Security trends for 2016

Here are my predictions for trends in information security and cyber security for year 2016.

The year 2015 was pretty bad for information security, and I would say that the trend is worrying. So I expect that the year 2016 will have many information security challenges. If you want to keep yourself up at night, spend some time reading about the latest developments in cybersecurity. In 2015 airplanes were hacked, cars were hacked, and vulnerabilities were found in a breathtaking range of sensitive equipment, from TSA locks to voting booths to medical devices. The big picture is even scarier. Former NSA Director Mike McConnell suspects China has hacked “every major corporation” in the US. Those problems will continue in 2016, and some new targets for attacks will be found. The system is broken. It isn’t keeping us, our companies, or our government safe. Worse yet, no one seems to know how to fix it.

Attacks through networks are becoming more common all the time. It will be hard to protect against targeted attacks. Hackers will not only customize malware, but they will increasingly use sophisticated phishing and social engineering tricks to gain access to sensitive data. Attackers usually cover their tracks carefully, and identifying the perpetrator can be very difficult. Behind targeted attacks are usually professional criminals. Criminals do not respect geographical borders, and hence attacks are spread evenly everywhere. Companies will struggle to absorb the security threats of combined PC and mobile device fleets in 2016.

 

EU information security decisions made in late 2015 will have an impact on what comes in 2016: the new EU data protection legislation package was approved, and the EU Court of Justice ruled that the Safe Harbor procedure is invalid. This means that transferring personal data from EU countries to the United States under Safe Harbor is a violation of law – you need some other agreement for this. The situation will probably get clarified during 2016. Data protection legislation changes will lead to increased fines for the unprepared. Legal uncertainty and big fines are a toxic cocktail for some companies. The combination of stiff penalties and ambiguously worded provisions in the new EU-wide data-protection law, which would replace a patchwork of 28 national laws, raises daunting prospects for companies operating in Europe.

After the huge number of user information leaks in 2015 from all kinds of Internet services, cloud companies will face the challenge of gaining trust in their security. You might just have dared to trust “the right cloud services,” since from the traditional information security point of view they seemed to have the main things in order, but the leaks have raised privacy concerns.

New environments will bring new threats. New operating system versions mean that administrators and users are less familiar with the environments. IPv6 will get more widely used, and the security of IPv6 networks is different from IPv4. Organizations are moving to virtualized environments, which are complex and create network layers that can become an attack vector. Growing network virtualization functionality and programmability are both an opportunity and a threat to security. Cyber security research will be important in 2016, as 5G networks will become critical infrastructure on top of which, for example, transport, industry, health care and new operators will set up their business around 2020.

The huge amount of information security news is becoming harder and harder to manage in 2016. A key problem with security revelations, as with all other news coverage, is the exponential growth of information. There is a variety of news summaries produced on a daily basis, but they are not enough to get a good picture of what is happening. There are bigger and smaller news items, the impact of which is at times very difficult to assess. SMBs will become a bigger target for cybercriminals. Network and security professionals continue to be among the toughest IT talent to find and hire.

The old way of network security, focused on perimeter defense, is not enough in 2016. The old mantras “encrypt everything” and “secure the perimeter” are not enough. One deceptive truth seems to drive much of the cybersecurity industry down a rabbit hole: if you keep bad actors and bad software out of your system, you have nothing to worry about. It does not work like that anymore. As perimeter security gets stronger, malicious actors are looking for easier entry points to compromise an organisation through the breadth of its digital attack surface. Now malicious actors target “endpoints”—any device or sensor connected to a network—to break into that network. Traditional sandboxing will no longer protect against the growing malware landscape. Today, most private networks have far too many endpoints to properly secure. In an age of “Bring Your Own Device,” the cloud, remote access, and the Internet of Things, there are too many vulnerabilities hackers can exploit. Keep in mind that everything connected to the Internet can, and will, be hacked. To address those threats in 2016, security experts should assume compromise – that hackers and malware already have breached their defenses, or soon will – and instead classify and mitigate threats. In addition to a public key infrastructure lock-and-key system, you will also need an integrity solution that acts like an alarm. To protect against advanced threats, security professionals will increase their reliance on centralized security management solutions. You need to have prioritization and response plans for various kinds of breaches – with a strong focus on integrity.

Law enforcement versus Silicon Valley tension will continue to be strong throughout 2016. In 2015, law enforcement and politicians on both sides of the Atlantic lined up to repeatedly complain that the web was “going dark” as the result of end-to-end encryption and that this was hampering the investigation of terrorism and other serious crimes. Technologists and cryptographers argue that governments are trying to weaken encryption by demanding some form of privileged access for government. It’s not clear how much encryption the NSA can break. With renewed focus on how encrypted messages can be used to plot terrorist attacks, President Barack Obama’s administration is stepping up pressure on the tech sector to help in the battle. Privacy remains a major counter-argument. It seems that governments lie about encryption backdoors. Encryption systems weakened by mandated backdoors would not be effective in fighting the terrorists that governments invoke as their reason for wanting those backdoors in the first place.

But this does not stop some government officials from demanding such a thing, with varying success in different countries. Another fact is that the existence of coded communications is a reality, and the U.S. may not be able to do much about it because nearly everyone living in modern society uses it: encryption protects your bank information, prevents your password from being stolen when you log into a website, and allows all e-commerce transactions to take place securely. Encryption weakened by mandated backdoors would put all of us at an enormous risk of exposure from data breaches and associated online risks. The truth in 2016 is that any form of privileged access for government – i.e., a backdoor – would inevitably weaken crypto-systems and make them more vulnerable to attacks by foreign governments’ intelligence agencies as well as criminals. Juniper’s VPN security hole is proof that government backdoors are bonkers. Encryption backdoors would be a gleeful win-win for terrorists and a horrific lose-lose for you – the bad guys having strong protections for their data, and the rest of us not. Poorly thought-out and crude surveillance techniques can have a devastating effect on a country’s internet security; for example, Kazakhstan will force its citizens to install internet backdoors by requiring all Internet users to install a state-issued root certificate by January 1, 2016.

Google, Mozilla and Microsoft are pushing for an early SHA-1 crypto cutoff that could happen in 2016 instead of the earlier planned January 1st, 2017. This is due to recent research showing that SHA-1 is weaker than previously believed, because it has been cracked without enormous effort. Mozilla, Microsoft and now Google are all considering bringing the deadline forward by six months to July 1, 2016. SHA-2 is going to be used as the replacement function for SHA-1. Websites like Facebook and those protected by CloudFlare have implemented a SHA-1 fallback mechanism for those systems that do not support SHA-2. Chrome will start displaying errors if SHA-1 certificates are employed in early 2016 and will completely stop supporting SHA-1 certificates at the end of 2016.

The use of blockchain technology, a permissionless distributed database based on the bitcoin protocol that runs across a global network of independent computers, will spread beyond just the Bitcoin virtual currency. With bitcoin, the blockchain tracks the exchange of money. But it can also track the exchange of anything else that holds value, including stocks, bonds, and other financial securities. Overstock has already used the blockchain to issue private bonds. The Securities and Exchange Commission has approved a plan from online retailer Overstock.com to issue company stock via the Internet, signaling a significant shift in the way financial securities will be distributed and traded in the years to come. Overstock built its technology under the aegis of a subsidiary called TØ.com, and it plans to offer this “cryptosecurity” tech as a service to other businesses. Nasdaq OMX—the company behind the Nasdaq stock exchange—is using the blockchain to oversee the exchange of private stock. Also, several major companies from across both the technology and financial industries—including IBM, Intel, and Cisco as well as the London Stock Exchange Group and big-name banks JP Morgan, Wells Fargo, and State Street—have joined forces with the Linux Foundation to create an alternative to the blockchain.

The use of disk encryption will increase, and there are different ways to do it with different security levels. Microsoft has introduced Windows 10 disk encryption in which the recovery keys are uploaded to Microsoft. This approach has some advantages and disadvantages. The gold standard in disk encryption is end-to-end encryption, where only you can unlock your disk. This is what most companies use, and it seems to work well. It protects data in case your device is lost or stolen. But what if you forget or lose your key? There are certainly cases where it’s helpful to have a backup of your key or password – so keeping a backup of your recovery key in your Microsoft account could be genuinely useful for probably the majority of users who don’t have high security needs. The disadvantage of this approach is that your computer is now only as secure as that database of keys held by Microsoft, which means it may be vulnerable to hackers, foreign governments, and people who can extort Microsoft employees.

Weak and leaked passwords are still a huge security problem in 2016. Passwords are often the weakest part when it comes to securing users’ accounts, as many don’t use complex passwords or they reuse the same password across services. Two-factor authentication – like using a USB stick with a secret token or entering a code sent via text message to your phone – can help to increase security, but many users also find this to be a hassle as it introduces an additional step to the login process.

Google has begun testing a login system that uses phone notifications for authentication instead of passwords: users authenticate by responding to a notification sent to their smartphone. The idea is similar to Yahoo’s recently launched “Account Key,” which also offers a password-free means of signing in, involving a push notification sent to your phone that then opens an app where you approve the log-in.

The smartphone will become a more and more security-critical part of your life. “Increasingly, individuals and organisations are adopting password managers and multi-factor authentication technologies to plug some of the holes in password-based authentication.” “We foresee a world where practically everyone uses their smartphone as a multi-factor authentication element. In this world, the smartphone becomes your most valuable asset: something that enables you to unlock your life online and a target for attackers seeking to access your services.”

Expect that the number of mobile vulnerabilities will only grow in 2016. In 2016 we will see increasing numbers of cyber criminals using mobile applications to spread malware. Mobile presents an easy target for cyber criminals, because it is an attack surface that is open and extremely difficult to defend once an app has been released. Android threats will become more than just headline-grabbers. Will 2016 be the year iOS malware goes mainstream?

Critical infrastructures will be highly targeted in 2015. SCADA and ICS networks were not designed for security. Attacks against these systems have increased in recent years. I expect this trend to only get worse. There are still many companies that run their critical systems on Windows XP, as “there are some people who don’t have an option to change.” Many times the OS is running in automation and process control systems that run business and mission-critical systems, both in private sector and government enterprises. For example, the US Navy is using the obsolete Microsoft Windows XP operating system to run critical tasks. It all comes down to money and resources, but if someone is obliged to keep something running on an obsolete system, it is completely the wrong approach to information security.

Cars were hacked at a record rate in 2015, and they will be hacked at least at the same rate in 2016. Modern cars feature more gadgetry and connected systems, and this makes vehicles just as vulnerable to today’s threats and attacks. I Am The Cavalry has published a Five Star Cyber Safety Framework to mitigate this threat in cars; hopefully car component makers study it.

IoT and smart devices are still at risk. The Internet of Things will continue to emerge, and businesses will need to think about how to protect their smart devices and prepare for the wider adoption of IoT. IoT platforms are not yet the weapon of choice for commercial malware authors, but businesses should beware. Wearables won’t be safe either, as they are built using largely the same, too often vulnerable, technologies as other IoT systems. IoT security is still in its infancy in 2016.

Cyber criminals became more active in 2015, particularly with ransom malware. The ransom-malware problem will continue to be big in 2016. Commercial malware authors will continue to invest heavily, and exploit kits will continue to dominate on the web. Ransomware today is big business. Ransomware takes control of a computer and holds it hostage until the victim pays, usually in the digital currency Bitcoin. As a remedy against ransom malware, I recommend making sure that your IT support or your service provider has the data backup and restore procedure operational, practiced and tested. You may need it in 2016 to get your data back without having to consider paying criminals. To date ransomware has hit Windows users hardest, although Android and MacOS users are now also facing similar extortion.

Ransomware will continue to dominate in 2016, and it is only a question of time before we see things beyond data being ransomed. We have already seen websites being held to ransom with DDoS. Intel’s McAfee Labs also noted a huge spike in ransomware in early 2015, and worries about ransomware in the IoT space—including medical devices. And Kaspersky predicts the “nightmare of ransomware” to continue and “spread to new frontiers” in 2016. The article Ransomware Is Coming to Medical Devices tells that, according to a report released recently by Forrester Research, the number one cybersecurity prediction for 2016 is: “We’ll see ransomware for a medical device or wearable.” “It’s definitely feasible from a technical standpoint.” Networked medical devices save lives. Despite the hacking risk, it’s an informed trade-off. Medical device ransomware would be a modern form of highway robbery with lives at stake.

2,232 Comments

  1. Tomi Engdahl says:

    Comodo’s ‘security’ kit installed a lame VNC server on PCs on the sly
    Modern antivirus: Easily crackable password, lets malware gain admin privileges
    http://www.theregister.co.uk/2016/02/18/comodo_flaw/

    Google’s Project Zero has found yet another blunder in Comodo’s internet “security” software – a VNC server enabled by default with a predictable password.

    Earlier this month, Googler Tavis Ormandy pointed out that Comodo’s custom web browser, dubbed Chromodo, was about as unsafe as a lace condom thanks to terrible security settings. Now Ormandy has found Comodo’s software included a remote desktop tool that is ideal for hackers.

    When installing Comodo Anti-Virus, Comodo Firewall, or Comodo Internet Security on a Windows PC, you’ll get a program called GeekBuddy, which Comodo staff can use to carry out remote technical support on people’s PCs (in exchange for money).

    GeekBuddy allows this by installing a VNC server that has admin-level privileges, is enabled by default, and is open to the local network.

    Reply
  2. Tomi Engdahl says:

    IRS Warns Of 400% Flood In Phishing and Malware This Tax Year Alone
    http://it.slashdot.org/story/16/02/18/1837246/irs-warns-of-400-flood-in-phishing-and-malware-this-tax-year-alone

    There has been a 400% surge in phishing and malware incidents in this tax season alone, the Internal Revenue Service warned this week.

    IRS warns: 400% flood in phishing and malware this tax year alone
    http://www.networkworld.com/article/3034608/security/irs-warns-400-flood-in-phishing-and-malware-this-tax-year-alone.html

    IRS says 363 incidents were reported from Feb. 1-16, compared to the 201 incidents reported for the entire month of February 2015

    According to the IRS:

    There were 1,026 incidents reported in January, up from 254 from a year earlier.
    The trend continued in February, nearly doubling the reported number of incidents compared to a year ago.
    In all, 363 incidents were reported from Feb. 1-16, compared to the 201 incidents reported for the entire month of February 2015.
    This year’s 1,389 incidents have already topped the 2014 yearly total of 1,361, and they are halfway to matching the 2015 total of 2,748.

The IRS said that when people click on these email links, they are taken to sites designed to imitate an official-looking website, such as IRS.gov. The sites ask for Social Security numbers and other personal information. The sites also may carry malware, which can infect people’s computers and allow criminals to access your files or track your keystrokes to gain information.

    IRS Scam: 5,000 victims cheated out of $26.5 million since 2013
    http://www.networkworld.com/article/3029655/security/irs-scam-5-000-victims-cheated-out-of-26-5-million-since-2013.html

    IRS, Treasury Dept. say once scammers have your attention, they will say anything to con you out of your hard-earned cash

    The Treasury Inspector General for Tax Administration in January said it has received reports of roughly 896,000 contacts since October 2013 and have become aware of over 5,000 victims who have collectively paid over $26.5 million as a result of the scam.

    “The phone fraud scam has become an epidemic, robbing taxpayers of millions of dollars of their money,” said J. Russell George, the Treasury Inspector General for Tax Administration in a statement. “We are making progress in our investigation of this scam, resulting in the successful prosecution of some individuals associated with it over the past year.”

    The Treasury Inspector General’s office said that callers who commit this fraud often:

    Utilize an automated robocall machine.
    Use common names and fake IRS badge numbers.
    May know the last four digits of the victim’s Social Security Number.
    Make caller ID information appear as if the IRS is calling.
    Send bogus IRS e-mails to support their scam.
    Call a second or third time claiming to be the police or department of motor vehicles, and the caller ID again supports their claim.

    “There are many variations. The caller may threaten you with arrest or court action to trick you into making a payment,”

    Reply
  3. Tomi Engdahl says:

    Stealing Keys From a Laptop In Another Room — and Offline
    http://it.slashdot.org/story/16/02/18/1626205/stealing-keys-from-a-laptop-in-another-room-and-offline

    Motherboard carries a report that with equipment valued at about $3,000, a group of Israeli researchers have been able to extract cryptographic keys from a laptop that is not only separated by a physical wall, but protected by an air gap. This, they say, “is the first time such an approach has been used specifically against elliptic curve cryptography running on a PC.”

    How White Hat Hackers Stole Crypto Keys from an Offline Laptop in Another Room
    https://motherboard.vice.com/read/how-white-hat-hackers-stole-crypto-keys-from-an-offline-laptop-in-another-room?utm_content=30237422&utm_medium=social&utm_source=facebook

    In recent years, air-gapped computers, which are disconnected from the internet so hackers can not remotely access their contents, have become a regular target for security researchers. Now, researchers from Tel Aviv University and Technion have gone a step further than past efforts, and found a way to steal data from air-gapped machines while their equipment is in another room.

    “By measuring the target’s electromagnetic emanations, the attack extracts the secret decryption key within seconds, from a target located in an adjacent room across a wall,” Daniel Genkin, Lev Pachmanov, Itamar Pipman, and Eran Tromer write in a recently published paper. The research will be presented at the upcoming RSA Conference on March 3.

    “The attack in its current form uses lab equipment that costs about $3000 and, as shown in the photos, is somewhat unwieldy,” Tromer told Motherboard in an email. “However, experience shows that once the physical phenomena are understood in the lab, the attack setup can be miniaturized and simplified.”

    Although similar research on “listening” to steal crypto keys has been carried out before, this is the first time such an approach has been used specifically against elliptic curve cryptography running on a PC, the authors say. Elliptic curve cryptography, or ECC, is a robust approach to crypto, used in everything from securing websites to messages.

    Specifically, the researchers obtained the private key from a laptop running GnuPG, a popular implementation of OpenPGP. (The developers of GnuPG have since released countermeasures to the method. Tromer said that the changes make GnuPG “more resistant to side-channel attack since the sequence of high-level arithmetic operations does not depend on the secret key.”)

    “The attacks are completely non-intrusive, we did not modify [the] targets or open their chassis,” the researchers write.

    Reply
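The GnuPG countermeasure quoted in the comment above works by making the sequence of high-level arithmetic operations independent of the secret key. The following is an added example (not from the original post or from GnuPG) on a constructed toy curve over a 97-element field, useless for real cryptography but enough to log every point addition and doubling: plain double-and-add spells the key out in its operation sequence, while a Montgomery ladder performs the same add-then-double pair for every bit.

```python
"""Key-dependent vs key-independent operation sequences in EC scalar multiplication.

Added example on a toy curve y^2 = x^3 + 2x + 3 over GF(97) (constructed for
illustration; the base point G has order 5). Both multiplication routines log
the high-level point operations they perform so the trace visible to a
side-channel observer can be compared.
"""

P, A, B = 97, 2, 3
G = (3, 6)
INF = None                     # point at infinity


def _inv(x):
    """Modular inverse via Fermat's little theorem (P is prime)."""
    return pow(x % P, P - 2, P)


def point_add(p, q, trace=None):
    """Affine point addition; appends "A" to trace when one is supplied."""
    if trace is not None:
        trace.append("A")
    if p is INF:
        return q
    if q is INF:
        return p
    x1, y1 = p
    x2, y2 = q
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF                               # p == -q
    if p == q:
        lam = (3 * x1 * x1 + A) * _inv(2 * y1) % P
    else:
        lam = (y2 - y1) * _inv(x2 - x1) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def point_double(p, trace=None):
    """Point doubling; appends "D". Reuses point_add without logging an extra "A"."""
    if trace is not None:
        trace.append("D")
    return point_add(p, p)


def mul_double_and_add(k, p, trace, nbits=8):
    """Left-to-right double-and-add: an "A" follows a "D" only for 1 bits,
    so the operation sequence is a transcript of the key."""
    r = INF
    for i in range(nbits - 1, -1, -1):
        r = point_double(r, trace)
        if (k >> i) & 1:
            r = point_add(r, p, trace)
    return r


def mul_ladder(k, p, trace, nbits=8):
    """Montgomery ladder: every bit costs exactly one add and one double,
    whatever its value. Invariant: r1 == r0 + p. The register selection is
    still a data-dependent branch here; a production implementation would
    also replace it with a constant-time conditional swap."""
    r0, r1 = INF, p
    for i in range(nbits - 1, -1, -1):
        if (k >> i) & 1:
            r0 = point_add(r0, r1, trace)
            r1 = point_double(r1, trace)
        else:
            r1 = point_add(r0, r1, trace)
            r0 = point_double(r0, trace)
    return r0


def operation_trace(mul, k, nbits=8):
    """Run mul on scalar k and return the logged operation sequence as a string."""
    trace = []
    mul(k, G, trace, nbits)
    return "".join(trace)


def key_recovered_from_trace(trace):
    """What a trace observer reads off double-and-add: one bit per "D",
    set when that "D" is followed by an "A"."""
    per_bit = trace.split("D")[1:]
    return int("".join("1" if op == "A" else "0" for op in per_bit), 2)


if __name__ == "__main__":
    for k in (0b10110010, 0b00000001):
        print(f"k={k:08b}  double-and-add: {operation_trace(mul_double_and_add, k)}")
        print(f"k={k:08b}  ladder:         {operation_trace(mul_ladder, k)}")
```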
  4. Tomi Engdahl says:

    Google submits patent application for online voting
    https://thestack.com/world/2016/02/18/google-submits-patent-for-online-voting/

    In a patent submitted to the U.S. Patent and Trademark Office, Google has outlined a concept for real-time online voting, right on the Google home page.

    Reply
  5. Tomi Engdahl says:

    New York Times:
    Apple had asked the FBI to issue application for iPhone passcode cracking tool under seal, but government made it public, prompting Tim Cook’s public remarks — How Tim Cook Became a Bulwark for Digital Privacy — SAN FRANCISCO — Letters from around the globe began pouring into the inbox …

    How Tim Cook, in iPhone Battle, Became a Bulwark for Digital Privacy
    http://www.nytimes.com/2016/02/19/technology/how-tim-cook-became-a-bulwark-for-digital-privacy.html?_r=0

    Reply
  6. Tomi Engdahl says:

    New York Times:
    Apple and the US government have been at odds over iPhone encryption since the debut of iOS 8

    Apple’s Line in the Sand Was Over a Year in the Making
    http://www.nytimes.com/2016/02/19/technology/a-yearlong-road-to-a-standoff-with-the-fbi.html

    Time and again after the introduction of the iPhone nearly a decade ago, the Justice Department asked Apple for help opening a locked phone. And nearly without fail, the company agreed.

    Then last fall, the company changed its mind.

    “We’re being forced to become an agent of law enforcement,” the company’s lawyer, Marc Zwillinger, protested in court.

    That stance foreshadowed this week’s showdown between the Obama administration and Apple over the locked iPhone belonging to one of the suspects in the San Bernardino, Calif., shooting rampage. By the time of Mr. Zwillinger’s statement, Apple and the government had been at odds for more than a year, since the debut of Apple’s new encrypted operating system, iOS 8, in late 2014.

    The new technology repeatedly stymied investigators — the New York authorities said on Thursday that they had been locked out of 175 iPhones in cases they were pursuing. But both sides held out hope for a compromise that would avoid the type of confrontation that occurred this week when a federal magistrate judge ordered Apple to comply with the Justice Department’s request.

    Local law enforcement officials, too, were sounding alarms. “This has become, ladies and gentlemen, the Wild West in technology,” Cyrus R. Vance Jr., the district attorney in Manhattan, said at a news conference Thursday, echoing complaints he and others have made for many months. “Apple and Google are their own sheriffs. There are no rules.”

    Reply
  7. Tomi Engdahl says:

    Michael Riley / Bloomberg Business:
    Secret National Security Council memo directs government agencies to find ways to access encrypted data on consumer devices

    Secret Memo Details U.S.’s Broader Strategy to Crack Phones
    http://www.bloomberg.com/news/articles/2016-02-19/secret-memo-details-u-s-s-broader-strategy-to-crack-phones

    Silicon Valley celebrated last fall when the White House revealed it would not seek legislation forcing technology makers to install “backdoors” in their software — secret listening posts where investigators could pierce the veil of secrecy on users’ encrypted data, from text messages to video chats. But while the companies may have thought that was the final word, in fact the government was working on a Plan B.

    In a secret meeting convened by the White House around Thanksgiving, senior national security officials ordered agencies across the U.S. government to find ways to counter encryption software and gain access to the most heavily protected user data on the most secure consumer devices, including Apple Inc.’s iPhone, the marquee product of one of America’s most valuable companies, according to two people familiar with the decision.

    Reply
  8. Tomi Engdahl says:

    DoJ files motion to compel Apple to comply with FBI order
    http://www.cnbc.com/2016/02/19/doj-files-motion-to-compel-apple-to-comply-with-fbi-order.html

    The Justice Department is seeking to force Apple to comply with an order to help the FBI crack a phone used by one of the San Bernardino attackers, CNBC confirmed Friday.

    Apple previously had been given three extra days to respond to the order, with a Feb. 26 deadline. Apple CEO Tim Cook and other tech executives denounced a court order this week amid a renewed debate over how much access tech companies should give authorities to investigate or prevent attacks.

    Apple: Terrorist’s Apple ID Password Changed In Government Custody, Blocking Access
    http://www.buzzfeed.com/johnpaczkowski/apple-terrorists-appleid-passcode-changed-in-government-cust#.wk7dbv9vP

    Company executives said they had been helping federal officials with the investigation when the password change was discovered. The comments came hours after the Department of Justice criticized Apple’s response to a court order that the company help the government access Syed Farook’s phone.

    The Apple ID password linked to the iPhone belonging to one of the San Bernardino terrorists was changed less than 24 hours after the government took possession of the device, senior Apple executives said Friday. If that hadn’t happened, Apple said, a backup of the information the government was seeking may have been accessible.

    Now, the government, through a court order, is demanding Apple build what the company considers a special backdoor way into the phone — an order that Apple is challenging. The government argues Apple would not be creating a backdoor.

    The executives said the company had been in regular discussions with the government since early January, and that it proposed four different ways to recover the information the government is interested in without building a backdoor.

    Apple sent trusted engineers to try that method, the executives said, but they were unable to do it. It was then that they discovered that the Apple ID password associated with the iPhone had been changed. (The FBI claimed earlier Friday that this was done by someone at the San Bernardino Health Department.)

    Reply
  9. Tomi Engdahl says:

    Eric Lichtblau / New York Times:
    Justice Department Calls Apple’s Refusal to Unlock iPhone a ‘Marketing Strategy’ — WASHINGTON — The Justice Department, impatient over its inability to unlock the iPhone of one of the San Bernardino killers, demanded Friday that a judge immediately order Apple to give it the technical tools to get inside the phone.

    Justice Department Calls Apple’s Refusal to Unlock iPhone a ‘Marketing Strategy’
    http://www.nytimes.com/2016/02/20/business/justice-department-calls-apples-refusal-to-unlock-iphone-a-marketing-strategy.html

    Reply
  10. Tomi Engdahl says:

    Joseph Cox / Motherboard:
    Encrypted messaging service Ricochet, which uses Tor hidden services to avoid storing metadata, passes security audit by NCC Group

    ‘Ricochet’, the Messenger That Beats Metadata, Passes Security Audit
    http://motherboard.vice.com/read/ricochet-encrypted-messenger-tackles-metadata-problem-head-on

    Reply
  11. Tomi Engdahl says:

    Charlie Savage / New York Times:
    Sources: Obama administration set to permit NSA to share its raw surveillance information with other US intelligence agencies — Obama Administration Set to Expand Sharing of Data That N.S.A. Intercepts — WASHINGTON — The Obama administration is on the verge of permitting …
    http://www.nytimes.com/2016/02/26/us/politics/obama-administration-set-to-expand-sharing-of-data-that-nsa-intercepts.html

    Reply
  12. Tomi Engdahl says:

    Linux Mint Hacked Briefly – Bad ISOs, Compromised Forum
    http://hackaday.com/2016/02/22/linux-mint-hacked-briefly-bad-isos-compromised-forum/

    On February 20th, servers hosting the Linux Mint web site were compromised and the site was modified to point to a version of Mint with a backdoor installed. Very few people were impacted, fortunately; only those who downloaded Mint 17.3 Cinnamon on February 20th. The forum user database was also compromised.

    What is most impressive here is not that Linux Mint was compromised, but the response and security measures that were already in place that prevented this from becoming a bigger problem. First, it was detected the same day that it was a problem, so the vulnerability only lasted less than a day. Second, it only affected downloads of a specific version, and only if they clicked a specific link, so anyone who was downloading from a direct HTTP request or a torrent is unaffected. Third, they were able to track down the names of three people in Bulgaria who are responsible for this hack.

    Reply
  13. Tomi Engdahl says:

    Security alarm systems have security issues:

    Breaking SimpliSafe Security Systems With Software Defined Radio
    http://hackaday.com/2016/02/23/breaking-simplisafe-security-systems-with-software-defined-radio/

    The SimpliSafe home security system is two basic components, a keyboard and a base station. Sensors such as smoke detectors, switches, and motion sensors can be added to this system, all without a wired installation. Yes, this security system is completely wireless. Yes, you can still buy a software defined radio for ten dollars. Yes, the device has both “simple” and “safe” in its name. We all know where this is going, right?

    Last week, [Andrew Zonenberg] at IOActive published a security vulnerability for the SimpliSafe wireless home security system. As you would expect from an off-the-shelf, wireless, DIY security system, the keypad and base station use standard 433 MHz and 315 MHz ISM band transmitters and receivers. [Dr. Zonenberg]’s attack on the system didn’t use SDR; instead, test points on the transmitters were tapped and messages between the keypad and base station were received in cleartext. When the correct PIN is entered in the keypad, the base station replies with a ‘PIN entered’ packet. Replaying this packet with a 433 MHz transmitter will disable the security system.

    [Michael Ossmann] took this one step further with a software defined radio. [Ossmann] used a HackRF One to monitor the transmissions from the keypad and turned to a cheap USB SDR dongle to capture packets. Replaying keypad transmissions was easy, but with a little bit more work new attacks can be found. The system can be commanded to enter test mode even when the system is armed, bypassing notifications to the owner.

    Low Cost SimpliSafe Attacks
    http://greatscottgadgets.com/2016/02-19-low-cost-simplisafe-attacks/

    Reply
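The replay weakness described above, as an added simulation that is not IOActive's, Great Scott Gadgets' or SimpliSafe's code: a static cleartext 'PIN entered' frame is accepted again when recorded and resent, while a receiver that checks a per-frame counter under an HMAC rejects the same recording. The frame layout, pairing key and message type are constructed for this example, not the real product's protocol.

```python
"""Why a static 'PIN entered' frame is replayable, and a counter + MAC design that is not.

Added example (not IOActive's, Great Scott Gadgets' or SimpliSafe's code): a
simulation of the receiver side of a keypad/base-station link. The frame
format, pairing key and message type are constructed for this example and are
not the real product's protocol.
"""
import hashlib
import hmac
import struct

PIN_ENTERED = 0x01  # constructed message type
# Constructed pairing secret; a real design would provision one per keypad.
PAIRING_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
TAG_LEN = 8  # truncated HMAC-SHA256 tag appended to each frame


def cleartext_frame(msg_type: int) -> bytes:
    """Weak design: the frame content never changes, so a recording of it is as good as the original."""
    return struct.pack(">B", msg_type)


class CleartextReceiver:
    """Accepts any well-formed 'PIN entered' frame, including one captured earlier."""

    def __init__(self) -> None:
        self.armed = True

    def receive(self, frame: bytes) -> bool:
        if frame == cleartext_frame(PIN_ENTERED):
            self.armed = False
            return True
        return False


def authenticated_frame(key: bytes, msg_type: int, counter: int) -> bytes:
    """Hardened design: message type + monotonically increasing counter, authenticated with a MAC."""
    body = struct.pack(">BI", msg_type, counter)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


class AuthenticatedReceiver:
    """Rejects frames with a bad MAC and frames whose counter is not newer than the last accepted one."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.armed = True
        self.last_counter = 0  # highest counter accepted so far; gaps are allowed (lost packets)

    def receive(self, frame: bytes) -> bool:
        if len(frame) != 5 + TAG_LEN:
            return False
        body, tag = frame[:5], frame[5:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return False  # forged or corrupted frame
        msg_type, counter = struct.unpack(">BI", body)
        if counter <= self.last_counter:
            return False  # replay of an already-seen frame
        self.last_counter = counter
        if msg_type == PIN_ENTERED:
            self.armed = False
            return True
        return False


def replay_outcomes() -> tuple:
    """Feed a captured frame to each receiver twice, re-arming in between.

    Returns (weak_replay_accepted, strong_replay_accepted, strong_fresh_accepted, forged_accepted).
    """
    weak = CleartextReceiver()
    captured = cleartext_frame(PIN_ENTERED)
    weak.receive(captured)          # legitimate disarm
    weak.armed = True               # owner re-arms the system
    weak_replay = weak.receive(captured)

    strong = AuthenticatedReceiver(PAIRING_KEY)
    captured = authenticated_frame(PAIRING_KEY, PIN_ENTERED, counter=1)
    strong.receive(captured)
    strong.armed = True
    strong_replay = strong.receive(captured)  # same counter -> rejected
    strong_fresh = strong.receive(authenticated_frame(PAIRING_KEY, PIN_ENTERED, counter=2))
    forged = strong.receive(authenticated_frame(b"wrong key", PIN_ENTERED, counter=3))
    return weak_replay, strong_replay, strong_fresh, forged


if __name__ == "__main__":
    print(replay_outcomes())  # (True, False, True, False)
```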
  14. Tomi Engdahl says:

    Nanette Asimov / San Francisco Chronicle:
    University of California Berkeley notifies 80K of cyber attack from last December that accessed its financial management software

    Hacker broke into UC Berkeley system with info of 80K UC Berkeley students, workers, alumni
    http://www.sfgate.com/news/article/Hacker-broke-into-UC-Berkeley-system-with-info-of-6856471.php

    UC Berkeley officials have alerted 80,000 current and former students and employees that someone hacked into the campus financial system and they should check if their Social Security numbers and bank account numbers have been stolen.

    Reply
  15. Tomi Engdahl says:

    Android malware downloaded more than two billion times

    Malware is no longer an exception, but the rule on smartphones. Research tells us that users have downloaded Android malware to their cell phones more than two billion times.

    In its study of the official Android app stores, the research firm Proofpoint found 12 thousand malware apps. They steal the user’s information and create backdoors in devices.

    And things in the iPhone camp are not much better. According to statistics from Proofpoint’s software, which is used to protect companies’ mobile devices, up to 40 per cent of business iPhones contained some kind of malicious software. The figure is shockingly high.

    Source: http://etn.fi/index.php?option=com_content&view=article&id=4043:android-haittoja-ladattu-yli-kaksi-miljardia-kertaa&catid=13&Itemid=101

    Reply
  16. Tomi Engdahl says:

    Chris Ziegler / The Verge:
    Nissan pulls the Leaf’s phone app after security vulnerabilities come to light
    http://www.theverge.com/2016/2/25/11116724/nissan-nissanconnect-app-hack-offline

    Just a day after news spread that Nissan Leaf’s NissanConnect app could be compromised by hackers to control fan settings (potentially draining the battery) and download logs of past drives, Nissan has pulled the functionality, saying that it is “looking forward to launching updated versions of [its] apps very soon.”

    Information security has been a particularly pressing concern in the auto industry, where the concept of the connected car has, at times, moved faster than the industry’s ability to keep hackers at bay. The NissanConnect hack, which allows an individual to download and manipulate settings if they have a Leaf’s VIN number, is not the most serious hack — there doesn’t appear to be any situation where it would put a moving vehicle in harm’s way — but it could effectively disable a car by draining the battery. In the worst case, hackers could also use drive logs to get a sense of when the car’s owner is at home, at work, or elsewhere.

    Reply
  17. Tomi Engdahl says:

    MIT Technology Review:
    Google unveils PlaNet neural network that outperforms humans at guessing the location of an image — Google Unveils Neural Network with “Superhuman” Ability to Determine the Location of Almost Any Image — Guessing the location of a randomly chosen Street View image is hard, even for well-traveled humans.

    Google Unveils Neural Network with “Superhuman” Ability to Determine the Location of Almost Any Image
    https://www.technologyreview.com/s/600889/google-unveils-neural-network-with-superhuman-ability-to-determine-the-location-of-almost/

    Reply
  18. Tomi Engdahl says:

    Brian Barrett / Wired:
    IRS now says hackers accessed 700K+ taxpayer accounts, not 334K it disclosed in August, will begin mailing affected taxpayers on Feb. 29 — Hack Brief: Last Year’s IRS Hack Was Way Worse Than We Realized — Last year, a hack of the US Office of Personnel Management exposed the personal information …

    Hack Brief: Last Year’s IRS Hack Was Way Worse Than We Realized
    http://www.wired.com/2016/02/irs-hack-700000-accounts/

    When the IRS first reported a hack that exposed taxpayer accounts’ vulnerable information, it pegged the number of affected people at a little over 100,000. Today, in its second upward revision, the number of affected people now stands at over 700,000.

    As WIRED originally reported last spring, the hack gave attackers access to entire tax returns, which means people’s social security numbers, address, and incomes were all compromised. The hackers used personal information already in hand to get unauthorized access through an IRS application called “Get Transcript.”

    In other words, much of the information had already been acquired, including SSNs and dates of birth. “Get Transcript” has been offline since the first indications of a breach last May.

    How Serious Is This?

    In terms of the type of information that’s been compromised, it’s no worse than it was last May. That’s still plenty bad, though; if there’s information about yourself you might consider sensitive, it’s probably on your tax return somewhere.

    What’s more serious at this point is the extent to which the IRS underestimated the severity of the breach. It’s been nearly a year. That’s a long time for 390,000 people to have been vulnerable but not know it.

    Reply
  19. Tomi Engdahl says:

    Wall Street Journal:
    Regulatory hurdles stymie lenders’ efforts to use social media to judge creditworthiness

    Facebook Isn’t So Good at Judging Your Credit After All
    Lenders drop plans to use social media to gauge creditworthiness as regulators balk; plus, one startup says, ‘It’s creepy’
    http://www.wsj.com/article_email/lenders-drop-plans-to-judge-you-by-your-facebook-friends-1456309801-lMyQjAxMTI2MjIzNDMyMTQwWj

    In the growing business of online lending, Facebook was supposed to be the new FICO. No longer.

    Regulatory hurdles have stymied efforts by online lenders and credit-data providers to use information from social media to judge American borrowers’ creditworthiness.

    In 2014, venture capitalist Charles Moldow at Foundation Capital, an early Netflix backer, wrote that online lenders could beat banks by using better data than credit scores—including potentially “the number of friends on Facebook.” Last year, a report from consultancy PwC on online lending said that “embracing social media fits in with millennials’ expectations.” Facebook discussed the possibility with lenders and others around 2014, people familiar with the matter say, and even secured a patent connected with the idea.

    But the enthusiasm has faded, startups say.

    Last May, Facebook limited the amount of information that third-party services could pull from a user’s profile. The move affected a broad swath of businesses, including lenders that wanted to make decisions based on a borrower’s map of Facebook relationships.

    “In order to protect privacy,” social networks including Facebook “limited the depth you can get through a profile,”

    Reply
  20. Tomi Engdahl says:

    Apple, FBI Talks Need Engineers
    http://www.eetimes.com/author.asp?section_id=36&doc_id=1329038&

    A panel of experts need to study and report to the public on the legal and technical alternatives in security and privacy, and engineers need a seat at that table.

    The dispute between Apple and the FBI has created an opportunity for security experts in the government and industry to gather around a table. At this stage, all sides need such a group to define the technology and policy issues clearly.

    There are a lot of moving parts in both the technological and social aspects of security and privacy. Understanding exactly how companies implement security on client devices and cloud services is as important as refining the line in the digital era between individual rights and public safety.

    The current debate has been widespread and lively though, as usual in a democracy, not always focused or informed. For example, a lot of highly prioritized bits have been fired up to argue just whose side Bill Gates is on — a question that really doesn’t matter.

    It seems clear to me there is a widening gulf in front of us.

    Private companies are responsible to build the most secure products possible. Governments are charged to guard their citizens’ safety and freedom. Today we are moving toward an extreme in which the two sides are adversaries. It’s time to take a step toward the center of collaboration.

    Reply
  21. Tomi Engdahl says:

    Reinvented ransomware shifts from pwning PC to wrecking websites
    ‘CTB Locker’ targets WordPress, offers live chat to help victims pay up
    http://www.theregister.co.uk/2016/02/29/reinvented_ransomware_shifts_from_pwning_pc_to_wrecking_websites/

    A new ransomware variant appears to be ripping through WordPress sites encrypting data and demanding a payment of half a bitcoin to release files.

    The website variant of CTB Locker is encrypting all files on WordPress-powered sites and replacing the index.php with a file that displays instructions for paying the ransom.

    It even sports a chat room support feature where verified victims can exchange words with ransomware scum.

    Researchers Benkow Wokned (@benkow_) and Tomas Meskauskas (@pcrisk) found the malware, warning it has likely infected hundreds of sites.

    A random scattering of sites and businesses have been affected.

    Reply
  22. Tomi Engdahl says:

    John McAfee: NSA’s Back Door Has Given Every US Secret To Enemies
    http://news.slashdot.org/story/16/02/28/178258/john-mcafee-nsas-back-door-has-given-every-us-secret-to-enemies

    John McAfee, American computer programmer and contributing editor of Business Insider, explains how the NSA’s back door has given every U.S. secret to its enemies. He begins by mentioning the importance of software, specifically meta-software, which contains a high level set of principles designed to help a nation survive in a cyberwar. Such software must not contain any back doors under any circumstances, otherwise it can and may very likely allow perceived enemies of the U.S. to have access to top-secret information.

    JOHN MCAFEE: The NSA’s back door has given every US secret to our enemies
    http://www.businessinsider.com/john-mcafee-nsa-back-door-gives-every-us-secret-to-enemies-2016-2?IR=T

    Deng Xiaoping, in 1979 – his second year as supreme leader of China – perceived a fundamental truth that has yet to be fully grasped by most Western leaders: Software, if properly weaponized, could be far more destructive than any nuclear arsenal.

    Under Deng’s leadership, China began one of the most ambitious and sophisticated meta-software development programs ever undertaken.

    And what is meta-software? It’s the one science that the entire Western World has entirely overlooked. It is a high level set of principles for developing software that are imperative if a nation is to survive in a cyberwar.

    For example, programmers must constantly be audited. Every line of code written by every programmer is audited by two senior programmers, and these auditors are rotated each month and the same two are never paired more than once. You will see very clearly, later in this article, why such a principle is vital to a society’s survival.

    Another principle is that back doors into software can never, under any circumstances, be allowed. Under Deng Xiaoping, the penalty for back doors, and for violating any of the meta-software principles, was death.

    I will give an example of what happens in the real world when back doors are put into software. On December 17th of last year, Juniper Networks – a major provider of secure network systems, whose customers include nearly every US government agency – announced that it had discovered two “unauthorized” back doors in its systems.

    For those of my readers who do not understand how back doors are created – they can only be created by the manufacturers of the software. There is, absolutely, no other way.

    So, the company had to have a rogue employee in the software development department. This much is clear.

    Over half of Juniper’s customers are in parts of the world in which the NSA has extreme interest.

    Now, a legitimate TOP-SECRET document. Released by Anonymous and dated February 2011 reveals that the British spy agency GCHQ, with the knowledge and apparent cooperation of the NSA, acquired the capability to covertly exploit security vulnerabilities in 13 different models of firewalls made by Juniper Networks.

    I hope we all understand now what “acquired the capability” means. The NSA planted a programmer within Juniper Networks. There was no other way to “acquire” this capability.

    So, in 2011 the NSA surreptitiously got their back door into a powerful piece of security software used by many enemies of the US. They could now monitor these enemies easily.

    The Internet underground knew of these back doors within weeks of their release, and so did the Chinese, and so did the Russians. And so did every hacker on the planet. Monitoring changes within major software systems is the simplest of all things. Every hacker toolkit contains a compare program that will outline all changes made to a piece of software by the manufacturer. Disassembly tools tell the hacker what each change does.

    So, while the NSA was monitoring our perceived Middle Eastern enemies, the Chinese and Russians, and god knows who else, were making off with every important secret in the US, courtesy of the NSA’s back door. The NSA failed to notice that 50% of Juniper Networks users were American, and the majority of those were within the US Government.

    Whatever gains the NSA has made through the use of their back door, it cannot possibly counterbalance the harm done to our nation by everyone else’s use of that same back door.

    We have to get our act together, and soon. We can no longer act like children in a playground playing with real guns. We have to grow up. Our technology has outgrown us, because we have failed to grasp its subtle implications.

    Reply
  23. Tomi Engdahl says:

    Inside The Obama Administration’s Attempt To Bring Tech Companies Into The Fight Against ISIS
    http://www.buzzfeed.com/sheerafrenkel/inside-the-obama-administrations-attempt-to-bring-tech-compa#.gdb4QXAWE2

    Dozens of U.S. government officials, tech executives, and entertainment representatives gather in D.C., under a cloud of growing anti-Muslim sentiment and the spiralling fight between Apple and the FBI.

    Reply
  24. Tomi Engdahl says:

    Dan Goodin / Ars Technica:
    Study: 3.67% of sites in Alexa 1,000 are either blocking or presenting CAPTCHAs to Tor users, often carried out by CDNs like CloudFlare or Akamai

    Some websites turning law-abiding Tor users into second-class citizens
    Tor users blocked or faced with CAPTCHA if IP address matches known exit node.
    http://arstechnica.com/tech-policy/2016/02/some-websites-turning-law-abiding-tor-users-into-second-class-citizens/

    About 1.3 million IP addresses—including those used by Google, Yahoo, Craigslist, and Yelp—are turning users of the Tor anonymity network into second-class Web citizens by blocking them outright or degrading the services offered to them, according to a recently published research paper.

    Titled “Do You See What I See? Differential Treatment of Anonymous Users,” the paper said 3.67 percent of websites in the Alexa 1,000 discriminated against computers visiting with known Tor exit-node IP addresses. In some cases, the visitors are completely locked out, while in others users are required to complete burdensome CAPTCHAs or are limited in what they can do. The authors said the singling out was an attempt by the sites to limit fraud and other online crime, which is carried out by a disproportionately high percentage of Tor users. In the process, law-abiding Tor users are being treated as second-class Web citizens.

    “While many websites block Tor to reduce abuse, doing so inadvertently impacts users from censored countries who do not have other ways to access censored Internet content,” the authors wrote.

    Reply
  25. Tomi Engdahl says:

    Dan Goodin / Ars Technica:
    Largely undetected Mac malware suggests disgraced HackingTeam has returned — Researchers have uncovered what appears to be newly developed Mac malware from HackingTeam, a discovery that’s prompting speculation that the disgraced malware-as-a-service provider has reemerged since last July’s hack …

    Largely undetected Mac malware suggests disgraced HackingTeam has returned
    Until recently, sample wasn’t detected by any of the top antivirus programs.
    http://arstechnica.com/security/2016/02/largely-undetected-mac-malware-suggests-disgraced-hackingteam-has-returned/

    Researchers have uncovered what appears to be newly developed Mac malware from HackingTeam, a discovery that’s prompting speculation that the disgraced malware-as-a-service provider has reemerged since last July’s hack that spilled gigabytes worth of the group’s private e-mail and source code.

    The sample was uploaded on February 4 to the Google-owned VirusTotal scanning service, which at the time showed it wasn’t detected by any of the major antivirus programs. (Ahead of this report on Monday, it was detected by 10 of 56 AV services.) A technical analysis published Monday morning by SentinelOne security researcher Pedro Vilaça showed that the installer was last updated in October or November, and an embedded encryption key is dated October 16, three months after the HackingTeam compromise.

    Reply
  26. Tomi Engdahl says:

    Great news! Only 707,509,815 records breached in 2015
    Things were worse in 2014, but governments are trying to drag us down with sloppy security
    http://www.theregister.co.uk/2016/03/01/707509815_records_breached_last_year/

    More than 700 million records were breached last year, according to security researchers at Gemalto.

    The firm’s 2015 Breach Level report considered 1673 hacking incidents recorded during 2015, of which 964 were thanks to outsiders and a whopping 398 thanks to bumbling staff and developers.

    Those figures are surprisingly smaller than 2014 with total pwnage falling by 39 percent and breach incidents by 3.4 percent, according to the company’s 2014 report.

    Still, the figures equate to nearly two million lost or stolen records a day.

    Giant breaches including the Turkish Citizenship agency, Korea Pharmaceutical Information Center, and the Office of Personnel Management contributed a respective 50 million, 43 million, and 22 million records apiece, making government the most prolific of leak sectors.

    Nation states were responsible for a total of 307 million breached records, ahead of healthcare with 84 million data sets compromised. Of this the Anthem breach contributed an eye-watering 78.8 million breached records.

    The United States remains as usual the largest target for attacks with some 1222 breaches recorded by the company. The UK comes in second with a measly 154 breaches, Canada with 59 incidents, and Australia with a paltry 42 publicly-recorded hacks and gaffes.

    The United Kingdom dominates the Europe wall of shame list with Germany in second spot sporting only 11 known breaches.

    Reply
  27. Tomi Engdahl says:

    DDoS attacks up 149 percent as brassy booter kids make bank
    Akamai report finds surge in weighty packets.
    http://www.theregister.co.uk/2016/03/01/ddos_attacks_up_149_percent_as_brassy_booter_kids_make_bank/

    The number of distributed denial of service attacks rose 149 percent in the dying months of 2015 according to Akamai’s networking wonks.

    The latest figures in the State of the Internet Q4 2015 report (PDF) tracked some 3693 DDoS attacks during the final quarter, finding a 169 percent uptick in infrastructure attacks.

    Akamai finds each customer copped an average of 24 DDoS attacks compared to 17 in 2014, with each four hours shorter, averaging 14.95 hours compared to those tracked the year previous.

    The report says botnet booter services are increasingly using DNS, chargen, ntp, and other vulnerable servers to increase packet size. Those services have been made popular by hacking groups like Lizard Squad which built its fleet from vulnerable hacked routers.

    “In other words, while the average gigabits per second per attack increased, the average number of packets per second decreased,” the report says.

    “In fact, only three attacks exceeded 30 million packets per second in Q4, a statistic that has steadily decreased for several quarters.

    “Sites offering booter tools are purportedly set up to allow administrators to load test their own sites. However, many of the sites are used as DoS-for-hire tools, relying on reflection attacks to generate traffic.”

    The attacks are short-lived contributing to the drop in the average time of DDoS, the researchers say.

    Five of the tracked attacks tipped 100Gbps, down from the eight registered the last months of 2014. One beast clocked 309Gbps.

    The report further finds DNS-based traffic rose 92 percent, chargen traffic up 52 percent, and udp floods up 20 percent.

    https://www.stateoftheinternet.com/downloads/pdfs/2015-Q4-cloud-security-report.pdf

    Reply
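The reflection pattern the report describes (traffic bounced off DNS, chargen and NTP servers, larger packets and fewer of them) is the kind of thing a defender can spot in flow records. As an added example that is not Akamai's code, the script below parses constructed NetFlow-style lines and flags destinations receiving large-packet UDP traffic from those reflector source ports; the thresholds, addresses and line format are assumptions made for the example.

```python
"""Flag UDP reflection/amplification traffic in flow records.

Added example, not code from Akamai or its report: it parses constructed
NetFlow-style lines and flags destinations receiving large-packet UDP traffic
from the reflector source ports the report names (DNS 53, chargen 19, NTP 123).
Thresholds and sample addresses are assumptions for the example.
"""
from collections import defaultdict

REFLECTOR_PORTS = {53: "dns", 19: "chargen", 123: "ntp"}
MIN_BYTES_PER_PACKET = 400   # assumed: reflected replies are large, ordinary queries are small
MIN_DISTINCT_SOURCES = 3     # assumed: amplification spreads over many reflectors

# Constructed sample: proto src:sport -> dst:dport packets bytes
SAMPLE_FLOWS = """\
udp 203.0.113.10:53 -> 198.51.100.7:33891 1200 1440000
udp 203.0.113.11:53 -> 198.51.100.7:33891 900 1170000
udp 203.0.113.12:53 -> 198.51.100.7:33891 1500 1875000
udp 203.0.113.20:19 -> 198.51.100.7:33891 800 820000
udp 203.0.113.30:123 -> 198.51.100.7:33891 500 220000
udp 203.0.113.40:53 -> 198.51.100.9:53 40 4000
tcp 203.0.113.50:443 -> 198.51.100.7:51000 300 45000
"""


def parse_flow(line: str):
    """Return (proto, src, sport, dst, dport, packets, bytes) or None for a malformed line."""
    parts = line.split()
    if len(parts) != 6 or parts[2] != "->":
        return None
    try:
        src, sport = parts[1].rsplit(":", 1)
        dst, dport = parts[3].rsplit(":", 1)
        return parts[0], src, int(sport), dst, int(dport), int(parts[4]), int(parts[5])
    except ValueError:
        return None


def detect_reflection(flow_text: str) -> dict:
    """Aggregate reflector-port UDP traffic per destination and return the flagged ones."""
    per_dst = defaultdict(lambda: {"packets": 0, "bytes": 0, "sources": set(), "services": set()})
    for line in flow_text.splitlines():
        rec = parse_flow(line)
        if rec is None:
            continue
        proto, src, sport, dst, _dport, packets, nbytes = rec
        if proto != "udp" or sport not in REFLECTOR_PORTS:
            continue  # only replies coming *from* a reflector service port are of interest
        agg = per_dst[dst]
        agg["packets"] += packets
        agg["bytes"] += nbytes
        agg["sources"].add(src)
        agg["services"].add(REFLECTOR_PORTS[sport])

    flagged = {}
    for dst, agg in per_dst.items():
        bpp = agg["bytes"] / agg["packets"] if agg["packets"] else 0.0
        # Large average packets from several reflectors is the amplification signature;
        # a host doing normal small DNS queries (one source, ~100 B/packet) is left alone.
        if bpp >= MIN_BYTES_PER_PACKET and len(agg["sources"]) >= MIN_DISTINCT_SOURCES:
            flagged[dst] = {
                "packets": agg["packets"],
                "bytes": agg["bytes"],
                "bytes_per_packet": round(bpp, 1),
                "sources": len(agg["sources"]),
                "services": sorted(agg["services"]),
            }
    return flagged


if __name__ == "__main__":
    for dst, info in detect_reflection(SAMPLE_FLOWS).items():
        print(dst, info)
```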
  28. Tomi Engdahl says:

    Censorware Failure: Kiddle’s “Child-Safe” Search Engine
    http://search.slashdot.org/story/16/03/01/052236/censorware-failure-kiddles-child-safe-search-engine

    In a bid to protect young internet users from inappropriate content, a new visual search engine designed for children has launched this week. Kiddle.co filters its results so that only ‘safe’ sites are displayed and page descriptions are written in simple language. It also claims to get rid of indecent images and ‘bad words.’ However, tests have revealed that the odd risque image will still slip by into the listings.

    Child-safe internet search returns some ‘worrying’ results
    https://thestack.com/security/2016/02/29/child-safe-internet-search-returns-some-worrying-results/

    In a bid to protect young internet users from inappropriate content, a new visual search engine designed for children has launched this week.

    Kiddle.co filters its results so that only ‘safe’ sites are displayed and page descriptions are written in simple language. It also claims to get rid of indecent images and ‘bad words.’

    Kiddle
    Visual search engine for kids, powered by editors and Google safe search
    http://kiddle.co/

    Reply
  29. Tomi Engdahl says:

    IBM to buy security expertise

    IBM is to buy the security company Resilient Systems. With the company, Bruce Schneier, one of the most renowned experts in the field, moves to IBM. The companies have not disclosed the purchase price.

    The main product is the Resilient platform, which automates and organizes the handling of cyber security problems such as intrusions or lost devices and helps companies react to them faster. According to IBM, with the acquisition it gets the industry’s first platform to offer end-to-end services, covering everything from analytics to the investigation of security breaches and vulnerabilities, control and response.

    Source: http://www.tivi.fi/Kaikki_uutiset/ibm-ostaa-tietoturvaosaamista-alan-guru-kuuluu-kauppaan-6308588

    Reply
  30. Tomi Engdahl says:

    Google screening missed hundreds of malicious Android apps, researchers say
    Scamming ad-men send fake ad clicks to smut sites
    http://www.theregister.co.uk/2016/02/29/worlds_worst_android_play_store_attack_sends_millions_to_p0rn_sites/

    Malicious apps that have breached Google’s defences and made it onto the Play store have netted 1.2 million victims, often hijacking phones to place fraudulent clicks on pornography sites.

    ESET researcher Peter Stancik says his team found some 343 malicious Android applications that were uploaded to the official Google Play store since August.

    Around 10 of the malicious apps are being created and successfully uploaded to Google Play each week, evading the ad giant’s code-checking defence mechanisms. Each app has been downloaded an average of 3600 times.

    “In one of the largest malware campaigns on the Google Play Store yet, criminals continue to upload further variants of these malicious apps to the official app store for the Android mobile platform,” Stancik says.

    “These porn clickers not only made it into the store, but they also successfully compromised user devices.

    “After installation, they generate fake clicks on advertisements to generate revenue for their operators, robbing advertisers and harming advertising platforms.”

    Reply
  31. Tomi Engdahl says:

    US, EU release details on data transfer agreement
    Privacy Shield places new restrictions on American tech companies and intelligence agencies
    http://www.theverge.com/2016/2/29/11132180/us-eu-privacy-shield-full-text

    The US and the European Union today released the full text of a transatlantic data transfer agreement that was reached earlier this month, detailing new rules for American tech companies and intelligence agencies. The framework, known as the EU-US Privacy Shield, places tighter restrictions on how American intelligence agencies can access data on European citizens, and calls for the creation of an ombudsman to handle individual complaints of data misuse.

    American and European officials agreed to the framework this month after a European court struck down the longstanding Safe Harbor agreement in October. Safe Harbor had been in place since 2000, but was invalidated amid concerns over mass surveillance in the US. EU member states are expected to ratify the new agreement, though European data regulators have yet to approve it, and some privacy groups are planning to challenge it in court.

    “a strong agreement that enables transatlantic commerce while safeguarding privacy.”

    “The new EU-US Privacy Shield provides certainty that will help grow the digital economy by ensuring that thousands of European and American businesses and millions of individuals can continue to access services online,”

    Reply
  32. Tomi Engdahl says:

    “Privacy Shield” proposed to replace US-EU Safe Harbor, faces skepticism
    Unlikely to satisfy Europe’s data protection watchdogs—or the EU’s top court.
    http://arstechnica.com/tech-policy/2016/02/privacy-shield-doomed-from-get-go-nsa-bulk-surveillance-waved-through/

    The European Commission has published details of its transatlantic “Privacy Shield” agreement, which is designed to ensure that personal information of citizens is protected to EU standards when it is sent to the US—even though it would appear that the NSA will continue to carry out bulk collection of data under the new pact.

    The new deal replaces the earlier Safe Harbour framework, which was struck down by the Court of Justice of the European Union (CJEU) following a complaint by privacy activist Max Schrems.

    An accompanying Privacy Shield FAQ released by Brussels’ officials explained that there are four main elements. According to the commission, the new agreement will “contain effective supervision mechanisms to ensure that companies respect their obligations, including sanctions or exclusion if they do not comply.”

    Restoring trust in transatlantic data flows through strong safeguards: European Commission presents EU-U.S. Privacy Shield
    http://europa.eu/rapid/press-release_IP-16-433_en.htm

    Reply
  33. Tomi Engdahl says:

    EU-U.S. Privacy Shield: Frequently Asked Questions
    http://europa.eu/rapid/press-release_MEMO-16-434_en.htm

    What is the EU-US Privacy Shield?

    After two years of negotiations, the European Commission and the U.S. Department of Commerce reached on 2 February 2016 a political agreement on a new framework for transatlantic exchanges of personal data for commercial purposes: the EU-U.S. Privacy Shield (IP/16/216). This new framework will protect the fundamental rights of Europeans where their data is transferred to the United States and ensure legal certainty for businesses.

    The EU-U.S. Privacy Shield reflects the requirements set out by the European Court of Justice in its ruling on 6 October 2015, which declared the old Safe Harbour framework invalid.

    The new arrangement will provide stronger obligations on companies in the U.S. to protect the personal data of Europeans and stronger monitoring and enforcement by the U.S. Department of Commerce and Federal Trade Commission (FTC), including through increased cooperation with European Data Protection Authorities. The new arrangement includes written commitments and assurance by the U.S. that any access by public authorities to personal data transferred under the new arrangement on national security grounds will be subject to clear conditions, limitations and oversight, preventing generalised access. The newly created Ombudsperson mechanism will handle and solve complaints or enquiries raised by EU individuals in this context.

    An “adequacy decision” is a decision adopted by the European Commission, which establishes that a non-EU country ensures an adequate level of protection of personal data by reason of its domestic law and international commitments.

    The EU-U.S. Privacy Shield framework ensures an adequate level of protection for personal data transferred to the U.S. The EU-US Privacy Shield consists of Privacy Principles that companies must abide by and commitments on how the arrangement will be enforced.

    Reply
  34. Tomi Engdahl says:

    Is this physical vault for passwords clever or just weird?
    http://thenextweb.com/insider/2016/02/29/i-cant-tell-if-this-physical-vault-for-passwords-is-clever-or-just-weird/

    For most of us, a password manager is a perfectly acceptable way of keeping all your access codes in one safe place. But for the people behind Vaulteq, this just isn’t secure enough.

    According to its Indiegogo campaign, we’re all being misled to think that companies such as 1Password and Dashlane aren’t safe enough for us to entrust them to be the gatekeepers for our digital crown jewels.

    “Cloud-based password managers replace one security problem with another and lack any real transparency over what’s happening to data and where it’s stored,” explains Frederik Derksen, co-founder and CEO of Vaulteq.

    I can completely understand the two-factor authentication that Vaulteq has built in to the device. I can see the merits in military grade encryption. I like the idea of a password generator built-in, so that you’re not taking your existing passwords and changing the last letter and number to make them ‘fool-proof’.

    But do you know what gets me? It’s the idea that something in your home is safer than something held somewhere else. Sure, cloud based security systems mean your data is stored in any number of locations around the world. You can’t walk into to a server centre and demand access to your digital stuff. But why would you need to?

    It’s a bit like people not trusting banks with their cash – choosing instead to keep it under the mattress. Sure, it’s physically closer to you, but the chances of you being burgled compared to that of a multinational financial institution is well, ridiculous.

    Reply
  35. Tomi Engdahl says:

    Gmail’s new security features just might save you from getting fired one day
    http://thenextweb.com/google/2016/03/01/forget-driverless-cars-its-security-updates-like-this-that-will-truly-change-your-life/

    Google Apps for Work Unlimited customers can now benefit from better attachment scanning in Gmail that uses optical character recognition to check before sensitive document copies or images are sent out of your company via email.

    Google’s Data Loss Prevention (DLP) launched late last year to automatically check all outgoing emails as per policies set up by your company admin and this new scanning feature can now be turned on in the backend.

    There are also now some additional, customizable parameters for assessing the risk of content within your company email system, including one that counts the volume of Personally Identifiable Information contained in an email before flagging it to admins.

    DLP tools will be coming to Drive later this year.

    “Google has a long history of accelerating innovation and facilitating the adoption of new technology — like two-step verification (2SV), Security Keys, SSL encryption and even removing spam in email.”

    Reply
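    The volume-based flagging described in the comment above (count the PII in an outgoing message, then act on the total) is easy to reason about with a small model. The following is an added example written for this page; it is not Google's DLP code and it assumes the text has already been extracted from the attachment (the OCR step is out of scope). The messages, thresholds and category names are constructed for illustration.

```python
import re

# Constructed sample messages (not real e-mail; the card numbers are the usual
# Luhn-valid test numbers, not anyone's card).
SAMPLE_MESSAGES = {
    "invoice": "Hi, please pay invoice 1042 by Friday. Thanks, Anna",
    "single_card": "My card is 4111-1111-1111-1111, please refund it.",
    "bulk_export": (
        "Customer export attached.\n"
        "4111 1111 1111 1111, SSN 123-45-6789, alice@example.com\n"
        "5500 0000 0000 0004, SSN 987-65-4321, bob@example.com\n"
        "3400 0000 0000 009, SSN 111-22-3333, carol@example.com\n"
    ),
}

# Detector patterns. The card pattern only yields candidates; the Luhn check
# below throws away random digit runs such as order numbers.
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
EMAIL = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan(text: str) -> dict:
    """Count PII findings per category in already-extracted text."""
    cards = 0
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            cards += 1
    return {
        "card_numbers": cards,
        "ssns": len(SSN.findall(text)),
        "emails": len(EMAIL.findall(text)),
    }


def evaluate(text: str, warn_at: int = 1, block_at: int = 3) -> str:
    """Volume-based policy: the total PII count decides allow / warn / block.
    A single card number in a refund request is flagged for review; a bulk
    export with many records is blocked outright."""
    total = sum(scan(text).values())
    if total >= block_at:
        return "block"
    if total >= warn_at:
        return "warn"
    return "allow"


if __name__ == "__main__":
    for name, body in SAMPLE_MESSAGES.items():
        print(f"{name:12s} {scan(body)} -> {evaluate(body)}")
```

    The thresholds are the interesting knob: a "block on one hit" rule produces constant false positives on ordinary business mail, while a count threshold lets routine single-record traffic through and still stops a mass export.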
  36. Tomi Engdahl says:

    Peter Bright / Ars Technica:
    Microsoft announces Windows Defender Advanced Threat Protection service for enterprise, uses cloud to detect breaches by analyzing system behavior

    Windows Defender Advanced Threat Protection uses cloud power to figure out you’ve been pwned
    New service can detect network breaches by spotting unusual system behavior.
    http://arstechnica.com/information-technology/2016/03/windows-defender-advanced-threat-protection-uses-cloud-power-to-figure-out-youve-been-pwned/

    Microsoft is beefing up Windows Defender, the anti-malware program that ships with Windows 10, to give it the power to tell companies that they’ve been hacked after the fact.

    Attacks that depend on social engineering rather than software flaws, as well as those taking advantage of unpatched zero-day vulnerabilities, can evade traditional anti-malware software. Microsoft says that there were thousands of such attacks in 2015 and that on average they took 200 days to detect and a further 80 days to contain, giving attackers ample time to steal data and incurring average costs of $12 million per incident. The catchily named Windows Defender Advanced Threat Protection is designed to detect this kind of attack, not by looking for specific pieces of malware, but rather by detecting system activity that looks out of the ordinary.

    Reply
  37. Tomi Engdahl says:

    EFF’s Cindy Cohn On Why ‘Code Is Speech’ Is Key To Apple vs. FBI
    http://yro.slashdot.org/story/16/03/01/1451211/effs-cindy-cohn-on-why-code-is-speech-is-key-to-apple-vs-fbi

    Federal courts held that computer code merited protection under the First Amendment. Cohn, now the executive director of the Electronic Frontier Foundation, endorsed Apple’s repeated citations of her cases in its fight against a court order to unlock a terrorism suspect’s iPhone for the FBI.

    ‘Code is speech’ expert Cindy Cohn explains key argument in Apple’s fight with the FBI
    http://www.dailydot.com/politics/apple-iphone-doj-fbi-code-speech-calea-cindy-cohn-interview/

    Apple’s argument that a court order forcing it to write software code violates its First Amendment rights is legally sound and raises serious concerns, according to one of the lawyers most responsible for establishing the precedent that computer code is a form of speech.

    In a series of court battles in the late 1990s and early 2000s, Cindy Cohn represented plaintiffs challenging restrictions on DVD copying and the publication of cryptographic code. In all three cases—Bernstein v. United States, Universal City Studios v. Reimerdes, and Junger v. Daley—federal courts held that computer code merited protection under the First Amendment.

    Apple repeatedly pointed to this precedent in its motion last Friday to vacate a ruling ordering it to help the FBI unlock the iPhone of one of the San Bernardino shooters.

    The company argued that, if it were forced to write code to assist in that effort, it would set a precedent that could lead to more intrusive government demands. It suggested, for example, that the government could use the same legal argument to compel it to add surveillance code to a future iOS software update, thus enabling authorities to monitor a suspect using an updated phone.

    Cohn, now the executive director of the Electronic Frontier Foundation, endorsed Apple’s repeated citations of her cases. But she said that the controversial iPhone-unlocking order impinged even further on Apple’s free-speech rights than the restrictions in her cases.

    Reply
  38. Tomi Engdahl says:

    Inside The Obama Administration’s Attempt To Bring Tech Companies Into The Fight Against ISIS
    http://www.buzzfeed.com/sheerafrenkel/inside-the-obama-administrations-attempt-to-bring-tech-compa#.af3PrAabL8

    Dozens of U.S. government officials, tech executives, and entertainment representatives gather in D.C., under a cloud of growing anti-Muslim sentiment and the spiralling fight between Apple and the FBI.

    Representatives of the country’s top tech and entertainment companies brainstorming with U.S. counterterrorism officials to tackle one tough question: how to stop the spread of ISIS online.

    The goal is a relatively uncontroversial one. The militant Islamist group has developed a keen propaganda machine and tech companies like Twitter have been going after accounts run by their supporters.

    But inside the conference room, as dozens of participants met and workshopped various tactics for battling ISIS’s seemingly inexhaustible PR machine, one thing became abundantly clear — there remains, inside the U.S. government, a huge cognitive dissonance.

    The standoff between Apple and the FBI did not come up during the meeting, though the issues it involves are at the heart of the very things being discussed.

    “It’s a weird time to come out to the Valley and ask for help,”

    “They wanted to figure out how to fight ISIS online, how to understand the psychology of those who support ISIS, and they invited almost no one who speaks for those of us in the Arab world, and from Arab communities, who have everything to lose from ISIS’s growing popularity,” said one Arab attendee, who estimated that less than 10% of the attendants were of Middle Eastern descent. “They don’t understand this community. That has been proven time and time again with their tone deaf messages. Why hold an event like this where there are ten white men outnumbering every Arab?”

    “They are asking the wrong questions.”

    “The Administration is committed to taking every action possible to confront and interdict terrorist activities wherever they may occur, including in cyberspace,”

    “It’s not just about ISIS communication online, it’s about why that communication is effective. Why Arabs, even those like us that are second- and third-generation Arabs in the West, feel isolated.”

    “We need help, but it’s like, one part of government keeps fucking this up for other parts of government. We can’t seem to get it right.”

    White House Asked Google & Facebook To Change Their Algorithms To Fight ISIS; Both Said No
    https://www.techdirt.com/articles/20160225/23143333717/white-house-asked-google-facebook-to-change-their-algorithms-to-fight-isis-both-said-no.shtml

    Earlier this year, we wrote about how ridiculous the federal government’s view of Silicon Valley seemed to be, in that they had this weird belief that by nerding a little harder, we could somehow “disrupt” ISIS. The thinking seemed confused, and somewhat typical of people who don’t understand technology or how Silicon Valley works. It’s “magic wand” thinking. People who don’t understand technology tend to view technology as a sort of magic — and thus, they assume it can do anything. And, right now, a bunch of those people in the White House want that magic wand to make ISIS disappear from the Internet.

    Google already cracked open that Pandora’s box when it allowed its search results to be impacted by copyright takedown requests.

    Even so, as the quote above notes, even suggesting this to companies is profoundly pointless. Not only is it a bad idea for the precedent it sets, it’s unlikely to work at all. It’s magic wand thinking of desperate people who don’t want to actually confront the real reasons why ISIS has been successful.

    Reply
  39. Tomi Engdahl says:

    Dan Goodin / Ars Technica:
    Over 13M HTTPS websites and email services using the TLS protocol vulnerable to new decryption attack, including over 97K of the top 1M most popular sites

    More than 11 million HTTPS websites imperiled by new decryption attack
    Low-cost DROWN attack decrypts data in hours, works against TLS e-mail servers, too.
    http://arstechnica.com/security/2016/03/more-than-13-million-https-websites-imperiled-by-new-decryption-attack/

    More than 11 million websites and e-mail services protected by the transport layer security protocol are vulnerable to a newly discovered, low-cost attack that decrypts sensitive communications in a matter of hours and in some cases almost immediately, an international team of researchers warned Tuesday. More than 81,000 of the top 1 million most popular Web properties are among the vulnerable HTTPS-protected sites.

    The attack works against TLS-protected communications that rely on the RSA cryptosystem when the key is exposed even indirectly through SSLv2, a TLS precursor that was retired almost two decades ago because of crippling weaknesses. The vulnerability allows an attacker to decrypt an intercepted TLS connection by repeatedly using SSLv2 to make connections to a server. In the process, the attacker learns a few bits of information about the encryption key each time. While many security experts believed the removal of SSLv2 support from browser and e-mail clients prevented abuse of the legacy protocol, some misconfigured TLS implementations still tacitly support the legacy protocol when an end-user computer specifically requests its use.

    Recent scans of the Internet at large show that more than 5.9 million Web servers, comprising 17 percent of all HTTPS-protected machines, directly support SSLv2. The same scans reveal that at least 936,000 TLS-protected e-mail servers also support the insecure protocol. That’s a troubling finding, given widely repeated advice that SSLv2—short for secure sockets layer version 2—be disabled.

    Reply
  40. Tomi Engdahl says:

    Dan Goodin / Ars Technica:
    13M+ HTTPS sites, email services using TLS protocol open to decryption attack, made possible due to weak ciphers added prior to 2000 as part of US export regs — More than 13 million HTTPS websites imperiled by new decryption attack — Low-cost DROWN attack decrypts data in hours, works against TLS e-mail servers, too.

    More than 11 million HTTPS websites imperiled by new decryption attack
    Low-cost DROWN attack decrypts data in hours, works against TLS e-mail servers, too.
    http://arstechnica.com/security/2016/03/more-than-13-million-https-websites-imperiled-by-new-decryption-attack/

    The vulnerability joins a swarm of other critical bugs that over the past five years have given attackers the ability to break TLS. With names including BEAST, CRIME, BREACH, and FREAK, the proof-of-concept exploits have demonstrated dangerous holes in a protocol that’s the sole means for most websites and e-mail servers to encrypt and authenticate communications over an Internet that was never designed to be secure or private. TLS security hit a new low last May with the discovery of Logjam, a vulnerability caused by deliberately weakened cryptography that allowed eavesdroppers to read and modify data passing through tens of thousands of Web and e-mail servers. The researchers have dubbed the latest vulnerability DROWN, short for Decrypting RSA with Obsolete and Weakened eNcryption.

    Reply
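    The two DROWN comments above (39 and 40) turn on one configuration fact: does a service still answer an SSLv2 handshake, and if so, does it offer the 40-bit export cipher kinds? The following is an added example for this page, not the researchers' tooling and not part of the original post. It builds the SSLv2 CLIENT-HELLO record, parses a SERVER-HELLO, and reports findings; the network probe is included for completeness, while the offline sample SERVER-HELLO (with a placeholder certificate blob) is constructed inline so the parser can be exercised without a server.

```python
import socket
import struct

# SSLv2 CIPHER-KIND codes (3 bytes each) from the SSL 2.0 specification.
SSLV2_CIPHERS = {
    b"\x01\x00\x80": "SSL_CK_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL_CK_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL_CK_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL_CK_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}
# The 40-bit "export" kinds: the deliberately weakened ciphers DROWN leans on.
EXPORT_CIPHERS = {b"\x02\x00\x80", b"\x04\x00\x80"}
MT_CLIENT_HELLO, MT_SERVER_HELLO = 1, 4
SSLV2_VERSION = 0x0002


def build_client_hello() -> bytes:
    """An SSLv2 CLIENT-HELLO offering every cipher kind. The probe stops here:
    it never sends a CLIENT-MASTER-KEY, so no session is ever established."""
    ciphers = b"".join(SSLV2_CIPHERS)
    challenge = b"\x00" * 16            # a fixed challenge is fine for a probe
    body = struct.pack(">BHHHH", MT_CLIENT_HELLO, SSLV2_VERSION,
                       len(ciphers), 0, len(challenge)) + ciphers + challenge
    # 2-byte SSLv2 record header: high bit set means "no padding byte", 15-bit length.
    return struct.pack(">H", 0x8000 | len(body)) + body


def parse_server_hello(data: bytes):
    """Parse an SSLv2 SERVER-HELLO. Returns None for anything else, e.g. the TLS
    alert record (0x15 ...) or the closed socket a TLS-only server answers with."""
    if len(data) < 2 or not data[0] & 0x80:
        return None
    rec_len = ((data[0] & 0x7F) << 8) | data[1]
    body = data[2:2 + rec_len]
    if len(body) < 11 or body[0] != MT_SERVER_HELLO:
        return None
    _sid_hit, _cert_type, version, cert_len, cs_len, conn_len = struct.unpack(">BBHHHH", body[1:11])
    rest = body[11:]
    if cs_len % 3 or len(rest) < cert_len + cs_len + conn_len:
        return None
    specs = rest[cert_len:cert_len + cs_len]
    offered = [specs[i:i + 3] for i in range(0, cs_len, 3)]
    return {
        "version": version,
        "certificate_length": cert_len,
        "ciphers": [SSLV2_CIPHERS.get(c, c.hex()) for c in offered],
        "export_ciphers": [SSLV2_CIPHERS[c] for c in offered if c in EXPORT_CIPHERS],
    }


def assess(hello) -> list:
    """Turn a parsed SERVER-HELLO into the findings a scan report would list."""
    if hello is None:
        return []
    findings = ["SSLv2 handshake accepted: disable SSLv2 on this service"]
    if hello["export_ciphers"]:
        findings.append("export-grade SSLv2 ciphers offered: " + ", ".join(hello["export_ciphers"]))
    return findings


def probe(host: str, port: int = 443, timeout: float = 5.0):
    """Network version of the check (not used by the offline sample below)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        try:
            data = sock.recv(4096)
        except (socket.timeout, ConnectionError):
            data = b""
    return parse_server_hello(data)


def constructed_server_hello() -> bytes:
    """A SERVER-HELLO as a legacy SSLv2-enabled server would send it. The
    certificate bytes are a placeholder blob, not a real certificate."""
    cert = b"\x30\x03\x02\x01\x01"
    specs = b"\x01\x00\x80" + b"\x02\x00\x80" + b"\x07\x00\xc0"
    conn_id = b"\xaa" * 16
    body = struct.pack(">BBBHHHH", MT_SERVER_HELLO, 0, 1, SSLV2_VERSION,
                       len(cert), len(specs), len(conn_id)) + cert + specs + conn_id
    return struct.pack(">H", 0x8000 | len(body)) + body


if __name__ == "__main__":
    for line in assess(parse_server_hello(constructed_server_hello())):
        print(line)
```

    One caveat the article itself raises: a clean result from this probe is necessary but not sufficient. DROWN also reaches a TLS server that rejects SSLv2 if the same RSA key (or certificate) is also used by another service that accepts it, so the check has to be run against every host and port where a given key is deployed, including e-mail servers.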
  41. Tomi Engdahl says:

    Alan Travis Home affairs / Guardian:
    Revised Investigatory Powers Bill introduced in UK parliament, said to include safeguards for privacy but requires ISPs store browsing data for 12 months

    Snooper’s charter: wider police powers to hack phones and access web history
    http://www.theguardian.com/uk-news/2016/mar/01/snoopers-charter-to-extend-police-access-to-phone-and-internet-data

    Latest version of investigatory powers bill will allow police to hack people’s computers and view browsing history

    The bill is designed to provide the first comprehensive legal framework for state surveillance powers anywhere in the world. It has been developed in response to the disclosure of state mass surveillance programmes by the whistleblower Edward Snowden. The government hopes it will win the backing of MPs by the summer and by the House of Lords this autumn.

    The bill will now allow police to access all web browsing records in specific crime investigations, beyond the illegal websites and communications services specified in the original draft bill.

    It will extend the use of state remote computer hacking from the security services to the police in cases involving a “threat to life” or missing persons. This can include cases involving “damage to somebody’s mental health”, but will be restricted to use by the National Crime Agency and a small number of major police forces.

    “Terrorists and criminals are operating online and we need to ensure the police and security services can keep pace with the modern world and continue to protect the British public from the many serious threats we face.”

    Reply
  42. Tomi Engdahl says:

    John Markoff / New York Times:
    Cryptography pioneers Whitfield Diffie and Martin Hellman win $1M Turing Award

    Cryptography Pioneers Win Turing Award
    http://www.nytimes.com/2016/03/02/technology/cryptography-pioneers-to-win-turing-award.html?_r=0

    Whitfield Diffie, then a young programmer at the Stanford Artificial Intelligence Laboratory, read Mr. McCarthy’s paper and began to think about the question of what would take the place of an individual signature in a paperless world. Mr. Diffie would spend the next several years pursuing that challenge and in 1976, with Martin E. Hellman, an electrical engineer at Stanford, invented “public-key cryptography,” a technique that would two decades later make possible the commercial World Wide Web.

    On Tuesday, the Association for Computing Machinery announced that the two men have won this year’s Turing Award. The award is frequently described as the Nobel Prize for the computing world and since 2014, it has included a $1 million cash award, after Google quadrupled its size.

    This year, it was announced during the RSA Conference, a security technology symposium held here this week.

    Reply
  43. Tomi Engdahl says:

    Financial Times:
    US House committee skeptical of some FBI claims, also critical of Apple for offering no solution after both sides ask for laws on new encryption technologies — Apple and FBI in plea for encryption legislation — The FBI and Apple on Tuesday both urged Congress to produce legislation …

    Apple and FBI in plea for encryption legislation
    http://www.ft.com/intl/cms/s/0%2F994168ce-df3b-11e5-b072-006d8d362ba3.html#axzz41ima9nvv

    The FBI and Apple on Tuesday both urged Congress to produce legislation on new encryption technologies, as they showed little sign of compromise in their ongoing war of words.

    Both sides made their case at a congressional hearing on Tuesday that was sparked by the legal dispute over how to access the iPhone of one of the San Bernardino killers.

    James Comey, director of the FBI, said that the introduction of enhanced encryption on smartphones was creating a new area of communication and information “that nobody else can get into”, even with a court order.

    Bruce Sewell, Apple’s chief counsel, said the company was “in an arms race with criminals, cyberterrorists and hackers”.

    “There is probably more information stored on that iPhone than a thief could steal by breaking into your house,” he said. “The only way we know to protect that data is through strong encryption.”

    Susan Landau, a technology expert at Worcester Polytechnic Institute, said that other parts of the US government had the tools to get access to the phone without trying to guess the logon — which was the most dangerous way to override encryption because the technique could be stolen by hackers.

    Comments:

    The comments of Gen. Michael Hayden, former head of both the NSA and CIA, stating that “America is more secure — America is more safe — with unbreakable end-to-end encryption”

    http://www.cnbc.com/2016/02/23/us-safer-with-fully-encrypted-phones-former-nsa-cia-chief-michael-hayden.html

    Meanwhile, the Investigatory Powers Bill to be published soon in the UK includes “Proposals include giving the police and security services access to the records of every citizen’s internet use without the need for judicial authorisation”. From http://www.ft.com/cms/s/0/145bf2a6-df1c-11e5-b072-006d8d362ba3.html#axzz41YjkvJ2v

    Telegraph reports “Police given new powers to hack into phones and computers for ‘routine investigations’”. http://www.telegraph.co.uk/news/uknews/terrorism-in-the-uk/12178483/Google-Apple-and-others-not-forced-to-break-in-to-encryption-unless-practicable-snoopers-bill-to-say.html

    Time to get more encryption!

    Reply
  44. Tomi Engdahl says:

    Sean Gallagher / Ars Technica:
    US military launches cyber attacks on ISIS in Mosul, openly announces it probably for the first time — US military launches cyber attacks on ISIS in Mosul, and announces it — Secretary of defense reveals cyber attacks in advance of ground battle for city.

    US military launches cyber attacks on ISIS in Mosul, and announces it
    Secretary of defense reveals cyber attacks in advance of ground battle for city.
    http://arstechnica.com/information-technology/2016/03/us-military-launches-cyber-attacks-on-isis-in-mosul-and-announces-it/

    In a briefing Monday afternoon, Defense Department leaders announced that the US was participating in a coalition operation with Iraqi and Kurd forces to recapture the city of Mosul from the Islamic State (also known as ISIS, ISIL, and Daesh). The leading edge of that effort, Defense Secretary Ashton Carter said, is an ongoing cyberwarfare operation against the communications infrastructure of the city.

    This may be the first time that the US has openly announced that it is using network-based electronic attacks as an integrated part of a military operation. Electronic warfare efforts such as radio jamming have long been part of military operations, and the US allegedly used electronic sabotage against Iraq in the 1991 Gulf War. But while cyberattacks in the past have been attributed to the US (such as the Stuxnet attack on Iran’s nuclear program), and the US has used electronically gathered intelligence to target individuals in the past, the US has rarely acknowledged offensive computer and network attacks. And the DOD has never announced these sorts of attacks as part of an ongoing broader military operation.

    Secretary Carter would not give details of the attack. “We don’t want the enemy to know when, where, and how we’re conducting cyber operations,” he said.

    Reply
  45. Tomi Engdahl says:

    ‘X’ is the most popular password exploited by hackers
    Be warned, Xzibit
    http://www.theinquirer.net/inquirer/news/2449293/x-is-the-most-popular-password-exploited-by-hackers

    IDIOTS WITH IDIOT PASSWORDS are still a big problem after a new report from Rapid7 revealed the examples that see hackers rubbing their hands with glee.

    Rapid7’s year-long Project Heisenberg experiment examined the passwords that hackers try to exploit, instead of highlighting the most popular dumb passwords picked by dumb users.

    “The honeypots run on IP addresses which we have not published, and we expect that the only traffic directed to the honeypots would come from projects or services scanning a wide range of IP addresses.

    “When an unsolicited connection attempt is made to one of our honeypots, we store all the data sent to the honeypot in a central location for further analysis.”

    Rapid7 monitored more than 221,000 log-in attempts and then studied the credentials that attackers used.

    We assume that Xzibit has found himself the target of hackers, as the experiment revealed that ‘x’ is the password that hackers most commonly have a stab at.

    The Attacker’s Dictionary
    https://community.rapid7.com/community/infosec/blog/2016/03/01/the-attackers-dictionary

    Reply
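    The Project Heisenberg approach described above (record unsolicited login attempts against unpublished honeypots, then tally what attackers actually try) is a useful data source for defenders in two ways: as a blocklist for your own password policy and as a list of noisy sources. The following is an added example for this page, not Rapid7's code; the honeypot record format is a constructed JSON-lines layout, and the addresses are RFC 5737 documentation ranges, not real attackers.

```python
import json
from collections import Counter

# Constructed honeypot records in JSON-lines form. Nothing here is a real log;
# one deliberately malformed line shows that a parser must not choke on it.
HONEYPOT_LOG = """\
{"ts": "2016-03-01T00:00:01Z", "src": "203.0.113.5",  "user": "root",          "pass": "x"}
{"ts": "2016-03-01T00:00:02Z", "src": "203.0.113.5",  "user": "root",          "pass": "root"}
{"ts": "2016-03-01T00:00:03Z", "src": "203.0.113.5",  "user": "admin",         "pass": "admin"}
{"ts": "2016-03-01T00:00:04Z", "src": "198.51.100.7", "user": "administrator", "pass": "x"}
{"ts": "2016-03-01T00:00:05Z", "src": "198.51.100.7", "user": "root",          "pass": "123456"}
{"ts": "2016-03-01T00:00:06Z", "src": "192.0.2.44",   "user": "root",          "pass": "x"}
{"ts": "2016-03-01T00:00:07Z", "src": "192.0.2.44",   "user": "admin",         "pass": "password"}
{"ts": "2016-03-01T00:00:08Z", "src": "192.0.2.44",   "user": "pos",           "pass": "Zz"}
this line is not JSON and must be skipped
{"ts": "2016-03-01T00:00:09Z", "src": "203.0.113.5",  "user": "root",          "pass": "Zz"}
"""


def parse_records(text: str):
    """Return (records, malformed_count). Malformed lines are counted, not fatal."""
    records, bad = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
            records.append({"src": rec["src"], "user": rec["user"], "pass": rec["pass"]})
        except (ValueError, KeyError, TypeError):
            bad += 1
    return records, bad


def attacker_dictionary(records, top: int = 5) -> dict:
    """Most-tried passwords, usernames and (user, pass) pairs, with counts."""
    return {
        "passwords": Counter(r["pass"] for r in records).most_common(top),
        "usernames": Counter(r["user"] for r in records).most_common(top),
        "pairs": Counter((r["user"], r["pass"]) for r in records).most_common(top),
    }


def password_seen_by_attackers(candidate: str, records) -> bool:
    """Policy hook: reject any password that already appears in attacker traffic."""
    return any(r["pass"] == candidate for r in records)


def noisy_sources(records, threshold: int = 3) -> list:
    """Sources with at least `threshold` attempts, busiest first; feed to a blocklist."""
    counts = Counter(r["src"] for r in records)
    return [src for src, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    recs, bad = parse_records(HONEYPOT_LOG)
    print(f"{len(recs)} records, {bad} malformed")
    print(attacker_dictionary(recs))
    print("noisy sources:", noisy_sources(recs))
```

    Credential stuffing data like this is only meaningful from addresses you never published: anything that reaches such a honeypot is by definition unsolicited, which is what makes the resulting dictionary a reasonable blocklist for your own users' passwords.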
  46. Tomi Engdahl says:

    John McAfee unlocks an iPhone and does not eat a shoe
    Shock development in case about privacy and civil liberty
    http://www.theinquirer.net/inquirer/news/2449330/john-mcafee-unlocks-an-iphone-and-does-not-eat-a-shoe

    SHOE CONSERVATIONISTS should be glad that colourful security character John McAfee has lived up to his word and managed to unlock an iPhone.

    McAfee, a not-camera shy man, took to the telly to show off the exploit and let off the espadrille. This is a win for McAfee, mono-phobic shoes and TV, but perhaps not for privacy, people and Apple.

    The presidential candidate and FBI-taunting antivirus pioneer reckons that any hacker or software and hardware engineer could pull off the same trick. He used a disassembler and looked for evidence of the log-in, and claimed that it took only 30 mins.

    McAfee told the television programme’s host that he allowed himself three weeks in case he got ill, and that he really did not want to eat his shoe. He added that the hack was “trivial” and was repeated often.

    McAfee suggested in a later television interview that former FBI officer Steve Rogers and his peers were clueless about technology, and that unlocking the iPhone would not aid the American people.

    Comments:
    Ah, this article is ridiculous. It states that he’s broken into the iPhone, but he hasn’t. In fact, he doesn’t seem to understand how this works. He thinks that millions of lines of code can be read by a programmer in a half hour.

    I agree with most of your points, but then you do realize McAfee is running a stunt, not an actual unlocking of a phone. To be fair, he’s proposing to HACK the phone along the lines of the court’s order to Apple, which also does not unlock the phone for the reasons you’ve stated.

    So the whole debacle with FBI and Apple is not that they actually want access to this particular phone for information, they want remote access to all iPhones (worldwide)!

    I don’t think the FBI wants REMOTE access to all iPhones. I think they would realize that’s pushing it. They do want to access all phones, iPhone or otherwise.

    It proves conspiracy theorists right again. It was an intentional push to use a terrorist incident to pry into civil liberties and continue to destroy citizens privacy. The FBI is an embarrassment, but likely done on behalf of the White House.

    Reply
  47. Tomi Engdahl says:

    Bruce Schneier: We’re sleepwalking towards digital disaster and are too dumb to stop
    Coders and tech bros playing chance with the future
    http://www.theregister.co.uk/2016/03/02/sleepwalking_towards_digital_disaster/

    RSA 2016 Security guru Bruce Schneier has issued a stark warning to the RSA 2016 conference – get smart or face a whole world of trouble.

    The level of interconnectedness of the world’s technology is increasing daily, he said, and is becoming a world-sized web – which he acknowledged was a horrible term – made up of sensors, distributed computers, cloud systems, mobile, and autonomous data processing units. And no one is quite sure where it is all heading.

    “The world-sized web will change everything,” he said. “It will cause more real-world consequences, has fewer off switches, and gives more power to the powerful. It’s less being designed than created and it’s coming with no forethought or planning. And most people are unaware that it’s coming.”

    People are fairly good at predicting where technology is going, but have a very poor record at predicting the knock-on social effects, he opined. Some of the stuff written about the information superhighway by himself and others was embarrassingly wrong, he said, but this isn’t a new phenomenon.

    The problem is in the design. Traditionally we build complex systems like buildings and aircraft with a safety first principle. Time is spent in the design phase making sure that breakages are unlikely, and if things do go wrong then the effects are somewhat mitigated.

    But software isn’t like that. Instead you code fast and hard and then fix things when problems crop up. The merging of these two design styles poses almost insurmountable security problems for all of us.

    Governments are going to have a hard time dealing with this, since they tend to focus on specific silos of influence, like defense, agriculture or energy. Markets won’t deal with it because they are profit focused and motivated for short-term gain.

    Schneier cited the current explosion of internet-of-things devices as an example of the latter issue. Almost none of these devices take security seriously because there’s no money in addressing security issues for the makers, and the same is true for the world-sized web.

    The issue is that, for such a global system, attackers have a distinct advantage. Defenders have to protect an entire system, whereas an attacker only has to find one flaw to achieve their objective.

    Reply
  48. Tomi Engdahl says:

    ‘OAuth please do grow up’ say IETF boffins
    Lightweight token-passing protocol suggested to deliver single sign-on
    http://www.theregister.co.uk/2016/01/11/sick_of_passwords_deploy_oauth_20_as_your_single_signon/

    OAuth is a standard, but like so many standards, there’s a lot of implementations to choose from and that can make it hard to pass around tokens.

    Ideally, to help thin out the number of passwords a user needs, they can authenticate to one OAuth service, which can verify a user to other servers.

    A bunch of IETF ‘net boffins has run up an Internet-Draft to deal with this with a simple and standard token exchange mechanism that needs only HTTP and JSON at the client side (rather than the heavyweight WS-Trust protocol).

    The idea is that OAuth 2.0-style logins would be easier to extend beyond the world of Facebook, Twitter and the rest. It’s an extension to what already exists, giving OAuth 2.0 authorisation servers the ability to act as fully-fledged security token services (STSs).

    The work-in-progress explains that the OAuth 2.0 Authorisation Framework and OAuth 2.0 Bearer Tokens (RFCs 6749 and 6750 respectively) “do not provide everything necessary to facilitate token exchange interactions”.

    Reply
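    The token exchange mechanism the comment above refers to is a plain HTTP form POST to the token endpoint and a JSON reply, which is the whole point of it being lighter than WS-Trust. The following is an added example written for this page, not the IETF authors' reference code: a toy security token service whose parameter names and error codes follow the draft (draft-ietf-oauth-token-exchange, later published as RFC 8693). The HMAC-signed token format, issuer name, audiences and the delegation ("act" claim) policy are my own assumptions for illustration, not something the draft prescribes.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import parse_qs, urlencode

GRANT_TOKEN_EXCHANGE = "urn:ietf:params:oauth:grant-type:token-exchange"
TT_ACCESS_TOKEN = "urn:ietf:params:oauth:token-type:access_token"


def _b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64u(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class TokenService:
    """Illustrative OAuth 2.0 authorisation server acting as an STS.
    Tokens are compact HMAC-signed JSON: base64url(claims) "." base64url(mac)."""

    def __init__(self, secret: bytes, issuer: str, allowed_audiences, ttl: int = 300):
        self.secret, self.issuer, self.ttl = secret, issuer, ttl
        self.allowed_audiences = set(allowed_audiences)

    def _mac(self, body: bytes) -> bytes:
        return hmac.new(self.secret, body, hashlib.sha256).digest()

    def mint(self, claims: dict) -> str:
        claims = dict(claims, iss=self.issuer, exp=int(time.time()) + self.ttl)
        body = json.dumps(claims, sort_keys=True).encode()
        return _b64u(body) + "." + _b64u(self._mac(body))

    def verify(self, token: str):
        """Claims if the signature is ours and the token is unexpired, else None."""
        try:
            body_b64, mac_b64 = token.split(".")
            body, mac = _unb64u(body_b64), _unb64u(mac_b64)
        except ValueError:
            return None
        if not hmac.compare_digest(self._mac(body), mac):
            return None
        claims = json.loads(body)
        if claims.get("iss") != self.issuer or claims.get("exp", 0) < time.time():
            return None
        return claims

    def exchange(self, form_body: str) -> dict:
        """Handle one token-exchange POST body; return the JSON response as a dict."""
        p = {k: v[0] for k, v in parse_qs(form_body).items()}
        if p.get("grant_type") != GRANT_TOKEN_EXCHANGE:
            return {"error": "unsupported_grant_type"}
        if "subject_token" not in p or p.get("subject_token_type") != TT_ACCESS_TOKEN:
            return {"error": "invalid_request"}
        subject = self.verify(p["subject_token"])
        if subject is None:                      # bad signature, expired, or foreign issuer
            return {"error": "invalid_request"}
        audience = p.get("audience")
        if audience is not None and audience not in self.allowed_audiences:
            return {"error": "invalid_target"}   # the draft's code for an unacceptable target
        # Scope can only be narrowed relative to what the subject token already carries.
        have = set(subject.get("scope", "").split())
        want = set(p["scope"].split()) if "scope" in p else have
        scope = " ".join(sorted(have & want))
        new_claims = {"sub": subject["sub"], "scope": scope}
        if audience is not None:
            new_claims["aud"] = audience
        if "actor_token" in p:                   # delegation: record who acts for the subject
            actor = self.verify(p["actor_token"])
            if actor is None or p.get("actor_token_type") != TT_ACCESS_TOKEN:
                return {"error": "invalid_request"}
            new_claims["act"] = {"sub": actor["sub"]}
        return {
            "access_token": self.mint(new_claims),
            "issued_token_type": TT_ACCESS_TOKEN,
            "token_type": "Bearer",
            "expires_in": self.ttl,
            "scope": scope,
        }


def exchange_request(subject_token: str, audience: str, scope=None, actor_token=None) -> str:
    """Client side: the application/x-www-form-urlencoded body of the POST."""
    params = {
        "grant_type": GRANT_TOKEN_EXCHANGE,
        "subject_token": subject_token,
        "subject_token_type": TT_ACCESS_TOKEN,
        "audience": audience,
    }
    if scope:
        params["scope"] = scope
    if actor_token:
        params["actor_token"] = actor_token
        params["actor_token_type"] = TT_ACCESS_TOKEN
    return urlencode(params)


if __name__ == "__main__":
    sts = TokenService(b"demo-secret", "https://sts.example", ["api.billing", "api.reports"])
    user = sts.mint({"sub": "alice", "scope": "read write", "aud": "portal"})
    print(sts.exchange(exchange_request(user, "api.billing", scope="read admin")))
```

    Two checks carry the security weight here: the issued token is bound to the requested audience, so a token exchanged for one backend cannot be replayed against another, and scope is intersected rather than copied, so an exchange can never widen what the original login granted.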
