth of Bitcoins to restore a hospital’s computer network.

    A Los Angeles hospital has paid 40 Bitcoins, worth roughly $16,700, for access back to its network that was taken down in a type of hack called “ransomware” at the beginning of February.

    The disruption caused emergency rooms and treatments to be affected, and fax lines at the hospital were jammed from lack of access to email, an unnamed doctor told NBC 4 last week.

    Hollywood Presbyterian Medical Center began noticing issues with its computer network on February 5. The ransomware attack held the computer network hostage, and in the case of hospitals, not having access to computer networks for patient data can prove dangerous.

    “The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key,” Allen Stefanek, CEO of the hospital, said in a letter. “In the best interest of restoring normal operations, we did this.”

    Reply
  35. Tomi Engdahl says:

    Cisco licks lips, eyes UK’s cyber, analytics and fin-tech startups
    Try to look delicious, Blighty firms
    http://www.theregister.co.uk/2016/02/18/cisco_looking_at_uk_cyber_analytics_and_fintech_startups/

    Acquisition-hungry network giant Cisco is looking to gobble a string of UK businesses this year – specifically in cyber, “fin-tech” and analytics, Tom Kneen, head of business development at Cisco UK has said.

    Speaking to The Register at Cisco Live in Berlin, Kneen said he “doesn’t see acquisitions stopping” at the pace the company has been going of late.

    Cisco’s most recent high-profile buy was of US Internet of Things outfit Jasper – but it has also snapped up a number of outfits in Blighty.

    Reply
  36. Tomi Engdahl says:

    Surveillance Culture Brought To the Masses, Courtesy of Verizon
    http://tech.slashdot.org/story/16/02/17/1822217/surveillance-culture-brought-to-the-masses-courtesy-of-verizon

    Verizon is now offering a way to secretly track your family members’ whereabouts and driving habits with your smartphone: “Do you have a teen driver in your household and want to know every time they get a little overzealous with the accelerator? Or maybe you’re pretty sure your spouse’s frequent trips to ‘the office’ are not so innocent?”

    Verizon’s “Hum” Device For Your Car Will Rat Out Speeding Teens, Wandering Spouses
    http://consumerist.com/2016/02/17/verizons-hum-device-for-your-car-will-now-rat-out-your-speeding-teen-wandering-spouse/

    Do you have a teen driver in your household and want to know every time they get a little overzealous with the accelerator? Or maybe you’re pretty sure your spouse’s frequent trips to “the office” are not so innocent? If so, then an upcoming update for Verizon’s “hum” in-car smart device might be just what you’re looking for.

    The $15/month hum service was originally launched to collect vehicle diagnostics, connect users to roadside assistance, provide maintenance reminders. But this morning Verizon announced that it will be adding a slew of new features for the hum, including:

    Boundary alerts: Lets you set up a boundary and receive alerts when your vehicle exits and enters the area.

    Speed alerts: While the hum doesn’t know the speed limit of every road your vehicle’s on, you will be able to set up maximum speed limits so that you get an alert — through the app, via email or text — whenever a driver crosses that threshold.

    Vehicle location: Even more precise than the geofencing of the boundary alerts, the hum will provide map-based tracking of your vehicle’s location, speed and travel direction.

    Driving history: And just in case you missed all the alerts or your kid was savvy enough to change the account so that all the texts went to some other phone, the hum will provide “trip-based driving information to track driving efficiency, including duration, start and end times, idle times and max/avg. speeds.”

    Reply
  37. Tomi Engdahl says:

    Indonesia has banned Tumblr over ‘pornographic content’
    http://uk.businessinsider.com/indonesia-blocks-tumblr-hundreds-more-sites-over-pornographic-content-2016-2?r=US&IR=T

    Indonesia has banned Tumblr.

    According to the BBC and local reports, the country’s Information Ministry took the decision to block the blogging platform over “pornographic content.”

    According to an Indonesian-language news report, the ban is part of a larger internet crackdown — 477 other sites have also apparently been blocked in the country.

    The Muslim-majority country only has a “partly free” internet according to a 2015 report from Freedom House.

    https://freedomhouse.org/report/freedom-net/2015/indonesia

    Reply
  38. Tomi Engdahl says:

    JOHN MCAFEE: I’ll decrypt the San Bernardino phone free of charge so Apple doesn’t need to place a back door on its product
    http://www.businessinsider.com/john-mcafee-ill-decrypt-san-bernardino-phone-for-free-2016-2?IR=T

    Cybersecurity expert John McAfee is running for president in the US as a member of the Libertarian Party. This is an op-ed article he wrote.

    Using an obscure law, written in 1789 — the All Writs Act — the US government has ordered Apple to place a back door into its iOS software so the FBI can decrypt information on an iPhone used by one of the San Bernardino shooters.

    It has finally come to this. After years of arguments by virtually every industry specialist that back doors will be a bigger boon to hackers

    This is a black day and the beginning of the end of the US as a world power. The government has ordered a disarmament of our already ancient cybersecurity and cyberdefense systems, and it is asking us to take a walk into that near horizon where cyberwar is unquestionably waiting, with nothing more than harsh words as a weapon and the hope that our enemies will take pity at our unarmed condition and treat us fairly.

    Any student of world history will tell you that this is a dream. Would Hitler have stopped invading Poland if the Polish people had sweetly asked him not to do so? Those who think yes should stand strongly by Hillary Clinton’s side, whose cybersecurity platform includes negotiating with the Chinese so they will no longer launch cyberattacks against us.

    The FBI, in a laughable and bizarre twist of logic, said the back door would be used only once and only in the San Bernardino case.

    No matter how you slice this pie, if the government succeeds in getting this back door, it will eventually get a back door into all encryption, and our world, as we know it, is over. In spite of the FBI’s claim that it would protect the back door, we all know that’s impossible. There are bad apples everywhere, and there only needs to be in the US government. Then a few million dollars, some beautiful women (or men), and a yacht trip to the Caribbean might be all it takes for our enemies to have full access to our secrets.

    The fundamental question is this: Why can’t the FBI crack the encryption on its own? It has the full resources of the best the US government can provide.

    And why do the best hackers on the planet not work for the FBI? Because the FBI will not hire anyone with a 24-inch purple mohawk, 10-gauge ear piercings, and a tattooed face who demands to smoke weed while working and won’t work for less than a half-million dollars a year. But you bet your ass that the Chinese and Russians are hiring similar people with similar demands and have been for many years. It’s why we are decades behind in the cyber race.

    Cyberscience is not just something you can learn. It is an innate talent. The Juilliard school of music cannot create a Mozart. A Mozart or a Bach, much like our modern hacking community, is genetically created. A room full of Stanford computer science graduates cannot compete with a true hacker without even a high-school education.

    So here is my offer to the FBI. I will, free of charge, decrypt the information on the San Bernardino phone, with my team. We will primarily use social engineering, and it will take us three weeks.

    Reply
  39. Tomi Engdahl says:

    The Contrarian Response To Apple’s Need For Encryption
    http://hackaday.com/2016/02/18/the-contrarian-response-to-apples-need-for-encryption/

    On December 2, 2015, [Syed Rizwan Farook] and [Tashfeen Malik] opened fire at a San Bernardino County Department of Public Health training event, killing 14 and injuring 22. This was the third deadliest mass shooting in the United States in recent memory, and began a large investigation by local, state, and federal agencies. One piece of evidence recovered by the FBI was an iPhone 5C belonging to one of the shooters. In the days and months after the shooting, the FBI turned to Apple to extract data from this phone.

    A few days ago in an open letter to customers, [Tim Cook], CEO of Apple, stated they will not comply with FBI’s request to build a backdoor for the iPhone.

    Apple does not publish open letters to its customers often. Having one of the largest companies on the planet come out in support of privacy and encryption is nearly unprecedented. There is well-founded speculation this open letter to the public will be exhibit A in a supreme court case. Needless to say, the Internet has gone a little crazy after this letter was published, and rightly so: just imagine how better off we would be if AT&T said no to the NSA in 2002 – [Snowden] might just be another IT geek working for a government contractor.

    A Message to Our Customers
    http://www.apple.com/customer-letter/

    The United States government has demanded that Apple take an unprecedented step which threatens the security of our customers. We oppose this order, which has implications far beyond the legal case at hand.

    This moment calls for public discussion, and we want our customers and people around the country to understand what is at stake.

    Reply
  40. Tomi Engdahl says:

    GuardBunny Active RFID Protection Going Open Hardware
    http://hackaday.com/2016/02/18/guardbunny-active-rfid-protection-going-open-hardware/

    There are two sides to every coin. Instead of swiping or using a chip reader with your credit card, some companies offer wireless cards that you hold up to a reader for just an instant. How convenient for you and for anyone who might want to read that data for their own use. The same goes for RFID enabled passports, and the now ubiquitous keycards used for door access at businesses and hotels. I’m sure you can opt-out of one of these credit cards, but Gerald in human resources isn’t going to issue you a metal key — you’re stuck hauling around that RFID card.

    It is unlikely that someone surreptitiously reading your card will unlock your secrets. The contactless credit cards and the keylock cards are actually calculating a response based on a stored key pair. But you absolutely could be tracked by the unique IDs in your cards. Are you being logged when passing by an open reader? And other devices, like public transit cards, may have more information stored on them that could be harvested. It’s not entirely paranoid to want to silence these signals when you’re not using them.

    One solution to all of this is to protect your wallet from would-be RFID pirates. At this point I’m sure everyone is thinking of a tin-foil card case. Sure, that might work unless the malicious reader is very powerful. But there’s a much more interesting way to protect against this: active RFID scrambling with a project called GuardBunny.

    Mimicking Contactless Systems at 13.56 MHz

    RFID is a catch-all word for Radio Frequency IDentification. In this case, we’re talking about any system that operates in the 13.56 MHz band, including NFC, MiFare, Smart Cards, and the like.

    GuardBunny protects against unauthorized reads by activating in the same way any standards-compliant tag would. It uses a tuned antenna that activates a power supply when exposed to 13.56 MHz electromagnetic waves. This feeds a 4-bit counter IC whose output is connected to a modulator and limiter circuit. The result is a transmitted signal with the specifications the reader is listening for, but carrying a payload that is gibberish. As long as this is in the same path as the card you’re trying to protect, this gibberish will prevent the reader from getting an appropriate response from the real contactless card.

    Files for GuardBunny, an RFID shield presented at Shmoocon 2016
    https://github.com/kristinpaget/GuardBunny

    Reply
  41. Tomi Engdahl says:

    Magnitude of glibc Vulnerability Coming To Light
    http://linux.slashdot.org/story/16/02/18/157239/magnitude-of-glibc-vulnerability-coming-to-light

    The glibc vulnerability disclosed this week has some experts on edge because of how DNS can be leveraged in exploits. Dan Kaminsky said that while man-in-the-middle attacks are one vector, it would appear that it’s also possible to exploit the bug and attack most Linux servers via DNS caching-only servers. ‘This would be substantially worse if it went through the caching ecosystem; 99 percent of attack vectors go through that system,’

    Magnitude of glibc Vulnerability Coming to Light
    https://threatpost.com/magnitude-of-glibc-vulnerability-coming-to-light/116296/

    Not since Stagefright have we had a vulnerability with the scale and reach of the glibc flaw disclosed on Tuesday.

    “It’s pretty bad; you don’t get bugs of this magnitude too often,” said Dan Kaminsky, researcher, cofounder and chief scientist at White Ops. “The code path is widely exposed and available, and it yields remote code execution.”

    The flaw affects most Linux servers, along with a number of web frameworks and services that make use of the open source GNU C library, including ssh, sudo, curl, PHP, Rails and others. Initial reports about the impact on Android were incorrect given that the OS uses the Bionic libc implementation and not glibc.

    The harshness of the bug, a stack-based buffer overflow, rests in the fact that it lives in the glibc DNS client-side resolver, or libresolv library. Since DNS is a core network technology and most services rely on it, the horizontal scale of this bug is massive.

    “An attack would first force a system to make specific DNS queries, using domain names controlled by the attacker. The attacker would then have to run custom-written DNS server software, which generates crafted responses that trigger the vulnerability,”

    “A back of the envelope analysis shows that it should be possible to write correctly formed DNS responses with attacker controlled payloads that will penetrate a DNS cache hierarchy and therefore allow attackers to exploit machines behind such caches,”

    Adding to the severity of the issue is the fact that the vulnerability was introduced in glibc 2.9, which dates back to May 2008.

    The bug, CVE-2015-7547, was discovered independently by researchers at Red Hat and Google who privately disclosed the issue to upstream glibc maintainers, Weimer told Threatpost. Coordination between the two camps began on Jan. 6, though the initial bug disclosure was made last July, according to an advisory on the glibc mailing list.

    Weimer said that most Linux distributions that use glibc have patches available and a regular system upgrade followed by a reboot will address the issue. Source code patches for those who have their own software builds are also available.

    “Most GNU/Linux distributions release glibc updates multiple times per year,”

    Google’s Fermin Serna said there are temporary mitigations that can be implemented until Linux machines can be patched, including limiting the size of a UDP or TCP response accepted by a DNS resolver, and to ensure that DNS queries are sent only to servers that limit the response size. Kaminsky, however, said that most network admins would be unlikely to implement those mitigations for fear of breaking other services.

    “They’re still finding bugs of this magnitude accidentally,” Kaminsky said. “Using ambient bug discovery on core infrastructure is too slow. This was written in 2008 and it sat there year after year. We need to stop accidentally finding these bugs and start comprehensively finding them.”

    Reply
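
To make the interim mitigation quoted in comments 28 and 41 concrete (limiting the size of DNS responses a resolver accepts), here is an added example, not code from the articles or from glibc, that parses wire-format DNS messages and flags responses above a size bound. The 2048-byte threshold is an assumption taken from the size of the resolver's stack buffer in the upstream advisory, which this page does not state; the sample responses are constructed.

```python
"""Flag DNS responses large enough to reach the getaddrinfo() overflow path.

Added example for CVE-2015-7547, not code from the quoted articles.
Assumption: the vulnerable glibc resolver parses answers into a 2048-byte
stack buffer, so a response larger than that is what a size-limiting
mitigation has to drop; the page itself only says "limit the size".
Run audit_capture() over UDP/TCP payloads taken from a packet capture or a
resolver log to see which answers such a limit would have rejected.
"""
import struct

MAX_SAFE_RESPONSE = 2048  # assumed bound, see module docstring

QR_BIT = 0x8000  # header flag: message is a response
TC_BIT = 0x0200  # header flag: truncated, client should retry over TCP


def encode_name(name: str) -> bytes:
    """Encode a hostname as DNS labels (no compression pointers)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_a_response(txid: int, name: str, addrs: list) -> bytes:
    """Constructed wire-format answer with one A record per IPv4 address."""
    flags = QR_BIT | 0x0180  # QR=1, RD=1, RA=1, RCODE=0
    hdr = struct.pack("!HHHHHH", txid, flags, 1, len(addrs), 0, 0)
    qname = encode_name(name)
    question = qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    answers = b""
    for addr in addrs:
        rdata = bytes(int(octet) for octet in addr.split("."))
        # NAME, TYPE=A, CLASS=IN, TTL=300, RDLENGTH=4, RDATA
        answers += qname + struct.pack("!HHIH", 1, 1, 300, 4) + rdata
    return hdr + question + answers


def parse_dns_header(payload: bytes) -> dict:
    """Decode the fixed 12-byte DNS header."""
    if len(payload) < 12:
        raise ValueError("short DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", payload[:12])
    return {
        "id": txid,
        "is_response": bool(flags & QR_BIT),
        "truncated": bool(flags & TC_BIT),
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def classify_response(payload: bytes, limit: int = MAX_SAFE_RESPONSE) -> str:
    """Return 'ok', 'oversized', 'malformed' or 'not-a-response' for one message."""
    try:
        hdr = parse_dns_header(payload)
    except ValueError:
        return "malformed"
    if not hdr["is_response"]:
        return "not-a-response"
    if len(payload) > limit:
        return "oversized"
    return "ok"


def audit_capture(messages: list) -> list:
    """Apply the size rule to (transport, payload) pairs.

    Each finding is (transport, txid, size, verdict); txid is -1 when the
    message is too short to carry even a transaction id.
    """
    findings = []
    for transport, payload in messages:
        verdict = classify_response(payload)
        txid = struct.unpack("!H", payload[:2])[0] if len(payload) >= 2 else -1
        findings.append((transport, txid, len(payload), verdict))
    return findings


if __name__ == "__main__":
    # Constructed sample traffic: a normal answer and an oversized one of the
    # kind a response-size limit would drop before the resolver parses it.
    normal = build_a_response(0x1234, "example.com", ["192.0.2.%d" % i for i in range(1, 4)])
    huge = build_a_response(0x5678, "example.com", ["192.0.2.%d" % (i % 250 + 1) for i in range(100)])
    for finding in audit_capture([("udp", normal), ("tcp", huge)]):
        print(finding)
```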
  42. Tomi Engdahl says:

    Funny, I haven’t heard of any showstopper bugs in OpenBSD libc – not this year, not ever

    This bug, after ghost, would be a good opportunity to take a step back for a serious assessment of what must be removed for a secure system.

    If this would have been a vulnerability in MSVCRT, everyone would have mocked Microsoft and Windows.

    However as this is a Linux vulnerability, the attention is turned to the used programming language instead.

    Source: comments at http://linux.slashdot.org/story/16/02/18/157239/magnitude-of-glibc-vulnerability-coming-to-light

    Reply
  43. Tomi Engdahl says:

    Mozilla Warns of SHA-1 Deprecation Side Effects
    https://threatpost.com/mozilla-warns-of-sha-1-deprecation-side-effects/115822/

    As promised, Mozilla officially began rejecting new SHA-1 certificates as of the first of the year. And as promised, there have been some usability issues.

    Mozilla yesterday said that some security scanners and antivirus products are keeping some from reaching HTTPS websites.

    “When a user tries to connect to an HTTPS site, the man-in-the-middle device sends Firefox a new SHA-1 certificate instead of the server’s real certificate,” said Richard Barnes of Mozilla. “Since Firefox rejects new SHA-1 certificates, it can’t connect to the server.”

    A number of experts voiced their concerns late last year as most of the major browsers inched toward self-imposed deadlines for rejecting SHA-1 certificates that significant portions of the Internet would be cut off.

    Facebook chief security officer Alex Stamos put the number at tens of millions, while CloudFlare CEO Matthew Prince was more specific saying that as many as 37 million would be stranded.

    “A disproportionate number of those people reside in developing countries, and the likely outcome in those counties will be a serious backslide in the deployment of HTTPS by governments, companies and NGOs that wish to reach their target populations,” Stamos said.

    Reply
  44. Tomi Engdahl says:

    Jessica Guynn / USA Today:
    Facebook pledges to fight against demands to weaken system security, Twitter adds its support to Apple in San Bernardino iPhone case

    Facebook, Twitter side with Apple in iPhone fight
    http://www.usatoday.com/story/tech/news/2016/02/18/facebook-support-apple-iphone-san-bernardino-fbi/80578754/

    Facebook and Twitter sided with Apple in the public spat with the Obama administration over its refusal to help the FBI break into the iPhone of San Bernardino, Calif., shooter Syed Rizwan Farook.

    Facebook warned that a federal judge’s order this week to force Apple to bypass security functions on the iPhone used by Farook, one of the assailants in the December mass shootings in San Bernardino, Calif., that killed 14 people, would set a “chilling precedent.”

    The social media giant pledged to “fight aggressively” against government efforts to “weaken the security” of consumer tech products.

    “We condemn terrorism and have total solidarity with victims of terror. Those who seek to praise, promote, or plan terrorist acts have no place on our services. We also appreciate the difficult and essential work of law enforcement to keep people safe,” the statement reads. “When we receive lawful requests from these authorities we comply. However, we will continue to fight aggressively against requirements for companies to weaken the security of their systems. These demands would create a chilling precedent and obstruct companies’ efforts to secure their products.”

    Reply
  45. Tomi Engdahl says:

    Threat Feeds Feature in UserInsight: Detect Common Attack Scenarios
    http://www.rapid7.com/resources/videos/threat-feeds-in-userinsight.jsp?CS=newsletter&utm_source=email&utm_medium=email&mkt_tok=3RkMMJWWfF9wsRonv67McO%2FhmjTEU5z16u0tWKOxiokz2EFye%2BLIHETpodcMTcJrM73YDBceEJhqyQJxPr3BJdUN0dtpRhPlDw%3D%3D

    In this week’s Feature Friday, Jordan Schroeder, a Rapid7 UserInsight customer and Security Architect at Visier, will discuss the threat feeds feature in our UserInsight product.

    The threat feeds feature is a simple framework to track and alert on security threats important to your network and powered by Rapid7 and the UserInsight community.

    Reply
  46. Tomi Engdahl says:

    PVS-Studio Analyzer Spots 40 Bugs In the FreeBSD Kernel
    http://tech.slashdot.org/story/16/02/19/001202/pvs-studio-analyzer-spots-40-bugs-in-the-freebsd-kernel

    Svyatoslav Razmyslov from PVS-Studio Team published an article on the check of the FreeBSD kernel. PVS-Studio developers are known for analyzing various projects to show the abilities of their product, and do some advertisement, of course. Perhaps, this is one of the most acceptable and useful ways of promoting a proprietary application. They have already checked more than 200 projects and detected 9355 bugs. At least that’s the number of bugs in the error base of their company.

    So now it was FreeBSD kernel’s turn.

    PVS-Studio is a tool for bug detection in the source code of programs, written in C, C++ and C#. It performs static code analysis and generates a report that helps a programmer find and fix the errors in the code.

    PVS-Studio delved into the FreeBSD kernel
    http://www.viva64.com/en/b/0377/

    Reply
  47. Tomi Engdahl says:

    Researchers Find Method To Own VoIP Phones, Silently Listen To Any Call
    http://it.slashdot.org/story/16/02/18/2229226/researchers-find-method-to-own-voip-phones-silently-listen-to-any-call

    Researchers have uncovered a simple method for compromising some common VoIP phones, enabling them to listen to victims’ calls covertly or use the phones to make expensive or fraudulent calls. The attack takes advantage of the fact that the affected phones don’t have any authentication set up by default, but do have a vulnerability that is open to remote exploitation.

    Owning VOIP Phones With Zero Clicks
    https://www.onthewire.io/owning-voip-phones-with-zero-clicks/

    Researchers have uncovered a simple method for compromising some common VOIP phones, enabling them to listen to victims’ calls covertly or use the phones to make expensive or fraudulent calls.

    The attack takes advantage of the fact that the affected phones don’t have any authentication set up by default, but do have a vulnerability that is open to remote exploitation. A victim who has one of the vulnerable phones connected to a network and uses a PC on that network to visit a malicious site can be open to the attack. Paul Moore, a security consultant in the U.K., detailed the problem and demonstrated an attack on a Snom 320, a popular VOIP phone.

    Users set up their phones by connecting to them through a browser, and Moore and his colleagues showed that by exploiting the vulnerability in the phone, they could eavesdrop on a victim’s supposedly private conversations.

    “Simply by opening a malicious site (or a genuine site containing the malicious payload), the attacker has complete control over our VoIP phone,” Moore wrote in an analysis of the attack.

    In the demo, the victim browses to a malicious web site, where the exploit code launches and silently takes control of the phone. The attacker then uses the victim’s compromised phone to call his own phone and stays connected to the victim phone. The victim then makes a Skype call to a third party, and the attacker has the ability to listen to the entire call, unnoticed.

    The attacker can use the phone to make, receive, and redirect calls, and also could upload new firmware to the device, Moore said.

    “The term ‘covert surveillance’ is usually only associated with nation states, certain 3-letter agencies and those closed-minded individuals pushing the Investigatory Powers Bill (IPBill / Snoopers Charter),” Moore said.

    “In this demonstration, the attacker has not only compromised your phone & privacy with just a browser, but you’ve paid him for the privilege!”

    PwnPhone: Default passwords allow covert surveillance.
    https://paul.reviews/pwnphone-default-passwords-allow-covert-surveillance/

    Reply
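The attack above works because the phone's management interface answers any browser on the LAN without credentials, so a page from an unrelated site can drive it. The following is an added illustration of the hardening a device web UI needs against that pattern; it is not code from Snom, Paul Moore or the article, and the device address, the factory-default password value and the header names are constructed assumptions. The vulnerable gate reproduces the condition described (everything is allowed); the hardened gate refuses to do anything but accept a new password while the factory default is in place, demands credentials on every request, and rejects requests whose Origin/Referer is not the phone's own UI, since a browser attaches cached credentials to cross-site requests automatically.

```python
"""Admission gate for a LAN device's management interface (constructed example)."""
import base64
import hmac
from dataclasses import dataclass, field
from typing import Mapping, Optional, Tuple
from urllib.parse import urlsplit

# Hypothetical factory default; not the real value for any phone model.
FACTORY_DEFAULT_PASSWORD = ""


@dataclass
class DeviceConfig:
    """Constructed device state: the admin password and the origin of the phone's own UI."""
    admin_password: str = FACTORY_DEFAULT_PASSWORD
    # Constructed LAN address (TEST-NET-1) from which the phone serves its config pages.
    device_origins: frozenset = field(default_factory=lambda: frozenset({"http://192.0.2.10"}))


def basic_auth_header(user: str, password: str) -> dict:
    """Build the Authorization header a browser sends for HTTP Basic auth."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def _credentials(headers: Mapping[str, str]) -> Optional[Tuple[str, str]]:
    """Parse HTTP Basic credentials; None when absent or malformed."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(auth[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def _request_origin(headers: Mapping[str, str]) -> Optional[str]:
    """scheme://host[:port] of the page that issued the request, from Origin or Referer."""
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return None
    parts = urlsplit(src)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}"


def vulnerable_gate(headers: Mapping[str, str], cfg: DeviceConfig, action: str = "call_control") -> str:
    """The condition the article describes: no authentication, so every request is honoured."""
    return "allow"


def hardened_gate(headers: Mapping[str, str], cfg: DeviceConfig, action: str = "call_control") -> str:
    """Decide one management request; returns 'allow' or 'deny: <reason>'."""
    same_origin = _request_origin(headers) in cfg.device_origins

    # 1. At factory default the only action offered is setting a password, and only
    #    from a page the phone itself served, so a third-party site cannot claim it.
    if cfg.admin_password == FACTORY_DEFAULT_PASSWORD:
        if action == "set_password" and same_origin:
            return "allow"
        return "deny: default password must be changed first"

    # 2. Every management request carries credentials; compare in constant time.
    creds = _credentials(headers)
    if creds is None:
        return "deny: authentication required"
    user, password = creds
    if user != "admin" or not hmac.compare_digest(password.encode(), cfg.admin_password.encode()):
        return "deny: bad credentials"

    # 3. Browsers attach cached Basic credentials to requests that any open page
    #    makes to the phone's LAN address, so valid credentials alone do not prove
    #    the administrator intended the action: it must come from the phone's own UI.
    if not same_origin:
        return "deny: cross-origin request"
    return "allow"


if __name__ == "__main__":
    # Constructed request from a page on another site, phone still at factory default.
    foreign = {"Origin": "http://attacker.example"}
    print("vulnerable:", vulnerable_gate(foreign, DeviceConfig()))
    print("hardened:  ", hardened_gate(foreign, DeviceConfig()))
```

The origin comparison is on the full `scheme://host[:port]` rather than a string prefix, so `http://192.0.2.100` is not mistaken for the phone at `http://192.0.2.10`; a Referer is accepted as a fallback because simple GET requests from image tags carry no Origin header.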
  48. Tomi Engdahl says:

    PCI Council says bye-bye to big bang standards upgrades
    PCI DSS version 3.2 will land in March or April and be 2016's only update
    http://www.theregister.co.uk/2016/02/19/pci_dss_3_2_release_march_april_2016/

    The PCI Security Standards Council is inching towards a “March/April timeframe” release of version 3.2 of the PCI DSS standard.

    The headline item in the update will be the revised and rather later dates for migration away from Secure Sockets Layer (SSL)/Early Transport Layer Security (TLS). The Council originally planned for migrations to be complete by the middle of this year, but in the shadow of Christmas 2015 decided June 2018 is a better date as big banks have struggled to make the move.

    Reply
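The migration the article refers to is, on a server, a matter of pinning an explicit protocol floor and being able to prove it. The following is an added example of that check using Python's standard `ssl` module; it is not tooling from the PCI Council or The Register, and the choice of TLS 1.2 as the floor (SSL and TLS 1.0, the article's "early TLS", excluded, TLS 1.1 reported as a finding as well) is this example's assumption, not a quotation of the standard. The legacy context leaves the floor to library defaults, which is how many 2015-era deployments ran; the hardened context pins it, and the audit function reports what a reviewer would flag.

```python
"""Auditing a server-side TLS protocol floor (constructed example)."""
import ssl
from typing import List

# Floor this example enforces; an assumption of the example, not a quotation of PCI DSS.
REQUIRED_MINIMUM = ssl.TLSVersion.TLSv1_2


def legacy_context() -> ssl.SSLContext:
    """Protocol floor left to library defaults: whatever the OpenSSL build and
    its configuration permit can be negotiated, which historically included TLS 1.0."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def hardened_context(floor: str = "TLSv1_2") -> ssl.SSLContext:
    """Server context with an explicit, verifiable protocol floor (name of an ssl.TLSVersion member)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion[floor]
    return ctx


def tls_findings(ctx: ssl.SSLContext) -> List[str]:
    """Configuration findings for a context; an empty list means the floor is acceptable."""
    findings: List[str] = []
    floor = ctx.minimum_version
    if floor == ssl.TLSVersion.MINIMUM_SUPPORTED:
        # Nothing pinned: what gets negotiated depends on the library, not on this config.
        findings.append("protocol floor not pinned: negotiable versions depend on the library defaults")
    elif floor < REQUIRED_MINIMUM:
        findings.append(f"protocol floor is {floor.name}, below {REQUIRED_MINIMUM.name}")
    if not (ctx.options & ssl.OP_NO_SSLv3):
        # Set by default on modern Python builds, but worth asserting rather than assuming.
        findings.append("SSLv3 not explicitly disabled")
    return findings


def meets_floor(ctx: ssl.SSLContext) -> bool:
    """True when the audit raises no findings."""
    return not tls_findings(ctx)


if __name__ == "__main__":
    for label, ctx in (("legacy", legacy_context()), ("hardened", hardened_context())):
        print(f"{label:9s}", tls_findings(ctx) or "OK")
```

Reading `minimum_version` back from the context is the point: a deployment that merely hopes the library default is high enough has nothing to show an assessor, whereas a pinned floor is a property of the configuration that can be audited offline before the deadline.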
