2017 will not bring any turn towards better data security. The internet is rife with threats, the well-known ones as much as the unknown, and the company’s systems are supposed to be protected against all of them. Hackers are going to continue to look for new ways to extort and steal information from businesses and organizations, which unfortunately means those businesses and organizations will have to continue to look for new ways to protect themselves.
Critical infrastructure comes under attack in 2017. Critical infrastructures must be better protected from criminals and terrorists who take advantage of the modern technologies that are essential for the functioning of society and the economy. The IT security functions of industrial control systems (ICS), energy grids and IoT networks need to be improved in 2017.
There is a push for better web security in 2017. Starting on New Year’s Day, Google’s Chrome will begin labeling as “insecure” all websites that transmit passwords or ask for credit card details over plain-text HTTP. Beginning in January 2017 (Chrome 56), HTTP sites that transmit passwords or credit cards are marked as non-secure, as part of a long-term plan to mark all HTTP sites as non-secure.
SHA-1 is insecure. Starting on Jan 1, 2017, most CAs will migrate to SHA-2 certificates, and the major browser makers, including Microsoft, Google and Mozilla, have already announced plans to adopt the change. Their browsers will no longer trust sites that use SHA-1 certificates starting with that date, and they will mark these websites as insecure. Still, 1/3 of websites use SHA-1 certificates despite the looming deadline. SHA-1 will still hang around, like a fart in a spacesuit, for many years to come because some people are lazy enough not to make the change.
There will be changes in how security is viewed in 2017 by businesses. We will likely see cloud adoption continue to grow across the United States, network visibility will no longer just be an option, AI and machine learning will shake old security models, and IoT-powered attacks will continue to rise. All of this will factor into how businesses set up, monitor and secure their networks.
The Commoditization of Cyberattacks Will Make Them More Frequent in 2017. More and more companies suffer business disruption due to cyber attacks. Cyber attacks cause companies significant financial losses, but studies show that companies are not prepared for attacks. According to Gartner, by 2018 only 40 per cent of large companies will have official plans in case of cyber attacks. Last year, the percentage was zero.
Strap yourself in for a bumpy ride in 2017. 2016 sucked. 2017 won’t be much better, sorry. DDoS attacks have been around since at least 2000, and they’re not going away. In fact, as the number of devices online grows, the volume and velocity of these attacks is also increasing. DDoS attack toolkits have been around for years, as have services that will enable you to pay for an attack. Expect to see more of them. It seems that 2017 promises to be the most dramatic year yet in DDoS conflict. Whale-sized DDoS attacks will increase, the IoT will become a bigger factor in DDoS, and DDoS will overshadow ransomware attacks and will be used for extortion. Expect to see the Internet of Things (IoT) and other connected devices play an important part in these attacks.
Biometric identification will become more common in 2017, but it will not replace passwords. Fingerprint identification has become increasingly common in smartphones, and the technology is already fast and reliable. This year biometric identification devices were sold for 4.5 billion dollars (most of them going into smartphones and laptops). 91 per cent of biometric sales were fingerprint sensors, four per cent face detection and three per cent iris detection.
Biometrics Won’t Kill Passwords any time soon. Even though PIN codes and passwords are actually pretty lousy protection against a skilled cybercriminal, the password will never disappear entirely, as two per cent of the world’s population have fingerprints that are not suitable for biometric identification to work. Other biometric identification systems have similar limitations and/or are not yet commonly available at reasonable cost. While biometrics, including fingerprint, face, iris, palm and speech recognition, will continue to grow as a more secure substitute for passwords, they will not render passwords obsolete. Until the other common biometrics become commonplace, passwords are here to stay, until circa 2030.
The fight over encryption and backdoors is not over in 2017. Many public figures in law enforcement have consistently argued that device encryption presents a new threat to police powers of investigation. On the other side, the House Judiciary Committee’s Encryption Working Group report says encryption backdoors pose a security threat, siding with tech experts in its latest report. The problem is that any system allowing police to get into those encrypted systems (be it a phone, a computer or communications) could also be exploited by criminals. Any action in this space should weigh any short-term benefits against the long-term impacts. Many industry experts will rightly tell you there is no such thing as partial data encryption. You either have a fully capable system or none at all.
Given the security events of 2016, coupled with the rapid advancements and adoption of cloud computing, 2017 will be the year in which many finally accept that network infrastructure and security will have to be rethought from the ground up. In 2017 the cloud will become a risk for users: The cloud becoming insecure – extortion and IoT openings.
The rivalry between network attacks and network security is accelerating. Crippling Internet services with denial of service attacks is becoming more common throughout the world. DDoS attacks have been around since at least 2000, and they’re not going away. In fact, as the number of devices online grows, the volume and velocity of these attacks is also increasing. IoT-powered attacks will continue to rise, and stopping an attack is not easy. For most companies the key thing is that the attack traffic is stopped before it reaches the company’s Internet connection or servers (which means the need to use telecom operator and external services increases). In addition to the service disruption, denial of service attacks are often used as a distraction during the actual data burglary. DDoS may take over from ransomware as a cause for concern.
In 2017 IT and security professionals will talk more about business risks. Historically, firewalls, DLP, antivirus, SIEM and other technical point solutions have been the centerpiece of security conversations, but the mindset is slowly shifting from technology to risk. The goal of stopping all attacks and preventing all business impact has been recognized as a fool’s errand, and has shifted to measuring risk and minimizing business impacts. Cyber security is increasingly being viewed as a risk management problem.
In 2017 ‘Security’ Must be Added to our Existing Ethical and Philosophic Concerns Over Artificial Intelligence and Algorithms. Algorithms will soon run the world. They present problems that are seriously questioned on both ethical and philosophic grounds, and they have become the basis of fictional Armageddons.
Cyber insurance will be considered more often as one solution for handling cyber risks in 2017. The global cyber insurance market is expected to generate $14 billion by 2022, according to a new report published by Allied Market Research (AMR). That figure represents an impressive compound annual growth rate (CAGR) of nearly 28% from 2016 to 2022.
In 2017 Big Brother will be watching you 24/7. Those of you who’ve read George Orwell’s book 1984 or seen the movie will remember how the citizens of the fictitious totalitarian state of Oceania are constantly under surveillance by order of its dictator, Big Brother. So now swap your home desktop computer, laptop or smartphone for the fictitious telescreen: not only are you sitting in front of what is a modern-day version of the Big Brother telescreen, you are also walking around with one in your pocket or handbag. Sound a bit far-fetched to you? Well, it’s set to become a reality in many countries.
Users will want better security, or at least to feel more secure, in 2017. Many people are prepared to go to extremes for better security. According to a recent Harris Poll survey of over 2,000 adults, nearly 40% of Americans would give up sex for a year, or eating their favourite food, in exchange for better online security, meaning they’d never have to worry about being hacked. When you consider that 87 percent of U.S. adults use the internet, it makes sense that cyber security is one of the biggest concerns today. The single biggest thing people can do to help keep their online identity safe is probably the easiest: a solid password, and not giving it to other people. Still, nearly 50% of people have shared a password to an e-mail account or to an account like Netflix.
Security Becomes A Multi-System Issue, and more people are talking about it. Design teams will have to bake security strategies in from the start, no matter how insignificant the device. The good news is that more people are talking about the issue. The real challenge is packing enough security features into designs to prevent security breaches of every sort, including those that can come from other electronics that weren’t even considered as part of the design process. Just as devices get more sophisticated, so do hackers. The reality is that security breaches can even cause physical harm. It’s time to look at this at a multi-system, multi-disciplinary level. Otherwise, we literally could be playing with fire.
Blockchains have been a big trend for several years. The blockchain market is divided as 2017 starts. During autumn 2016 we have seen a number of initiatives on cooperation between the financial sector and consulting companies. Microsoft has chosen the Ethereum blockchain platform and offers it on its Azure cloud service. IBM has jumped on the Hyperledger consortium bandwagon and is offering its own blockchains on its Bluemix service. Google and Amazon still shine by their absence. Even banks may prefer to see the cloud used for blockchains.
Other prediction articles worth a look:
What Lies Ahead for Cybersecurity in 2017?
Network Infrastructure, Visibility and Security in 2017
DDoS in 2017: Strap yourself in for a bumpy ride
Cybersecurity Industry Outlook: 2017 to 2021 | CSO Online
IBM’s Cybersecurity Predictions for 2017 – eForensics
https://eforensicsmag.com/ibms-cybersecurity-predictions-2017/
Top 5 Cybersecurity Threats to Watch Out for in 2017
Experts Hopeful as Confidence in Risk Assessment Falls
3,151 Comments
Tomi Engdahl says:
Chinese vendors are already marketing face masks as iPhone X security tools
Face ID can’t get me now!
https://www.theverge.com/tldr/2017/9/14/16307226/iphone-x-taobao-faceid-help-me-cover-my-face-masks
Chinese vendors on online marketplace Taobao never resist a chance to peddle their goods. Just days after Apple announced the iPhone X that replaced the home button’s Touch ID for Face ID, Chinese merchants have launched “protective masks” in response to the news.
Tomi Engdahl says:
Mozilla Implements Faster Diffie-Hellman Function in Firefox
http://www.securityweek.com/mozilla-implements-faster-diffie-hellman-function-firefox
Mozilla this week revealed plans to introduce a new key establishment algorithm in Firefox to improve both security and performance of the web browser.
Called Curve25519, and designed by Daniel Julius Bernstein, the algorithm is a high-security elliptic-curve-Diffie-Hellman function deemed suitable for a wide variety of cryptographic applications. The public key cryptography can achieve record-setting speeds, while also offering free key compression, free key validation, and state-of-the-art timing-attack protection, Bernstein explains (PDF).
Widely used for key-exchange in TLS, Curve25519 was recently standardized by the Internet Engineering Task Force (IETF). Mozilla has already implemented the algorithm in the latest Firefox Nightly, and expects Firefox 57, set to be released in November, to bring the feature to all users, Benjamin Beurdouche, Mozillian INRIA Paris – Prosecco team, reveals.
Curve25519: new Diffie-Hellman speed records
https://cr.yp.to/ecdh/curve25519-20060209.pdf
Tomi Engdahl says:
New Attack Abuses CDNs to Spread Malware
http://www.securityweek.com/new-attack-abuses-cdns-spread-malware
Content delivery networks (CDNs) are being increasingly abused to spread malware, courtesy of standards that allow the download and execution of payloads on computers, ESET warns.
The security firm analyzed the downAndExec standard, which makes extensive use of JS scripts and enables the download and execution of malware. In one attack, miscreants were observed using the standard and abusing CDNs to deliver banking threats to users in Brazil, the researchers reveal.
The attack chain starts with social engineering techniques being used to trick victims into executing a malicious application detected as NSIS/TrojanDropper.Agent.CL. This is a malware downloader designed to fetch a single snippet of externally-hosted JS necessary to supplement the execution process.
The JS snippet is hosted on the infrastructure of a CDN provider, which not only provides high bandwidth for payload delivery and command and control (C&C) operations, but also ensures that takedown attempts aren’t immediately successful, as it is impracticable to block the entire CDN domain.
Tomi Engdahl says:
Trouble in Paradise as Cyber Attackers Circumvent 2FA
http://www.securityweek.com/trouble-paradise-cyber-attackers-circumvent-2fa
Two-Factor Authentication (2FA) has for years been one of the very dependable security technologies that was invoked to address high-risk scenarios — whether to safeguard enterprise resources accessed through the firewall, financial accounts, or — for high-value targets — protect each email login. Most people, to the extent that they spend time thinking about the security of 2FA, conclude — incorrectly — that 2FA offers bullet proof security for authentication.
While 2FA is a big step above and beyond the use of traditional passwords, it is not infallible, and thinking so makes the risk of failure even greater. In a recent publication, some of my research collaborators and I demonstrated that attackers can achieve a greater than 50% success rate using a social engineering attack on Google’s SMS-based 2FA. This attack is based on an attacker coordinating a request, made to the victim, for a code with an access attempt to a resource that requires a code. Password reset is an example: the attacker would request a password reset on behalf of a victim, which results in the victim getting a security code from a service provider. Then, the attacker sends a request to the victim, appearing to come from the service provider, asking for the code. Most people responded with the code, which enables the attacker to reset their password. This is very troublesome.
Tomi Engdahl says:
Chrome to label FTP sites insecure
It’s only 0.0026 per cent of traffic, but it’s all in plaintext so deserves a red flag
https://www.theregister.co.uk/2017/09/15/chrome_to_label_ftp_sites_insecure/
Google’s Chrome browser will soon label file transfer protocol (FTP) services insecure.
Google employee and Chrome security team member Mike West yesterday announced the plan on the Chromium.org security-dev mailing list.
“As part of our ongoing effort to accurately communicate the transport security status of a given page, we’re planning to label resources delivered over the FTP protocol as ‘Not secure’.”
Adding FTP to Chrome’s naughty list was decided upon because “its security properties are actually marginally worse than HTTP (delivered in plaintext without the potential of an HSTS-like upgrade). Given that FTP’s usage is hovering around 0.0026% of top-level navigations over the last month, and the real risk to users presented by non-secure transport, labelling it as such seems appropriate.”
Tomi Engdahl says:
Company risks of using your own hardware for file saving/sharing
https://vboxxcloud.com/blog/external-storage/
Hard Drives, SSD’s, USB-Sticks, NAS, Cloud: are the options available to save data externally. The ideal media storage solution, should be large, fast and secure. Each solution presents its set of advantages and disadvantages. We offer some insights into the pros and cons of external storage to help you find the ideal storage solution for your company data.
Tomi Engdahl says:
Chelsea Manning: we’re spied on all the time, and the state still can’t figure out who we are
https://boingboing.net/2017/09/14/unpersonned-by-bureaucracy.html?utm_content=buffer0116e&utm_medium=social&utm_source=facebook.com&utm_campaign=buffer
Manning writes about this paradox in the New York Times, describing, on the one hand, the enormous machineries of surveillance that we increasingly labor under; and on the other hand, the remorseless bureaucratic processes that insist that anyone whose data is anomalous can’t participate in the system (as Matt Blaze quipped about Equifax’s breach, “having an Equifax record is 100% voluntary. Only those who made the choice to have ever participated in the economy are included.”)
Tomi Engdahl says:
Your phone can now be turned into an ultrasound sonar tracker against you and others
https://www.privateinternetaccess.com/blog/2017/09/your-phone-can-now-be-turned-into-an-ultrasound-sonar-against-you-and-others/
New research shows how a mobile phone can be turned into a passive indoor ultrasound sonar, locating people with high precision indoors using multi-target echolocation, and is even able to discern a rough selection of activities. It does this by overlaying imperceptible ultrasound sonar pings into played-back music, measuring the reflections coming back to the phone’s microphone. The privacy implications are staggering.
Tomi Engdahl says:
Understanding the prevalence of web traffic interception
https://blog.cloudflare.com/understanding-the-prevalence-of-web-traffic-interception/
We found that between 4% and 10% of the web’s encrypted traffic (HTTPS) is intercepted. Analyzing these intercepted connections further reveals that, while not always malicious, interception products most often weaken the encryption used to secure communication and puts users at risk.
products intercept traffic by performing a so-called man-in-the-middle attack. In essence, the software redirects the encrypted connection to itself and pretends to be the requested website. The interceptor then opens a new encrypted connection to the destination website and proxies the data back and forth between the two connections, making the interception mostly “invisible.” Because the interceptor has access to the unencrypted data in the connection, it can read, change, and block any of the content sent or received by the client.
There are two main ways in which connections are intercepted: locally and remotely.
“unforgeability” of TLS certificates is the cornerstone of online security; it is the technical means that allows you to know you are talking to the right site, not an impostor.
How prevalent is HTTPS interception?
Measuring interception is not an easy task, as interceptors don’t advertise themselves (obviously). This is why, to detect whether a connection was intercepted, we used a refined version of the network fingerprint technique known as TLS fingerprinting, which allows us to determine which software is making the connection (interceptor or browser).
Breaking down the Cloudflare and e-commerce site traffic by OS reveals that Windows is intercepted far more often than MacOS
mobile OSes Android and iOS are significantly less often intercepted than desktop OSes
Contrary to popular belief, traffic interception is not necessarily malicious. According to our study and as summarized in the chart above, web traffic is primarily intercepted for two diametrically opposed reasons:
Improving security: Antivirus solutions and some corporate firewalls/IPS perform interception for security reasons.
Performing malicious activities: At the other end of the spectrum, malware intercepts connections to inject ads and steal confidential data.
most interception products use cryptography in an insecure way
Overall, we found that 65% of the intercepted connections going to the Firefox update server have reduced security, and a staggering 37% are easily vulnerable to man-in-the-middle attacks due to blatant cryptographic mistakes (e.g., certificates are not validated).
Overall we found out that HTTPS interceptions are more prevalent than expected (4% – 10%) and pose serious security risks as they downgrade the encryption used to secure web communications. Furthermore, the HTTPS implementations used for interception do not have the same automatic update mechanisms that browsers do, making fixes less likely to be rolled out. Intercepting middleboxes have also contributed to the delayed release of TLS 1.3 in browsers.
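The Cloudflare write-up quoted above says interception was detected by fingerprinting the TLS handshake rather than trusting the User-Agent header. As an added example (my own reduced implementation, not Cloudflare's code or its exact method), the block below builds a JA3-style fingerprint from a ClientHello: it parses the record, strips GREASE filler, joins version, cipher suites, extension types, named groups and point formats into a string, and compares the MD5 label of that string with the fingerprint the claimed browser is known to produce. The two ClientHellos and the expected-fingerprint table are constructed for the demo; a production allowlist would be populated from observed browser traffic.

```python
"""JA3-style TLS ClientHello fingerprinting, used here to spot a connection whose
handshake does not match the browser it claims to be (a sign of interception).

Added example, not Cloudflare's code. The ClientHellos are constructed inline;
the "expected fingerprint per User-Agent" table is a constructed allowlist.
"""
import hashlib
import struct
from typing import List, Tuple

# GREASE values (RFC 8701) are random filler some clients insert; they are excluded
# from the fingerprint so that it stays stable from connection to connection.
GREASE = {0x0A0A + 0x1010 * i for i in range(16)}

SERVER_NAME = 0
SUPPORTED_GROUPS = 10
EC_POINT_FORMATS = 11


def build_client_hello(version: int, ciphers: List[int], extensions: List[Tuple[int, bytes]]) -> bytes:
    """Encode a TLS record carrying a ClientHello (constructed test input, fixed random)."""
    body = struct.pack("!H", version) + b"\x11" * 32 + b"\x00"   # version, random, empty session id
    body += struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
    body += b"\x01\x00"                                             # one compression method: null
    ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record: bytes):
    """Return (version, cipher suites, extension types, named groups, point formats)."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    hs = record[5:]
    pos = 4                                                         # skip type + 3-byte length
    version = struct.unpack("!H", hs[pos:pos + 2])[0]; pos += 2
    pos += 32                                                       # random
    pos += 1 + hs[pos]                                              # session id
    cs_len = struct.unpack("!H", hs[pos:pos + 2])[0]; pos += 2
    ciphers = [struct.unpack("!H", hs[pos + i:pos + i + 2])[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    pos += 1 + hs[pos]                                              # compression methods
    ext_types, groups, formats = [], [], []
    if pos < len(hs):
        ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]; pos += 2
        end = pos + ext_len
        while pos < end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4]); pos += 4
            data = hs[pos:pos + elen]; pos += elen
            ext_types.append(etype)
            if etype == SUPPORTED_GROUPS:
                n = struct.unpack("!H", data[:2])[0]
                groups = [struct.unpack("!H", data[2 + i:4 + i])[0] for i in range(0, n, 2)]
            elif etype == EC_POINT_FORMATS:
                formats = list(data[1:1 + data[0]])
    return version, ciphers, ext_types, groups, formats


def ja3_string(record: bytes) -> str:
    version, ciphers, exts, groups, formats = parse_client_hello(record)
    no_grease = lambda xs: [x for x in xs if x not in GREASE]
    return ",".join([
        str(version),
        "-".join(map(str, no_grease(ciphers))),
        "-".join(map(str, no_grease(exts))),
        "-".join(map(str, no_grease(groups))),
        "-".join(map(str, formats)),
    ])


def ja3_hash(record: bytes) -> str:
    # JA3 uses MD5 purely as a short, stable label for the string, not as a security primitive.
    return hashlib.md5(ja3_string(record).encode()).hexdigest()


# Constructed samples. A modern browser: TLS 1.2, ECDHE/AES-GCM suites, x25519 first, GREASE filler.
_sni = b"example.com"
_sni_ext = struct.pack("!H", 3 + len(_sni)) + b"\x00" + struct.pack("!H", len(_sni)) + _sni
BROWSER_HELLO = build_client_hello(0x0303, [0x0A0A, 0xC02B, 0xC02F, 0x009C], [
    (0x1A1A, b""),
    (SERVER_NAME, _sni_ext),
    (SUPPORTED_GROUPS, struct.pack("!HHH", 4, 29, 23)),
    (EC_POINT_FORMATS, b"\x01\x00"),
])
# A weak interceptor re-originating the connection: TLS 1.0, RSA key exchange, RC4 and 3DES offered.
MIDDLEBOX_HELLO = build_client_hello(0x0301, [0x002F, 0x0005, 0x000A], [
    (SUPPORTED_GROUPS, struct.pack("!HH", 2, 23)),
    (EC_POINT_FORMATS, b"\x01\x00"),
])

# Constructed allowlist: the fingerprint the server expects for a given User-Agent string.
EXPECTED_JA3 = {"ExampleBrowser/56": ja3_hash(BROWSER_HELLO)}


def looks_intercepted(user_agent: str, record: bytes) -> bool:
    """True when the handshake fingerprint does not match the one the claimed browser produces."""
    return EXPECTED_JA3.get(user_agent) != ja3_hash(record)
```

Run on the samples, the browser hello yields `771,49195-49199-156,0-10-11,29-23,0` and the middlebox hello `769,47-5-10,10-11,23,0`, so a request carrying the browser's User-Agent but the second handshake is flagged. Note that `looks_intercepted()` also flags any User-Agent not in the allowlist, which is the safe default for a detector but means the table has to be kept current as browsers change their handshakes.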
Tomi Engdahl says:
The Hunt for IoT: The Rise of Thingbots
https://www.darkreading.com/partner-perspectives/f5/the-hunt-for-iot-the-rise-of-thingbots/a/d-id/1329873
Across all of our research, every indication is that today’s “thingbots” – botnets built exclusively from Internet of Things devices – will become the infrastructure for a future Darknet.
The Internet of Things (IoT) and, specifically, the hunt for exploitable IoT devices by attackers, has been a primary area of research for F5 Labs for over a year now—and with good reason. IoT devices are becoming the cyber weapon delivery system of choice by today’s botnet-building attackers. And, why not? There are literally billions of them in the world, most of which are readily accessible (via Telnet) and easily hacked (due to lack of security controls). Why would attackers rent expensive resources in hosting environments to build their botnets when so many devices are free for the taking?
Tomi Engdahl says:
‘Ransomware of things’ spell trouble for transportation industry
https://www.scmagazineuk.com/ransomware-of-things-spell-trouble-for-transportation-industry/article/688040/?lipi=urn%3Ali%3Apage%3Ad_flagship3_feed%3BU1pQkBveT9CG%2BmZKvx5NvQ%3D%3D
The next step in the evolution of ransomware would be what they called “jackware” or ransomware designed to target connected devices subsequently creating a ransomware of things (RoT).
The study found that cyber-attacks leveraging IoT devices are also becoming commonplace, particularly in transportation, where 29 percent of companies indicated they experienced an IoT attack. The energy, construction, and IT sectors aren’t far behind: 22 percent of respondents from each industry reported attacks.
Tomi Engdahl says:
Troy Hunt:
Face ID has upsides and downsides on both security and usability and isn’t less secure than a PIN or Touch ID in practice
Face ID, Touch ID, No ID, PINs and Pragmatic Security
https://www.troyhunt.com/face-id-touch-id-pins-no-id-and-pragmatic-security/
I was wondering recently after poring through yet another data breach how many people actually use multi-step verification. I mean here we have a construct where even if the attacker has the victim’s credentials, they’re rendered useless once challenged for the authenticator code or SMS which is subsequently sent. I went out looking for figures and found the following on Dropbox:
Less than 1%. That’s alarming. It’s alarming not just because the number is so low, but because Dropbox holds such valuable information for so many people. Not only that, but their multi-step implementation is very low-friction – you generally only ever see it when setting up a new machine for the first time.
But here’s the problem with multi-step verification: it’s a perfect example of where security is friction. No matter how easy you make it, it’s something you have to do in addition to the thing you normally do, namely entering a username and password. That’s precisely the same problem with getting people to put PINs on their phone and as a result, there’s a huge number of devices out there left wide open. How many? It’s hard to tell because there’s no easy way of collecting those stats. I found one survey from 2014 which said 52% of people have absolutely nothing protecting their phone. Another in 2016 said the number is more like 34%.
No ID
Let’s start here because it’s the obvious one. Missing PINs on phones provides zero protection from any adversary that gets their hands on it; the kids, a pickpocket or law enforcement – it’s free rein for all. Free rein over photos and videos, free rein over messages and email and free rein to communicate with anyone else under the identity of the device owner.
A lack of PIN has also proved very useful for remote attackers.
The first point I’ll make here as I begin talking about the 3 main security constructs available is that they’re all differently secure. This is not a case of one is “secure” and another is “insecure” in any sort of absolute way and anyone referring to them in this fashion is missing a very important part of the narrative. With that said, let’s look at the pros and cons involved here.
Obviously, the big pro of a PIN is familiarity
But PINs are enormously popular and even when you do use the biometric options we’re about to get into, you’re still going to need one on your phone anyway.
Edward Snowden typing his password in whilst under a blanket
We’ve all been warned about the risk of shoulder surfing at one time or another
But there’s one thing in particular PINs are resilient to which biometrics are not: the police in the US can force you to unlock your phone using your fingerprint.
Given we’ve now had 4 years of Touch ID (and of course many more years of fingerprint auth in general), we’ve got a pretty good sense of the threat landscape. Even 15 years ago, researchers were circumventing biometric logins.
There have been many other examples of auth bypass since that time
One of the arguments I heard against Touch ID yesterday is that an “attacker” could cause a sleeping or unconscious person to unlock their device by placing the owner’s finger on the home button.
Be that as it may, there are certainly circumstances where biometric login poses a risk that PINs don’t and the unconscious one is a perfect example.
Face ID
I watched the keynote today and was obviously particularly interested in how Face ID was positioned so let me share the key bits here.
Firstly, this is not a case of “if the camera sees something that looks like the owner’s face the device unlocks”.
Infrared camera + flood illuminator + proximity sensor + ambient light sensor + camera + dot projector = Face ID. Each of these plays a different role and you can see how, for example, something like infrared could be used to discern the difference between a human head and a photo.
The IR image and the dot pattern then get “pushed through neural networks to create a mathematical model of your face” which is then compared to the stored one created at setup.
Firstly, Touch ID:
So what they’re saying here is that you’ve got a 1 in 50k chance of someone else’s print unlocking your phone.
Here’s how Face ID compares:
One in a million. There’s literally a saying that’s “one in a million” which symbolises the extremely remote likelihood of something happening! The 20x figure over Touch ID is significant but it doesn’t seem like the right number to be focusing on. The right number would be the one that illustrates not the likelihood of random people gaining access, but rather the likelihood of an adversary tricking
Apple claim that Face ID is resilient to both photos and masks
Summary
What we have to keep in mind here is just how low the security bar is still set for so many people.
More than anything though, we need to remember that Face ID introduces another security model with its own upsides and downsides on both security and usability. It’s not “less secure than a PIN”, it’s differently secure and the trick now is in individuals choosing the auth model that’s right for them.
Tomi Engdahl says:
Thomas Fox-Brewster / Forbes:
Hackers hid backdoor in Avast-owned system cleanup tool CCleaner for Windows from August 15 to September 12; affected software was run by 2.7M users
Hackers Hid Backdoor In CCleaner Security App With 2 Billion Downloads — 2.3 Million Infected
https://www.forbes.com/sites/thomasbrewster/2017/09/18/ccleaner-cybersecurity-app-infected-with-backdoor/#5a8d8656316a
Users of Avast-owned security application CCleaner for Windows have been advised to update their software immediately, after researchers discovered criminal hackers had installed a backdoor in the tool. The tainted application allows for download of further malware, be it ransomware or keyloggers, with fears millions are affected. According to Avast’s own figures, 2.27 million ran the affected software, though the company said users should not panic.
The affected app, CCleaner, is a maintenance and file clean-up software run by a subsidiary of anti-virus giant Avast. It has 2 billion downloads and claims to be getting 5 million extra a week, making the threat particularly severe, researchers at Cisco Talos warned. Comparing it to the NotPetya ransomware outbreak, which spread after a Ukrainian accounting app was infected, the researchers discovered the threat on September 13 after CCleaner 5.33 caused Talos systems to flag malicious activity.
Further investigation found the CCleaner download server was hosting the backdoored app as far back as September 11.
Downplaying the threat?
CCleaner’s owner, Avast-owned Piriform, has sought to ease concerns. Paul Yung, vice president of product at Piriform, wrote in a post Monday: “Based on further analysis, we found that the 5.33.6162 version of CCleaner and the 1.07.3191 version of CCleaner Cloud was illegally modified before it was released to the public, and we started an investigation process.
“The threat has now been resolved in the sense that the rogue server is down, other potential servers are out of the control of the attacker.
“Users of CCleaner Cloud version 1.07.3191 have received an automatic update. In other words, to the best of our knowledge, we were able to disarm the threat before it was able to do any harm.”
https://www.piriform.com/news/blog/2017/9/18/security-notification-for-ccleaner-v5336162-and-ccleaner-cloud-v1073191-for-32-bit-windows-users
Tomi Engdahl says:
Magento Patches Critical Vulnerability in eCommerce Platforms
http://www.securityweek.com/magento-patches-critical-vulnerability-ecommerce-platforms
Magento this week released updates for Magento Commerce and Open Source 2.1.9 and 2.0.16 to address numerous vulnerabilities, including a remote code execution bug rated Critical severity.
Featuring a CVSSv3 score of 8.2, the remote code execution flaw impacts content management system (CMS) and layouts. The vulnerability allows an administrator with limited privileges to introduce malicious code when creating a new CMS page, which would potentially result in arbitrary remote code execution.
Tomi Engdahl says:
Mocana Integrates Embedded Security Software With Industrial Cloud Platforms
http://www.securityweek.com/mocana-integrates-embedded-security-software-industrial-cloud-platforms
Mocana Integrates Embedded Security Software with AWS IoT, Microsoft Azure IoT, and VMware Liota to Protect Devices
Two constants in current cybersecurity are the growing threat from insecure IoT botnets (Mirai, WireX, etcetera), and the continuing security provided by strong encryption. It is part of the mission of one venture capital funded firm to solve the former by use of the latter.
Mocana was formed in 2002 as an embedded security software company for military applications. With the help of venture capital ($11 million in May 2017 brought the total to $93.6 million), it has expanded into ICS and both the industrial internet of things (IIoT) and consumer IoT.
“We’re a crypto company,” Mocana’s CTO Dean Weber told SecurityWeek. “While traditional security has been to provide barriers and layers of network controls — even for IoT devices — we offer a different approach. We use cryptography to build a trust platform for IoT, mobile and industrial devices.”
The trust platform is provided as source code to device developers, who compile it into different target devices.
“OpenSSL provides a cryptographic library that gets calls from applications to provide services as necessary. We replace that,” explains Weber, “but we do a lot more than OSSL because we start from a root of trust on the platform, and we build an X509 trust chain. The device ends up with a trust value. That trust value represents the cryptographic trustworthiness of the platform. We’re building the foundation on a device, which could be an edge device, a sensor, an activator, a switch, a gravitometer, or a flow meter, or accelerometer or whatever.”
In effect, a cryptographically trusted edge or IIoT device can communicate securely with its device controller. “Traditionally, that device is going to talk to a gateway service, which may be a PLC or RTU, which would then be connected to a back-end service,” says Weber, who is set to speak at SecurityWeek’s upcoming ICS Cyber Security Conference. “In the industrial space that would be the ICS SCADA; in the IoT space that might be a cloud service where you bring everything together for analytics or management, or both. At each one of those layers we can provide a trust platform that guarantees through the strength of the cryptography chosen (and we support many different types of crypto) that this communication/device is secure because the crypto is intact.”
In the world of consumer IoT devices, any successful infection of the device with a bot will break the chain of trust and outbound traffic can be blocked. In ICS, the integrity of both the IIoT device and its communication with the SCADA device can be guaranteed. In the commercial world, Mocana this week announced that it has verified the integration of its IoT Security Platform with the IoT cloud platforms of Amazon Web Services, Microsoft Azure IoT, and VMware.
Tomi Engdahl says:
Millions Download “ExpensiveWall” Malware via Google Play
http://www.securityweek.com/millions-download-expensivewall-malware-google-play
A newly discovered Android malware that managed to infect at least 50 applications in Google Play has been downloaded between 1 million and 4.2 million times, Check Point researchers warn.
Dubbed ExpensiveWall, the threat was designed to send fraudulent premium SMS messages and to charge users’ accounts for fake services without their knowledge.
The total number of affected users, Check Point says, could be between 5.9 million and 21.1 million, as ExpensiveWall is a variant of malware found in Google Play earlier this year. Unlike previous iterations, however, the new sample uses advanced obfuscation techniques to evade Google Play’s built-in anti-malware protections.
Tomi Engdahl says:
Artificial intelligence identifies abnormal network traffic
Established in the Czech Republic in 2007, Flowmon is now introducing its artificial-intelligence network monitoring solution to the Finnish market. It complements corporate firewalls and anti-virus protection.
The first computer virus was created some 50 years ago. Writing malware has grown into a large business that threatens companies around the world. Preparing for tomorrow’s cyber threats requires new kinds of solutions.
- Worms like WannaCry and Petya are becoming more and more common, and traditional protection based on firewalls and antivirus is no longer sufficient. Flowmon’s network behaviour analysis detects and responds to these threats and to other abnormal network traffic. The artificial intelligence learns what the network normally looks like and reacts to deviations in its traffic, says Tomas Sarocky, Country Manager at Flowmon Networks.
Flowmon detects, for example, whether someone is running a malicious application on the network, whether the network is part of a DDoS botnet, or whether a machine has been infected with a virus that, for instance, steals information or disrupts production. The technology rests on the observation that undesirable behaviour is always unusual. Behind it are years of research, advanced artificial intelligence algorithms and machine learning.
The traditional model based on firewalls and antivirus protection is not enough when companies face modern, far more demanding threats, which call for tools other than antivirus-based ones. Flowmon’s network monitoring uses artificial intelligence alongside existing solutions, providing the necessary additional protection.
- Flowmon not only detects attacks, but also makes responding to them more effective by providing more detailed information about the threat. This speeds up network recovery and enables better prevention.
Source: http://www.etn.fi/index.php/13-news/6848-tekoaely-tunnistaa-poikkeavan-verkkoliikenteen
Tomi Engdahl says:
Andy Greenberg / Wired:
Study: Apple may be overselling its differential privacy protections, which add noise to a user’s info before it’s sent to iCloud; Apple disputes the findings — FOR THE LAST year, Apple has touted a mathematical tool that it describes as a solution to a paradoxical problem: mining user data …
How One of Apple’s Key Privacy Safeguards Falls Short
https://www.wired.com/story/apple-differential-privacy-shortcomings
For the past year, Apple has touted a mathematical tool that it describes as a solution to a paradoxical problem: mining user data while simultaneously protecting user privacy. That secret weapon is “differential privacy,”
But differential privacy isn’t a simple toggle switch between total privacy and no-holds-barred invasiveness. And a new study, which delves deeply into how Apple actually implements the technique, suggests the company has ratcheted that dial further toward aggressive data-mining than its public promises imply.
Tomi Engdahl says:
Someone checked and, yup, you can still hijack Gmail, Bitcoin wallets etc via dirty SS7 tricks
Two-factor authentication by SMS? More like SOS
https://www.theregister.co.uk/2017/09/18/ss7_vuln_bitcoin_wallet_hack_risk/
Once again, it’s been demonstrated that vulnerabilities in cellphone networks can be exploited to intercept one-time two-factor authentication tokens in text messages.
Specifically, the security shortcomings lie in the Signaling System 7 (SS7) protocol, which is used by networks worldwide to talk to each other to route calls, and so on.
There are few or no safeguards in place on SS7 once you have access to a cell network operator’s infrastructure. If you can reach the SS7 equipment – either as a corrupt insider or a hacker breaking in from the outside – you can reroute messages and calls as you please. Someone working for, or who has compromised, a telco in Morocco, for instance, can quietly hijack and receive texts destined for subscribers in America.
Infosec outfit Positive Technologies, based in Massachusetts, USA, obtained access to a telco’s SS7 platform, with permission for research purposes, to this month demonstrate how to commandeer a victim’s Bitcoin wallet. First, they obtained their would-be mark’s Gmail address and cellphone number. They then requested a password reset for the webmail account, which involved sending a token to the cellphone number. Positive’s team abused SS7 within the telco to intercept the authentication token and gain access to the Gmail inbox. From there, they were able to reset the password to the user’s Coinbase wallet, log into that, and empty it of crypto-cash.
Bitcoin wallet hacked via SMS interception
https://vimeo.com/232678861/b1295b6384
Tomi Engdahl says:
AnandTech Goes HTTPS: All Encryption, All the Time
by John Campion & Ryan Smith on September 18, 2017 2:25 PM EST
https://www.anandtech.com/show/11848/anandtech-goes-https-all-encryption
If you’re reading this, then congratulations! You have successfully accessed AnandTech over HTTPS.
I’m pleased to announce that as of this afternoon, all AnandTech pages and websites are now being served over HTTPS, allowing us to offer end-to-end transport encryption throughout the site. This is part of a larger project for us which started with moving the AnandTech Forums over to the XenForo software package and HTTPS last year; now it’s the AnandTech main site’s turn to receive a security treatment of its own.
This update is being rolled out both to improve the security of the site, and as part of a broader trend in site hosting & delivery. From a site operations point of view, we’ve needed to improve the security of the user login system for some time so that usernames and passwords are better protected, as those two items are obviously important. Meanwhile, although AnandTech itself is not sensitive content, the broader trend in website hosting is for all sites regardless of content to move to HTTPS, as end-to-end encryption still enhances user privacy, and that’s always a good thing.
Tomi Engdahl says:
Sexploitation gang thrown in clink for 171 years after ‘hunting’ kids online and luring them in front of webcams
Youngsters tricked into performing sex acts for pervs
https://www.theregister.co.uk/2017/09/19/sexploitation_gang_sentenced_to_171yrs/
Four men have joined their two accomplices behind bars for tricking young girls into performing sex acts online so they could film them.
Between November 16, 2013 and March 10, 2016 the gang ran a sophisticated web ring to haunt internet forums that children use regularly. They would then lure each victim, one by one, into a private group chat session and take on various roles to achieve their ends.
According to federal court documents filed earlier this year, each gang member took on the part of either hunters, talkers, loopers or watchers.
Tomi Engdahl says:
Grab your popcorn: The first annual Privacy Shield review is go
Trump administration’s views on privacy to come under scrutiny
https://www.theregister.co.uk/2017/09/18/first_annual_privacy_shield_review/
Transatlantic data-transfer agreement Privacy Shield is facing its first major political hurdle as the inaugural joint review kicks off this week.
Agreed last summer, the deal between the European Union and the US aims to safeguard EU citizens’ data when it is transferred across the pond.
For one thing, it was facing legal challenges almost immediately – one from advocacy group Digital Rights Ireland, another as follow-up to Schrems’ original case – while the change in the US administration poured more uncertainty into the mix.
Questions were also raised over whether president Donald Trump’s executive orders on immigration, which limited citizens’ privacy rights, undermined Privacy Shield.
Tomi Engdahl says:
Trouble in Paradise as Cyber Attackers Circumvent 2FA
http://www.securityweek.com/trouble-paradise-cyber-attackers-circumvent-2fa
Tomi Engdahl says:
Windows 10 Users to Get Improved Privacy Controls
http://www.securityweek.com/windows-10-users-get-improved-privacy-controls
The upcoming Windows 10 Fall Creators Update will bring enhanced privacy controls to both consumers and commercial customers, Microsoft says.
After being heavily criticized for the large amount of user data collected from Windows 10 machines, Microsoft has decided to implement a series of data protections to silence concerns, and has been successful in its attempt.
Released earlier this year, the Windows 10 Creators Update provided users with increased control over privacy settings and updates, and also allowed them to choose how much usage data they would like to share with Microsoft. In July, the company announced that it would force users into reviewing their privacy settings and installing the latest feature update, namely Windows 10 Creators Update.
Tomi Engdahl says:
Equifax Cybersecurity Failings Revealed Following Breach
http://www.securityweek.com/equifax-cybersecurity-failings-revealed-following-breach
Shortcomings revealed by researchers and cybersecurity firms following the massive data breach suffered by Equifax show that a successful hacker attack on the credit reporting agency’s systems was inevitable.
Some members of the industry pointed out last week that the company’s Chief Security Officer (CSO) Susan Mauldin was a music major with no educational background in cybersecurity or technology. Mauldin and Chief Information Officer David Webb retired from the company on Friday.
Others dug up old vulnerability reports that the firm had still not addressed and noted the lack of even basic protections on the company’s website. Even the website set up by Equifax to provide information about the breach was riddled with security holes and some services flagged it as a phishing site.
The Apache Struts 2 vulnerability leveraged by cybercriminals to breach Equifax systems had been known and exploited for roughly two months before the attack on the company. Equifax said its security team knew about the flaw and is now trying to determine why an online dispute portal, which served as the initial point of entry, remained unpatched.
Experts pointed out that the Apache Struts flaw is not easy to fix, especially if you have many systems that need patching. However, they believe the problem can be addressed with modern security solutions.
Comodo discovered that more than 388 records of Equifax users and employees are up for sale on the dark web. The information, which includes usernames, passwords and login URLs, was apparently stolen using Pony malware. The security firm pointed out that some Equifax credentials were also exposed in third-party incidents, including the massive LinkedIn and Dropbox breaches.
“From third-party (non-company system) sources, we uncovered that Equifax’s chief privacy officer, CIO, VP of PR and VP of Sales, used all lowercase letters, no special symbols, and easily guessable words like spouses’ names, city names, and even combinations of initials and birth year. This reveals that they didn’t follow basic security best practices and were lacking a complex password requirement,” Comodo said in a blog post.
Equifax stock was worth roughly $140, but it has now dropped to $92, and financial experts believe it could plunge as low as $50. The incident has already cost the company nearly $10 billion in market value.
Equifax Shares More Details About Breach
http://www.securityweek.com/equifax-shares-more-details-about-breach
Equifax has shared more details about the recent breach that affects roughly 143 million U.S. consumers.
Equifax also revealed that the breach affected less than 400,000 U.K. consumers. Their data had been stored in the United States due to a “process failure” between 2011 and 2016. It’s still unclear how many Canadians are impacted by the breach.
That was when Equifax’s security team discovered that the attackers had exploited an Apache Struts flaw to access its systems on May 13. The vulnerability in question, CVE-2017-5638, has been exploited in the wild since the first half of March.
Equifax said its team had known about the Struts vulnerability since it was disclosed and it took steps to patch systems. The organization is still reviewing the facts in an effort to determine why the dispute portal remained unpatched. FireEye-owned Mandiant has been called in to assist in conducting a comprehensive forensic investigation.
“The word patch is a bit inappropriate for this problem, since what Equifax would have had to do is replace the vulnerable Struts library with the latest one,”
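The two things the Equifax story turns on are recognising an attack on CVE-2017-5638 in traffic and knowing whether a deployed struts2-core is in the affected range. The following is an added example, not code from the article or from Equifax: the first function flags requests whose multipart-related headers carry an OGNL expression (the public exploit placed it in Content-Type; the follow-up advisory S2-046 added Content-Disposition and Content-Length), the second applies the affected ranges from the Struts advisory (2.3.5 to 2.3.31 and 2.5 to 2.5.10, fixed in 2.3.32 and 2.5.10.1). The sample requests and the host name are constructed.

```python
"""Two checks relevant to CVE-2017-5638 (Apache Struts 2, S2-045/S2-046):
1. flag HTTP requests that carry an OGNL expression in the headers the
   vulnerable Jakarta multipart parser echoed into an error message and evaluated;
2. decide whether a struts2-core version falls in the affected ranges.
Added example, not code from the article or from Equifax; sample requests are constructed."""
import re

# The public exploit embedded an OGNL expression such as
# %{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)...}
# in the Content-Type header. These fragments are its stable markers.
OGNL_MARKERS = re.compile(
    r"%\{|\$\{|#_memberAccess|@ognl\.OgnlContext|getRuntime\(\)\.exec",
    re.IGNORECASE,
)
# S2-045 named Content-Type; S2-046 added Content-Disposition and Content-Length.
WATCHED_HEADERS = ("content-type", "content-disposition", "content-length")


def is_struts_ognl_attempt(headers):
    """Return True if any watched header carries an OGNL marker.

    `headers` maps header name -> value; names are matched case-insensitively.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    return any(
        OGNL_MARKERS.search(lowered[name]) is not None
        for name in WATCHED_HEADERS
        if name in lowered
    )


def _parse_version(version):
    return tuple(int(part) for part in version.split("."))


def struts_version_vulnerable(version):
    """True for struts2-core 2.3.5 - 2.3.31 and 2.5 - 2.5.10 (fixed in 2.3.32 and 2.5.10.1)."""
    v = _parse_version(version)
    return (2, 3, 5) <= v <= (2, 3, 31) or (2, 5) <= v <= (2, 5, 10)


# Constructed sample traffic: one ordinary multipart upload, one exploit attempt.
BENIGN_UPLOAD = {
    "Host": "dispute.example.test",
    "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxk",
    "Content-Length": "1432",
}
EXPLOIT_ATTEMPT = {
    "Host": "dispute.example.test",
    "Content-Type": "%{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)."
                    "(#cmd='whoami').(#p=new java.lang.ProcessBuilder(#cmd)).(#p.start())}",
}


def scan(requests):
    """Return the indexes of requests that look like CVE-2017-5638 exploitation."""
    return [i for i, h in enumerate(requests) if is_struts_ognl_attempt(h)]


if __name__ == "__main__":
    print("suspicious requests:", scan([BENIGN_UPLOAD, EXPLOIT_ATTEMPT]))
    for ver in ("2.3.31", "2.3.32", "2.5.10", "2.5.10.1", "2.3.4"):
        print(ver, "vulnerable" if struts_version_vulnerable(ver) else "fixed/unaffected")
```

The header check is a coarse signature: it catches the published exploit and its obvious variants, not every OGNL payload, so treat a hit as a trigger for investigation rather than proof of compromise. The version check is the one a dependency inventory should run, since, as the quoted expert notes, the remediation was replacing the library rather than applying a patch.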
Tomi Engdahl says:
A Google security chief considers the NSA a state-sponsored threat
https://techcrunch.com/2017/09/18/a-google-security-chief-considers-the-nsa-a-state-sponsored-threat/?utm_source=tcfbpage&sr_share=facebook
Today at TechCrunch Disrupt SF 2017 Google’s Manager of Information Security Heather Adkins sat down for a fireside chat. Among the varying topics discussed, she spoke about what’s like to have the NSA tap the company’s lines and how she views state sponsored threats.
Tomi Engdahl says:
AI Just Made Guessing Your Password a Whole Lot Easier
https://yro.slashdot.org/story/17/09/18/2054205/ai-just-made-guessing-your-password-a-whole-lot-easier
The Equifax breach is reason for concern, of course, but if a hacker wants to access your online data by simply guessing your password, you’re probably toast in less than an hour. Now, there’s more bad news: Scientists have harnessed the power of artificial intelligence (AI) to create a program that, combined with existing tools, figured more than a quarter of the passwords from a set of more than 43 million LinkedIn profiles.
Artificial intelligence just made guessing your password a whole lot easier
http://www.sciencemag.org/news/2017/09/artificial-intelligence-just-made-guessing-your-password-whole-lot-easier
Last week, the credit reporting agency Equifax announced that malicious hackers had leaked the personal information of 143 million people in their system. That’s reason for concern, of course, but if a hacker wants to access your online data by simply guessing your password, you’re probably toast in less than an hour. Now, there’s more bad news: Scientists have harnessed the power of artificial intelligence (AI) to create a program that, combined with existing tools, figured more than a quarter of the passwords from a set of more than 43 million LinkedIn profiles. Yet the researchers say the technology may also be used to beat baddies at their own game.
The work could help average users and companies measure the strength of passwords, says Thomas Ristenpart, a computer scientist who studies computer security at Cornell Tech in New York City but was not involved with the study. “The new technique could also potentially be used to generate decoy passwords to help detect breaches.”
The strongest password guessing programs, John the Ripper and hashCat, use several techniques. One is simple brute force, in which they randomly try lots of combinations of characters until they get the right one. But other approaches involve extrapolating from previously leaked passwords and probability methods to guess each character in a password based on what came before. On some sites, these programs have guessed more than 90% of passwords. But they’ve required many years of manual coding to build up their plans of attack.
Tomi Engdahl says:
Cybersecurity and technology transfer seen as top priorities for NIST director nominee
https://www.theregister.co.uk/2017/09/19/programming_in_the_middle_ages/
President Donald Trump has nominated Walter Copan, an expert in technology transfer, to be the director of the National Institute of Standards and Technology (NIST), which supports physical sciences research and operates labs in Gaithersburg, Maryland, and Boulder, Colorado.
The 63-year-old Copan is a Ph.D. chemist and president and CEO of the Colorado-based Intellectual Property Engineering Group. He says his top priority for the agency is to implement the Cybersecurity Framework, a NIST-led effort to improve network security across federal agencies as well as industry.
“I think we all see cybersecurity as national security and economic security,” Copan says. He also wants to make sure security improvements benefit not just federal agencies and large corporations, but also smaller companies that can’t afford teams of information technology professionals. “Small- and medium-sized businesses are drivers of the economy. Statistics show that when [these businesses] are the victim of a cyberattack they go out of business in less than a year,” Copan says.
Tomi Engdahl says:
DigitalOcean Warns of Vulnerability Affecting Cloud Users
http://www.securityweek.com/digitalocean-warns-vulnerability-affecting-cloud-users
DigitalOcean is warning customers that some 1-Click applications running MySQL have an account with the same default password across all instances, and the company says the issue affects other cloud providers as well.
DigitalOcean customers reported on social media that they received an email recommending that they run a script to determine if their Droplets – the name used by the company for its cloud servers – are affected by the vulnerability.
The company allows its users to deploy pre-built and pre-configured applications with only one click. The list of 1-Click (One-Click) applications includes Node.js, Rails, Redis, MongoDB, Docker, GitLab, Magento and many others.
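The defect described above is a password baked into an image, so every instance built from it shares the same secret. One way to find that class of problem across a fleet without knowing the password is to compare account hashes: mysql_native_password stores `*` followed by SHA1(SHA1(password)) with no salt, so identical passwords produce byte-identical `authentication_string` values on every host. The script below is an added example, not DigitalOcean's own check script; the droplet names, account names and dumps are constructed, and the sample hashes are generated with the same scheme so the data is realistic.

```python
"""Fleet audit for a shared baked-in MySQL password, the class of problem
DigitalOcean described for some 1-Click images.

mysql_native_password stores '*' + SHA1(SHA1(password)) with no salt, so two
hosts where the same account has the same password show byte-identical
authentication_string values. Comparing dumps of mysql.user across hosts
reveals such shared passwords without knowing the password itself.
Added example, not DigitalOcean's script; host names and accounts are constructed."""
import hashlib
from collections import defaultdict


def mysql_native_hash(password):
    """Reproduce the mysql_native_password hash format (used here to build sample data)."""
    inner = hashlib.sha1(password.encode()).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def find_shared_credentials(dumps, min_hosts=2):
    """dumps: {host: [(user, host_pattern, authentication_string), ...]}

    Returns a sorted list of (user, authentication_string, [hosts]) for every
    account hash that appears on at least `min_hosts` distinct hosts, plus
    entries for accounts with an empty password (authentication_string == '').
    """
    seen = defaultdict(set)
    for host, rows in dumps.items():
        for user, _pattern, auth in rows:
            seen[(user, auth)].add(host)
    findings = []
    for (user, auth), hosts in seen.items():
        if auth == "" or len(hosts) >= min_hosts:
            findings.append((user, auth, sorted(hosts)))
    return sorted(findings)


# Constructed dumps (SELECT User, Host, authentication_string FROM mysql.user)
# from three hypothetical droplets built from the same image. The image left a
# maintenance account with one fixed password on all three; 'app' was set per
# host by the owner, and droplet-3 also carries a passwordless 'test' account.
IMAGE_PASSWORD = "same-on-every-instance"  # stands in for the baked-in default
DUMPS = {
    "droplet-1": [("root", "localhost", mysql_native_hash("r00t-1")),
                  ("maint", "localhost", mysql_native_hash(IMAGE_PASSWORD)),
                  ("app", "%", mysql_native_hash("app-pass-1"))],
    "droplet-2": [("root", "localhost", mysql_native_hash("r00t-2")),
                  ("maint", "localhost", mysql_native_hash(IMAGE_PASSWORD)),
                  ("app", "%", mysql_native_hash("app-pass-2"))],
    "droplet-3": [("root", "localhost", mysql_native_hash("r00t-3")),
                  ("maint", "localhost", mysql_native_hash(IMAGE_PASSWORD)),
                  ("test", "%", "")],
}

if __name__ == "__main__":
    for user, auth, hosts in find_shared_credentials(DUMPS):
        print(f"{user}: hash {auth or '<empty>'} shared by {', '.join(hosts)}")
```

The comparison only works because mysql_native_password is unsalted; accounts using the salted caching_sha2_password plugin (MySQL 8) will not collide even with identical passwords, so for those the image itself has to be inspected. Whatever the plugin, the remedy is the one the email asked for: reset the account on every instance, or drop it if nothing uses it.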
Tomi Engdahl says:
Google, Spotify Release Open Source Cloud Security Tools
http://www.securityweek.com/google-spotify-release-open-source-cloud-security-tools
Google and music service Spotify announced last week the launch of Forseti Security, a community-driven collection of open source tools designed to improve security in Google Cloud Platform (GCP) environments.
The Forseti toolkit currently includes an inventory tool that provides visibility into GCP resources, a scanner that validates access control policies, an enforcement tool that removes unwanted access to resources, and an add-on that helps users understand, test and develop Identity and Access Management (IAM) policies.
“Forseti gives us visibility into the GCP infrastructure that we didn’t have before, and we use it to help make sure we have the right controls in place and stay ahead of the game,” Spotify said.
http://forsetisecurity.org/
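The scanner component described above compares IAM bindings against rules and reports violations. Below is an added example of the same idea written from scratch, not Forseti's own code: it takes an IAM policy in the JSON shape `gcloud projects get-iam-policy --format=json` prints (a `bindings` list of `role` plus `members`) and applies three rules: no public principals, no primitive roles for users outside the organisation's domain, and no primitive roles for service accounts. The policy is constructed and `TRUSTED_DOMAINS` is an assumption about the organisation being audited.

```python
"""Scan a GCP IAM policy for rule violations, in the spirit of Forseti's scanner.
Added example, not Forseti's own code; the policy below is constructed and
TRUSTED_DOMAINS is an assumption about the organisation being audited."""
import json

PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
PRIMITIVE_ROLES = {"roles/owner", "roles/editor"}
TRUSTED_DOMAINS = {"example.com"}   # assumed corporate identity domain


def _member_domain(member):
    # members look like "user:alice@example.com" or
    # "serviceAccount:svc@proj.iam.gserviceaccount.com"
    _kind, _, ident = member.partition(":")
    return ident.rsplit("@", 1)[-1] if "@" in ident else ""


def scan_iam_policy(policy):
    """Return a sorted list of (rule, role, member) violations for one IAM policy dict."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                findings.append(("public-access", role, member))
            if role in PRIMITIVE_ROLES:
                if member.startswith("user:") and _member_domain(member) not in TRUSTED_DOMAINS:
                    findings.append(("primitive-role-external-user", role, member))
                elif member.startswith("serviceAccount:"):
                    findings.append(("primitive-role-service-account", role, member))
    return sorted(findings)


# Constructed policy in the format `gcloud projects get-iam-policy --format=json` prints.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/owner",
     "members": ["user:alice@example.com", "user:contractor@gmail.com"]},
    {"role": "roles/editor",
     "members": ["serviceAccount:build@proj.iam.gserviceaccount.com"]},
    {"role": "roles/storage.objectViewer",
     "members": ["allUsers", "group:devs@example.com"]},
    {"role": "roles/viewer",
     "members": ["user:bob@example.com"]}
  ],
  "etag": "BwVxyz",
  "version": 1
}
""")

if __name__ == "__main__":
    for rule, role, member in scan_iam_policy(SAMPLE_POLICY):
        print(f"{rule}: {member} has {role}")
```

Run against a real export, the interesting output is usually the `allUsers` binding nobody remembers adding; the group binding passes here because group membership has to be checked separately, which is the kind of gap an inventory tool closes.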
Tomi Engdahl says:
OptionsBleed – Apache bleeds in uncommon configuration
https://hackaday.com/2017/09/19/optionsbleed-apache-bleeds-in-uncommon-configuration/
[Hanno Böck] recently uncovered a vulnerability in the Apache webserver, affecting Apache HTTP Server 2.2.x through 2.2.34 and 2.4.x through 2.4.27. This bug only affects Apache servers with a certain configuration in the .htaccess file. Dubbed Optionsbleed, this vulnerability is a use-after-free error in Apache HTTP that causes the webserver to reply with a corrupted Allow header in response to HTTP OPTIONS requests. This can leak pieces of arbitrary memory from the server process that may contain sensitive information. The memory pieces change after multiple requests, so for a vulnerable host an arbitrary number of memory chunks can be leaked.
Unlike the famous Heartbleed bug in the past, Optionsbleed leaks only small chunks of memory and more importantly only affects a small number of hosts by default. Nevertheless, shared hosting environments that allow for .htaccess file changes can be quite sensitive to it, as a rogue .htaccess file from one user can potentially bleed info for the whole server.
Optionsbleed – HTTP OPTIONS method can leak Apache’s server memory
https://blog.fuzzing-project.org/60-Optionsbleed-HTTP-OPTIONS-method-can-leak-Apaches-server-memory.html
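The observable symptom of Optionsbleed is an Allow header that, instead of a clean method list, carries empty entries, repeated methods or fragments of unrelated memory, and that changes from one OPTIONS request to the next. Böck's public test sent OPTIONS repeatedly and compared the Allow values; the code below is an added example in that spirit, not his script. It separates the offline classification of Allow values (testable against the constructed samples in `SAMPLE_ALLOW_HEADERS`, which imitate the kind of garbage a bleeding server returns) from a live probe that should only be pointed at hosts you are authorised to test.

```python
"""Classify Allow headers returned to HTTP OPTIONS requests for the symptom
Optionsbleed produces. Added example, not Hanno Böck's test script; the
responses in SAMPLE_ALLOW_HEADERS are constructed and probe_allow_headers()
performs a live check against a host you are authorised to test."""
import http.client
import re

KNOWN_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "CONNECT",
                 "PATCH", "PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}
# RFC 7230 token characters: anything else inside an Allow entry cannot be a method name.
TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def allow_header_anomalies(allow_value):
    """Return a sorted list of anomaly labels for one Allow header value ([] if clean)."""
    entries = [e.strip() for e in allow_value.split(",")]
    anomalies = set()
    if any(e == "" for e in entries):
        anomalies.add("empty-entry")          # ",," where a method should be
    if len(set(entries)) != len(entries):
        anomalies.add("duplicate-method")     # e.g. HEAD repeated many times
    for e in entries:
        if e and not TOKEN.match(e):
            anomalies.add("non-token-bytes")  # raw memory that is not even a token
        elif e and e not in KNOWN_METHODS:
            anomalies.add("unknown-method")   # token-shaped string that is not a method
    return sorted(anomalies)


def looks_like_optionsbleed(allow_values):
    """Given Allow headers from several OPTIONS requests to the same URL, report whether
    any response is anomalous or the values differ between requests (leaked memory
    contents change, so a bleeding server rarely answers the same way twice)."""
    anomalous = any(allow_header_anomalies(v) for v in allow_values)
    unstable = len(set(allow_values)) > 1
    return anomalous or unstable


def probe_allow_headers(host, path="/", count=10, port=80):
    """Live check: send `count` OPTIONS requests and collect the Allow header of each."""
    values = []
    for _ in range(count):
        conn = http.client.HTTPConnection(host, port, timeout=10)
        conn.request("OPTIONS", path)
        resp = conn.getresponse()
        values.append(resp.getheader("Allow", "") or "")
        conn.close()
    return values


# Constructed responses: a healthy server, then the kind of output a bleeding one returns.
SAMPLE_ALLOW_HEADERS = {
    "healthy": ["GET,HEAD,POST,OPTIONS"] * 3,
    "bleeding": ["GET,HEAD,OPTIONS,,HEAD,,HEAD,HEAD",
                 "GET,HEAD,OPTIONS,=write-completion,ndler_rec",
                 "GET,HEAD,OPTIONS,\x8b\x01"],
}

if __name__ == "__main__":
    for label, values in SAMPLE_ALLOW_HEADERS.items():
        print(label, "->", "suspicious" if looks_like_optionsbleed(values) else "clean")
```

A single OPTIONS request is not enough: the bug is triggered by a `<Limit>` section in .htaccess naming a method no module has registered, and a given request may happen to return a clean header, which is why the live probe asks several times and the classifier also treats variation between answers as a signal. A server that legitimately advertises a non-standard method will show as `unknown-method`; extend `KNOWN_METHODS` for such hosts rather than ignoring the result.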
Tomi Engdahl says:
AI slurps, learns millions of passwords to work out which ones you may use next
Get creative – bringbackfirefly! will no longer cut it, nerds
https://www.theregister.co.uk/2017/09/20/researchers_train_ai_bots_to_crack_passwords/
Eggheads have produced a machine-learning system that has studied millions of passwords used by folks online to work out other passphrases people are likely to use.
These AI-guessed passwords could be used with today’s tools to crack more hashed passwords, and log into more strangers’ accounts on systems, than ever before.
When it comes to cracking a password, you typically start with a hashed version of the passphrase, stolen from a database or similar.
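Both this item and the Science/Slashdot item above describe the probabilistic side of password cracking: learn from a leaked list how likely each character is given what came before, then enumerate the most probable strings first. The following is an added example of that classic technique (a character-level Markov model, as in John the Ripper's Markov mode), written here for illustration and not code from the PassGAN study or from either article. The training list is a small constructed stand-in for a real leak, so the generated guesses show the mechanism rather than realistic coverage.

```python
"""A character-level Markov model of the kind password crackers use: learn from
leaked passwords how likely each character is given the one before it, then
enumerate the most probable strings first. Added example, not code from the
study or the articles; the training list is a small constructed stand-in."""
import math
from collections import Counter, defaultdict

START, END = "\x02", "\x03"  # sentinel symbols for start and end of a password


class BigramPasswordModel:
    def __init__(self, alpha=0.01):
        self.alpha = alpha                  # additive smoothing so unseen pairs are not impossible
        self.counts = defaultdict(Counter)  # counts[prev][next] transition counts
        self.symbols = set()

    def train(self, passwords):
        for pw in passwords:
            seq = [START] + list(pw) + [END]
            for prev, nxt in zip(seq, seq[1:]):
                self.counts[prev][nxt] += 1
                self.symbols.add(nxt)

    def prob(self, prev, nxt):
        row = self.counts[prev]
        return (row[nxt] + self.alpha) / (sum(row.values()) + self.alpha * len(self.symbols))

    def log_score(self, pw):
        """Log-probability the model assigns to a whole password (higher = guessed sooner)."""
        seq = [START] + list(pw) + [END]
        return sum(math.log(self.prob(p, n)) for p, n in zip(seq, seq[1:]))

    def guesses(self, n, max_len=12, beam=300):
        """Beam search for the n most probable complete strings under the model."""
        beams = [(0.0, START, "")]  # (log-prob so far, last symbol, text)
        finished = []
        ordered_symbols = sorted(self.symbols)  # fixed order keeps results deterministic
        for _ in range(max_len + 1):
            expansions = []
            for lp, last, text in beams:
                for nxt in ordered_symbols:
                    new_lp = lp + math.log(self.prob(last, nxt))
                    if nxt == END:
                        if text:
                            finished.append((new_lp, text))
                    elif len(text) < max_len:
                        expansions.append((new_lp, nxt, text + nxt))
            expansions.sort(key=lambda t: (-t[0], t[2]))
            beams = expansions[:beam]
            if not beams:
                break
        finished.sort(key=lambda t: (-t[0], t[1]))
        return [text for _, text in finished[:n]]


# Constructed training set standing in for a leaked list.
LEAKED = ["password", "password1", "123456", "12345678", "qwerty", "iloveyou",
          "abc123", "letmein", "monkey", "dragon", "sunshine", "football"]

if __name__ == "__main__":
    model = BigramPasswordModel()
    model.train(LEAKED)
    print(model.guesses(10))
    for pw in ("password", "dragon1", "Xq7!zK"):
        print(pw, round(model.log_score(pw), 2))
```

The same `log_score` that orders the attacker's guesses doubles as the strength meter the Cornell researcher mentions: a candidate password that scores high under a model trained on public leaks will be among the first tried, whatever its length or character mix. Real crackers use higher-order models and far larger corpora, and the GAN in the article is an attempt to learn the same distribution without hand-written rules.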
Tomi Engdahl says:
Chrome Continues To Be The Most Secure Browser, Confirms New Research
http://www.tomshardware.com/news/chrome-most-secure-browser-research,35493.html
Tomi Engdahl says:
In the first half of the year, 1.9 billion personal data records were stolen
Data breaches are growing at an alarming rate. Gemalto, a leading maker of smart card chips, has published a new security report according to which 1.9 billion personal data records were compromised in the first half of this year.
Compared to the second half of last year, the figure has grown by as much as 164 percent. According to Gemalto, the vast majority of the personal data was taken in 22 major breaches, each of which exposed more than one million records.
The situation may in fact be worse than reported. Of the 918 reported breaches, in more than fifty-five it was not possible to find out how much information ultimately ended up in the hands of criminals.
Over the past four and a half years, more than 9 billion personal data records have ended up in the hands of criminals.
In the first half of this year, an average of more than 10 million records were stolen every day. The problem is likely to affect a large part of the population. Worryingly, less than one percent of the stolen data was encrypted.
Source: http://www.etn.fi/index.php/13-news/6868-alkuvuonna-varastettiin-1-9-miljardia-henkiloetietoa
More:
Download the Breach Level Index 2017 H1 Report Now
http://www6.gemalto.com/breach-level-index-2017-h1-report?utm_medium=press-release&utm_campaign=bli-lp-report
According to the latest Breach Level Index report, there were 918 reported data breaches and almost 1.9 billion compromised data records worldwide in the first half of 2017.
Other key findings include:
Almost 1.9 billion records compromised, lost or stolen in the first half of 2017, up by 164% from the last six months in 2016.
Identity theft accounted for 74% of all data breaches in the first six months of 2017, up 49% from the second half of 2016
Malicious outsiders were responsible for 74% of breaches, up by 23%
Across industries, healthcare sector data breaches made up 25% of all breaches, with major breaches around the U.K.’s National Health Service.
Education made up 13% of all breaches, with an increase of 103%
Tomi Engdahl says:
WikiLeaks releases files that appear to offer details of Russian surveillance system
https://www.washingtonpost.com/news/worldviews/wp/2017/09/19/wikileaks-releases-files-that-appear-to-offer-details-of-russian-surveillance-system/?utm_term=.0da04777bab9
WikiLeaks, a secret-sharing organization accused of playing a key role in Russian attempts to influence the 2016 U.S. presidential election, has released documents that it claims offer details of how Moscow uses state surveillance to spy on Internet and cellphone users.
The release, dubbed “Spy Files Russia,” appears to mark a shift for an organization that has long been accused of a reluctance to publish documents that could be embarrassing for the Russian state.
As Edward Snowden, a former National Security Agency contractor who now lives in Russia, put it in a tweet: “Plot twist.”
However, other experts are less impressed. “I don’t think it’s a real expose,” said Andrei Soldatov, a Russian investigative journalist and co-author of the “The Red Web: The Struggle Between Russia’s Digital Dictators and the New Online Revolutionaries.” “It actually adds a few details to the picture, [but] it’s not that much.”
Spy Files Russia
https://wikileaks.org/spyfiles/russia/
Tomi Engdahl says:
Twitter Suspends 300,000 Accounts Tied To Terrorism In 2017
https://yro.slashdot.org/story/17/09/19/2120231/twitter-suspends-300000-accounts-tied-to-terrorism-in-2017
According to a new transparency report, Twitter said it suspended nearly 300,000 accounts globally linked to terrorism in the first half of the year.
Twitter Suspends 300,000 Accounts Tied to Terrorism in 2017
https://www.bloomberg.com/news/articles/2017-09-19/twitter-suspends-300-000-accounts-in-2017-for-terrorism-content
Twitter Inc., under pressure from governments around the world to combat online extremism, said that improving automation tools are helping block accounts that promote terrorism and violence.
In the first half of the year, Twitter said it suspended nearly 300,000 accounts globally linked to terrorism. Of those, roughly 95 percent were identified by the company’s spam-fighting automation tools. Meanwhile, the social network said government data requests continued to increase, and that it provided authorities with data on roughly 3,900 accounts from January to June.
Twitter currently has around 328 million users, with monthly active users in the U.S. around 68 million.
Tomi Engdahl says:
What Comes After User-Friendly Design?
https://tech.slashdot.org/story/17/09/19/1946256/what-comes-after-user-friendly-design
“User-friendly” was coined in the late 1970s, when software developers were first designing interfaces that amateurs could use. In those early days, a friendly machine might mean one you could use without having to code. Forty years later, technology is hyper-optimized to increase the amount of time you spend with it, to collect data about how you use it, and to adapt to engage you even more. [...]
What Comes After User-Friendly Design?
The design industry needs a new way to talk to users–one that isn’t just friendly, but respectful.
https://www.fastcodesign.com/90139957/what-comes-after-user-friendly-design
“User-friendly” was coined in the late 1970s, when software developers were first designing interfaces that amateurs could use. In those early days, a friendly machine might mean one you could use without having to code.
Forty years later, technology is hyper-optimized to increase the amount of time you spend with it, to collect data about how you use it, and to adapt to engage you even more. Meanwhile, other aspects of our tech have remained difficult to use, from long, confusing privacy policies to a lack of explanation on why and when your data is being collected, much less how it’s being protected. While some aspects of apps and platforms have become almost too easy to use–consider how often Facebook invites you to check out a friend’s latest update or new comment–others remain frustratingly opaque, like, say, the way Facebook crafts advertising to your behavior.
The discussion around privacy, security, and transparency underscores a broader transformation in the typical role of the designer
Tomi Engdahl says:
Seriously, Is It That Easy To Skim Cards?
https://hackaday.com/2017/09/20/seriously-is-it-that-easy-to-skim-cards/
The folks at Sparkfun write about an approach they received from a law enforcement agency bearing a selection of card skimmer devices that had been installed in gasoline pumps. These didn’t rely on interception of the card itself, instead they sat as a man-in-the-middle attack in the serial line between the card reader unit and the pump electronics. Let that sink in for a minute: a serial line that is readily accessible to anyone with the pump manufacturer’s standard key, carries card data in an unencrypted form. The owner of the skimming device is the criminal, but the company leaving such a wide-open vulnerability should really be joining them in having to answer to authorities.
Gas Pump Skimmers
https://learn.sparkfun.com/tutorials/gas-pump-skimmers
Tomi Engdahl says:
Amazon ‘Reviewing’ Its Website After It Suggested Bomb-Making Items
https://slashdot.org/story/17/09/20/1424206/amazon-reviewing-its-website-after-it-suggested-bomb-making-items
Amazon said on Wednesday that it was reviewing its website after a British television report said the online retail giant’s algorithms were automatically suggesting bomb-making ingredients that were “Frequently bought together.” The news is particularly timely in Britain, where the authorities are investigating a terrorist attack last week on London’s Underground subway system. The attack involved a crude explosive in a bucket inside a plastic bag, and detonated on a train during the morning rush.
Amazon ‘Reviewing’ Its Website After It Suggested Bomb-Making Items
https://www.nytimes.com/2017/09/20/technology/uk-amazon-bomb.html
LONDON — Amazon said on Wednesday that it was reviewing its website after a British television report said the online retail giant’s algorithms were automatically suggesting bomb-making ingredients that were “Frequently bought together.”
The news report is the latest example of a technology company drawing criticism for an apparently faulty algorithm. Google and Facebook have come under fire for allowing advertisers to direct ads to users who searched for, or expressed interest in, racist sentiments and hate speech. Growing awareness of these automated systems has been accompanied by calls for tech firms to take more responsibility for the contents on their sites.
Amazon customers buying products that were innocent enough on their own, like cooking ingredients, received “Frequently bought together” prompts for other items that would help them produce explosives, according to the Channel 4 News.
Although many of the ingredients mentioned by Channel 4 News are not illegal on their own, the report said there had been successful prosecutions in Britain against individuals who bought chemicals and components that can produce explosives.
Amazon said in a statement that all the products sold on its website “must adhere to our selling guidelines and we only sell products that comply with U.K. laws.”
Tomi Engdahl says:
Stuxnet-Style Virus Failed to Infiltrate North Korea’s Nuclear Program
https://spectrum.ieee.org/riskfactor/telecom/security/nsa-stuxnetstyle-virus-failed-to-infiltrate-north-koreas-nuclear-program
The famous Stuxnet computer virus that sabotaged Iran’s nuclear program apparently had a cousin designed to do the same to North Korea. But this other U.S. cyber attack failed because agents could not physically access the isolated computers of North Korea’s nuclear program.
Several U.S. intelligence sources told Reuters that the operation aimed at North Korea took place at the same time as the Stuxnet attack that crippled Iran’s nuclear program in 2009 and 2010.
Both Iran and North Korea likely use similar centrifuges that can enrich uranium for either civilian purposes or to become weapons-grade nuclear material. That means North Korea probably also uses control software developed by Siemens AG running on some version of Microsoft Windows, experts told Reuters.
Tomi Engdahl says:
Viacom left the keys of its digital kingdom on a publicly exposed AWS S3 bucket
http://securityaffairs.co/wordpress/63201/data-breach/viacom-data-leak.html
The security researcher Chris Vickery discovered that media giant Viacom left sensitive data and a secret access key on an unsecured Amazon AWS S3 bucket.
Media giant Viacom left sensitive data and a secret access key on an unsecured Amazon AWS S3 bucket, a gift for hackers. Viacom controls Paramount Pictures, MTV, Comedy Central and Nickelodeon.
The huge trove of data was discovered by the popular security researcher Chris Vickery, director of Cyber Risk Research at security shop UpGuard.
The Amazon AWS S3 bucket contained 72 compressed .tgz files in a folder labeled ‘MCS’, a name which appears to refer to Viacom’s Multiplatform Compute Services division, which operates IT systems for the firm.
The cloud storage exposed a gigabyte’s worth of credentials and configuration files for the backend of dozens of Viacom properties.
Tomi Engdahl says:
Hacker or Hero? Why a Hacker Isn’t Always a Supervillain
http://www.securityweek.com/hacker-or-hero-why-hacker-isnt-always-supervillain
Summer is coming to a close, and with it the end of a steady stream of superhero movies that have been lighting up the box office over the past few months. But while on-screen heroes have been lassoing bad guys or saving the galaxy, here in the real world we’ve been witnessing a different type of anti-criminal activity: defense against cybercrime.
While the security industry is always focused on the latest “hack of the day” or other headline-generating malware outbreak, few attacks in recent memory have generated as much interest as WannaCry, the ransomware attack that crippled organizations worldwide back in May.
In a particularly shocking twist, researcher Marcus Hutchins, who discovered how to stop WannaCry, was recently arrested on separate hacking charges, leading to much debate within the security community. Not only was this person responsible for stopping arguably the most high-profile ransomware attack in history, but now he was accused of creating an unrelated malware strain that could land him in prison. In the wake of his arrest, many tried to figure out if he was a “black hat or a white hat” – someone who used his hacking expertise for good, or for wrongdoing?
If the summer movie season has taught us anything, it’s that heroes and villains aren’t always so black and white.
As people with an extraordinary ability to control the way the world works, many of today’s hackers mimic the X-Men. They toe the line between personal gain for their talent and a desire to do good for others. But if the rest of the community would give hackers more of a chance before writing them off as evildoers, not only would there potentially be more incentives for capable people to go into the white hat hacking business, but the stigma of evil hackers would slowly start to dissipate. By appreciating the unique skillset that hackers bring to the security industry, the benefits will be too large to ignore.
Tomi Engdahl says:
iOS 11 Patches 8 Security Vulnerabilities
http://www.securityweek.com/ios-11-patches-8-security-vulnerabilities
Tomi Engdahl says:
AWS Bucket Leaks Viacom Critical Data
http://www.securityweek.com/aws-bucket-leaks-viacom-critical-data
An Amazon Web Services S3 cloud storage bucket containing a great deal of Viacom internal access credentials and other critical data was left publicly accessible, UpGuard security researchers have discovered.
Viacom is an $18 billion multinational corporation that owns Paramount Pictures and various cable channels, including MTV, BET, Comedy Central, and Nickelodeon. According to the company, it has “the largest portfolio of ad-supported cable networks in the United States, in terms of audience share.”
Chris Vickery, UpGuard Director of Cyber Risk Research, was the one to discover the exposed Amazon Web Services (AWS) bucket. In it, he found seventy-two .tgz files representing irregular backups of technical data, created starting with June 2017 and containing a host of sensitive data.
After having a look at the exposed data, the security researcher determined that it included a master provisioning server running Puppet, left accessible to the public Internet, along with “the credentials needed to build and maintain Viacom servers across the media empire’s many subsidiaries and dozens of brands,” UpGuard’s Dan O’Sullivan notes in a blog post.
Viacom’s secret cloud keys were also exposed in the leak, which could have put the media company’s cloud-based servers in the hands of hackers. Thus, attackers could have been able to launch a variety of attacks while leveraging “the IT infrastructure of one of the world’s largest broadcast and media companies.”
Cut Cord: How Viacom’s Master Controls Were Left Exposed
https://www.upguard.com/breaches/cloud-leak-viacom
The UpGuard Cyber Risk Team can now disclose that Viacom Inc, the Fortune 500 corporation that owns Paramount Pictures, as well as cable channels like MTV, Comedy Central, and Nickelodeon, exposed a vast array of internal access credentials and critical data that could be used to cause immense harm to the multinational corporation’s business operations. Exposed in the leak are a master provisioning server running Puppet, left accessible to the public internet, as well as the credentials needed to build and maintain Viacom servers across the media empire’s many subsidiaries and dozens of brands.
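Both the Security Affairs item above and this SecurityWeek/UpGuard item describe the same failure: a bucket whose ACL let anyone list and fetch its contents. The following added example (not code from either article, from UpGuard or from Viacom) checks a bucket ACL in the JSON shape the AWS API returns for grants to the public groups; the bucket owner ID and the ACL itself are constructed.

```python
# Added example: flag S3 ACL grants that make a bucket readable or
# writable by everyone. The ACL below mirrors the JSON shape the AWS
# GetBucketAcl API returns; the canonical IDs are constructed values.
import json

# Group URIs that grant access to everyone / to any AWS account holder.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone on the internet",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}

SAMPLE_ACL = json.loads("""{
  "Owner": {"ID": "owner-canonical-id-constructed"},
  "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id-constructed"},
     "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}
  ]
}""")

def public_grants(acl):
    """Return (permission, who) for every grant made to a public group.
    Only ACLs are inspected here; a bucket policy can open a bucket too,
    so a full audit checks both."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue
        who = PUBLIC_GROUPS.get(grantee.get("URI"))
        if who:
            findings.append((grant["Permission"], who))
    return findings

def is_listable_by_anyone(acl):
    """READ on a bucket ACL lets the grantee list the bucket's objects,
    which is exactly what exposed the 72 backup archives."""
    return any(perm in ("READ", "FULL_CONTROL") and who == "anyone on the internet"
               for perm, who in public_grants(acl))

if __name__ == "__main__":
    for perm, who in public_grants(SAMPLE_ACL):
        print("public grant: %s to %s" % (perm, who))
    print("listable by anyone:", is_listable_by_anyone(SAMPLE_ACL))
```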
Tomi Engdahl says:
Twitter Suspends Nearly 1 Million Accounts Associated with Terrorism
http://www.securityweek.com/twitter-suspends-nearly-1-million-accounts-associated-terrorism
Twitter has suspended a total of 935,897 accounts for the promotion of terrorism between August 1, 2015, and June 30, 2017, the company says in its latest transparency report.
A total of 299,649 accounts were suspended during the first half of 2017, marking a 20% decrease compared to the previous six-month period, the company reveals. 95% of the account suspensions were the result of internal efforts, the social platform claims.
These are “accounts that actively incite or promote violence associated with internationally recognized terrorist organizations, promote internationally recognized terrorist organizations, and accounts attempting to evade prior enforcement,” Twitter explains.
New Data, New Insights: Twitter’s Latest #Transparency Report
https://blog.twitter.com/official/en_us/topics/company/2017/New-Data-Insights-Twitters-Latest-Transparency-Report.html
Tomi Engdahl says:
‘Optionsbleed’ Flaw Causes Apache to Leak Data
http://www.securityweek.com/optionsbleed-flaw-causes-apache-leak-data
A vulnerability found in Apache HTTP Server (httpd) can cause certain systems to leak potentially sensitive data in response to HTTP OPTIONS requests, a researcher warned.
The flaw was discovered by freelance journalist and security researcher Hanno Böck, who has dubbed it “Optionsbleed.” Despite having a fancy name that is similar to the critical OpenSSL vulnerability known as Heartbleed due to them both “bleeding” memory contents, Optionsbleed is not as severe or as widespread.
Further analysis revealed that Apache leaked server memory due to a use-after-free bug. The flaw, which could result in the exposure of sensitive data, has been assigned the CVE identifier CVE-2017-9798.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9798
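A defender-side check for the symptom Optionsbleed produces: an Allow header whose value is not a clean list of HTTP method names but contains empty slots, duplicates or bytes that cannot be part of a method name. This is an added example, not code from SecurityWeek or from Hanno Böck's advisory; the sample headers are constructed. The advisory (not quoted on this page) traces the trigger to a <Limit> section, typically in .htaccess, naming a method httpd does not recognise, so auditing those sections is the companion mitigation to patching.

```python
# Added example: spot the symptom Optionsbleed produces, an Allow header
# whose values are not a clean list of HTTP method names. The sample
# headers below are constructed, not captured from a real server.
import re

# RFC 7230 "token": the only characters a method name may contain.
TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
KNOWN_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS",
                 "TRACE", "PATCH", "CONNECT", "PROPFIND", "MKCOL"}

def suspicious_allow_values(allow_header):
    """Return a list of findings for one Allow header value.
    An empty list means the header looks healthy. Findings:
      <empty>      consecutive commas, i.e. an empty method slot
      non-token X  bytes that cannot be part of a method name (leaked memory)
      unknown X    a well-formed word that is not a known method
      duplicate X  the same method listed twice
    """
    problems, seen = [], set()
    for raw in allow_header.split(","):
        value = raw.strip()
        if value == "":
            problems.append("<empty>")
        elif not TOKEN_RE.match(value):
            problems.append("non-token %r" % value)
        elif value.upper() not in KNOWN_METHODS:
            problems.append("unknown %s" % value)
        elif value.upper() in seen:
            problems.append("duplicate %s" % value)
        seen.add(value.upper())
    return problems

# Constructed samples: one healthy header and two that a leaking server
# might return. The leak is intermittent, so a real check repeats the
# OPTIONS request against your own server several times and inspects
# every response, not just the first.
SAMPLES = {
    "healthy": "GET,HEAD,POST,OPTIONS",
    "duplicated": "GET,HEAD,OPTIONS,,HEAD,,HEAD,HEAD",
    "garbage": "GET,HEAD,OPTIONS,\x00\xff,Cookie: session=abc",
}

if __name__ == "__main__":
    for name, header in SAMPLES.items():
        print(name, "->", suspicious_allow_values(header) or "ok")
```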
Tomi Engdahl says:
Android AV App Collected Data on Tens of Millions Users
http://www.securityweek.com/android-av-app-collected-data-tens-millions-users
Tens of millions of Android users potentially had their information collected by a security application distributed through Google Play, Check Point security researchers warn.
Called DU Antivirus Security, the software had between 10 and 50 million downloads when the security researchers alerted Google on its data collection practices on August 21. The application was removed from the store on August 24, but was reinstated on August 28, after its developers removed the information-collecting code.
Offered for free, the security software is developed by the DU group, and was discovered to collect a variety of user data without requesting consent from the device owner. The data collection activities, the security researchers discovered, were performed only at the application’s first run.
According to Check Point, the information collected by the application from Android devices included unique identifiers, contact list, call logs, and potentially the location of the device. After gathering the information, the app was encrypting it and sending it to a remote server.
Tomi Engdahl says:
Iranian Hackers Target Aerospace, Energy Companies
http://www.securityweek.com/iranian-hackers-target-aerospace-energy-companies
A cyber espionage group linked by security researchers to the Iranian government has been observed targeting aerospace and energy organizations in the United States, Saudi Arabia and South Korea.
The threat actor, tracked by FireEye as APT33, is believed to have been around since at least 2013. Since mid-2016, the security firm has spotted attacks aimed by this group at the aviation sector, including military and commercial aviation, and energy companies with connections to petrochemical production.
Specifically, the cyberspies targeted a U.S. organization in the aerospace sector, a Saudi Arabian business conglomerate with aviation holdings, and a South Korean firm involved in oil refining and petrochemicals. In recent attacks, the hackers used job vacancies at a Saudi Arabian petrochemical firm to target the employees of organizations in South Korea and Saudi Arabia.
Tomi Engdahl says:
Infrared Cameras Allow Hackers to Jump Air Gaps
http://www.securityweek.com/infrared-cameras-allow-hackers-jump-air-gaps
A team of researchers from Israel has developed a piece of malware that demonstrates how hackers can abuse security cameras with infrared (IR) capabilities to send and receive data to and from an air-gapped network.
The research was conducted by the Ben-Gurion University of the Negev and the Shamoon College of Engineering in Israel. Its goal was to show that a piece of malware installed in an air-gapped network can not only exfiltrate sensitive data, such as passwords, PINs and encryption keys, but also receive commands from the outside world via infrared light, which is invisible to the human eye.
Security cameras are typically equipped with IR LEDs that provide night vision capabilities. If an attacker can plant a piece of malware on the network connected to these cameras, the malware can take control of the IR LEDs and use them to transmit bits of data.
The malware described by experts, dubbed “aIR-Jumper,” can encode the stolen data using various methods. For example, if on-off keying (OOK) encoding is used, the absence of an IR signal for a certain duration encodes a zero (“0”) bit, while the presence of a signal for the same duration encodes a one (“1”) bit.
Data transmission rates depend on the security camera and the camera used to capture the data (e.g. GoPro, smartphone camera). Experiments conducted by the researchers showed that data can be exfiltrated at a rate of 20 bits/sec over a distance of tens of meters, and it can be infiltrated over a distance of hundreds of meters and even kilometers at a rate of 100 bits/sec.
Data transmission rates can be increased significantly if more than one security camera is used by the attacker.
https://arxiv.org/ftp/arxiv/papers/1709/1709.05742.pdf
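The on-off keying described above, seen from the monitoring side: if a camera's IR LED state is sampled at a fixed rate, the symbol-per-duration scheme can be decoded, and the toggle rate it produces is nothing like a night-vision LED that switches a few times a day. This is an added example, not code from the aIR-Jumper paper or from SecurityWeek; the sampling rate, symbol duration (chosen to match the 20 bits/s figure), alert threshold and LED timeline are all constructed assumptions.

```python
# Added example: the paper's on-off keying (OOK) from the defender's side.
# A monitor samples a camera's IR LED state at a fixed rate; the code
# decodes that timeline as OOK and flags a toggle rate that no ordinary
# night-vision LED produces. All parameters below are assumptions.

SAMPLE_HZ = 100        # assumed sampling rate of the LED-state monitor
BIT_SECONDS = 0.05     # assumed symbol duration: 20 symbols/s, as in the paper
SAMPLES_PER_BIT = int(SAMPLE_HZ * BIT_SECONDS)   # 5 samples per symbol

def ook_timeline(bits):
    """Constructed LED timeline: 1 -> LED on for one symbol, 0 -> LED off."""
    return [bit for bit in bits for _ in range(SAMPLES_PER_BIT)]

def ook_decode(samples):
    """Majority vote over each symbol window, so a few noisy samples
    (e.g. a missed frame) do not flip a bit."""
    bits = []
    for i in range(0, len(samples) - SAMPLES_PER_BIT + 1, SAMPLES_PER_BIT):
        window = samples[i:i + SAMPLES_PER_BIT]
        bits.append(1 if sum(window) * 2 > len(window) else 0)
    return bits

def toggles_per_second(samples):
    """How often the LED changes state over the sampled interval."""
    changes = sum(1 for a, b in zip(samples, samples[1:]) if a != b)
    return changes * SAMPLE_HZ / len(samples)

def looks_like_modulation(samples, threshold_hz=1.0):
    """Night-vision LEDs switch with ambient light, a few times a day.
    Sustained toggling above ~1 Hz (assumed threshold, tune per site)
    is a strong sign the LED is being driven as a data channel."""
    return toggles_per_second(samples) > threshold_hz

if __name__ == "__main__":
    # A four-digit PIN as 8-bit ASCII, the kind of payload the article names.
    payload = [int(b) for ch in "1234" for b in format(ord(ch), "08b")]
    signal = ook_timeline(payload)
    print("decoded matches payload:", ook_decode(signal) == payload)
    print("toggle rate: %.1f Hz" % toggles_per_second(signal))
    print("flag (modulated):", looks_like_modulation(signal))
    print("flag (steady night mode):", looks_like_modulation([1] * 1000))
```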