Year 2017 will not have any turn towards better data security. The internet is rife with such well-known than the unknown threats. The company’s systems are supposed to be protected.Hackers are going to continue to look for new ways to extort and steal information from businesses and organizations, which unfortunately means those businesses and organizations will have to continue to look for new ways to protect themselves.
Critical infrastructure cames under attack in 2017. Critical infrastructures must be better protected from criminals and terrorists who take advantage of modern technologies that are essential for the functioning of society and the economy. IT security functions of industrial control systems (ICS), energy grids and IoT networks needs to be improved in 2017.
There is push for better web security in 2017. Starting New Year’s Day, Google’s Chrome will begin labeling as “insecure” all websites that transmit passwords or ask for credit card details over plain text HTTP. Beginning in January 2017 (Chrome 56), HTTP sites that transmit passwords or credit cards are marked as non-secure, as part of a long-term plan to mark all HTTP sites as non-secure.
SHA-1 is insecure. Starting on Jan 1, 2017, most CAs will migrate to SHA-2 certificates, and major browser makers have already announced plans to adopt the change, including Microsoft, Google, and Mozilla. Their browsers will no longer trust sites that use SHA-1 starting with that date, and they will mark these websites as insecure. 1/3 of Websites Use SHA-1 Certificates Despite Looming Deadline. SHA-1 will still hang around, like a fart in a spacesuit, for many years to come because some people are lazy enough not to make the change.
There will be changes in how security is viewed in 2017 by businesses. We will likely see cloud adoption continue to grow across the United States, network visibility will no longer just be an option, AI and machine learning will shake old security models, and IoT-powered attacks will continue to rise. All of this will factor into how businesses set up, monitor and secure their networks.
The Commoditization of Cyberattacks Will Make Them More Frequent in 2017. More and more companies suffer from disruption to business due to cyber attacks. Cyber-attacks cause companies significant financial losses, but the studies shows that companies are not prepared for attacks. According to Gartner, by 2018 only 40 per cent of large companies have official plans in case of cyber attacks. Last year, the percentage was zero.
Strap yourself in for a bumpy ride in 2017. 2016 sucked. 2017 won’t be much better, sorry. DDoS attacks have been around since at least 2000, and they’re not going away. In fact, as the number of devices online grows, the volume and velocity of these attacks is also increasing. DDoS attack toolkits have been around for years, as have services that will enable you to pay for an attack. Expect to see more of them. It seems that 2017 promises to be the most dramatic year yet in DDoS conflict. Whale-sized DDoS attacks will increase, the IoT will become a bigger factor in DDoS and DDoS will overshadow ransomware attacks and is used for extortion. Expect to see the Internet of Things (IoT) and other connected devices play an important part in these attacks.
Biometric identification will become more common in 2017, but it will not replace passwords. Fingerprint identification has become increasingly common in smartphones and already the technology is fast and reliable. This year biometric identification devices were sold for 4.5 billion dollars (most of them go to smart phones and laptops). 91 percent of biometric sales were fingerprint sensors, four per cent of face detection and three per cent iris detection.
Biometrics Won’t Kill Passwords any time soon. Even though PIN codes and passwords are actually pretty lousy protection case against skilled cybercriminal, the password will never disappear entirely, as two per cent of the world’s population is persons with a fingerprint not suitable for biometric identifier to work. Other biometric identification systems have also similar limitations and/or are not yet commonly available at reasonable cost. While biometrics, including fingerprint-, face-, iris-, palm- and speech-recognition, will continue to grow as a more secure substitute for passwords, they will not render passwords obsolete. Until the other common biometrics become commonplace, passwords are here to stay until circa 2030.
Fights with encryption and backdoors for them is not over in 2017. Many public figures in law enforcement have consistently argued that device encryption presents a new threat to police powers of investigation. On the other side House Judiciary Committee’s Encryption Working Group report says encryption backdoors pose a security threat, siding with tech experts in their latest report . The problem is that any system allowing police to get into those encrypted system (let it be phone, computer or communications) could also be exploited by criminals. Any action in this space should weigh any short-term benefits against the longterm impacts. Many industry experts will rightly tell you there is no such thing as partial data encryption. You either have a fully capable system or none at all.
Given the security events of 2016, coupled with the rapid advancements and adoption of cloud computing, 2017 will be the year in which many finally accept that network infrastructure and security will have to be rethought from the ground up. In 2017 the cloud will become a risk for users: The cloud becoming insecure – extortion and IoT openings.
The rivalry between the network attacks and network security is in acceleration. Crippling Internet services with denial of service attacks are becoming more common throughout the world. DDoS attacks have been around since at least 2000, and they’re not going away. In fact, as the number of devices online grows, the volume and velocity of these attacks is also increasing. IoT-powered attacks will continue to rise and stopping the attack is not easy. For most companies the key thing is that the attack traffic is stopped before it reaches the company’s Internet connection or servers (needs to use telecom operator and external services increase). In addition to service disturbion Denial of Service Attacks are often used as distraction during the actual data burglary.DDoS may take over from ransomware as a cause for concern.
In 2017 the IT and security professionals talk about more about business risks. Historically, firewalls, DLP, antivirus, SIEM and other technical point solutions have been the centerpiece of security conversations, but the mindset is slowly shifting from technology to risk. The goal of stopping all attacks and preventing all business impact has been recognized as a fool’s errand, and has shifted to measuring risk and minimizing business impacts. Cyber security is increasingly being viewed as a risk management problem.
In 2017 ‘Security’ Must be Added to our Existing Ethical and Philosophic Concerns Over Artificial Intelligence and Algorithms. Algorithms soon run the world. They present problems that are seriously questioned on both ethical and philosophic grounds; and they have become the basis of fictional Armageddons.
Cyber insurance will be more thoughs as on solution for handling cyber risks in 2017. The global cyber insurance market is expected to generate $14 billion by 2022, according to a new report published by Allied Market Research (AMR). That figure represents an impressive compound annual growth rate (CAGR) of nearly 28% from 2016 to 2022.
In 2017 Big Brother will be watching you 24/7.Those of you who’ve read George Orwell’s book 1984 or seen the movie ,will remember how the citizens of the fictitious totalitarian state of Oceana are constantly under surveillance by order of its dictator, Big Brother. So now swap your home desktop computer, laptop or smart phone for the fictitious telescreen and not only are you sitting in front of what is a modern day version of the Big Brother telescreen you are also walking around with one in your pocket or handbag. Sound a bit far fetched to you? Well it’s set to become a reality in many countries.
Users will want better security or at least to feell more secure in 2017. Many people are prepared to to extremes for better security. According to a recent survey of over 2,000 adults conducted by Harris Poll Nearly 40% of Americans Would Give Up Sex for a Year or eating their favourite food in Exchange for Better Online Securit, meant they’d never have to worry about being hacked. When you consider that 87 percent of U.S. adults use the internet, it makes sense that cyber security is one of the biggest concerns today. The single biggest thing people can do to help keep their online identity safe is probably the easiest – a solid password – and not giving it to other people. Still nearly 50% of people have shared a password to an e-mail account or to an account like Netflix.
Security Becomes A Multi-System Issue and more people talking about the issue. Design teams will have to bake strategies in from the start, no matter how insignificant the device.The good news is that it more people talking about the issue. The real challenge is packing enough security features into designs to prevent security breaches of every sort, including those that can come from other electronics that weren’t even considered as part of the design process. Just as devices get more sophisticated, so do hackers.The reality is that security breaches can even cause physical harm. It’s time to look at this at a multi-system, multi-disciplinary level. Otherwise, we literally could be playing with fire.
Block chains have been a big trend for several years. The block chain market is divided now when 2017 starts. During the autumn 2016, we have seen a number of initiatives on cooperation between the financial sector and consulting companies. Microsoft has chosen a platform for Ethereum-block chain and offers it to the Azure cloud service. IBM has jumped Hyperledger consortium bandwagon and offering their own block chains to Bluemix service. Google and Amazon still shine by their absence. Even banks may prefer to see the use of cloud for the block chains.
Other prediction articles worth to look:
What Lies Ahead for Cybersecurity in 2017?
Network Infrastructure, Visibility and Security in 2017
DDoS in 2017: Strap yourself in for a bumpy ride
Cybersecurity Industry Outlook: 2017 to 2021 | CSO Online
IBM’s Cybersecurity Predictions for 2017 – eForensics
https://eforensicsmag.com/ibms-cybersecurity-predictions-2017/
Top 5 Cybersecurity Threats to Watch Out for in 2017
Experts Hopeful as Confidence in Risk Assessment Falls
3,151 Comments
Tomi Engdahl says:
SonicSpy Spyware Found in Over One Thousand Android Apps
http://www.securityweek.com/sonicspy-spyware-found-over-one-thousand-android-apps
Security researchers have found more than one thousand applications rigged with spyware over the past six months, including some distributed via Google Play.
The applications are part of the SonicSpy malware family and have been aggressively deployed since February 2017 by a threat actor likely based in Iraq, Lookout security researchers say. Google was informed on the malicious activity and has removed at least one of the offending apps from Google Play.
Tomi Engdahl says:
Hackers Say Humans Most Responsible for Security Breaches
http://www.securityweek.com/hackers-say-humans-most-responsible-security-breaches
Under the principle of set a thief to catch a thief, 250 hackers at Black Hat 2017 were asked about their hacking methods and practices. By understanding how they work and what they look for, defenders can better understand how to safeguard their own systems.
Thycotic surveyed (PDF) a cross section of hackers attending Black Hat. Fifty-one percent described themselves as white hats; 34% described themselves as grey hats using their skills for both good and bad causes; and 15% self-identified as out-and-out black hats.
The hackers’ number one choice for fast and easy access to sensitive data is gaining access to privileged accounts (31%). Second is access to an email account (27%), and third is access to a user’s endpoint (21%). All other routes combined totaled just 21%.
The hackers also confirmed that perimeter security, in the form of firewalls and anti-virus, is irrelevant and obsolete. Forty-three percent are least troubled by anti-virus and anti-malware defenses, while 29% are untroubled by firewalls.
https://thycotic.com/wp-content/uploads/2013/03/BlackHa_Hacker_Survey_Report_2017.pdf
Tomi Engdahl says:
New password guidelines say everything we thought about passwords is wrong
https://venturebeat.com/2017/04/18/new-password-guidelines-say-everything-we-thought-about-passwords-is-wrong/
When I recently discovered a draft of new guidelines for password management from NIST (the National Institute of Standards and Technology), I was amazed about the number of very progressive changes they proposed.
Although NIST’s rules are not mandatory for nongovernmental organizations, they usually have a huge influence as many corporate security professionals use them as base standards and best practices when forming policies for their companies. Thus, another fact I was surprised about was a lack of attention to this document, finalized March 31, from both official media and the blogosphere. After all, those changes are supposed to affect literally everyone who browses the Internet
Tomi Engdahl says:
Wall Street Journal:
FBI says ISIS used fake eBay listings to send a total of $8,700 via PayPal to a US-based ISIS operative
FBI Says ISIS Used eBay to Send Terror Cash to U.S.
https://www.wsj.com/articles/fbi-says-isis-used-ebay-to-send-terror-cash-to-u-s-1502410868
Affidavit alleges American citizen Mohamed Elshinawy was part of a global network stretching from Britain to Bangladesh
Tomi Engdahl says:
Danny Palmer / ZDNet:
Over 1,000 Android apps, including 3 in the Play Store, found to be distributing SonicSpy spyware that silently records audio, takes photos, and makes calls
Android app stores flooded with 1,000 spyware apps
http://www.zdnet.com/article/android-app-stores-flooded-with-1000-spyware-apps/
Three fake messaging apps in the Google Play Store have been found to be distributing SonicSpy malware.
Tomi Engdahl says:
Frederic Lardinois / TechCrunch:
AWS unveils Macie security service, which uses machine learning to classify sensitive info stored on S3 and then monitors access to it
Amazon Macie helps businesses protect their sensitive data in the cloud
https://techcrunch.com/2017/08/14/amazon-macie-helps-businesses-protect-their-sensitive-data-in-the-cloud/
Amazon’s AWS cloud computing service hosted its annual NY Summit today and it used the event to launch a new service: Amazon Macie. The idea behind Macie is to use machine learning to help businesses protect their sensitive data in the cloud. For now, you can use Macie to protect personally identifiable information and intellectual property in the Amazon S3 storage service, with support for other AWS data stores coming later this year (likely at the re:Invent conference in November).
The company says the fully managed service uses machine learning to monitor how data is accessed and to look for any anomalies. The service then alerts users of any activity that looks suspicious so they can find the root cause of any data leaks (whether those are malicious or not). To do all of this, the service continuously monitors new data that comes into S3. It then uses machine learning to understand regular access patterns and the data in the storage bucket.
As with all AWS services, pricing is complicated, but mostly based on the number of events and data the service processes every month. Because a lot of costs are bound to the initial classification of the data, the first month of usage is also likely the most expensive.
Tomi Engdahl says:
Steve Kovach / Business Insider:
Google says it will cancel Daily Stormer’s domain registration, shortly after site switched from GoDaddy; Zoho also says it’ll stop providing services to site
Google cancels domain registration for Daily Stormer
http://nordic.businessinsider.com/google-cancels-domain-registration-for-daily-stormer-2017-8?op=1&r=US&IR=T
Google has canceled the domain registration for The Daily Stormer, a company spokesperson confirmed Monday.
“We are cancelling Daily Stormer’s registration with Google Domains for violating our terms of service,” the spokesperson told Business Insider.
Google didn’t want its services used to incite violence, a source close to Google told Business Insider.
Tomi Engdahl says:
Hacker Leaks ‘Curb Your Enthusiasm’ Episodes, Other HBO Series
http://variety.com/2017/tv/news/hacker-leaks-curb-your-enthusiasm-episodes-other-hbo-series-1202526233/
The weeks-long standoff between HBO and a hacker intent on extracting money from the Time Warner-owned cable network intensified Sunday with the leak of several episodes of “Curb Your Enthusiasm,” as well as other series.
The Larry David-fronted comedy series wasn’t scheduled to return to TV until October. But in a statement issued Sunday after the hacker’s dumping, the network did not indicate it would yield to pressure tactics.
”We are not in communication with the hacker and we’re not going to comment every time a new piece of information is released,” the network said in a statement. “It has been widely reported that there was a cyber incident at HBO. The hacker may continue to drop bits and pieces of stolen information in an attempt to generate media attention. That’s a game we’re not going to participate in. Obviously, no company wants their proprietary information stolen and released on the internet. Transparency with our employees, partners, and the creative talent that works with us has been our focus throughout this incident and will remain our focus as we move forward. This incident has not deterred us from ensuring HBO continues to do what we do best.”
Tomi Engdahl says:
If Anonymous ‘pwnd’ the Daily Stormer, they did a spectacularly awful job
More likely damage control after host GoDaddy pulled plug
https://www.theregister.co.uk/2017/08/14/anon_daily_stormer/
Doubts have been cast over claims that hacktivists have taken control of neo-Nazi website the Daily Stormer.
Elements of the loose hacker collective Anonymous supposedly took control of the site as a reprisal for the death of anti-racist protestor Heather Heyer after she was struck by a car during protests by white supremacists in Charlottesville, Virginia. According to the most recent “post” on the site, the hackers were ostensibly threatening to dox the Daily Stormer’s Andrew Anglin and users of the controversial site.
Anonymous, via a long-established Twitter account, cast doubt on whether hackers were actually behind the action.
In short, the hack is likely a hoax.
Current host GoDaddy has given the Daily Stormer 24 hours to find a new hosting company over terms-of-service violations.
Tomi Engdahl says:
GoDaddy revokes 9,000 SSL certificates wrongly validated by code bug
Your website will work, but might be riddled with errors
https://www.theregister.co.uk/2017/01/11/godaddy_pulls_unvalidated_digital_certs/
GoDaddy was obliged to revoke thousands of SSL certificates on Tuesday as the result of an unspecified software bug.
An affected website’s HTTPS encryption will still work even if its GoDaddy-issued certificate is revoked. However, visitors to your website may see error messages or warnings in their browser until a new certificate is installed. GoDaddy, which is issuing these replacement certificates free of charge, apologised to customers for the hassle caused by the slip-up in its notification email.
Tomi Engdahl says:
Security researcher Marcus Hutchins pleads not guilty, returns to Twitter
https://techcrunch.com/2017/08/14/marcus-hutchins-arraignment-wisconsin/?ncid=rss&utm_source=tcfbpage&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29&utm_content=FaceBook&sr_share=facebook
Initially, Hutchins was prevented from going online after his arrest. In court today, Hutchins was granted nearly unfettered access to the internet
Notably, as the International Business Times reports, the government appeared to acknowledge that the case against Hutchins was “historical” in nature, suggesting that it no longer considers Hutchins a threat in a seeming acknowledgement of his role preventing the spread of more recent malware. That kind of language could bode well for his case.
Hutchins, a British citizen, will now be allowed to move around the U.S. freely
Tomi Engdahl says:
DJI adds an offline mode to its drones for clients with ‘sensitive operations’
https://techcrunch.com/2017/08/14/dji-adds-an-offline-mode-to-its-drones-for-clients-with-sensitive-operations/?ncid=rss&utm_source=tcfbpage&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29&utm_content=FaceBook&sr_share=facebook
DJI is working on a “local data mode” for its apps that prevents any data from being sent to or received from the internet. The feature will be welcomed by many, but it’s hard not to attribute the timing and urgency of the announcement to the recent ban of DJI gear by the U.S. Army over unspecified “cyber vulnerabilities.”
“We are creating local data mode to address the needs of our enterprise customers, including public and private organizations that are using DJI technology to perform sensitive operations around the world,”
Tomi Engdahl says:
Accidenture Security 2017 CYBER THREATSCAPE REPORT
https://www.accenture.com/t20170721T220639Z__w__/us-en/_acnmedia/PDF-57/Accenture-2017-cyber-year-threatscape-report.pdf#zoom=50
Tomi Engdahl says:
Salvador Rodriguez / Reuters:
US judge orders LinkedIn to remove any tech stopping hiQ Labs from scraping public profile data, after LinkedIn sent cease and desist letter in May
U.S. judge says LinkedIn cannot block startup from public profile data
http://www.reuters.com/article/us-microsoft-linkedin-ruling-idUSKCN1AU2BV
A U.S. federal judge on Monday ruled that Microsoft Corp’s (MSFT.O) LinkedIn unit cannot prevent a startup from accessing public profile data, in a test of how much control a social media site can wield over information its users have deemed to be public.
U.S. District Judge Edward Chen in San Francisco granted a preliminary injunction request brought by hiQ Labs, and ordered LinkedIn to remove within 24 hours any technology preventing hiQ from accessing public profiles.
The case is considered to have implications beyond LinkedIn and hiQ Labs and could dictate just how much control companies have over publicly available data that is hosted on their services.
“To the extent LinkedIn has already put in place technology to prevent hiQ from accessing these public profiles, it is ordered to remove any such barriers,” Chen’s order reads.
Tomi Engdahl says:
Discord Bans Servers That Promote Nazi Ideology
https://games.slashdot.org/story/17/08/14/2039230/discord-bans-servers-that-promote-nazi-ideology
A popular video game chat service with over 25 million users announced today that it had shut down “a number of accounts” following violence instigated by white supremacists over the weekend. Discord, the service “which lets users chat with voice and text, was being used by proponents of Nazi ideology both before and after the attacks in Charlottesville, Virginia,” reports The Verge. “We will continue to take action against Nazi ideology, and all forms of hate,” the company said in a tweet.
Discord bans servers that promote Nazi ideology
After Charlottesville, ‘Love. Not hate’
https://www.theverge.com/2017/8/14/16145432/discord-nazi-ban-white-supremacist-altright
Discord, a fast-growing free chat service popular among gamers, said today that it had shut down “a number of accounts” following violence instigated by white supremacists over the weekend. The service, which lets users chat with voice and text, was being used by proponents of Nazi ideology both before and after the attacks in Charlottesville, Virginia. “We will continue to take action against Nazi ideology, and all forms of hate,” the company said in a tweet.
Discord declined to state how many servers had been affected, but said it included a mix of old accounts and accounts that were created over the weekend.
Tomi Engdahl says:
Bootnote: In our background reading for this story, Vulture South has made a shocking discovery: we know who to blame for the permanent trash-fire that is Internet of Things security. Here’s the damning text, with italics added by The Reg.
From RFC 2324:
Coffee pots heat water using electronic mechanisms, so there is no fire. Thus, no firewalls are necessary, and firewall control policy is irrelevant .
Source: https://www.theregister.co.uk/2017/08/14/error_418_im_a_teapot_preserved/
Tomi Engdahl says:
Old Firefox add-ons get ‘dead man walking’ call
After version 57, plugins go to browser heaven
https://www.theregister.co.uk/2017/08/14/firefox_57_to_disable_all_extensions/
The end of legacy Firefox plugins is drawing closer, with Mozilla’s Jorge Villalobos saying they’ll be disabled in an upcoming nightly build of the browser’s 57th edition.
While he didn’t specify just how soon the dread date will arrive, Villalobos writes: “There should be no expectation of legacy add-on support on this or later versions”.
It’s been a long dark tea-time of the soul for plugins: back in March, with Version 52, the devs made Flash the only anointed plugin, with anything reliant on the Netscape Plugin API (NPAPI) forbidden.
There’s always a legacy base, however, and that’s what Mozilla’s taking aim at in Version 57.
“All legacy add-ons will have strict compatibility set, with a maximum version of 56.*. This is the end of the line for legacy add-on compatibility. They can still be installed on Nightly with some preference changes, but may break due to other changes happening in Firefox”, Villalobos’ post states.
Tomi Engdahl says:
To Manage Risk Understand Adversaries, Not Just Activity in Your Environment
http://www.securityweek.com/manage-risk-understand-adversaries-not-just-activity-your-environment
Six years ago the US National Institute of Standards and Technology (NIST) put forth a framework for information security continuous monitoring (ISCM), defined as maintaining ongoing awareness of information security, vulnerabilities and threats to support organizational risk management decisions. The framework describes tools and technologies to support continuous monitoring with one of the objectives being to maintain awareness of threats and vulnerabilities.
The recommended technologies are mainly focused on monitoring activity inside the organization and looking for known threats for which a signature exists, both of which are critical. But to get a comprehensive assessment of risk, you also need to consider what’s happening outside the organization. Continuous threat assessment
Broadening the scope of risk assessment, the opening keynote at the Gartner Security & Risk Management Summit 2017 focused on CARTA, continuous adaptive risk and trust assessment, to manage the increasing risk associated with the digital world. CARTA complements the NIST framework with a process that spans the business – from how companies develop technology products to external partners along the supply chain. The CARTA process involves continuously assessing your ecosystem risk, which extends beyond the walls of the enterprise, and adapting as necessary.
Mitigating risk in the digital world is a challenge vexing more and more security teams. New research by ESG found that 26 percent of cybersecurity professionals claim that security analytics and operations is more difficult than it was two years ago because the threat landscape is evolving so rapidly that it is difficult to keep up.
A recent report from Cisco corroborates this sentiment stating that security experts are becoming increasingly concerned about the accelerating pace of change and sophistication in the global cyber threat landscape.
Whatever risk management framework or process you use – ISCM, CARTA, or something else, gaining a complete picture of risk hinges on your ability to keep up with the real threats to your organization. Given today’s dynamic threat landscape, continuous threat assessment is the linchpin in gaining a comprehensive understanding of security risk.
Tomi Engdahl says:
Defenders Gaining on Attackers, But Attacks Becoming More Destructive: Cisco
http://www.securityweek.com/defenders-gaining-attackers-attacks-becoming-more-destructive-cisco
Cisco Publishes 2017 Midyear Cybersecurity Report
Cisco’s just-released Midyear Cybersecurity Report (PDF) draws on the accumulated work of the Cisco Security Research members. The result shows some improvement in industry’s security posture, but warns about the accelerating pace of change and sophistication in the global cyber threat landscape.
Improvements can be demonstrated by the mean ‘time to detect.’ When monitoring first began in November 2015, this stood at 39 hours; but it narrowed to about 3.5 hours in the period from November 2016 to May 2017.
http://www.cisco.com/c/dam/m/digital/elq-cmcglobal/witb/1456403/Cisco_2017_Midyear_Cybersecurity_Report.pdf
Tomi Engdahl says:
Hackers Say Humans Most Responsible for Security Breaches
http://www.securityweek.com/hackers-say-humans-most-responsible-security-breaches
Under the principle of set a thief to catch a thief, 250 hackers at Black Hat 2017 were asked about their hacking methods and practices. By understanding how they work and what they look for, defenders can better understand how to safeguard their own systems.
Thycotic surveyed (PDF) a cross section of hackers attending Black Hat.
The hackers also confirmed that perimeter security, in the form of firewalls and anti-virus, is irrelevant and obsolete. Forty-three percent are least troubled by anti-virus and anti-malware defenses, while 29% are untroubled by firewalls. “Hackers today are able to bypass both firewalls and AV using well known applications and protocols or even VPN that hide within expected communications,”
https://thycotic.com/wp-content/uploads/2013/03/BlackHa_Hacker_Survey_Report_2017.pdf
Tomi Engdahl says:
A Pragmatic Approach to Your Digital Transformation Journey
http://www.securityweek.com/pragmatic-approach-your-digital-transformation-journey
From the Amazon juggernaut to the now legendary story of Uber, examples of digital disruption reshaping markets and industries abound. In fact, in their 2017 State of Digital Disruption study, the Global Center for Digital Business Transformation (DBT Center) says that in just two years digital disruption has gone from a peripheral concern to top-of-mind. The DBT Center’s latest study finds that among the 636 business leaders polled across 44 countries and 14 industries, 75 percent believe that digital disruption will have a major or transformative impact on their industry. This is in sharp contrast to the 26 percent that felt that way when last surveyed in 2015.
With a security strategy and architecture in place, you are now ready to take on the next key stages in your digital journey.
1. Hyper-connectivity: Driving new patterns of rich connections between people, process, data, and things.
2. Data integration: Embedding data-driven insights and decisions directly into the workflows and applications that drive business.
3. Machine learning: Automating insight from business and operational data to intelligently scale key initiatives.
As with most new and challenging endeavors, you need to define a pragmatic approach to mastering hyper-connectivity, data integration, and machine learning.
Just as novice runners don’t start with a marathon – they begin with a 5K and work up from there – the same is true as you embark on digital transformation. With a strong cybersecurity foundation in place, the most successful journeys begin with initiatives that involve strategic, but limited, connectivity and data integration. As digital value is realized, you build on success, incrementally expanding connectivity and integration and layering in machine learning.
Tomi Engdahl says:
New password guidelines say everything we thought about passwords is wrong
https://venturebeat.com/2017/04/18/new-password-guidelines-say-everything-we-thought-about-passwords-is-wrong/
When I recently discovered a draft of new guidelines for password management from NIST (the National Institute of Standards and Technology), I was amazed about the number of very progressive changes they proposed.
Here is a quick look at the three main changes the NIST has proposed:
No more periodic password changes. This is a huge change of policy as it removes a significant burden from both users and IT departments. It’s been clear for a long time that periodic changes do not improve password security but only make it worse, and now NIST research has finally provided the proof.
No more imposed password complexity (like requiring a combination of letters, numbers, and special characters). This means users now can be less “creative” and avoid passwords like “Password1$”, which only provide a false sense of security.
Mandatory validation of newly created passwords against a list of commonly-used, expected, or compromised passwords. Users will be prevented from setting passwords like “password”, “12345678”, etc. which hackers can easily guess.
So why haven’t we seen any coverage of the changes considering how much of a departure they are from previous advice — and considering every average user is going to be affected? I think there are several reasons for the radio silence.
First, many people now suffer from password fatigue. Users are tired of and disappointed with password rules. They are forced to follow all these complex guidelines, remember and periodically change dozens or hundreds of different passwords, and yet we still hear about an enormous number of security breaches caused by compromised passwords. Users, especially less sophisticated ones, seem to have reconciled themselves to this situation and perceive it as a matter of course, so no one believes it can be improved.
Second, we’ve seen a widespread introduction of MFA (multi factor authentication), also known as two factor authentication, which supposedly pushes the password problem to the background.
NIST Special Publication 800-63B
Digital Identity Guidelines
Authentication and Lifecycle Management
https://pages.nist.gov/800-63-3/sp800-63b.html
Tomi Engdahl says:
Feds demand 1.3 million IP addresses of those who visited Trump protest site
https://arstechnica.com/tech-policy/2017/08/feds-demand-1-3-million-ip-addresses-of-those-who-visited-trump-protest-site/
DreamHost said the warrant is “a clear abuse of government authority.”
The Justice Department is seeking the 1.3 million IP addresses that visited a Trump resistance site. The search warrant is part of an investigation into Inauguration Day rioting, which has already resulted in the indictment of 200 people in the District of Columbia. DreamHost, the Web host of the disruptj20.org site that helped organize the January 20 protests, is challenging the warrant it was served as being an “unfocused search” and declared that it was a “clear abuse of government authority.”
That information could be used to identify any individuals who used this site to exercise and express political speech protected under the Constitution’s First Amendment. That should be enough to set alarm bells off in anyone’s mind.”
In a related development, Facebook is fighting a gag order prohibiting it from telling users about search warrants connected to the January 20 rioting.
Tomi Engdahl says:
Police camera inaction? Civil liberties group questions forces’ £23m body-cam spend
Report says UK cops need to prove tech benefits policing
https://www.theregister.co.uk/2017/08/15/big_brother_watch_probes_police_body_cams/
Almost three-quarters of police forces have forked out more than £22m on body-worn cameras, but are failing to properly monitor how the videos are used in court, according to a report released today.
Proponents of the technology argue it will improve transparency in frontline policing, stop police and the public from behaving badly and speed up court proceedings by encouraging earlier guilty pleas.
But civil liberties group Big Brother Watch – which compiled its report based on Freedom of Information requests to all 45 UK forces – said there wasn’t enough evidence that it had a positive impact on policing.
Tomi Engdahl says:
Drone-maker DJI’s Go app contains naughty Javascript hot-patching framework
Apple has already smote JSPatch once this year
https://www.theregister.co.uk/2017/08/15/dji_go_app_jspatch_tinker_silent_update_no_review/
Updated Chinese drone firm DJI appears to have baked a hot-patching framework into its Go app that breaks Apple’s App Store terms and conditions, according to drone hacker sources.
The patching framework in question, JSPatch, appears to be baked into the iOS version of Go. Earlier this year Apple ejected a handful of JSPatch-using apps from the App Store.
China Daily said at the time that over 45,000 apps had been booted due to “hot-patching” concerns.
JSPatch, along with similar hot-patching frameworks such as Rollout.io, fell foul of Apple because it allows substantial changes to be made to apps without triggering a review from Apple. Such reviews are mandatory for all new apps and updates to existing apps.
Anything that gets around review processes, regardless of motivation, raises questions about security. A year ago El Reg warned that JSPatch “had inadvertently spawned a serious security risk for iOS app users”.
Tomi Engdahl says:
APT-style attack against over 4,000 infrastructure firms blamed on lone Nigerian 20-something
‘Get rich or die trying’ seems to be working out for this fellow
https://www.theregister.co.uk/2017/08/15/nigerian_fraud_kingpin/
A seemingly state-sponsored cyberattack aimed at more than 4,000 infrastructure companies has been blamed on a lone Nigerian cybercriminal.
The campaign started in April 2017, and has targeted some of the largest international organisations in the oil, gas, manufacturing, banking and construction industries. The global scale of the campaign and the organisations marked suggest an expert gang or state-sponsored agency is behind it.
Security researchers at Check Point have blamed the APT-style attack on a single Nigerian national in his mid-20s, living near the country’s capital, Abuja. The crook is using fraudulent emails which appear to originate from oil and gas giant Saudi Aramco, the world’s second largest daily oil producer, targeting financial staff within companies in attempts to trick them into revealing company bank details, or open the email’s malware-infected attachment.
Tomi Engdahl says:
A drone landed on Britain’s biggest warship and nobody cared
It touched down and lifted off with nobody batting an eyelash
https://www.engadget.com/2017/08/15/photography-drone-hms-queen-elizabeth/
The Pentagon has already approved a policy giving military bases the right to shoot down drones that get too close. A lot of other countries’ governments and militaries, however, are still in the midst of figuring out how to deal with them as they become more common. A photographer operating under the name “Black Isle Images,” for instance, landed a drone aboard Britain’s biggest warship, the HMS Queen Elizabeth, and nobody seemed to care.
The photographer reportedly never intended to touch down on the aircraft carrier, but he was forced to do when a strong gust of wind triggered the drone’s high wind sensors. According to BBC, he was flying one of DJI’s Phantom drones — it even snapped a picture of the ship, which is now up on BBC’s website. He decided to give himself up to a team of armed police officers guarding the warship, but “no one seemed too concerned.” He also left his phone number to the authorities, but nobody got in touch with him.
The concern over the lack of security stems from the fact that drones can be used for anything these days — from espionage to terrorism. ISIS, for instance, is known to weaponize drones, including DJI’s models, essentially turning them into flying bombs.
It’s worth noting that HMS Queen Elizabeth isn’t active and armed yet, however, which could explain why authorities weren’t alarmed by the incident. That said, if Britain’s military wasn’t too bothered at first, it is now.
Tomi Engdahl says:
Get Rich or Die Trying: A Case Study on the Real Identity behind a Wave of Cyber Attacks on Energy, Mining and Infrastructure Companies
https://blog.checkpoint.com/2017/08/15/get-rich-die-trying-case-study-real-identity-behind-wave-cyberattacks-energy-mining-infrastructure-companies/
Over the past 4 months, over 4,000 organizations globally have been targeted by cyber attacks which aim to infect their networks, steal data and commit fraud. Many of these companies are leading international names in industries such as oil & gas, manufacturing, banking and construction industries – and some have had their defenses breached by the attacks.
Tomi Engdahl says:
Your ‘Anonymous’ Browsing Data Isn’t Actually Anonymous
https://motherboard.vice.com/en_us/article/gygx7y/your-anonymous-browsing-data-isnt-actually-anonymous
Researchers said it was “trivial” to identify users and view their browsing habits in purchased ‘anonymous’ browsing data.
Tomi Engdahl says:
Keith Collins / Quartz:
DDoS protection company Cloudflare, under fire for continuing to service Daily Stormer, defends its hands-off, content-neutral policy
The one tech company still sticking by neo-Nazi websites is also one of their chief enablers
https://qz.com/1053689/cloudflare-is-the-one-tech-company-still-sticking-by-neo-nazi-websites-like-daily-stormer/
After 32-year-old Heather Heyer was killed while protesting against the “Unite the Right” rally in Charlottesville, Virginia, on Aug. 12, the American neo-Nazi website The Daily Stormer published a hate-filled article about her.
Although GoDaddy had previously defended its choice to provide domain services to the neo-Nazi site, citing its rights under the First Amendment, the company took a different stance this time around. Within a few hours of the article’s publication, GoDaddy dropped The Daily Stormer, saying it violated the registrar’s terms of service. The website then registered its domain with Google, which promptly dropped it as well. Other tech companies have also made moves against the far right: Airbnb banned users it suspected were traveling to attend the rally, while Discord, a chat service for online gamers, shut down a server and some accounts used for spreading extremist views.
But one company is sticking by The Daily Stormer and other far-right websites: the cloud security and performance service Cloudflare.
Cloudflare acts as a shield between websites and the outside world, protecting them from hackers and preserving the anonymity of the sites’ owners. But Cloudflare is not a hosting service: It does not store website content on its servers. And that fact, as far as the company is concerned, exempts it from judgment over who its clients are—even if those clients are literally Nazis.
In a statement Cloudflare sent to Quartz and other publications yesterday, the company refused to explicitly say it will continue to do business with sites like The Daily Stormer, but pointed out that the content would exist regardless of what Cloudflare does or doesn’t do.
That statement somewhat underplays Cloudflare’s importance. Without its shield, many websites—belonging to groups right across the political spectrum as well as companies and government agencies—would be frequently crippled by distributed-denial-of-service (DDoS) attacks, in which attackers flood a site’s servers with spurious traffic. In DDoS attacks, might is right: Only a few companies like Cloudflare have enough servers to soak up a concerted assault. If it were to drop the Daily Stormer, the site would for all intents and purposes cease to exist any time it came under concerted DDoS attack from anti-fascist activists. If the Daily Stormer lost its web hosting service, on the other hand, it would have countless others to choose from.
The statement from Cloudflare is also neutral about whether or not hate speech is dangerous.
It’s not just Cloudflare’s refusal to take a stand against hate speech that has drawn criticism. Last May, ProPublica reported on a practice that made Cloudflare particularly appealing to neo-Nazi websites.
Cloudflare’s indiscriminate approach to its clients appeals not only to neo-Nazis, but also to another set of bad actors: websites that provide illegal hacking services. Security journalist Brian Krebs has written at length about websites that conduct DDoS attacks for hire while using free services from Cloudflare to protect themselves from the same kinds of attacks.
Tomi Engdahl says:
Alwyn Scott / Reuters:
Chinese drone maker DJI working on mode to let pilots disconnect from internet during flights, weeks after US Army ended DJI use due to “cyber vulnerabilities”
China drone maker steps up security after U.S. Army ban
http://www.reuters.com/article/us-usa-drones-dji-idUSKCN1AU294
Tomi Engdahl says:
Russell Brandom / The Verge:
In the wake of a killing after a white nationalist rally in Charlottesville, tech firms are setting aside content neutrality in the fight against online hate
Charlottesville is reshaping the fight against online hate
Content-neutrality concerns take a back seat after a killing at a white nationalist rally
https://www.theverge.com/2017/8/15/16151740/charlottesville-daily-stormer-ban-neo-nazi-facebook-censorship
Tomi Engdahl says:
Rackspace rolls out managed data protection service
http://www.zdnet.com/article/rackspace-rolls-out-managed-data-protection-service/
Rackspace is the latest firm to offer new cybersecurity tools ahead of the GDPR implementation.
Rackspace is bolstering cybersecurity offerings, rolling out a new service to help companies identify and protect sensitive data in accordance with various compliance requirements.
Utilizing the Vormetric Transparent Data Encryption platform to protect data, the new service enables firms to restrict access to approved company personnel and processes. It also generates detailed information about unauthorized access by users, applications, and systems.
The Privacy and Data Protection (PDP) service also offers detailed compliance reporting that gives customers a monthly, comprehensive view of their data usage. That should help them comply with Europe’s General Data Protection Regulation (GDPR), as well as other compliance standards like the Payment Card Industry Data Security Standard (PCI DSS).
Rackspace is one of several vendors lining up new cybersecurity tools and services ahead of the GDPR’s implementation in May 2018. The new regulations will require organizations to protect data belonging to EU citizens and to know where the data is flowing at all times.
As compliance requirements evolve, so do the threats: Rackspace highlighted a recent Forrester Research report which showed that 49 percent of global network security decision-makers have experienced at least one breach in the past year.
Tomi Engdahl says:
Och. Scottish Parliament under siege from brute-force cyber attack
Unidentified hackers attempt to bust open email accounts
https://www.theregister.co.uk/2017/08/16/scottish_parliament_cyberattack/
Hackers are trying to break into Scottish Parliament email accounts weeks after similar campaigns against Westminster.
MSPs and Holyrood staff were warned on Tuesday that as-yet unidentified hackers were running “brute-force” attacks on systems in the devolved assembly, The Guardian reports. Similar attacks on Westminster back in June, subsequently blamed on Russia by intel sources, led to the compromise of 90 accounts.
In an internal bulletin Sir Paul Grice, Holyrood’s chief executive, warned: “The parliament’s monitoring systems have identified that we are currently the subject of a brute-force cyber attack from external sources.
“This attack appears to be targeting parliamentary IT accounts in a similar way to that which affected the Westminster parliament in June. Symptoms of the attack include account lockouts or failed logins.
Tomi Engdahl says:
Speaking in Tech: Tomorrow’s infosec fiasco is a ‘we’re not a company any more’ fiasco
Wannacry is just the beginning
https://www.theregister.co.uk/2017/08/16/speaking_in_tech_episode_274/
Tomi Engdahl says:
Russian malware scum post new rent-an-exploit
Unpatched browser, plug-in bugs targeted by and with ‘Disdain’ kit
https://www.theregister.co.uk/2017/08/16/disdain_exploit_kit/
WebEx on Firefox is among the targets of a new exploit kit that’s started circulating on Russian nastyware exchanges.
The Disdain-based exploit kit is described here by security services outfit IntSights, which says the exploit kit is offered by someone using the handle “Cehceny”.
IntSights says the kit includes:
A domain rotator, to make the C&C harder to block;
Support for exploits to exchange RSA keys;
The C&C’s panel server can’t be traced from the payload server; and
IP geolocation, browser and IP tracking, and domain scanning.
Disdain is rented on a daily, weekly, or monthly basis at US$80, $500, and $1,400 respectively. Victims who hit the exploit are scanned, and the kit tries to attack a number of known vulnerabilities from between 2013 and this year.
Tomi Engdahl says:
When is a Barracuda not a Barracuda? When it’s really AWS S3
Now you can replicate backups to Barracuda’s actually-Amazonian cloud
https://www.theregister.co.uk/2017/08/16/barracuda_aws_s3/
Barracuda’s backup appliances can now replicate data to Amazon’s S3 cloud silos.
According to the California-based outfit, its backup appliance is now available in three flavors:
On-premises physical server
On-premises virtual server
In-cloud virtual server
Data can be backed up from Office 365, physical machines, and virtual machines running in Hyper-V or VMware systems, to an appliance. This box can then replicate its backups to a second appliance, typically at a remote site, providing a form of disaster recovery, or send the data to S3 buckets in AWS. For small and medium businesses with no second data centre, replicating to Amazon’s silos provides an off-site protection resource.
Tomi Engdahl says:
Web-enabled vibrator class action put to bed
The plaintiffs must be buzzing
https://www.theregister.co.uk/2017/08/16/web_enabled_vibrator_class_action_put_to_bed/
The case against sex toy maker We-Vibe, which agreed to pay out $3.75m for tracking owners’ use, has finally been put to bed, with a judge yesterday signing off the settlement.
Earlier this year We-Vibe’s parent company, Standard Innovation, agreed to fork out following a privacy infringement lawsuit, and also said it would ensure that personal information collected from users would be deleted.
The firm was accused of collecting information on the date and time of use, the “vibration intensity level” and users’ email via its accompanying app, We-Connect.
“We have enhanced our privacy notice, increased app security, provided customers [with] more choice in the data they share, and we continue to work with leading privacy and security experts to enhance the app.”
Tomi Engdahl says:
Warning: Two Dangerous Ransomware Are Back – Protect Your Computers
By — Swati Khandelwal • 15 Aug, 2017
https://amp.thehackernews.com/thn/2017/08/locky-mamba-ransomware.html
Ransomware has been around for a few years but has become an albatross around everyone’s neck—from big businesses and financial institutions to hospitals and individuals worldwide—with cyber criminals making millions of dollars.
In just past few months, we saw a scary strain of ransomware attacks including WannaCry, Petya and LeakerLocker, which made chaos worldwide by shutting down hospitals, vehicle manufacturing, telecommunications, banks and many businesses.
Before WannaCry and Petya, the infamous Mamba full-disk-encrypting ransomware and the Locky ransomware had made chaos across the world last year, and the bad news is—they are back with their new and more damaging variants than ever before.
Tomi Engdahl says:
Tech Companies Urge Supreme Court To Boost Cellphone Privacy
https://yro.slashdot.org/story/17/08/15/1820246/tech-companies-urge-supreme-court-to-boost-cellphone-privacy
More than a dozen high technology companies and the biggest wireless operator in the United States, Verizon, have called on the U.S. Supreme Court to make it harder for government officials to access individuals’ sensitive cellphone data.
Tech companies urge Supreme Court to boost cellphone privacy
http://www.reuters.com/article/us-usa-court-mobilephone-idUSKCN1AV1B3
More than a dozen high technology companies and the biggest wireless operator in the United States, Verizon Communications Inc (VZ.N), have called on the U.S. Supreme Court to make it harder for government officials to access individuals’ sensitive cellphone data.
The companies filed a 44-page brief with the court on Monday night in a high-profile dispute over whether police should have to get a warrant before obtaining data that could reveal a cellphone user’s whereabouts.
Tomi Engdahl says:
New York Times:
Ukrainian hacker identified as “Profexer”, who created malware used in DNC hacking, has turned himself in and become a witness for the FBI — KIEV, Ukraine — The hacker, known only by his online alias “Profexer,” kept a low profile. He wrote computer code alone in an apartment …
http://www.nytimes.com/2017/08/16/world/europe/russia-ukraine-malware-hacking-witness.html
Tomi Engdahl says:
Disgraced US Secret Service agent coughs to second Bitcoin heist
Fox, meet henhouse
https://www.theregister.co.uk/2017/08/16/secret_service_shaun_bridges_agent_bitcoin_theft/
An ex-Secret Service agent who stole Bitcoins from the Silk Road dark web drugs bazaar he was supposed to be investigating has admitted stealing even more sacks of the digital currency.
Shaun Bridges, who is already serving a six-year sentence for nicking Bitcoins from the underground souk, pleaded guilty on Tuesday to stealing a further 1,600 Bitcoin (worth $359,005 at the time and approximately $6.6m today) during a separate investigation.
According to court documents [PDF] Bridges, 35, was probing European Bitcoin trading firm Bitstamp, which led to the US government seizing 1,606,6488 BTC in November 2014. These were transferred into a digital wallet that only Bridges had the access code for.
Tomi Engdahl says:
Russell Brandom / The Verge:
After sustained pressure, CloudFlare CEO Matthew Prince says the firm has stopped protecting Daily Stormer from DDoS attacks
The Daily Stormer just lost the most important company defending it
The web provider CloudFlare has decided to drop the neo-Nazi site
https://www.theverge.com/2017/8/16/16157710/cloudflare-daily-stormer-drop-russia-hate-white-nationalism
This afternoon, the Russian relaunch of Daily Stormer disappeared, just as the original site disappeared on Tuesday. With that disappearance, the web’s most notorious neo-Nazi website was no longer available anywhere on the conventional web.
The disappearance came after a decision made at CloudFlare, a content distribution network that Stormer has long used as protection from denial-of-service attacks.
Reached by The Verge, CEO Matthew Prince said the decision to drop the site was a difficult one.
“This was my decision, I don’t think it’s CloudFlare’s policy and I think it’s an extremely dangerous decision in a lot of ways,” Prince said. “I think that we as the internet need to have a conversation about where the right place for content restriction is…but there was no way we could have that conversation until we resolved this particular issue.”
CloudFlare never directly hosted the Daily Stormer, but by distributing it through a broader network, the company made it impossible to discover the original host, which made it difficult for activists to take direct action against the site. Without CloudFlare’s network, the Daily Stormer could still serve up the site directly, but doing so would expose their host. The site owners seem to have decided that reveal would be too risky.
Writing on Gab, site founder Andrew Anglin pledged to carry on without the network. “The CloudFlare betrayal adds another layer of super complexity,” Algin wrote. “But we got this.”
The decision comes after sustained pressure on CloudFlare to drop the site, and a long-standing insistence from Prince that the network must remain content neutral.
Still, that neutrality hasn’t always been easy to defend.
Today’s move comes after a wave of companies turning their backs on the Daily Stormer and other white nationalist sites. In the wake of the killing of a protestor in Charlottesville, platforms like Facebook, Discord and GoFundMe have all taken direct steps to ban white nationalist content, often employing far more aggressive measures than had been previously used.
Billboard:
Prompted by Charlottesville reactions, Spotify says it has begun to remove white supremacist music flagged as “hate bands”
Spotify Removes Hate Music as Streaming Companies Struggle to Police Their Tunes
http://www.billboard.com/articles/business/7905175/spotify-removes-hate-band-music-streaming
Tomi Engdahl says:
Tatiana Siegel / Hollywood Reporter:
A new episode of Game of Thrones was accidentally aired on HBO Nordic and HBO Espana, with the leak then spreading to file-sharing sites — Though the episode was posted for a “brief” amount of time, the leak quickly spread on the Internet early Wednesday. — It’s a case of deja vu for HBO.
New ‘Game of Thrones’ Episode Leaks
http://www.hollywoodreporter.com/news/game-thrones-episode-leaks-is-pulled-down-1030098
It’s a case of deja vu for HBO.
For the second time in two weeks, the network has seen an upcoming episode of Game of Thrones leak ahead of its scheduled premiere. A HBO Europe spokesperson acknowledged the leak, which was described as “brief.”
“We have learned that the upcoming episode of Game of Thrones was accidentally posted for a brief time on the HBO Nordic and HBO Espana platforms,” the spokesperson said. “The error appears to have originated with a third-party vendor and the episode was removed as soon as it was recognized. This is not connected to the recent cyber incident at HBO in the U.S.”
Tomi Engdahl says:
Laurel Wamsley / NPR:
Hosting provider DreamHost is resisting a DOJ warrant which it claims requires the company to hand over the details of 1.3M visitors to an anti-Trump site — At the intersection where protections against unreasonable search and seizure meet the rights to free speech and association, there’s a now web hosting company called DreamHost.
DOJ Demands Files On Anti-Trump Activists, And A Web Hosting Company Resists
http://www.npr.org/sections/thetwo-way/2017/08/15/543782396/doj-demands-files-on-anti-trump-activists-and-a-web-hosting-company-resists
At the intersection where protections against unreasonable search and seizure meet the rights to free speech and association, there is now a web hosting company called DreamHost.
The California-based company is resisting a Department of Justice warrant that demands it hand over all files related to DisruptJ20.org, a website created by one of its customers to plan and announce actions intended to interrupt President Trump’s inauguration.
Inauguration Day protests in Washington, D.C., turned violent; 230 people were arrested and charged with felony rioting.
In gathering evidence for the nearly 200 still-open cases in D.C. court, the Justice Department issued a warrant that DreamHost says is so broad it would require handing over the logs of 1.3 million visits to the website.
The company called the warrant “a highly untargeted demand that chills free association and the right of free speech afforded by the Constitution. … This is, in our opinion, a strong example of investigatory overreach and a clear abuse of government authority.”
Tomi Engdahl says:
4 ways to share files without the cloud
If you’re concerned about privacy, these may work for you
https://www.electronicproducts.com/Software/Development_Tools_and_Software/4_ways_to_share_files_without_the_cloud.aspx
Tomi Engdahl says:
Rowhammer RAM attack adapted to hit flash storage
Project Zero’s two-year-old dog learns a new trick
https://www.theregister.co.uk/2017/08/17/rowhammer_for_nand_flash/
It’s Rowhammer, Jim, but not as we know it: IBM boffins have taken the DRAM-bit-flipping-as-attack-vector trick found by Google and applied it to MLC NAND Flash.
Google’s Project Zero found Rowhammer in 2015, when they demonstrated that careful RAM bit-flipping in page table entries could let an attacker pwn Linux systems.
Ever since Project Zero’s initial result, boffins have looked for other vectors or other victims (for example, it was turned into an Android root attack in 2016).
Enter a group of boffins from IBM Research Zurich, who plan to demo a Rowhammer attack on MLC NAND flash after explaining it at this week’s Usenix-organised W00T17 conference in Vancouver.
Scary? Yes, but there’s a couple of slivers of good news: it’s a local rather than a remote attack, and the researchers constrained themselves to a filesystem-level attack rather than a full-system attack.
The bad news is that Rowhammer-for-NAND can work at lower precision than its ancestor: while the original Google research worked by flipping single bits, “ the attack primitive an attacker can obtain from MLC NAND flash weaknesses is a coarse granularity corruption”.
In other words, their “weaker attack primitive … is nevertheless sufficient to mount a local privilege escalation attack”.
To get that far, the research explain in this paper [PDF], an attack has to beat protections at all layers from the Flash chip up to the operating system:
Cell-to-cell interference protections on the chip;</li
The Flash controller's scrambling and error correction codes, that are designed to increase device reliability;
Wear-levelling and block placement algorithms in the SSD controller make memory placement less predictable, from the attacker's point of view;
Filesystem protections like caching and error detection have to be bypassed.
Only then does the attacker get to present their payload.
https://www.usenix.org/system/files/conference/woot17/woot17-paper-kurmus.pdf
Tomi Engdahl says:
8 More Chrome Extensions Hijacked to Target 4.8 Million Users
Wednesday, August 16, 2017 Swati Khandelwal
http://thehackernews.com/2017/08/chrome-extension-hacking.html
Google’s Chrome web browser Extensions are under attack with a series of developers being hacked within last one month.
Almost two weeks ago, we reported how unknown attackers managed to compromise the Chrome Web Store account of a developer team and hijacked Copyfish extension, and then modified it to distribute spam correspondence to users.
Just two days after that incident, some unknown attackers then hijacked another popular extension ‘Web Developer’ and then updated it to directly inject advertisements into the web browser of over its 1 million users.
Tomi Engdahl says:
U.S. Army to Protect Warfighters With Continuous Biometric Authentication
http://www.securityweek.com/us-army-protect-warfighters-continuous-biometric-authentication
U.S. Army’s NETCOM to Deploy Continuous Biometric Authentication Software to Protect Warfighters
The fundamental basis of security is to stop bad guys (or things) getting in; and then, if that fails, to discover those who got in as rapidly as possible. Authentication is used for the former, and network anomaly detection is increasingly used for the latter.
Both controls can be good in theory, but often fall down in practice; the more effective they are, the more intrusive they become. Authentication can be strengthened by enforcing strong unmemorable passwords, and multi-factor authentication — often making it difficult and time-consuming for the user. Anomaly detection can be improved by reporting and responding to every single alert — often overwhelming security analysts with the sheer volume of work.
To solve both problems, companies often set their security barriers lower than they could be. Authentication is made easier and alerts are set lower so that work is less interrupted. As a result, adversaries can get into the network and stay hidden long enough to cause damage — and this is demonstrated every week by new announcements of both major and minor breaches.
Plurilock believes it may have the answer in low-friction continuous behavioral biometric user authentication. Called BioTracker, the product continuously (sampling every few seconds) monitors the user, analyzing key stroke and mouse patterns and using artificial intelligence (AI) to provide a probability score on the current user being the authorized user.
Tomi Engdahl says:
Common Source Code Used by Multiple Chinese DDoS Platforms
http://www.securityweek.com/common-source-code-used-multiple-chinese-ddos-platforms
An increase in Chinese websites offering online distributed denial of service (DDoS) capabilities was observed after a localized version of the source code of online booters was put up for sale, Talos reveals.
Because many of the websites were nearly identical, Talos security researchers initially believed that the same actor or group of actors was behind all of them. However, they discovered that multiple actors are operating them, and that they even launch attacks against one another.
The websites, most of which have been registered within the past six months, feature a simple interface where the user can select a target’s host, port, attack method, and duration of attack. The similarities emerge from the fact that the sites are based on the localized source code of an English-language DDoS platform that cybercriminals have been selling on hacker forums.
While both DDoS tools and services remain highly popular on the Chinese underground market, a shift to online DDoS platforms was recently observed, along with more frequent advertisements for such services.
A sidebar allows users to “register an account, purchase an activation code to begin launching an attack, and then attack a target, either through the graphical interface set up on the website or through identical command line calls,” Talos explains.
The researchers discovered 32 nearly-identical Chinese online DDoS websites, most with the word “ddos” in their domain names
Booters with Chinese Characteristics: The Rise of Chinese Online DDoS Platforms
http://blog.talosintelligence.com/2017/08/chinese-online-ddos-platforms.html
In the past few months, Talos has observed an uptick in the number of Chinese websites offering online DDoS services. Many of these websites have a nearly identical layout and design, offering a simple interface in which the user selects a target’s host, port, attack method, and duration of attack. In addition, the majority of these sites have been registered within the past six months. However, the websites operate under different group names and have different registrants. In addition, Talos has observed administrators of these websites launching attacks on one another. Talos sought to research the actors responsible for creating these platforms and analyze why they have become more prevalent lately.