Security trends 2017

3,151 Comments

1. September 1, 2017 at 9:48 am

   Tomi Engdahl says:

   A Canadian University Gave $11 Million to a Scammer
   https://motherboard.vice.com/en_us/article/yww4xy/a-canadian-university-gave-dollar11-million-to-a-scammer

   Uh oh.

   A Canadian university transferred more than $11 million CAD (around $9 million USD) to a scammer that university staff believed to be a vendor in a phishing attack, a university statement published on Thursday states.

   Staff at MacEwan University in Edmonton, Alberta became aware of the fraud on Wednesday, August 23, the statement says. According to the university, the attacker sent a series of emails that convinced staff to change payment details for a vendor, and that these changes resulted in the transfer of $11.8 million CAD to the scammer. Most of the funds were traced to bank accounts in Canada and Hong Kong.

   According to the university, its IT systems were not compromised and no personal or financial information was stolen. A phishing scam is not technically a “hack,” it should be noted, and only requires the attacker to convince the victim to send money.

   The school’s preliminary investigation found that “controls around the process of changing vendor banking information were inadequate, and that a number of opportunities to identify the fraud were missed.” Beharry would not elaborate on which processes were found to be inadequate or which warning signs were missed.

   Reply
2. September 1, 2017 at 9:55 am

   Tomi Engdahl says:

   Hardening the Kernel in Android Oreo
   https://android-developers.googleblog.com/2017/08/hardening-kernel-in-android-oreo.html

   Posted by Sami Tolvanen, Senior Software Engineer, Android Security

   The hardening of Android’s userspace has increasingly made the underlying Linux kernel a more attractive target to attackers. As a result, more than a third of Android security bugs were found in the kernel last year. In Android 8.0 (Oreo), significant effort has gone into hardening the kernel to reduce the number and impact of security bugs.

   Android Nougat worked to protect the kernel by isolating it from userspace processes with the addition of SELinux ioctl filtering and requiring seccomp-bpf support, which allows apps to filter access to available system calls when processing untrusted input. Android 8.0 focuses on kernel self-protection with four security-hardening features backported from upstream Linux to all Android kernels supported in devices that first ship with this release.

   Usercopy functions are used by the kernel to transfer data from user space to kernel space memory and back again. Since 2014, missing or invalid bounds checking has caused about 45% of Android’s kernel vulnerabilities.

   Conclusion

   Android Oreo includes mitigations for the most common source of security bugs in the kernel. This is especially relevant because 85% of kernel security bugs in Android have been in vendor drivers that tend to get much less scrutiny. These updates make it easier for driver developers to discover common bugs during development, stopping them before they can reach end user devices.

   Reply
3. September 1, 2017 at 10:01 am

   Tomi Engdahl says:

   WikiLeaks site hacked

   OurMine-hacker group got the WikiLeaks site for at least a moment. After a temporary break, the situation has been corrected.

   According to The Verge, the WikiLeaks.org site visitors were greeted earlier in today’s sight. On the black background, we read our great text “Ourmine” and, moreover, a delusional reminder of the wickedness of WikiLeaks on security. In addition, people were asked to use #wikileakshack on Twitter.

   OurMine has succeeded in recently appearing security holes. For example, Twitter’s CEO Jack Dorsey’s twitter account, Google’s CEO Sundar Pichain Quora, Variety and Buzzfeed releases, and HBO’s social media accounts.

   Source: http://www.tivi.fi/Kaikki_uutiset/wikileaks-sivusto-hakkeroitu-6673132

   Reply
4. September 1, 2017 at 10:05 am

   Tomi Engdahl says:

   Natalie Gagliordi / ZDNet:
   Juniper Networks acquires Cyphort, maker of a machine learning-powered analytics engine that can be integrated with existing security tools

   Juniper to buy security software startup Cyphort
   The Silicon Valley startup makes security analytics software. Financial terms were not disclosed.
   http://www.zdnet.com/article/juniper-to-buy-security-software-startup-cyphort/

   Juniper Networks announced Thursday it plans to acquire Cyphort, a Silicon Valley startup that makes security analytics software. Financial terms of the deal were not immediately disclosed.

   Cyphort’s open-architecture platform, which includes a machine learning powred analytics engine, can integrate with existing security tools to help companies find threats that bypass first-line security efforts.

   The company’s current chief executive, Manoj Leelanivas, was a 14-year veteran at Juniper Networks. He also spent seven year working at Cisco and apparently holds more than 10 patents for his work at both Cisco and at Juniper.

   In a blog post, Juniper said the acquisition will be used to bolster its Sky ATP platform by offering an increased range of supported file types and additional threat detection capabilities.

   https://forums.juniper.net/t5/The-New-Network/Announcing-Juniper-s-Intent-to-Acquire-Cyphort/ba-p/312174

   Reply
5. September 1, 2017 at 10:06 am

   Tomi Engdahl says:

   Brian Krebs / Krebs on Security:
   After documenting botnet attack on ProPublica, DFR Lab faced its own attack from bots and impersonators, who use follows, likes, retweets to intimidate users

   Twitter Bots Use Likes, RTs for Intimidation
   http://krebsonsecurity.com/2017/08/twitter-bots-use-likes-rts-for-intimidation/

   I awoke this morning to find my account on Twitter (@briankrebs) had attracted almost 12,000 new followers overnight. Then I noticed I’d gained almost as many followers as the number of re-tweets (RTs) earned for a tweet I published on Tuesday. The tweet stated how every time I tweet something related to Russian President Vladimir Putin I get a predictable stream of replies that are in support of President Trump — even in cases when neither Trump nor the 2016 U.S. presidential campaign were mentioned.

   Upon further examination, it appears that almost all of my new followers were compliments of a social media botnet that is being used to amplify fake news and to intimidate journalists, activists and researchers. The botnet or botnets appear to be targeting people who are exposing the extent to which sock puppet and bot accounts on social media platforms can be used to influence public opinion.

   Reply
6. September 1, 2017 at 10:14 am

   Tomi Engdahl says:

   Asterisk bugs make a right mess of RTP
   IP telephony server discloses three vulns, one critical. You know what to do next
   https://www.theregister.co.uk/2017/09/01/asterisk_admin_patch/

   Admins of the popular IP telephony application Asterisk have a lovely end to the week ahead of them – there’s two moderate vulnerabilities, and one critical mess, that need patches.

   The worst of the three is this one: a bug in the Realtime Transport Protocol (RTP) stack that exposes a system to information disclosure.

   The problem came about as a result of a change to the system’s strict RTP implementation, designed to handle network issues more smoothly.

   Reply
7. September 1, 2017 at 1:29 pm

   Tomi Engdahl says:

   40% of manufacturing security professionals have no formal security strategy
   https://www.designnews.com/electronics-test/40-manufacturing-security-professionals-have-no-formal-security-strategy/115121990957373?ADTRK=UBM&elq_mid=788&elq_cid=876648

   Cisco cybersecurity survey also reported that 28% of manufacturing organizations suffered loss of revenue due to attacks in the past year.

   Reply
8. September 1, 2017 at 2:07 pm

   Tomi Engdahl says:

   Security measures need to measure up to sophisticated attacks
   http://www.controleng.com/single-article/security-measures-need-to-measure-up-to-sophisticated-attacks/3af942c101d92a503305d98075375b77.html

   Security needs to be improved in order to combat attackers getting more and more dangerous and skilled each day, demonstrated by the attack on Ukraine in December 2016.

   Industrial control system (ICS) and supervisory control and data acquisition (SCADA) users across the board need to understand they need to create a holistic security program to protect against targeted attacks like this past December’s Ukraine utility assault.

   “The attacker had been developing its capabilities for at least a year, maybe two, and they discharged this tool and they will not use it anymore,” said Marina Krotofil, lead security researcher at the Honeywell Industrial Cyber Security Lab and an investigator on the December Ukraine utility attack. “It means they have developed much better capabilities, much higher and advanced. This what is scary because we don’t know what to prepare for.”

   Reply
9. September 1, 2017 at 6:40 pm

   Tomi Engdahl says:

   John Shinal / CNBC:
   Facebook has created a map of Earth that can pinpoint any man-made structures to a resolution of 5 meters, to help company’s Internet provision efforts

   Facebook has mapped the entire human population of Earth as it prepares to build an internet in space
   https://www.cnbc.com/2017/09/01/facebook-has-mapped-human-population-building-internet-in-space.html

   Facebook used satellite-based data and government census information to map the Earth’s entire human population.
   The data set has a resolution of five meters and knows where man-made structures are everywhere on the planet.
   Facebook has been hiring aerospace engineers and has a new executive hired to forge partnerships with aerospace and satellite companies.

   It now knows where 7.5 billion humans live, everywhere on Earth, to within 15 feet.

   The company has created a data map of the planet’s entire human population by combining government census numbers with information it’s obtained from space satellites, according to Janna Lewis, Facebook’s head of strategic innovation partnerships and sourcing.

   The mapping technology, which Facebook says it developed itself, can pinpoint any man-made structures in any country on Earth to a resolution of five meters.

   Facebook is using the data to understand the precise distribution of humans around the planet.

   That will help the company determine what types of internet service — based either on land, in the air or in space — it can use to reach consumers who now have no (or very low quality) internet connections.

   “Satellites are exciting for us. Our data showed the best way to connect cities is an internet in the sky,”

   Reply
10. September 1, 2017 at 6:46 pm

    Tomi Engdahl says:

    Natalie Gagliordi / ZDNet:
    Juniper Networks acquires Cyphort, maker of a machine learning-powered analytics engine that can be integrated with existing security tools — The Silicon Valley startup makes security analytics software. Financial terms were not disclosed. — Juniper Networks announced Thursday it plans …
    http://www.zdnet.com/article/juniper-to-buy-security-software-startup-cyphort/

    Reply
11. September 2, 2017 at 5:23 am

    Tomi Engdahl says:

    Casey Newton / The Verge:
    A site, now offline, sold access to hacked Instagram users’ contact info for $10 a search; Instagram now says non-verified users may have been impacted

    An Instagram hack hit millions of accounts, and victims’ phone numbers are now for sale
    Selena Gomez was first. Who’s next?
    https://www.theverge.com/2017/9/1/16244304/instagram-hack-api-bug-doxagram-selena-gomez

    A bug that exposed users’ contact information affected a far greater number of accounts than Instagram originally said. The bug, which appears to have been responsible for Selena Gomez’s account being hacked this week, allowed hackers to scrape email addresses and contact information for millions of accounts, Instagram said today. (It has since been fixed.) While the company first said the hack was limited to holders of verified accounts, it said today that non-verified users had been affected as well.

    Hours after the hack was disclosed, hackers established a searchable database named Doxagram allowing users to search for victims’ contact information for $10 per search. The hacker provided a list of 1,000 accounts they said were available for searching on Doxagram

    Instagram still will not say how many accounts were affected, other than that it is a “low percentage of Instagram accounts.” There are more than 700 million active Instagram accounts; hackers say they have information on file for 6 million users. Users’ passwords were not exposed in the hack, Instagram said.

    But even with the site shut down, contact information for dozens of celebrities now appears to be floating around on the dark web.

    For celebrities and other high-profile users, the hack could mean having to change a phone number, email address, or both. But it can also be used along with social engineering techniques to gain access to the account itself. That seems to be what happened to Gomez, Instagram’s most-followed user. Her account was briefly taken down Monday after it was used to post nude photographs of Justin Bieber, her ex-boyfriend.

    Today’s news is troubling on at least two fronts. One, average Instagram users may be at risk of hacking. Two, Instagram says it does not know which accounts were affected.

    Reply
12. September 2, 2017 at 5:44 am

    Tomi Engdahl says:

    New York Times:
    Sources: scant digital forensic investigations have assessed the impact on voting in at least 21 states whose election systems were targeted by Russian hackers — The calls started flooding in from hundreds of irate North Carolina voters just after 7 a.m. on Election Day last November.

    Russian Election Hacking Efforts, Wider Than Previously Known, Draw Little Scrutiny
    https://www.nytimes.com/2017/09/01/us/politics/russia-election-hacking.html

    The calls started flooding in from hundreds of irate North Carolina voters just after 7 a.m. on Election Day last November.

    Dozens were told they were ineligible to vote and were turned away at the polls, even when they displayed current registration cards. Others were sent from one polling place to another, only to be rejected. Scores of voters were incorrectly told they had cast ballots days earlier. In one precinct, voting halted for two hours.

    Susan Greenhalgh, a troubleshooter at a nonpartisan election monitoring group, was alarmed. Most of the complaints came from Durham, a blue-leaning county in a swing state.

    The problems involved electronic poll books — tablets and laptops, loaded with check-in software, that have increasingly replaced the thick binders of paper used to verify voters’ identities and registration status. She knew that the company that provided Durham’s software, VR Systems, had been penetrated by Russian hackers months before.

    There are plenty of other reasons for such breakdowns — local officials blamed human error and software malfunctions — and no clear-cut evidence of digital sabotage has emerged, much less a Russian role in it.

    questions still linger about what happened that day in Durham as well as other counties in North Carolina, Virginia, Georgia and Arizona.

    voting in at least 21 states whose election systems were targeted by Russian hackers

    The assaults on the vast back-end election apparatus — voter-registration operations, state and local election databases, e-poll books and other equipment — have received far less attention than other aspects of the Russian interference

    Beyond VR Systems, hackers breached at least two other providers of critical election services well ahead of the 2016 voting

    Government officials said that they intentionally did not address the security of the back-end election systems, whose disruption could prevent voters from even casting ballots.

    That’s partly because states control elections

    “If you really want to know what happened, you’d have to do a lot of forensics, a lot of research and investigation, and you may not find out even then.”

    In interviews, academic and private election security experts acknowledged the challenges of such diagnostics but argued that the effort is necessary.

    They warned about what could come
    existing mix of outdated voting equipment

    the problems in Durham and elsewhere raise questions about the auditing of e-poll books and security of small election vendors

    Details of the breach did not emerge until June, in a classified National Security Agency report leaked to The Intercept, a national security news site.

    That report found that hackers from Russia’s military intelligence agency, the G.R.U., had penetrated the company’s computer systems as early as August 2016, then sent “spear-phishing” emails from a fake VR Systems account to 122 state and local election jurisdictions. The emails sought to trick election officials into downloading malicious software to take over their computers.

    The N.S.A. analysis did not say whether the hackers had sabotaged voter data. “It is unknown,” the agency concluded, whether Russian phishing “successfully compromised the intended victims, and what potential data could have been accessed.”

    During a conference of computer hackers last month in Las Vegas, participants had direct access and quickly took over more than 30 voting machines.

    In Arizona, Russian hackers successfully stole a username and password for an election official in Gila County. And in Illinois, Russian hackers inserted a malicious program into the Illinois State Board of Elections’ database.

    On Election Day last year, a number of counties reported problems similar to those in Durham.

    “We must harden our cyber defenses, and thoroughly educate the American public about the danger posed” by attacks

    Top-Secret NSA Report Details Russian Hacking Effort Days Before 2016 Election
    https://theintercept.com/2017/06/05/top-secret-nsa-report-details-russian-hacking-effort-days-before-2016-election/

    Reply
13. September 2, 2017 at 9:24 am

    Tomi Engdahl says:

    NSA whistleblower Snowden: VPN ban makes Russia ‘less safe and less free’
    http://www.zdnet.com/article/nsa-whistleblower-snowden-vpn-ban-makes-russia-less-safe-and-less-free/

    Vladimir Putin’s decision to ban virtual private networks has drawn criticism from NSA whistleblower Edward Snowden.

    Edward Snowden has laid into the Russian government for banning the use of virtual private networks (VPNs) and other tools that people can use to circumvent censorship and surveillance.

    Russian president Vladimir Putin signed the law on Sunday, prompting a Twitter tirade from Snowden, the US National Security Agency (NSA) whistleblower who has been sheltering in Moscow since 2013.

    Snowden called the decision a “tragedy of policy” that would make Russia “both less safe and less free”. He also linked the government’s move to China’s crackdown on VPN technology

    Reply
14. September 2, 2017 at 9:29 am

    Tomi Engdahl says:

    The Russia VPN ban doesn’t forbid personal or business use of VPNs at all
    https://www.privateinternetaccess.com/blog/2017/07/russia-vpn-ban-doesnt-forbid-personal-business-use-vpns/

    Putin has signed a new law that increases internet censorship dramatically and has been marked as the beginning of the Russia VPN ban, but does the new law actually ban and perhaps punish VPN use as some English language news sites are reporting?

    A lot of the confusion can be traced back to one English report on the Russia VPN ban released by ABC news where the title incorrectly claimed: “Russian parliament bans use of proxy Internet services, VPNs” even though the body of the article’s text does clarify that the bill “would oblige Internet providers to block websites that offer VPN services” not block VPN traffic.

    The FSB will be in charge of identifying owners of VPN services, and anonymizers, and asking said owners to implement Russia’s internet censorship blacklists for their users – most of which use VPN services to avoid those very restrictions.

    Is a VPN that gives you a non-Russian IP, but still shows you the Russia-approved internet a real VPN?

    Reply
15. September 2, 2017 at 6:57 pm

    Tomi Engdahl says:

    Kerry Flynn / Mashable:
    Sources describe how some Instagram employees are selling account verification through intermediaries for thousands of dollars, but process is getting harder

    Inside the black market where people pay thousands of dollars for Instagram verification
    http://mashable.com/2017/09/01/instagram-verification-paid-black-market-facebook/#7Nc69Crv4qqV

    “I mean if Mashable wants to pay for it, I can get you a blue check over night,” reads a recent Twitter direct message.

    This is a guy who knows a guy, a middleman in the black market for Instagram verification, where anyone from a seasoned publicist to a 22-year-old digital marketer will offer to verify an account—for a price. The fee is anywhere from a bottle of wine to $15,000, according to a dozen sources who have sold verification, bought verification for someone else, or directly know someone who has done one or the other.

    “These guys pay all their bills from one to two blue checks a month,” another message from the middleman added later.

    The product for sale isn’t a good or a service. It’s a little blue check designated for public figures, celebrities, and brands on Instagram. It grants users a prime spot in search as well as access to special features.

    More importantly, it’s a status symbol. The blue emblem can help people gain legitimacy in the business of influencer marketing and bestows some credibility within Instagram’s community of 700 million monthly active users. It cannot be requested online or purchased, according to Instagram’s policies. It is Instagram’s velvet rope.

    Casey Newton / The Verge:
    A site, now offline, sold access to hacked Instagram users’ contact info for $10 a search; Instagram now says non-verified users may have been impacted — Selena Gomez was first. Who’s next? — A bug that exposed users’ contact information affected a far greater number of accounts than Instagram originally said.

    An Instagram hack hit millions of accounts, and victims’ phone numbers are now for sale
    Selena Gomez was first. Who’s next?
    https://www.theverge.com/2017/9/1/16244304/instagram-hack-api-bug-doxagram-selena-gomez

    Reply
16. September 4, 2017 at 6:44 am

    Tomi Engdahl says:

    Jon Brodkin / Ars Technica:
    A real estate agent was flooded with 700 robocalls per day, halting her business for 5 days; at 2.4B robocalls/mo. in US, it’s a major problem with no quick fix

    Junk call nightmare flooded woman with hundreds of bizarre phone calls a day
    Kim France gets a lot of calls—but nothing prepared her for receiving 700 a day.
    https://arstechnica.com/information-technology/2017/08/junk-call-nightmare-flooded-woman-with-hundreds-of-bizarre-phone-calls-a-day/

    As a real estate agent, Kim France’s business depends upon answering calls from unfamiliar numbers. But during a five-day stretch in June, her cell phone was flooded with so many junk calls that it was almost impossible to answer legitimate ones.

    “I am in the middle of a cell phone nightmare,” France, who lives in Hilton Head Island, South Carolina, told Ars in an e-mail after three days worth of the calls.

    France installed robocall blocking tools on her phone, but they didn’t stop the flood. Unfortunately, anti-robocall services that rely primarily on blacklists of known scam numbers generally don’t block calls when the Caller ID has been spoofed to hide the caller’s true number.

    US consumers receive 2.4 billion robocalls a month, and the ones from spoofed numbers are among the hardest to stop, according to the Federal Communications Commission.

    France’s case posed even greater challenges than usual because she may have been victimized by a targeted attack rather than a run-of-the-mill robocaller. There’s also a question about whether the calls received by France were technically “robocalls.” But what we know for certain is that the problem of unwanted phone calls remains unsolved, and France’s ordeal shows what can happen in an extreme case.

    Oddly, there were no people or recorded voices on the other end of the line when France answered the calls. Instead of scam attempts, France said the calls consisted of sounds similar to, but not quite like, a fax machine. The robocalls were leaving long voicemails, filling up her voicemail storage and preventing clients from leaving legitimate messages.

    “My initial thought was this is definitely just a computer glitch somewhere,” France said. Later, she began suspecting that someone might be targeting her in a calculated attempt to disrupt her business.

    During the five-day deluge, France was worried enough that she contacted the police, a consumer rights attorney, and Verizon Wireless, but the calls continued.

    Instead of merely relying on a blocklist, RoboKiller’s technology analyzes the audio fingerprints of calls and can thus block many robocalls from spoofed numbers. Robokiller took first place in a contest the Federal Trade Commission held in 2015 to find the most promising new anti-robocall technologies, and the company has been busy improving its technology ever since.

    The Caller IDs were spoofed. In some cases, the Caller IDs mimicked real numbers that may be owned by real people. In most cases, the numbers calling France were totally fake

    Scammers seeking money often spoof local phone numbers so that the victims think it’s a valid call.

    There’s still a possibility that it wasn’t a targeted attack and that France’s problem was caused by a bug in auto-dialing software used by telemarketers or scammers. It’s also possible it was a “fax scam that went awry,” Garr said.

    But based on the evidence, it was most likely a targeted attack, the RoboKiller team concluded.

    “My developer said, just to give you an idea, if he wanted to do this to you right now he could set this up in 30 minutes,”

    Searching the Web for “fake fax sounds” quickly turns up websites that provide fax noise files. Using those sound files, a little programming knowledge, and easily available tools, a malicious person could have launched a similar attack.

    There are some online services that let you make calls from spoofed phone numbers. While there are legitimate reasons to make such calls, auto-dialing and spoofing can also be used for malicious purposes.

    Reply
17. September 4, 2017 at 7:17 am

    Tomi Engdahl says:

    Thousands of Job Applicants Citing Top Secret US Government Work Exposed In Amazon Server Data Breach
    https://yro.slashdot.org/story/17/09/03/0525224/thousands-of-job-applicants-citing-top-secret-us-government-work-exposed-in-amazon-server-data-breach

    According to Gizmodo, “Thousands of files containing the personal information and expertise of Americans with classified and up to Top Secret security clearances have been exposed by an unsecured Amazon server, potentially for most of the year.” F

    The files have been traced back to TigerSwan, a North Carolina-based private security firm. But in a statement on Saturday, TigerSwan implicated TalentPen, a third-party vendor apparently used by the firm to process new job applicants. “At no time was there ever a data breach of any TigerSwan server,” the firm said. “All resume files in TigerSwan’s possession are secure.

    Found on an insecure Amazon S3 bucket without the protection of a password, the cache of roughly 9,400 documents reveal extraordinary details about thousands of individuals who were formerly and may be currently employed by the U.S. Department of Defense and within the U.S. intelligence community. The files, unearthed this summer by a security analyst at the California-based cybersecurity firm UpGuard, were discovered in a folder labeled “resumes” containing the curriculum vitae of thousands of U.S. citizens holding Top Secret security clearances — a prerequisite for their jobs at the Central Intelligence Agency, the National Security Agency, and the U.S. Secret Service, among other government agencies.

    Statement on Information Breach of TalentPen, LLC’s Cloud File Hosted by Amazon Web Services
    http://www.tigerswan.com/newsroom/statement-information-breach-talentpen-llcs-cloud-file-hosted-amazon-web-services-pdf/

    On Thursday, August 31st, a press inquiry alerted TigerSwan that resume files, accessed by a cyber resilience company (Upguard Inc.) on a site hosted by Amazon Web Services and controlled by a former recruiting vendor, TalentPen, LLC, were publicly accessible.

    While we regret this happened, TigerSwan appreciates Upguard for making us aware of TalentPen’s actions and bringing this to the attention of Amazon Web Services. It is our understanding that Amazon Web Services informed TalentPen of this issue sometime in August, resulting in TalentPen removing the resume files on August 24th. TalentPen never notified us of their negligence with the resume files nor that they only recently removed the files.

    In 2008, TigerSwan was selected for a services contract. We retained TalentPen to assist with voluntary resume submission and organization for those interested in working for TigerSwan.

    In February of 2017, TigerSwan terminated TalentPen’s contract. To close out our account, TalentPen set up a secure site to transfer the resume files connected to the project to TigerSwan’s secure server.

    TigerSwan downloaded the files to our secure server on February 8th. In accordance with TalentPen’s procedure, we notified them that the download was complete, initiating their process to remove the files.

    On Friday, July 21st, at 6:35pm EST, our general email address received a message from an Upguard research analyst alleging a potential data breach of a cloud file repository.
    we did not have or control a cloud file repository, we found his email very suspect and a potential phishing scam.
    On Saturday, July 22nd, our Global Security Operations Center received a phone call making similar claims, and it was also not considered credible. Our team advised Upguard that the situation was under control in order to stop them from contacting us because we viewed their approach lacked credibility.

    The reasons TigerSwan did not view the overtures from Upguard as credible was because his claim was inaccurate, it included a URL over which we had no knowledge or control, and contained a second URL that pointed to another, unknown website.

    On Thursday, August 31st, TigerSwan received a call from multiple reporters requesting comment about a TigerSwan data breach found by Upguard.

    Though our conversation, we were able to confirm several things to Upguard.

    First, there was no data breach of any TigerSwan server.
    Second, we do not control nor have we controlled any bucket sites on Amazon Web Services.
    Third, a former 3rd party vendor, not TigerSwan, controlled this site.

    From this conversation with Upguard Inc, and our subsequent investigation, we learned that our former recruiting vendor, TalentPen, used a bucket site on Amazon Web Services for the transfer of resumes to our secure server but never deleted them after our log-in credentials expired. Since we did not control or have access to this site, we were not aware that these documents were still on the web, much less, were publicly facing.

    We learned that Upguard contacted Amazon Web Services about this issue in Augus
    On August 24th, Amazon Web Services informed Upguard that the files had been removed by Amazon’s client, which was TalentPen.

    Reply
18. September 4, 2017 at 7:20 am

    Tomi Engdahl says:

    Data Breach Exposes Thousands of Job Seekers Citing Top Secret Government Work [Updated]
    https://gizmodo.com/thousands-of-job-applicants-citing-top-secret-us-govern-1798733354?IR=T

    Thousands of files containing the personal information and expertise of Americans with classified and up to Top Secret security clearances have been exposed by an unsecured Amazon server, potentially for most of the year.

    The files have been traced back to TigerSwan, a North Carolina-based private security firm. But in a statement on Saturday, TigerSwan implicated TalentPen, a third-party vendor apparently used by the firm to process new job applicants.

    “At no time was there ever a data breach of any TigerSwan server,” the firm said

    Found on an insecure Amazon S3 bucket without the protection of a password, the cache of roughly 9,400 documents reveal extraordinary details about thousands of individuals who were formerly and may be currently employed by the US Department of Defense and within the US intelligence community.

    Other documents reveal sensitive and personal details about Iraqi and Afghan nationals who have cooperated and worked alongside US military forces in their home countries, according to the security firm who discovered and reviewed the documents.

    Many of the files are timestamped and indicate that they were uploaded to the server in mid-February. Gizmodo has yet to confirm for how long the data was left publicly accessible, information only accessible to Amazon and the server’s owner.

    TigerSwan has operated on behalf of the U.S. military and State Department as a paramilitary force in Iraq and Afghanistan, as well as domestically on behalf of corporations.

    Beyond its battlefield utility, TigerSwan International has provided construction and security services in Saudi Arabia

    A Gizmodo investigation into the potential consequences of the breach was interrupted on Saturday after TigerSwan went public with a statement on its website.

    Reply
19. September 4, 2017 at 7:30 am

    Tomi Engdahl says:

    ‘Independent’ gov law reviewer wants users preemptively identified before they’re ‘allowed’ to use encryption
    UK watchdog echoes Home Sec in anti-crypto comments
    https://www.theregister.co.uk/2017/09/01/max_hill_qc_deny_encryption_anonymous_users/

    The UK’s “independent reviewer of terrorism legislation” appears to have gone rogue, saying that encryption should be withheld from people who don’t verify their identities on social media.

    Max Hill QC is supposedly the reviewer of government laws designed to stop terrorists. His latest statement, carried in tonight’s London Evening Standard, appears to be strongly echoing the views of the very government he is supposed to be scrutinising and holding to account.

    “A discussion I have had with some of the tech companies is whether it is possible to withhold encryption pending positive identification of the internet user,” Hill was reported as telling the paper’s home affairs correspondent, Martin Evans.

    “If the technology would permit that sort of perusal, identification and verification, prior to posting that would form a very good solution… and would not involve wholesale infringement on free speech use of the internet,” added the lawyer.

    The Independent Reviewer of Terrorism Legislation (IRTL) is supposed to act as a check and balance on the government, reporting to Parliament on how anti-terror laws are used in practice and how they affect both their intended targets and the wider population. On the IRTL’s website it even states: “The uniqueness of the role lies in its complete independence from government”.

    Hill’s interview with the Standard will raise serious and far-reaching questions about his claimed independence from government, particularly as it leans heavily on the tech sector to fall into line and do as British ministers want.

    https://terrorismlegislationreviewer.independent.gov.uk/about-me/

    Reply
20. September 4, 2017 at 7:36 am

    Tomi Engdahl says:

    Microsoft bins unloved Chinese cert shops
    WoSign and StartCom banished from Windows 10
    https://www.theregister.co.uk/2017/08/10/microsoft_windows_10_will_not_recognise_chinese_cas_wosign_and_startcom/

    Microsoft’s decided not to support digital certificates issued by Chinese outfits WoSign and StartCom, but the first-mentioned CA disputes the decision.

    Google, Apple and Mozilla binned WoSign certs in 2016.

    Microsoft says it has now “… concluded that the Chinese Certificate Authorities (CAs) WoSign and StartCom have failed to maintain the standards required by our Trusted Root Program.”

    Reply
21. September 4, 2017 at 7:39 am

    Tomi Engdahl says:

    Crypto-busters reverse nearly 320 MEELLION hashed passwords
    Researchers reverse hashes in Troy Hunt’s password release. PS, don’t forget the salt
    https://www.theregister.co.uk/2017/09/04/cryptobusters_reverse_nearly_320_meellion_hashed_passwords/

    The anonymous CynoSure Prime “cracktivists” who two years ago reversed the hashes of 11 million leaked Ashley Madison passwords have done it again, this time untangling a stunning 320 million hashes dumped to Australian researcher Troy Hunt.

    CynoSure Prime’s previous work pales compared to what’s in last week’s post.

    Hunt, of HaveIBeenPwned fame, released the passwords in the hope that people who persist in re-using passwords could be persuaded otherwise, by letting websites look up and reject common passwords.

    The password databases Hunt sourced for his release were sourced from various different leaks, so it’s not surprising that many hashing algorithms (15 in all) appeared in the release, but most of them used SHA-1.

    That algorithm was handed its death-note some time ago, and its replacement became untenable in February this year when boffins demonstrated a practical SHA-1 collision.

    The other problem is its weakness: hashing is used to protect passwords because it is supposed to be irreversible: p455w0rd gets hashed to b4341ce88a4943631b9573d9e0e5b28991de945d, the hash gets stored in the database, and it’s supposed to be impossible to get the password from the hash.

    Along the way, the post looks at Hunt’s methodology and notes that some people are storing info beyond just the passwords in the hashes (for example, there are email:password combinations and other varieties of personally identifiable information

    When it comes to reversing the hashes, the post illustrates just how good the available tools have become: running MDXfind and Hashcat on a quad-core Intel Core i7-6700K system, with four GeForce GTX 1080 GPUs and 64GB of memory, the researchers “recover all but 116 of the SHA-1 hashes”.

    Most of the passwords in the HaveIBeenPwned release are between 7 and 10 characters long.

    Reply
22. September 4, 2017 at 8:20 am

    Tomi Engdahl says:

    700 Million Records Found on Server Powering Onliner Spambot
    http://www.securityweek.com/700-million-records-found-server-powering-onliner-spambot

    A Paris-based malware researcher known as Benkow has discovered more than 700 million records used by the Onliner spambot on a misconfigured server. The records comprise a large number of email addresses, passwords and SMTP configurations. Researcher Troy Hunt has subsequently added the lists to his Have I Been Pwned (HIBP) website and service.

    The IP address of the misconfigured server has been traced to the Netherlands. “Benkow and I,” wrote Hunt in a blog post yesterday, “have been in touch with a trusted source there who’s communicating with law enforcement in an attempt to get it shut down ASAP.” However, since the database was exposed on the internet, it has possibly been accessed and downloaded by other actors.

    Reply
23. September 4, 2017 at 8:22 am

    Tomi Engdahl says:

    Serious Vulnerabilities Disclosed in Modems Used by AT&T’s U-verse Service
    http://www.securityweek.com/serious-vulnerabilities-disclosed-modems-used-atts-u-verse-service

    Five vulnerabilities have been found in Arris-manufactured home networking equipment supplied in AT&T’s U-verse service. The vulnerabilities are considered so trivial to exploit that they have been disclosed to the public without waiting for remedial work from either Arris or AT&T.

    On one of the vulnerabilities, Joseph Hutchins of Nomotion Software reported yesterday, “It is hard to believe that no one is already exploiting this vulnerability at the detriment of innocents. Which is why this report is not passing Go, not collecting $200, and is going straight to the public domain.”

    Arris has said that it is investigating the claims and cannot yet comment; but that it will take any necessary action to protect users of its devices.

    It is worth noting that Arris is not a stranger to vulnerabilities — a talk “CableTap: Wireless Tapping Your Home Network” was recently delivered at Def Con.

    Right now, U-verse users should be aware that these are serious vulnerabilities. Tod Beardsley, Research Director at Rapid7, told SecurityWeek by email, they “include three separate maintenance interfaces over SSH and two hidden HTTP-based services, all of which are reachable from the internet with hard-coded credentials and susceptible to command injection attacks. In addition, Nomotion discovered an unauthenticated firewall bypass vulnerability, which appears to be a rudimentary reverse TCP proxy, allowing unfettered access from the internet to computers on the LAN side. Any one of these vulnerabilities is disastrous for AT&T U-Verse customers, since they ultimately bypass any security controls offered by these modems.”

    Reply
24. September 4, 2017 at 8:24 am

    Tomi Engdahl says:

    Need to Jumpstart IoT Security? Consider Segmentation
    http://www.securityweek.com/need-jumpstart-iot-security-consider-segmentation

    The Internet of Things (IoT) holds great promise for business collaboration and innovation through connections unimaginable a decade ago.

    In the healthcare industry, medical devices connecting patients, care givers, and systems across facilities are being used to save lives and find cures. Manufacturers embarking on their digital transformation journey are connecting devices on the factory floor to increase uptime, productivity, and competitive advantage. And connected meters, switches, and circuit breakers are allowing utilities to deliver power with the reliability and reach necessary to keep the economy moving. In fact, the number of connected things is expected to reach more than 20 billion by 2020 according to Gartner.

    But as the IoT grows so too does security risk. Organizations often aren’t aware of all the IoT devices connected to their network and expanding the attack surface. Adversaries are taking advantage of these weaknesses and are using these devices to establish a presence in an environment and move laterally across networks quietly and with relative ease until they accomplish their mission. WannaCry held medical devices for ransom at hospitals and shut down factories. Attacks on power grids compromised devices to infiltrate and disrupt critical infrastructure. Meanwhile, botnets like Mirai have infected hundreds of thousands of IoT devices, turning them into a collective weapon capable of launching coordinated attacks to incapacitate websites and take down parts of the Internet itself.

    IoT devices cannot protect themselves, either lacking the system resources to run any significant security capabilities or never designed with security in mind. Yet they need to be secured so that they can perform their functions unimpeded while making it harder for threat actors to use them for malicious activity.

    Software-based, extensible segmentation at an IoT scale, along with a segmentation strategy driven by security controls, can prevent lateral movement and effectively improve security.

    As you outline your segmentation strategy, here are three important aspects to keep in mind:

    • Identity and Trust – Establishing identity and the assignment of trust to users and devices

    • Visibility – To network, system, applications, and devices that drive security analytics and auditability

    • Availability – Establishment of resilience and availability mechanisms to meet business requirements

    Let’s take a quick look at how these elements come together.

    Electric utilities can have hundreds to thousands of power substations in geographically remote and difficult-to-reach locations. Therefore, any work that may be done remotely will help keep operational costs down by saving time and effort. Of course, that access must be secure. Additionally, if a technician is required to visit a substation, network access must be restricted to approved devices. Similarly, manufacturers often must allow remote access to their network from multiple vendors that provide remote support to their equipment. But they often lack visibility as to when the vendors are accessing their networks and what actions the vendors are taking during that time. A strategic segmentation approach ensures alignment to business goals while allowing only permitted, profiled devices access be it to the network at the substation, or to machinery on the factory floor.

    In a hospital setting, equipment moves around; an array of devices are connecting to the network; patients and care givers need network access; electronic medical records must be protected; and campuses and regional clinics need to be connected.

    Segmentation is an important element of any security strategy to mitigate risk from IoT-based attacks, but it has to be done right.

    Reply
25. September 4, 2017 at 8:25 am

    Tomi Engdahl says:

    The “Imitation Game” – The Need for Human Intelligence in Threat Operations
    http://www.securityweek.com/imitation-game-need-human-intelligence-threat-operations

    This is the question Alan Turing (played by Benedict Cumberbatch) asks in the movie, The Imitation Game. He and his team were charged with decrypting the codes used by Nazi Germany’s Enigma machine. Turing realized the need to have a machine to attempt all the various combinations and permutations to break the code within a 24 hour period, before the code changed. However, the machine kept failing as it still couldn’t decode fast enough. After months of trying without success, it wasn’t the machine that broke the code…it was human intelligence that resulted in success.

    In the end, the machine helped to do things faster, but it took human intelligence to figure out how to solve the puzzle. Realizing that the daily 6:00 a.m. weather report always included the same key letters, they were able to set the machine to find and decrypt the message every morning. This focus, coupled with the machine’s ability to automate the permutations, allowed it to crack the code daily. Humans were behind the creation of the coded messages and, ultimately, humans and human intelligence were behind how the messages were decrypted.

    Reply
26. September 4, 2017 at 8:27 am

    Tomi Engdahl says:

    With Security at the Foundation, Blockchain Can Revolutionize the World
    http://www.securityweek.com/security-foundation-blockchain-can-revolutionize-world

    The Only Way to Ensure That the Blockchain Revolution is Successful is Through Security

    The financial services industry is, in many ways, rather antiquated. You make a purchase using your credit card, the bitstream goes through a number of computers, some even legacy mainframes, and then the settlement is made a few days later. Why shouldn’t this be an instantaneous transaction? You can make a phone call from halfway across the world for free and almost instantly, but you can’t send money in the same way. A need to simplify these transactions has led to solutions like PayPal, Venmo, Square and Apple Pay. I expect further disruption as businesses look to reduce transaction costs and eliminate the need for this form of payment processors and verifiers. While third-party oversight can give the illusion of an added layer of security, in many ways it can actually be an added layer of vulnerability, as it introduces one further middleman that could potentially fall victim to some form of attack. Peer-to-peer transactions eliminate this middleman, lessening the risks associated with having information being passed from one intermediary to another.

    Retail and manufacturing are equally ripe for change. Manufactured goods are notoriously insecure because of susceptibility to counterfeiting. High margin and/or luxury goods, in particular, are targeted because of their high price tags and profit margins. Because of its decentralized nature, blockchain allows for objective verification down to the transistor level. Blockchain can ensure the integrity of the supply chain so that each transistor or component can be easily monitored or recalled, if necessary. Imagine retailers being able to pinpoint the location and manufacturing stage at any time in any part of the world, or consumers having the ability to verify the authenticity of their purchase through a public ledger.

    Then there’s the entertainment industry, a prime example of how blockchain can bring about improvements. Content distribution and purchasing, such as buying a song or movie, triggers a complex series of transactions, resulting in less money for the artist for his or her content. Blockchain could enable artists to become direct distributors and reap the financial benefits of working directly with fans. In addition, with blockchain, entertainment companies can improve copyright tracking, making it more difficult to distribute pirated materials. Piracy drastically reduces the value of the commodity, so implementing a public ledger system grants the ability to track where all the content originates from and ensure its value is maintained.

    Financial services, manufacturing and entertainment are just three examples out of many. Almost every industry can improve efficiencies with blockchain. But what will make blockchain a success is ultimately security. If this technology is going to be widely implemented into common transactions, customer reassurance of security becomes imperative. Security technologies can no longer remain an afterthought and not only will they have to be embedded into everything we do but also impact everything we do.

    Reply
27. September 4, 2017 at 8:29 am

    Tomi Engdahl says:

    Snapping Links in the Kill Chain: Lessons Learned from a Stealth Pilot
    http://www.securityweek.com/snapping-links-kill-chain-lessons-learned-stealth-pilot

    In military terms, a kill chain describes phases or stages of an attack. This is a similar definition that “Lockheed Martin” used in 2013 to describe the cyber kill chain. The cyber kill chain represents the different phases to describe how an adversary infiltrates the enterprise, then moves laterally to a specific endpoint that has sensitive data before exfiltrating it.

    There are several benefits of understanding the kill chain:

    ● Attacker versus defender perspective – The ability to see how you are viewed as a target allows you to take a critical view of your current security controls to make sure they are deployed and calibrated to meet your needs. You can use this view to test assumptions and probe for weaknesses using the techniques that hackers use to get in, move through, and exfiltrate data from a network

    ● Breaking the kill chain – While we all preach the philosophy of a defense-in-depth strategy with a layered number of security products, the reality is we have too many point products generating too many alerts with not enough people to manage them. When it comes to network defense and breach prevention, it’s not necessary to stop everything all the time. Your attacker has a specific objective. To stop them from consummating their attack, you just need to disrupt the hacker and prevent them from finishing their task.

    This sounds great in theory. But, do technologies exist today to visualize the kill chain?

    Some SIEMS provide you with the option to create customized widgets within your dashboards. You can collate logs from multiple systems to gain visibility into what is happening in various phases of the kill chain. For example, collecting logs and alerts from firewalls, IPS/IDS, and network monitoring services would help with understanding port scanning. This would all be incorporated into the reconnaissance widget within the SIEM dashboard. However, this approach takes the “defender” perspective, and is more of a log aggregation exercise. As we established earlier, there is already insufficient manpower available to analyze logs and alerts; grouping logs and alerts into different widgets is more of a technical configuration view.

    There are vulnerability management systems that attempt to model threats by grouping vulnerabilities and associated exploits into kill chain phases.

    The final approach is using breach and attack simulation technologies. Defined by Gartner recently in their “Hype Cycle for Threat Facing Technologies” report, this technology actually simulates hacker breach methods by dropping simulators in various security zones – endpoint, network, cloud.

    This attacker-based view allows you to take steps to snap the links that make up the kill chain by closing any security gaps you find, recalibrating your current assets and investing wisely in new assets that meet your known needs.

    In the security world, breach and attack simulation is a good approach to visualize the adversary and his/her kill chain. Breach and attack simulation provides great technical introspection and visibility into our network; to take as much interest as a hacker would and to find the cracks before they do. Without this information, bolting on a new widget won’t be much help even if the widget itself is a great product that can add real value to your defenses.

    Reply
28. September 4, 2017 at 8:30 am

    Tomi Engdahl says:

    Three Questions Every CISO Should Be Able to Answer
    http://www.securityweek.com/three-questions-every-ciso-should-be-able-answer

    To understand the scale of the challenge, three questions in particular should be asked of your security team.

    1. Can you account for every device on the network?
    2. Do you know where data is traveling, both internally and externally?
    3. Do you have meaningful oversight of how your users behave?

    Today’s threat landscape is getting more and more sophisticated, and the onset of machine-based attacks threatens to take that sophistication and speed to another level still. There is no such thing as a secure network today, and no security team can answer these three questions with 100 percent confidence. And yet, these are the starting points to initiate a new conversation about cyber security. Facing up to the blinds spots of our networks will help us direct our strategies toward the automation and visibility that we desperately need to anticipate the onset of attackers, before they strike.

    Reply
29. September 4, 2017 at 8:36 am

    Tomi Engdahl says:

    Demystifying Machine Learning: Turning the Buzzword Into Benefits for Endpoint Security
    http://www.securityweek.com/demystifying-machine-learning-how-turn-buzzword-real-benefits-endpoint-security

    To help clear up some of the confusion, let’s start by clarifying what machine learning in security is NOT:

    1. It is not a form of protection. One of the biggest misconceptions is that machine learning is some kind of new product or feature that provides protection to keep companies safe.

    2. It is not a quick fix for outdated approaches. Most AV solutions are using machine learning to analyze file attributes to determine whether a file is malicious. But this is basically what AV has been doing for years.

    3. It is not necessarily always getting smarter. Like any analytics tool, machine learning-based security solutions are only as good as the data available—the proverbial “garbage in, garbage out.”

    So, what will it take for machine learning to deliver on the hype and power a truly transformative new wave of endpoint security?

    1. It must analyze file behavior, not just attributes. Basing security decisions on file attributes only works when 1) there’s a file to analyze and 2) those attributes have been previously identified and embedded into the model.

    2. It must be informed by a timely, rigorously retrained model. Most vendors update their model every few months, but given the current cadence of new threat emergence, and the volatility of updates to beneficial software, this is not nearly enough.

    3. It must account for goodware. Just as thousands of new malware variants threaten endpoints daily, legitimate software is also constantly changing with updates and unique integrations.

    There’s no doubt that machine learning has and will continue to revolutionize endpoint security. But it’s important to understand exactly how this technology actually works, including its limitations. Understanding this, companies can better protect themselves by asking the right questions

    Reply
30. September 4, 2017 at 8:38 am

    Tomi Engdahl says:

    Assessing Cyber and Physical Risks to Oil & Gas Sector
    http://www.securityweek.com/assessing-cyber-and-physical-risks-oil-gas-sector

    This classification applies to 16 different sectors, some of which face greater risks and challenges than others when it comes to security. Oil and natural gas (ONG) is one such sector. Here’s why:

    Unsecure technologies are prevalent

    Overall, many ONG companies’ IT & OT infrastructures mimic an ongoing trend we’ve seen across all sectors: the widespread presence of security vulnerabilities stemming from the rapid (and often premature) adoption of digital technologies and IoT devices. Similar to how the healthcare sector’s rushed implementation of electronic medical record systems ultimately fueled an uptick in healthcare data breaches, the ONG sector’s continual adoption of increasingly-interconnected industrial control systems (ICS) is expanding the surface area upon which potential vulnerabilities could occur, threats manifest, and attacks transpire.

    Even worse, many ONG companies continue to rely on outdated, insecure operating systems and even hardware. A recent Ponemon Institute study on “The State of Cybersecurity in the Oil & Gas Industry” revealed that these issues may be exacerbating the fact that ONG already lags behind many other sectors when it comes to cybersecurity capabilities, readiness, and awareness. Consequently, over 70% of ONG companies have been breached in the last year.

    Threat actors are more complex

    While most security and intelligence teams are well-versed in protecting their organizations from the fraudsters and cybercriminals responsible for the majority of threats emanating from the Deep & Dark Web, combatting the myriad of malicious cyber and physical actors targeting the ONG sector can create substantial challenges for which many teams may be neither prepared nor able to address.

    State-sponsored actors are one such example. Often driven by political, ideological, and/or adversarial gain, these actors have historically targeted ONG industrial control systems, launched cyberattacks aimed at disrupting the operational continuity of regional ONG entities, and attempted to access and exploit confidential ONG information to support foreign military initiatives.

    Damages can be severe

    Perhaps the most obvious reason for the ONG sector’s increased cyber and physical risks stems from its omnipresent and truly vital role in modern society. Given that oil and natural gas account for the majority of the world’s energy consumption, power international trade, and remain integral determinants of the global economy, any threat that could compromise these resources and/or the systems on which they rely has the potential to yield catastrophic damages.

    So what exactly could these damages look like? Past cyberattacks in the ONG sector provide some insight. Following the 2012 attack on Saudi Aramco’s cyber infrastructure, for example, nearly 75 percent of the company’s data was lost and operations – as well as a global oil supply chain – were disrupted for months and yielded lasting economic consequences.

    Clearly when it comes to safeguarding critical infrastructure entities, the stakes are high – especially for ONG companies.

    Reply
31. September 4, 2017 at 1:01 pm

    Tomi Engdahl says:

    Jailed YouTuber: ‘Not proud’ of prank
    http://www.bbc.com/news/technology-40869278

    A YouTuber jailed for his part in a prank on the public says he is “sorry if he frightened people”.

    Daniel Jarvis, 27, is a member of the Trollstation YouTube channel, which has about a million subscribers.

    In 2016, he and three others were jailed for a total of 72 weeks after pleading guilty to two counts of threatening behaviour causing fear of unlawful violence.

    They staged a fake robbery at London’s National Portrait Gallery in 2015.

    Speaking in an exclusive interview with Stephen Nolan on BBC Radio 5 live, Jarvis said: “I’m not proud. It wasn’t meant to be that extreme.

    “We were going to go in there and be stupid, dumb, criminals, falling over each other.”

    “We were going to go in there and be stupid, dumb, criminals, falling over each other.”

    The pranksters set off an alarm inside the gallery after carrying in fake paintings, dressed as robbers, causing members of the public to flee.

    The video has been viewed nearly one million times on YouTube.

    “When the alarm was so loud, it caused too much panic, which was our fault,” Jarvis said.

    Reply
32. September 4, 2017 at 2:17 pm

    Tomi Engdahl says:

    Asterisk RTP bug worse than first thought: think intercepted streams
    Thanks for using Asterisk. Your call is transparent to us, so stay on the line to get p0wned
    https://www.theregister.co.uk/2017/09/03/asterisk_rtp_bug_allows_intercepted_calls/

    One of the Asterisk bugs published last week is worse than first thought: Enable Security warns it exposes the popular IP telephony system to stream injection and interception without an attacker holding a man-in-the-middle position.

    In it, Enable Security explains that a bug it’s dubbed “RTPbleed” (the “RTP” stands for Real Time Protocol) which first emerged in September 2011, was patched in the same month, but was then reintroduced in 2013. As this page states, it doesn’t only affect Asterisk, because the bug’s in RTP proxy code.

    The RTP bleed Bug
    https://rtpbleed.com/

    The RTP bleed Bug is a serious vulnerability in a number of RTP proxies. This weakness allows malicious users to inject and receive RTP streams of ongoing calls without needing to be positioned as man-in-the-middle. This may lead to eavesdropping of audio calls, impersonation and possibly cause toll fraud by redirecting ongoing calls.

    What leaks in practice?

    We have seen RTP proxies leak RTP packets containing unencrypted audio and allow audio injection of ongoing calls. We have also seen encrypted RTP (i.e. SRTP) packets being leaked out, which has different security implications to when RTP is not encrypted. We assume that any RTP traffic passing through a vulnerable RTP proxy may be sent to an attacker who has network access to the system.

    Why it is called the RTP bleed Bug?

    The naming convention follows a number of other security vulnerabilities, first being Heartbleed, suffixed with the keyword bleed. Also, our imagination when naming this vulnerability, was rather limited.

    When this vulnerability is exploited it leads to the leakage of RTP packets which are sent to the attacker instead of the legitimate caller or callee.

    Is this a design flaw in RTP protocol specification?

    Sort of, a bit. There is no authentication of RTP packets in unencrypted RTP session. Even when NAT is not involved the source of the packets cannot be known (except if symmetric RTP (RFC4961) is used by both endpoints).

    However, poorly designed RTP proxies make exploiting this flaw easier than necessary when trying to cater for endpoints behind NAT.

    How is this different to sniffing unencrypted RTP traffic?

    To sniff unencrypted RTP traffic, an attacker usually needs to be strategically positioned within the target network. Examples of strategically positioned attackers include those that can successfully mount an ARP cache poisoning attack, abuse compromised routers or perform BGP hijacking.

    RTP Bleed does not require the attacker to be strategically positioned within the target network. All that is required is for the attacker to send RTP packets to the vulnerable system.

    What is being leaked?

    RTP packets which usually contain audio or video payloads. The implication is that phone call audio may be leaked or hijacked by an attacker.

    How widespread is this?

    The most notable software vulnerable to this bug is Asterisk and RTP Proxy. We do expect a number of commercial as well as custom RTP proxies to be vulnerable to this bug.

    Reply
33. September 4, 2017 at 3:32 pm

    Tomi Engdahl says:

    Cyberweapons are now in play: From US sabotage of a North Korean missile test to hacked emergency sirens in Dallas
    http://www.techrepublic.com/article/cyberweapons-are-now-in-play-from-us-sabotage-of-a-north-korean-missile-test-to-hacked-emergency/

    Cyberwarfare has begun. Unlike nuclear weapons, cyberweapons can be proliferated more quickly and the threat from accidentally setting them off is even greater.

    Reply
34. September 5, 2017 at 8:01 am

    Tomi Engdahl says:

    VMware wants security industry to shrink so its ambitions fit into market
    Virtzilla’s swagger is back as it plans to do to the security industry what it once did to storage industry
    https://www.theregister.co.uk/2017/09/05/vmware_wants_security_industry_to_shrink_so_its_ambitions_fit_into_market/

    VMWORLD 2017 VMware’s entered the enterprise security market and called for it to become more concentrated.

    The somewhat arrogant analysis comes from the top-down: CEO Pat Gelsinger’s opening day keynote featured a slide full of logos most often deployed when vendors show off all of their most recognisable customers. VMware put a twist on that slide by rendering hundreds of security vendors’ logos at illegible size. The point was that most security vendors offer point solutions that overlap, leaving organisations to manage multiple worthy-but-siloed products that together actually compromise security by making it hard to get the big picture.

    VMware’s answer is “AppDefense”, its new VM whitelisting product it says lets you “ensure good” behaviour in a VM by checking its activities against a manifest of permitted behaviour, instead of just “chasing bad” with a fleet of security tools. If AppDefense detects a VM deviating from expected behaviour, a range of manual and/or automated responses become available to nip attacks in the bud.

    Gelsinger thinks VMware is onto something with this approach.

    Gelsinger took some of the blame for that problem, on behalf of the rest of the industry, by saying “It is about collectively as an industry delivering secure infrastructure. We have failed the customer. We have to do more core security functions in the underlying infrastructure.”

    AppDefense does that for the hypervisor and Gelsinger pointed out that by baking encryption into VSAN VMware is stepping up to ensure storage is also more secure.

    The company’s next step may look familiar to storage-watchers, as when vSphere started to take off VMware started to lay down the law to array vendors so that their wares played well with Virtzilla’s hypervisors and management tools.

    Gelisinger plans something similar with security vendors, as he says their tools “need to be more deeply integrated with operational environments.” VMware therefore plans to partner with substantial security players to provide “validated solutions” that describe secure infrastructure combining VMware products with code from security vendors.

    “Maybe it will be 100 vendors,” he said. “It will not be 2,000 vendors.”

    The CEO doesn’t think niche vendors need to disappear. “Perhaps you are special,” he said. “There are special vendors in the PCI and federal and medical fields.

    Reply
35. September 5, 2017 at 8:19 am

    Tomi Engdahl says:

    China crackdown: VPN vendor gets prison
    Nine months for letting punters bypass Great Firewall
    https://www.theregister.co.uk/2017/09/05/china_crackdown_vpn_vendor_gets_prison/

    A Chinese man has been sentenced to nine months in prison for helping his fellow citizens drill through the Great Firewall with virtual private networks.

    The South China Morning Post says the sentence was handed down in March but only published over the weekend.

    Unsurprisingly, after trend-spotter What’s on Weibo noticed and published news of the sentence, VPN users have been somewhat spooked

    Part of that concern has to do with the wording the judgement uses, namely that Deng’s transgression was that the VPN software constituted “invading and illegally controlling” computer systems.

    China has recently clamped down on attempts to evade its Web censorship regime. In January, the Ministry of Industry and Information published new rules requiring ISPs, cloud providers and VPN resellers to get regional government licenses to operate.

    Reply
36. September 5, 2017 at 8:25 am

    Tomi Engdahl says:

    Crypto-busters reverse nearly 320 MEELLION hashed passwords
    Researchers reverse hashes in Troy Hunt’s password release. PS, don’t forget the salt
    https://www.theregister.co.uk/2017/09/04/cryptobusters_reverse_nearly_320_meellion_hashed_passwords/

    The anonymous CynoSure Prime “cracktivists” who two years ago reversed the hashes of 11 million leaked Ashley Madison passwords have done it again, this time untangling a stunning 320 million hashes dumped by Australian researcher Troy Hunt.

    Hunt, of HaveIBeenPwned fame, released the passwords in the hope that people who persist in re-using passwords could be persuaded otherwise, by letting websites look up and reject common passwords. The challenge was accepted by the group of researchers who go by CynoSure Prime, along with German IT security PhD student @m33x and infoseccer Royce Williams (@tychotithonus).

    The password databases Hunt mined for his release were sourced from various different leaks, so it’s not surprising that many hashing algorithms (15 in all) appeared in it, but most of them used SHA-1. That algorithm was handed its death-note some time ago, and its replacement became untenable in February this year when boffins demonstrated a practical SHA-1 collision.

    Reply
37. September 5, 2017 at 8:27 am

    Tomi Engdahl says:

    Security lapse exposed thousands of military contractor files
    The personal info of Americans with Top Secret clearance were left in a public server.
    https://www.engadget.com/2017/09/04/military-contractor-security-recruiter/

    Thousands of files containing the private info of US military and intelligence personnel have been exposed online. The documents (which included a mixture of resumes and job applications) were found on a public Amazon Web Services server by cybersecurity firm UpGuard. A research analyst for the company traced the files back to a North Carolina-based private security firm known as TigerSwan. In a statement on Saturday, TigerSwan blamed the lapse on TalentPen, a third-party recruiting vendor.

    The roughly 9,400 files contain the personal details of TigerSwan’s prospective employees, some of who had applied for work as far back as 2008. The documents include info such as an applicant’s home address, phone number, email address, driver’s license, passport and social security numbers.

    They also reveal sensitive details about individuals who were (and may still be) employed by the US Department of Defence, and US intelligence agencies. Others who may have been exposed include several Iraqi and Afghani nationals (who worked as translators for US and Coalition forces), a former UN worker in the Middle East, and a former US ambassador to Indonesia. TigerSwan insists the documents were not leaked as part of a data breach.

    Reply
38. September 5, 2017 at 8:29 am

    Tomi Engdahl says:

    ACM Queue:
    Most of Bitcoin’s components had been described in the 80s and 90s; Satoshi Nakamoto’s true genius was in assembling them to work in the real world

    Bitcoin’s Academic Pedigree
    The concept of cryptocurrencies is built from forgotten ideas in research literature.
    http://queue.acm.org/detail.cfm?id=3136559

    Reply
39. September 5, 2017 at 8:42 am

    Tomi Engdahl says:

    Paul Leighton jailed for rapes thousands of miles away
    http://www.bbc.com/news/uk-england-tyne-41153941

    A paedophile has been jailed for 16 years after admitting rape, despite being thousands of miles away when the offences happened.

    Paul Leighton, 32, from Seaham, County Durham, created up to 40 fake Facebook profiles to befriend teenagers in the UK, Canada, the US and Australia.

    He tricked them into sending him naked selfies, then blackmailed them into abusing young relatives.

    Sentencing Leighton to 16 years with a six-year extended licence, Judge Robert Adams told him: “You have effectively destroyed the lives of these people.”

    “This was a campaign of rape.

    “The defendant has pleaded guilty to the rape of this baby 4,000 miles away as he was using (the uncle) as an accessory.”

    “We were able to successfully prosecute Leighton for rape by proving that he was as guilty in instigating the overseas offending as he would have been committing the crime itself.”

    Reply
40. September 5, 2017 at 8:43 am

    Tomi Engdahl says:

    Always read the Terms of Use!

    The translation service site translate.com reveals their users’ translations online and includes a lot of sensitive and private translations

    There have been, for example, internal discussions within a Finnish bank, e-mails from a Finnish food company, and an internal discussion within the electronics company about the suitability of a particular person for the job of a chief shop steward, Yle reports. In addition, there are a lot of private messages.

    Translate.com’s activity is not really a mistake because the user issues all the rights to translate texts to translate.com as the site’s terms of use. However, few have read the terms. Texts are published on the page so that other users can propose better translations and thus improve the functionality of the service.

    Source:http://www.tivi.fi/Kaikki_uutiset/lue-aina-kayttoehdot-yle-verkon-kaannospalvelu-paljastaa-kaikille-mita-kaansit-julki-suomalaistenkin-luottamuksellisia-teksteja-6673888

    Reply
41. September 5, 2017 at 9:55 am

    Tomi Engdahl says:

    Vulnerabilities Discovered In Mobile Bootloaders of Major Vendors
    https://mobile.slashdot.org/story/17/09/05/0257221/vulnerabilities-discovered-in-mobile-bootloaders-of-major-vendors

    Android bootloader components from five major chipset vendors are affected by vulnerabilities that break the CoT (Chain of Trust) during the Android OS boot-up sequence, opening devices to attacks. The vulnerabilities were discovered with a new tool called BootStomp, developed by nine computer scientists from the University of California, Santa Barbara. Researchers analyzed five bootloaders from four vendors (NVIDIA, Qualcomm, MediaTek, and Huawei/HiSilicon).

    Vulnerabilities Discovered in Mobile Bootloaders of Major Vendors
    https://www.bleepingcomputer.com/news/security/vulnerabilities-discovered-in-mobile-bootloaders-of-major-vendors/

    Android bootloader components from five major chipset vendors are affected by vulnerabilities that break the CoT (Chain of Trust) during the boot-up sequence, opening devices to attacks.

    The vulnerabilities came to light during research carried out by a team of nine computer scientists from the University of California, Santa Barbara.

    Researchers developed BootStomp to analyze bootloaders

    The goal of BootStomp is to automatically identify security vulnerabilities that are related to the (mis)use of attacker-controlled non-volatile memory, trusted by the bootloader’s code. In particular, we envision using our system as an automatic system that, given a bootloader as input, outputs a number of alerts that could signal the presence of security vulnerabilities. Then, human analysts can analyze these alerts and quickly determine whether the highlighted functionality indeed constitute a security threat.

    By using BootStomp to find problematic areas of the previously obscure bootloader code, and then having the research team look over the findings, experts said they identified seven security flaws, six new and one previously known (CVE-2014-9798). Of the six new flaws, bootloader vendors already acknowledged and confirmed five.

    Reply
42. September 5, 2017 at 1:00 pm

    Tomi Engdahl says:

    Estonia’s acclaimed identity card system had to be shut down due to the security threat

    Estonia has announced on Tuesday that a security issue has been identified in identity cards issued to its citizens. Due to the security issue, in Estonia, the fully qualified certificate servers are closed. The problem is related to the chip of the smart card chip.

    According to the Population Register Center, there is no problem with the Finnish ID card system, as the system uses a different chip.

    Source: http://www.tivi.fi/Kaikki_uutiset/viron-kehuttu-henkilokorttijarjestelma-jouduttiin-sulkemaan-tietoturvauhan-vuoksi-6674048

    Reply
43. September 5, 2017 at 2:34 pm

    Tomi Engdahl says:

    Bazinga! Social network Taringa ‘fesses up to data breach
    Que pasó?
    https://www.theregister.co.uk/2017/09/05/taringa_data_breach/
    Latin American social networking site Taringa has suffered a database breach that has resulted in the spill of more than 28 million records.

    Usernames, hashed passwords (using the weak MD5 algorithm) and personal email addresses have been exposed by the breach.

    LeakBase claims that it has already cracked 94 per cent of password hashes exposed in the latest dumps.

    In response, Taringa – which has users all over the Spanish-speaking world – has applied a password reset as well as urging consumers to review their use of login credentials elsewhere to make sure they are not using the same (now compromised) passwords on other sites.

    Although the breach affects a consumer site, it poses a risk for corporates because it opens the door to the well-practised hacker tactic of using the same login credentials to break into more sensitive (webmail, online banking) or corporate accounts. The still widespread practice of password reuse opens the door to such credential stuffing attacks.

    Reply
44. September 5, 2017 at 2:35 pm

    Tomi Engdahl says:

    Verizon Wants to Build an Advertising Juggernaut. It Needs Your Data First
    The company offers concert tickets and other rewards in exchange for customers’ personal information
    https://www.wsj.com/articles/verizon-wants-to-build-an-advertising-juggernaut-it-needs-your-data-first-1504603801

    A new Verizon Communications Inc. rewards program, Verizon Up, provides credits that wireless subscribers can use for concert tickets, movie premieres and phone upgrades.

    But it comes with a catch: Customers must give the carrier access to their web-browsing history, app usage and location data

    Reply
45. September 5, 2017 at 2:48 pm

    Tomi Engdahl says:

    Inkjet-printed nanoparticle ink can produce security holograms on an industrial scale
    http://www.laserfocusworld.com/articles/2017/08/inkjet-printed-nanoparticle-ink-can-produce-security-holograms-on-an-industrial-scale.html?cmpid=enl_lfw_lfw_enewsletter_2017-09-05

    Researchers at ITMO University (St. Petersburg, Russia) have unveiled a new approach to printing luminescent structures based on nanoparticle ink. The unique optical properties of the ink were achieved by means of europium-doped zirconia.1 Particles of this material were proven to be useful in manufacturing luminescent holographic coatings with a high degree of protection. Notably, the developed approach enables the fabrication of custom holograms (including security holograms) by means of a simple inkjet printer.

    These luminescent nanoparticles can also be used to produce biosensors and to visualize cancer cells.

    “Europium-doped zirconium dioxide is a material that has been studied and used by researchers all over the world for decades,” says Alexandr Vinogradov, co-author of the research and head of ITMO University’s Biochemistry Cluster. “However, our research is novel in that it uses the material to protect the surface of rainbow holograms.”

    Nanoparticle Ink Lets Regular Inkjet Printers Produce Glowing Holograms
    http://news.ifmo.ru/en/science/new_materials/news/6884/

    Researchers at ITMO University have unveiled a new approach to printing luminescent structures based on nanoparticle ink. The unique optical properties of the ink were achieved by means of europium-doped zirconia. Particles of this material were proven to be useful in manufacturing glowing holographic coatings with a high degree of protection. Notably, the developed approach enables the fabrication of custom holograms by means of a simple inkjet printer. The results of the research were published in RSC Nanoscale.

    Reply
46. September 6, 2017 at 11:28 am

    Tomi Engdahl says:

    Yet another AWS config fumble: Time Warner Cable exposes 4 million subscriber records
    US cable giant the latest victim of S3 cloud security brain-fart
    https://www.theregister.co.uk/2017/09/05/twc_loses_4m_customer_records/

    Records of roughly four million Time Warner Cable customers in the US were exposed to the public internet after a contractor failed to properly secure an Amazon cloud database.

    Researchers with security company Kromtech said freelancers who handled web applications for TWC and other companies had left one of its AWS S3 storage bins containing seven years’ worth of subscriber data wide open on the ‘net. That data included addresses and contact numbers, information about their home gateways, and account settings.

    Just before the weekend, Kromtech said the vulnerable AWS instance was operated by BroadSoft, a cloud service provider that had been using the S3 silos to hold the SQL database information that included customer records.

    When Kromtech spotted the repository in late August, it realized that databases had been set to allow public access, rather than limit access to administrators or authorized users.

    “It is most likely that they were forgotten by engineers and never closed the public configuration. This would allow anyone with an internet connection to access extremely sensitive documents,” Kromtech’s Bob Diachenko said.

    “Not only could they access the documents, but any ‘authenticated users’ could have downloaded the data from the URL or using other applications. With no security in place, just a simple anonymous login would work.”

    The researchers found that the database included information on four million TWC customers collected between November 26, 2010 and July 7, 2017. The exposed data included customer billing addresses, phone numbers, usernames, MAC addresses, modem hardware serial numbers, account numbers, and details about the service settings and options for the accounts.

    Reply
47. September 6, 2017 at 11:39 am

    Tomi Engdahl says:

    Cory Doctorow / Locus Online Perspectives:
    The law should penalize, by corporate dissolution, companies who use their software to cheat consumers if it wants to end the behavior

    Cory Doctorow: Demon-Haunted World
    http://www.locusmag.com/Perspectives/2017/09/cory-doctorow-demon-haunted-world/

    Cheating is a given.

    Inspectors certify that gas-station pumps are pumping unadulter­ated fuel and accurately reporting the count, and they put tamper-evident seals on the pumps that will alert them to attempts by station owners to fiddle the pumps in their favor. Same for voting machines, cash registers, and the scales at your grocery store.

    The basic theory of cheating is to assume that the cheater is ‘‘rational’’ and won’t spend more to cheat than they could make from the scam: the cost of cheating is the risk of getting caught, multiplied by the cost of the punishment (fines, reputational dam­age), added to the technical expense associated with breaking the anti-cheat mechanisms.

    Software changes the theory. Software – whose basic underlying mechanism is ‘‘If this happens, then do this, otherwise do that’’ – allows cheaters to be a lot more subtle, and thus harder to catch. Software can say, ‘‘If there’s a chance I’m undergoing inspection, then be totally honest – but cheat the rest of the time.’’

    This presents profound challenges to our current regulatory model: Vegas slot machines could detect their location and if they believe that they are any­where near the Nevada Gaming Commission’s testing labs, run an honest payout.

    Reply
48. September 6, 2017 at 11:42 am

    Tomi Engdahl says:

    Mohit Kumar / The Hacker News:
    Latin American social media site Taringa hacked; LeakBase says stolen database has 28M accounts with hashed passwords, of which 93.79% have been cracked so far — Exclusive — If you have an account on Taringa, also known as “The Latin American Reddit,” your account details may have compromised …

    Taringa: Over 28 Million Users’ Data Exposed in Massive Data Breach
    Monday, September 04, 2017 Mohit Kumar
    http://thehackernews.com/2017/09/taringa-data-breach-hacking.html

    Reply
49. September 6, 2017 at 11:44 am

    Tomi Engdahl says:

    Zack Whittaker / ZDNet:
    Critical flaw found in Apache Struts, a popular Java web app framework, has been present since 2008, and may affect 65% of Fortune 500 firms; patch is available

    A critical Apache Struts security flaw makes it ‘easy’ to hack Fortune 100 firms
    http://www.zdnet.com/article/critical-security-bug-threatens-fortune-100-companies/

    Servers and data stored by dozens of Fortune 100 companies are at risk, including airlines, banks and financial institutions, and social media sites.

    A critical security vulnerability in open-source server software enables hackers to easily take control of an affected server — putting sensitive corporate data at risk.

    The vulnerability allows an attacker to remotely run code on servers that run applications using the REST plugin, built with Apache Struts, according to security researchers who discovered the vulnerability.

    All versions of Struts since 2008 are affected, said the researchers.

    Apache Struts is used across the Fortune 100 to provide web applications in Java, and it powers front- and back-end applications. Man Yue Mo, a security researcher at LGTM, who led the effort that led to the bug’s discovery, said that Struts is used in many publicly accessible web applications, such as airline booking and internet banking systems.

    Mo said that all a hacker needs “is a web browser.”

    “I can’t stress enough how incredibly easy this is to exploit,”

    “If you know what request to send, you can start any process on the web server running a vulnerable application,” he said.

    The vulnerability is caused by how Struts deserializes untrusted data, Mo said. An attacker can exploit the flaw to run any command on an affected Struts server, even behind a company firewall.

    “An attacker can use the vulnerability to find the credentials, connect to the database server, and extract all data,” he said. Worse, he added, an attacker could delete data.

    “A creative attacker will have a field day,” he said. “And even worse: The organization under attack may not even notice until it is well too late.”

    An exploit has been developed by the security researchers but has not been released to give companies time to patch their systems. He said that he’s not aware of anyone exploiting the vulnerability but warned that he expects this to change “within a few hours” of the bug’s details being made public.

    “Companies may indeed scramble to fix their infrastructure,” van Schaik said.

    A source code fix was released some weeks prior, and Apache released a full patch on Tuesday to fix the vulnerability.

    But many companies will be vulnerable to attack until their systems are patched.

    Reply
50. September 6, 2017 at 11:45 am

    Tomi Engdahl says:

    Security is the Goal, Not Compliance
    http://www.securityweek.com/security-goal-not-compliance

    Just Because You Passed Your Compliance Audit Does Not Mean That You Are Secure

    When asked why he robs banks, Willie Sutton famously responded, “because that’s where the money is.” In today’s day and age, physical currency is no longer the target of the bad guys.

    Stealing actual money carries too much risk with too little reward compared to other targets. Stealing money electronically with ones and zeros has somewhat taken its place, but today’s most valuable currency is data. To date, data is not as well protected as the physical and virtual gateways to financial currency, and as opposed to actual money, can be sold many times over. Despite this not being a new phenomenon, many organizations have not gotten their act together to properly protect their customers’, employees’ and business partners’ data.

    Reply