Year 2017 will not have any turn towards better data security. The internet is rife with such well-known than the unknown threats. The company’s systems are supposed to be protected.Hackers are going to continue to look for new ways to extort and steal information from businesses and organizations, which unfortunately means those businesses and organizations will have to continue to look for new ways to protect themselves.
Critical infrastructure cames under attack in 2017. Critical infrastructures must be better protected from criminals and terrorists who take advantage of modern technologies that are essential for the functioning of society and the economy. IT security functions of industrial control systems (ICS), energy grids and IoT networks needs to be improved in 2017.
There is push for better web security in 2017. Starting New Year’s Day, Google’s Chrome will begin labeling as “insecure” all websites that transmit passwords or ask for credit card details over plain text HTTP. Beginning in January 2017 (Chrome 56), HTTP sites that transmit passwords or credit cards are marked as non-secure, as part of a long-term plan to mark all HTTP sites as non-secure.
SHA-1 is insecure. Starting on Jan 1, 2017, most CAs will migrate to SHA-2 certificates, and major browser makers have already announced plans to adopt the change, including Microsoft, Google, and Mozilla. Their browsers will no longer trust sites that use SHA-1 starting with that date, and they will mark these websites as insecure. 1/3 of Websites Use SHA-1 Certificates Despite Looming Deadline. SHA-1 will still hang around, like a fart in a spacesuit, for many years to come because some people are lazy enough not to make the change.
There will be changes in how security is viewed in 2017 by businesses. We will likely see cloud adoption continue to grow across the United States, network visibility will no longer just be an option, AI and machine learning will shake old security models, and IoT-powered attacks will continue to rise. All of this will factor into how businesses set up, monitor and secure their networks.
The Commoditization of Cyberattacks Will Make Them More Frequent in 2017. More and more companies suffer from disruption to business due to cyber attacks. Cyber-attacks cause companies significant financial losses, but the studies shows that companies are not prepared for attacks. According to Gartner, by 2018 only 40 per cent of large companies have official plans in case of cyber attacks. Last year, the percentage was zero.
Strap yourself in for a bumpy ride in 2017. 2016 sucked. 2017 won’t be much better, sorry. DDoS attacks have been around since at least 2000, and they’re not going away. In fact, as the number of devices online grows, the volume and velocity of these attacks is also increasing. DDoS attack toolkits have been around for years, as have services that will enable you to pay for an attack. Expect to see more of them. It seems that 2017 promises to be the most dramatic year yet in DDoS conflict. Whale-sized DDoS attacks will increase, the IoT will become a bigger factor in DDoS and DDoS will overshadow ransomware attacks and is used for extortion. Expect to see the Internet of Things (IoT) and other connected devices play an important part in these attacks.
Biometric identification will become more common in 2017, but it will not replace passwords. Fingerprint identification has become increasingly common in smartphones and already the technology is fast and reliable. This year biometric identification devices were sold for 4.5 billion dollars (most of them go to smart phones and laptops). 91 percent of biometric sales were fingerprint sensors, four per cent of face detection and three per cent iris detection.
Biometrics Won’t Kill Passwords any time soon. Even though PIN codes and passwords are actually pretty lousy protection case against skilled cybercriminal, the password will never disappear entirely, as two per cent of the world’s population is persons with a fingerprint not suitable for biometric identifier to work. Other biometric identification systems have also similar limitations and/or are not yet commonly available at reasonable cost. While biometrics, including fingerprint-, face-, iris-, palm- and speech-recognition, will continue to grow as a more secure substitute for passwords, they will not render passwords obsolete. Until the other common biometrics become commonplace, passwords are here to stay until circa 2030.
Fights with encryption and backdoors for them is not over in 2017. Many public figures in law enforcement have consistently argued that device encryption presents a new threat to police powers of investigation. On the other side House Judiciary Committee’s Encryption Working Group report says encryption backdoors pose a security threat, siding with tech experts in their latest report . The problem is that any system allowing police to get into those encrypted system (let it be phone, computer or communications) could also be exploited by criminals. Any action in this space should weigh any short-term benefits against the longterm impacts. Many industry experts will rightly tell you there is no such thing as partial data encryption. You either have a fully capable system or none at all.
Given the security events of 2016, coupled with the rapid advancements and adoption of cloud computing, 2017 will be the year in which many finally accept that network infrastructure and security will have to be rethought from the ground up. In 2017 the cloud will become a risk for users: The cloud becoming insecure – extortion and IoT openings.
The rivalry between the network attacks and network security is in acceleration. Crippling Internet services with denial of service attacks are becoming more common throughout the world. DDoS attacks have been around since at least 2000, and they’re not going away. In fact, as the number of devices online grows, the volume and velocity of these attacks is also increasing. IoT-powered attacks will continue to rise and stopping the attack is not easy. For most companies the key thing is that the attack traffic is stopped before it reaches the company’s Internet connection or servers (needs to use telecom operator and external services increase). In addition to service disturbion Denial of Service Attacks are often used as distraction during the actual data burglary.DDoS may take over from ransomware as a cause for concern.
In 2017 the IT and security professionals talk about more about business risks. Historically, firewalls, DLP, antivirus, SIEM and other technical point solutions have been the centerpiece of security conversations, but the mindset is slowly shifting from technology to risk. The goal of stopping all attacks and preventing all business impact has been recognized as a fool’s errand, and has shifted to measuring risk and minimizing business impacts. Cyber security is increasingly being viewed as a risk management problem.
In 2017 ‘Security’ Must be Added to our Existing Ethical and Philosophic Concerns Over Artificial Intelligence and Algorithms. Algorithms soon run the world. They present problems that are seriously questioned on both ethical and philosophic grounds; and they have become the basis of fictional Armageddons.
Cyber insurance will be more thoughs as on solution for handling cyber risks in 2017. The global cyber insurance market is expected to generate $14 billion by 2022, according to a new report published by Allied Market Research (AMR). That figure represents an impressive compound annual growth rate (CAGR) of nearly 28% from 2016 to 2022.
In 2017 Big Brother will be watching you 24/7.Those of you who’ve read George Orwell’s book 1984 or seen the movie ,will remember how the citizens of the fictitious totalitarian state of Oceana are constantly under surveillance by order of its dictator, Big Brother. So now swap your home desktop computer, laptop or smart phone for the fictitious telescreen and not only are you sitting in front of what is a modern day version of the Big Brother telescreen you are also walking around with one in your pocket or handbag. Sound a bit far fetched to you? Well it’s set to become a reality in many countries.
Users will want better security or at least to feell more secure in 2017. Many people are prepared to to extremes for better security. According to a recent survey of over 2,000 adults conducted by Harris Poll Nearly 40% of Americans Would Give Up Sex for a Year or eating their favourite food in Exchange for Better Online Securit, meant they’d never have to worry about being hacked. When you consider that 87 percent of U.S. adults use the internet, it makes sense that cyber security is one of the biggest concerns today. The single biggest thing people can do to help keep their online identity safe is probably the easiest – a solid password – and not giving it to other people. Still nearly 50% of people have shared a password to an e-mail account or to an account like Netflix.
Security Becomes A Multi-System Issue and more people talking about the issue. Design teams will have to bake strategies in from the start, no matter how insignificant the device.The good news is that it more people talking about the issue. The real challenge is packing enough security features into designs to prevent security breaches of every sort, including those that can come from other electronics that weren’t even considered as part of the design process. Just as devices get more sophisticated, so do hackers.The reality is that security breaches can even cause physical harm. It’s time to look at this at a multi-system, multi-disciplinary level. Otherwise, we literally could be playing with fire.
Block chains have been a big trend for several years. The block chain market is divided now when 2017 starts. During the autumn 2016, we have seen a number of initiatives on cooperation between the financial sector and consulting companies. Microsoft has chosen a platform for Ethereum-block chain and offers it to the Azure cloud service. IBM has jumped Hyperledger consortium bandwagon and offering their own block chains to Bluemix service. Google and Amazon still shine by their absence. Even banks may prefer to see the use of cloud for the block chains.
Other prediction articles worth to look:
What Lies Ahead for Cybersecurity in 2017?
Network Infrastructure, Visibility and Security in 2017
DDoS in 2017: Strap yourself in for a bumpy ride
Cybersecurity Industry Outlook: 2017 to 2021 | CSO Online
IBM’s Cybersecurity Predictions for 2017 – eForensics
https://eforensicsmag.com/ibms-cybersecurity-predictions-2017/
Top 5 Cybersecurity Threats to Watch Out for in 2017
Experts Hopeful as Confidence in Risk Assessment Falls
3,151 Comments
Tomi Engdahl says:
New York Times:
Former NSA employee Nghia H. Pho pleads guilty to taking classified files home, where, officials say, Russian hackers stole the files via Kaspersky software
Former N.S.A. Employee Pleads Guilty to Taking Classified Information
https://www.nytimes.com/2017/12/01/us/politics/nsa-nghia-pho-classified-information-stolen-guilty.html
A former National Security Agency employee admitted on Friday that he had illegally taken from the agency classified documents believed to have subsequently been stolen from his home computer by hackers working for Russian intelligence.
Nghia H. Pho, 67, of Ellicott City, Md., pleaded guilty to one count of willful retention of national defense information, an offense that carries a possible 10-year sentence.
But in court documents, prosecutors did disclose that he worked from 2006 to 2016 for the N.S.A.’s “Tailored Access Operations.” The unit, whose name has now been changed to Computer Network Operations, is the N.S.A.’s fastest-growing component.
He kept those materials, some in digital form, at his home in Maryland, according to prosecutors.
Mr. Pho is one of three N.S.A. workers to be charged in the past two years with mishandling classified information, a dismal record for an agency that is responsible for some of the government’s most carefully guarded secrets.
Mr. Pho took the classified documents home to help him rewrite his resume. But he had installed on his home computer antivirus software made by Kaspersky Lab, a top Russian software company, and Russian hackers are believed to have exploited the software to steal the documents, the officials said.
Tomi Engdahl says:
David Bond / Financial Times:
Leaked memo: UK government warns against use of Kaspersky Labs software in departments that handle any information that can be related to national security
UK spying fears spark Russian software ban
Intelligence agency warns government departments over Kaspersky products
https://www.ft.com/content/d323c458-d6a4-11e7-8c9a-d9c0a5c8d5c9
Tomi Engdahl says:
Kaspersky says N America revenues to be hit on Russian espionage claims
https://www.ft.com/content/eee433b6-a8ca-334a-8e14-8311c2641327
Tomi Engdahl says:
‘Spy’ F-35s send sensitive Norwegian military data back to Lockheed Martin in the United States
http://www.news.com.au/technology/online/security/spy-f35s-send-sensitive-norwegian-military-data-back-to-lockheed-martin-in-the-united-states/news-story/12b4fafce6b579448cc8416518063d1f
THE marketing campaign makes it clear: The F-35 justifies its enormous cost and limited weapons load by being sneaky and enormously well informed.
But its international customers probably didn’t expect this.
Norwegian defence officials have caught one of their new $A120 million (less research and development costs) F-35A Lightning II Block 3F stealth jets sending sensitive data back to its US manufacturer — Lockheed Martin.
Tomi Engdahl says:
Former N.S.A. Employee Pleads Guilty to Taking Classified Information
https://www.nytimes.com/2017/12/01/us/politics/nsa-nghia-pho-classified-information-stolen-guilty.html?_r=0
BALTIMORE — A former National Security Agency employee admitted on Friday that he had illegally taken from the agency classified documents believed to have subsequently been stolen from his home computer by hackers working for Russian intelligence.
Nghia H. Pho, 67, of Ellicott City, Md., pleaded guilty to one count of willful retention of national defense information, an offense that carries a possible 10-year sentence.
Mr. Pho, who worked as a software developer for the N.S.A., was born in Vietnam but is a naturalized United States citizen.
But in court documents, prosecutors did disclose that he worked from 2006 to 2016 for the N.S.A.’s “Tailored Access Operations.”
The leaks have come to light as investigators scramble to trace the source of an even worse breach of N.S.A. security: the public release of the agency’s hacking tools by a still-unidentified group calling itself the Shadow Brokers. Some of those tools have been subsequently used for “ransomware” attacks that shut down or disrupted businesses, hospitals, railways and other enterprises around the world this year.
Tomi Engdahl says:
Security
NSA employee pleads guilty after stolen classified data landed in Russian hands
NSA employee pleads guilty after stolen classified data landed in Russian hands
http://www.zdnet.com/article/former-nsa-staffer-pleads-guilty-after-classified-data-theft/
The classified data was later collected by Kaspersky software running on the staffer’s home computer.
Eugene Kaspersky: We would quit Moscow if Russia asked us to spy
http://www.zdnet.com/article/eugene-kaspersky-we-would-quit-moscow-if-russia-asked-us-to-spy/
Kaspersky Lab founder hits back at espionage claims.
Tomi Engdahl says:
Snoopers Charter: Government forced to backtrack on data access
http://www.zdnet.com/article/snoopers-charter-government-forced-to-backtrack-on-data-access/
The UK’s controversial mass surveillance legislation will have to be tweaked to comply with EU law, but critics say the changes don’t go far enough.
Tomi Engdahl says:
Hacking back is a terrible idea, but companies are still keen to try it
http://www.zdnet.com/article/hacking-back-is-a-terrible-idea-but-some-companies-are-still-keen-to-try-it/
It’s tempting to take revenge on hackers, but the downsides far outweigh any benefits.
Tired of being attacked by cybercriminals, some organisations are keen to take the fight back to the hackers — but the risks of ‘hacking back’ are likely to be much greater than any potential gains.
Hacking back against an assailant — perhaps tracking down the systems they are using and either deleting the information they stole or disabling the computers — is currently illegal. But a new survey from Fidelis Cybersecurity has discovered that companies think they have the capability to respond more aggressively to hacking attacks, should they so wish.
Over half of respondents said that companies should be able to hack back, and that their organisation had the technical ability to identify an intruder, infiltrate their systems, and destroy any data that had been stolen after a cyberattack.
And over half of executives said that, if it were legal, they would rather hack back to get the decryption keys after a ransomware attack than pay the criminals to regain access to their data.
Tomi Engdahl says:
Security News This Week: A New Bill Wants Jail Time for Execs Who Hide Data Breaches
https://www.wired.com/story/a-new-bill-wants-jail-time-for-execs-who-hide-data-breaches/
It’s been a rough week for a lot of people, but particularly for Apple. On Tuesday, a security researcher tweeted information about a dire bug in the company’s macOS High Sierra operating system that allowed anyone being prompted for system user credentials to bypass the authentication by simply typing “root” as the username and leaving the password blank. Apple rushed to push out a necessary update on Wednesday, but botched it a bit; if you hadn’t yet updated to macOS 10.13.1, but had gotten the patch, your eventual jump to 10.13.1 would reintroduce the “root” bug. Not ideal!
A New Bill Wants Jail Time for Not Disclosing Data Breaches
What do this year’s various mega-breaches have in common, from Equifax to Yahoo to, most recently and irresponsibly, Uber? Shoddy disclosure practices that leave customers unaware that their personal information—including, in some cases, extra-sensitive details like Social Security and driver’s license numbers—is in the hands of unknown hackers. While state-level legislation already forms a patchwork of penalties for that sort of behavior, a new bill introduced in the US Senate this week wants to make nondisclosure a jailable offense no matter where it happens in the country. Failure to report within 30 days could come with imprisonment of up to five years for the execs who decided to cover it up.
The bill’s prospects are a little muddied, especially given that it basically echoes a 2014 bill that tried to do the same in the wake of the massive hack Target disclosed that year. Hopefully, though, the number of high-profile breaches—with literally billions of people affected—give the effort a better sense of urgency this time.
Tomi Engdahl says:
Founders of hacking firm linked to Michael Flynn turn to cyber defense
https://www.fastcompany.com/40503024/founders-of-nso-hacking-firm-linked-to-michael-flynn-turn-to-cyber-defense-orchestra
The founders behind NSO Group, an Israeli company that makes “lawful intercept” tools used by governments to spy on terrorists and criminals—but also, as I reported yesterday, civilians in multiple countries—are doubling down not on attacking devices but defending them.
In early November, NSO Group cofounder Omri Lavie told the Reuters Cyber Summit that he and investment partner Issac Zack were raising funds for Orchestra, a company that will aim to simplify cyber security.
This comes only months after Francisco Partners, the private equity firm that owns NSO Group, failed to sell part of the company to the New York-based Blackstone Group, at a reported valuation of $1 billion..
The company has also earned controversy for its links to former White House national security adviser Lt. General Michael Flynn: last year, Flynn’s various consulting gigs included work for Francisco Partners and for an NSO Group offshoot.
Tomi Engdahl says:
US credit repair biz damages own security: 111GB of personal info exposed in S3 blunder
Oh look, another AWS misconfiguration spillage
https://www.theregister.co.uk/2017/12/02/national_credit_federation_aws_leak/
The National Credit Federation, a US credit repair biz, left 111GB of thousands of folks’ highly sensitive personal details exposed to the public internet, according to security researchers.
In yet another AWS S3 configuration cockup, Americans’ names, addresses, dates of birth, photos of driver licenses and social security cards, credit reports from Equifax, Experian, and TransUnion, detailed financial histories, and credit card and bank account numbers, were all left sitting out in the open for miscreants to find, it is claimed.
Credit Crunch: Detailed Financial Histories Exposed for Thousands
https://www.upguard.com/breaches/credit-crunch-national-credit-federation
Tomi Engdahl says:
Expert gives Congress solution to vote machine cyber-security fears: Keep a paper backup
Hot take from crypto-guru Prof Matt Blaze
https://www.theregister.co.uk/2017/12/01/us_voting_machine_security_hearing/
With too many electronic voting systems buggy, insecure and vulnerable to attacks, US election officials would be well advised to keep paper trails handy.
This is according to Dr Matt Blaze, a University of Pennsylvania computer science professor and top cryptographer, who spoke to Congress this week about cyber-threats facing voting machines and election infrastructure.
Among Blaze’s recommendations is that rather than rely on purely electronic voting machines to log votes, officials use optical scan machines that retain a paper copy of each voter’s ballot that can be consulted if anyone grows concerned about counting errors or tampering. In other words, due to the fact that everything has bugs and flaws, truly paperless voting systems should be a no-no.
Tomi Engdahl says:
Think your home IT is secure? Think again
https://www.electropages.com/2017/11/think-your-home-it-is-secure/?utm_campaign=&utm_source=newsletter&utm_medium=email&utm_term=article&utm_content=Think+your+home+IT+is+secure%3F+Think+again
News this week that car thieves can now stand outside your house and pick up signals from your car keys stored inside your house (all too often near the front door) and then use the signal to get in and drive your car away means many of us have yet another system security issue in our personal lives that needs taking care of.
In this case it’s pretty easy. Keep your keys as far away as possible from your parked car and/or keep your keys in a Faraday cage, which you can easily buy online.
So that’s a simple problem to solve but with the proliferation of the IoT and with the majority of homes having a number of essential devices that are Internet connected, personal information and data security is a rapidly escalating problem.
To put that in some perspective, a recent report concluded there are something in the region of 2.5 million online devices in London that are vulnerable to hacking. These include a lot of company-based systems but also personal stuff like routers, baby monitors and kids toys and lifestyle stuff like watches that can tell you just how unfit you are.
The report was produced by security specialists Trend Micro and the information it contains was created by using the IoT search engine Shodan. London came out tops of all the major UK cities when it came to on-line security vulnerability but that doesn’t mean it is particularly lackadaisical when it comes to system security.
It makes clear that all IT information coming from connected devices in homes must pass through some form of router all the way through to BX class routers between mainstream telecommunications companies.
Unfortunately security weak and compromised routers can be made part of botnets and used for DDoS attacks such as Mirai12 which recently infiltrated Twitter.
But bearing in mind that just about every home does not have the benefit of an IT security whizz kid the report has come up with some excellent security advice for home IT operators and I thought I’d share these with you.
Firstly, always enable password protection on your devices.
Secondly, always change default passwords for stronger more complex personal ones.
Thirdly, always change default settings. Many devices have all their supported services enabled by default, many of which are not essential for regular daily use. If possible, disable nonessential services.
Fourth, never jailbreak any of your devices. This can disable integral device security features making it easier for hackers to gain entry.
Fifth, never install apps from unverified third-party marketplaces. This is especially a big security risk for jail broken iOS and Android devices. Apps installed from unverified third-party sources can have backdoors built into them that criminals can use to steal personal information.
Sixth, always take advantage of system updates as these can solve security vulnerabilities.
Seventh, always make sure you enable both disk and communication encryption. This will secure the data on the disk against theft.
Tomi Engdahl says:
Bitdefender Valued at $600 Million After Vitruvian Partners Investment
http://www.securityweek.com/bitdefender-valued-600-million-after-vitruvian-partners-investment
Tomi Engdahl says:
Siemens Patches Several Flaws in Teleprotection Devices
http://www.securityweek.com/siemens-patches-several-flaws-teleprotection-devices
Siemens has patched several vulnerabilities, including authentication bypass and denial-of-service (DoS) flaws, in its SWT 3000 teleprotection devices.
The SWT 3000 teleprotection devices are designed for quickly identifying and isolating faults in high-voltage power grids. This Siemens product is used in the energy sector worldwide.
According to advisories published by both Siemens and ICS-CERT, medium severity vulnerabilities have been found in the EN100 Ethernet module used by SWT 3000 devices running IEC 61850 and TPOP firmware.
The flaws can be exploited to bypass authentication to the web interface and perform administrative operations (CVE-2016-7112, CVE-2016-7114), and cause devices to enter a DoS condition by sending specially crafted packets (CVE-2016-7113).
Flaws related to the product’s web server can be leveraged by a network attacker to obtain sensitive device information (CVE-2016-4784), and data from the device’s memory (CVE-2016-4785).
The security holes have been addressed in IEC 61850 firmware with the release of version 4.29.01. The TPOP firmware is affected by only three of the flaws. These have been fixed with the release of version 01.01.00.
Tomi Engdahl says:
Breach at PayPal Subsidiary Affects 1.6 Million Customers
http://www.securityweek.com/breach-paypal-subsidiary-affects-16-million-customers
PayPal informed customers on Friday that personal information for 1.6 million individuals may have been obtained by hackers who breached the systems of its subsidiary TIO Networks.
TIO is a publicly traded bill payment processor that PayPal acquired in July 2017 for roughly $230 million. The company is based in Canada and it serves some of the largest telecom and utility network operators in North America. TIO has more than 10,000 supported billers and it serves 16 million consumer bill pay accounts.
Tomi Engdahl says:
Industrial Cybersecurity Startup SCADAfence Secures $10 Million
http://www.securityweek.com/industrial-cybersecurity-startup-scadafence-secures-10-million
Israeli industrial cybersecurity startup SCADAfence has secured $10 million in funding through a recently announced Series A round.
The Tel Aviv-based company explains that it helps industrial network operators bridge the cybersecurity gap that comes when connecting operational technology (OT) and IT networks to ensure operational continuity and the security of valuable assets.
SCADAfence’s solutions provide visibility of day-to-day operations, detection of malicious cyber-attacks as well as non-malicious operational threats, and risk management tools.
Tomi Engdahl says:
Google to Warn Android Users on Apps Collecting Data
http://www.securityweek.com/google-warn-android-users-apps-collecting-data
Google is stepping its fight against unwanted and harmful applications on Android and will soon alert users on apps and websites leading to apps that collect personal data without their consent.
Produced by Google Safe Browsing, the alerts will start popping up on Android devices in a couple of months, as part of expanded enforcement of Google’s Unwanted Software Policy, the Internet giant announced.
Unwanted Software Policy
https://www.google.com/about/unwanted-software-policy.html
Tomi Engdahl says:
New .NET-Based Ransomware Uses Open Source Code
http://www.securityweek.com/new-net-based-ransomware-uses-open-source-code
Two newly discovered .NET-based ransomware families are using open source repositories to encrypt users’ files, Zscaler security researchers say.
Dubbed Vortex and BUGWARE, the two ransomware families have been seen in live attacks carried out via spam emails containing malicious URLs. Both of the new malware families are compiled in Microsoft Intermediate Language (MSIL) and have been packed with the ‘Confuser’ packer.
Vortex is entirely based on AESxWin, a freeware encryption and decryption utility hosted on GitHub and created by Egyptian developer Eslam Hamouda. Thus, files can be decrypted using AESxWin, as long as the password used for encryption is known, Zscaler suggests.
Tomi Engdahl says:
Senators Propose New Breach Notification Law
http://www.securityweek.com/senators-propose-new-breach-notification-law
Senators Propose New Data Protection Bill Following Equifax and Uber Breaches
Following the Equifax breach and the hidden Uber breach, three U.S. senators have introduced the Data Security and Breach Notification Act. Its purpose is to ensure better protection of personal information, and to provide a nationwide standard breach notification requirement. It is effectively a re-introduction of the 2015 bill of the same name.
“The recent data breaches, from Uber to Equifax, will have profound, long-lasting impacts on the integrity of many Americans’ identities and finances, and it is simply unacceptable that millions of them may still not know that they are at risk, nor understand what they can and should do to help limit the potential damage,” said Senator Baldwin.
“We need a strong federal law in place to hold companies truly accountable for failing to safeguard data or inform consumers when that information has been stolen by hackers,” said Nelson. “Congress can either take action now to pass this long overdue bill or continue to kowtow to special interests who stand in the way of this commonsense proposal. When it comes to doing what’s best for consumers, the choice is clear.”
Tomi Engdahl says:
PHP Adds Support for Next-Gen Password Hashing Algorithm Argon2
https://www.bleepingcomputer.com/news/security/php-adds-support-for-next-gen-password-hashing-algorithm-argon2/
PHP got a whole lot more secure this week with the release of the 7.2 branch, a version that improves and modernizes the programming language’s support for cryptography and password hashing algorithms.
Of all, the most significant change in PHP 7.2 is, by far, the support for Argon2, a password hashing algorithm developed in the early 2010s and which won the Password Hashing Competition in 2015
is now in the midst of becoming a universally recognized Internet standard at the Internet Engineering Task Force (IETF), the reward for winning the contest.
Argon2 considered superior to Bcrypt
The algorithm is currently considered to be superior to Bcrypt, today’s most widely used password hashing function, in terms of both security and cost-effectiveness.
Besides password hashing functions, the algorithm is also ideal for proof-of-work operations, used with modern electronic (crypto)currencies.
Starting with PHP 7.2, released on Thursday, Argon2 v1.3 has been added to the PHP core, and developers can use it via the password_hash() function.
The other major change in PHP 7.2 was the removal of the old Mcrypt cryptographic library from the PHP core and the addition of Libsodium, a more modern alternative.
Tomi Engdahl says:
US credit repair biz damages own security: 111GB of personal info exposed in S3 blunder
Oh look, another AWS misconfiguration spillage
https://www.theregister.co.uk/2017/12/02/national_credit_federation_aws_leak/
Tomi Engdahl says:
Securing AMQ7 Routers with SSL
https://developers.redhat.com/blog/2017/11/30/securing-amq7-routers-ssl/?sc_cid=7016000000127ECAAY
Tomi Engdahl says:
How to hide PHP 5/7 version when using Nginx
https://www.cyberciti.biz/faq/hide-php-version-nginx-on-linux-unix-server/
By default, client/user/browser see information about your PHP and web server version. If you forgot to update your PHP version, an attacker can use version information to attack or find vulnerabilities in your PHP version.
You need to edit/create a file named custom.ini as per your Linux/Unix variant. Do not edit php.ini file as it might get updated/replaced with your PHP version.
Tomi Engdahl says:
Leaked Credentials Service Shuts Down
http://www.securityweek.com/leaked-credentials-service-shuts-down
LeakBase, an online service that provided paid access to leaked credentials, was shut down over the weekend.
The service started selling membership access in September last year, claiming to provide access to two billion credentials that leaked in major hacking incidents. The service received a boost in January 2017, when paid breach notification service LeakedSource went dark.
LeakBase claimed to be providing users with information on leaked credentials to help them better understand the risks hacked information poses and to allow them to remedy the situation.
The leaked credentials, however, were leveraged for financial gain
Law Enforcement Raid Blamed For LeakedSource Shutdown
http://www.securityweek.com/law-enforcement-raid-blamed-leakedsource-shutdown
Tomi Engdahl says:
Authorities Take Down Andromeda Botnet
http://www.securityweek.com/authorities-take-down-andromeda-botnet
The Federal Bureau of Investigation (FBI) and law enforcement agencies in Europe managed to dismantle the Andromeda botnet last week.
Also known as Gamarue, Andromeda malware has been around since 2011 and used to ensnare the infected computers into a botnet. The main purpose of this network of infected machines was to distribute other malware families, including the Dridex banking Trojan or point-of-sale (PoS) malware GamaPoS.
In a FortiGuard Labs report detailing the top 5 methods used to attack healthcare in Q4, 2016, Andromeda emerged as the top botnet.
Tomi Engdahl says:
Cybercrime is Not Seasonal
http://www.securityweek.com/cybercrime-not-seasonal
Security and Intelligence Professionals Are Concentrating on Far More Than Just Seasonal Threats
The increase in transactions during the holiday shopping season naturally comes with an increase in fraud. This rise is no surprise to security professionals across all sectors — but it’s an especially prominent concern among those in the retail industry. And yet, year after year, just before the U.S. Thanksgiving holiday, there’s a predictable boom of vendor op-eds, marketing campaigns, and media pitches that target retailers, promising all the answers they need to help them combat fraud and cybercrime during the holiday shopping season.
Hype increases risk of FUD and victim-shaming
The pattern for holiday shopping-themed campaigns isn’t too different from the pattern of campaigns that occurs after the disclosure of a large breach. Specifically, holiday fraud campaigns geared toward the retail industry are often ripe with undertones of Fear, Uncertainty, and Doubt (FUD).
Combatting fraud is not simple
These holiday-centric campaigns often focus heavily on fraud, which has long been considered one of the most persistent and dynamic threats to retailers. Many fraudsters are highly flexible and are known to continually adapt their tactics to circumvent new anti-fraud measures.
Retailers require security year-round
Since retailers operate year-round and are therefore susceptible to cybercrime year-round, their security and intelligence programs need to be proactive and implemented far in advance in order to be effective. Indeed, most retailers anticipate and plan for the holiday season’s spike in cybercrime long before the inundation of holiday-centric campaigns even begins.
Although the holidays are upon us, it’s important to remember that security and intelligence professionals in the retail industry are concentrating on far more than just seasonal threats. Return fraud, for example, might peak between November and January, but that doesn’t mean retailers aren’t actively striving to combat other types of fraud year-round.
Tomi Engdahl says:
UK government turns against Russian software
https://betanews.com/2017/12/02/uk-government-turns-against-russian-software/
There have been concerns about Russian security firm Kaspersky in the US for some time, and now these fears have spread across the Atlantic to the UK. The director of the UK National Cyber Security Centre (NCSC) has issued a warning that no Russian-made security software should be used on systems that could represent a national security threat if accessed by the Russian government.
The head of the NCSC wrote:
Russia has the intent to target UK central government and the UK’s critical national infrastructure. However, the overwhelming majority of UK individuals and organisations are not being actively targeted by the Russian state, and are far more likely to be targeted by cyber criminals.
In drawing this guidance to (department heads’) attention today, it is our aim to enable departments to make informed, risk-based decisions on (their) choice of AV provider.To that end, we advise that where it is assessed that access to the information by the Russian state would be a risk to national security, a Russia-based AV company should not be chosen.
Tomi Engdahl says:
JC Torres / SlashGear:
Google releases December Pixel/Nexus Security Bulletin confirming KRACK Wi-Fi patch is coming to devices — Google kicked off the whole monthly security bulletin practice to assure Android users, or at least owners of its Nexus and Pixel devices, that they will get timely and critical security fixes before all hell breaks loose.
Android December security bulletin finally has KRACK fix for Pixels
https://www.slashgear.com/android-december-security-bulletin-finally-has-krack-fix-for-pixels-04510750/
Tomi Engdahl says:
Nadia Khomami / The Guardian:
BBC launches Own It, a website to help 9 to 12 year olds navigate online risks, as part of £34M investment in children’s programming over three years
BBC launches Own It website to help under-12s navigate online risks
https://www.theguardian.com/media/2017/dec/04/bbc-own-it-website-online-risks-childrens-programming-investment
New site for nine to 12-year-olds is part of corporation’s £34m investment in children’s programming over three years
Tomi Engdahl says:
Josh Constine / TechCrunch:
Facebook launches Messenger Kids, a standalone messaging app that lets kids under 13 chat with friends and family approved by their parents, on iOS in the US
Facebook ‘Messenger Kids’ lets under-13s chat with whom parents approve
https://techcrunch.com/2017/12/04/facebook-messenger-kids/
Tomi Engdahl says:
UAVs Keep An Eye on Enemy Movements
Unmanned aircraft have become as much a part of military surveillance and intelligence gathering as the advanced electronic sensors they carry.
http://www.mwrf.com/systems/uavs-keep-eye-enemy-movements?NL=MWRF-001&Issue=MWRF-001_20171205_MWRF-001_536&sfvc4enews=42&cl=article_1_b&utm_rid=CPG05000002750211&utm_campaign=14407&utm_medium=email&elq2=420ea332e91147119ef9813c493b8b46
Tomi Engdahl says:
German government wants ‘backdoor’ access to every digital device: report
https://www.thelocal.de/20171201/german-government-wants-backdoor-access-to-every-digital-device-report/amp
Germany’s Interior Minister wants to force tech and car companies to provide the German security services with hidden digital access to cars, computers, phones and more, according to a media report from Friday.
The RedaktionsNetzwerk Deutschland (RND) reported that Thomas de Maizière had written up a draft proposal for the interior minister conference, taking place next week in Leipzig, which he has called “the legal duty for third parties to allow for secret surveillance.”
According to the RND, the proposal would “dramatically extend” the state’s powers to spy on its citizens.
Tomi Engdahl says:
NiceHash diced up by hackers, thousands of Bitcoin pilfered
Mining outfit says its entire wallet gone, estimated $62m
By Shaun Nichols in San Francisco 6 Dec 2017 at 23:03
https://www.theregister.co.uk/2017/12/06/nicehash_diced_up_by_hackers_thousands_of_bitcoin_pilfered/
Cryptocurrency mining market NiceHash says it has fallen victim to a hacking attack that may have resulted in the loss of its entire Bitcoin wallet.
The marketplace, where users can buy and sell their computing cycles to mine cryptocurrency, issued a statement Wednesday afternoon confirming that it had indeed fallen victim to hackers.
“Unfortunately, there has been a security breach involving NiceHash website. We are currently investigating the nature of the incident and, as a result, we are stopping all operations for the next 24 hours. Importantly, our payment system was compromised and the contents of the NiceHash Bitcoin wallet have been stolen. We are working to verify the precise number of BTC taken,” the marketplace said.
Official press release statement by NiceHash
https://www.reddit.com/r/NiceHash/comments/7i0s6o/official_press_release_statement_by_nicehash/
Tomi Engdahl says:
Mailsploit: It’s 2017, and you can spoof the ‘from’ in email to fool filters
Message client vendors have had 25 years to get RFC 1342 right
https://www.theregister.co.uk/2017/12/06/mailsploit_email_spoofing_bug/
Penetration tester Sabri Haddouche has reintroduced the world to email source spoofing, bypassing spam filters and protections like Domain-based Message Authentication, Reporting and Conformance (DMARC), thereby posing a risk to anyone running a vulnerable and unpatched mail client.
What he’s found is that more than 30 mail clients including Apple Mail, Thunderbird, various Windows clients, Yahoo! Mail, ProtonMail and more bungled their implementation of an ancient RFC, letting an attacker trick the software into displaying a spoofed from field, even though what the server sees is the real sender.
That means if the server is configured to use DMARC, Sender Policy Framework(SPF) or Domain Keys Identified Mail (DKIM), it will treat a message as legit, even if it should be spam-binned.
The RFC in question is RFC 1342, “Representation of Non-ASCII Text in Internet Message Headers”, and the implementation error Haddouche found was that mail clients and Web mail interfaces don’t properly sanitise a non-ASCII string after they decode it.
Tomi Engdahl says:
Investigatory Powers Act: You’re not being paranoid. UK.gov really is watching you
Civil rights group Liberty has plans on that
https://www.theregister.co.uk/2017/12/05/liberty_ipa/
Tomi Engdahl says:
Alleged Cyber Crime Kingpin Arrested in Belarus
http://fortune.com/2017/12/05/cyber-crime-kingpin-arrested-alleged-in-belarus/
One of Eastern Europe’s most prolific cyber criminals has been arrested in a joint operation involving Belarus, Germany and the United States that aimed to dismantle a vast computer network used to carry out financial scams, officials said on Tuesday.
National police in Belarus, working with the U.S. Federal Bureau of Investigation, said they had arrested a citizen of Belarus on suspicion of selling malicious software who they described as administrator of the Andromeda network.
Andromeda is made up of a collection of “botnets”, or groups of computers that have been infected with viruses to allow hackers to control them remotely without the knowledge of their owners, These networks were in turn leased to other criminals to mount malware or phishing attacks and other online scams.
Tomi Engdahl says:
Trillium aims to shield your high-tech car against cyberattacks
https://techcrunch.com/2017/12/04/trillium-aims-to-shield-your-high-tech-car-against-cyberattacks/
Cars these days are basically computers with wheels, and as with other computers, you’ll probably want to make a few changes to protect against cyberthreats. Trillium, presenting today on Disrupt Berlin’s Startup Battlefield stage, is looking to be the security solution for in-car computer systems, adding extra encryption, intrusion detection and other firewall-like features.
We’ve already seen demonstrations of cars being hacked while on the road; the danger may be largely theoretical today, but it could make the jump to practical tomorrow.
“Hacked cars pose a far greater danger than hacked desktop consumers,” Trillium’s Adrian Sossna told me. “The possible damage that a rogue hacked car can make is vast. It’s already happening, and I am concerned that we will see large hacks in the next 12 months.”
Trillium’s software lives on the car’s computing hardware, doing a couple of main duties. First, it encrypts all in-car transmissions; this prevents a security soft spot like a backseat media screen or Wi-Fi hotspot from becoming a back door into more critical systems. And second, it watches over the car’s networks for unusual activity that could indicate an intrusion attempt. The software updates itself.
To be clear, this isn’t something you’ll plug in and install on your 2014 Accord. You can’t actually fiddle with your car’s internals to that extent
“Trillium’s solution is built to be embedded into the car when it rolls out of the factory,” explained Sossna. “Our future end-customer is a fleet owner that needs to protect its employees, cargo and society at large from car hacks.”
Tomi Engdahl says:
Taking Hybrid IT from Accident to Strategy
http://www.securityweek.com/taking-hybrid-it-accident-strategy
Most enterprises have an accidental Hybrid IT reality, rather than a strategy. As various groups and geographies within enterprise organizations procure their own cloud services independently of the IT organization, conflict emerges between the use of traditional computing infrastructure and cloud options. As this situation grows, it exposes inefficiencies and risks that demand a more strategic approach.
How did we get here?
The potential for Hybrid IT was created by two flavors of cloud computing – SaaS and IaaS.
While Concur is often cited as the first SaaS offering, Salesforce deserves credit for normalizing the SaaS model in the minds of enterprise buyers whose initial concerns over security and performance were sidelined by business demands for its capabilities.
IaaS became mainstream when Amazon Web Services launched on March 14, 2006. It armed developers with direct access to infrastructure and an ability to bypass the IT operations provisioning bottleneck. This, combined with Agile development practices, unlocked the potential for DevOps, which emerged in 2009.
Web scale companies took full advantage with a cloud-first (or cloud-only) policy, but around 2014, enterprise developers took notice.
Why the status quo must change
The impact of running cloud and traditional services in parallel in the enterprise is most painfully felt within application development teams and IT operations. As long as cloud and traditional services operate independently, there is a division that increases management complexity and reduces the agility of the organization, impacting the overall competitive posture of the business.
From an application development perspective:
● The deployment pipelines across multiple cloud and legacy services are highly segregated. Where services are redundant, the enterprise misses out on potential volume discounting and efficiency gains.
● Cloud-based services often need access to rigid legacy systems. This dependency creates a flexibility mismatch that reduces the speed and agility benefits of cloud computing.
From the perspective of IT operations and security, there are several challenges:
● Management is divided in silos defined by computing platform, requiring multiple teams and tools. This increases complexity, costs and errors while slowing operations and frustrating users.
● Services delivered on legacy platforms are often unable to elastically respond to peaks or decline in demand, in the same way that cloud services can.
● IT operations models based on manual management of changes and configurations cannot scale to the pace demanded by the business. As process is bypassed, potential security policy and compliance violations emerge.
Getting to a strategic approach to Hybrid IT
A strategic approach to Hybrid IT means enabling the choice of environment for a workload to be made entirely based on what is best for the business. This is true both for newly developed applications and those that have run faithfully for decades.
This doesn’t automatically mean that public cloud services will always be selected.
Tomi Engdahl says:
HBO Hacker Linked to Iranian Spy Group
http://www.securityweek.com/hbo-hacker-linked-iranian-spy-group
A man accused by U.S. authorities of hacking into the systems of HBO and attempting to extort millions of dollars from the company has been linked by security researchers to an Iranian cyber espionage group tracked as Charming Kitten.
Tomi Engdahl says:
Android’s December 2017 Patches Resolve Critical Flaws
http://www.securityweek.com/androids-december-2017-patches-resolve-critical-flaws
The December 2017 Android security patches that Google released this week resolve 47 vulnerabilities, including 10 rated Critical severity.
The patches affect a variety of platform components and were split in two packages, or security patch levels, as Google calls them. The first addresses 19 vulnerabilities while the second resolves 28 issues.
The 2017-12-01 security patch level resolves 6 Critical severity vulnerabilities and 13 High risk flaws, Google notes in a security bulletin.
The issues affect the framework (3 High risk elevation of privilege bugs), Media framework (5 Critical remote code execution, 2 High elevation of privilege, and 4 High denial-of-service bugs), and System components (1 Critical remote code execution, 1 High elevation of privilege, and 3 High information disclosure issues).
The 2017-12-05 security patch level addresses 4 Critical risk vulnerabilities and 24 High severity issues.
Tomi Engdahl says:
Common Infiltration, Exfiltration Methods Still Successful: Report
http://www.securityweek.com/common-infiltration-exfiltration-methods-still-successful-report
Many organizations are still having difficulties protecting their systems against the most common infiltration, exfiltration and lateral movement methods used by attackers, according to the latest Hacker’s Playbook report from SafeBreach.
The company provides a platform designed to test an organization’s defenses by continuously simulating attacks and breaches. For the third edition of its Hacker’s Playbook report, SafeBreach has analyzed data from roughly 11.5 million automated simulations conducted between January and November 2017. The simulations covered more than 3,400 attack methods – from exploit kits and malware to brute force and credential harvesting – that allowed the company to see where attackers are blocked and where they are successful.
An analysis of the top 5 infiltration methods used by malware showed that more than 55 percent of attack attempts are successful. The methods used by notorious malware families such as the WannaCry ransomware, which leverages SMB, and the Carbanak (Anunak) banking Trojan, which relies on HTTP, had a success rate of 63.4% and 59.8%, respectively, in SafeBreach’s simulations.
Other popular infiltration methods involve malicious executables packed in CHM, VBS and JavaScript files. These help attackers trick both end users and high-level scanners, and they had success rates between 50% and 61%.
Tomi Engdahl says:
StorageCrypt Ransomware Targets NAS Devices via SambaCry Exploit
http://www.securityweek.com/storagecrypt-ransomware-targets-nas-devices-sambacry-exploit
A new ransomware family is using the SambaCry vulnerability that was patched in May to infect network-attached storage (NAS) devices, researchers have discovered.
Dubbed StorageCrypt, the ransomware demands between 0.4 and 2 Bitcoins ($5,000 to $25,000) from its victims for decrypting the affected files.
To infect NAS devices, StorageCrypt abuses the Linux Samba vulnerability known as SambaCry and tracked as CVE-2017-7494. Affecting devices from major vendors, the bug allows remote attackers to execute arbitrary code on targeted systems by uploading a shared library to a writable share, and then causing the server to load that library.
The first attempt to abuse the vulnerability resulted in targeted systems being infected with a cryptocurrency miner. During summer, a piece of malware dubbed SHELLBIND started abusing the flaw to infect NAS devices.
StorageCrypt leverages the SambaCry in the same manner as SHELLBIND did, BleepingComputer’s Lawrence Abrams reveals.
Tomi Engdahl says:
Android Development Tools Riddled with Nasty Vulnerabilities
http://www.securityweek.com/android-development-tools-riddled-nasty-vulnerabilities
Java/Android developers are exposed to vulnerabilities affecting the development tools, both downloadable and cloud based, used in the Android application ecosystem, Check Point warns.
Check Point security researchers have discovered several vulnerabilities impacting the most common Android Integrated Development Environments (IDEs), namely Google’s Android Studio and JetBrains’ IntelliJ IDEA and Eclipse, along with major reverse engineering tools for Android applications, including APKTool, the Cuckoo-Droid service, and more.
The bugs were reported to the impacted IDE companies in May 2017 and have been already resolved in Google and JetBrains tools.
According to Check Point, their research focused on APKTool (Android Application Package Tool), which emerges as the most popular tool for reverse engineering third party Android apps, and which allows developers to decompile and build APK files.
Tomi Engdahl says:
Mobile Response to Security Alerts Allows Immediate Action Anywhere, Anytime
http://www.securityweek.com/mobile-response-security-alerts-allows-immediate-action-anywhere-anytime
Mobile Alerts Improve Incident Response
Cybersecurity is 24/7; cybersecurity staff are not. While larger corporations can arrange for 24/7 cover, most smaller organizations cannot do this. This means that senior security staff are effectively permanently ‘on call’ whether they are in the office, between offices, or at home.
A recent small survey by Barkly queried 95 IT and security professionals from companies with between 50 and 1,000 endpoints, “to learn more about how they’re currently receiving and managing security alerts.” Nearly half of the respondents (46%) said they had missed alerts while out of the office, while about 20% said that it had been necessary to return to the office to handle an alert that could not be managed remotely.
Given these figures, it is not surprising that 76% said that their ability to respond to alerts efficiently and speedily would improve if they could both receive and respond via a mobile device.
“The ability to react quickly can be crucial,” commented Barkly’s Jonathan Crowe, “especially with a resurgence of worming capabilities [think WannaCry and NotPetya] making it possible for malware to spread throughout and across organizations faster than ever.”
Tomi Engdahl says:
Former US State Department cyber man: We didn’t see the Russian threat coming
Cyber no longer domain of techies, says ex-diplomat
https://www.theregister.co.uk/2017/12/06/black_hat_eu_cyber/
Black Hat Cyber threats have evolved from been a solely technical issues to core issues of government policy, according to a senior US lawyer and former cyber diplomat.
Chris Painter, former co-ordinator for cyber issues at the US State Department, told delegates at the Black Hat EU conference that cyber issues have emerged as a core topic for governments worldwide. “Cyber is now seen as a core issue for defence policy, foreign policy and more… it’s not just a technical issue.
“Cyberspace is a new domain of war and all countries are involved in it,” he added.
The US, China and Russia have agreed that the rules of international law apply in cyberspace, so the rules of war apply to cyber attacks. That means that an attack on civilian infrastructure such as a dam would be considered as warranting reprisals, but the situation is more complicated than that in practice.
“A lot of malign activity is occurring below the high threshold of what could be classified as an act of war,” Painter explained.
Tomi Engdahl says:
EU urges internet companies to do more to remove extremist content
https://www.reuters.com/article/us-eu-internet-forum/eu-urges-internet-companies-to-do-more-to-remove-extremist-content-idUSKBN1E02Q7
(Reuters) – Internet groups such as Facebook (FB.O), Google’s YouTube (GOOGL.O) and Twitter (TWTR.N) need to do more to stem the proliferation of extremist content on their platforms, the European Commission said after a meeting on Wednesday.
Tomi Engdahl says:
New Homeland Security Secretary Kirstjen Nielsen brings her cybersecurity focus to domestic defense
https://techcrunch.com/2017/12/06/kirstjen-nielsen-dhs-secretary-cybersecurity/?ncid=rss&utm_source=tcfbpage&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29&sr_share=facebook
Kirstjen Nielsen has been confirmed as John Kelly’s replacement to lead the Department of Homeland Security. The top position at the DHS has remained open since Kelly left to join the White House as chief of staff in late July.
Tomi Engdahl says:
These 3D-Printable Devices Communicate
https://blog.hackster.io/these-3d-printable-devices-communicate-wirelessly-without-electronics-or-batteries-1f1155403c02
Wirelessly Without Electronics or Batteries
As the Internet of Things (IoT) becomes more and more popular, one challenge in particular is proving to be very pressing: how to power all of those devices in your home. Most smart devices on the market use a small Wi-Fi module, like the ESP8266, to send data to your network. The issue is that these gadgets need power.
Now researchers from the University of Washington have come up with a very innovative way to 3D print smart devices that don’t require any electronics or even a power source. The key concept at the heart of the system is Wi-Fi backscatter monitoring, which sends out a wireless signal and measures the reflections. Traditionally, those reflections are either static (from a fixed antenna), or are modified dynamically with electronics.
This new method allows the devices to relay dynamic information, but without the need for electronics. That’s accomplished using various 3D-printed mechanisms that make contact with a copper antenna and modify the signal being sent back to the backscatter receiver. Utilizing this technique, the researchers were able to make devices like switches, knobs, and even a soap-level monitor that can communicate with an IoT hub, and are completely free from electronics or the need for a power source.
Tomi Engdahl says:
2D Materials Push Paper Electronics Towards the Internet of Things
https://spectrum.ieee.org/nanoclast/semiconductors/materials/2d-materials-push-paper-electronics-towards-the-internet-of-things
Among the uses for which paper-based electronic devices have been heretofore unsuitable is connecting to the cloud over Bluetooth frequencies for the Internet of Things (IoT), smart sensors, and other smart applications.
Researchers at the University of Texas at Austin (UT-Austin) are reporting this week at the International Electron Devices Meeting that graphene and molybdenum disulfide (MoS2), with their extraordinary conductivity, can enable paper-based electronics to achieve the frequency required to make them fit for IoT and smart sensor applications. The researchers claim that this work represents the first time that high-performance two-dimensional (2D) transistors have been demonstrated on a paper substrate.