Security trends 2017

The year 2017 will not bring any turn towards better data security. The internet is rife with threats, the well-known ones as much as the unknown, and companies’ systems are expected to hold up against them. Hackers are going to continue to look for new ways to extort and steal information from businesses and organizations, which unfortunately means those businesses and organizations will have to continue to look for new ways to protect themselves.

Critical infrastructure comes under attack in 2017. Critical infrastructures must be better protected from criminals and terrorists who take advantage of the modern technologies that are essential for the functioning of society and the economy. The IT security functions of industrial control systems (ICS), energy grids and IoT networks need to be improved in 2017.

There is a push for better web security in 2017. Starting on New Year’s Day, Google’s Chrome will begin labeling as “insecure” all websites that transmit passwords or ask for credit card details over plain-text HTTP. Beginning in January 2017 (Chrome 56), HTTP sites that transmit passwords or credit card numbers are marked as non-secure, as part of a long-term plan to mark all HTTP sites as non-secure.

SHA-1 is insecure. Starting on Jan 1, 2017, most CAs will migrate to SHA-2 certificates, and the major browser makers, including Microsoft, Google and Mozilla, have already announced plans to adopt the change. Their browsers will no longer trust sites that use SHA-1 from that date on, and they will mark these websites as insecure. Still, 1/3 of websites use SHA-1 certificates despite the looming deadline. SHA-1 will still hang around, like a fart in a spacesuit, for many years to come because some people are lazy enough not to make the change.
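A check a site operator can run ahead of the SHA-1 deadline, as an added example that is not from the original post: a stdlib-only DER walker that reads the signatureAlgorithm OID of a certificate and flags SHA-1 based signatures. The sample certificate bytes are constructed (a dummy Certificate-shaped structure, not a valid certificate); the OID table lists the standard algorithm identifiers.

```python
"""Flag certificates whose signature algorithm is SHA-1 based (added example)."""
import base64
import re

# Standard signatureAlgorithm OIDs (RFC 3279 / RFC 4055 / RFC 5758) -> (name, digest)
SIG_OIDS = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "sha1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "sha256"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "sha384"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "sha1"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "sha256"),
}

def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(value):
    """DER OID content bytes -> dotted-decimal string."""
    arcs = [str(value[0] // 40), str(value[0] % 40)]
    cur = 0
    for b in value[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:                    # last byte of this base-128 arc
            arcs.append(str(cur))
            cur = 0
    return ".".join(arcs)

def signature_algorithm(der):
    """Dotted OID of the outer signatureAlgorithm of a DER-encoded certificate.
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    signatureAlgorithm ::= SEQUENCE { algorithm OBJECT IDENTIFIER, parameters ... }"""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = _read_tlv(body, 0)          # skip tbsCertificate entirely
    tag, alg, _ = _read_tlv(body, pos)
    if tag != 0x30:
        raise ValueError("malformed signatureAlgorithm")
    tag, oid, _ = _read_tlv(alg, 0)
    if tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    return _decode_oid(oid)

def classify(der):
    """(algorithm name, digest); unknown OIDs are reported as such, never guessed."""
    oid = signature_algorithm(der)
    return SIG_OIDS.get(oid, (f"unknown({oid})", "unknown"))

def uses_sha1(der):
    return classify(der)[1] == "sha1"

def pem_to_der(pem):
    """Strip the PEM armour of the first CERTIFICATE block and base64-decode it."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no PEM certificate found")
    return base64.b64decode("".join(m.group(1).split()))

# --- constructed test data: Certificate-shaped DER with dummy contents ----------
def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)

def fake_certificate(sig_oid, tbs_size=300):
    """Not a real certificate: same outer layout, zero-filled TBS (long-form length),
    the requested signature OID with NULL parameters, and a dummy BIT STRING."""
    tbs = _tlv(0x30, b"\x00" * tbs_size)
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + b"\x05\x00")
    sig = _tlv(0x03, b"\x00" + b"\xAA" * 32)
    return _tlv(0x30, tbs + alg + sig)

def fake_pem(sig_oid):
    """PEM-armour the constructed DER so pem_to_der() can be exercised offline."""
    body = base64.b64encode(fake_certificate(sig_oid)).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"
```

Run `uses_sha1(pem_to_der(open("server.pem").read()))` against a real chain file; a SHA-1 result on any certificate in the chain is what the browsers above will reject.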

There will be changes in how security is viewed in 2017 by businesses. We will likely see cloud adoption continue to grow across the United States, network visibility will no longer just be an option, AI and machine learning will shake old security models, and IoT-powered attacks will continue to rise. All of this will factor into how businesses set up, monitor and secure their networks.

The commoditization of cyberattacks will make them more frequent in 2017. More and more companies suffer business disruption due to cyber attacks. Cyber attacks cause companies significant financial losses, but studies show that companies are not prepared for them. According to Gartner, by 2018 only 40 per cent of large companies will have official plans for handling cyber attacks. Last year, the percentage was zero.

Strap yourself in for a bumpy ride in 2017. 2016 sucked. 2017 won’t be much better, sorry. DDoS attacks have been around since at least 2000, and they’re not going away. In fact, as the number of devices online grows, the volume and velocity of these attacks is also increasing. DDoS attack toolkits have been around for years, as have services that will enable you to pay for an attack. Expect to see more of them. It seems that 2017 promises to be the most dramatic year yet in DDoS conflict. Whale-sized DDoS attacks will increase, the IoT will become a bigger factor in DDoS, and DDoS will overshadow ransomware attacks and will be used for extortion. Expect to see the Internet of Things (IoT) and other connected devices play an important part in these attacks.

Biometric identification will become more common in 2017, but it will not replace passwords. Fingerprint identification has become increasingly common in smartphones, and the technology is already fast and reliable. This year biometric identification devices were sold for 4.5 billion dollars (most of them going into smartphones and laptops). 91 per cent of biometric sales were fingerprint sensors, four per cent face detection and three per cent iris detection.

Biometrics won’t kill passwords any time soon. Even though PIN codes and passwords are actually pretty lousy protection against a skilled cybercriminal, the password will never disappear entirely, as two per cent of the world’s population have fingerprints that are not suitable for biometric identification. Other biometric identification systems have similar limitations and/or are not yet commonly available at reasonable cost. While biometrics, including fingerprint, face, iris, palm and speech recognition, will continue to grow as a more secure substitute for passwords, they will not render passwords obsolete. Until the other common biometrics become commonplace, passwords are here to stay until circa 2030.

The fight over encryption and backdoors is not over in 2017. Many public figures in law enforcement have consistently argued that device encryption presents a new threat to police powers of investigation. On the other side, the House Judiciary Committee’s Encryption Working Group report says encryption backdoors pose a security threat, siding with tech experts. The problem is that any system allowing police to get into an encrypted system (be it a phone, a computer or communications) could also be exploited by criminals. Any action in this space should weigh short-term benefits against the long-term impacts. Many industry experts will rightly tell you there is no such thing as partial data encryption: you either have a fully capable system or none at all.

Given the security events of 2016, coupled with the rapid advancements and adoption of cloud computing, 2017 will be the year in which many finally accept that network infrastructure and security will have to be rethought from the ground up. In 2017 the cloud will become a risk for users: the cloud is becoming insecure, with extortion and IoT openings.

The rivalry between network attacks and network security is accelerating. Crippling Internet services with denial of service attacks is becoming more common throughout the world. DDoS attacks have been around since at least 2000, and they’re not going away. In fact, as the number of devices online grows, the volume and velocity of these attacks is also increasing. IoT-powered attacks will continue to rise, and stopping an attack is not easy. For most companies the key thing is that the attack traffic is stopped before it reaches the company’s Internet connection or servers (which means the use of telecom operator and external scrubbing services will increase). In addition to service disruption, denial of service attacks are often used as a distraction during the actual data burglary. DDoS may take over from ransomware as a cause for concern.

In 2017 IT and security professionals will talk more about business risks. Historically, firewalls, DLP, antivirus, SIEM and other technical point solutions have been the centerpiece of security conversations, but the mindset is slowly shifting from technology to risk. The goal of stopping all attacks and preventing all business impact has been recognized as a fool’s errand, and the focus has shifted to measuring risk and minimizing business impacts. Cyber security is increasingly being viewed as a risk management problem.

In 2017 ‘security’ must be added to our existing ethical and philosophic concerns over artificial intelligence and algorithms. Algorithms will soon run the world. They present problems that are seriously questioned on both ethical and philosophic grounds, and they have become the basis of fictional Armageddons.

Cyber insurance will be considered more often as one solution for handling cyber risks in 2017. The global cyber insurance market is expected to generate $14 billion by 2022, according to a new report published by Allied Market Research (AMR). That figure represents an impressive compound annual growth rate (CAGR) of nearly 28% from 2016 to 2022.

In 2017 Big Brother will be watching you 24/7. Those of you who’ve read George Orwell’s book 1984 or seen the movie will remember how the citizens of the fictitious totalitarian state of Oceania are constantly under surveillance by order of its dictator, Big Brother. Now swap your home desktop computer, laptop or smartphone for the fictitious telescreen: not only are you sitting in front of a modern-day version of the Big Brother telescreen, you are also walking around with one in your pocket or handbag. Sound a bit far-fetched to you? Well, it’s set to become a reality in many countries.

Users will want better security, or at least to feel more secure, in 2017. Many people are prepared to go to extremes for better security. According to a recent survey of over 2,000 adults conducted by Harris Poll, nearly 40% of Americans would give up sex for a year, or eating their favourite food, in exchange for better online security, meaning they’d never have to worry about being hacked. When you consider that 87 percent of U.S. adults use the internet, it makes sense that cyber security is one of the biggest concerns today. The single biggest thing people can do to help keep their online identity safe is probably the easiest: a solid password, and not giving it to other people. Still, nearly 50% of people have shared a password to an e-mail account or to an account like Netflix.

Security becomes a multi-system issue, and more people are talking about it. Design teams will have to bake security strategies in from the start, no matter how insignificant the device. The good news is that more people are talking about the issue. The real challenge is packing enough security features into designs to prevent security breaches of every sort, including those that can come from other electronics that weren’t even considered as part of the design process. Just as devices get more sophisticated, so do hackers. The reality is that security breaches can even cause physical harm. It’s time to look at this at a multi-system, multi-disciplinary level. Otherwise, we literally could be playing with fire.

Block chains have been a big trend for several years. The block chain market is divided as 2017 starts. During the autumn of 2016 we saw a number of cooperation initiatives between the financial sector and consulting companies. Microsoft has chosen the Ethereum block chain as its platform and offers it on the Azure cloud service. IBM has jumped on the Hyperledger consortium bandwagon and is offering its own block chains on the Bluemix service. Google and Amazon are still conspicuous by their absence. Even banks may prefer to use the cloud for their block chains.


Other prediction articles worth a look:

What Lies Ahead for Cybersecurity in 2017?

Network Infrastructure, Visibility and Security in 2017

DDoS in 2017: Strap yourself in for a bumpy ride

Cybersecurity Industry Outlook: 2017 to 2021 | CSO Online

IBM’s Cybersecurity Predictions for 2017 – eForensics

https://eforensicsmag.com/ibms-cybersecurity-predictions-2017/

Top 5 Cybersecurity Threats to Watch Out for in 2017

Experts Hopeful as Confidence in Risk Assessment Falls


3,151 Comments

  1. Tomi Engdahl says:

    How to adult at security
    You’re not gonna make it very far if you keep clicking on obvious phishing links.
    https://www.engadget.com/2017/03/24/how-to-adult-at-security/

    You’re a grown-ass adult — so stop using the same password for everything. Seriously, your cat’s name followed by your birthday isn’t fooling anybody. Don’t be that guy (of any gender) who gets totally owned by ransomware. Pull up your big-person pants, walk with us through the baddies of threats and help yourself to our tips on how to totally adult your way through the nightmare that is modern computer security. Don’t worry, you got this.

    Ransomware

    Ransomware can happen to anyone. It has exploded into an epidemic over the past few years, infecting people, police departments, hospitals, schools and more.

    Right now, there is no definitive way to prevent ransomware, but there are things you can do to help protect yourself.

    Never download attachments you don’t expect. Double-check the spelling of any links to make sure they’re legitimate spellings before you click, and avoid shortened links from untrusted sources. Turn off your email program’s ability to automatically display images.

    Next, get your backup act together. Backups are definitely something that makes you an adult: You should have auto-backups set with everything possible. Apple’s Time Machine is an encrypted blessing. CrashPlan is an example of a backup service that copies and stores your files on a regular schedule, and it also comes as standalone software.

    But when it comes to fighting ransomware, you want to have a separate set of backups that are out of reach of your network, because ransomware will also lock up any external drives you have attached or mapped.

    Surveillance

    Between broken security and an aggressive surveillance state, it often feels like the deck is stacked against us. Some people react by going overboard with surveillance paranoia, others sink into apathy and give up.

    Botnets

    We all love the convenience of connected devices, app-controlled lightbulbs and high-tech cars. But they come with many disadvantages, one of the biggies being that they can be hijacked by botnets.

    Botnets often harness the weak security of internet-connected devices, like DVRs, printers, routers, vending machines and cameras, to overload targeted businesses and websites with traffic.

    It’s difficult for us consumers to fight botnets because half the problem lies with the manufacturers of our connected appliances. The makers aren’t practicing good security. But we can at least make sure our connected devices aren’t using a simple or default password.

    Identity management

    One new buzzword that emerged from the recent RSA security conference in San Francisco was something called identity management. That simply refers to the user accounts we have on our devices and high-tech cars.

    The problem here is that previous owners’ profiles aren’t getting removed when the items are being resold.

    Adulting, accomplished

    That’s it!

  2. Tomi Engdahl says:

    “Philadelphia” Ransomware Targets Healthcare Industry
    http://securityaffairs.co/wordpress/57795/malware/philadelphia-ransomware.html

    Security experts from Forcepoint have discovered a new strain of ransomware dubbed Philadelphia that is targeting organizations in the healthcare industry.

    The Philadelphia ransomware is a variant of the Stampado ransomware, a very cheap malware offered for sale on the Dark Web since June 2016 at just 39 USD for a lifetime license.

  3. Tomi Engdahl says:

    Alleged NSA hack group Shadow Brokers releases new trove of exploits
    https://techcrunch.com/2017/04/08/shadow-brokers-be-back/?sr_share=facebook

    Shadow Brokers, the group behind last year’s release of hacking exploits allegedly used by the National Security Agency, has dropped another trove of files. In a Medium post today, the hacker group offered up a password giving free access to files it had previously tried to auction off.

  4. Tomi Engdahl says:

    New York Times:
    Hackers breach Dallas warning system, sounding all of the city’s 156 emergency sirens

    Hacking Attack Woke Up Dallas With Emergency Sirens, Officials Say
    https://www.nytimes.com/2017/04/08/us/dallas-emergency-sirens-hacking.html?_r=0

    Officials in Dallas said the city’s warning system was hacked late on Friday night, disrupting the city when all 156 of its emergency sirens sounded into the early hours of Saturday morning.

    The alarms, which started going off around 11:40 p.m. Friday and lasted until 1:20 a.m. Saturday, created a sense of fear and confusion, jarring residents awake and flooding 911 with thousands of calls, officials said.

    Officials declined to give full details about the nature of the breach, citing security reasons, but they said they believed it had originated locally.

    The alarms blasted for 90-second durations about 15 times, Rocky Vaz, the director of the city’s Office of Emergency Management, told reporters at a news conference.

    Mr. Vaz said emergency workers and technicians had to first figure out whether the sirens had been activated because of an actual emergency. And turning off the sirens also proved difficult, eventually prompting officials to shut down the entire system.

    Security officials have warned for years about the risks that hacking attacks can pose to infrastructure. The number of attacks on critical infrastructure appears to have risen: to nearly 300 in 2015 from just under 200 in 2012, according to federal data. In 2013, hackers tied to the Iranian military tried to gain control of a small dam in upstate New York.

  5. Tomi Engdahl says:

    Shadow Brokers re-emerge, drop large catalog of stolen NSA exploits
    https://www.cyberscoop.com/shadow-brokers-linux-nsa-donald-trump-syria/

  6. Tomi Engdahl says:

    Selena Larson / CNNMoney:
    IRS says hackers accessed tax info of 100K people through a financial aid tool for students; info can be used to file fraudulent tax returns to steal refunds

    Hackers use FAFSA application to steal tax info
    http://money.cnn.com/2017/04/07/technology/hackers-irs-fafsa-data/

    Hackers accessed the data of up to 100,000 people through a tool that helps students get financial aid.

    IRS Commissioner John Koskinen testified before the Senate Finance Committee Thursday that a breach had been discovered in the fall. In September, he said, his agency discovered that fraudsters could use someone’s personal data to fill out a financial aid application, and the “Data Retrieval Tool” would populate the application with tax information.

    That information could be used to file false tax returns. The commissioner said fewer than 8,000 of these returns were processed, and refunds were issued totaling $30 million.

    The tool is part of the Free Application for Federal Student Aid (FAFSA) system, which is used to determine how much financial aid students receive for college.

    In October, the IRS told the Department of Education that the system could be abused by criminals, but because up to 15 million people use the system for convenience, they kept it available. However, in February, the agency witnessed a pattern of fraudulent activity, and it shut down the automated tool in March.

  7. Tomi Engdahl says:

    Violet Blue / Engadget:
    Cancellation of FCC’s ISP privacy rules drives Virtual Private Network adoption, but VPNs can have privacy issues of their own

    Good luck finding a safe VPN
    Everyone’s telling you to use a VPN but not how to choose a good one.
    https://www.engadget.com/2017/04/07/good-luck-finding-a-safe-vpn/

    If you’re most people, you just found out about the FCC’s internet privacy rules by way of their untimely demise. Thanks to the FCC’s new chief, Congress, and Donald Trump, ISPs are now free to track you like crazy and sell your data to the four directions. As a result, interest in VPNs exploded overnight.

    Using a VPN for cloaking your activity from your ISP is a practical solution — especially if you combine it with tracker-blocking browser plug-ins like uBlock Origin, because ads are trackers too.

    With a VPN, the user’s internet connection travels encrypted from computer to VPN server; from there the user’s connection travels unencrypted to their final destination (a website). This way, websites only see the VPN’s IP address and not the user’s, and your ISP only sees you visiting the VPN. The ability of any attacker to spy, intercept, attack or steal information stops at the VPN. That’s why they’re essential for personal security when you use public WiFi.

    Once the idea took hold that VPNs were the magic solution to ISP spying, tracking, and data sales, suddenly everyone and their dog was publishing an article about it. Lots of these articles tell you to use a VPN service with “the hallmarks of a trustworthy service” but few explain what that means, exactly.

    Many of these explainery-think pieces, not surprisingly, are profit-seeking endorsements for affiliate VPN services. Not all of which are VPNs you can trust, even if they come from a trusted blog or source.

    And fake VPN services rolled out in waves to cash in.

    Selecting a VPN you can trust already took research and consideration, weighing connection speeds and pricing, learning about who keeps records and for how long and more. VPN services are also like any other in that they change their record-keeping policies and privacy practices over time, so that’s another thing to keep up with.

    In addition, these services are easy to misconfigure.

    So if a VPN is recommended somewhere, do a little homework before you fork over your data (and your cash). Names that come up as trusted include Perfect Privacy, Freedome, TorGuard, Tunnelbear, Black VPN and others.

    Should you have one for your phone? Absolutely, and most VPNs have mobile apps — though look out for the bad ones. Google’s Project Fi (the company’s phone service provider) automatically secures users on a Google VPN in every public WiFi situation.

    The drawbacks? They can slow your connection down, and they may not work with services like Netflix that want to know where you’re physically located. Some public places block the use of VPNs, which should be your sign that the network isn’t safe to use anyway.

    When the trend is people turning to VPNs for protection from their own internet service providers — in their own homes — it’s safe to say the privacy and security situation for most Americans has gotten pretty bad.

    Which VPN Services Take Your Anonymity Seriously?
    By Ernesto on December 20, 2016
    https://torrentfreak.com/vpn-anonymous-review-160220/

    VPN services have grown increasingly popular in recent years, but not all are completely anonymous. Some VPN services even keep extensive logs of users’ IP-addresses for weeks. To find out which are the best VPNs, TorrentFreak asked several dozen providers about their logging policies, and more.

  8. Tomi Engdahl says:

    Tech predictions from 2007
    http://www.edn.com/electronics-blogs/from-the-edge-/4458199/Tech-predictions-from-2007

    Just how good are we at predicting the future? When we look at CES 2017, for example, and the realities of cutting wires, technology truly has come far. Sometimes it’s fun to look back at an attempt to look forward. I ran across an NBC News piece that Brian Williams did 10 years ago on what 2017 would look like, and the “wrenching changes” predicted in what was then the decade to come.

    Well, this security aspect is dead on. Our lives are pretty much open books. Facial recognition software is still used, however, and the adoption of biometric technology to the extent that it will free us completely is quite a reach.

  9. Tomi Engdahl says:

    Neglected Step Child: Security in DevOps
    http://www.securityweek.com/neglected-step-child-security-devops

    The use of microservices and containers like Docker has led to a revolution in DevOps. Providing the agility that businesses have long awaited, these new technologies also introduce inherent security implications that cannot be ignored at a time when the enterprise attack surface continues to grow wider. Let’s consider these risks and how organizations can minimize their exposure to them.

    According to a recent report by 451 Research, nearly 45% of enterprises have either already implemented or plan to roll out microservices architectures or container-based applications over the next 12 months. This confirms the hype surrounding these emerging technologies, which are meant to simplify the life of application developers and DevOps teams. Microservices can break down larger applications into smaller, distinct services; whereby containers in this context are viewed as a natural compute platform for microservices architectures.

    Microservices and containers enable faster application delivery and improved IT efficiency. However, the adoption of these technologies has outpaced security. A recent research study by Gartner (DevSecOps: How to Seamlessly Integrate Security into DevOps) shows that fewer than 20% of enterprise security teams have engaged with their DevOps groups to actively and systematically incorporate information security into their DevOps initiatives.

  10. Tomi Engdahl says:

    Sathurbot Botnet Targets WordPress Accounts
    http://www.securityweek.com/sathurbot-botnet-targets-wordpress-accounts

    A recently observed backdoor Trojan is ensnaring victims’ computers into a botnet that attempts to brute-force its way into WordPress accounts. The compromised WordPress sites are then used to spread the malware further.

    Dubbed Sathurbot, the backdoor Trojan uses torrents as a delivery medium. Compromised websites are used to host fake movie and software torrents and, when a user searches the web for a movie or software to download, links to these websites are served instead of legitimate torrents.

    Users accessing movie subpages are served with the same torrent file, while those going for software are served a different torrent file. Because the torrents are well-seeded, they might appear legitimate. Both the movie and the software torrent contain an executable and are meant to entice the victim into running it, thus loading the Sathurbot DLL.

    Once launched, the malware informs the victim that their machine has become a bot in the Sathurbot network. Sathurbot also retrieves its command and control (C&C) at startup. Communication with the server involves status reporting, task retrieval, and the receiving of links to other malware downloads.

  11. Tomi Engdahl says:

    BrickerBot Damages IoT Device Firmware
    http://www.securityweek.com/brickerbot-damages-iot-device-firmware

    Security researchers have identified a new type of cyber attack that causes damage to Internet of Things (IoT) devices, rather than ensnaring them into a botnet.

    Dubbed Permanent Denial-of-Service (PDoS), the attacks can be highly damaging, resulting in the need to replace or reinstall hardware, researchers explain: security flaws are abused to destroy the firmware and/or basic functions of the system.

    One of the tools used to launch such attacks is called BrickerBot, and Radware researchers observed two variants starting March 20, 2017. One of them, however, had a short life and remains inactive, while the other continues to operate. Both, however, have had the same purpose: to compromise IoT devices and corrupt their storage.

    To compromise devices, BrickerBot uses Telnet brute force, a method previously associated with the Mirai botnet, which abused infected devices to launch distributed denial of service (DDoS) attacks.

    “BrickerBot” Results In Permanent Denial-of-Service
    https://security.radware.com/ddos-threats-attacks/brickerbot-pdos-permanent-denial-of-service/

  12. Tomi Engdahl says:

    Shadow Brokers Release More NSA Exploits
    http://www.securityweek.com/shadow-brokers-release-more-nsa-exploits

    The hacker group calling itself “Shadow Brokers” has released another round of exploits and tools allegedly used by the NSA-linked threat actor “Equation Group,” along with a message to U.S. President Donald Trump.

  13. Tomi Engdahl says:

    Greg Otto / Cyberscoop:
    Months after failing to sell NSA hacking tools, The Shadow Brokers hacking group publicly releases the alleged exploits — The Shadow Brokers, the mysterious group linked to exploits stolen from the National Security Agency, released a large catalog of files Saturday that give further insight …

    Shadow Brokers re-emerge, drop large catalog of stolen NSA exploits
    https://www.cyberscoop.com/shadow-brokers-linux-nsa-donald-trump-syria/

  14. Tomi Engdahl says:

    Dan Goodin / Ars Technica:
    Researchers uncover BrickerBot-powered botnet attacks that are designed to brick poorly secured Linux-based routers and other IoT devices

    Rash of in-the-wild attacks permanently destroys poorly secured IoT devices
    Ongoing “BrickerBot” attacks might be trying to kill devices before they can join a botnet.
    https://arstechnica.com/security/2017/04/rash-of-in-the-wild-attacks-permanently-destroys-poorly-secured-iot-devices/

  15. Tomi Engdahl says:

    Critical Office Zero-Day Attacks Detected in the Wild
    https://securingtomorrow.mcafee.com/mcafee-labs/critical-office-zero-day-attacks-detected-wild/

    At McAfee, we have put significant efforts in hunting attacks such as advanced persistent threats and “zero days.” Yesterday, we observed suspicious activities from some samples. After quick but in-depth research, this morning we have confirmed these samples are exploiting a vulnerability in Microsoft Windows and Office that is not yet patched.

    This blog post serves as a heads-up for our customers and all Office users to protect against this zero-day attack.

    The samples we have detected are organized as Word files (more specifically, RTF files with a “.doc” extension). The exploit works on all Microsoft Office versions, including the latest Office 2016 running on Windows 10. The earliest attack we have seen dates to late January.

    The exploit connects to a remote server (controlled by the attacker), downloads a file that contains HTML application content, and executes it as an .hta file. Because .hta is executable, the attacker gains full code execution on the victim’s machine. Thus, this is a logical bug, and gives the attackers the power to bypass any memory-based mitigations developed by Microsoft.

    The root cause of the zero-day vulnerability is related to the Windows Object Linking and Embedding (OLE), an important feature of Office.

    Do not open any Office files obtained from untrusted locations.
    According to our tests, this active attack cannot bypass the Office Protected View, so we suggest everyone ensure that Office Protected View is enabled.

    Acknowledgement of Attacks Leveraging Microsoft Zero-Day
    https://www.fireeye.com/blog/threat-research/2017/04/acknowledgement_ofa.html

    FireEye recently detected malicious Microsoft Office RTF documents that leverage a previously undisclosed vulnerability. This vulnerability allows a malicious actor to execute a Visual Basic script when the user opens a document containing an embedded exploit. FireEye has observed several Office documents exploiting the vulnerability that download and execute malware payloads from different well-known malware families.

    FireEye shared the details of the vulnerability with Microsoft and has been coordinating for several weeks public disclosure timed with the release of a patch by Microsoft to address the vulnerability. After recent public disclosure by another company, this blog serves to acknowledge FireEye’s awareness and coverage of these attacks.

  16. Tomi Engdahl says:

    How To Hack Your Own Password
    http://hackaday.com/2017/04/09/how-to-hack-your-own-password/

    He decided to scrounge up his old password, only to discover he locked himself out of his Reddit account until 2018. What followed is a security exploit of an ’email me in the future’ service, and a great example of how much effort one person will commit to a lifetime of instant gratification.

    The email service in question is LetterMeLater, a site that will send an email at some arbitrary point in the future. You can hide the body of the email from yourself, making this a fairly good solution for what [Haseeb] is doing. He was still locked out of his email, though, and emailing the people running LetterMeLater seemed absurd.

    With a little bit of code, he can perform substring queries on an email he can’t read. Now, extracting the password is simply a first year CS homework problem.

    At this point, the only thing [Haseeb] knows about his password is that it’s a long string of random characters that probably doesn’t include upper-case characters. That’s 26 possible characters, 10 possible numbers, and a character bank that can be determined by searching his email one character at a time. [Haseeb] is essentially playing Hangman against his former self here.

    That time I had to crack my own Reddit password
    (Kinda.)
    https://medium.freecodecamp.com/the-time-i-had-to-crack-my-own-reddit-password-a6077c0a13b4

    Reply
  17. Tomi Engdahl says:

    Is My Password Safe? Practices for People Who Know Better
    http://hackaday.com/2017/04/07/is-my-password-safe/

A couple of weeks back a report came out where [Tavis Ormandy], a widely known security researcher for Google Project-Zero, showed how it was possible to abuse Lastpass RPC commands and steal user passwords. Irony is… Lastpass is software designed to keep all your passwords safe and it’s designed in a way that even they can’t access your passwords; the passwords are stored locally using strong cryptography, and only you can access them via a master-key. Storing all your passwords in only one place has its downfalls. By the way, there is no proof or suggestion that this bug was abused by anyone, so if you use Lastpass don’t worry just yet.

But it got me thinking, how worried and how paranoid should a regular Internet user be about his password? How many of us have their account details exposed somewhere online? If you’ve been around long enough, odds are you have at least a couple of accounts on some major Internet-based companies.

    The easiest way to get your paranoia started is to visit Have I Been Pwned.

    It keeps track of all known public security breaches he can get his hands on and provides an answer to a simple question: “Was my account in any major data leak?” Let’s take a look.

    Does Someone Know My Password?

    Notice that the Yahoo breach is not there, add 1 Billion accounts more, plus another 500 Million on another Yahoo breach. Does this mean that the attackers automatically have my password? Well, it’s not that easy.

Not all leaks are alike in severity. For example, the NetEase leak contained clear-text passwords, pretty much as bad as it gets. The Yahoo leak contained some MD5 hashes. The LinkedIn leak contained SHA-1 hashed passwords in which no salt was used. In the following days more than 90% of all passwords had been cracked. The Dropbox leak had usernames and salted hashes of passwords, half of them SHA1, half of them bcrypt, which is pretty good given the circumstances. The security impact of a leak varies a lot.

    So What Can You Do? Trust No One.

It’s clear that you cannot trust any website when providing your password since you usually have no choice or knowledge on how they will handle it. Since you can’t force any website into safely storing your password, what can you effectively do? Well, you can stop using 123456 as a password. And I don’t mean use the more secure version, 123456789, either. You! Yes, you!

Can you answer in all honesty that you have never had a Top 25 password?

Don’t choose obvious passwords. Really don’t. Even if you think no one cares about you or your particular account and you’ll never be a target of a malicious attacker. This includes words, names, dates, phone numbers. Ideally use lower/upper case letters with numbers with 10 or more chars.
    Don’t choose obvious security answers either. What good is a 30-character-long password when your security question is your mother’s maiden name?

    Less sensitive accounts can have an easier to remember password

    When possible, use two factor authentication (2FA). An increasing number of websites already provide 2FA, either via email or SMS. This can drastically reduce the impact of a stolen/leaked password. Consider using a hardware token in critical accounts, like Yubikey.
    Check online for any leaks that might have affected you. Change your passwords accordingly. If you used it on multiple websites, they too must be changed.

    My Advice: Do Your Own Thing

    My advice is to spend some time thinking about your passwords and find your own thing. What’s your own thing? For some it can be the way that they pronounce their password letters. Despite being random, choosing passwords with some rhyme or musicality when read results in something that sticks in your head.

    Goldfish Memory

    “Good passwords are hard to memorize. I’ll just write them down on a piece of paper.”

Well, there are worse things to do. I mean, where do you put your credit card? If you really can’t memorize it, sure, write it down and keep it safe, like in your wallet. The “keep it safe” part is important: you don’t leave your credit card around in public places, right? I bet you don’t tape it underneath your keyboard either. Over fifteen years ago [Bruce Schneier] saw this coming. Keep a duplicate copy somewhere really safe, like an actual safe. Plan ahead so that if someone steals your wallet or wherever you keep your passwords, you can rapidly change them.

    The future of passwords and overall authentication mechanisms is widely debated. Some say passwords are dead and the future is biometrics. Hackaday has been known to argue against that.

    https://haveibeenpwned.com/

    Reply
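The leak-severity ladder in the post above (clear text, unsalted MD5/SHA-1, salted hashes, bcrypt), as an added example that is not part of the original post or the Hackaday article: it stores a constructed sample of user passwords under a LinkedIn-style unsalted SHA-1 scheme and under a salted, iterated scheme, then shows why only the unsalted leak can be matched against a single precomputed table or clustered by identical hashes. PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt here (an assumption; bcrypt needs a third-party package), and the user table and "top passwords" list are constructed.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Constructed sample user table: two users share a weak password.
SAMPLE_USERS = {
    "alice": "123456",
    "bob": "123456",
    "carol": "correct horse battery staple",
}

# Constructed stand-in for a "Top 25 passwords" list.
TOP_PASSWORDS = ["123456", "123456789", "password", "qwerty"]


def store_unsalted_sha1(password: str) -> str:
    """LinkedIn-style storage: one deterministic digest, no salt, no work factor."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def store_salted_pbkdf2(password: str, salt: Optional[bytes] = None,
                        iterations: int = 200_000) -> str:
    """Salted, iterated storage (PBKDF2-HMAC-SHA256 standing in for bcrypt).

    The stored string is self-describing ("algo$iterations$salt$digest") so a
    verifier can recover the parameters later.
    """
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for every stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_salted_pbkdf2(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed record, never a match
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def precomputed_table(candidates: List[str]) -> Dict[str, str]:
    """Digest -> password. Built once, it applies to every unsalted SHA-1 leak."""
    return {store_unsalted_sha1(p): p for p in candidates}


def assess_unsalted_leak(leaked: Dict[str, str], table: Dict[str, str]) -> Dict[str, str]:
    """Accounts in an unsalted leak that fall to a plain dictionary lookup."""
    return {user: table[h] for user, h in leaked.items() if h in table}


def shared_password_groups(leaked: Dict[str, str]) -> List[List[str]]:
    """Users whose stored values are identical; only possible without per-user salt."""
    by_value: Dict[str, List[str]] = {}
    for user, value in leaked.items():
        by_value.setdefault(value, []).append(user)
    return sorted(sorted(users) for users in by_value.values() if len(users) > 1)


if __name__ == "__main__":
    unsalted = {u: store_unsalted_sha1(p) for u, p in SAMPLE_USERS.items()}
    salted = {u: store_salted_pbkdf2(p) for u, p in SAMPLE_USERS.items()}
    print("unsalted leak, table hits:", assess_unsalted_leak(unsalted, precomputed_table(TOP_PASSWORDS)))
    print("unsalted leak, shared-password groups:", shared_password_groups(unsalted))
    print("salted leak, shared-password groups:", shared_password_groups(salted))
    print("verify alice:", verify_salted_pbkdf2("123456", salted["alice"]))
```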
  18. Tomi Engdahl says:

    Dan Goodin / Ars Technica:
    Symantec links alleged Vault7 CIA malware to hacking operation that attacked at least 40 targets in 16 countries across the Middle East, Europe, Asia, Africa — WikiLeaks dump identical to operation that has been hacking governments since 2011. — Malware that WikiLeaks purports belongs …

    Found in the wild: Vault7 hacking tools WikiLeaks says come from CIA
    WikiLeaks dump identical to operation that has been hacking governments since 2011.
    https://arstechnica.com/security/2017/04/found-in-the-wild-vault7-hacking-tools-wikileaks-attributes-to-the-cia/

    Malware that WikiLeaks purports belongs to the Central Intelligence Agency has been definitively tied to an advanced hacking operation that has been penetrating governments and private industries around the world for years, researchers from security firm Symantec say.

    Longhorn, as Symantec dubs the group, has infected governments and companies in the financial, telecommunications, energy, and aerospace industries since at least 2011 and possibly as early as 2007. The group has compromised 40 targets in at least 16 countries across the Middle East, Europe, Asia, Africa, and on one occasion, in the US, although that was probably a mistake.

    Uncanny resemblance

    Malware used by Longhorn bears an uncanny resemblance to tools and methods described in the Vault7 documents. Near-identical matches are found in cryptographic protocols, source-code compiler changes, and techniques for concealing malicious traffic flowing out of infected networks. Symantec, which has been tracking Longhorn since 2014, didn’t positively link the group to the CIA, but it has concluded that the malware Longhorn used over a span of years is included in the Vault7 cache of secret hacking manuals that WikiLeaks says belonged to the CIA. Virtually no one is disputing WikiLeaks’ contention that the documents belong to the US agency.

    “Longhorn has used advanced malware tools and zero-day vulnerabilities to infiltrate a string of targets worldwide,”

    Reply
  19. Tomi Engdahl says:

    BBC:
    Two weeks before election, French centrist candidate Emmanuel Macron campaigns with plan to compel tech firms to decrypt communications for police on demand

    French election: Macron vows to tackle terrorism by taking on tech companies
    http://www.bbc.com/news/world-europe-39555125

    French centrist candidate Emmanuel Macron has launched his presidential campaign with a plan to tackle terrorism by forcing internet firms to release encrypted messages.

    Election campaigning officially began on Monday, two weeks ahead of the first round of voting.

    Opinion polls predict Mr Macron and far-right Marine Le Pen will reach the second round on 7 May.

    Ms Le Pen will set out her security priorities later in the day.

    Speaking at his Paris launch, Mr Macron said he wants to legally compel social media companies to give authorities access to encrypted messages between terror suspects.

    “Democratic states must have access to content exchanged between terrorists on social media and instant messaging,” he said, while introducing a five-point strategy that would bring in new powers across Europe.

    He said it was “no longer acceptable” for companies to insist that they have a contractual obligation to clients after offering protected communication.

    Reply
  20. Tomi Engdahl says:

    Thousands of Fake Google Maps Listings Redirect Users to Fraudulent Sites Each Month
    https://www.bleepingcomputer.com/news/google/thousands-of-fake-google-maps-listings-redirect-users-to-fraudulent-sites-each-month/

    Tens of thousands of fake listings are added to Google Maps each month, redirecting users to fraudulent websites selling phony or overpriced services, or part of some referral scam.

    This is the result of a study carried out by Google and University of California, San Diego researchers, who analyzed over 100,000 businesses marked as “abusive” and added to Google Maps between June 2014 and September 2015.

    Researchers say that 74% of these abusive listings were for local businesses in the US and India, mainly in pockets around certain local hotspots, especially in large metropolitan areas such as New York, Chicago, Houston, or Los Angeles.

    In most cases, the scheme was simple. A customer in need of a locksmith or electrician would search Google Maps for a local company. If he navigated to the website of a fake business or called its number, a call center operator posing as the business’ representative would send over an unaccredited contractor that would charge much more than regular professionals. If a customer’s situation were urgent, the contractor would often charge more than the initial agreed upon price.

    Reply
  21. Tomi Engdahl says:

    Russian Arrested in Spain ‘Over US Election Hacking’
    https://politics.slashdot.org/story/17/04/10/1740204/russian-arrested-in-spain-over-us-election-hacking

    Spanish police have arrested a Russian programmer for alleged involvement in “hacking” the US election, BBC reported Monday, citing local press reports.

    Russian arrested in Spain ‘over mass hacking’
    http://www.bbc.com/news/technology-39553250

    Spanish police have arrested a Russian programmer following US allegations of large-scale hacking.

    Pyotr Levashov was held in Barcelona on Friday and is remanded in custody.

    Spanish police said Mr Levashov controlled a botnet called Kelihos, hacking information and installing malicious software in hundreds of thousands of computers.

    The arrest was part of a “complex inquiry carried out in collaboration with the FBI”, police said.

    Mr Levashov is subject to a US international arrest warrant and a Spanish court will hear whether he can be extradited.

    Reply
  22. Tomi Engdahl says:

    Evil ISPs could disrupt Bitcoin’s blockchain
    Boffins say BGP is a threat to the crypto-currency
    https://www.theregister.co.uk/2017/04/11/evil_isps_could_disrupt_bitcoins_blockchain/

    Attacks on Bitcoin just keep coming: ETH Zurich boffins have worked with Aviv Zohar of The Hebrew University in Israel to show off how to attack the crypto-currency via the Internet’s routing infrastructure.

    That’s problematic for Bitcoin’s developers, because they don’t control the attack vector, the venerable Border Gateway Protocol (BGP) that defines how packets are routed around the Internet.

    BGP’s problems are well-known: conceived in a simpler era, it’s designed to trust the information it receives. If a careless or malicious admin in a carrier or ISP network sends incorrect BGP route information to the Internet, they can black-hole significant chunks of ‘net traffic.

    The upside of both of these attacks is that they need an insider, because they happen at the ISP level.

    They are, however, serious attacks.

    In the partition attack, if an ISP is the only route between significant chunks of the Bitcoin network, a blackhole would stop the two sides communicating with each other.

The two “islands” will keep going – processing transactions and mining new Bitcoin. When the “evil ISP” connects the islands together again, they have no option but to discard mined Bitcoins, transactions, and mining revenue.

    The delay attack is nastier, in a way, because unlike the partitioning attack, the researchers say it’s undetectable.

    Reply
  23. Tomi Engdahl says:

    OLE-y hell. Bug in MSFT Word allows total PC p0wnage
    FireEye, McAfee, disclose over the weekend. Will Microsoft squash it on Patch Tuesday?
    https://www.theregister.co.uk/2017/04/09/microsoft_word_ole_bug/

    All eyes will be on Microsoft’s April patch run – due tomorrow – to see whether Redmond gets ahead of a nasty Word zero-day that popped up last week.

    The hack exploits Object Linking and Embedding and the FireEye researchers who discovered the bug were working with Microsoft, but were pre-empted by a disclosure from McAfee.

    McAfee and FireEye each explain that the attack works all the way up to Office 2016 running on Windows 10.

    A nasty aspect of the attack is that unlike many Word-based attacks, it doesn’t ask the victim to enable macros.

    Reply
  24. Tomi Engdahl says:

    Internet Society tells G20 nations: The web must be fully encrypted
    Not happy about online security being equated with restricting access to law enforcement
    https://www.theregister.co.uk/2017/04/10/internet_society_full_encryption/

    The Internet Society has called for the full encryption of the internet, decrying the fact that securing the digital world has increasingly become associated with restricting access to law enforcement.

    In a blog post aimed at the leaders of the G20 economies, ISOC CEO Kathryn Brown argues that the digital economy “will only continue to thrive and generate opportunities for citizens if the Internet is strong, secure, and trusted,” adding: “Without this foundation, the global digital economy is at risk.”

    Engineering

    Internet engineers have long been strong advocates of increased online security (something that has been difficult since the internet’s earliest building blocks largely ignored the idea of malicious activity), and the Internet Society reflects that belief back: “Strong encryption is an essential piece to the future of the world’s economy and the Internet Society believes it should be the norm for all online transactions. It allows us to do our banking, conduct local and global business, run our power grids, operate communications networks, and do almost everything else.”

    Brown goes on: “Encryption is a technical building block for securing infrastructure, communications and information. It should be made stronger and universal, not weaker.”

    ISOC CEO Brown is not happy about how this conversation is defining the debate around encryption. “Rather than being recognized as the way to secure our online transactions or our conversations, all too often the debate focuses on the use of encryption as a way to thwart law enforcement,” she complains, arguing: “To undermine the positive role of encryption in the name of security could have devastating consequences.”

    The Internet Society is usually diplomatic to the point of saying nothing, so when its CEO says, “we should recognize that encryption is key to the future digital economy and stop treating it as simply an obstacle to law enforcement,” it is clear that the level of frustration among internet engineers is high.

    ISOC clearly sees July’s G20 Summit as the best opportunity to address that concern, with Brown calling it a “turning point that should not be missed.” And its position is stated simply: “The Internet Society calls for ubiquitous encryption for the Internet. We strongly believe that this is the best foundation for trust in the digital economy, and we urge the G20 nations to stand behind encryption.”

    Securing our Digital Economy
    https://www.internetsociety.org/blog/public-policy/2017/04/securing-our-digital-economy

    As G20 leaders from around the world gather this week, Germany wants them to agree to a concrete plan – one that includes affordable Internet access across the world by 2025, common technical standards and a focus on digital learning.

    Today, the G20 economies, like so many other economies around the world, are digital and interconnected. Digital services have opened up new avenues for sustainable economic growth. But, the digital economy will only continue to thrive and generate opportunities for citizens if the Internet is strong, secure, and trusted. Without this foundation, the global digital economy is at risk.

    Currently, there are 360 million people that take part in cross-border e-commerce. 28% of output in mature economies is digital. The Internet is set to contribute $6.6 trillion a year, or 7.1% of the total GDP in the G20 countries. And, by 2020, it’s estimated that more than 1 billion users will be added and there will be 30-50 billion additional connected devices. This level of interconnection will only boost the market.

    However, this cannot happen without a serious commitment by all parties to security and privacy. The truth is that economies can only function within a secure and trusted environment.

    Which brings us to encryption.

    If the G20 countries are serious about strengthening their economies and continuing to deliver economic and social prosperity to their citizens in future, there are three key principles they should endorse and implement immediately:

    1. Encryption is an important technical foundation for trust in the digital economy and should be the norm. All users (whether government, business or individual) should use encryption to protect infrastructure, communications and the privacy and integrity of their data. Encryption technologies should be strengthened, not weakened.

    2. The security of the digital economy is a shared responsibility that needs the expertise and experience of all stakeholders, across border and across disciplines. It is an urgent need that will require open, inclusive collaboration.

    3. Users’ rights should be at the heart of any decisions related to the digital economy. They are both the customers and the contributors to the success of the digital economy.

    The Internet Society calls for ubiquitous encryption for the Internet. We strongly believe that this is the best foundation for trust in the digital economy, and we urge the G20 nations to stand behind encryption.

    Reply
  25. Tomi Engdahl says:

    Justice Department Announces Actions to Dismantle Kelihos Botnet
    https://www.justice.gov/opa/pr/justice-department-announces-actions-dismantle-kelihos-botnet-0

    The Justice Department today announced an extensive effort to disrupt and dismantle the Kelihos botnet – a global network of tens of thousands of infected computers under the control of a cybercriminal that was used to facilitate malicious activities including harvesting login credentials, distributing hundreds of millions of spam e-mails, and installing ransomware and other malicious software.

    “The operation announced today targeted an ongoing international scheme that was distributing hundreds of millions of fraudulent e-mails per year, intercepting the credentials to online and financial accounts belonging to thousands of Americans, and spreading ransomware throughout our networks. The ability of botnets like Kelihos to be weaponized quickly for vast and varied types of harms is a dangerous and deep threat to all Americans, driving at the core of how we communicate, network, earn a living, and live our everyday lives,” said Acting Assistant Attorney General Blanco. “Our success in disrupting the Kelihos botnet was the result of strong cooperation between private industry experts and law enforcement, and the use of innovative legal and technical tactics. The Department of Justice is committed to combatting cybercrime, no matter the size or sophistication of the scheme, and to punish those who are engaged in such crimes.”

    Reply
  26. Tomi Engdahl says:

    5 Blockchain Trends for 2017
    http://www.eetimes.com/author.asp?section_id=36&doc_id=1331571&

    Blockchain moved beyond being just the technology behind bitcoin in 2016, showing it has the potential to disrupt many different industries.

    International payments

    Bitcoin proved blockchain could enable quick, cheap and safe transactions between peers without a third party. However, for large corporations, bitcoin is still far too volatile to be used as a currency.

    With fast, cheap payments, businesses will be able to start making smaller, more frequent transactions. Developers and engineers will need to design systems that can handle this change.

    Cloud storage

    The cloud is already having a huge impact on businesses and the way they operate. However, many are still concerned about privacy, cost, ownership and the power of big cloud providers like Amazon.

    Decentralized cloud storage offers an alternative, using open source blockchains. These technologies break up, encrypt and distribute files among many different nodes in a network.

    Blockchain-based cybersecurity

    Traditionally, IT systems are kept safe by building a security wall to keep intruders out. The problem with this approach is that security engineers are always one step behind the attackers, and it’s impossible to know if the security has been compromised at any given time.

    Blockchain-based solutions take a completely different approach. The data itself is encrypted, so there is no single point of failure. Also, thanks to the sequential hashing, the integrity of the data is guaranteed–it’s impossible to tamper with data without being detected.

    While this solves many of the difficult cybersecurity problems, it also opens up issues of scalability. Using mathematics to ensure integrity is computationally expensive, and gets worse as a network grows. It’s predicted that the bitcoin blockchain could use as much energy as Denmark by 2020.

    Supply blockchain management

A long time ago, supply chains revolutionized how our society runs; now supply chains are being revolutionized by blockchain. Current supply chains can lack transparency and traceability, two things at which blockchain excels.

    Music distribution

    The music industry has been living through a painful migration to digital technology since the debut of Napster in the 1990s. Once listeners could copy and send each other songs for free, music recordings lost their scarcity, and artists’ profits plummeted.

Projects are already attempting to implement crypto-based music distribution where songs are added to a blockchain and users pay for listening using a small amount of cryptocurrency.

    Reply
  27. Tomi Engdahl says:

    Microsoft Office Zero-Day Used to Push Dridex Banking Trojan
    https://www.bleepingcomputer.com/news/security/microsoft-office-zero-day-used-to-push-dridex-banking-trojan/

    The operators of the Dridex botnet are using the recently disclosed Microsoft Office zero-day to spread a version of their malware, the infamous Dridex banking trojan.

It is unclear at this time if the Dridex gang was the group that discovered the zero-day, or if they just figured out a way to exploit it after McAfee and FireEye disclosed public details over the weekend.

    Dridex campaign targeted Australian users

    According to cyber-security firm Proofpoint, who discovered the Dridex spam campaign delivering Word documents weaponized with this zero-day, the spam wave consisting of millions of emails targeted mainly Australia.

    Dridex Campaigns Hitting Millions of Recipients Using Unpatched Microsoft Zero-Day
    https://www.proofpoint.com/us/threat-insight/post/dridex-campaigns-millions-recipients-unpatched-microsoft-zero-day

This weekend saw multiple reports of a new zero-day vulnerability that affected all versions of Microsoft Word. Today, Proofpoint researchers observed the document exploit being used in a large email campaign distributing the Dridex banking Trojan. This campaign was sent to millions of recipients across numerous organizations primarily in Australia.

    Reply
  28. Tomi Engdahl says:

    Russian-owned Livejournal bans dissenting speech to please Putin
    Maybe now George R. R. Martin will finally move onto WordPress.
    https://www.engadget.com/2017/04/10/russian-owned-livejournal-bans-dissenting-speech-to-please-putin/

    Russia’s hardline stance against LGBTQ media is back in the news. This time it’s because a change in the terms of service for LiveJournal strictly prohibits users from posting “political solicitation materials” and anything “contradictory to the laws of the Russian Federation.” As AdVox notes, what constitutes as such is wide open for interpretation. But it’s feared that given recent history, this will be a uniform crackdown on posts that don’t fit the express purview of Russia, including political dissent and pro-LGBTQ stances.

    More than that, the Russian version of the ToS is the only legally binding one. Yup, even if you’re outside the aging social network’s new-ish home country. “Attention: this translation of the User Agreement is not a legally binding document. The original User Agreement, which is valid is located at the following address,” the top of the page read

    Reply
  29. Tomi Engdahl says:

    Exclusive: Spyware firms in breach of global sanctions
    http://www.aljazeera.com/news/2017/04/exclusive-spyware-firms-breach-global-sanctions-170405102959191.html

    Undercover investigation exposes inner workings of spy equipment companies selling to clients from sanctioned countries.

    Spy equipment producers are breaking laws and circumventing international sanctions by agreeing to sell stock to countries known for human rights abuses, and to clients who do not declare the end user – meaning surveillance tools could easily fall into the hands of armed groups, corporations, governments cracking down on dissent, or opposition leaders, an exclusive investigation by Al Jazeera reveals.

    During “Spy Merchants”, a four-month undercover operation, Al Jazeera secretly filmed representatives of two Italian companies and one Chinese business agreeing to sell spyware that is capable of tracking millions of people online and able to intercept phone calls and text messages without anyone finding out.

    Reply
  30. Tomi Engdahl says:

    Pornhub And YouPorn Are Adding Support for HTTPS Encryption
    https://motherboard.vice.com/en_us/article/pornhub-youporn-privacy-https-encryption?utm_source=mbtwitter

    Browse like no one’s watching.

    Porn sites need to have good security.

    “With this Internet communication protocol we can ensure not only the security of our platform, but also that of our users,”

    HTTPS provides several different benefits: it can protect data entered into a web page, such as passwords, meaning that if a hacker is sitting on the same network as you, they’ll be unable to read any intercepted sensitive info. HTTPS may also help users be a bit more sure they are visiting the genuine

    House Republicans voted to allow internet service providers to monetize their customers’ browsing histories; HTTPS may provide some protection

    Reply
  31. Tomi Engdahl says:

    GameStop looks into a potentially serious credit card breach
    Intruders may have taken key payment info from online shoppers.
    https://www.engadget.com/2017/04/09/gamestop-credit-card-breach/

    Did you shop at GameStop’s online store for the holidays, or take advantage of its post-holiday clearance sales? You might want to check your credit card statement. GameStop has confirmed to security guru Brian Krebs that it’s looking into a possible data breach that compromised credit card info between September 2016 and February 2017. Krebs’ financial industry sources claim that the intruders not only took card numbers, expiration dates and cardholder addresses, but the three-digit security number that’s ordinarily hard to get (as it’s not usually stored online).

    GameStop isn’t providing much official detail at this point, but it understands that the payment data may have been “offered for sale on a website.”

    Gamestop.com Investigating Possible Breach
    https://krebsonsecurity.com/2017/04/gamestop-com-investigating-possible-breach/

    Reply
  32. Tomi Engdahl says:

    British Payday Loan Firm Wonga Suffers Data Breach
    http://www.securityweek.com/british-payday-loan-firm-wonga-suffers-data-breach

    British payday loan company Wonga has informed customers that their personal and financial data may have been stolen in a cyberattack.

    According to Wonga, hackers gained unauthorized access to names, email addresses, physical addresses, phone numbers, partial payment card numbers (i.e. the last four digits), bank account numbers, and sort codes. The firm’s investigation is ongoing.

    Wonga says there is no evidence that passwords have been compromised, but users who are concerned can change their passwords as a precaution. Impacted individuals are being notified.

    The Guardian reported that the incident may have affected as many as 270,000 current and former customers in the United Kingdom and Poland. Roughly 245,000 of the potential victims are from the U.K.

    https://www.wonga.com/help/incident-faq

    Reply
  33. Tomi Engdahl says:

    Treat Security Like a Doctor, Not an EMT
    http://www.securityweek.com/treat-security-doctor-not-emt

    I love watching reality shows about paramedics. It is thrilling to see the EMTs rush to a scene and take immediate action to save the life of some unfortunate victim. They are often forced to guess the trauma or ailment of the patient and hope that the treatment they administer is the correct one.

    In cybersecurity, we often work the same way, and that is not necessarily a good thing. We are often required to make snap decisions about which files are safe and which are potentially toxic, and we are constantly rushing and responding to alerts about something bad that has already happened. As defenders, it feels as though we never have the time to take a measured, thoughtful approach.

    Wouldn’t it be great if we could spend more time acting like the doctors and surgeons who work away from emergency rooms and ICUs? Doctors are afforded adequate time to assess the situation and run tests so that they can fully understand the details of the problem, and plan their response before administering treatment.

    The need to decide and act in real time is one of the biggest problems for our security systems. A network gateway device has only milliseconds to decide if an observed file is safe or not and many protocols, including HTTP, cannot tolerate significant delays. As a result, we are forced to use fast but unreliable indicators to decide which files to ignore, and which to block. Like the EMT, we are up against the clock and working without enough information. Inevitably, we will allow infected files through, and wind up blocking files that are clean. False positives create a usability problem, and false negatives let malware penetrate our networks.

    In emergency medicine, doctors often order tests where the results will not be known until treatment has been underway for some time. If the doctor’s diagnosis of the condition is wrong, the situation could go from bad to worse.

    Similarly, many security architectures provide a second level of screening where files that originally passed the quick scan are examined more carefully. This can involve static analysis, detonation, and other approaches which are much more reliable but can take up to a couple of minutes to complete. By the time the tests indicate that a file should have been blocked it has had plenty of time to infect the endpoint. The defenders are forced to respond and recover to clean up the infection before it causes damage or spreads.

    Over the last few years, email gateways have gotten really good at scanning for malware attachments. Why? Because email is a store and forward protocol. The gateway can take as much time as it needs to analyze any file.

    Does that mean organizations are not getting attacked through email anymore? Not at all.

    It would be great if we could keep the user’s web connection real time, scan at leisure, and still not let anything dangerous through to the desktop.

    The trick is to move where the critical testing takes place. Just because an infected file reaches the browser does not need to mean that the user’s desktop will be compromised. You can break up the data flow separating the browsing from the movement of the file to the desktop. If the browser is properly isolated, any malware will be trapped in that tiny container.

  34. Tomi Engdahl says:

    First Comes Business Risk Intelligence, then Comes Digital Risk Monitoring
    http://www.securityweek.com/first-comes-business-risk-intelligence-then-comes-digital-risk-monitoring

    Then, as is the case of all emerging technology use cases, market confusion began. Is social media really important in business? Is it digital marketing? Is it social media for business? Is it social marketing? Does it fit in lead generation or communications?

    In the end, it was rightly determined that social media is merely a tactical approach that is part of a bigger marketing and business strategy

    Fast forward to the mid-2010s, and we’re in a similar dilemma with the crowded cyber threat intelligence (CTI) market, especially in the discussion around digital risk monitoring. According to Forrester, digital risk is assessing cyber risk, brand risk, and physical risk emanating from open web properties, social networks, and some computer and mobile applications. Much like tactical social media tools, a good intelligence-rich strategy needs to be developed in advance of any digital risk monitoring implementation in order to be most effective.

    Business Risk Intelligence (BRI), on the other hand, provides strategic intelligence gleaned from the Deep & Dark Web that informs organizations of what the actual threats are that are critical to their business. While many organizations do have digital risk monitoring in addition to BRI, many organizations end up adding BRI later on to address the intelligence gap that digital risk monitoring approaches leave open. Many concerns often stem from missed information around insider threats, fraud, anti-money laundering, geopolitical intelligence, supply chain, and a need for more sophisticated threat actor profiling, or directed actor engagement.

  35. Tomi Engdahl says:

    It’s time to publicly shame United Airlines’ so-called online security
    https://techcrunch.com/2016/08/13/its-time-to-publicly-shame-united-airlines-so-called-online-security/?sr_share=facebook
    was bad enough when they replaced their free-form password security questions with drop-down selections — I am not making this up — for “Your favorite artist,” “Your favorite pizza topping,” etc.

    it’s a kind of idiocy that seems to be common to large organizations.

    The thing that bumbling bureaucrats like United’s security team never seem to realize is: you don’t make your systems more secure by making them hard to use. They will react by trying to make it easy again

    First, you are compounding your flawed-because-user-hostile security problems by forcing people to use it more often. Second, you are calling that “two-factor authorization,”

    You have adopted security Dadaism, or security Situationism, rather than security engineering?

    Two-factor authorization has a specific meaning: most often, it’s “something you know, something you have.” It actually does make you much more secure! (Even if you use SMS, which you probably shouldn’t, because SS7 flaws, etc.) Two-factor authentication is not “enter your password, then answer stupid arbitrarily / externally chosen security questions.”

    So I stand by my original suggestions. Sack them, burn it, and salt the remains.

  36. Tomi Engdahl says:

    Time to rethink mandatory password changes
    https://www.ftc.gov/news-events/blogs/techftc/2016/03/time-rethink-mandatory-password-changes

    Data security is a process that evolves over time as new threats emerge and new countermeasures are developed. The FTC’s longstanding advice to companies has been to conduct risk assessments, taking into account factors such as the sensitivity of information they collect and the availability of low-cost measures to mitigate risks.

    What was reasonable in 2006 may not be reasonable in 2016. This blog post provides a case study of why keeping up with security advice is important. It explores some age-old security advice that research suggests may not be providing as much protection as people previously thought.

    But my favorite question about passwords is: “How often should people change their passwords?” My answer usually surprises the audience: “Not as often as you might think.”

    I go on to explain that there is a lot of evidence to suggest that users who are required to change their passwords frequently select weaker passwords to begin with, and then change them in predictable ways that attackers can guess easily. Unless there is reason to believe a password has been compromised or shared, requiring regular password changes may actually do more harm than good in some cases.

    Mandated password changes are a long-standing security practice

    While some experts began questioning this practice (link is external) at least a decade ago, it was only in the past few years that published research provided evidence that this practice may be less beneficial than previously thought, and sometimes even counterproductive.

    The Carleton researchers demonstrate mathematically that frequent password changes only hamper such attackers a little bit, probably not enough to offset the inconvenience to users.

  37. Tomi Engdahl says:

    Dridex Attacks Exploit Recent Office 0-Day
    http://www.securityweek.com/dridex-attacks-exploit-recent-office-0-day

    A recently revealed zero-day vulnerability in Microsoft Office is being exploited by the Dridex banking Trojan to compromise unsuspecting victims’ computers, Proofpoint security researchers warn.

    Detailed recently by McAfee and FireEye, the zero-day allows an attacker to achieve code execution on compromised machines. Leveraging Office’s Object Linking and Embedding (OLE) functionality, an attacker could create a malicious RTF (Rich Text Format) document that links to an HTA (HTML Application) file hosted on remote servers, which in turn executes a malicious Visual Basic script.

    According to Proofpoint, the vulnerability is currently being exploited in malicious documents that millions of recipients across various organizations primarily in Australia have received via email, and which eventually led to the Dridex Trojan being installed on the compromised system.

  38. Tomi Engdahl says:

    Microsoft Patches Office, IE Flaws Exploited in Attacks
    http://www.securityweek.com/microsoft-patches-office-ie-flaws-exploited-attacks

    Microsoft’s security updates for April 2017 address more than 40 critical, important and moderate severity vulnerabilities, including three zero-day flaws that have been exploited in attacks.

    According to Microsoft, the updates resolve flaws affecting Edge, Internet Explorer, Windows, Office, Visual Studio for Mac, .NET Framework, Silverlight and Adobe Flash Player components.

    One of the zero-days patched by Microsoft this month is CVE-2017-0199, an Office and WordPad vulnerability that can be exploited for remote code execution. The security hole has been exploited in the wild by malicious actors to deliver various pieces of malware, including Dridex, WingBird, Latentbot and Godzilla.

    Another vulnerability that has been actively exploited is CVE-2017-0210, a privilege escalation weakness affecting Internet Explorer.

  39. Tomi Engdahl says:

    Mandatory Certificate Authority Authorization Checks Will Boost Domain Security
    http://www.securityweek.com/mandatory-certificate-authority-authorization-checks-will-boost-domain-security

    The issuance of SSL/TLS (Secure Sockets Layer/Transport Layer Security) certificates is expected to become a more secure process this September, after the implementation of mandatory Certificate Authority Authorization (CAA) checks.

    After Certificate Authorities (CAs) and browser makers voted last month to make CAA checking mandatory, the new standard will be implemented starting September 8, 2017, according to Ballot 187 on the CA/Browser Forum site. Starting then, all CAs will have to check CAA records at issuance time for all certificates, which should prevent them from issuing certificates if not permitted to.

    CAA is a DNS Resource Record that “allows a DNS domain name holder to specify one or more Certification Authorities (CAs) authorized to issue certificates for that domain and, by implication, that no other CAs are authorized.”

    Domain owners will be able to set an issuance policy that all publicly-trusted CAs should comply with, thus preventing CAs from wrongfully issuing HTTPS certificates. This new standard should also mitigate the issue that “the public CA trust system is only as strong as its weakest CA,” Ballot 187 also reveals.

    Apparently, CAA checking isn’t required in specific scenarios,

    17 out of 19 voting CAs (94%) voted in favor of the new CAA standard. All three participating browser makers (Mozilla, Google, and Apple) voted in favor.

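    As an added illustration (not part of the quoted article or the CA/Browser Forum text), this is the CAA check a CA performs at issuance time, evaluated offline against a small constructed zone: the lookup climbs to the parent when a name has no CAA set, issuewild takes precedence for wildcard names, an empty issuer domain (";") forbids issuance, and an unknown tag with the critical flag blocks issuance. All names and records below are constructed assumptions, not real DNS data.

```python
"""Evaluate CAA records for a certificate request, offline, against a constructed zone."""
from dataclasses import dataclass


@dataclass(frozen=True)
class CAARecord:
    flags: int   # bit 7 (value 128) = issuer critical
    tag: str     # "issue", "issuewild", "iodef", ...
    value: str   # e.g. "ca-a.example" or "ca-a.example; account=123"


# Constructed sample zone (hypothetical names, not real DNS): name -> CAA RRset.
SAMPLE_ZONE = {
    "example.com": [
        CAARecord(0, "issue", "ca-a.example"),
        CAARecord(0, "issuewild", ";"),   # ';' = nobody may issue wildcard certs
        CAARecord(0, "iodef", "mailto:security@example.com"),
    ],
    "locked.example.com": [CAARecord(0, "issue", ";")],            # nobody may issue
    "only-iodef.example.net": [CAARecord(0, "iodef", "mailto:soc@example.net")],
    "strict.example.org": [CAARecord(128, "futuretag", "something")],  # critical, unknown
}


def relevant_caa_set(fqdn, zone):
    """Climb towards the root and return the first non-empty CAA RRset found."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]), [])
        if rrset:
            return rrset
    return []


def issuer_domain(value):
    """The issuer domain is everything before the first ';'; parameters follow it."""
    return value.split(";", 1)[0].strip().lower()


def caa_permits(fqdn, ca_domain, zone):
    """Return True if the CAA policy allows `ca_domain` to issue a cert for `fqdn`."""
    wildcard = fqdn.startswith("*.")
    lookup = fqdn[2:] if wildcard else fqdn
    rrset = relevant_caa_set(lookup, zone)
    if not rrset:
        return True   # no CAA record anywhere up the tree: no restriction
    known = {"issue", "issuewild", "iodef"}
    if any(r.flags & 128 and r.tag.lower() not in known for r in rrset):
        return False  # critical flag on a tag the CA does not understand: must not issue
    tag = "issue"
    if wildcard and any(r.tag.lower() == "issuewild" for r in rrset):
        tag = "issuewild"   # wildcard requests prefer issuewild, else fall back to issue
    relevant = [r for r in rrset if r.tag.lower() == tag]
    if not relevant:
        return True   # only non-restricting tags such as iodef: issuance unrestricted
    return any(issuer_domain(r.value) == ca_domain.lower() for r in relevant)
```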
  40. Tomi Engdahl says:

    Cybercriminals Target Amazon Third-Party Sellers With Password Reuse Attacks
    http://www.securityweek.com/hackers-targeting-amazon-third-party-sellers-password-reuse-attacks

    Cyber criminals are re-using stolen passwords to access the accounts of third-party sellers on Amazon. They then change the bank account details and simply redirect customer payments to their own bank accounts. Where they find an old and disused account, they promote non-existent deals with heavy discounts, and again divert the proceeds to their own bank account. It should be noted that this is not an attack against Amazon users, but against Amazon third-party sellers.

    It would be wrong to say that Amazon is being hacked. Legitimate passwords are being used to access legitimate accounts. These passwords come from the billions of stolen passwords available on the internet. Where there is a fault, it is in users’ continued tendency to use the same password across multiple accounts; and to rarely, if ever, change them.

  41. Tomi Engdahl says:

    Beyond Nation-states: The Disappearing Line Between Attacker Capabilities
    http://www.securityweek.com/beyond-nation-states-disappearing-line-between-attacker-capabilities

    In the incident response world, we used to draw a clear line between the capabilities of attackers affiliated with nation-states and those not affiliated with any nation-state. Nation-state attackers always seemed to be the most well equipped and the most sophisticated attackers. Then, over the last few years, that line began to blur.

    The sophistication of attackers with criminal or financial, rather than nation-state motives began to increase significantly. We now find ourselves in a completely different threat landscape. As the 2017 M-Trends report notes, “Today, the line between the level of sophistication of certain financial attackers and advanced state sponsored attackers is not just blurred – it no longer exists.”

    Am I saying that we no longer need to worry about nation-state attackers? No, of course not. Rather, what I am saying is that most organizations should probably be paying far more attention to criminal attack groups than they currently do.

    One of the key takeaways I hope the reader will take from this piece is that organizations should not be lured into a false sense of security if they deal in information or data that are not typically sought after by nation-state attackers.

    There is a whole other world out there once we look beyond nation-states. It pays to be prepared.

  42. Tomi Engdahl says:

    Security Leaders: When Dealing with DevOps, Get Your Mind Right
    http://www.securityweek.com/security-leaders-when-dealing-devops-get-your-mind-right

    Security Cannot Exist in a Vacuum – it Must be Integrated With the Entirety of an Organization’s Strategy

    It is a simple fact – members of security teams will be outnumbered by members of development teams, and in most organizations, will probably be politically outgunned as well. This is because development teams support lines of business by innovating, delivering new products, and providing immediate value to stakeholders. Security acts in a risk management capacity – protecting against potential bad things that could happen in the future. They are also – in many organizations – perceived as the “department of no,” hampering the value-producing efforts of development teams. To combat this, security teams need to learn to look at the big picture and understand the context in which their security efforts are being deployed. Given this perspective, security leaders can look for opportunities to influence the conversation and stay relevant as organizations undertake strategic initiatives such as the shift to DevOps.

  43. Tomi Engdahl says:

    Every Tornado Siren In Dallas Hacked
    http://hackaday.com/2017/04/12/every-tornado-siren-in-dallas-hacked/

    Someone had some fun with the Dallas early warning tornado siren system on Friday, April 8th. All 156 tornado sirens were hacked to go off just before midnight until they were manually turned off individually, reports The Washington Post. Thousands of residents flooded 911 call centers asking if they were under attack, if there was a tornado or if the zombie apocalypse had begun. The sirens were blaring for at least an hour, and the incident was originally put down as a malfunction; however, it was later revealed that it was a hack and the “hacker” must have had physical access to the siren control center.

    This isn’t the first time Dallas has had problems with “hackers” breaking into their infrastructure. Only last year some unknown person/persons hacked electronic road signs

    UPDATE: This hack seems to have been accomplished via DTMF signals broadcast on radio frequency in the clear. Recognizing the vulnerability after the fact, the system is now using some form of encryption for the control messages.

    Someone hacked every tornado siren in Dallas. It was loud.
    https://www.washingtonpost.com/news/the-intersect/wp/2017/04/09/someone-hacked-every-tornado-siren-in-dallas-it-was-loud/

  44. Tomi Engdahl says:

    OWASP Proposes New Vulnerabilities for 2017 Top 10
    http://www.securityweek.com/owasp-proposes-new-vulnerabilities-2017-top-10

    The Open Web Application Security Project (OWASP) announced on Monday the first release candidate for the 2017 OWASP Top 10, which proposes two new vulnerability categories.

    The new categories proposed for OWASP Top 10 – 2017 are “insufficient attack detection and prevention” and “unprotected APIs.”

    https://github.com/OWASP/Top10/blob/master/2017/OWASP%20Top%2010%20-%202017%20RC1-English.pdf

  45. Tomi Engdahl says:

    Cloud adoption and increasing threats drive enterprise encryption usage
    https://betanews.com/2017/04/13/cloud-threats-enterprise-encryption/

    Enterprises are accelerating their use of encryption and the strategy is being driven by business units rather than IT teams.

    This is among the findings of a study into encryption habits by cyber security company Thales, based on research carried out by the Ponemon Institute. It finds that 41 percent of enterprises now have an encryption strategy in place.

    Among the key findings are that 67 percent of respondents take one of two routes; they either perform encryption on premise prior to sending data to the cloud, or encrypt in the cloud using keys they generate and manage on premises. Slightly concerning is that 37 percent say their organizations turn over complete control of keys and encryption processes to cloud providers.

    The report shows the top driver for encryption is compliance at 55 percent, followed closely by protecting enterprise intellectual property (51 percent), customer information protection (49 percent) and protection from external threats (49 percent).

  46. Tomi Engdahl says:

    Half-baked security: Hackers can hijack your smart Aga oven ‘with a text message’
    This IoT goose is cooked
    https://www.theregister.co.uk/2017/04/13/aga_oven_iot_insecurity/

  47. Tomi Engdahl says:

    VPN Providers Report Huge Increase In Downloads, Usage Since Privacy Rules Were Repealed
    https://yro.slashdot.org/story/17/04/12/2225255/vpn-providers-report-huge-increase-in-downloads-usage-since-privacy-rules-were-repealed

    A number of major VPN providers reported a significant increase in subscriptions, downloads, and traffic from Americans since the U.S. Congress voted to repeal the Broadband Consumer Privacy Rules that would have mandated internet service providers get user permission before collecting information.

  48. Tomi Engdahl says:

    $1 billion worth of United Airlines’ market value gone – what you can learn from its incident response
    http://cybersecurityproject.com/incident-response-lesson-learned-from-1-billion-worth-united-airlines-market-value-gone/

    So, as someone in the Cybersecurity field, what can you learn from this breaking news?
    Lesson #1 – Never underestimate the impact of a security incident
    Lesson #2 – Get prepared for possible scenarios
    Lesson #3 – Follow a right incident handling process

    I am not sure how United Airlines will eventually recover from this incident. But hopefully this $1 billion worth of a lesson will remind you to look into your incident response process before it is too late.

  49. Tomi Engdahl says:

    We Know What You’re Watching (Even If It’s Encrypted)
    http://spectrum.ieee.org/tech-talk/telecom/security/we-know-what-youre-watching-even-if-its-encrypted

    The company has been protecting video streams with HTTPS encryption since the summer of 2016. But new research indicates that this strategy is not sufficient to keep third party service providers and motivated attackers from getting a peek at what I’m watching.

    Two recent papers, one from West Point Academy, and one by a collection of authors at Tel Aviv University and Cornell Tech, lay out methods for identifying videos by performing straightforward traffic analysis on encrypted data streams.
