Year 2017 will not bring any turn towards better data security. The internet is rife with threats, the well-known ones and the unknown ones alike, and company systems are expected to withstand them. Hackers are going to continue to look for new ways to extort and steal information from businesses and organizations, which unfortunately means those businesses and organizations will have to continue to look for new ways to protect themselves.
Critical infrastructure comes under attack in 2017. Critical infrastructure must be better protected from criminals and terrorists who take advantage of the modern technologies that are essential for the functioning of society and the economy. The IT security of industrial control systems (ICS), energy grids and IoT networks needs to be improved in 2017.
There is a push for better web security in 2017. Beginning in January 2017 (Chrome 56), Google Chrome marks HTTP pages that collect passwords or credit card details as "Not secure", the first step of a long-term plan to mark all HTTP sites as non-secure.
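A site owner who wants to know in advance which pages Chrome will flag can scan the markup for the triggering fields. The following is an added example (not from this post and not Google's own detection logic): it walks an HTML document with the standard-library parser and reports password fields, and fields carrying credit-card `autocomplete` tokens, that are either served over plain HTTP or posted to a plain-HTTP form action. The sample page is constructed; the use of `autocomplete` tokens as a proxy for Chrome's credit-card field heuristics is an approximation of my own.

```python
"""Audit HTML for the inputs that make Chrome 56+ flag an HTTP page as 'Not secure'.
Added example; the sample markup below is constructed for the demo."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

SENSITIVE_TYPES = {"password"}
# Assumption: autocomplete tokens stand in for Chrome's credit-card field heuristics.
SENSITIVE_AUTOCOMPLETE = {"cc-number", "cc-csc", "cc-exp", "cc-exp-month", "cc-exp-year", "cc-name"}


class _FormScanner(HTMLParser):
    """Collect sensitive <input> elements together with the form they submit to."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.form_action = None  # absolute action URL of the form currently open
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing/empty action submits back to the page itself.
            self.form_action = urljoin(self.page_url, a.get("action") or "")
        elif tag == "input":
            kind = (a.get("type") or "text").lower()
            ac = (a.get("autocomplete") or "").lower()
            if kind in SENSITIVE_TYPES or ac in SENSITIVE_AUTOCOMPLETE:
                self.findings.append({
                    "field": a.get("name") or a.get("id") or kind,
                    "kind": kind if kind in SENSITIVE_TYPES else ac,
                    "submits_to": self.form_action or self.page_url,
                })

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_action = None


def insecure_sensitive_fields(page_url, html):
    """Return sensitive fields that are served over, or posted to, plain HTTP.

    Chrome's warning keys off the page origin; a form that posts to an http://
    action from an https:// page is a separate exposure, so both are reported.
    """
    scanner = _FormScanner(page_url)
    scanner.feed(html)
    page_http = urlsplit(page_url).scheme == "http"
    out = []
    for f in scanner.findings:
        target_http = urlsplit(f["submits_to"]).scheme == "http"
        if page_http or target_http:
            f["reason"] = "page over http" if page_http else "form posts to http"
            out.append(f)
    return out


# Constructed sample page: a login form, a legacy form posting to http://, a card form.
SAMPLE_HTML = """<html><body>
<form action="/login" method="post">
  <input name="user" type="text">
  <input name="pw" type="password">
</form>
<form action="http://legacy.example.com/auth" method="post">
  <input name="old_pw" type="password">
</form>
<form action="https://pay.example.com/charge" method="post">
  <input name="cc" autocomplete="cc-number">
</form>
</body></html>"""

if __name__ == "__main__":
    for url in ("http://shop.example.com/", "https://shop.example.com/"):
        print(url)
        for finding in insecure_sensitive_fields(url, SAMPLE_HTML):
            print("  ", finding)
```

Run over the constructed page, the http:// origin yields all three fields (the page itself is the problem), while the https:// origin yields only the password field that is posted to the legacy http:// endpoint.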
SHA-1 is insecure. Public CAs stopped issuing SHA-1 certificates at the start of 2016, and the major browser makers, including Microsoft, Google and Mozilla, have announced that from early 2017 their browsers will no longer trust sites that present SHA-1 certificates and will mark them as insecure. Still, one third of websites use SHA-1 certificates despite the looming deadline. SHA-1 will hang around, like a fart in a spacesuit, for many years to come, because some operators simply will not make the change.
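To find out which of your own servers are still presenting SHA-1 certificates you only need the signature algorithm OID from each certificate in the chain. The following is an added example, not code from this post or from any browser vendor: a minimal DER walk (Certificate is a SEQUENCE of tbsCertificate, signatureAlgorithm, signatureValue) that decodes the outer signatureAlgorithm OID and classifies its hash. The `fake_cert` builder constructs a structurally valid stand-in so the block runs offline; on a real host, feed the PEM blocks from `openssl s_client -connect host:443 -showcerts` to `pem_to_der`.

```python
"""Report the signature hash of an X.509 certificate from its DER encoding.
Added example; the certificate built by fake_cert() is a constructed stand-in."""
import base64
import re

# OID -> (algorithm name, hash) for the signature algorithms seen in the wild
SIG_OIDS = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "sha1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "sha256"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "sha384"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "sha512"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "sha1"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "sha256"),
    "1.2.840.10045.4.3.3": ("ecdsa-with-SHA384", "sha384"),
}


def _read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER TLV starting at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """Decode OBJECT IDENTIFIER content octets to dotted form (base-128 sub-ids)."""
    parts = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(value)
            value = 0
    return ".".join(map(str, parts))


def signature_algorithm(cert_der):
    """Return (oid, name, hash) of the certificate's outer signatureAlgorithm."""
    _, cert_body, _ = _read_tlv(cert_der, 0)      # Certificate ::= SEQUENCE
    _, _, pos = _read_tlv(cert_body, 0)           # skip tbsCertificate
    _, alg_id, _ = _read_tlv(cert_body, pos)      # AlgorithmIdentifier ::= SEQUENCE
    tag, oid_raw, _ = _read_tlv(alg_id, 0)        # first element is the OID
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER in AlgorithmIdentifier")
    oid = _decode_oid(oid_raw)
    name, hash_name = SIG_OIDS.get(oid, ("unknown", "unknown"))
    return oid, name, hash_name


def uses_sha1(cert_der):
    return signature_algorithm(cert_der)[2] == "sha1"


def pem_to_der(pem_text):
    """Extract the first CERTIFICATE block from PEM text and base64-decode it."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    return base64.b64decode("".join(m.group(1).split()))


# --- constructed stand-in certificate, so the example runs without a network ---
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = [parts[0] * 40 + parts[1]]
    for v in parts[2:]:
        chunk = [v & 0x7F]
        v >>= 7
        while v:
            chunk.append(0x80 | (v & 0x7F))
            v >>= 7
        out.extend(reversed(chunk))
    return _der(0x06, bytes(out))


def fake_cert(sig_oid):
    """Constructed certificate: only the outer structure matters to the parser,
    so tbsCertificate is filler (long enough to exercise long-form lengths)."""
    tbs = _der(0x30, b"\x00" * 200)
    alg = _der(0x30, _oid(sig_oid) + _der(0x05, b""))   # OID + NULL parameters
    sig = _der(0x03, b"\x00" + b"\x01" * 32)
    return _der(0x30, tbs + alg + sig)


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.10045.4.3.2"):
        print(signature_algorithm(fake_cert(oid)))
```

Apply the check to every certificate in the chain except the self-signed root: browsers do not verify the root's own signature, so a SHA-1 root is harmless, but a SHA-1 intermediate or leaf is exactly what triggers the warning.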
There will be changes in how businesses view security in 2017. Cloud adoption will likely continue to grow across the United States, network visibility will no longer be optional, AI and machine learning will shake up old security models, and IoT-powered attacks will continue to rise. All of this will factor into how businesses set up, monitor and secure their networks.
The commoditization of cyberattacks will make them more frequent in 2017. More and more companies suffer business disruption due to cyber attacks. Cyber attacks cause companies significant financial losses, yet studies show that companies are not prepared for them. According to Gartner, by 2018 only 40 per cent of large enterprises will have formal plans to address aggressive cyber attacks that disrupt business, up from zero per cent in 2015.
Strap yourself in for a bumpy ride in 2017. 2016 sucked. 2017 won't be much better, sorry. DDoS attacks have been around since at least 2000, and they're not going away; as the number of devices online grows, the volume and velocity of these attacks grows with it. DDoS attack toolkits have been around for years, as have services that let you pay for an attack, and we will see more of them. 2017 promises to be the most dramatic year yet for DDoS: whale-sized attacks will increase, the Internet of Things (IoT) and other connected devices will become a bigger factor, and DDoS used for extortion will overshadow ransomware.
Biometric identification will become more common in 2017, but it will not replace passwords. Fingerprint identification has become increasingly common in smartphones, and the technology is already fast and reliable. Biometric identification devices worth 4.5 billion dollars were sold this year (most of them in smartphones and laptops); 91 per cent of biometric sales were fingerprint sensors, four per cent face recognition and three per cent iris recognition.
Biometrics won't kill passwords any time soon. Even though PIN codes and passwords are pretty lousy protection against a skilled cybercriminal, the password will never disappear entirely: about two per cent of the world's population has fingerprints that are not suitable for biometric identification. Other biometric identification systems have similar limitations and/or are not yet commonly available at reasonable cost. While biometrics, including fingerprint, face, iris, palm and speech recognition, will continue to grow as a substitute for passwords, they will not render passwords obsolete. Until the other biometrics become commonplace, passwords are here to stay, probably until circa 2030.
The fight over encryption and backdoors is not over in 2017. Many public figures in law enforcement have consistently argued that device encryption presents a new threat to police powers of investigation. On the other side, the House Judiciary Committee's Encryption Working Group report says encryption backdoors pose a security threat, siding with tech experts. The problem is that any system allowing police to get into an encrypted system (a phone, a computer or a communications service) could also be exploited by criminals. Any action in this space should weigh short-term benefits against long-term impacts. Many industry experts will rightly tell you there is no such thing as partial encryption: you either have a fully capable system or none at all.
Given the security events of 2016, coupled with the rapid advancement and adoption of cloud computing, 2017 will be the year in which many finally accept that network infrastructure and security have to be rethought from the ground up. In 2017 the cloud will also become a risk for users, as cloud services become targets for extortion and IoT devices open new ways in.
The arms race between network attacks and network defence is accelerating. Crippling Internet services with denial-of-service attacks is becoming more common throughout the world, IoT-powered attacks will continue to rise, and stopping an attack is not easy. For most companies the key thing is that the attack traffic is stopped before it reaches the company's Internet connection or servers, which means relying more on telecom operators and external scrubbing services. Besides disrupting service, denial-of-service attacks are often used as a distraction during the actual data theft. DDoS may take over from ransomware as the main cause for concern.
In 2017 IT and security professionals will talk more about business risks. Historically, firewalls, DLP, antivirus, SIEM and other technical point solutions have been the centerpiece of security conversations, but the mindset is slowly shifting from technology to risk. The goal of stopping all attacks and preventing all business impact has been recognized as a fool's errand; the focus has shifted to measuring risk and minimizing business impact. Cyber security is increasingly being viewed as a risk management problem.
In 2017 'security' must be added to our existing ethical and philosophical concerns over artificial intelligence and algorithms. Algorithms will soon run the world. They raise problems that are seriously questioned on both ethical and philosophical grounds, and they have become the basis of fictional Armageddons.
Cyber insurance will be considered more often as one solution for handling cyber risks in 2017. The global cyber insurance market is expected to generate $14 billion by 2022, according to a new report published by Allied Market Research (AMR). That figure represents a compound annual growth rate (CAGR) of nearly 28% from 2016 to 2022.
In 2017 Big Brother will be watching you 24/7. Those of you who've read George Orwell's 1984 or seen the film will remember how the citizens of the fictitious totalitarian state of Oceania are constantly under surveillance by order of its dictator, Big Brother. Now swap your home desktop computer, laptop or smartphone for the fictitious telescreen: not only are you sitting in front of a modern-day version of the Big Brother telescreen, you are also carrying one around in your pocket or handbag. Sound a bit far-fetched? It is set to become a reality in many countries.
Users will want better security, or at least to feel more secure, in 2017. Many people are prepared to go to extremes for it. According to a recent Harris Poll survey of over 2,000 adults, nearly 40% of Americans would give up sex for a year, or their favourite food, in exchange for better online security that meant they'd never have to worry about being hacked. When you consider that 87 percent of U.S. adults use the internet, it makes sense that cyber security is one of the biggest concerns today. The single biggest thing people can do to keep their online identity safe is probably the easiest: a solid password that is not shared with other people. Still, nearly 50% of people have shared a password to an e-mail account or to an account like Netflix.
Security becomes a multi-system issue, and more people are talking about it. Design teams will have to bake security strategies in from the start, no matter how insignificant the device. The good news is that more people are talking about the issue. The real challenge is packing enough security features into designs to prevent breaches of every sort, including those that come from other electronics that weren't even considered part of the design process. As devices get more sophisticated, so do hackers. Security breaches can even cause physical harm. It's time to look at this at a multi-system, multi-disciplinary level; otherwise we could literally be playing with fire.
Blockchains have been a big trend for several years, and the blockchain market is divided as 2017 starts. During autumn 2016 we saw a number of cooperation initiatives between the financial sector and consulting companies. Microsoft has chosen the Ethereum blockchain platform and offers it on its Azure cloud service; IBM has jumped on the Hyperledger consortium bandwagon and offers its own blockchain on its Bluemix service. Google and Amazon are conspicuous by their absence. Even banks may prefer to run their blockchains in the cloud.
Other prediction articles worth a look:
What Lies Ahead for Cybersecurity in 2017?
Network Infrastructure, Visibility and Security in 2017
DDoS in 2017: Strap yourself in for a bumpy ride
Cybersecurity Industry Outlook: 2017 to 2021 | CSO Online
IBM’s Cybersecurity Predictions for 2017 – eForensics
https://eforensicsmag.com/ibms-cybersecurity-predictions-2017/
Top 5 Cybersecurity Threats to Watch Out for in 2017
Experts Hopeful as Confidence in Risk Assessment Falls
3,151 Comments
Tomi Engdahl says:
Tova Cohen / Reuters:
Report: US private equity firm Blackstone Group in advanced talks to buy 40% of Israeli hacking tools maker NSO Group for $400M
Blackstone in talks to buy 40 percent of Israel cyber firm NSO: report
http://www.reuters.com/article/us-nso-m-a-blackstone-idUSKBN1A807M
TEL AVIV (Reuters) – Blackstone Group (BX.N) is in advanced talks to acquire 40 percent of Israeli cyber firm NSO Group for $400 million, Israel’s Calcalist business newspaper reported on Sunday.
Another investor – ClearSky – is expected to join Blackstone in the deal as a secondary buyer for 10 percent, Calcalist said.
Founded in 2009 by Omri Lavie and Shalev Hulio, NSO makes software that can target mobile phones to gather information.
Tomi Engdahl says:
Ouch…..
‘Sweden’s Transport Agency moved all of its data to “the cloud”, apparently unaware that there is no cloud, only somebody else’s computer. In doing so, it exposed and leaked every conceivable top secret database: fighter pilots, SEAL team operators, police suspects, people under witness relocation. Names, photos, and home addresses: the list is just getting started.’
‘Many governments have had partial leaks in terms of method (Snowden) or relations (Manning) lately, but this is the first time I’m aware that the full treasure chest of every single top-secret governmental individual with photo, name, and home address has leaked.’
Repeat after me: sensitive and business-critical information does not belong in the cloud.
Worst known governmental leak ever is slowly coming to light: Agency moved nation’s secret data to “The Cloud”
https://www.privateinternetaccess.com/blog/2017/07/swedish-transport-agency-worst-known-governmental-leak-ever-is-slowly-coming-to-light/
Sweden’s Transport Agency moved all of its data to “the cloud”, apparently unaware that there is no cloud, only somebody else’s computer. In doing so, it exposed and leaked every conceivable top secret database: fighter pilots, SEAL team operators, police suspects, people under witness relocation. Names, photos, and home addresses: the list is just getting started. The responsible director has been found guilty in criminal court of the whole affair, and sentenced to the harshest sentence ever seen in Swedish government: she was docked half a month’s paycheck.
Many governments have had partial leaks in terms of method (Snowden) or relations (Manning) lately, but this is the first time I’m aware that the full treasure chest of every single top-secret governmental individual with photo, name, and home address has leaked. It goes to show, again, that governments can’t even keep their most secret data under wraps — so any governmental assurances to keep your data safe have as much value as a truckload of dead rats in a tampon factory.
It started out with a very speedy trial where a Director General in Sweden was fined half a month’s pay.
On digging, it turns out the Swedish Transport Agency moved all its data to “the cloud”, as managed by IBM, two years ago. Something was found amiss when the Director General of the Transport Agency, Maria Ågren, was quickly retired from her position this January — but it was only on July 6 that it became known that she was found guilty of exposing classified information in a criminal court of law. The scandal quickly escalated from there.
Let’s be clear: if a common mortal had leaked this data through this kind of negligence, the penalty would be life in prison. But not when done by the government themselves. Half a month’s pay was the harshest conceivable sentence.
Tomi Engdahl says:
How the Swedish administration leaked EU’s secure STESTA intranet to Russia, then tried glossing over it
https://www.privateinternetaccess.com/blog/2017/07/swedish-administration-tried-glossing-leaking-eus-secure-stesta-intranet-russia/
The Swedish administration is leaking its secret intranet and databases to Russia, via its Transport Agency, via the IBM cloud, via IBM’s subcontractor NCR (formerly AT&T) in Serbia, which is a close Russian military ally. Giving staff in Serbia administrative access to these networks practically guarantees that Russia also has access to the network. The European Union’s secure STESTA network is also connected to the leaked intranet. But this is not about geopolitics and who’s allied with whom, but about how an administration tries to quiet down and gloss over an apocalyptically stupid and monstrously damaging data leak.
Tomi Engdahl says:
Swedish Government Blamed for Mega Data Leak
https://www.infosecurity-magazine.com/news/swedish-government-blamed-for-mega/
The Swedish government is facing intense criticism after reports claimed it responsible for one of the world’s biggest and most damaging public sector data breaches ever recorded.
Local media reports summarized by The Local claim that the incident stemmed from the Swedish Transport Agency (STA), which outsourced its IT infrastructure to IBM back in 2015 apparently without mandating the requisite security clearance checks for staff.
This meant that outsourced workers in the Czech Republic and, more importantly, Serbia – which is said to have a close relationship with Russia when it comes to sharing intelligence – were able to access the documents.
The decision to outsource was apparently taken for financial reasons, while the subsequent disregard for security checks was a result of time constraints, as the STA had already started sacking employees.
The documents in question included: vehicle registration data from every Swedish citizen, data on all government/military vehicles, the weight capacity of all roads and bridges, names, photos and home addresses of Air Force pilots, police suspects, elite SAS-style operatives and anyone in a witness protection scheme.
There are also fears that the European Union’s secure network STESTA may have been compromised, as it is linked to the Swedish government’s supposedly secure intranet.
In March last year, the entire vehicle register was sent to subscribing marketers, but crucially this list contained individuals from witness protection and similar programs. When the error was discovered, these highly sensitive identities were actually pointed out by the agency to recipients with a request they be deleted, according to Swedish Pirate Party founder, Rick Falkvinge.
The details are only just emerging thanks to an investigation by the Swedish security service Säpo.
Swedish authority handed over ‘keys to the Kingdom’ in IT security slip-up
https://www.thelocal.se/20170717/swedish-authority-handed-over-keys-to-the-kingdom-in-it-security-slip-up
Criticism is mounting over IT security at Swedish government agencies after it emerged that millions of Swedes’ driving licence data may have been leaked to other countries.
Sweden’s security police Säpo has investigated the Swedish Transport Agency (Transportstyrelsen) after information about all vehicles in the country – including police and military – was made available to IT workers in Eastern Europe who had not gone through the usual security clearance checks when the agency outsourced its IT maintenance to IBM in 2015.
The scandal hit the headlines in Sweden when it emerged that former director-general Maria Ågren – who was fired for undisclosed reasons in January 2017 – had been fined 70,000 kronor after the probe found her guilty of being “careless with secret information”.
IBM administrators in the Czech Republic were given full access to all data and logs, reports Swedish newspaper Dagens Nyheter (DN) which has seen the Säpo investigation documents. Firewalls and communications were meanwhile maintained by a company in Serbia.
“The fact that a security check has not been made is serious. That means you have not tested the people’s loyalty and don’t know if you can trust them from the Swedish side.”
Tomi Engdahl says:
Biggest Data Leak in Sweden’s History Punished With Half a Month’s Paycheck
https://www.bleepingcomputer.com/news/government/biggest-data-leak-in-swedens-history-punished-with-half-a-months-paycheck/
The Swedish government has exposed sensitive details on millions of citizens in one of the biggest government screw-ups ever, and the official responsible for the whole fiasco was fined only half of her monthly salary, which is 70,000 Swedish krona — or around $8,500.
The leak happened in September 2015, when the Swedish Transport Agency (STA) decided to outsource the management of its database and other IT services to companies such as IBM in the Czech Republic, and NCR in Serbia.
The entire STA database was uploaded onto cloud servers belonging to these two companies, and some employees got full access to the database, as Sweden fired its IT technicians.
According to several Swedish newspapers, the leaked data included:
- Data from all drivers licenses in Sweden
- Personal details of all persons in Sweden’s witness relocation program
- Personal details of Sweden’s elite military units
- Personal details of Sweden’s fighter pilots
- Personal details of all of Sweden’s pilots and air controllers
- Personal details of all Swedish citizens in a police register
- Details of all Swedish government and military vehicles
- Details about Sweden’s road and transportation infrastructure
“There’s an enormous amount of data in Swedish about the overall leak scandal, but among all that data, one piece bears mentioning just to highlight the generally sloppy, negligent, and indeed criminal, attitude toward sensitive information,” said Rick Falkvinge, Head of Privacy at Private Internet Access and the founder of the first Pirate Party, the one who brought this local issue to the attention of international press.
Tomi Engdahl says:
Worst known governmental leak ever affected the Swedish Transport Agency, data includes records of members of the military secret units.
http://securityaffairs.co/wordpress/61280/data-breach/swedish-transport-agency-leak.html
Director General Maria Ågren in Sweden was fined half a month’s salary in a very short trial.
Further investigation in the governmental data leak revealed that the Swedish Transport Agency moved all its data to “the cloud”, as managed by IBM, two years ago, but suddenly the Director General of the Transport Agency, Maria Ågren, was quickly retired from her position in January 2017.
On July 6 it was disclosed the news that the Director was found guilty of exposing classified information in a criminal court of law.
“But on July 6th, she is known to be secretly investigated to have cleared confidential information. According to the Security Unit for Security Objectives, the data may damage the security of the country. She is ordered to pay 70,000 kronor in daily fines.” reported the website SvtNyHeater.se.
“Among other things, the entire Swedish database of driving license photos has been available to several Czech technologies, which have not been tested for security. This means that neither the SÄPO nor the Transport Agency had control over the persons who handled the information that could be said to damage the security of the country.“
Leaked data included information related to people in the witness protection program and similar programs. This information was wrongly included in the register distributed outside the Agency as part of a normal procedure. Another unacceptable mistake was discovered by the investigators: when a new version without the sensitive identities was distributed, the Agency did not instruct recipients to destroy the old copy.
Tomi Engdahl says:
Sweden leaked every car owners’ details last year, then tried to hush it up
Another day, another botched government contract
https://www.theregister.co.uk/2017/07/23/sweden_leaked_every_car_owners_details_last_year_then_tried_to_hush_it_up/
In a slowly-unfolding scandal in Sweden, it’s emerged that the country’s transport agency bungled an outsourcing deal with IBM, putting both individuals and national security at risk.
Pirate Party founder and now head of privacy at VPN provider Private Internet Access Rick Falkvinge has been working to bring details of the scandal into the Anglosphere.
Falkvinge writes Sweden’s government has been trying to handle the huge leak of sensitive data away from the public eye.
The story goes back to 2015, when Sweden’s transport agency awarded IBM a contract to manage its databases and networks.
The databases pushed to the IBM cloud covered every vehicle in the country – including police and military registrations, plus details of individuals on witness protection programs.
Tomi Engdahl says:
How the Swedish administration leaked EU’s secure STESTA intranet to Russia, then tried glossing over it
https://www.privateinternetaccess.com/blog/2017/07/swedish-administration-tried-glossing-leaking-eus-secure-stesta-intranet-russia/
The Swedish administration is leaking its secret intranet and databases to Russia, via its Transport Agency, via the IBM cloud, via IBM’s subcontractor NCR (formerly AT&T) in Serbia, which is a close Russian military ally. Giving staff in Serbia administrative access to these networks practically guarantees that Russia also has access to the network. The European Union’s secure STESTA network is also connected to the leaked intranet.
In May 2015, IBM won a hundred-million-range-contract for managing the Swedish Transport Agency’s databases and networks, outsourced from the country. It is relevant that a) this agency manages a lot of top secret data, such as the identities and photos of undercover and operative personnel, as well as relocated witnesses, and b) this was not taken into account at all when sending the databases right out of the country.
Tomi Engdahl says:
Yi Shu Ng / Mashable:
China forces citizens in Xinjiang, a Muslim-majority region, to put spyware on their phones; locals who don’t install the Android app could face 10 days in jail — China has ramped up surveillance measures in Xinjiang, home to much of its Muslim minority population, according to reports from Radio Free Asia.
China is force-installing spyware onto Muslim citizens’ phones, to monitor them
http://mashable.com/2017/07/21/china-spyware-xinjiang/#Qyj.dnIJROq6
China has ramped up surveillance measures in Xinjiang, home to much of its Muslim minority population, according to reports from Radio Free Asia.
Authorities sent out a notice over a week ago instructing citizens to install a “surveillance app” on their phones, and are conducting spot checks in the region to ensure that residents have it.
Android users were instructed to scan the QR code in order to install the Jingwang app that would, as authorities claimed, “automatically detect terrorist and illegal religious videos, images, e-books and electronic documents” stored in the phone. If illegal content was detected, users would be ordered to delete them.
Users who deleted, or did not install the app, would be detained for up to 10 days, according to social media users.
A teardown analysis by users in China showed that the app appears similar to a “citizen safety” (百姓安全) app developed by Urumqi police in April this year. The app, developed in-house, allowed users to report suspicious events to the police.
The app reportedly scans for the MD5 digital signatures of media files in the phone, and matches them to a stored database of offending files classified by the government as illegal “terrorist-related” media.
Jingwang also keeps a copy of Weibo and WeChat records, as well as a record of IMEI numbers, SIM card data and Wifi login data. The records are then sent to a server.
http://www.rfa.org/mandarin/yataibaodao/shaoshuminzu/ql2-07132017112039.html
Tomi Engdahl says:
Julia Fioretti / Reuters:
EU sets July 20 date for new proposals from Facebook, Google, Twitter to bring their user terms into compliance, after deeming earlier proposals insufficient
EU increases pressure on Facebook, Google and Twitter over user terms
http://www.reuters.com/article/us-socialmedia-eu-consumers-idUSKBN1A92D4
BRUSSELS (Reuters) – European Union authorities have increased pressure on Facebook, Google and Twitter to amend their user terms to bring them in line with EU law after proposals submitted by the tech giants were considered insufficient.
The authorities’ concerns center mainly on procedures the social media companies proposed to set up for the removal of illegal content on their websites, terms limiting their liability and terms allowing them unilaterally to remove content posted by users.
U.S. technology companies have faced tight scrutiny in Europe for the way they do business, from privacy issues to how quickly they remove illegal or threatening content.
Tomi Engdahl says:
45,000 Facebook Users Leave One-Star Ratings After Hacker’s Unjust Arrest
https://www.bleepingcomputer.com/news/security/45-000-facebook-users-leave-one-star-ratings-after-hackers-unjust-arrest/
Over 45,000 users have left one-star reviews on a company’s Facebook page after the business reported a security researcher to police and had him arrested in the middle of the night instead of fixing a reported bug.
The arrest took place this week in Hungary after an 18-year-old found a flaw in the online ticket-selling system of Budapesti Közlekedési Központ (BKK), Budapest’s public transportation authority.
The young man discovered that he could access BKK’s website, press F12 to enter the browser’s developer tools mode, and modify the page’s source code to alter a ticket’s price.
Because there was no client or server-side validation put in place, the BKK system accepted the operation and issued a ticket at a smaller price.
As a demo, the young man says he bought a ticket initially priced at 9459 Hungarian forints ($35) for 50 Hungarian forints (20 US cents).
The teenager — who didn’t want his name revealed — reported the issue to BKK, but the organization chose to contact the police and file a complaint, accusing the young man of hacking their systems.
BKK management made a fatal mistake when they brazenly boasted in a press conference about catching the hacker and declaring their systems “secure.” Since then, other security flaws in BKK’s system have surfaced on Twitter.
As details of the case emerged, public outrage grew against BKK and its manager Kálmán Dabóczi, especially after it was revealed that BKK was paying around $1 million per year for maintenance of its IT systems, hacked in such a ludicrously simple manner. The beneficiary of this humongous contract is a local company called T-Systems, which ironically sponsored an “ethical hacking” contest.
Talking to Hungarian press, the young hacker said he only had the best intentions when he reported the issue to BKK and said he hopes the organization withdraws its report.
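The BKK bug above is the textbook case of a server trusting a client-controlled price. As an added example (my code, not BKK's or T-Systems'), here is the vulnerable checkout handler beside its hardened form: the hardened version takes only the item identifier and quantity from the browser and re-derives the amount from a server-side catalogue, so editing the price field in DevTools changes nothing but a log entry. The catalogue and the 9459/50 forint figures are constructed from the article's numbers.

```python
"""Client-supplied price vs. server-side price lookup (added example).
The catalogue below is constructed; a real shop reads it from its database."""
from decimal import Decimal, InvalidOperation

CATALOGUE = {
    "monthly-pass": Decimal("9459"),   # HUF, the ticket from the article
    "single-ticket": Decimal("350"),
}


class OrderError(ValueError):
    pass


def checkout_vulnerable(form):
    """Trusts every field the browser sent, including the price.

    With no server-side validation, changing the (hidden) price field in the
    browser's developer tools is enough to buy the 9459 HUF ticket for 50 HUF.
    """
    return {"item": form["item"], "charged": Decimal(form["price"])}


def checkout_hardened(form):
    """Accepts only identifiers from the client and recomputes the amount."""
    item = form.get("item")
    if item not in CATALOGUE:
        raise OrderError("unknown item")
    try:
        qty = int(form.get("qty", "1"))
    except ValueError:
        raise OrderError("bad quantity")
    if not 1 <= qty <= 10:
        raise OrderError("bad quantity")

    total = CATALOGUE[item] * qty

    # The client's price field is deliberately ignored; a mismatch is worth an
    # alert because an honest client never sends a different number.
    tamper_suspected = False
    client_price = form.get("price")
    if client_price is not None:
        try:
            tamper_suspected = Decimal(client_price) != total
        except InvalidOperation:
            tamper_suspected = True

    return {"item": item, "charged": total, "tamper_suspected": tamper_suspected}


if __name__ == "__main__":
    tampered = {"item": "monthly-pass", "price": "50"}   # price edited in DevTools
    print("vulnerable:", checkout_vulnerable(tampered))
    print("hardened:  ", checkout_hardened(tampered))
```

The same rule covers every field the client can tamper with, not only the price: discounts, currency and ticket type must all be looked up or recomputed on the server, and the client's copy is at best a hint for detecting tampering.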
Tomi Engdahl says:
Microsoft’s Chatbot Says Linux Is Awesome, Windows Great for Getting Viruses
Zo not really the biggest fan of Windows
http://news.softpedia.com/news/microsoft-s-chatbot-says-linux-is-awesome-windows-great-for-getting-viruses-517106.shtml
Microsoft really has a hard time getting chatbots right, and just when it looked like Zo learned how to behave and never say something odd, here’s a totally unexpected reply pointing out that Linux is better than Windows.
Tomi Engdahl says:
Multiple Critical Vulnerabilities Found in Popular Motorized Hoverboards
http://blog.ioactive.com/2017/07/multiple-critical-vulnerabilities-found.html
Not that long ago, motorized hoverboards were in the news – according to widespread reports, they had a tendency to catch on fire and even explode. Hoverboards were so dangerous that the National Association of State Fire Marshals (NASFM) issued a statement recommending consumers “look for indications of acceptance by recognized testing organizations” when purchasing the devices. Consumers were even advised to not leave them unattended due to the risk of fires. The Federal Trade Commission has since established requirements that any hoverboard imported to the US meet baseline safety requirements set by Underwriters Laboratories.
The hoverboard is also connected and comes with a rider application that enables the owner to do some cool things, such as change the light colors, remotely control the hoverboard, and see its battery life and remaining mileage.
Let’s Break a Hoverboard
Using reverse engineering and protocol analysis techniques, I was able to determine that my Ninebot by Segway miniPRO (Ninebot purchased Segway Inc. in 2015) had several critical vulnerabilities that were wirelessly exploitable. These vulnerabilities could be used by an attacker to bypass safety systems designed by Ninebot, one of the only hoverboards approved for sale in many countries.
Using protocol analysis, I determined I didn’t need to use a rider’s PIN (Personal Identification Number) to establish a connection. Even though the rider could set a PIN, the hoverboard did not actually change its default pin of “000000.” This allowed me to connect over Bluetooth while bypassing the security controls. I could also document the communications between the app and the hoverboard, since they were not encrypted.
Additionally, after attempting to apply a corrupted firmware update, I noticed that the hoverboard did not implement any integrity checks on firmware images before applying them. This means an attacker could apply any arbitrary update to the hoverboard, which would allow them to bypass safety interlocks.
Upon further investigation of the Ninebot application, I also determined that connected riders in the area were indexed using their smart phones’ GPS; therefore, each rider’s location is published and publicly available, making actual weaponization of an exploit much easier for an attacker.
An attacker could then connect to the miniPRO using a modified version of the Nordic UART application, the reference implementation of the Bluetooth service used in the Ninebot miniPRO. This application allows anyone to connect to the Ninebot without being asked for a PIN.
Using the pin “111111,” the attacker can then launch the Ninebot application and connect to the hoverboard. This would lock a normal user out of the Ninebot mobile application because a new PIN has been set.
Analysis of Findings
Even though the Ninebot application prompted a user to enter a PIN when launched, it was not checked at the protocol level before allowing the user to connect. This left the Bluetooth interface exposed to an attack at a lower level. Additionally, since this device did not use standard Bluetooth PIN-based security, communications were not encrypted and could be wirelessly intercepted by an attacker.
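The two device-side checks the write-up found missing (a PIN that is actually enforced by the protocol handler, and a firmware image that is authenticated before it is applied) as an added example in Python; this is constructed illustration code, not Ninebot's or IOActive's, and the framing marker, key, PIN format and image layout are assumptions. HMAC-SHA256 keeps it stdlib-only; a production update path would use an asymmetric signature so the device holds only a public key.

```python
import hashlib
import hmac
import struct

# Constructed values for the example; not Ninebot's protocol, keys or PIN format.
DEFAULT_PIN = "000000"   # the factory default the write-up says was never replaced
FW_MAGIC = b"FWIM"       # constructed framing marker for the firmware image
TAG_LEN = 32             # HMAC-SHA256 tag length in bytes


def build_firmware(version: int, payload: bytes, key: bytes) -> bytes:
    """Producer side: header || payload || HMAC-SHA256(key, header || payload).
    A real pipeline would sign with a private key; HMAC keeps this stdlib-only."""
    body = FW_MAGIC + struct.pack(">I", version) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


def verify_firmware(blob: bytes, key: bytes):
    """Consumer side: check framing and the integrity tag before trusting any
    byte of the payload. Returns (ok, reason)."""
    if len(blob) < 8 + TAG_LEN or blob[:4] != FW_MAGIC:
        return False, "bad framing"
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return False, "integrity check failed"
    return True, "ok"


class HoverboardController:
    """Toy model of the device side: the rider's PIN is checked by the protocol
    handler itself (not only by the phone app), and a firmware image must pass
    verify_firmware() before it is applied."""

    def __init__(self, fw_key: bytes):
        self._pin = DEFAULT_PIN
        self._fw_key = fw_key          # device-provisioned verification key (constructed)
        self.firmware_version = 1
        self.authenticated = False

    def set_pin(self, old_pin: str, new_pin: str) -> bool:
        """Persist the new PIN on the device; refuse to keep the factory default."""
        if not hmac.compare_digest(old_pin, self._pin):
            return False
        if len(new_pin) != 6 or not new_pin.isdigit() or new_pin == DEFAULT_PIN:
            return False
        self._pin = new_pin
        return True

    def connect(self, pin: str) -> bool:
        """Constant-time comparison against the *current* PIN, done on the device."""
        self.authenticated = hmac.compare_digest(pin, self._pin)
        return self.authenticated

    def apply_firmware(self, blob: bytes) -> str:
        if not self.authenticated:
            return "rejected: not authenticated"
        ok, reason = verify_firmware(blob, self._fw_key)
        if not ok:
            return f"rejected: {reason}"
        self.firmware_version = struct.unpack(">I", blob[4:8])[0]
        return "applied"


def demo() -> dict:
    """Replay the scenario from the write-up against the hardened model."""
    key = b"\x42" * 32                       # constructed key, provisioned at manufacture
    dev = HoverboardController(key)
    results = {"default_pin_before_change": dev.connect(DEFAULT_PIN)}
    dev.set_pin(DEFAULT_PIN, "123456")
    results["default_pin_after_change"] = dev.connect(DEFAULT_PIN)
    results["real_pin"] = dev.connect("123456")
    good = build_firmware(2, b"motor-control-v2", key)
    results["good_update"] = dev.apply_firmware(good)
    corrupted = bytearray(good)
    corrupted[10] ^= 0x01                    # flip one bit inside the payload
    results["corrupted_update"] = dev.apply_firmware(bytes(corrupted))
    results["version"] = dev.firmware_version
    return results
```

Running demo() shows the default PIN still works until the rider changes it (a shipping device should force that change on first pairing), stops working afterwards, and the bit-flipped image is refused while the intact one is applied.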
Tomi Engdahl says:
‘THIS IS NOT A DRILL:’ A Hacker Allegedly Stole $32 Million in Ethereum
https://motherboard.vice.com/en_us/article/zmvkke/this-is-not-a-drill-a-hacker-allegedly-stole-dollar32-million-in-ethereum
It’s the second alleged hack this week.
Ethereum, a cryptocurrency and platform for decentralized apps, has been steadily gaining mainstream attention. It was only a matter of time before dedicated hackers started working it in earnest.
On Wednesday, a hacker allegedly made off with more than $30 million worth of the cryptocurrency, just two days after an alleged hacker stole $7.4 million.
“THIS IS NOT A DRILL,” Wood wrote in the Parity chat channel. “[If] you have a parity-based multisig, move your funds to a secure address ASAP.”
After the hack, there was an attempt by “whitehats at the foundation” to secure the lost funds, Wood wrote. (Wood was presumably referring to the Ethereum Foundation, which directs protocol development. He did not respond to a request for comment in time for publication.) There are ongoing efforts to secure funds in other potentially vulnerable wallets, Wood wrote, but those folks “will make an announcement in their own time.”
In other words, there may be other wallets affected by the hack than the three cited by Wood, but it’s not yet clear which were cleaned out by thieves, and which had their funds funneled out by good-guy hackers who may return them later.
“Many more [wallets] are affected,” Manuel Araoz, co-founder of ethereum smart contract development firm Zeppelin Solutions, who was one of the first to publicize the hack, wrote me in an email. However, he continued, “we still don’t know if [it's] whitehat or blackhat.”
The alleged hack would be one of the largest in ethereum’s history, and brings to mind the infamous DAO hack of 2015. At that time, a hacker exploited a contract vulnerability to steal $53 million worth of the currency. As a solution, developers split ethereum into two versions in order to roll back the stolen funds—it was a brazen move, and drew widespread condemnation at the time.
Now, it seems like these sorts of hacks are becoming a weekly event.
Tomi Engdahl says:
The Hacker-Powered Security Report 2017
https://www.hackerone.com/sites/default/files/2017-06/The%20Hacker-Powered%20Security%20Report.pdf
Hacker-Powered Security: a report drawn from 800+ programs and nearly 50,000 resolved security vulnerabilities.
Bug bounty and hacker-powered security programs are becoming the norm, used by organizations as diverse as Facebook and the U.S. government. Forty-one percent of bug bounty programs were from industries other than technology in 2016. Top companies are rewarding hackers up to $900,000 a year in bounties and bounty rewards on average have increased 16 percent for critical issues since 2015. Despite bug bounty program adoption and increased reward competitiveness, vulnerability disclosure programs still lag behind. Ninety-four percent of the Forbes Global 2000 companies do not have policies.
It’s time to give security teams the tools they need to keep up with ever-faster development. This report examines the broadest platform data set available and explains why organizations like General Motors, Starbucks, Uber, the U.S. Department of Defense, Lufthansa, and Nintendo have embraced continuous, hacker-powered security.
Tomi Engdahl says:
Is threat modeling compatible with Agile and DevSecOps?
Posted by David Harvey on July 7, 2017
https://www.synopsys.com/blogs/software-security/threat-modeling-agile-devsecops/
Bryan Sullivan, a Security Program Manager at Microsoft, called threat modeling a “cornerstone of the SDL” during a Black Hat Conference presentation. He calls it a ‘cornerstone’ because a properly executed threat model:
Finds architectural and design flaws that are difficult or impossible to detect through other methods.
Identifies the most ‘at-risk’ components.
Helps stakeholders prioritize security remediation.
Gets people thinking about the application attack surface.
Drives fuzz testing.
Provides the basis for abuse cases as it encourages people to think like an attacker.
Threat modeling documentation
Yes, threat modeling requires documentation, but that’s not a bad thing.
When teaching threat modeling, a surprisingly common question I hear is “threat modeling requires documentation?” That question is often followed by an explanation that since moving to SAFe and CI/CD processes, firms have disposed of documentation.
This persistent ‘zero documentation in Agile’ myth is based on a misunderstanding of the Agile Manifesto. It is true that the Agile methodology does prioritize working software over written documentation. However, there are a number of design, architecture, and user story artifacts needed to properly communicate commitments and other project parameters to stakeholders.
If the application is mission critical and/or it handles sensitive data, then the project or application threat model is one of the most important artifacts. Architecture diagrams involving the inputs to the threat model are also highly valuable artifacts. The process of creating and maintaining these artifacts—usually a team exercise—is never automatable. This is known as an out-of-band activity.
Performing threat modeling as an out-of-band activity
There are a number of security activities, including tool-driven static application security testing (SAST) and software composition analysis (SCA). These testing approaches are amenable to automation and fit nicely within an always-deployable paradigm. Threat modeling doesn’t fit into this approach.
Maintaining threat modeling artifacts
As with any critical documentation, update the threat model as facts that form its basis change or are clarified during a development activity. The artifact you’ll need to maintain largely depends on the threat model method in use.
Keep threat modeling artifact(s) in a repository available for team editing (e.g., a wiki or SharePoint site). Ensure that changes are tracked.
Finding issues during threat modeling
Prioritize issues found during threat modeling within the backlog.
Remember, in a continuous development model (Agile or CI/CD), you’re going to be threat modeling as an out-of-band process. Thus, issues found may show up at any time during the threat modeling process. This may mean after development sprints are underway. Write up these issues as user stories and prioritize them on the backlog during a bug wash or sprint planning session—just as any other user story or defect.
It may be necessary to ‘pull the chain and stop the train’ to fix a serious issue found in a threat model.
The bottom line
Threat modeling needs to be a part of CI/CD and Agile processes. There are too many benefits to threat modeling not to conduct this activity on mission critical applications—regardless of the methodology in use for development.
Tomi Engdahl says:
New version of SambaCry spotted in the wild: Linux users urged to update OS
https://securitybrief.co.nz/story/new-version-sambacry-spotted-wild-linux-users-urged-update-os/
Trend Micro is warning all Linux users to update their systems immediately or fall prey to a new threat that takes advantage of a vulnerability in the open-source protocol Samba.
The Samba vulnerability, named SambaCry because it took advantage of an SMB similar to the one used by WannaCry, allows an attacker to open a command shell in a vulnerable device and gain full control over it.
The vulnerability, CVE-2017-7494, affects all Samba versions since 3.5.0, and now SambaCry is being used for more nefarious purposes.
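A host-side triage check for the issue described above, as an added example in Python (not Trend Micro's or the Samba project's code). It takes the 3.5.0 lower bound from the article; whether a particular later build already carries the fix has to be confirmed against the vendor advisory, so the version check only says the release line is one the bug touched. The smb.conf fragments are constructed, and the parser is a minimal one written for the example.

```python
import re

# From the article: all Samba versions since 3.5.0 are in the affected range.
AFFECTED_SINCE = (3, 5, 0)
YES, NO = ("yes", "true", "1"), ("no", "false", "0")

# Constructed smb.conf fragments for the example; not from any real host.
SMB_CONF_DEFAULT = """\
[global]
   workgroup = WORKGROUP
   server string = file server

[public]
   path = /srv/public
   writable = yes
   guest ok = yes
"""

SMB_CONF_WORKAROUND = """\
[global]
   workgroup = WORKGROUP
   ; vendor workaround for CVE-2017-7494 until smbd is upgraded
   nt pipe support = no

[public]
   path = /srv/public
   writable = yes
"""


def parse_version(text: str) -> tuple:
    """Pull the first x.y.z triple out of e.g. 'Version 4.4.5-Ubuntu'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(p) for p in m.groups())


def in_affected_range(version_text: str) -> bool:
    """True for 3.5.0 and later. Whether a given build is already patched must
    be checked against the vendor advisory; this is a triage filter only."""
    return parse_version(version_text) >= AFFECTED_SINCE


def parse_smb_conf(text: str) -> dict:
    """Minimal smb.conf reader: section -> {normalised key: value}. Samba treats
    parameter names case-insensitively and ignores internal whitespace."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][re.sub(r"\s+", "", key).lower()] = value.strip()
    return sections


def nt_pipe_support_disabled(conf_text: str) -> bool:
    """The advisory workaround is 'nt pipe support = no' in [global];
    Samba's default for this parameter is yes."""
    value = parse_smb_conf(conf_text).get("global", {}).get("ntpipesupport", "yes")
    return value.lower() in NO


def writable_shares(conf_text: str) -> list:
    """Shares a client can write to; the advisory's precondition for the bug."""
    found = []
    for name, params in parse_smb_conf(conf_text).items():
        if name == "global":
            continue
        w = params.get("writable", params.get("writeable", "no")).lower()
        ro = params.get("readonly", "yes").lower()
        if w in YES or ro in NO:
            found.append(name)
    return found


def assess(version_text: str, conf_text: str) -> dict:
    """Summarise one host's exposure; upgrading smbd is always the real fix."""
    affected = in_affected_range(version_text)
    mitigated = nt_pipe_support_disabled(conf_text)
    if not affected:
        action = "outside affected range"
    elif mitigated:
        action = "workaround active; upgrade smbd when possible"
    else:
        action = "upgrade smbd now, or set 'nt pipe support = no' until then"
    return {"affected_range": affected, "workaround": mitigated,
            "writable_shares": writable_shares(conf_text), "action": action}
```

Feed assess() the output of `smbd --version` (or the package manager's version string) and the contents of smb.conf; the writable-share list is useful for prioritising which hosts to patch first.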
Tomi Engdahl says:
Linux Is Not As Safe As You Think
https://linux.slashdot.org/story/17/07/05/2148200/linux-is-not-as-safe-as-you-think?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29
Would you be surprised if I told you that threat methods for Linux increased an astonishing 300 percent in 2016, while Microsoft’s operating systems saw a decrease? Well, according to a new report, that is true. Does this mean Linux is unsafe? No way, Jose! There are some important takeaways here. Microsoft’s Windows operating systems are still the most targeted platforms despite the year over year decline — far beyond Linux. Also, just because there is an increase in malware attack methods doesn’t necessarily mean that more systems will be infected. Let us not forget that it is easier to find a vulnerability with open source too; Microsoft largely uses closed source code.
Linux is not as safe as you think
https://betanews.com/2017/07/05/linux-safe/
There is a notion by many people that Linux-based operating systems are impervious to malware and are 100 percent safe. While operating systems that use that kernel are rather secure, they are certainly not impenetrable. In fact, users are arguably less safe when they believe that stereotype, since they could be less vigilant.
Tomi Engdahl says:
Python autocomplete-in-the-cloud tool Kite pushes into projects, gets stabbed with a fork
Cloud dev biz tries rainmaking, stirs up storm of complaints
https://www.theregister.co.uk/2017/07/25/kite_flies_into_a_fork/
Kite, a San Francisco-based development tools startup, has managed to alienate developers by quietly altering open-source projects for its benefit.
Kite makes a Python programming plugin, called Kite, for various code editors to boost developer productivity through automatic code completion and other enhancements. The company introduced its software in a private beta last year and launched in March, 2017.
Kite remains somewhat controversial because it uploads source code to Kite’s servers, raising privacy and security concerns. It does this to analyze code and make autocomplete recommendations. The company insists it does so only with whitelisted Python files, but some developers remain skeptical that anything stored in the cloud can truly be secure.
Kite’s troubles stem from its involvement with two popular open-source projects, autocomplete-python and Minimap, used with the Atom code editor. The former is a widely used autocompletion engine for Python code, and the latter is a plugin that provides a zoomed-out view of code for easier navigation.
Paul Berg, an open-source licensing expert who has worked at Amazon and advises Idaho National Laboratory, said forks happen, but once projects get large enough, there’s pressure for unification.
“Once a project is large enough to have significant IP value to be a successful commercial enterprise, there are enough players in the field that taking it in a more proprietary direction means you are running the risk of splitting your development talent pool via a fork,” he said in an email to The Register. “That causes your dev costs to skyrocket and the community-driven project can often outpace the more commercial one.”
Tomi Engdahl says:
Global Network of Labs Will Test Security of Medical Devices
https://hardware.slashdot.org/story/17/07/24/2217227/global-network-of-labs-will-test-security-of-medical-devices?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29
Amid increasing concerns about cyber threats to healthcare environments, a global network of labs will test the security of medical devices, according to an announcement on Monday by a consortium of healthcare industry firms, universities and technology firms, The Security Ledger reports. The “World Health Information Security Testing Labs (or “WHISTL”) will adopt a model akin to the Underwriters Laboratory, which started out testing electrical devices, and focus on issues related to cyber security and privacy, helping medical device makers “address the public health challenges” created by connected health devices and complex, connected healthcare environments, according to a statement by The Medical Device Innovation, Safety and Security Consortium. “MDISS WHISTL facilities will dramatically improve access to medical device security know-how while protecting patient privacy and the intellectual property of our various stakeholders,” said Dr. Nordenberg, MD, Executive Director of MDISS.
Exclusive: WHISTL Labs will be Cyber Range for Medical Devices
https://securityledger.com/2017/07/exclusive-whistl-labs-will-be-cyber-range-for-medical-devices/
In-brief: A global federation of labs will test the security of medical devices, according to an announcement on Monday by a consortium of healthcare industry firms, universities and technology firms.
The facilities, dubbed WHISTL, will adopt a model akin to the Underwriters Laboratory, which tests electrical devices, but will focus on issues related to cyber security and privacy, helping medical device makers “address the public health challenges” created by connected health devices and complex, connected healthcare environments, according to a statement by The Medical Device Innovation, Safety and Security Consortium (MDISS).
Tomi Engdahl says:
Fourth Ethereum Platform Hacked This Month: Hacker Steals $8.4 Million From Veritaseum Platform
https://it.slashdot.org/story/17/07/24/2128245/fourth-ethereum-platform-hacked-this-month-hacker-steals-84-million-from-veritaseum-platform
“Veritaseum has confirmed today that a hacker stole $8.4 million from the platform’s ICO on Sunday, July 23,” reports Bleeping Computer. “This is the second ICO hack in the last week and the fourth hack of an Ethereum platform this month.”
Hacker Steals $8.4 Million Worth of Ethereum From Veritaseum Platform
https://www.bleepingcomputer.com/news/security/hacker-steals-8-4-million-worth-of-ethereum-from-veritaseum-platform/
Tomi Engdahl says:
Mysterious Mac Malware Has Infected Hundreds of Victims For Years
https://it.slashdot.org/story/17/07/24/1719255/mysterious-mac-malware-has-infected-hundreds-of-victims-for-years?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29
A mysterious piece of malware has been infecting hundreds of Mac computers for years — and no one noticed until a few months ago. The malware is called “FruitFly,” and one of its variants, “FruitFly 2” has infected at least 400 victims over the years. FruitFly 2 is intriguing and mysterious: its goals, who’s behind it, and how it infects victims, are all unknown. Earlier this year, an ex-NSA hacker started looking into a piece of malware he described to me as “unique” and “intriguing.” It was a slightly different strain of a malware discovered on four computers earlier this year by security firm Malwarebytes, known as “FruitFly.”
Mysterious Mac Malware Has Infected Victims for Years
https://motherboard.vice.com/en_us/article/zmv79w/mysterious-mac-malware-has-infected-hundreds-of-victims-for-years
While FruitFly itself isn’t that sophisticated or advanced, its long, undisturbed life shows that despite the widespread belief that they are virus-free, Macs aren’t immune from invasive and dangerous malware.
“This year we’ve seen more Mac malware than in any previous year,” Reed, the researcher at Malwarebytes who first analyzed the other version of FruitFly, told Motherboard.
Tomi Engdahl says:
Sweden Accidentally Leaks Personal Details of Nearly All Citizens
https://yro.slashdot.org/story/17/07/24/2012252/sweden-accidentally-leaks-personal-details-of-nearly-all-citizens?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29
Swedish media is reporting on a massive data breach in the Swedish Transport Agency (Transportstyrelsen) after the agency mishandled an outsourcing deal with IBM, which led to the leak of the private data about every vehicle in the country, including those used by both police and military. The data breach exposed the names, photos and home addresses of millions of Swedish citizens, including fighter pilots of Swedish air force, members of the military’s most secretive units, police suspects, people under the witness relocation program, the weight capacity of all roads and bridges, and much more. The incident is believed to be one of the worst government information security disasters ever.
Swedish authority handed over ‘keys to the Kingdom’ in IT security slip-up
https://www.thelocal.se/20170717/swedish-authority-handed-over-keys-to-the-kingdom-in-it-security-slip-up
Criticism is mounting over IT security at Swedish government agencies after it emerged that millions of Swedes’ driving licence data may have been leaked to other countries.
Sweden’s security police Säpo has investigated the Swedish Transport Agency (Transportstyrelsen) after information about all vehicles in the country – including police and military – was made available to IT workers in Eastern Europe who had not gone through the usual security clearance checks when the agency outsourced its IT maintenance to IBM in 2015.
Tomi Engdahl says:
Sweden Accidentally Leaks Personal Details of Nearly All Citizens
Monday, July 24, 2017 Swati Khandelwal
https://thehackernews.com/2017/07/sweden-data-breach.html?m=1
This time sensitive and personal data of millions of transporters in Sweden, along with the nation’s military secrets, have been exposed, putting every individual’s as well as national security at risk.
Who exposed the sensitive data? The Swedish government itself.
The data breach exposed the names, photos and home addresses of millions of Swedish citizens, including fighter pilots of Swedish air force, members of the military’s most secretive units, police suspects, people under the witness relocation programme, the weight capacity of all roads and bridges, and much more.
The incident is believed to be one of the worst government information security disasters ever.
IBM administrators in the Czech Republic were also given full access to all data and logs, according to Swedish newspaper Dagens Nyheter (DN), which analysed the Säpo investigation documents.
According to Pirate Party founder and now head of privacy at VPN provider Private Internet Access Rick Falkvinge, who brought details of this scandal, the incident “exposed and leaked every conceivable top secret database: fighter pilots, SEAL team operators, police suspects, people under witness relocation.”
According to Falkvinge, the leak exposed:
The weight capacity of all roads as well as bridges (which is crucial for warfare, and gives a good idea of which roads are intended to be used as wartime airfields).
Names, photos, and home addresses of fighter pilots in the Air Force.
Names, photos, and home addresses of everybody in a police register, which are believed to be classified.
Names, photos, and residential addresses of all operators in the military’s most secret units that are equivalent to the SAS or SEAL teams.
Names, photos, and addresses of everybody in a witness relocation program, who have been given a protected identity for some reason.
Type, model, weight, and any defects in all government and military vehicles, including their operator, which reveals much about the structure of military support units.
Although the data breach happened in 2015, Swedish Secret Service discovered it in 2016 and started investigating the incident, which led to the firing of STA director-general Maria Ågren in January 2017.
What’s the worrying part? The leaked database may not be secured until the fall, said the agency’s new director-general Jonas Bjelfvenstam. The investigation into the scope of the leak is still ongoing.
Tomi Engdahl says:
Kid found a way to travel for free in Budapest. He filed a bug report. And was promptly arrested
Protests sparked after web security hole reported
https://www.theregister.co.uk/2017/07/25/hungarian_teenager_arrest_sparks_protests/?utm_content=buffercc0d2&utm_medium=social&utm_source=linkedin.com&utm_campaign=buffer
The arrest of a Hungarian bloke after he discovered a massive flaw in the website of Budapest’s transport authority – and reported it – has sparked a wave of protests.
Thousands of users have flooded the Facebook page of the capital city’s transport authority Budapesti Közlekedési Központ (BKK) – and its main website was taken down for several days by online attacks.
Meanwhile, a crowd of protestors gathered outside the main BKK offices in Budapest on Monday and the story has taken off in the Hungarian media, thanks in large part to conflicting accounts of what happened from the young chap himself and the CEO of BKK, Kálmán Dabóczi.
Tomi Engdahl says:
Russell Brandom / The Verge:
Google study finds ransomware victims have paid $25M+ in ransoms over last two years
Ransomware victims have paid out more than $25 million, Google study finds
https://www.theverge.com/2017/7/25/16023920/ransomware-statistics-locky-cerber-google-research
Ransomware victims have paid more than $25 million in ransoms over the last two years, according to a study presented today by researchers at Google, Chainalysis, UC San Diego, and the NYU Tandon School of Engineering. By following those payments through the blockchain and comparing them against known samples, researchers were able to build a comprehensive picture of the ransomware ecosystem.
Tomi Engdahl says:
Yeah, WannaCry hit Windows, but what about the WannaCry of apps?
Patching done proper
https://www.theregister.co.uk/2017/07/20/application_level_patching/
WannaCrypt crippled 230,000 Windows PCs internationally, hitting unpatched Windows 7 and Windows Server 2008 and computers still running Microsoft’s seriously old Windows XP, though the latter wasn’t responsible for its spread.
The initial reaction was a predictable rush to patch Microsoft’s legacy desktop operating systems.
Laudable, if late, but slow down: while the impact of WannaCrypt was huge, it was also relatively exceptional: Windows 7 ranks as number 14 and XP number 17 in the top 20 of software stacks with the most “distinct” vulnerabilities administered by the US government-funded and supported CVE Details.
Putting aside the Linux kernel, which tops the CVE list this year (in previous years it struggled to make the top 10), what is instructive is the healthy presence of applications on that list versus the number of operating systems like Windows. There are eight in the top 20. Indeed, over the years, it’s been Internet Explorer, Word, Adobe’s Flash Player who’ve played an active part in throwing open systems and leaving IT pros rushing to patch.
If applications are nearly half the problem what are our safeguards? Operating systems tend to be supported for a surprisingly long time – ten years or more for some Linux distributions. Can the same be said for the applications? Let’s look at a couple of staples.
Tomi Engdahl says:
Frederic Lardinois / TechCrunch:
Adobe says it will stop updating and distributing Flash at the end of 2020 — Adobe today announced that Flash, the once-ubiquitous plugin that allowed you to play your first Justin Bieber video on YouTube and Dolphin Olympics 2 on Kongregate, will be phased out by the end of 2020.
Get ready to finally say goodbye to Flash — in 2020
https://techcrunch.com/2017/07/25/get-ready-to-say-goodbye-to-flash-in-2020/
Adobe today announced that Flash, the once-ubiquitous plugin that allowed you to play your first Justin Bieber video on YouTube and Dolphin Olympics 2 on Kongregate, will be phased out by the end of 2020. At that point, Adobe will stop updating and distributing Flash. Until then, Adobe will still partner with the likes of Apple, Mozilla, Microsoft and Google to offer security updates for Flash in their browsers and support new versions of them, but beyond that, Adobe will not offer any new Flash features.
Adobe also notes that it plans to be more aggressive about ending support for Flash “in certain geographies where unlicensed and outdated versions of Flash Player are being distributed.”
To some degree, today’s announcement doesn’t come as a major surprise. Given its wide distribution, Flash (and especially outdated versions of it) quickly became one of the main targets for hackers, and Flash offered them plenty of avenues for trying to get into their target’s machines. The fact that Apple never supported it on mobile (and Steve Jobs’ famous 2010 letter about that) only sped up Flash’s demise, especially as modern browsers and HTML5 allowed browser vendors to replicate Flash’s functionality without the need for third-party plugins. To be fair, Adobe probably wanted Flash to go away as much as everybody else and, by 2015, the company said as much. Since then, it has started to phase out Flash support from its applications and worked on providing its users with alternatives.
Similarly, browser vendors have also started deprecating Flash support over the last few years. Google made Flash a “click-to-play” plugin, for example, that users must explicitly enable if they really want to use it. The same holds true for all other major browser vendors.
At this point, there’s very little that Flash can do that HTML5 can’t handle.
Tomi Engdahl says:
Eugene Kaspersky / Nota Bene:
Kaspersky announces free version of its antivirus software in US, Canada, and some Asia Pacific countries, with global rollout expected over four months
KL AV for Free. Secure the Whole World Will Be.
https://eugene.kaspersky.com/2017/07/25/kl-av-for-free-secure-the-whole-world-will-be/
I’ve some fantastic, earth-shattering-saving news: we’re announcing the global launch of Kaspersky Free, which, as you may have guessed by the title, is completely free-of-charge! Oh my giveaway!
We’ve been working on this release for a good year-and-a-half, with pilot versions in a few regions, research, analysis, tweaks and the rest of it, and out of all which we deduced the following:
The free antivirus won’t be competing with our paid-for versions. In our paid-for versions there are many extra features
There are a lot of users who don’t have the ~$50 to spend on premium protection; therefore, they install traditional freebies (which have more holes than Swiss cheese for malware to slip through) or they even rely on Windows Defender (ye gods!).
An increase in the number of installations of Kaspersky Free will positively affect the quality of protection of all users
And based on those three deductions we realized we had to do one thing, and fast: roll out a KL freebie all over the planet!
Last year the product successfully piloted in the Russia-Ukraine-Belarus region, in China, and also in the Nordic countries (that’s Denmark, Norway, Sweden and Finland, in case you were wondering).
Tomi Engdahl says:
Yuan Yang / Financial Times:
China to expand quantum communications network, which can’t be surveilled, for defense and finance sectors after successful trial that connected 200 terminals
https://t.co/rGMq6HP5gn
Tomi Engdahl says:
Smart Gun Beaten by Dumb Magnets
http://hackaday.com/2017/07/25/smart-gun-beaten-by-dumb-magnets/
[Plore], a hacker with an interest in safe cracking, read a vehemently anti-smart-gun thread in 2015. With the words “Could you imagine what the guys at DEF CON could do with this?” [Plore] knew what he had to do: hack some smart guns.
Armed with the Armatix IP1, [Plore] started with one of the oldest tricks in the book: an RF relay attack. The Armatix IP1 is designed to fire only when a corresponding watch is nearby, indicating that a trusted individual is the one holding the gun. However, by using a custom-built $20 amplifier to extend the range of the watch, [Plore] is able to fire the gun more than ten feet away, which is more than enough distance to be dangerous and certainly more than the few inches the manufacturers intended.
jams the signal from the watch, effectively preventing a legitimate gun owner from firing their gun at 10 to 20 feet!
[Plore] realised that the gun prevented illicit firing with a simple metal pin which it moved out of the way once it sensed the watch nearby. However, this metal just happened to be ferrous, and you know what that means: [Plore], with the help of some strong magnets, was able to move the pin without any electrical trickery.
Anybody Can Fire This ‘Locked’ Smart Gun With $15 Worth of Magnets
https://www.wired.com/story/smart-gun-fire-magnets/
Tomi Engdahl says:
45,000 Facebook Users Leave One-Star Ratings After Hacker’s Unjust Arrest
https://www.bleepingcomputer.com/news/security/45-000-facebook-users-leave-one-star-ratings-after-hackers-unjust-arrest/
Over 45,000 users have left one-star reviews on a company’s Facebook page after the business reported a security researcher to police and had him arrested in the middle of the night instead of fixing a reported bug.
The arrest took place this week in Hungary after an 18-year-old found a flaw in the online ticket-selling system of Budapesti Közlekedési Központ (BKK), Budapest’s public transportation authority.
Teen hacks company using browser’s DevTools
The young man discovered that he could access BKK’s website, press F12 to enter the browser’s developer tools mode, and modify the page’s source code to alter a ticket’s price.
Because there was no client or server-side validation put in place, the BKK system accepted the operation and issued a ticket at a smaller price.
As a demo, the young man says he bought a ticket initially priced at 9459 Hungarian forints ($35) for 50 Hungarian forints (20 US cents).
BKK calls police and has the teenager arrested
The teenager — who didn’t want his name revealed — reported the issue to BKK, but the organization chose to contact the police and file a complaint, accusing the young man of hacking their systems.
BKK management made a fatal mistake when they brazenly boasted in a press conference about catching the hacker and declaring their systems “secure.” Since then, other security flaws in BKK’s system have surfaced on Twitter.
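The server-side price validation whose absence the article describes, as an added example in Python (constructed illustration, not BKK's system). The 9459 HUF figure is the one reported above; the product names, the second price, the quantity limit and the order format are assumptions. The vulnerable handler and the hardened one sit side by side so the difference is visible.

```python
from dataclasses import dataclass

# Constructed catalogue, prices in whole forints. 9459 is the figure from the
# article; the product names and the second price are made up for the example.
CATALOGUE = {
    "monthly-pass": 9459,
    "single-ticket": 350,
}
MAX_QTY = 50   # assumed business limit per order


@dataclass
class Outcome:
    accepted: bool
    charged: int                 # amount actually billed, in forints
    reason: str
    tamper_suspected: bool = False


def vulnerable_checkout(order: dict) -> Outcome:
    """The pattern the article describes: the server bills whatever 'price' the
    client form posted, so an edit in the browser's DevTools becomes the charge."""
    return Outcome(True, int(order["price"]) * int(order["qty"]), "client price trusted")


def hardened_checkout(order: dict) -> Outcome:
    """The server is the only authority on price. The client-submitted figure is
    never used for billing; it is compared only so a mismatch can be flagged."""
    product = order.get("product")
    if product not in CATALOGUE:
        return Outcome(False, 0, "unknown product")
    try:
        qty = int(order.get("qty", 1))
    except (TypeError, ValueError):
        return Outcome(False, 0, "bad quantity")
    if qty < 1 or qty > MAX_QTY:
        return Outcome(False, 0, "quantity out of range")
    expected = CATALOGUE[product] * qty
    try:
        claimed = int(order.get("price"))
    except (TypeError, ValueError):
        claimed = None
    if claimed != expected:
        # Do not silently "correct" the figure: reject the order and raise a
        # tamper signal for the fraud / detection pipeline.
        return Outcome(False, 0,
                       f"price mismatch: client sent {claimed}, server computed {expected}",
                       tamper_suspected=True)
    return Outcome(True, expected, "ok")


def tamper_alert(order: dict, outcome: Outcome) -> str:
    """One log line per rejected order, for alerting on repeated attempts."""
    return (f"PRICE_TAMPER product={order.get('product')} qty={order.get('qty')} "
            f"claimed={order.get('price')} reason={outcome.reason!r}")


# Constructed orders: one as a browser would post it, one with the price edited.
HONEST_ORDER = {"product": "monthly-pass", "qty": 1, "price": 9459}
TAMPERED_ORDER = {"product": "monthly-pass", "qty": 1, "price": 50}
```

A cleaner design drops the price field from the client request altogether and has the server look it up; the comparison is kept here because the discrepancy is itself a useful detection signal.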
Tomi Engdahl says:
SK Telecom makes light of random numbers for IoT applications
Quantum random number generator in a 5 mm chip
https://www.theregister.co.uk/2017/07/26/sk_telecom_makes_light_of_random_numbers_for_iot_applications/
Quantum random number generators aren’t new, but one small enough to provide practical security for Internet of Things applications is interesting.
That’s what South Korean telco SK Telecom reckons its boffins have created, embedding a full quantum random number generator (QRNG) in a 5x5mm chip.
The company’s pitch is that QRNGs are large and (at least compared to IoT requirements) expensive, and it wants a commercial tie-up to make its research into an off-the-shelf device.
The telco hasn’t set a target price, beyond saying it wants its QRNG to be “the lowest price ever for a QRNG”. The two components sharing the 5 mm package are a quantum noise source (SK Telecom hasn’t specified what kind) acting as the input to a deterministic RNG.
More entropy, Igor! More entropy!
While you could safely argue that existing random number generators should be good enough to protect information through to the heat death of the universe, the randomness predicted by theory might not be achieved in practice because of buggy software.
At various times, random number failures have hit iOS, Windows XP, Raspberry Pi, and famously, RSA.
As long as your QRNG’s source of entropy is genuinely observing a quantum phenomenon, you don’t have to worry about it being predictable.
More than one answer to observing truly random quantum events is to listen to the quantum vacuum.
One of the many stranger predictions of quantum physics is that there’s no such thing as a “perfect” vacuum.
Tomi Engdahl says:
Cyber arm of UK spy agency left without PGP for four months
Meanwhile Huawei gets green light, despite failure to verify source code
https://www.theregister.co.uk/2017/07/24/spooks_agency_cesg_left_without_pgp_for_four_months/
UK spy agency GCHQ’s cyber security arm, CESG, was left without PGP encryption for more than four months, according to a government report.
This “prevent[ed] direct electronic receipt of evaluation reports”, it emerged in the Huawei Cyber Security Evaluation Centre (HCSEC) Oversight Board (PDF) annual report.
“Internal processes were updated to ensure this issue does not recur,” said the report.
Any risks to UK national security from Huawei’s involvement in the UK’s critical networks have been sufficiently mitigated
However, the report found the board had failed to verify Huawei’s source code. It said HCSEC has “provided less than ideal assurance to the operators, as part of their risk management regimes”.
It said: “The incomplete delivery of source code obviously means that HCSEC cannot provide assurance or risk management artefacts for the additional code.
“While this is a matter of significant concern, the [National Cyber Security Centre] does not believe this process is in any way malicious, but is based solely on Huawei supplying source code for the features procured and used by UK operators.”
Tomi Engdahl says:
Postmortem: What to Do After a Security Incident
http://www.linuxjournal.com/content/postmortem-what-do-after-security-incident
Incidents happen. Vulnerabilities happen. The quality of your response can make the difference between a bad day and a disaster. What happens after the response can make the difference between endless firefighting and becoming stronger with every battle. A quality postmortem analysis is free ammunition
This is how a good information security officer, or an engineer who’s a true information security evangelist, can make a difference:
1. Something happens. It may be an exercise, or a real incident.
2. You now have real information to go on. You are in a very different position from when you were working from the theoretical.
3. If you know how to understand that information, and what information you need, you may have a new understanding of the project or organization’s security needs. Even if this is only confirmation of what you knew before, it is important because…
4. This information and analysis, if communicated effectively, especially in the aftermath of an incident, can be a powerful tool for fixing problems.
5. Next time around, the organization will be a little more on its game, and another set of weaknesses can be shored up. Every iteration makes the organization stronger.
How to Sabotage Your Postmortem
Postmortem mistakes can have long-term implications, but they also can take a long time to identify. A bad postmortem feels just as satisfying as a good postmortem to someone who doesn’t know the difference. Unfortunately, it fills a team—or a whole organization—with false beliefs, missed opportunities and bad data, eroding its ability to mature its security. These erosions are small individually, but like water lapping up against a beach, they eventually aggregate. Learn these anti-patterns and be certain to recognize them.
Tomi Engdahl says:
2,227 Breaches Exposed 6 Billion Records in First Half of 2017: Report
http://www.securityweek.com/2227-breaches-exposed-6-billion-records-first-half-2017-report
More than 6 billion records were exposed as a result of the 2,227 data breaches that were reported in the first six months of 2017, according to a new report from Risk Based Security.
The number of publicly disclosed data compromise events through June 30 remained in line with the number of breaches disclosed mid-way through 2015 and 2016, but the total number of records exposed surpassed 2016’s year-end high mark.
The top 10 data breaches exposed 5.6 billion of the 6 billion records compromised, and had an average severity score of 9.82 out of 10.0, Risk Based Security’s report (PDF) reveals.
The United States registered by far the largest number of data breaches at 1,367, followed by the United Kingdom at 104, Canada at 59, India at 52, and Australia at 34. Overall, North America accounted for 64.2% of the breaches reported in the first half of 2017, while breaches involving U.S. entities accounted for 61% of incidents and 30% of the records compromised.
https://pages.riskbasedsecurity.com/hubfs/Reports/2017%20MidYear%20Data%20Breach%20QuickView%20Report.pdf
Tomi Engdahl says:
North Korea’s Elite More Connected Than Previously Thought
http://www.securityweek.com/north-koreas-elite-more-connected-previously-thought
Telecommunications capability in North Korea is three-tiered. The vast majority of people have neither internet nor North Korean intranet connectivity — they simply have mobile telephony voice, text and picture/video messaging within the domestic provider, Koryolink.
A small group of others, including university students, scientists and some government officials, can access the state-run North Korean intranet, Kwangmyong, that links libraries, universities and government departments and comprises a limited number of domestic websites.
In a report and analysis conducted in partnership with Team Cymru and published today, Recorded Future notes that North Korean leadership’s internet activity is little different to the rest of the world’s internet activity: “North Koreans spend much of their time online checking social media accounts, searching the web, and browsing Amazon and Alibaba,” notes the report. “Facebook is the most widely used social networking site for North Koreans, despite reports that it, Twitter, YouTube, and a number of others were blocked by North Korean censors in April 2016.”
North Korea’s Ruling Elite Are Not Isolated
https://www.recordedfuture.com/north-korea-internet-activity/
Tomi Engdahl says:
Misconfigured Google Groups Expose Sensitive Data
http://www.securityweek.com/misconfigured-google-groups-expose-sensitive-data
Researchers at cloud security firm RedLock believe hundreds of organizations may be exposing highly sensitive information by failing to properly configure Google Groups.
Google Groups is a service that allows users to create and take part in online forums and email-based groups. When a group is configured, its creator has to set sharing options for “Outside this domain – access to groups” to either “Private” or “Public on the Internet.”
RedLock’s Cloud Security Intelligence (CSI) team noticed that many Google Groups for Business users have allowed access to their groups from the Internet, and in some cases the configuration error has resulted in the exposure of sensitive information.
Researchers have found names, email and home addresses, employee salary data, sales pipeline data, and customer passwords in the exposed groups.
“We only looked for a sample of such cases and found dozens,” RedLock told SecurityWeek. “Extending that, there are likely hundreds of companies affected by this misconfiguration.”
https://blog.redlock.io/google-groups-misconfiguration
Tomi Engdahl says:
Hiding from artificial intelligence in the age of total surveillance
July 22, 2017 VICTORIA ZAVYALOVA
https://www.rbth.com/science_and_tech/2017/07/22/hiding-from-artificial-intelligence-in-the-age-of-total-surveillance_808692
Grigory Bakunov, a top specialist at one of Russia’s largest tech companies, has invented an anti-facial recognition algorithm to conceal people’s identities with the help of makeup.
Tomi Engdahl says:
Bloomberg:
UniCredit, Italy’s biggest bank, says hackers stole 400,000 clients’ biographical and loan data; the related attacks occurred Sept-Oct 2016 and June-July 2017
Hackers Breach 400,000 UniCredit Bank Accounts for Data
https://www.bloomberg.com/news/articles/2017-07-26/unicredit-says-400-000-clients-affected-by-security-breach
Bank said to have discovered breaches from 2016 only this week
Attack comes after 80 Ukrainian lenders compromised in June
UniCredit SpA, Italy’s No. 1 bank, said hackers took biographical and loan data from 400,000 client accounts in one of the biggest breaches of European banking security this year.
The attack occurred in September and October of 2016 and June and July of this year, according to an emailed statement from the bank on Wednesday. UniCredit only discovered the breaches this week
Cyberattacks on corporations and banks are accelerating. In May and June, two ransomware assaults swept the globe
“This is the first attack targeting an Italian bank and confirms that IT systems, particularly in Italy, need massive investment to avoid a loss of confidence,”
Today’s hack also comes after the Italian financial system had stabilized
In Europe, lenders such as Barclays Plc, Banco Santander SA and Deutsche Bank AG have joined forces with law-enforcement personnel to mount a unified defense against cyber-criminals by sharing expertise and information.
“There aren’t material damages for the bank and its clients from these attacks,” Tonella said. “No data, such as passwords allowing access to customer accounts or allowing for unauthorized transactions, has been affected.”
UniCredit, which is investing 2.3 billion euros in upgrading and strengthening its IT systems, has started an audit and will file a report
Cybersecurity experts are bracing for a wave of ever-more-ambitious hacks to hit in months to come, while their ability to catch perpetrators is often limited. Banking leaders are worried about more than the theft of customers’ data or money: cyber-criminals might also damage account databases and render them unusable
“Banks are justified in their fear of corrupted data,” Pinkard said. “Attackers could harm the bank by adding or subtracting a zero to every balance, or even deleting entire accounts.”
Tomi Engdahl says:
Reuters:
Greek police arrest Russia’s Alexander Vinnik on suspicion of laundering $4B+ via bitcoin; sources say Vinnik was key person behind the BTC-e currency exchange
Greece arrests Russian suspected of running $4 billion bitcoin laundering ring
http://www.reuters.com/article/us-greece-russia-arrest-idUSKBN1AB1OP
ATHENS/MOSCOW/NEW YORK (Reuters) – A Russian man suspected of being the anonymous mastermind behind one of the world’s oldest crypto-currency exchanges and of laundering at least $4 billion has been arrested in Greece, police and sources said on Wednesday.
Two sources close to the BTC-e virtual currency exchange, who declined to be named while commenting on an ongoing case, said Vinnik was a key person behind the platform, which has been offline since reporting “technical problems” late on Tuesday.
Police said “at least” $4 billion in cash had been laundered through a bitcoin platform since 2011 – the year BTC-e was founded – with 7 million bitcoins deposited, and 5.5 million bitcoins in withdrawals.
Founded in 2011, BTC-e is one of the oldest and most obscure virtual currency exchanges, allowing users to trade bitcoin anonymously against fiat currencies, such as the U.S. dollar, and other virtual currencies. Until today, the people behind it had remained anonymous.
Tomi Engdahl says:
The Swedish information crisis
Two ministers have resigned from the Swedish Vehicle Administration as a result of the information crisis.
The Swedish government does not differ from the information management crisis in the vehicle administration. Interior Minister Anders Ygeman and Minister of Infrastructure Anna Johansson, however, leave their jobs.
Source: http://www.iltalehti.fi/ulkomaat/201707272200289302_ul.shtml
Tomi Engdahl says:
Las Vegas locks down ahead of DEF CON hacking conference
Trust the hookers, don’t trust the Wi-Fi
https://www.theregister.co.uk/2017/07/25/def_con_hacking_conference/
Businesses in Las Vegas are locking down their systems as hackers fly into the fetid hell of Sin City for a trio of security conferences.
This week the BSides conference, Black Hat, and DEF CON are all in town and folks here are worried that their computers are going to be thoroughly subverted by visiting miscreants. Caesars Palace, the new home of DEF CON, has already closed its business center in case hackers take control of its networks.
Tomi Engdahl says:
‘SambaCry’ malware scum return with a Windows encore
‘CowerSnail’ opens garden variety backdoors rather than mining BTC
https://www.theregister.co.uk/2017/07/27/sambacry_malware_scum_return_with_a_windows_encore/
Malware authors continue to chip away at Samba bugs similar to those that helped spread WannaCry/WannaCrypt.
Kaspersky researchers writing at Securelist say they’ve spotted a Windows variant of SambaCry, which was first spotted in June. The new variant has been dubbed “CowerSnail”.
The researchers strongly suspect CowerSnail comes from SambaCry’s developers as it points to the same C&C server.
Tomi Engdahl says:
Revealed: 779 cases of data misuse across 34 British police forces
Probe finds widespread abuse of cop IT systems by personnel
https://www.theregister.co.uk/2017/07/26/uk_police_data_handling_foi/
A freedom-of-information request by Huntsman Security has discovered that UK police forces detected and investigated at least 779 cases of potential data misuse by personnel between January 2016 and April 2017.
Tomi Engdahl says:
A vendor that doesn’t think AI and ML will fix security? We found one!
RSA reckons crooks know predictability equals death
https://www.theregister.co.uk/2017/07/26/rsa_asia_2017_ai_ml/
Machine learning and artificial intelligence will improve security technologies and outcomes, but “won’t move the needle as much as people think”, according to RSA chief technology officer Zulfikar Ramzan.
Speaking to The Register at the company’s Asian conference in Singapore today, Ramzan said that while AI and ML will doubtless help security vendors to spot more threats, good criminals know that the more predictable they are, the easier they will be to detect. They therefore go to considerable lengths to be unpredictable, with the result that it’s hard to collect data of sufficient volume or quality to let ML and AI do their thing.
RSA won’t ignore AI and ML as a result, but thinks its clients will be better served if it can help organisations to understand which of their assets deserves different levels of security, based on their importance to the business.
Tomi Engdahl says:
Hacker Warns Radioactivity Sensors Can Be Spoofed Or Disabled
https://www.wired.com/story/radioactivity-sensor-hacks
The notion of a hacker-induced nuclear meltdown is the stuff of cyberpunk nightmares. And, let’s be clear, there’s no sign digital saboteurs are anywhere close to unleashing a nuclear apocalypse. But one hacker who has prodded at radioactive hazard protections for years says he’s found serious vulnerabilities in those safety systems. These aren’t bugs that would cause a radioactive disaster–but they could make it harder to prevent them.
At the Black Hat security conference Wednesday, security researcher Ruben Santamarta laid out a series of potentially hackable security flaws in the software and hardware systems designed to protect against radioactive contamination in two distinct forms. One of his targets is a common model of radioactivity sensor at nuclear power facilities. Another is a set of devices sold as “gate” monitoring system, which check vehicles and humans for radioactivity as they leave nuclear facilities, or to screen cargo that passes through borders and ports.
Thankfully, none of Santamarta’s attacks present a practical path to a hacker-induced meltdown.
Tomi Engdahl says:
Superconference Interview: Samy Kamkar
http://hackaday.com/2017/07/26/superconference-interview-samy-kamkar/
Samy Kamkar has an incredible arsenal of self-taught skills that have grown into a remarkable career as a security researcher. He dropped out of high school to found a company based on Open Source Software and became infamous for releasing the Samy worm on the MySpace platform. But in our minds Samy has far outpaced that notoriety with the hardware-based security exploits he’s uncovered over the last decade. And he’s got a great gift for explaining these hacks — from his credit card magstripe spoofing experiments to hacking keyless entry systems and garage door opener remotes — in great depth during his talk at the 2016 Hackaday Superconference.
Samy Kamkar Hackaday Superconference Interview
https://www.youtube.com/watch?v=JjpD7EDMPz0
Tomi Engdahl says:
Bot vs Bot in Never-Ending Cycle of Improving Artificial intelligence
http://www.securityweek.com/bot-vs-bot-never-ending-cycle-improving-artificial-intelligence
Artificial intelligence, usually in the form of machine learning (ML), is infosecurity’s current buzz. Many consider it will be the savior of the internet, able to defeat hackers and malware by learning and responding to their behavior in all-but real time. But others counsel caution: it is a great aid; but not a silver bullet.
The basic problem is that if machine learning can learn to detect malware, machine learning can learn to avoid detection by machine learning. This is a problem that exercises Hyrum Anderson, technical director of data science at Endgame.
At the BSides Las Vegas in August 2016 he presented his work on a ‘Deep Adversarial Architectures for Detecting (and Generating!) Maliciousness’. He described the concept of using red team vs blue team gaming, where a ‘malicious’ algorithm continually probes a defensive algorithm looking for weakness, and the defensive algorithm learns from the probes how to improve itself.
Omri Moyal, co-founder and VP of research at Minerva, explains. “Given the increased adoption of anti-malware products that use machine learning, most adversaries will soon arm themselves with the capabilities to evade it,” he told SecurityWeek. “The most sophisticated attackers will develop their own offensive models. Some will copy ideas and code from various publicly-available research papers and some will even use simple trial and error, or replicate the offensive efforts of another group. In this cat-and-mouse chase, the defenders should change their model to mark the evolved attack tool as malicious. A process which is the modern version of ‘malware signature’ but more complex.”
Tomi Engdahl says:
What Are Security Buyers Looking For?
http://www.securityweek.com/what-are-security-buyers-looking
The information security market has been a topic of acute interest for quite some time now. Estimates around the current size of the market range between $75 and $150 Billion. That is far larger than the market was even just a few years ago. That being said, the market is expected to continue to grow at around 10% per year over the next five years. That puts the size of the security market at somewhere between $120 and $240 Billion by 2022.
Although it is difficult to pinpoint the exact size of the security market, one thing is very clear. There is an incredible amount of investment in people, process, and technology that is expected to continue to grow in the coming years. Yet, with all that investment, if you ask most security buyers what they are looking for, they would probably quote you a line from a famous U2 song: “I still haven’t found what I’m looking for.”
Recently, I attended a few different security events that were relatively well attended. I happened to notice a few people that I knew to be in “buyer” positions. It seemed that every time I happened across them during the course of the event, another person in a “seller” position had their ear. Of course, this is a natural part of professional events. But if you happen to be in a seller position, take a moment to think about it from the perspective of the buyer. Perhaps you are the 10th, 50th, or even 100th person that day to grab their ear and make your pitch.
The question then becomes: What was the pitch that was relayed and how did it resonate with the buyer?
Did the pitch perhaps highlight how the product or service, which competes in a crowded market with 20 or 30 competing products or services, is just a bit better than the competition? Or, perhaps the pitch described a product or service that doesn’t quite fit into the buyer’s strategic plan or budget? Or, perhaps the pitch detailed a product or service found in a market that the buyer has already invested in?
Large enterprises with large security teams regularly benchmark themselves, perform assessments, and undergo audits to identify challenges and issues that need addressing. Thus, these large organizations generally have a pretty good idea of what problems need solving. Consequently, those on the seller side can simply ask those on the buyer side what they are looking for. Buyers are generally quite happy to share their priorities and plans for the near and even distant future. If sellers listen acutely, they will find the information they are looking for. I did this quite a bit in my immediate previous role with good results.
In my opinion, this is why the time for automated benchmarking and assessment has come. I’m not an elitist. Small and medium-sized businesses need the ability to benchmark, assess, and audit just as much as large businesses. The problem is that the current state-of-the-art for benchmarking, assessment, and audit involves a very manual, labor-intensive process. While this process works well for large businesses, there are two main limitations here that keep SMBs from leveraging these services:
● Cost: Not surprisingly, a manual, labor-intensive process requires people to fuel it. And in this case, we are talking about highly-skilled, expensive people. That makes the cost of manual benchmarking, assessment, and audit a fairly high one. And one that is simply out of the reach of just about all small and medium-sized businesses.
● Bandwidth: When a service relies on highly-skilled people, there is a natural bandwidth limitation that occurs. There are simply not enough people with the requisite skills necessary to perform the benchmarking, assessment, and audit services that small and medium-sized business would require, even if the price point could be lowered.