2017 will not bring any turn towards better data security. The internet is rife with both well-known and unknown threats, and companies’ systems are supposed to be protected against them. Hackers are going to continue to look for new ways to extort and steal information from businesses and organizations, which unfortunately means those businesses and organizations will have to continue to look for new ways to protect themselves.
Critical infrastructure comes under attack in 2017. Critical infrastructures must be better protected from criminals and terrorists who take advantage of the modern technologies that are essential for the functioning of society and the economy. The IT security functions of industrial control systems (ICS), energy grids and IoT networks need to be improved in 2017.
There is a push for better web security in 2017. Starting New Year’s Day, Google’s Chrome will begin labeling as “insecure” all websites that transmit passwords or ask for credit card details over plain text HTTP. Beginning in January 2017 (Chrome 56), HTTP sites that transmit passwords or credit cards are marked as non-secure, as part of a long-term plan to mark all HTTP sites as non-secure.
SHA-1 is insecure. Starting on Jan 1, 2017, most CAs will migrate to SHA-2 certificates, and major browser makers have already announced plans to adopt the change, including Microsoft, Google, and Mozilla. Their browsers will no longer trust sites that use SHA-1 starting with that date, and they will mark these websites as insecure. 1/3 of Websites Use SHA-1 Certificates Despite Looming Deadline. SHA-1 will still hang around, like a fart in a spacesuit, for many years to come because some people are too lazy to make the change.
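The practical check behind this item is to find out whether a certificate you still serve is SHA-1 signed. The script below is an added example written for this post, not code from any of the linked articles: it walks just enough DER to read the outer signatureAlgorithm OID of an X.509 certificate (standard library only), classifies it, and is exercised with a constructed, certificate-shaped blob rather than a real certificate.

```python
import base64
import re

# Standard X.509 signature-algorithm OIDs (not taken from the post).
SHA1_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10040.4.3": "dsa-with-sha1",
}
OTHER_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
}

def read_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """Decode the content bytes of a DER OBJECT IDENTIFIER into dotted notation."""
    first = raw[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # a clear high bit ends the current arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def signature_algorithm_oid(der):
    """Extract the outer signatureAlgorithm OID from a DER-encoded certificate."""
    tag, cert, _ = read_tlv(der, 0)        # Certificate ::= SEQUENCE { tbs, alg, sig }
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = read_tlv(cert, 0)       # tbsCertificate: skipped by its length
    _, alg_id, _ = read_tlv(cert, pos)     # signatureAlgorithm: AlgorithmIdentifier
    tag, oid, _ = read_tlv(alg_id, 0)      # first element is the algorithm OID
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(oid)

def pem_to_der(pem_text):
    """Strip the PEM armour and base64-decode the certificate body."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                  pem_text, re.S)
    if not m:
        raise ValueError("no PEM certificate found")
    return base64.b64decode("".join(m.group(1).split()))

def audit_certificate(der):
    """Return (oid, algorithm name, uses_sha1) so a fleet scan can flag SHA-1 certs."""
    oid = signature_algorithm_oid(der)
    if oid in SHA1_SIGNATURE_OIDS:
        return oid, SHA1_SIGNATURE_OIDS[oid], True
    return oid, OTHER_SIGNATURE_OIDS.get(oid, "unknown"), False

# --- constructed test input: a certificate-shaped DER blob, not a real certificate ---
def _tlv(tag, body):
    n = len(body)
    if n < 128:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def fake_cert(sig_oid_hex):
    """Build Certificate { tbs(opaque padding), AlgorithmIdentifier { oid, NULL }, BIT STRING }."""
    tbs = _tlv(0x30, b"\x02\x01\x02" + b"\x00" * 300)   # >255 bytes: exercises long-form lengths
    alg = _tlv(0x30, _tlv(0x06, bytes.fromhex(sig_oid_hex)) + b"\x05\x00")
    sig = _tlv(0x03, b"\x00" + b"\xAA" * 32)
    return _tlv(0x30, tbs + alg + sig)

if __name__ == "__main__":
    for label, oid_hex in [("sha1-rsa", "2a864886f70d010105"),
                           ("sha256-rsa", "2a864886f70d01010b")]:
        print(label, audit_certificate(fake_cert(oid_hex)))
```

For a real site, feed `pem_to_der(open("site.pem").read())` to `audit_certificate`; the walker only needs the outer structure, so it works on full-size certificates.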
There will be changes in how security is viewed in 2017 by businesses. We will likely see cloud adoption continue to grow across the United States, network visibility will no longer just be an option, AI and machine learning will shake old security models, and IoT-powered attacks will continue to rise. All of this will factor into how businesses set up, monitor and secure their networks.
The Commoditization of Cyberattacks Will Make Them More Frequent in 2017. More and more companies suffer from disruption to business due to cyber attacks. Cyber-attacks cause companies significant financial losses, but studies show that companies are not prepared for attacks. According to Gartner, by 2018 only 40 per cent of large companies will have official plans in case of cyber attacks. Last year, the percentage was zero.
Strap yourself in for a bumpy ride in 2017. 2016 sucked. 2017 won’t be much better, sorry. DDoS attacks have been around since at least 2000, and they’re not going away. In fact, as the number of devices online grows, the volume and velocity of these attacks is also increasing. DDoS attack toolkits have been around for years, as have services that will enable you to pay for an attack. Expect to see more of them. It seems that 2017 promises to be the most dramatic year yet in DDoS conflict. Whale-sized DDoS attacks will increase, the IoT will become a bigger factor in DDoS, and DDoS will overshadow ransomware attacks and will be used for extortion. Expect to see the Internet of Things (IoT) and other connected devices play an important part in these attacks.
Biometric identification will become more common in 2017, but it will not replace passwords. Fingerprint identification has become increasingly common in smartphones, and the technology is already fast and reliable. This year biometric identification devices were sold for 4.5 billion dollars (most of them go to smart phones and laptops). 91 per cent of biometric sales were fingerprint sensors, four per cent face detection and three per cent iris detection.
Biometrics Won’t Kill Passwords any time soon. Even though PIN codes and passwords are actually pretty lousy protection against a skilled cybercriminal, the password will never disappear entirely, as two per cent of the world’s population have fingerprints that are not suitable for a biometric identifier to work. Other biometric identification systems have similar limitations and/or are not yet commonly available at reasonable cost. While biometrics, including fingerprint-, face-, iris-, palm- and speech-recognition, will continue to grow as a more secure substitute for passwords, they will not render passwords obsolete. Until the other common biometrics become commonplace, passwords are here to stay, until circa 2030.
The fight over encryption and backdoors for it is not over in 2017. Many public figures in law enforcement have consistently argued that device encryption presents a new threat to police powers of investigation. On the other side, the House Judiciary Committee’s Encryption Working Group report says encryption backdoors pose a security threat, siding with tech experts in its latest report. The problem is that any system allowing police to get into those encrypted systems (be it a phone, a computer or communications) could also be exploited by criminals. Any action in this space should weigh any short-term benefits against the long-term impacts. Many industry experts will rightly tell you there is no such thing as partial data encryption. You either have a fully capable system or none at all.
Given the security events of 2016, coupled with the rapid advancements and adoption of cloud computing, 2017 will be the year in which many finally accept that network infrastructure and security will have to be rethought from the ground up. In 2017 the cloud will also become a risk for users: the cloud becoming insecure, with extortion and IoT openings.
The rivalry between network attacks and network security is accelerating. Crippling Internet services with denial of service attacks is becoming more common throughout the world. DDoS attacks have been around since at least 2000, and they’re not going away. In fact, as the number of devices online grows, the volume and velocity of these attacks is also increasing. IoT-powered attacks will continue to rise, and stopping an attack is not easy. For most companies the key thing is that the attack traffic is stopped before it reaches the company’s Internet connection or servers (which increases the need to use telecom operators and external services). In addition to service disruption, denial of service attacks are often used as a distraction during the actual data burglary. DDoS may take over from ransomware as a cause for concern.
In 2017 IT and security professionals will talk more about business risks. Historically, firewalls, DLP, antivirus, SIEM and other technical point solutions have been the centerpiece of security conversations, but the mindset is slowly shifting from technology to risk. The goal of stopping all attacks and preventing all business impact has been recognized as a fool’s errand, and the goal has shifted to measuring risk and minimizing business impacts. Cyber security is increasingly being viewed as a risk management problem.
In 2017 ‘Security’ Must be Added to our Existing Ethical and Philosophic Concerns Over Artificial Intelligence and Algorithms. Algorithms will soon run the world. They present problems that are seriously questioned on both ethical and philosophic grounds, and they have become the basis of fictional Armageddons.
Cyber insurance will be considered more often as one solution for handling cyber risks in 2017. The global cyber insurance market is expected to generate $14 billion by 2022, according to a new report published by Allied Market Research (AMR). That figure represents an impressive compound annual growth rate (CAGR) of nearly 28% from 2016 to 2022.
In 2017 Big Brother will be watching you 24/7. Those of you who’ve read George Orwell’s book 1984 or seen the movie will remember how the citizens of the fictitious totalitarian state of Oceania are constantly under surveillance by order of its dictator, Big Brother. So now swap your home desktop computer, laptop or smart phone for the fictitious telescreen: not only are you sitting in front of what is a modern-day version of the Big Brother telescreen, you are also walking around with one in your pocket or handbag. Sound a bit far-fetched to you? Well, it’s set to become a reality in many countries.
Users will want better security, or at least to feel more secure, in 2017. Many people are prepared to go to extremes for better security. According to a recent Harris Poll survey of over 2,000 adults, nearly 40% of Americans would give up sex for a year, or eating their favourite food, in exchange for better online security, if it meant they’d never have to worry about being hacked. When you consider that 87 percent of U.S. adults use the internet, it makes sense that cyber security is one of the biggest concerns today. The single biggest thing people can do to help keep their online identity safe is probably the easiest – a solid password – and not giving it to other people. Still, nearly 50% of people have shared a password to an e-mail account or to an account like Netflix.
Security Becomes A Multi-System Issue and more people are talking about the issue. Design teams will have to bake strategies in from the start, no matter how insignificant the device. The good news is that more people are talking about the issue. The real challenge is packing enough security features into designs to prevent security breaches of every sort, including those that can come from other electronics that weren’t even considered as part of the design process. Just as devices get more sophisticated, so do hackers. The reality is that security breaches can even cause physical harm. It’s time to look at this at a multi-system, multi-disciplinary level. Otherwise, we literally could be playing with fire.
Blockchains have been a big trend for several years. The blockchain market is divided as 2017 starts. During autumn 2016, we have seen a number of initiatives on cooperation between the financial sector and consulting companies. Microsoft has chosen the Ethereum blockchain as a platform and offers it on the Azure cloud service. IBM has jumped on the Hyperledger consortium bandwagon and is offering its own blockchains on the Bluemix service. Google and Amazon are still conspicuous by their absence. Even banks may prefer to see the use of cloud for blockchains.
Other prediction articles worth a look:
What Lies Ahead for Cybersecurity in 2017?
Network Infrastructure, Visibility and Security in 2017
DDoS in 2017: Strap yourself in for a bumpy ride
Cybersecurity Industry Outlook: 2017 to 2021 | CSO Online
IBM’s Cybersecurity Predictions for 2017 – eForensics
https://eforensicsmag.com/ibms-cybersecurity-predictions-2017/
Top 5 Cybersecurity Threats to Watch Out for in 2017
Experts Hopeful as Confidence in Risk Assessment Falls
3,151 Comments
Tomi Engdahl says:
No Prizes Awarded in Google’s Android Hacking Contest
http://www.securityweek.com/no-prizes-awarded-googles-android-hacking-contest
Google reported last week that its Project Zero Prize contest was not as successful as the company hoped it would be – no valid Android exploits were submitted and no prizes were awarded.
Tomi Engdahl says:
WikiLeaks Releases CIA Tool Used to Impede Malware Attribution
http://www.securityweek.com/wikileaks-releases-cia-tool-used-impede-malware-attribution
WikiLeaks has released information and source code for a framework allegedly used by the U.S. Central Intelligence Agency (CIA) to make analysis of its tools and attribution more difficult.
Tomi Engdahl says:
How to Find a Twitter Account
http://hackaday.com/2017/04/04/how-to-find-a-twitter-account/
When James Comey (the current Director of the Federal Bureau of Investigation for the United States of America) let slip that he has a secret Twitter and Instagram account, [Ashley] knew what she had to do.
This Is Almost Certainly James Comey’s Twitter Account
http://gizmodo.com/this-is-almost-certainly-james-comey-s-twitter-account-1793843641
Digital security and its discontents—from Hillary Clinton’s emails to ransomware to Tor hacks—is in many ways one of the chief concerns of the contemporary FBI. So it makes sense that the bureau’s director, James Comey, would dip his toe into the digital torrent with a Twitter account. It also makes sense, given Comey’s high profile, that he would want that Twitter account to be a secret from the world, lest his follows and favs be scrubbed for clues about what the feds are up to. What is somewhat surprising, however, is that it only took me about four hours of sleuthing to find Comey’s account, which is not protected.
Tomi Engdahl says:
Dean Takahashi / VentureBeat:
Intel Security spins out as independent company McAfee at a valuation of $4.2B, with Intel retaining a 49% stake and private equity firm TPG owning 51%
Intel Security finally spins out as independent McAfee
https://venturebeat.com/2017/04/03/intel-security-finally-spins-out-as-independent-mcafee/
Intel has followed through on its pledge to divest itself of its Intel Security division, which it acquired for $7.68 billion in 2010. Now the new company will go by its old name, McAfee, and it is valued at $4.2 billion.
Intel will still own 49 percent of the new company, while private equity firm TPG Capital will own the rest, and McAfee will function independently as a cybersecurity company based in Santa Clara, Calif.
Intel Security general manager Christopher Young has been named McAfee CEO. As a standalone business, McAfee is one of the world’s largest pure-play cybersecurity firms.
Tomi Engdahl says:
NEED HELP unlocking your digital life without paying your attackers*?
https://www.nomoreransom.org/
Ransomware is malware that locks your computer and mobile devices or encrypts your electronic files. When this happens, you can’t get to the data unless you pay a ransom. However this is not guaranteed and you should never pay!
Good news
Nevertheless, it is sometimes possible to help infected users to regain access to their encrypted files or locked systems, without having to pay. We have created a repository of keys and applications that can decrypt data locked by different types of ransomware.
Tomi Engdahl says:
Samsung’s Android Replacement Is a Hacker’s Dream
https://motherboard.vice.com/en_us/article/samsung-tizen-operating-system-bugs-vulnerabilities
A security researcher has found 40 unknown zero-day vulnerabilities in Tizen, the operating system that runs on millions of Samsung products.
Tomi Engdahl says:
Records show deep ties between FBI and Best Buy computer technicians looking for child porn
https://www.washingtonpost.com/news/true-crime/wp/2017/04/03/records-show-deep-ties-between-fbi-and-best-buy-computer-technicians-looking-for-child-porn/?utm_term=.50d0036163b3
Technicians for Best Buy’s “Geek Squad City” computer repair facility had a long, close relationship with the FBI in “a joint venture to ferret out child porn,” according to claims in new federal court documents, which also note that Best Buy’s management “was aware that its supervisory personnel were being paid by the FBI” and that its technicians were developing a program to find child pornography with the FBI’s guidance.
The allegations are made by lawyers for a California doctor charged with possessing child pornography, after the doctor took his computer to a Best Buy store for repair. Computers which require data recovery are typically sent from Best Buy stores around the country to a central Geek Squad City facility in Brooks, Ky., and customers consent to having their computers searched — and turned over to authorities if child porn is found.
Defense lawyers for the doctor argue that Geek Squad City’s technicians acted as government agents by receiving payments from the FBI.
Tomi Engdahl says:
It’s Official: McAfee Breaks Away from Intel With New Logo
http://www.securityweek.com/its-official-mcafee-breaks-away-intel-new-logo
McAfee Spins Out from Intel as a New Independent Company With Refreshed Logo
McAfee, one of the best known and persistent brands in cybersecurity, has re-emerged from Intel as an independent company. It was acquired by Intel for $7.68 billion in 2010. In 2014, Intel announced the McAfee brand would be phased out and replaced by Intel Security, although retaining the red shield logo. In September 2016, Christopher Young, SVP and GM of the Intel Security Group, announced that McAfee would again be an independent company — 49% owned by Intel and 51% owned by TPG. This transaction values the company at $4.2 billion.
The spin out is now complete, and McAfee is again an independent company. In this incarnation, the name is retained, but the original red shield logo is replaced by a stylized red shield and includes the epithet ‘Together is power.’ Chris Young is the CEO.
Tomi Engdahl says:
Honeywell SMX Protects Industrial Sites From USB Threats
http://www.securityweek.com/honeywell-smx-protects-industrial-sites-usb-threats
Honeywell announced on Tuesday the launch of a new product designed to protect industrial facilities from USB-borne threats by providing a simple way for organizations to track the removable media devices connected to their systems.
The new product, Secure Media Exchange (SMX), has two main components: an intelligence gateway and a piece of software installed on endpoints.
When a contractor wants to use a USB drive in a protected organization, they need to check the device at the intelligence gateway, a touchscreen system that can reside at the physical front desk or another location where it can be easily accessed by visitors.
Before entering the facility, users are prompted to complete a check-in procedure by connecting their USB drive to the gateway. The files stored on the drive are verified by Honeywell’s Advanced Threat Intelligence Exchange (ATIX) cloud service, which relies on both signatures and behavior analysis (i.e. running suspicious files in a special ICS sandbox) to identify known and zero-day threats.
According to Honeywell, the check-in process typically takes as long as a regular malware scan, depending on the size of the drive and the number of files. The ATIX service checks for known good and known bad files to expedite the process, and the scan can also be sped up by quarantining all files except for the ones that need to be used.
In order to prevent malware from entering an organization, suspicious files are quarantined inside a password-protected archive file. Administrators can also block specific file types from getting into the facility.
When a contractor leaves the site, they will need to complete a check-out process at the SMX gateway. Failure to complete the process can result in the inability to access the files on the removable media device from a different computer. However, Honeywell says there are mechanisms in place to allow users to conduct the check-out process at a later time (e.g. a contractor could forget to complete the process when leaving an offshore platform via helicopter).
In addition to giving the user access to his/her files, the check-out process is designed to scan the device once again for malware in an effort to identify any threats that may already be inside the plant.
Tomi Engdahl says:
NoMoreRansom Expands with New Decryptors, Partners
http://www.securityweek.com/nomoreransom-expands-new-decryptors-partners
NoMoreRansom, a project launched in 2016 by Europol, the Dutch National Police, Kaspersky Lab and Intel Security (now once again McAfee) has published its latest progress report. NoMoreRansom collects the available ransomware decryption tools into a single portal that victims can use to recover encrypted files without having to pay the criminals.
https://www.nomoreransom.org/decryption-tools.html
Tomi Engdahl says:
Malware Allows Remote Administration of ATMs
http://www.securityweek.com/malware-allows-remote-administration-atms
A recently discovered piece of malware allows attackers to remotely control compromised ATMs (automated teller machines), Kaspersky Lab reveals.
The threat was discovered after a Russian bank was hit by a targeted attack where cybercriminals gained control of ATMs and uploaded malware to them. Although the actors did remove the malware after the heist, which left researchers without an executable to analyze, the malware’s logs and some file names were restored after the attack, which Kaspersky researchers were able to analyze.
The malware is installed and executed via Remote Desktop Connection (RDP) access to the ATM from within the bank.
Tomi Engdahl says:
Kaspersky Links Global Cyber Attacks to North Korea
http://www.securityweek.com/kaspersky-links-global-cyber-attacks-north-korea
ST. MAARTEN – SECURITY ANALYST SUMMIT – Just days after reports surfaced that U.S. prosecutors were preparing to point fingers at the North Korean government for directing the $81 million cyber heist from Bangladesh’s account at the New York Federal Reserve Bank in 2016, Kaspersky Lab unveiled new details on the hacking group believed to be conducting the attack and several others.
Considered to be one of the largest and most successful cyber heists ever, Kaspersky said there is a “high chance” that the attacks were conducted by Lazarus, a North Korea-linked hacking group responsible for a series of regular and destructive attacks, including the devastating attack against Sony Pictures in late 2014.
On Monday at Kaspersky Lab’s Security Analyst Summit in St. Maarten, the Moscow-based security firm shared its findings on the malicious tools the group uses and how it operates.
Tomi Engdahl says:
Turla Linked to One of the Earliest Cyberespionage Operations
http://www.securityweek.com/turla-linked-one-earliest-cyberespionage-operations
Researchers at Kaspersky Lab and King’s College London have identified a link between the Russian-speaking threat actor Turla and Moonlight Maze, one of the earliest known state-sponsored cyberespionage operations carried out in the ‘90s.
In around 1996, a threat group believed to be located in Russia had started spying on organizations in the United States, including the Pentagon, the Department of Energy and NASA. The actor had stolen vast amounts of sensitive information from universities, military and research organizations. The activities of the group, dubbed Moonlight Maze, were first made public in 1999 and detailed last year at Kaspersky’s SAS conference by Thomas Rid of King’s College London.
Tomi Engdahl says:
Sam Thielman / The Guardian:
Interview with Tim Berners-Lee on his 2016 ACM A.M. Turing Award, the recent privacy vote, clickbait, and online advertisements
Tim Berners-Lee: selling private citizens’ browsing data is ‘disgusting’
https://www.theguardian.com/technology/2017/apr/04/tim-berners-lee-online-privacy-interview-turing-award
As the world wide web creator accepts the prestigious Turing award, he talks to Sam Thielman about the US Congress’s rollback of privacy rules and fake news
Tomi Engdahl says:
Andy Greenberg / Wired:
Researchers say they have uncovered clues about Turla, a 20-year-old hacking group that is still active and is believed to have Kremlin ties
Russian Hackers Have Used the Same Backdoor for Two Decades
https://www.wired.com/2017/04/russian-hackers-used-backdoor-two-decades/
The researchers say they’ve found a piece of vintage malicious code in that trove that survives today, as part of the arsenal of a modern-day team of Russian hackers—believed to have Kremlin ties—known as Turla. And they suggest that the contemporary hacking team—though mutated and evolved through the years—could be the same one that first appeared in the late 90s, making it one of the longest-lived cyberespionage operations in history.
“We can see an evolution of tradecraft,” says Rid, who teaches at King’s College Department of War Studies, and last week testified at a Senate hearing on Russian hackers meddling in the 2016 election. “They’ve been doing this for 20 years or even more.”
When a surprisingly unredacted FOIA finally helped lead Rid to Hedges, he gave the researchers the logs from his HP9000 last year. In them, the team found that the late-90s hackers had used a Linux backdoor known as Loki2 to stealthily pull data out of some of the target computers they’d compromised. That trojan, first published in the hacker zine Phrack in 1996, had become a common tool at the time thanks to its trick of hiding stolen data in unlikely network channels, like the Internet Control Message Protocol and Domain Name System communications.
But Kaspersky’s researchers made a connection to a separate analysis they’d performed on a toolkit used by the Turla hackers in 2014, and which was used last year against the Swiss tech firm RUAG. The Turla toolkit had used a modified version of that same Loki2 backdoor. “This is a backdoor that’s been around for two decades that’s still being leveraged in attacks,” says Juan Andres Guerrero-Sade, a Kaspersky researcher. “When they need to be stealthier on a Linux or Unix machine, they dust off this code and use it again.” The use of that archaic code is far more rare today than in 1998: The researchers say they’ve searched extensively for any other modern-day hacker operations using the backdoor, and found no others.
A Hacker Time Capsule
Aside from that attempt to trace Turla’s longevity, the Moonlight Maze logs also provide a rare, minutely detailed record of how hackers operated 20 years ago. In several instances, the researchers say, the hacker set up software designed to record everything that occurred on a target machine, and then set about trying to gain deeper access on the same machine, thus recording and uploading a log of their own attacks.
Compared with modern cyberspies, the hackers also performed much of their work manually, typing commands on victim machines one by one instead of running automated malware.
Beyond late 90s nostalgia, however, the researchers hope their work will help shake loose more evidence of the missing links in state-sponsored hacker history.
Tomi Engdahl says:
Canary for USB Ports
http://hackaday.com/2017/04/04/canary-for-usb-ports/
If you’re a paranoid system admin, [errbufferoverfl] has your back with software that keeps track of whenever someone plugs in or disconnects a USB-based device from a workstation.
Christened USB Canary, [errbufferoverfl’s] tool is written in Python. However, even though Python is cross-platform, USB Canary only works on Linux currently. But, fret not: [errbufferoverfl] is already working on Windows and Mac versions.
Primarily, USB Canary watches USB connectors for any activity and logs anything it sees. Moreover, when a USB device is plugged in or unplugged, USB Canary can alert the owner of the workstation via an SMS message courtesy of the Twilio API, post a message in a Slack channel or even make a noise to alert a nearby sysadmin. Additionally, USB Canary can be configured to only run when the workstation is locked (if you’re not completely paranoid).
https://github.com/probablynotablog/usb-canary
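The same kind of check USB Canary performs can also be run after the fact over kernel logs. The script below is an added example for this post, not code from the USB Canary project: it parses constructed `journalctl -k`-style lines (timestamp, host, `kernel:` prefix), pairs attach events with a lock-screen timeline you supply, and reports devices attached while the workstation was locked that are not on a known-device allowlist. The log prefix format and the 2017 year default are assumptions.

```python
import re
from datetime import datetime

# Kernel USB messages as the Linux usb core logs them; the leading timestamp
# and "host kernel:" prefix follow the journalctl/dmesg -T shape (assumed).
NEW_DEVICE = re.compile(
    r"kernel: usb (?P<port>[\d.-]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
DISCONNECT = re.compile(r"kernel: usb (?P<port>[\d.-]+): USB disconnect")
TIMESTAMP = re.compile(r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2})")

def parse_usb_events(lines, year=2017):
    """Turn kernel log lines into (time, action, port, 'vid:pid' or None) tuples."""
    events = []
    for line in lines:
        ts_match = TIMESTAMP.match(line)
        if not ts_match:
            continue                      # syslog timestamps carry no year; assume one
        ts = datetime.strptime(f"{year} {ts_match['ts']}", "%Y %b %d %H:%M:%S")
        m = NEW_DEVICE.search(line)
        if m:
            events.append((ts, "attach", m["port"], f"{m['vid']}:{m['pid']}"))
            continue
        m = DISCONNECT.search(line)
        if m:
            events.append((ts, "detach", m["port"], None))
    return events

def alerts_while_locked(events, lock_intervals, allowlist=frozenset()):
    """Attach events that fall inside a locked interval and are not allowlisted."""
    hits = []
    for ts, action, port, ident in events:
        if action != "attach" or ident in allowlist:
            continue
        if any(start <= ts <= end for start, end in lock_intervals):
            hits.append((ts, port, ident))
    return hits

# Constructed sample log: a keyboard receiver at login, an unknown flash drive
# plugged in and removed over lunch (screen locked), and a hub later on.
SAMPLE_LOG = """\
Apr 04 08:55:10 ws01 kernel: usb 1-2: New USB device found, idVendor=046d, idProduct=c52b, bcdDevice=12.03
Apr 04 12:31:05 ws01 kernel: usb 1-1: new high-speed USB device number 5 using xhci_hcd
Apr 04 12:31:05 ws01 kernel: usb 1-1: New USB device found, idVendor=0781, idProduct=5583, bcdDevice= 1.00
Apr 04 12:31:05 ws01 kernel: usb 1-1: Product: Ultra Fit
Apr 04 12:33:40 ws01 kernel: usb 1-1: USB disconnect, device number 5
Apr 04 14:02:17 ws01 kernel: usb 1-3: New USB device found, idVendor=1d6b, idProduct=0002, bcdDevice= 4.04
"""
# Constructed lock-screen timeline and allowlist (the keyboard receiver is known).
LOCKED = [(datetime(2017, 4, 4, 12, 0, 0), datetime(2017, 4, 4, 13, 0, 0))]
ALLOWED = frozenset({"046d:c52b"})

def demo():
    """Run the detector over the sample log; returns the list of alerts."""
    return alerts_while_locked(parse_usb_events(SAMPLE_LOG.splitlines()), LOCKED, ALLOWED)

if __name__ == "__main__":
    for ts, port, ident in demo():
        print(f"ALERT {ts:%Y-%m-%d %H:%M:%S} port {port}: device {ident} attached while locked")
```

On a live machine, pipe `journalctl -k -o short` (or `dmesg -T`) into `parse_usb_events` and build the lock intervals from your screen locker’s log.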
Tomi Engdahl says:
Gigabytes the Dust with UEFI Vulnerabilities
http://hackaday.com/2017/04/04/gigabytes-the-dust-with-uefi-vulnerabilities/
At this year’s BlackHat Asia security conference, researchers from Cylance disclosed two potentially fatal flaws in the UEFI firmware of Gigabyte BRIX small computers which allow a would-be attacker unfettered low-level access to the computer.
Gigabyte has been working on a fix since the start of 2017.
The two vulnerabilities that have been discovered seem like a massive oversight from Gigabyte. They didn’t enable write protection for their UEFI (CVE-2017-3197), and seem to have thrown cryptography out of the window when it comes to signing their UEFI files (CVE-2017-3198). The latter vulnerability is partly due to not verifying a checksum or using HTTPS in the firmware update process, instead using its insecure sibling HTTP. CERT has issued an official vulnerability note (VU#507496) for both flaws.
Researchers Disclose Vulnerabilities in GIGABYTE BRIX Systems
https://www.cylance.com/en_us/blog/gigabyte-brix-systems-vulnerabilities.html
Earlier this month, we teased a proof of concept for UEFI ransomware, which was presented at RSA Conference 2017. The HackingTeam, Snowden, Shadow Brokers, and Vault7 leaks have revealed that UEFI/BIOS implants aren’t just a theoretical concept, but have actually been weaponized by nation states to conduct cyber-espionage. Physical access requirements are a thing of the past; these low-level implants can be installed remotely by exploiting vulnerabilities in the underlying UEFI system.
A practical attack consists of 4 stages:
1. User-mode execution (ring 3)
2. Kernel mode execution (ring 0)
3. SMM execution (ring -2)
4. SPI Flash Write
The attacker gains user-mode execution through an application vulnerability such as a browser exploit or a malicious Word document with an embedded script. From there, the attacker elevates his privileges by exploiting the kernel or a kernel module such as Capcom.sys to execute code in ring 0. A vulnerable SMI handler allows the attacker to execute code in SMM mode (ring -2) where he finally can bypass any write protection mechanisms and install a backdoor into the system’s firmware.
Write-protection mechanisms exist to prevent attackers from modifying the firmware; however, the affected systems do not enable them.
Tomi Engdahl says:
Brazilians whacked: Crooks hijack bank’s DNS to fleece victims
Usernames, passwords swiped for hours, malware dropped on PCs
https://www.theregister.co.uk/2017/04/05/hackers_take_over_banks_dns_system/
Rather than picking off online banking customers one by one, ambitious hackers took control of a Brazilian bank’s entire DNS infrastructure to rob punters blind.
The heist, detailed by security engineers at Kaspersky Lab, took place over about five hours on Saturday October 22, 2016, after the miscreants managed to get control of the bank’s DNS hosting service using targeted attacks. They managed to transfer all 36 of the bank’s domains to phony websites that used free HTTPS certs from Let’s Encrypt. These sites masqueraded as the bank’s legit online services, tricking marks into believing the malicious servers were the real deal. That allowed the crims to steal customers’ usernames and passwords as they were typed into the sites’ login boxes.
“All domains, including corporate domains, were in control of the bad guy,” said Fabio Assolini, a senior security researcher at Kaspersky, in a blog post. He said the attackers also took over the bank’s email servers so that staff couldn’t warn customers not to log in.
During the attack, every time a customer logged in, they were handing over their details to the attackers, all of which were sent off to a command and control server in Canada. In addition, the dummy websites dropped malware onto each visitor’s computer in the form of .zip’d Java plugin files: clicking on those would start an infection on machines capable of running the malicious code.
“The bad guys wanted to use that opportunity to hijack operations of the original bank, but also drop malware with the capacity to steal money from banks of other countries,”
Tomi Engdahl says:
Schneider Electric still shipping passwords in firmware
You’d think a vendor of critical infrastructure would at least pretend to care about security
https://www.theregister.co.uk/2017/04/05/schneider_istilli_shipping_passwords_in_firmware/
That “don’t use hard-coded passwords” infosec rule? Someone needs to use a needle to write it on the corner of Schneider Electric’s developers’ eyes so they don’t forget it.
Yes, it’s happened again, this time on the SCADA vendor’s Schneider Modicon TM221CE16R, Firmware 1.3.3.3 – and without new firmware, users are stuck, because they can’t change the password.
It’s a real Friday-afternoon-special: someone encrypted the user/password XML file with the fixed key “SoMachineBasicSoMachineBasicSoMa”.
That means an attacker can open the control environment (SoMachine Basic 1.4 SP1), get and decrypt the user file, and take over.
Tomi Engdahl says:
RAT-catchers spot new malware attacking South Korean word processor
Twitter, Yandex and Mediafire as C&C for snoopy malware
https://www.theregister.co.uk/2017/04/05/rokrat_malware/
Cisco Talos researchers reckon South Korean users are again under attack from a new malicious RAT (remote administration tool) they’ve dubbed ROKRAT.
The RAT uses Twitter, Yandex and Mediafire for command-and-control and data exfiltration, since these are “difficult to block globally” because they’re legitimate business tools, and also because their use of HTTPS makes it hard to spot at the firewall.
As well as the Twitter/Yandex/Mediafire C&C connections, the RAT includes a screen-shot uploader and a keylogger.
If it’s executed in a sandbox, ROKRAT tries to conceal itself by firing off requests to Amazon and Hulu.
Tomi Engdahl says:
WWW daddy Sir Tim Berners-Lee stands up for end-to-end crypto
It’s settled then, he has spoken
https://www.theregister.co.uk/2017/04/04/web_inventor_opposes_crypto_backdoors/
Sir Tim Berners-Lee has criticised plans to weaken encryption or extend surveillance in the wake of recent terrorist attacks.
Weakening encryption would be a mistake, according to Sir Tim. “If you’re trying to catch terrorists, it’s really tempting to demand to be able to break all that encryption but if you break that encryption then guess what – so could other people, and guess what – they may end up getting better at it than you are.”
Sir Tim made the comments to the BBC in a wide-ranging interview following his Turing Award win, a prestigious gong sometimes described as the Nobel Prize of computing. His criticisms of weakening encryption parallel those of other security experts.
The Home Secretary has reportedly invited tech bosses from Google, Microsoft, Twitter and Facebook to a summit to discuss encryption and its national security implications.
The terrorist attack in Westminster has renewed the debate about the use of end-to-end encryption by messaging services such as WhatsApp. Rudd has appealed to tech companies to provide a way for government to inspect the communications of those suspected of criminal activity, for example terrorists. Other politicians have even called for a blanket ban on end-to-end encryption.
Both of these approaches are flawed, according to Emm.
“The requirement for application vendors who use encryption to provide a way for government or law enforcement agencies to ‘see through’ encryption, poses some real dangers,” Emm said. “Creating a ‘backdoor’ to decipher encrypted traffic is akin to leaving a key to your front door under the mat outside. Your intention is for it to be used only by those you have told about it. But if someone else discovers it, you’d be in trouble.
“Similarly, if a government backdoor were to fall into the wrong hands, cybercriminals, foreign governments or anyone else might also be able to inspect encrypted traffic.”
Tomi Engdahl says:
Researchers sink scalpel into Lazarus crew. Yup. Autopsy shows distinct hacker tradecraft
See these contusions? It’s where the hackers burrowed out to infect other hosts
https://www.theregister.co.uk/2017/04/04/lazarus_hacker_hunt_trail/
The hacking group blamed for the infamous $81m cyber-heist against the Central Bank of Bangladesh last year has been targeting a far wider range of organisations than previously thought.
The so-called Lazarus cyber-espionage and sabotage crew has also been busy attacking casinos, software developers for investment companies and crypto-currency businesses as well as banks around the world, according to researchers from Kaspersky Lab.
During the forensic analysis of artefacts left by the group in South-East Asian and European banks, Kaspersky Lab has reached a deep understanding of what malicious tools the group uses and how it operates. Knowledge of the hackers’ tradecraft has helped to interrupt at least two other operations aimed at stealing a large amount of money from financial institutions.
Modus operandi
The hackers typically start by running watering hole attacks in order to plant malicious code on the victim’s (bank employee) computer. Once a toehold has been established, the hackers attempt to infect other hosts in a targeted institution.
The next stage involves internal reconnaissance, mapping the targeted network. Particular targets include the backup server, where authentication information is stored, mail servers or domain controllers as well as servers storing or processing records of financial transactions.
Finally, the hackers deploy “special malware” capable of bypassing the internal security features of financial software and issuing rogue transactions on behalf of the bank.
Tomi Engdahl says:
Over The Air: Exploiting Broadcom’s Wi-Fi Stack (Part 1)
https://googleprojectzero.blogspot.fi/2017/04/over-air-exploiting-broadcoms-wi-fi_4.html
Why-Fi?
In the past decade, the use of Wi-Fi has become commonplace on mobile devices. Gradually, Wi-Fi has evolved into a formidable set of specifications—some detailing the physical layer, others focusing on the MAC layer. In order to deal with this increased complexity, vendors have started producing “FullMAC” Wi-Fi SoCs.
In essence, these are small SoCs that perform all the PHY, MAC and MAC SubLayer Management Entity (MLME) processing on their own, allowing the operating system to abstract itself away from the complex (and sometimes chip-specific) features related to Wi-Fi. The introduction of Wi-Fi FullMAC chips has also improved the power consumption of mobile devices, since much of the processing is done on a low-power SoC instead of the power-hungry application processor. Perhaps most importantly, FullMAC chips are much easier to integrate, as they implement the MLME within their firmware, reducing the complexity on the host’s side.
All that said and done, the introduction of Wi-Fi FullMAC chips does not come without a cost. Introducing these new pieces of hardware, running proprietary and complex code bases, may weaken the overall security of the devices and introduce vulnerabilities which could compromise the entire system.
Analysing the Firmware
Due to the relatively small size of the available memory (both ROM and RAM), Broadcom went to extreme efforts in order to conserve memory.
After reverse engineering all of the call sites, I’ve found a few vulnerabilities related to the handling of information elements embedded in management frames.
Two of the vulnerabilities can be triggered when connecting to networks supporting wireless roaming features; 802.11r Fast BSS Transition (FT), or Cisco’s CCKM roaming. On the one side, these vulnerabilities should be relatively straightforward to exploit – they are simple stack overflows. Moreover, the operating system running on the firmware (HNDRTE) does not use stack cookies, so there’s no additional information leak or bypass required.
Wrapping Up
We’ve seen that while the firmware implementation on the Wi-Fi SoC is incredibly complex, it still lags behind in terms of security. Specifically, it lacks all basic exploit mitigations – including stack cookies, safe unlinking and access permission protection (by means of an MPU).
Broadcom have informed me that newer versions of the SoC utilise the MPU, along with several additional hardware security mechanisms. This is an interesting development and a step in the right direction. They are also considering implementing exploit mitigations in future firmware versions.
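The two roaming-related bugs above are described as plain stack overflows in the handling of information elements (IEs) carried in management frames. The following C is an added example, not code from the Project Zero post or from Broadcom's firmware: a minimal parser for 802.11 tagged parameters (one byte ID, one byte length, then the payload) that checks each declared length against the bytes remaining in the frame and against the destination buffer before any copy, which is exactly the check an unbounded memcpy into a fixed-size stack buffer lacks. The frame bodies are constructed for the example; the element IDs for SSID (0) and Mobility Domain (54) come from the 802.11 standard.

```c
/* Added example: bounds-checked parsing of 802.11 information elements.
 * Not Project Zero or Broadcom code; sample frame bodies are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define IE_SSID             0x00   /* SSID element, at most 32 bytes by the standard */
#define IE_MOBILITY_DOMAIN  0x36   /* 802.11r Mobility Domain element (ID 54) */
#define SSID_MAX_LEN        32

typedef struct {
    uint8_t id;
    uint8_t len;
    const uint8_t *data;   /* points into the frame body, nothing is copied yet */
} ie_t;

/* Walk the tagged parameters of a management frame body.
 * Returns the number of IEs present, or -1 if any element claims more
 * payload bytes than remain in the body (a truncated or hostile frame).
 * At most max_out descriptors are written to out. */
int ie_walk(const uint8_t *body, size_t body_len, ie_t *out, size_t max_out)
{
    size_t off = 0;
    int n = 0;
    while (off < body_len) {
        if (body_len - off < 2)             /* ID+length header does not fit */
            return -1;
        uint8_t id  = body[off];
        uint8_t len = body[off + 1];
        if (len > body_len - off - 2)       /* payload would run past the end */
            return -1;
        if ((size_t)n < max_out) {
            out[n].id = id;
            out[n].len = len;
            out[n].data = body + off + 2;
        }
        n++;
        off += 2 + (size_t)len;
    }
    return n;
}

/* Copy the payload of the first element with the given ID into dst.
 * Returns the payload length, -1 if the frame is malformed or the element
 * is absent, and -2 if the payload does not fit dst: the case that becomes
 * a stack overflow when the destination size is never consulted. */
int ie_copy_bounded(const uint8_t *body, size_t body_len, uint8_t id,
                    uint8_t *dst, size_t dst_size)
{
    ie_t ies[32];
    int n = ie_walk(body, body_len, ies, 32);
    if (n < 0)
        return -1;
    if (n > 32)
        n = 32;
    for (int i = 0; i < n; i++) {
        if (ies[i].id != id)
            continue;
        if (ies[i].len > dst_size)
            return -2;
        memcpy(dst, ies[i].data, ies[i].len);
        return ies[i].len;
    }
    return -1;
}

/* Extract the SSID into a fixed 32-byte stack buffer and NUL-terminate it
 * into ssid_out (which must hold SSID_MAX_LEN + 1 bytes). */
int extract_ssid(const uint8_t *body, size_t body_len, char *ssid_out)
{
    uint8_t buf[SSID_MAX_LEN];
    int len = ie_copy_bounded(body, body_len, IE_SSID, buf, sizeof buf);
    if (len < 0)
        return len;
    memcpy(ssid_out, buf, (size_t)len);
    ssid_out[len] = '\0';
    return len;
}

/* Constructed frame bodies (not captured traffic). */
static const uint8_t good_body[] = {
    IE_SSID, 4, 'h', 'o', 'm', 'e',
    IE_MOBILITY_DOMAIN, 3, 0x12, 0x34, 0x01,
};
static const uint8_t truncated_body[] = { IE_SSID, 10, 'a', 'b', 'c' };
static uint8_t oversized_body[2 + 200];   /* SSID element claiming 200 bytes */

/* Runs the three cases; returns 0 when each is handled as intended. */
int demo(void)
{
    char ssid[SSID_MAX_LEN + 1];
    memset(oversized_body, 'A', sizeof oversized_body);
    oversized_body[0] = IE_SSID;
    oversized_body[1] = 200;
    int ok   = extract_ssid(good_body, sizeof good_body, ssid);          /* 4 */
    int big  = extract_ssid(oversized_body, sizeof oversized_body, ssid); /* -2 */
    int trunc = extract_ssid(truncated_body, sizeof truncated_body, ssid); /* -1 */
    return (ok == 4 && big == -2 && trunc == -1) ? 0 : 1;
}

int main(void)
{
    char ssid[SSID_MAX_LEN + 1];
    if (demo() != 0) {
        puts("unexpected result");
        return 1;
    }
    extract_ssid(good_body, sizeof good_body, ssid);
    printf("SSID: %s\n", ssid);
    return 0;
}
```

The two checks matter independently: `ie_walk` rejects an element whose length exceeds the frame (an over-read), and `ie_copy_bounded` rejects one that exceeds the destination (the over-write that the post says is exploitable without any further bypass on a firmware without stack cookies).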
Tomi Engdahl says:
Flat File Encryption with OpenSSL and GPG
http://www.linuxjournal.com/content/flat-file-encryption-openssl-and-gpg
The Pretty Good Privacy (PGP) application, which has long been known as a primary tool for file encryption, commonly focused on email. It has management tools for exchanging credentials with peers and creating secure communication channels over untrusted networks. GNU Privacy Guard (GPG) has carried on this legacy with a free and open implementation included in most major Linux distributions. PGP/GPG has proven highly resistant to cryptographic attack and is a preeminent tool for secure communications.
OpenSSL is more known for network security, but it also has tools useful for most aspects of encrypting flat files. Although using OpenSSL requires more knowledge of specific algorithms and methods, it can be more flexible in a number of scenarios than other approaches. OpenSSH keys can be used transparently for flat file encryption with OpenSSL, allowing user and/or host SSH keys to pervade any number of unrelated services.
Many common programs in UNIX have implementations within the OpenSSL command-line utility.
Tomi Engdahl says:
Hello, Sir/Madam
Here is your copy of the Nokia Threat Intelligence Report – 2H 2016.
https://pages.nokia.com/8859.Threat.Intelligence.Report-Thank.You.html
Tomi Engdahl says:
Kim Dotcom could be building bitcoin’s killer app
https://qz.com/948260/kim-dotcoms-micropayments-service-bitcache-could-be-bitcoins-killer-app/
Bitcoin’s price has been soaring, and if entrepreneur and provocateur Kim Dotcom’s latest scheme takes off, it’ll rocket even higher. The founder of Megaupload, who the US government has called a fugitive from copyright infringement charges, is creating a payments platform called Bitcache, which will let people get paid for digital content with bitcoin.
Dotcom tweeted a video showing a demo of the Bitcache system today. A user can upload any file or video stream and charge others to download it, setting the price himself. The uploader then gets paid in “Bits,” which can be converted into bitcoin. Precise details of how the Bitcache system works remain scarce.
Micropayments for content is one of bitcoin’s most talked about uses. The Aspen Institute’s Walter Isaacson has called it journalism’s “savior,” while the creator of JavaScript, Brendan Eich, is building a variety of technologies to turn it into a reality.
Kim Dotcom’s idea is to allow any publisher on the web to easily charge readers tiny amounts for content with “one line of code” on their website. This service would eventually extend beyond individual files or streams to entire websites, he says in his demo video.
The odds are stacked against Kim Dotcom’s new venture. He’s launching Bitcache as a service for a rebooted version of his original enterprise Megaupload
Kim Dotcom announces new Bitcoin venture for content uploaders to earn money
http://www.reuters.com/article/us-newzealand-bitcoin-dotcom-idUSKBN17705U
Controversial New Zealand-based internet mogul Kim Dotcom plans to launch a Bitcoin payments system for users to sell files and video streaming as he fights extradition to the United States for criminal copyright charges.
“You can create a payment for any content that you put on the internet…you can share that with your customers, with the interest community and, boom, you are basically in business and can sell your content,” Dotcom said in the video.
He added that Bitcontent would eventually allow businesses, such as news organizations, to earn money from their entire websites. He did not provide a launch date.
Tomi Engdahl says:
How to Improve Your Chances of Staying Out of the Insider Threat Headlines
http://www.securityweek.com/how-improve-your-chances-staying-out-insider-threat-headlines
Insider Threats Are a Fact of Life and Are Not Going Away.
Unfortunately, it takes time and effort to minimize exposure to insider threats. Here are some tips to make the process a bit easier and more efficient:
• Create well defined, concise policies and procedures that govern access, user responsibilities and what to do if an incident occurs.
• Create a culture that embraces cyber security by (over) communicating and highlighting the importance of security at every possible opportunity.
• Provide security awareness education for all users that’s relatively short and targeted based on the policy each user violated.
• Build cyber security into business processes.
• Actively manage access, especially privileged access. The access provided to users is the attack surface that insiders (and bad actors when compromised) go after to do damage.
• Know your crown jewels and mission critical systems. Managing the attack surface, including user access and vulnerabilities in general, is even more critical when it comes to your most important assets.
• Implement active and passive controls that block sensitive data from leaving the organization and monitor user behavior to identify anomalies. Anomaly detection is the only way to identify when a user, who is not necessarily setting off any policy alarms, is doing something unusual and is therefore a risk.
Insider threats are a fact of life and are not going away. Careless users, who create most of the noise in detection tools, all too often don’t have the education or the means to securely do their jobs.
Tomi Engdahl says:
Web inventor Sir Tim Berners-Lee slams UK and US net plans
http://www.bbc.com/news/technology-39490324
The web’s creator has attacked any UK plans to weaken encryption and promised to battle any moves by the Trump administration to weaken net neutrality.
Sir Tim Berners-Lee was speaking to the BBC following the news that he has been given the Turing Award.
It is sometimes known as the Nobel Prize of computing.
Sir Tim said moves to undermine encryption would be a “bad idea” and represent a massive security breach.
Sir Tim also criticised moves by legislators on both sides of the Atlantic, which he sees as an assault on the privacy of web users. He attacked the UK’s recent Investigatory Powers Act, which he had criticised when it went through Parliament: “The idea that all ISPs should be required to spy on citizens and hold the data for six months is appalling.”
In the United States he is concerned that the principle of net neutrality, which treats all internet traffic equally, could be watered down by the Trump administration and the Federal Communications Commission.
“If the FCC does move to reduce net neutrality I will fight it as hard as I can,” he vowed.
Tomi Engdahl says:
ICO fines 11 big charities over dirty data donor-squeezing deeds
Not looking so fluffy-wuffy now
https://www.theregister.co.uk/2017/04/05/ico_fines_eleven_big_charities_over_dirty_data_dealings_chasing_funds/
Eleven charities have been fined by the Information Commissioner’s Office for their dodgy dealings with donors’ personal data.
Over the last two years, an ICO investigation into fundraising has found a number of charities operating in breach of the Data Protection Act.
“Millions of people will have been affected by these charities’ contravention of the law,” said Denham. “They will be upset to learn the way their personal information has been analysed and shared by charities they trusted with their details and their donations. No charity wants to alienate their donors. And we acknowledge the role charities play in the fabric of British society. But charities must follow the law.”
Tomi Engdahl says:
Online Trust Alliance merges with Internet Society
Two become one
https://www.theregister.co.uk/2017/04/05/ota_isoc_merger/
Key internet standards-making body the Internet Society (ISOC) and security and privacy org the Online Trust Alliance (OTA) are merging.
The move, announced Wednesday, sees an important standards-driver combining with an org that has guided best practices for the commercialisation of the web.
From now on the OTA will operate within the Internet Society. Existing OTA initiatives such as the annual Online Trust Audit, the Cyber Incident Response Guide and the Internet of Things (IoT) Trust Framework will be retained and expanded, the new org said.
“OTA and ISOC are excited to join forces in order to improve online trust, enhance data security, promote responsible privacy practices, and bolster the development and use of an open internet,”
Tomi Engdahl says:
Google Patches 31 Critical Flaws in Android
http://www.securityweek.com/google-patches-31-critical-flaws-android
Google this week released security updates for Android to resolve numerous Critical remote code execution (RCE) and elevation of privilege (EoP) vulnerabilities in the platform.
Over 100 vulnerabilities were resolved in Android this month, split into two separate sets of patches. A total of 23 bugs were addressed with the 2017-04-01 security patch level, including 6 Critical vulnerabilities, 9 rated High risk and 8 Moderate.
There were 6 Critical RCE issues affecting Mediaserver; High risk flaws such as EoPs in CameraBase, Audioserver, and SurfaceFlinger; Information disclosure in Mediaserver; and denial of service (DoS) vulnerabilities in libskia and Mediaserver.
Tomi Engdahl says:
Wi-Fi Flaws Expose iPhone, Nexus Phones to Attacks
http://www.securityweek.com/wi-fi-flaws-expose-iphone-nexus-phones-attacks
Vulnerabilities in Broadcom’s Wi-Fi system-on-chip (SoC) can be exploited to hijack iPhone, Nexus, Samsung and other smartphones without requiring any user interaction.
Google Project Zero researcher Gal Beniamini has identified several remote code execution, privilege escalation and information disclosure vulnerabilities in Broadcom firmware.
Since Broadcom’s Wi-Fi chips are widely used, the flaws affect many devices, including Google’s Nexus 5, 6 and 6P, all iPhones since iPhone 4, and most of Samsung’s flagship Android smartphones.
Beniamini has published a lengthy blog post describing the Broadcom Wi-Fi chipset and vulnerabilities that can be exploited for remote code execution.
https://googleprojectzero.blogspot.fi/2017/04/over-air-exploiting-broadcoms-wi-fi_4.html
Tomi Engdahl says:
Cyberspies Target Middle East With Windows, Android Malware
http://www.securityweek.com/cyberspies-target-middle-east-windows-android-malware
A cyberespionage group apparently not linked to any previously known threat actor has been using several Windows and Android malware families in attacks aimed at organizations in the Middle East.
The first report on this group’s activities was published last month by Chinese security firm Qihoo 360, which tracks the actor as APT-C-23 and Two-Tailed Scorpion. Researchers at Palo Alto Networks and ClearSky have also conducted a joint investigation into the gang’s operations.
According to the security firms, the group uses Windows and Android malware to spy on victims. Qihoo 360 said it observed nearly 85 percent of infections in Palestine, followed by Israel, but Palo Alto also reported seeing victims in Egypt and the United States.
Tomi Engdahl says:
How to Reduce the Top Five Security Stressors
http://www.securityweek.com/how-reduce-top-five-security-stressors
April is Stress Awareness Month. With the pace of constantly-evolving threats, budget battles and security apathy from users, it isn’t a stretch to imagine that stress is a part of the job in IT security.
So, it’s surprising to see a survey that says “Security Analyst” is the #1 least stressful job across all industries. It will be interesting to hear from you as a reader in the comments section below if you take exception to that survey result, or if you think it’s accurate.
Stress in general is your body’s way of responding to danger, whether real or perceived. The situations and pressures that cause stress are known as stressors.
Keeping Current with Threats
There were over 6000 new common vulnerabilities and exposures (CVEs) published in 2016. While not all are present in your environment, that is still a big number to keep up with and compare against hundreds or thousands of servers, apps, devices, and so on.
User Behavior
IT security would be a lot less stressful if users were not part of the equation. They are the weakest link in security, constantly finding ways around company controls, falling victim to phishing attacks and exposing credentials.
Budget Justification
How to justify a security project is outside the scope of this article, but those tasked with securing their organizations do feel the pressure of falling behind attackers and the standard of due care. That pressure drives a need for budget resources that correlate with the evolving threat landscape, but it isn’t always easy to justify to those outside of day-to-day security operations.
The Task Backlog
There are always new policies to write in response to changing technologies, threats and regulations. User demands and project changes add to the pile of assignments. And a lack of skilled personnel to tackle these tasks plagues many organizations.
Unpredictability of Incidents
Nothing contributes to stress quite like a security incident. Incidents derail planned work, result in immediate pressure to find, contain and recover from the breach, and bring unwelcome attention from people who don’t always understand what’s happening.
Implementing policies and controls is a big part of IT security, so feeling out of control can have a big impact on stress levels. Rely on your network, gain a sense of accomplishment, stay aware of your emotions, take some time off and build good plans to reduce the common stressors in IT security.
Tomi Engdahl says:
Facebook revenge porn to be blocked from reposts
http://www.bbc.com/news/technology-39502265
Facebook is taking fresh action to prevent so-called revenge porn from being spread across its platforms.
The social network is making it impossible to repost or share intimate images of people thought to have been uploaded without their permission once they have been identified as such and removed.
The measure is being rolled out across Facebook, Messenger and Instagram but not WhatsApp.
Campaigners welcomed the development.
“It’s a huge step forward,” said Laura Higgins, founder of the UK’s Revenge Porn Helpline.
“One of the greatest challenges is to stop people re-uploading the content.”
‘First step’
Facebook is not hunting out revenge porn imagery itself, but instead will rely on users flagging the content via its Report tool.
Its community operations team will then make a judgement as to whether the posts qualify, taking into account factors including whether sexual activity is depicted, the setting and whether the person making the complaint is shown.
If the image is judged to be revenge porn, it will be removed and the account that posted it blocked, pending a potential appeal.
Photo-recognition software is then deployed to ensure any further attempts to circulate the picture are blocked without human operators needing to review them.
The technique is similar to that already used by Facebook and others to prevent child abuse imagery being shared.
Tomi Engdahl says:
Found: Quite possibly the most sophisticated Android espionage app ever
Discovery of Pegasus for Android comes 8 months after similar iOS app was found.
https://arstechnica.com/security/2017/04/found-quite-possibly-the-most-sophisticated-android-espionage-app-ever/
Researchers have uncovered one of the most advanced espionage apps ever written for the Android mobile operating system. They found the app after it had infected a few dozen handsets.
Pegasus for Android is the companion app to Pegasus for iOS, a full-featured espionage platform that was discovered in August infecting the iPhone of a political dissident located in the United Arab Emirates.
“Pegasus for Android is an example of the common feature-set that we see from nation states and nation state-like groups,” Lookout researchers wrote in a technical analysis published Monday. “These groups produce advanced persistent threats (APT) for mobile with the specific goal of tracking a target not only in the physical world, but also the virtual world.”
Like its iOS counterpart, Pegasus for Android offers a wide array of spying functions, including:
• Keylogging
• Screenshot capture
• Live audio and video capture
• Remote control of the malware via SMS
• Messaging data exfiltration from common applications including WhatsApp, Skype, Facebook, Twitter, Viber, and Kakao
• Browser history exfiltration
• E-mail exfiltration from Android’s Native E-mail client
• Contacts and text message exfiltration
This app will self-destruct
Pegasus for Android also has the ability to self-destruct when it’s at risk of being discovered or compromised. The self-destruct mechanism can be triggered in several different ways: if the mobile country code associated with the SIM card is invalid; if an “antidote” file exists in the /sdcard/MemosForNotes folder; if the app has been unable to connect to an attacker-controlled server for 60 days; or if the app receives a command from the server to remove itself.
“It’s clear that this malware was built to be stealthy, targeted, and is very sophisticated,”
Given how narrowly targeted the Pegasus attacks were, the chances are extremely small that they infected readers of this post.
Tomi Engdahl says:
Smart phones hacked in every fourth company
Security firm Zimperium has announced its Mobile Security Trends report, which interviewed more than 1,900 IT and security professionals. The results are alarming. 47 percent felt that the number of security threats has increased in the past year. 24 percent know that their organization’s mobile devices have been hacked.
Zimperium says that the development is related to the so-called BYOD phenomenon.
33 percent of those surveyed said that none of their organization’s devices had been compromised. 16 percent reported that less than a quarter of their devices had been hacked. At the other extreme is the one percent of companies where 76-100 percent of devices have been hacked.
In reality, the number of hacked devices can be significantly higher, as 43 percent of IT professionals say they cannot reveal the number of hacked devices. Even this information would be a security risk, because it reveals the level of the enterprise’s security policy.
Source: http://www.etn.fi/index.php/13-news/6133-alypuhelimia-hakkeroitu-joka-neljannessa-yrityksessa
Tomi Engdahl says:
Megan Rose Dickey / TechCrunch:
Facebook to allow flagging revenge porn for review and removal, prevent further sharing of removed images on Messenger and Instagram using photo-matching tech
Facebook addresses revenge porn with tech to prevent people from re-sharing intimate images
https://techcrunch.com/2017/04/05/facebook-addresses-revenge-porn-with-tech-to-prevent-people-from-re-sharing-intimate-images/
Facebook has implemented a new photo-matching technology to ensure people can’t re-share images previously reported and tagged as revenge porn — intimate photos of people shared without their consent. That means if someone tries to share a photo that Facebook has previously taken down, that person will see a pop-up saying the photo violates Facebook’s policies and that Facebook will not allow the person to share that particular photo on Facebook, Messenger or Instagram.
“We’ve focused in on this because of the unique harm that this kind of sharing has on its victims,” Facebook Global Head of Safety Antigone Davis told me. “In the newsroom post we refer to a specific piece of research around the unique harm this has for victims. I think that’s where the focus was for this moving forward.”
The figure Davis is referring to is that 93 percent of people affected by the sharing of non-consensual intimate images report “significant emotional distress” and 82 percent report significant difficulties in other aspects of their lives, according to the US Victims of Non-Consensual Intimate Images.
Tomi Engdahl says:
Emma Thomasson / Reuters:
German cabinet approves plan that could fine social networks up to $53M if companies do not remove hate speech quickly
German cabinet agrees to fine social media over hate speech
http://www.reuters.com/article/us-germany-hatecrime-idUSKBN1771FC
Germany’s cabinet approved a plan on Wednesday to fine social networks up to 50 million euros ($53 million) if they fail to remove hateful postings quickly, prompting concerns the law could limit free expression.
Germany has some of the world’s toughest laws covering defamation, public incitement to commit crimes and threats of violence, with prison sentences for Holocaust denial or inciting hatred against minorities. But few online cases are prosecuted.
“There should be just as little tolerance for criminal rabble rousing on social networks as on the street,” Justice Minister Heiko Maas said in a statement,
The issue has taken on more urgency as German politicians worry that a proliferation of fake news and racist content, particularly about 1 million migrants who have arrived in the last two years, could sway public opinion in the run-up to national elections in September.
A spokesman for Facebook, which has 29 million active users in Germany – more than a third of the total population – said the company was working hard to remove illegal content, but expressed concern at the draft law.
The draft law would give social networks 24 hours to delete or block obviously criminal content and seven days to deal with less clear-cut cases, with an obligation to report back to the person who filed the complaint about how they handled the case.
Tomi Engdahl says:
Suspected Chinese Malware Found On U.S. Trade Group Website
http://spectrum.ieee.org/tech-talk/telecom/security/cybersecurity-firm-finds-malicious-script-from-chinese-statesponsored-group-on-us-trade-group-website
A U.S. cybersecurity company has uncovered a malicious script on the website of the National Foreign Trade Council, a public policy and lobbying organization devoted to U.S. trade policy. And John Bambenek, threat intelligence manager for Fidelis Cybersecurity, whose team found the script, says he is “highly confident” the script was placed there by Chinese state-sponsored actors.
The script is a tool known as a Scanbox.
The script provides information about a victim’s operating system, IP address, and software programs, which attackers can later use in targeted phishing campaigns. For example, if attackers learn that someone is using a browser with known software holes, they may target that person with an exploit that the hackers know will work for the user’s particular version.
Hidden within the National Foreign Trade Council’s site, the Scanbox script ran whenever a visitor navigated to a page with a registration form for an upcoming Board of Directors meeting. That means the script, which has been removed, likely targeted board members
Tomi Engdahl says:
New Malware Intentionally Bricks IoT Devices
https://www.bleepingcomputer.com/news/security/new-malware-intentionally-bricks-iot-devices/
A new malware strain called BrickerBot is bricking Internet of Things (IoT) devices around the world by corrupting their storage capability and reconfiguring kernel parameters.
Detected via honeypot servers maintained by cyber-security firm Radware, the first attacks started on March 20 and continued ever since, targeting only Linux BusyBox-based IoT devices.
Right from the get-go, two different versions of BrickerBot were detected: BrickerBot.1 and BrickerBot.2.
BrickerBot spreads to devices with open Telnet ports
In the first stages of the attacks, both strains work in a similar way, by attempting a dictionary brute-force attack on devices with Telnet ports left open on the Internet.
Just like Mirai, Hajime, LuaBot, and other IoT malware, BrickerBot uses a list of known default credentials used for various IoT devices.
If device owners failed to change their default credentials, BrickerBot logs in and performs a series of Linux commands.
The end result is a bricked IoT device that will stop working within seconds of getting infected. Experts call these attacks PDoS (Permanent Denial of Service), but they are also known as “phlashing.”
According to telemetry data, just one of Radware’s honeypots has seen 1,895 PDoS attempts in the span of four days.
BrickerBot the work of a vigilante?
All in all, BrickerBot isn’t like anything we’ve seen before in the landscape of IoT malware. Most IoT malware strains try to hoard devices in massive botnets that are then used as proxies to relay malicious traffic or to launch DDoS attacks. Both of these are lucrative businesses for any cyber-criminal talented enough to hijack large numbers of IoT equipment.
BrickerBot’s destructive capabilities are something new, which don’t benefit anyone. Not BrickerBot’s author, and certainly not the device owner, who’ll have to reinstall firmware, or even worse, buy a new device.
BrickerBot could also be the work of an Internet vigilante that wants to destroy insecure IoT devices. A similar malware strain first appeared in October 2015.
Called Linux.Wifatch, this IoT malware strain took over insecure routers and then executed commands that improved the device’s security. The creators of this malware open-sourced the code on GitLab, also explaining the reasons why they created the malware to begin with, claiming they had no bad intentions.
“Wow. That’s pretty nasty,” said Cybereason security researcher Amit Serper after Bleeping Computer showed him Radware’s security alert. “They’re just bricking it for the sake of bricking it. [They're] deliberately destroying the device.”
“It’s someone who wanted to clean up the mess in a harsh way,”
BrickerBot’s approach is definitely illegal and dangerous, as Gevers points out. The researcher also doesn’t agree with the attackers’ approach.
“These attacks are very easy to execute, and I think this is just the beginning,” the expert told Bleeping Computer. “I don’t want to label this work as dark, but I think there are less destructive ways to achieve the same goal.”
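The infection stage described in this comment (a Telnet dictionary attack using factory default credentials, then a login that runs a series of Linux commands) is exactly what a honeypot like Radware’s would record. The following is an added example, not code from Radware, Bleeping Computer or the BrickerBot author: it flags sources that cycle through several credential pairs within a short window and sources that actually succeed with a known default pair. The log line format, the timestamps, the IP addresses, the 60-second window and the threshold of three distinct credentials are all assumptions made for the example, and the default credential set is a small constructed subset of the well-known Mirai-style list, not the full one.

```python
"""Flag Telnet dictionary brute-force attempts and default-credential logins
in honeypot logs. Added example; the log format and sample data are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed subset of factory default (user, password) pairs reused by
# Mirai-style IoT malware; extend this from a real credential list.
DEFAULT_CREDS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"),
    ("admin", "admin"), ("root", "12345"), ("root", "root"),
}

# Assumed honeypot log format (invented for this example).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) telnet login from (?P<src>\S+) "
    r"user=(?P<user>\S*) pass=(?P<pw>\S*) result=(?P<res>OK|FAIL)$"
)

# Constructed sample log: one dictionary attack that ends in a successful
# default-credential login, one legitimate operator login, one lone failure.
SAMPLE_LOG = """\
2017-03-20T10:00:01Z telnet login from 203.0.113.5 user=root pass=xc3511 result=FAIL
2017-03-20T10:00:02Z telnet login from 203.0.113.5 user=root pass=vizxv result=FAIL
2017-03-20T10:00:03Z telnet login from 203.0.113.5 user=admin pass=admin result=FAIL
2017-03-20T10:00:04Z telnet login from 203.0.113.5 user=root pass=admin result=FAIL
2017-03-20T10:00:05Z telnet login from 203.0.113.5 user=root pass=12345 result=OK
2017-03-20T10:05:00Z telnet login from 198.51.100.7 user=operator pass=s3cr3t!x result=OK
2017-03-20T10:07:00Z telnet login from 192.0.2.9 user=root pass=root result=FAIL
"""


def parse(line):
    """Parse one log line into a dict, or return None for unrecognised lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def analyze(log_text, window=timedelta(seconds=60), threshold=3):
    """Return a per-source report.

    brute_force: the source tried >= `threshold` distinct credential pairs
                 inside any `window`-long span (sliding window per source).
    default_cred_login: the source logged in successfully with a pair from
                 DEFAULT_CREDS, i.e. the device still had factory credentials.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        event = parse(line)
        if event:
            events[event["src"]].append(event)

    report = {}
    for src, evs in events.items():
        evs.sort(key=lambda e: e["ts"])
        brute_force = False
        start = 0
        for end in range(len(evs)):
            # Advance the window start until all events fit inside `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            creds_in_window = {(e["user"], e["pw"]) for e in evs[start:end + 1]}
            if len(creds_in_window) >= threshold:
                brute_force = True
                break
        default_login = any(
            e["res"] == "OK" and (e["user"], e["pw"]) in DEFAULT_CREDS for e in evs
        )
        report[src] = {
            "attempts": len(evs),
            "distinct_creds": len({(e["user"], e["pw"]) for e in evs}),
            "brute_force": brute_force,
            "default_cred_login": default_login,
        }
    return report


if __name__ == "__main__":
    for src, info in analyze(SAMPLE_LOG).items():
        tags = [k for k in ("brute_force", "default_cred_login") if info[k]]
        print(f"{src}: {info['attempts']} attempts, "
              f"{info['distinct_creds']} distinct credentials, "
              f"flags={tags or ['none']}")
```

The two flags are deliberately separate: a scanner that only guesses is a nuisance, while a successful `default_cred_login` means a device on your network still has factory credentials and, per this report, may be seconds away from being bricked rather than merely enrolled in a botnet. The fix is the same either way: change the defaults and take Telnet off the Internet.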
Tomi Engdahl says:
Kerry Flynn / Mashable:
Twitter sues the Trump administration after Customs and Border Protection tries to compel the social network to reveal the identity behind @alt_USCIS account — So remember how President Donald Trump (a.k.a. @realDonaldTrump) loves Twitter and credits it with helping him win the election?
Twitter to U.S. government: No, you can’t see who’s behind that anti-Trump account
http://mashable.com/2017/04/06/twitter-sues-us-government-anti-trump-account/
Twitter is leveraging First Amendment rights to protect the user @ALT_USCIS. “The rights of free speech afforded Twitter’s users and Twitter itself under the First Amendment of the U.S. Constitution include a right to disseminate such anonymous or pseudonymous political speech,” Twitter wrote in its lawsuit.
The account is called ALT Immigration and the Twitter bio reads, “Immigration resistance
According to Twitter, there is no legal reason, such as criminal or civil defense, for the U.S. government to demand the account.
Tomi Engdahl says:
Dan Goodin / Ars Technica:
Project Zero finds serious Broadcom WiFi chipset flaw that allows hacking of many Android devices; Google releasing patch this month; iOS was patched in 10.3.1 — Broadcom chips allow rogue Wi-Fi signals to execute code of attacker’s choosing. — A broad array of Android phones are vulnerable …
Android devices can be fatally hacked by malicious Wi-Fi networks
Broadcom chips allow rogue Wi-Fi signals to execute code of attacker’s choosing.
https://arstechnica.com/security/2017/04/wide-range-of-android-phones-vulnerable-to-device-hijacks-over-wi-fi/
Tomi Engdahl says:
Rafia Shaikh / Wccftech:
McAfee Report: Mac malware instances grew 744% in 2016 to 450K+, mostly from adware bundling, and IoT devices were used for the first time with Dyn
Latest Report Reveals Mac Malware Grew 744% in 2016!
http://wccftech.com/mac-malware-grew-744-2016/
There’s a common misconception that Macs are immune to security threats such as malware or adware. While we have reported on several Mac-focused security threats, a new analysis reveals that the amount of Mac malware is actually skyrocketing. In a threat analysis report, McAfee shows that Mac malware grew by 744% in 2016!
While that number may take you by surprise, it’s not actually as alarming as it sounds. Most of the 460,000 instances detected by the security firm were due to adware bundling, where software exposes users to ads.
Mac malware skyrocketed in 2016 – it’s mostly adware
Tomi Engdahl says:
Democrats draft laws in futile attempt to protect US internet privacy
In non-snowball-in-Hell’s-chance news: New York joins states’ revolt on ISP rules
https://www.theregister.co.uk/2017/04/06/democrats_move_to_restore_internet_privacy/
Less than a week after President Trump signed the law allowing ISPs to sell customers’ browsing habits to advertisers, Democratic politicians are introducing bills to stop the practice.
On Thursday, Senator Ed Markey (D-MA) submitted a bill [PDF] that would enshrine the FCC privacy rules proposed during the Obama administration into law – the rules just shot down by the Trump administration. Americans would have to opt in to allowing ISPs to sell their browsing data under the proposed legislation, and ISPs would have to take greater care to protect their servers from hacking attacks.
Tomi Engdahl says:
‘Evidence of Chinese spying’ uncovered on eve of Trump-Xi summit
Gosh, this is awkward…
https://www.theregister.co.uk/2017/04/06/us_china_summit_suspected_espionage/
Evidence of Chinese cyber-espionage against the US has been uncovered on the eve of an important Sino-US presidential summit.
The “Scanbox” malware – used by nation-state threat actors associated with or sponsored by the Chinese government – has been discovered embedded on webpages on the US National Foreign Trade Council (NFTC) site, Fidelis Cybersecurity reports.
The possible cyber-espionage was found ahead of President Trump’s meeting with Chinese President Xi Jinping taking place on Thursday and Friday. Items on the agenda are likely to include North Korea, trade and the use of chemical weapons against civilians in Syria.
Tomi Engdahl says:
F-Secure gobbles up Zdziarski’s Little Flocker, spits it into antivirus kit
Is this the end of the road for the file system firewall app?
https://www.theregister.co.uk/2017/04/06/fsecure_buys_mac_security_specialist/
F-Secure has completely absorbed Little Flocker, the macOS security tool built by computer forensics boffin Jonathan Zdziarski.
Financial terms of the deal, announced Thursday, were undisclosed. Zdziarski just recently joined Apple on its security engineering team, so the handover of the paid-for software to F-Secure makes a lot of sense.
Little Flocker acts as a file system firewall: it basically intercepts file accesses by applications and processes, and asks the user if they are OK with that. This means folks can stop errant processes, ransomware, and other malware, from meddling with documents, executables, and system data. A whitelist can be built by the user for trusted apps so their file accesses usually get through.
The software – which runs at the kernel level and can also detect microphone and webcam snooping – will be built into F-Secure’s products, such as XFENCE, its Protection Service for Business, and F-Secure SAFE.
Tomi Engdahl says:
Security: Losses Outpace Gains
http://semiengineering.com/state-of-security-declining/
Complexity, new and highly connected technology, and more valuable data are making it harder to keep out hackers.
SE: Where are we with security? It seems that rather than getting better, things have actually gotten worse over the past year. Where are the problems and how do we close up some of these holes?
Kocher: At a high level, if you want to run some complex set of applications, run huge amounts of software and keep it from being compromised by adversaries, this is an area where we’re losing ground. And it’s one where we’ve been losing ground for a long time. It’s hard to get a sense of where things are going because the press is missing both the positive and negative information. Nobody writes an article announcing which system is not hacked this week. On the other side, most attacks don’t get detected, which is the number one objective if you’re an adversary. If you’ve recognized you’ve been breached, the attacker already messed up. The ones that get detected are the ones that either have business models that necessitate detection, like financial fraud, or they’re amateurish and unlucky or working on such a scale that they can’t hide. If you look at what gets caught, there’s an awful lot that clearly is not being reported on.
SE: But this is more than just a reporting issue, right?
Kocher: Yes, but there aren’t good metrics.
SE: So where are you seeing progress?
Kocher: People are finally realizing that security solutions are not cost-prohibitive for transistors
SE: A lot of that has been regulated from the outside down, whereas the chip industry for the most part has never had to deal with this.
Kocher: It may take regulation or other market forces to change behavior. It certainly is true that if you look at industries like aviation, pharmaceuticals, and to a certain degree medicine, change has occurred and regulators have played a role in that. It’s still a little early in the security space to really apply a lot of regulation because we don’t exactly know what the best solutions to a problem are.
SE: What could regulators do?
Kocher: They could regulate what your expectations should be for a product if it claims to be secure, because right now most products sold have security bugs in them that make them not secure. Trying to figure out what information should be delivered to customers about what was done probably could help. It would certainly make the security easier if and when it becomes highly regulated.
SE: So what’s next?
Kocher: There are some pretty good proposals that are currently on the table that are being studied, and there will be a standardization process for those.
SE: The security picture comprises lots of smaller pieces. AI is one component. The Mirai botnet was another piece, where little things you don’t expect to be important add up to something big, like the first massive IoT attack. You also have the standard stuff that has been going on for a while, hacking into a server to get financial data. Can they be addressed on a macro level, considering everything is now connected, or does everything have to be addressed separately?
Kocher: There’s a point where you’ve got a specific vulnerability in a specific product, and those things end up being treated like a specific gunshot wound that might be treated in an ER. A patient comes in and people do the best to deal with whatever you got there, minimizing the consequences. There are a lot of things that are common root causes to different problems that are often many steps before the actual product was shipped to a customer.
Tomi Engdahl says:
Remotely Get Root On Most Smart TVs With Radio Signals
http://hackaday.com/2017/04/06/remotely-get-root-on-most-smart-tvs-with-radio-signals/
[Rafael Scheel], a security consultant, has found that hacking smart TVs takes little more than an inexpensive DVB-T transmitter within range of the target TV and some malicious signals. The hack works by exploiting hybrid broadcast broadband TV signals and widely known bugs in the web browsers commonly run on smart TVs, which seem to run in the background almost all the time.
Smart TV Hacking (Oneconsult Talk at EBU Media Cyber Security Seminar)
https://www.youtube.com/watch?v=bOJ_8QHX6OA
Tomi Engdahl says:
How Hackers Hijacked a Bank’s Entire Online Operation
https://www.wired.com/2017/04/hackers-hijacked-banks-entire-online-operation/?mbid=nl_4417_p3&CNDID=49216633
Thieves get in, get the goods, and get out. But one enterprising group of hackers targeting a Brazilian bank seems to have taken a more comprehensive and devious approach: One weekend afternoon, they rerouted all of the bank’s online customers to perfectly reconstructed fakes of the bank’s properties, where the marks obediently handed over their account information.