Security trends 2017

3,151 Comments

1. October 3, 2017 at 8:54 am

   Tomi Engdahl says:

   Novelty and Outlier Detection
   http://www.linuxjournal.com/content/novelty-and-outlier-detection

   Just as clustering can be used to divide data into a number of coherent groups, it also can be used to decide which data points belong inside a group and which don’t. In “novelty detection”, you have a data set that contains only good data, and you’re trying to determine whether new observations fit within the existing data set. In “outlier detection”, the data may contain outliers, which you want to identify.

   Where could such detection be useful? Consider just a few questions you could answer with such a system:

   Are there an unusual amount of login attempts from a particular IP address?

   Are any customers buying more than the typical number of products at a given hour?

   Which homes are consuming above-average amounts of water during a drought?

   Which judges convict an unusual number of defendants?

   Should a patient’s blood tests be considered normal, or are there outliers that require further checks and examinations?

   In all of those cases, you could set thresholds for minimum and maximum values and then tell the computer to use those thresholds in determining what’s suspicious. But machine learning changes that around, letting the computer figure out what is considered “normal” and then identify the anomalies, which humans then can investigate. This allows people to concentrate their energies on understanding whether the outliers are indeed problematic, rather than on identifying them in the first place.

   Reply
2. October 3, 2017 at 8:55 am

   Tomi Engdahl says:

   Following Las Vegas shooting, Facebook’s Safety Check page filled with scammers and hoaxes
   Con artists are targeting the heavily trafficked service
   https://www.theverge.com/2017/10/2/16401562/facebook-safety-check-las-vegas-shooting-scam-hoax-newsfeed

   Since 2014, Facebook has offered a service called Safety Check in the wake of dangerous incidents. If you have the Facebook mobile app and are in an area hit by something like a natural disaster, Facebook may trigger a push notification asking you to verify your status. If you mark yourself as safe, the system will automatically add a post to your News Feed with that message, so anyone checking on you can see quickly that you’re okay.

   Facebook also creates a dedicated page where users can check in on friends in the affected area and see breaking news. That last feature has become a vector for scammers and con artists looking to drive traffic to their services and sites. This morning, the Facebook Safety Check page for the deadly mass shooting in Las Vegas featured a video soliciting donations to a Bitcoin wallet, photos from the AANR Midwest American Association for Nude Recreation, and a story (since retracted), that described the shooter as a “Trump-hating Rachel Maddow fan.”

   Reply
3. October 3, 2017 at 9:01 am

   Tomi Engdahl says:

   UK asks for ways to destroy contraband drones heading to prisons
   The MOJ competition is asking for solutions to eradicate contraband delivery drones.
   http://www.zdnet.com/article/uk-asks-you-to-destroy-contraband-drones-heading-to-prisons/

   The UK Ministry of Justice (MOJ) has launched a competition asking for ideas to stop drones from dropping contraband into prisons.

   Drones delivering everything from weapons to drugs and mobile phones are proving to be a serious issue for today’s prison services in the UK.

   Prison employees already have to cope with high numbers of inmates, drug usage, and a lack of both funding and staff — and so adding contraband falling from the sky is potentially more than prison operators can cope.

   The MOJ wants technological solutions to this problem and has earmarked a total of £950,000 for ideas.

   The aim of the competition is to develop “novel detection techniques” to identify contraband in prisons.

   Funding competition SBRI competition: Detecting security threats and contraband in prisons
   https://apply-for-innovation-funding.service.gov.uk/competition/66/overview

   Businesses can apply for a share of £950,000. This is to work with the Ministry of Justice on technological solutions to the problems that drones, drugs, mobile phones, and other contraband, pose within a prison environment.

   Reply
4. October 3, 2017 at 9:12 am

   Tomi Engdahl says:

   GDPR – Not Just a European Concern
   http://www.securityweek.com/gdpr-not-just-european-concern

   The recent Equifax breach that has been all over the news raises an interesting question: How would the situation have played out if it was after May 25, 2018 when the new General Data Protection Regulations (GDPR) are due to come into force? While none of us has a crystal ball, we can bet the outcome for Equifax would be even worse.

   This report (PDF) provides comprehensive information on the GDPR but, in brief, the GDPR is a new set of regulations to protect the personal data and privacy of citizens of EU countries. It will affect any company that processes personal data of EU citizens – even if that company doesn’t have a presence in an EU country – making this legislation more than a European concern. To begin with, the regulations set a high standard for the speed with which businesses are required to report data breaches, in some cases within 72 hours after becoming aware of the breach. Companies also have to comply with each of these rights, transparently and without cost to EU citizens:

   • Right of data portability – if a customer asks for their data you are required to provide it

   • Right of removal – if a customer requests that their information be removed from your systems you are required to do so

   • Data transfer notification – prior to sharing customer data with a third party, you must notify the customer and gain explicit consent to share it

   • Customer access requests – if a customer asks whether or not you hold data on them, you are obligated to let them know

   To satisfy the GDPR regulations, companies will likely need additional processes, technology and personnel in place. In a survey by PwC (PDF) of U.S. companies, nearly 70% of respondents said they plan to spend between $1 million and $10 million to address GDPR obligations. While that may sound like a lot, it could pale in comparison to fines. Failure to comply with the GDPR can result in hefty financial penalties of up to 4 percent of global turnover or 20 million Euros (more than $23 million), whichever is greater in certain instances. For companies operating with razor-thin margins, profits could easily evaporate into thin air.

   https://www.twobirds.com/~/media/pdfs/gdpr-pdfs/bird–bird–guide-to-the-general-data-protection-regulation.pdf?la=en

   Reply
5. October 3, 2017 at 9:12 am

   Tomi Engdahl says:

   Crafting Your Cyber Threat Intelligence Driven Playbook
   http://www.securityweek.com/crafting-your-cyber-threat-intelligence-driven-playbook

   The concept around cyber threat intelligence is that it should be used to drive better security decisions and as a result better outcomes.

   Intel provides insights so that decision-makers are well-informed of their risk, relevant impending threats, the potential impact and the best course of action to take to ensure the best cyber defense. There are many different approaches to threat intelligence, from the type (strategic, operational, tactical/technical) to the delivery (feed, software, full-service solution) to the processes and people involved to create and consume the intel.

   Reply
6. October 3, 2017 at 9:13 am

   Tomi Engdahl says:

   Business Risk Intelligence: The New Industry Standard
   http://www.securityweek.com/business-risk-intelligence-new-industry-standard

   Intelligence in its various forms has long served as the foundation for many organizations’ cybersecurity strategies. And yet, only in recent years has the industry begun to recognize that certain types of intelligence — namely that which is relevant, actionable, and gleaned from high-value sources — can and should be applied to support not just cybersecurity teams, but all business functions across the enterprise.

   Indeed, I’m talking about Business Risk Intelligence (BRI). Often considered the more strategic and cross-functional counterpart to its predecessor, cyber threat intelligence (CTI), BRI surpasses CTI’s relatively limited applications to inform decision-making, improve preparation, and mitigate a broad spectrum of cyber and physical risks. As someone who’s faced the limitations of CTI firsthand, I wanted to reflect on my experience with BRI to shed some light on why it’s quickly becoming the new industry standard.

   BRI addresses overall risk

   Just as its name implies, BRI focuses on addressing business risks — not just threats. To understand the difference, let’s look at a basic formula for risk:

   Risk = threat x likelihood x impact

   As you can see, threat is one component of risk. While most cybersecurity teams focus largely on detecting cyber threats, such an approach should really be just the beginning. Doing more than that requires assessing the likelihood that any given threat will target an organization and, if it does, what the potential impact could be. Even though countless threats exists, they’re not all relevant to all organizations. Evaluating a threat’s relevancy effectively requires visibility into the full context surrounding that threat.

   The challenge is that the context surrounding many threats can be difficult to ascertain given that the nature of CTI is largely focused on detecting threats — but not much else.

   Reply
7. October 3, 2017 at 9:14 am

   Tomi Engdahl says:

   Websites Hacked via Zero-Day Flaws in WordPress Plugins
   http://www.securityweek.com/websites-hacked-zero-day-flaws-wordpress-plugins

   Zero-day flaws affecting several WordPress plugins have been exploited by malicious actors to plant backdoors and take control of vulnerable websites.

   The attacks have been spotted by Wordfence, a company that specializes in protecting WordPress websites.

   The firm’s investigation revealed that attackers had been exploiting previously unknown vulnerabilities in three WordPress plugins. The flaws, described as critical PHP object injection issues, affect the Appointments, Flickr Gallery, and RegistrationMagic-Custom Registration Forms plugins.

   Attacks exploiting the zero-day vulnerability involved the creation of a file on targeted websites, but logs only showed a POST request to /wp-admin/admin-ajax.php, which made it look as if the file appeared out of nowhere, researchers said.

   “This vulnerability allowed attackers to cause a vulnerable website to fetch a remote file (a PHP backdoor) and save it to a location of their choice. It required no authentication or elevated privileges. For sites running Flickr Gallery, the attackers only had to send the exploit as POST request to the site’s root URL. For the other two plugins, the request would go to admin-ajax.php,” Wordfence explained in a blog post.

   3 Zero-Day Plugin Vulnerabilities Being Exploited In The Wild
   https://www.wordfence.com/blog/2017/10/3-zero-day-plugin-vulnerabilities-exploited-wild/

   Reply
8. October 3, 2017 at 1:49 pm

   Tomi Engdahl says:

   US Telco Fined $3 Million in Domain Renewal Blunder
   https://www.bleepingcomputer.com/news/technology/us-telco-fined-3-million-in-domain-renewal-blunder/

   Sorenson Communications, a Utah-based telecommunications provider, received a whopping $3 million fine from the Federal Communications Commission (FCC) on Friday for failing to renew a crucial domain name used by a part of the local 911 emergency service.

   The affected service was the Video Relay System (VRS), a video calling service that telecommunication firms must provide to deaf people and others people with vocal disabilities so they can make video calls to 911 services and use sign language to notify operators of an emergency or crime.

   According to the FCC, on June 6, Sorenson failed to notice that the domain name on which the VRS 911 service ran had expired, leading to the entire system collapsing shortly after.

   Utah residents with disabilities were unable to reach 911 operators for almost three days, the FCC discovered. Sorensen noticed its blunder and renewed the domain three days later, on June 8.

   FCC found the outage was preventable

   “The Commission’s investigation found the outage was preventable,” the FCC wrote in a settlement it reached with Sorensen last week.

   The settlement sum is massive, but of it, only $252,000 is an actual fine, going to the FCC. The rest of the fee — $2.7 million — is a restitution Sorensen must give back to the FCC’s TRSF division.

   Sorensen is by no stretch of the imagination the first company to forget to renew a domain name.

   Samsung left millions of users exposed to hacking after it forgot to renew a domain name

   Online marketing giant Marketo also forgot to renew its main domain, causing huge and costly downtimes to many of its customers.

   Reply
9. October 4, 2017 at 4:17 am

   Tomi Engdahl says:

   Former Equifax CEO says breach boiled down to one person not doing their job
   https://techcrunch.com/2017/10/03/former-equifax-ceo-says-breach-boiled-down-to-one-person-not-doing-their-job/?utm_source=tcfbpage&sr_share=facebook

   In a continued effort to pass on any responsibility for the largest data breach in American history, Equifax’s recently departed CEO is blaming it all on a single person who failed to deploy a patch.

   Smith testified the Struts vulnerability had been discussed when it was first announced by CERT on March 8th.

   Smith said when he started with Equifax 12 years ago there was no one in cybersecurity. The company has poured a quarter of a billion dollars into cybersecurity in the last three years and today boasts a 225 person team.

   However, Smith had an interesting explainer for how this easy fix slipped by 225 people’s notice — one person didn’t do their job.

   “The human error was that the individual who’s responsible for communicating in the organization to apply the patch, did not,” Smith, who did not name this individual, told the committee.

   The notion that just one person didn’t do their job and led to the biggest breach in history is quite an amazing claim and shows a fundamental lack of good security practices. But that’s what Smith says led to this disaster.

   Equifax sent out an internal email on March 9th to deploy the Apache Struts update within 48 hours. However, Smith said, the system failed to identify any vulnerabilities.

   Equifax is still investigating the details of what happened and Smith said providing consumers with adequate information in the aftermath was “challenging.”

   Smith stepped down as CEO last week, shortly after the company’s chief security officer and chief information officer also exited the company.

   Reply
10. October 4, 2017 at 4:24 am

    Tomi Engdahl says:

    “Our inability to act in a responsible manner is a deeply rooted artifact of our corporate structure and every single person from an individual security engineer up to me was culpable.”

    It’s hard to imagine a worse defense.

    Reply
11. October 4, 2017 at 4:25 am

    Tomi Engdahl says:

    There was definitely a failure within IT, but one person? Are there procedures for constant vigilance, updating, and patching? Are there internal audits to ensure that’s being done? That’s more than one person.

    Reply
12. October 4, 2017 at 7:49 am

    Tomi Engdahl says:

    US Studying Ways To End Use of Social Security Numbers For ID
    https://yro.slashdot.org/story/17/10/03/2046247/us-studying-ways-to-end-use-of-social-security-numbers-for-id

    U.S. officials are studying ways to end the use of social security numbers for identification following a series of data breaches compromising the data for millions of Americans, Rob Joyce, the White House cybersecurity coordinator, said Tuesday. Joyce told a forum at the Washington Post that officials were studying ways to use “modern cryptographic identifiers” to replace social security numbers. “I feel very strongly that the social security number has outlived its usefulness,” Joyce said. “It’s a flawed system.”

    US Reviewing Better Tech Identifiers After Hacks: Trump Aide
    http://www.securityweek.com/us-reviewing-better-tech-identifiers-after-hacks-trump-aide

    US officials are studying ways to end the use of social security numbers for identification following a series of data breaches compromising the data for millions of Americans, a Trump administration official said Tuesday.

    Rob Joyce, the White House cybersecurity coordinator, told a forum at the Washington Post that officials were studying ways to use “modern cryptographic identifiers” to replace social security numbers.

    Joyce’s comments come after news that some 145 million Americans may have had personal information leaked, including the important social security numbers, in a breach at Equifax, one of three big US firms which collect data for credit applications.

    “I feel very strongly that the social security number has outlived its usefulness,” Joyce said.

    “It’s a flawed system.”

    For years, social security numbers have been used by Americans to open bank accounts or establish their identity when applying for credit. But stolen social security numbers can be used by criminals to open bogus accounts or for other types of identity theft.

    “If you think about it, every time we use the social security number we put it at risk,” Joyce said.

    “That is the identifier that connects you to all sort of credit and digital and information online.”

    The official spoke as US lawmakers opened hearings on the Equifax breach, believed to be one of the worst because of the sensitivity of data leaked.

    Reply
13. October 4, 2017 at 9:39 am

    Tomi Engdahl says:

    Oath-my-God: THREE! BILLION! Yahoo! accounts! hacked! in! 2013! – not! ‘just!’ 1bn!
    Every user pwned, how’s that $4bn looking now, Verizon?
    https://www.theregister.co.uk/2017/10/03/yahoo_says_one_beeelion_user_hack_figure_wrong_its_three/

    With Equifax testifying in US Congress today about its own massive security failings, someone at Yahoo! presumably thought now would be a good time to bury bad news – but some things are too large to hide.

    In a filing on Tuesday to America’s financial watchdogs, Yahoo!, now owned by Verizon under the Oath brand, admitted the total number of user accounts illegally accessed by hackers in 2013 wasn’t the 500 million earlier reported, nor the one billion it later confessed, but all of them – all three billion accounts.

    The miserable web giant said that following its 2016 takeover by Verizon – which has its own security consultancy – it “recently obtained new intelligence” that indicated that the network intrusion was much larger than had previously been thought. In fact, it was as large as it could be.

    That means account records – including names, addresses, phone numbers, and weakly hashed passwords – for three billion accounts worldwide were exposed to hackers. In its statement today to the SEC, Yahoo! admitted

    Despite their words, Verizon management are most likely seething about the news. When the initial hack was disclosed, the telco managed to knock $350m off the $4.8bn asking price for the company. Had it known about the size of the actual hack it could have got a considerably bigger discount.

    As for the hackers themselves, the US authorities have indicted four men over the infiltration. American prosecutors claim the hack was ordered by the Russian intelligence services and carried out by hackers-for-hire.

    Reply
14. October 4, 2017 at 9:50 am

    Tomi Engdahl says:

    Websites Hacked via Zero-Day Flaws in WordPress Plugins
    http://www.securityweek.com/websites-hacked-zero-day-flaws-wordpress-plugins

    Zero-day flaws affecting several WordPress plugins have been exploited by malicious actors to plant backdoors and take control of vulnerable websites.

    The attacks have been spotted by Wordfence, a company that specializes in protecting WordPress websites.

    The firm’s investigation revealed that attackers had been exploiting previously unknown vulnerabilities in three WordPress plugins. The flaws, described as critical PHP object injection issues, affect the Appointments, Flickr Gallery, and RegistrationMagic-Custom Registration Forms plugins.

    Attacks exploiting the zero-day vulnerability involved the creation of a file on targeted websites, but logs only showed a POST request to /wp-admin/admin-ajax.php, which made it look as if the file appeared out of nowhere, researchers said.

    Reply
15. October 4, 2017 at 9:51 am

    Tomi Engdahl says:

    Many Companies Unprepared for DNS Attacks: Survey
    http://www.securityweek.com/many-companies-unprepared-dns-attacks-survey

    Many companies are not prepared to deal with DNS attacks, and a quarter of the ones that have already been hit reported significant losses, according to a survey conducted by Dimensional Research on behalf of network security firm Infoblox.

    Attacks on Domain Name System (DNS) services can have serious consequences, as demonstrated by the attack on Dyn last year. The attack, powered by the Mirai botnet, led to service disruptions for several major websites, including Twitter, GitHub, Etsy, Soundcloud, PagerDuty, Spotify and Airbnb.

    The study from Dimensional Research and Infoblox, based on a survey of over 1,000 IT and security professionals worldwide, revealed that 3 out of 10 companies have already experienced DNS attacks and in most cases it resulted in downtime.

    As for the financial losses caused by DNS attacks, 3% of respondents said they had lost more than $1 million, and nearly a quarter reported losses exceeding $100,000.

    The research has not found any link between the type of DNS service used and the risk of attacks. Companies that used a cloud DNS service, a third-party service or their own service were attacked roughly the same.

    According to the report, 22% of companies don’t have a backup DNS service, and 63% of them are not capable of defending against all common DNS attacks, such as hijacking, exploits, cache poisoning, protocol anomalies, reflection, NXDomain and amplification.

    Reply
16. October 4, 2017 at 9:52 am

    Tomi Engdahl says:

    The Challenge of Training AI to Detect Unique Threats
    http://www.securityweek.com/challenge-training-ai-detect-unique-threats

    In a previous column, I discussed how traditional endpoint security fails because it focuses on detecting known bad instances. As evidenced by the rapid rise of email-based attacks, this is a losing proposition. That is because advanced threats and targeted email attacks change rapidly as attackers dodge detection. While bad changes on a daily basis, good does not. Therefore, modeling what is good and detecting deviations from the good offers a better solution than identifying bad does.

    Tragically, many security vendors are hesitant to recognize the inherent drawbacks of blacklisting, which is the detection of known bad. Instead, they are embracing artificial intelligence with the hope that this will help them keep up with adversarial changes.

    While machine learning can significantly speed up the reaction to changes by identifying similarities and generalizing, it requires reasonably large training sets to do so. But these often take time to establish, which means that attacks will always remain one step ahead. This is particularly worrisome for low-volume targeted attacks.

    Reply
17. October 4, 2017 at 9:55 am

    Tomi Engdahl says:

    The Increasing Effect of Geopolitics on Cybersecurity
    http://www.securityweek.com/increasing-effect-geopolitics-cybersecurity

    Cyber Warfare Can be Exerted by Any Nation With an Actual or Perceived Grievance Against Any Other Nation

    The effect of geopolitics on cybersecurity can be seen daily – from Chinese cyber espionage to Russian attacks on the Ukraine and North Korea’s financially-motivated attacks against SWIFT and Bitcoins – and, of course, Russian interference in western elections and notably the US 2016 presidential election.

    The primary cause is political mistrust between different geopolitical regions combined with the emergence of cyberspace as a de facto theater of war.

    “Of course there is a connection between cybersecurity and geopolitics,” Ilia Kolochenko, CEO of High-Tech Bridge, told SecurityWeek. “Hackers are now acting as soldiers, and it’s difficult to find a country that has never used a cyber weapon.”

    A current example of geopolitical tensions can be seen in the recent ban on U.S. government agencies using a much-respected antivirus and endpoint protection product produced by Russian firm Kaspersky Lab

    Kaspersky Lab has continually denied any inappropriate ties to the Russian intelligence services; and there is no public evidence to suggest otherwise.

    Cyber as a Theater of War

    Although not necessarily recognized at government level, few people involved with cybersecurity have any doubt that cyber warfare is current and ongoing. Governments are reluctant to openly acknowledge this reality for fear that recognition will require retaliation – and the big fear then is that it could escalate into kinetic warfare. Kinetic provocation leads to kinetic responses; cyber provocation tends not to. Consider, for example, the U.S. response to North Korea’s missile tests compared to the response to North Korea’s cyber attacks against Sony and SWIFT.

    Cyber warfare has further advantages: the difficulty of attribution provides plausible deniability.

    Attribution

    Attribution is a major problem in cyberspace. Attackers can compromise servers in any part of the world. They can limit their activities to the working day of any geographical area. They can code in foreign languages; and they can reuse code snippets first used by different hacking groups. Such misdirection (false flags) is used by both nation state actors and cyber criminals.

    Plausible deniability

    When it is impossible to openly prove the culprit, it is easy for the suspect to deny all knowledge. Following repeated denials of involvement in the US 2016 election hacks, Vladimir Putin finally suggested that it could have been ‘patriotic Russian hackers’.

    “They got up today and read that something is going on internationally. If they are feeling patriotic they will start contributing, as they believe, to the justified fight against those speaking ill of Russia,” he said. But at the same time, he stressed that it had nothing to do with the Russian government.

    Escalation

    Given the ease and success of cyber warfare attacks, it’s only natural that we see an escalation in its use. “In 2007, in Estonia,” explains Kenneth Geers, senior research scientist at Comodo and NATO Cyber Center Ambassador, “a distributed denial of service campaign primarily targeted online services. A decade later, in Ukraine, we have seen a far higher number and variety of attacks, spanning the political, diplomatic, business, military, critical infrastructure, and social media domains.”

    The use of the internet as a means of disseminating political propaganda has also increased. Public awareness initially focused on Anonymous hacktivism, where the Anonymous group would deface or take down the websites of organizations or companies to which it objected.

    The Effect of Geopolitics on Cybersecurity

    The fundamental cause of cyber warfare is international political mistrust. As this escalates, so international cyber incidents increase – and there is little doubt that political mistrust is as high as it has ever been since the end of the Cold War. Sino-American tensions remain high, complicated by the unpredictability of a newly nuclear North Korea. The War on Terror that replaced the Cold War has seen the emergence of Iran as a sponsor of terror; both on the streets and in cyberspace. And Russia’s new found energy wealth sees Putin apparently determined to make the Russian Federation as powerful as the old Soviet Union.

    Kinetically, the United States is probably the world’s sole Super Power; perhaps followed by China. Cyberspace, however, is a huge leveler. “What you’re seeing today is technology straining and sometimes eclipsing the ability of traditional constraints and institutions to keep them in check,” Christopher Bray, SVP/GM Consumer at Cylance Inc, told SecurityWeek. “It’s also resulting in smaller nations punching above their weight when it comes to cyber defensive and offensive capabilities, and exerting these new-found technological powers in advancing their geopolitical agendas as well as their desire to monitor their own populations to various degrees. This monitoring is always done in the interest of ‘national security’, but depending on the government in question, it can also lead into a more Orwellian direction.”

    In short, cyber warfare can be exerted by any nation with an actual or perceived grievance against any other nation; and the implication of that is that it will continue to grow. This is likely to have several negative effects on cyberspace.

    Balkanization

    The first negative effect is already being felt: it is the balkanization of the internet. There are two aspects to this: the first is to protect the national internet from the global internet; and the second is to promote the use of locally produced products over foreign-produced, and therefore suspect, products. The Iranian, North Korean and Chinese intranets are the best known examples. China has embarked on a locally-produced product policy (China’s Cybersecurity Law) which will see 80% of large Chinese business security expenditure will be on locally produced products.

    Other countries are embarking on different routes towards the same end: banning or at least deprecating the use of foreign-produced products (China’s Huawei and perhaps Russia’s Kaspersky in the U.S., for example), or using internet censorship and press restraint to limit the citizen’s access to foreign or distrusted information sources (as increasingly happens in the UK).

    The problem with this effect of geopolitics is that it increases rather than decreases mistrust – and this ‘balkanization’ will likely, but not necessarily, have further negative effects on both cyber and national security.

    Weakened cybersecurity

    It is not at all clear that a ‘local product only’ policy can work. “Most major software products are written by personnel in numerous countries, and parent companies subcontract out much of the labor to coders whom they only know tenuously,” explains Geers. “Often, we have little choice but to use, for example, Chinese hardware, American software, French routers, and Israeli security applications… Are there spies working in many of the best-known software companies? Without a doubt. But in most cases, the companies in question do not know about them.”

    More complex business security

    Concern over geopolitical influence on cybersecurity products simply makes a difficult job even more difficult. Steven Lentz, CSO at Samsung Research America, told SecurityWeek, “It’s sad that we have to be aware of vendors like this, but that’s the environment. Politics finds a way into everything nowadays. I just want a solution that does what it says and fits our environment. Now, with all the press of certain vendors in possible collusion with governments that may spy on the U.S., it makes it more complicated. I may like the vendor’s solution, but now I have to worry about possible malware or back doors,. It’s sad.”

    Reply
18. October 4, 2017 at 9:55 am

    Tomi Engdahl says:

    Google Patches Critical Android Flaws With October 2017 Updates
    http://www.securityweek.com/google-patches-critical-android-flaws-october-2017-updates

    Google this week released its October 2017 Android patches, which address a total of 14 vulnerabilities in the mobile platform, including five rated Critical severity.

    Split in two, the Android Security Bulletin—October 2017 resolves issues affecting various platform iterations, ranging from Android 4.4.4 to Android 8.0. The most severe of these could lead to arbitrary code execution or to applications being able to gain additional permissions without user interaction.

    Reply
19. October 4, 2017 at 9:56 am

    Tomi Engdahl says:

    Enterprises Blacklist iOS Apps Due to Data Leakage: Report
    http://www.securityweek.com/enterprises-blacklist-ios-apps-due-data-leakage-report

    A report published on Tuesday by mobile security firm Appthority reveals which Android and iOS applications are most frequently blacklisted by enterprises.

    According to data collected by Appthority, iOS apps are typically blacklisted due to the fact that they leak data. The most commonly blacklisted iOS app is WhatsApp, which has a high risk rating due to the fact that it sends information from the device’s address book to a remote server.

    Reply
20. October 4, 2017 at 9:56 am

    Tomi Engdahl says:

    2013 Hack Hit All 3 Billion Yahoo Accounts: Company
    http://www.securityweek.com/2013-hack-hit-all-3-billion-yahoo-accounts-company

    A 2013 hack affected all three billion accounts at Yahoo, triple the original estimate, the online giant’s parent company said Tuesday following a new analysis of the incident.

    The disclosure from Verizon, which acquired Yahoo’s online assets earlier this year, revised upward the initial estimate of one billion accounts affected.

    The statement said the estimate is based on “new intelligence” following an investigation with the assistance of outside forensic experts into the incident in August 2013.

    “While this is not a new security issue, Yahoo is sending email notifications to the additional affected user accounts,” said a statement issued by Verizon’s internet unit known as Oath.

    “The investigation indicates that the user account information that was stolen did not include passwords in clear text, payment card data, or bank account information. The company is continuing to work closely with law enforcement.”

    Reply
21. October 4, 2017 at 10:22 am

    Tomi Engdahl says:

    IRS awards multimillion-dollar fraud-prevention contract to Equifax
    http://www.politico.com/story/2017/10/03/equifax-irs-fraud-protection-contract-243419

    The no-bid contract was issued last week, as the company continued facing fallout from its massive security breach.

    The IRS will pay Equifax $7.25 million to verify taxpayer identities and help prevent fraud under a no-bid contract issued last week, even as lawmakers lash the embattled company about a massive security breach that exposed personal information of as many as 145.5 million Americans.

    A contract award for Equifax’s data services was posted to the Federal Business Opportunities database Sept. 30 — the final day of the fiscal year. The credit agency will “verify taxpayer identity” and “assist in ongoing identity verification and validations” at the IRS, according to the award.

    The notice describes the contract as a “sole source order,” meaning Equifax is the only company deemed capable of providing the service. It says the order was issued to prevent a lapse in identity checks while officials resolve a dispute over a separate contract.

    Lawmakers on both sides of the aisle blasted the IRS decision.

    Reply
22. October 4, 2017 at 10:24 am

    Tomi Engdahl says:

    White House plan to nuke social security numbers is backed by Equifax’s ex-top boss
    We meant it, nothing matters any more. Nothing at all
    https://www.theregister.co.uk/2017/10/04/white_house_plans_to_ditch_social_security_numbers_as_ids/

    White House cybersecurity coordinator Rob Joyce has won the backing of Equifax’s ex-CEO for a plan to stop using social security numbers as personal identifiers in the US.

    We have no idea of Joyce’s opinion of the endorsement, but what we do know is that he floated the notion in a speech given to a Washington Post-sponsored cybersecurity conference on Tuesday. Joyce suggested using a “modern cryptographic identifier” – presumably a hash or public-private key pair or something – to identify individual US taxpayers rather than the usual nine digits.

    Former Equifax CEO Richard Smith followed a similar path, but in a less-favorable forum – on Tuesday, he was giving testimony to the US House committee investigating the litany of failures that led to his credit-check agency leaking 145 million Americans’ social security numbers and other sensitive personal data. The same biz that just won a US$7.5 million contract to help Uncle Sam identify taxpayers, funnily enough.

    “The concept of a Social Security number in this environment being private and secure – I think it’s time as a country to think beyond that,” Smith told politicians. No kidding, Dick, you just lost 145 million of the numbers to hackers.

    Meanwhile, arguing the social security number has “outlived its usefulness” for citizen-government interactions, Joyce said that “every time we use the Social Security number you put it at risk.” Again, no kidding, thanks to organizations like Equifax.

    Reply
23. October 4, 2017 at 2:14 pm

    Tomi Engdahl says:

    Yahoo Triples Estimate of Breached Accounts to 3 Billion
    Company disclosed late last year that 2013 hack exposed private information of over 1 billion users
    https://www.wsj.com/articles/yahoo-triples-estimate-of-breached-accounts-to-3-billion-1507062804

    A massive data breach at Yahoo in 2013 was far more extensive than previously disclosed, affecting all of its 3 billion user accounts, new parent company Verizon Communications Inc. said on Tuesday.

    Reply
24. October 5, 2017 at 8:45 am

    Tomi Engdahl says:

    Crafting Your Cyber Threat Intelligence Driven Playbook
    http://www.securityweek.com/crafting-your-cyber-threat-intelligence-driven-playbook

    The concept around cyber threat intelligence is that it should be used to drive better security decisions and as a result better outcomes.

    So how do you go about halting payload delivery by disabling a tool that is barely used by your user population? Easy – you push a GPO that has been around for a while. You can refer to this post: For users that have a need to use macro’s, generate a digital signature for that user base and digitally sign them so they are trusted.

    If you understand what these threats are exploiting, and know your environment, you should be able to map out the most effective countermeasures. Each organization should look at countermeasures in terms of what is relevant to them. The level of effort and cost to implement as well as the threat impact potential may be different per organization. Mapping this out though can help you prioritize the countermeasures to deploy. In this scenario the play called had a high level of impact to the threat, a low impact to the user, and a low cost to deploy.

    Additionally, your playbook should go beyond countermeasures to proactively prevent bad things from happening… it should also include incident and breach response process because ultimately you cannot prevent every threat. Having intel play a role in your IR/BR process can help speed the response, improve the effectiveness of that response and also loop back into your countermeasures to help prevent future attacks. Run through the different scenarios and options to consider so that it is well-thought out, agreed upon and reacted to as quickly and effectively as possible.

    With sound cyber threat intelligence informing these plays in your book, you have practical methodologies to both proactively mitigate and more quickly and effectively respond to specific threats.

    Reply
25. October 5, 2017 at 8:45 am

    Tomi Engdahl says:

    Oracle Announces New Cloud Security Services
    http://www.securityweek.com/oracle-announces-new-cloud-security-services

    Oracle announced this week at the company’s OpenWorld convention the launch of new cloud security services and improvements to existing products.

    One of the new offerings is the Oracle Identity Security Operations Center (SOC), a context-aware intelligence and automation solution designed to help organizations detect and respond to sophisticated threats targeting users, applications, data and cloud workloads.

    The Identity SOC leverages the newly released Oracle Security Monitoring and Analytics Cloud Service, which provides security incident and event management (SIEM) and user and entity behavioral analytics (UEBA) capabilities.

    Two other major components of the Identity SOC are the Oracle CASB (Cloud Access Security Broker) Cloud Service, which enables organizations to protect business-critical cloud infrastructure and data, and the Oracle Identity Cloud Service, described by the company as a “next-generation comprehensive security and identity platform.”

    Reply
26. October 5, 2017 at 8:48 am

    Tomi Engdahl says:

    Free Tool Detects, Exploits DLL Hijacking Vulnerabilities
    http://www.securityweek.com/free-tool-detects-exploits-dll-hijacking-vulnerabilities

    DLL hijacking is not a new attack vector. It’s been around for 20 years or more. It’s not easy, but it’s very effective. Once achieved it provides stealth and persistence — precisely those attributes sought by advanced and state actors.

    Forrest Williams, senior security researcher at Cybereason, spotted an incidence of DLL hijacking on a customer’s network; and decided to tackle the problem. His solution was to develop a new scanner, a tool he calls Siofra, that will both detect a hijacking vulnerability and also provide an automated method of exploiting the vulnerability.

    It is a drastic solution, and one that leaves him and his company open to criticism in the same way that Metasploit is criticized: it can help bad guys attack good guys. Williams first approached Microsoft and was told, this attack “is predicated on the attacker having written a malicious binary to the directory where the application is launched from. As described in the Windows library search order process, loading binaries from the application directory is by design. This does not meet the bar for security servicing.”

    DLL hijacking occurs when a modified and weaponized DLL is called by an application instead of the original DLL. It is neither an easy nor a common attack; but a hijacked DLL can be left behind after a network compromise, allowing the attacker to withdraw while leaving a stealthy, persistent and dangerous malware behind. Because of the inherent difficulties, it is primarily used by advanced or state actors.

    And it does happen. It happened with the recent CCleaner compromise, now thought to have been conducted by a Chinese state actor.

    For the moment, it appears that Microsoft is unwilling to address the problem. “The only real solution from Microsoft would be whitelisting or code signing so that no DLL is ever loaded into a Microsoft process unless it is digitally signed,” explained Williams. “Thing is, they don’t do this; and I think the reason they don’t do this is because they won’t be able to do backwards compatibility. Also,” he added, “some Microsoft code is designed with ‘just-in-time-compiling’. It’s compiled as the code is run — and there’s no way to sign it. So there’s no real way to create a whitelist. Windows simply wasn’t designed with this issue in mind — so it is design flaws that have prevented them fixing the issue to this day.”

    The design flaws will need to be designed out of Windows — but it will take a lot of development effort from Microsoft. “It wouldn’t be an easy fix,” said Williams. “If attacks become more prevalent — and right now they’re not very common — I think that Microsoft would definitely do something. After the release of the Mimikatz tool to steal credentials, making credential stealing much easier, Microsoft has now changed their design.”

    Williams has little doubt that DLL hijacking will continue and become a growing problem from advanced attackers. The problem is that the vulnerability is everywhere. “When I tested Siofra,” he told SecurityWeek, “I did not find a single application that did not include at least one vulnerable DLL.” This isn’t limited to Microsoft applications, although it includes Windows Defender, Internet Explorer and WMI — none of which were previously known to be vulnerable. But it also includes applications like Adobe Reader and Firefox. “No defensive software wants to delete high-trust applications like these.” As a result, a hijacked DLL simply flies under the radar of anti-malware software.

    Reply
27. October 5, 2017 at 8:50 am

    Tomi Engdahl says:

    New Microsoft Tool Analyzes Memory Corruption Bugs
    http://www.securityweek.com/new-microsoft-tool-analyzes-memory-corruption-bugs

    A newly released analysis tool from Microsoft helps security engineers and developers investigate memory corruption bugs.

    Called VulnScan, the tool has been designed and developed by the Microsoft Security Response Center (MSRC) to help determine the vulnerability type and root cause of memory corruption flaws. The utility was built on top of two internally developed tools, namely Debugging Tools for Windows (WinDbg) and Time Travel Debugging (TTD), the tech giant says.

    WinDbg was created as a Windows debugger that has recently received a user interface makeover, while Time Travel Debugging is an internally developed framework designed to record and replay execution of Windows applications.

    “By leveraging WinDbg and TTD, VulnScan is able to automatically deduce the root cause of the most common types of memory corruption issues. Application Verifier’s mechanism called PageHeap is used to trigger an access violation closer to the root cause of the issue,” Mateusz Krzywicki from MSRC explains.

    VulnScan – Automated Triage and Root Cause Analysis of Memory Corruption Issues
    https://blogs.technet.microsoft.com/srd/2017/10/03/vulnscan-automated-triage-and-root-cause-analysis-of-memory-corruption-issues/

    For these reasons, MSRC has made significant investments over the course of many years to build tooling that helps us automate the root cause analysis process. VulnScan is a tool designed and developed by MSRC to help security engineers and developers determine the vulnerability type and root cause of memory corruption bugs. It is built on top of two internally developed tools: Debugging Tools for Windows (WinDbg) and Time Travel Debugging (TTD).

    WinDbg is Microsoft’s Windows debugger that has recently received a user interface makeover to make it even easier to use. You can find more information about the new WinDbg Preview version here.
    Time Travel Debugging is an internally developed framework that records and replays execution of Windows applications. This technology was released during CPPCon 2017.

    Classes of memory corruption issues supported by VulnScan:
    Out of bounds read/write
    Use after free
    Type confusion
    Uninitialized memory use
    Null/constant pointer dereference

    MSRC uses VulnScan as part of our automation framework called Sonar. It automatically processes externally reported proof of concept files on all supported platforms and software versions. Sonar is used to both reproduce and to perform the root cause analysis. To this end, we employ multiple different environments and try to reproduce the issue multiple times with different configurations.

    VulnScan is planned for inclusion in Microsoft Security Risk Detection service (Project Springfield), where it is used to de-duplicate crashes and provide extended analysis of vulnerabilities found through fuzzing.

    Reply
28. October 5, 2017 at 8:51 am

    Tomi Engdahl says:

    Code Execution Flaws Patched in Apache Tomcat
    http://www.securityweek.com/code-execution-flaws-patched-apache-tomcat

    Several vulnerabilities, including ones that allow remote attackers to execute arbitrary code, have been patched in recent weeks in Apache Tomcat.

    Developed by The Apache Software Foundation, Apache Tomcat is an open source implementation of the Java Servlet, JavaServer Pager (JSP), Java WebSocket and Java Expression Language technologies. Tomcat is said to be the most widely used web application server, with a presence in more than 70% of enterprise data centers.

    Apache Tomcat developers informed users on Tuesday that the product is affected by a remote code execution vulnerability.Apache Tomcat vulnerabilities

    The flaw, tracked as CVE-2017-12617 and classified as “important” severity, has been addressed with the release of versions 9.0.1, 8.5.23, 8.0.47 and 7.0.82. All previous 9.x, 8.5.x, 8.0.x and 7.0.x versions are impacted.

    The vulnerability affects systems that have the HTTP PUT method enabled and it allows attackers to upload a malicious JSP file to a targeted server using a specially crafted request. The server would then execute the code in the JSP file when the file was requested. A proof-of-concept (PoC) exploit is publicly available.

    While this sounds like a serious vulnerability, in only affects systems that have the default servlet configured with the readonly parameter set to false or the WebDAV servlet enabled with the readonly parameter set to false.

    Summary: Apache Tomcat Remote Code Execution via JSP Upload bypass
    https://bz.apache.org/bugzilla/show_bug.cgi?id=61542

    Reply
29. October 5, 2017 at 8:55 am

    Tomi Engdahl says:

    NIST Readies to Tackle Internet’s Global BGP Vulnerabilities
    http://www.securityweek.com/nist-readies-tackle-internets-global-bgp-vulnerabilities

    NIST has published an update on its work on the new Secure Internet Domain Routing (SIDR) standards designed to provide the internet the security that is currently lacking from the Border Gateway Protocol (BGP).

    BGP was designed in 1989 as a short-term fix for the earlier Exterior Gateway Protocol that could no longer handle the rapidly increasing size of the internet, and was in imminent danger of meltdown. The problem is that BGP was designed without any security, despite it being fundamental to the operation of the internet.

    BGP controls the route that data takes from source to destination. It does this by keeping tabs on the availability of local stepping stones along that route. The availability of those stepping stones is maintained in regularly updated routing tables held locally. The problem is that there is no security applied to those tables — in effect, the entire map of the internet is built on trust; and trust is in short supply in today’s internet. Whole swathes of traffic can be hijacked.

    “BGP forms the technical glue holding the internet together,” explains NIST in Tuesday’s post; “but historically, its lack of security mechanisms makes it an easy target for hacking.”

    The trust model underpinning BGP is easily abused, and has frequently been abused. Generally speaking, most abuse is thought to have be accidental — but there have been enough suspicious incidents to demonstrate that the theoretic concern over BGP’s security is not unfounded.

    “As a result,” warns NIST in a separate publication (SIDR, Part 1: Route Hijacks– PDF)

    New Network Security Standards Will Protect Internet’s Routing
    https://www.nist.gov/news-events/news/2017/10/new-network-security-standards-will-protect-internets-routing

    Reply
30. October 5, 2017 at 8:57 am

    Tomi Engdahl says:

    Attribution Hell: Cyberspies Hacking Other Cyberspies
    http://www.securityweek.com/attribution-hell-cyberspies-hacking-other-cyberspies

    Cyber espionage attribution is almost never easy, but it becomes even more complicated when threat actors hack other threat actors and they start using each other’s tools and infrastructure in their operations.

    On Wednesday, at the Virus Bulletin conference in Madrid, Spain, Kaspersky researchers Juan Andrés Guerrero-Saade and Costin Raiu pointed out that cyberspies hacking other cyberspies, which they call “fourth-party data collection,” is the worst case scenario when trying to link an attack to a certain actor.

    Fourth-party collection takes place when a competent entity (Agency-A) actively or passively harvests information related to a foreign intelligence service’s (Agency-B) computer network exploitation activity.

    Active collection involves Agency-A breaking into the C&C servers or backend-collection nodes of Agency-B. This can be achieved either by using stolen credentials or by exploiting vulnerabilities to plant a backdoor on the server – the latter scenario can be more efficient as it provides persistent access without raising suspicion.

    Once it gains access to Agency-B’s systems, Agency-A can adopt its tools and infrastructure to launch attacks in their name. According to Guerrero-Saade and Raiu, Kaspersky Lab has investigated several campaigns that could involve fourth-party collection.

    Benefits of fourth-party collection

    According to Guerrero-Saade and Raiu, the byproducts and benefits of fourth-party collection include tasking-by-proxy, code reuse, and learning from adversaries.

    As for code reuse, the experts pointed out that there can be numerous benefits to obtaining a different group’s tools and implants. They noted that a piece of code found in two different malware families does not necessarily mean they were made by the same developers; it’s possible that the developers of one tool used code that they had stolen from another threat actor.

    Reply
31. October 5, 2017 at 1:17 pm

    Tomi Engdahl says:

    The Disturbing Rise of Cyberattacks Against Abortion Clinics
    https://www.wired.com/story/cyberattacks-against-abortion-clinics

    Later that day, Whole Woman’s Health noticed a surge in hacking attempts through routine monitoring of web activity. A few days after, the staff couldn’t log into the website. One of the intrusive efforts had succeeded, and shut the website down for a week.

    It was just the beginning of the onslaught of cyberattacks that Whole Woman’s Health would experience between June 2013 and April 2016, as the organization continued to fight a legal battle over abortion that went all the way to the Supreme Court.

    The battle lines around abortion in the US have been clearly drawn for decades. Protesters, ranging from handfuls to hundreds, stake territory outside clinics to pray, wave signs, and yell into loudspeakers.

    Over the past few years, though, a new front has emerged that many reproductive healthcare organizations struggle to deal with. Cyberattacks and threats, as well as internet harassment, have escalated, aiming to disrupt services, intimidate providers and patients, and prevent women from getting the care they need.

    After the initial attack, Whole Woman’s Health hired a cybersecurity specialist to remove the malware and repair the damage that had been done. Still, Hagstrom Miller says, the site suffered more than 500 hacking attempts each day in the wake of Gifford’s testimony. About a month later, hackers found and exploited a vulnerability in the Whole Woman’s Health blog, which gave them a backdoor to the entire website.

    The second successful attack shut down the site for a month. Without it, potential patients were unable to find the clinics, make appointments, identify hours, locations, and services provided, and ask questions.

    “The damage was awful,” Gifford said. “Our phones literally stopped ringing. It was devastating. Most of our patients find us online, so with no website and no Google advertising, it made day-to-day awareness nearly impossible.”

    After that attack, Whole Woman’s Health switched to a more secure hosting provider, and rebuilt every single page on its website, around 100 in all. These measures allowed the organization to better track the cyberthreats as they came in, but didn’t stop them.

    The high-profile of Whole Woman’s Health may have made the organization a unique target, but anti-abortion cyber warfare is part of a larger trend.

    Hackers targeted Whole Woman’s Health and Planned Parenthood because they are prominent, nationally recognized organizations that advocate for abortion rights, but the threats can be localized as well.

    “It happens pretty regularly and we have had to spend way too much money to fix it,” Hales says. “To be honest, I’m surprised by how tech-savvy they are.”

    “Anyone that knows how to type a word document or a simple email can go on the dark web with malicious intent to find what they are after,” Petronella says. “The simplicity of it is scary.”

    Many hospitals, clinics, and private practices operate on older technology and equipment and have limited resources to devote to state-of-the-art IT.

    “Healthcare is such low-hanging fruit,” Petronella says. “Hackers know their defenses are weak and they are limited on budget, without a lot of sophistication with cybersecurity. They also know that a healthcare practice needs their computer systems and are sensitive to downtime. They can do a lot of damage.”

    And then there are the threats that exist in gray area. APWHC does not have Wi-Fi, because they ask their patients to stay off their phones for privacy purposes. Hales said one local anti-abortion group sends over a van that parks outside the clinic with a Wi-Fi node that broadcasts a network called Abortion Info. When patients connect to the network, they are taken to a website that looks like APWHC’s, but isn’t.

    “People automatically log in and the website looks exactly like our website,” Hales says. “It has all these cartoon videos that say things like ‘I’m going to stick in the speculum and rip the arm off.’ It’s creepy as shit.”

    Massachusetts recently banned this practice, but it demonstrates how the anti-abortion movement has embraced digital tools can to circumvent barriers they face in the physical world.

    The attacks against Whole Woman’s Health have since subsided, but who knows when they might strike again? There is no such thing as “perfect” cybersecurity

    Reply
32. October 5, 2017 at 6:40 pm

    Tomi Engdahl says:

    Russian intelligence reportedly breached the NSA in 2015, stealing cybersecurity strategy
    https://techcrunch.com/2017/10/05/russian-intelligence-reportedly-breached-the-nsa-in-2015-stealing-cybersecurity-strategy/?ncid=rss&utm_source=tcfbpage&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29&utm_content=FaceBook&sr_share=facebook

    MenuTechCrunch
    Russian intelligence reportedly breached the NSA in 2015, stealing cybersecurity strategy
    Posted 45 minutes ago by Devin Coldewey

    The NSA suffered a serious breach in 2015, exposing the agency’s cyberwarfare strategy, including its own defenses and methods of attacking foreign networks, reports The Wall Street Journal today. Russian intelligence is said to be behind the attack, and software from Russia-based Kaspersky labs is suggested to have been their vector.

    Amazingly, the data in question is reported to have been taken home by an NSA contractor, who was somehow compromised through their use of Kaspersky’s antivirus software. How exactly this would work is not explained, although it is speculated that it may be related to the practice of downloading and storing files it thought were suspicious (e.g. malware executables) on its servers. We’ve contacted the company for more information.

    https://www.wsj.com/articles/russian-hackers-stole-nsa-data-on-u-s-cyber-defense-1507222108

    Reply
33. October 5, 2017 at 6:42 pm

    Tomi Engdahl says:

    Russian Hackers Stole NSA Data on U.S. Cyber Defense
    https://www.wsj.com/articles/russian-hackers-stole-nsa-data-on-u-s-cyber-defense-1507222108

    The breach, considered the most serious in years, could enable Russia to evade NSA surveillance and more easily infiltrate U.S. networks

    Reply
34. October 5, 2017 at 6:45 pm

    Tomi Engdahl says:

    Cloudflare Bans Sites For Using Cryptocurrency Miners
    https://torrentfreak.com/cloudflare-bans-sites-for-using-cryptocurrency-miners-171004/

    BY ANDY ON OCTOBER 4, 2017 C: 19
    Web-based cryptocurrency miners became a big thing recently when The Pirate Bay trialed one to generate extra revenue. Now, however, TorrentFreak has learned that Cloudflare has banned at least one torrent proxy site for deploying a miner on its platform. According to Cloudflare, unannounced miners are considered malware.

    Reply
35. October 6, 2017 at 9:05 am

    Tomi Engdahl says:

    Apple Releases macOS High Sierra 10.13 Supplemental Update With Fix for APFS Disk Utility Bug and Keychain Vulnerability
    https://www.macrumors.com/2017/10/05/apple-releases-macos-high-sierra-10-13-supplemental-update/

    Apple today released a supplemental update to macOS High Sierra 10.13, the first update to the macOS High Sierra operating system that was released to the public in late September. The macOS High Sierra 10.13 update comes just over one week after the release of macOS High Sierra.

    The new version of macOS High Sierra 10.13 is a free update for all customers who have a compatible machine. The update can be downloaded using the Software Update function in the Mac App Store.

    Reply
36. October 6, 2017 at 9:09 am

    Tomi Engdahl says:

    Another W3C API exposing users to browser snitching
    Web Payments API bugs, or perhaps features, can be abused: Lukasz Olejnik
    https://www.theregister.co.uk/2017/10/06/another_w3c_api_exposing_users_to_browser_snitching/

    Yet another W3C API can be turned against the user, privacy boffin Lukasz Olejnik – this time, it’s in how browsers store and check credit card data.

    As is so often the case, a feature created for convenience can be abused in implementation. To save users from the tedious task of entering the 16 characters of their credit card numbers, four for date, and three for CCV number, the Web Payments API lets Websites pull numbers stored in browsers.

    Olejnik, security and privacy researcher, writes that even without a full privacy assessment, it was easy to discover some serious vectors for misuse: fingerprinting, a frequent interest of Olejnik’s; and in Chrome, he found a way to reliably detect users in “incognito” mode, “a thing that generally should not be possible”.

    Web Payments API is supported in Chrome and Edge, and is on the real-soon-now list in Firefox and WebKit.

    Privacy of Web Request API
    https://blog.lukaszolejnik.com/privacy-of-web-request-api/

    Simple payment standard will be the new cool thing web browsers can do. This happens thanks to W3C Payment Request API. Early on it has been even featured in the New York Times and rightly so, as it has a big potential. Why?

    Web Payment API works as follows:

    payment process is initiated by the site
    browser takes control; the user either can provide payment method such as a credit card, then a CVV number, and that’s it.

    All using a standard, intuitive, browser-supported display messages. Payment Request API is now supported in Chrome and Edge, and will soon ship to Firefox and WebKit.

    A lot of thought and resources went into the development of Payment Request API, including considering its security and privacy aspects. Still, it’s often difficult to design things considering all possible misuse scenarios. In this post, I’m including just a small addition. I’m not providing a comprehensive privacy review of the specification. My focus is put on a particular and possibly most troubling aspect

    This aspect enables:

    In general, fingerprinting and possibly profiling, and…
    In Chrome browser – detecting incognito (a.k.a. private browsing mode) mode reliably, a thing that generally should not be possible

    Reply
37. October 6, 2017 at 10:25 am

    Tomi Engdahl says:

    Dumb bug of the week: Apple’s macOS reveals your encrypted drive’s password in the hint box
    High Sierra update derided by devs as half-baked
    https://www.theregister.co.uk/2017/10/05/apple_patches_password_hint_bug_that_revealed_password/

    Apple on Thursday released a security patch for macOS High Sierra 10.13 to address vulnerabilities in Apple File System (APFS) volumes and its Keychain software.

    Matheus Mariano, a developer with Brazil-based Leet Tech, documented the APFS flaw in a blog post a week ago, and it has since been reproduced by another programmer, Felix Schwartz.

    The bug (CVE-2017-7149) undoes the protection afforded to encrypted volumes under the new Apple File System (APFS).

    Reply
38. October 6, 2017 at 10:26 am

    Tomi Engdahl says:

    Russian spies used Kaspersky AV to hack NSA contractor, swipe exploit code – new claim
    https://www.theregister.co.uk/2017/10/05/anonymous_report_russian_spies_used_kaspersky_lab_software_to_steal_nsa_secrets/

    Russian government spies extracted NSA exploits from a US government contractor’s home PC using Kaspersky Lab software, anonymous sources have claimed.

    The clumsy snoop broke regulations by taking the classified code, documentation and other materials home to work on using his personal computer, which was running Kaspersky’s antivirus, sources told the Wall Street Journal. It is alleged Kremlin hackers exploited the security package in one way or another to identify those sensitive files and exfiltrate them.

    In effect, it means the Russian government has copies of the NSA’s tools used to exploit vulnerabilities in computer systems and equipment to spy on other nations and targets. It also means Russia can turn the cyber-weapons on American corporations, government agencies and other networks, and steal secrets, cause merry havoc, and so on.

    The theft, reported today, is said to have occurred in 2015, but apparently wasn’t discovered until earlier this year.

    The allegedly stolen NSA code and dossiers sound an awful lot like the Shadow Brokers archive of stolen agency spyware. The brokers’ pilfered exploits dates back to 2013, though.

    Russian Hackers Stole NSA Data on U.S. Cyber Defense
    The breach, considered the most serious in years, could enable Russia to evade NSA surveillance and more easily infiltrate U.S. networks
    https://www.wsj.com/articles/russian-hackers-stole-nsa-data-on-u-s-cyber-defense-1507222108

    Reply
39. October 6, 2017 at 10:28 am

    Tomi Engdahl says:

    The NSA Officially Has a Rogue Contractor Problem
    https://www.wired.com/story/nsa-contractors-hacking-tools

    The NSA is one of the world’s most notoriously secretive and powerful government agencies, guarding its powerful hacking tools and massive caches of collected data under layers of security clearances and world-class technical protections. But it turns out that three times in three years, that expensive security has been undone by one of its own contract employees simply carrying those secrets out the door.

    In 2013, an NSA contractor named Edward Snowden walked out of the agency’s building in Oahu, Hawaii, carrying a USB drive full of thousands of top-secret documents. Last year, a 53-year-old Booz Allen contractor for the NSA named Hal Martin was arrested last year for taking 50 terabytes out of the agency over a period as long two decades. And Thursday, the Wall Street Journal reported that in 2015, a third contract employee of the NSA in as many years took home a trove of classified materials that included both software code and other information that the agency uses in its offensive hacking operations, as well as details of how it protects US systems from hacker adversaries.

    That classified data, which wasn’t authorized to be removed from the perimeter of the facility where that contractor worked, was then stolen from the contractor’s home computer by Russian spies, who exploited the unnamed employee’s installation of antivirus software from Kaspersky, a Russian company. And while that revelation has raised yet another round of serious concerns and unanswered questions about Kremlin spying and the role of Kaspersky’s widely used commercial software, it also points to a more fundamental security problem for the NSA: The own-goals it has committed, as a series of its paid employees spill some of its most sensitive secrets—including its intensely guarded and dangerous hacking techniques.

    Going Rogue

    The revelation of the latest unidentified contractor, whose employer also hasn’t been publicly named, comes a year after Martin was caught leaving sensitive data on hard drives in his home and car, a collection that included 75 percent percent of the hacking tools used by the NSA’s elite hacking team, known as Tailored Access Operations, according to the Washington Post. Prosecutors in Martin’s case have said the data also contained the highly secret identities of undercover agents.

    It’s not yet clear if either Martin or the most recent contractor to breach the agency’s secrecy rules had any intention of selling or exploiting the documents they took. The latest incident in particular seems to be a case of carelessness, rather than profit or malice, according to the Wall Street Journal’s reporting. Both of those leaks contrast with the whistleblowing-motivated data thefts of Edward Snowden—another Booz Allen contractor—who stole his thousands of top secret files with the intention of giving them to media.

    Reply
40. October 6, 2017 at 11:07 am

    Tomi Engdahl says:

    John Kelly’s personal cellphone was compromised, White House believes
    http://www.politico.com/story/2017/10/05/john-kelly-cell-phone-compromised-243514

    White House tech support discovered the suspected breach after Kelly turned his phone in to tech support staff this summer.

    White House officials believe that chief of staff John Kelly’s personal cellphone was compromised, potentially as long ago as December, according to three U.S. government officials.

    The discovery raises concerns that hackers or foreign governments may have had access to data on Kelly’s phone while he was secretary of Homeland Security and after he joined the West Wing.

    Tech support staff discovered the suspected breach after Kelly turned his phone in to White House tech support this summer complaining that it wasn’t working or updating software properly.

    Kelly told the staffers the phone hadn’t been working properly for months, according to the officials.

    White House aides prepared a one-page September memo summarizing the incident, which was circulated throughout the administration.

    A White House spokesman said Kelly hadn’t used the personal phone often since joining the administration. This official said Kelly relied on his government-issued phone for official communications.

    The official, who did not dispute any of POLITICO’s reporting on the timeline of events or the existence of the memo, said Kelly no longer had possession of the device but declined to say where the phone is now.

    Reply
41. October 7, 2017 at 7:47 am

    Tomi Engdahl says:

    Amber Rudd: viewers of online terrorist material face 15 years in jail
    https://www.theguardian.com/uk-news/2017/oct/03/amber-rudd-viewers-of-online-terrorist-material-face-15-years-in-jail?CMP=share_btn_fb

    Tightening of law around viewing terrorist material is response to increasing frequency of UK attacks

    People who repeatedly view terrorist content online could face up to 15 years behind bars in a move designed to tighten the laws tackling radicalisation the home secretary, Amber Rudd, is to announce on Tuesday.

    A new maximum penalty of 15 years’ imprisonment will also apply to terrorists who publish information about members of the armed forces, police and intelligence services for the purposes of preparing acts of terrorism.

    The tightening of the law around viewing terrorist material is part of a review of the government’s counter-terrorism strategy following the increasing frequency of terrorist attacks in Britain this year.

    Reply
42. October 7, 2017 at 2:41 pm

    Tomi Engdahl says:

    Russian Hackers Stole NSA Hacking Tools Using Kaspersky Software
    https://gbhackers.com/nsa-hacking-tools/

    Russian Government Hackers are using Kaspersky software to stole NSA Advance cyber Weapons such as secret spying tools from NSA Contractor Personal Home Computer who has been used the Russian Based Kaspersky Security Products.

    This Incident reported by The Wall Street Journal says, Stolen Information are Highly Sensitive Data such as how the NSA penetrates foreign computer networks.

    Reply
43. October 7, 2017 at 7:02 pm

    Tomi Engdahl says:

    Dustin Volz / Reuters:
    US House Committee on Science, Space and Technology sets hearing on Kaspersky Lab for Oct. 25

    U.S. House committee calls new hearing on Kaspersky software
    http://www.reuters.com/article/us-usa-kaspersky-hearing/u-s-house-committee-calls-new-hearing-on-kaspersky-software-idUSKBN1CB2K6

    WASHINGTON (Reuters) – A U.S. House of Representatives committee said on Friday that it has scheduled a new hearing on Kaspersky Lab software as lawmakers review accusations that the Kremlin could use its products to conduct espionage.

    Kaspersky Lab has strongly denied those allegations, which last month prompted the Trump administration to order civilian government agencies to purge the software from its networks, and agreed to send Chief Executive Eugene Kaspersky to Washington to testify before Congress.

    Reply
44. October 8, 2017 at 9:38 pm

    Tomi Engdahl says:

    Activism on digital AR space:

    Jeff Koons’ augmented reality Snapchat artwork gets ‘vandalized’
    https://techcrunch.com/2017/10/08/jeff-koons-augmented-reality-snapchat-artwork-gets-vandalized/?utm_source=tcfbpage&sr_share=facebook

    Earlier this week, Snapchat launched a new augmented reality art exhibiting feature as part of a collaboration with the artist Jeff Koons. ART, as it’s called, will plaster the digital artwork and sculptures of artists into geo-tagged physical locations across the world that viewers can see as a Lens inside the Snapchat app.

    The group didn’t hack Snap’s servers to vandalize the sculpture, the work is more simply a 3D digital recreation of the work placed on top of a photo of the same geo-tagged location as Koons’ work.

    Reply
45. October 9, 2017 at 9:32 am

    Tomi Engdahl says:

    Did you know that it’s National Cyber Security Awareness Month? It is!

    https://staysafeonline.org/ncsam/

    Reply
46. October 9, 2017 at 2:03 pm

    Tomi Engdahl says:

    Cyberstalking Suspect Arrested After VPN Providers Shared Logs With the FBI
    https://yro.slashdot.org/story/17/10/08/029217/cyberstalking-suspect-arrested-after-vpn-providers-shared-logs-with-the-fbi

    “VPN providers often advertise their products as a method of surfing the web anonymously, claiming they never store logs of user activity,” writes Bleeping Computer, “but a recent criminal case shows that at least some do store user activity logs.” According to the FBI, VPN providers played a key role in identifying an aggressive cyberstalker by providing detailed logs to authorities, even if they claimed in their privacy policies that they don’t.

    Cyberstalking Suspect Arrested After VPN Providers Shared Logs With the FBI
    https://www.bleepingcomputer.com/news/security/cyberstalking-suspect-arrested-after-vpn-providers-shared-logs-with-the-fbi/

    VPN providers often advertise their products as a method of surfing the web anonymously, claiming they never store logs of user activity, but a recent criminal case shows that at least some, do store user activity logs.

    The case in question is of Ryan Lin, a 24-year-old man from Newton, Massachusetts, arrested on Thursday, October 5, on charges of cyberstalking.

    According to an FBI affidavit published by the US Department of Justice, Lin is accused of harassing and cyberstalking an unnamed 24-year-old woman — referred to under the generic name of Jennifer Smith — between April 2016 and up until his arrest.

    Suspect hid behind VPNs, Tor, ProtonMail

    For all of these actions, the suspect used ProtonMail, VPN clients, and Tor to hide his identity. After local police investigated all the victim’s complaints for almost a year, they called in the FBI to help.

    The FBI found their first evidence at one of Lin’s former employers. The company had reinstalled Lin’s work computer after he left, but the FBI was able to find various artifacts in the hard drive’s unallocated disk space.

    VPN activity logs tie Lin to Smith’s harassment

    Yet, the most conclusive evidence came after the FBI managed to obtain logs from two VPN providers — PureVPN and WANSecurity.

    Ironically, FBI agents also found tweets in which Lin was warning other users that VPN providers store activity logs, advice he didn’t follow himself.

    Reply
47. October 9, 2017 at 2:24 pm

    Tomi Engdahl says:

    SSH 7.6 drops support for SSHv1, splats bugs

    Sysadmins and developers alike, pay heed: the folk who tend SSH have pushed out a new version with a bunch of security patches and bug fixes.

    Calling the release “primarily a bugfix”, the maintainers also note that OpenSSH 7.6 “contains substantial internal refactoring”.

    Those deploying or writing to 7.6 are given notice of five details that might break existing implementations: SSHv1 support is gone, as is support for the hmac-ripemd160 message authentication code (MAC).

    The deprecated arcfour, blowfish and CAST ciphers have been consigned to memory, RSA keys less than 1,024 bits long will be refused, and CBC (cipher block chaining) will no longer be offered by default.

    Source:
    https://www.theregister.co.uk/2017/10/06/security_roundup/

    Reply
48. October 10, 2017 at 8:08 pm

    Tomi Engdahl says:

    In recent months, Deloitte has introduced multi-factor authentication and encryption software to try to stop further hacks.

    Dmitri Sirota, co-founder and CEO of the cybersecurity firm BigID, warned that many companies had failed to use such methods because they were inconvenient and complex.

    “Privileged accounts are like keys that unlock everything, from the castle to the treasury. They provide unfettered access to all systems, which is why they are so valuable.

    “Organisations are monitoring databases, not the data in it. It’s hard to detect changes, prevent incidents or compare your data to notice breached information unless you have an inventory of what you have.”

    Source: https://www.theguardian.com/business/2017/oct/10/deloitte-hack-hit-server-containing-emails-from-across-us-government

    Reply
49. October 10, 2017 at 8:18 pm

    Tomi Engdahl says:

    Researcher finds OnePlus’ OxygenOS does not anonymize telemetry data, lacks an opt-out setting — OxygenOS, a custom version of the Android operating system that comes installed on all OnePlus smartphones, is tracking users actions without anonymizing data, allowing OnePlus to connect each phone to its customer.

    OxygenOS Telemetry Lets OS Maker Tie Phones to Individual Users
    https://www.bleepingcomputer.com/news/mobile/oxygenos-telemetry-lets-os-maker-tie-phones-to-individual-users/

    OxygenOS, a custom version of the Android operating system that comes installed on all OnePlus smartphones, is tracking users actions without anonymizing data, allowing OnePlus to connect each phone to its customer.

    A security researcher going by the pseudonym of Tux discovered the abusive tracking in July 2016, but his tweet went largely unnoticed in the daily sea of security tweets sent out each day.

    The data collection issue was brought up to everyone’s attention again, today, after British security researcher Christopher Moore published the results of a recent study on his site.

    OnePlus caught collecting trove of sensitive details

    Just like Tux, Moore discovered that OxygenOS was sending regular telemetry to OnePlus’ servers. This is no issue of concern, as almost all applications these days collect telemetry data for market analytics and to identify and debug application flaws.

    In almost all cases, when vendors collect this data, they make sure not to include details that may reveal information about the user’s real-world identity.

    The problem is that OnePlus is not anonymizing this information.

    OnePlus OxygenOS built-in analytics
    https://www.chrisdcmoore.co.uk/post/oneplus-analytics/

    Reply
50. October 10, 2017 at 8:22 pm

    Tomi Engdahl says:

    Melanie Ehrenkranz / Gizmodo:
    In the wake of Las Vegas shooting, YouTube has blocked some videos showing how to modify guns to fire more rapidly and updated its guidelines

    YouTube Bans Some Gun Modification Tutorials, But Plenty Remain
    https://gizmodo.com/youtube-bans-some-gun-modification-tutorials-but-plent-1819278915

    Fifty-eight people were killed in the Las Vegas massacre last week, the deadliest mass shooting in modern US history. Seventeen guns were found in gunman Stephen Paddock’s hotel room, including a dozen that had been modified with a “bump stock,” an added part that allowed the guns to fire more rapidly. And up until today, anyone with access to YouTube could watch a tutorial on how to modify their guns in the exact same way. Now those videos are not allowed.

    Reply