Security trends 2017

Year 2017 will not bring any turn towards better data security. The internet is rife with well-known as well as unknown threats, and companies' systems are expected to be protected against both. Hackers are going to continue to look for new ways to extort and steal information from businesses and organizations, which unfortunately means those businesses and organizations will have to continue to look for new ways to protect themselves.

Critical infrastructure comes under attack in 2017. Critical infrastructures must be better protected from criminals and terrorists who take advantage of the modern technologies that are essential for the functioning of society and the economy. The IT security of industrial control systems (ICS), energy grids and IoT networks needs to be improved in 2017.

There is a push for better web security in 2017. Starting on New Year’s Day, Google’s Chrome will begin labeling as “insecure” all websites that transmit passwords or ask for credit card details over plain-text HTTP. Beginning in January 2017 (Chrome 56), HTTP sites that transmit passwords or credit cards are marked as non-secure, as part of a long-term plan to mark all HTTP sites as non-secure.

SHA-1 is insecure. Starting on Jan 1, 2017, most CAs will migrate to SHA-2 certificates, and the major browser makers, including Microsoft, Google and Mozilla, have already announced plans to adopt the change. Their browsers will no longer trust sites that use SHA-1 from that date and will mark these websites as insecure. One third of websites still use SHA-1 certificates despite the looming deadline. SHA-1 will still hang around, like a fart in a spacesuit, for many years to come because some people are lazy enough not to make the change.
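Whether a site still depends on SHA-1 can be read straight from the certificate's outer signatureAlgorithm field. The following is an added example, not code from the original post: a minimal DER reader that walks Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }, decodes the algorithm OID and flags the SHA-1 variants. The two certificates it inspects are constructed stand-ins whose tbsCertificate and signature are placeholder bytes; only the OID is real.

```python
# Signature-algorithm OIDs from RFC 3279 / RFC 4055 / RFC 5758.
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}
SHA1_NAMES = {"sha1WithRSAEncryption", "ecdsa-with-SHA1"}


def read_tlv(buf, pos):
    """Read one DER tag-length-value starting at buf[pos]; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(data):
    """Decode the content bytes of a DER OBJECT IDENTIFIER into dotted form."""
    arcs = [data[0] // 40, data[0] % 40]    # first byte packs the first two arcs
    value = 0
    for b in data[1:]:
        value = (value << 7) | (b & 0x7F)   # base-128, high bit set on continuation bytes
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def signature_algorithm(cert_der):
    """Return (dotted OID, name) of a DER certificate's outer signatureAlgorithm."""
    tag, body, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("Certificate must be a SEQUENCE")
    _, _, pos = read_tlv(body, 0)           # skip tbsCertificate
    tag, alg, _ = read_tlv(body, pos)       # AlgorithmIdentifier SEQUENCE
    if tag != 0x30:
        raise ValueError("signatureAlgorithm must be a SEQUENCE")
    tag, oid, _ = read_tlv(alg, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier must start with an OID")
    dotted = decode_oid(oid)
    return dotted, SIGNATURE_OIDS.get(dotted, "unknown")


def uses_sha1(cert_der):
    """True when the certificate is signed with a SHA-1 based algorithm."""
    return signature_algorithm(cert_der)[1] in SHA1_NAMES


# --- constructed test certificates (placeholder bodies, real algorithm OIDs) ---
def der(tag, content):
    """Minimal DER encoder, used only to build the constructed certificates below."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def fake_cert(oid_bytes):
    tbs = der(0x30, der(0x02, b"\x01"))                     # placeholder tbsCertificate
    alg = der(0x30, der(0x06, oid_bytes) + der(0x05, b""))  # AlgorithmIdentifier { oid, NULL }
    sig = der(0x03, b"\x00" + b"\xAA" * 8)                  # placeholder BIT STRING signature
    return der(0x30, tbs + alg + sig)


SHA1_CERT = fake_cert(bytes.fromhex("2a864886f70d010105"))    # 1.2.840.113549.1.1.5
SHA256_CERT = fake_cert(bytes.fromhex("2a864886f70d01010b"))  # 1.2.840.113549.1.1.11

if __name__ == "__main__":
    for label, cert in (("sha1 cert", SHA1_CERT), ("sha256 cert", SHA256_CERT)):
        print(label, signature_algorithm(cert), "SHA-1:", uses_sha1(cert))
```

Real certificates have exactly the same outer layout, so a PEM file converted with the standard library's `ssl.PEM_cert_to_DER_cert()` can be passed to `uses_sha1()` directly. Note that the browser deadline concerns the leaf and intermediate certificates; a SHA-1 signature on a self-signed root is not what the browsers reject.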

There will be changes in how security is viewed in 2017 by businesses. We will likely see cloud adoption continue to grow across the United States, network visibility will no longer just be an option, AI and machine learning will shake old security models, and IoT-powered attacks will continue to rise. All of this will factor into how businesses set up, monitor and secure their networks.

The commoditization of cyberattacks will make them more frequent in 2017. More and more companies suffer business disruption due to cyber attacks. Cyber attacks cause companies significant financial losses, but studies show that companies are not prepared for attacks. According to Gartner, by 2018 only 40 per cent of large companies will have official plans for handling cyber attacks. Last year, the percentage was zero.

Strap yourself in for a bumpy ride in 2017. 2016 sucked. 2017 won’t be much better, sorry. DDoS attacks have been around since at least 2000, and they’re not going away. In fact, as the number of devices online grows, the volume and velocity of these attacks is also increasing. DDoS attack toolkits have been around for years, as have services that will enable you to pay for an attack. Expect to see more of them. It seems that 2017 promises to be the most dramatic year yet in DDoS conflict. Whale-sized DDoS attacks will increase, the IoT will become a bigger factor in DDoS, and DDoS will overshadow ransomware attacks and will be used for extortion. Expect to see the Internet of Things (IoT) and other connected devices play an important part in these attacks.

Biometric identification will become more common in 2017, but it will not replace passwords. Fingerprint identification has become increasingly common in smartphones, and the technology is already fast and reliable. This year biometric identification devices were sold for 4.5 billion dollars (most of them going into smartphones and laptops). 91 per cent of biometric sales were fingerprint sensors, four per cent face detection and three per cent iris detection.

Biometrics won’t kill passwords any time soon. Even though PIN codes and passwords are actually pretty lousy protection against a skilled cybercriminal, the password will never disappear entirely, as two per cent of the world’s population have fingerprints that are not suitable for biometric identification. Other biometric identification systems have similar limitations and/or are not yet commonly available at a reasonable cost. While biometrics, including fingerprint, face, iris, palm and speech recognition, will continue to grow as a more secure substitute for passwords, they will not render passwords obsolete. Until other biometrics become commonplace, passwords are here to stay, probably until circa 2030.

The fight over encryption and backdoors into it is not over in 2017. Many public figures in law enforcement have consistently argued that device encryption presents a new threat to police powers of investigation. On the other side, the House Judiciary Committee’s Encryption Working Group report says encryption backdoors pose a security threat, siding with tech experts. The problem is that any system allowing police to get into encrypted systems (be it a phone, a computer or communications) could also be exploited by criminals. Any action in this space should weigh short-term benefits against the long-term impacts. Many industry experts will rightly tell you there is no such thing as partial data encryption. You either have a fully capable system or none at all.

Given the security events of 2016, coupled with the rapid advancements and adoption of cloud computing, 2017 will be the year in which many finally accept that network infrastructure and security will have to be rethought from the ground up. In 2017 the cloud will become a risk for users: The cloud becoming insecure – extortion and IoT openings.

The arms race between network attacks and network security is accelerating. Crippling Internet services with denial of service attacks is becoming more common throughout the world. DDoS attacks have been around since at least 2000, and they’re not going away. In fact, as the number of devices online grows, the volume and velocity of these attacks is also increasing. IoT-powered attacks will continue to rise, and stopping an attack is not easy. For most companies the key thing is that the attack traffic is stopped before it reaches the company’s Internet connection or servers (which increases the need to use telecom operator and external services). In addition to disrupting service, denial of service attacks are often used as a distraction during the actual data theft. DDoS may take over from ransomware as a cause for concern.

In 2017 IT and security professionals will talk more about business risks. Historically, firewalls, DLP, antivirus, SIEM and other technical point solutions have been the centerpiece of security conversations, but the mindset is slowly shifting from technology to risk. The goal of stopping all attacks and preventing all business impact has been recognized as a fool’s errand, and has shifted to measuring risk and minimizing business impacts. Cyber security is increasingly being viewed as a risk management problem.

In 2017 ‘security’ must be added to our existing ethical and philosophical concerns over artificial intelligence and algorithms. Algorithms will soon run the world. They present problems that are seriously questioned on both ethical and philosophical grounds, and they have become the basis of fictional Armageddons.

Cyber insurance will increasingly be thought of as one solution for handling cyber risks in 2017. The global cyber insurance market is expected to generate $14 billion by 2022, according to a new report published by Allied Market Research (AMR). That figure represents an impressive compound annual growth rate (CAGR) of nearly 28% from 2016 to 2022.

In 2017 Big Brother will be watching you 24/7. Those of you who’ve read George Orwell’s book 1984 or seen the movie will remember how the citizens of the fictitious totalitarian state of Oceania are constantly under surveillance by order of its dictator, Big Brother. Now swap the fictitious telescreen for your home desktop computer, laptop or smartphone: not only are you sitting in front of a modern-day version of the Big Brother telescreen, you are also walking around with one in your pocket or handbag. Sound a bit far-fetched to you? Well, it’s set to become a reality in many countries.

Users will want better security, or at least to feel more secure, in 2017. Many people are prepared to go to extremes for better security. According to a recent Harris Poll survey of over 2,000 adults, nearly 40% of Americans would give up sex for a year, or eating their favourite food, in exchange for better online security, if it meant they’d never have to worry about being hacked. When you consider that 87 percent of U.S. adults use the internet, it makes sense that cyber security is one of the biggest concerns today. The single biggest thing people can do to help keep their online identity safe is probably the easiest: a solid password, and not giving it to other people. Still, nearly 50% of people have shared a password to an e-mail account or to an account like Netflix.

Security becomes a multi-system issue, and more people are talking about it. Design teams will have to bake security strategies in from the start, no matter how insignificant the device. The good news is that more people are talking about the issue. The real challenge is packing enough security features into designs to prevent security breaches of every sort, including those that can come from other electronics that weren’t even considered as part of the design process. Just as devices get more sophisticated, so do hackers. The reality is that security breaches can even cause physical harm. It’s time to look at this at a multi-system, multi-disciplinary level. Otherwise, we literally could be playing with fire.

Blockchains have been a big trend for several years. The blockchain market is fragmented as 2017 starts. During the autumn of 2016 we saw a number of cooperation initiatives between the financial sector and consulting companies. Microsoft has chosen the Ethereum blockchain as its platform and offers it on the Azure cloud service. IBM has jumped on the Hyperledger consortium bandwagon and offers its own blockchains on the Bluemix service. Google and Amazon are still conspicuous by their absence. Even banks may prefer to see blockchains run in the cloud.

Other prediction articles worth a look:

What Lies Ahead for Cybersecurity in 2017?

Network Infrastructure, Visibility and Security in 2017

DDoS in 2017: Strap yourself in for a bumpy ride

Cybersecurity Industry Outlook: 2017 to 2021 | CSO Online

IBM’s Cybersecurity Predictions for 2017 – eForensics

https://eforensicsmag.com/ibms-cybersecurity-predictions-2017/

Top 5 Cybersecurity Threats to Watch Out for in 2017

Experts Hopeful as Confidence in Risk Assessment Falls

3,151 Comments

  1. Tomi Engdahl says:

    Dan Goodin / Ars Technica:
    Researchers find malware with Stuxnet-style use of legitimate digital certificates is much more common than previously believed, going back as early as 2003

    Stuxnet-style code signing is more widespread than anyone thought
    Forgeries undermine the trust millions of people place in digital certificates
    https://arstechnica.com/information-technology/2017/11/evasive-code-signed-malware-flourished-before-stuxnet-and-still-does/

    One of the breakthroughs of the Stuxnet worm that targeted Iran’s nuclear program was its use of legitimate digital certificates, which cryptographically vouched for the trustworthiness of the software’s publisher. Following its discovery in 2010, researchers went on to find the technique was used in a handful of other malware samples both with ties to nation-sponsored hackers and, later on, with ties to for-profit criminal enterprises.

    Now, researchers have presented proof that digitally signed malware is much more common than previously believed. What’s more, it predated Stuxnet, with the first known instance occurring in 2003.

    Reply
  2. Tomi Engdahl says:

    Asn / Tor Blog:
    Tor releasing next-gen onion services with improved cryptography and authentication, a project four years in the making — Hello friends! — We are hyped to present the next generation of onion services! We’ve been working on this project non-stop for the past 4 years and we officially launched …

    Tor’s Fall Harvest: the Next Generation of Onion Services
    https://blog.torproject.org/tors-fall-harvest-next-generation-onion-services

    Reply
  3. Tomi Engdahl says:

    Synopsys will acquire Black Duck Software, a provider of software for securing and managing open source software. Synopsys already has a stake in this area from its Coverity acquisition in 2014, which it has been using to analyze security practices in open source software.

    Source: https://semiengineering.com/the-week-in-review-design-104/

    Reply
  4. Tomi Engdahl says:

    Estonia Blocks Electronic ID Cards Over Identity-Theft Risk
    http://www.securityweek.com/estonia-blocks-electronic-id-cards-over-identity-theft-risk

    Cyber-savvy Estonia said on Thursday it would suspend security certificates for up to 760,000 state-issued electronic ID-cards with faulty chips as of Friday midnight to mitigate the risk of identity theft.

    Dubbed E-stonia for being one of the world’s most wired nations, the Baltic eurozone state of 1.3 million people issues electronic ID cards giving citizens online access to virtually all public services at a special “e-government” state portal.

    IT security experts recently discovered a flaw in the Swiss-made chips used in the cards that makes them vulnerable to malware.

    As of October 31, all users of faulty ID cards can update their security certificates remotely and at Estonian police and border guard service points.

    As of Thursday night around 40,000 users had already done so.

    Reply
  5. Tomi Engdahl says:

    Savitech Audio Drivers Caught Installing Root Certificate
    http://www.securityweek.com/savitech-audio-drivers-caught-installing-root-certificate

    Savitech drivers used by several companies that provide specialized audio products expose computers to hacker attacks by installing a new root certificate into the Trusted Root Certification Authorities store in Windows.

    The USB audio drivers from Savitech, a company that offers application-specific integrated circuits for audio and video solutions, are used by several vendors. The CERT Coordination Center lists products from Accuphase, AsusTek, Audio-Technica, Creek Audio, EMC, FiiO Electronics, HiFime, Intos, JDS Labs, McIntosh Laboratory, ShenZhen YuLong Audio, Stoner Acoustics, Sybasonic, and TeraDak Audio as possibly being affected.

    Savitech used the “SaviAudio” root certificate as part of its effort to support the outdated Windows XP operating system, but the certificate is no longer installed by the latest version of the drivers released by the company.

    Vulnerability Note VU#446847
    Savitech USB audio drivers install a new root CA certificate
    https://www.kb.cert.org/vuls/id/446847

    Savitech provides USB audio drivers for a number of specialized audio products. Some versions of the Savitech driver package silently install a root CA certificate into the Windows trusted root certificate store.

    Savitech has released a new driver package to address the issue. Savitech drivers version 2.8.0.3 or later do not install the root CA certificate. Users still must remove any previously installed certificate manually.

    Reply
  6. Tomi Engdahl says:

    Stopping Threats Starts with Getting Back to the Basics
    http://www.securityweek.com/stopping-threats-starts-getting-back-basics

    Over the past year there have been a large number of high profile security breaches. Millions of organizations have been impacted. Tens of millions of names along with personally identifiable information have been stolen. Billions of dollars in damages have resulted. It’s almost like we haven’t been investing more time and money into cybersecurity than ever.

    But we have. So what’s going wrong?

    The majority of these breaches have one thing in common. IT teams are failing to practice basic security hygiene. Cybercriminals target known vulnerabilities because they know that most organizations will have failed to patch or replace their vulnerable devices.

    Of course, it’s easy to point a finger. But there are reasons why performing the basics has gotten away from us. Here are a few:

    Networks have gotten really complicated. IT teams used to have a pretty good handle on the network. But you can only add so many new ecosystems to a networked environment before your IT team is stretched to the breaking point. SDN, IoT, private clouds, multicloud, shadow IT, and the list goes on.

    Visibility has diminished. Dynamic scalability is really a wonderful thing. But when devices can exist on your network for only minutes, simply configuring and coordinating the application and removal of policies – especially across multiple hypervisors – can eat up a lot of IT resources. So maintaining a working inventory of things that need to be patched or updated in such an environment can be really hard. Add thousands or millions of new IoT devices, the ongoing challenge of BYOD, multiple cloud environments, and bringing OT online, and it’s easy to miss that device in the corner that desperately needs an update. But cybercriminals only need to compromise one device if it’s in the right place.

    Visibility isn’t just about tracking devices. We need to know what devices and resources applications can touch, where the data lives, who has access, and where the workflows go. Add offline devices, cloud based software and storage services, and increasingly, multiple cloud-based infrastructures, and keeping track of everything can be a full time job. But if you’re like most organizations, you didn’t get new IT budget to hire an engineer to do that.

    Part of the challenge is that we keep reinventing the wheel. And it wasn’t a particularly good wheel to begin with. Our approach to security has historically involved buying whatever cool new security tool was available to plug the security hole of the day, wherever it happened to be. Which means that we have deployed dozens of tools from a variety of vendors in our networks. And these tools don’t talk to each other or share information. Instead, IT teams manage them through an average of about fourteen different security consoles, which makes things like threat correlation nearly impossible. And then, when we add a new environment, like SDN or the cloud, we start all over again, and many times with different security vendors.

    Here are six things every organization needs to consider when approaching security, especially during the chaos and time pressures of a network undergoing digital transformation.

    1. Assume you will be compromised.
    2. Complexity requires simplicity.
    3. Implement inventory and IoC controls.
    4. Integration is king.
    5. Correlation saves networks.
    6. Automate your response.

    Of course, this sounds easier said than done. But it can be done. In fact, more and more organizations are doing it. They start with lots of planning. And the best place to start is by designing and deploying a security fabric that dynamically spans the entire distributed network, even into the multicloud.

    Reply
  7. Tomi Engdahl says:

    Stack Ranking SSL Vulnerabilities: DUHK and ROCA
    http://www.securityweek.com/stack-ranking-ssl-vulnerabilities-duhk-and-roca

    Even with catchy branding and cute mascot and a theme song, these two SSL/TLS vulnerabilities nearly went unnoticed last week. The WPA2 Key Reinstallation Attack (KRACK) overshadowed them both, vacuuming up the tech media attention.

    DUHK and ROCA are both implementation-specific vulnerabilities concerning one of my favorite topics, random number generators.

    The “Don’t Use Hardcoded Keys” (DUHK)
    The Green/Heninger/Cohney team didn’t invent anything new with DUHK; the ANSI X9.31 PRNG used in some ancient versions of FortiOS VPNs and firewalls has been known to be garbage for years because of its use of a static key. Fortinet patched the problem over three years ago, and if someone is still running software that old, they probably have easier vulnerabilities to target.

    Everything Old Is New Again

    The Return of Coppersmith’s Attack (ROCA) is also an ancient problem. And, like DUHK, ROCA is specific to a particular implementation—in this case, Infineon chipsets that are often used in smart cards and embedded, high-security (trusted computing) environments. The authors of ROCA claim these chipsets are found in FIPS 140-2 and CC EAL 5+ certified hardware, both of which are solutions you pay tens of thousands of dollars for to keep your private keys, well, private.

    The majority of keys vulnerable to ROCA are associated with smartcards (which are actually not smart at all, having very little in the way of computation power and thus need tricks like “fast prime” for generating keys). But researchers have found a handful of vulnerable TLS and Github keys.

    With ROCA, an attacker could factor a 2048-bit private key with $20,000 to $40,000 in CPU time. Factoring a 1024-bit key is only about $50 (peanuts)! ECC keys are probably not vulnerable to ROCA, though DH keys might be.

    Keep in mind that both DUHK and ROCA are limited to a handful of SSL/TLS sites, which is what we’re evaluating these vulnerabilities against.

    Reply
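The ROCA weakness described above can be recognised from the public modulus alone: the affected Infineon "fast prime" construction produces primes of the form k*M + (65537^a mod M), with M a primorial, so N mod p lies in the cyclic subgroup generated by 65537 for every small prime p dividing M. The following is an added example, not code from the article or the ROCA authors' own roca-detect tool: it recomputes that subgroup for each prime at runtime instead of using the published bitmasks, and the two moduli it classifies are constructed numbers, not real keys.

```python
from functools import reduce
from operator import mul

# First 38 odd primes: the small primes that the primorial M shares across all affected key sizes.
ROCA_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67, 71, 73,
               79, 83, 89, 97, 101, 103, 107, 109, 113, 127, 131, 137, 139, 149, 151, 157, 163, 167]
GENERATOR = 65537   # the exponent the fast-prime construction raises to modulo M


def subgroup_mod_p(g, p):
    """All residues reachable as g^k mod p, i.e. the cyclic subgroup generated by g."""
    members, x = set(), 1
    while True:
        x = (x * g) % p
        members.add(x)
        if x == 1:          # cycle closed; every power of g has been visited
            return members


def is_roca_fingerprint(n):
    """True if n mod p is a power of 65537 modulo p for every small prime p (ROCA structure)."""
    for p in ROCA_PRIMES:
        if n % p not in subgroup_mod_p(GENERATOR % p, p):
            return False    # a modulus from a normal prime generator fails almost immediately
    return True


def roca_report(n):
    """One-line verdict for a key inventory review."""
    return "ROCA fingerprint: rotate this key" if is_roca_fingerprint(n) else "no ROCA fingerprint"


# --- constructed test moduli (NOT real RSA keys) ---
M = reduce(mul, ROCA_PRIMES)                       # primorial of the primes above
VULNERABLE_N = pow(GENERATOR, 12345, M) + 7 * M    # has the 65537^a mod M structure by construction
SAFE_N = (1 << 2048) + 1                           # arbitrary large odd number; fails at p = 11

if __name__ == "__main__":
    for label, n in (("constructed vulnerable", VULNERABLE_N), ("constructed safe", SAFE_N)):
        print(f"{label}: {roca_report(n)}")
```

For a real key, pass the modulus integer (for example `public_numbers().n` from a key loaded with the third-party `cryptography` package, an assumption of this note rather than something the article shows). The check is a fingerprint, not a factorisation: a non-Infineon modulus passing all 38 primes by chance is vanishingly unlikely, but a positive should still be followed by key rotation and a check against the vendor's list of affected firmware.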
  8. Tomi Engdahl says:

    Over a million Android users fooled by fake WhatsApp app in official Google Play Store
    Rap for whack WhatsApp chat app chaps in ad crap flap
    http://www.theregister.co.uk/2017/11/03/fake_whatsapp_app/

    Once again Google’s Play Store has proved less than excellent at tackling malicious apps, after netizens found a fake version of WhatsApp that was good enough to fool over a million people into downloading it.

    The rogue program was spotted by Redditors earlier today, and the software looks very much like the real deal. However, when opened, it appears to download and run the real WhatsApp Android client albeit with adverts wrapped around it, making a fast buck for whichever miscreant produced this dodgy imitation.

    Reply
  9. Tomi Engdahl says:

    Inside story: How Russians hacked the Democrats’ emails
    https://www.apnews.com/dea73efc01594839957c3c9a6c962b8a/Inside-story:-How-Russians-hacked-the-Democrats'-emails

    It was just before noon in Moscow on March 10, 2016, when the first volley of malicious messages hit the Hillary Clinton campaign.

    The first 29 phishing emails were almost all misfires. Addressed to people who worked for Clinton during her first presidential run, the messages bounced back untouched.

    Except one.

    Within nine days, some of the campaign’s most consequential secrets would be in the hackers’ hands, part of a massive operation aimed at vacuuming up millions of messages from thousands of inboxes across the world.

    Reply
  10. Tomi Engdahl says:

    Mariella Moon / Engadget:
    Estonia freezes access to online services for 760K people using national ID cards until certificates potentially compromised via RSA security flaw are updated

    Estonia freezes resident ID cards due to security flaw
    The flaw makes Estonians vulnerable to identity theft.
    https://www.engadget.com/2017/11/04/estonia-freezes-resident-id-cards-security-flaw/

    Reply
  11. Tomi Engdahl says:

    AV-TEST, a security analyst, has tested anti-virus tools for Android phones. In a large test, many well-known software packages worked well.

    A number of products achieved the full 13 points: Ahnlab, Antiy, Bitdefender, Cheetah Mobile, G Data, Kaspersky, McAfee, Symantec, Tencent and Trend Micro.

    Google’s own Play Protect got only six points, all of them for usability. In practice, the tool is therefore easy to use but provides no protection. Google’s own tool recognized only 65.8 percent of the latest Android malware.

    F-Secure detected 81.9 percent of the latest Android malware in real time.

    Source: http://www.etn.fi/index.php/13-news/7113-f-secure-paerjaesi-surkeasti-android-suojaustestissae

    Reply
  12. Tomi Engdahl says:

    Call to Arms on Cybersecurity for Industrial Control
    https://www.eetimes.com/document.asp?doc_id=1332547&

    Since last spring, U.S. Department of Homeland Security warnings to manufacturers and infrastructure owners about industrial control systems’ vulnerabilities to cyberattack have grown increasingly dire. In October, those warnings were recast as stark realities when DHS and the FBI issued a joint technical alert confirming ICS cyberattacks against manufacturers as well as energy, nuclear, and water utilities. The breaches are part of a long-term campaign targeting small and low-security networks as vectors for gaining access to larger, high-value networks in the energy sector.

    The 2017 annual SANS Institute survey of ICS security practitioners found that nearly 69 percent describe the threats to their ICS as either high or severe/critical, but only 46 percent apply vendor-validated patches regularly, and 40 percent aren’t even sure whether their control systems were compromised during the previous year. On the plus side, awareness of, and budgets for, ICS security is increasing, the survey found. Yet external threats such as hacking are perceived as only slightly more dangerous than adding unprotected devices and “things” to the network.

    As more devices get connected to Industrial Internet of Things (IIoT) networks, increasingly sophisticated cyberthreats originally directed at IT environments are entering operational technology (OT) environments, including ICS, said Abhi Dugar, IDC’s research director for IoT security. Those threats pose very different and potentially larger, more hazardous risks as they migrate to OT environments, where potential targets include critical infrastructure such as power grids and dams.

    Reply
  13. Tomi Engdahl says:

    The Internet Sees Nearly 30,000 Distinct DoS Attacks Each Day: Study
    http://www.securityweek.com/internet-sees-nearly-30000-distinct-dos-attacks-each-day-study

    The incidence of denial-of-service (DoS) attacks has consistently grown over the last few years, “steadily becoming one of the biggest threats to Internet stability and reliability.” Over the last year or so, the emergence of IoT-based botnets — such as Mirai and more recently Reaper, with as yet unknown total capacity — has left security researchers wondering whether a distributed denial-of-service (DDoS) attack could soon take down the entire internet.

    The problem is there is no macroscopic view of the DoS ecosphere. Analyses tend to be by individual research teams examining individual botnets or attacks.

    The initial results, published in a paper (PDF) presented at IMC 2017 in London this week, took the researchers by surprise. In devising a methodology to assess the entire DoS ecosphere, they discovered “the massive scale of the DoS problem, including an eye-opening statistic that one-third of all /24 networks recently estimated to be active on the Internet have suffered at least one DoS attack over the last two years.”

    In developing their framework for a macroscopic evaluation of DoS, the researchers aggregated and analyzed data over the last two years from the UCSD Network Telescope — which captures evidence of DoS attacks that involve randomly and uniformly spoofed addresses — and the AmpPot DDoS honeypots — which witness reflection and amplification DoS attacks.

    The results are staggering. “Together,” say the researchers, “our data sets of attack events account for 20.90 M attacks, targeting 6.34 M unique IP addresses, over a two-year period.” The daily figures are no less surprising. By combining the direct attacks with the reflection attacks, the researchers discovered that the internet suffers an average of 28,700 distinct DoS attacks every day. This is claimed to be 1000 times greater than other reports have indicated.

    http://www.caida.org/publications/papers/2017/millions_targets_under_attack/millions_targets_under_attack.pdf

    Reply
  14. Tomi Engdahl says:

    AWS S3 Buckets at Risk of “GhostWriter” MiTM Attack
    http://www.securityweek.com/aws-s3-buckets-risk-ghostwriter-mitm-attack

    GhostWriter: Writable AWS S3 Buckets Could Be Exploited to Overwrite Existing Data and Files, or Upload Malware

    The exposure of sensitive data via misconfigured AWS S3 buckets has been regular over the last few years. In two months this summer, researchers discovered thousands of potentially sensitive files belonging to the U.S. National Geospatial-Intelligence Agency (NGA); information on millions of Verizon customers; and a database containing details of 198 million American voters.

    In each case a misconfiguration of the S3 buckets left the data freely accessible to anyone via the internet. Amazon’s ‘shared responsibility’ model clearly states that Amazon is responsible for security of the cloud (that is, the cloud infrastructure) while the customer is responsible for security in the cloud (that is, protecting data through AWS configuration and/or other means). In leaving the data open to public reads, S3 data exposure is clearly the fault of the customers and not Amazon.

    Now, however, Skyhigh Networks research has discovered that some AWS customers are also leaving their data open to public writes. Skyhigh calls this vulnerability, ‘GhostWriter’. In a blog post Friday, chief scientist & VP Eng., Sekhar Sarukkai, warned, “In such cases a 3rd party, unbeknownst to either the data owner or the data consumer, can launch a surreptitious man-in-the-middle (MITM) attack.”

    Vulnerable buckets found by Skyhigh — which has reported its findings to AWS — are owned by leading national news/media sites, large retail stores, popular cloud services, and leading advertisement networks. An adversary merely has to locate writable buckets to be able to overwrite existing data and files, or upload malware into the bucket.

    “Bucket owners who store JavaScript or other code should pay particular attention to this issue,” warns Sarukkai, “to ensure that 3rd parties don’t silently overwrite their code for drive-by attacks, bitcoin mining or other exploits. Even benign image or document content left open for overwriting can be exploited for steganography attacks or malware distribution.”

    Reply
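A defender's first check against GhostWriter-style exposure is to read the bucket policy and ACL for grants that let anonymous principals write. The following is an added example, not Skyhigh's or AWS's code: it evaluates a constructed bucket policy and ACL, in the same JSON shape the S3 API returns, and flags Allow statements that give Principal "*" an s3:PutObject-style action; the corrected policy beside it restricts uploads to a single role. The bucket name, account ID and role name are placeholders.

```python
import json
from fnmatch import fnmatchcase

# Actions that let a principal create, replace or delete objects (IAM actions are case-insensitive).
WRITE_ACTIONS = ("s3:putobject", "s3:putobjectacl", "s3:deleteobject", "s3:deleteobjectversion")
# ACL group URIs meaning "anyone on the internet" / "anyone with any AWS account".
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def principal_is_public(principal):
    """True for Principal "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def actions_grant_write(actions):
    """True if any action pattern (e.g. "s3:Put*", "s3:*", "*") covers a write action."""
    for pattern in _as_list(actions):
        pattern = pattern.lower()
        if any(fnmatchcase(write, pattern) for write in WRITE_ACTIONS):
            return True
    return False


def find_public_write_statements(policy_json):
    """Return (Sid, note) for every Allow statement that grants write access to everyone."""
    findings = []
    for i, st in enumerate(_as_list(json.loads(policy_json).get("Statement", []))):
        if st.get("Effect") != "Allow" or not principal_is_public(st.get("Principal")):
            continue
        if not actions_grant_write(st.get("Action", [])):
            continue
        note = ("public write narrowed only by a Condition; review it" if st.get("Condition")
                else "unconditional public write")
        findings.append((st.get("Sid", f"statement[{i}]"), note))
    return findings


def find_public_write_grants(acl):
    """Return ACL grants that give a public group write or full-control rights."""
    return [g for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("URI") in PUBLIC_GRANTEE_URIS
            and g.get("Permission") in ("WRITE", "WRITE_ACP", "FULL_CONTROL")]


# --- constructed inputs (placeholder bucket, account and role) ---
BUCKET_ARN = "arn:aws:s3:::example-static-site/*"
PUBLIC_READ = {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
               "Action": "s3:GetObject", "Resource": BUCKET_ARN}

VULNERABLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    PUBLIC_READ,
    {"Sid": "AnyoneCanUpload", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:PutObject", "s3:PutObjectAcl"], "Resource": BUCKET_ARN},   # the GhostWriter hole
]})

FIXED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    PUBLIC_READ,
    {"Sid": "DeployerUpload", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/site-deployer"},  # placeholder account/role
     "Action": ["s3:PutObject"], "Resource": BUCKET_ARN},
]})

PUBLIC_WRITE_ACL = {"Grants": [
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "WRITE"},
]}

if __name__ == "__main__":
    print("vulnerable policy:", find_public_write_statements(VULNERABLE_POLICY))
    print("fixed policy:", find_public_write_statements(FIXED_POLICY))
    print("public write ACL grants:", len(find_public_write_grants(PUBLIC_WRITE_ACL)))
```

The same functions accept the output of `aws s3api get-bucket-policy` and `aws s3api get-bucket-acl`. This is a static read of one bucket's own configuration: a Deny statement elsewhere, S3 Block Public Access settings at the bucket or account level, or an IAM policy can change the effective result, so treat a finding as a candidate to confirm against the account's actual access evaluation rather than a final verdict.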
  15. Tomi Engdahl says:

    Neos launches IoT-powered home insurance UK-wide
    https://techcrunch.com/2017/11/06/neos-launches-iot-powered-home-insurance-uk-wide/?ncid=rss&utm_source=tcfbpage&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29&sr_share=facebook

    Posted 11 hours ago by Natasha Lomas (@riptari)

    What do you get if you combine the Internet of Things with the business of home insurance? U.K. startup Neos is hoping the answer is prevention rather than (just) payouts.

    Its home insurance product is intended to lean on sensor tech and wireless connectivity to reduce home-related risks — like fire and water damage, break-ins and burglary — by having customers install a range of largely third-party internet-connected sensors inside their home, included in the price of the insurance product. So it’s a smart home via the insured backdoor, as it were.

    Reply
  16. Tomi Engdahl says:

    Boffins tear into IEEE’s tissue-thin anti-hacker chip blueprint crypto
    This kind of security should keep the likes of the NSA and pirates out, but doesn’t
    https://www.theregister.co.uk/2017/11/07/ieee_p1735_chip_design_insecurity/

    Several large gaps have been found in the IEEE’s P1735 cryptography standard that can be exploited to unlock or tamper with encrypted system-on-chip blueprints.

    The P1735 scheme was designed so that chip designers could, ideally, shield their intellectual property from prying eyes.

    When you’re creating a system-on-chip processor, you typically won’t want to craft it completely from scratch. You’ll most likely license various complex pieces – such as video encoders and decoders, wireless communications electronics, and USB controllers – and slot them onto your final die design alongside your own logic and CPU cores.

    These licensed components are quite valuable to their designers, though. As such they’ll want to protect them from being reverse engineered and cloned to be used for free by pirates. As such, the IEEE developed P1735, a standard for encrypting hardware designs to keep them confidential throughout the manufacturing process. This requires you use P1735-compliant engineering software to import the ciphered blocks and integrate them with your own logic before taping out your chip.

    However, according to a team at the University of Florida in the US this month, the standard is broken and potentially dangerous. It is possible to decrypt blueprints protected by P1735, and alter them to inject hidden malware.

    “We find a surprising number of cryptographic mistakes in the standard,” the research crew said.

    https://regmedia.co.uk/2017/11/06/ieeep1735.pdf

    Reply
  17. Tomi Engdahl says:

    How a Tiny Error Shut Off the Internet for Parts of the US
    https://www.wired.com/story/how-a-tiny-error-shut-off-the-internet-for-parts-of-the-us/

    A year ago, a DDoS attack caused internet outages around the US by targeting the internet-infrastructure company Dyn, which provides Domain Name System services to look up web servers. Monday saw a nationwide series of outages as well, but with a more pedestrian cause: a misconfiguration at Level 3, an internet backbone company—and enterprise ISP—that underpins other big networks. Network analysts say that the misconfiguration was a routing issue that created a ripple effect, causing problems for companies like Comcast, Spectrum, Verizon, Cox, and RCN across the country.

    Level 3, whose acquisition by CenturyLink closed recently, said in a statement to WIRED that it resolved the issue in about 90 minutes.

    The misconfiguration was a “route leak,” according to Roland Dobbins, a principal engineer at the DDoS and network-security firm Arbor Networks, which monitors global internet operations. ISPs use “Autonomous Systems,” also known as ASes, to keep track of what IP addresses are on which networks, and route packets of data between them. They use the Border Gateway Protocol (BGP) to establish and communicate routes.

    Reply
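A route leak is something an observer can detect from the AS_PATH alone, given a table of who is whose provider and who peers with whom. The check below is added here as an example (not from the WIRED story and not the real Level 3 topology) and assumes the usual Gao/Rexford model: a valid path, read from the origin outward, climbs customer-to-provider links, crosses at most one peering link, and then descends provider-to-customer links. Any "valley" (a route learned from a provider or peer and re-exported to another provider or peer) is the classic leak. The ASNs are private-range numbers picked for the example and the relationship table is constructed.

```python
"""Valley-free check: does an AS_PATH show a route leak?

Added example, not from the WIRED story and not the real Level 3 topology.
Assumption: the Gao/Rexford valley-free model. The ASNs are private-range
numbers chosen for the example; the relationship table is constructed."""

# (provider, customer) pairs and settlement-free peerings, as a detector's
# relationship database would hold them. Constructed sample.
PROVIDER_OF = {
    (65001, 65010),   # backbone A -> regional ISP
    (65002, 65010),   # backbone B -> the same regional ISP (multihomed)
    (65002, 65020),   # backbone B -> another customer
    (65010, 65030),   # regional ISP -> small origin network
}
PEERS = {frozenset((65001, 65002))}   # the two backbones peer with each other


def link_direction(sender, receiver):
    """Classify one hop, walking from the origin toward the observer."""
    if (receiver, sender) in PROVIDER_OF:
        return "up"        # customer announced the route to its provider
    if (sender, receiver) in PROVIDER_OF:
        return "down"      # provider announced the route to its customer
    if frozenset((sender, receiver)) in PEERS:
        return "peer"
    return "unknown"


def find_route_leak(as_path):
    """as_path in BGP order: the observer's neighbour first, the origin last.
    Returns None for a valley-free path, else the ASN that leaked: the first AS
    that forwarded a route it learned from a provider or peer on to another
    provider or peer. Raises on hops with no relationship on record, so an
    incomplete database never silently reports 'clean'."""
    raw = list(reversed(as_path))                                   # origin first
    hops = [asn for i, asn in enumerate(raw) if i == 0 or asn != raw[i - 1]]  # drop prepending
    descending = False                                              # seen a peer or down hop yet?
    for sender, receiver in zip(hops, hops[1:]):
        direction = link_direction(sender, receiver)
        if direction == "unknown":
            raise ValueError(f"no relationship on record for AS{sender}-AS{receiver}")
        if direction in ("up", "peer") and descending:
            return sender
        if direction in ("peer", "down"):
            descending = True
    return None


# Constructed announcements as seen by backbone B (legitimate) and by a
# customer of backbone A (leaked): 65010 learned 65020's route from its
# provider B and passed it up to its other provider A.
LEGITIMATE_PATH = [65002, 65001, 65010, 65030]
LEAKED_PATH = [65001, 65010, 65002, 65020]

if __name__ == "__main__":
    for path in (LEGITIMATE_PATH, LEAKED_PATH):
        leaker = find_route_leak(path)
        print(path, "-> valley-free" if leaker is None else f"-> leak by AS{leaker}")
```

In practice the relationship table comes from an inferred dataset and is never complete, which is why an unknown hop raises rather than passing: the gap is the finding.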
  18. Tomi Engdahl says:

    Twitter exploit let two pranksters post a 35,000-character tweet
    And you thought 280 was excessive.
    https://www.engadget.com/2017/11/06/twitter-exploit-let-two-pranksters-post-a-35-000-character-tweet/

    Over the weekend, two German Twitter users successfully broke the existing character limit by sending a 35,000-character tweet. By formatting a message as a URL with extensive gibberish, they were able to absurdly pollute followers’ timelines. Twitter soon removed it, but for a moment, all the complaints about the length of 280-character tweets seemed insignificant in the face of such a monster.

    User Timrasett paired up with another named HackneyYT to discover the exploit and tweet out the message. The original is gone now, but thanks to the power of the Internet Archive, you can see the colossus here in all its glory.

    Twitter temporarily banned the two users responsible, though their accounts are back online (after thanking Twitter and apologizing for crashing the site).

    Reply
  19. Tomi Engdahl says:

    Cisco borked its own BGP code in IOS XE, has since patched
    Wanna break the Internet? Start by not patching this problem
    https://www.theregister.co.uk/2017/11/07/cisco_patches_bgp/

    Cisco’s pushed a fix for a border gateway protocol (BGP) denial-of-service bug in its IOS XE operating system.

    Between a couple of releases of IOS, the company says it introduced a bug to its RFC 7432 implementation, which gives the system support for MPLS-based Ethernet VPNs.

    As a result, as Cisco’s advisory explains, a crafted BGP packet could crash the target system.

    While Switchzilla only grades the vulnerability as medium-severity, it’s worth noting that BGP is critical to the Internet’s backbone, and Cisco’s by far the dominant supplier of backbone routers.

    BGP problems – most commonly misconfigurations – are a common cause of serious outages.

    The bug exists in all Cisco IOS XE releases prior to version 16.3.

    Reply
  20. Tomi Engdahl says:

    Facebook legitimately wants you to send nudes

    Facebook’s testing a new method to prevent revenge porn that requires uploading your nudes
    https://techcrunch.com/2017/11/07/facebook-revenge-porn-strategy-involes-sending-nudes-to-self/?ncid=rss&utm_source=tcfbpage&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29&utm_content=FaceBook&sr_share=facebook

    Facebook is testing a new method to combat revenge porn in Australia, the Australia Broadcasting Corporation reports. The strategy entails uploading your nude photos or videos to Messenger in order to help Facebook tag it as non-consensual explicit media.

    Facebook is doing this in partnership with Australian government agency e-Safety in order to try to prevent people from sharing intimate images without consent. If someone fears they are at risk of revenge porn, they can contact e-Safety. The organization might then tell them to send a nude photo of themselves to themselves via Messenger. Facebook’s hashing system would then be able to recognize those images in the future without needing to store them on its servers.

    http://mobile.abc.net.au/news/2017-11-02/facebook-offers-revenge-porn-solution/9112420?pfmredir=sm

    Reply
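The point of the scheme is that the service keeps a hash, not the picture, and can still recognise the picture later. For that to survive re-encoding or a brightness change the hash has to be perceptual; a cryptographic hash such as SHA-256 changes completely on a one-pixel difference. The articles do not say which hash Facebook uses, so the block below, added here as an illustration and not Facebook's code, uses the simplest perceptual hash (an 8x8 "average hash") and Hamming distance for matching. The images are constructed 2-D lists of grey values, and the match threshold of 10 bits is an assumption.

```python
"""Perceptual 'average hash' of a grayscale image and Hamming-distance matching.

Added illustration, not Facebook's code. Which hash Facebook uses is not
stated in the articles; aHash stands in for it here. Images are plain 2-D
lists of 0..255 values, constructed inline."""

HASH_SIDE = 8   # 8x8 cells -> 64-bit hash


def average_hash(pixels):
    """pixels: list of rows of ints 0..255; width and height must be multiples
    of HASH_SIDE. Each bit records whether one cell's mean brightness is at or
    above the mean of all cells, so a uniform brightness shift changes nothing."""
    height, width = len(pixels), len(pixels[0])
    cell_h, cell_w = height // HASH_SIDE, width // HASH_SIDE
    cells = []
    for by in range(HASH_SIDE):
        for bx in range(HASH_SIDE):
            total = sum(pixels[y][x]
                        for y in range(by * cell_h, (by + 1) * cell_h)
                        for x in range(bx * cell_w, (bx + 1) * cell_w))
            cells.append(total / (cell_h * cell_w))
    mean = sum(cells) / len(cells)
    bits = 0
    for value in cells:
        bits = (bits << 1) | (1 if value >= mean else 0)
    return bits


def hamming(hash_a, hash_b):
    return bin(hash_a ^ hash_b).count("1")


def is_match(hash_a, hash_b, max_distance=10):
    """A few flipped bits out of 64 still count as the same picture;
    10 is an assumed operating point, to be tuned on real data."""
    return hamming(hash_a, hash_b) <= max_distance


# Constructed test images, 32x32.
def gradient(width=32, height=32, offset=0):
    """Diagonal brightness ramp; `offset` brightens every pixel uniformly."""
    return [[min(255, 3 * x + 2 * y + offset) for x in range(width)] for y in range(height)]


def inverted(pixels):
    return [[255 - v for v in row] for row in pixels]


if __name__ == "__main__":
    original = average_hash(gradient())
    print(f"stored hash: {original:016x}")
    print("brightened copy, distance:", hamming(original, average_hash(gradient(offset=30))))
    print("inverted image,  distance:", hamming(original, average_hash(inverted(gradient()))))
```

Two caveats a practitioner would raise: aHash is easy to defeat with a crop or rotation, so production systems use more robust hashes, and the 64-bit value still leaks a coarse outline of the image, which is why the hash, not just the photo, also needs access control.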
  21. Tomi Engdahl says:

    One Third of The Internet Has Seen a DDoS Attack In The Past Two Years
    http://securityaffairs.co/wordpress/65253/hacking/ddos-attack.html

    A group of researchers has conducted a rigorous comprehensive characterization of these DDoS attacks and of countermeasures to mitigate the associated risks.

    Denial of Service (DoS) attacks have been around about as long as computers have been network connected. A website’s purpose is to accept connections from the Internet and return information. A bad actor can take advantage of this setup to overwhelm the web server with so many connection requests that valid connections are denied. If your business relies on eCommerce to sell products, a DoS attack directly affects your revenue. For this reason, a lot of people work to find methods to guard against such attacks. And bad actors work to find new ways of overcoming such protections.

    Reply
  22. Tomi Engdahl says:

    The nasty future of ransomware: Four ways the nightmare is about to get even worse
    http://www.zdnet.com/article/the-nasty-future-of-ransomware-four-ways-the-nightmare-is-about-to-get-even-worse/

    WannaCry, NotPetya, Bad Rabbit, and others have demonstrated the power of ransomware — and new sneaky tricks are only going to make it an even bigger problem.

    Reply
  23. Tomi Engdahl says:

    Flaw crippling millions of crypto keys is worse than first disclosed
    https://arstechnica.com/information-technology/2017/11/flaw-crippling-millions-of-crypto-keys-is-worse-than-first-disclosed/

    Estonia abruptly suspends digital ID cards as crypto attacks get easier and cheaper.

    A crippling flaw affecting millions—and possibly hundreds of millions—of encryption keys used in some of the highest-stakes security settings is considerably easier to exploit than originally reported, cryptographers declared over the weekend.

    The critical weakness allows attackers to calculate the private portion of any vulnerable key using nothing more than the corresponding public portion. Hackers can then use the private key to impersonate key owners, decrypt sensitive data, sneak malicious code into digitally signed software, and bypass protections that prevent accessing or tampering with stolen PCs.

    When researchers first disclosed the flaw three weeks ago, they estimated it would cost an attacker renting time on a commercial cloud service an average of $38 and 25 minutes to break a vulnerable 1024-bit key and $20,000 and nine days for a 2048-bit key.

    Organizations known to use keys vulnerable to ROCA—named for the Return of the Coppersmith Attack the factorization method is based on—have largely downplayed the severity of the weakness.

    Netherlands-based smartcard maker Gemalto, meanwhile, has said only that its IDPrime.NET—a card it has sold for more than a decade as, among other things, a way to provide two-factor authentication to employees of Microsoft and other companies—”may be affected”

    On Friday, Estonia’s Police and Border Guard suspended an estimated 760,000 ID cards known to be affected by the crypto vulnerability.

    Estonia is almost certainly not the only country with a national ID card that’s vulnerable to ROCA. Researchers said cards issued by Slovakia also tested positive for the vulnerability.

    Bernstein and Lange said, may be to use fast graphics cards, which have the potential to shave the average cost of factorizing a vulnerable 2048-bit key to $2,000 in energy costs.

    Reply
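The practical question after this story is "which of my keys are affected?", and vulnerable keys can be recognised from the public modulus alone. The checker below is an added example, not the researchers' own tool (they published one). What it relies on comes from the public ROCA research rather than from the quoted text, so treat it as a stated assumption: the affected generator built each prime as p = k*M + (65537^a mod M), with M the product of the first 39 primes for 512-bit keys, so N = p*q is congruent to 65537^(a+b) modulo M and, for every small prime r dividing M, N mod r lies in the subgroup generated by 65537 mod r. An ordinary key fails that residue test for at least one r with overwhelming probability. The keys in the block are built on the spot: the "ROCA-style" one the way the flawed generator would, the others as ordinary primes.

```python
"""Fingerprint an RSA public modulus for the ROCA key-generation flaw.

Added example, not the researchers' tool. Assumption from the public ROCA
research: affected primes have the form k*M + (65537^a mod M), so N mod r
lies in <65537 mod r> for every small prime r dividing M. Keys below are
constructed here."""

GENERATOR = 65537
FIRST_39_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53,
                   59, 61, 67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113,
                   127, 131, 137, 139, 149, 151, 157, 163, 167]

M = 1                                   # primorial used for 512-bit keys (about 219 bits)
for _r in FIRST_39_PRIMES:
    M *= _r


def _subgroup(r):
    """All residues 65537^j mod r: the cyclic subgroup of (Z/rZ)* it generates."""
    g = GENERATOR % r
    members, x = set(), 1
    while x not in members:
        members.add(x)
        x = x * g % r
    return members


# r = 2 is skipped: every odd N passes it trivially.
FINGERPRINT = {r: _subgroup(r) for r in FIRST_39_PRIMES[1:]}


def looks_roca(n):
    """True if n passes the residue test for every small prime (the ROCA signature)."""
    return all(n % r in FINGERPRINT[r] for r in FINGERPRINT)


def is_probable_prime(n):
    """Miller-Rabin with fixed bases; deterministic below 3.3e24, ample for a demo above it."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2:
        return False
    for p in bases:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def roca_style_prime(a, k_start):
    """Smallest prime k*M + (65537^a mod M) with k >= k_start: the flawed generator's shape."""
    residue = pow(GENERATOR, a, M)
    k = k_start
    while not is_probable_prime(k * M + residue):
        k += 1
    return k * M + residue


def next_prime(n):
    """Ordinary prime search: first prime above n."""
    n = n + 1 if n % 2 == 0 else n + 2
    while not is_probable_prime(n):
        n += 2
    return n


def demo():
    """Returns (verdict for a ROCA-style 512-bit key, verdict for an ordinary one)."""
    flawed_n = roca_style_prime(a=123456, k_start=1 << 36) * roca_style_prime(a=654321, k_start=1 << 36)
    normal_n = next_prime(1 << 255) * next_prime((1 << 255) + 12345)
    return looks_roca(flawed_n), looks_roca(normal_n)


if __name__ == "__main__":
    flawed, normal = demo()
    print("ROCA-style key flagged:", flawed)   # True
    print("ordinary key flagged:  ", normal)   # False
```

Feed it the modulus of any RSA public key (certificate, SSH key, PGP key, TPM endorsement key) and a True is a key to replace now; the test is cheap enough to run across a whole certificate store.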
  24. Tomi Engdahl says:

    ‘Sowbug’ Hackers Hit Diplomatic Targets Since 2015
    http://www.securityweek.com/sowbug-hackers-focus-diplomatic-targets

    A cyberespionage group that has been active since at least early-2015 has been targeting organizations in South America and Southeast Asia, while focusing mainly on foreign policy institutions and diplomatic targets, Symantec reports.

    Called Sowbug by Symantec, the group is using a piece of malware called Felismus, which was detailed earlier this year. The malware is a modular Remote Access Trojan (RAT) that packs anti-analysis functions and self-updating routines, and which is capable of file upload, file download, file execution, and shell command execution.

    According to Symantec, the hackers managed to infiltrate organizations in Argentina, Brazil, Ecuador, Peru, Brunei and Malaysia with the purpose of stealing documents.

    “The group is well resourced, capable of infiltrating multiple targets simultaneously and will often operate outside the working hours of targeted organizations in order to maintain a low profile,” Symantec says.

    Reply
  25. Tomi Engdahl says:

    Google Patches Critical Bugs in Android
    http://www.securityweek.com/google-patches-critical-bugs-android

    Google on Monday released its November 2017 set of security patches for Android to address 31 vulnerabilities, 9 of which are remote code execution issues rated Critical severity. A total of 9 vulnerabilities are related to the recently revealed KRACK attack.

    The newly released Android Security Bulletin—November 2017 is split into three security patch levels. The 2017-11-01 and 2017-11-05 patch levels contain fixes for both Critical and High severity issues, while the 2017-11-06 patch level resolves only High risk KRACK vulnerabilities.

    The 11 issues addressed in Android with the 2017-11-01 security patch level include 6 Critical remote code execution flaws, 3 High severity elevation of privilege bugs, and 2 High severity information disclosure vulnerabilities.

    The Media framework was impacted the most, with 7 issues addressed in it, including 5 Critical. Impacted Android versions include 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, and 8.0.

    All 9 vulnerabilities addressed in 2017-11-06 security patch level are related to the KRACK attack revealed last month. Short for Key Reinstallation Attack, KRACK is an attack method leveraging bugs in the WPA2 protocol that secures modern Wi-Fi networks. The technique allows an attacker to access information believed to be encrypted and even inject or manipulate data.

    With industrial products also vulnerable to KRACK attacks, vendors began announcing patches for these bugs immediately after the attack went public. Apple addressed the flaws in multiple products with the release of security updates last week.

    Reply
  26. Tomi Engdahl says:

    Stopping Threats Starts with Getting Back to the Basics
    http://www.securityweek.com/stopping-threats-starts-getting-back-basics

    It doesn’t have to be like this. Here are six things every organization needs to consider when approaching security, especially during the chaos and time pressures of a network undergoing digital transformation.

    1. Assume you will be compromised.
    2. Complexity requires simplicity.
    3. Implement inventory and IoC controls.
    4. Integration is king.
    5. Correlation saves networks.
    6. Automate your response.

    As much as possible, the network should be able to respond to an attack or vulnerability without human intervention. Patches should be applied, unpatchable or compromised systems should be quarantined, security rules should be updated, and systems should be hardened without relying on human beings. Adding things like machine learning and AI allows the network to make autonomous decisions as close to the point of compromise as possible. The goal is to reduce that gap between detection and response as much as possible, and that means making decisions at digital speeds.

    Reply
  27. Tomi Engdahl says:

    Privileged Accounts Still Poorly Managed
    http://www.securityweek.com/privileged-accounts-still-poorly-managed

    Despite Continuous Warnings, Organizations Fail to Protect Privileged Accounts

    Privileged accounts are a primary target for both cyber criminals and nation-state adversaries. If they are lost, the castle will fall. Despite this, the defense of privileged account credentials still leaves much to be desired. A 2016 survey of 500 professionals indicated that nearly 70% of respondents were using ‘home-grown’ solutions to manage accounts.

    Little seems to have changed. This week, a separate survey indicates that 37% of respondents use internally developed tools or scripts, 36% use a spreadsheet, and 18% use paper-based tracking to manage at least some of their administrative and other privileged accounts. In fact, 67% of organizations use two or more tools to manage these accounts, suggesting widespread inconsistency in privileged account management.

    Reply
  28. Tomi Engdahl says:

    U.S. Government Warns of Weakness in IEEE Encryption Standard
    http://www.securityweek.com/us-government-warns-weakness-ieee-encryption-standard

    The United States Department of Homeland Security’s US-CERT has issued an alert to warn on cryptographic weaknesses impacting the IEEE P1735 standard, which describes methods for encrypting electronic-design intellectual property and the management of access rights for such IP.

    The P1735 IEEE standard is used to ensure confidentiality and access control for the design of complex electronics design intellectual property (IP), where multiple IP owners are usually involved. Newly discovered weaknesses, however, reveal that the standard recommends poor cryptographic choices and is vague or silent on security critical decisions.

    The methods described in said Institute of Electrical and Electronics Engineers (IEEE) standard are flawed and enable an attacker to recover the entire underlying plaintext IP, United States Computer Emergency Readiness Team (US-CERT) warns.

    Because of these flaws, “implementations of IEEE P1735 may be weak to cryptographic attacks that allow an attacker to obtain plaintext intellectual property without the key, among other impacts,” an alert issued on Friday reads.

    Reply
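Neither this alert nor the Register piece earlier in this thread ("Boffins tear into IEEE's tissue-thin anti-hacker chip blueprint crypto") spells out the cryptographic mistakes, but both name the consequence: the encrypted blueprint can be altered to inject something hidden. The block below, added here as an illustration and not code from the standard, the paper, US-CERT or any EDA vendor, shows the general failure behind that consequence, encryption with no integrity check, and the encrypt-then-MAC fix. That the standard's scheme lacks integrity protection is taken from the linked University of Florida paper, not from the excerpts, so read it as a stated assumption. The Python standard library has no AES, so a keystream derived from HMAC-SHA256 stands in for the cipher; bit-flipping works the same way against any unauthenticated cipher mode. The "IP block" is a constructed three-line Verilog fragment, and the keys and nonce are fixed for the demo.

```python
"""Why encryption without integrity lets a stranger edit an encrypted design.

Added illustration; not code from the Register story, the US-CERT alert or the
IEEE standard. Assumption (from the linked paper, not the excerpts): the IP is
encrypted with no integrity check. HMAC-SHA256 keystream stands in for AES."""
import hashlib
import hmac

TAG_LEN = 32


def _keystream(key, nonce, length):
    """PRF-in-counter-mode keystream (toy stand-in for AES-CTR)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_only(key, nonce, data):
    """A confidentiality-only scheme: C = P xor keystream."""
    return bytes(p ^ k for p, k in zip(data, _keystream(key, nonce, len(data))))


decrypt_only = encrypt_only   # xor is its own inverse


def flip_known_text(ciphertext, offset, old, new):
    """Attacker step, no key needed: because C = P xor KS, xoring the
    ciphertext with (old xor new) rewrites the plaintext at `offset`, provided
    the attacker knows `old` sits there (boilerplate in a netlist qualifies)."""
    edited = bytearray(ciphertext)
    for i, (o, n) in enumerate(zip(old, new)):
        edited[offset + i] ^= o ^ n
    return bytes(edited)


def encrypt_then_mac(enc_key, mac_key, nonce, data):
    """The fix: a MAC over nonce and ciphertext, verified before any decryption."""
    ct = encrypt_only(enc_key, nonce, data)
    return ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def decrypt_verified(enc_key, mac_key, nonce, blob):
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext was modified; refusing to decrypt")
    return decrypt_only(enc_key, nonce, ct)


# Constructed 'licensed IP': a core whose debug port is tied off.
IP_BLOCK = (b"module crypto_core(input clk, output debug_port_en);\n"
            b"  assign debug_port_en = 1'b0;\n"
            b"endmodule\n")
ENC_KEY, MAC_KEY, NONCE = b"E" * 32, b"M" * 32, b"constructed!"   # fixed for the demo


def demo():
    """Returns (what the tool decrypts under encrypt-only, whether the
    authenticated version rejected the same edit)."""
    offset = IP_BLOCK.index(b"1'b0")
    tampered = flip_known_text(encrypt_only(ENC_KEY, NONCE, IP_BLOCK), offset, b"1'b0", b"1'b1")
    injected = decrypt_only(ENC_KEY, NONCE, tampered)        # debug port silently enabled

    blob = flip_known_text(encrypt_then_mac(ENC_KEY, MAC_KEY, NONCE, IP_BLOCK), offset, b"1'b0", b"1'b1")
    try:
        decrypt_verified(ENC_KEY, MAC_KEY, NONCE, blob)
        rejected = False
    except ValueError:
        rejected = True
    return injected, rejected


if __name__ == "__main__":
    injected, rejected = demo()
    print(injected.decode())
    print("authenticated version rejected the edit:", rejected)
```

The attacker never learns the key and never decrypts anything; knowing where a predictable line sits in the plaintext is enough. An AEAD mode (AES-GCM, ChaCha20-Poly1305) is the production answer; the separate HMAC here just makes the check visible.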
  29. Tomi Engdahl says:

    Why Outdated Firmware Processes are Costing Your Business
    http://www.broadbandtechreport.com/webcasts/2017/11/why-outdated-firmware-processes-are-costing-your-business.html?cmpid=enl_btr_weekly_2017-11-07

    Upgrading firmware on gateways is time consuming and can introduce unexpected issues to customer services, however new firmware images are released on a weekly basis to add new functionality, patch security holes, increase stability, and improve broadband performance. How does your engineering and operations team determine if firmware updates are worth the hassle and risk of deployment?

    Reply
  30. Tomi Engdahl says:

    Parity calamity! Wallet code bug destroys $280 MEEELLION in Ethereum
    Punter ‘accidentally’ borks dozens of strangers’ crypto-currency collections
    http://www.theregister.co.uk/2017/11/07/parity_wallet_destroys_280m_ethereum/

    There’s a lot of hair-pulling among Ethereum alt-coin hoarders today – after a programming blunder in Parity’s wallet software let one person bin $280m of the digital currency belonging to scores of strangers, probably permanently.

    Parity, which was set up by Ethereum core developer Gavin Woods, admitted today that a user calling themselves devops199 had “accidentally” triggered a bug in its multi-signature wallets that hold Ethereum coins. As a result, wallets created after July 20 are now locked down and inaccessible, quite possibly permanently, thus nuking $90m of Woods’ own savings.

    Multi-signature wallets mean more than one person has to sign off on a transaction before funds are moved, and are popular with companies and investment groups looking to protect their assets. Unfortunately, Parity’s technology is seriously flawed: in July a hacker managed to exploit errors in the multi-signature code to steal about $30m in Ethereum.

    In response to that cockup, Parity updated its wallet software to address the vulnerability, and rolled out a new version. However, that update contained another disastrous bug, one that would lock people out of their wallets. It was set off by devops199 on Monday, affecting anyone who had installed the new code since its release.

    In a series of posts on GitHub, devops199 said they were a newbie to the crypto-currency system, and had created a multi-signature wallet in a way the software did not expect.

    https://github.com/paritytech/parity/issues/6995

    Reply
  31. Tomi Engdahl says:

    One in four UK workers maliciously leaks business data via email
    https://betanews.com/2017/11/06/business-data-email-leaks/

    New research into insider threats reveals that 24 percent of UK employees have deliberately shared confidential business information outside their company.

    The study from privacy and risk management specialist Egress Software Technologies also shows that almost half (46 percent) of respondents say they have received a panicked email recall request, which is not surprising given more than a third (37 percent) say they don’t always check emails before sending them.

    The survey of 2,000 UK workers who regularly use email as part of their jobs shows the biggest human factor in sending emails in error is listed as ‘rushing’ (68 percent). However alcohol also plays a part in eight percent of all wrongly sent emails — where are these people working!? Autofill technology, meanwhile, caused almost half (42 percent) to select the wrong recipient in the list.

    “Email is frequently misused by the UK workforce,” says Tony Pepper, CEO and co-founder of Egress. “While offending an accidental recipient may cause red faces, leaking confidential information can amount to a data breach. As we move towards the EU General Data Protection Regulation, it has never been more important to get a grip on any possible risk points within the organization and, as this research shows, email needs serious attention.”

    Reply
  32. Tomi Engdahl says:

    More than seven billion records exposed in 2017 data breaches
    https://betanews.com/2017/11/08/seven-billion-records-exposed-data-breach/

    The first three quarters of 2017 have seen 3,833 breaches reported, exposing over seven billion records, according to a new report.

    But the study by Risk Based Security reveals that 78.5 percent of all records exposed came from just five breaches. Compared to the same period in 2016, the number of reported breaches is up 18.2 percent and the number of exposed records is up 305 percent.

    The number of breaches confirmed to have exposed a million or more records now stands at 69 for the year. Inadvertent online disclosure remains the leading cause of records compromised in 2017, accounting for 68.5 percent of records exposed, but only 5.4 percent of the incidents reported, down from 7.1 percent of incidents at the midyear point.

    Hacking accounts for 52.1 percent of reported breaches, up from 41.6 percent at the mid year point. The percentage of records exposed due to hacking remained unchanged from mid year though, at 30.6 percent. Breaches involving US organizations account for 49.6 percent of incidents and 29.3 percent of records exposed.

    Reply
  33. Tomi Engdahl says:

    Donald Trump’s Twitter account was temporarily deleted by a disgruntled company employee
    How did that happen?
    https://www.recode.net/2017/11/3/16601626/donald-trump-twitter-account-deleted-employee

    President Donald Trump’s personal Twitter account was temporarily removed on Thursday after a Twitter employee purposefully deactivated the account.

    Trump’s @realDonaldTrump account went down for 11 minutes Thursday afternoon, and it was originally unclear why. Twitter later tweeted that it was because of “human error” and that the company was investigating further.

    In a tweet Thursday night, Twitter confirmed that the account was deactivated “by a Twitter customer support employee who did this on the employee’s last day.”

    The fact that a single Twitter employee can remove the account of the most powerful Twitter user on the planet is startling, to say the least. Two sources familiar with the company said that employees on Twitter’s Trust and Safety team have the ability to suspend or remove accounts, but a second source said that this is limited.

    This source added that Twitter once considered a safeguard in which it would require two employees to remove important, notable Twitter accounts, but that it has never been implemented.

    Rogue Twitter Employee Briefly Shuts Down Trump’s Account
    https://www.nytimes.com/2017/11/02/us/politics/trump-twitter-deleted.html

    Reply
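The safeguard the article says was considered and never built is a two-person rule: a destructive action on a flagged account goes through only with approvals from people other than the requester. The block below is an added sketch of that control, not Twitter's code; the handles, operator names and the protected list are constructed, and requiring exactly two approvers is an assumption.

```python
"""Two-person rule for deactivating high-impact accounts.

Added example of the safeguard the article says Twitter considered and never
implemented. Not Twitter's code; handles, operator names and the protected
list are constructed."""
from dataclasses import dataclass, field

PROTECTED = {"@realDonaldTrump", "@POTUS"}   # constructed list of high-impact accounts
AUDIT_LOG = []


@dataclass
class DeactivationRequest:
    account: str
    requested_by: str
    approvals: set = field(default_factory=set)

    def required_approvals(self):
        """Ordinary accounts: the requester alone suffices. Protected ones need
        two other people; 2 is the assumed figure."""
        return 2 if self.account in PROTECTED else 0

    def approve(self, operator):
        if operator == self.requested_by:
            raise PermissionError("the requester cannot approve their own request")
        self.approvals.add(operator)   # a set: one person approving twice still counts once

    def may_execute(self):
        return len(self.approvals) >= self.required_approvals()


def deactivate(request):
    """The one code path every deactivation tool must call. Returns True when
    the account was deactivated, False when the rule blocked it; either way
    the attempt is logged, so a last-day surprise leaves a trail."""
    allowed = request.may_execute()
    AUDIT_LOG.append((request.account, request.requested_by, sorted(request.approvals), allowed))
    if not allowed:
        return False
    # ... the real deactivation call goes here ...
    return True


if __name__ == "__main__":
    req = DeactivationRequest("@realDonaldTrump", requested_by="support_agent")
    print("alone:", deactivate(req))                    # False
    req.approve("tns_lead_1"); req.approve("tns_lead_1")
    print("one approver, twice:", deactivate(req))      # False
    req.approve("tns_lead_2")
    print("two distinct approvers:", deactivate(req))   # True
    print("ordinary account:", deactivate(DeactivationRequest("@someone", "support_agent")))  # True
```

The control only helps if every tool that can deactivate an account routes through `deactivate()`; a second admin panel that calls the backend directly is the usual way such rules get bypassed.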
  34. Tomi Engdahl says:

    We’re not saying Uncle Sam has lost control on Twitter, but US Embassy in Riyadh just did a shout out for oatmeal
    Serious rethink needed on account policies
    https://www.theregister.co.uk/2017/11/08/abandoned_us_embassy_twitter_account_oatmeal/

    The Digital Registry is supposed to be an authoritative list of Uncle Sam’s official social media accounts, because “users need to trust they are engaging with official US government digital accounts.”

    Instead, it serves as a shopping list for aspiring government imposters, thanks to its own lax data management and Twitter’s account policies, which allow the usernames of deleted accounts, though not suspended accounts, to be assumed by others.

    Reply
  35. Tomi Engdahl says:

    Get the Most From Your Software Development Testing Budget
    https://www.synopsys.com/software-integrity/resources/analyst-reports/software-development-testing-budget.html?cmp=em-sig-eloqua&utm_medium=email&utm_source=eloqua&elq_mid=262&elq_cid=166673

    The rising cost of security professionals, which has a compound annual growth rate (CAGR) of 7.8% through 2020, is intersecting the nearly flat overall IT budget (CAGR of 1.3%) of most industry enterprises, causing a problem for security and risk management leaders, in particular CISOs and application development executives. The question being asked is, “How do I leverage my existing resources better, while trying to maintain a responsible security posture?”

    Reply
  36. Tomi Engdahl says:

    The Myth of Security Enabling Your Business
    http://www.securityweek.com/myth-security-enabling-your-business

    Organizations That Do Not Invest Even in Baseline Security Are Realistically Uncompetitive

    Every year there are reports and surveys which make the case that security inhibits innovation, productivity and generally holds businesses back. I am not going to argue with that sentiment. Security requires that things are done in a certain manner, which can act as a constraint on wanting to do things a different way. What I do want to address is the notion that this is the case because security people just don’t get business. It’s actually the reverse – businesses do not get security. And this misconception is based on several fallacies, false beliefs and myths.

    Security as an add-on cost

    The first myth is that security is an add-on cost. It is not. Security is, instead, an inherent cost of using digital technologies. Any realistic calculation can only be done by weighing the two against each other – the gains of using digital technologies minus the cost of securing them. Only when that sum turns negative can it be considered an overhead.

    Security can be bolted on after the fact

    The second myth is that security can be bolted on after the fact. It cannot. Security must be included from the beginning, or it can rarely be effective. Design decisions made without consideration for security can make good security challenging to impossible.

    Making Security Easy

    The greatest myth of all is that security people should make security easy. Good security isn’t easy, and many of the challenges and problems it must address do not actually derive from the security field.

    This is like blaming a doctor for the fact that human bodies are frail. Similarly, since we know smoking increases our chances of getting lung cancer, we can’t smoke and then blame the doctor for not being able to cure the cancer. Security people don’t intentionally complicate business processes, instead it is often a by-product of providing good security. They also would prefer if it was easy.

    There are discussions around enabling the business with security, which are of course ludicrous. Security enables a business to be secure and nothing else. This may provide a competitive advantage in some cases, but in general it has a very different basis. People don’t try to avoid sickness, injury and stay alive for a competitive advantage, they stay alive because the alternative is to be dead.

    Reply
  37. Tomi Engdahl says:

    Protecting Critical Infrastructure When a Dragonfly Beats its Wings
    http://www.securityweek.com/protecting-critical-infrastructure-when-dragonfly-beats-its-wings

    The Threat of Cyberattacks on Power Networks is Real, But We Have the Ability to Build Defenses That Minimize The Disruption to Services

    News that a sophisticated and long-established cyber espionage group may have the ability to infiltrate and do serious harm to critical energy supply infrastructure doesn’t come as a complete surprise. It does, however, provide an opportunity to reflect on how such systems are protected and what we as an industry can do better in the future.

    Anyone who works in security quickly gets used to the dilemma at the heart of what we do. It’s vital for us to communicate openly, clearly and with transparency about the threats faced in today’s networked world. Yet all too often, we run the risk of creating an unnecessary public panic which still doesn’t have the required effect of motivating those responsible for protecting critical systems into following good security practice.

    The recent revelations were published by researchers at Symantec and concern a cyber-attack group known as Dragonfly. They found that over a two-year period Dragonfly-affiliated hackers have been stepping up their attempts to compromise energy industry infrastructure, notably in the US, Turkey and Switzerland. The Symantec researchers found that the behavior of the Dragonfly group suggests they may not be state-sponsored, but that they have been conducting many exploratory attacks in order to determine how power supply systems work and what could be compromised and controlled as a result.

    An obvious target

    This shouldn’t come as a shock. Even the most innocuous web server will face dozens, if not hundreds, of attacks every day. Industrial control systems and critical national infrastructure have always been prime targets. Everyone from bedroom hackers to state sponsored spies have wanted to breach critical systems since the dawn of the networked era, whether that be for monetary gain, secret information, or just pure curiosity.

    What’s important in the Symantec report is not that energy systems are under attack, but that the methods detected – email phishing, Trojan malware and watering hole websites – are all well understood and can be mitigated against.

    Symantec was keen to point out that it has already integrated protections from the known Dragonfly attack methods into its software. Even so, it would be foolish to underestimate Dragonfly. It’s clearly a sophisticated group with a clear purpose, and while Dragonfly’s primary mechanisms at present appear to be based on social engineering, there are plenty of other state and non-state sponsored groups who have yet more sophisticated tools at their disposal.

    What’s more, the industrial internet of things (IIoT) continues to expand and our power infrastructure is diversifying to include smart grids and new, decentralised generation and transmission technologies. These may be beyond the control of traditional energy companies, but are still connected to their networks, introducing many more potential points of weakness to protect. We already know that there are many hundreds of thousands of consumer devices out there that are poorly secured against malware such as Mirai and its successors. The risk is that the same weaknesses may be unwittingly introduced to critical infrastructures.

    Building our defenses

    What does defense in-depth mean for the power supply industry? For a start, more work needs to be done to convince utility companies that security spending must be an absolute business priority. Proactive regimes that include regular retraining and offensive exercises, such as penetration testing and “red teaming”, require ongoing investment and a commitment at all levels, but are essential to keeping defenses honed.

    On a practical level, it should be a given for even the smallest business in this day and age that application and client software is regularly patched and up-to-date, but as recent ransomware outbreaks have shown, this is not something we can take for granted.

    For power companies, the challenge here isn’t just about rapid deployment of desktop and server software security patches, there are myriad field devices and control systems that need protecting too, which requires careful consideration. The update-and-patch ethos applies just as it does in the server world, but many of the MTUs, the RTUs and the IEDs may be legacy units for which security was an afterthought. They must be supplemented with intelligence in the network that can spot anomalies and improve the ability to detect new threats and signatureless malware.

    Improving capabilities for prevention and detection of attacks, however, won’t be effective without similar investment in the ability to respond to incidents. This requires the development of specialist forensic skills and knowledge within the ICS and SCADA environment, so that once an incident is detected, it can be quickly neutralised and identified with the least possible disruption to operations. To further minimize disruption, solid plans for business continuity also need to be drawn up and prepared.

    Reply
  38. Tomi Engdahl says:

    Hundreds of Islamic State Supporters Could Be Giving Away Their Location on Instagram
    https://www.thedailybeast.com/hundreds-of-islamic-state-supporters-could-be-give-away-their-location-on-instagram

    Supporters of the so-called Islamic State make extensive use of social media to spread propaganda and connect, but that is also working against them.

    Members of the Islamic State may have some social media mastery, but hundreds of supporters could be unwittingly providing a treasure trove of geo-location data for the intelligence services hunting them.

    Plenty of so-called Instagram “Stories”—ephemeral posts that last 24 hours—from potential Islamic State supporters include data revealing the account owner’s location, according to a new analysis into supporters’ use of Instagram.

    “When they disclose their location in Europe this is gold for intelligence,” Andrea Stroppa from software research group Ghost Data, which obtained and analyzed the data, told The Daily Beast.

    Stroppa said some of the location data includes longitude and latitude coordinates, allowing the researchers to accurately pinpoint a user’s location.

    An Instagram spokesperson told The Daily Beast, “There is no place for terrorists, terrorist propaganda, or the praising of terror activity on Instagram, and we work aggressively to remove content or an account as soon as we become aware of it. We prioritize reports related to terrorism, and we have dedicated teams that work to stop the spread of terrorist content.”

    This Instagram research comes during renewed calls, especially from the U.K. government, for social media companies to remove terrorist content from their platforms more quickly. On the sidelines of a United Nations meeting this week, Prime Minister Theresa May was expected to discuss the issue with senior executives from Google, Facebook and Microsoft, as well as French and Italian political heads Emmanuel Macron and Paolo Gentiloni, the Guardian reports.

    Often missing throughout that debate, however, is the trade-off between the intelligence value social media posts can provide, and pushing terrorist supporters onto other, more underground platforms.

    Reply
  39. Tomi Engdahl says:

    A major vulnerability has frozen hundreds of millions of dollars of Ethereum
    https://techcrunch.com/2017/11/07/a-major-vulnerability-has-frozen-hundreds-of-millions-of-dollars-of-ethereum/

    Today is not a good news day for Ethereum. A vulnerability found within a popular wallet has frozen potentially hundreds of millions of dollars of the crypto currency in a second setback in recent months.

    Parity Technologies, the company behind widely used wallet service Parity, today disclosed an issue that could enable the contents of a wallet to be wiped.

    The issue affects multi-sig wallets — a technology that uses the consent of multiple parties for additional security on transactions — that were deployed after July 20. In other words, ICOs that were held since then may be impacted.

    Reply
  40. Tomi Engdahl says:

    Ron Miller / TechCrunch:
    Amazon’s AWS S3 adds five new tools, including default encryption and warnings about unencrypted files, to prevent data leaks

    New tools could help prevent Amazon S3 data leaks
    https://techcrunch.com/2017/11/07/new-tools-help-could-help-prevent-amazon-s3-data-leaks/

    If you do a search for Amazon S3 breaches due to customer error of leaving the data unencrypted, you’ll see a long list that includes a DoD contractor, Verizon (the owner of this publication) and Accenture, among the more high profile examples. Today, AWS announced a new set of five tools designed to protect customers from themselves and ensure (to the extent possible) that the data in S3 is encrypted and safe.

    For starters, the company is giving the option of default encryption. That means every object that gets moved into an S3 bucket will have encryption on by default. What’s more, this will happen without admins having to construct a rejected bucket for unencrypted files. It’s not exactly foolproof, but it gives admins a good solid way to ensure the data is always encrypted in a much smoother way than before.

    If that’s not enough, Amazon is putting a signal front and center on the administrative console that warns admins with a prominent indicator next to each S3 bucket that has been left open to the public. If something slips through the cracks at the end user level, this should at least give admins an additional level of protection that something is amiss.

    Access Control Lists (ACLs) let admins define and manage who has access to buckets and objects in S3. It’s basically ensuring that permissions travel with the data when you move it, but the update now also lets you share ownership of the bucket in transit, which would be useful for giving the admin in the other region control over the bucket too. This provides a way to share ownership, yet maintain separate and distinct ownership for the original objects and the replicas.

    Reply
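The console warning and default-encryption option described above amount to three checks on a bucket's own configuration. As an added example (not the article's or AWS's code), the script below runs those checks offline against the ACL, bucket policy and encryption configuration in the shapes the S3 API returns for GetBucketAcl, GetBucketPolicy and GetBucketEncryption; the sample documents, the owner id placeholder and the bucket name `example-bucket` are constructed for the example.

```python
# Added example (not AWS's or the article's code). The dicts mirror the shapes the
# S3 API returns for GetBucketAcl, GetBucketPolicy and GetBucketEncryption;
# sample values are constructed and no AWS call is made.
PUBLIC_GROUPS = {"http://acs.amazonaws.com/groups/global/AllUsers",
                 "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}

def public_acl_grants(acl):
    """ACL grants to 'everyone' or to 'any authenticated AWS account'."""
    return [g for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_GROUPS]

def _wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"} / {"AWS": [..., "*"]}."""
    if principal == "*":
        return True
    aws = principal.get("AWS", []) if isinstance(principal, dict) else []
    return "*" in ([aws] if isinstance(aws, str) else aws)

def public_policy_statements(policy):
    """Allow statements open to anonymous callers and not narrowed by a Condition."""
    return [s for s in (policy or {}).get("Statement", [])
            if s.get("Effect") == "Allow"
            and _wildcard_principal(s.get("Principal"))
            and not s.get("Condition")]

def default_encryption_enabled(encryption):
    """True when a default SSE rule (AES256 or aws:kms) is configured."""
    cfg = (encryption or {}).get("ServerSideEncryptionConfiguration", {})
    return any(r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
               in ("AES256", "aws:kms") for r in cfg.get("Rules", []))

def audit_bucket(acl, policy, encryption):
    """Return findings for one bucket; an empty list means nothing was flagged."""
    findings = [f"ACL grants {g['Permission']} to {g['Grantee']['URI'].rsplit('/', 1)[-1]}"
                for g in public_acl_grants(acl)]
    findings += [f"policy statement {s.get('Sid', '<no Sid>')} allows anonymous access"
                 for s in public_policy_statements(policy)]
    if not default_encryption_enabled(encryption):
        findings.append("no default server-side encryption configured")
    return findings

# Constructed sample: public-read ACL, anonymous GetObject policy, no encryption.
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}
SAMPLE_POLICY = {"Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                                "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}
FIXED_ENCRYPTION = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}
```

Running `audit_bucket(SAMPLE_ACL, SAMPLE_POLICY, None)` lists all three problems; with the public grant and policy removed and `FIXED_ENCRYPTION` applied it returns an empty list.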
  41. Tomi Engdahl says:

    David Shepardson / Reuters:
    Ex-Yahoo CEO Marissa Mayer apologizes at Senate hearing for data breach and blames Russian agents for stealing users’ data

    Former Yahoo CEO apologizes for data breach, blames Russians
    http://www.reuters.com/article/us-usa-databreaches/former-yahoo-ceo-apologizes-for-data-breach-blames-russians-idUSKBN1D825V

    Former Yahoo Chief Executive Marissa Mayer apologized on Wednesday for a pair of massive data breaches at the internet company and blamed Russian agents at a hearing on the growing number of incidents involving major U.S. companies.

    “As CEO, these thefts occurred during my tenure, and I want to sincerely apologize to each and every one of our users,” she told the Senate Commerce Committee, testifying alongside the interim and former CEOs of Equifax Inc and a senior Verizon Communications Inc executive.

    “Unfortunately, while all our measures helped Yahoo successfully defend against the barrage of attacks by both private and state-sponsored hackers, Russian agents intruded on our systems and stole our users’ data.”

    In March, federal prosecutors charged two Russian intelligence agents and two hackers

    Reply
  42. Tomi Engdahl says:

    BBC:
    UK’s Office for National Statistics tests using Vodafone cell data to track daily commutes in London boroughs, a task that previously relied on the census

    Mobile phone tracking data ‘could replace census questions’
    http://www.bbc.com/news/uk-politics-41899723

    Thousands of people have had their movements tracked by the Office for National Statistics to see if they can find out where they live and work.

    The ONS is trying to build up a picture of people’s daily commute – something it normally asks about in the census.

    Mobile phones create a record of every location visited by the user if the phone is switched on.

    Statisticians believe the data, which is anonymised, could one day replace census questions in England and Wales.

    But it admitted it would need to carry out “extensive evaluation” of “privacy impacts” if it went down that route.

    Reply
  43. Tomi Engdahl says:

    Ingrid Lunden / TechCrunch:
    SaaS provider Proofpoint acquires Cloudmark, which provides messaging security for ISPs and mobile carriers, for $110M

    Proofpoint acquires Cloudmark for $110M in cybersecurity consolidation play
    https://techcrunch.com/2017/11/07/proofpoint-acquires-cloudmark-for-100m-in-cybersecurity-consolidation-play/

    As malicious groups continue to become more sophisticated in their hacking techniques, cybersecurity efforts are attempting to expand in their reach, and that is leading to some consolidation in the field. Today, cybersecurity firm Proofpoint — which provides SaaS products to protect businesses’ email, social media and other services — announced that it would pay $110 million to acquire Cloudmark, another firm that provides security protection for messaging services, focusing specifically on serving the ISP and mobile carrier markets.

    “We are excited to welcome Cloudmark’s ISP and mobile carrier customers to Proofpoint,” said Gary Steele, Chief Executive Officer of Proofpoint. “By combining the threat intelligence from Cloudmark with the Proofpoint Nexus platform, we can better protect all of our customers – both enterprises and ISPs – from today’s rapidly evolving threats.”

    Reply
  44. Tomi Engdahl says:

    Four years later, Yahoo still doesn’t know how 3 billion accounts were hacked
    https://techcrunch.com/2017/11/08/yahoo-senate-commerce-hearing-russia-3-billion-hack/?ncid=rss&utm_source=tcfbpage&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29&utm_content=FaceBook&sr_share=facebook

    On Wednesday, in a security hearing that called both Equifax and Yahoo’s past and present executives to Washington D.C., we’re learning a bit more about what Yahoo didn’t know about the biggest hack in history.

    When pressed about how Yahoo failed to recognize that 3 billion accounts — and not 500 million as first reported — were compromised in what was later revealed to be a state sponsored attack by Russia, former Yahoo CEO Marissa Mayer admitted that the specifics of the attack still remain unknown.

    “To this day we have not been able to identify the intrusion that led to this theft,”

    Reply
  45. Tomi Engdahl says:

    RE:SCAM
    https://www.netsafe.org.nz/rescam/

    $12 billion is lost globally to phishing scams every year. It’s time we fought back.

    Introducing Re:scam – an artificially intelligent email bot made to reply to scam emails. Re:scam wastes scammers’ time with a never-ending series of questions and anecdotes so that scammers have less time to pursue real people.

    Reply
  46. Tomi Engdahl says:

    Hacking the vote: Threats keep changing, but election IT sadly stays the same
    https://arstechnica.com/information-technology/2017/11/hacking-the-vote-threats-keep-changing-but-election-it-sadly-stays-the-same/

    Election security hasn’t changed much in over a decade, but the threat model has.

    Reply
  47. Tomi Engdahl says:

    How Cloudflare uses lava lamps to encrypt the Internet
    http://www.zdnet.com/article/how-lava-lamps-are-used-to-encrypt-the-internet/

    Cloudflare’s encryption secret? Gelatinous floating blobs.

    Cloudflare has revealed an interesting way to ensure randomness when generating encryption keys — lava lamps.

    Cloudflare is a DNS service which also offers distributed denial-of-service (DDoS) attack protection, security, free SSL, encryption, and domain name services.

    Roughly 10 percent of the Internet’s traffic passes through Cloudflare, and as the firm deals with so much encrypted traffic, many random numbers are required.

    According to Nick Sullivan, Cloudflare’s head of cryptography, this is where the lava lamps shine.

    Instead of relying on code to generate these numbers for cryptographic purposes, the lava lamps and the random lights, swirling blobs and movements are recorded and photographs are taken.

    “Every time you take a picture with a camera there’s going to be some sort of static, some sort of noise,” Sullivan said. “So it’s not only just where the bubbles are flowing through the lava lamp; it is the state of the air, the ambient light — every tiny change impacts the stream of data.”

    This is not the only way that Cloudflare generates randomness. In the firm’s London office, there is something called a “chaotic pendulum” which has three components that unpredictably twist and turn together, and in Singapore, the company uses a radioactive source.

    Whether or not anything is truly random is up for debate

    Reply
  48. Tomi Engdahl says:

    Mary Jo Foley / ZDNet:
    Microsoft to integrate third-party security information on macOS, Linux, iOS, and Android into its Windows Defender Advanced Threat Protection service — Microsoft is partnering with Bitdefender, Lookout and Ziften to integrate their macOS, Linux, iOS and Android threat-detection offerings …

    Microsoft to integrate third-party security information into its Windows Defender Advanced Threat Protection service
    http://www.zdnet.com/article/microsoft-to-integrate-third-party-security-information-into-its-windows-defender-advanced-threat/

    Microsoft is partnering with Bitdefender, Lookout, and Ziften to integrate their macOS, Linux, iOS, and Android threat-detection offerings with Windows Defender Advanced Threat Protection.

    Reply
  49. Tomi Engdahl says:

    Abner Li / 9to5Google:
    Google says Chrome will start blocking malicious auto-redirects in version 64, rolling out over the coming months

    Upcoming Google Chrome security features will prevent malicious auto-redirects
    https://9to5google.com/2017/11/08/google-chrome-features-protect-against-malicious-redirects/

    In recent versions, Chrome has implemented various measures to increase security and ensure a good user experience, like preventing content from autoplaying. The latest defends against malicious redirect behavior and will be rolling out in the coming months.

    The particular aim of these upcoming features is to protect against deceptive behaviors like auto-redirects and “trick-to-click experiences.”

    Starting in Chrome 64, currently in the developer channel, the browser will counter surprise redirects from third-party content embedded into pages. When this happens, users will now remain on their current page, while the browser displays an infobar about the block. On mobile, this warning slides up from the bottom and includes a “Details” link to learn more.

    Google found that this type of malicious behavior is due to third-party iframes, with Chrome now blocking them unless a user has been directly interacting with that frame.

    Reply
